![(please configure the [header_logo] section in trac.ini)](/trac_user/contrib/chrome/site/your_project_logo.png){kind=logo}
Changeset 464 for azure_iot_hub_f767zi/trunk/wolfssl-4.7.0/src/internal.c
- Timestamp:
- Jun 22, 2021, 9:00:19 PM (3 years ago)
- Location:
- azure_iot_hub_f767zi/trunk/wolfssl-4.7.0
- Files:
-
- 1 edited
- 1 moved
-
. (moved) (moved from azure_iot_hub_f767zi/trunk/wolfssl-4.4.0 )
-
src/internal.c (modified) (419 diffs)
Legend:
- Unmodified
- Added
- Removed
-
azure_iot_hub_f767zi/trunk/wolfssl-4.7.0/src/internal.c
r457 r464 38 38 * certificates. This also allows loading intermediate CA's as trusted 39 39 * and ignoring no signer failures for CA's up the chain to root. 40 * WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT: 41 * Enable resending the previous DTLS handshake flight only on a network 42 * read timeout. By default we resend in two more cases, when we receive: 43 * - an out of order last msg of the peer's flight 44 * - a duplicate of the first msg from the peer's flight 45 * WOLFSSL_NO_DEF_TICKET_ENC_CB: 46 * No default ticket encryption callback. 47 * Server only. 48 * Application must set its own callback to use session tickets. 49 * WOLFSSL_TICKET_ENC_CHACHA20_POLY1305 50 * Use ChaCha20-Poly1305 to encrypt/decrypt session tickets in default 51 * callback. Default algorithm if none defined and algorithms compiled in. 52 * Server only. 53 * WOLFSSL_TICKET_ENC_AES128_GCM 54 * Use AES128-GCM to encrypt/decrypt session tickets in default callback. 55 * Server only. Default algorithm if ChaCha20/Poly1305 not compiled in. 56 * WOLFSSL_TICKET_ENC_AES256_GCM 57 * Use AES256-GCM to encrypt/decrypt session tickets in default callback. 58 * Server only. 59 * WOLFSSL_TICKET_DECRYPT_NO_CREATE 60 * Default callback will not request creation of new ticket on successful 61 * decryption. 62 * Server only. 40 63 */ 41 64 … … 73 96 defined(CHACHA_AEAD_TEST) || defined(WOLFSSL_SESSION_EXPORT_DEBUG) 74 97 #ifndef NO_STDIO_FILESYSTEM 75 #include <stdio.h> 98 #ifdef FUSION_RTOS 99 #include <fclstdio.h> 100 #else 101 #include <stdio.h> 102 #endif 76 103 #endif 77 104 #endif … … 125 152 static int SendHelloVerifyRequest(WOLFSSL*, const byte*, byte); 126 153 #endif /* WOLFSSL_DTLS */ 127 #endif 154 155 #endif /* !NO_WOLFSSL_SERVER */ 128 156 129 157 #endif /* !WOLFSSL_NO_TLS12 */ 158 159 #ifndef NO_WOLFSSL_SERVER 160 #if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) 161 static int TicketEncCbCtx_Init(WOLFSSL_CTX* ctx, 162 TicketEncCbCtx* keyCtx); 163 static void TicketEncCbCtx_Free(TicketEncCbCtx* keyCtx); 164 static int DefTicketEncCb(WOLFSSL* ssl, 165 byte key_name[WOLFSSL_TICKET_NAME_SZ], 166 byte iv[WOLFSSL_TICKET_IV_SZ], 167 byte mac[WOLFSSL_TICKET_MAC_SZ], 168 int enc, byte* ticket, int inLen, int* outLen, 169 void* userCtx); 170 #endif 171 #endif 130 172 131 173 #ifdef WOLFSSL_DTLS … … 162 204 #if !defined(NO_OLD_TLS) && !defined(WOLFSSL_AEAD_ONLY) 163 205 static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, 164 int padSz, int content, int verify );206 int padSz, int content, int verify, int epochOrder); 165 207 166 208 #endif … … 205 247 static WC_INLINE int IsEncryptionOn(WOLFSSL* ssl, int isSend) 206 248 { 207 (void)isSend;208 209 249 #ifdef WOLFSSL_DTLS 210 250 /* For DTLS, epoch 0 is always not encrypted. */ … … 213 253 #endif /* WOLFSSL_DTLS */ 214 254 215 #ifdef WOLFSSL_TLS13 216 if (isSend) 217 return ssl->encrypt.setup; 218 else 219 return ssl->decrypt.setup; 220 #else 221 return ssl->keys.encryptionOn; 222 #endif 255 return ssl->keys.encryptionOn && 256 (isSend ? ssl->encrypt.setup : ssl->decrypt.setup); 223 257 } 224 258 … … 229 263 static WC_INLINE int IsDtlsNotSctpMode(WOLFSSL* ssl) 230 264 { 231 int result = ssl->options.dtls;232 233 if (result) {234 265 #ifdef WOLFSSL_SCTP 235 result = !ssl->options.dtlsSctp; 236 #endif 237 } 238 239 return result; 266 return ssl->options.dtls && !ssl->options.dtlsSctp; 267 #else 268 return ssl->options.dtls; 269 #endif 240 270 } 241 271 #endif /* DTLS || !WOLFSSL_NO_TLS12 */ … … 363 393 { 364 394 (void)opaque; 365 return XMALLOC(item * size, opaque, DYNAMIC_TYPE_LIBZ);395 return (void *)XMALLOC(item * size, opaque, DYNAMIC_TYPE_LIBZ); 366 396 } 367 397 … … 641 671 } 642 672 643 static int ImportCipherSpecState(WOLFSSL* ssl, byte* exp, word32 len, byte ver)673 static int ImportCipherSpecState(WOLFSSL* ssl, const byte* exp, word32 len, byte ver) 644 674 { 645 675 word32 idx = 0; … … 678 708 679 709 680 static int ImportKeyState(WOLFSSL* ssl, byte* exp, word32 len, byte ver)710 static int ImportKeyState(WOLFSSL* ssl, const byte* exp, word32 len, byte ver) 681 711 { 682 712 word32 idx = 0; … … 911 941 exp[idx++] = options->createTicket; 912 942 exp[idx++] = options->useTicket; 943 exp[idx++] = options->noTicketTls12; 913 944 #ifdef WOLFSSL_TLS13 914 945 if (ver > DTLS_EXPORT_VERSION_3) { … … 974 1005 /* copy items from Export struct to Options struct 975 1006 * On success returns size of buffer used on failure returns a negative value */ 976 static int dtls_export_load(WOLFSSL* ssl, byte* exp, word32 len, byte ver)1007 static int dtls_export_load(WOLFSSL* ssl, const byte* exp, word32 len, byte ver) 977 1008 { 978 1009 int idx = 0; … … 1076 1107 options->createTicket = exp[idx++]; /* Server to create new Ticket */ 1077 1108 options->useTicket = exp[idx++]; /* Use Ticket not session cache */ 1109 options->noTicketTls12 = exp[idx++]; /* Server won't create new Ticket */ 1078 1110 #ifdef WOLFSSL_TLS13 1079 1111 if (ver > DTLS_EXPORT_VERSION_3) { … … 1156 1188 1157 1189 1158 static int ImportPeerInfo(WOLFSSL* ssl, byte* buf, word32 len, byte ver)1190 static int ImportPeerInfo(WOLFSSL* ssl, const byte* buf, word32 len, byte ver) 1159 1191 { 1160 1192 word16 idx = 0; … … 1358 1390 1359 1391 /* On success return amount of buffer consumed */ 1360 int wolfSSL_dtls_import_state_internal(WOLFSSL* ssl, byte* buf, word32 sz)1392 int wolfSSL_dtls_import_state_internal(WOLFSSL* ssl, const byte* buf, word32 sz) 1361 1393 { 1362 1394 word32 idx = 0; … … 1425 1457 1426 1458 WOLFSSL_LEAVE("wolfSSL_dtls_import_state_internal", ret); 1427 return ret;1459 return idx; 1428 1460 } 1429 1461 1430 1462 1431 1463 /* On success return amount of buffer consumed */ 1432 int wolfSSL_dtls_import_internal(WOLFSSL* ssl, byte* buf, word32 sz)1464 int wolfSSL_dtls_import_internal(WOLFSSL* ssl, const byte* buf, word32 sz) 1433 1465 { 1434 1466 word32 idx = 0; … … 1551 1583 1552 1584 SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE); 1553 1585 /* make sure is a valid suite used */ 1586 if (wolfSSL_get_cipher(ssl) == NULL) { 1587 WOLFSSL_MSG("Can not match cipher suite imported"); 1588 return MATCH_SUITE_ERROR; 1589 } 1590 1591 #ifndef WOLFSSL_AEAD_ONLY 1554 1592 /* set hmac function to use when verifying */ 1555 1593 if (ssl->options.tls == 1 || ssl->options.tls1_1 == 1 || 1556 1594 ssl->options.dtls == 1) { 1557 1595 ssl->hmac = TLS_hmac; 1558 }1559 1560 /* make sure is a valid suite used */1561 if (wolfSSL_get_cipher(ssl) == NULL) {1562 WOLFSSL_MSG("Can not match cipher suite imported");1563 return MATCH_SUITE_ERROR;1564 1596 } 1565 1597 … … 1570 1602 return SANITY_CIPHER_E; 1571 1603 } 1604 #endif /* !WOLFSSL_AEAD_ONLY */ 1572 1605 1573 1606 return idx; … … 1659 1692 return BAD_MUTEX_E; 1660 1693 } 1694 1695 #ifndef NO_CERTS 1696 ctx->privateKeyDevId = INVALID_DEVID; 1697 #endif 1661 1698 1662 1699 #ifndef NO_DH … … 1782 1819 1783 1820 #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) 1821 #ifndef WOLFSSL_NO_DEF_TICKET_ENC_CB 1822 ret = TicketEncCbCtx_Init(ctx, &ctx->ticketKeyCtx); 1823 if (ret != 0) return ret; 1824 ctx->ticketEncCb = DefTicketEncCb; 1825 ctx->ticketEncCtx = (void*)&ctx->ticketKeyCtx; 1826 #endif 1784 1827 ctx->ticketHint = SESSION_TICKET_HINT_DEFAULT; 1785 1828 #endif … … 1791 1834 #ifdef WOLFSSL_EARLY_DATA 1792 1835 ctx->maxEarlyDataSz = MAX_EARLY_DATA_SZ; 1836 #endif 1837 1838 #if defined(WOLFSSL_TLS13) && !defined(HAVE_SUPPORTED_CURVES) 1839 ctx->noPskDheKe = 1; 1793 1840 #endif 1794 1841 … … 1848 1895 #ifdef KEEP_OUR_CERT 1849 1896 if (ctx->ourCert && ctx->ownOurCert) { 1850 FreeX509(ctx->ourCert); 1851 XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); 1897 wolfSSL_X509_free(ctx->ourCert); 1852 1898 ctx->ourCert = NULL; 1853 1899 } … … 1857 1903 ctx->cm = NULL; 1858 1904 #ifdef OPENSSL_EXTRA 1859 /* ctx->cm was free'd so cm of x509 store should now be NULL */1860 if (ctx->x509_store_pt != NULL) {1861 ctx->x509_store_pt->cm = NULL;1862 }1863 1905 wolfSSL_X509_STORE_free(ctx->x509_store_pt); 1864 1906 while (ctx->ca_names != NULL) { … … 1870 1912 #endif 1871 1913 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) 1872 while (ctx->x509Chain != NULL) { 1873 WOLFSSL_STACK *next = ctx->x509Chain->next; 1874 wolfSSL_X509_free(ctx->x509Chain->data.x509); 1875 XFREE(ctx->x509Chain, NULL, DYNAMIC_TYPE_OPENSSL); 1876 ctx->x509Chain = next; 1914 if (ctx->x509Chain) { 1915 wolfSSL_sk_X509_free(ctx->x509Chain); 1916 ctx->x509Chain = NULL; 1877 1917 } 1878 1918 #endif … … 1908 1948 ctx->alpn_cli_protos = NULL; 1909 1949 } 1950 #endif 1951 #ifdef WOLFSSL_STATIC_EPHEMERAL 1952 #ifndef NO_DH 1953 if (ctx->staticKE.dhKey) 1954 FreeDer(&ctx->staticKE.dhKey); 1955 #endif 1956 #ifdef HAVE_ECC 1957 if (ctx->staticKE.ecKey) 1958 FreeDer(&ctx->staticKE.ecKey); 1959 #endif 1910 1960 #endif 1911 1961 #ifdef WOLFSSL_STATIC_MEMORY … … 1943 1993 WOLFSSL_MSG("CTX ref count down to 0, doing full free"); 1944 1994 SSL_CtxResourceFree(ctx); 1995 #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) && \ 1996 !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) 1997 TicketEncCbCtx_Free(&ctx->ticketKeyCtx); 1998 #endif 1945 1999 wc_FreeMutex(&ctx->countMutex); 1946 2000 #ifdef WOLFSSL_STATIC_MEMORY … … 3334 3388 #ifndef NO_CERTS 3335 3389 3336 void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag )3390 void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag, void* heap) 3337 3391 { 3338 3392 (void)dynamicFlag; 3393 (void)heap; 3339 3394 3340 3395 if (name != NULL) { … … 3342 3397 name->dynamicName = 0; 3343 3398 name->sz = 0; 3399 name->heap = heap; 3344 3400 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) 3345 XMEMSET(&name->fullName, 0, sizeof(DecodedName)); 3346 XMEMSET(&name->cnEntry, 0, sizeof(WOLFSSL_X509_NAME_ENTRY)); 3347 XMEMSET(&name->extra, 0, sizeof(name->extra)); 3348 name->cnEntry.value = &(name->cnEntry.data); /* point to internal data*/ 3349 name->cnEntry.nid = ASN_COMMON_NAME; 3401 XMEMSET(name->entry, 0, sizeof(name->entry)); 3350 3402 name->x509 = NULL; 3403 name->entrySz = 0; 3351 3404 #endif /* OPENSSL_EXTRA */ 3352 3405 } … … 3354 3407 3355 3408 3356 void FreeX509Name(WOLFSSL_X509_NAME* name , void* heap)3409 void FreeX509Name(WOLFSSL_X509_NAME* name) 3357 3410 { 3358 3411 if (name != NULL) { 3359 3412 if (name->dynamicName) { 3360 XFREE(name->name, heap, DYNAMIC_TYPE_SUBJECT_CN);3413 XFREE(name->name, name->heap, DYNAMIC_TYPE_SUBJECT_CN); 3361 3414 name->name = NULL; 3362 3415 } … … 3364 3417 { 3365 3418 int i; 3366 if (name->fullName.fullName != NULL) {3367 XFREE(name->fullName.fullName, heap, DYNAMIC_TYPE_X509);3368 name->fullName.fullName = NULL;3369 }3370 3419 for (i = 0; i < MAX_NAME_ENTRIES; i++) { 3371 /* free ASN1 string data */3372 if (name->extra[i].set && name->extra[i].data.data != NULL) {3373 XFREE(name->extra[i].data.data, heap, DYNAMIC_TYPE_OPENSSL);3420 if (name->entry[i].set) { 3421 wolfSSL_ASN1_OBJECT_free(name->entry[i].object); 3422 wolfSSL_ASN1_STRING_free(name->entry[i].value); 3374 3423 } 3375 3424 } 3376 wolfSSL_ASN1_OBJECT_free(&name->cnEntry.object);3377 3425 } 3378 3426 #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ 3379 3427 } 3380 (void)heap;3381 3428 } 3382 3429 … … 3393 3440 3394 3441 x509->heap = heap; 3395 InitX509Name(&x509->issuer, 0 );3396 InitX509Name(&x509->subject, 0 );3442 InitX509Name(&x509->issuer, 0, heap); 3443 InitX509Name(&x509->subject, 0, heap); 3397 3444 x509->dynamicMemory = (byte)dynamicFlag; 3398 3445 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) … … 3409 3456 return; 3410 3457 3411 FreeX509Name(&x509->issuer , x509->heap);3412 FreeX509Name(&x509->subject , x509->heap);3458 FreeX509Name(&x509->issuer); 3459 FreeX509Name(&x509->subject); 3413 3460 if (x509->pubKey.buffer) { 3414 3461 XFREE(x509->pubKey.buffer, x509->heap, DYNAMIC_TYPE_PUBLIC_KEY); … … 3434 3481 wolfSSL_sk_X509_EXTENSION_free(x509->ext_sk); 3435 3482 } 3483 if (x509->ext_sk_full != NULL) { 3484 wolfSSL_sk_X509_EXTENSION_free(x509->ext_sk_full); 3485 } 3436 3486 #endif /* OPENSSL_ALL || WOLFSSL_QT */ 3437 3487 #ifdef OPENSSL_EXTRA … … 3460 3510 } 3461 3511 #endif /* OPENSSL_ALL */ 3512 #if defined(WOLFSSL_CERT_REQ) && defined(OPENSSL_ALL) 3513 if (x509->challengePwAttr) { 3514 wolfSSL_X509_ATTRIBUTE_free(x509->challengePwAttr); 3515 } 3516 #endif /* WOLFSSL_CERT_REQ */ 3462 3517 if (x509->altNames) { 3463 3518 FreeAltNames(x509->altNames, x509->heap); … … 3571 3626 #ifndef NO_RSA 3572 3627 #ifndef WOLFSSL_NO_TLS12 3573 #if !defined(NO_WOLFSSL_SERVER) || (!defined(NO_WOLFSSL_CLIENT) && \ 3574 !defined(WOLFSSL_NO_CLIENT_AUTH)) 3628 #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT) 3575 3629 static int TypeHash(int hashAlgo) 3576 3630 { … … 4257 4311 #endif 4258 4312 { 4259 ret = wc_ecc_shared_secret(priv_key, pub_key, out, outlen); 4313 #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \ 4314 (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \ 4315 !defined(HAVE_SELFTEST) 4316 ret = wc_ecc_set_rng(priv_key, ssl->rng); 4317 if (ret == 0) 4318 #endif 4319 ret = wc_ecc_shared_secret(priv_key, pub_key, out, outlen); 4260 4320 } 4261 4321 … … 4288 4348 4289 4349 /* get key size */ 4290 if (peer == NULL ) {4350 if (peer == NULL || peer->dp == NULL) { 4291 4351 keySz = ssl->eccTempKeySz; 4292 4352 } 4293 4353 else { 4294 4354 keySz = peer->dp->size; 4355 ecc_curve = peer->dp->id; 4295 4356 } 4296 4357 … … 5259 5320 ssl->ctx = ctx; /* only for passing to calls, options could change */ 5260 5321 ssl->version = ctx->method->version; 5322 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) 5323 ssl->options.mask = ctx->mask; 5324 #endif 5325 #ifdef OPENSSL_EXTRA 5326 if (ssl->version.minor == TLSv1_3_MINOR && 5327 (ssl->options.mask & SSL_OP_NO_TLSv1_3) == SSL_OP_NO_TLSv1_3) { 5328 if (!ctx->method->downgrade) { 5329 WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.3 set but not " 5330 "allowed and downgrading disabled."); 5331 return VERSION_ERROR; 5332 } 5333 WOLFSSL_MSG("\tOption set to not allow TLSv1.3, Downgrading"); 5334 ssl->version.minor = TLSv1_2_MINOR; 5335 } 5336 if (ssl->version.minor == TLSv1_2_MINOR && 5337 (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { 5338 if (!ctx->method->downgrade) { 5339 WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.2 set but not " 5340 "allowed and downgrading disabled."); 5341 return VERSION_ERROR; 5342 } 5343 WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading"); 5344 ssl->version.minor = TLSv1_1_MINOR; 5345 } 5346 if (ssl->version.minor == TLSv1_1_MINOR && 5347 (ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { 5348 if (!ctx->method->downgrade) { 5349 WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.1 set but not " 5350 "allowed and downgrading disabled."); 5351 return VERSION_ERROR; 5352 } 5353 WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading"); 5354 ssl->options.tls1_1 = 0; 5355 ssl->version.minor = TLSv1_MINOR; 5356 } 5357 if (ssl->version.minor == TLSv1_MINOR && 5358 (ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { 5359 if (!ctx->method->downgrade) { 5360 WOLFSSL_MSG("\tInconsistent protocol options. TLS 1 set but not " 5361 "allowed and downgrading disabled."); 5362 return VERSION_ERROR; 5363 } 5364 WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading"); 5365 ssl->options.tls = 0; 5366 ssl->options.tls1_1 = 0; 5367 ssl->version.minor = SSLv3_MINOR; 5368 } 5369 if (ssl->version.minor == SSLv3_MINOR && 5370 (ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { 5371 WOLFSSL_MSG("\tError, option set to not allow SSLv3"); 5372 return VERSION_ERROR; 5373 } 5374 5375 if (ssl->version.minor < ssl->options.minDowngrade) { 5376 WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); 5377 return VERSION_ERROR; 5378 } 5379 #endif 5261 5380 5262 5381 #ifdef HAVE_ECC … … 5269 5388 5270 5389 #ifdef OPENSSL_EXTRA 5271 ssl->options.mask = ctx->mask;5272 5390 ssl->CBIS = ctx->CBIS; 5273 5391 #endif … … 5285 5403 5286 5404 #ifndef NO_PSK 5287 ssl->options.havePSK = ctx->havePSK;5405 ssl->options.havePSK = ctx->havePSK; 5288 5406 ssl->options.client_psk_cb = ctx->client_psk_cb; 5289 5407 ssl->options.server_psk_cb = ctx->server_psk_cb; 5408 ssl->options.psk_ctx = ctx->psk_ctx; 5290 5409 #ifdef WOLFSSL_TLS13 5291 5410 ssl->options.client_psk_tls13_cb = ctx->client_psk_tls13_cb; … … 5350 5469 ssl->buffers.keyType = ctx->privateKeyType; 5351 5470 ssl->buffers.keyId = ctx->privateKeyId; 5471 ssl->buffers.keyLabel = ctx->privateKeyLabel; 5352 5472 ssl->buffers.keySz = ctx->privateKeySz; 5353 5473 ssl->buffers.keyDevId = ctx->privateKeyDevId; … … 5391 5511 } 5392 5512 } /* writeDup check */ 5513 5514 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) 5515 if (ctx->mask != 0 && wolfSSL_set_options(ssl, ctx->mask) == 0) { 5516 WOLFSSL_MSG("wolfSSL_set_options error"); 5517 return BAD_FUNC_ARG; 5518 } 5519 #endif 5393 5520 5394 5521 #ifdef WOLFSSL_SESSION_EXPORT … … 5687 5814 #endif 5688 5815 5816 #if defined(WOLFSSL_OPENVPN) && defined(HAVE_KEYING_MATERIAL) 5817 /* Save arrays by default for OpenVPN */ 5818 ssl->options.saveArrays = 1; 5819 #endif 5689 5820 5690 5821 ssl->cipher.ssl = ssl; … … 5695 5826 ssl->options.useClientOrder = ctx->useClientOrder; 5696 5827 ssl->options.mutualAuth = ctx->mutualAuth; 5828 5829 #ifdef WOLFSSL_STATIC_EPHEMERAL 5830 ssl->staticKE = ctx->staticKE; 5831 #endif 5697 5832 5698 5833 #ifdef WOLFSSL_TLS13 … … 5871 6006 5872 6007 #ifdef HAVE_SESSION_TICKET 6008 ssl->options.noTicketTls12 = ctx->noTicketTls12; 5873 6009 ssl->session.ticket = ssl->session.staticTicket; 5874 6010 #endif … … 6045 6181 6046 6182 /* Allocate memory for key */ 6047 *pKey = XMALLOC(sz, ssl->heap, type);6183 *pKey = (void *)XMALLOC(sz, ssl->heap, type); 6048 6184 if (*pKey == NULL) { 6049 6185 return MEMORY_E; … … 6192 6328 ssl->async.freeArgs = NULL; 6193 6329 } 6330 FreeBuildMsgArgs(ssl, &ssl->async.buildArgs); 6194 6331 #endif 6195 6332 } … … 6289 6426 #endif /* WOLFSSL_DTLS */ 6290 6427 #ifdef OPENSSL_EXTRA 6428 #ifndef NO_BIO 6291 6429 if (ssl->biord != ssl->biowr) /* only free write if different */ 6292 6430 wolfSSL_BIO_free(ssl->biowr); … … 6294 6432 ssl->biowr = NULL; 6295 6433 ssl->biord = NULL; 6434 #endif 6296 6435 #endif 6297 6436 #ifdef HAVE_LIBZ … … 6424 6563 } 6425 6564 #endif 6565 #ifdef WOLFSSL_STATIC_EPHEMERAL 6566 #ifndef NO_DH 6567 if (ssl->staticKE.dhKey && ssl->staticKE.dhKey != ssl->ctx->staticKE.dhKey) 6568 FreeDer(&ssl->staticKE.dhKey); 6569 #endif 6570 #ifdef HAVE_ECC 6571 if (ssl->staticKE.ecKey && ssl->staticKE.ecKey != ssl->ctx->staticKE.ecKey) 6572 FreeDer(&ssl->staticKE.ecKey); 6573 #endif 6574 #endif 6426 6575 6427 6576 #ifdef WOLFSSL_STATIC_MEMORY … … 6471 6620 void FreeHandshakeResources(WOLFSSL* ssl) 6472 6621 { 6622 WOLFSSL_ENTER("FreeHandshakeResources"); 6623 6624 #ifdef WOLFSSL_DTLS 6625 /* DTLS_POOL */ 6626 if (ssl->options.dtls) { 6627 DtlsMsgPoolReset(ssl); 6628 DtlsMsgListDelete(ssl->dtls_rx_msg_list, ssl->heap); 6629 ssl->dtls_rx_msg_list = NULL; 6630 ssl->dtls_rx_msg_list_sz = 0; 6631 } 6632 #endif 6473 6633 6474 6634 #ifdef HAVE_SECURE_RENEGOTIATION … … 6515 6675 } 6516 6676 } 6517 6518 #ifdef WOLFSSL_DTLS6519 /* DTLS_POOL */6520 if (ssl->options.dtls) {6521 DtlsMsgPoolReset(ssl);6522 DtlsMsgListDelete(ssl->dtls_rx_msg_list, ssl->heap);6523 ssl->dtls_rx_msg_list = NULL;6524 ssl->dtls_rx_msg_list_sz = 0;6525 }6526 #endif6527 6677 6528 6678 #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \ … … 6566 6716 #ifdef HAVE_ECC 6567 6717 dtype = DYNAMIC_TYPE_ECC; 6718 #elif defined(HAVE_CURVE25519) 6719 dtype = DYNAMIC_TYPE_CURVE25519; 6720 #else 6721 dtype = DYNAMIC_TYPE_CURVE448; 6568 6722 #endif 6569 #ifdef HAVE_CURVE25519 6570 #ifdef HAVE_ECC 6723 #if defined(HAVE_ECC) && defined(HAVE_CURVE25519) 6571 6724 if (ssl->peerX25519KeyPresent || 6572 6725 ssl->eccTempKeyPresent == DYNAMIC_TYPE_CURVE25519) 6573 #endif /* HAVE_ECC */6574 6726 { 6575 6727 dtype = DYNAMIC_TYPE_CURVE25519; 6576 6728 } 6577 #endif /* HAVE_CURVE25519 */6578 #if def HAVE_CURVE4486579 #ifdef HAVE_ECC6729 #endif 6730 #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519)) && \ 6731 defined(HAVE_CURVE448) 6580 6732 if (ssl->peerX448KeyPresent || 6581 6733 ssl->eccTempKeyPresent == DYNAMIC_TYPE_CURVE448) 6582 #endif /* HAVE_ECC */6583 6734 { 6584 6735 dtype = DYNAMIC_TYPE_CURVE448; 6585 6736 } 6586 #endif /* HAVE_CURVE448 */6737 #endif 6587 6738 FreeKey(ssl, dtype, (void**)&ssl->eccTempKey); 6588 6739 ssl->eccTempKeyPresent = 0; … … 6701 6852 6702 6853 #if !defined(NO_OLD_TLS) || defined(WOLFSSL_DTLS) || \ 6854 !defined(WOLFSSL_NO_TLS12) || \ 6703 6855 ((defined(HAVE_CHACHA) || defined(HAVE_AESCCM) || defined(HAVE_AESGCM)) \ 6704 6856 && defined(HAVE_AEAD)) … … 6730 6882 static WC_INLINE void DtlsGetSEQ(WOLFSSL* ssl, int order, word32 seq[2]) 6731 6883 { 6884 #ifdef HAVE_SECURE_RENEGOTIATION 6885 order = DtlsCheckOrder(ssl, order); 6886 #endif 6732 6887 if (order == PREV_ORDER) { 6733 6888 /* Previous epoch case */ … … 6775 6930 { 6776 6931 word32 seq; 6932 #ifdef HAVE_SECURE_RENEGOTIATION 6933 order = DtlsCheckOrder(ssl, order); 6934 #endif 6777 6935 6778 6936 if (order == PREV_ORDER) { … … 6801 6959 6802 6960 #if defined(WOLFSSL_DTLS) || !defined(WOLFSSL_NO_TLS12) 6803 static WC_INLINEvoid WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out)6961 void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out) 6804 6962 { 6805 6963 word32 seq[2] = {0, 0}; … … 6818 6976 } 6819 6977 #endif /* WOLFSSL_DTLS || !WOLFSSL_NO_TLS12 */ 6820 #endif /* !NO_OLD_TLS || WOLFSSL_DTLS || 6978 #endif /* !NO_OLD_TLS || WOLFSSL_DTLS || !WOLFSSL_NO_TLS12 || 6821 6979 * ((HAVE_CHACHA || HAVE_AESCCM || HAVE_AESGCM) && HAVE_AEAD) */ 6822 6980 … … 6833 6991 { 6834 6992 DtlsMsg* msg; 6993 WOLFSSL_ENTER("DtlsMsgNew()"); 6835 6994 6836 6995 (void)heap; … … 6858 7017 { 6859 7018 (void)heap; 7019 WOLFSSL_ENTER("DtlsMsgDelete()"); 6860 7020 6861 7021 if (item != NULL) { … … 6876 7036 { 6877 7037 DtlsMsg* next; 7038 WOLFSSL_ENTER("DtlsMsgListDelete()"); 6878 7039 while (head) { 6879 7040 next = head->next; … … 6883 7044 } 6884 7045 7046 /** 7047 * Drop messages when they are no longer going to be retransmitted 7048 */ 7049 void DtlsTxMsgListClean(WOLFSSL* ssl) 7050 { 7051 DtlsMsg* head = ssl->dtls_tx_msg_list; 7052 DtlsMsg* next; 7053 WOLFSSL_ENTER("DtlsTxMsgListClean()"); 7054 while (head) { 7055 next = head->next; 7056 if (VerifyForTxDtlsMsgDelete(ssl, head)) 7057 DtlsMsgDelete(head, ssl->heap); 7058 else 7059 /* Stored packets should be in order so break on first failed 7060 * verify */ 7061 break; 7062 ssl->dtls_tx_msg_list_sz--; 7063 /* Reset timer as deleting a node means that state has progressed */ 7064 ssl->dtls_timeout = ssl->dtls_timeout_init; 7065 head = next; 7066 } 7067 ssl->dtls_tx_msg_list = head; 7068 } 6885 7069 6886 7070 /* Create a DTLS Fragment from *begin - end, adjust new *begin and bytesLeft */ … … 6890 7074 DtlsFrag* newFrag; 6891 7075 word32 added = end - *begin + 1; 7076 7077 WOLFSSL_ENTER("CreateFragment()"); 6892 7078 6893 7079 (void)heap; … … 6908 7094 6909 7095 6910 int DtlsMsgSet(DtlsMsg* msg, word32 seq, const byte* data, byte type,7096 int DtlsMsgSet(DtlsMsg* msg, word32 seq, word16 epoch, const byte* data, byte type, 6911 7097 word32 fragOffset, word32 fragSz, void* heap) 6912 7098 { 7099 WOLFSSL_ENTER("DtlsMsgSet()"); 6913 7100 if (msg != NULL && data != NULL && msg->fragSz <= msg->sz && 6914 7101 (fragOffset + fragSz) <= msg->sz) { … … 6921 7108 6922 7109 msg->seq = seq; 7110 msg->epoch = epoch; 6923 7111 msg->type = type; 6924 7112 … … 7009 7197 7010 7198 7011 DtlsMsg* DtlsMsgFind(DtlsMsg* head, word32 seq)7199 DtlsMsg* DtlsMsgFind(DtlsMsg* head, word32 epoch, word32 seq) 7012 7200 { 7013 while (head != NULL && head->seq != seq) { 7201 WOLFSSL_ENTER("DtlsMsgFind()"); 7202 while (head != NULL && !(head->epoch == epoch && head->seq == seq)) { 7014 7203 head = head->next; 7015 7204 } … … 7018 7207 7019 7208 7020 void DtlsMsgStore(WOLFSSL* ssl, word32 seq, const byte* data,7209 void DtlsMsgStore(WOLFSSL* ssl, word32 epoch, word32 seq, const byte* data, 7021 7210 word32 dataSz, byte type, word32 fragOffset, word32 fragSz, void* heap) 7022 7211 { … … 7039 7228 7040 7229 DtlsMsg* head = ssl->dtls_rx_msg_list; 7230 WOLFSSL_ENTER("DtlsMsgStore()"); 7041 7231 7042 7232 if (head != NULL) { 7043 DtlsMsg* cur = DtlsMsgFind(head, seq);7233 DtlsMsg* cur = DtlsMsgFind(head, epoch, seq); 7044 7234 if (cur == NULL) { 7045 7235 cur = DtlsMsgNew(dataSz, heap); 7046 7236 if (cur != NULL) { 7047 if (DtlsMsgSet(cur, seq, data, type,7048 7237 if (DtlsMsgSet(cur, seq, epoch, data, type, 7238 fragOffset, fragSz, heap) < 0) { 7049 7239 DtlsMsgDelete(cur, heap); 7050 7240 } … … 7057 7247 else { 7058 7248 /* If this fails, the data is just dropped. */ 7059 DtlsMsgSet(cur, seq, data, type, fragOffset, fragSz, heap); 7249 DtlsMsgSet(cur, seq, epoch, data, type, fragOffset, 7250 fragSz, heap); 7060 7251 } 7061 7252 } 7062 7253 else { 7063 7254 head = DtlsMsgNew(dataSz, heap); 7064 if (DtlsMsgSet(head, seq, data, type, fragOffset, fragSz, heap) < 0) { 7255 if (DtlsMsgSet(head, seq, epoch, data, type, fragOffset, 7256 fragSz, heap) < 0) { 7065 7257 DtlsMsgDelete(head, heap); 7066 7258 head = NULL; … … 7078 7270 DtlsMsg* DtlsMsgInsert(DtlsMsg* head, DtlsMsg* item) 7079 7271 { 7080 if (head == NULL || item->seq < head->seq) { 7272 WOLFSSL_ENTER("DtlsMsgInsert()"); 7273 if (head == NULL || (item->epoch <= head->epoch && 7274 item->seq < head->seq)) { 7081 7275 item->next = head; 7082 7276 head = item; … … 7089 7283 DtlsMsg* prev = head; 7090 7284 while (cur) { 7091 if (item->seq < cur->seq) { 7285 if (item->epoch <= cur->epoch && 7286 item->seq < cur->seq) { 7092 7287 item->next = cur; 7093 7288 prev->next = item; … … 7106 7301 7107 7302 7108 /* DtlsMsgPoolSave() adds the message to the end of the stored transmit list. */ 7109 int DtlsMsgPoolSave(WOLFSSL* ssl, const byte* data, word32 dataSz) 7303 /** 7304 * DtlsMsgPoolSave() adds the message to the end of the stored transmit 7305 * list. Must be called BEFORE BuildMessage or DtlsSEQIncrement or 7306 * anything else that increments ssl->keys.dtls_handshake_number. 7307 */ 7308 int DtlsMsgPoolSave(WOLFSSL* ssl, const byte* data, word32 dataSz, 7309 enum HandShakeType type) 7110 7310 { 7111 7311 DtlsMsg* item; … … 7126 7326 XMEMCPY(item->buf, data, dataSz); 7127 7327 item->sz = dataSz; 7128 item->seq = ssl->keys.dtls_epoch; 7328 item->epoch = ssl->keys.dtls_epoch; 7329 item->seq = ssl->keys.dtls_handshake_number; 7330 item->type = type; 7129 7331 7130 7332 if (cur == NULL) … … 7149 7351 { 7150 7352 int result = -1; 7353 WOLFSSL_ENTER("DtlsMsgPoolTimeout()"); 7151 7354 if (ssl->dtls_timeout < ssl->dtls_timeout_max) { 7152 7355 ssl->dtls_timeout *= DTLS_TIMEOUT_MULTIPLIER; … … 7168 7371 ssl->dtls_tx_msg = NULL; 7169 7372 ssl->dtls_tx_msg_list_sz = 0; 7170 ssl->dtls_timeout = ssl->dtls_timeout_init;7171 }7373 } 7374 ssl->dtls_timeout = ssl->dtls_timeout_init; 7172 7375 } 7173 7376 … … 7186 7389 ((!ssl->options.verifyPeer) && (type == client_key_exchange)))) || 7187 7390 ((ssl->options.side == WOLFSSL_CLIENT_END) && 7188 (type == server_hello)))); 7391 (type == hello_request || type == server_hello)))); 7392 } 7393 7394 7395 /** 7396 * Verify if message `item` from `ssl->dtls_tx_msg_list` should be deleted 7397 * depending on the current state of the handshake negotiation. 7398 */ 7399 int VerifyForTxDtlsMsgDelete(WOLFSSL* ssl, DtlsMsg* item) 7400 { 7401 WOLFSSL_ENTER("VerifyForTxDtlsMsgDelete()"); 7402 if (item->epoch < ssl->keys.dtls_epoch - 1) 7403 /* Messages not from current or previous epoch can be deleted */ 7404 return 1; 7405 switch (ssl->options.side) { 7406 case WOLFSSL_CLIENT_END: 7407 if (item->type == client_hello && 7408 ssl->options.serverState >= SERVER_HELLODONE_COMPLETE) 7409 return 1; /* client can forget first client_hello if received full 7410 * flight of packets from server */ 7411 else 7412 return 0; 7413 case WOLFSSL_SERVER_END: 7414 if (ssl->options.clientState >= CLIENT_HELLO_COMPLETE && 7415 item->type == hello_request) 7416 return 1; /* Server can forget HelloRequest if client sent a valid 7417 * ClientHello */ 7418 if (ssl->options.clientState >= CLIENT_FINISHED_COMPLETE && 7419 item->type <= server_hello_done) 7420 return 1; /* server can forget everything up to ServerHelloDone if 7421 * a client finished message has been received and 7422 * successfully processed */ 7423 else 7424 return 0; 7425 default: 7426 return 0; 7427 } 7189 7428 } 7190 7429 … … 7196 7435 int ret = 0; 7197 7436 DtlsMsg* pool; 7437 int epochOrder; 7198 7438 7199 7439 WOLFSSL_ENTER("DtlsMsgPoolSend()"); … … 7203 7443 if (pool != NULL) { 7204 7444 if ((ssl->options.side == WOLFSSL_SERVER_END && 7205 !(ssl->options.acceptState == SERVER_HELLO_DONE || 7445 !(ssl->options.acceptState == ACCEPT_BEGIN_RENEG || 7446 ssl->options.acceptState == SERVER_HELLO_DONE || 7206 7447 ssl->options.acceptState == ACCEPT_FINISHED_DONE || 7207 7448 ssl->options.acceptState == ACCEPT_THIRD_REPLY_DONE)) || … … 7218 7459 7219 7460 while (pool != NULL) { 7220 if (pool-> seq== 0) {7461 if (pool->epoch == 0) { 7221 7462 DtlsRecordLayerHeader* dtls; 7222 int epochOrder;7223 7463 7224 7464 dtls = (DtlsRecordLayerHeader*)pool->buf; … … 7238 7478 } 7239 7479 7240 XMEMCPY(ssl->buffers.outputBuffer.buffer, 7480 XMEMCPY(ssl->buffers.outputBuffer.buffer + 7481 ssl->buffers.outputBuffer.idx + 7482 ssl->buffers.outputBuffer.length, 7241 7483 pool->buf, pool->sz); 7242 ssl->buffers.outputBuffer. idx = 0;7243 ssl->buffers.outputBuffer.length = pool->sz;7244 }7245 else if (pool->seq == ssl->keys.dtls_epoch) {7484 ssl->buffers.outputBuffer.length += pool->sz; 7485 } 7486 else { 7487 /* Handle sending packets from previous epoch */ 7246 7488 byte* input; 7247 7489 byte* output; … … 7251 7493 inputSz = pool->sz; 7252 7494 sendSz = inputSz + MAX_MSG_EXTRA; 7495 7496 #ifdef HAVE_SECURE_RENEGOTIATION 7497 /* 7498 * CUR_ORDER will use ssl->secure_renegotiation from epoch 2+. 