Changeset 464 for azure_iot_hub_f767zi/trunk/wolfssl-4.7.0/src/tls13.c
- Timestamp:
- Jun 22, 2021, 9:00:19 PM (3 years ago)
- Location:
- azure_iot_hub_f767zi/trunk/wolfssl-4.7.0
- Files:
-
- 1 edited
- 1 moved
Legend:
- Unmodified
- Added
- Removed
-
azure_iot_hub_f767zi/trunk/wolfssl-4.7.0/src/tls13.c
r457 r464 30 30 * NO_PSK 31 31 * Do not enable Pre-Shared Keys. 32 * TLS13_SUPPORTS_EXPORTERS 33 * Guard to compile out any code for exporter keys. 34 * Feature not supported yet. 32 * HAVE_KEYING_MATERIAL 33 * Enables exporting keying material based on section 7.5 of RFC 8446. 35 34 * WOLFSSL_ASYNC_CRYPT 36 35 * Enables the use of asynchronous cryptographic operations. … … 56 55 * WOLFSSL_TLS13 57 56 * Enable TLS 1.3 protocol implementation. 58 * WOLFSSL_TLS13_DRAFT_1859 * Conform with Draft 18 of the TLS v1.3 specification.60 * WOLFSSL_TLS13_DRAFT_2261 * Conform with Draft 22 of the TLS v1.3 specification.62 * WOLFSSL_TLS13_DRAFT_2363 * Conform with Draft 23 of the TLS v1.3 specification.64 57 * WOLFSSL_TLS13_MIDDLEBOX_COMPAT 65 58 * Enable middlebox compatibility in the TLS 1.3 handshake. … … 119 112 120 113 #ifndef HAVE_HKDF 121 #error The build option HAVE_HKDF is required for TLS 1.3 114 #ifndef _MSC_VER 115 #error "The build option HAVE_HKDF is required for TLS 1.3" 116 #else 117 #pragma message("error: The build option HAVE_HKDF is required for TLS 1.3") 118 #endif 122 119 #endif 123 120 … … 264 261 } 265 262 266 #ifdef WOLFSSL_TLS13_DRAFT_18267 /* Size of the TLS v1.3 label use when deriving keys. */268 #define TLS13_PROTOCOL_LABEL_SZ 9269 /* The protocol label for TLS v1.3. */270 static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "TLS 1.3, ";271 #else272 263 /* Size of the TLS v1.3 label use when deriving keys. */ 273 264 #define TLS13_PROTOCOL_LABEL_SZ 6 274 265 /* The protocol label for TLS v1.3. */ 275 266 static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "tls13 "; 276 #endif 277 278 #if !defined(WOLFSSL_TLS13_DRAFT_18) || defined(HAVE_SESSION_TICKET) || \ 279 !defined(NO_PSK) 267 280 268 /* Derive a key from a message. 281 269 * … … 370 358 hash, hashSz, digestAlg); 371 359 } 372 #endif373 360 374 361 /* Derive a key. … … 442 429 443 430 #ifndef NO_PSK 444 #ifdef WOLFSSL_TLS13_DRAFT_18445 /* The length of the binder key label. */446 #define BINDER_KEY_LABEL_SZ 23447 /* The binder key label. */448 static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =449 "external psk binder key";450 #else451 431 /* The length of the binder key label. */ 452 432 #define BINDER_KEY_LABEL_SZ 10 … … 454 434 static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] = 455 435 "ext binder"; 456 #endif 436 457 437 /* Derive the binder key. 458 438 * … … 464 444 { 465 445 WOLFSSL_MSG("Derive Binder Key"); 446 if (ssl == NULL || ssl->arrays == NULL) { 447 return BAD_FUNC_ARG; 448 } 466 449 return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, 467 450 binderKeyLabel, BINDER_KEY_LABEL_SZ, … … 471 454 472 455 #ifdef HAVE_SESSION_TICKET 473 #ifdef WOLFSSL_TLS13_DRAFT_18 474 /* The length of the binder key resume label. */ 475 #define BINDER_KEY_RESUME_LABEL_SZ 25 476 /* The binder key resume label. */ 477 static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] = 478 "resumption psk binder key"; 479 #else 456 480 457 /* The length of the binder key resume label. */ 481 458 #define BINDER_KEY_RESUME_LABEL_SZ 10 … … 483 460 static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] = 484 461 "res binder"; 485 #endif 462 486 463 /* Derive the binder resumption key. 487 464 * … … 493 470 { 494 471 WOLFSSL_MSG("Derive Binder Key - Resumption"); 472 if (ssl == NULL || ssl->arrays == NULL) { 473 return BAD_FUNC_ARG; 474 } 495 475 return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, 496 476 binderKeyResumeLabel, BINDER_KEY_RESUME_LABEL_SZ, … … 500 480 501 481 #ifdef WOLFSSL_EARLY_DATA 502 #ifdef WOLFSSL_TLS13_DRAFT_18 503 /* The length of the early traffic label. */ 504 #define EARLY_TRAFFIC_LABEL_SZ 27 505 /* The early traffic label. */ 506 static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] = 507 "client early traffic secret"; 508 #else 482 509 483 /* The length of the early traffic label. */ 510 484 #define EARLY_TRAFFIC_LABEL_SZ 11 … … 512 486 static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] = 513 487 "c e traffic"; 514 #endif 488 515 489 /* Derive the early traffic key. 516 490 * … … 523 497 int ret; 524 498 WOLFSSL_MSG("Derive Early Traffic Secret"); 499 if (ssl == NULL || ssl->arrays == NULL) { 500 return BAD_FUNC_ARG; 501 } 525 502 ret = DeriveKey(ssl, key, -1, ssl->arrays->secret, 526 503 earlyTrafficLabel, EARLY_TRAFFIC_LABEL_SZ, … … 538 515 } 539 516 540 #ifdef TLS13_SUPPORTS_EXPORTERS 541 #ifdef WOLFSSL_TLS13_DRAFT_18 542 /* The length of the early exporter label. */ 543 #define EARLY_EXPORTER_LABEL_SZ 28 544 /* The early exporter label. */ 545 static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] = 546 "early exporter master secret"; 547 #else 517 #ifdef HAVE_KEYING_MATERIAL 548 518 /* The length of the early exporter label. */ 549 519 #define EARLY_EXPORTER_LABEL_SZ 12 … … 551 521 static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] = 552 522 "e exp master"; 553 #endif 523 554 524 /* Derive the early exporter key. 555 525 * … … 562 532 int ret; 563 533 WOLFSSL_MSG("Derive Early Exporter Secret"); 534 if (ssl == NULL || ssl->arrays == NULL) { 535 return BAD_FUNC_ARG; 536 } 564 537 ret = DeriveKey(ssl, key, -1, ssl->arrays->secret, 565 538 earlyExporterLabel, EARLY_EXPORTER_LABEL_SZ, … … 579 552 #endif 580 553 581 #ifdef WOLFSSL_TLS13_DRAFT_18582 /* The length of the client handshake label. */583 #define CLIENT_HANDSHAKE_LABEL_SZ 31584 /* The client handshake label. */585 static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =586 "client handshake traffic secret";587 #else588 554 /* The length of the client handshake label. */ 589 555 #define CLIENT_HANDSHAKE_LABEL_SZ 12 … … 591 557 static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] = 592 558 "c hs traffic"; 593 #endif 559 594 560 /* Derive the client handshake key. 595 561 * … … 602 568 int ret; 603 569 WOLFSSL_MSG("Derive Client Handshake Secret"); 570 if (ssl == NULL || ssl->arrays == NULL) { 571 return BAD_FUNC_ARG; 572 } 604 573 ret = DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret, 605 574 clientHandshakeLabel, CLIENT_HANDSHAKE_LABEL_SZ, … … 617 586 } 618 587 619 #ifdef WOLFSSL_TLS13_DRAFT_18620 /* The length of the server handshake label. */621 #define SERVER_HANDSHAKE_LABEL_SZ 31622 /* The server handshake label. */623 static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =624 "server handshake traffic secret";625 #else626 588 /* The length of the server handshake label. */ 627 589 #define SERVER_HANDSHAKE_LABEL_SZ 12 … … 629 591 static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] = 630 592 "s hs traffic"; 631 #endif 593 632 594 /* Derive the server handshake key. 633 595 * … … 640 602 int ret; 641 603 WOLFSSL_MSG("Derive Server Handshake Secret"); 604 if (ssl == NULL || ssl->arrays == NULL) { 605 return BAD_FUNC_ARG; 606 } 642 607 ret = DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret, 643 608 serverHandshakeLabel, SERVER_HANDSHAKE_LABEL_SZ, … … 655 620 } 656 621 657 #ifdef WOLFSSL_TLS13_DRAFT_18658 /* The length of the client application traffic label. */659 #define CLIENT_APP_LABEL_SZ 33660 /* The client application traffic label. */661 static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =662 "client application traffic secret";663 #else664 622 /* The length of the client application traffic label. */ 665 623 #define CLIENT_APP_LABEL_SZ 12 … … 667 625 static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] = 668 626 "c ap traffic"; 669 #endif 627 670 628 /* Derive the client application traffic key. 671 629 * … … 678 636 int ret; 679 637 WOLFSSL_MSG("Derive Client Traffic Secret"); 638 if (ssl == NULL || ssl->arrays == NULL) { 639 return BAD_FUNC_ARG; 640 } 680 641 ret = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, 681 642 clientAppLabel, CLIENT_APP_LABEL_SZ, … … 693 654 } 694 655 695 #ifdef WOLFSSL_TLS13_DRAFT_18696 /* The length of the server application traffic label. */697 #define SERVER_APP_LABEL_SZ 33698 /* The server application traffic label. */699 static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =700 "server application traffic secret";701 #else702 656 /* The length of the server application traffic label. */ 703 657 #define SERVER_APP_LABEL_SZ 12 … … 705 659 static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] = 706 660 "s ap traffic"; 707 #endif 661 708 662 /* Derive the server application traffic key. 709 663 * … … 716 670 int ret; 717 671 WOLFSSL_MSG("Derive Server Traffic Secret"); 672 if (ssl == NULL || ssl->arrays == NULL) { 673 return BAD_FUNC_ARG; 674 } 718 675 ret = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, 719 676 serverAppLabel, SERVER_APP_LABEL_SZ, … … 731 688 } 732 689 733 #ifdef TLS13_SUPPORTS_EXPORTERS 734 #ifdef WOLFSSL_TLS13_DRAFT_18 735 /* The length of the exporter master secret label. */ 736 #define EXPORTER_MASTER_LABEL_SZ 22 737 /* The exporter master secret label. */ 738 static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] = 739 "exporter master secret"; 740 #else 690 #ifdef HAVE_KEYING_MATERIAL 741 691 /* The length of the exporter master secret label. */ 742 692 #define EXPORTER_MASTER_LABEL_SZ 10 … … 744 694 static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] = 745 695 "exp master"; 746 #endif 696 747 697 /* Derive the exporter secret. 