diff --git a/src/internal 2.c b/src/internal 2.c deleted file mode 100755 index 3f284c1cf..000000000 --- a/src/internal 2.c +++ /dev/null @@ -1,22283 +0,0 @@ -/* internal.c - * - * Copyright (C) 2006-2016 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - - - -#ifdef HAVE_CONFIG_H - #include -#endif - -#include - -#ifndef WOLFCRYPT_ONLY - -#include -#include -#include -#include -#ifdef NO_INLINE - #include -#else - #define WOLFSSL_MISC_INCLUDED - #include -#endif - -#ifdef HAVE_LIBZ - #include "zlib.h" -#endif - -#ifdef HAVE_NTRU - #include "libntruencrypt/ntru_crypto.h" -#endif - -#if defined(DEBUG_WOLFSSL) || defined(SHOW_SECRETS) || \ - defined(CHACHA_AEAD_TEST) || defined(WOLFSSL_SESSION_EXPORT_DEBUG) - #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) - #if MQX_USE_IO_OLD - #include - #else - #include - #endif - #else - #include - #endif -#endif - -#ifdef __sun - #include -#endif - - -#define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; } - -#ifdef _MSC_VER - /* disable for while(0) cases at the .c level for now */ - #pragma warning(disable:4127) -#endif - -#if defined(WOLFSSL_CALLBACKS) && !defined(LARGE_STATIC_BUFFERS) - #error \ -WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS -#endif - -#if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_RENEGOTIATION_INDICATION) - #error Cannot use both secure-renegotiation and renegotiation-indication -#endif - -#ifndef NO_WOLFSSL_CLIENT - static int DoHelloVerifyRequest(WOLFSSL* ssl, const byte* input, word32*, - word32); - static int DoServerHello(WOLFSSL* ssl, const byte* input, word32*, word32); - static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input, word32*, - word32); - #ifndef NO_CERTS - static int DoCertificateRequest(WOLFSSL* ssl, const byte* input, word32*, - word32); - #endif - #ifdef HAVE_SESSION_TICKET - static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32*, - word32); - #endif -#endif - - -#ifndef NO_WOLFSSL_SERVER - static int DoClientHello(WOLFSSL* ssl, const byte* input, word32*, word32); - static int DoClientKeyExchange(WOLFSSL* ssl, byte* input, word32*, word32); - #if !defined(NO_RSA) || defined(HAVE_ECC) - static int DoCertificateVerify(WOLFSSL* ssl, byte*, word32*, word32); - #endif - #if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) - static int SNI_Callback(WOLFSSL* ssl); - #endif - #ifdef WOLFSSL_DTLS - static int SendHelloVerifyRequest(WOLFSSL*, const byte*, byte); - #endif /* WOLFSSL_DTLS */ -#endif - - -#ifdef WOLFSSL_DTLS - static INLINE int DtlsCheckWindow(WOLFSSL* ssl); - static INLINE int DtlsUpdateWindow(WOLFSSL* ssl); -#endif - - -enum processReply { - doProcessInit = 0, -#ifndef NO_WOLFSSL_SERVER - runProcessOldClientHello, -#endif - getRecordLayerHeader, - getData, - decryptMessage, - verifyMessage, - runProcessingOneMessage -}; - -/* sub-states for build message */ -enum buildMsgState { - BUILD_MSG_BEGIN = 0, - BUILD_MSG_SIZE, - BUILD_MSG_HASH, - BUILD_MSG_VERIFY_MAC, - BUILD_MSG_ENCRYPT, -}; - -/* sub-states for cipher operations */ -enum cipherState { - CIPHER_STATE_BEGIN = 0, - CIPHER_STATE_DO, - CIPHER_STATE_END, -}; - -/* sub-states for send/do key share (key exchange) */ -enum asyncState { - TLS_ASYNC_BEGIN = 0, - TLS_ASYNC_BUILD, - TLS_ASYNC_DO, - TLS_ASYNC_VERIFY, - TLS_ASYNC_FINALIZE, - TLS_ASYNC_END -}; - - -#ifndef NO_OLD_TLS -static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, - int content, int verify); - -#endif - -#ifndef NO_CERTS -static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes); -#endif - -#ifdef HAVE_QSH - int QSH_Init(WOLFSSL* ssl); -#endif - - -int IsTLS(const WOLFSSL* ssl) -{ - if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_MINOR) - return 1; - - return 0; -} - - -int IsAtLeastTLSv1_2(const WOLFSSL* ssl) -{ - if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_2_MINOR) - return 1; - if (ssl->version.major == DTLS_MAJOR && ssl->version.minor <= DTLSv1_2_MINOR) - return 1; - - return 0; -} - - -static INLINE int IsEncryptionOn(WOLFSSL* ssl, int isSend) -{ - (void)isSend; - - #ifdef WOLFSSL_DTLS - /* For DTLS, epoch 0 is always not encrypted. */ - if (ssl->options.dtls && !isSend && ssl->keys.curEpoch == 0) - return 0; - #endif /* WOLFSSL_DTLS */ - - return ssl->keys.encryptionOn; -} - - -/* If SCTP is not enabled returns the state of the dtls option. - * If SCTP is enabled returns dtls && !sctp. */ -static INLINE int IsDtlsNotSctpMode(WOLFSSL* ssl) -{ - int result = ssl->options.dtls; - - if (result) { -#ifdef WOLFSSL_SCTP - result = !ssl->options.dtlsSctp; -#endif - } - - return result; -} - - -#ifdef HAVE_QSH -/* free all structs that where used with QSH */ -static int QSH_FreeAll(WOLFSSL* ssl) -{ - QSHKey* key = ssl->QSH_Key; - QSHKey* preKey = NULL; - QSHSecret* secret = ssl->QSH_secret; - QSHScheme* list = NULL; - QSHScheme* preList = NULL; - - /* free elements in struct */ - while (key) { - preKey = key; - if (key->pri.buffer) { - ForceZero(key->pri.buffer, key->pri.length); - XFREE(key->pri.buffer, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - if (key->pub.buffer) - XFREE(key->pub.buffer, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - key = (QSHKey*)key->next; - - /* free struct */ - XFREE(preKey, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - key = NULL; - - - /* free all of peers QSH keys */ - key = ssl->peerQSHKey; - while (key) { - preKey = key; - if (key->pri.buffer) { - ForceZero(key->pri.buffer, key->pri.length); - XFREE(key->pri.buffer, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - if (key->pub.buffer) - XFREE(key->pub.buffer, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - key = (QSHKey*)key->next; - - /* free struct */ - XFREE(preKey, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - key = NULL; - - /* free secret information */ - if (secret) { - /* free up the QSHScheme list in QSHSecret */ - if (secret->list) - list = secret->list; - while (list) { - preList = list; - if (list->PK) - XFREE(list->PK, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - list = (QSHScheme*)list->next; - XFREE(preList, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - - /* free secret buffers */ - if (secret->SerSi) { - if (secret->SerSi->buffer) { - /* clear extra secret material that supplemented Master Secret*/ - ForceZero(secret->SerSi->buffer, secret->SerSi->length); - XFREE(secret->SerSi->buffer, ssl->heap,DYNAMIC_TYPE_TMP_BUFFER); - } - XFREE(secret->SerSi, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - if (secret->CliSi) { - if (secret->CliSi->buffer) { - /* clear extra secret material that supplemented Master Secret*/ - ForceZero(secret->CliSi->buffer, secret->CliSi->length); - XFREE(secret->CliSi->buffer, ssl->heap,DYNAMIC_TYPE_TMP_BUFFER); - } - XFREE(secret->CliSi, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - } - XFREE(secret, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - secret = NULL; - - return 0; -} -#endif - - -#ifdef HAVE_NTRU -static WC_RNG* rng; -static wolfSSL_Mutex* rngMutex; - -static word32 GetEntropy(unsigned char* out, word32 num_bytes) -{ - int ret = 0; - - if (rng == NULL) { - if ((rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), 0, - DYNAMIC_TYPE_TLSX)) == NULL) - return DRBG_OUT_OF_MEMORY; - wc_InitRng(rng); - } - - if (rngMutex == NULL) { - if ((rngMutex = (wolfSSL_Mutex*)XMALLOC(sizeof(wolfSSL_Mutex), 0, - DYNAMIC_TYPE_TLSX)) == NULL) - return DRBG_OUT_OF_MEMORY; - wc_InitMutex(rngMutex); - } - - ret |= wc_LockMutex(rngMutex); - ret |= wc_RNG_GenerateBlock(rng, out, num_bytes); - ret |= wc_UnLockMutex(rngMutex); - - if (ret != 0) - return DRBG_ENTROPY_FAIL; - - return DRBG_OK; -} -#endif /* HAVE_NTRU */ - -/* used by ssl.c too */ -void c32to24(word32 in, word24 out) -{ - out[0] = (in >> 16) & 0xff; - out[1] = (in >> 8) & 0xff; - out[2] = in & 0xff; -} - - -/* convert 16 bit integer to opaque */ -static INLINE void c16toa(word16 u16, byte* c) -{ - c[0] = (u16 >> 8) & 0xff; - c[1] = u16 & 0xff; -} - - -#if !defined(NO_OLD_TLS) || defined(HAVE_CHACHA) || defined(HAVE_AESCCM) \ - || defined(HAVE_AESGCM) || defined(WOLFSSL_SESSION_EXPORT) \ - || defined(WOLFSSL_DTLS) || defined(HAVE_SESSION_TICKET) -/* convert 32 bit integer to opaque */ -static INLINE void c32toa(word32 u32, byte* c) -{ - c[0] = (u32 >> 24) & 0xff; - c[1] = (u32 >> 16) & 0xff; - c[2] = (u32 >> 8) & 0xff; - c[3] = u32 & 0xff; -} - -#endif - - -/* convert a 24 bit integer into a 32 bit one */ -static INLINE void c24to32(const word24 u24, word32* u32) -{ - *u32 = (u24[0] << 16) | (u24[1] << 8) | u24[2]; -} - - -/* convert opaque to 16 bit integer */ -static INLINE void ato16(const byte* c, word16* u16) -{ - *u16 = (word16) ((c[0] << 8) | (c[1])); -} - - -#if defined(WOLFSSL_DTLS) || defined(HAVE_SESSION_TICKET) || \ - defined(WOLFSSL_SESSION_EXPORT) - -/* convert opaque to 32 bit integer */ -static INLINE void ato32(const byte* c, word32* u32) -{ - *u32 = (c[0] << 24) | (c[1] << 16) | (c[2] << 8) | c[3]; -} - -#endif /* WOLFSSL_DTLS */ - - -#ifdef HAVE_LIBZ - - /* alloc user allocs to work with zlib */ - static void* myAlloc(void* opaque, unsigned int item, unsigned int size) - { - (void)opaque; - return XMALLOC(item * size, opaque, DYNAMIC_TYPE_LIBZ); - } - - - static void myFree(void* opaque, void* memory) - { - (void)opaque; - XFREE(memory, opaque, DYNAMIC_TYPE_LIBZ); - } - - - /* init zlib comp/decomp streams, 0 on success */ - static int InitStreams(WOLFSSL* ssl) - { - ssl->c_stream.zalloc = (alloc_func)myAlloc; - ssl->c_stream.zfree = (free_func)myFree; - ssl->c_stream.opaque = (voidpf)ssl->heap; - - if (deflateInit(&ssl->c_stream, Z_DEFAULT_COMPRESSION) != Z_OK) - return ZLIB_INIT_ERROR; - - ssl->didStreamInit = 1; - - ssl->d_stream.zalloc = (alloc_func)myAlloc; - ssl->d_stream.zfree = (free_func)myFree; - ssl->d_stream.opaque = (voidpf)ssl->heap; - - if (inflateInit(&ssl->d_stream) != Z_OK) return ZLIB_INIT_ERROR; - - return 0; - } - - - static void FreeStreams(WOLFSSL* ssl) - { - if (ssl->didStreamInit) { - deflateEnd(&ssl->c_stream); - inflateEnd(&ssl->d_stream); - } - } - - - /* compress in to out, return out size or error */ - static int myCompress(WOLFSSL* ssl, byte* in, int inSz, byte* out, int outSz) - { - int err; - int currTotal = (int)ssl->c_stream.total_out; - - ssl->c_stream.next_in = in; - ssl->c_stream.avail_in = inSz; - ssl->c_stream.next_out = out; - ssl->c_stream.avail_out = outSz; - - err = deflate(&ssl->c_stream, Z_SYNC_FLUSH); - if (err != Z_OK && err != Z_STREAM_END) return ZLIB_COMPRESS_ERROR; - - return (int)ssl->c_stream.total_out - currTotal; - } - - - /* decompress in to out, return out size or error */ - static int myDeCompress(WOLFSSL* ssl, byte* in,int inSz, byte* out,int outSz) - { - int err; - int currTotal = (int)ssl->d_stream.total_out; - - ssl->d_stream.next_in = in; - ssl->d_stream.avail_in = inSz; - ssl->d_stream.next_out = out; - ssl->d_stream.avail_out = outSz; - - err = inflate(&ssl->d_stream, Z_SYNC_FLUSH); - if (err != Z_OK && err != Z_STREAM_END) return ZLIB_DECOMPRESS_ERROR; - - return (int)ssl->d_stream.total_out - currTotal; - } - -#endif /* HAVE_LIBZ */ - - -#ifdef WOLFSSL_SESSION_EXPORT -#ifdef WOLFSSL_DTLS -/* serializes the cipher specs struct for exporting */ -static int ExportCipherSpecState(WOLFSSL* ssl, byte* exp, word32 len, byte ver) -{ - word32 idx = 0; - CipherSpecs* specs; - - WOLFSSL_ENTER("ExportCipherSpecState"); - - if (exp == NULL || ssl == NULL) { - return BAD_FUNC_ARG; - } - - specs= &(ssl->specs); - - if (DTLS_EXPORT_SPC_SZ > len) { - return BUFFER_E; - } - - XMEMSET(exp, 0, DTLS_EXPORT_SPC_SZ); - - c16toa(specs->key_size, exp + idx); idx += OPAQUE16_LEN; - c16toa(specs->iv_size, exp + idx); idx += OPAQUE16_LEN; - c16toa(specs->block_size, exp + idx); idx += OPAQUE16_LEN; - c16toa(specs->aead_mac_size, exp + idx); idx += OPAQUE16_LEN; - exp[idx++] = specs->bulk_cipher_algorithm; - exp[idx++] = specs->cipher_type; - exp[idx++] = specs->mac_algorithm; - exp[idx++] = specs->kea; - exp[idx++] = specs->sig_algo; - exp[idx++] = specs->hash_size; - exp[idx++] = specs->pad_size; - exp[idx++] = specs->static_ecdh; - - if (idx != DTLS_EXPORT_SPC_SZ) { - WOLFSSL_MSG("DTLS_EXPORT_SPC_SZ needs updated and export version"); - return DTLS_EXPORT_VER_E; - } - - WOLFSSL_LEAVE("ExportCipherSpecState", idx); - (void)ver; - return idx; -} - - -/* serializes the key struct for exporting */ -static int ExportKeyState(WOLFSSL* ssl, byte* exp, word32 len, byte ver) -{ - word32 idx = 0; - byte sz; - Keys* keys; - - WOLFSSL_ENTER("ExportKeyState"); - - if (exp == NULL || ssl == NULL) { - return BAD_FUNC_ARG; - } - - keys = &(ssl->keys); - - if (DTLS_EXPORT_KEY_SZ > len) { - WOLFSSL_MSG("Buffer not large enough for max key struct size"); - return BUFFER_E; - } - - XMEMSET(exp, 0, DTLS_EXPORT_KEY_SZ); - - c32toa(keys->peer_sequence_number_hi, exp + idx); idx += OPAQUE32_LEN; - c32toa(keys->peer_sequence_number_lo, exp + idx); idx += OPAQUE32_LEN; - c32toa(keys->sequence_number_hi, exp + idx); idx += OPAQUE32_LEN; - c32toa(keys->sequence_number_lo, exp + idx); idx += OPAQUE32_LEN; - - c16toa(keys->nextEpoch, exp + idx); idx += OPAQUE16_LEN; - c16toa(keys->nextSeq_hi, exp + idx); idx += OPAQUE16_LEN; - c32toa(keys->nextSeq_lo, exp + idx); idx += OPAQUE32_LEN; - c16toa(keys->curEpoch, exp + idx); idx += OPAQUE16_LEN; - c16toa(keys->curSeq_hi, exp + idx); idx += OPAQUE16_LEN; - c32toa(keys->curSeq_lo, exp + idx); idx += OPAQUE32_LEN; - c16toa(keys->prevSeq_hi, exp + idx); idx += OPAQUE16_LEN; - c32toa(keys->prevSeq_lo, exp + idx); idx += OPAQUE32_LEN; - - c16toa(keys->dtls_peer_handshake_number, exp + idx); idx += OPAQUE16_LEN; - c16toa(keys->dtls_expected_peer_handshake_number, exp + idx); - idx += OPAQUE16_LEN; - - c16toa(keys->dtls_sequence_number_hi, exp + idx); idx += OPAQUE16_LEN; - c32toa(keys->dtls_sequence_number_lo, exp + idx); idx += OPAQUE32_LEN; - c16toa(keys->dtls_prev_sequence_number_hi, exp + idx); idx += OPAQUE16_LEN; - c32toa(keys->dtls_prev_sequence_number_lo, exp + idx); idx += OPAQUE32_LEN; - c16toa(keys->dtls_epoch, exp + idx); idx += OPAQUE16_LEN; - c16toa(keys->dtls_handshake_number, exp + idx); idx += OPAQUE16_LEN; - c32toa(keys->encryptSz, exp + idx); idx += OPAQUE32_LEN; - c32toa(keys->padSz, exp + idx); idx += OPAQUE32_LEN; - exp[idx++] = keys->encryptionOn; - exp[idx++] = keys->decryptedCur; - - { - word32 i; - - c16toa(WOLFSSL_DTLS_WINDOW_WORDS, exp + idx); idx += OPAQUE16_LEN; - for (i = 0; i < WOLFSSL_DTLS_WINDOW_WORDS; i++) { - c32toa(keys->window[i], exp + idx); - idx += OPAQUE32_LEN; - } - c16toa(WOLFSSL_DTLS_WINDOW_WORDS, exp + idx); idx += OPAQUE16_LEN; - for (i = 0; i < WOLFSSL_DTLS_WINDOW_WORDS; i++) { - c32toa(keys->prevWindow[i], exp + idx); - idx += OPAQUE32_LEN; - } - } - -#ifdef HAVE_TRUNCATED_HMAC - sz = ssl->truncated_hmac ? TRUNCATED_HMAC_SZ: ssl->specs.hash_size; - exp[idx++] = ssl->truncated_hmac; -#else - sz = ssl->specs.hash_size; - exp[idx++] = 0; /* no truncated hmac */ -#endif - exp[idx++] = sz; - XMEMCPY(exp + idx, keys->client_write_MAC_secret, sz); idx += sz; - XMEMCPY(exp + idx, keys->server_write_MAC_secret, sz); idx += sz; - - sz = ssl->specs.key_size; - exp[idx++] = sz; - XMEMCPY(exp + idx, keys->client_write_key, sz); idx += sz; - XMEMCPY(exp + idx, keys->server_write_key, sz); idx += sz; - - sz = ssl->specs.iv_size; - exp[idx++] = sz; - XMEMCPY(exp + idx, keys->client_write_IV, sz); idx += sz; - XMEMCPY(exp + idx, keys->server_write_IV, sz); idx += sz; - XMEMCPY(exp + idx, keys->aead_exp_IV, AEAD_MAX_EXP_SZ); - idx += AEAD_MAX_EXP_SZ; - - sz = AEAD_MAX_IMP_SZ; - exp[idx++] = sz; - XMEMCPY(exp + idx, keys->aead_enc_imp_IV, sz); idx += sz; - XMEMCPY(exp + idx, keys->aead_dec_imp_IV, sz); idx += sz; - - /* DTLS_EXPORT_KEY_SZ is max value. idx size can vary */ - if (idx > DTLS_EXPORT_KEY_SZ) { - WOLFSSL_MSG("DTLS_EXPORT_KEY_SZ needs updated and export version"); - return DTLS_EXPORT_VER_E; - } - - WOLFSSL_LEAVE("ExportKeyState", idx); - (void)ver; - return idx; -} - -static int ImportCipherSpecState(WOLFSSL* ssl, byte* exp, word32 len, byte ver) -{ - word32 idx = 0; - CipherSpecs* specs; - - WOLFSSL_ENTER("ImportCipherSpecState"); - - if (exp == NULL || ssl == NULL) { - return BAD_FUNC_ARG; - } - - specs= &(ssl->specs); - - if (DTLS_EXPORT_SPC_SZ > len) { - WOLFSSL_MSG("Buffer not large enough for max spec struct size"); - return BUFFER_E; - } - - ato16(exp + idx, &specs->key_size); idx += OPAQUE16_LEN; - ato16(exp + idx, &specs->iv_size); idx += OPAQUE16_LEN; - ato16(exp + idx, &specs->block_size); idx += OPAQUE16_LEN; - ato16(exp + idx, &specs->aead_mac_size); idx += OPAQUE16_LEN; - specs->bulk_cipher_algorithm = exp[idx++]; - specs->cipher_type = exp[idx++]; - specs->mac_algorithm = exp[idx++]; - specs->kea = exp[idx++]; - specs->sig_algo = exp[idx++]; - specs->hash_size = exp[idx++]; - specs->pad_size = exp[idx++]; - specs->static_ecdh = exp[idx++]; - - WOLFSSL_LEAVE("ImportCipherSpecState", idx); - (void)ver; - return idx; -} - - -static int ImportKeyState(WOLFSSL* ssl, byte* exp, word32 len, byte ver) -{ - word32 idx = 0; - byte sz; - Keys* keys; - - WOLFSSL_ENTER("ImportKeyState"); - - if (exp == NULL || ssl == NULL) { - return BAD_FUNC_ARG; - } - - keys = &(ssl->keys); - - /* check minimum length -- includes byte used for size indicators */ - if (len < DTLS_EXPORT_MIN_KEY_SZ) { - return BUFFER_E; - } - ato32(exp + idx, &keys->peer_sequence_number_hi); idx += OPAQUE32_LEN; - ato32(exp + idx, &keys->peer_sequence_number_lo); idx += OPAQUE32_LEN; - ato32(exp + idx, &keys->sequence_number_hi); idx += OPAQUE32_LEN; - ato32(exp + idx, &keys->sequence_number_lo); idx += OPAQUE32_LEN; - - ato16(exp + idx, &keys->nextEpoch); idx += OPAQUE16_LEN; - ato16(exp + idx, &keys->nextSeq_hi); idx += OPAQUE16_LEN; - ato32(exp + idx, &keys->nextSeq_lo); idx += OPAQUE32_LEN; - ato16(exp + idx, &keys->curEpoch); idx += OPAQUE16_LEN; - ato16(exp + idx, &keys->curSeq_hi); idx += OPAQUE16_LEN; - ato32(exp + idx, &keys->curSeq_lo); idx += OPAQUE32_LEN; - ato16(exp + idx, &keys->prevSeq_hi); idx += OPAQUE16_LEN; - ato32(exp + idx, &keys->prevSeq_lo); idx += OPAQUE32_LEN; - - ato16(exp + idx, &keys->dtls_peer_handshake_number); idx += OPAQUE16_LEN; - ato16(exp + idx, &keys->dtls_expected_peer_handshake_number); - idx += OPAQUE16_LEN; - - ato16(exp + idx, &keys->dtls_sequence_number_hi); idx += OPAQUE16_LEN; - ato32(exp + idx, &keys->dtls_sequence_number_lo); idx += OPAQUE32_LEN; - ato16(exp + idx, &keys->dtls_prev_sequence_number_hi); idx += OPAQUE16_LEN; - ato32(exp + idx, &keys->dtls_prev_sequence_number_lo); idx += OPAQUE32_LEN; - ato16(exp + idx, &keys->dtls_epoch); idx += OPAQUE16_LEN; - ato16(exp + idx, &keys->dtls_handshake_number); idx += OPAQUE16_LEN; - ato32(exp + idx, &keys->encryptSz); idx += OPAQUE32_LEN; - ato32(exp + idx, &keys->padSz); idx += OPAQUE32_LEN; - keys->encryptionOn = exp[idx++]; - keys->decryptedCur = exp[idx++]; - - { - word16 i, wordCount, wordAdj = 0; - - /* do window */ - ato16(exp + idx, &wordCount); - idx += OPAQUE16_LEN; - - if (wordCount > WOLFSSL_DTLS_WINDOW_WORDS) { - wordCount = WOLFSSL_DTLS_WINDOW_WORDS; - wordAdj = (WOLFSSL_DTLS_WINDOW_WORDS - wordCount) * sizeof(word32); - } - - XMEMSET(keys->window, 0xFF, DTLS_SEQ_SZ); - for (i = 0; i < wordCount; i++) { - ato32(exp + idx, &keys->window[i]); - idx += OPAQUE32_LEN; - } - idx += wordAdj; - - /* do prevWindow */ - ato16(exp + idx, &wordCount); - idx += OPAQUE16_LEN; - - if (wordCount > WOLFSSL_DTLS_WINDOW_WORDS) { - wordCount = WOLFSSL_DTLS_WINDOW_WORDS; - wordAdj = (WOLFSSL_DTLS_WINDOW_WORDS - wordCount) * sizeof(word32); - } - - XMEMSET(keys->prevWindow, 0xFF, DTLS_SEQ_SZ); - for (i = 0; i < wordCount; i++) { - ato32(exp + idx, &keys->prevWindow[i]); - idx += OPAQUE32_LEN; - } - idx += wordAdj; - - } - -#ifdef HAVE_TRUNCATED_HMAC - ssl->truncated_hmac = exp[idx++]; -#else - idx++; /* no truncated hmac */ -#endif - sz = exp[idx++]; - if (sz > MAX_DIGEST_SIZE || sz + idx > len) { - return BUFFER_E; - } - XMEMCPY(keys->client_write_MAC_secret, exp + idx, sz); idx += sz; - XMEMCPY(keys->server_write_MAC_secret, exp + idx, sz); idx += sz; - - sz = exp[idx++]; - if (sz > AES_256_KEY_SIZE || sz + idx > len) { - return BUFFER_E; - } - XMEMCPY(keys->client_write_key, exp + idx, sz); idx += sz; - XMEMCPY(keys->server_write_key, exp + idx, sz); idx += sz; - - sz = exp[idx++]; - if (sz > MAX_WRITE_IV_SZ || sz + idx > len) { - return BUFFER_E; - } - XMEMCPY(keys->client_write_IV, exp + idx, sz); idx += sz; - XMEMCPY(keys->server_write_IV, exp + idx, sz); idx += sz; - XMEMCPY(keys->aead_exp_IV, exp + idx, AEAD_MAX_EXP_SZ); - idx += AEAD_MAX_EXP_SZ; - - sz = exp[idx++]; - if (sz > AEAD_MAX_IMP_SZ || sz + idx > len) { - return BUFFER_E; - } - XMEMCPY(keys->aead_enc_imp_IV, exp + idx, sz); idx += sz; - XMEMCPY(keys->aead_dec_imp_IV, exp + idx, sz); idx += sz; - - WOLFSSL_LEAVE("ImportKeyState", idx); - (void)ver; - return idx; -} - - -/* copy over necessary information from Options struct to buffer - * On success returns size of buffer used on failure returns a negative value */ -static int dtls_export_new(WOLFSSL* ssl, byte* exp, word32 len, byte ver) -{ - int idx = 0; - word16 zero = 0; - Options* options = &ssl->options; - - WOLFSSL_ENTER("dtls_export_new"); - - if (exp == NULL || options == NULL || len < DTLS_EXPORT_OPT_SZ) { - return BAD_FUNC_ARG; - } - - XMEMSET(exp, 0, DTLS_EXPORT_OPT_SZ); - - /* these options are kept and sent to indicate verify status and strength - * of handshake */ - exp[idx++] = options->sendVerify; - exp[idx++] = options->verifyPeer; - exp[idx++] = options->verifyNone; - exp[idx++] = options->downgrade; -#ifndef NO_DH - c16toa(options->minDhKeySz, exp + idx); idx += OPAQUE16_LEN; - c16toa(options->dhKeySz, exp + idx); idx += OPAQUE16_LEN; -#else - c16toa(zero, exp + idx); idx += OPAQUE16_LEN; - c16toa(zero, exp + idx); idx += OPAQUE16_LEN; -#endif -#ifndef NO_RSA - c16toa((word16)(options->minRsaKeySz), exp + idx); idx += OPAQUE16_LEN; -#else - c16toa(zero, exp + idx); idx += OPAQUE16_LEN; -#endif -#ifdef HAVE_ECC - c16toa((word16)(options->minEccKeySz), exp + idx); idx += OPAQUE16_LEN; -#else - c16toa(zero, exp + idx); idx += OPAQUE16_LEN; -#endif - - /* these options are kept to indicate state and behavior */ -#ifndef NO_PSK - exp[idx++] = options->havePSK; -#else - exp[idx++] = 0; -#endif - exp[idx++] = options->sessionCacheOff; - exp[idx++] = options->sessionCacheFlushOff; - exp[idx++] = options->side; - exp[idx++] = options->resuming; - exp[idx++] = options->haveSessionId; - exp[idx++] = options->tls; - exp[idx++] = options->tls1_1; - exp[idx++] = options->dtls; - exp[idx++] = options->connReset; - exp[idx++] = options->isClosed; - exp[idx++] = options->closeNotify; - exp[idx++] = options->sentNotify; - exp[idx++] = options->usingCompression; - exp[idx++] = options->haveRSA; - exp[idx++] = options->haveECC; - exp[idx++] = options->haveDH; - exp[idx++] = options->haveNTRU; - exp[idx++] = options->haveQSH; - exp[idx++] = options->haveECDSAsig; - exp[idx++] = options->haveStaticECC; - exp[idx++] = options->havePeerVerify; - exp[idx++] = options->usingPSK_cipher; - exp[idx++] = options->usingAnon_cipher; - exp[idx++] = options->sendAlertState; - exp[idx++] = options->partialWrite; - exp[idx++] = options->quietShutdown; - exp[idx++] = options->groupMessages; -#ifdef HAVE_POLY1305 - exp[idx++] = options->oldPoly; -#else - exp[idx++] = 0; -#endif -#ifdef HAVE_ANON - exp[idx++] = options->haveAnon; -#else - exp[idx++] = 0; -#endif -#ifdef HAVE_SESSION_TICKET - exp[idx++] = options->createTicket; - exp[idx++] = options->useTicket; -#else - exp[idx++] = 0; - exp[idx++] = 0; -#endif - exp[idx++] = options->processReply; - exp[idx++] = options->cipherSuite0; - exp[idx++] = options->cipherSuite; - exp[idx++] = options->serverState; - exp[idx++] = options->clientState; - exp[idx++] = options->handShakeState; - exp[idx++] = options->handShakeDone; - exp[idx++] = options->minDowngrade; - exp[idx++] = options->connectState; - exp[idx++] = options->acceptState; - exp[idx++] = options->asyncState; - - /* version of connection */ - exp[idx++] = ssl->version.major; - exp[idx++] = ssl->version.minor; - - (void)zero; - (void)ver; - - /* check if changes were made and notify of need to update export version */ - if (idx != DTLS_EXPORT_OPT_SZ) { - WOLFSSL_MSG("Update DTLS_EXPORT_OPT_SZ and version of wolfSSL export"); - return DTLS_EXPORT_VER_E; - } - - WOLFSSL_LEAVE("dtls_export_new", idx); - - return idx; -} - - -/* copy items from Export struct to Options struct - * On success returns size of buffer used on failure returns a negative value */ -static int dtls_export_load(WOLFSSL* ssl, byte* exp, word32 len, byte ver) -{ - int idx = 0; - Options* options = &ssl->options; - - if (ver != DTLS_EXPORT_VERSION) { - WOLFSSL_MSG("Export version not supported"); - return BAD_FUNC_ARG; - } - - if (exp == NULL || options == NULL || len < DTLS_EXPORT_OPT_SZ) { - return BAD_FUNC_ARG; - } - - /* these options are kept and sent to indicate verify status and strength - * of handshake */ - options->sendVerify = exp[idx++]; - options->verifyPeer = exp[idx++]; - options->verifyNone = exp[idx++]; - options->downgrade = exp[idx++]; -#ifndef NO_DH - ato16(exp + idx, &(options->minDhKeySz)); idx += OPAQUE16_LEN; - ato16(exp + idx, &(options->dhKeySz)); idx += OPAQUE16_LEN; -#else - idx += OPAQUE16_LEN; - idx += OPAQUE16_LEN; -#endif -#ifndef NO_RSA - ato16(exp + idx, (word16*)&(options->minRsaKeySz)); idx += OPAQUE16_LEN; -#else - idx += OPAQUE16_LEN; -#endif -#ifdef HAVE_ECC - ato16(exp + idx, (word16*)&(options->minEccKeySz)); idx += OPAQUE16_LEN; -#else - idx += OPAQUE16_LEN; -#endif - - /* these options are kept to indicate state and behavior */ -#ifndef NO_PSK - options->havePSK = exp[idx++]; -#else - idx++; -#endif - options->sessionCacheOff = exp[idx++]; - options->sessionCacheFlushOff = exp[idx++]; - options->side = exp[idx++]; - options->resuming = exp[idx++]; - options->haveSessionId = exp[idx++]; - options->tls = exp[idx++]; - options->tls1_1 = exp[idx++]; - options->dtls = exp[idx++]; - options->connReset = exp[idx++]; - options->isClosed = exp[idx++]; - options->closeNotify = exp[idx++]; - options->sentNotify = exp[idx++]; - options->usingCompression = exp[idx++]; - options->haveRSA = exp[idx++]; - options->haveECC = exp[idx++]; - options->haveDH = exp[idx++]; - options->haveNTRU = exp[idx++]; - options->haveQSH = exp[idx++]; - options->haveECDSAsig = exp[idx++]; - options->haveStaticECC = exp[idx++]; - options->havePeerVerify = exp[idx++]; - options->usingPSK_cipher = exp[idx++]; - options->usingAnon_cipher = exp[idx++]; - options->sendAlertState = exp[idx++]; - options->partialWrite = exp[idx++]; - options->quietShutdown = exp[idx++]; - options->groupMessages = exp[idx++]; -#ifdef HAVE_POLY1305 - options->oldPoly = exp[idx++]; /* set when to use old rfc way of poly*/ -#else - idx++; -#endif -#ifdef HAVE_ANON - options->haveAnon = exp[idx++]; /* User wants to allow Anon suites */ -#else - idx++; -#endif -#ifdef HAVE_SESSION_TICKET - options->createTicket = exp[idx++]; /* Server to create new Ticket */ - options->useTicket = exp[idx++]; /* Use Ticket not session cache */ -#else - idx++; - idx++; -#endif - options->processReply = exp[idx++]; - options->cipherSuite0 = exp[idx++]; - options->cipherSuite = exp[idx++]; - options->serverState = exp[idx++]; - options->clientState = exp[idx++]; - options->handShakeState = exp[idx++]; - options->handShakeDone = exp[idx++]; - options->minDowngrade = exp[idx++]; - options->connectState = exp[idx++]; - options->acceptState = exp[idx++]; - options->asyncState = exp[idx++]; - - /* version of connection */ - if (ssl->version.major != exp[idx++] || ssl->version.minor != exp[idx++]) { - WOLFSSL_MSG("Version mismatch ie DTLS v1 vs v1.2"); - return VERSION_ERROR; - } - - return idx; -} - -static int ExportPeerInfo(WOLFSSL* ssl, byte* exp, word32 len, byte ver) -{ - int idx = 0; - int ipSz = DTLS_EXPORT_IP; /* start as max size */ - int fam = 0; - word16 port = 0; - char ip[DTLS_EXPORT_IP]; - - if (ver != DTLS_EXPORT_VERSION) { - WOLFSSL_MSG("Export version not supported"); - return BAD_FUNC_ARG; - } - - if (ssl == NULL || exp == NULL || len < sizeof(ip) + 3 * DTLS_EXPORT_LEN) { - return BAD_FUNC_ARG; - } - - if (ssl->ctx->CBGetPeer == NULL) { - WOLFSSL_MSG("No get peer call back set"); - return BAD_FUNC_ARG; - } - if (ssl->ctx->CBGetPeer(ssl, ip, &ipSz, &port, &fam) != SSL_SUCCESS) { - WOLFSSL_MSG("Get peer callback error"); - return SOCKET_ERROR_E; - } - - /* check that ipSz/fam is not negative or too large since user can set cb */ - if (ipSz < 0 || ipSz > DTLS_EXPORT_IP || fam < 0) { - WOLFSSL_MSG("Bad ipSz or fam returned from get peer callback"); - return SOCKET_ERROR_E; - } - - c16toa((word16)fam, exp + idx); idx += DTLS_EXPORT_LEN; - c16toa((word16)ipSz, exp + idx); idx += DTLS_EXPORT_LEN; - XMEMCPY(exp + idx, ip, ipSz); idx += ipSz; - c16toa(port, exp + idx); idx += DTLS_EXPORT_LEN; - - return idx; -} - - -static int ImportPeerInfo(WOLFSSL* ssl, byte* buf, word32 len, byte ver) -{ - word16 idx = 0; - word16 ipSz; - word16 fam; - word16 port; - char ip[DTLS_EXPORT_IP]; - - if (ver != DTLS_EXPORT_VERSION) { - WOLFSSL_MSG("Export version not supported"); - return BAD_FUNC_ARG; - } - - if (ssl == NULL || buf == NULL || len < 3 * DTLS_EXPORT_LEN) { - return BAD_FUNC_ARG; - } - - /* import sin family */ - ato16(buf + idx, &fam); idx += DTLS_EXPORT_LEN; - - /* import ip address idx, and ipSz are unsigned but cast for enum */ - ato16(buf + idx, &ipSz); idx += DTLS_EXPORT_LEN; - if (ipSz >= sizeof(ip) || (word16)(idx + ipSz + DTLS_EXPORT_LEN) > len) { - return BUFFER_E; - } - XMEMSET(ip, 0, sizeof(ip)); - XMEMCPY(ip, buf + idx, ipSz); idx += ipSz; - ip[ipSz] = '\0'; /* with check that ipSz less than ip this is valid */ - ato16(buf + idx, &port); idx += DTLS_EXPORT_LEN; - - /* sanity check for a function to call, then use it to import peer info */ - if (ssl->ctx->CBSetPeer == NULL) { - WOLFSSL_MSG("No set peer function"); - return BAD_FUNC_ARG; - } - if (ssl->ctx->CBSetPeer(ssl, ip, ipSz, port, fam) != SSL_SUCCESS) { - WOLFSSL_MSG("Error setting peer info"); - return SOCKET_ERROR_E; - } - - return idx; -} - - -/* WOLFSSL_LOCAL function that serializes the current WOLFSSL session - * buf is used to hold the serialized WOLFSSL struct and sz is the size of buf - * passed in. - * On success returns the size of serialized session.*/ -int wolfSSL_dtls_export_internal(WOLFSSL* ssl, byte* buf, word32 sz) -{ - int ret; - word32 idx = 0; - word32 totalLen = 0; - - WOLFSSL_ENTER("wolfSSL_dtls_export_internal"); - - if (buf == NULL || ssl == NULL) { - WOLFSSL_LEAVE("wolfSSL_dtls_export_internal", BAD_FUNC_ARG); - return BAD_FUNC_ARG; - } - - totalLen += DTLS_EXPORT_LEN * 2; /* 2 protocol bytes and 2 length bytes */ - /* each of the following have a 2 byte length before data */ - totalLen += DTLS_EXPORT_LEN + DTLS_EXPORT_OPT_SZ; - totalLen += DTLS_EXPORT_LEN + DTLS_EXPORT_KEY_SZ; - totalLen += DTLS_EXPORT_LEN + DTLS_EXPORT_SPC_SZ; - totalLen += DTLS_EXPORT_LEN + ssl->buffers.dtlsCtx.peer.sz; - - if (totalLen > sz) { - WOLFSSL_LEAVE("wolfSSL_dtls_export_internal", BUFFER_E); - return BUFFER_E; - } - - buf[idx++] = (byte)DTLS_EXPORT_PRO; - buf[idx++] = ((byte)DTLS_EXPORT_PRO & 0xF0) | - ((byte)DTLS_EXPORT_VERSION & 0X0F); - - idx += DTLS_EXPORT_LEN; /* leave spot for length */ - - c16toa((word16)DTLS_EXPORT_OPT_SZ, buf + idx); idx += DTLS_EXPORT_LEN; - if ((ret = dtls_export_new(ssl, buf + idx, sz - idx, - DTLS_EXPORT_VERSION)) < 0) { - WOLFSSL_LEAVE("wolfSSL_dtls_export_internal", ret); - return ret; - } - idx += ret; - - /* export keys struct and dtls state -- variable length stored in ret */ - idx += DTLS_EXPORT_LEN; /* leave room for length */ - if ((ret = ExportKeyState(ssl, buf + idx, sz - idx, - DTLS_EXPORT_VERSION)) < 0) { - WOLFSSL_LEAVE("wolfSSL_dtls_export_internal", ret); - return ret; - } - c16toa((word16)ret, buf + idx - DTLS_EXPORT_LEN); idx += ret; - - /* export of cipher specs struct */ - c16toa((word16)DTLS_EXPORT_SPC_SZ, buf + idx); idx += DTLS_EXPORT_LEN; - if ((ret = ExportCipherSpecState(ssl, buf + idx, sz - idx, - DTLS_EXPORT_VERSION)) < 0) { - WOLFSSL_LEAVE("wolfSSL_dtls_export_internal", ret); - return ret; - } - idx += ret; - - /* export of dtls peer information */ - idx += DTLS_EXPORT_LEN; - if ((ret = ExportPeerInfo(ssl, buf + idx, sz - idx, - DTLS_EXPORT_VERSION)) < 0) { - WOLFSSL_LEAVE("wolfSSL_dtls_export_internal", ret); - return ret; - } - c16toa(ret, buf + idx - DTLS_EXPORT_LEN); - idx += ret; - - /* place total length of exported buffer minus 2 bytes protocol/version */ - c16toa((word16)(idx - DTLS_EXPORT_LEN), buf + DTLS_EXPORT_LEN); - - /* if compiled with debug options then print the version, protocol, size */ -#ifdef WOLFSSL_SESSION_EXPORT_DEBUG - { - char debug[256]; - snprintf(debug, sizeof(debug), "Exporting DTLS session\n" - "\tVersion : %d\n\tProtocol : %02X%01X\n\tLength of: %d\n\n" - , (int)DTLS_EXPORT_VERSION, buf[0], (buf[1] >> 4), idx - 2); - WOLFSSL_MSG(debug); - } -#endif /* WOLFSSL_SESSION_EXPORT_DEBUG */ - - WOLFSSL_LEAVE("wolfSSL_dtls_export_internal", idx); - return idx; -} - - -/* On success return amount of buffer consumed */ -int wolfSSL_dtls_import_internal(WOLFSSL* ssl, byte* buf, word32 sz) -{ - word32 idx = 0; - word16 length = 0; - int version; - int ret; - - WOLFSSL_ENTER("wolfSSL_dtls_import_internal"); - /* check at least enough room for protocol and length */ - if (sz < DTLS_EXPORT_LEN * 2 || ssl == NULL) { - return BAD_FUNC_ARG; - } - - /* sanity check on protocol ID and size of buffer */ - if (buf[idx++] != (byte)DTLS_EXPORT_PRO || - (buf[idx] & 0xF0) != ((byte)DTLS_EXPORT_PRO & 0xF0)) { - /* don't increment on second idx to next get version */ - WOLFSSL_MSG("Incorrect protocol"); - return BAD_FUNC_ARG; - } - version = buf[idx++] & 0x0F; - - ato16(buf + idx, &length); idx += DTLS_EXPORT_LEN; - if (length > sz - DTLS_EXPORT_LEN) { /* subtract 2 for protocol */ - return BUFFER_E; - } - - /* if compiled with debug options then print the version, protocol, size */ -#ifdef WOLFSSL_SESSION_EXPORT_DEBUG - { - char debug[256]; - snprintf(debug, sizeof(debug), "Importing DTLS session\n" - "\tVersion : %d\n\tProtocol : %02X%01X\n\tLength of: %d\n\n" - , (int)version, buf[0], (buf[1] >> 4), length); - WOLFSSL_MSG(debug); - } -#endif /* WOLFSSL_SESSION_EXPORT_DEBUG */ - - /* perform sanity checks and extract Options information used */ - if (DTLS_EXPORT_LEN + DTLS_EXPORT_OPT_SZ + idx > sz) { - WOLFSSL_MSG("Import Options struct error"); - return BUFFER_E; - } - ato16(buf + idx, &length); idx += DTLS_EXPORT_LEN; - if (length != DTLS_EXPORT_OPT_SZ) { - WOLFSSL_MSG("Import Options struct error"); - return BUFFER_E; - } - if ((ret = dtls_export_load(ssl, buf + idx, length, version)) < 0) { - WOLFSSL_MSG("Import Options struct error"); - return ret; - } - idx += length; - - /* perform sanity checks and extract Keys struct */ - if (DTLS_EXPORT_LEN + idx > sz) { - WOLFSSL_MSG("Import Key struct error"); - return BUFFER_E; - } - ato16(buf + idx, &length); idx += DTLS_EXPORT_LEN; - if (length > DTLS_EXPORT_KEY_SZ || length + idx > sz) { - WOLFSSL_MSG("Import Key struct error"); - return BUFFER_E; - } - if ((ret = ImportKeyState(ssl, buf + idx, length, version)) < 0) { - WOLFSSL_MSG("Import Key struct error"); - return ret; - } - idx += ret; - - /* perform sanity checks and extract CipherSpecs struct */ - if (DTLS_EXPORT_LEN + DTLS_EXPORT_SPC_SZ + idx > sz) { - WOLFSSL_MSG("Import CipherSpecs struct error"); - return BUFFER_E; - } - ato16(buf + idx, &length); idx += DTLS_EXPORT_LEN; - if ( length != DTLS_EXPORT_SPC_SZ) { - WOLFSSL_MSG("Import CipherSpecs struct error"); - return BUFFER_E; - } - if ((ret = ImportCipherSpecState(ssl, buf + idx, length, version)) < 0) { - WOLFSSL_MSG("Import CipherSpecs struct error"); - return ret; - } - idx += ret; - - /* perform sanity checks and extract DTLS peer info */ - if (DTLS_EXPORT_LEN + idx > sz) { - WOLFSSL_MSG("Import DTLS peer info error"); - return BUFFER_E; - } - ato16(buf + idx, &length); idx += DTLS_EXPORT_LEN; - if (idx + length > sz) { - WOLFSSL_MSG("Import DTLS peer info error"); - return BUFFER_E; - } - if ((ret = ImportPeerInfo(ssl, buf + idx, length, version)) < 0) { - WOLFSSL_MSG("Import Peer Addr error"); - return ret; - } - idx += ret; - - SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE); - - /* set hmac function to use when verifying */ - if (ssl->options.tls == 1 || ssl->options.tls1_1 == 1 || - ssl->options.dtls == 1) { - ssl->hmac = TLS_hmac; - } - - /* make sure is a valid suite used */ - if (wolfSSL_get_cipher(ssl) == NULL) { - WOLFSSL_MSG("Can not match cipher suite imported"); - return MATCH_SUITE_ERROR; - } - - /* do not allow stream ciphers with DTLS */ - if (ssl->specs.cipher_type == stream) { - WOLFSSL_MSG("Can not import stream ciphers for DTLS"); - return SANITY_CIPHER_E; - } - - return idx; -} -#endif /* WOLFSSL_DTLS */ -#endif /* WOLFSSL_SESSION_EXPORT */ - - -void InitSSL_Method(WOLFSSL_METHOD* method, ProtocolVersion pv) -{ - method->version = pv; - method->side = WOLFSSL_CLIENT_END; - method->downgrade = 0; -} - - -/* Initialize SSL context, return 0 on success */ -int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) -{ - int ret = 0; - - XMEMSET(ctx, 0, sizeof(WOLFSSL_CTX)); - - ctx->method = method; - ctx->refCount = 1; /* so either CTX_free or SSL_free can release */ - ctx->heap = ctx; /* defaults to self */ - ctx->timeout = WOLFSSL_SESSION_TIMEOUT; - ctx->minDowngrade = TLSv1_MINOR; /* current default */ - - if (wc_InitMutex(&ctx->countMutex) < 0) { - WOLFSSL_MSG("Mutex error on CTX init"); - ctx->err = CTX_INIT_MUTEX_E; - return BAD_MUTEX_E; - } - -#ifndef NO_DH - ctx->minDhKeySz = MIN_DHKEY_SZ; -#endif -#ifndef NO_RSA - ctx->minRsaKeySz = MIN_RSAKEY_SZ; -#endif -#ifdef HAVE_ECC - ctx->minEccKeySz = MIN_ECCKEY_SZ; - ctx->eccTempKeySz = ECDHE_SIZE; -#endif - -#ifndef WOLFSSL_USER_IO - ctx->CBIORecv = EmbedReceive; - ctx->CBIOSend = EmbedSend; - #ifdef WOLFSSL_DTLS - if (method->version.major == DTLS_MAJOR) { - ctx->CBIORecv = EmbedReceiveFrom; - ctx->CBIOSend = EmbedSendTo; - } - #ifdef WOLFSSL_SESSION_EXPORT - ctx->CBGetPeer = EmbedGetPeer; - ctx->CBSetPeer = EmbedSetPeer; - #endif - #endif -#endif /* WOLFSSL_USER_IO */ - -#ifdef HAVE_NETX - ctx->CBIORecv = NetX_Receive; - ctx->CBIOSend = NetX_Send; -#endif - -#ifdef HAVE_NTRU - if (method->side == WOLFSSL_CLIENT_END) - ctx->haveNTRU = 1; /* always on cliet side */ - /* server can turn on by loading key */ -#endif -#ifdef HAVE_ECC - if (method->side == WOLFSSL_CLIENT_END) { - ctx->haveECDSAsig = 1; /* always on cliet side */ - ctx->haveECC = 1; /* server turns on with ECC key cert */ - ctx->haveStaticECC = 1; /* server can turn on by loading key */ - } -#endif - - ctx->devId = INVALID_DEVID; - -#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SCTP) - ctx->dtlsMtuSz = MAX_RECORD_SIZE; -#endif - -#ifndef NO_CERTS - ctx->cm = wolfSSL_CertManagerNew_ex(heap); - if (ctx->cm == NULL) { - WOLFSSL_MSG("Bad Cert Manager New"); - return BAD_CERT_MANAGER_ERROR; - } - #ifdef OPENSSL_EXTRA - /* setup WOLFSSL_X509_STORE */ - ctx->x509_store.cm = ctx->cm; - #endif -#endif - -#if defined(HAVE_EXTENDED_MASTER) && !defined(NO_WOLFSSL_CLIENT) - if (method->side == WOLFSSL_CLIENT_END) { - if ((method->version.major == SSLv3_MAJOR) && - (method->version.minor >= TLSv1_MINOR)) { - - ctx->haveEMS = 1; - } -#ifdef WOLFSSL_DTLS - if (method->version.major == DTLS_MAJOR) - ctx->haveEMS = 1; -#endif /* WOLFSSL_DTLS */ - } -#endif /* HAVE_EXTENDED_MASTER && !NO_WOLFSSL_CLIENT */ - -#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) - ctx->ticketHint = SESSION_TICKET_HINT_DEFAULT; -#endif - -#ifdef HAVE_WOLF_EVENT - ret = wolfEventQueue_Init(&ctx->event_queue); -#endif /* HAVE_WOLF_EVENT */ - - ctx->heap = heap; /* wolfSSL_CTX_load_static_memory sets */ - ctx->verifyDepth = MAX_CHAIN_DEPTH; - - return ret; -} - - -/* In case contexts are held in array and don't want to free actual ctx */ -void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) -{ -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - int i; -#endif - -#ifdef HAVE_WOLF_EVENT - wolfEventQueue_Free(&ctx->event_queue); -#endif /* HAVE_WOLF_EVENT */ - - XFREE(ctx->method, ctx->heap, DYNAMIC_TYPE_METHOD); - if (ctx->suites) - XFREE(ctx->suites, ctx->heap, DYNAMIC_TYPE_SUITES); - -#ifndef NO_DH - XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH_BUFFER); - XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH_BUFFER); -#endif /* !NO_DH */ - -#ifdef SINGLE_THREADED - if (ctx->rng) { - wc_FreeRng(ctx->rng); - XFREE(ctx->rng, ctx->heap, DYNAMIC_TYPE_RNG); - } -#endif /* SINGLE_THREADED */ - -#ifndef NO_CERTS - FreeDer(&ctx->privateKey); - FreeDer(&ctx->certificate); - #ifdef KEEP_OUR_CERT - if (ctx->ourCert && ctx->ownOurCert) { - FreeX509(ctx->ourCert); - XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); - } - #endif /* KEEP_OUR_CERT */ - FreeDer(&ctx->certChain); - wolfSSL_CertManagerFree(ctx->cm); - #ifdef OPENSSL_EXTRA - /* ctx->cm was free'd so cm of x509 store should now be NULL */ - if (ctx->x509_store_pt != NULL) { - ctx->x509_store_pt->cm = NULL; - } - wolfSSL_X509_STORE_free(ctx->x509_store_pt); - while (ctx->ca_names != NULL) { - WOLFSSL_STACK *next = ctx->ca_names->next; - wolfSSL_X509_NAME_free(ctx->ca_names->data.name); - XFREE(ctx->ca_names->data.name, NULL, DYNAMIC_TYPE_OPENSSL); - XFREE(ctx->ca_names, NULL, DYNAMIC_TYPE_OPENSSL); - ctx->ca_names = next; - } - #endif - #ifdef WOLFSSL_NGINX - while (ctx->x509Chain != NULL) { - WOLFSSL_STACK *next = ctx->x509Chain->next; - wolfSSL_X509_free(ctx->x509Chain->data.x509); - XFREE(ctx->x509Chain, NULL, DYNAMIC_TYPE_OPENSSL); - ctx->x509Chain = next; - } - #endif -#endif /* !NO_CERTS */ - -#ifdef HAVE_TLS_EXTENSIONS - TLSX_FreeAll(ctx->extensions, ctx->heap); - -#ifndef NO_WOLFSSL_SERVER -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - if (ctx->certOcspRequest) { - FreeOcspRequest(ctx->certOcspRequest); - XFREE(ctx->certOcspRequest, ctx->heap, DYNAMIC_TYPE_OCSP_REQUEST); - } -#endif - -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - for (i = 0; i < MAX_CHAIN_DEPTH; i++) { - if (ctx->chainOcspRequest[i]) { - FreeOcspRequest(ctx->chainOcspRequest[i]); - XFREE(ctx->chainOcspRequest[i], ctx->heap, DYNAMIC_TYPE_OCSP_REQUEST); - } - } -#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ -#endif /* !NO_WOLFSSL_SERVER */ - -#endif /* HAVE_TLS_EXTENSIONS */ - -#ifdef WOLFSSL_STATIC_MEMORY - if (ctx->heap != NULL) { -#ifdef WOLFSSL_HEAP_TEST - /* avoid derefrencing a test value */ - if (ctx->heap != (void*)WOLFSSL_HEAP_TEST) -#endif - { - WOLFSSL_HEAP_HINT* hint = (WOLFSSL_HEAP_HINT*)(ctx->heap); - wc_FreeMutex(&((WOLFSSL_HEAP*)(hint->memory))->memory_mutex); - } - } -#endif /* WOLFSSL_STATIC_MEMORY */ -} - - -void FreeSSL_Ctx(WOLFSSL_CTX* ctx) -{ - int doFree = 0; - - if (wc_LockMutex(&ctx->countMutex) != 0) { - WOLFSSL_MSG("Couldn't lock count mutex"); - - /* check error state, if mutex error code then mutex init failed but - * CTX was still malloc'd */ - if (ctx->err == CTX_INIT_MUTEX_E) { - SSL_CtxResourceFree(ctx); - XFREE(ctx, ctx->heap, DYNAMIC_TYPE_CTX); - } - return; - } - ctx->refCount--; - if (ctx->refCount == 0) - doFree = 1; - wc_UnLockMutex(&ctx->countMutex); - - if (doFree) { - WOLFSSL_MSG("CTX ref count down to 0, doing full free"); - SSL_CtxResourceFree(ctx); - wc_FreeMutex(&ctx->countMutex); - XFREE(ctx, ctx->heap, DYNAMIC_TYPE_CTX); - } - else { - (void)ctx; - WOLFSSL_MSG("CTX ref count not 0 yet, no free"); - } -} - - -/* Set cipher pointers to null */ -void InitCiphers(WOLFSSL* ssl) -{ -#ifdef BUILD_ARC4 - ssl->encrypt.arc4 = NULL; - ssl->decrypt.arc4 = NULL; -#endif -#ifdef BUILD_DES3 - ssl->encrypt.des3 = NULL; - ssl->decrypt.des3 = NULL; -#endif -#ifdef BUILD_AES - ssl->encrypt.aes = NULL; - ssl->decrypt.aes = NULL; -#endif -#ifdef HAVE_CAMELLIA - ssl->encrypt.cam = NULL; - ssl->decrypt.cam = NULL; -#endif -#ifdef HAVE_HC128 - ssl->encrypt.hc128 = NULL; - ssl->decrypt.hc128 = NULL; -#endif -#ifdef BUILD_RABBIT - ssl->encrypt.rabbit = NULL; - ssl->decrypt.rabbit = NULL; -#endif -#ifdef HAVE_CHACHA - ssl->encrypt.chacha = NULL; - ssl->decrypt.chacha = NULL; -#endif -#ifdef HAVE_POLY1305 - ssl->auth.poly1305 = NULL; -#endif - ssl->encrypt.setup = 0; - ssl->decrypt.setup = 0; -#ifdef HAVE_ONE_TIME_AUTH - ssl->auth.setup = 0; -#endif -#ifdef HAVE_IDEA - ssl->encrypt.idea = NULL; - ssl->decrypt.idea = NULL; -#endif -} - - -/* Free ciphers */ -void FreeCiphers(WOLFSSL* ssl) -{ - (void)ssl; -#ifdef BUILD_ARC4 - wc_Arc4Free(ssl->encrypt.arc4); - wc_Arc4Free(ssl->decrypt.arc4); - XFREE(ssl->encrypt.arc4, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.arc4, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef BUILD_DES3 - wc_Des3Free(ssl->encrypt.des3); - wc_Des3Free(ssl->decrypt.des3); - XFREE(ssl->encrypt.des3, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.des3, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef BUILD_AES - wc_AesFree(ssl->encrypt.aes); - wc_AesFree(ssl->decrypt.aes); - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - XFREE(ssl->decrypt.additional, ssl->heap, DYNAMIC_TYPE_AES); - XFREE(ssl->decrypt.nonce, ssl->heap, DYNAMIC_TYPE_AES); - XFREE(ssl->encrypt.additional, ssl->heap, DYNAMIC_TYPE_AES); - XFREE(ssl->encrypt.nonce, ssl->heap, DYNAMIC_TYPE_AES); - #endif - XFREE(ssl->encrypt.aes, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.aes, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef HAVE_CAMELLIA - XFREE(ssl->encrypt.cam, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.cam, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef HAVE_HC128 - XFREE(ssl->encrypt.hc128, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.hc128, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef BUILD_RABBIT - XFREE(ssl->encrypt.rabbit, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.rabbit, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef HAVE_CHACHA - XFREE(ssl->encrypt.chacha, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.chacha, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef HAVE_POLY1305 - XFREE(ssl->auth.poly1305, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef HAVE_IDEA - XFREE(ssl->encrypt.idea, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.idea, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -} - - -void InitCipherSpecs(CipherSpecs* cs) -{ - cs->bulk_cipher_algorithm = INVALID_BYTE; - cs->cipher_type = INVALID_BYTE; - cs->mac_algorithm = INVALID_BYTE; - cs->kea = INVALID_BYTE; - cs->sig_algo = INVALID_BYTE; - - cs->hash_size = 0; - cs->static_ecdh = 0; - cs->key_size = 0; - cs->iv_size = 0; - cs->block_size = 0; -} - -static void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, - int haveRSAsig, int haveAnon) -{ - int idx = 0; - - if (haveECDSAsig) { - #ifdef WOLFSSL_SHA512 - suites->hashSigAlgo[idx++] = sha512_mac; - suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; - #endif - #ifdef WOLFSSL_SHA384 - suites->hashSigAlgo[idx++] = sha384_mac; - suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; - #endif - #ifndef NO_SHA256 - suites->hashSigAlgo[idx++] = sha256_mac; - suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; - #endif - #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) - suites->hashSigAlgo[idx++] = sha_mac; - suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; - #endif - } - - if (haveRSAsig) { - #ifdef WOLFSSL_SHA512 - suites->hashSigAlgo[idx++] = sha512_mac; - suites->hashSigAlgo[idx++] = rsa_sa_algo; - #endif - #ifdef WOLFSSL_SHA384 - suites->hashSigAlgo[idx++] = sha384_mac; - suites->hashSigAlgo[idx++] = rsa_sa_algo; - #endif - #ifndef NO_SHA256 - suites->hashSigAlgo[idx++] = sha256_mac; - suites->hashSigAlgo[idx++] = rsa_sa_algo; - #endif - #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) - suites->hashSigAlgo[idx++] = sha_mac; - suites->hashSigAlgo[idx++] = rsa_sa_algo; - #endif - } - - if (haveAnon) { - #ifdef HAVE_ANON - suites->hashSigAlgo[idx++] = sha_mac; - suites->hashSigAlgo[idx++] = anonymous_sa_algo; - #endif - } - - suites->hashSigAlgoSz = (word16)idx; -} - -void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, - word16 havePSK, word16 haveDH, word16 haveNTRU, - word16 haveECDSAsig, word16 haveECC, - word16 haveStaticECC, int side) -{ - word16 idx = 0; - int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR; - int tls1_2 = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_2_MINOR; - int dtls = 0; - int haveRSAsig = 1; - - (void)tls; /* shut up compiler */ - (void)tls1_2; - (void)dtls; - (void)haveDH; - (void)havePSK; - (void)haveNTRU; - (void)haveStaticECC; - (void)haveECC; - - if (suites == NULL) { - WOLFSSL_MSG("InitSuites pointer error"); - return; - } - - if (suites->setSuites) - return; /* trust user settings, don't override */ - - if (side == WOLFSSL_SERVER_END && haveStaticECC) { - haveRSA = 0; /* can't do RSA with ECDSA key */ - (void)haveRSA; /* some builds won't read */ - } - - if (side == WOLFSSL_SERVER_END && haveECDSAsig) { - haveRSAsig = 0; /* can't have RSA sig if signed by ECDSA */ - (void)haveRSAsig; /* non ecc builds won't read */ - } - -#ifdef WOLFSSL_DTLS - if (pv.major == DTLS_MAJOR) { - dtls = 1; - tls = 1; - /* May be dead assignments dependant upon configuration */ - (void) dtls; - (void) tls; - tls1_2 = pv.minor <= DTLSv1_2_MINOR; - } -#endif - -#ifdef HAVE_RENEGOTIATION_INDICATION - if (side == WOLFSSL_CLIENT_END) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV; - } -#endif - -#ifdef BUILD_TLS_QSH - if (tls) { - suites->suites[idx++] = QSH_BYTE; - suites->suites[idx++] = TLS_QSH; - } -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA - if (tls && haveNTRU && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_NTRU_RSA_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA - if (tls && haveNTRU && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_NTRU_RSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA - if (!dtls && tls && haveNTRU && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_NTRU_RSA_WITH_RC4_128_SHA; - } -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveNTRU && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveDH && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveDH && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384 - if (tls1_2 && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256 - if (tls1_2 && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - if (tls1_2 && haveECC) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256; - } -#endif - -/* Place as higher priority for MYSQL */ -#if defined(WOLFSSL_MYSQL_COMPATIBLE) -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA; - } -#endif -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - if (tls1_2 && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 - if (tls1_2 && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - if (tls1_2 && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - if (tls1_2 && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - if (tls1_2 && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - if (tls1_2 && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - if (tls && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - if (tls && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - if (tls && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - if (tls && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - if (!dtls && tls && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - if (!dtls && tls && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - if (tls && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - if (tls && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - if (tls && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - if (tls && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA - if (!dtls && tls && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_RC4_128_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA - if (!dtls && tls && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_RC4_128_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM - if (tls1_2 && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 - if (tls1_2 && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 - if (tls1_2 && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_RSA_WITH_AES_128_CCM_8; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_RSA_WITH_AES_256_CCM_8; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256; - } -#endif - -/* Place as higher priority for MYSQL testing */ -#if !defined(WOLFSSL_MYSQL_COMPATIBLE) -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA; - } -#endif -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - if (tls1_2 && haveECC) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = - TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA - if (tls && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_NULL_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_NULL_SHA - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256 - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA256; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA - if (tls && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 - if (tls && haveDH && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_CBC_SHA384; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384 - if (tls && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_AES_256_CBC_SHA384; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - if (tls && haveDH && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 - if (tls && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA - if (tls && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM - if (tls && haveDH && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_CCM; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CCM - if (tls && haveDH && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_CCM; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 - if (tls && havePSK) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_PSK_WITH_CHACHA20_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - if (tls && havePSK) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - if (tls && havePSK) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 - if (tls && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM - if (tls && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_PSK_WITH_AES_128_CCM; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM - if (tls && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_PSK_WITH_AES_256_CCM; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8 - if (tls && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_PSK_WITH_AES_128_CCM_8; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8 - if (tls && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_PSK_WITH_AES_256_CCM_8; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384 - if (tls && haveDH && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_PSK_WITH_NULL_SHA384; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA384 - if (tls && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256 - if (tls && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_PSK_WITH_NULL_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256 - if (tls && haveDH && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_PSK_WITH_NULL_SHA256; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256 - if (tls && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA256; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA - if (tls && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA; - } -#endif - -#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA - if (!dtls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = SSL_RSA_WITH_RC4_128_SHA; - } -#endif - -#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5 - if (!dtls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = SSL_RSA_WITH_RC4_128_MD5; - } -#endif - -#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA - if (haveRSA ) { - suites->suites[idx++] = 0; - suites->suites[idx++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_MD5 - if (!dtls && tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_HC_128_MD5; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_SHA - if (!dtls && tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_HC_128_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_B2B256 - if (!dtls && tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_HC_128_B2B256; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256 - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_B2B256; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256 - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_B2B256; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_RABBIT_SHA - if (!dtls && tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_RABBIT_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256; - } -#endif - -#ifdef BUILD_SSL_RSA_WITH_IDEA_CBC_SHA - if (haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = SSL_RSA_WITH_IDEA_CBC_SHA; - } -#endif - - suites->suiteSz = idx; - - InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig, 0); -} - - -#ifndef NO_CERTS - - -void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag) -{ - (void)dynamicFlag; - - if (name != NULL) { - name->name = name->staticName; - name->dynamicName = 0; -#ifdef OPENSSL_EXTRA - XMEMSET(&name->fullName, 0, sizeof(DecodedName)); - XMEMSET(&name->cnEntry, 0, sizeof(WOLFSSL_X509_NAME_ENTRY)); - XMEMSET(&name->extra, 0, sizeof(name->extra)); - name->cnEntry.value = &(name->cnEntry.data); /* point to internal data*/ - name->cnEntry.nid = ASN_COMMON_NAME; - name->x509 = NULL; -#endif /* OPENSSL_EXTRA */ - } -} - - -void FreeX509Name(WOLFSSL_X509_NAME* name, void* heap) -{ - if (name != NULL) { - if (name->dynamicName) - XFREE(name->name, heap, DYNAMIC_TYPE_SUBJECT_CN); -#ifdef OPENSSL_EXTRA - { - int i; - if (name->fullName.fullName != NULL) - XFREE(name->fullName.fullName, heap, DYNAMIC_TYPE_X509); - for (i = 0; i < MAX_NAME_ENTRIES; i++) { - /* free ASN1 string data */ - if (name->extra[i].set && name->extra[i].data.data != NULL) { - XFREE(name->extra[i].data.data, heap, DYNAMIC_TYPE_OPENSSL); - } - } - } -#endif /* OPENSSL_EXTRA */ - } - (void)heap; -} - - -/* Initialize wolfSSL X509 type */ -void InitX509(WOLFSSL_X509* x509, int dynamicFlag, void* heap) -{ - if (x509 == NULL) { - WOLFSSL_MSG("Null parameter passed in!"); - return; - } - - XMEMSET(x509, 0, sizeof(WOLFSSL_X509)); - - x509->heap = heap; - InitX509Name(&x509->issuer, 0); - InitX509Name(&x509->subject, 0); - x509->version = 0; - x509->pubKey.buffer = NULL; - x509->sig.buffer = NULL; - x509->derCert = NULL; - x509->altNames = NULL; - x509->altNamesNext = NULL; - x509->dynamicMemory = (byte)dynamicFlag; - x509->isCa = 0; -#ifdef HAVE_ECC - x509->pkCurveOID = 0; -#endif /* HAVE_ECC */ -#ifdef OPENSSL_EXTRA - x509->pathLength = 0; - x509->basicConstSet = 0; - x509->basicConstCrit = 0; - x509->basicConstPlSet = 0; - x509->subjAltNameSet = 0; - x509->subjAltNameCrit = 0; - x509->authKeyIdSet = 0; - x509->authKeyIdCrit = 0; - x509->authKeyId = NULL; - x509->authKeyIdSz = 0; - x509->subjKeyIdSet = 0; - x509->subjKeyIdCrit = 0; - x509->subjKeyId = NULL; - x509->subjKeyIdSz = 0; - x509->keyUsageSet = 0; - x509->keyUsageCrit = 0; - x509->keyUsage = 0; - #ifdef WOLFSSL_SEP - x509->certPolicySet = 0; - x509->certPolicyCrit = 0; - #endif /* WOLFSSL_SEP */ -#endif /* OPENSSL_EXTRA */ -} - - -/* Free wolfSSL X509 type */ -void FreeX509(WOLFSSL_X509* x509) -{ - if (x509 == NULL) - return; - - FreeX509Name(&x509->issuer, x509->heap); - FreeX509Name(&x509->subject, x509->heap); - if (x509->pubKey.buffer) - XFREE(x509->pubKey.buffer, x509->heap, DYNAMIC_TYPE_PUBLIC_KEY); - FreeDer(&x509->derCert); - XFREE(x509->sig.buffer, x509->heap, DYNAMIC_TYPE_SIGNATURE); - #ifdef OPENSSL_EXTRA - XFREE(x509->authKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); - XFREE(x509->subjKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); - if (x509->authInfo != NULL) { - XFREE(x509->authInfo, x509->heap, DYNAMIC_TYPE_X509_EXT); - } - if (x509->extKeyUsageSrc != NULL) { - XFREE(x509->extKeyUsageSrc, x509->heap, DYNAMIC_TYPE_X509_EXT); - } - #endif /* OPENSSL_EXTRA */ - if (x509->altNames) - FreeAltNames(x509->altNames, NULL); -} - - -#ifndef NO_RSA - -int RsaSign(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out, - word32* outSz, RsaKey* key, const byte* keyBuf, word32 keySz, void* ctx) -{ - int ret; - - (void)ssl; - (void)keyBuf; - (void)keySz; - (void)ctx; - - WOLFSSL_ENTER("RsaSign"); - -#if defined(HAVE_PK_CALLBACKS) - if (ssl->ctx->RsaSignCb) { - ret = ssl->ctx->RsaSignCb(ssl, in, inSz, out, outSz, keyBuf, keySz, - ctx); - } - else -#endif /*HAVE_PK_CALLBACKS */ - { - ret = wc_RsaSSL_Sign(in, inSz, out, *outSz, key, ssl->rng); - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - /* For positive response return in outSz */ - if (ret > 0) { - *outSz = ret; - ret = 0; - } - - WOLFSSL_LEAVE("RsaSign", ret); - - return ret; -} - -int RsaVerify(WOLFSSL* ssl, byte* in, word32 inSz, - byte** out, RsaKey* key, const byte* keyBuf, word32 keySz, void* ctx) -{ - int ret; - - (void)ssl; - (void)keyBuf; - (void)keySz; - (void)ctx; - - WOLFSSL_ENTER("RsaVerify"); - -#ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->RsaVerifyCb) { - ret = ssl->ctx->RsaVerifyCb(ssl, in, inSz, out, keyBuf, keySz, ctx); - } - else -#endif /*HAVE_PK_CALLBACKS */ - { - ret = wc_RsaSSL_VerifyInline(in, inSz, out, key); - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("RsaVerify", ret); - - return ret; -} - -/* Verify RSA signature, 0 on success */ -int VerifyRsaSign(WOLFSSL* ssl, byte* verifySig, word32 sigSz, - const byte* plain, word32 plainSz, RsaKey* key) -{ - byte* out = NULL; /* inline result */ - int ret; - - (void)ssl; - - WOLFSSL_ENTER("VerifyRsaSign"); - - if (verifySig == NULL || plain == NULL || key == NULL) { - return BAD_FUNC_ARG; - } - - if (sigSz > ENCRYPT_LEN) { - WOLFSSL_MSG("Signature buffer too big"); - return BUFFER_E; - } - - ret = wc_RsaSSL_VerifyInline(verifySig, sigSz, &out, key); - - if (ret > 0) { - if (ret != (int)plainSz || !out || - XMEMCMP(plain, out, plainSz) != 0) { - WOLFSSL_MSG("RSA Signature verification failed"); - ret = RSA_SIGN_FAULT; - } else { - ret = 0; /* RSA reset */ - } - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("VerifyRsaSign", ret); - - return ret; -} - -int RsaDec(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, word32* outSz, - RsaKey* key, const byte* keyBuf, word32 keySz, void* ctx) -{ - int ret; - - (void)ssl; - (void)keyBuf; - (void)keySz; - (void)ctx; - - WOLFSSL_ENTER("RsaDec"); - -#ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->RsaDecCb) { - ret = ssl->ctx->RsaDecCb(ssl, in, inSz, out, keyBuf, keySz, - ctx); - } - else -#endif /* HAVE_PK_CALLBACKS */ - { - #ifdef WC_RSA_BLINDING - ret = wc_RsaSetRNG(key, ssl->rng); - if (ret != 0) - return ret; - #endif - ret = wc_RsaPrivateDecryptInline(in, inSz, out, key); - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - /* For positive response return in outSz */ - if (ret > 0) { - *outSz = ret; - ret = 0; - } - - WOLFSSL_LEAVE("RsaDec", ret); - - return ret; -} - -int RsaEnc(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out, word32* outSz, - RsaKey* key, const byte* keyBuf, word32 keySz, void* ctx) -{ - int ret; - - (void)ssl; - (void)keyBuf; - (void)keySz; - (void)ctx; - - WOLFSSL_ENTER("RsaEnc"); - -#ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->RsaEncCb) { - ret = ssl->ctx->RsaEncCb(ssl, in, inSz, out, outSz, keyBuf, keySz, - ctx); - } - else -#endif /* HAVE_PK_CALLBACKS */ - { - ret = wc_RsaPublicEncrypt(in, inSz, out, *outSz, key, ssl->rng); - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - /* For positive response return in outSz */ - if (ret > 0) { - *outSz = ret; - ret = 0; - } - - WOLFSSL_LEAVE("RsaEnc", ret); - - return ret; -} - -#endif /* NO_RSA */ - -#ifdef HAVE_ECC - -int EccSign(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out, - word32* outSz, ecc_key* key, byte* keyBuf, word32 keySz, void* ctx) -{ - int ret; - - (void)ssl; - (void)keyBuf; - (void)keySz; - (void)ctx; - - WOLFSSL_ENTER("EccSign"); - -#if defined(HAVE_PK_CALLBACKS) - if (ssl->ctx->EccSignCb) { - ret = ssl->ctx->EccSignCb(ssl, in, inSz, out, outSz, keyBuf, - keySz, ctx); - } - else -#endif /* HAVE_PK_CALLBACKS */ - { - ret = wc_ecc_sign_hash(in, inSz, out, outSz, ssl->rng, key); - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("EccSign", ret); - - return ret; -} - -int EccVerify(WOLFSSL* ssl, const byte* in, word32 inSz, const byte* out, - word32 outSz, ecc_key* key, byte* keyBuf, word32 keySz, - void* ctx) -{ - int ret; - - (void)ssl; - (void)keyBuf; - (void)keySz; - (void)ctx; - - WOLFSSL_ENTER("EccVerify"); - -#ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->EccVerifyCb) { - ret = ssl->ctx->EccVerifyCb(ssl, in, inSz, out, outSz, keyBuf, keySz, - &ssl->eccVerifyRes, ctx); - } - else -#endif /* HAVE_PK_CALLBACKS */ - { - ret = wc_ecc_verify_hash(in, inSz, out, outSz, &ssl->eccVerifyRes, key); - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - } - else -#endif /* WOLFSSL_ASYNC_CRYPT */ - { - ret = (ret != 0 || ssl->eccVerifyRes == 0) ? VERIFY_SIGN_ERROR : 0; - } - - WOLFSSL_LEAVE("EccVerify", ret); - - return ret; -} - -#ifdef HAVE_PK_CALLBACKS - /* Gets ECC key for shared secret callback testing - * Client side: returns peer key - * Server side: returns private key - */ - static int EccGetKey(WOLFSSL* ssl, ecc_key** otherKey) - { - int ret = NO_PEER_KEY; - ecc_key* tmpKey = NULL; - - if (ssl == NULL || otherKey == NULL) { - return BAD_FUNC_ARG; - } - - if (ssl->options.side == WOLFSSL_CLIENT_END) { - if (ssl->specs.static_ecdh) { - if (!ssl->peerEccDsaKey || !ssl->peerEccDsaKeyPresent || - !ssl->peerEccDsaKey->dp) { - return NO_PEER_KEY; - } - tmpKey = (struct ecc_key*)ssl->peerEccDsaKey; - } - else { - if (!ssl->peerEccKey || !ssl->peerEccKeyPresent || - !ssl->peerEccKey->dp) { - return NO_PEER_KEY; - } - tmpKey = (struct ecc_key*)ssl->peerEccKey; - } - } - else if (ssl->options.side == WOLFSSL_SERVER_END) { - if (ssl->specs.static_ecdh) { - if (ssl->hsKey == NULL) { - return NO_PRIVATE_KEY; - } - tmpKey = (struct ecc_key*)ssl->hsKey; - } - else { - if (!ssl->eccTempKeyPresent) { - return NO_PRIVATE_KEY; - } - tmpKey = (struct ecc_key*)ssl->eccTempKey; - } - } - - if (tmpKey) { - *otherKey = tmpKey; - ret = 0; - } - - return ret; - } -#endif /* HAVE_PK_CALLBACKS */ - -int EccSharedSecret(WOLFSSL* ssl, ecc_key* priv_key, ecc_key* pub_key, - byte* pubKeyDer, word32* pubKeySz, byte* out, word32* outlen, - int side, void* ctx) -{ - int ret; - - (void)ssl; - (void)pubKeyDer; - (void)pubKeySz; - (void)side; - (void)ctx; - - WOLFSSL_ENTER("EccSharedSecret"); - -#ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->EccSharedSecretCb) { - ecc_key* otherKey = NULL; - - ret = EccGetKey(ssl, &otherKey); - if (ret == 0) { - ret = ssl->ctx->EccSharedSecretCb(ssl, otherKey, pubKeyDer, - pubKeySz, out, outlen, side, ctx); - } - } - else -#endif - { - ret = wc_ecc_shared_secret(priv_key, pub_key, out, outlen); - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &priv_key->asyncDev, - WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("EccSharedSecret", ret); - - return ret; -} - -int EccMakeKey(WOLFSSL* ssl, ecc_key* key, ecc_key* peer) -{ - int ret = 0; - int keySz = 0; - - WOLFSSL_ENTER("EccMakeKey"); - - if (peer == NULL) { - keySz = ssl->eccTempKeySz; - } - else { - keySz = peer->dp->size; - } - - if (ssl->ecdhCurveOID > 0) { - ret = wc_ecc_make_key_ex(ssl->rng, keySz, key, - wc_ecc_get_oid(ssl->ecdhCurveOID, NULL, NULL)); - } - else { - ret = wc_ecc_make_key(ssl->rng, keySz, key); - if (ret == 0) - ssl->ecdhCurveOID = key->dp->oidSum; - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_NONE); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("EccMakeKey", ret); - - return ret; -} - -#endif /* HAVE_ECC */ - -#endif /* !NO_CERTS */ - -#if !defined(NO_CERTS) || !defined(NO_PSK) -#if !defined(NO_DH) - -int DhGenKeyPair(WOLFSSL* ssl, DhKey* dhKey, - byte* priv, word32* privSz, - byte* pub, word32* pubSz) -{ - int ret; - - WOLFSSL_ENTER("DhGenKeyPair"); - - ret = wc_DhGenerateKeyPair(dhKey, ssl->rng, priv, privSz, pub, pubSz); - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &dhKey->asyncDev, WC_ASYNC_FLAG_NONE); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("DhGenKeyPair", ret); - - return ret; -} - -int DhAgree(WOLFSSL* ssl, DhKey* dhKey, - const byte* priv, word32 privSz, - const byte* otherPub, word32 otherPubSz, - byte* agree, word32* agreeSz) -{ - int ret; - - (void)ssl; - - WOLFSSL_ENTER("DhAgree"); - - ret = wc_DhAgree(dhKey, agree, agreeSz, priv, privSz, otherPub, otherPubSz); - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &dhKey->asyncDev, WC_ASYNC_FLAG_NONE); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("DhAgree", ret); - - return ret; -} - -#endif /* !NO_DH */ -#endif /* !NO_CERTS || !NO_PSK */ - - - -/* This function inherits a WOLFSSL_CTX's fields into an SSL object. - It is used during initialization and to switch an ssl's CTX with - wolfSSL_Set_SSL_CTX. Requires ssl->suites alloc and ssl-arrays with PSK - unless writeDup is on. - - ssl object to initialize - ctx parent factory - writeDup flag indicating this is a write dup only - - SSL_SUCCESS return value on success */ -int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) -{ - byte havePSK = 0; - byte haveAnon = 0; - byte newSSL; - byte haveRSA = 0; - (void) haveAnon; /* Squash unused var warnings */ - - if (!ssl || !ctx) - return BAD_FUNC_ARG; - - if (ssl->suites == NULL && !writeDup) - return BAD_FUNC_ARG; - - newSSL = ssl->ctx == NULL; /* Assign after null check */ - -#ifndef NO_PSK - if (ctx->server_hint[0] && ssl->arrays == NULL && !writeDup) { - return BAD_FUNC_ARG; /* needed for copy below */ - } -#endif - - -#ifndef NO_RSA - haveRSA = 1; -#endif -#ifndef NO_PSK - havePSK = ctx->havePSK; -#endif /* NO_PSK */ -#ifdef HAVE_ANON - haveAnon = ctx->haveAnon; -#endif /* HAVE_ANON*/ - - /* decrement previous CTX reference count if exists. - * This should only happen if switching ctxs!*/ - if (!newSSL) { - WOLFSSL_MSG("freeing old ctx to decrement reference count. Switching ctx."); - wolfSSL_CTX_free(ssl->ctx); - } - - /* increment CTX reference count */ - if (wc_LockMutex(&ctx->countMutex) != 0) { - WOLFSSL_MSG("Couldn't lock CTX count mutex"); - return BAD_MUTEX_E; - } - ctx->refCount++; - wc_UnLockMutex(&ctx->countMutex); - ssl->ctx = ctx; /* only for passing to calls, options could change */ - ssl->version = ctx->method->version; - -#ifdef HAVE_ECC - ssl->eccTempKeySz = ctx->eccTempKeySz; - ssl->pkCurveOID = ctx->pkCurveOID; - ssl->ecdhCurveOID = ctx->ecdhCurveOID; -#endif - -#ifdef OPENSSL_EXTRA - ssl->options.mask = ctx->mask; - ssl->CBIS = ctx->CBIS; -#endif - ssl->timeout = ctx->timeout; - ssl->verifyCallback = ctx->verifyCallback; - ssl->options.side = ctx->method->side; - ssl->options.downgrade = ctx->method->downgrade; - ssl->options.minDowngrade = ctx->minDowngrade; - - ssl->options.haveDH = ctx->haveDH; - ssl->options.haveNTRU = ctx->haveNTRU; - ssl->options.haveECDSAsig = ctx->haveECDSAsig; - ssl->options.haveECC = ctx->haveECC; - ssl->options.haveStaticECC = ctx->haveStaticECC; - -#ifndef NO_PSK - ssl->options.havePSK = ctx->havePSK; - ssl->options.client_psk_cb = ctx->client_psk_cb; - ssl->options.server_psk_cb = ctx->server_psk_cb; -#endif /* NO_PSK */ - -#ifdef HAVE_ANON - ssl->options.haveAnon = ctx->haveAnon; -#endif -#ifndef NO_DH - ssl->options.minDhKeySz = ctx->minDhKeySz; -#endif -#ifndef NO_RSA - ssl->options.minRsaKeySz = ctx->minRsaKeySz; -#endif -#ifdef HAVE_ECC - ssl->options.minEccKeySz = ctx->minEccKeySz; -#endif - - ssl->options.sessionCacheOff = ctx->sessionCacheOff; - ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff; -#ifdef HAVE_EXT_CACHE - ssl->options.internalCacheOff = ctx->internalCacheOff; -#endif - - ssl->options.verifyPeer = ctx->verifyPeer; - ssl->options.verifyNone = ctx->verifyNone; - ssl->options.failNoCert = ctx->failNoCert; - ssl->options.failNoCertxPSK = ctx->failNoCertxPSK; - ssl->options.sendVerify = ctx->sendVerify; - - ssl->options.partialWrite = ctx->partialWrite; - ssl->options.quietShutdown = ctx->quietShutdown; - ssl->options.groupMessages = ctx->groupMessages; - -#ifndef NO_DH - ssl->buffers.serverDH_P = ctx->serverDH_P; - ssl->buffers.serverDH_G = ctx->serverDH_G; -#endif - -#ifndef NO_CERTS - /* ctx still owns certificate, certChain, key, dh, and cm */ - ssl->buffers.certificate = ctx->certificate; - ssl->buffers.certChain = ctx->certChain; - ssl->buffers.key = ctx->privateKey; -#endif - -#ifdef WOLFSSL_ASYNC_CRYPT - ssl->devId = ctx->devId; -#endif - - if (writeDup == 0) { - -#ifndef NO_PSK - if (ctx->server_hint[0]) { /* set in CTX */ - XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint,MAX_PSK_ID_LEN); - ssl->arrays->server_hint[MAX_PSK_ID_LEN - 1] = '\0'; - } -#endif /* NO_PSK */ - - if (ctx->suites) - *ssl->suites = *ctx->suites; - else - XMEMSET(ssl->suites, 0, sizeof(Suites)); - - /* make sure server has DH parms, and add PSK if there, add NTRU too */ - if (ssl->options.side == WOLFSSL_SERVER_END) - InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); - else - InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, TRUE, - ssl->options.haveNTRU, ssl->options.haveECDSAsig, - ssl->options.haveECC, ssl->options.haveStaticECC, - ssl->options.side); - -#if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT) - /* make sure server has cert and key unless using PSK or Anon - * This should be true even if just switching ssl ctx */ - if (ssl->options.side == WOLFSSL_SERVER_END && !havePSK && !haveAnon) - if (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer - || !ssl->buffers.key || !ssl->buffers.key->buffer) { - WOLFSSL_MSG("Server missing certificate and/or private key"); - return NO_PRIVATE_KEY; - } -#endif - - } /* writeDup check */ - -#ifdef WOLFSSL_SESSION_EXPORT - #ifdef WOLFSSL_DTLS - ssl->dtls_export = ctx->dtls_export; /* export function for session */ - #endif -#endif - - ssl->CBIORecv = ctx->CBIORecv; - ssl->CBIOSend = ctx->CBIOSend; -#ifdef OPENSSL_EXTRA - ssl->readAhead = ctx->readAhead; -#endif - ssl->verifyDepth = ctx->verifyDepth; - - return SSL_SUCCESS; -} - -static int InitHashes(WOLFSSL* ssl) -{ - int ret; - - ssl->hsHashes = (HS_Hashes*)XMALLOC(sizeof(HS_Hashes), ssl->heap, - DYNAMIC_TYPE_HASHES); - if (ssl->hsHashes == NULL) { - WOLFSSL_MSG("HS_Hashes Memory error"); - return MEMORY_E; - } - XMEMSET(ssl->hsHashes, 0, sizeof(HS_Hashes)); - -#ifndef NO_OLD_TLS -#ifndef NO_MD5 - ret = wc_InitMd5_ex(&ssl->hsHashes->hashMd5, ssl->heap, ssl->devId); - if (ret != 0) - return ret; -#endif -#ifndef NO_SHA - ret = wc_InitSha_ex(&ssl->hsHashes->hashSha, ssl->heap, ssl->devId); - if (ret != 0) - return ret; -#endif -#endif /* !NO_OLD_TLS */ -#ifndef NO_SHA256 - ret = wc_InitSha256_ex(&ssl->hsHashes->hashSha256, ssl->heap, ssl->devId); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA384 - ret = wc_InitSha384_ex(&ssl->hsHashes->hashSha384, ssl->heap, ssl->devId); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA512 - ret = wc_InitSha512_ex(&ssl->hsHashes->hashSha512, ssl->heap, ssl->devId); - if (ret != 0) - return ret; -#endif - - return ret; -} - -static void FreeHashes(WOLFSSL* ssl) -{ - if (ssl->hsHashes) { -#ifndef NO_OLD_TLS - #ifndef NO_MD5 - wc_Md5Free(&ssl->hsHashes->hashMd5); - #endif - #ifndef NO_SHA - wc_ShaFree(&ssl->hsHashes->hashSha); - #endif -#endif /* !NO_OLD_TLS */ - #ifndef NO_SHA256 - wc_Sha256Free(&ssl->hsHashes->hashSha256); - #endif - #ifdef WOLFSSL_SHA384 - wc_Sha384Free(&ssl->hsHashes->hashSha384); - #endif - #ifdef WOLFSSL_SHA512 - wc_Sha512Free(&ssl->hsHashes->hashSha512); - #endif - - XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES); - ssl->hsHashes = NULL; - } -} - - -/* init everything to 0, NULL, default values before calling anything that may - fail so that destructor has a "good" state to cleanup - - ssl object to initialize - ctx parent factory - writeDup flag indicating this is a write dup only - - 0 on success */ -int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) -{ - int ret; - - XMEMSET(ssl, 0, sizeof(WOLFSSL)); - -#if defined(WOLFSSL_STATIC_MEMORY) - if (ctx->heap != NULL) { - WOLFSSL_HEAP_HINT* ssl_hint; - WOLFSSL_HEAP_HINT* ctx_hint; - - /* avoid derefrencing a test value */ - #ifdef WOLFSSL_HEAP_TEST - if (ctx->heap == (void*)WOLFSSL_HEAP_TEST) { - ssl->heap = ctx->heap; - } - else { - #endif - ssl->heap = (WOLFSSL_HEAP_HINT*)XMALLOC(sizeof(WOLFSSL_HEAP_HINT), - ctx->heap, DYNAMIC_TYPE_SSL); - if (ssl->heap == NULL) { - return MEMORY_E; - } - XMEMSET(ssl->heap, 0, sizeof(WOLFSSL_HEAP_HINT)); - ssl_hint = ((WOLFSSL_HEAP_HINT*)(ssl->heap)); - ctx_hint = ((WOLFSSL_HEAP_HINT*)(ctx->heap)); - - /* lock and check IO count / handshake count */ - if (wc_LockMutex(&(ctx_hint->memory->memory_mutex)) != 0) { - WOLFSSL_MSG("Bad memory_mutex lock"); - XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL); - ssl->heap = NULL; /* free and set to NULL for IO counter */ - return BAD_MUTEX_E; - } - if (ctx_hint->memory->maxHa > 0 && - ctx_hint->memory->maxHa <= ctx_hint->memory->curHa) { - WOLFSSL_MSG("At max number of handshakes for static memory"); - wc_UnLockMutex(&(ctx_hint->memory->memory_mutex)); - XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL); - ssl->heap = NULL; /* free and set to NULL for IO counter */ - return MEMORY_E; - } - - if (ctx_hint->memory->maxIO > 0 && - ctx_hint->memory->maxIO <= ctx_hint->memory->curIO) { - WOLFSSL_MSG("At max number of IO allowed for static memory"); - wc_UnLockMutex(&(ctx_hint->memory->memory_mutex)); - XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL); - ssl->heap = NULL; /* free and set to NULL for IO counter */ - return MEMORY_E; - } - ctx_hint->memory->curIO++; - ctx_hint->memory->curHa++; - ssl_hint->memory = ctx_hint->memory; - ssl_hint->haFlag = 1; - wc_UnLockMutex(&(ctx_hint->memory->memory_mutex)); - - /* check if tracking stats */ - if (ctx_hint->memory->flag & WOLFMEM_TRACK_STATS) { - ssl_hint->stats = (WOLFSSL_MEM_CONN_STATS*)XMALLOC( - sizeof(WOLFSSL_MEM_CONN_STATS), ctx->heap, DYNAMIC_TYPE_SSL); - if (ssl_hint->stats == NULL) { - return MEMORY_E; - } - XMEMSET(ssl_hint->stats, 0, sizeof(WOLFSSL_MEM_CONN_STATS)); - } - - /* check if using fixed IO buffers */ - if (ctx_hint->memory->flag & WOLFMEM_IO_POOL_FIXED) { - if (wc_LockMutex(&(ctx_hint->memory->memory_mutex)) != 0) { - WOLFSSL_MSG("Bad memory_mutex lock"); - return BAD_MUTEX_E; - } - if (SetFixedIO(ctx_hint->memory, &(ssl_hint->inBuf)) != 1) { - wc_UnLockMutex(&(ctx_hint->memory->memory_mutex)); - return MEMORY_E; - } - if (SetFixedIO(ctx_hint->memory, &(ssl_hint->outBuf)) != 1) { - wc_UnLockMutex(&(ctx_hint->memory->memory_mutex)); - return MEMORY_E; - } - if (ssl_hint->outBuf == NULL || ssl_hint->inBuf == NULL) { - WOLFSSL_MSG("Not enough memory to create fixed IO buffers"); - wc_UnLockMutex(&(ctx_hint->memory->memory_mutex)); - return MEMORY_E; - } - wc_UnLockMutex(&(ctx_hint->memory->memory_mutex)); - } - #ifdef WOLFSSL_HEAP_TEST - } - #endif - } - else { - ssl->heap = ctx->heap; - } -#else - ssl->heap = ctx->heap; /* carry over user heap without static memory */ -#endif /* WOLFSSL_STATIC_MEMORY */ - - ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer; - ssl->buffers.inputBuffer.bufferSize = STATIC_BUFFER_LEN; - - ssl->buffers.outputBuffer.buffer = ssl->buffers.outputBuffer.staticBuffer; - ssl->buffers.outputBuffer.bufferSize = STATIC_BUFFER_LEN; - -#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS) - InitX509(&ssl->peerCert, 0, ssl->heap); -#endif - - ssl->rfd = -1; /* set to invalid descriptor */ - ssl->wfd = -1; - ssl->devId = ctx->devId; /* device for async HW (from wolfAsync_DevOpen) */ - - ssl->IOCB_ReadCtx = &ssl->rfd; /* prevent invalid pointer access if not */ - ssl->IOCB_WriteCtx = &ssl->wfd; /* correctly set */ - -#ifdef HAVE_NETX - ssl->IOCB_ReadCtx = &ssl->nxCtx; /* default NetX IO ctx, same for read */ - ssl->IOCB_WriteCtx = &ssl->nxCtx; /* and write */ -#endif - - /* initialize states */ - ssl->options.serverState = NULL_STATE; - ssl->options.clientState = NULL_STATE; - ssl->options.connectState = CONNECT_BEGIN; - ssl->options.acceptState = ACCEPT_BEGIN; - ssl->options.handShakeState = NULL_STATE; - ssl->options.processReply = doProcessInit; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - ssl->options.buildMsgState = BUILD_MSG_BEGIN; - ssl->encrypt.state = CIPHER_STATE_BEGIN; - ssl->decrypt.state = CIPHER_STATE_BEGIN; - -#ifdef WOLFSSL_DTLS - #ifdef WOLFSSL_SCTP - ssl->options.dtlsSctp = ctx->dtlsSctp; - ssl->dtlsMtuSz = ctx->dtlsMtuSz; - ssl->dtls_expected_rx = ssl->dtlsMtuSz; - #else - ssl->dtls_expected_rx = MAX_MTU; - #endif - ssl->dtls_timeout_init = DTLS_TIMEOUT_INIT; - ssl->dtls_timeout_max = DTLS_TIMEOUT_MAX; - ssl->dtls_timeout = ssl->dtls_timeout_init; - ssl->buffers.dtlsCtx.rfd = -1; - ssl->buffers.dtlsCtx.wfd = -1; -#endif - - #ifndef NO_OLD_TLS - ssl->hmac = SSL_hmac; /* default to SSLv3 */ - #else - ssl->hmac = TLS_hmac; - #endif - - - ssl->cipher.ssl = ssl; - -#ifdef HAVE_EXTENDED_MASTER - ssl->options.haveEMS = ctx->haveEMS; -#endif - ssl->options.useClientOrder = ctx->useClientOrder; - -#ifdef HAVE_TLS_EXTENSIONS -#ifdef HAVE_MAX_FRAGMENT - ssl->max_fragment = MAX_RECORD_SIZE; -#endif -#ifdef HAVE_ALPN - ssl->alpn_client_list = NULL; - #ifdef WOLFSSL_NGINX - ssl->alpnSelect = ctx->alpnSelect; - ssl->alpnSelectArg = ctx->alpnSelectArg; - #endif -#endif -#ifdef HAVE_SUPPORTED_CURVES - ssl->options.userCurves = ctx->userCurves; -#endif -#endif /* HAVE_TLS_EXTENSIONS */ - - /* default alert state (none) */ - ssl->alert_history.last_rx.code = -1; - ssl->alert_history.last_rx.level = -1; - ssl->alert_history.last_tx.code = -1; - ssl->alert_history.last_tx.level = -1; - -#ifdef OPENSSL_EXTRA - /* copy over application session context ID */ - ssl->sessionCtxSz = ctx->sessionCtxSz; - XMEMCPY(ssl->sessionCtx, ctx->sessionCtx, ctx->sessionCtxSz); -#endif - - InitCiphers(ssl); - InitCipherSpecs(&ssl->specs); - - /* all done with init, now can return errors, call other stuff */ - - if (!writeDup) { - /* arrays */ - ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap, - DYNAMIC_TYPE_ARRAYS); - if (ssl->arrays == NULL) { - WOLFSSL_MSG("Arrays Memory error"); - return MEMORY_E; - } - XMEMSET(ssl->arrays, 0, sizeof(Arrays)); - ssl->arrays->preMasterSecret = (byte*)XMALLOC(ENCRYPT_LEN, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->arrays->preMasterSecret == NULL) { - return MEMORY_E; - } - XMEMSET(ssl->arrays->preMasterSecret, 0, ENCRYPT_LEN); - - /* suites */ - ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap, - DYNAMIC_TYPE_SUITES); - if (ssl->suites == NULL) { - WOLFSSL_MSG("Suites Memory error"); - return MEMORY_E; - } - } - - /* Initialize SSL with the appropriate fields from it's ctx */ - /* requires valid arrays and suites unless writeDup ing */ - if ((ret = SetSSL_CTX(ssl, ctx, writeDup)) != SSL_SUCCESS) - return ret; - - ssl->options.dtls = ssl->version.major == DTLS_MAJOR; - -#ifdef SINGLE_THREADED - ssl->rng = ctx->rng; /* CTX may have one, if so use it */ -#endif - - if (ssl->rng == NULL) { - /* RNG */ - ssl->rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), ssl->heap,DYNAMIC_TYPE_RNG); - if (ssl->rng == NULL) { - WOLFSSL_MSG("RNG Memory error"); - return MEMORY_E; - } - XMEMSET(ssl->rng, 0, sizeof(WC_RNG)); - ssl->options.weOwnRng = 1; - - /* FIPS RNG API does not accept a heap hint */ -#ifndef HAVE_FIPS - if ( (ret = wc_InitRng_ex(ssl->rng, ssl->heap, ssl->devId)) != 0) { - WOLFSSL_MSG("RNG Init error"); - return ret; - } -#else - if ( (ret = wc_InitRng(ssl->rng)) != 0) { - WOLFSSL_MSG("RNG Init error"); - return ret; - } -#endif - } - - if (writeDup) { - /* all done */ - return 0; - } - - /* hsHashes */ - ret = InitHashes(ssl); - if (ret != 0) - return ret; - -#ifdef SINGLE_THREADED - ssl->rng = ctx->rng; /* CTX may have one, if so use it */ -#endif - - if (ssl->rng == NULL) { - /* RNG */ - ssl->rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), ssl->heap,DYNAMIC_TYPE_RNG); - if (ssl->rng == NULL) { - WOLFSSL_MSG("RNG Memory error"); - return MEMORY_E; - } - XMEMSET(ssl->rng, 0, sizeof(WC_RNG)); - ssl->options.weOwnRng = 1; - - /* FIPS RNG API does not accept a heap hint */ -#ifndef HAVE_FIPS - if ( (ret = wc_InitRng_ex(ssl->rng, ssl->heap, ssl->devId)) != 0) { - WOLFSSL_MSG("RNG Init error"); - return ret; - } -#else - if ( (ret = wc_InitRng(ssl->rng)) != 0) { - WOLFSSL_MSG("RNG Init error"); - return ret; - } -#endif - } - -#if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_SERVER) - if (ssl->options.dtls && ssl->options.side == WOLFSSL_SERVER_END) { - ret = wolfSSL_DTLS_SetCookieSecret(ssl, NULL, 0); - if (ret != 0) { - WOLFSSL_MSG("DTLS Cookie Secret error"); - return ret; - } - } -#endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */ - -#ifdef HAVE_SECRET_CALLBACK - ssl->sessionSecretCb = NULL; - ssl->sessionSecretCtx = NULL; -#endif - -#ifdef HAVE_SESSION_TICKET - ssl->session.ticket = ssl->session.staticTicket; -#endif - return 0; -} - - -/* free use of temporary arrays */ -void FreeArrays(WOLFSSL* ssl, int keep) -{ - if (ssl->arrays) { - if (keep) { - /* keeps session id for user retrieval */ - XMEMCPY(ssl->session.sessionID, ssl->arrays->sessionID, ID_LEN); - ssl->session.sessionIDSz = ssl->arrays->sessionIDSz; - } - if (ssl->arrays->preMasterSecret) { - XFREE(ssl->arrays->preMasterSecret, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - ssl->arrays->preMasterSecret = NULL; - } - XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS); - ssl->arrays->pendingMsg = NULL; - ForceZero(ssl->arrays, sizeof(Arrays)); /* clear arrays struct */ - } - XFREE(ssl->arrays, ssl->heap, DYNAMIC_TYPE_ARRAYS); - ssl->arrays = NULL; -} - -void FreeKey(WOLFSSL* ssl, int type, void** pKey) -{ - if (ssl && pKey && *pKey) { - switch (type) { - #ifndef NO_RSA - case DYNAMIC_TYPE_RSA: - wc_FreeRsaKey((RsaKey*)*pKey); - break; - #endif /* ! NO_RSA */ - #ifdef HAVE_ECC - case DYNAMIC_TYPE_ECC: - wc_ecc_free((ecc_key*)*pKey); - break; - #endif /* HAVE_ECC */ - #ifndef NO_DH - case DYNAMIC_TYPE_DH: - wc_FreeDhKey((DhKey*)*pKey); - break; - #endif /* !NO_DH */ - default: - break; - } - XFREE(*pKey, ssl->heap, type); - - /* Reset pointer */ - *pKey = NULL; - } -} - -int AllocKey(WOLFSSL* ssl, int type, void** pKey) -{ - int ret = BAD_FUNC_ARG; - int sz = 0; - - if (ssl == NULL || pKey == NULL) { - return BAD_FUNC_ARG; - } - - /* Sanity check key destination */ - if (*pKey != NULL) { - WOLFSSL_MSG("Key already present!"); - return BAD_STATE_E; - } - - /* Determine size */ - switch (type) { - case DYNAMIC_TYPE_RSA: - #ifndef NO_RSA - sz = sizeof(RsaKey); - #endif /* ! NO_RSA */ - break; - case DYNAMIC_TYPE_ECC: - #ifdef HAVE_ECC - sz = sizeof(ecc_key); - #endif /* HAVE_ECC */ - break; - case DYNAMIC_TYPE_DH: - #ifndef NO_DH - sz = sizeof(DhKey); - #endif /* !NO_DH */ - break; - default: - return BAD_FUNC_ARG; - } - - if (sz == 0) { - return NOT_COMPILED_IN; - } - - /* Allocate memeory for key */ - *pKey = XMALLOC(sz, ssl->heap, type); - if (*pKey == NULL) { - return MEMORY_E; - } - - /* Initialize key */ - switch (type) { - #ifndef NO_RSA - case DYNAMIC_TYPE_RSA: - ret = wc_InitRsaKey_ex((RsaKey*)*pKey, ssl->heap, ssl->devId); - break; - #endif /* ! NO_RSA */ - #ifdef HAVE_ECC - case DYNAMIC_TYPE_ECC: - ret = wc_ecc_init_ex((ecc_key*)*pKey, ssl->heap, ssl->devId); - break; - #endif /* HAVE_ECC */ - #ifndef NO_DH - case DYNAMIC_TYPE_DH: - ret = wc_InitDhKey_ex((DhKey*)*pKey, ssl->heap, ssl->devId); - break; - #endif /* !NO_DH */ - default: - return BAD_FUNC_ARG; - } - - /* On error free handshake key */ - if (ret != 0) { - FreeKey(ssl, type, pKey); - } - - return ret; -} - -static void FreeKeyExchange(WOLFSSL* ssl) -{ - /* Cleanup signature buffer */ - if (ssl->buffers.sig.buffer) { - XFREE(ssl->buffers.sig.buffer, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - ssl->buffers.sig.buffer = NULL; - ssl->buffers.sig.length = 0; - } - - /* Cleanup digest buffer */ - if (ssl->buffers.digest.buffer) { - XFREE(ssl->buffers.digest.buffer, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - ssl->buffers.digest.buffer = NULL; - ssl->buffers.digest.length = 0; - } - - /* Free handshake key */ - FreeKey(ssl, ssl->hsType, &ssl->hsKey); - -#ifndef NO_DH - /* Free temp DH key */ - FreeKey(ssl, DYNAMIC_TYPE_DH, (void**)&ssl->buffers.serverDH_Key); -#endif - - /* Cleanup async */ -#ifdef WOLFSSL_ASYNC_CRYPT - if (ssl->async.freeArgs) { - ssl->async.freeArgs(ssl, ssl->async.args); - ssl->async.freeArgs = NULL; - } -#endif -} - -/* In case holding SSL object in array and don't want to free actual ssl */ -void SSL_ResourceFree(WOLFSSL* ssl) -{ - /* Note: any resources used during the handshake should be released in the - * function FreeHandshakeResources(). Be careful with the special cases - * like the RNG which may optionally be kept for the whole session. (For - * example with the RNG, it isn't used beyond the handshake except when - * using stream ciphers where it is retained. */ - - FreeCiphers(ssl); - FreeArrays(ssl, 0); - FreeKeyExchange(ssl); - if (ssl->options.weOwnRng) { - wc_FreeRng(ssl->rng); - XFREE(ssl->rng, ssl->heap, DYNAMIC_TYPE_RNG); - } - XFREE(ssl->suites, ssl->heap, DYNAMIC_TYPE_SUITES); - FreeHashes(ssl); - XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN); - - /* clear keys struct after session */ - ForceZero(&ssl->keys, sizeof(Keys)); - -#ifndef NO_DH - if (ssl->buffers.serverDH_Priv.buffer) { - ForceZero(ssl->buffers.serverDH_Priv.buffer, - ssl->buffers.serverDH_Priv.length); - } - XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - /* parameters (p,g) may be owned by ctx */ - if (ssl->buffers.weOwnDH || ssl->options.side == WOLFSSL_CLIENT_END) { - XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - } -#endif /* !NO_DH */ -#ifndef NO_CERTS - ssl->keepCert = 0; /* make sure certificate is free'd */ - wolfSSL_UnloadCertsKeys(ssl); -#endif -#ifndef NO_RSA - FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey); - ssl->peerRsaKeyPresent = 0; -#endif - if (ssl->buffers.inputBuffer.dynamicFlag) - ShrinkInputBuffer(ssl, FORCED_FREE); - if (ssl->buffers.outputBuffer.dynamicFlag) - ShrinkOutputBuffer(ssl); -#ifdef WOLFSSL_DTLS - DtlsMsgPoolReset(ssl); - if (ssl->dtls_rx_msg_list != NULL) { - DtlsMsgListDelete(ssl->dtls_rx_msg_list, ssl->heap); - ssl->dtls_rx_msg_list = NULL; - ssl->dtls_rx_msg_list_sz = 0; - } - XFREE(ssl->buffers.dtlsCtx.peer.sa, ssl->heap, DYNAMIC_TYPE_SOCKADDR); - ssl->buffers.dtlsCtx.peer.sa = NULL; -#ifndef NO_WOLFSSL_SERVER - XFREE(ssl->buffers.dtlsCookieSecret.buffer, ssl->heap, - DYNAMIC_TYPE_COOKIE_PWD); -#endif -#endif /* WOLFSSL_DTLS */ -#if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS) - if (ssl->biord != ssl->biowr) /* only free write if different */ - wolfSSL_BIO_free(ssl->biowr); - wolfSSL_BIO_free(ssl->biord); /* always free read bio */ -#endif -#ifdef HAVE_LIBZ - FreeStreams(ssl); -#endif -#ifdef HAVE_ECC - FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccKey); - ssl->peerEccKeyPresent = 0; - FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey); - ssl->peerEccDsaKeyPresent = 0; - FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->eccTempKey); - ssl->eccTempKeyPresent = 0; -#endif /* HAVE_ECC */ -#ifdef HAVE_PK_CALLBACKS - #ifdef HAVE_ECC - XFREE(ssl->buffers.peerEccDsaKey.buffer, ssl->heap, DYNAMIC_TYPE_ECC); - #endif /* HAVE_ECC */ - #ifndef NO_RSA - XFREE(ssl->buffers.peerRsaKey.buffer, ssl->heap, DYNAMIC_TYPE_RSA); - #endif /* NO_RSA */ -#endif /* HAVE_PK_CALLBACKS */ -#ifdef HAVE_TLS_EXTENSIONS - TLSX_FreeAll(ssl->extensions, ssl->heap); - -#ifdef HAVE_ALPN - if (ssl->alpn_client_list != NULL) { - XFREE(ssl->alpn_client_list, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - ssl->alpn_client_list = NULL; - } -#endif -#endif /* HAVE_TLS_EXTENSIONS */ -#ifdef HAVE_NETX - if (ssl->nxCtx.nxPacket) - nx_packet_release(ssl->nxCtx.nxPacket); -#endif -#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS) - FreeX509(&ssl->peerCert); -#endif - -#ifdef HAVE_SESSION_TICKET - if (ssl->session.isDynamic) { - XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - ssl->session.ticket = ssl->session.staticTicket; - ssl->session.isDynamic = 0; - ssl->session.ticketLen = 0; - } -#endif -#ifdef HAVE_EXT_CACHE - wolfSSL_SESSION_free(ssl->extSession); -#endif -#ifdef HAVE_WRITE_DUP - if (ssl->dupWrite) { - FreeWriteDup(ssl); - } -#endif - -#ifdef WOLFSSL_STATIC_MEMORY - /* check if using fixed io buffers and free them */ - if (ssl->heap != NULL) { - #ifdef WOLFSSL_HEAP_TEST - /* avoid dereferencing a test value */ - if (ssl->heap != (void*)WOLFSSL_HEAP_TEST) { - #endif - WOLFSSL_HEAP_HINT* ssl_hint = (WOLFSSL_HEAP_HINT*)ssl->heap; - WOLFSSL_HEAP* ctx_heap; - - ctx_heap = ssl_hint->memory; - if (wc_LockMutex(&(ctx_heap->memory_mutex)) != 0) { - WOLFSSL_MSG("Bad memory_mutex lock"); - } - ctx_heap->curIO--; - if (FreeFixedIO(ctx_heap, &(ssl_hint->outBuf)) != 1) { - WOLFSSL_MSG("Error freeing fixed output buffer"); - } - if (FreeFixedIO(ctx_heap, &(ssl_hint->inBuf)) != 1) { - WOLFSSL_MSG("Error freeing fixed output buffer"); - } - if (ssl_hint->haFlag) { /* check if handshake count has been decreased*/ - ctx_heap->curHa--; - } - wc_UnLockMutex(&(ctx_heap->memory_mutex)); - - /* check if tracking stats */ - if (ctx_heap->flag & WOLFMEM_TRACK_STATS) { - XFREE(ssl_hint->stats, ssl->ctx->heap, DYNAMIC_TYPE_SSL); - } - XFREE(ssl->heap, ssl->ctx->heap, DYNAMIC_TYPE_SSL); - #ifdef WOLFSSL_HEAP_TEST - } - #endif - } -#endif /* WOLFSSL_STATIC_MEMORY */ -} - -/* Free any handshake resources no longer needed */ -void FreeHandshakeResources(WOLFSSL* ssl) -{ - -#ifdef HAVE_SECURE_RENEGOTIATION - if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) { - WOLFSSL_MSG("Secure Renegotiation needs to retain handshake resources"); - return; - } -#endif - - /* input buffer */ - if (ssl->buffers.inputBuffer.dynamicFlag) - ShrinkInputBuffer(ssl, NO_FORCED_FREE); - - /* suites */ - XFREE(ssl->suites, ssl->heap, DYNAMIC_TYPE_SUITES); - ssl->suites = NULL; - - /* hsHashes */ - FreeHashes(ssl); - - /* RNG */ - if (ssl->specs.cipher_type == stream || ssl->options.tls1_1 == 0) { - if (ssl->options.weOwnRng) { - wc_FreeRng(ssl->rng); - XFREE(ssl->rng, ssl->heap, DYNAMIC_TYPE_RNG); - ssl->rng = NULL; - ssl->options.weOwnRng = 0; - } - } - -#ifdef WOLFSSL_DTLS - /* DTLS_POOL */ - if (ssl->options.dtls) { - DtlsMsgPoolReset(ssl); - DtlsMsgListDelete(ssl->dtls_rx_msg_list, ssl->heap); - ssl->dtls_rx_msg_list = NULL; - ssl->dtls_rx_msg_list_sz = 0; - } -#endif - - /* arrays */ - if (ssl->options.saveArrays == 0) - FreeArrays(ssl, 1); - -#ifndef NO_RSA - /* peerRsaKey */ - FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey); - ssl->peerRsaKeyPresent = 0; -#endif - -#ifdef HAVE_ECC - FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccKey); - ssl->peerEccKeyPresent = 0; - FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey); - ssl->peerEccDsaKeyPresent = 0; - FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->eccTempKey); - ssl->eccTempKeyPresent = 0; -#endif /* HAVE_ECC */ -#ifndef NO_DH - if (ssl->buffers.serverDH_Priv.buffer) { - ForceZero(ssl->buffers.serverDH_Priv.buffer, - ssl->buffers.serverDH_Priv.length); - } - XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - ssl->buffers.serverDH_Priv.buffer = NULL; - XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - ssl->buffers.serverDH_Pub.buffer = NULL; - /* parameters (p,g) may be owned by ctx */ - if (ssl->buffers.weOwnDH || ssl->options.side == WOLFSSL_CLIENT_END) { - XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - ssl->buffers.serverDH_G.buffer = NULL; - XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - ssl->buffers.serverDH_P.buffer = NULL; - } -#endif /* !NO_DH */ -#ifndef NO_CERTS - wolfSSL_UnloadCertsKeys(ssl); -#endif -#ifdef HAVE_PK_CALLBACKS - #ifdef HAVE_ECC - XFREE(ssl->buffers.peerEccDsaKey.buffer, ssl->heap, DYNAMIC_TYPE_ECC); - ssl->buffers.peerEccDsaKey.buffer = NULL; - #endif /* HAVE_ECC */ - #ifndef NO_RSA - XFREE(ssl->buffers.peerRsaKey.buffer, ssl->heap, DYNAMIC_TYPE_RSA); - ssl->buffers.peerRsaKey.buffer = NULL; - #endif /* NO_RSA */ -#endif /* HAVE_PK_CALLBACKS */ - -#ifdef HAVE_QSH - QSH_FreeAll(ssl); -#endif - -#ifdef HAVE_SESSION_TICKET - if (ssl->session.isDynamic) { - XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - ssl->session.ticket = ssl->session.staticTicket; - ssl->session.isDynamic = 0; - ssl->session.ticketLen = 0; - } -#endif - -#ifdef WOLFSSL_STATIC_MEMORY - /* when done with handshake decrement current handshake count */ - if (ssl->heap != NULL) { - #ifdef WOLFSSL_HEAP_TEST - /* avoid dereferencing a test value */ - if (ssl->heap != (void*)WOLFSSL_HEAP_TEST) { - #endif - WOLFSSL_HEAP_HINT* ssl_hint = (WOLFSSL_HEAP_HINT*)ssl->heap; - WOLFSSL_HEAP* ctx_heap; - - ctx_heap = ssl_hint->memory; - if (wc_LockMutex(&(ctx_heap->memory_mutex)) != 0) { - WOLFSSL_MSG("Bad memory_mutex lock"); - } - ctx_heap->curHa--; - ssl_hint->haFlag = 0; /* set to zero since handshake has been dec */ - wc_UnLockMutex(&(ctx_heap->memory_mutex)); - #ifdef WOLFSSL_HEAP_TEST - } - #endif - } -#endif /* WOLFSSL_STATIC_MEMORY */ -} - - -/* heap argument is the heap hint used when creating SSL */ -void FreeSSL(WOLFSSL* ssl, void* heap) -{ - if (ssl->ctx) { - FreeSSL_Ctx(ssl->ctx); /* will decrement and free underyling CTX if 0 */ - } - SSL_ResourceFree(ssl); - XFREE(ssl, heap, DYNAMIC_TYPE_SSL); - (void)heap; -} - - -#if !defined(NO_OLD_TLS) || defined(HAVE_CHACHA) || defined(HAVE_AESCCM) \ - || defined(HAVE_AESGCM) || defined(WOLFSSL_DTLS) -static INLINE void GetSEQIncrement(WOLFSSL* ssl, int verify, word32 seq[2]) -{ - if (verify) { - seq[0] = ssl->keys.peer_sequence_number_hi; - seq[1] = ssl->keys.peer_sequence_number_lo++; - if (seq[1] > ssl->keys.peer_sequence_number_lo) { - /* handle rollover */ - ssl->keys.peer_sequence_number_hi++; - } - } - else { - seq[0] = ssl->keys.sequence_number_hi; - seq[1] = ssl->keys.sequence_number_lo++; - if (seq[1] > ssl->keys.sequence_number_lo) { - /* handle rollover */ - ssl->keys.sequence_number_hi++; - } - } -} - - -#ifdef WOLFSSL_DTLS -static INLINE void DtlsGetSEQ(WOLFSSL* ssl, int order, word32 seq[2]) -{ - if (order == PREV_ORDER) { - /* Previous epoch case */ - seq[0] = ((ssl->keys.dtls_epoch - 1) << 16) | - (ssl->keys.dtls_prev_sequence_number_hi & 0xFFFF); - seq[1] = ssl->keys.dtls_prev_sequence_number_lo; - } - else if (order == PEER_ORDER) { - seq[0] = (ssl->keys.curEpoch << 16) | - (ssl->keys.curSeq_hi & 0xFFFF); - seq[1] = ssl->keys.curSeq_lo; /* explicit from peer */ - } - else { - seq[0] = (ssl->keys.dtls_epoch << 16) | - (ssl->keys.dtls_sequence_number_hi & 0xFFFF); - seq[1] = ssl->keys.dtls_sequence_number_lo; - } -} - -static INLINE void DtlsSEQIncrement(WOLFSSL* ssl, int order) -{ - word32 seq; - - if (order == PREV_ORDER) { - seq = ssl->keys.dtls_prev_sequence_number_lo++; - if (seq > ssl->keys.dtls_prev_sequence_number_lo) { - /* handle rollover */ - ssl->keys.dtls_prev_sequence_number_hi++; - } - } - else if (order == PEER_ORDER) { - seq = ssl->keys.peer_sequence_number_lo++; - if (seq > ssl->keys.peer_sequence_number_lo) { - /* handle rollover */ - ssl->keys.peer_sequence_number_hi++; - } - } - else { - seq = ssl->keys.dtls_sequence_number_lo++; - if (seq > ssl->keys.dtls_sequence_number_lo) { - /* handle rollover */ - ssl->keys.dtls_sequence_number_hi++; - } - } -} -#endif /* WOLFSSL_DTLS */ - - -static INLINE void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out) -{ - word32 seq[2] = {0, 0}; - - if (!ssl->options.dtls) { - GetSEQIncrement(ssl, verifyOrder, seq); - } - else { -#ifdef WOLFSSL_DTLS - DtlsGetSEQ(ssl, verifyOrder, seq); -#endif - } - - c32toa(seq[0], out); - c32toa(seq[1], out + OPAQUE32_LEN); -} -#endif - - -#ifdef WOLFSSL_DTLS - -/* functions for managing DTLS datagram reordering */ - -/* Need to allocate space for the handshake message header. The hashing - * routines assume the message pointer is still within the buffer that - * has the headers, and will include those headers in the hash. The store - * routines need to take that into account as well. New will allocate - * extra space for the headers. */ -DtlsMsg* DtlsMsgNew(word32 sz, void* heap) -{ - DtlsMsg* msg = NULL; - - (void)heap; - msg = (DtlsMsg*)XMALLOC(sizeof(DtlsMsg), heap, DYNAMIC_TYPE_DTLS_MSG); - - if (msg != NULL) { - XMEMSET(msg, 0, sizeof(DtlsMsg)); - msg->buf = (byte*)XMALLOC(sz + DTLS_HANDSHAKE_HEADER_SZ, - heap, DYNAMIC_TYPE_DTLS_BUFFER); - if (msg->buf != NULL) { - msg->sz = sz; - msg->type = no_shake; - msg->msg = msg->buf + DTLS_HANDSHAKE_HEADER_SZ; - } - else { - XFREE(msg, heap, DYNAMIC_TYPE_DTLS_MSG); - msg = NULL; - } - } - - return msg; -} - -void DtlsMsgDelete(DtlsMsg* item, void* heap) -{ - (void)heap; - - if (item != NULL) { - DtlsFrag* cur = item->fragList; - while (cur != NULL) { - DtlsFrag* next = cur->next; - XFREE(cur, heap, DYNAMIC_TYPE_DTLS_FRAG); - cur = next; - } - if (item->buf != NULL) - XFREE(item->buf, heap, DYNAMIC_TYPE_DTLS_BUFFER); - XFREE(item, heap, DYNAMIC_TYPE_DTLS_MSG); - } -} - - -void DtlsMsgListDelete(DtlsMsg* head, void* heap) -{ - DtlsMsg* next; - while (head) { - next = head->next; - DtlsMsgDelete(head, heap); - head = next; - } -} - - -/* Create a DTLS Fragment from *begin - end, adjust new *begin and bytesLeft */ -static DtlsFrag* CreateFragment(word32* begin, word32 end, const byte* data, - byte* buf, word32* bytesLeft, void* heap) -{ - DtlsFrag* newFrag; - word32 added = end - *begin + 1; - - (void)heap; - newFrag = (DtlsFrag*)XMALLOC(sizeof(DtlsFrag), heap, - DYNAMIC_TYPE_DTLS_FRAG); - if (newFrag != NULL) { - newFrag->next = NULL; - newFrag->begin = *begin; - newFrag->end = end; - - XMEMCPY(buf + *begin, data, added); - *bytesLeft -= added; - *begin = newFrag->end + 1; - } - - return newFrag; -} - - -int DtlsMsgSet(DtlsMsg* msg, word32 seq, const byte* data, byte type, - word32 fragOffset, word32 fragSz, void* heap) -{ - if (msg != NULL && data != NULL && msg->fragSz <= msg->sz && - (fragOffset + fragSz) <= msg->sz) { - DtlsFrag* cur = msg->fragList; - DtlsFrag* prev = cur; - DtlsFrag* newFrag; - word32 bytesLeft = fragSz; /* could be overlapping fragment */ - word32 startOffset = fragOffset; - word32 added; - - msg->seq = seq; - msg->type = type; - - if (fragOffset == 0) { - XMEMCPY(msg->buf, data - DTLS_HANDSHAKE_HEADER_SZ, - DTLS_HANDSHAKE_HEADER_SZ); - c32to24(msg->sz, msg->msg - DTLS_HANDSHAKE_FRAG_SZ); - } - - /* if no mesage data, just return */ - if (fragSz == 0) - return 0; - - /* if list is empty add full fragment to front */ - if (cur == NULL) { - newFrag = CreateFragment(&fragOffset, fragOffset + fragSz - 1, data, - msg->msg, &bytesLeft, heap); - if (newFrag == NULL) - return MEMORY_E; - - msg->fragSz = fragSz; - msg->fragList = newFrag; - - return 0; - } - - /* add to front if before current front, up to next->begin */ - if (fragOffset < cur->begin) { - word32 end = fragOffset + fragSz - 1; - - if (end >= cur->begin) - end = cur->begin - 1; - - added = end - fragOffset + 1; - newFrag = CreateFragment(&fragOffset, end, data, msg->msg, - &bytesLeft, heap); - if (newFrag == NULL) - return MEMORY_E; - - msg->fragSz += added; - - newFrag->next = cur; - msg->fragList = newFrag; - } - - /* while we have bytes left, try to find a gap to fill */ - while (bytesLeft > 0) { - /* get previous packet in list */ - while (cur && (fragOffset >= cur->begin)) { - prev = cur; - cur = cur->next; - } - - /* don't add duplicate data */ - if (prev->end >= fragOffset) { - if ( (fragOffset + bytesLeft - 1) <= prev->end) - return 0; - fragOffset = prev->end + 1; - bytesLeft = startOffset + fragSz - fragOffset; - } - - if (cur == NULL) - /* we're at the end */ - added = bytesLeft; - else - /* we're in between two frames */ - added = min(bytesLeft, cur->begin - fragOffset); - - /* data already there */ - if (added == 0) - continue; - - newFrag = CreateFragment(&fragOffset, fragOffset + added - 1, - data + fragOffset - startOffset, - msg->msg, &bytesLeft, heap); - if (newFrag == NULL) - return MEMORY_E; - - msg->fragSz += added; - - newFrag->next = prev->next; - prev->next = newFrag; - } - } - - return 0; -} - - -DtlsMsg* DtlsMsgFind(DtlsMsg* head, word32 seq) -{ - while (head != NULL && head->seq != seq) { - head = head->next; - } - return head; -} - - -void DtlsMsgStore(WOLFSSL* ssl, word32 seq, const byte* data, - word32 dataSz, byte type, word32 fragOffset, word32 fragSz, void* heap) -{ - /* See if seq exists in the list. If it isn't in the list, make - * a new item of size dataSz, copy fragSz bytes from data to msg->msg - * starting at offset fragOffset, and add fragSz to msg->fragSz. If - * the seq is in the list and it isn't full, copy fragSz bytes from - * data to msg->msg starting at offset fragOffset, and add fragSz to - * msg->fragSz. Insertions take into account data already in the list - * in case there are overlaps in the handshake message due to retransmit - * messages. The new item should be inserted into the list in its - * proper position. - * - * 1. Find seq in list, or where seq should go in list. If seq not in - * list, create new item and insert into list. Either case, keep - * pointer to item. - * 2. Copy the data from the message to the stored message where it - * belongs without overlaps. - */ - - DtlsMsg* head = ssl->dtls_rx_msg_list; - - if (head != NULL) { - DtlsMsg* cur = DtlsMsgFind(head, seq); - if (cur == NULL) { - cur = DtlsMsgNew(dataSz, heap); - if (cur != NULL) { - if (DtlsMsgSet(cur, seq, data, type, - fragOffset, fragSz, heap) < 0) { - DtlsMsgDelete(cur, heap); - } - else { - ssl->dtls_rx_msg_list_sz++; - head = DtlsMsgInsert(head, cur); - } - } - } - else { - /* If this fails, the data is just dropped. */ - DtlsMsgSet(cur, seq, data, type, fragOffset, fragSz, heap); - } - } - else { - head = DtlsMsgNew(dataSz, heap); - if (DtlsMsgSet(head, seq, data, type, fragOffset, fragSz, heap) < 0) { - DtlsMsgDelete(head, heap); - head = NULL; - } - else { - ssl->dtls_rx_msg_list_sz++; - } - } - - ssl->dtls_rx_msg_list = head; -} - - -/* DtlsMsgInsert() is an in-order insert. */ -DtlsMsg* DtlsMsgInsert(DtlsMsg* head, DtlsMsg* item) -{ - if (head == NULL || item->seq < head->seq) { - item->next = head; - head = item; - } - else if (head->next == NULL) { - head->next = item; - } - else { - DtlsMsg* cur = head->next; - DtlsMsg* prev = head; - while (cur) { - if (item->seq < cur->seq) { - item->next = cur; - prev->next = item; - break; - } - prev = cur; - cur = cur->next; - } - if (cur == NULL) { - prev->next = item; - } - } - - return head; -} - - -/* DtlsMsgPoolSave() adds the message to the end of the stored transmit list. */ -int DtlsMsgPoolSave(WOLFSSL* ssl, const byte* data, word32 dataSz) -{ - DtlsMsg* item; - int ret = 0; - - if (ssl->dtls_tx_msg_list_sz > DTLS_POOL_SZ) - return DTLS_POOL_SZ_E; - - item = DtlsMsgNew(dataSz, ssl->heap); - - if (item != NULL) { - DtlsMsg* cur = ssl->dtls_tx_msg_list; - - XMEMCPY(item->buf, data, dataSz); - item->sz = dataSz; - item->seq = ssl->keys.dtls_epoch; - - if (cur == NULL) - ssl->dtls_tx_msg_list = item; - else { - while (cur->next) - cur = cur->next; - cur->next = item; - } - ssl->dtls_tx_msg_list_sz++; - } - else - ret = MEMORY_E; - - return ret; -} - - -/* DtlsMsgPoolTimeout() updates the timeout time. */ -int DtlsMsgPoolTimeout(WOLFSSL* ssl) -{ - int result = -1; - if (ssl->dtls_timeout < ssl->dtls_timeout_max) { - ssl->dtls_timeout *= DTLS_TIMEOUT_MULTIPLIER; - result = 0; - } - return result; -} - - -/* DtlsMsgPoolReset() deletes the stored transmit list and resets the timeout - * value. */ -void DtlsMsgPoolReset(WOLFSSL* ssl) -{ - if (ssl->dtls_tx_msg_list) { - DtlsMsgListDelete(ssl->dtls_tx_msg_list, ssl->heap); - ssl->dtls_tx_msg_list = NULL; - ssl->dtls_tx_msg_list_sz = 0; - ssl->dtls_timeout = ssl->dtls_timeout_init; - } -} - - -int VerifyForDtlsMsgPoolSend(WOLFSSL* ssl, byte type, word32 fragOffset) -{ - /** - * only the first message from previous flight should be valid - * to be used for triggering retransmission of whole DtlsMsgPool. - * change cipher suite type is not verified here - */ - return ((fragOffset == 0) && - (((ssl->options.side == WOLFSSL_SERVER_END) && - ((type == client_hello) || - ((ssl->options.verifyPeer) && (type == certificate)) || - ((!ssl->options.verifyPeer) && (type == client_key_exchange)))) || - ((ssl->options.side == WOLFSSL_CLIENT_END) && - (type == server_hello)))); -} - - -/* DtlsMsgPoolSend() will send the stored transmit list. The stored list is - * updated with new sequence numbers, and will be re-encrypted if needed. */ -int DtlsMsgPoolSend(WOLFSSL* ssl, int sendOnlyFirstPacket) -{ - int ret = 0; - DtlsMsg* pool = ssl->dtls_tx_msg_list; - - if (pool != NULL) { - - while (pool != NULL) { - if (pool->seq == 0) { - DtlsRecordLayerHeader* dtls; - int epochOrder; - - dtls = (DtlsRecordLayerHeader*)pool->buf; - /* If the stored record's epoch is 0, and the currently set - * epoch is 0, use the "current order" sequence number. - * If the stored record's epoch is 0 and the currently set - * epoch is not 0, the stored record is considered a "previous - * order" sequence number. */ - epochOrder = (ssl->keys.dtls_epoch == 0) ? - CUR_ORDER : PREV_ORDER; - - WriteSEQ(ssl, epochOrder, dtls->sequence_number); - DtlsSEQIncrement(ssl, epochOrder); - if ((ret = CheckAvailableSize(ssl, pool->sz)) != 0) - return ret; - - XMEMCPY(ssl->buffers.outputBuffer.buffer, - pool->buf, pool->sz); - ssl->buffers.outputBuffer.idx = 0; - ssl->buffers.outputBuffer.length = pool->sz; - } - else if (pool->seq == ssl->keys.dtls_epoch) { - byte* input; - byte* output; - int inputSz, sendSz; - - input = pool->buf; - inputSz = pool->sz; - sendSz = inputSz + MAX_MSG_EXTRA; - - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, - handshake, 0, 0, 0); - if (sendSz < 0) - return BUILD_MSG_ERROR; - - ssl->buffers.outputBuffer.length += sendSz; - } - - ret = SendBuffered(ssl); - if (ret < 0) { - return ret; - } - - /** - * on server side, retranmission is being triggered only by sending - * first message of given flight, in order to trigger client - * to retransmit its whole flight. Sending the whole previous flight - * could lead to retranmission of previous client flight for each - * server message from previous flight. Therefore one message should - * be enough to do the trick. - */ - if (sendOnlyFirstPacket && - ssl->options.side == WOLFSSL_SERVER_END) { - - pool = NULL; - } - else - pool = pool->next; - } - } - - return ret; -} - -#endif /* WOLFSSL_DTLS */ - -#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) - -ProtocolVersion MakeSSLv3(void) -{ - ProtocolVersion pv; - pv.major = SSLv3_MAJOR; - pv.minor = SSLv3_MINOR; - - return pv; -} - -#endif /* WOLFSSL_ALLOW_SSLV3 && !NO_OLD_TLS */ - - -#ifdef WOLFSSL_DTLS - -ProtocolVersion MakeDTLSv1(void) -{ - ProtocolVersion pv; - pv.major = DTLS_MAJOR; - pv.minor = DTLS_MINOR; - - return pv; -} - -ProtocolVersion MakeDTLSv1_2(void) -{ - ProtocolVersion pv; - pv.major = DTLS_MAJOR; - pv.minor = DTLSv1_2_MINOR; - - return pv; -} - -#endif /* WOLFSSL_DTLS */ - - - - -#if defined(USER_TICKS) -#if 0 - word32 LowResTimer(void) - { - /* - write your own clock tick function if don't want time(0) - needs second accuracy but doesn't have to correlated to EPOCH - */ - } -#endif - -#elif defined(TIME_OVERRIDES) - - /* use same asn time overrides unless user wants tick override above */ - - #ifndef HAVE_TIME_T_TYPE - typedef long time_t; - #endif - extern time_t XTIME(time_t * timer); - - word32 LowResTimer(void) - { - return (word32) XTIME(0); - } - -#elif defined(USE_WINDOWS_API) - - word32 LowResTimer(void) - { - static int init = 0; - static LARGE_INTEGER freq; - LARGE_INTEGER count; - - if (!init) { - QueryPerformanceFrequency(&freq); - init = 1; - } - - QueryPerformanceCounter(&count); - - return (word32)(count.QuadPart / freq.QuadPart); - } - -#elif defined(HAVE_RTP_SYS) - - #include "rtptime.h" - - word32 LowResTimer(void) - { - return (word32)rtp_get_system_sec(); - } - - -#elif defined(MICRIUM) - - word32 LowResTimer(void) - { - NET_SECURE_OS_TICK clk = 0; - - #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED) - clk = NetSecure_OS_TimeGet(); - #endif - return (word32)clk; - } - - -#elif defined(MICROCHIP_TCPIP_V5) - - word32 LowResTimer(void) - { - return (word32) (TickGet() / TICKS_PER_SECOND); - } - - -#elif defined(MICROCHIP_TCPIP) - - #if defined(MICROCHIP_MPLAB_HARMONY) - - #include - - word32 LowResTimer(void) - { - return (word32) (SYS_TMR_TickCountGet() / - SYS_TMR_TickCounterFrequencyGet()); - } - - #else - - word32 LowResTimer(void) - { - return (word32) (SYS_TICK_Get() / SYS_TICK_TicksPerSecondGet()); - } - - #endif - -#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) - - word32 LowResTimer(void) - { - TIME_STRUCT mqxTime; - - _time_get_elapsed(&mqxTime); - - return (word32) mqxTime.SECONDS; - } -#elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS) - - #include "include/task.h" - - unsigned int LowResTimer(void) - { - return (unsigned int)(((float)xTaskGetTickCount())/configTICK_RATE_HZ); - } - -#elif defined(FREESCALE_KSDK_BM) - - #include "lwip/sys.h" /* lwIP */ - word32 LowResTimer(void) - { - return sys_now()/1000; - } - -#elif defined(WOLFSSL_TIRTOS) - - word32 LowResTimer(void) - { - return (word32) Seconds_get(); - } - -#elif defined(WOLFSSL_UTASKER) - - word32 LowResTimer(void) - { - return (word32)(uTaskerSystemTick / TICK_RESOLUTION); - } - -#else - /* Posix style time */ - #include - - word32 LowResTimer(void) - { - return (word32)time(0); - } - - -#endif - - -#ifndef NO_CERTS -static int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz) -{ - int ret = 0; - - (void)output; - (void)sz; - -#ifdef HAVE_FUZZER - if (ssl->fuzzerCb) - ssl->fuzzerCb(ssl, output, sz, FUZZ_HASH, ssl->fuzzerCtx); -#endif -#ifndef NO_OLD_TLS -#ifndef NO_SHA - wc_ShaUpdate(&ssl->hsHashes->hashSha, output, sz); -#endif -#ifndef NO_MD5 - wc_Md5Update(&ssl->hsHashes->hashMd5, output, sz); -#endif -#endif /* NO_OLD_TLS */ - - if (IsAtLeastTLSv1_2(ssl)) { -#ifndef NO_SHA256 - ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, output, sz); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA384 - ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, output, sz); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA512 - ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, output, sz); - if (ret != 0) - return ret; -#endif - } - - return ret; -} -#endif /* NO_CERTS */ - - -/* add output to md5 and sha handshake hashes, exclude record header */ -static int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz) -{ - int ret = 0; - const byte* adj; - - adj = output + RECORD_HEADER_SZ + ivSz; - sz -= RECORD_HEADER_SZ; - -#ifdef HAVE_FUZZER - if (ssl->fuzzerCb) - ssl->fuzzerCb(ssl, output, sz, FUZZ_HASH, ssl->fuzzerCtx); -#endif -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - adj += DTLS_RECORD_EXTRA; - sz -= DTLS_RECORD_EXTRA; - } -#endif -#ifndef NO_OLD_TLS -#ifndef NO_SHA - wc_ShaUpdate(&ssl->hsHashes->hashSha, adj, sz); -#endif -#ifndef NO_MD5 - wc_Md5Update(&ssl->hsHashes->hashMd5, adj, sz); -#endif -#endif - - if (IsAtLeastTLSv1_2(ssl)) { -#ifndef NO_SHA256 - ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, adj, sz); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA384 - ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, adj, sz); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA512 - ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, adj, sz); - if (ret != 0) - return ret; -#endif - } - - return ret; -} - - -/* add input to md5 and sha handshake hashes, include handshake header */ -static int HashInput(WOLFSSL* ssl, const byte* input, int sz) -{ - int ret = 0; - const byte* adj; - - adj = input - HANDSHAKE_HEADER_SZ; - sz += HANDSHAKE_HEADER_SZ; - - (void)adj; - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - adj -= DTLS_HANDSHAKE_EXTRA; - sz += DTLS_HANDSHAKE_EXTRA; - } -#endif - - if (ssl->hsHashes == NULL) { - return BAD_FUNC_ARG; - } - -#ifndef NO_OLD_TLS -#ifndef NO_SHA - wc_ShaUpdate(&ssl->hsHashes->hashSha, adj, sz); -#endif -#ifndef NO_MD5 - wc_Md5Update(&ssl->hsHashes->hashMd5, adj, sz); -#endif -#endif - - if (IsAtLeastTLSv1_2(ssl)) { -#ifndef NO_SHA256 - ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, adj, sz); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA384 - ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, adj, sz); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA512 - ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, adj, sz); - if (ret != 0) - return ret; -#endif - } - - return ret; -} - - -/* add record layer header for message */ -static void AddRecordHeader(byte* output, word32 length, byte type, WOLFSSL* ssl) -{ - RecordLayerHeader* rl; - - /* record layer header */ - rl = (RecordLayerHeader*)output; - if (rl == NULL) { - return; - } - rl->type = type; - rl->pvMajor = ssl->version.major; /* type and version same in each */ - rl->pvMinor = ssl->version.minor; - -#ifdef WOLFSSL_ALTERNATIVE_DOWNGRADE - if (ssl->options.side == WOLFSSL_CLIENT_END - && ssl->options.connectState == CONNECT_BEGIN - && !ssl->options.resuming) { - rl->pvMinor = ssl->options.downgrade ? ssl->options.minDowngrade - : ssl->version.minor; - } -#endif - - if (!ssl->options.dtls) { - c16toa((word16)length, rl->length); - } - else { -#ifdef WOLFSSL_DTLS - DtlsRecordLayerHeader* dtls; - - /* dtls record layer header extensions */ - dtls = (DtlsRecordLayerHeader*)output; - WriteSEQ(ssl, 0, dtls->sequence_number); - c16toa((word16)length, dtls->length); -#endif - } -} - - -/* add handshake header for message */ -static void AddHandShakeHeader(byte* output, word32 length, - word32 fragOffset, word32 fragLength, - byte type, WOLFSSL* ssl) -{ - HandShakeHeader* hs; - (void)fragOffset; - (void)fragLength; - (void)ssl; - - /* handshake header */ - hs = (HandShakeHeader*)output; - hs->type = type; - c32to24(length, hs->length); /* type and length same for each */ -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - DtlsHandShakeHeader* dtls; - - /* dtls handshake header extensions */ - dtls = (DtlsHandShakeHeader*)output; - c16toa(ssl->keys.dtls_handshake_number++, dtls->message_seq); - c32to24(fragOffset, dtls->fragment_offset); - c32to24(fragLength, dtls->fragment_length); - } -#endif -} - - -/* add both headers for handshake message */ -static void AddHeaders(byte* output, word32 length, byte type, WOLFSSL* ssl) -{ - word32 lengthAdj = HANDSHAKE_HEADER_SZ; - word32 outputAdj = RECORD_HEADER_SZ; - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - lengthAdj += DTLS_HANDSHAKE_EXTRA; - outputAdj += DTLS_RECORD_EXTRA; - } -#endif - - AddRecordHeader(output, length + lengthAdj, handshake, ssl); - AddHandShakeHeader(output + outputAdj, length, 0, length, type, ssl); -} - - -#ifndef NO_CERTS -static void AddFragHeaders(byte* output, word32 fragSz, word32 fragOffset, - word32 length, byte type, WOLFSSL* ssl) -{ - word32 lengthAdj = HANDSHAKE_HEADER_SZ; - word32 outputAdj = RECORD_HEADER_SZ; - (void)fragSz; - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - lengthAdj += DTLS_HANDSHAKE_EXTRA; - outputAdj += DTLS_RECORD_EXTRA; - } -#endif - - AddRecordHeader(output, fragSz + lengthAdj, handshake, ssl); - AddHandShakeHeader(output + outputAdj, length, fragOffset, fragSz, type, ssl); -} -#endif /* NO_CERTS */ - - -/* return bytes received, -1 on error */ -static int Receive(WOLFSSL* ssl, byte* buf, word32 sz) -{ - int recvd; - - if (ssl->CBIORecv == NULL) { - WOLFSSL_MSG("Your IO Recv callback is null, please set"); - return -1; - } - -retry: - recvd = ssl->CBIORecv(ssl, (char *)buf, (int)sz, ssl->IOCB_ReadCtx); - if (recvd < 0) - switch (recvd) { - case WOLFSSL_CBIO_ERR_GENERAL: /* general/unknown error */ - return -1; - - case WOLFSSL_CBIO_ERR_WANT_READ: /* want read, would block */ - return WANT_READ; - - case WOLFSSL_CBIO_ERR_CONN_RST: /* connection reset */ - #ifdef USE_WINDOWS_API - if (ssl->options.dtls) { - goto retry; - } - #endif - ssl->options.connReset = 1; - return -1; - - case WOLFSSL_CBIO_ERR_ISR: /* interrupt */ - /* see if we got our timeout */ - #ifdef WOLFSSL_CALLBACKS - if (ssl->toInfoOn) { - struct itimerval timeout; - getitimer(ITIMER_REAL, &timeout); - if (timeout.it_value.tv_sec == 0 && - timeout.it_value.tv_usec == 0) { - XSTRNCPY(ssl->timeoutInfo.timeoutName, - "recv() timeout", MAX_TIMEOUT_NAME_SZ); - WOLFSSL_MSG("Got our timeout"); - return WANT_READ; - } - } - #endif - goto retry; - - case WOLFSSL_CBIO_ERR_CONN_CLOSE: /* peer closed connection */ - ssl->options.isClosed = 1; - return -1; - - case WOLFSSL_CBIO_ERR_TIMEOUT: - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl) && - !ssl->options.handShakeDone && - DtlsMsgPoolTimeout(ssl) == 0 && - DtlsMsgPoolSend(ssl, 0) == 0) { - - goto retry; - } - #endif - return -1; - - default: - return recvd; - } - - return recvd; -} - - -/* Switch dynamic output buffer back to static, buffer is assumed clear */ -void ShrinkOutputBuffer(WOLFSSL* ssl) -{ - WOLFSSL_MSG("Shrinking output buffer\n"); - XFREE(ssl->buffers.outputBuffer.buffer - ssl->buffers.outputBuffer.offset, - ssl->heap, DYNAMIC_TYPE_OUT_BUFFER); - ssl->buffers.outputBuffer.buffer = ssl->buffers.outputBuffer.staticBuffer; - ssl->buffers.outputBuffer.bufferSize = STATIC_BUFFER_LEN; - ssl->buffers.outputBuffer.dynamicFlag = 0; - ssl->buffers.outputBuffer.offset = 0; -} - - -/* Switch dynamic input buffer back to static, keep any remaining input */ -/* forced free means cleaning up */ -void ShrinkInputBuffer(WOLFSSL* ssl, int forcedFree) -{ - int usedLength = ssl->buffers.inputBuffer.length - - ssl->buffers.inputBuffer.idx; - if (!forcedFree && usedLength > STATIC_BUFFER_LEN) - return; - - WOLFSSL_MSG("Shrinking input buffer\n"); - - if (!forcedFree && usedLength > 0) - XMEMCPY(ssl->buffers.inputBuffer.staticBuffer, - ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx, - usedLength); - - XFREE(ssl->buffers.inputBuffer.buffer - ssl->buffers.inputBuffer.offset, - ssl->heap, DYNAMIC_TYPE_IN_BUFFER); - ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer; - ssl->buffers.inputBuffer.bufferSize = STATIC_BUFFER_LEN; - ssl->buffers.inputBuffer.dynamicFlag = 0; - ssl->buffers.inputBuffer.offset = 0; - ssl->buffers.inputBuffer.idx = 0; - ssl->buffers.inputBuffer.length = usedLength; -} - -int SendBuffered(WOLFSSL* ssl) -{ - if (ssl->CBIOSend == NULL) { - WOLFSSL_MSG("Your IO Send callback is null, please set"); - return SOCKET_ERROR_E; - } - - while (ssl->buffers.outputBuffer.length > 0) { - int sent = ssl->CBIOSend(ssl, - (char*)ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.idx, - (int)ssl->buffers.outputBuffer.length, - ssl->IOCB_WriteCtx); - if (sent < 0) { - switch (sent) { - - case WOLFSSL_CBIO_ERR_WANT_WRITE: /* would block */ - return WANT_WRITE; - - case WOLFSSL_CBIO_ERR_CONN_RST: /* connection reset */ - ssl->options.connReset = 1; - break; - - case WOLFSSL_CBIO_ERR_ISR: /* interrupt */ - /* see if we got our timeout */ - #ifdef WOLFSSL_CALLBACKS - if (ssl->toInfoOn) { - struct itimerval timeout; - getitimer(ITIMER_REAL, &timeout); - if (timeout.it_value.tv_sec == 0 && - timeout.it_value.tv_usec == 0) { - XSTRNCPY(ssl->timeoutInfo.timeoutName, - "send() timeout", MAX_TIMEOUT_NAME_SZ); - WOLFSSL_MSG("Got our timeout"); - return WANT_WRITE; - } - } - #endif - continue; - - case WOLFSSL_CBIO_ERR_CONN_CLOSE: /* epipe / conn closed */ - ssl->options.connReset = 1; /* treat same as reset */ - break; - - default: - return SOCKET_ERROR_E; - } - - return SOCKET_ERROR_E; - } - - if (sent > (int)ssl->buffers.outputBuffer.length) { - WOLFSSL_MSG("SendBuffered() out of bounds read"); - return SEND_OOB_READ_E; - } - - ssl->buffers.outputBuffer.idx += sent; - ssl->buffers.outputBuffer.length -= sent; - } - - ssl->buffers.outputBuffer.idx = 0; - - if (ssl->buffers.outputBuffer.dynamicFlag) - ShrinkOutputBuffer(ssl); - - return 0; -} - - -/* Grow the output buffer */ -static INLINE int GrowOutputBuffer(WOLFSSL* ssl, int size) -{ - byte* tmp; - byte hdrSz = ssl->options.dtls ? DTLS_RECORD_HEADER_SZ : - RECORD_HEADER_SZ; - byte align = WOLFSSL_GENERAL_ALIGNMENT; - /* the encrypted data will be offset from the front of the buffer by - the header, if the user wants encrypted alignment they need - to define their alignment requirement */ - - if (align) { - while (align < hdrSz) - align *= 2; - } - - tmp = (byte*) XMALLOC(size + ssl->buffers.outputBuffer.length + align, - ssl->heap, DYNAMIC_TYPE_OUT_BUFFER); - WOLFSSL_MSG("growing output buffer\n"); - - if (!tmp) return MEMORY_E; - if (align) - tmp += align - hdrSz; - - if (ssl->buffers.outputBuffer.length) - XMEMCPY(tmp, ssl->buffers.outputBuffer.buffer, - ssl->buffers.outputBuffer.length); - - if (ssl->buffers.outputBuffer.dynamicFlag) - XFREE(ssl->buffers.outputBuffer.buffer - - ssl->buffers.outputBuffer.offset, ssl->heap, - DYNAMIC_TYPE_OUT_BUFFER); - ssl->buffers.outputBuffer.dynamicFlag = 1; - if (align) - ssl->buffers.outputBuffer.offset = align - hdrSz; - else - ssl->buffers.outputBuffer.offset = 0; - ssl->buffers.outputBuffer.buffer = tmp; - ssl->buffers.outputBuffer.bufferSize = size + - ssl->buffers.outputBuffer.length; - return 0; -} - - -/* Grow the input buffer, should only be to read cert or big app data */ -int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength) -{ - byte* tmp; - byte hdrSz = DTLS_RECORD_HEADER_SZ; - byte align = ssl->options.dtls ? WOLFSSL_GENERAL_ALIGNMENT : 0; - /* the encrypted data will be offset from the front of the buffer by - the dtls record header, if the user wants encrypted alignment they need - to define their alignment requirement. in tls we read record header - to get size of record and put actual data back at front, so don't need */ - - if (align) { - while (align < hdrSz) - align *= 2; - } - - if (usedLength < 0 || size < 0) { - WOLFSSL_MSG("GrowInputBuffer() called with negative number"); - return BAD_FUNC_ARG; - } - - tmp = (byte*) XMALLOC(size + usedLength + align, ssl->heap, - DYNAMIC_TYPE_IN_BUFFER); - WOLFSSL_MSG("growing input buffer\n"); - - if (!tmp) return MEMORY_E; - if (align) - tmp += align - hdrSz; - - if (usedLength) - XMEMCPY(tmp, ssl->buffers.inputBuffer.buffer + - ssl->buffers.inputBuffer.idx, usedLength); - - if (ssl->buffers.inputBuffer.dynamicFlag) - XFREE(ssl->buffers.inputBuffer.buffer - ssl->buffers.inputBuffer.offset, - ssl->heap,DYNAMIC_TYPE_IN_BUFFER); - - ssl->buffers.inputBuffer.dynamicFlag = 1; - if (align) - ssl->buffers.inputBuffer.offset = align - hdrSz; - else - ssl->buffers.inputBuffer.offset = 0; - ssl->buffers.inputBuffer.buffer = tmp; - ssl->buffers.inputBuffer.bufferSize = size + usedLength; - ssl->buffers.inputBuffer.idx = 0; - ssl->buffers.inputBuffer.length = usedLength; - - return 0; -} - - -/* check available size into output buffer, make room if needed */ -int CheckAvailableSize(WOLFSSL *ssl, int size) -{ - if (size < 0) { - WOLFSSL_MSG("CheckAvailableSize() called with negative number"); - return BAD_FUNC_ARG; - } - - if (ssl->buffers.outputBuffer.bufferSize - ssl->buffers.outputBuffer.length - < (word32)size) { - if (GrowOutputBuffer(ssl, size) < 0) - return MEMORY_E; - } - - return 0; -} - - -/* do all verify and sanity checks on record header */ -static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - RecordLayerHeader* rh, word16 *size) -{ - if (!ssl->options.dtls) { -#ifdef HAVE_FUZZER - if (ssl->fuzzerCb) - ssl->fuzzerCb(ssl, input + *inOutIdx, RECORD_HEADER_SZ, FUZZ_HEAD, - ssl->fuzzerCtx); -#endif - XMEMCPY(rh, input + *inOutIdx, RECORD_HEADER_SZ); - *inOutIdx += RECORD_HEADER_SZ; - ato16(rh->length, size); - } - else { -#ifdef WOLFSSL_DTLS -#ifdef HAVE_FUZZER - if (ssl->fuzzerCb) - ssl->fuzzerCb(ssl, input + *inOutIdx, DTLS_RECORD_HEADER_SZ, - FUZZ_HEAD, ssl->fuzzerCtx); -#endif - /* type and version in same sport */ - XMEMCPY(rh, input + *inOutIdx, ENUM_LEN + VERSION_SZ); - *inOutIdx += ENUM_LEN + VERSION_SZ; - ato16(input + *inOutIdx, &ssl->keys.curEpoch); - *inOutIdx += OPAQUE16_LEN; - ato16(input + *inOutIdx, &ssl->keys.curSeq_hi); - *inOutIdx += OPAQUE16_LEN; - ato32(input + *inOutIdx, &ssl->keys.curSeq_lo); - *inOutIdx += OPAQUE32_LEN; /* advance past rest of seq */ - ato16(input + *inOutIdx, size); - *inOutIdx += LENGTH_SZ; -#endif - } - -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl) && - (!DtlsCheckWindow(ssl) || - (ssl->options.handShakeDone && ssl->keys.curEpoch == 0))) { - return SEQUENCE_ERROR; - } -#endif - -#ifdef OPENSSL_EXTRA - /* case where specific protocols are turned off */ - if (!ssl->options.dtls && ssl->options.mask > 0) { - if (rh->pvMinor == SSLv3_MINOR && - (ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { - WOLFSSL_MSG("Option set to not allow SSLv3"); - return VERSION_ERROR; - } - if (rh->pvMinor == TLSv1_MINOR && - (ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { - WOLFSSL_MSG("Option set to not allow TLSv1"); - return VERSION_ERROR; - } - if (rh->pvMinor == TLSv1_1_MINOR && - (ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { - WOLFSSL_MSG("Option set to not allow TLSv1.1"); - return VERSION_ERROR; - } - if (rh->pvMinor == TLSv1_2_MINOR && - (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { - WOLFSSL_MSG("Option set to not allow TLSv1.2"); - return VERSION_ERROR; - } - } -#endif /* OPENSSL_EXTRA */ - - /* catch version mismatch */ - if (rh->pvMajor != ssl->version.major || rh->pvMinor != ssl->version.minor){ - if (ssl->options.side == WOLFSSL_SERVER_END && - ssl->options.acceptState < ACCEPT_FIRST_REPLY_DONE) - - WOLFSSL_MSG("Client attempting to connect with different version"); - else if (ssl->options.side == WOLFSSL_CLIENT_END && - ssl->options.downgrade && - ssl->options.connectState < FIRST_REPLY_DONE) - WOLFSSL_MSG("Server attempting to accept with different version"); - else if (ssl->options.dtls && rh->type == handshake) - /* Check the DTLS handshake message RH version later. */ - WOLFSSL_MSG("DTLS handshake, skip RH version number check"); - else { - WOLFSSL_MSG("SSL version error"); - return VERSION_ERROR; /* only use requested version */ - } - } - - /* record layer length check */ -#ifdef HAVE_MAX_FRAGMENT - if (*size > (ssl->max_fragment + MAX_COMP_EXTRA + MAX_MSG_EXTRA)) { - SendAlert(ssl, alert_fatal, record_overflow); - return LENGTH_ERROR; - } -#else - if (*size > (MAX_RECORD_SIZE + MAX_COMP_EXTRA + MAX_MSG_EXTRA)) - return LENGTH_ERROR; -#endif - - /* verify record type here as well */ - switch (rh->type) { - case handshake: - case change_cipher_spec: - case application_data: - case alert: - break; - case no_type: - default: - WOLFSSL_MSG("Unknown Record Type"); - return UNKNOWN_RECORD_TYPE; - } - - /* haven't decrypted this record yet */ - ssl->keys.decryptedCur = 0; - - return 0; -} - - -static int GetHandShakeHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - byte *type, word32 *size, word32 totalSz) -{ - const byte *ptr = input + *inOutIdx; - (void)ssl; - - *inOutIdx += HANDSHAKE_HEADER_SZ; - if (*inOutIdx > totalSz) - return BUFFER_E; - - *type = ptr[0]; - c24to32(&ptr[1], size); - - return 0; -} - - -#ifdef WOLFSSL_DTLS -static int GetDtlsHandShakeHeader(WOLFSSL* ssl, const byte* input, - word32* inOutIdx, byte *type, word32 *size, - word32 *fragOffset, word32 *fragSz, - word32 totalSz) -{ - word32 idx = *inOutIdx; - - *inOutIdx += HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA; - if (*inOutIdx > totalSz) - return BUFFER_E; - - *type = input[idx++]; - c24to32(input + idx, size); - idx += OPAQUE24_LEN; - - ato16(input + idx, &ssl->keys.dtls_peer_handshake_number); - idx += DTLS_HANDSHAKE_SEQ_SZ; - - c24to32(input + idx, fragOffset); - idx += DTLS_HANDSHAKE_FRAG_SZ; - c24to32(input + idx, fragSz); - - if (ssl->curRL.pvMajor != ssl->version.major || - ssl->curRL.pvMinor != ssl->version.minor) { - - if (*type != client_hello && *type != hello_verify_request) - return VERSION_ERROR; - else { - WOLFSSL_MSG("DTLS Handshake ignoring hello or verify version"); - } - } - return 0; -} -#endif - - -#if !defined(NO_OLD_TLS) || \ - (defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_TLS_SHA1)) -/* fill with MD5 pad size since biggest required */ -static const byte PAD1[PAD_MD5] = - { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, - 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, - 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, - 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, - 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, - 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 - }; -static const byte PAD2[PAD_MD5] = - { 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, - 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, - 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, - 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, - 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, - 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c - }; -#endif /* !NO_OLD_TLS || (NO_OLD_TLS && WOLFSSL_ALLOW_TLS_SHA1) */ - -#ifndef NO_OLD_TLS - -/* calculate MD5 hash for finished */ -#ifdef WOLFSSL_TI_HASH -#include -#endif - -static int BuildMD5(WOLFSSL* ssl, Hashes* hashes, const byte* sender) -{ - int ret; - byte md5_result[MD5_DIGEST_SIZE]; -#ifdef WOLFSSL_SMALL_STACK - Md5* md5 = (Md5*)XMALLOC(sizeof(Md5), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (md5 == NULL) - return MEMORY_E; -#else - Md5 md5[1]; -#endif - - /* make md5 inner */ - ret = wc_Md5Copy(&ssl->hsHashes->hashMd5, md5); - if (ret == 0) - ret = wc_Md5Update(md5, sender, SIZEOF_SENDER); - if (ret == 0) - ret = wc_Md5Update(md5, ssl->arrays->masterSecret,SECRET_LEN); - if (ret == 0) - ret = wc_Md5Update(md5, PAD1, PAD_MD5); - if (ret == 0) - ret = wc_Md5Final(md5, md5_result); - - /* make md5 outer */ - if (ret == 0) { - ret = wc_InitMd5_ex(md5, ssl->heap, ssl->devId); - if (ret == 0) { - ret = wc_Md5Update(md5, ssl->arrays->masterSecret,SECRET_LEN); - if (ret == 0) - ret = wc_Md5Update(md5, PAD2, PAD_MD5); - if (ret == 0) - ret = wc_Md5Update(md5, md5_result, MD5_DIGEST_SIZE); - if (ret == 0) - ret = wc_Md5Final(md5, hashes->md5); - wc_Md5Free(md5); - } - } - -#ifdef WOLFSSL_SMALL_STACK - XFREE(md5, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - return ret; -} - - -/* calculate SHA hash for finished */ -static int BuildSHA(WOLFSSL* ssl, Hashes* hashes, const byte* sender) -{ - int ret; - byte sha_result[SHA_DIGEST_SIZE]; -#ifdef WOLFSSL_SMALL_STACK - Sha* sha = (Sha*)XMALLOC(sizeof(Sha), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (sha == NULL) - return MEMORY_E; -#else - Sha sha[1]; -#endif - /* make sha inner */ - ret = wc_ShaCopy(&ssl->hsHashes->hashSha, sha); /* Save current position */ - if (ret == 0) - ret = wc_ShaUpdate(sha, sender, SIZEOF_SENDER); - if (ret == 0) - ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN); - if (ret == 0) - ret = wc_ShaUpdate(sha, PAD1, PAD_SHA); - if (ret == 0) - ret = wc_ShaFinal(sha, sha_result); - - /* make sha outer */ - if (ret == 0) { - ret = wc_InitSha_ex(sha, ssl->heap, ssl->devId); - if (ret == 0) { - ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN); - if (ret == 0) - ret = wc_ShaUpdate(sha, PAD2, PAD_SHA); - if (ret == 0) - ret = wc_ShaUpdate(sha, sha_result, SHA_DIGEST_SIZE); - if (ret == 0) - ret = wc_ShaFinal(sha, hashes->sha); - wc_ShaFree(sha); - } - } - -#ifdef WOLFSSL_SMALL_STACK - XFREE(sha, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - return ret; -} -#endif - -/* Finished doesn't support SHA512, not SHA512 cipher suites yet */ -static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) -{ - int ret = 0; -#ifdef WOLFSSL_SHA384 -#ifdef WOLFSSL_SMALL_STACK - Sha384* sha384 = (Sha384*)XMALLOC(sizeof(Sha384), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); -#else - Sha384 sha384[1]; -#endif /* WOLFSSL_SMALL_STACK */ -#endif /* WOLFSSL_SHA384 */ - -#ifdef WOLFSSL_SMALL_STACK - if (ssl == NULL - #ifdef WOLFSSL_SHA384 - || sha384 == NULL - #endif - ) { - #ifdef WOLFSSL_SHA384 - XFREE(sha384, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return MEMORY_E; - } -#endif - - /* store current states, building requires get_digest which resets state */ -#ifdef WOLFSSL_SHA384 - sha384[0] = ssl->hsHashes->hashSha384; -#endif - -#ifndef NO_TLS - if (ssl->options.tls) { - ret = BuildTlsFinished(ssl, hashes, sender); - } -#endif -#ifndef NO_OLD_TLS - if (!ssl->options.tls) { - ret = BuildMD5(ssl, hashes, sender); - if (ret == 0) { - ret = BuildSHA(ssl, hashes, sender); - } - } -#endif - - /* restore */ - if (IsAtLeastTLSv1_2(ssl)) { - #ifdef WOLFSSL_SHA384 - ssl->hsHashes->hashSha384 = sha384[0]; - #endif - } - -#ifdef WOLFSSL_SHA384 -#ifdef WOLFSSL_SMALL_STACK - XFREE(sha384, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif -#endif - - return ret; -} - - - /* cipher requirements */ - enum { - REQUIRES_RSA, - REQUIRES_DHE, - REQUIRES_ECC, - REQUIRES_ECC_STATIC, - REQUIRES_PSK, - REQUIRES_NTRU, - REQUIRES_RSA_SIG - }; - - - - /* Does this cipher suite (first, second) have the requirement - an ephemeral key exchange will still require the key for signing - the key exchange so ECHDE_RSA requires an rsa key thus rsa_kea */ - static int CipherRequires(byte first, byte second, int requirement) - { - - if (first == CHACHA_BYTE) { - - switch (second) { - - case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - - case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 : - if (requirement == REQUIRES_PSK) - return 1; - break; - - case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 : - if (requirement == REQUIRES_PSK) - return 1; - break; - - case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 : - if (requirement == REQUIRES_PSK) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - } - } - - /* ECC extensions */ - if (first == ECC_BYTE) { - - switch (second) { - -#ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - break; - -#ifndef NO_DES3 - case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - break; -#endif - -#ifndef NO_RC4 - case TLS_ECDHE_RSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDH_RSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - break; -#endif -#endif /* NO_RSA */ - -#ifndef NO_DES3 - case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; -#endif -#ifndef NO_RC4 - case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDH_ECDSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; -#endif -#ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - break; -#endif - - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; - - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; - - case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; - - case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; - -#ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - break; - - case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - break; - - case TLS_RSA_WITH_AES_128_CCM_8 : - case TLS_RSA_WITH_AES_256_CCM_8 : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - break; - - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 : - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 : - if (requirement == REQUIRES_RSA_SIG) - return 1; - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; -#endif - - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM : - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 : - case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : - if (requirement == REQUIRES_ECC) - return 1; - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; - - case TLS_PSK_WITH_AES_128_CCM: - case TLS_PSK_WITH_AES_256_CCM: - case TLS_PSK_WITH_AES_128_CCM_8: - case TLS_PSK_WITH_AES_256_CCM_8: - if (requirement == REQUIRES_PSK) - return 1; - break; - - case TLS_DHE_PSK_WITH_AES_128_CCM: - case TLS_DHE_PSK_WITH_AES_256_CCM: - if (requirement == REQUIRES_PSK) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_ECDHE_ECDSA_WITH_NULL_SHA : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDHE_PSK_WITH_NULL_SHA256 : - if (requirement == REQUIRES_PSK) - return 1; - break; - - case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 : - if (requirement == REQUIRES_PSK) - return 1; - break; - - default: - WOLFSSL_MSG("Unsupported cipher suite, CipherRequires ECC"); - return 0; - } /* switch */ - } /* if */ - if (first != ECC_BYTE && first != CHACHA_BYTE) { /* normal suites */ - switch (second) { - -#ifndef NO_RSA - case SSL_RSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case SSL_RSA_WITH_RC4_128_MD5 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case SSL_RSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_NTRU_RSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_NTRU) - return 1; - break; - - case TLS_RSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_RSA_WITH_AES_128_CBC_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_NTRU) - return 1; - break; - - case TLS_RSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_NTRU) - return 1; - break; - - case TLS_RSA_WITH_AES_256_CBC_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_RSA_WITH_NULL_SHA : - case TLS_RSA_WITH_NULL_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_NTRU) - return 1; - break; - - case SSL_RSA_WITH_IDEA_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; -#endif - - case TLS_PSK_WITH_AES_128_GCM_SHA256 : - case TLS_PSK_WITH_AES_256_GCM_SHA384 : - case TLS_PSK_WITH_AES_128_CBC_SHA256 : - case TLS_PSK_WITH_AES_256_CBC_SHA384 : - case TLS_PSK_WITH_AES_128_CBC_SHA : - case TLS_PSK_WITH_AES_256_CBC_SHA : - case TLS_PSK_WITH_NULL_SHA384 : - case TLS_PSK_WITH_NULL_SHA256 : - case TLS_PSK_WITH_NULL_SHA : - if (requirement == REQUIRES_PSK) - return 1; - break; - - case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 : - case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 : - case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 : - case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 : - case TLS_DHE_PSK_WITH_NULL_SHA384 : - case TLS_DHE_PSK_WITH_NULL_SHA256 : - if (requirement == REQUIRES_DHE) - return 1; - if (requirement == REQUIRES_PSK) - return 1; - break; - -#ifndef NO_RSA - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_RSA_WITH_HC_128_MD5 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_RSA_WITH_HC_128_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_RSA_WITH_HC_128_B2B256: - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_RSA_WITH_AES_128_CBC_B2B256: - case TLS_RSA_WITH_AES_256_CBC_B2B256: - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_RSA_WITH_RABBIT_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_RSA_WITH_AES_128_GCM_SHA256 : - case TLS_RSA_WITH_AES_256_GCM_SHA384 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 : - case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA : - case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA : - case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 : - case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : - case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : - case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 : - case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; -#endif -#ifdef HAVE_ANON - case TLS_DH_anon_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_DHE) - return 1; - break; -#endif - - default: - WOLFSSL_MSG("Unsupported cipher suite, CipherRequires"); - return 0; - } /* switch */ - } /* if ECC / Normal suites else */ - - return 0; - } - - -#ifndef NO_CERTS - - -/* Match names with wildcards, each wildcard can represent a single name - component or fragment but not mulitple names, i.e., - *.z.com matches y.z.com but not x.y.z.com - - return 1 on success */ -static int MatchDomainName(const char* pattern, int len, const char* str) -{ - char p, s; - - if (pattern == NULL || str == NULL || len <= 0) - return 0; - - while (len > 0) { - - p = (char)XTOLOWER((unsigned char)*pattern++); - if (p == 0) - break; - - if (p == '*') { - while (--len > 0 && - (p = (char)XTOLOWER((unsigned char)*pattern++)) == '*') { - } - - if (len == 0) - p = '\0'; - - while ( (s = (char)XTOLOWER((unsigned char) *str)) != '\0') { - if (s == p) - break; - if (s == '.') - return 0; - str++; - } - } - else { - if (p != (char)XTOLOWER((unsigned char) *str)) - return 0; - } - - if (*str != '\0') - str++; - - if (len > 0) - len--; - } - - return *str == '\0'; -} - - -/* try to find an altName match to domain, return 1 on success */ -static int CheckAltNames(DecodedCert* dCert, char* domain) -{ - int match = 0; - DNS_entry* altName = NULL; - - WOLFSSL_MSG("Checking AltNames"); - - if (dCert) - altName = dCert->altNames; - - while (altName) { - WOLFSSL_MSG("\tindividual AltName check"); - - if (MatchDomainName(altName->name,(int)XSTRLEN(altName->name), domain)){ - match = 1; - break; - } - - altName = altName->next; - } - - return match; -} - - -#ifdef OPENSSL_EXTRA -/* Check that alternative names, if they exists, match the domain. - * Fail if there are wild patterns and they didn't match. - * Check the common name if no alternative names matched. - * - * dCert Decoded cert to get the alternative names from. - * domain Domain name to compare against. - * checkCN Whether to check the common name. - * returns whether there was a problem in matching. - */ -static int CheckForAltNames(DecodedCert* dCert, char* domain, int* checkCN) -{ - int match; - DNS_entry* altName = NULL; - - WOLFSSL_MSG("Checking AltNames"); - - if (dCert) - altName = dCert->altNames; - - *checkCN = altName == NULL; - match = 0; - while (altName) { - WOLFSSL_MSG("\tindividual AltName check"); - - if (MatchDomainName(altName->name, (int)XSTRLEN(altName->name), - domain)) { - match = 1; - *checkCN = 0; - break; - } - /* No matches and wild pattern match failed. */ - else if (altName->name[0] == '*' && match == 0) - match = -1; - - altName = altName->next; - } - - return match != -1; -} - -/* Check the domain name matches the subject alternative name or the subject - * name. - * - * dcert Decoded certificate. - * domainName The domain name. - * domainNameLen The length of the domain name. - * returns DOMAIN_NAME_MISMATCH when no match found and 0 on success. - */ -int CheckHostName(DecodedCert* dCert, char *domainName, size_t domainNameLen) -{ - int checkCN; - - /* Assume name is NUL terminated. */ - (void)domainNameLen; - - if (CheckForAltNames(dCert, domainName, &checkCN) == 0) { - WOLFSSL_MSG("DomainName match on alt names failed too"); - return DOMAIN_NAME_MISMATCH; - } - if (checkCN == 1) { - if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen, - domainName) == 0) { - WOLFSSL_MSG("DomainName match on common name failed"); - return DOMAIN_NAME_MISMATCH; - } - } - - return 0; -} -#endif - -#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) - -/* Copy parts X509 needs from Decoded cert, 0 on success */ -int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) -{ - int ret = 0; - - if (x509 == NULL || dCert == NULL || - dCert->subjectCNLen < 0) - return BAD_FUNC_ARG; - - x509->version = dCert->version + 1; - - XSTRNCPY(x509->issuer.name, dCert->issuer, ASN_NAME_MAX); - x509->issuer.name[ASN_NAME_MAX - 1] = '\0'; - x509->issuer.sz = (int)XSTRLEN(x509->issuer.name) + 1; -#ifdef OPENSSL_EXTRA - if (dCert->issuerName.fullName != NULL) { - XMEMCPY(&x509->issuer.fullName, - &dCert->issuerName, sizeof(DecodedName)); - x509->issuer.fullName.fullName = (char*)XMALLOC( - dCert->issuerName.fullNameLen, x509->heap, - DYNAMIC_TYPE_X509); - if (x509->issuer.fullName.fullName != NULL) - XMEMCPY(x509->issuer.fullName.fullName, - dCert->issuerName.fullName, dCert->issuerName.fullNameLen); - } - x509->issuer.x509 = x509; -#endif /* OPENSSL_EXTRA */ - - XSTRNCPY(x509->subject.name, dCert->subject, ASN_NAME_MAX); - x509->subject.name[ASN_NAME_MAX - 1] = '\0'; - x509->subject.sz = (int)XSTRLEN(x509->subject.name) + 1; -#ifdef OPENSSL_EXTRA - if (dCert->subjectName.fullName != NULL) { - XMEMCPY(&x509->subject.fullName, - &dCert->subjectName, sizeof(DecodedName)); - x509->subject.fullName.fullName = (char*)XMALLOC( - dCert->subjectName.fullNameLen, x509->heap, DYNAMIC_TYPE_X509); - if (x509->subject.fullName.fullName != NULL) - XMEMCPY(x509->subject.fullName.fullName, - dCert->subjectName.fullName, dCert->subjectName.fullNameLen); - } - x509->subject.x509 = x509; -#endif /* OPENSSL_EXTRA */ - - XMEMCPY(x509->serial, dCert->serial, EXTERNAL_SERIAL_SIZE); - x509->serialSz = dCert->serialSz; - if (dCert->subjectCNLen < ASN_NAME_MAX) { - XMEMCPY(x509->subjectCN, dCert->subjectCN, dCert->subjectCNLen); - x509->subjectCN[dCert->subjectCNLen] = '\0'; - } - else - x509->subjectCN[0] = '\0'; - -#ifdef WOLFSSL_SEP - { - int minSz = min(dCert->deviceTypeSz, EXTERNAL_SERIAL_SIZE); - if (minSz > 0) { - x509->deviceTypeSz = minSz; - XMEMCPY(x509->deviceType, dCert->deviceType, minSz); - } - else - x509->deviceTypeSz = 0; - minSz = min(dCert->hwTypeSz, EXTERNAL_SERIAL_SIZE); - if (minSz > 0) { - x509->hwTypeSz = minSz; - XMEMCPY(x509->hwType, dCert->hwType, minSz); - } - else - x509->hwTypeSz = 0; - minSz = min(dCert->hwSerialNumSz, EXTERNAL_SERIAL_SIZE); - if (minSz > 0) { - x509->hwSerialNumSz = minSz; - XMEMCPY(x509->hwSerialNum, dCert->hwSerialNum, minSz); - } - else - x509->hwSerialNumSz = 0; - } -#endif /* WOLFSSL_SEP */ - { - int minSz = min(dCert->beforeDateLen, MAX_DATE_SZ); - if (minSz > 0) { - x509->notBeforeSz = minSz; - XMEMCPY(x509->notBefore, dCert->beforeDate, minSz); - } - else - x509->notBeforeSz = 0; - minSz = min(dCert->afterDateLen, MAX_DATE_SZ); - if (minSz > 0) { - x509->notAfterSz = minSz; - XMEMCPY(x509->notAfter, dCert->afterDate, minSz); - } - else - x509->notAfterSz = 0; - } - - if (dCert->publicKey != NULL && dCert->pubKeySize != 0) { - x509->pubKey.buffer = (byte*)XMALLOC( - dCert->pubKeySize, x509->heap, DYNAMIC_TYPE_PUBLIC_KEY); - if (x509->pubKey.buffer != NULL) { - x509->pubKeyOID = dCert->keyOID; - x509->pubKey.length = dCert->pubKeySize; - XMEMCPY(x509->pubKey.buffer, dCert->publicKey, dCert->pubKeySize); - } - else - ret = MEMORY_E; - } - - if (dCert->signature != NULL && dCert->sigLength != 0) { - x509->sig.buffer = (byte*)XMALLOC( - dCert->sigLength, x509->heap, DYNAMIC_TYPE_SIGNATURE); - if (x509->sig.buffer == NULL) { - ret = MEMORY_E; - } - else { - XMEMCPY(x509->sig.buffer, dCert->signature, dCert->sigLength); - x509->sig.length = dCert->sigLength; - x509->sigOID = dCert->signatureOID; - } - } - - /* store cert for potential retrieval */ - if (AllocDer(&x509->derCert, dCert->maxIdx, CERT_TYPE, x509->heap) == 0) { - XMEMCPY(x509->derCert->buffer, dCert->source, dCert->maxIdx); - } - else { - ret = MEMORY_E; - } - - x509->altNames = dCert->altNames; - dCert->weOwnAltNames = 0; - x509->altNamesNext = x509->altNames; /* index hint */ - -#ifdef OPENSSL_EXTRA - /* add copies of alternate emails from dCert to X509 */ - if (dCert->altEmailNames != NULL) { - DNS_entry* cur = dCert->altEmailNames; - - while (cur != NULL) { - if (cur->type == ASN_RFC822_TYPE) { - DNS_entry* dnsEntry; - int strLen = (int)XSTRLEN(cur->name); - - dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), x509->heap, - DYNAMIC_TYPE_ALTNAME); - if (dnsEntry == NULL) { - WOLFSSL_MSG("\tOut of Memory"); - return MEMORY_E; - } - - dnsEntry->type = ASN_RFC822_TYPE; - dnsEntry->name = (char*)XMALLOC(strLen + 1, x509->heap, - DYNAMIC_TYPE_ALTNAME); - if (dnsEntry->name == NULL) { - WOLFSSL_MSG("\tOut of Memory"); - XFREE(dnsEntry, x509->heap, DYNAMIC_TYPE_ALTNAME); - return MEMORY_E; - } - - XMEMCPY(dnsEntry->name, cur->name, strLen); - dnsEntry->name[strLen] = '\0'; - - dnsEntry->next = x509->altNames; - x509->altNames = dnsEntry; - } - cur = cur->next; - } - } -#endif - - x509->isCa = dCert->isCA; -#ifdef OPENSSL_EXTRA - x509->pathLength = dCert->pathLength; - x509->keyUsage = dCert->extKeyUsage; - - x509->CRLdistSet = dCert->extCRLdistSet; - x509->CRLdistCrit = dCert->extCRLdistCrit; - x509->CRLInfo = dCert->extCrlInfo; - x509->CRLInfoSz = dCert->extCrlInfoSz; - x509->authInfoSet = dCert->extAuthInfoSet; - x509->authInfoCrit = dCert->extAuthInfoCrit; - if (dCert->extAuthInfo != NULL && dCert->extAuthInfoSz > 0) { - x509->authInfo = (byte*)XMALLOC(dCert->extAuthInfoSz, x509->heap, - DYNAMIC_TYPE_X509_EXT); - if (x509->authInfo != NULL) { - XMEMCPY(x509->authInfo, dCert->extAuthInfo, dCert->extAuthInfoSz); - x509->authInfoSz = dCert->extAuthInfoSz; - } - else { - ret = MEMORY_E; - } - } - x509->basicConstSet = dCert->extBasicConstSet; - x509->basicConstCrit = dCert->extBasicConstCrit; - x509->basicConstPlSet = dCert->pathLengthSet; - x509->subjAltNameSet = dCert->extSubjAltNameSet; - x509->subjAltNameCrit = dCert->extSubjAltNameCrit; - x509->authKeyIdSet = dCert->extAuthKeyIdSet; - x509->authKeyIdCrit = dCert->extAuthKeyIdCrit; - if (dCert->extAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSz != 0) { - x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, x509->heap, - DYNAMIC_TYPE_X509_EXT); - if (x509->authKeyId != NULL) { - XMEMCPY(x509->authKeyId, - dCert->extAuthKeyIdSrc, dCert->extAuthKeyIdSz); - x509->authKeyIdSz = dCert->extAuthKeyIdSz; - } - else - ret = MEMORY_E; - } - x509->subjKeyIdSet = dCert->extSubjKeyIdSet; - x509->subjKeyIdCrit = dCert->extSubjKeyIdCrit; - if (dCert->extSubjKeyIdSrc != NULL && dCert->extSubjKeyIdSz != 0) { - x509->subjKeyId = (byte*)XMALLOC(dCert->extSubjKeyIdSz, x509->heap, - DYNAMIC_TYPE_X509_EXT); - if (x509->subjKeyId != NULL) { - XMEMCPY(x509->subjKeyId, - dCert->extSubjKeyIdSrc, dCert->extSubjKeyIdSz); - x509->subjKeyIdSz = dCert->extSubjKeyIdSz; - } - else - ret = MEMORY_E; - } - x509->keyUsageSet = dCert->extKeyUsageSet; - x509->keyUsageCrit = dCert->extKeyUsageCrit; - if (dCert->extExtKeyUsageSrc != NULL && dCert->extExtKeyUsageSz > 0) { - x509->extKeyUsageSrc = (byte*)XMALLOC(dCert->extExtKeyUsageSz, - x509->heap, DYNAMIC_TYPE_X509_EXT); - if (x509->extKeyUsageSrc != NULL) { - XMEMCPY(x509->extKeyUsageSrc, dCert->extExtKeyUsageSrc, - dCert->extExtKeyUsageSz); - x509->extKeyUsageSz = dCert->extExtKeyUsageSz; - x509->extKeyUsageCrit = dCert->extExtKeyUsageCrit; - x509->extKeyUsageCount = dCert->extExtKeyUsageCount; - } - else { - ret = MEMORY_E; - } - } - #ifdef WOLFSSL_SEP - x509->certPolicySet = dCert->extCertPolicySet; - x509->certPolicyCrit = dCert->extCertPolicyCrit; - #endif /* WOLFSSL_SEP */ - #ifdef WOLFSSL_CERT_EXT - { - int i; - for (i = 0; i < dCert->extCertPoliciesNb && i < MAX_CERTPOL_NB; i++) - XMEMCPY(x509->certPolicies[i], dCert->extCertPolicies[i], - MAX_CERTPOL_SZ); - x509->certPoliciesNb = dCert->extCertPoliciesNb; - } - #endif /* WOLFSSL_CERT_EXT */ -#endif /* OPENSSL_EXTRA */ -#ifdef HAVE_ECC - x509->pkCurveOID = dCert->pkCurveOID; -#endif /* HAVE_ECC */ - - return ret; -} - -#endif /* KEEP_PEER_CERT || SESSION_CERTS */ - -typedef struct DoCertArgs { - buffer* certs; - DecodedCert* dCert; - char* domain; - word32 idx; - word32 begin; - int totalCerts; /* number of certs in certs buffer */ - int count; - int dCertInit; - int certIdx; -#ifdef WOLFSSL_TRUST_PEER_CERT - byte haveTrustPeer; /* was cert verified by loaded trusted peer cert */ -#endif -} DoCertArgs; - -static void FreeDoCertArgs(WOLFSSL* ssl, void* pArgs) -{ - DoCertArgs* args = (DoCertArgs*)pArgs; - - (void)ssl; - - if (args->domain) { - XFREE(args->domain, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->domain = NULL; - } - if (args->certs) { - XFREE(args->certs, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->certs = NULL; - } - if (args->dCert) { - if (args->dCertInit) { - FreeDecodedCert(args->dCert); - args->dCertInit = 0; - } - XFREE(args->dCert, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->dCert = NULL; - } -} - -static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, - word32 size) -{ - int ret = 0, lastErr = 0; -#ifdef WOLFSSL_ASYNC_CRYPT - DoCertArgs* args = (DoCertArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); -#else - DoCertArgs args[1]; -#endif - -#ifdef WOLFSSL_TRUST_PEER_CERT - byte haveTrustPeer = 0; /* was cert verified by loaded trusted peer cert */ -#endif - - WOLFSSL_ENTER("DoCertificate"); - -#ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_dc; - } - else -#endif - { - /* Reset state */ - ret = 0; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - XMEMSET(args, 0, sizeof(DoCertArgs)); - args->idx = *inOutIdx; - args->begin = *inOutIdx; - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeDoCertArgs; - #endif - } - - switch(ssl->options.asyncState) - { - case TLS_ASYNC_BEGIN: - { - word32 listSz; - - #ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) - AddPacketName(ssl, "Certificate"); - if (ssl->toInfoOn) - AddLateName("Certificate", &ssl->timeoutInfo); - #endif - - /* allocate buffer for certs */ - args->certs = (buffer*)XMALLOC(sizeof(buffer) * MAX_CHAIN_DEPTH, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (args->certs == NULL) { - ERROR_OUT(MEMORY_E, exit_dc); - } - XMEMSET(args->certs, 0, sizeof(buffer) * MAX_CHAIN_DEPTH); - - if ((args->idx - args->begin) + OPAQUE24_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dc); - } - - c24to32(input + args->idx, &listSz); - args->idx += OPAQUE24_LEN; - - if (listSz > MAX_RECORD_SIZE) { - ERROR_OUT(BUFFER_ERROR, exit_dc); - } - - if ((args->idx - args->begin) + listSz != size) { - ERROR_OUT(BUFFER_ERROR, exit_dc); - } - - WOLFSSL_MSG("Loading peer's cert chain"); - /* first put cert chain into buffer so can verify top down - we're sent bottom up */ - while (listSz) { - word32 certSz; - - if (args->totalCerts >= ssl->verifyDepth) { - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG; - #endif - ERROR_OUT(MAX_CHAIN_ERROR, exit_dc); - } - - if ((args->idx - args->begin) + OPAQUE24_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dc); - } - - c24to32(input + args->idx, &certSz); - args->idx += OPAQUE24_LEN; - - if ((args->idx - args->begin) + certSz > size) { - ERROR_OUT(BUFFER_ERROR, exit_dc); - } - - args->certs[args->totalCerts].length = certSz; - args->certs[args->totalCerts].buffer = input + args->idx; - - #ifdef SESSION_CERTS - if (ssl->session.chain.count < MAX_CHAIN_DEPTH && - certSz < MAX_X509_SIZE) { - ssl->session.chain.certs[ - ssl->session.chain.count].length = certSz; - XMEMCPY(ssl->session.chain.certs[ - ssl->session.chain.count].buffer, - input + args->idx, certSz); - ssl->session.chain.count++; - } - else { - WOLFSSL_MSG("Couldn't store chain cert for session"); - } - #endif /* SESSION_CERTS */ - - args->idx += certSz; - listSz -= certSz + CERT_HEADER_SZ; - - args->totalCerts++; - WOLFSSL_MSG("\tPut another cert into chain"); - } /* while (listSz) */ - - args->count = args->totalCerts; - args->certIdx = 0; - - args->dCertInit = 0; - args->dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (args->dCert == NULL) { - ERROR_OUT(MEMORY_E, exit_dc); - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_BUILD; - } /* case TLS_ASYNC_BEGIN */ - - case TLS_ASYNC_BUILD: - { - if (args->count > 0) { - #ifdef WOLFSSL_TRUST_PEER_CERT - if (args->certIdx == 0) { - /* if using trusted peer certs check before verify chain - and CA test */ - TrustedPeerCert* tp; - - if (!args->dCertInit) { - InitDecodedCert(args->dCert, - args->certs[args->certIdx].buffer, - args->certs[args->certIdx].length, ssl->heap); - args->dCert->sigCtx.devId = ssl->devId; /* setup async dev */ - args->dCertInit = 1; - } - - ret = ParseCertRelative(args->dCert, CERT_TYPE, 0, - ssl->ctx->cm); - if (ret != 0) { - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, - args->dCert->sigCtx.asyncDev, - WC_ASYNC_FLAG_CALL_AGAIN); - } - #endif - goto exit_dc; - } - - #ifndef NO_SKID - if (args->dCert->extAuthKeyIdSet) { - tp = GetTrustedPeer(ssl->ctx->cm, - args->dCert->extSubjKeyId, WC_MATCH_SKID); - } - else { /* if the cert has no SKID try to match by name */ - tp = GetTrustedPeer(ssl->ctx->cm, - args->dCert->subjectHash, WC_MATCH_NAME); - } - #else /* NO_SKID */ - tp = GetTrustedPeer(ssl->ctx->cm, args->dCert->subjectHash, - WC_MATCH_NAME); - #endif /* NO SKID */ - WOLFSSL_MSG("Checking for trusted peer cert"); - - if (tp == NULL) { - /* no trusted peer cert */ - WOLFSSL_MSG("No matching trusted peer cert. " - "Checking CAs"); - FreeDecodedCert(args->dCert); - args->dCertInit = 0; - } else if (MatchTrustedPeer(tp, args->dCert)){ - WOLFSSL_MSG("Found matching trusted peer cert"); - haveTrustPeer = 1; - } else { - WOLFSSL_MSG("Trusted peer cert did not match!"); - FreeDecodedCert(args->dCert); - args->dCertInit = 0; - } - } - #endif /* WOLFSSL_TRUST_PEER_CERT */ - - /* verify up to peer's first */ - /* do not verify chain if trusted peer cert found */ - while (args->count > 1 - #ifdef WOLFSSL_TRUST_PEER_CERT - && !haveTrustPeer - #endif /* WOLFSSL_TRUST_PEER_CERT */ - ) { - byte* subjectHash; - - args->certIdx = args->count - 1; - - if (!args->dCertInit) { - InitDecodedCert(args->dCert, - args->certs[args->certIdx].buffer, - args->certs[args->certIdx].length, ssl->heap); - args->dCert->sigCtx.devId = ssl->devId; /* setup async dev */ - args->dCertInit = 1; - } - - ret = ParseCertRelative(args->dCert, CERT_TYPE, - !ssl->options.verifyNone, ssl->ctx->cm); - if (ret != 0) { - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, - args->dCert->sigCtx.asyncDev, - WC_ASYNC_FLAG_CALL_AGAIN); - } - #endif - goto exit_dc; - } - - #ifndef NO_SKID - subjectHash = args->dCert->extSubjKeyId; - #else - subjectHash = args->dCert->subjectHash; - #endif - - /* Check key sizes for certs. Is redundent check since - ProcessBuffer also performs this check. */ - if (!ssl->options.verifyNone) { - switch (args->dCert->keyOID) { - #ifndef NO_RSA - case RSAk: - if (ssl->options.minRsaKeySz < 0 || - args->dCert->pubKeySize < - (word16)ssl->options.minRsaKeySz) { - WOLFSSL_MSG( - "RSA key size in cert chain error"); - ret = RSA_KEY_SIZE_E; - } - break; - #endif /* !NO_RSA */ - #ifdef HAVE_ECC - case ECDSAk: - if (ssl->options.minEccKeySz < 0 || - args->dCert->pubKeySize < - (word16)ssl->options.minEccKeySz) { - WOLFSSL_MSG( - "ECC key size in cert chain error"); - ret = ECC_KEY_SIZE_E; - } - break; - #endif /* HAVE_ECC */ - default: - WOLFSSL_MSG("Key size not checked"); - /* key not being checked for size if not in - switch */ - break; - } /* switch (dCert->keyOID) */ - } /* if (!ssl->options.verifyNone) */ - - if (ret == 0 && args->dCert->isCA == 0) { - WOLFSSL_MSG("Chain cert is not a CA, not adding as one"); - } - else if (ret == 0 && ssl->options.verifyNone) { - WOLFSSL_MSG("Chain cert not verified by option, not adding as CA"); - } - else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, subjectHash)) { - DerBuffer* add = NULL; - ret = AllocDer(&add, args->certs[args->certIdx].length, - CA_TYPE, ssl->heap); - if (ret < 0) - goto exit_dc; - - WOLFSSL_MSG("Adding CA from chain"); - - XMEMCPY(add->buffer, args->certs[args->certIdx].buffer, - args->certs[args->certIdx].length); - - /* already verified above */ - ret = AddCA(ssl->ctx->cm, &add, WOLFSSL_CHAIN_CA, 0); - if (ret == 1) { - ret = 0; /* SSL_SUCCESS for external */ - } - } - else if (ret != 0) { - WOLFSSL_MSG("Failed to verify CA from chain"); - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_ERR_INVALID_CA; - #endif - } - else { - WOLFSSL_MSG("Verified CA from chain and already had it"); - } - - #if defined(HAVE_OCSP) || defined(HAVE_CRL) - if (ret == 0) { - int doCrlLookup = 1; - #ifdef HAVE_OCSP - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - if (ssl->status_request_v2) { - ret = TLSX_CSR2_InitRequests(ssl->extensions, - args->dCert, 0, ssl->heap); - } - else /* skips OCSP and force CRL check */ - #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ - if (ssl->ctx->cm->ocspEnabled && - ssl->ctx->cm->ocspCheckAll) { - WOLFSSL_MSG("Doing Non Leaf OCSP check"); - ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert, - NULL); - doCrlLookup = (ret == OCSP_CERT_UNKNOWN); - if (ret != 0) { - doCrlLookup = 0; - WOLFSSL_MSG("\tOCSP Lookup not ok"); - } - } - #endif /* HAVE_OCSP */ - - #ifdef HAVE_CRL - if (ret == 0 && doCrlLookup && - ssl->ctx->cm->crlEnabled && - ssl->ctx->cm->crlCheckAll) { - WOLFSSL_MSG("Doing Non Leaf CRL check"); - ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert); - if (ret != 0) { - WOLFSSL_MSG("\tCRL check not ok"); - } - } - #endif /* HAVE_CRL */ - (void)doCrlLookup; - } - #endif /* HAVE_OCSP || HAVE_CRL */ - - if (ret != 0 && lastErr == 0) { - lastErr = ret; /* save error from last time */ - } - - FreeDecodedCert(args->dCert); - args->dCertInit = 0; - args->count--; - } /* while (count > 0 && !haveTrustPeer) */ - } /* if (count > 0) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dc; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_DO; - } /* case TLS_ASYNC_BUILD */ - - case TLS_ASYNC_DO: - { - /* peer's, may not have one if blank client cert sent by TLSv1.2 */ - if (args->count > 0) { - int fatal = 0; - - WOLFSSL_MSG("Verifying Peer's cert"); - - args->certIdx = 0; - - if (!args->dCertInit) { - InitDecodedCert(args->dCert, - args->certs[args->certIdx].buffer, - args->certs[args->certIdx].length, ssl->heap); - args->dCertInit = 1; - } - - #ifdef WOLFSSL_TRUST_PEER_CERT - if (!haveTrustPeer) - #endif - { /* only parse if not already present in dCert from above */ - ret = ParseCertRelative(args->dCert, CERT_TYPE, - !ssl->options.verifyNone, ssl->ctx->cm); - if (ret != 0) { - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, - args->dCert->sigCtx.asyncDev, - WC_ASYNC_FLAG_CALL_AGAIN); - } - #endif - goto exit_dc; - } - } - - if (ret == 0) { - WOLFSSL_MSG("Verified Peer's cert"); - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_OK; - #endif - fatal = 0; - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; - #endif - } - else if (ret == ASN_PARSE_E) { - WOLFSSL_MSG("Got Peer cert ASN PARSE ERROR, fatal"); - fatal = 1; - } - else { - WOLFSSL_MSG("Failed to verify Peer's cert"); - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; - #endif - if (ssl->verifyCallback) { - WOLFSSL_MSG( - "\tCallback override available, will continue"); - fatal = 0; - } - else { - WOLFSSL_MSG("\tNo callback override available, fatal"); - fatal = 1; - } - } - - #ifdef HAVE_SECURE_RENEGOTIATION - if (fatal == 0 && ssl->secure_renegotiation - && ssl->secure_renegotiation->enabled) { - - if (IsEncryptionOn(ssl, 0)) { - /* compare against previous time */ - if (XMEMCMP(args->dCert->subjectHash, - ssl->secure_renegotiation->subject_hash, - SHA_DIGEST_SIZE) != 0) { - WOLFSSL_MSG( - "Peer sent different cert during scr, fatal"); - fatal = 1; - ret = SCR_DIFFERENT_CERT_E; - } - } - - /* cache peer's hash */ - if (fatal == 0) { - XMEMCPY(ssl->secure_renegotiation->subject_hash, - args->dCert->subjectHash, SHA_DIGEST_SIZE); - } - } - #endif /* HAVE_SECURE_RENEGOTIATION */ - - #if defined(HAVE_OCSP) || defined(HAVE_CRL) - if (fatal == 0) { - int doLookup = 1; - - if (ssl->options.side == WOLFSSL_CLIENT_END) { - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST - if (ssl->status_request) { - fatal = TLSX_CSR_InitRequest(ssl->extensions, - args->dCert, ssl->heap); - doLookup = 0; - } - #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - if (ssl->status_request_v2) { - fatal = TLSX_CSR2_InitRequests(ssl->extensions, - args->dCert, 1, ssl->heap); - doLookup = 0; - } - #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ - } - - #ifdef HAVE_OCSP - if (doLookup && ssl->ctx->cm->ocspEnabled) { - WOLFSSL_MSG("Doing Leaf OCSP check"); - ret = CheckCertOCSP(ssl->ctx->cm->ocsp, - args->dCert, NULL); - doLookup = (ret == OCSP_CERT_UNKNOWN); - if (ret != 0) { - WOLFSSL_MSG("\tOCSP Lookup not ok"); - fatal = 0; - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; - #endif - } - } - #endif /* HAVE_OCSP */ - - #ifdef HAVE_CRL - if (doLookup && ssl->ctx->cm->crlEnabled) { - WOLFSSL_MSG("Doing Leaf CRL check"); - ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert); - if (ret != 0) { - WOLFSSL_MSG("\tCRL check not ok"); - fatal = 0; - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; - #endif - } - } - #endif /* HAVE_CRL */ - (void)doLookup; - } - #endif /* HAVE_OCSP || HAVE_CRL */ - - #ifdef KEEP_PEER_CERT - { - /* set X509 format for peer cert even if fatal */ - int copyRet = CopyDecodedToX509(&ssl->peerCert, - args->dCert); - if (copyRet == MEMORY_E) - fatal = 1; - } - #endif /* KEEP_PEER_CERT */ - - #ifndef IGNORE_KEY_EXTENSIONS - if (args->dCert->extKeyUsageSet) { - if ((ssl->specs.kea == rsa_kea) && - (ssl->options.side == WOLFSSL_CLIENT_END) && - (args->dCert->extKeyUsage & KEYUSE_KEY_ENCIPHER) == 0) { - ret = KEYUSE_ENCIPHER_E; - } - if ((ssl->specs.sig_algo == rsa_sa_algo || - (ssl->specs.sig_algo == ecc_dsa_sa_algo && - !ssl->specs.static_ecdh)) && - (args->dCert->extKeyUsage & KEYUSE_DIGITAL_SIG) == 0) { - WOLFSSL_MSG("KeyUse Digital Sig not set"); - ret = KEYUSE_SIGNATURE_E; - } - } - - if (args->dCert->extExtKeyUsageSet) { - if (ssl->options.side == WOLFSSL_CLIENT_END) { - if ((args->dCert->extExtKeyUsage & - (EXTKEYUSE_ANY | EXTKEYUSE_SERVER_AUTH)) == 0) { - WOLFSSL_MSG("ExtKeyUse Server Auth not set"); - ret = EXTKEYUSE_AUTH_E; - } - } - else { - if ((args->dCert->extExtKeyUsage & - (EXTKEYUSE_ANY | EXTKEYUSE_CLIENT_AUTH)) == 0) { - WOLFSSL_MSG("ExtKeyUse Client Auth not set"); - ret = EXTKEYUSE_AUTH_E; - } - } - } - #endif /* IGNORE_KEY_EXTENSIONS */ - - if (fatal) { - ssl->error = ret; - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; - #endif - goto exit_dc; - } - - ssl->options.havePeerCert = 1; - } /* if (count > 0) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dc; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_VERIFY; - } /* case TLS_ASYNC_DO */ - - case TLS_ASYNC_VERIFY: - { - if (args->count > 0) { - args->domain = (char*)XMALLOC(ASN_NAME_MAX, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (args->domain == NULL) { - ERROR_OUT(MEMORY_E, exit_dc); - } - - /* store for callback use */ - if (args->dCert->subjectCNLen < ASN_NAME_MAX) { - XMEMCPY(args->domain, args->dCert->subjectCN, args->dCert->subjectCNLen); - args->domain[args->dCert->subjectCNLen] = '\0'; - } - else { - args->domain[0] = '\0'; - } - - if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer) { - if (MatchDomainName(args->dCert->subjectCN, - args->dCert->subjectCNLen, - (char*)ssl->buffers.domainName.buffer) == 0) { - WOLFSSL_MSG("DomainName match on common name failed"); - if (CheckAltNames(args->dCert, - (char*)ssl->buffers.domainName.buffer) == 0 ) { - WOLFSSL_MSG( - "DomainName match on alt names failed too"); - /* try to get peer key still */ - ret = DOMAIN_NAME_MISMATCH; - } - } - } - - /* decode peer key */ - switch (args->dCert->keyOID) { - #ifndef NO_RSA - case RSAk: - { - word32 keyIdx = 0; - int keyRet = 0; - - if (ssl->peerRsaKey == NULL) { - keyRet = AllocKey(ssl, DYNAMIC_TYPE_RSA, - (void**)&ssl->peerRsaKey); - } else if (ssl->peerRsaKeyPresent) { - /* don't leak on reuse */ - wc_FreeRsaKey(ssl->peerRsaKey); - ssl->peerRsaKeyPresent = 0; - keyRet = wc_InitRsaKey_ex(ssl->peerRsaKey, - ssl->heap, ssl->devId); - } - - if (keyRet != 0 || wc_RsaPublicKeyDecode( - args->dCert->publicKey, &keyIdx, ssl->peerRsaKey, - args->dCert->pubKeySize) != 0) { - ret = PEER_KEY_ERROR; - } - else { - ssl->peerRsaKeyPresent = 1; - #ifdef HAVE_PK_CALLBACKS - #ifndef NO_RSA - ssl->buffers.peerRsaKey.buffer = - (byte*)XMALLOC(args->dCert->pubKeySize, - ssl->heap, DYNAMIC_TYPE_RSA); - if (ssl->buffers.peerRsaKey.buffer == NULL) { - ret = MEMORY_ERROR; - } - else { - XMEMCPY(ssl->buffers.peerRsaKey.buffer, - args->dCert->publicKey, - args->dCert->pubKeySize); - ssl->buffers.peerRsaKey.length = - args->dCert->pubKeySize; - } - #endif /* NO_RSA */ - #endif /* HAVE_PK_CALLBACKS */ - } - - /* check size of peer RSA key */ - if (ret == 0 && ssl->peerRsaKeyPresent && - !ssl->options.verifyNone && - wc_RsaEncryptSize(ssl->peerRsaKey) - < ssl->options.minRsaKeySz) { - ret = RSA_KEY_SIZE_E; - WOLFSSL_MSG("Peer RSA key is too small"); - } - break; - } - #endif /* NO_RSA */ - #ifdef HAVE_NTRU - case NTRUk: - { - if (args->dCert->pubKeySize > sizeof(ssl->peerNtruKey)) { - ret = PEER_KEY_ERROR; - } - else { - XMEMCPY(ssl->peerNtruKey, args->dCert->publicKey, - args->dCert->pubKeySize); - ssl->peerNtruKeyLen = - (word16)args->dCert->pubKeySize; - ssl->peerNtruKeyPresent = 1; - } - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ECDSAk: - { - int curveId; - if (ssl->peerEccDsaKey == NULL) { - /* alloc/init on demand */ - ret = AllocKey(ssl, DYNAMIC_TYPE_ECC, - (void**)&ssl->peerEccDsaKey); - } else if (ssl->peerEccDsaKeyPresent) { - /* don't leak on reuse */ - wc_ecc_free(ssl->peerEccDsaKey); - ssl->peerEccDsaKeyPresent = 0; - ret = wc_ecc_init_ex(ssl->peerEccDsaKey, - ssl->heap, ssl->devId); - } - if (ret != 0) { - break; - } - - curveId = wc_ecc_get_oid(args->dCert->keyOID, NULL, NULL); - if (wc_ecc_import_x963_ex(args->dCert->publicKey, - args->dCert->pubKeySize, ssl->peerEccDsaKey, - curveId) != 0) { - ret = PEER_KEY_ERROR; - } - else { - ssl->peerEccDsaKeyPresent = 1; - #ifdef HAVE_PK_CALLBACKS - #ifdef HAVE_ECC - ssl->buffers.peerEccDsaKey.buffer = - (byte*)XMALLOC(args->dCert->pubKeySize, - ssl->heap, DYNAMIC_TYPE_ECC); - if (ssl->buffers.peerEccDsaKey.buffer == NULL) - ret = MEMORY_ERROR; - else { - XMEMCPY(ssl->buffers.peerEccDsaKey.buffer, - args->dCert->publicKey, - args->dCert->pubKeySize); - ssl->buffers.peerEccDsaKey.length = - args->dCert->pubKeySize; - } - #endif /* HAVE_ECC */ - #endif /*HAVE_PK_CALLBACKS */ - } - - /* check size of peer ECC key */ - if (ret == 0 && ssl->peerEccDsaKeyPresent && - !ssl->options.verifyNone && - wc_ecc_size(ssl->peerEccDsaKey) - < ssl->options.minEccKeySz) { - ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG("Peer ECC key is too small"); - } - break; - } - #endif /* HAVE_ECC */ - default: - break; - } - - FreeDecodedCert(args->dCert); - args->dCertInit = 0; - - /* release since we don't need it anymore */ - if (args->dCert) { - XFREE(args->dCert, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->dCert = NULL; - } - } /* if (count > 0) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dc; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_FINALIZE; - } /* case TLS_ASYNC_VERIFY */ - - case TLS_ASYNC_FINALIZE: - { - #ifdef WOLFSSL_SMALL_STACK - WOLFSSL_X509_STORE_CTX* store = (WOLFSSL_X509_STORE_CTX*)XMALLOC( - sizeof(WOLFSSL_X509_STORE_CTX), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (store == NULL) { - ERROR_OUT(MEMORY_E, exit_dc); - } - #else - WOLFSSL_X509_STORE_CTX store[1]; - #endif - - XMEMSET(store, 0, sizeof(WOLFSSL_X509_STORE_CTX)); - - /* load last error */ - if (lastErr != 0 && ret == 0) { - ret = lastErr; - } - - if (ret != 0) { - if (!ssl->options.verifyNone) { - int why = bad_certificate; - - if (ret == ASN_AFTER_DATE_E || ret == ASN_BEFORE_DATE_E) { - why = certificate_expired; - } - if (ssl->verifyCallback) { - int ok; - - store->error = ret; - store->error_depth = args->totalCerts; - store->discardSessionCerts = 0; - store->domain = args->domain; - store->userCtx = ssl->verifyCbCtx; - store->certs = args->certs; - store->totalCerts = args->totalCerts; - #ifdef KEEP_PEER_CERT - if (ssl->peerCert.subject.sz > 0) - store->current_cert = &ssl->peerCert; - else - store->current_cert = NULL; - #else - store->current_cert = NULL; - #endif /* KEEP_PEER_CERT */ - #if defined(HAVE_EX_DATA) || defined(HAVE_FORTRESS) - store->ex_data = ssl; - #endif - ok = ssl->verifyCallback(0, store); - if (ok) { - WOLFSSL_MSG("Verify callback overriding error!"); - ret = 0; - } - #ifdef SESSION_CERTS - if (store->discardSessionCerts) { - WOLFSSL_MSG("Verify callback requested discard sess certs"); - ssl->session.chain.count = 0; - } - #endif /* SESSION_CERTS */ - } - if (ret != 0) { - SendAlert(ssl, alert_fatal, why); /* try to send */ - ssl->options.isClosed = 1; - } - } - ssl->error = ret; - } - #ifdef WOLFSSL_ALWAYS_VERIFY_CB - else { - if (ssl->verifyCallback) { - int ok; - - store->error = ret; - #ifdef WOLFSSL_WPAS - store->error_depth = 0; - #else - store->error_depth = args->totalCerts; - #endif - store->discardSessionCerts = 0; - store->domain = args->domain; - store->userCtx = ssl->verifyCbCtx; - store->certs = args->certs; - store->totalCerts = args->totalCerts; - #ifdef KEEP_PEER_CERT - if (ssl->peerCert.subject.sz > 0) - store->current_cert = &ssl->peerCert; - else - store->current_cert = NULL; - #endif - store->ex_data = ssl; - - ok = ssl->verifyCallback(1, store); - if (!ok) { - WOLFSSL_MSG("Verify callback overriding valid certificate!"); - ret = -1; - SendAlert(ssl, alert_fatal, bad_certificate); - ssl->options.isClosed = 1; - } - #ifdef SESSION_CERTS - if (store->discardSessionCerts) { - WOLFSSL_MSG("Verify callback requested discard sess certs"); - ssl->session.chain.count = 0; - } - #endif /* SESSION_CERTS */ - } - } - #endif /* WOLFSSL_ALWAYS_VERIFY_CB */ - - if (ssl->options.verifyNone && - (ret == CRL_MISSING || ret == CRL_CERT_REVOKED)) { - WOLFSSL_MSG("Ignoring CRL problem based on verify setting"); - ret = ssl->error = 0; - } - - if (ret == 0 && ssl->options.side == WOLFSSL_CLIENT_END) { - ssl->options.serverState = SERVER_CERT_COMPLETE; - } - - if (IsEncryptionOn(ssl, 0)) { - args->idx += ssl->keys.padSz; - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(store, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_END; - } /* case TLS_ASYNC_FINALIZE */ - - case TLS_ASYNC_END: - { - /* Set final index */ - *inOutIdx = args->idx; - - break; - } - default: - ret = INPUT_CASE_ERROR; - break; - } /* switch(ssl->options.asyncState) */ - -exit_dc: - - WOLFSSL_LEAVE("DoCertificate", ret); - -#ifdef WOLFSSL_ASYNC_CRYPT - /* Handle WC_PENDING_E */ - if (ret == WC_PENDING_E) { - /* Mark message as not recevied so it can process again */ - ssl->msgsReceived.got_certificate = 0; - - return ret; - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - FreeDoCertArgs(ssl, args); - FreeKeyExchange(ssl); - - return ret; -} - - -static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, - word32 size) -{ - int ret = 0; - byte status_type; - word32 status_length; - - if (size < ENUM_LEN + OPAQUE24_LEN) - return BUFFER_ERROR; - - status_type = input[(*inOutIdx)++]; - - c24to32(input + *inOutIdx, &status_length); - *inOutIdx += OPAQUE24_LEN; - - if (size != ENUM_LEN + OPAQUE24_LEN + status_length) - return BUFFER_ERROR; - - switch (status_type) { - - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - - /* WOLFSSL_CSR_OCSP overlaps with WOLFSSL_CSR2_OCSP */ - case WOLFSSL_CSR2_OCSP: { - OcspRequest* request; - - #ifdef WOLFSSL_SMALL_STACK - CertStatus* status; - OcspResponse* response; - #else - CertStatus status[1]; - OcspResponse response[1]; - #endif - - do { - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST - if (ssl->status_request) { - request = (OcspRequest*)TLSX_CSR_GetRequest( - ssl->extensions); - ssl->status_request = 0; - break; - } - #endif - - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - if (ssl->status_request_v2) { - request = (OcspRequest*)TLSX_CSR2_GetRequest( - ssl->extensions, status_type, 0); - ssl->status_request_v2 = 0; - break; - } - #endif - - return BUFFER_ERROR; - } while(0); - - if (request == NULL) - return BAD_CERTIFICATE_STATUS_ERROR; /* not expected */ - - #ifdef WOLFSSL_SMALL_STACK - status = (CertStatus*)XMALLOC(sizeof(CertStatus), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - - if (status == NULL || response == NULL) { - if (status) - XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (response) - XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - return MEMORY_ERROR; - } - #endif - - InitOcspResponse(response, status, input +*inOutIdx, status_length); - - if (OcspResponseDecode(response, ssl->ctx->cm, ssl->heap, 0) != 0) - ret = BAD_CERTIFICATE_STATUS_ERROR; - else if (CompareOcspReqResp(request, response) != 0) - ret = BAD_CERTIFICATE_STATUS_ERROR; - else if (response->responseStatus != OCSP_SUCCESSFUL) - ret = BAD_CERTIFICATE_STATUS_ERROR; - else if (response->status->status == CERT_REVOKED) - ret = OCSP_CERT_REVOKED; - else if (response->status->status != CERT_GOOD) - ret = BAD_CERTIFICATE_STATUS_ERROR; - - *inOutIdx += status_length; - - #ifdef WOLFSSL_SMALL_STACK - XFREE(status, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(response, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - - } - break; - - #endif - - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - - case WOLFSSL_CSR2_OCSP_MULTI: { - OcspRequest* request; - word32 list_length = status_length; - byte index = 0; - - #ifdef WOLFSSL_SMALL_STACK - CertStatus* status; - OcspResponse* response; - #else - CertStatus status[1]; - OcspResponse response[1]; - #endif - - do { - if (ssl->status_request_v2) { - ssl->status_request_v2 = 0; - break; - } - - return BUFFER_ERROR; - } while(0); - - #ifdef WOLFSSL_SMALL_STACK - status = (CertStatus*)XMALLOC(sizeof(CertStatus), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - - if (status == NULL || response == NULL) { - if (status) - XFREE(status, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (response) - XFREE(response, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - - return MEMORY_ERROR; - } - #endif - - while (list_length && ret == 0) { - if (OPAQUE24_LEN > list_length) { - ret = BUFFER_ERROR; - break; - } - - c24to32(input + *inOutIdx, &status_length); - *inOutIdx += OPAQUE24_LEN; - list_length -= OPAQUE24_LEN; - - if (status_length > list_length) { - ret = BUFFER_ERROR; - break; - } - - if (status_length) { - InitOcspResponse(response, status, input +*inOutIdx, - status_length); - - if ((OcspResponseDecode(response, ssl->ctx->cm, ssl->heap, - 0) != 0) - || (response->responseStatus != OCSP_SUCCESSFUL) - || (response->status->status != CERT_GOOD)) - ret = BAD_CERTIFICATE_STATUS_ERROR; - - while (ret == 0) { - request = (OcspRequest*)TLSX_CSR2_GetRequest( - ssl->extensions, status_type, index++); - - if (request == NULL) - ret = BAD_CERTIFICATE_STATUS_ERROR; - else if (CompareOcspReqResp(request, response) == 0) - break; - else if (index == 1) /* server cert must be OK */ - ret = BAD_CERTIFICATE_STATUS_ERROR; - } - - *inOutIdx += status_length; - list_length -= status_length; - } - } - - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - ssl->status_request_v2 = 0; - #endif - - #ifdef WOLFSSL_SMALL_STACK - XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - - } - break; - - #endif - - default: - ret = BUFFER_ERROR; - } - - if (ret != 0) - SendAlert(ssl, alert_fatal, bad_certificate_status_response); - - return ret; -} - -#endif /* !NO_CERTS */ - - -static int DoHelloRequest(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - word32 size, word32 totalSz) -{ - (void)input; - - if (size) /* must be 0 */ - return BUFFER_ERROR; - - if (IsEncryptionOn(ssl, 0)) { - /* access beyond input + size should be checked against totalSz */ - if (*inOutIdx + ssl->keys.padSz > totalSz) - return BUFFER_E; - - *inOutIdx += ssl->keys.padSz; - } - - if (ssl->options.side == WOLFSSL_SERVER_END) { - SendAlert(ssl, alert_fatal, unexpected_message); /* try */ - return FATAL_ERROR; - } -#ifdef HAVE_SECURE_RENEGOTIATION - else if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) { - ssl->secure_renegotiation->startScr = 1; - return 0; - } -#endif - else { - return SendAlert(ssl, alert_warning, no_renegotiation); - } -} - - -int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size, - word32 totalSz, int sniff) -{ - word32 finishedSz = (ssl->options.tls ? TLS_FINISHED_SZ : FINISHED_SZ); - - if (finishedSz != size) - return BUFFER_ERROR; - - /* check against totalSz */ - if (*inOutIdx + size + ssl->keys.padSz > totalSz) - return BUFFER_E; - - #ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) AddPacketName(ssl, "Finished"); - if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo); - #endif - - if (sniff == NO_SNIFF) { - if (XMEMCMP(input + *inOutIdx, &ssl->hsHashes->verifyHashes,size) != 0){ - WOLFSSL_MSG("Verify finished error on hashes"); - return VERIFY_FINISHED_ERROR; - } - } - -#ifdef HAVE_SECURE_RENEGOTIATION - if (ssl->secure_renegotiation) { - /* save peer's state */ - if (ssl->options.side == WOLFSSL_CLIENT_END) - XMEMCPY(ssl->secure_renegotiation->server_verify_data, - input + *inOutIdx, TLS_FINISHED_SZ); - else - XMEMCPY(ssl->secure_renegotiation->client_verify_data, - input + *inOutIdx, TLS_FINISHED_SZ); - } -#endif - - /* force input exhaustion at ProcessReply consuming padSz */ - *inOutIdx += size + ssl->keys.padSz; - - if (ssl->options.side == WOLFSSL_CLIENT_END) { - ssl->options.serverState = SERVER_FINISHED_COMPLETE; - if (!ssl->options.resuming) { - #ifdef OPENSSL_EXTRA - if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, SSL_SUCCESS); - } - #endif - ssl->options.handShakeState = HANDSHAKE_DONE; - ssl->options.handShakeDone = 1; - } - } - else { - ssl->options.clientState = CLIENT_FINISHED_COMPLETE; - if (ssl->options.resuming) { - #ifdef OPENSSL_EXTRA - if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, SSL_SUCCESS); - } - #endif - ssl->options.handShakeState = HANDSHAKE_DONE; - ssl->options.handShakeDone = 1; - } - } - - - return 0; -} - - -/* Make sure no duplicates, no fast forward, or other problems; 0 on success */ -static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type) -{ - /* verify not a duplicate, mark received, check state */ - switch (type) { - -#ifndef NO_WOLFSSL_CLIENT - case hello_request: - if (ssl->msgsReceived.got_hello_request) { - WOLFSSL_MSG("Duplicate HelloRequest received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_hello_request = 1; - - break; -#endif - -#ifndef NO_WOLFSSL_SERVER - case client_hello: - if (ssl->msgsReceived.got_client_hello) { - WOLFSSL_MSG("Duplicate ClientHello received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_client_hello = 1; - - break; -#endif - -#ifndef NO_WOLFSSL_CLIENT - case server_hello: - if (ssl->msgsReceived.got_server_hello) { - WOLFSSL_MSG("Duplicate ServerHello received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_server_hello = 1; - - break; -#endif - -#ifndef NO_WOLFSSL_CLIENT - case hello_verify_request: - if (ssl->msgsReceived.got_hello_verify_request) { - WOLFSSL_MSG("Duplicate HelloVerifyRequest received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_hello_verify_request = 1; - - break; -#endif - -#ifndef NO_WOLFSSL_CLIENT - case session_ticket: - if (ssl->msgsReceived.got_session_ticket) { - WOLFSSL_MSG("Duplicate SessionTicket received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_session_ticket = 1; - - break; -#endif - - case certificate: - if (ssl->msgsReceived.got_certificate) { - WOLFSSL_MSG("Duplicate Certificate received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_certificate = 1; - -#ifndef NO_WOLFSSL_CLIENT - if (ssl->options.side == WOLFSSL_CLIENT_END) { - if ( ssl->msgsReceived.got_server_hello == 0) { - WOLFSSL_MSG("No ServerHello before Cert"); - return OUT_OF_ORDER_E; - } - } -#endif -#ifndef NO_WOLFSSL_SERVER - if (ssl->options.side == WOLFSSL_SERVER_END) { - if ( ssl->msgsReceived.got_client_hello == 0) { - WOLFSSL_MSG("No ClientHello before Cert"); - return OUT_OF_ORDER_E; - } - } -#endif - break; - -#ifndef NO_WOLFSSL_CLIENT - case certificate_status: - if (ssl->msgsReceived.got_certificate_status) { - WOLFSSL_MSG("Duplicate CertificateSatatus received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_certificate_status = 1; - - if (ssl->msgsReceived.got_certificate == 0) { - WOLFSSL_MSG("No Certificate before CertificateStatus"); - return OUT_OF_ORDER_E; - } - if (ssl->msgsReceived.got_server_key_exchange != 0) { - WOLFSSL_MSG("CertificateStatus after ServerKeyExchange"); - return OUT_OF_ORDER_E; - } - - break; -#endif - -#ifndef NO_WOLFSSL_CLIENT - case server_key_exchange: - if (ssl->msgsReceived.got_server_key_exchange) { - WOLFSSL_MSG("Duplicate ServerKeyExchange received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_server_key_exchange = 1; - - if (ssl->msgsReceived.got_server_hello == 0) { - WOLFSSL_MSG("No ServerHello before ServerKeyExchange"); - return OUT_OF_ORDER_E; - } - if (ssl->msgsReceived.got_certificate_status == 0) { -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST - if (ssl->status_request) { - int ret; - - WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange"); - if ((ret = TLSX_CSR_ForceRequest(ssl)) != 0) - return ret; - } -#endif -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - if (ssl->status_request_v2) { - int ret; - - WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange"); - if ((ret = TLSX_CSR2_ForceRequest(ssl)) != 0) - return ret; - } -#endif - } - - break; -#endif - -#ifndef NO_WOLFSSL_CLIENT - case certificate_request: - if (ssl->msgsReceived.got_certificate_request) { - WOLFSSL_MSG("Duplicate CertificateRequest received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_certificate_request = 1; - - break; -#endif - -#ifndef NO_WOLFSSL_CLIENT - case server_hello_done: - if (ssl->msgsReceived.got_server_hello_done) { - WOLFSSL_MSG("Duplicate ServerHelloDone received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_server_hello_done = 1; - - if (ssl->msgsReceived.got_certificate == 0) { - if (ssl->specs.kea == psk_kea || - ssl->specs.kea == dhe_psk_kea || - ssl->specs.kea == ecdhe_psk_kea || - ssl->options.usingAnon_cipher) { - WOLFSSL_MSG("No Cert required"); - } else { - WOLFSSL_MSG("No Certificate before ServerHelloDone"); - return OUT_OF_ORDER_E; - } - } - if (ssl->msgsReceived.got_server_key_exchange == 0) { - int pskNoServerHint = 0; /* not required in this case */ - - #ifndef NO_PSK - if (ssl->specs.kea == psk_kea && - ssl->arrays->server_hint[0] == 0) - pskNoServerHint = 1; - #endif - if (ssl->specs.static_ecdh == 1 || - ssl->specs.kea == rsa_kea || - ssl->specs.kea == ntru_kea || - pskNoServerHint) { - WOLFSSL_MSG("No KeyExchange required"); - } else { - WOLFSSL_MSG("No ServerKeyExchange before ServerDone"); - return OUT_OF_ORDER_E; - } - } - break; -#endif - -#ifndef NO_WOLFSSL_SERVER - case certificate_verify: - if (ssl->msgsReceived.got_certificate_verify) { - WOLFSSL_MSG("Duplicate CertificateVerify received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_certificate_verify = 1; - - if ( ssl->msgsReceived.got_certificate == 0) { - WOLFSSL_MSG("No Cert before CertVerify"); - return OUT_OF_ORDER_E; - } - break; -#endif - -#ifndef NO_WOLFSSL_SERVER - case client_key_exchange: - if (ssl->msgsReceived.got_client_key_exchange) { - WOLFSSL_MSG("Duplicate ClientKeyExchange received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_client_key_exchange = 1; - - if (ssl->msgsReceived.got_client_hello == 0) { - WOLFSSL_MSG("No ClientHello before ClientKeyExchange"); - return OUT_OF_ORDER_E; - } - break; -#endif - - case finished: - if (ssl->msgsReceived.got_finished) { - WOLFSSL_MSG("Duplicate Finished received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_finished = 1; - - if (ssl->msgsReceived.got_change_cipher == 0) { - WOLFSSL_MSG("Finished received before ChangeCipher"); - return NO_CHANGE_CIPHER_E; - } - - break; - - case change_cipher_hs: - if (ssl->msgsReceived.got_change_cipher) { - WOLFSSL_MSG("Duplicate ChangeCipher received"); - return DUPLICATE_MSG_E; - } - /* DTLS is going to ignore the CCS message if the client key - * exchange message wasn't received yet. */ - if (!ssl->options.dtls) - ssl->msgsReceived.got_change_cipher = 1; - -#ifndef NO_WOLFSSL_CLIENT - if (ssl->options.side == WOLFSSL_CLIENT_END) { - if (!ssl->options.resuming && - ssl->msgsReceived.got_server_hello_done == 0) { - WOLFSSL_MSG("No ServerHelloDone before ChangeCipher"); - return OUT_OF_ORDER_E; - } - #ifdef HAVE_SESSION_TICKET - if (ssl->expect_session_ticket) { - WOLFSSL_MSG("Expected session ticket missing"); - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - return OUT_OF_ORDER_E; - #endif - return SESSION_TICKET_EXPECT_E; - } - #endif - } -#endif -#ifndef NO_WOLFSSL_SERVER - if (ssl->options.side == WOLFSSL_SERVER_END) { - if (!ssl->options.resuming && - ssl->msgsReceived.got_client_key_exchange == 0) { - WOLFSSL_MSG("No ClientKeyExchange before ChangeCipher"); - return OUT_OF_ORDER_E; - } - #ifndef NO_CERTS - if (ssl->options.verifyPeer && - ssl->options.havePeerCert) { - - if (!ssl->options.havePeerVerify) { - WOLFSSL_MSG("client didn't send cert verify"); - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - return OUT_OF_ORDER_E; - #endif - return NO_PEER_VERIFY; - } - } - #endif - } -#endif - if (ssl->options.dtls) - ssl->msgsReceived.got_change_cipher = 1; - break; - - default: - WOLFSSL_MSG("Unknown message type"); - return SANITY_MSG_E; - } - - return 0; -} - - -static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, - byte type, word32 size, word32 totalSz) -{ - int ret = 0; - word32 expectedIdx; - - WOLFSSL_ENTER("DoHandShakeMsgType"); - - /* make sure can read the message */ - if (*inOutIdx + size > totalSz) - return INCOMPLETE_DATA; - - expectedIdx = *inOutIdx + size + - (ssl->keys.encryptionOn ? ssl->keys.padSz : 0); - - /* sanity check msg received */ - if ( (ret = SanityCheckMsgReceived(ssl, type)) != 0) { - WOLFSSL_MSG("Sanity Check on handshake message type received failed"); - return ret; - } - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - /* add name later, add on record and handshake header part back on */ - if (ssl->toInfoOn) { - int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - AddPacketInfo(ssl, 0, handshake, input + *inOutIdx - add, - size + add, READ_PROTO, ssl->heap); - #ifdef WOLFSSL_CALLBACKS - AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo); - #endif - } -#endif - - if (ssl->options.handShakeState == HANDSHAKE_DONE && type != hello_request){ - WOLFSSL_MSG("HandShake message after handshake complete"); - SendAlert(ssl, alert_fatal, unexpected_message); - return OUT_OF_ORDER_E; - } - - if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.dtls == 0 && - ssl->options.serverState == NULL_STATE && type != server_hello) { - WOLFSSL_MSG("First server message not server hello"); - SendAlert(ssl, alert_fatal, unexpected_message); - return OUT_OF_ORDER_E; - } - - if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.dtls && - type == server_hello_done && - ssl->options.serverState < SERVER_HELLO_COMPLETE) { - WOLFSSL_MSG("Server hello done received before server hello in DTLS"); - SendAlert(ssl, alert_fatal, unexpected_message); - return OUT_OF_ORDER_E; - } - - if (ssl->options.side == WOLFSSL_SERVER_END && - ssl->options.clientState == NULL_STATE && type != client_hello) { - WOLFSSL_MSG("First client message not client hello"); - SendAlert(ssl, alert_fatal, unexpected_message); - return OUT_OF_ORDER_E; - } - - /* above checks handshake state */ - /* hello_request not hashed */ - /* Also, skip hashing the client_hello message here for DTLS. It will be - * hashed later if the DTLS cookie is correct. */ - if (type != hello_request && - !(IsDtlsNotSctpMode(ssl) && type == client_hello) && - ssl->error != WC_PENDING_E) { - ret = HashInput(ssl, input + *inOutIdx, size); - if (ret != 0) return ret; - } - - switch (type) { - - case hello_request: - WOLFSSL_MSG("processing hello request"); - ret = DoHelloRequest(ssl, input, inOutIdx, size, totalSz); - break; - -#ifndef NO_WOLFSSL_CLIENT - case hello_verify_request: - WOLFSSL_MSG("processing hello verify request"); - ret = DoHelloVerifyRequest(ssl, input,inOutIdx, size); - break; - - case server_hello: - WOLFSSL_MSG("processing server hello"); - ret = DoServerHello(ssl, input, inOutIdx, size); - break; - -#ifndef NO_CERTS - case certificate_request: - WOLFSSL_MSG("processing certificate request"); - ret = DoCertificateRequest(ssl, input, inOutIdx, size); - break; -#endif - - case server_key_exchange: - WOLFSSL_MSG("processing server key exchange"); - ret = DoServerKeyExchange(ssl, input, inOutIdx, size); - break; - -#ifdef HAVE_SESSION_TICKET - case session_ticket: - WOLFSSL_MSG("processing session ticket"); - ret = DoSessionTicket(ssl, input, inOutIdx, size); - break; -#endif /* HAVE_SESSION_TICKET */ -#endif - -#ifndef NO_CERTS - case certificate: - WOLFSSL_MSG("processing certificate"); - ret = DoCertificate(ssl, input, inOutIdx, size); - break; - - case certificate_status: - WOLFSSL_MSG("processing certificate status"); - ret = DoCertificateStatus(ssl, input, inOutIdx, size); - break; -#endif - - case server_hello_done: - WOLFSSL_MSG("processing server hello done"); - #ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) - AddPacketName(ssl, "ServerHelloDone"); - if (ssl->toInfoOn) - AddLateName("ServerHelloDone", &ssl->timeoutInfo); - #endif - ssl->options.serverState = SERVER_HELLODONE_COMPLETE; - if (IsEncryptionOn(ssl, 0)) { - *inOutIdx += ssl->keys.padSz; - } - if (ssl->options.resuming) { - WOLFSSL_MSG("Not resuming as thought"); - ssl->options.resuming = 0; - } - break; - - case finished: - WOLFSSL_MSG("processing finished"); - ret = DoFinished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF); - break; - -#ifndef NO_WOLFSSL_SERVER - case client_hello: - WOLFSSL_MSG("processing client hello"); - ret = DoClientHello(ssl, input, inOutIdx, size); - break; - - case client_key_exchange: - WOLFSSL_MSG("processing client key exchange"); - ret = DoClientKeyExchange(ssl, input, inOutIdx, size); - break; - -#if !defined(NO_RSA) || defined(HAVE_ECC) - case certificate_verify: - WOLFSSL_MSG("processing certificate verify"); - ret = DoCertificateVerify(ssl, input, inOutIdx, size); - break; -#endif /* !NO_RSA || HAVE_ECC */ - -#endif /* !NO_WOLFSSL_SERVER */ - - default: - WOLFSSL_MSG("Unknown handshake message type"); - ret = UNKNOWN_HANDSHAKE_TYPE; - break; - } - - if (ret == 0 && expectedIdx != *inOutIdx) { - WOLFSSL_MSG("Extra data in handshake message"); - if (!ssl->options.dtls) - SendAlert(ssl, alert_fatal, decode_error); - ret = DECODE_E; - } - -#ifdef WOLFSSL_ASYNC_CRYPT - /* if async, offset index so this msg will be processed again */ - if (ret == WC_PENDING_E) { - *inOutIdx -= HANDSHAKE_HEADER_SZ; - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - *inOutIdx -= DTLS_HANDSHAKE_EXTRA; - } - #endif - } -#endif - - WOLFSSL_LEAVE("DoHandShakeMsgType()", ret); - return ret; -} - - -static int DoHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx, - word32 totalSz) -{ - int ret = 0; - word32 inputLength; - - WOLFSSL_ENTER("DoHandShakeMsg()"); - - if (ssl->arrays == NULL) { - byte type; - word32 size; - - if (GetHandShakeHeader(ssl,input,inOutIdx,&type, &size, totalSz) != 0) - return PARSE_ERROR; - - return DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz); - } - - inputLength = ssl->buffers.inputBuffer.length - *inOutIdx; - - /* If there is a pending fragmented handshake message, - * pending message size will be non-zero. */ - if (ssl->arrays->pendingMsgSz == 0) { - byte type; - word32 size; - - if (GetHandShakeHeader(ssl,input, inOutIdx, &type, &size, totalSz) != 0) - return PARSE_ERROR; - - /* Cap the maximum size of a handshake message to something reasonable. - * By default is the maximum size of a certificate message assuming - * nine 2048-bit RSA certificates in the chain. */ - if (size > MAX_HANDSHAKE_SZ) { - WOLFSSL_MSG("Handshake message too large"); - return HANDSHAKE_SIZE_ERROR; - } - - /* size is the size of the certificate message payload */ - if (inputLength - HANDSHAKE_HEADER_SZ < size) { - ssl->arrays->pendingMsgType = type; - ssl->arrays->pendingMsgSz = size + HANDSHAKE_HEADER_SZ; - ssl->arrays->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ, - ssl->heap, - DYNAMIC_TYPE_ARRAYS); - if (ssl->arrays->pendingMsg == NULL) - return MEMORY_E; - XMEMCPY(ssl->arrays->pendingMsg, - input + *inOutIdx - HANDSHAKE_HEADER_SZ, - inputLength); - ssl->arrays->pendingMsgOffset = inputLength; - *inOutIdx += inputLength - HANDSHAKE_HEADER_SZ; - return 0; - } - - ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz); - } - else { - if (inputLength + ssl->arrays->pendingMsgOffset - > ssl->arrays->pendingMsgSz) { - - return BUFFER_ERROR; - } - else { - XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset, - input + *inOutIdx, inputLength); - ssl->arrays->pendingMsgOffset += inputLength; - *inOutIdx += inputLength; - } - - if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz) - { - word32 idx = 0; - ret = DoHandShakeMsgType(ssl, - ssl->arrays->pendingMsg - + HANDSHAKE_HEADER_SZ, - &idx, ssl->arrays->pendingMsgType, - ssl->arrays->pendingMsgSz - - HANDSHAKE_HEADER_SZ, - ssl->arrays->pendingMsgSz); - XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS); - ssl->arrays->pendingMsg = NULL; - ssl->arrays->pendingMsgSz = 0; - } - } - - WOLFSSL_LEAVE("DoHandShakeMsg()", ret); - return ret; -} - - -#ifdef WOLFSSL_DTLS - -static INLINE int DtlsCheckWindow(WOLFSSL* ssl) -{ - word32* window; - word16 cur_hi, next_hi; - word32 cur_lo, next_lo, diff; - int curLT; - - if (ssl->keys.curEpoch == ssl->keys.nextEpoch) { - next_hi = ssl->keys.nextSeq_hi; - next_lo = ssl->keys.nextSeq_lo; - window = ssl->keys.window; - } - else if (ssl->keys.curEpoch == ssl->keys.nextEpoch - 1) { - next_hi = ssl->keys.prevSeq_hi; - next_lo = ssl->keys.prevSeq_lo; - window = ssl->keys.prevWindow; - } - else { - return 0; - } - - cur_hi = ssl->keys.curSeq_hi; - cur_lo = ssl->keys.curSeq_lo; - - /* If the difference between next and cur is > 2^32, way outside window. */ - if ((cur_hi > next_hi + 1) || (next_hi > cur_hi + 1)) { - WOLFSSL_MSG("Current record from way too far in the future."); - return 0; - } - - if (cur_hi == next_hi) { - curLT = cur_lo < next_lo; - diff = curLT ? next_lo - cur_lo : cur_lo - next_lo; - } - else { - curLT = cur_hi < next_hi; - diff = curLT ? cur_lo - next_lo : next_lo - cur_lo; - } - - /* Check to see that the next value is greater than the number of messages - * trackable in the window, and that the difference between the next - * expected sequence number and the received sequence number is inside the - * window. */ - if ((next_hi || next_lo > DTLS_SEQ_BITS) && - curLT && (diff > DTLS_SEQ_BITS)) { - - WOLFSSL_MSG("Current record sequence number from the past."); - return 0; - } - else if (!curLT && (diff > DTLS_SEQ_BITS)) { - WOLFSSL_MSG("Rejecting message too far into the future."); - return 0; - } - else if (curLT) { - word32 idx = diff / DTLS_WORD_BITS; - word32 newDiff = diff % DTLS_WORD_BITS; - - if (window[idx] & (1 << (newDiff - 1))) { - WOLFSSL_MSG("Current record sequence number already received."); - return 0; - } - } - - return 1; -} - - -static INLINE int DtlsUpdateWindow(WOLFSSL* ssl) -{ - word32* window; - word32* next_lo; - word16* next_hi; - int curLT; - word32 cur_lo, diff; - word16 cur_hi; - - if (ssl->keys.curEpoch == ssl->keys.nextEpoch) { - next_hi = &ssl->keys.nextSeq_hi; - next_lo = &ssl->keys.nextSeq_lo; - window = ssl->keys.window; - } - else { - next_hi = &ssl->keys.prevSeq_hi; - next_lo = &ssl->keys.prevSeq_lo; - window = ssl->keys.prevWindow; - } - - cur_hi = ssl->keys.curSeq_hi; - cur_lo = ssl->keys.curSeq_lo; - - if (cur_hi == *next_hi) { - curLT = cur_lo < *next_lo; - diff = curLT ? *next_lo - cur_lo : cur_lo - *next_lo; - } - else { - curLT = cur_hi < *next_hi; - diff = curLT ? cur_lo - *next_lo : *next_lo - cur_lo; - } - - if (curLT) { - word32 idx = diff / DTLS_WORD_BITS; - word32 newDiff = diff % DTLS_WORD_BITS; - - if (idx < WOLFSSL_DTLS_WINDOW_WORDS) - window[idx] |= (1 << (newDiff - 1)); - } - else { - if (diff >= DTLS_SEQ_BITS) - XMEMSET(window, 0, DTLS_SEQ_SZ); - else { - word32 idx, newDiff, temp, i; - word32 oldWindow[WOLFSSL_DTLS_WINDOW_WORDS]; - - temp = 0; - diff++; - idx = diff / DTLS_WORD_BITS; - newDiff = diff % DTLS_WORD_BITS; - - XMEMCPY(oldWindow, window, sizeof(oldWindow)); - - for (i = 0; i < WOLFSSL_DTLS_WINDOW_WORDS; i++) { - if (i < idx) - window[i] = 0; - else { - temp |= (oldWindow[i-idx] << newDiff); - window[i] = temp; - temp = oldWindow[i-idx] >> (DTLS_WORD_BITS - newDiff); - } - } - } - window[0] |= 1; - *next_lo = cur_lo + 1; - if (*next_lo < cur_lo) - (*next_hi)++; - } - - return 1; -} - - -static int DtlsMsgDrain(WOLFSSL* ssl) -{ - DtlsMsg* item = ssl->dtls_rx_msg_list; - int ret = 0; - - /* While there is an item in the store list, and it is the expected - * message, and it is complete, and there hasn't been an error in the - * last messge... */ - while (item != NULL && - ssl->keys.dtls_expected_peer_handshake_number == item->seq && - item->fragSz == item->sz && - ret == 0) { - word32 idx = 0; - ssl->keys.dtls_expected_peer_handshake_number++; - ret = DoHandShakeMsgType(ssl, item->msg, - &idx, item->type, item->sz, item->sz); - ssl->dtls_rx_msg_list = item->next; - DtlsMsgDelete(item, ssl->heap); - item = ssl->dtls_rx_msg_list; - ssl->dtls_rx_msg_list_sz--; - } - - return ret; -} - - -static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx, - word32 totalSz) -{ - byte type; - word32 size; - word32 fragOffset, fragSz; - int ret = 0; - - WOLFSSL_ENTER("DoDtlsHandShakeMsg()"); - if (GetDtlsHandShakeHeader(ssl, input, inOutIdx, &type, - &size, &fragOffset, &fragSz, totalSz) != 0) - return PARSE_ERROR; - - if (*inOutIdx + fragSz > totalSz) - return INCOMPLETE_DATA; - - /* Check the handshake sequence number first. If out of order, - * add the current message to the list. If the message is in order, - * but it is a fragment, add the current message to the list, then - * check the head of the list to see if it is complete, if so, pop - * it out as the current message. If the message is complete and in - * order, process it. Check the head of the list to see if it is in - * order, if so, process it. (Repeat until list exhausted.) If the - * head is out of order, return for more processing. - */ - if (ssl->keys.dtls_peer_handshake_number > - ssl->keys.dtls_expected_peer_handshake_number) { - /* Current message is out of order. It will get stored in the list. - * Storing also takes care of defragmentation. If the messages is a - * client hello, we need to process this out of order; the server - * is not supposed to keep state, but the second client hello will - * have a different handshake sequence number than is expected, and - * the server shouldn't be expecting any particular handshake sequence - * number. (If the cookie changes multiple times in quick succession, - * the client could be sending multiple new client hello messages - * with newer and newer cookies.) */ - if (type != client_hello) { - if (ssl->dtls_rx_msg_list_sz < DTLS_POOL_SZ) { - DtlsMsgStore(ssl, ssl->keys.dtls_peer_handshake_number, - input + *inOutIdx, size, type, - fragOffset, fragSz, ssl->heap); - } - *inOutIdx += fragSz; - ret = 0; - } - else { - ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz); - if (ret == 0) { - ssl->keys.dtls_expected_peer_handshake_number = - ssl->keys.dtls_peer_handshake_number + 1; - } - } - } - else if (ssl->keys.dtls_peer_handshake_number < - ssl->keys.dtls_expected_peer_handshake_number) { - /* Already saw this message and processed it. It can be ignored. */ - *inOutIdx += fragSz; - if(type == finished ) { - if (*inOutIdx + ssl->keys.padSz > totalSz) { - return BUFFER_E; - } - *inOutIdx += ssl->keys.padSz; - } - if (IsDtlsNotSctpMode(ssl) && - VerifyForDtlsMsgPoolSend(ssl, type, fragOffset)) { - - ret = DtlsMsgPoolSend(ssl, 0); - } - } - else if (fragSz < size) { - /* Since this branch is in order, but fragmented, dtls_rx_msg_list will - * be pointing to the message with this fragment in it. Check it to see - * if it is completed. */ - if (ssl->dtls_rx_msg_list_sz < DTLS_POOL_SZ) { - DtlsMsgStore(ssl, ssl->keys.dtls_peer_handshake_number, - input + *inOutIdx, size, type, - fragOffset, fragSz, ssl->heap); - } - *inOutIdx += fragSz; - ret = 0; - if (ssl->dtls_rx_msg_list != NULL && - ssl->dtls_rx_msg_list->fragSz >= ssl->dtls_rx_msg_list->sz) - ret = DtlsMsgDrain(ssl); - } - else { - /* This branch is in order next, and a complete message. */ - ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz); - if (ret == 0) { - if (type != client_hello || !IsDtlsNotSctpMode(ssl)) - ssl->keys.dtls_expected_peer_handshake_number++; - if (ssl->dtls_rx_msg_list != NULL) { - ret = DtlsMsgDrain(ssl); - } - } - } - - WOLFSSL_LEAVE("DoDtlsHandShakeMsg()", ret); - return ret; -} -#endif - - -#ifdef HAVE_AEAD -static INLINE void AeadIncrementExpIV(WOLFSSL* ssl) -{ - int i; - for (i = AEAD_MAX_EXP_SZ-1; i >= 0; i--) { - if (++ssl->keys.aead_exp_IV[i]) return; - } -} - - -#if defined(HAVE_POLY1305) && defined(HAVE_CHACHA) -/* Used for the older version of creating AEAD tags with Poly1305 */ -static int Poly1305TagOld(WOLFSSL* ssl, byte* additional, const byte* out, - byte* cipher, word16 sz, byte* tag) -{ - int ret = 0; - int msglen = (sz - ssl->specs.aead_mac_size); - word32 keySz = 32; - byte padding[8]; /* used to temporarily store lengths */ - -#ifdef CHACHA_AEAD_TEST - printf("Using old version of poly1305 input.\n"); -#endif - - if (msglen < 0) - return INPUT_CASE_ERROR; - - if ((ret = wc_Poly1305SetKey(ssl->auth.poly1305, cipher, keySz)) != 0) - return ret; - - if ((ret = wc_Poly1305Update(ssl->auth.poly1305, additional, - AEAD_AUTH_DATA_SZ)) != 0) - return ret; - - /* length of additional input plus padding */ - XMEMSET(padding, 0, sizeof(padding)); - padding[0] = AEAD_AUTH_DATA_SZ; - if ((ret = wc_Poly1305Update(ssl->auth.poly1305, padding, - sizeof(padding))) != 0) - return ret; - - - /* add cipher info and then its length */ - XMEMSET(padding, 0, sizeof(padding)); - if ((ret = wc_Poly1305Update(ssl->auth.poly1305, out, msglen)) != 0) - return ret; - - /* 32 bit size of cipher to 64 bit endian */ - padding[0] = msglen & 0xff; - padding[1] = (msglen >> 8) & 0xff; - padding[2] = (msglen >> 16) & 0xff; - padding[3] = (msglen >> 24) & 0xff; - if ((ret = wc_Poly1305Update(ssl->auth.poly1305, padding, sizeof(padding))) - != 0) - return ret; - - /* generate tag */ - if ((ret = wc_Poly1305Final(ssl->auth.poly1305, tag)) != 0) - return ret; - - return ret; -} - - -/* When the flag oldPoly is not set this follows RFC7905. When oldPoly is set - * the implmentation follows an older draft for creating the nonce and MAC. - * The flag oldPoly gets set automaticlly depending on what cipher suite was - * negotiated in the handshake. This is able to be done because the IDs for the - * cipher suites was updated in RFC7905 giving unique values for the older - * draft in comparision to the more recent RFC. - * - * ssl WOLFSSL structure to get cipher and TLS state from - * out output buffer to hold encrypted data - * input data to encrypt - * sz size of input - * - * Return 0 on success negative values in error case - */ -static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input, - word16 sz) -{ - const byte* additionalSrc = input - RECORD_HEADER_SZ; - int ret = 0; - word32 msgLen = (sz - ssl->specs.aead_mac_size); - byte tag[POLY1305_AUTH_SZ]; - byte add[AEAD_AUTH_DATA_SZ]; - byte nonce[CHACHA20_NONCE_SZ]; - byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for poly1305 */ - #ifdef CHACHA_AEAD_TEST - int i; - #endif - - XMEMSET(tag, 0, sizeof(tag)); - XMEMSET(nonce, 0, sizeof(nonce)); - XMEMSET(poly, 0, sizeof(poly)); - XMEMSET(add, 0, sizeof(add)); - - /* opaque SEQ number stored for AD */ - WriteSEQ(ssl, CUR_ORDER, add); - - if (ssl->options.oldPoly != 0) { - /* get nonce. SEQ should not be incremented again here */ - XMEMCPY(nonce + CHACHA20_OLD_OFFSET, add, OPAQUE32_LEN * 2); - } - - /* Store the type, version. Unfortunately, they are in - * the input buffer ahead of the plaintext. */ - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - additionalSrc -= DTLS_HANDSHAKE_EXTRA; - DtlsSEQIncrement(ssl, CUR_ORDER); - } - #endif - - /* add TLS message size to additional data */ - add[AEAD_AUTH_DATA_SZ - 2] = (msgLen >> 8) & 0xff; - add[AEAD_AUTH_DATA_SZ - 1] = msgLen & 0xff; - - XMEMCPY(add + AEAD_TYPE_OFFSET, additionalSrc, 3); - - #ifdef CHACHA_AEAD_TEST - printf("Encrypt Additional : "); - for (i = 0; i < AEAD_AUTH_DATA_SZ; i++) { - printf("%02x", add[i]); - } - printf("\n\n"); - printf("input before encryption :\n"); - for (i = 0; i < sz; i++) { - printf("%02x", input[i]); - if ((i + 1) % 16 == 0) - printf("\n"); - } - printf("\n"); - #endif - - if (ssl->options.oldPoly == 0) { - /* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte - * record sequence number XORed with client_write_IV/server_write_IV */ - XMEMCPY(nonce, ssl->keys.aead_enc_imp_IV, CHACHA20_IMP_IV_SZ); - nonce[4] ^= add[0]; - nonce[5] ^= add[1]; - nonce[6] ^= add[2]; - nonce[7] ^= add[3]; - nonce[8] ^= add[4]; - nonce[9] ^= add[5]; - nonce[10] ^= add[6]; - nonce[11] ^= add[7]; - } - - /* set the nonce for chacha and get poly1305 key */ - if ((ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0)) != 0) { - ForceZero(nonce, CHACHA20_NONCE_SZ); - return ret; - } - - ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */ - /* create Poly1305 key using chacha20 keystream */ - if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, - poly, sizeof(poly))) != 0) - return ret; - - /* encrypt the plain text */ - if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, out, - input, msgLen)) != 0) { - ForceZero(poly, sizeof(poly)); - return ret; - } - - /* get the poly1305 tag using either old padding scheme or more recent */ - if (ssl->options.oldPoly != 0) { - if ((ret = Poly1305TagOld(ssl, add, (const byte* )out, - poly, sz, tag)) != 0) { - ForceZero(poly, sizeof(poly)); - return ret; - } - } - else { - if ((ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, - sizeof(poly))) != 0) { - ForceZero(poly, sizeof(poly)); - return ret; - } - if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, add, - sizeof(add), out, msgLen, tag, sizeof(tag))) != 0) { - ForceZero(poly, sizeof(poly)); - return ret; - } - } - ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */ - - /* append tag to ciphertext */ - XMEMCPY(out + msgLen, tag, sizeof(tag)); - - AeadIncrementExpIV(ssl); - - #ifdef CHACHA_AEAD_TEST - printf("mac tag :\n"); - for (i = 0; i < 16; i++) { - printf("%02x", tag[i]); - if ((i + 1) % 16 == 0) - printf("\n"); - } - printf("\n\noutput after encrypt :\n"); - for (i = 0; i < sz; i++) { - printf("%02x", out[i]); - if ((i + 1) % 16 == 0) - printf("\n"); - } - printf("\n"); - #endif - - return ret; -} - - -/* When the flag oldPoly is not set this follows RFC7905. When oldPoly is set - * the implmentation follows an older draft for creating the nonce and MAC. - * The flag oldPoly gets set automaticlly depending on what cipher suite was - * negotiated in the handshake. This is able to be done because the IDs for the - * cipher suites was updated in RFC7905 giving unique values for the older - * draft in comparision to the more recent RFC. - * - * ssl WOLFSSL structure to get cipher and TLS state from - * plain output buffer to hold decrypted data - * input data to decrypt - * sz size of input - * - * Return 0 on success negative values in error case - */ -static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input, - word16 sz) -{ - byte add[AEAD_AUTH_DATA_SZ]; - byte nonce[CHACHA20_NONCE_SZ]; - byte tag[POLY1305_AUTH_SZ]; - byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */ - int ret = 0; - int msgLen = (sz - ssl->specs.aead_mac_size); - - #ifdef CHACHA_AEAD_TEST - int i; - printf("input before decrypt :\n"); - for (i = 0; i < sz; i++) { - printf("%02x", input[i]); - if ((i + 1) % 16 == 0) - printf("\n"); - } - printf("\n"); - #endif - - XMEMSET(tag, 0, sizeof(tag)); - XMEMSET(poly, 0, sizeof(poly)); - XMEMSET(nonce, 0, sizeof(nonce)); - XMEMSET(add, 0, sizeof(add)); - - /* sequence number field is 64-bits */ - WriteSEQ(ssl, PEER_ORDER, add); - - if (ssl->options.oldPoly != 0) { - /* get nonce, SEQ should not be incremented again here */ - XMEMCPY(nonce + CHACHA20_OLD_OFFSET, add, OPAQUE32_LEN * 2); - } - - /* get AD info */ - /* Store the type, version. */ - add[AEAD_TYPE_OFFSET] = ssl->curRL.type; - add[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor; - add[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor; - - /* add TLS message size to additional data */ - add[AEAD_AUTH_DATA_SZ - 2] = (msgLen >> 8) & 0xff; - add[AEAD_AUTH_DATA_SZ - 1] = msgLen & 0xff; - - #ifdef CHACHA_AEAD_TEST - printf("Decrypt Additional : "); - for (i = 0; i < AEAD_AUTH_DATA_SZ; i++) { - printf("%02x", add[i]); - } - printf("\n\n"); - #endif - - if (ssl->options.oldPoly == 0) { - /* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte - * record sequence number XORed with client_write_IV/server_write_IV */ - XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, CHACHA20_IMP_IV_SZ); - nonce[4] ^= add[0]; - nonce[5] ^= add[1]; - nonce[6] ^= add[2]; - nonce[7] ^= add[3]; - nonce[8] ^= add[4]; - nonce[9] ^= add[5]; - nonce[10] ^= add[6]; - nonce[11] ^= add[7]; - } - - /* set nonce and get poly1305 key */ - if ((ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0)) != 0) { - ForceZero(nonce, CHACHA20_NONCE_SZ); - return ret; - } - - ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */ - /* use chacha20 keystream to get poly1305 key for tag */ - if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, - poly, sizeof(poly))) != 0) - return ret; - - /* get the tag using Poly1305 */ - if (ssl->options.oldPoly != 0) { - if ((ret = Poly1305TagOld(ssl, add, input, poly, sz, tag)) != 0) { - ForceZero(poly, sizeof(poly)); - return ret; - } - } - else { - if ((ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, - sizeof(poly))) != 0) { - ForceZero(poly, sizeof(poly)); - return ret; - } - if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, add, - sizeof(add), (byte*)input, msgLen, tag, sizeof(tag))) != 0) { - ForceZero(poly, sizeof(poly)); - return ret; - } - } - ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */ - - /* check tag sent along with packet */ - if (ConstantCompare(input + msgLen, tag, ssl->specs.aead_mac_size) != 0) { - WOLFSSL_MSG("MAC did not match"); - if (!ssl->options.dtls) - SendAlert(ssl, alert_fatal, bad_record_mac); - return VERIFY_MAC_ERROR; - } - - /* if the tag was good decrypt message */ - if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, plain, - input, msgLen)) != 0) - return ret; - - #ifdef CHACHA_AEAD_TEST - printf("plain after decrypt :\n"); - for (i = 0; i < sz; i++) { - printf("%02x", plain[i]); - if ((i + 1) % 16 == 0) - printf("\n"); - } - printf("\n"); - #endif - - return ret; -} -#endif /* HAVE_CHACHA && HAVE_POLY1305 */ -#endif /* HAVE_AEAD */ - - -static INLINE int EncryptDo(WOLFSSL* ssl, byte* out, const byte* input, - word16 sz, int asyncOkay) -{ - int ret = 0; -#ifdef WOLFSSL_ASYNC_CRYPT - WC_ASYNC_DEV* asyncDev = NULL; - word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN; -#else - (void)asyncOkay; -#endif - - (void)out; - (void)input; - (void)sz; - - switch (ssl->specs.bulk_cipher_algorithm) { - #ifdef BUILD_ARC4 - case wolfssl_rc4: - wc_Arc4Process(ssl->encrypt.arc4, out, input, sz); - break; - #endif - - #ifdef BUILD_DES3 - case wolfssl_triple_des: - ret = wc_Des3_CbcEncrypt(ssl->encrypt.des3, out, input, sz); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - asyncDev = &ssl->encrypt.des3->asyncDev; - if (asyncOkay) - ret = wolfSSL_AsyncPush(ssl, asyncDev, event_flags); - } - #endif - break; - #endif - - #ifdef BUILD_AES - case wolfssl_aes: - ret = wc_AesCbcEncrypt(ssl->encrypt.aes, out, input, sz); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - asyncDev = &ssl->encrypt.aes->asyncDev; - if (asyncOkay) - ret = wolfSSL_AsyncPush(ssl, asyncDev, event_flags); - break; - } - #endif - break; - #endif - - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - case wolfssl_aes_gcm: - case wolfssl_aes_ccm:/* GCM AEAD macros use same size as CCM */ - { - wc_AesAuthEncryptFunc aes_auth_fn; - #if defined(BUILD_AESGCM) && defined(HAVE_AESCCM) - aes_auth_fn = (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) - ? wc_AesGcmEncrypt : wc_AesCcmEncrypt; - #elif defined(BUILD_AESGCM) - aes_auth_fn = wc_AesGcmEncrypt; - #else - aes_auth_fn = wc_AesCcmEncrypt; - #endif - const byte* additionalSrc = input - 5; - - XMEMSET(ssl->encrypt.additional, 0, AEAD_AUTH_DATA_SZ); - - /* sequence number field is 64-bits */ - WriteSEQ(ssl, CUR_ORDER, ssl->encrypt.additional); - - /* Store the type, version. Unfortunately, they are in - * the input buffer ahead of the plaintext. */ - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - additionalSrc -= DTLS_HANDSHAKE_EXTRA; - } - #endif - XMEMCPY(ssl->encrypt.additional + AEAD_TYPE_OFFSET, - additionalSrc, 3); - - /* Store the length of the plain text minus the explicit - * IV length minus the authentication tag size. */ - c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, - ssl->encrypt.additional + AEAD_LEN_OFFSET); - XMEMCPY(ssl->encrypt.nonce, - ssl->keys.aead_enc_imp_IV, AESGCM_IMP_IV_SZ); - XMEMCPY(ssl->encrypt.nonce + AESGCM_IMP_IV_SZ, - ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ); - ret = aes_auth_fn(ssl->encrypt.aes, - out + AESGCM_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ, - sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, - ssl->encrypt.nonce, AESGCM_NONCE_SZ, - out + sz - ssl->specs.aead_mac_size, - ssl->specs.aead_mac_size, - ssl->encrypt.additional, AEAD_AUTH_DATA_SZ); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - asyncDev = &ssl->encrypt.aes->asyncDev; - if (asyncOkay) - ret = wolfSSL_AsyncPush(ssl, asyncDev, event_flags); - } - #endif - } - break; - #endif /* BUILD_AESGCM || HAVE_AESCCM */ - - #ifdef HAVE_CAMELLIA - case wolfssl_camellia: - wc_CamelliaCbcEncrypt(ssl->encrypt.cam, out, input, sz); - break; - #endif - - #ifdef HAVE_HC128 - case wolfssl_hc128: - ret = wc_Hc128_Process(ssl->encrypt.hc128, out, input, sz); - break; - #endif - - #ifdef BUILD_RABBIT - case wolfssl_rabbit: - ret = wc_RabbitProcess(ssl->encrypt.rabbit, out, input, sz); - break; - #endif - - #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - case wolfssl_chacha: - ret = ChachaAEADEncrypt(ssl, out, input, sz); - break; - #endif - - #ifdef HAVE_NULL_CIPHER - case wolfssl_cipher_null: - if (input != out) { - XMEMMOVE(out, input, sz); - } - break; - #endif - - #ifdef HAVE_IDEA - case wolfssl_idea: - ret = wc_IdeaCbcEncrypt(ssl->encrypt.idea, out, input, sz); - break; - #endif - - default: - WOLFSSL_MSG("wolfSSL Encrypt programming error"); - ret = ENCRYPT_ERROR; - } - -#ifdef WOLFSSL_ASYNC_CRYPT - /* if async is not okay, then block */ - if (ret == WC_PENDING_E && !asyncOkay) { - ret = wc_AsyncWait(ret, asyncDev, event_flags); - } -#endif - - return ret; -} - -static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz, - int asyncOkay) -{ - int ret = 0; - -#ifdef WOLFSSL_ASYNC_CRYPT - if (asyncOkay && ssl->error == WC_PENDING_E) { - ssl->error = 0; /* clear async */ - } -#endif - - switch (ssl->encrypt.state) { - case CIPHER_STATE_BEGIN: - { - if (ssl->encrypt.setup == 0) { - WOLFSSL_MSG("Encrypt ciphers not setup"); - return ENCRYPT_ERROR; - } - - #ifdef HAVE_FUZZER - if (ssl->fuzzerCb) - ssl->fuzzerCb(ssl, input, sz, FUZZ_ENCRYPT, ssl->fuzzerCtx); - #endif - - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - /* make sure AES GCM/CCM memory is allocated */ - /* free for these happens in FreeCiphers */ - if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm || - ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) { - /* make sure auth iv and auth are allocated */ - if (ssl->encrypt.additional == NULL) - ssl->encrypt.additional = (byte*)XMALLOC(AEAD_AUTH_DATA_SZ, - ssl->heap, DYNAMIC_TYPE_AES); - if (ssl->encrypt.nonce == NULL) - ssl->encrypt.nonce = (byte*)XMALLOC(AESGCM_NONCE_SZ, - ssl->heap, DYNAMIC_TYPE_AES); - if (ssl->encrypt.additional == NULL || - ssl->encrypt.nonce == NULL) { - return MEMORY_E; - } - } - #endif /* BUILD_AESGCM || HAVE_AESCCM */ - - /* Advance state and proceed */ - ssl->encrypt.state = CIPHER_STATE_DO; - } - case CIPHER_STATE_DO: - { - ret = EncryptDo(ssl, out, input, sz, asyncOkay); - - /* Advance state */ - ssl->encrypt.state = CIPHER_STATE_END; - - #ifdef WOLFSSL_ASYNC_CRYPT - /* If pending, then leave and return will resume below */ - if (ret == WC_PENDING_E) { - return ret; - } - #endif - } - - case CIPHER_STATE_END: - { - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm || - ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) - { - /* finalize authentication cipher */ - AeadIncrementExpIV(ssl); - - if (ssl->encrypt.nonce) - ForceZero(ssl->encrypt.nonce, AESGCM_NONCE_SZ); - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - } - #endif /* BUILD_AESGCM || HAVE_AESCCM */ - break; - } - } - - /* Reset state */ - ssl->encrypt.state = CIPHER_STATE_BEGIN; - - return ret; -} - -static INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input, - word16 sz) -{ - int ret = 0; - - (void)plain; - (void)input; - (void)sz; - - switch (ssl->specs.bulk_cipher_algorithm) - { - #ifdef BUILD_ARC4 - case wolfssl_rc4: - wc_Arc4Process(ssl->decrypt.arc4, plain, input, sz); - break; - #endif - - #ifdef BUILD_DES3 - case wolfssl_triple_des: - ret = wc_Des3_CbcDecrypt(ssl->decrypt.des3, plain, input, sz); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.des3->asyncDev, - WC_ASYNC_FLAG_CALL_AGAIN); - } - #endif - break; - #endif - - #ifdef BUILD_AES - case wolfssl_aes: - ret = wc_AesCbcDecrypt(ssl->decrypt.aes, plain, input, sz); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev, - WC_ASYNC_FLAG_CALL_AGAIN); - } - #endif - break; - #endif - - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - case wolfssl_aes_gcm: - case wolfssl_aes_ccm: /* GCM AEAD macros use same size as CCM */ - { - wc_AesAuthDecryptFunc aes_auth_fn; - #if defined(BUILD_AESGCM) && defined(HAVE_AESCCM) - aes_auth_fn = (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) - ? wc_AesGcmDecrypt : wc_AesCcmDecrypt; - #elif defined(BUILD_AESGCM) - aes_auth_fn = wc_AesGcmDecrypt; - #else - aes_auth_fn = wc_AesCcmDecrypt; - #endif - - XMEMSET(ssl->decrypt.additional, 0, AEAD_AUTH_DATA_SZ); - - /* sequence number field is 64-bits */ - WriteSEQ(ssl, PEER_ORDER, ssl->decrypt.additional); - - ssl->decrypt.additional[AEAD_TYPE_OFFSET] = ssl->curRL.type; - ssl->decrypt.additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor; - ssl->decrypt.additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor; - - c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, - ssl->decrypt.additional + AEAD_LEN_OFFSET); - XMEMCPY(ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV, - AESGCM_IMP_IV_SZ); - XMEMCPY(ssl->decrypt.nonce + AESGCM_IMP_IV_SZ, input, - AESGCM_EXP_IV_SZ); - if ((ret = aes_auth_fn(ssl->decrypt.aes, - plain + AESGCM_EXP_IV_SZ, - input + AESGCM_EXP_IV_SZ, - sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, - ssl->decrypt.nonce, AESGCM_NONCE_SZ, - input + sz - ssl->specs.aead_mac_size, - ssl->specs.aead_mac_size, - ssl->decrypt.additional, AEAD_AUTH_DATA_SZ)) < 0) { - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, - &ssl->decrypt.aes->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - break; - } - #endif - } - } - break; - #endif /* BUILD_AESGCM || HAVE_AESCCM */ - - #ifdef HAVE_CAMELLIA - case wolfssl_camellia: - wc_CamelliaCbcDecrypt(ssl->decrypt.cam, plain, input, sz); - break; - #endif - - #ifdef HAVE_HC128 - case wolfssl_hc128: - ret = wc_Hc128_Process(ssl->decrypt.hc128, plain, input, sz); - break; - #endif - - #ifdef BUILD_RABBIT - case wolfssl_rabbit: - ret = wc_RabbitProcess(ssl->decrypt.rabbit, plain, input, sz); - break; - #endif - - #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - case wolfssl_chacha: - ret = ChachaAEADDecrypt(ssl, plain, input, sz); - break; - #endif - - #ifdef HAVE_NULL_CIPHER - case wolfssl_cipher_null: - if (input != plain) { - XMEMMOVE(plain, input, sz); - } - break; - #endif - - #ifdef HAVE_IDEA - case wolfssl_idea: - ret = wc_IdeaCbcDecrypt(ssl->decrypt.idea, plain, input, sz); - break; - #endif - - default: - WOLFSSL_MSG("wolfSSL Decrypt programming error"); - ret = DECRYPT_ERROR; - } - - return ret; -} - -static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input, - word16 sz) -{ - int ret = 0; - -#ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state); - if (ret != WC_NOT_PENDING_E) { - /* check for still pending */ - if (ret == WC_PENDING_E) - return ret; - - ssl->error = 0; /* clear async */ - - /* let failures through so CIPHER_STATE_END logic is run */ - } - else -#endif - { - /* Reset state */ - ret = 0; - ssl->decrypt.state = CIPHER_STATE_BEGIN; - } - - switch (ssl->decrypt.state) { - case CIPHER_STATE_BEGIN: - { - if (ssl->decrypt.setup == 0) { - WOLFSSL_MSG("Decrypt ciphers not setup"); - return DECRYPT_ERROR; - } - - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - /* make sure AES GCM/CCM memory is allocated */ - /* free for these happens in FreeCiphers */ - if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm || - ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) { - /* make sure auth iv and auth are allocated */ - if (ssl->decrypt.additional == NULL) - ssl->decrypt.additional = (byte*)XMALLOC(AEAD_AUTH_DATA_SZ, - ssl->heap, DYNAMIC_TYPE_AES); - if (ssl->decrypt.nonce == NULL) - ssl->decrypt.nonce = (byte*)XMALLOC(AESGCM_NONCE_SZ, - ssl->heap, DYNAMIC_TYPE_AES); - if (ssl->decrypt.additional == NULL || - ssl->decrypt.nonce == NULL) { - return MEMORY_E; - } - } - #endif /* BUILD_AESGCM || HAVE_AESCCM */ - - /* Advance state and proceed */ - ssl->decrypt.state = CIPHER_STATE_DO; - } - case CIPHER_STATE_DO: - { - ret = DecryptDo(ssl, plain, input, sz); - - /* Advance state */ - ssl->decrypt.state = CIPHER_STATE_END; - - #ifdef WOLFSSL_ASYNC_CRYPT - /* If pending, leave and return below */ - if (ret == WC_PENDING_E) { - return ret; - } - #endif - } - - case CIPHER_STATE_END: - { - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - /* make sure AES GCM/CCM nonce is cleared */ - if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm || - ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) { - if (ssl->decrypt.nonce) - ForceZero(ssl->decrypt.nonce, AESGCM_NONCE_SZ); - - if (ret < 0) - ret = VERIFY_MAC_ERROR; - } - #endif /* BUILD_AESGCM || HAVE_AESCCM */ - break; - } - } - - /* Reset state */ - ssl->decrypt.state = CIPHER_STATE_BEGIN; - - /* handle mac error case */ - if (ret == VERIFY_MAC_ERROR) { - if (!ssl->options.dtls) - SendAlert(ssl, alert_fatal, bad_record_mac); - } - - return ret; -} - - -/* check cipher text size for sanity */ -static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz) -{ -#ifdef HAVE_TRUNCATED_HMAC - word32 minLength = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ - : ssl->specs.hash_size; -#else - word32 minLength = ssl->specs.hash_size; /* covers stream */ -#endif - - if (ssl->specs.cipher_type == block) { - if (encryptSz % ssl->specs.block_size) { - WOLFSSL_MSG("Block ciphertext not block size"); - return SANITY_CIPHER_E; - } - - minLength++; /* pad byte */ - - if (ssl->specs.block_size > minLength) - minLength = ssl->specs.block_size; - - if (ssl->options.tls1_1) - minLength += ssl->specs.block_size; /* explicit IV */ - } - else if (ssl->specs.cipher_type == aead) { - minLength = ssl->specs.aead_mac_size; /* authTag size */ - if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) - minLength += AESGCM_EXP_IV_SZ; /* explicit IV */ - } - - if (encryptSz < minLength) { - WOLFSSL_MSG("Ciphertext not minimum size"); - return SANITY_CIPHER_E; - } - - return 0; -} - - -#ifndef NO_OLD_TLS - -static INLINE void Md5Rounds(int rounds, const byte* data, int sz) -{ - Md5 md5; - int i; - - wc_InitMd5(&md5); /* no error check on purpose, dummy round */ - - for (i = 0; i < rounds; i++) - wc_Md5Update(&md5, data, sz); - wc_Md5Free(&md5); /* in case needed to release resources */ -} - - - -/* do a dummy sha round */ -static INLINE void ShaRounds(int rounds, const byte* data, int sz) -{ - Sha sha; - int i; - - wc_InitSha(&sha); /* no error check on purpose, dummy round */ - - for (i = 0; i < rounds; i++) - wc_ShaUpdate(&sha, data, sz); - wc_ShaFree(&sha); /* in case needed to release resources */ -} -#endif - - -#ifndef NO_SHA256 - -static INLINE void Sha256Rounds(int rounds, const byte* data, int sz) -{ - Sha256 sha256; - int i; - - wc_InitSha256(&sha256); /* no error check on purpose, dummy round */ - - for (i = 0; i < rounds; i++) { - wc_Sha256Update(&sha256, data, sz); - /* no error check on purpose, dummy round */ - } - wc_Sha256Free(&sha256); /* in case needed to release resources */ -} - -#endif - - -#ifdef WOLFSSL_SHA384 - -static INLINE void Sha384Rounds(int rounds, const byte* data, int sz) -{ - Sha384 sha384; - int i; - - wc_InitSha384(&sha384); /* no error check on purpose, dummy round */ - - for (i = 0; i < rounds; i++) { - wc_Sha384Update(&sha384, data, sz); - /* no error check on purpose, dummy round */ - } - wc_Sha384Free(&sha384); /* in case needed to release resources */ -} - -#endif - - -#ifdef WOLFSSL_SHA512 - -static INLINE void Sha512Rounds(int rounds, const byte* data, int sz) -{ - Sha512 sha512; - int i; - - wc_InitSha512(&sha512); /* no error check on purpose, dummy round */ - - for (i = 0; i < rounds; i++) { - wc_Sha512Update(&sha512, data, sz); - /* no error check on purpose, dummy round */ - } - wc_Sha512Free(&sha512); /* in case needed to release resources */ -} - -#endif - - -#ifdef WOLFSSL_RIPEMD - -static INLINE void RmdRounds(int rounds, const byte* data, int sz) -{ - RipeMd ripemd; - int i; - - wc_InitRipeMd(&ripemd); - - for (i = 0; i < rounds; i++) - wc_RipeMdUpdate(&ripemd, data, sz); -} - -#endif - - -/* Do dummy rounds */ -static INLINE void DoRounds(int type, int rounds, const byte* data, int sz) -{ - (void)rounds; - (void)data; - (void)sz; - - switch (type) { - case no_mac : - break; - -#ifndef NO_OLD_TLS -#ifndef NO_MD5 - case md5_mac : - Md5Rounds(rounds, data, sz); - break; -#endif - -#ifndef NO_SHA - case sha_mac : - ShaRounds(rounds, data, sz); - break; -#endif -#endif - -#ifndef NO_SHA256 - case sha256_mac : - Sha256Rounds(rounds, data, sz); - break; -#endif - -#ifdef WOLFSSL_SHA384 - case sha384_mac : - Sha384Rounds(rounds, data, sz); - break; -#endif - -#ifdef WOLFSSL_SHA512 - case sha512_mac : - Sha512Rounds(rounds, data, sz); - break; -#endif - -#ifdef WOLFSSL_RIPEMD - case rmd_mac : - RmdRounds(rounds, data, sz); - break; -#endif - - default: - WOLFSSL_MSG("Bad round type"); - break; - } -} - - -/* do number of compression rounds on dummy data */ -static INLINE void CompressRounds(WOLFSSL* ssl, int rounds, const byte* dummy) -{ - if (rounds) - DoRounds(ssl->specs.mac_algorithm, rounds, dummy, COMPRESS_LOWER); -} - - -/* check all length bytes for the pad value, return 0 on success */ -static int PadCheck(const byte* a, byte pad, int length) -{ - int i; - int compareSum = 0; - - for (i = 0; i < length; i++) { - compareSum |= a[i] ^ pad; - } - - return compareSum; -} - - -/* get compression extra rounds */ -static INLINE int GetRounds(int pLen, int padLen, int t) -{ - int roundL1 = 1; /* round up flags */ - int roundL2 = 1; - - int L1 = COMPRESS_CONSTANT + pLen - t; - int L2 = COMPRESS_CONSTANT + pLen - padLen - 1 - t; - - L1 -= COMPRESS_UPPER; - L2 -= COMPRESS_UPPER; - - if ( (L1 % COMPRESS_LOWER) == 0) - roundL1 = 0; - if ( (L2 % COMPRESS_LOWER) == 0) - roundL2 = 0; - - L1 /= COMPRESS_LOWER; - L2 /= COMPRESS_LOWER; - - L1 += roundL1; - L2 += roundL2; - - return L1 - L2; -} - - -/* timing resistant pad/verify check, return 0 on success */ -static int TimingPadVerify(WOLFSSL* ssl, const byte* input, int padLen, int t, - int pLen, int content) -{ - byte verify[MAX_DIGEST_SIZE]; - byte dmy[sizeof(WOLFSSL) >= MAX_PAD_SIZE ? 1 : MAX_PAD_SIZE] = {0}; - byte* dummy = sizeof(dmy) < MAX_PAD_SIZE ? (byte*) ssl : dmy; - int ret = 0; - - (void)dmy; - - if ( (t + padLen + 1) > pLen) { - WOLFSSL_MSG("Plain Len not long enough for pad/mac"); - PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE); - ssl->hmac(ssl, verify, input, pLen - t, content, 1); /* still compare */ - ConstantCompare(verify, input + pLen - t, t); - - return VERIFY_MAC_ERROR; - } - - if (PadCheck(input + pLen - (padLen + 1), (byte)padLen, padLen + 1) != 0) { - WOLFSSL_MSG("PadCheck failed"); - PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE - padLen - 1); - ssl->hmac(ssl, verify, input, pLen - t, content, 1); /* still compare */ - ConstantCompare(verify, input + pLen - t, t); - - return VERIFY_MAC_ERROR; - } - - PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE - padLen - 1); - ret = ssl->hmac(ssl, verify, input, pLen - padLen - 1 - t, content, 1); - - CompressRounds(ssl, GetRounds(pLen, padLen, t), dummy); - - if (ConstantCompare(verify, input + (pLen - padLen - 1 - t), t) != 0) { - WOLFSSL_MSG("Verify MAC compare failed"); - return VERIFY_MAC_ERROR; - } - - /* treat any faulure as verify MAC error */ - if (ret != 0) - ret = VERIFY_MAC_ERROR; - - return ret; -} - - -int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx) -{ - word32 msgSz = ssl->keys.encryptSz; - word32 idx = *inOutIdx; - int dataSz; - int ivExtra = 0; - byte* rawData = input + idx; /* keep current for hmac */ -#ifdef HAVE_LIBZ - byte decomp[MAX_RECORD_SIZE + MAX_COMP_EXTRA]; -#endif - - if (ssl->options.handShakeDone == 0) { - WOLFSSL_MSG("Received App data before a handshake completed"); - SendAlert(ssl, alert_fatal, unexpected_message); - return OUT_OF_ORDER_E; - } - - if (ssl->specs.cipher_type == block) { - if (ssl->options.tls1_1) - ivExtra = ssl->specs.block_size; - } - else if (ssl->specs.cipher_type == aead) { - if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) - ivExtra = AESGCM_EXP_IV_SZ; - } - - dataSz = msgSz - ivExtra - ssl->keys.padSz; - if (dataSz < 0) { - WOLFSSL_MSG("App data buffer error, malicious input?"); - return BUFFER_ERROR; - } - - /* read data */ - if (dataSz) { - int rawSz = dataSz; /* keep raw size for idx adjustment */ - -#ifdef HAVE_LIBZ - if (ssl->options.usingCompression) { - dataSz = myDeCompress(ssl, rawData, dataSz, decomp, sizeof(decomp)); - if (dataSz < 0) return dataSz; - } -#endif - idx += rawSz; - - ssl->buffers.clearOutputBuffer.buffer = rawData; - ssl->buffers.clearOutputBuffer.length = dataSz; - } - - idx += ssl->keys.padSz; - -#ifdef HAVE_LIBZ - /* decompress could be bigger, overwrite after verify */ - if (ssl->options.usingCompression) - XMEMMOVE(rawData, decomp, dataSz); -#endif - - *inOutIdx = idx; - return 0; -} - - -/* process alert, return level */ -static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type, - word32 totalSz) -{ - byte level; - byte code; - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "Alert"); - if (ssl->toInfoOn) - /* add record header back on to info + alert bytes level/code */ - AddPacketInfo(ssl, "Alert", alert, input + *inOutIdx - - RECORD_HEADER_SZ, RECORD_HEADER_SZ + ALERT_SIZE, - READ_PROTO, ssl->heap); - #endif - - /* make sure can read the message */ - if (*inOutIdx + ALERT_SIZE > totalSz) - return BUFFER_E; - - level = input[(*inOutIdx)++]; - code = input[(*inOutIdx)++]; - ssl->alert_history.last_rx.code = code; - ssl->alert_history.last_rx.level = level; - *type = code; - if (level == alert_fatal) { - ssl->options.isClosed = 1; /* Don't send close_notify */ - } - - WOLFSSL_MSG("Got alert"); - if (*type == close_notify) { - WOLFSSL_MSG("\tclose notify"); - ssl->options.closeNotify = 1; - } - WOLFSSL_ERROR(*type); - if (IsEncryptionOn(ssl, 0)) { - if (*inOutIdx + ssl->keys.padSz > totalSz) - return BUFFER_E; - *inOutIdx += ssl->keys.padSz; - } - - return level; -} - -static int GetInputData(WOLFSSL *ssl, word32 size) -{ - int in; - int inSz; - int maxLength; - int usedLength; - int dtlsExtra = 0; - - - /* check max input length */ - usedLength = ssl->buffers.inputBuffer.length - ssl->buffers.inputBuffer.idx; - maxLength = ssl->buffers.inputBuffer.bufferSize - usedLength; - inSz = (int)(size - usedLength); /* from last partial read */ - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - if (size < ssl->dtls_expected_rx) - dtlsExtra = (int)(ssl->dtls_expected_rx - size); - inSz = ssl->dtls_expected_rx; - } -#endif - - /* check that no lengths or size values are negative */ - if (usedLength < 0 || maxLength < 0 || inSz <= 0) { - return BUFFER_ERROR; - } - - if (inSz > maxLength) { - if (GrowInputBuffer(ssl, size + dtlsExtra, usedLength) < 0) - return MEMORY_E; - } - - /* Put buffer data at start if not there */ - if (usedLength > 0 && ssl->buffers.inputBuffer.idx != 0) - XMEMMOVE(ssl->buffers.inputBuffer.buffer, - ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx, - usedLength); - - /* remove processed data */ - ssl->buffers.inputBuffer.idx = 0; - ssl->buffers.inputBuffer.length = usedLength; - - /* read data from network */ - do { - in = Receive(ssl, - ssl->buffers.inputBuffer.buffer + - ssl->buffers.inputBuffer.length, - inSz); - if (in == -1) - return SOCKET_ERROR_E; - - if (in == WANT_READ) - return WANT_READ; - - if (in > inSz) - return RECV_OVERFLOW_E; - - ssl->buffers.inputBuffer.length += in; - inSz -= in; - - } while (ssl->buffers.inputBuffer.length < size); - - return 0; -} - - -static INLINE int VerifyMac(WOLFSSL* ssl, const byte* input, word32 msgSz, - int content, word32* padSz) -{ - int ivExtra = 0; - int ret; - word32 pad = 0; - word32 padByte = 0; -#ifdef HAVE_TRUNCATED_HMAC - word32 digestSz = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ - : ssl->specs.hash_size; -#else - word32 digestSz = ssl->specs.hash_size; -#endif - byte verify[MAX_DIGEST_SIZE]; - - if (ssl->specs.cipher_type == block) { - if (ssl->options.tls1_1) - ivExtra = ssl->specs.block_size; - pad = *(input + msgSz - ivExtra - 1); - padByte = 1; - - if (ssl->options.tls) { - ret = TimingPadVerify(ssl, input, pad, digestSz, msgSz - ivExtra, - content); - if (ret != 0) - return ret; - } - else { /* sslv3, some implementations have bad padding, but don't - * allow bad read */ - int badPadLen = 0; - byte dmy[sizeof(WOLFSSL) >= MAX_PAD_SIZE ? 1 : MAX_PAD_SIZE] = {0}; - byte* dummy = sizeof(dmy) < MAX_PAD_SIZE ? (byte*) ssl : dmy; - - (void)dmy; - - if (pad > (msgSz - digestSz - 1)) { - WOLFSSL_MSG("Plain Len not long enough for pad/mac"); - pad = 0; /* no bad read */ - badPadLen = 1; - } - PadCheck(dummy, (byte)pad, MAX_PAD_SIZE); /* timing only */ - ret = ssl->hmac(ssl, verify, input, msgSz - digestSz - pad - 1, - content, 1); - if (ConstantCompare(verify, input + msgSz - digestSz - pad - 1, - digestSz) != 0) - return VERIFY_MAC_ERROR; - if (ret != 0 || badPadLen) - return VERIFY_MAC_ERROR; - } - } - else if (ssl->specs.cipher_type == stream) { - ret = ssl->hmac(ssl, verify, input, msgSz - digestSz, content, 1); - if (ConstantCompare(verify, input + msgSz - digestSz, digestSz) != 0){ - return VERIFY_MAC_ERROR; - } - if (ret != 0) - return VERIFY_MAC_ERROR; - } - - if (ssl->specs.cipher_type == aead) { - *padSz = ssl->specs.aead_mac_size; - } - else { - *padSz = digestSz + pad + padByte; - } - - return 0; -} - - -/* process input requests, return 0 is done, 1 is call again to complete, and - negative number is error */ -int ProcessReply(WOLFSSL* ssl) -{ - int ret = 0, type, readSz; - int atomicUser = 0; - word32 startIdx = 0; -#if defined(WOLFSSL_DTLS) - int used; -#endif - -#ifdef ATOMIC_USER - if (ssl->ctx->DecryptVerifyCb) - atomicUser = 1; -#endif - - if (ssl->error != 0 && ssl->error != WANT_READ && - ssl->error != WANT_WRITE && ssl->error != WC_PENDING_E) { - WOLFSSL_MSG("ProcessReply retry in error state, not allowed"); - return ssl->error; - } - - for (;;) { - switch (ssl->options.processReply) { - - /* in the WOLFSSL_SERVER case, get the first byte for detecting - * old client hello */ - case doProcessInit: - - readSz = RECORD_HEADER_SZ; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - readSz = DTLS_RECORD_HEADER_SZ; - #endif - - /* get header or return error */ - if (!ssl->options.dtls) { - if ((ret = GetInputData(ssl, readSz)) < 0) - return ret; - } else { - #ifdef WOLFSSL_DTLS - /* read ahead may already have header */ - used = ssl->buffers.inputBuffer.length - - ssl->buffers.inputBuffer.idx; - if (used < readSz) { - if ((ret = GetInputData(ssl, readSz)) < 0) - return ret; - } - #endif - } - -#ifdef OLD_HELLO_ALLOWED - - /* see if sending SSLv2 client hello */ - if ( ssl->options.side == WOLFSSL_SERVER_END && - ssl->options.clientState == NULL_STATE && - ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx] - != handshake) { - byte b0, b1; - - ssl->options.processReply = runProcessOldClientHello; - - /* sanity checks before getting size at front */ - if (ssl->buffers.inputBuffer.buffer[ - ssl->buffers.inputBuffer.idx + OPAQUE16_LEN] != OLD_HELLO_ID) { - WOLFSSL_MSG("Not a valid old client hello"); - return PARSE_ERROR; - } - - if (ssl->buffers.inputBuffer.buffer[ - ssl->buffers.inputBuffer.idx + OPAQUE24_LEN] != SSLv3_MAJOR && - ssl->buffers.inputBuffer.buffer[ - ssl->buffers.inputBuffer.idx + OPAQUE24_LEN] != DTLS_MAJOR) { - WOLFSSL_MSG("Not a valid version in old client hello"); - return PARSE_ERROR; - } - - /* how many bytes need ProcessOldClientHello */ - b0 = - ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++]; - b1 = - ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++]; - ssl->curSize = (word16)(((b0 & 0x7f) << 8) | b1); - } - else { - ssl->options.processReply = getRecordLayerHeader; - continue; - } - - /* in the WOLFSSL_SERVER case, run the old client hello */ - case runProcessOldClientHello: - - /* get sz bytes or return error */ - if (!ssl->options.dtls) { - if ((ret = GetInputData(ssl, ssl->curSize)) < 0) - return ret; - } else { - #ifdef WOLFSSL_DTLS - /* read ahead may already have */ - used = ssl->buffers.inputBuffer.length - - ssl->buffers.inputBuffer.idx; - if (used < ssl->curSize) - if ((ret = GetInputData(ssl, ssl->curSize)) < 0) - return ret; - #endif /* WOLFSSL_DTLS */ - } - - ret = ProcessOldClientHello(ssl, ssl->buffers.inputBuffer.buffer, - &ssl->buffers.inputBuffer.idx, - ssl->buffers.inputBuffer.length - - ssl->buffers.inputBuffer.idx, - ssl->curSize); - if (ret < 0) - return ret; - - else if (ssl->buffers.inputBuffer.idx == - ssl->buffers.inputBuffer.length) { - ssl->options.processReply = doProcessInit; - return 0; - } - -#endif /* OLD_HELLO_ALLOWED */ - - /* get the record layer header */ - case getRecordLayerHeader: - - ret = GetRecordHeader(ssl, ssl->buffers.inputBuffer.buffer, - &ssl->buffers.inputBuffer.idx, - &ssl->curRL, &ssl->curSize); -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls && ret == SEQUENCE_ERROR) { - WOLFSSL_MSG("Silently dropping out of order DTLS message"); - ssl->options.processReply = doProcessInit; - ssl->buffers.inputBuffer.length = 0; - ssl->buffers.inputBuffer.idx = 0; - - if (IsDtlsNotSctpMode(ssl) && ssl->options.dtlsHsRetain) { - ret = DtlsMsgPoolSend(ssl, 0); - if (ret != 0) - return ret; - } - - continue; - } -#endif - if (ret != 0) - return ret; - - ssl->options.processReply = getData; - - /* retrieve record layer data */ - case getData: - - /* get sz bytes or return error */ - if (!ssl->options.dtls) { - if ((ret = GetInputData(ssl, ssl->curSize)) < 0) - return ret; - } else { -#ifdef WOLFSSL_DTLS - /* read ahead may already have */ - used = ssl->buffers.inputBuffer.length - - ssl->buffers.inputBuffer.idx; - if (used < ssl->curSize) - if ((ret = GetInputData(ssl, ssl->curSize)) < 0) - return ret; -#endif - } - - ssl->options.processReply = decryptMessage; - startIdx = ssl->buffers.inputBuffer.idx; /* in case > 1 msg per */ - - /* decrypt message */ - case decryptMessage: - - if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0) { - ret = SanityCheckCipherText(ssl, ssl->curSize); - if (ret < 0) - return ret; - - if (atomicUser) { - #ifdef ATOMIC_USER - ret = ssl->ctx->DecryptVerifyCb(ssl, - ssl->buffers.inputBuffer.buffer + - ssl->buffers.inputBuffer.idx, - ssl->buffers.inputBuffer.buffer + - ssl->buffers.inputBuffer.idx, - ssl->curSize, ssl->curRL.type, 1, - &ssl->keys.padSz, ssl->DecryptVerifyCtx); - #endif /* ATOMIC_USER */ - } - else { - ret = Decrypt(ssl, ssl->buffers.inputBuffer.buffer + - ssl->buffers.inputBuffer.idx, - ssl->buffers.inputBuffer.buffer + - ssl->buffers.inputBuffer.idx, - ssl->curSize); - } - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) - return ret; - #endif - - if (ret == 0) { - /* handle success */ - if (ssl->options.tls1_1 && ssl->specs.cipher_type == block) - ssl->buffers.inputBuffer.idx += ssl->specs.block_size; - /* go past TLSv1.1 IV */ - if (ssl->specs.cipher_type == aead && - ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) - ssl->buffers.inputBuffer.idx += AESGCM_EXP_IV_SZ; - } - else { - WOLFSSL_MSG("Decrypt failed"); - WOLFSSL_ERROR(ret); - #ifdef WOLFSSL_DTLS - /* If in DTLS mode, if the decrypt fails for any - * reason, pretend the datagram never happened. */ - if (ssl->options.dtls) { - ssl->options.processReply = doProcessInit; - ssl->buffers.inputBuffer.idx = - ssl->buffers.inputBuffer.length; - } - #endif /* WOLFSSL_DTLS */ - return DECRYPT_ERROR; - } - } - - ssl->options.processReply = verifyMessage; - - /* verify digest of message */ - case verifyMessage: - - if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0) { - if (!atomicUser) { - ret = VerifyMac(ssl, ssl->buffers.inputBuffer.buffer + - ssl->buffers.inputBuffer.idx, - ssl->curSize, ssl->curRL.type, - &ssl->keys.padSz); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) - return ret; - #endif - if (ret < 0) { - WOLFSSL_MSG("VerifyMac failed"); - WOLFSSL_ERROR(ret); - return DECRYPT_ERROR; - } - } - - ssl->keys.encryptSz = ssl->curSize; - ssl->keys.decryptedCur = 1; - } - - ssl->options.processReply = runProcessingOneMessage; - - /* the record layer is here */ - case runProcessingOneMessage: - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - DtlsUpdateWindow(ssl); - } - #endif /* WOLFSSL_DTLS */ - - WOLFSSL_MSG("received record layer msg"); - - switch (ssl->curRL.type) { - case handshake : - /* debugging in DoHandShakeMsg */ - if (!ssl->options.dtls) { - ret = DoHandShakeMsg(ssl, - ssl->buffers.inputBuffer.buffer, - &ssl->buffers.inputBuffer.idx, - ssl->buffers.inputBuffer.length); - } - else { - #ifdef WOLFSSL_DTLS - ret = DoDtlsHandShakeMsg(ssl, - ssl->buffers.inputBuffer.buffer, - &ssl->buffers.inputBuffer.idx, - ssl->buffers.inputBuffer.length); - #endif - } - if (ret != 0) - return ret; - break; - - case change_cipher_spec: - WOLFSSL_MSG("got CHANGE CIPHER SPEC"); - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "ChangeCipher"); - /* add record header back on info */ - if (ssl->toInfoOn) { - AddPacketInfo(ssl, "ChangeCipher", - change_cipher_spec, - ssl->buffers.inputBuffer.buffer + - ssl->buffers.inputBuffer.idx - RECORD_HEADER_SZ, - 1 + RECORD_HEADER_SZ, READ_PROTO, ssl->heap); - #ifdef WOLFSSL_CALLBACKS - AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo); - #endif - } - #endif - - ret = SanityCheckMsgReceived(ssl, change_cipher_hs); - if (ret != 0) { - if (!ssl->options.dtls) { - return ret; - } - else { - #ifdef WOLFSSL_DTLS - /* Check for duplicate CCS message in DTLS mode. - * DTLS allows for duplicate messages, and it should be - * skipped. Also skip if out of order. */ - if (ret != DUPLICATE_MSG_E && ret != OUT_OF_ORDER_E) - return ret; - - if (IsDtlsNotSctpMode(ssl)) { - ret = DtlsMsgPoolSend(ssl, 1); - if (ret != 0) - return ret; - } - - if (ssl->curSize != 1) { - WOLFSSL_MSG("Malicious or corrupted" - " duplicate ChangeCipher msg"); - return LENGTH_ERROR; - } - ssl->buffers.inputBuffer.idx++; - break; - #endif /* WOLFSSL_DTLS */ - } - } - - if (IsEncryptionOn(ssl, 0) && ssl->options.handShakeDone) { - ssl->buffers.inputBuffer.idx += ssl->keys.padSz; - ssl->curSize -= (word16) ssl->buffers.inputBuffer.idx; - } - - if (ssl->curSize != 1) { - WOLFSSL_MSG("Malicious or corrupted ChangeCipher msg"); - return LENGTH_ERROR; - } - - ssl->buffers.inputBuffer.idx++; - ssl->keys.encryptionOn = 1; - - /* setup decrypt keys for following messages */ - if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) - return ret; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - DtlsMsgPoolReset(ssl); - ssl->keys.prevSeq_lo = ssl->keys.nextSeq_lo; - ssl->keys.prevSeq_hi = ssl->keys.nextSeq_hi; - XMEMCPY(ssl->keys.prevWindow, ssl->keys.window, - DTLS_SEQ_SZ); - ssl->keys.nextEpoch++; - ssl->keys.nextSeq_lo = 0; - ssl->keys.nextSeq_hi = 0; - XMEMSET(ssl->keys.window, 0, DTLS_SEQ_SZ); - } - #endif - - #ifdef HAVE_LIBZ - if (ssl->options.usingCompression) - if ( (ret = InitStreams(ssl)) != 0) - return ret; - #endif - ret = BuildFinished(ssl, &ssl->hsHashes->verifyHashes, - ssl->options.side == WOLFSSL_CLIENT_END ? - server : client); - if (ret != 0) - return ret; - break; - - case application_data: - WOLFSSL_MSG("got app DATA"); - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls && ssl->options.dtlsHsRetain) { - FreeHandshakeResources(ssl); - ssl->options.dtlsHsRetain = 0; - } - #endif - if ((ret = DoApplicationData(ssl, - ssl->buffers.inputBuffer.buffer, - &ssl->buffers.inputBuffer.idx)) - != 0) { - WOLFSSL_ERROR(ret); - return ret; - } - break; - - case alert: - WOLFSSL_MSG("got ALERT!"); - ret = DoAlert(ssl, ssl->buffers.inputBuffer.buffer, - &ssl->buffers.inputBuffer.idx, &type, - ssl->buffers.inputBuffer.length); - if (ret == alert_fatal) - return FATAL_ERROR; - else if (ret < 0) - return ret; - - /* catch warnings that are handled as errors */ - if (type == close_notify) - return ssl->error = ZERO_RETURN; - - if (type == decrypt_error) - return FATAL_ERROR; - break; - - default: - WOLFSSL_ERROR(UNKNOWN_RECORD_TYPE); - return UNKNOWN_RECORD_TYPE; - } - - ssl->options.processReply = doProcessInit; - - /* input exhausted? */ - if (ssl->buffers.inputBuffer.idx >= ssl->buffers.inputBuffer.length) - return 0; - - /* more messages per record */ - else if ((ssl->buffers.inputBuffer.idx - startIdx) < ssl->curSize) { - WOLFSSL_MSG("More messages in record"); - #ifdef WOLFSSL_DTLS - /* read-ahead but dtls doesn't bundle messages per record */ - if (ssl->options.dtls) { - ssl->options.processReply = doProcessInit; - continue; - } - #endif - ssl->options.processReply = runProcessingOneMessage; - - if (IsEncryptionOn(ssl, 0)) { - WOLFSSL_MSG("Bundled encrypted messages, remove middle pad"); - ssl->buffers.inputBuffer.idx -= ssl->keys.padSz; - } - - continue; - } - /* more records */ - else { - WOLFSSL_MSG("More records in input"); - ssl->options.processReply = doProcessInit; - continue; - } - - default: - WOLFSSL_MSG("Bad process input state, programming error"); - return INPUT_CASE_ERROR; - } - } -} - - -int SendChangeCipher(WOLFSSL* ssl) -{ - byte *output; - int sendSz = RECORD_HEADER_SZ + ENUM_LEN; - int idx = RECORD_HEADER_SZ; - int ret; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - sendSz += DTLS_RECORD_EXTRA; - idx += DTLS_RECORD_EXTRA; - } - #endif - - /* are we in scr */ - if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) { - sendSz += MAX_MSG_EXTRA; - } - - /* check for avalaible size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddRecordHeader(output, 1, change_cipher_spec, ssl); - - output[idx] = 1; /* turn it on */ - - if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) { - byte input[ENUM_LEN]; - int inputSz = ENUM_LEN; - - input[0] = 1; /* turn it on */ - sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, - change_cipher_spec, 0, 0, 0); - if (sendSz < 0) { - return sendSz; - } - } - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) - return ret; - } - #endif - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) AddPacketName(ssl, "ChangeCipher"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "ChangeCipher", change_cipher_spec, output, - sendSz, WRITE_PROTO, ssl->heap); - #endif - ssl->buffers.outputBuffer.length += sendSz; - - if (ssl->options.groupMessages) - return 0; - #if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_DEBUG_DTLS) - else if (ssl->options.dtls) { - /* If using DTLS, force the ChangeCipherSpec message to be in the - * same datagram as the finished message. */ - return 0; - } - #endif - else - return SendBuffered(ssl); -} - - -#ifndef NO_OLD_TLS -static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, - int content, int verify) -{ - byte result[MAX_DIGEST_SIZE]; - word32 digestSz = ssl->specs.hash_size; /* actual sizes */ - word32 padSz = ssl->specs.pad_size; - int ret = 0; - - Md5 md5; - Sha sha; - - /* data */ - byte seq[SEQ_SZ]; - byte conLen[ENUM_LEN + LENGTH_SZ]; /* content & length */ - const byte* macSecret = wolfSSL_GetMacSecret(ssl, verify); - -#ifdef HAVE_FUZZER - if (ssl->fuzzerCb) - ssl->fuzzerCb(ssl, in, sz, FUZZ_HMAC, ssl->fuzzerCtx); -#endif - - XMEMSET(seq, 0, SEQ_SZ); - conLen[0] = (byte)content; - c16toa((word16)sz, &conLen[ENUM_LEN]); - WriteSEQ(ssl, verify, seq); - - if (ssl->specs.mac_algorithm == md5_mac) { - ret = wc_InitMd5_ex(&md5, ssl->heap, ssl->devId); - if (ret != 0) - return ret; - - /* inner */ - ret = wc_Md5Update(&md5, macSecret, digestSz); - ret |= wc_Md5Update(&md5, PAD1, padSz); - ret |= wc_Md5Update(&md5, seq, SEQ_SZ); - ret |= wc_Md5Update(&md5, conLen, sizeof(conLen)); - /* in buffer */ - ret |= wc_Md5Update(&md5, in, sz); - if (ret != 0) - return VERIFY_MAC_ERROR; - ret = wc_Md5Final(&md5, result); - #ifdef WOLFSSL_ASYNC_CRYPT - /* TODO: Make non-blocking */ - if (ret == WC_PENDING_E) { - ret = wc_AsyncWait(ret, &md5.asyncDev, WC_ASYNC_FLAG_NONE); - } - #endif - if (ret != 0) - return VERIFY_MAC_ERROR; - - /* outer */ - ret = wc_Md5Update(&md5, macSecret, digestSz); - ret |= wc_Md5Update(&md5, PAD2, padSz); - ret |= wc_Md5Update(&md5, result, digestSz); - if (ret != 0) - return VERIFY_MAC_ERROR; - ret = wc_Md5Final(&md5, digest); - #ifdef WOLFSSL_ASYNC_CRYPT - /* TODO: Make non-blocking */ - if (ret == WC_PENDING_E) { - ret = wc_AsyncWait(ret, &md5.asyncDev, WC_ASYNC_FLAG_NONE); - } - #endif - if (ret != 0) - return VERIFY_MAC_ERROR; - - wc_Md5Free(&md5); - } - else { - ret = wc_InitSha_ex(&sha, ssl->heap, ssl->devId); - if (ret != 0) - return ret; - - /* inner */ - ret = wc_ShaUpdate(&sha, macSecret, digestSz); - ret |= wc_ShaUpdate(&sha, PAD1, padSz); - ret |= wc_ShaUpdate(&sha, seq, SEQ_SZ); - ret |= wc_ShaUpdate(&sha, conLen, sizeof(conLen)); - /* in buffer */ - ret |= wc_ShaUpdate(&sha, in, sz); - if (ret != 0) - return VERIFY_MAC_ERROR; - ret = wc_ShaFinal(&sha, result); - #ifdef WOLFSSL_ASYNC_CRYPT - /* TODO: Make non-blocking */ - if (ret == WC_PENDING_E) { - ret = wc_AsyncWait(ret, &sha.asyncDev, WC_ASYNC_FLAG_NONE); - } - #endif - if (ret != 0) - return VERIFY_MAC_ERROR; - - /* outer */ - ret = wc_ShaUpdate(&sha, macSecret, digestSz); - ret |= wc_ShaUpdate(&sha, PAD2, padSz); - ret |= wc_ShaUpdate(&sha, result, digestSz); - if (ret != 0) - return VERIFY_MAC_ERROR; - ret = wc_ShaFinal(&sha, digest); - #ifdef WOLFSSL_ASYNC_CRYPT - /* TODO: Make non-blocking */ - if (ret == WC_PENDING_E) { - ret = wc_AsyncWait(ret, &sha.asyncDev, WC_ASYNC_FLAG_NONE); - } - #endif - if (ret != 0) - return VERIFY_MAC_ERROR; - - wc_ShaFree(&sha); - } - return 0; -} -#endif /* NO_OLD_TLS */ - - -#ifndef NO_CERTS - -#if !defined(NO_MD5) && !defined(NO_OLD_TLS) -static int BuildMD5_CertVerify(WOLFSSL* ssl, byte* digest) -{ - int ret; - byte md5_result[MD5_DIGEST_SIZE]; -#ifdef WOLFSSL_SMALL_STACK - Md5* md5 = (Md5*)XMALLOC(sizeof(Md5), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); -#else - Md5 md5[1]; -#endif - - /* make md5 inner */ - ret = wc_Md5Copy(&ssl->hsHashes->hashMd5, md5); /* Save current position */ - if (ret == 0) - ret = wc_Md5Update(md5, ssl->arrays->masterSecret,SECRET_LEN); - if (ret == 0) - ret = wc_Md5Update(md5, PAD1, PAD_MD5); - if (ret == 0) - ret = wc_Md5Final(md5, md5_result); - - /* make md5 outer */ - if (ret == 0) { - ret = wc_InitMd5_ex(md5, ssl->heap, ssl->devId); - if (ret == 0) { - ret = wc_Md5Update(md5, ssl->arrays->masterSecret, SECRET_LEN); - if (ret == 0) - ret = wc_Md5Update(md5, PAD2, PAD_MD5); - if (ret == 0) - ret = wc_Md5Update(md5, md5_result, MD5_DIGEST_SIZE); - if (ret == 0) - ret = wc_Md5Final(md5, digest); - wc_Md5Free(md5); - } - } - -#ifdef WOLFSSL_SMALL_STACK - XFREE(md5, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - return ret; -} -#endif /* !NO_MD5 && !NO_OLD_TLS */ - -#if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) -static int BuildSHA_CertVerify(WOLFSSL* ssl, byte* digest) -{ - int ret; - byte sha_result[SHA_DIGEST_SIZE]; -#ifdef WOLFSSL_SMALL_STACK - Sha* sha = (Sha*)XMALLOC(sizeof(Sha), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); -#else - Sha sha[1]; -#endif - - /* make sha inner */ - ret = wc_ShaCopy(&ssl->hsHashes->hashSha, sha); /* Save current position */ - if (ret == 0) - ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN); - if (ret == 0) - ret = wc_ShaUpdate(sha, PAD1, PAD_SHA); - if (ret == 0) - ret = wc_ShaFinal(sha, sha_result); - - /* make sha outer */ - if (ret == 0) { - ret = wc_InitSha_ex(sha, ssl->heap, ssl->devId); - if (ret == 0) { - ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN); - if (ret == 0) - ret = wc_ShaUpdate(sha, PAD2, PAD_SHA); - if (ret == 0) - ret = wc_ShaUpdate(sha, sha_result, SHA_DIGEST_SIZE); - if (ret == 0) - ret = wc_ShaFinal(sha, digest); - wc_ShaFree(sha); - } - } - -#ifdef WOLFSSL_SMALL_STACK - XFREE(sha, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - return ret; -} -#endif /* !NO_SHA && (!NO_OLD_TLS || WOLFSSL_ALLOW_TLS_SHA1) */ - -static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes) -{ - int ret = 0; - - (void)hashes; - - if (ssl->options.tls) { - #if !defined(NO_MD5) && !defined(NO_OLD_TLS) - ret = wc_Md5GetHash(&ssl->hsHashes->hashMd5, hashes->md5); - if (ret != 0) - return ret; - #endif - #if !defined(NO_SHA) - ret = wc_ShaGetHash(&ssl->hsHashes->hashSha, hashes->sha); - if (ret != 0) - return ret; - #endif - if (IsAtLeastTLSv1_2(ssl)) { - #ifndef NO_SHA256 - ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, - hashes->sha256); - if (ret != 0) - return ret; - #endif - #ifdef WOLFSSL_SHA384 - ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, - hashes->sha384); - if (ret != 0) - return ret; - #endif - #ifdef WOLFSSL_SHA512 - ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, - hashes->sha512); - if (ret != 0) - return ret; - #endif - } - } - else { - #if !defined(NO_MD5) && !defined(NO_OLD_TLS) - ret = BuildMD5_CertVerify(ssl, hashes->md5); - if (ret != 0) - return ret; - #endif - #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) - ret = BuildSHA_CertVerify(ssl, hashes->sha); - if (ret != 0) - return ret; - #endif - } - - return ret; -} - -#endif /* WOLFSSL_LEANPSK */ - -/* Persistable BuildMessage arguments */ -typedef struct BuildMsgArgs { - word32 digestSz; - word32 sz; - word32 pad; - word32 idx; - word32 headerSz; - word16 size; - word32 ivSz; /* TLSv1.1 IV */ - byte iv[AES_BLOCK_SIZE]; /* max size */ -} BuildMsgArgs; - -static void FreeBuildMsgArgs(WOLFSSL* ssl, void* pArgs) -{ - BuildMsgArgs* args = (BuildMsgArgs*)pArgs; - - (void)ssl; - (void)args; - - /* no allocations in BuildMessage */ -} - -/* Build SSL Message, encrypted */ -int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input, - int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay) -{ - int ret = 0; -#ifdef WOLFSSL_ASYNC_CRYPT - BuildMsgArgs* args = (BuildMsgArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); -#else - BuildMsgArgs args[1]; -#endif - - WOLFSSL_ENTER("BuildMessage"); - - if (ssl == NULL || output == NULL) { - return BAD_FUNC_ARG; - } - - ret = WC_NOT_PENDING_E; -#ifdef WOLFSSL_ASYNC_CRYPT - if (asyncOkay) { - ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_buildmsg; - } - } -#endif - - /* Reset state */ - if (ret == WC_NOT_PENDING_E) { - ret = 0; - ssl->options.buildMsgState = BUILD_MSG_BEGIN; - XMEMSET(args, 0, sizeof(BuildMsgArgs)); - - args->sz = RECORD_HEADER_SZ + inSz; - args->idx = RECORD_HEADER_SZ; - args->headerSz = RECORD_HEADER_SZ; - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeBuildMsgArgs; - #endif - } - - switch (ssl->options.buildMsgState) { - case BUILD_MSG_BEGIN: - { - /* catch mistaken sizeOnly parameter */ - if (!sizeOnly && (output == NULL || input == NULL) ) { - return BAD_FUNC_ARG; - } - if (sizeOnly && (output || input) ) { - WOLFSSL_MSG("BuildMessage w/sizeOnly doesn't need input/output"); - return BAD_FUNC_ARG; - } - - ssl->options.buildMsgState = BUILD_MSG_SIZE; - } - - case BUILD_MSG_SIZE: - { - args->digestSz = ssl->specs.hash_size; - #ifdef HAVE_TRUNCATED_HMAC - if (ssl->truncated_hmac) - args->digestSz = min(TRUNCATED_HMAC_SZ, args->digestSz); - #endif - args->sz += args->digestSz; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->sz += DTLS_RECORD_EXTRA; - args->idx += DTLS_RECORD_EXTRA; - args->headerSz += DTLS_RECORD_EXTRA; - } - #endif - - if (ssl->specs.cipher_type == block) { - word32 blockSz = ssl->specs.block_size; - if (ssl->options.tls1_1) { - args->ivSz = blockSz; - args->sz += args->ivSz; - - if (args->ivSz > (word32)sizeof(args->iv)) - ERROR_OUT(BUFFER_E, exit_buildmsg); - } - args->sz += 1; /* pad byte */ - args->pad = (args->sz - args->headerSz) % blockSz; - args->pad = blockSz - args->pad; - args->sz += args->pad; - } - - #ifdef HAVE_AEAD - if (ssl->specs.cipher_type == aead) { - if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) - args->ivSz = AESGCM_EXP_IV_SZ; - - args->sz += (args->ivSz + ssl->specs.aead_mac_size - args->digestSz); - } - #endif - - /* done with size calculations */ - if (sizeOnly) - goto exit_buildmsg; - - if (args->sz > (word32)outSz) { - WOLFSSL_MSG("Oops, want to write past output buffer size"); - ERROR_OUT(BUFFER_E, exit_buildmsg); - } - - if (args->ivSz > 0) { - ret = wc_RNG_GenerateBlock(ssl->rng, args->iv, args->ivSz); - if (ret != 0) - goto exit_buildmsg; - - } - - #ifdef HAVE_AEAD - if (ssl->specs.cipher_type == aead) { - if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) - XMEMCPY(args->iv, ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ); - } - #endif - - args->size = (word16)(args->sz - args->headerSz); /* include mac and digest */ - AddRecordHeader(output, args->size, (byte)type, ssl); - - /* write to output */ - if (args->ivSz) { - XMEMCPY(output + args->idx, args->iv, - min(args->ivSz, sizeof(args->iv))); - args->idx += args->ivSz; - } - XMEMCPY(output + args->idx, input, inSz); - args->idx += inSz; - - ssl->options.buildMsgState = BUILD_MSG_HASH; - } - case BUILD_MSG_HASH: - { - word32 i; - - if (type == handshake && hashOutput) { - ret = HashOutput(ssl, output, args->headerSz + inSz, args->ivSz); - if (ret != 0) - goto exit_buildmsg; - } - if (ssl->specs.cipher_type == block) { - word32 tmpIdx = args->idx + args->digestSz; - - for (i = 0; i <= args->pad; i++) - output[tmpIdx++] = (byte)args->pad; /* pad byte gets pad value */ - } - - ssl->options.buildMsgState = BUILD_MSG_VERIFY_MAC; - } - case BUILD_MSG_VERIFY_MAC: - { - /* User Record Layer Callback handling */ - #ifdef ATOMIC_USER - if (ssl->ctx->MacEncryptCb) { - ret = ssl->ctx->MacEncryptCb(ssl, output + args->idx, - output + args->headerSz + args->ivSz, inSz, type, 0, - output + args->headerSz, output + args->headerSz, args->size, - ssl->MacEncryptCtx); - goto exit_buildmsg; - } - #endif - - if (ssl->specs.cipher_type != aead) { - #ifdef HAVE_TRUNCATED_HMAC - if (ssl->truncated_hmac && ssl->specs.hash_size > args->digestSz) { - #ifdef WOLFSSL_SMALL_STACK - byte* hmac = NULL; - #else - byte hmac[MAX_DIGEST_SIZE]; - #endif - - #ifdef WOLFSSL_SMALL_STACK - hmac = (byte*)XMALLOC(MAX_DIGEST_SIZE, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (hmac == NULL) - ERROR_OUT(MEMORY_E, exit_buildmsg); - #endif - - ret = ssl->hmac(ssl, hmac, output + args->headerSz + args->ivSz, inSz, - type, 0); - XMEMCPY(output + args->idx, hmac, args->digestSz); - - #ifdef WOLFSSL_SMALL_STACK - XFREE(hmac, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - } - else - #endif - ret = ssl->hmac(ssl, output + args->idx, output + args->headerSz + args->ivSz, - inSz, type, 0); - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - } - if (ret != 0) - goto exit_buildmsg; - - ssl->options.buildMsgState = BUILD_MSG_ENCRYPT; - } - case BUILD_MSG_ENCRYPT: - { - ret = Encrypt(ssl, output + args->headerSz, output + args->headerSz, args->size, - asyncOkay); - break; - } - } - -exit_buildmsg: - - WOLFSSL_LEAVE("BuildMessage", ret); - -#ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - return ret; - } -#endif - - /* make sure build message state is reset */ - ssl->options.buildMsgState = BUILD_MSG_BEGIN; - - /* return sz on success */ - if (ret == 0) - ret = args->sz; - - /* Final cleanup */ - FreeBuildMsgArgs(ssl, args); - - return ret; -} - - -int SendFinished(WOLFSSL* ssl) -{ - int sendSz, - finishedSz = ssl->options.tls ? TLS_FINISHED_SZ : - FINISHED_SZ; - byte input[FINISHED_SZ + DTLS_HANDSHAKE_HEADER_SZ]; /* max */ - byte *output; - Hashes* hashes; - int ret; - int headerSz = HANDSHAKE_HEADER_SZ; - int outputSz; - - /* setup encrypt keys */ - if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) - return ret; - - /* check for available size */ - outputSz = sizeof(input) + MAX_MSG_EXTRA; - if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) - return ret; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - headerSz += DTLS_HANDSHAKE_EXTRA; - ssl->keys.dtls_epoch++; - ssl->keys.dtls_prev_sequence_number_hi = - ssl->keys.dtls_sequence_number_hi; - ssl->keys.dtls_prev_sequence_number_lo = - ssl->keys.dtls_sequence_number_lo; - ssl->keys.dtls_sequence_number_hi = 0; - ssl->keys.dtls_sequence_number_lo = 0; - } - #endif - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHandShakeHeader(input, finishedSz, 0, finishedSz, finished, ssl); - - /* make finished hashes */ - hashes = (Hashes*)&input[headerSz]; - ret = BuildFinished(ssl, hashes, - ssl->options.side == WOLFSSL_CLIENT_END ? client : server); - if (ret != 0) return ret; - -#ifdef HAVE_SECURE_RENEGOTIATION - if (ssl->secure_renegotiation) { - if (ssl->options.side == WOLFSSL_CLIENT_END) - XMEMCPY(ssl->secure_renegotiation->client_verify_data, hashes, - TLS_FINISHED_SZ); - else - XMEMCPY(ssl->secure_renegotiation->server_verify_data, hashes, - TLS_FINISHED_SZ); - } -#endif - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, input, headerSz + finishedSz)) != 0) - return ret; - } - #endif - - sendSz = BuildMessage(ssl, output, outputSz, input, headerSz + finishedSz, - handshake, 1, 0, 0); - if (sendSz < 0) - return BUILD_MSG_ERROR; - - if (!ssl->options.resuming) { -#ifndef NO_SESSION_CACHE - AddSession(ssl); /* just try */ -#endif - if (ssl->options.side == WOLFSSL_SERVER_END) { - #ifdef OPENSSL_EXTRA - if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, SSL_SUCCESS); - } - #endif - ssl->options.handShakeState = HANDSHAKE_DONE; - ssl->options.handShakeDone = 1; - } - } - else { - if (ssl->options.side == WOLFSSL_CLIENT_END) { - #ifdef OPENSSL_EXTRA - if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, SSL_SUCCESS); - } - #endif - ssl->options.handShakeState = HANDSHAKE_DONE; - ssl->options.handShakeDone = 1; - } - } - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) AddPacketName(ssl, "Finished"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "Finished", handshake, output, sendSz, - WRITE_PROTO, ssl->heap); - #endif - - ssl->buffers.outputBuffer.length += sendSz; - - return SendBuffered(ssl); -} - - -#ifndef NO_CERTS -int SendCertificate(WOLFSSL* ssl) -{ - int ret = 0; - word32 certSz, certChainSz, headerSz, listSz, payloadSz; - word32 length, maxFragment; - - if (ssl->options.usingPSK_cipher || ssl->options.usingAnon_cipher) - return 0; /* not needed */ - - if (ssl->options.sendVerify == SEND_BLANK_CERT) { - certSz = 0; - certChainSz = 0; - headerSz = CERT_HEADER_SZ; - length = CERT_HEADER_SZ; - listSz = 0; - } - else { - if (!ssl->buffers.certificate) { - WOLFSSL_MSG("Send Cert missing certificate buffer"); - return BUFFER_ERROR; - } - certSz = ssl->buffers.certificate->length; - headerSz = 2 * CERT_HEADER_SZ; - /* list + cert size */ - length = certSz + headerSz; - listSz = certSz + CERT_HEADER_SZ; - - /* may need to send rest of chain, already has leading size(s) */ - if (certSz && ssl->buffers.certChain) { - certChainSz = ssl->buffers.certChain->length; - length += certChainSz; - listSz += certChainSz; - } - else - certChainSz = 0; - } - - payloadSz = length; - - if (ssl->fragOffset != 0) - length -= (ssl->fragOffset + headerSz); - - maxFragment = MAX_RECORD_SIZE; - if (ssl->options.dtls) { - #ifdef WOLFSSL_DTLS - maxFragment = MAX_MTU - DTLS_RECORD_HEADER_SZ - - DTLS_HANDSHAKE_HEADER_SZ - 100; - #endif /* WOLFSSL_DTLS */ - } - - #ifdef HAVE_MAX_FRAGMENT - if (ssl->max_fragment != 0 && maxFragment >= ssl->max_fragment) - maxFragment = ssl->max_fragment; - #endif /* HAVE_MAX_FRAGMENT */ - - while (length > 0 && ret == 0) { - byte* output = NULL; - word32 fragSz = 0; - word32 i = RECORD_HEADER_SZ; - int sendSz = RECORD_HEADER_SZ; - - if (!ssl->options.dtls) { - if (ssl->fragOffset == 0) { - if (headerSz + certSz + certChainSz <= - maxFragment - HANDSHAKE_HEADER_SZ) { - - fragSz = headerSz + certSz + certChainSz; - } - else { - fragSz = maxFragment - HANDSHAKE_HEADER_SZ; - } - sendSz += fragSz + HANDSHAKE_HEADER_SZ; - i += HANDSHAKE_HEADER_SZ; - } - else { - fragSz = min(length, maxFragment); - sendSz += fragSz; - } - - if (IsEncryptionOn(ssl, 1)) - sendSz += MAX_MSG_EXTRA; - } - else { - #ifdef WOLFSSL_DTLS - fragSz = min(length, maxFragment); - sendSz += fragSz + DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA - + HANDSHAKE_HEADER_SZ; - i += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA - + HANDSHAKE_HEADER_SZ; - #endif - } - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - if (ssl->fragOffset == 0) { - if (!ssl->options.dtls) { - AddFragHeaders(output, fragSz, 0, payloadSz, certificate, ssl); - if (!IsEncryptionOn(ssl, 1)) - HashOutputRaw(ssl, output + RECORD_HEADER_SZ, - HANDSHAKE_HEADER_SZ); - } - else { - #ifdef WOLFSSL_DTLS - AddHeaders(output, payloadSz, certificate, ssl); - if (!IsEncryptionOn(ssl, 1)) - HashOutputRaw(ssl, - output + RECORD_HEADER_SZ + DTLS_RECORD_EXTRA, - HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA); - /* Adding the headers increments these, decrement them for - * actual message header. */ - ssl->keys.dtls_handshake_number--; - AddFragHeaders(output, fragSz, 0, payloadSz, certificate, ssl); - ssl->keys.dtls_handshake_number--; - #endif /* WOLFSSL_DTLS */ - } - - /* list total */ - c32to24(listSz, output + i); - if (!IsEncryptionOn(ssl, 1)) - HashOutputRaw(ssl, output + i, CERT_HEADER_SZ); - i += CERT_HEADER_SZ; - length -= CERT_HEADER_SZ; - fragSz -= CERT_HEADER_SZ; - if (certSz) { - c32to24(certSz, output + i); - if (!IsEncryptionOn(ssl, 1)) - HashOutputRaw(ssl, output + i, CERT_HEADER_SZ); - i += CERT_HEADER_SZ; - length -= CERT_HEADER_SZ; - fragSz -= CERT_HEADER_SZ; - - if (!IsEncryptionOn(ssl, 1)) { - HashOutputRaw(ssl, ssl->buffers.certificate->buffer, certSz); - if (certChainSz) - HashOutputRaw(ssl, ssl->buffers.certChain->buffer, - certChainSz); - } - } - } - else { - if (!ssl->options.dtls) { - AddRecordHeader(output, fragSz, handshake, ssl); - } - else { - #ifdef WOLFSSL_DTLS - AddFragHeaders(output, fragSz, ssl->fragOffset + headerSz, - payloadSz, certificate, ssl); - ssl->keys.dtls_handshake_number--; - #endif /* WOLFSSL_DTLS */ - } - } - - /* member */ - if (certSz && ssl->fragOffset < certSz) { - word32 copySz = min(certSz - ssl->fragOffset, fragSz); - XMEMCPY(output + i, - ssl->buffers.certificate->buffer + ssl->fragOffset, copySz); - i += copySz; - ssl->fragOffset += copySz; - length -= copySz; - fragSz -= copySz; - } - if (certChainSz && fragSz) { - word32 copySz = min(certChainSz + certSz - ssl->fragOffset, fragSz); - XMEMCPY(output + i, - ssl->buffers.certChain->buffer + ssl->fragOffset - certSz, - copySz); - i += copySz; - ssl->fragOffset += copySz; - length -= copySz; - } - - if (IsEncryptionOn(ssl, 1)) { - byte* input = NULL; - int inputSz = i - RECORD_HEADER_SZ; /* build msg adds rec hdr */ - - if (inputSz < 0) { - WOLFSSL_MSG("Send Cert bad inputSz"); - return BUFFER_E; - } - - if (inputSz > 0) { /* clang thinks could be zero, let's help */ - input = (byte*)XMALLOC(inputSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (input == NULL) - return MEMORY_E; - XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); - } - - sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, - handshake, 1, 0, 0); - - if (inputSz > 0) - XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - - if (sendSz < 0) - return sendSz; - } - else { - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - } - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) - return ret; - } - #endif - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "Certificate"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "Certificate", handshake, output, sendSz, - WRITE_PROTO, ssl->heap); - #endif - - ssl->buffers.outputBuffer.length += sendSz; - if (!ssl->options.groupMessages) - ret = SendBuffered(ssl); - } - - if (ret != WANT_WRITE) { - /* Clean up the fragment offset. */ - ssl->fragOffset = 0; - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - ssl->keys.dtls_handshake_number++; - #endif - if (ssl->options.side == WOLFSSL_SERVER_END) - ssl->options.serverState = SERVER_CERT_COMPLETE; - } - - return ret; -} - - -int SendCertificateRequest(WOLFSSL* ssl) -{ - byte *output; - int ret; - int sendSz; - word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - - int typeTotal = 1; /* only 1 for now */ - int reqSz = ENUM_LEN + typeTotal + REQ_HEADER_SZ; /* add auth later */ - - if (IsAtLeastTLSv1_2(ssl)) - reqSz += LENGTH_SZ + ssl->suites->hashSigAlgoSz; - - if (ssl->options.usingPSK_cipher || ssl->options.usingAnon_cipher) - return 0; /* not needed */ - - sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - i += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(output, reqSz, certificate_request, ssl); - - /* write to output */ - output[i++] = (byte)typeTotal; /* # of types */ -#ifdef HAVE_ECC - if ((ssl->options.cipherSuite0 == ECC_BYTE || - ssl->options.cipherSuite0 == CHACHA_BYTE) && - ssl->specs.sig_algo == ecc_dsa_sa_algo) { - output[i++] = ecdsa_sign; - } else -#endif /* HAVE_ECC */ - { - output[i++] = rsa_sign; - } - - /* supported hash/sig */ - if (IsAtLeastTLSv1_2(ssl)) { - c16toa(ssl->suites->hashSigAlgoSz, &output[i]); - i += LENGTH_SZ; - - XMEMCPY(&output[i], - ssl->suites->hashSigAlgo, ssl->suites->hashSigAlgoSz); - i += ssl->suites->hashSigAlgoSz; - } - - c16toa(0, &output[i]); /* auth's */ - /* if add more to output, adjust i - i += REQ_HEADER_SZ; */ - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) - return ret; - } - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - - ret = HashOutput(ssl, output, sendSz, 0); - if (ret != 0) - return ret; - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "CertificateRequest"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "CertificateRequest", handshake, output, sendSz, - WRITE_PROTO, ssl->heap); - #endif - ssl->buffers.outputBuffer.length += sendSz; - if (ssl->options.groupMessages) - return 0; - else - return SendBuffered(ssl); -} - -#ifndef NO_WOLFSSL_SERVER -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) -static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status, - byte count) -{ - byte* output = NULL; - word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - word32 length = ENUM_LEN; - int sendSz = 0; - int ret = 0; - int i = 0; - - WOLFSSL_ENTER("BuildCertificateStatus"); - - switch (type) { - case WOLFSSL_CSR2_OCSP_MULTI: - length += OPAQUE24_LEN; - /* followed by */ - - case WOLFSSL_CSR2_OCSP: - for (i = 0; i < count; i++) - length += OPAQUE24_LEN + status[i].length; - break; - - default: - return 0; - } - - sendSz = idx + length; - - if (ssl->keys.encryptionOn) - sendSz += MAX_MSG_EXTRA; - - if ((ret = CheckAvailableSize(ssl, sendSz)) == 0) { - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(output, length, certificate_status, ssl); - - output[idx++] = type; - - if (type == WOLFSSL_CSR2_OCSP_MULTI) { - c32to24(length - (ENUM_LEN + OPAQUE24_LEN), output + idx); - idx += OPAQUE24_LEN; - } - - for (i = 0; i < count; i++) { - c32to24(status[i].length, output + idx); - idx += OPAQUE24_LEN; - - XMEMCPY(output + idx, status[i].buffer, status[i].length); - idx += status[i].length; - } - - if (IsEncryptionOn(ssl, 1)) { - byte* input; - int inputSz = idx - RECORD_HEADER_SZ; - - input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (input == NULL) - return MEMORY_E; - - XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); - sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, - handshake, 1, 0, 0); - XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - - if (sendSz < 0) - ret = sendSz; - } - else { - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - ret = HashOutput(ssl, output, sendSz, 0); - } - - #ifdef WOLFSSL_DTLS - if (ret == 0 && IsDtlsNotSctpMode(ssl)) - ret = DtlsMsgPoolSave(ssl, output, sendSz); - #endif - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ret == 0 && ssl->hsInfoOn) - AddPacketName(ssl, "CertificateStatus"); - if (ret == 0 && ssl->toInfoOn) - AddPacketInfo(ssl, "CertificateStatus", handshake, output, sendSz, - WRITE_PROTO, ssl->heap); - #endif - - if (ret == 0) { - ssl->buffers.outputBuffer.length += sendSz; - if (!ssl->options.groupMessages) - ret = SendBuffered(ssl); - } - } - - WOLFSSL_LEAVE("BuildCertificateStatus", ret); - return ret; -} -#endif -#endif /* NO_WOLFSSL_SERVER */ - - -int SendCertificateStatus(WOLFSSL* ssl) -{ - int ret = 0; - byte status_type = 0; - - WOLFSSL_ENTER("SendCertificateStatus"); - - (void) ssl; - -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST - status_type = ssl->status_request; -#endif - -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - status_type = status_type ? status_type : ssl->status_request_v2; -#endif - - switch (status_type) { - - #ifndef NO_WOLFSSL_SERVER - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - /* case WOLFSSL_CSR_OCSP: */ - case WOLFSSL_CSR2_OCSP: - { - OcspRequest* request = ssl->ctx->certOcspRequest; - buffer response; - - XMEMSET(&response, 0, sizeof(response)); - - /* unable to fetch status. skip. */ - if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0) - return 0; - - if (!request || ssl->buffers.weOwnCert) { - DerBuffer* der = ssl->buffers.certificate; - #ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; - #else - DecodedCert cert[1]; - #endif - - /* unable to fetch status. skip. */ - if (der->buffer == NULL || der->length == 0) - return 0; - - #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (cert == NULL) - return MEMORY_E; - #endif - - InitDecodedCert(cert, der->buffer, der->length, ssl->heap); - /* TODO: Setup async support here */ - if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, - ssl->ctx->cm)) != 0) { - WOLFSSL_MSG("ParseCert failed"); - } - else { - request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), - ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - if (request == NULL) { - FreeDecodedCert(cert); - - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - - return MEMORY_E; - } - - ret = InitOcspRequest(request, cert, 0, ssl->heap); - if (ret != 0) { - XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - } - else if (!ssl->buffers.weOwnCert && 0 == wc_LockMutex( - &ssl->ctx->cm->ocsp_stapling->ocspLock)) { - if (!ssl->ctx->certOcspRequest) - ssl->ctx->certOcspRequest = request; - wc_UnLockMutex(&ssl->ctx->cm->ocsp_stapling->ocspLock); - } - } - - FreeDecodedCert(cert); - - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - } - - if (ret == 0) { - #ifdef WOLFSSL_NGINX - request->ssl = ssl; - #endif - ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, - &response); - - /* Suppressing, not critical */ - if (ret == OCSP_CERT_REVOKED - || ret == OCSP_CERT_UNKNOWN - || ret == OCSP_LOOKUP_FAIL) - ret = 0; - - if (response.buffer) { - if (ret == 0) - ret = BuildCertificateStatus(ssl, status_type, - &response, 1); - - XFREE(response.buffer, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - - } - - if (request != ssl->ctx->certOcspRequest) - XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - - break; - } - - #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ - /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ - - #if defined HAVE_CERTIFICATE_STATUS_REQUEST_V2 - case WOLFSSL_CSR2_OCSP_MULTI: - { - OcspRequest* request = ssl->ctx->certOcspRequest; - buffer responses[1 + MAX_CHAIN_DEPTH]; - int i = 0; - - XMEMSET(responses, 0, sizeof(responses)); - - /* unable to fetch status. skip. */ - if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0) - return 0; - - if (!request || ssl->buffers.weOwnCert) { - DerBuffer* der = ssl->buffers.certificate; - #ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; - #else - DecodedCert cert[1]; - #endif - - /* unable to fetch status. skip. */ - if (der->buffer == NULL || der->length == 0) - return 0; - - #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (cert == NULL) - return MEMORY_E; - #endif - - InitDecodedCert(cert, der->buffer, der->length, ssl->heap); - /* TODO: Setup async support here */ - if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, - ssl->ctx->cm)) != 0) { - WOLFSSL_MSG("ParseCert failed"); - } - else { - request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), - ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - if (request == NULL) { - FreeDecodedCert(cert); - - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - - return MEMORY_E; - } - - ret = InitOcspRequest(request, cert, 0, ssl->heap); - if (ret != 0) { - XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - } - else if (!ssl->buffers.weOwnCert && 0 == wc_LockMutex( - &ssl->ctx->cm->ocsp_stapling->ocspLock)) { - if (!ssl->ctx->certOcspRequest) - ssl->ctx->certOcspRequest = request; - - wc_UnLockMutex(&ssl->ctx->cm->ocsp_stapling->ocspLock); - } - } - - FreeDecodedCert(cert); - - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - } - - if (ret == 0) { - #ifdef WOLFSSL_NGINX - request->ssl = ssl; - #endif - ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, - &responses[0]); - - /* Suppressing, not critical */ - if (ret == OCSP_CERT_REVOKED - || ret == OCSP_CERT_UNKNOWN - || ret == OCSP_LOOKUP_FAIL) - ret = 0; - } - - if (request != ssl->ctx->certOcspRequest) - XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - - if (ret == 0 && (!ssl->ctx->chainOcspRequest[0] - || ssl->buffers.weOwnCertChain)) { - buffer der; - word32 idx = 0; - #ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; - #else - DecodedCert cert[1]; - #endif - - XMEMSET(&der, 0, sizeof(buffer)); - - #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (cert == NULL) - return MEMORY_E; - #endif - - while (idx + OPAQUE24_LEN < ssl->buffers.certChain->length) { - c24to32(ssl->buffers.certChain->buffer + idx, &der.length); - idx += OPAQUE24_LEN; - - der.buffer = ssl->buffers.certChain->buffer + idx; - idx += der.length; - - if (idx > ssl->buffers.certChain->length) - break; - - InitDecodedCert(cert, der.buffer, der.length, ssl->heap); - /* TODO: Setup async support here */ - if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, - ssl->ctx->cm)) != 0) { - WOLFSSL_MSG("ParseCert failed"); - break; - } - else { - request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), - ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - if (request == NULL) { - ret = MEMORY_E; - break; - } - - ret = InitOcspRequest(request, cert, 0, ssl->heap); - if (ret != 0) { - XFREE(request, ssl->heap,DYNAMIC_TYPE_OCSP_REQUEST); - break; - } - else if (!ssl->buffers.weOwnCertChain && 0 == - wc_LockMutex( - &ssl->ctx->cm->ocsp_stapling->ocspLock)) { - if (!ssl->ctx->chainOcspRequest[i]) - ssl->ctx->chainOcspRequest[i] = request; - - wc_UnLockMutex( - &ssl->ctx->cm->ocsp_stapling->ocspLock); - } - - #ifdef WOLFSSL_NGINX - request->ssl = ssl; - #endif - ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, - request, &responses[i + 1]); - - /* Suppressing, not critical */ - if (ret == OCSP_CERT_REVOKED - || ret == OCSP_CERT_UNKNOWN - || ret == OCSP_LOOKUP_FAIL) - ret = 0; - - if (request != ssl->ctx->chainOcspRequest[i]) - XFREE(request, ssl->heap,DYNAMIC_TYPE_OCSP_REQUEST); - - i++; - } - - FreeDecodedCert(cert); - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - } - else { - while (ret == 0 && - NULL != (request = ssl->ctx->chainOcspRequest[i])) { - #ifdef WOLFSSL_NGINX - request->ssl = ssl; - #endif - ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, - request, &responses[++i]); - - /* Suppressing, not critical */ - if (ret == OCSP_CERT_REVOKED - || ret == OCSP_CERT_UNKNOWN - || ret == OCSP_LOOKUP_FAIL) - ret = 0; - } - } - - if (responses[0].buffer) { - if (ret == 0) - ret = BuildCertificateStatus(ssl, status_type, - responses, (byte)i + 1); - - for (i = 0; i < 1 + MAX_CHAIN_DEPTH; i++) - if (responses[i].buffer) - XFREE(responses[i].buffer, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - } - - break; - } - #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ - #endif /* NO_WOLFSSL_SERVER */ - - default: - break; - } - - return ret; -} - -#endif /* !NO_CERTS */ - - -int SendData(WOLFSSL* ssl, const void* data, int sz) -{ - int sent = 0, /* plainText size */ - sendSz, - ret, - dtlsExtra = 0; - - if (ssl->error == WANT_WRITE || ssl->error == WC_PENDING_E) - ssl->error = 0; - - if (ssl->options.handShakeState != HANDSHAKE_DONE) { - int err; - WOLFSSL_MSG("handshake not complete, trying to finish"); - if ( (err = wolfSSL_negotiate(ssl)) != SSL_SUCCESS) { - /* if async would block return WANT_WRITE */ - if (ssl->error == WC_PENDING_E) { - return WOLFSSL_CBIO_ERR_WANT_WRITE; - } - return err; - } - } - - /* last time system socket output buffer was full, try again to send */ - if (ssl->buffers.outputBuffer.length > 0) { - WOLFSSL_MSG("output buffer was full, trying to send again"); - if ( (ssl->error = SendBuffered(ssl)) < 0) { - WOLFSSL_ERROR(ssl->error); - if (ssl->error == SOCKET_ERROR_E && ssl->options.connReset) - return 0; /* peer reset */ - return ssl->error; - } - else { - /* advance sent to previous sent + plain size just sent */ - sent = ssl->buffers.prevSent + ssl->buffers.plainSz; - WOLFSSL_MSG("sent write buffered data"); - - if (sent > sz) { - WOLFSSL_MSG("error: write() after WANT_WRITE with short size"); - return ssl->error = BAD_FUNC_ARG; - } - } - } - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - dtlsExtra = DTLS_RECORD_EXTRA; - } -#endif - - for (;;) { - int len; - byte* out; - byte* sendBuffer = (byte*)data + sent; /* may switch on comp */ - int buffSz; /* may switch on comp */ - int outputSz; -#ifdef HAVE_LIBZ - byte comp[MAX_RECORD_SIZE + MAX_COMP_EXTRA]; -#endif - - if (sent == sz) break; - - len = min(sz - sent, OUTPUT_RECORD_SIZE); -#ifdef HAVE_MAX_FRAGMENT - len = min(len, ssl->max_fragment); -#endif - -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - len = min(len, MAX_UDP_SIZE); - } -#endif - buffSz = len; - - /* check for available size */ - outputSz = len + COMP_EXTRA + dtlsExtra + MAX_MSG_EXTRA; - if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) - return ssl->error = ret; - - /* get output buffer */ - out = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - -#ifdef HAVE_LIBZ - if (ssl->options.usingCompression) { - buffSz = myCompress(ssl, sendBuffer, buffSz, comp, sizeof(comp)); - if (buffSz < 0) { - return buffSz; - } - sendBuffer = comp; - } -#endif - sendSz = BuildMessage(ssl, out, outputSz, sendBuffer, buffSz, - application_data, 0, 0, 1); - if (sendSz < 0) { - #ifdef WOLFSSL_ASYNC_CRYPT - if (sendSz == WC_PENDING_E) - ssl->error = sendSz; - #endif - return BUILD_MSG_ERROR; - } - - ssl->buffers.outputBuffer.length += sendSz; - - if ( (ret = SendBuffered(ssl)) < 0) { - WOLFSSL_ERROR(ret); - /* store for next call if WANT_WRITE or user embedSend() that - doesn't present like WANT_WRITE */ - ssl->buffers.plainSz = len; - ssl->buffers.prevSent = sent; - if (ret == SOCKET_ERROR_E && ssl->options.connReset) - return 0; /* peer reset */ - return ssl->error = ret; - } - - sent += len; - - /* only one message per attempt */ - if (ssl->options.partialWrite == 1) { - WOLFSSL_MSG("Paritial Write on, only sending one record"); - break; - } - } - - return sent; -} - -/* process input data */ -int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek) -{ - int size; - - WOLFSSL_ENTER("ReceiveData()"); - - /* reset error state */ - if (ssl->error == WANT_READ || ssl->error == WC_PENDING_E) { - ssl->error = 0; - } - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - /* In DTLS mode, we forgive some errors and allow the session - * to continue despite them. */ - if (ssl->error == VERIFY_MAC_ERROR || ssl->error == DECRYPT_ERROR) - ssl->error = 0; - } -#endif /* WOLFSSL_DTLS */ - - if (ssl->error != 0 && ssl->error != WANT_WRITE) { - WOLFSSL_MSG("User calling wolfSSL_read in error state, not allowed"); - return ssl->error; - } - - if (ssl->options.handShakeState != HANDSHAKE_DONE) { - int err; - WOLFSSL_MSG("Handshake not complete, trying to finish"); - if ( (err = wolfSSL_negotiate(ssl)) != SSL_SUCCESS) { - #ifdef WOLFSSL_ASYNC_CRYPT - /* if async would block return WANT_WRITE */ - if (ssl->error == WC_PENDING_E) { - return WOLFSSL_CBIO_ERR_WANT_READ; - } - #endif - return err; - } - } - -#ifdef HAVE_SECURE_RENEGOTIATION -startScr: - if (ssl->secure_renegotiation && ssl->secure_renegotiation->startScr) { - int err; - ssl->secure_renegotiation->startScr = 0; /* only start once */ - WOLFSSL_MSG("Need to start scr, server requested"); - if ( (err = wolfSSL_Rehandshake(ssl)) != SSL_SUCCESS) - return err; - } -#endif - - while (ssl->buffers.clearOutputBuffer.length == 0) { - if ( (ssl->error = ProcessReply(ssl)) < 0) { - WOLFSSL_ERROR(ssl->error); - if (ssl->error == ZERO_RETURN) { - WOLFSSL_MSG("Zero return, no more data coming"); - return 0; /* no more data coming */ - } - if (ssl->error == SOCKET_ERROR_E) { - if (ssl->options.connReset || ssl->options.isClosed) { - WOLFSSL_MSG("Peer reset or closed, connection done"); - ssl->error = SOCKET_PEER_CLOSED_E; - WOLFSSL_ERROR(ssl->error); - return 0; /* peer reset or closed */ - } - } - return ssl->error; - } - #ifdef HAVE_SECURE_RENEGOTIATION - if (ssl->secure_renegotiation && - ssl->secure_renegotiation->startScr) { - goto startScr; - } - #endif - } - - if (sz < (int)ssl->buffers.clearOutputBuffer.length) - size = sz; - else - size = ssl->buffers.clearOutputBuffer.length; - - XMEMCPY(output, ssl->buffers.clearOutputBuffer.buffer, size); - - if (peek == 0) { - ssl->buffers.clearOutputBuffer.length -= size; - ssl->buffers.clearOutputBuffer.buffer += size; - } - - if (ssl->buffers.clearOutputBuffer.length == 0 && - ssl->buffers.inputBuffer.dynamicFlag) - ShrinkInputBuffer(ssl, NO_FORCED_FREE); - - WOLFSSL_LEAVE("ReceiveData()", size); - return size; -} - - -/* send alert message */ -int SendAlert(WOLFSSL* ssl, int severity, int type) -{ - byte input[ALERT_SIZE]; - byte *output; - int sendSz; - int ret; - int outputSz; - int dtlsExtra = 0; - -#ifdef HAVE_WRITE_DUP - if (ssl->dupWrite && ssl->dupSide == READ_DUP_SIDE) { - int notifyErr = 0; - - WOLFSSL_MSG("Read dup side cannot write alerts, notifying sibling"); - - if (type == close_notify) { - notifyErr = ZERO_RETURN; - } else if (severity == alert_fatal) { - notifyErr = FATAL_ERROR; - } - - if (notifyErr != 0) { - return NotifyWriteSide(ssl, notifyErr); - } - - return 0; - } -#endif - - /* if sendalert is called again for nonblocking */ - if (ssl->options.sendAlertState != 0) { - ret = SendBuffered(ssl); - if (ret == 0) - ssl->options.sendAlertState = 0; - return ret; - } - - #ifdef OPENSSL_EXTRA - if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_ALERT, type); - } - #endif - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - dtlsExtra = DTLS_RECORD_EXTRA; - #endif - - /* check for available size */ - outputSz = ALERT_SIZE + MAX_MSG_EXTRA + dtlsExtra; - if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - input[0] = (byte)severity; - input[1] = (byte)type; - ssl->alert_history.last_tx.code = type; - ssl->alert_history.last_tx.level = severity; - if (severity == alert_fatal) { - ssl->options.isClosed = 1; /* Don't send close_notify */ - } - - /* only send encrypted alert if handshake actually complete, otherwise - other side may not be able to handle it */ - if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) - sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE, - alert, 0, 0, 0); - else { - - AddRecordHeader(output, ALERT_SIZE, alert, ssl); - output += RECORD_HEADER_SZ; - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - output += DTLS_RECORD_EXTRA; - #endif - XMEMCPY(output, input, ALERT_SIZE); - - sendSz = RECORD_HEADER_SZ + ALERT_SIZE; - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - sendSz += DTLS_RECORD_EXTRA; - #endif - } - if (sendSz < 0) - return BUILD_MSG_ERROR; - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "Alert"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "Alert", alert, output, sendSz, WRITE_PROTO, - ssl->heap); - #endif - - ssl->buffers.outputBuffer.length += sendSz; - ssl->options.sendAlertState = 1; - - return SendBuffered(ssl); -} - -const char* wolfSSL_ERR_reason_error_string(unsigned long e) -{ -#ifdef NO_ERROR_STRINGS - - (void)e; - return "no support for error strings built in"; - -#else - - int error = (int)e; - - /* pass to wolfCrypt */ - if (error < MAX_CODE_E && error > MIN_CODE_E) { - return wc_GetErrorString(error); - } - - switch (error) { - - case UNSUPPORTED_SUITE : - return "unsupported cipher suite"; - - case INPUT_CASE_ERROR : - return "input state error"; - - case PREFIX_ERROR : - return "bad index to key rounds"; - - case MEMORY_ERROR : - return "out of memory"; - - case VERIFY_FINISHED_ERROR : - return "verify problem on finished"; - - case VERIFY_MAC_ERROR : - return "verify mac problem"; - - case PARSE_ERROR : - return "parse error on header"; - - case SIDE_ERROR : - return "wrong client/server type"; - - case NO_PEER_CERT : - return "peer didn't send cert"; - - case UNKNOWN_HANDSHAKE_TYPE : - return "weird handshake type"; - - case SOCKET_ERROR_E : - return "error state on socket"; - - case SOCKET_NODATA : - return "expected data, not there"; - - case INCOMPLETE_DATA : - return "don't have enough data to complete task"; - - case UNKNOWN_RECORD_TYPE : - return "unknown type in record hdr"; - - case DECRYPT_ERROR : - return "error during decryption"; - - case FATAL_ERROR : - return "revcd alert fatal error"; - - case ENCRYPT_ERROR : - return "error during encryption"; - - case FREAD_ERROR : - return "fread problem"; - - case NO_PEER_KEY : - return "need peer's key"; - - case NO_PRIVATE_KEY : - return "need the private key"; - - case NO_DH_PARAMS : - return "server missing DH params"; - - case RSA_PRIVATE_ERROR : - return "error during rsa priv op"; - - case MATCH_SUITE_ERROR : - return "can't match cipher suite"; - - case COMPRESSION_ERROR : - return "compression mismatch error"; - - case BUILD_MSG_ERROR : - return "build message failure"; - - case BAD_HELLO : - return "client hello malformed"; - - case DOMAIN_NAME_MISMATCH : - return "peer subject name mismatch"; - - case WANT_READ : - case SSL_ERROR_WANT_READ : - return "non-blocking socket wants data to be read"; - - case NOT_READY_ERROR : - return "handshake layer not ready yet, complete first"; - - case PMS_VERSION_ERROR : - return "premaster secret version mismatch error"; - - case VERSION_ERROR : - return "record layer version error"; - - case WANT_WRITE : - case SSL_ERROR_WANT_WRITE : - return "non-blocking socket write buffer full"; - - case BUFFER_ERROR : - return "malformed buffer input error"; - - case VERIFY_CERT_ERROR : - return "verify problem on certificate"; - - case VERIFY_SIGN_ERROR : - return "verify problem based on signature"; - - case CLIENT_ID_ERROR : - return "psk client identity error"; - - case SERVER_HINT_ERROR: - return "psk server hint error"; - - case PSK_KEY_ERROR: - return "psk key callback error"; - - case NTRU_KEY_ERROR: - return "NTRU key error"; - - case NTRU_DRBG_ERROR: - return "NTRU drbg error"; - - case NTRU_ENCRYPT_ERROR: - return "NTRU encrypt error"; - - case NTRU_DECRYPT_ERROR: - return "NTRU decrypt error"; - - case ZLIB_INIT_ERROR: - return "zlib init error"; - - case ZLIB_COMPRESS_ERROR: - return "zlib compress error"; - - case ZLIB_DECOMPRESS_ERROR: - return "zlib decompress error"; - - case GETTIME_ERROR: - return "gettimeofday() error"; - - case GETITIMER_ERROR: - return "getitimer() error"; - - case SIGACT_ERROR: - return "sigaction() error"; - - case SETITIMER_ERROR: - return "setitimer() error"; - - case LENGTH_ERROR: - return "record layer length error"; - - case PEER_KEY_ERROR: - return "cant decode peer key"; - - case ZERO_RETURN: - case SSL_ERROR_ZERO_RETURN: - return "peer sent close notify alert"; - - case ECC_CURVETYPE_ERROR: - return "Bad ECC Curve Type or unsupported"; - - case ECC_CURVE_ERROR: - return "Bad ECC Curve or unsupported"; - - case ECC_PEERKEY_ERROR: - return "Bad ECC Peer Key"; - - case ECC_MAKEKEY_ERROR: - return "ECC Make Key failure"; - - case ECC_EXPORT_ERROR: - return "ECC Export Key failure"; - - case ECC_SHARED_ERROR: - return "ECC DHE shared failure"; - - case NOT_CA_ERROR: - return "Not a CA by basic constraint error"; - - case HTTP_TIMEOUT: - return "HTTP timeout for OCSP or CRL req"; - - case BAD_CERT_MANAGER_ERROR: - return "Bad Cert Manager error"; - - case OCSP_CERT_REVOKED: - return "OCSP Cert revoked"; - - case CRL_CERT_REVOKED: - return "CRL Cert revoked"; - - case CRL_MISSING: - return "CRL missing, not loaded"; - - case MONITOR_SETUP_E: - return "CRL monitor setup error"; - - case THREAD_CREATE_E: - return "Thread creation problem"; - - case OCSP_NEED_URL: - return "OCSP need URL"; - - case OCSP_CERT_UNKNOWN: - return "OCSP Cert unknown"; - - case OCSP_LOOKUP_FAIL: - return "OCSP Responder lookup fail"; - - case MAX_CHAIN_ERROR: - return "Maximum Chain Depth Exceeded"; - - case COOKIE_ERROR: - return "DTLS Cookie Error"; - - case SEQUENCE_ERROR: - return "DTLS Sequence Error"; - - case SUITES_ERROR: - return "Suites Pointer Error"; - - case SSL_NO_PEM_HEADER: - return "No PEM Header Error"; - - case OUT_OF_ORDER_E: - return "Out of order message, fatal"; - - case BAD_KEA_TYPE_E: - return "Bad KEA type found"; - - case SANITY_CIPHER_E: - return "Sanity check on ciphertext failed"; - - case RECV_OVERFLOW_E: - return "Receive callback returned more than requested"; - - case GEN_COOKIE_E: - return "Generate Cookie Error"; - - case NO_PEER_VERIFY: - return "Need peer certificate verify Error"; - - case FWRITE_ERROR: - return "fwrite Error"; - - case CACHE_MATCH_ERROR: - return "Cache restore header match Error"; - - case UNKNOWN_SNI_HOST_NAME_E: - return "Unrecognized host name Error"; - - case UNKNOWN_MAX_FRAG_LEN_E: - return "Unrecognized max frag len Error"; - - case KEYUSE_SIGNATURE_E: - return "Key Use digitalSignature not set Error"; - - case KEYUSE_ENCIPHER_E: - return "Key Use keyEncipherment not set Error"; - - case EXTKEYUSE_AUTH_E: - return "Ext Key Use server/client auth not set Error"; - - case SEND_OOB_READ_E: - return "Send Callback Out of Bounds Read Error"; - - case SECURE_RENEGOTIATION_E: - return "Invalid Renegotiation Error"; - - case SESSION_TICKET_LEN_E: - return "Session Ticket Too Long Error"; - - case SESSION_TICKET_EXPECT_E: - return "Session Ticket Error"; - - case SCR_DIFFERENT_CERT_E: - return "Peer sent different cert during SCR"; - - case SESSION_SECRET_CB_E: - return "Session Secret Callback Error"; - - case NO_CHANGE_CIPHER_E: - return "Finished received from peer before Change Cipher Error"; - - case SANITY_MSG_E: - return "Sanity Check on message order Error"; - - case DUPLICATE_MSG_E: - return "Duplicate HandShake message Error"; - - case SNI_UNSUPPORTED: - return "Protocol version does not support SNI Error"; - - case SOCKET_PEER_CLOSED_E: - return "Peer closed underlying transport Error"; - - case BAD_TICKET_KEY_CB_SZ: - return "Bad user session ticket key callback Size Error"; - - case BAD_TICKET_MSG_SZ: - return "Bad session ticket message Size Error"; - - case BAD_TICKET_ENCRYPT: - return "Bad user ticket callback encrypt Error"; - - case DH_KEY_SIZE_E: - return "DH key too small Error"; - - case SNI_ABSENT_ERROR: - return "No Server Name Indication extension Error"; - - case RSA_SIGN_FAULT: - return "RSA Signature Fault Error"; - - case HANDSHAKE_SIZE_ERROR: - return "Handshake message too large Error"; - - case UNKNOWN_ALPN_PROTOCOL_NAME_E: - return "Unrecognized protocol name Error"; - - case BAD_CERTIFICATE_STATUS_ERROR: - return "Bad Certificate Status Message Error"; - - case OCSP_INVALID_STATUS: - return "Invalid OCSP Status Error"; - - case RSA_KEY_SIZE_E: - return "RSA key too small"; - - case ECC_KEY_SIZE_E: - return "ECC key too small"; - - case DTLS_EXPORT_VER_E: - return "Version needs updated after code change or version mismatch"; - - case INPUT_SIZE_E: - return "Input size too large Error"; - - case CTX_INIT_MUTEX_E: - return "Initialize ctx mutex error"; - - case EXT_MASTER_SECRET_NEEDED_E: - return "Extended Master Secret must be enabled to resume EMS session"; - - case DTLS_POOL_SZ_E: - return "Maximum DTLS pool size exceeded"; - - case DECODE_E: - return "Decode handshake message error"; - - case WRITE_DUP_READ_E: - return "Write dup write side can't read error"; - - case WRITE_DUP_WRITE_E: - return "Write dup read side can't write error"; - - default : - return "unknown error number"; - } - -#endif /* NO_ERROR_STRINGS */ -} - -void SetErrorString(int error, char* str) -{ - XSTRNCPY(str, wolfSSL_ERR_reason_error_string(error), WOLFSSL_MAX_ERROR_SZ); -} - - -/* be sure to add to cipher_name_idx too !!!! */ -static const char* const cipher_names[] = -{ -#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA - "RC4-SHA", -#endif - -#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5 - "RC4-MD5", -#endif - -#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA - "DES-CBC3-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA - "AES128-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA - "AES256-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_NULL_SHA - "NULL-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256 - "NULL-SHA256", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA - "DHE-RSA-AES128-SHA", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA - "DHE-RSA-AES256-SHA", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - "DHE-PSK-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - "DHE-PSK-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384 - "PSK-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256 - "PSK-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 - "DHE-PSK-AES256-CBC-SHA384", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - "DHE-PSK-AES128-CBC-SHA256", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384 - "PSK-AES256-CBC-SHA384", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 - "PSK-AES128-CBC-SHA256", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA - "PSK-AES128-CBC-SHA", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA - "PSK-AES256-CBC-SHA", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM - "DHE-PSK-AES128-CCM", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CCM - "DHE-PSK-AES256-CCM", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM - "PSK-AES128-CCM", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM - "PSK-AES256-CCM", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8 - "PSK-AES128-CCM-8", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8 - "PSK-AES256-CCM-8", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384 - "DHE-PSK-NULL-SHA384", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256 - "DHE-PSK-NULL-SHA256", -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA384 - "PSK-NULL-SHA384", -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256 - "PSK-NULL-SHA256", -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA - "PSK-NULL-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_MD5 - "HC128-MD5", -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_SHA - "HC128-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_B2B256 - "HC128-B2B256", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256 - "AES128-B2B256", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256 - "AES256-B2B256", -#endif - -#ifdef BUILD_TLS_RSA_WITH_RABBIT_SHA - "RABBIT-SHA", -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA - "NTRU-RC4-SHA", -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA - "NTRU-DES-CBC3-SHA", -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA - "NTRU-AES128-SHA", -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA - "NTRU-AES256-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 - "AES128-CCM-8", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8 - "AES256-CCM-8", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM - "ECDHE-ECDSA-AES128-CCM", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 - "ECDHE-ECDSA-AES128-CCM-8", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 - "ECDHE-ECDSA-AES256-CCM-8", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - "ECDHE-RSA-AES128-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - "ECDHE-RSA-AES256-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - "ECDHE-ECDSA-AES128-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - "ECDHE-ECDSA-AES256-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA - "ECDHE-RSA-RC4-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - "ECDHE-RSA-DES-CBC3-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - "ECDHE-ECDSA-RC4-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - "ECDHE-ECDSA-DES-CBC3-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 - "AES128-SHA256", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 - "AES256-SHA256", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - "DHE-RSA-AES128-SHA256", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - "DHE-RSA-AES256-SHA256", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - "ECDH-RSA-AES128-SHA", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - "ECDH-RSA-AES256-SHA", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - "ECDH-ECDSA-AES128-SHA", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - "ECDH-ECDSA-AES256-SHA", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA - "ECDH-RSA-RC4-SHA", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - "ECDH-RSA-DES-CBC3-SHA", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - "ECDH-ECDSA-RC4-SHA", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - "ECDH-ECDSA-DES-CBC3-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 - "AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 - "AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - "DHE-RSA-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - "DHE-RSA-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - "ECDHE-RSA-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - "ECDHE-RSA-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - "ECDHE-ECDSA-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - "ECDHE-ECDSA-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - "ECDH-RSA-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - "ECDH-RSA-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - "ECDH-ECDSA-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - "ECDH-ECDSA-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - "CAMELLIA128-SHA", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - "DHE-RSA-CAMELLIA128-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - "CAMELLIA256-SHA", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - "DHE-RSA-CAMELLIA256-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - "CAMELLIA128-SHA256", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - "DHE-RSA-CAMELLIA128-SHA256", -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - "CAMELLIA256-SHA256", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - "DHE-RSA-CAMELLIA256-SHA256", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - "ECDHE-RSA-AES128-SHA256", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - "ECDHE-ECDSA-AES128-SHA256", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 - "ECDH-RSA-AES128-SHA256", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - "ECDH-ECDSA-AES128-SHA256", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - "ECDHE-RSA-AES256-SHA384", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - "ECDHE-ECDSA-AES256-SHA384", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - "ECDH-RSA-AES256-SHA384", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - "ECDH-ECDSA-AES256-SHA384", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - "ECDHE-RSA-CHACHA20-POLY1305", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - "ECDHE-ECDSA-CHACHA20-POLY1305", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - "DHE-RSA-CHACHA20-POLY1305", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - "ECDHE-RSA-CHACHA20-POLY1305-OLD", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - "ECDHE-ECDSA-CHACHA20-POLY1305-OLD", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - "DHE-RSA-CHACHA20-POLY1305-OLD", -#endif - -#ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA - "ADH-AES128-SHA", -#endif - -#ifdef BUILD_TLS_QSH - "QSH", -#endif - -#ifdef HAVE_RENEGOTIATION_INDICATION - "RENEGOTIATION-INFO", -#endif - -#ifdef BUILD_SSL_RSA_WITH_IDEA_CBC_SHA - "IDEA-CBC-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA - "ECDHE-ECDSA-NULL-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256 - "ECDHE-PSK-NULL-SHA256", -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 - "ECDHE-PSK-AES128-CBC-SHA256", -#endif - -#ifdef BUILD_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 - "PSK-CHACHA20-POLY1305", -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - "ECDHE-PSK-CHACHA20-POLY1305", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - "DHE-PSK-CHACHA20-POLY1305", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - "EDH-RSA-DES-CBC3-SHA", -#endif -}; - - -/* cipher suite number that matches above name table */ -static int cipher_name_idx[] = -{ - -#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA - SSL_RSA_WITH_RC4_128_SHA, -#endif - -#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5 - SSL_RSA_WITH_RC4_128_MD5, -#endif - -#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA - SSL_RSA_WITH_3DES_EDE_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA - TLS_RSA_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA - TLS_RSA_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_NULL_SHA - TLS_RSA_WITH_NULL_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256 - TLS_RSA_WITH_NULL_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA - TLS_DHE_RSA_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA - TLS_DHE_RSA_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384 - TLS_PSK_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256 - TLS_PSK_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 - TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384 - TLS_PSK_WITH_AES_256_CBC_SHA384, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 - TLS_PSK_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA - TLS_PSK_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA - TLS_PSK_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM - TLS_DHE_PSK_WITH_AES_128_CCM, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CCM - TLS_DHE_PSK_WITH_AES_256_CCM, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM - TLS_PSK_WITH_AES_128_CCM, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM - TLS_PSK_WITH_AES_256_CCM, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8 - TLS_PSK_WITH_AES_128_CCM_8, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8 - TLS_PSK_WITH_AES_256_CCM_8, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384 - TLS_DHE_PSK_WITH_NULL_SHA384, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256 - TLS_DHE_PSK_WITH_NULL_SHA256, -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA384 - TLS_PSK_WITH_NULL_SHA384, -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256 - TLS_PSK_WITH_NULL_SHA256, -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA - TLS_PSK_WITH_NULL_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_MD5 - TLS_RSA_WITH_HC_128_MD5, -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_SHA - TLS_RSA_WITH_HC_128_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_B2B256 - TLS_RSA_WITH_HC_128_B2B256, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256 - TLS_RSA_WITH_AES_128_CBC_B2B256, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256 - TLS_RSA_WITH_AES_256_CBC_B2B256, -#endif - -#ifdef BUILD_TLS_RSA_WITH_RABBIT_SHA - TLS_RSA_WITH_RABBIT_SHA, -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA - TLS_NTRU_RSA_WITH_RC4_128_SHA, -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA - TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA, -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA - TLS_NTRU_RSA_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA - TLS_NTRU_RSA_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 - TLS_RSA_WITH_AES_128_CCM_8, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8 - TLS_RSA_WITH_AES_256_CCM_8, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM - TLS_ECDHE_ECDSA_WITH_AES_128_CCM, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 - TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 - TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA - TLS_ECDHE_RSA_WITH_RC4_128_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 - TLS_RSA_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 - TLS_RSA_WITH_AES_256_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA - TLS_ECDH_RSA_WITH_RC4_128_SHA, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - TLS_ECDH_ECDSA_WITH_RC4_128_SHA, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 - TLS_RSA_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 - TLS_RSA_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA - TLS_DH_anon_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_QSH - TLS_QSH, -#endif - -#ifdef HAVE_RENEGOTIATION_INDICATION - TLS_EMPTY_RENEGOTIATION_INFO_SCSV, -#endif - -#ifdef BUILD_SSL_RSA_WITH_IDEA_CBC_SHA - SSL_RSA_WITH_IDEA_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA - TLS_ECDHE_ECDSA_WITH_NULL_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256 - TLS_ECDHE_PSK_WITH_NULL_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 - TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 - TLS_PSK_WITH_CHACHA20_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, -#endif -}; - - -/* returns the cipher_names array */ -const char* const* GetCipherNames(void) -{ - return cipher_names; -} - - -/* returns the size of the cipher_names array */ -int GetCipherNamesSize(void) -{ - return (int)(sizeof(cipher_names) / sizeof(char*)); -} - -/* gets cipher name in the format DHE-RSA-... rather then TLS_DHE... */ -const char* GetCipherNameInternal(const char* cipherName, int cipherSuite) -{ - const char* result = NULL; - const char* first; - int i; - - if (cipherName == NULL) { - WOLFSSL_MSG("Bad argument"); - return NULL; - } - - first = (XSTRSTR(cipherName, "CHACHA")) ? "CHACHA" - : (XSTRSTR(cipherName, "EC")) ? "EC" - : (XSTRSTR(cipherName, "CCM")) ? "CCM" - : NULL; /* normal */ - - for (i = 0; i < (int)(sizeof(cipher_name_idx)/sizeof(int)); i++) { - if (cipher_name_idx[i] == cipherSuite) { - const char* nameFound = cipher_names[i]; - - /* extra sanity check on returned cipher name */ - if (nameFound == NULL) { - continue; - } - - /* if first is null then not any */ - if (first == NULL) { - if ( !XSTRSTR(nameFound, "CHACHA") && - !XSTRSTR(nameFound, "EC") && - !XSTRSTR(nameFound, "CCM")) { - result = nameFound; - break; - } - } - else if (XSTRSTR(nameFound, first)) { - result = nameFound; - break; - } - } - } - - return result; -} - -const char* wolfSSL_get_cipher_name_internal(WOLFSSL* ssl) -{ - if (ssl == NULL) { - WOLFSSL_MSG("Bad argument"); - return NULL; - } - - return GetCipherNameInternal( - wolfSSL_CIPHER_get_name(&ssl->cipher), - ssl->options.cipherSuite); -} - - -const char* wolfSSL_get_cipher_name_from_suite(const unsigned char cipherSuite, - const unsigned char cipherSuite0) -{ - - WOLFSSL_ENTER("wolfSSL_get_cipher_name_from_suite"); - - (void)cipherSuite; - (void)cipherSuite0; - -#ifndef NO_ERROR_STRINGS - -#if defined(HAVE_CHACHA) - if (cipherSuite0 == CHACHA_BYTE) { - /* ChaCha suites */ - switch (cipherSuite) { -#ifdef HAVE_POLY1305 -#ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"; - - case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"; - - case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - return "TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256"; - - case TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - return "TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256"; -#endif - case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"; - - case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - return "TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256"; -#ifndef NO_PSK - case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"; - case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"; - case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"; -#endif /* NO_PSK */ -#endif /* HAVE_POLY1305 */ - } /* switch */ - } /* chacha */ -#endif /* HAVE_CHACHA */ - -#if defined(HAVE_ECC) || defined(HAVE_AESCCM) - /* Awkwardly, the ECC cipher suites use the ECC_BYTE as expected, - * but the AES-CCM cipher suites also use it, even the ones that - * aren't ECC. */ - if (cipherSuite0 == ECC_BYTE) { - /* ECC suites */ - switch (cipherSuite) { -#ifdef HAVE_ECC - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"; - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"; - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : - return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : - return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"; - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 : - return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : - return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"; -#ifndef NO_SHA - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA : - return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA : - return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : - return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : - return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; - #ifndef NO_RC4 - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_RC4_128_SHA : - return "TLS_ECDHE_RSA_WITH_RC4_128_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : - return "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"; - #endif /* !NO_RC4 */ - #ifndef NO_DES3 - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_DES3 */ - - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA : - return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA : - return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA : - return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA : - return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"; - #ifndef NO_RC4 - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_RC4_128_SHA : - return "TLS_ECDH_RSA_WITH_RC4_128_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_RC4_128_SHA : - return "TLS_ECDH_ECDSA_WITH_RC4_128_SHA"; - #endif /* !NO_RC4 */ - #ifndef NO_DES3 - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_DES3 */ -#endif /* HAVE_ECC */ - -#ifdef HAVE_AESGCM - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : - return "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 : - return "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : - return "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 : - return "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"; - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 : - return "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 : - return "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 : - return "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 : - return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"; -#endif /* HAVE_AESGCM */ - - case TLS_ECDHE_ECDSA_WITH_NULL_SHA : - return "TLS_ECDHE_ECDSA_WITH_NULL_SHA"; - #ifndef NO_PSK - case TLS_ECDHE_PSK_WITH_NULL_SHA256 : - return "TLS_ECDHE_PSK_WITH_NULL_SHA256"; - case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"; - #endif /* !NO_PSK */ - #ifndef NO_RSA - case TLS_RSA_WITH_AES_128_CCM_8 : - return "TLS_RSA_WITH_AES_128_CCM_8"; - case TLS_RSA_WITH_AES_256_CCM_8 : - return "TLS_RSA_WITH_AES_256_CCM_8"; - #endif /* !NO_RSA */ - #ifndef NO_PSK - case TLS_PSK_WITH_AES_128_CCM_8 : - return "TLS_PSK_WITH_AES_128_CCM_8"; - case TLS_PSK_WITH_AES_256_CCM_8 : - return "TLS_PSK_WITH_AES_256_CCM_8"; - case TLS_PSK_WITH_AES_128_CCM : - return "TLS_PSK_WITH_AES_128_CCM"; - case TLS_PSK_WITH_AES_256_CCM : - return "TLS_PSK_WITH_AES_256_CCM"; - case TLS_DHE_PSK_WITH_AES_128_CCM : - return "TLS_DHE_PSK_WITH_AES_128_CCM"; - case TLS_DHE_PSK_WITH_AES_256_CCM : - return "TLS_DHE_PSK_WITH_AES_256_CCM"; - #endif /* !NO_PSK */ - #ifdef HAVE_ECC - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM: - return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM"; - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: - return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"; - case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : - return "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8"; - #endif /* HAVE_ECC */ -#endif /* HAVE_AESGCM */ - - default: - return "NONE"; - } /* switch */ - } /* ECC and AES CCM/GCM */ -#endif /* HAVE_ECC || HAVE_AESCCM*/ - - if (cipherSuite0 != ECC_BYTE && - cipherSuite0 != CHACHA_BYTE) { - - /* normal suites */ - switch (cipherSuite) { -#ifndef NO_RSA - #ifndef NO_RC4 - #ifndef NO_SHA - case SSL_RSA_WITH_RC4_128_SHA : - return "SSL_RSA_WITH_RC4_128_SHA"; - #endif /* !NO_SHA */ - #ifndef NO_MD5 - case SSL_RSA_WITH_RC4_128_MD5 : - return "SSL_RSA_WITH_RC4_128_MD5"; - #endif /* !NO_MD5 */ - #endif /* !NO_RC4 */ - #ifndef NO_SHA - #ifndef NO_DES3 - case SSL_RSA_WITH_3DES_EDE_CBC_SHA : - return "SSL_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_DES3 */ - #ifdef HAVE_IDEA - case SSL_RSA_WITH_IDEA_CBC_SHA : - return "SSL_RSA_WITH_IDEA_CBC_SHA"; - #endif /* HAVE_IDEA */ - - case TLS_RSA_WITH_AES_128_CBC_SHA : - return "TLS_RSA_WITH_AES_128_CBC_SHA"; - case TLS_RSA_WITH_AES_256_CBC_SHA : - return "TLS_RSA_WITH_AES_256_CBC_SHA"; - #endif /* !NO_SHA */ - case TLS_RSA_WITH_AES_128_CBC_SHA256 : - return "TLS_RSA_WITH_AES_128_CBC_SHA256"; - case TLS_RSA_WITH_AES_256_CBC_SHA256 : - return "TLS_RSA_WITH_AES_256_CBC_SHA256"; - #ifdef HAVE_BLAKE2 - case TLS_RSA_WITH_AES_128_CBC_B2B256: - return "TLS_RSA_WITH_AES_128_CBC_B2B256"; - case TLS_RSA_WITH_AES_256_CBC_B2B256: - return "TLS_RSA_WITH_AES_256_CBC_B2B256"; - #endif /* HAVE_BLAKE2 */ - #ifndef NO_SHA - case TLS_RSA_WITH_NULL_SHA : - return "TLS_RSA_WITH_NULL_SHA"; - #endif /* !NO_SHA */ - case TLS_RSA_WITH_NULL_SHA256 : - return "TLS_RSA_WITH_NULL_SHA256"; -#endif /* NO_RSA */ - -#ifndef NO_PSK - #ifndef NO_SHA - case TLS_PSK_WITH_AES_128_CBC_SHA : - return "TLS_PSK_WITH_AES_128_CBC_SHA"; - case TLS_PSK_WITH_AES_256_CBC_SHA : - return "TLS_PSK_WITH_AES_256_CBC_SHA"; - #endif /* !NO_SHA */ - #ifndef NO_SHA256 - case TLS_PSK_WITH_AES_128_CBC_SHA256 : - return "TLS_PSK_WITH_AES_128_CBC_SHA256"; - case TLS_PSK_WITH_NULL_SHA256 : - return "TLS_PSK_WITH_NULL_SHA256"; - case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 : - return "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"; - case TLS_DHE_PSK_WITH_NULL_SHA256 : - return "TLS_DHE_PSK_WITH_NULL_SHA256"; - #ifdef HAVE_AESGCM - case TLS_PSK_WITH_AES_128_GCM_SHA256 : - return "TLS_PSK_WITH_AES_128_GCM_SHA256"; - case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 : - return "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"; - #endif /* HAVE_AESGCM */ - #endif /* !NO_SHA256 */ - #ifdef WOLFSSL_SHA384 - case TLS_PSK_WITH_AES_256_CBC_SHA384 : - return "TLS_PSK_WITH_AES_256_CBC_SHA384"; - case TLS_PSK_WITH_NULL_SHA384 : - return "TLS_PSK_WITH_NULL_SHA384"; - case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 : - return "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"; - case TLS_DHE_PSK_WITH_NULL_SHA384 : - return "TLS_DHE_PSK_WITH_NULL_SHA384"; - #ifdef HAVE_AESGCM - case TLS_PSK_WITH_AES_256_GCM_SHA384 : - return "TLS_PSK_WITH_AES_256_GCM_SHA384"; - case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 : - return "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"; - #endif /* HAVE_AESGCM */ - #endif /* WOLFSSL_SHA384 */ - #ifndef NO_SHA - case TLS_PSK_WITH_NULL_SHA : - return "TLS_PSK_WITH_NULL_SHA"; - #endif /* !NO_SHA */ - #endif /* NO_PSK */ - - #ifndef NO_RSA - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : - return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"; - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 : - return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"; - #ifndef NO_SHA - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA : - return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"; - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA : - return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"; - #ifndef NO_DES3 - case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: - return "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif - #endif /* !NO_RSA */ - #ifndef NO_HC128 - #ifndef NO_MD5 - case TLS_RSA_WITH_HC_128_MD5 : - return "TLS_RSA_WITH_HC_128_MD5"; - #endif /* !NO_MD5 */ - #ifndef NO_SHA - case TLS_RSA_WITH_HC_128_SHA : - return "TLS_RSA_WITH_HC_128_SHA"; - #endif /* !NO_SHA */ - #ifdef HAVE_BLAKE2 - case TLS_RSA_WITH_HC_128_B2B256: - return "TLS_RSA_WITH_HC_128_B2B256"; - #endif /* HAVE_BLAKE2 */ - #endif /* !NO_HC128 */ - #ifndef NO_SHA - #ifndef NO_RABBIT - case TLS_RSA_WITH_RABBIT_SHA : - return "TLS_RSA_WITH_RABBIT_SHA"; - #endif /* !NO_RABBIT */ - #ifdef HAVE_NTRU - #ifndef NO_RC4 - case TLS_NTRU_RSA_WITH_RC4_128_SHA : - return "TLS_NTRU_RSA_WITH_RC4_128_SHA"; - #endif /* !NO_RC4 */ - #ifndef NO_DES3 - case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_DES3 */ - case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA : - return "TLS_NTRU_RSA_WITH_AES_128_CBC_SHA"; - case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA : - return "TLS_NTRU_RSA_WITH_AES_256_CBC_SHA"; - #endif /* HAVE_NTRU */ - - #ifdef HAVE_QSH - case TLS_QSH : - return "TLS_QSH"; - #endif /* HAVE_QSH */ - #endif /* !NO_SHA */ - - case TLS_RSA_WITH_AES_128_GCM_SHA256 : - return "TLS_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_RSA_WITH_AES_256_GCM_SHA384 : - return "TLS_RSA_WITH_AES_256_GCM_SHA384"; - case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 : - return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 : - return "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"; - #ifndef NO_SHA - case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA : - return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"; - case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA : - return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"; - #endif /* !NO_SHA */ - case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 : - return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"; - case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 : - return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"; - #ifndef NO_SHA - case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : - return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"; - case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : - return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"; - #endif /* !NO_SHA */ - case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 : - return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"; - case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 : - return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"; -#endif /* !NO_PSK */ - -#ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA - case TLS_DH_anon_WITH_AES_128_CBC_SHA : - return "TLS_DH_anon_WITH_AES_128_CBC_SHA"; -#endif - default: - return "NONE"; - } /* switch */ - } /* normal / PSK */ -#endif /* NO_ERROR_STRINGS */ - - return "NONE"; -} - - -/** -Set the enabled cipher suites. - -@param [out] suites Suites structure. -@param [in] list List of cipher suites, only supports full name from - cipher_names[] delimited by ':'. - -@return true on success, else false. -*/ -int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) -{ - int ret = 0; - int idx = 0; - int haveRSAsig = 0; - int haveECDSAsig = 0; - int haveAnon = 0; - const int suiteSz = GetCipherNamesSize(); - char* next = (char*)list; - - if (suites == NULL || list == NULL) { - WOLFSSL_MSG("SetCipherList parameter error"); - return 0; - } - - if (next[0] == 0 || XSTRNCMP(next, "ALL", 3) == 0 || - XSTRNCMP(next, "DEFAULT", 7) == 0) - return 1; /* wolfSSL defualt */ - - do { - char* current = next; - char name[MAX_SUITE_NAME + 1]; - int i; - word32 length; - - next = XSTRSTR(next, ":"); - length = min(sizeof(name), !next ? (word32)XSTRLEN(current) /* last */ - : (word32)(next - current)); - - XSTRNCPY(name, current, length); - name[(length == sizeof(name)) ? length - 1 : length] = 0; - - for (i = 0; i < suiteSz; i++) { - if (XSTRNCMP(name, cipher_names[i], sizeof(name)) == 0) { - #ifdef WOLFSSL_DTLS - /* don't allow stream ciphers with DTLS */ - if (ctx->method->version.major == DTLS_MAJOR) { - if (XSTRSTR(name, "RC4") || - XSTRSTR(name, "HC128") || - XSTRSTR(name, "RABBIT")) - { - WOLFSSL_MSG("Stream ciphers not supported with DTLS"); - continue; - } - - } - #endif /* WOLFSSL_DTLS */ - - suites->suites[idx++] = (XSTRSTR(name, "CHACHA")) ? CHACHA_BYTE - : (XSTRSTR(name, "QSH")) ? QSH_BYTE - : (XSTRSTR(name, "EC")) ? ECC_BYTE - : (XSTRSTR(name, "CCM")) ? ECC_BYTE - : 0x00; /* normal */ - suites->suites[idx++] = (byte)cipher_name_idx[i]; - - /* The suites are either ECDSA, RSA, PSK, or Anon. The RSA - * suites don't necessarily have RSA in the name. */ - if ((haveECDSAsig == 0) && XSTRSTR(name, "ECDSA")) - haveECDSAsig = 1; - else if (XSTRSTR(name, "ADH")) - haveAnon = 1; - else if ((haveRSAsig == 0) && (XSTRSTR(name, "PSK") == NULL)) - haveRSAsig = 1; - - ret = 1; /* found at least one */ - break; - } - } - } - while (next++); /* ++ needed to skip ':' */ - - if (ret) { - suites->setSuites = 1; - suites->suiteSz = (word16)idx; - InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig, haveAnon); - } - - (void)ctx; - - return ret; -} - -#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS) -static void PickHashSigAlgo(WOLFSSL* ssl, - const byte* hashSigAlgo, word32 hashSigAlgoSz) -{ - word32 i; - - ssl->suites->sigAlgo = ssl->specs.sig_algo; - - /* set defaults */ - if (IsAtLeastTLSv1_2(ssl)) { - #ifdef WOLFSSL_ALLOW_TLS_SHA1 - ssl->suites->hashAlgo = sha_mac; - #else - ssl->suites->hashAlgo = sha256_mac; - #endif - } - else { - ssl->suites->hashAlgo = sha_mac; - } - - /* i+1 since peek a byte ahead for type */ - for (i = 0; (i+1) < hashSigAlgoSz; i += HELLO_EXT_SIGALGO_SZ) { - if (hashSigAlgo[i+1] == ssl->specs.sig_algo) { - if (hashSigAlgo[i] == sha_mac) { - break; - } - #ifndef NO_SHA256 - else if (hashSigAlgo[i] == sha256_mac) { - ssl->suites->hashAlgo = sha256_mac; - break; - } - #endif - #ifdef WOLFSSL_SHA384 - else if (hashSigAlgo[i] == sha384_mac) { - ssl->suites->hashAlgo = sha384_mac; - break; - } - #endif - #ifdef WOLFSSL_SHA512 - else if (hashSigAlgo[i] == sha512_mac) { - ssl->suites->hashAlgo = sha512_mac; - break; - } - #endif - } - } -} -#endif /* !