7499 * ssl->keys otherwise 7500 * PREV_ORDER will always use ssl->keys 7501 */ 7502 if (DtlsSCRKeysSet(ssl)) { 7503 if (pool->epoch == ssl->secure_renegotiation->tmp_keys.dtls_epoch) 7504 epochOrder = CUR_ORDER; 7505 else 7506 epochOrder = PREV_ORDER; 7507 } 7508 else { 7509 epochOrder = CUR_ORDER; 7510 } 7511 #else 7512 epochOrder = CUR_ORDER; 7513 #endif 7514 7253 7515 7254 7516 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) { … … 7259 7521 output = ssl->buffers.outputBuffer.buffer + 7260 7522 ssl->buffers.outputBuffer.length; 7261 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 7262 handshake, 0, 0, 0); 7523 if (inputSz != ENUM_LEN) 7524 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 7525 handshake, 0, 0, 0, epochOrder); 7526 else 7527 /* inputSz == ENUM_LEN must mean that this is a change cipher 7528 * spec message */ 7529 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 7530 change_cipher_spec, 0, 0, 0, epochOrder); 7531 7263 7532 if (sendSz < 0) { 7264 7533 WOLFSSL_ERROR(BUILD_MSG_ERROR); … … 7269 7538 } 7270 7539 7271 ret = SendBuffered(ssl); 7272 if (ret < 0) { 7273 WOLFSSL_ERROR(ret); 7274 return ret; 7275 } 7540 7541 if (!ssl->options.groupMessages) 7542 ret = SendBuffered(ssl); 7276 7543 7277 7544 /** … … 7284 7551 */ 7285 7552 if (sendOnlyFirstPacket && 7286 ssl->options.side == WOLFSSL_SERVER_END) { 7287 7553 ssl->options.side == WOLFSSL_SERVER_END) 7288 7554 pool = NULL; 7289 }7290 7555 else 7291 7556 pool = pool->next; 7292 7557 ssl->dtls_tx_msg = pool; 7293 7558 } 7559 7560 if (ret == 0 && ssl->options.groupMessages) 7561 ret = SendBuffered(ssl); 7294 7562 } 7295 7563 … … 7398 7666 word32 LowResTimer(void) 7399 7667 { 7400 const uint32_tsystemTickTimeInHz = 1000000 / systemTickInMicroseconds();7401 uint32_t*systemTickPtr = systemTickPointer();7668 const word32 systemTickTimeInHz = 1000000 / systemTickInMicroseconds(); 7669 word32 *systemTickPtr = systemTickPointer(); 7402 7670 7403 7671 return (word32) *systemTickPtr/systemTickTimeInHz; … … 7543 7811 { 7544 7812 return k_uptime_get() / 1000; 7813 } 7814 7815 #elif defined(WOLFSSL_LINUXKM) 7816 #include <linux/time.h> 7817 #include <linux/ktime.h> 7818 word32 LowResTimer(void) 7819 { 7820 return (word32)ktime_get_real_ns(); 7545 7821 } 7546 7822 … … 7590 7866 #endif /* (HAVE_ED25519 || HAVE_ED448) && !WOLFSSL_NO_CLIENT_AUTH */ 7591 7867 7592 #ifndef NO_CERTS 7593 int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz) 7868 int HashRaw(WOLFSSL* ssl, const byte* data, int sz) 7594 7869 { 7595 7870 int ret = 0; 7596 7871 7597 (void) output;7872 (void)data; 7598 7873 (void)sz; 7599 7874 7600 if (ssl->hsHashes == NULL) 7875 if (ssl->hsHashes == NULL) { 7601 7876 return BAD_FUNC_ARG; 7602 7603 #ifdef HAVE_FUZZER 7604 if (ssl->fuzzerCb) 7605 ssl->fuzzerCb(ssl, output, sz, FUZZ_HASH, ssl->fuzzerCtx); 7606 #endif 7877 } 7878 7607 7879 #ifndef NO_OLD_TLS 7608 7880 #ifndef NO_SHA 7609 wc_ShaUpdate(&ssl->hsHashes->hashSha, output, sz);7881 wc_ShaUpdate(&ssl->hsHashes->hashSha, data, sz); 7610 7882 #endif 7611 7883 #ifndef NO_MD5 7612 wc_Md5Update(&ssl->hsHashes->hashMd5, output, sz);7884 wc_Md5Update(&ssl->hsHashes->hashMd5, data, sz); 7613 7885 #endif 7614 7886 #endif /* NO_OLD_TLS */ … … 7616 7888 if (IsAtLeastTLSv1_2(ssl)) { 7617 7889 #ifndef NO_SHA256 7618 ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, output, sz);7890 ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, data, sz); 7619 7891 if (ret != 0) 7620 7892 return ret; 7621 7893 #endif 7622 7894 #ifdef WOLFSSL_SHA384 7623 ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, output, sz);7895 ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, data, sz); 7624 7896 if (ret != 0) 7625 7897 return ret; 7626 7898 #endif 7627 7899 #ifdef WOLFSSL_SHA512 7628 ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, output, sz);7900 ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, data, sz); 7629 7901 if (ret != 0) 7630 7902 return ret; … … 7633 7905 ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \ 7634 7906 (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH))) 7635 ret = EdDSA_Update(ssl, output, sz);7907 ret = EdDSA_Update(ssl, data, sz); 7636 7908 if (ret != 0) 7637 7909 return ret; … … 7641 7913 return ret; 7642 7914 } 7643 #endif /* NO_CERTS */7644 7645 7915 7646 7916 /* add output to md5 and sha handshake hashes, exclude record header */ 7647 7917 int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz) 7648 7918 { 7649 int ret = 0;7650 7919 const byte* adj; 7651 7920 … … 7666 7935 } 7667 7936 #endif 7668 #ifndef NO_OLD_TLS 7669 #ifndef NO_SHA 7670 wc_ShaUpdate(&ssl->hsHashes->hashSha, adj, sz); 7671 #endif 7672 #ifndef NO_MD5 7673 wc_Md5Update(&ssl->hsHashes->hashMd5, adj, sz); 7674 #endif 7675 #endif 7676 7677 if (IsAtLeastTLSv1_2(ssl)) { 7678 #ifndef NO_SHA256 7679 ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, adj, sz); 7680 if (ret != 0) 7681 return ret; 7682 #endif 7683 #ifdef WOLFSSL_SHA384 7684 ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, adj, sz); 7685 if (ret != 0) 7686 return ret; 7687 #endif 7688 #ifdef WOLFSSL_SHA512 7689 ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, adj, sz); 7690 if (ret != 0) 7691 return ret; 7692 #endif 7693 #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \ 7694 ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \ 7695 (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH))) 7696 ret = EdDSA_Update(ssl, adj, sz); 7697 if (ret != 0) 7698 return ret; 7699 #endif 7700 } 7701 7702 return ret; 7937 7938 return HashRaw(ssl, adj, sz); 7703 7939 } 7704 7940 … … 7707 7943 int HashInput(WOLFSSL* ssl, const byte* input, int sz) 7708 7944 { 7709 int ret = 0;7710 7945 const byte* adj; 7946 7947 if (ssl->hsHashes == NULL) { 7948 return BAD_FUNC_ARG; 7949 } 7711 7950 7712 7951 adj = input - HANDSHAKE_HEADER_SZ; 7713 7952 sz += HANDSHAKE_HEADER_SZ; 7714 7715 (void)adj;7716 7953 7717 7954 #ifdef WOLFSSL_DTLS … … 7722 7959 #endif 7723 7960 7724 if (ssl->hsHashes == NULL) { 7725 return BAD_FUNC_ARG; 7726 } 7727 7728 #ifndef NO_OLD_TLS 7729 #ifndef NO_SHA 7730 wc_ShaUpdate(&ssl->hsHashes->hashSha, adj, sz); 7731 #endif 7732 #ifndef NO_MD5 7733 wc_Md5Update(&ssl->hsHashes->hashMd5, adj, sz); 7734 #endif 7735 #endif 7736 7737 if (IsAtLeastTLSv1_2(ssl)) { 7738 #ifndef NO_SHA256 7739 ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, adj, sz); 7740 if (ret != 0) 7741 return ret; 7742 #endif 7743 #ifdef WOLFSSL_SHA384 7744 ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, adj, sz); 7745 if (ret != 0) 7746 return ret; 7747 #endif 7748 #ifdef WOLFSSL_SHA512 7749 ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, adj, sz); 7750 if (ret != 0) 7751 return ret; 7752 #endif 7753 #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \ 7754 ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \ 7755 (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH))) 7756 ret = EdDSA_Update(ssl, adj, sz); 7757 if (ret != 0) 7758 return ret; 7759 #endif 7760 } 7761 7762 return ret; 7961 return HashRaw(ssl, adj, sz); 7763 7962 } 7764 7963 7765 7964 7766 7965 /* add record layer header for message */ 7767 static void AddRecordHeader(byte* output, word32 length, byte type, WOLFSSL* ssl )7966 static void AddRecordHeader(byte* output, word32 length, byte type, WOLFSSL* ssl, int epochOrder) 7768 7967 { 7769 7968 RecordLayerHeader* rl; 7969 7970 (void)epochOrder; 7770 7971 7771 7972 /* record layer header */ … … 7778 7979 #ifdef WOLFSSL_TLS13 7779 7980 if (IsAtLeastTLSv1_3(ssl->version)) { 7780 #ifdef WOLFSSL_TLS13_DRAFT_187781 rl->pvMinor = TLSv1_MINOR;7782 #else7783 7981 rl->pvMinor = TLSv1_2_MINOR; 7784 #endif7785 7982 } 7786 7983 else … … 7806 8003 /* dtls record layer header extensions */ 7807 8004 dtls = (DtlsRecordLayerHeader*)output; 7808 WriteSEQ(ssl, 0, dtls->sequence_number);8005 WriteSEQ(ssl, epochOrder, dtls->sequence_number); 7809 8006 c16toa((word16)length, dtls->length); 7810 8007 #endif … … 7858 8055 #endif 7859 8056 7860 AddRecordHeader(output, length + lengthAdj, handshake, ssl );8057 AddRecordHeader(output, length + lengthAdj, handshake, ssl, CUR_ORDER); 7861 8058 AddHandShakeHeader(output + outputAdj, length, 0, length, type, ssl); 7862 8059 } … … 7881 8078 #endif 7882 8079 7883 AddRecordHeader(output, fragSz + lengthAdj, handshake, ssl );8080 AddRecordHeader(output, fragSz + lengthAdj, handshake, ssl, CUR_ORDER); 7884 8081 AddHandShakeHeader(output + outputAdj, length, fragOffset, fragSz, type, ssl); 7885 8082 } … … 7904 8101 case WOLFSSL_CBIO_ERR_GENERAL: /* general/unknown error */ 7905 8102 #if defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD) 8103 #ifndef NO_BIO 7906 8104 if (ssl->biord) { 7907 8105 /* If retry and read flags are set, return WANT_READ */ … … 7911 8109 } 7912 8110 } 8111 #endif 7913 8112 #endif 7914 8113 return -1; … … 7953 8152 #ifdef WOLFSSL_DTLS 7954 8153 if (IsDtlsNotSctpMode(ssl) && 7955 !ssl->options.handShakeDone&&8154 ssl->options.handShakeState != HANDSHAKE_DONE && 7956 8155 DtlsMsgPoolTimeout(ssl) == 0 && 7957 8156 DtlsMsgPoolSend(ssl, 0) == 0) { … … 8236 8435 8237 8436 8238 /* check available size into output buffer, make room if needed */ 8437 /* Check available size into output buffer, make room if needed. 8438 * This function needs to be called before anything gets put 8439 * into the output buffers since it flushes pending data if it 8440 * predicts that the msg will exceed MTU. */ 8239 8441 int CheckAvailableSize(WOLFSSL *ssl, int size) 8240 8442 { … … 8243 8445 return BAD_FUNC_ARG; 8244 8446 } 8447 8448 #ifdef WOLFSSL_DTLS 8449 if (ssl->options.dtls && 8450 size + ssl->buffers.outputBuffer.length - 8451 ssl->buffers.outputBuffer.idx > ssl->dtls_expected_rx) { 8452 int ret; 8453 WOLFSSL_MSG("CheckAvailableSize() flushing buffer " 8454 "to make room for new message"); 8455 if ((ret = SendBuffered(ssl)) != 0) { 8456 return ret; 8457 } 8458 } 8459 #endif 8245 8460 8246 8461 if (ssl->buffers.outputBuffer.bufferSize - ssl->buffers.outputBuffer.length … … 8297 8512 8298 8513 #ifdef WOLFSSL_DTLS 8299 if (IsDtlsNotSctpMode(ssl) && !DtlsCheckWindow(ssl)) { 8514 if (IsDtlsNotSctpMode(ssl)) { 8515 if (!DtlsCheckWindow(ssl) || 8516 (rh->type == application_data && ssl->keys.curEpoch == 0) || 8517 (rh->type == alert && ssl->options.handShakeDone && 8518 ssl->keys.curEpoch == 0 && ssl->keys.dtls_epoch != 0)) { 8300 8519 WOLFSSL_LEAVE("GetRecordHeader()", SEQUENCE_ERROR); 8301 8520 return SEQUENCE_ERROR; 8521 } 8302 8522 } 8303 8523 #endif … … 8309 8529 if (rh->pvMajor != ssl->version.major || 8310 8530 (rh->pvMinor != ssl->version.minor && 8311 #ifdef WOLFSSL_TLS13_DRAFT_188312 (!IsAtLeastTLSv1_3(ssl->version) || rh->pvMinor != TLSv1_MINOR)8313 #else8314 8531 (!IsAtLeastTLSv1_3(ssl->version) || rh->pvMinor != TLSv1_2_MINOR) 8315 #endif8316 8532 )) 8317 8533 #endif … … 9281 9497 9282 9498 9283 /* try to find an altName match to domain, return 1 on success */9284 int CheckAltNames(DecodedCert* dCert, char* domain)9285 {9286 int match = 0;9287 DNS_entry* altName = NULL;9288 9289 WOLFSSL_MSG("Checking AltNames");9290 9291 if (dCert)9292 altName = dCert->altNames;9293 9294 while (altName) {9295 WOLFSSL_MSG("\tindividual AltName check");9296 9297 if (MatchDomainName(altName->name, altName->len, domain)){9298 match = 1;9299 break;9300 }9301 9302 altName = altName->next;9303 }9304 9305 return match;9306 }9307 9308 #ifdef OPENSSL_EXTRA9309 9499 /* Check that alternative names, if they exists, match the domain. 9310 9500 * Fail if there are wild patterns and they didn't match. … … 9314 9504 * domain Domain name to compare against. 9315 9505 * checkCN Whether to check the common name. 9316 * returns whether there was a problem in matching. 9506 * returns 1 : match was found. 9507 * 0 : no match found. 9508 * -1 : No matches and wild pattern match failed. 9317 9509 */ 9318 static int CheckForAltNames(DecodedCert* dCert,char* domain, int* checkCN)9510 int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN) 9319 9511 { 9320 int match;9512 int match = 0; 9321 9513 DNS_entry* altName = NULL; 9514 char *buf; 9515 word32 len; 9322 9516 9323 9517 WOLFSSL_MSG("Checking AltNames"); … … 9326 9520 altName = dCert->altNames; 9327 9521 9328 *checkCN = altName == NULL; 9329 match = 0; 9522 if (checkCN != NULL) { 9523 *checkCN = (altName == NULL) ? 1 : 0; 9524 } 9525 9330 9526 while (altName) { 9527 #if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) 9528 char name[WOLFSSL_MAX_IPSTR] = {0}; 9529 #endif 9530 9331 9531 WOLFSSL_MSG("\tindividual AltName check"); 9332 9532 9333 if (MatchDomainName(altName->name, altName->len, domain)) { 9533 #if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) 9534 /* check if alt name is stored as IP addr octet */ 9535 if (altName->type == ASN_IP_TYPE) { 9536 char tmp[4]; 9537 int i; 9538 word32 idx = 0; 9539 for (i = 0; (idx < WOLFSSL_MAX_IPSTR) && (i < altName->len); i++) { 9540 XMEMSET(tmp, 0, sizeof(tmp)); 9541 XSNPRINTF(tmp, sizeof(tmp), (altName->len <= 4) ? "%u" : "%02X", 9542 altName->name[i]); 9543 idx += (word32)XSTRLEN(tmp); 9544 XSTRNCAT(name, tmp, (altName->len <= 4) ? 3 : 2); 9545 if ((idx < WOLFSSL_MAX_IPSTR ) && ((i + 1) < altName->len)) { 9546 name[idx++] = (altName->len <= 4) ? '.' : ':'; 9547 } 9548 } 9549 if (idx >= WOLFSSL_MAX_IPSTR) { 9550 idx = WOLFSSL_MAX_IPSTR -1; 9551 } 9552 name[idx] = '\0'; 9553 buf = name; 9554 len = (word32)XSTRLEN(name); 9555 } 9556 else 9557 #endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */ 9558 { 9559 buf = altName->name; 9560 len = altName->len; 9561 } 9562 9563 if (MatchDomainName(buf, len, domain)) { 9334 9564 match = 1; 9335 *checkCN = 0; 9565 if (checkCN != NULL) { 9566 *checkCN = 0; 9567 } 9568 WOLFSSL_MSG("\tmatch found"); 9336 9569 break; 9337 9570 } 9338 9571 /* No matches and wild pattern match failed. */ 9339 else if (altName->name && altName->len >=1 && 9340 altName->name[0] == '*' && match == 0) { 9572 else if (buf && (len >=1) && (buf[0] == '*')) { 9341 9573 match = -1; 9574 WOLFSSL_MSG("\twildcard match failed"); 9342 9575 } 9343 9576 … … 9345 9578 } 9346 9579 9347 return match != -1;9580 return match; 9348 9581 } 9582 9349 9583 9350 9584 /* Check the domain name matches the subject alternative name or the subject … … 9356 9590 * returns DOMAIN_NAME_MISMATCH when no match found and 0 on success. 9357 9591 */ 9358 int CheckHostName(DecodedCert* dCert, c har *domainName, size_t domainNameLen)9592 int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameLen) 9359 9593 { 9360 9594 int checkCN; 9595 int ret = DOMAIN_NAME_MISMATCH; 9361 9596 9362 9597 /* Assume name is NUL terminated. */ 9363 9598 (void)domainNameLen; 9364 9599 9365 if (CheckForAltNames(dCert, domainName, &checkCN) == 0) { 9366 WOLFSSL_MSG("DomainName match on alt names failed too"); 9367 return DOMAIN_NAME_MISMATCH; 9368 } 9600 if (CheckForAltNames(dCert, domainName, &checkCN) != 1) { 9601 WOLFSSL_MSG("DomainName match on alt names failed"); 9602 } 9603 else { 9604 ret = 0; 9605 } 9606 9369 9607 if (checkCN == 1) { 9370 9608 if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen, 9371 domainName) == 0) { 9609 domainName) == 1) { 9610 ret = 0; 9611 } 9612 else { 9372 9613 WOLFSSL_MSG("DomainName match on common name failed"); 9373 return DOMAIN_NAME_MISMATCH; 9374 } 9375 } 9376 9377 return 0; 9614 } 9615 } 9616 9617 return ret; 9378 9618 } 9379 9619 9380 int CheckIPAddr(DecodedCert* dCert, c har* ipasc)9620 int CheckIPAddr(DecodedCert* dCert, const char* ipasc) 9381 9621 { 9382 9622 WOLFSSL_MSG("Checking IPAddr"); … … 9384 9624 return CheckHostName(dCert, ipasc, (size_t)XSTRLEN(ipasc)); 9385 9625 } 9386 #endif 9626 9387 9627 9388 9628 #ifdef SESSION_CERTS … … 9415 9655 return BAD_FUNC_ARG; 9416 9656 9657 if (x509->issuer.name == NULL || x509->subject.name == NULL) { 9658 WOLFSSL_MSG("Either init was not called on X509 or programming error"); 9659 return BAD_FUNC_ARG; 9660 } 9661 9417 9662 x509->version = dCert->version + 1; 9418 9663 … … 9421 9666 x509->issuer.sz = (int)XSTRLEN(x509->issuer.name) + 1; 9422 9667 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) 9423 if (dCert->issuerName.fullName != NULL) { 9424 XMEMCPY(&x509->issuer.fullName, 9425 &dCert->issuerName, sizeof(DecodedName)); 9426 x509->issuer.fullName.fullName = (char*)XMALLOC( 9427 dCert->issuerName.fullNameLen, x509->heap, 9428 DYNAMIC_TYPE_X509); 9429 if (x509->issuer.fullName.fullName != NULL) 9430 XMEMCPY(x509->issuer.fullName.fullName, 9431 dCert->issuerName.fullName, dCert->issuerName.fullNameLen); 9432 } 9433 x509->issuer.x509 = x509; 9668 if (dCert->issuerName != NULL) { 9669 wolfSSL_X509_set_issuer_name(x509, 9670 (WOLFSSL_X509_NAME*)dCert->issuerName); 9671 x509->issuer.x509 = x509; 9672 } 9434 9673 #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ 9435 9674 … … 9438 9677 x509->subject.sz = (int)XSTRLEN(x509->subject.name) + 1; 9439 9678 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) 9440 if (dCert->subjectName.fullName != NULL) { 9441 XMEMCPY(&x509->subject.fullName, 9442 &dCert->subjectName, sizeof(DecodedName)); 9443 x509->subject.fullName.fullName = (char*)XMALLOC( 9444 dCert->subjectName.fullNameLen, x509->heap, DYNAMIC_TYPE_X509); 9445 if (x509->subject.fullName.fullName != NULL) 9446 XMEMCPY(x509->subject.fullName.fullName, 9447 dCert->subjectName.fullName, dCert->subjectName.fullNameLen); 9448 } 9449 x509->subject.x509 = x509; 9679 if (dCert->subjectName != NULL) { 9680 wolfSSL_X509_set_subject_name(x509, 9681 (WOLFSSL_X509_NAME*)dCert->subjectName); 9682 x509->subject.x509 = x509; 9683 } 9450 9684 #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ 9451 9685 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) … … 9466 9700 else 9467 9701 x509->subjectCN[0] = '\0'; 9702 9703 #ifdef WOLFSSL_CERT_REQ 9704 x509->isCSR = dCert->isCSR; 9705 /* CSR attributes */ 9706 if (dCert->cPwd) { 9707 if (dCert->cPwdLen < CTC_NAME_SIZE) { 9708 XMEMCPY(x509->challengePw, dCert->cPwd, dCert->cPwdLen); 9709 x509->challengePw[dCert->cPwdLen] = '\0'; 9710 #ifdef OPENSSL_ALL 9711 if (x509->challengePwAttr) { 9712 wolfSSL_X509_ATTRIBUTE_free(x509->challengePwAttr); 9713 } 9714 x509->challengePwAttr = wolfSSL_X509_ATTRIBUTE_new(); 9715 if (x509->challengePwAttr) { 9716 x509->challengePwAttr->value->value.asn1_string = 9717 wolfSSL_ASN1_STRING_new(); 9718 if (wolfSSL_ASN1_STRING_set( 9719 x509->challengePwAttr->value->value.asn1_string, 9720 dCert->cPwd, dCert->cPwdLen) != WOLFSSL_SUCCESS) { 9721 ret = MEMORY_E; 9722 } 9723 x509->challengePwAttr->value->type = V_ASN1_PRINTABLESTRING; 9724 } 9725 else { 9726 ret = MEMORY_E; 9727 } 9728 #endif 9729 } 9730 else { 9731 WOLFSSL_MSG("Challenge password too long"); 9732 ret = MEMORY_E; 9733 } 9734 } 9735 #endif 9468 9736 9469 9737 #ifdef WOLFSSL_SEP … … 9729 9997 int ret = 0; 9730 9998 OcspRequest* request; 9999 WOLFSSL_ENTER("ProcessCSR"); 9731 10000 9732 10001 #ifdef WOLFSSL_SMALL_STACK 9733 10002 CertStatus* status; 10003 OcspEntry* single; 9734 10004 OcspResponse* response; 9735 10005 #else 9736 10006 CertStatus status[1]; 10007 OcspEntry single[1]; 9737 10008 OcspResponse response[1]; 9738 10009 #endif … … 9764 10035 #ifdef WOLFSSL_SMALL_STACK 9765 10036 status = (CertStatus*)XMALLOC(sizeof(CertStatus), ssl->heap, 9766 DYNAMIC_TYPE_OCSP_STATUS); 10037 DYNAMIC_TYPE_OCSP_STATUS); 10038 single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), ssl->heap, 10039 DYNAMIC_TYPE_OCSP_ENTRY); 9767 10040 response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), ssl->heap, 9768 9769 9770 if (status == NULL || response == NULL) {10041 DYNAMIC_TYPE_OCSP_REQUEST); 10042 10043 if (status == NULL || single == NULL || response == NULL) { 9771 10044 if (status) 9772 XFREE(status, NULL, DYNAMIC_TYPE_OCSP_STATUS); 10045 XFREE(status, ssl->heap, DYNAMIC_TYPE_OCSP_STATUS); 10046 if (single) 10047 XFREE(single, ssl->heap, DYNAMIC_TYPE_OCSP_ENTRY); 9773 10048 if (response) 9774 XFREE(response, NULL, DYNAMIC_TYPE_OCSP_REQUEST);10049 XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); 9775 10050 9776 10051 return MEMORY_ERROR; … … 9778 10053 #endif 9779 10054 9780 InitOcspResponse(response, s tatus, input +*inOutIdx, status_length);10055 InitOcspResponse(response, single, status, input +*inOutIdx, status_length, ssl->heap); 9781 10056 9782 10057 if (OcspResponseDecode(response, ssl->ctx->cm, ssl->heap, 0) != 0) … … 9786 10061 else if (response->responseStatus != OCSP_SUCCESSFUL) 9787 10062 ret = BAD_CERTIFICATE_STATUS_ERROR; 9788 else if (response->s tatus->status == CERT_REVOKED)10063 else if (response->single->status->status == CERT_REVOKED) 9789 10064 ret = OCSP_CERT_REVOKED; 9790 else if (response->s tatus->status != CERT_GOOD)10065 else if (response->single->status->status != CERT_GOOD) 9791 10066 ret = BAD_CERTIFICATE_STATUS_ERROR; 10067 10068 else { 10069 XMEMCPY(ssl->ocspProducedDate, response->producedDate, sizeof ssl->ocspProducedDate); 10070 ssl->ocspProducedDateFormat = response->producedDateFormat; 10071 } 9792 10072 9793 10073 *inOutIdx += status_length; … … 9795 10075 #ifdef WOLFSSL_SMALL_STACK 9796 10076 XFREE(status, ssl->heap, DYNAMIC_TYPE_OCSP_STATUS); 10077 XFREE(single, ssl->heap, DYNAMIC_TYPE_OCSP_ENTRY); 9797 10078 XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); 9798 10079 #endif 9799 10080 10081 WOLFSSL_LEAVE("ProcessCSR", ret); 9800 10082 return ret; 9801 10083 } … … 9876 10158 if (ret == ASN_AFTER_DATE_E || ret == ASN_BEFORE_DATE_E) { 9877 10159 alertWhy = certificate_expired; 10160 } else if (ret == ASN_NO_SIGNER_E) { 10161 alertWhy = unknown_ca; 9878 10162 } 9879 10163 #if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) … … 9911 10195 { 9912 10196 int verify_ok = 0, use_cb = 0; 9913 void *heap = (ssl != NULL) ? ssl->heap : cm->heap; 10197 void *heap; 10198 10199 if (cm == NULL) { 10200 return BAD_FUNC_ARG; 10201 } 10202 10203 heap = (ssl != NULL) ? ssl->heap : cm->heap; 9914 10204 9915 10205 /* Determine if verify was okay */ … … 9942 10232 /* If altNames names is present, then subject common name is ignored */ 9943 10233 if (args->dCert->altNames != NULL) { 9944 if (Check AltNames(args->dCert, ssl->param->hostName) == 0) {10234 if (CheckForAltNames(args->dCert, ssl->param->hostName, NULL) != 1) { 9945 10235 if (ret == 0) { 9946 10236 ret = DOMAIN_NAME_MISMATCH; … … 9995 10285 char domain[ASN_NAME_MAX]; 9996 10286 #endif 10287 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) 10288 int x509Free = 0; 10289 #endif 9997 10290 9998 10291 #ifdef WOLFSSL_SMALL_STACK … … 10044 10337 store->certs = args->certs; 10045 10338 store->totalCerts = args->totalCerts; 10046 #if defined(HAVE_EX_DATA) || defined(FORTRESS) 10339 #if (defined(HAVE_EX_DATA) || defined(FORTRESS)) && \ 10340 (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)) 10047 10341 if (wolfSSL_CRYPTO_set_ex_data(&store->ex_data, 0, ssl) 10048 10342 != WOLFSSL_SUCCESS) { … … 10101 10395 if (CopyDecodedToX509(x509, args->dCert) == 0) { 10102 10396 store->current_cert = x509; 10397 x509Free = 1; 10103 10398 } 10104 10399 else { … … 10113 10408 #ifndef NO_WOLFSSL_CM_VERIFY 10114 10409 /* non-zero return code indicates failure override */ 10115 if ( (cm != NULL) && (cm->verifyCallback != NULL)) {10410 if (cm->verifyCallback != NULL) { 10116 10411 store->userCtx = cm; 10117 10412 if (cm->verifyCallback(verify_ok, store)) { … … 10167 10462 } 10168 10463 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) 10169 if ( args->certIdx > 0)10464 if (x509Free) { 10170 10465 FreeX509(x509); 10466 } 10171 10467 #endif 10172 10468 #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) … … 10562 10858 10563 10859 /* allocate buffer for certs */ 10564 #ifdef OPENSSL_EXTRA10565 args->certs = (buffer*)XMALLOC(sizeof(buffer) *10566 (ssl->verifyDepth + 1), ssl->heap, DYNAMIC_TYPE_DER);10567 if (args->certs == NULL) {10568 ERROR_OUT(MEMORY_E, exit_ppc);10569 }10570 XMEMSET(args->certs, 0, sizeof(buffer) * (ssl->verifyDepth + 1));10571 #else10572 10860 args->certs = (buffer*)XMALLOC(sizeof(buffer) * MAX_CHAIN_DEPTH, 10573 10861 ssl->heap, DYNAMIC_TYPE_DER); … … 10576 10864 } 10577 10865 XMEMSET(args->certs, 0, sizeof(buffer) * MAX_CHAIN_DEPTH); 10578 #endif /* OPENSSL_EXTRA */10579 10866 10580 10867 /* Certificate List */ … … 10597 10884 word32 certSz; 10598 10885 10886 10599 10887 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) 10600 if (args->totalCerts > ssl->verifyDepth) {10888 if (args->totalCerts >= MAX_CHAIN_DEPTH) { 10601 10889 ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG; 10602 ERROR_OUT(MAX_CHAIN_ERROR, exit_ppc); 10890 ret = MAX_CHAIN_ERROR; 10891 WOLFSSL_MSG("Too many certs for MAX_CHAIN_DEPTH"); 10892 break; /* break out to avoid reading more certs then buffer 10893 * can hold */ 10603 10894 } 10604 10895 #else … … 10636 10927 word16 extSz; 10637 10928 10929 if (args->exts == NULL) { 10930 ERROR_OUT(BUFFER_ERROR, exit_ppc); 10931 } 10638 10932 if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) { 10639 10933 ERROR_OUT(BUFFER_ERROR, exit_ppc); … … 10664 10958 args->certIdx = 0; /* select peer cert (first one) */ 10665 10959 10666 if (args->count == 0 && ssl->options.mutualAuth && 10960 if (args->count == 0 && (ssl->options.mutualAuth || 10961 (ssl->options.failNoCert && IsAtLeastTLSv1_3(ssl->version))) && 10667 10962 ssl->options.side == WOLFSSL_SERVER_END) { 10668 10963 ret = NO_PEER_CERT; … … 10837 11132 } 10838 11133 #endif /* HAVE_OCSP || HAVE_CRL */ 10839 11134 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) 11135 if (ret == 0 && 11136 /* extend the limit "+1" until reaching 11137 * an ultimately trusted issuer.*/ 11138 args->count > (ssl->verifyDepth + 1)) { 11139 ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG; 11140 ret = MAX_CHAIN_ERROR; 11141 } 11142 #endif 10840 11143 /* Do verify callback */ 10841 11144 ret = DoVerifyCallback(ssl->ctx->cm, ssl, ret, args); 11145 if (ssl->options.verifyNone && 11146 (ret == CRL_MISSING || ret == CRL_CERT_REVOKED)) { 11147 WOLFSSL_MSG("Ignoring CRL problem based on verify setting"); 11148 ret = ssl->error = 0; 11149 } 10842 11150 10843 11151 #ifdef WOLFSSL_ALT_CERT_CHAINS … … 10853 11161 } 10854 11162 10855 ret = 0; /* clear error and continue */ 11163 ret = 0; /* clear errors and continue */ 11164 args->verifyErr = 0; 10856 11165 } 10857 11166 … … 10951 11260 #endif /* SESSION_CERTS && WOLFSSL_ALT_CERT_CHAINS */ 10952 11261 11262 /* Check peer's certificate version number. TLS 1.2 / 1.3 11263 * requires the clients certificate be version 3 unless a 11264 * different version has been negotiated using RFC 7250 */ 11265 if ((ret == 0) && 11266 (ssl->options.side == WOLFSSL_SERVER_END)) { 11267 if (args->dCert->version != WOLFSSL_X509_V3) { 11268 WOLFSSL_MSG("Peers certificate was not version 3!"); 11269 args->lastErr = ASN_VERSION_E; 11270 /* setting last error but not considering it fatal 11271 * giving the user a chance to override */ 11272 } 11273 } 11274 10953 11275 /* check if fatal error */ 10954 11276 if (args->verifyErr) { 10955 11277 args->fatal = 1; 10956 if (ret == 0) { 10957 ret = args->lastErr; 10958 } 11278 ret = args->lastErr; 10959 11279 } 10960 11280 else { … … 10964 11284 else if (ret == ASN_PARSE_E || ret == BUFFER_E) { 10965 11285 WOLFSSL_MSG("Got Peer cert ASN PARSE or BUFFER ERROR"); 11286 #if defined(WOLFSSL_EXTRA_ALERTS) || defined(OPENSSL_EXTRA) || \ 11287 defined(OPENSSL_EXTRA_X509_SMALL) 11288 DoCertFatalAlert(ssl, ret); 11289 #endif 10966 11290 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) 10967 SendAlert(ssl, alert_fatal, bad_certificate);10968 11291 ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; 10969 11292 #endif … … 10980 11303 /* check if fatal error */ 10981 11304 args->fatal = (args->verifyErr) ? 