748 698 * … … 754 704 { 755 705 int ret; 756 WOLFSSL_MSG("Derive Exporter Secret"); 706 WOLFSSL_ENTER("Derive Exporter Secret"); 707 if (ssl == NULL || ssl->arrays == NULL) { 708 return BAD_FUNC_ARG; 709 } 757 710 ret = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, 758 711 exporterMasterLabel, EXPORTER_MASTER_LABEL_SZ, … … 769 722 return ret; 770 723 } 724 725 /* The length of the exporter label. */ 726 #define EXPORTER_LABEL_SZ 8 727 /* The exporter label. */ 728 static const byte exporterLabel[EXPORTER_LABEL_SZ + 1] = 729 "exporter"; 730 /* Hash("") */ 731 #ifndef NO_SHA256 732 static const byte emptySHA256Hash[] = { 733 0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, 734 0x99, 0x6F, 0xB9, 0x24, 0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, 735 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55 736 }; 737 #endif 738 #ifdef WOLFSSL_SHA384 739 static const byte emptySHA384Hash[] = { 740 0x38, 0xB0, 0x60, 0xA7, 0x51, 0xAC, 0x96, 0x38, 0x4C, 0xD9, 0x32, 0x7E, 741 0xB1, 0xB1, 0xE3, 0x6A, 0x21, 0xFD, 0xB7, 0x11, 0x14, 0xBE, 0x07, 0x43, 742 0x4C, 0x0C, 0xC7, 0xBF, 0x63, 0xF6, 0xE1, 0xDA, 0x27, 0x4E, 0xDE, 0xBF, 743 0xE7, 0x6F, 0x65, 0xFB, 0xD5, 0x1A, 0xD2, 0xF1, 0x48, 0x98, 0xB9, 0x5B 744 }; 745 #endif 746 #ifdef WOLFSSL_TLS13_SHA512 747 static const byte emptySHA512Hash[] = { 748 0xCF, 0x83, 0xE1, 0x35, 0x7E, 0xEF, 0xB8, 0xBD, 0xF1, 0x54, 0x28, 0x50, 749 0xD6, 0x6D, 0x80, 0x07, 0xD6, 0x20, 0xE4, 0x05, 0x0B, 0x57, 0x15, 0xDC, 750 0x83, 0xF4, 0xA9, 0x21, 0xD3, 0x6C, 0xE9, 0xCE, 0x47, 0xD0, 0xD1, 0x3C, 751 0x5D, 0x85, 0xF2, 0xB0, 0xFF, 0x83, 0x18, 0xD2, 0x87, 0x7E, 0xEC, 0x2F, 752 0x63, 0xB9, 0x31, 0xBD, 0x47, 0x41, 0x7A, 0x81, 0xA5, 0x38, 0x32, 0x7A, 753 0xF9, 0x27, 0xDA, 0x3E 754 }; 755 #endif 756 /** 757 * Implement section 7.5 of RFC 8446 758 * @return 0 on success 759 * <0 on failure 760 */ 761 int Tls13_Exporter(WOLFSSL* ssl, unsigned char *out, size_t outLen, 762 const char *label, size_t labelLen, 763 const unsigned char *context, size_t contextLen) 764 { 765 int ret; 766 enum wc_HashType hashType = WC_HASH_TYPE_NONE; 767 int hashLen = 0; 768 byte hashOut[WC_MAX_DIGEST_SIZE]; 769 const byte* emptyHash = NULL; 770 byte firstExpand[WC_MAX_DIGEST_SIZE]; 771 const byte* protocol = tls13ProtocolLabel; 772 word32 protocolLen = TLS13_PROTOCOL_LABEL_SZ; 773 774 if (ssl->version.minor != TLSv1_3_MINOR) 775 return VERSION_ERROR; 776 777 switch (ssl->specs.mac_algorithm) { 778 #ifndef NO_SHA256 779 case sha256_mac: 780 hashType = WC_HASH_TYPE_SHA256; 781 hashLen = WC_SHA256_DIGEST_SIZE; 782 emptyHash = emptySHA256Hash; 783 break; 784 #endif 785 786 #ifdef WOLFSSL_SHA384 787 case sha384_mac: 788 hashType = WC_HASH_TYPE_SHA384; 789 hashLen = WC_SHA384_DIGEST_SIZE; 790 emptyHash = emptySHA384Hash; 791 break; 792 #endif 793 794 #ifdef WOLFSSL_TLS13_SHA512 795 case sha512_mac: 796 hashType = WC_HASH_TYPE_SHA512; 797 hashLen = WC_SHA512_DIGEST_SIZE; 798 emptyHash = emptySHA512Hash; 799 break; 800 #endif 801 } 802 803 /* Derive-Secret(Secret, label, "") */ 804 ret = HKDF_Expand_Label(firstExpand, hashLen, 805 ssl->arrays->exporterSecret, hashLen, 806 protocol, protocolLen, (byte*)label, (word32)labelLen, 807 emptyHash, hashLen, hashType); 808 if (ret != 0) 809 return ret; 810 811 /* Hash(context_value) */ 812 ret = wc_Hash(hashType, context, (word32)contextLen, hashOut, WC_MAX_DIGEST_SIZE); 813 if (ret != 0) 814 return ret; 815 816 ret = HKDF_Expand_Label(out, (word32)outLen, firstExpand, hashLen, 817 protocol, protocolLen, exporterLabel, EXPORTER_LABEL_SZ, 818 hashOut, hashLen, hashType); 819 820 return ret; 821 } 771 822 #endif 772 823 773 824 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) 774 #ifdef WOLFSSL_TLS13_DRAFT_18775 /* The length of the resumption master secret label. */776 #define RESUME_MASTER_LABEL_SZ 24777 /* The resumption master secret label. */778 static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =779 "resumption master secret";780 #else781 825 /* The length of the resumption master secret label. */ 782 826 #define RESUME_MASTER_LABEL_SZ 10 … … 784 828 static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] = 785 829 "res master"; 786 #endif 830 787 831 /* Derive the resumption secret. 788 832 * … … 791 835 * returns 0 on success, otherwise failure. 792 836 */ 793 static int DeriveResumptionSecret(WOLFSSL* ssl, byte* key) 794 { 837 int DeriveResumptionSecret(WOLFSSL* ssl, byte* key) 838 { 839 byte* masterSecret; 840 795 841 WOLFSSL_MSG("Derive Resumption Secret"); 796 return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, 797 resumeMasterLabel, RESUME_MASTER_LABEL_SZ, 798 ssl->specs.mac_algorithm, 1); 842 if (ssl == NULL) { 843 return BAD_FUNC_ARG; 844 } 845 if (ssl->arrays != NULL) { 846 masterSecret = ssl->arrays->masterSecret; 847 } 848 else { 849 masterSecret = ssl->session.masterSecret; 850 } 851 return DeriveKey(ssl, key, -1, masterSecret, resumeMasterLabel, 852 RESUME_MASTER_LABEL_SZ, ssl->specs.mac_algorithm, 1); 799 853 } 800 854 #endif … … 818 872 } 819 873 820 #ifdef WOLFSSL_TLS13_DRAFT_18821 /* The length of the application traffic label. */822 #define APP_TRAFFIC_LABEL_SZ 26823 /* The application traffic label. */824 static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =825 "application traffic secret";826 #else827 874 /* The length of the application traffic label. */ 828 875 #define APP_TRAFFIC_LABEL_SZ 11 … … 830 877 static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] = 831 878 "traffic upd"; 832 #endif 879 833 880 /* Update the traffic secret. 834 881 * … … 849 896 * ssl The SSL/TLS object. 850 897 */ 851 staticint DeriveEarlySecret(WOLFSSL* ssl)898 int DeriveEarlySecret(WOLFSSL* ssl) 852 899 { 853 900 WOLFSSL_MSG("Derive Early Secret"); 901 if (ssl == NULL || ssl->arrays == NULL) { 902 return BAD_FUNC_ARG; 903 } 854 904 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) 855 905 return Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0, … … 862 912 } 863 913 864 #ifndef WOLFSSL_TLS13_DRAFT_18865 914 /* The length of the derived label. */ 866 915 #define DERIVED_LABEL_SZ 7 … … 868 917 static const byte derivedLabel[DERIVED_LABEL_SZ + 1] = 869 918 "derived"; 870 #endif 919 871 920 /* Derive the handshake secret using HKDF Extract. 872 921 * 873 922 * ssl The SSL/TLS object. 874 923 */ 875 static int DeriveHandshakeSecret(WOLFSSL* ssl) 876 { 877 #ifdef WOLFSSL_TLS13_DRAFT_18 878 WOLFSSL_MSG("Derive Handshake Secret"); 879 return Tls13_HKDF_Extract(ssl->arrays->preMasterSecret, 880 ssl->arrays->secret, ssl->specs.hash_size, 881 ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz, 882 ssl->specs.mac_algorithm); 883 #else 924 int DeriveHandshakeSecret(WOLFSSL* ssl) 925 { 884 926 byte key[WC_MAX_DIGEST_SIZE]; 885 927 int ret; 886 887 928 WOLFSSL_MSG("Derive Handshake Secret"); 888 929 if (ssl == NULL || ssl->arrays == NULL) { 930 return BAD_FUNC_ARG; 931 } 889 932 ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, 890 933 derivedLabel, DERIVED_LABEL_SZ, … … 897 940 ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz, 898 941 ssl->specs.mac_algorithm); 899 #endif900 942 } 901 943 … … 904 946 * ssl The SSL/TLS object. 905 947 */ 906 static int DeriveMasterSecret(WOLFSSL* ssl) 907 { 908 #ifdef WOLFSSL_TLS13_DRAFT_18 909 WOLFSSL_MSG("Derive Master Secret"); 910 return Tls13_HKDF_Extract(ssl->arrays->masterSecret, 911 ssl->arrays->preMasterSecret, ssl->specs.hash_size, 912 ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm); 913 #else 948 int DeriveMasterSecret(WOLFSSL* ssl) 949 { 914 950 byte key[WC_MAX_DIGEST_SIZE]; 915 951 int ret; 916 917 952 WOLFSSL_MSG("Derive Master Secret"); 918 953 if (ssl == NULL || ssl->arrays == NULL) { 954 return BAD_FUNC_ARG; 955 } 919 956 ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->preMasterSecret, 920 957 derivedLabel, DERIVED_LABEL_SZ, … … 923 960 return ret; 924 961 925 ret urnTls13_HKDF_Extract(ssl->arrays->masterSecret,962 ret = Tls13_HKDF_Extract(ssl->arrays->masterSecret, 926 963 key, ssl->specs.hash_size, 927 964 ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm); 928 #endif 929 } 930 931 #ifndef WOLFSSL_TLS13_DRAFT_18 965 966 #ifdef HAVE_KEYING_MATERIAL 967 if (ret != 0) 968 return ret; 969 /* Calculate exporter secret only when saving arrays */ 970 if (ssl->options.saveArrays) 971 ret = DeriveExporterSecret(ssl, ssl->arrays->exporterSecret); 972 #endif 973 974 return ret; 975 } 976 932 977 #if defined(HAVE_SESSION_TICKET) 933 978 /* Length of the resumption label. */ … … 943 988 * returns 0 on success, otherwise failure. 944 989 */ 945 static int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen, 946 byte* secret) 990 int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen, byte* secret) 947 991 { 948 992 int digestAlg; … … 982 1026 } 983 1027 #endif /* HAVE_SESSION_TICKET */ 984 #endif /* WOLFSSL_TLS13_DRAFT_18 */985 1028 986 1029 … … 999 1042 int hashSz = WC_SHA256_DIGEST_SIZE; 1000 1043 int ret = BAD_FUNC_ARG; 1044 1045 if (ssl == NULL || key == NULL || hash == NULL) { 1046 return BAD_FUNC_ARG; 1047 } 1001 1048 1002 1049 /* Get the hash of the previous handshake messages. */ … … 1071 1118 * returns 0 on success, otherwise failure. 1072 1119 */ 1073 staticint DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store)1120 int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store) 1074 1121 { 1075 1122 int ret = BAD_FUNC_ARG; /* Assume failure */ … … 1282 1329 word32 TimeNowInMilliseconds(void) 1283 1330 { 1284 const uint32_tsystemTickTimeInHz = 1000000 / systemTickInMicroseconds();1285 uint32_t*systemTickPtr = systemTickPointer();1331 const word32 systemTickTimeInHz = 1000000 / systemTickInMicroseconds(); 1332 word32 *systemTickPtr = systemTickPointer(); 1286 1333 1287 1334 return (word32) (*systemTickPtr/systemTickTimeInHz) * 1000; … … 1407 1454 return (word32)(uTaskerSystemTick / (TICK_RESOLUTION / 1000)); 1408 1455 } 1456 #elif defined(WOLFSSL_LINUXKM) 1457 /* The time in milliseconds. 