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS) */ - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - - /* Initialisze HandShakeInfo */ - void InitHandShakeInfo(HandShakeInfo* info, WOLFSSL* ssl) - { - int i; - - info->ssl = ssl; - info->cipherName[0] = 0; - for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++) - info->packetNames[i][0] = 0; - info->numberPackets = 0; - info->negotiationError = 0; - } - - /* Set Final HandShakeInfo parameters */ - void FinishHandShakeInfo(HandShakeInfo* info) - { - int i; - int sz = sizeof(cipher_name_idx)/sizeof(int); - - for (i = 0; i < sz; i++) - if (info->ssl->options.cipherSuite == (byte)cipher_name_idx[i]) { - if (info->ssl->options.cipherSuite0 == ECC_BYTE) - continue; /* ECC suites at end */ - XSTRNCPY(info->cipherName, cipher_names[i], MAX_CIPHERNAME_SZ); - break; - } - - /* error max and min are negative numbers */ - if (info->ssl->error <= MIN_PARAM_ERR && info->ssl->error >= MAX_PARAM_ERR) - info->negotiationError = info->ssl->error; - } - - - /* Add name to info packet names, increase packet name count */ - void AddPacketName(WOLFSSL* ssl, const char* name) - { - #ifdef WOLFSSL_CALLBACKS - HandShakeInfo* info = &ssl->handShakeInfo; - if (info->numberPackets < MAX_PACKETS_HANDSHAKE) { - XSTRNCPY(info->packetNames[info->numberPackets++], name, - MAX_PACKETNAME_SZ); - } - #endif - (void)ssl; - (void)name; - } - - - #ifdef WOLFSSL_CALLBACKS - /* Initialisze TimeoutInfo */ - void InitTimeoutInfo(TimeoutInfo* info) - { - int i; - - info->timeoutName[0] = 0; - info->flags = 0; - - for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++) { - info->packets[i].packetName[0] = 0; - info->packets[i].timestamp.tv_sec = 0; - info->packets[i].timestamp.tv_usec = 0; - info->packets[i].bufferValue = 0; - info->packets[i].valueSz = 0; - } - info->numberPackets = 0; - info->timeoutValue.tv_sec = 0; - info->timeoutValue.tv_usec = 0; - } - - - /* Free TimeoutInfo */ - void FreeTimeoutInfo(TimeoutInfo* info, void* heap) - { - int i; - (void)heap; - for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++) - if (info->packets[i].bufferValue) { - XFREE(info->packets[i].bufferValue, heap, DYNAMIC_TYPE_INFO); - info->packets[i].bufferValue = 0; - } - - } - - /* Add packet name to previsouly added packet info */ - void AddLateName(const char* name, TimeoutInfo* info) - { - /* make sure we have a valid previous one */ - if (info->numberPackets > 0 && info->numberPackets < - MAX_PACKETS_HANDSHAKE) { - XSTRNCPY(info->packets[info->numberPackets - 1].packetName, name, - MAX_PACKETNAME_SZ); - } - } - - /* Add record header to previsouly added packet info */ - void AddLateRecordHeader(const RecordLayerHeader* rl, TimeoutInfo* info) - { - /* make sure we have a valid previous one */ - if (info->numberPackets > 0 && info->numberPackets < - MAX_PACKETS_HANDSHAKE) { - if (info->packets[info->numberPackets - 1].bufferValue) - XMEMCPY(info->packets[info->numberPackets - 1].bufferValue, rl, - RECORD_HEADER_SZ); - else - XMEMCPY(info->packets[info->numberPackets - 1].value, rl, - RECORD_HEADER_SZ); - } - } - - #endif /* WOLFSSL_CALLBACKS */ - - - /* Add PacketInfo to TimeoutInfo - * - * ssl WOLFSSL structure sending or receiving packet - * name name of packet being sent - * type type of packet being sent - * data data bing sent with packet - * sz size of data buffer - * written 1 if this packet is being written to wire, 0 if being read - * heap custom heap to use for mallocs/frees - */ - void AddPacketInfo(WOLFSSL* ssl, const char* name, int type, - const byte* data, int sz, int written, void* heap) - { - #ifdef WOLFSSL_CALLBACKS - TimeoutInfo* info = &ssl->timeoutInfo; - - if (info->numberPackets < (MAX_PACKETS_HANDSHAKE - 1)) { - Timeval currTime; - - /* may add name after */ - if (name) - XSTRNCPY(info->packets[info->numberPackets].packetName, name, - MAX_PACKETNAME_SZ); - - /* add data, put in buffer if bigger than static buffer */ - info->packets[info->numberPackets].valueSz = sz; - if (sz < MAX_VALUE_SZ) - XMEMCPY(info->packets[info->numberPackets].value, data, sz); - else { - info->packets[info->numberPackets].bufferValue = - (byte*)XMALLOC(sz, heap, DYNAMIC_TYPE_INFO); - if (!info->packets[info->numberPackets].bufferValue) - /* let next alloc catch, just don't fill, not fatal here */ - info->packets[info->numberPackets].valueSz = 0; - else - XMEMCPY(info->packets[info->numberPackets].bufferValue, - data, sz); - } - gettimeofday(&currTime, 0); - info->packets[info->numberPackets].timestamp.tv_sec = - currTime.tv_sec; - info->packets[info->numberPackets].timestamp.tv_usec = - currTime.tv_usec; - info->numberPackets++; - } - #endif /* WOLFSSL_CALLBACKS */ - #ifdef OPENSSL_EXTRA - if (ssl->protoMsgCb != NULL && sz > RECORD_HEADER_SZ) { - /* version from hex to dec 16 is 16^1, 256 from 16^2 and - 4096 from 16^3 */ - int version = (ssl->version.minor & 0X0F) + - (ssl->version.minor & 0xF0) * 16 + - (ssl->version.major & 0X0F) * 256 + - (ssl->version.major & 0xF0) * 4096; - - ssl->protoMsgCb(written, version, type, - (const void *)(data + RECORD_HEADER_SZ), - (size_t)(sz - RECORD_HEADER_SZ), - ssl, ssl->protoMsgCtx); - } - #endif /* OPENSSL_EXTRA */ - (void)written; - (void)name; - (void)heap; - (void)type; - (void)ssl; - } - -#endif /* WOLFSSL_CALLBACKS */ - - - -/* client only parts */ -#ifndef NO_WOLFSSL_CLIENT - - int SendClientHello(WOLFSSL* ssl) - { - byte *output; - word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - int sendSz; - int idSz = ssl->options.resuming - ? ssl->session.sessionIDSz - : 0; - int ret; - word16 extSz = 0; - - if (ssl->suites == NULL) { - WOLFSSL_MSG("Bad suites pointer in SendClientHello"); - return SUITES_ERROR; - } - -#ifdef HAVE_SESSION_TICKET - if (ssl->options.resuming && ssl->session.ticketLen > 0) { - SessionTicket* ticket; - - ticket = TLSX_SessionTicket_Create(0, ssl->session.ticket, - ssl->session.ticketLen, ssl->heap); - if (ticket == NULL) return MEMORY_E; - - ret = TLSX_UseSessionTicket(&ssl->extensions, ticket, ssl->heap); - if (ret != SSL_SUCCESS) return ret; - - idSz = 0; - } -#endif - length = VERSION_SZ + RAN_LEN - + idSz + ENUM_LEN - + ssl->suites->suiteSz + SUITE_LEN - + COMP_LEN + ENUM_LEN; - -#ifdef HAVE_TLS_EXTENSIONS - /* auto populate extensions supported unless user defined */ - if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0) - return ret; - #ifdef HAVE_QSH - if (QSH_Init(ssl) != 0) - return MEMORY_E; - #endif - extSz = TLSX_GetRequestSize(ssl); - if (extSz != 0) - length += extSz; -#else - if (IsAtLeastTLSv1_2(ssl) && ssl->suites->hashSigAlgoSz) - extSz += HELLO_EXT_SZ + HELLO_EXT_SIGALGO_SZ - + ssl->suites->hashSigAlgoSz; -#ifdef HAVE_EXTENDED_MASTER - if (ssl->options.haveEMS) - extSz += HELLO_EXT_SZ; -#endif - if (extSz != 0) - length += extSz + HELLO_EXT_SZ_SZ; -#endif - sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - length += ENUM_LEN; /* cookie */ - if (ssl->arrays->cookieSz != 0) length += ssl->arrays->cookieSz; - sendSz = length + DTLS_HANDSHAKE_HEADER_SZ + DTLS_RECORD_HEADER_SZ; - idx += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA; - } -#endif - - if (IsEncryptionOn(ssl, 1)) - sendSz += MAX_MSG_EXTRA; - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(output, length, client_hello, ssl); - - /* client hello, first version */ - output[idx++] = ssl->version.major; - output[idx++] = ssl->version.minor; - ssl->chVersion = ssl->version; /* store in case changed */ - - /* then random */ - if (ssl->options.connectState == CONNECT_BEGIN) { - ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN); - if (ret != 0) - return ret; - - /* store random */ - XMEMCPY(ssl->arrays->clientRandom, output + idx, RAN_LEN); - } else { -#ifdef WOLFSSL_DTLS - /* send same random on hello again */ - XMEMCPY(output + idx, ssl->arrays->clientRandom, RAN_LEN); -#endif - } - idx += RAN_LEN; - - /* then session id */ - output[idx++] = (byte)idSz; - if (idSz) { - XMEMCPY(output + idx, ssl->session.sessionID, - ssl->session.sessionIDSz); - idx += ssl->session.sessionIDSz; - } - - /* then DTLS cookie */ -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - byte cookieSz = ssl->arrays->cookieSz; - - output[idx++] = cookieSz; - if (cookieSz) { - XMEMCPY(&output[idx], ssl->arrays->cookie, cookieSz); - idx += cookieSz; - } - } -#endif - /* then cipher suites */ - c16toa(ssl->suites->suiteSz, output + idx); - idx += OPAQUE16_LEN; - XMEMCPY(output + idx, &ssl->suites->suites, ssl->suites->suiteSz); - idx += ssl->suites->suiteSz; - - /* last, compression */ - output[idx++] = COMP_LEN; - if (ssl->options.usingCompression) - output[idx++] = ZLIB_COMPRESSION; - else - output[idx++] = NO_COMPRESSION; - -#ifdef HAVE_TLS_EXTENSIONS - idx += TLSX_WriteRequest(ssl, output + idx); - - (void)idx; /* suppress analyzer warning, keep idx current */ -#else - if (extSz != 0) { - c16toa(extSz, output + idx); - idx += HELLO_EXT_SZ_SZ; - - if (IsAtLeastTLSv1_2(ssl)) { - if (ssl->suites->hashSigAlgoSz) { - int i; - /* extension type */ - c16toa(HELLO_EXT_SIG_ALGO, output + idx); - idx += HELLO_EXT_TYPE_SZ; - /* extension data length */ - c16toa(HELLO_EXT_SIGALGO_SZ + ssl->suites->hashSigAlgoSz, - output + idx); - idx += HELLO_EXT_SZ_SZ; - /* sig algos length */ - c16toa(ssl->suites->hashSigAlgoSz, output + idx); - idx += HELLO_EXT_SIGALGO_SZ; - for (i = 0; i < ssl->suites->hashSigAlgoSz; i++, idx++) { - output[idx] = ssl->suites->hashSigAlgo[i]; - } - } - } -#ifdef HAVE_EXTENDED_MASTER - if (ssl->options.haveEMS) { - c16toa(HELLO_EXT_EXTMS, output + idx); - idx += HELLO_EXT_TYPE_SZ; - c16toa(0, output + idx); - idx += HELLO_EXT_SZ_SZ; - } -#endif - } -#endif - - if (IsEncryptionOn(ssl, 1)) { - byte* input; - int inputSz = idx - RECORD_HEADER_SZ; /* build msg adds rec hdr */ - - input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (input == NULL) - return MEMORY_E; - - XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); - sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, - handshake, 1, 0, 0); - XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - - if (sendSz < 0) - return sendSz; - } else { - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - ret = HashOutput(ssl, output, sendSz, 0); - if (ret != 0) - return ret; - } - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) - return ret; - } - #endif - - ssl->options.clientState = CLIENT_HELLO_COMPLETE; - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "ClientHello", handshake, output, sendSz, - WRITE_PROTO, ssl->heap); -#endif - - ssl->buffers.outputBuffer.length += sendSz; - - return SendBuffered(ssl); - } - - - static int DoHelloVerifyRequest(WOLFSSL* ssl, const byte* input, - word32* inOutIdx, word32 size) - { - ProtocolVersion pv; - byte cookieSz; - word32 begin = *inOutIdx; - -#ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) AddPacketName(ssl, "HelloVerifyRequest"); - if (ssl->toInfoOn) AddLateName("HelloVerifyRequest", &ssl->timeoutInfo); -#endif - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - DtlsMsgPoolReset(ssl); - } -#endif - - if ((*inOutIdx - begin) + OPAQUE16_LEN + OPAQUE8_LEN > size) - return BUFFER_ERROR; - - XMEMCPY(&pv, input + *inOutIdx, OPAQUE16_LEN); - *inOutIdx += OPAQUE16_LEN; - - if (pv.major != DTLS_MAJOR || - (pv.minor != DTLS_MINOR && pv.minor != DTLSv1_2_MINOR)) - return VERSION_ERROR; - - cookieSz = input[(*inOutIdx)++]; - - if (cookieSz) { - if ((*inOutIdx - begin) + cookieSz > size) - return BUFFER_ERROR; - -#ifdef WOLFSSL_DTLS - if (cookieSz <= MAX_COOKIE_LEN) { - XMEMCPY(ssl->arrays->cookie, input + *inOutIdx, cookieSz); - ssl->arrays->cookieSz = cookieSz; - } -#endif - *inOutIdx += cookieSz; - } - - ssl->options.serverState = SERVER_HELLOVERIFYREQUEST_COMPLETE; - return 0; - } - - - static INLINE int DSH_CheckSessionId(WOLFSSL* ssl) - { - int ret = 0; - -#ifdef HAVE_SECRET_CALLBACK - /* If a session secret callback exists, we are using that - * key instead of the saved session key. */ - ret = ret || (ssl->sessionSecretCb != NULL); -#endif - -#ifdef HAVE_SESSION_TICKET - /* server may send blank ticket which may not be expected to indicate - * existing one ok but will also be sending a new one */ - ret = ret || (ssl->session.ticketLen > 0); -#endif - - ret = ret || - (ssl->options.haveSessionId && XMEMCMP(ssl->arrays->sessionID, - ssl->session.sessionID, ID_LEN) == 0); - - return ret; - } - - static int DoServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - word32 helloSz) - { - byte cs0; /* cipher suite bytes 0, 1 */ - byte cs1; - ProtocolVersion pv; - byte compression; - word32 i = *inOutIdx; - word32 begin = i; - -#ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) AddPacketName(ssl, "ServerHello"); - if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo); -#endif - - #ifdef OPENSSL_EXTRA - if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_HANDSHAKE_START, SSL_SUCCESS); - } - #endif - - /* protocol version, random and session id length check */ - if (OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz) - return BUFFER_ERROR; - - /* protocol version */ - XMEMCPY(&pv, input + i, OPAQUE16_LEN); - i += OPAQUE16_LEN; - - if (pv.minor > ssl->version.minor) { - WOLFSSL_MSG("Server using higher version, fatal error"); - return VERSION_ERROR; - } - else if (pv.minor < ssl->version.minor) { - WOLFSSL_MSG("server using lower version"); - - if (!ssl->options.downgrade) { - WOLFSSL_MSG("\tno downgrade allowed, fatal error"); - return VERSION_ERROR; - } - if (pv.minor < ssl->options.minDowngrade) { - WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); - return VERSION_ERROR; - } - - #ifdef HAVE_SECURE_RENEGOTIATION - if (ssl->secure_renegotiation && - ssl->secure_renegotiation->enabled && - ssl->options.handShakeDone) { - WOLFSSL_MSG("Server changed version during scr"); - return VERSION_ERROR; - } - #endif - - if (pv.minor == SSLv3_MINOR) { - /* turn off tls */ - WOLFSSL_MSG("\tdowngrading to SSLv3"); - ssl->options.tls = 0; - ssl->options.tls1_1 = 0; - ssl->version.minor = SSLv3_MINOR; - } - else if (pv.minor == TLSv1_MINOR) { - /* turn off tls 1.1+ */ - WOLFSSL_MSG("\tdowngrading to TLSv1"); - ssl->options.tls1_1 = 0; - ssl->version.minor = TLSv1_MINOR; - } - else if (pv.minor == TLSv1_1_MINOR) { - WOLFSSL_MSG("\tdowngrading to TLSv1.1"); - ssl->version.minor = TLSv1_1_MINOR; - } - } - - /* random */ - XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN); - i += RAN_LEN; - - /* session id */ - ssl->arrays->sessionIDSz = input[i++]; - - if (ssl->arrays->sessionIDSz > ID_LEN) { - WOLFSSL_MSG("Invalid session ID size"); - ssl->arrays->sessionIDSz = 0; - return BUFFER_ERROR; - } - else if (ssl->arrays->sessionIDSz) { - if ((i - begin) + ssl->arrays->sessionIDSz > helloSz) - return BUFFER_ERROR; - - XMEMCPY(ssl->arrays->sessionID, input + i, - ssl->arrays->sessionIDSz); - i += ssl->arrays->sessionIDSz; - ssl->options.haveSessionId = 1; - } - - - /* suite and compression */ - if ((i - begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz) - return BUFFER_ERROR; - - cs0 = input[i++]; - cs1 = input[i++]; - -#ifdef HAVE_SECURE_RENEGOTIATION - if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled && - ssl->options.handShakeDone) { - if (ssl->options.cipherSuite0 != cs0 || - ssl->options.cipherSuite != cs1) { - WOLFSSL_MSG("Server changed cipher suite during scr"); - return MATCH_SUITE_ERROR; - } - } -#endif - - ssl->options.cipherSuite0 = cs0; - ssl->options.cipherSuite = cs1; - compression = input[i++]; - - if (compression != NO_COMPRESSION && !ssl->options.usingCompression) { - WOLFSSL_MSG("Server forcing compression w/o support"); - return COMPRESSION_ERROR; - } - - if (compression != ZLIB_COMPRESSION && ssl->options.usingCompression) { - WOLFSSL_MSG("Server refused compression, turning off"); - ssl->options.usingCompression = 0; /* turn off if server refused */ - } - - *inOutIdx = i; - -#ifdef HAVE_TLS_EXTENSIONS - if ( (i - begin) < helloSz) { - if (TLSX_SupportExtensions(ssl)) { - int ret = 0; - word16 totalExtSz; - - if ((i - begin) + OPAQUE16_LEN > helloSz) - return BUFFER_ERROR; - - ato16(&input[i], &totalExtSz); - i += OPAQUE16_LEN; - - if ((i - begin) + totalExtSz > helloSz) - return BUFFER_ERROR; - - if ((ret = TLSX_Parse(ssl, (byte *) input + i, - totalExtSz, 0, NULL))) - return ret; - - i += totalExtSz; - *inOutIdx = i; - } - else - *inOutIdx = begin + helloSz; /* skip extensions */ - } - else - ssl->options.haveEMS = 0; /* If no extensions, no EMS */ -#else - { - int allowExt = 0; - byte pendingEMS = 0; - - if ( (i - begin) < helloSz) { - if (ssl->version.major == SSLv3_MAJOR && - ssl->version.minor >= TLSv1_MINOR) { - - allowExt = 1; - } -#ifdef WOLFSSL_DTLS - if (ssl->version.major == DTLS_MAJOR) - allowExt = 1; -#endif - - if (allowExt) { - word16 totalExtSz; - - if ((i - begin) + OPAQUE16_LEN > helloSz) - return BUFFER_ERROR; - - ato16(&input[i], &totalExtSz); - i += OPAQUE16_LEN; - - if ((i - begin) + totalExtSz > helloSz) - return BUFFER_ERROR; - - while (totalExtSz) { - word16 extId, extSz; - - if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz) - return BUFFER_ERROR; - - ato16(&input[i], &extId); - i += OPAQUE16_LEN; - ato16(&input[i], &extSz); - i += OPAQUE16_LEN; - - if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz) - return BUFFER_ERROR; - - if (extId == HELLO_EXT_EXTMS) - pendingEMS = 1; - else - i += extSz; - - totalExtSz -= OPAQUE16_LEN + OPAQUE16_LEN + extSz; - } - - *inOutIdx = i; - } - else - *inOutIdx = begin + helloSz; /* skip extensions */ - } - - if (!pendingEMS && ssl->options.haveEMS) - ssl->options.haveEMS = 0; - } -#endif - - ssl->options.serverState = SERVER_HELLO_COMPLETE; - - if (IsEncryptionOn(ssl, 0)) { - *inOutIdx += ssl->keys.padSz; - } - -#ifdef HAVE_SECRET_CALLBACK - if (ssl->sessionSecretCb != NULL) { - int secretSz = SECRET_LEN, ret; - ret = ssl->sessionSecretCb(ssl, ssl->session.masterSecret, - &secretSz, ssl->sessionSecretCtx); - if (ret != 0 || secretSz != SECRET_LEN) - return SESSION_SECRET_CB_E; - } -#endif /* HAVE_SECRET_CALLBACK */ - - if (ssl->options.resuming) { - if (DSH_CheckSessionId(ssl)) { - if (SetCipherSpecs(ssl) == 0) { - int ret = -1; - - XMEMCPY(ssl->arrays->masterSecret, - ssl->session.masterSecret, SECRET_LEN); - #ifdef NO_OLD_TLS - ret = DeriveTlsKeys(ssl); - #else - #ifndef NO_TLS - if (ssl->options.tls) - ret = DeriveTlsKeys(ssl); - #endif - if (!ssl->options.tls) - ret = DeriveKeys(ssl); - #endif - ssl->options.serverState = SERVER_HELLODONE_COMPLETE; - - return ret; - } - else { - WOLFSSL_MSG("Unsupported cipher suite, DoServerHello"); - return UNSUPPORTED_SUITE; - } - } - else { - WOLFSSL_MSG("Server denied resumption attempt"); - ssl->options.resuming = 0; /* server denied resumption try */ - } - } - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - DtlsMsgPoolReset(ssl); - } - #endif - - return SetCipherSpecs(ssl); - } - - - /* Make sure client setup is valid for this suite, true on success */ - int VerifyClientSuite(WOLFSSL* ssl) - { - int havePSK = 0; - byte first = ssl->options.cipherSuite0; - byte second = ssl->options.cipherSuite; - - WOLFSSL_ENTER("VerifyClientSuite"); - - #ifndef NO_PSK - havePSK = ssl->options.havePSK; - #endif - - if (CipherRequires(first, second, REQUIRES_PSK)) { - WOLFSSL_MSG("Requires PSK"); - if (havePSK == 0) { - WOLFSSL_MSG("Don't have PSK"); - return 0; - } - } - - return 1; /* success */ - } - - -#ifndef NO_CERTS - /* just read in and ignore for now TODO: */ - static int DoCertificateRequest(WOLFSSL* ssl, const byte* input, word32* - inOutIdx, word32 size) - { - word16 len; - word32 begin = *inOutIdx; - - #ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) - AddPacketName(ssl, "CertificateRequest"); - if (ssl->toInfoOn) - AddLateName("CertificateRequest", &ssl->timeoutInfo); - #endif - - if ((*inOutIdx - begin) + OPAQUE8_LEN > size) - return BUFFER_ERROR; - - len = input[(*inOutIdx)++]; - - if ((*inOutIdx - begin) + len > size) - return BUFFER_ERROR; - - /* types, read in here */ - *inOutIdx += len; - - /* signature and hash signature algorithm */ - if (IsAtLeastTLSv1_2(ssl)) { - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) - return BUFFER_ERROR; - - ato16(input + *inOutIdx, &len); - *inOutIdx += OPAQUE16_LEN; - - if ((*inOutIdx - begin) + len > size) - return BUFFER_ERROR; - - PickHashSigAlgo(ssl, input + *inOutIdx, len); - *inOutIdx += len; - } - - /* authorities */ - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) - return BUFFER_ERROR; - - ato16(input + *inOutIdx, &len); - *inOutIdx += OPAQUE16_LEN; - - if ((*inOutIdx - begin) + len > size) - return BUFFER_ERROR; - - while (len) { - word16 dnSz; - - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) - return BUFFER_ERROR; - - ato16(input + *inOutIdx, &dnSz); - *inOutIdx += OPAQUE16_LEN; - - if ((*inOutIdx - begin) + dnSz > size) - return BUFFER_ERROR; - - *inOutIdx += dnSz; - len -= OPAQUE16_LEN + dnSz; - } - - /* don't send client cert or cert verify if user hasn't provided - cert and private key */ - if (ssl->buffers.certificate && ssl->buffers.certificate->buffer && - ssl->buffers.key && ssl->buffers.key->buffer) - ssl->options.sendVerify = SEND_CERT; - else if (IsTLS(ssl)) - ssl->options.sendVerify = SEND_BLANK_CERT; - - if (IsEncryptionOn(ssl, 0)) - *inOutIdx += ssl->keys.padSz; - - return 0; - } -#endif /* !NO_CERTS */ - - -#ifdef HAVE_ECC - - static int CheckCurveId(int tlsCurveId) - { - int ret = ECC_CURVE_ERROR; - - switch (tlsCurveId) { - #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP160R1: return ECC_SECP160R1_OID; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_SECPR2 - case WOLFSSL_ECC_SECP160R2: return ECC_SECP160R2_OID; - #endif /* HAVE_ECC_SECPR2 */ - #ifdef HAVE_ECC_KOBLITZ - case WOLFSSL_ECC_SECP160K1: return ECC_SECP160K1_OID; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP192R1: return ECC_SECP192R1_OID; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case WOLFSSL_ECC_SECP192K1: return ECC_SECP192K1_OID; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP224R1: return ECC_SECP224R1_OID; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case WOLFSSL_ECC_SECP224K1: return ECC_SECP224K1_OID; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP256R1: return ECC_SECP256R1_OID; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case WOLFSSL_ECC_SECP256K1: return ECC_SECP256K1_OID; - #endif /* HAVE_ECC_KOBLITZ */ - #ifdef HAVE_ECC_BRAINPOOL - case WOLFSSL_ECC_BRAINPOOLP256R1: return ECC_BRAINPOOLP256R1_OID; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP384R1: return ECC_SECP384R1_OID; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_BRAINPOOL - case WOLFSSL_ECC_BRAINPOOLP384R1: return ECC_BRAINPOOLP384R1_OID; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES) - #ifdef HAVE_ECC_BRAINPOOL - case WOLFSSL_ECC_BRAINPOOLP512R1: return ECC_BRAINPOOLP512R1_OID; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP521R1: return ECC_SECP521R1_OID; - #endif /* !NO_ECC_SECP */ - #endif - } - - return ret; - } - -#endif /* HAVE_ECC */ - - -/* Persistable DoServerKeyExchange arguments */ -typedef struct DskeArgs { - byte* output; /* not allocated */ -#if !defined(NO_DH) || defined(HAVE_ECC) - byte* verifySig; -#endif - word32 idx; - word32 begin; -#ifndef NO_RSA - int typeH; -#endif -#if !defined(NO_DH) || defined(HAVE_ECC) - word16 verifySigSz; -#endif - word16 sigSz; - byte sigAlgo; -} DskeArgs; - -static void FreeDskeArgs(WOLFSSL* ssl, void* pArgs) -{ - DskeArgs* args = (DskeArgs*)pArgs; - - (void)ssl; - (void)args; - -#if !defined(NO_DH) || defined(HAVE_ECC) - if (args->verifySig) { - XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->verifySig = NULL; - } -#endif -} - -static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input, - word32* inOutIdx, word32 size) -{ - int ret = 0; -#ifdef WOLFSSL_ASYNC_CRYPT - DskeArgs* args = (DskeArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); -#else - DskeArgs args[1]; -#endif - - WOLFSSL_ENTER("DoServerKeyExchange"); - -#ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_dske; - } - else -#endif - { - /* Reset state */ - ret = 0; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - XMEMSET(args, 0, sizeof(DskeArgs)); - args->idx = *inOutIdx; - args->begin = *inOutIdx; - args->sigAlgo = ssl->specs.sig_algo; - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeDskeArgs; - #endif - } - - switch(ssl->options.asyncState) - { - case TLS_ASYNC_BEGIN: - { - #ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) - AddPacketName(ssl, "ServerKeyExchange"); - if (ssl->toInfoOn) - AddLateName("ServerKeyExchange", &ssl->timeoutInfo); - #endif - - switch(ssl->specs.kea) - { - #ifndef NO_PSK - case psk_kea: - { - int srvHintLen; - word16 length; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - /* get PSK server hint from the wire */ - srvHintLen = min(length, MAX_PSK_ID_LEN - 1); - XMEMCPY(ssl->arrays->server_hint, input + args->idx, - srvHintLen); - ssl->arrays->server_hint[srvHintLen] = 0; - args->idx += length; - break; - } - #endif /* !NO_PSK */ - #ifndef NO_DH - case diffie_hellman_kea: - { - word16 length; - - /* p */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - if (length < ssl->options.minDhKeySz) { - WOLFSSL_MSG("Server using a DH key that is too small"); - SendAlert(ssl, alert_fatal, handshake_failure); - ERROR_OUT(DH_KEY_SIZE_E, exit_dske); - } - - ssl->buffers.serverDH_P.buffer = - (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_P.buffer) { - ssl->buffers.serverDH_P.length = length; - } - else { - ERROR_OUT(MEMORY_ERROR, exit_dske); - } - - XMEMCPY(ssl->buffers.serverDH_P.buffer, input + args->idx, - length); - args->idx += length; - - ssl->options.dhKeySz = length; - - /* g */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ssl->buffers.serverDH_G.buffer = - (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_G.buffer) { - ssl->buffers.serverDH_G.length = length; - } - else { - ERROR_OUT(MEMORY_ERROR, exit_dske); - } - - XMEMCPY(ssl->buffers.serverDH_G.buffer, input + args->idx, - length); - args->idx += length; - - /* pub */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ssl->buffers.serverDH_Pub.buffer = - (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_Pub.buffer) { - ssl->buffers.serverDH_Pub.length = length; - } - else { - ERROR_OUT(MEMORY_ERROR, exit_dske); - } - - XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + args->idx, - length); - args->idx += length; - break; - } - #endif /* !NO_DH */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - byte b; - int curveId, curveOid; - word16 length; - - if ((args->idx - args->begin) + ENUM_LEN + OPAQUE16_LEN + - OPAQUE8_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - b = input[args->idx++]; - if (b != named_curve) { - ERROR_OUT(ECC_CURVETYPE_ERROR, exit_dske); - } - - args->idx += 1; /* curve type, eat leading 0 */ - b = input[args->idx++]; - if ((curveOid = CheckCurveId(b)) < 0) { - ERROR_OUT(ECC_CURVE_ERROR, exit_dske); - } - ssl->ecdhCurveOID = curveOid; - - length = input[args->idx++]; - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - if (ssl->peerEccKey == NULL) { - /* alloc/init on demand */ - ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key), - ssl->heap, DYNAMIC_TYPE_ECC); - if (ssl->peerEccKey == NULL) { - WOLFSSL_MSG("PeerEccKey Memory error"); - ERROR_OUT(MEMORY_E, exit_dske); - } - ret = wc_ecc_init_ex(ssl->peerEccKey, ssl->heap, - ssl->devId); - if (ret != 0) { - goto exit_dske; - } - } else if (ssl->peerEccKeyPresent) { /* don't leak on reuse */ - wc_ecc_free(ssl->peerEccKey); - ssl->peerEccKeyPresent = 0; - ret = wc_ecc_init_ex(ssl->peerEccKey, ssl->heap, ssl->devId); - if (ret != 0) { - goto exit_dske; - } - } - - curveId = wc_ecc_get_oid(curveOid, NULL, NULL); - if (wc_ecc_import_x963_ex(input + args->idx, length, - ssl->peerEccKey, curveId) != 0) { - ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske); - } - - args->idx += length; - ssl->peerEccKeyPresent = 1; - break; - } - #endif /* HAVE_ECC */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - int srvHintLen; - word16 length; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - /* get PSK server hint from the wire */ - srvHintLen = min(length, MAX_PSK_ID_LEN - 1); - XMEMCPY(ssl->arrays->server_hint, input + args->idx, - srvHintLen); - ssl->arrays->server_hint[srvHintLen] = 0; - args->idx += length; - - /* p */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - if (length < ssl->options.minDhKeySz) { - WOLFSSL_MSG("Server using a DH key that is too small"); - SendAlert(ssl, alert_fatal, handshake_failure); - ERROR_OUT(DH_KEY_SIZE_E, exit_dske); - } - - ssl->buffers.serverDH_P.buffer = (byte*)XMALLOC(length, - ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_P.buffer) { - ssl->buffers.serverDH_P.length = length; - } - else { - ERROR_OUT(MEMORY_ERROR, exit_dske); - } - - XMEMCPY(ssl->buffers.serverDH_P.buffer, input + args->idx, - length); - args->idx += length; - - ssl->options.dhKeySz = length; - - /* g */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ssl->buffers.serverDH_G.buffer = (byte*)XMALLOC(length, - ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_G.buffer) { - ssl->buffers.serverDH_G.length = length; - } - else { - ERROR_OUT(MEMORY_ERROR, exit_dske); - } - - XMEMCPY(ssl->buffers.serverDH_G.buffer, input + args->idx, - length); - args->idx += length; - - /* pub */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC(length, - ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_Pub.buffer) { - ssl->buffers.serverDH_Pub.length = length; - } - else { - ERROR_OUT(MEMORY_ERROR, exit_dske); - } - - XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + args->idx, - length); - args->idx += length; - break; - } - #endif /* !NO_DH || !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - byte b; - int curveOid, curveId; - int srvHintLen; - word16 length; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - /* get PSK server hint from the wire */ - srvHintLen = min(length, MAX_PSK_ID_LEN - 1); - XMEMCPY(ssl->arrays->server_hint, input + args->idx, srvHintLen); - ssl->arrays->server_hint[srvHintLen] = 0; - - args->idx += length; - - if ((args->idx - args->begin) + ENUM_LEN + OPAQUE16_LEN + - OPAQUE8_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - /* Check curve name and ID */ - b = input[args->idx++]; - if (b != named_curve) { - ERROR_OUT(ECC_CURVETYPE_ERROR, exit_dske); - } - - args->idx += 1; /* curve type, eat leading 0 */ - b = input[args->idx++]; - if ((curveOid = CheckCurveId(b)) < 0) { - ERROR_OUT(ECC_CURVE_ERROR, exit_dske); - } - - length = input[args->idx++]; - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - if (ssl->peerEccKey == NULL) { - /* alloc/init on demand */ - ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key), - ssl->heap, DYNAMIC_TYPE_ECC); - if (ssl->peerEccKey == NULL) { - WOLFSSL_MSG("PeerEccKey Memory error"); - ERROR_OUT(MEMORY_E, exit_dske); - } - ret = wc_ecc_init_ex(ssl->peerEccKey, ssl->heap, - ssl->devId); - if (ret != 0) { - goto exit_dske; - } - } else if (ssl->peerEccKeyPresent) { /* don't leak on reuse */ - wc_ecc_free(ssl->peerEccKey); - ssl->peerEccKeyPresent = 0; - ret = wc_ecc_init_ex(ssl->peerEccKey, ssl->heap, - ssl->devId); - if (ret != 0) { - goto exit_dske; - } - } - - curveId = wc_ecc_get_oid(curveOid, NULL, NULL); - if (wc_ecc_import_x963_ex(input + args->idx, length, - ssl->peerEccKey, curveId) != 0) { - ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske); - } - - args->idx += length; - ssl->peerEccKeyPresent = 1; - break; - } - #endif /* HAVE_ECC || !NO_PSK */ - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_BUILD; - } /* case TLS_ASYNC_BEGIN */ - - case TLS_ASYNC_BUILD: - { - switch(ssl->specs.kea) - { - case psk_kea: - case dhe_psk_kea: - case ecdhe_psk_kea: - { - /* Nothing to do in this sub-state */ - break; - } - - case diffie_hellman_kea: - case ecc_diffie_hellman_kea: - { - #if defined(NO_DH) && !defined(HAVE_ECC) - ERROR_OUT(NOT_COMPILED_IN, exit_dske); - #else - byte hashAlgo = sha_mac; - enum wc_HashType hashType = WC_HASH_TYPE_NONE; - word16 verifySz; - - if (ssl->options.usingAnon_cipher) { - break; - } - - verifySz = (word16)(args->idx - args->begin); - if (verifySz > MAX_DH_SZ) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - if (IsAtLeastTLSv1_2(ssl)) { - if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > - size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - hashAlgo = input[args->idx++]; - args->sigAlgo = input[args->idx++]; - - switch (hashAlgo) { - case sha512_mac: - #ifdef WOLFSSL_SHA512 - hashType = WC_HASH_TYPE_SHA512; - #endif - break; - case sha384_mac: - #ifdef WOLFSSL_SHA384 - hashType = WC_HASH_TYPE_SHA384; - #endif - break; - case sha256_mac: - #ifndef NO_SHA256 - hashType = WC_HASH_TYPE_SHA256; - #endif - break; - case sha_mac: - #if !defined(NO_SHA) && \ - (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) - hashType = WC_HASH_TYPE_SHA; - #endif - break; - default: - WOLFSSL_MSG("Bad hash sig algo"); - break; - } - - if (hashType == WC_HASH_TYPE_NONE) { - ERROR_OUT(ALGO_ID_E, exit_dske); - } - } else { - /* only using sha and md5 for rsa */ - #ifndef NO_OLD_TLS - hashType = WC_HASH_TYPE_SHA; - if (args->sigAlgo == rsa_sa_algo) { - hashType = WC_HASH_TYPE_MD5_SHA; - } - #else - ERROR_OUT(ALGO_ID_E, exit_dske); - #endif - } - #ifndef NO_RSA - args->typeH = wc_HashGetOID(hashType); - #endif - - /* signature */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &args->verifySigSz); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + args->verifySigSz > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - /* buffer for signature */ - ssl->buffers.sig.buffer = (byte*)XMALLOC(SEED_LEN + verifySz, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->buffers.sig.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_dske); - } - ssl->buffers.sig.length = SEED_LEN + verifySz; - - /* buffer for hash */ - ssl->buffers.digest.length = wc_HashGetDigestSize(hashType); - ssl->buffers.digest.buffer = (byte*)XMALLOC( - ssl->buffers.digest.length, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->buffers.digest.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_dske); - } - - /* build message to hash */ - XMEMCPY(ssl->buffers.sig.buffer, - ssl->arrays->clientRandom, RAN_LEN); - XMEMCPY(&ssl->buffers.sig.buffer[RAN_LEN], - ssl->arrays->serverRandom, RAN_LEN); - XMEMCPY(&ssl->buffers.sig.buffer[RAN_LEN * 2], - input + args->begin, verifySz); /* message */ - - /* Perform hash */ - ret = wc_Hash(hashType, - ssl->buffers.sig.buffer, ssl->buffers.sig.length, - ssl->buffers.digest.buffer, ssl->buffers.digest.length); - if (ret != 0) { - goto exit_dske; - } - - switch (args->sigAlgo) - { - #ifndef NO_RSA - case rsa_sa_algo: - { - if (ssl->peerRsaKey == NULL || - !ssl->peerRsaKeyPresent) { - ERROR_OUT(NO_PEER_KEY, exit_dske); - } - break; - } - #endif /* !NO_RSA */ - #ifdef HAVE_ECC - case ecc_dsa_sa_algo: - { - if (!ssl->peerEccDsaKeyPresent) { - ERROR_OUT(NO_PEER_KEY, exit_dske); - } - break; - } - #endif /* HAVE_ECC */ - - default: - ret = ALGO_ID_E; - } /* switch (args->sigAlgo) */ - - #endif /* NO_DH && !HAVE_ECC */ - break; - } - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_DO; - } /* case TLS_ASYNC_BUILD */ - - case TLS_ASYNC_DO: - { - switch(ssl->specs.kea) - { - case psk_kea: - case dhe_psk_kea: - case ecdhe_psk_kea: - { - /* Nothing to do in this sub-state */ - break; - } - - case diffie_hellman_kea: - case ecc_diffie_hellman_kea: - { - #if defined(NO_DH) && !defined(HAVE_ECC) - ERROR_OUT(NOT_COMPILED_IN, exit_dske); - #else - if (ssl->options.usingAnon_cipher) { - break; - } - - if (args->verifySig == NULL) { - args->verifySig = (byte*)XMALLOC(args->verifySigSz, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (args->verifySig == NULL) { - ERROR_OUT(MEMORY_E, exit_dske); - } - XMEMCPY(args->verifySig, input + args->idx, - args->verifySigSz); - } - - switch (args->sigAlgo) - { - #ifndef NO_RSA - case rsa_sa_algo: - { - ret = RsaVerify(ssl, - args->verifySig, args->verifySigSz, - &args->output, - ssl->peerRsaKey, - #ifdef HAVE_PK_CALLBACKS - ssl->buffers.peerRsaKey.buffer, - ssl->buffers.peerRsaKey.length, - ssl->RsaVerifyCtx - #else - NULL, 0, NULL - #endif - ); - - if (ret >= 0) { - args->sigSz = (word16)ret; - ret = 0; - } - break; - } - #endif /* !NO_RSA */ - #ifdef HAVE_ECC - case ecc_dsa_sa_algo: - { - ret = EccVerify(ssl, - args->verifySig, args->verifySigSz, - ssl->buffers.digest.buffer, - ssl->buffers.digest.length, - ssl->peerEccDsaKey, - #ifdef HAVE_PK_CALLBACKS - ssl->buffers.peerEccDsaKey.buffer, - ssl->buffers.peerEccDsaKey.length, - ssl->EccVerifyCtx - #else - NULL, 0, NULL - #endif - ); - - break; - } - #endif /* HAVE_ECC */ - - default: - ret = ALGO_ID_E; - } /* switch (sigAlgo) */ - #endif /* NO_DH && !HAVE_ECC */ - break; - } - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_VERIFY; - } /* case TLS_ASYNC_DO */ - - case TLS_ASYNC_VERIFY: - { - switch(ssl->specs.kea) - { - case psk_kea: - case dhe_psk_kea: - case ecdhe_psk_kea: - { - /* Nothing to do in this sub-state */ - break; - } - - case diffie_hellman_kea: - case ecc_diffie_hellman_kea: - { - #if defined(NO_DH) && !defined(HAVE_ECC) - ERROR_OUT(NOT_COMPILED_IN, exit_dske); - #else - if (ssl->options.usingAnon_cipher) { - break; - } - - /* increment index after verify is done */ - args->idx += args->verifySigSz; - - switch(args->sigAlgo) - { - #ifndef NO_RSA - case rsa_sa_algo: - { - if (IsAtLeastTLSv1_2(ssl)) { - #ifdef WOLFSSL_SMALL_STACK - byte* encodedSig = NULL; - #else - byte encodedSig[MAX_ENCODED_SIG_SZ]; - #endif - word32 encSigSz; - - #ifdef WOLFSSL_SMALL_STACK - encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (encodedSig == NULL) { - ERROR_OUT(MEMORY_E, exit_dske); - } - #endif - - encSigSz = wc_EncodeSignature(encodedSig, - ssl->buffers.digest.buffer, - ssl->buffers.digest.length, args->typeH); - if (encSigSz != args->sigSz || !args->output || - XMEMCMP(args->output, encodedSig, - min(encSigSz, MAX_ENCODED_SIG_SZ)) != 0) { - ret = VERIFY_SIGN_ERROR; - } - #ifdef WOLFSSL_SMALL_STACK - XFREE(encodedSig, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - if (ret != 0) { - goto exit_dske; - } - } - else if (args->sigSz != FINISHED_SZ || - !args->output || - XMEMCMP(args->output, - ssl->buffers.digest.buffer, - FINISHED_SZ) != 0) { - ERROR_OUT(VERIFY_SIGN_ERROR, exit_dske); - } - break; - } - #endif /* !NO_RSA */ - #ifdef HAVE_ECC - case ecc_dsa_sa_algo: - /* Nothing to do in this algo */ - break; - #endif /* HAVE_ECC */ - default: - ret = ALGO_ID_E; - } /* switch (sigAlgo) */ - #endif /* NO_DH && !HAVE_ECC */ - break; - } - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_FINALIZE; - } /* case TLS_ASYNC_VERIFY */ - - case TLS_ASYNC_FINALIZE: - { - if (IsEncryptionOn(ssl, 0)) { - args->idx += ssl->keys.padSz; - } - - /* QSH extensions */ - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent) { - word16 name; - int qshSz; - - /* extension name */ - ato16(input + args->idx, &name); - args->idx += OPAQUE16_LEN; - - if (name == TLSX_QUANTUM_SAFE_HYBRID) { - /* if qshSz is larger than 0 it is the length of - buffer used */ - if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + args->idx, - size, 0)) < 0) { - ERROR_OUT(qshSz, exit_dske); - } - args->idx += qshSz; - } - else { - /* unknown extension sent server ignored handshake */ - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - } - #endif - - /* Check for error */ - if (ret != 0) { - goto exit_dske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_END; - } /* case TLS_ASYNC_FINALIZE */ - - case TLS_ASYNC_END: - { - /* return index */ - *inOutIdx = args->idx; - - ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE; - break; - } - default: - ret = INPUT_CASE_ERROR; - } /* switch(ssl->options.asyncState) */ - -exit_dske: - - WOLFSSL_LEAVE("DoServerKeyExchange", ret); - -#ifdef WOLFSSL_ASYNC_CRYPT - /* Handle async operation */ - if (ret == WC_PENDING_E) { - /* Mark message as not recevied so it can process again */ - ssl->msgsReceived.got_server_key_exchange = 0; - - return ret; - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - /* Final cleanup */ - FreeDskeArgs(ssl, args); - FreeKeyExchange(ssl); - - return ret; -} - - -#ifdef HAVE_QSH - -#ifdef HAVE_NTRU -/* Encrypt a byte array using ntru - key a struct containing the public key to use - bufIn array to be encrypted - inSz size of bufIn array - bufOut cipher text out - outSz will be set to the new size of cipher text - */ -static int NtruSecretEncrypt(QSHKey* key, byte* bufIn, word32 inSz, - byte* bufOut, word16* outSz) -{ - int ret; - DRBG_HANDLE drbg; - - /* sanity checks on input arguments */ - if (key == NULL || bufIn == NULL || bufOut == NULL || outSz == NULL) - return BAD_FUNC_ARG; - - if (key->pub.buffer == NULL) - return BAD_FUNC_ARG; - - switch (key->name) { - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - break; - default: - WOLFSSL_MSG("Unknown QSH encryption key!"); - return -1; - } - - /* set up ntru drbg */ - ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); - if (ret != DRBG_OK) - return NTRU_DRBG_ERROR; - - /* encrypt the byte array */ - ret = ntru_crypto_ntru_encrypt(drbg, key->pub.length, key->pub.buffer, - inSz, bufIn, outSz, bufOut); - ntru_crypto_drbg_uninstantiate(drbg); - if (ret != NTRU_OK) - return NTRU_ENCRYPT_ERROR; - - return ret; -} - -/* Decrypt a byte array using ntru - key a struct containing the private key to use - bufIn array to be decrypted - inSz size of bufIn array - bufOut plain text out - outSz will be set to the new size of plain text - */ - -static int NtruSecretDecrypt(QSHKey* key, byte* bufIn, word32 inSz, - byte* bufOut, word16* outSz) -{ - int ret; - DRBG_HANDLE drbg; - - /* sanity checks on input arguments */ - if (key == NULL || bufIn == NULL || bufOut == NULL || outSz == NULL) - return BAD_FUNC_ARG; - - if (key->pri.buffer == NULL) - return BAD_FUNC_ARG; - - switch (key->name) { - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - break; - default: - WOLFSSL_MSG("Unknown QSH decryption key!"); - return -1; - } - - - /* set up drbg */ - ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); - if (ret != DRBG_OK) - return NTRU_DRBG_ERROR; - - /* decrypt cipher text */ - ret = ntru_crypto_ntru_decrypt(key->pri.length, key->pri.buffer, - inSz, bufIn, outSz, bufOut); - ntru_crypto_drbg_uninstantiate(drbg); - if (ret != NTRU_OK) - return NTRU_ENCRYPT_ERROR; - - return ret; -} -#endif /* HAVE_NTRU */ - -int QSH_Init(WOLFSSL* ssl) -{ - /* check so not initialising twice when running DTLS */ - if (ssl->QSH_secret != NULL) - return 0; - - /* malloc memory for holding generated secret information */ - if ((ssl->QSH_secret = (QSHSecret*)XMALLOC(sizeof(QSHSecret), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER)) == NULL) - return MEMORY_E; - - ssl->QSH_secret->CliSi = (buffer*)XMALLOC(sizeof(buffer), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->QSH_secret->CliSi == NULL) - return MEMORY_E; - - ssl->QSH_secret->SerSi = (buffer*)XMALLOC(sizeof(buffer), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->QSH_secret->SerSi == NULL) - return MEMORY_E; - - /* initialize variables */ - ssl->QSH_secret->list = NULL; - ssl->QSH_secret->CliSi->length = 0; - ssl->QSH_secret->CliSi->buffer = NULL; - ssl->QSH_secret->SerSi->length = 0; - ssl->QSH_secret->SerSi->buffer = NULL; - - return 0; -} - - -static int QSH_Encrypt(QSHKey* key, byte* in, word32 szIn, - byte* out, word32* szOut) -{ - int ret = 0; - word16 size = *szOut; - - (void)in; - (void)szIn; - (void)out; - (void)szOut; - - WOLFSSL_MSG("Encrypting QSH key material"); - - switch (key->name) { - #ifdef HAVE_NTRU - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - ret = NtruSecretEncrypt(key, in, szIn, out, &size); - break; - #endif - default: - WOLFSSL_MSG("Unknown QSH encryption key!"); - return -1; - } - - *szOut = size; - - return ret; -} - - -/* Decrypt using Quantum Safe Handshake algorithms */ -int QSH_Decrypt(QSHKey* key, byte* in, word32 szIn, byte* out, word16* szOut) -{ - int ret = 0; - word16 size = *szOut; - - (void)in; - (void)szIn; - (void)out; - (void)szOut; - - WOLFSSL_MSG("Decrypting QSH key material"); - - switch (key->name) { - #ifdef HAVE_NTRU - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - ret = NtruSecretDecrypt(key, in, szIn, out, &size); - break; - #endif - default: - WOLFSSL_MSG("Unknown QSH decryption key!"); - return -1; - } - - *szOut = size; - - return ret; -} - - -/* Get the max cipher text for corresponding encryption scheme - (encrypting 48 or max plain text whichever is smaller) - */ -static word32 QSH_MaxSecret(QSHKey* key) -{ - int ret = 0; -#ifdef HAVE_NTRU - byte isNtru = 0; - word16 inSz = 48; - word16 outSz; - DRBG_HANDLE drbg = 0; - byte bufIn[48]; -#endif - - if (key == NULL || key->pub.length == 0) - return 0; - - switch(key->name) { -#ifdef HAVE_NTRU - case WOLFSSL_NTRU_EESS439: - isNtru = 1; - break; - case WOLFSSL_NTRU_EESS593: - isNtru = 1; - break; - case WOLFSSL_NTRU_EESS743: - isNtru = 1; - break; -#endif - default: - WOLFSSL_MSG("Unknown QSH encryption scheme size!"); - return 0; - } - -#ifdef HAVE_NTRU - if (isNtru) { - ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); - if (ret != DRBG_OK) - return NTRU_DRBG_ERROR; - ret = ntru_crypto_ntru_encrypt(drbg, key->pub.length, - key->pub.buffer, inSz, bufIn, &outSz, NULL); - if (ret != NTRU_OK) { - return NTRU_ENCRYPT_ERROR; - } - ntru_crypto_drbg_uninstantiate(drbg); - ret = outSz; - } -#endif - - return ret; -} - -/* Generate the secret byte material for pms - returns length on success and -1 on fail - */ -static int QSH_GenerateSerCliSecret(WOLFSSL* ssl, byte isServer) -{ - int sz = 0; - int plainSz = 48; /* lesser of 48 and max plain text able to encrypt */ - int offset = 0; - word32 tmpSz = 0; - buffer* buf; - QSHKey* current = ssl->peerQSHKey; - QSHScheme* schmPre = NULL; - QSHScheme* schm = NULL; - - if (ssl == NULL) - return -1; - - WOLFSSL_MSG("Generating QSH secret key material"); - - /* get size of buffer needed */ - while (current) { - if (current->pub.length != 0) { - sz += plainSz; - } - current = (QSHKey*)current->next; - } - - /* allocate memory for buffer */ - if (isServer) { - buf = ssl->QSH_secret->SerSi; - } - else { - buf = ssl->QSH_secret->CliSi; - } - buf->length = sz; - buf->buffer = (byte*)XMALLOC(sz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (buf->buffer == NULL) { - WOLFSSL_ERROR(MEMORY_E); - } - - /* create secret information */ - sz = 0; - current = ssl->peerQSHKey; - while (current) { - schm = (QSHScheme*)XMALLOC(sizeof(QSHScheme), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (schm == NULL) - return MEMORY_E; - - /* initialize variables */ - schm->name = 0; - schm->PK = NULL; - schm->PKLen = 0; - schm->next = NULL; - if (ssl->QSH_secret->list == NULL) { - ssl->QSH_secret->list = schm; - } - else { - if (schmPre) - schmPre->next = schm; - } - - tmpSz = QSH_MaxSecret(current); - - if ((schm->PK = (byte*)XMALLOC(tmpSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER)) == NULL) - return -1; - - /* store info for writing extension */ - schm->name = current->name; - - /* no key to use for encryption */ - if (tmpSz == 0) { - current = (QSHKey*)current->next; - continue; - } - - if (wc_RNG_GenerateBlock(ssl->rng, buf->buffer + offset, plainSz) - != 0) { - return -1; - } - if (QSH_Encrypt(current, buf->buffer + offset, plainSz, schm->PK, - &tmpSz) != 0) { - return -1; - } - schm->PKLen = tmpSz; - - sz += tmpSz; - offset += plainSz; - schmPre = schm; - current = (QSHKey*)current->next; - } - - return sz; -} - - -static word32 QSH_KeyGetSize(WOLFSSL* ssl) -{ - word32 sz = 0; - QSHKey* current = ssl->peerQSHKey; - - if (ssl == NULL) - return -1; - - sz += OPAQUE16_LEN; /* type of extension ie 0x00 0x18 */ - sz += OPAQUE24_LEN; - /* get size of buffer needed */ - while (current) { - sz += OPAQUE16_LEN; /* scheme id */ - sz += OPAQUE16_LEN; /* encrypted key len*/ - sz += QSH_MaxSecret(current); - current = (QSHKey*)current->next; - } - - return sz; -} - - -/* handle QSH key Exchange - return 0 on success - */ -static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer) -{ - int ret = 0; - - WOLFSSL_ENTER("QSH KeyExchange"); - - ret = QSH_GenerateSerCliSecret(ssl, isServer); - if (ret < 0) - return MEMORY_E; - - return 0; -} - -#endif /* HAVE_QSH */ - - -typedef struct SckeArgs { - byte* output; /* not allocated */ - byte* encSecret; - byte* input; - word32 encSz; - word32 length; - int sendSz; - int inputSz; -} SckeArgs; - -static void FreeSckeArgs(WOLFSSL* ssl, void* pArgs) -{ - SckeArgs* args = (SckeArgs*)pArgs; - - (void)ssl; - - if (args->encSecret) { - XFREE(args->encSecret, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->encSecret = NULL; - } - if (args->input) { - XFREE(args->input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->input = NULL; - } -} - -int SendClientKeyExchange(WOLFSSL* ssl) -{ - int ret = 0; -#ifdef WOLFSSL_ASYNC_CRYPT - SckeArgs* args = (SckeArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); -#else - SckeArgs args[1]; -#endif - - WOLFSSL_ENTER("SendClientKeyExchange"); - -#ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_scke; - } - else -#endif - { - /* Reset state */ - ret = 0; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - XMEMSET(args, 0, sizeof(SckeArgs)); - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeSckeArgs; - #endif - } - - switch(ssl->options.asyncState) - { - case TLS_ASYNC_BEGIN: - { - switch (ssl->specs.kea) { - #ifndef NO_RSA - case rsa_kea: - if (ssl->peerRsaKey == NULL || - ssl->peerRsaKeyPresent == 0) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - break; - #endif - #ifndef NO_DH - case diffie_hellman_kea: - if (ssl->buffers.serverDH_P.buffer == NULL || - ssl->buffers.serverDH_G.buffer == NULL || - ssl->buffers.serverDH_Pub.buffer == NULL) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - break; - #endif /* NO_DH */ - #ifndef NO_PSK - case psk_kea: - /* sanity check that PSK client callback has been set */ - if (ssl->options.client_psk_cb == NULL) { - WOLFSSL_MSG("No client PSK callback set"); - ERROR_OUT(PSK_KEY_ERROR, exit_scke); - } - break; - #endif /* NO_PSK */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - if (ssl->buffers.serverDH_P.buffer == NULL || - ssl->buffers.serverDH_G.buffer == NULL || - ssl->buffers.serverDH_Pub.buffer == NULL) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - - /* sanity check that PSK client callback has been set */ - if (ssl->options.client_psk_cb == NULL) { - WOLFSSL_MSG("No client PSK callback set"); - ERROR_OUT(PSK_KEY_ERROR, exit_scke); - } - break; - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - /* sanity check that PSK client callback has been set */ - if (ssl->options.client_psk_cb == NULL) { - WOLFSSL_MSG("No client PSK callback set"); - ERROR_OUT(PSK_KEY_ERROR, exit_scke); - } - - /* Check client ECC public key */ - if (!ssl->peerEccKey || !ssl->peerEccKeyPresent || - !ssl->peerEccKey->dp) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->EccSharedSecretCb != NULL) { - break; - } - #endif - - /* create private key */ - ssl->hsType = DYNAMIC_TYPE_ECC; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_scke; - } - - ret = EccMakeKey(ssl, (ecc_key*)ssl->hsKey, ssl->peerEccKey); - - break; - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - if (ssl->peerNtruKeyPresent == 0) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - break; - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - ecc_key* peerKey; - - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->EccSharedSecretCb != NULL) { - break; - } - #endif - - if (ssl->specs.static_ecdh) { - /* TODO: EccDsa is really fixed Ecc change naming */ - if (!ssl->peerEccDsaKey || - !ssl->peerEccDsaKeyPresent || - !ssl->peerEccDsaKey->dp) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - peerKey = ssl->peerEccDsaKey; - } - else { - if (!ssl->peerEccKey || !ssl->peerEccKeyPresent || - !ssl->peerEccKey->dp) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - peerKey = ssl->peerEccKey; - } - if (peerKey == NULL) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - - /* create private key */ - ssl->hsType = DYNAMIC_TYPE_ECC; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_scke; - } - - ret = EccMakeKey(ssl, (ecc_key*)ssl->hsKey, peerKey); - - break; - } - #endif /* HAVE_ECC */ - - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_scke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_BUILD; - } /* case TLS_ASYNC_BEGIN */ - - case TLS_ASYNC_BUILD: - { - args->encSz = MAX_ENCRYPT_SZ; - args->encSecret = (byte*)XMALLOC(args->encSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (args->encSecret == NULL) { - ERROR_OUT(MEMORY_E, exit_scke); - } - - switch(ssl->specs.kea) - { - #ifndef NO_RSA - case rsa_kea: - { - ret = wc_RNG_GenerateBlock(ssl->rng, - ssl->arrays->preMasterSecret, SECRET_LEN); - if (ret != 0) { - goto exit_scke; - } - - ssl->arrays->preMasterSecret[0] = ssl->chVersion.major; - ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor; - ssl->arrays->preMasterSz = SECRET_LEN; - break; - } - #endif /* !NO_RSA */ - #ifndef NO_DH - case diffie_hellman_kea: - { - ssl->buffers.sig.length = ENCRYPT_LEN; - ssl->buffers.sig.buffer = (byte*)XMALLOC(ENCRYPT_LEN, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->buffers.sig.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_scke); - } - - ret = AllocKey(ssl, DYNAMIC_TYPE_DH, - (void**)&ssl->buffers.serverDH_Key); - if (ret != 0) { - goto exit_scke; - } - - ret = wc_DhSetKey(ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); - if (ret != 0) { - goto exit_scke; - } - - /* for DH, encSecret is Yc, agree is pre-master */ - ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key, - ssl->buffers.sig.buffer, &ssl->buffers.sig.length, - args->encSecret, &args->encSz); - break; - } - #endif /* !NO_DH */ - #ifndef NO_PSK - case psk_kea: - { - byte* pms = ssl->arrays->preMasterSecret; - ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl, - ssl->arrays->server_hint, ssl->arrays->client_identity, - MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); - if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - ERROR_OUT(PSK_KEY_ERROR, exit_scke); - } - args->encSz = (word32)XSTRLEN(ssl->arrays->client_identity); - if (args->encSz > MAX_PSK_ID_LEN) { - ERROR_OUT(CLIENT_ID_ERROR, exit_scke); - } - XMEMCPY(args->encSecret, ssl->arrays->client_identity, - args->encSz); - - /* make psk pre master secret */ - /* length of key + length 0s + length of key + key */ - c16toa((word16)ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - XMEMSET(pms, 0, ssl->arrays->psk_keySz); - pms += ssl->arrays->psk_keySz; - c16toa((word16)ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz = (ssl->arrays->psk_keySz * 2) + - (2 * OPAQUE16_LEN); - ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->psk_keySz = 0; /* No further need */ - break; - } - #endif /* !NO_PSK */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - word32 esSz = 0; - args->output = args->encSecret; - - ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl, - ssl->arrays->server_hint, ssl->arrays->client_identity, - MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); - if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - ERROR_OUT(PSK_KEY_ERROR, exit_scke); - } - esSz = (word32)XSTRLEN(ssl->arrays->client_identity); - - if (esSz > MAX_PSK_ID_LEN) { - ERROR_OUT(CLIENT_ID_ERROR, exit_scke); - } - - ssl->buffers.sig.length = ENCRYPT_LEN; - ssl->buffers.sig.buffer = (byte*)XMALLOC(ENCRYPT_LEN, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->buffers.sig.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_scke); - } - - c16toa((word16)esSz, args->output); - args->output += OPAQUE16_LEN; - XMEMCPY(args->output, ssl->arrays->client_identity, esSz); - args->output += esSz; - args->encSz = esSz + OPAQUE16_LEN; - - args->length = 0; - - ret = AllocKey(ssl, DYNAMIC_TYPE_DH, - (void**)&ssl->buffers.serverDH_Key); - if (ret != 0) { - goto exit_scke; - } - - ret = wc_DhSetKey(ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); - if (ret != 0) { - goto exit_scke; - } - - /* for DH, encSecret is Yc, agree is pre-master */ - ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key, - ssl->buffers.sig.buffer, &ssl->buffers.sig.length, - args->output + OPAQUE16_LEN, &args->length); - break; - } - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - word32 esSz = 0; - args->output = args->encSecret; - - /* Send PSK client identity */ - ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl, - ssl->arrays->server_hint, ssl->arrays->client_identity, - MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); - if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - ERROR_OUT(PSK_KEY_ERROR, exit_scke); - } - - esSz = (word32)XSTRLEN(ssl->arrays->client_identity); - if (esSz > MAX_PSK_ID_LEN) { - ERROR_OUT(CLIENT_ID_ERROR, exit_scke); - } - - /* place size and identity in output buffer sz:identity */ - c16toa((word16)esSz, args->output); - args->output += OPAQUE16_LEN; - XMEMCPY(args->output, ssl->arrays->client_identity, esSz); - args->output += esSz; - args->encSz = esSz + OPAQUE16_LEN; - - /* length is used for public key size */ - args->length = MAX_ENCRYPT_SZ; - - /* Create shared ECC key leaving room at the begining - of buffer for size of shared key. */ - ssl->arrays->preMasterSz = ENCRYPT_LEN - OPAQUE16_LEN; - - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->EccSharedSecretCb != NULL) { - break; - } - #endif - - /* Place ECC key in output buffer, leaving room for size */ - ret = wc_ecc_export_x963((ecc_key*)ssl->hsKey, - args->output + OPAQUE8_LEN, &args->length); - if (ret != 0) { - ERROR_OUT(ECC_EXPORT_ERROR, exit_scke); - } - - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - ret = wc_RNG_GenerateBlock(ssl->rng, - ssl->arrays->preMasterSecret, SECRET_LEN); - if (ret != 0) { - goto exit_scke; - } - - ssl->arrays->preMasterSz = SECRET_LEN; - args->encSz = MAX_ENCRYPT_SZ; - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - ssl->arrays->preMasterSz = ENCRYPT_LEN; - - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->EccSharedSecretCb != NULL) { - break; - } - #endif - - /* Place ECC key in buffer, leaving room for size */ - ret = wc_ecc_export_x963((ecc_key*)ssl->hsKey, - args->encSecret + OPAQUE8_LEN, &args->encSz); - if (ret != 0) { - ERROR_OUT(ECC_EXPORT_ERROR, exit_scke); - } - break; - } - #endif /* HAVE_ECC */ - - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_scke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_DO; - } /* case TLS_ASYNC_BUILD */ - - case TLS_ASYNC_DO: - { - switch(ssl->specs.kea) - { - #ifndef NO_RSA - case rsa_kea: - { - ret = RsaEnc(ssl, - ssl->arrays->preMasterSecret, SECRET_LEN, - args->encSecret, &args->encSz, - ssl->peerRsaKey, - #if defined(HAVE_PK_CALLBACKS) - ssl->buffers.peerRsaKey.buffer, - ssl->buffers.peerRsaKey.length, - ssl->RsaEncCtx - #else - NULL, 0, NULL - #endif - ); - - break; - } - #endif /* !NO_RSA */ - #ifndef NO_DH - case diffie_hellman_kea: - { - ret = DhAgree(ssl, ssl->buffers.serverDH_Key, - ssl->buffers.sig.buffer, ssl->buffers.sig.length, - ssl->buffers.serverDH_Pub.buffer, - ssl->buffers.serverDH_Pub.length, - ssl->arrays->preMasterSecret, - &ssl->arrays->preMasterSz); - break; - } - #endif /* !NO_DH */ - #ifndef NO_PSK - case psk_kea: - { - break; - } - #endif /* !NO_PSK */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - ret = DhAgree(ssl, ssl->buffers.serverDH_Key, - ssl->buffers.sig.buffer, ssl->buffers.sig.length, - ssl->buffers.serverDH_Pub.buffer, - ssl->buffers.serverDH_Pub.length, - ssl->arrays->preMasterSecret + OPAQUE16_LEN, - &ssl->arrays->preMasterSz); - break; - } - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - ecc_key* key = (ecc_key*)ssl->hsKey; - ret = EccSharedSecret(ssl, key, ssl->peerEccKey, - args->output + OPAQUE8_LEN, &args->length, - ssl->arrays->preMasterSecret + OPAQUE16_LEN, - &ssl->arrays->preMasterSz, - WOLFSSL_CLIENT_END, - #ifdef HAVE_PK_CALLBACKS - ssl->EccSharedSecretCtx - #else - NULL - #endif - ); - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - word32 rc; - DRBG_HANDLE drbg; - - rc = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); - if (rc != DRBG_OK) { - ERROR_OUT(NTRU_DRBG_ERROR, exit_scke); - } - rc = ntru_crypto_ntru_encrypt(drbg, ssl->peerNtruKeyLen, - ssl->peerNtruKey, - ssl->arrays->preMasterSz, - ssl->arrays->preMasterSecret, - (word16*)&args->encSz, - args->encSecret); - ntru_crypto_drbg_uninstantiate(drbg); - if (rc != NTRU_OK) { - ERROR_OUT(NTRU_ENCRYPT_ERROR, exit_scke); - } - ret = 0; - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - ecc_key* key = (ecc_key*)ssl->hsKey; - ecc_key* peerKey = (ssl->specs.static_ecdh) ? - ssl->peerEccDsaKey : ssl->peerEccKey; - - ret = EccSharedSecret(ssl, - key, peerKey, - args->encSecret + OPAQUE8_LEN, &args->encSz, - ssl->arrays->preMasterSecret, - &ssl->arrays->preMasterSz, - WOLFSSL_CLIENT_END, - #ifdef HAVE_PK_CALLBACKS - ssl->EccSharedSecretCtx - #else - NULL - #endif - ); - - break; - } - #endif /* HAVE_ECC */ - - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_scke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_VERIFY; - } /* case TLS_ASYNC_DO */ - - case TLS_ASYNC_VERIFY: - { - switch(ssl->specs.kea) - { - #ifndef NO_RSA - case rsa_kea: - { - break; - } - #endif /* !NO_RSA */ - #ifndef NO_DH - case diffie_hellman_kea: - { - break; - } - #endif /* !NO_DH */ - #ifndef NO_PSK - case psk_kea: - { - break; - } - #endif /* !NO_PSK */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - byte* pms = ssl->arrays->preMasterSecret; - - /* validate args */ - if (args->output == NULL || args->length == 0) { - ERROR_OUT(BAD_FUNC_ARG, exit_scke); - } - - c16toa((word16)args->length, args->output); - args->encSz += args->length + OPAQUE16_LEN; - c16toa((word16)ssl->arrays->preMasterSz, pms); - ssl->arrays->preMasterSz += OPAQUE16_LEN; - pms += ssl->arrays->preMasterSz; - - /* make psk pre master secret */ - /* length of key + length 0s + length of key + key */ - c16toa((word16)ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz += - ssl->arrays->psk_keySz + OPAQUE16_LEN; - ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->psk_keySz = 0; /* No further need */ - break; - } - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - byte* pms = ssl->arrays->preMasterSecret; - - /* validate args */ - if (args->output == NULL || args->length > ENCRYPT_LEN) { - ERROR_OUT(BAD_FUNC_ARG, exit_scke); - } - - /* place size of public key in output buffer */ - *args->output = (byte)args->length; - args->encSz += args->length + OPAQUE8_LEN; - - /* Create pre master secret is the concatination of - eccSize + eccSharedKey + pskSize + pskKey */ - c16toa((word16)ssl->arrays->preMasterSz, pms); - ssl->arrays->preMasterSz += OPAQUE16_LEN; - pms += ssl->arrays->preMasterSz; - - c16toa((word16)ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz += - ssl->arrays->psk_keySz + OPAQUE16_LEN; - - ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->psk_keySz = 0; /* No further need */ - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - /* place size of public key in buffer */ - *args->encSecret = (byte)args->encSz; - args->encSz += OPAQUE8_LEN; - break; - } - #endif /* HAVE_ECC */ - - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_scke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_FINALIZE; - } /* case TLS_ASYNC_VERIFY */ - - case TLS_ASYNC_FINALIZE: - { - word32 tlsSz = 0; - word32 idx = 0; - - #ifdef HAVE_QSH - word32 qshSz = 0; - if (ssl->peerQSHKeyPresent) { - qshSz = QSH_KeyGetSize(ssl); - } - #endif - - if (ssl->options.tls || ssl->specs.kea == diffie_hellman_kea) { - tlsSz = 2; - } - - if (ssl->specs.kea == ecc_diffie_hellman_kea || - ssl->specs.kea == dhe_psk_kea || - ssl->specs.kea == ecdhe_psk_kea) { /* always off */ - tlsSz = 0; - } - - idx = HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - args->sendSz = args->encSz + tlsSz + idx; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - idx += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA; - args->sendSz += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA; - } - #endif - - if (IsEncryptionOn(ssl, 1)) { - args->sendSz += MAX_MSG_EXTRA; - } - - #ifdef HAVE_QSH - args->encSz += qshSz; - args->sendSz += qshSz; - #endif - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { - goto exit_scke; - } - - /* get output buffer */ - args->output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent) { - byte idxSave = idx; - idx = args->sendSz - qshSz; - - if (QSH_KeyExchangeWrite(ssl, 0) != 0) { - ERROR_OUT(MEMORY_E, exit_scke); - } - - /* extension type */ - c16toa(TLSX_QUANTUM_SAFE_HYBRID, args->output + idx); - idx += OPAQUE16_LEN; - - /* write to output and check amount written */ - if (TLSX_QSHPK_Write(ssl->QSH_secret->list, - args->output + idx) > qshSz - OPAQUE16_LEN) { - ERROR_OUT(MEMORY_E, exit_scke); - } - - idx = idxSave; - } - #endif - - AddHeaders(args->output, args->encSz + tlsSz, client_key_exchange, ssl); - - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent) { - args->encSz -= qshSz; - } - #endif - if (tlsSz) { - c16toa((word16)args->encSz, &args->output[idx]); - idx += OPAQUE16_LEN; - } - XMEMCPY(args->output + idx, args->encSecret, args->encSz); - idx += args->encSz; - - if (IsEncryptionOn(ssl, 1)) { - args->inputSz = idx - RECORD_HEADER_SZ; /* buildmsg adds rechdr */ - args->input = (byte*)XMALLOC(args->inputSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (args->input == NULL) { - ERROR_OUT(MEMORY_E, exit_scke); - } - - XMEMCPY(args->input, args->output + RECORD_HEADER_SZ, - args->inputSz); - } - - /* Check for error */ - if (ret != 0) { - goto exit_scke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_END; - } /* case TLS_ASYNC_FINALIZE */ - - case TLS_ASYNC_END: - { - if (IsEncryptionOn(ssl, 1)) { - ret = BuildMessage(ssl, args->output, args->sendSz, - args->input, args->inputSz, handshake, 1, 0, 1); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) - goto exit_scke; - #endif - XFREE(args->input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->input = NULL; /* make sure its not double free'd on cleanup */ - - if (ret >= 0) { - args->sendSz = ret; - ret = 0; - } - } - else { - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - ret = HashOutput(ssl, args->output, args->sendSz, 0); - } - - if (ret != 0) { - goto exit_scke; - } - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, args->output, args->sendSz)) != 0) { - goto exit_scke; - } - } - #endif - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "ClientKeyExchange"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "ClientKeyExchange", handshake, - args->output, args->sendSz, WRITE_PROTO, ssl->heap); - #endif - - ssl->buffers.outputBuffer.length += args->sendSz; - - if (!ssl->options.groupMessages) { - ret = SendBuffered(ssl); - } - if (ret == 0 || ret == WANT_WRITE) { - int tmpRet = MakeMasterSecret(ssl); - if (tmpRet != 0) { - ret = tmpRet; /* save WANT_WRITE unless more serious */ - } - ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; - } - break; - } - default: - ret = INPUT_CASE_ERROR; - } /* switch(ssl->options.asyncState) */ - -exit_scke: - - WOLFSSL_LEAVE("SendClientKeyExchange", ret); - -#ifdef WOLFSSL_ASYNC_CRYPT - /* Handle async operation */ - if (ret == WC_PENDING_E) - return ret; -#endif - - /* No further need for PMS */ - ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz); - ssl->arrays->preMasterSz = 0; - - /* Final cleanup */ - FreeSckeArgs(ssl, args); - FreeKeyExchange(ssl); - - return ret; -} - - -#ifndef NO_CERTS - -typedef struct ScvArgs { - byte* output; /* not allocated */ -#ifndef NO_RSA - byte* verifySig; -#endif - byte* verify; /* not allocated */ - byte* input; - word32 idx; - word32 extraSz; - word32 sigSz; - int sendSz; - int length; - int inputSz; -} ScvArgs; - -static void FreeScvArgs(WOLFSSL* ssl, void* pArgs) -{ - ScvArgs* args = (ScvArgs*)pArgs; - - (void)ssl; - -#ifndef NO_RSA - if (args->verifySig) { - XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->verifySig = NULL; - } -#endif - if (args->input) { - XFREE(args->input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->input = NULL; - } -} - -int SendCertificateVerify(WOLFSSL* ssl) -{ - int ret = 0; -#ifdef WOLFSSL_ASYNC_CRYPT - ScvArgs* args = (ScvArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); -#else - ScvArgs args[1]; -#endif - - WOLFSSL_ENTER("SendCertificateVerify"); - -#ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_scv; - } - else -#endif - { - /* Reset state */ - ret = 0; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - XMEMSET(args, 0, sizeof(ScvArgs)); - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeScvArgs; - #endif - } - - switch(ssl->options.asyncState) - { - case TLS_ASYNC_BEGIN: - { - if (ssl->options.sendVerify == SEND_BLANK_CERT) { - return 0; /* sent blank cert, can't verify */ - } - - args->sendSz = MAX_CERT_VERIFY_SZ; - if (IsEncryptionOn(ssl, 1)) { - args->sendSz += MAX_MSG_EXTRA; - } - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { - goto exit_scv; - } - - /* get output buffer */ - args->output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_BUILD; - } /* case TLS_ASYNC_BEGIN */ - - case TLS_ASYNC_BUILD: - { - int keySz; - int typeH = 0; - - ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes); - if (ret != 0) { - goto exit_scv; - } - - /* make sure private key exists */ - if (ssl->buffers.key == NULL || ssl->buffers.key->buffer == NULL) { - WOLFSSL_MSG("Private key missing!"); - ERROR_OUT(NO_PRIVATE_KEY, exit_scv); - } - - #ifndef NO_RSA - ssl->hsType = DYNAMIC_TYPE_RSA; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_scv; - } - - WOLFSSL_MSG("Trying RSA client cert"); - - ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &args->idx, - (RsaKey*)ssl->hsKey, ssl->buffers.key->length); - if (ret == 0) { - keySz = wc_RsaEncryptSize((RsaKey*)ssl->hsKey); - if (keySz < 0) { /* check if keySz has error case */ - ERROR_OUT(keySz, exit_scv); - } - - args->length = (word32)keySz; - if (keySz < ssl->options.minRsaKeySz) { - WOLFSSL_MSG("RSA key size too small"); - ERROR_OUT(RSA_KEY_SIZE_E, exit_scv); - } - } - else - #endif /* !NO_RSA */ - { - #ifdef HAVE_ECC - #ifndef NO_RSA - FreeKey(ssl, ssl->hsType, (void**)&ssl->hsKey); - #endif /* !NO_RSA */ - - ssl->hsType = DYNAMIC_TYPE_ECC; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_scv; - } - - WOLFSSL_MSG("Trying ECC client cert, RSA didn't work"); - - args->idx = 0; - ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, - &args->idx, (ecc_key*)ssl->hsKey, ssl->buffers.key->length); - if (ret != 0) { - WOLFSSL_MSG("Bad client cert type"); - goto exit_scv; - } - - WOLFSSL_MSG("Using ECC client cert"); - args->length = MAX_ENCODED_SIG_SZ; - - /* check minimum size of ECC key */ - keySz = wc_ecc_size((ecc_key*)ssl->hsKey); - if (keySz < ssl->options.minEccKeySz) { - WOLFSSL_MSG("ECC key size too small"); - ERROR_OUT(ECC_KEY_SIZE_E, exit_scv); - } - #endif - } - - /* idx is used to track verify pointer offset to output */ - args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - args->verify = &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ]; - args->extraSz = 0; /* tls 1.2 hash/sig */ - - /* build encoded signature buffer */ - ssl->buffers.sig.length = MAX_ENCODED_SIG_SZ; - ssl->buffers.sig.buffer = (byte*)XMALLOC(ssl->buffers.sig.length, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->buffers.sig.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_scv); - } - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - args->verify += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif - - #ifndef NO_OLD_TLS - #ifndef NO_SHA - /* old tls default */ - ssl->buffers.digest.length = SHA_DIGEST_SIZE; - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha; - typeH = SHAh; - #endif - #else - #ifndef NO_SHA256 - /* new tls default */ - ssl->buffers.digest.length = SHA256_DIGEST_SIZE; - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha256; - typeH = SHA256h; - #endif - #endif /* !NO_OLD_TLS */ - - if (IsAtLeastTLSv1_2(ssl)) { - args->verify[0] = ssl->suites->hashAlgo; - args->verify[1] = (ssl->hsType == DYNAMIC_TYPE_ECC) ? - ecc_dsa_sa_algo : rsa_sa_algo; - args->extraSz = HASH_SIG_SIZE; - - switch (ssl->suites->hashAlgo) { - #ifndef NO_SHA - case sha_mac: - ssl->buffers.digest.length = SHA_DIGEST_SIZE; - ssl->buffers.digest.buffer = - ssl->hsHashes->certHashes.sha; - typeH = SHAh; - break; - #endif /* NO_SHA */ - #ifndef NO_SHA256 - case sha256_mac: - ssl->buffers.digest.length = SHA256_DIGEST_SIZE; - ssl->buffers.digest.buffer = - ssl->hsHashes->certHashes.sha256; - typeH = SHA256h; - break; - #endif /* !NO_SHA256 */ - #ifdef WOLFSSL_SHA384 - case sha384_mac: - ssl->buffers.digest.length = SHA384_DIGEST_SIZE; - ssl->buffers.digest.buffer = - ssl->hsHashes->certHashes.sha384; - typeH = SHA384h; - break; - #endif /* WOLFSSL_SHA384 */ - #ifdef WOLFSSL_SHA512 - case sha512_mac: - ssl->buffers.digest.length = SHA512_DIGEST_SIZE; - ssl->buffers.digest.buffer = - ssl->hsHashes->certHashes.sha512; - typeH = SHA512h; - break; - #endif /* WOLFSSL_SHA512 */ - } /* switch */ - } - #ifndef NO_OLD_TLS - else { - /* if old TLS load MD5 hash as value to sign */ - XMEMCPY(ssl->buffers.sig.buffer, ssl->hsHashes->certHashes.md5, - FINISHED_SZ); - } - #endif - - if (typeH == 0) { - ERROR_OUT(ALGO_ID_E, exit_scv); - } - - #ifndef NO_RSA - if (ssl->hsType == DYNAMIC_TYPE_RSA) { - ssl->buffers.sig.length = FINISHED_SZ; - args->sigSz = ENCRYPT_LEN; - - if (IsAtLeastTLSv1_2(ssl)) { - ssl->buffers.sig.length = wc_EncodeSignature( - ssl->buffers.sig.buffer, ssl->buffers.digest.buffer, - ssl->buffers.digest.length, typeH); - } - - /* prepend hdr */ - c16toa((word16)args->length, args->verify + args->extraSz); - } - #endif /* !NO_RSA */ - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_DO; - } /* case TLS_ASYNC_BUILD */ - - case TLS_ASYNC_DO: - { - #ifdef HAVE_ECC - if (ssl->hsType == DYNAMIC_TYPE_ECC) { - ecc_key* key = (ecc_key*)ssl->hsKey; - - ret = EccSign(ssl, - ssl->buffers.digest.buffer, ssl->buffers.digest.length, - ssl->buffers.sig.buffer, &ssl->buffers.sig.length, - key, - #if defined(HAVE_PK_CALLBACKS) - ssl->buffers.key->buffer, - ssl->buffers.key->length, - ssl->EccSignCtx - #else - NULL, 0, NULL - #endif - ); - } - #endif /* HAVE_ECC */ - #ifndef NO_RSA - if (ssl->hsType == DYNAMIC_TYPE_RSA) { - RsaKey* key = (RsaKey*)ssl->hsKey; - - /* restore verify pointer */ - args->verify = &args->output[args->idx]; - - ret = RsaSign(ssl, - ssl->buffers.sig.buffer, ssl->buffers.sig.length, - args->verify + args->extraSz + VERIFY_HEADER, &args->sigSz, - key, - ssl->buffers.key->buffer, - ssl->buffers.key->length, - #ifdef HAVE_PK_CALLBACKS - ssl->RsaSignCtx - #else - NULL - #endif - ); - } - #endif /* !NO_RSA */ - - /* Check for error */ - if (ret != 0) { - goto exit_scv; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_VERIFY; - } /* case TLS_ASYNC_DO */ - - case TLS_ASYNC_VERIFY: - { - /* restore verify pointer */ - args->verify = &args->output[args->idx]; - - #ifdef HAVE_ECC - if (ssl->hsType == DYNAMIC_TYPE_ECC) { - args->length = ssl->buffers.sig.length; - /* prepend hdr */ - c16toa((word16)ssl->buffers.sig.length, args->verify + - args->extraSz); - XMEMCPY(args->verify + args->extraSz + VERIFY_HEADER, - ssl->buffers.sig.buffer, ssl->buffers.sig.length); - } - #endif /* HAVE_ECC */ - #ifndef NO_RSA - if (ssl->hsType == DYNAMIC_TYPE_RSA) { - RsaKey* key = (RsaKey*)ssl->hsKey; - - if (args->verifySig == NULL) { - args->verifySig = (byte*)XMALLOC(args->sigSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (args->verifySig == NULL) { - ERROR_OUT(MEMORY_E, exit_scv); - } - XMEMCPY(args->verifySig, args->verify + args->extraSz + - VERIFY_HEADER, args->sigSz); - } - - /* check for signature faults */ - ret = VerifyRsaSign(ssl, - args->verifySig, args->sigSz, - ssl->buffers.sig.buffer, ssl->buffers.sig.length, - key - ); - } - #endif /* !NO_RSA */ - - /* Check for error */ - if (ret != 0) { - goto exit_scv; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_FINALIZE; - } /* case TLS_ASYNC_VERIFY */ - - case TLS_ASYNC_FINALIZE: - { - if (args->output == NULL) { - ERROR_OUT(BUFFER_ERROR, exit_scv); - } - AddHeaders(args->output, args->length + args->extraSz + - VERIFY_HEADER, certificate_verify, ssl); - - args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + - args->length + args->extraSz + VERIFY_HEADER; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif - - if (IsEncryptionOn(ssl, 1)) { - args->inputSz = args->sendSz - RECORD_HEADER_SZ; - /* build msg adds rec hdr */ - args->input = (byte*)XMALLOC(args->inputSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (args->input == NULL) { - ERROR_OUT(MEMORY_E, exit_scv); - } - - XMEMCPY(args->input, args->output + RECORD_HEADER_SZ, - args->inputSz); - } - - /* Check for error */ - if (ret != 0) { - goto exit_scv; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_END; - } /* case TLS_ASYNC_FINALIZE */ - - case TLS_ASYNC_END: - { - if (IsEncryptionOn(ssl, 1)) { - ret = BuildMessage(ssl, args->output, - MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA, - args->input, args->inputSz, handshake, - 1, 0, 1); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) - goto exit_scv; - #endif - - XFREE(args->input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->input = NULL; /* make sure its not double free'd on cleanup */ - - if (ret >= 0) { - args->sendSz = ret; - ret = 0; - } - } - else { - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - ret = HashOutput(ssl, args->output, args->sendSz, 0); - } - - if (ret != 0) { - goto exit_scv; - } - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - ret = DtlsMsgPoolSave(ssl, args->output, args->sendSz); - } - #endif - - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "CertificateVerify"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "CertificateVerify", handshake, - args->output, args->sendSz, WRITE_PROTO, ssl->heap); - #endif - - ssl->buffers.outputBuffer.length += args->sendSz; - - if (!ssl->options.groupMessages) { - ret = SendBuffered(ssl); - } - break; - } - default: - ret = INPUT_CASE_ERROR; - } /* switch(ssl->options.asyncState) */ - -exit_scv: - - WOLFSSL_LEAVE("SendCertificateVerify", ret); - -#ifdef WOLFSSL_ASYNC_CRYPT - /* Handle async operation */ - if (ret == WC_PENDING_E) { - return ret; - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - /* Digest is not allocated, so do this to prevent free */ - ssl->buffers.digest.buffer = NULL; - ssl->buffers.digest.length = 0; - - /* Final cleanup */ - FreeScvArgs(ssl, args); - FreeKeyExchange(ssl); - - return ret; -} - -#endif /* NO_CERTS */ - - -#ifdef HAVE_SESSION_TICKET -int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - word32 size) -{ - word32 begin = *inOutIdx; - word32 lifetime; - word16 length; - - if (ssl->expect_session_ticket == 0) { - WOLFSSL_MSG("Unexpected session ticket"); - return SESSION_TICKET_EXPECT_E; - } - - if ((*inOutIdx - begin) + OPAQUE32_LEN > size) - return BUFFER_ERROR; - - ato32(input + *inOutIdx, &lifetime); - *inOutIdx += OPAQUE32_LEN; - - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) - return BUFFER_ERROR; - - ato16(input + *inOutIdx, &length); - *inOutIdx += OPAQUE16_LEN; - - if ((*inOutIdx - begin) + length > size) - return BUFFER_ERROR; - - if (length > sizeof(ssl->session.staticTicket)) { - /* Free old dynamic ticket if we already had one */ - if (ssl->session.isDynamic) - XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - ssl->session.ticket = - (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - if (ssl->session.ticket == NULL) { - /* Set to static ticket to avoid null pointer error */ - ssl->session.ticket = ssl->session.staticTicket; - ssl->session.isDynamic = 0; - return MEMORY_E; - } - ssl->session.isDynamic = 1; - } else { - if(ssl->session.isDynamic) { - XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - } - ssl->session.isDynamic = 0; - ssl->session.ticket = ssl->session.staticTicket; - } - - /* If the received ticket including its length is greater than - * a length value, the save it. Otherwise, don't save it. */ - if (length > 0) { - XMEMCPY(ssl->session.ticket, input + *inOutIdx, length); - *inOutIdx += length; - ssl->session.ticketLen = length; - ssl->timeout = lifetime; - if (ssl->session_ticket_cb != NULL) { - ssl->session_ticket_cb(ssl, - ssl->session.ticket, ssl->session.ticketLen, - ssl->session_ticket_ctx); - } - /* Create a fake sessionID based on the ticket, this will - * supercede the existing session cache info. */ - ssl->options.haveSessionId = 1; - XMEMCPY(ssl->arrays->sessionID, - ssl->session.ticket + length - ID_LEN, ID_LEN); -#ifndef NO_SESSION_CACHE - AddSession(ssl); -#endif - - } - else { - ssl->session.ticketLen = 0; - } - - if (IsEncryptionOn(ssl, 0)) { - *inOutIdx += ssl->keys.padSz; - } - - ssl->expect_session_ticket = 0; - - return 0; -} -#endif /* HAVE_SESSION_TICKET */ - -#endif /* NO_WOLFSSL_CLIENT */ - - -#ifndef NO_WOLFSSL_SERVER - - int SendServerHello(WOLFSSL* ssl) - { - byte *output; - word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - int sendSz; - int ret; - byte sessIdSz = ID_LEN; - byte echoId = 0; /* ticket echo id flag */ - byte cacheOff = 0; /* session cache off flag */ - - length = VERSION_SZ + RAN_LEN - + ID_LEN + ENUM_LEN - + SUITE_LEN - + ENUM_LEN; - -#ifdef HAVE_TLS_EXTENSIONS - length += TLSX_GetResponseSize(ssl); - #ifdef HAVE_SESSION_TICKET - if (ssl->options.useTicket) { - /* echo session id sz can be 0,32 or bogus len inbetween */ - sessIdSz = ssl->arrays->sessionIDSz; - if (sessIdSz > ID_LEN) { - WOLFSSL_MSG("Bad bogus session id len"); - return BUFFER_ERROR; - } - length -= (ID_LEN - sessIdSz); /* adjust ID_LEN assumption */ - echoId = 1; - } - #endif /* HAVE_SESSION_TICKET */ -#else - if (ssl->options.haveEMS) { - length += HELLO_EXT_SZ_SZ + HELLO_EXT_SZ; - } -#endif - - /* is the session cahce off at build or runtime */ -#ifdef NO_SESSION_CACHE - cacheOff = 1; -#else - if (ssl->options.sessionCacheOff == 1) { - cacheOff = 1; - } -#endif - - /* if no session cache don't send a session ID unless we're echoing - * an ID as part of session tickets */ - if (echoId == 0 && cacheOff == 1) { - length -= ID_LEN; /* adjust ID_LEN assumption */ - sessIdSz = 0; - } - - /* check for avalaible size */ - if ((ret = CheckAvailableSize(ssl, MAX_HELLO_SZ)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - /* Server Hello should use the same sequence number as the - * Client Hello. */ - ssl->keys.dtls_sequence_number_hi = ssl->keys.curSeq_hi; - ssl->keys.dtls_sequence_number_lo = ssl->keys.curSeq_lo; - idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif /* WOLFSSL_DTLS */ - AddHeaders(output, length, server_hello, ssl); - - /* now write to output */ - /* first version */ - output[idx++] = ssl->version.major; - output[idx++] = ssl->version.minor; - - /* then random and session id */ - if (!ssl->options.resuming) { - /* generate random part and session id */ - ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, - RAN_LEN + sizeof(sessIdSz) + sessIdSz); - if (ret != 0) - return ret; - - /* store info in SSL for later */ - XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN); - idx += RAN_LEN; - output[idx++] = sessIdSz; - XMEMCPY(ssl->arrays->sessionID, output + idx, sessIdSz); - ssl->arrays->sessionIDSz = sessIdSz; - } - else { - /* If resuming, use info from SSL */ - XMEMCPY(output + idx, ssl->arrays->serverRandom, RAN_LEN); - idx += RAN_LEN; - output[idx++] = sessIdSz; - XMEMCPY(output + idx, ssl->arrays->sessionID, sessIdSz); - } - idx += sessIdSz; - -#ifdef SHOW_SECRETS - { - int j; - printf("server random: "); - for (j = 0; j < RAN_LEN; j++) - printf("%02x", ssl->arrays->serverRandom[j]); - printf("\n"); - } -#endif - - /* then cipher suite */ - output[idx++] = ssl->options.cipherSuite0; - output[idx++] = ssl->options.cipherSuite; - - /* then compression */ - if (ssl->options.usingCompression) - output[idx++] = ZLIB_COMPRESSION; - else - output[idx++] = NO_COMPRESSION; - - /* last, extensions */ -#ifdef HAVE_TLS_EXTENSIONS - TLSX_WriteResponse(ssl, output + idx); -#else -#ifdef HAVE_EXTENDED_MASTER - if (ssl->options.haveEMS) { - c16toa(HELLO_EXT_SZ, output + idx); - idx += HELLO_EXT_SZ_SZ; - - c16toa(HELLO_EXT_EXTMS, output + idx); - idx += HELLO_EXT_TYPE_SZ; - c16toa(0, output + idx); - /*idx += HELLO_EXT_SZ_SZ;*/ - /* idx is not used after this point. uncomment the line above - * if adding any more extentions in the future. */ - } -#endif -#endif - - ssl->buffers.outputBuffer.length += sendSz; - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) - return ret; - } - - if (ssl->options.dtls) { - DtlsSEQIncrement(ssl, CUR_ORDER); - } - #endif - - ret = HashOutput(ssl, output, sendSz, 0); - if (ret != 0) - return ret; - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "ServerHello"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "ServerHello", handshake, output, sendSz, - WRITE_PROTO, ssl->heap); - #endif - - ssl->options.serverState = SERVER_HELLO_COMPLETE; - - if (ssl->options.groupMessages) - return 0; - else - return SendBuffered(ssl); - } - - -#ifdef HAVE_ECC - - static byte SetCurveId(ecc_key* key) - { - if (key == NULL || key->dp == NULL) { - WOLFSSL_MSG("SetCurveId: Invalid key!"); - return 0; - } - - switch(key->dp->oidSum) { - #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP160R1_OID: - return WOLFSSL_ECC_SECP160R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_SECPR2 - case ECC_SECP160R2_OID: - return WOLFSSL_ECC_SECP160R2; - #endif /* HAVE_ECC_SECPR2 */ - #ifdef HAVE_ECC_KOBLITZ - case ECC_SECP160K1_OID: - return WOLFSSL_ECC_SECP160K1; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP192R1_OID: - return WOLFSSL_ECC_SECP192R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case ECC_SECP192K1_OID: - return WOLFSSL_ECC_SECP192K1; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP224R1_OID: - return WOLFSSL_ECC_SECP224R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case ECC_SECP224K1_OID: - return WOLFSSL_ECC_SECP224K1; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP256R1_OID: - return WOLFSSL_ECC_SECP256R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case ECC_SECP256K1_OID: - return WOLFSSL_ECC_SECP256K1; - #endif /* HAVE_ECC_KOBLITZ */ - #ifdef HAVE_ECC_BRAINPOOL - case ECC_BRAINPOOLP256R1_OID: - return WOLFSSL_ECC_BRAINPOOLP256R1; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP384R1_OID: - return WOLFSSL_ECC_SECP384R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_BRAINPOOL - case ECC_BRAINPOOLP384R1_OID: - return WOLFSSL_ECC_BRAINPOOLP384R1; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES) - #ifdef HAVE_ECC_BRAINPOOL - case ECC_BRAINPOOLP512R1_OID: - return WOLFSSL_ECC_BRAINPOOLP512R1; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP521R1_OID: - return WOLFSSL_ECC_SECP521R1; - #endif /* !NO_ECC_SECP */ - #endif - default: - return 0; - } - } - -#endif /* HAVE_ECC */ - - typedef struct SskeArgs { - byte* output; /* not allocated */ - #if defined(HAVE_ECC) || (!defined(NO_DH) && !defined(NO_RSA)) - byte* sigDataBuf; - #endif - #if defined(HAVE_ECC) - byte* exportBuf; - #endif - #ifndef NO_RSA - byte* verifySig; - #endif - word32 idx; - word32 tmpSigSz; - word32 length; - word32 sigSz; - #if defined(HAVE_ECC) || (!defined(NO_DH) && !defined(NO_RSA)) - word32 sigDataSz; - #endif - #if defined(HAVE_ECC) - word32 exportSz; - #endif - #ifdef HAVE_QSH - word32 qshSz; - #endif - int sendSz; - } SskeArgs; - - static void FreeSskeArgs(WOLFSSL* ssl, void* pArgs) - { - SskeArgs* args = (SskeArgs*)pArgs; - - (void)ssl; - - #if defined(HAVE_ECC) - if (args->exportBuf) { - XFREE(args->exportBuf, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->exportBuf = NULL; - } - #endif - #if defined(HAVE_ECC) || (!defined(NO_DH) && !defined(NO_RSA)) - if (args->sigDataBuf) { - XFREE(args->sigDataBuf, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->sigDataBuf = NULL; - } - #endif - #ifndef NO_RSA - if (args->verifySig) { - XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->verifySig = NULL; - } - #endif - (void)args; - } - - int SendServerKeyExchange(WOLFSSL* ssl) - { - int ret; - #ifdef WOLFSSL_ASYNC_CRYPT - SskeArgs* args = (SskeArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); - #else - SskeArgs args[1]; - #endif - - WOLFSSL_ENTER("SendServerKeyExchange"); - - #ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_sske; - } - else - #endif - { - /* Reset state */ - ret = 0; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - XMEMSET(args, 0, sizeof(SskeArgs)); - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeSskeArgs; - #endif - } - - switch(ssl->options.asyncState) - { - case TLS_ASYNC_BEGIN: - { - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent) { - args->qshSz = QSH_KeyGetSize(ssl); - } - #endif - - /* Do some checks / debug msgs */ - switch(ssl->specs.kea) - { - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - WOLFSSL_MSG("Using ephemeral ECDH PSK"); - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - if (ssl->specs.static_ecdh) { - WOLFSSL_MSG("Using Static ECDH, not sending ServerKeyExchange"); - ERROR_OUT(0, exit_sske); - } - - /* make sure private key exists */ - if (ssl->buffers.key == NULL || - ssl->buffers.key->buffer == NULL) { - ERROR_OUT(NO_PRIVATE_KEY, exit_sske); - } - - WOLFSSL_MSG("Using ephemeral ECDH"); - break; - } - #endif /* HAVE_ECC */ - } - - /* Preparing keys */ - switch(ssl->specs.kea) - { - #ifndef NO_PSK - case psk_kea: - { - /* Nothing to do in this sub-state */ - break; - } - #endif /* !NO_PSK */ - #if !defined(NO_DH) && (!defined(NO_PSK) || !defined(NO_RSA)) - #if !defined(NO_PSK) - case dhe_psk_kea: - #endif - #if !defined(NO_RSA) - case diffie_hellman_kea: - #endif - { - /* Allocate DH key buffers and generate key */ - if (ssl->buffers.serverDH_P.buffer == NULL || - ssl->buffers.serverDH_G.buffer == NULL) { - ERROR_OUT(NO_DH_PARAMS, exit_sske); - } - - if (ssl->buffers.serverDH_Pub.buffer == NULL) { - /* Free'd in SSL_ResourceFree and FreeHandshakeResources */ - ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC( - ssl->buffers.serverDH_P.length + OPAQUE16_LEN, - ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_Pub.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - } - - if (ssl->buffers.serverDH_Priv.buffer == NULL) { - /* Free'd in SSL_ResourceFree and FreeHandshakeResources */ - ssl->buffers.serverDH_Priv.buffer = (byte*)XMALLOC( - ssl->buffers.serverDH_P.length + OPAQUE16_LEN, - ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_Priv.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - } - - ssl->options.dhKeySz = - (word16)ssl->buffers.serverDH_P.length; - - ret = AllocKey(ssl, DYNAMIC_TYPE_DH, - (void**)&ssl->buffers.serverDH_Key); - if (ret != 0) { - goto exit_sske; - } - - ret = wc_DhSetKey(ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); - if (ret != 0) { - goto exit_sske; - } - - ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_Priv.buffer, - &ssl->buffers.serverDH_Priv.length, - ssl->buffers.serverDH_Pub.buffer, - &ssl->buffers.serverDH_Pub.length); - break; - } - #endif /* !NO_DH && (!NO_PSK || !NO_RSA) */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - /* Fall through to create temp ECC key */ - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - /* need ephemeral key now, create it if missing */ - if (ssl->eccTempKey == NULL) { - /* alloc/init on demand */ - ret = AllocKey(ssl, DYNAMIC_TYPE_ECC, - (void**)&ssl->eccTempKey); - if (ret != 0) { - goto exit_sske; - } - } - - if (ssl->eccTempKeyPresent == 0) { - /* TODO: Need to first do wc_EccPrivateKeyDecode, - then we know curve dp */ - ret = EccMakeKey(ssl, ssl->eccTempKey, NULL); - if (ret == 0 || ret == WC_PENDING_E) { - ssl->eccTempKeyPresent = 1; - } - } - break; - } - #endif /* HAVE_ECC */ - default: - /* Skip ServerKeyExchange */ - goto exit_sske; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_sske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_BUILD; - } /* case TLS_ASYNC_BEGIN */ - - case TLS_ASYNC_BUILD: - { - #if (!defined(NO_DH) && !defined(NO_RSA)) || defined(HAVE_ECC) - word32 preSigSz, preSigIdx; - #endif - - switch(ssl->specs.kea) - { - #ifndef NO_PSK - case psk_kea: - { - args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - - if (ssl->arrays->server_hint[0] == 0) { - ERROR_OUT(0, exit_sske); /* don't send */ - } - - /* include size part */ - args->length = (word32)XSTRLEN(ssl->arrays->server_hint); - if (args->length > MAX_PSK_ID_LEN) { - ERROR_OUT(SERVER_HINT_ERROR, exit_sske); - } - - args->length += HINT_LEN_SZ; - args->sendSz = args->length + HANDSHAKE_HEADER_SZ + - RECORD_HEADER_SZ; - - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { - goto exit_sske; - } - - /* get ouput buffer */ - args->output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(args->output, args->length, - server_key_exchange, ssl); - - /* key data */ - #ifdef HAVE_QSH - c16toa((word16)(args->length - args->qshSz - - HINT_LEN_SZ), args->output + args->idx); - #else - c16toa((word16)(args->length - HINT_LEN_SZ), - args->output + args->idx); - #endif - - args->idx += HINT_LEN_SZ; - XMEMCPY(args->output + args->idx, - ssl->arrays->server_hint, - args->length - HINT_LEN_SZ); - break; - } - #endif /* !NO_PSK */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - word32 hintLen; - - args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - args->length = LENGTH_SZ * 3 + /* p, g, pub */ - ssl->buffers.serverDH_P.length + - ssl->buffers.serverDH_G.length + - ssl->buffers.serverDH_Pub.length; - - /* include size part */ - hintLen = (word32)XSTRLEN(ssl->arrays->server_hint); - if (hintLen > MAX_PSK_ID_LEN) { - ERROR_OUT(SERVER_HINT_ERROR, exit_sske); - } - args->length += hintLen + HINT_LEN_SZ; - args->sendSz = args->length + HANDSHAKE_HEADER_SZ + - RECORD_HEADER_SZ; - - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { - goto exit_sske; - } - - /* get ouput buffer */ - args->output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(args->output, args->length, - server_key_exchange, ssl); - - /* key data */ - c16toa((word16)hintLen, args->output + args->idx); - args->idx += HINT_LEN_SZ; - XMEMCPY(args->output + args->idx, - ssl->arrays->server_hint, hintLen); - args->idx += hintLen; - - /* add p, g, pub */ - c16toa((word16)ssl->buffers.serverDH_P.length, - args->output + args->idx); - args->idx += LENGTH_SZ; - XMEMCPY(args->output + args->idx, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length); - args->idx += ssl->buffers.serverDH_P.length; - - /* g */ - c16toa((word16)ssl->buffers.serverDH_G.length, - args->output + args->idx); - args->idx += LENGTH_SZ; - XMEMCPY(args->output + args->idx, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); - args->idx += ssl->buffers.serverDH_G.length; - - /* pub */ - c16toa((word16)ssl->buffers.serverDH_Pub.length, - args->output + args->idx); - args->idx += LENGTH_SZ; - XMEMCPY(args->output + args->idx, - ssl->buffers.serverDH_Pub.buffer, - ssl->buffers.serverDH_Pub.length); - /* No need to update idx, since sizes are already set */ - /* args->idx += ssl->buffers.serverDH_Pub.length; */ - break; - } - #endif /* !defined(NO_DH) && !defined(NO_PSK) */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - word32 hintLen; - - /* curve type, named curve, length(1) */ - args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - args->length = ENUM_LEN + CURVE_LEN + ENUM_LEN; - - args->exportSz = MAX_EXPORT_ECC_SZ; - args->exportBuf = (byte*)XMALLOC(args->exportSz, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (args->exportBuf == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - if (wc_ecc_export_x963(ssl->eccTempKey, args->exportBuf, - &args->exportSz) != 0) { - ERROR_OUT(ECC_EXPORT_ERROR, exit_sske); - } - args->length += args->exportSz; - - /* include size part */ - hintLen = (word32)XSTRLEN(ssl->arrays->server_hint); - if (hintLen > MAX_PSK_ID_LEN) { - ERROR_OUT(SERVER_HINT_ERROR, exit_sske); - } - args->length += hintLen + HINT_LEN_SZ; - args->sendSz = args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { - goto exit_sske; - } - - /* get output buffer */ - args->output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - /* key data */ - c16toa((word16)hintLen, args->output + args->idx); - args->idx += HINT_LEN_SZ; - XMEMCPY(args->output + args->idx, - ssl->arrays->server_hint, hintLen); - args->idx += hintLen; - - /* ECC key exchange data */ - args->output[args->idx++] = named_curve; - args->output[args->idx++] = 0x00; /* leading zero */ - args->output[args->idx++] = SetCurveId(ssl->eccTempKey); - args->output[args->idx++] = (byte)args->exportSz; - XMEMCPY(args->output + args->idx, args->exportBuf, - args->exportSz); - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - enum wc_HashType hashType = WC_HASH_TYPE_NONE; - - /* curve type, named curve, length(1) */ - args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - args->length = ENUM_LEN + CURVE_LEN + ENUM_LEN; - - /* Export temp ECC key and add to length */ - args->exportSz = MAX_EXPORT_ECC_SZ; - args->exportBuf = (byte*)XMALLOC(args->exportSz, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (args->exportBuf == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - if (wc_ecc_export_x963(ssl->eccTempKey, args->exportBuf, - &args->exportSz) != 0) { - ERROR_OUT(ECC_EXPORT_ERROR, exit_sske); - } - args->length += args->exportSz; - - preSigSz = args->length; - preSigIdx = args->idx; - - switch(ssl->specs.sig_algo) - { - #ifndef NO_RSA - case rsa_sa_algo: - { - word32 i = 0; - int keySz; - - ssl->hsType = DYNAMIC_TYPE_RSA; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_sske; - } - - ret = wc_RsaPrivateKeyDecode( - ssl->buffers.key->buffer, - &i, - (RsaKey*)ssl->hsKey, - ssl->buffers.key->length); - if (ret != 0) { - goto exit_sske; - } - keySz = wc_RsaEncryptSize((RsaKey*)ssl->hsKey); - if (keySz < 0) { /* test if keySz has error */ - ERROR_OUT(keySz, exit_sske); - } - - args->tmpSigSz = (word32)keySz; - if (keySz < ssl->options.minRsaKeySz) { - WOLFSSL_MSG("RSA signature key size too small"); - ERROR_OUT(RSA_KEY_SIZE_E, exit_sske); - } - break; - } - #endif /* !NO_RSA */ - case ecc_dsa_sa_algo: - { - word32 i = 0; - - ssl->hsType = DYNAMIC_TYPE_ECC; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_sske; - } - - ret = wc_EccPrivateKeyDecode( - ssl->buffers.key->buffer, - &i, - (ecc_key*)ssl->hsKey, - ssl->buffers.key->length); - if (ret != 0) { - goto exit_sske; - } - /* worst case estimate */ - args->tmpSigSz = wc_ecc_sig_size( - (ecc_key*)ssl->hsKey); - - /* check the minimum ECC key size */ - if (wc_ecc_size((ecc_key*)ssl->hsKey) < - ssl->options.minEccKeySz) { - WOLFSSL_MSG("ECC key size too small"); - ret = ECC_KEY_SIZE_E; - goto exit_sske; - } - break; - } - default: - ERROR_OUT(ALGO_ID_E, exit_sske); /* unsupported type */ - } /* switch(ssl->specs.sig_algo) */ - - /* sig length */ - args->length += LENGTH_SZ; - args->length += args->tmpSigSz; - - if (IsAtLeastTLSv1_2(ssl)) { - args->length += HASH_SIG_SIZE; - } - - args->sendSz = args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - preSigIdx = args->idx; - } - #endif - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { - goto exit_sske; - } - - /* get ouput buffer */ - args->output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - /* record and message headers will be added below, when we're sure - of the sig length */ - - /* key exchange data */ - args->output[args->idx++] = named_curve; - args->output[args->idx++] = 0x00; /* leading zero */ - args->output[args->idx++] = SetCurveId(ssl->eccTempKey); - args->output[args->idx++] = (byte)args->exportSz; - XMEMCPY(args->output + args->idx, args->exportBuf, args->exportSz); - args->idx += args->exportSz; - - /* Determine hash type */ - if (IsAtLeastTLSv1_2(ssl)) { - args->output[args->idx++] = ssl->suites->hashAlgo; - args->output[args->idx++] = ssl->suites->sigAlgo; - - switch (ssl->suites->hashAlgo) { - case sha512_mac: - #ifdef WOLFSSL_SHA512 - hashType = WC_HASH_TYPE_SHA512; - #endif - break; - case sha384_mac: - #ifdef WOLFSSL_SHA384 - hashType = WC_HASH_TYPE_SHA384; - #endif - break; - case sha256_mac: - #ifndef NO_SHA256 - hashType = WC_HASH_TYPE_SHA256; - #endif - break; - case sha_mac: - #if !defined(NO_SHA) && \ - (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) - hashType = WC_HASH_TYPE_SHA; - #endif - break; - default: - WOLFSSL_MSG("Bad hash sig algo"); - break; - } - - if (hashType == WC_HASH_TYPE_NONE) { - ERROR_OUT(ALGO_ID_E, exit_sske); - } - - } else { - /* only using sha and md5 for rsa */ - #ifndef NO_OLD_TLS - hashType = WC_HASH_TYPE_SHA; - if (ssl->suites->sigAlgo == rsa_sa_algo) { - hashType = WC_HASH_TYPE_MD5_SHA; - } - #else - ERROR_OUT(ALGO_ID_E, exit_sske); - #endif - } - - /* Signtaure length will be written later, when we're sure what it is */ - - #ifdef HAVE_FUZZER - if (ssl->fuzzerCb) { - ssl->fuzzerCb(ssl, args->output + preSigIdx, - preSigSz, FUZZ_SIGNATURE, ssl->fuzzerCtx); - } - #endif - - /* Assemble buffer to hash for signature */ - args->sigDataSz = RAN_LEN + RAN_LEN + preSigSz; - args->sigDataBuf = (byte*)XMALLOC(args->sigDataSz, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (args->sigDataBuf == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - XMEMCPY(args->sigDataBuf, ssl->arrays->clientRandom, - RAN_LEN); - XMEMCPY(args->sigDataBuf+RAN_LEN, - ssl->arrays->serverRandom, RAN_LEN); - XMEMCPY(args->sigDataBuf+RAN_LEN+RAN_LEN, - args->output + preSigIdx, preSigSz); - - ssl->buffers.sig.length = wc_HashGetDigestSize(hashType); - ssl->buffers.sig.buffer = (byte*)XMALLOC( - ssl->buffers.sig.length, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->buffers.sig.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - - /* Perform hash */ - ret = wc_Hash(hashType, - args->sigDataBuf, args->sigDataSz, - ssl->buffers.sig.buffer, ssl->buffers.sig.length); - if (ret != 0) { - goto exit_sske; - } - - args->sigSz = args->tmpSigSz; - - /* Sign hash to create signature */ - switch (ssl->specs.sig_algo) - { - #ifndef NO_RSA - case rsa_sa_algo: - { - /* For TLS 1.2 re-encode signature */ - if (IsAtLeastTLSv1_2(ssl)) { - int typeH = 0; - byte* encodedSig = (byte*)XMALLOC( - MAX_ENCODED_SIG_SZ, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (encodedSig == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - - switch (ssl->suites->hashAlgo) { - case sha512_mac: - #ifdef WOLFSSL_SHA512 - typeH = SHA512h; - #endif - break; - case sha384_mac: - #ifdef WOLFSSL_SHA384 - typeH = SHA384h; - #endif - break; - case sha256_mac: - #ifndef NO_SHA256 - typeH = SHA256h; - #endif - break; - case sha_mac: - #if !defined(NO_SHA) && \ - (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) - typeH = SHAh; - #endif - break; - default: - break; - } - - ssl->buffers.sig.length = - wc_EncodeSignature(encodedSig, - ssl->buffers.sig.buffer, - ssl->buffers.sig.length, typeH); - - /* Replace sig buffer with new one */ - XFREE(ssl->buffers.sig.buffer, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - ssl->buffers.sig.buffer = encodedSig; - } - - /* write sig size here */ - c16toa((word16)args->sigSz, - args->output + args->idx); - args->idx += LENGTH_SZ; - break; - } - #endif /* !NO_RSA */ - case ecc_dsa_sa_algo: - { - break; - } - } /* switch(ssl->specs.sig_algo) */ - break; - } - #endif /* HAVE_ECC */ - #if !defined(NO_DH) && !defined(NO_RSA) - case diffie_hellman_kea: - { - enum wc_HashType hashType = WC_HASH_TYPE_NONE; - - args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - args->length = LENGTH_SZ * 3; /* p, g, pub */ - args->length += ssl->buffers.serverDH_P.length + - ssl->buffers.serverDH_G.length + - ssl->buffers.serverDH_Pub.length; - - preSigIdx = args->idx; - preSigSz = args->length; - - if (!ssl->options.usingAnon_cipher) { - word32 i = 0; - int keySz; - - /* make sure private key exists */ - if (ssl->buffers.key == NULL || - ssl->buffers.key->buffer == NULL) { - ERROR_OUT(NO_PRIVATE_KEY, exit_sske); - } - - ssl->hsType = DYNAMIC_TYPE_RSA; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_sske; - } - - /* sig length */ - args->length += LENGTH_SZ; - - ret = wc_RsaPrivateKeyDecode( - ssl->buffers.key->buffer, &i, - (RsaKey*)ssl->hsKey, ssl->buffers.key->length); - if (ret != 0) { - goto exit_sske; - } - keySz = wc_RsaEncryptSize((RsaKey*)ssl->hsKey); - if (keySz < 0) { /* test if keySz has error */ - ERROR_OUT(keySz, exit_sske); - } - args->tmpSigSz = (word32)keySz; - args->length += args->tmpSigSz; - - if (keySz < ssl->options.minRsaKeySz) { - WOLFSSL_MSG("RSA key size too small"); - ERROR_OUT(RSA_KEY_SIZE_E, exit_sske); - } - - if (IsAtLeastTLSv1_2(ssl)) { - args->length += HASH_SIG_SIZE; - } - } - - args->sendSz = args->length + HANDSHAKE_HEADER_SZ + - RECORD_HEADER_SZ; - - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - preSigIdx = args->idx; - } - #endif - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { - goto exit_sske; - } - - /* get ouput buffer */ - args->output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(args->output, args->length, - server_key_exchange, ssl); - - /* add p, g, pub */ - c16toa((word16)ssl->buffers.serverDH_P.length, - args->output + args->idx); - args->idx += LENGTH_SZ; - XMEMCPY(args->output + args->idx, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length); - args->idx += ssl->buffers.serverDH_P.length; - - /* g */ - c16toa((word16)ssl->buffers.serverDH_G.length, - args->output + args->idx); - args->idx += LENGTH_SZ; - XMEMCPY(args->output + args->idx, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); - args->idx += ssl->buffers.serverDH_G.length; - - /* pub */ - c16toa((word16)ssl->buffers.serverDH_Pub.length, - args->output + args->idx); - args->idx += LENGTH_SZ; - XMEMCPY(args->output + args->idx, - ssl->buffers.serverDH_Pub.buffer, - ssl->buffers.serverDH_Pub.length); - args->idx += ssl->buffers.serverDH_Pub.length; - - #ifdef HAVE_FUZZER - if (ssl->fuzzerCb) { - ssl->fuzzerCb(ssl, args->output + preSigIdx, - preSigSz, FUZZ_SIGNATURE, ssl->fuzzerCtx); - } - #endif - - if (ssl->options.usingAnon_cipher) { - break; - } - - /* Determine hash type */ - if (IsAtLeastTLSv1_2(ssl)) { - args->output[args->idx++] = ssl->suites->hashAlgo; - args->output[args->idx++] = ssl->suites->sigAlgo; - - switch (ssl->suites->hashAlgo) { - case sha512_mac: - #ifdef WOLFSSL_SHA512 - hashType = WC_HASH_TYPE_SHA512; - #endif - break; - case sha384_mac: - #ifdef WOLFSSL_SHA384 - hashType = WC_HASH_TYPE_SHA384; - #endif - break; - case sha256_mac: - #ifndef NO_SHA256 - hashType = WC_HASH_TYPE_SHA256; - #endif - break; - case sha_mac: - #if !defined(NO_SHA) && \ - (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) - hashType = WC_HASH_TYPE_SHA; - #endif - break; - default: - WOLFSSL_MSG("Bad hash sig algo"); - break; - } - - if (hashType == WC_HASH_TYPE_NONE) { - ERROR_OUT(ALGO_ID_E, exit_sske); - } - } else { - /* only using sha and md5 for rsa */ - #ifndef NO_OLD_TLS - hashType = WC_HASH_TYPE_SHA; - if (ssl->suites->sigAlgo == rsa_sa_algo) { - hashType = WC_HASH_TYPE_MD5_SHA; - } - #else - ERROR_OUT(ALGO_ID_E, exit_sske); - #endif - } - - /* signature size */ - c16toa((word16)args->tmpSigSz, args->output + args->idx); - args->idx += LENGTH_SZ; - - /* Assemble buffer to hash for signature */ - args->sigDataSz = RAN_LEN + RAN_LEN + preSigSz; - args->sigDataBuf = (byte*)XMALLOC(args->sigDataSz, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (args->sigDataBuf == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - XMEMCPY(args->sigDataBuf, ssl->arrays->clientRandom, - RAN_LEN); - XMEMCPY(args->sigDataBuf+RAN_LEN, - ssl->arrays->serverRandom, RAN_LEN); - XMEMCPY(args->sigDataBuf+RAN_LEN+RAN_LEN, - args->output + preSigIdx, preSigSz); - - ssl->buffers.sig.length = wc_HashGetDigestSize(hashType); - ssl->buffers.sig.buffer = (byte*)XMALLOC( - ssl->buffers.sig.length, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->buffers.sig.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - - /* Perform hash */ - ret = wc_Hash(hashType, - args->sigDataBuf, args->sigDataSz, - ssl->buffers.sig.buffer, ssl->buffers.sig.length); - if (ret != 0) { - goto exit_sske; - } - - args->sigSz = args->tmpSigSz; - - /* Sign hash to create signature */ - switch (ssl->suites->sigAlgo) - { - #ifndef NO_RSA - case rsa_sa_algo: - { - /* For TLS 1.2 re-encode signature */ - if (IsAtLeastTLSv1_2(ssl)) { - int typeH = 0; - byte* encodedSig = (byte*)XMALLOC( - MAX_ENCODED_SIG_SZ, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (encodedSig == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - - switch (ssl->suites->hashAlgo) { - case sha512_mac: - #ifdef WOLFSSL_SHA512 - typeH = SHA512h; - #endif - break; - case sha384_mac: - #ifdef WOLFSSL_SHA384 - typeH = SHA384h; - #endif - break; - case sha256_mac: - #ifndef NO_SHA256 - typeH = SHA256h; - #endif - break; - case sha_mac: - #if !defined(NO_SHA) && \ - (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) - typeH = SHAh; - #endif - break; - default: - break; - } - - ssl->buffers.sig.length = - wc_EncodeSignature(encodedSig, - ssl->buffers.sig.buffer, - ssl->buffers.sig.length, typeH); - - /* Replace sig buffer with new one */ - XFREE(ssl->buffers.sig.buffer, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - ssl->buffers.sig.buffer = encodedSig; - } - break; - } - #endif /* NO_RSA */ - } /* switch (ssl->suites->sigAlgo) */ - break; - } - #endif /* !defined(NO_DH) && !defined(NO_RSA) */ - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_sske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_DO; - } /* case TLS_ASYNC_BUILD */ - - case TLS_ASYNC_DO: - { - switch(ssl->specs.kea) - { - #ifndef NO_PSK - case psk_kea: - { - break; - } - #endif /* !NO_PSK */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - break; - } - #endif /* !defined(NO_DH) && !defined(NO_PSK) */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - /* Sign hash to create signature */ - switch (ssl->specs.sig_algo) - { - #ifndef NO_RSA - case rsa_sa_algo: - { - RsaKey* key = (RsaKey*)ssl->hsKey; - - ret = RsaSign(ssl, - ssl->buffers.sig.buffer, - ssl->buffers.sig.length, - args->output + args->idx, - &args->sigSz, - key, - ssl->buffers.key->buffer, - ssl->buffers.key->length, - #ifdef HAVE_PK_CALLBACKS - ssl->RsaSignCtx - #else - NULL - #endif - ); - break; - } - #endif /* !NO_RSA */ - case ecc_dsa_sa_algo: - { - ecc_key* key = (ecc_key*)ssl->hsKey; - - ret = EccSign(ssl, - ssl->buffers.sig.buffer, - ssl->buffers.sig.length, - args->output + LENGTH_SZ + args->idx, - &args->sigSz, - key, - #if defined(HAVE_PK_CALLBACKS) - ssl->buffers.key->buffer, - ssl->buffers.key->length, - ssl->EccSignCtx - #else - NULL, 0, NULL - #endif - ); - break; - } - } /* switch(ssl->specs.sig_algo) */ - break; - } - #endif /* HAVE_ECC */ - #if !defined(NO_DH) && !defined(NO_RSA) - case diffie_hellman_kea: - { - /* Sign hash to create signature */ - switch (ssl->suites->sigAlgo) - { - #ifndef NO_RSA - case rsa_sa_algo: - { - RsaKey* key = (RsaKey*)ssl->hsKey; - - if (ssl->options.usingAnon_cipher) { - break; - } - - ret = RsaSign(ssl, - ssl->buffers.sig.buffer, - ssl->buffers.sig.length, - args->output + args->idx, - &args->sigSz, - key, - ssl->buffers.key->buffer, - ssl->buffers.key->length, - #ifdef HAVE_PK_CALLBACKS - ssl->RsaSignCtx - #else - NULL - #endif - ); - break; - } - #endif /* NO_RSA */ - } /* switch (ssl->suites->sigAlgo) */ - - break; - } - #endif /* !defined(NO_DH) && !defined(NO_RSA) */ - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_sske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_VERIFY; - } /* case TLS_ASYNC_DO */ - - case TLS_ASYNC_VERIFY: - { - switch(ssl->specs.kea) - { - #ifndef NO_PSK - case psk_kea: - { - /* Nothing to do in this sub-state */ - break; - } - #endif /* !NO_PSK */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - /* Nothing to do in this sub-state */ - break; - } - #endif /* !defined(NO_DH) && !defined(NO_PSK) */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - /* Nothing to do in this sub-state */ - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - switch(ssl->specs.sig_algo) - { - #ifndef NO_RSA - case rsa_sa_algo: - { - RsaKey* key = (RsaKey*)ssl->hsKey; - - if (args->verifySig == NULL) { - if (args->sigSz == 0) { - ERROR_OUT(BAD_COND_E, exit_sske); - } - args->verifySig = (byte*)XMALLOC( - args->sigSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (!args->verifySig) { - ERROR_OUT(MEMORY_E, exit_sske); - } - XMEMCPY(args->verifySig, - args->output + args->idx, args->sigSz); - } - - /* check for signature faults */ - ret = VerifyRsaSign(ssl, - args->verifySig, args->sigSz, - ssl->buffers.sig.buffer, - ssl->buffers.sig.length, - key - ); - break; - } - #endif - case ecc_dsa_sa_algo: - { - /* Now that we know the real sig size, write it. */ - c16toa((word16)args->sigSz, - args->output + args->idx); - - /* And adjust length and sendSz from estimates */ - args->length += args->sigSz - args->tmpSigSz; - args->sendSz += args->sigSz - args->tmpSigSz; - break; - } - default: - ERROR_OUT(ALGO_ID_E, exit_sske); /* unsupported type */ - } /* switch(ssl->specs.sig_algo) */ - break; - } - #endif /* HAVE_ECC */ - #if !defined(NO_DH) && !defined(NO_RSA) - case diffie_hellman_kea: - { - switch (ssl->suites->sigAlgo) - { - #ifndef NO_RSA - case rsa_sa_algo: - { - RsaKey* key = (RsaKey*)ssl->hsKey; - - if (ssl->options.usingAnon_cipher) { - break; - } - - if (args->verifySig == NULL) { - if (args->sigSz == 0) { - ERROR_OUT(BAD_COND_E, exit_sske); - } - args->verifySig = (byte*)XMALLOC( - args->sigSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (!args->verifySig) { - ERROR_OUT(MEMORY_E, exit_sske); - } - XMEMCPY(args->verifySig, - args->output + args->idx, args->sigSz); - } - - /* check for signature faults */ - ret = VerifyRsaSign(ssl, - args->verifySig, args->sigSz, - ssl->buffers.sig.buffer, - ssl->buffers.sig.length, - key - ); - break; - } - #endif - } /* switch (ssl->suites->sigAlgo) */ - break; - } - #endif /* !defined(NO_DH) && !defined(NO_RSA) */ - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_sske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_FINALIZE; - } /* case TLS_ASYNC_VERIFY */ - - case TLS_ASYNC_FINALIZE: - { - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent) { - if (args->qshSz > 0) { - args->idx = args->sendSz - args->qshSz; - if (QSH_KeyExchangeWrite(ssl, 1) != 0) { - ERROR_OUT(MEMORY_E, exit_sske); - } - - /* extension type */ - c16toa(TLSX_QUANTUM_SAFE_HYBRID, - args->output + args->idx); - args->idx += OPAQUE16_LEN; - - /* write to output and check amount written */ - if (TLSX_QSHPK_Write(ssl->QSH_secret->list, - args->output + args->idx) > - args->qshSz - OPAQUE16_LEN) { - ERROR_OUT(MEMORY_E, exit_sske); - } - } - } - #endif - - #if defined(HAVE_ECC) - if (ssl->specs.kea == ecdhe_psk_kea || - ssl->specs.kea == ecc_diffie_hellman_kea) { - /* Check output to make sure it was set */ - if (args->output) { - AddHeaders(args->output, args->length, - server_key_exchange, ssl); - } - else { - ERROR_OUT(BUFFER_ERROR, exit_sske); - } - } - #endif /* HAVE_ECC */ - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, args->output, args->sendSz)) != 0) { - goto exit_sske; - } - } - - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - - ret = HashOutput(ssl, args->output, args->sendSz, 0); - if (ret != 0) { - goto exit_sske; - } - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) { - AddPacketName(ssl, "ServerKeyExchange"); - } - if (ssl->toInfoOn) { - AddPacketInfo(ssl, "ServerKeyExchange", handshake, - args->output, args->sendSz, WRITE_PROTO, ssl->heap); - } - #endif - - /* Check for error */ - if (ret != 0) { - goto exit_sske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_END; - } /* case TLS_ASYNC_FINALIZE */ - - case TLS_ASYNC_END: - { - ssl->buffers.outputBuffer.length += args->sendSz; - if (!ssl->options.groupMessages) { - ret = SendBuffered(ssl); - } - - ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE; - break; - } - default: - ret = INPUT_CASE_ERROR; - } /* switch(ssl->options.asyncState) */ - - exit_sske: - - WOLFSSL_LEAVE("SendServerKeyExchange", ret); - - #ifdef WOLFSSL_ASYNC_CRYPT - /* Handle async operation */ - if (ret == WC_PENDING_E) - return ret; - #endif /* WOLFSSL_ASYNC_CRYPT */ - - /* Final cleanup */ - FreeSskeArgs(ssl, args); - FreeKeyExchange(ssl); - - return ret; - } - -#ifdef HAVE_SERVER_RENEGOTIATION_INFO - - /* search suites for specific one, idx on success, negative on error */ - static int FindSuite(Suites* suites, byte first, byte second) - { - int i; - - if (suites == NULL || suites->suiteSz == 0) { - WOLFSSL_MSG("Suites pointer error or suiteSz 0"); - return SUITES_ERROR; - } - - for (i = 0; i < suites->suiteSz-1; i += SUITE_LEN) { - if (suites->suites[i] == first && - suites->suites[i+1] == second ) - return i; - } - - return MATCH_SUITE_ERROR; - } - -#endif - - /* Make sure server cert/key are valid for this suite, true on success */ - static int VerifyServerSuite(WOLFSSL* ssl, word16 idx) - { - int haveRSA = !ssl->options.haveStaticECC; - int havePSK = 0; - byte first; - byte second; - - WOLFSSL_ENTER("VerifyServerSuite"); - - if (ssl->suites == NULL) { - WOLFSSL_MSG("Suites pointer error"); - return 0; - } - - first = ssl->suites->suites[idx]; - second = ssl->suites->suites[idx+1]; - - #ifndef NO_PSK - havePSK = ssl->options.havePSK; - #endif - - if (ssl->options.haveNTRU) - haveRSA = 0; - - if (CipherRequires(first, second, REQUIRES_RSA)) { - WOLFSSL_MSG("Requires RSA"); - if (haveRSA == 0) { - WOLFSSL_MSG("Don't have RSA"); - return 0; - } - } - - if (CipherRequires(first, second, REQUIRES_DHE)) { - WOLFSSL_MSG("Requires DHE"); - if (ssl->options.haveDH == 0) { - WOLFSSL_MSG("Don't have DHE"); - return 0; - } - } - - if (CipherRequires(first, second, REQUIRES_ECC)) { - WOLFSSL_MSG("Requires ECC"); - if (ssl->options.haveECC == 0) { - WOLFSSL_MSG("Don't have ECC"); - return 0; - } - } - - if (CipherRequires(first, second, REQUIRES_ECC_STATIC)) { - WOLFSSL_MSG("Requires static ECC"); - if (ssl->options.haveStaticECC == 0) { - WOLFSSL_MSG("Don't have static ECC"); - return 0; - } - } - - if (CipherRequires(first, second, REQUIRES_PSK)) { - WOLFSSL_MSG("Requires PSK"); - if (havePSK == 0) { - WOLFSSL_MSG("Don't have PSK"); - return 0; - } - } - - if (CipherRequires(first, second, REQUIRES_NTRU)) { - WOLFSSL_MSG("Requires NTRU"); - if (ssl->options.haveNTRU == 0) { - WOLFSSL_MSG("Don't have NTRU"); - return 0; - } - } - - if (CipherRequires(first, second, REQUIRES_RSA_SIG)) { - WOLFSSL_MSG("Requires RSA Signature"); - if (ssl->options.side == WOLFSSL_SERVER_END && - ssl->options.haveECDSAsig == 1) { - WOLFSSL_MSG("Don't have RSA Signature"); - return 0; - } - } - -#ifdef HAVE_SUPPORTED_CURVES - if (!TLSX_ValidateEllipticCurves(ssl, first, second)) { - WOLFSSL_MSG("Don't have matching curves"); - return 0; - } -#endif - - /* ECCDHE is always supported if ECC on */ - -#ifdef HAVE_QSH - /* need to negotiate a classic suite in addition to TLS_QSH */ - if (first == QSH_BYTE && second == TLS_QSH) { - if (TLSX_SupportExtensions(ssl)) { - ssl->options.haveQSH = 1; /* matched TLS_QSH */ - } - else { - WOLFSSL_MSG("Version of SSL connection does not support TLS_QSH"); - } - return 0; - } -#endif - - return 1; - } - -#ifndef NO_WOLFSSL_SERVER - static int CompareSuites(WOLFSSL* ssl, Suites* peerSuites, word16 i, - word16 j) - { - if (ssl->suites->suites[i] == peerSuites->suites[j] && - ssl->suites->suites[i+1] == peerSuites->suites[j+1] ) { - - if (VerifyServerSuite(ssl, i)) { - int result; - WOLFSSL_MSG("Verified suite validity"); - ssl->options.cipherSuite0 = ssl->suites->suites[i]; - ssl->options.cipherSuite = ssl->suites->suites[i+1]; - result = SetCipherSpecs(ssl); - if (result == 0) - PickHashSigAlgo(ssl, peerSuites->hashSigAlgo, - peerSuites->hashSigAlgoSz); - return result; - } - else { - WOLFSSL_MSG("Could not verify suite validity, continue"); - } - } - - return MATCH_SUITE_ERROR; - } - - static int MatchSuite(WOLFSSL* ssl, Suites* peerSuites) - { - int ret; - word16 i, j; - - WOLFSSL_ENTER("MatchSuite"); - - /* & 0x1 equivalent % 2 */ - if (peerSuites->suiteSz == 0 || peerSuites->suiteSz & 0x1) - return MATCH_SUITE_ERROR; - - if (ssl->suites == NULL) - return SUITES_ERROR; - - if (!ssl->options.useClientOrder) { - /* Server order */ - for (i = 0; i < ssl->suites->suiteSz; i += 2) { - for (j = 0; j < peerSuites->suiteSz; j += 2) { - ret = CompareSuites(ssl, peerSuites, i, j); - if (ret != MATCH_SUITE_ERROR) - return ret; - } - } - } - else { - /* Client order */ - for (j = 0; j < peerSuites->suiteSz; j += 2) { - for (i = 0; i < ssl->suites->suiteSz; i += 2) { - ret = CompareSuites(ssl, peerSuites, i, j); - if (ret != MATCH_SUITE_ERROR) - return ret; - } - } - } - - return MATCH_SUITE_ERROR; - } -#endif - -#ifdef OLD_HELLO_ALLOWED - - /* process old style client hello, deprecate? */ - int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - word32 inSz, word16 sz) - { - word32 idx = *inOutIdx; - word16 sessionSz; - word16 randomSz; - word16 i, j; - ProtocolVersion pv; - Suites clSuites; - - (void)inSz; - WOLFSSL_MSG("Got old format client hello"); -#ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) - AddPacketName(ssl, "ClientHello"); - if (ssl->toInfoOn) - AddLateName("ClientHello", &ssl->timeoutInfo); -#endif - - /* manually hash input since different format */ -#ifndef NO_OLD_TLS -#ifndef NO_MD5 - wc_Md5Update(&ssl->hsHashes->hashMd5, input + idx, sz); -#endif -#ifndef NO_SHA - wc_ShaUpdate(&ssl->hsHashes->hashSha, input + idx, sz); -#endif -#endif -#ifndef NO_SHA256 - if (IsAtLeastTLSv1_2(ssl)) { - int shaRet = wc_Sha256Update(&ssl->hsHashes->hashSha256, - input + idx, sz); - if (shaRet != 0) - return shaRet; - } -#endif - - /* does this value mean client_hello? */ - idx++; - - /* version */ - pv.major = input[idx++]; - pv.minor = input[idx++]; - ssl->chVersion = pv; /* store */ - - if (ssl->version.minor > pv.minor) { - byte haveRSA = 0; - byte havePSK = 0; - if (!ssl->options.downgrade) { - WOLFSSL_MSG("Client trying to connect with lesser version"); - return VERSION_ERROR; - } - if (pv.minor < ssl->options.minDowngrade) { - WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); - return VERSION_ERROR; - } - if (pv.minor == SSLv3_MINOR) { - /* turn off tls */ - WOLFSSL_MSG("\tdowngrading to SSLv3"); - ssl->options.tls = 0; - ssl->options.tls1_1 = 0; - ssl->version.minor = SSLv3_MINOR; - } - else if (pv.minor == TLSv1_MINOR) { - WOLFSSL_MSG("\tdowngrading to TLSv1"); - /* turn off tls 1.1+ */ - ssl->options.tls1_1 = 0; - ssl->version.minor = TLSv1_MINOR; - } - else if (pv.minor == TLSv1_1_MINOR) { - WOLFSSL_MSG("\tdowngrading to TLSv1.1"); - ssl->version.minor = TLSv1_1_MINOR; - } -#ifndef NO_RSA - haveRSA = 1; -#endif -#ifndef NO_PSK - havePSK = ssl->options.havePSK; -#endif - - InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); - } - - /* suite size */ - ato16(&input[idx], &clSuites.suiteSz); - idx += OPAQUE16_LEN; - - if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ) - return BUFFER_ERROR; - clSuites.hashSigAlgoSz = 0; - - /* session size */ - ato16(&input[idx], &sessionSz); - idx += OPAQUE16_LEN; - - if (sessionSz > ID_LEN) - return BUFFER_ERROR; - - /* random size */ - ato16(&input[idx], &randomSz); - idx += OPAQUE16_LEN; - - if (randomSz > RAN_LEN) - return BUFFER_ERROR; - - /* suites */ - for (i = 0, j = 0; i < clSuites.suiteSz; i += 3) { - byte first = input[idx++]; - if (!first) { /* implicit: skip sslv2 type */ - XMEMCPY(&clSuites.suites[j], &input[idx], SUITE_LEN); - j += SUITE_LEN; - } - idx += SUITE_LEN; - } - clSuites.suiteSz = j; - - /* session id */ - if (sessionSz) { - XMEMCPY(ssl->arrays->sessionID, input + idx, sessionSz); - ssl->arrays->sessionIDSz = (byte)sessionSz; - idx += sessionSz; - ssl->options.resuming = 1; - } - - /* random */ - if (randomSz < RAN_LEN) - XMEMSET(ssl->arrays->clientRandom, 0, RAN_LEN - randomSz); - XMEMCPY(&ssl->arrays->clientRandom[RAN_LEN - randomSz], input + idx, - randomSz); - idx += randomSz; - - if (ssl->options.usingCompression) - ssl->options.usingCompression = 0; /* turn off */ - - ssl->options.clientState = CLIENT_HELLO_COMPLETE; - *inOutIdx = idx; - - ssl->options.haveSessionId = 1; - /* DoClientHello uses same resume code */ - if (ssl->options.resuming) { /* let's try */ - int ret = -1; - WOLFSSL_SESSION* session = GetSession(ssl, - ssl->arrays->masterSecret, 1); - #ifdef HAVE_SESSION_TICKET - if (ssl->options.useTicket == 1) { - session = &ssl->session; - } - #endif - - if (!session) { - WOLFSSL_MSG("Session lookup for resume failed"); - ssl->options.resuming = 0; - } else { - #ifdef HAVE_EXT_CACHE - wolfSSL_SESSION_free(session); - #endif - if (MatchSuite(ssl, &clSuites) < 0) { - WOLFSSL_MSG("Unsupported cipher suite, OldClientHello"); - return UNSUPPORTED_SUITE; - } - - ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom, - RAN_LEN); - if (ret != 0) - return ret; - - #ifdef NO_OLD_TLS - ret = DeriveTlsKeys(ssl); - #else - #ifndef NO_TLS - if (ssl->options.tls) - ret = DeriveTlsKeys(ssl); - #endif - if (!ssl->options.tls) - ret = DeriveKeys(ssl); - #endif - ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; - - return ret; - } - } - - return MatchSuite(ssl, &clSuites); - } - -#endif /* OLD_HELLO_ALLOWED */ - - - static int DoClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - word32 helloSz) - { - byte b; - byte bogusID = 0; /* flag for a bogus session id */ - ProtocolVersion pv; - Suites clSuites; - word32 i = *inOutIdx; - word32 begin = i; -#ifdef WOLFSSL_DTLS - Hmac cookieHmac; - byte peerCookie[MAX_COOKIE_LEN]; - byte peerCookieSz = 0; - byte cookieType; - byte cookieSz = 0; - - XMEMSET(&cookieHmac, 0, sizeof(Hmac)); -#endif /* WOLFSSL_DTLS */ - -#ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello"); - if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo); -#endif - - #ifdef OPENSSL_EXTRA - if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_HANDSHAKE_START, SSL_SUCCESS); - } - #endif - - /* protocol version, random and session id length check */ - if ((i - begin) + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz) - return BUFFER_ERROR; - - /* protocol version */ - XMEMCPY(&pv, input + i, OPAQUE16_LEN); - ssl->chVersion = pv; /* store */ -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - int ret; - #if defined(NO_SHA) && defined(NO_SHA256) - #error "DTLS needs either SHA or SHA-256" - #endif /* NO_SHA && NO_SHA256 */ - - #if !defined(NO_SHA) && defined(NO_SHA256) - cookieType = SHA; - cookieSz = SHA_DIGEST_SIZE; - #endif /* NO_SHA */ - #ifndef NO_SHA256 - cookieType = SHA256; - cookieSz = SHA256_DIGEST_SIZE; - #endif /* NO_SHA256 */ - ret = wc_HmacSetKey(&cookieHmac, cookieType, - ssl->buffers.dtlsCookieSecret.buffer, - ssl->buffers.dtlsCookieSecret.length); - if (ret != 0) return ret; - ret = wc_HmacUpdate(&cookieHmac, - (const byte*)ssl->buffers.dtlsCtx.peer.sa, - ssl->buffers.dtlsCtx.peer.sz); - if (ret != 0) return ret; - ret = wc_HmacUpdate(&cookieHmac, input + i, OPAQUE16_LEN); - if (ret != 0) return ret; - } -#endif /* WOLFSSL_DTLS */ - i += OPAQUE16_LEN; - - if ((!ssl->options.dtls && ssl->version.minor > pv.minor) || - (ssl->options.dtls && ssl->version.minor != DTLS_MINOR - && ssl->version.minor != DTLSv1_2_MINOR && pv.minor != DTLS_MINOR - && pv.minor != DTLSv1_2_MINOR)) { - - word16 haveRSA = 0; - word16 havePSK = 0; - - if (!ssl->options.downgrade) { - WOLFSSL_MSG("Client trying to connect with lesser version"); - return VERSION_ERROR; - } - if (pv.minor < ssl->options.minDowngrade) { - WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); - return VERSION_ERROR; - } - - if (pv.minor == SSLv3_MINOR) { - /* turn off tls */ - WOLFSSL_MSG("\tdowngrading to SSLv3"); - ssl->options.tls = 0; - ssl->options.tls1_1 = 0; - ssl->version.minor = SSLv3_MINOR; - } - else if (pv.minor == TLSv1_MINOR) { - /* turn off tls 1.1+ */ - WOLFSSL_MSG("\tdowngrading to TLSv1"); - ssl->options.tls1_1 = 0; - ssl->version.minor = TLSv1_MINOR; - } - else if (pv.minor == TLSv1_1_MINOR) { - WOLFSSL_MSG("\tdowngrading to TLSv1.1"); - ssl->version.minor = TLSv1_1_MINOR; - } -#ifndef NO_RSA - haveRSA = 1; -#endif -#ifndef NO_PSK - havePSK = ssl->options.havePSK; -#endif - InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); - } - - /* random */ - XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN); -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - int ret = wc_HmacUpdate(&cookieHmac, input + i, RAN_LEN); - if (ret != 0) return ret; - } -#endif /* WOLFSSL_DTLS */ - i += RAN_LEN; - -#ifdef SHOW_SECRETS - { - int j; - printf("client random: "); - for (j = 0; j < RAN_LEN; j++) - printf("%02x", ssl->arrays->clientRandom[j]); - printf("\n"); - } -#endif - - /* session id */ - b = input[i++]; - -#ifdef HAVE_SESSION_TICKET - if (b > 0 && b < ID_LEN) { - bogusID = 1; - WOLFSSL_MSG("Client sent bogus session id, let's allow for echo"); - } -#endif - - if (b == ID_LEN || bogusID) { - if ((i - begin) + b > helloSz) - return BUFFER_ERROR; - - XMEMCPY(ssl->arrays->sessionID, input + i, b); -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - int ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1); - if (ret != 0) return ret; - } -#endif /* WOLFSSL_DTLS */ - ssl->arrays->sessionIDSz = b; - i += b; - ssl->options.resuming = 1; /* client wants to resume */ - WOLFSSL_MSG("Client wants to resume session"); - } - else if (b) { - WOLFSSL_MSG("Invalid session ID size"); - return BUFFER_ERROR; /* session ID nor 0 neither 32 bytes long */ - } - - #ifdef WOLFSSL_DTLS - /* cookie */ - if (ssl->options.dtls) { - - if ((i - begin) + OPAQUE8_LEN > helloSz) - return BUFFER_ERROR; - - peerCookieSz = input[i++]; - - if (peerCookieSz) { - if (peerCookieSz > MAX_COOKIE_LEN) - return BUFFER_ERROR; - - if ((i - begin) + peerCookieSz > helloSz) - return BUFFER_ERROR; - - XMEMCPY(peerCookie, input + i, peerCookieSz); - - i += peerCookieSz; - } - } - #endif - - /* suites */ - if ((i - begin) + OPAQUE16_LEN > helloSz) - return BUFFER_ERROR; - - ato16(&input[i], &clSuites.suiteSz); - i += OPAQUE16_LEN; - - /* suites and compression length check */ - if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz) - return BUFFER_ERROR; - - if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ) - return BUFFER_ERROR; - - XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz); - -#ifdef HAVE_SERVER_RENEGOTIATION_INFO - /* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */ - if (FindSuite(&clSuites, 0, TLS_EMPTY_RENEGOTIATION_INFO_SCSV) >= 0) { - int ret = 0; - - ret = TLSX_AddEmptyRenegotiationInfo(&ssl->extensions, ssl->heap); - if (ret != SSL_SUCCESS) - return ret; - } -#endif /* HAVE_SERVER_RENEGOTIATION_INFO */ - -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - int ret = wc_HmacUpdate(&cookieHmac, - input + i - OPAQUE16_LEN, - clSuites.suiteSz + OPAQUE16_LEN); - if (ret != 0) return ret; - } -#endif /* WOLFSSL_DTLS */ - i += clSuites.suiteSz; - clSuites.hashSigAlgoSz = 0; - - /* compression length */ - b = input[i++]; - - if ((i - begin) + b > helloSz) - return BUFFER_ERROR; - - if (b == 0) { - WOLFSSL_MSG("No compression types in list"); - return COMPRESSION_ERROR; - } - -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - byte newCookie[MAX_COOKIE_LEN]; - int ret; - - ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1); - if (ret != 0) return ret; - ret = wc_HmacFinal(&cookieHmac, newCookie); - if (ret != 0) return ret; - - /* If a cookie callback is set, call it to overwrite the cookie. - * This should be deprecated. The code now calculates the cookie - * using an HMAC as expected. */ - if (ssl->ctx->CBIOCookie != NULL && - ssl->ctx->CBIOCookie(ssl, newCookie, cookieSz, - ssl->IOCB_CookieCtx) != cookieSz) { - return COOKIE_ERROR; - } - - /* Check the cookie, see if we progress the state machine. */ - if (peerCookieSz != cookieSz || - XMEMCMP(peerCookie, newCookie, cookieSz) != 0) { - - /* Send newCookie to client in a HelloVerifyRequest message - * and let the state machine alone. */ - ssl->msgsReceived.got_client_hello = 0; - ssl->keys.dtls_handshake_number = 0; - ssl->keys.dtls_expected_peer_handshake_number = 0; - *inOutIdx += helloSz; - return SendHelloVerifyRequest(ssl, newCookie, cookieSz); - } - - /* This was skipped in the DTLS case so we could handle the hello - * verify request. */ - ret = HashInput(ssl, input + *inOutIdx, helloSz); - if (ret != 0) return ret; - } -#endif /* WOLFSSL_DTLS */ - - { - /* copmression match types */ - int matchNo = 0; - int matchZlib = 0; - - while (b--) { - byte comp = input[i++]; - - if (comp == NO_COMPRESSION) { - matchNo = 1; - } - if (comp == ZLIB_COMPRESSION) { - matchZlib = 1; - } - } - - if (ssl->options.usingCompression == 0 && matchNo) { - WOLFSSL_MSG("Matched No Compression"); - } else if (ssl->options.usingCompression && matchZlib) { - WOLFSSL_MSG("Matched zlib Compression"); - } else if (ssl->options.usingCompression && matchNo) { - WOLFSSL_MSG("Could only match no compression, turning off"); - ssl->options.usingCompression = 0; /* turn off */ - } else { - WOLFSSL_MSG("Could not match compression"); - return COMPRESSION_ERROR; - } - } - - *inOutIdx = i; - - /* tls extensions */ - if ((i - begin) < helloSz) { -#ifdef HAVE_TLS_EXTENSIONS - #ifdef HAVE_QSH - QSH_Init(ssl); - #endif - if (TLSX_SupportExtensions(ssl)) { - int ret = 0; -#else - if (IsAtLeastTLSv1_2(ssl)) { -#endif - /* Process the hello extension. Skip unsupported. */ - word16 totalExtSz; - -#ifdef HAVE_TLS_EXTENSIONS - /* auto populate extensions supported unless user defined */ - if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0) - return ret; -#endif - - if ((i - begin) + OPAQUE16_LEN > helloSz) - return BUFFER_ERROR; - - ato16(&input[i], &totalExtSz); - i += OPAQUE16_LEN; - - if ((i - begin) + totalExtSz > helloSz) - return BUFFER_ERROR; - -#ifdef HAVE_TLS_EXTENSIONS - /* tls extensions */ - if ((ret = TLSX_Parse(ssl, (byte *) input + i, - totalExtSz, 1, &clSuites))) - return ret; -#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) - if((ret=SNI_Callback(ssl))) - return ret; - ssl->options.side = WOLFSSL_SERVER_END; -#endif /*HAVE_STUNNEL*/ - - i += totalExtSz; -#else - while (totalExtSz) { - word16 extId, extSz; - - if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz) - return BUFFER_ERROR; - - ato16(&input[i], &extId); - i += OPAQUE16_LEN; - ato16(&input[i], &extSz); - i += OPAQUE16_LEN; - - if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz) - return BUFFER_ERROR; - - if (extId == HELLO_EXT_SIG_ALGO) { - ato16(&input[i], &clSuites.hashSigAlgoSz); - i += OPAQUE16_LEN; - - if (OPAQUE16_LEN + clSuites.hashSigAlgoSz > extSz) - return BUFFER_ERROR; - - XMEMCPY(clSuites.hashSigAlgo, &input[i], - min(clSuites.hashSigAlgoSz, HELLO_EXT_SIGALGO_MAX)); - i += clSuites.hashSigAlgoSz; - - if (clSuites.hashSigAlgoSz > HELLO_EXT_SIGALGO_MAX) - clSuites.hashSigAlgoSz = HELLO_EXT_SIGALGO_MAX; - } -#ifdef HAVE_EXTENDED_MASTER - else if (extId == HELLO_EXT_EXTMS) - ssl->options.haveEMS = 1; -#endif - else - i += extSz; - - totalExtSz -= OPAQUE16_LEN + OPAQUE16_LEN + extSz; - } -#endif - *inOutIdx = i; - } - else - *inOutIdx = begin + helloSz; /* skip extensions */ - } - - ssl->options.clientState = CLIENT_HELLO_COMPLETE; - ssl->options.haveSessionId = 1; - - /* ProcessOld uses same resume code */ - if (ssl->options.resuming) { - int ret = -1; - WOLFSSL_SESSION* session = GetSession(ssl, - ssl->arrays->masterSecret, 1); - #ifdef HAVE_SESSION_TICKET - if (ssl->options.useTicket == 1) { - session = &ssl->session; - } else if (bogusID == 1 && ssl->options.rejectTicket == 0) { - WOLFSSL_MSG("Bogus session ID without session ticket"); - return BUFFER_ERROR; - } - #endif - - if (!session) { - WOLFSSL_MSG("Session lookup for resume failed"); - ssl->options.resuming = 0; - } - else if (session->haveEMS != ssl->options.haveEMS) { - /* RFC 7627, 5.3, server-side */ - /* if old sess didn't have EMS, but new does, full handshake */ - if (!session->haveEMS && ssl->options.haveEMS) { - WOLFSSL_MSG("Attempting to resume a session that didn't " - "use EMS with a new session with EMS. Do full " - "handshake."); - ssl->options.resuming = 0; - } - /* if old sess used EMS, but new doesn't, MUST abort */ - else if (session->haveEMS && !ssl->options.haveEMS) { - WOLFSSL_MSG("Trying to resume a session with EMS without " - "using EMS"); - return EXT_MASTER_SECRET_NEEDED_E; - } -#ifdef HAVE_EXT_CACHE - wolfSSL_SESSION_free(session); -#endif - } - else { -#ifdef HAVE_EXT_CACHE - wolfSSL_SESSION_free(session); -#endif - if (MatchSuite(ssl, &clSuites) < 0) { - WOLFSSL_MSG("Unsupported cipher suite, ClientHello"); - return UNSUPPORTED_SUITE; - } - - ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom, - RAN_LEN); - if (ret != 0) - return ret; - - #ifdef NO_OLD_TLS - ret = DeriveTlsKeys(ssl); - #else - #ifndef NO_TLS - if (ssl->options.tls) - ret = DeriveTlsKeys(ssl); - #endif - if (!ssl->options.tls) - ret = DeriveKeys(ssl); - #endif - ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; - - return ret; - } - } - return MatchSuite(ssl, &clSuites); - } - - -#if !defined(NO_RSA) || defined(HAVE_ECC) - - typedef struct DcvArgs { - byte* output; /* not allocated */ - word32 sendSz; - word16 sz; - word32 sigSz; - word32 idx; - word32 begin; - byte hashAlgo; - byte sigAlgo; - } DcvArgs; - - static void FreeDcvArgs(WOLFSSL* ssl, void* pArgs) - { - DcvArgs* args = (DcvArgs*)pArgs; - - (void)ssl; - (void)args; - } - - static int DoCertificateVerify(WOLFSSL* ssl, byte* input, - word32* inOutIdx, word32 size) - { - int ret = 0; - #ifdef WOLFSSL_ASYNC_CRYPT - DcvArgs* args = (DcvArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); - #else - DcvArgs args[1]; - #endif - - WOLFSSL_ENTER("DoCertificateVerify"); - - #ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_dcv; - } - else - #endif - { - /* Reset state */ - ret = 0; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - XMEMSET(args, 0, sizeof(DcvArgs)); - args->hashAlgo = sha_mac; - args->sigAlgo = anonymous_sa_algo; - args->idx = *inOutIdx; - args->begin = *inOutIdx; - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeDcvArgs; - #endif - } - - switch(ssl->options.asyncState) - { - case TLS_ASYNC_BEGIN: - { - #ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) - AddPacketName(ssl, "CertificateVerify"); - if (ssl->toInfoOn) - AddLateName("CertificateVerify", &ssl->timeoutInfo); - #endif - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_BUILD; - } /* case TLS_ASYNC_BEGIN */ - - case TLS_ASYNC_BUILD: - { - if (IsAtLeastTLSv1_2(ssl)) { - if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcv); - } - - args->hashAlgo = input[args->idx++]; - args->sigAlgo = input[args->idx++]; - } - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcv); - } - - ato16(input + args->idx, &args->sz); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + args->sz > size || - args->sz > ENCRYPT_LEN) { - ERROR_OUT(BUFFER_ERROR, exit_dcv); - } - - #ifdef HAVE_ECC - if (ssl->peerEccDsaKeyPresent) { - - WOLFSSL_MSG("Doing ECC peer cert verify"); - - /* make sure a default is defined */ - #if !defined(NO_SHA) - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha; - ssl->buffers.digest.length = SHA_DIGEST_SIZE; - #elif !defined(NO_SHA256) - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha256; - ssl->buffers.digest.length = SHA256_DIGEST_SIZE; - #elif defined(WOLFSSL_SHA384) - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha384; - ssl->buffers.digest.length = SHA384_DIGEST_SIZE; - #elif defined(WOLFSSL_SHA512) - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha512; - ssl->buffers.digest.length = SHA512_DIGEST_SIZE; - #else - #error No digest enabled for ECC sig verify - #endif - - if (IsAtLeastTLSv1_2(ssl)) { - if (args->sigAlgo != ecc_dsa_sa_algo) { - WOLFSSL_MSG("Oops, peer sent ECC key but not in verify"); - } - - switch (args->hashAlgo) { - case sha256_mac: - #ifndef NO_SHA256 - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha256; - ssl->buffers.digest.length = SHA256_DIGEST_SIZE; - #endif - break; - case sha384_mac: - #ifdef WOLFSSL_SHA384 - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha384; - ssl->buffers.digest.length = SHA384_DIGEST_SIZE; - #endif - break; - case sha512_mac: - #ifdef WOLFSSL_SHA512 - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha512; - ssl->buffers.digest.length = SHA512_DIGEST_SIZE; - #endif - break; - } - } - } - #endif /* HAVE_ECC */ - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_DO; - } /* case TLS_ASYNC_BUILD */ - - case TLS_ASYNC_DO: - { - #ifndef NO_RSA - if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) { - WOLFSSL_MSG("Doing RSA peer cert verify"); - - ret = RsaVerify(ssl, - input + args->idx, - args->sz, - &args->output, - ssl->peerRsaKey, - #ifdef HAVE_PK_CALLBACKS - ssl->buffers.peerRsaKey.buffer, - ssl->buffers.peerRsaKey.length, - ssl->RsaVerifyCtx - #else - NULL, 0, NULL - #endif - ); - if (ret >= 0) { - args->sendSz = ret; - ret = 0; - } - } - #endif /* !NO_RSA */ - #ifdef HAVE_ECC - if (ssl->peerEccDsaKeyPresent) { - WOLFSSL_MSG("Doing ECC peer cert verify"); - - ret = EccVerify(ssl, - input + args->idx, args->sz, - ssl->buffers.digest.buffer, ssl->buffers.digest.length, - ssl->peerEccDsaKey, - #ifdef HAVE_PK_CALLBACKS - ssl->buffers.peerEccDsaKey.buffer, - ssl->buffers.peerEccDsaKey.length, - ssl->EccVerifyCtx - #else - NULL, 0, NULL - #endif - ); - } - #endif /* HAVE_ECC */ - - /* Check for error */ - if (ret != 0) { - goto exit_dcv; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_VERIFY; - } /* case TLS_ASYNC_DO */ - - case TLS_ASYNC_VERIFY: - { - #ifndef NO_RSA - if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) { - if (IsAtLeastTLSv1_2(ssl)) { - #ifdef WOLFSSL_SMALL_STACK - byte* encodedSig = NULL; - #else - byte encodedSig[MAX_ENCODED_SIG_SZ]; - #endif - int typeH = SHAh; - - /* make sure a default is defined */ - #if !defined(NO_SHA) - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha; - ssl->buffers.digest.length = SHA_DIGEST_SIZE; - #elif !defined(NO_SHA256) - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha256; - ssl->buffers.digest.length = SHA256_DIGEST_SIZE; - #elif defined(WOLFSSL_SHA384) - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha384; - ssl->buffers.digest.length = SHA384_DIGEST_SIZE; - #elif defined(WOLFSSL_SHA512) - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha512; - ssl->buffers.digest.length = SHA512_DIGEST_SIZE; - #else - #error No digest enabled for RSA sig verify - #endif - - #ifdef WOLFSSL_SMALL_STACK - encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (encodedSig == NULL) { - ERROR_OUT(MEMORY_E, exit_dcv); - } - #endif - - if (args->sigAlgo != rsa_sa_algo) { - WOLFSSL_MSG("Oops, peer sent RSA key but not in verify"); - } - - switch (args->hashAlgo) { - case sha256_mac: - #ifndef NO_SHA256 - typeH = SHA256h; - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha256; - ssl->buffers.digest.length = SHA256_DIGEST_SIZE; - #endif /* !NO_SHA256 */ - break; - case sha384_mac: - #ifdef WOLFSSL_SHA384 - typeH = SHA384h; - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha384; - ssl->buffers.digest.length = SHA384_DIGEST_SIZE; - #endif /* WOLFSSL_SHA384 */ - break; - case sha512_mac: - #ifdef WOLFSSL_SHA512 - typeH = SHA512h; - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha512; - ssl->buffers.digest.length = SHA512_DIGEST_SIZE; - #endif /* WOLFSSL_SHA512 */ - break; - } /* switch */ - - args->sigSz = wc_EncodeSignature(encodedSig, - ssl->buffers.digest.buffer, - ssl->buffers.digest.length, typeH); - - if (args->sendSz != args->sigSz || !args->output || - XMEMCMP(args->output, encodedSig, - min(args->sigSz, MAX_ENCODED_SIG_SZ)) != 0) { - ret = VERIFY_CERT_ERROR; - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(encodedSig, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - } - else { - if (args->sendSz != FINISHED_SZ || !args->output || - XMEMCMP(args->output, - &ssl->hsHashes->certHashes, FINISHED_SZ) != 0) { - ret = VERIFY_CERT_ERROR; - } - } - } - #endif /* !NO_RSA */ - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_FINALIZE; - } /* case TLS_ASYNC_VERIFY */ - - case TLS_ASYNC_FINALIZE: - { - ssl->options.havePeerVerify = 1; - - /* Set final index */ - args->idx += args->sz; - *inOutIdx = args->idx; - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_END; - } /* case TLS_ASYNC_FINALIZE */ - - case TLS_ASYNC_END: - { - break; - } - default: - ret = INPUT_CASE_ERROR; - } /* switch(ssl->options.asyncState) */ - - exit_dcv: - - WOLFSSL_LEAVE("DoCertificateVerify", ret); - - #ifdef WOLFSSL_ASYNC_CRYPT - /* Handle async operation */ - if (ret == WC_PENDING_E) { - /* Mark message as not recevied so it can process again */ - ssl->msgsReceived.got_certificate_verify = 0; - - return ret; - } - #endif /* WOLFSSL_ASYNC_CRYPT */ - - /* Digest is not allocated, so do this to prevent free */ - ssl->buffers.digest.buffer = NULL; - ssl->buffers.digest.length = 0; - - /* Final cleanup */ - FreeDcvArgs(ssl, args); - FreeKeyExchange(ssl); - - return ret; - } - -#endif /* !NO_RSA || HAVE_ECC */ - - int SendServerHelloDone(WOLFSSL* ssl) - { - byte* output; - int sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - int ret; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - #endif - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(output, 0, server_hello_done, ssl); - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) - return 0; - } - - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - - ret = HashOutput(ssl, output, sendSz, 0); - if (ret != 0) - return ret; - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "ServerHelloDone"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "ServerHelloDone", handshake, output, sendSz, - WRITE_PROTO, ssl->heap); - #endif - ssl->options.serverState = SERVER_HELLODONE_COMPLETE; - - ssl->buffers.outputBuffer.length += sendSz; - - return SendBuffered(ssl); - } - - -#ifdef HAVE_SESSION_TICKET - -#define WOLFSSL_TICKET_FIXED_SZ (WOLFSSL_TICKET_NAME_SZ + \ - WOLFSSL_TICKET_IV_SZ + WOLFSSL_TICKET_MAC_SZ + LENGTH_SZ) -#define WOLFSSL_TICKET_ENC_SZ (SESSION_TICKET_LEN - WOLFSSL_TICKET_FIXED_SZ) - - /* our ticket format */ - typedef struct InternalTicket { - ProtocolVersion pv; /* version when ticket created */ - byte suite[SUITE_LEN]; /* cipher suite when created */ - byte msecret[SECRET_LEN]; /* master secret */ - word32 timestamp; /* born on */ - word16 haveEMS; /* have extended master secret */ - } InternalTicket; - - /* fit within SESSION_TICKET_LEN */ - typedef struct ExternalTicket { - byte key_name[WOLFSSL_TICKET_NAME_SZ]; /* key context name */ - byte iv[WOLFSSL_TICKET_IV_SZ]; /* this ticket's iv */ - byte enc_len[LENGTH_SZ]; /* encrypted length */ - byte enc_ticket[WOLFSSL_TICKET_ENC_SZ]; /* encrypted internal ticket */ - byte mac[WOLFSSL_TICKET_MAC_SZ]; /* total mac */ - /* !! if add to structure, add to TICKET_FIXED_SZ !! */ - } ExternalTicket; - - /* create a new session ticket, 0 on success */ - static int CreateTicket(WOLFSSL* ssl) - { - InternalTicket it; - ExternalTicket* et = (ExternalTicket*)ssl->session.ticket; - int encLen; - int ret; - byte zeros[WOLFSSL_TICKET_MAC_SZ]; /* biggest cmp size */ - - XMEMSET(&it, 0, sizeof(it)); - - /* build internal */ - it.pv.major = ssl->version.major; - it.pv.minor = ssl->version.minor; - - it.suite[0] = ssl->options.cipherSuite0; - it.suite[1] = ssl->options.cipherSuite; - - XMEMCPY(it.msecret, ssl->arrays->masterSecret, SECRET_LEN); - c32toa(LowResTimer(), (byte*)&it.timestamp); - it.haveEMS = ssl->options.haveEMS; - - /* build external */ - XMEMCPY(et->enc_ticket, &it, sizeof(InternalTicket)); - - /* encrypt */ - encLen = WOLFSSL_TICKET_ENC_SZ; /* max size user can use */ - ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, et->mac, 1, - et->enc_ticket, sizeof(InternalTicket), - &encLen, ssl->ctx->ticketEncCtx); - if (ret == WOLFSSL_TICKET_RET_OK) { - if (encLen < (int)sizeof(InternalTicket) || - encLen > WOLFSSL_TICKET_ENC_SZ) { - WOLFSSL_MSG("Bad user ticket encrypt size"); - return BAD_TICKET_KEY_CB_SZ; - } - - /* sanity checks on encrypt callback */ - - /* internal ticket can't be the same if encrypted */ - if (XMEMCMP(et->enc_ticket, &it, sizeof(InternalTicket)) == 0) { - WOLFSSL_MSG("User ticket encrypt didn't encrypt"); - return BAD_TICKET_ENCRYPT; - } - - XMEMSET(zeros, 0, sizeof(zeros)); - - /* name */ - if (XMEMCMP(et->key_name, zeros, WOLFSSL_TICKET_NAME_SZ) == 0) { - WOLFSSL_MSG("User ticket encrypt didn't set name"); - return BAD_TICKET_ENCRYPT; - } - - /* iv */ - if (XMEMCMP(et->iv, zeros, WOLFSSL_TICKET_IV_SZ) == 0) { - WOLFSSL_MSG("User ticket encrypt didn't set iv"); - return BAD_TICKET_ENCRYPT; - } - - /* mac */ - if (XMEMCMP(et->mac, zeros, WOLFSSL_TICKET_MAC_SZ) == 0) { - WOLFSSL_MSG("User ticket encrypt didn't set mac"); - return BAD_TICKET_ENCRYPT; - } - - /* set size */ - c16toa((word16)encLen, et->enc_len); - ssl->session.ticketLen = (word16)(encLen + WOLFSSL_TICKET_FIXED_SZ); - if (encLen < WOLFSSL_TICKET_ENC_SZ) { - /* move mac up since whole enc buffer not used */ - XMEMMOVE(et->enc_ticket +encLen, et->mac,WOLFSSL_TICKET_MAC_SZ); - } - } - - return ret; - } - - - /* Parse ticket sent by client, returns callback return value */ - int DoClientTicket(WOLFSSL* ssl, const byte* input, word32 len) - { - ExternalTicket* et; - InternalTicket* it; - int ret; - int outLen; - word16 inLen; - - if (len > SESSION_TICKET_LEN || - len < (word32)(sizeof(InternalTicket) + WOLFSSL_TICKET_FIXED_SZ)) { - return BAD_TICKET_MSG_SZ; - } - - et = (ExternalTicket*)input; - it = (InternalTicket*)et->enc_ticket; - - /* decrypt */ - ato16(et->enc_len, &inLen); - if (inLen > (word16)(len - WOLFSSL_TICKET_FIXED_SZ)) { - return BAD_TICKET_MSG_SZ; - } - outLen = inLen; /* may be reduced by user padding */ - ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, - et->enc_ticket + inLen, 0, - et->enc_ticket, inLen, &outLen, - ssl->ctx->ticketEncCtx); - if (ret == WOLFSSL_TICKET_RET_FATAL || ret < 0) return ret; - if (outLen > inLen || outLen < (int)sizeof(InternalTicket)) { - WOLFSSL_MSG("Bad user ticket decrypt len"); - return BAD_TICKET_KEY_CB_SZ; - } - - /* get master secret */ - if (ret == WOLFSSL_TICKET_RET_OK || ret == WOLFSSL_TICKET_RET_CREATE) { - XMEMCPY(ssl->arrays->masterSecret, it->msecret, SECRET_LEN); - /* Copy the haveExtendedMasterSecret property from the ticket to - * the saved session, so the property may be checked later. */ - ssl->session.haveEMS = it->haveEMS; - } - - return ret; - } - - - /* send Session Ticket */ - int SendTicket(WOLFSSL* ssl) - { - byte* output; - int ret; - int sendSz; - word32 length = SESSION_HINT_SZ + LENGTH_SZ; - word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - - if (ssl->options.createTicket) { - ret = CreateTicket(ssl); - if (ret != 0) return ret; - } - - length += ssl->session.ticketLen; - sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(output, length, session_ticket, ssl); - - /* hint */ - c32toa(ssl->ctx->ticketHint, output + idx); - idx += SESSION_HINT_SZ; - - /* length */ - c16toa(ssl->session.ticketLen, output + idx); - idx += LENGTH_SZ; - - /* ticket */ - XMEMCPY(output + idx, ssl->session.ticket, ssl->session.ticketLen); - /* idx += ssl->session.ticketLen; */ - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) - return ret; - - DtlsSEQIncrement(ssl, CUR_ORDER); - } - #endif - - ret = HashOutput(ssl, output, sendSz, 0); - if (ret != 0) return ret; - ssl->buffers.outputBuffer.length += sendSz; - - return SendBuffered(ssl); - } - -#endif /* HAVE_SESSION_TICKET */ - - -#ifdef WOLFSSL_DTLS - static int SendHelloVerifyRequest(WOLFSSL* ssl, - const byte* cookie, byte cookieSz) - { - byte* output; - int length = VERSION_SZ + ENUM_LEN + cookieSz; - int idx = DTLS_RECORD_HEADER_SZ + DTLS_HANDSHAKE_HEADER_SZ; - int sendSz = length + idx; - int ret; - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - /* Hello Verify Request should use the same sequence number as the - * Client Hello. */ - ssl->keys.dtls_sequence_number_hi = ssl->keys.curSeq_hi; - ssl->keys.dtls_sequence_number_lo = ssl->keys.curSeq_lo; - AddHeaders(output, length, hello_verify_request, ssl); - -#ifdef OPENSSL_EXTRA - output[idx++] = DTLS_MAJOR; - output[idx++] = DTLS_MINOR; -#else - output[idx++] = ssl->version.major; - output[idx++] = ssl->version.minor; -#endif - - output[idx++] = cookieSz; - if (cookie == NULL || cookieSz == 0) - return COOKIE_ERROR; - - XMEMCPY(output + idx, cookie, cookieSz); - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "HelloVerifyRequest"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "HelloVerifyRequest", handshake, output, - sendSz, WRITE_PROTO, ssl->heap); -#endif - - ssl->buffers.outputBuffer.length += sendSz; - - return SendBuffered(ssl); - } -#endif /* WOLFSSL_DTLS */ - - typedef struct DckeArgs { - byte* output; /* not allocated */ - word32 length; - word32 idx; - word32 begin; - word32 sigSz; - } DckeArgs; - - static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs) - { - DckeArgs* args = (DckeArgs*)pArgs; - - (void)ssl; - (void)args; - } - - static int DoClientKeyExchange(WOLFSSL* ssl, byte* input, word32* inOutIdx, - word32 size) - { - int ret; - #ifdef WOLFSSL_ASYNC_CRYPT - DckeArgs* args = (DckeArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); - #else - DckeArgs args[1]; - #endif - - WOLFSSL_ENTER("DoClientKeyExchange"); - - #ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_dcke; - } - else - #endif /* WOLFSSL_ASYNC_CRYPT */ - { - /* Reset state */ - ret = 0; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - XMEMSET(args, 0, sizeof(DckeArgs)); - args->idx = *inOutIdx; - args->begin = *inOutIdx; - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeDckeArgs; - #endif - } - - /* Do Client Key Exchange State Machine */ - switch(ssl->options.asyncState) - { - case TLS_ASYNC_BEGIN: - { - /* Sanity checks */ - if (ssl->options.side != WOLFSSL_SERVER_END) { - WOLFSSL_MSG("Client received client keyexchange, attack?"); - WOLFSSL_ERROR(ssl->error = SIDE_ERROR); - ERROR_OUT(SSL_FATAL_ERROR, exit_dcke); - } - - if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { - WOLFSSL_MSG("Client sending keyexchange at wrong time"); - SendAlert(ssl, alert_fatal, unexpected_message); - ERROR_OUT(OUT_OF_ORDER_E, exit_dcke); - } - - #ifndef NO_CERTS - if (ssl->options.verifyPeer && ssl->options.failNoCert) { - if (!ssl->options.havePeerCert) { - WOLFSSL_MSG("client didn't present peer cert"); - ERROR_OUT(NO_PEER_CERT, exit_dcke); - } - } - - if (ssl->options.verifyPeer && ssl->options.failNoCertxPSK) { - if (!ssl->options.havePeerCert && - !ssl->options.usingPSK_cipher) { - WOLFSSL_MSG("client didn't present peer cert"); - return NO_PEER_CERT; - } - } - #endif /* !NO_CERTS */ - - #if defined(WOLFSSL_CALLBACKS) - if (ssl->hsInfoOn) { - AddPacketName(ssl, "ClientKeyExchange"); - } - if (ssl->toInfoOn) { - AddLateName("ClientKeyExchange", &ssl->timeoutInfo); - } - #endif - - switch (ssl->specs.kea) { - #ifndef NO_RSA - case rsa_kea: - { - /* make sure private key exists */ - if (ssl->buffers.key == NULL || - ssl->buffers.key->buffer == NULL) { - ERROR_OUT(NO_PRIVATE_KEY, exit_dcke); - } - break; - } /* rsa_kea */ - #endif /* !NO_RSA */ - #ifndef NO_PSK - case psk_kea: - { - /* sanity check that PSK server callback has been set */ - if (ssl->options.server_psk_cb == NULL) { - WOLFSSL_MSG("No server PSK callback set"); - ERROR_OUT(PSK_KEY_ERROR, exit_dcke); - } - break; - } - #endif /* !