1 : 0; 11305 #if defined(WOLFSSL_EXTRA_ALERTS) || \ 11306 defined(OPENSSL_EXTRA) || \ 11307 defined(OPENSSL_EXTRA_X509_SMALL) 11308 if (args->fatal) 11309 DoCertFatalAlert(ssl, ret); 11310 #endif 10982 11311 } 10983 11312 else { 10984 11313 WOLFSSL_MSG("\tNo callback override available, fatal"); 10985 11314 args->fatal = 1; 10986 #ifdef OPENSSL_EXTRA 10987 SendAlert(ssl, alert_fatal, bad_certificate); 11315 #if defined(WOLFSSL_EXTRA_ALERTS) || \ 11316 defined(OPENSSL_EXTRA) || \ 11317 defined(OPENSSL_EXTRA_X509_SMALL) 11318 DoCertFatalAlert(ssl, ret); 10988 11319 #endif 10989 11320 } … … 11042 11373 args->dCert, ssl->heap); 11043 11374 doLookup = 0; 11044 #if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)11375 #if defined(WOLFSSL_TLS13) 11045 11376 if (ssl->options.tls1_3) { 11046 11377 TLSX* ext = TLSX_Find(ssl->extensions, … … 11057 11388 } 11058 11389 #endif 11390 } 11391 /* Ensure a stapling response was seen */ 11392 else if (ssl->options.tls1_3 && 11393 ssl->ctx->cm->ocspMustStaple) { 11394 ret = OCSP_CERT_UNKNOWN; 11395 goto exit_ppc; 11059 11396 } 11060 11397 #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ … … 11115 11452 int copyRet = 0; 11116 11453 11454 #ifdef WOLFSSL_POST_HANDSHAKE_AUTH 11455 if (ssl->options.handShakeDone) { 11456 FreeX509(&ssl->peerCert); 11457 InitX509(&ssl->peerCert, 0, ssl->heap); 11458 } 11459 else 11460 #endif 11117 11461 #ifdef HAVE_SECURE_RENEGOTIATION 11118 11462 if (ssl->secure_renegotiation && … … 11120 11464 /* free old peer cert */ 11121 11465 FreeX509(&ssl->peerCert); 11466 InitX509(&ssl->peerCert, 0, ssl->heap); 11122 11467 } 11468 else 11123 11469 #endif 11470 { 11471 } 11124 11472 11125 11473 /* set X509 format for peer cert */ … … 11202 11550 * alternative name extension MUST be used." */ 11203 11551 if (args->dCert->altNames) { 11204 if (CheckAltNames(args->dCert, 11205 (char*)ssl->buffers.domainName.buffer) == 0 ) { 11552 if (CheckForAltNames(args->dCert, 11553 (char*)ssl->buffers.domainName.buffer, 11554 NULL) != 1) { 11206 11555 WOLFSSL_MSG("DomainName match on alt names failed"); 11207 11556 /* try to get peer key still */ … … 11224 11573 (char*)ssl->buffers.domainName.buffer) == 0) { 11225 11574 WOLFSSL_MSG("DomainName match on common name failed"); 11226 if (CheckAltNames(args->dCert, 11227 (char*)ssl->buffers.domainName.buffer) == 0 ) { 11575 if (CheckForAltNames(args->dCert, 11576 (char*)ssl->buffers.domainName.buffer, 11577 NULL) != 1) { 11228 11578 WOLFSSL_MSG( 11229 11579 "DomainName match on alt names failed too"); … … 11279 11629 #ifdef HAVE_PK_CALLBACKS 11280 11630 #ifndef NO_RSA 11281 #ifdef HAVE_SECURE_RENEGOTIATION 11631 #if defined(HAVE_SECURE_RENEGOTIATION) || \ 11632 defined(WOLFSSL_POST_HANDSHAKE_AUTH) 11282 11633 if (ssl->buffers.peerRsaKey.buffer) { 11283 11634 XFREE(ssl->buffers.peerRsaKey.buffer, … … 11357 11708 ssl->peerEccDsaKeyPresent = 1; 11358 11709 #ifdef HAVE_PK_CALLBACKS 11710 if (ssl->buffers.peerEccDsaKey.buffer) 11711 XFREE(ssl->buffers.peerEccDsaKey.buffer, 11712 ssl->heap, DYNAMIC_TYPE_ECC); 11359 11713 ssl->buffers.peerEccDsaKey.buffer = 11360 11714 (byte*)XMALLOC(args->dCert->pubKeySize, … … 11381 11735 WOLFSSL_MSG("Peer ECC key is too small"); 11382 11736 } 11737 11738 /* populate curve oid - if missing */ 11739 if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->ecdhCurveOID == 0) 11740 ssl->ecdhCurveOID = args->dCert->pkCurveOID; 11383 11741 break; 11384 11742 } … … 11431 11789 WOLFSSL_MSG("Peer ECC key is too small"); 11432 11790 } 11791 11792 /* populate curve oid - if missing */ 11793 if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->ecdhCurveOID == 0) 11794 ssl->ecdhCurveOID = ECC_X25519_OID; 11433 11795 break; 11434 11796 } … … 11480 11842 WOLFSSL_MSG("Peer ECC key is too small"); 11481 11843 } 11844 11845 /* populate curve oid - if missing */ 11846 if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->ecdhCurveOID == 0) 11847 ssl->ecdhCurveOID = ECC_X448_OID; 11482 11848 break; 11483 11849 } … … 11573 11939 #endif /* WOLFSSL_ASYNC_CRYPT || WOLFSSL_NONBLOCK_OCSP */ 11574 11940 11941 #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP) || \ 11942 defined(WOLFSSL_SMALL_STACK) 11943 if (args) 11944 { 11945 FreeProcPeerCertArgs(ssl, args); 11946 } 11947 #else 11575 11948 FreeProcPeerCertArgs(ssl, args); 11949 #endif /* WOLFSSL_ASYNC_CRYPT || WOLFSSL_NONBLOCK_OCSP || WOLFSSL_SMALL_STACK */ 11576 11950 11577 11951 #if defined(WOLFSSL_ASYNC_CRYPT) … … 11667 12041 11668 12042 #ifdef WOLFSSL_SMALL_STACK 11669 CertStatus* status; 12043 CertStatus* status; 12044 OcspEntry* single; 11670 12045 OcspResponse* response; 11671 12046 #else 11672 CertStatus status[1]; 12047 CertStatus status[1]; 12048 OcspEntry single[1]; 11673 12049 OcspResponse response[1]; 11674 12050 #endif … … 11686 12062 status = (CertStatus*)XMALLOC(sizeof(CertStatus), ssl->heap, 11687 12063 DYNAMIC_TYPE_OCSP_STATUS); 12064 single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), ssl->heap, 12065 DYNAMIC_TYPE_OCSP_ENTRY); 11688 12066 response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), ssl->heap, 11689 DYNAMIC_TYPE_OCSP_REQUEST);11690 11691 if (status == NULL || response == NULL) {12067 DYNAMIC_TYPE_OCSP_REQUEST); 12068 12069 if (status == NULL || single == NULL || response == NULL) { 11692 12070 if (status) 11693 12071 XFREE(status, ssl->heap, DYNAMIC_TYPE_OCSP_STATUS); 12072 if (single) 12073 XFREE(single, ssl->heap, DYNAMIC_TYPE_OCSP_ENTRY); 11694 12074 if (response) 11695 12075 XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); … … 11715 12095 11716 12096 if (status_length) { 11717 InitOcspResponse(response, s tatus, input +*inOutIdx,11718 status_length);12097 InitOcspResponse(response, single, status, input +*inOutIdx, 12098 status_length, ssl->heap); 11719 12099 11720 12100 if ((OcspResponseDecode(response, ssl->ctx->cm, ssl->heap, 11721 12101 0) != 0) 11722 12102 || (response->responseStatus != OCSP_SUCCESSFUL) 11723 || (response->s tatus->status != CERT_GOOD))12103 || (response->single->status->status != CERT_GOOD)) 11724 12104 ret = BAD_CERTIFICATE_STATUS_ERROR; 11725 12105 … … 11735 12115 ret = BAD_CERTIFICATE_STATUS_ERROR; 11736 12116 } 12117 FreeOcspResponse(response); 11737 12118 11738 12119 *inOutIdx += status_length; … … 11747 12128 #ifdef WOLFSSL_SMALL_STACK 11748 12129 XFREE(status, NULL, DYNAMIC_TYPE_OCSP_STATUS); 12130 XFREE(single, NULL, DYNAMIC_TYPE_OCSP_ENTRY); 11749 12131 XFREE(response, NULL, DYNAMIC_TYPE_OCSP_REQUEST); 11750 12132 #endif … … 11805 12187 11806 12188 if (IsEncryptionOn(ssl, 0)) { 12189 /* If size == totalSz then we are in DtlsMsgDrain so no need to worry 12190 * about padding */ 11807 12191 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) 11808 12192 if (ssl->options.startedETMRead) { 11809 12193 word32 digestSz = MacSize(ssl); 11810 if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz) 12194 if (size != totalSz && 12195 *inOutIdx + ssl->keys.padSz + digestSz > totalSz) 11811 12196 return BUFFER_E; 11812 12197 *inOutIdx += ssl->keys.padSz + digestSz; … … 11816 12201 { 11817 12202 /* access beyond input + size should be checked against totalSz */ 11818 if (*inOutIdx + ssl->keys.padSz > totalSz) 12203 if (size != totalSz && 12204 *inOutIdx + ssl->keys.padSz > totalSz) 11819 12205 return BUFFER_E; 11820 12206 … … 11852 12238 return BUFFER_ERROR; 11853 12239 11854 /* check against totalSz */ 12240 /* check against totalSz 12241 * If size == totalSz then we are in DtlsMsgDrain so no need to worry about 12242 * padding */ 12243 if (size != totalSz) { 11855 12244 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) 11856 12245 if (ssl->options.startedETMRead) { … … 11864 12253 return BUFFER_E; 11865 12254 } 12255 } 11866 12256 11867 12257 #ifdef WOLFSSL_CALLBACKS … … 11892 12282 } 11893 12283 #endif 12284 #ifdef OPENSSL_ALL 12285 if (ssl->options.side == WOLFSSL_CLIENT_END) 12286 XMEMCPY(ssl->serverFinished, 12287 input + *inOutIdx, TLS_FINISHED_SZ); 12288 else 12289 XMEMCPY(ssl->clientFinished, 12290 input + *inOutIdx, TLS_FINISHED_SZ); 12291 #endif 11894 12292 11895 12293 /* force input exhaustion at ProcessReply consuming padSz */ … … 11934 12332 #ifdef WOLFSSL_DTLS 11935 12333 if (ssl->options.dtls) { 11936 DtlsMsgPoolReset(ssl); 12334 if ((!ssl->options.resuming && ssl->options.side == WOLFSSL_CLIENT_END) || 12335 (ssl->options.resuming && ssl->options.side == WOLFSSL_SERVER_END)){ 12336 DtlsMsgPoolReset(ssl); 12337 ssl->keys.dtls_handshake_number = 0; 12338 ssl->keys.dtls_expected_peer_handshake_number = 0; 12339 } 11937 12340 } 11938 12341 #endif … … 12085 12488 } 12086 12489 #endif 12490 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \ 12491 defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) 12492 /* Check that a status request extension was seen as the 12493 * CertificateStatus wasn't when an OCSP staple is required. 12494 */ 12495 if ( 12496 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST 12497 !ssl->status_request && 12498 #endif 12499 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 12500 !ssl->status_request_v2 && 12501 #endif 12502 ssl->ctx->cm->ocspMustStaple) { 12503 return OCSP_CERT_UNKNOWN; 12504 } 12505 #endif 12087 12506 } 12088 12507 … … 12180 12599 return DUPLICATE_MSG_E; 12181 12600 } 12601 #ifdef WOLFSSL_DTLS 12602 if (ssl->options.dtls) { 12603 if (ssl->keys.curEpoch == 0) { 12604 WOLFSSL_MSG("Finished received with epoch 0"); 12605 return SEQUENCE_ERROR; 12606 } 12607 } 12608 #endif 12182 12609 ssl->msgsReceived.got_finished = 1; 12183 12610 … … 12194 12621 if (ssl->msgsReceived.got_change_cipher) { 12195 12622 WOLFSSL_MSG("Duplicate ChangeCipher received"); 12196 #ifdef WOLFSSL_EXTRA_ALERTS12197 SendAlert(ssl, alert_fatal, unexpected_message);12198 #endif12199 12623 return DUPLICATE_MSG_E; 12200 12624 } … … 12244 12668 ssl->options.havePeerCert) { 12245 12669 12246 if (!ssl->options.havePeerVerify) { 12670 if (!ssl->options.havePeerVerify || 12671 !ssl->msgsReceived.got_certificate_verify) { 12247 12672 WOLFSSL_MSG("client didn't send cert verify"); 12248 12673 #ifdef WOLFSSL_DTLS … … 12297 12722 #endif 12298 12723 12299 #if !defined( WOLFSSL_NO_SERVER) && \12724 #if !defined(NO_WOLFSSL_SERVER) && \ 12300 12725 defined(HAVE_SECURE_RENEGOTIATION) && \ 12301 12726 defined(HAVE_SERVER_RENEGOTIATION_INFO) … … 12404 12829 WOLFSSL_MSG("processing hello verify request"); 12405 12830 ret = DoHelloVerifyRequest(ssl, input,inOutIdx, size); 12831 if (IsEncryptionOn(ssl, 0)) { 12832 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) 12833 if (ssl->options.startedETMRead) { 12834 word32 digestSz = MacSize(ssl); 12835 if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz) 12836 return BUFFER_E; 12837 *inOutIdx += ssl->keys.padSz + digestSz; 12838 } 12839 else 12840 #endif 12841 { 12842 /* access beyond input + size should be checked against totalSz 12843 */ 12844 if (*inOutIdx + ssl->keys.padSz > totalSz) 12845 return BUFFER_E; 12846 12847 *inOutIdx += ssl->keys.padSz; 12848 } 12849 } 12406 12850 break; 12407 12851 … … 12511 12955 } 12512 12956 #endif 12957 /* If size == totalSz then we are in DtlsMsgDrain so no need to worry 12958 * about padding */ 12513 12959 if (IsEncryptionOn(ssl, 0)) { 12514 12960 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) 12515 12961 if (ssl->options.startedETMRead) { 12516 12962 word32 digestSz = MacSize(ssl); 12517 if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz) 12963 if (size != totalSz && 12964 *inOutIdx + ssl->keys.padSz + digestSz > totalSz) 12518 12965 return BUFFER_E; 12519 12966 *inOutIdx += ssl->keys.padSz + digestSz; … … 12524 12971 /* access beyond input + size should be checked against totalSz 12525 12972 */ 12526 if (*inOutIdx + ssl->keys.padSz > totalSz) 12973 if (size != totalSz && 12974 *inOutIdx + ssl->keys.padSz > totalSz) 12527 12975 return BUFFER_E; 12528 12529 12976 *inOutIdx += ssl->keys.padSz; 12530 12977 } … … 12565 13012 #endif 12566 13013 ) { 12567 ShrinkInputBuffer(ssl, NO_FORCED_FREE); 13014 if (IsEncryptionOn(ssl, 0)) { 13015 word32 extra = ssl->keys.padSz; 13016 13017 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) 13018 if (ssl->options.startedETMRead) 13019 extra += MacSize(ssl); 13020 #endif 13021 13022 if (extra > ssl->buffers.inputBuffer.idx) 13023 return BUFFER_E; 13024 13025 ssl->buffers.inputBuffer.idx -= extra; 13026 ShrinkInputBuffer(ssl, NO_FORCED_FREE); 13027 ssl->buffers.inputBuffer.idx += extra; 13028 } 13029 else { 13030 ShrinkInputBuffer(ssl, NO_FORCED_FREE); 13031 } 12568 13032 } 12569 13033 … … 12776 13240 #endif 12777 13241 else if (curLT) { 12778 word32 idx = diff / DTLS_WORD_BITS; 12779 word32 newDiff = diff % DTLS_WORD_BITS; 13242 word32 idx; 13243 word32 newDiff; 13244 if (diff == 0) { 13245 WOLFSSL_MSG("DTLS sanity check failed"); 13246 return 0; 13247 } 13248 diff--; 13249 idx = diff / DTLS_WORD_BITS; 13250 newDiff = diff % DTLS_WORD_BITS; 12780 13251 12781 13252 /* verify idx is valid for window array */ … … 12797 13268 #ifdef WOLFSSL_MULTICAST 12798 13269 static WC_INLINE word32 UpdateHighwaterMark(word32 cur, word32 first, 12799 word32 second, word32 max)13270 word32 second, word32 high) 12800 13271 { 12801 13272 word32 newCur = 0; … … 12805 13276 else if (cur < second) 12806 13277 newCur = second; 12807 else if (cur < max)12808 newCur = max;13278 else if (cur < high) 13279 newCur = high; 12809 13280 12810 13281 return newCur; … … 12880 13351 if (cur_hi == *next_hi) { 12881 13352 curLT = cur_lo < *next_lo; 12882 diff = curLT ? *next_lo - cur_lo : cur_lo - *next_lo;13353 diff = curLT ? *next_lo - cur_lo - 1 : cur_lo - *next_lo + 1; 12883 13354 } 12884 13355 else { 12885 13356 curLT = cur_hi < *next_hi; 12886 diff = curLT ? cur_lo - *next_lo : *next_lo - cur_lo;13357 diff = curLT ? cur_lo - *next_lo - 1 : *next_lo - cur_lo + 1; 12887 13358 } 12888 13359 … … 12902 13373 12903 13374 temp = 0; 12904 diff++;12905 13375 idx = diff / DTLS_WORD_BITS; 12906 13376 newDiff = diff % DTLS_WORD_BITS; … … 12943 13413 ret == 0) { 12944 13414 word32 idx = 0; 12945 ssl->keys.dtls_expected_peer_handshake_number++; 12946 ret = DoHandShakeMsgType(ssl, item->msg, 12947 &idx, item->type, item->sz, item->sz); 13415 if ((ret = DoHandShakeMsgType(ssl, item->msg, &idx, item->type, 13416 item->sz, item->sz)) == 0) { 13417 if (item->type != finished) 13418 ssl->keys.dtls_expected_peer_handshake_number++; 13419 DtlsTxMsgListClean(ssl); 13420 } 12948 13421 #ifdef WOLFSSL_ASYNC_CRYPT 12949 13422 if (ret == WC_PENDING_E) { 12950 ssl->keys.dtls_expected_peer_handshake_number--;12951 13423 break; 12952 13424 } … … 12970 13442 word32 fragOffset, fragSz; 12971 13443 int ret = 0; 13444 int ignoreFinished = 0; 12972 13445 12973 13446 WOLFSSL_ENTER("DoDtlsHandShakeMsg()"); 12974 12975 /* process any pending DTLS messages - this flow can happen with async */12976 if (ssl->dtls_rx_msg_list != NULL) {12977 ret = DtlsMsgDrain(ssl);12978 if (ret != 0)12979 return ret;12980 12981 /* if done processing fragment exit with success */12982 if (totalSz == *inOutIdx)12983 return ret;12984 }12985 13447 12986 13448 /* parse header */ … … 13003 13465 WOLFSSL_ERROR(INCOMPLETE_DATA); 13004 13466 return INCOMPLETE_DATA; 13467 } 13468 13469 if (type == finished && ssl->keys.dtls_peer_handshake_number >= 13470 ssl->keys.dtls_expected_peer_handshake_number && 13471 ssl->keys.curEpoch == ssl->keys.dtls_epoch) { 13472 /* finished msg should be ignore from the current epoch 13473 * if it comes from a previous handshake */ 13474 if (ssl->options.side == WOLFSSL_CLIENT_END) { 13475 ignoreFinished = ssl->options.connectState < FINISHED_DONE; 13476 } 13477 else { 13478 ignoreFinished = ssl->options.acceptState < ACCEPT_FINISHED_DONE; 13479 } 13005 13480 } 13006 13481 … … 13015 13490 */ 13016 13491 if (ssl->keys.dtls_peer_handshake_number > 13017 ssl->keys.dtls_expected_peer_handshake_number) { 13492 ssl->keys.dtls_expected_peer_handshake_number && 13493 /* Only client_hello shouldn't be ignored if the handshake 13494 * num is greater */ 13495 (type == client_hello || 13496 ssl->options.handShakeState != HANDSHAKE_DONE) && 13497 !ignoreFinished) { 13018 13498 /* Current message is out of order. It will get stored in the list. 13019 13499 * Storing also takes care of defragmentation. If the messages is a … … 13025 13505 * the client could be sending multiple new client hello messages 13026 13506 * with newer and newer cookies.) */ 13507 WOLFSSL_MSG("Current message is out of order"); 13027 13508 if (type != client_hello) { 13028 13509 if (ssl->dtls_rx_msg_list_sz < DTLS_POOL_SZ) { 13029 DtlsMsgStore(ssl, ssl->keys.dtls_peer_handshake_number, 13510 DtlsMsgStore(ssl, ssl->keys.curEpoch, 13511 ssl->keys.dtls_peer_handshake_number, 13030 13512 input + *inOutIdx, size, type, 13031 13513 fragOffset, fragSz, ssl->heap); 13032 13514 } 13033 13515 *inOutIdx += fragSz; 13516 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) 13517 if (ssl->options.startedETMRead && ssl->keys.curEpoch != 0) { 13518 word32 digestSz = MacSize(ssl); 13519 if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz) 13520 return BUFFER_E; 13521 *inOutIdx += digestSz; 13522 } 13523 else 13524 #endif 13525 { 13526 if (*inOutIdx + ssl->keys.padSz > totalSz) { 13527 WOLFSSL_ERROR(BUFFER_E); 13528 return BUFFER_E; 13529 } 13530 } 13531 *inOutIdx += ssl->keys.padSz; 13034 13532 ret = 0; 13533 #ifndef WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT 13534 /* If we receive an out of order last flight msg then retransmit */ 13535 if (type == server_hello_done || type == finished) { 13536 ret = DtlsMsgPoolSend(ssl, 0); 13537 } 13538 #endif 13035 13539 } 13036 13540 else { … … 13043 13547 } 13044 13548 else if (ssl->keys.dtls_peer_handshake_number < 13045 ssl->keys.dtls_expected_peer_handshake_number) { 13549 ssl->keys.dtls_expected_peer_handshake_number || 13550 /* ignore all handshake messages if we are done with the 13551 * handshake */ 13552 (ssl->keys.dtls_peer_handshake_number > 13553 ssl->keys.dtls_expected_peer_handshake_number && 13554 ssl->options.handShakeState == HANDSHAKE_DONE) || 13555 ignoreFinished) { 13046 13556 /* Already saw this message and processed it. It can be ignored. */ 13557 WOLFSSL_MSG("Already saw this message and processed it"); 13047 13558 *inOutIdx += fragSz; 13048 if(type == finished ) {13049 13559 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) 13050 if (ssl->options.startedETMRead) {13051 13052 13053 13054 *inOutIdx += ssl->keys.padSz +digestSz;13055 13056 13560 if (ssl->options.startedETMRead && ssl->keys.curEpoch != 0) { 13561 word32 digestSz = MacSize(ssl); 13562 if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz) 13563 return BUFFER_E; 13564 *inOutIdx += digestSz; 13565 } 13566 else 13057 13567 #endif 13058 { 13059 if (*inOutIdx + ssl->keys.padSz > totalSz) { 13060 WOLFSSL_ERROR(BUFFER_E); 13061 return BUFFER_E; 13062 } 13063 *inOutIdx += ssl->keys.padSz; 13064 } 13065 } 13568 { 13569 if (*inOutIdx + ssl->keys.padSz > totalSz) { 13570 WOLFSSL_ERROR(BUFFER_E); 13571 return BUFFER_E; 13572 } 13573 } 13574 #ifndef WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT 13066 13575 if (IsDtlsNotSctpMode(ssl) && 13067 13576 VerifyForDtlsMsgPoolSend(ssl, type, fragOffset)) { … … 13069 13578 ret = DtlsMsgPoolSend(ssl, 0); 13070 13579 } 13580 #endif 13581 *inOutIdx += ssl->keys.padSz; 13071 13582 } 13072 13583 else if (fragSz < size) { … … 13074 13585 * be pointing to the message with this fragment in it. Check it to see 13075 13586 * if it is completed. */ 13587 WOLFSSL_MSG("Branch is in order, but fragmented"); 13076 13588 if (ssl->dtls_rx_msg_list_sz < DTLS_POOL_SZ) { 13077 DtlsMsgStore(ssl, ssl->keys.dtls_peer_handshake_number, 13589 DtlsMsgStore(ssl, ssl->keys.curEpoch, 13590 ssl->keys.dtls_peer_handshake_number, 13078 13591 input + *inOutIdx, size, type, 13079 13592 fragOffset, fragSz, ssl->heap); 13080 13593 } 13081 13594 *inOutIdx += fragSz; 13595 *inOutIdx += ssl->keys.padSz; 13596 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) 13597 if (ssl->options.startedETMRead && ssl->keys.curEpoch != 0) { 13598 word32 digestSz = MacSize(ssl); 13599 if (*inOutIdx + digestSz > totalSz) 13600 return BUFFER_E; 13601 *inOutIdx += digestSz; 13602 } 13603 #endif 13082 13604 ret = 0; 13083 13605 if (ssl->dtls_rx_msg_list != NULL && … … 13086 13608 } 13087 13609 else { 13088 /* This branch is in order next, and a complete message. */ 13610 /* This branch is in order next, and a complete message. On success 13611 * clean the tx list. */ 13612 #ifdef WOLFSSL_ASYNC_CRYPT 13613 word32 idx = *inOutIdx; 13614 #endif 13615 WOLFSSL_MSG("Branch is in order and a complete message"); 13616 #ifdef WOLFSSL_ASYNC_CRYPT 13617 /* In async mode always store the message and process it with 13618 * DtlsMsgDrain because in case of a WC_PENDING_E it will be 13619 * easier this way. */ 13620 if (ssl->dtls_rx_msg_list_sz < DTLS_POOL_SZ) { 13621 DtlsMsgStore(ssl, ssl->keys.curEpoch, 13622 ssl->keys.dtls_peer_handshake_number, 13623 input + idx, size, type, 13624 fragOffset, fragSz, ssl->heap); 13625 } 13626 if (idx + fragSz + ssl->keys.padSz > totalSz) 13627 return BUFFER_E; 13628 *inOutIdx = idx + fragSz + ssl->keys.padSz; 13629 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) 13630 if (ssl->options.startedETMRead && ssl->keys.curEpoch != 0) { 13631 word32 digestSz = MacSize(ssl); 13632 if (*inOutIdx + digestSz > totalSz) 13633 return BUFFER_E; 13634 *inOutIdx += digestSz; 13635 } 13636 #endif 13637 ret = DtlsMsgDrain(ssl); 13638 #else 13089 13639 ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz); 13090 13640 if (ret == 0) { 13091 if (type != client_hello || !IsDtlsNotSctpMode(ssl)) 13641 DtlsTxMsgListClean(ssl); 13642 if (type != finished) 13092 13643 ssl->keys.dtls_expected_peer_handshake_number++; 13093 13644 if (ssl->dtls_rx_msg_list != NULL) { … … 13095 13646 } 13096 13647 } 13648 #endif 13097 13649 } 13098 13650 … … 13106 13658 #ifdef HAVE_AEAD 13107 13659 13108 #if !defined(NO_PUBLIC_GCM_SET_IV) && \13109 (( (defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \13110 (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))) || \13111 (defined(HAVE_POLY1305) && defined(HAVE_CHACHA)) )13660 #if (!defined(NO_PUBLIC_GCM_SET_IV) && \ 13661 ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \ 13662 (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))) || \ 13663 (defined(HAVE_POLY1305) && defined(HAVE_CHACHA)) 13112 13664 static WC_INLINE void AeadIncrementExpIV(WOLFSSL* ssl) 13113 13665 { … … 13882 14434 c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, 13883 14435 ssl->decrypt.additional + AEAD_LEN_OFFSET); 13884 XMEMCPY(ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV, 13885 AESGCM_IMP_IV_SZ); 14436 14437 #if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION) 14438 if (ssl->options.dtls && IsDtlsMsgSCRKeys(ssl)) 14439 XMEMCPY(ssl->decrypt.nonce, 14440 ssl->secure_renegotiation->tmp_keys.aead_dec_imp_IV, 14441 AESGCM_IMP_IV_SZ); 14442 else 14443 #endif 14444 XMEMCPY(ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV, 14445 AESGCM_IMP_IV_SZ); 13886 14446 XMEMCPY(ssl->decrypt.nonce + AESGCM_IMP_IV_SZ, input, 13887 14447 AESGCM_EXP_IV_SZ); … … 14007 14567 case CIPHER_STATE_DO: 14008 14568 { 14569 #if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION) 14570 if (ssl->options.dtls && DtlsSCRKeysSet(ssl)) { 14571 /* For epochs >1 the current cipher parameters are located in 14572 * ssl->secure_renegotiation->tmp_keys. Previous cipher 14573 * parameters and for epoch 1 use ssl->keys */ 14574 if (ssl->keys.curEpoch == 14575 ssl->secure_renegotiation->tmp_keys.dtls_epoch) { 14576 if (ssl->decrypt.src != SCR) { 14577 ssl->secure_renegotiation->cache_status = 14578 SCR_CACHE_NEEDED; 14579 if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) 14580 break; 14581 } 14582 } 14583 else { 14584 if (ssl->decrypt.src != KEYS) { 14585 ssl->secure_renegotiation->cache_status = 14586 SCR_CACHE_NULL; 14587 if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) 14588 break; 14589 } 14590 } 14591 } 14592 #endif 14593 14009 14594 ret = DecryptDo(ssl, plain, input, sz); 14010 14595 … … 14242 14827 * the size to make sure is valid. */ 14243 14828 ret = ssl->hmac(ssl, verify, input, pLen - macSz - padLen - 1, padLen, 14244 content, 1 );14829 content, 1, PEER_ORDER); 14245 14830 good |= MaskMac(input, pLen, ssl->specs.hash_size, verify); 14246 14831 … … 14275 14860 #ifdef WOLFSSL_EARLY_DATA 14276 14861 if (ssl->options.tls1_3 && ssl->options.handShakeDone == 0) { 14277 i f (ssl->options.side == WOLFSSL_SERVER_END &&14278 ssl->earlyData != no_early_data && 14279 ssl->options.clientState < CLIENT_FINISHED_COMPLETE) {14862 int process = 0; 14863 14864 if (ssl->options.side == WOLFSSL_SERVER_END) { 14280 14865 ssl->earlyDataSz += ssl->curSize; 14281 if (ssl->earlyDataSz <= ssl->options.maxEarlyDataSz) { 14866 if ((ssl->earlyData != no_early_data) && 14867 (ssl->options.clientState == CLIENT_HELLO_COMPLETE)) { 14868 process = 1; 14869 } 14870 if (!process && (ssl->earlyDataSz <= ssl->options.maxEarlyDataSz)) { 14282 14871 WOLFSSL_MSG("Ignoring EarlyData!"); 14283 14872 *inOutIdx = ssl->buffers.inputBuffer.length; 14284 14873 return 0; 14285 14874 } 14286 WOLFSSL_MSG("Too much EarlyData!"); 14287 } 14288 } 14875 if (ssl->earlyDataSz > ssl->options.maxEarlyDataSz) { 14876 WOLFSSL_MSG("Too much EarlyData!"); 14877 process = 0; 14878 } 14879 } 14880 if (!process) { 14881 WOLFSSL_MSG("Received App data before a handshake completed"); 14882 SendAlert(ssl, alert_fatal, unexpected_message); 14883 return OUT_OF_ORDER_E; 14884 } 14885 } 14886 else 14289 14887 #endif 14290 14888 if (ssl->options.handShakeDone == 0) { … … 14360 14958 14361 14959 *inOutIdx = idx; 14960 #ifdef HAVE_SECURE_RENEGOTIATION 14961 if (IsSCR(ssl)) { 14962 /* Reset the processReply state since 14963 * we finished processing this message. */ 14964 ssl->options.processReply = doProcessInit; 14965 /* If we are in a secure renegotiation then APP DATA is treated 14966 * differently */ 14967 return APP_DATA_READY; 14968 } 14969 #endif 14362 14970 return 0; 14363 14971 } … … 14533 15141 } 14534 15142 14535 ret = ssl->hmac(ssl, verify, input, msgSz - digestSz, -1, content, 1 );15143 ret = ssl->hmac(ssl, verify, input, msgSz - digestSz, -1, content, 1, PEER_ORDER); 14536 15144 ret |= ConstantCompare(verify, input + msgSz - digestSz, digestSz); 14537 15145 if (ret != 0) { … … 14586 15194 } 14587 15195 PadCheck(dummy, (byte)pad, MAX_PAD_SIZE); /* timing only */ 14588 ret = ssl->hmac(ssl, verify, input, msgSz - digestSz - pad - 1, pad,14589 content, 1);15196 ret = ssl->hmac(ssl, verify, input, msgSz - digestSz - pad - 1, 15197 pad, content, 1, PEER_ORDER); 14590 15198 if (ConstantCompare(verify, input + msgSz - digestSz - pad - 1, 14591 15199 digestSz) != 0) … … 14596 15204 } 14597 15205 else if (ssl->specs.cipher_type == stream) { 14598 ret = ssl->hmac(ssl, verify, input, msgSz - digestSz, -1, content, 1); 15206 ret = ssl->hmac(ssl, verify, input, msgSz - digestSz, -1, content, 1, 15207 PEER_ORDER); 14599 15208 if (ConstantCompare(verify, input + msgSz - digestSz, digestSz) != 0){ 14600 15209 return VERIFY_MAC_ERROR; … … 14639 15248 14640 15249 if (ssl->error != 0 && ssl->error != WANT_READ && ssl->error != WANT_WRITE 15250 #ifdef HAVE_SECURE_RENEGOTIATION 15251 && ssl->error != APP_DATA_READY 15252 #endif 14641 15253 #ifdef WOLFSSL_ASYNC_CRYPT 14642 15254 && ssl->error != WC_PENDING_E … … 14649 15261 return ssl->error; 14650 15262 } 15263 15264 #if defined(WOLFSSL_DTLS) && defined(WOLFSSL_ASYNC_CRYPT) 15265 /* process any pending DTLS messages - this flow can happen with async */ 15266 if (ssl->dtls_rx_msg_list != NULL) { 15267 ret = DtlsMsgDrain(ssl); 15268 if (ret != 0) { 15269 WOLFSSL_ERROR(ret); 15270 return ret; 15271 } 15272 } 15273 #endif 14651 15274 14652 15275 for (;;) { … … 14770 15393 #endif /* WOLFSSL_DTLS_DROP_STATS */ 14771 15394 14772 if (IsDtlsNotSctpMode(ssl) && ssl->options.dtlsHsRetain) {14773 ret = DtlsMsgPoolSend(ssl, 0);14774 if (ret != 0)14775 return ret;14776 }14777 14778 15395 continue; 14779 15396 } … … 14819 15436 14820 15437 if (IsEncryptionOn(ssl, 0)) { 15438 #if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS) 14821 15439 int tooLong = 0; 15440 #endif 14822 15441 14823 15442 #ifdef WOLFSSL_TLS13 … … 14832 15451 tooLong = ssl->curSize > MAX_TLS_CIPHER_SZ; 14833 15452 #endif 15453 #if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS) 14834 15454 if (tooLong) { 14835 15455 WOLFSSL_MSG("Encrypted data too long"); 14836 #if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS)14837 15456 SendAlert(ssl, alert_fatal, record_overflow); 14838 #endif14839 15457 return BUFFER_ERROR; 14840 15458 } 15459 #endif 14841 15460 } 14842 15461 ssl->keys.padSz = 0; … … 14888 15507 case decryptMessage: 14889 15508 14890 #if !defined(WOLFSSL_TLS13) || defined(WOLFSSL_TLS13_DRAFT_18)14891 if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0)14892 #else14893 15509 if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 && 14894 15510 (!IsAtLeastTLSv1_3(ssl->version) || 14895 15511 ssl->curRL.type != change_cipher_spec)) 14896 #endif14897 15512 { 14898 15513 bufferStatic* in = &ssl->buffers.inputBuffer; … … 14937 15552 in->buffer + in->idx, 14938 15553 ssl->curSize - digestSz); 14939 ssl->keys.padSz = 14940 in->buffer[in->idx + ssl->curSize - digestSz - 1]; 14941 ssl->keys.padSz += 1; 14942 ssl->keys.decryptedCur = 1; 15554 if (ret == 0) { 15555 ssl->keys.padSz = 15556 in->buffer[in->idx + ssl->curSize - 15557 digestSz - 1]; 15558 ssl->keys.padSz += 1; 15559 ssl->keys.decryptedCur = 1; 15560 } 14943 15561 } 14944 15562 else … … 14957 15575 { 14958 15576 #ifdef WOLFSSL_TLS13 14959 #if defined(WOLFSSL_TLS13_DRAFT_18) || \14960 defined(WOLFSSL_TLS13_DRAFT_22) || \14961 defined(WOLFSSL_TLS13_DRAFT_23)14962 ret = DecryptTls13(ssl,14963 in->buffer + in->idx,14964 in->buffer + in->idx,14965 ssl->curSize, NULL, 0);14966 #else14967 15577 ret = DecryptTls13(ssl, 14968 15578 in->buffer + in->idx, … … 14970 15580 ssl->curSize, 14971 15581 (byte*)&ssl->curRL, RECORD_HEADER_SZ); 14972 #endif14973 15582 #else 14974 15583 ret = DECRYPT_ERROR; … … 15041 15650 case verifyMessage: 15042 15651 15043 #if !defined(WOLFSSL_TLS13) || defined(WOLFSSL_TLS13_DRAFT_18)15044 if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0)15045 #else15046 15652 if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 && 15047 15653 (!IsAtLeastTLSv1_3(ssl->version) || 15048 15654 ssl->curRL.type != change_cipher_spec)) 15049 #endif15050 15655 { 15051 15656 if (!atomicUser … … 15091 15696 word16 i = (word16)(ssl->buffers.inputBuffer.length - 15092 15697 ssl->keys.padSz); 15698 15699 /* sanity check on underflow */ 15700 if (ssl->keys.padSz >= ssl->buffers.inputBuffer.length) { 15701 WOLFSSL_ERROR(DECRYPT_ERROR); 15702 return DECRYPT_ERROR; 15703 } 15704 15093 15705 /* Remove padding from end of plain text. */ 15094 15706 for (--i; i > ssl->buffers.inputBuffer.idx; i--) { … … 15111 15723 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) 15112 15724 if (IsEncryptionOn(ssl, 0) && ssl->options.startedETMRead) { 15113 if (ssl->buffers.inputBuffer.length - ssl->keys.padSz - 15114 ssl->buffers.inputBuffer.idx - 15115 MacSize(ssl) > MAX_PLAINTEXT_SZ) { 15725 if ((ssl->buffers.inputBuffer.length - 15726 ssl->keys.padSz - 15727 MacSize(ssl) - 15728 ssl->buffers.inputBuffer.idx > MAX_PLAINTEXT_SZ) 15729 #ifdef WOLFSSL_ASYNC_CRYPT 15730 && ssl->buffers.inputBuffer.length != 15731 ssl->buffers.inputBuffer.idx 15732 #endif 15733 ) { 15116 15734 WOLFSSL_MSG("Plaintext too long - Encrypt-Then-MAC"); 15117 15735 #if defined(WOLFSSL_EXTRA_ALERTS) … … 15123 15741 else 15124 15742 #endif 15125 if (ssl->buffers.inputBuffer.length - ssl->keys.padSz - 15126 ssl->buffers.inputBuffer.idx > MAX_PLAINTEXT_SZ) { 15743 if (ssl->buffers.inputBuffer.length - 15744 ssl->keys.padSz - 15745 ssl->buffers.inputBuffer.idx > MAX_PLAINTEXT_SZ 15746 #ifdef WOLFSSL_ASYNC_CRYPT 15747 && ssl->buffers.inputBuffer.length != 15748 ssl->buffers.inputBuffer.idx 15749 #endif 15750 ) { 15127 15751 WOLFSSL_MSG("Plaintext too long"); 15128 15752 #if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS) … … 15132 15756 } 15133 15757 15134 15758 #ifdef WOLFSSL_DTLS 15135 15759 if (IsDtlsNotSctpMode(ssl)) { 15136 15760 DtlsUpdateWindow(ssl); 15137 15761 } 15138 15762 #endif /* WOLFSSL_DTLS */ 15139 15763 15140 15764 WOLFSSL_MSG("received record layer msg"); … … 15142 15766 switch (ssl->curRL.type) { 15143 15767 case handshake : 15768 WOLFSSL_MSG("got HANDSHAKE"); 15144 15769 /* debugging in DoHandShakeMsg */ 15145 15770 if (ssl->options.dtls) { … … 15151 15776 #endif 15152 15777 } 15153 else if (!IsAtLeastTLSv1_3(ssl->version)) { 15778 else if (!IsAtLeastTLSv1_3(ssl->version) 15779 #if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_TLS12) 15780 || !TLSv1_3_Capable(ssl) 15781 #endif 15782 ) { 15154 15783 #ifndef WOLFSSL_NO_TLS12 15155 15784 ret = DoHandShakeMsg(ssl, … … 15163 15792 else { 15164 15793 #ifdef WOLFSSL_TLS13 15794 ssl->msgsReceived.got_change_cipher = 0; 15165 15795 ret = DoTls13HandShakeMsg(ssl, 15166 15796 ssl->buffers.inputBuffer.buffer, … … 15182 15812 #endif 15183 15813 } 15184 if (ret != 0) { 15814 if (ret != 0 15815 #ifdef WOLFSSL_ASYNC_CRYPT 15816 /* In async case, on pending, move onto next message. 