1458 * Used for tickets to represent difference between when first seen and when 1459 * sending. 1460 * 1461 * returns the time in milliseconds as a 32-bit value. 1462 */ 1463 word32 TimeNowInMilliseconds(void) 1464 { 1465 #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0) 1466 return (word32)(ktime_get_real_ns() / (s64)1000000); 1467 #else 1468 return (word32)(ktime_get_real_ns() / (ktime_t)1000000); 1469 #endif 1470 } 1471 #elif defined(FUSION_RTOS) 1472 /* The time in milliseconds. 1473 * Used for tickets to represent difference between when first seen and when 1474 * sending. 1475 * 1476 * returns the time in milliseconds as a 32-bit value. 1477 */ 1478 word32 TimeNowInMilliseconds(void) 1479 { 1480 struct timeval now; 1481 if (FCL_GETTIMEOFDAY(&now, 0) < 0) 1482 return (word32)GETTIME_ERROR; /* TODO: return 0 for failure */ 1483 1484 /* Convert to milliseconds number. */ 1485 return (word32)(now.tv_sec * 1000 + now.tv_usec / 1000); 1486 } 1487 1409 1488 #else 1410 1489 /* The time in milliseconds. … … 1419 1498 1420 1499 if (gettimeofday(&now, 0) < 0) 1421 return GETTIME_ERROR; 1500 return (word32)GETTIME_ERROR; /* TODO: return 0 for failure */ 1501 1422 1502 /* Convert to milliseconds number. */ 1423 1503 return (word32)(now.tv_sec * 1000 + now.tv_usec / 1000); … … 1426 1506 #endif /* HAVE_SESSION_TICKET || !NO_PSK */ 1427 1507 1428 1429 #if !defined(NO_WOLFSSL_SERVER) && (defined(HAVE_SESSION_TICKET) || \1430 !defined(NO_PSK))1431 /* Add input to all handshake hashes.1432 *1433 * ssl The SSL/TLS object.1434 * input The data to hash.1435 * sz The size of the data to hash.1436 * returns 0 on success, otherwise failure.1437 */1438 static int HashInputRaw(WOLFSSL* ssl, const byte* input, int sz)1439 {1440 int ret = BAD_FUNC_ARG;1441 1442 #ifndef NO_SHA2561443 ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, input, sz);1444 if (ret != 0)1445 return ret;1446 #endif1447 #ifdef WOLFSSL_SHA3841448 ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, input, sz);1449 if (ret != 0)1450 return ret;1451 #endif1452 #ifdef WOLFSSL_TLS13_SHA5121453 ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, input, sz);1454 if (ret != 0)1455 return ret;1456 #endif1457 1458 return ret;1459 }1460 #endif1461 1508 1462 1509 /* Extract the handshake header information. … … 1502 1549 rl->type = type; 1503 1550 rl->pvMajor = ssl->version.major; 1504 #ifdef WOLFSSL_TLS13_DRAFT_181505 rl->pvMinor = TLSv1_MINOR;1506 #else1507 1551 /* NOTE: May be TLSv1_MINOR when sending first ClientHello. */ 1508 1552 rl->pvMinor = TLSv1_2_MINOR; 1509 #endif1510 1553 c16toa((word16)length, rl->length); 1511 1554 } … … 1584 1627 * out The buffer to write into. 1585 1628 */ 1586 static WC_INLINE void WriteSEQ (WOLFSSL* ssl, int verifyOrder, byte* out)1629 static WC_INLINE void WriteSEQTls13(WOLFSSL* ssl, int verifyOrder, byte* out) 1587 1630 { 1588 1631 word32 seq[2] = {0, 0}; … … 1620 1663 1621 1664 /* The nonce is the IV with the sequence XORed into the last bytes. */ 1622 WriteSEQ (ssl, order, nonce + AEAD_NONCE_SZ - SEQ_SZ);1665 WriteSEQTls13(ssl, order, nonce + AEAD_NONCE_SZ - SEQ_SZ); 1623 1666 for (i = 0; i < AEAD_NONCE_SZ - SEQ_SZ; i++) 1624 1667 nonce[i] = iv[i]; … … 1628 1671 1629 1672 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) 1630 /* Encrypt with ChaCha20 and create authen ication tag with Poly1305.1673 /* Encrypt with ChaCha20 and create authentication tag with Poly1305. 1631 1674 * 1632 1675 * ssl The SSL/TLS object. … … 1683 1726 1684 1727 #ifdef HAVE_NULL_CIPHER 1685 /* Create authen ication tag and copy data over input.1728 /* Create authentication tag and copy data over input. 1686 1729 * 1687 1730 * ssl The SSL/TLS object. … … 1765 1808 WOLFSSL_MSG("Data to encrypt"); 1766 1809 WOLFSSL_BUFFER(input, dataSz); 1767 #if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22) && \1768 !defined(WOLFSSL_TLS13_DRAFT_23)1769 1810 WOLFSSL_MSG("Additional Authentication Data"); 1770 1811 WOLFSSL_BUFFER(aad, aadSz); 1771 #endif1772 1812 #endif 1773 1813 … … 1912 1952 1913 1953 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) 1914 /* Decrypt with ChaCha20 and check authen ication tag with Poly1305.1954 /* Decrypt with ChaCha20 and check authentication tag with Poly1305. 1915 1955 * 1916 1956 * ssl The SSL/TLS object. … … 2068 2108 WOLFSSL_MSG("Data to decrypt"); 2069 2109 WOLFSSL_BUFFER(input, dataSz); 2070 #if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22) && \2071 !defined(WOLFSSL_TLS13_DRAFT_23)2072 2110 WOLFSSL_MSG("Additional Authentication Data"); 2073 2111 WOLFSSL_BUFFER(aad, aadSz); 2074 #endif2075 2112 WOLFSSL_MSG("Authentication tag"); 2076 2113 WOLFSSL_BUFFER(input + dataSz, macSz); … … 2351 2388 #endif 2352 2389 { 2353 #if defined(WOLFSSL_TLS13_DRAFT_18) || defined(WOLFSSL_TLS13_DRAFT_22) || \2354 defined(WOLFSSL_TLS13_DRAFT_23)2355 output += args->headerSz;2356 ret = EncryptTls13(ssl, output, output, args->size, NULL, 0,2357 asyncOkay);2358 #else2359 2390 const byte* aad = output; 2360 2391 output += args->headerSz; 2361 2392 ret = EncryptTls13(ssl, output, output, args->size, aad, 2362 2393 RECORD_HEADER_SZ, asyncOkay); 2363 #endif2364 2394 } 2365 2395 break; … … 2415 2445 #endif 2416 2446 2417 #ifndef WOLFSSL_TLS13_DRAFT_182418 2447 #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER) 2419 2448 /* Create Cookie extension using the hash of the first ClientHello. … … 2462 2491 * returns 0 on success, otherwise failure. 2463 2492 */ 2464 staticint RestartHandshakeHash(WOLFSSL* ssl)2493 int RestartHandshakeHash(WOLFSSL* ssl) 2465 2494 { 2466 2495 int ret; … … 2526 2555 if (ret != 0) 2527 2556 return ret; 2528 ret = Hash OutputRaw(ssl, header, sizeof(header));2557 ret = HashRaw(ssl, header, sizeof(header)); 2529 2558 if (ret != 0) 2530 2559 return ret; 2531 return Hash OutputRaw(ssl, hash, hashSz);2560 return HashRaw(ssl, hash, hashSz); 2532 2561 } 2533 2562 … … 2541 2570 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C 2542 2571 }; 2543 #endif /* WOLFSSL_TLS13_DRAFT_18 */ 2572 2544 2573 2545 2574 #ifndef NO_WOLFSSL_CLIENT … … 2578 2607 /* Resumption PSK is master secret. */ 2579 2608 ssl->arrays->psk_keySz = ssl->specs.hash_size; 2580 #ifdef WOLFSSL_TLS13_DRAFT_182581 XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret,2582 ssl->arrays->psk_keySz);2583 #else2584 2609 if ((ret = DeriveResumptionPSK(ssl, ssl->session.ticketNonce.data, 2585 2610 ssl->session.ticketNonce.len, ssl->arrays->psk_key)) != 0) { 2586 2611 return ret; 2587 2612 } 2588 #endif2589 2613 } 2590 2614 #endif … … 2594 2618 const char* cipherName = NULL; 2595 2619 byte cipherSuite0 = TLS13_BYTE, cipherSuite = WOLFSSL_DEF_PSK_CIPHER; 2620 int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE; 2596 2621 2597 2622 /* Get the pre-shared key. */ … … 2602 2627 &cipherName); 2603 2628 if (GetCipherSuiteFromName(cipherName, &cipherSuite0, 2604 &cipherSuite) != 0) {2629 &cipherSuite, &cipherSuiteFlags) != 0) { 2605 2630 return PSK_KEY_ERROR; 2606 2631 } … … 2620 2645 return PSK_KEY_ERROR; 2621 2646 } 2647 (void)cipherSuiteFlags; 2622 2648 #else 2623 2649 /* PSK information loaded during setting of default TLS extensions. */ … … 2626 2652 #endif 2627 2653 2628 if (ssl->options.noPskDheKe) 2654 if (ssl->options.noPskDheKe) { 2629 2655 ssl->arrays->preMasterSz = 0; 2656 } 2630 2657 2631 2658 /* Derive the early secret using the PSK. */ … … 2707 2734 2708 2735 /* Hash binders to complete the hash of the ClientHello. */ 2709 ret = Hash OutputRaw(ssl, output + idx, len);2736 ret = HashRaw(ssl, output + idx, len); 2710 2737 if (ret < 0) 2711 2738 return ret; … … 2778 2805 length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->suites->suiteSz + 2779 2806 SUITE_LEN + COMP_LEN + ENUM_LEN; 2780 #ifndef WOLFSSL_TLS13_DRAFT_182781 2807 #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) 2782 2808 length += ID_LEN; … … 2785 2811 length += ssl->session.sessionIDSz; 2786 2812 #endif 2787 #endif2788 2813 2789 2814 /* Auto populate extensions supported unless user defined. */ … … 2846 2871 idx += RAN_LEN; 2847 2872 2848 #ifdef WOLFSSL_TLS13_DRAFT_182849 /* TLS v1.3 does not use session id - 0 length. */2850 output[idx++] = 0;2851 #else2852 2873 if (ssl->session.sessionIDSz > 0) { 2853 2874 /* Session resumption for old versions of protocol. */ … … 2866 2887 #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */ 2867 2888 } 2868 #endif /* WOLFSSL_TLS13_DRAFT_18 */2869 2889 2870 2890 /* Cipher suites */ … … 2921 2941 } 2922 2942 2923 #ifdef WOLFSSL_TLS13_DRAFT_182924 /* handle rocessing of TLS 1.3 hello_retry_request (6) */2925 /* Parse and handle a HelloRetryRequest message.2926 * Only a client will receive this message.2927 *2928 * ssl The SSL/TLS object.2929 * input The message buffer.2930 * inOutIdx On entry, the index into the message buffer of2931 * HelloRetryRequest.2932 * On exit, the index of byte after the HelloRetryRequest message.2933 * totalSz The length of the current handshake message.2934 * returns 0 on success and otherwise failure.2935 */2936 static int DoTls13HelloRetryRequest(WOLFSSL* ssl, const byte* input,2937 word32* inOutIdx, word32 totalSz)2938 {2939 int ret;2940 word32 begin = *inOutIdx;2941 word32 i = begin;2942 word16 totalExtSz;2943 ProtocolVersion pv;2944 2945 WOLFSSL_ENTER("DoTls13HelloRetryRequest");2946 2947 #ifdef WOLFSSL_CALLBACKS2948 if (ssl->hsInfoOn) AddPacketName(ssl, "HelloRetryRequest");2949 if (ssl->toInfoOn) AddLateName("HelloRetryRequest", &ssl->timeoutInfo);2950 #endif2951 2952 /* Version info and length field of extension data. */2953 if (totalSz < i - begin + OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)2954 return BUFFER_ERROR;2955 2956 /* Protocol version. */2957 XMEMCPY(&pv, input + i, OPAQUE16_LEN);2958 i += OPAQUE16_LEN;2959 ret = CheckVersion(ssl, pv);2960 if (ret != 0)2961 return ret;2962 2963 /* Length of extension data. */2964 ato16(&input[i], &totalExtSz);2965 i += OPAQUE16_LEN;2966 if (totalExtSz == 0) {2967 WOLFSSL_MSG("HelloRetryRequest must contain extensions");2968 return MISSING_HANDSHAKE_DATA;2969 }2970 2971 /* Extension data. */2972 if (i - begin + totalExtSz > totalSz)2973 return BUFFER_ERROR;2974 if ((ret = TLSX_Parse(ssl, (byte *)(input + i), totalExtSz,2975 hello_retry_request, NULL)) != 0)2976 return ret;2977 /* The KeyShare extension parsing fails when not valid. */2978 2979 /* Move index to byte after message. */2980 *inOutIdx = i + totalExtSz;2981 2982 ssl->options.tls1_3 = 1;2983 ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;2984 2985 WOLFSSL_LEAVE("DoTls13HelloRetryRequest", ret);2986 2987 return ret;2988 }2989 #endif2990 2991 2992 2943 /* handle processing of TLS 1.3 server_hello (2) and hello_retry_request (6) */ 2993 2944 /* Handle the ServerHello message from the server. … … 3008 2959 word32 begin = i; 3009 2960 int ret; 3010 #ifndef WOLFSSL_TLS13_DRAFT_183011 2961 byte sessIdSz; 3012 2962 const byte* sessId; 3013 2963 byte b; 3014 2964 int foundVersion; 3015 #endif3016 2965 word16 totalExtSz; 3017 2966 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) … … 3023 2972 WOLFSSL_ENTER("DoTls13ServerHello"); 3024 2973 2974 if (ssl->arrays == NULL) 2975 return BAD_FUNC_ARG; 2976 3025 2977 #ifdef WOLFSSL_CALLBACKS 3026 2978 if (ssl->hsInfoOn) AddPacketName(ssl, "ServerHello"); … … 3028 2980 #endif 3029 2981 2982 if (ssl == NULL || ssl->arrays == NULL) 2983 return BAD_FUNC_ARG; 2984 3030 2985 /* Protocol version length check. */ 3031 2986 if (OPAQUE16_LEN > helloSz) … … 3035 2990 XMEMCPY(&pv, input + i, OPAQUE16_LEN); 3036 2991 i += OPAQUE16_LEN; 3037 #ifdef WOLFSSL_TLS13_DRAFT_18 3038 ret = CheckVersion(ssl, pv); 3039 if (ret != 0) 3040 return ret; 3041 if (!IsAtLeastTLSv1_3(pv) && pv.major != TLS_DRAFT_MAJOR) { 3042 #ifndef WOLFSSL_NO_TLS12 3043 if (ssl->options.downgrade) { 3044 ssl->version = pv; 3045 return DoServerHello(ssl, input, inOutIdx, helloSz); 3046 } 3047 #endif 3048 3049 WOLFSSL_MSG("Client using higher version, fatal error"); 3050 return VERSION_ERROR; 3051 } 3052 #else 2992 3053 2993 #ifndef WOLFSSL_NO_TLS12 3054 2994 if (pv.major == ssl->version.major && pv.minor < TLSv1_2_MINOR && … … 3062 3002 if (pv.major != ssl->version.major || pv.minor != TLSv1_2_MINOR) 3063 3003 return VERSION_ERROR; 3064 #endif 3065 3066 #ifdef WOLFSSL_TLS13_DRAFT_18 3067 /* Random length check */ 3068 if ((i - begin) + RAN_LEN > helloSz) 3069 return BUFFER_ERROR; 3070 #else 3004 3071 3005 /* Random and session id length check */ 3072 3006 if ((i - begin) + RAN_LEN + ENUM_LEN > helloSz) 3073 3007 return BUFFER_ERROR; 3074 3008 3075 if (XMEMCMP(input + i, helloRetryRequestRandom, RAN_LEN) == 0) 3009 if (XMEMCMP(input + i, helloRetryRequestRandom, RAN_LEN) == 0) { 3076 3010 *extMsgType = hello_retry_request; 3077 #endif 3011 /* A HelloRetryRequest comes in as an ServerHello for MiddleBox compat. 3012 * Found message to be a HelloRetryRequest. 3013 * Don't allow more than one HelloRetryRequest or ServerHello. 3014 */ 3015 if (ssl->msgsReceived.got_hello_retry_request == 1) { 3016 return DUPLICATE_MSG_E; 3017 } 3018 /* Update counts to reflect change of message type. */ 3019 ssl->msgsReceived.got_hello_retry_request++; 3020 ssl->msgsReceived.got_server_hello--; 3021 } 3078 3022 3079 3023 /* Server random - keep for debugging. */ … … 3081 3025 i += RAN_LEN; 3082 3026 3083 #ifndef WOLFSSL_TLS13_DRAFT_183084 3027 /* Session id */ 3085 3028 sessIdSz = input[i++]; … … 3088 3031 sessId = input + i; 3089 3032 i += sessIdSz; 3090 #endif /* WOLFSSL_TLS13_DRAFT_18 */ 3033 3091 3034 ssl->options.haveSessionId = 1; 3092 3035 3093 #ifdef WOLFSSL_TLS13_DRAFT_183094 /* Ciphersuite check */3095 if ((i - begin) + OPAQUE16_LEN + OPAQUE16_LEN > helloSz)3096 return BUFFER_ERROR;3097 #else3098 3036 /* Ciphersuite and compression check */ 3099 3037 if ((i - begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz) 3100 3038 return BUFFER_ERROR; 3101 #endif3102 3039 3103 3040 /* Set the cipher suite from the message. */ … … 3105 3042 ssl->options.cipherSuite = input[i++]; 3106 3043 3107 #ifndef WOLFSSL_TLS13_DRAFT_183108 3044 /* Compression */ 3109 3045 b = input[i++]; … … 3112 3048 return INVALID_PARAMETER; 3113 3049 } 3114 #endif 3115 3116 #ifndef WOLFSSL_TLS13_DRAFT_18 3050 3117 3051 if ((i - begin) + OPAQUE16_LEN > helloSz) { 3118 3052 if (!ssl->options.downgrade) … … 3123 3057 ssl->options.haveEMS = 0; 3124 3058 } 3125 if ((i - begin) < helloSz) 3126 #endif 3127 { 3059 if ((i - begin) < helloSz) { 3128 3060 /* Get extension length and length check. */ 3129 3061 if ((i - begin) + OPAQUE16_LEN > helloSz) … … 3134 3066 return BUFFER_ERROR; 3135 3067 3136 #ifndef WOLFSSL_TLS13_DRAFT_183137 3068 /* Need to negotiate version first. */ 3138 3069 if ((ret = TLSX_ParseVersion(ssl, (byte*)input + i, totalExtSz, … … 3151 3082 ssl->version.minor = pv.minor; 3152 3083 } 3153 #endif3154 3084 3155 3085 /* Parse and handle extensions. */ … … 3176 3106 #endif /* HAVE_SECRET_CALLBACK */ 3177 3107 3178 #ifndef WOLFSSL_TLS13_DRAFT_183179 3108 /* Version only negotiated in extensions for TLS v1.3. 3180 3109 * Only now do we know how to deal with session id. … … 3208 3137 } 3209 3138 3210 3139 #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT 3211 3140 if (sessIdSz == 0) 3212 3141 return INVALID_PARAMETER; … … 3219 3148 else if (XMEMCMP(ssl->arrays->clientRandom, sessId, sessIdSz) != 0) 3220 3149 return INVALID_PARAMETER; 3221 3150 #else 3222 3151 if (sessIdSz != ssl->session.sessionIDSz || (sessIdSz > 0 && 3223 3152 XMEMCMP(ssl->session.sessionID, sessId, sessIdSz) != 0)) { … … 3225 3154 return INVALID_PARAMETER; 3226 3155 } 3227 #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */ 3228 #endif 3156 #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */ 3229 3157 3230 3158 ret = SetCipherSpecs(ssl); … … 3246 3174 3247 3175 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) 3248 #ifndef WOLFSSL_TLS13_DRAFT_18 3249 if (*extMsgType == server_hello) 3250 #endif 3251 { 3176 if (*extMsgType == server_hello) { 3252 3177 ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); 3253 3178 if (ext != NULL) … … 3265 3190 #endif 3266 3191 3267 #ifdef WOLFSSL_TLS13_DRAFT_183268 ssl->keys.encryptionOn = 1;3269 #else3270 3192 if (*extMsgType == server_hello) { 3271 3193 ssl->keys.encryptionOn = 1; … … 3278 3200 ret = RestartHandshakeHash(ssl); 3279 3201 } 3280 #endif3281 3202 3282 3203 WOLFSSL_LEAVE("DoTls13ServerHello", ret); … … 3358 3279 } 3359 3280 3281 #ifndef NO_CERTS 3360 3282 /* handle processing TLS v1.3 certificate_request (13) */ 3361 3283 /* Handle a TLS v1.3 CertificateRequest message. … … 3376 3298 word32 begin = *inOutIdx; 3377 3299 int ret = 0; 3378 #ifndef WOLFSSL_TLS13_DRAFT_183379 3300 Suites peerSuites; 3380 #endif3381 3301 #ifdef WOLFSSL_POST_HANDSHAKE_AUTH 3382 3302 CertReqCtx* certReqCtx; … … 3386 3306 WOLFSSL_ENTER("DoTls13CertificateRequest"); 3387 3307 3388 #ifndef WOLFSSL_TLS13_DRAFT_183389 3308 XMEMSET(&peerSuites, 0, sizeof(Suites)); 3390 #endif 3309 3391 3310 #ifdef WOLFSSL_CALLBACKS 3392 3311 if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateRequest"); … … 3420 3339 *inOutIdx += len; 3421 3340 3422 #ifdef WOLFSSL_TLS13_DRAFT_183423 /* Signature and hash algorithms. */3424 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)3425 return BUFFER_ERROR;3426 ato16(input + *inOutIdx, &len);3427 *inOutIdx += OPAQUE16_LEN;3428 if ((*inOutIdx - begin) + len > size)3429 return BUFFER_ERROR;3430 if (PickHashSigAlgo(ssl, input + *inOutIdx, len) != 0 &&3431 ssl->buffers.certificate && ssl->buffers.certificate->buffer &&3432 ssl->buffers.key && ssl->buffers.key->buffer) {3433 return INVALID_PARAMETER;3434 }3435 *inOutIdx += len;3436 3437 /* Length of certificate authority data. */3438 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)3439 return BUFFER_ERROR;3440 ato16(input + *inOutIdx, &len);3441 *inOutIdx += OPAQUE16_LEN;3442 if ((*inOutIdx - begin) + len > size)3443 return BUFFER_ERROR;3444 3445 /* Certificate authorities. */3446 while (len) {3447 word16 dnSz;3448 3449 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)3450 return BUFFER_ERROR;3451 3452 ato16(input + *inOutIdx, &dnSz);3453 *inOutIdx += OPAQUE16_LEN;3454 3455 if ((*inOutIdx - begin) + dnSz > size)3456 return BUFFER_ERROR;3457 3458 *inOutIdx += dnSz;3459 len -= OPAQUE16_LEN + dnSz;3460 }3461 3462 /* Certificate extensions */3463 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)3464 return BUFFER_ERROR;3465 ato16(input + *inOutIdx, &len);3466 *inOutIdx += OPAQUE16_LEN;3467 if ((*inOutIdx - begin) + len > size)3468 return BUFFER_ERROR;3469 *inOutIdx += len;3470 #else3471 3341 /* TODO: Add support for more extensions: 3472 3342 * signed_certificate_timestamp, certificate_authorities, oid_filters. … … 3486 3356 } 3487 3357 *inOutIdx += len; 3488 #endif3489 3358 3490 3359 if (ssl->buffers.certificate && ssl->buffers.certificate->buffer && … … 3494 3363 #endif 3495 3364 )) { 3496 #ifndef WOLFSSL_TLS13_DRAFT_183497 3365 if (PickHashSigAlgo(ssl, peerSuites.hashSigAlgo, 3498 3366 peerSuites.hashSigAlgoSz) != 0) { 3499 3367 return INVALID_PARAMETER; 3500 3368 } 3501 #endif3502 3369 ssl->options.sendVerify = SEND_CERT; 3503 3370 } 3504 3371 else { 3372 #ifndef WOLFSSL_NO_CLIENT_CERT_ERROR 3505 3373 ssl->options.sendVerify = SEND_BLANK_CERT; 3374 #else 3375 