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - /* make sure private key exists */ - if (ssl->buffers.key == NULL || - ssl->buffers.key->buffer == NULL) { - ERROR_OUT(NO_PRIVATE_KEY, exit_dcke); - } - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - break; - } - #endif /* HAVE_ECC */ - #ifndef NO_DH - case diffie_hellman_kea: - { - break; - } - #endif /* !NO_DH */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - /* sanity check that PSK server callback has been set */ - if (ssl->options.server_psk_cb == NULL) { - WOLFSSL_MSG("No server PSK callback set"); - ERROR_OUT(PSK_KEY_ERROR, exit_dcke); - } - break; - } - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - /* sanity check that PSK server callback has been set */ - if (ssl->options.server_psk_cb == NULL) { - WOLFSSL_MSG("No server PSK callback set"); - ERROR_OUT(PSK_KEY_ERROR, exit_dcke); - } - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - default: - WOLFSSL_MSG("Bad kea type"); - ret = BAD_KEA_TYPE_E; - } /* switch (ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dcke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_BUILD; - } /* TLS_ASYNC_BEGIN */ - - case TLS_ASYNC_BUILD: - { - switch (ssl->specs.kea) { - #ifndef NO_RSA - case rsa_kea: - { - word32 i = 0; - int keySz; - - ssl->hsType = DYNAMIC_TYPE_RSA; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_dcke; - } - - ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, - &i, (RsaKey*)ssl->hsKey, ssl->buffers.key->length); - if (ret != 0) { - goto exit_dcke; - } - keySz = wc_RsaEncryptSize((RsaKey*)ssl->hsKey); - if (keySz < 0) { /* test if keySz has error */ - ERROR_OUT(keySz, exit_dcke); - } - args->length = (word32)keySz; - - if (keySz < ssl->options.minRsaKeySz) { - WOLFSSL_MSG("Peer RSA key is too small"); - ERROR_OUT(RSA_KEY_SIZE_E, exit_dcke); - } - ssl->arrays->preMasterSz = SECRET_LEN; - - if (ssl->options.tls) { - word16 check; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &check); - args->idx += OPAQUE16_LEN; - - if ((word32)check != args->length) { - WOLFSSL_MSG("RSA explicit size doesn't match"); - ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke); - } - } - - if ((args->idx - args->begin) + args->length > size) { - WOLFSSL_MSG("RSA message too big"); - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - args->output = NULL; - break; - } /* rsa_kea */ - #endif /* !NO_RSA */ - #ifndef NO_PSK - case psk_kea: - { - byte* pms = ssl->arrays->preMasterSecret; - word16 ci_sz; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &ci_sz); - args->idx += OPAQUE16_LEN; - - if (ci_sz > MAX_PSK_ID_LEN) { - ERROR_OUT(CLIENT_ID_ERROR, exit_dcke); - } - - if ((args->idx - args->begin) + ci_sz > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - XMEMCPY(ssl->arrays->client_identity, - input + args->idx, ci_sz); - args->idx += ci_sz; - - ssl->arrays->client_identity[ - min(ci_sz, MAX_PSK_ID_LEN-1)] = 0; - ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl, - ssl->arrays->client_identity, ssl->arrays->psk_key, - MAX_PSK_KEY_LEN); - - if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - ERROR_OUT(PSK_KEY_ERROR, exit_dcke); - } - - /* make psk pre master secret */ - /* length of key + length 0s + length of key + key */ - c16toa((word16) ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - - XMEMSET(pms, 0, ssl->arrays->psk_keySz); - pms += ssl->arrays->psk_keySz; - - c16toa((word16) ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - - XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz = - (ssl->arrays->psk_keySz * 2) + (OPAQUE16_LEN * 2); - break; - } - #endif /* !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - word16 cipherLen; - word16 plainLen = ENCRYPT_LEN; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &cipherLen); - args->idx += OPAQUE16_LEN; - - if (cipherLen > MAX_NTRU_ENCRYPT_SZ) { - ERROR_OUT(NTRU_KEY_ERROR, exit_dcke); - } - - if ((args->idx - args->begin) + cipherLen > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - if (NTRU_OK != ntru_crypto_ntru_decrypt( - (word16) ssl->buffers.key->length, - ssl->buffers.key->buffer, cipherLen, - input + args->idx, &plainLen, - ssl->arrays->preMasterSecret)) { - ERROR_OUT(NTRU_DECRYPT_ERROR, exit_dcke); - } - - if (plainLen != SECRET_LEN) { - ERROR_OUT(NTRU_DECRYPT_ERROR, exit_dcke); - } - - args->idx += cipherLen; - ssl->arrays->preMasterSz = plainLen; - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - ecc_key* private_key = ssl->eccTempKey; - - /* handle static private key */ - if (ssl->specs.static_ecdh) { - word32 i = 0; - - ssl->hsType = DYNAMIC_TYPE_ECC; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_dcke; - } - - ret = wc_EccPrivateKeyDecode( - ssl->buffers.key->buffer, - &i, - (ecc_key*)ssl->hsKey, - ssl->buffers.key->length); - if (ret == 0) { - private_key = (ecc_key*)ssl->hsKey; - if (wc_ecc_size(private_key) < - ssl->options.minEccKeySz) { - WOLFSSL_MSG("ECC key too small"); - ERROR_OUT(ECC_KEY_SIZE_E, exit_dcke); - } - } - } - - /* import peer ECC key */ - if ((args->idx - args->begin) + OPAQUE8_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - args->length = input[args->idx++]; - - if ((args->idx - args->begin) + args->length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ssl->arrays->preMasterSz = ENCRYPT_LEN; - - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->EccSharedSecretCb != NULL) { - break; - } - #endif - - if (!ssl->specs.static_ecdh && - ssl->eccTempKeyPresent == 0) { - WOLFSSL_MSG("Ecc ephemeral key not made correctly"); - ERROR_OUT(ECC_MAKEKEY_ERROR, exit_dcke); - } - - if (ssl->peerEccKey == NULL) { - /* alloc/init on demand */ - ret = AllocKey(ssl, DYNAMIC_TYPE_ECC, - (void**)&ssl->peerEccKey); - if (ret != 0) { - goto exit_dcke; - } - } else if (ssl->peerEccKeyPresent) { /* don't leak on reuse */ - wc_ecc_free(ssl->peerEccKey); - ssl->peerEccKeyPresent = 0; - ret = wc_ecc_init_ex(ssl->peerEccKey, ssl->heap, - ssl->devId); - if (ret != 0) { - goto exit_dcke; - } - } - - if (wc_ecc_import_x963_ex(input + args->idx, args->length, - ssl->peerEccKey, private_key->dp->id)) { - ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke); - } - - ssl->peerEccKeyPresent = 1; - - if (ret != 0) { - goto exit_dcke; - } - break; - } - #endif /* HAVE_ECC */ - #ifndef NO_DH - case diffie_hellman_kea: - { - word16 clientPubSz; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &clientPubSz); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + clientPubSz > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - args->sigSz = clientPubSz; - - ret = AllocKey(ssl, DYNAMIC_TYPE_DH, - (void**)&ssl->buffers.serverDH_Key); - if (ret != 0) { - goto exit_dcke; - } - - ret = wc_DhSetKey(ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); - break; - } - #endif /* !NO_DH */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - word16 clientSz; - - /* Read in the PSK hint */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &clientSz); - args->idx += OPAQUE16_LEN; - if (clientSz > MAX_PSK_ID_LEN) { - ERROR_OUT(CLIENT_ID_ERROR, exit_dcke); - } - - if ((args->idx - args->begin) + clientSz > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - XMEMCPY(ssl->arrays->client_identity, input + args->idx, - clientSz); - args->idx += clientSz; - ssl->arrays->client_identity[ - min(clientSz, MAX_PSK_ID_LEN-1)] = 0; - - /* Read in the DHE business */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &clientSz); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + clientSz > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - args->sigSz = clientSz; - - ret = AllocKey(ssl, DYNAMIC_TYPE_DH, - (void**)&ssl->buffers.serverDH_Key); - if (ret != 0) { - goto exit_dcke; - } - - ret = wc_DhSetKey(ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); - - break; - } - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - word16 clientSz; - - /* Read in the PSK hint */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &clientSz); - args->idx += OPAQUE16_LEN; - if (clientSz > MAX_PSK_ID_LEN) { - ERROR_OUT(CLIENT_ID_ERROR, exit_dcke); - } - if ((args->idx - args->begin) + clientSz > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - XMEMCPY(ssl->arrays->client_identity, - input + args->idx, clientSz); - args->idx += clientSz; - ssl->arrays->client_identity[ - min(clientSz, MAX_PSK_ID_LEN-1)] = 0; - - /* import peer ECC key */ - if ((args->idx - args->begin) + OPAQUE8_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - args->length = input[args->idx++]; - - if ((args->idx - args->begin) + args->length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - args->sigSz = ENCRYPT_LEN - OPAQUE16_LEN; - - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->EccSharedSecretCb != NULL) { - break; - } - #endif - - if (ssl->eccTempKeyPresent == 0) { - WOLFSSL_MSG("Ecc ephemeral key not made correctly"); - ERROR_OUT(ECC_MAKEKEY_ERROR, exit_dcke); - } - - if (ssl->peerEccKey == NULL) { - /* alloc/init on demand */ - ret = AllocKey(ssl, DYNAMIC_TYPE_ECC, - (void**)&ssl->peerEccKey); - if (ret != 0) { - goto exit_dcke; - } - } - else if (ssl->peerEccKeyPresent) { /* don't leak on reuse */ - wc_ecc_free(ssl->peerEccKey); - ssl->peerEccKeyPresent = 0; - ret = wc_ecc_init_ex(ssl->peerEccKey, ssl->heap, - ssl->devId); - if (ret != 0) { - goto exit_dcke; - } - } - if (wc_ecc_import_x963_ex(input + args->idx, args->length, - ssl->peerEccKey, ssl->eccTempKey->dp->id)) { - ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke); - } - - ssl->peerEccKeyPresent = 1; - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - default: - ret = BAD_KEA_TYPE_E; - } /* switch (ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dcke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_DO; - } /* TLS_ASYNC_BUILD */ - - case TLS_ASYNC_DO: - { - switch (ssl->specs.kea) { - #ifndef NO_RSA - case rsa_kea: - { - RsaKey* key = (RsaKey*)ssl->hsKey; - ret = RsaDec(ssl, - input + args->idx, - args->length, - &args->output, - &args->sigSz, - key, - #if defined(HAVE_PK_CALLBACKS) - ssl->buffers.key->buffer, - ssl->buffers.key->length, - ssl->RsaDecCtx - #else - NULL, 0, NULL - #endif - ); - break; - } /* rsa_kea */ - #endif /* !NO_RSA */ - #ifndef NO_PSK - case psk_kea: - { - break; - } - #endif /* !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - ecc_key* private_key = ssl->eccTempKey; - if (ssl->specs.static_ecdh) { - private_key = (ecc_key*)ssl->hsKey; - } - - /* Generate shared secret */ - ret = EccSharedSecret(ssl, - private_key, ssl->peerEccKey, - input + args->idx, &args->length, - ssl->arrays->preMasterSecret, - &ssl->arrays->preMasterSz, - WOLFSSL_SERVER_END, - #ifdef HAVE_PK_CALLBACKS - ssl->EccSharedSecretCtx - #else - NULL - #endif - ); - break; - } - #endif /* HAVE_ECC */ - #ifndef NO_DH - case diffie_hellman_kea: - { - ret = DhAgree(ssl, ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_Priv.buffer, - ssl->buffers.serverDH_Priv.length, - input + args->idx, - (word16)args->sigSz, - ssl->arrays->preMasterSecret, - &ssl->arrays->preMasterSz); - break; - } - #endif /* !NO_DH */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - ret = DhAgree(ssl, ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_Priv.buffer, - ssl->buffers.serverDH_Priv.length, - input + args->idx, - (word16)args->sigSz, - ssl->arrays->preMasterSecret + OPAQUE16_LEN, - &ssl->arrays->preMasterSz); - break; - } - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - /* Generate shared secret */ - ret = EccSharedSecret(ssl, - ssl->eccTempKey, ssl->peerEccKey, - input + args->idx, &args->length, - ssl->arrays->preMasterSecret + OPAQUE16_LEN, - &args->sigSz, - WOLFSSL_SERVER_END, - #ifdef HAVE_PK_CALLBACKS - ssl->EccSharedSecretCtx - #else - NULL - #endif - ); - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - default: - ret = BAD_KEA_TYPE_E; - } /* switch (ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dcke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_VERIFY; - } /* TLS_ASYNC_DO */ - - case TLS_ASYNC_VERIFY: - { - switch (ssl->specs.kea) { - #ifndef NO_RSA - case rsa_kea: - { - /* Add the signature length to idx */ - args->idx += args->length; - - if (args->sigSz == SECRET_LEN && args->output != NULL) { - XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN); - if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major || - ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) { - ERROR_OUT(PMS_VERSION_ERROR, exit_dcke); - } - } - else { - ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke); - } - break; - } /* rsa_kea */ - #endif /* !NO_RSA */ - #ifndef NO_PSK - case psk_kea: - { - break; - } - #endif /* !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - /* skip past the imported peer key */ - args->idx += args->length; - break; - } - #endif /* HAVE_ECC */ - #ifndef NO_DH - case diffie_hellman_kea: - { - args->idx += (word16)args->sigSz; - break; - } - #endif /* !NO_DH */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - byte* pms = ssl->arrays->preMasterSecret; - word16 clientSz = (word16)args->sigSz; - - args->idx += clientSz; - c16toa((word16)ssl->arrays->preMasterSz, pms); - ssl->arrays->preMasterSz += OPAQUE16_LEN; - pms += ssl->arrays->preMasterSz; - - /* Use the PSK hint to look up the PSK and add it to the - * preMasterSecret here. */ - ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl, - ssl->arrays->client_identity, ssl->arrays->psk_key, - MAX_PSK_KEY_LEN); - - if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - ERROR_OUT(PSK_KEY_ERROR, exit_dcke); - } - - c16toa((word16) ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - - XMEMCPY(pms, ssl->arrays->psk_key, - ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz += ssl->arrays->psk_keySz + - OPAQUE16_LEN; - break; - } - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - byte* pms = ssl->arrays->preMasterSecret; - word16 clientSz = (word16)args->sigSz; - - /* skip past the imported peer key */ - args->idx += args->length; - - /* Add preMasterSecret */ - c16toa(clientSz, pms); - ssl->arrays->preMasterSz += OPAQUE16_LEN + clientSz; - pms += ssl->arrays->preMasterSz; - - /* Use the PSK hint to look up the PSK and add it to the - * preMasterSecret here. */ - ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl, - ssl->arrays->client_identity, ssl->arrays->psk_key, - MAX_PSK_KEY_LEN); - - if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - ERROR_OUT(PSK_KEY_ERROR, exit_dcke); - } - - c16toa((word16) ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - - XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz += - ssl->arrays->psk_keySz + OPAQUE16_LEN; - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - default: - ret = BAD_KEA_TYPE_E; - } /* switch (ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dcke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_FINALIZE; - } /* TLS_ASYNC_VERIFY */ - - case TLS_ASYNC_FINALIZE: - { - #ifdef HAVE_QSH - word16 name; - - if (ssl->options.haveQSH) { - /* extension name */ - ato16(input + args->idx, &name); - args->idx += OPAQUE16_LEN; - - if (name == TLSX_QUANTUM_SAFE_HYBRID) { - int qshSz; - /* if qshSz is larger than 0 it is the - length of buffer used */ - if ((qshSz = TLSX_QSHCipher_Parse(ssl, - input + args->idx, - size - args->idx + args->begin, 1)) < 0) { - ERROR_OUT(qshSz, exit_dcke); - } - args->idx += qshSz; - } - else { - /* unknown extension sent client ignored handshake */ - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - } - #endif /* HAVE_QSH */ - ret = MakeMasterSecret(ssl); - - /* Check for error */ - if (ret != 0) { - goto exit_dcke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_END; - } /* TLS_ASYNC_FINALIZE */ - - case TLS_ASYNC_END: - { - /* Set final index */ - *inOutIdx = args->idx; - - ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; - #ifndef NO_CERTS - if (ssl->options.verifyPeer) { - ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes); - } - #endif - break; - } /* TLS_ASYNC_END */ - default: - ret = INPUT_CASE_ERROR; - } /* switch(ssl->options.asyncState) */ - - exit_dcke: - - WOLFSSL_LEAVE("DoClientKeyExchange", ret); - - #ifdef WOLFSSL_ASYNC_CRYPT - /* Handle async operation */ - if (ret == WC_PENDING_E) { - /* Mark message as not recevied so it can process again */ - ssl->msgsReceived.got_client_key_exchange = 0; - - return ret; - } - #endif /* WOLFSSL_ASYNC_CRYPT */ - - /* Cleanup PMS */ - ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz); - ssl->arrays->preMasterSz = 0; - - /* Final cleanup */ - FreeDckeArgs(ssl, args); - FreeKeyExchange(ssl); - - return ret; - } - - -#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) - static int SNI_Callback(WOLFSSL* ssl) - { - /* Stunnel supports a custom sni callback to switch an SSL's ctx - * when SNI is received. Call it now if exists */ - if(ssl && ssl->ctx && ssl->ctx->sniRecvCb) { - WOLFSSL_MSG("Calling custom sni callback"); - if(ssl->ctx->sniRecvCb(ssl, NULL, ssl->ctx->sniRecvCbArg) - == alert_fatal) { - WOLFSSL_MSG("Error in custom sni callback. Fatal alert"); - SendAlert(ssl, alert_fatal, unrecognized_name); - return FATAL_ERROR; - } - } - return 0; - } -#endif /* HAVE_STUNNEL */ -#endif /* NO_WOLFSSL_SERVER */ - - -#ifdef WOLFSSL_ASYNC_CRYPT -int wolfSSL_AsyncPop(WOLFSSL* ssl, byte* state) -{ - int ret = 0; - WC_ASYNC_DEV* asyncDev; - WOLF_EVENT* event; - - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - - /* check for pending async */ - asyncDev = ssl->async.dev; - if (asyncDev) { - /* grab event pointer */ - event = &asyncDev->event; - - ret = wolfAsync_EventPop(event, WOLF_EVENT_TYPE_ASYNC_WOLFSSL); - if (ret != WC_NOT_PENDING_E && ret != WC_PENDING_E) { - - /* advance key share state if doesn't need called again */ - if (state && (asyncDev->event.flags & WC_ASYNC_FLAG_CALL_AGAIN) == 0) { - (*state)++; - } - - /* clear event */ - XMEMSET(&asyncDev->event, 0, sizeof(WOLF_EVENT)); - - /* clear async dev */ - ssl->async.dev = NULL; - } - } - else { - ret = WC_NOT_PENDING_E; - } - - WOLFSSL_LEAVE("wolfSSL_AsyncPop", ret); - - return ret; -} - -int wolfSSL_AsyncPush(WOLFSSL* ssl, WC_ASYNC_DEV* asyncDev, word32 flags) -{ - int ret; - WOLF_EVENT* event; - - if (ssl == NULL || asyncDev == NULL) { - return BAD_FUNC_ARG; - } - - /* grab event pointer */ - event = &asyncDev->event; - - /* init event */ - ret = wolfAsync_EventInit(event, WOLF_EVENT_TYPE_ASYNC_WOLFSSL, ssl, flags); - if (ret == 0) { - ssl->async.dev = asyncDev; - - /* place event into queue */ - ret = wolfAsync_EventQueuePush(&ssl->ctx->event_queue, event); - } - - /* success means return WC_PENDING_E */ - if (ret == 0) { - ret = WC_PENDING_E; - } - - WOLFSSL_LEAVE("wolfSSL_AsyncPush", ret); - - return ret; -} - -#endif /* WOLFSSL_ASYNC_CRYPT */ - - -#undef ERROR_OUT - -#endif /* WOLFCRYPT_ONLY */ diff --git a/src/internal-save.c b/src/internal-save.c deleted file mode 100755 index b046428e1..000000000 --- a/src/internal-save.c +++ /dev/null @@ -1,23393 +0,0 @@ -/* internal.c - * - * Copyright (C) 2006-2016 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - - - -#ifdef HAVE_CONFIG_H - #include -#endif - -#include - -#ifndef WOLFCRYPT_ONLY - -#include -#include -#include -#include -#ifdef NO_INLINE - #include -#else - #define WOLFSSL_MISC_INCLUDED - #include -#endif - -#ifdef HAVE_LIBZ - #include "zlib.h" -#endif - -#ifdef HAVE_NTRU - #include "libntruencrypt/ntru_crypto.h" -#endif - -#if defined(DEBUG_WOLFSSL) || defined(SHOW_SECRETS) || \ - defined(CHACHA_AEAD_TEST) || defined(WOLFSSL_SESSION_EXPORT_DEBUG) - #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) - #if MQX_USE_IO_OLD - #include - #else - #include - #endif - #else - #include - #endif -#endif - -#ifdef __sun - #include -#endif - - -#define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; } - -#ifdef _MSC_VER - /* disable for while(0) cases at the .c level for now */ - #pragma warning(disable:4127) -#endif - -#if defined(WOLFSSL_CALLBACKS) && !defined(LARGE_STATIC_BUFFERS) - #error \ -WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS -#endif - -#if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_RENEGOTIATION_INDICATION) - #error Cannot use both secure-renegotiation and renegotiation-indication -#endif - -#ifndef NO_WOLFSSL_CLIENT - static int DoHelloVerifyRequest(WOLFSSL* ssl, const byte* input, word32*, - word32); - static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input, word32*, - word32); - #ifndef NO_CERTS - static int DoCertificateRequest(WOLFSSL* ssl, const byte* input, word32*, - word32); - #endif - #ifdef HAVE_SESSION_TICKET - static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32*, - word32); - #endif -#endif - - -#ifndef NO_WOLFSSL_SERVER - static int DoClientKeyExchange(WOLFSSL* ssl, byte* input, word32*, word32); - #if !defined(NO_RSA) || defined(HAVE_ECC) - static int DoCertificateVerify(WOLFSSL* ssl, byte*, word32*, word32); - #endif - #ifdef WOLFSSL_DTLS - static int SendHelloVerifyRequest(WOLFSSL*, const byte*, byte); - #endif /* WOLFSSL_DTLS */ -#endif - - -#ifdef WOLFSSL_DTLS - static INLINE int DtlsCheckWindow(WOLFSSL* ssl); - static INLINE int DtlsUpdateWindow(WOLFSSL* ssl); -#endif - - -enum processReply { - doProcessInit = 0, -#ifndef NO_WOLFSSL_SERVER - runProcessOldClientHello, -#endif - getRecordLayerHeader, - getData, - decryptMessage, - verifyMessage, - runProcessingOneMessage -}; - -/* sub-states for build message */ -enum buildMsgState { - BUILD_MSG_BEGIN = 0, - BUILD_MSG_SIZE, - BUILD_MSG_HASH, - BUILD_MSG_VERIFY_MAC, - BUILD_MSG_ENCRYPT, -}; - -/* sub-states for cipher operations */ -enum cipherState { - CIPHER_STATE_BEGIN = 0, - CIPHER_STATE_DO, - CIPHER_STATE_END, -}; - - -#ifndef NO_OLD_TLS -static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, - int content, int verify); - -#endif - -#ifdef HAVE_QSH - int QSH_Init(WOLFSSL* ssl); -#endif - - -int IsTLS(const WOLFSSL* ssl) -{ - if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_MINOR) - return 1; - - return 0; -} - - -int IsAtLeastTLSv1_2(const WOLFSSL* ssl) -{ - if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_2_MINOR) - return 1; - if (ssl->version.major == DTLS_MAJOR && ssl->version.minor <= DTLSv1_2_MINOR) - return 1; - - return 0; -} - -int IsAtLeastTLSv1_3(const ProtocolVersion pv) -{ - return (pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_3_MINOR); -} - - -static INLINE int IsEncryptionOn(WOLFSSL* ssl, int isSend) -{ - (void)isSend; - - #ifdef WOLFSSL_DTLS - /* For DTLS, epoch 0 is always not encrypted. */ - if (ssl->options.dtls && !isSend && ssl->keys.curEpoch == 0) - return 0; - #endif /* WOLFSSL_DTLS */ - - return ssl->keys.encryptionOn; -} - - -/* If SCTP is not enabled returns the state of the dtls option. - * If SCTP is enabled returns dtls && !sctp. */ -static INLINE int IsDtlsNotSctpMode(WOLFSSL* ssl) -{ - int result = ssl->options.dtls; - - if (result) { -#ifdef WOLFSSL_SCTP - result = !ssl->options.dtlsSctp; -#endif - } - - return result; -} - - -#ifdef HAVE_QSH -/* free all structs that where used with QSH */ -static int QSH_FreeAll(WOLFSSL* ssl) -{ - QSHKey* key = ssl->QSH_Key; - QSHKey* preKey = NULL; - QSHSecret* secret = ssl->QSH_secret; - QSHScheme* list = NULL; - QSHScheme* preList = NULL; - - /* free elements in struct */ - while (key) { - preKey = key; - if (key->pri.buffer) { - ForceZero(key->pri.buffer, key->pri.length); - XFREE(key->pri.buffer, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - if (key->pub.buffer) - XFREE(key->pub.buffer, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - key = (QSHKey*)key->next; - - /* free struct */ - XFREE(preKey, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - key = NULL; - - - /* free all of peers QSH keys */ - key = ssl->peerQSHKey; - while (key) { - preKey = key; - if (key->pri.buffer) { - ForceZero(key->pri.buffer, key->pri.length); - XFREE(key->pri.buffer, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - if (key->pub.buffer) - XFREE(key->pub.buffer, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - key = (QSHKey*)key->next; - - /* free struct */ - XFREE(preKey, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - key = NULL; - - /* free secret information */ - if (secret) { - /* free up the QSHScheme list in QSHSecret */ - if (secret->list) - list = secret->list; - while (list) { - preList = list; - if (list->PK) - XFREE(list->PK, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - list = (QSHScheme*)list->next; - XFREE(preList, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - - /* free secret buffers */ - if (secret->SerSi) { - if (secret->SerSi->buffer) { - /* clear extra secret material that supplemented Master Secret*/ - ForceZero(secret->SerSi->buffer, secret->SerSi->length); - XFREE(secret->SerSi->buffer, ssl->heap,DYNAMIC_TYPE_TMP_BUFFER); - } - XFREE(secret->SerSi, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - if (secret->CliSi) { - if (secret->CliSi->buffer) { - /* clear extra secret material that supplemented Master Secret*/ - ForceZero(secret->CliSi->buffer, secret->CliSi->length); - XFREE(secret->CliSi->buffer, ssl->heap,DYNAMIC_TYPE_TMP_BUFFER); - } - XFREE(secret->CliSi, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - } - XFREE(secret, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - secret = NULL; - - return 0; -} -#endif - - -#ifdef HAVE_NTRU -static WC_RNG* rng; -static wolfSSL_Mutex* rngMutex; - -static word32 GetEntropy(unsigned char* out, word32 num_bytes) -{ - int ret = 0; - - if (rng == NULL) { - if ((rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), 0, - DYNAMIC_TYPE_TLSX)) == NULL) - return DRBG_OUT_OF_MEMORY; - wc_InitRng(rng); - } - - if (rngMutex == NULL) { - if ((rngMutex = (wolfSSL_Mutex*)XMALLOC(sizeof(wolfSSL_Mutex), 0, - DYNAMIC_TYPE_TLSX)) == NULL) - return DRBG_OUT_OF_MEMORY; - wc_InitMutex(rngMutex); - } - - ret |= wc_LockMutex(rngMutex); - ret |= wc_RNG_GenerateBlock(rng, out, num_bytes); - ret |= wc_UnLockMutex(rngMutex); - - if (ret != 0) - return DRBG_ENTROPY_FAIL; - - return DRBG_OK; -} -#endif /* HAVE_NTRU */ - -/* used by ssl.c too */ -void c32to24(word32 in, word24 out) -{ - out[0] = (in >> 16) & 0xff; - out[1] = (in >> 8) & 0xff; - out[2] = in & 0xff; -} - - -/* convert 16 bit integer to opaque */ -static INLINE void c16toa(word16 u16, byte* c) -{ - c[0] = (u16 >> 8) & 0xff; - c[1] = u16 & 0xff; -} - - -#if !defined(NO_OLD_TLS) || defined(HAVE_CHACHA) || defined(HAVE_AESCCM) \ - || defined(HAVE_AESGCM) || defined(WOLFSSL_SESSION_EXPORT) \ - || defined(WOLFSSL_DTLS) || defined(HAVE_SESSION_TICKET) -/* convert 32 bit integer to opaque */ -static INLINE void c32toa(word32 u32, byte* c) -{ - c[0] = (u32 >> 24) & 0xff; - c[1] = (u32 >> 16) & 0xff; - c[2] = (u32 >> 8) & 0xff; - c[3] = u32 & 0xff; -} - -#endif - - -/* convert a 24 bit integer into a 32 bit one */ -static INLINE void c24to32(const word24 u24, word32* u32) -{ - *u32 = (u24[0] << 16) | (u24[1] << 8) | u24[2]; -} - - -/* convert opaque to 16 bit integer */ -static INLINE void ato16(const byte* c, word16* u16) -{ - *u16 = (word16) ((c[0] << 8) | (c[1])); -} - - -#if defined(WOLFSSL_DTLS) || defined(HAVE_SESSION_TICKET) || \ - defined(WOLFSSL_SESSION_EXPORT) - -/* convert opaque to 32 bit integer */ -static INLINE void ato32(const byte* c, word32* u32) -{ - *u32 = (c[0] << 24) | (c[1] << 16) | (c[2] << 8) | c[3]; -} - -#endif /* WOLFSSL_DTLS */ - - -#ifdef HAVE_LIBZ - - /* alloc user allocs to work with zlib */ - static void* myAlloc(void* opaque, unsigned int item, unsigned int size) - { - (void)opaque; - return XMALLOC(item * size, opaque, DYNAMIC_TYPE_LIBZ); - } - - - static void myFree(void* opaque, void* memory) - { - (void)opaque; - XFREE(memory, opaque, DYNAMIC_TYPE_LIBZ); - } - - - /* init zlib comp/decomp streams, 0 on success */ - static int InitStreams(WOLFSSL* ssl) - { - ssl->c_stream.zalloc = (alloc_func)myAlloc; - ssl->c_stream.zfree = (free_func)myFree; - ssl->c_stream.opaque = (voidpf)ssl->heap; - - if (deflateInit(&ssl->c_stream, Z_DEFAULT_COMPRESSION) != Z_OK) - return ZLIB_INIT_ERROR; - - ssl->didStreamInit = 1; - - ssl->d_stream.zalloc = (alloc_func)myAlloc; - ssl->d_stream.zfree = (free_func)myFree; - ssl->d_stream.opaque = (voidpf)ssl->heap; - - if (inflateInit(&ssl->d_stream) != Z_OK) return ZLIB_INIT_ERROR; - - return 0; - } - - - static void FreeStreams(WOLFSSL* ssl) - { - if (ssl->didStreamInit) { - deflateEnd(&ssl->c_stream); - inflateEnd(&ssl->d_stream); - } - } - - - /* compress in to out, return out size or error */ - static int myCompress(WOLFSSL* ssl, byte* in, int inSz, byte* out, int outSz) - { - int err; - int currTotal = (int)ssl->c_stream.total_out; - - ssl->c_stream.next_in = in; - ssl->c_stream.avail_in = inSz; - ssl->c_stream.next_out = out; - ssl->c_stream.avail_out = outSz; - - err = deflate(&ssl->c_stream, Z_SYNC_FLUSH); - if (err != Z_OK && err != Z_STREAM_END) return ZLIB_COMPRESS_ERROR; - - return (int)ssl->c_stream.total_out - currTotal; - } - - - /* decompress in to out, return out size or error */ - static int myDeCompress(WOLFSSL* ssl, byte* in,int inSz, byte* out,int outSz) - { - int err; - int currTotal = (int)ssl->d_stream.total_out; - - ssl->d_stream.next_in = in; - ssl->d_stream.avail_in = inSz; - ssl->d_stream.next_out = out; - ssl->d_stream.avail_out = outSz; - - err = inflate(&ssl->d_stream, Z_SYNC_FLUSH); - if (err != Z_OK && err != Z_STREAM_END) return ZLIB_DECOMPRESS_ERROR; - - return (int)ssl->d_stream.total_out - currTotal; - } - -#endif /* HAVE_LIBZ */ - - -#ifdef WOLFSSL_SESSION_EXPORT -#ifdef WOLFSSL_DTLS -/* serializes the cipher specs struct for exporting */ -static int ExportCipherSpecState(WOLFSSL* ssl, byte* exp, word32 len, byte ver) -{ - word32 idx = 0; - CipherSpecs* specs; - - WOLFSSL_ENTER("ExportCipherSpecState"); - - if (exp == NULL || ssl == NULL) { - return BAD_FUNC_ARG; - } - - specs= &(ssl->specs); - - if (DTLS_EXPORT_SPC_SZ > len) { - return BUFFER_E; - } - - XMEMSET(exp, 0, DTLS_EXPORT_SPC_SZ); - - c16toa(specs->key_size, exp + idx); idx += OPAQUE16_LEN; - c16toa(specs->iv_size, exp + idx); idx += OPAQUE16_LEN; - c16toa(specs->block_size, exp + idx); idx += OPAQUE16_LEN; - c16toa(specs->aead_mac_size, exp + idx); idx += OPAQUE16_LEN; - exp[idx++] = specs->bulk_cipher_algorithm; - exp[idx++] = specs->cipher_type; - exp[idx++] = specs->mac_algorithm; - exp[idx++] = specs->kea; - exp[idx++] = specs->sig_algo; - exp[idx++] = specs->hash_size; - exp[idx++] = specs->pad_size; - exp[idx++] = specs->static_ecdh; - - if (idx != DTLS_EXPORT_SPC_SZ) { - WOLFSSL_MSG("DTLS_EXPORT_SPC_SZ needs updated and export version"); - return DTLS_EXPORT_VER_E; - } - - WOLFSSL_LEAVE("ExportCipherSpecState", idx); - (void)ver; - return idx; -} - - -/* serializes the key struct for exporting */ -static int ExportKeyState(WOLFSSL* ssl, byte* exp, word32 len, byte ver) -{ - word32 idx = 0; - byte sz; - Keys* keys; - - WOLFSSL_ENTER("ExportKeyState"); - - if (exp == NULL || ssl == NULL) { - return BAD_FUNC_ARG; - } - - keys = &(ssl->keys); - - if (DTLS_EXPORT_KEY_SZ > len) { - WOLFSSL_MSG("Buffer not large enough for max key struct size"); - return BUFFER_E; - } - - XMEMSET(exp, 0, DTLS_EXPORT_KEY_SZ); - - c32toa(keys->peer_sequence_number_hi, exp + idx); idx += OPAQUE32_LEN; - c32toa(keys->peer_sequence_number_lo, exp + idx); idx += OPAQUE32_LEN; - c32toa(keys->sequence_number_hi, exp + idx); idx += OPAQUE32_LEN; - c32toa(keys->sequence_number_lo, exp + idx); idx += OPAQUE32_LEN; - - c16toa(keys->nextEpoch, exp + idx); idx += OPAQUE16_LEN; - c16toa(keys->nextSeq_hi, exp + idx); idx += OPAQUE16_LEN; - c32toa(keys->nextSeq_lo, exp + idx); idx += OPAQUE32_LEN; - c16toa(keys->curEpoch, exp + idx); idx += OPAQUE16_LEN; - c16toa(keys->curSeq_hi, exp + idx); idx += OPAQUE16_LEN; - c32toa(keys->curSeq_lo, exp + idx); idx += OPAQUE32_LEN; - c16toa(keys->prevSeq_hi, exp + idx); idx += OPAQUE16_LEN; - c32toa(keys->prevSeq_lo, exp + idx); idx += OPAQUE32_LEN; - - c16toa(keys->dtls_peer_handshake_number, exp + idx); idx += OPAQUE16_LEN; - c16toa(keys->dtls_expected_peer_handshake_number, exp + idx); - idx += OPAQUE16_LEN; - - c16toa(keys->dtls_sequence_number_hi, exp + idx); idx += OPAQUE16_LEN; - c32toa(keys->dtls_sequence_number_lo, exp + idx); idx += OPAQUE32_LEN; - c16toa(keys->dtls_prev_sequence_number_hi, exp + idx); idx += OPAQUE16_LEN; - c32toa(keys->dtls_prev_sequence_number_lo, exp + idx); idx += OPAQUE32_LEN; - c16toa(keys->dtls_epoch, exp + idx); idx += OPAQUE16_LEN; - c16toa(keys->dtls_handshake_number, exp + idx); idx += OPAQUE16_LEN; - c32toa(keys->encryptSz, exp + idx); idx += OPAQUE32_LEN; - c32toa(keys->padSz, exp + idx); idx += OPAQUE32_LEN; - exp[idx++] = keys->encryptionOn; - exp[idx++] = keys->decryptedCur; - - { - word32 i; - - c16toa(WOLFSSL_DTLS_WINDOW_WORDS, exp + idx); idx += OPAQUE16_LEN; - for (i = 0; i < WOLFSSL_DTLS_WINDOW_WORDS; i++) { - c32toa(keys->window[i], exp + idx); - idx += OPAQUE32_LEN; - } - c16toa(WOLFSSL_DTLS_WINDOW_WORDS, exp + idx); idx += OPAQUE16_LEN; - for (i = 0; i < WOLFSSL_DTLS_WINDOW_WORDS; i++) { - c32toa(keys->prevWindow[i], exp + idx); - idx += OPAQUE32_LEN; - } - } - -#ifdef HAVE_TRUNCATED_HMAC - sz = ssl->truncated_hmac ? TRUNCATED_HMAC_SZ: ssl->specs.hash_size; - exp[idx++] = ssl->truncated_hmac; -#else - sz = ssl->specs.hash_size; - exp[idx++] = 0; /* no truncated hmac */ -#endif - exp[idx++] = sz; - XMEMCPY(exp + idx, keys->client_write_MAC_secret, sz); idx += sz; - XMEMCPY(exp + idx, keys->server_write_MAC_secret, sz); idx += sz; - - sz = ssl->specs.key_size; - exp[idx++] = sz; - XMEMCPY(exp + idx, keys->client_write_key, sz); idx += sz; - XMEMCPY(exp + idx, keys->server_write_key, sz); idx += sz; - - sz = ssl->specs.iv_size; - exp[idx++] = sz; - XMEMCPY(exp + idx, keys->client_write_IV, sz); idx += sz; - XMEMCPY(exp + idx, keys->server_write_IV, sz); idx += sz; - XMEMCPY(exp + idx, keys->aead_exp_IV, AEAD_MAX_EXP_SZ); - idx += AEAD_MAX_EXP_SZ; - - sz = AEAD_MAX_IMP_SZ; - exp[idx++] = sz; - XMEMCPY(exp + idx, keys->aead_enc_imp_IV, sz); idx += sz; - XMEMCPY(exp + idx, keys->aead_dec_imp_IV, sz); idx += sz; - - /* DTLS_EXPORT_KEY_SZ is max value. idx size can vary */ - if (idx > DTLS_EXPORT_KEY_SZ) { - WOLFSSL_MSG("DTLS_EXPORT_KEY_SZ needs updated and export version"); - return DTLS_EXPORT_VER_E; - } - - WOLFSSL_LEAVE("ExportKeyState", idx); - (void)ver; - return idx; -} - -static int ImportCipherSpecState(WOLFSSL* ssl, byte* exp, word32 len, byte ver) -{ - word32 idx = 0; - CipherSpecs* specs; - - WOLFSSL_ENTER("ImportCipherSpecState"); - - if (exp == NULL || ssl == NULL) { - return BAD_FUNC_ARG; - } - - specs= &(ssl->specs); - - if (DTLS_EXPORT_SPC_SZ > len) { - WOLFSSL_MSG("Buffer not large enough for max spec struct size"); - return BUFFER_E; - } - - ato16(exp + idx, &specs->key_size); idx += OPAQUE16_LEN; - ato16(exp + idx, &specs->iv_size); idx += OPAQUE16_LEN; - ato16(exp + idx, &specs->block_size); idx += OPAQUE16_LEN; - ato16(exp + idx, &specs->aead_mac_size); idx += OPAQUE16_LEN; - specs->bulk_cipher_algorithm = exp[idx++]; - specs->cipher_type = exp[idx++]; - specs->mac_algorithm = exp[idx++]; - specs->kea = exp[idx++]; - specs->sig_algo = exp[idx++]; - specs->hash_size = exp[idx++]; - specs->pad_size = exp[idx++]; - specs->static_ecdh = exp[idx++]; - - WOLFSSL_LEAVE("ImportCipherSpecState", idx); - (void)ver; - return idx; -} - - -static int ImportKeyState(WOLFSSL* ssl, byte* exp, word32 len, byte ver) -{ - word32 idx = 0; - byte sz; - Keys* keys; - - WOLFSSL_ENTER("ImportKeyState"); - - if (exp == NULL || ssl == NULL) { - return BAD_FUNC_ARG; - } - - keys = &(ssl->keys); - - /* check minimum length -- includes byte used for size indicators */ - if (len < DTLS_EXPORT_MIN_KEY_SZ) { - return BUFFER_E; - } - ato32(exp + idx, &keys->peer_sequence_number_hi); idx += OPAQUE32_LEN; - ato32(exp + idx, &keys->peer_sequence_number_lo); idx += OPAQUE32_LEN; - ato32(exp + idx, &keys->sequence_number_hi); idx += OPAQUE32_LEN; - ato32(exp + idx, &keys->sequence_number_lo); idx += OPAQUE32_LEN; - - ato16(exp + idx, &keys->nextEpoch); idx += OPAQUE16_LEN; - ato16(exp + idx, &keys->nextSeq_hi); idx += OPAQUE16_LEN; - ato32(exp + idx, &keys->nextSeq_lo); idx += OPAQUE32_LEN; - ato16(exp + idx, &keys->curEpoch); idx += OPAQUE16_LEN; - ato16(exp + idx, &keys->curSeq_hi); idx += OPAQUE16_LEN; - ato32(exp + idx, &keys->curSeq_lo); idx += OPAQUE32_LEN; - ato16(exp + idx, &keys->prevSeq_hi); idx += OPAQUE16_LEN; - ato32(exp + idx, &keys->prevSeq_lo); idx += OPAQUE32_LEN; - - ato16(exp + idx, &keys->dtls_peer_handshake_number); idx += OPAQUE16_LEN; - ato16(exp + idx, &keys->dtls_expected_peer_handshake_number); - idx += OPAQUE16_LEN; - - ato16(exp + idx, &keys->dtls_sequence_number_hi); idx += OPAQUE16_LEN; - ato32(exp + idx, &keys->dtls_sequence_number_lo); idx += OPAQUE32_LEN; - ato16(exp + idx, &keys->dtls_prev_sequence_number_hi); idx += OPAQUE16_LEN; - ato32(exp + idx, &keys->dtls_prev_sequence_number_lo); idx += OPAQUE32_LEN; - ato16(exp + idx, &keys->dtls_epoch); idx += OPAQUE16_LEN; - ato16(exp + idx, &keys->dtls_handshake_number); idx += OPAQUE16_LEN; - ato32(exp + idx, &keys->encryptSz); idx += OPAQUE32_LEN; - ato32(exp + idx, &keys->padSz); idx += OPAQUE32_LEN; - keys->encryptionOn = exp[idx++]; - keys->decryptedCur = exp[idx++]; - - { - word16 i, wordCount, wordAdj = 0; - - /* do window */ - ato16(exp + idx, &wordCount); - idx += OPAQUE16_LEN; - - if (wordCount > WOLFSSL_DTLS_WINDOW_WORDS) { - wordCount = WOLFSSL_DTLS_WINDOW_WORDS; - wordAdj = (WOLFSSL_DTLS_WINDOW_WORDS - wordCount) * sizeof(word32); - } - - XMEMSET(keys->window, 0xFF, DTLS_SEQ_SZ); - for (i = 0; i < wordCount; i++) { - ato32(exp + idx, &keys->window[i]); - idx += OPAQUE32_LEN; - } - idx += wordAdj; - - /* do prevWindow */ - ato16(exp + idx, &wordCount); - idx += OPAQUE16_LEN; - - if (wordCount > WOLFSSL_DTLS_WINDOW_WORDS) { - wordCount = WOLFSSL_DTLS_WINDOW_WORDS; - wordAdj = (WOLFSSL_DTLS_WINDOW_WORDS - wordCount) * sizeof(word32); - } - - XMEMSET(keys->prevWindow, 0xFF, DTLS_SEQ_SZ); - for (i = 0; i < wordCount; i++) { - ato32(exp + idx, &keys->prevWindow[i]); - idx += OPAQUE32_LEN; - } - idx += wordAdj; - - } - -#ifdef HAVE_TRUNCATED_HMAC - ssl->truncated_hmac = exp[idx++]; -#else - idx++; /* no truncated hmac */ -#endif - sz = exp[idx++]; - if (sz > MAX_DIGEST_SIZE || sz + idx > len) { - return BUFFER_E; - } - XMEMCPY(keys->client_write_MAC_secret, exp + idx, sz); idx += sz; - XMEMCPY(keys->server_write_MAC_secret, exp + idx, sz); idx += sz; - - sz = exp[idx++]; - if (sz > AES_256_KEY_SIZE || sz + idx > len) { - return BUFFER_E; - } - XMEMCPY(keys->client_write_key, exp + idx, sz); idx += sz; - XMEMCPY(keys->server_write_key, exp + idx, sz); idx += sz; - - sz = exp[idx++]; - if (sz > MAX_WRITE_IV_SZ || sz + idx > len) { - return BUFFER_E; - } - XMEMCPY(keys->client_write_IV, exp + idx, sz); idx += sz; - XMEMCPY(keys->server_write_IV, exp + idx, sz); idx += sz; - XMEMCPY(keys->aead_exp_IV, exp + idx, AEAD_MAX_EXP_SZ); - idx += AEAD_MAX_EXP_SZ; - - sz = exp[idx++]; - if (sz > AEAD_MAX_IMP_SZ || sz + idx > len) { - return BUFFER_E; - } - XMEMCPY(keys->aead_enc_imp_IV, exp + idx, sz); idx += sz; - XMEMCPY(keys->aead_dec_imp_IV, exp + idx, sz); idx += sz; - - WOLFSSL_LEAVE("ImportKeyState", idx); - (void)ver; - return idx; -} - - -/* copy over necessary information from Options struct to buffer - * On success returns size of buffer used on failure returns a negative value */ -static int dtls_export_new(WOLFSSL* ssl, byte* exp, word32 len, byte ver) -{ - int idx = 0; - word16 zero = 0; - Options* options = &ssl->options; - - WOLFSSL_ENTER("dtls_export_new"); - - if (exp == NULL || options == NULL || len < DTLS_EXPORT_OPT_SZ) { - return BAD_FUNC_ARG; - } - - XMEMSET(exp, 0, DTLS_EXPORT_OPT_SZ); - - /* these options are kept and sent to indicate verify status and strength - * of handshake */ - exp[idx++] = options->sendVerify; - exp[idx++] = options->verifyPeer; - exp[idx++] = options->verifyNone; - exp[idx++] = options->downgrade; -#ifndef NO_DH - c16toa(options->minDhKeySz, exp + idx); idx += OPAQUE16_LEN; - c16toa(options->dhKeySz, exp + idx); idx += OPAQUE16_LEN; -#else - c16toa(zero, exp + idx); idx += OPAQUE16_LEN; - c16toa(zero, exp + idx); idx += OPAQUE16_LEN; -#endif -#ifndef NO_RSA - c16toa((word16)(options->minRsaKeySz), exp + idx); idx += OPAQUE16_LEN; -#else - c16toa(zero, exp + idx); idx += OPAQUE16_LEN; -#endif -#ifdef HAVE_ECC - c16toa((word16)(options->minEccKeySz), exp + idx); idx += OPAQUE16_LEN; -#else - c16toa(zero, exp + idx); idx += OPAQUE16_LEN; -#endif - - /* these options are kept to indicate state and behavior */ -#ifndef NO_PSK - exp[idx++] = options->havePSK; -#else - exp[idx++] = 0; -#endif - exp[idx++] = options->sessionCacheOff; - exp[idx++] = options->sessionCacheFlushOff; - exp[idx++] = options->side; - exp[idx++] = options->resuming; - exp[idx++] = options->haveSessionId; - exp[idx++] = options->tls; - exp[idx++] = options->tls1_1; - exp[idx++] = options->dtls; - exp[idx++] = options->connReset; - exp[idx++] = options->isClosed; - exp[idx++] = options->closeNotify; - exp[idx++] = options->sentNotify; - exp[idx++] = options->usingCompression; - exp[idx++] = options->haveRSA; - exp[idx++] = options->haveECC; - exp[idx++] = options->haveDH; - exp[idx++] = options->haveNTRU; - exp[idx++] = options->haveQSH; - exp[idx++] = options->haveECDSAsig; - exp[idx++] = options->haveStaticECC; - exp[idx++] = options->havePeerVerify; - exp[idx++] = options->usingPSK_cipher; - exp[idx++] = options->usingAnon_cipher; - exp[idx++] = options->sendAlertState; - exp[idx++] = options->partialWrite; - exp[idx++] = options->quietShutdown; - exp[idx++] = options->groupMessages; -#ifdef HAVE_POLY1305 - exp[idx++] = options->oldPoly; -#else - exp[idx++] = 0; -#endif -#ifdef HAVE_ANON - exp[idx++] = options->haveAnon; -#else - exp[idx++] = 0; -#endif -#ifdef HAVE_SESSION_TICKET - exp[idx++] = options->createTicket; - exp[idx++] = options->useTicket; -#ifdef WOLFSSL_TLS13 - exp[idx++] = options->noTicketTls13; -#endif -#else - exp[idx++] = 0; - exp[idx++] = 0; -#ifdef WOLFSSL_TLS13 - exp[idx++] = 0; -#endif -#endif - exp[idx++] = options->processReply; - exp[idx++] = options->cipherSuite0; - exp[idx++] = options->cipherSuite; - exp[idx++] = options->serverState; - exp[idx++] = options->clientState; - exp[idx++] = options->handShakeState; - exp[idx++] = options->handShakeDone; - exp[idx++] = options->minDowngrade; - exp[idx++] = options->connectState; - exp[idx++] = options->acceptState; - exp[idx++] = options->asyncState; - - /* version of connection */ - exp[idx++] = ssl->version.major; - exp[idx++] = ssl->version.minor; - - (void)zero; - (void)ver; - - /* check if changes were made and notify of need to update export version */ - if (idx != DTLS_EXPORT_OPT_SZ) { - WOLFSSL_MSG("Update DTLS_EXPORT_OPT_SZ and version of wolfSSL export"); - return DTLS_EXPORT_VER_E; - } - - WOLFSSL_LEAVE("dtls_export_new", idx); - - return idx; -} - - -/* copy items from Export struct to Options struct - * On success returns size of buffer used on failure returns a negative value */ -static int dtls_export_load(WOLFSSL* ssl, byte* exp, word32 len, byte ver) -{ - int idx = 0; - Options* options = &ssl->options; - - if (ver != DTLS_EXPORT_VERSION) { - WOLFSSL_MSG("Export version not supported"); - return BAD_FUNC_ARG; - } - - if (exp == NULL || options == NULL || len < DTLS_EXPORT_OPT_SZ) { - return BAD_FUNC_ARG; - } - - /* these options are kept and sent to indicate verify status and strength - * of handshake */ - options->sendVerify = exp[idx++]; - options->verifyPeer = exp[idx++]; - options->verifyNone = exp[idx++]; - options->downgrade = exp[idx++]; -#ifndef NO_DH - ato16(exp + idx, &(options->minDhKeySz)); idx += OPAQUE16_LEN; - ato16(exp + idx, &(options->dhKeySz)); idx += OPAQUE16_LEN; -#else - idx += OPAQUE16_LEN; - idx += OPAQUE16_LEN; -#endif -#ifndef NO_RSA - ato16(exp + idx, (word16*)&(options->minRsaKeySz)); idx += OPAQUE16_LEN; -#else - idx += OPAQUE16_LEN; -#endif -#ifdef HAVE_ECC - ato16(exp + idx, (word16*)&(options->minEccKeySz)); idx += OPAQUE16_LEN; -#else - idx += OPAQUE16_LEN; -#endif - - /* these options are kept to indicate state and behavior */ -#ifndef NO_PSK - options->havePSK = exp[idx++]; -#else - idx++; -#endif - options->sessionCacheOff = exp[idx++]; - options->sessionCacheFlushOff = exp[idx++]; - options->side = exp[idx++]; - options->resuming = exp[idx++]; - options->haveSessionId = exp[idx++]; - options->tls = exp[idx++]; - options->tls1_1 = exp[idx++]; - options->dtls = exp[idx++]; - options->connReset = exp[idx++]; - options->isClosed = exp[idx++]; - options->closeNotify = exp[idx++]; - options->sentNotify = exp[idx++]; - options->usingCompression = exp[idx++]; - options->haveRSA = exp[idx++]; - options->haveECC = exp[idx++]; - options->haveDH = exp[idx++]; - options->haveNTRU = exp[idx++]; - options->haveQSH = exp[idx++]; - options->haveECDSAsig = exp[idx++]; - options->haveStaticECC = exp[idx++]; - options->havePeerVerify = exp[idx++]; - options->usingPSK_cipher = exp[idx++]; - options->usingAnon_cipher = exp[idx++]; - options->sendAlertState = exp[idx++]; - options->partialWrite = exp[idx++]; - options->quietShutdown = exp[idx++]; - options->groupMessages = exp[idx++]; -#ifdef HAVE_POLY1305 - options->oldPoly = exp[idx++]; /* set when to use old rfc way of poly*/ -#else - idx++; -#endif -#ifdef HAVE_ANON - options->haveAnon = exp[idx++]; /* User wants to allow Anon suites */ -#else - idx++; -#endif -#ifdef HAVE_SESSION_TICKET - options->createTicket = exp[idx++]; /* Server to create new Ticket */ - options->useTicket = exp[idx++]; /* Use Ticket not session cache */ -#ifdef WOLFSSL_TLS13 - options->noTicketTls13 = exp[idx++]; /* Server won't create new Ticket */ -#endif -#else - idx++; - idx++; -#ifdef WOLFSSL_TLS13 - idx++; -#endif -#endif - options->processReply = exp[idx++]; - options->cipherSuite0 = exp[idx++]; - options->cipherSuite = exp[idx++]; - options->serverState = exp[idx++]; - options->clientState = exp[idx++]; - options->handShakeState = exp[idx++]; - options->handShakeDone = exp[idx++]; - options->minDowngrade = exp[idx++]; - options->connectState = exp[idx++]; - options->acceptState = exp[idx++]; - options->asyncState = exp[idx++]; - - /* version of connection */ - if (ssl->version.major != exp[idx++] || ssl->version.minor != exp[idx++]) { - WOLFSSL_MSG("Version mismatch ie DTLS v1 vs v1.2"); - return VERSION_ERROR; - } - - return idx; -} - -static int ExportPeerInfo(WOLFSSL* ssl, byte* exp, word32 len, byte ver) -{ - int idx = 0; - int ipSz = DTLS_EXPORT_IP; /* start as max size */ - int fam = 0; - word16 port = 0; - char ip[DTLS_EXPORT_IP]; - - if (ver != DTLS_EXPORT_VERSION) { - WOLFSSL_MSG("Export version not supported"); - return BAD_FUNC_ARG; - } - - if (ssl == NULL || exp == NULL || len < sizeof(ip) + 3 * DTLS_EXPORT_LEN) { - return BAD_FUNC_ARG; - } - - if (ssl->ctx->CBGetPeer == NULL) { - WOLFSSL_MSG("No get peer call back set"); - return BAD_FUNC_ARG; - } - if (ssl->ctx->CBGetPeer(ssl, ip, &ipSz, &port, &fam) != SSL_SUCCESS) { - WOLFSSL_MSG("Get peer callback error"); - return SOCKET_ERROR_E; - } - - /* check that ipSz/fam is not negative or too large since user can set cb */ - if (ipSz < 0 || ipSz > DTLS_EXPORT_IP || fam < 0) { - WOLFSSL_MSG("Bad ipSz or fam returned from get peer callback"); - return SOCKET_ERROR_E; - } - - c16toa((word16)fam, exp + idx); idx += DTLS_EXPORT_LEN; - c16toa((word16)ipSz, exp + idx); idx += DTLS_EXPORT_LEN; - XMEMCPY(exp + idx, ip, ipSz); idx += ipSz; - c16toa(port, exp + idx); idx += DTLS_EXPORT_LEN; - - return idx; -} - - -static int ImportPeerInfo(WOLFSSL* ssl, byte* buf, word32 len, byte ver) -{ - word16 idx = 0; - word16 ipSz; - word16 fam; - word16 port; - char ip[DTLS_EXPORT_IP]; - - if (ver != DTLS_EXPORT_VERSION) { - WOLFSSL_MSG("Export version not supported"); - return BAD_FUNC_ARG; - } - - if (ssl == NULL || buf == NULL || len < 3 * DTLS_EXPORT_LEN) { - return BAD_FUNC_ARG; - } - - /* import sin family */ - ato16(buf + idx, &fam); idx += DTLS_EXPORT_LEN; - - /* import ip address idx, and ipSz are unsigned but cast for enum */ - ato16(buf + idx, &ipSz); idx += DTLS_EXPORT_LEN; - if (ipSz >= sizeof(ip) || (word16)(idx + ipSz + DTLS_EXPORT_LEN) > len) { - return BUFFER_E; - } - XMEMSET(ip, 0, sizeof(ip)); - XMEMCPY(ip, buf + idx, ipSz); idx += ipSz; - ip[ipSz] = '\0'; /* with check that ipSz less than ip this is valid */ - ato16(buf + idx, &port); idx += DTLS_EXPORT_LEN; - - /* sanity check for a function to call, then use it to import peer info */ - if (ssl->ctx->CBSetPeer == NULL) { - WOLFSSL_MSG("No set peer function"); - return BAD_FUNC_ARG; - } - if (ssl->ctx->CBSetPeer(ssl, ip, ipSz, port, fam) != SSL_SUCCESS) { - WOLFSSL_MSG("Error setting peer info"); - return SOCKET_ERROR_E; - } - - return idx; -} - - -/* WOLFSSL_LOCAL function that serializes the current WOLFSSL session - * buf is used to hold the serialized WOLFSSL struct and sz is the size of buf - * passed in. - * On success returns the size of serialized session.*/ -int wolfSSL_dtls_export_internal(WOLFSSL* ssl, byte* buf, word32 sz) -{ - int ret; - word32 idx = 0; - word32 totalLen = 0; - - WOLFSSL_ENTER("wolfSSL_dtls_export_internal"); - - if (buf == NULL || ssl == NULL) { - WOLFSSL_LEAVE("wolfSSL_dtls_export_internal", BAD_FUNC_ARG); - return BAD_FUNC_ARG; - } - - totalLen += DTLS_EXPORT_LEN * 2; /* 2 protocol bytes and 2 length bytes */ - /* each of the following have a 2 byte length before data */ - totalLen += DTLS_EXPORT_LEN + DTLS_EXPORT_OPT_SZ; - totalLen += DTLS_EXPORT_LEN + DTLS_EXPORT_KEY_SZ; - totalLen += DTLS_EXPORT_LEN + DTLS_EXPORT_SPC_SZ; - totalLen += DTLS_EXPORT_LEN + ssl->buffers.dtlsCtx.peer.sz; - - if (totalLen > sz) { - WOLFSSL_LEAVE("wolfSSL_dtls_export_internal", BUFFER_E); - return BUFFER_E; - } - - buf[idx++] = (byte)DTLS_EXPORT_PRO; - buf[idx++] = ((byte)DTLS_EXPORT_PRO & 0xF0) | - ((byte)DTLS_EXPORT_VERSION & 0X0F); - - idx += DTLS_EXPORT_LEN; /* leave spot for length */ - - c16toa((word16)DTLS_EXPORT_OPT_SZ, buf + idx); idx += DTLS_EXPORT_LEN; - if ((ret = dtls_export_new(ssl, buf + idx, sz - idx, - DTLS_EXPORT_VERSION)) < 0) { - WOLFSSL_LEAVE("wolfSSL_dtls_export_internal", ret); - return ret; - } - idx += ret; - - /* export keys struct and dtls state -- variable length stored in ret */ - idx += DTLS_EXPORT_LEN; /* leave room for length */ - if ((ret = ExportKeyState(ssl, buf + idx, sz - idx, - DTLS_EXPORT_VERSION)) < 0) { - WOLFSSL_LEAVE("wolfSSL_dtls_export_internal", ret); - return ret; - } - c16toa((word16)ret, buf + idx - DTLS_EXPORT_LEN); idx += ret; - - /* export of cipher specs struct */ - c16toa((word16)DTLS_EXPORT_SPC_SZ, buf + idx); idx += DTLS_EXPORT_LEN; - if ((ret = ExportCipherSpecState(ssl, buf + idx, sz - idx, - DTLS_EXPORT_VERSION)) < 0) { - WOLFSSL_LEAVE("wolfSSL_dtls_export_internal", ret); - return ret; - } - idx += ret; - - /* export of dtls peer information */ - idx += DTLS_EXPORT_LEN; - if ((ret = ExportPeerInfo(ssl, buf + idx, sz - idx, - DTLS_EXPORT_VERSION)) < 0) { - WOLFSSL_LEAVE("wolfSSL_dtls_export_internal", ret); - return ret; - } - c16toa(ret, buf + idx - DTLS_EXPORT_LEN); - idx += ret; - - /* place total length of exported buffer minus 2 bytes protocol/version */ - c16toa((word16)(idx - DTLS_EXPORT_LEN), buf + DTLS_EXPORT_LEN); - - /* if compiled with debug options then print the version, protocol, size */ -#ifdef WOLFSSL_SESSION_EXPORT_DEBUG - { - char debug[256]; - XSNPRINTF(debug, sizeof(debug), "Exporting DTLS session\n" - "\tVersion : %d\n\tProtocol : %02X%01X\n\tLength of: %d\n\n" - , (int)DTLS_EXPORT_VERSION, buf[0], (buf[1] >> 4), idx - 2); - WOLFSSL_MSG(debug); - } -#endif /* WOLFSSL_SESSION_EXPORT_DEBUG */ - - WOLFSSL_LEAVE("wolfSSL_dtls_export_internal", idx); - return idx; -} - - -/* On success return amount of buffer consumed */ -int wolfSSL_dtls_import_internal(WOLFSSL* ssl, byte* buf, word32 sz) -{ - word32 idx = 0; - word16 length = 0; - int version; - int ret; - - WOLFSSL_ENTER("wolfSSL_dtls_import_internal"); - /* check at least enough room for protocol and length */ - if (sz < DTLS_EXPORT_LEN * 2 || ssl == NULL) { - return BAD_FUNC_ARG; - } - - /* sanity check on protocol ID and size of buffer */ - if (buf[idx++] != (byte)DTLS_EXPORT_PRO || - (buf[idx] & 0xF0) != ((byte)DTLS_EXPORT_PRO & 0xF0)) { - /* don't increment on second idx to next get version */ - WOLFSSL_MSG("Incorrect protocol"); - return BAD_FUNC_ARG; - } - version = buf[idx++] & 0x0F; - - ato16(buf + idx, &length); idx += DTLS_EXPORT_LEN; - if (length > sz - DTLS_EXPORT_LEN) { /* subtract 2 for protocol */ - return BUFFER_E; - } - - /* if compiled with debug options then print the version, protocol, size */ -#ifdef WOLFSSL_SESSION_EXPORT_DEBUG - { - char debug[256]; - XSNPRINTF(debug, sizeof(debug), "Importing DTLS session\n" - "\tVersion : %d\n\tProtocol : %02X%01X\n\tLength of: %d\n\n" - , (int)version, buf[0], (buf[1] >> 4), length); - WOLFSSL_MSG(debug); - } -#endif /* WOLFSSL_SESSION_EXPORT_DEBUG */ - - /* perform sanity checks and extract Options information used */ - if (DTLS_EXPORT_LEN + DTLS_EXPORT_OPT_SZ + idx > sz) { - WOLFSSL_MSG("Import Options struct error"); - return BUFFER_E; - } - ato16(buf + idx, &length); idx += DTLS_EXPORT_LEN; - if (length != DTLS_EXPORT_OPT_SZ) { - WOLFSSL_MSG("Import Options struct error"); - return BUFFER_E; - } - if ((ret = dtls_export_load(ssl, buf + idx, length, version)) < 0) { - WOLFSSL_MSG("Import Options struct error"); - return ret; - } - idx += length; - - /* perform sanity checks and extract Keys struct */ - if (DTLS_EXPORT_LEN + idx > sz) { - WOLFSSL_MSG("Import Key struct error"); - return BUFFER_E; - } - ato16(buf + idx, &length); idx += DTLS_EXPORT_LEN; - if (length > DTLS_EXPORT_KEY_SZ || length + idx > sz) { - WOLFSSL_MSG("Import Key struct error"); - return BUFFER_E; - } - if ((ret = ImportKeyState(ssl, buf + idx, length, version)) < 0) { - WOLFSSL_MSG("Import Key struct error"); - return ret; - } - idx += ret; - - /* perform sanity checks and extract CipherSpecs struct */ - if (DTLS_EXPORT_LEN + DTLS_EXPORT_SPC_SZ + idx > sz) { - WOLFSSL_MSG("Import CipherSpecs struct error"); - return BUFFER_E; - } - ato16(buf + idx, &length); idx += DTLS_EXPORT_LEN; - if ( length != DTLS_EXPORT_SPC_SZ) { - WOLFSSL_MSG("Import CipherSpecs struct error"); - return BUFFER_E; - } - if ((ret = ImportCipherSpecState(ssl, buf + idx, length, version)) < 0) { - WOLFSSL_MSG("Import CipherSpecs struct error"); - return ret; - } - idx += ret; - - /* perform sanity checks and extract DTLS peer info */ - if (DTLS_EXPORT_LEN + idx > sz) { - WOLFSSL_MSG("Import DTLS peer info error"); - return BUFFER_E; - } - ato16(buf + idx, &length); idx += DTLS_EXPORT_LEN; - if (idx + length > sz) { - WOLFSSL_MSG("Import DTLS peer info error"); - return BUFFER_E; - } - if ((ret = ImportPeerInfo(ssl, buf + idx, length, version)) < 0) { - WOLFSSL_MSG("Import Peer Addr error"); - return ret; - } - idx += ret; - - SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE); - - /* set hmac function to use when verifying */ - if (ssl->options.tls == 1 || ssl->options.tls1_1 == 1 || - ssl->options.dtls == 1) { - ssl->hmac = TLS_hmac; - } - - /* make sure is a valid suite used */ - if (wolfSSL_get_cipher(ssl) == NULL) { - WOLFSSL_MSG("Can not match cipher suite imported"); - return MATCH_SUITE_ERROR; - } - - /* do not allow stream ciphers with DTLS */ - if (ssl->specs.cipher_type == stream) { - WOLFSSL_MSG("Can not import stream ciphers for DTLS"); - return SANITY_CIPHER_E; - } - - return idx; -} -#endif /* WOLFSSL_DTLS */ -#endif /* WOLFSSL_SESSION_EXPORT */ - - -void InitSSL_Method(WOLFSSL_METHOD* method, ProtocolVersion pv) -{ - method->version = pv; - method->side = WOLFSSL_CLIENT_END; - method->downgrade = 0; -} - - -/* Initialize SSL context, return 0 on success */ -int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) -{ - int ret = 0; - - XMEMSET(ctx, 0, sizeof(WOLFSSL_CTX)); - - ctx->method = method; - ctx->refCount = 1; /* so either CTX_free or SSL_free can release */ - ctx->heap = ctx; /* defaults to self */ - ctx->timeout = WOLFSSL_SESSION_TIMEOUT; - ctx->minDowngrade = TLSv1_MINOR; /* current default */ - - if (wc_InitMutex(&ctx->countMutex) < 0) { - WOLFSSL_MSG("Mutex error on CTX init"); - ctx->err = CTX_INIT_MUTEX_E; - return BAD_MUTEX_E; - } - -#ifndef NO_DH - ctx->minDhKeySz = MIN_DHKEY_SZ; -#endif -#ifndef NO_RSA - ctx->minRsaKeySz = MIN_RSAKEY_SZ; -#endif -#ifdef HAVE_ECC - ctx->minEccKeySz = MIN_ECCKEY_SZ; - ctx->eccTempKeySz = ECDHE_SIZE; -#endif - -#ifndef WOLFSSL_USER_IO - ctx->CBIORecv = EmbedReceive; - ctx->CBIOSend = EmbedSend; - #ifdef WOLFSSL_DTLS - if (method->version.major == DTLS_MAJOR) { - ctx->CBIORecv = EmbedReceiveFrom; - ctx->CBIOSend = EmbedSendTo; - } - #ifdef WOLFSSL_SESSION_EXPORT - ctx->CBGetPeer = EmbedGetPeer; - ctx->CBSetPeer = EmbedSetPeer; - #endif - #endif -#endif /* WOLFSSL_USER_IO */ - -#ifdef HAVE_NETX - ctx->CBIORecv = NetX_Receive; - ctx->CBIOSend = NetX_Send; -#endif - -#ifdef HAVE_NTRU - if (method->side == WOLFSSL_CLIENT_END) - ctx->haveNTRU = 1; /* always on cliet side */ - /* server can turn on by loading key */ -#endif -#ifdef HAVE_ECC - if (method->side == WOLFSSL_CLIENT_END) { - ctx->haveECDSAsig = 1; /* always on cliet side */ - ctx->haveECC = 1; /* server turns on with ECC key cert */ - ctx->haveStaticECC = 1; /* server can turn on by loading key */ - } -#endif - - ctx->devId = INVALID_DEVID; - -#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SCTP) - ctx->dtlsMtuSz = MAX_RECORD_SIZE; -#endif - -#ifndef NO_CERTS - ctx->cm = wolfSSL_CertManagerNew_ex(heap); - if (ctx->cm == NULL) { - WOLFSSL_MSG("Bad Cert Manager New"); - return BAD_CERT_MANAGER_ERROR; - } - #ifdef OPENSSL_EXTRA - /* setup WOLFSSL_X509_STORE */ - ctx->x509_store.cm = ctx->cm; - #endif -#endif - -#if defined(HAVE_EXTENDED_MASTER) && !defined(NO_WOLFSSL_CLIENT) - if (method->side == WOLFSSL_CLIENT_END) { - if ((method->version.major == SSLv3_MAJOR) && - (method->version.minor >= TLSv1_MINOR)) { - - ctx->haveEMS = 1; - } -#ifdef WOLFSSL_DTLS - if (method->version.major == DTLS_MAJOR) - ctx->haveEMS = 1; -#endif /* WOLFSSL_DTLS */ - } -#endif /* HAVE_EXTENDED_MASTER && !NO_WOLFSSL_CLIENT */ - -#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) - ctx->ticketHint = SESSION_TICKET_HINT_DEFAULT; -#endif - -#ifdef HAVE_WOLF_EVENT - ret = wolfEventQueue_Init(&ctx->event_queue); -#endif /* HAVE_WOLF_EVENT */ - - ctx->heap = heap; /* wolfSSL_CTX_load_static_memory sets */ - - return ret; -} - - -/* In case contexts are held in array and don't want to free actual ctx */ -void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) -{ -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - int i; -#endif - -#ifdef HAVE_WOLF_EVENT - wolfEventQueue_Free(&ctx->event_queue); -#endif /* HAVE_WOLF_EVENT */ - - XFREE(ctx->method, ctx->heap, DYNAMIC_TYPE_METHOD); - if (ctx->suites) - XFREE(ctx->suites, ctx->heap, DYNAMIC_TYPE_SUITES); - -#ifndef NO_DH - XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH_BUFFER); - XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH_BUFFER); -#endif /* !NO_DH */ - -#ifdef SINGLE_THREADED - if (ctx->rng) { - wc_FreeRng(ctx->rng); - XFREE(ctx->rng, ctx->heap, DYNAMIC_TYPE_RNG); - } -#endif /* SINGLE_THREADED */ - -#ifndef NO_CERTS - FreeDer(&ctx->privateKey); - FreeDer(&ctx->certificate); - #ifdef KEEP_OUR_CERT - if (ctx->ourCert && ctx->ownOurCert) { - FreeX509(ctx->ourCert); - XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); - } - #endif /* KEEP_OUR_CERT */ - FreeDer(&ctx->certChain); - wolfSSL_CertManagerFree(ctx->cm); - #ifdef OPENSSL_EXTRA - while (ctx->ca_names != NULL) { - WOLFSSL_STACK *next = ctx->ca_names->next; - wolfSSL_X509_NAME_free(ctx->ca_names->data.name); - XFREE(ctx->ca_names->data.name, NULL, DYNAMIC_TYPE_OPENSSL); - XFREE(ctx->ca_names, NULL, DYNAMIC_TYPE_OPENSSL); - ctx->ca_names = next; - } - #endif - #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - while (ctx->x509Chain != NULL) { - WOLFSSL_STACK *next = ctx->x509Chain->next; - wolfSSL_X509_free(ctx->x509Chain->data.x509); - XFREE(ctx->x509Chain, NULL, DYNAMIC_TYPE_OPENSSL); - ctx->x509Chain = next; - } - #endif -#endif /* !NO_CERTS */ - -#ifdef HAVE_TLS_EXTENSIONS - TLSX_FreeAll(ctx->extensions, ctx->heap); - -#ifndef NO_WOLFSSL_SERVER -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - if (ctx->certOcspRequest) { - FreeOcspRequest(ctx->certOcspRequest); - XFREE(ctx->certOcspRequest, ctx->heap, DYNAMIC_TYPE_OCSP_REQUEST); - } -#endif - -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - for (i = 0; i < MAX_CHAIN_DEPTH; i++) { - if (ctx->chainOcspRequest[i]) { - FreeOcspRequest(ctx->chainOcspRequest[i]); - XFREE(ctx->chainOcspRequest[i], ctx->heap, DYNAMIC_TYPE_OCSP_REQUEST); - } - } -#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ -#endif /* !NO_WOLFSSL_SERVER */ - -#endif /* HAVE_TLS_EXTENSIONS */ - -#ifdef WOLFSSL_STATIC_MEMORY - if (ctx->heap != NULL) { -#ifdef WOLFSSL_HEAP_TEST - /* avoid derefrencing a test value */ - if (ctx->heap != (void*)WOLFSSL_HEAP_TEST) -#endif - { - WOLFSSL_HEAP_HINT* hint = (WOLFSSL_HEAP_HINT*)(ctx->heap); - wc_FreeMutex(&((WOLFSSL_HEAP*)(hint->memory))->memory_mutex); - } - } -#endif /* WOLFSSL_STATIC_MEMORY */ -} - - -void FreeSSL_Ctx(WOLFSSL_CTX* ctx) -{ - int doFree = 0; - - if (wc_LockMutex(&ctx->countMutex) != 0) { - WOLFSSL_MSG("Couldn't lock count mutex"); - - /* check error state, if mutex error code then mutex init failed but - * CTX was still malloc'd */ - if (ctx->err == CTX_INIT_MUTEX_E) { - SSL_CtxResourceFree(ctx); - XFREE(ctx, ctx->heap, DYNAMIC_TYPE_CTX); - } - return; - } - ctx->refCount--; - if (ctx->refCount == 0) - doFree = 1; - wc_UnLockMutex(&ctx->countMutex); - - if (doFree) { - WOLFSSL_MSG("CTX ref count down to 0, doing full free"); - SSL_CtxResourceFree(ctx); - wc_FreeMutex(&ctx->countMutex); - XFREE(ctx, ctx->heap, DYNAMIC_TYPE_CTX); - } - else { - (void)ctx; - WOLFSSL_MSG("CTX ref count not 0 yet, no free"); - } -} - - -/* Set cipher pointers to null */ -void InitCiphers(WOLFSSL* ssl) -{ -#ifdef BUILD_ARC4 - ssl->encrypt.arc4 = NULL; - ssl->decrypt.arc4 = NULL; -#endif -#ifdef BUILD_DES3 - ssl->encrypt.des3 = NULL; - ssl->decrypt.des3 = NULL; -#endif -#ifdef BUILD_AES - ssl->encrypt.aes = NULL; - ssl->decrypt.aes = NULL; -#endif -#ifdef HAVE_CAMELLIA - ssl->encrypt.cam = NULL; - ssl->decrypt.cam = NULL; -#endif -#ifdef HAVE_HC128 - ssl->encrypt.hc128 = NULL; - ssl->decrypt.hc128 = NULL; -#endif -#ifdef BUILD_RABBIT - ssl->encrypt.rabbit = NULL; - ssl->decrypt.rabbit = NULL; -#endif -#ifdef HAVE_CHACHA - ssl->encrypt.chacha = NULL; - ssl->decrypt.chacha = NULL; -#endif -#ifdef HAVE_POLY1305 - ssl->auth.poly1305 = NULL; -#endif - ssl->encrypt.setup = 0; - ssl->decrypt.setup = 0; -#ifdef HAVE_ONE_TIME_AUTH - ssl->auth.setup = 0; -#endif -#ifdef HAVE_IDEA - ssl->encrypt.idea = NULL; - ssl->decrypt.idea = NULL; -#endif -} - - -/* Free ciphers */ -void FreeCiphers(WOLFSSL* ssl) -{ - (void)ssl; -#ifdef BUILD_ARC4 - wc_Arc4Free(ssl->encrypt.arc4); - wc_Arc4Free(ssl->decrypt.arc4); - XFREE(ssl->encrypt.arc4, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.arc4, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef BUILD_DES3 - wc_Des3Free(ssl->encrypt.des3); - wc_Des3Free(ssl->decrypt.des3); - XFREE(ssl->encrypt.des3, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.des3, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef BUILD_AES - wc_AesFree(ssl->encrypt.aes); - wc_AesFree(ssl->decrypt.aes); - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - XFREE(ssl->decrypt.additional, ssl->heap, DYNAMIC_TYPE_AES); - XFREE(ssl->decrypt.nonce, ssl->heap, DYNAMIC_TYPE_AES); - XFREE(ssl->encrypt.additional, ssl->heap, DYNAMIC_TYPE_AES); - XFREE(ssl->encrypt.nonce, ssl->heap, DYNAMIC_TYPE_AES); - #endif - XFREE(ssl->encrypt.aes, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.aes, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef HAVE_CAMELLIA - XFREE(ssl->encrypt.cam, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.cam, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef HAVE_HC128 - XFREE(ssl->encrypt.hc128, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.hc128, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef BUILD_RABBIT - XFREE(ssl->encrypt.rabbit, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.rabbit, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef HAVE_CHACHA - XFREE(ssl->encrypt.chacha, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.chacha, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef HAVE_POLY1305 - XFREE(ssl->auth.poly1305, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -#ifdef HAVE_IDEA - XFREE(ssl->encrypt.idea, ssl->heap, DYNAMIC_TYPE_CIPHER); - XFREE(ssl->decrypt.idea, ssl->heap, DYNAMIC_TYPE_CIPHER); -#endif -} - - -void InitCipherSpecs(CipherSpecs* cs) -{ - cs->bulk_cipher_algorithm = INVALID_BYTE; - cs->cipher_type = INVALID_BYTE; - cs->mac_algorithm = INVALID_BYTE; - cs->kea = INVALID_BYTE; - cs->sig_algo = INVALID_BYTE; - - cs->hash_size = 0; - cs->static_ecdh = 0; - cs->key_size = 0; - cs->iv_size = 0; - cs->block_size = 0; -} - -static void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, - int haveRSAsig, int haveAnon, int tls1_2) -{ - int idx = 0; - - (void)tls1_2; - - if (haveECDSAsig) { - #ifdef WOLFSSL_SHA512 - suites->hashSigAlgo[idx++] = sha512_mac; - suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; - #endif - #ifdef WOLFSSL_SHA384 - suites->hashSigAlgo[idx++] = sha384_mac; - suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; - #endif - #ifndef NO_SHA256 - suites->hashSigAlgo[idx++] = sha256_mac; - suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; - #endif - #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) - suites->hashSigAlgo[idx++] = sha_mac; - suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; - #endif - } - - if (haveRSAsig) { - #ifdef WC_RSA_PSS - if (tls1_2) { - #ifdef WOLFSSL_SHA512 - suites->hashSigAlgo[idx++] = rsa_pss_sa_algo; - suites->hashSigAlgo[idx++] = sha512_mac; - #endif - #ifdef WOLFSSL_SHA384 - suites->hashSigAlgo[idx++] = rsa_pss_sa_algo; - suites->hashSigAlgo[idx++] = sha384_mac; - #endif - #ifndef NO_SHA256 - suites->hashSigAlgo[idx++] = rsa_pss_sa_algo; - suites->hashSigAlgo[idx++] = sha256_mac; - #endif - } - #endif - #ifdef WOLFSSL_SHA512 - suites->hashSigAlgo[idx++] = sha512_mac; - suites->hashSigAlgo[idx++] = rsa_sa_algo; - #endif - #ifdef WOLFSSL_SHA384 - suites->hashSigAlgo[idx++] = sha384_mac; - suites->hashSigAlgo[idx++] = rsa_sa_algo; - #endif - #ifndef NO_SHA256 - suites->hashSigAlgo[idx++] = sha256_mac; - suites->hashSigAlgo[idx++] = rsa_sa_algo; - #endif - #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) - suites->hashSigAlgo[idx++] = sha_mac; - suites->hashSigAlgo[idx++] = rsa_sa_algo; - #endif - } - - if (haveAnon) { - #ifdef HAVE_ANON - suites->hashSigAlgo[idx++] = sha_mac; - suites->hashSigAlgo[idx++] = anonymous_sa_algo; - #endif - } - - suites->hashSigAlgoSz = (word16)idx; -} - -void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, - word16 havePSK, word16 haveDH, word16 haveNTRU, - word16 haveECDSAsig, word16 haveECC, - word16 haveStaticECC, int side) -{ - word16 idx = 0; - int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR; - int tls1_2 = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_2_MINOR; -#ifdef WOLFSSL_TLS13 - int tls1_3 = IsAtLeastTLSv1_3(pv); -#endif - int dtls = 0; - int haveRSAsig = 1; - - (void)tls; /* shut up compiler */ - (void)tls1_2; - (void)dtls; - (void)haveDH; - (void)havePSK; - (void)haveNTRU; - (void)haveStaticECC; - (void)haveECC; - - if (suites == NULL) { - WOLFSSL_MSG("InitSuites pointer error"); - return; - } - - if (suites->setSuites) - return; /* trust user settings, don't override */ - - if (side == WOLFSSL_SERVER_END && haveStaticECC) { - haveRSA = 0; /* can't do RSA with ECDSA key */ - (void)haveRSA; /* some builds won't read */ - } - - if (side == WOLFSSL_SERVER_END && haveECDSAsig) { - haveRSAsig = 0; /* can't have RSA sig if signed by ECDSA */ - (void)haveRSAsig; /* non ecc builds won't read */ - } - -#ifdef WOLFSSL_DTLS - if (pv.major == DTLS_MAJOR) { - dtls = 1; - tls = 1; - /* May be dead assignments dependant upon configuration */ - (void) dtls; - (void) tls; - tls1_2 = pv.minor <= DTLSv1_2_MINOR; - } -#endif - -#ifdef HAVE_RENEGOTIATION_INDICATION - if (side == WOLFSSL_CLIENT_END) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV; - } -#endif - -#ifdef BUILD_TLS_QSH - if (tls) { - suites->suites[idx++] = QSH_BYTE; - suites->suites[idx++] = TLS_QSH; - } -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA - if (tls && haveNTRU && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_NTRU_RSA_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA - if (tls && haveNTRU && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_NTRU_RSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA - if (!dtls && tls && haveNTRU && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_NTRU_RSA_WITH_RC4_128_SHA; - } -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveNTRU && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - -#ifdef WOLFSSL_TLS13 -#ifdef BUILD_TLS_AES_128_GCM_SHA256 - if (tls1_3) { - suites->suites[idx++] = TLS13_BYTE; - suites->suites[idx++] = TLS_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_AES_256_GCM_SHA384 - if (tls1_3) { - suites->suites[idx++] = TLS13_BYTE; - suites->suites[idx++] = TLS_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_CHACHA20_POLY1305_SHA256 - if (tls1_3) { - suites->suites[idx++] = TLS13_BYTE; - suites->suites[idx++] = TLS_CHACHA20_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_AES_128_CCM_SHA256 - if (tls1_3) { - suites->suites[idx++] = TLS13_BYTE; - suites->suites[idx++] = TLS_AES_128_CCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_AES_128_CCM_8_SHA256 - if (tls1_3) { - suites->suites[idx++] = TLS13_BYTE; - suites->suites[idx++] = TLS_AES_128_CCM_8_SHA256; - } -#endif -#endif /* WOLFSSL_TLS13 */ - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveDH && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveDH && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384 - if (tls1_2 && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_AES_256_GCM_SHA384; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256 - if (tls1_2 && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_AES_128_GCM_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - if (tls1_2 && haveECC) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256; - } -#endif - -/* Place as higher priority for MYSQL */ -#if defined(WOLFSSL_MYSQL_COMPATIBLE) -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA; - } -#endif -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - if (tls1_2 && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 - if (tls1_2 && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - if (tls1_2 && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - if (tls1_2 && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - if (tls1_2 && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - if (tls1_2 && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - if (tls && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - if (tls && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - if (tls && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - if (tls && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - if (!dtls && tls && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - if (!dtls && tls && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveECC && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - if (tls && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - if (tls && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - if (tls && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - if (tls && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA - if (!dtls && tls && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_RC4_128_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA - if (!dtls && tls && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_RC4_128_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveRSAsig && haveStaticECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM - if (tls1_2 && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 - if (tls1_2 && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 - if (tls1_2 && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_RSA_WITH_AES_128_CCM_8; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_RSA_WITH_AES_256_CCM_8; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256; - } -#endif - -/* Place as higher priority for MYSQL testing */ -#if !defined(WOLFSSL_MYSQL_COMPATIBLE) -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA; - } -#endif -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - if (tls1_2 && haveECC) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = - TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - if (tls1_2 && haveRSA) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA - if (tls && haveECC) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_NULL_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_NULL_SHA - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256 - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA256; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA - if (tls && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 - if (tls && haveDH && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_CBC_SHA384; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384 - if (tls && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_AES_256_CBC_SHA384; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - if (tls && haveDH && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 - if (tls && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA - if (tls && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM - if (tls && haveDH && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_CCM; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CCM - if (tls && haveDH && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_CCM; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 - if (tls && havePSK) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_PSK_WITH_CHACHA20_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - if (tls && havePSK) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - if (tls && havePSK) { - suites->suites[idx++] = CHACHA_BYTE; - suites->suites[idx++] = TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256; - } -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 - if (tls && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM - if (tls && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_PSK_WITH_AES_128_CCM; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM - if (tls && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_PSK_WITH_AES_256_CCM; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8 - if (tls && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_PSK_WITH_AES_128_CCM_8; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8 - if (tls && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_PSK_WITH_AES_256_CCM_8; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384 - if (tls && haveDH && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_PSK_WITH_NULL_SHA384; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA384 - if (tls && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA384; - } -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256 - if (tls && havePSK) { - suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_PSK_WITH_NULL_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256 - if (tls && haveDH && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_PSK_WITH_NULL_SHA256; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256 - if (tls && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA256; - } -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA - if (tls && havePSK) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA; - } -#endif - -#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA - if (!dtls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = SSL_RSA_WITH_RC4_128_SHA; - } -#endif - -#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5 - if (!dtls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = SSL_RSA_WITH_RC4_128_MD5; - } -#endif - -#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA - if (haveRSA ) { - suites->suites[idx++] = 0; - suites->suites[idx++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_MD5 - if (!dtls && tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_HC_128_MD5; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_SHA - if (!dtls && tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_HC_128_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_B2B256 - if (!dtls && tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_HC_128_B2B256; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256 - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_B2B256; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256 - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_B2B256; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_RABBIT_SHA - if (!dtls && tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_RABBIT_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - if (tls && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256; - } -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - if (tls && haveDH && haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256; - } -#endif - -#ifdef BUILD_SSL_RSA_WITH_IDEA_CBC_SHA - if (haveRSA) { - suites->suites[idx++] = 0; - suites->suites[idx++] = SSL_RSA_WITH_IDEA_CBC_SHA; - } -#endif - - suites->suiteSz = idx; - - InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig, 0, tls1_2); -} - -#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS) -/* Decode the signature algorithm. - * - * input The encoded signature algorithm. - * hashalgo The hash algorithm. - * hsType The signature type. - */ -static INLINE void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsType) -{ - switch (input[0]) { - #ifdef WC_RSA_PSS - case rsa_pss_sa_algo: - /* PSS signatures: 0x080[4-6] */ - if (input[1] <= sha512_mac) { - *hsType = input[0]; - *hashAlgo = input[1]; - } - break; - #endif - /* ED25519: 0x0807 */ - /* ED448: 0x0808 */ - default: - *hashAlgo = input[0]; - *hsType = input[1]; - break; - } -} -#endif /* !NO_WOLFSSL_SERVER || !NO_CERTS */ - -#if !defined(NO_DH) || defined(HAVE_ECC) - -static enum wc_HashType HashType(int hashAlgo) -{ - switch (hashAlgo) { - #ifdef WOLFSSL_SHA512 - case sha512_mac: - return WC_HASH_TYPE_SHA512; - #endif - #ifdef WOLFSSL_SHA384 - case sha384_mac: - return WC_HASH_TYPE_SHA384; - #endif - #ifndef NO_SHA256 - case sha256_mac: - return WC_HASH_TYPE_SHA256; - #endif - #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) - case sha_mac: - return WC_HASH_TYPE_SHA; - #endif - default: - WOLFSSL_MSG("Bad hash sig algo"); - break; - } - - return WC_HASH_TYPE_NONE; -} - -#ifndef NO_CERTS - - -void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag) -{ - (void)dynamicFlag; - - if (name != NULL) { - name->name = name->staticName; - name->dynamicName = 0; -#ifdef OPENSSL_EXTRA - XMEMSET(&name->fullName, 0, sizeof(DecodedName)); - XMEMSET(&name->cnEntry, 0, sizeof(WOLFSSL_X509_NAME_ENTRY)); - name->cnEntry.value = &(name->cnEntry.data); /* point to internal data*/ - name->x509 = NULL; -#endif /* OPENSSL_EXTRA */ - } -} - - -void FreeX509Name(WOLFSSL_X509_NAME* name, void* heap) -{ - if (name != NULL) { - if (name->dynamicName) - XFREE(name->name, heap, DYNAMIC_TYPE_SUBJECT_CN); -#ifdef OPENSSL_EXTRA - if (name->fullName.fullName != NULL) - XFREE(name->fullName.fullName, heap, DYNAMIC_TYPE_X509); -#endif /* OPENSSL_EXTRA */ - } - (void)heap; -} - - -/* Initialize wolfSSL X509 type */ -void InitX509(WOLFSSL_X509* x509, int dynamicFlag, void* heap) -{ - if (x509 == NULL) { - WOLFSSL_MSG("Null parameter passed in!"); - return; - } - - XMEMSET(x509, 0, sizeof(WOLFSSL_X509)); - - x509->heap = heap; - InitX509Name(&x509->issuer, 0); - InitX509Name(&x509->subject, 0); - x509->version = 0; - x509->pubKey.buffer = NULL; - x509->sig.buffer = NULL; - x509->derCert = NULL; - x509->altNames = NULL; - x509->altNamesNext = NULL; - x509->dynamicMemory = (byte)dynamicFlag; - x509->isCa = 0; -#ifdef HAVE_ECC - x509->pkCurveOID = 0; -#endif /* HAVE_ECC */ -#ifdef OPENSSL_EXTRA - x509->pathLength = 0; - x509->basicConstSet = 0; - x509->basicConstCrit = 0; - x509->basicConstPlSet = 0; - x509->subjAltNameSet = 0; - x509->subjAltNameCrit = 0; - x509->authKeyIdSet = 0; - x509->authKeyIdCrit = 0; - x509->authKeyId = NULL; - x509->authKeyIdSz = 0; - x509->subjKeyIdSet = 0; - x509->subjKeyIdCrit = 0; - x509->subjKeyId = NULL; - x509->subjKeyIdSz = 0; - x509->keyUsageSet = 0; - x509->keyUsageCrit = 0; - x509->keyUsage = 0; - #ifdef WOLFSSL_SEP - x509->certPolicySet = 0; - x509->certPolicyCrit = 0; - #endif /* WOLFSSL_SEP */ -#endif /* OPENSSL_EXTRA */ -} - - -/* Free wolfSSL X509 type */ -void FreeX509(WOLFSSL_X509* x509) -{ - if (x509 == NULL) - return; - - FreeX509Name(&x509->issuer, x509->heap); - FreeX509Name(&x509->subject, x509->heap); - if (x509->pubKey.buffer) - XFREE(x509->pubKey.buffer, x509->heap, DYNAMIC_TYPE_PUBLIC_KEY); - FreeDer(&x509->derCert); - XFREE(x509->sig.buffer, x509->heap, DYNAMIC_TYPE_SIGNATURE); - #ifdef OPENSSL_EXTRA - XFREE(x509->authKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); - XFREE(x509->subjKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); - if (x509->authInfo != NULL) { - XFREE(x509->authInfo, x509->heap, DYNAMIC_TYPE_X509_EXT); - } - if (x509->extKeyUsageSrc != NULL) { - XFREE(x509->extKeyUsageSrc, x509->heap, DYNAMIC_TYPE_X509_EXT); - } - #endif /* OPENSSL_EXTRA */ - if (x509->altNames) - FreeAltNames(x509->altNames, NULL); -} - -#endif /* !NO_DH || HAVE_ECC */ - -#if !defined(NO_RSA) || defined(HAVE_ECC) -/* Encode the signature algorithm into buffer. - * - * hashalgo The hash algorithm. - * hsType The signature type. - * output The buffer to encode into. - */ -static INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output) -{ - switch (hsType) { -#ifdef HAVE_ECC - case ecc_dsa_sa_algo: - output[0] = hashAlgo; - output[1] = ecc_dsa_sa_algo; - break; -#endif -#ifndef NO_RSA - case rsa_sa_algo: - output[0] = hashAlgo; - output[1] = rsa_sa_algo; - break; - #ifdef WC_RSA_PSS - /* PSS signatures: 0x080[4-6] */ - case rsa_pss_sa_algo: - output[0] = rsa_pss_sa_algo; - output[1] = hashAlgo; - break; - #endif -#endif - /* ED25519: 0x0807 */ - /* ED448: 0x0808 */ - } -} -static void SetDigest(WOLFSSL* ssl, int hashAlgo) -{ - switch (hashAlgo) { - #ifndef NO_SHA - case sha_mac: - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha; - ssl->buffers.digest.length = SHA_DIGEST_SIZE; - break; - #endif /* !NO_SHA */ - #ifndef NO_SHA256 - case sha256_mac: - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha256; - ssl->buffers.digest.length = SHA256_DIGEST_SIZE; - break; - #endif /* !NO_SHA256 */ - #ifdef WOLFSSL_SHA384 - case sha384_mac: - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha384; - ssl->buffers.digest.length = SHA384_DIGEST_SIZE; - break; - #endif /* WOLFSSL_SHA384 */ - #ifdef WOLFSSL_SHA512 - case sha512_mac: - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha512; - ssl->buffers.digest.length = SHA512_DIGEST_SIZE; - break; - #endif /* WOLFSSL_SHA512 */ - } /* switch */ -} -#endif - -#ifndef NO_RSA -static int TypeHash(int hashAlgo) -{ - switch (hashAlgo) { - #ifdef WOLFSSL_SHA512 - case sha512_mac: - return SHA512h; - #endif - #ifdef WOLFSSL_SHA384 - case sha384_mac: - return SHA384h; - #endif - #ifndef NO_SHA256 - case sha256_mac: - return SHA256h; - #endif - #ifndef NO_SHA - case sha_mac: - return SHAh; - #endif - } - - return 0; -} - -#if defined(WC_RSA_PSS) -static int ConvertHashPss(int hashAlgo, enum wc_HashType* hashType, int* mgf) { - switch (hashAlgo) { - #ifdef WOLFSSL_SHA512 - case sha512_mac: - *hashType = WC_HASH_TYPE_SHA512; - if (mgf != NULL) - *mgf = WC_MGF1SHA512; - break; - #endif - #ifdef WOLFSSL_SHA384 - case sha384_mac: - *hashType = WC_HASH_TYPE_SHA384; - if (mgf != NULL) - *mgf = WC_MGF1SHA384; - break; - #endif - #ifndef NO_SHA256 - case sha256_mac: - *hashType = WC_HASH_TYPE_SHA256; - if (mgf != NULL) - *mgf = WC_MGF1SHA256; - break; - #endif - default: - return BAD_FUNC_ARG; - } - - return 0; -} -#endif - -int RsaSign(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out, - word32* outSz, int sigAlgo, int hashAlgo, RsaKey* key, - const byte* keyBuf, word32 keySz, void* ctx) -{ - int ret; - - (void)ssl; - (void)keyBuf; - (void)keySz; - (void)ctx; - (void)sigAlgo; - (void)hashAlgo; - - WOLFSSL_ENTER("RsaSign"); - -#if defined(WC_RSA_PSS) - if (sigAlgo == rsa_pss_sa_algo) { - enum wc_HashType hashType = WC_HASH_TYPE_NONE; - int mgf = 0; - - ret = ConvertHashPss(hashAlgo, &hashType, &mgf); - if (ret != 0) - return ret; - - #if defined(HAVE_PK_CALLBACKS) - if (ssl->ctx->RsaPssSignCb) { - ret = ssl->ctx->RsaPssSignCb(ssl, in, inSz, out, outSz, - TypeHash(hashAlgo), mgf, - keyBuf, keySz, ctx); - } - else - #endif - { - ret = wc_RsaPSS_Sign(in, inSz, out, *outSz, hashType, mgf, key, - ssl->rng); - } - } - else -#endif -#if defined(HAVE_PK_CALLBACKS) - if (ssl->ctx->RsaSignCb) { - ret = ssl->ctx->RsaSignCb(ssl, in, inSz, out, outSz, keyBuf, keySz, - ctx); - } - else -#endif /*HAVE_PK_CALLBACKS */ - ret = wc_RsaSSL_Sign(in, inSz, out, *outSz, key, ssl->rng); - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - /* For positive response return in outSz */ - if (ret > 0) { - *outSz = ret; - ret = 0; - } - - WOLFSSL_LEAVE("RsaSign", ret); - - return ret; -} - -int RsaVerify(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, int sigAlgo, - int hashAlgo, RsaKey* key, const byte* keyBuf, word32 keySz, - void* ctx) -{ - int ret; - - (void)ssl; - (void)keyBuf; - (void)keySz; - (void)ctx; - (void)sigAlgo; - (void)hashAlgo; - - WOLFSSL_ENTER("RsaVerify"); - -#if defined(WC_RSA_PSS) - if (sigAlgo == rsa_pss_sa_algo) { - enum wc_HashType hashType = WC_HASH_TYPE_NONE; - int mgf = 0; - - ret = ConvertHashPss(hashAlgo, &hashType, &mgf); - if (ret != 0) - return ret; -#ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->RsaPssVerifyCb) { - ret = ssl->ctx->RsaPssVerifyCb(ssl, in, inSz, out, - TypeHash(hashAlgo), mgf, - keyBuf, keySz, ctx); - } - else -#endif /*HAVE_PK_CALLBACKS */ - ret = wc_RsaPSS_VerifyInline(in, inSz, out, hashType, mgf, key); - } - else -#endif -#ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->RsaVerifyCb) { - ret = ssl->ctx->RsaVerifyCb(ssl, in, inSz, out, keyBuf, keySz, ctx); - } - else -#endif /*HAVE_PK_CALLBACKS */ - { - ret = wc_RsaSSL_VerifyInline(in, inSz, out, key); - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("RsaVerify", ret); - - return ret; -} - -/* Verify RSA signature, 0 on success */ -int VerifyRsaSign(WOLFSSL* ssl, byte* verifySig, word32 sigSz, - const byte* plain, word32 plainSz, int sigAlgo, int hashAlgo, RsaKey* key) -{ - byte* out = NULL; /* inline result */ - int ret; - - (void)ssl; - (void)sigAlgo; - (void)hashAlgo; - - WOLFSSL_ENTER("VerifyRsaSign"); - - if (verifySig == NULL || plain == NULL || key == NULL) { - return BAD_FUNC_ARG; - } - - if (sigSz > ENCRYPT_LEN) { - WOLFSSL_MSG("Signature buffer too big"); - return BUFFER_E; - } - -#if defined(WC_RSA_PSS) - if (sigAlgo == rsa_pss_sa_algo) { - enum wc_HashType hashType = WC_HASH_TYPE_NONE; - int mgf = 0; - - ret = ConvertHashPss(hashAlgo, &hashType, &mgf); - if (ret != 0) - return ret; - ret = wc_RsaPSS_VerifyInline(verifySig, sigSz, &out, hashType, mgf, - key); - if (ret > 0) - ret = wc_RsaPSS_CheckPadding(plain, plainSz, out, ret, hashType); - if (ret != 0) - ret = VERIFY_CERT_ERROR; - } - else -#endif - { - ret = wc_RsaSSL_VerifyInline(verifySig, sigSz, &out, key); - if (ret > 0) { - if (ret != (int)plainSz || !out || - XMEMCMP(plain, out, plainSz) != 0) { - WOLFSSL_MSG("RSA Signature verification failed"); - ret = RSA_SIGN_FAULT; - } else { - ret = 0; /* RSA reset */ - } - } - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("VerifyRsaSign", ret); - - return ret; -} - -int RsaDec(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, word32* outSz, - RsaKey* key, const byte* keyBuf, word32 keySz, void* ctx) -{ - int ret; - - (void)ssl; - (void)keyBuf; - (void)keySz; - (void)ctx; - - WOLFSSL_ENTER("RsaDec"); - -#ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->RsaDecCb) { - ret = ssl->ctx->RsaDecCb(ssl, in, inSz, out, keyBuf, keySz, - ctx); - } - else -#endif /* HAVE_PK_CALLBACKS */ - { - #ifdef WC_RSA_BLINDING - ret = wc_RsaSetRNG(key, ssl->rng); - if (ret != 0) - return ret; - #endif - ret = wc_RsaPrivateDecryptInline(in, inSz, out, key); - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - /* For positive response return in outSz */ - if (ret > 0) { - *outSz = ret; - ret = 0; - } - - WOLFSSL_LEAVE("RsaDec", ret); - - return ret; -} - -int RsaEnc(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out, word32* outSz, - RsaKey* key, const byte* keyBuf, word32 keySz, void* ctx) -{ - int ret; - - (void)ssl; - (void)keyBuf; - (void)keySz; - (void)ctx; - - WOLFSSL_ENTER("RsaEnc"); - -#ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->RsaEncCb) { - ret = ssl->ctx->RsaEncCb(ssl, in, inSz, out, outSz, keyBuf, keySz, - ctx); - } - else -#endif /* HAVE_PK_CALLBACKS */ - { - ret = wc_RsaPublicEncrypt(in, inSz, out, *outSz, key, ssl->rng); - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - /* For positive response return in outSz */ - if (ret > 0) { - *outSz = ret; - ret = 0; - } - - WOLFSSL_LEAVE("RsaEnc", ret); - - return ret; -} - -#endif /* NO_RSA */ - -#ifdef HAVE_ECC - -int EccSign(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out, - word32* outSz, ecc_key* key, byte* keyBuf, word32 keySz, void* ctx) -{ - int ret; - - (void)ssl; - (void)keyBuf; - (void)keySz; - (void)ctx; - - WOLFSSL_ENTER("EccSign"); - -#if defined(HAVE_PK_CALLBACKS) - if (ssl->ctx->EccSignCb) { - ret = ssl->ctx->EccSignCb(ssl, in, inSz, out, outSz, keyBuf, - keySz, ctx); - } - else -#endif /* HAVE_PK_CALLBACKS */ - { - ret = wc_ecc_sign_hash(in, inSz, out, outSz, ssl->rng, key); - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("EccSign", ret); - - return ret; -} - -int EccVerify(WOLFSSL* ssl, const byte* in, word32 inSz, const byte* out, - word32 outSz, ecc_key* key, byte* keyBuf, word32 keySz, - void* ctx) -{ - int ret; - - (void)ssl; - (void)keyBuf; - (void)keySz; - (void)ctx; - - WOLFSSL_ENTER("EccVerify"); - -#ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->EccVerifyCb) { - ret = ssl->ctx->EccVerifyCb(ssl, in, inSz, out, outSz, keyBuf, keySz, - &ssl->eccVerifyRes, ctx); - } - else -#endif /* HAVE_PK_CALLBACKS */ - { - ret = wc_ecc_verify_hash(in, inSz, out, outSz, &ssl->eccVerifyRes, key); - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - } - else -#endif /* WOLFSSL_ASYNC_CRYPT */ - { - ret = (ret != 0 || ssl->eccVerifyRes == 0) ? VERIFY_SIGN_ERROR : 0; - } - - WOLFSSL_LEAVE("EccVerify", ret); - - return ret; -} - -#ifdef HAVE_PK_CALLBACKS - /* Gets ECC key for shared secret callback testing - * Client side: returns peer key - * Server side: returns private key - */ - static int EccGetKey(WOLFSSL* ssl, ecc_key** otherKey) - { - int ret = NO_PEER_KEY; - ecc_key* tmpKey = NULL; - - if (ssl == NULL || otherKey == NULL) { - return BAD_FUNC_ARG; - } - - if (ssl->options.side == WOLFSSL_CLIENT_END) { - if (ssl->specs.static_ecdh) { - if (!ssl->peerEccDsaKey || !ssl->peerEccDsaKeyPresent || - !ssl->peerEccDsaKey->dp) { - return NO_PEER_KEY; - } - tmpKey = (struct ecc_key*)ssl->peerEccDsaKey; - } - else { - if (!ssl->peerEccKey || !ssl->peerEccKeyPresent || - !ssl->peerEccKey->dp) { - return NO_PEER_KEY; - } - tmpKey = (struct ecc_key*)ssl->peerEccKey; - } - } - else if (ssl->options.side == WOLFSSL_SERVER_END) { - if (ssl->specs.static_ecdh) { - if (ssl->hsKey == NULL) { - return NO_PRIVATE_KEY; - } - tmpKey = (struct ecc_key*)ssl->hsKey; - } - else { - if (!ssl->eccTempKeyPresent) { - return NO_PRIVATE_KEY; - } - tmpKey = (struct ecc_key*)ssl->eccTempKey; - } - } - - if (tmpKey) { - *otherKey = tmpKey; - ret = 0; - } - - return ret; - } -#endif /* HAVE_PK_CALLBACKS */ - -int EccSharedSecret(WOLFSSL* ssl, ecc_key* priv_key, ecc_key* pub_key, - byte* pubKeyDer, word32* pubKeySz, byte* out, word32* outlen, - int side, void* ctx) -{ - int ret; - - (void)ssl; - (void)pubKeyDer; - (void)pubKeySz; - (void)side; - (void)ctx; - - WOLFSSL_ENTER("EccSharedSecret"); - -#ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->EccSharedSecretCb) { - ecc_key* otherKey = NULL; - - ret = EccGetKey(ssl, &otherKey); - if (ret == 0) { - ret = ssl->ctx->EccSharedSecretCb(ssl, otherKey, pubKeyDer, - pubKeySz, out, outlen, side, ctx); - } - } - else -#endif - { - ret = wc_ecc_shared_secret(priv_key, pub_key, out, outlen); - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &priv_key->asyncDev, - WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("EccSharedSecret", ret); - - return ret; -} - -int EccMakeKey(WOLFSSL* ssl, ecc_key* key, ecc_key* peer) -{ - int ret = 0; - int keySz = 0; - - WOLFSSL_ENTER("EccMakeKey"); - - if (peer == NULL) { - keySz = ssl->eccTempKeySz; - } - else { - keySz = peer->dp->size; - } - - if (ssl->ecdhCurveOID > 0) { - ret = wc_ecc_make_key_ex(ssl->rng, keySz, key, - wc_ecc_get_oid(ssl->ecdhCurveOID, NULL, NULL)); - } - else { - ret = wc_ecc_make_key(ssl->rng, keySz, key); - if (ret == 0) - ssl->ecdhCurveOID = key->dp->oidSum; - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_NONE); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("EccMakeKey", ret); - - return ret; -} - - -#ifdef HAVE_CURVE25519 -#ifdef HAVE_PK_CALLBACKS - /* Gets X25519 key for shared secret callback testing - * Client side: returns peer key - * Server side: returns private key - */ - static int X25519GetKey(WOLFSSL* ssl, curve25519_key** otherKey) - { - int ret = NO_PEER_KEY; - struct curve25519_key* tmpKey = NULL; - - if (ssl == NULL || otherKey == NULL) { - return BAD_FUNC_ARG; - } - - if (ssl->options.side == WOLFSSL_CLIENT_END) { - if (!ssl->peerX25519Key || !ssl->peerX25519KeyPresent || - !ssl->peerX25519Key->dp) { - return NO_PEER_KEY; - } - tmpKey = (struct curve25519_key*)ssl->peerX25519Key; - } - else if (ssl->options.side == WOLFSSL_SERVER_END) { - if (!ssl->eccTempKeyPresent) { - return NO_PRIVATE_KEY; - } - tmpKey = (struct curve25519_key*)ssl->eccTempKey; - } - - if (tmpKey) { - *otherKey = (curve25519_key *)tmpKey; - ret = 0; - } - - return ret; - } -#endif /* HAVE_PK_CALLBACKS */ - -static int X25519SharedSecret(WOLFSSL* ssl, curve25519_key* priv_key, - curve25519_key* pub_key, byte* pubKeyDer, word32* pubKeySz, - byte* out, word32* outlen, int side, void* ctx) -{ - int ret; - - (void)ssl; - (void)pubKeyDer; - (void)pubKeySz; - (void)side; - (void)ctx; - - WOLFSSL_ENTER("X25519SharedSecret"); - -#ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->X25519SharedSecretCb) { - curve25519_key* otherKey = NULL; - - ret = X25519GetKey(ssl, &otherKey); - if (ret == 0) { - ret = ssl->ctx->X25519SharedSecretCb(ssl, otherKey, pubKeyDer, - pubKeySz, out, outlen, side, ctx); - } - } - else -#endif - { - ret = wc_curve25519_shared_secret_ex(priv_key, pub_key, out, outlen, - EC25519_LITTLE_ENDIAN); - } - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &priv_key->asyncDev, - WC_ASYNC_FLAG_CALL_AGAIN); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("X25519SharedSecret", ret); - - return ret; -} - -static int X25519MakeKey(WOLFSSL* ssl, curve25519_key* key, - curve25519_key* peer) -{ - int ret = 0; - - (void)peer; - - WOLFSSL_ENTER("X25519MakeKey"); - - ret = wc_curve25519_make_key(ssl->rng, CURVE25519_KEYSIZE, key); - if (ret == 0) - ssl->ecdhCurveOID = ECC_X25519_OID; - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &key->asyncDev, WC_ASYNC_FLAG_NONE); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("X25519MakeKey", ret); - - return ret; -} -#endif /* HAVE_CURVE25519 */ -#endif /* HAVE_ECC */ -#endif /* !NO_CERTS */ - -#if !defined(NO_CERTS) || !defined(NO_PSK) -#if !defined(NO_DH) - -int DhGenKeyPair(WOLFSSL* ssl, DhKey* dhKey, - byte* priv, word32* privSz, - byte* pub, word32* pubSz) -{ - int ret; - - WOLFSSL_ENTER("DhGenKeyPair"); - - ret = wc_DhGenerateKeyPair(dhKey, ssl->rng, priv, privSz, pub, pubSz); - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &dhKey->asyncDev, WC_ASYNC_FLAG_NONE); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("DhGenKeyPair", ret); - - return ret; -} - -int DhAgree(WOLFSSL* ssl, DhKey* dhKey, - const byte* priv, word32 privSz, - const byte* otherPub, word32 otherPubSz, - byte* agree, word32* agreeSz) -{ - int ret; - - (void)ssl; - - WOLFSSL_ENTER("DhAgree"); - - ret = wc_DhAgree(dhKey, agree, agreeSz, priv, privSz, otherPub, otherPubSz); - - /* Handle async pending response */ -#if defined(WOLFSSL_ASYNC_CRYPT) - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &dhKey->asyncDev, WC_ASYNC_FLAG_NONE); - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - WOLFSSL_LEAVE("DhAgree", ret); - - return ret; -} -#endif /* !NO_DH */ -#endif /* !NO_CERTS || !NO_PSK */ - - -/* This function inherits a WOLFSSL_CTX's fields into an SSL object. - It is used during initialization and to switch an ssl's CTX with - wolfSSL_Set_SSL_CTX. Requires ssl->suites alloc and ssl-arrays with PSK - unless writeDup is on. - - ssl object to initialize - ctx parent factory - writeDup flag indicating this is a write dup only - - SSL_SUCCESS return value on success */ -int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) -{ - byte havePSK = 0; - byte haveAnon = 0; - byte newSSL; - byte haveRSA = 0; - (void) haveAnon; /* Squash unused var warnings */ - - if (!ssl || !ctx) - return BAD_FUNC_ARG; - - if (ssl->suites == NULL && !writeDup) - return BAD_FUNC_ARG; - - newSSL = ssl->ctx == NULL; /* Assign after null check */ - -#ifndef NO_PSK - if (ctx->server_hint[0] && ssl->arrays == NULL && !writeDup) { - return BAD_FUNC_ARG; /* needed for copy below */ - } -#endif - - -#ifndef NO_RSA - haveRSA = 1; -#endif -#ifndef NO_PSK - havePSK = ctx->havePSK; -#endif /* NO_PSK */ -#ifdef HAVE_ANON - haveAnon = ctx->haveAnon; -#endif /* HAVE_ANON*/ - - /* decrement previous CTX reference count if exists. - * This should only happen if switching ctxs!*/ - if (!newSSL) { - WOLFSSL_MSG("freeing old ctx to decrement reference count. Switching ctx."); - wolfSSL_CTX_free(ssl->ctx); - } - - /* increment CTX reference count */ - if (wc_LockMutex(&ctx->countMutex) != 0) { - WOLFSSL_MSG("Couldn't lock CTX count mutex"); - return BAD_MUTEX_E; - } - ctx->refCount++; - wc_UnLockMutex(&ctx->countMutex); - ssl->ctx = ctx; /* only for passing to calls, options could change */ - ssl->version = ctx->method->version; - -#ifdef HAVE_ECC - ssl->eccTempKeySz = ctx->eccTempKeySz; - ssl->pkCurveOID = ctx->pkCurveOID; - ssl->ecdhCurveOID = ctx->ecdhCurveOID; -#endif - -#ifdef OPENSSL_EXTRA - ssl->options.mask = ctx->mask; -#endif - ssl->timeout = ctx->timeout; - ssl->verifyCallback = ctx->verifyCallback; - ssl->options.side = ctx->method->side; - ssl->options.downgrade = ctx->method->downgrade; - ssl->options.minDowngrade = ctx->minDowngrade; - - ssl->options.haveDH = ctx->haveDH; - ssl->options.haveNTRU = ctx->haveNTRU; - ssl->options.haveECDSAsig = ctx->haveECDSAsig; - ssl->options.haveECC = ctx->haveECC; - ssl->options.haveStaticECC = ctx->haveStaticECC; - -#ifndef NO_PSK - ssl->options.havePSK = ctx->havePSK; - ssl->options.client_psk_cb = ctx->client_psk_cb; - ssl->options.server_psk_cb = ctx->server_psk_cb; -#endif /* NO_PSK */ - -#ifdef HAVE_ANON - ssl->options.haveAnon = ctx->haveAnon; -#endif -#ifndef NO_DH - ssl->options.minDhKeySz = ctx->minDhKeySz; -#endif -#ifndef NO_RSA - ssl->options.minRsaKeySz = ctx->minRsaKeySz; -#endif -#ifdef HAVE_ECC - ssl->options.minEccKeySz = ctx->minEccKeySz; -#endif - - ssl->options.sessionCacheOff = ctx->sessionCacheOff; - ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff; -#ifdef HAVE_EXT_CACHE - ssl->options.internalCacheOff = ctx->internalCacheOff; -#endif - - ssl->options.verifyPeer = ctx->verifyPeer; - ssl->options.verifyNone = ctx->verifyNone; - ssl->options.failNoCert = ctx->failNoCert; - ssl->options.failNoCertxPSK = ctx->failNoCertxPSK; - ssl->options.sendVerify = ctx->sendVerify; - - ssl->options.partialWrite = ctx->partialWrite; - ssl->options.quietShutdown = ctx->quietShutdown; - ssl->options.groupMessages = ctx->groupMessages; - -#ifndef NO_DH - ssl->buffers.serverDH_P = ctx->serverDH_P; - ssl->buffers.serverDH_G = ctx->serverDH_G; -#endif - -#ifndef NO_CERTS - /* ctx still owns certificate, certChain, key, dh, and cm */ - ssl->buffers.certificate = ctx->certificate; - ssl->buffers.certChain = ctx->certChain; -#ifdef WOLFSSL_TLS13 - ssl->buffers.certChainCnt = ctx->certChainCnt; -#endif - ssl->buffers.key = ctx->privateKey; -#endif - -#ifdef WOLFSSL_ASYNC_CRYPT - ssl->devId = ctx->devId; -#endif - - if (writeDup == 0) { - -#ifndef NO_PSK - if (ctx->server_hint[0]) { /* set in CTX */ - XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint, - sizeof(ssl->arrays->server_hint)); - ssl->arrays->server_hint[MAX_PSK_ID_LEN] = '\0'; /* null term */ - } -#endif /* NO_PSK */ - - if (ctx->suites) - *ssl->suites = *ctx->suites; - else - XMEMSET(ssl->suites, 0, sizeof(Suites)); - - /* make sure server has DH parms, and add PSK if there, add NTRU too */ - if (ssl->options.side == WOLFSSL_SERVER_END) - InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); - else - InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, TRUE, - ssl->options.haveNTRU, ssl->options.haveECDSAsig, - ssl->options.haveECC, ssl->options.haveStaticECC, - ssl->options.side); - -#if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT) - /* make sure server has cert and key unless using PSK or Anon - * This should be true even if just switching ssl ctx */ - if (ssl->options.side == WOLFSSL_SERVER_END && !havePSK && !haveAnon) - if (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer - || !ssl->buffers.key || !ssl->buffers.key->buffer) { - WOLFSSL_MSG("Server missing certificate and/or private key"); - return NO_PRIVATE_KEY; - } -#endif - - } /* writeDup check */ - -#ifdef WOLFSSL_SESSION_EXPORT - #ifdef WOLFSSL_DTLS - ssl->dtls_export = ctx->dtls_export; /* export function for session */ - #endif -#endif - -#ifdef OPENSSL_EXTRA - ssl->readAhead = ctx->readAhead; -#endif - - return SSL_SUCCESS; -} - -int InitHandshakeHashes(WOLFSSL* ssl) -{ - int ret; - - /* make sure existing handshake hashes are free'd */ - if (ssl->hsHashes != NULL) { - FreeHandshakeHashes(ssl); - } - - /* allocate handshake hashes */ - ssl->hsHashes = (HS_Hashes*)XMALLOC(sizeof(HS_Hashes), ssl->heap, - DYNAMIC_TYPE_HASHES); - if (ssl->hsHashes == NULL) { - WOLFSSL_MSG("HS_Hashes Memory error"); - return MEMORY_E; - } - XMEMSET(ssl->hsHashes, 0, sizeof(HS_Hashes)); - -#ifndef NO_OLD_TLS -#ifndef NO_MD5 - ret = wc_InitMd5_ex(&ssl->hsHashes->hashMd5, ssl->heap, ssl->devId); - if (ret != 0) - return ret; -#endif -#ifndef NO_SHA - ret = wc_InitSha_ex(&ssl->hsHashes->hashSha, ssl->heap, ssl->devId); - if (ret != 0) - return ret; -#endif -#endif /* !NO_OLD_TLS */ -#ifndef NO_SHA256 - ret = wc_InitSha256_ex(&ssl->hsHashes->hashSha256, ssl->heap, ssl->devId); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA384 - ret = wc_InitSha384_ex(&ssl->hsHashes->hashSha384, ssl->heap, ssl->devId); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA512 - ret = wc_InitSha512_ex(&ssl->hsHashes->hashSha512, ssl->heap, ssl->devId); - if (ret != 0) - return ret; -#endif - - return ret; -} - -void FreeHandshakeHashes(WOLFSSL* ssl) -{ - if (ssl->hsHashes) { -#ifndef NO_OLD_TLS - #ifndef NO_MD5 - wc_Md5Free(&ssl->hsHashes->hashMd5); - #endif - #ifndef NO_SHA - wc_ShaFree(&ssl->hsHashes->hashSha); - #endif -#endif /* !NO_OLD_TLS */ - #ifndef NO_SHA256 - wc_Sha256Free(&ssl->hsHashes->hashSha256); - #endif - #ifdef WOLFSSL_SHA384 - wc_Sha384Free(&ssl->hsHashes->hashSha384); - #endif - #ifdef WOLFSSL_SHA512 - wc_Sha512Free(&ssl->hsHashes->hashSha512); - #endif - - XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES); - ssl->hsHashes = NULL; - } -} - - -/* init everything to 0, NULL, default values before calling anything that may - fail so that destructor has a "good" state to cleanup - - ssl object to initialize - ctx parent factory - writeDup flag indicating this is a write dup only - - 0 on success */ -int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) -{ - int ret; - - XMEMSET(ssl, 0, sizeof(WOLFSSL)); - -#if defined(WOLFSSL_STATIC_MEMORY) - if (ctx->heap != NULL) { - WOLFSSL_HEAP_HINT* ssl_hint; - WOLFSSL_HEAP_HINT* ctx_hint; - - /* avoid derefrencing a test value */ - #ifdef WOLFSSL_HEAP_TEST - if (ctx->heap == (void*)WOLFSSL_HEAP_TEST) { - ssl->heap = ctx->heap; - } - else { - #endif - ssl->heap = (WOLFSSL_HEAP_HINT*)XMALLOC(sizeof(WOLFSSL_HEAP_HINT), - ctx->heap, DYNAMIC_TYPE_SSL); - if (ssl->heap == NULL) { - return MEMORY_E; - } - XMEMSET(ssl->heap, 0, sizeof(WOLFSSL_HEAP_HINT)); - ssl_hint = ((WOLFSSL_HEAP_HINT*)(ssl->heap)); - ctx_hint = ((WOLFSSL_HEAP_HINT*)(ctx->heap)); - - /* lock and check IO count / handshake count */ - if (wc_LockMutex(&(ctx_hint->memory->memory_mutex)) != 0) { - WOLFSSL_MSG("Bad memory_mutex lock"); - XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL); - ssl->heap = NULL; /* free and set to NULL for IO counter */ - return BAD_MUTEX_E; - } - if (ctx_hint->memory->maxHa > 0 && - ctx_hint->memory->maxHa <= ctx_hint->memory->curHa) { - WOLFSSL_MSG("At max number of handshakes for static memory"); - wc_UnLockMutex(&(ctx_hint->memory->memory_mutex)); - XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL); - ssl->heap = NULL; /* free and set to NULL for IO counter */ - return MEMORY_E; - } - - if (ctx_hint->memory->maxIO > 0 && - ctx_hint->memory->maxIO <= ctx_hint->memory->curIO) { - WOLFSSL_MSG("At max number of IO allowed for static memory"); - wc_UnLockMutex(&(ctx_hint->memory->memory_mutex)); - XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL); - ssl->heap = NULL; /* free and set to NULL for IO counter */ - return MEMORY_E; - } - ctx_hint->memory->curIO++; - ctx_hint->memory->curHa++; - ssl_hint->memory = ctx_hint->memory; - ssl_hint->haFlag = 1; - wc_UnLockMutex(&(ctx_hint->memory->memory_mutex)); - - /* check if tracking stats */ - if (ctx_hint->memory->flag & WOLFMEM_TRACK_STATS) { - ssl_hint->stats = (WOLFSSL_MEM_CONN_STATS*)XMALLOC( - sizeof(WOLFSSL_MEM_CONN_STATS), ctx->heap, DYNAMIC_TYPE_SSL); - if (ssl_hint->stats == NULL) { - return MEMORY_E; - } - XMEMSET(ssl_hint->stats, 0, sizeof(WOLFSSL_MEM_CONN_STATS)); - } - - /* check if using fixed IO buffers */ - if (ctx_hint->memory->flag & WOLFMEM_IO_POOL_FIXED) { - if (wc_LockMutex(&(ctx_hint->memory->memory_mutex)) != 0) { - WOLFSSL_MSG("Bad memory_mutex lock"); - return BAD_MUTEX_E; - } - if (SetFixedIO(ctx_hint->memory, &(ssl_hint->inBuf)) != 1) { - wc_UnLockMutex(&(ctx_hint->memory->memory_mutex)); - return MEMORY_E; - } - if (SetFixedIO(ctx_hint->memory, &(ssl_hint->outBuf)) != 1) { - wc_UnLockMutex(&(ctx_hint->memory->memory_mutex)); - return MEMORY_E; - } - if (ssl_hint->outBuf == NULL || ssl_hint->inBuf == NULL) { - WOLFSSL_MSG("Not enough memory to create fixed IO buffers"); - wc_UnLockMutex(&(ctx_hint->memory->memory_mutex)); - return MEMORY_E; - } - wc_UnLockMutex(&(ctx_hint->memory->memory_mutex)); - } - #ifdef WOLFSSL_HEAP_TEST - } - #endif - } - else { - ssl->heap = ctx->heap; - } -#else - ssl->heap = ctx->heap; /* carry over user heap without static memory */ -#endif /* WOLFSSL_STATIC_MEMORY */ - - ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer; - ssl->buffers.inputBuffer.bufferSize = STATIC_BUFFER_LEN; - - ssl->buffers.outputBuffer.buffer = ssl->buffers.outputBuffer.staticBuffer; - ssl->buffers.outputBuffer.bufferSize = STATIC_BUFFER_LEN; - -#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS) - InitX509(&ssl->peerCert, 0, ssl->heap); -#endif - - ssl->rfd = -1; /* set to invalid descriptor */ - ssl->wfd = -1; - ssl->devId = ctx->devId; /* device for async HW (from wolfAsync_DevOpen) */ - - ssl->IOCB_ReadCtx = &ssl->rfd; /* prevent invalid pointer access if not */ - ssl->IOCB_WriteCtx = &ssl->wfd; /* correctly set */ - -#ifdef HAVE_NETX - ssl->IOCB_ReadCtx = &ssl->nxCtx; /* default NetX IO ctx, same for read */ - ssl->IOCB_WriteCtx = &ssl->nxCtx; /* and write */ -#endif - - /* initialize states */ - ssl->options.serverState = NULL_STATE; - ssl->options.clientState = NULL_STATE; - ssl->options.connectState = CONNECT_BEGIN; - ssl->options.acceptState = ACCEPT_BEGIN; - ssl->options.handShakeState = NULL_STATE; - ssl->options.processReply = doProcessInit; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - ssl->options.buildMsgState = BUILD_MSG_BEGIN; - ssl->encrypt.state = CIPHER_STATE_BEGIN; - ssl->decrypt.state = CIPHER_STATE_BEGIN; - -#ifdef WOLFSSL_DTLS - #ifdef WOLFSSL_SCTP - ssl->options.dtlsSctp = ctx->dtlsSctp; - ssl->dtlsMtuSz = ctx->dtlsMtuSz; - ssl->dtls_expected_rx = ssl->dtlsMtuSz; - #else - ssl->dtls_expected_rx = MAX_MTU; - #endif - ssl->dtls_timeout_init = DTLS_TIMEOUT_INIT; - ssl->dtls_timeout_max = DTLS_TIMEOUT_MAX; - ssl->dtls_timeout = ssl->dtls_timeout_init; - ssl->buffers.dtlsCtx.rfd = -1; - ssl->buffers.dtlsCtx.wfd = -1; -#endif - - #ifndef NO_OLD_TLS - ssl->hmac = SSL_hmac; /* default to SSLv3 */ - #else - ssl->hmac = TLS_hmac; - #endif - - - ssl->cipher.ssl = ssl; - -#ifdef HAVE_EXTENDED_MASTER - ssl->options.haveEMS = ctx->haveEMS; -#endif - ssl->options.useClientOrder = ctx->useClientOrder; - -#ifdef WOLFSSL_TLS13 -#ifdef HAVE_SESSION_TICKET - ssl->options.noTicketTls13 = ctx->noTicketTls13; -#endif - ssl->options.noPskDheKe = ctx->noPskDheKe; -#endif - -#ifdef HAVE_TLS_EXTENSIONS -#ifdef HAVE_MAX_FRAGMENT - ssl->max_fragment = MAX_RECORD_SIZE; -#endif -#ifdef HAVE_ALPN - ssl->alpn_client_list = NULL; - #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - ssl->alpnSelect = ctx->alpnSelect; - ssl->alpnSelectArg = ctx->alpnSelectArg; - #endif -#endif -#ifdef HAVE_SUPPORTED_CURVES - ssl->options.userCurves = ctx->userCurves; -#endif -#endif /* HAVE_TLS_EXTENSIONS */ - - /* default alert state (none) */ - ssl->alert_history.last_rx.code = -1; - ssl->alert_history.last_rx.level = -1; - ssl->alert_history.last_tx.code = -1; - ssl->alert_history.last_tx.level = -1; - - InitCiphers(ssl); - InitCipherSpecs(&ssl->specs); - - /* all done with init, now can return errors, call other stuff */ - - if (!writeDup) { - /* arrays */ - ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap, - DYNAMIC_TYPE_ARRAYS); - if (ssl->arrays == NULL) { - WOLFSSL_MSG("Arrays Memory error"); - return MEMORY_E; - } - XMEMSET(ssl->arrays, 0, sizeof(Arrays)); - ssl->arrays->preMasterSecret = (byte*)XMALLOC(ENCRYPT_LEN, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->arrays->preMasterSecret == NULL) { - return MEMORY_E; - } - XMEMSET(ssl->arrays->preMasterSecret, 0, ENCRYPT_LEN); - - /* suites */ - ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap, - DYNAMIC_TYPE_SUITES); - if (ssl->suites == NULL) { - WOLFSSL_MSG("Suites Memory error"); - return MEMORY_E; - } - } - - /* Initialize SSL with the appropriate fields from it's ctx */ - /* requires valid arrays and suites unless writeDup ing */ - if ((ret = SetSSL_CTX(ssl, ctx, writeDup)) != SSL_SUCCESS) - return ret; - - ssl->options.dtls = ssl->version.major == DTLS_MAJOR; - -#ifdef SINGLE_THREADED - ssl->rng = ctx->rng; /* CTX may have one, if so use it */ -#endif - - if (ssl->rng == NULL) { - /* RNG */ - ssl->rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), ssl->heap,DYNAMIC_TYPE_RNG); - if (ssl->rng == NULL) { - WOLFSSL_MSG("RNG Memory error"); - return MEMORY_E; - } - XMEMSET(ssl->rng, 0, sizeof(WC_RNG)); - ssl->options.weOwnRng = 1; - - /* FIPS RNG API does not accept a heap hint */ -#ifndef HAVE_FIPS - if ( (ret = wc_InitRng_ex(ssl->rng, ssl->heap, ssl->devId)) != 0) { - WOLFSSL_MSG("RNG Init error"); - return ret; - } -#else - if ( (ret = wc_InitRng(ssl->rng)) != 0) { - WOLFSSL_MSG("RNG Init error"); - return ret; - } -#endif - } - - if (writeDup) { - /* all done */ - return 0; - } - - /* hsHashes */ - ret = InitHandshakeHashes(ssl); - if (ret != 0) - return ret; - -#if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_SERVER) - if (ssl->options.dtls && ssl->options.side == WOLFSSL_SERVER_END) { - ret = wolfSSL_DTLS_SetCookieSecret(ssl, NULL, 0); - if (ret != 0) { - WOLFSSL_MSG("DTLS Cookie Secret error"); - return ret; - } - } -#endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */ - -#ifdef HAVE_SECRET_CALLBACK - ssl->sessionSecretCb = NULL; - ssl->sessionSecretCtx = NULL; -#endif - -#ifdef HAVE_SESSION_TICKET - ssl->session.ticket = ssl->session.staticTicket; -#endif - return 0; -} - - -/* free use of temporary arrays */ -void FreeArrays(WOLFSSL* ssl, int keep) -{ - if (ssl->arrays) { - if (keep) { - /* keeps session id for user retrieval */ - XMEMCPY(ssl->session.sessionID, ssl->arrays->sessionID, ID_LEN); - ssl->session.sessionIDSz = ssl->arrays->sessionIDSz; - } - if (ssl->arrays->preMasterSecret) { - XFREE(ssl->arrays->preMasterSecret, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - ssl->arrays->preMasterSecret = NULL; - } - XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS); - ssl->arrays->pendingMsg = NULL; - ForceZero(ssl->arrays, sizeof(Arrays)); /* clear arrays struct */ - } - XFREE(ssl->arrays, ssl->heap, DYNAMIC_TYPE_ARRAYS); - ssl->arrays = NULL; -} - -void FreeKey(WOLFSSL* ssl, int type, void** pKey) -{ - if (ssl && pKey && *pKey) { - switch (type) { - #ifndef NO_RSA - case DYNAMIC_TYPE_RSA: - wc_FreeRsaKey((RsaKey*)*pKey); - break; - #endif /* ! NO_RSA */ - #ifdef HAVE_ECC - case DYNAMIC_TYPE_ECC: - wc_ecc_free((ecc_key*)*pKey); - break; - #endif /* HAVE_ECC */ - #ifdef HAVE_CURVE25519 - case DYNAMIC_TYPE_CURVE25519: - wc_curve25519_free((curve25519_key*)*pKey); - break; - #endif /* HAVE_CURVE25519 */ - #ifndef NO_DH - case DYNAMIC_TYPE_DH: - wc_FreeDhKey((DhKey*)*pKey); - break; - #endif /* !NO_DH */ - default: - break; - } - XFREE(*pKey, ssl->heap, type); - - /* Reset pointer */ - *pKey = NULL; - } -} - -int AllocKey(WOLFSSL* ssl, int type, void** pKey) -{ - int ret = BAD_FUNC_ARG; - int sz = 0; - - if (ssl == NULL || pKey == NULL) { - return BAD_FUNC_ARG; - } - - /* Sanity check key destination */ - if (*pKey != NULL) { - WOLFSSL_MSG("Key already present!"); - return BAD_STATE_E; - } - - /* Determine size */ - switch (type) { - #ifndef NO_RSA - case DYNAMIC_TYPE_RSA: - sz = sizeof(RsaKey); - break; - #endif /* ! NO_RSA */ - #ifdef HAVE_ECC - case DYNAMIC_TYPE_ECC: - sz = sizeof(ecc_key); - break; - #endif /* HAVE_ECC */ - #ifdef HAVE_CURVE25519 - case DYNAMIC_TYPE_CURVE25519: - sz = sizeof(curve25519_key); - break; - #endif /* HAVE_CURVE25519 */ - #ifndef NO_DH - case DYNAMIC_TYPE_DH: - sz = sizeof(DhKey); - break; - #endif /* !NO_DH */ - default: - return BAD_FUNC_ARG; - } - - if (sz == 0) { - return NOT_COMPILED_IN; - } - - /* Allocate memeory for key */ - *pKey = XMALLOC(sz, ssl->heap, type); - if (*pKey == NULL) { - return MEMORY_E; - } - - /* Initialize key */ - switch (type) { - #ifndef NO_RSA - case DYNAMIC_TYPE_RSA: - ret = wc_InitRsaKey_ex((RsaKey*)*pKey, ssl->heap, ssl->devId); - break; - #endif /* ! NO_RSA */ - #ifdef HAVE_ECC - case DYNAMIC_TYPE_ECC: - ret = wc_ecc_init_ex((ecc_key*)*pKey, ssl->heap, ssl->devId); - break; - #endif /* HAVE_ECC */ - #ifdef HAVE_CURVE25519 - case DYNAMIC_TYPE_CURVE25519: - wc_curve25519_init((curve25519_key*)*pKey); - ret = 0; - break; - #endif /* HAVE_CURVE25519 */ - #ifndef NO_DH - case DYNAMIC_TYPE_DH: - ret = wc_InitDhKey_ex((DhKey*)*pKey, ssl->heap, ssl->devId); - break; - #endif /* !NO_DH */ - default: - return BAD_FUNC_ARG; - } - - /* On error free handshake key */ - if (ret != 0) { - FreeKey(ssl, type, pKey); - } - - return ret; -} - -#if !defined(NO_RSA) || defined(HAVE_ECC) -static int ReuseKey(WOLFSSL* ssl, int type, void* pKey) -{ - int ret = 0; - - switch (type) { - #ifndef NO_RSA - case DYNAMIC_TYPE_RSA: - wc_FreeRsaKey((RsaKey*)pKey); - ret = wc_InitRsaKey_ex((RsaKey*)pKey, ssl->heap, ssl->devId); - break; - #endif /* ! NO_RSA */ - #ifdef HAVE_ECC - case DYNAMIC_TYPE_ECC: - wc_ecc_free((ecc_key*)pKey); - ret = wc_ecc_init_ex((ecc_key*)pKey, ssl->heap, ssl->devId); - break; - #endif /* HAVE_ECC */ - #ifdef HAVE_CURVE25519 - case DYNAMIC_TYPE_CURVE25519: - wc_curve25519_free((curve25519_key*)pKey); - wc_curve25519_init((curve25519_key*)pKey); - break; - #endif /* HAVE_CURVE25519 */ - #ifndef NO_DH - case DYNAMIC_TYPE_DH: - wc_FreeDhKey((DhKey*)pKey); - ret = wc_InitDhKey_ex((DhKey*)pKey, ssl->heap, ssl->devId); - break; - #endif /* !NO_DH */ - default: - return BAD_FUNC_ARG; - } - - return ret; -} -#endif - -void FreeKeyExchange(WOLFSSL* ssl) -{ - /* Cleanup signature buffer */ - if (ssl->buffers.sig.buffer) { - XFREE(ssl->buffers.sig.buffer, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - ssl->buffers.sig.buffer = NULL; - ssl->buffers.sig.length = 0; - } - - /* Cleanup digest buffer */ - if (ssl->buffers.digest.buffer) { - XFREE(ssl->buffers.digest.buffer, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - ssl->buffers.digest.buffer = NULL; - ssl->buffers.digest.length = 0; - } - - /* Free handshake key */ - FreeKey(ssl, ssl->hsType, &ssl->hsKey); - -#ifndef NO_DH - /* Free temp DH key */ - FreeKey(ssl, DYNAMIC_TYPE_DH, (void**)&ssl->buffers.serverDH_Key); -#endif - - /* Cleanup async */ -#ifdef WOLFSSL_ASYNC_CRYPT - if (ssl->async.freeArgs) { - ssl->async.freeArgs(ssl, ssl->async.args); - ssl->async.freeArgs = NULL; - } -#endif -} - -/* In case holding SSL object in array and don't want to free actual ssl */ -void SSL_ResourceFree(WOLFSSL* ssl) -{ - /* Note: any resources used during the handshake should be released in the - * function FreeHandshakeResources(). Be careful with the special cases - * like the RNG which may optionally be kept for the whole session. (For - * example with the RNG, it isn't used beyond the handshake except when - * using stream ciphers where it is retained. */ - - FreeCiphers(ssl); - FreeArrays(ssl, 0); - FreeKeyExchange(ssl); - if (ssl->options.weOwnRng) { - wc_FreeRng(ssl->rng); - XFREE(ssl->rng, ssl->heap, DYNAMIC_TYPE_RNG); - } - XFREE(ssl->suites, ssl->heap, DYNAMIC_TYPE_SUITES); - FreeHandshakeHashes(ssl); - XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN); - - /* clear keys struct after session */ - ForceZero(&ssl->keys, sizeof(Keys)); - -#ifndef NO_DH - if (ssl->buffers.serverDH_Priv.buffer) { - ForceZero(ssl->buffers.serverDH_Priv.buffer, - ssl->buffers.serverDH_Priv.length); - } - XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - /* parameters (p,g) may be owned by ctx */ - if (ssl->buffers.weOwnDH || ssl->options.side == WOLFSSL_CLIENT_END) { - XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - } -#endif /* !NO_DH */ -#ifndef NO_CERTS - ssl->keepCert = 0; /* make sure certificate is free'd */ - wolfSSL_UnloadCertsKeys(ssl); -#endif -#ifndef NO_RSA - FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey); - ssl->peerRsaKeyPresent = 0; -#endif - if (ssl->buffers.inputBuffer.dynamicFlag) - ShrinkInputBuffer(ssl, FORCED_FREE); - if (ssl->buffers.outputBuffer.dynamicFlag) - ShrinkOutputBuffer(ssl); -#ifdef WOLFSSL_DTLS - DtlsMsgPoolReset(ssl); - if (ssl->dtls_rx_msg_list != NULL) { - DtlsMsgListDelete(ssl->dtls_rx_msg_list, ssl->heap); - ssl->dtls_rx_msg_list = NULL; - ssl->dtls_rx_msg_list_sz = 0; - } - XFREE(ssl->buffers.dtlsCtx.peer.sa, ssl->heap, DYNAMIC_TYPE_SOCKADDR); - ssl->buffers.dtlsCtx.peer.sa = NULL; -#ifndef NO_WOLFSSL_SERVER - XFREE(ssl->buffers.dtlsCookieSecret.buffer, ssl->heap, - DYNAMIC_TYPE_COOKIE_PWD); -#endif -#endif /* WOLFSSL_DTLS */ -#if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS) - if (ssl->biord != ssl->biowr) /* only free write if different */ - wolfSSL_BIO_free(ssl->biowr); - wolfSSL_BIO_free(ssl->biord); /* always free read bio */ -#endif -#ifdef HAVE_LIBZ - FreeStreams(ssl); -#endif -#ifdef HAVE_ECC - FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccKey); - ssl->peerEccKeyPresent = 0; - FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey); - ssl->peerEccDsaKeyPresent = 0; -#ifdef HAVE_CURVE25519 - if (!ssl->peerX25519KeyPresent) -#endif /* HAVE_CURVE25519 */ - { - FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->eccTempKey); - ssl->eccTempKeyPresent = 0; - } -#ifdef HAVE_CURVE25519 - else { - FreeKey(ssl, DYNAMIC_TYPE_CURVE25519, (void**)&ssl->eccTempKey); - ssl->eccTempKeyPresent = 0; - } - FreeKey(ssl, DYNAMIC_TYPE_CURVE25519, (void**)&ssl->peerX25519Key); - ssl->peerX25519KeyPresent = 0; -#endif -#endif /* HAVE_ECC */ -#ifdef HAVE_PK_CALLBACKS - #ifdef HAVE_ECC - XFREE(ssl->buffers.peerEccDsaKey.buffer, ssl->heap, DYNAMIC_TYPE_ECC); - #endif /* HAVE_ECC */ - #ifndef NO_RSA - XFREE(ssl->buffers.peerRsaKey.buffer, ssl->heap, DYNAMIC_TYPE_RSA); - #endif /* NO_RSA */ -#endif /* HAVE_PK_CALLBACKS */ -#ifdef HAVE_TLS_EXTENSIONS - TLSX_FreeAll(ssl->extensions, ssl->heap); - -#ifdef HAVE_ALPN - if (ssl->alpn_client_list != NULL) { - XFREE(ssl->alpn_client_list, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - ssl->alpn_client_list = NULL; - } -#endif -#endif /* HAVE_TLS_EXTENSIONS */ -#ifdef HAVE_NETX - if (ssl->nxCtx.nxPacket) - nx_packet_release(ssl->nxCtx.nxPacket); -#endif -#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS) - FreeX509(&ssl->peerCert); -#endif - -#ifdef HAVE_SESSION_TICKET - if (ssl->session.isDynamic) { - XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - ssl->session.ticket = ssl->session.staticTicket; - ssl->session.isDynamic = 0; - ssl->session.ticketLen = 0; - } -#endif -#ifdef HAVE_EXT_CACHE - wolfSSL_SESSION_free(ssl->extSession); -#endif -#ifdef HAVE_WRITE_DUP - if (ssl->dupWrite) { - FreeWriteDup(ssl); - } -#endif - -#ifdef WOLFSSL_STATIC_MEMORY - /* check if using fixed io buffers and free them */ - if (ssl->heap != NULL) { - #ifdef WOLFSSL_HEAP_TEST - /* avoid dereferencing a test value */ - if (ssl->heap != (void*)WOLFSSL_HEAP_TEST) { - #endif - WOLFSSL_HEAP_HINT* ssl_hint = (WOLFSSL_HEAP_HINT*)ssl->heap; - WOLFSSL_HEAP* ctx_heap; - - ctx_heap = ssl_hint->memory; - if (wc_LockMutex(&(ctx_heap->memory_mutex)) != 0) { - WOLFSSL_MSG("Bad memory_mutex lock"); - } - ctx_heap->curIO--; - if (FreeFixedIO(ctx_heap, &(ssl_hint->outBuf)) != 1) { - WOLFSSL_MSG("Error freeing fixed output buffer"); - } - if (FreeFixedIO(ctx_heap, &(ssl_hint->inBuf)) != 1) { - WOLFSSL_MSG("Error freeing fixed output buffer"); - } - if (ssl_hint->haFlag) { /* check if handshake count has been decreased*/ - ctx_heap->curHa--; - } - wc_UnLockMutex(&(ctx_heap->memory_mutex)); - - /* check if tracking stats */ - if (ctx_heap->flag & WOLFMEM_TRACK_STATS) { - XFREE(ssl_hint->stats, ssl->ctx->heap, DYNAMIC_TYPE_SSL); - } - XFREE(ssl->heap, ssl->ctx->heap, DYNAMIC_TYPE_SSL); - #ifdef WOLFSSL_HEAP_TEST - } - #endif - } -#endif /* WOLFSSL_STATIC_MEMORY */ -} - -/* Free any handshake resources no longer needed */ -void FreeHandshakeResources(WOLFSSL* ssl) -{ - -#ifdef HAVE_SECURE_RENEGOTIATION - if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) { - WOLFSSL_MSG("Secure Renegotiation needs to retain handshake resources"); - return; - } -#endif - - /* input buffer */ - if (ssl->buffers.inputBuffer.dynamicFlag) - ShrinkInputBuffer(ssl, NO_FORCED_FREE); - - /* suites */ - XFREE(ssl->suites, ssl->heap, DYNAMIC_TYPE_SUITES); - ssl->suites = NULL; - - /* hsHashes */ - FreeHandshakeHashes(ssl); - - /* RNG */ - if (ssl->specs.cipher_type == stream || ssl->options.tls1_1 == 0) { - if (ssl->options.weOwnRng) { - wc_FreeRng(ssl->rng); - XFREE(ssl->rng, ssl->heap, DYNAMIC_TYPE_RNG); - ssl->rng = NULL; - ssl->options.weOwnRng = 0; - } - } - -#ifdef WOLFSSL_DTLS - /* DTLS_POOL */ - if (ssl->options.dtls) { - DtlsMsgPoolReset(ssl); - DtlsMsgListDelete(ssl->dtls_rx_msg_list, ssl->heap); - ssl->dtls_rx_msg_list = NULL; - ssl->dtls_rx_msg_list_sz = 0; - } -#endif - - /* arrays */ - if (ssl->options.saveArrays == 0) - FreeArrays(ssl, 1); - -#ifndef NO_RSA - /* peerRsaKey */ - FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey); - ssl->peerRsaKeyPresent = 0; -#endif - -#ifdef HAVE_ECC - FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccKey); - ssl->peerEccKeyPresent = 0; - FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey); - ssl->peerEccDsaKeyPresent = 0; -#ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID != ECC_X25519_OID) -#endif /* HAVE_CURVE25519 */ - { - FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->eccTempKey); - ssl->eccTempKeyPresent = 0; - } -#ifdef HAVE_CURVE25519 - else { - FreeKey(ssl, DYNAMIC_TYPE_CURVE25519, (void**)&ssl->eccTempKey); - ssl->eccTempKeyPresent = 0; - } - FreeKey(ssl, DYNAMIC_TYPE_CURVE25519, (void**)&ssl->peerX25519Key); - ssl->peerX25519KeyPresent = 0; -#endif /* HAVE_CURVE25519 */ -#endif /* HAVE_ECC */ -#ifndef NO_DH - if (ssl->buffers.serverDH_Priv.buffer) { - ForceZero(ssl->buffers.serverDH_Priv.buffer, - ssl->buffers.serverDH_Priv.length); - } - XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - ssl->buffers.serverDH_Priv.buffer = NULL; - XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - ssl->buffers.serverDH_Pub.buffer = NULL; - /* parameters (p,g) may be owned by ctx */ - if (ssl->buffers.weOwnDH || ssl->options.side == WOLFSSL_CLIENT_END) { - XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - ssl->buffers.serverDH_G.buffer = NULL; - XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - ssl->buffers.serverDH_P.buffer = NULL; - } -#endif /* !NO_DH */ -#ifndef NO_CERTS - wolfSSL_UnloadCertsKeys(ssl); -#endif -#ifdef HAVE_PK_CALLBACKS - #ifdef HAVE_ECC - XFREE(ssl->buffers.peerEccDsaKey.buffer, ssl->heap, DYNAMIC_TYPE_ECC); - ssl->buffers.peerEccDsaKey.buffer = NULL; - #endif /* HAVE_ECC */ - #ifndef NO_RSA - XFREE(ssl->buffers.peerRsaKey.buffer, ssl->heap, DYNAMIC_TYPE_RSA); - ssl->buffers.peerRsaKey.buffer = NULL; - #endif /* NO_RSA */ -#endif /* HAVE_PK_CALLBACKS */ - -#ifdef HAVE_QSH - QSH_FreeAll(ssl); -#endif - -#ifdef HAVE_SESSION_TICKET - if (ssl->session.isDynamic) { - XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - ssl->session.ticket = ssl->session.staticTicket; - ssl->session.isDynamic = 0; - ssl->session.ticketLen = 0; - } -#endif - -#ifdef WOLFSSL_STATIC_MEMORY - /* when done with handshake decrement current handshake count */ - if (ssl->heap != NULL) { - #ifdef WOLFSSL_HEAP_TEST - /* avoid dereferencing a test value */ - if (ssl->heap != (void*)WOLFSSL_HEAP_TEST) { - #endif - WOLFSSL_HEAP_HINT* ssl_hint = (WOLFSSL_HEAP_HINT*)ssl->heap; - WOLFSSL_HEAP* ctx_heap; - - ctx_heap = ssl_hint->memory; - if (wc_LockMutex(&(ctx_heap->memory_mutex)) != 0) { - WOLFSSL_MSG("Bad memory_mutex lock"); - } - ctx_heap->curHa--; - ssl_hint->haFlag = 0; /* set to zero since handshake has been dec */ - wc_UnLockMutex(&(ctx_heap->memory_mutex)); - #ifdef WOLFSSL_HEAP_TEST - } - #endif - } -#endif /* WOLFSSL_STATIC_MEMORY */ -} - - -/* heap argument is the heap hint used when creating SSL */ -void FreeSSL(WOLFSSL* ssl, void* heap) -{ - if (ssl->ctx) { - FreeSSL_Ctx(ssl->ctx); /* will decrement and free underyling CTX if 0 */ - } - SSL_ResourceFree(ssl); - XFREE(ssl, heap, DYNAMIC_TYPE_SSL); - (void)heap; -} - - -#if !defined(NO_OLD_TLS) || defined(HAVE_CHACHA) || defined(HAVE_AESCCM) \ - || defined(HAVE_AESGCM) || defined(WOLFSSL_DTLS) -static INLINE void GetSEQIncrement(WOLFSSL* ssl, int verify, word32 seq[2]) -{ - if (verify) { - seq[0] = ssl->keys.peer_sequence_number_hi; - seq[1] = ssl->keys.peer_sequence_number_lo++; - if (seq[1] > ssl->keys.peer_sequence_number_lo) { - /* handle rollover */ - ssl->keys.peer_sequence_number_hi++; - } - } - else { - seq[0] = ssl->keys.sequence_number_hi; - seq[1] = ssl->keys.sequence_number_lo++; - if (seq[1] > ssl->keys.sequence_number_lo) { - /* handle rollover */ - ssl->keys.sequence_number_hi++; - } - } -} - - -#ifdef WOLFSSL_DTLS -static INLINE void DtlsGetSEQ(WOLFSSL* ssl, int order, word32 seq[2]) -{ - if (order == PREV_ORDER) { - /* Previous epoch case */ - seq[0] = ((ssl->keys.dtls_epoch - 1) << 16) | - (ssl->keys.dtls_prev_sequence_number_hi & 0xFFFF); - seq[1] = ssl->keys.dtls_prev_sequence_number_lo; - } - else if (order == PEER_ORDER) { - seq[0] = (ssl->keys.curEpoch << 16) | - (ssl->keys.curSeq_hi & 0xFFFF); - seq[1] = ssl->keys.curSeq_lo; /* explicit from peer */ - } - else { - seq[0] = (ssl->keys.dtls_epoch << 16) | - (ssl->keys.dtls_sequence_number_hi & 0xFFFF); - seq[1] = ssl->keys.dtls_sequence_number_lo; - } -} - -static INLINE void DtlsSEQIncrement(WOLFSSL* ssl, int order) -{ - word32 seq; - - if (order == PREV_ORDER) { - seq = ssl->keys.dtls_prev_sequence_number_lo++; - if (seq > ssl->keys.dtls_prev_sequence_number_lo) { - /* handle rollover */ - ssl->keys.dtls_prev_sequence_number_hi++; - } - } - else if (order == PEER_ORDER) { - seq = ssl->keys.peer_sequence_number_lo++; - if (seq > ssl->keys.peer_sequence_number_lo) { - /* handle rollover */ - ssl->keys.peer_sequence_number_hi++; - } - } - else { - seq = ssl->keys.dtls_sequence_number_lo++; - if (seq > ssl->keys.dtls_sequence_number_lo) { - /* handle rollover */ - ssl->keys.dtls_sequence_number_hi++; - } - } -} -#endif /* WOLFSSL_DTLS */ - - -static INLINE void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out) -{ - word32 seq[2] = {0, 0}; - - if (!ssl->options.dtls) { - GetSEQIncrement(ssl, verifyOrder, seq); - } - else { -#ifdef WOLFSSL_DTLS - DtlsGetSEQ(ssl, verifyOrder, seq); -#endif - } - - c32toa(seq[0], out); - c32toa(seq[1], out + OPAQUE32_LEN); -} -#endif - - -#ifdef WOLFSSL_DTLS - -/* functions for managing DTLS datagram reordering */ - -/* Need to allocate space for the handshake message header. The hashing - * routines assume the message pointer is still within the buffer that - * has the headers, and will include those headers in the hash. The store - * routines need to take that into account as well. New will allocate - * extra space for the headers. */ -DtlsMsg* DtlsMsgNew(word32 sz, void* heap) -{ - DtlsMsg* msg = NULL; - - (void)heap; - msg = (DtlsMsg*)XMALLOC(sizeof(DtlsMsg), heap, DYNAMIC_TYPE_DTLS_MSG); - - if (msg != NULL) { - XMEMSET(msg, 0, sizeof(DtlsMsg)); - msg->buf = (byte*)XMALLOC(sz + DTLS_HANDSHAKE_HEADER_SZ, - heap, DYNAMIC_TYPE_DTLS_BUFFER); - if (msg->buf != NULL) { - msg->sz = sz; - msg->type = no_shake; - msg->msg = msg->buf + DTLS_HANDSHAKE_HEADER_SZ; - } - else { - XFREE(msg, heap, DYNAMIC_TYPE_DTLS_MSG); - msg = NULL; - } - } - - return msg; -} - -void DtlsMsgDelete(DtlsMsg* item, void* heap) -{ - (void)heap; - - if (item != NULL) { - DtlsFrag* cur = item->fragList; - while (cur != NULL) { - DtlsFrag* next = cur->next; - XFREE(cur, heap, DYNAMIC_TYPE_DTLS_FRAG); - cur = next; - } - if (item->buf != NULL) - XFREE(item->buf, heap, DYNAMIC_TYPE_DTLS_BUFFER); - XFREE(item, heap, DYNAMIC_TYPE_DTLS_MSG); - } -} - - -void DtlsMsgListDelete(DtlsMsg* head, void* heap) -{ - DtlsMsg* next; - while (head) { - next = head->next; - DtlsMsgDelete(head, heap); - head = next; - } -} - - -/* Create a DTLS Fragment from *begin - end, adjust new *begin and bytesLeft */ -static DtlsFrag* CreateFragment(word32* begin, word32 end, const byte* data, - byte* buf, word32* bytesLeft, void* heap) -{ - DtlsFrag* newFrag; - word32 added = end - *begin + 1; - - (void)heap; - newFrag = (DtlsFrag*)XMALLOC(sizeof(DtlsFrag), heap, - DYNAMIC_TYPE_DTLS_FRAG); - if (newFrag != NULL) { - newFrag->next = NULL; - newFrag->begin = *begin; - newFrag->end = end; - - XMEMCPY(buf + *begin, data, added); - *bytesLeft -= added; - *begin = newFrag->end + 1; - } - - return newFrag; -} - - -int DtlsMsgSet(DtlsMsg* msg, word32 seq, const byte* data, byte type, - word32 fragOffset, word32 fragSz, void* heap) -{ - if (msg != NULL && data != NULL && msg->fragSz <= msg->sz && - (fragOffset + fragSz) <= msg->sz) { - DtlsFrag* cur = msg->fragList; - DtlsFrag* prev = cur; - DtlsFrag* newFrag; - word32 bytesLeft = fragSz; /* could be overlapping fragment */ - word32 startOffset = fragOffset; - word32 added; - - msg->seq = seq; - msg->type = type; - - if (fragOffset == 0) { - XMEMCPY(msg->buf, data - DTLS_HANDSHAKE_HEADER_SZ, - DTLS_HANDSHAKE_HEADER_SZ); - c32to24(msg->sz, msg->msg - DTLS_HANDSHAKE_FRAG_SZ); - } - - /* if no mesage data, just return */ - if (fragSz == 0) - return 0; - - /* if list is empty add full fragment to front */ - if (cur == NULL) { - newFrag = CreateFragment(&fragOffset, fragOffset + fragSz - 1, data, - msg->msg, &bytesLeft, heap); - if (newFrag == NULL) - return MEMORY_E; - - msg->fragSz = fragSz; - msg->fragList = newFrag; - - return 0; - } - - /* add to front if before current front, up to next->begin */ - if (fragOffset < cur->begin) { - word32 end = fragOffset + fragSz - 1; - - if (end >= cur->begin) - end = cur->begin - 1; - - added = end - fragOffset + 1; - newFrag = CreateFragment(&fragOffset, end, data, msg->msg, - &bytesLeft, heap); - if (newFrag == NULL) - return MEMORY_E; - - msg->fragSz += added; - - newFrag->next = cur; - msg->fragList = newFrag; - } - - /* while we have bytes left, try to find a gap to fill */ - while (bytesLeft > 0) { - /* get previous packet in list */ - while (cur && (fragOffset >= cur->begin)) { - prev = cur; - cur = cur->next; - } - - /* don't add duplicate data */ - if (prev->end >= fragOffset) { - if ( (fragOffset + bytesLeft - 1) <= prev->end) - return 0; - fragOffset = prev->end + 1; - bytesLeft = startOffset + fragSz - fragOffset; - } - - if (cur == NULL) - /* we're at the end */ - added = bytesLeft; - else - /* we're in between two frames */ - added = min(bytesLeft, cur->begin - fragOffset); - - /* data already there */ - if (added == 0) - continue; - - newFrag = CreateFragment(&fragOffset, fragOffset + added - 1, - data + fragOffset - startOffset, - msg->msg, &bytesLeft, heap); - if (newFrag == NULL) - return MEMORY_E; - - msg->fragSz += added; - - newFrag->next = prev->next; - prev->next = newFrag; - } - } - - return 0; -} - - -DtlsMsg* DtlsMsgFind(DtlsMsg* head, word32 seq) -{ - while (head != NULL && head->seq != seq) { - head = head->next; - } - return head; -} - - -void DtlsMsgStore(WOLFSSL* ssl, word32 seq, const byte* data, - word32 dataSz, byte type, word32 fragOffset, word32 fragSz, void* heap) -{ - /* See if seq exists in the list. If it isn't in the list, make - * a new item of size dataSz, copy fragSz bytes from data to msg->msg - * starting at offset fragOffset, and add fragSz to msg->fragSz. If - * the seq is in the list and it isn't full, copy fragSz bytes from - * data to msg->msg starting at offset fragOffset, and add fragSz to - * msg->fragSz. Insertions take into account data already in the list - * in case there are overlaps in the handshake message due to retransmit - * messages. The new item should be inserted into the list in its - * proper position. - * - * 1. Find seq in list, or where seq should go in list. If seq not in - * list, create new item and insert into list. Either case, keep - * pointer to item. - * 2. Copy the data from the message to the stored message where it - * belongs without overlaps. - */ - - DtlsMsg* head = ssl->dtls_rx_msg_list; - - if (head != NULL) { - DtlsMsg* cur = DtlsMsgFind(head, seq); - if (cur == NULL) { - cur = DtlsMsgNew(dataSz, heap); - if (cur != NULL) { - if (DtlsMsgSet(cur, seq, data, type, - fragOffset, fragSz, heap) < 0) { - DtlsMsgDelete(cur, heap); - } - else { - ssl->dtls_rx_msg_list_sz++; - head = DtlsMsgInsert(head, cur); - } - } - } - else { - /* If this fails, the data is just dropped. */ - DtlsMsgSet(cur, seq, data, type, fragOffset, fragSz, heap); - } - } - else { - head = DtlsMsgNew(dataSz, heap); - if (DtlsMsgSet(head, seq, data, type, fragOffset, fragSz, heap) < 0) { - DtlsMsgDelete(head, heap); - head = NULL; - } - else { - ssl->dtls_rx_msg_list_sz++; - } - } - - ssl->dtls_rx_msg_list = head; -} - - -/* DtlsMsgInsert() is