1 | /* tls13.c
|
---|
2 | *
|
---|
3 | * Copyright (C) 2006-2017 wolfSSL Inc.
|
---|
4 | *
|
---|
5 | * This file is part of wolfSSL.
|
---|
6 | *
|
---|
7 | * wolfSSL is free software; you can redistribute it and/or modify
|
---|
8 | * it under the terms of the GNU General Public License as published by
|
---|
9 | * the Free Software Foundation; either version 2 of the License, or
|
---|
10 | * (at your option) any later version.
|
---|
11 | *
|
---|
12 | * wolfSSL is distributed in the hope that it will be useful,
|
---|
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
---|
15 | * GNU General Public License for more details.
|
---|
16 | *
|
---|
17 | * You should have received a copy of the GNU General Public License
|
---|
18 | * along with this program; if not, write to the Free Software
|
---|
19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
---|
20 | */
|
---|
21 |
|
---|
22 |
|
---|
23 | /*
|
---|
24 | * WOLFSSL_TLS13_DRAFT_18
|
---|
25 | * Conform with Draft 18 of the TLS v1.3 specification.
|
---|
26 | * WOLFSSL_EARLY_DATA
|
---|
27 | * Allow 0-RTT Handshake using Early Data extensions and handshake message
|
---|
28 | * WOLFSSL_POST_HANDSHAKE_AUTH
|
---|
29 | * Allow TLS v1.3 code to perform post-handshake authentication of the
|
---|
30 | * client.
|
---|
31 | * WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
|
---|
32 | * Allow a NewSessionTicket message to be sent by server before Client's
|
---|
33 | * Finished message.
|
---|
34 | * See TLS v1.3 specification, Section 4.6.1, Paragraph 4 (Note).
|
---|
35 | * TLS13_SUPPORTS_EXPORTERS
|
---|
36 | * Guard to compile out any code for exporter keys.
|
---|
37 | * Feature not supported yet.
|
---|
38 | */
|
---|
39 |
|
---|
40 | #ifdef HAVE_CONFIG_H
|
---|
41 | #include <config.h>
|
---|
42 | #endif
|
---|
43 |
|
---|
44 | #include <wolfssl/wolfcrypt/settings.h>
|
---|
45 |
|
---|
46 | #ifdef WOLFSSL_TLS13
|
---|
47 | #ifdef HAVE_SESSION_TICKET
|
---|
48 | #include <sys/time.h>
|
---|
49 | #endif
|
---|
50 |
|
---|
51 | #ifndef WOLFCRYPT_ONLY
|
---|
52 |
|
---|
53 | #ifdef HAVE_ERRNO_H
|
---|
54 | #include <errno.h>
|
---|
55 | #endif
|
---|
56 |
|
---|
57 | #include <wolfssl/internal.h>
|
---|
58 | #include <wolfssl/error-ssl.h>
|
---|
59 | #include <wolfssl/wolfcrypt/asn.h>
|
---|
60 | #include <wolfssl/wolfcrypt/dh.h>
|
---|
61 | #ifdef NO_INLINE
|
---|
62 | #include <wolfssl/wolfcrypt/misc.h>
|
---|
63 | #else
|
---|
64 | #define WOLFSSL_MISC_INCLUDED
|
---|
65 | #include <wolfcrypt/src/misc.c>
|
---|
66 | #endif
|
---|
67 |
|
---|
68 | #ifdef HAVE_NTRU
|
---|
69 | #include "libntruencrypt/ntru_crypto.h"
|
---|
70 | #endif
|
---|
71 |
|
---|
72 | #if defined(DEBUG_WOLFSSL) || defined(WOLFSSL_DEBUG) || \
|
---|
73 | defined(CHACHA_AEAD_TEST) || defined(WOLFSSL_SESSION_EXPORT_DEBUG)
|
---|
74 | #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
|
---|
75 | #if MQX_USE_IO_OLD
|
---|
76 | #include <fio.h>
|
---|
77 | #else
|
---|
78 | #include <nio.h>
|
---|
79 | #endif
|
---|
80 | #else
|
---|
81 | #include <stdio.h>
|
---|
82 | #endif
|
---|
83 | #endif
|
---|
84 |
|
---|
85 | #ifdef __sun
|
---|
86 | #include <sys/filio.h>
|
---|
87 | #endif
|
---|
88 |
|
---|
89 | #ifndef TRUE
|
---|
90 | #define TRUE 1
|
---|
91 | #endif
|
---|
92 | #ifndef FALSE
|
---|
93 | #define FALSE 0
|
---|
94 | #endif
|
---|
95 |
|
---|
96 | /* Set ret to error value and jump to label.
|
---|
97 | *
|
---|
98 | * err The error value to set.
|
---|
99 | * eLabel The label to jump to.
|
---|
100 | */
|
---|
101 | #define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
|
---|
102 |
|
---|
103 |
|
---|
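/* Extract data using HMAC, salt and input.
 * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
 *
 * prk     The generated pseudorandom key; one digest of bytes is written.
 * salt    The salt. Callers in this file pass NULL with saltLen 0, which is
 *         handed straight to wc_HKDF_Extract.
 * saltLen The length of the salt.
 * ikm     The input keying material. Deliberately not const: when ikmLen is
 *         0 the first digest-length bytes of ikm are overwritten with zeros
 *         and used as the IKM, so the caller must pass a buffer at least
 *         that large (see DeriveEarlySecret).
 * ikmLen  The length of the input keying material, or 0 for "zeroed IKM".
 * mac     The type of digest to use (sha256_mac, sha384_mac, sha512_mac).
 * returns 0 on success, BAD_FUNC_ARG for an unsupported/compiled-out mac,
 * otherwise the failure code from wc_HKDF_Extract.
 */
static int Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen,
                              byte* ikm, int ikmLen, int mac)
{
    int ret;
    int hash = 0;
    int len = 0;

    switch (mac) {
#ifndef NO_SHA256
        case sha256_mac:
            hash = WC_SHA256;
            len = WC_SHA256_DIGEST_SIZE;
            break;
#endif

#ifdef WOLFSSL_SHA384
        case sha384_mac:
            hash = WC_SHA384;
            len = WC_SHA384_DIGEST_SIZE;
            break;
#endif

        /* Same guard as DeriveKeyMsg/DeriveKey/BuildTls13HandshakeHmac. It
         * was spelled WOLFSSL_TLS13_TLS13_SHA512 here, so this case could
         * never be compiled in even when SHA-512 suites were enabled. */
#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hash = WC_SHA512;
            len = WC_SHA512_DIGEST_SIZE;
            break;
#endif

        default:
            /* Unknown or compiled-out digest: fail explicitly instead of
             * calling wc_HKDF_Extract with hash type 0 and length 0. */
            return BAD_FUNC_ARG;
    }

    /* When length is 0 then use zeroed data of digest length. */
    if (ikmLen == 0) {
        ikmLen = len;
        XMEMSET(ikm, 0, len);
    }

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG(" Salt");
    WOLFSSL_BUFFER(salt, saltLen);
    WOLFSSL_MSG(" IKM");
    WOLFSSL_BUFFER(ikm, ikmLen);
#endif

    ret = wc_HKDF_Extract(hash, salt, saltLen, ikm, ikmLen, prk);

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG(" PRK");
    WOLFSSL_BUFFER(prk, len);
#endif

    return ret;
}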
|
---|
167 |
|
---|
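/* Expand data using HMAC, salt and label and info.
 * TLS v1.3 defines this function (HKDF-Expand-Label).
 *
 * The HkdfLabel structure is assembled in a fixed-size stack buffer as:
 *   okmLen (2 bytes) | len(protocol|label) (1 byte) | protocol | label |
 *   len(info) (1 byte) | info
 * The one-byte length fields limit protocol|label and info to 255 bytes
 * each and the whole structure must fit in MAX_HKDF_LABEL_SZ; both are
 * checked before anything is copied so a caller cannot overrun data[].
 *
 * okm         The generated pseudorandom key - output key material.
 * okmLen      The length of the output key material.
 * prk         The salt - pseudo-random key.
 * prkLen      The length of the salt - pseudo-random key.
 * protocol    The TLS protocol label.
 * protocolLen The length of the TLS protocol label.
 * label       The purpose label.
 * labelLen    The length of the purpose label.
 * info        The information to expand (hash of handshake messages).
 * infoLen     The length of the information.
 * digest      The type of digest to use.
 * returns 0 on success, BAD_FUNC_ARG if the label would not fit, otherwise
 * the failure code from wc_HKDF_Expand.
 */
static int HKDF_Expand_Label(byte* okm, word32 okmLen,
                             const byte* prk, word32 prkLen,
                             const byte* protocol, word32 protocolLen,
                             const byte* label, word32 labelLen,
                             const byte* info, word32 infoLen,
                             int digest)
{
    int ret = 0;
    int idx = 0;
    byte data[MAX_HKDF_LABEL_SZ];

    /* Bound every field before copying: each check keeps the later sum
     * from wrapping, and the final one guards the stack buffer. */
    if (protocolLen > 255 || labelLen > 255 - protocolLen || infoLen > 255 ||
            4 + protocolLen + labelLen + infoLen > sizeof(data)) {
        return BAD_FUNC_ARG;
    }

    /* Output length. */
    data[idx++] = (byte)(okmLen >> 8);
    data[idx++] = (byte)okmLen;
    /* Length of protocol | label. */
    data[idx++] = (byte)(protocolLen + labelLen);
    /* Protocol */
    XMEMCPY(&data[idx], protocol, protocolLen);
    idx += protocolLen;
    /* Label */
    XMEMCPY(&data[idx], label, labelLen);
    idx += labelLen;
    /* Length of hash of messages */
    data[idx++] = (byte)infoLen;
    /* Hash of messages */
    XMEMCPY(&data[idx], info, infoLen);
    idx += infoLen;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG(" PRK");
    WOLFSSL_BUFFER(prk, prkLen);
    WOLFSSL_MSG(" Info");
    WOLFSSL_BUFFER(data, idx);
#endif

    ret = wc_HKDF_Expand(digest, prk, prkLen, data, idx, okm, okmLen);

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG(" OKM");
    WOLFSSL_BUFFER(okm, okmLen);
#endif

    /* Wipe the assembled label (it carries the transcript hash). */
    ForceZero(data, idx);

    return ret;
}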
|
---|
227 |
|
---|
228 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
229 | /* Size of the TLS v1.3 label used when deriving keys. */
|
---|
230 | #define TLS13_PROTOCOL_LABEL_SZ 9
|
---|
231 | /* The protocol label for TLS v1.3. */
|
---|
232 | static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "TLS 1.3, ";
|
---|
233 | #else
|
---|
235 | /* Size of the TLS v1.3 label used when deriving keys. */
|
---|
235 | #define TLS13_PROTOCOL_LABEL_SZ 6
|
---|
236 | /* The protocol label for TLS v1.3. */
|
---|
237 | static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "tls13 ";
|
---|
238 | #endif
|
---|
239 |
|
---|
240 | #if !defined(WOLFSSL_TLS13_DRAFT_18) || defined(HAVE_SESSION_TICKET) || \
|
---|
241 | !defined(NO_PSK)
|
---|
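/* Derive a key from a message.
 *
 * The message is hashed with the requested algorithm and the digest is used
 * as the HKDF-Expand-Label context. Callers in this file pass an empty
 * message (NULL, 0), so the context is the hash of the empty string.
 *
 * ssl       The SSL/TLS object.
 * output    The buffer to hold the derived key.
 * outputLen The length of the derived key, or -1 for one digest of bytes.
 * secret    The secret used to derive the key (HMAC secret); digest-size
 *           bytes are read from it.
 * label     The label used to distinguish the context.
 * labelLen  The length of the label.
 * msg       The message data to derive key from.
 * msgLen    The length of the message data to derive key from.
 * hashAlgo  The hash algorithm to use in the HMAC.
 * returns 0 on success, BAD_FUNC_ARG for an unsupported hash algorithm,
 * VERSION_ERROR if ssl->version.minor is not TLSv1_3_MINOR, otherwise
 * failure.
 */
static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen,
                        const byte* secret, const byte* label, word32 labelLen,
                        byte* msg, int msgLen, int hashAlgo)
{
    byte        hash[MAX_DIGEST_SIZE];
    Digest      digest;
    word32      hashSz = 0;
    const byte* protocol;
    word32      protocolLen;
    int         digestAlg = 0;
    int         ret = BAD_FUNC_ARG;

    /* ret keeps BAD_FUNC_ARG when no case matches (algorithm unknown or
     * compiled out), so the switch needs no default. */
    switch (hashAlgo) {
    /* Guard is NO_SHA256 to match DeriveKey, Tls13_HKDF_Extract and
     * BuildTls13HandshakeHmac; the NO_WOLFSSL_SHA256 spelling used here
     * before is not the build option the rest of this file tests. */
#ifndef NO_SHA256
        case sha256_mac:
            ret = wc_InitSha256_ex(&digest.sha256, ssl->heap, INVALID_DEVID);
            if (ret == 0) {
                ret = wc_Sha256Update(&digest.sha256, msg, msgLen);
                if (ret == 0)
                    ret = wc_Sha256Final(&digest.sha256, hash);
                wc_Sha256Free(&digest.sha256);
            }
            hashSz = WC_SHA256_DIGEST_SIZE;
            digestAlg = WC_SHA256;
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_InitSha384_ex(&digest.sha384, ssl->heap, INVALID_DEVID);
            if (ret == 0) {
                ret = wc_Sha384Update(&digest.sha384, msg, msgLen);
                if (ret == 0)
                    ret = wc_Sha384Final(&digest.sha384, hash);
                wc_Sha384Free(&digest.sha384);
            }
            hashSz = WC_SHA384_DIGEST_SIZE;
            digestAlg = WC_SHA384;
            break;
#endif
#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            ret = wc_InitSha512_ex(&digest.sha512, ssl->heap, INVALID_DEVID);
            if (ret == 0) {
                ret = wc_Sha512Update(&digest.sha512, msg, msgLen);
                if (ret == 0)
                    ret = wc_Sha512Final(&digest.sha512, hash);
                wc_Sha512Free(&digest.sha512);
            }
            hashSz = WC_SHA512_DIGEST_SIZE;
            digestAlg = WC_SHA512;
            break;
#endif
    }

    if (ret != 0)
        return ret;

    switch (ssl->version.minor) {
        case TLSv1_3_MINOR:
            protocol = tls13ProtocolLabel;
            protocolLen = TLS13_PROTOCOL_LABEL_SZ;
            break;

        default:
            return VERSION_ERROR;
    }
    if (outputLen == -1)
        outputLen = hashSz;

    return HKDF_Expand_Label(output, outputLen, secret, hashSz,
                             protocol, protocolLen, label, labelLen,
                             hash, hashSz, digestAlg);
}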
|
---|
328 | #endif
|
---|
329 |
|
---|
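/* Derive a key.
 *
 * Wraps HKDF-Expand-Label with the TLS v1.3 protocol label and, when
 * requested, the running hash of the handshake messages as context.
 *
 * ssl         The SSL/TLS object.
 * output      The buffer to hold the derived key.
 * outputLen   The length of the derived key, or -1 for one digest of bytes.
 * secret      The secret used to derive the key (HMAC secret); digest-size
 *             bytes are read from it.
 * label       The label used to distinguish the context.
 * labelLen    The length of the label.
 * hashAlgo    The hash algorithm to use in the HMAC.
 * includeMsgs Whether to include a hash of the handshake messages so far.
 *             When 0 an empty context (infoLen 0) is used.
 * returns 0 on success, BAD_FUNC_ARG for an unsupported hash algorithm,
 * otherwise failure.
 */
static int DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,
                     const byte* secret, const byte* label, word32 labelLen,
                     int hashAlgo, int includeMsgs)
{
    int         ret = 0;
    byte        hash[MAX_DIGEST_SIZE];
    word32      hashSz = 0;
    word32      hashOutSz = 0;
    const byte* protocol;
    word32      protocolLen;
    int         digestAlg = 0;

    switch (hashAlgo) {
#ifndef NO_SHA256
        case sha256_mac:
            hashSz = WC_SHA256_DIGEST_SIZE;
            digestAlg = WC_SHA256;
            if (includeMsgs)
                ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            break;
#endif

#ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashSz = WC_SHA384_DIGEST_SIZE;
            digestAlg = WC_SHA384;
            if (includeMsgs)
                ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            break;
#endif

#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hashSz = WC_SHA512_DIGEST_SIZE;
            digestAlg = WC_SHA512;
            if (includeMsgs)
                ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            break;
#endif

        default:
            /* Previously fell through with hashSz 0 / digestAlg 0 and let
             * wc_HKDF_Expand reject it; fail here with a clear error. */
            return BAD_FUNC_ARG;
    }
    if (ret != 0)
        return ret;

    /* Only one protocol version defined at this time. */
    protocol = tls13ProtocolLabel;
    protocolLen = TLS13_PROTOCOL_LABEL_SZ;

    if (outputLen == -1)
        outputLen = hashSz;
    if (includeMsgs)
        hashOutSz = hashSz;

    return HKDF_Expand_Label(output, outputLen, secret, hashSz,
                             protocol, protocolLen, label, labelLen,
                             hash, hashOutSz, digestAlg);
}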
|
---|
398 |
|
---|
399 |
|
---|
400 | #ifndef NO_PSK
|
---|
401 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
402 | /* The length of the binder key label. */
|
---|
403 | #define BINDER_KEY_LABEL_SZ 23
|
---|
404 | /* The binder key label. */
|
---|
405 | static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =
|
---|
406 | "external psk binder key";
|
---|
407 | #else
|
---|
408 | /* The length of the binder key label. */
|
---|
409 | #define BINDER_KEY_LABEL_SZ 10
|
---|
410 | /* The binder key label. */
|
---|
411 | static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =
|
---|
412 | "ext binder";
|
---|
413 | #endif
|
---|
/* Derive the binder key for an external PSK.
 *
 * Expands binderKeyLabel from the early secret with an empty message as
 * context (DeriveKeyMsg hashes NULL/0); output is one digest of bytes.
 *
 * ssl The SSL/TLS object.
 * key The derived key; must hold at least one digest of bytes.
 * returns 0 on success, otherwise failure.
 */
static int DeriveBinderKey(WOLFSSL* ssl, byte* key)
{
    const byte* earlySecret;
    int         ret;

    WOLFSSL_MSG("Derive Binder Key");
    earlySecret = ssl->arrays->secret;
    ret = DeriveKeyMsg(ssl, key, -1, earlySecret, binderKeyLabel,
                       BINDER_KEY_LABEL_SZ, NULL, 0, ssl->specs.mac_algorithm);
    return ret;
}
|
---|
427 | #endif /* !NO_PSK */
|
---|
428 |
|
---|
429 | #ifdef HAVE_SESSION_TICKET
|
---|
430 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
431 | /* The length of the binder key resume label. */
|
---|
432 | #define BINDER_KEY_RESUME_LABEL_SZ 25
|
---|
433 | /* The binder key resume label. */
|
---|
434 | static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =
|
---|
435 | "resumption psk binder key";
|
---|
436 | #else
|
---|
437 | /* The length of the binder key resume label. */
|
---|
438 | #define BINDER_KEY_RESUME_LABEL_SZ 10
|
---|
439 | /* The binder key resume label. */
|
---|
440 | static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =
|
---|
441 | "res binder";
|
---|
442 | #endif
|
---|
/* Derive the binder key for a resumption PSK.
 *
 * Expands binderKeyResumeLabel from the early secret with an empty message
 * as context (DeriveKeyMsg hashes NULL/0); output is one digest of bytes.
 *
 * ssl The SSL/TLS object.
 * key The derived key; must hold at least one digest of bytes.
 * returns 0 on success, otherwise failure.
 */
static int DeriveBinderKeyResume(WOLFSSL* ssl, byte* key)
{
    const byte* earlySecret;
    int         ret;

    WOLFSSL_MSG("Derive Binder Key - Resumption");
    earlySecret = ssl->arrays->secret;
    ret = DeriveKeyMsg(ssl, key, -1, earlySecret, binderKeyResumeLabel,
                       BINDER_KEY_RESUME_LABEL_SZ, NULL, 0,
                       ssl->specs.mac_algorithm);
    return ret;
}
|
---|
456 | #endif /* HAVE_SESSION_TICKET */
|
---|
457 |
|
---|
458 | #ifdef WOLFSSL_EARLY_DATA
|
---|
459 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
460 | /* The length of the early traffic label. */
|
---|
461 | #define EARLY_TRAFFIC_LABEL_SZ 27
|
---|
462 | /* The early traffic label. */
|
---|
463 | static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =
|
---|
464 | "client early traffic secret";
|
---|
465 | #else
|
---|
466 | /* The length of the early traffic label. */
|
---|
467 | #define EARLY_TRAFFIC_LABEL_SZ 11
|
---|
468 | /* The early traffic label. */
|
---|
469 | static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =
|
---|
470 | "c e traffic";
|
---|
471 | #endif
|
---|
/* Derive the client early traffic secret.
 *
 * Expands earlyTrafficLabel from the early secret with the hash of the
 * handshake messages so far as context; output is one digest of bytes.
 *
 * ssl The SSL/TLS object.
 * key The derived key; must hold at least one digest of bytes.
 * returns 0 on success, otherwise failure.
 */
static int DeriveEarlyTrafficSecret(WOLFSSL* ssl, byte* key)
{
    const byte* earlySecret;
    int         ret;

    WOLFSSL_MSG("Derive Early Traffic Secret");
    earlySecret = ssl->arrays->secret;
    ret = DeriveKey(ssl, key, -1, earlySecret, earlyTrafficLabel,
                    EARLY_TRAFFIC_LABEL_SZ, ssl->specs.mac_algorithm, 1);
    return ret;
}
|
---|
485 |
|
---|
486 | #ifdef TLS13_SUPPORTS_EXPORTERS
|
---|
487 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
488 | /* The length of the early exporter label. */
|
---|
489 | #define EARLY_EXPORTER_LABEL_SZ 28
|
---|
490 | /* The early exporter label. */
|
---|
491 | static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] =
|
---|
492 | "early exporter master secret";
|
---|
493 | #else
|
---|
494 | /* The length of the early exporter label. */
|
---|
495 | #define EARLY_EXPORTER_LABEL_SZ 12
|
---|
496 | /* The early exporter label. */
|
---|
497 | static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] =
|
---|
498 | "e exp master";
|
---|
499 | #endif
|
---|
/* Derive the early exporter master secret.
 *
 * Expands earlyExporterLabel from the early secret with the hash of the
 * handshake messages so far as context; output is one digest of bytes.
 *
 * ssl The SSL/TLS object.
 * key The derived key; must hold at least one digest of bytes.
 * returns 0 on success, otherwise failure.
 */
static int DeriveEarlyExporterSecret(WOLFSSL* ssl, byte* key)
{
    const byte* earlySecret;
    int         ret;

    WOLFSSL_MSG("Derive Early Exporter Secret");
    earlySecret = ssl->arrays->secret;
    ret = DeriveKey(ssl, key, -1, earlySecret, earlyExporterLabel,
                    EARLY_EXPORTER_LABEL_SZ, ssl->specs.mac_algorithm, 1);
    return ret;
}
|
---|
513 | #endif
|
---|
514 | #endif
|
---|
515 |
|
---|
516 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
517 | /* The length of the client handshake label. */
|
---|
518 | #define CLIENT_HANDSHAKE_LABEL_SZ 31
|
---|
519 | /* The client handshake label. */
|
---|
520 | static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =
|
---|
521 | "client handshake traffic secret";
|
---|
522 | #else
|
---|
523 | /* The length of the client handshake label. */
|
---|
524 | #define CLIENT_HANDSHAKE_LABEL_SZ 12
|
---|
525 | /* The client handshake label. */
|
---|
526 | static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =
|
---|
527 | "c hs traffic";
|
---|
528 | #endif
|
---|
/* Derive the client handshake traffic secret.
 *
 * Expands clientHandshakeLabel from the handshake secret (held in
 * ssl->arrays->preMasterSecret) with the hash of the handshake messages so
 * far as context; output is one digest of bytes.
 *
 * ssl The SSL/TLS object.
 * key The derived key; must hold at least one digest of bytes.
 * returns 0 on success, otherwise failure.
 */
static int DeriveClientHandshakeSecret(WOLFSSL* ssl, byte* key)
{
    const byte* handshakeSecret;
    int         ret;

    WOLFSSL_MSG("Derive Client Handshake Secret");
    handshakeSecret = ssl->arrays->preMasterSecret;
    ret = DeriveKey(ssl, key, -1, handshakeSecret, clientHandshakeLabel,
                    CLIENT_HANDSHAKE_LABEL_SZ, ssl->specs.mac_algorithm, 1);
    return ret;
}
|
---|
542 |
|
---|
543 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
544 | /* The length of the server handshake label. */
|
---|
545 | #define SERVER_HANDSHAKE_LABEL_SZ 31
|
---|
546 | /* The server handshake label. */
|
---|
547 | static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =
|
---|
548 | "server handshake traffic secret";
|
---|
549 | #else
|
---|
550 | /* The length of the server handshake label. */
|
---|
551 | #define SERVER_HANDSHAKE_LABEL_SZ 12
|
---|
552 | /* The server handshake label. */
|
---|
553 | static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =
|
---|
554 | "s hs traffic";
|
---|
555 | #endif
|
---|
/* Derive the server handshake traffic secret.
 *
 * Expands serverHandshakeLabel from the handshake secret (held in
 * ssl->arrays->preMasterSecret) with the hash of the handshake messages so
 * far as context; output is one digest of bytes.
 *
 * ssl The SSL/TLS object.
 * key The derived key; must hold at least one digest of bytes.
 * returns 0 on success, otherwise failure.
 */
static int DeriveServerHandshakeSecret(WOLFSSL* ssl, byte* key)
{
    const byte* handshakeSecret;
    int         ret;

    WOLFSSL_MSG("Derive Server Handshake Secret");
    handshakeSecret = ssl->arrays->preMasterSecret;
    ret = DeriveKey(ssl, key, -1, handshakeSecret, serverHandshakeLabel,
                    SERVER_HANDSHAKE_LABEL_SZ, ssl->specs.mac_algorithm, 1);
    return ret;
}
|
---|
569 |
|
---|
570 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
571 | /* The length of the client application traffic label. */
|
---|
572 | #define CLIENT_APP_LABEL_SZ 33
|
---|
573 | /* The client application traffic label. */
|
---|
574 | static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =
|
---|
575 | "client application traffic secret";
|
---|
576 | #else
|
---|
577 | /* The length of the client application traffic label. */
|
---|
578 | #define CLIENT_APP_LABEL_SZ 12
|
---|
579 | /* The client application traffic label. */
|
---|
580 | static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =
|
---|
581 | "c ap traffic";
|
---|
582 | #endif
|
---|
/* Derive the client application traffic secret.
 *
 * Expands clientAppLabel from the master secret with the hash of the
 * handshake messages so far as context; output is one digest of bytes.
 *
 * ssl The SSL/TLS object.
 * key The derived key; must hold at least one digest of bytes.
 * returns 0 on success, otherwise failure.
 */
static int DeriveClientTrafficSecret(WOLFSSL* ssl, byte* key)
{
    const byte* masterSecret;
    int         ret;

    WOLFSSL_MSG("Derive Client Traffic Secret");
    masterSecret = ssl->arrays->masterSecret;
    ret = DeriveKey(ssl, key, -1, masterSecret, clientAppLabel,
                    CLIENT_APP_LABEL_SZ, ssl->specs.mac_algorithm, 1);
    return ret;
}
|
---|
596 |
|
---|
597 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
598 | /* The length of the server application traffic label. */
|
---|
599 | #define SERVER_APP_LABEL_SZ 33
|
---|
600 | /* The server application traffic label. */
|
---|
601 | static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =
|
---|
602 | "server application traffic secret";
|
---|
603 | #else
|
---|
604 | /* The length of the server application traffic label. */
|
---|
605 | #define SERVER_APP_LABEL_SZ 12
|
---|
606 | /* The server application traffic label. */
|
---|
607 | static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =
|
---|
608 | "s ap traffic";
|
---|
609 | #endif
|
---|
/* Derive the server application traffic secret.
 *
 * Expands serverAppLabel from the master secret with the hash of the
 * handshake messages so far as context; output is one digest of bytes.
 *
 * ssl The SSL/TLS object.
 * key The derived key; must hold at least one digest of bytes.
 * returns 0 on success, otherwise failure.
 */
static int DeriveServerTrafficSecret(WOLFSSL* ssl, byte* key)
{
    const byte* masterSecret;
    int         ret;

    WOLFSSL_MSG("Derive Server Traffic Secret");
    masterSecret = ssl->arrays->masterSecret;
    ret = DeriveKey(ssl, key, -1, masterSecret, serverAppLabel,
                    SERVER_APP_LABEL_SZ, ssl->specs.mac_algorithm, 1);
    return ret;
}
|
---|
623 |
|
---|
624 | #ifdef TLS13_SUPPORTS_EXPORTERS
|
---|
625 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
626 | /* The length of the exporter master secret label. */
|
---|
627 | #define EXPORTER_MASTER_LABEL_SZ 22
|
---|
628 | /* The exporter master secret label. */
|
---|
629 | static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =
|
---|
630 | "exporter master secret";
|
---|
631 | #else
|
---|
632 | /* The length of the exporter master secret label. */
|
---|
633 | #define EXPORTER_MASTER_LABEL_SZ 10
|
---|
634 | /* The exporter master secret label. */
|
---|
635 | static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =
|
---|
636 | "exp master";
|
---|
637 | #endif
|
---|
/* Derive the exporter master secret.
 *
 * Expands exporterMasterLabel from the master secret with the hash of the
 * handshake messages so far as context; output is one digest of bytes.
 *
 * ssl The SSL/TLS object.
 * key The derived key; must hold at least one digest of bytes.
 * returns 0 on success, otherwise failure.
 */
static int DeriveExporterSecret(WOLFSSL* ssl, byte* key)
{
    const byte* masterSecret;
    int         ret;

    WOLFSSL_MSG("Derive Exporter Secret");
    masterSecret = ssl->arrays->masterSecret;
    ret = DeriveKey(ssl, key, -1, masterSecret, exporterMasterLabel,
                    EXPORTER_MASTER_LABEL_SZ, ssl->specs.mac_algorithm, 1);
    return ret;
}
|
---|
651 | #endif
|
---|
652 |
|
---|
653 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
---|
654 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
655 | /* The length of the resumption master secret label. */
|
---|
656 | #define RESUME_MASTER_LABEL_SZ 24
|
---|
657 | /* The resumption master secret label. */
|
---|
658 | static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
|
---|
659 | "resumption master secret";
|
---|
660 | #else
|
---|
661 | /* The length of the resumption master secret label. */
|
---|
662 | #define RESUME_MASTER_LABEL_SZ 10
|
---|
663 | /* The resumption master secret label. */
|
---|
664 | static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
|
---|
665 | "res master";
|
---|
666 | #endif
|
---|
/* Derive the resumption master secret.
 *
 * Expands resumeMasterLabel from the master secret with the hash of the
 * handshake messages so far as context; output is one digest of bytes.
 *
 * ssl The SSL/TLS object.
 * key The derived key; must hold at least one digest of bytes.
 * returns 0 on success, otherwise failure.
 */
static int DeriveResumptionSecret(WOLFSSL* ssl, byte* key)
{
    const byte* masterSecret;
    int         ret;

    WOLFSSL_MSG("Derive Resumption Secret");
    masterSecret = ssl->arrays->masterSecret;
    ret = DeriveKey(ssl, key, -1, masterSecret, resumeMasterLabel,
                    RESUME_MASTER_LABEL_SZ, ssl->specs.mac_algorithm, 1);
    return ret;
}
|
---|
680 | #endif
|
---|
681 |
|
---|
682 | /* Length of the finished label. */
|
---|
683 | #define FINISHED_LABEL_SZ 8
|
---|
684 | /* Finished label for generating finished key. */
|
---|
685 | static const byte finishedLabel[FINISHED_LABEL_SZ+1] = "finished";
|
---|
/* Derive the finished key.
 *
 * Expands finishedLabel from the given traffic secret with an empty
 * context (includeMsgs is 0, so no transcript hash is mixed in); output is
 * one digest of bytes.
 *
 * ssl    The SSL/TLS object.
 * key    The traffic secret to use as the HMAC key.
 * secret The derived finished key; must hold at least one digest of bytes.
 * returns 0 on success, otherwise failure.
 */
static int DeriveFinishedSecret(WOLFSSL* ssl, byte* key, byte* secret)
{
    int ret;

    WOLFSSL_MSG("Derive Finished Secret");
    ret = DeriveKey(ssl, secret, -1, key, finishedLabel, FINISHED_LABEL_SZ,
                    ssl->specs.mac_algorithm, 0);
    return ret;
}
|
---|
699 |
|
---|
700 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
701 | /* The length of the application traffic label. */
|
---|
702 | #define APP_TRAFFIC_LABEL_SZ 26
|
---|
703 | /* The application traffic label. */
|
---|
704 | static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =
|
---|
705 | "application traffic secret";
|
---|
706 | #else
|
---|
707 | /* The length of the application traffic label. */
|
---|
708 | #define APP_TRAFFIC_LABEL_SZ 11
|
---|
709 | /* The application traffic label. */
|
---|
710 | static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =
|
---|
711 | "traffic upd";
|
---|
712 | #endif
|
---|
713 | /* Update the traffic secret.
|
---|
714 | *
|
---|
715 | * ssl The SSL/TLS object.
|
---|
716 | * secret The previous secret and derived secret.
|
---|
717 | * returns 0 on success, otherwise failure.
|
---|
718 | */
|
---|
719 | static int DeriveTrafficSecret(WOLFSSL* ssl, byte* secret)
|
---|
720 | {
|
---|
721 | WOLFSSL_MSG("Derive New Application Traffic Secret");
|
---|
722 | return DeriveKey(ssl, secret, -1, secret,
|
---|
723 | appTrafficLabel, APP_TRAFFIC_LABEL_SZ,
|
---|
724 | ssl->specs.mac_algorithm, 0);
|
---|
725 | }
|
---|
726 |
|
---|
/* Derive the early secret using HKDF Extract.
 *
 * Early-Secret = HKDF-Extract(salt = 0, IKM = PSK). With PSK/ticket support
 * the PSK is ssl->arrays->psk_key; otherwise ssl->arrays->masterSecret is
 * passed with length 0, which makes Tls13_HKDF_Extract zero that buffer and
 * use digest-length zeros as the IKM (so masterSecret is clobbered here as
 * scratch). The same zeroing happens for psk_key when psk_keySz is 0.
 *
 * ssl The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int DeriveEarlySecret(WOLFSSL* ssl)
{
    byte* ikm;
    int   ikmLen;

    WOLFSSL_MSG("Derive Early Secret");
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    ikm = ssl->arrays->psk_key;
    ikmLen = ssl->arrays->psk_keySz;
#else
    ikm = ssl->arrays->masterSecret;
    ikmLen = 0;
#endif
    return Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0, ikm, ikmLen,
                              ssl->specs.mac_algorithm);
}
|
---|
743 |
|
---|
744 | #ifndef WOLFSSL_TLS13_DRAFT_18
|
---|
745 | /* The length of the derived label. */
|
---|
746 | #define DERIVED_LABEL_SZ 7
|
---|
747 | /* The derived label. */
|
---|
748 | static const byte derivedLabel[DERIVED_LABEL_SZ + 1] =
|
---|
749 | "derived";
|
---|
750 | #endif
|
---|
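/* Derive the handshake secret using HKDF Extract.
 *
 * Draft 18: Handshake-Secret = HKDF-Extract(salt = Early-Secret,
 *                                          IKM = (EC)DHE shared secret).
 * Otherwise the salt is first run through Derive-Secret(Early-Secret,
 * "derived", "") and that intermediate key is used as the salt. The shared
 * secret lives in ssl->arrays->preMasterSecret and the result is written
 * over it in place. NOTE(review): that in-place use assumes wc_HKDF_Extract
 * has consumed the IKM before writing prk - confirm against the HKDF code.
 *
 * ssl The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int DeriveHandshakeSecret(WOLFSSL* ssl)
{
#ifdef WOLFSSL_TLS13_DRAFT_18
    WOLFSSL_MSG("Derive Handshake Secret");
    return Tls13_HKDF_Extract(ssl->arrays->preMasterSecret,
            ssl->arrays->secret, ssl->specs.hash_size,
            ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
            ssl->specs.mac_algorithm);
#else
    byte key[WC_MAX_DIGEST_SIZE];
    int ret;

    WOLFSSL_MSG("Derive Handshake Secret");

    ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
                        derivedLabel, DERIVED_LABEL_SZ,
                        NULL, 0, ssl->specs.mac_algorithm);
    if (ret == 0) {
        ret = Tls13_HKDF_Extract(ssl->arrays->preMasterSecret,
                key, ssl->specs.hash_size,
                ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
                ssl->specs.mac_algorithm);
    }

    /* key is keying material derived from the early secret; do not leave
     * it on the stack after use (matches ForceZero use in HKDF_Expand_Label). */
    ForceZero(key, sizeof(key));

    return ret;
#endif
}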
|
---|
781 |
|
---|
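/* Derive the master secret using HKDF Extract.
 *
 * Draft 18: Master-Secret = HKDF-Extract(salt = Handshake-Secret, IKM = 0).
 * Otherwise the salt is first run through Derive-Secret(Handshake-Secret,
 * "derived", "") and that intermediate key is used as the salt. The IKM is
 * passed as ssl->arrays->masterSecret with length 0, which makes
 * Tls13_HKDF_Extract zero that buffer and use digest-length zeros; the
 * result is then written into the same buffer.
 *
 * ssl The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int DeriveMasterSecret(WOLFSSL* ssl)
{
#ifdef WOLFSSL_TLS13_DRAFT_18
    WOLFSSL_MSG("Derive Master Secret");
    return Tls13_HKDF_Extract(ssl->arrays->masterSecret,
            ssl->arrays->preMasterSecret, ssl->specs.hash_size,
            ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm);
#else
    byte key[WC_MAX_DIGEST_SIZE];
    int ret;

    WOLFSSL_MSG("Derive Master Secret");

    ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->preMasterSecret,
                        derivedLabel, DERIVED_LABEL_SZ,
                        NULL, 0, ssl->specs.mac_algorithm);
    if (ret == 0) {
        ret = Tls13_HKDF_Extract(ssl->arrays->masterSecret,
                key, ssl->specs.hash_size,
                ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm);
    }

    /* key is keying material derived from the handshake secret; do not
     * leave it on the stack after use. */
    ForceZero(key, sizeof(key));

    return ret;
#endif
}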
|
---|
810 |
|
---|
/* Calculate the HMAC of message data to this point.
 *
 * The transcript hash of the handshake messages seen so far is written into
 * hash and then replaced, in place, by HMAC(key, transcript hash) using the
 * hash algorithm selected by ssl->specs.mac_algorithm.
 *
 * ssl     The SSL/TLS object.
 * key     The HMAC key (ssl->specs.hash_size bytes are used).
 * hash    Buffer that receives the verify data; must hold a full digest of
 *         the selected algorithm.
 * pHashSz Optional; when non-NULL receives the length of the verify data.
 *         It is set even when the HMAC step fails.
 * returns 0 on success, BAD_FUNC_ARG for an unsupported MAC algorithm,
 *         otherwise failure.
 */
static int BuildTls13HandshakeHmac(WOLFSSL* ssl, byte* key, byte* hash,
                                   word32* pHashSz)
{
    Hmac verifyHmac;
    int  hashType = WC_SHA256;
    int  hashSz   = WC_SHA256_DIGEST_SIZE;
    int  ret      = BAD_FUNC_ARG;

    /* Transcript hash of the handshake so far, per negotiated algorithm. */
    switch (ssl->specs.mac_algorithm) {
#ifndef NO_SHA256
        case sha256_mac:
            hashType = WC_SHA256;
            hashSz   = WC_SHA256_DIGEST_SIZE;
            ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            break;
#endif /* !NO_SHA256 */
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashType = WC_SHA384;
            hashSz   = WC_SHA384_DIGEST_SIZE;
            ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            break;
#endif /* WOLFSSL_SHA384 */
#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hashType = WC_SHA512;
            hashSz   = WC_SHA512_DIGEST_SIZE;
            ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            break;
#endif /* WOLFSSL_TLS13_SHA512 */
        default:
            /* ret remains BAD_FUNC_ARG. */
            break;
    }
    if (ret != 0)
        return ret;

    /* Verify data = HMAC(key, transcript hash), written back into hash. */
    ret = wc_HmacInit(&verifyHmac, ssl->heap, ssl->devId);
    if (ret == 0) {
        ret = wc_HmacSetKey(&verifyHmac, hashType, key, ssl->specs.hash_size);
        if (ret == 0 && (ret = wc_HmacUpdate(&verifyHmac, hash, hashSz)) == 0)
            ret = wc_HmacFinal(&verifyHmac, hash);
        wc_HmacFree(&verifyHmac);
    }

    if (pHashSz != NULL)
        *pHashSz = hashSz;

    return ret;
}
|
---|
869 |
|
---|
/* The length of the label to use when deriving keys (excludes the NUL). */
#define WRITE_KEY_LABEL_SZ 3
/* The length of the label to use when deriving IVs (excludes the NUL). */
#define WRITE_IV_LABEL_SZ 2
/* The label to use when deriving keys. The array is one byte longer than the
 * label so the string literal's terminating NUL fits; only
 * WRITE_KEY_LABEL_SZ bytes are passed to the derivation. */
static const byte writeKeyLabel[WRITE_KEY_LABEL_SZ+1] = "key";
/* The label to use when deriving IVs. Sized like writeKeyLabel; only
 * WRITE_IV_LABEL_SZ bytes are passed to the derivation. */
static const byte writeIVLabel[WRITE_IV_LABEL_SZ+1] = "iv";
|
---|
878 |
|
---|
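/* Derive the keys and IVs for TLS v1.3.
 *
 * First refreshes the client and/or server secret selected by side, then,
 * when store is set, expands each selected secret into a write key and a
 * write IV (key_dig = client key | server key | client IV | server IV, only
 * the selected parts present) and hands the result to StoreKeys.
 *
 * ssl    The SSL/TLS object.
 * secret early_data_key when deriving the key and IV for encrypting early
 *        data application data and end_of_early_data messages.
 *        handshake_key when deriving keys and IVs for encrypting handshake
 *        messages.
 *        traffic_key when deriving first keys and IVs for encrypting
 *        traffic messages.
 *        update_traffic_key when deriving next keys and IVs for encrypting
 *        traffic messages.
 * side   ENCRYPT_SIDE_ONLY when only encryption secret needs to be derived.
 *        DECRYPT_SIDE_ONLY when only decryption secret needs to be derived.
 *        ENCRYPT_AND_DECRYPT_SIDE when both secrets need to be derived.
 * store  1 indicates to derive the keys and IVs from derived secret and
 *        store ready for provisioning.
 * returns 0 on success, BAD_FUNC_ARG for an unrecognised secret, MEMORY_E
 *        when the key buffer cannot be allocated, otherwise failure.
 */
static int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store)
{
    /* Fail closed: previously left uninitialised, so an unrecognised secret
     * with store == 0 returned whatever was on the stack. */
    int ret = BAD_FUNC_ARG;
    int i = 0;
#ifdef WOLFSSL_SMALL_STACK
    byte* key_dig;
#else
    byte  key_dig[MAX_PRF_DIG];
#endif
    int provision;

#ifdef WOLFSSL_SMALL_STACK
    key_dig = (byte*)XMALLOC(MAX_PRF_DIG, ssl->heap, DYNAMIC_TYPE_DIGEST);
    if (key_dig == NULL)
        return MEMORY_E;
#endif

    /* Map direction onto secrets: our encrypt side uses our own secret, our
     * decrypt side uses the peer's (server^ENCRYPT -> server, client^ENCRYPT
     * -> client, and the opposite for DECRYPT). */
    if (side == ENCRYPT_AND_DECRYPT_SIDE) {
        provision = PROVISION_CLIENT_SERVER;
    }
    else {
        provision = ((ssl->options.side != WOLFSSL_CLIENT_END) ^
                     (side == ENCRYPT_SIDE_ONLY)) ? PROVISION_CLIENT :
                                                   PROVISION_SERVER;
    }

    /* Derive the appropriate secret to use in the HKDF. */
    switch (secret) {
#ifdef WOLFSSL_EARLY_DATA
        case early_data_key:
            /* NOTE(review): only clientSecret is refreshed here; callers are
             * expected to pass a side that maps to PROVISION_CLIENT. */
            ret = DeriveEarlyTrafficSecret(ssl, ssl->arrays->clientSecret);
            if (ret != 0)
                goto end;
            break;
#endif

        case handshake_key:
            if (provision & PROVISION_CLIENT) {
                ret = DeriveClientHandshakeSecret(ssl,
                                                  ssl->arrays->clientSecret);
                if (ret != 0)
                    goto end;
            }
            if (provision & PROVISION_SERVER) {
                ret = DeriveServerHandshakeSecret(ssl,
                                                  ssl->arrays->serverSecret);
                if (ret != 0)
                    goto end;
            }
            break;

        case traffic_key:
            if (provision & PROVISION_CLIENT) {
                ret = DeriveClientTrafficSecret(ssl, ssl->arrays->clientSecret);
                if (ret != 0)
                    goto end;
            }
            if (provision & PROVISION_SERVER) {
                ret = DeriveServerTrafficSecret(ssl, ssl->arrays->serverSecret);
                if (ret != 0)
                    goto end;
            }
            break;

        case update_traffic_key:
            if (provision & PROVISION_CLIENT) {
                ret = DeriveTrafficSecret(ssl, ssl->arrays->clientSecret);
                if (ret != 0)
                    goto end;
            }
            if (provision & PROVISION_SERVER) {
                ret = DeriveTrafficSecret(ssl, ssl->arrays->serverSecret);
                if (ret != 0)
                    goto end;
            }
            break;

        default:
            /* Unknown secret type: do not expand keys from whatever the
             * secret buffers currently hold. */
            ret = BAD_FUNC_ARG;
            goto end;
    }

    if (!store)
        goto end;

    /* Key data = client key | server key | client IV | server IV */

    if (provision & PROVISION_CLIENT) {
        /* Derive the client key. */
        WOLFSSL_MSG("Derive Client Key");
        ret = DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
                        ssl->arrays->clientSecret, writeKeyLabel,
                        WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0);
        if (ret != 0)
            goto end;
        i += ssl->specs.key_size;
    }

    if (provision & PROVISION_SERVER) {
        /* Derive the server key. */
        WOLFSSL_MSG("Derive Server Key");
        ret = DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
                        ssl->arrays->serverSecret, writeKeyLabel,
                        WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0);
        if (ret != 0)
            goto end;
        i += ssl->specs.key_size;
    }

    if (provision & PROVISION_CLIENT) {
        /* Derive the client IV. */
        WOLFSSL_MSG("Derive Client IV");
        ret = DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
                        ssl->arrays->clientSecret, writeIVLabel,
                        WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0);
        if (ret != 0)
            goto end;
        i += ssl->specs.iv_size;
    }

    if (provision & PROVISION_SERVER) {
        /* Derive the server IV. */
        WOLFSSL_MSG("Derive Server IV");
        ret = DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
                        ssl->arrays->serverSecret, writeIVLabel,
                        WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0);
        if (ret != 0)
            goto end;
    }

    /* Store keys and IVs but don't activate them. */
    ret = StoreKeys(ssl, key_dig, provision);

end:
    /* key_dig held raw keys and IVs; scrub it before it is released or goes
     * out of scope. */
    ForceZero(key_dig, MAX_PRF_DIG);
#ifdef WOLFSSL_SMALL_STACK
    XFREE(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST);
#endif

    return ret;
}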
|
---|
1033 |
|
---|
1034 | #ifdef HAVE_SESSION_TICKET
|
---|
1035 | #if defined(USER_TICKS)
|
---|
1036 | #if 0
|
---|
word32 TimeNowInMilliseconds(void)
{
    /*
    Template for a user-supplied clock when gettimeofday() is not wanted.
    The value needs millisecond resolution but does not have to be relative
    to the epoch: it is only used to measure elapsed time between ticket
    events. (This stub is compiled out; the body must return a word32.)
    */
}
|
---|
1044 | #endif
|
---|
1045 |
|
---|
1046 | #elif defined(TIME_OVERRIDES)
|
---|
1047 | #ifndef HAVE_TIME_T_TYPE
|
---|
1048 | typedef long time_t;
|
---|
1049 | #endif
|
---|
1050 | extern time_t XTIME(time_t * timer);
|
---|
1051 |
|
---|
/* The time in milliseconds.
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Built on the user-provided XTIME(), which has whole-second resolution, so
 * the result only changes once per second. The multiplication is done in
 * word32 and wraps modulo 2^32.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowSec = (word32)XTIME(0);

    return nowSec * 1000;
}
|
---|
1062 | #elif defined(USE_WINDOWS_API)
|
---|
/* The time in milliseconds.
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Uses the Windows performance counter. The counter frequency is queried
 * once and cached in a function-static; a concurrent first call may query
 * it twice, which is harmless as the value is the same.
 * NOTE(review): freq.QuadPart / 1000 is assumed non-zero (counter frequency
 * of at least 1 kHz) - confirm for the target platform.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    static int           haveFreq = 0;
    static LARGE_INTEGER freq;
    LARGE_INTEGER        now;

    if (haveFreq == 0) {
        QueryPerformanceFrequency(&freq);
        haveFreq = 1;
    }
    QueryPerformanceCounter(&now);

    /* ticks / (ticks per millisecond) */
    return (word32)(now.QuadPart / (freq.QuadPart / 1000));
}
|
---|
1084 |
|
---|
1085 | #elif defined(HAVE_RTP_SYS)
|
---|
1086 | #include "rtptime.h"
|
---|
1087 |
|
---|
/* The time in milliseconds.
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Built on rtp_get_system_sec(), which has whole-second resolution, so the
 * result only changes once per second. The multiplication is done in word32
 * and wraps modulo 2^32.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowSec = (word32)rtp_get_system_sec();

    return nowSec * 1000;
}
|
---|
1098 | #elif defined(MICRIUM)
|
---|
/* The time in milliseconds.
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Converts the Micrium OS tick count to whole seconds first, so the result
 * only changes once per second. The error output of OSTimeGet() is not
 * inspected.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    OS_ERR  err;
    OS_TICK ticks = OSTimeGet(&err);
    word32  nowSec = (word32)(ticks / OSCfg_TickRate_Hz);

    return nowSec * 1000;
}
|
---|
1114 | #elif defined(MICROCHIP_TCPIP_V5)
|
---|
/* The time in milliseconds.
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Divides the tick count by TICKS_PER_SECOND / 1000 (ticks per millisecond).
 * NOTE(review): if TICKS_PER_SECOND / 1000 evaluates to 0 (tick rate below
 * 1 kHz) the divisor is zero - confirm the configured tick rate.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    return (word32) (TickGet() / (TICKS_PER_SECOND / 1000));
}
|
---|
1125 | #elif defined(MICROCHIP_TCPIP)
|
---|
1126 | #if defined(MICROCHIP_MPLAB_HARMONY)
|
---|
1127 | #include <system/tmr/sys_tmr.h>
|
---|
1128 |
|
---|
/* The time in milliseconds.
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Divides the Harmony timer tick count by the tick frequency scaled to
 * milliseconds. NOTE(review): if SYS_TMR_TickCounterFrequencyGet() / 1000
 * evaluates to 0 (tick rate below 1 kHz) the divisor is zero - confirm the
 * configured tick rate.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    return (word32)(SYS_TMR_TickCountGet() /
                    (SYS_TMR_TickCounterFrequencyGet() / 1000));
}
|
---|
1140 | #else
|
---|
/* The time in milliseconds.
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Divides the system tick count by the ticks-per-second value scaled to
 * milliseconds. NOTE(review): if SYS_TICK_TicksPerSecondGet() / 1000
 * evaluates to 0 (tick rate below 1 kHz) the divisor is zero - confirm the
 * configured tick rate.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    return (word32)(SYS_TICK_Get() / (SYS_TICK_TicksPerSecondGet() / 1000));
}
|
---|
1151 |
|
---|
1152 | #endif
|
---|
1153 |
|
---|
1154 | #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
|
---|
/* The time in milliseconds.
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Built on the MQX elapsed-time SECONDS field only, so the result only
 * changes once per second. The multiplication is done in word32 and wraps
 * modulo 2^32.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    TIME_STRUCT elapsed;
    word32      nowSec;

    _time_get_elapsed(&elapsed);
    nowSec = (word32)elapsed.SECONDS;

    return nowSec * 1000;
}
|
---|
1169 | #elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
|
---|
1170 | #include "include/task.h"
|
---|
1171 |
|
---|
/* The time in milliseconds.
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Scales the FreeRTOS tick count to milliseconds through a float divide and
 * truncates the result back to an unsigned integer. NOTE(review): if
 * configTICK_RATE_HZ / 1000 evaluates to 0 (tick rate below 1 kHz) the
 * divisor is zero - confirm the configured tick rate.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    return (unsigned int)(((float)xTaskGetTickCount()) /
                          (configTICK_RATE_HZ / 1000));
}
|
---|
1183 | #elif defined(FREESCALE_KSDK_BM)
|
---|
1184 | #include "lwip/sys.h" /* lwIP */
|
---|
1185 |
|
---|
/* The time in milliseconds.
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Thin wrapper over the lwIP millisecond clock sys_now().
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowMs = (word32)sys_now();

    return nowMs;
}
|
---|
1196 | #elif defined(WOLFSSL_TIRTOS)
|
---|
/* The time in milliseconds.
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Built on TI-RTOS Seconds_get(), which has whole-second resolution, so the
 * result only changes once per second. The multiplication is done in word32
 * and wraps modulo 2^32.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowSec = (word32)Seconds_get();

    return nowSec * 1000;
}
|
---|
1207 | #elif defined(WOLFSSL_UTASKER)
|
---|
/* The time in milliseconds.
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Divides the uTasker system tick by TICK_RESOLUTION / 1000.
 * NOTE(review): if TICK_RESOLUTION / 1000 evaluates to 0 the divisor is
 * zero - confirm the configured tick resolution.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    return (word32)(uTaskerSystemTick / (TICK_RESOLUTION / 1000));
}
|
---|
1218 | #else
|
---|
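/* The time in milliseconds.
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Default implementation on gettimeofday(). The conversion is done in
 * unsigned 32-bit arithmetic so that tv_sec * 1000 cannot overflow a 32-bit
 * time_t (signed overflow would be undefined); the value is intended to wrap
 * modulo 2^32 and is only used for differences.
 *
 * returns the time in milliseconds as a 32-bit value, or GETTIME_ERROR
 *         (converted to word32) when gettimeofday() fails.
 */
word32 TimeNowInMilliseconds(void)
{
    struct timeval now;

    if (gettimeofday(&now, 0) < 0)
        return GETTIME_ERROR;
    /* Convert to milliseconds number. */
    return (word32)now.tv_sec * 1000 + (word32)(now.tv_usec / 1000);
}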
|
---|
1234 | #endif
|
---|
1235 | #endif /* HAVE_SESSION_TICKET */
|
---|
1236 |
|
---|
1237 |
|
---|
1238 | #if !defined(NO_WOLFSSL_SERVER) && (defined(HAVE_SESSION_TICKET) || \
|
---|
1239 | !defined(NO_PSK))
|
---|
/* Add input to all handshake hashes.
 *
 * Every compiled-in transcript hash (SHA-256, SHA-384, SHA-512) is updated
 * with the same bytes; the first failure is returned. If no hash algorithm
 * is compiled in, BAD_FUNC_ARG is returned.
 *
 * ssl   The SSL/TLS object.
 * input The data to hash.
 * sz    The size of the data to hash. NOTE(review): declared int but passed
 *       to the hash update calls, which presumably take an unsigned length;
 *       callers are expected to pass a non-negative value.
 * returns 0 on success, otherwise failure.
 */
static int HashInputRaw(WOLFSSL* ssl, const byte* input, int sz)
{
    int ret = BAD_FUNC_ARG;

#ifndef NO_SHA256
    if ((ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, input, sz)) != 0)
        return ret;
#endif
#ifdef WOLFSSL_SHA384
    if ((ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, input, sz)) != 0)
        return ret;
#endif
#ifdef WOLFSSL_TLS13_SHA512
    if ((ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, input, sz)) != 0)
        return ret;
#endif

    return ret;
}
|
---|
1269 | #endif
|
---|
1270 |
|
---|
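/* Extract the handshake header information.
 *
 * The header is HANDSHAKE_HEADER_SZ bytes: one type byte followed by a
 * 3-byte length. Only the header itself is bounds-checked here; the body
 * length it reports is not checked against the buffer (callers do that).
 *
 * ssl      The SSL/TLS object (unused).
 * input    The buffer holding the message data.
 * inOutIdx On entry, the index into the buffer of the handshake data.
 *          On exit, the start of the handshake data. Left unchanged when
 *          BUFFER_E is returned.
 * type     Type of handshake message.
 * size     The length of the handshake message data.
 * totalSz  The total size of data in the buffer.
 * returns BUFFER_E if there is not enough input data and 0 on success.
 */
static int GetHandshakeHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                              byte* type, word32* size, word32 totalSz)
{
    const byte* ptr;
    (void)ssl;

    /* Check before advancing, in a form where neither the addition nor the
     * subtraction can wrap when *inOutIdx is near the top of the word32
     * range (the old "idx + HDR > totalSz" could wrap and pass). */
    if (*inOutIdx > totalSz || totalSz - *inOutIdx < HANDSHAKE_HEADER_SZ)
        return BUFFER_E;

    ptr = input + *inOutIdx;
    *inOutIdx += HANDSHAKE_HEADER_SZ;

    *type = ptr[0];
    c24to32(&ptr[1], size);

    return 0;
}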
|
---|
1297 |
|
---|
/* Add record layer header to message.
 *
 * Writes type, protocol version and a 16-bit length at the start of output.
 * The minor version is always TLSv1_MINOR here, independent of the
 * negotiated version; the major comes from ssl->version.
 *
 * output The buffer to write the record layer header into.
 * length The length of the record data. Truncated to 16 bits on the wire;
 *        callers keep it within the record size limit.
 * type   The type of record message.
 * ssl    The SSL/TLS object.
 */
static void AddTls13RecordHeader(byte* output, word32 length, byte type,
                                 WOLFSSL* ssl)
{
    RecordLayerHeader* hdr = (RecordLayerHeader*)output;

    hdr->type    = type;
    hdr->pvMajor = ssl->version.major;
    hdr->pvMinor = TLSv1_MINOR;
    c16toa((word16)length, hdr->length);
}
|
---|
1316 |
|
---|
/* Add handshake header to message.
 *
 * Writes the handshake type byte followed by the 3-byte body length. The
 * fragment parameters and ssl are accepted for signature compatibility with
 * the DTLS variant and are not used here.
 *
 * output     The buffer to write the handshake header into.
 * length     The length of the handshake data.
 * fragOffset The offset of the fragment data. (DTLS)
 * fragLength The length of the fragment data. (DTLS)
 * type       The type of handshake message.
 * ssl        The SSL/TLS object. (DTLS)
 */
static void AddTls13HandShakeHeader(byte* output, word32 length,
                                    word32 fragOffset, word32 fragLength,
                                    byte type, WOLFSSL* ssl)
{
    HandShakeHeader* hdr = (HandShakeHeader*)output;

    (void)fragOffset;
    (void)fragLength;
    (void)ssl;

    hdr->type = type;
    c32to24(length, hdr->length);
}
|
---|
1340 |
|
---|
1341 |
|
---|
/* Add both record layer and handshake header to message.
 *
 * The record header length covers the handshake header plus the handshake
 * data; the handshake header is written directly after the record header
 * with no fragmentation (offset 0, fragment length == length).
 *
 * output The buffer to write the headers into.
 * length The length of the handshake data.
 * type   The type of handshake message.
 * ssl    The SSL/TLS object.
 */
static void AddTls13Headers(byte* output, word32 length, byte type,
                            WOLFSSL* ssl)
{
    AddTls13RecordHeader(output, length + HANDSHAKE_HEADER_SZ, handshake, ssl);
    AddTls13HandShakeHeader(output + RECORD_HEADER_SZ, length, 0, length,
                            type, ssl);
}
|
---|
1358 |
|
---|
1359 |
|
---|
1360 | #ifndef NO_CERTS
|
---|
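/* Add both record layer and fragment handshake header to message.
 *
 * The record header length covers the handshake header plus this fragment
 * (fragSz); the handshake header carries the full message length. Note
 * AddTls13RecordHeader writes a 16-bit length, so fragSz must stay within
 * the record size limit.
 *
 * output     The buffer to write the headers into.
 * fragSz     The length of the fragment data in this record.
 * fragOffset The offset of the fragment data. (DTLS)
 * length     The length of the whole handshake message.
 * type       The type of handshake message.
 * ssl        The SSL/TLS object. (DTLS)
 */
static void AddTls13FragHeaders(byte* output, word32 fragSz, word32 fragOffset,
                                word32 length, byte type, WOLFSSL* ssl)
{
    word32 lengthAdj = HANDSHAKE_HEADER_SZ;
    word32 outputAdj = RECORD_HEADER_SZ;

    AddTls13RecordHeader(output, fragSz + lengthAdj, handshake, ssl);
    AddTls13HandShakeHeader(output + outputAdj, length, fragOffset, fragSz,
                            type, ssl);
}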
|
---|
1381 | #endif /* NO_CERTS */
|
---|
1382 |
|
---|
/* Write the sequence number into the buffer.
 * No DTLS v1.3 support.
 *
 * The 64-bit sequence number is kept as a high and a low word32. The value
 * written is the current one; the low word is then incremented and a carry
 * into the high word is applied when the low word wrapped.
 *
 * ssl         The SSL/TLS object.
 * verifyOrder Non-zero selects the peer (receive) sequence number, zero the
 *             own (send) sequence number.
 * out         The buffer to write into (2 * OPAQUE32_LEN bytes).
 */
static INLINE void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out)
{
    word32* hi;
    word32* lo;
    word32  curHi;
    word32  curLo;

    if (verifyOrder) {
        hi = &ssl->keys.peer_sequence_number_hi;
        lo = &ssl->keys.peer_sequence_number_lo;
    }
    else {
        hi = &ssl->keys.sequence_number_hi;
        lo = &ssl->keys.sequence_number_lo;
    }

    /* Snapshot, then post-increment with carry on rollover. */
    curHi = *hi;
    curLo = (*lo)++;
    if (curLo > *lo)
        (*hi)++;

    c32toa(curHi, out);
    c32toa(curLo, out + OPAQUE32_LEN);
}
|
---|
1412 |
|
---|
/* Build the nonce for TLS v1.3 encryption and decryption.
 *
 * The leading AEAD_NONCE_SZ - SEQ_SZ bytes of the IV are copied unchanged;
 * the trailing SEQ_SZ bytes are the record sequence number XORed with the
 * corresponding IV bytes. WriteSEQ also advances the sequence number.
 *
 * ssl   The SSL/TLS object.
 * nonce The nonce buffer to fill (AEAD_NONCE_SZ bytes).
 * iv    The derived IV.
 * order The side on which the message is to be or was sent.
 */
static INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv,
                                   int order)
{
    int idx;

    WriteSEQ(ssl, order, nonce + AEAD_NONCE_SZ - SEQ_SZ);
    XMEMCPY(nonce, iv, AEAD_NONCE_SZ - SEQ_SZ);
    for (idx = AEAD_NONCE_SZ - SEQ_SZ; idx < AEAD_NONCE_SZ; idx++)
        nonce[idx] ^= iv[idx];
}
|
---|
1432 |
|
---|
1433 | #ifdef HAVE_CHACHA
|
---|
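/* Encrypt with ChaCha20 and create authentication tag with Poly1305.
 *
 * The one-time Poly1305 key is obtained by encrypting 256 zero bits with
 * ChaCha20 at counter 0 under the record nonce; the plaintext is then
 * encrypted with the following keystream. No additional authenticated data
 * is supplied to the MAC. The Poly1305 key is scrubbed from the stack on
 * every path (previously a failure of the keystream call returned without
 * clearing it).
 *
 * ssl    The SSL/TLS object.
 * output The buffer to write encrypted data and authentication tag into.
 *        May be the same pointer as input.
 * input  The data to encrypt.
 * sz     The number of bytes to encrypt.
 * nonce  The nonce to use with ChaCha20.
 * tag    The authentication tag buffer (POLY1305_AUTH_SZ bytes).
 * returns 0 on success, otherwise failure.
 */
static int ChaCha20Poly1305_Encrypt(WOLFSSL* ssl, byte* output,
                                    const byte* input, word16 sz, byte* nonce,
                                    byte* tag)
{
    int  ret;
    byte poly[CHACHA20_256_KEY_SIZE];

    /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
    XMEMSET(poly, 0, sizeof(poly));

    /* Set the nonce for ChaCha (counter 0). */
    ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0);
    /* Create Poly1305 key using ChaCha20 keystream. */
    if (ret == 0)
        ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, poly, sizeof(poly));
    /* Encrypt the plain text. */
    if (ret == 0)
        ret = wc_Chacha_Process(ssl->encrypt.chacha, output, input, sz);
    /* Set key for Poly1305. */
    if (ret == 0)
        ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));

    /* Done with the one-time key on every path; clear it. */
    ForceZero(poly, sizeof(poly));
    if (ret != 0)
        return ret;

    /* Add authentication code of encrypted data to end. */
    return wc_Poly1305_MAC(ssl->auth.poly1305, NULL, 0, output, sz, tag,
                           POLY1305_AUTH_SZ);
}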
|
---|
1481 | #endif
|
---|
1482 |
|
---|
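/* Encrypt data for TLS v1.3.
 *
 * Runs a three-step state machine kept in ssl->encrypt.state:
 *   CIPHER_STATE_BEGIN builds the per-record nonce,
 *   CIPHER_STATE_DO    runs the AEAD (may return WC_PENDING_E with async
 *                      crypto and be resumed on the next call),
 *   CIPHER_STATE_END   scrubs the nonce;
 * the state is reset to BEGIN before a non-pending return.
 *
 * ssl       The SSL/TLS object.
 * output    The buffer to write encrypted data and authentication tag into.
 *           May be the same pointer as input.
 * input     The data to encrypt.
 * sz        The number of bytes of output: plaintext length plus the AEAD
 *           tag length (ssl->specs.aead_mac_size).
 * asyncOkay If non-zero can return WC_PENDING_E, otherwise blocks on crypto
 * returns 0 on success, BUFFER_E when sz is smaller than the tag length,
 *         MEMORY_E when the nonce buffer cannot be allocated, ENCRYPT_ERROR
 *         for an unsupported bulk cipher, otherwise failure.
 */
static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
                        word16 sz, int asyncOkay)
{
    int    ret = 0;
    word16 macSz = ssl->specs.aead_mac_size;
    word16 dataSz;
    word32 nonceSz = 0;
#ifdef WOLFSSL_ASYNC_CRYPT
    WC_ASYNC_DEV* asyncDev = NULL;
    word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN;
#endif

    WOLFSSL_ENTER("EncryptTls13");

    /* sz must cover the tag: otherwise the word16 subtraction below wraps
     * and the AEAD would read far past input. */
    if (sz < macSz)
        return BUFFER_E;
    dataSz = sz - macSz;

    (void)output;
    (void)input;
    (void)sz;
    (void)dataSz;
    (void)macSz;
    (void)asyncOkay;
    (void)nonceSz;

#ifdef WOLFSSL_ASYNC_CRYPT
    if (ssl->error == WC_PENDING_E) {
        ssl->error = 0; /* clear async */
    }
#endif

    switch (ssl->encrypt.state) {
        case CIPHER_STATE_BEGIN:
        {
        #ifdef WOLFSSL_DEBUG_TLS
            WOLFSSL_MSG("Data to encrypt");
            WOLFSSL_BUFFER(input, dataSz);
        #endif

            /* Nonce buffer is allocated once and reused across records. */
            if (ssl->encrypt.nonce == NULL)
                ssl->encrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ,
                                                ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
            if (ssl->encrypt.nonce == NULL)
                return MEMORY_E;

            BuildTls13Nonce(ssl, ssl->encrypt.nonce, ssl->keys.aead_enc_imp_IV,
                            CUR_ORDER);

            /* Advance state and proceed */
            ssl->encrypt.state = CIPHER_STATE_DO;
        }
        FALL_THROUGH;

        case CIPHER_STATE_DO:
        {
            switch (ssl->specs.bulk_cipher_algorithm) {
            #ifdef BUILD_AESGCM
                case wolfssl_aes_gcm:
                #ifdef WOLFSSL_ASYNC_CRYPT
                    /* intialize event */
                    asyncDev = &ssl->encrypt.aes->asyncDev;
                    ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
                    if (ret != 0)
                        break;
                #endif

                    nonceSz = AESGCM_NONCE_SZ;
                    ret = wc_AesGcmEncrypt(ssl->encrypt.aes, output, input,
                        dataSz, ssl->encrypt.nonce, nonceSz,
                        output + dataSz, macSz, NULL, 0);
                    break;
            #endif

            #ifdef HAVE_AESCCM
                case wolfssl_aes_ccm:
                #ifdef WOLFSSL_ASYNC_CRYPT
                    /* intialize event */
                    asyncDev = &ssl->encrypt.aes->asyncDev;
                    ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
                    if (ret != 0)
                        break;
                #endif

                    nonceSz = AESCCM_NONCE_SZ;
                    ret = wc_AesCcmEncrypt(ssl->encrypt.aes, output, input,
                        dataSz, ssl->encrypt.nonce, nonceSz,
                        output + dataSz, macSz, NULL, 0);
                    break;
            #endif

            #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
                case wolfssl_chacha:
                    ret = ChaCha20Poly1305_Encrypt(ssl, output, input, dataSz,
                        ssl->encrypt.nonce, output + dataSz);
                    break;
            #endif

                default:
                    WOLFSSL_MSG("wolfSSL Encrypt programming error");
                    return ENCRYPT_ERROR;
            }

            /* Advance state */
            ssl->encrypt.state = CIPHER_STATE_END;

        #ifdef WOLFSSL_ASYNC_CRYPT
            if (ret == WC_PENDING_E) {
                /* if async is not okay, then block */
                if (!asyncOkay) {
                    ret = wc_AsyncWait(ret, asyncDev, event_flags);
                }
                else {
                    /* If pending, then leave and return will resume below */
                    return wolfSSL_AsyncPush(ssl, asyncDev);
                }
            }
        #endif
        }
        FALL_THROUGH;

        case CIPHER_STATE_END:
        {
        #ifdef WOLFSSL_DEBUG_TLS
            WOLFSSL_MSG("Nonce");
            WOLFSSL_BUFFER(ssl->encrypt.nonce, ssl->specs.iv_size);
            WOLFSSL_MSG("Encrypted data");
            WOLFSSL_BUFFER(output, dataSz);
            WOLFSSL_MSG("Authentication Tag");
            WOLFSSL_BUFFER(output + dataSz, macSz);
        #endif

            /* The nonce reveals the sequence number; do not leave it in memory. */
            ForceZero(ssl->encrypt.nonce, AEAD_NONCE_SZ);

            break;
        }
    }

    /* Reset state */
    ssl->encrypt.state = CIPHER_STATE_BEGIN;

    return ret;
}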
|
---|
1632 |
|
---|
1633 | #ifdef HAVE_CHACHA
|
---|
1634 | /* Decrypt with ChaCha20 and check authentication tag with Poly1305.
|
---|
1635 | *
|
---|
1636 | * ssl The SSL/TLS object.
|
---|
1637 | * output The buffer to write decrypted data into.
|
---|
1638 | * May be the same pointer as input.
|
---|
1639 | * input The data to decrypt.
|
---|
1640 | * sz The number of bytes to decrypt.
|
---|
1641 | * nonce The nonce to use with ChaCha20.
|
---|
1642 | * tagIn The authentication tag data from packet.
|
---|
1643 | * returns 0 on success, otherwise failure.
|
---|
1644 | */
|
---|
1645 | static int ChaCha20Poly1305_Decrypt(WOLFSSL* ssl, byte* output,
|
---|
1646 | const byte* input, word16 sz, byte* nonce,
|
---|
1647 | const byte* tagIn)
|
---|
1648 | {
|
---|
1649 | int ret;
|
---|
1650 | byte tag[POLY1305_AUTH_SZ];
|
---|
1651 | byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */
|
---|
1652 |
|
---|
1653 | /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
|
---|
1654 | XMEMSET(poly, 0, sizeof(poly));
|
---|
1655 |
|
---|
1656 | /* Set nonce and get Poly1305 key. */
|
---|
1657 | ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0);
|
---|
1658 | if (ret != 0)
|
---|
1659 | return ret;
|
---|
1660 | /* Use ChaCha20 keystream to get Poly1305 key for tag. */
|
---|
1661 | ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, poly, sizeof(poly));
|
---|
1662 | if (ret != 0)
|
---|
1663 | return ret;
|
---|
1664 |
|
---|
1665 | /* Set key for Poly1305. */
|
---|
1666 | ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));
|
---|
1667 | ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
|
---|
1668 | if (ret != 0)
|
---|
1669 | return ret;
|
---|
1670 | /* Generate authentication tag for encrypted data. */
|
---|
1671 | if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, NULL, 0, (byte*)input, sz,
|
---|
1672 | tag, sizeof(tag))) != 0) {
|
---|
1673 | return ret;
|
---|
1674 | }
|
---|
1675 |
|
---|
1676 | /* Check tag sent along with packet. */
|
---|
1677 | if (ConstantCompare(tagIn, tag, POLY1305_AUTH_SZ) != 0) {
|
---|
1678 | WOLFSSL_MSG("MAC did not match");
|
---|
1679 | return VERIFY_MAC_ERROR;
|
---|
1680 | }
|
---|
1681 |
|
---|
1682 | /* If the tag was good decrypt message. */
|
---|
1683 | ret = wc_Chacha_Process(ssl->decrypt.chacha, output, input, sz);
|
---|
1684 |
|
---|
1685 | return ret;
|
---|
1686 | }
|
---|
1687 | #endif
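/* Decrypt and authenticate a TLS v1.3 record (AEAD only).
 *
 * Implemented as a small state machine (ssl->decrypt.state) so that, with
 * WOLFSSL_ASYNC_CRYPT, a pending AES operation can return WC_PENDING_E and be
 * resumed on the next call without rebuilding the nonce.
 *
 * ssl    The SSL/TLS object.
 * output The buffer to write decrypted data into.
 *        May be the same pointer as input.
 * input  The encrypted data followed by the authentication tag.
 * sz     The length of the encrypted data plus authentication tag.
 * returns 0 on success, WC_PENDING_E when an async operation is still in
 *         flight, and otherwise a negative error. Unless WOLFSSL_EARLY_DATA is
 *         built, every failure (including a record shorter than its tag) is
 *         reported to the peer as bad_record_mac and returned as
 *         VERIFY_MAC_ERROR.
 */
int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz)
{
    int    ret     = 0;
    word16 macSz   = ssl->specs.aead_mac_size;
    word16 dataSz  = 0;
    word32 nonceSz = 0;

    WOLFSSL_ENTER("DecryptTls13");

    /* A record shorter than its tag cannot be authenticated. Without this
     * check the subtraction below wraps and a huge dataSz is handed to the
     * AEAD primitive as the ciphertext length. Report it like any other
     * record failure (alert + VERIFY_MAC_ERROR at exit_decrypt). */
    if (sz < macSz) {
        WOLFSSL_MSG("TLS v1.3 record shorter than authentication tag");
        ret = BUFFER_E;
        goto exit_decrypt;
    }
    dataSz = (word16)(sz - macSz);

#ifdef WOLFSSL_ASYNC_CRYPT
    ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state);
    if (ret != WC_NOT_PENDING_E) {
        /* check for still pending */
        if (ret == WC_PENDING_E)
            return ret;

        ssl->error = 0; /* clear async */

        /* let failures through so CIPHER_STATE_END logic is run */
    }
    else
#endif
    {
        /* Reset state */
        ret = 0;
        ssl->decrypt.state = CIPHER_STATE_BEGIN;
    }

    /* Some of these are unused in particular build configurations. */
    (void)output;
    (void)input;
    (void)sz;
    (void)dataSz;
    (void)macSz;
    (void)nonceSz;

    switch (ssl->decrypt.state) {
        case CIPHER_STATE_BEGIN:
        {
        #ifdef WOLFSSL_DEBUG_TLS
            WOLFSSL_MSG("Data to decrypt");
            WOLFSSL_BUFFER(input, dataSz);
            WOLFSSL_MSG("Authentication tag");
            WOLFSSL_BUFFER(input + dataSz, macSz);
        #endif

            /* The nonce buffer is allocated once and reused per record. */
            if (ssl->decrypt.nonce == NULL)
                ssl->decrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ,
                                            ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
            if (ssl->decrypt.nonce == NULL)
                return MEMORY_E;

            /* Per-record nonce from the peer's implicit IV (see
             * BuildTls13Nonce). */
            BuildTls13Nonce(ssl, ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV,
                            PEER_ORDER);

            /* Advance state and proceed */
            ssl->decrypt.state = CIPHER_STATE_DO;
        }
        FALL_THROUGH;

        case CIPHER_STATE_DO:
        {
            switch (ssl->specs.bulk_cipher_algorithm) {
            #ifdef BUILD_AESGCM
                case wolfssl_aes_gcm:
                #ifdef WOLFSSL_ASYNC_CRYPT
                    /* intialize event */
                    ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
                        WC_ASYNC_FLAG_CALL_AGAIN);
                    if (ret != 0)
                        break;
                #endif

                    nonceSz = AESGCM_NONCE_SZ;
                    ret = wc_AesGcmDecrypt(ssl->decrypt.aes, output, input,
                        dataSz, ssl->decrypt.nonce, nonceSz,
                        input + dataSz, macSz, NULL, 0);
                #ifdef WOLFSSL_ASYNC_CRYPT
                    if (ret == WC_PENDING_E) {
                        ret = wolfSSL_AsyncPush(ssl,
                            &ssl->decrypt.aes->asyncDev);
                    }
                #endif
                    break;
            #endif

            #ifdef HAVE_AESCCM
                case wolfssl_aes_ccm:
                #ifdef WOLFSSL_ASYNC_CRYPT
                    /* intialize event */
                    ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
                        WC_ASYNC_FLAG_CALL_AGAIN);
                    if (ret != 0)
                        break;
                #endif

                    nonceSz = AESCCM_NONCE_SZ;
                    ret = wc_AesCcmDecrypt(ssl->decrypt.aes, output, input,
                        dataSz, ssl->decrypt.nonce, nonceSz,
                        input + dataSz, macSz, NULL, 0);
                #ifdef WOLFSSL_ASYNC_CRYPT
                    if (ret == WC_PENDING_E) {
                        ret = wolfSSL_AsyncPush(ssl,
                            &ssl->decrypt.aes->asyncDev);
                    }
                #endif
                    break;
            #endif

            #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
                case wolfssl_chacha:
                    ret = ChaCha20Poly1305_Decrypt(ssl, output, input, dataSz,
                        ssl->decrypt.nonce, input + dataSz);
                    break;
            #endif

                default:
                    WOLFSSL_MSG("wolfSSL Decrypt programming error");
                    return DECRYPT_ERROR;
            }

            /* Advance state */
            ssl->decrypt.state = CIPHER_STATE_END;

        #ifdef WOLFSSL_ASYNC_CRYPT
            /* If pending, leave now */
            if (ret == WC_PENDING_E) {
                return ret;
            }
        #endif
        }
        FALL_THROUGH;

        case CIPHER_STATE_END:
        {
        #ifdef WOLFSSL_DEBUG_TLS
            WOLFSSL_MSG("Nonce");
            WOLFSSL_BUFFER(ssl->decrypt.nonce, ssl->specs.iv_size);
            WOLFSSL_MSG("Decrypted data");
            WOLFSSL_BUFFER(output, dataSz);
        #endif

            /* Do not leave the nonce in memory between records. */
            ForceZero(ssl->decrypt.nonce, AEAD_NONCE_SZ);

            break;
        }
    }

exit_decrypt:
#ifndef WOLFSSL_EARLY_DATA
    /* Every failure is reported as bad_record_mac and collapsed to
     * VERIFY_MAC_ERROR, so the peer cannot tell the failing step apart. */
    if (ret < 0) {
        SendAlert(ssl, alert_fatal, bad_record_mac);
        ret = VERIFY_MAC_ERROR;
    }
#endif

    return ret;
}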
/* Persistable BuildTls13Message arguments.
 * With WOLFSSL_ASYNC_CRYPT these live in ssl->async.args so that a build
 * suspended on WC_PENDING_E resumes with the same values; otherwise a local
 * copy on BuildTls13Message's stack is used. */
typedef struct BuildMsg13Args {
    word32 sz;       /* Total record size: header + data + content type + tag */
    word32 idx;      /* Current write offset into the output buffer */
    word32 headerSz; /* Size of the record header (RECORD_HEADER_SZ) */
    word16 size;     /* Record payload length written into the header */
} BuildMsg13Args;
/* Release resources held by a BuildMsg13Args.
 * Installed as ssl->async.freeArgs by BuildTls13Message. That function makes
 * no allocations, so there is nothing to free; the casts only silence unused
 * parameter warnings.
 *
 * ssl   The SSL/TLS object (unused).
 * pArgs The BuildMsg13Args being discarded (unused).
 */
static void FreeBuildMsg13Args(WOLFSSL* ssl, void* pArgs)
{
    /* no allocations in BuildTls13Message */
    (void)ssl;
    (void)pArgs;
}
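/* Build an encrypted TLS v1.3 record message.
 * TLS v1.3 encryption is AEAD only: the record data is followed by the real
 * content type byte, the record header always claims application_data, and
 * the authentication tag is appended by the encryption step.
 *
 * Implemented as a state machine (ssl->options.buildMsgState) so that, with
 * WOLFSSL_ASYNC_CRYPT and asyncOkay set, an encryption that returns
 * WC_PENDING_E can be resumed on the next call; the working values then live
 * in ssl->async.args rather than on the stack.
 *
 * ssl        The SSL/TLS object.
 * output     The buffer to write record message to. Encryption is done in
 *            place, so input may already sit at output + RECORD_HEADER_SZ.
 * outSz      Size of the buffer being written into.
 * input      The record data to encrypt (excluding record header).
 * inSz       The size of the record data.
 * type       The real record content type; stored encrypted at the end of
 *            the data.
 * hashOutput Whether to hash the unencrypted record data.
 * sizeOnly   Only want the size of the record message. output and input must
 *            both be NULL in this mode.
 * asyncOkay  If non-zero can return WC_PENDING_E, otherwise blocks on crypto.
 * returns the size of the encrypted record message, WC_PENDING_E while async
 *         crypto is in flight, or a negative value on error: BAD_FUNC_ARG for
 *         a NULL buffer or a misused sizeOnly, BUFFER_E when the record does
 *         not fit in outSz.
 */
int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
                      int inSz, int type, int hashOutput, int sizeOnly,
                      int asyncOkay)
{
    int ret = 0;
    BuildMsg13Args* args;
    BuildMsg13Args  lcl_args;
#ifdef WOLFSSL_ASYNC_CRYPT
    args = (BuildMsg13Args*)ssl->async.args;
    /* Compile-time check that the persisted args fit in ssl->async.args. */
    typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
    (void)sizeof(args_test);
#endif

    WOLFSSL_ENTER("BuildTls13Message");

    ret = WC_NOT_PENDING_E;
#ifdef WOLFSSL_ASYNC_CRYPT
    if (asyncOkay) {
        ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState);
        if (ret != WC_NOT_PENDING_E) {
            /* Check for error */
            if (ret < 0)
                goto exit_buildmsg;
        }
    }
    else
#endif
    {
        args = &lcl_args;
    }

    /* Reset state */
    if (ret == WC_NOT_PENDING_E) {
        ret = 0;
        ssl->options.buildMsgState = BUILD_MSG_BEGIN;
        XMEMSET(args, 0, sizeof(BuildMsg13Args));

        args->sz = RECORD_HEADER_SZ + inSz;
        args->idx = RECORD_HEADER_SZ;
        args->headerSz = RECORD_HEADER_SZ;
    #ifdef WOLFSSL_ASYNC_CRYPT
        ssl->async.freeArgs = FreeBuildMsg13Args;
    #endif
    }

    switch (ssl->options.buildMsgState) {
        case BUILD_MSG_BEGIN:
        {
            /* Buffers are only optional when just the size is wanted;
             * rejecting NULL unconditionally would make the sizeOnly path
             * below unreachable. */
            if (!sizeOnly && (output == NULL || input == NULL))
                return BAD_FUNC_ARG;
            /* catch mistaken sizeOnly parameter */
            if (sizeOnly && (output || input)) {
                WOLFSSL_MSG("BuildTls13Message with sizeOnly doesn't need "
                            "input or output");
                return BAD_FUNC_ARG;
            }

            /* Record layer content type at the end of record data. */
            args->sz++;
            /* Authentication data at the end. */
            args->sz += ssl->specs.aead_mac_size;

            if (sizeOnly)
                return args->sz;

            if (args->sz > (word32)outSz) {
                WOLFSSL_MSG("Oops, want to write past output buffer size");
                return BUFFER_E;
            }

            /* Record data length. */
            args->size = (word16)(args->sz - args->headerSz);
            /* Write/update the record header with the new size.
             * Always have the content type as application data for encrypted
             * messages in TLS v1.3.
             */
            AddTls13RecordHeader(output, args->size, application_data, ssl);

            /* TLS v1.3 can do in place encryption. */
            if (input != output + args->idx)
                XMEMCPY(output + args->idx, input, inSz);
            args->idx += inSz;

            ssl->options.buildMsgState = BUILD_MSG_HASH;
        }
        FALL_THROUGH;

        case BUILD_MSG_HASH:
        {
            /* Handshake messages are hashed in the clear, header included,
             * before the content type byte and tag are added. */
            if (hashOutput) {
                ret = HashOutput(ssl, output, args->headerSz + inSz, 0);
                if (ret != 0)
                    goto exit_buildmsg;
            }

            ssl->options.buildMsgState = BUILD_MSG_ENCRYPT;
        }
        FALL_THROUGH;

        case BUILD_MSG_ENCRYPT:
        {
            /* The real record content type goes at the end of the data. */
            output[args->idx++] = type;

        #ifdef ATOMIC_USER
            if (ssl->ctx->MacEncryptCb) {
                /* User Record Layer Callback handling */
                byte* mac = output + args->idx;
                output += args->headerSz;

                ret = ssl->ctx->MacEncryptCb(ssl, mac, output, inSz, type, 0,
                        output, output, args->size, ssl->MacEncryptCtx);
            }
            else
        #endif
            {
                /* Encrypt the payload in place, tag written after it. */
                output += args->headerSz;
                ret = EncryptTls13(ssl, output, output, args->size, asyncOkay);
            }
            break;
        }
    }

exit_buildmsg:

    WOLFSSL_LEAVE("BuildTls13Message", ret);

#ifdef WOLFSSL_ASYNC_CRYPT
    if (ret == WC_PENDING_E) {
        return ret;
    }
#endif

    /* make sure build message state is reset */
    ssl->options.buildMsgState = BUILD_MSG_BEGIN;

    /* return sz on success */
    if (ret == 0)
        ret = args->sz;

    /* Final cleanup */
    FreeBuildMsg13Args(ssl, args);

    return ret;
}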
2032 | #ifndef NO_WOLFSSL_CLIENT
2033 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
/* Setup pre-shared key based on the details in the extension data.
 *
 * Selects the cipher suite recorded for the PSK entry, loads the PSK itself
 * into ssl->arrays->psk_key (the session master secret for a resumption PSK,
 * or whatever the client PSK callback supplies for an external PSK) and then
 * derives the early secret from it.
 *
 * ssl SSL/TLS object.
 * psk Pre-shared key extension data.
 * returns 0 on success, PSK_KEY_ERROR when the client PSK callback fails and
 * other negative value on failure.
 */
static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk)
{
    int ret;

    /* The PSK is bound to one cipher suite (hash); switch to it first so
     * hash_size below and the derivations match. */
    ssl->options.cipherSuite0 = psk->cipherSuite0;
    ssl->options.cipherSuite  = psk->cipherSuite;
    if ((ret = SetCipherSpecs(ssl)) != 0)
        return ret;

#ifdef HAVE_SESSION_TICKET
    if (psk->resumption) {
    #ifdef WOLFSSL_EARLY_DATA
        /* A ticket that permits no early data disables 0-RTT for this try. */
        if (ssl->session.maxEarlyDataSz == 0)
            ssl->earlyData = 0;
    #endif
        /* Resumption PSK is master secret. */
        ssl->arrays->psk_keySz = ssl->specs.hash_size;
        XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret,
                ssl->arrays->psk_keySz);
    }
#endif
#ifndef NO_PSK
    if (!psk->resumption) {
        /* Get the pre-shared key.
         * NOTE(review): client_psk_cb is not NULL-checked here - presumably
         * the extension is only added when a callback is set; confirm at the
         * caller. The identity is handed over as a C string, so it is assumed
         * to be NUL-terminated by the extension code - confirm. */
        ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
                (char *)psk->identity, ssl->arrays->client_identity,
                MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
        /* The callback was given MAX_PSK_KEY_LEN as its buffer size; a larger
         * reported length means it misbehaved, an empty key is unusable. */
        if (ssl->arrays->psk_keySz == 0 ||
                                     ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
            return PSK_KEY_ERROR;
        }
    }
#endif

    /* Derive the early secret using the PSK. */
    return DeriveEarlySecret(ssl);
}
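/* Derive and write the binders into the ClientHello in space left when
 * writing the Pre-Shared Key extension.
 *
 * For each offered identity: select its cipher suite and PSK (SetupPskKey),
 * derive the binder key (resumption or external PSK flavour), derive the
 * Finished-style secret from it and HMAC the transcript up to, but excluding,
 * the binders. The binders are then written into the message and folded into
 * the handshake hash so the ClientHello transcript is complete. With
 * WOLFSSL_EARLY_DATA the 0-RTT write keys are derived from the first identity.
 *
 * binderKey is PSK-derived key material; it is wiped from the stack on every
 * path that may have written it.
 *
 * ssl    The SSL/TLS object.
 * output The buffer containing the ClientHello.
 * idx    The index at the end of the completed ClientHello.
 * returns 0 on success, SANITY_MSG_E when no pre_shared_key extension is
 *         present, and otherwise failure.
 */
static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx)
{
    int           ret;
    TLSX*         ext;
    PreSharedKey* current;
    byte          binderKey[MAX_DIGEST_SIZE];
    word16        len;

    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    if (ext == NULL)
        return SANITY_MSG_E;

    /* Get the size of the binders to determine where to write binders. */
    idx -= TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
                                            client_hello);

    /* Hash truncated ClientHello - up to binders. */
    ret = HashOutput(ssl, output, idx, 0);
    if (ret != 0)
        return ret;

    current = (PreSharedKey*)ext->data;
    /* Calculate the binder for each identity based on previous handshake data.
     */
    while (current != NULL) {
        if ((ret = SetupPskKey(ssl, current)) != 0)
            goto exit_binders;

    #ifdef HAVE_SESSION_TICKET
        if (current->resumption)
            ret = DeriveBinderKeyResume(ssl, binderKey);
    #endif
    #ifndef NO_PSK
        if (!current->resumption)
            ret = DeriveBinderKey(ssl, binderKey);
    #endif
        if (ret != 0)
            goto exit_binders;

        /* Derive the Finished message secret. */
        ret = DeriveFinishedSecret(ssl, binderKey,
                                   ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            goto exit_binders;

        /* Build the HMAC of the handshake message data = binder. */
        ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret,
                                      current->binder, &current->binderLen);
        if (ret != 0)
            goto exit_binders;

        current = current->next;
    }

    /* Data entered into extension, now write to message. */
    len = TLSX_PreSharedKey_WriteBinders((PreSharedKey*)ext->data, output + idx,
                                         client_hello);

    /* Hash binders to complete the hash of the ClientHello. */
    ret = HashOutputRaw(ssl, output + idx, len);
    if (ret < 0)
        goto exit_binders;

#ifdef WOLFSSL_EARLY_DATA
    if (ssl->earlyData) {
        /* Early data is keyed from the first offered identity. */
        if ((ret = SetupPskKey(ssl, (PreSharedKey*)ext->data)) != 0)
            goto exit_binders;

        /* Derive early data encryption key. */
        ret = DeriveTls13Keys(ssl, early_data_key, ENCRYPT_SIDE_ONLY, 1);
        if (ret != 0)
            goto exit_binders;
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
            goto exit_binders;
    }
#endif

exit_binders:
    /* Derived key material must not be left behind on the stack. */
    ForceZero(binderKey, sizeof(binderKey));
    return ret;
}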
2165 | #endif
/* Send a ClientHello message to the server.
 * Include the information required to start a handshake with servers using
 * protocol versions less than TLS v1.3.
 * Only a client will send this message.
 *
 * Layout written: legacy version (TLS 1.2) | random | empty session id |
 * cipher suites | null compression | extensions. When a pre_shared_key
 * extension is present the binders are computed and written last, since they
 * cover the ClientHello up to that point.
 *
 * ssl The SSL/TLS object.
 * returns 0 on success and otherwise failure.
 */
int SendTls13ClientHello(WOLFSSL* ssl)
{
    byte*  output;
    word32 length;
    word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    int    sendSz;
    int    ret;

    WOLFSSL_ENTER("SendTls13ClientHello");

#ifdef HAVE_SESSION_TICKET
    if (ssl->options.resuming &&
            (ssl->session.version.major != ssl->version.major ||
             ssl->session.version.minor != ssl->version.minor)) {
        /* Cannot resume with a different protocol version - new handshake.
         * Note this adopts the session's (older) version and hands off to the
         * pre-TLS 1.3 ClientHello with resumption switched off. */
        ssl->options.resuming = 0;
        ssl->version.major = ssl->session.version.major;
        ssl->version.minor = ssl->session.version.minor;
        return SendClientHello(ssl);
    }
#endif

    if (ssl->suites == NULL) {
        WOLFSSL_MSG("Bad suites pointer in SendTls13ClientHello");
        return SUITES_ERROR;
    }

    /* Version | Random | Session Id | Cipher Suites | Compression | Ext  */
    length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->suites->suiteSz +
             SUITE_LEN + COMP_LEN + ENUM_LEN;

    /* Auto populate extensions supported unless user defined. */
    if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0)
        return ret;
#ifdef WOLFSSL_EARLY_DATA
    /* 0-RTT needs a PSK: either a resumed session or a client PSK callback. */
    #ifndef NO_PSK
        if (!ssl->options.resuming && ssl->options.client_psk_cb == NULL)
    #else
        if (!ssl->options.resuming)
    #endif
            ssl->earlyData = 0;
    if (ssl->earlyData && (ret = TLSX_EarlyData_Use(ssl, 0)) < 0)
        return ret;
#endif
#ifdef HAVE_QSH
    if (QSH_Init(ssl) != 0)
        return MEMORY_E;
#endif
    /* Include length of TLS extensions. */
    length += TLSX_GetRequestSize(ssl, client_hello);

    /* Total message size. */
    sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, length, client_hello, ssl);

    /* Protocol version.
     * The legacy_version field is fixed at TLS 1.2; the version actually
     * offered is carried in the extensions. */
    output[idx++] = SSLv3_MAJOR;
    output[idx++] = TLSv1_2_MINOR;
    ssl->chVersion = ssl->version;

    /* Client Random */
    if (ssl->options.connectState == CONNECT_BEGIN) {
        ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN);
        if (ret != 0)
            return ret;

        /* Store random for possible second ClientHello. */
        XMEMCPY(ssl->arrays->clientRandom, output + idx, RAN_LEN);
    }
    else
        /* Second ClientHello (after HelloRetryRequest) reuses the random. */
        XMEMCPY(output + idx, ssl->arrays->clientRandom, RAN_LEN);
    idx += RAN_LEN;

    /* TLS v1.3 does not use session id - 0 length. */
    output[idx++] = 0;

    /* Cipher suites */
    c16toa(ssl->suites->suiteSz, output + idx);
    idx += OPAQUE16_LEN;
    XMEMCPY(output + idx, &ssl->suites->suites, ssl->suites->suiteSz);
    idx += ssl->suites->suiteSz;

    /* Compression not supported in TLS v1.3. */
    output[idx++] = COMP_LEN;
    output[idx++] = NO_COMPRESSION;

    /* Write out extensions for a request. */
    idx += TLSX_WriteRequest(ssl, output + idx, client_hello);

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    /* Resumption has a specific set of extensions and binder is calculated
     * for each identity.
     */
    if (TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY))
        ret = WritePSKBinders(ssl, output, idx);
    else
#endif
        /* No binders: the whole message goes into the handshake hash here. */
        ret = HashOutput(ssl, output, idx, 0);
    if (ret != 0)
        return ret;

    ssl->options.clientState = CLIENT_HELLO_COMPLETE;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName("ClientHello", &ssl->handShakeInfo);
    if (ssl->toInfoOn) {
        AddPacketInfo("ClientHello", &ssl->timeoutInfo, output, sendSz,
                      ssl->heap);
    }
#endif

    ssl->buffers.outputBuffer.length += sendSz;

    ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13ClientHello", ret);

    return ret;
}
2305 | #ifndef WOLFSSL_TLS13_DRAFT_18
2306 | #ifdef WOLFSSL_SEND_HRR_COOKIE
/* Create Cookie extension using the hash of the first ClientHello.
 *
 * The cookie carries the hash data plus an HMAC over it keyed with the
 * server's cookie secret (ssl->buffers.tls13CookieSecret), so a cookie echoed
 * back later can be integrity checked without per-client state.
 *
 * NOTE(review): the Hmac object is used without a matching init/free call;
 * confirm this matches the wolfCrypt HMAC API of the version in use.
 * NOTE(review): cookieType/macSz are only assigned when SHA or SHA-256 is
 * compiled in; a build defining both NO_SHA and NO_SHA256 would read them
 * uninitialised.
 *
 * ssl    SSL/TLS object.
 * hash   The hash data.
 * hashSz The size of the hash data in bytes.
 * returns 0 on success, otherwise failure.
 */
static int CreateCookie(WOLFSSL* ssl, byte* hash, byte hashSz)
{
    int  ret;
    byte cookieMac[MAX_DIGEST_SIZE];
    Hmac cookieHmac;
    byte cookieType;
    byte macSz;

    /* SHA-256 when available, otherwise SHA-1. */
#if !defined(NO_SHA) && defined(NO_SHA256)
    cookieType = SHA;
    macSz = WC_SHA_DIGEST_SIZE;
#endif /* NO_SHA */
#ifndef NO_SHA256
    cookieType = WC_SHA256;
    macSz = WC_SHA256_DIGEST_SIZE;
#endif /* NO_SHA256 */

    /* HMAC(cookieSecret, hash); stop at the first failing step. */
    ret = wc_HmacSetKey(&cookieHmac, cookieType,
                        ssl->buffers.tls13CookieSecret.buffer,
                        ssl->buffers.tls13CookieSecret.length);
    if (ret == 0)
        ret = wc_HmacUpdate(&cookieHmac, hash, hashSz);
    if (ret == 0)
        ret = wc_HmacFinal(&cookieHmac, cookieMac);
    if (ret != 0)
        return ret;

    /* The cookie data is the hash and the integrity check. */
    return TLSX_Cookie_Use(ssl, hash, hashSz, cookieMac, macSz, 1);
}
2344 | #endif
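/* Restart the handshake hash with a hash of the previous messages.
 *
 * After a HelloRetryRequest the transcript so far is replaced by a synthetic
 * message_hash handshake message carrying its digest. When the server is
 * configured to send a cookie, the digest (with the selected cipher suite and
 * key share group) is placed into the cookie instead - presumably so the
 * server need not keep state across the retry - and the local hash is not
 * re-initialised here.
 *
 * ssl The SSL/TLS object.
 * returns 0 on success, BAD_FUNC_ARG when no digest is available for the
 *         negotiated MAC algorithm, otherwise failure.
 */
static int RestartHandshakeHash(WOLFSSL* ssl)
{
    int    ret;
    Hashes hashes;
    byte   header[HANDSHAKE_HEADER_SZ];
    byte*  hash = NULL;
    byte   hashSz = 0;

    ret = BuildCertHashes(ssl, &hashes);
    if (ret != 0)
        return ret;
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            hash = hashes.sha256;
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            hash = hashes.sha384;
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hash = hashes.sha512;
            break;
    #endif
        default:
            break;
    }
    /* Without a matching digest the copies below would read through NULL. */
    if (hash == NULL)
        return BAD_FUNC_ARG;
    hashSz = ssl->specs.hash_size;
    AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl);

    WOLFSSL_MSG("Restart Hash");
    WOLFSSL_BUFFER(hash, hashSz);

#ifdef WOLFSSL_SEND_HRR_COOKIE
    if (ssl->options.sendCookie) {
        /* Sized for the largest digest plus the two-byte fields below. */
        byte   cookie[OPAQUE8_LEN + MAX_DIGEST_SIZE + OPAQUE16_LEN * 2];
        TLSX*  ext;
        word32 idx = 0;

        /* Cookie Data = Hash Len | Hash | CS | KeyShare Group */
        cookie[idx++] = hashSz;
        XMEMCPY(cookie + idx, hash, hashSz);
        idx += hashSz;
        cookie[idx++] = ssl->options.cipherSuite0;
        cookie[idx++] = ssl->options.cipherSuite;
        if ((ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE)) != NULL) {
            KeyShareEntry* kse = (KeyShareEntry*)ext->data;
            c16toa(kse->group, cookie + idx);
            idx += OPAQUE16_LEN;
        }
        /* The cookie is integrity protected by CreateCookie. */
        return CreateCookie(ssl, cookie, idx);
    }
#endif

    /* Fresh transcript = message_hash header followed by the digest. */
    ret = InitHandshakeHashes(ssl);
    if (ret != 0)
        return ret;
    ret = HashOutputRaw(ssl, header, sizeof(header));
    if (ret != 0)
        return ret;
    return HashOutputRaw(ssl, hash, hashSz);
}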
2414 | #endif
/* Parse and handle a HelloRetryRequest message.
 * Only a client will receive this message.
 *
 * Wire layout consumed: version (2) | cipher suite (2, not in draft 18) |
 * extensions length (2) | extensions. Both the fixed fields and the
 * extension block are bounds-checked against totalSz before being read.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of
 *           HelloRetryRequest.
 *           On exit, the index of byte after the HelloRetryRequest message.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13HelloRetryRequest(WOLFSSL* ssl, const byte* input,
                                    word32* inOutIdx, word32 totalSz)
{
    int             ret;
    word32          begin = *inOutIdx;
    word32          i = begin;
    word16          totalExtSz;
    ProtocolVersion pv;

    WOLFSSL_ENTER("DoTls13HelloRetryRequest");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName("HelloRetryRequest", &ssl->handShakeInfo);
    if (ssl->toInfoOn) AddLateName("HelloRetryRequest", &ssl->timeoutInfo);
#endif

    /* Version info and length field of extension data.
     * Requires 6 bytes: version, cipher suite and extensions length. (Under
     * WOLFSSL_TLS13_DRAFT_18 the cipher suite is not read, but the same
     * minimum is still demanded.) */
    if (totalSz < i - begin + OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
        return BUFFER_ERROR;

    /* Protocol version. */
    XMEMCPY(&pv, input + i, OPAQUE16_LEN);
    i += OPAQUE16_LEN;
    ret = CheckVersion(ssl, pv);
    if (ret != 0)
        return ret;

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Set the cipher suite from the message.
     * NOTE(review): nothing visible here checks that the server-chosen suite
     * is one the client offered; confirm SetCipherSpecs or later processing
     * rejects an unoffered suite. */
    ssl->options.cipherSuite0 = input[i++];
    ssl->options.cipherSuite  = input[i++];

    ret = SetCipherSpecs(ssl);
    if (ret != 0)
        return ret;
#endif

    /* Length of extension data. */
    ato16(&input[i], &totalExtSz);
    i += OPAQUE16_LEN;
    if (totalExtSz == 0) {
        WOLFSSL_MSG("HelloRetryRequest must contain extensions");
        return MISSING_HANDSHAKE_DATA;
    }

    /* Extension data. Reject a declared length that runs past the message
     * before the parser touches it. */
    if (i - begin + totalExtSz > totalSz)
        return BUFFER_ERROR;
    if ((ret = TLSX_Parse(ssl, (byte *)(input + i), totalExtSz,
                          hello_retry_request, NULL)) != 0)
        return ret;
    /* The KeyShare extension parsing fails when not valid. */

    /* Move index to byte after message. */
    *inOutIdx = i + totalExtSz;

    ssl->options.tls1_3 = 1;
    ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST;

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Replace the transcript with the message_hash of ClientHello1. */
    ret = RestartHandshakeHash(ssl);
#endif

    WOLFSSL_LEAVE("DoTls13HelloRetryRequest", ret);

    return ret;
}
/* Handle the ServerHello message from the server.
 * Only a client will receive this message.
 *
 * Parses: version | random | cipher suite | extensions length | extensions.
 * Every read is bounds-checked against helloSz first. A pre-TLS 1.3 version
 * is handed to DoServerHello() when downgrade is permitted; otherwise the
 * handshake fails with VERSION_ERROR.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of ServerHello.
 *           On exit, the index of byte after the ServerHello message.
 * helloSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                       word32 helloSz)
{
    ProtocolVersion pv;
    word32          i = *inOutIdx;
    word32          begin = i;
    int             ret;
    word16          totalExtSz;
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    TLSX*           ext;
    PreSharedKey*   psk = NULL;
#endif

    WOLFSSL_ENTER("DoTls13ServerHello");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName("ServerHello", &ssl->handShakeInfo);
    if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo);
#endif

    /* Protocol version length check (i == begin here). */
    if (OPAQUE16_LEN > helloSz)
        return BUFFER_ERROR;

    /* Protocol version */
    XMEMCPY(&pv, input + i, OPAQUE16_LEN);
    i += OPAQUE16_LEN;
    ret = CheckVersion(ssl, pv);
    if (ret != 0)
        return ret;
    if (!IsAtLeastTLSv1_3(pv) && pv.major != TLS_DRAFT_MAJOR) {
        if (ssl->options.downgrade) {
            /* Server chose an older version: re-parse the same message with
             * the pre-1.3 ServerHello handler. */
            ssl->version = pv;
            return DoServerHello(ssl, input, inOutIdx, helloSz);
        }

        WOLFSSL_MSG("CLient using higher version, fatal error");
        return VERSION_ERROR;
    }

    /* Random, cipher suite and extensions length check. */
    if ((i - begin) + RAN_LEN + OPAQUE16_LEN + OPAQUE16_LEN > helloSz)
        return BUFFER_ERROR;

    /* Server random - keep for debugging. */
    XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN);
    i += RAN_LEN;

    /* Set the cipher suite from the message.
     * NOTE(review): the suite is accepted as sent; nothing in this function
     * checks it is one the client offered - confirm SetCipherSpecs or the
     * caller enforces that. */
    ssl->options.cipherSuite0 = input[i++];
    ssl->options.cipherSuite  = input[i++];

    /* Get extension length and length check. */
    ato16(&input[i], &totalExtSz);
    i += OPAQUE16_LEN;
    if ((i - begin) + totalExtSz > helloSz)
        return BUFFER_ERROR;

    /* Parse and handle extensions. */
    ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz, server_hello, NULL);
    if (ret != 0)
        return ret;

    i += totalExtSz;
    *inOutIdx = i;

    ssl->options.serverState = SERVER_HELLO_COMPLETE;

#ifdef HAVE_SECRET_CALLBACK
    /* Application-supplied master secret; it must fill exactly SECRET_LEN. */
    if (ssl->sessionSecretCb != NULL) {
        int secretSz = SECRET_LEN;
        ret = ssl->sessionSecretCb(ssl, ssl->session.masterSecret,
                                              &secretSz, ssl->sessionSecretCtx);
        if (ret != 0 || secretSz != SECRET_LEN)
            return SESSION_SECRET_CB_E;
    }
#endif /* HAVE_SECRET_CALLBACK */

    ret = SetCipherSpecs(ssl);
    if (ret != 0)
        return ret;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    /* Locate the PSK the server accepted; presumably the chosen flag is set
     * by the pre_shared_key extension parser above. */
    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    if (ext != NULL)
        psk = (PreSharedKey*)ext->data;
    while (psk != NULL && !psk->chosen)
        psk = psk->next;
    if (psk == NULL) {
        /* No PSK selected: discard the offered key material and continue
         * with a full handshake. */
        ssl->options.resuming = 0;
        ssl->arrays->psk_keySz = 0;
        XMEMSET(ssl->arrays->psk_key, 0, MAX_PSK_KEY_LEN);
    }
    else if ((ret = SetupPskKey(ssl, psk)) != 0)
        return ret;
#endif

    /* Everything after the ServerHello is encrypted. */
    ssl->keys.encryptionOn = 1;

    WOLFSSL_LEAVE("DoTls13ServerHello", ret);

    return ret;
}
/* Parse and handle an EncryptedExtensions message.
 * Only a client will receive this message.
 *
 * The message is a single extensions block: 16-bit length followed by the
 * extension data. It is always encrypted, so the record padding is skipped
 * when the index is advanced.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of
 *           EncryptedExtensions.
 *           On exit, the index of byte after the EncryptedExtensions
 *           message.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input,
                                      word32* inOutIdx, word32 totalSz)
{
    int    ret;
    word32 start = *inOutIdx;
    word32 idx = start;
    word16 extLen;

    WOLFSSL_ENTER("DoTls13EncryptedExtensions");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) {
        AddPacketName("EncryptedExtensions", &ssl->handShakeInfo);
    }
    if (ssl->toInfoOn) {
        AddLateName("EncryptedExtensions", &ssl->timeoutInfo);
    }
#endif

    /* The two-byte extensions length must fit in the message. */
    if (totalSz < (idx - start) + OPAQUE16_LEN) {
        return BUFFER_ERROR;
    }
    ato16(&input[idx], &extLen);
    idx += OPAQUE16_LEN;

    /* And so must the extension data it announces. */
    if ((idx - start) + extLen > totalSz) {
        return BUFFER_ERROR;
    }
    ret = TLSX_Parse(ssl, (byte *)(input + idx), extLen, encrypted_extensions,
                     NULL);
    if (ret) {
        return ret;
    }

    /* Step over the extensions and the encryption padding. */
    *inOutIdx = idx + extLen + ssl->keys.padSz;

#ifdef WOLFSSL_EARLY_DATA
    /* Early data remains enabled only if the early_data extension came back
     * with a set value. */
    if (ssl->earlyData) {
        TLSX* earlyExt = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
        if (earlyExt == NULL || !earlyExt->val) {
            ssl->earlyData = 0;
        }
    }
#endif

    WOLFSSL_LEAVE("DoTls13EncryptedExtensions", ret);

    return ret;
}
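/* Handle a TLS v1.3 CertificateRequest message.
 * This message is always encrypted.
 * Only a client will receive this message.
 *
 * Layout: context length (1) | context | then either, for draft 18,
 * signature algorithms, certificate authorities and certificate extensions,
 * or, otherwise, a single extensions block that must be non-empty.
 * Every field is bounds-checked against size before it is read.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of CertificateRequest.
 *           On exit, the index of byte after the CertificateRequest message.
 * size      The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
                                     word32* inOutIdx, word32 size)
{
    word16      len;
    word32      begin = *inOutIdx;
    int         ret = 0;
#ifndef WOLFSSL_TLS13_DRAFT_18
    Suites      peerSuites;
#endif
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    CertReqCtx* certReqCtx;
#endif

    WOLFSSL_ENTER("DoTls13CertificateRequest");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName("CertificateRequest", &ssl->handShakeInfo);
    if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo);
#endif

    if ((*inOutIdx - begin) + OPAQUE8_LEN > size)
        return BUFFER_ERROR;

    /* Length of the request context. */
    len = input[(*inOutIdx)++];
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    /* The context is only meaningful for post-handshake requests; during the
     * initial handshake it must be empty. */
    if (ssl->options.connectState < FINISHED_DONE && len > 0)
        return BUFFER_ERROR;

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    /* CertReqCtx has one byte at end for context value.
     * Increase size to handle other implementations sending more than one byte.
     * That is, allocate extra space, over one byte, to hold the context value.
     * The context is pushed on ssl->certReqCtx, which owns it from here on.
     */
    certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx) + len - 1, ssl->heap,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (certReqCtx == NULL)
        return MEMORY_E;
    certReqCtx->next = ssl->certReqCtx;
    certReqCtx->len = len;
    XMEMCPY(&certReqCtx->ctx, input + *inOutIdx, len);
    ssl->certReqCtx = certReqCtx;
#endif
    *inOutIdx += len;

#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Signature and hash algorithms. */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    PickHashSigAlgo(ssl, input + *inOutIdx, len);
    *inOutIdx += len;

    /* Length of certificate authority data. */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;

    /* Certificate authorities: a list of length-prefixed distinguished names
     * that is skipped, not interpreted. */
    while (len) {
        word16 dnSz;

        if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
            return BUFFER_ERROR;

        ato16(input + *inOutIdx, &dnSz);
        *inOutIdx += OPAQUE16_LEN;

        if ((*inOutIdx - begin) + dnSz > size)
            return BUFFER_ERROR;
        /* Each entry must also fit inside the declared list length, otherwise
         * the word16 subtraction below would wrap and keep the loop running
         * into the following fields. */
        if (OPAQUE16_LEN + dnSz > len)
            return BUFFER_ERROR;

        *inOutIdx += dnSz;
        len -= OPAQUE16_LEN + dnSz;
    }

    /* Certificate extensions */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    *inOutIdx += len;
#else
    /* TODO: Add support for more extensions:
     *   signed_certificate_timestamp, certificate_authorities, oid_filters.
     */
    /* Certificate extensions */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    if (len == 0)
        return INVALID_PARAMETER;
    /* Initialise the algorithm count before parsing, as DoTls13ClientHello
     * does, so PickHashSigAlgo never sees an indeterminate count should the
     * parser leave the field untouched. */
    peerSuites.hashSigAlgoSz = 0;
    if ((ret = TLSX_Parse(ssl, (byte *)(input + *inOutIdx), len,
                                           certificate_request, &peerSuites))) {
        return ret;
    }
    *inOutIdx += len;

    PickHashSigAlgo(ssl, peerSuites.hashSigAlgo, peerSuites.hashSigAlgoSz);
#endif

    /* Answer with a certificate only if both a certificate and a key are
     * loaded; otherwise an empty Certificate message is sent. */
    if (ssl->buffers.certificate && ssl->buffers.certificate->buffer &&
        ssl->buffers.key && ssl->buffers.key->buffer)
        ssl->options.sendVerify = SEND_CERT;
    else
        ssl->options.sendVerify = SEND_BLANK_CERT;

    /* This message is always encrypted so add encryption padding. */
    *inOutIdx += ssl->keys.padSz;

#if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
    if (ssl->options.side == WOLFSSL_CLIENT_END &&
                                 ssl->options.handShakeState == HANDSHAKE_DONE) {
        /* reset handshake states so the client sends Certificate again */
        ssl->options.clientState   = CLIENT_HELLO_COMPLETE;
        ssl->options.connectState  = FIRST_REPLY_DONE;
        ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
    }
#endif

    WOLFSSL_LEAVE("DoTls13CertificateRequest", ret);

    return ret;
}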
2816 | #endif /* !NO_WOLFSSL_CLIENT */
2818 | #ifndef NO_WOLFSSL_SERVER
2819 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
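/* Handle any Pre-Shared Key (PSK) extension.
 * Must do this in ClientHello as it requires a hash of the truncated message.
 * Don't know size of binders until Pre-Shared Key extension has been parsed.
 *
 * Walks the client's identities in order. The first one that resolves (via a
 * session ticket or the server PSK callback) and whose binder verifies is
 * marked chosen; the binder comparison is constant-time. An identity longer
 * than the client_identity buffer is rejected before being copied.
 *
 * NOTE(review): *usingPSK is set whenever the extension was processed, even
 * when no identity was chosen (list exhausted, or ticket aged out and the
 * loop broke); callers should consult ssl->options.resuming / the chosen
 * flag rather than usingPSK alone - confirm in DoTls13ClientHello.
 * NOTE(review): binderKey and binder hold key material and are not cleared
 * on the early-return paths.
 *
 * ssl       The SSL/TLS object.
 * input     The ClientHello message.
 * helloSz   The size of the ClientHello message (including binders if present).
 * usingPSK  Indicates handshake is using Pre-Shared Keys.
 * returns 0 on success and otherwise failure.
 */
static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
                           int* usingPSK)
{
    int           ret;
    TLSX*         ext;
    word16        bindersLen;
    PreSharedKey* current;
    byte          binderKey[MAX_DIGEST_SIZE];
    byte          binder[MAX_DIGEST_SIZE];
    word32        binderLen;
    word16        modes;
#ifdef WOLFSSL_EARLY_DATA
    TLSX*         extEarlyData;
#endif

    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    if (ext == NULL) {
#ifdef WOLFSSL_EARLY_DATA
        ssl->earlyData = 0;
#endif
        return 0;
    }

    /* Extensions pushed on stack/list and PSK must be last. */
    if (ssl->extensions != ext)
        return PSK_KEY_ERROR;

    /* Assume we are going to resume with a pre-shared key. */
    ssl->options.resuming = 1;

    /* Find the pre-shared key extension and calculate hash of truncated
     * ClientHello for binders.
     */
    bindersLen = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
                                                  client_hello);
    /* Binders are part of the ClientHello; a larger value would wrap the
     * subtraction below. */
    if (bindersLen > helloSz)
        return BUFFER_ERROR;

    /* Hash data up to binders for deriving binders in PSK extension. */
    ret = HashInput(ssl, input, helloSz - bindersLen);
    if (ret != 0)
        return ret;

    /* Look through all client's pre-shared keys for a match. */
    current = (PreSharedKey*)ext->data;
    while (current != NULL) {
#ifndef NO_PSK
        /* client_identity is a fixed-size, NUL-terminated buffer: reject an
         * identity that would not fit with its terminator. */
        if (current->identityLen >= sizeof(ssl->arrays->client_identity))
            return BUFFER_ERROR;
        XMEMCPY(ssl->arrays->client_identity, current->identity,
                current->identityLen);
        ssl->arrays->client_identity[current->identityLen] = '\0';
#endif

#ifdef HAVE_SESSION_TICKET
        /* Decode the identity. */
        if ((ret = DoClientTicket(ssl, current->identity, current->identityLen))
                                                     == WOLFSSL_TICKET_RET_OK) {
            word32 now;
            int    diff;

            now = TimeNowInMilliseconds();
            if (now == (word32)GETTIME_ERROR)
                return GETTIME_ERROR;
            diff = now - ssl->session.ticketSeen;
            diff -= current->ticketAge - ssl->session.ticketAdd;
            /* Check session and ticket age timeout.
             * Allow +/- 1000 milliseconds on ticket age.
             */
            if (diff > (int)ssl->timeout * 1000 || diff < -1000 ||
                                     diff - MAX_TICKET_AGE_SECS * 1000 > 1000) {
                /* Invalid difference, fallback to full handshake. */
                ssl->options.resuming = 0;
                break;
            }

#ifdef WOLFSSL_EARLY_DATA
            ssl->options.maxEarlyDataSz = ssl->session.maxEarlyDataSz;
#endif
            /* Use the same cipher suite as before and set up for use. */
            ssl->options.cipherSuite0 = ssl->session.cipherSuite0;
            ssl->options.cipherSuite  = ssl->session.cipherSuite;
            ret = SetCipherSpecs(ssl);
            if (ret != 0)
                return ret;

            /* Resumption PSK is resumption master secret. */
            ssl->arrays->psk_keySz = ssl->specs.hash_size;
            XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret,
                    ssl->specs.hash_size);

            /* Derive the early secret using the PSK. */
            ret = DeriveEarlySecret(ssl);
            if (ret != 0)
                return ret;
            /* Derive the binder key to use to with HMAC. */
            ret = DeriveBinderKeyResume(ssl, binderKey);
            if (ret != 0)
                return ret;
        }
        else
#endif
#ifndef NO_PSK
        if (ssl->options.server_psk_cb != NULL &&
            (ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
                             ssl->arrays->client_identity, ssl->arrays->psk_key,
                             MAX_PSK_KEY_LEN)) != 0) {
            /* The callback reports how much of psk_key it filled. */
            if (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN)
                return PSK_KEY_ERROR;

            ssl->options.resuming = 0;

            /* PSK age is always zero. */
            if (current->ticketAge != ssl->session.ticketAdd)
                return PSK_KEY_ERROR;

            /* TODO: Callback should be able to change ciphersuite. */
            /* Default to ciphersuite if cb doesn't specify. */
            ssl->options.cipherSuite0 = TLS13_BYTE;
            ssl->options.cipherSuite  = WOLFSSL_DEF_PSK_CIPHER;
            ret = SetCipherSpecs(ssl);
            if (ret != 0)
                return ret;

            /* Derive the early secret using the PSK. */
            ret = DeriveEarlySecret(ssl);
            if (ret != 0)
                return ret;
            /* Derive the binder key to use to with HMAC. */
            ret = DeriveBinderKey(ssl, binderKey);
            if (ret != 0)
                return ret;
        }
        else
#endif
        {
            /* Identity not known to us: try the next one. */
            current = current->next;
            continue;
        }

        ssl->options.sendVerify = 0;

        /* Derive the Finished message secret. */
        ret = DeriveFinishedSecret(ssl, binderKey,
                                             ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            return ret;

        /* Derive the binder and compare with the one in the extension.
         * Constant-time compare, as for the HRR cookie MAC, so a mismatch
         * position is not observable through timing. */
        ret = BuildTls13HandshakeHmac(ssl,
                         ssl->keys.client_write_MAC_secret, binder, &binderLen);
        if (ret != 0)
            return ret;
        if (binderLen != current->binderLen ||
                ConstantCompare(binder, current->binder, (int)binderLen) != 0) {
            return BAD_BINDER;
        }

        /* This PSK works, no need to try any more. */
        current->chosen = 1;
        ext->resp = 1;
        break;
    }

    /* Hash the rest of the ClientHello. */
    ret = HashInputRaw(ssl, input + helloSz - bindersLen, bindersLen);
    if (ret != 0)
        return ret;

#ifdef WOLFSSL_EARLY_DATA
    extEarlyData = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
    if (extEarlyData != NULL) {
        /* Early data is accepted only when the first PSK was actually chosen,
         * i.e. its binder verified. A break on ticket age-out leaves current
         * at the first entry without a verified binder, which must not
         * enable 0-RTT. */
        if (ssl->earlyData && current == ext->data && current->chosen) {
            extEarlyData->resp = 1;

            /* Derive early data decryption key. */
            ret = DeriveTls13Keys(ssl, early_data_key, DECRYPT_SIDE_ONLY, 1);
            if (ret != 0)
                return ret;
            if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
                return ret;

            ssl->earlyData = 2;
        }
        else
            extEarlyData->resp = 0;
    }
#endif

    /* Get the PSK key exchange modes the client wants to negotiate. */
    ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
    if (ext == NULL)
        return MISSING_HANDSHAKE_DATA;
    modes = ext->val;

    ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
    /* Use (EC)DHE for forward-security if possible. */
    if ((modes & (1 << PSK_DHE_KE)) != 0 && !ssl->options.noPskDheKe &&
                                                                  ext != NULL) {
        /* Only use named group used in last session. */
        ssl->namedGroup = ssl->session.namedGroup;

        /* Try to establish a new secret. */
        ret = TLSX_KeyShare_Establish(ssl);
        if (ret == KEY_SHARE_ERROR)
            return PSK_KEY_ERROR;
        else if (ret < 0)
            return ret;

        /* Send new public key to client. */
        ext->resp = 1;
    }
    else if ((modes & (1 << PSK_KE)) == 0)
        return PSK_KEY_ERROR;

    *usingPSK = 1;

    return ret;
}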
3050 | #endif
3052 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && defined(WOLFSSL_SEND_HRR_COOKIE)
/* Check the Cookie data's integrity.
 *
 * The last tagSz bytes of the cookie are an HMAC, keyed with the server's
 * cookie secret, over everything before them.
 *
 * ssl       SSL/TLS object.
 * cookie    The cookie data - hash and MAC.
 * cookieSz  The length of the cookie data in bytes.
 * returns the length of the authenticated data preceding the MAC on success,
 *         otherwise failure.
 */
static int CheckCookie(WOLFSSL* ssl, byte* cookie, byte cookieSz)
{
    int  ret;
    byte expected[MAX_DIGEST_SIZE];
    Hmac hmac;
    byte hashType;
    byte tagSz;
    byte dataSz;

#if !defined(NO_SHA) && defined(NO_SHA256)
    hashType = SHA;
    tagSz = WC_SHA_DIGEST_SIZE;
#endif /* NO_SHA */
#ifndef NO_SHA256
    hashType = WC_SHA256;
    tagSz = WC_SHA256_DIGEST_SIZE;
#endif /* NO_SHA256 */

    /* Must hold at least a transcript hash plus the trailing MAC. */
    if (cookieSz < ssl->specs.hash_size + tagSz) {
        return HRR_COOKIE_ERROR;
    }
    /* Everything before the MAC is the authenticated payload. */
    dataSz = (byte)(cookieSz - tagSz);

    /* Recompute the MAC over the payload with the cookie secret. */
    ret = wc_HmacSetKey(&hmac, hashType, ssl->buffers.tls13CookieSecret.buffer,
                        ssl->buffers.tls13CookieSecret.length);
    if (ret == 0) {
        ret = wc_HmacUpdate(&hmac, cookie, dataSz);
    }
    if (ret == 0) {
        ret = wc_HmacFinal(&hmac, expected);
    }
    if (ret != 0) {
        return ret;
    }

    /* Constant-time compare so the verdict does not leak through timing. */
    if (ConstantCompare(cookie + dataSz, expected, tagSz) != 0) {
        return HRR_COOKIE_ERROR;
    }
    return dataSz;
}
/* Length of the KeyShare Extension as rebuilt for the HelloRetryRequest:
 * extension type | extension length | named group (one 16-bit field each). */
#define HRR_KEY_SHARE_SZ   (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
/* Length of the Cookie Extension excluding cookie data:
 * extension type | extension length | cookie length. */
#define HRR_COOKIE_HDR_SZ  (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
/* Fixed HelloRetryRequest body: PV | CipherSuite | Ext Len */
#define HRR_BODY_SZ        (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
/* Largest HelloRetryRequest RestartHandshakeHashWithCookie() reconstructs;
 * the cookie bytes themselves are hashed separately and not counted here.
 * HH | PV | CipherSuite | Ext Len | Key Share | Cookie */
#define MAX_HRR_SZ   (HANDSHAKE_HEADER_SZ   + \
                        HRR_BODY_SZ         + \
                        HRR_KEY_SHARE_SZ    + \
                        HRR_COOKIE_HDR_SZ)
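/* Restart the Handshake hash from the cookie value.
 *
 * Authenticated cookie layout (before the MAC): hash length (1) |
 * ClientHello1 hash | cipher suite (2) | optional key share group (2).
 * The transcript is restarted with a synthetic message_hash built from the
 * stored hash, and the HelloRetryRequest that carried the cookie is
 * reconstructed and hashed again.
 *
 * ssl     SSL/TLS object.
 * cookie  Cookie data from client.
 * returns 0 on success, otherwise failure.
 */
static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
{
    byte   header[HANDSHAKE_HEADER_SZ];
    byte   hrr[MAX_HRR_SZ];
    int    hrrIdx;
    word32 idx;
    byte   hashSz;
    byte*  cookieData;
    byte   cookieDataSz;
    word16 length;
    int    keyShareExt = 0;
    int    ret;

    /* cookieDataSz counts everything before the MAC, including the leading
     * hash-length byte. */
    cookieDataSz = ret = CheckCookie(ssl, &cookie->data, cookie->len);
    if (ret < 0)
        return ret;
    hashSz = cookie->data;
    cookieData = &cookie->data;
    idx = OPAQUE8_LEN;

    /* The authenticated data must at least hold the hash and the cipher
     * suite, otherwise the reads below would run into the MAC. */
    if (cookieDataSz < OPAQUE8_LEN + hashSz + OPAQUE16_LEN)
        return HRR_COOKIE_ERROR;

    /* Restart handshake hash with synthetic message hash. */
    AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl);
    if ((ret = InitHandshakeHashes(ssl)) != 0)
        return ret;
    if ((ret = HashOutputRaw(ssl, header, sizeof(header))) != 0)
        return ret;
    if ((ret = HashOutputRaw(ssl, cookieData + idx, hashSz)) != 0)
        return ret;

    /* Reconstruct the HelloRetryMessage for handshake hash. */
    length = HRR_BODY_SZ + HRR_COOKIE_HDR_SZ + cookie->len;
    /* A key share group is present only if there are bytes beyond the
     * hash-length byte, the hash and the cipher suite. The hash-length byte
     * has to be counted here, as cookieDataSz includes it. */
    if (cookieDataSz > OPAQUE8_LEN + hashSz + OPAQUE16_LEN) {
        keyShareExt = 1;
        length += HRR_KEY_SHARE_SZ;
    }
    AddTls13HandShakeHeader(hrr, length, 0, 0, hello_retry_request, ssl);

    idx += hashSz;
    hrrIdx = HANDSHAKE_HEADER_SZ;
    /* TODO: [TLS13] Replace existing code with code in comment.
     * Use the TLS v1.3 draft version for now.
     *
     * Change to:
     * hrr[hrrIdx++] = ssl->version.major;
     * hrr[hrrIdx++] = ssl->version.minor;
     */
    /* The negotiated protocol version. */
    hrr[hrrIdx++] = TLS_DRAFT_MAJOR;
    hrr[hrrIdx++] = TLS_DRAFT_MINOR;
    /* Cipher Suite */
    hrr[hrrIdx++] = cookieData[idx++];
    hrr[hrrIdx++] = cookieData[idx++];

    /* Extensions' length */
    length -= HRR_BODY_SZ;
    c16toa(length, hrr + hrrIdx);
    hrrIdx += 2;
    /* Optional KeyShare Extension */
    if (keyShareExt) {
        c16toa(TLSX_KEY_SHARE, hrr + hrrIdx);
        hrrIdx += 2;
        c16toa(OPAQUE16_LEN, hrr + hrrIdx);
        hrrIdx += 2;
        hrr[hrrIdx++] = cookieData[idx++];
        hrr[hrrIdx++] = cookieData[idx++];
    }
    /* Mandatory Cookie Extension */
    c16toa(TLSX_COOKIE, hrr + hrrIdx);
    hrrIdx += 2;
    c16toa(cookie->len + OPAQUE16_LEN, hrr + hrrIdx);
    hrrIdx += 2;
    c16toa(cookie->len, hrr + hrrIdx);
    hrrIdx += 2;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("Reconstucted HelloRetryRequest");
    WOLFSSL_BUFFER(hrr, hrrIdx);
    WOLFSSL_MSG("Cookie");
    WOLFSSL_BUFFER(cookieData, cookie->len);
#endif

    /* Hash the rebuilt message, then the cookie bytes that follow it. */
    if ((ret = HashOutputRaw(ssl, hrr, hrrIdx)) != 0)
        return ret;
    return HashOutputRaw(ssl, cookieData, cookie->len);
}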
3198 | #endif
3200 | /* Handle a ClientHello handshake message.
|
---|
3201 | * If the protocol version in the message is not TLS v1.3 or higher, use
|
---|
3202 | * DoClientHello()
|
---|
3203 | * Only a server will receive this message.
|
---|
3204 | *
|
---|
3205 | * ssl The SSL/TLS object.
|
---|
3206 | * input The message buffer.
|
---|
3207 | * inOutIdx On entry, the index into the message buffer of ClientHello.
|
---|
3208 | * On exit, the index of byte after the ClientHello message and
|
---|
3209 | * padding.
|
---|
3210 | * helloSz The length of the current handshake message.
|
---|
3211 | * returns 0 on success and otherwise failure.
|
---|
3212 | */
|
---|
/* Handle a TLS v1.3 ClientHello message.
 * Parses and bounds-checks the body, processes the extensions, then either
 * uses the pre-shared key selected by DoPreSharedKeys or negotiates a cipher
 * suite and derives the early secret. Hands the message to DoClientHello when
 * this object is configured for a version below TLS v1.3.
 * Only a server will receive this message.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, index of the first byte of the ClientHello body;
 *           on success, advanced past the message.
 * helloSz   The length of the ClientHello body.
 * returns 0 on success, otherwise BUFFER_ERROR, INVALID_PARAMETER,
 *         VERSION_ERROR, HRR_COOKIE_ERROR or an error propagated from a
 *         called function.
 */
int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                       word32 helloSz)
{
    int             ret;
    byte            b;
    ProtocolVersion pv;
    Suites          clSuites;
    word32          i = *inOutIdx;
    /* Start of the body: every length check below is relative to begin so
     * that helloSz bounds the whole parse. */
    word32          begin = i;
    word16          totalExtSz;
    int             usingPSK = 0;
    byte            sessIdSz;

    WOLFSSL_ENTER("DoTls13ClientHello");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName("ClientHello", &ssl->handShakeInfo);
    if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo);
#endif

    /* protocol version, random and session id length check */
    if ((i - begin) + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz)
        return BUFFER_ERROR;

    /* Protocol version */
    XMEMCPY(&pv, input + i, OPAQUE16_LEN);
    ssl->chVersion = pv;   /* store */
    i += OPAQUE16_LEN;

    /* Object configured below TLS v1.3: let the pre-1.3 parser handle the
     * whole message. inOutIdx still points at the start of the body. */
    if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor < TLSv1_3_MINOR)
        return DoClientHello(ssl, input, inOutIdx, helloSz);

    /* Client random */
    XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN);
    i += RAN_LEN;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("client random");
    WOLFSSL_BUFFER(ssl->arrays->clientRandom, RAN_LEN);
#endif

    /* Session id - empty in TLS v1.3 */
    sessIdSz = input[i++];
    if (sessIdSz > 0) {
        WOLFSSL_MSG("Client sent session id - not supported");
        return BUFFER_ERROR;
    }

    /* Cipher suites */
    if ((i - begin) + OPAQUE16_LEN > helloSz)
        return BUFFER_ERROR;
    ato16(&input[i], &clSuites.suiteSz);
    i += OPAQUE16_LEN;
    /* suites and compression length check */
    /* Both the message bound and the fixed capacity of clSuites.suites are
     * checked before the copy. NOTE(review): suiteSz is not required to be
     * non-zero or even here; presumably MatchSuite rejects such lists -
     * confirm. */
    if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz)
        return BUFFER_ERROR;
    if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ)
        return BUFFER_ERROR;
    XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz);
    i += clSuites.suiteSz;
    clSuites.hashSigAlgoSz = 0;

    /* Compression */
    b = input[i++];
    if ((i - begin) + b > helloSz)
        return BUFFER_ERROR;
    /* Exactly one method is allowed and it must be "no compression". */
    if (b != COMP_LEN) {
        WOLFSSL_MSG("Must be one compression type in list");
        return INVALID_PARAMETER;
    }
    b = input[i++];
    if (b != NO_COMPRESSION) {
        WOLFSSL_MSG("Must be no compression type in list");
        return INVALID_PARAMETER;
    }

    /* TLS v1.3 ClientHello messages will have extensions. */
    if ((i - begin) >= helloSz) {
        WOLFSSL_MSG("ClientHello must have extensions in TLS v1.3");
        return BUFFER_ERROR;
    }
    if ((i - begin) + OPAQUE16_LEN > helloSz)
        return BUFFER_ERROR;
    ato16(&input[i], &totalExtSz);
    i += OPAQUE16_LEN;
    if ((i - begin) + totalExtSz > helloSz)
        return BUFFER_ERROR;

#ifdef HAVE_QSH
    QSH_Init(ssl);
#endif

    /* Auto populate extensions supported unless user defined. */
    if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0)
        return ret;

    /* Parse extensions */
    /* Only the totalExtSz bytes verified above are handed to the parser. */
    if ((ret = TLSX_Parse(ssl, (byte*)input + i, totalExtSz, client_hello,
                                                                  &clSuites))) {
        return ret;
    }

#ifdef HAVE_STUNNEL
    if ((ret = SNI_Callback(ssl)) != 0)
        return ret;
#endif /*HAVE_STUNNEL*/

    /* No supported_versions extension means the client is not TLS v1.3:
     * refuse, or when downgrade is enabled adopt the client's legacy version.
     * NOTE(review): pv.minor comes from the peer and no lower bound is
     * applied here - confirm the minimum accepted version is enforced
     * elsewhere before this assignment is relied upon. */
    if (TLSX_Find(ssl->extensions, TLSX_SUPPORTED_VERSIONS) == NULL) {
        if (!ssl->options.downgrade) {
            WOLFSSL_MSG("Client trying to connect with lesser version");
            return VERSION_ERROR;
        }
        ssl->version.minor = pv.minor;
    }

#ifdef WOLFSSL_SEND_HRR_COOKIE
    /* Second ClientHello after a HelloRetryRequest that carried a cookie:
     * the client must have echoed it. */
    if (ssl->options.sendCookie &&
              ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
        TLSX* ext;

        if ((ext = TLSX_Find(ssl->extensions, TLSX_COOKIE)) == NULL)
            return HRR_COOKIE_ERROR;
        /* Ensure the cookie came from client and isn't the one in the response
         * - HelloRetryRequest.
         */
        if (ext->resp == 1)
            return HRR_COOKIE_ERROR;
        ret = RestartHandshakeHashWithCookie(ssl, (Cookie*)ext->data);
        if (ret != 0)
            return ret;
    }
#endif

    ssl->options.sendVerify = SEND_CERT;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    /* Process the Pre-Shared Key extension if present. */
    /* Given the whole body (input + begin) and helloSz; sets usingPSK when a
     * key is selected. */
    ret = DoPreSharedKeys(ssl, input + begin, helloSz, &usingPSK);
    if (ret != 0)
        return ret;
#endif

    /* Full handshake path: choose a suite, hash the ClientHello and derive
     * the early secret. When a PSK was selected these steps are skipped here
     * (presumably DoPreSharedKeys did the equivalent - confirm). */
    if (!usingPSK) {
        if ((ret = MatchSuite(ssl, &clSuites)) < 0) {
            WOLFSSL_MSG("Unsupported cipher suite, ClientHello");
            return ret;
        }

#ifdef HAVE_SESSION_TICKET
        /* resuming was set earlier but no PSK is in use: drop the resumption
         * state, wipe the PSK bytes and start the hashes afresh. */
        if (ssl->options.resuming) {
            ssl->options.resuming = 0;
            XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size);
            /* May or may not have done any hashing. */
            if ((ret = InitHandshakeHashes(ssl)) != 0)
                return ret;
        }
#endif

        if ((ret = HashInput(ssl, input + begin, helloSz)) != 0)
            return ret;

        /* Derive early secret for handshake secret. */
        if ((ret = DeriveEarlySecret(ssl)) != 0)
            return ret;
    }

    i += totalExtSz;
    *inOutIdx = i;

    ssl->options.clientState = CLIENT_HELLO_COMPLETE;

    /* ret is 0 on every path that reaches this point. */
    WOLFSSL_LEAVE("DoTls13ClientHello", ret);

    return ret;
}
3388 |
|
---|
3389 | /* Send the HelloRetryRequest message to indicate the negotiated protocol
|
---|
3390 | * version and security parameters the server is willing to use.
|
---|
3391 | * Only a server will send this message.
|
---|
3392 | *
|
---|
3393 | * ssl The SSL/TLS object.
|
---|
3394 | * returns 0 on success, otherwise failure.
|
---|
3395 | */
|
---|
int SendTls13HelloRetryRequest(WOLFSSL* ssl)
{
    int    ret;
    byte*  msg;
    word32 extSz;
    word32 bodySz;
    word32 pos = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    int    totalSz;

    WOLFSSL_ENTER("SendTls13HelloRetryRequest");

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Restart the handshake hash before this message is added to it
     * (post draft 18 behaviour). */
    ret = RestartHandshakeHash(ssl);
    if (ret < 0)
        return ret;
#endif

    /* Size of the extensions to write. Without any there is nothing to tell
     * the client to change, so the message is not sent. */
    extSz = TLSX_GetResponseSize(ssl, hello_retry_request);
    if (extSz == 0)
        return MISSING_HANDSHAKE_DATA;

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Protocol version + CipherSuite + Extensions */
    bodySz = OPAQUE16_LEN + OPAQUE16_LEN + extSz;
#else
    /* Protocol version + Extensions */
    bodySz = OPAQUE16_LEN + extSz;
#endif
    totalSz = pos + bodySz;

    /* Check buffers are big enough and grow if needed. */
    ret = CheckAvailableSize(ssl, totalSz);
    if (ret != 0)
        return ret;

    /* The new message goes after whatever is already queued for output. */
    msg = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.length;
    /* Add record and handshake headers. */
    AddTls13Headers(msg, bodySz, hello_retry_request, ssl);

    /* TODO: [TLS13] Replace existing code with code in comment.
     * Use the TLS v1.3 draft version for now.
     *
     * Change to:
     *   msg[pos++] = ssl->version.major;
     *   msg[pos++] = ssl->version.minor;
     */
    /* The negotiated protocol version. */
    msg[pos++] = TLS_DRAFT_MAJOR;
    msg[pos++] = TLS_DRAFT_MINOR;

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Chosen cipher suite */
    msg[pos++] = ssl->options.cipherSuite0;
    msg[pos++] = ssl->options.cipherSuite;
#endif

    /* Add TLS extensions. */
    TLSX_WriteResponse(ssl, msg + pos, hello_retry_request);
    pos += extSz;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName("HelloRetryRequest", &ssl->handShakeInfo);
    if (ssl->toInfoOn) {
        AddPacketInfo("HelloRetryRequest", &ssl->timeoutInfo, msg, totalSz,
                      ssl->heap);
    }
#endif

    /* Hash the message as written (headers included, pos bytes). */
    ret = HashOutput(ssl, msg, pos, 0);
    if (ret != 0)
        return ret;

    ssl->buffers.outputBuffer.length += totalSz;

    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13HelloRetryRequest", ret);

    return ret;
}
3479 |
|
---|
3480 | /* Send TLS v1.3 ServerHello message to client.
|
---|
3481 | * Only a server will send this message.
|
---|
3482 | *
|
---|
3483 | * ssl The SSL/TLS object.
|
---|
3484 | * returns 0 on success, otherwise failure.
|
---|
3485 | */
|
---|
static int SendTls13ServerHello(WOLFSSL* ssl)
{
    byte*  msg;
    word32 bodySz;
    word32 pos = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    int    totalSz;
    int    ret;

    WOLFSSL_ENTER("SendTls13ServerHello");

    /* Protocol version, server random, cipher suite and extensions. */
    bodySz = VERSION_SZ + RAN_LEN + SUITE_LEN +
             TLSX_GetResponseSize(ssl, server_hello);
    totalSz = pos + bodySz;

    /* Check buffers are big enough and grow if needed. */
    ret = CheckAvailableSize(ssl, totalSz);
    if (ret != 0)
        return ret;

    /* The new message goes after whatever is already queued for output. */
    msg = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(msg, bodySz, server_hello, ssl);

    /* TODO: [TLS13] Replace existing code with code in comment.
     * Use the TLS v1.3 draft version for now.
     *
     * Change to:
     *   msg[pos++] = ssl->version.major;
     *   msg[pos++] = ssl->version.minor;
     */
    /* The negotiated protocol version. */
    msg[pos++] = TLS_DRAFT_MAJOR;
    msg[pos++] = TLS_DRAFT_MINOR;

    /* Server random: generated straight into the message, then kept in the
     * arrays for debugging. */
    ret = wc_RNG_GenerateBlock(ssl->rng, msg + pos, RAN_LEN);
    if (ret != 0)
        return ret;
    XMEMCPY(ssl->arrays->serverRandom, msg + pos, RAN_LEN);
    pos += RAN_LEN;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("Server random");
    WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN);
#endif

    /* Chosen cipher suite */
    msg[pos++] = ssl->options.cipherSuite0;
    msg[pos++] = ssl->options.cipherSuite;

    /* Extensions */
    TLSX_WriteResponse(ssl, msg + pos, server_hello);

    ssl->buffers.outputBuffer.length += totalSz;

    /* Hash the whole message as written. */
    ret = HashOutput(ssl, msg, totalSz, 0);
    if (ret != 0)
        return ret;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName("ServerHello", &ssl->handShakeInfo);
    if (ssl->toInfoOn) {
        AddPacketInfo("ServerHello", &ssl->timeoutInfo, msg, totalSz,
                      ssl->heap);
    }
#endif

    ssl->options.serverState = SERVER_HELLO_COMPLETE;

    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13ServerHello", ret);

    return ret;
}
3565 |
|
---|
3566 | /* Send the rest of the extensions encrypted under the handshake key.
|
---|
3567 | * This message is always encrypted in TLS v1.3.
|
---|
3568 | * Only a server will send this message.
|
---|
3569 | *
|
---|
3570 | * ssl The SSL/TLS object.
|
---|
3571 | * returns 0 on success, otherwise failure.
|
---|
3572 | */
|
---|
static int SendTls13EncryptedExtensions(WOLFSSL* ssl)
{
    int    ret;
    byte*  msg;
    word32 bodySz;
    word32 pos = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    int    totalSz;

    WOLFSSL_ENTER("SendTls13EncryptedExtensions");

    /* From here on records are protected. */
    ssl->keys.encryptionOn = 1;

    /* Derive the handshake secret now that we are at first message to be
     * encrypted under the keys.
     */
    ret = DeriveHandshakeSecret(ssl);
    if (ret != 0)
        return ret;
    ret = DeriveTls13Keys(ssl, handshake_key, ENCRYPT_AND_DECRYPT_SIDE, 1);
    if (ret != 0)
        return ret;

    /* Setup encrypt/decrypt keys for following messages. */
#ifdef WOLFSSL_EARLY_DATA
    /* Decrypt keys are left alone while earlyData is 2 (presumably early
     * data is still expected under the previous keys - confirm). */
    ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
    if (ret != 0)
        return ret;
    if (ssl->earlyData != 2) {
        ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);
        if (ret != 0)
            return ret;
    }
#else
    ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE);
    if (ret != 0)
        return ret;
#endif

    bodySz = TLSX_GetResponseSize(ssl, encrypted_extensions);
    /* Encryption always on: leave room for the protection overhead. */
    totalSz = pos + bodySz + MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    ret = CheckAvailableSize(ssl, totalSz);
    if (ret != 0)
        return ret;

    /* The new message goes after whatever is already queued for output. */
    msg = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(msg, bodySz, encrypted_extensions, ssl);

    TLSX_WriteResponse(ssl, msg + pos, encrypted_extensions);
    pos += bodySz;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName("EncryptedExtensions", &ssl->handShakeInfo);
    if (ssl->toInfoOn) {
        AddPacketInfo("EncryptedExtensions", &ssl->timeoutInfo, msg,
                      totalSz, ssl->heap);
    }
#endif

    /* This handshake message is always encrypted. The plaintext starts after
     * the record header; the result is the size of the protected record. */
    totalSz = BuildTls13Message(ssl, msg, totalSz, msg + RECORD_HEADER_SZ,
                                pos - RECORD_HEADER_SZ, handshake, 1, 0, 0);
    if (totalSz < 0)
        return totalSz;

    ssl->buffers.outputBuffer.length += totalSz;

    ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;

    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13EncryptedExtensions", ret);

    return ret;
}
3653 |
|
---|
3654 | #ifndef NO_CERTS
|
---|
3655 | /* Send the TLS v1.3 CertificateRequest message.
|
---|
3656 | * This message is always encrypted in TLS v1.3.
|
---|
3657 | * Only a server will send this message.
|
---|
3658 | *
|
---|
3659 | * ssl SSL/TLS object.
|
---|
3660 | * reqCtx Request context.
|
---|
3661 | * reqCtxLen Length of context. 0 when sending as part of handshake.
|
---|
3662 | * returns 0 on success, otherwise failure.
|
---|
3663 | */
|
---|
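/* Also returns BAD_FUNC_ARG when reqCtxLen is outside 0..255 (the context
 * is written behind a one byte length) or reqCtx is NULL with a non-zero
 * length. Nothing is written in that case. */
static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx,
                                       int reqCtxLen)
{
    byte*  output;
    int    ret;
    int    sendSz;
    word32 i;
    int    reqSz;
#ifndef WOLFSSL_TLS13_DRAFT_18
    TLSX*  ext;
#endif

    WOLFSSL_ENTER("SendTls13CertificateRequest");

    /* Validate the context before any state is touched: the length must fit
     * its one byte prefix, and a non-empty context needs bytes to copy. */
    if (reqCtxLen < 0 || reqCtxLen > 0xFF)
        return BAD_FUNC_ARG;
    if (reqCtxLen != 0 && reqCtx == NULL)
        return BAD_FUNC_ARG;

    if (ssl->options.side == WOLFSSL_SERVER_END)
        InitSuitesHashSigAlgo(ssl->suites, 1, 1, 0, 1, ssl->buffers.keySz);

#ifdef WOLFSSL_TLS13_DRAFT_18
    i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    /* Context length + context + CA list length + extensions length ... */
    reqSz = OPAQUE8_LEN + reqCtxLen + REQ_HEADER_SZ + REQ_HEADER_SZ;
    /* ... + signature algorithm list with its length. */
    reqSz += LENGTH_SZ + ssl->suites->hashSigAlgoSz;

    sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz;
    /* Always encrypted and make room for padding. */
    sendSz += MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, reqSz, certificate_request, ssl);

    /* Certificate request context. */
    output[i++] = (byte)reqCtxLen;
    if (reqCtxLen != 0) {
        XMEMCPY(output + i, reqCtx, reqCtxLen);
        i += reqCtxLen;
    }

    /* supported hash/sig */
    c16toa(ssl->suites->hashSigAlgoSz, &output[i]);
    i += LENGTH_SZ;

    XMEMCPY(&output[i], ssl->suites->hashSigAlgo, ssl->suites->hashSigAlgoSz);
    i += ssl->suites->hashSigAlgoSz;

    /* Certificate authorities not supported yet - empty buffer. */
    c16toa(0, &output[i]);
    i += REQ_HEADER_SZ;

    /* Certificate extensions. */
    c16toa(0, &output[i]); /* auth's */
    i += REQ_HEADER_SZ;
#else
    /* The signature_algorithms extension must exist; it is marked as
     * request-side (resp = 0) so the request writer below includes it
     * (inferred from the TLSX_GetRequestSize/TLSX_WriteRequest calls). */
    ext = TLSX_Find(ssl->extensions, TLSX_SIGNATURE_ALGORITHMS);
    if (ext == NULL)
        return EXT_MISSING;
    ext->resp = 0;

    i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    /* Context length + context + extensions. */
    reqSz = OPAQUE8_LEN + reqCtxLen +
            TLSX_GetRequestSize(ssl, certificate_request);

    sendSz = i + reqSz;
    /* Always encrypted and make room for padding. */
    sendSz += MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, reqSz, certificate_request, ssl);

    /* Certificate request context. */
    output[i++] = (byte)reqCtxLen;
    if (reqCtxLen != 0) {
        XMEMCPY(output + i, reqCtx, reqCtxLen);
        i += reqCtxLen;
    }

    /* Certificate extensions. */
    i += TLSX_WriteRequest(ssl, output + i, certificate_request);
#endif

    /* Always encrypted. Plaintext starts after the record header; the result
     * is the size of the protected record. */
    sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
                               i - RECORD_HEADER_SZ, handshake, 1, 0, 0);
    if (sendSz < 0)
        return sendSz;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName("CertificateRequest", &ssl->handShakeInfo);
    if (ssl->toInfoOn) {
        AddPacketInfo("CertificateRequest", &ssl->timeoutInfo, output,
                      sendSz, ssl->heap);
    }
#endif

    ssl->buffers.outputBuffer.length += sendSz;
    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13CertificateRequest", ret);

    return ret;
}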
3781 | #endif /* NO_CERTS */
|
---|
3782 | #endif /* NO_WOLFSSL_SERVER */
|
---|
3783 |
|
---|
3784 | #ifndef NO_CERTS
|
---|
3785 | #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519)
|
---|
3786 | /* Encode the signature algorithm into buffer.
|
---|
3787 | *
|
---|
 * hashAlgo The hash algorithm.
|
---|
3789 | * hsType The signature type.
|
---|
3790 | * output The buffer to encode into.
|
---|
3791 | */
|
---|
static INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output)
{
    /* hashAlgo is only consumed by some of the compiled-in branches. */
    (void)hashAlgo;

#ifdef HAVE_ECC
    if (hsType == ecc_dsa_sa_algo) {
        /* ECDSA: hash id first, then the signature type. */
        output[0] = hashAlgo;
        output[1] = ecc_dsa_sa_algo;
        return;
    }
#endif
#ifdef HAVE_ED25519
    if (hsType == ed25519_sa_algo) {
        /* ED25519: 0x0807 - fixed code, no separate hash id. */
        output[0] = ED25519_SA_MAJOR;
        output[1] = ED25519_SA_MINOR;
        return;
    }
#endif
#ifndef NO_RSA
    if (hsType == rsa_pss_sa_algo) {
        /* PSS signatures: 0x080[4-6] - the hash id is the low byte. */
        output[0] = rsa_pss_sa_algo;
        output[1] = hashAlgo;
        return;
    }
#endif
    /* ED448: 0x0808 - not supported. Any other hsType leaves output
     * untouched. */
}
3819 |
|
---|
3820 | /* Decode the signature algorithm.
|
---|
3821 | *
|
---|
3822 | * input The encoded signature algorithm.
|
---|
 * hashAlgo The decoded hash algorithm.
|
---|
3824 | * hsType The signature type.
|
---|
3825 | */
|
---|
static INLINE void DecodeSigAlg(byte* input, byte* hashAlgo, byte* hsType)
{
    if (input[0] != NEW_SA_MAJOR) {
        /* Legacy encoding: hash id, then signature type. */
        *hashAlgo = input[0];
        *hsType = input[1];
        return;
    }

    /* PSS signatures: 0x080[4-6] */
    if (input[1] <= sha512_mac) {
        *hsType = input[0];
        *hashAlgo = input[1];
    }
#ifdef HAVE_ED25519
    /* ED25519: 0x0807 */
    if (input[1] == ED25519_SA_MINOR) {
        *hsType = ed25519_sa_algo;
        /* Hash performed as part of sign/verify operation. */
        *hashAlgo = sha512_mac;
    }
#endif
    /* ED448: 0x0808 - not supported. NOTE(review): a NEW_SA_MAJOR code that
     * matches neither branch leaves *hashAlgo and *hsType unset - confirm
     * callers initialise them before the call. */
}
3851 |
|
---|
3852 | /* Get the hash of the messages so far.
|
---|
3853 | *
|
---|
3854 | * ssl The SSL/TLS object.
|
---|
3855 | * hash The buffer to write the hash to.
|
---|
3856 | * returns the length of the hash.
|
---|
3857 | */
|
---|
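/* Returns the digest length on success, otherwise a negative error.
 * A mac_algorithm that is not compiled in yields BAD_FUNC_ARG rather than 0,
 * so the caller cannot mistake it for an empty transcript hash. */
static INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash)
{
    int ret = 0;
    switch (ssl->specs.mac_algorithm) {
#ifndef NO_SHA256
        case sha256_mac:
            ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            if (ret == 0)
                ret = WC_SHA256_DIGEST_SIZE;
            break;
#endif /* !NO_SHA256 */
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            if (ret == 0)
                ret = WC_SHA384_DIGEST_SIZE;
            break;
#endif /* WOLFSSL_SHA384 */
#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            if (ret == 0)
                ret = WC_SHA512_DIGEST_SIZE;
            break;
#endif /* WOLFSSL_TLS13_SHA512 */
        default:
            /* Unsupported or compiled-out hash: report an error instead of a
             * zero length that would be treated as success by the caller. */
            ret = BAD_FUNC_ARG;
            break;
    }
    return ret;
}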
3886 |
|
---|
/* The length of the certificate verification label - client and server. */
/* 33 characters plus the terminating NUL of the literal: the zero byte is
 * copied into the signed data along with the text. */
#define CERT_VFY_LABEL_SZ 34
/* The server certificate verification label. */
static const byte serverCertVfyLabel[CERT_VFY_LABEL_SZ] =
    "TLS 1.3, server CertificateVerify";
/* The client certificate verification label. */
static const byte clientCertVfyLabel[CERT_VFY_LABEL_SZ] =
    "TLS 1.3, client CertificateVerify";

/* The number of prefix bytes for signature data. */
#define SIGNING_DATA_PREFIX_SZ 64
/* The prefix byte in the signature data (ASCII space). */
#define SIGNING_DATA_PREFIX_BYTE 0x20
/* Maximum length of the signature data. */
/* Prefix, label and the largest transcript digest this build can produce. */
#define MAX_SIG_DATA_SZ (SIGNING_DATA_PREFIX_SZ + \
                         CERT_VFY_LABEL_SZ + \
                         MAX_DIGEST_SIZE)
3904 |
|
---|
3905 | /* Create the signature data for TLS v1.3 certificate verification.
|
---|
3906 | *
|
---|
3907 | * ssl The SSL/TLS object.
|
---|
3908 | * sigData The signature data.
|
---|
3909 | * sigDataSz The length of the signature data.
|
---|
3910 | * check Indicates this is a check not create.
|
---|
3911 | */
|
---|
static int CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz,
                         int check)
{
    const byte* label = NULL;
    word16      pos = SIGNING_DATA_PREFIX_SZ;
    int         side = ssl->options.side;
    int         hashLen;

    /* Signature Data = Prefix | Label | Handshake Hash */
    XMEMSET(sigData, SIGNING_DATA_PREFIX_BYTE, SIGNING_DATA_PREFIX_SZ);

    /* The label names the signer: when checking, that is the peer. */
    if ((side == WOLFSSL_SERVER_END && check) ||
        (side == WOLFSSL_CLIENT_END && !check)) {
        label = clientCertVfyLabel;
    }
    else if ((side == WOLFSSL_CLIENT_END && check) ||
             (side == WOLFSSL_SERVER_END && !check)) {
        label = serverCertVfyLabel;
    }
    if (label != NULL)
        XMEMCPY(&sigData[pos], label, CERT_VFY_LABEL_SZ);
    pos += CERT_VFY_LABEL_SZ;

    /* Transcript hash of the messages so far goes after the label. */
    hashLen = GetMsgHash(ssl, &sigData[pos]);
    if (hashLen < 0)
        return hashLen;

    *sigDataSz = pos + hashLen;

    return 0;
}
3942 |
|
---|
3943 | #ifndef NO_RSA
|
---|
3944 | /* Encode the PKCS #1.5 RSA signature.
|
---|
3945 | *
|
---|
3946 | * sig The buffer to place the encoded signature into.
|
---|
3947 | * sigData The data to be signed.
|
---|
3948 | * sigDataSz The size of the data to be signed.
|
---|
 * sigAlgo The signature algorithm (not used).
 * hashAlgo The hash algorithm to use when signing.
|
---|
3950 | * returns the length of the encoded signature or negative on error.
|
---|
3951 | */
|
---|
static int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz,
                               int sigAlgo, int hashAlgo)
{
    Digest dgst;
    int    outLen = 0;
    int    ret = BAD_FUNC_ARG;   /* left as is when hashAlgo is not handled */

    /* The digest is selected by hashAlgo alone. */
    (void)sigAlgo;

    /* Digest the signature data into sig. sig may be the same buffer as
     * sigData: the Update call has consumed the input before Final writes. */
    switch (hashAlgo) {
#ifndef NO_WOLFSSL_SHA256
        /* NOTE(review): guarded by NO_WOLFSSL_SHA256 here but NO_SHA256 in
         * GetMsgHash - confirm which macro is intended. */
        case sha256_mac:
            ret = wc_InitSha256(&dgst.sha256);
            if (ret != 0)
                break;
            ret = wc_Sha256Update(&dgst.sha256, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha256Final(&dgst.sha256, sig);
            wc_Sha256Free(&dgst.sha256);
            outLen = WC_SHA256_DIGEST_SIZE;
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_InitSha384(&dgst.sha384);
            if (ret != 0)
                break;
            ret = wc_Sha384Update(&dgst.sha384, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha384Final(&dgst.sha384, sig);
            wc_Sha384Free(&dgst.sha384);
            outLen = WC_SHA384_DIGEST_SIZE;
            break;
#endif
#ifdef WOLFSSL_SHA512
        case sha512_mac:
            ret = wc_InitSha512(&dgst.sha512);
            if (ret != 0)
                break;
            ret = wc_Sha512Update(&dgst.sha512, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha512Final(&dgst.sha512, sig);
            wc_Sha512Free(&dgst.sha512);
            outLen = WC_SHA512_DIGEST_SIZE;
            break;
#endif
    }

    /* Negative error from the digest, otherwise the digest length. */
    return (ret != 0) ? ret : outLen;
}
4009 | #endif /* !NO_RSA */
|
---|
4010 |
|
---|
4011 | #ifdef HAVE_ECC
|
---|
4012 | /* Encode the ECC signature.
|
---|
4013 | *
|
---|
4014 | * sigData The data to be signed.
|
---|
4015 | * sigDataSz The size of the data to be signed.
|
---|
4016 | * hashAlgo The hash algorithm to use when signing.
|
---|
4017 | * returns the length of the encoded signature or negative on error.
|
---|
4018 | */
|
---|
static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo)
{
    Digest dgst;
    int    outLen = 0;
    int    ret = BAD_FUNC_ARG;   /* left as is when hashAlgo is not handled */

    /* Digest the signature data in place: the digest overwrites the start of
     * sigData once the Update call has consumed it. */
    switch (hashAlgo) {
#ifndef NO_WOLFSSL_SHA256
        case sha256_mac:
            ret = wc_InitSha256(&dgst.sha256);
            if (ret != 0)
                break;
            ret = wc_Sha256Update(&dgst.sha256, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha256Final(&dgst.sha256, sigData);
            wc_Sha256Free(&dgst.sha256);
            outLen = WC_SHA256_DIGEST_SIZE;
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_InitSha384(&dgst.sha384);
            if (ret != 0)
                break;
            ret = wc_Sha384Update(&dgst.sha384, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha384Final(&dgst.sha384, sigData);
            wc_Sha384Free(&dgst.sha384);
            outLen = WC_SHA384_DIGEST_SIZE;
            break;
#endif
#ifdef WOLFSSL_SHA512
        case sha512_mac:
            ret = wc_InitSha512(&dgst.sha512);
            if (ret != 0)
                break;
            ret = wc_Sha512Update(&dgst.sha512, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha512Final(&dgst.sha512, sigData);
            wc_Sha512Free(&dgst.sha512);
            outLen = WC_SHA512_DIGEST_SIZE;
            break;
#endif
    }

    /* Negative error from the digest, otherwise the digest length. */
    return (ret != 0) ? ret : outLen;
}
4070 | #endif /* HAVE_ECC */
|
---|
4071 |
|
---|
4072 | #ifndef NO_RSA
|
---|
4073 | /* Check that the decrypted signature matches the encoded signature
|
---|
4074 | * based on the digest of the signature data.
|
---|
4075 | *
|
---|
4076 | * ssl The SSL/TLS object.
|
---|
 * sigAlgo The signature algorithm used to generate signature.
|
---|
4078 | * hashAlgo The hash algorithm used to generate signature.
|
---|
4079 | * decSig The decrypted signature.
|
---|
4080 | * decSigSz The size of the decrypted signature.
|
---|
4081 | * returns 0 on success, otherwise failure.
|
---|
4082 | */
|
---|
4083 | static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo,
|
---|
4084 | byte* decSig, word32 decSigSz)
|
---|
4085 | {
|
---|
4086 | int ret = 0;
|
---|
4087 | byte sigData[MAX_SIG_DATA_SZ];
|
---|
4088 | word16 sigDataSz;
|
---|
4089 | word32 sigSz;
|
---|
4090 |
|
---|
4091 | ret = CreateSigData(ssl, sigData, &sigDataSz, 1);
|
---|
4092 | if (ret != 0)
|
---|
4093 | return ret;
|
---|
4094 |
|
---|
4095 | if (sigAlgo == rsa_pss_sa_algo) {
|
---|
4096 | enum wc_HashType hashType = WC_HASH_TYPE_NONE;
|
---|
4097 |
|
---|
4098 | ret = ConvertHashPss(hashAlgo, &hashType, NULL);
|
---|
4099 | if (ret < 0)
|
---|
4100 | return ret;
|
---|
4101 |
|
---|
4102 | /* PSS signature can be done in-pace */
|
---|
4103 | ret = CreateRSAEncodedSig(sigData, sigData, sigDataSz,
|
---|
4104 | sigAlgo, hashAlgo);
|
---|
4105 | if (ret < 0)
|
---|
4106 | return ret;
|
---|
4107 | sigSz = ret;
|
---|
4108 |
|
---|
4109 | ret = wc_RsaPSS_CheckPadding(sigData, sigSz, decSig, decSigSz,
|
---|
4110 | hashType);
|
---|
4111 | }
|
---|
4112 |
|
---|
4113 | return ret;
|
---|
4114 | }
4115 | #endif /* !NO_RSA */
4116 | #endif /* !NO_RSA || HAVE_ECC */
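/* Get the next certificate from the list for writing into the TLS v1.3
 * Certificate message.
 *
 * The list is a sequence of 3-byte big-endian length fields, each followed by
 * that many bytes of ASN.1 encoded certificate (the layout of
 * ssl->buffers.certChain).
 *
 * data    The certificate list.
 * length  The length of the certificate data in the list.
 * idx     The index of the next certificate.  Advanced past the returned
 *         certificate (length field included) on success; left unchanged
 *         when 0 is returned.
 * returns the length of the certificate data including its 3-byte length
 *         field.  0 indicates no more certificates in the list, or that the
 *         remaining bytes cannot hold a complete length field and certificate
 *         (a truncated list is treated as ended instead of being read past).
 */
static word32 NextCert(byte* data, word32 length, word32* idx)
{
    word32 len;

    /* Is index at (or, defensively, beyond) the end of the list. */
    if (*idx >= length)
        return 0;

    /* The 3-byte length field itself must fit in what remains. */
    if (length - *idx < 3)
        return 0;

    /* Length of the current ASN.1 encoded certificate. */
    c24to32(data + *idx, &len);

    /* The certificate body must fit after the length field; otherwise the
     * caller would copy from beyond the list buffer. */
    if (len > length - *idx - 3)
        return 0;

    /* Include the length field. */
    len += 3;

    /* Move index to next certificate and return the current certificate's
     * length.
     */
    *idx += len;
    return len;
}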
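/* Add certificate data and empty extension to output up to the fragment size.
 *
 * The certificate is emitted as its bytes followed by a 2-byte (OPAQUE16_LEN)
 * zero extensions length.  idx addresses this combined stream, so a fragment
 * boundary may fall inside the two extension bytes: each call writes as much
 * of the remainder as fragSz allows and therefore always makes progress
 * while fragSz > 0 and idx < len + OPAQUE16_LEN.  (Emitting the extension
 * only when both bytes fit would leave a byte of unused fragment space and a
 * caller that loops until the fragment is consumed would never advance.)
 *
 * cert    The certificate data to write out.
 * len     The length of the certificate data.
 * idx     The start of the certificate data (plus extension) to write out.
 * fragSz  The maximum size of this fragment.
 * output  The buffer to write to; must have room for fragSz bytes.
 * returns the number of bytes written.  0 when fragSz is 0 or idx is already
 *         past the certificate and its extension.
 */
static word32 AddCertExt(byte* cert, word32 len, word32 idx, word32 fragSz,
                         byte* output)
{
    word32 i = 0;
    word32 copySz;

    /* Certificate body: whatever is left of it, bounded by the fragment. */
    if (idx < len) {
        copySz = min(len - idx, fragSz);
        XMEMCPY(output, cert + idx, copySz);
        i = copySz;
        idx += copySz;
    }

    /* Empty extension: zero bytes, possibly split across two fragments. */
    if (idx >= len && idx < len + OPAQUE16_LEN) {
        copySz = min(len + OPAQUE16_LEN - idx, fragSz - i);
        while (copySz > 0) {
            output[i++] = 0;
            copySz--;
        }
    }

    return i;
}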
/* Send the certificate for this end and any CAs that help with validation.
 * This message is always encrypted in TLS v1.3.
 *
 * Message body written here:
 *   request context length (1) | request context | list length (3) |
 *   [ cert length (3) | cert | extensions length (2, always 0) ]*
 * The leaf certificate comes from ssl->buffers.certificate; the remaining
 * chain comes from ssl->buffers.certChain, a list of 3-byte-length-prefixed
 * certificates (walked with NextCert) to which the 2-byte empty extension is
 * appended per certificate when writing.
 *
 * The message may be split over several records.  ssl->fragOffset persists
 * the number of certificate-list bytes already written so that a WANT_WRITE
 * result can be resumed by calling again.
 *
 * NOTE(review): the chain walking state (len, idx, offset below) is local
 * and starts over on every call, while ssl->fragOffset survives a
 * WANT_WRITE; a resume that lands inside the chain would restart the chain
 * from its first certificate.  Confirm whether a mid-chain WANT_WRITE can
 * occur with the buffering in use.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13Certificate(WOLFSSL* ssl)
{
    int    ret = 0;
    word32 certSz, certChainSz, headerSz, listSz, payloadSz;
    word32 length, maxFragment;
    word32 len = 0;               /* current chain cert length incl. its 3-byte prefix */
    word32 idx = 0;               /* NextCert cursor into certChain */
    word32 offset = OPAQUE16_LEN; /* position inside current chain cert; starts
                                   * "just past the extension" so the first
                                   * loop iteration fetches a certificate. */
    byte*  p = NULL;              /* certChain buffer when a chain is sent */
    byte   certReqCtxLen = 0;
    byte*  certReqCtx = NULL;

    WOLFSSL_ENTER("SendTls13Certificate");

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    /* Client answering a post-handshake CertificateRequest echoes the
     * request context it was given. */
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
        certReqCtxLen = ssl->certReqCtx->len;
        certReqCtx = &ssl->certReqCtx->ctx;
    }
#endif

    if (ssl->options.sendVerify == SEND_BLANK_CERT) {
        /* Empty certificate list: just the context and a zero list length. */
        certSz = 0;
        certChainSz = 0;
        headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ;
        length = headerSz;
        listSz = 0;
    }
    else {
        if (!ssl->buffers.certificate) {
            WOLFSSL_MSG("Send Cert missing certificate buffer");
            return BUFFER_ERROR;
        }
        /* Certificate Data */
        certSz = ssl->buffers.certificate->length;
        /* Cert Req Ctx Len | Cert Req Ctx | Cert List Len | Cert Data Len */
        headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ +
                   CERT_HEADER_SZ;
        /* Length of message data with one certificate and empty extensions. */
        length = headerSz + certSz + OPAQUE16_LEN;
        /* Length of list data with one certificate and empty extensions. */
        listSz = CERT_HEADER_SZ + certSz + OPAQUE16_LEN;

        /* Send rest of chain if sending cert (chain has leading size/s). */
        if (certSz > 0 && ssl->buffers.certChainCnt > 0) {
            /* The pointer to the current spot in the cert chain buffer. */
            p = ssl->buffers.certChain->buffer;
            /* Chain length including extensions: one empty extension field
             * per chain certificate is added on the wire. */
            certChainSz = ssl->buffers.certChain->length +
                          OPAQUE16_LEN * ssl->buffers.certChainCnt;
            length += certChainSz;
            listSz += certChainSz;
        }
        else
            certChainSz = 0;
    }

    /* Full handshake message length, placed in the handshake header of the
     * first fragment. */
    payloadSz = length;

    /* Resuming after WANT_WRITE: the header and fragOffset bytes of list
     * data have already gone out. */
    if (ssl->fragOffset != 0)
        length -= (ssl->fragOffset + headerSz);

    maxFragment = MAX_RECORD_SIZE;

#ifdef HAVE_MAX_FRAGMENT
    if (ssl->max_fragment != 0 && maxFragment >= ssl->max_fragment)
        maxFragment = ssl->max_fragment;
#endif /* HAVE_MAX_FRAGMENT */

    /* One record per iteration until all message bytes are written. */
    while (length > 0 && ret == 0) {
        byte*  output = NULL;
        word32 fragSz = 0;
        word32 i = RECORD_HEADER_SZ;    /* write position within output */
        int    sendSz = RECORD_HEADER_SZ;

        if (ssl->fragOffset == 0) {
            /* First fragment carries the handshake header as well. */
            if (headerSz + certSz + OPAQUE16_LEN + certChainSz <=
                maxFragment - HANDSHAKE_HEADER_SZ) {

                fragSz = headerSz + certSz + OPAQUE16_LEN + certChainSz;
            }
            else {
                fragSz = maxFragment - HANDSHAKE_HEADER_SZ;
            }
            sendSz += fragSz + HANDSHAKE_HEADER_SZ;
            i += HANDSHAKE_HEADER_SZ;
        }
        else {
            fragSz = min(length, maxFragment);
            sendSz += fragSz;
        }

        /* Room for the record protection overhead. */
        sendSz += MAX_MSG_EXTRA;

        /* Check buffers are big enough and grow if needed. */
        if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
            return ret;

        /* Get position in output buffer to write new message to. */
        output = ssl->buffers.outputBuffer.buffer +
                 ssl->buffers.outputBuffer.length;

        if (ssl->fragOffset == 0) {
            AddTls13FragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);

            /* Request context.  The header fields are deducted from both the
             * remaining message length and this fragment's budget. */
            output[i++] = certReqCtxLen;
            if (certReqCtxLen > 0) {
                XMEMCPY(output + i, certReqCtx, certReqCtxLen);
                i += certReqCtxLen;
            }
            length -= OPAQUE8_LEN + certReqCtxLen;
            fragSz -= OPAQUE8_LEN + certReqCtxLen;
            /* Certificate list length. */
            c32to24(listSz, output + i);
            i += CERT_HEADER_SZ;
            length -= CERT_HEADER_SZ;
            fragSz -= CERT_HEADER_SZ;
            /* Leaf certificate data length. */
            if (certSz > 0) {
                c32to24(certSz, output + i);
                i += CERT_HEADER_SZ;
                length -= CERT_HEADER_SZ;
                fragSz -= CERT_HEADER_SZ;
            }
        }
        else
            AddTls13RecordHeader(output, fragSz, handshake, ssl);

        /* fragOffset counts leaf bytes first (certSz + its empty extension),
         * then chain bytes. */
        if (certSz > 0 && ssl->fragOffset < certSz + OPAQUE16_LEN) {
            /* Put in the leaf certificate and empty extension. */
            word32 copySz = AddCertExt(ssl->buffers.certificate->buffer, certSz,
                                       ssl->fragOffset, fragSz, output + i);

            i += copySz;
            ssl->fragOffset += copySz;
            length -= copySz;
            fragSz -= copySz;
        }
        if (certChainSz > 0 && fragSz > 0) {
            /* Put in the CA certificates with empty extensions.
             * NOTE(review): this loop only terminates because NextCert()
             * eventually returns 0 or AddCertExt() returns a non-zero count;
             * an AddCertExt() call that writes nothing while fragSz > 0
             * would spin here. */
            while (fragSz > 0) {
                word32 l;

                if (offset == len + OPAQUE16_LEN) {
                    /* Find next CA certificate to write out. */
                    offset = 0;
                    len = NextCert(ssl->buffers.certChain->buffer,
                                   ssl->buffers.certChain->length, &idx);
                    if (len == 0)
                        break;
                }

                /* Write out certificate and empty extension. */
                l = AddCertExt(p, len, offset, fragSz, output + i);
                i += l;
                ssl->fragOffset += l;
                length -= l;
                fragSz -= l;
                offset += l;
            }
        }

        /* Defensive: i starts at RECORD_HEADER_SZ and only grows above. */
        if ((int)i - RECORD_HEADER_SZ < 0) {
            WOLFSSL_MSG("Send Cert bad inputSz");
            return BUFFER_E;
        }

        /* This message is always encrypted. */
        sendSz = BuildTls13Message(ssl, output, sendSz,
                                   output + RECORD_HEADER_SZ,
                                   i - RECORD_HEADER_SZ, handshake, 1, 0, 0);
        if (sendSz < 0)
            return sendSz;

#ifdef WOLFSSL_CALLBACKS
        if (ssl->hsInfoOn)
            AddPacketName("Certificate", &ssl->handShakeInfo);
        if (ssl->toInfoOn) {
            AddPacketInfo("Certificate", &ssl->timeoutInfo, output, sendSz,
                          ssl->heap);
        }
#endif

        ssl->buffers.outputBuffer.length += sendSz;
        if (!ssl->options.groupMessages)
            ret = SendBuffered(ssl);
    }

    /* On WANT_WRITE fragOffset is kept so the caller can resume. */
    if (ret != WANT_WRITE) {
        /* Clean up the fragment offset. */
        ssl->fragOffset = 0;
        if (ssl->options.side == WOLFSSL_SERVER_END)
            ssl->options.serverState = SERVER_CERT_COMPLETE;
    }

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    /* Pop and free the request context that was just answered.
     * NOTE(review): this runs regardless of ret, including WANT_WRITE, so a
     * resumed call would see no context and compute headerSz without it;
     * confirm the resume path accounts for that. */
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
        CertReqCtx* ctx = ssl->certReqCtx;
        ssl->certReqCtx = ssl->certReqCtx->next;
        XFREE(ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    }
#endif

    WOLFSSL_LEAVE("SendTls13Certificate", ret);

    return ret;
}
/* Working state of SendTls13CertificateVerify.  With WOLFSSL_ASYNC_CRYPT it
 * lives in ssl->async.args so a WC_PENDING_E return can be resumed; the heap
 * members are released by FreeScv13Args. */
typedef struct Scv13Args {
    byte*  output; /* not allocated */ /* start of the message in the output buffer */
#ifndef NO_RSA
    byte*  verifySig; /* heap (DYNAMIC_TYPE_SIGNATURE): copy of the RSA
                       * signature re-verified before sending */
#endif
    byte*  verify; /* not allocated */ /* start of the CertificateVerify body
                                        * within output */
    word32 idx;       /* offset of verify from output */
    word32 sigLen;    /* RSA: buffer size given to RsaSign, then the signature
                       * length it produced */
    int    sendSz;    /* bytes reserved in, then written to, the output buffer */
    word16 length;    /* value filled by DecodePrivateKey, later overwritten
                       * with the signature length placed in the message */

    byte   sigAlgo;   /* signature algorithm encoded into the message */
    byte*  sigData;   /* heap (DYNAMIC_TYPE_SIGNATURE): data to be signed */
    word16 sigDataSz; /* length of sigData (for ECC: its digest length) */
} Scv13Args;
/* Release the heap members of a Scv13Args (signature copy and signature
 * data) and clear their pointers so a repeated call is harmless.
 *
 * ssl    The SSL/TLS object; supplies the heap hint for XFREE.
 * pArgs  Pointer to the Scv13Args to clean up.
 */
static void FreeScv13Args(WOLFSSL* ssl, void* pArgs)
{
    Scv13Args* scv = (Scv13Args*)pArgs;

#ifndef NO_RSA
    if (scv->verifySig != NULL) {
        XFREE(scv->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
        scv->verifySig = NULL;
    }
#endif
    if (scv->sigData != NULL) {
        XFREE(scv->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
        scv->sigData = NULL;
    }

    (void)ssl;
}
/* Send the TLS v1.3 CertificateVerify message.
 * A hash of all the message so far is used.
 * The signed data is:
 *     0x20 * 64 | context string | 0x00 | hash of messages
 * This message is always encrypted in TLS v1.3.
 *
 * Written as a state machine over ssl->options.asyncState: with
 * WOLFSSL_ASYNC_CRYPT a WC_PENDING_E from the signing operation returns to
 * the caller (state kept in Scv13Args) and the next call resumes at the
 * pending state; otherwise the states simply fall through in order.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13CertificateVerify(WOLFSSL* ssl)
{
    int ret = 0;
    buffer* sig = &ssl->buffers.sig;
#ifdef WOLFSSL_ASYNC_CRYPT
    Scv13Args* args = (Scv13Args*)ssl->async.args;
    /* Compile-time check that the async args storage can hold Scv13Args. */
    typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
    (void)sizeof(args_test);
#else
    Scv13Args  args[1];
#endif

    WOLFSSL_ENTER("SendTls13CertificateVerify");

#ifdef WOLFSSL_ASYNC_CRYPT
    /* Resume a pending operation, if any; WC_NOT_PENDING_E means fresh start. */
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
    if (ret != WC_NOT_PENDING_E) {
        /* Check for error */
        if (ret < 0)
            goto exit_scv;
    }
    else
#endif
    {
        /* Reset state */
        ret = 0;
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
        XMEMSET(args, 0, sizeof(Scv13Args));
#ifdef WOLFSSL_ASYNC_CRYPT
        ssl->async.freeArgs = FreeScv13Args;
#endif
    }

    switch(ssl->options.asyncState)
    {
        case TLS_ASYNC_BEGIN:
        {
            /* Nothing has been allocated yet (args is zeroed), so a plain
             * return is safe here. */
            if (ssl->options.sendVerify == SEND_BLANK_CERT) {
                return 0;  /* sent blank cert, can't verify */
            }

            args->sendSz = MAX_CERT_VERIFY_SZ;
            /* Always encrypted. */
            args->sendSz += MAX_MSG_EXTRA;

            /* check for available size */
            if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) {
                goto exit_scv;
            }

            /* get output buffer */
            args->output = ssl->buffers.outputBuffer.buffer +
                           ssl->buffers.outputBuffer.length;

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_BUILD;
        } /* case TLS_ASYNC_BEGIN */
        FALL_THROUGH;

        case TLS_ASYNC_BUILD:
        {
            /* idx is used to track verify pointer offset to output */
            args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
            args->verify =
                          &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ];

            ret = DecodePrivateKey(ssl, &args->length);
            if (ret != 0)
                goto exit_scv;

            /* Add signature algorithm.  RSA keys always sign with PSS in
             * TLS v1.3.  NOTE(review): if hsType matches none of these,
             * sigAlgo stays 0 from the XMEMSET above; presumably
             * DecodePrivateKey already rejected such keys - confirm. */
            if (ssl->hsType == DYNAMIC_TYPE_RSA)
                args->sigAlgo = rsa_pss_sa_algo;
            else if (ssl->hsType == DYNAMIC_TYPE_ECC)
                args->sigAlgo = ecc_dsa_sa_algo;
        #ifdef HAVE_ED25519
            else if (ssl->hsType == DYNAMIC_TYPE_ED25519)
                args->sigAlgo = ed25519_sa_algo;
        #endif
            EncodeSigAlg(ssl->suites->hashAlgo, args->sigAlgo, args->verify);

            /* Create the data to be signed. */
            args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
                                                    DYNAMIC_TYPE_SIGNATURE);
            if (args->sigData == NULL) {
                ERROR_OUT(MEMORY_E, exit_scv);
            }

            /* Last argument 0: signing side (verification passes 1). */
            ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 0);
            if (ret != 0)
                goto exit_scv;

        #ifndef NO_RSA
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {
                /* build encoded signature buffer */
                sig->length = MAX_ENCODED_SIG_SZ;
                sig->buffer = (byte*)XMALLOC(sig->length, ssl->heap,
                                                    DYNAMIC_TYPE_SIGNATURE);
                if (sig->buffer == NULL) {
                    ERROR_OUT(MEMORY_E, exit_scv);
                }

                /* sig->buffer receives the PSS-encoded digest of sigData;
                 * the return value is its length. */
                ret = CreateRSAEncodedSig(sig->buffer, args->sigData,
                    args->sigDataSz, args->sigAlgo, ssl->suites->hashAlgo);
                if (ret < 0)
                    goto exit_scv;
                sig->length = ret;
                ret = 0;

                /* Maximum size of RSA Signature. */
                args->sigLen = args->length;
            }
        #endif /* !NO_RSA */
        #ifdef HAVE_ECC
            if (ssl->hsType == DYNAMIC_TYPE_ECC) {
                /* Space left in the output buffer for the signature after
                 * the algorithm and length fields. */
                sig->length = args->sendSz - args->idx - HASH_SIG_SIZE -
                              VERIFY_HEADER;
                /* Replaces sigData with its digest in place. */
                ret = CreateECCEncodedSig(args->sigData,
                    args->sigDataSz, ssl->suites->hashAlgo);
                if (ret < 0)
                    goto exit_scv;
                args->sigDataSz = ret;
                ret = 0;
            }
        #endif /* HAVE_ECC */
        #ifdef HAVE_ED25519
            if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
                /* Nothing to do */
                sig->length = ED25519_SIG_SIZE;
            }
        #endif /* HAVE_ED25519 */

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_DO;
        } /* case TLS_ASYNC_BUILD */
        FALL_THROUGH;

        case TLS_ASYNC_DO:
        {
            /* Sign directly into the message, after the algorithm and
             * length fields; the length field is filled in below. */
        #ifdef HAVE_ECC
            if (ssl->hsType == DYNAMIC_TYPE_ECC) {
                ret = EccSign(ssl, args->sigData, args->sigDataSz,
                    args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
                    &sig->length, (ecc_key*)ssl->hsKey,
            #if defined(HAVE_PK_CALLBACKS)
                    ssl->buffers.key->buffer, ssl->buffers.key->length,
                    ssl->EccSignCtx
            #else
                    NULL, 0, NULL
            #endif
                );
                args->length = sig->length;
            }
        #endif /* HAVE_ECC */
        #ifdef HAVE_ED25519
            if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
                ret = Ed25519Sign(ssl, args->sigData, args->sigDataSz,
                    args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
                    &sig->length, (ed25519_key*)ssl->hsKey,
            #if defined(HAVE_PK_CALLBACKS)
                    ssl->buffers.key->buffer, ssl->buffers.key->length,
                    ssl->Ed25519SignCtx
            #else
                    NULL, 0, NULL
            #endif
                );
                args->length = sig->length;
            }
        #endif
        #ifndef NO_RSA
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {

                ret = RsaSign(ssl, sig->buffer, sig->length,
                    args->verify + HASH_SIG_SIZE + VERIFY_HEADER, &args->sigLen,
                    args->sigAlgo, ssl->suites->hashAlgo,
                    (RsaKey*)ssl->hsKey,
                    ssl->buffers.key->buffer, ssl->buffers.key->length,
            #ifdef HAVE_PK_CALLBACKS
                    ssl->RsaSignCtx
            #else
                    NULL
            #endif
                );
                args->length = args->sigLen;
            }
        #endif /* !NO_RSA */

            /* Check for error */
            if (ret != 0) {
                goto exit_scv;
            }

            /* Add signature length. */
            c16toa(args->length, args->verify + HASH_SIG_SIZE);

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_VERIFY;
        } /* case TLS_ASYNC_DO */
        FALL_THROUGH;

        case TLS_ASYNC_VERIFY:
        {
        #ifndef NO_RSA
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {
                /* Work on a heap copy of the signature; the copy survives a
                 * WC_PENDING_E return, which is why it is only made once. */
                if (args->verifySig == NULL) {
                    args->verifySig = (byte*)XMALLOC(args->sigLen, ssl->heap,
                                                    DYNAMIC_TYPE_SIGNATURE);
                    if (args->verifySig == NULL) {
                        ERROR_OUT(MEMORY_E, exit_scv);
                    }
                    XMEMCPY(args->verifySig,
                        args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
                        args->sigLen);
                }

                /* check for signature faults: the freshly made RSA signature
                 * is verified against the encoded digest before it leaves
                 * the host, so a faulty signature is never sent (presumably
                 * to deny a fault-based key recovery; the check itself is
                 * all the code shows). */
                ret = VerifyRsaSign(ssl, args->verifySig, args->sigLen,
                    sig->buffer, sig->length, args->sigAlgo,
                    ssl->suites->hashAlgo, (RsaKey*)ssl->hsKey);
            }
        #endif /* !NO_RSA */

            /* Check for error */
            if (ret != 0) {
                goto exit_scv;
            }

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_FINALIZE;
        } /* case TLS_ASYNC_VERIFY */
        FALL_THROUGH;

        case TLS_ASYNC_FINALIZE:
        {
            /* Put the record and handshake headers on. */
            AddTls13Headers(args->output, args->length + HASH_SIG_SIZE +
                            VERIFY_HEADER, certificate_verify, ssl);

            args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ +
                           args->length + HASH_SIG_SIZE + VERIFY_HEADER;

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_END;
        } /* case TLS_ASYNC_FINALIZE */
        FALL_THROUGH;

        case TLS_ASYNC_END:
        {
            /* This message is always encrypted. */
            ret = BuildTls13Message(ssl, args->output,
                                    MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA,
                                    args->output + RECORD_HEADER_SZ,
                                    args->sendSz - RECORD_HEADER_SZ, handshake,
                                    1, 0, 0);

            if (ret < 0) {
                goto exit_scv;
            }
            else {
                args->sendSz = ret;
                ret = 0;
            }

        #ifdef WOLFSSL_CALLBACKS
            if (ssl->hsInfoOn)
                AddPacketName("CertificateVerify", &ssl->handShakeInfo);
            if (ssl->toInfoOn) {
                AddPacketInfo("CertificateVerify", &ssl->timeoutInfo,
                              args->output, args->sendSz, ssl->heap);
            }
        #endif

            ssl->buffers.outputBuffer.length += args->sendSz;

            if (!ssl->options.groupMessages)
                ret = SendBuffered(ssl);
            break;
        }
        default:
            ret = INPUT_CASE_ERROR;
    } /* switch(ssl->options.asyncState) */

exit_scv:

    WOLFSSL_LEAVE("SendTls13CertificateVerify", ret);

#ifdef WOLFSSL_ASYNC_CRYPT
    /* Handle async operation: keep args alive for the resumed call. */
    if (ret == WC_PENDING_E) {
        return ret;
    }
#endif /* WOLFSSL_ASYNC_CRYPT */

    /* Final cleanup */
    FreeScv13Args(ssl, args);
    FreeKeyExchange(ssl);

    return ret;
}
/* Parse and handle a TLS v1.3 Certificate message.
 *
 * The certificate list itself is processed by ProcessPeerCerts.  When a
 * server receives a client Certificate after the handshake completed
 * (post-handshake authentication), the server's state is rewound so the
 * CertificateVerify and Finished that follow are handled as during the
 * handshake.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of Certificate.
 *           On exit, the index of byte after the Certificate message.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                              word32 totalSz)
{
    int ret;

    WOLFSSL_ENTER("DoTls13Certificate");

    ret = ProcessPeerCerts(ssl, input, inOutIdx, totalSz);

#if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
    if (ret == 0) {
        int postHandshake = ssl->options.side == WOLFSSL_SERVER_END &&
                            ssl->options.handShakeState == HANDSHAKE_DONE;

        if (postHandshake) {
            /* reset handshake states */
            ssl->options.serverState = SERVER_FINISHED_COMPLETE;
            ssl->options.acceptState = TICKET_SENT;
            ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
        }
    }
#endif

    WOLFSSL_LEAVE("DoTls13Certificate", ret);

    return ret;
}
4768 | #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519)
/* Working state of DoTls13CertificateVerify.  With WOLFSSL_ASYNC_CRYPT it
 * lives in ssl->async.args so a pending verify can be resumed; the heap
 * member is released by FreeDcv13Args. */
typedef struct Dcv13Args {
    byte*  output; /* not allocated */ /* RSA: decrypted signature as returned
                                        * by RsaVerify */
    word32 sendSz;    /* RSA: length of output (RsaVerify's return value) */
    word16 sz;        /* signature length read from the message */
    word32 sigSz;     /* not used in the parsing stages visible here */
    word32 idx;       /* current parse position in the input buffer */
    word32 begin;     /* index where the message started; bounds checks use
                       * idx - begin against totalSz */
    byte   hashAlgo;  /* decoded from the message; defaults to sha_mac */
    byte   sigAlgo;   /* decoded from the message; defaults to anonymous_sa_algo */

    byte*  sigData;   /* heap (DYNAMIC_TYPE_SIGNATURE): data the peer signed,
                       * rebuilt locally for verification */
    word16 sigDataSz; /* length of sigData (for ECC: its digest length) */
} Dcv13Args;
/* Release the heap member of a Dcv13Args (the signature data buffer) and
 * clear its pointer so a repeated call is harmless.
 *
 * ssl    The SSL/TLS object; supplies the heap hint for XFREE.
 * pArgs  Pointer to the Dcv13Args to clean up.
 */
static void FreeDcv13Args(WOLFSSL* ssl, void* pArgs)
{
    Dcv13Args* dcv = (Dcv13Args*)pArgs;

    (void)ssl;

    if (dcv->sigData == NULL)
        return;

    XFREE(dcv->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
    dcv->sigData = NULL;
}
4796 | /* Parse and handle a TLS v1.3 CertificateVerify message.
|
---|
4797 | *
|
---|
4798 | * ssl The SSL/TLS object.
|
---|
4799 | * input The message buffer.
|
---|
4800 | * inOutIdx On entry, the index into the message buffer of
|
---|
4801 | * CertificateVerify.
|
---|
4802 | * On exit, the index of byte after the CertificateVerify message.
|
---|
4803 | * totalSz The length of the current handshake message.
|
---|
4804 | * returns 0 on success and otherwise failure.
|
---|
4805 | */
|
---|
4806 | static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
|
---|
4807 | word32* inOutIdx, word32 totalSz)
|
---|
4808 | {
|
---|
4809 | int ret = 0;
|
---|
4810 | buffer* sig = &ssl->buffers.sig;
|
---|
4811 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
4812 | Dcv13Args* args = (Dcv13Args*)ssl->async.args;
|
---|
4813 | typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
|
---|
4814 | (void)sizeof(args_test);
|
---|
4815 | #else
|
---|
4816 | Dcv13Args args[1];
|
---|
4817 | #endif
|
---|
4818 |
|
---|
4819 | WOLFSSL_ENTER("DoTls13CertificateVerify");
|
---|
4820 |
|
---|
4821 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
4822 | ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
|
---|
4823 | if (ret != WC_NOT_PENDING_E) {
|
---|
4824 | /* Check for error */
|
---|
4825 | if (ret < 0)
|
---|
4826 | goto exit_dcv;
|
---|
4827 | }
|
---|
4828 | else
|
---|
4829 | #endif
|
---|
4830 | {
|
---|
4831 | /* Reset state */
|
---|
4832 | ret = 0;
|
---|
4833 | ssl->options.asyncState = TLS_ASYNC_BEGIN;
|
---|
4834 | XMEMSET(args, 0, sizeof(Dcv13Args));
|
---|
4835 | args->hashAlgo = sha_mac;
|
---|
4836 | args->sigAlgo = anonymous_sa_algo;
|
---|
4837 | args->idx = *inOutIdx;
|
---|
4838 | args->begin = *inOutIdx;
|
---|
4839 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
4840 | ssl->async.freeArgs = FreeDcv13Args;
|
---|
4841 | #endif
|
---|
4842 | }
|
---|
4843 |
|
---|
4844 | switch(ssl->options.asyncState)
|
---|
4845 | {
|
---|
4846 | case TLS_ASYNC_BEGIN:
|
---|
4847 | {
|
---|
4848 | #ifdef WOLFSSL_CALLBACKS
|
---|
4849 | if (ssl->hsInfoOn) AddPacketName("CertificateVerify",
|
---|
4850 | &ssl->handShakeInfo);
|
---|
4851 | if (ssl->toInfoOn) AddLateName("CertificateVerify",
|
---|
4852 | &ssl->timeoutInfo);
|
---|
4853 | #endif
|
---|
4854 |
|
---|
4855 | /* Advance state and proceed */
|
---|
4856 | ssl->options.asyncState = TLS_ASYNC_BUILD;
|
---|
4857 | } /* case TLS_ASYNC_BEGIN */
|
---|
4858 | FALL_THROUGH;
|
---|
4859 |
|
---|
4860 | case TLS_ASYNC_BUILD:
|
---|
4861 | {
|
---|
4862 | /* Signature algorithm. */
|
---|
4863 | if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > totalSz) {
|
---|
4864 | ERROR_OUT(BUFFER_ERROR, exit_dcv);
|
---|
4865 | }
|
---|
4866 | DecodeSigAlg(input + args->idx, &args->hashAlgo, &args->sigAlgo);
|
---|
4867 | args->idx += OPAQUE16_LEN;
|
---|
4868 |
|
---|
4869 | /* Signature length. */
|
---|
4870 | if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) {
|
---|
4871 | ERROR_OUT(BUFFER_ERROR, exit_dcv);
|
---|
4872 | }
|
---|
4873 | ato16(input + args->idx, &args->sz);
|
---|
4874 | args->idx += OPAQUE16_LEN;
|
---|
4875 |
|
---|
4876 | /* Signature data. */
|
---|
4877 | if ((args->idx - args->begin) + args->sz > totalSz ||
|
---|
4878 | args->sz > ENCRYPT_LEN) {
|
---|
4879 | ERROR_OUT(BUFFER_ERROR, exit_dcv);
|
---|
4880 | }
|
---|
4881 |
|
---|
4882 | /* Check for public key of required type. */
|
---|
4883 | #ifdef HAVE_ED25519
|
---|
4884 | if (args->sigAlgo == ed25519_sa_algo &&
|
---|
4885 | !ssl->peerEd25519KeyPresent) {
|
---|
4886 | WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
|
---|
4887 | }
|
---|
4888 | #endif
|
---|
4889 | #ifdef HAVE_ECC
|
---|
4890 | if (args->sigAlgo == ecc_dsa_sa_algo &&
|
---|
4891 | !ssl->peerEccDsaKeyPresent) {
|
---|
4892 | WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
|
---|
4893 | }
|
---|
4894 | #endif
|
---|
4895 | #ifndef NO_RSA
|
---|
4896 | if ((args->sigAlgo == rsa_sa_algo ||
|
---|
4897 | args->sigAlgo == rsa_pss_sa_algo) &&
|
---|
4898 | (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
|
---|
4899 | WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
|
---|
4900 | }
|
---|
4901 | #endif
|
---|
4902 |
|
---|
4903 | sig->buffer = (byte*)XMALLOC(args->sz, ssl->heap,
|
---|
4904 | DYNAMIC_TYPE_SIGNATURE);
|
---|
4905 | if (sig->buffer == NULL) {
|
---|
4906 | ERROR_OUT(MEMORY_E, exit_dcv);
|
---|
4907 | }
|
---|
4908 | sig->length = args->sz;
|
---|
4909 | XMEMCPY(sig->buffer, input + args->idx, args->sz);
|
---|
4910 |
|
---|
4911 | #ifdef HAVE_ECC
|
---|
4912 | if (ssl->peerEccDsaKeyPresent) {
|
---|
4913 | WOLFSSL_MSG("Doing ECC peer cert verify");
|
---|
4914 |
|
---|
4915 | args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
|
---|
4916 | DYNAMIC_TYPE_SIGNATURE);
|
---|
4917 | if (args->sigData == NULL) {
|
---|
4918 | ERROR_OUT(MEMORY_E, exit_dcv);
|
---|
4919 | }
|
---|
4920 |
|
---|
4921 | ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
|
---|
4922 | if (ret != 0)
|
---|
4923 | goto exit_dcv;
|
---|
4924 | ret = CreateECCEncodedSig(args->sigData,
|
---|
4925 | args->sigDataSz, args->hashAlgo);
|
---|
4926 | if (ret < 0)
|
---|
4927 | goto exit_dcv;
|
---|
4928 | args->sigDataSz = ret;
|
---|
4929 | ret = 0;
|
---|
4930 | }
|
---|
4931 | #endif
|
---|
4932 | #ifdef HAVE_ED25519
|
---|
4933 | if (ssl->peerEd25519KeyPresent) {
|
---|
4934 | WOLFSSL_MSG("Doing ED25519 peer cert verify");
|
---|
4935 |
|
---|
4936 | args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
|
---|
4937 | DYNAMIC_TYPE_SIGNATURE);
|
---|
4938 | if (args->sigData == NULL) {
|
---|
4939 | ERROR_OUT(MEMORY_E, exit_dcv);
|
---|
4940 | }
|
---|
4941 |
|
---|
4942 | CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
|
---|
4943 | ret = 0;
|
---|
4944 | }
|
---|
4945 | #endif
|
---|
4946 |
|
---|
4947 | /* Advance state and proceed */
|
---|
4948 | ssl->options.asyncState = TLS_ASYNC_DO;
|
---|
4949 | } /* case TLS_ASYNC_BUILD */
|
---|
4950 | FALL_THROUGH;
|
---|
4951 |
|
---|
4952 | case TLS_ASYNC_DO:
|
---|
4953 | {
|
---|
4954 | #ifndef NO_RSA
|
---|
4955 | if (args->sigAlgo == rsa_sa_algo ||
|
---|
4956 | args->sigAlgo == rsa_pss_sa_algo) {
|
---|
4957 | WOLFSSL_MSG("Doing RSA peer cert verify");
|
---|
4958 |
|
---|
4959 | ret = RsaVerify(ssl, sig->buffer, sig->length, &args->output,
|
---|
4960 | args->sigAlgo, args->hashAlgo, ssl->peerRsaKey,
|
---|
4961 | #ifdef HAVE_PK_CALLBACKS
|
---|
4962 | ssl->buffers.peerRsaKey.buffer,
|
---|
4963 | ssl->buffers.peerRsaKey.length,
|
---|
4964 | ssl->RsaVerifyCtx
|
---|
4965 | #else
|
---|
4966 | NULL, 0, NULL
|
---|
4967 | #endif
|
---|
4968 | );
|
---|
4969 | if (ret >= 0) {
|
---|
4970 | args->sendSz = ret;
|
---|
4971 | ret = 0;
|
---|
4972 | }
|
---|
4973 | }
|
---|
4974 | #endif /* !NO_RSA */
|
---|
4975 | #ifdef HAVE_ECC
|
---|
4976 | if (ssl->peerEccDsaKeyPresent) {
|
---|
4977 | WOLFSSL_MSG("Doing ECC peer cert verify");
|
---|
4978 |
|
---|
4979 | ret = EccVerify(ssl, input + args->idx, args->sz,
|
---|
4980 | args->sigData, args->sigDataSz,
|
---|
4981 | ssl->peerEccDsaKey,
|
---|
4982 | #ifdef HAVE_PK_CALLBACKS
|
---|
4983 | ssl->buffers.peerEccDsaKey.buffer,
|
---|
4984 | ssl->buffers.peerEccDsaKey.length,
|
---|
4985 | ssl->EccVerifyCtx
|
---|
4986 | #else
|
---|
4987 | NULL, 0, NULL
|
---|
4988 | #endif
|
---|
4989 | );
|
---|
4990 | }
|
---|
4991 | #endif /* HAVE_ECC */
|
---|
4992 | #ifdef HAVE_ED25519
|
---|
4993 | if (ssl->peerEd25519KeyPresent) {
|
---|
4994 | WOLFSSL_MSG("Doing ED25519 peer cert verify");
|
---|
4995 |
|
---|
4996 | ret = Ed25519Verify(ssl, input + args->idx, args->sz,
|
---|
4997 | args->sigData, args->sigDataSz,
|
---|
4998 | ssl->peerEd25519Key,
|
---|
4999 | #ifdef HAVE_PK_CALLBACKS
|
---|
5000 | ssl->buffers.peerEd25519Key.buffer,
|
---|
5001 | ssl->buffers.peerEd25519Key.length,
|
---|
5002 | ssl->Ed25519VerifyCtx
|
---|
5003 | #else
|
---|
5004 | NULL, 0, NULL
|
---|
5005 | #endif
|
---|
5006 | );
|
---|
5007 | }
|
---|
5008 | #endif
|
---|
5009 |
|
---|
5010 | /* Check for error */
|
---|
5011 | if (ret != 0) {
|
---|
5012 | goto exit_dcv;
|
---|
5013 | }
|
---|
5014 |
|
---|
5015 | /* Advance state and proceed */
|
---|
5016 | ssl->options.asyncState = TLS_ASYNC_VERIFY;
|
---|
5017 | } /* case TLS_ASYNC_DO */
|
---|
5018 | FALL_THROUGH;
|
---|
5019 |
|
---|
5020 | case TLS_ASYNC_VERIFY:
|
---|
5021 | {
|
---|
5022 | #ifndef NO_RSA
|
---|
5023 | if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
|
---|
5024 | ret = CheckRSASignature(ssl, args->sigAlgo, args->hashAlgo,
|
---|
5025 | args->output, args->sendSz);
|
---|
5026 | if (ret != 0)
|
---|
5027 | goto exit_dcv;
|
---|
5028 | }
|
---|
5029 | #endif /* !NO_RSA */
|
---|
5030 |
|
---|
5031 | /* Advance state and proceed */
|
---|
5032 | ssl->options.asyncState = TLS_ASYNC_FINALIZE;
|
---|
5033 | } /* case TLS_ASYNC_VERIFY */
|
---|
5034 | FALL_THROUGH;
|
---|
5035 |
|
---|
5036 | case TLS_ASYNC_FINALIZE:
|
---|
5037 | {
|
---|
5038 | ssl->options.havePeerVerify = 1;
|
---|
5039 |
|
---|
5040 | /* Set final index */
|
---|
5041 | args->idx += args->sz;
|
---|
5042 | *inOutIdx = args->idx;
|
---|
5043 |
|
---|
5044 | /* Encryption is always on: add padding */
|
---|
5045 | *inOutIdx += ssl->keys.padSz;
|
---|
5046 |
|
---|
5047 | /* Advance state and proceed */
|
---|
5048 | ssl->options.asyncState = TLS_ASYNC_END;
|
---|
5049 | } /* case TLS_ASYNC_FINALIZE */
|
---|
5050 |
|
---|
5051 | case TLS_ASYNC_END:
|
---|
5052 | {
|
---|
5053 | break;
|
---|
5054 | }
|
---|
5055 | default:
|
---|
5056 | ret = INPUT_CASE_ERROR;
|
---|
5057 | } /* switch(ssl->options.asyncState) */
|
---|
5058 |
|
---|
5059 | exit_dcv:
|
---|
5060 |
|
---|
5061 | WOLFSSL_LEAVE("DoTls13CertificateVerify", ret);
|
---|
5062 |
|
---|
5063 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
5064 | /* Handle async operation */
|
---|
5065 | if (ret == WC_PENDING_E) {
|
---|
5066 | /* Mark message as not recevied so it can process again */
|
---|
5067 | ssl->msgsReceived.got_certificate_verify = 0;
|
---|
5068 |
|
---|
5069 | return ret;
|
---|
5070 | }
|
---|
5071 | #endif /* WOLFSSL_ASYNC_CRYPT */
|
---|
5072 |
|
---|
5073 | /* Final cleanup */
|
---|
5074 | FreeDcv13Args(ssl, args);
|
---|
5075 | FreeKeyExchange(ssl);
|
---|
5076 |
|
---|
5077 | return ret;
|
---|
5078 | }
|
---|
5079 | #endif /* !NO_RSA || HAVE_ECC */
|
---|
5080 |
|
---|
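/* Compare two buffers of the same length in constant time.
 *
 * Used for verify_data / MAC checks so that the time taken does not depend on
 * the position of the first differing byte.
 *
 * a First buffer.
 * b Second buffer.
 * len Number of bytes to compare.
 * returns 0 when the buffers are equal, non-zero otherwise.
 */
static int Tls13ConstantCompare(const byte* a, const byte* b, word32 len)
{
    byte   diff = 0;
    word32 i;

    for (i = 0; i < len; i++)
        diff |= (byte)(a[i] ^ b[i]);

    return diff != 0;
}

/* Parse and handle a TLS v1.3 Finished message.
 *
 * The expected verify_data is rebuilt from the transcript hash with the peer's
 * finished secret and compared (in constant time) with the received bytes.
 * On the server the client's application traffic decryption keys are then
 * installed.
 *
 * ssl The SSL/TLS object.
 * input The message buffer.
 * inOutIdx On entry, the index into the message buffer of Finished.
 * On exit, the index of byte after the Finished message and padding.
 * size Length of message data.
 * totalSz Length of remaining data in the message buffer.
 * sniff Indicates whether we are sniffing packets (no verification then).
 * returns 0 on success and otherwise failure.
 */
static int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                           word32 size, word32 totalSz, int sniff)
{
    int    ret;
    word32 finishedSz = 0;
    byte*  secret;
    byte   mac[MAX_DIGEST_SIZE];

    WOLFSSL_ENTER("DoTls13Finished");

    /* Message body plus the record padding must fit in the input buffer. */
    if (*inOutIdx + size + ssl->keys.padSz > totalSz)
        return BUFFER_E;

    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        /* All the handshake messages have been received to calculate
         * client and server finished keys.
         */
        ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret,
                                   ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            return ret;

        ret = DeriveFinishedSecret(ssl, ssl->arrays->serverSecret,
                                   ssl->keys.server_write_MAC_secret);
        if (ret != 0)
            return ret;

        /* Client is verifying the server's Finished. */
        secret = ssl->keys.server_write_MAC_secret;
    }
    else {
        /* Server is verifying the client's Finished. */
        secret = ssl->keys.client_write_MAC_secret;
    }

    /* Expected verify_data for this transcript. */
    ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz);
    if (ret != 0)
        return ret;
    /* Length must match before the compare below reads size bytes of input. */
    if (size != finishedSz)
        return BUFFER_ERROR;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName("Finished", &ssl->handShakeInfo);
    if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo);
#endif

    if (sniff == NO_SNIFF) {
        /* Actually check verify data. A byte-wise early-exit compare would
         * leak where the mismatch is through timing, so compare in constant
         * time.
         * NOTE(review): no alert is sent on mismatch here - confirm the caller
         * fails the connection on VERIFY_FINISHED_ERROR. */
        if (Tls13ConstantCompare(input + *inOutIdx, mac, size) != 0) {
            WOLFSSL_MSG("Verify finished error on hashes");
            return VERIFY_FINISHED_ERROR;
        }
    }

    /* Force input exhaustion at ProcessReply by consuming padSz. */
    *inOutIdx += size + ssl->keys.padSz;

    if (ssl->options.side == WOLFSSL_SERVER_END &&
                                               !ssl->options.handShakeDone) {
#ifdef WOLFSSL_EARLY_DATA
        if (ssl->earlyData) {
            if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY, 1)) != 0)
                return ret;
        }
#endif
        /* Setup keys for application data messages from client. */
        if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
            return ret;
    }

#ifndef NO_WOLFSSL_CLIENT
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
#endif
#ifndef NO_WOLFSSL_SERVER
    if (ssl->options.side == WOLFSSL_SERVER_END) {
        /* Client's Finished is the last message of the handshake. */
        ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
        ssl->options.handShakeState = HANDSHAKE_DONE;
        ssl->options.handShakeDone = 1;
    }
#endif

    WOLFSSL_LEAVE("DoTls13Finished", 0);

    return 0;
}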
|
---|
5176 | #endif /* NO_CERTS */
|
---|
5177 |
|
---|
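/* Send the TLS v1.3 Finished message.
 *
 * Builds verify_data (HMAC over the transcript hash with this side's finished
 * secret), encrypts and sends the handshake message, then installs the keys
 * for the traffic that follows the Finished message on this side.
 *
 * ssl The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13Finished(WOLFSSL* ssl)
{
    int   sendSz;
    int   finishedSz = ssl->specs.hash_size;
    byte* input;
    byte* output;
    int   ret;
    int   headerSz = HANDSHAKE_HEADER_SZ;
    int   outputSz;
    byte* secret;

    WOLFSSL_ENTER("SendTls13Finished");

    /* Largest digest, the (larger, DTLS) handshake header and the record
     * overhead bound the space needed. */
    outputSz = MAX_DIGEST_SIZE + DTLS_HANDSHAKE_HEADER_SZ + MAX_MSG_EXTRA;
    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
        return ret;

    /* New message goes after anything already queued in the output buffer. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;
    input = output + RECORD_HEADER_SZ;

    AddTls13HandShakeHeader(input, finishedSz, 0, finishedSz, finished, ssl);

    /* Select the finished secret for this side. */
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        /* Both finished secrets were derived when the server's Finished was
         * processed. */
        secret = ssl->keys.client_write_MAC_secret;
    }
    else {
        /* All the handshake messages have been done to calculate client and
         * server finished keys.
         */
        ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret,
                                   ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            return ret;

        ret = DeriveFinishedSecret(ssl, ssl->arrays->serverSecret,
                                   ssl->keys.server_write_MAC_secret);
        if (ret != 0)
            return ret;

        secret = ssl->keys.server_write_MAC_secret;
    }
    /* verify_data is written straight after the handshake header. */
    ret = BuildTls13HandshakeHmac(ssl, secret, &input[headerSz], NULL);
    if (ret != 0)
        return ret;

    /* This message is always encrypted. */
    sendSz = BuildTls13Message(ssl, output, outputSz, input,
                               headerSz + finishedSz, handshake, 1, 0, 0);
    if (sendSz < 0)
        return BUILD_MSG_ERROR;

    if (!ssl->options.resuming) {
#ifndef NO_SESSION_CACHE
        AddSession(ssl);    /* just try */
#endif
    }

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName("Finished", &ssl->handShakeInfo);
    if (ssl->toInfoOn) {
        AddPacketInfo("Finished", &ssl->timeoutInfo, output, sendSz,
                      ssl->heap);
    }
#endif

    ssl->buffers.outputBuffer.length += sendSz;

    if ((ret = SendBuffered(ssl)) != 0)
        return ret;

    if (ssl->options.side == WOLFSSL_SERVER_END) {
        /* Server's Finished ends its flight: derive the master secret and the
         * application traffic keys. */
        if ((ret = DeriveMasterSecret(ssl)) != 0)
            return ret;
#ifdef WOLFSSL_EARLY_DATA
        if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_SIDE_ONLY, 1))
                                                                        != 0) {
            return ret;
        }
        /* Last argument is !earlyData - presumably whether the decrypt keys
         * are installed immediately; confirm against DeriveTls13Keys. */
        if ((ret = DeriveTls13Keys(ssl, traffic_key, DECRYPT_SIDE_ONLY,
                                                      !ssl->earlyData)) != 0) {
            return ret;
        }
#else
        if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_AND_DECRYPT_SIDE,
                                                                    1)) != 0) {
            return ret;
        }
#endif
        /* Can send application data now. */
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
            return ret;
    }

    if (ssl->options.side == WOLFSSL_CLIENT_END &&
                                               !ssl->options.handShakeDone) {
#ifdef WOLFSSL_EARLY_DATA
        if (ssl->earlyData) {
            if ((ret = DeriveTls13Keys(ssl, no_key, ENCRYPT_AND_DECRYPT_SIDE,
                                                                    1)) != 0) {
                return ret;
            }
        }
#endif
        /* Setup keys for application data messages. */
        if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
            return ret;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
        /* Fail here, before the handshake is marked complete below: a
         * connection whose resumption secret could not be derived must not be
         * reported as done. */
        if ((ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret)) != 0)
            return ret;
#endif
    }

    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        /* Client's Finished is the last handshake message whether or not the
         * session is being resumed. */
        ssl->options.handShakeState = HANDSHAKE_DONE;
        ssl->options.handShakeDone = 1;
    }

    WOLFSSL_LEAVE("SendTls13Finished", ret);

    return ret;
}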
|
---|
5317 |
|
---|
/* Send the TLS v1.3 KeyUpdate message.
 *
 * The single body byte tells the peer whether a KeyUpdate is wanted in
 * return. Once the message is queued the encryption keys are rolled forward
 * so that later traffic from this side uses the new keys.
 *
 * ssl The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13KeyUpdate(WOLFSSL* ssl)
{
    int    ret;
    int    sendSz;
    int    outputSz = OPAQUE8_LEN + MAX_MSG_EXTRA;
    byte*  output;
    byte*  input;
    word32 bodyIdx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;

    WOLFSSL_ENTER("SendTls13KeyUpdate");

    /* Check buffers are big enough and grow if needed. */
    ret = CheckAvailableSize(ssl, outputSz);
    if (ret != 0)
        return ret;

    /* New message is written after whatever is already queued. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;
    input = output + RECORD_HEADER_SZ;

    AddTls13Headers(output, OPAQUE8_LEN, key_update, ssl);

    /* Ask for a KeyUpdate in return only when we are not already waiting on
     * one and this message is not itself the answer to the peer's request. */
    output[bodyIdx] = (byte)(!ssl->keys.updateResponseReq &&
                             !ssl->keys.keyUpdateRespond);
    ssl->keys.updateResponseReq = output[bodyIdx];
    /* Whatever the peer asked for has now been answered. */
    ssl->keys.keyUpdateRespond = 0;

    /* This message is always encrypted. */
    sendSz = BuildTls13Message(ssl, output, outputSz, input,
                               HANDSHAKE_HEADER_SZ + OPAQUE8_LEN, handshake,
                               0, 0, 0);
    if (sendSz < 0)
        return BUILD_MSG_ERROR;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName("KeyUpdate", &ssl->handShakeInfo);
    if (ssl->toInfoOn) {
        AddPacketInfo("KeyUpdate", &ssl->timeoutInfo, output, sendSz,
                      ssl->heap);
    }
#endif

    ssl->buffers.outputBuffer.length += sendSz;

    /* WANT_WRITE leaves the message queued but still rolls the keys below.
     * NOTE(review): that WANT_WRITE is not reported to the caller - confirm
     * the caller re-drives SendBuffered. */
    ret = SendBuffered(ssl);
    if (ret != 0 && ret != WANT_WRITE)
        return ret;

    /* Future traffic uses new encryption keys. */
    ret = DeriveTls13Keys(ssl, update_traffic_key, ENCRYPT_SIDE_ONLY, 1);
    if (ret != 0)
        return ret;
    ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
    if (ret != 0)
        return ret;

    WOLFSSL_LEAVE("SendTls13KeyUpdate", ret);

    return ret;
}
|
---|
5388 |
|
---|
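/* Parse and handle a TLS v1.3 KeyUpdate message.
 *
 * Rolls the decryption keys forward and, when the peer requested it, sends a
 * KeyUpdate back.
 *
 * ssl The SSL/TLS object.
 * input The message buffer.
 * inOutIdx On entry, the index into the message buffer of the KeyUpdate body.
 * On exit, the index of the byte after the KeyUpdate message and padding.
 * totalSz The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13KeyUpdate(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                            word32 totalSz)
{
    int ret;

    WOLFSSL_ENTER("DoTls13KeyUpdate");

    /* Body is exactly one byte; reject anything else before reading input. */
    if (OPAQUE8_LEN != totalSz)
        return BUFFER_E;

    switch (input[*inOutIdx]) {
        case update_not_requested:
            /* This message is in response to any outstanding request. */
            ssl->keys.keyUpdateRespond = 0;
            ssl->keys.updateResponseReq = 0;
            break;
        case update_requested:
            /* New key update requiring a response. */
            ssl->keys.keyUpdateRespond = 1;
            break;
        default:
            /* Unknown request type. */
            return INVALID_PARAMETER;
    }

    /* Move index to byte after message. */
    *inOutIdx += totalSz;
    /* Always encrypted. */
    *inOutIdx += ssl->keys.padSz;

    /* Future traffic uses new decryption keys. */
    ret = DeriveTls13Keys(ssl, update_traffic_key, DECRYPT_SIDE_ONLY, 1);
    if (ret != 0)
        return ret;
    ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);
    if (ret != 0)
        return ret;

    /* Peer asked for a KeyUpdate in return: send it now. */
    if (ssl->keys.keyUpdateRespond)
        ret = SendTls13KeyUpdate(ssl);

    WOLFSSL_LEAVE("DoTls13KeyUpdate", ret);

    return ret;
}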
|
---|
5445 |
|
---|
5446 | #ifdef WOLFSSL_EARLY_DATA
|
---|
5447 | #ifndef NO_WOLFSSL_CLIENT
|
---|
/* Send the TLS v1.3 EndOfEarlyData message to indicate that there will be no
 * more early application data.
 * The encryption key now changes to the pre-calculated handshake key.
 *
 * ssl The SSL/TLS object.
 * returns 0 on success and otherwise failure.
 */
static int SendTls13EndOfEarlyData(WOLFSSL* ssl)
{
    int    ret;
    int    sendSz;
    byte*  output;
    /* EndOfEarlyData has no body: record and handshake headers only. */
    word32 bodyLen = 0;
    word32 msgSz   = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + bodyLen;

    WOLFSSL_ENTER("SendTls13EndOfEarlyData");

    sendSz = msgSz + MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    ret = CheckAvailableSize(ssl, sendSz);
    if (ret != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, bodyLen, end_of_early_data, ssl);

    /* This message is always encrypted. */
    sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
                               msgSz - RECORD_HEADER_SZ, handshake, 1, 0, 0);
    if (sendSz < 0)
        return sendSz;

    ssl->buffers.outputBuffer.length += sendSz;

    /* Everything sent from here on uses the handshake encryption key. */
    ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
    if (ret != 0)
        return ret;

    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13EndOfEarlyData", ret);

    return ret;
}
|
---|
5497 | #endif /* !NO_WOLFSSL_CLIENT */
|
---|
5498 |
|
---|
5499 | #ifndef NO_WOLFSSL_SERVER
|
---|
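/* Parse the TLS v1.3 EndOfEarlyData message that indicates that there will be
 * no more early application data.
 * The decryption key now changes to the pre-calculated handshake key.
 *
 * ssl The SSL/TLS object.
 * input The message buffer (unused: the message has no body).
 * inOutIdx On entry, the index into the message buffer of the message body.
 * On exit, the index of the byte after the message and padding.
 * size The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13EndOfEarlyData(WOLFSSL* ssl, const byte* input,
                                 word32* inOutIdx, word32 size)
{
    int ret;

    (void)input;

    WOLFSSL_ENTER("DoTls13EndOfEarlyData");

    /* EndOfEarlyData has an empty body and nothing has been consumed yet, so
     * the message length itself must be zero. */
    if (size != 0)
        return BUFFER_ERROR;

    /* Always encrypted. */
    *inOutIdx += ssl->keys.padSz;

    ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);

    WOLFSSL_LEAVE("DoTls13EndOfEarlyData", ret);

    return ret;
}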
|
---|
5529 | #endif /* !NO_WOLFSSL_SERVER */
|
---|
5530 | #endif /* WOLFSSL_EARLY_DATA */
|
---|
5531 |
|
---|
5532 | #ifndef NO_WOLFSSL_CLIENT
|
---|
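/* Handle a New Session Ticket handshake message.
 * Message contains the information required to perform resumption.
 *
 * Every field is length-checked against the message size before it is read;
 * the content is server-supplied.
 *
 * ssl The SSL/TLS object.
 * input The message buffer.
 * inOutIdx On entry, the index into the message buffer of the
 * NewSessionTicket body.
 * On exit, the index of the byte after the NewSessionTicket message and
 * padding.
 * size The length of the current handshake message.
 * returns 0 on success, otherwise failure.
 */
static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input,
                                   word32* inOutIdx, word32 size)
{
#ifdef HAVE_SESSION_TICKET
    int    ret;
    word32 begin = *inOutIdx;
    word32 lifetime;
    word32 ageAdd;
    word16 length;
    word32 now;

    WOLFSSL_ENTER("DoTls13NewSessionTicket");

    /* Lifetime hint. */
    if ((*inOutIdx - begin) + SESSION_HINT_SZ > size)
        return BUFFER_ERROR;
    ato32(input + *inOutIdx, &lifetime);
    *inOutIdx += SESSION_HINT_SZ;
    /* A server must not advertise a lifetime above MAX_LIFETIME. */
    if (lifetime > MAX_LIFETIME)
        return SERVER_HINT_ERROR;

    /* Age add. */
    if ((*inOutIdx - begin) + SESSION_ADD_SZ > size)
        return BUFFER_ERROR;
    ato32(input + *inOutIdx, &ageAdd);
    *inOutIdx += SESSION_ADD_SZ;

    /* Ticket length. */
    if ((*inOutIdx - begin) + LENGTH_SZ > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &length);
    *inOutIdx += LENGTH_SZ;
    /* Ticket bytes must lie inside the message. */
    if ((*inOutIdx - begin) + length > size)
        return BUFFER_ERROR;

    if ((ret = SetTicket(ssl, input + *inOutIdx, length)) != 0)
        return ret;
    *inOutIdx += length;

    now = TimeNowInMilliseconds();
    /* Return the error code itself, not its word32 representation. */
    if (now == (word32)GETTIME_ERROR)
        return GETTIME_ERROR;
    /* Copy in ticket data (server identity). */
    ssl->timeout = lifetime;
    ssl->session.timeout = lifetime;
    ssl->session.cipherSuite0 = ssl->options.cipherSuite0;
    ssl->session.cipherSuite = ssl->options.cipherSuite;
    ssl->session.ticketSeen = now;
    ssl->session.ticketAdd = ageAdd;
#ifdef WOLFSSL_EARLY_DATA
    ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
#endif

    /* Extensions: length must account for exactly the rest of the message. */
    if ((*inOutIdx - begin) + EXTS_SZ > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &length);
    *inOutIdx += EXTS_SZ;
    if ((*inOutIdx - begin) + length != size)
        return BUFFER_ERROR;
#ifdef WOLFSSL_EARLY_DATA
    ret = TLSX_Parse(ssl, (byte *)input + (*inOutIdx), length, session_ticket,
                     NULL);
    if (ret != 0)
        return ret;
#endif
    *inOutIdx += length;

#ifndef NO_SESSION_CACHE
    AddSession(ssl);
#endif

    /* Always encrypted. */
    *inOutIdx += ssl->keys.padSz;

    ssl->expect_session_ticket = 0;
#else
    (void)ssl;
    (void)input;

    WOLFSSL_ENTER("DoTls13NewSessionTicket");

    /* No ticket support: skip the whole message and its padding. */
    *inOutIdx += size + ssl->keys.padSz;
#endif /* HAVE_SESSION_TICKET */

    WOLFSSL_LEAVE("DoTls13NewSessionTicket", 0);

    return 0;
}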
|
---|
5631 | #endif /* NO_WOLFSSL_CLIENT */
|
---|
5632 |
|
---|
5633 | #ifndef NO_WOLFSSL_SERVER
|
---|
5634 | #ifdef HAVE_SESSION_TICKET
|
---|
5635 |
|
---|
5636 | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
|
---|
5637 | /* Offset of the MAC size in the finished message. */
|
---|
5638 | #define FINISHED_MSG_SIZE_OFFSET 3
|
---|
5639 |
|
---|
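/* Calculate the resumption secret which includes the unseen client finished
 * message.
 *
 * The running transcript hash is snapshotted, the client's expected Finished
 * message (preceded by EndOfEarlyData when early data is in use) is hashed
 * in, the resumption secret is derived from that transcript, and the snapshot
 * is restored so processing of the real messages continues unaffected.
 *
 * ssl The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int ExpectedResumptionSecret(WOLFSSL* ssl)
{
    int    ret;
    word32 finishedSz = 0;
    byte   mac[MAX_DIGEST_SIZE];
    Digest digest;
    /* Handshake header of a Finished message: type 0x14 and a 24-bit length
     * whose low byte is filled in below. Kept on the stack so concurrent
     * connections never write a shared static buffer. */
    byte   header[] = { 0x14, 0x00, 0x00, 0x00 };

    /* Copy the running hash so we can restore it after. */
    switch (ssl->specs.mac_algorithm) {
#ifndef NO_SHA256
        case sha256_mac:
            ret = wc_Sha256Copy(&ssl->hsHashes->hashSha256, &digest.sha256);
            if (ret != 0)
                return ret;
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_Sha384Copy(&ssl->hsHashes->hashSha384, &digest.sha384);
            if (ret != 0)
                return ret;
            break;
#endif
#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            ret = wc_Sha512Copy(&ssl->hsHashes->hashSha512, &digest.sha512);
            if (ret != 0)
                return ret;
            break;
#endif
        default:
            /* Without a snapshot the transcript could not be restored after
             * hashing the synthetic messages: refuse rather than corrupt it. */
            return BAD_FUNC_ARG;
    }

    /* Generate the Client's Finished message and hash it. */
    ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, mac,
                                  &finishedSz);
    if (ret != 0)
        return ret;
    /* finishedSz is a digest size, so it fits in the low length byte. */
    header[FINISHED_MSG_SIZE_OFFSET] = (byte)finishedSz;
#ifdef WOLFSSL_EARLY_DATA
    if (ssl->earlyData) {
        /* Client's EndOfEarlyData (type 0x05, empty body) precedes its
         * Finished in the transcript. */
        static byte endOfEarlyData[] = { 0x05, 0x00, 0x00, 0x00 };
        ret = HashInputRaw(ssl, endOfEarlyData, sizeof(endOfEarlyData));
        if (ret != 0)
            return ret;
    }
#endif
    if ((ret = HashInputRaw(ssl, header, sizeof(header))) != 0)
        return ret;
    if ((ret = HashInputRaw(ssl, mac, finishedSz)) != 0)
        return ret;

    if ((ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret)) != 0)
        return ret;

    /* Restore the hash inline with currently seen messages. */
    switch (ssl->specs.mac_algorithm) {
#ifndef NO_SHA256
        case sha256_mac:
            ret = wc_Sha256Copy(&digest.sha256, &ssl->hsHashes->hashSha256);
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_Sha384Copy(&digest.sha384, &ssl->hsHashes->hashSha384);
            break;
#endif
#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            /* Restore into the SHA-512 state that was snapshotted above. */
            ret = wc_Sha512Copy(&digest.sha512, &ssl->hsHashes->hashSha512);
            break;
#endif
        default:
            /* Not reachable: the first switch rejected unknown algorithms. */
            ret = BAD_FUNC_ARG;
            break;
    }

    return ret;
}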
|
---|
5728 | #endif
|
---|
5729 |
|
---|
/* Send New Session Ticket handshake message.
 * Message contains the information required to perform resumption.
 *
 * ssl The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13NewSessionTicket(WOLFSSL* ssl)
{
    int    ret;
    int    sendSz;
    word32 extSz;
    word32 bodyLen;
    word32 pos = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    byte*  output;

    WOLFSSL_ENTER("SendTls13NewSessionTicket");

#ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
    /* Ticket is sent before the client's Finished has been seen, so the
     * resumption secret is computed from the expected transcript. */
    if (!ssl->msgsReceived.got_finished) {
        ret = ExpectedResumptionSecret(ssl);
        if (ret != 0)
            return ret;
    }
#endif

    if (!ssl->options.noTicketTls13) {
        ret = CreateTicket(ssl);
        if (ret != 0)
            return ret;
    }

#ifdef WOLFSSL_EARLY_DATA
    ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
    /* NOTE(review): the result of TLSX_EarlyData_Use is not checked here -
     * confirm whether it can fail. */
    if (ssl->session.maxEarlyDataSz > 0)
        TLSX_EarlyData_Use(ssl, ssl->session.maxEarlyDataSz);
    extSz = TLSX_GetResponseSize(ssl, session_ticket);
#else
    extSz = EXTS_SZ;
#endif

    /* Lifetime | Age Add | Ticket | Extensions */
    bodyLen = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ +
              ssl->session.ticketLen + extSz;
    sendSz = pos + bodyLen + MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    ret = CheckAvailableSize(ssl, sendSz);
    if (ret != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, bodyLen, session_ticket, ssl);

    /* Lifetime hint.
     * NOTE(review): sent as configured; the client side in this file rejects
     * a value above MAX_LIFETIME, so ctx->ticketHint must stay within it. */
    c32toa(ssl->ctx->ticketHint, output + pos);
    pos += SESSION_HINT_SZ;
    /* Age add - obfuscator */
    c32toa(ssl->session.ticketAdd, output + pos);
    pos += SESSION_ADD_SZ;

    /* Ticket length followed by the ticket itself. */
    c16toa(ssl->session.ticketLen, output + pos);
    pos += LENGTH_SZ;
    XMEMCPY(output + pos, ssl->session.ticket, ssl->session.ticketLen);
    pos += ssl->session.ticketLen;

#ifdef WOLFSSL_EARLY_DATA
    pos += TLSX_WriteResponse(ssl, output + pos, session_ticket);
#else
    /* No extension support - empty extensions. */
    c16toa(0, output + pos);
    pos += EXTS_SZ;
#endif

    ssl->options.haveSessionId = 1;

#ifndef NO_SESSION_CACHE
    AddSession(ssl);
#endif

    /* This message is always encrypted. */
    sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
                               pos - RECORD_HEADER_SZ, handshake, 0, 0, 0);
    if (sendSz < 0)
        return sendSz;

    ssl->buffers.outputBuffer.length += sendSz;

    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13NewSessionTicket", 0);

    return ret;
}
5827 | #endif /* HAVE_SESSION_TICKET */
5828 | #endif /* NO_WOLFSSL_SERVER */
/* Make sure no duplicates, no fast forward, or other problems: check a
 * received handshake message type against the messages seen so far and
 * record it as received.
 *
 * ssl   The SSL/TLS object.
 * type  Type of handshake message received.
 * returns 0 on success; DUPLICATE_MSG_E for a repeated message,
 * OUT_OF_ORDER_E for a message whose prerequisite was not seen, and
 * SANITY_MSG_E for an unknown type.
 */
static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type)
{
    switch (type) {

#ifndef NO_WOLFSSL_SERVER
        case client_hello:
            /* A second ClientHello is expected after a HelloRetryRequest;
             * anything beyond that is rejected. */
            if (ssl->msgsReceived.got_client_hello == 2) {
                WOLFSSL_MSG("Too many ClientHello received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_client_hello++;
            break;
#endif

#ifndef NO_WOLFSSL_CLIENT
        case server_hello:
            if (ssl->msgsReceived.got_server_hello != 0) {
                WOLFSSL_MSG("Duplicate ServerHello received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_server_hello = 1;
            break;

        case hello_retry_request:
            if (ssl->msgsReceived.got_hello_retry_request != 0) {
                WOLFSSL_MSG("Duplicate HelloRetryRequest received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_hello_retry_request = 1;
            break;

        case encrypted_extensions:
            if (ssl->msgsReceived.got_encrypted_extensions != 0) {
                WOLFSSL_MSG("Duplicate EncryptedExtensions received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_encrypted_extensions = 1;
            break;

        case session_ticket:
            if (ssl->msgsReceived.got_session_ticket != 0) {
                WOLFSSL_MSG("Duplicate SessionTicket received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_session_ticket = 1;
            break;

        case certificate_request:
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
            /* After Finished, a CertificateRequest starts post-handshake
             * authentication and is not treated as a duplicate. */
            if (!ssl->msgsReceived.got_finished)
#endif
            {
                if (ssl->msgsReceived.got_certificate_request != 0) {
                    WOLFSSL_MSG("Duplicate CertificateRequest received");
                    return DUPLICATE_MSG_E;
                }
            }
            ssl->msgsReceived.got_certificate_request = 1;
            break;
#endif /* !NO_WOLFSSL_CLIENT */

#if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_EARLY_DATA)
        case end_of_early_data:
            if (ssl->msgsReceived.got_end_of_early_data == 1) {
                WOLFSSL_MSG("Too many EndOfEarlyData received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_end_of_early_data++;
            break;
#endif

        case certificate:
            if (ssl->msgsReceived.got_certificate != 0) {
                WOLFSSL_MSG("Duplicate Certificate received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_certificate = 1;

            /* A Certificate is only acceptable once the peer's Hello has
             * been seen. */
#ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END &&
                    ssl->msgsReceived.got_server_hello == 0) {
                WOLFSSL_MSG("No ServerHello before Cert");
                return OUT_OF_ORDER_E;
            }
#endif
#ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END &&
                    ssl->msgsReceived.got_client_hello == 0) {
                WOLFSSL_MSG("No ClientHello before Cert");
                return OUT_OF_ORDER_E;
            }
#endif
            break;

        case certificate_verify:
            if (ssl->msgsReceived.got_certificate_verify != 0) {
                WOLFSSL_MSG("Duplicate CertificateVerify received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_certificate_verify = 1;

            /* CertificateVerify must follow a Certificate. */
            if (ssl->msgsReceived.got_certificate == 0) {
                WOLFSSL_MSG("No Cert before CertVerify");
                return OUT_OF_ORDER_E;
            }
            break;

        case finished:
#ifndef WOLFSSL_POST_HANDSHAKE_AUTH
            if (ssl->msgsReceived.got_finished != 0) {
                WOLFSSL_MSG("Duplicate Finished received");
                return DUPLICATE_MSG_E;
            }
#else
            /* With post-handshake authentication a further Finished is
             * expected, so the duplicate check is compiled out: any number
             * of Finished messages pass this function. */
#endif
            ssl->msgsReceived.got_finished = 1;
            break;

        case key_update:
            /* KeyUpdate is a post-handshake message only. */
            if (!ssl->msgsReceived.got_finished) {
                WOLFSSL_MSG("No KeyUpdate before Finished");
                return OUT_OF_ORDER_E;
            }
            break;

        default:
            WOLFSSL_MSG("Unknown message type");
            return SANITY_MSG_E;
    }

    return 0;
}
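/* Handle a type of handshake message that has been received.
 *
 * Performs the checks common to every TLS v1.3 handshake message (message
 * fits in the buffer, not a duplicate or out of order, allowed in the
 * current handshake state), dispatches to the per-message handler, adds the
 * message to the transcript hash where it belongs, sends a fatal alert for
 * decode and parameter errors, and runs the key schedule steps triggered by
 * ServerHello, EncryptedExtensions and Finished.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the buffer of the current message.
 *           On exit, the index into the buffer of the next message.
 * type      Handshake message type.
 * size      The length of the current handshake message.
 * totalSz   Length of remaining data in the message buffer.
 * returns 0 on success and otherwise failure: INCOMPLETE_DATA when the
 * message is not fully in the buffer, the SanityCheckTls13MsgReceived()
 * error codes, OUT_OF_ORDER_E when the message is not allowed in the
 * current state, UNKNOWN_HANDSHAKE_TYPE for an unhandled type, or the
 * error from the handler, the transcript hash or key derivation.
 */
int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                            byte type, word32 size, word32 totalSz)
{
    int    ret = 0;
    word32 inIdx = *inOutIdx;   /* start of the message body, for hashing */

    WOLFSSL_ENTER("DoTls13HandShakeMsgType");

    /* make sure can read the message */
    /* Written so the comparison cannot wrap for a very large size. */
    if (*inOutIdx > totalSz || size > totalSz - *inOutIdx)
        return INCOMPLETE_DATA;

    /* sanity check msg received */
    if ( (ret = SanityCheckTls13MsgReceived(ssl, type)) != 0) {
        WOLFSSL_MSG("Sanity Check on handshake message type received failed");
        return ret;
    }

#ifdef WOLFSSL_CALLBACKS
    /* add name later, add on record and handshake header part back on */
    if (ssl->toInfoOn) {
        int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
        AddPacketInfo(0, &ssl->timeoutInfo, input + *inOutIdx - add,
                      size + add, ssl->heap);
        AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
    }
#endif

    /* Once the handshake is complete only post-handshake messages are
     * accepted: NewSessionTicket, CertificateRequest, Certificate, KeyUpdate.
     * NOTE(review): CertificateVerify and Finished are not in this list; how
     * the post-handshake client authentication flow
     * (WOLFSSL_POST_HANDSHAKE_AUTH) gets past this gate is not visible
     * here - confirm. */
    if (ssl->options.handShakeState == HANDSHAKE_DONE &&
            type != session_ticket && type != certificate_request &&
            type != certificate && type != key_update) {
        WOLFSSL_MSG("HandShake message after handshake complete");
        SendAlert(ssl, alert_fatal, unexpected_message);
        return OUT_OF_ORDER_E;
    }

    /* Client: the first message from the server must be a ServerHello or a
     * HelloRetryRequest. */
    if (ssl->options.side == WOLFSSL_CLIENT_END &&
            ssl->options.serverState == NULL_STATE &&
            type != server_hello && type != hello_retry_request) {
        WOLFSSL_MSG("First server message not server hello");
        SendAlert(ssl, alert_fatal, unexpected_message);
        return OUT_OF_ORDER_E;
    }

    /* Server: the first message from the client must be a ClientHello. */
    if (ssl->options.side == WOLFSSL_SERVER_END &&
            ssl->options.clientState == NULL_STATE && type != client_hello) {
        WOLFSSL_MSG("First client message not client hello");
        SendAlert(ssl, alert_fatal, unexpected_message);
        return OUT_OF_ORDER_E;
    }

    /* above checks handshake state */
    switch (type) {

#ifndef NO_WOLFSSL_CLIENT
        case hello_retry_request:
            WOLFSSL_MSG("processing hello retry request");
            ret = DoTls13HelloRetryRequest(ssl, input, inOutIdx, size);
            break;

        case server_hello:
            WOLFSSL_MSG("processing server hello");
            ret = DoTls13ServerHello(ssl, input, inOutIdx, size);
            break;

#ifndef NO_CERTS
        case certificate_request:
            WOLFSSL_MSG("processing certificate request");
            ret = DoTls13CertificateRequest(ssl, input, inOutIdx, size);
            break;
#endif

        case session_ticket:
            WOLFSSL_MSG("processing new session ticket");
            ret = DoTls13NewSessionTicket(ssl, input, inOutIdx, size);
            break;

        case encrypted_extensions:
            WOLFSSL_MSG("processing encrypted extensions");
            ret = DoTls13EncryptedExtensions(ssl, input, inOutIdx, size);
            break;
#endif /* !NO_WOLFSSL_CLIENT */

#ifndef NO_CERTS
        case certificate:
            WOLFSSL_MSG("processing certificate");
            ret = DoTls13Certificate(ssl, input, inOutIdx, size);
            break;
#endif

#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519)
        case certificate_verify:
            WOLFSSL_MSG("processing certificate verify");
            ret = DoTls13CertificateVerify(ssl, input, inOutIdx, size);
            break;
#endif /* !NO_RSA || HAVE_ECC */

#ifdef WOLFSSL_EARLY_DATA
#ifndef NO_WOLFSSL_SERVER
        case end_of_early_data:
            WOLFSSL_MSG("processing end of early data");
            ret = DoTls13EndOfEarlyData(ssl, input, inOutIdx, size);
            break;
#endif
#endif

        case finished:
            WOLFSSL_MSG("processing finished");
            ret = DoTls13Finished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF);
            break;

        case key_update:
            /* Log message named the wrong message type (copy of "finished"). */
            WOLFSSL_MSG("processing key update");
            ret = DoTls13KeyUpdate(ssl, input, inOutIdx, size);
            break;

#ifndef NO_WOLFSSL_SERVER
        case client_hello:
            WOLFSSL_MSG("processing client hello");
            ret = DoTls13ClientHello(ssl, input, inOutIdx, size);
            break;
#endif /* !NO_WOLFSSL_SERVER */

        default:
            WOLFSSL_MSG("Unknown handshake message type");
            ret = UNKNOWN_HANDSHAKE_TYPE;
            break;
    }

    /* reset error */
    /* A previously pending async operation has now completed. */
    if (ret == 0 && ssl->error == WC_PENDING_E)
        ssl->error = 0;

    /* Add the message to the transcript hash. ClientHello is not hashed
     * here (presumably handled by its own handler - confirm); NewSessionTicket
     * and KeyUpdate are post-handshake messages outside the transcript. */
    if (ret == 0 && type != client_hello && type != session_ticket &&
            type != key_update && ssl->error != WC_PENDING_E) {
        ret = HashInput(ssl, input + inIdx, size);
    }

    /* Map decode failures and bad parameters to the matching fatal alert. */
    if (ret == BUFFER_ERROR || ret == MISSING_HANDSHAKE_DATA)
        SendAlert(ssl, alert_fatal, decode_error);

    if (ret == EXT_NOT_ALLOWED || ret == PEER_KEY_ERROR ||
            ret == ECC_PEERKEY_ERROR || ret == BAD_KEY_SHARE_DATA ||
            ret == PSK_KEY_ERROR || ret == INVALID_PARAMETER) {
        SendAlert(ssl, alert_fatal, illegal_parameter);
    }

    if (ssl->options.tls1_3) {
        /* Client, ServerHello: derive the early and handshake secrets and
         * the handshake traffic keys. With early data enabled only the
         * decrypt side is switched here - the encrypt side is switched at
         * EncryptedExtensions below. */
        if (type == server_hello && ssl->options.side == WOLFSSL_CLIENT_END) {
            if ((ret = DeriveEarlySecret(ssl)) != 0)
                return ret;
            if ((ret = DeriveHandshakeSecret(ssl)) != 0)
                return ret;

            if ((ret = DeriveTls13Keys(ssl, handshake_key,
                                       ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
                return ret;
            }
#ifdef WOLFSSL_EARLY_DATA
            if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
                return ret;
#else
            if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
                return ret;
#endif
        }
#ifdef WOLFSSL_EARLY_DATA
        /* Client, EncryptedExtensions: when no early data is in flight the
         * encrypt side moves to the handshake keys now. */
        if (type == encrypted_extensions &&
                ssl->options.side == WOLFSSL_CLIENT_END) {
            if (!ssl->earlyData)
            {
                if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
                    return ret;
            }
        }
#endif

        /* Client, server's Finished: derive the master secret and the
         * application traffic keys. The final flag is cleared while early
         * data is still in flight (its meaning is in DeriveTls13Keys()). */
        if (type == finished && ssl->options.side == WOLFSSL_CLIENT_END) {
            if ((ret = DeriveMasterSecret(ssl)) != 0)
                return ret;
#ifdef WOLFSSL_EARLY_DATA
            if ((ret = DeriveTls13Keys(ssl, traffic_key,
                                ENCRYPT_AND_DECRYPT_SIDE, !ssl->earlyData)) != 0) {
                return ret;
            }
#else
            if ((ret = DeriveTls13Keys(ssl, traffic_key,
                                       ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
                return ret;
            }
#endif
        }

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
        /* Server, client's Finished: derive the resumption secret used for
         * tickets / PSK resumption. */
        if (type == finished && ssl->options.side == WOLFSSL_SERVER_END) {
            ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret);
            if (ret != 0)
                return ret;
        }
#endif
    }

#ifdef WOLFSSL_ASYNC_CRYPT
    /* if async, offset index so this msg will be processed again */
    if (ret == WC_PENDING_E && *inOutIdx > 0) {
        *inOutIdx -= HANDSHAKE_HEADER_SZ;
    }
#endif

    WOLFSSL_LEAVE("DoTls13HandShakeMsgType()", ret);
    return ret;
}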
/* Handle a handshake message that has been received.
 *
 * Handshake messages may be fragmented across records. The first fragment's
 * header is parsed here; when the message does not fit in the remaining
 * input it is accumulated in ssl->arrays->pendingMsg across calls and
 * dispatched to DoTls13HandShakeMsgType() once complete.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the buffer of the current message.
 *           On exit, the index into the buffer of the next message.
 * totalSz   Length of remaining data in the message buffer.
 * returns 0 on success and otherwise failure: PARSE_ERROR for a bad
 * handshake header, HANDSHAKE_SIZE_ERROR when the message exceeds
 * MAX_HANDSHAKE_SZ, MEMORY_E when the reassembly buffer cannot be
 * allocated, BUFFER_ERROR when a fragment would overrun the pending
 * message, or the error from DoTls13HandShakeMsgType().
 */
int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                        word32 totalSz)
{
    int    ret = 0;
    word32 inputLength;

    WOLFSSL_ENTER("DoTls13HandShakeMsg()");

    /* No handshake arrays (presumably released once the handshake has
     * completed - confirm): no reassembly state is available, so the message
     * is processed directly. */
    if (ssl->arrays == NULL) {
        byte   type;
        word32 size;

        if (GetHandshakeHeader(ssl,input,inOutIdx,&type, &size, totalSz) != 0)
            return PARSE_ERROR;

        return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
                                       totalSz);
    }

    /* Handshake bytes still unread in the input buffer, excluding the
     * record padding. Computed before the header is consumed, so it includes
     * the header bytes on the first fragment. */
    inputLength = ssl->buffers.inputBuffer.length - *inOutIdx - ssl->keys.padSz;

    /* If there is a pending fragmented handshake message,
     * pending message size will be non-zero. */
    if (ssl->arrays->pendingMsgSz == 0) {
        byte   type;
        word32 size;

        if (GetHandshakeHeader(ssl,input, inOutIdx, &type, &size, totalSz) != 0)
            return PARSE_ERROR;

        /* Cap the maximum size of a handshake message to something reasonable.
         * By default is the maximum size of a certificate message assuming
         * nine 2048-bit RSA certificates in the chain. */
        if (size > MAX_HANDSHAKE_SZ) {
            WOLFSSL_MSG("Handshake message too large");
            return HANDSHAKE_SIZE_ERROR;
        }

        /* size is the size of the certificate message payload */
        /* Only part of the message is here: start reassembly. Header and
         * data are copied together so the buffer holds the whole message.
         * NOTE(review): the subtraction relies on GetHandshakeHeader() having
         * consumed a complete header within the input, i.e. inputLength >=
         * HANDSHAKE_HEADER_SZ; it wraps otherwise. Also assumes pendingMsg is
         * NULL whenever pendingMsgSz is 0 (the else branch below keeps the
         * two in step). */
        if (inputLength - HANDSHAKE_HEADER_SZ < size) {
            ssl->arrays->pendingMsgType = type;
            ssl->arrays->pendingMsgSz = size + HANDSHAKE_HEADER_SZ;
            ssl->arrays->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ,
                                                     ssl->heap,
                                                     DYNAMIC_TYPE_ARRAYS);
            if (ssl->arrays->pendingMsg == NULL)
                return MEMORY_E;
            XMEMCPY(ssl->arrays->pendingMsg,
                    input + *inOutIdx - HANDSHAKE_HEADER_SZ,
                    inputLength);
            ssl->arrays->pendingMsgOffset = inputLength;
            /* Consume the rest of the record; the header was already
             * consumed by GetHandshakeHeader(). */
            *inOutIdx += inputLength + ssl->keys.padSz - HANDSHAKE_HEADER_SZ;
            return 0;
        }

        ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
                                      totalSz);
    }
    else {
        /* Continuation fragment: must not overrun the reassembly buffer.
         * NOTE(review): a record carrying the remainder of the pending
         * message plus the start of the next message is rejected here rather
         * than split. */
        if (inputLength + ssl->arrays->pendingMsgOffset >
                                                  ssl->arrays->pendingMsgSz) {
            return BUFFER_ERROR;
        }

        XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset,
                input + *inOutIdx, inputLength);
        ssl->arrays->pendingMsgOffset += inputLength;
        *inOutIdx += inputLength + ssl->keys.padSz;

        /* Message complete: process it out of the reassembly buffer, with
         * the header stripped and an index local to that buffer. */
        if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz)
        {
            word32 idx = 0;
            ret = DoTls13HandShakeMsgType(ssl,
                                    ssl->arrays->pendingMsg + HANDSHAKE_HEADER_SZ,
                                    &idx, ssl->arrays->pendingMsgType,
                                    ssl->arrays->pendingMsgSz - HANDSHAKE_HEADER_SZ,
                                    ssl->arrays->pendingMsgSz);
#ifdef WOLFSSL_ASYNC_CRYPT
            if (ret == WC_PENDING_E) {
                /* setup to process fragment again */
                ssl->arrays->pendingMsgOffset -= inputLength;
                *inOutIdx -= inputLength + ssl->keys.padSz;
            }
            else
#endif
            {
                /* Done with the reassembly buffer (also on error). */
                XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
                ssl->arrays->pendingMsg = NULL;
                ssl->arrays->pendingMsgSz = 0;
            }
        }
    }

    WOLFSSL_LEAVE("DoTls13HandShakeMsg()", ret);
    return ret;
}
/* The client connecting to the server.
 * The protocol version is expecting to be TLS v1.3.
 * If the server downgrades, and older versions of the protocol are compiled
 * in, the client will fallback to wolfSSL_connect().
 * Please see note at top of README if you get an error from connect.
 *
 * The handshake is driven as a state machine on ssl->options.connectState;
 * each case advances the state and falls through to the next so that a call
 * interrupted by a non-fatal condition (e.g. more fragments to send, async
 * crypto pending) resumes where it left off.
 *
 * ssl The SSL/TLS object.
 * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when
 * unrecoverable error occurs and 0 otherwise.
 * For more error information use wolfSSL_get_error().
 * NOTE(review): no path below returns 0, and the version-mismatch path in
 * HELLO_AGAIN returns the raw VERSION_ERROR code without setting ssl->error,
 * unlike the other failure paths - callers relying on wolfSSL_get_error()
 * will not see that error.
 */
int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
{
    int neededState;

    WOLFSSL_ENTER("wolfSSL_connect_TLSv13()");

#ifdef HAVE_ERRNO_H
    errno = 0;
#endif

    if (ssl->options.side != WOLFSSL_CLIENT_END) {
        WOLFSSL_ERROR(ssl->error = SIDE_ERROR);
        return WOLFSSL_FATAL_ERROR;
    }

    /* Flush anything left from a previous call before moving on. */
    if (ssl->buffers.outputBuffer.length > 0) {
        if ((ssl->error = SendBuffered(ssl)) == 0) {
            /* fragOffset is non-zero when sending fragments. On the last
             * fragment, fragOffset is zero again, and the state can be
             * advanced. */
            if (ssl->fragOffset == 0) {
                ssl->options.connectState++;
                WOLFSSL_MSG("connect state: "
                            "Advanced from last buffered fragment send");
            }
            else {
                WOLFSSL_MSG("connect state: "
                            "Not advanced, more fragments to send");
            }
        }
        else {
            WOLFSSL_ERROR(ssl->error);
            return WOLFSSL_FATAL_ERROR;
        }
    }

    switch (ssl->options.connectState) {

        case CONNECT_BEGIN:
            /* Always send client hello first. */
            if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }

            ssl->options.connectState = CLIENT_HELLO_SENT;
            WOLFSSL_MSG("connect state: CLIENT_HELLO_SENT");
#ifdef WOLFSSL_EARLY_DATA
            /* With early data the application writes 0-RTT data now; the
             * handshake continues on the next call. */
            if (ssl->earlyData) {
                ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
                return WOLFSSL_SUCCESS;
            }
#endif
            FALL_THROUGH;

        case CLIENT_HELLO_SENT:
            /* When resuming the server's flight ends with Finished; otherwise
             * wait for the full first flight. */
            neededState = ssl->options.resuming ? SERVER_FINISHED_COMPLETE :
                                                  SERVER_HELLODONE_COMPLETE;
            /* Get the response/s from the server. */
            while (ssl->options.serverState < neededState) {
                if ((ssl->error = ProcessReply(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                /* if resumption failed, reset needed state. */
                if (neededState == SERVER_FINISHED_COMPLETE &&
                        !ssl->options.resuming) {
                    neededState = SERVER_HELLODONE_COMPLETE;
                }
            }

            ssl->options.connectState = HELLO_AGAIN;
            WOLFSSL_MSG("connect state: HELLO_AGAIN");
            FALL_THROUGH;

        case HELLO_AGAIN:
            /* Presumably the application only wanted the server's
             * certificate - confirm. */
            if (ssl->options.certOnly)
                return WOLFSSL_SUCCESS;

            /* Server negotiated an older version: fall back to the legacy
             * handshake when downgrade is allowed. */
            if (!ssl->options.tls1_3) {
                if (ssl->options.downgrade)
                    return wolfSSL_connect(ssl);

                WOLFSSL_MSG("Client using higher version, fatal error");
                return VERSION_ERROR;
            }

            /* HelloRetryRequest: send a new ClientHello and wait for the
             * server's flight again. */
            if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
                ssl->options.serverState = NULL_STATE;
                /* Try again with different security parameters. */
                if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }

            ssl->options.connectState = HELLO_AGAIN_REPLY;
            WOLFSSL_MSG("connect state: HELLO_AGAIN_REPLY");
            FALL_THROUGH;

        case HELLO_AGAIN_REPLY:
            /* Only read again when the state was reset by a
             * HelloRetryRequest or an async operation is still pending. */
            if (ssl->options.serverState == NULL_STATE ||
                                                  ssl->error == WC_PENDING_E) {
                neededState = ssl->options.resuming ? SERVER_FINISHED_COMPLETE :
                                                      SERVER_HELLODONE_COMPLETE;

                /* Get the response/s from the server. */
                while (ssl->options.serverState < neededState) {
                    if ((ssl->error = ProcessReply(ssl)) < 0) {
                        WOLFSSL_ERROR(ssl->error);
                        return WOLFSSL_FATAL_ERROR;
                    }
                    /* if resumption failed, reset needed state */
                    else if (neededState == SERVER_FINISHED_COMPLETE) {
                        if (!ssl->options.resuming)
                            neededState = SERVER_HELLODONE_COMPLETE;
                    }
                }
            }

            ssl->options.connectState = FIRST_REPLY_DONE;
            WOLFSSL_MSG("connect state: FIRST_REPLY_DONE");
            FALL_THROUGH;

        case FIRST_REPLY_DONE:
#ifdef WOLFSSL_EARLY_DATA
            /* Close the 0-RTT stream before the client's own flight. */
            if (ssl->earlyData) {
                if ((ssl->error = SendTls13EndOfEarlyData(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                WOLFSSL_MSG("sent: end_of_early_data");
            }
#endif

            ssl->options.connectState = FIRST_REPLY_FIRST;
            WOLFSSL_MSG("connect state: FIRST_REPLY_FIRST");
            FALL_THROUGH;

        case FIRST_REPLY_FIRST:
#ifndef NO_CERTS
            /* Client certificate, only for a full handshake in which the
             * server asked for one (sendVerify). */
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                ssl->error = SendTls13Certificate(ssl);
                if (ssl->error != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                WOLFSSL_MSG("sent: certificate");
            }
#endif

            ssl->options.connectState = FIRST_REPLY_SECOND;
            WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND");
            FALL_THROUGH;

        case FIRST_REPLY_SECOND:

#ifndef NO_CERTS
            /* Proof of possession for the certificate sent above. */
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                ssl->error = SendTls13CertificateVerify(ssl);
                if (ssl->error != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                WOLFSSL_MSG("sent: certificate verify");
            }
#endif

            ssl->options.connectState = FIRST_REPLY_THIRD;
            WOLFSSL_MSG("connect state: FIRST_REPLY_THIRD");
            FALL_THROUGH;

        case FIRST_REPLY_THIRD:
            if ((ssl->error = SendTls13Finished(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
            WOLFSSL_MSG("sent: finished");

            ssl->options.connectState = FINISHED_DONE;
            WOLFSSL_MSG("connect state: FINISHED_DONE");
            FALL_THROUGH;

        case FINISHED_DONE:
#ifndef NO_HANDSHAKE_DONE_CB
            /* Application callback may veto completion with a negative
             * return, which is reported through ssl->error. */
            if (ssl->hsDoneCb != NULL) {
                int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
                if (cbret < 0) {
                    ssl->error = cbret;
                    WOLFSSL_MSG("HandShake Done Cb don't continue error");
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif /* NO_HANDSHAKE_DONE_CB */

            WOLFSSL_LEAVE("wolfSSL_connect_TLSv13()", WOLFSSL_SUCCESS);
            return WOLFSSL_SUCCESS;

        default:
            WOLFSSL_MSG("Unknown connect state ERROR");
            return WOLFSSL_FATAL_ERROR; /* unknown connect state */
    }
}
#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
/* Enable sending a cookie in the HelloRetryRequest so the server does not
 * have to keep state between the first and the second ClientHello.
 *
 * The cookie secret lives in ssl->buffers.tls13CookieSecret. When the
 * requested size differs from the current one the old buffer is zeroed
 * (ForceZero) and released before a new one is allocated. With secret NULL
 * the secret is drawn from the RNG; otherwise secretSz bytes are copied
 * from secret.
 *
 * ssl       SSL/TLS object.
 * secret    Secret to use when generating integrity check for cookie.
 *           A value of NULL indicates to generate a new random secret.
 * secretSz  Size of secret data in bytes. Use a value of 0 to indicate use
 *           of default size (the digest size of the hash compiled in); a
 *           non-NULL secret must then provide at least that many bytes.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR when
 * called on a client, MEMORY_ERROR when the secret buffer cannot be
 * allocated, a negative RNG error when generating the secret fails, and
 * WOLFSSL_SUCCESS on success.
 */
int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret,
                            unsigned int secretSz)
{
    int rc;

    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

    /* Default secret size: SHA-256 digest size when available, otherwise the
     * SHA-1 digest size. */
    if (secretSz == 0) {
#ifndef NO_SHA256
        secretSz = WC_SHA256_DIGEST_SIZE;
#elif !defined(NO_SHA)
        secretSz = WC_SHA_DIGEST_SIZE;
#endif
    }

    /* Resize the secret buffer when the requested size differs. */
    if (ssl->buffers.tls13CookieSecret.length != secretSz) {
        byte* buf = ssl->buffers.tls13CookieSecret.buffer;

        if (buf != NULL) {
            /* Old secret is wiped before the memory goes back to the heap. */
            ForceZero(buf, ssl->buffers.tls13CookieSecret.length);
            XFREE(buf, ssl->heap, DYNAMIC_TYPE_COOKIE_PWD);
        }

        buf = (byte*)XMALLOC(secretSz, ssl->heap, DYNAMIC_TYPE_COOKIE_PWD);
        ssl->buffers.tls13CookieSecret.buffer = buf;
        ssl->buffers.tls13CookieSecret.length = (buf != NULL) ? secretSz : 0;
        if (buf == NULL) {
            WOLFSSL_MSG("couldn't allocate new cookie secret");
            return MEMORY_ERROR;
        }
    }

    if (secret != NULL) {
        XMEMCPY(ssl->buffers.tls13CookieSecret.buffer, secret, secretSz);
    }
    else {
        /* No secret supplied: draw a fresh random one. */
        rc = wc_RNG_GenerateBlock(ssl->rng,
                                  ssl->buffers.tls13CookieSecret.buffer,
                                  secretSz);
        if (rc < 0)
            return rc;
    }

    ssl->options.sendCookie = 1;

    return WOLFSSL_SUCCESS;
}
#endif
/* Create a key share entry for the named group.
 * A key pair for the group is generated in the process.
 *
 * ssl    The SSL/TLS object (client side).
 * group  The named group to offer.
 * returns BAD_FUNC_ARG when ssl is NULL, SIDE_ERROR when called on a server,
 * the error from TLSX_KeyShare_Use on failure and WOLFSSL_SUCCESS otherwise.
 */
int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group)
{
    int rc;

    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    rc = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL);
    return (rc != 0) ? rc : WOLFSSL_SUCCESS;
}
/* Send no key share entries - use HelloRetryRequest to negotiate shared group.
 * This costs an extra round trip, since the server must reply with a
 * HelloRetryRequest naming the group before a key share can be sent.
 *
 * ssl The SSL/TLS object (client side).
 * returns BAD_FUNC_ARG when ssl is NULL, SIDE_ERROR when called on a server,
 * the error from TLSX_KeyShare_Empty on failure and WOLFSSL_SUCCESS otherwise.
 */
int wolfSSL_NoKeyShares(WOLFSSL* ssl)
{
    int rc;

    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    rc = TLSX_KeyShare_Empty(ssl);
    return (rc != 0) ? rc : WOLFSSL_SUCCESS;
}
/* Do not send a ticket after TLS v1.3 handshake for resumption.
 * Without HAVE_SESSION_TICKET the call validates its arguments and is
 * otherwise a no-op that still returns 0.
 *
 * ctx The SSL/TLS CTX object (server side).
 * returns BAD_FUNC_ARG when ctx is NULL or not using TLS v1.3, SIDE_ERROR
 * when the CTX is a client and 0 on success.
 */
int wolfSSL_CTX_no_ticket_TLSv13(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;
    if (ctx->method->side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

#ifdef HAVE_SESSION_TICKET
    ctx->noTicketTls13 = 1;
#endif
    return 0;
}
/* Do not send a ticket after TLS v1.3 handshake for resumption.
 * Without HAVE_SESSION_TICKET the call validates its arguments and is
 * otherwise a no-op that still returns 0.
 *
 * ssl The SSL/TLS object (server side).
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR
 * when called on a client and 0 on success.
 */
int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

#ifdef HAVE_SESSION_TICKET
    ssl->options.noTicketTls13 = 1;
#endif
    return 0;
}
/* Disallow (EC)DHE key exchange when using pre-shared keys.
 * Applies to every WOLFSSL object later created from this CTX; there is no
 * side restriction.
 *
 * ctx The SSL/TLS CTX object.
 * returns BAD_FUNC_ARG when ctx is NULL or not using TLS v1.3 and 0 on
 * success.
 */
int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;

    ctx->noPskDheKe = 1;
    return 0;
}
/* Disallow (EC)DHE key exchange when using pre-shared keys.
 * There is no side restriction on this setting.
 *
 * ssl The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3 and 0 on
 * success.
 */
int wolfSSL_no_dhe_psk(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

    ssl->options.noPskDheKe = 1;
    return 0;
}
/* Update the keys for encryption and decryption by sending a KeyUpdate.
 * If using non-blocking I/O and WOLFSSL_ERROR_WANT_WRITE is returned then
 * calling wolfSSL_write() will have the message sent when ready.
 *
 * ssl The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
 * WOLFSSL_ERROR_WANT_WRITE when non-blocking I/O is not ready to write,
 * WOLFSSL_SUCCESS on success and otherwise the error from SendTls13KeyUpdate.
 */
int wolfSSL_update_keys(WOLFSSL* ssl)
{
    int rc;

    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

    /* Map the internal send result onto the public return convention. */
    rc = SendTls13KeyUpdate(ssl);
    if (rc == 0)
        return WOLFSSL_SUCCESS;
    if (rc == WANT_WRITE)
        return WOLFSSL_ERROR_WANT_WRITE;
    return rc;
}
6746 | #if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
/* Allow post-handshake authentication in TLS v1.3 connections.
 * This is a client-side setting: the client announces its willingness to
 * be asked for a certificate after the handshake.
 *
 * ctx The SSL/TLS CTX object (client side).
 * returns BAD_FUNC_ARG when ctx is NULL or not using TLS v1.3, SIDE_ERROR
 * when the CTX is a server and 0 on success.
 */
int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;
    if (ctx->method->side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    ctx->postHandshakeAuth = 1;
    return 0;
}
/* Allow post-handshake authentication in a TLS v1.3 connection.
 * This is a client-side setting: the client announces its willingness to
 * be asked for a certificate after the handshake.
 *
 * ssl The SSL/TLS object (client side).
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR
 * when called on a server and 0 on success.
 */
int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    ssl->options.postHandshakeAuth = 1;
    return 0;
}
/* Request a certificate from the client (post-handshake authentication).
 * Can be called any time after handshake completion, and only when the
 * client announced support for post-handshake authentication.
 * A maximum of 256 requests can be sent on a connection.
 * NOTE(review): nothing in this function enforces that limit - presumably
 * the request context value wraps; confirm where the limit is checked.
 *
 * ssl SSL/TLS object (server side).
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR
 * when called on a client, NOT_READY_ERROR before the handshake is done,
 * POST_HAND_AUTH_ERROR when the client did not allow it, MEMORY_E on
 * allocation failure, WOLFSSL_ERROR_WANT_WRITE when non-blocking I/O is not
 * ready to write, WOLFSSL_SUCCESS on success and otherwise the send error.
 */
int wolfSSL_request_certificate(WOLFSSL* ssl)
{
    CertReqCtx* reqCtx;
    int rc;

    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;
    if (ssl->options.handShakeState != HANDSHAKE_DONE)
        return NOT_READY_ERROR;
    if (!ssl->options.postHandshakeAuth)
        return POST_HAND_AUTH_ERROR;

    reqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx), ssl->heap,
                                  DYNAMIC_TYPE_TMP_BUFFER);
    if (reqCtx == NULL)
        return MEMORY_E;
    XMEMSET(reqCtx, 0, sizeof(CertReqCtx));

    /* Push the new context onto the front of the per-connection list. Its
     * value is one more than the previous request's, so the client's reply
     * can be matched to this request. The node is not released here;
     * presumably it lives as long as the SSL object - confirm. */
    reqCtx->len  = 1;
    reqCtx->next = ssl->certReqCtx;
    if (reqCtx->next != NULL)
        reqCtx->ctx = reqCtx->next->ctx + 1;
    ssl->certReqCtx = reqCtx;

    /* Map the internal send result onto the public return convention. */
    rc = SendTls13CertificateRequest(ssl, &reqCtx->ctx, reqCtx->len);
    if (rc == 0)
        return WOLFSSL_SUCCESS;
    if (rc == WANT_WRITE)
        return WOLFSSL_ERROR_WANT_WRITE;
    return rc;
}
6821 | #endif /* !NO_CERTS && WOLFSSL_POST_HANDSHAKE_AUTH */
6823 | #ifndef NO_WOLFSSL_SERVER
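/* The server accepting a connection from a client.
 * The protocol version is expected to be TLS v1.3.
 * If the client downgrades, and older versions of the protocol are compiled
 * in, the server will fallback to wolfSSL_accept().
 * Please see note at top of README if you get an error from accept.
 *
 * The handshake is driven as a state machine over ssl->options.acceptState.
 * Each transition stores the label of the case it then falls into, so that a
 * non-blocking return (WANT_WRITE with data left in outputBuffer) can resume
 * at the right point once the buffered data has been flushed.
 *
 * ssl The SSL/TLS object.
 * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when
 * unrecoverable error occurs and 0 otherwise.
 * For more error information use wolfSSL_get_error().
 */
int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
{
    word16 havePSK = 0;
    word16 haveAnon = 0;
    WOLFSSL_ENTER("SSL_accept_TLSv13()");

    /* ssl->error cannot be set without an object; report failure directly. */
    if (ssl == NULL)
        return WOLFSSL_FATAL_ERROR;

#ifdef HAVE_ERRNO_H
    errno = 0;
#endif

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    havePSK = ssl->options.havePSK;
#endif
    (void)havePSK;

#ifdef HAVE_ANON
    haveAnon = ssl->options.haveAnon;
#endif
    (void)haveAnon;

    if (ssl->options.side != WOLFSSL_SERVER_END) {
        WOLFSSL_ERROR(ssl->error = SIDE_ERROR);
        return WOLFSSL_FATAL_ERROR;
    }

#ifndef NO_CERTS
    /* in case used set_accept_state after init */
    if (!havePSK && !haveAnon &&
        (!ssl->buffers.certificate ||
         !ssl->buffers.certificate->buffer ||
         !ssl->buffers.key ||
         !ssl->buffers.key->buffer)) {
        WOLFSSL_MSG("accept error: don't have server cert and key");
        ssl->error = NO_PRIVATE_KEY;
        WOLFSSL_ERROR(ssl->error);
        return WOLFSSL_FATAL_ERROR;
    }
#endif

    /* Flush anything left over from a previous non-blocking send before
     * touching the state machine. */
    if (ssl->buffers.outputBuffer.length > 0) {
        if ((ssl->error = SendBuffered(ssl)) == 0) {
            /* fragOffset is non-zero when sending fragments. On the last
             * fragment, fragOffset is zero again, and the state can be
             * advanced. */
            if (ssl->fragOffset == 0) {
                /* NOTE(review): the increment relies on the numeric order of
                 * the AcceptState enum matching the case order below; the
                 * enum is not visible here - confirm. */
                ssl->options.acceptState++;
                WOLFSSL_MSG("accept state: "
                            "Advanced from last buffered fragment send");
            }
            else {
                WOLFSSL_MSG("accept state: "
                            "Not advanced, more fragments to send");
            }
        }
        else {
            WOLFSSL_ERROR(ssl->error);
            return WOLFSSL_FATAL_ERROR;
        }
    }

    switch (ssl->options.acceptState) {

        case ACCEPT_BEGIN :
            /* get response */
            while (ssl->options.clientState < CLIENT_HELLO_COMPLETE)
                if ((ssl->error = ProcessReply(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }

            ssl->options.acceptState = ACCEPT_CLIENT_HELLO_DONE;
            WOLFSSL_MSG("accept state ACCEPT_CLIENT_HELLO_DONE");
            FALL_THROUGH;

        case ACCEPT_CLIENT_HELLO_DONE :
            /* A HelloRetryRequest is only sent when ClientHello processing
             * decided one is needed (no usable key share or cookie). */
            if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
                if ((ssl->error = SendTls13HelloRetryRequest(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
            ssl->options.acceptState = ACCEPT_HELLO_RETRY_REQUEST_DONE;
            WOLFSSL_MSG("accept state ACCEPT_HELLO_RETRY_REQUEST_DONE");
            FALL_THROUGH;

        case ACCEPT_HELLO_RETRY_REQUEST_DONE :
            /* After a HelloRetryRequest the second ClientHello is read here. */
            if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
                if ( (ssl->error = ProcessReply(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
            ssl->options.acceptState = ACCEPT_FIRST_REPLY_DONE;
            WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE");
            FALL_THROUGH;

        case ACCEPT_FIRST_REPLY_DONE :
            if ((ssl->error = SendTls13ServerHello(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
            ssl->options.acceptState = SERVER_HELLO_SENT;
            WOLFSSL_MSG("accept state SERVER_HELLO_SENT");
            FALL_THROUGH;

        case SERVER_HELLO_SENT :
            if ((ssl->error = SendTls13EncryptedExtensions(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
            ssl->options.acceptState = SERVER_EXTENSIONS_SENT;
            WOLFSSL_MSG("accept state SERVER_EXTENSIONS_SENT");
            FALL_THROUGH;

        case SERVER_EXTENSIONS_SENT :
#ifndef NO_CERTS
            /* Client authentication is only requested on a full handshake. */
            if (!ssl->options.resuming) {
                if (ssl->options.verifyPeer) {
                    ssl->error = SendTls13CertificateRequest(ssl, NULL, 0);
                    if (ssl->error != 0) {
                        WOLFSSL_ERROR(ssl->error);
                        return WOLFSSL_FATAL_ERROR;
                    }
                }
            }
#endif
            ssl->options.acceptState = CERT_REQ_SENT;
            WOLFSSL_MSG("accept state CERT_REQ_SENT");
            FALL_THROUGH;

        case CERT_REQ_SENT :
            /* NOTE(review): KEY_EXCHANGE_SENT is held only while the
             * Certificate is being sent and is replaced by CERT_SENT below;
             * presumably chosen so a WANT_WRITE return resumes correctly via
             * the acceptState++ above - confirm against the enum order. */
            ssl->options.acceptState = KEY_EXCHANGE_SENT;
#ifndef NO_CERTS
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                if ((ssl->error = SendTls13Certificate(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif
            ssl->options.acceptState = CERT_SENT;
            WOLFSSL_MSG("accept state CERT_SENT");
            FALL_THROUGH;

        case CERT_SENT :
#ifndef NO_CERTS
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                if ((ssl->error = SendTls13CertificateVerify(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif
            /* Store the label of the case fallen into. This used to store
             * CERT_STATUS_SENT, which no case in this switch handles, so a
             * resume at this point could not land on the right case. */
            ssl->options.acceptState = CERT_VERIFY_SENT;
            WOLFSSL_MSG("accept state CERT_VERIFY_SENT");
            FALL_THROUGH;

        case CERT_VERIFY_SENT :
            if ((ssl->error = SendTls13Finished(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }

            ssl->options.acceptState = ACCEPT_FINISHED_DONE;
            WOLFSSL_MSG("accept state ACCEPT_FINISHED_DONE");
#ifdef WOLFSSL_EARLY_DATA
            /* With early data expected, hand control back to the caller so
             * the early data can be read before the client's Finished. */
            if (ssl->earlyData) {
                ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
                return WOLFSSL_SUCCESS;
            }
#endif
            FALL_THROUGH;

        case ACCEPT_FINISHED_DONE :
#ifdef HAVE_SESSION_TICKET
#ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
            /* Ticket before the client's Finished: only when the client is
             * not being authenticated, since the ticket would otherwise be
             * issued before the client's identity is known. */
            if (!ssl->options.resuming && !ssl->options.verifyPeer &&
                !ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) {
                if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif
#endif /* HAVE_SESSION_TICKET */
            ssl->options.acceptState = TICKET_SENT;
            WOLFSSL_MSG("accept state TICKET_SENT");
            FALL_THROUGH;

        case TICKET_SENT:
            while (ssl->options.clientState < CLIENT_FINISHED_COMPLETE)
                if ( (ssl->error = ProcessReply(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }

            ssl->options.acceptState = ACCEPT_SECOND_REPLY_DONE;
            WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE");
            FALL_THROUGH;

        case ACCEPT_SECOND_REPLY_DONE :
#ifdef HAVE_SESSION_TICKET
#ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
            /* The ticket was already sent above unless the client was
             * authenticated; the empty branch skips the send in that case. */
            if (!ssl->options.verifyPeer) {
            }
            else
#endif
            if (!ssl->options.resuming &&
                !ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) {
                if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif /* HAVE_SESSION_TICKET */
            ssl->options.acceptState = ACCEPT_THIRD_REPLY_DONE;
            WOLFSSL_MSG("accept state ACCEPT_THIRD_REPLY_DONE");
            FALL_THROUGH;

        case ACCEPT_THIRD_REPLY_DONE:
#ifndef NO_HANDSHAKE_DONE_CB
            if (ssl->hsDoneCb) {
                int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
                if (cbret < 0) {
                    ssl->error = cbret;
                    WOLFSSL_MSG("HandShake Done Cb don't continue error");
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif /* NO_HANDSHAKE_DONE_CB */

            WOLFSSL_LEAVE("SSL_accept()", WOLFSSL_SUCCESS);
            return WOLFSSL_SUCCESS;

        default :
            WOLFSSL_MSG("Unknown accept state ERROR");
            return WOLFSSL_FATAL_ERROR;
    }
}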
7074 | #endif
7076 | #ifdef WOLFSSL_EARLY_DATA
/* Sets the maximum amount of early data that can be seen by server when using
 * session tickets for resumption.
 * A value of zero indicates no early data is to be sent by client using session
 * tickets.
 *
 * ctx The SSL/TLS CTX object (server side).
 * sz  Maximum size of the early data in bytes.
 * returns BAD_FUNC_ARG when ctx is NULL or not using TLS v1.3, SIDE_ERROR
 * when the CTX is a client and 0 on success.
 */
int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;
    if (ctx->method->side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

    ctx->maxEarlyDataSz = sz;
    return 0;
}
/* Sets the maximum amount of early data that can be seen by server when using
 * session tickets for resumption.
 * A value of zero indicates no early data is to be sent by client using session
 * tickets.
 *
 * ssl The SSL/TLS object (server side).
 * sz  Maximum size of the early data in bytes.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR
 * when called on a client and 0 on success.
 */
int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

    ssl->options.maxEarlyDataSz = sz;
    return 0;
}
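/* Write early data to the server.
 * On the first call (no handshake started) the early-data flag is set and
 * the handshake is driven until the ClientHello is out; the data is then sent
 * under the early traffic keys.
 *
 * ssl    The SSL/TLS object (client side).
 * data   Early data to write.
 * sz     The size of the early data in bytes.
 * outSz  Receives the number of early data bytes written; 0 when nothing was
 *        written.
 * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative;
 * or not using TLS v1.3. SIDE_ERROR when called on a server.
 * WOLFSSL_FATAL_ERROR when the handshake or the send fails (see
 * wolfSSL_get_error() for WANT_READ/WANT_WRITE with non-blocking I/O).
 * Otherwise the number of early data bytes written.
 */
int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz)
{
    int ret = 0;

    WOLFSSL_ENTER("SSL_write_early_data()");

    if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

    if (ssl->options.side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    /* Define the output parameter on every path from here on; previously it
     * was left untouched when no data was sent. */
    *outSz = 0;

    if (ssl->options.handShakeState == NULL_STATE) {
        /* Mark early data before the handshake starts, then run it. */
        ssl->earlyData = 1;
        ret = wolfSSL_connect_TLSv13(ssl);
        if (ret <= 0)
            return WOLFSSL_FATAL_ERROR;
    }
    if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) {
        ret = SendData(ssl, data, sz);
        if (ret > 0)
            *outSz = ret;
    }
    else {
        /* Not in the early-data window: nothing was written, so do not
         * report the handshake's return value as a byte count (same
         * convention as wolfSSL_read_early_data()). */
        ret = 0;
    }

    WOLFSSL_LEAVE("SSL_write_early_data()", ret);

    if (ret < 0)
        ret = WOLFSSL_FATAL_ERROR;
    return ret;
}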
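/* Read any early data from the client.
 * On the first call (no handshake started) the early-data flag is set and
 * wolfSSL_accept_TLSv13() is driven until the server's Finished is out; the
 * early data is then read.
 *
 * ssl    The SSL/TLS object (server side).
 * data   Buffer to put the early data into.
 * sz     The size of the buffer in bytes.
 * outSz  Receives the number of early data bytes read; 0 when nothing was
 *        read.
 * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative;
 * or not using TLS v1.3. SIDE_ERROR when called on a client.
 * WOLFSSL_FATAL_ERROR when the handshake or the read fails (see
 * wolfSSL_get_error() for WANT_READ/WANT_WRITE with non-blocking I/O).
 * Otherwise the number of early data bytes read.
 */
int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz)
{
    int ret;

    WOLFSSL_ENTER("wolfSSL_read_early_data()");

    if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

    /* Define the output parameter on every path from here on; previously it
     * was left untouched when no data was read. */
    *outSz = 0;

    if (ssl->options.handShakeState == NULL_STATE) {
        /* Mark early data before the handshake starts, then run it. */
        ssl->earlyData = 1;
        ret = wolfSSL_accept_TLSv13(ssl);
        if (ret <= 0)
            return WOLFSSL_FATAL_ERROR;
    }
    if (ssl->options.handShakeState == SERVER_FINISHED_COMPLETE) {
        ret = ReceiveData(ssl, (byte*)data, sz, FALSE);
        if (ret > 0)
            *outSz = ret;
        /* End of early data is not a connection close; clear the
         * ZERO_RETURN that ReceiveData() recorded for it. */
        if (ssl->error == ZERO_RETURN)
            ssl->error = WOLFSSL_ERROR_NONE;
    }
    else
        ret = 0;

    WOLFSSL_LEAVE("wolfSSL_read_early_data()", ret);

    if (ret < 0)
        ret = WOLFSSL_FATAL_ERROR;
    return ret;
}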
7211 | #endif
7213 | #undef ERROR_OUT
7215 | #endif /* !WOLFCRYPT_ONLY */
7217 | #endif /* WOLFSSL_TLS13 */