WOLFSSL_MSG("Certificate required but none set on client"); 3376 SendAlert(ssl, alert_fatal, illegal_parameter); 3377 return NO_CERT_ERROR; 3378 #endif 3506 3379 } 3507 3380 … … 3514 3387 return ret; 3515 3388 } 3516 3389 #endif /* !NO_CERTS */ 3517 3390 #endif /* !NO_WOLFSSL_CLIENT */ 3518 3391 … … 3576 3449 byte cipherSuite0 = TLS13_BYTE; 3577 3450 byte cipherSuite = WOLFSSL_DEF_PSK_CIPHER; 3451 int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE; 3578 3452 #endif 3579 3453 … … 3625 3499 #ifdef HAVE_SESSION_TICKET 3626 3500 /* Decode the identity. */ 3627 if ( (ret = DoClientTicket(ssl, current->identity, current->identityLen))3501 if (DoClientTicket(ssl, current->identity, current->identityLen) 3628 3502 == WOLFSSL_TICKET_RET_OK) { 3629 3503 word32 now; … … 3642 3516 /* Invalid difference, fallback to full handshake. */ 3643 3517 ssl->options.resuming = 0; 3644 break; 3518 /* Hash the rest of the ClientHello. */ 3519 return HashRaw(ssl, input + helloSz - bindersLen, bindersLen); 3645 3520 } 3646 3521 … … 3667 3542 /* Resumption PSK is resumption master secret. */ 3668 3543 ssl->arrays->psk_keySz = ssl->specs.hash_size; 3669 #ifdef WOLFSSL_TLS13_DRAFT_183670 XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret,3671 ssl->arrays->psk_keySz);3672 #else3673 3544 if ((ret = DeriveResumptionPSK(ssl, ssl->session.ticketNonce.data, 3674 3545 ssl->session.ticketNonce.len, ssl->arrays->psk_key)) != 0) { 3675 3546 return ret; 3676 3547 } 3677 #endif3678 3548 3679 3549 /* Derive the early secret using the PSK. */ … … 3694 3564 MAX_PSK_KEY_LEN, &cipherName)) != 0 && 3695 3565 GetCipherSuiteFromName(cipherName, &cipherSuite0, 3696 &cipherSuite) == 0) ||3566 &cipherSuite, &cipherSuiteFlags) == 0) || 3697 3567 (ssl->options.server_psk_cb != NULL && 3698 3568 (ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl, … … 3705 3575 suite[0] = cipherSuite0; 3706 3576 suite[1] = cipherSuite; 3577 (void)cipherSuiteFlags; 3707 3578 if (!FindSuiteSSL(ssl, suite)) { 3708 3579 current = current->next; … … 3712 3583 /* Default to ciphersuite if cb doesn't specify. */ 3713 3584 ssl->options.resuming = 0; 3585 /* Don't send certificate request when using PSK. */ 3586 ssl->options.verifyPeer = 0; 3714 3587 3715 3588 /* PSK age is always zero. */ … … 3765 3638 3766 3639 /* Hash the rest of the ClientHello. */ 3767 ret = Hash InputRaw(ssl, input + helloSz - bindersLen, bindersLen);3640 ret = HashRaw(ssl, input + helloSz - bindersLen, bindersLen); 3768 3641 if (ret != 0) 3769 3642 return ret; … … 3807 3680 modes = ext->val; 3808 3681 3682 #ifdef HAVE_SUPPORTED_CURVES 3809 3683 ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); 3810 3684 /* Use (EC)DHE for forward-security if possible. */ … … 3826 3700 ext->resp = 1; 3827 3701 } 3828 else { 3702 else 3703 #endif 3704 { 3829 3705 if ((modes & (1 << PSK_KE)) == 0) 3830 3706 return PSK_KEY_ERROR; … … 3841 3717 #endif 3842 3718 3843 #if !defined(WOLFSSL_TLS13_DRAFT_18) &&defined(WOLFSSL_SEND_HRR_COOKIE)3719 #if defined(WOLFSSL_SEND_HRR_COOKIE) 3844 3720 /* Check that the Cookie data's integrity. 3845 3721 * … … 3892 3768 /* Length of the Cookie Extension excluding cookie data */ 3893 3769 #define HRR_COOKIE_HDR_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN) 3894 #ifdef WOLFSSL_TLS13_DRAFT_183895 /* PV | CipherSuite | Ext Len */3896 #define HRR_BODY_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)3897 /* HH | PV | CipherSuite | Ext Len | Key Share | Cookie */3898 #define MAX_HRR_SZ (HANDSHAKE_HEADER_SZ + \3899 HRR_BODY_SZ + \3900 HRR_KEY_SHARE_SZ + \3901 HRR_COOKIE_HDR_SZ)3902 #else3903 3770 /* PV | Random | Session Id | CipherSuite | Compression | Ext Len */ 3904 3771 #define HRR_BODY_SZ (VERSION_SZ + RAN_LEN + ENUM_LEN + ID_LEN + \ … … 3910 3777 HRR_VERSIONS_SZ + \ 3911 3778 HRR_COOKIE_HDR_SZ) 3912 #endif 3779 3913 3780 3914 3781 /* Restart the handshake hash from the cookie value. … … 3942 3809 if ((ret = InitHandshakeHashes(ssl)) != 0) 3943 3810 return ret; 3944 if ((ret = Hash OutputRaw(ssl, header, sizeof(header))) != 0)3945 return ret; 3946 if ((ret = Hash OutputRaw(ssl, cookieData + idx, hashSz)) != 0)3811 if ((ret = HashRaw(ssl, header, sizeof(header))) != 0) 3812 return ret; 3813 if ((ret = HashRaw(ssl, cookieData + idx, hashSz)) != 0) 3947 3814 return ret; 3948 3815 3949 3816 /* Reconstruct the HelloRetryMessage for handshake hash. */ 3950 #ifdef WOLFSSL_TLS13_DRAFT_183951 length = HRR_BODY_SZ + HRR_COOKIE_HDR_SZ + cookie->len;3952 #else3953 3817 length = HRR_BODY_SZ - ID_LEN + ssl->session.sessionIDSz + 3954 3818 HRR_COOKIE_HDR_SZ + cookie->len; 3955 3819 length += HRR_VERSIONS_SZ; 3956 #endif3957 3820 if (cookieDataSz > hashSz + OPAQUE16_LEN) { 3958 3821 keyShareExt = 1; 3959 3822 length += HRR_KEY_SHARE_SZ; 3960 3823 } 3961 #ifdef WOLFSSL_TLS13_DRAFT_18 3962 AddTls13HandShakeHeader(hrr, length, 0, 0, hello_retry_request, ssl); 3963 3964 idx += hashSz; 3965 hrrIdx = HANDSHAKE_HEADER_SZ; 3966 /* The negotiated protocol version. */ 3967 hrr[hrrIdx++] = TLS_DRAFT_MAJOR; 3968 hrr[hrrIdx++] = TLS_DRAFT_MINOR; 3969 /* Cipher Suite */ 3970 hrr[hrrIdx++] = cookieData[idx++]; 3971 hrr[hrrIdx++] = cookieData[idx++]; 3972 3973 /* Extensions' length */ 3974 length -= HRR_BODY_SZ; 3975 c16toa(length, hrr + hrrIdx); 3976 hrrIdx += 2; 3977 #else 3824 3978 3825 AddTls13HandShakeHeader(hrr, length, 0, 0, server_hello, ssl); 3979 3826 … … 4007 3854 hrrIdx += 2; 4008 3855 4009 #endif4010 3856 /* Optional KeyShare Extension */ 4011 3857 if (keyShareExt) { … … 4017 3863 hrr[hrrIdx++] = cookieData[idx++]; 4018 3864 } 4019 #ifndef WOLFSSL_TLS13_DRAFT_184020 3865 c16toa(TLSX_SUPPORTED_VERSIONS, hrr + hrrIdx); 4021 3866 hrrIdx += 2; … … 4029 3874 hrr[hrrIdx++] = ssl->version.minor; 4030 3875 #endif 4031 #endif 3876 4032 3877 /* Mandatory Cookie Extension */ 4033 3878 c16toa(TLSX_COOKIE, hrr + hrrIdx); … … 4045 3890 #endif 4046 3891 4047 if ((ret = Hash OutputRaw(ssl, hrr, hrrIdx)) != 0)4048 return ret; 4049 return Hash OutputRaw(ssl, cookieData, cookie->len);3892 if ((ret = HashRaw(ssl, hrr, hrrIdx)) != 0) 3893 return ret; 3894 return HashRaw(ssl, cookieData, cookie->len); 4050 3895 } 4051 3896 #endif … … 4205 4050 } 4206 4051 4052 /* From here on we are a TLS 1.3 ClientHello. */ 4053 4207 4054 /* Client random */ 4208 4055 XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN); … … 4214 4061 #endif 4215 4062 4216 #ifdef WOLFSSL_TLS13_DRAFT_184217 /* Session id - empty in TLS v1.3 */4218 sessIdSz = input[i++];4219 if (sessIdSz > 0 && !ssl->options.downgrade) {4220 WOLFSSL_MSG("Client sent session id - not supported");4221 return BUFFER_ERROR;4222 }4223 #else4224 4063 sessIdSz = input[i++]; 4225 4064 if (sessIdSz != ID_LEN && sessIdSz != 0) 4226 4065 return INVALID_PARAMETER; 4227 #endif4228 4066 4229 4067 if (sessIdSz + i > helloSz) { … … 4251 4089 clSuites.hashSigAlgoSz = 0; 4252 4090 4253 #ifdef HAVE_SERVER_RENEGOTIATION_INFO4254 ret = FindSuite(&clSuites, 0, TLS_EMPTY_RENEGOTIATION_INFO_SCSV);4255 if (ret == SUITES_ERROR)4256 return BUFFER_ERROR;4257 if (ret >= 0) {4258 TLSX* extension;4259 4260 /* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */4261 ret = TLSX_AddEmptyRenegotiationInfo(&ssl->extensions, ssl->heap);4262 if (ret != WOLFSSL_SUCCESS)4263 return ret;4264 4265 extension = TLSX_Find(ssl->extensions, TLSX_RENEGOTIATION_INFO);4266 if (extension) {4267 ssl->secure_renegotiation = (SecureRenegotiation*)extension->data;4268 ssl->secure_renegotiation->enabled = 1;4269 }4270 }4271 #endif /* HAVE_SERVER_RENEGOTIATION_INFO */4272 4273 4091 /* Compression */ 4274 4092 b = input[i++]; … … 4306 4124 } 4307 4125 4308 #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ 4309 defined(WOLFSSL_HAPROXY) 4126 #ifdef HAVE_SNI 4310 4127 if ((ret = SNI_Callback(ssl)) != 0) 4311 4128 return ret; 4312 4129 ssl->options.side = WOLFSSL_SERVER_END; 4313 #endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */4130 #endif 4314 4131 4315 4132 i += totalExtSz; … … 4321 4138 ssl->options.haveSessionId = 1; 4322 4139 4323 #if !defined(WOLFSSL_TLS13_DRAFT_18) &&defined(WOLFSSL_SEND_HRR_COOKIE)4140 #if defined(WOLFSSL_SEND_HRR_COOKIE) 4324 4141 if (ssl->options.sendCookie && 4325 4142 ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) { … … 4340 4157 4341 4158 #if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \ 4342 defined(HAVE_TLS_EXTENSIONS)4159 defined(HAVE_TLS_EXTENSIONS) 4343 4160 if (TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY) != NULL) { 4344 4161 /* Refine list for PSK processing. */ … … 4362 4179 4363 4180 if (!usingPSK) { 4181 #ifndef NO_CERTS 4364 4182 if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) { 4365 4183 WOLFSSL_MSG("Client did not send a KeyShare extension"); … … 4379 4197 } 4380 4198 4381 #ifdef HAVE_NULL_CIPHER4199 #ifdef HAVE_NULL_CIPHER 4382 4200 if (ssl->options.cipherSuite0 == ECC_BYTE && 4383 4201 (ssl->options.cipherSuite == TLS_SHA256_SHA256 || … … 4386 4204 } 4387 4205 else 4388 #endif4206 #endif 4389 4207 /* Check that the negotiated ciphersuite matches protocol version. */ 4390 4208 if (ssl->options.cipherSuite0 != TLS13_BYTE) { … … 4395 4213 } 4396 4214 4397 #ifdef HAVE_SESSION_TICKET4215 #ifdef HAVE_SESSION_TICKET 4398 4216 if (ssl->options.resuming) { 4399 4217 ssl->options.resuming = 0; 4400 4218 XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size); 4401 4219 } 4402 #endif4220 #endif 4403 4221 4404 4222 /* Derive early secret for handshake secret. */ 4405 4223 if ((ret = DeriveEarlySecret(ssl)) != 0) 4406 4224 return ret; 4225 #else 4226 ret = INVALID_PARAMETER; 4227 #endif 4407 4228 } 4408 4229 … … 4413 4234 } 4414 4235 4415 #ifdef WOLFSSL_TLS13_DRAFT_18 4416 /* handle generation of TLS 1.3 hello_retry_request (6) */ 4417 /* Send the HelloRetryRequest message to indicate the negotiated protocol 4418 * version and security parameters the server is willing to use. 4236 /* Send TLS v1.3 ServerHello message to client. 