an in-order insert. */ -DtlsMsg* DtlsMsgInsert(DtlsMsg* head, DtlsMsg* item) -{ - if (head == NULL || item->seq < head->seq) { - item->next = head; - head = item; - } - else if (head->next == NULL) { - head->next = item; - } - else { - DtlsMsg* cur = head->next; - DtlsMsg* prev = head; - while (cur) { - if (item->seq < cur->seq) { - item->next = cur; - prev->next = item; - break; - } - prev = cur; - cur = cur->next; - } - if (cur == NULL) { - prev->next = item; - } - } - - return head; -} - - -/* DtlsMsgPoolSave() adds the message to the end of the stored transmit list. */ -int DtlsMsgPoolSave(WOLFSSL* ssl, const byte* data, word32 dataSz) -{ - DtlsMsg* item; - int ret = 0; - - if (ssl->dtls_tx_msg_list_sz > DTLS_POOL_SZ) - return DTLS_POOL_SZ_E; - - item = DtlsMsgNew(dataSz, ssl->heap); - - if (item != NULL) { - DtlsMsg* cur = ssl->dtls_tx_msg_list; - - XMEMCPY(item->buf, data, dataSz); - item->sz = dataSz; - item->seq = ssl->keys.dtls_epoch; - - if (cur == NULL) - ssl->dtls_tx_msg_list = item; - else { - while (cur->next) - cur = cur->next; - cur->next = item; - } - ssl->dtls_tx_msg_list_sz++; - } - else - ret = MEMORY_E; - - return ret; -} - - -/* DtlsMsgPoolTimeout() updates the timeout time. */ -int DtlsMsgPoolTimeout(WOLFSSL* ssl) -{ - int result = -1; - if (ssl->dtls_timeout < ssl->dtls_timeout_max) { - ssl->dtls_timeout *= DTLS_TIMEOUT_MULTIPLIER; - result = 0; - } - return result; -} - - -/* DtlsMsgPoolReset() deletes the stored transmit list and resets the timeout - * value. */ -void DtlsMsgPoolReset(WOLFSSL* ssl) -{ - if (ssl->dtls_tx_msg_list) { - DtlsMsgListDelete(ssl->dtls_tx_msg_list, ssl->heap); - ssl->dtls_tx_msg_list = NULL; - ssl->dtls_tx_msg_list_sz = 0; - ssl->dtls_timeout = ssl->dtls_timeout_init; - } -} - - -int VerifyForDtlsMsgPoolSend(WOLFSSL* ssl, byte type, word32 fragOffset) -{ - /** - * only the first message from previous flight should be valid - * to be used for triggering retransmission of whole DtlsMsgPool. - * change cipher suite type is not verified here - */ - return ((fragOffset == 0) && - (((ssl->options.side == WOLFSSL_SERVER_END) && - ((type == client_hello) || - ((ssl->options.verifyPeer) && (type == certificate)) || - ((!ssl->options.verifyPeer) && (type == client_key_exchange)))) || - ((ssl->options.side == WOLFSSL_CLIENT_END) && - (type == server_hello)))); -} - - -/* DtlsMsgPoolSend() will send the stored transmit list. The stored list is - * updated with new sequence numbers, and will be re-encrypted if needed. */ -int DtlsMsgPoolSend(WOLFSSL* ssl, int sendOnlyFirstPacket) -{ - int ret = 0; - DtlsMsg* pool = ssl->dtls_tx_msg_list; - - if (pool != NULL) { - - while (pool != NULL) { - if (pool->seq == 0) { - DtlsRecordLayerHeader* dtls; - int epochOrder; - - dtls = (DtlsRecordLayerHeader*)pool->buf; - /* If the stored record's epoch is 0, and the currently set - * epoch is 0, use the "current order" sequence number. - * If the stored record's epoch is 0 and the currently set - * epoch is not 0, the stored record is considered a "previous - * order" sequence number. */ - epochOrder = (ssl->keys.dtls_epoch == 0) ? - CUR_ORDER : PREV_ORDER; - - WriteSEQ(ssl, epochOrder, dtls->sequence_number); - DtlsSEQIncrement(ssl, epochOrder); - if ((ret = CheckAvailableSize(ssl, pool->sz)) != 0) - return ret; - - XMEMCPY(ssl->buffers.outputBuffer.buffer, - pool->buf, pool->sz); - ssl->buffers.outputBuffer.idx = 0; - ssl->buffers.outputBuffer.length = pool->sz; - } - else if (pool->seq == ssl->keys.dtls_epoch) { - byte* input; - byte* output; - int inputSz, sendSz; - - input = pool->buf; - inputSz = pool->sz; - sendSz = inputSz + MAX_MSG_EXTRA; - - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, - handshake, 0, 0, 0); - if (sendSz < 0) - return BUILD_MSG_ERROR; - - ssl->buffers.outputBuffer.length += sendSz; - } - - ret = SendBuffered(ssl); - if (ret < 0) { - return ret; - } - - /** - * on server side, retranmission is being triggered only by sending - * first message of given flight, in order to trigger client - * to retransmit its whole flight. Sending the whole previous flight - * could lead to retranmission of previous client flight for each - * server message from previous flight. Therefore one message should - * be enough to do the trick. - */ - if (sendOnlyFirstPacket && - ssl->options.side == WOLFSSL_SERVER_END) { - - pool = NULL; - } - else - pool = pool->next; - } - } - - return ret; -} - -#endif /* WOLFSSL_DTLS */ - -#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) - -ProtocolVersion MakeSSLv3(void) -{ - ProtocolVersion pv; - pv.major = SSLv3_MAJOR; - pv.minor = SSLv3_MINOR; - - return pv; -} - -#endif /* WOLFSSL_ALLOW_SSLV3 && !NO_OLD_TLS */ - - -#ifdef WOLFSSL_DTLS - -ProtocolVersion MakeDTLSv1(void) -{ - ProtocolVersion pv; - pv.major = DTLS_MAJOR; - pv.minor = DTLS_MINOR; - - return pv; -} - -ProtocolVersion MakeDTLSv1_2(void) -{ - ProtocolVersion pv; - pv.major = DTLS_MAJOR; - pv.minor = DTLSv1_2_MINOR; - - return pv; -} - -#endif /* WOLFSSL_DTLS */ - - - - -#if defined(USER_TICKS) -#if 0 - word32 LowResTimer(void) - { - /* - write your own clock tick function if don't want time(0) - needs second accuracy but doesn't have to correlated to EPOCH - */ - } -#endif - -#elif defined(TIME_OVERRIDES) - - /* use same asn time overrides unless user wants tick override above */ - - #ifndef HAVE_TIME_T_TYPE - typedef long time_t; - #endif - extern time_t XTIME(time_t * timer); - - word32 LowResTimer(void) - { - return (word32) XTIME(0); - } - -#elif defined(USE_WINDOWS_API) - - word32 LowResTimer(void) - { - static int init = 0; - static LARGE_INTEGER freq; - LARGE_INTEGER count; - - if (!init) { - QueryPerformanceFrequency(&freq); - init = 1; - } - - QueryPerformanceCounter(&count); - - return (word32)(count.QuadPart / freq.QuadPart); - } - -#elif defined(HAVE_RTP_SYS) - - #include "rtptime.h" - - word32 LowResTimer(void) - { - return (word32)rtp_get_system_sec(); - } - - -#elif defined(MICRIUM) - - word32 LowResTimer(void) - { - NET_SECURE_OS_TICK clk = 0; - - #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED) - clk = NetSecure_OS_TimeGet(); - #endif - return (word32)clk; - } - - -#elif defined(MICROCHIP_TCPIP_V5) - - word32 LowResTimer(void) - { - return (word32) (TickGet() / TICKS_PER_SECOND); - } - - -#elif defined(MICROCHIP_TCPIP) - - #if defined(MICROCHIP_MPLAB_HARMONY) - - #include - - word32 LowResTimer(void) - { - return (word32) (SYS_TMR_TickCountGet() / - SYS_TMR_TickCounterFrequencyGet()); - } - - #else - - word32 LowResTimer(void) - { - return (word32) (SYS_TICK_Get() / SYS_TICK_TicksPerSecondGet()); - } - - #endif - -#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) - - word32 LowResTimer(void) - { - TIME_STRUCT mqxTime; - - _time_get_elapsed(&mqxTime); - - return (word32) mqxTime.SECONDS; - } -#elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS) - - #include "include/task.h" - - unsigned int LowResTimer(void) - { - return (unsigned int)(((float)xTaskGetTickCount())/configTICK_RATE_HZ); - } - -#elif defined(FREESCALE_KSDK_BM) - - #include "lwip/sys.h" /* lwIP */ - word32 LowResTimer(void) - { - return sys_now()/1000; - } - -#elif defined(WOLFSSL_TIRTOS) - - word32 LowResTimer(void) - { - return (word32) Seconds_get(); - } - -#elif defined(WOLFSSL_UTASKER) - - word32 LowResTimer(void) - { - return (word32)(uTaskerSystemTick / TICK_RESOLUTION); - } - -#else - /* Posix style time */ - #include - - word32 LowResTimer(void) - { - return (word32)time(0); - } - - -#endif - - -#ifndef NO_CERTS -int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz) -{ - int ret = 0; - - (void)output; - (void)sz; - -#ifdef HAVE_FUZZER - if (ssl->fuzzerCb) - ssl->fuzzerCb(ssl, output, sz, FUZZ_HASH, ssl->fuzzerCtx); -#endif -#ifndef NO_OLD_TLS -#ifndef NO_SHA - wc_ShaUpdate(&ssl->hsHashes->hashSha, output, sz); -#endif -#ifndef NO_MD5 - wc_Md5Update(&ssl->hsHashes->hashMd5, output, sz); -#endif -#endif /* NO_OLD_TLS */ - - if (IsAtLeastTLSv1_2(ssl)) { -#ifndef NO_SHA256 - ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, output, sz); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA384 - ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, output, sz); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA512 - ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, output, sz); - if (ret != 0) - return ret; -#endif - } - - return ret; -} -#endif /* NO_CERTS */ - - -/* add output to md5 and sha handshake hashes, exclude record header */ -int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz) -{ - int ret = 0; - const byte* adj; - - adj = output + RECORD_HEADER_SZ + ivSz; - sz -= RECORD_HEADER_SZ; - -#ifdef HAVE_FUZZER - if (ssl->fuzzerCb) - ssl->fuzzerCb(ssl, output, sz, FUZZ_HASH, ssl->fuzzerCtx); -#endif -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - adj += DTLS_RECORD_EXTRA; - sz -= DTLS_RECORD_EXTRA; - } -#endif -#ifndef NO_OLD_TLS -#ifndef NO_SHA - wc_ShaUpdate(&ssl->hsHashes->hashSha, adj, sz); -#endif -#ifndef NO_MD5 - wc_Md5Update(&ssl->hsHashes->hashMd5, adj, sz); -#endif -#endif - - if (IsAtLeastTLSv1_2(ssl)) { -#ifndef NO_SHA256 - ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, adj, sz); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA384 - ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, adj, sz); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA512 - ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, adj, sz); - if (ret != 0) - return ret; -#endif - } - - return ret; -} - - -/* add input to md5 and sha handshake hashes, include handshake header */ -int HashInput(WOLFSSL* ssl, const byte* input, int sz) -{ - int ret = 0; - const byte* adj; - - adj = input - HANDSHAKE_HEADER_SZ; - sz += HANDSHAKE_HEADER_SZ; - - (void)adj; - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - adj -= DTLS_HANDSHAKE_EXTRA; - sz += DTLS_HANDSHAKE_EXTRA; - } -#endif - - if (ssl->hsHashes == NULL) { - return BAD_FUNC_ARG; - } - -#ifndef NO_OLD_TLS -#ifndef NO_SHA - wc_ShaUpdate(&ssl->hsHashes->hashSha, adj, sz); -#endif -#ifndef NO_MD5 - wc_Md5Update(&ssl->hsHashes->hashMd5, adj, sz); -#endif -#endif - - if (IsAtLeastTLSv1_2(ssl)) { -#ifndef NO_SHA256 - ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, adj, sz); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA384 - ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, adj, sz); - if (ret != 0) - return ret; -#endif -#ifdef WOLFSSL_SHA512 - ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, adj, sz); - if (ret != 0) - return ret; -#endif - } - - return ret; -} - - -/* add record layer header for message */ -static void AddRecordHeader(byte* output, word32 length, byte type, WOLFSSL* ssl) -{ - RecordLayerHeader* rl; - - /* record layer header */ - rl = (RecordLayerHeader*)output; - if (rl == NULL) { - return; - } - rl->type = type; - rl->pvMajor = ssl->version.major; /* type and version same in each */ -#ifdef WOLFSSL_TLS13 - if (IsAtLeastTLSv1_3(ssl->version)) - rl->pvMinor = TLSv1_MINOR; - else -#endif - rl->pvMinor = ssl->version.minor; - -#ifdef WOLFSSL_ALTERNATIVE_DOWNGRADE - if (ssl->options.side == WOLFSSL_CLIENT_END - && ssl->options.connectState == CONNECT_BEGIN - && !ssl->options.resuming) { - rl->pvMinor = ssl->options.downgrade ? ssl->options.minDowngrade - : ssl->version.minor; - } -#endif - - if (!ssl->options.dtls) { - c16toa((word16)length, rl->length); - } - else { -#ifdef WOLFSSL_DTLS - DtlsRecordLayerHeader* dtls; - - /* dtls record layer header extensions */ - dtls = (DtlsRecordLayerHeader*)output; - WriteSEQ(ssl, 0, dtls->sequence_number); - c16toa((word16)length, dtls->length); -#endif - } -} - - -/* add handshake header for message */ -static void AddHandShakeHeader(byte* output, word32 length, - word32 fragOffset, word32 fragLength, - byte type, WOLFSSL* ssl) -{ - HandShakeHeader* hs; - (void)fragOffset; - (void)fragLength; - (void)ssl; - - /* handshake header */ - hs = (HandShakeHeader*)output; - hs->type = type; - c32to24(length, hs->length); /* type and length same for each */ -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - DtlsHandShakeHeader* dtls; - - /* dtls handshake header extensions */ - dtls = (DtlsHandShakeHeader*)output; - c16toa(ssl->keys.dtls_handshake_number++, dtls->message_seq); - c32to24(fragOffset, dtls->fragment_offset); - c32to24(fragLength, dtls->fragment_length); - } -#endif -} - - -/* add both headers for handshake message */ -static void AddHeaders(byte* output, word32 length, byte type, WOLFSSL* ssl) -{ - word32 lengthAdj = HANDSHAKE_HEADER_SZ; - word32 outputAdj = RECORD_HEADER_SZ; - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - lengthAdj += DTLS_HANDSHAKE_EXTRA; - outputAdj += DTLS_RECORD_EXTRA; - } -#endif - - AddRecordHeader(output, length + lengthAdj, handshake, ssl); - AddHandShakeHeader(output + outputAdj, length, 0, length, type, ssl); -} - - -#ifndef NO_CERTS -static void AddFragHeaders(byte* output, word32 fragSz, word32 fragOffset, - word32 length, byte type, WOLFSSL* ssl) -{ - word32 lengthAdj = HANDSHAKE_HEADER_SZ; - word32 outputAdj = RECORD_HEADER_SZ; - (void)fragSz; - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - lengthAdj += DTLS_HANDSHAKE_EXTRA; - outputAdj += DTLS_RECORD_EXTRA; - } -#endif - - AddRecordHeader(output, fragSz + lengthAdj, handshake, ssl); - AddHandShakeHeader(output + outputAdj, length, fragOffset, fragSz, type, ssl); -} -#endif /* NO_CERTS */ - - -/* return bytes received, -1 on error */ -static int Receive(WOLFSSL* ssl, byte* buf, word32 sz) -{ - int recvd; - - if (ssl->ctx->CBIORecv == NULL) { - WOLFSSL_MSG("Your IO Recv callback is null, please set"); - return -1; - } - -retry: - recvd = ssl->ctx->CBIORecv(ssl, (char *)buf, (int)sz, ssl->IOCB_ReadCtx); - if (recvd < 0) - switch (recvd) { - case WOLFSSL_CBIO_ERR_GENERAL: /* general/unknown error */ - return -1; - - case WOLFSSL_CBIO_ERR_WANT_READ: /* want read, would block */ - return WANT_READ; - - case WOLFSSL_CBIO_ERR_CONN_RST: /* connection reset */ - #ifdef USE_WINDOWS_API - if (ssl->options.dtls) { - goto retry; - } - #endif - ssl->options.connReset = 1; - return -1; - - case WOLFSSL_CBIO_ERR_ISR: /* interrupt */ - /* see if we got our timeout */ - #ifdef WOLFSSL_CALLBACKS - if (ssl->toInfoOn) { - struct itimerval timeout; - getitimer(ITIMER_REAL, &timeout); - if (timeout.it_value.tv_sec == 0 && - timeout.it_value.tv_usec == 0) { - XSTRNCPY(ssl->timeoutInfo.timeoutName, - "recv() timeout", MAX_TIMEOUT_NAME_SZ); - WOLFSSL_MSG("Got our timeout"); - return WANT_READ; - } - } - #endif - goto retry; - - case WOLFSSL_CBIO_ERR_CONN_CLOSE: /* peer closed connection */ - ssl->options.isClosed = 1; - return -1; - - case WOLFSSL_CBIO_ERR_TIMEOUT: - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl) && - !ssl->options.handShakeDone && - DtlsMsgPoolTimeout(ssl) == 0 && - DtlsMsgPoolSend(ssl, 0) == 0) { - - goto retry; - } - #endif - return -1; - - default: - return recvd; - } - - return recvd; -} - - -/* Switch dynamic output buffer back to static, buffer is assumed clear */ -void ShrinkOutputBuffer(WOLFSSL* ssl) -{ - WOLFSSL_MSG("Shrinking output buffer\n"); - XFREE(ssl->buffers.outputBuffer.buffer - ssl->buffers.outputBuffer.offset, - ssl->heap, DYNAMIC_TYPE_OUT_BUFFER); - ssl->buffers.outputBuffer.buffer = ssl->buffers.outputBuffer.staticBuffer; - ssl->buffers.outputBuffer.bufferSize = STATIC_BUFFER_LEN; - ssl->buffers.outputBuffer.dynamicFlag = 0; - ssl->buffers.outputBuffer.offset = 0; -} - - -/* Switch dynamic input buffer back to static, keep any remaining input */ -/* forced free means cleaning up */ -void ShrinkInputBuffer(WOLFSSL* ssl, int forcedFree) -{ - int usedLength = ssl->buffers.inputBuffer.length - - ssl->buffers.inputBuffer.idx; - if (!forcedFree && usedLength > STATIC_BUFFER_LEN) - return; - - WOLFSSL_MSG("Shrinking input buffer\n"); - - if (!forcedFree && usedLength > 0) - XMEMCPY(ssl->buffers.inputBuffer.staticBuffer, - ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx, - usedLength); - - XFREE(ssl->buffers.inputBuffer.buffer - ssl->buffers.inputBuffer.offset, - ssl->heap, DYNAMIC_TYPE_IN_BUFFER); - ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer; - ssl->buffers.inputBuffer.bufferSize = STATIC_BUFFER_LEN; - ssl->buffers.inputBuffer.dynamicFlag = 0; - ssl->buffers.inputBuffer.offset = 0; - ssl->buffers.inputBuffer.idx = 0; - ssl->buffers.inputBuffer.length = usedLength; -} - -int SendBuffered(WOLFSSL* ssl) -{ - if (ssl->ctx->CBIOSend == NULL) { - WOLFSSL_MSG("Your IO Send callback is null, please set"); - return SOCKET_ERROR_E; - } - -#ifdef WOLFSSL_DEBUG_TLS - if (ssl->buffers.outputBuffer.idx == 0) { - WOLFSSL_MSG("Data to send"); - WOLFSSL_BUFFER(ssl->buffers.outputBuffer.buffer, - ssl->buffers.outputBuffer.length); - } -#endif - - while (ssl->buffers.outputBuffer.length > 0) { - int sent = ssl->ctx->CBIOSend(ssl, - (char*)ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.idx, - (int)ssl->buffers.outputBuffer.length, - ssl->IOCB_WriteCtx); - if (sent < 0) { - switch (sent) { - - case WOLFSSL_CBIO_ERR_WANT_WRITE: /* would block */ - return WANT_WRITE; - - case WOLFSSL_CBIO_ERR_CONN_RST: /* connection reset */ - ssl->options.connReset = 1; - break; - - case WOLFSSL_CBIO_ERR_ISR: /* interrupt */ - /* see if we got our timeout */ - #ifdef WOLFSSL_CALLBACKS - if (ssl->toInfoOn) { - struct itimerval timeout; - getitimer(ITIMER_REAL, &timeout); - if (timeout.it_value.tv_sec == 0 && - timeout.it_value.tv_usec == 0) { - XSTRNCPY(ssl->timeoutInfo.timeoutName, - "send() timeout", MAX_TIMEOUT_NAME_SZ); - WOLFSSL_MSG("Got our timeout"); - return WANT_WRITE; - } - } - #endif - continue; - - case WOLFSSL_CBIO_ERR_CONN_CLOSE: /* epipe / conn closed */ - ssl->options.connReset = 1; /* treat same as reset */ - break; - - default: - return SOCKET_ERROR_E; - } - - return SOCKET_ERROR_E; - } - - if (sent > (int)ssl->buffers.outputBuffer.length) { - WOLFSSL_MSG("SendBuffered() out of bounds read"); - return SEND_OOB_READ_E; - } - - ssl->buffers.outputBuffer.idx += sent; - ssl->buffers.outputBuffer.length -= sent; - } - - ssl->buffers.outputBuffer.idx = 0; - - if (ssl->buffers.outputBuffer.dynamicFlag) - ShrinkOutputBuffer(ssl); - - return 0; -} - - -/* Grow the output buffer */ -static INLINE int GrowOutputBuffer(WOLFSSL* ssl, int size) -{ - byte* tmp; -#if WOLFSSL_GENERAL_ALIGNMENT > 0 - byte hdrSz = ssl->options.dtls ? DTLS_RECORD_HEADER_SZ : - RECORD_HEADER_SZ; - byte align = WOLFSSL_GENERAL_ALIGNMENT; -#else - const byte align = WOLFSSL_GENERAL_ALIGNMENT; -#endif - -#if WOLFSSL_GENERAL_ALIGNMENT > 0 - /* the encrypted data will be offset from the front of the buffer by - the header, if the user wants encrypted alignment they need - to define their alignment requirement */ - - if (align) { - while (align < hdrSz) - align *= 2; - } -#endif - - tmp = (byte*)XMALLOC(size + ssl->buffers.outputBuffer.length + align, - ssl->heap, DYNAMIC_TYPE_OUT_BUFFER); - WOLFSSL_MSG("growing output buffer\n"); - - if (tmp == NULL) - return MEMORY_E; - -#if WOLFSSL_GENERAL_ALIGNMENT > 0 - if (align) - tmp += align - hdrSz; -#endif - - if (ssl->buffers.outputBuffer.length) - XMEMCPY(tmp, ssl->buffers.outputBuffer.buffer, - ssl->buffers.outputBuffer.length); - - if (ssl->buffers.outputBuffer.dynamicFlag) - XFREE(ssl->buffers.outputBuffer.buffer - - ssl->buffers.outputBuffer.offset, ssl->heap, - DYNAMIC_TYPE_OUT_BUFFER); - ssl->buffers.outputBuffer.dynamicFlag = 1; - -#if WOLFSSL_GENERAL_ALIGNMENT > 0 - if (align) - ssl->buffers.outputBuffer.offset = align - hdrSz; - else -#endif - ssl->buffers.outputBuffer.offset = 0; - - ssl->buffers.outputBuffer.buffer = tmp; - ssl->buffers.outputBuffer.bufferSize = size + - ssl->buffers.outputBuffer.length; - return 0; -} - - -/* Grow the input buffer, should only be to read cert or big app data */ -int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength) -{ - byte* tmp; -#if defined(WOLFSSL_DTLS) || WOLFSSL_GENERAL_ALIGNMENT > 0 - byte align = ssl->options.dtls ? WOLFSSL_GENERAL_ALIGNMENT : 0; - byte hdrSz = DTLS_RECORD_HEADER_SZ; -#else - const byte align = WOLFSSL_GENERAL_ALIGNMENT; -#endif - -#if defined(WOLFSSL_DTLS) || WOLFSSL_GENERAL_ALIGNMENT > 0 - /* the encrypted data will be offset from the front of the buffer by - the dtls record header, if the user wants encrypted alignment they need - to define their alignment requirement. in tls we read record header - to get size of record and put actual data back at front, so don't need */ - - if (align) { - while (align < hdrSz) - align *= 2; - } -#endif - - if (usedLength < 0 || size < 0) { - WOLFSSL_MSG("GrowInputBuffer() called with negative number"); - return BAD_FUNC_ARG; - } - - tmp = (byte*)XMALLOC(size + usedLength + align, - ssl->heap, DYNAMIC_TYPE_IN_BUFFER); - WOLFSSL_MSG("growing input buffer\n"); - - if (tmp == NULL) - return MEMORY_E; - -#if defined(WOLFSSL_DTLS) || WOLFSSL_GENERAL_ALIGNMENT > 0 - if (align) - tmp += align - hdrSz; -#endif - - if (usedLength) - XMEMCPY(tmp, ssl->buffers.inputBuffer.buffer + - ssl->buffers.inputBuffer.idx, usedLength); - - if (ssl->buffers.inputBuffer.dynamicFlag) - XFREE(ssl->buffers.inputBuffer.buffer - ssl->buffers.inputBuffer.offset, - ssl->heap,DYNAMIC_TYPE_IN_BUFFER); - - ssl->buffers.inputBuffer.dynamicFlag = 1; -#if defined(WOLFSSL_DTLS) || WOLFSSL_GENERAL_ALIGNMENT > 0 - if (align) - ssl->buffers.inputBuffer.offset = align - hdrSz; - else -#endif - ssl->buffers.inputBuffer.offset = 0; - - ssl->buffers.inputBuffer.buffer = tmp; - ssl->buffers.inputBuffer.bufferSize = size + usedLength; - ssl->buffers.inputBuffer.idx = 0; - ssl->buffers.inputBuffer.length = usedLength; - - return 0; -} - - -/* check available size into output buffer, make room if needed */ -int CheckAvailableSize(WOLFSSL *ssl, int size) -{ - if (size < 0) { - WOLFSSL_MSG("CheckAvailableSize() called with negative number"); - return BAD_FUNC_ARG; - } - - if (ssl->buffers.outputBuffer.bufferSize - ssl->buffers.outputBuffer.length - < (word32)size) { - if (GrowOutputBuffer(ssl, size) < 0) - return MEMORY_E; - } - - return 0; -} - - -/* do all verify and sanity checks on record header */ -static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - RecordLayerHeader* rh, word16 *size) -{ - if (!ssl->options.dtls) { -#ifdef HAVE_FUZZER - if (ssl->fuzzerCb) - ssl->fuzzerCb(ssl, input + *inOutIdx, RECORD_HEADER_SZ, FUZZ_HEAD, - ssl->fuzzerCtx); -#endif - XMEMCPY(rh, input + *inOutIdx, RECORD_HEADER_SZ); - *inOutIdx += RECORD_HEADER_SZ; - ato16(rh->length, size); - } - else { -#ifdef WOLFSSL_DTLS -#ifdef HAVE_FUZZER - if (ssl->fuzzerCb) - ssl->fuzzerCb(ssl, input + *inOutIdx, DTLS_RECORD_HEADER_SZ, - FUZZ_HEAD, ssl->fuzzerCtx); -#endif - /* type and version in same sport */ - XMEMCPY(rh, input + *inOutIdx, ENUM_LEN + VERSION_SZ); - *inOutIdx += ENUM_LEN + VERSION_SZ; - ato16(input + *inOutIdx, &ssl->keys.curEpoch); - *inOutIdx += OPAQUE16_LEN; - ato16(input + *inOutIdx, &ssl->keys.curSeq_hi); - *inOutIdx += OPAQUE16_LEN; - ato32(input + *inOutIdx, &ssl->keys.curSeq_lo); - *inOutIdx += OPAQUE32_LEN; /* advance past rest of seq */ - ato16(input + *inOutIdx, size); - *inOutIdx += LENGTH_SZ; -#endif - } - -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl) && - (!DtlsCheckWindow(ssl) || - (ssl->options.handShakeDone && ssl->keys.curEpoch == 0))) { - return SEQUENCE_ERROR; - } -#endif - -#ifdef OPENSSL_EXTRA - /* case where specific protocols are turned off */ - if (!ssl->options.dtls && ssl->options.mask > 0) { - if (rh->pvMinor == SSLv3_MINOR && - (ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { - WOLFSSL_MSG("Option set to not allow SSLv3"); - return VERSION_ERROR; - } - if (rh->pvMinor == TLSv1_MINOR && - (ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { - WOLFSSL_MSG("Option set to not allow TLSv1"); - return VERSION_ERROR; - } - if (rh->pvMinor == TLSv1_1_MINOR && - (ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { - WOLFSSL_MSG("Option set to not allow TLSv1.1"); - return VERSION_ERROR; - } - if (rh->pvMinor == TLSv1_2_MINOR && - (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { - WOLFSSL_MSG("Option set to not allow TLSv1.2"); - return VERSION_ERROR; - } - } -#endif /* OPENSSL_EXTRA */ - - /* catch version mismatch */ -#ifndef WOLFSSL_TLS13 - if (rh->pvMajor != ssl->version.major || rh->pvMinor != ssl->version.minor) -#else - if (rh->pvMajor != ssl->version.major || - (rh->pvMinor != ssl->version.minor && - (!IsAtLeastTLSv1_3(ssl->version) || rh->pvMinor != TLSv1_MINOR))) -#endif - { - if (ssl->options.side == WOLFSSL_SERVER_END && - ssl->options.acceptState < ACCEPT_FIRST_REPLY_DONE) - - WOLFSSL_MSG("Client attempting to connect with different version"); - else if (ssl->options.side == WOLFSSL_CLIENT_END && - ssl->options.downgrade && - ssl->options.connectState < FIRST_REPLY_DONE) - WOLFSSL_MSG("Server attempting to accept with different version"); - else if (ssl->options.dtls && rh->type == handshake) - /* Check the DTLS handshake message RH version later. */ - WOLFSSL_MSG("DTLS handshake, skip RH version number check"); - else { - WOLFSSL_MSG("SSL version error"); - return VERSION_ERROR; /* only use requested version */ - } - } - - /* record layer length check */ -#ifdef HAVE_MAX_FRAGMENT - if (*size > (ssl->max_fragment + MAX_COMP_EXTRA + MAX_MSG_EXTRA)) { - SendAlert(ssl, alert_fatal, record_overflow); - return LENGTH_ERROR; - } -#else - if (*size > (MAX_RECORD_SIZE + MAX_COMP_EXTRA + MAX_MSG_EXTRA)) - return LENGTH_ERROR; -#endif - - /* verify record type here as well */ - switch (rh->type) { - case handshake: - case change_cipher_spec: - case application_data: - case alert: - break; - case no_type: - default: - WOLFSSL_MSG("Unknown Record Type"); - return UNKNOWN_RECORD_TYPE; - } - - /* haven't decrypted this record yet */ - ssl->keys.decryptedCur = 0; - - return 0; -} - - -static int GetHandShakeHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - byte *type, word32 *size, word32 totalSz) -{ - const byte *ptr = input + *inOutIdx; - (void)ssl; - - *inOutIdx += HANDSHAKE_HEADER_SZ; - if (*inOutIdx > totalSz) - return BUFFER_E; - - *type = ptr[0]; - c24to32(&ptr[1], size); - - return 0; -} - - -#ifdef WOLFSSL_DTLS -static int GetDtlsHandShakeHeader(WOLFSSL* ssl, const byte* input, - word32* inOutIdx, byte *type, word32 *size, - word32 *fragOffset, word32 *fragSz, - word32 totalSz) -{ - word32 idx = *inOutIdx; - - *inOutIdx += HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA; - if (*inOutIdx > totalSz) - return BUFFER_E; - - *type = input[idx++]; - c24to32(input + idx, size); - idx += OPAQUE24_LEN; - - ato16(input + idx, &ssl->keys.dtls_peer_handshake_number); - idx += DTLS_HANDSHAKE_SEQ_SZ; - - c24to32(input + idx, fragOffset); - idx += DTLS_HANDSHAKE_FRAG_SZ; - c24to32(input + idx, fragSz); - - if (ssl->curRL.pvMajor != ssl->version.major || - ssl->curRL.pvMinor != ssl->version.minor) { - - if (*type != client_hello && *type != hello_verify_request) - return VERSION_ERROR; - else { - WOLFSSL_MSG("DTLS Handshake ignoring hello or verify version"); - } - } - return 0; -} -#endif - - -#if !defined(NO_OLD_TLS) || \ - (defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_TLS_SHA1)) -/* fill with MD5 pad size since biggest required */ -static const byte PAD1[PAD_MD5] = - { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, - 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, - 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, - 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, - 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, - 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 - }; -static const byte PAD2[PAD_MD5] = - { 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, - 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, - 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, - 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, - 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, - 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c - }; -#endif /* !NO_OLD_TLS || (NO_OLD_TLS && WOLFSSL_ALLOW_TLS_SHA1) */ - -#ifndef NO_OLD_TLS - -/* calculate MD5 hash for finished */ -#ifdef WOLFSSL_TI_HASH -#include -#endif - -static int BuildMD5(WOLFSSL* ssl, Hashes* hashes, const byte* sender) -{ - int ret; - byte md5_result[MD5_DIGEST_SIZE]; -#ifdef WOLFSSL_SMALL_STACK - Md5* md5 = (Md5*)XMALLOC(sizeof(Md5), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (md5 == NULL) - return MEMORY_E; -#else - Md5 md5[1]; -#endif - - /* make md5 inner */ - ret = wc_Md5Copy(&ssl->hsHashes->hashMd5, md5); - if (ret == 0) - ret = wc_Md5Update(md5, sender, SIZEOF_SENDER); - if (ret == 0) - ret = wc_Md5Update(md5, ssl->arrays->masterSecret,SECRET_LEN); - if (ret == 0) - ret = wc_Md5Update(md5, PAD1, PAD_MD5); - if (ret == 0) - ret = wc_Md5Final(md5, md5_result); - - /* make md5 outer */ - if (ret == 0) { - ret = wc_InitMd5_ex(md5, ssl->heap, ssl->devId); - if (ret == 0) { - ret = wc_Md5Update(md5, ssl->arrays->masterSecret,SECRET_LEN); - if (ret == 0) - ret = wc_Md5Update(md5, PAD2, PAD_MD5); - if (ret == 0) - ret = wc_Md5Update(md5, md5_result, MD5_DIGEST_SIZE); - if (ret == 0) - ret = wc_Md5Final(md5, hashes->md5); - wc_Md5Free(md5); - } - } - -#ifdef WOLFSSL_SMALL_STACK - XFREE(md5, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - return ret; -} - - -/* calculate SHA hash for finished */ -static int BuildSHA(WOLFSSL* ssl, Hashes* hashes, const byte* sender) -{ - int ret; - byte sha_result[SHA_DIGEST_SIZE]; -#ifdef WOLFSSL_SMALL_STACK - Sha* sha = (Sha*)XMALLOC(sizeof(Sha), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (sha == NULL) - return MEMORY_E; -#else - Sha sha[1]; -#endif - /* make sha inner */ - ret = wc_ShaCopy(&ssl->hsHashes->hashSha, sha); /* Save current position */ - if (ret == 0) - ret = wc_ShaUpdate(sha, sender, SIZEOF_SENDER); - if (ret == 0) - ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN); - if (ret == 0) - ret = wc_ShaUpdate(sha, PAD1, PAD_SHA); - if (ret == 0) - ret = wc_ShaFinal(sha, sha_result); - - /* make sha outer */ - if (ret == 0) { - ret = wc_InitSha_ex(sha, ssl->heap, ssl->devId); - if (ret == 0) { - ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN); - if (ret == 0) - ret = wc_ShaUpdate(sha, PAD2, PAD_SHA); - if (ret == 0) - ret = wc_ShaUpdate(sha, sha_result, SHA_DIGEST_SIZE); - if (ret == 0) - ret = wc_ShaFinal(sha, hashes->sha); - wc_ShaFree(sha); - } - } - -#ifdef WOLFSSL_SMALL_STACK - XFREE(sha, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - return ret; -} -#endif - -/* Finished doesn't support SHA512, not SHA512 cipher suites yet */ -static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) -{ - int ret = 0; -#ifdef WOLFSSL_SHA384 -#ifdef WOLFSSL_SMALL_STACK - Sha384* sha384; -#else - Sha384 sha384[1]; -#endif /* WOLFSSL_SMALL_STACK */ -#endif /* WOLFSSL_SHA384 */ - - if (ssl == NULL) - return BAD_FUNC_ARG; - -#ifdef WOLFSSL_SHA384 -#ifdef WOLFSSL_SMALL_STACK - sha384 = (Sha384*)XMALLOC(sizeof(Sha384), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (sha384 == NULL) - return MEMORY_E; -#endif /* WOLFSSL_SMALL_STACK */ -#endif /* WOLFSSL_SHA384 */ - - /* store current states, building requires get_digest which resets state */ -#ifdef WOLFSSL_SHA384 - sha384[0] = ssl->hsHashes->hashSha384; -#endif - -#ifndef NO_TLS - if (ssl->options.tls) { - ret = BuildTlsFinished(ssl, hashes, sender); - } -#endif -#ifndef NO_OLD_TLS - if (!ssl->options.tls) { - ret = BuildMD5(ssl, hashes, sender); - if (ret == 0) { - ret = BuildSHA(ssl, hashes, sender); - } - } -#endif - - /* restore */ - if (IsAtLeastTLSv1_2(ssl)) { - #ifdef WOLFSSL_SHA384 - ssl->hsHashes->hashSha384 = sha384[0]; - #endif - } - -#ifdef WOLFSSL_SHA384 -#ifdef WOLFSSL_SMALL_STACK - XFREE(sha384, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif -#endif - - return ret; -} - - - /* cipher requirements */ - enum { - REQUIRES_RSA, - REQUIRES_DHE, - REQUIRES_ECC, - REQUIRES_ECC_STATIC, - REQUIRES_PSK, - REQUIRES_NTRU, - REQUIRES_RSA_SIG - }; - - - - /* Does this cipher suite (first, second) have the requirement - an ephemeral key exchange will still require the key for signing - the key exchange so ECHDE_RSA requires an rsa key thus rsa_kea */ - static int CipherRequires(byte first, byte second, int requirement) - { - - if (first == CHACHA_BYTE) { - - switch (second) { - - case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - - case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 : - if (requirement == REQUIRES_PSK) - return 1; - break; - - case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 : - if (requirement == REQUIRES_PSK) - return 1; - break; - - case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 : - if (requirement == REQUIRES_PSK) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - } - } - - /* ECC extensions */ - if (first == ECC_BYTE) { - - switch (second) { - -#ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - break; - -#ifndef NO_DES3 - case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - break; -#endif - -#ifndef NO_RC4 - case TLS_ECDHE_RSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDH_RSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - break; -#endif -#endif /* NO_RSA */ - -#ifndef NO_DES3 - case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; -#endif -#ifndef NO_RC4 - case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDH_ECDSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; -#endif -#ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - break; -#endif - - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; - - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; - - case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; - - case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; - -#ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - break; - - case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 : - if (requirement == REQUIRES_ECC_STATIC) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - break; - - case TLS_RSA_WITH_AES_128_CCM_8 : - case TLS_RSA_WITH_AES_256_CCM_8 : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - break; - - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 : - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 : - if (requirement == REQUIRES_RSA_SIG) - return 1; - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; -#endif - - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM : - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 : - case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : - if (requirement == REQUIRES_ECC) - return 1; - if (requirement == REQUIRES_ECC_STATIC) - return 1; - break; - - case TLS_PSK_WITH_AES_128_CCM: - case TLS_PSK_WITH_AES_256_CCM: - case TLS_PSK_WITH_AES_128_CCM_8: - case TLS_PSK_WITH_AES_256_CCM_8: - if (requirement == REQUIRES_PSK) - return 1; - break; - - case TLS_DHE_PSK_WITH_AES_128_CCM: - case TLS_DHE_PSK_WITH_AES_256_CCM: - if (requirement == REQUIRES_PSK) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_ECDHE_ECDSA_WITH_NULL_SHA : - if (requirement == REQUIRES_ECC) - return 1; - break; - - case TLS_ECDHE_PSK_WITH_NULL_SHA256 : - if (requirement == REQUIRES_PSK) - return 1; - break; - - case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 : - if (requirement == REQUIRES_PSK) - return 1; - break; - - default: - WOLFSSL_MSG("Unsupported cipher suite, CipherRequires ECC"); - return 0; - } /* switch */ - } /* if */ - - /* Distinct TLS v1.3 cipher suites with cipher and digest only. */ - if (first == TLS13_BYTE) { - - switch (second) { -#ifdef WOLFSSL_TLS13 - case TLS_AES_128_GCM_SHA256: - case TLS_AES_256_GCM_SHA384: - case TLS_CHACHA20_POLY1305_SHA256: - case TLS_AES_128_CCM_SHA256: - case TLS_AES_128_CCM_8_SHA256: - break; -#endif - - default: - WOLFSSL_MSG("Unsupported cipher suite, CipherRequires " - "TLS v1.3"); - return 0; - } - } - - if (first != ECC_BYTE && first != CHACHA_BYTE && - first != TLS13_BYTE) { /* normal suites */ - switch (second) { - -#ifndef NO_RSA - case SSL_RSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case SSL_RSA_WITH_RC4_128_MD5 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case SSL_RSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_NTRU_RSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_NTRU) - return 1; - break; - - case TLS_RSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_RSA_WITH_AES_128_CBC_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_NTRU) - return 1; - break; - - case TLS_RSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_NTRU) - return 1; - break; - - case TLS_RSA_WITH_AES_256_CBC_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_RSA_WITH_NULL_SHA : - case TLS_RSA_WITH_NULL_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_NTRU) - return 1; - break; - - case SSL_RSA_WITH_IDEA_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; -#endif - - case TLS_PSK_WITH_AES_128_GCM_SHA256 : - case TLS_PSK_WITH_AES_256_GCM_SHA384 : - case TLS_PSK_WITH_AES_128_CBC_SHA256 : - case TLS_PSK_WITH_AES_256_CBC_SHA384 : - case TLS_PSK_WITH_AES_128_CBC_SHA : - case TLS_PSK_WITH_AES_256_CBC_SHA : - case TLS_PSK_WITH_NULL_SHA384 : - case TLS_PSK_WITH_NULL_SHA256 : - case TLS_PSK_WITH_NULL_SHA : - if (requirement == REQUIRES_PSK) - return 1; - break; - - case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 : - case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 : - case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 : - case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 : - case TLS_DHE_PSK_WITH_NULL_SHA384 : - case TLS_DHE_PSK_WITH_NULL_SHA256 : - if (requirement == REQUIRES_DHE) - return 1; - if (requirement == REQUIRES_PSK) - return 1; - break; - -#ifndef NO_RSA - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_RSA_WITH_HC_128_MD5 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_RSA_WITH_HC_128_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_RSA_WITH_HC_128_B2B256: - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_RSA_WITH_AES_128_CBC_B2B256: - case TLS_RSA_WITH_AES_256_CBC_B2B256: - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_RSA_WITH_RABBIT_SHA : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_RSA_WITH_AES_128_GCM_SHA256 : - case TLS_RSA_WITH_AES_256_GCM_SHA384 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 : - case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA : - case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA : - case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 : - case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - break; - - case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : - case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : - case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 : - case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 : - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; - - case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: - if (requirement == REQUIRES_RSA) - return 1; - if (requirement == REQUIRES_RSA_SIG) - return 1; - if (requirement == REQUIRES_DHE) - return 1; - break; -#endif -#ifdef HAVE_ANON - case TLS_DH_anon_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_DHE) - return 1; - break; -#endif - - default: - WOLFSSL_MSG("Unsupported cipher suite, CipherRequires"); - return 0; - } /* switch */ - } /* if ECC / Normal suites else */ - - return 0; - } - - -#ifndef NO_CERTS - - -/* Match names with wildcards, each wildcard can represent a single name - component or fragment but not mulitple names, i.e., - *.z.com matches y.z.com but not x.y.z.com - - return 1 on success */ -int MatchDomainName(const char* pattern, int len, const char* str) -{ - char p, s; - - if (pattern == NULL || str == NULL || len <= 0) - return 0; - - while (len > 0) { - - p = (char)XTOLOWER((unsigned char)*pattern++); - if (p == 0) - break; - - if (p == '*') { - while (--len > 0 && - (p = (char)XTOLOWER((unsigned char)*pattern++)) == '*') { - } - - if (len == 0) - p = '\0'; - - while ( (s = (char)XTOLOWER((unsigned char) *str)) != '\0') { - if (s == p) - break; - if (s == '.') - return 0; - str++; - } - } - else { - if (p != (char)XTOLOWER((unsigned char) *str)) - return 0; - } - - if (*str != '\0') - str++; - - if (len > 0) - len--; - } - - return *str == '\0'; -} - - -/* try to find an altName match to domain, return 1 on success */ -int CheckAltNames(DecodedCert* dCert, char* domain) -{ - int match = 0; - DNS_entry* altName = NULL; - - WOLFSSL_MSG("Checking AltNames"); - - if (dCert) - altName = dCert->altNames; - - while (altName) { - WOLFSSL_MSG("\tindividual AltName check"); - - if (MatchDomainName(altName->name,(int)XSTRLEN(altName->name), domain)){ - match = 1; - break; - } - - altName = altName->next; - } - - return match; -} - - -#ifdef OPENSSL_EXTRA -/* Check that alternative names, if they exists, match the domain. - * Fail if there are wild patterns and they didn't match. - * Check the common name if no alternative names matched. - * - * dCert Decoded cert to get the alternative names from. - * domain Domain name to compare against. - * checkCN Whether to check the common name. - * returns whether there was a problem in matching. - */ -static int CheckForAltNames(DecodedCert* dCert, char* domain, int* checkCN) -{ - int match; - DNS_entry* altName = NULL; - - WOLFSSL_MSG("Checking AltNames"); - - if (dCert) - altName = dCert->altNames; - - *checkCN = altName == NULL; - match = 0; - while (altName) { - WOLFSSL_MSG("\tindividual AltName check"); - - if (MatchDomainName(altName->name, (int)XSTRLEN(altName->name), - domain)) { - match = 1; - *checkCN = 0; - break; - } - /* No matches and wild pattern match failed. */ - else if (altName->name[0] == '*' && match == 0) - match = -1; - - altName = altName->next; - } - - return match != -1; -} - -/* Check the domain name matches the subject alternative name or the subject - * name. - * - * dcert Decoded certificate. - * domainName The domain name. - * domainNameLen The length of the domain name. - * returns DOMAIN_NAME_MISMATCH when no match found and 0 on success. - */ -int CheckHostName(DecodedCert* dCert, char *domainName, size_t domainNameLen) -{ - int checkCN; - - /* Assume name is NUL terminated. */ - (void)domainNameLen; - - if (CheckForAltNames(dCert, domainName, &checkCN) == 0) { - WOLFSSL_MSG("DomainName match on alt names failed too"); - return DOMAIN_NAME_MISMATCH; - } - if (checkCN == 1) { - if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen, - domainName) == 0) { - WOLFSSL_MSG("DomainName match on common name failed"); - return DOMAIN_NAME_MISMATCH; - } - } - - return 0; -} -#endif - -#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) - -/* Copy parts X509 needs from Decoded cert, 0 on success */ -int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) -{ - int ret = 0; - - if (x509 == NULL || dCert == NULL || - dCert->subjectCNLen < 0) - return BAD_FUNC_ARG; - - x509->version = dCert->version + 1; - - XSTRNCPY(x509->issuer.name, dCert->issuer, ASN_NAME_MAX); - x509->issuer.name[ASN_NAME_MAX - 1] = '\0'; - x509->issuer.sz = (int)XSTRLEN(x509->issuer.name) + 1; -#ifdef OPENSSL_EXTRA - if (dCert->issuerName.fullName != NULL) { - XMEMCPY(&x509->issuer.fullName, - &dCert->issuerName, sizeof(DecodedName)); - x509->issuer.fullName.fullName = (char*)XMALLOC( - dCert->issuerName.fullNameLen, x509->heap, - DYNAMIC_TYPE_X509); - if (x509->issuer.fullName.fullName != NULL) - XMEMCPY(x509->issuer.fullName.fullName, - dCert->issuerName.fullName, dCert->issuerName.fullNameLen); - } - x509->issuer.x509 = x509; -#endif /* OPENSSL_EXTRA */ - - XSTRNCPY(x509->subject.name, dCert->subject, ASN_NAME_MAX); - x509->subject.name[ASN_NAME_MAX - 1] = '\0'; - x509->subject.sz = (int)XSTRLEN(x509->subject.name) + 1; -#ifdef OPENSSL_EXTRA - if (dCert->subjectName.fullName != NULL) { - XMEMCPY(&x509->subject.fullName, - &dCert->subjectName, sizeof(DecodedName)); - x509->subject.fullName.fullName = (char*)XMALLOC( - dCert->subjectName.fullNameLen, x509->heap, DYNAMIC_TYPE_X509); - if (x509->subject.fullName.fullName != NULL) - XMEMCPY(x509->subject.fullName.fullName, - dCert->subjectName.fullName, dCert->subjectName.fullNameLen); - } - x509->subject.x509 = x509; -#endif /* OPENSSL_EXTRA */ - - XMEMCPY(x509->serial, dCert->serial, EXTERNAL_SERIAL_SIZE); - x509->serialSz = dCert->serialSz; - if (dCert->subjectCNLen < ASN_NAME_MAX) { - XMEMCPY(x509->subjectCN, dCert->subjectCN, dCert->subjectCNLen); - x509->subjectCN[dCert->subjectCNLen] = '\0'; - } - else - x509->subjectCN[0] = '\0'; - -#ifdef WOLFSSL_SEP - { - int minSz = min(dCert->deviceTypeSz, EXTERNAL_SERIAL_SIZE); - if (minSz > 0) { - x509->deviceTypeSz = minSz; - XMEMCPY(x509->deviceType, dCert->deviceType, minSz); - } - else - x509->deviceTypeSz = 0; - minSz = min(dCert->hwTypeSz, EXTERNAL_SERIAL_SIZE); - if (minSz > 0) { - x509->hwTypeSz = minSz; - XMEMCPY(x509->hwType, dCert->hwType, minSz); - } - else - x509->hwTypeSz = 0; - minSz = min(dCert->hwSerialNumSz, EXTERNAL_SERIAL_SIZE); - if (minSz > 0) { - x509->hwSerialNumSz = minSz; - XMEMCPY(x509->hwSerialNum, dCert->hwSerialNum, minSz); - } - else - x509->hwSerialNumSz = 0; - } -#endif /* WOLFSSL_SEP */ - { - int minSz = min(dCert->beforeDateLen, MAX_DATE_SZ); - if (minSz > 0) { - x509->notBeforeSz = minSz; - XMEMCPY(x509->notBefore, dCert->beforeDate, minSz); - } - else - x509->notBeforeSz = 0; - minSz = min(dCert->afterDateLen, MAX_DATE_SZ); - if (minSz > 0) { - x509->notAfterSz = minSz; - XMEMCPY(x509->notAfter, dCert->afterDate, minSz); - } - else - x509->notAfterSz = 0; - } - - if (dCert->publicKey != NULL && dCert->pubKeySize != 0) { - x509->pubKey.buffer = (byte*)XMALLOC( - dCert->pubKeySize, x509->heap, DYNAMIC_TYPE_PUBLIC_KEY); - if (x509->pubKey.buffer != NULL) { - x509->pubKeyOID = dCert->keyOID; - x509->pubKey.length = dCert->pubKeySize; - XMEMCPY(x509->pubKey.buffer, dCert->publicKey, dCert->pubKeySize); - } - else - ret = MEMORY_E; - } - - if (dCert->signature != NULL && dCert->sigLength != 0 && - dCert->sigLength <= MAX_ENCODED_SIG_SZ) { - x509->sig.buffer = (byte*)XMALLOC( - dCert->sigLength, x509->heap, DYNAMIC_TYPE_SIGNATURE); - if (x509->sig.buffer == NULL) { - ret = MEMORY_E; - } - else { - XMEMCPY(x509->sig.buffer, dCert->signature, dCert->sigLength); - x509->sig.length = dCert->sigLength; - x509->sigOID = dCert->signatureOID; - } - } - - /* store cert for potential retrieval */ - if (AllocDer(&x509->derCert, dCert->maxIdx, CERT_TYPE, x509->heap) == 0) { - XMEMCPY(x509->derCert->buffer, dCert->source, dCert->maxIdx); - } - else { - ret = MEMORY_E; - } - - x509->altNames = dCert->altNames; - dCert->weOwnAltNames = 0; - x509->altNamesNext = x509->altNames; /* index hint */ - - x509->isCa = dCert->isCA; -#ifdef OPENSSL_EXTRA - x509->pathLength = dCert->pathLength; - x509->keyUsage = dCert->extKeyUsage; - - x509->CRLdistSet = dCert->extCRLdistSet; - x509->CRLdistCrit = dCert->extCRLdistCrit; - x509->CRLInfo = dCert->extCrlInfo; - x509->CRLInfoSz = dCert->extCrlInfoSz; - x509->authInfoSet = dCert->extAuthInfoSet; - x509->authInfoCrit = dCert->extAuthInfoCrit; - if (dCert->extAuthInfo != NULL && dCert->extAuthInfoSz > 0) { - x509->authInfo = (byte*)XMALLOC(dCert->extAuthInfoSz, x509->heap, - DYNAMIC_TYPE_X509_EXT); - if (x509->authInfo != NULL) { - XMEMCPY(x509->authInfo, dCert->extAuthInfo, dCert->extAuthInfoSz); - x509->authInfoSz = dCert->extAuthInfoSz; - } - else { - ret = MEMORY_E; - } - } - x509->basicConstSet = dCert->extBasicConstSet; - x509->basicConstCrit = dCert->extBasicConstCrit; - x509->basicConstPlSet = dCert->pathLengthSet; - x509->subjAltNameSet = dCert->extSubjAltNameSet; - x509->subjAltNameCrit = dCert->extSubjAltNameCrit; - x509->authKeyIdSet = dCert->extAuthKeyIdSet; - x509->authKeyIdCrit = dCert->extAuthKeyIdCrit; - if (dCert->extAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSz != 0) { - x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, x509->heap, - DYNAMIC_TYPE_X509_EXT); - if (x509->authKeyId != NULL) { - XMEMCPY(x509->authKeyId, - dCert->extAuthKeyIdSrc, dCert->extAuthKeyIdSz); - x509->authKeyIdSz = dCert->extAuthKeyIdSz; - } - else - ret = MEMORY_E; - } - x509->subjKeyIdSet = dCert->extSubjKeyIdSet; - x509->subjKeyIdCrit = dCert->extSubjKeyIdCrit; - if (dCert->extSubjKeyIdSrc != NULL && dCert->extSubjKeyIdSz != 0) { - x509->subjKeyId = (byte*)XMALLOC(dCert->extSubjKeyIdSz, x509->heap, - DYNAMIC_TYPE_X509_EXT); - if (x509->subjKeyId != NULL) { - XMEMCPY(x509->subjKeyId, - dCert->extSubjKeyIdSrc, dCert->extSubjKeyIdSz); - x509->subjKeyIdSz = dCert->extSubjKeyIdSz; - } - else - ret = MEMORY_E; - } - x509->keyUsageSet = dCert->extKeyUsageSet; - x509->keyUsageCrit = dCert->extKeyUsageCrit; - if (dCert->extExtKeyUsageSrc != NULL && dCert->extExtKeyUsageSz > 0) { - x509->extKeyUsageSrc = (byte*)XMALLOC(dCert->extExtKeyUsageSz, - x509->heap, DYNAMIC_TYPE_X509_EXT); - if (x509->extKeyUsageSrc != NULL) { - XMEMCPY(x509->extKeyUsageSrc, dCert->extExtKeyUsageSrc, - dCert->extExtKeyUsageSz); - x509->extKeyUsageSz = dCert->extExtKeyUsageSz; - x509->extKeyUsageCrit = dCert->extExtKeyUsageCrit; - x509->extKeyUsageCount = dCert->extExtKeyUsageCount; - } - else { - ret = MEMORY_E; - } - } - #ifdef WOLFSSL_SEP - x509->certPolicySet = dCert->extCertPolicySet; - x509->certPolicyCrit = dCert->extCertPolicyCrit; - #endif /* WOLFSSL_SEP */ - #ifdef WOLFSSL_CERT_EXT - { - int i; - for (i = 0; i < dCert->extCertPoliciesNb && i < MAX_CERTPOL_NB; i++) - XMEMCPY(x509->certPolicies[i], dCert->extCertPolicies[i], - MAX_CERTPOL_SZ); - x509->certPoliciesNb = dCert->extCertPoliciesNb; - } - #endif /* WOLFSSL_CERT_EXT */ -#endif /* OPENSSL_EXTRA */ -#ifdef HAVE_ECC - x509->pkCurveOID = dCert->pkCurveOID; -#endif /* HAVE_ECC */ - - return ret; -} - -#endif /* KEEP_PEER_CERT || SESSION_CERTS */ - -typedef struct ProcPeerCertArgs { - buffer* certs; -#ifdef WOLFSSL_TLS13 - buffer* exts; /* extentions */ -#endif - DecodedCert* dCert; - char* domain; - word32 idx; - word32 begin; - int totalCerts; /* number of certs in certs buffer */ - int count; - int dCertInit; - int certIdx; - int fatal; - int lastErr; -#ifdef WOLFSSL_TLS13 - byte ctxSz; -#endif -#ifdef WOLFSSL_TRUST_PEER_CERT - byte haveTrustPeer; /* was cert verified by loaded trusted peer cert */ -#endif -} ProcPeerCertArgs; - -static void FreeProcPeerCertArgs(WOLFSSL* ssl, void* pArgs) -{ - ProcPeerCertArgs* args = (ProcPeerCertArgs*)pArgs; - - (void)ssl; - - if (args->domain) { - XFREE(args->domain, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->domain = NULL; - } - if (args->certs) { - XFREE(args->certs, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->certs = NULL; - } -#ifdef WOLFSSL_TLS13 - if (args->exts) { - XFREE(args->exts, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->exts = NULL; - } -#endif - if (args->dCert) { - if (args->dCertInit) { - FreeDecodedCert(args->dCert); - args->dCertInit = 0; - } - XFREE(args->dCert, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->dCert = NULL; - } -} - -int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 totalSz) -{ - int ret = 0; -#ifdef WOLFSSL_ASYNC_CRYPT - ProcPeerCertArgs* args = (ProcPeerCertArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); -#else - ProcPeerCertArgs args[1]; -#endif - -#ifdef WOLFSSL_TRUST_PEER_CERT - byte haveTrustPeer = 0; /* was cert verified by loaded trusted peer cert */ -#endif - - WOLFSSL_ENTER("ProcessPeerCerts"); - -#ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_ppc; - } - else -#endif - { - /* Reset state */ - ret = 0; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - XMEMSET(args, 0, sizeof(ProcPeerCertArgs)); - args->idx = *inOutIdx; - args->begin = *inOutIdx; - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeProcPeerCertArgs; - #endif - } - - switch (ssl->options.asyncState) - { - case TLS_ASYNC_BEGIN: - { - word32 listSz; - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "Certificate"); - if (ssl->toInfoOn) - AddLateName("Certificate", &ssl->timeoutInfo); - #endif - - #ifdef WOLFSSL_TLS13 - if (ssl->options.tls1_3) { - byte ctxSz; - - /* Certificate Request Context */ - if ((args->idx - args->begin) + OPAQUE8_LEN > totalSz) - return BUFFER_ERROR; - ctxSz = *(input + args->idx); - args->idx++; - if ((args->idx - args->begin) + ctxSz > totalSz) - return BUFFER_ERROR; - #ifndef NO_WOLFSSL_CLIENT - /* Must be empty when received from server. */ - if (ssl->options.side == WOLFSSL_CLIENT_END) { - if (ctxSz != 0) { - return INVALID_CERT_CTX_E; - } - } - #endif - #ifndef NO_WOLFSSL_SERVER - /* Must contain value sent in request when received from client. */ - if (ssl->options.side == WOLFSSL_SERVER_END) { - if (ssl->clientCertCtx.length != ctxSz || - XMEMCMP(ssl->clientCertCtx.buffer, - input + args->idx, ctxSz) != 0) { - return INVALID_CERT_CTX_E; - } - } - #endif - args->idx += ctxSz; - - /* allocate buffer for cert extensions */ - args->exts = (buffer*)XMALLOC(sizeof(buffer) * MAX_CHAIN_DEPTH, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (args->exts == NULL) { - ERROR_OUT(MEMORY_E, exit_ppc); - } - } - #endif - - /* allocate buffer for certs */ - args->certs = (buffer*)XMALLOC(sizeof(buffer) * MAX_CHAIN_DEPTH, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (args->certs == NULL) { - ERROR_OUT(MEMORY_E, exit_ppc); - } - XMEMSET(args->certs, 0, sizeof(buffer) * MAX_CHAIN_DEPTH); - - /* Certificate List */ - if ((args->idx - args->begin) + OPAQUE24_LEN > totalSz) { - ERROR_OUT(BUFFER_ERROR, exit_ppc); - } - c24to32(input + args->idx, &listSz); - args->idx += OPAQUE24_LEN; - if (listSz > MAX_RECORD_SIZE) { - ERROR_OUT(BUFFER_ERROR, exit_ppc); - } - if ((args->idx - args->begin) + listSz != totalSz) { - ERROR_OUT(BUFFER_ERROR, exit_ppc); - } - - WOLFSSL_MSG("Loading peer's cert chain"); - /* first put cert chain into buffer so can verify top down - we're sent bottom up */ - while (listSz) { - word32 certSz; - - if (args->totalCerts >= MAX_CHAIN_DEPTH) { - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG; - #endif - ERROR_OUT(MAX_CHAIN_ERROR, exit_ppc); - } - - if ((args->idx - args->begin) + OPAQUE24_LEN > totalSz) { - ERROR_OUT(BUFFER_ERROR, exit_ppc); - } - - c24to32(input + args->idx, &certSz); - args->idx += OPAQUE24_LEN; - - if ((args->idx - args->begin) + certSz > totalSz) { - ERROR_OUT(BUFFER_ERROR, exit_ppc); - } - - args->certs[args->totalCerts].length = certSz; - args->certs[args->totalCerts].buffer = input + args->idx; - - #ifdef SESSION_CERTS - if (ssl->session.chain.count < MAX_CHAIN_DEPTH && - certSz < MAX_X509_SIZE) { - ssl->session.chain.certs[ - ssl->session.chain.count].length = certSz; - XMEMCPY(ssl->session.chain.certs[ - ssl->session.chain.count].buffer, - input + args->idx, certSz); - ssl->session.chain.count++; - } - else { - WOLFSSL_MSG("Couldn't store chain cert for session"); - } - #endif /* SESSION_CERTS */ - - args->idx += certSz; - listSz -= certSz + CERT_HEADER_SZ; - - #ifdef WOLFSSL_TLS13 - /* Extensions */ - if (ssl->options.tls1_3) { - word16 extSz; - - if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) - return BUFFER_ERROR; - ato16(input + args->idx, &extSz); - args->idx += OPAQUE16_LEN; - if ((args->idx - args->begin) + extSz > totalSz) - return BUFFER_ERROR; - /* Store extension data info for later processing. */ - args->exts[args->totalCerts].length = extSz; - args->exts[args->totalCerts].buffer = input + args->idx; - args->idx += extSz; - listSz -= extSz + OPAQUE16_LEN; - } - #endif - - args->totalCerts++; - WOLFSSL_MSG("\tPut another cert into chain"); - } /* while (listSz) */ - - args->count = args->totalCerts; - args->certIdx = 0; - - args->dCertInit = 0; - args->dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (args->dCert == NULL) { - ERROR_OUT(MEMORY_E, exit_ppc); - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_BUILD; - } /* case TLS_ASYNC_BEGIN */ - FALL_THROUGH; - - case TLS_ASYNC_BUILD: - { - if (args->count > 0) { - #ifdef WOLFSSL_TRUST_PEER_CERT - if (args->certIdx == 0) { - /* if using trusted peer certs check before verify chain - and CA test */ - TrustedPeerCert* tp; - - if (!args->dCertInit) { - InitDecodedCert(args->dCert, - args->certs[args->certIdx].buffer, - args->certs[args->certIdx].length, ssl->heap); - args->dCert->sigCtx.devId = ssl->devId; /* setup async dev */ - args->dCertInit = 1; - } - - ret = ParseCertRelative(args->dCert, CERT_TYPE, 0, - ssl->ctx->cm); - if (ret != 0) { - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, - args->dCert->sigCtx.asyncDev, - WC_ASYNC_FLAG_CALL_AGAIN); - } - #endif - goto exit_ppc; - } - - #ifndef NO_SKID - if (args->dCert->extAuthKeyIdSet) { - tp = GetTrustedPeer(ssl->ctx->cm, - args->dCert->extSubjKeyId, WC_MATCH_SKID); - } - else { /* if the cert has no SKID try to match by name */ - tp = GetTrustedPeer(ssl->ctx->cm, - args->dCert->subjectHash, WC_MATCH_NAME); - } - #else /* NO_SKID */ - tp = GetTrustedPeer(ssl->ctx->cm, args->dCert->subjectHash, - WC_MATCH_NAME); - #endif /* NO SKID */ - WOLFSSL_MSG("Checking for trusted peer cert"); - - if (tp == NULL) { - /* no trusted peer cert */ - WOLFSSL_MSG("No matching trusted peer cert. " - "Checking CAs"); - FreeDecodedCert(args->dCert); - args->dCertInit = 0; - } else if (MatchTrustedPeer(tp, args->dCert)){ - WOLFSSL_MSG("Found matching trusted peer cert"); - haveTrustPeer = 1; - } else { - WOLFSSL_MSG("Trusted peer cert did not match!"); - FreeDecodedCert(args->dCert); - args->dCertInit = 0; - } - } - #endif /* WOLFSSL_TRUST_PEER_CERT */ - - /* verify up to peer's first */ - /* do not verify chain if trusted peer cert found */ - while (args->count > 1 - #ifdef WOLFSSL_TRUST_PEER_CERT - && !haveTrustPeer - #endif /* WOLFSSL_TRUST_PEER_CERT */ - ) { - byte* subjectHash; - - args->certIdx = args->count - 1; - - if (!args->dCertInit) { - InitDecodedCert(args->dCert, - args->certs[args->certIdx].buffer, - args->certs[args->certIdx].length, ssl->heap); - args->dCert->sigCtx.devId = ssl->devId; /* setup async dev */ - args->dCertInit = 1; - } - - ret = ParseCertRelative(args->dCert, CERT_TYPE, - !ssl->options.verifyNone, ssl->ctx->cm); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, - args->dCert->sigCtx.asyncDev, - WC_ASYNC_FLAG_CALL_AGAIN); - goto exit_ppc; - } - #endif - - #ifndef NO_SKID - subjectHash = args->dCert->extSubjKeyId; - #else - subjectHash = args->dCert->subjectHash; - #endif - - /* Check key sizes for certs. Is redundent check since - ProcessBuffer also performs this check. */ - if (!ssl->options.verifyNone) { - switch (args->dCert->keyOID) { - #ifndef NO_RSA - case RSAk: - if (ssl->options.minRsaKeySz < 0 || - args->dCert->pubKeySize < - (word16)ssl->options.minRsaKeySz) { - WOLFSSL_MSG( - "RSA key size in cert chain error"); - ret = RSA_KEY_SIZE_E; - } - break; - #endif /* !NO_RSA */ - #ifdef HAVE_ECC - case ECDSAk: - if (ssl->options.minEccKeySz < 0 || - args->dCert->pubKeySize < - (word16)ssl->options.minEccKeySz) { - WOLFSSL_MSG( - "ECC key size in cert chain error"); - ret = ECC_KEY_SIZE_E; - } - break; - #endif /* HAVE_ECC */ - default: - WOLFSSL_MSG("Key size not checked"); - /* key not being checked for size if not in - switch */ - break; - } /* switch (dCert->keyOID) */ - } /* if (!ssl->options.verifyNone) */ - - if (ret == 0 && args->dCert->isCA == 0) { - WOLFSSL_MSG("Chain cert is not a CA, not adding as one"); - } - else if (ret == 0 && ssl->options.verifyNone) { - WOLFSSL_MSG("Chain cert not verified by option, not adding as CA"); - } - else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, subjectHash)) { - DerBuffer* add = NULL; - ret = AllocDer(&add, args->certs[args->certIdx].length, - CA_TYPE, ssl->heap); - if (ret < 0) - goto exit_ppc; - - WOLFSSL_MSG("Adding CA from chain"); - - XMEMCPY(add->buffer, args->certs[args->certIdx].buffer, - args->certs[args->certIdx].length); - - /* already verified above */ - ret = AddCA(ssl->ctx->cm, &add, WOLFSSL_CHAIN_CA, 0); - if (ret == 1) { - ret = 0; /* SSL_SUCCESS for external */ - } - } - else if (ret != 0) { - WOLFSSL_MSG("Failed to verify CA from chain"); - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_ERR_INVALID_CA; - #endif - } - else { - WOLFSSL_MSG("Verified CA from chain and already had it"); - } - - #if defined(HAVE_OCSP) || defined(HAVE_CRL) - if (ret == 0) { - int doCrlLookup = 1; - #ifdef HAVE_OCSP - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - if (ssl->status_request_v2) { - ret = TLSX_CSR2_InitRequests(ssl->extensions, - args->dCert, 0, ssl->heap); - } - else /* skips OCSP and force CRL check */ - #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ - if (ssl->ctx->cm->ocspEnabled && - ssl->ctx->cm->ocspCheckAll) { - WOLFSSL_MSG("Doing Non Leaf OCSP check"); - ret = CheckCertOCSP(ssl->ctx->cm->ocsp, args->dCert, - NULL); - doCrlLookup = (ret == OCSP_CERT_UNKNOWN); - if (ret != 0) { - doCrlLookup = 0; - WOLFSSL_MSG("\tOCSP Lookup not ok"); - } - } - #endif /* HAVE_OCSP */ - - #ifdef HAVE_CRL - if (ret == 0 && doCrlLookup && - ssl->ctx->cm->crlEnabled && - ssl->ctx->cm->crlCheckAll) { - WOLFSSL_MSG("Doing Non Leaf CRL check"); - ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert); - if (ret != 0) { - WOLFSSL_MSG("\tCRL check not ok"); - } - } - #endif /* HAVE_CRL */ - (void)doCrlLookup; - } - #endif /* HAVE_OCSP || HAVE_CRL */ - - if (ret != 0 && args->lastErr == 0) { - args->lastErr = ret; /* save error from last time */ - ret = 0; /* reset error */ - } - - FreeDecodedCert(args->dCert); - args->dCertInit = 0; - args->count--; - } /* while (count > 0 && !haveTrustPeer) */ - } /* if (count > 0) */ - - /* Check for error */ - if (ret != 0) { - goto exit_ppc; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_DO; - } /* case TLS_ASYNC_BUILD */ - FALL_THROUGH; - - case TLS_ASYNC_DO: - { - /* peer's, may not have one if blank client cert sent by TLSv1.2 */ - if (args->count > 0) { - WOLFSSL_MSG("Verifying Peer's cert"); - - args->certIdx = 0; - - if (!args->dCertInit) { - InitDecodedCert(args->dCert, - args->certs[args->certIdx].buffer, - args->certs[args->certIdx].length, ssl->heap); - args->dCertInit = 1; - } - - #ifdef WOLFSSL_TRUST_PEER_CERT - if (!haveTrustPeer) - #endif - { /* only parse if not already present in dCert from above */ - ret = ParseCertRelative(args->dCert, CERT_TYPE, - !ssl->options.verifyNone, ssl->ctx->cm); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, - args->dCert->sigCtx.asyncDev, - WC_ASYNC_FLAG_CALL_AGAIN); - goto exit_ppc; - } - #endif - } - - if (ret == 0) { - WOLFSSL_MSG("Verified Peer's cert"); - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_OK; - #endif - args->fatal = 0; - } - else if (ret == ASN_PARSE_E || ret == BUFFER_E) { - WOLFSSL_MSG("Got Peer cert ASN PARSE or BUFFER ERROR"); - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; - #endif - args->fatal = 1; - } - else { - WOLFSSL_MSG("Failed to verify Peer's cert"); - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; - #endif - if (ssl->verifyCallback) { - WOLFSSL_MSG( - "\tCallback override available, will continue"); - args->fatal = 0; - } - else { - WOLFSSL_MSG("\tNo callback override available, fatal"); - args->fatal = 1; - } - } - - #ifdef HAVE_SECURE_RENEGOTIATION - if (args->fatal == 0 && ssl->secure_renegotiation - && ssl->secure_renegotiation->enabled) { - - if (IsEncryptionOn(ssl, 0)) { - /* compare against previous time */ - if (XMEMCMP(args->dCert->subjectHash, - ssl->secure_renegotiation->subject_hash, - SHA_DIGEST_SIZE) != 0) { - WOLFSSL_MSG( - "Peer sent different cert during scr, fatal"); - args->fatal = 1; - ret = SCR_DIFFERENT_CERT_E; - } - } - - /* cache peer's hash */ - if (args->fatal == 0) { - XMEMCPY(ssl->secure_renegotiation->subject_hash, - args->dCert->subjectHash, SHA_DIGEST_SIZE); - } - } - #endif /* HAVE_SECURE_RENEGOTIATION */ - - #if defined(HAVE_OCSP) || defined(HAVE_CRL) - if (args->fatal == 0) { - int doLookup = 1; - - if (ssl->options.side == WOLFSSL_CLIENT_END) { - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST - if (ssl->status_request) { - args->fatal = TLSX_CSR_InitRequest(ssl->extensions, - args->dCert, ssl->heap); - doLookup = 0; - } - #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - if (ssl->status_request_v2) { - args->fatal = TLSX_CSR2_InitRequests(ssl->extensions, - args->dCert, 1, ssl->heap); - doLookup = 0; - } - #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ - } - - #ifdef HAVE_OCSP - if (doLookup && ssl->ctx->cm->ocspEnabled) { - WOLFSSL_MSG("Doing Leaf OCSP check"); - ret = CheckCertOCSP(ssl->ctx->cm->ocsp, - args->dCert, NULL); - doLookup = (ret == OCSP_CERT_UNKNOWN); - if (ret != 0) { - WOLFSSL_MSG("\tOCSP Lookup not ok"); - args->fatal = 0; - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; - #endif - } - } - #endif /* HAVE_OCSP */ - - #ifdef HAVE_CRL - if (doLookup && ssl->ctx->cm->crlEnabled) { - WOLFSSL_MSG("Doing Leaf CRL check"); - ret = CheckCertCRL(ssl->ctx->cm->crl, args->dCert); - if (ret != 0) { - WOLFSSL_MSG("\tCRL check not ok"); - args->fatal = 0; - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; - #endif - } - } - #endif /* HAVE_CRL */ - (void)doLookup; - } - #endif /* HAVE_OCSP || HAVE_CRL */ - - #ifdef KEEP_PEER_CERT - if (args->fatal == 0) { - /* set X509 format for peer cert */ - int copyRet = CopyDecodedToX509(&ssl->peerCert, - args->dCert); - if (copyRet == MEMORY_E) - args->fatal = 1; - } - #endif /* KEEP_PEER_CERT */ - - #ifndef IGNORE_KEY_EXTENSIONS - if (args->dCert->extKeyUsageSet) { - if ((ssl->specs.kea == rsa_kea) && - (ssl->options.side == WOLFSSL_CLIENT_END) && - (args->dCert->extKeyUsage & KEYUSE_KEY_ENCIPHER) == 0) { - ret = KEYUSE_ENCIPHER_E; - } - if ((ssl->specs.sig_algo == rsa_sa_algo || - (ssl->specs.sig_algo == ecc_dsa_sa_algo && - !ssl->specs.static_ecdh)) && - (args->dCert->extKeyUsage & KEYUSE_DIGITAL_SIG) == 0) { - WOLFSSL_MSG("KeyUse Digital Sig not set"); - ret = KEYUSE_SIGNATURE_E; - } - } - - if (args->dCert->extExtKeyUsageSet) { - if (ssl->options.side == WOLFSSL_CLIENT_END) { - if ((args->dCert->extExtKeyUsage & - (EXTKEYUSE_ANY | EXTKEYUSE_SERVER_AUTH)) == 0) { - WOLFSSL_MSG("ExtKeyUse Server Auth not set"); - ret = EXTKEYUSE_AUTH_E; - } - } - else { - if ((args->dCert->extExtKeyUsage & - (EXTKEYUSE_ANY | EXTKEYUSE_CLIENT_AUTH)) == 0) { - WOLFSSL_MSG("ExtKeyUse Client Auth not set"); - ret = EXTKEYUSE_AUTH_E; - } - } - } - #endif /* IGNORE_KEY_EXTENSIONS */ - - if (args->fatal) { - ssl->error = ret; - #ifdef OPENSSL_EXTRA - ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; - #endif - goto exit_ppc; - } - - ssl->options.havePeerCert = 1; - } /* if (count > 0) */ - - /* Check for error */ - if (args->fatal && ret != 0) { - goto exit_ppc; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_VERIFY; - } /* case TLS_ASYNC_DO */ - FALL_THROUGH; - - case TLS_ASYNC_VERIFY: - { - if (args->count > 0) { - args->domain = (char*)XMALLOC(ASN_NAME_MAX, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (args->domain == NULL) { - ERROR_OUT(MEMORY_E, exit_ppc); - } - - /* store for callback use */ - if (args->dCert->subjectCNLen < ASN_NAME_MAX) { - XMEMCPY(args->domain, args->dCert->subjectCN, args->dCert->subjectCNLen); - args->domain[args->dCert->subjectCNLen] = '\0'; - } - else { - args->domain[0] = '\0'; - } - - if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer) { - if (MatchDomainName(args->dCert->subjectCN, - args->dCert->subjectCNLen, - (char*)ssl->buffers.domainName.buffer) == 0) { - WOLFSSL_MSG("DomainName match on common name failed"); - if (CheckAltNames(args->dCert, - (char*)ssl->buffers.domainName.buffer) == 0 ) { - WOLFSSL_MSG( - "DomainName match on alt names failed too"); - /* try to get peer key still */ - ret = DOMAIN_NAME_MISMATCH; - } - } - } - - /* decode peer key */ - switch (args->dCert->keyOID) { - #ifndef NO_RSA - case RSAk: - { - word32 keyIdx = 0; - int keyRet = 0; - - if (ssl->peerRsaKey == NULL) { - keyRet = AllocKey(ssl, DYNAMIC_TYPE_RSA, - (void**)&ssl->peerRsaKey); - } else if (ssl->peerRsaKeyPresent) { - keyRet = ReuseKey(ssl, DYNAMIC_TYPE_RSA, - ssl->peerRsaKey); - ssl->peerRsaKeyPresent = 0; - } - - if (keyRet != 0 || wc_RsaPublicKeyDecode( - args->dCert->publicKey, &keyIdx, ssl->peerRsaKey, - args->dCert->pubKeySize) != 0) { - ret = PEER_KEY_ERROR; - } - else { - ssl->peerRsaKeyPresent = 1; - #ifdef HAVE_PK_CALLBACKS - #ifndef NO_RSA - ssl->buffers.peerRsaKey.buffer = - (byte*)XMALLOC(args->dCert->pubKeySize, - ssl->heap, DYNAMIC_TYPE_RSA); - if (ssl->buffers.peerRsaKey.buffer == NULL) { - ret = MEMORY_ERROR; - } - else { - XMEMCPY(ssl->buffers.peerRsaKey.buffer, - args->dCert->publicKey, - args->dCert->pubKeySize); - ssl->buffers.peerRsaKey.length = - args->dCert->pubKeySize; - } - #endif /* NO_RSA */ - #endif /* HAVE_PK_CALLBACKS */ - } - - /* check size of peer RSA key */ - if (ret == 0 && ssl->peerRsaKeyPresent && - !ssl->options.verifyNone && - wc_RsaEncryptSize(ssl->peerRsaKey) - < ssl->options.minRsaKeySz) { - ret = RSA_KEY_SIZE_E; - WOLFSSL_MSG("Peer RSA key is too small"); - } - break; - } - #endif /* NO_RSA */ - #ifdef HAVE_NTRU - case NTRUk: - { - if (args->dCert->pubKeySize > sizeof(ssl->peerNtruKey)) { - ret = PEER_KEY_ERROR; - } - else { - XMEMCPY(ssl->peerNtruKey, args->dCert->publicKey, - args->dCert->pubKeySize); - ssl->peerNtruKeyLen = - (word16)args->dCert->pubKeySize; - ssl->peerNtruKeyPresent = 1; - } - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ECDSAk: - { - int curveId; - int keyRet = 0; - if (ssl->peerEccDsaKey == NULL) { - /* alloc/init on demand */ - keyRet = AllocKey(ssl, DYNAMIC_TYPE_ECC, - (void**)&ssl->peerEccDsaKey); - } else if (ssl->peerEccDsaKeyPresent) { - keyRet = ReuseKey(ssl, DYNAMIC_TYPE_ECC, - ssl->peerEccDsaKey); - ssl->peerEccDsaKeyPresent = 0; - } - - curveId = wc_ecc_get_oid(args->dCert->keyOID, NULL, NULL); - if (keyRet != 0 || - wc_ecc_import_x963_ex(args->dCert->publicKey, - args->dCert->pubKeySize, ssl->peerEccDsaKey, - curveId) != 0) { - ret = PEER_KEY_ERROR; - } - else { - ssl->peerEccDsaKeyPresent = 1; - #ifdef HAVE_PK_CALLBACKS - #ifdef HAVE_ECC - ssl->buffers.peerEccDsaKey.buffer = - (byte*)XMALLOC(args->dCert->pubKeySize, - ssl->heap, DYNAMIC_TYPE_ECC); - if (ssl->buffers.peerEccDsaKey.buffer == NULL) { - ERROR_OUT(MEMORY_ERROR, exit_ppc); - } - else { - XMEMCPY(ssl->buffers.peerEccDsaKey.buffer, - args->dCert->publicKey, - args->dCert->pubKeySize); - ssl->buffers.peerEccDsaKey.length = - args->dCert->pubKeySize; - } - #endif /* HAVE_ECC */ - #endif /*HAVE_PK_CALLBACKS */ - } - - /* check size of peer ECC key */ - if (ret == 0 && ssl->peerEccDsaKeyPresent && - !ssl->options.verifyNone && - wc_ecc_size(ssl->peerEccDsaKey) - < ssl->options.minEccKeySz) { - ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG("Peer ECC key is too small"); - } - break; - } - #endif /* HAVE_ECC */ - default: - break; - } - - FreeDecodedCert(args->dCert); - args->dCertInit = 0; - - /* release since we don't need it anymore */ - if (args->dCert) { - XFREE(args->dCert, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->dCert = NULL; - } - } /* if (count > 0) */ - - /* Check for error */ - if (args->fatal && ret != 0) { - goto exit_ppc; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_FINALIZE; - } /* case TLS_ASYNC_VERIFY */ - FALL_THROUGH; - - case TLS_ASYNC_FINALIZE: - { - #ifdef WOLFSSL_SMALL_STACK - WOLFSSL_X509_STORE_CTX* store = (WOLFSSL_X509_STORE_CTX*)XMALLOC( - sizeof(WOLFSSL_X509_STORE_CTX), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (store == NULL) { - ERROR_OUT(MEMORY_E, exit_ppc); - } - #else - WOLFSSL_X509_STORE_CTX store[1]; - #endif - - XMEMSET(store, 0, sizeof(WOLFSSL_X509_STORE_CTX)); - - /* load last error */ - if (args->lastErr != 0 && ret == 0) { - ret = args->lastErr; - } - - if (ret != 0) { - if (!ssl->options.verifyNone) { - int why = bad_certificate; - - if (ret == ASN_AFTER_DATE_E || ret == ASN_BEFORE_DATE_E) { - why = certificate_expired; - } - if (ssl->verifyCallback) { - int ok; - - store->error = ret; - store->error_depth = args->totalCerts; - store->discardSessionCerts = 0; - store->domain = args->domain; - store->userCtx = ssl->verifyCbCtx; - store->certs = args->certs; - store->totalCerts = args->totalCerts; - #ifdef KEEP_PEER_CERT - if (ssl->peerCert.subject.sz > 0) - store->current_cert = &ssl->peerCert; - else - store->current_cert = NULL; - #else - store->current_cert = NULL; - #endif /* KEEP_PEER_CERT */ - #if defined(HAVE_EX_DATA) || defined(HAVE_FORTRESS) - store->ex_data = ssl; - #endif - ok = ssl->verifyCallback(0, store); - if (ok) { - WOLFSSL_MSG("Verify callback overriding error!"); - ret = 0; - } - #ifdef SESSION_CERTS - if (store->discardSessionCerts) { - WOLFSSL_MSG("Verify callback requested discard sess certs"); - ssl->session.chain.count = 0; - } - #endif /* SESSION_CERTS */ - } - if (ret != 0) { - SendAlert(ssl, alert_fatal, why); /* try to send */ - ssl->options.isClosed = 1; - } - } - ssl->error = ret; - } - #ifdef WOLFSSL_ALWAYS_VERIFY_CB - else { - if (ssl->verifyCallback) { - int ok; - - store->error = ret; - #ifdef WOLFSSL_WPAS - store->error_depth = 0; - #else - store->error_depth = args->totalCerts; - #endif - store->discardSessionCerts = 0; - store->domain = args->domain; - store->userCtx = ssl->verifyCbCtx; - store->certs = args->certs; - store->totalCerts = args->totalCerts; - #ifdef KEEP_PEER_CERT - if (ssl->peerCert.subject.sz > 0) - store->current_cert = &ssl->peerCert; - else - store->current_cert = NULL; - #endif - store->ex_data = ssl; - - ok = ssl->verifyCallback(1, store); - if (!ok) { - WOLFSSL_MSG("Verify callback overriding valid certificate!"); - ret = -1; - SendAlert(ssl, alert_fatal, bad_certificate); - ssl->options.isClosed = 1; - } - #ifdef SESSION_CERTS - if (store->discardSessionCerts) { - WOLFSSL_MSG("Verify callback requested discard sess certs"); - ssl->session.chain.count = 0; - } - #endif /* SESSION_CERTS */ - } - } - #endif /* WOLFSSL_ALWAYS_VERIFY_CB */ - - if (ssl->options.verifyNone && - (ret == CRL_MISSING || ret == CRL_CERT_REVOKED)) { - WOLFSSL_MSG("Ignoring CRL problem based on verify setting"); - ret = ssl->error = 0; - } - - if (ret == 0 && ssl->options.side == WOLFSSL_CLIENT_END) { - ssl->options.serverState = SERVER_CERT_COMPLETE; - } - - if (IsEncryptionOn(ssl, 0)) { - args->idx += ssl->keys.padSz; - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(store, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_END; - } /* case TLS_ASYNC_FINALIZE */ - FALL_THROUGH; - - case TLS_ASYNC_END: - { - /* Set final index */ - *inOutIdx = args->idx; - - break; - } - default: - ret = INPUT_CASE_ERROR; - break; - } /* switch(ssl->options.asyncState) */ - -exit_ppc: - - WOLFSSL_LEAVE("ProcessPeerCerts", ret); - -#ifdef WOLFSSL_ASYNC_CRYPT - /* Handle WC_PENDING_E */ - if (ret == WC_PENDING_E) { - /* Mark message as not recevied so it can process again */ - ssl->msgsReceived.got_certificate = 0; - - return ret; - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - FreeProcPeerCertArgs(ssl, args); - FreeKeyExchange(ssl); - - return ret; -} - -static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, - word32 size) -{ - return ProcessPeerCerts(ssl, input, inOutIdx, size); -} - -static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, - word32 size) -{ - int ret = 0; - byte status_type; - word32 status_length; - - if (size < ENUM_LEN + OPAQUE24_LEN) - return BUFFER_ERROR; - - status_type = input[(*inOutIdx)++]; - - c24to32(input + *inOutIdx, &status_length); - *inOutIdx += OPAQUE24_LEN; - - if (size != ENUM_LEN + OPAQUE24_LEN + status_length) - return BUFFER_ERROR; - - switch (status_type) { - - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - - /* WOLFSSL_CSR_OCSP overlaps with WOLFSSL_CSR2_OCSP */ - case WOLFSSL_CSR2_OCSP: { - OcspRequest* request; - - #ifdef WOLFSSL_SMALL_STACK - CertStatus* status; - OcspResponse* response; - #else - CertStatus status[1]; - OcspResponse response[1]; - #endif - - do { - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST - if (ssl->status_request) { - request = (OcspRequest*)TLSX_CSR_GetRequest( - ssl->extensions); - ssl->status_request = 0; - break; - } - #endif - - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - if (ssl->status_request_v2) { - request = (OcspRequest*)TLSX_CSR2_GetRequest( - ssl->extensions, status_type, 0); - ssl->status_request_v2 = 0; - break; - } - #endif - - return BUFFER_ERROR; - } while(0); - - if (request == NULL) - return BAD_CERTIFICATE_STATUS_ERROR; /* not expected */ - - #ifdef WOLFSSL_SMALL_STACK - status = (CertStatus*)XMALLOC(sizeof(CertStatus), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - - if (status == NULL || response == NULL) { - if (status) - XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (response) - XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - return MEMORY_ERROR; - } - #endif - - InitOcspResponse(response, status, input +*inOutIdx, status_length); - - if (OcspResponseDecode(response, ssl->ctx->cm, ssl->heap, 0) != 0) - ret = BAD_CERTIFICATE_STATUS_ERROR; - else if (CompareOcspReqResp(request, response) != 0) - ret = BAD_CERTIFICATE_STATUS_ERROR; - else if (response->responseStatus != OCSP_SUCCESSFUL) - ret = BAD_CERTIFICATE_STATUS_ERROR; - else if (response->status->status == CERT_REVOKED) - ret = OCSP_CERT_REVOKED; - else if (response->status->status != CERT_GOOD) - ret = BAD_CERTIFICATE_STATUS_ERROR; - - *inOutIdx += status_length; - - #ifdef WOLFSSL_SMALL_STACK - XFREE(status, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(response, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - - } - break; - - #endif - - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - - case WOLFSSL_CSR2_OCSP_MULTI: { - OcspRequest* request; - word32 list_length = status_length; - byte idx = 0; - - #ifdef WOLFSSL_SMALL_STACK - CertStatus* status; - OcspResponse* response; - #else - CertStatus status[1]; - OcspResponse response[1]; - #endif - - do { - if (ssl->status_request_v2) { - ssl->status_request_v2 = 0; - break; - } - - return BUFFER_ERROR; - } while(0); - - #ifdef WOLFSSL_SMALL_STACK - status = (CertStatus*)XMALLOC(sizeof(CertStatus), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - - if (status == NULL || response == NULL) { - if (status) - XFREE(status, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (response) - XFREE(response, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - - return MEMORY_ERROR; - } - #endif - - while (list_length && ret == 0) { - if (OPAQUE24_LEN > list_length) { - ret = BUFFER_ERROR; - break; - } - - c24to32(input + *inOutIdx, &status_length); - *inOutIdx += OPAQUE24_LEN; - list_length -= OPAQUE24_LEN; - - if (status_length > list_length) { - ret = BUFFER_ERROR; - break; - } - - if (status_length) { - InitOcspResponse(response, status, input +*inOutIdx, - status_length); - - if ((OcspResponseDecode(response, ssl->ctx->cm, ssl->heap, - 0) != 0) - || (response->responseStatus != OCSP_SUCCESSFUL) - || (response->status->status != CERT_GOOD)) - ret = BAD_CERTIFICATE_STATUS_ERROR; - - while (ret == 0) { - request = (OcspRequest*)TLSX_CSR2_GetRequest( - ssl->extensions, status_type, idx++); - - if (request == NULL) - ret = BAD_CERTIFICATE_STATUS_ERROR; - else if (CompareOcspReqResp(request, response) == 0) - break; - else if (idx == 1) /* server cert must be OK */ - ret = BAD_CERTIFICATE_STATUS_ERROR; - } - - *inOutIdx += status_length; - list_length -= status_length; - } - } - - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - ssl->status_request_v2 = 0; - #endif - - #ifdef WOLFSSL_SMALL_STACK - XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - - } - break; - - #endif - - default: - ret = BUFFER_ERROR; - } - - if (ret != 0) - SendAlert(ssl, alert_fatal, bad_certificate_status_response); - - return ret; -} - -#endif /* !NO_CERTS */ - - -static int DoHelloRequest(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - word32 size, word32 totalSz) -{ - (void)input; - - if (size) /* must be 0 */ - return BUFFER_ERROR; - - if (IsEncryptionOn(ssl, 0)) { - /* access beyond input + size should be checked against totalSz */ - if (*inOutIdx + ssl->keys.padSz > totalSz) - return BUFFER_E; - - *inOutIdx += ssl->keys.padSz; - } - - if (ssl->options.side == WOLFSSL_SERVER_END) { - SendAlert(ssl, alert_fatal, unexpected_message); /* try */ - return FATAL_ERROR; - } -#ifdef HAVE_SECURE_RENEGOTIATION - else if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) { - ssl->secure_renegotiation->startScr = 1; - return 0; - } -#endif - else { - return SendAlert(ssl, alert_warning, no_renegotiation); - } -} - - -int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size, - word32 totalSz, int sniff) -{ - word32 finishedSz = (ssl->options.tls ? TLS_FINISHED_SZ : FINISHED_SZ); - - if (finishedSz != size) - return BUFFER_ERROR; - - /* check against totalSz */ - if (*inOutIdx + size + ssl->keys.padSz > totalSz) - return BUFFER_E; - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) AddPacketName(ssl, "Finished"); - if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo); - #endif - - if (sniff == NO_SNIFF) { - if (XMEMCMP(input + *inOutIdx, &ssl->hsHashes->verifyHashes,size) != 0){ - WOLFSSL_MSG("Verify finished error on hashes"); - return VERIFY_FINISHED_ERROR; - } - } - -#ifdef HAVE_SECURE_RENEGOTIATION - if (ssl->secure_renegotiation) { - /* save peer's state */ - if (ssl->options.side == WOLFSSL_CLIENT_END) - XMEMCPY(ssl->secure_renegotiation->server_verify_data, - input + *inOutIdx, TLS_FINISHED_SZ); - else - XMEMCPY(ssl->secure_renegotiation->client_verify_data, - input + *inOutIdx, TLS_FINISHED_SZ); - } -#endif - - /* force input exhaustion at ProcessReply consuming padSz */ - *inOutIdx += size + ssl->keys.padSz; - - if (ssl->options.side == WOLFSSL_CLIENT_END) { - ssl->options.serverState = SERVER_FINISHED_COMPLETE; - if (!ssl->options.resuming) { - ssl->options.handShakeState = HANDSHAKE_DONE; - ssl->options.handShakeDone = 1; - } - } - else { - ssl->options.clientState = CLIENT_FINISHED_COMPLETE; - if (ssl->options.resuming) { - ssl->options.handShakeState = HANDSHAKE_DONE; - ssl->options.handShakeDone = 1; - } - } - - return 0; -} - - -/* Make sure no duplicates, no fast forward, or other problems; 0 on success */ -static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type) -{ - /* verify not a duplicate, mark received, check state */ - switch (type) { - -#ifndef NO_WOLFSSL_CLIENT - case hello_request: - if (ssl->msgsReceived.got_hello_request) { - WOLFSSL_MSG("Duplicate HelloRequest received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_hello_request = 1; - - break; -#endif - -#ifndef NO_WOLFSSL_SERVER - case client_hello: - if (ssl->msgsReceived.got_client_hello) { - WOLFSSL_MSG("Duplicate ClientHello received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_client_hello = 1; - - break; -#endif - -#ifndef NO_WOLFSSL_CLIENT - case server_hello: - if (ssl->msgsReceived.got_server_hello) { - WOLFSSL_MSG("Duplicate ServerHello received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_server_hello = 1; - - break; -#endif - -#ifndef NO_WOLFSSL_CLIENT - case hello_verify_request: - if (ssl->msgsReceived.got_hello_verify_request) { - WOLFSSL_MSG("Duplicate HelloVerifyRequest received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_hello_verify_request = 1; - - break; -#endif - -#ifndef NO_WOLFSSL_CLIENT - case session_ticket: - if (ssl->msgsReceived.got_session_ticket) { - WOLFSSL_MSG("Duplicate SessionTicket received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_session_ticket = 1; - - break; -#endif - - case certificate: - if (ssl->msgsReceived.got_certificate) { - WOLFSSL_MSG("Duplicate Certificate received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_certificate = 1; - -#ifndef NO_WOLFSSL_CLIENT - if (ssl->options.side == WOLFSSL_CLIENT_END) { - if ( ssl->msgsReceived.got_server_hello == 0) { - WOLFSSL_MSG("No ServerHello before Cert"); - return OUT_OF_ORDER_E; - } - } -#endif -#ifndef NO_WOLFSSL_SERVER - if (ssl->options.side == WOLFSSL_SERVER_END) { - if ( ssl->msgsReceived.got_client_hello == 0) { - WOLFSSL_MSG("No ClientHello before Cert"); - return OUT_OF_ORDER_E; - } - } -#endif - break; - -#ifndef NO_WOLFSSL_CLIENT - case certificate_status: - if (ssl->msgsReceived.got_certificate_status) { - WOLFSSL_MSG("Duplicate CertificateSatatus received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_certificate_status = 1; - - if (ssl->msgsReceived.got_certificate == 0) { - WOLFSSL_MSG("No Certificate before CertificateStatus"); - return OUT_OF_ORDER_E; - } - if (ssl->msgsReceived.got_server_key_exchange != 0) { - WOLFSSL_MSG("CertificateStatus after ServerKeyExchange"); - return OUT_OF_ORDER_E; - } - - break; -#endif - -#ifndef NO_WOLFSSL_CLIENT - case server_key_exchange: - if (ssl->msgsReceived.got_server_key_exchange) { - WOLFSSL_MSG("Duplicate ServerKeyExchange received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_server_key_exchange = 1; - - if (ssl->msgsReceived.got_server_hello == 0) { - WOLFSSL_MSG("No ServerHello before ServerKeyExchange"); - return OUT_OF_ORDER_E; - } - if (ssl->msgsReceived.got_certificate_status == 0) { -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST - if (ssl->status_request) { - int ret; - - WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange"); - if ((ret = TLSX_CSR_ForceRequest(ssl)) != 0) - return ret; - } -#endif -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - if (ssl->status_request_v2) { - int ret; - - WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange"); - if ((ret = TLSX_CSR2_ForceRequest(ssl)) != 0) - return ret; - } -#endif - } - - break; -#endif - -#ifndef NO_WOLFSSL_CLIENT - case certificate_request: - if (ssl->msgsReceived.got_certificate_request) { - WOLFSSL_MSG("Duplicate CertificateRequest received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_certificate_request = 1; - - break; -#endif - -#ifndef NO_WOLFSSL_CLIENT - case server_hello_done: - if (ssl->msgsReceived.got_server_hello_done) { - WOLFSSL_MSG("Duplicate ServerHelloDone received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_server_hello_done = 1; - - if (ssl->msgsReceived.got_certificate == 0) { - if (ssl->specs.kea == psk_kea || - ssl->specs.kea == dhe_psk_kea || - ssl->specs.kea == ecdhe_psk_kea || - ssl->options.usingAnon_cipher) { - WOLFSSL_MSG("No Cert required"); - } else { - WOLFSSL_MSG("No Certificate before ServerHelloDone"); - return OUT_OF_ORDER_E; - } - } - if (ssl->msgsReceived.got_server_key_exchange == 0) { - int pskNoServerHint = 0; /* not required in this case */ - - #ifndef NO_PSK - if (ssl->specs.kea == psk_kea && - ssl->arrays->server_hint[0] == 0) - pskNoServerHint = 1; - #endif - if (ssl->specs.static_ecdh == 1 || - ssl->specs.kea == rsa_kea || - ssl->specs.kea == ntru_kea || - pskNoServerHint) { - WOLFSSL_MSG("No KeyExchange required"); - } else { - WOLFSSL_MSG("No ServerKeyExchange before ServerDone"); - return OUT_OF_ORDER_E; - } - } - break; -#endif - -#ifndef NO_WOLFSSL_SERVER - case certificate_verify: - if (ssl->msgsReceived.got_certificate_verify) { - WOLFSSL_MSG("Duplicate CertificateVerify received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_certificate_verify = 1; - - if ( ssl->msgsReceived.got_certificate == 0) { - WOLFSSL_MSG("No Cert before CertVerify"); - return OUT_OF_ORDER_E; - } - break; -#endif - -#ifndef NO_WOLFSSL_SERVER - case client_key_exchange: - if (ssl->msgsReceived.got_client_key_exchange) { - WOLFSSL_MSG("Duplicate ClientKeyExchange received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_client_key_exchange = 1; - - if (ssl->msgsReceived.got_client_hello == 0) { - WOLFSSL_MSG("No ClientHello before ClientKeyExchange"); - return OUT_OF_ORDER_E; - } - break; -#endif - - case finished: - if (ssl->msgsReceived.got_finished) { - WOLFSSL_MSG("Duplicate Finished received"); - return DUPLICATE_MSG_E; - } - ssl->msgsReceived.got_finished = 1; - - if (ssl->msgsReceived.got_change_cipher == 0) { - WOLFSSL_MSG("Finished received before ChangeCipher"); - return NO_CHANGE_CIPHER_E; - } - break; - - case change_cipher_hs: - if (ssl->msgsReceived.got_change_cipher) { - WOLFSSL_MSG("Duplicate ChangeCipher received"); - return DUPLICATE_MSG_E; - } - /* DTLS is going to ignore the CCS message if the client key - * exchange message wasn't received yet. */ - if (!ssl->options.dtls) - ssl->msgsReceived.got_change_cipher = 1; - -#ifndef NO_WOLFSSL_CLIENT - if (ssl->options.side == WOLFSSL_CLIENT_END) { - if (!ssl->options.resuming && - ssl->msgsReceived.got_server_hello_done == 0) { - WOLFSSL_MSG("No ServerHelloDone before ChangeCipher"); - return OUT_OF_ORDER_E; - } - #ifdef HAVE_SESSION_TICKET - if (ssl->expect_session_ticket) { - WOLFSSL_MSG("Expected session ticket missing"); - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - return OUT_OF_ORDER_E; - #endif - return SESSION_TICKET_EXPECT_E; - } - #endif - } -#endif -#ifndef NO_WOLFSSL_SERVER - if (ssl->options.side == WOLFSSL_SERVER_END) { - if (!ssl->options.resuming && - ssl->msgsReceived.got_client_key_exchange == 0) { - WOLFSSL_MSG("No ClientKeyExchange before ChangeCipher"); - return OUT_OF_ORDER_E; - } - #ifndef NO_CERTS - if (ssl->options.verifyPeer && - ssl->options.havePeerCert) { - - if (!ssl->options.havePeerVerify) { - WOLFSSL_MSG("client didn't send cert verify"); - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - return OUT_OF_ORDER_E; - #endif - return NO_PEER_VERIFY; - } - } - #endif - } -#endif - if (ssl->options.dtls) - ssl->msgsReceived.got_change_cipher = 1; - break; - - default: - WOLFSSL_MSG("Unknown message type"); - return SANITY_MSG_E; - } - - return 0; -} - - -static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, - byte type, word32 size, word32 totalSz) -{ - int ret = 0; - word32 expectedIdx; - - WOLFSSL_ENTER("DoHandShakeMsgType"); - -#ifdef WOLFSSL_TLS13 - if (type == hello_retry_request) { - return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size, - totalSz); - } -#endif - - /* make sure can read the message */ - if (*inOutIdx + size > totalSz) - return INCOMPLETE_DATA; - - expectedIdx = *inOutIdx + size + - (ssl->keys.encryptionOn ? ssl->keys.padSz : 0); - - /* sanity check msg received */ - if ( (ret = SanityCheckMsgReceived(ssl, type)) != 0) { - WOLFSSL_MSG("Sanity Check on handshake message type received failed"); - return ret; - } - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - /* add name later, add on record and handshake header part back on */ - if (ssl->toInfoOn) { - int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - AddPacketInfo(ssl, 0, handshake, input + *inOutIdx - add, - size + add, READ_PROTO, ssl->heap); - #ifdef WOLFSSL_CALLBACKS - AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo); - #endif - } -#endif - - if (ssl->options.handShakeState == HANDSHAKE_DONE && type != hello_request){ - WOLFSSL_MSG("HandShake message after handshake complete"); - SendAlert(ssl, alert_fatal, unexpected_message); - return OUT_OF_ORDER_E; - } - - if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.dtls == 0 && - ssl->options.serverState == NULL_STATE && type != server_hello) { - WOLFSSL_MSG("First server message not server hello"); - SendAlert(ssl, alert_fatal, unexpected_message); - return OUT_OF_ORDER_E; - } - - if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.dtls && - type == server_hello_done && - ssl->options.serverState < SERVER_HELLO_COMPLETE) { - WOLFSSL_MSG("Server hello done received before server hello in DTLS"); - SendAlert(ssl, alert_fatal, unexpected_message); - return OUT_OF_ORDER_E; - } - - if (ssl->options.side == WOLFSSL_SERVER_END && - ssl->options.clientState == NULL_STATE && type != client_hello) { - WOLFSSL_MSG("First client message not client hello"); - SendAlert(ssl, alert_fatal, unexpected_message); - return OUT_OF_ORDER_E; - } - - /* above checks handshake state */ - /* hello_request not hashed */ - /* Also, skip hashing the client_hello message here for DTLS. It will be - * hashed later if the DTLS cookie is correct. */ - if (type != hello_request && - !(IsDtlsNotSctpMode(ssl) && type == client_hello) && - ssl->error != WC_PENDING_E) { - ret = HashInput(ssl, input + *inOutIdx, size); - if (ret != 0) return ret; - } - - switch (type) { - - case hello_request: - WOLFSSL_MSG("processing hello request"); - ret = DoHelloRequest(ssl, input, inOutIdx, size, totalSz); - break; - -#ifndef NO_WOLFSSL_CLIENT - case hello_verify_request: - WOLFSSL_MSG("processing hello verify request"); - ret = DoHelloVerifyRequest(ssl, input,inOutIdx, size); - break; - - case server_hello: - WOLFSSL_MSG("processing server hello"); - ret = DoServerHello(ssl, input, inOutIdx, size); - break; - -#ifndef NO_CERTS - case certificate_request: - WOLFSSL_MSG("processing certificate request"); - ret = DoCertificateRequest(ssl, input, inOutIdx, size); - break; -#endif - - case server_key_exchange: - WOLFSSL_MSG("processing server key exchange"); - ret = DoServerKeyExchange(ssl, input, inOutIdx, size); - break; - -#ifdef HAVE_SESSION_TICKET - case session_ticket: - WOLFSSL_MSG("processing session ticket"); - ret = DoSessionTicket(ssl, input, inOutIdx, size); - break; -#endif /* HAVE_SESSION_TICKET */ -#endif - -#ifndef NO_CERTS - case certificate: - WOLFSSL_MSG("processing certificate"); - ret = DoCertificate(ssl, input, inOutIdx, size); - break; - - case certificate_status: - WOLFSSL_MSG("processing certificate status"); - ret = DoCertificateStatus(ssl, input, inOutIdx, size); - break; -#endif - - case server_hello_done: - WOLFSSL_MSG("processing server hello done"); - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "ServerHelloDone"); - if (ssl->toInfoOn) - AddLateName("ServerHelloDone", &ssl->timeoutInfo); - #endif - ssl->options.serverState = SERVER_HELLODONE_COMPLETE; - if (IsEncryptionOn(ssl, 0)) { - *inOutIdx += ssl->keys.padSz; - } - if (ssl->options.resuming) { - WOLFSSL_MSG("Not resuming as thought"); - ssl->options.resuming = 0; - } - break; - - case finished: - WOLFSSL_MSG("processing finished"); - ret = DoFinished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF); - break; - -#ifndef NO_WOLFSSL_SERVER - case client_hello: - WOLFSSL_MSG("processing client hello"); - ret = DoClientHello(ssl, input, inOutIdx, size); - break; - - case client_key_exchange: - WOLFSSL_MSG("processing client key exchange"); - ret = DoClientKeyExchange(ssl, input, inOutIdx, size); - break; - -#if !defined(NO_RSA) || defined(HAVE_ECC) - case certificate_verify: - WOLFSSL_MSG("processing certificate verify"); - ret = DoCertificateVerify(ssl, input, inOutIdx, size); - break; -#endif /* !NO_RSA || HAVE_ECC */ - -#endif /* !NO_WOLFSSL_SERVER */ - - default: - WOLFSSL_MSG("Unknown handshake message type"); - ret = UNKNOWN_HANDSHAKE_TYPE; - break; - } - - if (ret == 0 && expectedIdx != *inOutIdx) { - WOLFSSL_MSG("Extra data in handshake message"); - if (!ssl->options.dtls) - SendAlert(ssl, alert_fatal, decode_error); - ret = DECODE_E; - } - -#ifdef WOLFSSL_ASYNC_CRYPT - /* if async, offset index so this msg will be processed again */ - if (ret == WC_PENDING_E) { - *inOutIdx -= HANDSHAKE_HEADER_SZ; - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - *inOutIdx -= DTLS_HANDSHAKE_EXTRA; - } - #endif - } -#endif - - WOLFSSL_LEAVE("DoHandShakeMsgType()", ret); - return ret; -} - - -static int DoHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx, - word32 totalSz) -{ - int ret = 0; - word32 inputLength; - - WOLFSSL_ENTER("DoHandShakeMsg()"); - - if (ssl->arrays == NULL) { - byte type; - word32 size; - - if (GetHandShakeHeader(ssl,input,inOutIdx,&type, &size, totalSz) != 0) - return PARSE_ERROR; - - return DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz); - } - - inputLength = ssl->buffers.inputBuffer.length - *inOutIdx; - - /* If there is a pending fragmented handshake message, - * pending message size will be non-zero. */ - if (ssl->arrays->pendingMsgSz == 0) { - byte type; - word32 size; - - if (GetHandShakeHeader(ssl,input, inOutIdx, &type, &size, totalSz) != 0) - return PARSE_ERROR; - - /* Cap the maximum size of a handshake message to something reasonable. - * By default is the maximum size of a certificate message assuming - * nine 2048-bit RSA certificates in the chain. */ - if (size > MAX_HANDSHAKE_SZ) { - WOLFSSL_MSG("Handshake message too large"); - return HANDSHAKE_SIZE_ERROR; - } - - /* size is the size of the certificate message payload */ - if (inputLength - HANDSHAKE_HEADER_SZ < size) { - ssl->arrays->pendingMsgType = type; - ssl->arrays->pendingMsgSz = size + HANDSHAKE_HEADER_SZ; - ssl->arrays->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ, - ssl->heap, - DYNAMIC_TYPE_ARRAYS); - if (ssl->arrays->pendingMsg == NULL) - return MEMORY_E; - XMEMCPY(ssl->arrays->pendingMsg, - input + *inOutIdx - HANDSHAKE_HEADER_SZ, - inputLength); - ssl->arrays->pendingMsgOffset = inputLength; - *inOutIdx += inputLength - HANDSHAKE_HEADER_SZ; - return 0; - } - - ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz); - } - else { - if (inputLength + ssl->arrays->pendingMsgOffset - > ssl->arrays->pendingMsgSz) { - - return BUFFER_ERROR; - } - else { - XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset, - input + *inOutIdx, inputLength); - ssl->arrays->pendingMsgOffset += inputLength; - *inOutIdx += inputLength; - } - - if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz) - { - word32 idx = 0; - ret = DoHandShakeMsgType(ssl, - ssl->arrays->pendingMsg - + HANDSHAKE_HEADER_SZ, - &idx, ssl->arrays->pendingMsgType, - ssl->arrays->pendingMsgSz - - HANDSHAKE_HEADER_SZ, - ssl->arrays->pendingMsgSz); - XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS); - ssl->arrays->pendingMsg = NULL; - ssl->arrays->pendingMsgSz = 0; - } - } - - WOLFSSL_LEAVE("DoHandShakeMsg()", ret); - return ret; -} - - -#ifdef WOLFSSL_DTLS - -static INLINE int DtlsCheckWindow(WOLFSSL* ssl) -{ - word32* window; - word16 cur_hi, next_hi; - word32 cur_lo, next_lo, diff; - int curLT; - - if (ssl->keys.curEpoch == ssl->keys.nextEpoch) { - next_hi = ssl->keys.nextSeq_hi; - next_lo = ssl->keys.nextSeq_lo; - window = ssl->keys.window; - } - else if (ssl->keys.curEpoch == ssl->keys.nextEpoch - 1) { - next_hi = ssl->keys.prevSeq_hi; - next_lo = ssl->keys.prevSeq_lo; - window = ssl->keys.prevWindow; - } - else { - return 0; - } - - cur_hi = ssl->keys.curSeq_hi; - cur_lo = ssl->keys.curSeq_lo; - - /* If the difference between next and cur is > 2^32, way outside window. */ - if ((cur_hi > next_hi + 1) || (next_hi > cur_hi + 1)) { - WOLFSSL_MSG("Current record from way too far in the future."); - return 0; - } - - if (cur_hi == next_hi) { - curLT = cur_lo < next_lo; - diff = curLT ? next_lo - cur_lo : cur_lo - next_lo; - } - else { - curLT = cur_hi < next_hi; - diff = curLT ? cur_lo - next_lo : next_lo - cur_lo; - } - - /* Check to see that the next value is greater than the number of messages - * trackable in the window, and that the difference between the next - * expected sequence number and the received sequence number is inside the - * window. */ - if ((next_hi || next_lo > DTLS_SEQ_BITS) && - curLT && (diff > DTLS_SEQ_BITS)) { - - WOLFSSL_MSG("Current record sequence number from the past."); - return 0; - } - else if (!curLT && (diff > DTLS_SEQ_BITS)) { - WOLFSSL_MSG("Rejecting message too far into the future."); - return 0; - } - else if (curLT) { - word32 idx = diff / DTLS_WORD_BITS; - word32 newDiff = diff % DTLS_WORD_BITS; - - /* verify idx is valid for window array */ - if (idx >= WOLFSSL_DTLS_WINDOW_WORDS) { - WOLFSSL_MSG("Invalid DTLS windows index"); - return 0; - } - - if (window[idx] & (1 << (newDiff - 1))) { - WOLFSSL_MSG("Current record sequence number already received."); - return 0; - } - } - - return 1; -} - - -static INLINE int DtlsUpdateWindow(WOLFSSL* ssl) -{ - word32* window; - word32* next_lo; - word16* next_hi; - int curLT; - word32 cur_lo, diff; - word16 cur_hi; - - if (ssl->keys.curEpoch == ssl->keys.nextEpoch) { - next_hi = &ssl->keys.nextSeq_hi; - next_lo = &ssl->keys.nextSeq_lo; - window = ssl->keys.window; - } - else { - next_hi = &ssl->keys.prevSeq_hi; - next_lo = &ssl->keys.prevSeq_lo; - window = ssl->keys.prevWindow; - } - - cur_hi = ssl->keys.curSeq_hi; - cur_lo = ssl->keys.curSeq_lo; - - if (cur_hi == *next_hi) { - curLT = cur_lo < *next_lo; - diff = curLT ? *next_lo - cur_lo : cur_lo - *next_lo; - } - else { - curLT = cur_hi < *next_hi; - diff = curLT ? cur_lo - *next_lo : *next_lo - cur_lo; - } - - if (curLT) { - word32 idx = diff / DTLS_WORD_BITS; - word32 newDiff = diff % DTLS_WORD_BITS; - - if (idx < WOLFSSL_DTLS_WINDOW_WORDS) - window[idx] |= (1 << (newDiff - 1)); - } - else { - if (diff >= DTLS_SEQ_BITS) - XMEMSET(window, 0, DTLS_SEQ_SZ); - else { - word32 idx, newDiff, temp, i; - word32 oldWindow[WOLFSSL_DTLS_WINDOW_WORDS]; - - temp = 0; - diff++; - idx = diff / DTLS_WORD_BITS; - newDiff = diff % DTLS_WORD_BITS; - - XMEMCPY(oldWindow, window, sizeof(oldWindow)); - - for (i = 0; i < WOLFSSL_DTLS_WINDOW_WORDS; i++) { - if (i < idx) - window[i] = 0; - else { - temp |= (oldWindow[i-idx] << newDiff); - window[i] = temp; - temp = oldWindow[i-idx] >> (DTLS_WORD_BITS - newDiff); - } - } - } - window[0] |= 1; - *next_lo = cur_lo + 1; - if (*next_lo < cur_lo) - (*next_hi)++; - } - - return 1; -} - - -static int DtlsMsgDrain(WOLFSSL* ssl) -{ - DtlsMsg* item = ssl->dtls_rx_msg_list; - int ret = 0; - - /* While there is an item in the store list, and it is the expected - * message, and it is complete, and there hasn't been an error in the - * last messge... */ - while (item != NULL && - ssl->keys.dtls_expected_peer_handshake_number == item->seq && - item->fragSz == item->sz && - ret == 0) { - word32 idx = 0; - ssl->keys.dtls_expected_peer_handshake_number++; - ret = DoHandShakeMsgType(ssl, item->msg, - &idx, item->type, item->sz, item->sz); - ssl->dtls_rx_msg_list = item->next; - DtlsMsgDelete(item, ssl->heap); - item = ssl->dtls_rx_msg_list; - ssl->dtls_rx_msg_list_sz--; - } - - return ret; -} - - -static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx, - word32 totalSz) -{ - byte type; - word32 size; - word32 fragOffset, fragSz; - int ret = 0; - - WOLFSSL_ENTER("DoDtlsHandShakeMsg()"); - if (GetDtlsHandShakeHeader(ssl, input, inOutIdx, &type, - &size, &fragOffset, &fragSz, totalSz) != 0) - return PARSE_ERROR; - - if (*inOutIdx + fragSz > totalSz) - return INCOMPLETE_DATA; - - /* Check the handshake sequence number first. If out of order, - * add the current message to the list. If the message is in order, - * but it is a fragment, add the current message to the list, then - * check the head of the list to see if it is complete, if so, pop - * it out as the current message. If the message is complete and in - * order, process it. Check the head of the list to see if it is in - * order, if so, process it. (Repeat until list exhausted.) If the - * head is out of order, return for more processing. - */ - if (ssl->keys.dtls_peer_handshake_number > - ssl->keys.dtls_expected_peer_handshake_number) { - /* Current message is out of order. It will get stored in the list. - * Storing also takes care of defragmentation. If the messages is a - * client hello, we need to process this out of order; the server - * is not supposed to keep state, but the second client hello will - * have a different handshake sequence number than is expected, and - * the server shouldn't be expecting any particular handshake sequence - * number. (If the cookie changes multiple times in quick succession, - * the client could be sending multiple new client hello messages - * with newer and newer cookies.) */ - if (type != client_hello) { - if (ssl->dtls_rx_msg_list_sz < DTLS_POOL_SZ) { - DtlsMsgStore(ssl, ssl->keys.dtls_peer_handshake_number, - input + *inOutIdx, size, type, - fragOffset, fragSz, ssl->heap); - } - *inOutIdx += fragSz; - ret = 0; - } - else { - ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz); - if (ret == 0) { - ssl->keys.dtls_expected_peer_handshake_number = - ssl->keys.dtls_peer_handshake_number + 1; - } - } - } - else if (ssl->keys.dtls_peer_handshake_number < - ssl->keys.dtls_expected_peer_handshake_number) { - /* Already saw this message and processed it. It can be ignored. */ - *inOutIdx += fragSz; - if(type == finished ) { - if (*inOutIdx + ssl->keys.padSz > totalSz) { - return BUFFER_E; - } - *inOutIdx += ssl->keys.padSz; - } - if (IsDtlsNotSctpMode(ssl) && - VerifyForDtlsMsgPoolSend(ssl, type, fragOffset)) { - - ret = DtlsMsgPoolSend(ssl, 0); - } - } - else if (fragSz < size) { - /* Since this branch is in order, but fragmented, dtls_rx_msg_list will - * be pointing to the message with this fragment in it. Check it to see - * if it is completed. */ - if (ssl->dtls_rx_msg_list_sz < DTLS_POOL_SZ) { - DtlsMsgStore(ssl, ssl->keys.dtls_peer_handshake_number, - input + *inOutIdx, size, type, - fragOffset, fragSz, ssl->heap); - } - *inOutIdx += fragSz; - ret = 0; - if (ssl->dtls_rx_msg_list != NULL && - ssl->dtls_rx_msg_list->fragSz >= ssl->dtls_rx_msg_list->sz) - ret = DtlsMsgDrain(ssl); - } - else { - /* This branch is in order next, and a complete message. */ - ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz); - if (ret == 0) { - if (type != client_hello || !IsDtlsNotSctpMode(ssl)) - ssl->keys.dtls_expected_peer_handshake_number++; - if (ssl->dtls_rx_msg_list != NULL) { - ret = DtlsMsgDrain(ssl); - } - } - } - - WOLFSSL_LEAVE("DoDtlsHandShakeMsg()", ret); - return ret; -} -#endif - - -#ifdef HAVE_AEAD -static INLINE void AeadIncrementExpIV(WOLFSSL* ssl) -{ - int i; - for (i = AEAD_MAX_EXP_SZ-1; i >= 0; i--) { - if (++ssl->keys.aead_exp_IV[i]) return; - } -} - - -#if defined(HAVE_POLY1305) && defined(HAVE_CHACHA) -/* Used for the older version of creating AEAD tags with Poly1305 */ -static int Poly1305TagOld(WOLFSSL* ssl, byte* additional, const byte* out, - byte* cipher, word16 sz, byte* tag) -{ - int ret = 0; - int msglen = (sz - ssl->specs.aead_mac_size); - word32 keySz = 32; - byte padding[8]; /* used to temporarily store lengths */ - -#ifdef CHACHA_AEAD_TEST - printf("Using old version of poly1305 input.\n"); -#endif - - if (msglen < 0) - return INPUT_CASE_ERROR; - - if ((ret = wc_Poly1305SetKey(ssl->auth.poly1305, cipher, keySz)) != 0) - return ret; - - if ((ret = wc_Poly1305Update(ssl->auth.poly1305, additional, - AEAD_AUTH_DATA_SZ)) != 0) - return ret; - - /* length of additional input plus padding */ - XMEMSET(padding, 0, sizeof(padding)); - padding[0] = AEAD_AUTH_DATA_SZ; - if ((ret = wc_Poly1305Update(ssl->auth.poly1305, padding, - sizeof(padding))) != 0) - return ret; - - - /* add cipher info and then its length */ - XMEMSET(padding, 0, sizeof(padding)); - if ((ret = wc_Poly1305Update(ssl->auth.poly1305, out, msglen)) != 0) - return ret; - - /* 32 bit size of cipher to 64 bit endian */ - padding[0] = msglen & 0xff; - padding[1] = (msglen >> 8) & 0xff; - padding[2] = (msglen >> 16) & 0xff; - padding[3] = (msglen >> 24) & 0xff; - if ((ret = wc_Poly1305Update(ssl->auth.poly1305, padding, sizeof(padding))) - != 0) - return ret; - - /* generate tag */ - if ((ret = wc_Poly1305Final(ssl->auth.poly1305, tag)) != 0) - return ret; - - return ret; -} - - -/* When the flag oldPoly is not set this follows RFC7905. When oldPoly is set - * the implmentation follows an older draft for creating the nonce and MAC. - * The flag oldPoly gets set automaticlly depending on what cipher suite was - * negotiated in the handshake. This is able to be done because the IDs for the - * cipher suites was updated in RFC7905 giving unique values for the older - * draft in comparision to the more recent RFC. - * - * ssl WOLFSSL structure to get cipher and TLS state from - * out output buffer to hold encrypted data - * input data to encrypt - * sz size of input - * - * Return 0 on success negative values in error case - */ -static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input, - word16 sz) -{ - const byte* additionalSrc = input - RECORD_HEADER_SZ; - int ret = 0; - word32 msgLen = (sz - ssl->specs.aead_mac_size); - byte tag[POLY1305_AUTH_SZ]; - byte add[AEAD_AUTH_DATA_SZ]; - byte nonce[CHACHA20_NONCE_SZ]; - byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for poly1305 */ - #ifdef CHACHA_AEAD_TEST - int i; - #endif - - XMEMSET(tag, 0, sizeof(tag)); - XMEMSET(nonce, 0, sizeof(nonce)); - XMEMSET(poly, 0, sizeof(poly)); - XMEMSET(add, 0, sizeof(add)); - - /* opaque SEQ number stored for AD */ - WriteSEQ(ssl, CUR_ORDER, add); - - if (ssl->options.oldPoly != 0) { - /* get nonce. SEQ should not be incremented again here */ - XMEMCPY(nonce + CHACHA20_OLD_OFFSET, add, OPAQUE32_LEN * 2); - } - - /* Store the type, version. Unfortunately, they are in - * the input buffer ahead of the plaintext. */ - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - additionalSrc -= DTLS_HANDSHAKE_EXTRA; - DtlsSEQIncrement(ssl, CUR_ORDER); - } - #endif - - /* add TLS message size to additional data */ - add[AEAD_AUTH_DATA_SZ - 2] = (msgLen >> 8) & 0xff; - add[AEAD_AUTH_DATA_SZ - 1] = msgLen & 0xff; - - XMEMCPY(add + AEAD_TYPE_OFFSET, additionalSrc, 3); - - #ifdef CHACHA_AEAD_TEST - printf("Encrypt Additional : "); - for (i = 0; i < AEAD_AUTH_DATA_SZ; i++) { - printf("%02x", add[i]); - } - printf("\n\n"); - printf("input before encryption :\n"); - for (i = 0; i < sz; i++) { - printf("%02x", input[i]); - if ((i + 1) % 16 == 0) - printf("\n"); - } - printf("\n"); - #endif - - if (ssl->options.oldPoly == 0) { - /* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte - * record sequence number XORed with client_write_IV/server_write_IV */ - XMEMCPY(nonce, ssl->keys.aead_enc_imp_IV, CHACHA20_IMP_IV_SZ); - nonce[4] ^= add[0]; - nonce[5] ^= add[1]; - nonce[6] ^= add[2]; - nonce[7] ^= add[3]; - nonce[8] ^= add[4]; - nonce[9] ^= add[5]; - nonce[10] ^= add[6]; - nonce[11] ^= add[7]; - } - - /* set the nonce for chacha and get poly1305 key */ - if ((ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0)) != 0) { - ForceZero(nonce, CHACHA20_NONCE_SZ); - return ret; - } - - ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */ - /* create Poly1305 key using chacha20 keystream */ - if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, - poly, sizeof(poly))) != 0) - return ret; - - /* encrypt the plain text */ - if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, out, - input, msgLen)) != 0) { - ForceZero(poly, sizeof(poly)); - return ret; - } - - /* get the poly1305 tag using either old padding scheme or more recent */ - if (ssl->options.oldPoly != 0) { - if ((ret = Poly1305TagOld(ssl, add, (const byte* )out, - poly, sz, tag)) != 0) { - ForceZero(poly, sizeof(poly)); - return ret; - } - } - else { - if ((ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, - sizeof(poly))) != 0) { - ForceZero(poly, sizeof(poly)); - return ret; - } - if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, add, - sizeof(add), out, msgLen, tag, sizeof(tag))) != 0) { - ForceZero(poly, sizeof(poly)); - return ret; - } - } - ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */ - - /* append tag to ciphertext */ - XMEMCPY(out + msgLen, tag, sizeof(tag)); - - AeadIncrementExpIV(ssl); - - #ifdef CHACHA_AEAD_TEST - printf("mac tag :\n"); - for (i = 0; i < 16; i++) { - printf("%02x", tag[i]); - if ((i + 1) % 16 == 0) - printf("\n"); - } - printf("\n\noutput after encrypt :\n"); - for (i = 0; i < sz; i++) { - printf("%02x", out[i]); - if ((i + 1) % 16 == 0) - printf("\n"); - } - printf("\n"); - #endif - - return ret; -} - - -/* When the flag oldPoly is not set this follows RFC7905. When oldPoly is set - * the implmentation follows an older draft for creating the nonce and MAC. - * The flag oldPoly gets set automaticlly depending on what cipher suite was - * negotiated in the handshake. This is able to be done because the IDs for the - * cipher suites was updated in RFC7905 giving unique values for the older - * draft in comparision to the more recent RFC. - * - * ssl WOLFSSL structure to get cipher and TLS state from - * plain output buffer to hold decrypted data - * input data to decrypt - * sz size of input - * - * Return 0 on success negative values in error case - */ -static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input, - word16 sz) -{ - byte add[AEAD_AUTH_DATA_SZ]; - byte nonce[CHACHA20_NONCE_SZ]; - byte tag[POLY1305_AUTH_SZ]; - byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */ - int ret = 0; - int msgLen = (sz - ssl->specs.aead_mac_size); - - #ifdef CHACHA_AEAD_TEST - int i; - printf("input before decrypt :\n"); - for (i = 0; i < sz; i++) { - printf("%02x", input[i]); - if ((i + 1) % 16 == 0) - printf("\n"); - } - printf("\n"); - #endif - - XMEMSET(tag, 0, sizeof(tag)); - XMEMSET(poly, 0, sizeof(poly)); - XMEMSET(nonce, 0, sizeof(nonce)); - XMEMSET(add, 0, sizeof(add)); - - /* sequence number field is 64-bits */ - WriteSEQ(ssl, PEER_ORDER, add); - - if (ssl->options.oldPoly != 0) { - /* get nonce, SEQ should not be incremented again here */ - XMEMCPY(nonce + CHACHA20_OLD_OFFSET, add, OPAQUE32_LEN * 2); - } - - /* get AD info */ - /* Store the type, version. */ - add[AEAD_TYPE_OFFSET] = ssl->curRL.type; - add[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor; - add[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor; - - /* add TLS message size to additional data */ - add[AEAD_AUTH_DATA_SZ - 2] = (msgLen >> 8) & 0xff; - add[AEAD_AUTH_DATA_SZ - 1] = msgLen & 0xff; - - #ifdef CHACHA_AEAD_TEST - printf("Decrypt Additional : "); - for (i = 0; i < AEAD_AUTH_DATA_SZ; i++) { - printf("%02x", add[i]); - } - printf("\n\n"); - #endif - - if (ssl->options.oldPoly == 0) { - /* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte - * record sequence number XORed with client_write_IV/server_write_IV */ - XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, CHACHA20_IMP_IV_SZ); - nonce[4] ^= add[0]; - nonce[5] ^= add[1]; - nonce[6] ^= add[2]; - nonce[7] ^= add[3]; - nonce[8] ^= add[4]; - nonce[9] ^= add[5]; - nonce[10] ^= add[6]; - nonce[11] ^= add[7]; - } - - /* set nonce and get poly1305 key */ - if ((ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0)) != 0) { - ForceZero(nonce, CHACHA20_NONCE_SZ); - return ret; - } - - ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */ - /* use chacha20 keystream to get poly1305 key for tag */ - if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, - poly, sizeof(poly))) != 0) - return ret; - - /* get the tag using Poly1305 */ - if (ssl->options.oldPoly != 0) { - if ((ret = Poly1305TagOld(ssl, add, input, poly, sz, tag)) != 0) { - ForceZero(poly, sizeof(poly)); - return ret; - } - } - else { - if ((ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, - sizeof(poly))) != 0) { - ForceZero(poly, sizeof(poly)); - return ret; - } - if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, add, - sizeof(add), (byte*)input, msgLen, tag, sizeof(tag))) != 0) { - ForceZero(poly, sizeof(poly)); - return ret; - } - } - ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */ - - /* check tag sent along with packet */ - if (ConstantCompare(input + msgLen, tag, ssl->specs.aead_mac_size) != 0) { - WOLFSSL_MSG("MAC did not match"); - if (!ssl->options.dtls) - SendAlert(ssl, alert_fatal, bad_record_mac); - return VERIFY_MAC_ERROR; - } - - /* if the tag was good decrypt message */ - if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, plain, - input, msgLen)) != 0) - return ret; - - #ifdef CHACHA_AEAD_TEST - printf("plain after decrypt :\n"); - for (i = 0; i < sz; i++) { - printf("%02x", plain[i]); - if ((i + 1) % 16 == 0) - printf("\n"); - } - printf("\n"); - #endif - - return ret; -} -#endif /* HAVE_CHACHA && HAVE_POLY1305 */ -#endif /* HAVE_AEAD */ - - -static INLINE int EncryptDo(WOLFSSL* ssl, byte* out, const byte* input, - word16 sz, int asyncOkay) -{ - int ret = 0; -#ifdef WOLFSSL_ASYNC_CRYPT - WC_ASYNC_DEV* asyncDev = NULL; - word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN; -#else - (void)asyncOkay; -#endif - - (void)out; - (void)input; - (void)sz; - - switch (ssl->specs.bulk_cipher_algorithm) { - #ifdef BUILD_ARC4 - case wolfssl_rc4: - wc_Arc4Process(ssl->encrypt.arc4, out, input, sz); - break; - #endif - - #ifdef BUILD_DES3 - case wolfssl_triple_des: - ret = wc_Des3_CbcEncrypt(ssl->encrypt.des3, out, input, sz); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - asyncDev = &ssl->encrypt.des3->asyncDev; - if (asyncOkay) - ret = wolfSSL_AsyncPush(ssl, asyncDev, event_flags); - } - #endif - break; - #endif - - #ifdef BUILD_AES - case wolfssl_aes: - ret = wc_AesCbcEncrypt(ssl->encrypt.aes, out, input, sz); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - asyncDev = &ssl->encrypt.aes->asyncDev; - if (asyncOkay) - ret = wolfSSL_AsyncPush(ssl, asyncDev, event_flags); - break; - } - #endif - break; - #endif - - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - case wolfssl_aes_gcm: - case wolfssl_aes_ccm:/* GCM AEAD macros use same size as CCM */ - { - wc_AesAuthEncryptFunc aes_auth_fn; - const byte* additionalSrc; - #if defined(BUILD_AESGCM) && defined(HAVE_AESCCM) - aes_auth_fn = (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) - ? wc_AesGcmEncrypt : wc_AesCcmEncrypt; - #elif defined(BUILD_AESGCM) - aes_auth_fn = wc_AesGcmEncrypt; - #else - aes_auth_fn = wc_AesCcmEncrypt; - #endif - additionalSrc = input - 5; - - XMEMSET(ssl->encrypt.additional, 0, AEAD_AUTH_DATA_SZ); - - /* sequence number field is 64-bits */ - WriteSEQ(ssl, CUR_ORDER, ssl->encrypt.additional); - - /* Store the type, version. Unfortunately, they are in - * the input buffer ahead of the plaintext. */ - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - additionalSrc -= DTLS_HANDSHAKE_EXTRA; - } - #endif - XMEMCPY(ssl->encrypt.additional + AEAD_TYPE_OFFSET, - additionalSrc, 3); - - /* Store the length of the plain text minus the explicit - * IV length minus the authentication tag size. */ - c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, - ssl->encrypt.additional + AEAD_LEN_OFFSET); - XMEMCPY(ssl->encrypt.nonce, - ssl->keys.aead_enc_imp_IV, AESGCM_IMP_IV_SZ); - XMEMCPY(ssl->encrypt.nonce + AESGCM_IMP_IV_SZ, - ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ); - ret = aes_auth_fn(ssl->encrypt.aes, - out + AESGCM_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ, - sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, - ssl->encrypt.nonce, AESGCM_NONCE_SZ, - out + sz - ssl->specs.aead_mac_size, - ssl->specs.aead_mac_size, - ssl->encrypt.additional, AEAD_AUTH_DATA_SZ); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - asyncDev = &ssl->encrypt.aes->asyncDev; - if (asyncOkay) - ret = wolfSSL_AsyncPush(ssl, asyncDev, event_flags); - } - #endif - } - break; - #endif /* BUILD_AESGCM || HAVE_AESCCM */ - - #ifdef HAVE_CAMELLIA - case wolfssl_camellia: - wc_CamelliaCbcEncrypt(ssl->encrypt.cam, out, input, sz); - break; - #endif - - #ifdef HAVE_HC128 - case wolfssl_hc128: - ret = wc_Hc128_Process(ssl->encrypt.hc128, out, input, sz); - break; - #endif - - #ifdef BUILD_RABBIT - case wolfssl_rabbit: - ret = wc_RabbitProcess(ssl->encrypt.rabbit, out, input, sz); - break; - #endif - - #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - case wolfssl_chacha: - ret = ChachaAEADEncrypt(ssl, out, input, sz); - break; - #endif - - #ifdef HAVE_NULL_CIPHER - case wolfssl_cipher_null: - if (input != out) { - XMEMMOVE(out, input, sz); - } - break; - #endif - - #ifdef HAVE_IDEA - case wolfssl_idea: - ret = wc_IdeaCbcEncrypt(ssl->encrypt.idea, out, input, sz); - break; - #endif - - default: - WOLFSSL_MSG("wolfSSL Encrypt programming error"); - ret = ENCRYPT_ERROR; - } - -#ifdef WOLFSSL_ASYNC_CRYPT - /* if async is not okay, then block */ - if (ret == WC_PENDING_E && !asyncOkay) { - ret = wc_AsyncWait(ret, asyncDev, event_flags); - } -#endif - - return ret; -} - -static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz, - int asyncOkay) -{ - int ret = 0; - -#ifdef WOLFSSL_ASYNC_CRYPT - if (asyncOkay && ssl->error == WC_PENDING_E) { - ssl->error = 0; /* clear async */ - } -#endif - - switch (ssl->encrypt.state) { - case CIPHER_STATE_BEGIN: - { - if (ssl->encrypt.setup == 0) { - WOLFSSL_MSG("Encrypt ciphers not setup"); - return ENCRYPT_ERROR; - } - - #ifdef HAVE_FUZZER - if (ssl->fuzzerCb) - ssl->fuzzerCb(ssl, input, sz, FUZZ_ENCRYPT, ssl->fuzzerCtx); - #endif - - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - /* make sure AES GCM/CCM memory is allocated */ - /* free for these happens in FreeCiphers */ - if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm || - ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) { - /* make sure auth iv and auth are allocated */ - if (ssl->encrypt.additional == NULL) - ssl->encrypt.additional = (byte*)XMALLOC(AEAD_AUTH_DATA_SZ, - ssl->heap, DYNAMIC_TYPE_AES); - if (ssl->encrypt.nonce == NULL) - ssl->encrypt.nonce = (byte*)XMALLOC(AESGCM_NONCE_SZ, - ssl->heap, DYNAMIC_TYPE_AES); - if (ssl->encrypt.additional == NULL || - ssl->encrypt.nonce == NULL) { - return MEMORY_E; - } - } - #endif /* BUILD_AESGCM || HAVE_AESCCM */ - - /* Advance state and proceed */ - ssl->encrypt.state = CIPHER_STATE_DO; - } - FALL_THROUGH; - - case CIPHER_STATE_DO: - { - ret = EncryptDo(ssl, out, input, sz, asyncOkay); - - /* Advance state */ - ssl->encrypt.state = CIPHER_STATE_END; - - #ifdef WOLFSSL_ASYNC_CRYPT - /* If pending, then leave and return will resume below */ - if (ret == WC_PENDING_E) { - return ret; - } - #endif - } - FALL_THROUGH; - - case CIPHER_STATE_END: - { - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm || - ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) - { - /* finalize authentication cipher */ - AeadIncrementExpIV(ssl); - - if (ssl->encrypt.nonce) - ForceZero(ssl->encrypt.nonce, AESGCM_NONCE_SZ); - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - } - #endif /* BUILD_AESGCM || HAVE_AESCCM */ - break; - } - } - - /* Reset state */ - ssl->encrypt.state = CIPHER_STATE_BEGIN; - - return ret; -} - -static INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input, - word16 sz) -{ - int ret = 0; - - (void)plain; - (void)input; - (void)sz; - - switch (ssl->specs.bulk_cipher_algorithm) - { - #ifdef BUILD_ARC4 - case wolfssl_rc4: - wc_Arc4Process(ssl->decrypt.arc4, plain, input, sz); - break; - #endif - - #ifdef BUILD_DES3 - case wolfssl_triple_des: - ret = wc_Des3_CbcDecrypt(ssl->decrypt.des3, plain, input, sz); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.des3->asyncDev, - WC_ASYNC_FLAG_CALL_AGAIN); - } - #endif - break; - #endif - - #ifdef BUILD_AES - case wolfssl_aes: - ret = wc_AesCbcDecrypt(ssl->decrypt.aes, plain, input, sz); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev, - WC_ASYNC_FLAG_CALL_AGAIN); - } - #endif - break; - #endif - - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - case wolfssl_aes_gcm: - case wolfssl_aes_ccm: /* GCM AEAD macros use same size as CCM */ - { - wc_AesAuthDecryptFunc aes_auth_fn; - #if defined(BUILD_AESGCM) && defined(HAVE_AESCCM) - aes_auth_fn = (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) - ? wc_AesGcmDecrypt : wc_AesCcmDecrypt; - #elif defined(BUILD_AESGCM) - aes_auth_fn = wc_AesGcmDecrypt; - #else - aes_auth_fn = wc_AesCcmDecrypt; - #endif - - XMEMSET(ssl->decrypt.additional, 0, AEAD_AUTH_DATA_SZ); - - /* sequence number field is 64-bits */ - WriteSEQ(ssl, PEER_ORDER, ssl->decrypt.additional); - - ssl->decrypt.additional[AEAD_TYPE_OFFSET] = ssl->curRL.type; - ssl->decrypt.additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor; - ssl->decrypt.additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor; - - c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, - ssl->decrypt.additional + AEAD_LEN_OFFSET); - XMEMCPY(ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV, - AESGCM_IMP_IV_SZ); - XMEMCPY(ssl->decrypt.nonce + AESGCM_IMP_IV_SZ, input, - AESGCM_EXP_IV_SZ); - if ((ret = aes_auth_fn(ssl->decrypt.aes, - plain + AESGCM_EXP_IV_SZ, - input + AESGCM_EXP_IV_SZ, - sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, - ssl->decrypt.nonce, AESGCM_NONCE_SZ, - input + sz - ssl->specs.aead_mac_size, - ssl->specs.aead_mac_size, - ssl->decrypt.additional, AEAD_AUTH_DATA_SZ)) < 0) { - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - ret = wolfSSL_AsyncPush(ssl, - &ssl->decrypt.aes->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - break; - } - #endif - } - } - break; - #endif /* BUILD_AESGCM || HAVE_AESCCM */ - - #ifdef HAVE_CAMELLIA - case wolfssl_camellia: - wc_CamelliaCbcDecrypt(ssl->decrypt.cam, plain, input, sz); - break; - #endif - - #ifdef HAVE_HC128 - case wolfssl_hc128: - ret = wc_Hc128_Process(ssl->decrypt.hc128, plain, input, sz); - break; - #endif - - #ifdef BUILD_RABBIT - case wolfssl_rabbit: - ret = wc_RabbitProcess(ssl->decrypt.rabbit, plain, input, sz); - break; - #endif - - #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - case wolfssl_chacha: - ret = ChachaAEADDecrypt(ssl, plain, input, sz); - break; - #endif - - #ifdef HAVE_NULL_CIPHER - case wolfssl_cipher_null: - if (input != plain) { - XMEMMOVE(plain, input, sz); - } - break; - #endif - - #ifdef HAVE_IDEA - case wolfssl_idea: - ret = wc_IdeaCbcDecrypt(ssl->decrypt.idea, plain, input, sz); - break; - #endif - - default: - WOLFSSL_MSG("wolfSSL Decrypt programming error"); - ret = DECRYPT_ERROR; - } - - return ret; -} - -static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input, - word16 sz) -{ - int ret = 0; - -#ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state); - if (ret != WC_NOT_PENDING_E) { - /* check for still pending */ - if (ret == WC_PENDING_E) - return ret; - - ssl->error = 0; /* clear async */ - - /* let failures through so CIPHER_STATE_END logic is run */ - } - else -#endif - { - /* Reset state */ - ret = 0; - ssl->decrypt.state = CIPHER_STATE_BEGIN; - } - - switch (ssl->decrypt.state) { - case CIPHER_STATE_BEGIN: - { - if (ssl->decrypt.setup == 0) { - WOLFSSL_MSG("Decrypt ciphers not setup"); - return DECRYPT_ERROR; - } - - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - /* make sure AES GCM/CCM memory is allocated */ - /* free for these happens in FreeCiphers */ - if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm || - ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) { - /* make sure auth iv and auth are allocated */ - if (ssl->decrypt.additional == NULL) - ssl->decrypt.additional = (byte*)XMALLOC(AEAD_AUTH_DATA_SZ, - ssl->heap, DYNAMIC_TYPE_AES); - if (ssl->decrypt.nonce == NULL) - ssl->decrypt.nonce = (byte*)XMALLOC(AESGCM_NONCE_SZ, - ssl->heap, DYNAMIC_TYPE_AES); - if (ssl->decrypt.additional == NULL || - ssl->decrypt.nonce == NULL) { - return MEMORY_E; - } - } - #endif /* BUILD_AESGCM || HAVE_AESCCM */ - - /* Advance state and proceed */ - ssl->decrypt.state = CIPHER_STATE_DO; - } - FALL_THROUGH; - case CIPHER_STATE_DO: - { - ret = DecryptDo(ssl, plain, input, sz); - - /* Advance state */ - ssl->decrypt.state = CIPHER_STATE_END; - - #ifdef WOLFSSL_ASYNC_CRYPT - /* If pending, leave and return below */ - if (ret == WC_PENDING_E) { - return ret; - } - #endif - } - FALL_THROUGH; - case CIPHER_STATE_END: - { - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - /* make sure AES GCM/CCM nonce is cleared */ - if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm || - ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) { - if (ssl->decrypt.nonce) - ForceZero(ssl->decrypt.nonce, AESGCM_NONCE_SZ); - - if (ret < 0) - ret = VERIFY_MAC_ERROR; - } - #endif /* BUILD_AESGCM || HAVE_AESCCM */ - break; - } - } - - /* Reset state */ - ssl->decrypt.state = CIPHER_STATE_BEGIN; - - /* handle mac error case */ - if (ret == VERIFY_MAC_ERROR) { - if (!ssl->options.dtls) - SendAlert(ssl, alert_fatal, bad_record_mac); - } - - return ret; -} - -/* Check conditions for a cipher to have an explicit IV. - * - * ssl The SSL/TLS object. - * returns 1 if the cipher in use has an explicit IV and 0 otherwise. - */ -static INLINE int CipherHasExpIV(WOLFSSL *ssl) -{ -#ifdef WOLFSSL_TLS13 - if (ssl->options.tls1_3) - return 0; -#endif - return (ssl->specs.cipher_type == aead) && - (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha); -} - -/* check cipher text size for sanity */ -static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz) -{ -#ifdef HAVE_TRUNCATED_HMAC - word32 minLength = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ - : ssl->specs.hash_size; -#else - word32 minLength = ssl->specs.hash_size; /* covers stream */ -#endif - - if (ssl->specs.cipher_type == block) { - if (encryptSz % ssl->specs.block_size) { - WOLFSSL_MSG("Block ciphertext not block size"); - return SANITY_CIPHER_E; - } - - minLength++; /* pad byte */ - - if (ssl->specs.block_size > minLength) - minLength = ssl->specs.block_size; - - if (ssl->options.tls1_1) - minLength += ssl->specs.block_size; /* explicit IV */ - } - else if (ssl->specs.cipher_type == aead) { - minLength = ssl->specs.aead_mac_size; /* authTag size */ - if (CipherHasExpIV(ssl)) - minLength += AESGCM_EXP_IV_SZ; /* explicit IV */ - } - - if (encryptSz < minLength) { - WOLFSSL_MSG("Ciphertext not minimum size"); - return SANITY_CIPHER_E; - } - - return 0; -} - - -#ifndef NO_OLD_TLS - -static INLINE void Md5Rounds(int rounds, const byte* data, int sz) -{ - Md5 md5; - int i; - - wc_InitMd5(&md5); /* no error check on purpose, dummy round */ - - for (i = 0; i < rounds; i++) - wc_Md5Update(&md5, data, sz); - wc_Md5Free(&md5); /* in case needed to release resources */ -} - - - -/* do a dummy sha round */ -static INLINE void ShaRounds(int rounds, const byte* data, int sz) -{ - Sha sha; - int i; - - wc_InitSha(&sha); /* no error check on purpose, dummy round */ - - for (i = 0; i < rounds; i++) - wc_ShaUpdate(&sha, data, sz); - wc_ShaFree(&sha); /* in case needed to release resources */ -} -#endif - - -#ifndef NO_SHA256 - -static INLINE void Sha256Rounds(int rounds, const byte* data, int sz) -{ - Sha256 sha256; - int i; - - wc_InitSha256(&sha256); /* no error check on purpose, dummy round */ - - for (i = 0; i < rounds; i++) { - wc_Sha256Update(&sha256, data, sz); - /* no error check on purpose, dummy round */ - } - wc_Sha256Free(&sha256); /* in case needed to release resources */ -} - -#endif - - -#ifdef WOLFSSL_SHA384 - -static INLINE void Sha384Rounds(int rounds, const byte* data, int sz) -{ - Sha384 sha384; - int i; - - wc_InitSha384(&sha384); /* no error check on purpose, dummy round */ - - for (i = 0; i < rounds; i++) { - wc_Sha384Update(&sha384, data, sz); - /* no error check on purpose, dummy round */ - } - wc_Sha384Free(&sha384); /* in case needed to release resources */ -} - -#endif - - -#ifdef WOLFSSL_SHA512 - -static INLINE void Sha512Rounds(int rounds, const byte* data, int sz) -{ - Sha512 sha512; - int i; - - wc_InitSha512(&sha512); /* no error check on purpose, dummy round */ - - for (i = 0; i < rounds; i++) { - wc_Sha512Update(&sha512, data, sz); - /* no error check on purpose, dummy round */ - } - wc_Sha512Free(&sha512); /* in case needed to release resources */ -} - -#endif - - -#ifdef WOLFSSL_RIPEMD - -static INLINE void RmdRounds(int rounds, const byte* data, int sz) -{ - RipeMd ripemd; - int i; - - wc_InitRipeMd(&ripemd); - - for (i = 0; i < rounds; i++) - wc_RipeMdUpdate(&ripemd, data, sz); -} - -#endif - - -/* Do dummy rounds */ -static INLINE void DoRounds(int type, int rounds, const byte* data, int sz) -{ - (void)rounds; - (void)data; - (void)sz; - - switch (type) { - case no_mac : - break; - -#ifndef NO_OLD_TLS -#ifndef NO_MD5 - case md5_mac : - Md5Rounds(rounds, data, sz); - break; -#endif - -#ifndef NO_SHA - case sha_mac : - ShaRounds(rounds, data, sz); - break; -#endif -#endif - -#ifndef NO_SHA256 - case sha256_mac : - Sha256Rounds(rounds, data, sz); - break; -#endif - -#ifdef WOLFSSL_SHA384 - case sha384_mac : - Sha384Rounds(rounds, data, sz); - break; -#endif - -#ifdef WOLFSSL_SHA512 - case sha512_mac : - Sha512Rounds(rounds, data, sz); - break; -#endif - -#ifdef WOLFSSL_RIPEMD - case rmd_mac : - RmdRounds(rounds, data, sz); - break; -#endif - - default: - WOLFSSL_MSG("Bad round type"); - break; - } -} - - -/* do number of compression rounds on dummy data */ -static INLINE void CompressRounds(WOLFSSL* ssl, int rounds, const byte* dummy) -{ - if (rounds) - DoRounds(ssl->specs.mac_algorithm, rounds, dummy, COMPRESS_LOWER); -} - - -/* check all length bytes for the pad value, return 0 on success */ -static int PadCheck(const byte* a, byte pad, int length) -{ - int i; - int compareSum = 0; - - for (i = 0; i < length; i++) { - compareSum |= a[i] ^ pad; - } - - return compareSum; -} - - -/* get compression extra rounds */ -static INLINE int GetRounds(int pLen, int padLen, int t) -{ - int roundL1 = 1; /* round up flags */ - int roundL2 = 1; - - int L1 = COMPRESS_CONSTANT + pLen - t; - int L2 = COMPRESS_CONSTANT + pLen - padLen - 1 - t; - - L1 -= COMPRESS_UPPER; - L2 -= COMPRESS_UPPER; - - if ( (L1 % COMPRESS_LOWER) == 0) - roundL1 = 0; - if ( (L2 % COMPRESS_LOWER) == 0) - roundL2 = 0; - - L1 /= COMPRESS_LOWER; - L2 /= COMPRESS_LOWER; - - L1 += roundL1; - L2 += roundL2; - - return L1 - L2; -} - - -/* timing resistant pad/verify check, return 0 on success */ -static int TimingPadVerify(WOLFSSL* ssl, const byte* input, int padLen, int t, - int pLen, int content) -{ - byte verify[MAX_DIGEST_SIZE]; - byte dmy[sizeof(WOLFSSL) >= MAX_PAD_SIZE ? 1 : MAX_PAD_SIZE] = {0}; - byte* dummy = sizeof(dmy) < MAX_PAD_SIZE ? (byte*) ssl : dmy; - int ret = 0; - - (void)dmy; - - if ( (t + padLen + 1) > pLen) { - WOLFSSL_MSG("Plain Len not long enough for pad/mac"); - PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE); - ssl->hmac(ssl, verify, input, pLen - t, content, 1); /* still compare */ - ConstantCompare(verify, input + pLen - t, t); - - return VERIFY_MAC_ERROR; - } - - if (PadCheck(input + pLen - (padLen + 1), (byte)padLen, padLen + 1) != 0) { - WOLFSSL_MSG("PadCheck failed"); - PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE - padLen - 1); - ssl->hmac(ssl, verify, input, pLen - t, content, 1); /* still compare */ - ConstantCompare(verify, input + pLen - t, t); - - return VERIFY_MAC_ERROR; - } - - PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE - padLen - 1); - ret = ssl->hmac(ssl, verify, input, pLen - padLen - 1 - t, content, 1); - - CompressRounds(ssl, GetRounds(pLen, padLen, t), dummy); - - if (ConstantCompare(verify, input + (pLen - padLen - 1 - t), t) != 0) { - WOLFSSL_MSG("Verify MAC compare failed"); - return VERIFY_MAC_ERROR; - } - - /* treat any faulure as verify MAC error */ - if (ret != 0) - ret = VERIFY_MAC_ERROR; - - return ret; -} - - -int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx) -{ - word32 msgSz = ssl->keys.encryptSz; - word32 idx = *inOutIdx; - int dataSz; - int ivExtra = 0; - byte* rawData = input + idx; /* keep current for hmac */ -#ifdef HAVE_LIBZ - byte decomp[MAX_RECORD_SIZE + MAX_COMP_EXTRA]; -#endif - - if (ssl->options.handShakeDone == 0) { - WOLFSSL_MSG("Received App data before a handshake completed"); - SendAlert(ssl, alert_fatal, unexpected_message); - return OUT_OF_ORDER_E; - } - - if (ssl->specs.cipher_type == block) { - if (ssl->options.tls1_1) - ivExtra = ssl->specs.block_size; - } - else if (ssl->specs.cipher_type == aead) { - if (CipherHasExpIV(ssl)) - ivExtra = AESGCM_EXP_IV_SZ; - } - - dataSz = msgSz - ivExtra - ssl->keys.padSz; - if (dataSz < 0) { - WOLFSSL_MSG("App data buffer error, malicious input?"); - return BUFFER_ERROR; - } - - /* read data */ - if (dataSz) { - int rawSz = dataSz; /* keep raw size for idx adjustment */ - -#ifdef HAVE_LIBZ - if (ssl->options.usingCompression) { - dataSz = myDeCompress(ssl, rawData, dataSz, decomp, sizeof(decomp)); - if (dataSz < 0) return dataSz; - } -#endif - idx += rawSz; - - ssl->buffers.clearOutputBuffer.buffer = rawData; - ssl->buffers.clearOutputBuffer.length = dataSz; - } - - idx += ssl->keys.padSz; - -#ifdef HAVE_LIBZ - /* decompress could be bigger, overwrite after verify */ - if (ssl->options.usingCompression) - XMEMMOVE(rawData, decomp, dataSz); -#endif - - *inOutIdx = idx; - return 0; -} - - -/* process alert, return level */ -static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type, - word32 totalSz) -{ - byte level; - byte code; - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "Alert"); - if (ssl->toInfoOn) - /* add record header back on to info + alert bytes level/code */ - AddPacketInfo(ssl, "Alert", alert, input + *inOutIdx - - RECORD_HEADER_SZ, RECORD_HEADER_SZ + ALERT_SIZE, - READ_PROTO, ssl->heap); - #endif - - /* make sure can read the message */ - if (*inOutIdx + ALERT_SIZE > totalSz) - return BUFFER_E; - - level = input[(*inOutIdx)++]; - code = input[(*inOutIdx)++]; - ssl->alert_history.last_rx.code = code; - ssl->alert_history.last_rx.level = level; - *type = code; - if (level == alert_fatal) { - ssl->options.isClosed = 1; /* Don't send close_notify */ - } - - WOLFSSL_MSG("Got alert"); - if (*type == close_notify) { - WOLFSSL_MSG("\tclose notify"); - ssl->options.closeNotify = 1; - } -#ifdef WOLFSSL_TLS13 - if (*type == decode_error) { - WOLFSSL_MSG(" decode error"); - } - if (*type == illegal_parameter) { - WOLFSSL_MSG(" illegal parameter"); - } -#endif - WOLFSSL_ERROR(*type); - if (IsEncryptionOn(ssl, 0)) { - if (*inOutIdx + ssl->keys.padSz > totalSz) - return BUFFER_E; - *inOutIdx += ssl->keys.padSz; - } - - return level; -} - -static int GetInputData(WOLFSSL *ssl, word32 size) -{ - int in; - int inSz; - int maxLength; - int usedLength; - int dtlsExtra = 0; - - - /* check max input length */ - usedLength = ssl->buffers.inputBuffer.length - ssl->buffers.inputBuffer.idx; - maxLength = ssl->buffers.inputBuffer.bufferSize - usedLength; - inSz = (int)(size - usedLength); /* from last partial read */ - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - if (size < ssl->dtls_expected_rx) - dtlsExtra = (int)(ssl->dtls_expected_rx - size); - inSz = ssl->dtls_expected_rx; - } -#endif - - /* check that no lengths or size values are negative */ - if (usedLength < 0 || maxLength < 0 || inSz <= 0) { - return BUFFER_ERROR; - } - - if (inSz > maxLength) { - if (GrowInputBuffer(ssl, size + dtlsExtra, usedLength) < 0) - return MEMORY_E; - } - - /* Put buffer data at start if not there */ - if (usedLength > 0 && ssl->buffers.inputBuffer.idx != 0) - XMEMMOVE(ssl->buffers.inputBuffer.buffer, - ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx, - usedLength); - - /* remove processed data */ - ssl->buffers.inputBuffer.idx = 0; - ssl->buffers.inputBuffer.length = usedLength; - - /* read data from network */ - do { - in = Receive(ssl, - ssl->buffers.inputBuffer.buffer + - ssl->buffers.inputBuffer.length, - inSz); - if (in == -1) - return SOCKET_ERROR_E; - - if (in == WANT_READ) - return WANT_READ; - - if (in > inSz) - return RECV_OVERFLOW_E; - - ssl->buffers.inputBuffer.length += in; - inSz -= in; - - } while (ssl->buffers.inputBuffer.length < size); - -#ifdef WOLFSSL_DEBUG_TLS - if (ssl->buffers.inputBuffer.idx == 0) { - WOLFSSL_MSG("Data received"); - WOLFSSL_BUFFER(ssl->buffers.inputBuffer.buffer, - ssl->buffers.inputBuffer.length); - } -#endif - - return 0; -} - - -static INLINE int VerifyMac(WOLFSSL* ssl, const byte* input, word32 msgSz, - int content, word32* padSz) -{ - int ivExtra = 0; - int ret; - word32 pad = 0; - word32 padByte = 0; -#ifdef HAVE_TRUNCATED_HMAC - word32 digestSz = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ - : ssl->specs.hash_size; -#else - word32 digestSz = ssl->specs.hash_size; -#endif - byte verify[MAX_DIGEST_SIZE]; - - if (ssl->specs.cipher_type == block) { - if (ssl->options.tls1_1) - ivExtra = ssl->specs.block_size; - pad = *(input + msgSz - ivExtra - 1); - padByte = 1; - - if (ssl->options.tls) { - ret = TimingPadVerify(ssl, input, pad, digestSz, msgSz - ivExtra, - content); - if (ret != 0) - return ret; - } - else { /* sslv3, some implementations have bad padding, but don't - * allow bad read */ - int badPadLen = 0; - byte dmy[sizeof(WOLFSSL) >= MAX_PAD_SIZE ? 