15817 * Current message should have been DtlsMsgStore'ed and 15818 * should be processed with DtlsMsgDrain */ 15819 && (!ssl->options.dtls 15820 || ret != WC_PENDING_E) 15821 #endif 15822 ) { 15185 15823 WOLFSSL_ERROR(ret); 15186 15824 return ret; … … 15198 15836 change_cipher_spec, 15199 15837 ssl->buffers.inputBuffer.buffer + 15200 ssl->buffers.inputBuffer.idx - RECORD_HEADER_SZ, 15838 ssl->buffers.inputBuffer.idx - RECORD_HEADER_SZ - 15839 (ssl->options.dtls ? DTLS_RECORD_EXTRA : 0), 15201 15840 1 + RECORD_HEADER_SZ, READ_PROTO, ssl->heap); 15202 15841 #ifdef WOLFSSL_CALLBACKS … … 15207 15846 15208 15847 #ifdef WOLFSSL_TLS13 15209 #ifdef WOLFSSL_TLS13_DRAFT_1815210 if (IsAtLeastTLSv1_3(ssl->version)) {15211 SendAlert(ssl, alert_fatal, illegal_parameter);15212 return UNKNOWN_RECORD_TYPE;15213 }15214 #else15215 15848 if (IsAtLeastTLSv1_3(ssl->version)) { 15216 15849 word32 i = ssl->buffers.inputBuffer.idx; … … 15225 15858 } 15226 15859 ssl->buffers.inputBuffer.idx++; 15860 if (!ssl->msgsReceived.got_change_cipher) { 15861 ssl->msgsReceived.got_change_cipher = 1; 15862 } 15863 else { 15864 SendAlert(ssl, alert_fatal, illegal_parameter); 15865 return UNKNOWN_RECORD_TYPE; 15866 } 15227 15867 break; 15228 15868 } 15229 #endif15230 15869 #endif 15231 15870 15232 15871 #ifndef WOLFSSL_NO_TLS12 15872 if (ssl->buffers.inputBuffer.buffer[ 15873 ssl->buffers.inputBuffer.idx] != 1) { 15874 WOLFSSL_MSG("ChangeCipher msg wrong value"); 15875 return LENGTH_ERROR; 15876 } 15877 15878 if (IsEncryptionOn(ssl, 0) && ssl->options.handShakeDone) { 15879 #ifdef HAVE_AEAD 15880 if (ssl->specs.cipher_type == aead) { 15881 if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) 15882 ssl->curSize -= AESGCM_EXP_IV_SZ; 15883 ssl->buffers.inputBuffer.idx += ssl->specs.aead_mac_size; 15884 ssl->curSize -= ssl->specs.aead_mac_size; 15885 } 15886 else 15887 #endif 15888 { 15889 ssl->buffers.inputBuffer.idx += ssl->keys.padSz; 15890 ssl->curSize -= (word16)ssl->keys.padSz; 15891 ssl->curSize -= ssl->specs.iv_size; 15892 } 15893 15894 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) 15895 if (ssl->options.startedETMRead) { 15896 word32 digestSz = MacSize(ssl); 15897 ssl->buffers.inputBuffer.idx += digestSz; 15898 ssl->curSize -= digestSz; 15899 } 15900 #endif 15901 } 15902 15903 if (ssl->curSize != 1) { 15904 WOLFSSL_MSG("Malicious or corrupted ChangeCipher msg"); 15905 return LENGTH_ERROR; 15906 } 15907 15908 ssl->buffers.inputBuffer.idx++; 15909 15233 15910 ret = SanityCheckMsgReceived(ssl, change_cipher_hs); 15234 15911 if (ret != 0) { … … 15243 15920 if (ret != DUPLICATE_MSG_E && ret != OUT_OF_ORDER_E) 15244 15921 return ret; 15245 15246 if (IsDtlsNotSctpMode(ssl)) { 15247 ret = DtlsMsgPoolSend(ssl, 1); 15248 if (ret != 0) 15249 return ret; 15250 } 15251 15252 if (ssl->curSize != 1) { 15253 WOLFSSL_MSG("Malicious or corrupted" 15254 " duplicate ChangeCipher msg"); 15255 return LENGTH_ERROR; 15256 } 15257 ssl->buffers.inputBuffer.idx++; 15922 /* Reset error */ 15923 ret = 0; 15258 15924 break; 15259 15925 #endif /* WOLFSSL_DTLS */ … … 15261 15927 } 15262 15928 15263 if (IsEncryptionOn(ssl, 0) && ssl->options.handShakeDone) {15264 ssl->buffers.inputBuffer.idx += ssl->keys.padSz;15265 ssl->curSize -= (word16) ssl->buffers.inputBuffer.idx;15266 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)15267 if (ssl->options.startedETMRead) {15268 word32 digestSz = MacSize(ssl);15269 ssl->buffers.inputBuffer.idx += digestSz;15270 ssl->curSize -= digestSz;15271 }15272 #endif15273 }15274 15275 if (ssl->curSize != 1) {15276 WOLFSSL_MSG("Malicious or corrupted ChangeCipher msg");15277 return LENGTH_ERROR;15278 }15279 15280 ssl->buffers.inputBuffer.idx++;15281 15929 ssl->keys.encryptionOn = 1; 15282 15930 … … 15332 15980 #ifdef WOLFSSL_DTLS 15333 15981 if (ssl->options.dtls && ssl->options.dtlsHsRetain) { 15982 #ifdef HAVE_SECURE_RENEGOTIATION 15983 /* 15984 * Only free HS resources when not in the process of a 15985 * secure renegotiation and we have received APP DATA 15986 * from the current epoch 15987 */ 15988 if (!IsSCR(ssl) && (DtlsUseSCRKeys(ssl) 15989 || !DtlsSCRKeysSet(ssl))) { 15990 FreeHandshakeResources(ssl); 15991 ssl->options.dtlsHsRetain = 0; 15992 } 15993 #else 15334 15994 FreeHandshakeResources(ssl); 15335 15995 ssl->options.dtlsHsRetain = 0; 15996 #endif 15336 15997 } 15337 15998 #endif … … 15367 16028 if (type == decrypt_error) 15368 16029 return FATAL_ERROR; 16030 16031 /* Reset error if we got an alert level in ret */ 16032 if (ret > 0) 16033 ret = 0; 15369 16034 break; 15370 16035 … … 15376 16041 ssl->options.processReply = doProcessInit; 15377 16042 15378 /* input exhausted? */ 15379 if (ssl->buffers.inputBuffer.idx >= ssl->buffers.inputBuffer.length) 15380 return 0; 16043 /* input exhausted */ 16044 if (ssl->buffers.inputBuffer.idx >= ssl->buffers.inputBuffer.length 16045 #ifdef WOLFSSL_DTLS 16046 /* If app data was processed then return now to avoid 16047 * dropping any app data. */ 16048 || (ssl->options.dtls && ssl->curRL.type == application_data) 16049 #endif 16050 ) 16051 return ret; 15381 16052 15382 16053 /* more messages per record */ … … 15413 16084 } 15414 16085 } 15415 15416 continue;15417 16086 } 15418 16087 /* more records */ 15419 16088 else { 15420 16089 WOLFSSL_MSG("More records in input"); 15421 ssl->options.processReply = doProcessInit; 15422 continue; 15423 } 15424 16090 } 16091 #ifdef WOLFSSL_ASYNC_CRYPT 16092 /* We are setup to read next message/record but we had an error 16093 * (probably WC_PENDING_E) so return that so it can be handled 16094 * by higher layers. */ 16095 if (ret != 0) 16096 return ret; 16097 #endif 16098 continue; 15425 16099 default: 15426 16100 WOLFSSL_MSG("Bad process input state, programming error"); … … 15432 16106 15433 16107 16108 #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) || \ 16109 (defined(WOLFSSL_TLS13) && defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)) 15434 16110 int SendChangeCipher(WOLFSSL* ssl) 15435 16111 { … … 15474 16150 ssl->buffers.outputBuffer.length; 15475 16151 15476 AddRecordHeader(output, 1, change_cipher_spec, ssl );16152 AddRecordHeader(output, 1, change_cipher_spec, ssl, CUR_ORDER); 15477 16153 15478 16154 output[idx] = 1; /* turn it on */ … … 15483 16159 15484 16160 input[0] = 1; /* turn it on */ 16161 #ifdef WOLFSSL_DTLS 16162 if (IsDtlsNotSctpMode(ssl) && 16163 (ret = DtlsMsgPoolSave(ssl, input, inputSz, change_cipher_hs)) != 0) { 16164 return ret; 16165 } 16166 #endif 15485 16167 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 15486 change_cipher_spec, 0, 0, 0 );16168 change_cipher_spec, 0, 0, 0, CUR_ORDER); 15487 16169 if (sendSz < 0) { 15488 16170 return sendSz; 15489 16171 } 15490 16172 } 15491 15492 16173 #ifdef WOLFSSL_DTLS 16174 else { 15493 16175 if (IsDtlsNotSctpMode(ssl)) { 16176 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, change_cipher_hs)) != 0) 16177 return ret; 15494 16178 DtlsSEQIncrement(ssl, CUR_ORDER); 15495 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) 15496 return ret; 15497 } 16179 } 16180 } 15498 16181 #endif 15499 16182 #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) … … 15505 16188 ssl->buffers.outputBuffer.length += sendSz; 15506 16189 16190 #ifdef WOLFSSL_TLS13 16191 if (!ssl->options.tls1_3) 16192 #endif 16193 { 16194 /* setup encrypt keys */ 16195 if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) 16196 return ret; 16197 16198 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) 16199 ssl->options.startedETMWrite = ssl->options.encThenMac; 16200 #endif 16201 } 16202 15507 16203 if (ssl->options.groupMessages) 15508 16204 return 0; … … 15517 16213 return SendBuffered(ssl); 15518 16214 } 16215 #endif 15519 16216 15520 16217 15521 16218 #if !defined(NO_OLD_TLS) && !defined(WOLFSSL_AEAD_ONLY) 15522 16219 static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, 15523 int padLen, int content, int verify )16220 int padLen, int content, int verify, int epochOrder) 15524 16221 { 15525 16222 byte result[WC_MAX_DIGEST_SIZE]; … … 15534 16231 byte seq[SEQ_SZ]; 15535 16232 byte conLen[ENUM_LEN + LENGTH_SZ]; /* content & length */ 15536 const byte* macSecret = wolfSSL_GetMacSecret(ssl, verify);16233 const byte* macSecret = NULL; 15537 16234 15538 16235 (void)padLen; … … 15543 16240 #endif 15544 16241 16242 #ifdef WOLFSSL_DTLS 16243 if (ssl->options.dtls) 16244 macSecret = wolfSSL_GetDtlsMacSecret(ssl, verify, epochOrder); 16245 else 16246 macSecret = wolfSSL_GetMacSecret(ssl, verify); 16247 #else 16248 macSecret = wolfSSL_GetMacSecret(ssl, verify); 16249 #endif 16250 15545 16251 XMEMSET(seq, 0, SEQ_SZ); 15546 16252 conLen[0] = (byte)content; 15547 16253 c16toa((word16)sz, &conLen[ENUM_LEN]); 15548 WriteSEQ(ssl, verify, seq);16254 WriteSEQ(ssl, epochOrder, seq); 15549 16255 15550 16256 if (ssl->specs.mac_algorithm == md5_mac) { … … 15635 16341 } 15636 16342 #endif /* !NO_OLD_TLS && !WOLFSSL_AEAD_ONLY */ 15637 15638 15639 #ifndef NO_CERTS15640 16343 15641 16344 #if !defined(NO_MD5) && !defined(NO_OLD_TLS) … … 15781 16484 } 15782 16485 15783 #endif /* !NO_CERTS */15784 15785 16486 #ifndef WOLFSSL_NO_TLS12 15786 /* Persistable BuildMessage arguments */ 15787 typedef struct BuildMsgArgs { 15788 word32 digestSz; 15789 word32 sz; 15790 word32 pad; 15791 word32 idx; 15792 word32 headerSz; 15793 word16 size; 15794 word32 ivSz; /* TLSv1.1 IV */ 15795 byte* iv; 15796 } BuildMsgArgs; 15797 15798 static void FreeBuildMsgArgs(WOLFSSL* ssl, void* pArgs) 16487 void FreeBuildMsgArgs(WOLFSSL* ssl, BuildMsgArgs* args) 15799 16488 { 15800 BuildMsgArgs* args = (BuildMsgArgs*)pArgs; 15801 15802 (void)ssl; 15803 (void)args; 15804 15805 if (args->iv) { 15806 XFREE(args->iv, ssl->heap, DYNAMIC_TYPE_SALT); 15807 args->iv = NULL; 16489 if (args) { 16490 if (ssl && args->iv) 16491 XFREE(args->iv, ssl->heap, DYNAMIC_TYPE_SALT); 16492 XMEMSET(args, 0, sizeof(BuildMsgArgs)); 15808 16493 } 15809 16494 } … … 15812 16497 /* Build SSL Message, encrypted */ 15813 16498 int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input, 15814 int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay) 16499 int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay, 16500 int epochOrder) 15815 16501 { 15816 16502 #ifndef WOLFSSL_NO_TLS12 … … 15819 16505 BuildMsgArgs lcl_args; 15820 16506 #ifdef WOLFSSL_ASYNC_CRYPT 15821 args = (BuildMsgArgs*)ssl->async.args; 15822 typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; 15823 (void)sizeof(args_test); 16507 args = &ssl->async.buildArgs; 15824 16508 #endif 15825 16509 #endif … … 15830 16514 return BAD_FUNC_ARG; 15831 16515 } 16516 16517 (void)epochOrder; 15832 16518 15833 16519 #ifdef WOLFSSL_NO_TLS12 … … 15867 16553 args->idx = RECORD_HEADER_SZ; 15868 16554 args->headerSz = RECORD_HEADER_SZ; 15869 #ifdef WOLFSSL_ASYNC_CRYPT15870 ssl->async.freeArgs = FreeBuildMsgArgs;15871 #endif15872 16555 } 15873 16556 … … 15883 16566 ERROR_OUT(BAD_FUNC_ARG, exit_buildmsg); 15884 16567 } 16568 #if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION) 16569 if (ssl->options.dtls && DtlsSCRKeysSet(ssl)) { 16570 /* For epochs >1 the current cipher parameters are located in 16571 * ssl->secure_renegotiation->tmp_keys. Previous cipher 16572 * parameters and for epoch 1 use ssl->keys */ 16573 switch (epochOrder) { 16574 case PREV_ORDER: 16575 if (ssl->encrypt.src != KEYS) { 16576 ssl->secure_renegotiation->cache_status = 16577 SCR_CACHE_NULL; 16578 if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) 16579 ERROR_OUT(ret, exit_buildmsg); 16580 } 16581 break; 16582 case CUR_ORDER: 16583 if (ssl->keys.dtls_epoch == 16584 ssl->secure_renegotiation->tmp_keys.dtls_epoch) { 16585 if (ssl->encrypt.src != SCR) { 16586 ssl->secure_renegotiation->cache_status = 16587 SCR_CACHE_NEEDED; 16588 if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) 16589 != 0) 16590 ERROR_OUT(ret, exit_buildmsg); 16591 } 16592 } 16593 else { 16594 if (ssl->encrypt.src != KEYS) { 16595 ssl->secure_renegotiation->cache_status = 16596 SCR_CACHE_NULL; 16597 if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) 16598 != 0) 16599 ERROR_OUT(ret, exit_buildmsg); 16600 } 16601 } 16602 break; 16603 default: 16604 WOLFSSL_MSG("BuildMessage only supports PREV_ORDER and " 16605 "CUR_ORDER"); 16606 ERROR_OUT(BAD_FUNC_ARG, exit_buildmsg); 16607 } 16608 } 16609 #endif 15885 16610 15886 16611 ssl->options.buildMsgState = BUILD_MSG_SIZE; … … 15970 16695 15971 16696 args->size = (word16)(args->sz - args->headerSz); /* include mac and digest */ 15972 AddRecordHeader(output, args->size, (byte)type, ssl );16697 AddRecordHeader(output, args->size, (byte)type, ssl, epochOrder); 15973 16698 15974 16699 /* write to output */ … … 16065 16790 ret = ssl->hmac(ssl, hmac, 16066 16791 output + args->headerSz + args->ivSz, inSz, 16067 -1, type, 0 );16792 -1, type, 0, epochOrder); 16068 16793 XMEMCPY(output + args->idx, hmac, args->digestSz); 16069 16794 … … 16076 16801 { 16077 16802 ret = ssl->hmac(ssl, output + args->idx, output + 16078 args->headerSz + args->ivSz, inSz, -1, type, 0 );16803 args->headerSz + args->ivSz, inSz, -1, type, 0, epochOrder); 16079 16804 } 16080 16805 } … … 16088 16813 case BUILD_MSG_ENCRYPT: 16089 16814 { 16815 #if defined(HAVE_SECURE_RENEGOTIATION) && defined(WOLFSSL_DTLS) 16816 /* If we want the PREV_ORDER then modify CUR_ORDER sequence number 16817 * for all encryption algos that use it for encryption parameters */ 16818 word16 dtls_epoch = 0; 16819 word16 dtls_sequence_number_hi = 0; 16820 word32 dtls_sequence_number_lo = 0; 16821 int swap_seq = ssl->options.dtls && epochOrder == PREV_ORDER && 16822 DtlsUseSCRKeys(ssl); 16823 if (swap_seq) { 16824 dtls_epoch = ssl->keys.dtls_epoch; 16825 dtls_sequence_number_hi = ssl->keys.dtls_sequence_number_hi; 16826 dtls_sequence_number_lo = ssl->keys.dtls_sequence_number_lo; 16827 ssl->keys.dtls_epoch--; 16828 ssl->keys.dtls_sequence_number_hi = 16829 ssl->keys.dtls_prev_sequence_number_hi; 16830 ssl->keys.dtls_sequence_number_lo = 16831 ssl->keys.dtls_prev_sequence_number_lo; 16832 } 16833 #endif 16090 16834 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) 16091 16835 if (ssl->options.startedETMWrite) { … … 16100 16844 output + args->headerSz, args->size, asyncOkay); 16101 16845 } 16846 #if defined(HAVE_SECURE_RENEGOTIATION) && defined(WOLFSSL_DTLS) 16847 /* Restore sequence numbers */ 16848 if (swap_seq) { 16849 ssl->keys.dtls_epoch = dtls_epoch; 16850 ssl->keys.dtls_sequence_number_hi = dtls_sequence_number_hi; 16851 ssl->keys.dtls_sequence_number_lo = dtls_sequence_number_lo; 16852 } 16853 #endif 16102 16854 if (ret != 0) 16103 16855 goto exit_buildmsg; … … 16129 16881 ret = ssl->hmac(ssl, hmac, output + args->headerSz, 16130 16882 args->ivSz + inSz + args->pad + 1, -1, type, 16131 0 );16883 0, epochOrder); 16132 16884 XMEMCPY(output + args->idx + args->pad + 1, hmac, 16133 16885 args->digestSz); … … 16143 16895 output + args->headerSz, 16144 16896 args->ivSz + inSz + args->pad + 1, -1, type, 16145 0 );16897 0, epochOrder); 16146 16898 } 16147 16899 } … … 16165 16917 #ifdef WOLFSSL_DTLS 16166 16918 if (ret == 0 && ssl->options.dtls) 16167 DtlsSEQIncrement(ssl, CUR_ORDER);16919 DtlsSEQIncrement(ssl, epochOrder); 16168 16920 #endif 16169 16921 … … 16174 16926 /* Final cleanup */ 16175 16927 FreeBuildMsgArgs(ssl, args); 16176 #ifdef WOLFSSL_ASYNC_CRYPT16177 ssl->async.freeArgs = NULL;16178 #endif16179 16928 16180 16929 return ret; … … 16199 16948 WOLFSSL_ENTER("SendFinished"); 16200 16949 16201 /* setup encrypt keys */16202 if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)16203 return ret;16204 16205 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)16206 ssl->options.startedETMWrite = ssl->options.encThenMac;16207 #endif16208 16209 16950 /* check for available size */ 16210 16951 outputSz = sizeof(input) + MAX_MSG_EXTRA; … … 16247 16988 } 16248 16989 #endif 16990 #ifdef OPENSSL_ALL 16991 if (ssl->options.side == WOLFSSL_CLIENT_END) 16992 XMEMCPY(ssl->clientFinished, 16993 hashes, TLS_FINISHED_SZ); 16994 else 16995 XMEMCPY(ssl->serverFinished, 16996 hashes, TLS_FINISHED_SZ); 16997 #endif 16249 16998 16250 16999 #ifdef WOLFSSL_DTLS 16251 17000 if (IsDtlsNotSctpMode(ssl)) { 16252 if ((ret = DtlsMsgPoolSave(ssl, input, headerSz + finishedSz )) != 0)17001 if ((ret = DtlsMsgPoolSave(ssl, input, headerSz + finishedSz, finished)) != 0) 16253 17002 return ret; 16254 17003 } … … 16256 17005 16257 17006 sendSz = BuildMessage(ssl, output, outputSz, input, headerSz + finishedSz, 16258 handshake, 1, 0, 0 );17007 handshake, 1, 0, 0, CUR_ORDER); 16259 17008 if (sendSz < 0) 16260 17009 return BUILD_MSG_ERROR; … … 16298 17047 16299 17048 ret = SendBuffered(ssl); 17049 17050 #ifdef WOLFSSL_DTLS 17051 if ((!ssl->options.resuming && 17052 ssl->options.side == WOLFSSL_SERVER_END) || 17053 (ssl->options.resuming && 17054 ssl->options.side == WOLFSSL_CLIENT_END)) { 17055 ssl->keys.dtls_handshake_number = 0; 17056 ssl->keys.dtls_expected_peer_handshake_number = 0; 17057 } 17058 #endif 16300 17059 16301 17060 WOLFSSL_LEAVE("SendFinished", ret); … … 16443 17202 #endif /* !NO_WOLFSSL_SERVER */ 16444 17203 17204 #if (!defined(WOLFSSL_NO_TLS12) && !defined(NO_CERTS)) \ 17205 || (defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER)) 17206 static int cipherExtraData(WOLFSSL* ssl) 17207 { 17208 /* Cipher data that may be added by BuildMessage */ 17209 return ssl->specs.hash_size + ssl->specs.block_size + 17210 ssl->specs.aead_mac_size + ssl->specs.iv_size + 17211 ssl->specs.pad_size; 17212 } 17213 #endif 17214 16445 17215 #ifndef WOLFSSL_NO_TLS12 16446 17216 … … 16554 17324 } 16555 17325 17326 if (IsEncryptionOn(ssl, 1)) 17327 sendSz += cipherExtraData(ssl); 17328 16556 17329 /* check for available size */ 16557 17330 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) … … 16566 17339 AddFragHeaders(output, fragSz, 0, payloadSz, certificate, ssl); 16567 17340 if (!IsEncryptionOn(ssl, 1)) 16568 Hash OutputRaw(ssl, output + RECORD_HEADER_SZ,17341 HashRaw(ssl, output + RECORD_HEADER_SZ, 16569 17342 HANDSHAKE_HEADER_SZ); 16570 17343 } … … 16572 17345 #ifdef WOLFSSL_DTLS 16573 17346 AddHeaders(output, payloadSz, certificate, ssl); 16574 if (!IsEncryptionOn(ssl, 1)) 16575 HashOutputRaw(ssl, 16576 output + RECORD_HEADER_SZ + DTLS_RECORD_EXTRA, 16577 HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA); 17347 HashRaw(ssl, 17348 output + RECORD_HEADER_SZ + DTLS_RECORD_EXTRA, 17349 HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA); 16578 17350 /* Adding the headers increments these, decrement them for 16579 17351 * actual message header. */ … … 16586 17358 /* list total */ 16587 17359 c32to24(listSz, output + i); 16588 if ( !IsEncryptionOn(ssl, 1))16589 Hash OutputRaw(ssl, output + i, CERT_HEADER_SZ);17360 if (ssl->options.dtls || !IsEncryptionOn(ssl, 1)) 17361 HashRaw(ssl, output + i, CERT_HEADER_SZ); 16590 17362 i += CERT_HEADER_SZ; 16591 17363 length -= CERT_HEADER_SZ; … … 16593 17365 if (certSz) { 16594 17366 c32to24(certSz, output + i); 16595 if ( !IsEncryptionOn(ssl, 1))16596 Hash OutputRaw(ssl, output + i, CERT_HEADER_SZ);17367 if (ssl->options.dtls || !IsEncryptionOn(ssl, 1)) 17368 HashRaw(ssl, output + i, CERT_HEADER_SZ); 16597 17369 i += CERT_HEADER_SZ; 16598 17370 length -= CERT_HEADER_SZ; 16599 17371 fragSz -= CERT_HEADER_SZ; 16600 17372 16601 if ( !IsEncryptionOn(ssl, 1)) {16602 Hash OutputRaw(ssl, ssl->buffers.certificate->buffer, certSz);17373 if (ssl->options.dtls || !IsEncryptionOn(ssl, 1)) { 17374 HashRaw(ssl, ssl->buffers.certificate->buffer, certSz); 16603 17375 if (certChainSz) 16604 Hash OutputRaw(ssl, ssl->buffers.certChain->buffer,17376 HashRaw(ssl, ssl->buffers.certChain->buffer, 16605 17377 certChainSz); 16606 17378 } … … 16609 17381 else { 16610 17382 if (!ssl->options.dtls) { 16611 AddRecordHeader(output, fragSz, handshake, ssl );17383 AddRecordHeader(output, fragSz, handshake, ssl, CUR_ORDER); 16612 17384 } 16613 17385 else { … … 16642 17414 if (IsEncryptionOn(ssl, 1)) { 16643 17415 byte* input = NULL; 16644 int inputSz = i - RECORD_HEADER_SZ; /* build msg adds rec hdr */ 17416 int inputSz = i; /* build msg adds rec hdr */ 17417 int recordHeaderSz = RECORD_HEADER_SZ; 17418 17419 if (ssl->options.dtls) 17420 recordHeaderSz += DTLS_RECORD_EXTRA; 17421 inputSz -= recordHeaderSz; 16645 17422 16646 17423 if (inputSz < 0) { … … 16654 17431 if (input == NULL) 16655 17432 return MEMORY_E; 16656 XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); 16657 } 16658 17433 XMEMCPY(input, output + recordHeaderSz, inputSz); 17434 } 17435 17436 #ifndef WOLFSSL_DTLS 16659 17437 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 16660 handshake, 1, 0, 0); 16661 16662 if (inputSz > 0) 16663 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 17438 handshake, 1, 0, 0, CUR_ORDER); 17439 #else 17440 if (!ssl->options.dtls) 17441 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 17442 handshake, 1, 0, 0, CUR_ORDER); 17443 else /* DTLS 1.2 has to ignore fragmentation in hashing so we need to 17444 * calculate the hash ourselves above */ { 17445 if ((ret = DtlsMsgPoolSave(ssl, input, inputSz, certificate)) != 0) { 17446 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 17447 return ret; 17448 } 17449 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 17450 handshake, 0, 0, 0, CUR_ORDER); 17451 } 17452 #endif 17453 17454 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 16664 17455 16665 17456 if (sendSz < 0) … … 16667 17458 } 16668 17459 else { 17460 sendSz = i; 16669 17461 #ifdef WOLFSSL_DTLS 17462 if (IsDtlsNotSctpMode(ssl)) { 17463 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, certificate)) != 0) 17464 return ret; 17465 } 16670 17466 if (ssl->options.dtls) 16671 17467 DtlsSEQIncrement(ssl, CUR_ORDER); 16672 17468 #endif 16673 17469 } 16674 16675 #ifdef WOLFSSL_DTLS16676 if (IsDtlsNotSctpMode(ssl)) {16677 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0)16678 return ret;16679 }16680 #endif16681 17470 16682 17471 #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) … … 16720 17509 word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; 16721 17510 word32 dnLen = 0; 16722 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) 17511 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY) 16723 17512 WOLF_STACK_OF(WOLFSSL_X509_NAME)* names; 16724 17513 #endif … … 16733 17522 reqSz += LENGTH_SZ + ssl->suites->hashSigAlgoSz; 16734 17523 16735 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) 17524 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY) 16736 17525 /* Certificate Authorities */ 16737 17526 names = ssl->ctx->ca_names; … … 16762 17551 #endif 16763 17552 } 17553 17554 if (IsEncryptionOn(ssl, 1)) 17555 sendSz += cipherExtraData(ssl); 17556 16764 17557 /* check for available size */ 16765 17558 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) … … 16798 17591 c16toa((word16)dnLen, &output[i]); /* auth's */ 16799 17592 i += REQ_HEADER_SZ; 16800 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) 17593 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY) 16801 17594 names = ssl->ctx->ca_names; 16802 17595 while (names != NULL) { … … 16815 17608 16816 17609 if (IsEncryptionOn(ssl, 1)) { 16817 byte* input; 16818 int inputSz = i - RECORD_HEADER_SZ; /* build msg adds rec hdr */ 17610 byte* input = NULL; 17611 int inputSz = i; /* build msg adds rec hdr */ 17612 int recordHeaderSz = RECORD_HEADER_SZ; 17613 17614 if (ssl->options.dtls) 17615 recordHeaderSz += DTLS_RECORD_EXTRA; 17616 inputSz -= recordHeaderSz; 17617 17618 if (inputSz <= 0) { 17619 WOLFSSL_MSG("Send Cert Req bad inputSz"); 17620 return BUFFER_E; 17621 } 16819 17622 16820 17623 input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); … … 16822 17625 return MEMORY_E; 16823 17626 16824 XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); 17627 XMEMCPY(input, output + recordHeaderSz, inputSz); 17628 #ifdef WOLFSSL_DTLS 17629 if (IsDtlsNotSctpMode(ssl) && 17630 (ret = DtlsMsgPoolSave(ssl, input, inputSz, certificate_request)) != 0) { 17631 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 17632 return ret; 17633 } 17634 #endif 16825 17635 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 16826 handshake, 1, 0, 0 );17636 handshake, 1, 0, 0, CUR_ORDER); 16827 17637 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 16828 17638 … … 16830 17640 return sendSz; 16831 17641 } else { 17642 sendSz = i; 16832 17643 #ifdef WOLFSSL_DTLS 17644 if (IsDtlsNotSctpMode(ssl)) { 17645 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, certificate_request)) != 0) 17646 return ret; 17647 } 16833 17648 if (ssl->options.dtls) 16834 17649 DtlsSEQIncrement(ssl, CUR_ORDER); 16835 if (IsDtlsNotSctpMode(ssl)) {16836 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0)16837 return ret;16838 }16839 17650 #endif 16840 17651 ret = HashOutput(ssl, output, sendSz, 0); … … 16919 17730 if (IsEncryptionOn(ssl, 1)) { 16920 17731 byte* input; 16921 int inputSz = idx - RECORD_HEADER_SZ; 16922 17732 int inputSz = idx; /* build msg adds rec hdr */ 17733 int recordHeaderSz = RECORD_HEADER_SZ; 17734 17735 if (ssl->options.dtls) 17736 recordHeaderSz += DTLS_RECORD_EXTRA; 17737 inputSz -= recordHeaderSz; 16923 17738 input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 16924 17739 if (input == NULL) 16925 17740 return MEMORY_E; 16926 17741 16927 XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); 16928 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 16929 handshake, 1, 0, 0); 17742 XMEMCPY(input, output + recordHeaderSz, inputSz); 17743 #ifdef WOLFSSL_DTLS 17744 ret = DtlsMsgPoolSave(ssl, input, inputSz, certificate_status); 17745 #endif 17746 if (ret == 0) 17747 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 17748 handshake, 1, 0, 0, CUR_ORDER); 16930 17749 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 16931 17750 … … 16935 17754 else { 16936 17755 #ifdef WOLFSSL_DTLS 16937 if (ssl->options.dtls) 17756 if (ret == 0 && IsDtlsNotSctpMode(ssl)) 17757 ret = DtlsMsgPoolSave(ssl, output, sendSz, certificate_status); 17758 if (ret == 0 && ssl->options.dtls) 16938 17759 DtlsSEQIncrement(ssl, CUR_ORDER); 16939 17760 #endif 16940 17761 ret = HashOutput(ssl, output, sendSz, 0); 16941 17762 } 16942 16943 #ifdef WOLFSSL_DTLS16944 if (ret == 0 && IsDtlsNotSctpMode(ssl))16945 ret = DtlsMsgPoolSave(ssl, output, sendSz);16946 #endif16947 17763 16948 17764 #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) … … 17047 17863 DecodedCert cert[1]; 17048 17864 #endif 17865 DerBuffer* chain; 17049 17866 17050 17867 #ifdef WOLFSSL_SMALL_STACK … … 17063 17880 } 17064 17881 17065 while (idx + OPAQUE24_LEN < ssl->buffers.certChain->length) { 17066 c24to32(ssl->buffers.certChain->buffer + idx, &der.length); 17882 /* use certChain if available, otherwise use peer certificate */ 17883 chain = ssl->buffers.certChain; 17884 if (chain == NULL) { 17885 chain = ssl->buffers.certificate; 17886 } 17887 17888 while (chain && idx + OPAQUE24_LEN < chain->length) { 17889 c24to32(chain->buffer + idx, &der.length); 17067 17890 idx += OPAQUE24_LEN; 17068 17891 17069 der.buffer = ssl->buffers.certChain->buffer + idx;17892 der.buffer = chain->buffer + idx; 17070 17893 idx += der.length; 17071 17894 17072 if (idx > ssl->buffers.certChain->length)17895 if (idx > chain->length) 17073 17896 break; 17074 17897 … … 17148 17971 17149 17972 17973 17974 #if defined(HAVE_SECURE_RENEGOTIATION) && defined(WOLFSSL_DTLS) 17975 /** 17976 * Check if the SCR keys are set in ssl->secure_renegotiation->tmp_keys. 17977 */ 17978 int DtlsSCRKeysSet(WOLFSSL* ssl) 17979 { 17980 return ssl->secure_renegotiation && 17981 ssl->secure_renegotiation->tmp_keys.dtls_epoch != 0; 17982 } 17983 17984 /** 17985 * ssl->keys contains the current cipher parameters only for epoch 1. For 17986 * epochs >1 ssl->secure_renegotiation->tmp_keys contains the current 17987 * cipher parameters. This function checks if the message currently being 17988 * processed should use ssl->keys or ssl->secure_renegotiation->tmp_keys. 17989 */ 17990 int IsDtlsMsgSCRKeys(WOLFSSL* ssl) 17991 { 17992 return DtlsSCRKeysSet(ssl) && 17993 ssl->keys.curEpoch == 17994 ssl->secure_renegotiation->tmp_keys.dtls_epoch; 17995 } 17996 17997 /** 17998 * ssl->keys contains the current cipher parameters only for epoch 1. For 17999 * epochs >1 ssl->secure_renegotiation->tmp_keys contains the current 18000 * cipher parameters. This function checks if the message currently being 18001 * built should use ssl->keys or ssl->secure_renegotiation->tmp_keys. 18002 */ 18003 int DtlsUseSCRKeys(WOLFSSL* ssl) 18004 { 18005 return DtlsSCRKeysSet(ssl) && 18006 ssl->secure_renegotiation->tmp_keys.dtls_epoch == 18007 ssl->keys.dtls_epoch; 18008 } 18009 18010 /** 18011 * If ssl->secure_renegotiation->tmp_keys.dtls_epoch > ssl->keys.dtls_epoch 18012 * then PREV_ORDER refers to the current epoch. 18013 * */ 18014 int DtlsCheckOrder(WOLFSSL* ssl, int order) 18015 { 18016 if (order == PREV_ORDER && ssl->secure_renegotiation && 18017 ssl->secure_renegotiation->tmp_keys.dtls_epoch > ssl->keys.dtls_epoch) { 18018 return CUR_ORDER; 18019 } 18020 else { 18021 return order; 18022 } 18023 } 18024 #endif /* HAVE_SECURE_RENEGOTIATION && WOLFSSL_DTLS */ 18025 17150 18026 /* If secure renegotiation is disabled, this will always return false. 17151 18027 * Otherwise it checks to see if we are currently renegotiating. */ 17152 static WC_INLINEint IsSCR(WOLFSSL* ssl)18028 int IsSCR(WOLFSSL* ssl) 17153 18029 { 17154 18030 #ifndef HAVE_SECURE_RENEGOTIATION … … 17156 18032 #else /* HAVE_SECURE_RENEGOTIATION */ 17157 18033 if (ssl->secure_renegotiation && 17158 ssl->secure_renegotiation->enabled && 17159 ssl->options.handShakeState != HANDSHAKE_DONE) 18034 ssl->secure_renegotiation->enabled && /* Is SCR enabled? */ 18035 ssl->options.handShakeDone && /* At least one handshake done? */ 18036 ssl->options.handShakeState != HANDSHAKE_DONE) /* Currently handshaking? */ 17160 18037 return 1; 17161 18038 #endif /* HAVE_SECURE_RENEGOTIATION */ … … 17197 18074 if (ssl->options.handShakeState == HANDSHAKE_DONE) { 17198 18075 WOLFSSL_MSG("handshake complete, trying to send early data"); 17199 return BUILD_MSG_ERROR; 18076 ssl->error = BUILD_MSG_ERROR; 18077 return WOLFSSL_FATAL_ERROR; 17200 18078 } 17201 18079 #ifdef WOLFSSL_EARLY_DATA_GROUP … … 17264 18142 len = wolfSSL_GetMaxRecordSize(ssl, sz - sent); 17265 18143 17266 #ifdef WOLFSSL_DTLS 17267 if (IsDtlsNotSctpMode(ssl)) { 17268 len = min(len, MAX_UDP_SIZE); 18144 #if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_DTLS_SIZE_CHECK) 18145 if (ssl->options.dtls && (len < sz - sent)) { 18146 ssl->error = DTLS_SIZE_ERROR; 18147 WOLFSSL_ERROR(ssl->error); 18148 return ssl->error; 17269 18149 } 17270 18150 #endif … … 17295 18175 if (!ssl->options.tls1_3) { 17296 18176 sendSz = BuildMessage(ssl, out, outputSz, sendBuffer, buffSz, 17297 application_data, 0, 0, 1 );18177 application_data, 0, 0, 1, CUR_ORDER); 17298 18178 } 17299 18179 else { … … 17353 18233 17354 18234 /* reset error state */ 17355 if (ssl->error == WANT_READ 17356 #ifdef WOLFSSL_ASYNC_CRYPT 17357 || ssl->error == WC_PENDING_E 17358 #endif 17359 ) { 18235 if (ssl->error == WANT_READ) { 17360 18236 ssl->error = 0; 17361 18237 } … … 17370 18246 #endif /* WOLFSSL_DTLS */ 17371 18247 17372 if (ssl->error != 0 && ssl->error != WANT_WRITE) { 18248 if (ssl->error != 0 && ssl->error != WANT_WRITE 18249 #ifdef WOLFSSL_ASYNC_CRYPT 18250 && ssl->error != WC_PENDING_E 18251 #endif 18252 #ifdef HAVE_SECURE_RENEGOTIATION 18253 && ssl->error != APP_DATA_READY 18254 #endif 18255 ) { 17373 18256 WOLFSSL_MSG("User calling wolfSSL_read in error state, not allowed"); 17374 18257 return ssl->error; … … 17380 18263 else 17381 18264 #endif 17382 if (ssl->options.handShakeState != HANDSHAKE_DONE) { 17383 int err; 17384 WOLFSSL_MSG("Handshake not complete, trying to finish"); 17385 if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) { 17386 #ifdef WOLFSSL_ASYNC_CRYPT 17387 /* if async would block return WANT_WRITE */ 17388 if (ssl->error == WC_PENDING_E) { 17389 return WOLFSSL_CBIO_ERR_WANT_READ; 17390 } 17391 #endif 17392 return err; 18265 { 18266 int negotiate = 0; 18267 #ifdef HAVE_SECURE_RENEGOTIATION 18268 if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) { 18269 if (ssl->options.handShakeState != HANDSHAKE_DONE 18270 && ssl->buffers.clearOutputBuffer.length == 0) 18271 negotiate = 1; 18272 } 18273 else 18274 #endif 18275 if (ssl->options.handShakeState != HANDSHAKE_DONE) 18276 negotiate = 1; 18277 18278 if (negotiate) { 18279 int err; 18280 WOLFSSL_MSG("Handshake not complete, trying to finish"); 18281 if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) { 18282 #ifdef WOLFSSL_ASYNC_CRYPT 18283 /* if async would block return WANT_WRITE */ 18284 if (ssl->error == WC_PENDING_E) { 18285 return WOLFSSL_CBIO_ERR_WANT_READ; 18286 } 18287 #endif 18288 return err; 18289 } 17393 18290 } 17394 18291 } … … 17397 18294 startScr: 17398 18295 if (ssl->secure_renegotiation && ssl->secure_renegotiation->startScr) { 17399 int err;18296 int ret; 17400 18297 WOLFSSL_MSG("Need to start scr, server requested"); 17401 if ( (err = wolfSSL_Rehandshake(ssl)) != WOLFSSL_SUCCESS) 17402 return err; 18298 ret = wolfSSL_Rehandshake(ssl); 17403 18299 ssl->secure_renegotiation->startScr = 0; /* only start once */ 18300 if (ret != WOLFSSL_SUCCESS) 18301 return ret; 17404 18302 } 17405 18303 #endif … … 17410 18308 if (ssl->error == ZERO_RETURN) { 17411 18309 WOLFSSL_MSG("Zero return, no more data coming"); 17412 return 0; 18310 return 0; /* no more data coming */ 17413 18311 } 17414 18312 if (ssl->error == SOCKET_ERROR_E) { … … 17417 18315 ssl->error = SOCKET_PEER_CLOSED_E; 17418 18316 WOLFSSL_ERROR(ssl->error); 17419 return 0; 18317 return 0; /* peer reset or closed */ 17420 18318 } 17421 18319 } … … 17427 18325 goto startScr; 17428 18326 } 18327 if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled && 18328 ssl->options.handShakeState != HANDSHAKE_DONE 18329 && ssl->buffers.clearOutputBuffer.length == 0) { 18330 /* ProcessReply processed a handshake packet and not any APP DATA 18331 * so let's move the handshake along */ 18332 int err; 18333 WOLFSSL_MSG("Handshake not complete, trying to finish"); 18334 if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) { 18335 #ifdef WOLFSSL_ASYNC_CRYPT 18336 /* if async would block return WANT_WRITE */ 18337 if (ssl->error == WC_PENDING_E) { 18338 return WOLFSSL_CBIO_ERR_WANT_READ; 18339 } 18340 #endif 18341 return err; 18342 } 18343 } 17429 18344 #endif 17430 } 17431 17432 if (sz < (int)ssl->buffers.clearOutputBuffer.length) 17433 size = sz; 17434 else 17435 size = ssl->buffers.clearOutputBuffer.length; 18345 #ifdef WOLFSSL_TLS13 18346 if (IsAtLeastTLSv1_3(ssl->version) && ssl->options.handShakeDone && 18347 ssl->curRL.type == handshake && peek) { 18348 WOLFSSL_MSG("Got Handshake Messge in APP data"); 18349 if (ssl->buffers.inputBuffer.length == 0) { 18350 ssl->error = WOLFSSL_ERROR_WANT_READ; 18351 return 0; 18352 } 18353 } 18354 #endif 18355 } 18356 18357 size = min(sz, (int)ssl->buffers.clearOutputBuffer.length); 17436 18358 17437 18359 XMEMCPY(output, ssl->buffers.clearOutputBuffer.buffer, size); … … 17522 18444 } 17523 18445 17524 /* only send encrypted alert if handshake actually complete, otherwise 17525 other side may not be able to handle it */ 17526 if (IsEncryptionOn(ssl, 1) && (IsAtLeastTLSv1_3(ssl->version) || 17527 ssl->options.handShakeDone)) { 18446 /* send encrypted alert if encryption is on - can be a rehandshake over 18447 * an existing encrypted channel. 