4419 4237 * Only a server will send this message. 4420 4238 * … … 4422 4240 * returns 0 on success, otherwise failure. 4423 4241 */ 4424 int SendTls13HelloRetryRequest(WOLFSSL* ssl)4425 {4426 int ret;4427 byte* output;4428 word32 length;4429 word16 len;4430 word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;4431 int sendSz;4432 4433 WOLFSSL_ENTER("SendTls13HelloRetryRequest");4434 4435 /* Get the length of the extensions that will be written. */4436 len = 0;4437 ret = TLSX_GetResponseSize(ssl, hello_retry_request, &len);4438 /* There must be extensions sent to indicate what client needs to do. */4439 if (ret != 0)4440 return MISSING_HANDSHAKE_DATA;4441 4442 /* Protocol version + Extensions */4443 length = OPAQUE16_LEN + len;4444 sendSz = idx + length;4445 4446 /* Check buffers are big enough and grow if needed. */4447 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)4448 return ret;4449 4450 /* Get position in output buffer to write new message to. */4451 output = ssl->buffers.outputBuffer.buffer +4452 ssl->buffers.outputBuffer.length;4453 /* Add record and handshake headers. */4454 AddTls13Headers(output, length, hello_retry_request, ssl);4455 4456 /* The negotiated protocol version. */4457 output[idx++] = TLS_DRAFT_MAJOR;4458 output[idx++] = TLS_DRAFT_MINOR;4459 4460 /* Add TLS extensions. */4461 ret = TLSX_WriteResponse(ssl, output + idx, hello_retry_request, NULL);4462 if (ret != 0)4463 return ret;4464 idx += len;4465 4466 #ifdef WOLFSSL_CALLBACKS4467 if (ssl->hsInfoOn)4468 AddPacketName(ssl, "HelloRetryRequest");4469 if (ssl->toInfoOn) {4470 AddPacketInfo(ssl, "HelloRetryRequest", handshake, output, sendSz,4471 WRITE_PROTO, ssl->heap);4472 }4473 #endif4474 if ((ret = HashOutput(ssl, output, idx, 0)) != 0)4475 return ret;4476 4477 ssl->buffers.outputBuffer.length += sendSz;4478 4479 if (!ssl->options.groupMessages)4480 ret = SendBuffered(ssl);4481 4482 WOLFSSL_LEAVE("SendTls13HelloRetryRequest", ret);4483 4484 return ret;4485 }4486 #endif /* WOLFSSL_TLS13_DRAFT_18 */4487 4488 /* Send TLS v1.3 ServerHello message to client.4489 * Only a server will send this message.4490 *4491 * ssl The SSL/TLS object.4492 * returns 0 on success, otherwise failure.4493 */4494 #ifdef WOLFSSL_TLS13_DRAFT_184495 static4496 #endif4497 4242 /* handle generation of TLS 1.3 server_hello (2) */ 4498 4243 int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType) … … 4507 4252 WOLFSSL_ENTER("SendTls13ServerHello"); 4508 4253 4509 #ifndef WOLFSSL_TLS13_DRAFT_184510 4254 if (extMsgType == hello_retry_request) { 4511 4255 WOLFSSL_MSG("wolfSSL Doing HelloRetryRequest"); … … 4513 4257 return ret; 4514 4258 } 4515 #endif 4516 4517 #ifdef WOLFSSL_TLS13_DRAFT_18 4518 /* Protocol version, server random, cipher suite and extensions. */ 4519 length = VERSION_SZ + RAN_LEN + SUITE_LEN; 4520 ret = TLSX_GetResponseSize(ssl, server_hello, &length); 4521 if (ret != 0) 4522 return ret; 4523 #else 4259 4524 4260 /* Protocol version, server random, session id, cipher suite, compression 4525 4261 * and extensions. … … 4530 4266 if (ret != 0) 4531 4267 return ret; 4532 #endif4533 4268 sendSz = idx + length; 4534 4269 … … 4544 4279 AddTls13Headers(output, length, server_hello, ssl); 4545 4280 4546 #ifdef WOLFSSL_TLS13_DRAFT_184547 /* The negotiated protocol version. */4548 output[idx++] = TLS_DRAFT_MAJOR;4549 output[idx++] = TLS_DRAFT_MINOR;4550 #else4551 4281 /* The protocol version must be TLS v1.2 for middleboxes. */ 4552 4282 output[idx++] = ssl->version.major; 4553 4283 output[idx++] = TLSv1_2_MINOR; 4554 #endif4555 4284 4556 4285 if (extMsgType == server_hello) { … … 4559 4288 return ret; 4560 4289 } 4561 #ifndef WOLFSSL_TLS13_DRAFT_184562 4290 else { 4563 4291 /* HelloRetryRequest message has fixed value for random. */ 4564 4292 XMEMCPY(output + idx, helloRetryRequestRandom, RAN_LEN); 4565 4293 } 4566 #endif 4294 4567 4295 /* Store in SSL for debugging. */ 4568 4296 XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN); … … 4574 4302 #endif 4575 4303 4576 #ifndef WOLFSSL_TLS13_DRAFT_184577 4304 output[idx++] = ssl->session.sessionIDSz; 4578 4305 if (ssl->session.sessionIDSz > 0) { … … 4580 4307 idx += ssl->session.sessionIDSz; 4581 4308 } 4582 #endif4583 4309 4584 4310 /* Chosen cipher suite */ … … 4586 4312 output[idx++] = ssl->options.cipherSuite; 4587 4313 4588 #ifndef WOLFSSL_TLS13_DRAFT_184589 4314 /* Compression not supported in TLS v1.3. */ 4590 4315 output[idx++] = 0; 4591 #endif4592 4316 4593 4317 /* Extensions */ … … 4610 4334 #endif 4611 4335 4612 #ifdef WOLFSSL_TLS13_DRAFT_184613 ssl->options.serverState = SERVER_HELLO_COMPLETE;4614 #else4615 4336 if (extMsgType == server_hello) 4616 4337 ssl->options.serverState = SERVER_HELLO_COMPLETE; 4617 #endif 4618 4619 #ifdef WOLFSSL_TLS13_DRAFT_18 4620 if (!ssl->options.groupMessages) 4621 #else 4338 4622 4339 if (!ssl->options.groupMessages || extMsgType != server_hello) 4623 #endif 4340 4624 4341 ret = SendBuffered(ssl); 4625 4342 … … 4651 4368 ssl->keys.encryptionOn = 1; 4652 4369 4653 #if ndef WOLFSSL_NO_SERVER_GROUPS_EXT4370 #if defined(HAVE_SUPPORTED_CURVES) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT) 4654 4371 if ((ret = TLSX_SupportedCurve_CheckPriority(ssl)) != 0) 4655 4372 return ret; … … 4750 4467 word32 i; 4751 4468 word16 reqSz; 4752 #ifndef WOLFSSL_TLS13_DRAFT_184753 4469 TLSX* ext; 4754 #endif4755 4470 4756 4471 WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_SEND); … … 4760 4475 InitSuitesHashSigAlgo(ssl->suites, 1, 1, 0, 1, ssl->buffers.keySz); 4761 4476 4762 #ifdef WOLFSSL_TLS13_DRAFT_184763 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;4764 reqSz = OPAQUE8_LEN + reqCtxLen + REQ_HEADER_SZ + REQ_HEADER_SZ;4765 reqSz += LENGTH_SZ + ssl->suites->hashSigAlgoSz;4766 4767 sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz;4768 /* Always encrypted and make room for padding. */4769 sendSz += MAX_MSG_EXTRA;4770 4771 /* Check buffers are big enough and grow if needed. */4772 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)4773 return ret;4774 4775 /* Get position in output buffer to write new message to. */4776 output = ssl->buffers.outputBuffer.buffer +4777 ssl->buffers.outputBuffer.length;4778 4779 /* Put the record and handshake headers on. */4780 AddTls13Headers(output, reqSz, certificate_request, ssl);4781 4782 /* Certificate request context. */4783 output[i++] = reqCtxLen;4784 if (reqCtxLen != 0) {4785 XMEMCPY(output + i, reqCtx, reqCtxLen);4786 i += reqCtxLen;4787 }4788 4789 /* supported hash/sig */4790 c16toa(ssl->suites->hashSigAlgoSz, &output[i]);4791 i += LENGTH_SZ;4792 4793 XMEMCPY(&output[i], ssl->suites->hashSigAlgo, ssl->suites->hashSigAlgoSz);4794 i += ssl->suites->hashSigAlgoSz;4795 4796 /* Certificate authorities not supported yet - empty buffer. */4797 c16toa(0, &output[i]);4798 i += REQ_HEADER_SZ;4799 4800 /* Certificate extensions. */4801 c16toa(0, &output[i]); /* auth's */4802 i += REQ_HEADER_SZ;4803 #else4804 4477 ext = TLSX_Find(ssl->extensions, TLSX_SIGNATURE_ALGORITHMS); 4805 4478 if (ext == NULL) … … 4841 4514 return ret; 4842 4515 i += reqSz; 4843 #endif4844 4516 4845 4517 /* Always encrypted. */ … … 5181 4853 #endif /* HAVE_ECC */ 5182 4854 5183 #if ndef NO_RSA4855 #if !defined(NO_RSA) && defined(WC_RSA_PSS) 5184 4856 /* Check that the decrypted signature matches the encoded signature 5185 4857 * based on the digest of the signature data. … … 5224 4896 return ret; 5225 4897 } 5226 #endif /* !NO_RSA */4898 #endif /* !NO_RSA && WC_RSA_PSS */ 5227 4899 #endif /* !NO_RSA || HAVE_ECC */ 5228 4900 … … 5534 5206 } 5535 5207 5208 #if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ 5209 defined(HAVE_ED448)) && \ 5210 (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)) 5536 5211 typedef struct Scv13Args { 5537 5212 byte* output; /* not allocated */ … … 5650 5325 } 5651 5326 5652 if (args->length <= 0) {5327 if (args->length == 0) { 5653 5328 ERROR_OUT(NO_PRIVATE_KEY, exit_scv); 5654 5329 } … … 5657 5332 if (ssl->hsType == DYNAMIC_TYPE_RSA) 5658 5333 args->sigAlgo = rsa_pss_sa_algo; 5334 #ifdef HAVE_ECC 5659 5335 else if (ssl->hsType == DYNAMIC_TYPE_ECC) 5660 5336 args->sigAlgo = ecc_dsa_sa_algo; 5337 #endif 5661 5338 #ifdef HAVE_ED25519 5662 5339 else if (ssl->hsType == DYNAMIC_TYPE_ED25519) … … 5667 5344 args->sigAlgo = ed448_sa_algo; 5668 5345 #endif 5346 else { 5347 ERROR_OUT(ALGO_ID_E, exit_scv); 5348 } 5669 5349 EncodeSigAlg(ssl->suites->hashAlgo, args->sigAlgo, args->verify); 5670 5350 … … 5913 5593 return ret; 5914 5594 } 5915 5595 #endif 5596 5597 #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) 5916 5598 /* handle processing TLS v1.3 certificate (11) */ 5917 5599 /* Parse and handle a TLS v1.3 Certificate message. … … 5954 5636 return ret; 5955 5637 } 5638 #endif 5956 5639 5957 5640 #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ … … 6078 5761 if (args->sigAlgo == ed25519_sa_algo && 6079 5762 !ssl->peerEd25519KeyPresent) { 6080 WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify"); 5763 WOLFSSL_MSG("Peer sent ED22519 sig but not ED22519 cert"); 5764 ret = SIG_VERIFY_E; 5765 goto exit_dcv; 6081 5766 } 6082 5767 #endif 6083 5768 #ifdef HAVE_ED448 6084 5769 if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) { 6085 WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify"); 5770 WOLFSSL_MSG("Peer sent ED448 sig but not ED448 cert"); 5771 ret = SIG_VERIFY_E; 5772 goto exit_dcv; 6086 5773 } 6087 5774 #endif … … 6089 5776 if (args->sigAlgo == ecc_dsa_sa_algo && 6090 5777 !ssl->peerEccDsaKeyPresent) { 