1 : MAX_PAD_SIZE] = {0}; - byte* dummy = sizeof(dmy) < MAX_PAD_SIZE ? (byte*) ssl : dmy; - - (void)dmy; - - if (pad > (msgSz - digestSz - 1)) { - WOLFSSL_MSG("Plain Len not long enough for pad/mac"); - pad = 0; /* no bad read */ - badPadLen = 1; - } - PadCheck(dummy, (byte)pad, MAX_PAD_SIZE); /* timing only */ - ret = ssl->hmac(ssl, verify, input, msgSz - digestSz - pad - 1, - content, 1); - if (ConstantCompare(verify, input + msgSz - digestSz - pad - 1, - digestSz) != 0) - return VERIFY_MAC_ERROR; - if (ret != 0 || badPadLen) - return VERIFY_MAC_ERROR; - } - } - else if (ssl->specs.cipher_type == stream) { - ret = ssl->hmac(ssl, verify, input, msgSz - digestSz, content, 1); - if (ConstantCompare(verify, input + msgSz - digestSz, digestSz) != 0){ - return VERIFY_MAC_ERROR; - } - if (ret != 0) - return VERIFY_MAC_ERROR; - } - - if (ssl->specs.cipher_type == aead) { - *padSz = ssl->specs.aead_mac_size; - } - else { - *padSz = digestSz + pad + padByte; - } - - return 0; -} - - -/* process input requests, return 0 is done, 1 is call again to complete, and - negative number is error */ -int ProcessReply(WOLFSSL* ssl) -{ - int ret = 0, type, readSz; - int atomicUser = 0; - word32 startIdx = 0; -#if defined(WOLFSSL_DTLS) - int used; -#endif - -#ifdef ATOMIC_USER - if (ssl->ctx->DecryptVerifyCb) - atomicUser = 1; -#endif - - if (ssl->error != 0 && ssl->error != WANT_READ && - ssl->error != WANT_WRITE && ssl->error != WC_PENDING_E) { - WOLFSSL_MSG("ProcessReply retry in error state, not allowed"); - return ssl->error; - } - - for (;;) { - switch (ssl->options.processReply) { - - /* in the WOLFSSL_SERVER case, get the first byte for detecting - * old client hello */ - case doProcessInit: - - readSz = RECORD_HEADER_SZ; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - readSz = DTLS_RECORD_HEADER_SZ; - #endif - - /* get header or return error */ - if (!ssl->options.dtls) { - if ((ret = GetInputData(ssl, readSz)) < 0) - return ret; - } else { - #ifdef WOLFSSL_DTLS - /* read ahead may already have header */ - used = ssl->buffers.inputBuffer.length - - ssl->buffers.inputBuffer.idx; - if (used < readSz) { - if ((ret = GetInputData(ssl, readSz)) < 0) - return ret; - } - #endif - } - -#ifdef OLD_HELLO_ALLOWED - - /* see if sending SSLv2 client hello */ - if ( ssl->options.side == WOLFSSL_SERVER_END && - ssl->options.clientState == NULL_STATE && - ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx] - != handshake) { - byte b0, b1; - - ssl->options.processReply = runProcessOldClientHello; - - /* sanity checks before getting size at front */ - if (ssl->buffers.inputBuffer.buffer[ - ssl->buffers.inputBuffer.idx + OPAQUE16_LEN] != OLD_HELLO_ID) { - WOLFSSL_MSG("Not a valid old client hello"); - return PARSE_ERROR; - } - - if (ssl->buffers.inputBuffer.buffer[ - ssl->buffers.inputBuffer.idx + OPAQUE24_LEN] != SSLv3_MAJOR && - ssl->buffers.inputBuffer.buffer[ - ssl->buffers.inputBuffer.idx + OPAQUE24_LEN] != DTLS_MAJOR) { - WOLFSSL_MSG("Not a valid version in old client hello"); - return PARSE_ERROR; - } - - /* how many bytes need ProcessOldClientHello */ - b0 = - ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++]; - b1 = - ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++]; - ssl->curSize = (word16)(((b0 & 0x7f) << 8) | b1); - } - else { - ssl->options.processReply = getRecordLayerHeader; - continue; - } - FALL_THROUGH; - - /* in the WOLFSSL_SERVER case, run the old client hello */ - case runProcessOldClientHello: - - /* get sz bytes or return error */ - if (!ssl->options.dtls) { - if ((ret = GetInputData(ssl, ssl->curSize)) < 0) - return ret; - } else { - #ifdef WOLFSSL_DTLS - /* read ahead may already have */ - used = ssl->buffers.inputBuffer.length - - ssl->buffers.inputBuffer.idx; - if (used < ssl->curSize) - if ((ret = GetInputData(ssl, ssl->curSize)) < 0) - return ret; - #endif /* WOLFSSL_DTLS */ - } - - ret = ProcessOldClientHello(ssl, ssl->buffers.inputBuffer.buffer, - &ssl->buffers.inputBuffer.idx, - ssl->buffers.inputBuffer.length - - ssl->buffers.inputBuffer.idx, - ssl->curSize); - if (ret < 0) - return ret; - - else if (ssl->buffers.inputBuffer.idx == - ssl->buffers.inputBuffer.length) { - ssl->options.processReply = doProcessInit; - return 0; - } - -#endif /* OLD_HELLO_ALLOWED */ - FALL_THROUGH; - - /* get the record layer header */ - case getRecordLayerHeader: - - ret = GetRecordHeader(ssl, ssl->buffers.inputBuffer.buffer, - &ssl->buffers.inputBuffer.idx, - &ssl->curRL, &ssl->curSize); -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls && ret == SEQUENCE_ERROR) { - WOLFSSL_MSG("Silently dropping out of order DTLS message"); - ssl->options.processReply = doProcessInit; - ssl->buffers.inputBuffer.length = 0; - ssl->buffers.inputBuffer.idx = 0; - - if (IsDtlsNotSctpMode(ssl) && ssl->options.dtlsHsRetain) { - ret = DtlsMsgPoolSend(ssl, 0); - if (ret != 0) - return ret; - } - - continue; - } -#endif - if (ret != 0) - return ret; - - ssl->options.processReply = getData; - FALL_THROUGH; - - /* retrieve record layer data */ - case getData: - - /* get sz bytes or return error */ - if (!ssl->options.dtls) { - if ((ret = GetInputData(ssl, ssl->curSize)) < 0) - return ret; - } else { -#ifdef WOLFSSL_DTLS - /* read ahead may already have */ - used = ssl->buffers.inputBuffer.length - - ssl->buffers.inputBuffer.idx; - if (used < ssl->curSize) - if ((ret = GetInputData(ssl, ssl->curSize)) < 0) - return ret; -#endif - } - - ssl->options.processReply = decryptMessage; - startIdx = ssl->buffers.inputBuffer.idx; /* in case > 1 msg per */ - FALL_THROUGH; - - /* decrypt message */ - case decryptMessage: - - if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0) { - bufferStatic* in = &ssl->buffers.inputBuffer; - - ret = SanityCheckCipherText(ssl, ssl->curSize); - if (ret < 0) - return ret; - - if (atomicUser) { - #ifdef ATOMIC_USER - ret = ssl->ctx->DecryptVerifyCb(ssl, - in->buffer + in->idx, - in->buffer + in->idx, - ssl->curSize, ssl->curRL.type, 1, - &ssl->keys.padSz, ssl->DecryptVerifyCtx); - #endif /* ATOMIC_USER */ - } - else { - if (!ssl->options.tls1_3) { - ret = Decrypt(ssl, - in->buffer + in->idx, - in->buffer + in->idx, - ssl->curSize); - } - else { - #ifdef WOLFSSL_TLS13 - ret = DecryptTls13(ssl, - in->buffer + in->idx, - in->buffer + in->idx, - ssl->curSize); - #else - ret = DECRYPT_ERROR; - #endif /* WOLFSSL_TLS13 */ - } - } - - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) - return ret; - #endif - - if (ret >= 0) { - /* handle success */ - if (ssl->options.tls1_1 && ssl->specs.cipher_type == block) - ssl->buffers.inputBuffer.idx += ssl->specs.block_size; - /* go past TLSv1.1 IV */ - if (CipherHasExpIV(ssl)) - ssl->buffers.inputBuffer.idx += AESGCM_EXP_IV_SZ; - } - else { - WOLFSSL_MSG("Decrypt failed"); - WOLFSSL_ERROR(ret); - #ifdef WOLFSSL_DTLS - /* If in DTLS mode, if the decrypt fails for any - * reason, pretend the datagram never happened. */ - if (ssl->options.dtls) { - ssl->options.processReply = doProcessInit; - ssl->buffers.inputBuffer.idx = - ssl->buffers.inputBuffer.length; - } - #endif /* WOLFSSL_DTLS */ - - return DECRYPT_ERROR; - } - } - - ssl->options.processReply = verifyMessage; - FALL_THROUGH; - - /* verify digest of message */ - case verifyMessage: - - if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0) { - if (!atomicUser) { - ret = VerifyMac(ssl, ssl->buffers.inputBuffer.buffer + - ssl->buffers.inputBuffer.idx, - ssl->curSize, ssl->curRL.type, - &ssl->keys.padSz); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) - return ret; - #endif - if (ret < 0) { - WOLFSSL_MSG("VerifyMac failed"); - WOLFSSL_ERROR(ret); - return DECRYPT_ERROR; - } - } - - ssl->keys.encryptSz = ssl->curSize; - ssl->keys.decryptedCur = 1; -#ifdef WOLFSSL_TLS13 - if (ssl->options.tls1_3) { - /* Get the real content type from the end of the data. */ - ssl->keys.padSz++; - ssl->curRL.type = ssl->buffers.inputBuffer.buffer[ - ssl->buffers.inputBuffer.length - ssl->keys.padSz]; - } -#endif - } - - ssl->options.processReply = runProcessingOneMessage; - FALL_THROUGH; - - /* the record layer is here */ - case runProcessingOneMessage: - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - DtlsUpdateWindow(ssl); - } - #endif /* WOLFSSL_DTLS */ - - WOLFSSL_MSG("received record layer msg"); - - switch (ssl->curRL.type) { - case handshake : - /* debugging in DoHandShakeMsg */ - if (ssl->options.dtls) { -#ifdef WOLFSSL_DTLS - ret = DoDtlsHandShakeMsg(ssl, - ssl->buffers.inputBuffer.buffer, - &ssl->buffers.inputBuffer.idx, - ssl->buffers.inputBuffer.length); -#endif - } - else if (!IsAtLeastTLSv1_3(ssl->version)) { - ret = DoHandShakeMsg(ssl, - ssl->buffers.inputBuffer.buffer, - &ssl->buffers.inputBuffer.idx, - ssl->buffers.inputBuffer.length); - } - else { -#ifdef WOLFSSL_TLS13 - ret = DoTls13HandShakeMsg(ssl, - ssl->buffers.inputBuffer.buffer, - &ssl->buffers.inputBuffer.idx, - ssl->buffers.inputBuffer.length); -#else - ret = BUFFER_ERROR; -#endif - } - if (ret != 0) - return ret; - break; - - case change_cipher_spec: - WOLFSSL_MSG("got CHANGE CIPHER SPEC"); - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "ChangeCipher"); - /* add record header back on info */ - if (ssl->toInfoOn) { - AddPacketInfo(ssl, "ChangeCipher", - change_cipher_spec, - ssl->buffers.inputBuffer.buffer + - ssl->buffers.inputBuffer.idx - RECORD_HEADER_SZ, - 1 + RECORD_HEADER_SZ, READ_PROTO, ssl->heap); - #ifdef WOLFSSL_CALLBACKS - AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo); - #endif - } - #endif - - ret = SanityCheckMsgReceived(ssl, change_cipher_hs); - if (ret != 0) { - if (!ssl->options.dtls) { - return ret; - } - else { - #ifdef WOLFSSL_DTLS - /* Check for duplicate CCS message in DTLS mode. - * DTLS allows for duplicate messages, and it should be - * skipped. Also skip if out of order. */ - if (ret != DUPLICATE_MSG_E && ret != OUT_OF_ORDER_E) - return ret; - - if (IsDtlsNotSctpMode(ssl)) { - ret = DtlsMsgPoolSend(ssl, 1); - if (ret != 0) - return ret; - } - - if (ssl->curSize != 1) { - WOLFSSL_MSG("Malicious or corrupted" - " duplicate ChangeCipher msg"); - return LENGTH_ERROR; - } - ssl->buffers.inputBuffer.idx++; - break; - #endif /* WOLFSSL_DTLS */ - } - } - - if (IsEncryptionOn(ssl, 0) && ssl->options.handShakeDone) { - ssl->buffers.inputBuffer.idx += ssl->keys.padSz; - ssl->curSize -= (word16) ssl->buffers.inputBuffer.idx; - } - - if (ssl->curSize != 1) { - WOLFSSL_MSG("Malicious or corrupted ChangeCipher msg"); - return LENGTH_ERROR; - } - - ssl->buffers.inputBuffer.idx++; - ssl->keys.encryptionOn = 1; - - /* setup decrypt keys for following messages */ - if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) - return ret; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - DtlsMsgPoolReset(ssl); - ssl->keys.prevSeq_lo = ssl->keys.nextSeq_lo; - ssl->keys.prevSeq_hi = ssl->keys.nextSeq_hi; - XMEMCPY(ssl->keys.prevWindow, ssl->keys.window, - DTLS_SEQ_SZ); - ssl->keys.nextEpoch++; - ssl->keys.nextSeq_lo = 0; - ssl->keys.nextSeq_hi = 0; - XMEMSET(ssl->keys.window, 0, DTLS_SEQ_SZ); - } - #endif - - #ifdef HAVE_LIBZ - if (ssl->options.usingCompression) - if ( (ret = InitStreams(ssl)) != 0) - return ret; - #endif - ret = BuildFinished(ssl, &ssl->hsHashes->verifyHashes, - ssl->options.side == WOLFSSL_CLIENT_END ? - server : client); - if (ret != 0) - return ret; - break; - - case application_data: - WOLFSSL_MSG("got app DATA"); - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls && ssl->options.dtlsHsRetain) { - FreeHandshakeResources(ssl); - ssl->options.dtlsHsRetain = 0; - } - #endif - #ifdef WOLFSSL_TLS13 - if (ssl->keys.keyUpdateRespond) { - WOLFSSL_MSG("No KeyUpdate from peer seen"); - return SANITY_MSG_E; - } - #endif - if ((ret = DoApplicationData(ssl, - ssl->buffers.inputBuffer.buffer, - &ssl->buffers.inputBuffer.idx)) - != 0) { - WOLFSSL_ERROR(ret); - return ret; - } - break; - - case alert: - WOLFSSL_MSG("got ALERT!"); - ret = DoAlert(ssl, ssl->buffers.inputBuffer.buffer, - &ssl->buffers.inputBuffer.idx, &type, - ssl->buffers.inputBuffer.length); - if (ret == alert_fatal) - return FATAL_ERROR; - else if (ret < 0) - return ret; - - /* catch warnings that are handled as errors */ - if (type == close_notify) - return ssl->error = ZERO_RETURN; - - if (type == decrypt_error) - return FATAL_ERROR; - break; - - default: - WOLFSSL_ERROR(UNKNOWN_RECORD_TYPE); - return UNKNOWN_RECORD_TYPE; - } - - ssl->options.processReply = doProcessInit; - - /* input exhausted? */ - if (ssl->buffers.inputBuffer.idx >= ssl->buffers.inputBuffer.length) - return 0; - - /* more messages per record */ - else if ((ssl->buffers.inputBuffer.idx - startIdx) < ssl->curSize) { - WOLFSSL_MSG("More messages in record"); - - ssl->options.processReply = runProcessingOneMessage; - - if (IsEncryptionOn(ssl, 0)) { - WOLFSSL_MSG("Bundled encrypted messages, remove middle pad"); - if (ssl->buffers.inputBuffer.idx >= ssl->keys.padSz) { - ssl->buffers.inputBuffer.idx -= ssl->keys.padSz; - } - else { - WOLFSSL_MSG("\tmiddle padding error"); - return FATAL_ERROR; - } - } - - continue; - } - /* more records */ - else { - WOLFSSL_MSG("More records in input"); - ssl->options.processReply = doProcessInit; - continue; - } - - default: - WOLFSSL_MSG("Bad process input state, programming error"); - return INPUT_CASE_ERROR; - } - } -} - - -int SendChangeCipher(WOLFSSL* ssl) -{ - byte *output; - int sendSz = RECORD_HEADER_SZ + ENUM_LEN; - int idx = RECORD_HEADER_SZ; - int ret; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - sendSz += DTLS_RECORD_EXTRA; - idx += DTLS_RECORD_EXTRA; - } - #endif - - /* are we in scr */ - if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) { - sendSz += MAX_MSG_EXTRA; - } - - /* check for avalaible size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddRecordHeader(output, 1, change_cipher_spec, ssl); - - output[idx] = 1; /* turn it on */ - - if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) { - byte input[ENUM_LEN]; - int inputSz = ENUM_LEN; - - input[0] = 1; /* turn it on */ - sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, - change_cipher_spec, 0, 0, 0); - if (sendSz < 0) { - return sendSz; - } - } - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) - return ret; - } - #endif - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) AddPacketName(ssl, "ChangeCipher"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "ChangeCipher", change_cipher_spec, output, - sendSz, WRITE_PROTO, ssl->heap); - #endif - ssl->buffers.outputBuffer.length += sendSz; - - if (ssl->options.groupMessages) - return 0; - #if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_DEBUG_DTLS) - else if (ssl->options.dtls) { - /* If using DTLS, force the ChangeCipherSpec message to be in the - * same datagram as the finished message. */ - return 0; - } - #endif - else - return SendBuffered(ssl); -} - - -#ifndef NO_OLD_TLS -static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, - int content, int verify) -{ - byte result[MAX_DIGEST_SIZE]; - word32 digestSz = ssl->specs.hash_size; /* actual sizes */ - word32 padSz = ssl->specs.pad_size; - int ret = 0; - - Md5 md5; - Sha sha; - - /* data */ - byte seq[SEQ_SZ]; - byte conLen[ENUM_LEN + LENGTH_SZ]; /* content & length */ - const byte* macSecret = wolfSSL_GetMacSecret(ssl, verify); - -#ifdef HAVE_FUZZER - if (ssl->fuzzerCb) - ssl->fuzzerCb(ssl, in, sz, FUZZ_HMAC, ssl->fuzzerCtx); -#endif - - XMEMSET(seq, 0, SEQ_SZ); - conLen[0] = (byte)content; - c16toa((word16)sz, &conLen[ENUM_LEN]); - WriteSEQ(ssl, verify, seq); - - if (ssl->specs.mac_algorithm == md5_mac) { - ret = wc_InitMd5_ex(&md5, ssl->heap, ssl->devId); - if (ret != 0) - return ret; - - /* inner */ - ret = wc_Md5Update(&md5, macSecret, digestSz); - ret |= wc_Md5Update(&md5, PAD1, padSz); - ret |= wc_Md5Update(&md5, seq, SEQ_SZ); - ret |= wc_Md5Update(&md5, conLen, sizeof(conLen)); - /* in buffer */ - ret |= wc_Md5Update(&md5, in, sz); - if (ret != 0) - return VERIFY_MAC_ERROR; - ret = wc_Md5Final(&md5, result); - #ifdef WOLFSSL_ASYNC_CRYPT - /* TODO: Make non-blocking */ - if (ret == WC_PENDING_E) { - ret = wc_AsyncWait(ret, &md5.asyncDev, WC_ASYNC_FLAG_NONE); - } - #endif - if (ret != 0) - return VERIFY_MAC_ERROR; - - /* outer */ - ret = wc_Md5Update(&md5, macSecret, digestSz); - ret |= wc_Md5Update(&md5, PAD2, padSz); - ret |= wc_Md5Update(&md5, result, digestSz); - if (ret != 0) - return VERIFY_MAC_ERROR; - ret = wc_Md5Final(&md5, digest); - #ifdef WOLFSSL_ASYNC_CRYPT - /* TODO: Make non-blocking */ - if (ret == WC_PENDING_E) { - ret = wc_AsyncWait(ret, &md5.asyncDev, WC_ASYNC_FLAG_NONE); - } - #endif - if (ret != 0) - return VERIFY_MAC_ERROR; - - wc_Md5Free(&md5); - } - else { - ret = wc_InitSha_ex(&sha, ssl->heap, ssl->devId); - if (ret != 0) - return ret; - - /* inner */ - ret = wc_ShaUpdate(&sha, macSecret, digestSz); - ret |= wc_ShaUpdate(&sha, PAD1, padSz); - ret |= wc_ShaUpdate(&sha, seq, SEQ_SZ); - ret |= wc_ShaUpdate(&sha, conLen, sizeof(conLen)); - /* in buffer */ - ret |= wc_ShaUpdate(&sha, in, sz); - if (ret != 0) - return VERIFY_MAC_ERROR; - ret = wc_ShaFinal(&sha, result); - #ifdef WOLFSSL_ASYNC_CRYPT - /* TODO: Make non-blocking */ - if (ret == WC_PENDING_E) { - ret = wc_AsyncWait(ret, &sha.asyncDev, WC_ASYNC_FLAG_NONE); - } - #endif - if (ret != 0) - return VERIFY_MAC_ERROR; - - /* outer */ - ret = wc_ShaUpdate(&sha, macSecret, digestSz); - ret |= wc_ShaUpdate(&sha, PAD2, padSz); - ret |= wc_ShaUpdate(&sha, result, digestSz); - if (ret != 0) - return VERIFY_MAC_ERROR; - ret = wc_ShaFinal(&sha, digest); - #ifdef WOLFSSL_ASYNC_CRYPT - /* TODO: Make non-blocking */ - if (ret == WC_PENDING_E) { - ret = wc_AsyncWait(ret, &sha.asyncDev, WC_ASYNC_FLAG_NONE); - } - #endif - if (ret != 0) - return VERIFY_MAC_ERROR; - - wc_ShaFree(&sha); - } - return 0; -} -#endif /* NO_OLD_TLS */ - - -#ifndef NO_CERTS - -#if !defined(NO_MD5) && !defined(NO_OLD_TLS) -static int BuildMD5_CertVerify(WOLFSSL* ssl, byte* digest) -{ - int ret; - byte md5_result[MD5_DIGEST_SIZE]; -#ifdef WOLFSSL_SMALL_STACK - Md5* md5 = (Md5*)XMALLOC(sizeof(Md5), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); -#else - Md5 md5[1]; -#endif - - /* make md5 inner */ - ret = wc_Md5Copy(&ssl->hsHashes->hashMd5, md5); /* Save current position */ - if (ret == 0) - ret = wc_Md5Update(md5, ssl->arrays->masterSecret,SECRET_LEN); - if (ret == 0) - ret = wc_Md5Update(md5, PAD1, PAD_MD5); - if (ret == 0) - ret = wc_Md5Final(md5, md5_result); - - /* make md5 outer */ - if (ret == 0) { - ret = wc_InitMd5_ex(md5, ssl->heap, ssl->devId); - if (ret == 0) { - ret = wc_Md5Update(md5, ssl->arrays->masterSecret, SECRET_LEN); - if (ret == 0) - ret = wc_Md5Update(md5, PAD2, PAD_MD5); - if (ret == 0) - ret = wc_Md5Update(md5, md5_result, MD5_DIGEST_SIZE); - if (ret == 0) - ret = wc_Md5Final(md5, digest); - wc_Md5Free(md5); - } - } - -#ifdef WOLFSSL_SMALL_STACK - XFREE(md5, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - return ret; -} -#endif /* !NO_MD5 && !NO_OLD_TLS */ - -#if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) -static int BuildSHA_CertVerify(WOLFSSL* ssl, byte* digest) -{ - int ret; - byte sha_result[SHA_DIGEST_SIZE]; -#ifdef WOLFSSL_SMALL_STACK - Sha* sha = (Sha*)XMALLOC(sizeof(Sha), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); -#else - Sha sha[1]; -#endif - - /* make sha inner */ - ret = wc_ShaCopy(&ssl->hsHashes->hashSha, sha); /* Save current position */ - if (ret == 0) - ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN); - if (ret == 0) - ret = wc_ShaUpdate(sha, PAD1, PAD_SHA); - if (ret == 0) - ret = wc_ShaFinal(sha, sha_result); - - /* make sha outer */ - if (ret == 0) { - ret = wc_InitSha_ex(sha, ssl->heap, ssl->devId); - if (ret == 0) { - ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN); - if (ret == 0) - ret = wc_ShaUpdate(sha, PAD2, PAD_SHA); - if (ret == 0) - ret = wc_ShaUpdate(sha, sha_result, SHA_DIGEST_SIZE); - if (ret == 0) - ret = wc_ShaFinal(sha, digest); - wc_ShaFree(sha); - } - } - -#ifdef WOLFSSL_SMALL_STACK - XFREE(sha, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - return ret; -} -#endif /* !NO_SHA && (!NO_OLD_TLS || WOLFSSL_ALLOW_TLS_SHA1) */ - -int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes) -{ - int ret = 0; - - (void)hashes; - - if (ssl->options.tls) { - #if !defined(NO_MD5) && !defined(NO_OLD_TLS) - ret = wc_Md5GetHash(&ssl->hsHashes->hashMd5, hashes->md5); - if (ret != 0) - return ret; - #endif - #if !defined(NO_SHA) - ret = wc_ShaGetHash(&ssl->hsHashes->hashSha, hashes->sha); - if (ret != 0) - return ret; - #endif - if (IsAtLeastTLSv1_2(ssl)) { - #ifndef NO_SHA256 - ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, - hashes->sha256); - if (ret != 0) - return ret; - #endif - #ifdef WOLFSSL_SHA384 - ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, - hashes->sha384); - if (ret != 0) - return ret; - #endif - #ifdef WOLFSSL_SHA512 - ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, - hashes->sha512); - if (ret != 0) - return ret; - #endif - } - } - else { - #if !defined(NO_MD5) && !defined(NO_OLD_TLS) - ret = BuildMD5_CertVerify(ssl, hashes->md5); - if (ret != 0) - return ret; - #endif - #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_TLS_SHA1)) - ret = BuildSHA_CertVerify(ssl, hashes->sha); - if (ret != 0) - return ret; - #endif - } - - return ret; -} - -#endif /* WOLFSSL_LEANPSK */ - -/* Persistable BuildMessage arguments */ -typedef struct BuildMsgArgs { - word32 digestSz; - word32 sz; - word32 pad; - word32 idx; - word32 headerSz; - word16 size; - word32 ivSz; /* TLSv1.1 IV */ - byte iv[AES_BLOCK_SIZE]; /* max size */ -} BuildMsgArgs; - -static void FreeBuildMsgArgs(WOLFSSL* ssl, void* pArgs) -{ - BuildMsgArgs* args = (BuildMsgArgs*)pArgs; - - (void)ssl; - (void)args; - - /* no allocations in BuildMessage */ -} - -/* Build SSL Message, encrypted */ -int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input, - int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay) -{ - int ret = 0; -#ifdef WOLFSSL_ASYNC_CRYPT - BuildMsgArgs* args = (BuildMsgArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); -#else - BuildMsgArgs args[1]; -#endif - - WOLFSSL_ENTER("BuildMessage"); - - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - -#ifdef WOLFSSL_TLS13 - if (ssl->options.tls1_3) { - return BuildTls13Message(ssl, output, outSz, input, inSz, type, - hashOutput, sizeOnly); - } -#endif - - ret = WC_NOT_PENDING_E; -#ifdef WOLFSSL_ASYNC_CRYPT - if (asyncOkay) { - ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_buildmsg; - } - } -#endif - - /* Reset state */ - if (ret == WC_NOT_PENDING_E) { - ret = 0; - ssl->options.buildMsgState = BUILD_MSG_BEGIN; - XMEMSET(args, 0, sizeof(BuildMsgArgs)); - - args->sz = RECORD_HEADER_SZ + inSz; - args->idx = RECORD_HEADER_SZ; - args->headerSz = RECORD_HEADER_SZ; - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeBuildMsgArgs; - #endif - } - - switch (ssl->options.buildMsgState) { - case BUILD_MSG_BEGIN: - { - /* catch mistaken sizeOnly parameter */ - if (!sizeOnly && (output == NULL || input == NULL) ) { - return BAD_FUNC_ARG; - } - if (sizeOnly && (output || input) ) { - WOLFSSL_MSG("BuildMessage w/sizeOnly doesn't need input/output"); - return BAD_FUNC_ARG; - } - - ssl->options.buildMsgState = BUILD_MSG_SIZE; - } - FALL_THROUGH; - case BUILD_MSG_SIZE: - { - args->digestSz = ssl->specs.hash_size; - #ifdef HAVE_TRUNCATED_HMAC - if (ssl->truncated_hmac) - args->digestSz = min(TRUNCATED_HMAC_SZ, args->digestSz); - #endif - args->sz += args->digestSz; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->sz += DTLS_RECORD_EXTRA; - args->idx += DTLS_RECORD_EXTRA; - args->headerSz += DTLS_RECORD_EXTRA; - } - #endif - - if (ssl->specs.cipher_type == block) { - word32 blockSz = ssl->specs.block_size; - if (ssl->options.tls1_1) { - args->ivSz = blockSz; - args->sz += args->ivSz; - - if (args->ivSz > (word32)sizeof(args->iv)) - ERROR_OUT(BUFFER_E, exit_buildmsg); - } - args->sz += 1; /* pad byte */ - args->pad = (args->sz - args->headerSz) % blockSz; - args->pad = blockSz - args->pad; - args->sz += args->pad; - } - - #ifdef HAVE_AEAD - if (ssl->specs.cipher_type == aead) { - if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) - args->ivSz = AESGCM_EXP_IV_SZ; - - args->sz += (args->ivSz + ssl->specs.aead_mac_size - args->digestSz); - } - #endif - - /* done with size calculations */ - if (sizeOnly) - goto exit_buildmsg; - - if (args->sz > (word32)outSz) { - WOLFSSL_MSG("Oops, want to write past output buffer size"); - ERROR_OUT(BUFFER_E, exit_buildmsg); - } - - if (args->ivSz > 0) { - ret = wc_RNG_GenerateBlock(ssl->rng, args->iv, args->ivSz); - if (ret != 0) - goto exit_buildmsg; - - } - - #ifdef HAVE_AEAD - if (ssl->specs.cipher_type == aead) { - if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) - XMEMCPY(args->iv, ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ); - } - #endif - - args->size = (word16)(args->sz - args->headerSz); /* include mac and digest */ - AddRecordHeader(output, args->size, (byte)type, ssl); - - /* write to output */ - if (args->ivSz) { - XMEMCPY(output + args->idx, args->iv, - min(args->ivSz, sizeof(args->iv))); - args->idx += args->ivSz; - } - XMEMCPY(output + args->idx, input, inSz); - args->idx += inSz; - - ssl->options.buildMsgState = BUILD_MSG_HASH; - } - FALL_THROUGH; - case BUILD_MSG_HASH: - { - word32 i; - - if (type == handshake && hashOutput) { - ret = HashOutput(ssl, output, args->headerSz + inSz, args->ivSz); - if (ret != 0) - goto exit_buildmsg; - } - if (ssl->specs.cipher_type == block) { - word32 tmpIdx = args->idx + args->digestSz; - - for (i = 0; i <= args->pad; i++) - output[tmpIdx++] = (byte)args->pad; /* pad byte gets pad value */ - } - - ssl->options.buildMsgState = BUILD_MSG_VERIFY_MAC; - } - FALL_THROUGH; - case BUILD_MSG_VERIFY_MAC: - { - /* User Record Layer Callback handling */ - #ifdef ATOMIC_USER - if (ssl->ctx->MacEncryptCb) { - ret = ssl->ctx->MacEncryptCb(ssl, output + args->idx, - output + args->headerSz + args->ivSz, inSz, type, 0, - output + args->headerSz, output + args->headerSz, args->size, - ssl->MacEncryptCtx); - goto exit_buildmsg; - } - #endif - - if (ssl->specs.cipher_type != aead) { - #ifdef HAVE_TRUNCATED_HMAC - if (ssl->truncated_hmac && ssl->specs.hash_size > args->digestSz) { - #ifdef WOLFSSL_SMALL_STACK - byte* hmac = NULL; - #else - byte hmac[MAX_DIGEST_SIZE]; - #endif - - #ifdef WOLFSSL_SMALL_STACK - hmac = (byte*)XMALLOC(MAX_DIGEST_SIZE, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (hmac == NULL) - ERROR_OUT(MEMORY_E, exit_buildmsg); - #endif - - ret = ssl->hmac(ssl, hmac, output + args->headerSz + args->ivSz, inSz, - type, 0); - XMEMCPY(output + args->idx, hmac, args->digestSz); - - #ifdef WOLFSSL_SMALL_STACK - XFREE(hmac, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - } - else - #endif - ret = ssl->hmac(ssl, output + args->idx, output + args->headerSz + args->ivSz, - inSz, type, 0); - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - } - if (ret != 0) - goto exit_buildmsg; - - ssl->options.buildMsgState = BUILD_MSG_ENCRYPT; - } - FALL_THROUGH; - case BUILD_MSG_ENCRYPT: - { - ret = Encrypt(ssl, output + args->headerSz, output + args->headerSz, args->size, - asyncOkay); - break; - } - } - -exit_buildmsg: - - WOLFSSL_LEAVE("BuildMessage", ret); - -#ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - return ret; - } -#endif - - /* make sure build message state is reset */ - ssl->options.buildMsgState = BUILD_MSG_BEGIN; - - /* return sz on success */ - if (ret == 0) - ret = args->sz; - - /* Final cleanup */ - FreeBuildMsgArgs(ssl, args); - - return ret; -} - - -int SendFinished(WOLFSSL* ssl) -{ - int sendSz, - finishedSz = ssl->options.tls ? TLS_FINISHED_SZ : - FINISHED_SZ; - byte input[FINISHED_SZ + DTLS_HANDSHAKE_HEADER_SZ]; /* max */ - byte *output; - Hashes* hashes; - int ret; - int headerSz = HANDSHAKE_HEADER_SZ; - int outputSz; - - /* setup encrypt keys */ - if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) - return ret; - - /* check for available size */ - outputSz = sizeof(input) + MAX_MSG_EXTRA; - if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) - return ret; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - headerSz += DTLS_HANDSHAKE_EXTRA; - ssl->keys.dtls_epoch++; - ssl->keys.dtls_prev_sequence_number_hi = - ssl->keys.dtls_sequence_number_hi; - ssl->keys.dtls_prev_sequence_number_lo = - ssl->keys.dtls_sequence_number_lo; - ssl->keys.dtls_sequence_number_hi = 0; - ssl->keys.dtls_sequence_number_lo = 0; - } - #endif - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHandShakeHeader(input, finishedSz, 0, finishedSz, finished, ssl); - - /* make finished hashes */ - hashes = (Hashes*)&input[headerSz]; - ret = BuildFinished(ssl, hashes, - ssl->options.side == WOLFSSL_CLIENT_END ? client : server); - if (ret != 0) return ret; - -#ifdef HAVE_SECURE_RENEGOTIATION - if (ssl->secure_renegotiation) { - if (ssl->options.side == WOLFSSL_CLIENT_END) - XMEMCPY(ssl->secure_renegotiation->client_verify_data, hashes, - TLS_FINISHED_SZ); - else - XMEMCPY(ssl->secure_renegotiation->server_verify_data, hashes, - TLS_FINISHED_SZ); - } -#endif - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, input, headerSz + finishedSz)) != 0) - return ret; - } - #endif - - sendSz = BuildMessage(ssl, output, outputSz, input, headerSz + finishedSz, - handshake, 1, 0, 0); - if (sendSz < 0) - return BUILD_MSG_ERROR; - - if (!ssl->options.resuming) { -#ifndef NO_SESSION_CACHE - AddSession(ssl); /* just try */ -#endif - if (ssl->options.side == WOLFSSL_SERVER_END) { - ssl->options.handShakeState = HANDSHAKE_DONE; - ssl->options.handShakeDone = 1; - } - } - else { - if (ssl->options.side == WOLFSSL_CLIENT_END) { - ssl->options.handShakeState = HANDSHAKE_DONE; - ssl->options.handShakeDone = 1; - } - } - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) AddPacketName(ssl, "Finished"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "Finished", handshake, output, sendSz, - WRITE_PROTO, ssl->heap); - #endif - - ssl->buffers.outputBuffer.length += sendSz; - - return SendBuffered(ssl); -} - - -#ifndef NO_CERTS -int SendCertificate(WOLFSSL* ssl) -{ - int ret = 0; - word32 certSz, certChainSz, headerSz, listSz, payloadSz; - word32 length, maxFragment; - - if (ssl->options.usingPSK_cipher || ssl->options.usingAnon_cipher) - return 0; /* not needed */ - - if (ssl->options.sendVerify == SEND_BLANK_CERT) { - certSz = 0; - certChainSz = 0; - headerSz = CERT_HEADER_SZ; - length = CERT_HEADER_SZ; - listSz = 0; - } - else { - if (!ssl->buffers.certificate) { - WOLFSSL_MSG("Send Cert missing certificate buffer"); - return BUFFER_ERROR; - } - certSz = ssl->buffers.certificate->length; - headerSz = 2 * CERT_HEADER_SZ; - /* list + cert size */ - length = certSz + headerSz; - listSz = certSz + CERT_HEADER_SZ; - - /* may need to send rest of chain, already has leading size(s) */ - if (certSz && ssl->buffers.certChain) { - certChainSz = ssl->buffers.certChain->length; - length += certChainSz; - listSz += certChainSz; - } - else - certChainSz = 0; - } - - payloadSz = length; - - if (ssl->fragOffset != 0) - length -= (ssl->fragOffset + headerSz); - - maxFragment = MAX_RECORD_SIZE; - if (ssl->options.dtls) { - #ifdef WOLFSSL_DTLS - maxFragment = MAX_MTU - DTLS_RECORD_HEADER_SZ - - DTLS_HANDSHAKE_HEADER_SZ - 100; - #endif /* WOLFSSL_DTLS */ - } - - #ifdef HAVE_MAX_FRAGMENT - if (ssl->max_fragment != 0 && maxFragment >= ssl->max_fragment) - maxFragment = ssl->max_fragment; - #endif /* HAVE_MAX_FRAGMENT */ - - while (length > 0 && ret == 0) { - byte* output = NULL; - word32 fragSz = 0; - word32 i = RECORD_HEADER_SZ; - int sendSz = RECORD_HEADER_SZ; - - if (!ssl->options.dtls) { - if (ssl->fragOffset == 0) { - if (headerSz + certSz + certChainSz <= - maxFragment - HANDSHAKE_HEADER_SZ) { - - fragSz = headerSz + certSz + certChainSz; - } - else { - fragSz = maxFragment - HANDSHAKE_HEADER_SZ; - } - sendSz += fragSz + HANDSHAKE_HEADER_SZ; - i += HANDSHAKE_HEADER_SZ; - } - else { - fragSz = min(length, maxFragment); - sendSz += fragSz; - } - - if (IsEncryptionOn(ssl, 1)) - sendSz += MAX_MSG_EXTRA; - } - else { - #ifdef WOLFSSL_DTLS - fragSz = min(length, maxFragment); - sendSz += fragSz + DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA - + HANDSHAKE_HEADER_SZ; - i += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA - + HANDSHAKE_HEADER_SZ; - #endif - } - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - if (ssl->fragOffset == 0) { - if (!ssl->options.dtls) { - AddFragHeaders(output, fragSz, 0, payloadSz, certificate, ssl); - if (!IsEncryptionOn(ssl, 1)) - HashOutputRaw(ssl, output + RECORD_HEADER_SZ, - HANDSHAKE_HEADER_SZ); - } - else { - #ifdef WOLFSSL_DTLS - AddHeaders(output, payloadSz, certificate, ssl); - if (!IsEncryptionOn(ssl, 1)) - HashOutputRaw(ssl, - output + RECORD_HEADER_SZ + DTLS_RECORD_EXTRA, - HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA); - /* Adding the headers increments these, decrement them for - * actual message header. */ - ssl->keys.dtls_handshake_number--; - AddFragHeaders(output, fragSz, 0, payloadSz, certificate, ssl); - ssl->keys.dtls_handshake_number--; - #endif /* WOLFSSL_DTLS */ - } - - /* list total */ - c32to24(listSz, output + i); - if (!IsEncryptionOn(ssl, 1)) - HashOutputRaw(ssl, output + i, CERT_HEADER_SZ); - i += CERT_HEADER_SZ; - length -= CERT_HEADER_SZ; - fragSz -= CERT_HEADER_SZ; - if (certSz) { - c32to24(certSz, output + i); - if (!IsEncryptionOn(ssl, 1)) - HashOutputRaw(ssl, output + i, CERT_HEADER_SZ); - i += CERT_HEADER_SZ; - length -= CERT_HEADER_SZ; - fragSz -= CERT_HEADER_SZ; - - if (!IsEncryptionOn(ssl, 1)) { - HashOutputRaw(ssl, ssl->buffers.certificate->buffer, certSz); - if (certChainSz) - HashOutputRaw(ssl, ssl->buffers.certChain->buffer, - certChainSz); - } - } - } - else { - if (!ssl->options.dtls) { - AddRecordHeader(output, fragSz, handshake, ssl); - } - else { - #ifdef WOLFSSL_DTLS - AddFragHeaders(output, fragSz, ssl->fragOffset + headerSz, - payloadSz, certificate, ssl); - ssl->keys.dtls_handshake_number--; - #endif /* WOLFSSL_DTLS */ - } - } - - /* member */ - if (certSz && ssl->fragOffset < certSz) { - word32 copySz = min(certSz - ssl->fragOffset, fragSz); - XMEMCPY(output + i, - ssl->buffers.certificate->buffer + ssl->fragOffset, copySz); - i += copySz; - ssl->fragOffset += copySz; - length -= copySz; - fragSz -= copySz; - } - if (certChainSz && fragSz) { - word32 copySz = min(certChainSz + certSz - ssl->fragOffset, fragSz); - XMEMCPY(output + i, - ssl->buffers.certChain->buffer + ssl->fragOffset - certSz, - copySz); - i += copySz; - ssl->fragOffset += copySz; - length -= copySz; - } - - if (IsEncryptionOn(ssl, 1)) { - byte* input = NULL; - int inputSz = i - RECORD_HEADER_SZ; /* build msg adds rec hdr */ - - if (inputSz < 0) { - WOLFSSL_MSG("Send Cert bad inputSz"); - return BUFFER_E; - } - - if (inputSz > 0) { /* clang thinks could be zero, let's help */ - input = (byte*)XMALLOC(inputSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (input == NULL) - return MEMORY_E; - XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); - } - - sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, - handshake, 1, 0, 0); - - if (inputSz > 0) - XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - - if (sendSz < 0) - return sendSz; - } - else { - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - } - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) - return ret; - } - #endif - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "Certificate"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "Certificate", handshake, output, sendSz, - WRITE_PROTO, ssl->heap); - #endif - - ssl->buffers.outputBuffer.length += sendSz; - if (!ssl->options.groupMessages) - ret = SendBuffered(ssl); - } - - if (ret != WANT_WRITE) { - /* Clean up the fragment offset. */ - ssl->fragOffset = 0; - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - ssl->keys.dtls_handshake_number++; - #endif - if (ssl->options.side == WOLFSSL_SERVER_END) - ssl->options.serverState = SERVER_CERT_COMPLETE; - } - - return ret; -} - - -int SendCertificateRequest(WOLFSSL* ssl) -{ - byte *output; - int ret; - int sendSz; - word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - - int typeTotal = 1; /* only 1 for now */ - int reqSz = ENUM_LEN + typeTotal + REQ_HEADER_SZ; /* add auth later */ - - if (IsAtLeastTLSv1_2(ssl)) - reqSz += LENGTH_SZ + ssl->suites->hashSigAlgoSz; - - if (ssl->options.usingPSK_cipher || ssl->options.usingAnon_cipher) - return 0; /* not needed */ - - sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - i += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(output, reqSz, certificate_request, ssl); - - /* write to output */ - output[i++] = (byte)typeTotal; /* # of types */ -#ifdef HAVE_ECC - if ((ssl->options.cipherSuite0 == ECC_BYTE || - ssl->options.cipherSuite0 == CHACHA_BYTE) && - ssl->specs.sig_algo == ecc_dsa_sa_algo) { - output[i++] = ecdsa_sign; - } else -#endif /* HAVE_ECC */ - { - output[i++] = rsa_sign; - } - - /* supported hash/sig */ - if (IsAtLeastTLSv1_2(ssl)) { - c16toa(ssl->suites->hashSigAlgoSz, &output[i]); - i += LENGTH_SZ; - - XMEMCPY(&output[i], - ssl->suites->hashSigAlgo, ssl->suites->hashSigAlgoSz); - i += ssl->suites->hashSigAlgoSz; - } - - c16toa(0, &output[i]); /* auth's */ - /* if add more to output, adjust i - i += REQ_HEADER_SZ; */ - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) - return ret; - } - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - - ret = HashOutput(ssl, output, sendSz, 0); - if (ret != 0) - return ret; - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "CertificateRequest"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "CertificateRequest", handshake, output, sendSz, - WRITE_PROTO, ssl->heap); - #endif - ssl->buffers.outputBuffer.length += sendSz; - if (ssl->options.groupMessages) - return 0; - else - return SendBuffered(ssl); -} - -#ifndef NO_WOLFSSL_SERVER -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) -static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status, - byte count) -{ - byte* output = NULL; - word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - word32 length = ENUM_LEN; - int sendSz = 0; - int ret = 0; - int i = 0; - - WOLFSSL_ENTER("BuildCertificateStatus"); - - switch (type) { - case WOLFSSL_CSR2_OCSP_MULTI: - length += OPAQUE24_LEN; - FALL_THROUGH; /* followed by */ - - case WOLFSSL_CSR2_OCSP: - for (i = 0; i < count; i++) - length += OPAQUE24_LEN + status[i].length; - break; - - default: - return 0; - } - - sendSz = idx + length; - - if (ssl->keys.encryptionOn) - sendSz += MAX_MSG_EXTRA; - - if ((ret = CheckAvailableSize(ssl, sendSz)) == 0) { - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(output, length, certificate_status, ssl); - - output[idx++] = type; - - if (type == WOLFSSL_CSR2_OCSP_MULTI) { - c32to24(length - (ENUM_LEN + OPAQUE24_LEN), output + idx); - idx += OPAQUE24_LEN; - } - - for (i = 0; i < count; i++) { - c32to24(status[i].length, output + idx); - idx += OPAQUE24_LEN; - - XMEMCPY(output + idx, status[i].buffer, status[i].length); - idx += status[i].length; - } - - if (IsEncryptionOn(ssl, 1)) { - byte* input; - int inputSz = idx - RECORD_HEADER_SZ; - - input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (input == NULL) - return MEMORY_E; - - XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); - sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, - handshake, 1, 0, 0); - XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - - if (sendSz < 0) - ret = sendSz; - } - else { - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - ret = HashOutput(ssl, output, sendSz, 0); - } - - #ifdef WOLFSSL_DTLS - if (ret == 0 && IsDtlsNotSctpMode(ssl)) - ret = DtlsMsgPoolSave(ssl, output, sendSz); - #endif - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ret == 0 && ssl->hsInfoOn) - AddPacketName(ssl, "CertificateStatus"); - if (ret == 0 && ssl->toInfoOn) - AddPacketInfo(ssl, "CertificateStatus", handshake, output, sendSz, - WRITE_PROTO, ssl->heap); - #endif - - if (ret == 0) { - ssl->buffers.outputBuffer.length += sendSz; - if (!ssl->options.groupMessages) - ret = SendBuffered(ssl); - } - } - - WOLFSSL_LEAVE("BuildCertificateStatus", ret); - return ret; -} -#endif -#endif /* NO_WOLFSSL_SERVER */ - - -int SendCertificateStatus(WOLFSSL* ssl) -{ - int ret = 0; - byte status_type = 0; - - WOLFSSL_ENTER("SendCertificateStatus"); - - (void) ssl; - -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST - status_type = ssl->status_request; -#endif - -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - status_type = status_type ? status_type : ssl->status_request_v2; -#endif - - switch (status_type) { - - #ifndef NO_WOLFSSL_SERVER - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - /* case WOLFSSL_CSR_OCSP: */ - case WOLFSSL_CSR2_OCSP: - { - OcspRequest* request = ssl->ctx->certOcspRequest; - buffer response; - - XMEMSET(&response, 0, sizeof(response)); - - /* unable to fetch status. skip. */ - if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0) - return 0; - - if (request == NULL || ssl->buffers.weOwnCert) { - DerBuffer* der = ssl->buffers.certificate; - #ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; - #else - DecodedCert cert[1]; - #endif - - /* unable to fetch status. skip. */ - if (der->buffer == NULL || der->length == 0) - return 0; - - #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (cert == NULL) - return MEMORY_E; - #endif - - InitDecodedCert(cert, der->buffer, der->length, ssl->heap); - /* TODO: Setup async support here */ - if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, - ssl->ctx->cm)) != 0) { - WOLFSSL_MSG("ParseCert failed"); - } - else { - request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), - ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - if (request) { - ret = InitOcspRequest(request, cert, 0, ssl->heap); - if (ret == 0) { - /* make sure ctx OCSP request is updated */ - if (!ssl->buffers.weOwnCert) { - wolfSSL_Mutex* ocspLock = - &ssl->ctx->cm->ocsp_stapling->ocspLock; - if (wc_LockMutex(ocspLock) == 0) { - if (ssl->ctx->certOcspRequest == NULL) - ssl->ctx->certOcspRequest = request; - wc_UnLockMutex(ocspLock); - } - } - } - else { - XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - request = NULL; - } - } - else { - ret = MEMORY_E; - } - } - - FreeDecodedCert(cert); - - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - } - - if (ret == 0) { - #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - request->ssl = ssl; - #endif - ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, - &response); - - /* Suppressing, not critical */ - if (ret == OCSP_CERT_REVOKED || - ret == OCSP_CERT_UNKNOWN || - ret == OCSP_LOOKUP_FAIL) { - ret = 0; - } - - if (response.buffer) { - if (ret == 0) - ret = BuildCertificateStatus(ssl, status_type, - &response, 1); - - XFREE(response.buffer, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - - } - - if (request != ssl->ctx->certOcspRequest) - XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - - break; - } - - #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ - /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ - - #if defined HAVE_CERTIFICATE_STATUS_REQUEST_V2 - case WOLFSSL_CSR2_OCSP_MULTI: - { - OcspRequest* request = ssl->ctx->certOcspRequest; - buffer responses[1 + MAX_CHAIN_DEPTH]; - int i = 0; - - XMEMSET(responses, 0, sizeof(responses)); - - /* unable to fetch status. skip. */ - if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0) - return 0; - - if (!request || ssl->buffers.weOwnCert) { - DerBuffer* der = ssl->buffers.certificate; - #ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; - #else - DecodedCert cert[1]; - #endif - - /* unable to fetch status. skip. */ - if (der->buffer == NULL || der->length == 0) - return 0; - - #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (cert == NULL) - return MEMORY_E; - #endif - - InitDecodedCert(cert, der->buffer, der->length, ssl->heap); - /* TODO: Setup async support here */ - if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, - ssl->ctx->cm)) != 0) { - WOLFSSL_MSG("ParseCert failed"); - } - else { - request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), - ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - if (request) { - ret = InitOcspRequest(request, cert, 0, ssl->heap); - if (ret == 0) { - /* make sure ctx OCSP request is updated */ - if (!ssl->buffers.weOwnCert) { - wolfSSL_Mutex* ocspLock = - &ssl->ctx->cm->ocsp_stapling->ocspLock; - if (wc_LockMutex(ocspLock) == 0) { - if (ssl->ctx->certOcspRequest == NULL) - ssl->ctx->certOcspRequest = request; - wc_UnLockMutex(ocspLock); - } - } - } - else { - XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - request = NULL; - } - } - else { - ret = MEMORY_E; - } - } - - FreeDecodedCert(cert); - - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - } - - if (ret == 0) { - #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - request->ssl = ssl; - #endif - ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, - &responses[0]); - - /* Suppressing, not critical */ - if (ret == OCSP_CERT_REVOKED || - ret == OCSP_CERT_UNKNOWN || - ret == OCSP_LOOKUP_FAIL) { - ret = 0; - } - } - - if (request != ssl->ctx->certOcspRequest) - XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - - if (ret == 0 && (!ssl->ctx->chainOcspRequest[0] - || ssl->buffers.weOwnCertChain)) { - buffer der; - word32 idx = 0; - #ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; - #else - DecodedCert cert[1]; - #endif - - XMEMSET(&der, 0, sizeof(buffer)); - - #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (cert == NULL) - return MEMORY_E; - #endif - - while (idx + OPAQUE24_LEN < ssl->buffers.certChain->length) { - c24to32(ssl->buffers.certChain->buffer + idx, &der.length); - idx += OPAQUE24_LEN; - - der.buffer = ssl->buffers.certChain->buffer + idx; - idx += der.length; - - if (idx > ssl->buffers.certChain->length) - break; - - InitDecodedCert(cert, der.buffer, der.length, ssl->heap); - /* TODO: Setup async support here */ - if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, - ssl->ctx->cm)) != 0) { - WOLFSSL_MSG("ParseCert failed"); - break; - } - else { - request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), - ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - if (request == NULL) { - FreeDecodedCert(cert); - - ret = MEMORY_E; - break; - } - - ret = InitOcspRequest(request, cert, 0, ssl->heap); - if (ret == 0) { - /* make sure ctx OCSP request is updated */ - if (!ssl->buffers.weOwnCertChain) { - wolfSSL_Mutex* ocspLock = - &ssl->ctx->cm->ocsp_stapling->ocspLock; - if (wc_LockMutex(ocspLock) == 0) { - if (ssl->ctx->chainOcspRequest[i] == NULL) - ssl->ctx->chainOcspRequest[i] = request; - wc_UnLockMutex(ocspLock); - } - } - } - else { - FreeDecodedCert(cert); - XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - request = NULL; - break; - } - - #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - request->ssl = ssl; - #endif - ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, - request, &responses[i + 1]); - - /* Suppressing, not critical */ - if (ret == OCSP_CERT_REVOKED || - ret == OCSP_CERT_UNKNOWN || - ret == OCSP_LOOKUP_FAIL) { - ret = 0; - } - - if (request != ssl->ctx->chainOcspRequest[i]) - XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - - i++; - } - - FreeDecodedCert(cert); - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - } - else { - while (ret == 0 && - NULL != (request = ssl->ctx->chainOcspRequest[i])) { - #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - request->ssl = ssl; - #endif - ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, - request, &responses[++i]); - - /* Suppressing, not critical */ - if (ret == OCSP_CERT_REVOKED || - ret == OCSP_CERT_UNKNOWN || - ret == OCSP_LOOKUP_FAIL) { - ret = 0; - } - } - } - - if (responses[0].buffer) { - if (ret == 0) - ret = BuildCertificateStatus(ssl, status_type, - responses, (byte)i + 1); - - for (i = 0; i < 1 + MAX_CHAIN_DEPTH; i++) - if (responses[i].buffer) - XFREE(responses[i].buffer, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - } - - break; - } - #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ - #endif /* NO_WOLFSSL_SERVER */ - - default: - break; - } - - return ret; -} - -#endif /* !NO_CERTS */ - - -int SendData(WOLFSSL* ssl, const void* data, int sz) -{ - int sent = 0, /* plainText size */ - sendSz, - ret, - dtlsExtra = 0; - - if (ssl->error == WANT_WRITE || ssl->error == WC_PENDING_E) - ssl->error = 0; - - if (ssl->options.handShakeState != HANDSHAKE_DONE) { - int err; - WOLFSSL_MSG("handshake not complete, trying to finish"); - if ( (err = wolfSSL_negotiate(ssl)) != SSL_SUCCESS) { - /* if async would block return WANT_WRITE */ - if (ssl->error == WC_PENDING_E) { - return WOLFSSL_CBIO_ERR_WANT_WRITE; - } - return err; - } - } - - /* last time system socket output buffer was full, try again to send */ - if (ssl->buffers.outputBuffer.length > 0) { - WOLFSSL_MSG("output buffer was full, trying to send again"); - if ( (ssl->error = SendBuffered(ssl)) < 0) { - WOLFSSL_ERROR(ssl->error); - if (ssl->error == SOCKET_ERROR_E && ssl->options.connReset) - return 0; /* peer reset */ - return ssl->error; - } - else { - /* advance sent to previous sent + plain size just sent */ - sent = ssl->buffers.prevSent + ssl->buffers.plainSz; - WOLFSSL_MSG("sent write buffered data"); - - if (sent > sz) { - WOLFSSL_MSG("error: write() after WANT_WRITE with short size"); - return ssl->error = BAD_FUNC_ARG; - } - } - } - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - dtlsExtra = DTLS_RECORD_EXTRA; - } -#endif - - for (;;) { - int len; - byte* out; - byte* sendBuffer = (byte*)data + sent; /* may switch on comp */ - int buffSz; /* may switch on comp */ - int outputSz; -#ifdef HAVE_LIBZ - byte comp[MAX_RECORD_SIZE + MAX_COMP_EXTRA]; -#endif - - if (sent == sz) break; - - len = min(sz - sent, OUTPUT_RECORD_SIZE); -#ifdef HAVE_MAX_FRAGMENT - len = min(len, ssl->max_fragment); -#endif - -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - len = min(len, MAX_UDP_SIZE); - } -#endif - buffSz = len; - - /* check for available size */ - outputSz = len + COMP_EXTRA + dtlsExtra + MAX_MSG_EXTRA; - if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) - return ssl->error = ret; - - /* get output buffer */ - out = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - -#ifdef HAVE_LIBZ - if (ssl->options.usingCompression) { - buffSz = myCompress(ssl, sendBuffer, buffSz, comp, sizeof(comp)); - if (buffSz < 0) { - return buffSz; - } - sendBuffer = comp; - } -#endif - if (!ssl->options.tls1_3) { - sendSz = BuildMessage(ssl, out, outputSz, sendBuffer, buffSz, - application_data, 0, 0, 1); - } - else { -#ifdef WOLFSSL_TLS13 - sendSz = BuildTls13Message(ssl, out, outputSz, sendBuffer, buffSz, - application_data, 0, 0); -#else - sendSz = BUFFER_ERROR; -#endif - } - if (sendSz < 0) { - #ifdef WOLFSSL_ASYNC_CRYPT - if (sendSz == WC_PENDING_E) - ssl->error = sendSz; - #endif - return BUILD_MSG_ERROR; - } - - ssl->buffers.outputBuffer.length += sendSz; - - if ( (ret = SendBuffered(ssl)) < 0) { - WOLFSSL_ERROR(ret); - /* store for next call if WANT_WRITE or user embedSend() that - doesn't present like WANT_WRITE */ - ssl->buffers.plainSz = len; - ssl->buffers.prevSent = sent; - if (ret == SOCKET_ERROR_E && ssl->options.connReset) - return 0; /* peer reset */ - return ssl->error = ret; - } - - sent += len; - - /* only one message per attempt */ - if (ssl->options.partialWrite == 1) { - WOLFSSL_MSG("Paritial Write on, only sending one record"); - break; - } - } - - return sent; -} - -/* process input data */ -int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek) -{ - int size; - - WOLFSSL_ENTER("ReceiveData()"); - - /* reset error state */ - if (ssl->error == WANT_READ || ssl->error == WC_PENDING_E) { - ssl->error = 0; - } - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - /* In DTLS mode, we forgive some errors and allow the session - * to continue despite them. */ - if (ssl->error == VERIFY_MAC_ERROR || ssl->error == DECRYPT_ERROR) - ssl->error = 0; - } -#endif /* WOLFSSL_DTLS */ - - if (ssl->error != 0 && ssl->error != WANT_WRITE) { - WOLFSSL_MSG("User calling wolfSSL_read in error state, not allowed"); - return ssl->error; - } - - if (ssl->options.handShakeState != HANDSHAKE_DONE) { - int err; - WOLFSSL_MSG("Handshake not complete, trying to finish"); - if ( (err = wolfSSL_negotiate(ssl)) != SSL_SUCCESS) { - #ifdef WOLFSSL_ASYNC_CRYPT - /* if async would block return WANT_WRITE */ - if (ssl->error == WC_PENDING_E) { - return WOLFSSL_CBIO_ERR_WANT_READ; - } - #endif - return err; - } - } - -#ifdef HAVE_SECURE_RENEGOTIATION -startScr: - if (ssl->secure_renegotiation && ssl->secure_renegotiation->startScr) { - int err; - ssl->secure_renegotiation->startScr = 0; /* only start once */ - WOLFSSL_MSG("Need to start scr, server requested"); - if ( (err = wolfSSL_Rehandshake(ssl)) != SSL_SUCCESS) - return err; - } -#endif - - while (ssl->buffers.clearOutputBuffer.length == 0) { - if ( (ssl->error = ProcessReply(ssl)) < 0) { - WOLFSSL_ERROR(ssl->error); - if (ssl->error == ZERO_RETURN) { - WOLFSSL_MSG("Zero return, no more data coming"); - return 0; /* no more data coming */ - } - if (ssl->error == SOCKET_ERROR_E) { - if (ssl->options.connReset || ssl->options.isClosed) { - WOLFSSL_MSG("Peer reset or closed, connection done"); - ssl->error = SOCKET_PEER_CLOSED_E; - WOLFSSL_ERROR(ssl->error); - return 0; /* peer reset or closed */ - } - } - return ssl->error; - } - #ifdef HAVE_SECURE_RENEGOTIATION - if (ssl->secure_renegotiation && - ssl->secure_renegotiation->startScr) { - goto startScr; - } - #endif - } - - if (sz < (int)ssl->buffers.clearOutputBuffer.length) - size = sz; - else - size = ssl->buffers.clearOutputBuffer.length; - - XMEMCPY(output, ssl->buffers.clearOutputBuffer.buffer, size); - - if (peek == 0) { - ssl->buffers.clearOutputBuffer.length -= size; - ssl->buffers.clearOutputBuffer.buffer += size; - } - - if (ssl->buffers.clearOutputBuffer.length == 0 && - ssl->buffers.inputBuffer.dynamicFlag) - ShrinkInputBuffer(ssl, NO_FORCED_FREE); - - WOLFSSL_LEAVE("ReceiveData()", size); - return size; -} - - -/* send alert message */ -int SendAlert(WOLFSSL* ssl, int severity, int type) -{ - byte input[ALERT_SIZE]; - byte *output; - int sendSz; - int ret; - int outputSz; - int dtlsExtra = 0; - -#ifdef HAVE_WRITE_DUP - if (ssl->dupWrite && ssl->dupSide == READ_DUP_SIDE) { - int notifyErr = 0; - - WOLFSSL_MSG("Read dup side cannot write alerts, notifying sibling"); - - if (type == close_notify) { - notifyErr = ZERO_RETURN; - } else if (severity == alert_fatal) { - notifyErr = FATAL_ERROR; - } - - if (notifyErr != 0) { - return NotifyWriteSide(ssl, notifyErr); - } - - return 0; - } -#endif - - /* if sendalert is called again for nonblocking */ - if (ssl->options.sendAlertState != 0) { - ret = SendBuffered(ssl); - if (ret == 0) - ssl->options.sendAlertState = 0; - return ret; - } - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - dtlsExtra = DTLS_RECORD_EXTRA; - #endif - - /* check for available size */ - outputSz = ALERT_SIZE + MAX_MSG_EXTRA + dtlsExtra; - if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - input[0] = (byte)severity; - input[1] = (byte)type; - ssl->alert_history.last_tx.code = type; - ssl->alert_history.last_tx.level = severity; - if (severity == alert_fatal) { - ssl->options.isClosed = 1; /* Don't send close_notify */ - } - - /* only send encrypted alert if handshake actually complete, otherwise - other side may not be able to handle it */ - if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) - sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE, - alert, 0, 0, 0); - else { - - AddRecordHeader(output, ALERT_SIZE, alert, ssl); - output += RECORD_HEADER_SZ; - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - output += DTLS_RECORD_EXTRA; - #endif - XMEMCPY(output, input, ALERT_SIZE); - - sendSz = RECORD_HEADER_SZ + ALERT_SIZE; - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - sendSz += DTLS_RECORD_EXTRA; - #endif - } - if (sendSz < 0) - return BUILD_MSG_ERROR; - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "Alert"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "Alert", alert, output, sendSz, WRITE_PROTO, - ssl->heap); - #endif - - ssl->buffers.outputBuffer.length += sendSz; - ssl->options.sendAlertState = 1; - - return SendBuffered(ssl); -} - -const char* wolfSSL_ERR_reason_error_string(unsigned long e) -{ -#ifdef NO_ERROR_STRINGS - - (void)e; - return "no support for error strings built in"; - -#else - - int error = (int)e; - - /* pass to wolfCrypt */ - if (error < MAX_CODE_E && error > MIN_CODE_E) { - return wc_GetErrorString(error); - } - - switch (error) { - - case UNSUPPORTED_SUITE : - return "unsupported cipher suite"; - - case INPUT_CASE_ERROR : - return "input state error"; - - case PREFIX_ERROR : - return "bad index to key rounds"; - - case MEMORY_ERROR : - return "out of memory"; - - case VERIFY_FINISHED_ERROR : - return "verify problem on finished"; - - case VERIFY_MAC_ERROR : - return "verify mac problem"; - - case PARSE_ERROR : - return "parse error on header"; - - case SIDE_ERROR : - return "wrong client/server type"; - - case NO_PEER_CERT : - return "peer didn't send cert"; - - case UNKNOWN_HANDSHAKE_TYPE : - return "weird handshake type"; - - case SOCKET_ERROR_E : - return "error state on socket"; - - case SOCKET_NODATA : - return "expected data, not there"; - - case INCOMPLETE_DATA : - return "don't have enough data to complete task"; - - case UNKNOWN_RECORD_TYPE : - return "unknown type in record hdr"; - - case DECRYPT_ERROR : - return "error during decryption"; - - case FATAL_ERROR : - return "revcd alert fatal error"; - - case ENCRYPT_ERROR : - return "error during encryption"; - - case FREAD_ERROR : - return "fread problem"; - - case NO_PEER_KEY : - return "need peer's key"; - - case NO_PRIVATE_KEY : - return "need the private key"; - - case NO_DH_PARAMS : - return "server missing DH params"; - - case RSA_PRIVATE_ERROR : - return "error during rsa priv op"; - - case MATCH_SUITE_ERROR : - return "can't match cipher suite"; - - case COMPRESSION_ERROR : - return "compression mismatch error"; - - case BUILD_MSG_ERROR : - return "build message failure"; - - case BAD_HELLO : - return "client hello malformed"; - - case DOMAIN_NAME_MISMATCH : - return "peer subject name mismatch"; - - case WANT_READ : - case SSL_ERROR_WANT_READ : - return "non-blocking socket wants data to be read"; - - case NOT_READY_ERROR : - return "handshake layer not ready yet, complete first"; - - case PMS_VERSION_ERROR : - return "premaster secret version mismatch error"; - - case VERSION_ERROR : - return "record layer version error"; - - case WANT_WRITE : - case SSL_ERROR_WANT_WRITE : - return "non-blocking socket write buffer full"; - - case BUFFER_ERROR : - return "malformed buffer input error"; - - case VERIFY_CERT_ERROR : - return "verify problem on certificate"; - - case VERIFY_SIGN_ERROR : - return "verify problem based on signature"; - - case CLIENT_ID_ERROR : - return "psk client identity error"; - - case SERVER_HINT_ERROR: - return "psk server hint error"; - - case PSK_KEY_ERROR: - return "psk key callback error"; - - case NTRU_KEY_ERROR: - return "NTRU key error"; - - case NTRU_DRBG_ERROR: - return "NTRU drbg error"; - - case NTRU_ENCRYPT_ERROR: - return "NTRU encrypt error"; - - case NTRU_DECRYPT_ERROR: - return "NTRU decrypt error"; - - case ZLIB_INIT_ERROR: - return "zlib init error"; - - case ZLIB_COMPRESS_ERROR: - return "zlib compress error"; - - case ZLIB_DECOMPRESS_ERROR: - return "zlib decompress error"; - - case GETTIME_ERROR: - return "gettimeofday() error"; - - case GETITIMER_ERROR: - return "getitimer() error"; - - case SIGACT_ERROR: - return "sigaction() error"; - - case SETITIMER_ERROR: - return "setitimer() error"; - - case LENGTH_ERROR: - return "record layer length error"; - - case PEER_KEY_ERROR: - return "cant decode peer key"; - - case ZERO_RETURN: - case SSL_ERROR_ZERO_RETURN: - return "peer sent close notify alert"; - - case ECC_CURVETYPE_ERROR: - return "Bad ECC Curve Type or unsupported"; - - case ECC_CURVE_ERROR: - return "Bad ECC Curve or unsupported"; - - case ECC_PEERKEY_ERROR: - return "Bad ECC Peer Key"; - - case ECC_MAKEKEY_ERROR: - return "ECC Make Key failure"; - - case ECC_EXPORT_ERROR: - return "ECC Export Key failure"; - - case ECC_SHARED_ERROR: - return "ECC DHE shared failure"; - - case NOT_CA_ERROR: - return "Not a CA by basic constraint error"; - - case HTTP_TIMEOUT: - return "HTTP timeout for OCSP or CRL req"; - - case BAD_CERT_MANAGER_ERROR: - return "Bad Cert Manager error"; - - case OCSP_CERT_REVOKED: - return "OCSP Cert revoked"; - - case CRL_CERT_REVOKED: - return "CRL Cert revoked"; - - case CRL_MISSING: - return "CRL missing, not loaded"; - - case MONITOR_SETUP_E: - return "CRL monitor setup error"; - - case THREAD_CREATE_E: - return "Thread creation problem"; - - case OCSP_NEED_URL: - return "OCSP need URL"; - - case OCSP_CERT_UNKNOWN: - return "OCSP Cert unknown"; - - case OCSP_LOOKUP_FAIL: - return "OCSP Responder lookup fail"; - - case MAX_CHAIN_ERROR: - return "Maximum Chain Depth Exceeded"; - - case COOKIE_ERROR: - return "DTLS Cookie Error"; - - case SEQUENCE_ERROR: - return "DTLS Sequence Error"; - - case SUITES_ERROR: - return "Suites Pointer Error"; - - case SSL_NO_PEM_HEADER: - return "No PEM Header Error"; - - case OUT_OF_ORDER_E: - return "Out of order message, fatal"; - - case BAD_KEA_TYPE_E: - return "Bad KEA type found"; - - case SANITY_CIPHER_E: - return "Sanity check on ciphertext failed"; - - case RECV_OVERFLOW_E: - return "Receive callback returned more than requested"; - - case GEN_COOKIE_E: - return "Generate Cookie Error"; - - case NO_PEER_VERIFY: - return "Need peer certificate verify Error"; - - case FWRITE_ERROR: - return "fwrite Error"; - - case CACHE_MATCH_ERROR: - return "Cache restore header match Error"; - - case UNKNOWN_SNI_HOST_NAME_E: - return "Unrecognized host name Error"; - - case UNKNOWN_MAX_FRAG_LEN_E: - return "Unrecognized max frag len Error"; - - case KEYUSE_SIGNATURE_E: - return "Key Use digitalSignature not set Error"; - - case KEYUSE_ENCIPHER_E: - return "Key Use keyEncipherment not set Error"; - - case EXTKEYUSE_AUTH_E: - return "Ext Key Use server/client auth not set Error"; - - case SEND_OOB_READ_E: - return "Send Callback Out of Bounds Read Error"; - - case SECURE_RENEGOTIATION_E: - return "Invalid Renegotiation Error"; - - case SESSION_TICKET_LEN_E: - return "Session Ticket Too Long Error"; - - case SESSION_TICKET_EXPECT_E: - return "Session Ticket Error"; - - case SCR_DIFFERENT_CERT_E: - return "Peer sent different cert during SCR"; - - case SESSION_SECRET_CB_E: - return "Session Secret Callback Error"; - - case NO_CHANGE_CIPHER_E: - return "Finished received from peer before Change Cipher Error"; - - case SANITY_MSG_E: - return "Sanity Check on message order Error"; - - case DUPLICATE_MSG_E: - return "Duplicate HandShake message Error"; - - case SNI_UNSUPPORTED: - return "Protocol version does not support SNI Error"; - - case SOCKET_PEER_CLOSED_E: - return "Peer closed underlying transport Error"; - - case BAD_TICKET_KEY_CB_SZ: - return "Bad user session ticket key callback Size Error"; - - case BAD_TICKET_MSG_SZ: - return "Bad session ticket message Size Error"; - - case BAD_TICKET_ENCRYPT: - return "Bad user ticket callback encrypt Error"; - - case DH_KEY_SIZE_E: - return "DH key too small Error"; - - case SNI_ABSENT_ERROR: - return "No Server Name Indication extension Error"; - - case RSA_SIGN_FAULT: - return "RSA Signature Fault Error"; - - case HANDSHAKE_SIZE_ERROR: - return "Handshake message too large Error"; - - case UNKNOWN_ALPN_PROTOCOL_NAME_E: - return "Unrecognized protocol name Error"; - - case BAD_CERTIFICATE_STATUS_ERROR: - return "Bad Certificate Status Message Error"; - - case OCSP_INVALID_STATUS: - return "Invalid OCSP Status Error"; - - case RSA_KEY_SIZE_E: - return "RSA key too small"; - - case ECC_KEY_SIZE_E: - return "ECC key too small"; - - case DTLS_EXPORT_VER_E: - return "Version needs updated after code change or version mismatch"; - - case INPUT_SIZE_E: - return "Input size too large Error"; - - case CTX_INIT_MUTEX_E: - return "Initialize ctx mutex error"; - - case EXT_MASTER_SECRET_NEEDED_E: - return "Extended Master Secret must be enabled to resume EMS session"; - - case DTLS_POOL_SZ_E: - return "Maximum DTLS pool size exceeded"; - - case DECODE_E: - return "Decode handshake message error"; - - case WRITE_DUP_READ_E: - return "Write dup write side can't read error"; - - case WRITE_DUP_WRITE_E: - return "Write dup read side can't write error"; - - case INVALID_CERT_CTX_E: - return "Certificate context does not match request or not empty"; - - case BAD_KEY_SHARE_DATA: - return "The Key Share data contains group that was in Client Hello"; - - case MISSING_HANDSHAKE_DATA: - return "The handshake message is missing required data"; - - case BAD_BINDER: - return "Binder value does not match value server calculated"; - - case EXT_NOT_ALLOWED: - return "Extension type not allowed in handshake message type"; - - case INVALID_PARAMETER: - return "The security parameter is invalid"; - - case KEY_SHARE_ERROR: - return "Key share extension did not contain a valid named group"; - - default : - return "unknown error number"; - } - -#endif /* NO_ERROR_STRINGS */ -} - -void SetErrorString(int error, char* str) -{ - XSTRNCPY(str, wolfSSL_ERR_reason_error_string(error), WOLFSSL_MAX_ERROR_SZ); -} - - -/* be sure to add to cipher_name_idx too !!!! */ -static const char* const cipher_names[] = -{ -#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA - "RC4-SHA", -#endif - -#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5 - "RC4-MD5", -#endif - -#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA - "DES-CBC3-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA - "AES128-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA - "AES256-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_NULL_SHA - "NULL-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256 - "NULL-SHA256", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA - "DHE-RSA-AES128-SHA", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA - "DHE-RSA-AES256-SHA", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - "DHE-PSK-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - "DHE-PSK-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384 - "PSK-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256 - "PSK-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 - "DHE-PSK-AES256-CBC-SHA384", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - "DHE-PSK-AES128-CBC-SHA256", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384 - "PSK-AES256-CBC-SHA384", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 - "PSK-AES128-CBC-SHA256", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA - "PSK-AES128-CBC-SHA", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA - "PSK-AES256-CBC-SHA", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM - "DHE-PSK-AES128-CCM", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CCM - "DHE-PSK-AES256-CCM", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM - "PSK-AES128-CCM", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM - "PSK-AES256-CCM", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8 - "PSK-AES128-CCM-8", -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8 - "PSK-AES256-CCM-8", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384 - "DHE-PSK-NULL-SHA384", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256 - "DHE-PSK-NULL-SHA256", -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA384 - "PSK-NULL-SHA384", -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256 - "PSK-NULL-SHA256", -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA - "PSK-NULL-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_MD5 - "HC128-MD5", -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_SHA - "HC128-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_B2B256 - "HC128-B2B256", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256 - "AES128-B2B256", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256 - "AES256-B2B256", -#endif - -#ifdef BUILD_TLS_RSA_WITH_RABBIT_SHA - "RABBIT-SHA", -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA - "NTRU-RC4-SHA", -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA - "NTRU-DES-CBC3-SHA", -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA - "NTRU-AES128-SHA", -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA - "NTRU-AES256-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 - "AES128-CCM-8", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8 - "AES256-CCM-8", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM - "ECDHE-ECDSA-AES128-CCM", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 - "ECDHE-ECDSA-AES128-CCM-8", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 - "ECDHE-ECDSA-AES256-CCM-8", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - "ECDHE-RSA-AES128-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - "ECDHE-RSA-AES256-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - "ECDHE-ECDSA-AES128-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - "ECDHE-ECDSA-AES256-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA - "ECDHE-RSA-RC4-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - "ECDHE-RSA-DES-CBC3-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - "ECDHE-ECDSA-RC4-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - "ECDHE-ECDSA-DES-CBC3-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 - "AES128-SHA256", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 - "AES256-SHA256", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - "DHE-RSA-AES128-SHA256", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - "DHE-RSA-AES256-SHA256", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - "ECDH-RSA-AES128-SHA", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - "ECDH-RSA-AES256-SHA", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - "ECDH-ECDSA-AES128-SHA", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - "ECDH-ECDSA-AES256-SHA", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA - "ECDH-RSA-RC4-SHA", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - "ECDH-RSA-DES-CBC3-SHA", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - "ECDH-ECDSA-RC4-SHA", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - "ECDH-ECDSA-DES-CBC3-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 - "AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 - "AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - "DHE-RSA-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - "DHE-RSA-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - "ECDHE-RSA-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - "ECDHE-RSA-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - "ECDHE-ECDSA-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - "ECDHE-ECDSA-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - "ECDH-RSA-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - "ECDH-RSA-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - "ECDH-ECDSA-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - "ECDH-ECDSA-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - "CAMELLIA128-SHA", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - "DHE-RSA-CAMELLIA128-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - "CAMELLIA256-SHA", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - "DHE-RSA-CAMELLIA256-SHA", -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - "CAMELLIA128-SHA256", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - "DHE-RSA-CAMELLIA128-SHA256", -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - "CAMELLIA256-SHA256", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - "DHE-RSA-CAMELLIA256-SHA256", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - "ECDHE-RSA-AES128-SHA256", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - "ECDHE-ECDSA-AES128-SHA256", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 - "ECDH-RSA-AES128-SHA256", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - "ECDH-ECDSA-AES128-SHA256", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - "ECDHE-RSA-AES256-SHA384", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - "ECDHE-ECDSA-AES256-SHA384", -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - "ECDH-RSA-AES256-SHA384", -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - "ECDH-ECDSA-AES256-SHA384", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - "ECDHE-RSA-CHACHA20-POLY1305", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - "ECDHE-ECDSA-CHACHA20-POLY1305", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - "DHE-RSA-CHACHA20-POLY1305", -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - "ECDHE-RSA-CHACHA20-POLY1305-OLD", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - "ECDHE-ECDSA-CHACHA20-POLY1305-OLD", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - "DHE-RSA-CHACHA20-POLY1305-OLD", -#endif - -#ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA - "ADH-AES128-SHA", -#endif - -#ifdef BUILD_TLS_QSH - "QSH", -#endif - -#ifdef HAVE_RENEGOTIATION_INDICATION - "RENEGOTIATION-INFO", -#endif - -#ifdef BUILD_SSL_RSA_WITH_IDEA_CBC_SHA - "IDEA-CBC-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA - "ECDHE-ECDSA-NULL-SHA", -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256 - "ECDHE-PSK-NULL-SHA256", -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 - "ECDHE-PSK-AES128-CBC-SHA256", -#endif - -#ifdef BUILD_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 - "PSK-CHACHA20-POLY1305", -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - "ECDHE-PSK-CHACHA20-POLY1305", -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - "DHE-PSK-CHACHA20-POLY1305", -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - "EDH-RSA-DES-CBC3-SHA", -#endif - -#ifdef BUILD_TLS_AES_128_GCM_SHA256 - "TLS13-AES128-GCM-SHA256", -#endif - -#ifdef BUILD_TLS_AES_256_GCM_SHA384 - "TLS13-AES256-GCM-SHA384", -#endif - -#ifdef BUILD_TLS_CHACHA20_POLY1305_SHA256 - "TLS13-CHACHA20-POLY1305-SHA256", -#endif - -#ifdef BUILD_TLS_AES_128_CCM_SHA256 - "TLS13-AES128-CCM-SHA256", -#endif - -#ifdef BUILD_TLS_AES_128_CCM_8_SHA256 - "TLS13-AES128-CCM-8-SHA256", -#endif - -}; - - -/* cipher suite number that matches above name table */ -static int cipher_name_idx[] = -{ - -#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA - SSL_RSA_WITH_RC4_128_SHA, -#endif - -#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5 - SSL_RSA_WITH_RC4_128_MD5, -#endif - -#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA - SSL_RSA_WITH_3DES_EDE_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA - TLS_RSA_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA - TLS_RSA_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_NULL_SHA - TLS_RSA_WITH_NULL_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256 - TLS_RSA_WITH_NULL_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA - TLS_DHE_RSA_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA - TLS_DHE_RSA_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384 - TLS_PSK_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256 - TLS_PSK_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 - TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384 - TLS_PSK_WITH_AES_256_CBC_SHA384, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 - TLS_PSK_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA - TLS_PSK_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA - TLS_PSK_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM - TLS_DHE_PSK_WITH_AES_128_CCM, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CCM - TLS_DHE_PSK_WITH_AES_256_CCM, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM - TLS_PSK_WITH_AES_128_CCM, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM - TLS_PSK_WITH_AES_256_CCM, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8 - TLS_PSK_WITH_AES_128_CCM_8, -#endif - -#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8 - TLS_PSK_WITH_AES_256_CCM_8, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384 - TLS_DHE_PSK_WITH_NULL_SHA384, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256 - TLS_DHE_PSK_WITH_NULL_SHA256, -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA384 - TLS_PSK_WITH_NULL_SHA384, -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256 - TLS_PSK_WITH_NULL_SHA256, -#endif - -#ifdef BUILD_TLS_PSK_WITH_NULL_SHA - TLS_PSK_WITH_NULL_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_MD5 - TLS_RSA_WITH_HC_128_MD5, -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_SHA - TLS_RSA_WITH_HC_128_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_HC_128_B2B256 - TLS_RSA_WITH_HC_128_B2B256, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256 - TLS_RSA_WITH_AES_128_CBC_B2B256, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256 - TLS_RSA_WITH_AES_256_CBC_B2B256, -#endif - -#ifdef BUILD_TLS_RSA_WITH_RABBIT_SHA - TLS_RSA_WITH_RABBIT_SHA, -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA - TLS_NTRU_RSA_WITH_RC4_128_SHA, -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA - TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA, -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA - TLS_NTRU_RSA_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA - TLS_NTRU_RSA_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 - TLS_RSA_WITH_AES_128_CCM_8, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8 - TLS_RSA_WITH_AES_256_CCM_8, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM - TLS_ECDHE_ECDSA_WITH_AES_128_CCM, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 - TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 - TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA - TLS_ECDHE_RSA_WITH_RC4_128_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 - TLS_RSA_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 - TLS_RSA_WITH_AES_256_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA - TLS_ECDH_RSA_WITH_RC4_128_SHA, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - TLS_ECDH_ECDSA_WITH_RC4_128_SHA, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 - TLS_RSA_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 - TLS_RSA_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, -#endif - -#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, -#endif - -#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA - TLS_DH_anon_WITH_AES_128_CBC_SHA, -#endif - -#ifdef BUILD_TLS_QSH - TLS_QSH, -#endif - -#ifdef HAVE_RENEGOTIATION_INDICATION - TLS_EMPTY_RENEGOTIATION_INFO_SCSV, -#endif - -#ifdef BUILD_SSL_RSA_WITH_IDEA_CBC_SHA - SSL_RSA_WITH_IDEA_CBC_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA - TLS_ECDHE_ECDSA_WITH_NULL_SHA, -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256 - TLS_ECDHE_PSK_WITH_NULL_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 - TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, -#endif - -#ifdef BUILD_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 - TLS_PSK_WITH_CHACHA20_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, -#endif - -#ifdef BUILD_TLS_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256, -#endif - -#ifdef BUILD_TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384, -#endif - -#ifdef BUILD_TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256, -#endif - -#ifdef BUILD_TLS_AES_128_CCM_SHA256 - TLS_AES_128_CCM_SHA256, -#endif - -#ifdef BUILD_TLS_AES_128_CCM_8_SHA256 - TLS_AES_128_CCM_8_SHA256, -#endif - -}; - - -/* returns the cipher_names array */ -const char* const* GetCipherNames(void) -{ - return cipher_names; -} - - -/* returns the size of the cipher_names array */ -int GetCipherNamesSize(void) -{ - return (int)(sizeof(cipher_names) / sizeof(char*)); -} - -/* gets cipher name in the format DHE-RSA-... rather then TLS_DHE... */ -const char* GetCipherNameInternal(const char* cipherName, int cipherSuite) -{ - const char* result = NULL; - const char* first; - int i; - - if (cipherName == NULL) { - WOLFSSL_MSG("Bad argument"); - return NULL; - } - - first = (XSTRSTR(cipherName, "CHACHA")) ? "CHACHA" - : (XSTRSTR(cipherName, "EC")) ? "EC" - : (XSTRSTR(cipherName, "CCM")) ? "CCM" - : NULL; /* normal */ - - for (i = 0; i < (int)(sizeof(cipher_name_idx)/sizeof(int)); i++) { - if (cipher_name_idx[i] == cipherSuite) { - const char* nameFound = cipher_names[i]; - - /* extra sanity check on returned cipher name */ - if (nameFound == NULL) { - continue; - } - - /* if first is null then not any */ - if (first == NULL) { - if ( !XSTRSTR(nameFound, "CHACHA") && - !XSTRSTR(nameFound, "EC") && - !XSTRSTR(nameFound, "CCM")) { - result = nameFound; - break; - } - } - else if (XSTRSTR(nameFound, first)) { - result = nameFound; - break; - } - } - } - - return result; -} - -const char* wolfSSL_get_cipher_name_internal(WOLFSSL* ssl) -{ - if (ssl == NULL) { - WOLFSSL_MSG("Bad argument"); - return NULL; - } - - return GetCipherNameInternal( - wolfSSL_CIPHER_get_name(&ssl->cipher), - ssl->options.cipherSuite); -} - - -const char* wolfSSL_get_cipher_name_from_suite(const unsigned char cipherSuite, - const unsigned char cipherSuite0) -{ - - WOLFSSL_ENTER("wolfSSL_get_cipher_name_from_suite"); - - (void)cipherSuite; - (void)cipherSuite0; - -#ifndef NO_ERROR_STRINGS - -#if defined(HAVE_CHACHA) - if (cipherSuite0 == CHACHA_BYTE) { - /* ChaCha suites */ - switch (cipherSuite) { -#ifdef HAVE_POLY1305 -#ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"; - - case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"; - - case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - return "TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256"; - - case TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - return "TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256"; -#endif - case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"; - - case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - return "TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256"; -#ifndef NO_PSK - case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"; - case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"; - case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"; -#endif /* NO_PSK */ -#endif /* HAVE_POLY1305 */ - } /* switch */ - } /* chacha */ -#endif /* HAVE_CHACHA */ - -#if defined(HAVE_ECC) || defined(HAVE_AESCCM) - /* Awkwardly, the ECC cipher suites use the ECC_BYTE as expected, - * but the AES-CCM cipher suites also use it, even the ones that - * aren't ECC. */ - if (cipherSuite0 == ECC_BYTE) { - /* ECC suites */ - switch (cipherSuite) { -#ifdef HAVE_ECC - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"; - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"; - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : - return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : - return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"; - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 : - return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : - return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"; -#ifndef NO_SHA - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA : - return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA : - return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : - return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : - return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; - #ifndef NO_RC4 - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_RC4_128_SHA : - return "TLS_ECDHE_RSA_WITH_RC4_128_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : - return "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"; - #endif /* !NO_RC4 */ - #ifndef NO_DES3 - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_DES3 */ - - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA : - return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA : - return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA : - return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA : - return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"; - #ifndef NO_RC4 - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_RC4_128_SHA : - return "TLS_ECDH_RSA_WITH_RC4_128_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_RC4_128_SHA : - return "TLS_ECDH_ECDSA_WITH_RC4_128_SHA"; - #endif /* !NO_RC4 */ - #ifndef NO_DES3 - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_DES3 */ -#endif /* HAVE_ECC */ - -#ifdef HAVE_AESGCM - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : - return "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 : - return "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : - return "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 : - return "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"; - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 : - return "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 : - return "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 : - return "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 : - return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"; -#endif /* HAVE_AESGCM */ - - case TLS_ECDHE_ECDSA_WITH_NULL_SHA : - return "TLS_ECDHE_ECDSA_WITH_NULL_SHA"; - #ifndef NO_PSK - case TLS_ECDHE_PSK_WITH_NULL_SHA256 : - return "TLS_ECDHE_PSK_WITH_NULL_SHA256"; - case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"; - #endif /* !NO_PSK */ - #ifndef NO_RSA - case TLS_RSA_WITH_AES_128_CCM_8 : - return "TLS_RSA_WITH_AES_128_CCM_8"; - case TLS_RSA_WITH_AES_256_CCM_8 : - return "TLS_RSA_WITH_AES_256_CCM_8"; - #endif /* !NO_RSA */ - #ifndef NO_PSK - case TLS_PSK_WITH_AES_128_CCM_8 : - return "TLS_PSK_WITH_AES_128_CCM_8"; - case TLS_PSK_WITH_AES_256_CCM_8 : - return "TLS_PSK_WITH_AES_256_CCM_8"; - case TLS_PSK_WITH_AES_128_CCM : - return "TLS_PSK_WITH_AES_128_CCM"; - case TLS_PSK_WITH_AES_256_CCM : - return "TLS_PSK_WITH_AES_256_CCM"; - case TLS_DHE_PSK_WITH_AES_128_CCM : - return "TLS_DHE_PSK_WITH_AES_128_CCM"; - case TLS_DHE_PSK_WITH_AES_256_CCM : - return "TLS_DHE_PSK_WITH_AES_256_CCM"; - #endif /* !NO_PSK */ - #ifdef HAVE_ECC - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM: - return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM"; - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: - return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"; - case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : - return "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8"; - #endif /* HAVE_ECC */ -#endif /* HAVE_AESGCM */ - - default: - return "NONE"; - } /* switch */ - } /* ECC and AES CCM/GCM */ -#endif /* HAVE_ECC || HAVE_AESCCM*/ - - if (cipherSuite0 == TLS13_BYTE) { - /* TLS v1.3 suites */ - switch (cipherSuite) { -#ifdef WOLFSSL_TLS13 - #ifdef HAVE_AESGCM - case TLS_AES_128_GCM_SHA256 : - return "TLS_AES_128_GCM_SHA256"; - case TLS_AES_256_GCM_SHA384 : - return "TLS_AES_256_GCM_SHA384"; - #endif - - #ifdef HAVE_CHACHA - case TLS_CHACHA20_POLY1305_SHA256 : - return "TLS_CHACHA20_POLY1305_SHA256"; - #endif - - #ifdef HAVE_AESCCM - case TLS_AES_128_CCM_SHA256 : - return "TLS_AES_128_CCM_SHA256"; - case TLS_AES_128_CCM_8_SHA256 : - return "TLS_AES_256_CCM_8_SHA256"; - #endif -#endif - - default: - return "NONE"; - } - } - - if (cipherSuite0 != ECC_BYTE && - cipherSuite0 != CHACHA_BYTE && - cipherSuite0 != TLS13_BYTE) { - - /* normal suites */ - switch (cipherSuite) { -#ifndef NO_RSA - #ifndef NO_RC4 - #ifndef NO_SHA - case SSL_RSA_WITH_RC4_128_SHA : - return "SSL_RSA_WITH_RC4_128_SHA"; - #endif /* !NO_SHA */ - #ifndef NO_MD5 - case SSL_RSA_WITH_RC4_128_MD5 : - return "SSL_RSA_WITH_RC4_128_MD5"; - #endif /* !NO_MD5 */ - #endif /* !NO_RC4 */ - #ifndef NO_SHA - #ifndef NO_DES3 - case SSL_RSA_WITH_3DES_EDE_CBC_SHA : - return "SSL_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_DES3 */ - #ifdef HAVE_IDEA - case SSL_RSA_WITH_IDEA_CBC_SHA : - return "SSL_RSA_WITH_IDEA_CBC_SHA"; - #endif /* HAVE_IDEA */ - - case TLS_RSA_WITH_AES_128_CBC_SHA : - return "TLS_RSA_WITH_AES_128_CBC_SHA"; - case TLS_RSA_WITH_AES_256_CBC_SHA : - return "TLS_RSA_WITH_AES_256_CBC_SHA"; - #endif /* !NO_SHA */ - case TLS_RSA_WITH_AES_128_CBC_SHA256 : - return "TLS_RSA_WITH_AES_128_CBC_SHA256"; - case TLS_RSA_WITH_AES_256_CBC_SHA256 : - return "TLS_RSA_WITH_AES_256_CBC_SHA256"; - #ifdef HAVE_BLAKE2 - case TLS_RSA_WITH_AES_128_CBC_B2B256: - return "TLS_RSA_WITH_AES_128_CBC_B2B256"; - case TLS_RSA_WITH_AES_256_CBC_B2B256: - return "TLS_RSA_WITH_AES_256_CBC_B2B256"; - #endif /* HAVE_BLAKE2 */ - #ifndef NO_SHA - case TLS_RSA_WITH_NULL_SHA : - return "TLS_RSA_WITH_NULL_SHA"; - #endif /* !NO_SHA */ - case TLS_RSA_WITH_NULL_SHA256 : - return "TLS_RSA_WITH_NULL_SHA256"; -#endif /* NO_RSA */ - -#ifndef NO_PSK - #ifndef NO_SHA - case TLS_PSK_WITH_AES_128_CBC_SHA : - return "TLS_PSK_WITH_AES_128_CBC_SHA"; - case TLS_PSK_WITH_AES_256_CBC_SHA : - return "TLS_PSK_WITH_AES_256_CBC_SHA"; - #endif /* !NO_SHA */ - #ifndef NO_SHA256 - case TLS_PSK_WITH_AES_128_CBC_SHA256 : - return "TLS_PSK_WITH_AES_128_CBC_SHA256"; - case TLS_PSK_WITH_NULL_SHA256 : - return "TLS_PSK_WITH_NULL_SHA256"; - case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 : - return "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"; - case TLS_DHE_PSK_WITH_NULL_SHA256 : - return "TLS_DHE_PSK_WITH_NULL_SHA256"; - #ifdef HAVE_AESGCM - case TLS_PSK_WITH_AES_128_GCM_SHA256 : - return "TLS_PSK_WITH_AES_128_GCM_SHA256"; - case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 : - return "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"; - #endif /* HAVE_AESGCM */ - #endif /* !NO_SHA256 */ - #ifdef WOLFSSL_SHA384 - case TLS_PSK_WITH_AES_256_CBC_SHA384 : - return "TLS_PSK_WITH_AES_256_CBC_SHA384"; - case TLS_PSK_WITH_NULL_SHA384 : - return "TLS_PSK_WITH_NULL_SHA384"; - case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 : - return "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"; - case TLS_DHE_PSK_WITH_NULL_SHA384 : - return "TLS_DHE_PSK_WITH_NULL_SHA384"; - #ifdef HAVE_AESGCM - case TLS_PSK_WITH_AES_256_GCM_SHA384 : - return "TLS_PSK_WITH_AES_256_GCM_SHA384"; - case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 : - return "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"; - #endif /* HAVE_AESGCM */ - #endif /* WOLFSSL_SHA384 */ - #ifndef NO_SHA - case TLS_PSK_WITH_NULL_SHA : - return "TLS_PSK_WITH_NULL_SHA"; - #endif /* !NO_SHA */ - #endif /* NO_PSK */ - - #ifndef NO_RSA - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : - return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"; - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 : - return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"; - #ifndef NO_SHA - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA : - return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"; - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA : - return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"; - #ifndef NO_DES3 - case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: - return "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif - #endif /* !NO_RSA */ - #ifndef NO_HC128 - #ifndef NO_MD5 - case TLS_RSA_WITH_HC_128_MD5 : - return "TLS_RSA_WITH_HC_128_MD5"; - #endif /* !NO_MD5 */ - #ifndef NO_SHA - case TLS_RSA_WITH_HC_128_SHA : - return "TLS_RSA_WITH_HC_128_SHA"; - #endif /* !NO_SHA */ - #ifdef HAVE_BLAKE2 - case TLS_RSA_WITH_HC_128_B2B256: - return "TLS_RSA_WITH_HC_128_B2B256"; - #endif /* HAVE_BLAKE2 */ - #endif /* !NO_HC128 */ - #ifndef NO_SHA - #ifndef NO_RABBIT - case TLS_RSA_WITH_RABBIT_SHA : - return "TLS_RSA_WITH_RABBIT_SHA"; - #endif /* !NO_RABBIT */ - #ifdef HAVE_NTRU - #ifndef NO_RC4 - case TLS_NTRU_RSA_WITH_RC4_128_SHA : - return "TLS_NTRU_RSA_WITH_RC4_128_SHA"; - #endif /* !NO_RC4 */ - #ifndef NO_DES3 - case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_DES3 */ - case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA : - return "TLS_NTRU_RSA_WITH_AES_128_CBC_SHA"; - case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA : - return "TLS_NTRU_RSA_WITH_AES_256_CBC_SHA"; - #endif /* HAVE_NTRU */ - - #ifdef HAVE_QSH - case TLS_QSH : - return "TLS_QSH"; - #endif /* HAVE_QSH */ - #endif /* !NO_SHA */ - - case TLS_RSA_WITH_AES_128_GCM_SHA256 : - return "TLS_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_RSA_WITH_AES_256_GCM_SHA384 : - return "TLS_RSA_WITH_AES_256_GCM_SHA384"; - case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 : - return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 : - return "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"; - #ifndef NO_SHA - case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA : - return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"; - case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA : - return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"; - #endif /* !NO_SHA */ - case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 : - return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"; - case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 : - return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"; - #ifndef NO_SHA - case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : - return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"; - case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : - return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"; - #endif /* !NO_SHA */ - case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 : - return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"; - case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 : - return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"; -#endif /* !NO_PSK */ - -#ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA - case TLS_DH_anon_WITH_AES_128_CBC_SHA : - return "TLS_DH_anon_WITH_AES_128_CBC_SHA"; -#endif - default: - return "NONE"; - } /* switch */ - } /* normal / PSK */ -#endif /* NO_ERROR_STRINGS */ - - return "NONE"; -} - - -/** -Set the enabled cipher suites. - -@param [out] suites Suites structure. -@param [in] list List of cipher suites, only supports full name from - cipher_names[] delimited by ':'. - -@return true on success, else false. -*/ -int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) -{ - int ret = 0; - int idx = 0; - int haveRSAsig = 0; - int haveECDSAsig = 0; - int haveAnon = 0; - const int suiteSz = GetCipherNamesSize(); - char* next = (char*)list; - - if (suites == NULL || list == NULL) { - WOLFSSL_MSG("SetCipherList parameter error"); - return 0; - } - - if (next[0] == 0 || XSTRNCMP(next, "ALL", 3) == 0 || - XSTRNCMP(next, "DEFAULT", 7) == 0) - return 1; /* wolfSSL defualt */ - - do { - char* current = next; - char name[MAX_SUITE_NAME + 1]; - int i; - word32 length; - - next = XSTRSTR(next, ":"); - length = min(sizeof(name), !next ? (word32)XSTRLEN(current) /* last */ - : (word32)(next - current)); - - XSTRNCPY(name, current, length); - name[(length == sizeof(name)) ? length - 1 : length] = 0; - - for (i = 0; i < suiteSz; i++) { - if (XSTRNCMP(name, cipher_names[i], sizeof(name)) == 0) { - #ifdef WOLFSSL_DTLS - /* don't allow stream ciphers with DTLS */ - if (ctx->method->version.major == DTLS_MAJOR) { - if (XSTRSTR(name, "RC4") || - XSTRSTR(name, "HC128") || - XSTRSTR(name, "RABBIT")) - { - WOLFSSL_MSG("Stream ciphers not supported with DTLS"); - continue; - } - - } - #endif /* WOLFSSL_DTLS */ - - suites->suites[idx++] = (XSTRSTR(name, "TLS13")) ? TLS13_BYTE - : (XSTRSTR(name, "CHACHA")) ? CHACHA_BYTE - : (XSTRSTR(name, "QSH")) ? QSH_BYTE - : (XSTRSTR(name, "EC")) ? ECC_BYTE - : (XSTRSTR(name, "CCM")) ? ECC_BYTE - : 0x00; /* normal */ - suites->suites[idx++] = (byte)cipher_name_idx[i]; - - /* The suites are either ECDSA, RSA, PSK, or Anon. The RSA - * suites don't necessarily have RSA in the name. */ - if (XSTRSTR(name, "TLS13")) { - haveRSAsig = 1; - haveECDSAsig = 1; - } - else if ((haveECDSAsig == 0) && XSTRSTR(name, "ECDSA")) - haveECDSAsig = 1; - else if (XSTRSTR(name, "ADH")) - haveAnon = 1; - else if ((haveRSAsig == 0) && (XSTRSTR(name, "PSK") == NULL)) - haveRSAsig = 1; - - ret = 1; /* found at least one */ - break; - } - } - } - while (next++); /* ++ needed to skip ':' */ - - if (ret) { - suites->setSuites = 1; - suites->suiteSz = (word16)idx; - InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig, haveAnon, 1); - } - - (void)ctx; - - return ret; -} - -#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS) -void PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, - word32 hashSigAlgoSz) -{ - word32 i; - - ssl->suites->sigAlgo = ssl->specs.sig_algo; - - /* set defaults */ - if (IsAtLeastTLSv1_2(ssl)) { - #ifdef WOLFSSL_ALLOW_TLS_SHA1 - ssl->suites->hashAlgo = sha_mac; - #else - ssl->suites->hashAlgo = sha256_mac; - #endif - } - else { - ssl->suites->hashAlgo = sha_mac; - } - - /* i+1 since peek a byte ahead for type */ - for (i = 0; (i+1) < hashSigAlgoSz; i += HELLO_EXT_SIGALGO_SZ) { - byte hashAlgo = 0, sigAlgo = 0; - - DecodeSigAlg(&hashSigAlgo[i], &hashAlgo, &sigAlgo); - if (sigAlgo == ssl->specs.sig_algo || (sigAlgo == rsa_pss_sa_algo && - ssl->specs.sig_algo == rsa_sa_algo)) { - if (hashAlgo == sha_mac) { - ssl->suites->sigAlgo = sigAlgo; - break; - } - #ifndef NO_SHA256 - else if (hashAlgo == sha256_mac) { - ssl->suites->hashAlgo = sha256_mac; - ssl->suites->sigAlgo = sigAlgo; - break; - } - #endif - #ifdef WOLFSSL_SHA384 - else if (hashAlgo == sha384_mac) { - ssl->suites->hashAlgo = sha384_mac; - ssl->suites->sigAlgo = sigAlgo; - break; - } - #endif - #ifdef WOLFSSL_SHA512 - else if (hashAlgo == sha512_mac) { - ssl->suites->hashAlgo = sha512_mac; - ssl->suites->sigAlgo = sigAlgo; - break; - } - #endif - } - else if (ssl->specs.sig_algo == 0) { - ssl->suites->hashAlgo = ssl->specs.mac_algorithm; - } - } - -} -#endif /* !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS) */ - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - - /* Initialisze HandShakeInfo */ - void InitHandShakeInfo(HandShakeInfo* info, WOLFSSL* ssl) - { - int i; - - info->ssl = ssl; - info->cipherName[0] = 0; - for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++) - info->packetNames[i][0] = 0; - info->numberPackets = 0; - info->negotiationError = 0; - } - - /* Set Final HandShakeInfo parameters */ - void FinishHandShakeInfo(HandShakeInfo* info) - { - int i; - int sz = sizeof(cipher_name_idx)/sizeof(int); - - for (i = 0; i < sz; i++) - if (info->ssl->options.cipherSuite == (byte)cipher_name_idx[i]) { - if (info->ssl->options.cipherSuite0 == ECC_BYTE) - continue; /* ECC suites at end */ - XSTRNCPY(info->cipherName, cipher_names[i], MAX_CIPHERNAME_SZ); - break; - } - - /* error max and min are negative numbers */ - if (info->ssl->error <= MIN_PARAM_ERR && info->ssl->error >= MAX_PARAM_ERR) - info->negotiationError = info->ssl->error; - } - - - /* Add name to info packet names, increase packet name count */ - void AddPacketName(WOLFSSL* ssl, const char* name) - { - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - HandShakeInfo* info = &ssl->handShakeInfo; - if (info->numberPackets < MAX_PACKETS_HANDSHAKE) { - XSTRNCPY(info->packetNames[info->numberPackets++], name, - MAX_PACKETNAME_SZ); - } - #endif - (void)ssl; - (void)name; - } - - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - /* Initialisze TimeoutInfo */ - void InitTimeoutInfo(TimeoutInfo* info) - { - int i; - - info->timeoutName[0] = 0; - info->flags = 0; - - for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++) { - info->packets[i].packetName[0] = 0; - info->packets[i].timestamp.tv_sec = 0; - info->packets[i].timestamp.tv_usec = 0; - info->packets[i].bufferValue = 0; - info->packets[i].valueSz = 0; - } - info->numberPackets = 0; - info->timeoutValue.tv_sec = 0; - info->timeoutValue.tv_usec = 0; - } - - - /* Free TimeoutInfo */ - void FreeTimeoutInfo(TimeoutInfo* info, void* heap) - { - int i; - (void)heap; - for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++) - if (info->packets[i].bufferValue) { - XFREE(info->packets[i].bufferValue, heap, DYNAMIC_TYPE_INFO); - info->packets[i].bufferValue = 0; - } - - } - - /* Add packet name to previsouly added packet info */ - void AddLateName(const char* name, TimeoutInfo* info) - { - /* make sure we have a valid previous one */ - if (info->numberPackets > 0 && info->numberPackets < - MAX_PACKETS_HANDSHAKE) { - XSTRNCPY(info->packets[info->numberPackets - 1].packetName, name, - MAX_PACKETNAME_SZ); - } - } - - /* Add record header to previsouly added packet info */ - void AddLateRecordHeader(const RecordLayerHeader* rl, TimeoutInfo* info) - { - /* make sure we have a valid previous one */ - if (info->numberPackets > 0 && info->numberPackets < - MAX_PACKETS_HANDSHAKE) { - if (info->packets[info->numberPackets - 1].bufferValue) - XMEMCPY(info->packets[info->numberPackets - 1].bufferValue, rl, - RECORD_HEADER_SZ); - else - XMEMCPY(info->packets[info->numberPackets - 1].value, rl, - RECORD_HEADER_SZ); - } - } - - #endif /* WOLFSSL_CALLBACKS */ - - - /* Add PacketInfo to TimeoutInfo - * - * ssl WOLFSSL structure sending or receiving packet - * name name of packet being sent - * type type of packet being sent - * data data bing sent with packet - * sz size of data buffer - * written 1 if this packet is being written to wire, 0 if being read - * heap custom heap to use for mallocs/frees - */ - void AddPacketInfo(WOLFSSL* ssl, const char* name, int type, - const byte* data, int sz, int written, void* heap) - { - #ifdef WOLFSSL_CALLBACKS - TimeoutInfo* info = &ssl->timeoutInfo; - - if (info->numberPackets < (MAX_PACKETS_HANDSHAKE - 1)) { - Timeval currTime; - - /* may add name after */ - if (name) - XSTRNCPY(info->packets[info->numberPackets].packetName, name, - MAX_PACKETNAME_SZ); - - /* add data, put in buffer if bigger than static buffer */ - info->packets[info->numberPackets].valueSz = sz; - if (sz < MAX_VALUE_SZ) - XMEMCPY(info->packets[info->numberPackets].value, data, sz); - else { - info->packets[info->numberPackets].bufferValue = - (byte*)XMALLOC(sz, heap, DYNAMIC_TYPE_INFO); - if (!info->packets[info->numberPackets].bufferValue) - /* let next alloc catch, just don't fill, not fatal here */ - info->packets[info->numberPackets].valueSz = 0; - else - XMEMCPY(info->packets[info->numberPackets].bufferValue, - data, sz); - } - gettimeofday(&currTime, 0); - info->packets[info->numberPackets].timestamp.tv_sec = - currTime.tv_sec; - info->packets[info->numberPackets].timestamp.tv_usec = - currTime.tv_usec; - info->numberPackets++; - } - #endif /* WOLFSSL_CALLBACKS */ - #ifdef OPENSSL_EXTRA - if (ssl->protoMsgCb != NULL && sz > RECORD_HEADER_SZ) { - /* version from hex to dec 16 is 16^1, 256 from 16^2 and - 4096 from 16^3 */ - int version = (ssl->version.minor & 0X0F) + - (ssl->version.minor & 0xF0) * 16 + - (ssl->version.major & 0X0F) * 256 + - (ssl->version.major & 0xF0) * 4096; - - ssl->protoMsgCb(written, version, type, - (const void *)(data + RECORD_HEADER_SZ), - (size_t)(sz - RECORD_HEADER_SZ), - ssl, ssl->protoMsgCtx); - } - #endif /* OPENSSL_EXTRA */ - (void)written; - (void)name; - (void)heap; - (void)type; - (void)ssl; - } - -#endif /* WOLFSSL_CALLBACKS */ - - - -/* client only parts */ -#ifndef NO_WOLFSSL_CLIENT - - int SendClientHello(WOLFSSL* ssl) - { - byte *output; - word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - int sendSz; - int idSz = ssl->options.resuming - ? ssl->session.sessionIDSz - : 0; - int ret; - word16 extSz = 0; - - -#ifdef WOLFSSL_TLS13 - if (IsAtLeastTLSv1_3(ssl->version)) - return SendTls13ClientHello(ssl); -#endif - - if (ssl->suites == NULL) { - WOLFSSL_MSG("Bad suites pointer in SendClientHello"); - return SUITES_ERROR; - } - -#ifdef HAVE_SESSION_TICKET - if (ssl->options.resuming && ssl->session.ticketLen > 0) { - SessionTicket* ticket; - - ticket = TLSX_SessionTicket_Create(0, ssl->session.ticket, - ssl->session.ticketLen, ssl->heap); - if (ticket == NULL) return MEMORY_E; - - ret = TLSX_UseSessionTicket(&ssl->extensions, ticket, ssl->heap); - if (ret != SSL_SUCCESS) return ret; - - idSz = 0; - } -#endif - length = VERSION_SZ + RAN_LEN - + idSz + ENUM_LEN - + ssl->suites->suiteSz + SUITE_LEN - + COMP_LEN + ENUM_LEN; - -#ifdef HAVE_TLS_EXTENSIONS - /* auto populate extensions supported unless user defined */ - if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0) - return ret; - #ifdef HAVE_QSH - if (QSH_Init(ssl) != 0) - return MEMORY_E; - #endif - extSz = TLSX_GetRequestSize(ssl); - if (extSz != 0) - length += extSz; -#else - if (IsAtLeastTLSv1_2(ssl) && ssl->suites->hashSigAlgoSz) - extSz += HELLO_EXT_SZ + HELLO_EXT_SIGALGO_SZ - + ssl->suites->hashSigAlgoSz; -#ifdef HAVE_EXTENDED_MASTER - if (ssl->options.haveEMS) - extSz += HELLO_EXT_SZ; -#endif - if (extSz != 0) - length += extSz + HELLO_EXT_SZ_SZ; -#endif - sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - length += ENUM_LEN; /* cookie */ - if (ssl->arrays->cookieSz != 0) length += ssl->arrays->cookieSz; - sendSz = length + DTLS_HANDSHAKE_HEADER_SZ + DTLS_RECORD_HEADER_SZ; - idx += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA; - } -#endif - - if (IsEncryptionOn(ssl, 1)) - sendSz += MAX_MSG_EXTRA; - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(output, length, client_hello, ssl); - - /* client hello, first version */ - output[idx++] = ssl->version.major; - output[idx++] = ssl->version.minor; - ssl->chVersion = ssl->version; /* store in case changed */ - - /* then random */ - if (ssl->options.connectState == CONNECT_BEGIN) { - ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN); - if (ret != 0) - return ret; - - /* store random */ - XMEMCPY(ssl->arrays->clientRandom, output + idx, RAN_LEN); - } else { -#ifdef WOLFSSL_DTLS - /* send same random on hello again */ - XMEMCPY(output + idx, ssl->arrays->clientRandom, RAN_LEN); -#endif - } - idx += RAN_LEN; - - /* then session id */ - output[idx++] = (byte)idSz; - if (idSz) { - XMEMCPY(output + idx, ssl->session.sessionID, - ssl->session.sessionIDSz); - idx += ssl->session.sessionIDSz; - } - - /* then DTLS cookie */ -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - byte cookieSz = ssl->arrays->cookieSz; - - output[idx++] = cookieSz; - if (cookieSz) { - XMEMCPY(&output[idx], ssl->arrays->cookie, cookieSz); - idx += cookieSz; - } - } -#endif - /* then cipher suites */ - c16toa(ssl->suites->suiteSz, output + idx); - idx += OPAQUE16_LEN; - XMEMCPY(output + idx, &ssl->suites->suites, ssl->suites->suiteSz); - idx += ssl->suites->suiteSz; - - /* last, compression */ - output[idx++] = COMP_LEN; - if (ssl->options.usingCompression) - output[idx++] = ZLIB_COMPRESSION; - else - output[idx++] = NO_COMPRESSION; - -#ifdef HAVE_TLS_EXTENSIONS - idx += TLSX_WriteRequest(ssl, output + idx); - - (void)idx; /* suppress analyzer warning, keep idx current */ -#else - if (extSz != 0) { - c16toa(extSz, output + idx); - idx += HELLO_EXT_SZ_SZ; - - if (IsAtLeastTLSv1_2(ssl)) { - if (ssl->suites->hashSigAlgoSz) { - int i; - /* extension type */ - c16toa(HELLO_EXT_SIG_ALGO, output + idx); - idx += HELLO_EXT_TYPE_SZ; - /* extension data length */ - c16toa(HELLO_EXT_SIGALGO_SZ + ssl->suites->hashSigAlgoSz, - output + idx); - idx += HELLO_EXT_SZ_SZ; - /* sig algos length */ - c16toa(ssl->suites->hashSigAlgoSz, output + idx); - idx += HELLO_EXT_SIGALGO_SZ; - for (i = 0; i < ssl->suites->hashSigAlgoSz; i++, idx++) { - output[idx] = ssl->suites->hashSigAlgo[i]; - } - } - } -#ifdef HAVE_EXTENDED_MASTER - if (ssl->options.haveEMS) { - c16toa(HELLO_EXT_EXTMS, output + idx); - idx += HELLO_EXT_TYPE_SZ; - c16toa(0, output + idx); - idx += HELLO_EXT_SZ_SZ; - } -#endif - } -#endif - - if (IsEncryptionOn(ssl, 1)) { - byte* input; - int inputSz = idx - RECORD_HEADER_SZ; /* build msg adds rec hdr */ - - input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (input == NULL) - return MEMORY_E; - - XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); - sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, - handshake, 1, 0, 0); - XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - - if (sendSz < 0) - return sendSz; - } else { - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - ret = HashOutput(ssl, output, sendSz, 0); - if (ret != 0) - return ret; - } - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) - return ret; - } - #endif - - ssl->options.clientState = CLIENT_HELLO_COMPLETE; - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "ClientHello", handshake, output, sendSz, - WRITE_PROTO, ssl->heap); -#endif - - ssl->buffers.outputBuffer.length += sendSz; - - return SendBuffered(ssl); - } - - - static int DoHelloVerifyRequest(WOLFSSL* ssl, const byte* input, - word32* inOutIdx, word32 size) - { - ProtocolVersion pv; - byte cookieSz; - word32 begin = *inOutIdx; - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) AddPacketName(ssl, "HelloVerifyRequest"); - if (ssl->toInfoOn) AddLateName("HelloVerifyRequest", &ssl->timeoutInfo); -#endif - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - DtlsMsgPoolReset(ssl); - } -#endif - - if ((*inOutIdx - begin) + OPAQUE16_LEN + OPAQUE8_LEN > size) - return BUFFER_ERROR; - - XMEMCPY(&pv, input + *inOutIdx, OPAQUE16_LEN); - *inOutIdx += OPAQUE16_LEN; - - if (pv.major != DTLS_MAJOR || - (pv.minor != DTLS_MINOR && pv.minor != DTLSv1_2_MINOR)) - return VERSION_ERROR; - - cookieSz = input[(*inOutIdx)++]; - - if (cookieSz) { - if ((*inOutIdx - begin) + cookieSz > size) - return BUFFER_ERROR; - -#ifdef WOLFSSL_DTLS - if (cookieSz <= MAX_COOKIE_LEN) { - XMEMCPY(ssl->arrays->cookie, input + *inOutIdx, cookieSz); - ssl->arrays->cookieSz = cookieSz; - } -#endif - *inOutIdx += cookieSz; - } - - ssl->options.serverState = SERVER_HELLOVERIFYREQUEST_COMPLETE; - return 0; - } - - - static INLINE int DSH_CheckSessionId(WOLFSSL* ssl) - { - int ret = 0; - -#ifdef HAVE_SECRET_CALLBACK - /* If a session secret callback exists, we are using that - * key instead of the saved session key. */ - ret = ret || (ssl->sessionSecretCb != NULL); -#endif - -#ifdef HAVE_SESSION_TICKET - /* server may send blank ticket which may not be expected to indicate - * existing one ok but will also be sending a new one */ - ret = ret || (ssl->session.ticketLen > 0); -#endif - - ret = ret || - (ssl->options.haveSessionId && XMEMCMP(ssl->arrays->sessionID, - ssl->session.sessionID, ID_LEN) == 0); - - return ret; - } - - /* Check the version in the received message is valid and set protocol - * version to use. - * - * ssl The SSL/TLS object. - * pv The protocol version from the packet. - * returns 0 on success, otherwise failure. - */ - int CheckVersion(WOLFSSL *ssl, ProtocolVersion pv) - { -#ifdef WOLFSSL_TLS13 - /* TODO: [TLS13] Remove this. - * Translate the draft TLS v1.3 version to final version. - */ - if (pv.major == TLS_DRAFT_MAJOR) { - pv.major = SSLv3_MAJOR; - pv.minor = TLSv1_3_MINOR; - } -#endif - - /* Check for upgrade attack. */ - if (pv.minor > ssl->version.minor) { - WOLFSSL_MSG("Server using higher version, fatal error"); - return VERSION_ERROR; - } - if (pv.minor < ssl->version.minor) { - WOLFSSL_MSG("server using lower version"); - - /* Check for downgrade attack. */ - if (!ssl->options.downgrade) { - WOLFSSL_MSG("\tno downgrade allowed, fatal error"); - return VERSION_ERROR; - } - if (pv.minor < ssl->options.minDowngrade) { - WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); - return VERSION_ERROR; - } - - #ifdef HAVE_SECURE_RENEGOTIATION - if (ssl->secure_renegotiation && - ssl->secure_renegotiation->enabled && - ssl->options.handShakeDone) { - WOLFSSL_MSG("Server changed version during scr"); - return VERSION_ERROR; - } - #endif - - /* Checks made - OK to downgrade. */ - if (pv.minor == SSLv3_MINOR) { - /* turn off tls */ - WOLFSSL_MSG("\tdowngrading to SSLv3"); - ssl->options.tls = 0; - ssl->options.tls1_1 = 0; - ssl->version.minor = SSLv3_MINOR; - } - else if (pv.minor == TLSv1_MINOR) { - /* turn off tls 1.1+ */ - WOLFSSL_MSG("\tdowngrading to TLSv1"); - ssl->options.tls1_1 = 0; - ssl->version.minor = TLSv1_MINOR; - } - else if (pv.minor == TLSv1_1_MINOR) { - WOLFSSL_MSG("\tdowngrading to TLSv1.1"); - ssl->version.minor = TLSv1_1_MINOR; - } - else if (pv.minor == TLSv1_2_MINOR) { - WOLFSSL_MSG(" downgrading to TLSv1.2"); - ssl->version.minor = TLSv1_2_MINOR; - } - } - - return 0; - } - - int DoServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - word32 helloSz) - { - byte cs0; /* cipher suite bytes 0, 1 */ - byte cs1; - ProtocolVersion pv; - byte compression; - word32 i = *inOutIdx; - word32 begin = i; - int ret; - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) AddPacketName(ssl, "ServerHello"); - if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo); -#endif - - /* protocol version, random and session id length check */ - if (OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz) - return BUFFER_ERROR; - - /* protocol version */ - XMEMCPY(&pv, input + i, OPAQUE16_LEN); - i += OPAQUE16_LEN; - - ret = CheckVersion(ssl, pv); - if (ret != 0) - return ret; - -#ifdef WOLFSSL_TLS13 - if (IsAtLeastTLSv1_3(pv)) - return DoTls13ServerHello(ssl, input, inOutIdx, helloSz); -#endif - - /* random */ - XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN); - i += RAN_LEN; - - /* session id */ - ssl->arrays->sessionIDSz = input[i++]; - - if (ssl->arrays->sessionIDSz > ID_LEN) { - WOLFSSL_MSG("Invalid session ID size"); - ssl->arrays->sessionIDSz = 0; - return BUFFER_ERROR; - } - else if (ssl->arrays->sessionIDSz) { - if ((i - begin) + ssl->arrays->sessionIDSz > helloSz) - return BUFFER_ERROR; - - XMEMCPY(ssl->arrays->sessionID, input + i, - ssl->arrays->sessionIDSz); - i += ssl->arrays->sessionIDSz; - ssl->options.haveSessionId = 1; - } - - - /* suite and compression */ - if ((i - begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz) - return BUFFER_ERROR; - - cs0 = input[i++]; - cs1 = input[i++]; - -#ifdef HAVE_SECURE_RENEGOTIATION - if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled && - ssl->options.handShakeDone) { - if (ssl->options.cipherSuite0 != cs0 || - ssl->options.cipherSuite != cs1) { - WOLFSSL_MSG("Server changed cipher suite during scr"); - return MATCH_SUITE_ERROR; - } - } -#endif - - ssl->options.cipherSuite0 = cs0; - ssl->options.cipherSuite = cs1; - compression = input[i++]; - - if (compression != NO_COMPRESSION && !ssl->options.usingCompression) { - WOLFSSL_MSG("Server forcing compression w/o support"); - return COMPRESSION_ERROR; - } - - if (compression != ZLIB_COMPRESSION && ssl->options.usingCompression) { - WOLFSSL_MSG("Server refused compression, turning off"); - ssl->options.usingCompression = 0; /* turn off if server refused */ - } - - *inOutIdx = i; - -#ifdef HAVE_TLS_EXTENSIONS - if ( (i - begin) < helloSz) { - if (TLSX_SupportExtensions(ssl)) { - word16 totalExtSz; - - if ((i - begin) + OPAQUE16_LEN > helloSz) - return BUFFER_ERROR; - - ato16(&input[i], &totalExtSz); - i += OPAQUE16_LEN; - - if ((i - begin) + totalExtSz > helloSz) - return BUFFER_ERROR; - - if ((ret = TLSX_Parse(ssl, (byte *) input + i, - totalExtSz, 0, NULL))) - return ret; - - i += totalExtSz; - *inOutIdx = i; - } - else - *inOutIdx = begin + helloSz; /* skip extensions */ - } - else - ssl->options.haveEMS = 0; /* If no extensions, no EMS */ -#else - { - int allowExt = 0; - byte pendingEMS = 0; - - if ( (i - begin) < helloSz) { - if (ssl->version.major == SSLv3_MAJOR && - ssl->version.minor >= TLSv1_MINOR) { - - allowExt = 1; - } -#ifdef WOLFSSL_DTLS - if (ssl->version.major == DTLS_MAJOR) - allowExt = 1; -#endif - - if (allowExt) { - word16 totalExtSz; - - if ((i - begin) + OPAQUE16_LEN > helloSz) - return BUFFER_ERROR; - - ato16(&input[i], &totalExtSz); - i += OPAQUE16_LEN; - - if ((i - begin) + totalExtSz > helloSz) - return BUFFER_ERROR; - - while (totalExtSz) { - word16 extId, extSz; - - if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz) - return BUFFER_ERROR; - - ato16(&input[i], &extId); - i += OPAQUE16_LEN; - ato16(&input[i], &extSz); - i += OPAQUE16_LEN; - - if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz) - return BUFFER_ERROR; - - if (extId == HELLO_EXT_EXTMS) - pendingEMS = 1; - else - i += extSz; - - totalExtSz -= OPAQUE16_LEN + OPAQUE16_LEN + extSz; - } - - *inOutIdx = i; - } - else - *inOutIdx = begin + helloSz; /* skip extensions */ - } - - if (!pendingEMS && ssl->options.haveEMS) - ssl->options.haveEMS = 0; - } -#endif - - ssl->options.serverState = SERVER_HELLO_COMPLETE; - - if (IsEncryptionOn(ssl, 0)) { - *inOutIdx += ssl->keys.padSz; - } - -#ifdef HAVE_SECRET_CALLBACK - if (ssl->sessionSecretCb != NULL) { - int secretSz = SECRET_LEN; - ret = ssl->sessionSecretCb(ssl, ssl->session.masterSecret, - &secretSz, ssl->sessionSecretCtx); - if (ret != 0 || secretSz != SECRET_LEN) - return SESSION_SECRET_CB_E; - } -#endif /* HAVE_SECRET_CALLBACK */ - - if (ssl->options.resuming) { - if (DSH_CheckSessionId(ssl)) { - if (SetCipherSpecs(ssl) == 0) { - - XMEMCPY(ssl->arrays->masterSecret, - ssl->session.masterSecret, SECRET_LEN); - #ifdef NO_OLD_TLS - ret = DeriveTlsKeys(ssl); - #else - ret = -1; /* default value */ - #ifndef NO_TLS - if (ssl->options.tls) - ret = DeriveTlsKeys(ssl); - #endif - if (!ssl->options.tls) - ret = DeriveKeys(ssl); - #endif /* NO_OLD_TLS */ - ssl->options.serverState = SERVER_HELLODONE_COMPLETE; - - return ret; - } - else { - WOLFSSL_MSG("Unsupported cipher suite, DoServerHello"); - return UNSUPPORTED_SUITE; - } - } - else { - WOLFSSL_MSG("Server denied resumption attempt"); - ssl->options.resuming = 0; /* server denied resumption try */ - } - } - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - DtlsMsgPoolReset(ssl); - } - #endif - - return SetCipherSpecs(ssl); - } - - - /* Make sure client setup is valid for this suite, true on success */ - int VerifyClientSuite(WOLFSSL* ssl) - { - int havePSK = 0; - byte first = ssl->options.cipherSuite0; - byte second = ssl->options.cipherSuite; - - WOLFSSL_ENTER("VerifyClientSuite"); - - #ifndef NO_PSK - havePSK = ssl->options.havePSK; - #endif - - if (CipherRequires(first, second, REQUIRES_PSK)) { - WOLFSSL_MSG("Requires PSK"); - if (havePSK == 0) { - WOLFSSL_MSG("Don't have PSK"); - return 0; - } - } - - return 1; /* success */ - } - - -#ifndef NO_CERTS - /* just read in and ignore for now TODO: */ - static int DoCertificateRequest(WOLFSSL* ssl, const byte* input, word32* - inOutIdx, word32 size) - { - word16 len; - word32 begin = *inOutIdx; - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl,"CertificateRequest"); - if (ssl->toInfoOn) - AddLateName("CertificateRequest", &ssl->timeoutInfo); - #endif - - if ((*inOutIdx - begin) + OPAQUE8_LEN > size) - return BUFFER_ERROR; - - len = input[(*inOutIdx)++]; - - if ((*inOutIdx - begin) + len > size) - return BUFFER_ERROR; - - /* types, read in here */ - *inOutIdx += len; - - /* signature and hash signature algorithm */ - if (IsAtLeastTLSv1_2(ssl)) { - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) - return BUFFER_ERROR; - - ato16(input + *inOutIdx, &len); - *inOutIdx += OPAQUE16_LEN; - - if ((*inOutIdx - begin) + len > size) - return BUFFER_ERROR; - - PickHashSigAlgo(ssl, input + *inOutIdx, len); - *inOutIdx += len; - } - - /* authorities */ - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) - return BUFFER_ERROR; - - ato16(input + *inOutIdx, &len); - *inOutIdx += OPAQUE16_LEN; - - if ((*inOutIdx - begin) + len > size) - return BUFFER_ERROR; - - while (len) { - word16 dnSz; - - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) - return BUFFER_ERROR; - - ato16(input + *inOutIdx, &dnSz); - *inOutIdx += OPAQUE16_LEN; - - if ((*inOutIdx - begin) + dnSz > size) - return BUFFER_ERROR; - - *inOutIdx += dnSz; - len -= OPAQUE16_LEN + dnSz; - } - - /* don't send client cert or cert verify if user hasn't provided - cert and private key */ - if (ssl->buffers.certificate && ssl->buffers.certificate->buffer && - ssl->buffers.key && ssl->buffers.key->buffer) - ssl->options.sendVerify = SEND_CERT; - else if (IsTLS(ssl)) - ssl->options.sendVerify = SEND_BLANK_CERT; - - if (IsEncryptionOn(ssl, 0)) - *inOutIdx += ssl->keys.padSz; - - return 0; - } -#endif /* !NO_CERTS */ - - -#ifdef HAVE_ECC - - static int CheckCurveId(int tlsCurveId) - { - int ret = ECC_CURVE_ERROR; - - switch (tlsCurveId) { - #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP160R1: return ECC_SECP160R1_OID; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_SECPR2 - case WOLFSSL_ECC_SECP160R2: return ECC_SECP160R2_OID; - #endif /* HAVE_ECC_SECPR2 */ - #ifdef HAVE_ECC_KOBLITZ - case WOLFSSL_ECC_SECP160K1: return ECC_SECP160K1_OID; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP192R1: return ECC_SECP192R1_OID; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case WOLFSSL_ECC_SECP192K1: return ECC_SECP192K1_OID; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP224R1: return ECC_SECP224R1_OID; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case WOLFSSL_ECC_SECP224K1: return ECC_SECP224K1_OID; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) - #ifdef HAVE_CURVE25519 - case WOLFSSL_ECC_X25519: return ECC_X25519_OID; - #endif - #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP256R1: return ECC_SECP256R1_OID; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case WOLFSSL_ECC_SECP256K1: return ECC_SECP256K1_OID; - #endif /* HAVE_ECC_KOBLITZ */ - #ifdef HAVE_ECC_BRAINPOOL - case WOLFSSL_ECC_BRAINPOOLP256R1: return ECC_BRAINPOOLP256R1_OID; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP384R1: return ECC_SECP384R1_OID; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_BRAINPOOL - case WOLFSSL_ECC_BRAINPOOLP384R1: return ECC_BRAINPOOLP384R1_OID; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES) - #ifdef HAVE_ECC_BRAINPOOL - case WOLFSSL_ECC_BRAINPOOLP512R1: return ECC_BRAINPOOLP512R1_OID; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP521R1: return ECC_SECP521R1_OID; - #endif /* !NO_ECC_SECP */ - #endif - } - - return ret; - } - -#endif /* HAVE_ECC */ - - -/* Persistable DoServerKeyExchange arguments */ -typedef struct DskeArgs { - byte* output; /* not allocated */ -#if !defined(NO_DH) || defined(HAVE_ECC) - byte* verifySig; -#endif - word32 idx; - word32 begin; -#if !defined(NO_DH) || defined(HAVE_ECC) - word16 verifySigSz; -#endif - word16 sigSz; - byte sigAlgo; - byte hashAlgo; -} DskeArgs; - -static void FreeDskeArgs(WOLFSSL* ssl, void* pArgs) -{ - DskeArgs* args = (DskeArgs*)pArgs; - - (void)ssl; - (void)args; - -#if !defined(NO_DH) || defined(HAVE_ECC) - if (args->verifySig) { - XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->verifySig = NULL; - } -#endif -} - -static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input, - word32* inOutIdx, word32 size) -{ - int ret = 0; -#ifdef WOLFSSL_ASYNC_CRYPT - DskeArgs* args = (DskeArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); -#else - DskeArgs args[1]; -#endif - - WOLFSSL_ENTER("DoServerKeyExchange"); - -#ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_dske; - } - else -#endif - { - /* Reset state */ - ret = 0; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - XMEMSET(args, 0, sizeof(DskeArgs)); - args->idx = *inOutIdx; - args->begin = *inOutIdx; - args->sigAlgo = ssl->specs.sig_algo; - args->hashAlgo = sha_mac; - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeDskeArgs; - #endif - } - - switch(ssl->options.asyncState) - { - case TLS_ASYNC_BEGIN: - { - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "ServerKeyExchange"); - if (ssl->toInfoOn) - AddLateName("ServerKeyExchange", &ssl->timeoutInfo); - #endif - - switch(ssl->specs.kea) - { - #ifndef NO_PSK - case psk_kea: - { - int srvHintLen; - word16 length; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - /* get PSK server hint from the wire */ - srvHintLen = min(length, MAX_PSK_ID_LEN); - XMEMCPY(ssl->arrays->server_hint, input + args->idx, - srvHintLen); - ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */ - args->idx += length; - break; - } - #endif /* !NO_PSK */ - #ifndef NO_DH - case diffie_hellman_kea: - { - word16 length; - - /* p */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - if (length < ssl->options.minDhKeySz) { - WOLFSSL_MSG("Server using a DH key that is too small"); - SendAlert(ssl, alert_fatal, handshake_failure); - ERROR_OUT(DH_KEY_SIZE_E, exit_dske); - } - - ssl->buffers.serverDH_P.buffer = - (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_P.buffer) { - ssl->buffers.serverDH_P.length = length; - } - else { - ERROR_OUT(MEMORY_ERROR, exit_dske); - } - - XMEMCPY(ssl->buffers.serverDH_P.buffer, input + args->idx, - length); - args->idx += length; - - ssl->options.dhKeySz = length; - - /* g */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ssl->buffers.serverDH_G.buffer = - (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_G.buffer) { - ssl->buffers.serverDH_G.length = length; - } - else { - ERROR_OUT(MEMORY_ERROR, exit_dske); - } - - XMEMCPY(ssl->buffers.serverDH_G.buffer, input + args->idx, - length); - args->idx += length; - - /* pub */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ssl->buffers.serverDH_Pub.buffer = - (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_Pub.buffer) { - ssl->buffers.serverDH_Pub.length = length; - } - else { - ERROR_OUT(MEMORY_ERROR, exit_dske); - } - - XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + args->idx, - length); - args->idx += length; - break; - } - #endif /* !NO_DH */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - byte b; - int curveId, curveOid; - word16 length; - - if ((args->idx - args->begin) + ENUM_LEN + OPAQUE16_LEN + - OPAQUE8_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - b = input[args->idx++]; - if (b != named_curve) { - ERROR_OUT(ECC_CURVETYPE_ERROR, exit_dske); - } - - args->idx += 1; /* curve type, eat leading 0 */ - b = input[args->idx++]; - if ((curveOid = CheckCurveId(b)) < 0) { - ERROR_OUT(ECC_CURVE_ERROR, exit_dske); - } - ssl->ecdhCurveOID = curveOid; - - length = input[args->idx++]; - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - #ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID == ECC_X25519_OID) { - if (ssl->peerX25519Key == NULL) { - ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519, - (void**)&ssl->peerX25519Key); - if (ret != 0) { - goto exit_dske; - } - } else if (ssl->peerEccKeyPresent) { - ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE25519, - ssl->peerX25519Key); - ssl->peerX25519KeyPresent = 0; - if (ret != 0) { - goto exit_dske; - } - } - - if (wc_curve25519_import_public_ex(input + args->idx, - length, ssl->peerX25519Key, - EC25519_LITTLE_ENDIAN) != 0) { - ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske); - } - - args->idx += length; - ssl->peerX25519KeyPresent = 1; - break; - } - #endif - if (ssl->peerEccKey == NULL) { - ret = AllocKey(ssl, DYNAMIC_TYPE_ECC, - (void**)&ssl->peerEccKey); - if (ret != 0) { - goto exit_dske; - } - } else if (ssl->peerEccKeyPresent) { - ret = ReuseKey(ssl, DYNAMIC_TYPE_ECC, ssl->peerEccKey); - ssl->peerEccKeyPresent = 0; - if (ret != 0) { - goto exit_dske; - } - } - - curveId = wc_ecc_get_oid(curveOid, NULL, NULL); - if (wc_ecc_import_x963_ex(input + args->idx, length, - ssl->peerEccKey, curveId) != 0) { - ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske); - } - - args->idx += length; - ssl->peerEccKeyPresent = 1; - break; - } - #endif /* HAVE_ECC */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - int srvHintLen; - word16 length; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - /* get PSK server hint from the wire */ - srvHintLen = min(length, MAX_PSK_ID_LEN); - XMEMCPY(ssl->arrays->server_hint, input + args->idx, - srvHintLen); - ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */ - args->idx += length; - - /* p */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - if (length < ssl->options.minDhKeySz) { - WOLFSSL_MSG("Server using a DH key that is too small"); - SendAlert(ssl, alert_fatal, handshake_failure); - ERROR_OUT(DH_KEY_SIZE_E, exit_dske); - } - - ssl->buffers.serverDH_P.buffer = (byte*)XMALLOC(length, - ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_P.buffer) { - ssl->buffers.serverDH_P.length = length; - } - else { - ERROR_OUT(MEMORY_ERROR, exit_dske); - } - - XMEMCPY(ssl->buffers.serverDH_P.buffer, input + args->idx, - length); - args->idx += length; - - ssl->options.dhKeySz = length; - - /* g */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ssl->buffers.serverDH_G.buffer = (byte*)XMALLOC(length, - ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_G.buffer) { - ssl->buffers.serverDH_G.length = length; - } - else { - ERROR_OUT(MEMORY_ERROR, exit_dske); - } - - XMEMCPY(ssl->buffers.serverDH_G.buffer, input + args->idx, - length); - args->idx += length; - - /* pub */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC(length, - ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_Pub.buffer) { - ssl->buffers.serverDH_Pub.length = length; - } - else { - ERROR_OUT(MEMORY_ERROR, exit_dske); - } - - XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + args->idx, - length); - args->idx += length; - break; - } - #endif /* !NO_DH || !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - byte b; - int curveOid, curveId; - int srvHintLen; - word16 length; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &length); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - /* get PSK server hint from the wire */ - srvHintLen = min(length, MAX_PSK_ID_LEN); - XMEMCPY(ssl->arrays->server_hint, input + args->idx, - srvHintLen); - ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */ - - args->idx += length; - - if ((args->idx - args->begin) + ENUM_LEN + OPAQUE16_LEN + - OPAQUE8_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - /* Check curve name and ID */ - b = input[args->idx++]; - if (b != named_curve) { - ERROR_OUT(ECC_CURVETYPE_ERROR, exit_dske); - } - - args->idx += 1; /* curve type, eat leading 0 */ - b = input[args->idx++]; - if ((curveOid = CheckCurveId(b)) < 0) { - ERROR_OUT(ECC_CURVE_ERROR, exit_dske); - } - - length = input[args->idx++]; - if ((args->idx - args->begin) + length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - #ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID == ECC_X25519_OID) { - if (ssl->peerX25519Key == NULL) { - ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519, - (void**)&ssl->peerX25519Key); - if (ret != 0) { - goto exit_dske; - } - } else if (ssl->peerEccKeyPresent) { - ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE25519, - ssl->peerX25519Key); - ssl->peerX25519KeyPresent = 0; - if (ret != 0) { - goto exit_dske; - } - } - - if (wc_curve25519_import_public_ex(input + args->idx, - length, ssl->peerX25519Key, - EC25519_LITTLE_ENDIAN) != 0) { - ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske); - } - - args->idx += length; - ssl->peerX25519KeyPresent = 1; - break; - } - #endif - - if (ssl->peerEccKey == NULL) { - AllocKey(ssl, DYNAMIC_TYPE_ECC, - (void**)&ssl->peerEccKey); - if (ret != 0) { - goto exit_dske; - } - } else if (ssl->peerEccKeyPresent) { - ret = ReuseKey(ssl, DYNAMIC_TYPE_ECC, ssl->peerEccKey); - ssl->peerEccKeyPresent = 0; - if (ret != 0) { - goto exit_dske; - } - } - - curveId = wc_ecc_get_oid(curveOid, NULL, NULL); - if (wc_ecc_import_x963_ex(input + args->idx, length, - ssl->peerEccKey, curveId) != 0) { - ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske); - } - - args->idx += length; - ssl->peerEccKeyPresent = 1; - break; - } - #endif /* HAVE_ECC || !NO_PSK */ - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_BUILD; - } /* case TLS_ASYNC_BEGIN */ - FALL_THROUGH; - - case TLS_ASYNC_BUILD: - { - switch(ssl->specs.kea) - { - case psk_kea: - case dhe_psk_kea: - case ecdhe_psk_kea: - { - /* Nothing to do in this sub-state */ - break; - } - - case diffie_hellman_kea: - case ecc_diffie_hellman_kea: - { - #if defined(NO_DH) && !defined(HAVE_ECC) - ERROR_OUT(NOT_COMPILED_IN, exit_dske); - #else - enum wc_HashType hashType; - word16 verifySz; - - if (ssl->options.usingAnon_cipher) { - break; - } - - verifySz = (word16)(args->idx - args->begin); - if (verifySz > MAX_DH_SZ) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - if (IsAtLeastTLSv1_2(ssl)) { - if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > - size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - DecodeSigAlg(&input[args->idx], &args->hashAlgo, - &args->sigAlgo); - args->idx += 2; - hashType = HashType(args->hashAlgo); - if (hashType == WC_HASH_TYPE_NONE) { - ERROR_OUT(ALGO_ID_E, exit_dske); - } - } else { - /* only using sha and md5 for rsa */ - #ifndef NO_OLD_TLS - hashType = WC_HASH_TYPE_SHA; - if (args->sigAlgo == rsa_sa_algo) { - hashType = WC_HASH_TYPE_MD5_SHA; - } - #else - ERROR_OUT(ALGO_ID_E, exit_dske); - #endif - } - - /* signature */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - ato16(input + args->idx, &args->verifySigSz); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + args->verifySigSz > size) { - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - - /* buffer for signature */ - ssl->buffers.sig.buffer = (byte*)XMALLOC(SEED_LEN + verifySz, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->buffers.sig.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_dske); - } - ssl->buffers.sig.length = SEED_LEN + verifySz; - - /* buffer for hash */ - ssl->buffers.digest.length = wc_HashGetDigestSize(hashType); - ssl->buffers.digest.buffer = (byte*)XMALLOC( - ssl->buffers.digest.length, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->buffers.digest.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_dske); - } - - /* build message to hash */ - XMEMCPY(ssl->buffers.sig.buffer, - ssl->arrays->clientRandom, RAN_LEN); - XMEMCPY(&ssl->buffers.sig.buffer[RAN_LEN], - ssl->arrays->serverRandom, RAN_LEN); - XMEMCPY(&ssl->buffers.sig.buffer[RAN_LEN * 2], - input + args->begin, verifySz); /* message */ - - /* Perform hash */ - ret = wc_Hash(hashType, - ssl->buffers.sig.buffer, ssl->buffers.sig.length, - ssl->buffers.digest.buffer, ssl->buffers.digest.length); - if (ret != 0) { - goto exit_dske; - } - - switch (args->sigAlgo) - { - #ifndef NO_RSA - #ifdef WC_RSA_PSS - case rsa_pss_sa_algo: - #endif - case rsa_sa_algo: - { - if (ssl->peerRsaKey == NULL || - !ssl->peerRsaKeyPresent) { - ERROR_OUT(NO_PEER_KEY, exit_dske); - } - break; - } - #endif /* !NO_RSA */ - #ifdef HAVE_ECC - case ecc_dsa_sa_algo: - { - if (!ssl->peerEccDsaKeyPresent) { - ERROR_OUT(NO_PEER_KEY, exit_dske); - } - break; - } - #endif /* HAVE_ECC */ - - default: - ret = ALGO_ID_E; - } /* switch (args->sigAlgo) */ - - #endif /* NO_DH && !HAVE_ECC */ - break; - } - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_DO; - } /* case TLS_ASYNC_BUILD */ - FALL_THROUGH; - - case TLS_ASYNC_DO: - { - switch(ssl->specs.kea) - { - case psk_kea: - case dhe_psk_kea: - case ecdhe_psk_kea: - { - /* Nothing to do in this sub-state */ - break; - } - - case diffie_hellman_kea: - case ecc_diffie_hellman_kea: - { - #if defined(NO_DH) && !defined(HAVE_ECC) - ERROR_OUT(NOT_COMPILED_IN, exit_dske); - #else - if (ssl->options.usingAnon_cipher) { - break; - } - - if (args->verifySig == NULL) { - args->verifySig = (byte*)XMALLOC(args->verifySigSz, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (args->verifySig == NULL) { - ERROR_OUT(MEMORY_E, exit_dske); - } - XMEMCPY(args->verifySig, input + args->idx, - args->verifySigSz); - } - - switch (args->sigAlgo) - { - #ifndef NO_RSA - #ifdef WC_RSA_PSS - case rsa_pss_sa_algo: - #endif - case rsa_sa_algo: - { - ret = RsaVerify(ssl, - args->verifySig, args->verifySigSz, - &args->output, - args->sigAlgo, args->hashAlgo, - ssl->peerRsaKey, - #ifdef HAVE_PK_CALLBACKS - ssl->buffers.peerRsaKey.buffer, - ssl->buffers.peerRsaKey.length, - ssl->RsaVerifyCtx - #else - NULL, 0, NULL - #endif - ); - - if (ret >= 0) { - args->sigSz = (word16)ret; - ret = 0; - } - break; - } - #endif /* !NO_RSA */ - #ifdef HAVE_ECC - case ecc_dsa_sa_algo: - { - ret = EccVerify(ssl, - args->verifySig, args->verifySigSz, - ssl->buffers.digest.buffer, - ssl->buffers.digest.length, - ssl->peerEccDsaKey, - #ifdef HAVE_PK_CALLBACKS - ssl->buffers.peerEccDsaKey.buffer, - ssl->buffers.peerEccDsaKey.length, - ssl->EccVerifyCtx - #else - NULL, 0, NULL - #endif - ); - - break; - } - #endif /* HAVE_ECC */ - - default: - ret = ALGO_ID_E; - } /* switch (sigAlgo) */ - #endif /* NO_DH && !HAVE_ECC */ - break; - } - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_VERIFY; - } /* case TLS_ASYNC_DO */ - FALL_THROUGH; - - case TLS_ASYNC_VERIFY: - { - switch(ssl->specs.kea) - { - case psk_kea: - case dhe_psk_kea: - case ecdhe_psk_kea: - { - /* Nothing to do in this sub-state */ - break; - } - - case diffie_hellman_kea: - case ecc_diffie_hellman_kea: - { - #if defined(NO_DH) && !defined(HAVE_ECC) - ERROR_OUT(NOT_COMPILED_IN, exit_dske); - #else - if (ssl->options.usingAnon_cipher) { - break; - } - - /* increment index after verify is done */ - args->idx += args->verifySigSz; - - switch(args->sigAlgo) - { - #ifndef NO_RSA - #ifdef WC_RSA_PSS - case rsa_pss_sa_algo: - ret = wc_RsaPSS_CheckPadding( - ssl->buffers.digest.buffer, - ssl->buffers.digest.length, - args->output, args->sigSz, - HashType(args->hashAlgo)); - if (ret != 0) - return ret; - break; - #endif - case rsa_sa_algo: - { - if (IsAtLeastTLSv1_2(ssl)) { - #ifdef WOLFSSL_SMALL_STACK - byte* encodedSig = NULL; - #else - byte encodedSig[MAX_ENCODED_SIG_SZ]; - #endif - word32 encSigSz; - - #ifdef WOLFSSL_SMALL_STACK - encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (encodedSig == NULL) { - ERROR_OUT(MEMORY_E, exit_dske); - } - #endif - - encSigSz = wc_EncodeSignature(encodedSig, - ssl->buffers.digest.buffer, - ssl->buffers.digest.length, - TypeHash(args->hashAlgo)); - if (encSigSz != args->sigSz || !args->output || - XMEMCMP(args->output, encodedSig, - min(encSigSz, MAX_ENCODED_SIG_SZ)) != 0) { - ret = VERIFY_SIGN_ERROR; - } - #ifdef WOLFSSL_SMALL_STACK - XFREE(encodedSig, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - if (ret != 0) { - goto exit_dske; - } - } - else if (args->sigSz != FINISHED_SZ || - !args->output || - XMEMCMP(args->output, - ssl->buffers.digest.buffer, - FINISHED_SZ) != 0) { - ERROR_OUT(VERIFY_SIGN_ERROR, exit_dske); - } - break; - } - #endif /* !NO_RSA */ - #ifdef HAVE_ECC - case ecc_dsa_sa_algo: - /* Nothing to do in this algo */ - break; - #endif /* HAVE_ECC */ - default: - ret = ALGO_ID_E; - } /* switch (sigAlgo) */ - #endif /* NO_DH && !HAVE_ECC */ - break; - } - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_FINALIZE; - } /* case TLS_ASYNC_VERIFY */ - FALL_THROUGH; - - case TLS_ASYNC_FINALIZE: - { - if (IsEncryptionOn(ssl, 0)) { - args->idx += ssl->keys.padSz; - } - - /* QSH extensions */ - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent) { - word16 name; - int qshSz; - - /* extension name */ - ato16(input + args->idx, &name); - args->idx += OPAQUE16_LEN; - - if (name == TLSX_QUANTUM_SAFE_HYBRID) { - /* if qshSz is larger than 0 it is the length of - buffer used */ - if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + args->idx, - size, 0)) < 0) { - ERROR_OUT(qshSz, exit_dske); - } - args->idx += qshSz; - } - else { - /* unknown extension sent server ignored handshake */ - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - } - #endif - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_END; - } /* case TLS_ASYNC_FINALIZE */ - FALL_THROUGH; - - case TLS_ASYNC_END: - { - /* return index */ - *inOutIdx = args->idx; - - ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE; - break; - } - default: - ret = INPUT_CASE_ERROR; - } /* switch(ssl->options.asyncState) */ - -exit_dske: - - WOLFSSL_LEAVE("DoServerKeyExchange", ret); - -#ifdef WOLFSSL_ASYNC_CRYPT - /* Handle async operation */ - if (ret == WC_PENDING_E) { - /* Mark message as not recevied so it can process again */ - ssl->msgsReceived.got_server_key_exchange = 0; - - return ret; - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - /* Final cleanup */ - FreeDskeArgs(ssl, args); - FreeKeyExchange(ssl); - - return ret; -} - - -#ifdef HAVE_QSH - -#ifdef HAVE_NTRU -/* Encrypt a byte array using ntru - key a struct containing the public key to use - bufIn array to be encrypted - inSz size of bufIn array - bufOut cipher text out - outSz will be set to the new size of cipher text - */ -static int NtruSecretEncrypt(QSHKey* key, byte* bufIn, word32 inSz, - byte* bufOut, word16* outSz) -{ - int ret; - DRBG_HANDLE drbg; - - /* sanity checks on input arguments */ - if (key == NULL || bufIn == NULL || bufOut == NULL || outSz == NULL) - return BAD_FUNC_ARG; - - if (key->pub.buffer == NULL) - return BAD_FUNC_ARG; - - switch (key->name) { - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - break; - default: - WOLFSSL_MSG("Unknown QSH encryption key!"); - return -1; - } - - /* set up ntru drbg */ - ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); - if (ret != DRBG_OK) - return NTRU_DRBG_ERROR; - - /* encrypt the byte array */ - ret = ntru_crypto_ntru_encrypt(drbg, key->pub.length, key->pub.buffer, - inSz, bufIn, outSz, bufOut); - ntru_crypto_drbg_uninstantiate(drbg); - if (ret != NTRU_OK) - return NTRU_ENCRYPT_ERROR; - - return ret; -} - -/* Decrypt a byte array using ntru - key a struct containing the private key to use - bufIn array to be decrypted - inSz size of bufIn array - bufOut plain text out - outSz will be set to the new size of plain text - */ - -static int NtruSecretDecrypt(QSHKey* key, byte* bufIn, word32 inSz, - byte* bufOut, word16* outSz) -{ - int ret; - DRBG_HANDLE drbg; - - /* sanity checks on input arguments */ - if (key == NULL || bufIn == NULL || bufOut == NULL || outSz == NULL) - return BAD_FUNC_ARG; - - if (key->pri.buffer == NULL) - return BAD_FUNC_ARG; - - switch (key->name) { - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - break; - default: - WOLFSSL_MSG("Unknown QSH decryption key!"); - return -1; - } - - - /* set up drbg */ - ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); - if (ret != DRBG_OK) - return NTRU_DRBG_ERROR; - - /* decrypt cipher text */ - ret = ntru_crypto_ntru_decrypt(key->pri.length, key->pri.buffer, - inSz, bufIn, outSz, bufOut); - ntru_crypto_drbg_uninstantiate(drbg); - if (ret != NTRU_OK) - return NTRU_ENCRYPT_ERROR; - - return ret; -} -#endif /* HAVE_NTRU */ - -int QSH_Init(WOLFSSL* ssl) -{ - /* check so not initialising twice when running DTLS */ - if (ssl->QSH_secret != NULL) - return 0; - - /* malloc memory for holding generated secret information */ - if ((ssl->QSH_secret = (QSHSecret*)XMALLOC(sizeof(QSHSecret), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER)) == NULL) - return MEMORY_E; - - ssl->QSH_secret->CliSi = (buffer*)XMALLOC(sizeof(buffer), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->QSH_secret->CliSi == NULL) - return MEMORY_E; - - ssl->QSH_secret->SerSi = (buffer*)XMALLOC(sizeof(buffer), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->QSH_secret->SerSi == NULL) - return MEMORY_E; - - /* initialize variables */ - ssl->QSH_secret->list = NULL; - ssl->QSH_secret->CliSi->length = 0; - ssl->QSH_secret->CliSi->buffer = NULL; - ssl->QSH_secret->SerSi->length = 0; - ssl->QSH_secret->SerSi->buffer = NULL; - - return 0; -} - - -static int QSH_Encrypt(QSHKey* key, byte* in, word32 szIn, - byte* out, word32* szOut) -{ - int ret = 0; - word16 size = *szOut; - - (void)in; - (void)szIn; - (void)out; - (void)szOut; - - WOLFSSL_MSG("Encrypting QSH key material"); - - switch (key->name) { - #ifdef HAVE_NTRU - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - ret = NtruSecretEncrypt(key, in, szIn, out, &size); - break; - #endif - default: - WOLFSSL_MSG("Unknown QSH encryption key!"); - return -1; - } - - *szOut = size; - - return ret; -} - - -/* Decrypt using Quantum Safe Handshake algorithms */ -int QSH_Decrypt(QSHKey* key, byte* in, word32 szIn, byte* out, word16* szOut) -{ - int ret = 0; - word16 size = *szOut; - - (void)in; - (void)szIn; - (void)out; - (void)szOut; - - WOLFSSL_MSG("Decrypting QSH key material"); - - switch (key->name) { - #ifdef HAVE_NTRU - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - ret = NtruSecretDecrypt(key, in, szIn, out, &size); - break; - #endif - default: - WOLFSSL_MSG("Unknown QSH decryption key!"); - return -1; - } - - *szOut = size; - - return ret; -} - - -/* Get the max cipher text for corresponding encryption scheme - (encrypting 48 or max plain text whichever is smaller) - */ -static word32 QSH_MaxSecret(QSHKey* key) -{ - int ret = 0; -#ifdef HAVE_NTRU - byte isNtru = 0; - word16 inSz = 48; - word16 outSz; - DRBG_HANDLE drbg = 0; - byte bufIn[48]; -#endif - - if (key == NULL || key->pub.length == 0) - return 0; - - switch(key->name) { -#ifdef HAVE_NTRU - case WOLFSSL_NTRU_EESS439: - isNtru = 1; - break; - case WOLFSSL_NTRU_EESS593: - isNtru = 1; - break; - case WOLFSSL_NTRU_EESS743: - isNtru = 1; - break; -#endif - default: - WOLFSSL_MSG("Unknown QSH encryption scheme size!"); - return 0; - } - -#ifdef HAVE_NTRU - if (isNtru) { - ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); - if (ret != DRBG_OK) - return NTRU_DRBG_ERROR; - ret = ntru_crypto_ntru_encrypt(drbg, key->pub.length, - key->pub.buffer, inSz, bufIn, &outSz, NULL); - if (ret != NTRU_OK) { - return NTRU_ENCRYPT_ERROR; - } - ntru_crypto_drbg_uninstantiate(drbg); - ret = outSz; - } -#endif - - return ret; -} - -/* Generate the secret byte material for pms - returns length on success and -1 on fail - */ -static int QSH_GenerateSerCliSecret(WOLFSSL* ssl, byte isServer) -{ - int sz = 0; - int plainSz = 48; /* lesser of 48 and max plain text able to encrypt */ - int offset = 0; - word32 tmpSz = 0; - buffer* buf; - QSHKey* current = ssl->peerQSHKey; - QSHScheme* schmPre = NULL; - QSHScheme* schm = NULL; - - if (ssl == NULL) - return -1; - - WOLFSSL_MSG("Generating QSH secret key material"); - - /* get size of buffer needed */ - while (current) { - if (current->pub.length != 0) { - sz += plainSz; - } - current = (QSHKey*)current->next; - } - - /* allocate memory for buffer */ - if (isServer) { - buf = ssl->QSH_secret->SerSi; - } - else { - buf = ssl->QSH_secret->CliSi; - } - buf->length = sz; - buf->buffer = (byte*)XMALLOC(sz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (buf->buffer == NULL) { - WOLFSSL_ERROR(MEMORY_E); - } - - /* create secret information */ - sz = 0; - current = ssl->peerQSHKey; - while (current) { - schm = (QSHScheme*)XMALLOC(sizeof(QSHScheme), ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (schm == NULL) - return MEMORY_E; - - /* initialize variables */ - schm->name = 0; - schm->PK = NULL; - schm->PKLen = 0; - schm->next = NULL; - if (ssl->QSH_secret->list == NULL) { - ssl->QSH_secret->list = schm; - } - else { - if (schmPre) - schmPre->next = schm; - } - - tmpSz = QSH_MaxSecret(current); - - if ((schm->PK = (byte*)XMALLOC(tmpSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER)) == NULL) - return -1; - - /* store info for writing extension */ - schm->name = current->name; - - /* no key to use for encryption */ - if (tmpSz == 0) { - current = (QSHKey*)current->next; - continue; - } - - if (wc_RNG_GenerateBlock(ssl->rng, buf->buffer + offset, plainSz) - != 0) { - return -1; - } - if (QSH_Encrypt(current, buf->buffer + offset, plainSz, schm->PK, - &tmpSz) != 0) { - return -1; - } - schm->PKLen = tmpSz; - - sz += tmpSz; - offset += plainSz; - schmPre = schm; - current = (QSHKey*)current->next; - } - - return sz; -} - - -static word32 QSH_KeyGetSize(WOLFSSL* ssl) -{ - word32 sz = 0; - QSHKey* current = ssl->peerQSHKey; - - if (ssl == NULL) - return -1; - - sz += OPAQUE16_LEN; /* type of extension ie 0x00 0x18 */ - sz += OPAQUE24_LEN; - /* get size of buffer needed */ - while (current) { - sz += OPAQUE16_LEN; /* scheme id */ - sz += OPAQUE16_LEN; /* encrypted key len*/ - sz += QSH_MaxSecret(current); - current = (QSHKey*)current->next; - } - - return sz; -} - - -/* handle QSH key Exchange - return 0 on success - */ -static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer) -{ - int ret = 0; - - WOLFSSL_ENTER("QSH KeyExchange"); - - ret = QSH_GenerateSerCliSecret(ssl, isServer); - if (ret < 0) - return MEMORY_E; - - return 0; -} - -#endif /* HAVE_QSH */ - - -typedef struct SckeArgs { - byte* output; /* not allocated */ - byte* encSecret; - byte* input; - word32 encSz; - word32 length; - int sendSz; - int inputSz; -} SckeArgs; - -static void FreeSckeArgs(WOLFSSL* ssl, void* pArgs) -{ - SckeArgs* args = (SckeArgs*)pArgs; - - (void)ssl; - - if (args->encSecret) { - XFREE(args->encSecret, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->encSecret = NULL; - } - if (args->input) { - XFREE(args->input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->input = NULL; - } -} - -int SendClientKeyExchange(WOLFSSL* ssl) -{ - int ret = 0; -#ifdef WOLFSSL_ASYNC_CRYPT - SckeArgs* args = (SckeArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); -#else - SckeArgs args[1]; -#endif - - WOLFSSL_ENTER("SendClientKeyExchange"); - -#ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_scke; - } - else -#endif - { - /* Reset state */ - ret = 0; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - XMEMSET(args, 0, sizeof(SckeArgs)); - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeSckeArgs; - #endif - } - - switch(ssl->options.asyncState) - { - case TLS_ASYNC_BEGIN: - { - switch (ssl->specs.kea) { - #ifndef NO_RSA - case rsa_kea: - if (ssl->peerRsaKey == NULL || - ssl->peerRsaKeyPresent == 0) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - break; - #endif - #ifndef NO_DH - case diffie_hellman_kea: - if (ssl->buffers.serverDH_P.buffer == NULL || - ssl->buffers.serverDH_G.buffer == NULL || - ssl->buffers.serverDH_Pub.buffer == NULL) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - break; - #endif /* NO_DH */ - #ifndef NO_PSK - case psk_kea: - /* sanity check that PSK client callback has been set */ - if (ssl->options.client_psk_cb == NULL) { - WOLFSSL_MSG("No client PSK callback set"); - ERROR_OUT(PSK_KEY_ERROR, exit_scke); - } - break; - #endif /* NO_PSK */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - if (ssl->buffers.serverDH_P.buffer == NULL || - ssl->buffers.serverDH_G.buffer == NULL || - ssl->buffers.serverDH_Pub.buffer == NULL) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - - /* sanity check that PSK client callback has been set */ - if (ssl->options.client_psk_cb == NULL) { - WOLFSSL_MSG("No client PSK callback set"); - ERROR_OUT(PSK_KEY_ERROR, exit_scke); - } - break; - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - /* sanity check that PSK client callback has been set */ - if (ssl->options.client_psk_cb == NULL) { - WOLFSSL_MSG("No client PSK callback set"); - ERROR_OUT(PSK_KEY_ERROR, exit_scke); - } - - #ifdef HAVE_CURVE25519 - if (ssl->peerX25519KeyPresent) { - /* Check client ECC public key */ - if (!ssl->peerX25519Key || !ssl->peerX25519Key->dp) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->X25519SharedSecretCb != NULL) { - break; - } - #endif - - /* create private key */ - ssl->hsType = DYNAMIC_TYPE_CURVE25519; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_scke; - } - - ret = X25519MakeKey(ssl, (curve25519_key*)ssl->hsKey, - ssl->peerX25519Key); - break; - } - #endif - /* Check client ECC public key */ - if (!ssl->peerEccKey || !ssl->peerEccKeyPresent || - !ssl->peerEccKey->dp) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->EccSharedSecretCb != NULL) { - break; - } - #endif - - /* create private key */ - ssl->hsType = DYNAMIC_TYPE_ECC; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_scke; - } - - ret = EccMakeKey(ssl, (ecc_key*)ssl->hsKey, ssl->peerEccKey); - - break; - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - if (ssl->peerNtruKeyPresent == 0) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - break; - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - ecc_key* peerKey; - - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - #ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID == ECC_X25519_OID) { - if (ssl->ctx->X25519SharedSecretCb != NULL) - break; - } - else - #endif - if (ssl->ctx->EccSharedSecretCb != NULL) { - break; - } - #endif - - #ifdef HAVE_CURVE25519 - if (ssl->peerX25519KeyPresent) { - if (!ssl->peerX25519Key || !ssl->peerX25519Key->dp) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - - /* create private key */ - ssl->hsType = DYNAMIC_TYPE_CURVE25519; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_scke; - } - - ret = X25519MakeKey(ssl, (curve25519_key*)ssl->hsKey, - ssl->peerX25519Key); - break; - } - else - #endif - if (ssl->specs.static_ecdh) { - /* TODO: EccDsa is really fixed Ecc change naming */ - if (!ssl->peerEccDsaKey || - !ssl->peerEccDsaKeyPresent || - !ssl->peerEccDsaKey->dp) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - peerKey = ssl->peerEccDsaKey; - } - else { - if (!ssl->peerEccKey || !ssl->peerEccKeyPresent || - !ssl->peerEccKey->dp) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - peerKey = ssl->peerEccKey; - } - if (peerKey == NULL) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - - /* create private key */ - ssl->hsType = DYNAMIC_TYPE_ECC; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_scke; - } - - ret = EccMakeKey(ssl, (ecc_key*)ssl->hsKey, peerKey); - - break; - } - #endif /* HAVE_ECC */ - - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_scke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_BUILD; - } /* case TLS_ASYNC_BEGIN */ - FALL_THROUGH; - - case TLS_ASYNC_BUILD: - { - args->encSz = MAX_ENCRYPT_SZ; - args->encSecret = (byte*)XMALLOC(args->encSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (args->encSecret == NULL) { - ERROR_OUT(MEMORY_E, exit_scke); - } - - switch(ssl->specs.kea) - { - #ifndef NO_RSA - case rsa_kea: - { - ret = wc_RNG_GenerateBlock(ssl->rng, - ssl->arrays->preMasterSecret, SECRET_LEN); - if (ret != 0) { - goto exit_scke; - } - - ssl->arrays->preMasterSecret[0] = ssl->chVersion.major; - ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor; - ssl->arrays->preMasterSz = SECRET_LEN; - break; - } - #endif /* !NO_RSA */ - #ifndef NO_DH - case diffie_hellman_kea: - { - ssl->buffers.sig.length = ENCRYPT_LEN; - ssl->buffers.sig.buffer = (byte*)XMALLOC(ENCRYPT_LEN, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->buffers.sig.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_scke); - } - - ret = AllocKey(ssl, DYNAMIC_TYPE_DH, - (void**)&ssl->buffers.serverDH_Key); - if (ret != 0) { - goto exit_scke; - } - - ret = wc_DhSetKey(ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); - if (ret != 0) { - goto exit_scke; - } - - /* for DH, encSecret is Yc, agree is pre-master */ - ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key, - ssl->buffers.sig.buffer, &ssl->buffers.sig.length, - args->encSecret, &args->encSz); - break; - } - #endif /* !NO_DH */ - #ifndef NO_PSK - case psk_kea: - { - byte* pms = ssl->arrays->preMasterSecret; - ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl, - ssl->arrays->server_hint, ssl->arrays->client_identity, - MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); - if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - ERROR_OUT(PSK_KEY_ERROR, exit_scke); - } - ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; /* null term */ - args->encSz = (word32)XSTRLEN(ssl->arrays->client_identity); - if (args->encSz > MAX_PSK_ID_LEN) { - ERROR_OUT(CLIENT_ID_ERROR, exit_scke); - } - XMEMCPY(args->encSecret, ssl->arrays->client_identity, - args->encSz); - - /* make psk pre master secret */ - /* length of key + length 0s + length of key + key */ - c16toa((word16)ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - XMEMSET(pms, 0, ssl->arrays->psk_keySz); - pms += ssl->arrays->psk_keySz; - c16toa((word16)ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz = (ssl->arrays->psk_keySz * 2) + - (2 * OPAQUE16_LEN); - ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->psk_keySz = 0; /* No further need */ - break; - } - #endif /* !NO_PSK */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - word32 esSz = 0; - args->output = args->encSecret; - - ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl, - ssl->arrays->server_hint, ssl->arrays->client_identity, - MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); - if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - ERROR_OUT(PSK_KEY_ERROR, exit_scke); - } - ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; /* null term */ - esSz = (word32)XSTRLEN(ssl->arrays->client_identity); - - if (esSz > MAX_PSK_ID_LEN) { - ERROR_OUT(CLIENT_ID_ERROR, exit_scke); - } - - ssl->buffers.sig.length = ENCRYPT_LEN; - ssl->buffers.sig.buffer = (byte*)XMALLOC(ENCRYPT_LEN, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->buffers.sig.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_scke); - } - - c16toa((word16)esSz, args->output); - args->output += OPAQUE16_LEN; - XMEMCPY(args->output, ssl->arrays->client_identity, esSz); - args->output += esSz; - args->encSz = esSz + OPAQUE16_LEN; - - args->length = 0; - - ret = AllocKey(ssl, DYNAMIC_TYPE_DH, - (void**)&ssl->buffers.serverDH_Key); - if (ret != 0) { - goto exit_scke; - } - - ret = wc_DhSetKey(ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); - if (ret != 0) { - goto exit_scke; - } - - /* for DH, encSecret is Yc, agree is pre-master */ - ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key, - ssl->buffers.sig.buffer, &ssl->buffers.sig.length, - args->output + OPAQUE16_LEN, &args->length); - break; - } - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - word32 esSz = 0; - args->output = args->encSecret; - - /* Send PSK client identity */ - ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl, - ssl->arrays->server_hint, ssl->arrays->client_identity, - MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); - if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - ERROR_OUT(PSK_KEY_ERROR, exit_scke); - } - ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; /* null term */ - esSz = (word32)XSTRLEN(ssl->arrays->client_identity); - if (esSz > MAX_PSK_ID_LEN) { - ERROR_OUT(CLIENT_ID_ERROR, exit_scke); - } - - /* place size and identity in output buffer sz:identity */ - c16toa((word16)esSz, args->output); - args->output += OPAQUE16_LEN; - XMEMCPY(args->output, ssl->arrays->client_identity, esSz); - args->output += esSz; - args->encSz = esSz + OPAQUE16_LEN; - - /* length is used for public key size */ - args->length = MAX_ENCRYPT_SZ; - - /* Create shared ECC key leaving room at the begining - of buffer for size of shared key. */ - ssl->arrays->preMasterSz = ENCRYPT_LEN - OPAQUE16_LEN; - - #ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID == ECC_X25519_OID) { - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->X25519SharedSecretCb != NULL) { - break; - } - #endif - - ret = wc_curve25519_export_public_ex( - (curve25519_key*)ssl->hsKey, - args->output + OPAQUE8_LEN, &args->length, - EC25519_LITTLE_ENDIAN); - if (ret != 0) { - ERROR_OUT(ECC_EXPORT_ERROR, exit_scke); - } - - break; - } - #endif - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->EccSharedSecretCb != NULL) { - break; - } - #endif - - /* Place ECC key in output buffer, leaving room for size */ - ret = wc_ecc_export_x963((ecc_key*)ssl->hsKey, - args->output + OPAQUE8_LEN, &args->length); - if (ret != 0) { - ERROR_OUT(ECC_EXPORT_ERROR, exit_scke); - } - - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - ret = wc_RNG_GenerateBlock(ssl->rng, - ssl->arrays->preMasterSecret, SECRET_LEN); - if (ret != 0) { - goto exit_scke; - } - - ssl->arrays->preMasterSz = SECRET_LEN; - args->encSz = MAX_ENCRYPT_SZ; - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - ssl->arrays->preMasterSz = ENCRYPT_LEN; - - #ifdef HAVE_CURVE25519 - if (ssl->hsType == DYNAMIC_TYPE_CURVE25519) { - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->X25519SharedSecretCb != NULL) { - break; - } - #endif - - ret = wc_curve25519_export_public_ex( - (curve25519_key*)ssl->hsKey, - args->encSecret + OPAQUE8_LEN, &args->encSz, - EC25519_LITTLE_ENDIAN); - if (ret != 0) { - ERROR_OUT(ECC_EXPORT_ERROR, exit_scke); - } - - break; - } - #endif - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->EccSharedSecretCb != NULL) { - break; - } - #endif - - /* Place ECC key in buffer, leaving room for size */ - ret = wc_ecc_export_x963((ecc_key*)ssl->hsKey, - args->encSecret + OPAQUE8_LEN, &args->encSz); - if (ret != 0) { - ERROR_OUT(ECC_EXPORT_ERROR, exit_scke); - } - break; - } - #endif /* HAVE_ECC */ - - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_scke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_DO; - } /* case TLS_ASYNC_BUILD */ - FALL_THROUGH; - - case TLS_ASYNC_DO: - { - switch(ssl->specs.kea) - { - #ifndef NO_RSA - case rsa_kea: - { - ret = RsaEnc(ssl, - ssl->arrays->preMasterSecret, SECRET_LEN, - args->encSecret, &args->encSz, - ssl->peerRsaKey, - #if defined(HAVE_PK_CALLBACKS) - ssl->buffers.peerRsaKey.buffer, - ssl->buffers.peerRsaKey.length, - ssl->RsaEncCtx - #else - NULL, 0, NULL - #endif - ); - - break; - } - #endif /* !NO_RSA */ - #ifndef NO_DH - case diffie_hellman_kea: - { - ret = DhAgree(ssl, ssl->buffers.serverDH_Key, - ssl->buffers.sig.buffer, ssl->buffers.sig.length, - ssl->buffers.serverDH_Pub.buffer, - ssl->buffers.serverDH_Pub.length, - ssl->arrays->preMasterSecret, - &ssl->arrays->preMasterSz); - break; - } - #endif /* !NO_DH */ - #ifndef NO_PSK - case psk_kea: - { - break; - } - #endif /* !NO_PSK */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - ret = DhAgree(ssl, ssl->buffers.serverDH_Key, - ssl->buffers.sig.buffer, ssl->buffers.sig.length, - ssl->buffers.serverDH_Pub.buffer, - ssl->buffers.serverDH_Pub.length, - ssl->arrays->preMasterSecret + OPAQUE16_LEN, - &ssl->arrays->preMasterSz); - break; - } - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - #ifdef HAVE_CURVE25519 - if (ssl->peerX25519KeyPresent) { - ret = X25519SharedSecret(ssl, - (curve25519_key*)ssl->hsKey, ssl->peerX25519Key, - args->output + OPAQUE8_LEN, &args->length, - ssl->arrays->preMasterSecret + OPAQUE16_LEN, - &ssl->arrays->preMasterSz, - WOLFSSL_CLIENT_END, - #ifdef HAVE_PK_CALLBACKS - ssl->EccSharedSecretCtx - #else - NULL - #endif - ); - break; - } - #endif - ret = EccSharedSecret(ssl, - (ecc_key*)ssl->hsKey, ssl->peerEccKey, - args->output + OPAQUE8_LEN, &args->length, - ssl->arrays->preMasterSecret + OPAQUE16_LEN, - &ssl->arrays->preMasterSz, - WOLFSSL_CLIENT_END, - #ifdef HAVE_PK_CALLBACKS - ssl->EccSharedSecretCtx - #else - NULL - #endif - ); - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - word32 rc; - DRBG_HANDLE drbg; - - rc = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); - if (rc != DRBG_OK) { - ERROR_OUT(NTRU_DRBG_ERROR, exit_scke); - } - rc = ntru_crypto_ntru_encrypt(drbg, ssl->peerNtruKeyLen, - ssl->peerNtruKey, - ssl->arrays->preMasterSz, - ssl->arrays->preMasterSecret, - (word16*)&args->encSz, - args->encSecret); - ntru_crypto_drbg_uninstantiate(drbg); - if (rc != NTRU_OK) { - ERROR_OUT(NTRU_ENCRYPT_ERROR, exit_scke); - } - ret = 0; - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - ecc_key* peerKey; - - #ifdef HAVE_CURVE25519 - if (ssl->peerX25519KeyPresent) { - ret = X25519SharedSecret(ssl, - (curve25519_key*)ssl->hsKey, ssl->peerX25519Key, - args->encSecret + OPAQUE8_LEN, &args->encSz, - ssl->arrays->preMasterSecret, - &ssl->arrays->preMasterSz, - WOLFSSL_CLIENT_END, - #ifdef HAVE_PK_CALLBACKS - ssl->EccSharedSecretCtx - #else - NULL - #endif - ); - break; - } - #endif - peerKey = (ssl->specs.static_ecdh) ? - ssl->peerEccDsaKey : ssl->peerEccKey; - - ret = EccSharedSecret(ssl, - (ecc_key*)ssl->hsKey, peerKey, - args->encSecret + OPAQUE8_LEN, &args->encSz, - ssl->arrays->preMasterSecret, - &ssl->arrays->preMasterSz, - WOLFSSL_CLIENT_END, - #ifdef HAVE_PK_CALLBACKS - ssl->EccSharedSecretCtx - #else - NULL - #endif - ); - - break; - } - #endif /* HAVE_ECC */ - - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_scke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_VERIFY; - } /* case TLS_ASYNC_DO */ - FALL_THROUGH; - - case TLS_ASYNC_VERIFY: - { - switch(ssl->specs.kea) - { - #ifndef NO_RSA - case rsa_kea: - { - break; - } - #endif /* !NO_RSA */ - #ifndef NO_DH - case diffie_hellman_kea: - { - break; - } - #endif /* !NO_DH */ - #ifndef NO_PSK - case psk_kea: - { - break; - } - #endif /* !NO_PSK */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - byte* pms = ssl->arrays->preMasterSecret; - - /* validate args */ - if (args->output == NULL || args->length == 0) { - ERROR_OUT(BAD_FUNC_ARG, exit_scke); - } - - c16toa((word16)args->length, args->output); - args->encSz += args->length + OPAQUE16_LEN; - c16toa((word16)ssl->arrays->preMasterSz, pms); - ssl->arrays->preMasterSz += OPAQUE16_LEN; - pms += ssl->arrays->preMasterSz; - - /* make psk pre master secret */ - /* length of key + length 0s + length of key + key */ - c16toa((word16)ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz += - ssl->arrays->psk_keySz + OPAQUE16_LEN; - ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->psk_keySz = 0; /* No further need */ - break; - } - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - byte* pms = ssl->arrays->preMasterSecret; - - /* validate args */ - if (args->output == NULL || args->length > ENCRYPT_LEN) { - ERROR_OUT(BAD_FUNC_ARG, exit_scke); - } - - /* place size of public key in output buffer */ - *args->output = (byte)args->length; - args->encSz += args->length + OPAQUE8_LEN; - - /* Create pre master secret is the concatination of - eccSize + eccSharedKey + pskSize + pskKey */ - c16toa((word16)ssl->arrays->preMasterSz, pms); - ssl->arrays->preMasterSz += OPAQUE16_LEN; - pms += ssl->arrays->preMasterSz; - - c16toa((word16)ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz += - ssl->arrays->psk_keySz + OPAQUE16_LEN; - - ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->psk_keySz = 0; /* No further need */ - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - /* place size of public key in buffer */ - *args->encSecret = (byte)args->encSz; - args->encSz += OPAQUE8_LEN; - break; - } - #endif /* HAVE_ECC */ - - default: - ret = BAD_KEA_TYPE_E; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_scke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_FINALIZE; - } /* case TLS_ASYNC_VERIFY */ - FALL_THROUGH; - - case TLS_ASYNC_FINALIZE: - { - word32 tlsSz = 0; - word32 idx = 0; - - #ifdef HAVE_QSH - word32 qshSz = 0; - if (ssl->peerQSHKeyPresent) { - qshSz = QSH_KeyGetSize(ssl); - } - #endif - - if (ssl->options.tls || ssl->specs.kea == diffie_hellman_kea) { - tlsSz = 2; - } - - if (ssl->specs.kea == ecc_diffie_hellman_kea || - ssl->specs.kea == dhe_psk_kea || - ssl->specs.kea == ecdhe_psk_kea) { /* always off */ - tlsSz = 0; - } - - idx = HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - args->sendSz = args->encSz + tlsSz + idx; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - idx += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA; - args->sendSz += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA; - } - #endif - - if (IsEncryptionOn(ssl, 1)) { - args->sendSz += MAX_MSG_EXTRA; - } - - #ifdef HAVE_QSH - args->encSz += qshSz; - args->sendSz += qshSz; - #endif - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { - goto exit_scke; - } - - /* get output buffer */ - args->output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent) { - byte idxSave = idx; - idx = args->sendSz - qshSz; - - if (QSH_KeyExchangeWrite(ssl, 0) != 0) { - ERROR_OUT(MEMORY_E, exit_scke); - } - - /* extension type */ - c16toa(TLSX_QUANTUM_SAFE_HYBRID, args->output + idx); - idx += OPAQUE16_LEN; - - /* write to output and check amount written */ - if (TLSX_QSHPK_Write(ssl->QSH_secret->list, - args->output + idx) > qshSz - OPAQUE16_LEN) { - ERROR_OUT(MEMORY_E, exit_scke); - } - - idx = idxSave; - } - #endif - - AddHeaders(args->output, args->encSz + tlsSz, client_key_exchange, ssl); - - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent) { - args->encSz -= qshSz; - } - #endif - if (tlsSz) { - c16toa((word16)args->encSz, &args->output[idx]); - idx += OPAQUE16_LEN; - } - XMEMCPY(args->output + idx, args->encSecret, args->encSz); - idx += args->encSz; - - if (IsEncryptionOn(ssl, 1)) { - args->inputSz = idx - RECORD_HEADER_SZ; /* buildmsg adds rechdr */ - args->input = (byte*)XMALLOC(args->inputSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (args->input == NULL) { - ERROR_OUT(MEMORY_E, exit_scke); - } - - XMEMCPY(args->input, args->output + RECORD_HEADER_SZ, - args->inputSz); - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_END; - } /* case TLS_ASYNC_FINALIZE */ - FALL_THROUGH; - - case TLS_ASYNC_END: - { - if (IsEncryptionOn(ssl, 1)) { - ret = BuildMessage(ssl, args->output, args->sendSz, - args->input, args->inputSz, handshake, 1, 0, 1); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) - goto exit_scke; - #endif - XFREE(args->input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->input = NULL; /* make sure its not double free'd on cleanup */ - - if (ret >= 0) { - args->sendSz = ret; - ret = 0; - } - } - else { - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - ret = HashOutput(ssl, args->output, args->sendSz, 0); - } - - if (ret != 0) { - goto exit_scke; - } - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, args->output, args->sendSz)) != 0) { - goto exit_scke; - } - } - #endif - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "ClientKeyExchange"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "ClientKeyExchange", handshake, - args->output, args->sendSz, WRITE_PROTO, ssl->heap); - #endif - - ssl->buffers.outputBuffer.length += args->sendSz; - - if (!ssl->options.groupMessages) { - ret = SendBuffered(ssl); - } - if (ret == 0 || ret == WANT_WRITE) { - int tmpRet = MakeMasterSecret(ssl); - if (tmpRet != 0) { - ret = tmpRet; /* save WANT_WRITE unless more serious */ - } - ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; - } - break; - } - default: - ret = INPUT_CASE_ERROR; - } /* switch(ssl->options.asyncState) */ - -exit_scke: - - WOLFSSL_LEAVE("SendClientKeyExchange", ret); - -#ifdef WOLFSSL_ASYNC_CRYPT - /* Handle async operation */ - if (ret == WC_PENDING_E) - return ret; -#endif - - /* No further need for PMS */ - ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz); - ssl->arrays->preMasterSz = 0; - - /* Final cleanup */ - FreeSckeArgs(ssl, args); - FreeKeyExchange(ssl); - - return ret; -} - - -#ifndef NO_CERTS -/* Decode the private key - RSA or ECC - and creates a key object. - * The signature type is set as well. - * The maximum length of a signature is returned. - * - * ssl The SSL/TLS object. - * length The length of a signature. - * returns 0 on success, otherwise failure. - */ -int DecodePrivateKey(WOLFSSL *ssl, word16* length) -{ - int ret; - int keySz; - word32 idx; - - /* make sure private key exists */ - if (ssl->buffers.key == NULL || ssl->buffers.key->buffer == NULL) { - WOLFSSL_MSG("Private key missing!"); - ERROR_OUT(NO_PRIVATE_KEY, exit_dpk); - } - -#ifndef NO_RSA - ssl->hsType = DYNAMIC_TYPE_RSA; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_dpk; - } - - WOLFSSL_MSG("Trying RSA private key"); - - /* Set start of data to beginning of buffer. */ - idx = 0; - /* Decode the key assuming it is an RSA private key. */ - ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx, - (RsaKey*)ssl->hsKey, ssl->buffers.key->length); - if (ret == 0) { - WOLFSSL_MSG("Using RSA private key"); - - /* It worked so check it meeets minimum key size requirements. */ - keySz = wc_RsaEncryptSize((RsaKey*)ssl->hsKey); - if (keySz < 0) { /* check if keySz has error case */ - ERROR_OUT(keySz, exit_dpk); - } - - if (keySz < ssl->options.minRsaKeySz) { - WOLFSSL_MSG("RSA key size too small"); - ERROR_OUT(RSA_KEY_SIZE_E, exit_dpk); - } - - /* Return the maximum signature length. */ - *length = (word16)keySz; - - goto exit_dpk; - } -#endif /* !NO_RSA */ - -#ifdef HAVE_ECC -#ifndef NO_RSA - FreeKey(ssl, ssl->hsType, (void**)&ssl->hsKey); -#endif /* !NO_RSA */ - - ssl->hsType = DYNAMIC_TYPE_ECC; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_dpk; - } - -#ifndef NO_RSA - WOLFSSL_MSG("Trying ECC private key, RSA didn't work"); -#else - WOLFSSL_MSG("Trying ECC private key"); -#endif - - /* Set start of data to beginning of buffer. */ - idx = 0; - /* Decode the key assuming it is an ECC private key. */ - ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx, - (ecc_key*)ssl->hsKey, - ssl->buffers.key->length); - if (ret != 0) { - WOLFSSL_MSG("Bad client cert type"); - goto exit_dpk; - } - - WOLFSSL_MSG("Using ECC private key"); - - /* Check it meets the minimum ECC key size requirements. */ - keySz = wc_ecc_size((ecc_key*)ssl->hsKey); - if (keySz < ssl->options.minEccKeySz) { - WOLFSSL_MSG("ECC key size too small"); - ERROR_OUT(ECC_KEY_SIZE_E, exit_dpk); - } - - /* Return the maximum signature length. */ - *length = wc_ecc_sig_size((ecc_key*)ssl->hsKey); -#endif - -exit_dpk: - return ret; -} - - -typedef struct ScvArgs { - byte* output; /* not allocated */ -#ifndef NO_RSA - byte* verifySig; -#endif - byte* verify; /* not allocated */ - byte* input; - word32 idx; - word32 extraSz; - word32 sigSz; - int sendSz; - int length; - int inputSz; - byte sigAlgo; -} ScvArgs; - -static void FreeScvArgs(WOLFSSL* ssl, void* pArgs) -{ - ScvArgs* args = (ScvArgs*)pArgs; - - (void)ssl; - -#ifndef NO_RSA - if (args->verifySig) { - XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->verifySig = NULL; - } -#endif - if (args->input) { - XFREE(args->input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->input = NULL; - } -} - -int SendCertificateVerify(WOLFSSL* ssl) -{ - int ret = 0; -#ifdef WOLFSSL_ASYNC_CRYPT - ScvArgs* args = (ScvArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); -#else - ScvArgs args[1]; -#endif - - WOLFSSL_ENTER("SendCertificateVerify"); - -#ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_scv; - } - else -#endif - { - /* Reset state */ - ret = 0; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - XMEMSET(args, 0, sizeof(ScvArgs)); - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeScvArgs; - #endif - } - - switch(ssl->options.asyncState) - { - case TLS_ASYNC_BEGIN: - { - if (ssl->options.sendVerify == SEND_BLANK_CERT) { - return 0; /* sent blank cert, can't verify */ - } - - args->sendSz = MAX_CERT_VERIFY_SZ; - if (IsEncryptionOn(ssl, 1)) { - args->sendSz += MAX_MSG_EXTRA; - } - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { - goto exit_scv; - } - - /* get output buffer */ - args->output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_BUILD; - } /* case TLS_ASYNC_BEGIN */ - FALL_THROUGH; - - case TLS_ASYNC_BUILD: - { - ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes); - if (ret != 0) { - goto exit_scv; - } - - /* Decode private key. */ - ret = DecodePrivateKey(ssl, (word16*)&args->length); - if (ret != 0) { - goto exit_scv; - } - - /* idx is used to track verify pointer offset to output */ - args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - args->verify = &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ]; - args->extraSz = 0; /* tls 1.2 hash/sig */ - - /* build encoded signature buffer */ - ssl->buffers.sig.length = MAX_ENCODED_SIG_SZ; - ssl->buffers.sig.buffer = (byte*)XMALLOC(ssl->buffers.sig.length, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->buffers.sig.