18448 * TLS 1.3 encrypts handshake packets after the ServerHello 18449 */ 18450 if (IsEncryptionOn(ssl, 1)) { 17528 18451 sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE, alert, 17529 0, 0, 0 );18452 0, 0, 0, CUR_ORDER); 17530 18453 } 17531 18454 else { 17532 18455 17533 AddRecordHeader(output, ALERT_SIZE, alert, ssl );18456 AddRecordHeader(output, ALERT_SIZE, alert, ssl, CUR_ORDER); 17534 18457 output += RECORD_HEADER_SZ; 17535 18458 #ifdef WOLFSSL_DTLS … … 18000 18923 return "TLS1.3 Secret Callback Error"; 18001 18924 18925 case DTLS_SIZE_ERROR: 18926 return "DTLS trying to send too much in single datagram error"; 18927 18928 case NO_CERT_ERROR: 18929 return "TLS1.3 No Certificate Set Error"; 18930 18002 18931 default : 18003 18932 return "unknown error number"; … … 18013 18942 } 18014 18943 18015 #ifndef NO_ERROR_STRINGS 18016 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) 18017 #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),(v),(u)} 18944 #ifdef NO_CIPHER_SUITE_ALIASES 18945 #ifndef NO_ERROR_STRINGS 18946 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) 18947 #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE} 18948 #define SUITE_ALIAS(x,z,w,v,u) 18949 #else 18950 #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE} 18951 #define SUITE_ALIAS(x,z,w,v,u) 18952 #endif 18018 18953 #else 18019 #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w)} 18954 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) 18955 #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE} 18956 #define SUITE_ALIAS(x,z,w,v,u) 18957 #else 18958 #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE} 18959 #define SUITE_ALIAS(x,z,w,v,u) 18960 #endif 18020 18961 #endif 18021 #else 18022 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) 18023 #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),(v),(u)} 18962 #else /* !NO_CIPHER_SUITE_ALIASES */ 18963 18964 /* note that the comma is included at the end of the SUITE_ALIAS() macro 18965 * definitions, to allow aliases to be gated out by the above null macros 18966 * in the NO_CIPHER_SUITE_ALIASES section. 18967 */ 18968 18969 #ifndef NO_ERROR_STRINGS 18970 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || \ 18971 defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX) 18972 #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE} 18973 #define SUITE_ALIAS(x,z,w,v,u) {(x),"",(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS}, 18974 #else 18975 #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE} 18976 #define SUITE_ALIAS(x,z,w,v,u) {(x),"",(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS}, 18977 #endif 18024 18978 #else 18025 #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w)} 18979 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || \ 18980 defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX) 18981 #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE} 18982 #define SUITE_ALIAS(x,z,w,v,u) {(x),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS}, 18983 #else 18984 #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE} 18985 #define SUITE_ALIAS(x,z,w,v,u) {(x),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS}, 18986 #endif 18026 18987 #endif 18027 #endif 18988 #endif /* NO_CIPHER_SUITE_ALIASES */ 18028 18989 18029 18990 static const CipherSuiteInfo cipher_names[] = … … 18048 19009 #ifdef BUILD_TLS_AES_128_CCM_8_SHA256 18049 19010 SUITE_INFO("TLS13-AES128-CCM-8-SHA256","TLS_AES_128_CCM_8_SHA256",TLS13_BYTE,TLS_AES_128_CCM_8_SHA256,TLSv1_3_MINOR, SSLv3_MAJOR), 19011 SUITE_ALIAS("TLS13-AES128-CCM8-SHA256",TLS13_BYTE,TLS_AES_128_CCM_8_SHA256,TLSv1_3_MINOR, SSLv3_MAJOR) 18050 19012 #endif 18051 19013 … … 18158 19120 #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8 18159 19121 SUITE_INFO("PSK-AES128-CCM-8","TLS_PSK_WITH_AES_128_CCM_8",ECC_BYTE,TLS_PSK_WITH_AES_128_CCM_8,TLSv1_MINOR,SSLv3_MAJOR), 19122 SUITE_ALIAS("PSK-AES128-CCM8",ECC_BYTE,TLS_PSK_WITH_AES_128_CCM_8,TLSv1_MINOR,SSLv3_MAJOR) 18160 19123 #endif 18161 19124 18162 19125 #ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8 18163 19126 SUITE_INFO("PSK-AES256-CCM-8","TLS_PSK_WITH_AES_256_CCM_8",ECC_BYTE,TLS_PSK_WITH_AES_256_CCM_8,TLSv1_MINOR,SSLv3_MAJOR), 19127 SUITE_ALIAS("PSK-AES256-CCM8",ECC_BYTE,TLS_PSK_WITH_AES_256_CCM_8,TLSv1_MINOR,SSLv3_MAJOR) 18164 19128 #endif 18165 19129 … … 18214 19178 #ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 18215 19179 SUITE_INFO("AES128-CCM-8","TLS_RSA_WITH_AES_128_CCM_8",ECC_BYTE,TLS_RSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR), 19180 SUITE_ALIAS("AES128-CCM8",ECC_BYTE,TLS_RSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR) 18216 19181 #endif 18217 19182 18218 19183 #ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8 18219 19184 SUITE_INFO("AES256-CCM-8","TLS_RSA_WITH_AES_256_CCM_8",ECC_BYTE,TLS_RSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR), 19185 SUITE_ALIAS("AES256-CCM8",ECC_BYTE,TLS_RSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR) 18220 19186 #endif 18221 19187 … … 18226 19192 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 18227 19193 SUITE_INFO("ECDHE-ECDSA-AES128-CCM-8","TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR), 19194 SUITE_ALIAS("ECDHE-ECDSA-AES128-CCM8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR) 18228 19195 #endif 18229 19196 18230 19197 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 18231 19198 SUITE_INFO("ECDHE-ECDSA-AES256-CCM-8","TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR), 19199 SUITE_ALIAS("ECDHE-ECDSA-AES256-CCM8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR) 18232 19200 #endif 18233 19201 … … 18525 19493 for (i = 0; i < GetCipherNamesSize(); i++) { 18526 19494 if ((cipher_names[i].cipherSuite0 == cipherSuite0) && 18527 (cipher_names[i].cipherSuite == cipherSuite)) { 19495 (cipher_names[i].cipherSuite == cipherSuite) 19496 #ifndef NO_CIPHER_SUITE_ALIASES 19497 && (! (cipher_names[i].flags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS)) 19498 #endif 19499 ) { 18528 19500 nameInternal = cipher_names[i].name; 18529 19501 break; … … 18542 19514 n3 = n[3]; 18543 19515 n4 = n[4]; 19516 19517 #ifdef HAVE_NTRU 19518 if (XSTRNCMP(n0,"NTRU",4) == 0) 19519 return "NTRU"; 19520 #endif 18544 19521 18545 19522 if (XSTRNCMP(n0,"ECDHE",5) == 0 && XSTRNCMP(n1,"PSK",3) == 0) … … 18578 19555 n2 = n[2]; 18579 19556 19557 #ifdef HAVE_NTRU 19558 if (XSTRNCMP(n0,"NTRU",4) == 0) 19559 return "NTRU"; 19560 #endif 19561 18580 19562 if ((XSTRNCMP(n0,"AES128",6) == 0) || (XSTRNCMP(n0,"AES256",6) == 0) || 18581 19563 ((XSTRNCMP(n0,"TLS13",5) == 0) && ((XSTRNCMP(n1,"AES128",6) == 0) || … … 18591 19573 else if (XSTRNCMP(n1,"ECDSA",5) == 0) 18592 19574 authStr = "ECDSA"; 19575 else if (XSTRNCMP(n0,"ADH",3) == 0) 19576 authStr = "None"; 18593 19577 else 18594 19578 authStr = "unknown"; … … 18640 19624 (XSTRNCMP(n2,"CAMELLIA128",11) == 0)) 18641 19625 encStr = "CAMELLIA(128)"; 18642 else if ((XSTRNCMP(n0,"RC4",3) == 0) || (XSTRNCMP(n2,"RC4",3) == 0)) 19626 else if ((XSTRNCMP(n0,"RC4",3) == 0) || (XSTRNCMP(n1,"RC4",3) == 0) || 19627 (XSTRNCMP(n2,"RC4",3) == 0)) 18643 19628 encStr = "RC4"; 18644 else if (((XSTRNCMP(n0,"DES",3) == 0) || (XSTRNCMP(n2,"DES",3) == 0)) && 18645 ((XSTRNCMP(n1,"CBC3",4) == 0) || (XSTRNCMP(n3,"CBC3",4) == 0))) 19629 else if (((XSTRNCMP(n0,"DES",3) == 0) || (XSTRNCMP(n1,"DES",3) == 0) || 19630 (XSTRNCMP(n2,"DES",3) == 0)) && 19631 ((XSTRNCMP(n1,"CBC3",4) == 0) || (XSTRNCMP(n2,"CBC3",4) == 0) || 19632 (XSTRNCMP(n3,"CBC3",4) == 0))) 18646 19633 encStr = "3DES"; 18647 19634 else if ((XSTRNCMP(n1,"CHACHA20",8) == 0 && XSTRNCMP(n2,"POLY1305",8) == 0) || … … 18733 19720 for (i = 0; i < GetCipherNamesSize(); i++) { 18734 19721 if ((cipher_names[i].cipherSuite0 == cipherSuite0) && 18735 (cipher_names[i].cipherSuite == cipherSuite)) { 19722 (cipher_names[i].cipherSuite == cipherSuite) 19723 #ifndef NO_CIPHER_SUITE_ALIASES 19724 && (! (cipher_names[i].flags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS)) 19725 #endif 19726 ) { 18736 19727 nameIana = cipher_names[i].name_iana; 18737 19728 break; … … 18765 19756 18766 19757 int GetCipherSuiteFromName(const char* name, byte* cipherSuite0, 18767 byte* cipherSuite )19758 byte* cipherSuite, int* flags) 18768 19759 { 18769 19760 int ret = BAD_FUNC_ARG; 18770 19761 int i; 18771 unsigned long len = (unsigned long)XSTRLEN(name); 19762 unsigned long len; 19763 const char* nameDelim; 19764 19765 /* Support trailing : */ 19766 nameDelim = XSTRSTR(name, ":"); 19767 if (nameDelim) 19768 len = (unsigned long)(nameDelim - name); 19769 else 19770 len = (unsigned long)XSTRLEN(name); 18772 19771 18773 19772 for (i = 0; i < GetCipherNamesSize(); i++) { 18774 if (XSTRNCMP(name, cipher_names[i].name, len) == 0) { 19773 if ((XSTRNCMP(name, cipher_names[i].name, len) == 0) && 19774 (cipher_names[i].name[len] == 0)) { 18775 19775 *cipherSuite0 = cipher_names[i].cipherSuite0; 18776 19776 *cipherSuite = cipher_names[i].cipherSuite; 19777 *flags = cipher_names[i].flags; 18777 19778 ret = 0; 18778 19779 break; … … 18912 19913 18913 19914 #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS) 19915 static int MatchSigAlgo(WOLFSSL* ssl, int sigAlgo) 19916 { 19917 #ifdef HAVE_ED25519 19918 if (ssl->pkCurveOID == ECC_ED25519_OID) { 19919 /* Certificate has Ed25519 key, only match with Ed25519 sig alg */ 19920 return sigAlgo == ed25519_sa_algo; 19921 } 19922 #endif 19923 #ifdef HAVE_ED448 19924 if (ssl->pkCurveOID == ECC_ED448_OID) { 19925 /* Certificate has Ed448 key, only match with Ed448 sig alg */ 19926 return sigAlgo == ed448_sa_algo; 19927 } 19928 #endif 19929 #ifdef WC_RSA_PSS 19930 /* RSA certificate and PSS sig alg. */ 19931 if (ssl->suites->sigAlgo == rsa_sa_algo) { 19932 #if defined(WOLFSSL_TLS13) 19933 /* TLS 1.3 only supports RSA-PSS. */ 19934 if (IsAtLeastTLSv1_3(ssl->version)) 19935 return sigAlgo == rsa_pss_sa_algo; 19936 #endif 19937 /* TLS 1.2 and below - RSA-PSS allowed. */ 19938 if (sigAlgo == rsa_pss_sa_algo) 19939 return 1; 19940 } 19941 #endif 19942 /* Signature algorithm matches certificate. */ 19943 return sigAlgo == ssl->suites->sigAlgo; 19944 } 19945 19946 #if defined(HAVE_ECC) && defined(WOLFSSL_TLS13) || \ 19947 defined(USE_ECDSA_KEYSZ_HASH_ALGO) 19948 static int CmpEccStrength(int hashAlgo, int curveSz) 19949 { 19950 int dgstSz = GetMacDigestSize(hashAlgo); 19951 if (dgstSz <= 0) 19952 return -1; 19953 return dgstSz - (curveSz & (~0x3)); 19954 } 19955 #endif 19956 19957 static byte MinHashAlgo(WOLFSSL* ssl) 19958 { 19959 #ifdef WOLFSSL_TLS13 19960 if (IsAtLeastTLSv1_3(ssl->version)) { 19961 return sha256_mac; 19962 } 19963 #endif 19964 #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_ALLOW_TLS_SHA1) 19965 if (IsAtLeastTLSv1_2(ssl)) { 19966 return sha256_mac; 19967 } 19968 #endif /* WOLFSSL_NO_TLS12 */ 19969 return sha_mac; 19970 } 19971 18914 19972 int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz) 18915 19973 { 18916 19974 word32 i; 18917 19975 int ret = MATCH_SUITE_ERROR; 18918 18919 ssl->suites->sigAlgo = ssl->specs.sig_algo; 19976 byte minHash; 18920 19977 18921 19978 /* set defaults */ 18922 19979 if (IsAtLeastTLSv1_3(ssl->version)) { 18923 ssl->suites->hashAlgo = sha256_mac;18924 19980 #ifndef NO_CERTS 19981 /* TLS 1.3 cipher suites don't have public key algorithms in them. 19982 * Using the one in the certificate - if any. 19983 */ 18925 19984 ssl->suites->sigAlgo = ssl->buffers.keyType; 18926 19985 #endif 18927 19986 } 18928 #ifndef WOLFSSL_NO_TLS12 18929 else if (IsAtLeastTLSv1_2(ssl)) { 18930 #ifdef WOLFSSL_ALLOW_TLS_SHA1 18931 ssl->suites->hashAlgo = sha_mac; 18932 #else 18933 ssl->suites->hashAlgo = sha256_mac; 18934 #endif 18935 } 18936 else { 18937 ssl->suites->hashAlgo = sha_mac; 18938 } 18939 #endif 18940 19987 else 19988 ssl->suites->sigAlgo = ssl->specs.sig_algo; 19989 if (ssl->suites->sigAlgo == 0) { 19990 /* PSK ciphersuite - get digest to use from cipher suite */ 19991 ssl->suites->hashAlgo = ssl->specs.mac_algorithm; 19992 return 0; 19993 } 19994 ssl->suites->hashAlgo = minHash = MinHashAlgo(ssl); 19995 19996 /* No list means go with the defaults. */ 18941 19997 if (hashSigAlgoSz == 0) 18942 19998 return 0; 18943 19999 18944 /* i+1 since peek a byte ahead for type*/20000 /* i+1 since two bytes used to describe hash and signature algorithm */ 18945 20001 for (i = 0; (i+1) < hashSigAlgoSz; i += HELLO_EXT_SIGALGO_SZ) { 18946 20002 byte hashAlgo = 0, sigAlgo = 0; 18947 20003 18948 20004 DecodeSigAlg(&hashSigAlgo[i], &hashAlgo, &sigAlgo); 20005 /* Keep looking if hash algorithm not strong enough. */ 20006 if (hashAlgo < minHash) 20007 continue; 20008 /* Keep looking if signature algorithm isn't supported by cert. */ 20009 if (!MatchSigAlgo(ssl, sigAlgo)) 20010 continue; 20011 18949 20012 #ifdef HAVE_ED25519 18950 20013 if (ssl->pkCurveOID == ECC_ED25519_OID) { 18951 if (sigAlgo != ed25519_sa_algo) 18952 continue; 18953 if (sigAlgo == ed25519_sa_algo && 18954 ssl->suites->sigAlgo == ecc_dsa_sa_algo) { 18955 ssl->suites->sigAlgo = sigAlgo; 18956 ssl->suites->hashAlgo = sha512_mac; 18957 ret = 0; 18958 break; 18959 } 20014 /* Matched Ed25519 - set chosen and finished. */ 20015 ssl->suites->sigAlgo = sigAlgo; 20016 ssl->suites->hashAlgo = hashAlgo; 20017 ret = 0; 20018 break; 18960 20019 } 18961 20020 #endif 18962 20021 #ifdef HAVE_ED448 18963 20022 if (ssl->pkCurveOID == ECC_ED448_OID) { 18964 if (sigAlgo != ed448_sa_algo) 20023 /* Matched Ed448 - set chosen and finished. */ 20024 ssl->suites->sigAlgo = sigAlgo; 20025 ssl->suites->hashAlgo = hashAlgo; 20026 ret = 0; 20027 break; 20028 } 20029 #endif 20030 20031 #if defined(WOLFSSL_ECDSA_MATCH_HASH) && defined(USE_ECDSA_KEYSZ_HASH_ALGO) 20032 #error "WOLFSSL_ECDSA_MATCH_HASH and USE_ECDSA_KEYSZ_HASH_ALGO cannot " 20033 "be used together" 20034 #endif 20035 20036 #if defined(HAVE_ECC) && (defined(WOLFSSL_TLS13) || \ 20037 defined(WOLFSSL_ECDSA_MATCH_HASH)) 20038 if (sigAlgo == ecc_dsa_sa_algo 20039 #ifndef WOLFSSL_ECDSA_MATCH_HASH 20040 && IsAtLeastTLSv1_3(ssl->version) 20041 #endif 20042 ) { 20043 /* Must be exact match. */ 20044 if (CmpEccStrength(hashAlgo, ssl->buffers.keySz) != 0) 18965 20045 continue; 18966 20046 18967 if (sigAlgo == ed448_sa_algo && 18968 ssl->suites->sigAlgo == ecc_dsa_sa_algo) { 18969 ssl->suites->sigAlgo = sigAlgo; 18970 ssl->suites->hashAlgo = sha512_mac; 18971 ret = 0; 18972 break; 18973 } 18974 } 18975 #endif 18976 #if defined(WOLFSSL_TLS13) && defined(HAVE_ECC) 18977 if (IsAtLeastTLSv1_3(ssl->version) && sigAlgo == ssl->suites->sigAlgo && 18978 sigAlgo == ecc_dsa_sa_algo) { 18979 18980 int digestSz = GetMacDigestSize(hashAlgo); 18981 if (digestSz <= 0) 18982 continue; 18983 18984 /* TLS 1.3 signature algorithms for ECDSA match hash length with 18985 * key size. 18986 */ 18987 if (digestSz != ssl->buffers.keySz) 18988 continue; 18989 20047 /* Matched ECDSA exaclty - set chosen and finished. */ 18990 20048 ssl->suites->hashAlgo = hashAlgo; 18991 20049 ssl->suites->sigAlgo = sigAlgo; 18992 20050 ret = 0; 18993 break; /* done selected sig/hash algorithms */ 18994 } 18995 else 20051 break; 20052 } 18996 20053 #endif 20054 18997 20055 /* For ECDSA the `USE_ECDSA_KEYSZ_HASH_ALGO` build option will choose a hash 18998 20056 * algorithm that matches the ephemeral ECDHE key size or the next highest … … 19001 20059 */ 19002 20060 #if defined(HAVE_ECC) && defined(USE_ECDSA_KEYSZ_HASH_ALGO) 19003 if (sigAlgo == ssl->suites->sigAlgo && sigAlgo == ecc_dsa_sa_algo) { 19004 int digestSz = GetMacDigestSize(hashAlgo); 19005 if (digestSz <= 0) 20061 if (sigAlgo == ecc_dsa_sa_algo) { 20062 int cmp = CmpEccStrength(hashAlgo, ssl->eccTempKeySz); 20063 20064 /* Keep looking if digest not strong enough. */ 20065 if (cmp < 0) 19006 20066 continue; 19007 20067 19008 /* For ecc_dsa_sa_algo, pick hash algo that is curve size unless 19009 algorithm in not compiled in, then choose next highest */ 19010 if (digestSz == ssl->eccTempKeySz) { 20068 /* Looking for exact match or next highest. */ 20069 if (ret != 0 || hashAlgo <= ssl->suites->hashAlgo) { 19011 20070 ssl->suites->hashAlgo = hashAlgo; 19012 20071 ssl->suites->sigAlgo = sigAlgo; … … 19015 20074 #endif 19016 20075 ret = 0; 19017 break; /* done selected sig/hash algorithms */19018 } 19019 /* not strong enough, so keep checking hashSigAlso list*/19020 if ( digestSz < ssl->eccTempKeySz)20076 } 20077 20078 /* Continue looking if not the same strength. */ 20079 if (cmp > 0) 19021 20080 continue; 19022 19023 /* mark as highest and check remainder of hashSigAlgo list */ 19024 ssl->suites->hashAlgo = hashAlgo; 19025 ssl->suites->sigAlgo = sigAlgo; 19026 ret = 0; 19027 } 19028 else 20081 /* Exact match - finished. */ 20082 break; 20083 } 19029 20084 #endif 19030 #ifdef WC_RSA_PSS 19031 if (IsAtLeastTLSv1_3(ssl->version) && 19032 ssl->suites->sigAlgo == rsa_sa_algo && 19033 sigAlgo != rsa_pss_sa_algo) { 19034 continue; 19035 } 19036 else if (sigAlgo == ssl->suites->sigAlgo || 19037 (sigAlgo == rsa_pss_sa_algo && 19038 (ssl->suites->sigAlgo == rsa_sa_algo))) 19039 #else 19040 if (sigAlgo == ssl->suites->sigAlgo) 19041 #endif 19042 { 19043 /* pick highest available between both server and client */ 19044 switch (hashAlgo) { 19045 case sha_mac: 19046 #ifdef WOLFSSL_SHA224 19047 case sha224_mac: 20085 20086 switch (hashAlgo) { 20087 #ifndef NO_SHA 20088 case sha_mac: 20089 #endif 20090 #ifdef WOLFSSL_SHA224 20091 case sha224_mac: 20092 #endif 20093 #ifndef NO_SHA256 20094 case sha256_mac: 20095 #endif 20096 #ifdef WOLFSSL_SHA384 20097 case sha384_mac: 20098 #endif 20099 #ifdef WOLFSSL_SHA512 20100 case sha512_mac: 20101 #endif 20102 #ifdef WOLFSSL_STRONGEST_HASH_SIG 20103 /* Is hash algorithm weaker than chosen/min? */ 20104 if (hashAlgo < ssl->suites->hashAlgo) 20105 break; 20106 #else 20107 /* Is hash algorithm stonger than last chosen? */ 20108 if (ret == 0 && hashAlgo > ssl->suites->hashAlgo) 20109 break; 19048 20110 #endif 19049 #ifndef NO_SHA256 19050 case sha256_mac: 19051 #endif 19052 #ifdef WOLFSSL_SHA384 19053 case sha384_mac: 19054 #endif 19055 #ifdef WOLFSSL_SHA512 19056 case sha512_mac: 19057 #endif 19058 /* not strong enough, so keep checking hashSigAlso list */ 19059 if (hashAlgo < ssl->suites->hashAlgo) { 19060 ret = 0; 19061 continue; 19062 } 19063 /* mark as highest and check remainder of hashSigAlgo list */ 19064 ssl->suites->hashAlgo = hashAlgo; 19065 ssl->suites->sigAlgo = sigAlgo; 19066 break; 19067 default: 19068 continue; 19069 } 19070 ret = 0; 19071 break; 19072 } 19073 #if defined(WOLFSSL_TLS13) 19074 else if (ssl->specs.sig_algo == 0 && IsAtLeastTLSv1_3(ssl->version)) { 19075 } 19076 #endif 19077 else if (ssl->specs.sig_algo == 0) 19078 { 19079 ssl->suites->hashAlgo = ssl->specs.mac_algorithm; 19080 ret = 0; 20111 /* The chosen one - but keep looking. */ 20112 ssl->suites->hashAlgo = hashAlgo; 20113 ssl->suites->sigAlgo = sigAlgo; 20114 ret = 0; 20115 break; 20116 default: 20117 /* Support for hash algorithm not compiled in. */ 20118 break; 19081 20119 } 19082 20120 } … … 19107 20145 int sz = GetCipherNamesSize(); 19108 20146 19109 for (i = 0; i < sz; i++) 20147 for (i = 0; i < sz; i++) { 20148 #ifndef NO_CIPHER_SUITE_ALIASES 20149 if (cipher_names[i].flags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS) 20150 continue; 20151 #endif 19110 20152 if (info->ssl->options.cipherSuite == 19111 20153 (byte)cipher_names[i].cipherSuite) { … … 19116 20158 break; 19117 20159 } 20160 } 19118 20161 19119 20162 /* error max and min are negative numbers */ … … 19279 20322 #if !defined(NO_CERTS) 19280 20323 20324 #ifdef WOLF_CRYPTO_CB 20325 /* Create a private key for a device. 20326 * 20327 * pkey Key object. 20328 * data Data to identify key. 20329 * length Length of data. 20330 * hsType Type of the key to create. 20331 * heap Custom heap to use for mallocs/frees 20332 * devId Id for device. 20333 * return 0 on success. 20334 * return NOT_COMPILED_IN if algorithm type not supported. 20335 * return MEMORY_E on memory allocation failure. 20336 * return other internal error 20337 */ 20338 int CreateDevPrivateKey(void** pkey, byte* data, word32 length, int hsType, 20339 int label, int id, void* heap, int devId) 20340 { 20341 int ret = NOT_COMPILED_IN; 20342 20343 if (hsType == DYNAMIC_TYPE_RSA) { 20344 #ifndef NO_RSA 20345 RsaKey* rsaKey; 20346 20347 rsaKey = (RsaKey*)XMALLOC(sizeof(RsaKey), heap, DYNAMIC_TYPE_RSA); 20348 if (rsaKey == NULL) { 20349 return MEMORY_E; 20350 } 20351 20352 if (label) { 20353 ret = wc_InitRsaKey_Label(rsaKey, (char*)data, heap, devId); 20354 } 20355 else if (id) { 20356 ret = wc_InitRsaKey_Id(rsaKey, data, length, heap, devId); 20357 } 20358 if (ret == 0) { 20359 *pkey = (void*)rsaKey; 20360 } 20361 else { 20362 XFREE(rsaKey, heap, DYNAMIC_TYPE_RSA); 20363 } 20364 #endif 20365 } 20366 else if (hsType == DYNAMIC_TYPE_ECC) { 20367 #ifdef HAVE_ECC 20368 ecc_key* ecKey; 20369 20370 ecKey = (ecc_key*)XMALLOC(sizeof(ecc_key), heap, DYNAMIC_TYPE_ECC); 20371 if (ecKey == NULL) { 20372 return MEMORY_E; 20373 } 20374 20375 if (label) { 20376 ret = wc_ecc_init_label(ecKey, (char*)data, heap, devId); 20377 } 20378 else if (id) { 20379 ret = wc_ecc_init_id(ecKey, data, length, heap, devId); 20380 } 20381 if (ret == 0) { 20382 *pkey = (void*)ecKey; 20383 } 20384 else { 20385 XFREE(ecKey, heap, DYNAMIC_TYPE_ECC); 20386 } 20387 #endif 20388 } 20389 20390 return ret; 20391 } 20392 #endif 20393 19281 20394 /* Decode the private key - RSA/ECC/Ed25519/Ed448 - and creates a key object. 19282 20395 * The signature type is set as well. … … 19309 20422 19310 20423 #ifdef HAVE_PKCS11 19311 if (ssl->buffers.keyDevId != INVALID_DEVID && ssl->buffers.keyId) { 20424 if (ssl->buffers.keyDevId != INVALID_DEVID && (ssl->buffers.keyId || 20425 ssl->buffers.keyLabel)) { 19312 20426 if (ssl->buffers.keyType == rsa_sa_algo) 19313 20427 ssl->hsType = DYNAMIC_TYPE_RSA; … … 19321 20435 if (ssl->buffers.keyType == rsa_sa_algo) { 19322 20436 #ifndef NO_RSA 19323 ret = wc_InitRsaKey_Id((RsaKey*)ssl->hsKey, 19324 ssl->buffers.key->buffer, ssl->buffers.key->length, 19325 ssl->heap, ssl->buffers.keyDevId); 20437 if (ssl->buffers.keyLabel) { 20438 ret = wc_InitRsaKey_Label((RsaKey*)ssl->hsKey, 20439 (char*)ssl->buffers.key->buffer, 20440 ssl->heap, ssl->buffers.keyDevId); 20441 } 20442 else if (ssl->buffers.keyId) { 20443 ret = wc_InitRsaKey_Id((RsaKey*)ssl->hsKey, 20444 ssl->buffers.key->buffer, 20445 ssl->buffers.key->length, ssl->heap, 20446 ssl->buffers.keyDevId); 20447 } 19326 20448 if (ret == 0) { 19327 20449 if (ssl->buffers.keySz < ssl->options.minRsaKeySz) { … … 19339 20461 else if (ssl->buffers.keyType == ecc_dsa_sa_algo) { 19340 20462 #ifdef HAVE_ECC 19341 ret = wc_ecc_init_id((ecc_key*)ssl->hsKey, ssl->buffers.key->buffer, 19342 ssl->buffers.key->length, ssl->heap, 19343 ssl->buffers.keyDevId); 20463 if (ssl->buffers.keyLabel) { 20464 ret = wc_ecc_init_label((ecc_key*)ssl->hsKey, 20465 (char*)ssl->buffers.key->buffer, 20466 ssl->heap, ssl->buffers.keyDevId); 20467 } 20468 else if (ssl->buffers.keyId) { 20469 ret = wc_ecc_init_id((ecc_key*)ssl->hsKey, 20470 ssl->buffers.key->buffer, 20471 ssl->buffers.key->length, ssl->heap, 20472 ssl->buffers.keyDevId); 20473 } 19344 20474 if (ret == 0) { 19345 20475 if (ssl->buffers.keySz < ssl->options.minEccKeySz) { … … 19532 20662 19533 20663 #endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */ 20664 20665 #if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_TLS12) 20666 /* returns 1 if able to do TLS 1.3 otherwise 0 */ 20667 int TLSv1_3_Capable(WOLFSSL* ssl) 20668 { 20669 #ifndef WOLFSSL_TLS13 20670 return 0; 20671 #else 20672 int ret = 0; 20673 20674 if (IsAtLeastTLSv1_3(ssl->ctx->method->version)) { 20675 ret = 1; 20676 } 20677 20678 #ifdef OPENSSL_EXTRA 20679 if ((wolfSSL_get_options(ssl) & SSL_OP_NO_TLSv1_3)) { 20680 /* option set at run time to disable TLS 1.3 */ 20681 ret = 0; 20682 } 20683 #endif 20684 return ret; 20685 #endif 20686 } 20687 #endif /* WOLFSSL_TLS13 */ 19534 20688 19535 20689 /* client only parts */ … … 19731 20885 if (IsEncryptionOn(ssl, 1)) { 19732 20886 byte* input; 19733 int inputSz = idx - RECORD_HEADER_SZ; /* build msg adds rec hdr */ 19734 20887 int inputSz = idx; /* build msg adds rec hdr */ 20888 int recordHeaderSz = RECORD_HEADER_SZ; 20889 20890 if (ssl->options.dtls) 20891 recordHeaderSz += DTLS_RECORD_EXTRA; 20892 inputSz -= recordHeaderSz; 19735 20893 input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 19736 20894 if (input == NULL) 19737 20895 return MEMORY_E; 19738 20896 19739 XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); 20897 XMEMCPY(input, output + recordHeaderSz, inputSz); 20898 #ifdef WOLFSSL_DTLS 20899 if (IsDtlsNotSctpMode(ssl) && 20900 (ret = DtlsMsgPoolSave(ssl, input, inputSz, client_hello)) != 0) { 20901 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 20902 return ret; 20903 } 20904 #endif 19740 20905 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 19741 handshake, 1, 0, 0 );20906 handshake, 1, 0, 0, CUR_ORDER); 19742 20907 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 19743 20908 … … 19747 20912 #ifdef WOLFSSL_DTLS 19748 20913 if (IsDtlsNotSctpMode(ssl)) { 19749 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz )) != 0)20914 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, client_hello)) != 0) 19750 20915 return ret; 19751 20916 } … … 20196 21361 return ret; 20197 21362 } 20198 20199 #ifdef WOLFSSL_TLS1320200 /* returns 1 if able to do TLS 1.3 otherwise 0 */20201 static int TLSv1_3_Capable(WOLFSSL* ssl)20202 {20203 #ifndef WOLFSSL_TLS1320204 return 0;20205 #else20206 int ret = 0;20207 20208 if (IsAtLeastTLSv1_3(ssl->ctx->method->version)) {20209 ret = 1;20210 }20211 20212 #ifdef OPENSSL_EXTRA20213 if ((wolfSSL_get_options(ssl) & SSL_OP_NO_TLSv1_3)) {20214 /* option set at run time to disable TLS 1.3 */20215 ret = 0;20216 }20217 #endif20218 return ret;20219 #endif20220 }20221 #endif /* WOLFSSL_TLS13 */20222 21363 20223 21364 int CompleteServerHello(WOLFSSL* ssl) … … 20244 21385 #endif 20245 21386 if (ssl->ctx->method->version.major == SSLv3_MAJOR && 20246 ssl->ctx->method->version.minor == TLSv1_2_MINOR) { 21387 ssl->ctx->method->version.minor == TLSv1_2_MINOR 21388 #ifdef OPENSSL_EXTRA 21389 && (wolfSSL_get_options(ssl) & SSL_OP_NO_TLSv1_2) == 0 21390 #endif 21391 ) { 20247 21392 /* TLS v1.2 capable client not allowed to downgrade when 20248 21393 * connecting to TLS v1.2 capable server. … … 20286 21431 } 20287 21432 } 20288 #ifdef WOLFSSL_DTLS20289 if (ssl->options.dtls) {20290 DtlsMsgPoolReset(ssl);20291 }20292 #endif20293 20294 21433 return SetCipherSpecs(ssl); 20295 21434 } 20296 21435 20297 #endif /* WOLFSSL_NO_TLS12 */21436 #endif /* !WOLFSSL_NO_TLS12 */ 20298 21437 20299 21438 … … 20481 21620 20482 21621 switch (tlsCurveId) { 20483 #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)21622 #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160 20484 21623 #ifndef NO_ECC_SECP 20485 21624 case WOLFSSL_ECC_SECP160R1: return ECC_SECP160R1_OID; … … 20492 21631 #endif /* HAVE_ECC_KOBLITZ */ 20493 21632 #endif 20494 #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)21633 #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192 20495 21634 #ifndef NO_ECC_SECP 20496 21635 case WOLFSSL_ECC_SECP192R1: return ECC_SECP192R1_OID; … … 20500 21639 #endif /* HAVE_ECC_KOBLITZ */ 20501 21640 #endif 20502 #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)21641 #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224 20503 21642 #ifndef NO_ECC_SECP 20504 21643 case WOLFSSL_ECC_SECP224R1: return ECC_SECP224R1_OID; … … 20508 21647 #endif /* HAVE_ECC_KOBLITZ */ 20509 21648 #endif 20510 #if def HAVE_CURVE2551921649 #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256 20511 21650 case WOLFSSL_ECC_X25519: return ECC_X25519_OID; 20512 21651 #endif 20513 #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)21652 #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 20514 21653 #ifndef NO_ECC_SECP 20515 21654 case WOLFSSL_ECC_SECP256R1: return ECC_SECP256R1_OID; … … 20522 21661 #endif /* HAVE_ECC_BRAINPOOL */ 20523 21662 #endif 20524 #if def HAVE_CURVE44821663 #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448 20525 21664 case WOLFSSL_ECC_X448: return ECC_X448_OID; 20526 21665 #endif 20527 #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)21666 #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384 20528 21667 #ifndef NO_ECC_SECP 20529 21668 case WOLFSSL_ECC_SECP384R1: return ECC_SECP384R1_OID; … … 20533 21672 #endif /* HAVE_ECC_BRAINPOOL */ 20534 21673 #endif 20535 #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)21674 #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512 20536 21675 #ifdef HAVE_ECC_BRAINPOOL 20537 21676 case WOLFSSL_ECC_BRAINPOOLP512R1: return ECC_BRAINPOOLP512R1_OID; 20538 21677 #endif /* HAVE_ECC_BRAINPOOL */ 20539 21678 #endif 20540 #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)21679 #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521 20541 21680 #ifndef NO_ECC_SECP 20542 21681 case WOLFSSL_ECC_SECP521R1: return ECC_SECP521R1_OID; … … 20548 21687 } 20549 21688 20550 #endif /* HAVE_ECC */21689 #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */ 20551 21690 20552 21691 /* Persistable DoServerKeyExchange arguments */ 20553 21692 typedef struct DskeArgs { 20554 21693 byte* output; /* not allocated */ 20555 #if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_ ED25519) || \20556 defined(HAVE_ED448)21694 #if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ 21695 defined(HAVE_CURVE448) 20557 21696 byte* verifySig; 20558 21697 #endif 20559 21698 word32 idx; 20560 21699 word32 begin; 20561 #if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_ ED25519) || \20562 defined(HAVE_ED448)21700 #if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ 21701 defined(HAVE_CURVE448) 20563 21702 word16 verifySigSz; 20564 21703 #endif … … 20578 21717 (void)args; 20579 21718 20580 #if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_ ED25519) || \20581 defined(HAVE_ED448)21719 #if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ 21720 defined(HAVE_CURVE448) 20582 21721 if (args->verifySig) { 20583 21722 XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE); … … 20598 21737 #endif 20599 21738 20600 ssl->buffers.weOwnDH = 1; 20601 20602 ssl->buffers.serverDH_P.buffer = NULL; 20603 ssl->buffers.serverDH_G.buffer = NULL; 20604 ssl->buffers.serverDH_Pub.buffer = NULL; 21739 if (ssl->buffers.weOwnDH) { 21740 if (ssl->buffers.serverDH_P.buffer) { 21741 XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, 21742 DYNAMIC_TYPE_PUBLIC_KEY); 21743 ssl->buffers.serverDH_P.buffer = NULL; 21744 } 21745 21746 if (ssl->buffers.serverDH_G.buffer) { 21747 XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, 21748 DYNAMIC_TYPE_PUBLIC_KEY); 21749 ssl->buffers.serverDH_G.buffer = NULL; 21750 } 21751 21752 } 21753 21754 if (ssl->buffers.serverDH_Pub.buffer) { 21755 XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, 21756 DYNAMIC_TYPE_PUBLIC_KEY); 21757 ssl->buffers.serverDH_Pub.buffer = NULL; 21758 } 20605 21759 20606 21760 /* p */ … … 20644 21798 /* g */ 20645 21799 if ((args->idx - args->begin) + OPAQUE16_LEN > size) { 21800 XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, 21801 DYNAMIC_TYPE_PUBLIC_KEY); 21802 ssl->buffers.serverDH_P.buffer = NULL; 20646 21803 ERROR_OUT(BUFFER_ERROR, exit_gdpk); 20647 21804 } … … 20651 21808 20652 21809 if ((args->idx - args->begin) + length > size) { 21810 XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, 21811 DYNAMIC_TYPE_PUBLIC_KEY); 21812 ssl->buffers.serverDH_P.buffer = NULL; 20653 21813 ERROR_OUT(BUFFER_ERROR, exit_gdpk); 21814 } 21815 21816 if (length > ssl->options.maxDhKeySz) { 21817 WOLFSSL_MSG("Server using a DH key generator that is too big"); 21818 SendAlert(ssl, alert_fatal, handshake_failure); 21819 XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, 21820 DYNAMIC_TYPE_PUBLIC_KEY); 21821 ssl->buffers.serverDH_P.buffer = NULL; 21822 ERROR_OUT(DH_KEY_SIZE_E, exit_gdpk); 20654 21823 } 20655 21824 … … 20660 21829 } 20661 21830 else { 21831 XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, 21832 DYNAMIC_TYPE_PUBLIC_KEY); 21833 ssl->buffers.serverDH_P.buffer = NULL; 20662 21834 ERROR_OUT(MEMORY_ERROR, exit_gdpk); 20663 21835 } … … 20669 21841 /* pub */ 20670 21842 if ((args->idx - args->begin) + OPAQUE16_LEN > size) { 21843 XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, 21844 DYNAMIC_TYPE_PUBLIC_KEY); 21845 ssl->buffers.serverDH_P.buffer = NULL; 21846 XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, 21847 DYNAMIC_TYPE_PUBLIC_KEY); 21848 ssl->buffers.serverDH_G.buffer = NULL; 20671 21849 ERROR_OUT(BUFFER_ERROR, exit_gdpk); 20672 21850 } … … 20676 21854 20677 21855 if ((args->idx - args->begin) + length > size) { 21856 XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, 21857 DYNAMIC_TYPE_PUBLIC_KEY); 21858 ssl->buffers.serverDH_P.buffer = NULL; 21859 XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, 21860 DYNAMIC_TYPE_PUBLIC_KEY); 21861 ssl->buffers.serverDH_G.buffer = NULL; 20678 21862 ERROR_OUT(BUFFER_ERROR, exit_gdpk); 21863 } 21864 21865 if (length > ssl->options.maxDhKeySz) { 21866 WOLFSSL_MSG("Server using a public DH key that is too big"); 21867 SendAlert(ssl, alert_fatal, handshake_failure); 21868 XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, 21869 DYNAMIC_TYPE_PUBLIC_KEY); 21870 ssl->buffers.serverDH_P.buffer = NULL; 21871 XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, 21872 DYNAMIC_TYPE_PUBLIC_KEY); 21873 ssl->buffers.serverDH_G.buffer = NULL; 21874 ERROR_OUT(DH_KEY_SIZE_E, exit_gdpk); 20679 21875 } 20680 21876 … … 20685 21881 } 20686 21882 else { 21883 XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, 21884 DYNAMIC_TYPE_PUBLIC_KEY); 21885 ssl->buffers.serverDH_P.buffer = NULL; 21886 XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, 21887 DYNAMIC_TYPE_PUBLIC_KEY); 21888 ssl->buffers.serverDH_G.buffer = NULL; 20687 21889 ERROR_OUT(MEMORY_ERROR, exit_gdpk); 20688 21890 } … … 20690 21892 XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + args->idx, 20691 21893 length); 21894 ssl->buffers.weOwnDH = 1; 20692 21895 args->idx += length; 20693 21896 … … 21216 22419 case ecc_diffie_hellman_kea: 21217 22420 { 21218 #if defined(NO_DH) && !defined(HAVE_ECC) && !defined(HAVE_ED25519)\21219 && !defined(HAVE_ED448)22421 #if defined(NO_DH) && !defined(HAVE_ECC) && \ 22422 !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448) 21220 22423 ERROR_OUT(NOT_COMPILED_IN, exit_dske); 21221 22424 #else … … 21389 22592 case ecc_diffie_hellman_kea: 21390 22593 { 21391 #if defined(NO_DH) && !defined(HAVE_ECC) && !defined(HAVE_ED25519)\21392 && !defined(HAVE_ED448)22594 #if defined(NO_DH) && !defined(HAVE_ECC) && \ 22595 !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448) 21393 22596 ERROR_OUT(NOT_COMPILED_IN, exit_dske); 21394 22597 #else … … 21563 22766 case ecc_diffie_hellman_kea: 21564 22767 { 21565 #if defined(NO_DH) && !defined(HAVE_ECC) && !defined(HAVE_ED25519)\21566 && !defined(HAVE_ED448)22768 #if defined(NO_DH) && !defined(HAVE_ECC) && \ 22769 !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448) 21567 22770 ERROR_OUT(NOT_COMPILED_IN, exit_dske); 21568 22771 #else … … 22624 23827 XMEMCPY(args->output, ssl->arrays->client_identity, esSz); 22625 23828 args->output += esSz; 23829 args->length = args->encSz - esSz - OPAQUE16_LEN; 22626 23830 args->encSz = esSz + OPAQUE16_LEN; 22627 22628 args->length = 0;22629 23831 22630 23832 ret = AllocKey(ssl, DYNAMIC_TYPE_DH, … … 23297 24499 23298 24500 if (IsEncryptionOn(ssl, 1)) { 23299 args->inputSz = idx - RECORD_HEADER_SZ; /* buildmsg adds rechdr */ 24501 int recordHeaderSz = RECORD_HEADER_SZ; 24502 24503 if (ssl->options.dtls) 24504 recordHeaderSz += DTLS_RECORD_EXTRA; 24505 args->inputSz = idx - recordHeaderSz; /* buildmsg adds rechdr */ 23300 24506 args->input = (byte*)XMALLOC(args->inputSz, ssl->heap, 23301 24507 DYNAMIC_TYPE_IN_BUFFER); … … 23304 24510 } 23305 24511 23306 XMEMCPY(args->input, args->output + RECORD_HEADER_SZ,24512 XMEMCPY(args->input, args->output + recordHeaderSz, 23307 24513 args->inputSz); 23308 24514 } … … 23316 24522 { 23317 24523 if (IsEncryptionOn(ssl, 1)) { 24524 #ifdef WOLFSSL_DTLS 24525 if (IsDtlsNotSctpMode(ssl) && 24526 (ret = DtlsMsgPoolSave(ssl, args->input, args->inputSz, client_key_exchange)) != 0) { 24527 goto exit_scke; 24528 } 24529 #endif 23318 24530 ret = BuildMessage(ssl, args->output, args->sendSz, 23319 args->input, args->inputSz, handshake, 1, 0, 0 );24531 args->input, args->inputSz, handshake, 1, 0, 0, CUR_ORDER); 23320 24532 XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 23321 24533 args->input = NULL; /* make sure its not double free'd on cleanup */ … … 23328 24540 else { 23329 24541 #ifdef WOLFSSL_DTLS 24542 if (IsDtlsNotSctpMode(ssl)) { 24543 if ((ret = DtlsMsgPoolSave(ssl, args->output, args->sendSz, client_key_exchange)) != 0) { 24544 goto exit_scke; 24545 } 24546 } 23330 24547 if (ssl->options.dtls) 23331 24548 DtlsSEQIncrement(ssl, CUR_ORDER); … … 23337 24554 goto exit_scke; 23338 24555 } 23339 23340 #ifdef WOLFSSL_DTLS23341 if (IsDtlsNotSctpMode(ssl)) {23342 if ((ret = DtlsMsgPoolSave(ssl, args->output, args->sendSz)) != 0) {23343 goto exit_scke;23344 }23345 }23346 #endif23347 24556 23348 24557 #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) … … 23397 24606 23398 24607 #endif /* !WOLFSSL_NO_TLS12 */ 24608 24609 #ifndef NO_CERTS 24610 24611 #ifndef WOLFSSL_NO_TLS12 24612 24613 #ifndef WOLFSSL_NO_CLIENT_AUTH 24614 typedef struct ScvArgs { 24615 byte* output; /* not allocated */ 24616 #ifndef NO_RSA 24617 byte* verifySig; 24618 #endif 24619 byte* verify; /* not allocated */ 24620 byte* input; 24621 word32 idx; 24622 word32 extraSz; 24623 word32 sigSz; 24624 int sendSz; 24625 int inputSz; 24626 word16 length; 24627 byte sigAlgo; 24628 } ScvArgs; 24629 24630 static void FreeScvArgs(WOLFSSL* ssl, void* pArgs) 24631 { 24632 ScvArgs* args = (ScvArgs*)pArgs; 24633 24634 (void)ssl; 24635 24636 #ifndef NO_RSA 24637 if (args->verifySig) { 24638 XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE); 24639 args->verifySig = NULL; 24640 } 24641 #endif 24642 if (args->input) { 24643 XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 24644 args->input = NULL; 24645 } 24646 } 24647 24648 /* handle generation of certificate_verify (15) */ 24649 int SendCertificateVerify(WOLFSSL* ssl) 24650 { 24651 int ret = 0; 24652 #ifdef WOLFSSL_ASYNC_CRYPT 24653 ScvArgs* args = (ScvArgs*)ssl->async.args; 24654 typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; 24655 (void)sizeof(args_test); 24656 #else 24657 ScvArgs args[1]; 24658 #endif 24659 24660 WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_SEND); 24661 WOLFSSL_ENTER("SendCertificateVerify"); 24662 24663 #ifdef WOLFSSL_ASYNC_CRYPT 24664 /* BuildMessage does its own Pop */ 24665 if (ssl->error != WC_PENDING_E || 24666 ssl->options.asyncState != TLS_ASYNC_END) 24667 ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); 24668 if (ret != WC_NOT_PENDING_E) { 24669 /* Check for error */ 24670 if (ret < 0) 24671 goto exit_scv; 24672 } 24673 else 24674 #endif 24675 { 24676 /* Reset state */ 24677 ret = 0; 24678 ssl->options.asyncState = TLS_ASYNC_BEGIN; 24679 XMEMSET(args, 0, sizeof(ScvArgs)); 24680 #ifdef WOLFSSL_ASYNC_CRYPT 24681 ssl->async.freeArgs = FreeScvArgs; 24682 #endif 24683 } 24684 24685 switch(ssl->options.asyncState) 24686 { 24687 case TLS_ASYNC_BEGIN: 24688 { 24689 if (ssl->options.sendVerify == SEND_BLANK_CERT) { 24690 return 0; /* sent blank cert, can't verify */ 24691 } 24692 24693 args->sendSz = MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA; 24694 if (IsEncryptionOn(ssl, 1)) { 24695 args->sendSz += MAX_MSG_EXTRA; 24696 } 24697 24698 /* check for available size */ 24699 if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { 24700 goto exit_scv; 24701 } 24702 24703 /* get output buffer */ 24704 args->output = ssl->buffers.outputBuffer.buffer + 24705 ssl->buffers.outputBuffer.length; 24706 24707 /* Advance state and proceed */ 24708 ssl->options.asyncState = TLS_ASYNC_BUILD; 24709 } /* case TLS_ASYNC_BEGIN */ 24710 FALL_THROUGH; 24711 24712 case TLS_ASYNC_BUILD: 24713 { 24714 ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes); 24715 if (ret != 0) { 24716 goto exit_scv; 24717 } 24718 24719 if (ssl->buffers.key == NULL) { 24720 #ifdef HAVE_PK_CALLBACKS 24721 if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) 24722 args->length = GetPrivateKeySigSize(ssl); 24723 else 24724 #endif 24725 ERROR_OUT(NO_PRIVATE_KEY, exit_scv); 24726 } 24727 else { 24728 /* Decode private key. */ 24729 ret = DecodePrivateKey(ssl, &args->length); 24730 if (ret != 0) { 24731 goto exit_scv; 24732 } 24733 } 24734 24735 if (args->length == 0) { 24736 ERROR_OUT(NO_PRIVATE_KEY, exit_scv); 24737 } 24738 24739 /* idx is used to track verify pointer offset to output */ 24740 args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; 24741 args->verify = &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ]; 24742 args->extraSz = 0; /* tls 1.2 hash/sig */ 24743 24744 /* build encoded signature buffer */ 24745 ssl->buffers.sig.length = MAX_ENCODED_SIG_SZ; 24746 ssl->buffers.sig.buffer = (byte*)XMALLOC(ssl->buffers.sig.length, 24747 ssl->heap, DYNAMIC_TYPE_SIGNATURE); 24748 if (ssl->buffers.sig.buffer == NULL) { 24749 ERROR_OUT(MEMORY_E, exit_scv); 24750 } 24751 24752 #ifdef WOLFSSL_DTLS 24753 if (ssl->options.dtls) { 24754 args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; 24755 args->verify += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; 24756 } 24757 #endif 24758 24759 #ifndef NO_OLD_TLS 24760 #ifndef NO_SHA 24761 /* old tls default */ 24762 SetDigest(ssl, sha_mac); 24763 #endif 24764 #else 24765 #ifndef NO_SHA256 24766 /* new tls default */ 24767 SetDigest(ssl, sha256_mac); 24768 #endif 24769 #endif /* !NO_OLD_TLS */ 24770 24771 if (ssl->hsType == DYNAMIC_TYPE_RSA) { 24772 #ifdef WC_RSA_PSS 24773 if (IsAtLeastTLSv1_2(ssl) && 24774 (ssl->pssAlgo & (1 << ssl->suites->hashAlgo))) { 24775 args->sigAlgo = rsa_pss_sa_algo; 24776 } 24777 else 24778 #endif 24779 args->sigAlgo = rsa_sa_algo; 24780 } 24781 else if (ssl->hsType == DYNAMIC_TYPE_ECC) 24782 args->sigAlgo = ecc_dsa_sa_algo; 24783 else if (ssl->hsType == DYNAMIC_TYPE_ED25519) 24784 args->sigAlgo = ed25519_sa_algo; 24785 else if (ssl->hsType == DYNAMIC_TYPE_ED448) 24786 args->sigAlgo = ed448_sa_algo; 24787 24788 if (IsAtLeastTLSv1_2(ssl)) { 24789 EncodeSigAlg(ssl->suites->hashAlgo, args->sigAlgo, 24790 args->verify); 24791 args->extraSz = HASH_SIG_SIZE; 24792 SetDigest(ssl, ssl->suites->hashAlgo); 24793 } 24794 #ifndef NO_OLD_TLS 24795 else { 24796 /* if old TLS load MD5 and SHA hash as value to sign */ 24797 XMEMCPY(ssl->buffers.sig.buffer, 24798 (byte*)ssl->hsHashes->certHashes.md5, FINISHED_SZ); 24799 } 24800 #endif 24801 24802 #ifndef NO_RSA 24803 if (args->sigAlgo == rsa_sa_algo) { 24804 ssl->buffers.sig.length = FINISHED_SZ; 24805 args->sigSz = ENCRYPT_LEN; 24806 24807 if (IsAtLeastTLSv1_2(ssl)) { 24808 ssl->buffers.sig.length = wc_EncodeSignature( 24809 ssl->buffers.sig.buffer, ssl->buffers.digest.buffer, 24810 ssl->buffers.digest.length, 24811 TypeHash(ssl->suites->hashAlgo)); 24812 } 24813 24814 /* prepend hdr */ 24815 c16toa(args->length, args->verify + args->extraSz); 24816 } 24817 #ifdef WC_RSA_PSS 24818 else if (args->sigAlgo == rsa_pss_sa_algo) { 24819 XMEMCPY(ssl->buffers.sig.buffer, ssl->buffers.digest.buffer, 24820 ssl->buffers.digest.length); 24821 ssl->buffers.sig.length = ssl->buffers.digest.length; 24822 args->sigSz = ENCRYPT_LEN; 24823 24824 /* prepend hdr */ 24825 c16toa(args->length, args->verify + args->extraSz); 24826 } 24827 #endif 24828 #endif /* !NO_RSA */ 24829 #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH) 24830 if (args->sigAlgo == ed25519_sa_algo) { 24831 ret = Ed25519CheckPubKey(ssl); 24832 if (ret != 0) 24833 goto exit_scv; 24834 } 24835 #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */ 24836 #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH) 24837 if (args->sigAlgo == ed448_sa_algo) { 24838 ret = Ed448CheckPubKey(ssl); 24839 if (ret != 0) 24840 goto exit_scv; 24841 } 24842 #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */ 24843 24844 /* Advance state and proceed */ 24845 ssl->options.asyncState = TLS_ASYNC_DO; 24846 } /* case TLS_ASYNC_BUILD */ 24847 FALL_THROUGH; 24848 24849 case TLS_ASYNC_DO: 24850 { 24851 #ifdef HAVE_ECC 24852 if (ssl->hsType == DYNAMIC_TYPE_ECC) { 24853 ecc_key* key = (ecc_key*)ssl->hsKey; 24854 24855 ret = EccSign(ssl, 24856 ssl->buffers.digest.buffer, ssl->buffers.digest.length, 24857 ssl->buffers.sig.buffer, (word32*)&ssl->buffers.sig.length, 24858 key, 24859 #ifdef HAVE_PK_CALLBACKS 24860 ssl->buffers.key 24861 #else 24862 NULL 24863 #endif 24864 ); 24865 } 24866 #endif /* HAVE_ECC */ 24867 #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH) 24868 if (ssl->hsType == DYNAMIC_TYPE_ED25519) { 24869 ed25519_key* key = (ed25519_key*)ssl->hsKey; 24870 24871 ret = Ed25519Sign(ssl, 24872 ssl->hsHashes->messages, ssl->hsHashes->length, 24873 ssl->buffers.sig.buffer, (word32*)&ssl->buffers.sig.length, 24874 key, 24875 #ifdef HAVE_PK_CALLBACKS 24876 ssl->buffers.key 24877 #else 24878 NULL 24879 #endif 24880 ); 24881 } 24882 #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */ 24883 #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH) 24884 if (ssl->hsType == DYNAMIC_TYPE_ED448) { 24885 ed448_key* key = (ed448_key*)ssl->hsKey; 24886 24887 ret = Ed448Sign(ssl, 24888 ssl->hsHashes->messages, ssl->hsHashes->length, 24889 ssl->buffers.sig.buffer, (word32*)&ssl->buffers.sig.length, 24890 key, 24891 #ifdef HAVE_PK_CALLBACKS 24892 ssl->buffers.key 24893 #else 24894 NULL 24895 #endif 24896 ); 24897 } 24898 #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */ 24899 #ifndef NO_RSA 24900 if (ssl->hsType == DYNAMIC_TYPE_RSA) { 24901 RsaKey* key = (RsaKey*)ssl->hsKey; 24902 24903 /* restore verify pointer */ 24904 args->verify = &args->output[args->idx]; 24905 24906 ret = RsaSign(ssl, 24907 ssl->buffers.sig.buffer, ssl->buffers.sig.length, 24908 args->verify + args->extraSz + VERIFY_HEADER, &args->sigSz, 24909 args->sigAlgo, ssl->suites->hashAlgo, key, 24910 ssl->buffers.key 24911 ); 24912 } 24913 #endif /* !NO_RSA */ 24914 24915 /* Check for error */ 24916 if (ret != 0) { 24917 goto exit_scv; 24918 } 24919 24920 /* Advance state and proceed */ 24921 ssl->options.asyncState = TLS_ASYNC_VERIFY; 24922 } /* case TLS_ASYNC_DO */ 24923 FALL_THROUGH; 24924 24925 case TLS_ASYNC_VERIFY: 24926 { 24927 /* restore verify pointer */ 24928 args->verify = &args->output[args->idx]; 24929 24930 switch (ssl->hsType) { 24931 #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) 24932 #ifdef HAVE_ECC 24933 case DYNAMIC_TYPE_ECC: 24934 #endif 24935 #ifdef HAVE_ED25519 24936 case DYNAMIC_TYPE_ED25519: 24937 #endif 24938 #ifdef HAVE_ED448 24939 case DYNAMIC_TYPE_ED448: 24940 #endif 24941 args->length = (word16)ssl->buffers.sig.length; 24942 /* prepend hdr */ 24943 c16toa(args->length, args->verify + args->extraSz); 24944 XMEMCPY(args->verify + args->extraSz + VERIFY_HEADER, 24945 ssl->buffers.sig.buffer, ssl->buffers.sig.length); 24946 break; 24947 #endif 24948 #ifndef NO_RSA 24949 case DYNAMIC_TYPE_RSA: 24950 { 24951 RsaKey* key = (RsaKey*)ssl->hsKey; 24952 24953 if (args->verifySig == NULL) { 24954 args->verifySig = (byte*)XMALLOC(args->sigSz, ssl->heap, 24955 DYNAMIC_TYPE_SIGNATURE); 24956 if (args->verifySig == NULL) { 24957 ERROR_OUT(MEMORY_E, exit_scv); 24958 } 24959 XMEMCPY(args->verifySig, args->verify + args->extraSz + 24960 VERIFY_HEADER, args->sigSz); 24961 } 24962 24963 /* check for signature faults */ 24964 ret = VerifyRsaSign(ssl, 24965 args->verifySig, args->sigSz, 24966 ssl->buffers.sig.buffer, ssl->buffers.sig.length, 24967 args->sigAlgo, ssl->suites->hashAlgo, key, 24968 ssl->buffers.key 24969 ); 24970 break; 24971 } 24972 #endif /* !NO_RSA */ 24973 default: 24974 break; 24975 } 24976 24977 /* Check for error */ 24978 if (ret != 0) { 24979 goto exit_scv; 24980 } 24981 24982 /* Advance state and proceed */ 24983 ssl->options.asyncState = TLS_ASYNC_FINALIZE; 24984 } /* case TLS_ASYNC_VERIFY */ 24985 FALL_THROUGH; 24986 24987 case TLS_ASYNC_FINALIZE: 24988 { 24989 if (args->output == NULL) { 24990 ERROR_OUT(BUFFER_ERROR, exit_scv); 24991 } 24992 AddHeaders(args->output, (word32)args->length + args->extraSz + 24993 VERIFY_HEADER, certificate_verify, ssl); 24994 24995 args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + 24996 (word32)args->length + args->extraSz + VERIFY_HEADER; 24997 24998 #ifdef WOLFSSL_DTLS 24999 if (ssl->options.dtls) { 25000 args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; 25001 } 25002 #endif 25003 25004 if (IsEncryptionOn(ssl, 1)) { 25005 int recordHeaderSz = RECORD_HEADER_SZ; 25006 25007 if (ssl->options.dtls) 25008 recordHeaderSz += DTLS_RECORD_EXTRA; 25009 args->inputSz = args->sendSz - recordHeaderSz; 25010 /* build msg adds rec hdr */ 25011 args->input = (byte*)XMALLOC(args->inputSz, ssl->heap, 25012 DYNAMIC_TYPE_IN_BUFFER); 25013 if (args->input == NULL) { 25014 ERROR_OUT(MEMORY_E, exit_scv); 25015 } 25016 25017 XMEMCPY(args->input, args->output + recordHeaderSz, 25018 args->inputSz); 25019 } 25020 25021 /* Advance state and proceed */ 25022 ssl->options.asyncState = TLS_ASYNC_END; 25023 } /* case TLS_ASYNC_FINALIZE */ 25024 FALL_THROUGH; 25025 25026 case TLS_ASYNC_END: 25027 { 25028 if (IsEncryptionOn(ssl, 1)) { 25029 #ifdef WOLFSSL_DTLS 25030 if (IsDtlsNotSctpMode(ssl) && 25031 (ret = DtlsMsgPoolSave(ssl, args->input, args->inputSz, certificate_verify)) != 0) { 25032 goto exit_scv; 25033 } 25034 #endif 25035 ret = BuildMessage(ssl, args->output, 25036 MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA, 25037 args->input, args->inputSz, handshake, 25038 1, 0, 1, CUR_ORDER); 25039 #ifdef WOLFSSL_ASYNC_CRYPT 25040 if (ret == WC_PENDING_E) 25041 goto exit_scv; 25042 #endif 25043 25044 XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 25045 args->input = NULL; /* make sure its not double free'd on cleanup */ 25046 25047 if (ret >= 0) { 25048 args->sendSz = ret; 25049 ret = 0; 25050 } 25051 } 25052 else { 25053 #ifdef WOLFSSL_DTLS 25054 if (IsDtlsNotSctpMode(ssl)) { 25055 ret = DtlsMsgPoolSave(ssl, args->output, args->sendSz, certificate_verify); 25056 } 25057 if (ret == 0 && ssl->options.dtls) 25058 DtlsSEQIncrement(ssl, CUR_ORDER); 25059 #endif 25060 if (ret == 0) 25061 ret = HashOutput(ssl, args->output, args->sendSz, 0); 25062 } 25063 25064 if (ret != 0) { 25065 goto exit_scv; 25066 } 25067 25068 #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) 25069 if (ssl->hsInfoOn) 25070 AddPacketName(ssl, "CertificateVerify"); 25071 if (ssl->toInfoOn) 25072 AddPacketInfo(ssl, "CertificateVerify", handshake, 25073 args->output, args->sendSz, WRITE_PROTO, ssl->heap); 25074 #endif 25075 25076 ssl->buffers.outputBuffer.length += args->sendSz; 25077 25078 if (!ssl->options.groupMessages) { 25079 ret = SendBuffered(ssl); 25080 } 25081 break; 25082 } 25083 default: 25084 ret = INPUT_CASE_ERROR; 25085 } /* switch(ssl->options.asyncState) */ 25086 25087 exit_scv: 25088 25089 WOLFSSL_LEAVE("SendCertificateVerify", ret); 25090 WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_SEND); 25091 25092 #ifdef WOLFSSL_ASYNC_CRYPT 25093 /* Handle async operation */ 25094 if (ret == WC_PENDING_E) { 25095 return ret; 25096 } 25097 #endif /* WOLFSSL_ASYNC_CRYPT */ 25098 25099 /* Digest is not allocated, so do this to prevent free */ 25100 ssl->buffers.digest.buffer = NULL; 25101 ssl->buffers.digest.length = 0; 25102 25103 /* Final cleanup */ 25104 FreeScvArgs(ssl, args); 25105 FreeKeyExchange(ssl); 25106 25107 return ret; 25108 } 25109 #endif /* WOLFSSL_NO_CLIENT_AUTH */ 25110 25111 #endif /* WOLFSSL_NO_TLS12 */ 25112 25113 #endif /* NO_CERTS */ 25114 25115 25116 #ifdef HAVE_SESSION_TICKET 25117 int SetTicket(WOLFSSL* ssl, const byte* ticket, word32 length) 25118 { 25119 /* Free old dynamic ticket if we already had one */ 25120 if (ssl->session.isDynamic) { 25121 XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); 25122 ssl->session.ticket = ssl->session.staticTicket; 25123 ssl->session.isDynamic = 0; 25124 } 25125 25126 if (length > sizeof(ssl->session.staticTicket)) { 25127 byte* sessionTicket = 25128 (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); 25129 if (sessionTicket == NULL) 25130 return MEMORY_E; 25131 ssl->session.ticket = sessionTicket; 25132 ssl->session.isDynamic = 1; 25133 } 25134 ssl->session.ticketLen = (word16)length; 25135 25136 if (length > 0) { 25137 XMEMCPY(ssl->session.ticket, ticket, length); 25138 if (ssl->session_ticket_cb != NULL) { 25139 ssl->session_ticket_cb(ssl, 25140 ssl->session.ticket, ssl->session.ticketLen, 25141 ssl->session_ticket_ctx); 25142 } 25143 /* Create a fake sessionID based on the ticket, this will 25144 * supersede the existing session cache info. */ 25145 ssl->options.haveSessionId = 1; 25146 #ifdef WOLFSSL_TLS13 25147 if (ssl->options.tls1_3) { 25148 XMEMCPY(ssl->session.sessionID, 25149 ssl->session.ticket + length - ID_LEN, ID_LEN); 25150 } 25151 else 25152 #endif 25153 XMEMCPY(ssl->arrays->sessionID, 25154 ssl->session.ticket + length - ID_LEN, ID_LEN); 25155 } 25156 25157 return 0; 25158 } 25159 25160 #ifndef WOLFSSL_NO_TLS12 25161 25162 /* handle processing of session_ticket (4) */ 25163 static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, 25164 word32 size) 25165 { 25166 word32 begin = *inOutIdx; 25167 word32 lifetime; 25168 word16 length; 25169 int ret; 25170 25171 if (ssl->expect_session_ticket == 0) { 25172 WOLFSSL_MSG("Unexpected session ticket"); 25173 return SESSION_TICKET_EXPECT_E; 25174 } 25175 25176 if (OPAQUE32_LEN > size) 25177 return BUFFER_ERROR; 25178 25179 ato32(input + *inOutIdx, &lifetime); 25180 *inOutIdx += OPAQUE32_LEN; 25181 25182 if ((*inOutIdx - begin) + OPAQUE16_LEN > size) 25183 return BUFFER_ERROR; 25184 25185 ato16(input + *inOutIdx, &length); 25186 *inOutIdx += OPAQUE16_LEN; 25187 25188 if ((*inOutIdx - begin) + length > size) 25189 return BUFFER_ERROR; 25190 25191 if ((ret = SetTicket(ssl, input + *inOutIdx, length)) != 0) 25192 return ret; 25193 *inOutIdx += length; 25194 if (length > 0) { 25195 ssl->timeout = lifetime; 25196 #ifndef NO_SESSION_CACHE 25197 AddSession(ssl); 25198 #endif 25199 } 25200 25201 if (IsEncryptionOn(ssl, 0)) { 25202 *inOutIdx += ssl->keys.padSz; 25203 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) 25204 if (ssl->options.startedETMRead) 25205 *inOutIdx += MacSize(ssl); 25206 #endif 25207 } 25208 25209 ssl->expect_session_ticket = 0; 25210 25211 return 0; 25212 } 25213 25214 #endif /* !WOLFSSL_NO_TLS12 */ 25215 25216 #endif /* HAVE_SESSION_TICKET */ 25217 25218 #endif /* NO_WOLFSSL_CLIENT */ 23399 25219 23400 25220 #ifndef NO_CERTS … … 23443 25263 #endif /* HAVE_PK_CALLBACKS */ 23444 25264 23445 #ifndef WOLFSSL_NO_TLS1223446 23447 #ifndef WOLFSSL_NO_CLIENT_AUTH23448 typedef struct ScvArgs {23449 byte* output; /* not allocated */23450 #ifndef NO_RSA23451 byte* verifySig;23452 #endif23453 byte* verify; /* not allocated */23454 byte* input;23455 word32 idx;23456 word32 extraSz;23457 word32 sigSz;23458 int sendSz;23459 int inputSz;23460 word16 length;23461 byte sigAlgo;23462 } ScvArgs;23463 23464 static void FreeScvArgs(WOLFSSL* ssl, void* pArgs)23465 {23466 ScvArgs* args = (ScvArgs*)pArgs;23467 23468 (void)ssl;23469 23470 #ifndef NO_RSA23471 if (args->verifySig) {23472 XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);23473 args->verifySig = NULL;23474 }23475 #endif23476 if (args->input) {23477 XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);23478 args->input = NULL;23479 }23480 }23481 23482 /* handle generation of certificate_verify (15) */23483 int SendCertificateVerify(WOLFSSL* ssl)23484 {23485 int ret = 0;23486 #ifdef WOLFSSL_ASYNC_CRYPT23487 ScvArgs* args = (ScvArgs*)ssl->async.args;23488 typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];23489 (void)sizeof(args_test);23490 #else23491 ScvArgs args[1];23492 #endif23493 23494 WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_SEND);23495 WOLFSSL_ENTER("SendCertificateVerify");23496 23497 #ifdef WOLFSSL_ASYNC_CRYPT23498 ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);23499 if (ret != WC_NOT_PENDING_E) {23500 /* Check for error */23501 if (ret < 0)23502 goto exit_scv;23503 }23504 else23505 #endif23506 {23507 /* Reset state */23508 ret = 0;23509 ssl->options.asyncState = TLS_ASYNC_BEGIN;23510 XMEMSET(args, 0, sizeof(ScvArgs));23511 #ifdef WOLFSSL_ASYNC_CRYPT23512 ssl->async.freeArgs = FreeScvArgs;23513 #endif23514 }23515 23516 switch(ssl->options.asyncState)23517 {23518 case TLS_ASYNC_BEGIN:23519 {23520 if (ssl->options.sendVerify == SEND_BLANK_CERT) {23521 return 0; /* sent blank cert, can't verify */23522 }23523 23524 args->sendSz = MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA;23525 if (IsEncryptionOn(ssl, 1)) {23526 args->sendSz += MAX_MSG_EXTRA;23527 }23528 23529 /* check for available size */23530 if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) {23531 goto exit_scv;23532 }23533 23534 /* get output buffer */23535 args->output = ssl->buffers.outputBuffer.buffer +23536 ssl->buffers.outputBuffer.length;23537 23538 /* Advance state and proceed */23539 ssl->options.asyncState = TLS_ASYNC_BUILD;23540 } /* case TLS_ASYNC_BEGIN */23541 FALL_THROUGH;23542 23543 case TLS_ASYNC_BUILD:23544 {23545 ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes);23546 if (ret != 0) {23547 goto exit_scv;23548 }23549 23550 if (ssl->buffers.key == NULL) {23551 #ifdef HAVE_PK_CALLBACKS23552 if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx))23553 args->length = GetPrivateKeySigSize(ssl);23554 else23555 #endif23556 ERROR_OUT(NO_PRIVATE_KEY, exit_scv);23557 }23558 else {23559 /* Decode private key. */23560 ret = DecodePrivateKey(ssl, &args->length);23561 if (ret != 0) {23562 goto exit_scv;23563 }23564 }23565 23566 if (args->length == 0) {23567 ERROR_OUT(NO_PRIVATE_KEY, exit_scv);23568 }23569 23570 /* idx is used to track verify pointer offset to output */23571 args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;23572 args->verify = &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ];23573 args->extraSz = 0; /* tls 1.2 hash/sig */23574 23575 /* build encoded signature buffer */23576 ssl->buffers.sig.length = MAX_ENCODED_SIG_SZ;23577 ssl->buffers.sig.buffer = (byte*)XMALLOC(ssl->buffers.sig.length,23578 ssl->heap, DYNAMIC_TYPE_SIGNATURE);23579 if (ssl->buffers.sig.buffer == NULL) {23580 ERROR_OUT(MEMORY_E, exit_scv);23581 }23582 23583 #ifdef WOLFSSL_DTLS23584 if (ssl->options.dtls) {23585 args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;23586 args->verify += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;23587 }23588 #endif23589 23590 #ifndef NO_OLD_TLS23591 #ifndef NO_SHA23592 /* old tls default */23593 SetDigest(ssl, sha_mac);23594 #endif23595 #else23596 #ifndef NO_SHA25623597 /* new tls default */23598 SetDigest(ssl, sha256_mac);23599 #endif23600 #endif /* !NO_OLD_TLS */23601 23602 if (ssl->hsType == DYNAMIC_TYPE_RSA) {23603 #ifdef WC_RSA_PSS23604 if (IsAtLeastTLSv1_2(ssl) &&23605 (ssl->pssAlgo & (1 << ssl->suites->hashAlgo))) {23606 args->sigAlgo = rsa_pss_sa_algo;23607 }23608 else23609 #endif23610 args->sigAlgo = rsa_sa_algo;23611 }23612 else if (ssl->hsType == DYNAMIC_TYPE_ECC)23613 args->sigAlgo = ecc_dsa_sa_algo;23614 else if (ssl->hsType == DYNAMIC_TYPE_ED25519)23615 args->sigAlgo = ed25519_sa_algo;23616 else if (ssl->hsType == DYNAMIC_TYPE_ED448)23617 args->sigAlgo = ed448_sa_algo;23618 23619 if (IsAtLeastTLSv1_2(ssl)) {23620 EncodeSigAlg(ssl->suites->hashAlgo, args->sigAlgo,23621 args->verify);23622 args->extraSz = HASH_SIG_SIZE;23623 SetDigest(ssl, ssl->suites->hashAlgo);23624 }23625 #ifndef NO_OLD_TLS23626 else {23627 /* if old TLS load MD5 and SHA hash as value to sign */23628 XMEMCPY(ssl->buffers.sig.buffer,23629 (byte*)ssl->hsHashes->certHashes.md5, FINISHED_SZ);23630 }23631 #endif23632 23633 #ifndef NO_RSA23634 if (args->sigAlgo == rsa_sa_algo) {23635 ssl->buffers.sig.length = FINISHED_SZ;23636 args->sigSz = ENCRYPT_LEN;23637 23638 if (IsAtLeastTLSv1_2(ssl)) {23639 ssl->buffers.sig.length = wc_EncodeSignature(23640 ssl->buffers.sig.buffer, ssl->buffers.digest.buffer,23641 ssl->buffers.digest.length,23642 TypeHash(ssl->suites->hashAlgo));23643 }23644 23645 /* prepend hdr */23646 c16toa(args->length, args->verify + args->extraSz);23647 }23648 #ifdef WC_RSA_PSS23649 else if (args->sigAlgo == rsa_pss_sa_algo) {23650 XMEMCPY(ssl->buffers.sig.buffer, ssl->buffers.digest.buffer,23651 ssl->buffers.digest.length);23652 ssl->buffers.sig.length = ssl->buffers.digest.length;23653 args->sigSz = ENCRYPT_LEN;23654 23655 /* prepend hdr */23656 c16toa(args->length, args->verify + args->extraSz);23657 }23658 #endif23659 #endif /* !NO_RSA */23660 #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)23661 if (args->sigAlgo == ed25519_sa_algo) {23662 ret = Ed25519CheckPubKey(ssl);23663 if (ret != 0)23664 goto exit_scv;23665 }23666 #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */23667 #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)23668 if (args->sigAlgo == ed448_sa_algo) {23669 ret = Ed448CheckPubKey(ssl);23670 if (ret != 0)23671 goto exit_scv;23672 }23673 #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */23674 23675 /* Advance state and proceed */23676 ssl->options.asyncState = TLS_ASYNC_DO;23677 } /* case TLS_ASYNC_BUILD */23678 FALL_THROUGH;23679 23680 case TLS_ASYNC_DO:23681 {23682 #ifdef HAVE_ECC23683 if (ssl->hsType == DYNAMIC_TYPE_ECC) {23684 ecc_key* key = (ecc_key*)ssl->hsKey;23685 23686 ret = EccSign(ssl,23687 ssl->buffers.digest.buffer, ssl->buffers.digest.length,23688 ssl->buffers.sig.buffer, (word32*)&ssl->buffers.sig.length,23689 key,23690 #ifdef HAVE_PK_CALLBACKS23691 ssl->buffers.key23692 #else23693 NULL23694 #endif23695 );23696 }23697 #endif /* HAVE_ECC */23698 #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)23699 if (ssl->hsType == DYNAMIC_TYPE_ED25519) {23700 ed25519_key* key = (ed25519_key*)ssl->hsKey;23701 23702 ret = Ed25519Sign(ssl,23703 ssl->hsHashes->messages, ssl->hsHashes->length,23704 ssl->buffers.sig.buffer, (word32*)&ssl->buffers.sig.length,23705 key,23706 #ifdef HAVE_PK_CALLBACKS23707 ssl->buffers.key23708 #else23709 NULL23710 #endif23711 );23712 }23713 #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */23714 #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)23715 if (ssl->hsType == DYNAMIC_TYPE_ED448) {23716 ed448_key* key = (ed448_key*)ssl->hsKey;23717 23718 ret = Ed448Sign(ssl,23719 ssl->hsHashes->messages, ssl->hsHashes->length,23720 ssl->buffers.sig.buffer, (word32*)&ssl->buffers.sig.length,23721 key,23722 #ifdef HAVE_PK_CALLBACKS23723 ssl->buffers.key23724 #else23725 NULL23726 #endif23727 );23728 }23729 #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */23730 #ifndef NO_RSA23731 if (ssl->hsType == DYNAMIC_TYPE_RSA) {23732 RsaKey* key = (RsaKey*)ssl->hsKey;23733 23734 /* restore verify pointer */23735 args->verify = &args->output[args->idx];23736 23737 ret = RsaSign(ssl,23738 ssl->buffers.sig.buffer, ssl->buffers.sig.length,23739 args->verify + args->extraSz + VERIFY_HEADER, &args->sigSz,23740 args->sigAlgo, ssl->suites->hashAlgo, key,23741 ssl->buffers.key23742 );23743 }23744 #endif /* !NO_RSA */23745 23746 /* Check for error */23747 if (ret != 0) {23748 goto exit_scv;23749 }23750 23751 /* Advance state and proceed */23752 ssl->options.asyncState = TLS_ASYNC_VERIFY;23753 } /* case TLS_ASYNC_DO */23754 FALL_THROUGH;23755 23756 case TLS_ASYNC_VERIFY:23757 {23758 /* restore verify pointer */23759 args->verify = &args->output[args->idx];23760 23761 switch (ssl->hsType) {23762 #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)23763 #ifdef HAVE_ECC23764 case DYNAMIC_TYPE_ECC:23765 #endif23766 #ifdef HAVE_ED2551923767 case DYNAMIC_TYPE_ED25519:23768 #endif23769 #ifdef HAVE_ED44823770 case DYNAMIC_TYPE_ED448:23771 #endif23772 args->length = (word16)ssl->buffers.sig.length;23773 /* prepend hdr */23774 c16toa(args->length, args->verify + args->extraSz);23775 XMEMCPY(args->verify + args->extraSz + VERIFY_HEADER,23776 ssl->buffers.sig.buffer, ssl->buffers.sig.length);23777 break;23778 #endif23779 #ifndef NO_RSA23780 case DYNAMIC_TYPE_RSA:23781 {23782 RsaKey* key = (RsaKey*)ssl->hsKey;23783 23784 if (args->verifySig == NULL) {23785 args->verifySig = (byte*)XMALLOC(args->sigSz, ssl->heap,23786 DYNAMIC_TYPE_SIGNATURE);23787 if (args->verifySig == NULL) {23788 ERROR_OUT(MEMORY_E, exit_scv);23789 }23790 XMEMCPY(args->verifySig, args->verify + args->extraSz +23791 VERIFY_HEADER, args->sigSz);23792 }23793 23794 /* check for signature faults */23795 ret = VerifyRsaSign(ssl,23796 args->verifySig, args->sigSz,23797 ssl->buffers.sig.buffer, ssl->buffers.sig.length,23798 args->sigAlgo, ssl->suites->hashAlgo, key,23799 ssl->buffers.key23800 );23801 break;23802 }23803 #endif /* !NO_RSA */23804 default:23805 break;23806 }23807 23808 /* Check for error */23809 if (ret != 0) {23810 goto exit_scv;23811 }23812 23813 /* Advance state and proceed */23814 ssl->options.asyncState = TLS_ASYNC_FINALIZE;23815 } /* case TLS_ASYNC_VERIFY */23816 FALL_THROUGH;23817 23818 case TLS_ASYNC_FINALIZE:23819 {23820 if (args->output == NULL) {23821 ERROR_OUT(BUFFER_ERROR, exit_scv);23822 }23823 AddHeaders(args->output, (word32)args->length + args->extraSz +23824 VERIFY_HEADER, certificate_verify, ssl);23825 23826 args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ +23827 (word32)args->length + args->extraSz + VERIFY_HEADER;23828 23829 #ifdef WOLFSSL_DTLS23830 if (ssl->options.dtls) {23831 args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;23832 }23833 #endif23834 23835 if (IsEncryptionOn(ssl, 1)) {23836 args->inputSz = args->sendSz - RECORD_HEADER_SZ;23837 /* build msg adds rec hdr */23838 args->input = (byte*)XMALLOC(args->inputSz, ssl->heap,23839 DYNAMIC_TYPE_IN_BUFFER);23840 if (args->input == NULL) {23841 ERROR_OUT(MEMORY_E, exit_scv);23842 }23843 23844 XMEMCPY(args->input, args->output + RECORD_HEADER_SZ,23845 args->inputSz);23846 }23847 23848 /* Advance state and proceed */23849 ssl->options.asyncState = TLS_ASYNC_END;23850 } /* case TLS_ASYNC_FINALIZE */23851 FALL_THROUGH;23852 23853 case TLS_ASYNC_END:23854 {23855 if (IsEncryptionOn(ssl, 1)) {23856 ret = BuildMessage(ssl, args->output,23857 MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA,23858 args->input, args->inputSz, handshake,23859 1, 0, 1);23860 #ifdef WOLFSSL_ASYNC_CRYPT23861 if (ret == WC_PENDING_E)23862 goto exit_scv;23863 #endif23864 23865 XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);23866 args->input = NULL; /* make sure its not double free'd on cleanup */23867 23868 if (ret >= 0) {23869 args->sendSz = ret;23870 ret = 0;23871 }23872 }23873 else {23874 #ifdef WOLFSSL_DTLS23875 if (ssl->options.dtls)23876 DtlsSEQIncrement(ssl, CUR_ORDER);23877 #endif23878 ret = HashOutput(ssl, args->output, args->sendSz, 0);23879 }23880 23881 if (ret != 0) {23882 goto exit_scv;23883 }23884 23885 #ifdef WOLFSSL_DTLS23886 if (IsDtlsNotSctpMode(ssl)) {23887 ret = DtlsMsgPoolSave(ssl, args->output, args->sendSz);23888 }23889 #endif23890 23891 23892 #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)23893 if (ssl->hsInfoOn)23894 AddPacketName(ssl, "CertificateVerify");23895 if (ssl->toInfoOn)23896 AddPacketInfo(ssl, "CertificateVerify", handshake,23897 args->output, args->sendSz, WRITE_PROTO, ssl->heap);23898 #endif23899 23900 ssl->buffers.outputBuffer.length += args->sendSz;23901 23902 if (!ssl->options.groupMessages) {23903 ret = SendBuffered(ssl);23904 }23905 break;23906 }23907 default:23908 ret = INPUT_CASE_ERROR;23909 } /* switch(ssl->options.asyncState) */23910 23911 exit_scv:23912 23913 WOLFSSL_LEAVE("SendCertificateVerify", ret);23914 WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_SEND);23915 23916 #ifdef WOLFSSL_ASYNC_CRYPT23917 /* Handle async operation */23918 if (ret == WC_PENDING_E) {23919 return ret;23920 }23921 #endif /* WOLFSSL_ASYNC_CRYPT */23922 23923 /* Digest is not allocated, so do this to prevent free */23924 ssl->buffers.digest.buffer = NULL;23925 ssl->buffers.digest.length = 0;23926 23927 /* Final cleanup */23928 FreeScvArgs(ssl, args);23929 FreeKeyExchange(ssl);23930 23931 return ret;23932 }23933 #endif /* WOLFSSL_NO_CLIENT_AUTH */23934 23935 #endif /* WOLFSSL_NO_TLS12 */23936 23937 25265 #endif /* NO_CERTS */ 23938 23939 23940 #ifdef HAVE_SESSION_TICKET23941 int SetTicket(WOLFSSL* ssl, const byte* ticket, word32 length)23942 {23943 /* Free old dynamic ticket if we already had one */23944 if (ssl->session.isDynamic) {23945 XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);23946 ssl->session.ticket = ssl->session.staticTicket;23947 ssl->session.isDynamic = 0;23948 }23949 23950 if (length > sizeof(ssl->session.staticTicket)) {23951 byte* sessionTicket =23952 (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);23953 if (sessionTicket == NULL)23954 return MEMORY_E;23955 ssl->session.ticket = sessionTicket;23956 ssl->session.isDynamic = 1;23957 }23958 ssl->session.ticketLen = (word16)length;23959 23960 if (length > 0) {23961 XMEMCPY(ssl->session.ticket, ticket, length);23962 if (ssl->session_ticket_cb != NULL) {23963 ssl->session_ticket_cb(ssl,23964 ssl->session.ticket, ssl->session.ticketLen,23965 ssl->session_ticket_ctx);23966 }23967 /* Create a fake sessionID based on the ticket, this will23968 * supersede the existing session cache info. */23969 ssl->options.haveSessionId = 1;23970 #ifdef WOLFSSL_TLS1323971 if (ssl->options.tls1_3) {23972 XMEMCPY(ssl->session.sessionID,23973 ssl->session.ticket + length - ID_LEN, ID_LEN);23974 }23975 else23976 #endif23977 XMEMCPY(ssl->arrays->sessionID,23978 ssl->session.ticket + length - ID_LEN, ID_LEN);23979 }23980 23981 return 0;23982 }23983 23984 #ifndef WOLFSSL_NO_TLS1223985 23986 /* handle processing of session_ticket (4) */23987 static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,23988 word32 size)23989 {23990 word32 begin = *inOutIdx;23991 word32 lifetime;23992 word16 length;23993 int ret;23994 23995 if (ssl->expect_session_ticket == 0) {23996 WOLFSSL_MSG("Unexpected session ticket");23997 return SESSION_TICKET_EXPECT_E;23998 }23999 24000 if (OPAQUE32_LEN > size)24001 return BUFFER_ERROR;24002 24003 ato32(input + *inOutIdx, &lifetime);24004 *inOutIdx += OPAQUE32_LEN;24005 24006 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)24007 return BUFFER_ERROR;24008 24009 ato16(input + *inOutIdx, &length);24010 *inOutIdx += OPAQUE16_LEN;24011 24012 if ((*inOutIdx - begin) + length > size)24013 return BUFFER_ERROR;24014 24015 if ((ret = SetTicket(ssl, input + *inOutIdx, length)) != 0)24016 return ret;24017 *inOutIdx += length;24018 if (length > 0) {24019 ssl->timeout = lifetime;24020 #ifndef NO_SESSION_CACHE24021 AddSession(ssl);24022 #endif24023 }24024 24025 if (IsEncryptionOn(ssl, 0)) {24026 *inOutIdx += ssl->keys.padSz;24027 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)24028 if (ssl->options.startedETMRead)24029 *inOutIdx += MacSize(ssl);24030 #endif24031 }24032 24033 ssl->expect_session_ticket = 0;24034 24035 return 0;24036 }24037 24038 #endif /* !WOLFSSL_NO_TLS12 */24039 24040 #endif /* HAVE_SESSION_TICKET */24041 24042 #endif /* NO_WOLFSSL_CLIENT */24043 25266 24044 25267 #ifdef HAVE_ECC … … 24046 25269 word16 GetCurveByOID(int oidSum) { 24047 25270 switch(oidSum) { 24048 #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)25271 #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160 24049 25272 #ifndef NO_ECC_SECP 24050 25273 case ECC_SECP160R1_OID: … … 24060 25283 #endif /* HAVE_ECC_KOBLITZ */ 24061 25284 #endif 24062 #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)25285 #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192 24063 25286 #ifndef NO_ECC_SECP 24064 25287 case ECC_SECP192R1_OID: … … 24070 25293 #endif /* HAVE_ECC_KOBLITZ */ 24071 25294 #endif 24072 #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)25295 #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224 24073 25296 #ifndef NO_ECC_SECP 24074 25297 case ECC_SECP224R1_OID: … … 24080 25303 #endif /* HAVE_ECC_KOBLITZ */ 24081 25304 #endif 24082 #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)25305 #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 24083 25306 #ifndef NO_ECC_SECP 24084 25307 case ECC_SECP256R1_OID: … … 24094 25317 #endif /* HAVE_ECC_BRAINPOOL */ 24095 25318 #endif 24096 #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)25319 #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384 24097 25320 #ifndef NO_ECC_SECP 24098 25321 case ECC_SECP384R1_OID: … … 24104 25327 #endif /* HAVE_ECC_BRAINPOOL */ 24105 25328 #endif 24106 #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)25329 #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512 24107 25330 #ifdef HAVE_ECC_BRAINPOOL 24108 25331 case ECC_BRAINPOOLP512R1_OID: … … 24110 25333 #endif /* HAVE_ECC_BRAINPOOL */ 24111 25334 #endif 24112 #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)25335 #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521 24113 25336 #ifndef NO_ECC_SECP 24114 25337 case ECC_SECP521R1_OID: … … 24190 25413 #ifdef WOLFSSL_DTLS 24191 25414 if (ssl->options.dtls) { 24192 /* Server Hello should use the same sequence number as the 24193 * Client Hello. */ 24194 ssl->keys.dtls_sequence_number_hi = ssl->keys.curSeq_hi; 24195 ssl->keys.dtls_sequence_number_lo = ssl->keys.curSeq_lo; 25415 if (((ssl->keys.dtls_sequence_number_hi == ssl->keys.curSeq_hi && 25416 ssl->keys.dtls_sequence_number_lo < ssl->keys.curSeq_lo) || 25417 (ssl->keys.dtls_sequence_number_hi < ssl->keys.curSeq_hi))) { 25418 /* Server Hello should use the same sequence number as the 25419 * Client Hello if available. */ 25420 ssl->keys.dtls_sequence_number_hi = ssl->keys.curSeq_hi; 25421 ssl->keys.dtls_sequence_number_lo = ssl->keys.curSeq_lo; 25422 } 24196 25423 idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; 24197 25424 sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; … … 24236 25463 if (ssl->ctx->method->version.major == SSLv3_MAJOR && 24237 25464 ssl->ctx->method->version.minor == TLSv1_2_MINOR && 25465 #ifdef OPENSSL_EXTRA 25466 (wolfSSL_get_options(ssl) & SSL_OP_NO_TLSv1_2) == 0 && 25467 #endif 24238 25468 !IsAtLeastTLSv1_2(ssl)) { 24239 25469 /* TLS v1.2 capable server downgraded. */ … … 24306 25536 if (IsEncryptionOn(ssl, 1)) { 24307 25537 byte* input; 24308 int inputSz = idx - RECORD_HEADER_SZ; /* build msg adds rec hdr */ 24309 25538 int inputSz = idx; /* build msg adds rec hdr */ 25539 int recordHeaderSz = RECORD_HEADER_SZ; 25540 25541 if (ssl->options.dtls) 25542 recordHeaderSz += DTLS_RECORD_EXTRA; 25543 inputSz -= recordHeaderSz; 24310 25544 input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 24311 25545 if (input == NULL) 24312 25546 return MEMORY_E; 24313 25547 24314 XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); 25548 XMEMCPY(input, output + recordHeaderSz, inputSz); 25549 #ifdef WOLFSSL_DTLS 25550 if (IsDtlsNotSctpMode(ssl) && 25551 (ret = DtlsMsgPoolSave(ssl, input, inputSz, server_hello)) != 0) { 25552 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 25553 return ret; 25554 } 25555 #endif 24315 25556 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 24316 handshake, 1, 0, 0 );25557 handshake, 1, 0, 0, CUR_ORDER); 24317 25558 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 24318 25559 … … 24321 25562 } else { 24322 25563 #ifdef WOLFSSL_DTLS 25564 if (IsDtlsNotSctpMode(ssl)) { 25565 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, server_hello)) != 0) 25566 return ret; 25567 } 24323 25568 if (ssl->options.dtls) 24324 25569 DtlsSEQIncrement(ssl, CUR_ORDER); … … 24340 25585 ssl->buffers.outputBuffer.length += sendSz; 24341 25586 24342 #ifdef WOLFSSL_DTLS24343 if (IsDtlsNotSctpMode(ssl)) {24344 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0)24345 return ret;24346 }24347 #endif24348 24349 25587 if (ssl->options.groupMessages) 24350 25588 ret = 0; … … 24376 25614 byte* output; /* not allocated */ 24377 25615 #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \ 24378 (!defined(NO_DH) && !defined(NO_RSA))25616 !defined(NO_RSA) 24379 25617 byte* sigDataBuf; 24380 25618 #endif … … 24391 25629 word32 sigSz; 24392 25630 #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \ 24393 (!defined(NO_DH) && !defined(NO_RSA))25631 !defined(NO_RSA) 24394 25632 word32 sigDataSz; 24395 25633 #endif … … 24534 25772 ERROR_OUT(MEMORY_E, exit_sske); 24535 25773 } 25774 ssl->buffers.serverDH_Pub.length = 25775 ssl->buffers.serverDH_P.length + OPAQUE16_LEN; 24536 25776 } 24537 25777 … … 24544 25784 ERROR_OUT(MEMORY_E, exit_sske); 24545 25785 } 25786 ssl->buffers.serverDH_Priv.length = 25787 ssl->buffers.serverDH_P.length + OPAQUE16_LEN; 24546 25788 } 24547 25789 … … 25535 26777 } 25536 26778 #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */ 25537 #if defined(HAVE_ECC) || defined(HAVE_ED25519) || \25538 defined(HAVE_ED448)26779 #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ 26780 defined(HAVE_CURVE448) 25539 26781 case ecc_diffie_hellman_kea: 25540 26782 { … … 25859 27101 if (IsEncryptionOn(ssl, 1)) { 25860 27102 args->inputSz = args->length + HANDSHAKE_HEADER_SZ; 25861 /* buildmsg adds rechdr */ 27103 if (ssl->options.dtls) 27104 args->inputSz += DTLS_HANDSHAKE_EXTRA; 25862 27105 args->input = (byte*)XMALLOC(args->inputSz, ssl->heap, 25863 27106 DYNAMIC_TYPE_IN_BUFFER); … … 25870 27113 } 25871 27114 25872 XMEMCPY(args->input, args->output + RECORD_HEADER_SZ, 27115 if (!ssl->options.dtls) 27116 XMEMCPY(args->input, args->output + RECORD_HEADER_SZ, 25873 27117 args->inputSz); 27118 else 27119 XMEMCPY(args->input, args->output + DTLS_RECORD_HEADER_SZ, 27120 args->inputSz); 27121 27122 #ifdef WOLFSSL_DTLS 27123 if (IsDtlsNotSctpMode(ssl) && 27124 (ret = DtlsMsgPoolSave(ssl, args->input, args->inputSz, server_key_exchange)) 27125 != 0) { 27126 goto exit_sske; 27127 } 27128 #endif 25874 27129 ret = BuildMessage(ssl, args->output, args->sendSz, 25875 args->input, args->inputSz, handshake, 1, 0, 0 );27130 args->input, args->inputSz, handshake, 1, 0, 0, CUR_ORDER); 25876 27131 XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 25877 27132 args->input = NULL; … … 25887 27142 if (IsDtlsNotSctpMode(ssl)) { 25888 27143 if ((ret = DtlsMsgPoolSave(ssl, 25889 args->output, args->sendSz )) != 0) {27144 args->output, args->sendSz, server_key_exchange)) != 0) { 25890 27145 goto exit_sske; 25891 27146 } … … 25943 27198 25944 27199 /* Final cleanup */ 27200 if (args->input != NULL) { 27201 XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 27202 args->input = NULL; 27203 } 25945 27204 FreeSskeArgs(ssl, args); 25946 27205 FreeKeyExchange(ssl); … … 26098 27357 #ifdef WOLFSSL_TLS13 26099 27358 if (IsAtLeastTLSv1_3(ssl->version) && 26100 ssl->options.side == WOLFSSL_SERVER_END) { 27359 ssl->options.side == WOLFSSL_SERVER_END) { 27360 #ifdef HAVE_SUPPORTED_CURVES 26101 27361 /* Try to establish a key share. */ 26102 27362 int ret = TLSX_KeyShare_Establish(ssl); … … 26105 27365 else if (ret != 0) 26106 27366 return 0; 27367 #endif 26107 27368 } 26108 27369 else if (first == TLS13_BYTE || (first == ECC_BYTE && … … 26288 27549 if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ) 26289 27550 return BUFFER_ERROR; 27551 /* Make sure the suiteSz is a multiple of 3. (Old Client Hello) */ 27552 if (clSuites.suiteSz % 3 != 0) 27553 return BUFFER_ERROR; 26290 27554 clSuites.hashSigAlgoSz = 0; 26291 27555 … … 26427 27691 SendAlert(ssl, alert_fatal, handshake_failure); 26428 27692 #endif 27693 #ifdef HAVE_EXT_CACHE 27694 wolfSSL_SESSION_free(session); 27695 #endif 26429 27696 return EXT_MASTER_SECRET_NEEDED_E; 26430 27697 } … … 26519 27786 ssl->chVersion = pv; /* store */ 26520 27787 #ifdef WOLFSSL_DTLS 26521 if (IsDtlsNotSctpMode(ssl) ) {27788 if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl) && !ssl->options.resuming) { 26522 27789 #if defined(NO_SHA) && defined(NO_SHA256) 26523 27790 #error "DTLS needs either SHA or SHA-256" … … 26535 27802 ssl->buffers.dtlsCookieSecret.buffer, 26536 27803 ssl->buffers.dtlsCookieSecret.length); 26537 if (ret != 0) return ret;27804 if (ret != 0) goto out; 26538 27805 ret = wc_HmacUpdate(&cookieHmac, 26539 27806 (const byte*)ssl->buffers.dtlsCtx.peer.sa, 26540 27807 ssl->buffers.dtlsCtx.peer.sz); 26541 if (ret != 0) return ret;27808 if (ret != 0) goto out; 26542 27809 ret = wc_HmacUpdate(&cookieHmac, input + i, OPAQUE16_LEN); 26543 if (ret != 0) return ret;27810 if (ret != 0) goto out; 26544 27811 } 26545 27812 #endif /* WOLFSSL_DTLS */ … … 26561 27828 if (!ssl->options.downgrade) { 26562 27829 WOLFSSL_MSG("Client trying to connect with lesser version"); 26563 return VERSION_ERROR; 27830 ret = VERSION_ERROR; 27831 goto out; 26564 27832 } 26565 27833 if (pv.minor < ssl->options.minDowngrade) { 26566 27834 WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); 26567 return VERSION_ERROR; 27835 ret = VERSION_ERROR; 27836 goto out; 26568 27837 } 26569 27838 … … 26634 27903 (ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { 26635 27904 WOLFSSL_MSG("\tError, option set to not allow SSLv3"); 26636 return VERSION_ERROR; 27905 ret = VERSION_ERROR; 27906 goto out; 26637 27907 } 26638 27908 26639 27909 if (ssl->version.minor < ssl->options.minDowngrade) { 26640 27910 WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); 26641 return VERSION_ERROR; 27911 ret = VERSION_ERROR; 27912 goto out; 26642 27913 } 26643 27914 … … 26669 27940 XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN); 26670 27941 #ifdef WOLFSSL_DTLS 26671 if (IsDtlsNotSctpMode(ssl) ) {27942 if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl) && !ssl->options.resuming) { 26672 27943 ret = wc_HmacUpdate(&cookieHmac, input + i, RAN_LEN); 26673 if (ret != 0) return ret;27944 if (ret != 0) goto out; 26674 27945 } 26675 27946 #endif /* WOLFSSL_DTLS */ … … 26697 27968 26698 27969 if (b == ID_LEN || bogusID) { 26699 if ((i - begin) + b > helloSz) 26700 return BUFFER_ERROR; 27970 if ((i - begin) + b > helloSz) { 27971 ret = BUFFER_ERROR; 27972 goto out; 27973 } 26701 27974 26702 27975 XMEMCPY(ssl->arrays->sessionID, input + i, b); 26703 27976 #ifdef WOLFSSL_DTLS 26704 if (IsDtlsNotSctpMode(ssl)) { 27977 if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl) && 27978 !ssl->options.resuming) { 26705 27979 ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1); 26706 if (ret != 0) return ret;27980 if (ret != 0) goto out; 26707 27981 } 26708 27982 #endif /* WOLFSSL_DTLS */ … … 26714 27988 else if (b) { 26715 27989 WOLFSSL_MSG("Invalid session ID size"); 26716 return BUFFER_ERROR; /* session ID nor 0 neither 32 bytes long */ 27990 ret = BUFFER_ERROR; /* session ID nor 0 neither 32 bytes long */ 27991 goto out; 26717 27992 } 26718 27993 … … 26721 27996 if (ssl->options.dtls) { 26722 27997 26723 if ((i - begin) + OPAQUE8_LEN > helloSz) 26724 return BUFFER_ERROR; 27998 if ((i - begin) + OPAQUE8_LEN > helloSz) { 27999 ret = BUFFER_ERROR; 28000 goto out; 28001 } 26725 28002 26726 28003 peerCookieSz = input[i++]; 26727 28004 26728 28005 if (peerCookieSz) { 26729 if (peerCookieSz > MAX_COOKIE_LEN) 26730 return BUFFER_ERROR; 26731 26732 if ((i - begin) + peerCookieSz > helloSz) 26733 return BUFFER_ERROR; 28006 if (peerCookieSz > MAX_COOKIE_LEN) { 28007 ret = BUFFER_ERROR; 28008 goto out; 28009 } 28010 28011 if ((i - begin) + peerCookieSz > helloSz) { 28012 ret = BUFFER_ERROR; 28013 goto out; 28014 } 26734 28015 26735 28016 XMEMCPY(peerCookie, input + i, peerCookieSz); … … 26741 28022 26742 28023 /* suites */ 26743 if ((i - begin) + OPAQUE16_LEN > helloSz) 26744 return BUFFER_ERROR; 28024 if ((i - begin) + OPAQUE16_LEN > helloSz) { 28025 ret = BUFFER_ERROR; 28026 goto out; 28027 } 26745 28028 26746 28029 ato16(&input[i], &clSuites.suiteSz); 26747 28030 i += OPAQUE16_LEN; 26748 28031 28032 /* Cipher suite lists are always multiples of two in length. */ 28033 if (clSuites.suiteSz % 2 != 0) { 28034 ret = BUFFER_ERROR; 28035 goto out; 28036 } 28037 26749 28038 /* suites and compression length check */ 26750 if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz) 26751 return BUFFER_ERROR; 26752 26753 if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ) 26754 return BUFFER_ERROR; 28039 if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz) { 28040 ret = BUFFER_ERROR; 28041 goto out; 28042 } 28043 28044 if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ) { 28045 ret = BUFFER_ERROR; 28046 goto out; 28047 } 26755 28048 26756 28049 XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz); … … 26764 28057 ret = TLSX_AddEmptyRenegotiationInfo(&ssl->extensions, ssl->heap); 26765 28058 if (ret != WOLFSSL_SUCCESS) 26766 return ret;28059 goto out; 26767 28060 26768 28061 extension = TLSX_Find(ssl->extensions, TLSX_RENEGOTIATION_INFO); … … 26781 28074 WOLFSSL_MSG("Client trying to connect with lesser version"); 26782 28075 SendAlert(ssl, alert_fatal, inappropriate_fallback); 26783 return VERSION_ERROR; 28076 ret = VERSION_ERROR; 28077 goto out; 26784 28078 } 26785 28079 } … … 26787 28081 26788 28082 #ifdef WOLFSSL_DTLS 26789 if (IsDtlsNotSctpMode(ssl) ) {28083 if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl) && !ssl->options.resuming) { 26790 28084 ret = wc_HmacUpdate(&cookieHmac, 26791 28085 input + i - OPAQUE16_LEN, 26792 28086 clSuites.suiteSz + OPAQUE16_LEN); 26793 if (ret != 0) return ret;28087 if (ret != 0) goto out; 26794 28088 } 26795 28089 #endif /* WOLFSSL_DTLS */ … … 26800 28094 b = input[i++]; 26801 28095 26802 if ((i - begin) + b > helloSz) 26803 return BUFFER_ERROR; 28096 if ((i - begin) + b > helloSz) { 28097 ret = BUFFER_ERROR; 28098 goto out; 28099 } 26804 28100 26805 28101 if (b == 0) { … … 26808 28104 SendAlert(ssl, alert_fatal, decode_error); 26809 28105 #endif 26810 return COMPRESSION_ERROR; 28106 ret = COMPRESSION_ERROR; 28107 goto out; 26811 28108 } 26812 28109 26813 28110 #ifdef WOLFSSL_DTLS 26814 28111 if (IsDtlsNotSctpMode(ssl)) { 26815 byte newCookie[MAX_COOKIE_LEN]; 26816 26817 ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1); 26818 if (ret != 0) return ret; 26819 ret = wc_HmacFinal(&cookieHmac, newCookie); 26820 if (ret != 0) return ret; 26821 26822 /* If a cookie callback is set, call it to overwrite the cookie. 26823 * This should be deprecated. The code now calculates the cookie 26824 * using an HMAC as expected. */ 26825 if (ssl->ctx->CBIOCookie != NULL && 26826 ssl->ctx->CBIOCookie(ssl, newCookie, cookieSz, 26827 ssl->IOCB_CookieCtx) != cookieSz) { 26828 return COOKIE_ERROR; 26829 } 26830 26831 /* Check the cookie, see if we progress the state machine. */ 26832 if (peerCookieSz != cookieSz || 26833 XMEMCMP(peerCookie, newCookie, cookieSz) != 0) { 26834 26835 /* Send newCookie to client in a HelloVerifyRequest message 26836 * and let the state machine alone. */ 26837 ssl->msgsReceived.got_client_hello = 0; 26838 ssl->keys.dtls_handshake_number = 0; 26839 ssl->keys.dtls_expected_peer_handshake_number = 0; 26840 *inOutIdx += helloSz; 26841 return SendHelloVerifyRequest(ssl, newCookie, cookieSz); 28112 if (!IsSCR(ssl) && !ssl->options.resuming) { 28113 byte newCookie[MAX_COOKIE_LEN]; 28114 28115 ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1); 28116 if (ret != 0) goto out; 28117 ret = wc_HmacFinal(&cookieHmac, newCookie); 28118 if (ret != 0) goto out; 28119 28120 /* If a cookie callback is set, call it to overwrite the cookie. 