6091 WOLFSSL_MSG("Oops, peer sent ECC key but not in verify"); 5778 WOLFSSL_MSG("Peer sent ECC sig but not ECC cert"); 5779 ret = SIG_VERIFY_E; 5780 goto exit_dcv; 6092 5781 } 6093 5782 #endif 6094 5783 #ifndef NO_RSA 6095 5784 if (args->sigAlgo == rsa_sa_algo) { 6096 WOLFSSL_MSG(" Oops, peer sent PKCS#1.5 signature");5785 WOLFSSL_MSG("Peer sent PKCS#1.5 algo but not in certificate"); 6097 5786 ERROR_OUT(INVALID_PARAMETER, exit_dcv); 6098 5787 } 6099 5788 if (args->sigAlgo == rsa_pss_sa_algo && 6100 5789 (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) { 6101 WOLFSSL_MSG("Oops, peer sent RSA key but not in verify"); 5790 WOLFSSL_MSG("Peer sent RSA sig but not RSA cert"); 5791 ret = SIG_VERIFY_E; 5792 goto exit_dcv; 6102 5793 } 6103 5794 #endif … … 6261 5952 case TLS_ASYNC_VERIFY: 6262 5953 { 6263 #if ndef NO_RSA5954 #if !defined(NO_RSA) && defined(WC_RSA_PSS) 6264 5955 if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) { 6265 5956 ret = CheckRSASignature(ssl, args->sigAlgo, args->hashAlgo, … … 6271 5962 ssl->peerRsaKeyPresent = 0; 6272 5963 } 6273 #endif /* !NO_RSA */5964 #endif /* !NO_RSA && WC_RSA_PSS */ 6274 5965 6275 5966 /* Advance state and proceed */ … … 6291 5982 /* Advance state and proceed */ 6292 5983 ssl->options.asyncState = TLS_ASYNC_END; 5984 5985 #if !defined(NO_WOLFSSL_CLIENT) 5986 if (ssl->options.side == WOLFSSL_CLIENT_END) 5987 ssl->options.serverState = SERVER_CERT_VERIFY_COMPLETE; 5988 #endif 6293 5989 } /* case TLS_ASYNC_FINALIZE */ 6294 5990 … … 6326 6022 } 6327 6023 #endif /* !NO_RSA || HAVE_ECC */ 6024 #endif /* !NO_CERTS */ 6328 6025 6329 6026 /* Parse and handle a TLS v1.3 Finished message. … … 6338 6035 * returns 0 on success and otherwise failure. 6339 6036 */ 6340 staticint DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,6037 int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, 6341 6038 word32 size, word32 totalSz, int sniff) 6342 6039 { … … 6377 6074 secret = ssl->keys.server_write_MAC_secret; 6378 6075 } 6379 else 6076 else { 6380 6077 secret = ssl->keys.client_write_MAC_secret; 6381 6382 ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz); 6383 if (ret != 0) 6384 return ret; 6385 if (size != finishedSz) 6386 return BUFFER_ERROR; 6387 6388 #ifdef WOLFSSL_CALLBACKS 6389 if (ssl->hsInfoOn) AddPacketName(ssl, "Finished"); 6390 if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo); 6391 #endif 6078 } 6079 6080 if (sniff == NO_SNIFF) { 6081 ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz); 6082 if (ret != 0) 6083 return ret; 6084 if (size != finishedSz) 6085 return BUFFER_ERROR; 6086 } 6087 6088 #ifdef WOLFSSL_CALLBACKS 6089 if (ssl->hsInfoOn) AddPacketName(ssl, "Finished"); 6090 if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo); 6091 #endif 6392 6092 6393 6093 if (sniff == NO_SNIFF) { … … 6433 6133 return 0; 6434 6134 } 6435 #endif /* NO_CERTS */6436 6135 6437 6136 /* Send the TLS v1.3 Finished message. … … 6502 6201 if (sendSz < 0) 6503 6202 return BUILD_MSG_ERROR; 6504 6505 #ifndef NO_SESSION_CACHE6506 if (!ssl->options.resuming && (ssl->options.side == WOLFSSL_SERVER_END ||6507 (ssl->options.side == WOLFSSL_SERVER_END && ssl->arrays != NULL))) {6508 AddSession(ssl); /* just try */6509 }6510 #endif6511 6203 6512 6204 #ifdef WOLFSSL_CALLBACKS … … 6839 6531 word16 length; 6840 6532 word32 now; 6841 #ifndef WOLFSSL_TLS13_DRAFT_18 6842 const byte* nonce; 6843 byte nonceLength; 6844 #endif 6533 const byte* nonce; 6534 byte nonceLength; 6845 6535 6846 6536 WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_DO); … … 6861 6551 *inOutIdx += SESSION_ADD_SZ; 6862 6552 6863 #ifndef WOLFSSL_TLS13_DRAFT_186864 6553 /* Ticket nonce. */ 6865 6554 if ((*inOutIdx - begin) + 1 > size) … … 6875 6564 nonce = input + *inOutIdx; 6876 6565 *inOutIdx += nonceLength; 6877 #endif6878 6566 6879 6567 /* Ticket length. */ … … 6902 6590 ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz; 6903 6591 #endif 6904 #ifndef WOLFSSL_TLS13_DRAFT_186905 6592 ssl->session.ticketNonce.len = nonceLength; 6906 6593 if (nonceLength > 0) 6907 6594 XMEMCPY(&ssl->session.ticketNonce.data, nonce, nonceLength); 6908 #endif6909 6595 ssl->session.namedGroup = ssl->namedGroup; 6910 6596 … … 7002 6688 if (ssl->earlyData != no_early_data) { 7003 6689 static byte endOfEarlyData[] = { 0x05, 0x00, 0x00, 0x00 }; 7004 ret = Hash InputRaw(ssl, endOfEarlyData, sizeof(endOfEarlyData));6690 ret = HashRaw(ssl, endOfEarlyData, sizeof(endOfEarlyData)); 7005 6691 if (ret != 0) 7006 6692 return ret; 7007 6693 } 7008 6694 #endif 7009 if ((ret = Hash InputRaw(ssl, header, sizeof(header))) != 0)7010 return ret; 7011 if ((ret = Hash InputRaw(ssl, mac, finishedSz)) != 0)6695 if ((ret = HashRaw(ssl, header, sizeof(header))) != 0) 6696 return ret; 6697 if ((ret = HashRaw(ssl, mac, finishedSz)) != 0) 7012 6698 return ret; 7013 6699 … … 7069 6755 #endif 7070 6756 7071 #ifndef WOLFSSL_TLS13_DRAFT_187072 6757 /* Start ticket nonce at 0 and go up to 255. */ 7073 6758 if (ssl->session.ticketNonce.len == 0) { … … 7077 6762 else 7078 6763 ssl->session.ticketNonce.data[0]++; 7079 #endif7080 6764 7081 6765 if (!ssl->options.noTicketTls13) { … … 7099 6783 length = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ + 7100 6784 ssl->session.ticketLen + extSz; 7101 #ifndef WOLFSSL_TLS13_DRAFT_187102 6785 /* Nonce */ 7103 6786 length += TICKET_NONCE_LEN_SZ + DEF_TICKET_NONCE_SZ; 7104 #endif7105 6787 sendSz = idx + length + MAX_MSG_EXTRA; 7106 6788 … … 7123 6805 idx += SESSION_ADD_SZ; 7124 6806 7125 #ifndef WOLFSSL_TLS13_DRAFT_187126 6807 output[idx++] = ssl->session.ticketNonce.len; 7127 6808 output[idx++] = ssl->session.ticketNonce.data[0]; 7128 #endif7129 6809 7130 6810 /* length */ … … 7161 6841 ssl->buffers.outputBuffer.length += sendSz; 7162 6842 7163 if (!ssl->options.groupMessages) 7164 ret = SendBuffered(ssl); 6843 /* Always send as this is either directly after server's Finished or only 6844 * message after client's Finished. 6845 */ 6846 ret = SendBuffered(ssl); 7165 6847 7166 6848 WOLFSSL_LEAVE("SendTls13NewSessionTicket", 0); … … 7212 6894 } 7213 6895 #endif 7214 #ifdef WOLFSSL_TLS13_DRAFT_18 7215 if (ssl->msgsReceived.got_server_hello) { 6896 if (ssl->msgsReceived.got_server_hello == 1) { 7216 6897 WOLFSSL_MSG("Duplicate ServerHello received"); 7217 6898 return DUPLICATE_MSG_E; 7218 6899 } 7219 ssl->msgsReceived.got_server_hello = 1;7220 #else7221 if (ssl->msgsReceived.got_server_hello == 2) {7222 WOLFSSL_MSG("Duplicate ServerHello received");7223 return DUPLICATE_MSG_E;7224 }7225 6900 ssl->msgsReceived.got_server_hello++; 7226 #endif7227 6901 7228 6902 break; … … 7273 6947 #endif 7274 6948 7275 #ifdef WOLFSSL_TLS13_DRAFT_187276 #ifndef NO_WOLFSSL_CLIENT7277 case hello_retry_request:7278 #ifndef NO_WOLFSSL_SERVER7279 if (ssl->options.side == WOLFSSL_SERVER_END) {7280 WOLFSSL_MSG("HelloRetryRequest received by server");7281 return OUT_OF_ORDER_E;7282 }7283 #endif7284 if (ssl->options.clientState > CLIENT_FINISHED_COMPLETE) {7285 WOLFSSL_MSG("HelloRetryRequest received out of order");7286 return OUT_OF_ORDER_E;7287 }7288 if (ssl->msgsReceived.got_hello_retry_request) {7289 WOLFSSL_MSG("Duplicate HelloRetryRequest received");7290 return DUPLICATE_MSG_E;7291 }7292 ssl->msgsReceived.got_hello_retry_request = 1;7293 7294 break;7295 #endif7296 #endif7297 7298 6949 #ifndef NO_WOLFSSL_CLIENT 7299 6950 case encrypted_extensions: … … 7377 7028 if (ssl->options.serverState == 7378 7029 SERVER_ENCRYPTED_EXTENSIONS_COMPLETE && 7030 ssl->arrays != NULL && 7379 7031 ssl->arrays->psk_keySz != 0) { 7380 7032 WOLFSSL_MSG("CertificateRequset received while using PSK"); … … 7403 7055 /* Server's authenticating with PSK must not send this. */ 7404 7056 if (ssl->options.serverState == SERVER_CERT_COMPLETE && 7057 ssl->arrays != NULL && 7405 7058 ssl->arrays->psk_keySz != 0) { 7406 7059 WOLFSSL_MSG("CertificateVerify received while using PSK"); … … 7441 7094 return OUT_OF_ORDER_E; 7442 7095 } 7443 if (ssl->options.serverState < 7096 /* Must have seen certificate and verify from server except when 7097 * using PSK. */ 7098 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) 7099 if (ssl->arrays != NULL && ssl->arrays->psk_keySz != 0) { 7100 if (ssl->options.serverState != 7444 7101 SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) { 7102 WOLFSSL_MSG("Finished received out of order"); 7103 return OUT_OF_ORDER_E; 7104 } 7105 } 7106 else 7107 #endif 7108 if (ssl->options.serverState != SERVER_CERT_VERIFY_COMPLETE) { 7445 7109 WOLFSSL_MSG("Finished received out of order"); 7446 7110 return OUT_OF_ORDER_E; … … 7450 7114 #ifndef NO_WOLFSSL_SERVER 7451 7115 if (ssl->options.side == WOLFSSL_SERVER_END) { 7452 if (ssl->options.serverState <SERVER_FINISHED_COMPLETE) {7116 if (ssl->options.serverState != SERVER_FINISHED_COMPLETE) { 7453 7117 WOLFSSL_MSG("Finished received out of order"); 7454 7118 return OUT_OF_ORDER_E; … … 7531 7195 if (ssl->options.handShakeState == HANDSHAKE_DONE && 7532 7196 type != session_ticket && type != certificate_request && 7533 type != certificate && type != key_update ) {7197 type != certificate && type != key_update && type != finished) { 7534 7198 WOLFSSL_MSG("HandShake message after handshake complete"); 7535 7199 SendAlert(ssl, alert_fatal, unexpected_message); … … 7556 7220 #ifndef NO_WOLFSSL_CLIENT 7557 7221 /* Messages only received by client. */ 7558 #ifdef WOLFSSL_TLS13_DRAFT_187559 case hello_retry_request:7560 WOLFSSL_MSG("processing hello retry request");7561 ret = DoTls13HelloRetryRequest(ssl, input, inOutIdx, size);7562 break;7563 #endif7564 7565 7222 case server_hello: 7566 7223 WOLFSSL_MSG("processing server hello"); … … 7572 7229 IsAtLeastTLSv1_3(ssl->version)) { 7573 7230 