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_scv); - } - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - args->verify += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif - - #ifndef NO_OLD_TLS - #ifndef NO_SHA - /* old tls default */ - SetDigest(ssl, sha_mac); - #endif - #else - #ifndef NO_SHA256 - /* new tls default */ - SetDigest(ssl, sha256_mac); - #endif - #endif /* !NO_OLD_TLS */ - - if (ssl->hsType == DYNAMIC_TYPE_RSA) { - #ifdef WC_RSA_PSS - if (IsAtLeastTLSv1_2(ssl) && - (ssl->pssAlgo | (1 << ssl->suites->hashAlgo))) { - args->sigAlgo = rsa_pss_sa_algo; - } - else - #endif - args->sigAlgo = rsa_sa_algo; - } - else if (ssl->hsType == DYNAMIC_TYPE_ECC) - args->sigAlgo = ecc_dsa_sa_algo; - - if (IsAtLeastTLSv1_2(ssl)) { - EncodeSigAlg(ssl->suites->hashAlgo, args->sigAlgo, - args->verify); - args->extraSz = HASH_SIG_SIZE; - SetDigest(ssl, ssl->suites->hashAlgo); - } - #ifndef NO_OLD_TLS - else { - /* if old TLS load MD5 and SHA hash as value to sign */ - XMEMCPY(ssl->buffers.sig.buffer, - (byte*)ssl->hsHashes->certHashes.md5, FINISHED_SZ); - } - #endif - - #ifndef NO_RSA - if (args->sigAlgo == rsa_sa_algo) { - ssl->buffers.sig.length = FINISHED_SZ; - args->sigSz = ENCRYPT_LEN; - - if (IsAtLeastTLSv1_2(ssl)) { - ssl->buffers.sig.length = wc_EncodeSignature( - ssl->buffers.sig.buffer, ssl->buffers.digest.buffer, - ssl->buffers.digest.length, - TypeHash(ssl->suites->hashAlgo)); - } - - /* prepend hdr */ - c16toa((word16)args->length, args->verify + args->extraSz); - } - else if (args->sigAlgo == rsa_pss_sa_algo) { - XMEMCPY(ssl->buffers.sig.buffer, ssl->buffers.digest.buffer, - ssl->buffers.digest.length); - ssl->buffers.sig.length = ssl->buffers.digest.length; - args->sigSz = ENCRYPT_LEN; - - /* prepend hdr */ - c16toa((word16)args->length, args->verify + args->extraSz); - } - #endif /* !NO_RSA */ - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_DO; - } /* case TLS_ASYNC_BUILD */ - FALL_THROUGH; - - case TLS_ASYNC_DO: - { - #ifdef HAVE_ECC - if (ssl->hsType == DYNAMIC_TYPE_ECC) { - ecc_key* key = (ecc_key*)ssl->hsKey; - - ret = EccSign(ssl, - ssl->buffers.digest.buffer, ssl->buffers.digest.length, - ssl->buffers.sig.buffer, &ssl->buffers.sig.length, - key, - #if defined(HAVE_PK_CALLBACKS) - ssl->buffers.key->buffer, - ssl->buffers.key->length, - ssl->EccSignCtx - #else - NULL, 0, NULL - #endif - ); - } - #endif /* HAVE_ECC */ - #ifndef NO_RSA - if (ssl->hsType == DYNAMIC_TYPE_RSA) { - RsaKey* key = (RsaKey*)ssl->hsKey; - - /* restore verify pointer */ - args->verify = &args->output[args->idx]; - - ret = RsaSign(ssl, - ssl->buffers.sig.buffer, ssl->buffers.sig.length, - args->verify + args->extraSz + VERIFY_HEADER, &args->sigSz, - args->sigAlgo, ssl->suites->hashAlgo, key, - ssl->buffers.key->buffer, ssl->buffers.key->length, - #ifdef HAVE_PK_CALLBACKS - ssl->RsaSignCtx - #else - NULL - #endif - ); - } - #endif /* !NO_RSA */ - - /* Check for error */ - if (ret != 0) { - goto exit_scv; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_VERIFY; - } /* case TLS_ASYNC_DO */ - FALL_THROUGH; - - case TLS_ASYNC_VERIFY: - { - /* restore verify pointer */ - args->verify = &args->output[args->idx]; - - #ifdef HAVE_ECC - if (ssl->hsType == DYNAMIC_TYPE_ECC) { - args->length = ssl->buffers.sig.length; - /* prepend hdr */ - c16toa((word16)ssl->buffers.sig.length, args->verify + - args->extraSz); - XMEMCPY(args->verify + args->extraSz + VERIFY_HEADER, - ssl->buffers.sig.buffer, ssl->buffers.sig.length); - } - #endif /* HAVE_ECC */ - #ifndef NO_RSA - if (ssl->hsType == DYNAMIC_TYPE_RSA) { - RsaKey* key = (RsaKey*)ssl->hsKey; - - if (args->verifySig == NULL) { - args->verifySig = (byte*)XMALLOC(args->sigSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (args->verifySig == NULL) { - ERROR_OUT(MEMORY_E, exit_scv); - } - XMEMCPY(args->verifySig, args->verify + args->extraSz + - VERIFY_HEADER, args->sigSz); - } - - /* check for signature faults */ - ret = VerifyRsaSign(ssl, - args->verifySig, args->sigSz, - ssl->buffers.sig.buffer, ssl->buffers.sig.length, - args->sigAlgo, ssl->suites->hashAlgo, key - ); - } - #endif /* !NO_RSA */ - - /* Check for error */ - if (ret != 0) { - goto exit_scv; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_FINALIZE; - } /* case TLS_ASYNC_VERIFY */ - FALL_THROUGH; - - case TLS_ASYNC_FINALIZE: - { - if (args->output == NULL) { - ERROR_OUT(BUFFER_ERROR, exit_scv); - } - AddHeaders(args->output, args->length + args->extraSz + - VERIFY_HEADER, certificate_verify, ssl); - - args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + - args->length + args->extraSz + VERIFY_HEADER; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif - - if (IsEncryptionOn(ssl, 1)) { - args->inputSz = args->sendSz - RECORD_HEADER_SZ; - /* build msg adds rec hdr */ - args->input = (byte*)XMALLOC(args->inputSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (args->input == NULL) { - ERROR_OUT(MEMORY_E, exit_scv); - } - - XMEMCPY(args->input, args->output + RECORD_HEADER_SZ, - args->inputSz); - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_END; - } /* case TLS_ASYNC_FINALIZE */ - FALL_THROUGH; - - case TLS_ASYNC_END: - { - if (IsEncryptionOn(ssl, 1)) { - ret = BuildMessage(ssl, args->output, - MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA, - args->input, args->inputSz, handshake, - 1, 0, 1); - #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) - goto exit_scv; - #endif - - XFREE(args->input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->input = NULL; /* make sure its not double free'd on cleanup */ - - if (ret >= 0) { - args->sendSz = ret; - ret = 0; - } - } - else { - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - ret = HashOutput(ssl, args->output, args->sendSz, 0); - } - - if (ret != 0) { - goto exit_scv; - } - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - ret = DtlsMsgPoolSave(ssl, args->output, args->sendSz); - } - #endif - - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "CertificateVerify"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "CertificateVerify", handshake, - args->output, args->sendSz, WRITE_PROTO, ssl->heap); - #endif - - ssl->buffers.outputBuffer.length += args->sendSz; - - if (!ssl->options.groupMessages) { - ret = SendBuffered(ssl); - } - break; - } - default: - ret = INPUT_CASE_ERROR; - } /* switch(ssl->options.asyncState) */ - -exit_scv: - - WOLFSSL_LEAVE("SendCertificateVerify", ret); - -#ifdef WOLFSSL_ASYNC_CRYPT - /* Handle async operation */ - if (ret == WC_PENDING_E) { - return ret; - } -#endif /* WOLFSSL_ASYNC_CRYPT */ - - /* Digest is not allocated, so do this to prevent free */ - ssl->buffers.digest.buffer = NULL; - ssl->buffers.digest.length = 0; - - /* Final cleanup */ - FreeScvArgs(ssl, args); - FreeKeyExchange(ssl); - - return ret; -} - -#endif /* NO_CERTS */ - - -#ifdef HAVE_SESSION_TICKET -static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - word32 size) -{ - word32 begin = *inOutIdx; - word32 lifetime; - word16 length; - - if (ssl->expect_session_ticket == 0) { - WOLFSSL_MSG("Unexpected session ticket"); - return SESSION_TICKET_EXPECT_E; - } - - if ((*inOutIdx - begin) + OPAQUE32_LEN > size) - return BUFFER_ERROR; - - ato32(input + *inOutIdx, &lifetime); - *inOutIdx += OPAQUE32_LEN; - - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) - return BUFFER_ERROR; - - ato16(input + *inOutIdx, &length); - *inOutIdx += OPAQUE16_LEN; - - if ((*inOutIdx - begin) + length > size) - return BUFFER_ERROR; - - if (length > sizeof(ssl->session.staticTicket)) { - /* Free old dynamic ticket if we already had one */ - if (ssl->session.isDynamic) - XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - ssl->session.ticket = - (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - if (ssl->session.ticket == NULL) { - /* Set to static ticket to avoid null pointer error */ - ssl->session.ticket = ssl->session.staticTicket; - ssl->session.isDynamic = 0; - return MEMORY_E; - } - ssl->session.isDynamic = 1; - } else { - if(ssl->session.isDynamic) { - XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - } - ssl->session.isDynamic = 0; - ssl->session.ticket = ssl->session.staticTicket; - } - - /* If the received ticket including its length is greater than - * a length value, the save it. Otherwise, don't save it. */ - if (length > 0) { - XMEMCPY(ssl->session.ticket, input + *inOutIdx, length); - *inOutIdx += length; - ssl->session.ticketLen = length; - ssl->timeout = lifetime; - if (ssl->session_ticket_cb != NULL) { - ssl->session_ticket_cb(ssl, - ssl->session.ticket, ssl->session.ticketLen, - ssl->session_ticket_ctx); - } - /* Create a fake sessionID based on the ticket, this will - * supercede the existing session cache info. */ - ssl->options.haveSessionId = 1; - XMEMCPY(ssl->arrays->sessionID, - ssl->session.ticket + length - ID_LEN, ID_LEN); -#ifndef NO_SESSION_CACHE - AddSession(ssl); -#endif - - } - else { - ssl->session.ticketLen = 0; - } - - if (IsEncryptionOn(ssl, 0)) { - *inOutIdx += ssl->keys.padSz; - } - - ssl->expect_session_ticket = 0; - - return 0; -} -#endif /* HAVE_SESSION_TICKET */ - -#endif /* NO_WOLFSSL_CLIENT */ - - -#ifndef NO_WOLFSSL_SERVER - - int SendServerHello(WOLFSSL* ssl) - { - byte *output; - word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - int sendSz; - int ret; - byte sessIdSz = ID_LEN; - byte echoId = 0; /* ticket echo id flag */ - byte cacheOff = 0; /* session cache off flag */ - - length = VERSION_SZ + RAN_LEN - + ID_LEN + ENUM_LEN - + SUITE_LEN - + ENUM_LEN; - -#ifdef HAVE_TLS_EXTENSIONS - length += TLSX_GetResponseSize(ssl, server_hello); - #ifdef HAVE_SESSION_TICKET - if (ssl->options.useTicket) { - /* echo session id sz can be 0,32 or bogus len inbetween */ - sessIdSz = ssl->arrays->sessionIDSz; - if (sessIdSz > ID_LEN) { - WOLFSSL_MSG("Bad bogus session id len"); - return BUFFER_ERROR; - } - if (!IsAtLeastTLSv1_3(ssl->version)) - length -= (ID_LEN - sessIdSz); /* adjust ID_LEN assumption */ - echoId = 1; - } - #endif /* HAVE_SESSION_TICKET */ -#else - if (ssl->options.haveEMS) { - length += HELLO_EXT_SZ_SZ + HELLO_EXT_SZ; - } -#endif - - /* is the session cahce off at build or runtime */ -#ifdef NO_SESSION_CACHE - cacheOff = 1; -#else - if (ssl->options.sessionCacheOff == 1) { - cacheOff = 1; - } -#endif - - /* if no session cache don't send a session ID unless we're echoing - * an ID as part of session tickets */ - if (echoId == 0 && cacheOff == 1) { - length -= ID_LEN; /* adjust ID_LEN assumption */ - sessIdSz = 0; - } - - /* check for avalaible size */ - if ((ret = CheckAvailableSize(ssl, MAX_HELLO_SZ)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - /* Server Hello should use the same sequence number as the - * Client Hello. */ - ssl->keys.dtls_sequence_number_hi = ssl->keys.curSeq_hi; - ssl->keys.dtls_sequence_number_lo = ssl->keys.curSeq_lo; - idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif /* WOLFSSL_DTLS */ - AddHeaders(output, length, server_hello, ssl); - - /* now write to output */ - /* first version */ - output[idx++] = ssl->version.major; - output[idx++] = ssl->version.minor; - - /* then random and session id */ - if (!ssl->options.resuming) { - /* generate random part and session id */ - ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, - RAN_LEN + sizeof(sessIdSz) + sessIdSz); - if (ret != 0) - return ret; - - /* store info in SSL for later */ - XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN); - idx += RAN_LEN; - output[idx++] = sessIdSz; - XMEMCPY(ssl->arrays->sessionID, output + idx, sessIdSz); - ssl->arrays->sessionIDSz = sessIdSz; - } - else { - /* If resuming, use info from SSL */ - XMEMCPY(output + idx, ssl->arrays->serverRandom, RAN_LEN); - idx += RAN_LEN; - output[idx++] = sessIdSz; - XMEMCPY(output + idx, ssl->arrays->sessionID, sessIdSz); - } - idx += sessIdSz; - -#ifdef SHOW_SECRETS - { - int j; - printf("server random: "); - for (j = 0; j < RAN_LEN; j++) - printf("%02x", ssl->arrays->serverRandom[j]); - printf("\n"); - } -#endif - - /* then cipher suite */ - output[idx++] = ssl->options.cipherSuite0; - output[idx++] = ssl->options.cipherSuite; - - /* then compression */ - if (ssl->options.usingCompression) - output[idx++] = ZLIB_COMPRESSION; - else - output[idx++] = NO_COMPRESSION; - - /* last, extensions */ -#ifdef HAVE_TLS_EXTENSIONS - TLSX_WriteResponse(ssl, output + idx, server_hello); -#else -#ifdef HAVE_EXTENDED_MASTER - if (ssl->options.haveEMS) { - c16toa(HELLO_EXT_SZ, output + idx); - idx += HELLO_EXT_SZ_SZ; - - c16toa(HELLO_EXT_EXTMS, output + idx); - idx += HELLO_EXT_TYPE_SZ; - c16toa(0, output + idx); - /*idx += HELLO_EXT_SZ_SZ;*/ - /* idx is not used after this point. uncomment the line above - * if adding any more extentions in the future. */ - } -#endif -#endif - - ssl->buffers.outputBuffer.length += sendSz; - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) - return ret; - } - - if (ssl->options.dtls) { - DtlsSEQIncrement(ssl, CUR_ORDER); - } - #endif - - ret = HashOutput(ssl, output, sendSz, 0); - if (ret != 0) - return ret; - - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "ServerHello"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "ServerHello", handshake, output, sendSz, - WRITE_PROTO, ssl->heap); - #endif - - ssl->options.serverState = SERVER_HELLO_COMPLETE; - - if (ssl->options.groupMessages) - return 0; - else - return SendBuffered(ssl); - } - - -#ifdef HAVE_ECC - - static byte SetCurveId(ecc_key* key) - { - if (key == NULL || key->dp == NULL) { - WOLFSSL_MSG("SetCurveId: Invalid key!"); - return 0; - } - - switch(key->dp->oidSum) { - #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP160R1_OID: - return WOLFSSL_ECC_SECP160R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_SECPR2 - case ECC_SECP160R2_OID: - return WOLFSSL_ECC_SECP160R2; - #endif /* HAVE_ECC_SECPR2 */ - #ifdef HAVE_ECC_KOBLITZ - case ECC_SECP160K1_OID: - return WOLFSSL_ECC_SECP160K1; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP192R1_OID: - return WOLFSSL_ECC_SECP192R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case ECC_SECP192K1_OID: - return WOLFSSL_ECC_SECP192K1; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP224R1_OID: - return WOLFSSL_ECC_SECP224R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case ECC_SECP224K1_OID: - return WOLFSSL_ECC_SECP224K1; - #endif /* HAVE_ECC_KOBLITZ */ - #endif - #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP256R1_OID: - return WOLFSSL_ECC_SECP256R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_KOBLITZ - case ECC_SECP256K1_OID: - return WOLFSSL_ECC_SECP256K1; - #endif /* HAVE_ECC_KOBLITZ */ - #ifdef HAVE_ECC_BRAINPOOL - case ECC_BRAINPOOLP256R1_OID: - return WOLFSSL_ECC_BRAINPOOLP256R1; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES) - #ifdef HAVE_CURVE25519 - case ECC_X25519_OID: - return WOLFSSL_ECC_X25519; - #endif - #ifndef NO_ECC_SECP - case ECC_SECP384R1_OID: - return WOLFSSL_ECC_SECP384R1; - #endif /* !NO_ECC_SECP */ - #ifdef HAVE_ECC_BRAINPOOL - case ECC_BRAINPOOLP384R1_OID: - return WOLFSSL_ECC_BRAINPOOLP384R1; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES) - #ifdef HAVE_ECC_BRAINPOOL - case ECC_BRAINPOOLP512R1_OID: - return WOLFSSL_ECC_BRAINPOOLP512R1; - #endif /* HAVE_ECC_BRAINPOOL */ - #endif - #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) - #ifndef NO_ECC_SECP - case ECC_SECP521R1_OID: - return WOLFSSL_ECC_SECP521R1; - #endif /* !NO_ECC_SECP */ - #endif - default: - return 0; - } - } - -#endif /* HAVE_ECC */ - - typedef struct SskeArgs { - byte* output; /* not allocated */ - #if defined(HAVE_ECC) || (!defined(NO_DH) && !defined(NO_RSA)) - byte* sigDataBuf; - #endif - #if defined(HAVE_ECC) - byte* exportBuf; - #endif - #ifndef NO_RSA - byte* verifySig; - #endif - word32 idx; - word32 tmpSigSz; - word32 length; - word32 sigSz; - #if defined(HAVE_ECC) || (!defined(NO_DH) && !defined(NO_RSA)) - word32 sigDataSz; - #endif - #if defined(HAVE_ECC) - word32 exportSz; - #endif - #ifdef HAVE_QSH - word32 qshSz; - #endif - int sendSz; - } SskeArgs; - - static void FreeSskeArgs(WOLFSSL* ssl, void* pArgs) - { - SskeArgs* args = (SskeArgs*)pArgs; - - (void)ssl; - - #if defined(HAVE_ECC) - if (args->exportBuf) { - XFREE(args->exportBuf, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->exportBuf = NULL; - } - #endif - #if defined(HAVE_ECC) || (!defined(NO_DH) && !defined(NO_RSA)) - if (args->sigDataBuf) { - XFREE(args->sigDataBuf, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->sigDataBuf = NULL; - } - #endif - #ifndef NO_RSA - if (args->verifySig) { - XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - args->verifySig = NULL; - } - #endif - (void)args; - } - - int SendServerKeyExchange(WOLFSSL* ssl) - { - int ret; - #ifdef WOLFSSL_ASYNC_CRYPT - SskeArgs* args = (SskeArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); - #else - SskeArgs args[1]; - #endif - - WOLFSSL_ENTER("SendServerKeyExchange"); - - #ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_sske; - } - else - #endif - { - /* Reset state */ - ret = 0; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - XMEMSET(args, 0, sizeof(SskeArgs)); - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeSskeArgs; - #endif - } - - switch(ssl->options.asyncState) - { - case TLS_ASYNC_BEGIN: - { - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent) { - args->qshSz = QSH_KeyGetSize(ssl); - } - #endif - - /* Do some checks / debug msgs */ - switch(ssl->specs.kea) - { - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - WOLFSSL_MSG("Using ephemeral ECDH PSK"); - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - if (ssl->specs.static_ecdh) { - WOLFSSL_MSG("Using Static ECDH, not sending ServerKeyExchange"); - ERROR_OUT(0, exit_sske); - } - - /* make sure private key exists */ - if (ssl->buffers.key == NULL || - ssl->buffers.key->buffer == NULL) { - ERROR_OUT(NO_PRIVATE_KEY, exit_sske); - } - - WOLFSSL_MSG("Using ephemeral ECDH"); - break; - } - #endif /* HAVE_ECC */ - } - - /* Preparing keys */ - switch(ssl->specs.kea) - { - #ifndef NO_PSK - case psk_kea: - { - /* Nothing to do in this sub-state */ - break; - } - #endif /* !NO_PSK */ - #if !defined(NO_DH) && (!defined(NO_PSK) || !defined(NO_RSA)) - #if !defined(NO_PSK) - case dhe_psk_kea: - #endif - #if !defined(NO_RSA) - case diffie_hellman_kea: - #endif - { - /* Allocate DH key buffers and generate key */ - if (ssl->buffers.serverDH_P.buffer == NULL || - ssl->buffers.serverDH_G.buffer == NULL) { - ERROR_OUT(NO_DH_PARAMS, exit_sske); - } - - if (ssl->buffers.serverDH_Pub.buffer == NULL) { - /* Free'd in SSL_ResourceFree and FreeHandshakeResources */ - ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC( - ssl->buffers.serverDH_P.length + OPAQUE16_LEN, - ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_Pub.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - } - - if (ssl->buffers.serverDH_Priv.buffer == NULL) { - /* Free'd in SSL_ResourceFree and FreeHandshakeResources */ - ssl->buffers.serverDH_Priv.buffer = (byte*)XMALLOC( - ssl->buffers.serverDH_P.length + OPAQUE16_LEN, - ssl->heap, DYNAMIC_TYPE_DH_BUFFER); - if (ssl->buffers.serverDH_Priv.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - } - - ssl->options.dhKeySz = - (word16)ssl->buffers.serverDH_P.length; - - ret = AllocKey(ssl, DYNAMIC_TYPE_DH, - (void**)&ssl->buffers.serverDH_Key); - if (ret != 0) { - goto exit_sske; - } - - ret = wc_DhSetKey(ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); - if (ret != 0) { - goto exit_sske; - } - - ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_Priv.buffer, - &ssl->buffers.serverDH_Priv.length, - ssl->buffers.serverDH_Pub.buffer, - &ssl->buffers.serverDH_Pub.length); - break; - } - #endif /* !NO_DH && (!NO_PSK || !NO_RSA) */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - /* Fall through to create temp ECC key */ - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - #ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID == ECC_X25519_OID) { - /* need ephemeral key now, create it if missing */ - if (ssl->eccTempKey == NULL) { - /* alloc/init on demand */ - ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519, - (void**)&ssl->eccTempKey); - if (ret != 0) { - goto exit_sske; - } - } - - if (ssl->eccTempKeyPresent == 0) { - ret = X25519MakeKey(ssl, - (curve25519_key*)ssl->eccTempKey, NULL); - if (ret == 0 || ret == WC_PENDING_E) { - ssl->eccTempKeyPresent = 1; - } - } - break; - } - #endif - /* need ephemeral key now, create it if missing */ - if (ssl->eccTempKey == NULL) { - /* alloc/init on demand */ - ret = AllocKey(ssl, DYNAMIC_TYPE_ECC, - (void**)&ssl->eccTempKey); - if (ret != 0) { - goto exit_sske; - } - } - - if (ssl->eccTempKeyPresent == 0) { - /* TODO: Need to first do wc_EccPrivateKeyDecode, - then we know curve dp */ - ret = EccMakeKey(ssl, ssl->eccTempKey, NULL); - if (ret == 0 || ret == WC_PENDING_E) { - ssl->eccTempKeyPresent = 1; - } - } - break; - } - #endif /* HAVE_ECC */ - default: - /* Skip ServerKeyExchange */ - goto exit_sske; - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_sske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_BUILD; - } /* case TLS_ASYNC_BEGIN */ - FALL_THROUGH; - - case TLS_ASYNC_BUILD: - { - #if (!defined(NO_DH) && !defined(NO_RSA)) || defined(HAVE_ECC) - word32 preSigSz, preSigIdx; - #endif - - switch(ssl->specs.kea) - { - #ifndef NO_PSK - case psk_kea: - { - args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - - if (ssl->arrays->server_hint[0] == 0) { - ERROR_OUT(0, exit_sske); /* don't send */ - } - - /* include size part */ - args->length = (word32)XSTRLEN(ssl->arrays->server_hint); - if (args->length > MAX_PSK_ID_LEN) { - ERROR_OUT(SERVER_HINT_ERROR, exit_sske); - } - - args->length += HINT_LEN_SZ; - args->sendSz = args->length + HANDSHAKE_HEADER_SZ + - RECORD_HEADER_SZ; - - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { - goto exit_sske; - } - - /* get ouput buffer */ - args->output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(args->output, args->length, - server_key_exchange, ssl); - - /* key data */ - #ifdef HAVE_QSH - c16toa((word16)(args->length - args->qshSz - - HINT_LEN_SZ), args->output + args->idx); - #else - c16toa((word16)(args->length - HINT_LEN_SZ), - args->output + args->idx); - #endif - - args->idx += HINT_LEN_SZ; - XMEMCPY(args->output + args->idx, - ssl->arrays->server_hint, - args->length - HINT_LEN_SZ); - break; - } - #endif /* !NO_PSK */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - word32 hintLen; - - args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - args->length = LENGTH_SZ * 3 + /* p, g, pub */ - ssl->buffers.serverDH_P.length + - ssl->buffers.serverDH_G.length + - ssl->buffers.serverDH_Pub.length; - - /* include size part */ - hintLen = (word32)XSTRLEN(ssl->arrays->server_hint); - if (hintLen > MAX_PSK_ID_LEN) { - ERROR_OUT(SERVER_HINT_ERROR, exit_sske); - } - args->length += hintLen + HINT_LEN_SZ; - args->sendSz = args->length + HANDSHAKE_HEADER_SZ + - RECORD_HEADER_SZ; - - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { - goto exit_sske; - } - - /* get ouput buffer */ - args->output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(args->output, args->length, - server_key_exchange, ssl); - - /* key data */ - c16toa((word16)hintLen, args->output + args->idx); - args->idx += HINT_LEN_SZ; - XMEMCPY(args->output + args->idx, - ssl->arrays->server_hint, hintLen); - args->idx += hintLen; - - /* add p, g, pub */ - c16toa((word16)ssl->buffers.serverDH_P.length, - args->output + args->idx); - args->idx += LENGTH_SZ; - XMEMCPY(args->output + args->idx, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length); - args->idx += ssl->buffers.serverDH_P.length; - - /* g */ - c16toa((word16)ssl->buffers.serverDH_G.length, - args->output + args->idx); - args->idx += LENGTH_SZ; - XMEMCPY(args->output + args->idx, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); - args->idx += ssl->buffers.serverDH_G.length; - - /* pub */ - c16toa((word16)ssl->buffers.serverDH_Pub.length, - args->output + args->idx); - args->idx += LENGTH_SZ; - XMEMCPY(args->output + args->idx, - ssl->buffers.serverDH_Pub.buffer, - ssl->buffers.serverDH_Pub.length); - /* No need to update idx, since sizes are already set */ - /* args->idx += ssl->buffers.serverDH_Pub.length; */ - break; - } - #endif /* !defined(NO_DH) && !defined(NO_PSK) */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - word32 hintLen; - - /* curve type, named curve, length(1) */ - args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - args->length = ENUM_LEN + CURVE_LEN + ENUM_LEN; - - args->exportSz = MAX_EXPORT_ECC_SZ; - args->exportBuf = (byte*)XMALLOC(args->exportSz, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (args->exportBuf == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - #ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID == ECC_X25519_OID) { - if (wc_curve25519_export_public_ex( - (curve25519_key*)ssl->eccTempKey, - args->exportBuf, &args->exportSz, - EC25519_LITTLE_ENDIAN) != 0) { - ERROR_OUT(ECC_EXPORT_ERROR, exit_sske); - } - } - else - #endif - { - if (wc_ecc_export_x963(ssl->eccTempKey, - args->exportBuf, &args->exportSz) != 0) { - ERROR_OUT(ECC_EXPORT_ERROR, exit_sske); - } - } - args->length += args->exportSz; - - /* include size part */ - hintLen = (word32)XSTRLEN(ssl->arrays->server_hint); - if (hintLen > MAX_PSK_ID_LEN) { - ERROR_OUT(SERVER_HINT_ERROR, exit_sske); - } - args->length += hintLen + HINT_LEN_SZ; - args->sendSz = args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { - goto exit_sske; - } - - /* get output buffer */ - args->output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - /* key data */ - c16toa((word16)hintLen, args->output + args->idx); - args->idx += HINT_LEN_SZ; - XMEMCPY(args->output + args->idx, - ssl->arrays->server_hint, hintLen); - args->idx += hintLen; - - /* ECC key exchange data */ - args->output[args->idx++] = named_curve; - args->output[args->idx++] = 0x00; /* leading zero */ - #ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID == ECC_X25519_OID) - args->output[args->idx++] = WOLFSSL_ECC_X25519; - else - #endif - { - args->output[args->idx++] = - SetCurveId(ssl->eccTempKey); - } - args->output[args->idx++] = (byte)args->exportSz; - XMEMCPY(args->output + args->idx, args->exportBuf, - args->exportSz); - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - enum wc_HashType hashType; - - /* curve type, named curve, length(1) */ - args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - args->length = ENUM_LEN + CURVE_LEN + ENUM_LEN; - - /* Export temp ECC key and add to length */ - args->exportSz = MAX_EXPORT_ECC_SZ; - args->exportBuf = (byte*)XMALLOC(args->exportSz, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (args->exportBuf == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - #ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID == ECC_X25519_OID) { - if (wc_curve25519_export_public_ex( - (curve25519_key*)ssl->eccTempKey, - args->exportBuf, &args->exportSz, - EC25519_LITTLE_ENDIAN) != 0) { - ERROR_OUT(ECC_EXPORT_ERROR, exit_sske); - } - } - else - #endif - { - if (wc_ecc_export_x963(ssl->eccTempKey, - args->exportBuf, &args->exportSz) != 0) { - ERROR_OUT(ECC_EXPORT_ERROR, exit_sske); - } - } - args->length += args->exportSz; - - preSigSz = args->length; - preSigIdx = args->idx; - - switch(ssl->suites->sigAlgo) - { - #ifndef NO_RSA - #ifdef WC_RSA_PSS - case rsa_pss_sa_algo: - #endif - case rsa_sa_algo: - { - word32 i = 0; - int keySz; - - ssl->hsType = DYNAMIC_TYPE_RSA; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_sske; - } - - ret = wc_RsaPrivateKeyDecode( - ssl->buffers.key->buffer, - &i, - (RsaKey*)ssl->hsKey, - ssl->buffers.key->length); - if (ret != 0) { - goto exit_sske; - } - keySz = wc_RsaEncryptSize((RsaKey*)ssl->hsKey); - if (keySz < 0) { /* test if keySz has error */ - ERROR_OUT(keySz, exit_sske); - } - - args->tmpSigSz = (word32)keySz; - if (keySz < ssl->options.minRsaKeySz) { - WOLFSSL_MSG("RSA signature key size too small"); - ERROR_OUT(RSA_KEY_SIZE_E, exit_sske); - } - break; - } - #endif /* !NO_RSA */ - case ecc_dsa_sa_algo: - { - word32 i = 0; - - ssl->hsType = DYNAMIC_TYPE_ECC; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_sske; - } - - ret = wc_EccPrivateKeyDecode( - ssl->buffers.key->buffer, - &i, - (ecc_key*)ssl->hsKey, - ssl->buffers.key->length); - if (ret != 0) { - goto exit_sske; - } - /* worst case estimate */ - args->tmpSigSz = wc_ecc_sig_size( - (ecc_key*)ssl->hsKey); - - /* check the minimum ECC key size */ - if (wc_ecc_size((ecc_key*)ssl->hsKey) < - ssl->options.minEccKeySz) { - WOLFSSL_MSG("ECC key size too small"); - ret = ECC_KEY_SIZE_E; - goto exit_sske; - } - break; - } - default: - ERROR_OUT(ALGO_ID_E, exit_sske); /* unsupported type */ - } /* switch(ssl->specs.sig_algo) */ - - /* sig length */ - args->length += LENGTH_SZ; - args->length += args->tmpSigSz; - - if (IsAtLeastTLSv1_2(ssl)) { - args->length += HASH_SIG_SIZE; - } - - args->sendSz = args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - preSigIdx = args->idx; - } - #endif - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { - goto exit_sske; - } - - /* get ouput buffer */ - args->output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - /* record and message headers will be added below, when we're sure - of the sig length */ - - /* key exchange data */ - args->output[args->idx++] = named_curve; - args->output[args->idx++] = 0x00; /* leading zero */ - #ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID == ECC_X25519_OID) - args->output[args->idx++] = WOLFSSL_ECC_X25519; - else - #endif - { - args->output[args->idx++] = - SetCurveId(ssl->eccTempKey); - } - args->output[args->idx++] = (byte)args->exportSz; - XMEMCPY(args->output + args->idx, args->exportBuf, args->exportSz); - args->idx += args->exportSz; - - /* Determine hash type */ - if (IsAtLeastTLSv1_2(ssl)) { - EncodeSigAlg(ssl->suites->hashAlgo, - ssl->suites->sigAlgo, - &args->output[args->idx]); - args->idx += 2; - - hashType = HashType(ssl->suites->hashAlgo); - if (hashType == WC_HASH_TYPE_NONE) { - ERROR_OUT(ALGO_ID_E, exit_sske); - } - - } else { - /* only using sha and md5 for rsa */ - #ifndef NO_OLD_TLS - hashType = WC_HASH_TYPE_SHA; - if (ssl->suites->sigAlgo == rsa_sa_algo) { - hashType = WC_HASH_TYPE_MD5_SHA; - } - #else - ERROR_OUT(ALGO_ID_E, exit_sske); - #endif - } - - /* Signtaure length will be written later, when we're sure what it is */ - - #ifdef HAVE_FUZZER - if (ssl->fuzzerCb) { - ssl->fuzzerCb(ssl, args->output + preSigIdx, - preSigSz, FUZZ_SIGNATURE, ssl->fuzzerCtx); - } - #endif - - /* Assemble buffer to hash for signature */ - args->sigDataSz = RAN_LEN + RAN_LEN + preSigSz; - args->sigDataBuf = (byte*)XMALLOC(args->sigDataSz, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (args->sigDataBuf == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - XMEMCPY(args->sigDataBuf, ssl->arrays->clientRandom, - RAN_LEN); - XMEMCPY(args->sigDataBuf+RAN_LEN, - ssl->arrays->serverRandom, RAN_LEN); - XMEMCPY(args->sigDataBuf+RAN_LEN+RAN_LEN, - args->output + preSigIdx, preSigSz); - - ssl->buffers.sig.length = wc_HashGetDigestSize(hashType); - ssl->buffers.sig.buffer = (byte*)XMALLOC( - ssl->buffers.sig.length, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->buffers.sig.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - - /* Perform hash */ - ret = wc_Hash(hashType, - args->sigDataBuf, args->sigDataSz, - ssl->buffers.sig.buffer, ssl->buffers.sig.length); - if (ret != 0) { - goto exit_sske; - } - - args->sigSz = args->tmpSigSz; - - /* Sign hash to create signature */ - switch (ssl->suites->sigAlgo) - { - #ifndef NO_RSA - case rsa_sa_algo: - { - /* For TLS 1.2 re-encode signature */ - if (IsAtLeastTLSv1_2(ssl)) { - byte* encodedSig = (byte*)XMALLOC( - MAX_ENCODED_SIG_SZ, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (encodedSig == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - - ssl->buffers.sig.length = - wc_EncodeSignature(encodedSig, - ssl->buffers.sig.buffer, - ssl->buffers.sig.length, - TypeHash(ssl->suites->hashAlgo)); - - /* Replace sig buffer with new one */ - XFREE(ssl->buffers.sig.buffer, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - ssl->buffers.sig.buffer = encodedSig; - } - - /* write sig size here */ - c16toa((word16)args->sigSz, - args->output + args->idx); - args->idx += LENGTH_SZ; - break; - } - #ifdef WC_RSA_PSS - case rsa_pss_sa_algo: - /* write sig size here */ - c16toa((word16)args->sigSz, - args->output + args->idx); - args->idx += LENGTH_SZ; - break; - #endif - #endif /* !NO_RSA */ - case ecc_dsa_sa_algo: - { - break; - } - } /* switch(ssl->specs.sig_algo) */ - break; - } - #endif /* HAVE_ECC */ - #if !defined(NO_DH) && !defined(NO_RSA) - case diffie_hellman_kea: - { - enum wc_HashType hashType; - - args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - args->length = LENGTH_SZ * 3; /* p, g, pub */ - args->length += ssl->buffers.serverDH_P.length + - ssl->buffers.serverDH_G.length + - ssl->buffers.serverDH_Pub.length; - - preSigIdx = args->idx; - preSigSz = args->length; - - if (!ssl->options.usingAnon_cipher) { - word32 i = 0; - int keySz; - - /* make sure private key exists */ - if (ssl->buffers.key == NULL || - ssl->buffers.key->buffer == NULL) { - ERROR_OUT(NO_PRIVATE_KEY, exit_sske); - } - - ssl->hsType = DYNAMIC_TYPE_RSA; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_sske; - } - - /* sig length */ - args->length += LENGTH_SZ; - - ret = wc_RsaPrivateKeyDecode( - ssl->buffers.key->buffer, &i, - (RsaKey*)ssl->hsKey, ssl->buffers.key->length); - if (ret != 0) { - goto exit_sske; - } - keySz = wc_RsaEncryptSize((RsaKey*)ssl->hsKey); - if (keySz < 0) { /* test if keySz has error */ - ERROR_OUT(keySz, exit_sske); - } - args->tmpSigSz = (word32)keySz; - args->length += args->tmpSigSz; - - if (keySz < ssl->options.minRsaKeySz) { - WOLFSSL_MSG("RSA key size too small"); - ERROR_OUT(RSA_KEY_SIZE_E, exit_sske); - } - - if (IsAtLeastTLSv1_2(ssl)) { - args->length += HASH_SIG_SIZE; - } - } - - args->sendSz = args->length + HANDSHAKE_HEADER_SZ + - RECORD_HEADER_SZ; - - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - preSigIdx = args->idx; - } - #endif - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { - goto exit_sske; - } - - /* get ouput buffer */ - args->output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(args->output, args->length, - server_key_exchange, ssl); - - /* add p, g, pub */ - c16toa((word16)ssl->buffers.serverDH_P.length, - args->output + args->idx); - args->idx += LENGTH_SZ; - XMEMCPY(args->output + args->idx, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length); - args->idx += ssl->buffers.serverDH_P.length; - - /* g */ - c16toa((word16)ssl->buffers.serverDH_G.length, - args->output + args->idx); - args->idx += LENGTH_SZ; - XMEMCPY(args->output + args->idx, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); - args->idx += ssl->buffers.serverDH_G.length; - - /* pub */ - c16toa((word16)ssl->buffers.serverDH_Pub.length, - args->output + args->idx); - args->idx += LENGTH_SZ; - XMEMCPY(args->output + args->idx, - ssl->buffers.serverDH_Pub.buffer, - ssl->buffers.serverDH_Pub.length); - args->idx += ssl->buffers.serverDH_Pub.length; - - #ifdef HAVE_FUZZER - if (ssl->fuzzerCb) { - ssl->fuzzerCb(ssl, args->output + preSigIdx, - preSigSz, FUZZ_SIGNATURE, ssl->fuzzerCtx); - } - #endif - - if (ssl->options.usingAnon_cipher) { - break; - } - - /* Determine hash type */ - if (IsAtLeastTLSv1_2(ssl)) { - EncodeSigAlg(ssl->suites->hashAlgo, - ssl->suites->sigAlgo, - &args->output[args->idx]); - args->idx += 2; - - hashType = HashType(ssl->suites->hashAlgo); - if (hashType == WC_HASH_TYPE_NONE) { - ERROR_OUT(ALGO_ID_E, exit_sske); - } - } else { - /* only using sha and md5 for rsa */ - #ifndef NO_OLD_TLS - hashType = WC_HASH_TYPE_SHA; - if (ssl->suites->sigAlgo == rsa_sa_algo) { - hashType = WC_HASH_TYPE_MD5_SHA; - } - #else - ERROR_OUT(ALGO_ID_E, exit_sske); - #endif - } - - /* signature size */ - c16toa((word16)args->tmpSigSz, args->output + args->idx); - args->idx += LENGTH_SZ; - - /* Assemble buffer to hash for signature */ - args->sigDataSz = RAN_LEN + RAN_LEN + preSigSz; - args->sigDataBuf = (byte*)XMALLOC(args->sigDataSz, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (args->sigDataBuf == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - XMEMCPY(args->sigDataBuf, ssl->arrays->clientRandom, - RAN_LEN); - XMEMCPY(args->sigDataBuf+RAN_LEN, - ssl->arrays->serverRandom, RAN_LEN); - XMEMCPY(args->sigDataBuf+RAN_LEN+RAN_LEN, - args->output + preSigIdx, preSigSz); - - ssl->buffers.sig.length = wc_HashGetDigestSize(hashType); - ssl->buffers.sig.buffer = (byte*)XMALLOC( - ssl->buffers.sig.length, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (ssl->buffers.sig.buffer == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - - /* Perform hash */ - ret = wc_Hash(hashType, - args->sigDataBuf, args->sigDataSz, - ssl->buffers.sig.buffer, ssl->buffers.sig.length); - if (ret != 0) { - goto exit_sske; - } - - args->sigSz = args->tmpSigSz; - - /* Sign hash to create signature */ - switch (ssl->suites->sigAlgo) - { - #ifndef NO_RSA - case rsa_sa_algo: - { - /* For TLS 1.2 re-encode signature */ - if (IsAtLeastTLSv1_2(ssl)) { - byte* encodedSig = (byte*)XMALLOC( - MAX_ENCODED_SIG_SZ, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (encodedSig == NULL) { - ERROR_OUT(MEMORY_E, exit_sske); - } - - ssl->buffers.sig.length = - wc_EncodeSignature(encodedSig, - ssl->buffers.sig.buffer, - ssl->buffers.sig.length, - TypeHash(ssl->suites->hashAlgo)); - - /* Replace sig buffer with new one */ - XFREE(ssl->buffers.sig.buffer, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - ssl->buffers.sig.buffer = encodedSig; - } - break; - } - #endif /* NO_RSA */ - } /* switch (ssl->suites->sigAlgo) */ - break; - } - #endif /* !defined(NO_DH) && !defined(NO_RSA) */ - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_sske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_DO; - } /* case TLS_ASYNC_BUILD */ - FALL_THROUGH; - - case TLS_ASYNC_DO: - { - switch(ssl->specs.kea) - { - #ifndef NO_PSK - case psk_kea: - { - break; - } - #endif /* !NO_PSK */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - break; - } - #endif /* !defined(NO_DH) && !defined(NO_PSK) */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - /* Sign hash to create signature */ - switch (ssl->suites->sigAlgo) - { - #ifndef NO_RSA - #ifdef WC_RSA_PSS - case rsa_pss_sa_algo: - #endif - case rsa_sa_algo: - { - RsaKey* key = (RsaKey*)ssl->hsKey; - - ret = RsaSign(ssl, - ssl->buffers.sig.buffer, - ssl->buffers.sig.length, - args->output + args->idx, - &args->sigSz, - ssl->suites->sigAlgo, ssl->suites->hashAlgo, - key, - ssl->buffers.key->buffer, - ssl->buffers.key->length, - #ifdef HAVE_PK_CALLBACKS - ssl->RsaSignCtx - #else - NULL - #endif - ); - break; - } - #endif /* !NO_RSA */ - case ecc_dsa_sa_algo: - { - ecc_key* key = (ecc_key*)ssl->hsKey; - - ret = EccSign(ssl, - ssl->buffers.sig.buffer, - ssl->buffers.sig.length, - args->output + LENGTH_SZ + args->idx, - &args->sigSz, - key, - #if defined(HAVE_PK_CALLBACKS) - ssl->buffers.key->buffer, - ssl->buffers.key->length, - ssl->EccSignCtx - #else - NULL, 0, NULL - #endif - ); - break; - } - } /* switch(ssl->specs.sig_algo) */ - break; - } - #endif /* HAVE_ECC */ - #if !defined(NO_DH) && !defined(NO_RSA) - case diffie_hellman_kea: - { - /* Sign hash to create signature */ - switch (ssl->suites->sigAlgo) - { - #ifndef NO_RSA - #ifdef WC_RSA_PSS - case rsa_pss_sa_algo: - #endif - case rsa_sa_algo: - { - RsaKey* key = (RsaKey*)ssl->hsKey; - - if (ssl->options.usingAnon_cipher) { - break; - } - - ret = RsaSign(ssl, - ssl->buffers.sig.buffer, - ssl->buffers.sig.length, - args->output + args->idx, - &args->sigSz, - ssl->suites->sigAlgo, ssl->suites->hashAlgo, - key, - ssl->buffers.key->buffer, - ssl->buffers.key->length, - #ifdef HAVE_PK_CALLBACKS - ssl->RsaSignCtx - #else - NULL - #endif - ); - break; - } - #endif /* NO_RSA */ - } /* switch (ssl->suites->sigAlgo) */ - - break; - } - #endif /* !defined(NO_DH) && !defined(NO_RSA) */ - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_sske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_VERIFY; - } /* case TLS_ASYNC_DO */ - FALL_THROUGH; - - case TLS_ASYNC_VERIFY: - { - switch(ssl->specs.kea) - { - #ifndef NO_PSK - case psk_kea: - { - /* Nothing to do in this sub-state */ - break; - } - #endif /* !NO_PSK */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - /* Nothing to do in this sub-state */ - break; - } - #endif /* !defined(NO_DH) && !defined(NO_PSK) */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - /* Nothing to do in this sub-state */ - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - switch(ssl->suites->sigAlgo) - { - #ifndef NO_RSA - #ifdef WC_RSA_PSS - case rsa_pss_sa_algo: - #endif - case rsa_sa_algo: - { - RsaKey* key = (RsaKey*)ssl->hsKey; - - if (args->verifySig == NULL) { - if (args->sigSz == 0) { - ERROR_OUT(BAD_COND_E, exit_sske); - } - args->verifySig = (byte*)XMALLOC( - args->sigSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (!args->verifySig) { - ERROR_OUT(MEMORY_E, exit_sske); - } - XMEMCPY(args->verifySig, - args->output + args->idx, args->sigSz); - } - - /* check for signature faults */ - ret = VerifyRsaSign(ssl, - args->verifySig, args->sigSz, - ssl->buffers.sig.buffer, - ssl->buffers.sig.length, - ssl->suites->sigAlgo, ssl->suites->hashAlgo, - key - ); - break; - } - #endif - case ecc_dsa_sa_algo: - { - /* Now that we know the real sig size, write it. */ - c16toa((word16)args->sigSz, - args->output + args->idx); - - /* And adjust length and sendSz from estimates */ - args->length += args->sigSz - args->tmpSigSz; - args->sendSz += args->sigSz - args->tmpSigSz; - break; - } - default: - ERROR_OUT(ALGO_ID_E, exit_sske); /* unsupported type */ - } /* switch(ssl->specs.sig_algo) */ - break; - } - #endif /* HAVE_ECC */ - #if !defined(NO_DH) && !defined(NO_RSA) - case diffie_hellman_kea: - { - switch (ssl->suites->sigAlgo) - { - #ifndef NO_RSA - #ifndef WC_RSA_PSS - case rsa_pss_sa_algo: - #endif - case rsa_sa_algo: - { - RsaKey* key = (RsaKey*)ssl->hsKey; - - if (ssl->options.usingAnon_cipher) { - break; - } - - if (args->verifySig == NULL) { - if (args->sigSz == 0) { - ERROR_OUT(BAD_COND_E, exit_sske); - } - args->verifySig = (byte*)XMALLOC( - args->sigSz, ssl->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (!args->verifySig) { - ERROR_OUT(MEMORY_E, exit_sske); - } - XMEMCPY(args->verifySig, - args->output + args->idx, args->sigSz); - } - - /* check for signature faults */ - ret = VerifyRsaSign(ssl, - args->verifySig, args->sigSz, - ssl->buffers.sig.buffer, - ssl->buffers.sig.length, - ssl->suites->sigAlgo, ssl->suites->hashAlgo, - key - ); - break; - } - #endif - } /* switch (ssl->suites->sigAlgo) */ - break; - } - #endif /* !defined(NO_DH) && !defined(NO_RSA) */ - } /* switch(ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_sske; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_FINALIZE; - } /* case TLS_ASYNC_VERIFY */ - FALL_THROUGH; - - case TLS_ASYNC_FINALIZE: - { - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent) { - if (args->qshSz > 0) { - args->idx = args->sendSz - args->qshSz; - if (QSH_KeyExchangeWrite(ssl, 1) != 0) { - ERROR_OUT(MEMORY_E, exit_sske); - } - - /* extension type */ - c16toa(TLSX_QUANTUM_SAFE_HYBRID, - args->output + args->idx); - args->idx += OPAQUE16_LEN; - - /* write to output and check amount written */ - if (TLSX_QSHPK_Write(ssl->QSH_secret->list, - args->output + args->idx) > - args->qshSz - OPAQUE16_LEN) { - ERROR_OUT(MEMORY_E, exit_sske); - } - } - } - #endif - - #if defined(HAVE_ECC) - if (ssl->specs.kea == ecdhe_psk_kea || - ssl->specs.kea == ecc_diffie_hellman_kea) { - /* Check output to make sure it was set */ - if (args->output) { - AddHeaders(args->output, args->length, - server_key_exchange, ssl); - } - else { - ERROR_OUT(BUFFER_ERROR, exit_sske); - } - } - #endif /* HAVE_ECC */ - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, args->output, args->sendSz)) != 0) { - goto exit_sske; - } - } - - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - - ret = HashOutput(ssl, args->output, args->sendSz, 0); - if (ret != 0) { - goto exit_sske; - } - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) { - AddPacketName(ssl, "ServerKeyExchange"); - } - if (ssl->toInfoOn) { - AddPacketInfo(ssl, "ServerKeyExchange", handshake, - args->output, args->sendSz, WRITE_PROTO, ssl->heap); - } - #endif - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_END; - } /* case TLS_ASYNC_FINALIZE */ - FALL_THROUGH; - - case TLS_ASYNC_END: - { - ssl->buffers.outputBuffer.length += args->sendSz; - if (!ssl->options.groupMessages) { - ret = SendBuffered(ssl); - } - - ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE; - break; - } - default: - ret = INPUT_CASE_ERROR; - } /* switch(ssl->options.asyncState) */ - - exit_sske: - - WOLFSSL_LEAVE("SendServerKeyExchange", ret); - - #ifdef WOLFSSL_ASYNC_CRYPT - /* Handle async operation */ - if (ret == WC_PENDING_E) - return ret; - #endif /* WOLFSSL_ASYNC_CRYPT */ - - /* Final cleanup */ - FreeSskeArgs(ssl, args); - FreeKeyExchange(ssl); - - return ret; - } - -#ifdef HAVE_SERVER_RENEGOTIATION_INFO - - /* search suites for specific one, idx on success, negative on error */ - static int FindSuite(Suites* suites, byte first, byte second) - { - int i; - - if (suites == NULL || suites->suiteSz == 0) { - WOLFSSL_MSG("Suites pointer error or suiteSz 0"); - return SUITES_ERROR; - } - - for (i = 0; i < suites->suiteSz-1; i += SUITE_LEN) { - if (suites->suites[i] == first && - suites->suites[i+1] == second ) - return i; - } - - return MATCH_SUITE_ERROR; - } - -#endif - - /* Make sure server cert/key are valid for this suite, true on success */ - static int VerifyServerSuite(WOLFSSL* ssl, word16 idx) - { - int haveRSA = !ssl->options.haveStaticECC; - int havePSK = 0; - byte first; - byte second; - - WOLFSSL_ENTER("VerifyServerSuite"); - - if (ssl->suites == NULL) { - WOLFSSL_MSG("Suites pointer error"); - return 0; - } - - first = ssl->suites->suites[idx]; - second = ssl->suites->suites[idx+1]; - - #ifndef NO_PSK - havePSK = ssl->options.havePSK; - #endif - - if (ssl->options.haveNTRU) - haveRSA = 0; - - if (CipherRequires(first, second, REQUIRES_RSA)) { - WOLFSSL_MSG("Requires RSA"); - if (haveRSA == 0) { - WOLFSSL_MSG("Don't have RSA"); - return 0; - } - } - - if (CipherRequires(first, second, REQUIRES_DHE)) { - WOLFSSL_MSG("Requires DHE"); - if (ssl->options.haveDH == 0) { - WOLFSSL_MSG("Don't have DHE"); - return 0; - } - } - - if (CipherRequires(first, second, REQUIRES_ECC)) { - WOLFSSL_MSG("Requires ECC"); - if (ssl->options.haveECC == 0) { - WOLFSSL_MSG("Don't have ECC"); - return 0; - } - } - - if (CipherRequires(first, second, REQUIRES_ECC_STATIC)) { - WOLFSSL_MSG("Requires static ECC"); - if (ssl->options.haveStaticECC == 0) { - WOLFSSL_MSG("Don't have static ECC"); - return 0; - } - } - - if (CipherRequires(first, second, REQUIRES_PSK)) { - WOLFSSL_MSG("Requires PSK"); - if (havePSK == 0) { - WOLFSSL_MSG("Don't have PSK"); - return 0; - } - } - - if (CipherRequires(first, second, REQUIRES_NTRU)) { - WOLFSSL_MSG("Requires NTRU"); - if (ssl->options.haveNTRU == 0) { - WOLFSSL_MSG("Don't have NTRU"); - return 0; - } - } - - if (CipherRequires(first, second, REQUIRES_RSA_SIG)) { - WOLFSSL_MSG("Requires RSA Signature"); - if (ssl->options.side == WOLFSSL_SERVER_END && - ssl->options.haveECDSAsig == 1) { - WOLFSSL_MSG("Don't have RSA Signature"); - return 0; - } - } - -#ifdef HAVE_SUPPORTED_CURVES - if (!TLSX_ValidateEllipticCurves(ssl, first, second)) { - WOLFSSL_MSG("Don't have matching curves"); - return 0; - } -#endif - - /* ECCDHE is always supported if ECC on */ - -#ifdef HAVE_QSH - /* need to negotiate a classic suite in addition to TLS_QSH */ - if (first == QSH_BYTE && second == TLS_QSH) { - if (TLSX_SupportExtensions(ssl)) { - ssl->options.haveQSH = 1; /* matched TLS_QSH */ - } - else { - WOLFSSL_MSG("Version of SSL connection does not support TLS_QSH"); - } - return 0; - } -#endif - -#ifdef WOLFSSL_TLS13 - if (IsAtLeastTLSv1_3(ssl->version) && - ssl->options.side == WOLFSSL_SERVER_END) { - /* Try to establish a key share. */ - int ret = TLSX_KeyShare_Establish(ssl); - if (ret == KEY_SHARE_ERROR) - ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST; - else if (ret != 0) - return 0; - } -#endif - - return 1; - } - -#ifndef NO_WOLFSSL_SERVER - static int CompareSuites(WOLFSSL* ssl, Suites* peerSuites, word16 i, - word16 j) - { - if (ssl->suites->suites[i] == peerSuites->suites[j] && - ssl->suites->suites[i+1] == peerSuites->suites[j+1] ) { - - if (VerifyServerSuite(ssl, i)) { - int result; - WOLFSSL_MSG("Verified suite validity"); - ssl->options.cipherSuite0 = ssl->suites->suites[i]; - ssl->options.cipherSuite = ssl->suites->suites[i+1]; - result = SetCipherSpecs(ssl); - if (result == 0) - PickHashSigAlgo(ssl, peerSuites->hashSigAlgo, - peerSuites->hashSigAlgoSz); - return result; - } - else { - WOLFSSL_MSG("Could not verify suite validity, continue"); - } - } - - return MATCH_SUITE_ERROR; - } - - int MatchSuite(WOLFSSL* ssl, Suites* peerSuites) - { - int ret; - word16 i, j; - - WOLFSSL_ENTER("MatchSuite"); - - /* & 0x1 equivalent % 2 */ - if (peerSuites->suiteSz == 0 || peerSuites->suiteSz & 0x1) - return MATCH_SUITE_ERROR; - - if (ssl->suites == NULL) - return SUITES_ERROR; - - if (!ssl->options.useClientOrder) { - /* Server order */ - for (i = 0; i < ssl->suites->suiteSz; i += 2) { - for (j = 0; j < peerSuites->suiteSz; j += 2) { - ret = CompareSuites(ssl, peerSuites, i, j); - if (ret != MATCH_SUITE_ERROR) - return ret; - } - } - } - else { - /* Client order */ - for (j = 0; j < peerSuites->suiteSz; j += 2) { - for (i = 0; i < ssl->suites->suiteSz; i += 2) { - ret = CompareSuites(ssl, peerSuites, i, j); - if (ret != MATCH_SUITE_ERROR) - return ret; - } - } - } - - return MATCH_SUITE_ERROR; - } -#endif - -#ifdef OLD_HELLO_ALLOWED - - /* process old style client hello, deprecate? */ - int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - word32 inSz, word16 sz) - { - word32 idx = *inOutIdx; - word16 sessionSz; - word16 randomSz; - word16 i, j; - ProtocolVersion pv; - Suites clSuites; - - (void)inSz; - WOLFSSL_MSG("Got old format client hello"); -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "ClientHello"); - if (ssl->toInfoOn) - AddLateName("ClientHello", &ssl->timeoutInfo); -#endif - - /* manually hash input since different format */ -#ifndef NO_OLD_TLS -#ifndef NO_MD5 - wc_Md5Update(&ssl->hsHashes->hashMd5, input + idx, sz); -#endif -#ifndef NO_SHA - wc_ShaUpdate(&ssl->hsHashes->hashSha, input + idx, sz); -#endif -#endif -#ifndef NO_SHA256 - if (IsAtLeastTLSv1_2(ssl)) { - int shaRet = wc_Sha256Update(&ssl->hsHashes->hashSha256, - input + idx, sz); - if (shaRet != 0) - return shaRet; - } -#endif - - /* does this value mean client_hello? */ - idx++; - - /* version */ - pv.major = input[idx++]; - pv.minor = input[idx++]; - ssl->chVersion = pv; /* store */ - - if (ssl->version.minor > pv.minor) { - byte haveRSA = 0; - byte havePSK = 0; - if (!ssl->options.downgrade) { - WOLFSSL_MSG("Client trying to connect with lesser version"); - return VERSION_ERROR; - } - if (pv.minor < ssl->options.minDowngrade) { - WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); - return VERSION_ERROR; - } - if (pv.minor == SSLv3_MINOR) { - /* turn off tls */ - WOLFSSL_MSG("\tdowngrading to SSLv3"); - ssl->options.tls = 0; - ssl->options.tls1_1 = 0; - ssl->version.minor = SSLv3_MINOR; - } - else if (pv.minor == TLSv1_MINOR) { - WOLFSSL_MSG("\tdowngrading to TLSv1"); - /* turn off tls 1.1+ */ - ssl->options.tls1_1 = 0; - ssl->version.minor = TLSv1_MINOR; - } - else if (pv.minor == TLSv1_1_MINOR) { - WOLFSSL_MSG("\tdowngrading to TLSv1.1"); - ssl->version.minor = TLSv1_1_MINOR; - } - else if (pv.minor == TLSv1_2_MINOR) { - WOLFSSL_MSG(" downgrading to TLSv1.2"); - ssl->version.minor = TLSv1_2_MINOR; - } -#ifndef NO_RSA - haveRSA = 1; -#endif -#ifndef NO_PSK - havePSK = ssl->options.havePSK; -#endif - - InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); - } - - /* suite size */ - ato16(&input[idx], &clSuites.suiteSz); - idx += OPAQUE16_LEN; - - if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ) - return BUFFER_ERROR; - clSuites.hashSigAlgoSz = 0; - - /* session size */ - ato16(&input[idx], &sessionSz); - idx += OPAQUE16_LEN; - - if (sessionSz > ID_LEN) - return BUFFER_ERROR; - - /* random size */ - ato16(&input[idx], &randomSz); - idx += OPAQUE16_LEN; - - if (randomSz > RAN_LEN) - return BUFFER_ERROR; - - /* suites */ - for (i = 0, j = 0; i < clSuites.suiteSz; i += 3) { - byte first = input[idx++]; - if (!first) { /* implicit: skip sslv2 type */ - XMEMCPY(&clSuites.suites[j], &input[idx], SUITE_LEN); - j += SUITE_LEN; - } - idx += SUITE_LEN; - } - clSuites.suiteSz = j; - - /* session id */ - if (sessionSz) { - XMEMCPY(ssl->arrays->sessionID, input + idx, sessionSz); - ssl->arrays->sessionIDSz = (byte)sessionSz; - idx += sessionSz; - ssl->options.resuming = 1; - } - - /* random */ - if (randomSz < RAN_LEN) - XMEMSET(ssl->arrays->clientRandom, 0, RAN_LEN - randomSz); - XMEMCPY(&ssl->arrays->clientRandom[RAN_LEN - randomSz], input + idx, - randomSz); - idx += randomSz; - - if (ssl->options.usingCompression) - ssl->options.usingCompression = 0; /* turn off */ - - ssl->options.clientState = CLIENT_HELLO_COMPLETE; - *inOutIdx = idx; - - ssl->options.haveSessionId = 1; - /* DoClientHello uses same resume code */ - if (ssl->options.resuming) { /* let's try */ - int ret = -1; - WOLFSSL_SESSION* session = GetSession(ssl, - ssl->arrays->masterSecret, 1); - #ifdef HAVE_SESSION_TICKET - if (ssl->options.useTicket == 1) { - session = &ssl->session; - } - #endif - - if (!session) { - WOLFSSL_MSG("Session lookup for resume failed"); - ssl->options.resuming = 0; - } else { - #ifdef HAVE_EXT_CACHE - wolfSSL_SESSION_free(session); - #endif - if (MatchSuite(ssl, &clSuites) < 0) { - WOLFSSL_MSG("Unsupported cipher suite, OldClientHello"); - return UNSUPPORTED_SUITE; - } - - ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom, - RAN_LEN); - if (ret != 0) - return ret; - - #ifdef NO_OLD_TLS - ret = DeriveTlsKeys(ssl); - #else - #ifndef NO_TLS - if (ssl->options.tls) - ret = DeriveTlsKeys(ssl); - #endif - if (!ssl->options.tls) - ret = DeriveKeys(ssl); - #endif - ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; - - return ret; - } - } - - return MatchSuite(ssl, &clSuites); - } - -#endif /* OLD_HELLO_ALLOWED */ - - - int DoClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - word32 helloSz) - { - byte b; - byte bogusID = 0; /* flag for a bogus session id */ - ProtocolVersion pv; - Suites clSuites; - word32 i = *inOutIdx; - word32 begin = i; -#ifdef WOLFSSL_DTLS - Hmac cookieHmac; - byte peerCookie[MAX_COOKIE_LEN]; - byte peerCookieSz = 0; - byte cookieType; - byte cookieSz = 0; - - XMEMSET(&cookieHmac, 0, sizeof(Hmac)); -#endif /* WOLFSSL_DTLS */ - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello"); - if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo); -#endif - - /* protocol version, random and session id length check */ - if ((i - begin) + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz) - return BUFFER_ERROR; - - /* protocol version */ - XMEMCPY(&pv, input + i, OPAQUE16_LEN); - ssl->chVersion = pv; /* store */ -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - int ret; - #if defined(NO_SHA) && defined(NO_SHA256) - #error "DTLS needs either SHA or SHA-256" - #endif /* NO_SHA && NO_SHA256 */ - - #if !defined(NO_SHA) && defined(NO_SHA256) - cookieType = SHA; - cookieSz = SHA_DIGEST_SIZE; - #endif /* NO_SHA */ - #ifndef NO_SHA256 - cookieType = SHA256; - cookieSz = SHA256_DIGEST_SIZE; - #endif /* NO_SHA256 */ - ret = wc_HmacSetKey(&cookieHmac, cookieType, - ssl->buffers.dtlsCookieSecret.buffer, - ssl->buffers.dtlsCookieSecret.length); - if (ret != 0) return ret; - ret = wc_HmacUpdate(&cookieHmac, - (const byte*)ssl->buffers.dtlsCtx.peer.sa, - ssl->buffers.dtlsCtx.peer.sz); - if (ret != 0) return ret; - ret = wc_HmacUpdate(&cookieHmac, input + i, OPAQUE16_LEN); - if (ret != 0) return ret; - } -#endif /* WOLFSSL_DTLS */ - i += OPAQUE16_LEN; - - if ((!ssl->options.dtls && ssl->version.minor > pv.minor) || - (ssl->options.dtls && ssl->version.minor != DTLS_MINOR - && ssl->version.minor != DTLSv1_2_MINOR && pv.minor != DTLS_MINOR - && pv.minor != DTLSv1_2_MINOR)) { - - word16 haveRSA = 0; - word16 havePSK = 0; - - if (!ssl->options.downgrade) { - WOLFSSL_MSG("Client trying to connect with lesser version"); - return VERSION_ERROR; - } - if (pv.minor < ssl->options.minDowngrade) { - WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); - return VERSION_ERROR; - } - - if (pv.minor == SSLv3_MINOR) { - /* turn off tls */ - WOLFSSL_MSG("\tdowngrading to SSLv3"); - ssl->options.tls = 0; - ssl->options.tls1_1 = 0; - ssl->version.minor = SSLv3_MINOR; - } - else if (pv.minor == TLSv1_MINOR) { - /* turn off tls 1.1+ */ - WOLFSSL_MSG("\tdowngrading to TLSv1"); - ssl->options.tls1_1 = 0; - ssl->version.minor = TLSv1_MINOR; - } - else if (pv.minor == TLSv1_1_MINOR) { - WOLFSSL_MSG("\tdowngrading to TLSv1.1"); - ssl->version.minor = TLSv1_1_MINOR; - } - else if (pv.minor == TLSv1_2_MINOR) { - WOLFSSL_MSG(" downgrading to TLSv1.2"); - ssl->version.minor = TLSv1_2_MINOR; - } -#ifndef NO_RSA - haveRSA = 1; -#endif -#ifndef NO_PSK - havePSK = ssl->options.havePSK; -#endif - InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); - } - - /* random */ - XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN); -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - int ret = wc_HmacUpdate(&cookieHmac, input + i, RAN_LEN); - if (ret != 0) return ret; - } -#endif /* WOLFSSL_DTLS */ - i += RAN_LEN; - -#ifdef SHOW_SECRETS - { - int j; - printf("client random: "); - for (j = 0; j < RAN_LEN; j++) - printf("%02x", ssl->arrays->clientRandom[j]); - printf("\n"); - } -#endif - - /* session id */ - b = input[i++]; - -#ifdef HAVE_SESSION_TICKET - if (b > 0 && b < ID_LEN) { - bogusID = 1; - WOLFSSL_MSG("Client sent bogus session id, let's allow for echo"); - } -#endif - - if (b == ID_LEN || bogusID) { - if ((i - begin) + b > helloSz) - return BUFFER_ERROR; - - XMEMCPY(ssl->arrays->sessionID, input + i, b); -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - int ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1); - if (ret != 0) return ret; - } -#endif /* WOLFSSL_DTLS */ - ssl->arrays->sessionIDSz = b; - i += b; - ssl->options.resuming = 1; /* client wants to resume */ - WOLFSSL_MSG("Client wants to resume session"); - } - else if (b) { - WOLFSSL_MSG("Invalid session ID size"); - return BUFFER_ERROR; /* session ID nor 0 neither 32 bytes long */ - } - - #ifdef WOLFSSL_DTLS - /* cookie */ - if (ssl->options.dtls) { - - if ((i - begin) + OPAQUE8_LEN > helloSz) - return BUFFER_ERROR; - - peerCookieSz = input[i++]; - - if (peerCookieSz) { - if (peerCookieSz > MAX_COOKIE_LEN) - return BUFFER_ERROR; - - if ((i - begin) + peerCookieSz > helloSz) - return BUFFER_ERROR; - - XMEMCPY(peerCookie, input + i, peerCookieSz); - - i += peerCookieSz; - } - } - #endif - - /* suites */ - if ((i - begin) + OPAQUE16_LEN > helloSz) - return BUFFER_ERROR; - - ato16(&input[i], &clSuites.suiteSz); - i += OPAQUE16_LEN; - - /* suites and compression length check */ - if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz) - return BUFFER_ERROR; - - if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ) - return BUFFER_ERROR; - - XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz); - -#ifdef HAVE_SERVER_RENEGOTIATION_INFO - /* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */ - if (FindSuite(&clSuites, 0, TLS_EMPTY_RENEGOTIATION_INFO_SCSV) >= 0) { - int ret = 0; - - ret = TLSX_AddEmptyRenegotiationInfo(&ssl->extensions, ssl->heap); - if (ret != SSL_SUCCESS) - return ret; - } -#endif /* HAVE_SERVER_RENEGOTIATION_INFO */ - -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - int ret = wc_HmacUpdate(&cookieHmac, - input + i - OPAQUE16_LEN, - clSuites.suiteSz + OPAQUE16_LEN); - if (ret != 0) return ret; - } -#endif /* WOLFSSL_DTLS */ - i += clSuites.suiteSz; - clSuites.hashSigAlgoSz = 0; - - /* compression length */ - b = input[i++]; - - if ((i - begin) + b > helloSz) - return BUFFER_ERROR; - - if (b == 0) { - WOLFSSL_MSG("No compression types in list"); - return COMPRESSION_ERROR; - } - -#ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - byte newCookie[MAX_COOKIE_LEN]; - int ret; - - ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1); - if (ret != 0) return ret; - ret = wc_HmacFinal(&cookieHmac, newCookie); - if (ret != 0) return ret; - - /* If a cookie callback is set, call it to overwrite the cookie. - * This should be deprecated. The code now calculates the cookie - * using an HMAC as expected. */ - if (ssl->ctx->CBIOCookie != NULL && - ssl->ctx->CBIOCookie(ssl, newCookie, cookieSz, - ssl->IOCB_CookieCtx) != cookieSz) { - return COOKIE_ERROR; - } - - /* Check the cookie, see if we progress the state machine. */ - if (peerCookieSz != cookieSz || - XMEMCMP(peerCookie, newCookie, cookieSz) != 0) { - - /* Send newCookie to client in a HelloVerifyRequest message - * and let the state machine alone. */ - ssl->msgsReceived.got_client_hello = 0; - ssl->keys.dtls_handshake_number = 0; - ssl->keys.dtls_expected_peer_handshake_number = 0; - *inOutIdx += helloSz; - return SendHelloVerifyRequest(ssl, newCookie, cookieSz); - } - - /* This was skipped in the DTLS case so we could handle the hello - * verify request. */ - ret = HashInput(ssl, input + *inOutIdx, helloSz); - if (ret != 0) return ret; - } -#endif /* WOLFSSL_DTLS */ - - { - /* copmression match types */ - int matchNo = 0; - int matchZlib = 0; - - while (b--) { - byte comp = input[i++]; - - if (comp == NO_COMPRESSION) { - matchNo = 1; - } - if (comp == ZLIB_COMPRESSION) { - matchZlib = 1; - } - } - - if (ssl->options.usingCompression == 0 && matchNo) { - WOLFSSL_MSG("Matched No Compression"); - } else if (ssl->options.usingCompression && matchZlib) { - WOLFSSL_MSG("Matched zlib Compression"); - } else if (ssl->options.usingCompression && matchNo) { - WOLFSSL_MSG("Could only match no compression, turning off"); - ssl->options.usingCompression = 0; /* turn off */ - } else { - WOLFSSL_MSG("Could not match compression"); - return COMPRESSION_ERROR; - } - } - - *inOutIdx = i; - - /* tls extensions */ - if ((i - begin) < helloSz) { -#ifdef HAVE_TLS_EXTENSIONS - #ifdef HAVE_QSH - QSH_Init(ssl); - #endif - if (TLSX_SupportExtensions(ssl)) { - int ret = 0; -#else - if (IsAtLeastTLSv1_2(ssl)) { -#endif - /* Process the hello extension. Skip unsupported. */ - word16 totalExtSz; - -#ifdef HAVE_TLS_EXTENSIONS - /* auto populate extensions supported unless user defined */ - if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0) - return ret; -#endif - - if ((i - begin) + OPAQUE16_LEN > helloSz) - return BUFFER_ERROR; - - ato16(&input[i], &totalExtSz); - i += OPAQUE16_LEN; - - if ((i - begin) + totalExtSz > helloSz) - return BUFFER_ERROR; - -#ifdef HAVE_TLS_EXTENSIONS - /* tls extensions */ - if ((ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz, - client_hello, &clSuites))) - return ret; -#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - if((ret=SNI_Callback(ssl))) - return ret; - ssl->options.side = WOLFSSL_SERVER_END; -#endif /*HAVE_STUNNEL*/ - - i += totalExtSz; -#else - while (totalExtSz) { - word16 extId, extSz; - - if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz) - return BUFFER_ERROR; - - ato16(&input[i], &extId); - i += OPAQUE16_LEN; - ato16(&input[i], &extSz); - i += OPAQUE16_LEN; - - if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz) - return BUFFER_ERROR; - - if (extId == HELLO_EXT_SIG_ALGO) { - ato16(&input[i], &clSuites.hashSigAlgoSz); - i += OPAQUE16_LEN; - - if (OPAQUE16_LEN + clSuites.hashSigAlgoSz > extSz) - return BUFFER_ERROR; - - XMEMCPY(clSuites.hashSigAlgo, &input[i], - min(clSuites.hashSigAlgoSz, HELLO_EXT_SIGALGO_MAX)); - i += clSuites.hashSigAlgoSz; - - if (clSuites.hashSigAlgoSz > HELLO_EXT_SIGALGO_MAX) - clSuites.hashSigAlgoSz = HELLO_EXT_SIGALGO_MAX; - } -#ifdef HAVE_EXTENDED_MASTER - else if (extId == HELLO_EXT_EXTMS) - ssl->options.haveEMS = 1; -#endif - else - i += extSz; - - totalExtSz -= OPAQUE16_LEN + OPAQUE16_LEN + extSz; - } -#endif - *inOutIdx = i; - } - else - *inOutIdx = begin + helloSz; /* skip extensions */ - } - - ssl->options.clientState = CLIENT_HELLO_COMPLETE; - ssl->options.haveSessionId = 1; - - /* ProcessOld uses same resume code */ - if (ssl->options.resuming) { - int ret = -1; - WOLFSSL_SESSION* session = GetSession(ssl, - ssl->arrays->masterSecret, 1); - #ifdef HAVE_SESSION_TICKET - if (ssl->options.useTicket == 1) { - session = &ssl->session; - } else if (bogusID == 1 && ssl->options.rejectTicket == 0) { - WOLFSSL_MSG("Bogus session ID without session ticket"); - return BUFFER_ERROR; - } - #endif - - if (!session) { - WOLFSSL_MSG("Session lookup for resume failed"); - ssl->options.resuming = 0; - } - else if (session->haveEMS != ssl->options.haveEMS) { - /* RFC 7627, 5.3, server-side */ - /* if old sess didn't have EMS, but new does, full handshake */ - if (!session->haveEMS && ssl->options.haveEMS) { - WOLFSSL_MSG("Attempting to resume a session that didn't " - "use EMS with a new session with EMS. Do full " - "handshake."); - ssl->options.resuming = 0; - } - /* if old sess used EMS, but new doesn't, MUST abort */ - else if (session->haveEMS && !ssl->options.haveEMS) { - WOLFSSL_MSG("Trying to resume a session with EMS without " - "using EMS"); - return EXT_MASTER_SECRET_NEEDED_E; - } -#ifdef HAVE_EXT_CACHE - wolfSSL_SESSION_free(session); -#endif - } - else { -#ifdef HAVE_EXT_CACHE - wolfSSL_SESSION_free(session); -#endif - if (MatchSuite(ssl, &clSuites) < 0) { - WOLFSSL_MSG("Unsupported cipher suite, ClientHello"); - return UNSUPPORTED_SUITE; - } - - ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom, - RAN_LEN); - if (ret != 0) - return ret; - - #ifdef NO_OLD_TLS - ret = DeriveTlsKeys(ssl); - #else - #ifndef NO_TLS - if (ssl->options.tls) - ret = DeriveTlsKeys(ssl); - #endif - if (!ssl->options.tls) - ret = DeriveKeys(ssl); - #endif - ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; - - return ret; - } - } - return MatchSuite(ssl, &clSuites); - } - - -#if !defined(NO_RSA) || defined(HAVE_ECC) - - typedef struct DcvArgs { - byte* output; /* not allocated */ - word32 sendSz; - word16 sz; - word32 sigSz; - word32 idx; - word32 begin; - byte hashAlgo; - byte sigAlgo; - } DcvArgs; - - static void FreeDcvArgs(WOLFSSL* ssl, void* pArgs) - { - DcvArgs* args = (DcvArgs*)pArgs; - - (void)ssl; - (void)args; - } - - static int DoCertificateVerify(WOLFSSL* ssl, byte* input, - word32* inOutIdx, word32 size) - { - int ret = 0; - #ifdef WOLFSSL_ASYNC_CRYPT - DcvArgs* args = (DcvArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); - #else - DcvArgs args[1]; - #endif - - WOLFSSL_ENTER("DoCertificateVerify"); - - #ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_dcv; - } - else - #endif - { - /* Reset state */ - ret = 0; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - XMEMSET(args, 0, sizeof(DcvArgs)); - args->hashAlgo = sha_mac; - args->sigAlgo = anonymous_sa_algo; - args->idx = *inOutIdx; - args->begin = *inOutIdx; - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeDcvArgs; - #endif - } - - switch(ssl->options.asyncState) - { - case TLS_ASYNC_BEGIN: - { - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "CertificateVerify"); - if (ssl->toInfoOn) - AddLateName("CertificateVerify", &ssl->timeoutInfo); - #endif - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_BUILD; - } /* case TLS_ASYNC_BEGIN */ - FALL_THROUGH; - - case TLS_ASYNC_BUILD: - { - if (IsAtLeastTLSv1_2(ssl)) { - if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcv); - } - - DecodeSigAlg(&input[args->idx], &args->hashAlgo, - &args->sigAlgo); - args->idx += 2; - } - #ifndef NO_RSA - else if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) - args->sigAlgo = rsa_sa_algo; - #endif - #ifdef HAVE_ECC - else if (ssl->peerEccDsaKeyPresent) - args->sigAlgo = ecc_dsa_sa_algo; - #endif - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcv); - } - - ato16(input + args->idx, &args->sz); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + args->sz > size || - args->sz > ENCRYPT_LEN) { - ERROR_OUT(BUFFER_ERROR, exit_dcv); - } - - #ifdef HAVE_ECC - if (ssl->peerEccDsaKeyPresent) { - - WOLFSSL_MSG("Doing ECC peer cert verify"); - - /* make sure a default is defined */ - #if !defined(NO_SHA) - SetDigest(ssl, sha_mac); - #elif !defined(NO_SHA256) - SetDigest(ssl, sha256_mac); - #elif defined(WOLFSSL_SHA384) - SetDigest(ssl, sha384_mac); - #elif defined(WOLFSSL_SHA512) - SetDigest(ssl, sha512_mac); - #else - #error No digest enabled for ECC sig verify - #endif - - if (IsAtLeastTLSv1_2(ssl)) { - if (args->sigAlgo != ecc_dsa_sa_algo) { - WOLFSSL_MSG("Oops, peer sent ECC key but not in verify"); - } - - SetDigest(ssl, args->hashAlgo); - } - } - #endif /* HAVE_ECC */ - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_DO; - } /* case TLS_ASYNC_BUILD */ - FALL_THROUGH; - - case TLS_ASYNC_DO: - { - #ifndef NO_RSA - if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) { - WOLFSSL_MSG("Doing RSA peer cert verify"); - - ret = RsaVerify(ssl, - input + args->idx, - args->sz, - &args->output, - args->sigAlgo, args->hashAlgo, - ssl->peerRsaKey, - #ifdef HAVE_PK_CALLBACKS - ssl->buffers.peerRsaKey.buffer, - ssl->buffers.peerRsaKey.length, - ssl->RsaVerifyCtx - #else - NULL, 0, NULL - #endif - ); - if (ret >= 0) { - if (args->sigAlgo == rsa_sa_algo) - args->sendSz = ret; - else { - args->sigSz = ret; - args->sendSz = ssl->buffers.digest.length; - } - ret = 0; - } - } - #endif /* !NO_RSA */ - #ifdef HAVE_ECC - if (ssl->peerEccDsaKeyPresent) { - WOLFSSL_MSG("Doing ECC peer cert verify"); - - ret = EccVerify(ssl, - input + args->idx, args->sz, - ssl->buffers.digest.buffer, ssl->buffers.digest.length, - ssl->peerEccDsaKey, - #ifdef HAVE_PK_CALLBACKS - ssl->buffers.peerEccDsaKey.buffer, - ssl->buffers.peerEccDsaKey.length, - ssl->EccVerifyCtx - #else - NULL, 0, NULL - #endif - ); - } - #endif /* HAVE_ECC */ - - /* Check for error */ - if (ret != 0) { - goto exit_dcv; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_VERIFY; - } /* case TLS_ASYNC_DO */ - FALL_THROUGH; - - case TLS_ASYNC_VERIFY: - { - #ifndef NO_RSA - if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) { - if (IsAtLeastTLSv1_2(ssl)) { - #ifdef WC_RSA_PSS - if (args->sigAlgo == rsa_pss_sa_algo) { - SetDigest(ssl, args->hashAlgo); - - ret = wc_RsaPSS_CheckPadding( - ssl->buffers.digest.buffer, - ssl->buffers.digest.length, - args->output, args->sigSz, - HashType(args->hashAlgo)); - if (ret != 0) - return ret; - } - else - #endif - { - #ifdef WOLFSSL_SMALL_STACK - byte* encodedSig = NULL; - #else - byte encodedSig[MAX_ENCODED_SIG_SZ]; - #endif - - #ifdef WOLFSSL_SMALL_STACK - encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, - ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (encodedSig == NULL) { - ERROR_OUT(MEMORY_E, exit_dcv); - } - #endif - - if (args->sigAlgo != rsa_sa_algo) { - WOLFSSL_MSG("Oops, peer sent RSA key but not in verify"); - } - - SetDigest(ssl, args->hashAlgo); - - args->sigSz = wc_EncodeSignature(encodedSig, - ssl->buffers.digest.buffer, - ssl->buffers.digest.length, - TypeHash(args->hashAlgo)); - - if (args->sendSz != args->sigSz || !args->output || - XMEMCMP(args->output, encodedSig, - min(args->sigSz, MAX_ENCODED_SIG_SZ)) != 0) { - ret = VERIFY_CERT_ERROR; - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(encodedSig, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - } - } - else { - if (args->sendSz != FINISHED_SZ || !args->output || - XMEMCMP(args->output, - &ssl->hsHashes->certHashes, FINISHED_SZ) != 0) { - ret = VERIFY_CERT_ERROR; - } - } - } - #endif /* !NO_RSA */ - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_FINALIZE; - } /* case TLS_ASYNC_VERIFY */ - FALL_THROUGH; - - case TLS_ASYNC_FINALIZE: - { - ssl->options.havePeerVerify = 1; - - /* Set final index */ - args->idx += args->sz; - *inOutIdx = args->idx; - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_END; - } /* case TLS_ASYNC_FINALIZE */ - - case TLS_ASYNC_END: - { - break; - } - default: - ret = INPUT_CASE_ERROR; - } /* switch(ssl->options.asyncState) */ - - exit_dcv: - - WOLFSSL_LEAVE("DoCertificateVerify", ret); - - #ifdef WOLFSSL_ASYNC_CRYPT - /* Handle async operation */ - if (ret == WC_PENDING_E) { - /* Mark message as not recevied so it can process again */ - ssl->msgsReceived.got_certificate_verify = 0; - - return ret; - } - #endif /* WOLFSSL_ASYNC_CRYPT */ - - /* Digest is not allocated, so do this to prevent free */ - ssl->buffers.digest.buffer = NULL; - ssl->buffers.digest.length = 0; - - /* Final cleanup */ - FreeDcvArgs(ssl, args); - FreeKeyExchange(ssl); - - return ret; - } - -#endif /* !NO_RSA || HAVE_ECC */ - - int SendServerHelloDone(WOLFSSL* ssl) - { - byte* output; - int sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - int ret; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - #endif - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(output, 0, server_hello_done, ssl); - - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) - return 0; - } - - if (ssl->options.dtls) - DtlsSEQIncrement(ssl, CUR_ORDER); - #endif - - ret = HashOutput(ssl, output, sendSz, 0); - if (ret != 0) - return ret; - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "ServerHelloDone"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "ServerHelloDone", handshake, output, sendSz, - WRITE_PROTO, ssl->heap); - #endif - ssl->options.serverState = SERVER_HELLODONE_COMPLETE; - - ssl->buffers.outputBuffer.length += sendSz; - - return SendBuffered(ssl); - } - - -#ifdef HAVE_SESSION_TICKET - -#define WOLFSSL_TICKET_FIXED_SZ (WOLFSSL_TICKET_NAME_SZ + \ - WOLFSSL_TICKET_IV_SZ + WOLFSSL_TICKET_MAC_SZ + LENGTH_SZ) -#define WOLFSSL_TICKET_ENC_SZ (SESSION_TICKET_LEN - WOLFSSL_TICKET_FIXED_SZ) - - /* our ticket format */ - typedef struct InternalTicket { - ProtocolVersion pv; /* version when ticket created */ - byte suite[SUITE_LEN]; /* cipher suite when created */ - byte msecret[SECRET_LEN]; /* master secret */ - word32 timestamp; /* born on */ - word16 haveEMS; /* have extended master secret */ -#ifdef WOLFSSL_TLS13 - word32 ageAdd; /* Obfuscation of age */ - byte namedGroup; /* Named group used */ -#endif - } InternalTicket; - - /* fit within SESSION_TICKET_LEN */ - typedef struct ExternalTicket { - byte key_name[WOLFSSL_TICKET_NAME_SZ]; /* key context name */ - byte iv[WOLFSSL_TICKET_IV_SZ]; /* this ticket's iv */ - byte enc_len[LENGTH_SZ]; /* encrypted length */ - byte enc_ticket[WOLFSSL_TICKET_ENC_SZ]; /* encrypted internal ticket */ - byte mac[WOLFSSL_TICKET_MAC_SZ]; /* total mac */ - /* !! if add to structure, add to TICKET_FIXED_SZ !! */ - } ExternalTicket; - - /* create a new session ticket, 0 on success */ - int CreateTicket(WOLFSSL* ssl) - { - InternalTicket it; - ExternalTicket* et = (ExternalTicket*)ssl->session.ticket; - int encLen; - int ret; - byte zeros[WOLFSSL_TICKET_MAC_SZ]; /* biggest cmp size */ - - XMEMSET(&it, 0, sizeof(it)); - - /* build internal */ - it.pv.major = ssl->version.major; - it.pv.minor = ssl->version.minor; - - it.suite[0] = ssl->options.cipherSuite0; - it.suite[1] = ssl->options.cipherSuite; - - if (!ssl->options.tls1_3) { - XMEMCPY(it.msecret, ssl->arrays->masterSecret, SECRET_LEN); - c32toa(LowResTimer(), (byte*)&it.timestamp); - it.haveEMS = ssl->options.haveEMS; - } - else { -#ifdef WOLFSSL_TLS13 - /* Client adds to ticket age to obfuscate. */ - ret = wc_RNG_GenerateBlock(ssl->rng, (byte*)&it.ageAdd, - sizeof(it.ageAdd)); - if (ret != 0) - return BAD_TICKET_ENCRYPT; - ssl->session.ticketAdd = it.ageAdd; - it.namedGroup = ssl->session.namedGroup; - it.timestamp = TimeNowInMilliseconds(); - /* Resumption master secret. */ - XMEMCPY(it.msecret, ssl->session.masterSecret, SECRET_LEN); -#endif - } - - /* build external */ - XMEMCPY(et->enc_ticket, &it, sizeof(InternalTicket)); - - /* encrypt */ - encLen = WOLFSSL_TICKET_ENC_SZ; /* max size user can use */ - ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, et->mac, 1, - et->enc_ticket, sizeof(InternalTicket), - &encLen, ssl->ctx->ticketEncCtx); - if (ret == WOLFSSL_TICKET_RET_OK) { - if (encLen < (int)sizeof(InternalTicket) || - encLen > WOLFSSL_TICKET_ENC_SZ) { - WOLFSSL_MSG("Bad user ticket encrypt size"); - return BAD_TICKET_KEY_CB_SZ; - } - - /* sanity checks on encrypt callback */ - - /* internal ticket can't be the same if encrypted */ - if (XMEMCMP(et->enc_ticket, &it, sizeof(InternalTicket)) == 0) { - WOLFSSL_MSG("User ticket encrypt didn't encrypt"); - return BAD_TICKET_ENCRYPT; - } - - XMEMSET(zeros, 0, sizeof(zeros)); - - /* name */ - if (XMEMCMP(et->key_name, zeros, WOLFSSL_TICKET_NAME_SZ) == 0) { - WOLFSSL_MSG("User ticket encrypt didn't set name"); - return BAD_TICKET_ENCRYPT; - } - - /* iv */ - if (XMEMCMP(et->iv, zeros, WOLFSSL_TICKET_IV_SZ) == 0) { - WOLFSSL_MSG("User ticket encrypt didn't set iv"); - return BAD_TICKET_ENCRYPT; - } - - /* mac */ - if (XMEMCMP(et->mac, zeros, WOLFSSL_TICKET_MAC_SZ) == 0) { - WOLFSSL_MSG("User ticket encrypt didn't set mac"); - return BAD_TICKET_ENCRYPT; - } - - /* set size */ - c16toa((word16)encLen, et->enc_len); - ssl->session.ticketLen = (word16)(encLen + WOLFSSL_TICKET_FIXED_SZ); - if (encLen < WOLFSSL_TICKET_ENC_SZ) { - /* move mac up since whole enc buffer not used */ - XMEMMOVE(et->enc_ticket +encLen, et->mac,WOLFSSL_TICKET_MAC_SZ); - } - } - - return ret; - } - - - /* Parse ticket sent by client, returns callback return value */ - int DoClientTicket(WOLFSSL* ssl, const byte* input, word32 len) - { - ExternalTicket* et; - InternalTicket* it; - int ret; - int outLen; - word16 inLen; - - if (len > SESSION_TICKET_LEN || - len < (word32)(sizeof(InternalTicket) + WOLFSSL_TICKET_FIXED_SZ)) { - return BAD_TICKET_MSG_SZ; - } - - et = (ExternalTicket*)input; - it = (InternalTicket*)et->enc_ticket; - - /* decrypt */ - ato16(et->enc_len, &inLen); - if (inLen > (word16)(len - WOLFSSL_TICKET_FIXED_SZ)) { - return BAD_TICKET_MSG_SZ; - } - outLen = inLen; /* may be reduced by user padding */ - ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, - et->enc_ticket + inLen, 0, - et->enc_ticket, inLen, &outLen, - ssl->ctx->ticketEncCtx); - if (ret == WOLFSSL_TICKET_RET_FATAL || ret < 0) return ret; - if (outLen > inLen || outLen < (int)sizeof(InternalTicket)) { - WOLFSSL_MSG("Bad user ticket decrypt len"); - return BAD_TICKET_KEY_CB_SZ; - } - - /* get master secret */ - if (ret == WOLFSSL_TICKET_RET_OK || ret == WOLFSSL_TICKET_RET_CREATE) { - if (!IsAtLeastTLSv1_3(ssl->version)) { - XMEMCPY(ssl->arrays->masterSecret, it->msecret, SECRET_LEN); - /* Copy the haveExtendedMasterSecret property from the ticket to - * the saved session, so the property may be checked later. */ - ssl->session.haveEMS = it->haveEMS; - } - else { -#ifdef WOLFSSL_TLS13 - /* Restore information to renegotiate. */ - ssl->session.ticketSeen = it->timestamp; - ssl->session.ticketAdd = it->ageAdd; - ssl->session.cipherSuite0 = it->suite[0]; - ssl->session.cipherSuite = it->suite[1]; - /* Resumption master secret. */ - XMEMCPY(ssl->session.masterSecret, it->msecret, SECRET_LEN); - ssl->session.namedGroup = it->namedGroup; -#endif - } - } - - return ret; - } - - - /* send Session Ticket */ - int SendTicket(WOLFSSL* ssl) - { - byte* output; - int ret; - int sendSz; - word32 length = SESSION_HINT_SZ + LENGTH_SZ; - word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - - if (ssl->options.createTicket) { - ret = CreateTicket(ssl); - if (ret != 0) return ret; - } - - length += ssl->session.ticketLen; - sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - AddHeaders(output, length, session_ticket, ssl); - - /* hint */ - c32toa(ssl->ctx->ticketHint, output + idx); - idx += SESSION_HINT_SZ; - - /* length */ - c16toa(ssl->session.ticketLen, output + idx); - idx += LENGTH_SZ; - - /* ticket */ - XMEMCPY(output + idx, ssl->session.ticket, ssl->session.ticketLen); - /* idx += ssl->session.ticketLen; */ - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0) - return ret; - - DtlsSEQIncrement(ssl, CUR_ORDER); - } - #endif - - ret = HashOutput(ssl, output, sendSz, 0); - if (ret != 0) return ret; - ssl->buffers.outputBuffer.length += sendSz; - - return SendBuffered(ssl); - } - -#endif /* HAVE_SESSION_TICKET */ - - -#ifdef WOLFSSL_DTLS - static int SendHelloVerifyRequest(WOLFSSL* ssl, - const byte* cookie, byte cookieSz) - { - byte* output; - int length = VERSION_SZ + ENUM_LEN + cookieSz; - int idx = DTLS_RECORD_HEADER_SZ + DTLS_HANDSHAKE_HEADER_SZ; - int sendSz = length + idx; - int ret; - - /* check for available size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; - - /* get output buffer */ - output = ssl->buffers.outputBuffer.buffer + - ssl->buffers.outputBuffer.length; - - /* Hello Verify Request should use the same sequence number as the - * Client Hello. */ - ssl->keys.dtls_sequence_number_hi = ssl->keys.curSeq_hi; - ssl->keys.dtls_sequence_number_lo = ssl->keys.curSeq_lo; - AddHeaders(output, length, hello_verify_request, ssl); - -#ifdef OPENSSL_EXTRA - output[idx++] = DTLS_MAJOR; - output[idx++] = DTLS_MINOR; -#else - output[idx++] = ssl->version.major; - output[idx++] = ssl->version.minor; -#endif - - output[idx++] = cookieSz; - if (cookie == NULL || cookieSz == 0) - return COOKIE_ERROR; - - XMEMCPY(output + idx, cookie, cookieSz); - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) - AddPacketName(ssl, "HelloVerifyRequest"); - if (ssl->toInfoOn) - AddPacketInfo(ssl, "HelloVerifyRequest", handshake, output, - sendSz, WRITE_PROTO, ssl->heap); -#endif - - ssl->buffers.outputBuffer.length += sendSz; - - return SendBuffered(ssl); - } -#endif /* WOLFSSL_DTLS */ - - typedef struct DckeArgs { - byte* output; /* not allocated */ - word32 length; - word32 idx; - word32 begin; - word32 sigSz; - } DckeArgs; - - static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs) - { - DckeArgs* args = (DckeArgs*)pArgs; - - (void)ssl; - (void)args; - } - - static int DoClientKeyExchange(WOLFSSL* ssl, byte* input, word32* inOutIdx, - word32 size) - { - int ret; - #ifdef WOLFSSL_ASYNC_CRYPT - DckeArgs* args = (DckeArgs*)ssl->async.args; - typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; - (void)sizeof(args_test); - #else - DckeArgs args[1]; - #endif - - WOLFSSL_ENTER("DoClientKeyExchange"); - - #ifdef WOLFSSL_ASYNC_CRYPT - ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); - if (ret != WC_NOT_PENDING_E) { - /* Check for error */ - if (ret < 0) - goto exit_dcke; - } - else - #endif /* WOLFSSL_ASYNC_CRYPT */ - { - /* Reset state */ - ret = 0; - ssl->options.asyncState = TLS_ASYNC_BEGIN; - XMEMSET(args, 0, sizeof(DckeArgs)); - args->idx = *inOutIdx; - args->begin = *inOutIdx; - #ifdef WOLFSSL_ASYNC_CRYPT - ssl->async.freeArgs = FreeDckeArgs; - #endif - } - - /* Do Client Key Exchange State Machine */ - switch(ssl->options.asyncState) - { - case TLS_ASYNC_BEGIN: - { - /* Sanity checks */ - if (ssl->options.side != WOLFSSL_SERVER_END) { - WOLFSSL_MSG("Client received client keyexchange, attack?"); - WOLFSSL_ERROR(ssl->error = SIDE_ERROR); - ERROR_OUT(SSL_FATAL_ERROR, exit_dcke); - } - - if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { - WOLFSSL_MSG("Client sending keyexchange at wrong time"); - SendAlert(ssl, alert_fatal, unexpected_message); - ERROR_OUT(OUT_OF_ORDER_E, exit_dcke); - } - - #ifndef NO_CERTS - if (ssl->options.verifyPeer && ssl->options.failNoCert) { - if (!ssl->options.havePeerCert) { - WOLFSSL_MSG("client didn't present peer cert"); - ERROR_OUT(NO_PEER_CERT, exit_dcke); - } - } - - if (ssl->options.verifyPeer && ssl->options.failNoCertxPSK) { - if (!ssl->options.havePeerCert && - !ssl->options.usingPSK_cipher) { - WOLFSSL_MSG("client didn't present peer cert"); - return NO_PEER_CERT; - } - } - #endif /* !NO_CERTS */ - - #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - if (ssl->hsInfoOn) { - AddPacketName(ssl, "ClientKeyExchange"); - } - if (ssl->toInfoOn) { - AddLateName("ClientKeyExchange", &ssl->timeoutInfo); - } - #endif - - switch (ssl->specs.kea) { - #ifndef NO_RSA - case rsa_kea: - { - /* make sure private key exists */ - if (ssl->buffers.key == NULL || - ssl->buffers.key->buffer == NULL) { - ERROR_OUT(NO_PRIVATE_KEY, exit_dcke); - } - break; - } /* rsa_kea */ - #endif /* !NO_RSA */ - #ifndef NO_PSK - case psk_kea: - { - /* sanity check that PSK server callback has been set */ - if (ssl->options.server_psk_cb == NULL) { - WOLFSSL_MSG("No server PSK callback set"); - ERROR_OUT(PSK_KEY_ERROR, exit_dcke); - } - break; - } - #endif /* !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - /* make sure private key exists */ - if (ssl->buffers.key == NULL || - ssl->buffers.key->buffer == NULL) { - ERROR_OUT(NO_PRIVATE_KEY, exit_dcke); - } - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - break; - } - #endif /* HAVE_ECC */ - #ifndef NO_DH - case diffie_hellman_kea: - { - break; - } - #endif /* !NO_DH */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - /* sanity check that PSK server callback has been set */ - if (ssl->options.server_psk_cb == NULL) { - WOLFSSL_MSG("No server PSK callback set"); - ERROR_OUT(PSK_KEY_ERROR, exit_dcke); - } - break; - } - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - /* sanity check that PSK server callback has been set */ - if (ssl->options.server_psk_cb == NULL) { - WOLFSSL_MSG("No server PSK callback set"); - ERROR_OUT(PSK_KEY_ERROR, exit_dcke); - } - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - default: - WOLFSSL_MSG("Bad kea type"); - ret = BAD_KEA_TYPE_E; - } /* switch (ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dcke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_BUILD; - } /* TLS_ASYNC_BEGIN */ - FALL_THROUGH; - - case TLS_ASYNC_BUILD: - { - switch (ssl->specs.kea) { - #ifndef NO_RSA - case rsa_kea: - { - word32 i = 0; - int keySz; - - ssl->hsType = DYNAMIC_TYPE_RSA; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_dcke; - } - - ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, - &i, (RsaKey*)ssl->hsKey, ssl->buffers.key->length); - if (ret != 0) { - goto exit_dcke; - } - keySz = wc_RsaEncryptSize((RsaKey*)ssl->hsKey); - if (keySz < 0) { /* test if keySz has error */ - ERROR_OUT(keySz, exit_dcke); - } - args->length = (word32)keySz; - - if (keySz < ssl->options.minRsaKeySz) { - WOLFSSL_MSG("Peer RSA key is too small"); - ERROR_OUT(RSA_KEY_SIZE_E, exit_dcke); - } - ssl->arrays->preMasterSz = SECRET_LEN; - - if (ssl->options.tls) { - word16 check; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &check); - args->idx += OPAQUE16_LEN; - - if ((word32)check != args->length) { - WOLFSSL_MSG("RSA explicit size doesn't match"); - ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke); - } - } - - if ((args->idx - args->begin) + args->length > size) { - WOLFSSL_MSG("RSA message too big"); - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - args->output = NULL; - break; - } /* rsa_kea */ - #endif /* !NO_RSA */ - #ifndef NO_PSK - case psk_kea: - { - byte* pms = ssl->arrays->preMasterSecret; - word16 ci_sz; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &ci_sz); - args->idx += OPAQUE16_LEN; - - if (ci_sz > MAX_PSK_ID_LEN) { - ERROR_OUT(CLIENT_ID_ERROR, exit_dcke); - } - - if ((args->idx - args->begin) + ci_sz > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - XMEMCPY(ssl->arrays->client_identity, - input + args->idx, ci_sz); - args->idx += ci_sz; - - ssl->arrays->client_identity[ci_sz] = '\0'; /* null term */ - ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl, - ssl->arrays->client_identity, ssl->arrays->psk_key, - MAX_PSK_KEY_LEN); - - if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - ERROR_OUT(PSK_KEY_ERROR, exit_dcke); - } - - /* make psk pre master secret */ - /* length of key + length 0s + length of key + key */ - c16toa((word16) ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - - XMEMSET(pms, 0, ssl->arrays->psk_keySz); - pms += ssl->arrays->psk_keySz; - - c16toa((word16) ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - - XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz = - (ssl->arrays->psk_keySz * 2) + (OPAQUE16_LEN * 2); - break; - } - #endif /* !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - word16 cipherLen; - word16 plainLen = ENCRYPT_LEN; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &cipherLen); - args->idx += OPAQUE16_LEN; - - if (cipherLen > MAX_NTRU_ENCRYPT_SZ) { - ERROR_OUT(NTRU_KEY_ERROR, exit_dcke); - } - - if ((args->idx - args->begin) + cipherLen > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - if (NTRU_OK != ntru_crypto_ntru_decrypt( - (word16) ssl->buffers.key->length, - ssl->buffers.key->buffer, cipherLen, - input + args->idx, &plainLen, - ssl->arrays->preMasterSecret)) { - ERROR_OUT(NTRU_DECRYPT_ERROR, exit_dcke); - } - - if (plainLen != SECRET_LEN) { - ERROR_OUT(NTRU_DECRYPT_ERROR, exit_dcke); - } - - args->idx += cipherLen; - ssl->arrays->preMasterSz = plainLen; - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - ecc_key* private_key = ssl->eccTempKey; - - /* handle static private key */ - if (ssl->specs.static_ecdh && - ssl->ecdhCurveOID != ECC_X25519_OID) { - word32 i = 0; - - ssl->hsType = DYNAMIC_TYPE_ECC; - ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey); - if (ret != 0) { - goto exit_dcke; - } - - ret = wc_EccPrivateKeyDecode( - ssl->buffers.key->buffer, - &i, - (ecc_key*)ssl->hsKey, - ssl->buffers.key->length); - if (ret == 0) { - private_key = (ecc_key*)ssl->hsKey; - if (wc_ecc_size(private_key) < - ssl->options.minEccKeySz) { - WOLFSSL_MSG("ECC key too small"); - ERROR_OUT(ECC_KEY_SIZE_E, exit_dcke); - } - } - } - - /* import peer ECC key */ - if ((args->idx - args->begin) + OPAQUE8_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - args->length = input[args->idx++]; - - if ((args->idx - args->begin) + args->length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ssl->arrays->preMasterSz = ENCRYPT_LEN; - - #ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID == ECC_X25519_OID) { - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->X25519SharedSecretCb != NULL) { - break; - } - #endif - if (ssl->peerX25519Key == NULL) { - /* alloc/init on demand */ - ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519, - (void**)&ssl->peerX25519Key); - if (ret != 0) { - goto exit_dcke; - } - } else if (ssl->peerX25519KeyPresent) { - ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE25519, - ssl->peerX25519Key); - ssl->peerX25519KeyPresent = 0; - if (ret != 0) { - goto exit_dcke; - } - } - - if (wc_curve25519_import_public_ex( - input + args->idx, args->length, - ssl->peerX25519Key, - EC25519_LITTLE_ENDIAN)) { - ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke); - } - - ssl->peerX25519KeyPresent = 1; - - if (ret != 0) { - goto exit_dcke; - } - break; - } - #endif - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->EccSharedSecretCb != NULL) { - break; - } - #endif - - if (!ssl->specs.static_ecdh && - ssl->eccTempKeyPresent == 0) { - WOLFSSL_MSG("Ecc ephemeral key not made correctly"); - ERROR_OUT(ECC_MAKEKEY_ERROR, exit_dcke); - } - - if (ssl->peerEccKey == NULL) { - /* alloc/init on demand */ - ret = AllocKey(ssl, DYNAMIC_TYPE_ECC, - (void**)&ssl->peerEccKey); - if (ret != 0) { - goto exit_dcke; - } - } else if (ssl->peerEccKeyPresent) { - ret = ReuseKey(ssl, DYNAMIC_TYPE_ECC, - ssl->peerEccKey); - ssl->peerEccKeyPresent = 0; - if (ret != 0) { - goto exit_dcke; - } - } - - if (wc_ecc_import_x963_ex(input + args->idx, args->length, - ssl->peerEccKey, private_key->dp->id)) { - ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke); - } - - ssl->peerEccKeyPresent = 1; - - if (ret != 0) { - goto exit_dcke; - } - break; - } - #endif /* HAVE_ECC */ - #ifndef NO_DH - case diffie_hellman_kea: - { - word16 clientPubSz; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &clientPubSz); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + clientPubSz > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - args->sigSz = clientPubSz; - - ret = AllocKey(ssl, DYNAMIC_TYPE_DH, - (void**)&ssl->buffers.serverDH_Key); - if (ret != 0) { - goto exit_dcke; - } - - ret = wc_DhSetKey(ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); - break; - } - #endif /* !NO_DH */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - word16 clientSz; - - /* Read in the PSK hint */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &clientSz); - args->idx += OPAQUE16_LEN; - if (clientSz > MAX_PSK_ID_LEN) { - ERROR_OUT(CLIENT_ID_ERROR, exit_dcke); - } - - if ((args->idx - args->begin) + clientSz > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - XMEMCPY(ssl->arrays->client_identity, input + args->idx, - clientSz); - args->idx += clientSz; - ssl->arrays->client_identity[clientSz] = '\0'; /* null term */ - - /* Read in the DHE business */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &clientSz); - args->idx += OPAQUE16_LEN; - - if ((args->idx - args->begin) + clientSz > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - args->sigSz = clientSz; - - ret = AllocKey(ssl, DYNAMIC_TYPE_DH, - (void**)&ssl->buffers.serverDH_Key); - if (ret != 0) { - goto exit_dcke; - } - - ret = wc_DhSetKey(ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); - - break; - } - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - word16 clientSz; - - /* Read in the PSK hint */ - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &clientSz); - args->idx += OPAQUE16_LEN; - if (clientSz > MAX_PSK_ID_LEN) { - ERROR_OUT(CLIENT_ID_ERROR, exit_dcke); - } - if ((args->idx - args->begin) + clientSz > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - XMEMCPY(ssl->arrays->client_identity, - input + args->idx, clientSz); - args->idx += clientSz; - ssl->arrays->client_identity[clientSz] = '\0'; /* null term */ - - /* import peer ECC key */ - if ((args->idx - args->begin) + OPAQUE8_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - args->length = input[args->idx++]; - - if ((args->idx - args->begin) + args->length > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - args->sigSz = ENCRYPT_LEN - OPAQUE16_LEN; - - #ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID == ECC_X25519_OID) { - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->X25519SharedSecretCb != NULL) { - break; - } - #endif - - if (ssl->eccTempKeyPresent == 0) { - WOLFSSL_MSG( - "X25519 ephemeral key not made correctly"); - ERROR_OUT(ECC_MAKEKEY_ERROR, exit_dcke); - } - - if (ssl->peerX25519Key == NULL) { - /* alloc/init on demand */ - ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519, - (void**)&ssl->peerX25519Key); - if (ret != 0) { - goto exit_dcke; - } - } else if (ssl->peerX25519KeyPresent) { - ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE25519, - ssl->peerX25519Key); - ssl->peerX25519KeyPresent = 0; - if (ret != 0) { - goto exit_dcke; - } - } - - if (wc_curve25519_import_public_ex( - input + args->idx, args->length, - ssl->peerX25519Key, - EC25519_LITTLE_ENDIAN)) { - ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke); - } - - ssl->peerX25519KeyPresent = 1; - - break; - } - #endif - #ifdef HAVE_PK_CALLBACKS - /* if callback then use it for shared secret */ - if (ssl->ctx->EccSharedSecretCb != NULL) { - break; - } - #endif - - if (ssl->eccTempKeyPresent == 0) { - WOLFSSL_MSG("Ecc ephemeral key not made correctly"); - ERROR_OUT(ECC_MAKEKEY_ERROR, exit_dcke); - } - - if (ssl->peerEccKey == NULL) { - /* alloc/init on demand */ - ret = AllocKey(ssl, DYNAMIC_TYPE_ECC, - (void**)&ssl->peerEccKey); - if (ret != 0) { - goto exit_dcke; - } - } - else if (ssl->peerEccKeyPresent) { - ret = ReuseKey(ssl, DYNAMIC_TYPE_ECC, - ssl->peerEccKey); - ssl->peerEccKeyPresent = 0; - if (ret != 0) { - goto exit_dcke; - } - } - if (wc_ecc_import_x963_ex(input + args->idx, args->length, - ssl->peerEccKey, ssl->eccTempKey->dp->id)) { - ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke); - } - - ssl->peerEccKeyPresent = 1; - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - default: - ret = BAD_KEA_TYPE_E; - } /* switch (ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dcke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_DO; - } /* TLS_ASYNC_BUILD */ - FALL_THROUGH; - - case TLS_ASYNC_DO: - { - switch (ssl->specs.kea) { - #ifndef NO_RSA - case rsa_kea: - { - RsaKey* key = (RsaKey*)ssl->hsKey; - ret = RsaDec(ssl, - input + args->idx, - args->length, - &args->output, - &args->sigSz, - key, - #if defined(HAVE_PK_CALLBACKS) - ssl->buffers.key->buffer, - ssl->buffers.key->length, - ssl->RsaDecCtx - #else - NULL, 0, NULL - #endif - ); - break; - } /* rsa_kea */ - #endif /* !NO_RSA */ - #ifndef NO_PSK - case psk_kea: - { - break; - } - #endif /* !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - void* private_key = ssl->eccTempKey; - - #ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID == ECC_X25519_OID) { - ret = X25519SharedSecret(ssl, - (curve25519_key*)private_key, - ssl->peerX25519Key, - input + args->idx, &args->length, - ssl->arrays->preMasterSecret, - &ssl->arrays->preMasterSz, - WOLFSSL_SERVER_END, - #ifdef HAVE_PK_CALLBACKS - ssl->EccSharedSecretCtx - #else - NULL - #endif - ); - break; - } - #endif - if (ssl->specs.static_ecdh) { - private_key = ssl->hsKey; - } - - /* Generate shared secret */ - ret = EccSharedSecret(ssl, - (ecc_key*)private_key, ssl->peerEccKey, - input + args->idx, &args->length, - ssl->arrays->preMasterSecret, - &ssl->arrays->preMasterSz, - WOLFSSL_SERVER_END, - #ifdef HAVE_PK_CALLBACKS - ssl->EccSharedSecretCtx - #else - NULL - #endif - ); - break; - } - #endif /* HAVE_ECC */ - #ifndef NO_DH - case diffie_hellman_kea: - { - ret = DhAgree(ssl, ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_Priv.buffer, - ssl->buffers.serverDH_Priv.length, - input + args->idx, - (word16)args->sigSz, - ssl->arrays->preMasterSecret, - &ssl->arrays->preMasterSz); - break; - } - #endif /* !NO_DH */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - ret = DhAgree(ssl, ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_Priv.buffer, - ssl->buffers.serverDH_Priv.length, - input + args->idx, - (word16)args->sigSz, - ssl->arrays->preMasterSecret + OPAQUE16_LEN, - &ssl->arrays->preMasterSz); - break; - } - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - #ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID == ECC_X25519_OID) { - ret = X25519SharedSecret(ssl, - (curve25519_key*)ssl->eccTempKey, - ssl->peerX25519Key, - input + args->idx, &args->length, - ssl->arrays->preMasterSecret + OPAQUE16_LEN, - &args->sigSz, - WOLFSSL_SERVER_END, - #ifdef HAVE_PK_CALLBACKS - ssl->EccSharedSecretCtx - #else - NULL - #endif - ); - break; - } - #endif - /* Generate shared secret */ - ret = EccSharedSecret(ssl, - ssl->eccTempKey, ssl->peerEccKey, - input + args->idx, &args->length, - ssl->arrays->preMasterSecret + OPAQUE16_LEN, - &args->sigSz, - WOLFSSL_SERVER_END, - #ifdef HAVE_PK_CALLBACKS - ssl->EccSharedSecretCtx - #else - NULL - #endif - ); - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - default: - ret = BAD_KEA_TYPE_E; - } /* switch (ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dcke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_VERIFY; - } /* TLS_ASYNC_DO */ - FALL_THROUGH; - - case TLS_ASYNC_VERIFY: - { - switch (ssl->specs.kea) { - #ifndef NO_RSA - case rsa_kea: - { - /* Add the signature length to idx */ - args->idx += args->length; - - if (args->sigSz == SECRET_LEN && args->output != NULL) { - XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN); - if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major || - ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) { - ERROR_OUT(PMS_VERSION_ERROR, exit_dcke); - } - } - else { - ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke); - } - break; - } /* rsa_kea */ - #endif /* !NO_RSA */ - #ifndef NO_PSK - case psk_kea: - { - break; - } - #endif /* !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - break; - } - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - { - /* skip past the imported peer key */ - args->idx += args->length; - break; - } - #endif /* HAVE_ECC */ - #ifndef NO_DH - case diffie_hellman_kea: - { - args->idx += (word16)args->sigSz; - break; - } - #endif /* !NO_DH */ - #if !defined(NO_DH) && !defined(NO_PSK) - case dhe_psk_kea: - { - byte* pms = ssl->arrays->preMasterSecret; - word16 clientSz = (word16)args->sigSz; - - args->idx += clientSz; - c16toa((word16)ssl->arrays->preMasterSz, pms); - ssl->arrays->preMasterSz += OPAQUE16_LEN; - pms += ssl->arrays->preMasterSz; - - /* Use the PSK hint to look up the PSK and add it to the - * preMasterSecret here. */ - ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl, - ssl->arrays->client_identity, ssl->arrays->psk_key, - MAX_PSK_KEY_LEN); - - if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - ERROR_OUT(PSK_KEY_ERROR, exit_dcke); - } - - c16toa((word16) ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - - XMEMCPY(pms, ssl->arrays->psk_key, - ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz += ssl->arrays->psk_keySz + - OPAQUE16_LEN; - break; - } - #endif /* !NO_DH && !NO_PSK */ - #if defined(HAVE_ECC) && !defined(NO_PSK) - case ecdhe_psk_kea: - { - byte* pms = ssl->arrays->preMasterSecret; - word16 clientSz = (word16)args->sigSz; - - /* skip past the imported peer key */ - args->idx += args->length; - - /* Add preMasterSecret */ - c16toa(clientSz, pms); - ssl->arrays->preMasterSz += OPAQUE16_LEN + clientSz; - pms += ssl->arrays->preMasterSz; - - /* Use the PSK hint to look up the PSK and add it to the - * preMasterSecret here. */ - ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl, - ssl->arrays->client_identity, ssl->arrays->psk_key, - MAX_PSK_KEY_LEN); - - if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - ERROR_OUT(PSK_KEY_ERROR, exit_dcke); - } - - c16toa((word16) ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - - XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz += - ssl->arrays->psk_keySz + OPAQUE16_LEN; - break; - } - #endif /* HAVE_ECC && !NO_PSK */ - default: - ret = BAD_KEA_TYPE_E; - } /* switch (ssl->specs.kea) */ - - /* Check for error */ - if (ret != 0) { - goto exit_dcke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_FINALIZE; - } /* TLS_ASYNC_VERIFY */ - FALL_THROUGH; - - case TLS_ASYNC_FINALIZE: - { - #ifdef HAVE_QSH - word16 name; - - if (ssl->options.haveQSH) { - /* extension name */ - ato16(input + args->idx, &name); - args->idx += OPAQUE16_LEN; - - if (name == TLSX_QUANTUM_SAFE_HYBRID) { - int qshSz; - /* if qshSz is larger than 0 it is the - length of buffer used */ - if ((qshSz = TLSX_QSHCipher_Parse(ssl, - input + args->idx, - size - args->idx + args->begin, 1)) < 0) { - ERROR_OUT(qshSz, exit_dcke); - } - args->idx += qshSz; - } - else { - /* unknown extension sent client ignored handshake */ - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - } - #endif /* HAVE_QSH */ - ret = MakeMasterSecret(ssl); - - /* Check for error */ - if (ret != 0) { - goto exit_dcke; - } - - /* Advance state and proceed */ - ssl->options.asyncState = TLS_ASYNC_END; - } /* TLS_ASYNC_FINALIZE */ - FALL_THROUGH; - - case TLS_ASYNC_END: - { - /* Set final index */ - *inOutIdx = args->idx; - - ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; - #ifndef NO_CERTS - if (ssl->options.verifyPeer) { - ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes); - } - #endif - break; - } /* TLS_ASYNC_END */ - default: - ret = INPUT_CASE_ERROR; - } /* switch(ssl->options.asyncState) */ - - exit_dcke: - - WOLFSSL_LEAVE("DoClientKeyExchange", ret); - - #ifdef WOLFSSL_ASYNC_CRYPT - /* Handle async operation */ - if (ret == WC_PENDING_E) { - /* Mark message as not recevied so it can process again */ - ssl->msgsReceived.got_client_key_exchange = 0; - - return ret; - } - #endif /* WOLFSSL_ASYNC_CRYPT */ - - /* Cleanup PMS */ - ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz); - ssl->arrays->preMasterSz = 0; - - /* Final cleanup */ - FreeDckeArgs(ssl, args); - FreeKeyExchange(ssl); - - return ret; - } - - -#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - int SNI_Callback(WOLFSSL* ssl) - { - /* Stunnel supports a custom sni callback to switch an SSL's ctx - * when SNI is received. Call it now if exists */ - if(ssl && ssl->ctx && ssl->ctx->sniRecvCb) { - WOLFSSL_MSG("Calling custom sni callback"); - if(ssl->ctx->sniRecvCb(ssl, NULL, ssl->ctx->sniRecvCbArg) - == alert_fatal) { - WOLFSSL_MSG("Error in custom sni callback. Fatal alert"); - SendAlert(ssl, alert_fatal, unrecognized_name); - return FATAL_ERROR; - } - } - return 0; - } -#endif /* HAVE_STUNNEL || WOLGSSL_NGINX */ -#endif /* NO_WOLFSSL_SERVER */ - - -#ifdef WOLFSSL_ASYNC_CRYPT -int wolfSSL_AsyncPop(WOLFSSL* ssl, byte* state) -{ - int ret = 0; - WC_ASYNC_DEV* asyncDev; - WOLF_EVENT* event; - - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - - /* check for pending async */ - asyncDev = ssl->async.dev; - if (asyncDev) { - /* grab event pointer */ - event = &asyncDev->event; - - ret = wolfAsync_EventPop(event, WOLF_EVENT_TYPE_ASYNC_WOLFSSL); - if (ret != WC_NOT_PENDING_E && ret != WC_PENDING_E) { - - /* advance key share state if doesn't need called again */ - if (state && (asyncDev->event.flags & WC_ASYNC_FLAG_CALL_AGAIN) == 0) { - (*state)++; - } - - /* clear event */ - XMEMSET(&asyncDev->event, 0, sizeof(WOLF_EVENT)); - - /* clear async dev */ - ssl->async.dev = NULL; - } - } - else { - ret = WC_NOT_PENDING_E; - } - - WOLFSSL_LEAVE("wolfSSL_AsyncPop", ret); - - return ret; -} - -int wolfSSL_AsyncPush(WOLFSSL* ssl, WC_ASYNC_DEV* asyncDev, word32 flags) -{ - int ret; - WOLF_EVENT* event; - - if (ssl == NULL || asyncDev == NULL) { - return BAD_FUNC_ARG; - } - - /* grab event pointer */ - event = &asyncDev->event; - - /* init event */ - ret = wolfAsync_EventInit(event, WOLF_EVENT_TYPE_ASYNC_WOLFSSL, ssl, flags); - if (ret == 0) { - ssl->async.dev = asyncDev; - - /* place event into queue */ - ret = wolfAsync_EventQueuePush(&ssl->ctx->event_queue, event); - } - - /* success means return WC_PENDING_E */ - if (ret == 0) { - ret = WC_PENDING_E; - } - - WOLFSSL_LEAVE("wolfSSL_AsyncPush", ret); - - return ret; -} - -#endif /* WOLFSSL_ASYNC_CRYPT */ - - -#undef ERROR_OUT - -#endif /* WOLFCRYPT_ONLY */ diff --git a/tests/api(オリジナル).c b/tests/api(オリジナル).c deleted file mode 100644 index 2b49aede4..000000000 --- a/tests/api(オリジナル).c +++ /dev/null @@ -1,5050 +0,0 @@ -/* api.c API unit tests - * - * Copyright (C) 2006-2016 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - - -/*----------------------------------------------------------------------------* - | Includes - *----------------------------------------------------------------------------*/ - -#ifdef HAVE_CONFIG_H - #include -#endif - -#include - -#if defined(WOLFSSL_STATIC_MEMORY) - #include -#endif /* WOLFSSL_STATIC_MEMORY */ -#ifdef HAVE_ECC - #include /* wc_ecc_fp_free */ -#endif -#ifndef NO_ASN - #include -#endif -#include - -#include -#include /* compatibility layer */ -#include -#include - -#ifndef NO_MD5 - #include -#endif -#ifndef NO_SHA - #include -#endif -#ifndef NO_SHA256 - #include -#endif -#ifdef WOLFSSL_SHA512 - #include -#endif -#ifdef WOLFSSL_SHA384 - #include -#endif -#ifdef WOLFSSL_RIPEMD - #include -#endif - -#ifdef OPENSSL_EXTRA - #include - #include - #include - #include - #include - #include -#ifndef NO_DES3 - #include -#endif -#endif /* OPENSSL_EXTRA */ - -/* enable testing buffer load functions */ -#ifndef USE_CERT_BUFFERS_2048 - #define USE_CERT_BUFFERS_2048 -#endif -#include - - -typedef struct testVector { - const char* input; - const char* output; - size_t inLen; - size_t outLen; - -} testVector; - - -/*----------------------------------------------------------------------------* - | Constants - *----------------------------------------------------------------------------*/ - -#define TEST_SUCCESS (1) -#define TEST_FAIL (0) - -#define testingFmt " %s:" -#define resultFmt " %s\n" -static const char* passed = "passed"; -static const char* failed = "failed"; - -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) - static const char* bogusFile = - #ifdef _WIN32 - "NUL" - #else - "/dev/null" - #endif - ; -#endif - -enum { - TESTING_RSA = 1, - TESTING_ECC = 2 -}; - - -/*----------------------------------------------------------------------------* - | Setup - *----------------------------------------------------------------------------*/ - -static int test_wolfSSL_Init(void) -{ - int result; - - printf(testingFmt, "wolfSSL_Init()"); - result = wolfSSL_Init(); - printf(resultFmt, result == SSL_SUCCESS ? passed : failed); - - return result; -} - - -static int test_wolfSSL_Cleanup(void) -{ - int result; - - printf(testingFmt, "wolfSSL_Cleanup()"); - result = wolfSSL_Cleanup(); - printf(resultFmt, result == SSL_SUCCESS ? passed : failed); - - return result; -} - - -/* Initialize the wolfCrypt state. - * POST: 0 success. - */ -static int test_wolfCrypt_Init(void) -{ - int result; - - printf(testingFmt, "wolfCrypt_Init()"); - result = wolfCrypt_Init(); - printf(resultFmt, result == 0 ? passed : failed); - - return result; - -} /* END test_wolfCrypt_Init */ - -/*----------------------------------------------------------------------------* - | Method Allocators - *----------------------------------------------------------------------------*/ - -static void test_wolfSSL_Method_Allocators(void) -{ - #define TEST_METHOD_ALLOCATOR(allocator, condition) \ - do { \ - WOLFSSL_METHOD *method; \ - condition(method = allocator()); \ - XFREE(method, 0, DYNAMIC_TYPE_METHOD); \ - } while(0) - - #define TEST_VALID_METHOD_ALLOCATOR(a) \ - TEST_METHOD_ALLOCATOR(a, AssertNotNull) - - #define TEST_INVALID_METHOD_ALLOCATOR(a) \ - TEST_METHOD_ALLOCATOR(a, AssertNull) - -#ifndef NO_OLD_TLS - #ifdef WOLFSSL_ALLOW_SSLV3 - TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_server_method); - TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_client_method); - #endif - TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_server_method); - TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_client_method); - TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_1_server_method); - TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_1_client_method); -#endif - TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_2_server_method); - TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_2_client_method); - TEST_VALID_METHOD_ALLOCATOR(wolfSSLv23_client_method); - -#ifdef WOLFSSL_DTLS - #ifndef NO_OLD_TLS - TEST_VALID_METHOD_ALLOCATOR(wolfDTLSv1_server_method); - TEST_VALID_METHOD_ALLOCATOR(wolfDTLSv1_client_method); - #endif - TEST_VALID_METHOD_ALLOCATOR(wolfDTLSv1_2_server_method); - TEST_VALID_METHOD_ALLOCATOR(wolfDTLSv1_2_client_method); -#endif - -#ifdef OPENSSL_EXTRA - TEST_INVALID_METHOD_ALLOCATOR(wolfSSLv2_server_method); - TEST_INVALID_METHOD_ALLOCATOR(wolfSSLv2_client_method); -#endif -} - -/*----------------------------------------------------------------------------* - | Context - *----------------------------------------------------------------------------*/ - -static void test_wolfSSL_CTX_new(WOLFSSL_METHOD *method) -{ - WOLFSSL_CTX *ctx; - - AssertNull(ctx = wolfSSL_CTX_new(NULL)); - - AssertNotNull(method); - AssertNotNull(ctx = wolfSSL_CTX_new(method)); - - wolfSSL_CTX_free(ctx); -} - - -static void test_wolfSSL_CTX_use_certificate_file(void) -{ -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) - WOLFSSL_CTX *ctx; - - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - - /* invalid context */ - AssertFalse(wolfSSL_CTX_use_certificate_file(NULL, svrCertFile, - SSL_FILETYPE_PEM)); - /* invalid cert file */ - AssertFalse(wolfSSL_CTX_use_certificate_file(ctx, bogusFile, - SSL_FILETYPE_PEM)); - /* invalid cert type */ - AssertFalse(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, 9999)); - -#ifdef NO_RSA - /* rsa needed */ - AssertFalse(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,SSL_FILETYPE_PEM)); -#else - /* success */ - AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); -#endif - - wolfSSL_CTX_free(ctx); -#endif -} - -/* Test function for wolfSSL_CTX_use_certificate_buffer. Load cert into - * context using buffer. - * PRE: NO_CERTS not defined; USE_CERT_BUFFERS_2048 defined; compile with - * --enable-testcert flag. - */ -static int test_wolfSSL_CTX_use_certificate_buffer(void) -{ - #if !defined(NO_CERTS) && defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA) - WOLFSSL_CTX* ctx; - int ret; - - printf(testingFmt, "wolfSSL_CTX_use_certificate_buffer()"); - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - - ret = wolfSSL_CTX_use_certificate_buffer(ctx, server_cert_der_2048, - sizeof_server_cert_der_2048, SSL_FILETYPE_ASN1); - - printf(resultFmt, ret == SSL_SUCCESS ? passed : failed); - wolfSSL_CTX_free(ctx); - - return ret; - #else - return SSL_SUCCESS; - #endif - -} /*END test_wolfSSL_CTX_use_certificate_buffer*/ - -static void test_wolfSSL_CTX_use_PrivateKey_file(void) -{ -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) - WOLFSSL_CTX *ctx; - - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - - /* invalid context */ - AssertFalse(wolfSSL_CTX_use_PrivateKey_file(NULL, svrKeyFile, - SSL_FILETYPE_PEM)); - /* invalid key file */ - AssertFalse(wolfSSL_CTX_use_PrivateKey_file(ctx, bogusFile, - SSL_FILETYPE_PEM)); - /* invalid key type */ - AssertFalse(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, 9999)); - - /* success */ -#ifdef NO_RSA - /* rsa needed */ - AssertFalse(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); -#else - /* success */ - AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); -#endif - - wolfSSL_CTX_free(ctx); -#endif -} - - -/* test both file and buffer versions along with unloading trusted peer certs */ -static void test_wolfSSL_CTX_trust_peer_cert(void) -{ -#if !defined(NO_CERTS) && defined(WOLFSSL_TRUST_PEER_CERT) - WOLFSSL_CTX *ctx; - - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - -#if !defined(NO_FILESYSTEM) - /* invalid file */ - assert(wolfSSL_CTX_trust_peer_cert(ctx, NULL, - SSL_FILETYPE_PEM) != SSL_SUCCESS); - assert(wolfSSL_CTX_trust_peer_cert(ctx, bogusFile, - SSL_FILETYPE_PEM) != SSL_SUCCESS); - assert(wolfSSL_CTX_trust_peer_cert(ctx, cliCertFile, - SSL_FILETYPE_ASN1) != SSL_SUCCESS); - - /* success */ - assert(wolfSSL_CTX_trust_peer_cert(ctx, cliCertFile, SSL_FILETYPE_PEM) - == SSL_SUCCESS); - - /* unload cert */ - assert(wolfSSL_CTX_Unload_trust_peers(NULL) != SSL_SUCCESS); - assert(wolfSSL_CTX_Unload_trust_peers(ctx) == SSL_SUCCESS); -#endif - - /* Test of loading certs from buffers */ - - /* invalid buffer */ - assert(wolfSSL_CTX_trust_peer_buffer(ctx, NULL, -1, - SSL_FILETYPE_ASN1) != SSL_SUCCESS); - - /* success */ -#ifdef USE_CERT_BUFFERS_1024 - assert(wolfSSL_CTX_trust_peer_buffer(ctx, client_cert_der_1024, - sizeof_client_cert_der_1024, SSL_FILETYPE_ASN1) == SSL_SUCCESS); -#endif -#ifdef USE_CERT_BUFFERS_2048 - assert(wolfSSL_CTX_trust_peer_buffer(ctx, client_cert_der_2048, - sizeof_client_cert_der_2048, SSL_FILETYPE_ASN1) == SSL_SUCCESS); -#endif - - /* unload cert */ - assert(wolfSSL_CTX_Unload_trust_peers(NULL) != SSL_SUCCESS); - assert(wolfSSL_CTX_Unload_trust_peers(ctx) == SSL_SUCCESS); - - wolfSSL_CTX_free(ctx); -#endif -} - - -static void test_wolfSSL_CTX_load_verify_locations(void) -{ -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) - WOLFSSL_CTX *ctx; - - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - - /* invalid context */ - AssertFalse(wolfSSL_CTX_load_verify_locations(NULL, caCertFile, 0)); - - /* invalid ca file */ - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_load_verify_locations(ctx, NULL, 0)); - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_load_verify_locations(ctx, bogusFile, 0)); - - -#ifndef WOLFSSL_TIRTOS - /* invalid path */ - /* not working... investigate! */ - /* AssertFalse(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, bogusFile)); */ -#endif - - /* success */ - AssertTrue(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0)); - - wolfSSL_CTX_free(ctx); -#endif -} - -static void test_wolfSSL_CTX_SetTmpDH_file(void) -{ -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_DH) - WOLFSSL_CTX *ctx; - - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - - /* invalid context */ - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(NULL, - dhParamFile, SSL_FILETYPE_PEM)); - - /* invalid dhParamFile file */ - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, - NULL, SSL_FILETYPE_PEM)); - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, - bogusFile, SSL_FILETYPE_PEM)); - - /* success */ - AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, dhParamFile, - SSL_FILETYPE_PEM)); - - wolfSSL_CTX_free(ctx); -#endif -} - -static void test_wolfSSL_CTX_SetTmpDH_buffer(void) -{ -#if !defined(NO_CERTS) && !defined(NO_DH) - WOLFSSL_CTX *ctx; - - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - - /* invalid context */ - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(NULL, dh_key_der_2048, - sizeof_dh_key_der_2048, SSL_FILETYPE_ASN1)); - - /* invalid dhParamFile file */ - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(NULL, NULL, - 0, SSL_FILETYPE_ASN1)); - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, dsa_key_der_2048, - sizeof_dsa_key_der_2048, SSL_FILETYPE_ASN1)); - - /* success */ - AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, dh_key_der_2048, - sizeof_dh_key_der_2048, SSL_FILETYPE_ASN1)); - - wolfSSL_CTX_free(ctx); -#endif -} - -/*----------------------------------------------------------------------------* - | SSL - *----------------------------------------------------------------------------*/ - -static void test_server_wolfSSL_new(void) -{ -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_RSA) - WOLFSSL_CTX *ctx; - WOLFSSL_CTX *ctx_nocert; - WOLFSSL *ssl; - - AssertNotNull(ctx_nocert = wolfSSL_CTX_new(wolfSSLv23_server_method())); - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - - AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); - AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - - /* invalid context */ - AssertNull(ssl = wolfSSL_new(NULL)); -#ifndef WOLFSSL_SESSION_EXPORT - AssertNull(ssl = wolfSSL_new(ctx_nocert)); -#endif - - /* success */ - AssertNotNull(ssl = wolfSSL_new(ctx)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - wolfSSL_CTX_free(ctx_nocert); -#endif -} - - -static void test_client_wolfSSL_new(void) -{ -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_RSA) - WOLFSSL_CTX *ctx; - WOLFSSL_CTX *ctx_nocert; - WOLFSSL *ssl; - - AssertNotNull(ctx_nocert = wolfSSL_CTX_new(wolfSSLv23_client_method())); - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - - AssertTrue(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0)); - - /* invalid context */ - AssertNull(ssl = wolfSSL_new(NULL)); - - /* success */ - AssertNotNull(ssl = wolfSSL_new(ctx_nocert)); - wolfSSL_free(ssl); - - /* success */ - AssertNotNull(ssl = wolfSSL_new(ctx)); - wolfSSL_free(ssl); - - wolfSSL_CTX_free(ctx); - wolfSSL_CTX_free(ctx_nocert); -#endif -} - -static void test_wolfSSL_SetTmpDH_file(void) -{ -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_DH) - WOLFSSL_CTX *ctx; - WOLFSSL *ssl; - - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#ifndef NO_RSA - AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, - SSL_FILETYPE_PEM)); - AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, - SSL_FILETYPE_PEM)); -#else - AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, eccCertFile, - SSL_FILETYPE_PEM)); - AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, eccKeyFile, - SSL_FILETYPE_PEM)); -#endif - AssertNotNull(ssl = wolfSSL_new(ctx)); - - /* invalid ssl */ - AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_file(NULL, - dhParamFile, SSL_FILETYPE_PEM)); - - /* invalid dhParamFile file */ - AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, - NULL, SSL_FILETYPE_PEM)); - AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, - bogusFile, SSL_FILETYPE_PEM)); - - /* success */ - AssertIntEQ(SSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, dhParamFile, - SSL_FILETYPE_PEM)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif -} - -static void test_wolfSSL_SetTmpDH_buffer(void) -{ -#if !defined(NO_CERTS) && !defined(NO_DH) - WOLFSSL_CTX *ctx; - WOLFSSL *ssl; - - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - AssertTrue(wolfSSL_CTX_use_certificate_buffer(ctx, server_cert_der_2048, - sizeof_server_cert_der_2048, SSL_FILETYPE_ASN1)); - AssertTrue(wolfSSL_CTX_use_PrivateKey_buffer(ctx, server_key_der_2048, - sizeof_server_key_der_2048, SSL_FILETYPE_ASN1)); - AssertNotNull(ssl = wolfSSL_new(ctx)); - - /* invalid ssl */ - AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_buffer(NULL, dh_key_der_2048, - sizeof_dh_key_der_2048, SSL_FILETYPE_ASN1)); - - /* invalid dhParamFile file */ - AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_buffer(NULL, NULL, - 0, SSL_FILETYPE_ASN1)); - AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, dsa_key_der_2048, - sizeof_dsa_key_der_2048, SSL_FILETYPE_ASN1)); - - /* success */ - AssertIntEQ(SSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048, - sizeof_dh_key_der_2048, SSL_FILETYPE_ASN1)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif -} - - -/* Test function for wolfSSL_SetMinVersion. Sets the minimum downgrade version - * allowed. - * POST: return 1 on success. - */ -static int test_wolfSSL_SetMinVersion(void) -{ - WOLFSSL_CTX* ctx; - WOLFSSL* ssl; - int failFlag, itr; - - #ifndef NO_OLD_TLS - const int versions[] = { WOLFSSL_TLSV1, WOLFSSL_TLSV1_1, - WOLFSSL_TLSV1_2}; - #else - const int versions[] = { WOLFSSL_TLSV1_2 }; - #endif - failFlag = SSL_SUCCESS; - - AssertTrue(wolfSSL_Init()); - ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()); - ssl = wolfSSL_new(ctx); - - printf(testingFmt, "wolfSSL_SetMinVersion()"); - - for (itr = 0; itr < (int)(sizeof(versions)/sizeof(int)); itr++){ - if(wolfSSL_SetMinVersion(ssl, *(versions + itr)) != SSL_SUCCESS){ - failFlag = SSL_FAILURE; - } - } - - printf(resultFmt, failFlag == SSL_SUCCESS ? passed : failed); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - AssertTrue(wolfSSL_Cleanup()); - - return failFlag; - -} /* END test_wolfSSL_SetMinVersion */ - - -/*----------------------------------------------------------------------------* - | IO - *----------------------------------------------------------------------------*/ -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ - !defined(NO_RSA) && !defined(SINGLE_THREADED) -#define HAVE_IO_TESTS_DEPENDENCIES -#endif - -/* helper functions */ -#ifdef HAVE_IO_TESTS_DEPENDENCIES -#ifdef WOLFSSL_SESSION_EXPORT -/* set up function for sending session information */ -static int test_export(WOLFSSL* inSsl, byte* buf, word32 sz, void* userCtx) -{ - WOLFSSL_CTX* ctx; - WOLFSSL* ssl; - - AssertNotNull(inSsl); - AssertNotNull(buf); - AssertIntNE(0, sz); - - /* Set ctx to DTLS 1.2 */ - ctx = wolfSSL_CTX_new(wolfDTLSv1_2_server_method()); - AssertNotNull(ctx); - - ssl = wolfSSL_new(ctx); - AssertNotNull(ssl); - - AssertIntGE(wolfSSL_dtls_import(ssl, buf, sz), 0); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - (void)userCtx; - return SSL_SUCCESS; -} -#endif - - -static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) -{ - SOCKET_T sockfd = 0; - SOCKET_T clientfd = 0; - word16 port; - - WOLFSSL_METHOD* method = 0; - WOLFSSL_CTX* ctx = 0; - WOLFSSL* ssl = 0; - - char msg[] = "I hear you fa shizzle!"; - char input[1024]; - int idx; - int ret, err = 0; - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - ((func_args*)args)->return_code = TEST_FAIL; - if (((func_args*)args)->callbacks != NULL && - ((func_args*)args)->callbacks->method != NULL) { - method = ((func_args*)args)->callbacks->method(); - } - else { - method = wolfSSLv23_server_method(); - } - ctx = wolfSSL_CTX_new(method); - -#if defined(USE_WINDOWS_API) - port = ((func_args*)args)->signal->port; -#elif defined(NO_MAIN_DRIVER) && !defined(WOLFSSL_SNIFFER) && \ - !defined(WOLFSSL_MDK_SHELL) && !defined(WOLFSSL_TIRTOS) - /* Let tcp_listen assign port */ - port = 0; -#else - /* Use default port */ - port = wolfSSLPort; -#endif - - wolfSSL_CTX_set_verify(ctx, - SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); - -#ifdef OPENSSL_EXTRA - wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); -#endif - - if (wolfSSL_CTX_load_verify_locations(ctx, cliCertFile, 0) != SSL_SUCCESS) - { - /*err_sys("can't load ca file, Please run from wolfSSL home dir");*/ - goto done; - } - if (wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM) - != SSL_SUCCESS) - { - /*err_sys("can't load server cert chain file, " - "Please run from wolfSSL home dir");*/ - goto done; - } - if (wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM) - != SSL_SUCCESS) - { - /*err_sys("can't load server key file, " - "Please run from wolfSSL home dir");*/ - goto done; - } - - ssl = wolfSSL_new(ctx); - tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1); - CloseSocket(sockfd); - - if (wolfSSL_set_fd(ssl, clientfd) != SSL_SUCCESS) { - /*err_sys("SSL_set_fd failed");*/ - goto done; - } - -#ifdef NO_PSK - #if !defined(NO_FILESYSTEM) && !defined(NO_DH) - wolfSSL_SetTmpDH_file(ssl, dhParamFile, SSL_FILETYPE_PEM); - #elif !defined(NO_DH) - SetDH(ssl); /* will repick suites with DHE, higher priority than PSK */ - #endif -#endif - - do { -#ifdef WOLFSSL_ASYNC_CRYPT - if (err == WC_PENDING_E) { - ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); - if (ret < 0) { break; } else if (ret == 0) { continue; } - } -#endif - - err = 0; /* Reset error */ - ret = wolfSSL_accept(ssl); - if (ret != SSL_SUCCESS) { - err = wolfSSL_get_error(ssl, 0); - } - } while (ret != SSL_SUCCESS && err == WC_PENDING_E); - - if (ret != SSL_SUCCESS) { - char buffer[WOLFSSL_MAX_ERROR_SZ]; - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); - /*err_sys("SSL_accept failed");*/ - goto done; - } - - idx = wolfSSL_read(ssl, input, sizeof(input)-1); - if (idx > 0) { - input[idx] = 0; - printf("Client message: %s\n", input); - } - - if (wolfSSL_write(ssl, msg, sizeof(msg)) != sizeof(msg)) - { - /*err_sys("SSL_write failed");*/ -#ifdef WOLFSSL_TIRTOS - return; -#else - return 0; -#endif - } - -#ifdef WOLFSSL_TIRTOS - Task_yield(); -#endif - -done: - wolfSSL_shutdown(ssl); - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - - CloseSocket(clientfd); - ((func_args*)args)->return_code = TEST_SUCCESS; - -#ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); -#endif - -#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ - && defined(HAVE_THREAD_LS) - wc_ecc_fp_free(); /* free per thread cache */ -#endif - -#ifndef WOLFSSL_TIRTOS - return 0; -#endif -} - - -static void test_client_nofail(void* args) -{ - SOCKET_T sockfd = 0; - - WOLFSSL_METHOD* method = 0; - WOLFSSL_CTX* ctx = 0; - WOLFSSL* ssl = 0; - - char msg[64] = "hello wolfssl!"; - char reply[1024]; - int input; - int msgSz = (int)XSTRLEN(msg); - int ret, err = 0; - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - ((func_args*)args)->return_code = TEST_FAIL; - if (((func_args*)args)->callbacks != NULL && - ((func_args*)args)->callbacks->method != NULL) { - method = ((func_args*)args)->callbacks->method(); - } - else { - method = wolfSSLv23_client_method(); - } - ctx = wolfSSL_CTX_new(method); - -#ifdef OPENSSL_EXTRA - wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); -#endif - - if (wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0) != SSL_SUCCESS) - { - /* err_sys("can't load ca file, Please run from wolfSSL home dir");*/ - goto done2; - } - if (wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM) - != SSL_SUCCESS) - { - /*err_sys("can't load client cert file, " - "Please run from wolfSSL home dir");*/ - goto done2; - } - if (wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM) - != SSL_SUCCESS) - { - /*err_sys("can't load client key file, " - "Please run from wolfSSL home dir");*/ - goto done2; - } - - ssl = wolfSSL_new(ctx); - tcp_connect(&sockfd, wolfSSLIP, ((func_args*)args)->signal->port, - 0, 0, ssl); - if (wolfSSL_set_fd(ssl, sockfd) != SSL_SUCCESS) { - /*err_sys("SSL_set_fd failed");*/ - goto done2; - } - - do { -#ifdef WOLFSSL_ASYNC_CRYPT - if (err == WC_PENDING_E) { - ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); - if (ret < 0) { break; } else if (ret == 0) { continue; } - } -#endif - - err = 0; /* Reset error */ - ret = wolfSSL_connect(ssl); - if (ret != SSL_SUCCESS) { - err = wolfSSL_get_error(ssl, 0); - } - } while (ret != SSL_SUCCESS && err == WC_PENDING_E); - - if (ret != SSL_SUCCESS) { - char buffer[WOLFSSL_MAX_ERROR_SZ]; - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); - /*err_sys("SSL_connect failed");*/ - goto done2; - } - - if (wolfSSL_write(ssl, msg, msgSz) != msgSz) - { - /*err_sys("SSL_write failed");*/ - goto done2; - } - - input = wolfSSL_read(ssl, reply, sizeof(reply)-1); - if (input > 0) - { - reply[input] = 0; - printf("Server response: %s\n", reply); - } - -done2: - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - - CloseSocket(sockfd); - ((func_args*)args)->return_code = TEST_SUCCESS; - -#ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); -#endif - - return; -} - -/* SNI / ALPN / session export helper functions */ -#if defined(HAVE_SNI) || defined(HAVE_ALPN) || defined(WOLFSSL_SESSION_EXPORT) - -static THREAD_RETURN WOLFSSL_THREAD run_wolfssl_server(void* args) -{ - callback_functions* callbacks = ((func_args*)args)->callbacks; - - WOLFSSL_CTX* ctx = wolfSSL_CTX_new(callbacks->method()); - WOLFSSL* ssl = NULL; - SOCKET_T sfd = 0; - SOCKET_T cfd = 0; - word16 port; - - char msg[] = "I hear you fa shizzle!"; - int len = (int) XSTRLEN(msg); - char input[1024]; - int idx; - int ret, err = 0; - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - ((func_args*)args)->return_code = TEST_FAIL; - -#if defined(USE_WINDOWS_API) - port = ((func_args*)args)->signal->port; -#elif defined(NO_MAIN_DRIVER) && !defined(WOLFSSL_SNIFFER) && \ - !defined(WOLFSSL_MDK_SHELL) && !defined(WOLFSSL_TIRTOS) - /* Let tcp_listen assign port */ - port = 0; -#else - /* Use default port */ - port = wolfSSLPort; -#endif - - wolfSSL_CTX_set_verify(ctx, - SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); - -#ifdef OPENSSL_EXTRA - wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); -#endif -#ifdef WOLFSSL_SESSION_EXPORT - AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_dtls_set_export(ctx, test_export)); -#endif - - - AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_load_verify_locations(ctx, cliCertFile, 0)); - - AssertIntEQ(SSL_SUCCESS, - wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); - - AssertIntEQ(SSL_SUCCESS, - wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - - if (callbacks->ctx_ready) - callbacks->ctx_ready(ctx); - - ssl = wolfSSL_new(ctx); - if (wolfSSL_dtls(ssl)) { - SOCKADDR_IN_T cliAddr; - socklen_t cliLen; - - cliLen = sizeof(cliAddr); - tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 1, 0, 0, 0); - idx = (int)recvfrom(sfd, input, sizeof(input), MSG_PEEK, - (struct sockaddr*)&cliAddr, &cliLen); - AssertIntGT(idx, 0); - wolfSSL_dtls_set_peer(ssl, &cliAddr, cliLen); - } - else { - tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 0, 0, 0, 1); - CloseSocket(sfd); - } - - AssertIntEQ(SSL_SUCCESS, wolfSSL_set_fd(ssl, cfd)); - -#ifdef NO_PSK - #if !defined(NO_FILESYSTEM) && !defined(NO_DH) - wolfSSL_SetTmpDH_file(ssl, dhParamFile, SSL_FILETYPE_PEM); - #elif !defined(NO_DH) - SetDH(ssl); /* will repick suites with DHE, higher priority than PSK */ - #endif -#endif - - if (callbacks->ssl_ready) - callbacks->ssl_ready(ssl); - - do { -#ifdef WOLFSSL_ASYNC_CRYPT - if (err == WC_PENDING_E) { - ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); - if (ret < 0) { break; } else if (ret == 0) { continue; } - } -#endif - - err = 0; /* Reset error */ - ret = wolfSSL_accept(ssl); - if (ret != SSL_SUCCESS) { - err = wolfSSL_get_error(ssl, 0); - } - } while (ret != SSL_SUCCESS && err == WC_PENDING_E); - - if (ret != SSL_SUCCESS) { - char buffer[WOLFSSL_MAX_ERROR_SZ]; - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); - /*err_sys("SSL_accept failed");*/ - } - else { - if (0 < (idx = wolfSSL_read(ssl, input, sizeof(input)-1))) { - input[idx] = 0; - printf("Client message: %s\n", input); - } - - AssertIntEQ(len, wolfSSL_write(ssl, msg, len)); -#if defined(WOLFSSL_SESSION_EXPORT) && !defined(HAVE_IO_POOL) - if (wolfSSL_dtls(ssl)) { - byte* import; - word32 sz; - - wolfSSL_dtls_export(ssl, NULL, &sz); - import = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - AssertNotNull(import); - idx = wolfSSL_dtls_export(ssl, import, &sz); - AssertIntGE(idx, 0); - AssertIntGE(wolfSSL_dtls_import(ssl, import, idx), 0); - XFREE(import, NULL, DYNAMIC_TYPE_TMP_BUFFER); - } -#endif -#ifdef WOLFSSL_TIRTOS - Task_yield(); -#endif - wolfSSL_shutdown(ssl); - } - - if (callbacks->on_result) - callbacks->on_result(ssl); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - CloseSocket(cfd); - - ((func_args*)args)->return_code = TEST_SUCCESS; - -#ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); -#endif - -#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ - && defined(HAVE_THREAD_LS) - wc_ecc_fp_free(); /* free per thread cache */ -#endif - -#ifndef WOLFSSL_TIRTOS - return 0; -#endif -} - - -static void run_wolfssl_client(void* args) -{ - callback_functions* callbacks = ((func_args*)args)->callbacks; - - WOLFSSL_CTX* ctx = wolfSSL_CTX_new(callbacks->method()); - WOLFSSL* ssl = NULL; - SOCKET_T sfd = 0; - - char msg[] = "hello wolfssl server!"; - int len = (int) XSTRLEN(msg); - char input[1024]; - int idx; - int ret, err = 0; - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - ((func_args*)args)->return_code = TEST_FAIL; - -#ifdef OPENSSL_EXTRA - wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); -#endif - - AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0)); - - AssertIntEQ(SSL_SUCCESS, - wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM)); - - AssertIntEQ(SSL_SUCCESS, - wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM)); - - if (callbacks->ctx_ready) - callbacks->ctx_ready(ctx); - - ssl = wolfSSL_new(ctx); - if (wolfSSL_dtls(ssl)) { - tcp_connect(&sfd, wolfSSLIP, ((func_args*)args)->signal->port, - 1, 0, ssl); - } - else { - tcp_connect(&sfd, wolfSSLIP, ((func_args*)args)->signal->port, - 0, 0, ssl); - } - AssertIntEQ(SSL_SUCCESS, wolfSSL_set_fd(ssl, sfd)); - - if (callbacks->ssl_ready) - callbacks->ssl_ready(ssl); - - do { -#ifdef WOLFSSL_ASYNC_CRYPT - if (err == WC_PENDING_E) { - ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); - if (ret < 0) { break; } else if (ret == 0) { continue; } - } -#endif - - err = 0; /* Reset error */ - ret = wolfSSL_connect(ssl); - if (ret != SSL_SUCCESS) { - err = wolfSSL_get_error(ssl, 0); - } - } while (ret != SSL_SUCCESS && err == WC_PENDING_E); - - if (ret != SSL_SUCCESS) { - char buffer[WOLFSSL_MAX_ERROR_SZ]; - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); - /*err_sys("SSL_connect failed");*/ - } - else { - AssertIntEQ(len, wolfSSL_write(ssl, msg, len)); - - if (0 < (idx = wolfSSL_read(ssl, input, sizeof(input)-1))) { - input[idx] = 0; - printf("Server response: %s\n", input); - } - } - - if (callbacks->on_result) - callbacks->on_result(ssl); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - CloseSocket(sfd); - ((func_args*)args)->return_code = TEST_SUCCESS; - -#ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); -#endif -} - -#endif /* defined(HAVE_SNI) || defined(HAVE_ALPN) || - defined(WOLFSSL_SESSION_EXPORT) */ -#endif /* io tests dependencies */ - - -static void test_wolfSSL_read_write(void) -{ -#ifdef HAVE_IO_TESTS_DEPENDENCIES - /* The unit testing for read and write shall happen simutaneously, since - * one can't do anything with one without the other. (Except for a failure - * test case.) This function will call all the others that will set up, - * execute, and report their test findings. - * - * Set up the success case first. This function will become the template - * for the other tests. This should eventually be renamed - * - * The success case isn't interesting, how can this fail? - * - Do not give the client context a CA certificate. The connect should - * fail. Do not need server for this? - * - Using NULL for the ssl object on server. Do not need client for this. - * - Using NULL for the ssl object on client. Do not need server for this. - * - Good ssl objects for client and server. Client write() without server - * read(). - * - Good ssl objects for client and server. Server write() without client - * read(). - * - Forgetting the password callback? - */ - tcp_ready ready; - func_args client_args; - func_args server_args; - THREAD_TYPE serverThread; - - XMEMSET(&client_args, 0, sizeof(func_args)); - XMEMSET(&server_args, 0, sizeof(func_args)); -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - StartTCP(); - InitTcpReady(&ready); - -#if defined(USE_WINDOWS_API) - /* use RNG to get random port if using windows */ - ready.port = GetRandomPort(); -#endif - - server_args.signal = &ready; - client_args.signal = &ready; - - start_thread(test_server_nofail, &server_args, &serverThread); - wait_tcp_ready(&server_args); - test_client_nofail(&client_args); - join_thread(serverThread); - - AssertTrue(client_args.return_code); - AssertTrue(server_args.return_code); - - FreeTcpReady(&ready); - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - -#endif -} - - -static void test_wolfSSL_dtls_export(void) -{ -#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS) && \ - defined(WOLFSSL_SESSION_EXPORT) - tcp_ready ready; - func_args client_args; - func_args server_args; - THREAD_TYPE serverThread; - callback_functions server_cbf; - callback_functions client_cbf; -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - InitTcpReady(&ready); - -#if defined(USE_WINDOWS_API) - /* use RNG to get random port if using windows */ - ready.port = GetRandomPort(); -#endif - - /* set using dtls */ - XMEMSET(&client_args, 0, sizeof(func_args)); - XMEMSET(&server_args, 0, sizeof(func_args)); - XMEMSET(&server_cbf, 0, sizeof(callback_functions)); - XMEMSET(&client_cbf, 0, sizeof(callback_functions)); - server_cbf.method = wolfDTLSv1_2_server_method; - client_cbf.method = wolfDTLSv1_2_client_method; - server_args.callbacks = &server_cbf; - client_args.callbacks = &client_cbf; - - server_args.signal = &ready; - client_args.signal = &ready; - - start_thread(run_wolfssl_server, &server_args, &serverThread); - wait_tcp_ready(&server_args); - run_wolfssl_client(&client_args); - join_thread(serverThread); - - AssertTrue(client_args.return_code); - AssertTrue(server_args.return_code); - - FreeTcpReady(&ready); - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - printf(testingFmt, "wolfSSL_dtls_export()"); - printf(resultFmt, passed); -#endif -} - -/*----------------------------------------------------------------------------* - | TLS extensions tests - *----------------------------------------------------------------------------*/ - -#if defined(HAVE_SNI) || defined(HAVE_ALPN) -/* connection test runner */ -static void test_wolfSSL_client_server(callback_functions* client_callbacks, - callback_functions* server_callbacks) -{ -#ifdef HAVE_IO_TESTS_DEPENDENCIES - tcp_ready ready; - func_args client_args; - func_args server_args; - THREAD_TYPE serverThread; - - XMEMSET(&client_args, 0, sizeof(func_args)); - XMEMSET(&server_args, 0, sizeof(func_args)); - - StartTCP(); - - client_args.callbacks = client_callbacks; - server_args.callbacks = server_callbacks; - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - /* RUN Server side */ - InitTcpReady(&ready); - -#if defined(USE_WINDOWS_API) - /* use RNG to get random port if using windows */ - ready.port = GetRandomPort(); -#endif - - server_args.signal = &ready; - client_args.signal = &ready; - start_thread(run_wolfssl_server, &server_args, &serverThread); - wait_tcp_ready(&server_args); - - /* RUN Client side */ - run_wolfssl_client(&client_args); - join_thread(serverThread); - - FreeTcpReady(&ready); -#ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); -#endif - -#else - (void)client_callbacks; - (void)server_callbacks; -#endif -} - -#endif /* defined(HAVE_SNI) || defined(HAVE_ALPN) */ - - -#ifdef HAVE_SNI -static void test_wolfSSL_UseSNI_params(void) -{ - WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - WOLFSSL *ssl = wolfSSL_new(ctx); - - AssertNotNull(ctx); - AssertNotNull(ssl); - - /* invalid [ctx|ssl] */ - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_UseSNI(NULL, 0, "ctx", 3)); - AssertIntNE(SSL_SUCCESS, wolfSSL_UseSNI( NULL, 0, "ssl", 3)); - /* invalid type */ - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, -1, "ctx", 3)); - AssertIntNE(SSL_SUCCESS, wolfSSL_UseSNI( ssl, -1, "ssl", 3)); - /* invalid data */ - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, 0, NULL, 3)); - AssertIntNE(SSL_SUCCESS, wolfSSL_UseSNI( ssl, 0, NULL, 3)); - /* success case */ - AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, 0, "ctx", 3)); - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseSNI( ssl, 0, "ssl", 3)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -} - -/* BEGIN of connection tests callbacks */ -static void use_SNI_at_ctx(WOLFSSL_CTX* ctx) -{ - AssertIntEQ(SSL_SUCCESS, - wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, "www.wolfssl.com", 15)); -} - -static void use_SNI_at_ssl(WOLFSSL* ssl) -{ - AssertIntEQ(SSL_SUCCESS, - wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, "www.wolfssl.com", 15)); -} - -static void different_SNI_at_ssl(WOLFSSL* ssl) -{ - AssertIntEQ(SSL_SUCCESS, - wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, "ww2.wolfssl.com", 15)); -} - -static void use_SNI_WITH_CONTINUE_at_ssl(WOLFSSL* ssl) -{ - use_SNI_at_ssl(ssl); - wolfSSL_SNI_SetOptions(ssl, WOLFSSL_SNI_HOST_NAME, - WOLFSSL_SNI_CONTINUE_ON_MISMATCH); -} - -static void use_SNI_WITH_FAKE_ANSWER_at_ssl(WOLFSSL* ssl) -{ - use_SNI_at_ssl(ssl); - wolfSSL_SNI_SetOptions(ssl, WOLFSSL_SNI_HOST_NAME, - WOLFSSL_SNI_ANSWER_ON_MISMATCH); -} - -static void use_MANDATORY_SNI_at_ctx(WOLFSSL_CTX* ctx) -{ - use_SNI_at_ctx(ctx); - wolfSSL_CTX_SNI_SetOptions(ctx, WOLFSSL_SNI_HOST_NAME, - WOLFSSL_SNI_ABORT_ON_ABSENCE); -} - -static void use_MANDATORY_SNI_at_ssl(WOLFSSL* ssl) -{ - use_SNI_at_ssl(ssl); - wolfSSL_SNI_SetOptions(ssl, WOLFSSL_SNI_HOST_NAME, - WOLFSSL_SNI_ABORT_ON_ABSENCE); -} - -static void use_PSEUDO_MANDATORY_SNI_at_ctx(WOLFSSL_CTX* ctx) -{ - use_SNI_at_ctx(ctx); - wolfSSL_CTX_SNI_SetOptions(ctx, WOLFSSL_SNI_HOST_NAME, - WOLFSSL_SNI_ANSWER_ON_MISMATCH | WOLFSSL_SNI_ABORT_ON_ABSENCE); -} - -static void verify_UNKNOWN_SNI_on_server(WOLFSSL* ssl) -{ - AssertIntEQ(UNKNOWN_SNI_HOST_NAME_E, wolfSSL_get_error(ssl, 0)); -} - -static void verify_SNI_ABSENT_on_server(WOLFSSL* ssl) -{ - AssertIntEQ(SNI_ABSENT_ERROR, wolfSSL_get_error(ssl, 0)); -} - -static void verify_SNI_no_matching(WOLFSSL* ssl) -{ - byte type = WOLFSSL_SNI_HOST_NAME; - char* request = (char*) &type; /* to be overwriten */ - - AssertIntEQ(WOLFSSL_SNI_NO_MATCH, wolfSSL_SNI_Status(ssl, type)); - AssertNotNull(request); - AssertIntEQ(0, wolfSSL_SNI_GetRequest(ssl, type, (void**) &request)); - AssertNull(request); -} - -static void verify_SNI_real_matching(WOLFSSL* ssl) -{ - byte type = WOLFSSL_SNI_HOST_NAME; - char* request = NULL; - - AssertIntEQ(WOLFSSL_SNI_REAL_MATCH, wolfSSL_SNI_Status(ssl, type)); - AssertIntEQ(15, wolfSSL_SNI_GetRequest(ssl, type, (void**) &request)); - AssertNotNull(request); - AssertStrEQ("www.wolfssl.com", request); -} - -static void verify_SNI_fake_matching(WOLFSSL* ssl) -{ - byte type = WOLFSSL_SNI_HOST_NAME; - char* request = NULL; - - AssertIntEQ(WOLFSSL_SNI_FAKE_MATCH, wolfSSL_SNI_Status(ssl, type)); - AssertIntEQ(15, wolfSSL_SNI_GetRequest(ssl, type, (void**) &request)); - AssertNotNull(request); - AssertStrEQ("ww2.wolfssl.com", request); -} - -static void verify_FATAL_ERROR_on_client(WOLFSSL* ssl) -{ - AssertIntEQ(FATAL_ERROR, wolfSSL_get_error(ssl, 0)); -} -/* END of connection tests callbacks */ - -static void test_wolfSSL_UseSNI_connection(void) -{ - unsigned long i; - callback_functions callbacks[] = { - /* success case at ctx */ - {0, use_SNI_at_ctx, 0, 0}, - {0, use_SNI_at_ctx, 0, verify_SNI_real_matching}, - - /* success case at ssl */ - {0, 0, use_SNI_at_ssl, 0}, - {0, 0, use_SNI_at_ssl, verify_SNI_real_matching}, - - /* default missmatch behavior */ - {0, 0, different_SNI_at_ssl, verify_FATAL_ERROR_on_client}, - {0, 0, use_SNI_at_ssl, verify_UNKNOWN_SNI_on_server}, - - /* continue on missmatch */ - {0, 0, different_SNI_at_ssl, 0}, - {0, 0, use_SNI_WITH_CONTINUE_at_ssl, verify_SNI_no_matching}, - - /* fake answer on missmatch */ - {0, 0, different_SNI_at_ssl, 0}, - {0, 0, use_SNI_WITH_FAKE_ANSWER_at_ssl, verify_SNI_fake_matching}, - - /* sni abort - success */ - {0, use_SNI_at_ctx, 0, 0}, - {0, use_MANDATORY_SNI_at_ctx, 0, verify_SNI_real_matching}, - - /* sni abort - abort when absent (ctx) */ - {0, 0, 0, verify_FATAL_ERROR_on_client}, - {0, use_MANDATORY_SNI_at_ctx, 0, verify_SNI_ABSENT_on_server}, - - /* sni abort - abort when absent (ssl) */ - {0, 0, 0, verify_FATAL_ERROR_on_client}, - {0, 0, use_MANDATORY_SNI_at_ssl, verify_SNI_ABSENT_on_server}, - - /* sni abort - success when overwriten */ - {0, 0, 0, 0}, - {0, use_MANDATORY_SNI_at_ctx, use_SNI_at_ssl, verify_SNI_no_matching}, - - /* sni abort - success when allowing missmatches */ - {0, 0, different_SNI_at_ssl, 0}, - {0, use_PSEUDO_MANDATORY_SNI_at_ctx, 0, verify_SNI_fake_matching}, - }; - - for (i = 0; i < sizeof(callbacks) / sizeof(callback_functions); i += 2) { - callbacks[i ].method = wolfSSLv23_client_method; - callbacks[i + 1].method = wolfSSLv23_server_method; - test_wolfSSL_client_server(&callbacks[i], &callbacks[i + 1]); - } -} - -static void test_wolfSSL_SNI_GetFromBuffer(void) -{ - byte buffer[] = { /* www.paypal.com */ - 0x00, 0x00, 0x00, 0x00, 0xff, 0x01, 0x00, 0x00, 0x60, 0x03, 0x03, 0x5c, - 0xc4, 0xb3, 0x8c, 0x87, 0xef, 0xa4, 0x09, 0xe0, 0x02, 0xab, 0x86, 0xca, - 0x76, 0xf0, 0x9e, 0x01, 0x65, 0xf6, 0xa6, 0x06, 0x13, 0x1d, 0x0f, 0xa5, - 0x79, 0xb0, 0xd4, 0x77, 0x22, 0xeb, 0x1a, 0x00, 0x00, 0x16, 0x00, 0x6b, - 0x00, 0x67, 0x00, 0x39, 0x00, 0x33, 0x00, 0x3d, 0x00, 0x3c, 0x00, 0x35, - 0x00, 0x2f, 0x00, 0x05, 0x00, 0x04, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x21, - 0x00, 0x00, 0x00, 0x13, 0x00, 0x11, 0x00, 0x00, 0x0e, 0x77, 0x77, 0x77, - 0x2e, 0x70, 0x61, 0x79, 0x70, 0x61, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x00, - 0x0d, 0x00, 0x06, 0x00, 0x04, 0x04, 0x01, 0x02, 0x01 - }; - - byte buffer2[] = { /* api.textmate.org */ - 0x16, 0x03, 0x01, 0x00, 0xc6, 0x01, 0x00, 0x00, 0xc2, 0x03, 0x03, 0x52, - 0x8b, 0x7b, 0xca, 0x69, 0xec, 0x97, 0xd5, 0x08, 0x03, 0x50, 0xfe, 0x3b, - 0x99, 0xc3, 0x20, 0xce, 0xa5, 0xf6, 0x99, 0xa5, 0x71, 0xf9, 0x57, 0x7f, - 0x04, 0x38, 0xf6, 0x11, 0x0b, 0xb8, 0xd3, 0x00, 0x00, 0x5e, 0x00, 0xff, - 0xc0, 0x24, 0xc0, 0x23, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x07, 0xc0, 0x08, - 0xc0, 0x28, 0xc0, 0x27, 0xc0, 0x14, 0xc0, 0x13, 0xc0, 0x11, 0xc0, 0x12, - 0xc0, 0x26, 0xc0, 0x25, 0xc0, 0x2a, 0xc0, 0x29, 0xc0, 0x05, 0xc0, 0x04, - 0xc0, 0x02, 0xc0, 0x03, 0xc0, 0x0f, 0xc0, 0x0e, 0xc0, 0x0c, 0xc0, 0x0d, - 0x00, 0x3d, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0x05, 0x00, 0x04, 0x00, 0x35, - 0x00, 0x0a, 0x00, 0x67, 0x00, 0x6b, 0x00, 0x33, 0x00, 0x39, 0x00, 0x16, - 0x00, 0xaf, 0x00, 0xae, 0x00, 0x8d, 0x00, 0x8c, 0x00, 0x8a, 0x00, 0x8b, - 0x00, 0xb1, 0x00, 0xb0, 0x00, 0x2c, 0x00, 0x3b, 0x01, 0x00, 0x00, 0x3b, - 0x00, 0x00, 0x00, 0x15, 0x00, 0x13, 0x00, 0x00, 0x10, 0x61, 0x70, 0x69, - 0x2e, 0x74, 0x65, 0x78, 0x74, 0x6d, 0x61, 0x74, 0x65, 0x2e, 0x6f, 0x72, - 0x67, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x17, 0x00, 0x18, 0x00, - 0x19, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0d, 0x00, 0x0c, 0x00, - 0x0a, 0x05, 0x01, 0x04, 0x01, 0x02, 0x01, 0x04, 0x03, 0x02, 0x03 - }; - - byte buffer3[] = { /* no sni extension */ - 0x16, 0x03, 0x03, 0x00, 0x4d, 0x01, 0x00, 0x00, 0x49, 0x03, 0x03, 0xea, - 0xa1, 0x9f, 0x60, 0xdd, 0x52, 0x12, 0x13, 0xbd, 0x84, 0x34, 0xd5, 0x1c, - 0x38, 0x25, 0xa8, 0x97, 0xd2, 0xd5, 0xc6, 0x45, 0xaf, 0x1b, 0x08, 0xe4, - 0x1e, 0xbb, 0xdf, 0x9d, 0x39, 0xf0, 0x65, 0x00, 0x00, 0x16, 0x00, 0x6b, - 0x00, 0x67, 0x00, 0x39, 0x00, 0x33, 0x00, 0x3d, 0x00, 0x3c, 0x00, 0x35, - 0x00, 0x2f, 0x00, 0x05, 0x00, 0x04, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x0a, - 0x00, 0x0d, 0x00, 0x06, 0x00, 0x04, 0x04, 0x01, 0x02, 0x01 - }; - - byte buffer4[] = { /* last extension has zero size */ - 0x16, 0x03, 0x01, 0x00, 0xba, 0x01, 0x00, 0x00, - 0xb6, 0x03, 0x03, 0x83, 0xa3, 0xe6, 0xdc, 0x16, 0xa1, 0x43, 0xe9, 0x45, - 0x15, 0xbd, 0x64, 0xa9, 0xb6, 0x07, 0xb4, 0x50, 0xc6, 0xdd, 0xff, 0xc2, - 0xd3, 0x0d, 0x4f, 0x36, 0xb4, 0x41, 0x51, 0x61, 0xc1, 0xa5, 0x9e, 0x00, - 0x00, 0x28, 0xcc, 0x14, 0xcc, 0x13, 0xc0, 0x2b, 0xc0, 0x2f, 0x00, 0x9e, - 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x07, 0xc0, 0x11, - 0x00, 0x33, 0x00, 0x32, 0x00, 0x39, 0x00, 0x9c, 0x00, 0x2f, 0x00, 0x35, - 0x00, 0x0a, 0x00, 0x05, 0x00, 0x04, 0x01, 0x00, 0x00, 0x65, 0xff, 0x01, - 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x17, 0x00, - 0x18, 0x00, 0x19, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, - 0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00, 0x1b, 0x00, 0x19, 0x06, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, - 0x33, 0x2e, 0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, - 0x75, 0x50, 0x00, 0x00, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x0d, 0x00, 0x12, 0x00, 0x10, 0x04, 0x01, 0x05, 0x01, 0x02, - 0x01, 0x04, 0x03, 0x05, 0x03, 0x02, 0x03, 0x04, 0x02, 0x02, 0x02, 0x00, - 0x12, 0x00, 0x00 - }; - - byte buffer5[] = { /* SSL v2.0 client hello */ - 0x00, 0x2b, 0x01, 0x03, 0x01, 0x00, 0x09, 0x00, 0x00, - /* dummy bytes bellow, just to pass size check */ - 0xb6, 0x03, 0x03, 0x83, 0xa3, 0xe6, 0xdc, 0x16, 0xa1, 0x43, 0xe9, 0x45, - 0x15, 0xbd, 0x64, 0xa9, 0xb6, 0x07, 0xb4, 0x50, 0xc6, 0xdd, 0xff, 0xc2, - 0xd3, 0x0d, 0x4f, 0x36, 0xb4, 0x41, 0x51, 0x61, 0xc1, 0xa5, 0x9e, 0x00, - }; - - byte result[32] = {0}; - word32 length = 32; - - AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buffer4, sizeof(buffer4), - 0, result, &length)); - - AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buffer3, sizeof(buffer3), - 0, result, &length)); - - AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buffer2, sizeof(buffer2), - 1, result, &length)); - - AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer, sizeof(buffer), - 0, result, &length)); - buffer[0] = 0x16; - - AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer, sizeof(buffer), - 0, result, &length)); - buffer[1] = 0x03; - - AssertIntEQ(SNI_UNSUPPORTED, wolfSSL_SNI_GetFromBuffer(buffer, - sizeof(buffer), 0, result, &length)); - buffer[2] = 0x03; - - AssertIntEQ(INCOMPLETE_DATA, wolfSSL_SNI_GetFromBuffer(buffer, - sizeof(buffer), 0, result, &length)); - buffer[4] = 0x64; - - AssertIntEQ(SSL_SUCCESS, wolfSSL_SNI_GetFromBuffer(buffer, sizeof(buffer), - 0, result, &length)); - result[length] = 0; - AssertStrEQ("www.paypal.com", (const char*) result); - - length = 32; - - AssertIntEQ(SSL_SUCCESS, wolfSSL_SNI_GetFromBuffer(buffer2, sizeof(buffer2), - 0, result, &length)); - result[length] = 0; - AssertStrEQ("api.textmate.org", (const char*) result); - - /* SSL v2.0 tests */ - AssertIntEQ(SNI_UNSUPPORTED, wolfSSL_SNI_GetFromBuffer(buffer5, - sizeof(buffer5), 0, result, &length)); - - buffer5[2] = 0x02; - AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer5, - sizeof(buffer5), 0, result, &length)); - - buffer5[2] = 0x01; buffer5[6] = 0x08; - AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer5, - sizeof(buffer5), 0, result, &length)); - - buffer5[6] = 0x09; buffer5[8] = 0x01; - AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer5, - sizeof(buffer5), 0, result, &length)); -} - -#endif /* HAVE_SNI */ - -static void test_wolfSSL_UseSNI(void) -{ -#ifdef HAVE_SNI - test_wolfSSL_UseSNI_params(); - test_wolfSSL_UseSNI_connection(); - - test_wolfSSL_SNI_GetFromBuffer(); -#endif -} - -static void test_wolfSSL_UseMaxFragment(void) -{ -#ifdef HAVE_MAX_FRAGMENT - WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - WOLFSSL *ssl = wolfSSL_new(ctx); - - AssertNotNull(ctx); - AssertNotNull(ssl); - - /* error cases */ - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(NULL, WOLFSSL_MFL_2_9)); - AssertIntNE(SSL_SUCCESS, wolfSSL_UseMaxFragment( NULL, WOLFSSL_MFL_2_9)); - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, 0)); - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, 6)); - AssertIntNE(SSL_SUCCESS, wolfSSL_UseMaxFragment(ssl, 0)); - AssertIntNE(SSL_SUCCESS, wolfSSL_UseMaxFragment(ssl, 6)); - - /* success case */ - AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_9)); - AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_10)); - AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_11)); - AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_12)); - AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_13)); - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseMaxFragment( ssl, WOLFSSL_MFL_2_9)); - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseMaxFragment( ssl, WOLFSSL_MFL_2_10)); - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseMaxFragment( ssl, WOLFSSL_MFL_2_11)); - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseMaxFragment( ssl, WOLFSSL_MFL_2_12)); - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseMaxFragment( ssl, WOLFSSL_MFL_2_13)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif -} - -static void test_wolfSSL_UseTruncatedHMAC(void) -{ -#ifdef HAVE_TRUNCATED_HMAC - WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - WOLFSSL *ssl = wolfSSL_new(ctx); - - AssertNotNull(ctx); - AssertNotNull(ssl); - - /* error cases */ - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_UseTruncatedHMAC(NULL)); - AssertIntNE(SSL_SUCCESS, wolfSSL_UseTruncatedHMAC(NULL)); - - /* success case */ - AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_UseTruncatedHMAC(ctx)); - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseTruncatedHMAC(ssl)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif -} - -static void test_wolfSSL_UseSupportedCurve(void) -{ -#ifdef HAVE_SUPPORTED_CURVES - WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - WOLFSSL *ssl = wolfSSL_new(ctx); - - AssertNotNull(ctx); - AssertNotNull(ssl); - -#ifndef NO_WOLFSSL_CLIENT - /* error cases */ - AssertIntNE(SSL_SUCCESS, - wolfSSL_CTX_UseSupportedCurve(NULL, WOLFSSL_ECC_SECP256R1)); - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_UseSupportedCurve(ctx, 0)); - - AssertIntNE(SSL_SUCCESS, - wolfSSL_UseSupportedCurve(NULL, WOLFSSL_ECC_SECP256R1)); - AssertIntNE(SSL_SUCCESS, wolfSSL_UseSupportedCurve(ssl, 0)); - - /* success case */ - AssertIntEQ(SSL_SUCCESS, - wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_SECP256R1)); - AssertIntEQ(SSL_SUCCESS, - wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP256R1)); -#endif - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif -} - -#ifdef HAVE_ALPN - -static void verify_ALPN_FATAL_ERROR_on_client(WOLFSSL* ssl) -{ - AssertIntEQ(UNKNOWN_ALPN_PROTOCOL_NAME_E, wolfSSL_get_error(ssl, 0)); -} - -static void use_ALPN_all(WOLFSSL* ssl) -{ - /* http/1.1,spdy/1,spdy/2,spdy/3 */ - char alpn_list[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x31, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x32, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, alpn_list, sizeof(alpn_list), - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); -} - -static void use_ALPN_all_continue(WOLFSSL* ssl) -{ - /* http/1.1,spdy/1,spdy/2,spdy/3 */ - char alpn_list[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x31, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x32, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, alpn_list, sizeof(alpn_list), - WOLFSSL_ALPN_CONTINUE_ON_MISMATCH)); -} - -static void use_ALPN_one(WOLFSSL* ssl) -{ - /* spdy/2 */ - char proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32}; - - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto), - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); -} - -static void use_ALPN_unknown(WOLFSSL* ssl) -{ - /* http/2.0 */ - char proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x32, 0x2e, 0x30}; - - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto), - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); -} - -static void use_ALPN_unknown_continue(WOLFSSL* ssl) -{ - /* http/2.0 */ - char proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x32, 0x2e, 0x30}; - - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto), - WOLFSSL_ALPN_CONTINUE_ON_MISMATCH)); -} - -static void verify_ALPN_not_matching_spdy3(WOLFSSL* ssl) -{ - /* spdy/3 */ - char nego_proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; - - char *proto; - word16 protoSz = 0; - - AssertIntEQ(SSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); - - /* check value */ - AssertIntNE(1, sizeof(nego_proto) == protoSz); - AssertIntNE(0, XMEMCMP(nego_proto, proto, sizeof(nego_proto))); -} - -static void verify_ALPN_not_matching_continue(WOLFSSL* ssl) -{ - char *proto = NULL; - word16 protoSz = 0; - - AssertIntEQ(SSL_ALPN_NOT_FOUND, - wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); - - /* check value */ - AssertIntEQ(1, 0 == protoSz); - AssertIntEQ(1, NULL == proto); -} - -static void verify_ALPN_matching_http1(WOLFSSL* ssl) -{ - /* http/1.1 */ - char nego_proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31}; - char *proto; - word16 protoSz = 0; - - AssertIntEQ(SSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); - - /* check value */ - AssertIntEQ(1, sizeof(nego_proto) == protoSz); - AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz)); -} - -static void verify_ALPN_matching_spdy2(WOLFSSL* ssl) -{ - /* spdy/2 */ - char nego_proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32}; - char *proto; - word16 protoSz = 0; - - AssertIntEQ(SSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); - - /* check value */ - AssertIntEQ(1, sizeof(nego_proto) == protoSz); - AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz)); -} - -static void verify_ALPN_client_list(WOLFSSL* ssl) -{ - /* http/1.1,spdy/1,spdy/2,spdy/3 */ - char alpn_list[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x31, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x32, 0x2c, - 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; - char *clist = NULL; - word16 clistSz = 0; - - AssertIntEQ(SSL_SUCCESS, wolfSSL_ALPN_GetPeerProtocol(ssl, &clist, - &clistSz)); - - /* check value */ - AssertIntEQ(1, sizeof(alpn_list) == clistSz); - AssertIntEQ(0, XMEMCMP(alpn_list, clist, clistSz)); - - AssertIntEQ(SSL_SUCCESS, wolfSSL_ALPN_FreePeerProtocol(ssl, &clist)); -} - -static void test_wolfSSL_UseALPN_connection(void) -{ - unsigned long i; - callback_functions callbacks[] = { - /* success case same list */ - {0, 0, use_ALPN_all, 0}, - {0, 0, use_ALPN_all, verify_ALPN_matching_http1}, - - /* success case only one for server */ - {0, 0, use_ALPN_all, 0}, - {0, 0, use_ALPN_one, verify_ALPN_matching_spdy2}, - - /* success case only one for client */ - {0, 0, use_ALPN_one, 0}, - {0, 0, use_ALPN_all, verify_ALPN_matching_spdy2}, - - /* success case none for client */ - {0, 0, 0, 0}, - {0, 0, use_ALPN_all, 0}, - - /* success case missmatch behavior but option 'continue' set */ - {0, 0, use_ALPN_all_continue, verify_ALPN_not_matching_continue}, - {0, 0, use_ALPN_unknown_continue, 0}, - - /* success case read protocol send by client */ - {0, 0, use_ALPN_all, 0}, - {0, 0, use_ALPN_one, verify_ALPN_client_list}, - - /* missmatch behavior with same list - * the first and only this one must be taken */ - {0, 0, use_ALPN_all, 0}, - {0, 0, use_ALPN_all, verify_ALPN_not_matching_spdy3}, - - /* default missmatch behavior */ - {0, 0, use_ALPN_all, 0}, - {0, 0, use_ALPN_unknown, verify_ALPN_FATAL_ERROR_on_client}, - }; - - for (i = 0; i < sizeof(callbacks) / sizeof(callback_functions); i += 2) { - callbacks[i ].method = wolfSSLv23_client_method; - callbacks[i + 1].method = wolfSSLv23_server_method; - test_wolfSSL_client_server(&callbacks[i], &callbacks[i + 1]); - } -} - -static void test_wolfSSL_UseALPN_params(void) -{ - /* "http/1.1" */ - char http1[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31}; - /* "spdy/1" */ - char spdy1[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x31}; - /* "spdy/2" */ - char spdy2[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32}; - /* "spdy/3" */ - char spdy3[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; - char buff[256]; - word32 idx; - - WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - WOLFSSL *ssl = wolfSSL_new(ctx); - - AssertNotNull(ctx); - AssertNotNull(ssl); - - /* error cases */ - AssertIntNE(SSL_SUCCESS, - wolfSSL_UseALPN(NULL, http1, sizeof(http1), - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); - AssertIntNE(SSL_SUCCESS, wolfSSL_UseALPN(ssl, NULL, 0, - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); - - /* success case */ - /* http1 only */ - AssertIntEQ(SSL_SUCCESS, - wolfSSL_UseALPN(ssl, http1, sizeof(http1), - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); - - /* http1, spdy1 */ - XMEMCPY(buff, http1, sizeof(http1)); - idx = sizeof(http1); - buff[idx++] = ','; - XMEMCPY(buff+idx, spdy1, sizeof(spdy1)); - idx += sizeof(spdy1); - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx, - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); - - /* http1, spdy2, spdy1 */ - XMEMCPY(buff, http1, sizeof(http1)); - idx = sizeof(http1); - buff[idx++] = ','; - XMEMCPY(buff+idx, spdy2, sizeof(spdy2)); - idx += sizeof(spdy2); - buff[idx++] = ','; - XMEMCPY(buff+idx, spdy1, sizeof(spdy1)); - idx += sizeof(spdy1); - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx, - WOLFSSL_ALPN_FAILED_ON_MISMATCH)); - - /* spdy3, http1, spdy2, spdy1 */ - XMEMCPY(buff, spdy3, sizeof(spdy3)); - idx = sizeof(spdy3); - buff[idx++] = ','; - XMEMCPY(buff+idx, http1, sizeof(http1)); - idx += sizeof(http1); - buff[idx++] = ','; - XMEMCPY(buff+idx, spdy2, sizeof(spdy2)); - idx += sizeof(spdy2); - buff[idx++] = ','; - XMEMCPY(buff+idx, spdy1, sizeof(spdy1)); - idx += sizeof(spdy1); - AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx, - WOLFSSL_ALPN_CONTINUE_ON_MISMATCH)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -} -#endif /* HAVE_ALPN */ - -static void test_wolfSSL_UseALPN(void) -{ -#ifdef HAVE_ALPN - test_wolfSSL_UseALPN_connection(); - test_wolfSSL_UseALPN_params(); -#endif -} - -static void test_wolfSSL_DisableExtendedMasterSecret(void) -{ -#ifdef HAVE_EXTENDED_MASTER - WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - WOLFSSL *ssl = wolfSSL_new(ctx); - - AssertNotNull(ctx); - AssertNotNull(ssl); - - /* error cases */ - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_DisableExtendedMasterSecret(NULL)); - AssertIntNE(SSL_SUCCESS, wolfSSL_DisableExtendedMasterSecret(NULL)); - - /* success cases */ - AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_DisableExtendedMasterSecret(ctx)); - AssertIntEQ(SSL_SUCCESS, wolfSSL_DisableExtendedMasterSecret(ssl)); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); -#endif -} - -/*----------------------------------------------------------------------------* - | X509 Tests - *----------------------------------------------------------------------------*/ -static void test_wolfSSL_X509_NAME_get_entry(void) -{ -#if !defined(NO_CERTS) && !defined(NO_RSA) -#if defined(OPENSSL_EXTRA) && (defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)) \ - && (defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE)) || defined(WOLFSSL_HAPROXY) - printf(testingFmt, "wolfSSL_X509_NAME_get_entry()"); - - { - /* use openssl like name to test mapping */ - X509_NAME_ENTRY* ne = NULL; - X509_NAME* name = NULL; - char* subCN = NULL; - X509* x509; - ASN1_STRING* asn; - int idx; - - #ifndef NO_FILESYSTEM - x509 = wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM); - AssertNotNull(x509); - - name = X509_get_subject_name(x509); - - idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1); - AssertIntGE(idx, 0); - - ne = X509_NAME_get_entry(name, idx); - AssertNotNull(ne); - - asn = X509_NAME_ENTRY_get_data(ne); - AssertNotNull(asn); - - subCN = (char*)ASN1_STRING_data(asn); - AssertNotNull(subCN); - - wolfSSL_FreeX509(x509); - #endif - - } - - printf(resultFmt, passed); -#endif /* OPENSSL_EXTRA */ -#endif /* !NO_CERTS */ -} - - -/* Testing functions dealing with PKCS12 parsing out X509 certs */ -static void test_wolfSSL_PKCS12(void) -{ - /* .p12 file is encrypted with DES3 */ -#if defined(OPENSSL_EXTRA) && !defined(NO_DES3) && !defined(NO_FILESYSTEM) && \ - !defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_RSA) - byte buffer[5300]; - char file[] = "./certs/test-servercert.p12"; - FILE *f; - int bytes, ret; - WOLFSSL_BIO *bio; - WOLFSSL_EVP_PKEY *pkey; - WC_PKCS12 *pkcs12; - WOLFSSL_X509 *cert; - WOLFSSL_X509 *tmp; - STACK_OF(WOLFSSL_X509) *ca; - - printf(testingFmt, "wolfSSL_PKCS12()"); - - f = fopen(file, "rb"); - AssertNotNull(f); - bytes = (int)fread(buffer, 1, sizeof(buffer), f); - fclose(f); - - bio = BIO_new_mem_buf((void*)buffer, bytes); - AssertNotNull(bio); - - pkcs12 = d2i_PKCS12_bio(bio, NULL); - AssertNotNull(pkcs12); - PKCS12_free(pkcs12); - - d2i_PKCS12_bio(bio, &pkcs12); - AssertNotNull(pkcs12); - - /* check verify MAC fail case */ - ret = PKCS12_parse(pkcs12, "bad", &pkey, &cert, NULL); - AssertIntEQ(ret, 0); - AssertNull(pkey); - AssertNull(cert); - - /* check parse with no extra certs kept */ - ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, NULL); - AssertIntEQ(ret, 1); - AssertNotNull(pkey); - AssertNotNull(cert); - - wolfSSL_EVP_PKEY_free(pkey); - wolfSSL_X509_free(cert); - - /* check parse with extra certs kept */ - ret = PKCS12_parse(pkcs12, "wolfSSL test", &pkey, &cert, &ca); - AssertIntEQ(ret, 1); - AssertNotNull(pkey); - AssertNotNull(cert); - AssertNotNull(ca); - - /* should be 2 other certs on stack */ - tmp = sk_X509_pop(ca); - AssertNotNull(tmp); - X509_free(tmp); - tmp = sk_X509_pop(ca); - AssertNotNull(tmp); - X509_free(tmp); - AssertNull(sk_X509_pop(ca)); - - EVP_PKEY_free(pkey); - X509_free(cert); - BIO_free(bio); - PKCS12_free(pkcs12); - sk_X509_free(ca); - - printf(resultFmt, passed); -#endif /* OPENSSL_EXTRA */ -} - - -/* Testing function wolfSSL_CTX_SetMinVersion; sets the minimum downgrade - * version allowed. - * POST: 1 on success. - */ -static int test_wolfSSL_CTX_SetMinVersion(void) -{ - WOLFSSL_CTX* ctx; - int failFlag, itr; - - #ifndef NO_OLD_TLS - const int versions[] = { WOLFSSL_TLSV1, WOLFSSL_TLSV1_1, - WOLFSSL_TLSV1_2 }; - #else - const int versions[] = { WOLFSSL_TLSV1_2 }; - #endif - - failFlag = SSL_SUCCESS; - - AssertTrue(wolfSSL_Init()); - ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()); - - printf(testingFmt, "wolfSSL_CTX_SetMinVersion()"); - - for (itr = 0; itr < (int)(sizeof(versions)/sizeof(int)); itr++){ - if(wolfSSL_CTX_SetMinVersion(ctx, *(versions + itr)) != SSL_SUCCESS){ - failFlag = SSL_FAILURE; - } - } - - printf(resultFmt, failFlag == SSL_SUCCESS ? passed : failed); - - wolfSSL_CTX_free(ctx); - AssertTrue(wolfSSL_Cleanup()); - - return failFlag; - -} /* END test_wolfSSL_CTX_SetMinVersion */ - - -/*----------------------------------------------------------------------------* - | OCSP Stapling - *----------------------------------------------------------------------------*/ - - -/* Testing wolfSSL_UseOCSPStapling function. OCSP stapling eliminates the need - * need to contact the CA, lowering the cost of cert revocation checking. - * PRE: HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST - * POST: 1 returned for success. - */ -static int test_wolfSSL_UseOCSPStapling(void) -{ - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && defined(HAVE_OCSP) - int ret; - WOLFSSL_CTX* ctx; - WOLFSSL* ssl; - - wolfSSL_Init(); - ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()); - ssl = wolfSSL_new(ctx); - printf(testingFmt, "wolfSSL_UseOCSPStapling()"); - - ret = wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR2_OCSP, - WOLFSSL_CSR2_OCSP_USE_NONCE); - - printf(resultFmt, ret == SSL_SUCCESS ? passed : failed); - - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - - if(ret != SSL_SUCCESS){ - wolfSSL_Cleanup(); - return SSL_FAILURE; - } - - return wolfSSL_Cleanup(); - #else - return SSL_SUCCESS; - #endif - -} /*END test_wolfSSL_UseOCSPStapling */ - - -/* Testing OCSP stapling version 2, wolfSSL_UseOCSPStaplingV2 funciton. OCSP - * stapling eliminates the need ot contact the CA and lowers cert revocation - * check. - * PRE: HAVE_CERTIFICATE_STATUS_REQUEST_V2 and HAVE_OCSP defined. - */ -static int test_wolfSSL_UseOCSPStaplingV2 (void) -{ - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && defined(HAVE_OCSP) - int ret; - WOLFSSL_CTX* ctx; - WOLFSSL* ssl; - - wolfSSL_Init(); - ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()); - ssl = wolfSSL_new(ctx); - printf(testingFmt, "wolfSSL_UseOCSPStaplingV2()"); - - ret = wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP, - WOLFSSL_CSR2_OCSP_USE_NONCE ); - - printf(resultFmt, ret == SSL_SUCCESS ? passed : failed); - - wolfSSL_free(ssl); - wolfSSL_CTX_free(ctx); - - if (ret != SSL_SUCCESS){ - wolfSSL_Cleanup(); - return SSL_FAILURE; - } - - return wolfSSL_Cleanup(); - #else - return SSL_SUCCESS; - #endif - -} /*END test_wolfSSL_UseOCSPStaplingV2*/ - -/*----------------------------------------------------------------------------* - | Wolfcrypt - *----------------------------------------------------------------------------*/ - -/* - * Unit test for the wc_InitMd5() - */ -static int test_wc_InitMd5 (void) -{ -#ifndef NO_MD5 - - Md5 md5; - int ret, flag; - - printf(testingFmt, "wc_InitMd5()"); - - flag = 0; - - /* Test good arg. */ - ret = wc_InitMd5(&md5); - if (ret != 0) { - flag = SSL_FATAL_ERROR; - } - - /* Test bad arg. */ - if (!flag) { - ret = wc_InitMd5(NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; -} /* END test_wc_InitMd5 */ - -/* - * Unit test for the wc_InitSha() - */ -static int test_wc_InitSha(void) -{ -#ifndef NO_SHA - Sha sha; - int ret, flag; - - flag = 0; - - printf(testingFmt, "wc_InitSha()"); - - /* Test good arg. */ - ret = wc_InitSha(&sha); - if (ret != 0) { - flag = SSL_FATAL_ERROR; - } - - /* Test bad arg. */ - if (!flag) { - ret = wc_InitSha(NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; - -} /* END test_wc_InitSha */ - -/* - * Unit test for wc_InitSha256() - */ -static int test_wc_InitSha256 (void) -{ -#ifndef NO_SHA256 - Sha256 sha256; - int ret, flag; - - flag = 0; - - printf(testingFmt, "wc_InitSha256()"); - - /* Test good arg. */ - ret = wc_InitSha256(&sha256); - if (ret != 0) { - flag = SSL_FATAL_ERROR; - } - - /* Test bad arg. */ - if (!flag) { - ret = wc_InitSha256(NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; -} /* END test_wc_InitSha256 */ - - -/* - * Testing wc_InitSha512() - */ -static int test_wc_InitSha512 (void) -{ -#ifdef WOLFSSL_SHA512 - Sha512 sha512; - int ret, flag; - - flag = 0; - - printf(testingFmt, "wc_InitSha512()"); - - /* Test good arg. */ - ret = wc_InitSha512(&sha512); - if (ret != 0) { - flag = SSL_FATAL_ERROR; - } - - /* Test bad arg. */ - if (!flag) { - ret = wc_InitSha512(NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; - -} /* END test_wc_InitSha512 */ - -/* - * Testing wc_InitSha384() - */ -static int test_wc_InitSha384 (void) -{ -#ifdef WOLFSSL_SHA384 - Sha384 sha384; - int ret, flag; - - flag = 0; - - printf(testingFmt, "wc_InitSha384()"); - - /* Test good arg. */ - ret = wc_InitSha384(&sha384); - if (ret != 0) { - flag = SSL_FATAL_ERROR; - } - - /* Test bad arg. */ - if (!flag) { - ret = wc_InitSha384(NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; -} /* END test_wc_InitSha384 */ - -/* - * Testing wc_InitSha224(); - */ -static int test_wc_InitSha224 (void) -{ -#ifdef WOLFSSL_SHA224 - Sha224 sha224; - int ret, flag; - - flag = 0; - - printf(testingFmt, "wc_InitSha224()"); - - /* Test good arg. */ - ret = wc_InitSha224(&sha224); - if (ret != 0) { - flag = SSL_FATAL_ERROR; - } - - /* Test bad arg. */ - if (!flag) { - ret = wc_InitSha224(NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; -} /* END test_wc_InitSha224 */ - - -/* - * Testing wc_InitRipeMd() - */ -static int test_wc_InitRipeMd (void) -{ -#ifdef WOLFSSL_RIPEMD - RipeMd ripemd; - int ret, flag; - - flag = 0; - - printf(testingFmt, "wc_InitRipeMd()"); - - /* Test good arg. */ - ret = wc_InitRipeMd(&ripemd); - if (ret != 0) { - flag = SSL_FATAL_ERROR; - } - - /* Test bad arg. */ - if (!flag) { - ret = wc_InitRipeMd(NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; - -} /* END test_wc_InitRipeMd */ - -/* - * Testing wc_UpdateMd5() - */ -static int test_wc_Md5Update (void) -{ - -#ifndef NO_MD5 - Md5 md5; - byte hash[MD5_DIGEST_SIZE]; - testVector a, b, c; - int ret, flag; - - flag = 0; - - ret = wc_InitMd5(&md5); - if (ret != 0) { - flag = ret; - } - - printf(testingFmt, "wc_Md5Update()"); - - /* Input */ - if (!flag) { - a.input = "a"; - a.inLen = XSTRLEN(a.input); - } - - if (!flag){ - ret = wc_Md5Update(&md5, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - ret = wc_Md5Final(&md5, hash); - if (ret != 0) { - flag = ret; - } - } - - /* Update input. */ - if (!flag) { - a.input = "abc"; - a.output = "\x90\x01\x50\x98\x3c\xd2\x4f\xb0\xd6\x96\x3f\x7d\x28\xe1\x7f" - "\x72"; - a.inLen = XSTRLEN(a.input); - a.outLen = XSTRLEN(a.output); - - ret = wc_Md5Update(&md5, (byte*) a.input, (word32) a.