28121 * This should be deprecated. The code now calculates the cookie 28122 * using an HMAC as expected. */ 28123 if (ssl->ctx->CBIOCookie != NULL && 28124 ssl->ctx->CBIOCookie(ssl, newCookie, cookieSz, 28125 ssl->IOCB_CookieCtx) != cookieSz) { 28126 ret = COOKIE_ERROR; 28127 goto out; 28128 } 28129 28130 /* Check the cookie, see if we progress the state machine. */ 28131 if (peerCookieSz != cookieSz || 28132 XMEMCMP(peerCookie, newCookie, cookieSz) != 0) { 28133 28134 /* Send newCookie to client in a HelloVerifyRequest message 28135 * and let the state machine alone. */ 28136 ssl->msgsReceived.got_client_hello = 0; 28137 ssl->keys.dtls_handshake_number = 0; 28138 ssl->keys.dtls_expected_peer_handshake_number = 0; 28139 *inOutIdx += helloSz; 28140 ret = SendHelloVerifyRequest(ssl, newCookie, cookieSz); 28141 goto out; 28142 } 26842 28143 } 26843 28144 … … 26845 28146 * verify request. */ 26846 28147 ret = HashInput(ssl, input + *inOutIdx, helloSz); 26847 if (ret != 0) return ret;28148 if (ret != 0) goto out; 26848 28149 } 26849 28150 #endif /* WOLFSSL_DTLS */ … … 26877 28178 SendAlert(ssl, alert_fatal, illegal_parameter); 26878 28179 #endif 26879 return COMPRESSION_ERROR; 28180 ret = COMPRESSION_ERROR; 28181 goto out; 26880 28182 } 26881 28183 } … … 26900 28202 /* auto populate extensions supported unless user defined */ 26901 28203 if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0) 26902 return ret; 26903 #endif 26904 26905 if ((i - begin) + OPAQUE16_LEN > helloSz) 26906 return BUFFER_ERROR; 28204 goto out; 28205 #endif 28206 28207 if ((i - begin) + OPAQUE16_LEN > helloSz) { 28208 ret = BUFFER_ERROR; 28209 goto out; 28210 } 26907 28211 26908 28212 ato16(&input[i], &totalExtSz); 26909 28213 i += OPAQUE16_LEN; 26910 28214 26911 if ((i - begin) + totalExtSz > helloSz) 26912 return BUFFER_ERROR; 28215 if ((i - begin) + totalExtSz > helloSz) { 28216 ret = BUFFER_ERROR; 28217 goto out; 28218 } 26913 28219 26914 28220 #ifdef HAVE_TLS_EXTENSIONS … … 26916 28222 if ((ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz, 26917 28223 client_hello, &clSuites))) 26918 return ret;28224 goto out; 26919 28225 #ifdef WOLFSSL_TLS13 26920 28226 if (TLSX_Find(ssl->extensions, … … 26922 28228 WOLFSSL_MSG( 26923 28229 "Client attempting to connect with higher version"); 26924 return VERSION_ERROR; 28230 ret = VERSION_ERROR; 28231 goto out; 26925 28232 } 26926 28233 #endif 26927 #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)28234 #ifdef HAVE_SNI 26928 28235 if((ret=SNI_Callback(ssl))) 26929 return ret;28236 goto out; 26930 28237 ssl->options.side = WOLFSSL_SERVER_END; 26931 28238 #endif … … 26936 28243 word16 extId, extSz; 26937 28244 26938 if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz) 26939 return BUFFER_ERROR; 28245 if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz) { 28246 ret = BUFFER_ERROR; 28247 goto out; 28248 } 26940 28249 26941 28250 ato16(&input[i], &extId); … … 26944 28253 i += OPAQUE16_LEN; 26945 28254 26946 if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz) 26947 return BUFFER_ERROR; 28255 if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz) { 28256 ret = BUFFER_ERROR; 28257 goto out; 28258 } 26948 28259 26949 28260 if (extId == HELLO_EXT_SIG_ALGO) { … … 26953 28264 i += OPAQUE16_LEN; 26954 28265 26955 if (OPAQUE16_LEN + hashSigAlgoSz > extSz) 26956 return BUFFER_ERROR; 28266 if (OPAQUE16_LEN + hashSigAlgoSz > extSz) { 28267 ret = BUFFER_ERROR; 28268 goto out; 28269 } 28270 28271 if (hashSigAlgoSz % 2 != 0) { 28272 ret = BUFFER_ERROR; 28273 goto out; 28274 } 26957 28275 26958 28276 clSuites.hashSigAlgoSz = hashSigAlgoSz; … … 26991 28309 ret = HandleTlsResumption(ssl, bogusID, &clSuites); 26992 28310 if (ret != 0) 26993 return ret; 26994 26995 #ifdef HAVE_SECURE_RENEGOTIATION 26996 if (ssl->secure_renegotiation && 26997 ssl->secure_renegotiation->enabled && 26998 IsEncryptionOn(ssl, 0)) 26999 ssl->secure_renegotiation->startScr = 1; 27000 #endif 28311 goto out; 27001 28312 27002 28313 if (ssl->options.clientState == CLIENT_KEYEXCHANGE_COMPLETE) { … … 27004 28315 WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO); 27005 28316 27006 return ret;28317 goto out; 27007 28318 } 27008 28319 } … … 27015 28326 ret = TLSX_SupportedFFDHE_Set(ssl); 27016 28327 if (ret != 0) 27017 return ret;28328 goto out; 27018 28329 } 27019 28330 #endif … … 27028 28339 #endif 27029 28340 27030 #ifdef HAVE_SECURE_RENEGOTIATION 27031 if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled && 27032 IsEncryptionOn(ssl, 0)) { 27033 ssl->secure_renegotiation->startScr = 1; 27034 } 28341 #ifdef WOLFSSL_DTLS 28342 if (ret == 0 && ssl->options.dtls) 28343 DtlsMsgPoolReset(ssl); 27035 28344 #endif 27036 28345 WOLFSSL_LEAVE("DoClientHello", ret); 27037 28346 WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO); 28347 28348 out: 28349 28350 #ifdef WOLFSSL_DTLS 28351 wc_HmacFree(&cookieHmac); 28352 #endif 27038 28353 27039 28354 return ret; … … 27483 28798 byte* input; 27484 28799 int inputSz = HANDSHAKE_HEADER_SZ; /* build msg adds rec hdr */ 28800 int recordHeaderSz = RECORD_HEADER_SZ; 28801 28802 if (ssl->options.dtls) { 28803 recordHeaderSz += DTLS_RECORD_EXTRA; 28804 inputSz += DTLS_HANDSHAKE_EXTRA; 28805 } 27485 28806 27486 28807 input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); … … 27488 28809 return MEMORY_E; 27489 28810 27490 XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); 28811 XMEMCPY(input, output + recordHeaderSz, inputSz); 28812 #ifdef WOLFSSL_DTLS 28813 if (IsDtlsNotSctpMode(ssl) && 28814 (ret = DtlsMsgPoolSave(ssl, input, inputSz, server_hello_done)) != 0) { 28815 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 28816 return ret; 28817 } 28818 #endif 27491 28819 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 27492 handshake, 1, 0, 0 );28820 handshake, 1, 0, 0, CUR_ORDER); 27493 28821 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 27494 28822 … … 27498 28826 #ifdef WOLFSSL_DTLS 27499 28827 if (IsDtlsNotSctpMode(ssl)) { 27500 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz )) != 0)28828 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, server_hello_done)) != 0) 27501 28829 return ret; 27502 28830 } … … 27546 28874 word32 ageAdd; /* Obfuscation of age */ 27547 28875 word16 namedGroup; /* Named group used */ 27548 #ifndef WOLFSSL_TLS13_DRAFT_1827549 28876 TicketNonce ticketNonce; /* Ticket nonce */ 27550 #endif27551 28877 #ifdef WOLFSSL_EARLY_DATA 27552 28878 word32 maxEarlyDataSz; /* Max size of early data */ … … 27555 28881 } InternalTicket; 27556 28882 28883 /* RFC 5077 defines this for session tickets */ 27557 28884 /* fit within SESSION_TICKET_LEN */ 27558 28885 typedef struct ExternalTicket { … … 27604 28931 /* Resumption master secret. */ 27605 28932 XMEMCPY(it.msecret, ssl->session.masterSecret, SECRET_LEN); 27606 #ifndef WOLFSSL_TLS13_DRAFT_1827607 28933 XMEMCPY(&it.ticketNonce, &ssl->session.ticketNonce, 27608 28934 sizeof(TicketNonce)); 27609 #endif 27610 #endif 27611 } 27612 27613 /* build external */ 27614 XMEMCPY(et->enc_ticket, &it, sizeof(InternalTicket)); 28935 #endif 28936 } 27615 28937 27616 28938 /* encrypt */ … … 27620 28942 } 27621 28943 else { 28944 /* build external */ 28945 XMEMCPY(et->enc_ticket, &it, sizeof(InternalTicket)); 28946 27622 28947 ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, et->mac, 1, 27623 28948 et->enc_ticket, sizeof(InternalTicket), 27624 28949 &encLen, ssl->ctx->ticketEncCtx); 28950 if (ret != WOLFSSL_TICKET_RET_OK) { 28951 ForceZero(et->enc_ticket, sizeof(it)); 28952 } 27625 28953 } 27626 28954 if (ret == WOLFSSL_TICKET_RET_OK) { 27627 28955 if (encLen < (int)sizeof(InternalTicket) || 27628 28956 encLen > WOLFSSL_TICKET_ENC_SZ) { 28957 ForceZero(&it, sizeof(it)); 28958 ForceZero(et->enc_ticket, sizeof(it)); 27629 28959 WOLFSSL_MSG("Bad user ticket encrypt size"); 27630 28960 return BAD_TICKET_KEY_CB_SZ; … … 27635 28965 /* internal ticket can't be the same if encrypted */ 27636 28966 if (XMEMCMP(et->enc_ticket, &it, sizeof(InternalTicket)) == 0) { 28967 ForceZero(&it, sizeof(it)); 28968 ForceZero(et->enc_ticket, sizeof(it)); 27637 28969 WOLFSSL_MSG("User ticket encrypt didn't encrypt"); 27638 28970 return BAD_TICKET_ENCRYPT; 27639 28971 } 27640 28972 28973 ForceZero(&it, sizeof(it)); 27641 28974 XMEMSET(zeros, 0, sizeof(zeros)); 27642 28975 … … 27676 29009 { 27677 29010 ExternalTicket* et; 27678 InternalTicket *it;29011 InternalTicket it; 27679 29012 int ret; 27680 29013 int outLen; … … 27690 29023 27691 29024 et = (ExternalTicket*)input; 27692 it = (InternalTicket*)et->enc_ticket;27693 29025 27694 29026 /* decrypt */ … … 27714 29046 } 27715 29047 29048 /* copy the decrypted ticket to avoid alignment issues */ 29049 XMEMCPY(&it, et->enc_ticket, sizeof(InternalTicket)); 29050 ForceZero(et->enc_ticket, sizeof(it)); 29051 27716 29052 /* get master secret */ 27717 29053 if (ret == WOLFSSL_TICKET_RET_OK || ret == WOLFSSL_TICKET_RET_CREATE) { 27718 if (ssl->version.minor < it->pv.minor) { 29054 if (ssl->version.minor < it.pv.minor) { 29055 ForceZero(&it, sizeof(it)); 27719 29056 WOLFSSL_MSG("Ticket has greater version"); 27720 29057 return VERSION_ERROR; 27721 29058 } 27722 else if (ssl->version.minor > it->pv.minor) { 29059 else if (ssl->version.minor > it.pv.minor) { 29060 if (IsAtLeastTLSv1_3(it.pv) != IsAtLeastTLSv1_3(ssl->version)) { 29061 ForceZero(&it, sizeof(it)); 29062 WOLFSSL_MSG("Tickets cannot be shared between " 29063 "TLS 1.3 and TLS 1.2 and lower"); 29064 return VERSION_ERROR; 29065 } 29066 27723 29067 if (!ssl->options.downgrade) { 29068 ForceZero(&it, sizeof(it)); 27724 29069 WOLFSSL_MSG("Ticket has lesser version"); 27725 29070 return VERSION_ERROR; … … 27728 29073 WOLFSSL_MSG("Downgrading protocol due to ticket"); 27729 29074 27730 if (it->pv.minor < ssl->options.minDowngrade) 29075 if (it.pv.minor < ssl->options.minDowngrade) { 29076 ForceZero(&it, sizeof(it)); 27731 29077 return VERSION_ERROR; 27732 ssl->version.minor = it->pv.minor; 29078 } 29079 ssl->version.minor = it.pv.minor; 27733 29080 } 27734 29081 27735 29082 27736 29083 if (!IsAtLeastTLSv1_3(ssl->version)) { 27737 XMEMCPY(ssl->arrays->masterSecret, it ->msecret, SECRET_LEN);29084 XMEMCPY(ssl->arrays->masterSecret, it.msecret, SECRET_LEN); 27738 29085 /* Copy the haveExtendedMasterSecret property from the ticket to 27739 29086 * the saved session, so the property may be checked later. */ 27740 ssl->session.haveEMS = it ->haveEMS;29087 ssl->session.haveEMS = it.haveEMS; 27741 29088 #ifndef NO_RESUME_SUITE_CHECK 27742 ssl->session.cipherSuite0 = it ->suite[0];27743 ssl->session.cipherSuite = it ->suite[1];29089 ssl->session.cipherSuite0 = it.suite[0]; 29090 ssl->session.cipherSuite = it.suite[1]; 27744 29091 #endif 27745 29092 } … … 27747 29094 #ifdef WOLFSSL_TLS13 27748 29095 /* Restore information to renegotiate. */ 27749 ssl->session.ticketSeen = it ->timestamp;27750 ssl->session.ticketAdd = it ->ageAdd;27751 ssl->session.cipherSuite0 = it ->suite[0];27752 ssl->session.cipherSuite = it ->suite[1];29096 ssl->session.ticketSeen = it.timestamp; 29097 ssl->session.ticketAdd = it.ageAdd; 29098 ssl->session.cipherSuite0 = it.suite[0]; 29099 ssl->session.cipherSuite = it.suite[1]; 27753 29100 #ifdef WOLFSSL_EARLY_DATA 27754 ssl->session.maxEarlyDataSz = it ->maxEarlyDataSz;29101 ssl->session.maxEarlyDataSz = it.maxEarlyDataSz; 27755 29102 #endif 27756 29103 /* Resumption master secret. */ 27757 XMEMCPY(ssl->session.masterSecret, it->msecret, SECRET_LEN); 27758 #ifndef WOLFSSL_TLS13_DRAFT_18 27759 XMEMCPY(&ssl->session.ticketNonce, &it->ticketNonce, 29104 XMEMCPY(ssl->session.masterSecret, it.msecret, SECRET_LEN); 29105 XMEMCPY(&ssl->session.ticketNonce, &it.ticketNonce, 27760 29106 sizeof(TicketNonce)); 27761 #endif 27762 ssl->session.namedGroup = it->namedGroup; 27763 #endif 27764 } 27765 } 29107 ssl->session.namedGroup = it.namedGroup; 29108 #endif 29109 } 29110 } 29111 29112 ForceZero(&it, sizeof(it)); 27766 29113 27767 29114 WOLFSSL_LEAVE("DoClientTicket", ret); … … 27802 29149 #endif 27803 29150 } 29151 29152 if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) 29153 sendSz += cipherExtraData(ssl); 29154 27804 29155 /* check for available size */ 27805 29156 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) … … 27826 29177 if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) { 27827 29178 byte* input; 27828 int inputSz = idx - RECORD_HEADER_SZ; /* build msg adds rec hdr */ 27829 29179 int inputSz = idx; /* build msg adds rec hdr */ 29180 int recordHeaderSz = RECORD_HEADER_SZ; 29181 29182 if (ssl->options.dtls) 29183 recordHeaderSz += DTLS_RECORD_EXTRA; 29184 inputSz -= recordHeaderSz; 27830 29185 input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 27831 29186 if (input == NULL) 27832 29187 return MEMORY_E; 27833 29188 27834 XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz);29189 XMEMCPY(input, output + recordHeaderSz, inputSz); 27835 29190 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 27836 handshake, 1, 0, 0 );29191 handshake, 1, 0, 0, CUR_ORDER); 27837 29192 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 27838 29193 … … 27843 29198 #ifdef WOLFSSL_DTLS 27844 29199 if (ssl->options.dtls) { 27845 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz )) != 0)29200 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, session_ticket)) != 0) 27846 29201 return ret; 27847 29202 … … 27856 29211 ssl->buffers.outputBuffer.length += sendSz; 27857 29212 27858 ret = SendBuffered(ssl); 29213 if (!ssl->options.groupMessages) 29214 ret = SendBuffered(ssl); 27859 29215 27860 29216 WOLFSSL_LEAVE("SendTicket", ret); … … 27863 29219 return ret; 27864 29220 } 29221 29222 #ifndef WOLFSSL_NO_DEF_TICKET_ENC_CB 29223 29224 /* Initialize the context for session ticket encryption. 29225 * 29226 * @param [in] ctx SSL context. 29227 * @param [in] keyCtx Context for session ticket encryption. 29228 * @return 0 on success. 29229 * @return BAD_MUTEX_E when initializing mutex fails. 29230 */ 29231 static int TicketEncCbCtx_Init(WOLFSSL_CTX* ctx, TicketEncCbCtx* keyCtx) 29232 { 29233 int ret = 0; 29234 29235 XMEMSET(keyCtx, 0, sizeof(*keyCtx)); 29236 keyCtx->ctx = ctx; 29237 29238 #ifndef SINGLE_THREADED 29239 ret = wc_InitMutex(&keyCtx->mutex); 29240 #endif 29241 29242 return ret; 29243 } 29244 29245 /* Setup the session ticket encryption context for this. 29246 * 29247 * Initialize RNG, generate name, generate primeary key and set primary key 29248 * expirary. 29249 * 29250 * @param [in] keyCtx Context for session ticket encryption. 29251 * @param [in] heap Dynamic memory allocation hint. 29252 * @param [in] devId Device identifier. 29253 * @return 0 on success. 29254 * @return Other value when random number generator fails. 29255 */ 29256 static int TicketEncCbCtx_Setup(TicketEncCbCtx* keyCtx, void* heap, int devId) 29257 { 29258 int ret; 29259 29260 #ifndef SINGLE_THREADED 29261 ret = 0; 29262 29263 /* Check that key wasn't set up while waiting. */ 29264 if (keyCtx->expirary[0] == 0) 29265 #endif 29266 { 29267 ret = wc_InitRng_ex(&keyCtx->rng, heap, devId); 29268 if (ret == 0) { 29269 ret = wc_RNG_GenerateBlock(&keyCtx->rng, keyCtx->name, 29270 sizeof(keyCtx->name)); 29271 } 29272 if (ret == 0) { 29273 /* Mask of the bottom bit - used for index of key. */ 29274 keyCtx->name[WOLFSSL_TICKET_NAME_SZ - 1] &= 0xfe; 29275 29276 /* Generate initial primary key. */ 29277 ret = wc_RNG_GenerateBlock(&keyCtx->rng, keyCtx->key[0], 29278 WOLFSSL_TICKET_KEY_SZ); 29279 } 29280 if (ret == 0) { 29281 keyCtx->expirary[0] = LowResTimer() + WOLFSSL_TICKET_KEY_LIFETIME; 29282 } 29283 } 29284 29285 return ret; 29286 } 29287 /* Free the context for session ticket encryption. 29288 * 29289 * Zeroize keys and name. 29290 * 29291 * @param [in] keyCtx Context for session ticket encryption. 29292 */ 29293 static void TicketEncCbCtx_Free(TicketEncCbCtx* keyCtx) 29294 { 29295 /* Zeroize sensitive data. */ 29296 ForceZero(keyCtx->name, sizeof(keyCtx->name)); 29297 ForceZero(keyCtx->key[0], sizeof(keyCtx->key[0])); 29298 ForceZero(keyCtx->key[1], sizeof(keyCtx->key[1])); 29299 29300 #ifndef SINGLE_THREADED 29301 wc_FreeMutex(&keyCtx->mutex); 29302 #endif 29303 wc_FreeRng(&keyCtx->rng); 29304 } 29305 29306 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && \ 29307 !defined(WOLFSSL_TICKET_ENC_AES128_GCM) && \ 29308 !defined(WOLFSSL_TICKET_ENC_AES256_GCM) 29309 /* Ticket encryption/decryption implementation. 29310 * 29311 * @param [in] key Key for encryption/decryption. 29312 * @param [in] keyLen Length of key in bytes. 29313 * @param [in] iv IV/Nonce for encryption/decryption. 29314 * @param [in] aad Additional authentication data. 29315 * @param [in] aadSz Length of additional authentication data. 29316 * @param [in] in Data to encrypt/decrypt. 29317 * @param [in] inLen Length of encrypted data. 29318 * @param [out] out Resulting data from encrypt/decrypt. 29319 * @param [out] outLen Size of resulting data. 29320 * @param [in] tag Authentication tag for encrypted data. 29321 * @param [in] heap Dynamic memory allocation data hint. 29322 * @param [in] enc 1 when encrypting, 0 when decrypting. 29323 * @return 0 on success. 29324 * @return Other value when encryption/decryption fails. 29325 */ 29326 static int TicketEncDec(byte* key, int keyLen, byte* iv, byte* aad, int aadSz, 29327 byte* in, int inLen, byte* out, int* outLen, byte* tag, 29328 void* heap, int enc) 29329 { 29330 int ret; 29331 29332 (void)keyLen; 29333 (void)heap; 29334 29335 if (enc) { 29336 ret = wc_ChaCha20Poly1305_Encrypt(key, iv, aad, aadSz, in, inLen, out, 29337 tag); 29338 } 29339 else { 29340 ret = wc_ChaCha20Poly1305_Decrypt(key, iv, aad, aadSz, in, inLen, tag, 29341 out); 29342 } 29343 29344 *outLen = inLen; 29345 29346 return ret; 29347 } 29348 #elif defined(HAVE_AESGCM) 29349 /* Ticket encryption/decryption implementation. 29350 * 29351 * @param [in] key Key for encryption/decryption. 29352 * @param [in] keyLen Length of key in bytes. 29353 * @param [in] iv IV/Nonce for encryption/decryption. 29354 * @param [in] aad Additional authentication data. 29355 * @param [in] aadSz Length of additional authentication data. 29356 * @param [in] in Data to encrypt/decrypt. 29357 * @param [in] inLen Length of encrypted data. 29358 * @param [out] out Resulting data from encrypt/decrypt. 29359 * @param [out] outLen Size of resulting data. 29360 * @param [in] tag Authentication tag for encrypted data. 29361 * @param [in] heap Dynamic memory allocation data hint. 29362 * @param [in] enc 1 when encrypting, 0 when decrypting. 29363 * @return 0 on success. 29364 * @return MEMORY_E when dynamic memory allocation fails. 29365 * @return Other value when encryption/decryption fails. 29366 */ 29367 static int TicketEncDec(byte* key, int keyLen, byte* iv, byte* aad, int aadSz, 29368 byte* in, int inLen, byte* out, int* outLen, byte* tag, 29369 void* heap, int enc) 29370 { 29371 int ret; 29372 #ifdef WOLFSSL_SMALL_STACK 29373 Aes* aes; 29374 #else 29375 Aes aes[1]; 29376 #endif 29377 29378 (void)heap; 29379 29380 #ifdef WOLFSSL_SMALL_STACK 29381 aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_TMP_BUFFER); 29382 if (aes == NULL) 29383 return MEMORY_E; 29384 #endif 29385 29386 if (enc) { 29387 ret = wc_AesInit(aes, NULL, INVALID_DEVID); 29388 if (ret == 0) { 29389 ret = wc_AesGcmSetKey(aes, key, keyLen); 29390 } 29391 if (ret == 0) { 29392 ret = wc_AesGcmEncrypt(aes, in, out, inLen, iv, GCM_NONCE_MID_SZ, 29393 tag, AES_BLOCK_SIZE, aad, aadSz); 29394 } 29395 wc_AesFree(aes); 29396 } 29397 else { 29398 ret = wc_AesInit(aes, NULL, INVALID_DEVID); 29399 if (ret == 0) { 29400 ret = wc_AesGcmSetKey(aes, key, keyLen); 29401 } 29402 if (ret == 0) { 29403 ret = wc_AesGcmDecrypt(aes, in, out, inLen, iv, GCM_NONCE_MID_SZ, 29404 tag, AES_BLOCK_SIZE, aad, aadSz); 29405 } 29406 wc_AesFree(aes); 29407 } 29408 29409 #ifdef WOLFSSL_SMALL_STACK 29410 XFREE(aes, heap, DYNAMIC_TYPE_TMP_BUFFER); 29411 #endif 29412 29413 *outLen = inLen; 29414 29415 return ret; 29416 } 29417 #else 29418 #error "No encryption algorithm available for default ticket encryption." 29419 #endif 29420 29421 /* Choose a key to use for encryption. 29422 * 29423 * Generate a new key if the current ones are expired. 29424 * If the secondary key has not been used and the primary key has expired then 29425 * generate a new primary key. 29426 * 29427 * @param [in] Ticket encryption callback context. 29428 * @param [in] Session ticket lifetime. 29429 * @param [out] Index of key to use for encryption. 29430 * @return 0 on success. 29431 * @return Other value when random number generation fails. 29432 */ 29433 static int TicketEncCbCtx_ChooseKey(TicketEncCbCtx* keyCtx, int ticketHint, 29434 int* keyIdx) 29435 { 29436 int ret = 0; 29437 29438 /* Get new current time as lock may have taken some time. */ 29439 word32 now = LowResTimer(); 29440 29441 /* Check expirary of primary key for encrypt. */ 29442 if (keyCtx->expirary[0] >= now + ticketHint) { 29443 *keyIdx = 0; 29444 } 29445 /* Check expirary of primary key for encrypt. */ 29446 else if (keyCtx->expirary[1] >= now + ticketHint) { 29447 *keyIdx = 1; 29448 } 29449 /* No key available to use. */ 29450 else { 29451 int genKey; 29452 29453 /* Generate which ever key is expired for decrypt - primary first. */ 29454 if (keyCtx->expirary[0] < now) { 29455 genKey = 0; 29456 } 29457 else if (keyCtx->expirary[1] < now) { 29458 genKey = 1; 29459 } 29460 /* Timeouts and expirary should not allow this to happen. */ 29461 else { 29462 return BAD_STATE_E; 29463 } 29464 29465 /* Generate the required key */ 29466 ret = wc_RNG_GenerateBlock(&keyCtx->rng, keyCtx->key[genKey], 29467 WOLFSSL_TICKET_KEY_SZ); 29468 if (ret == 0) { 29469 keyCtx->expirary[genKey] = now + WOLFSSL_TICKET_KEY_LIFETIME; 29470 *keyIdx = genKey; 29471 } 29472 } 29473 29474 return ret; 29475 } 29476 29477 /* Default Session Ticket encryption/decryption callback. 29478 * 29479 * Use ChaCha20-Poly1305 or AES-GCM to encrypt/decrypt the ticket. 29480 * Two keys are used: 29481 * - When the first expires for encryption, then use the other. 29482 * - Don't encrypt with key if the ticket lifetime will go beyond expirary. 29483 * - Generate a new primary key when primary key expired for decrypt and 29484 * no secondary key is activate for encryption. 29485 * - Generate a new secondary key when expired and needed. 29486 * - Calculate expirary starting from first encrypted ticket. 29487 * - Key name has last bit set to indicate index of key. 29488 * Keys expire for decryption after ticket key lifetime from the first encrypted 29489 * ticket. 29490 * Keys can only be use for encryption while the ticket hint does not exceed 29491 * the key lifetime. 29492 * Lifetime of a key must be greater than the lifetime of a ticket. This means 29493 * that if one ticket is only valid for decryption, then the other will be 29494 * valid for encryption. 29495 * AAD = key_name | iv | ticket len (16-bits network order) 29496 * 29497 * @param [in] ssl SSL connection. 29498 * @param [in,out] key_name Name of key from client. 29499 * Encrypt: name of key returned. 29500 * Decrypt: name from ticket message to check. 29501 * @param [in] iv IV to use in encryption/decryption. 29502 * @param [in] mac MAC for authentication of encrypted data. 29503 * @param [in] enc 1 when encrypting ticket, 0 when decrypting. 29504 * @param [in,out] ticket Encrypted/decrypted session ticket bytes. 29505 * @param [in] inLen Length of incoming ticket. 29506 * @param [out] outLen Length of outgoing ticket. 29507 * @param [in] userCtx Context for encryption/decryption of ticket. 29508 * @return WOLFSSL_TICKET_RET_OK when successful. 29509 * @return WOLFSSL_TICKET_RET_CREATE when successful and a new ticket is to 29510 * be created for TLS 1.2 and below. 29511 * @return WOLFSSL_TICKET_RET_REJECT when failed to produce valid encrypted or 29512 * decrypted ticket. 29513 * @return WOLFSSL_TICKET_RET_FATAL when key name does not match. 29514 */ 29515 static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], 29516 byte iv[WOLFSSL_TICKET_IV_SZ], 29517 byte mac[WOLFSSL_TICKET_MAC_SZ], 29518 int enc, byte* ticket, int inLen, int* outLen, 29519 void* userCtx) 29520 { 29521 int ret; 29522 TicketEncCbCtx* keyCtx = (TicketEncCbCtx*)userCtx; 29523 WOLFSSL_CTX* ctx = keyCtx->ctx; 29524 word16 sLen = XHTONS(inLen); 29525 byte aad[WOLFSSL_TICKET_NAME_SZ + WOLFSSL_TICKET_IV_SZ + sizeof(sLen)]; 29526 int aadSz = WOLFSSL_TICKET_NAME_SZ + WOLFSSL_TICKET_IV_SZ + sizeof(sLen); 29527 byte* p = aad; 29528 int keyIdx = 0; 29529 29530 /* Check we have setup the RNG, name and primary key. */ 29531 if (keyCtx->expirary[0] == 0) { 29532 #ifndef SINGLE_THREADED 29533 /* Lock around access to expirary and key - stop initial key being 29534 * generated twice at the same time. */ 29535 if (wc_LockMutex(&keyCtx->mutex) != 0) { 29536 WOLFSSL_MSG("Couldn't lock key context mutex"); 29537 return WOLFSSL_TICKET_RET_REJECT; 29538 } 29539 #endif 29540 /* Sets expirary of primary key in setup. */ 29541 ret = TicketEncCbCtx_Setup(keyCtx, ssl->ctx->heap, ssl->ctx->devId); 29542 #ifndef SINGLE_THREADED 29543 wc_UnLockMutex(&keyCtx->mutex); 29544 #endif 29545 if (ret != 0) 29546 return ret; 29547 } 29548 29549 if (enc) { 29550 /* Return the name of the key - missing key index. */ 29551 XMEMCPY(key_name, keyCtx->name, WOLFSSL_TICKET_NAME_SZ); 29552 29553 /* Generate a new IV into buffer to be returned. 29554 * Don't use the RNG in keyCtx as it's for generating private data. */ 29555 ret = wc_RNG_GenerateBlock(ssl->rng, iv, WOLFSSL_TICKET_IV_SZ); 29556 if (ret != 0) { 29557 return WOLFSSL_TICKET_RET_REJECT; 29558 } 29559 } 29560 else { 29561 /* Mask of last bit that is the key index. */ 29562 byte lastByte = key_name[WOLFSSL_TICKET_NAME_SZ - 1] & 0xfe; 29563 29564 /* For decryption, see if we know this key - check all but last byte. */ 29565 if (XMEMCMP(key_name, keyCtx->name, WOLFSSL_TICKET_NAME_SZ - 1) != 0) { 29566 return WOLFSSL_TICKET_RET_FATAL; 29567 } 29568 /* Ensure last byte without index bit matches too. */ 29569 if (lastByte != keyCtx->name[WOLFSSL_TICKET_NAME_SZ - 1]) { 29570 return WOLFSSL_TICKET_RET_FATAL; 29571 } 29572 } 29573 29574 /* Build AAD from: key name, iv, and length of ticket. */ 29575 XMEMCPY(p, keyCtx->name, WOLFSSL_TICKET_NAME_SZ); 29576 p += WOLFSSL_TICKET_NAME_SZ; 29577 XMEMCPY(p, iv, WOLFSSL_TICKET_IV_SZ); 29578 p += WOLFSSL_TICKET_IV_SZ; 29579 XMEMCPY(p, &sLen, sizeof(sLen)); 29580 29581 /* Encrypt ticket. */ 29582 if (enc) { 29583 word32 now; 29584 29585 now = LowResTimer(); 29586 /* As long as encryption expirary isn't imminent - no lock. */ 29587 if (keyCtx->expirary[0] > now + ctx->ticketHint) { 29588 keyIdx = 0; 29589 } 29590 else if (keyCtx->expirary[1] > now + ctx->ticketHint) { 29591 keyIdx = 1; 29592 } 29593 else { 29594 #ifndef SINGLE_THREADED 29595 /* Lock around access to expirary and key - stop key being generated 29596 * twice at the same time. */ 29597 if (wc_LockMutex(&keyCtx->mutex) != 0) { 29598 WOLFSSL_MSG("Couldn't lock key context mutex"); 29599 return WOLFSSL_TICKET_RET_REJECT; 29600 } 29601 #endif 29602 ret = TicketEncCbCtx_ChooseKey(keyCtx, ctx->ticketHint, &keyIdx); 29603 #ifndef SINGLE_THREADED 29604 wc_UnLockMutex(&keyCtx->mutex); 29605 #endif 29606 if (ret != 0) { 29607 return WOLFSSL_TICKET_RET_REJECT; 29608 } 29609 } 29610 /* Set the name of the key to the index chosen. */ 29611 key_name[WOLFSSL_TICKET_NAME_SZ - 1] |= keyIdx; 29612 /* Update AAD too. */ 29613 aad[WOLFSSL_TICKET_NAME_SZ - 1] |= keyIdx; 29614 29615 /* Encrypt ticket data. */ 29616 ret = TicketEncDec(keyCtx->key[keyIdx], WOLFSSL_TICKET_KEY_SZ, iv, aad, 29617 aadSz, ticket, inLen, ticket, outLen, mac, ssl->heap, 29618 1); 29619 if (ret != 0) return WOLFSSL_TICKET_RET_REJECT; 29620 } 29621 /* Decrypt ticket. */ 29622 else { 29623 /* Get index of key from name. */ 29624 keyIdx = key_name[WOLFSSL_TICKET_NAME_SZ - 1] & 0x1; 29625 /* Update AAD with index. */ 29626 aad[WOLFSSL_TICKET_NAME_SZ - 1] |= keyIdx; 29627 29628 /* Check expirary */ 29629 if (keyCtx->expirary[keyIdx] <= LowResTimer()) { 29630 return WOLFSSL_TICKET_RET_REJECT; 29631 } 29632 29633 /* Decrypt ticket data. */ 29634 ret = TicketEncDec(keyCtx->key[keyIdx], WOLFSSL_TICKET_KEY_SZ, iv, aad, 29635 aadSz, ticket, inLen, ticket, outLen, mac, ssl->heap, 29636 0); 29637 if (ret != 0) { 29638 return WOLFSSL_TICKET_RET_REJECT; 29639 } 29640 } 29641 29642 #ifndef WOLFSSL_TICKET_DECRYPT_NO_CREATE 29643 if (!IsAtLeastTLSv1_3(ssl->version) && !enc) 29644 return WOLFSSL_TICKET_RET_CREATE; 29645 #endif 29646 return WOLFSSL_TICKET_RET_OK; 29647 } 29648 29649 #endif /* !WOLFSSL_NO_DEF_TICKET_ENC_CB */ 27865 29650 27866 29651 #endif /* HAVE_SESSION_TICKET */ … … 27885 29670 sendSz += MAX_MSG_EXTRA; 27886 29671 29672 if (ssl->options.dtls) 29673 sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; 29674 27887 29675 /* check for available size */ 27888 29676 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) … … 27898 29686 byte* input; 27899 29687 int inputSz = HANDSHAKE_HEADER_SZ; /* build msg adds rec hdr */ 29688 int recordHeaderSz = RECORD_HEADER_SZ; 29689 29690 if (ssl->options.dtls) { 29691 recordHeaderSz += DTLS_RECORD_EXTRA; 29692 inputSz += DTLS_HANDSHAKE_EXTRA; 29693 } 27900 29694 27901 29695 input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); … … 27903 29697 return MEMORY_E; 27904 29698 27905 XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); 29699 XMEMCPY(input, output + recordHeaderSz, inputSz); 29700 #ifdef WOLFSSL_DTLS 29701 if (IsDtlsNotSctpMode(ssl) && 29702 (ret = DtlsMsgPoolSave(ssl, input, inputSz, hello_request)) != 0) { 29703 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 29704 return ret; 29705 } 29706 #endif 27906 29707 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 27907 handshake, 0, 0, 0 );29708 handshake, 0, 0, 0, CUR_ORDER); 27908 29709 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 27909 29710 … … 27935 29736 int ret; 27936 29737 29738 /* are we in scr */ 29739 if (IsEncryptionOn(ssl, 1)) { 29740 sendSz += MAX_MSG_EXTRA; 29741 } 29742 27937 29743 /* check for available size */ 27938 29744 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) … … 27970 29776 sendSz, WRITE_PROTO, ssl->heap); 27971 29777 #endif 29778 29779 /* are we in scr */ 29780 if (IsEncryptionOn(ssl, 1)) { 29781 byte* input; 29782 int inputSz = HANDSHAKE_HEADER_SZ + length; /* build msg adds rec hdr */ 29783 int recordHeaderSz = RECORD_HEADER_SZ; 29784 29785 if (ssl->options.dtls) { 29786 recordHeaderSz += DTLS_RECORD_EXTRA; 29787 inputSz += DTLS_HANDSHAKE_EXTRA; 29788 } 29789 29790 input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 29791 if (input == NULL) 29792 return MEMORY_E; 29793 29794 XMEMCPY(input, output + recordHeaderSz, inputSz); 29795 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, 29796 handshake, 0, 0, 0, CUR_ORDER); 29797 XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); 29798 29799 if (sendSz < 0) 29800 return sendSz; 29801 } 27972 29802 27973 29803 ssl->buffers.outputBuffer.length += sendSz; … … 28054 29884 } 28055 29885 28056 #if ndef NO_CERTS29886 #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH) 28057 29887 if (ssl->options.verifyPeer && ssl->options.failNoCert) { 28058 29888 if (!ssl->options.havePeerCert) { … … 28069 29899 } 28070 29900 } 28071 #endif /* !NO_CERTS */29901 #endif /* !NO_CERTS && !WOLFSSL_NO_CLIENT_AUTH */ 28072 29902 28073 29903 #if defined(WOLFSSL_CALLBACKS) … … 28254 30084 if (ssl->arrays->psk_keySz == 0 || 28255 30085 ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { 30086 #if defined(WOLFSSL_EXTRA_ALERTS) || \ 30087 defined(WOLFSSL_PSK_IDENTITY_ALERT) 30088 SendAlert(ssl, alert_fatal, 30089 unknown_psk_identity); 30090 #endif 28256 30091 ERROR_OUT(PSK_KEY_ERROR, exit_dcke); 28257 30092 } … … 28507 30342 28508 30343 ssl->peerEccKeyPresent = 1; 30344 30345 #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE) 30346 /* client_hello may have sent FFEDH2048, which sets namedGroup, 30347 but that is not being used, so clear it */ 30348 /* resolves issue with server side wolfSSL_get_curve_name */ 30349 ssl->namedGroup = 0; 30350 #endif 28509 30351 #endif /* HAVE_ECC */ 28510 30352 … … 29127 30969 if (ssl->arrays->psk_keySz == 0 || 29128 30970 ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { 30971 #if defined(WOLFSSL_EXTRA_ALERTS) || \ 30972 defined(WOLFSSL_PSK_IDENTITY_ALERT) 30973 SendAlert(ssl, alert_fatal, 30974 unknown_psk_identity); 30975 #endif 29129 30976 ERROR_OUT(PSK_KEY_ERROR, exit_dcke); 29130 30977 } … … 29242 31089 29243 31090 ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; 29244 #if ndef NO_CERTS31091 #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH) 29245 31092 if (ssl->options.verifyPeer) { 29246 31093 ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes); … … 29283 31130 #endif /* !WOLFSSL_NO_TLS12 */ 29284 31131 29285 #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ 29286 defined(WOLFSSL_HAPROXY) 31132 #ifdef HAVE_SNI 29287 31133 int SNI_Callback(WOLFSSL* ssl) 29288 31134 { … … 29300 31146 return 0; 29301 31147 } 29302 #endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY*/31148 #endif /* HAVE_SNI */ 29303 31149 29304 31150 #endif /* NO_WOLFSSL_SERVER */ … … 29412 31258 #endif /* HAVE_MAX_FRAGMENT */ 29413 31259 #ifdef WOLFSSL_DTLS 29414 if ((ssl->options.dtls) && (maxFragment > MAX_UDP_SIZE)) { 29415 maxFragment = MAX_UDP_SIZE; 31260 if (IsDtlsNotSctpMode(ssl)) { 31261 if (maxFragment > MAX_UDP_SIZE) { 31262 maxFragment = MAX_UDP_SIZE; 31263 } 31264 #if defined(WOLFSSL_DTLS_MTU) 31265 if (maxFragment > 31266 ssl->dtlsMtuSz - RECORD_HEADER_SZ - DTLS_RECORD_EXTRA) { 31267 maxFragment = ssl->dtlsMtuSz - RECORD_HEADER_SZ - DTLS_RECORD_EXTRA; 31268 } 31269 #endif 29416 31270 } 29417 31271 #endif
Note:
See TracChangeset
for help on using the changeset viewer.