ssl->options.cacheMessages = 0; 7574 if ( ssl->hsHashes->messages != NULL) {7231 if ((ssl->hsHashes != NULL) && (ssl->hsHashes->messages != NULL)) { 7575 7232 XFREE(ssl->hsHashes->messages, ssl->heap, DYNAMIC_TYPE_HASHES); 7576 7233 ssl->hsHashes->messages = NULL; … … 7614 7271 7615 7272 /* Messages received by both client and server. */ 7616 #ifndef NO_CERTS 7273 #if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \ 7274 !defined(WOLFSSL_NO_CLIENT_AUTH)) 7617 7275 case certificate: 7618 7276 WOLFSSL_MSG("processing certificate"); … … 7676 7334 7677 7335 if ((ret = DeriveTls13Keys(ssl, handshake_key, 7678 7336 ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) { 7679 7337 return ret; 7680 7338 } 7681 7339 #ifdef WOLFSSL_EARLY_DATA 7682 if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) 7683 return ret; 7684 #else 7340 if (ssl->earlyData != no_early_data) { 7341 if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) 7342 return ret; 7343 } 7344 else 7345 #endif 7685 7346 if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0) 7686 7347 return ret; 7687 #endif7688 7348 } 7689 7349 … … 7693 7353 #ifdef WOLFSSL_EARLY_DATA 7694 7354 if ((ret = DeriveTls13Keys(ssl, traffic_key, 7695 7696 7355 ENCRYPT_AND_DECRYPT_SIDE, 7356 ssl->earlyData == no_early_data)) != 0) { 7697 7357 return ret; 7698 7358 } 7699 7359 #else 7700 7360 if ((ret = DeriveTls13Keys(ssl, traffic_key, 7701 7361 ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) { 7702 7362 return ret; 7703 7363 } … … 7711 7371 ssl->options.connectState = FIRST_REPLY_DONE; 7712 7372 ssl->options.handShakeState = CLIENT_HELLO_COMPLETE; 7713 7714 if (wolfSSL_connect_TLSv13(ssl) != SSL_SUCCESS) 7715 ret = POST_HAND_AUTH_ERROR; 7373 ssl->options.processReply = 0; /* doProcessInit */ 7374 7375 if (wolfSSL_connect_TLSv13(ssl) != WOLFSSL_SUCCESS) { 7376 ret = ssl->error; 7377 if (ret != WC_PENDING_E) 7378 ret = POST_HAND_AUTH_ERROR; 7379 } 7716 7380 } 7717 7381 #endif … … 7756 7420 int ret = 0; 7757 7421 word32 inputLength; 7422 byte type; 7423 word32 size = 0; 7758 7424 7759 7425 WOLFSSL_ENTER("DoTls13HandShakeMsg()"); 7760 7426 7761 7427 if (ssl->arrays == NULL) { 7762 byte type; 7763 word32 size; 7428 7764 7429 7765 7430 if (GetHandshakeHeader(ssl, input, inOutIdx, &type, &size, … … 7778 7443 * pending message size will be non-zero. */ 7779 7444 if (ssl->arrays->pendingMsgSz == 0) { 7780 byte type;7781 word32 size;7782 7445 7783 7446 if (GetHandshakeHeader(ssl,input, inOutIdx, &type, &size, totalSz) != 0) … … 7879 7542 if (ssl->buffers.outputBuffer.length > 0 7880 7543 #ifdef WOLFSSL_ASYNC_CRYPT 7881 /* do not send buffered or advance state if last error was an 7544 /* do not send buffered or advance state if last error was an 7882 7545 async pending operation */ 7883 7546 && ssl->error != WC_PENDING_E … … 7917 7580 #ifdef WOLFSSL_EARLY_DATA 7918 7581 if (ssl->earlyData != no_early_data) { 7919 #if !defined(WOLFSSL_TLS13_DRAFT_18) && \ 7920 defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) 7582 #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) 7921 7583 if ((ssl->error = SendChangeCipher(ssl)) != 0) { 7922 7584 WOLFSSL_ERROR(ssl->error); … … 7941 7603 } 7942 7604 7943 ssl->options.connectState = HELLO_AGAIN;7944 WOLFSSL_MSG("connect state: HELLO_AGAIN");7945 FALL_THROUGH;7946 7947 case HELLO_AGAIN:7948 if (ssl->options.certOnly)7949 return WOLFSSL_SUCCESS;7950 7951 7605 if (!ssl->options.tls1_3) { 7952 7606 #ifndef WOLFSSL_NO_TLS12 … … 7954 7608 return wolfSSL_connect(ssl); 7955 7609 #endif 7956 7957 7610 WOLFSSL_MSG("Client using higher version, fatal error"); 7958 7611 return VERSION_ERROR; 7959 7612 } 7960 7613 7614 ssl->options.connectState = HELLO_AGAIN; 7615 WOLFSSL_MSG("connect state: HELLO_AGAIN"); 7616 FALL_THROUGH; 7617 7618 case HELLO_AGAIN: 7619 if (ssl->options.certOnly) 7620 return WOLFSSL_SUCCESS; 7621 7961 7622 if (ssl->options.serverState == 7962 7623 SERVER_HELLO_RETRY_REQUEST_COMPLETE) { 7963 #if !defined(WOLFSSL_TLS13_DRAFT_18) && \ 7964 defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) 7624 #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) 7965 7625 if (!ssl->options.sentChangeCipher) { 7966 7626 if ((ssl->error = SendChangeCipher(ssl)) != 0) { … … 8011 7671 8012 7672 case FIRST_REPLY_FIRST: 8013 #if !defined(WOLFSSL_TLS13_DRAFT_18) && \ 8014 defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) 7673 #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) 8015 7674 if (!ssl->options.sentChangeCipher) { 8016 7675 if ((ssl->error = SendChangeCipher(ssl)) != 0) { … … 8043 7702 8044 7703 case FIRST_REPLY_THIRD: 8045 #ifndef NO_CERTS 7704 #if (!defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \ 7705 defined(HAVE_ED25519) || defined(HAVE_ED448))) && \ 7706 (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)) 8046 7707 if (!ssl->options.resuming && ssl->options.sendVerify) { 8047 7708 ssl->error = SendTls13CertificateVerify(ssl); … … 8172 7833 #endif 8173 7834 7835 #ifdef HAVE_SUPPORTED_CURVES 8174 7836 /* Create a key share entry from group. 8175 7837 * Generates a key pair. … … 8213 7875 return WOLFSSL_SUCCESS; 8214 7876 } 7877 #endif 8215 7878 8216 7879 /* Do not send a ticket after TLS v1.3 handshake for resumption. … … 8414 8077 return NOT_READY_ERROR; 8415 8078 8079 #ifdef HAVE_SUPPORTED_CURVES 8416 8080 /* Return supported groups only. */ 8417 8081 return TLSX_SupportedCurve_Preferred(ssl, 1); 8418 8082 #else 8083 return 0; 8084 #endif 8085 #else 8419 8086 return SIDE_ERROR; 8420 8087 #endif … … 8422 8089 #endif 8423 8090 8091 #if defined(HAVE_SUPPORTED_CURVES) 8424 8092 /* Sets the key exchange groups in rank order on a context. 8425 8093 * … … 8432 8100 int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count) 8433 8101 { 8434 int i; 8435 8102 int ret, i; 8103 8104 WOLFSSL_ENTER("wolfSSL_CTX_set_groups"); 8436 8105 if (ctx == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT) 8437 8106 return BAD_FUNC_ARG; … … 8439 8108 return BAD_FUNC_ARG; 8440 8109 8441 for (i = 0; i < count; i++) 8442 ctx->group[i] = (word16)groups[i]; 8110 ctx->numGroups = 0; 8111 TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap); 8112 for (i = 0; i < count; i++) { 8113 /* Call to wolfSSL_CTX_UseSupportedCurve also checks if input groups 8114 * are valid */ 8115 if ((ret = wolfSSL_CTX_UseSupportedCurve(ctx, groups[i])) 8116 != WOLFSSL_SUCCESS) { 8117 TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap); 8118 return ret; 8119 } 8120 ctx->group[i] = groups[i]; 8121 } 8443 8122 ctx->numGroups = (byte)count; 8444 8123 … … 8456 8135 int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count) 8457 8136 { 8458 int i; 8459 8137 int ret, i; 8138 8139 WOLFSSL_ENTER("wolfSSL_set_groups"); 8460 8140 if (ssl == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT) 8461 8141 return BAD_FUNC_ARG; … … 8463 8143 return BAD_FUNC_ARG; 8464 8144 8465 for (i = 0; i < count; i++) 8466 ssl->group[i] = (word16)groups[i]; 8145 ssl->numGroups = 0; 8146 TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap); 8147 for (i = 0; i < count; i++) { 8148 /* Call to wolfSSL_UseSupportedCurve also checks if input groups 8149 * are valid */ 8150 if ((ret = wolfSSL_UseSupportedCurve(ssl, groups[i])) 8151 != WOLFSSL_SUCCESS) { 8152 TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap); 8153 return ret; 8154 } 8155 ssl->group[i] = groups[i]; 8156 } 8467 8157 ssl->numGroups = (byte)count; 8468 8158 8469 8159 return WOLFSSL_SUCCESS; 8470 8160 } 8161 #endif /* HAVE_SUPPORTED_CURVES */ 8471 8162 8472 8163 #ifndef NO_PSK … … 8607 8298 if (ssl->buffers.outputBuffer.length > 0 8608 8299 #ifdef WOLFSSL_ASYNC_CRYPT 8609 /* do not send buffered or advance state if last error was an 8300 /* do not send buffered or advance state if last error was an 8610 8301 async pending operation */ 8611 8302 && ssl->error != WC_PENDING_E … … 8653 8344 8654 8345 case TLS13_ACCEPT_CLIENT_HELLO_DONE : 8655 #ifdef WOLFSSL_TLS13_DRAFT_188656 if (ssl->options.serverState ==8657 SERVER_HELLO_RETRY_REQUEST_COMPLETE) {8658 if ((ssl->error = SendTls13HelloRetryRequest(ssl)) != 0) {8659 WOLFSSL_ERROR(ssl->error);8660 return WOLFSSL_FATAL_ERROR;8661 }8662 }8663 8664 ssl->options.acceptState = TLS13_ACCEPT_FIRST_REPLY_DONE;8665 WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE");8666 FALL_THROUGH;8667 8668 case TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE :8669 #else8670 8346 if (ssl->options.serverState == 8671 8347 SERVER_HELLO_RETRY_REQUEST_COMPLETE) { … … 8696 8372 WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE"); 8697 8373 FALL_THROUGH; 8698 #endif8699 8374 8700 8375 case TLS13_ACCEPT_FIRST_REPLY_DONE : … … 8724 8399 8725 8400 case TLS13_SERVER_HELLO_SENT : 8726 #if !defined(WOLFSSL_TLS13_DRAFT_18) && \ 8727 defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) 8401 #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) 8728 8402 if (!ssl->options.sentChangeCipher) { 8729 8403 if ((ssl->error = SendChangeCipher(ssl)) != 0) { … … 8740 8414 8741 8415 case TLS13_ACCEPT_THIRD_REPLY_DONE : 8416 #ifdef HAVE_SUPPORTED_CURVES 8742 8417 if (!ssl->options.noPskDheKe) { 8743 8418 ssl->error = TLSX_KeyShare_DeriveSecret(ssl); … … 8745 8420 return WOLFSSL_FATAL_ERROR; 8746 8421 } 8422 #endif 8747 8423 8748 8424 if ((ssl->error = SendTls13EncryptedExtensions(ssl)) != 0) { … … 8784 8460 8785 8461 case TLS13_CERT_SENT : 8786 #ifndef NO_CERTS 8462 #if !defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \ 8463 defined(HAVE_ED25519) || defined(HAVE_ED448)) 8787 8464 if (!ssl->options.resuming && ssl->options.sendVerify) { 8788 8465 if ((ssl->error = SendTls13CertificateVerify(ssl)) != 0) {
Note:
See TracChangeset
for help on using the changeset viewer.