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - ret = wc_Md5Final(&md5, hash); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - if (XMEMCMP(hash, a.output, MD5_DIGEST_SIZE) != 0) { - flag = SSL_FATAL_ERROR; - } - } - - /*Pass in bad values. */ - if (!flag) { - b.input = NULL; - b.inLen = 0; - - ret = wc_Md5Update(&md5, (byte*)b.input, (word32)b.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - c.input = NULL; - c.inLen = MD5_DIGEST_SIZE; - - ret = wc_Md5Update(&md5, (byte*)c.input, (word32)c.inLen); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_Md5Update(NULL, (byte*)a.input, (word32)a.inLen); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; -} /* END test_wc_Md5Update() */ - -/* - * Tesing wc_ShaUpdate() - */ -static int test_wc_ShaUpdate (void) -{ - -#ifndef NO_SHA - Sha sha; - byte hash[SHA_DIGEST_SIZE]; - testVector a, b, c; - int ret, flag; - - flag = 0; - - ret = wc_InitSha(&sha); - if (ret != 0) { - flag = ret; - } - - printf(testingFmt, "wc_ShaUpdate()"); - - /* Input. */ - if (!flag) { - a.input = "a"; - a.inLen = XSTRLEN(a.input); - } - - if (!flag) { - ret = wc_ShaUpdate(&sha, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - ret = wc_ShaFinal(&sha, hash); - if (ret != 0) { - flag = ret; - } - } - - /* Update input. */ - if (!flag) { - a.input = "abc"; - a.output = "\xA9\x99\x3E\x36\x47\x06\x81\x6A\xBA\x3E\x25\x71\x78\x50\xC2" - "\x6C\x9C\xD0\xD8\x9D"; - a.inLen = XSTRLEN(a.input); - a.outLen = XSTRLEN(a.output); - - ret = wc_ShaUpdate(&sha, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - ret = wc_ShaFinal(&sha, hash); - if (ret !=0) { - flag = ret; - } - } - - if (!flag) { - if (XMEMCMP(hash, a.output, SHA_DIGEST_SIZE) != 0) { - flag = SSL_FATAL_ERROR; - } - } - - /* Try passing in bad values. */ - if (!flag) { - b.input = NULL; - b.inLen = 0; - - ret = wc_ShaUpdate(&sha, (byte*)b.input, (word32)b.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - c.input = NULL; - c.inLen = SHA_DIGEST_SIZE; - - ret = wc_ShaUpdate(&sha, (byte*)c.input, (word32)c.inLen); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_ShaUpdate(NULL, (byte*)a.input, (word32)a.inLen); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - /* If not returned then the unit test passed test vectors. */ - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; - -} /* END test_wc_ShaUpdate() */ - - -/* - * Unit test for wc_Sha256Update() - */ -static int test_wc_Sha256Update (void) -{ -#ifndef NO_SHA256 - Sha256 sha256; - byte hash[SHA256_DIGEST_SIZE]; - testVector a, b, c; - int ret, flag; - - flag = 0; - - ret = wc_InitSha256(&sha256); - if (ret != 0) { - flag = ret; - } - - printf(testingFmt, "wc_Sha256Update()"); - - /* Input. */ - if (!flag) { - a.input = "a"; - a.inLen = XSTRLEN(a.input); - } - - if (!flag) { - ret = wc_Sha256Update(&sha256, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - ret = wc_Sha256Final(&sha256, hash); - if (ret != 0) { - flag = ret; - } - } - - /* Update input. */ - if (!flag) { - a.input = "abc"; - a.output = "\xBA\x78\x16\xBF\x8F\x01\xCF\xEA\x41\x41\x40\xDE\x5D\xAE\x22" - "\x23\xB0\x03\x61\xA3\x96\x17\x7A\x9C\xB4\x10\xFF\x61\xF2\x00" - "\x15\xAD"; - a.inLen = XSTRLEN(a.input); - a.outLen = XSTRLEN(a.output); - - ret = wc_Sha256Update(&sha256, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - ret = wc_Sha256Final(&sha256, hash); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - if (XMEMCMP(hash, a.output, SHA256_DIGEST_SIZE) != 0) { - flag = SSL_FATAL_ERROR; - } - } - - /* Try passing in bad values */ - if (!flag) { - b.input = NULL; - b.inLen = 0; - - ret = wc_Sha256Update(&sha256, (byte*)b.input, (word32)b.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - c.input = NULL; - c.inLen = SHA256_DIGEST_SIZE; - - ret = wc_Sha256Update(&sha256, (byte*)c.input, (word32)c.inLen); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_Sha256Update(NULL, (byte*)a.input, (word32)a.inLen); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - /* If not returned then the unit test passed. */ - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; - -} /* END test_wc_Sha256Update */ - -/* - * test wc_Sha384Update() - */ -static int test_wc_Sha384Update (void) -{ - -#ifdef WOLFSSL_SHA384 - Sha384 sha384; - byte hash[SHA384_DIGEST_SIZE]; - testVector a, b, c; - int ret, flag; - - flag = 0; - - ret = wc_InitSha384(&sha384); - if (ret != 0) { - flag = ret; - } - - printf(testingFmt, "wc_Sha384Update()"); - - /* Input */ - if (!flag) { - a.input = "a"; - a.inLen = XSTRLEN(a.input); - } - - if (!flag) { - ret = wc_Sha384Update(&sha384, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - ret = wc_Sha384Final(&sha384, hash); - if (ret != 0) { - flag = ret; - } - } - - /* Update input. */ - if (!flag) { - a.input = "abc"; - a.output = "\xcb\x00\x75\x3f\x45\xa3\x5e\x8b\xb5\xa0\x3d\x69\x9a\xc6\x50" - "\x07\x27\x2c\x32\xab\x0e\xde\xd1\x63\x1a\x8b\x60\x5a\x43\xff" - "\x5b\xed\x80\x86\x07\x2b\xa1\xe7\xcc\x23\x58\xba\xec\xa1\x34" - "\xc8\x25\xa7"; - a.inLen = XSTRLEN(a.input); - a.outLen = XSTRLEN(a.output); - - ret = wc_Sha384Update(&sha384, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - ret = wc_Sha384Final(&sha384, hash); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - if (XMEMCMP(hash, a.output, SHA384_DIGEST_SIZE) != 0) { - flag = SSL_FATAL_ERROR; - } - } - - /* Pass in bad values. */ - if (!flag) { - b.input = NULL; - b.inLen = 0; - - ret = wc_Sha384Update(&sha384, (byte*)b.input, (word32)b.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - c.input = NULL; - c.inLen = SHA384_DIGEST_SIZE; - - ret = wc_Sha384Update(&sha384, (byte*)c.input, (word32)c.inLen); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_Sha384Update(NULL, (byte*)a.input, (word32)a.inLen); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - /* If not returned then the unit test passed test vectors. */ - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; -} /* END test_wc_Sha384Update */ - -/* - * Testing wc_RipeMdUpdate() - */ -static int test_wc_RipeMdUpdate (void) -{ - -#ifdef WOLFSSL_RIPEMD - RipeMd ripemd; - byte hash[RIPEMD_DIGEST_SIZE]; - testVector a, b, c; - int ret, flag; - - flag = 0; - - ret = wc_InitRipeMd(&ripemd); - if (ret != 0) { - flag = ret; - } - - printf(testingFmt, "wc_RipeMdUpdate()"); - - /* Input */ - if (!flag) { - a.input = "a"; - a.inLen = XSTRLEN(a.input); - } - - if (!flag) { - ret = wc_RipeMdUpdate(&ripemd, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - ret = wc_RipeMdFinal(&ripemd, hash); - if (ret != 0) { - flag = ret; - } - } - - /* Update input. */ - if (!flag) { - a.input = "abc"; - a.output = "\x8e\xb2\x08\xf7\xe0\x5d\x98\x7a\x9b\x04\x4a\x8e\x98\xc6" - "\xb0\x87\xf1\x5a\x0b\xfc"; - a.inLen = XSTRLEN(a.input); - a.outLen = XSTRLEN(a.output); - - ret = wc_RipeMdUpdate(&ripemd, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - ret = wc_RipeMdFinal(&ripemd, hash); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - if (XMEMCMP(hash, a.output, RIPEMD_DIGEST_SIZE) != 0) { - flag = SSL_FATAL_ERROR; - } - } - - /* Pass in bad values. */ - if (!flag) { - b.input = NULL; - b.inLen = 0; - - ret = wc_RipeMdUpdate(&ripemd, (byte*)b.input, (word32)b.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - c.input = NULL; - c.inLen = RIPEMD_DIGEST_SIZE; - - ret = wc_RipeMdUpdate(&ripemd, (byte*)c.input, (word32)c.inLen); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_RipeMdUpdate(NULL, (byte*)a.input, (word32)a.inLen); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; - -} /* END test_wc_RipeMdUdpate */ - -/* - * wc_Sha512Update() test. - */ -static int test_wc_Sha512Update (void) -{ - -#ifdef WOLFSSL_SHA512 - Sha512 sha512; - byte hash[SHA512_DIGEST_SIZE]; - testVector a, b, c; - int ret, flag; - - flag = 0; - - ret = wc_InitSha512(&sha512); - if (ret != 0) { - flag = ret; - } - - printf(testingFmt, "wc_Sha512Update()"); - - /* Input. */ - if (!flag) { - a.input = "a"; - a.inLen = XSTRLEN(a.input); - } - - if (!flag) { - ret = wc_Sha512Update(&sha512, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - ret = wc_Sha512Final(&sha512, hash); - if (ret != 0) { - flag = ret; - } - } - - /* Update input. */ - if (!flag) { - a.input = "abc"; - a.output = "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41" - "\x31\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b" - "\x55\xd3\x9a\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c" - "\x23\xa3\xfe\xeb\xbd\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a" - "\x9a\xc9\x4f\xa5\x4c\xa4\x9f"; - a.inLen = XSTRLEN(a.input); - a.outLen = XSTRLEN(a.output); - - ret = wc_Sha512Update(&sha512, (byte*) a.input, (word32) a.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - ret = wc_Sha512Final(&sha512, hash); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - if (XMEMCMP(hash, a.output, SHA512_DIGEST_SIZE) != 0) { - flag = SSL_FATAL_ERROR; - } - } - - /* Try passing in bad values */ - if (!flag) { - b.input = NULL; - b.inLen = 0; - - ret = wc_Sha512Update(&sha512, (byte*)b.input, (word32)b.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - c.input = NULL; - c.inLen = SHA512_DIGEST_SIZE; - - ret = wc_Sha512Update(&sha512, (byte*)c.input, (word32)c.inLen); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_Sha512Update(NULL, (byte*)a.input, (word32)a.inLen); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - /* If not returned then the unit test passed test vectors. */ - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; - -} /* END test_wc_Sha512Update */ - -/* - * Unit test on wc_Sha224Update - */ -static int test_wc_Sha224Update (void) -{ -#ifdef WOLFSSL_SHA224 - Sha224 sha224; - byte hash[SHA224_DIGEST_SIZE]; - testVector a, b, c; - int ret, flag; - - flag = 0; - - ret = wc_InitSha224(&sha224); - if (ret != 0) { - flag = ret; - } - - printf(testingFmt, "wc_Sha224Update()"); - - /* Input. */ - if (!flag) { - a.input = "a"; - a.inLen = XSTRLEN(a.input); - } - - if (!flag) { - ret = wc_Sha224Update(&sha224, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - ret = wc_Sha224Final(&sha224, hash); - if (ret != 0) { - flag = ret; - } - } - - /* Update input. */ - if (!flag) { - a.input = "abc"; - a.output = "\x23\x09\x7d\x22\x34\x05\xd8\x22\x86\x42\xa4\x77\xbd\xa2" - "\x55\xb3\x2a\xad\xbc\xe4\xbd\xa0\xb3\xf7\xe3\x6c\x9d\xa7"; - a.inLen = XSTRLEN(a.input); - a.outLen = XSTRLEN(a.output); - - ret = wc_Sha224Update(&sha224, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - ret = wc_Sha224Final(&sha224, hash); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - if (XMEMCMP(hash, a.output, SHA224_DIGEST_SIZE) != 0) { - flag = SSL_FATAL_ERROR; - } - } - - /* Pass in bad values. */ - if (!flag) { - b.input = NULL; - b.inLen = 0; - - ret = wc_Sha224Update(&sha224, (byte*)b.input, (word32)b.inLen); - if (ret != 0) { - flag = ret; - } - } - - if (!flag) { - c.input = NULL; - c.inLen = SHA224_DIGEST_SIZE; - - ret = wc_Sha224Update(&sha224, (byte*)c.input, (word32)c.inLen); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_Sha224Update(NULL, (byte*)a.input, (word32)a.inLen); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - /* If not returned then the unit test passed test vectors. */ - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; - -} /* END test_wc_Sha224Update */ - -/* - * Unit test on wc_Md5Final() in wolfcrypt/src/md5.c - */ -static int test_wc_Md5Final (void) -{ - -#ifndef NO_MD5 - /* Instantiate */ - Md5 md5; - byte* hash_test[3]; - byte hash1[MD5_DIGEST_SIZE]; - byte hash2[2*MD5_DIGEST_SIZE]; - byte hash3[5*MD5_DIGEST_SIZE]; - int times, i, flag, ret; - - flag = 0; - - /* Initialize */ - ret = wc_InitMd5(&md5); - if (ret != 0) { - flag = ret; - } - - if (!flag) { - hash_test[0] = hash1; - hash_test[1] = hash2; - hash_test[2] = hash3; - } - - times = sizeof(hash_test)/sizeof(byte*); - - /* Test good args. */ - printf(testingFmt, "wc_Md5Final()"); - - for (i = 0; i < times; i++) { - if (!flag) { - ret = wc_Md5Final(&md5, hash_test[i]); - if (ret != 0) { - flag = SSL_FATAL_ERROR; - } - } - } - - /* Test bad args. */ - if (!flag) { - ret = wc_Md5Final(NULL, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_Md5Final(NULL, hash1); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_Md5Final(&md5, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; -} - -/* - * Unit test on wc_ShaFinal - */ -static int test_wc_ShaFinal (void) -{ -#ifndef NO_SHA - Sha sha; - byte* hash_test[3]; - byte hash1[SHA_DIGEST_SIZE]; - byte hash2[2*SHA_DIGEST_SIZE]; - byte hash3[5*SHA_DIGEST_SIZE]; - int times, i, ret, flag; - - flag = 0; - - /*Initialize*/ - ret = wc_InitSha(&sha); - if (ret) { - flag = ret; - } - - if (!flag) { - hash_test[0] = hash1; - hash_test[1] = hash2; - hash_test[2] = hash3; - } - - times = sizeof(hash_test)/sizeof(byte*); - - /* Good test args. */ - printf(testingFmt, "wc_ShaFinal()"); - - for (i = 0; i < times; i++) { - if (!flag) { - ret = wc_ShaFinal(&sha, hash_test[i]); - if (ret != 0) { - flag = SSL_FATAL_ERROR; - } - } - } - - /* Test bad args. */ - if (!flag) { - ret = wc_ShaFinal(NULL, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_ShaFinal(NULL, hash1); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_ShaFinal(&sha, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; -} /* END test_wc_ShaFinal */ - -/* - * Unit test function for wc_Sha256Final() - */ -static int test_wc_Sha256Final (void) -{ -#ifndef NO_SHA256 - Sha256 sha256; - byte* hash_test[3]; - byte hash1[SHA256_DIGEST_SIZE]; - byte hash2[2*SHA256_DIGEST_SIZE]; - byte hash3[5*SHA256_DIGEST_SIZE]; - int times, i, ret, flag; - - flag = 0; - - /* Initialize */ - ret = wc_InitSha256(&sha256); - if (ret != 0) { - flag = ret; - } - - if (!flag) { - hash_test[0] = hash1; - hash_test[1] = hash2; - hash_test[2] = hash3; - } - - times = sizeof(hash_test) / sizeof(byte*); - - /* Good test args. */ - printf(testingFmt, "wc_Sha256Final()"); - - for (i = 0; i < times; i++) { - if (!flag) { - ret = wc_Sha256Final(&sha256, hash_test[i]); - if (ret != 0) { - flag = SSL_FATAL_ERROR; - } - } - } - - /* Test bad args. */ - if (!flag ) { - ret = wc_Sha256Final(NULL, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_Sha256Final(NULL, hash1); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_Sha256Final(&sha256, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; - -} /* END test_wc_Sha256Final */ - -/* - * Unit test function for wc_Sha512Final() - */ -static int test_wc_Sha512Final (void) -{ -#ifdef WOLFSSL_SHA512 - Sha512 sha512; - byte* hash_test[3]; - byte hash1[SHA512_DIGEST_SIZE]; - byte hash2[2*SHA512_DIGEST_SIZE]; - byte hash3[5*SHA512_DIGEST_SIZE]; - int times, i, ret, flag; - - flag = 0; - - /* Initialize */ - ret = wc_InitSha512(&sha512); - if (ret != 0) { - flag = ret; - } - - if (!flag) { - hash_test[0] = hash1; - hash_test[1] = hash2; - hash_test[2] = hash3; - } - - times = sizeof(hash_test) / sizeof(byte *); - - /* Good test args. */ - printf(testingFmt, "wc_Sha512Final()"); - - for (i = 0; i < times; i++) { - if (!flag) { - ret = wc_Sha512Final(&sha512, hash_test[i]); - if (ret != 0) { - flag = SSL_FATAL_ERROR; - } - } - } - /* Test bad args. */ - if (!flag) { - ret = wc_Sha512Final(NULL, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - - if (!flag) {} - ret = wc_Sha512Final(NULL, hash1); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_Sha512Final(&sha512, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; -} /* END test_wc_Sha512Final */ - -/* - * Unit test functionf or wc_Sha384Final(); - */ -static int test_wc_Sha384Final (void) -{ -#ifdef WOLFSSL_SHA384 - Sha384 sha384; - byte* hash_test[3]; - byte hash1[SHA384_DIGEST_SIZE]; - byte hash2[2*SHA384_DIGEST_SIZE]; - byte hash3[5*SHA384_DIGEST_SIZE]; - int times, i, ret, flag; - - flag = 0; - - /* Initialize */ - ret = wc_InitSha384(&sha384); - if (ret) { - flag = ret; - } - - if (!flag) { - hash_test[0] = hash1; - hash_test[1] = hash2; - hash_test[2] = hash3; - } - - times = sizeof(hash_test) / sizeof(byte*); - - /* Good test args. */ - printf(testingFmt, "wc_Sha384Final()"); - - for (i = 0; i < times; i++) { - if (!flag) { - ret = wc_Sha384Final(&sha384, hash_test[i]); - if (ret != 0) { - flag = SSL_FATAL_ERROR; - } - } - } - - /* Test bad args. */ - if (!flag) { - ret = wc_Sha384Final(NULL, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_Sha384Final(NULL, hash1); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_Sha384Final(&sha384, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; - -} /* END test_wc_Sha384Final */ - -/* - * Unit test function for wc_RipeMdFinal() - */ -static int test_wc_RipeMdFinal (void) -{ -#ifdef WOLFSSL_RIPEMD - RipeMd ripemd; - byte* hash_test[3]; - byte hash1[RIPEMD_DIGEST_SIZE]; - byte hash2[2*RIPEMD_DIGEST_SIZE]; - byte hash3[5*RIPEMD_DIGEST_SIZE]; - int times, i, ret, flag; - - flag = 0; - - /* Initialize */ - ret = wc_InitRipeMd(&ripemd); - if (ret != 0) { - flag = ret; - } - - if (!flag) { - hash_test[0] = hash1; - hash_test[1] = hash2; - hash_test[2] = hash3; - } - - times = sizeof(hash_test) / sizeof(byte*); - - /* Good test args. */ - printf(testingFmt, "wc_RipeMdFinal()"); - /* Testing oversized buffers. */ - for (i = 0; i < times; i++) { - if (!flag) { - ret = wc_RipeMdFinal(&ripemd, hash_test[i]); - if (ret != 0) { - flag = SSL_FATAL_ERROR; - } - } - } - - /* Test bad args. */ - if (!flag) { - ret = wc_RipeMdFinal(NULL, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_RipeMdFinal(NULL, hash1); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_RipeMdFinal(&ripemd, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; -} /* END test_wc_RipeMdFinal */ - -/* - * Unit test for wc_Sha224Final(); - */ -static int test_wc_Sha224Final (void) -{ -#ifdef WOLFSSL_SHA224 - Sha224 sha224; - byte* hash_test[3]; - byte hash1[SHA224_DIGEST_SIZE]; - byte hash2[2*SHA224_DIGEST_SIZE]; - byte hash3[5*SHA224_DIGEST_SIZE]; - int times, i, ret, flag; - - flag = 0; - - /* Initialize */ - ret = wc_InitSha224(&sha224); - if (ret) { - flag = ret; - } - - if (!flag) { - hash_test[0] = hash1; - hash_test[1] = hash2; - hash_test[2] = hash3; - } - - times = sizeof(hash_test) / sizeof(byte*); - - /* Good test args. */ - printf(testingFmt, "wc_sha224Final()"); - /* Testing oversized buffers. */ - for (i = 0; i < times; i++) { - if (!flag) { - ret = wc_Sha224Final(&sha224, hash_test[i]); - if (ret != 0) { - flag = SSL_FATAL_ERROR; - } - } - } - - /* Test bad args. */ - if (!flag) { - ret = wc_Sha224Final(NULL, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_Sha224Final(NULL, hash1); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - if (!flag) { - ret = wc_Sha224Final(&sha224, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR; - } - } - - printf(resultFmt, flag == 0 ? passed : failed); - -#endif - return 0; -} /* END test_wc_Sha224Final */ - - -/*----------------------------------------------------------------------------* - | Compatibility Tests - *----------------------------------------------------------------------------*/ - - -static void test_wolfSSL_DES(void) -{ - #if defined(OPENSSL_EXTRA) && !defined(NO_DES3) - const_DES_cblock myDes; - DES_key_schedule key; - word32 i; - - printf(testingFmt, "wolfSSL_DES()"); - - DES_check_key(1); - DES_set_key(&myDes, &key); - - /* check, check of odd parity */ - XMEMSET(key, 4, sizeof(DES_key_schedule)); key[0] = 3; /*set even parity*/ - XMEMSET(myDes, 5, sizeof(const_DES_cblock)); - AssertIntEQ(DES_set_key_checked(&myDes, &key), -1); - AssertIntNE(key[0], myDes[0]); /* should not have copied over key */ - - /* set odd parity for success case */ - key[0] = 4; - AssertIntEQ(DES_set_key_checked(&myDes, &key), 0); - for (i = 0; i < sizeof(DES_key_schedule); i++) { - AssertIntEQ(key[i], myDes[i]); - } - - /* check weak key */ - XMEMSET(key, 1, sizeof(DES_key_schedule)); - XMEMSET(myDes, 5, sizeof(const_DES_cblock)); - AssertIntEQ(DES_set_key_checked(&myDes, &key), -2); - AssertIntNE(key[0], myDes[0]); /* should not have copied over key */ - - /* now do unchecked copy of a weak key over */ - DES_set_key_unchecked(&myDes, &key); - /* compare arrays, should be the same */ - for (i = 0; i < sizeof(DES_key_schedule); i++) { - AssertIntEQ(key[i], myDes[i]); - } - - printf(resultFmt, passed); - #endif /* defined(OPENSSL_EXTRA) && !defined(NO_DES3) */ -} - - -static void test_wolfSSL_certs(void) -{ - #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - X509* x509; - WOLFSSL* ssl; - WOLFSSL_CTX* ctx; - STACK_OF(ASN1_OBJECT)* sk; - int crit; - - printf(testingFmt, "wolfSSL_certs()"); - - AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); - AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); - AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - AssertNotNull(ssl = SSL_new(ctx)); - - AssertIntEQ(wolfSSL_check_private_key(ssl), SSL_SUCCESS); - - #ifdef HAVE_PK_CALLBACKS - AssertIntEQ((int)SSL_set_tlsext_debug_arg(ssl, NULL), SSL_SUCCESS); - #endif /* HAVE_PK_CALLBACKS */ - - /* create and use x509 */ - x509 = wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM); - AssertNotNull(x509); - AssertIntEQ(SSL_use_certificate(ssl, x509), SSL_SUCCESS); - - #ifndef HAVE_USER_RSA - /* with loading in a new cert the check on private key should now fail */ - AssertIntNE(wolfSSL_check_private_key(ssl), SSL_SUCCESS); - #endif - - - #if defined(USE_CERT_BUFFERS_2048) - AssertIntEQ(SSL_use_certificate_ASN1(ssl, - (unsigned char*)server_cert_der_2048, - sizeof_server_cert_der_2048), SSL_SUCCESS); - #endif - - #if !defined(NO_SHA) && !defined(NO_SHA256) - /************* Get Digest of Certificate ******************/ - { - byte digest[64]; /* max digest size */ - word32 digestSz; - - XMEMSET(digest, 0, sizeof(digest)); - AssertIntEQ(X509_digest(x509, wolfSSL_EVP_sha1(), digest, &digestSz), - SSL_SUCCESS); - AssertIntEQ(X509_digest(x509, wolfSSL_EVP_sha256(), digest, &digestSz), - SSL_SUCCESS); - - AssertIntEQ(X509_digest(NULL, wolfSSL_EVP_sha1(), digest, &digestSz), - SSL_FAILURE); - } - #endif /* !NO_SHA && !NO_SHA256*/ - - /* test and checkout X509 extensions */ - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_basic_constraints, - &crit, NULL); - AssertNotNull(sk); - AssertIntEQ(crit, 0); - wolfSSL_sk_ASN1_OBJECT_free(sk); - - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_key_usage, - &crit, NULL); - /* AssertNotNull(sk); NID not yet supported */ - AssertIntEQ(crit, -1); - wolfSSL_sk_ASN1_OBJECT_free(sk); - - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_ext_key_usage, - &crit, NULL); - /* AssertNotNull(sk); no extension set */ - wolfSSL_sk_ASN1_OBJECT_free(sk); - - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, - NID_authority_key_identifier, &crit, NULL); - AssertNotNull(sk); - wolfSSL_sk_ASN1_OBJECT_free(sk); - - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, - NID_private_key_usage_period, &crit, NULL); - /* AssertNotNull(sk); NID not yet supported */ - AssertIntEQ(crit, -1); - wolfSSL_sk_ASN1_OBJECT_free(sk); - - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_subject_alt_name, - &crit, NULL); - /* AssertNotNull(sk); no alt names set */ - wolfSSL_sk_ASN1_OBJECT_free(sk); - - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_issuer_alt_name, - &crit, NULL); - /* AssertNotNull(sk); NID not yet supported */ - AssertIntEQ(crit, -1); - wolfSSL_sk_ASN1_OBJECT_free(sk); - - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_info_access, &crit, - NULL); - /* AssertNotNull(sk); no auth info set */ - wolfSSL_sk_ASN1_OBJECT_free(sk); - - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_sinfo_access, - &crit, NULL); - /* AssertNotNull(sk); NID not yet supported */ - AssertIntEQ(crit, -1); - wolfSSL_sk_ASN1_OBJECT_free(sk); - - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_name_constraints, - &crit, NULL); - /* AssertNotNull(sk); NID not yet supported */ - AssertIntEQ(crit, -1); - wolfSSL_sk_ASN1_OBJECT_free(sk); - - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, - NID_certificate_policies, &crit, NULL); - #if !defined(WOLFSSL_SEP) && !defined(WOLFSSL_CERT_EXT) - AssertNull(sk); - #else - /* AssertNotNull(sk); no cert policy set */ - #endif - wolfSSL_sk_ASN1_OBJECT_free(sk); - - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_policy_mappings, - &crit, NULL); - /* AssertNotNull(sk); NID not yet supported */ - AssertIntEQ(crit, -1); - wolfSSL_sk_ASN1_OBJECT_free(sk); - - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_policy_constraints, - &crit, NULL); - /* AssertNotNull(sk); NID not yet supported */ - AssertIntEQ(crit, -1); - wolfSSL_sk_ASN1_OBJECT_free(sk); - - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_inhibit_any_policy, - &crit, NULL); - /* AssertNotNull(sk); NID not yet supported */ - AssertIntEQ(crit, -1); - wolfSSL_sk_ASN1_OBJECT_free(sk); - - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_tlsfeature, &crit, - NULL); - /* AssertNotNull(sk); NID not yet supported */ - AssertIntEQ(crit, -1); - wolfSSL_sk_ASN1_OBJECT_free(sk); - - /* test invalid cases */ - crit = 0; - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, -1, &crit, NULL); - AssertNull(sk); - AssertIntEQ(crit, -1); - sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(NULL, NID_tlsfeature, - NULL, NULL); - AssertNull(sk); - - AssertIntEQ(SSL_get_hit(ssl), 0); - X509_free(x509); - SSL_free(ssl); - SSL_CTX_free(ctx); - - printf(resultFmt, passed); - #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ -} - - -static void test_wolfSSL_private_keys(void) -{ - #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - WOLFSSL* ssl; - WOLFSSL_CTX* ctx; - EVP_PKEY* pkey = NULL; - - printf(testingFmt, "wolfSSL_private_keys()"); - - OpenSSL_add_all_digests(); - OpenSSL_add_all_algorithms(); - - AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); - AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); - AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - AssertNotNull(ssl = SSL_new(ctx)); - - AssertIntEQ(wolfSSL_check_private_key(ssl), SSL_SUCCESS); - -#ifdef USE_CERT_BUFFERS_2048 - { - const unsigned char* server_key = (const unsigned char*)server_key_der_2048; - - AssertIntEQ(SSL_use_RSAPrivateKey_ASN1(ssl, - (unsigned char*)client_key_der_2048, - sizeof_client_key_der_2048), SSL_SUCCESS); -#ifndef HAVE_USER_RSA - /* Should missmatch now that a different private key loaded */ - AssertIntNE(wolfSSL_check_private_key(ssl), SSL_SUCCESS); -#endif - - AssertIntEQ(SSL_use_PrivateKey_ASN1(0, ssl, - (unsigned char*)server_key, - sizeof_server_key_der_2048), SSL_SUCCESS); - /* After loading back in DER format of original key, should match */ - AssertIntEQ(wolfSSL_check_private_key(ssl), SSL_SUCCESS); - - /* pkey not set yet, expecting to fail */ - AssertIntEQ(SSL_use_PrivateKey(ssl, pkey), SSL_FAILURE); - - /* set PKEY and test again */ - AssertNotNull(wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, &pkey, - &server_key, (long)sizeof_server_key_der_2048)); - AssertIntEQ(SSL_use_PrivateKey(ssl, pkey), SSL_SUCCESS); - } -#endif - - - EVP_PKEY_free(pkey); - SSL_free(ssl); /* frees x509 also since loaded into ssl */ - SSL_CTX_free(ctx); - - /* test existence of no-op macros in wolfssl/openssl/ssl.h */ - CONF_modules_free(); - ENGINE_cleanup(); - CONF_modules_unload(); - - printf(resultFmt, passed); - #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ -} - - -static void test_wolfSSL_PEM_PrivateKey(void) -{ - #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ - (defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN)) && \ - defined(USE_CERT_BUFFERS_2048) - const unsigned char* server_key = (const unsigned char*)server_key_der_2048; - EVP_PKEY* pkey = NULL; - BIO* bio; - - printf(testingFmt, "wolfSSL_PEM_PrivateKey()"); - - bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem()); - AssertNotNull(bio); - - AssertNotNull(wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, &pkey, - &server_key, (long)sizeof_server_key_der_2048)); - AssertIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), - SSL_SUCCESS); - - BIO_free(bio); - EVP_PKEY_free(pkey); - - printf(resultFmt, passed); - #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ -} - - -static void test_wolfSSL_tmp_dh(void) -{ - #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_DSA) && !defined(NO_RSA) - byte buffer[5300]; - char file[] = "./certs/dsaparams.pem"; - FILE *f; - int bytes; - DSA* dsa; - DH* dh; - BIO* bio; - SSL* ssl; - SSL_CTX* ctx; - - printf(testingFmt, "wolfSSL_tmp_dh()"); - - AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); - AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); - AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - AssertNotNull(ssl = SSL_new(ctx)); - - f = fopen(file, "rb"); - AssertNotNull(f); - bytes = (int)fread(buffer, 1, sizeof(buffer), f); - fclose(f); - - bio = BIO_new_mem_buf((void*)buffer, bytes); - AssertNotNull(bio); - - dsa = wolfSSL_PEM_read_bio_DSAparams(bio, NULL, NULL, NULL); - AssertNotNull(dsa); - - dh = wolfSSL_DSA_dup_DH(dsa); - AssertNotNull(dh); - - AssertIntEQ((int)SSL_CTX_set_tmp_dh(ctx, dh), SSL_SUCCESS); - AssertIntEQ((int)SSL_set_tmp_dh(ssl, dh), SSL_SUCCESS); - - BIO_free(bio); - DSA_free(dsa); - DH_free(dh); - SSL_free(ssl); - SSL_CTX_free(ctx); - - printf(resultFmt, passed); - #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ -} - -static void test_wolfSSL_ctrl(void) -{ - #if defined(OPENSSL_EXTRA) - byte buffer[5300]; - BIO* bio; - int bytes; - BUF_MEM* ptr = NULL; - - printf(testingFmt, "wolfSSL_crtl()"); - - bytes = sizeof(buffer); - bio = BIO_new_mem_buf((void*)buffer, bytes); - AssertNotNull(bio); - AssertNotNull(BIO_s_socket()); - - AssertIntEQ((int)wolfSSL_BIO_get_mem_ptr(bio, &ptr), SSL_SUCCESS); - - /* needs tested after stubs filled out @TODO - SSL_ctrl - SSL_CTX_ctrl - */ - - BIO_free(bio); - printf(resultFmt, passed); - #endif /* defined(OPENSSL_EXTRA) */ -} - - -static void test_wolfSSL_CTX_add_extra_chain_cert(void) -{ - #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - char caFile[] = "./certs/client-ca.pem"; - char clientFile[] = "./certs/client-cert.pem"; - SSL_CTX* ctx; - X509* x509 = NULL; - - printf(testingFmt, "wolfSSL_CTX_add_extra_chain_cert()"); - - AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); - - x509 = wolfSSL_X509_load_certificate_file(caFile, SSL_FILETYPE_PEM); - AssertNotNull(x509); - AssertIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), SSL_SUCCESS); - - x509 = wolfSSL_X509_load_certificate_file(clientFile, SSL_FILETYPE_PEM); - AssertNotNull(x509); - AssertIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), SSL_SUCCESS); - - AssertNull(SSL_CTX_get_default_passwd_cb(ctx)); - AssertNull(SSL_CTX_get_default_passwd_cb_userdata(ctx)); - - SSL_CTX_free(ctx); - printf(resultFmt, passed); - #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ -} - - -static void test_wolfSSL_ERR_peek_last_error_line(void) -{ - #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL) && \ - !defined(NO_OLD_TLS) && defined(HAVE_IO_TESTS_DEPENDENCIES) - tcp_ready ready; - func_args client_args; - func_args server_args; -#ifndef SINGLE_THREADED - THREAD_TYPE serverThread; -#endif - callback_functions client_cb; - callback_functions server_cb; - int line = 0; - const char* file = NULL; - - printf(testingFmt, "wolfSSL_ERR_peek_last_error_line()"); - - /* create a failed connection and inspect the error */ -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - XMEMSET(&client_args, 0, sizeof(func_args)); - XMEMSET(&server_args, 0, sizeof(func_args)); - - StartTCP(); - InitTcpReady(&ready); - - client_cb.method = wolfTLSv1_1_client_method; - server_cb.method = wolfTLSv1_2_server_method; - - server_args.signal = &ready; - server_args.callbacks = &server_cb; - client_args.signal = &ready; - client_args.callbacks = &client_cb; - -#ifndef SINGLE_THREADED - start_thread(test_server_nofail, &server_args, &serverThread); - wait_tcp_ready(&server_args); - test_client_nofail(&client_args); - join_thread(serverThread); -#endif - - FreeTcpReady(&ready); - - /* check that error code was stored */ - AssertIntNE((int)ERR_peek_last_error_line(NULL, NULL), 0); - ERR_peek_last_error_line(NULL, &line); - AssertIntNE(line, 0); - ERR_peek_last_error_line(&file, NULL); - AssertNotNull(file); - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - printf(resultFmt, passed); - - printf("\nTesting error print out\n"); - ERR_print_errors_fp(stdout); - printf("Done testing print out\n\n"); - fflush(stdout); - #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(DEBUG_WOLFSSL) */ -} - - -static void test_wolfSSL_X509_STORE_set_flags(void) -{ - #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - - X509_STORE* store; - X509* x509; - - printf(testingFmt, "wolfSSL_ERR_peek_last_error_line()"); - AssertNotNull((store = wolfSSL_X509_STORE_new())); - AssertNotNull((x509 = - wolfSSL_X509_load_certificate_file(svrCertFile, SSL_FILETYPE_PEM))); - AssertIntEQ(X509_STORE_add_cert(store, x509), SSL_SUCCESS); - -#ifdef HAVE_CRL - AssertIntEQ(X509_STORE_set_flags(store, WOLFSSL_CRL_CHECKALL), SSL_SUCCESS); -#else - AssertIntEQ(X509_STORE_set_flags(store, WOLFSSL_CRL_CHECKALL), - NOT_COMPILED_IN); -#endif - - wolfSSL_X509_free(x509); - wolfSSL_X509_STORE_free(store); - - printf(resultFmt, passed); - #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ -} - -static void test_wolfSSL_X509_LOOKUP_load_file(void) -{ - #if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - WOLFSSL_X509_STORE* store; - WOLFSSL_X509_LOOKUP* lookup; - - printf(testingFmt, "wolfSSL_X509_LOOKUP_load_file()"); - - AssertNotNull(store = wolfSSL_X509_STORE_new()); - AssertNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())); - AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/client-ca.pem", - X509_FILETYPE_PEM), 1); - AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/crl/crl2.pem", - X509_FILETYPE_PEM), 1); - - AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, cliCertFile, - SSL_FILETYPE_PEM), 1); - AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, - SSL_FILETYPE_PEM), ASN_NO_SIGNER_E); - AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", - X509_FILETYPE_PEM), 1); - AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, - SSL_FILETYPE_PEM), 1); - - wolfSSL_X509_STORE_free(store); - - printf(resultFmt, passed); - #endif /* defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ -} - - -static void test_wolfSSL_BN(void) -{ - #if defined(OPENSSL_EXTRA) && !defined(NO_ASN) - BIGNUM* a; - BIGNUM* b; - BIGNUM* c; - BIGNUM* d; - ASN1_INTEGER ai; - unsigned char value[1]; - - printf(testingFmt, "wolfSSL_BN()"); - - AssertNotNull(b = BN_new()); - AssertNotNull(c = BN_new()); - AssertNotNull(d = BN_new()); - - value[0] = 0x03; - - /* at the moment hard setting since no set function */ - ai.data[0] = 0x02; /* tag for ASN_INTEGER */ - ai.data[1] = 0x01; /* length of integer */ - ai.data[2] = value[0]; - - AssertNotNull(a = ASN1_INTEGER_to_BN(&ai, NULL)); - - value[0] = 0x02; - AssertNotNull(BN_bin2bn(value, sizeof(value), b)); - - value[0] = 0x05; - AssertNotNull(BN_bin2bn(value, sizeof(value), c)); - - /* a^b mod c = */ - AssertIntEQ(BN_mod_exp(d, NULL, b, c, NULL), SSL_FAILURE); - AssertIntEQ(BN_mod_exp(d, a, b, c, NULL), SSL_SUCCESS); - - /* check result 3^2 mod 5 */ - value[0] = 0; - AssertIntEQ(BN_bn2bin(d, value), SSL_SUCCESS); - AssertIntEQ((int)(value[0]), 4); - - /* a*b mod c = */ - AssertIntEQ(BN_mod_mul(d, NULL, b, c, NULL), SSL_FAILURE); - AssertIntEQ(BN_mod_mul(d, a, b, c, NULL), SSL_SUCCESS); - - /* check result 3*2 mod 5 */ - value[0] = 0; - AssertIntEQ(BN_bn2bin(d, value), SSL_SUCCESS); - AssertIntEQ((int)(value[0]), 1); - - BN_free(a); - BN_free(b); - BN_free(c); - BN_clear_free(d); - - printf(resultFmt, passed); - #endif /* defined(OPENSSL_EXTRA) && !defined(NO_ASN) */ -} - -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) -#define TEST_ARG 0x1234 -static void msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg) -{ - (void)write_p; - (void)version; - (void)content_type; - (void)buf; - (void)len; - (void)ssl; - AssertTrue(arg == (void*)TEST_ARG); -} -#endif - -static void test_wolfSSL_set_options(void) -{ - #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - SSL* ssl; - SSL_CTX* ctx; - - unsigned char protos[] = { - 7, 't', 'l', 's', '/', '1', '.', '2', - 8, 'h', 't', 't', 'p', '/', '1', '.', '1' - }; - unsigned int len = sizeof(protos); - - void *arg = (void *)TEST_ARG; - - printf(testingFmt, "wolfSSL_set_options()"); - - AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); - AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); - AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); - AssertNotNull(ssl = SSL_new(ctx)); - - AssertTrue(SSL_set_options(ssl, SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1); - AssertTrue(SSL_get_options(ssl) == SSL_OP_NO_TLSv1); - - AssertIntGT((int)SSL_set_options(ssl, (SSL_OP_COOKIE_EXCHANGE | - SSL_OP_NO_SSLv2)), 0); - AssertTrue((SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE) & - SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE); - AssertTrue((SSL_set_options(ssl, SSL_OP_NO_TLSv1_2) & - SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2); - AssertTrue((SSL_set_options(ssl, SSL_OP_NO_COMPRESSION) & - SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION); - - AssertTrue(SSL_set_msg_callback(ssl, msg_cb) == SSL_SUCCESS); - AssertTrue(SSL_set_msg_callback_arg(ssl, arg) == SSL_SUCCESS); - - AssertTrue(SSL_CTX_set_alpn_protos(ctx, protos, len) == SSL_SUCCESS); - - SSL_free(ssl); - SSL_CTX_free(ctx); - - printf(resultFmt, passed); - #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ -} - #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) -static int verify_cb(int ok, X509_STORE_CTX *ctx) -{ - (void) ok; - (void) ctx; - printf("ENTER verify_cb\n"); - return SSL_SUCCESS; -} -#endif - -static void test_wolfSSL_X509_STORE_CTX(void) -{ - #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) - X509_STORE_CTX *ctx = NULL ; - - printf(testingFmt, "test_wolfSSL_X509_STORE_CTX()"); - AssertNotNull(ctx = X509_STORE_CTX_new()); - X509_STORE_CTX_set_verify_cb(ctx, verify_cb); - printf(resultFmt, passed); - #endif -} - -static void test_wolfSSL_PEM_read_bio(void) -{ - #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) - byte buffer[5300]; - FILE *f; - int bytes; - X509* x509; - BIO* bio = NULL; - - printf(testingFmt, "wolfSSL_PEM_read_bio()"); - - AssertNotNull(f = fopen(cliCertFile, "rb")); - bytes = (int)fread(buffer, 1, sizeof(buffer), f); - fclose(f); - - AssertNull(x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)); - AssertNotNull(bio = BIO_new_mem_buf((void*)buffer, bytes)); - AssertNotNull(x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)); - AssertIntEQ((int)BIO_set_fd(bio, 0, BIO_NOCLOSE), 1); - - BIO_free(bio); - X509_free(x509); - - printf(resultFmt, passed); - #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ -} - - -static void test_wolfSSL_BIO(void) -{ - #if defined(OPENSSL_EXTRA) - byte buffer[20]; - BIO* bio1; - BIO* bio2; - BIO* bio3; - char* bufPt; - int i; - - printf(testingFmt, "wolfSSL_BIO()"); - - for (i = 0; i < 20; i++) { - buffer[i] = i; - } - - /* Creating and testing type BIO_s_bio */ - AssertNotNull(bio1 = BIO_new(BIO_s_bio())); - AssertNotNull(bio2 = BIO_new(BIO_s_bio())); - AssertNotNull(bio3 = BIO_new(BIO_s_bio())); - - /* read/write before set up */ - AssertIntEQ(BIO_read(bio1, buffer, 2), WOLFSSL_BIO_UNSET); - AssertIntEQ(BIO_write(bio1, buffer, 2), WOLFSSL_BIO_UNSET); - - AssertIntEQ(BIO_set_write_buf_size(bio1, 20), SSL_SUCCESS); - AssertIntEQ(BIO_set_write_buf_size(bio2, 8), SSL_SUCCESS); - AssertIntEQ(BIO_make_bio_pair(bio1, bio2), SSL_SUCCESS); - - AssertIntEQ(BIO_nwrite(bio1, &bufPt, 10), 10); - XMEMCPY(bufPt, buffer, 10); - AssertIntEQ(BIO_write(bio1, buffer + 10, 10), 10); - /* write buffer full */ - AssertIntEQ(BIO_write(bio1, buffer, 10), WOLFSSL_BIO_ERROR); - AssertIntEQ(BIO_flush(bio1), SSL_SUCCESS); - AssertIntEQ((int)BIO_ctrl_pending(bio1), 0); - - /* write the other direction with pair */ - AssertIntEQ((int)BIO_nwrite(bio2, &bufPt, 10), 8); - XMEMCPY(bufPt, buffer, 8); - AssertIntEQ(BIO_write(bio2, buffer, 10), WOLFSSL_BIO_ERROR); - - /* try read */ - AssertIntEQ((int)BIO_ctrl_pending(bio1), 8); - AssertIntEQ((int)BIO_ctrl_pending(bio2), 20); - - AssertIntEQ(BIO_nread(bio2, &bufPt, (int)BIO_ctrl_pending(bio2)), 20); - for (i = 0; i < 20; i++) { - AssertIntEQ((int)bufPt[i], i); - } - AssertIntEQ(BIO_nread(bio2, &bufPt, 1), WOLFSSL_BIO_ERROR); - AssertIntEQ(BIO_nread(bio1, &bufPt, (int)BIO_ctrl_pending(bio1)), 8); - for (i = 0; i < 8; i++) { - AssertIntEQ((int)bufPt[i], i); - } - AssertIntEQ(BIO_nread(bio1, &bufPt, 1), WOLFSSL_BIO_ERROR); - AssertIntEQ(BIO_ctrl_reset_read_request(bio1), 1); - - /* new pair */ - AssertIntEQ(BIO_make_bio_pair(bio1, bio3), SSL_FAILURE); - BIO_free(bio2); /* free bio2 and automaticly remove from pair */ - AssertIntEQ(BIO_make_bio_pair(bio1, bio3), SSL_SUCCESS); - AssertIntEQ((int)BIO_ctrl_pending(bio3), 0); - AssertIntEQ(BIO_nread(bio3, &bufPt, 10), WOLFSSL_BIO_ERROR); - - /* test wrap around... */ - AssertIntEQ(BIO_reset(bio1), 0); - AssertIntEQ(BIO_reset(bio3), 0); - - /* fill write buffer, read only small amount then write again */ - AssertIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); - XMEMCPY(bufPt, buffer, 20); - AssertIntEQ(BIO_nread(bio3, &bufPt, 4), 4); - for (i = 0; i < 4; i++) { - AssertIntEQ(bufPt[i], i); - } - - /* try writing over read index */ - AssertIntEQ(BIO_nwrite(bio1, &bufPt, 5), 4); - XMEMSET(bufPt, 0, 4); - AssertIntEQ((int)BIO_ctrl_pending(bio3), 20); - - /* read and write 0 bytes */ - AssertIntEQ(BIO_nread(bio3, &bufPt, 0), 0); - AssertIntEQ(BIO_nwrite(bio1, &bufPt, 0), 0); - - /* should read only to end of write buffer then need to read again */ - AssertIntEQ(BIO_nread(bio3, &bufPt, 20), 16); - for (i = 0; i < 16; i++) { - AssertIntEQ(bufPt[i], buffer[4 + i]); - } - - AssertIntEQ(BIO_nread(bio3, NULL, 0), SSL_FAILURE); - AssertIntEQ(BIO_nread0(bio3, &bufPt), 4); - for (i = 0; i < 4; i++) { - AssertIntEQ(bufPt[i], 0); - } - - /* read index should not have advanced with nread0 */ - AssertIntEQ(BIO_nread(bio3, &bufPt, 5), 4); - for (i = 0; i < 4; i++) { - AssertIntEQ(bufPt[i], 0); - } - - /* write and fill up buffer checking reset of index state */ - AssertIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); - XMEMCPY(bufPt, buffer, 20); - - /* test reset on data in bio1 write buffer */ - AssertIntEQ(BIO_reset(bio1), 0); - AssertIntEQ((int)BIO_ctrl_pending(bio3), 0); - AssertIntEQ(BIO_nread(bio3, &bufPt, 3), WOLFSSL_BIO_ERROR); - AssertIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); - XMEMCPY(bufPt, buffer, 20); - AssertIntEQ(BIO_nread(bio3, &bufPt, 6), 6); - for (i = 0; i < 6; i++) { - AssertIntEQ(bufPt[i], i); - } - - /* test case of writing twice with offset read index */ - AssertIntEQ(BIO_nwrite(bio1, &bufPt, 3), 3); - AssertIntEQ(BIO_nwrite(bio1, &bufPt, 4), 3); /* try overwriting */ - AssertIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); - AssertIntEQ(BIO_nread(bio3, &bufPt, 0), 0); - AssertIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); - AssertIntEQ(BIO_nread(bio3, &bufPt, 1), 1); - AssertIntEQ(BIO_nwrite(bio1, &bufPt, 4), 1); - AssertIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); - - BIO_free(bio1); - BIO_free(bio3); - - /* BIOs with file pointers */ - #if !defined(NO_FILESYSTEM) - { - XFILE f1; - XFILE f2; - BIO* f_bio1; - BIO* f_bio2; - unsigned char cert[300]; - char testFile[] = "tests/bio_write_test.txt"; - char msg[] = "bio_write_test.txt contains the first 300 bytes of certs/server-cert.pem\ncreated by tests/unit.test\n\n"; - - AssertNotNull(f_bio1 = BIO_new(BIO_s_file())); - AssertNotNull(f_bio2 = BIO_new(BIO_s_file())); - - AssertIntEQ((int)BIO_set_mem_eof_return(f_bio1, -1), 0); - AssertIntEQ((int)BIO_set_mem_eof_return(NULL, -1), 0); - - f1 = XFOPEN(svrCertFile, "rwb"); - AssertIntEQ((int)BIO_set_fp(f_bio1, f1, BIO_CLOSE), SSL_SUCCESS); - AssertIntEQ(BIO_write_filename(f_bio2, testFile), - SSL_SUCCESS); - - AssertIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); - AssertIntEQ(BIO_write(f_bio2, msg, sizeof(msg)), sizeof(msg)); - AssertIntEQ(BIO_write(f_bio2, cert, sizeof(cert)), sizeof(cert)); - - AssertIntEQ((int)BIO_get_fp(f_bio2, &f2), SSL_SUCCESS); - AssertIntEQ(BIO_reset(f_bio2), 0); - AssertIntEQ(BIO_seek(f_bio2, 4), 0); - - BIO_free(f_bio1); - BIO_free(f_bio2); - } - #endif /* !defined(NO_FILESYSTEM) */ - - printf(resultFmt, passed); - #endif -} - -static void test_wolfSSL_DES_ecb_encrypt(void) -{ - #if defined(OPENSSL_EXTRA) && !defined(NO_DES3) && defined(WOLFSSL_DES_ECB) - WOLFSSL_DES_cblock input1,input2,output1,output2,back1,back2; - WOLFSSL_DES_key_schedule key; - - printf(testingFmt, "wolfSSL_DES_ecb_encrypt()"); - - XMEMCPY(key,"12345678",sizeof(WOLFSSL_DES_key_schedule)); - XMEMCPY(input1, "Iamhuman",sizeof(WOLFSSL_DES_cblock)); - XMEMCPY(input2, "Whoisit?",sizeof(WOLFSSL_DES_cblock)); - XMEMSET(output1, 0, sizeof(WOLFSSL_DES_cblock)); - XMEMSET(output2, 0, sizeof(WOLFSSL_DES_cblock)); - XMEMSET(back1, 0, sizeof(WOLFSSL_DES_cblock)); - XMEMSET(back2, 0, sizeof(WOLFSSL_DES_cblock)); - - /* Encrypt messages */ - wolfSSL_DES_ecb_encrypt(&input1,&output1,&key,DES_ENCRYPT); - wolfSSL_DES_ecb_encrypt(&input2,&output2,&key,DES_ENCRYPT); - - /* Decrypt messages */ - int ret1 = 0; - int ret2 = 0; - wolfSSL_DES_ecb_encrypt(&output1,&back1,&key,DES_DECRYPT); - ret1 = memcmp((unsigned char *) back1,(unsigned char *) input1,sizeof(WOLFSSL_DES_cblock)); - AssertIntEQ(ret1,0); - wolfSSL_DES_ecb_encrypt(&output2,&back2,&key,DES_DECRYPT); - ret2 = memcmp((unsigned char *) back2,(unsigned char *) input2,sizeof(WOLFSSL_DES_cblock)); - AssertIntEQ(ret2,0); - - printf(resultFmt, passed); - #endif -} -/*----------------------------------------------------------------------------* - | wolfCrypt ASN - *----------------------------------------------------------------------------*/ - -static void test_wc_GetPkcs8TraditionalOffset(void) -{ -#if !defined(NO_ASN) && !defined(NO_FILESYSTEM) - int length, derSz; - word32 inOutIdx; - const char* path = "./certs/server-keyPkcs8.der"; - FILE* file; - byte der[2048]; - - printf(testingFmt, "wc_GetPkcs8TraditionalOffset"); - - file = fopen(path, "rb"); - AssertNotNull(file); - derSz = (int)fread(der, 1, sizeof(der), file); - fclose(file); - - /* valid case */ - inOutIdx = 0; - length = wc_GetPkcs8TraditionalOffset(der, &inOutIdx, derSz); - AssertIntGT(length, 0); - - /* inOutIdx > sz */ - inOutIdx = 4000; - length = wc_GetPkcs8TraditionalOffset(der, &inOutIdx, derSz); - AssertIntEQ(length, BAD_FUNC_ARG); - - /* null input */ - inOutIdx = 0; - length = wc_GetPkcs8TraditionalOffset(NULL, &inOutIdx, 0); - AssertIntEQ(length, BAD_FUNC_ARG); - - /* invalid input, fill buffer with 1's */ - XMEMSET(der, 1, sizeof(der)); - inOutIdx = 0; - length = wc_GetPkcs8TraditionalOffset(der, &inOutIdx, derSz); - AssertIntEQ(length, ASN_PARSE_E); - - printf(resultFmt, passed); -#endif /* NO_ASN */ -} - - -/*----------------------------------------------------------------------------* - | wolfCrypt ECC - *----------------------------------------------------------------------------*/ - -static void test_wc_ecc_get_curve_size_from_name(void) -{ -#ifdef HAVE_ECC - int ret; - - printf(testingFmt, "wc_ecc_get_curve_size_from_name"); - - #if !defined(NO_ECC256) && !defined(NO_ECC_SECP) - ret = wc_ecc_get_curve_size_from_name("SECP256R1"); - AssertIntEQ(ret, 32); - #endif - - /* invalid case */ - ret = wc_ecc_get_curve_size_from_name("BADCURVE"); - AssertIntEQ(ret, -1); - - /* NULL input */ - ret = wc_ecc_get_curve_size_from_name(NULL); - AssertIntEQ(ret, BAD_FUNC_ARG); - - printf(resultFmt, passed); -#endif /* HAVE_ECC */ -} - -static void test_wc_ecc_get_curve_id_from_name(void) -{ -#ifdef HAVE_ECC - int id; - - printf(testingFmt, "wc_ecc_get_curve_id_from_name"); - - #if !defined(NO_ECC256) && !defined(NO_ECC_SECP) - id = wc_ecc_get_curve_id_from_name("SECP256R1"); - AssertIntEQ(id, ECC_SECP256R1); - #endif - - /* invalid case */ - id = wc_ecc_get_curve_id_from_name("BADCURVE"); - AssertIntEQ(id, -1); - - /* NULL input */ - id = wc_ecc_get_curve_id_from_name(NULL); - AssertIntEQ(id, BAD_FUNC_ARG); - - printf(resultFmt, passed); -#endif /* HAVE_ECC */ -} - -static void test_wc_ecc_get_curve_id_from_params(void) -{ -#ifdef HAVE_ECC - int id; - - const byte prime[] = - { - 0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x01, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF - }; - - const byte primeInvalid[] = - { - 0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x01, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0x01,0x01 - }; - - const byte Af[] = - { - 0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x01, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFC - }; - - const byte Bf[] = - { - 0x5A,0xC6,0x35,0xD8,0xAA,0x3A,0x93,0xE7, - 0xB3,0xEB,0xBD,0x55,0x76,0x98,0x86,0xBC, - 0x65,0x1D,0x06,0xB0,0xCC,0x53,0xB0,0xF6, - 0x3B,0xCE,0x3C,0x3E,0x27,0xD2,0x60,0x4B - }; - - const byte order[] = - { - 0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - 0xBC,0xE6,0xFA,0xAD,0xA7,0x17,0x9E,0x84, - 0xF3,0xB9,0xCA,0xC2,0xFC,0x63,0x25,0x51 - }; - - const byte Gx[] = - { - 0x6B,0x17,0xD1,0xF2,0xE1,0x2C,0x42,0x47, - 0xF8,0xBC,0xE6,0xE5,0x63,0xA4,0x40,0xF2, - 0x77,0x03,0x7D,0x81,0x2D,0xEB,0x33,0xA0, - 0xF4,0xA1,0x39,0x45,0xD8,0x98,0xC2,0x96 - }; - - const byte Gy[] = - { - 0x4F,0xE3,0x42,0xE2,0xFE,0x1A,0x7F,0x9B, - 0x8E,0xE7,0xEB,0x4A,0x7C,0x0F,0x9E,0x16, - 0x2B,0xCE,0x33,0x57,0x6B,0x31,0x5E,0xCE, - 0xCB,0xB6,0x40,0x68,0x37,0xBF,0x51,0xF5 - }; - - int cofactor = 1; - int fieldSize = 256; - - printf(testingFmt, "wc_ecc_get_curve_id_from_params"); - - #if !defined(NO_ECC256) && !defined(NO_ECC_SECP) - id = wc_ecc_get_curve_id_from_params(fieldSize, prime, sizeof(prime), - Af, sizeof(Af), Bf, sizeof(Bf), order, sizeof(order), - Gx, sizeof(Gx), Gy, sizeof(Gy), cofactor); - AssertIntEQ(id, ECC_SECP256R1); - #endif - - /* invalid case, fieldSize = 0 */ - id = wc_ecc_get_curve_id_from_params(0, prime, sizeof(prime), - Af, sizeof(Af), Bf, sizeof(Bf), order, sizeof(order), - Gx, sizeof(Gx), Gy, sizeof(Gy), cofactor); - AssertIntEQ(id, ECC_CURVE_INVALID); - - /* invalid case, NULL prime */ - id = wc_ecc_get_curve_id_from_params(fieldSize, NULL, sizeof(prime), - Af, sizeof(Af), Bf, sizeof(Bf), order, sizeof(order), - Gx, sizeof(Gx), Gy, sizeof(Gy), cofactor); - AssertIntEQ(id, BAD_FUNC_ARG); - - /* invalid case, invalid prime */ - id = wc_ecc_get_curve_id_from_params(fieldSize, - primeInvalid, sizeof(primeInvalid), - Af, sizeof(Af), Bf, sizeof(Bf), order, sizeof(order), - Gx, sizeof(Gx), Gy, sizeof(Gy), cofactor); - AssertIntEQ(id, ECC_CURVE_INVALID); - - printf(resultFmt, passed); -#endif -} - - -/*----------------------------------------------------------------------------* - | Certficate Failure Checks - *----------------------------------------------------------------------------*/ -#ifndef NO_CERTS - /* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */ - static int verify_sig_cm(const char* ca, byte* cert_buf, size_t cert_sz, - int type) - { - int ret; - WOLFSSL_CERT_MANAGER* cm = NULL; - - switch (type) { - case TESTING_RSA: - #ifdef NO_RSA - printf("RSA disabled, skipping test\n"); - return ASN_SIG_CONFIRM_E; - #else - break; - #endif - case TESTING_ECC: - #ifndef HAVE_ECC - printf("ECC disabled, skipping test\n"); - return ASN_SIG_CONFIRM_E; - #else - break; - #endif - default: - printf("Bad function argument\n"); - return BAD_FUNC_ARG; - } - cm = wolfSSL_CertManagerNew(); - if (cm == NULL) { - printf("wolfSSL_CertManagerNew failed\n"); - return -1; - } - - ret = wolfSSL_CertManagerLoadCA(cm, ca, 0); - if (ret != SSL_SUCCESS) { - printf("wolfSSL_CertManagerLoadCA failed\n"); - wolfSSL_CertManagerFree(cm); - return ret; - } - - ret = wolfSSL_CertManagerVerifyBuffer(cm, cert_buf, cert_sz, SSL_FILETYPE_ASN1); - /* Let AssertIntEQ handle return code */ - - wolfSSL_CertManagerFree(cm); - - return ret; - } - - static int test_RsaSigFailure_cm(void) - { - int ret = 0; - const char* ca_cert = "./certs/ca-cert.pem"; - const char* server_cert = "./certs/server-cert.der"; - byte* cert_buf = NULL; - size_t cert_sz = 0; - - ret = load_file(server_cert, &cert_buf, &cert_sz); - if (ret == 0) { - /* corrupt DER - invert last byte, which is signature */ - cert_buf[cert_sz-1] = ~cert_buf[cert_sz-1]; - - /* test bad cert */ - ret = verify_sig_cm(ca_cert, cert_buf, cert_sz, TESTING_RSA); - } - - printf("Signature failure test: RSA: Ret %d\n", ret); - - if (cert_buf) - free(cert_buf); - - return ret; - } - - static int test_EccSigFailure_cm(void) - { - int ret = 0; - /* self-signed ECC cert, so use server cert as CA */ - const char* ca_cert = "./certs/server-ecc.pem"; - const char* server_cert = "./certs/server-ecc.der"; - byte* cert_buf = NULL; - size_t cert_sz = 0; - - ret = load_file(server_cert, &cert_buf, &cert_sz); - if (ret == 0) { - /* corrupt DER - invert last byte, which is signature */ - cert_buf[cert_sz-1] = ~cert_buf[cert_sz-1]; - - /* test bad cert */ - ret = verify_sig_cm(ca_cert, cert_buf, cert_sz, TESTING_ECC); - } - - printf("Signature failure test: ECC: Ret %d\n", ret); - - if (cert_buf) - free(cert_buf); - - return ret; - } - -#endif /* NO_CERTS */ - - -/*----------------------------------------------------------------------------* - | Main - *----------------------------------------------------------------------------*/ - -void ApiTest(void) -{ - printf(" Begin API Tests\n"); - AssertIntEQ(test_wolfSSL_Init(), SSL_SUCCESS); - /* wolfcrypt initialization tests */ - test_wolfSSL_Method_Allocators(); - test_wolfSSL_CTX_new(wolfSSLv23_server_method()); - test_wolfSSL_CTX_use_certificate_file(); - AssertIntEQ(test_wolfSSL_CTX_use_certificate_buffer(), SSL_SUCCESS); - test_wolfSSL_CTX_use_PrivateKey_file(); - test_wolfSSL_CTX_load_verify_locations(); - test_wolfSSL_CTX_trust_peer_cert(); - test_wolfSSL_CTX_SetTmpDH_file(); - test_wolfSSL_CTX_SetTmpDH_buffer(); - test_server_wolfSSL_new(); - test_client_wolfSSL_new(); - test_wolfSSL_SetTmpDH_file(); - test_wolfSSL_SetTmpDH_buffer(); - //test_wolfSSL_Get_others(); - test_wolfSSL_read_write(); - test_wolfSSL_dtls_export(); - AssertIntEQ(test_wolfSSL_SetMinVersion(), SSL_SUCCESS); - AssertIntEQ(test_wolfSSL_CTX_SetMinVersion(), SSL_SUCCESS); - - /* TLS extensions tests */ - test_wolfSSL_UseSNI(); - test_wolfSSL_UseMaxFragment(); - test_wolfSSL_UseTruncatedHMAC(); - test_wolfSSL_UseSupportedCurve(); - test_wolfSSL_UseALPN(); - test_wolfSSL_DisableExtendedMasterSecret(); - - /* X509 tests */ - test_wolfSSL_X509_NAME_get_entry(); - test_wolfSSL_PKCS12(); - - /*OCSP Stapling. */ - AssertIntEQ(test_wolfSSL_UseOCSPStapling(), SSL_SUCCESS); - AssertIntEQ(test_wolfSSL_UseOCSPStaplingV2(), SSL_SUCCESS); - - /* compatibility tests */ - test_wolfSSL_DES(); - test_wolfSSL_certs(); - test_wolfSSL_private_keys(); - test_wolfSSL_PEM_PrivateKey(); - test_wolfSSL_tmp_dh(); - test_wolfSSL_ctrl(); - test_wolfSSL_CTX_add_extra_chain_cert(); - test_wolfSSL_ERR_peek_last_error_line(); - test_wolfSSL_X509_STORE_set_flags(); - test_wolfSSL_X509_LOOKUP_load_file(); - test_wolfSSL_BN(); - test_wolfSSL_set_options(); - test_wolfSSL_X509_STORE_CTX(); - test_wolfSSL_PEM_read_bio(); - test_wolfSSL_BIO(); - test_wolfSSL_DES_ecb_encrypt(); - AssertIntEQ(test_wolfSSL_Cleanup(), SSL_SUCCESS); - - /* wolfCrypt ASN tests */ - test_wc_GetPkcs8TraditionalOffset(); - - /* wolfCrypt ECC tests */ - test_wc_ecc_get_curve_size_from_name(); - test_wc_ecc_get_curve_id_from_name(); - test_wc_ecc_get_curve_id_from_params(); - -#ifndef NO_CERTS - /* Bad certificate signature tests */ - AssertIntEQ(test_EccSigFailure_cm(), ASN_SIG_CONFIRM_E); - AssertIntEQ(test_RsaSigFailure_cm(), ASN_SIG_CONFIRM_E); -#endif /* NO_CERTS */ - - /*wolfcrypt */ - printf("\n-----------------wolfcrypt unit tests------------------\n"); - AssertFalse(test_wolfCrypt_Init()); - AssertFalse(test_wc_InitMd5()); - AssertFalse(test_wc_Md5Update()); - AssertFalse(test_wc_Md5Final()); - AssertFalse(test_wc_InitSha()); - AssertFalse(test_wc_ShaUpdate()); - AssertFalse(test_wc_ShaFinal()); - AssertFalse(test_wc_InitSha256()); - AssertFalse(test_wc_Sha256Update()); - AssertFalse(test_wc_Sha256Final()); - AssertFalse(test_wc_InitSha512()); - AssertFalse(test_wc_Sha512Update()); - AssertFalse(test_wc_Sha512Final()); - AssertFalse(test_wc_InitSha384()); - AssertFalse(test_wc_Sha384Update()); - AssertFalse(test_wc_Sha384Final()); - AssertFalse(test_wc_InitSha224()); - AssertFalse(test_wc_Sha224Update()); - AssertFalse(test_wc_Sha224Final()); - AssertFalse(test_wc_InitRipeMd()); - AssertFalse(test_wc_RipeMdUpdate()); - AssertFalse(test_wc_RipeMdFinal()); - printf(" End API Tests\n"); - -} diff --git a/wolfssl/internal 2.h.orig b/wolfssl/internal 2.h.orig deleted file mode 100755 index d00a6c087..000000000 --- a/wolfssl/internal 2.h.orig +++ /dev/null @@ -1,3326 +0,0 @@ -/* internal.h - * - * Copyright (C) 2006-2016 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - - - -#ifndef WOLFSSL_INT_H -#define WOLFSSL_INT_H - - -#include -#include -#ifdef HAVE_CRL - #include -#endif -#include -#ifndef NO_DES3 - #include -#endif -#ifndef NO_HC128 - #include -#endif -#ifndef NO_RABBIT - #include -#endif -#ifdef HAVE_CHACHA - #include -#endif -#ifndef NO_ASN - #include - #include -#endif -#ifndef NO_MD5 - #include -#endif -#ifndef NO_SHA - #include -#endif -#ifndef NO_AES - #include -#endif -#ifdef HAVE_POLY1305 - #include -#endif -#ifdef HAVE_CAMELLIA - #include -#endif -#include -#ifndef NO_HMAC - #include -#endif -#ifndef NO_RC4 - #include -#endif -#ifdef HAVE_ECC - #include -#endif -#ifndef NO_SHA256 - #include -#endif -#ifdef HAVE_OCSP - #include -#endif -#ifdef WOLFSSL_SHA512 - #include -#endif -#ifdef HAVE_AESGCM - #include -#endif -#ifdef WOLFSSL_RIPEMD - #include -#endif -#ifdef HAVE_IDEA - #include -#endif -#ifndef NO_RSA - #include -#endif -#ifdef HAVE_ECC - #include -#endif -#ifndef NO_DH - #include -#endif - -#include - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - #include -#endif -#ifdef WOLFSSL_CALLBACKS - #include -#endif - -#ifdef USE_WINDOWS_API - #ifdef WOLFSSL_GAME_BUILD - #include "system/xtl.h" - #else - #if defined(_WIN32_WCE) || defined(WIN32_LEAN_AND_MEAN) - /* On WinCE winsock2.h must be included before windows.h */ - #include - #endif - #include - #endif -#elif defined(THREADX) - #ifndef SINGLE_THREADED - #include "tx_api.h" - #endif -#elif defined(MICRIUM) - /* do nothing, just don't pick Unix */ -#elif defined(FREERTOS) || defined(FREERTOS_TCP) || defined(WOLFSSL_SAFERTOS) - /* do nothing */ -#elif defined(EBSNET) - /* do nothing */ -#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) - /* do nothing */ -#elif defined(FREESCALE_FREE_RTOS) - #include "fsl_os_abstraction.h" -#elif defined(WOLFSSL_uITRON4) - /* do nothing */ -#elif defined(WOLFSSL_uTKERNEL2) - /* do nothing */ -#elif defined(WOLFSSL_MDK_ARM) - #if defined(WOLFSSL_MDK5) - #include "cmsis_os.h" - #else - #include - #endif -#elif defined(WOLFSSL_CMSIS_RTOS) - #include "cmsis_os.h" -#elif defined(MBED) -#elif defined(WOLFSSL_TIRTOS) - /* do nothing */ -#elif defined(INTIME_RTOS) - #include -#else - #ifndef SINGLE_THREADED - #define WOLFSSL_PTHREADS - #include - #endif - #if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS) - #include /* for close of BIO */ - #endif -#endif - -#ifndef CHAR_BIT - /* Needed for DTLS without big math */ - #include -#endif - - -#ifdef HAVE_LIBZ - #include "zlib.h" -#endif - -#ifdef WOLFSSL_ASYNC_CRYPT - #include -#endif - -#ifdef _MSC_VER - /* 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy */ - #pragma warning(disable: 4996) -#endif - -#ifdef NO_SHA - #define SHA_DIGEST_SIZE 20 -#endif - -#ifdef NO_SHA256 - #define SHA256_DIGEST_SIZE 32 -#endif - -#ifdef NO_MD5 - #define MD5_DIGEST_SIZE 16 -#endif - - -#ifdef __cplusplus - extern "C" { -#endif - - -typedef byte word24[3]; - -/* Define or comment out the cipher suites you'd like to be compiled in - make sure to use at least one BUILD_SSL_xxx or BUILD_TLS_xxx is defined - - When adding cipher suites, add name to cipher_names, idx to cipher_name_idx - - Now that there is a maximum strength crypto build, the following BUILD_XXX - flags need to be divided into two groups selected by WOLFSSL_MAX_STRENGTH. - Those that do not use Perfect Forward Security and do not use AEAD ciphers - need to be switched off. Allowed suites use (EC)DHE, AES-GCM|CCM, or - CHACHA-POLY. -*/ - -/* Check that if WOLFSSL_MAX_STRENGTH is set that all the required options are - * not turned off. */ -#if defined(WOLFSSL_MAX_STRENGTH) && \ - ((!defined(HAVE_ECC) && (defined(NO_DH) || defined(NO_RSA))) || \ - (!defined(HAVE_AESGCM) && !defined(HAVE_AESCCM) && \ - (!defined(HAVE_POLY1305) || !defined(HAVE_CHACHA))) || \ - (defined(NO_SHA256) && !defined(WOLFSSL_SHA384)) || \ - !defined(NO_OLD_TLS)) - - #error "You are trying to build max strength with requirements disabled." -#endif - -/* Have QSH : Quantum-safe Handshake */ -#if defined(HAVE_QSH) - #define BUILD_TLS_QSH -#endif - -#ifndef WOLFSSL_MAX_STRENGTH - - #if !defined(NO_RSA) && !defined(NO_RC4) - #if defined(WOLFSSL_STATIC_RSA) - #if !defined(NO_SHA) - #define BUILD_SSL_RSA_WITH_RC4_128_SHA - #endif - #if !defined(NO_MD5) - #define BUILD_SSL_RSA_WITH_RC4_128_MD5 - #endif - #endif - #if !defined(NO_TLS) && defined(HAVE_NTRU) && !defined(NO_SHA) \ - && defined(WOLFSSL_STATIC_RSA) - #define BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA - #endif - #endif - - #if !defined(NO_RSA) && !defined(NO_DES3) - #if !defined(NO_SHA) - #if defined(WOLFSSL_STATIC_RSA) - #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA - #endif - #if !defined(NO_TLS) && defined(HAVE_NTRU) \ - && defined(WOLFSSL_STATIC_RSA) - #define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA - #endif - #endif - #endif - - #if !defined(NO_RSA) && defined(HAVE_IDEA) - #if !defined(NO_SHA) && defined(WOLFSSL_STATIC_RSA) - #define BUILD_SSL_RSA_WITH_IDEA_CBC_SHA - #endif - #endif - - #if !defined(NO_RSA) && !defined(NO_AES) && !defined(NO_TLS) - #if !defined(NO_SHA) - #if defined(WOLFSSL_STATIC_RSA) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA - #endif - #if defined(HAVE_NTRU) && defined(WOLFSSL_STATIC_RSA) - #define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA - #endif - #endif - #if defined(WOLFSSL_STATIC_RSA) - #if !defined (NO_SHA256) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 - #endif - #if defined (HAVE_AESGCM) - #define BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 - #if defined (WOLFSSL_SHA384) - #define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 - #endif - #endif - #if defined (HAVE_AESCCM) - #define BUILD_TLS_RSA_WITH_AES_128_CCM_8 - #define BUILD_TLS_RSA_WITH_AES_256_CCM_8 - #endif - #if defined(HAVE_BLAKE2) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256 - #define BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256 - #endif - #endif - #endif - - #if defined(HAVE_CAMELLIA) && !defined(NO_TLS) - #ifndef NO_RSA - #if defined(WOLFSSL_STATIC_RSA) - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - #endif - #endif - #if !defined(NO_DH) - #if !defined(NO_SHA) - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - #endif - #endif - #endif - #endif - -#if defined(WOLFSSL_STATIC_PSK) - #if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS) - #if !defined(NO_SHA) - #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA - #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 - #ifdef HAVE_AESGCM - #define BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256 - #endif - #ifdef HAVE_AESCCM - #define BUILD_TLS_PSK_WITH_AES_128_CCM_8 - #define BUILD_TLS_PSK_WITH_AES_256_CCM_8 - #define BUILD_TLS_PSK_WITH_AES_128_CCM - #define BUILD_TLS_PSK_WITH_AES_256_CCM - #endif - #endif - #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384 - #ifdef HAVE_AESGCM - #define BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384 - #endif - #endif - #endif -#endif - - #if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER) - #if !defined(NO_RSA) - #if defined(WOLFSSL_STATIC_RSA) - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_NULL_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_RSA_WITH_NULL_SHA256 - #endif - #endif - #endif - #if !defined(NO_PSK) && defined(WOLFSSL_STATIC_PSK) - #if !defined(NO_SHA) - #define BUILD_TLS_PSK_WITH_NULL_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_PSK_WITH_NULL_SHA256 - #endif - #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_PSK_WITH_NULL_SHA384 - #endif - #endif - #endif - -#if defined(WOLFSSL_STATIC_RSA) - #if !defined(NO_HC128) && !defined(NO_RSA) && !defined(NO_TLS) - #ifndef NO_MD5 - #define BUILD_TLS_RSA_WITH_HC_128_MD5 - #endif - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_HC_128_SHA - #endif - #if defined(HAVE_BLAKE2) - #define BUILD_TLS_RSA_WITH_HC_128_B2B256 - #endif - #endif - - #if !defined(NO_RABBIT) && !defined(NO_TLS) && !defined(NO_RSA) - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_RABBIT_SHA - #endif - #endif -#endif - - #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ - !defined(NO_RSA) - - #if !defined(NO_SHA) - #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA - #if !defined(NO_DES3) - #define BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - #endif - #endif - #if !defined(NO_SHA256) - #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - #endif - #endif - - #if defined(HAVE_ANON) && !defined(NO_TLS) && !defined(NO_DH) && \ - !defined(NO_AES) && !defined(NO_SHA) - #define BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA - #endif - - #if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) - #ifndef NO_SHA256 - #ifndef NO_AES - #define BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - #endif - #ifdef HAVE_NULL_CIPHER - #define BUILD_TLS_DHE_PSK_WITH_NULL_SHA256 - #endif - #endif - #ifdef WOLFSSL_SHA384 - #ifndef NO_AES - #define BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 - #endif - #ifdef HAVE_NULL_CIPHER - #define BUILD_TLS_DHE_PSK_WITH_NULL_SHA384 - #endif - #endif - #endif - - #if defined(HAVE_ECC) && !defined(NO_TLS) - #if !defined(NO_AES) - #if !defined(NO_SHA) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - #endif - #endif - - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - #endif - #endif /* NO_SHA */ - #ifndef NO_SHA256 - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 - #endif - #endif - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - #endif - #endif - - #ifdef WOLFSSL_SHA384 - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - #endif - #endif - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - #endif - #endif - - #if defined (HAVE_AESGCM) - #if !defined(NO_RSA) - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - #endif - #if defined(WOLFSSL_SHA384) - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - #endif - #endif - #endif - - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - #endif - - #if defined(WOLFSSL_SHA384) - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - #endif - #endif - #endif - #endif /* NO_AES */ - #if !defined(NO_RC4) - #if !defined(NO_SHA) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA - #endif - #endif - - #define BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - #endif - #endif - #endif - #if !defined(NO_DES3) - #ifndef NO_SHA - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - #endif - #endif - - #define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - #endif - #endif /* NO_SHA */ - #endif - #if defined(HAVE_NULL_CIPHER) - #if !defined(NO_SHA) - #define BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA - #endif - #if !defined(NO_PSK) && !defined(NO_SHA256) - #define BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256 - #endif - #endif - #if !defined(NO_PSK) && !defined(NO_SHA256) && !defined(NO_AES) - #define BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 - #endif - #endif - #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && !defined(NO_SHA256) - #if !defined(NO_OLD_POLY1305) - #ifdef HAVE_ECC - #define BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - #ifndef NO_RSA - #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - #endif - #endif - #if !defined(NO_DH) && !defined(NO_RSA) - #define BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - #endif - #endif /* NO_OLD_POLY1305 */ - #if !defined(NO_PSK) - #define BUILD_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 - #ifdef HAVE_ECC - #define BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - #endif - #ifndef NO_DH - #define BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - #endif - #endif /* !NO_PSK */ - #endif - -#endif /* !WOLFSSL_MAX_STRENGTH */ - -#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ - !defined(NO_RSA) && defined(HAVE_AESGCM) - - #ifndef NO_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - #endif - - #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - #endif -#endif - -#if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) - #ifndef NO_SHA256 - #ifdef HAVE_AESGCM - #define BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - #endif - #ifdef HAVE_AESCCM - #define BUILD_TLS_DHE_PSK_WITH_AES_128_CCM - #define BUILD_TLS_DHE_PSK_WITH_AES_256_CCM - #endif - #endif - #if defined(WOLFSSL_SHA384) && defined(HAVE_AESGCM) - #define BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - #endif -#endif - -#if defined(HAVE_ECC) && !defined(NO_TLS) && !defined(NO_AES) - #ifdef HAVE_AESGCM - #ifndef NO_SHA256 - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - #ifndef NO_RSA - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - #endif - #endif - #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - #ifndef NO_RSA - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - #endif - #endif - #endif - #if defined(HAVE_AESCCM) && !defined(NO_SHA256) - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 - #endif -#endif - -#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && !defined(NO_SHA256) - #ifdef HAVE_ECC - #define BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - #ifndef NO_RSA - #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - #endif - #endif - #if !defined(NO_DH) && !defined(NO_RSA) - #define BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - #endif -#endif - - -#if defined(BUILD_SSL_RSA_WITH_RC4_128_SHA) || \ - defined(BUILD_SSL_RSA_WITH_RC4_128_MD5) - #define BUILD_ARC4 -#endif - -#if defined(BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA) - #define BUILD_DES3 -#endif - -#if defined(BUILD_TLS_RSA_WITH_AES_128_CBC_SHA) || \ - defined(BUILD_TLS_RSA_WITH_AES_256_CBC_SHA) || \ - defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) || \ - defined(BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256) - #undef BUILD_AES - #define BUILD_AES -#endif - -#if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) || \ - defined(BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) || \ - defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) || \ - defined(BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256) || \ - defined(BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256) || \ - defined(BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384) || \ - defined(BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384) || \ - defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) || \ - defined(BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384) || \ - defined(BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384) - #define BUILD_AESGCM -#endif - -#if defined(BUILD_TLS_RSA_WITH_HC_128_SHA) || \ - defined(BUILD_TLS_RSA_WITH_HC_128_MD5) || \ - defined(BUILD_TLS_RSA_WITH_HC_128_B2B256) - #define BUILD_HC128 -#endif - -#if defined(BUILD_TLS_RSA_WITH_RABBIT_SHA) - #define BUILD_RABBIT -#endif - -#ifdef NO_DES3 - #define DES_BLOCK_SIZE 8 -#else - #undef BUILD_DES3 - #define BUILD_DES3 -#endif - -#if defined(NO_AES) || defined(NO_AES_DECRYPT) - #define AES_BLOCK_SIZE 16 - #undef BUILD_AES -#else - #undef BUILD_AES - #define BUILD_AES -#endif - -#ifndef NO_RC4 - #undef BUILD_ARC4 - #define BUILD_ARC4 -#endif - -#ifdef HAVE_CHACHA - #define CHACHA20_BLOCK_SIZE 16 -#endif - -#if defined(WOLFSSL_MAX_STRENGTH) || \ - defined(HAVE_AESGCM) || defined(HAVE_AESCCM) || \ - (defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) - - #define HAVE_AEAD -#endif - -#if defined(WOLFSSL_MAX_STRENGTH) || \ - defined(HAVE_ECC) || !defined(NO_DH) - - #define HAVE_PFS -#endif - -#if defined(BUILD_SSL_RSA_WITH_IDEA_CBC_SHA) - #define BUILD_IDEA -#endif - -/* actual cipher values, 2nd byte */ -enum { - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x16, - TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x39, - TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x33, - TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x34, - TLS_RSA_WITH_AES_256_CBC_SHA = 0x35, - TLS_RSA_WITH_AES_128_CBC_SHA = 0x2F, - TLS_RSA_WITH_NULL_SHA = 0x02, - TLS_PSK_WITH_AES_256_CBC_SHA = 0x8d, - TLS_PSK_WITH_AES_128_CBC_SHA256 = 0xae, - TLS_PSK_WITH_AES_256_CBC_SHA384 = 0xaf, - TLS_PSK_WITH_AES_128_CBC_SHA = 0x8c, - TLS_PSK_WITH_NULL_SHA256 = 0xb0, - TLS_PSK_WITH_NULL_SHA384 = 0xb1, - TLS_PSK_WITH_NULL_SHA = 0x2c, - SSL_RSA_WITH_RC4_128_SHA = 0x05, - SSL_RSA_WITH_RC4_128_MD5 = 0x04, - SSL_RSA_WITH_3DES_EDE_CBC_SHA = 0x0A, - SSL_RSA_WITH_IDEA_CBC_SHA = 0x07, - - /* ECC suites, first byte is 0xC0 (ECC_BYTE) */ - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0x14, - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0x13, - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0x0A, - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0x09, - TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0x11, - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0x07, - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x12, - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0x08, - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0x27, - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0x23, - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0x28, - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0x24, - TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0x06, - TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0x3a, - TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0x37, - - /* static ECDH, first byte is 0xC0 (ECC_BYTE) */ - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0x0F, - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0x0E, - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0x05, - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0x04, - TLS_ECDH_RSA_WITH_RC4_128_SHA = 0x0C, - TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0x02, - TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0D, - TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0x03, - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0x29, - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0x25, - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0x2A, - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0x26, - - /* wolfSSL extension - eSTREAM */ - TLS_RSA_WITH_HC_128_MD5 = 0xFB, - TLS_RSA_WITH_HC_128_SHA = 0xFC, - TLS_RSA_WITH_RABBIT_SHA = 0xFD, - - /* wolfSSL extension - Blake2b 256 */ - TLS_RSA_WITH_AES_128_CBC_B2B256 = 0xF8, - TLS_RSA_WITH_AES_256_CBC_B2B256 = 0xF9, - TLS_RSA_WITH_HC_128_B2B256 = 0xFA, /* eSTREAM too */ - - /* wolfSSL extension - NTRU */ - TLS_NTRU_RSA_WITH_RC4_128_SHA = 0xe5, - TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA = 0xe6, - TLS_NTRU_RSA_WITH_AES_128_CBC_SHA = 0xe7, /* clashes w/official SHA-256 */ - TLS_NTRU_RSA_WITH_AES_256_CBC_SHA = 0xe8, - - /* wolfSSL extension - NTRU , Quantum-safe Handshake - first byte is 0xD0 (QSH_BYTE) */ - TLS_QSH = 0x01, - - /* SHA256 */ - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x6b, - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x67, - TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x3d, - TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x3c, - TLS_RSA_WITH_NULL_SHA256 = 0x3b, - TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0xb2, - TLS_DHE_PSK_WITH_NULL_SHA256 = 0xb4, - - /* SHA384 */ - TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0xb3, - TLS_DHE_PSK_WITH_NULL_SHA384 = 0xb5, - - /* AES-GCM */ - TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x9c, - TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x9d, - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x9e, - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x9f, - TLS_PSK_WITH_AES_128_GCM_SHA256 = 0xa8, - TLS_PSK_WITH_AES_256_GCM_SHA384 = 0xa9, - TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0xaa, - TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0xab, - - /* ECC AES-GCM, first byte is 0xC0 (ECC_BYTE) */ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0x2b, - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0x2c, - TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0x2d, - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0x2e, - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0x2f, - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0x30, - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0x31, - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0x32, - - /* AES-CCM, first byte is 0xC0 but isn't ECC, - * also, in some of the other AES-CCM suites - * there will be second byte number conflicts - * with non-ECC AES-GCM */ - TLS_RSA_WITH_AES_128_CCM_8 = 0xa0, - TLS_RSA_WITH_AES_256_CCM_8 = 0xa1, - TLS_ECDHE_ECDSA_WITH_AES_128_CCM = 0xac, - TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xae, - TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xaf, - TLS_PSK_WITH_AES_128_CCM = 0xa4, - TLS_PSK_WITH_AES_256_CCM = 0xa5, - TLS_PSK_WITH_AES_128_CCM_8 = 0xa8, - TLS_PSK_WITH_AES_256_CCM_8 = 0xa9, - TLS_DHE_PSK_WITH_AES_128_CCM = 0xa6, - TLS_DHE_PSK_WITH_AES_256_CCM = 0xa7, - - /* Camellia */ - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x41, - TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x84, - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xba, - TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0xc0, - TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x45, - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x88, - TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xbe, - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0xc4, - - /* chacha20-poly1305 suites first byte is 0xCC (CHACHA_BYTE) */ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xa8, - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xa9, - TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xaa, - TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xac, - TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xab, - TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xad, - - /* chacha20-poly1305 earlier version of nonce and padding (CHACHA_BYTE) */ - TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 = 0x13, - TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 = 0x14, - TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 = 0x15, - - /* Renegotiation Indication Extension Special Suite */ - TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0xff -}; - - -#ifndef WOLFSSL_SESSION_TIMEOUT - #define WOLFSSL_SESSION_TIMEOUT 500 - /* default session resumption cache timeout in seconds */ -#endif - - -#ifndef WOLFSSL_DTLS_WINDOW_WORDS - #define WOLFSSL_DTLS_WINDOW_WORDS 2 -#endif /* WOLFSSL_DTLS_WINDOW_WORDS */ -#define DTLS_WORD_BITS (sizeof(word32) * CHAR_BIT) -#define DTLS_SEQ_BITS (WOLFSSL_DTLS_WINDOW_WORDS * DTLS_WORD_BITS) -#define DTLS_SEQ_SZ (sizeof(word32) * WOLFSSL_DTLS_WINDOW_WORDS) - - -enum Misc { - ECC_BYTE = 0xC0, /* ECC first cipher suite byte */ - QSH_BYTE = 0xD0, /* Quantum-safe Handshake cipher suite */ - CHACHA_BYTE = 0xCC, /* ChaCha first cipher suite */ - - SEND_CERT = 1, - SEND_BLANK_CERT = 2, - - DTLS_MAJOR = 0xfe, /* DTLS major version number */ - DTLS_MINOR = 0xff, /* DTLS minor version number */ - DTLSv1_2_MINOR = 0xfd, /* DTLS minor version number */ - SSLv3_MAJOR = 3, /* SSLv3 and TLSv1+ major version number */ - SSLv3_MINOR = 0, /* TLSv1 minor version number */ - TLSv1_MINOR = 1, /* TLSv1 minor version number */ - TLSv1_1_MINOR = 2, /* TLSv1_1 minor version number */ - TLSv1_2_MINOR = 3, /* TLSv1_2 minor version number */ - OLD_HELLO_ID = 0x01, /* SSLv2 Client Hello Indicator */ - INVALID_BYTE = 0xff, /* Used to initialize cipher specs values */ - NO_COMPRESSION = 0, - ZLIB_COMPRESSION = 221, /* wolfSSL zlib compression */ - HELLO_EXT_SIG_ALGO = 13, /* ID for the sig_algo hello extension */ - HELLO_EXT_EXTMS = 0x0017, /* ID for the extended master secret ext */ - SECRET_LEN = 48, /* pre RSA and all master */ -#if defined(WOLFSSL_MYSQL_COMPATIBLE) - ENCRYPT_LEN = 1024, /* allow larger static buffer with mysql */ -#else - ENCRYPT_LEN = 512, /* allow 4096 bit static buffer */ -#endif - SIZEOF_SENDER = 4, /* clnt or srvr */ - FINISHED_SZ = 36, /* MD5_DIGEST_SIZE + SHA_DIGEST_SIZE */ - MAX_RECORD_SIZE = 16384, /* 2^14, max size by standard */ - MAX_MSG_EXTRA = 38 + MAX_DIGEST_SIZE, - /* max added to msg, mac + pad from */ - /* RECORD_HEADER_SZ + BLOCK_SZ (pad) + Max - digest sz + BLOC_SZ (iv) + pad byte (1) */ - MAX_COMP_EXTRA = 1024, /* max compression extra */ - MAX_MTU = 1500, /* max expected MTU */ - MAX_UDP_SIZE = 8192 - 100, /* was MAX_MTU - 100 */ - MAX_DH_SZ = 1036, /* 4096 p, pub, g + 2 byte size for each */ - MAX_STR_VERSION = 8, /* string rep of protocol version */ - - PAD_MD5 = 48, /* pad length for finished */ - PAD_SHA = 40, /* pad length for finished */ - MAX_PAD_SIZE = 256, /* maximum length of padding */ - COMPRESS_DUMMY_SIZE = 64, /* compression dummy round size */ - COMPRESS_CONSTANT = 13, /* compression calc constant */ - COMPRESS_UPPER = 55, /* compression calc numerator */ - COMPRESS_LOWER = 64, /* compression calc denominator */ - - PEM_LINE_LEN = 80, /* PEM line max + fudge */ - LENGTH_SZ = 2, /* length field for HMAC, data only */ - VERSION_SZ = 2, /* length of proctocol version */ - SEQ_SZ = 8, /* 64 bit sequence number */ - ALERT_SIZE = 2, /* level + description */ - VERIFY_HEADER = 2, /* always use 2 bytes */ - EXT_ID_SZ = 2, /* always use 2 bytes */ - MAX_DH_SIZE = 513, /* 4096 bit plus possible leading 0 */ - SESSION_HINT_SZ = 4, /* session timeout hint */ - - RAN_LEN = 32, /* random length */ - SEED_LEN = RAN_LEN * 2, /* tls prf seed length */ - ID_LEN = 32, /* session id length */ - COOKIE_SECRET_SZ = 14, /* dtls cookie secret size */ - MAX_COOKIE_LEN = 32, /* max dtls cookie size */ - COOKIE_SZ = 20, /* use a 20 byte cookie */ - SUITE_LEN = 2, /* cipher suite sz length */ - ENUM_LEN = 1, /* always a byte */ - OPAQUE8_LEN = 1, /* 1 byte */ - OPAQUE16_LEN = 2, /* 2 bytes */ - OPAQUE24_LEN = 3, /* 3 bytes */ - OPAQUE32_LEN = 4, /* 4 bytes */ - OPAQUE64_LEN = 8, /* 8 bytes */ - COMP_LEN = 1, /* compression length */ - CURVE_LEN = 2, /* ecc named curve length */ - SERVER_ID_LEN = 20, /* server session id length */ - - HANDSHAKE_HEADER_SZ = 4, /* type + length(3) */ - RECORD_HEADER_SZ = 5, /* type + version + len(2) */ - CERT_HEADER_SZ = 3, /* always 3 bytes */ - REQ_HEADER_SZ = 2, /* cert request header sz */ - HINT_LEN_SZ = 2, /* length of hint size field */ - TRUNCATED_HMAC_SZ = 10, /* length of hmac w/ truncated hmac extension */ - HELLO_EXT_SZ = 4, /* base length of a hello extension */ - HELLO_EXT_TYPE_SZ = 2, /* length of a hello extension type */ - HELLO_EXT_SZ_SZ = 2, /* length of a hello extension size */ - HELLO_EXT_SIGALGO_SZ = 2, /* length of number of items in sigalgo list */ - HELLO_EXT_SIGALGO_MAX = 32, /* number of items in the signature algo list */ - - DTLS_HANDSHAKE_HEADER_SZ = 12, /* normal + seq(2) + offset(3) + length(3) */ - DTLS_RECORD_HEADER_SZ = 13, /* normal + epoch(2) + seq_num(6) */ - DTLS_HANDSHAKE_EXTRA = 8, /* diff from normal */ - DTLS_RECORD_EXTRA = 8, /* diff from normal */ - DTLS_HANDSHAKE_SEQ_SZ = 2, /* handshake header sequence number */ - DTLS_HANDSHAKE_FRAG_SZ = 3, /* fragment offset and length are 24 bit */ - DTLS_POOL_SZ = 255,/* allowed number of list items in TX pool */ - DTLS_EXPORT_PRO = 165,/* wolfSSL protocol for serialized session */ - DTLS_EXPORT_VERSION = 3, /* wolfSSL version for serialized session */ - DTLS_EXPORT_OPT_SZ = 57, /* amount of bytes used from Options */ - DTLS_EXPORT_KEY_SZ = 325 + (DTLS_SEQ_SZ * 2), - /* max amount of bytes used from Keys */ - DTLS_EXPORT_MIN_KEY_SZ = 78 + (DTLS_SEQ_SZ * 2), - /* min amount of bytes used from Keys */ - DTLS_EXPORT_SPC_SZ = 16, /* amount of bytes used from CipherSpecs */ - DTLS_EXPORT_LEN = 2, /* 2 bytes for length and protocol */ - DTLS_EXPORT_IP = 46, /* max ip size IPv4 mapped IPv6 */ - MAX_EXPORT_BUFFER = 514, /* max size of buffer for exporting */ - FINISHED_LABEL_SZ = 15, /* TLS finished label size */ - TLS_FINISHED_SZ = 12, /* TLS has a shorter size */ - EXT_MASTER_LABEL_SZ = 22, /* TLS extended master secret label sz */ - MASTER_LABEL_SZ = 13, /* TLS master secret label sz */ - KEY_LABEL_SZ = 13, /* TLS key block expansion sz */ - MAX_PRF_HALF = 256, /* Maximum half secret len */ - MAX_PRF_LABSEED = 128, /* Maximum label + seed len */ - MAX_PRF_DIG = 224, /* Maximum digest len */ - MAX_REQUEST_SZ = 256, /* Maximum cert req len (no auth yet */ - SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */ - - RC4_KEY_SIZE = 16, /* always 128bit */ - DES_KEY_SIZE = 8, /* des */ - DES3_KEY_SIZE = 24, /* 3 des ede */ - DES_IV_SIZE = DES_BLOCK_SIZE, - AES_256_KEY_SIZE = 32, /* for 256 bit */ - AES_192_KEY_SIZE = 24, /* for 192 bit */ - AES_IV_SIZE = 16, /* always block size */ - AES_128_KEY_SIZE = 16, /* for 128 bit */ - - AEAD_SEQ_OFFSET = 4, /* Auth Data: Sequence number */ - AEAD_TYPE_OFFSET = 8, /* Auth Data: Type */ - AEAD_VMAJ_OFFSET = 9, /* Auth Data: Major Version */ - AEAD_VMIN_OFFSET = 10, /* Auth Data: Minor Version */ - AEAD_LEN_OFFSET = 11, /* Auth Data: Length */ - AEAD_AUTH_DATA_SZ = 13, /* Size of the data to authenticate */ - AESGCM_IMP_IV_SZ = 4, /* Size of GCM/CCM AEAD implicit IV */ - AESGCM_EXP_IV_SZ = 8, /* Size of GCM/CCM AEAD explicit IV */ - AESGCM_NONCE_SZ = AESGCM_EXP_IV_SZ + AESGCM_IMP_IV_SZ, - - CHACHA20_IMP_IV_SZ = 12, /* Size of ChaCha20 AEAD implicit IV */ - CHACHA20_NONCE_SZ = 12, /* Size of ChacCha20 nonce */ - CHACHA20_OLD_OFFSET = 4, /* Offset for seq # in old poly1305 */ - - /* For any new implicit/explicit IV size adjust AEAD_MAX_***_SZ */ - - AES_GCM_AUTH_SZ = 16, /* AES-GCM Auth Tag length */ - AES_CCM_16_AUTH_SZ = 16, /* AES-CCM-16 Auth Tag length */ - AES_CCM_8_AUTH_SZ = 8, /* AES-CCM-8 Auth Tag Length */ - - CAMELLIA_128_KEY_SIZE = 16, /* for 128 bit */ - CAMELLIA_192_KEY_SIZE = 24, /* for 192 bit */ - CAMELLIA_256_KEY_SIZE = 32, /* for 256 bit */ - CAMELLIA_IV_SIZE = 16, /* always block size */ - - CHACHA20_256_KEY_SIZE = 32, /* for 256 bit */ - CHACHA20_128_KEY_SIZE = 16, /* for 128 bit */ - CHACHA20_IV_SIZE = 12, /* 96 bits for iv */ - - POLY1305_AUTH_SZ = 16, /* 128 bits */ - - HC_128_KEY_SIZE = 16, /* 128 bits */ - HC_128_IV_SIZE = 16, /* also 128 bits */ - - RABBIT_KEY_SIZE = 16, /* 128 bits */ - RABBIT_IV_SIZE = 8, /* 64 bits for iv */ - - EVP_SALT_SIZE = 8, /* evp salt size 64 bits */ - - ECDHE_SIZE = 32, /* ECHDE server size defaults to 256 bit */ - MAX_EXPORT_ECC_SZ = 256, /* Export ANS X9.62 max future size */ - -#ifdef HAVE_QSH - /* qsh handshake sends 600+ size keys over hello extensions */ - MAX_HELLO_SZ = 2048, /* max client or server hello */ -#else - MAX_HELLO_SZ = 128, /* max client or server hello */ -#endif - MAX_CERT_VERIFY_SZ = 1024, /* max */ - CLIENT_HELLO_FIRST = 35, /* Protocol + RAN_LEN + sizeof(id_len) */ - MAX_SUITE_NAME = 48, /* maximum length of cipher suite string */ - - DTLS_TIMEOUT_INIT = 1, /* default timeout init for DTLS receive */ - DTLS_TIMEOUT_MAX = 64, /* default max timeout for DTLS receive */ - DTLS_TIMEOUT_MULTIPLIER = 2, /* default timeout multiplier for DTLS recv */ - - MAX_PSK_ID_LEN = 128, /* max psk identity/hint supported */ - MAX_PSK_KEY_LEN = 64, /* max psk key supported */ - - MAX_WOLFSSL_FILE_SIZE = 1024 * 1024 * 4, /* 4 mb file size alloc limit */ - -#if defined(HAVE_EX_DATA) || defined(FORTRESS) - MAX_EX_DATA = 5, /* allow for five items of ex_data */ -#endif - - MAX_X509_SIZE = 2048, /* max static x509 buffer size */ - CERT_MIN_SIZE = 256, /* min PEM cert size with header/footer */ - FILE_BUFFER_SIZE = 1024, /* default static file buffer size for input, - will use dynamic buffer if not big enough */ - - MAX_NTRU_PUB_KEY_SZ = 1027, /* NTRU max for now */ - MAX_NTRU_ENCRYPT_SZ = 1027, /* NTRU max for now */ - MAX_NTRU_BITS = 256, /* max symmetric bit strength */ - NO_SNIFF = 0, /* not sniffing */ - SNIFF = 1, /* currently sniffing */ - - HASH_SIG_SIZE = 2, /* default SHA1 RSA */ - - NO_COPY = 0, /* should we copy static buffer for write */ - COPY = 1, /* should we copy static buffer for write */ - - PREV_ORDER = -1, /* Sequence number is in previous epoch. */ - PEER_ORDER = 1, /* Peer sequence number for verify. */ - CUR_ORDER = 0, /* Current sequence number. */ - WRITE_PROTO = 1, /* writing a protocol message */ - READ_PROTO = 0 /* reading a protocol message */ -}; - - -/* Set max implicit IV size for AEAD cipher suites */ -#ifdef HAVE_CHACHA - #define AEAD_MAX_IMP_SZ 12 -#else - #define AEAD_MAX_IMP_SZ 4 -#endif - -/* Set max explicit IV size for AEAD cipher suites */ -#define AEAD_MAX_EXP_SZ 8 - - -#ifndef WOLFSSL_MAX_SUITE_SZ - #define WOLFSSL_MAX_SUITE_SZ 300 - /* 150 suites for now! */ -#endif - -/* set minimum ECC key size allowed */ -#ifndef WOLFSSL_MIN_ECC_BITS - #ifdef WOLFSSL_MAX_STRENGTH - #define WOLFSSL_MIN_ECC_BITS 256 - #else - #define WOLFSSL_MIN_ECC_BITS 224 - #endif -#endif /* WOLFSSL_MIN_ECC_BITS */ -#if (WOLFSSL_MIN_ECC_BITS % 8) - /* Some ECC keys are not divisable by 8 such as prime239v1 or sect131r1. - In these cases round down to the nearest value divisable by 8. The - restriction of being divisable by 8 is in place to match wc_ecc_size - function from wolfSSL. - */ - #error ECC minimum bit size must be a multiple of 8 -#endif -#define MIN_ECCKEY_SZ (WOLFSSL_MIN_ECC_BITS / 8) - -/* set minimum RSA key size allowed */ -#ifndef WOLFSSL_MIN_RSA_BITS - #ifdef WOLFSSL_MAX_STRENGTH - #define WOLFSSL_MIN_RSA_BITS 2048 - #else - #define WOLFSSL_MIN_RSA_BITS 1024 - #endif -#endif /* WOLFSSL_MIN_RSA_BITS */ -#if (WOLFSSL_MIN_RSA_BITS % 8) - /* This is to account for the example case of a min size of 2050 bits but - still allows 2049 bit key. So we need the measurment to be in bytes. */ - #error RSA minimum bit size must be a multiple of 8 -#endif -#define MIN_RSAKEY_SZ (WOLFSSL_MIN_RSA_BITS / 8) - -/* set minimum DH key size allowed */ -#ifndef WOLFSSL_MIN_DHKEY_BITS - #ifdef WOLFSSL_MAX_STRENGTH - #define WOLFSSL_MIN_DHKEY_BITS 2048 - #else - #define WOLFSSL_MIN_DHKEY_BITS 1024 - #endif -#endif -#if (WOLFSSL_MIN_DHKEY_BITS % 8) - #error DH minimum bit size must be multiple of 8 -#endif -#if (WOLFSSL_MIN_DHKEY_BITS > 16000) - #error DH minimum bit size must not be greater than 16000 -#endif -#define MIN_DHKEY_SZ (WOLFSSL_MIN_DHKEY_BITS / 8) - - -#ifdef SESSION_INDEX -/* Shift values for making a session index */ -#define SESSIDX_ROW_SHIFT 4 -#define SESSIDX_IDX_MASK 0x0F -#endif - - -/* max cert chain peer depth */ -#ifndef MAX_CHAIN_DEPTH - #define MAX_CHAIN_DEPTH 9 -#endif - -/* max size of a certificate message payload */ -/* assumes MAX_CHAIN_DEPTH number of certificates at 2kb per certificate */ -#ifndef MAX_CERTIFICATE_SZ - #define MAX_CERTIFICATE_SZ \ - CERT_HEADER_SZ + \ - (MAX_X509_SIZE + CERT_HEADER_SZ) * MAX_CHAIN_DEPTH -#endif - -/* max size of a handshake message, currently set to the certificate */ -#ifndef MAX_HANDSHAKE_SZ - #define MAX_HANDSHAKE_SZ MAX_CERTIFICATE_SZ -#endif - -#ifndef SESSION_TICKET_LEN - #define SESSION_TICKET_LEN 256 -#endif - -#ifndef SESSION_TICKET_HINT_DEFAULT - #define SESSION_TICKET_HINT_DEFAULT 300 -#endif - - -/* don't use extra 3/4k stack space unless need to */ -#ifdef HAVE_NTRU - #define MAX_ENCRYPT_SZ MAX_NTRU_ENCRYPT_SZ -#else - #define MAX_ENCRYPT_SZ ENCRYPT_LEN -#endif - - -/* states */ -enum states { - NULL_STATE = 0, - - SERVER_HELLOVERIFYREQUEST_COMPLETE, - SERVER_HELLO_COMPLETE, - SERVER_CERT_COMPLETE, - SERVER_KEYEXCHANGE_COMPLETE, - SERVER_HELLODONE_COMPLETE, - SERVER_FINISHED_COMPLETE, - - CLIENT_HELLO_COMPLETE, - CLIENT_KEYEXCHANGE_COMPLETE, - CLIENT_FINISHED_COMPLETE, - - HANDSHAKE_DONE -}; - - -#if defined(__GNUC__) - #define WOLFSSL_PACK __attribute__ ((packed)) -#else - #define WOLFSSL_PACK -#endif - -/* SSL Version */ -typedef struct ProtocolVersion { - byte major; - byte minor; -} WOLFSSL_PACK ProtocolVersion; - - -WOLFSSL_LOCAL ProtocolVersion MakeSSLv3(void); -WOLFSSL_LOCAL ProtocolVersion MakeTLSv1(void); -WOLFSSL_LOCAL ProtocolVersion MakeTLSv1_1(void); -WOLFSSL_LOCAL ProtocolVersion MakeTLSv1_2(void); - -#ifdef WOLFSSL_DTLS - WOLFSSL_LOCAL ProtocolVersion MakeDTLSv1(void); - WOLFSSL_LOCAL ProtocolVersion MakeDTLSv1_2(void); - - #ifdef WOLFSSL_SESSION_EXPORT - WOLFSSL_LOCAL int wolfSSL_dtls_import_internal(WOLFSSL* ssl, byte* buf, - word32 sz); - WOLFSSL_LOCAL int wolfSSL_dtls_export_internal(WOLFSSL* ssl, byte* buf, - word32 sz); - WOLFSSL_LOCAL int wolfSSL_send_session(WOLFSSL* ssl); - #endif -#endif - - -/* wolfSSL BIO_METHOD type */ -struct WOLFSSL_BIO_METHOD { - byte type; /* method type */ -}; - - -/* wolfSSL BIO type */ -struct WOLFSSL_BIO { - WOLFSSL_BUF_MEM* mem_buf; - WOLFSSL* ssl; /* possible associated ssl */ -#ifndef NO_FILESYSTEM - XFILE file; -#endif - WOLFSSL_BIO* prev; /* previous in chain */ - WOLFSSL_BIO* next; /* next in chain */ - WOLFSSL_BIO* pair; /* BIO paired with */ - void* heap; /* user heap hint */ - byte* mem; /* memory buffer */ - int wrSz; /* write buffer size (mem) */ - int wrIdx; /* current index for write buffer */ - int rdIdx; /* current read index */ - int readRq; /* read request */ - int memLen; /* memory buffer length */ - int fd; /* possible file descriptor */ - int eof; /* eof flag */ - int flags; - byte type; /* method type */ - byte close; /* close flag */ -}; - - -/* wolfSSL method type */ -struct WOLFSSL_METHOD { - ProtocolVersion version; - byte side; /* connection side, server or client */ - byte downgrade; /* whether to downgrade version, default no */ -}; - - -/* defaults to client */ -WOLFSSL_LOCAL void InitSSL_Method(WOLFSSL_METHOD*, ProtocolVersion); - -/* for sniffer */ -WOLFSSL_LOCAL int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - word32 size, word32 totalSz, int sniff); -WOLFSSL_LOCAL int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx); - - -/* wolfSSL buffer type - internal uses "buffer" type */ -typedef WOLFSSL_BUFFER_INFO buffer; - -#ifndef NO_CERTS - /* wolfSSL DER buffer */ - typedef struct DerBuffer { - byte* buffer; - void* heap; - word32 length; - int type; /* enum CertType */ - int dynType; /* DYNAMIC_TYPE_* */ - } DerBuffer; -#endif /* !NO_CERTS */ - - -enum { - FORCED_FREE = 1, - NO_FORCED_FREE = 0 -}; - - -/* only use compression extra if using compression */ -#ifdef HAVE_LIBZ - #define COMP_EXTRA MAX_COMP_EXTRA -#else - #define COMP_EXTRA 0 -#endif - -/* only the sniffer needs space in the buffer for extra MTU record(s) */ -#ifdef WOLFSSL_SNIFFER - #define MTU_EXTRA MAX_MTU * 3 -#else - #define MTU_EXTRA 0 -#endif - - -/* embedded callbacks require large static buffers, make sure on */ -#ifdef WOLFSSL_CALLBACKS - #undef LARGE_STATIC_BUFFERS - #define LARGE_STATIC_BUFFERS -#endif - - -/* give user option to use 16K static buffers */ -#if defined(LARGE_STATIC_BUFFERS) - #define RECORD_SIZE MAX_RECORD_SIZE -#else - #ifdef WOLFSSL_DTLS - #define RECORD_SIZE MAX_MTU - #else - #define RECORD_SIZE 128 - #endif -#endif - - -/* user option to turn off 16K output option */ -/* if using small static buffers (default) and SSL_write tries to write data - larger than the record we have, dynamically get it, unless user says only - write in static buffer chunks */ -#ifndef STATIC_CHUNKS_ONLY - #define OUTPUT_RECORD_SIZE MAX_RECORD_SIZE -#else - #define OUTPUT_RECORD_SIZE RECORD_SIZE -#endif - -/* wolfSSL input buffer - - RFC 2246: - - length - The length (in bytes) of the following TLSPlaintext.fragment. - The length should not exceed 2^14. -*/ -#if defined(LARGE_STATIC_BUFFERS) - #define STATIC_BUFFER_LEN RECORD_HEADER_SZ + RECORD_SIZE + COMP_EXTRA + \ - MTU_EXTRA + MAX_MSG_EXTRA -#else - /* don't fragment memory from the record header */ - #define STATIC_BUFFER_LEN RECORD_HEADER_SZ -#endif - -typedef struct { - ALIGN16 byte staticBuffer[STATIC_BUFFER_LEN]; - byte* buffer; /* place holder for static or dynamic buffer */ - word32 length; /* total buffer length used */ - word32 idx; /* idx to part of length already consumed */ - word32 bufferSize; /* current buffer size */ - byte dynamicFlag; /* dynamic memory currently in use */ - byte offset; /* alignment offset attempt */ -} bufferStatic; - -/* Cipher Suites holder */ -typedef struct Suites { - word16 suiteSz; /* suite length in bytes */ - word16 hashSigAlgoSz; /* SigAlgo extension length in bytes */ - byte suites[WOLFSSL_MAX_SUITE_SZ]; - byte hashSigAlgo[HELLO_EXT_SIGALGO_MAX]; /* sig/algo to offer */ - byte setSuites; /* user set suites from default */ - byte hashAlgo; /* selected hash algorithm */ - byte sigAlgo; /* selected sig algorithm */ -} Suites; - - -WOLFSSL_LOCAL -void InitSuites(Suites*, ProtocolVersion, word16, word16, word16, word16, - word16, word16, word16, int); -WOLFSSL_LOCAL -int SetCipherList(WOLFSSL_CTX*, Suites*, const char* list); - -#ifndef PSK_TYPES_DEFINED - typedef unsigned int (*wc_psk_client_callback)(WOLFSSL*, const char*, char*, - unsigned int, unsigned char*, unsigned int); - typedef unsigned int (*wc_psk_server_callback)(WOLFSSL*, const char*, - unsigned char*, unsigned int); -#endif /* PSK_TYPES_DEFINED */ -#ifdef WOLFSSL_DTLS - typedef int (*wc_dtls_export)(WOLFSSL* ssl, - unsigned char* exportBuffer, unsigned int sz, void* userCtx); -#endif - - -/* wolfSSL Cipher type just points back to SSL */ -struct WOLFSSL_CIPHER { - WOLFSSL* ssl; -}; - - -typedef struct OcspEntry OcspEntry; - -#ifdef NO_SHA - #define OCSP_DIGEST_SIZE SHA256_DIGEST_SIZE -#else - #define OCSP_DIGEST_SIZE SHA_DIGEST_SIZE -#endif - -#ifdef NO_ASN - /* no_asn won't have */ - typedef struct CertStatus CertStatus; -#endif - -struct OcspEntry { - OcspEntry* next; /* next entry */ - byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */ - byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */ - CertStatus* status; /* OCSP response list */ - int totalStatus; /* number on list */ -}; - - -#ifndef HAVE_OCSP - typedef struct WOLFSSL_OCSP WOLFSSL_OCSP; -#endif - -/* wolfSSL OCSP controller */ -struct WOLFSSL_OCSP { - WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */ - OcspEntry* ocspList; /* OCSP response list */ - wolfSSL_Mutex ocspLock; /* OCSP list lock */ -#ifdef WOLFSSL_NGINX - int(*statusCb)(WOLFSSL*, void*); -#endif -}; - -#ifndef MAX_DATE_SIZE -#define MAX_DATE_SIZE 32 -#endif - -typedef struct CRL_Entry CRL_Entry; - -#ifdef NO_SHA - #define CRL_DIGEST_SIZE SHA256_DIGEST_SIZE -#else - #define CRL_DIGEST_SIZE SHA_DIGEST_SIZE -#endif - -#ifdef NO_ASN - typedef struct RevokedCert RevokedCert; -#endif - -/* Complete CRL */ -struct CRL_Entry { - CRL_Entry* next; /* next entry */ - byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */ - /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */ - /* restore the hash here if needed for optimized comparisons */ - byte lastDate[MAX_DATE_SIZE]; /* last date updated */ - byte nextDate[MAX_DATE_SIZE]; /* next update date */ - byte lastDateFormat; /* last date format */ - byte nextDateFormat; /* next date format */ - RevokedCert* certs; /* revoked cert list */ - int totalCerts; /* number on list */ -}; - - -typedef struct CRL_Monitor CRL_Monitor; - -/* CRL directory monitor */ -struct CRL_Monitor { - char* path; /* full dir path, if valid pointer we're using */ - int type; /* PEM or ASN1 type */ -}; - - -#if defined(HAVE_CRL) && defined(NO_FILESYSTEM) - #undef HAVE_CRL_MONITOR -#endif - -/* wolfSSL CRL controller */ -struct WOLFSSL_CRL { - WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */ - CRL_Entry* crlList; /* our CRL list */ -#ifdef HAVE_CRL_IO - CbCrlIO crlIOCb; -#endif - wolfSSL_Mutex crlLock; /* CRL list lock */ - CRL_Monitor monitors[2]; /* PEM and DER possible */ -#ifdef HAVE_CRL_MONITOR - pthread_cond_t cond; /* condition to signal setup */ - pthread_t tid; /* monitoring thread */ - int mfd; /* monitor fd, -1 if no init yet */ - int setup; /* thread is setup predicate */ -#endif - void* heap; /* heap hint for dynamic memory */ -}; - - -#ifdef NO_ASN - typedef struct Signer Signer; -#ifdef WOLFSSL_TRUST_PEER_CERT - typedef struct TrustedPeerCert TrustedPeerCert; -#endif -#endif - - -#ifndef CA_TABLE_SIZE - #define CA_TABLE_SIZE 11 -#endif -#ifdef WOLFSSL_TRUST_PEER_CERT - #define TP_TABLE_SIZE 11 -#endif - -/* wolfSSL Certificate Manager */ -struct WOLFSSL_CERT_MANAGER { - Signer* caTable[CA_TABLE_SIZE]; /* the CA signer table */ - void* heap; /* heap helper */ -#ifdef WOLFSSL_TRUST_PEER_CERT - TrustedPeerCert* tpTable[TP_TABLE_SIZE]; /* table of trusted peer certs */ - wolfSSL_Mutex tpLock; /* trusted peer list lock */ -#endif - WOLFSSL_CRL* crl; /* CRL checker */ - WOLFSSL_OCSP* ocsp; /* OCSP checker */ -#if !defined(NO_WOLFSSL_SERVER) && (defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)) - WOLFSSL_OCSP* ocsp_stapling; /* OCSP checker for OCSP stapling */ -#endif - char* ocspOverrideURL; /* use this responder */ - void* ocspIOCtx; /* I/O callback CTX */ - CallbackCACache caCacheCallback; /* CA cache addition callback */ - CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */ - CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */ - CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */ - wolfSSL_Mutex caLock; /* CA list lock */ - byte crlEnabled; /* is CRL on ? */ - byte crlCheckAll; /* always leaf, but all ? */ - byte ocspEnabled; /* is OCSP on ? */ - byte ocspCheckAll; /* always leaf, but all ? */ - byte ocspSendNonce; /* send the OCSP nonce ? */ - byte ocspUseOverrideURL; /* ignore cert's responder, override */ - byte ocspStaplingEnabled; /* is OCSP Stapling on ? */ - -#ifndef NO_RSA - short minRsaKeySz; /* minimum allowed RSA key size */ -#endif -#ifdef HAVE_ECC - short minEccKeySz; /* minimum allowed ECC key size */ -#endif -}; - -WOLFSSL_LOCAL int CM_SaveCertCache(WOLFSSL_CERT_MANAGER*, const char*); -WOLFSSL_LOCAL int CM_RestoreCertCache(WOLFSSL_CERT_MANAGER*, const char*); -WOLFSSL_LOCAL int CM_MemSaveCertCache(WOLFSSL_CERT_MANAGER*, void*, int, int*); -WOLFSSL_LOCAL int CM_MemRestoreCertCache(WOLFSSL_CERT_MANAGER*, const void*, int); -WOLFSSL_LOCAL int CM_GetCertCacheMemSize(WOLFSSL_CERT_MANAGER*); - -/* wolfSSL Sock Addr */ -struct WOLFSSL_SOCKADDR { - unsigned int sz; /* sockaddr size */ - void* sa; /* pointer to the sockaddr_in or sockaddr_in6 */ -}; - -typedef struct WOLFSSL_DTLS_CTX { - WOLFSSL_SOCKADDR peer; - int rfd; - int wfd; -} WOLFSSL_DTLS_CTX; - - -#define MAX_WRITE_IV_SZ 16 /* max size of client/server write_IV */ - -/* keys and secrets - * keep as a constant size (no additional ifdefs) for session export */ -typedef struct Keys { - byte client_write_MAC_secret[MAX_DIGEST_SIZE]; /* max sizes */ - byte server_write_MAC_secret[MAX_DIGEST_SIZE]; - byte client_write_key[AES_256_KEY_SIZE]; /* max sizes */ - byte server_write_key[AES_256_KEY_SIZE]; - byte client_write_IV[MAX_WRITE_IV_SZ]; /* max sizes */ - byte server_write_IV[MAX_WRITE_IV_SZ]; -#if defined(HAVE_AEAD) || defined(WOLFSSL_SESSION_EXPORT) - byte aead_exp_IV[AEAD_MAX_EXP_SZ]; - byte aead_enc_imp_IV[AEAD_MAX_IMP_SZ]; - byte aead_dec_imp_IV[AEAD_MAX_IMP_SZ]; -#endif - - word32 peer_sequence_number_hi; - word32 peer_sequence_number_lo; - word32 sequence_number_hi; - word32 sequence_number_lo; - -#ifdef WOLFSSL_DTLS - word32 window[WOLFSSL_DTLS_WINDOW_WORDS]; - /* Sliding window for current epoch */ - word16 nextEpoch; /* Expected epoch in next record */ - word16 nextSeq_hi; /* Expected sequence in next record */ - word32 nextSeq_lo; - - word16 curEpoch; /* Received epoch in current record */ - word16 curSeq_hi; /* Received sequence in current record */ - word32 curSeq_lo; - - word32 prevWindow[WOLFSSL_DTLS_WINDOW_WORDS]; - /* Sliding window for old epoch */ - word16 prevSeq_hi; /* Next sequence in allowed old epoch */ - word32 prevSeq_lo; - - word16 dtls_peer_handshake_number; - word16 dtls_expected_peer_handshake_number; - - word16 dtls_epoch; /* Current epoch */ - word16 dtls_sequence_number_hi; /* Current epoch */ - word32 dtls_sequence_number_lo; - word16 dtls_prev_sequence_number_hi; /* Previous epoch */ - word32 dtls_prev_sequence_number_lo; - word16 dtls_handshake_number; /* Current tx handshake seq */ -#endif - - word32 encryptSz; /* last size of encrypted data */ - word32 padSz; /* how much to advance after decrypt part */ - byte encryptionOn; /* true after change cipher spec */ - byte decryptedCur; /* only decrypt current record once */ -} Keys; - - - -/** TLS Extensions - RFC 6066 */ -#ifdef HAVE_TLS_EXTENSIONS - -typedef enum { - TLSX_SERVER_NAME = 0x0000, /* a.k.a. SNI */ - TLSX_MAX_FRAGMENT_LENGTH = 0x0001, - TLSX_TRUNCATED_HMAC = 0x0004, - TLSX_STATUS_REQUEST = 0x0005, /* a.k.a. OCSP stapling */ - TLSX_SUPPORTED_GROUPS = 0x000a, /* a.k.a. Supported Curves */ - TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */ - TLSX_STATUS_REQUEST_V2 = 0x0011, /* a.k.a. OCSP stapling v2 */ - TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */ - TLSX_SESSION_TICKET = 0x0023, - TLSX_RENEGOTIATION_INFO = 0xff01 -} TLSX_Type; - -typedef struct TLSX { - TLSX_Type type; /* Extension Type */ - void* data; /* Extension Data */ - byte resp; /* IsResponse Flag */ - struct TLSX* next; /* List Behavior */ -} TLSX; - -WOLFSSL_LOCAL TLSX* TLSX_Find(TLSX* list, TLSX_Type type); -WOLFSSL_LOCAL void TLSX_FreeAll(TLSX* list, void* heap); -WOLFSSL_LOCAL int TLSX_SupportExtensions(WOLFSSL* ssl); -WOLFSSL_LOCAL int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isRequest); - -#ifndef NO_WOLFSSL_CLIENT -WOLFSSL_LOCAL word16 TLSX_GetRequestSize(WOLFSSL* ssl); -WOLFSSL_LOCAL word16 TLSX_WriteRequest(WOLFSSL* ssl, byte* output); -#endif - -#ifndef NO_WOLFSSL_SERVER -WOLFSSL_LOCAL word16 TLSX_GetResponseSize(WOLFSSL* ssl); -WOLFSSL_LOCAL word16 TLSX_WriteResponse(WOLFSSL* ssl, byte* output); -#endif - -WOLFSSL_LOCAL int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, - byte isRequest, Suites *suites); - -#elif defined(HAVE_SNI) \ - || defined(HAVE_MAX_FRAGMENT) \ - || defined(HAVE_TRUNCATED_HMAC) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) \ - || defined(HAVE_SUPPORTED_CURVES) \ - || defined(HAVE_ALPN) \ - || defined(HAVE_QSH) \ - || defined(HAVE_SESSION_TICKET) \ - || defined(HAVE_SECURE_RENEGOTIATION) \ - || defined(HAVE_SERVER_RENEGOTIATION_INFO) - -#error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined. - -#endif /* HAVE_TLS_EXTENSIONS */ - -/** Server Name Indication - RFC 6066 (session 3) */ -#ifdef HAVE_SNI - -typedef struct SNI { - byte type; /* SNI Type */ - union { char* host_name; } data; /* SNI Data */ - struct SNI* next; /* List Behavior */ -#ifndef NO_WOLFSSL_SERVER - byte options; /* Behavior options */ - byte status; /* Matching result */ -#endif -} SNI; - -WOLFSSL_LOCAL int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, - word16 size, void* heap); - -#ifndef NO_WOLFSSL_SERVER -WOLFSSL_LOCAL void TLSX_SNI_SetOptions(TLSX* extensions, byte type, - byte options); -WOLFSSL_LOCAL byte TLSX_SNI_Status(TLSX* extensions, byte type); -WOLFSSL_LOCAL word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, - void** data); -WOLFSSL_LOCAL int TLSX_SNI_GetFromBuffer(const byte* buffer, word32 bufferSz, - byte type, byte* sni, word32* inOutSz); -#endif - -#endif /* HAVE_SNI */ - -/* Application-Layer Protocol Negotiation - RFC 7301 */ -#ifdef HAVE_ALPN -typedef struct ALPN { - char* protocol_name; /* ALPN protocol name */ - struct ALPN* next; /* List Behavior */ - byte options; /* Behavior options */ - byte negotiated; /* ALPN protocol negotiated or not */ -} ALPN; - -WOLFSSL_LOCAL int TLSX_ALPN_GetRequest(TLSX* extensions, - void** data, word16 *dataSz); - -WOLFSSL_LOCAL int TLSX_UseALPN(TLSX** extensions, const void* data, - word16 size, byte options, void* heap); - -WOLFSSL_LOCAL int TLSX_ALPN_SetOptions(TLSX** extensions, const byte option); - -#endif /* HAVE_ALPN */ - -/** Maximum Fragment Length Negotiation - RFC 6066 (session 4) */ -#ifdef HAVE_MAX_FRAGMENT - -WOLFSSL_LOCAL int TLSX_UseMaxFragment(TLSX** extensions, byte mfl, void* heap); - -#endif /* HAVE_MAX_FRAGMENT */ - -/** Truncated HMAC - RFC 6066 (session 7) */ -#ifdef HAVE_TRUNCATED_HMAC - -WOLFSSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions, void* heap); - -#endif /* HAVE_TRUNCATED_HMAC */ - -/** Certificate Status Request - RFC 6066 (session 8) */ -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST - -typedef struct { - byte status_type; - byte options; - union { - OcspRequest ocsp; - } request; -} CertificateStatusRequest; - -WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions, - byte status_type, byte options, void* heap, int devId); -WOLFSSL_LOCAL int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert, - void* heap); -WOLFSSL_LOCAL void* TLSX_CSR_GetRequest(TLSX* extensions); -WOLFSSL_LOCAL int TLSX_CSR_ForceRequest(WOLFSSL* ssl); - -#endif - -/** Certificate Status Request v2 - RFC 6961 */ -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - -typedef struct CSRIv2 { - byte status_type; - byte options; - word16 requests; - union { - OcspRequest ocsp[1 + MAX_CHAIN_DEPTH]; - } request; - struct CSRIv2* next; -} CertificateStatusRequestItemV2; - -WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, - byte status_type, byte options, void* heap, int devId); -WOLFSSL_LOCAL int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, - byte isPeer, void* heap); -WOLFSSL_LOCAL void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, - byte index); -WOLFSSL_LOCAL int TLSX_CSR2_ForceRequest(WOLFSSL* ssl); - -#endif - -/** Supported Elliptic Curves - RFC 4492 (session 4) */ -#ifdef HAVE_SUPPORTED_CURVES - -typedef struct EllipticCurve { - word16 name; /* CurveNames */ - struct EllipticCurve* next; /* List Behavior */ -} EllipticCurve; - -WOLFSSL_LOCAL int TLSX_UseSupportedCurve(TLSX** extensions, word16 name, - void* heap); - -#ifndef NO_WOLFSSL_SERVER -WOLFSSL_LOCAL int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, - byte second); -#endif - -#endif /* HAVE_SUPPORTED_CURVES */ - -/** Renegotiation Indication - RFC 5746 */ -#if defined(HAVE_SECURE_RENEGOTIATION) \ - || defined(HAVE_SERVER_RENEGOTIATION_INFO) - -enum key_cache_state { - SCR_CACHE_NULL = 0, /* empty / begin state */ - SCR_CACHE_NEEDED, /* need to cache keys */ - SCR_CACHE_COPY, /* we have a cached copy */ - SCR_CACHE_PARTIAL, /* partial restore to real keys */ - SCR_CACHE_COMPLETE /* complete restore to real keys */ -}; - -/* Additional Connection State according to rfc5746 section 3.1 */ -typedef struct SecureRenegotiation { - byte enabled; /* secure_renegotiation flag in rfc */ - byte startScr; /* server requested client to start scr */ - enum key_cache_state cache_status; /* track key cache state */ - byte client_verify_data[TLS_FINISHED_SZ]; /* cached */ - byte server_verify_data[TLS_FINISHED_SZ]; /* cached */ - byte subject_hash[SHA_DIGEST_SIZE]; /* peer cert hash */ - Keys tmp_keys; /* can't overwrite real keys yet */ -} SecureRenegotiation; - -WOLFSSL_LOCAL int TLSX_UseSecureRenegotiation(TLSX** extensions, void* heap); - -#ifdef HAVE_SERVER_RENEGOTIATION_INFO -WOLFSSL_LOCAL int TLSX_AddEmptyRenegotiationInfo(TLSX** extensions, void* heap); -#endif - -#endif /* HAVE_SECURE_RENEGOTIATION */ - -/** Session Ticket - RFC 5077 (session 3.2) */ -#ifdef HAVE_SESSION_TICKET - -typedef struct SessionTicket { - word32 lifetime; - byte* data; - word16 size; -} SessionTicket; - -WOLFSSL_LOCAL int TLSX_UseSessionTicket(TLSX** extensions, - SessionTicket* ticket, void* heap); -WOLFSSL_LOCAL SessionTicket* TLSX_SessionTicket_Create(word32 lifetime, - byte* data, word16 size, void* heap); -WOLFSSL_LOCAL void TLSX_SessionTicket_Free(SessionTicket* ticket, void* heap); - -#endif /* HAVE_SESSION_TICKET */ - -/** Quantum-Safe-Hybrid - draft-whyte-qsh-tls12-00 */ -#ifdef HAVE_QSH - -typedef struct QSHScheme { - struct QSHScheme* next; /* List Behavior */ - byte* PK; - word16 name; /* QSHScheme Names */ - word16 PKLen; -} QSHScheme; - -typedef struct QSHkey { - struct QSHKey* next; - word16 name; - buffer pub; - buffer pri; -} QSHKey; - -typedef struct QSHSecret { - QSHScheme* list; - buffer* SerSi; - buffer* CliSi; -} QSHSecret; - -/* used in key exchange during handshake */ -WOLFSSL_LOCAL int TLSX_QSHCipher_Parse(WOLFSSL* ssl, const byte* input, - word16 length, byte isServer); -WOLFSSL_LOCAL word16 TLSX_QSHPK_Write(QSHScheme* list, byte* output); -WOLFSSL_LOCAL word16 TLSX_QSH_GetSize(QSHScheme* list, byte isRequest); - -/* used by api for setting a specific QSH scheme */ -WOLFSSL_LOCAL int TLSX_UseQSHScheme(TLSX** extensions, word16 name, - byte* pKey, word16 pKeySz, void* heap); - -/* used when parsing in QSHCipher structs */ -WOLFSSL_LOCAL int QSH_Decrypt(QSHKey* key, byte* in, word32 szIn, - byte* out, word16* szOut); -#ifndef NO_WOLFSSL_SERVER -WOLFSSL_LOCAL int TLSX_ValidateQSHScheme(TLSX** extensions, word16 name); -#endif - -#endif /* HAVE_QSH */ - - -/* wolfSSL context type */ -struct WOLFSSL_CTX { - WOLFSSL_METHOD* method; -#ifdef SINGLE_THREADED - WC_RNG* rng; /* to be shared with WOLFSSL w/o locking */ -#endif - wolfSSL_Mutex countMutex; /* reference count mutex */ - int refCount; /* reference count */ - int err; /* error code in case of mutex not created */ -#ifndef NO_DH - buffer serverDH_P; - buffer serverDH_G; -#endif -#ifndef NO_CERTS - DerBuffer* certificate; - DerBuffer* certChain; - /* chain after self, in DER, with leading size for each cert */ - #ifdef OPENSSL_EXTRA - STACK_OF(WOLFSSL_X509_NAME)* ca_names; - #endif - #ifdef WOLFSSL_NGINX - STACK_OF(WOLFSSL_X509)* x509Chain; - #endif - DerBuffer* privateKey; - WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */ -#endif -#ifdef KEEP_OUR_CERT - WOLFSSL_X509* ourCert; /* keep alive a X509 struct of cert */ - int ownOurCert; /* Dispose of certificate if we own */ -#endif - Suites* suites; /* make dynamic, user may not need/set */ - void* heap; /* for user memory overrides */ - int verifyDepth; - byte verifyPeer; - byte verifyNone; - byte failNoCert; - byte failNoCertxPSK; /* fail if no cert with the exception of PSK*/ - byte sessionCacheOff; - byte sessionCacheFlushOff; -#ifdef HAVE_EXT_CACHE - byte internalCacheOff; -#endif - byte sendVerify; /* for client side */ - byte haveRSA; /* RSA available */ - byte haveECC; /* ECC available */ - byte haveDH; /* server DH parms set by user */ - byte haveNTRU; /* server private NTRU key loaded */ - byte haveECDSAsig; /* server cert signed w/ ECDSA */ - byte haveStaticECC; /* static server ECC private key */ - byte partialWrite; /* only one msg per write call */ - byte quietShutdown; /* don't send close notify */ - byte groupMessages; /* group handshake messages before sending */ - byte minDowngrade; /* minimum downgrade version */ - byte haveEMS; /* have extended master secret extension */ - byte useClientOrder; /* Use client's cipher preference order */ -#if defined(WOLFSSL_SCTP) && defined(WOLFSSL_DTLS) - byte dtlsSctp; /* DTLS-over-SCTP mode */ - word16 dtlsMtuSz; /* DTLS MTU size */ -#endif -#ifndef NO_DH - word16 minDhKeySz; /* minimum DH key size */ -#endif -#ifndef NO_RSA - short minRsaKeySz; /* minimum RSA key size */ -#endif -#ifdef HAVE_ECC - short minEccKeySz; /* minimum ECC key size */ -#endif -#ifdef OPENSSL_EXTRA - byte sessionCtx[ID_LEN]; /* app session context ID */ - unsigned long mask; /* store SSL_OP_ flags */ - byte sessionCtxSz; - CallbackInfoState* CBIS; /* used to get info about SSL state */ -#endif - CallbackIORecv CBIORecv; - CallbackIOSend CBIOSend; -#ifdef WOLFSSL_DTLS - CallbackGenCookie CBIOCookie; /* gen cookie callback */ - wc_dtls_export dtls_export; /* export function for DTLS session */ -#ifdef WOLFSSL_SESSION_EXPORT - CallbackGetPeer CBGetPeer; - CallbackSetPeer CBSetPeer; -#endif -#endif /* WOLFSSL_DTLS */ - VerifyCallback verifyCallback; /* cert verification callback */ - word32 timeout; /* session timeout */ -#ifdef HAVE_ECC - word16 eccTempKeySz; /* in octets 20 - 66 */ - word32 ecdhCurveOID; /* curve Ecc_Sum */ - word32 pkCurveOID; /* curve Ecc_Sum */ -#endif -#ifndef NO_PSK - byte havePSK; /* psk key set by user */ - wc_psk_client_callback client_psk_cb; /* client callback */ - wc_psk_server_callback server_psk_cb; /* server callback */ - char server_hint[MAX_PSK_ID_LEN]; -#endif /* NO_PSK */ -#ifdef HAVE_ANON - byte haveAnon; /* User wants to allow Anon suites */ -#endif /* HAVE_ANON */ -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) - pem_password_cb* passwd_cb; - void* userdata; - WOLFSSL_X509_STORE x509_store; /* points to ctx->cm */ - WOLFSSL_X509_STORE* x509_store_pt; /* take ownership of external store */ - byte readAhead; - void* userPRFArg; /* passed to prf callback */ -#endif /* OPENSSL_EXTRA */ -#ifdef HAVE_EX_DATA - void* ex_data[MAX_EX_DATA]; -#endif -#if defined(HAVE_ALPN) && defined(WOLFSSL_NGINX) - CallbackALPNSelect alpnSelect; - void* alpnSelectArg; -#endif -#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) - CallbackSniRecv sniRecvCb; - void* sniRecvCbArg; -#endif -#ifdef HAVE_OCSP - WOLFSSL_OCSP ocsp; -#endif - int devId; /* async device id to use */ -#ifdef HAVE_TLS_EXTENSIONS - TLSX* extensions; /* RFC 6066 TLS Extensions data */ - #ifndef NO_WOLFSSL_SERVER - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - OcspRequest* certOcspRequest; - #endif - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - OcspRequest* chainOcspRequest[MAX_CHAIN_DEPTH]; - #endif - #endif - #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) - SessionTicketEncCb ticketEncCb; /* enc/dec session ticket Cb */ - void* ticketEncCtx; /* session encrypt context */ - int ticketHint; /* ticket hint in seconds */ - #endif - #ifdef HAVE_SUPPORTED_CURVES - byte userCurves; /* indicates user called wolfSSL_CTX_UseSupportedCurve */ - #endif -#endif -#ifdef ATOMIC_USER - CallbackMacEncrypt MacEncryptCb; /* Atomic User Mac/Encrypt Cb */ - CallbackDecryptVerify DecryptVerifyCb; /* Atomic User Decrypt/Verify Cb */ -#endif -#ifdef HAVE_PK_CALLBACKS - #ifdef HAVE_ECC - CallbackEccSign EccSignCb; /* User EccSign Callback handler */ - CallbackEccVerify EccVerifyCb; /* User EccVerify Callback handler */ - CallbackEccSharedSecret EccSharedSecretCb; /* User EccVerify Callback handler */ - #endif /* HAVE_ECC */ - #ifndef NO_RSA - CallbackRsaSign RsaSignCb; /* User RsaSign Callback handler */ - CallbackRsaVerify RsaVerifyCb; /* User RsaVerify Callback handler */ - CallbackRsaEnc RsaEncCb; /* User Rsa Public Encrypt handler */ - CallbackRsaDec RsaDecCb; /* User Rsa Private Decrypt handler */ - #endif /* NO_RSA */ -#endif /* HAVE_PK_CALLBACKS */ -#ifdef HAVE_WOLF_EVENT - WOLF_EVENT_QUEUE event_queue; -#endif /* HAVE_WOLF_EVENT */ -#ifdef HAVE_EXT_CACHE - WOLFSSL_SESSION*(*get_sess_cb)(WOLFSSL*, unsigned char*, int, int*); - int (*new_sess_cb)(WOLFSSL*, WOLFSSL_SESSION*); - void (*rem_sess_cb)(WOLFSSL_CTX*, WOLFSSL_SESSION*); -#endif -}; - - -WOLFSSL_LOCAL -WOLFSSL_CTX* wolfSSL_CTX_new_ex(WOLFSSL_METHOD* method, void* heap); -WOLFSSL_LOCAL -int InitSSL_Ctx(WOLFSSL_CTX*, WOLFSSL_METHOD*, void* heap); -WOLFSSL_LOCAL -void FreeSSL_Ctx(WOLFSSL_CTX*); -WOLFSSL_LOCAL -void SSL_CtxResourceFree(WOLFSSL_CTX*); - -WOLFSSL_LOCAL -int DeriveTlsKeys(WOLFSSL* ssl); -WOLFSSL_LOCAL -int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - word32 inSz, word16 sz); -#ifndef NO_CERTS - WOLFSSL_LOCAL - int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify); - WOLFSSL_LOCAL - int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash); -#ifdef WOLFSSL_TRUST_PEER_CERT - WOLFSSL_LOCAL - int AddTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int verify); - WOLFSSL_LOCAL - int AlreadyTrustedPeer(WOLFSSL_CERT_MANAGER* cm, byte* hash); -#endif -#endif - -/* All cipher suite related info - * Keep as a constant size (no ifdefs) for session export */ -typedef struct CipherSpecs { - word16 key_size; - word16 iv_size; - word16 block_size; - word16 aead_mac_size; - byte bulk_cipher_algorithm; - byte cipher_type; /* block, stream, or aead */ - byte mac_algorithm; - byte kea; /* key exchange algo */ - byte sig_algo; - byte hash_size; - byte pad_size; - byte static_ecdh; -} CipherSpecs; - - -void InitCipherSpecs(CipherSpecs* cs); - - -/* Supported Message Authentication Codes from page 43 */ -enum MACAlgorithm { - no_mac, - md5_mac, - sha_mac, - sha224_mac, - sha256_mac, /* needs to match external KDF_MacAlgorithm */ - sha384_mac, - sha512_mac, - rmd_mac, - blake2b_mac -}; - - -/* Supported Key Exchange Protocols */ -enum KeyExchangeAlgorithm { - no_kea, - rsa_kea, - diffie_hellman_kea, - fortezza_kea, - psk_kea, - dhe_psk_kea, - ecdhe_psk_kea, - ntru_kea, - ecc_diffie_hellman_kea, - ecc_static_diffie_hellman_kea /* for verify suite only */ -}; - - -/* Supported Authentication Schemes */ -enum SignatureAlgorithm { - anonymous_sa_algo, - rsa_sa_algo, - dsa_sa_algo, - ecc_dsa_sa_algo -}; - - -/* Supprted ECC Curve Types */ -enum EccCurves { - named_curve = 3 -}; - - -/* Valid client certificate request types from page 27 */ -enum ClientCertificateType { - rsa_sign = 1, - dss_sign = 2, - rsa_fixed_dh = 3, - dss_fixed_dh = 4, - rsa_ephemeral_dh = 5, - dss_ephemeral_dh = 6, - fortezza_kea_cert = 20, - ecdsa_sign = 64, - rsa_fixed_ecdh = 65, - ecdsa_fixed_ecdh = 66 -}; - - -enum CipherType { stream, block, aead }; - - - - - - -/* cipher for now */ -typedef struct Ciphers { -#ifdef BUILD_ARC4 - Arc4* arc4; -#endif -#ifdef BUILD_DES3 - Des3* des3; -#endif -#if defined(BUILD_AES) || defined(BUILD_AESGCM) - Aes* aes; - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - byte* additional; - byte* nonce; - #endif -#endif -#ifdef HAVE_CAMELLIA - Camellia* cam; -#endif -#ifdef HAVE_CHACHA - ChaCha* chacha; -#endif -#ifdef HAVE_HC128 - HC128* hc128; -#endif -#ifdef BUILD_RABBIT - Rabbit* rabbit; -#endif -#ifdef HAVE_IDEA - Idea* idea; -#endif - byte state; - byte setup; /* have we set it up flag for detection */ -} Ciphers; - - -#ifdef HAVE_ONE_TIME_AUTH -/* Ciphers for one time authentication such as poly1305 */ -typedef struct OneTimeAuth { -#ifdef HAVE_POLY1305 - Poly1305* poly1305; -#endif - byte setup; /* flag for if a cipher has been set */ - -} OneTimeAuth; -#endif - - -WOLFSSL_LOCAL void InitCiphers(WOLFSSL* ssl); -WOLFSSL_LOCAL void FreeCiphers(WOLFSSL* ssl); - - -/* hashes type */ -typedef struct Hashes { - #if !defined(NO_MD5) && !defined(NO_OLD_TLS) - byte md5[MD5_DIGEST_SIZE]; - #endif - #if !defined(NO_SHA) - byte sha[SHA_DIGEST_SIZE]; - #endif - #ifndef NO_SHA256 - byte sha256[SHA256_DIGEST_SIZE]; - #endif - #ifdef WOLFSSL_SHA384 - byte sha384[SHA384_DIGEST_SIZE]; - #endif - #ifdef WOLFSSL_SHA512 - byte sha512[SHA512_DIGEST_SIZE]; - #endif -} Hashes; - - -/* Static x509 buffer */ -typedef struct x509_buffer { - int length; /* actual size */ - byte buffer[MAX_X509_SIZE]; /* max static cert size */ -} x509_buffer; - - -/* wolfSSL X509_CHAIN, for no dynamic memory SESSION_CACHE */ -struct WOLFSSL_X509_CHAIN { - int count; /* total number in chain */ - x509_buffer certs[MAX_CHAIN_DEPTH]; /* only allow max depth 4 for now */ -}; - - -/* wolfSSL session type */ -struct WOLFSSL_SESSION { - word32 bornOn; /* create time in seconds */ - word32 timeout; /* timeout in seconds */ - byte sessionID[ID_LEN]; /* id for protocol */ - byte sessionIDSz; - byte masterSecret[SECRET_LEN]; /* stored secret */ - word16 haveEMS; /* ext master secret flag */ -#ifdef SESSION_CERTS - WOLFSSL_X509_CHAIN chain; /* peer cert chain, static */ - ProtocolVersion version; /* which version was used */ - byte cipherSuite0; /* first byte, normally 0 */ - byte cipherSuite; /* 2nd byte, actual suite */ -#endif -#ifndef NO_CLIENT_CACHE - word16 idLen; /* serverID length */ - byte serverID[SERVER_ID_LEN]; /* for easier client lookup */ -#endif -#ifdef OPENSSL_EXTRA - byte sessionCtxSz; /* sessionCtx length */ - byte sessionCtx[ID_LEN]; /* app specific context id */ -#endif -#ifdef HAVE_SESSION_TICKET - byte* ticket; - word16 ticketLen; - byte staticTicket[SESSION_TICKET_LEN]; - byte isDynamic; -#endif -#ifdef HAVE_EXT_CACHE - byte isAlloced; -#endif -#ifdef HAVE_EX_DATA - void* ex_data[MAX_EX_DATA]; -#endif -}; - - -WOLFSSL_LOCAL -WOLFSSL_SESSION* GetSession(WOLFSSL*, byte*, byte); -WOLFSSL_LOCAL -int SetSession(WOLFSSL*, WOLFSSL_SESSION*); - -typedef int (*hmacfp) (WOLFSSL*, byte*, const byte*, word32, int, int); - -#ifndef NO_CLIENT_CACHE - WOLFSSL_SESSION* GetSessionClient(WOLFSSL*, const byte*, int); -#endif - -/* client connect state for nonblocking restart */ -enum ConnectState { - CONNECT_BEGIN = 0, - CLIENT_HELLO_SENT, - HELLO_AGAIN, /* HELLO_AGAIN s for DTLS case */ - HELLO_AGAIN_REPLY, - FIRST_REPLY_DONE, - FIRST_REPLY_FIRST, - FIRST_REPLY_SECOND, - FIRST_REPLY_THIRD, - FIRST_REPLY_FOURTH, - FINISHED_DONE, - SECOND_REPLY_DONE -}; - - -/* server accept state for nonblocking restart */ -enum AcceptState { - ACCEPT_BEGIN = 0, - ACCEPT_CLIENT_HELLO_DONE, - ACCEPT_FIRST_REPLY_DONE, - SERVER_HELLO_SENT, - CERT_SENT, - CERT_STATUS_SENT, - KEY_EXCHANGE_SENT, - CERT_REQ_SENT, - SERVER_HELLO_DONE, - ACCEPT_SECOND_REPLY_DONE, - TICKET_SENT, - CHANGE_CIPHER_SENT, - ACCEPT_FINISHED_DONE, - ACCEPT_THIRD_REPLY_DONE -}; - -/* buffers for struct WOLFSSL */ -typedef struct Buffers { - bufferStatic inputBuffer; - bufferStatic outputBuffer; - buffer domainName; /* for client check */ - buffer clearOutputBuffer; - buffer sig; /* signature data */ - buffer digest; /* digest data */ - int prevSent; /* previous plain text bytes sent - when got WANT_WRITE */ - int plainSz; /* plain text bytes in buffer to send - when got WANT_WRITE */ - byte weOwnCert; /* SSL own cert flag */ - byte weOwnCertChain; /* SSL own cert chain flag */ - byte weOwnKey; /* SSL own key flag */ - byte weOwnDH; /* SSL own dh (p,g) flag */ -#ifndef NO_DH - buffer serverDH_P; /* WOLFSSL_CTX owns, unless we own */ - buffer serverDH_G; /* WOLFSSL_CTX owns, unless we own */ - buffer serverDH_Pub; - buffer serverDH_Priv; - DhKey* serverDH_Key; -#endif -#ifndef NO_CERTS - DerBuffer* certificate; /* WOLFSSL_CTX owns, unless we own */ - DerBuffer* key; /* WOLFSSL_CTX owns, unless we own */ - DerBuffer* certChain; /* WOLFSSL_CTX owns, unless we own */ - /* chain after self, in DER, with leading size for each cert */ -#endif -#ifdef WOLFSSL_DTLS - WOLFSSL_DTLS_CTX dtlsCtx; /* DTLS connection context */ - #ifndef NO_WOLFSSL_SERVER - buffer dtlsCookieSecret; /* DTLS cookie secret */ - #endif /* NO_WOLFSSL_SERVER */ -#endif -#ifdef HAVE_PK_CALLBACKS - #ifdef HAVE_ECC - buffer peerEccDsaKey; /* we own for Ecc Verify Callbacks */ - #endif /* HAVE_ECC */ - #ifndef NO_RSA - buffer peerRsaKey; /* we own for Rsa Verify Callbacks */ - #endif /* NO_RSA */ -#endif /* HAVE_PK_CALLBACKS */ -} Buffers; - -typedef struct Options { -#ifndef NO_PSK - wc_psk_client_callback client_psk_cb; - wc_psk_server_callback server_psk_cb; - word16 havePSK:1; /* psk key set by user */ -#endif /* NO_PSK */ -#ifdef OPENSSL_EXTRA - unsigned long mask; /* store SSL_OP_ flags */ -#endif - - /* on/off or small bit flags, optimize layout */ - word16 sendVerify:2; /* false = 0, true = 1, sendBlank = 2 */ - word16 sessionCacheOff:1; - word16 sessionCacheFlushOff:1; -#ifdef HAVE_EXT_CACHE - word16 internalCacheOff:1; -#endif - word16 side:1; /* client or server end */ - word16 verifyPeer:1; - word16 verifyNone:1; - word16 failNoCert:1; - word16 failNoCertxPSK:1; /* fail for no cert except with PSK */ - word16 downgrade:1; /* allow downgrade of versions */ - word16 resuming:1; - word16 haveSessionId:1; /* server may not send */ - word16 tls:1; /* using TLS ? */ - word16 tls1_1:1; /* using TLSv1.1+ ? */ - word16 dtls:1; /* using datagrams ? */ - word16 connReset:1; /* has the peer reset */ - word16 isClosed:1; /* if we consider conn closed */ - word16 closeNotify:1; /* we've received a close notify */ - word16 sentNotify:1; /* we've sent a close notify */ - word16 usingCompression:1; /* are we using compression */ - word16 haveRSA:1; /* RSA available */ - word16 haveECC:1; /* ECC available */ - word16 haveDH:1; /* server DH parms set by user */ - word16 haveNTRU:1; /* server NTRU private key loaded */ - word16 haveQSH:1; /* have QSH ability */ - word16 haveECDSAsig:1; /* server ECDSA signed cert */ - word16 haveStaticECC:1; /* static server ECC private key */ - word16 havePeerCert:1; /* do we have peer's cert */ - word16 havePeerVerify:1; /* and peer's cert verify */ - word16 usingPSK_cipher:1; /* are using psk as cipher */ - word16 usingAnon_cipher:1; /* are we using an anon cipher */ - word16 sendAlertState:1; /* nonblocking resume */ - word16 partialWrite:1; /* only one msg per write call */ - word16 quietShutdown:1; /* don't send close notify */ - word16 certOnly:1; /* stop once we get cert */ - word16 groupMessages:1; /* group handshake messages */ - word16 usingNonblock:1; /* are we using nonblocking socket */ - word16 saveArrays:1; /* save array Memory for user get keys - or psk */ - word16 weOwnRng:1; /* will be true unless CTX owns */ -#ifdef HAVE_POLY1305 - word16 oldPoly:1; /* set when to use old rfc way of poly*/ -#endif -#ifdef HAVE_ANON - word16 haveAnon:1; /* User wants to allow Anon suites */ -#endif -#ifdef HAVE_SESSION_TICKET - word16 createTicket:1; /* Server to create new Ticket */ - word16 useTicket:1; /* Use Ticket not session cache */ - word16 rejectTicket:1; /* Callback rejected ticket */ -#endif -#ifdef WOLFSSL_DTLS - word16 dtlsHsRetain:1; /* DTLS retaining HS data */ -#ifdef WOLFSSL_SCTP - word16 dtlsSctp:1; /* DTLS-over-SCTP mode */ -#endif -#endif - word16 haveEMS:1; /* using extended master secret */ -#if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SUPPORTED_CURVES) - word16 userCurves:1; /* indicates user called wolfSSL_UseSupportedCurve */ -#endif - word16 keepResources:1; /* Keep resources after handshake */ - word16 useClientOrder:1; /* Use client's cipher order */ - - /* need full byte values for this section */ - byte processReply; /* nonblocking resume */ - byte cipherSuite0; /* first byte, normally 0 */ - byte cipherSuite; /* second byte, actual suite */ - byte serverState; - byte clientState; - byte handShakeState; - byte handShakeDone; /* at least one handshake complete */ - byte minDowngrade; /* minimum downgrade version */ - byte connectState; /* nonblocking resume */ - byte acceptState; /* nonblocking resume */ - byte asyncState; /* sub-state for enum asyncState */ - byte buildMsgState; /* sub-state for enum buildMsgState */ -#ifndef NO_DH - word16 minDhKeySz; /* minimum DH key size */ - word16 dhKeySz; /* actual DH key size */ -#endif -#ifndef NO_RSA - short minRsaKeySz; /* minimum RSA key size */ -#endif -#ifdef HAVE_ECC - short minEccKeySz; /* minimum ECC key size */ -#endif - -} Options; - -typedef struct Arrays { - byte* pendingMsg; /* defrag buffer */ - byte* preMasterSecret; - word32 preMasterSz; /* differs for DH, actual size */ - word32 pendingMsgSz; /* defrag buffer size */ - word32 pendingMsgOffset; /* current offset into defrag buffer */ -#ifndef NO_PSK - word32 psk_keySz; /* actual size */ - char client_identity[MAX_PSK_ID_LEN]; - char server_hint[MAX_PSK_ID_LEN]; - byte psk_key[MAX_PSK_KEY_LEN]; -#endif - byte clientRandom[RAN_LEN]; - byte serverRandom[RAN_LEN]; - byte sessionID[ID_LEN]; - byte sessionIDSz; - byte masterSecret[SECRET_LEN]; -#ifdef WOLFSSL_DTLS - byte cookie[MAX_COOKIE_LEN]; - byte cookieSz; -#endif - byte pendingMsgType; /* defrag buffer message type */ -} Arrays; - -#ifndef ASN_NAME_MAX -#define ASN_NAME_MAX 256 -#endif - -#ifndef MAX_DATE_SZ -#define MAX_DATE_SZ 32 -#endif - -struct WOLFSSL_STACK { - unsigned long num; /* number of nodes in stack - * (saftey measure for freeing and shortcut for count) */ - union { - WOLFSSL_X509* x509; - WOLFSSL_X509_NAME* name; - WOLFSSL_BIO* bio; - WOLFSSL_ASN1_OBJECT* obj; - char* string; - } data; - WOLFSSL_STACK* next; -}; - - -struct WOLFSSL_X509_NAME { - char *name; - char staticName[ASN_NAME_MAX]; - int dynamicName; - int sz; -#if defined(OPENSSL_EXTRA) && !defined(NO_ASN) - DecodedName fullName; - WOLFSSL_X509_NAME_ENTRY cnEntry; - WOLFSSL_X509_NAME_ENTRY extra[MAX_NAME_ENTRIES]; /* extra entries added */ - WOLFSSL_X509* x509; /* x509 that struct belongs to */ -#endif /* OPENSSL_EXTRA */ -}; - -#ifndef EXTERNAL_SERIAL_SIZE - #define EXTERNAL_SERIAL_SIZE 32 -#endif - -#ifdef NO_ASN - typedef struct DNS_entry DNS_entry; -#endif - -struct WOLFSSL_X509 { - int version; - WOLFSSL_X509_NAME issuer; - WOLFSSL_X509_NAME subject; - int serialSz; - byte serial[EXTERNAL_SERIAL_SIZE]; - char subjectCN[ASN_NAME_MAX]; /* common name short cut */ -#ifdef WOLFSSL_CERT_REQ - char challengePw[CTC_NAME_SIZE]; /* for REQ certs */ -#endif -#ifdef WOLFSSL_SEP - int deviceTypeSz; - byte deviceType[EXTERNAL_SERIAL_SIZE]; - int hwTypeSz; - byte hwType[EXTERNAL_SERIAL_SIZE]; - int hwSerialNumSz; - byte hwSerialNum[EXTERNAL_SERIAL_SIZE]; - #ifdef OPENSSL_EXTRA - byte certPolicySet; - byte certPolicyCrit; - #endif /* OPENSSL_EXTRA */ -#endif - int notBeforeSz; - byte notBefore[MAX_DATE_SZ]; - int notAfterSz; - byte notAfter[MAX_DATE_SZ]; - int sigOID; - buffer sig; - int pubKeyOID; - buffer pubKey; - #ifdef HAVE_ECC - word32 pkCurveOID; - #endif /* HAVE_ECC */ - #ifndef NO_CERTS - DerBuffer* derCert; /* may need */ - #endif - DNS_entry* altNames; /* alt names list */ - DNS_entry* altNamesNext; /* hint for retrieval */ - void* heap; /* heap hint */ - byte dynamicMemory; /* dynamic memory flag */ - byte isCa; -#ifdef WOLFSSL_CERT_EXT - char certPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ]; - int certPoliciesNb; -#endif /* WOLFSSL_CERT_EXT */ -#ifdef OPENSSL_EXTRA -#ifdef HAVE_EX_DATA - void* ex_data[MAX_EX_DATA]; -#endif - word32 pathLength; - word16 keyUsage; - byte CRLdistSet; - byte CRLdistCrit; - byte* CRLInfo; - int CRLInfoSz; - byte authInfoSet; - byte authInfoCrit; - byte* authInfo; - int authInfoSz; - byte basicConstSet; - byte basicConstCrit; - byte basicConstPlSet; - byte subjAltNameSet; - byte subjAltNameCrit; - byte authKeyIdSet; - byte authKeyIdCrit; - byte* authKeyId; - word32 authKeyIdSz; - byte subjKeyIdSet; - byte subjKeyIdCrit; - byte* subjKeyId; - word32 subjKeyIdSz; - byte keyUsageSet; - byte keyUsageCrit; - byte extKeyUsageCrit; - byte* extKeyUsageSrc; - word32 extKeyUsageSz; - word32 extKeyUsageCount; -#endif /* OPENSSL_EXTRA */ -}; - - -/* record layer header for PlainText, Compressed, and CipherText */ -typedef struct RecordLayerHeader { - byte type; - byte pvMajor; - byte pvMinor; - byte length[2]; -} RecordLayerHeader; - - -/* record layer header for DTLS PlainText, Compressed, and CipherText */ -typedef struct DtlsRecordLayerHeader { - byte type; - byte pvMajor; - byte pvMinor; - byte sequence_number[8]; /* per record */ - byte length[2]; -} DtlsRecordLayerHeader; - - -typedef struct DtlsFrag { - word32 begin; - word32 end; - struct DtlsFrag* next; -} DtlsFrag; - - -typedef struct DtlsMsg { - struct DtlsMsg* next; - byte* buf; - byte* msg; - DtlsFrag* fragList; - word32 fragSz; /* Length of fragments received */ - word32 seq; /* Handshake sequence number */ - word32 sz; /* Length of whole mesage */ - byte type; -} DtlsMsg; - - -#ifdef HAVE_NETX - - /* NETX I/O Callback default */ - typedef struct NetX_Ctx { - NX_TCP_SOCKET* nxSocket; /* send/recv socket handle */ - NX_PACKET* nxPacket; /* incoming packet handle for short reads */ - ULONG nxOffset; /* offset already read from nxPacket */ - ULONG nxWait; /* wait option flag */ - } NetX_Ctx; - -#endif - - -/* Handshake messages received from peer (plus change cipher */ -typedef struct MsgsReceived { - word16 got_hello_request:1; - word16 got_client_hello:1; - word16 got_server_hello:1; - word16 got_hello_verify_request:1; - word16 got_session_ticket:1; - word16 got_certificate:1; - word16 got_certificate_status:1; - word16 got_server_key_exchange:1; - word16 got_certificate_request:1; - word16 got_server_hello_done:1; - word16 got_certificate_verify:1; - word16 got_client_key_exchange:1; - word16 got_finished:1; - word16 got_change_cipher:1; -} MsgsReceived; - - -/* Handshake hashes */ -typedef struct HS_Hashes { - Hashes verifyHashes; - Hashes certHashes; /* for cert verify */ -#ifndef NO_SHA - Sha hashSha; /* sha hash of handshake msgs */ -#endif -#if !defined(NO_MD5) && !defined(NO_OLD_TLS) - Md5 hashMd5; /* md5 hash of handshake msgs */ -#endif -#ifndef NO_SHA256 - Sha256 hashSha256; /* sha256 hash of handshake msgs */ -#endif -#ifdef WOLFSSL_SHA384 - Sha384 hashSha384; /* sha384 hash of handshake msgs */ -#endif -#ifdef WOLFSSL_SHA512 - Sha512 hashSha512; /* sha512 hash of handshake msgs */ -#endif -} HS_Hashes; - - -#ifdef WOLFSSL_ASYNC_CRYPT - #define MAX_ASYNC_ARGS 16 - typedef void (*FreeArgsCb)(struct WOLFSSL* ssl, void* pArgs); - - struct WOLFSSL_ASYNC { - WC_ASYNC_DEV* dev; - FreeArgsCb freeArgs; /* function pointer to cleanup args */ - word32 args[MAX_ASYNC_ARGS]; /* holder for current args */ - }; -#endif - -#ifdef HAVE_WRITE_DUP - - #define WRITE_DUP_SIDE 1 - #define READ_DUP_SIDE 2 - - typedef struct WriteDup { - wolfSSL_Mutex dupMutex; /* reference count mutex */ - int dupCount; /* reference count */ - int dupErr; /* under dupMutex, pass to other side */ - } WriteDup; - - WOLFSSL_LOCAL void FreeWriteDup(WOLFSSL* ssl); - WOLFSSL_LOCAL int NotifyWriteSide(WOLFSSL* ssl, int err); -#endif /* HAVE_WRITE_DUP */ - - -/* wolfSSL ssl type */ -struct WOLFSSL { - WOLFSSL_CTX* ctx; - Suites* suites; /* only need during handshake */ - Arrays* arrays; - HS_Hashes* hsHashes; - void* IOCB_ReadCtx; - void* IOCB_WriteCtx; - WC_RNG* rng; - void* verifyCbCtx; /* cert verify callback user ctx*/ - VerifyCallback verifyCallback; /* cert verification callback */ - void* heap; /* for user overrides */ -#ifdef HAVE_WRITE_DUP - WriteDup* dupWrite; /* valid pointer indicates ON */ - /* side that decrements dupCount to zero frees overall structure */ - byte dupSide; /* write side or read side */ -#endif - CallbackIORecv CBIORecv; - CallbackIOSend CBIOSend; -#ifdef WOLFSSL_STATIC_MEMORY - WOLFSSL_HEAP_HINT heap_hint; -#endif -#ifndef NO_HANDSHAKE_DONE_CB - HandShakeDoneCb hsDoneCb; /* notify user handshake done */ - void* hsDoneCtx; /* user handshake cb context */ -#endif -#ifdef WOLFSSL_ASYNC_CRYPT - struct WOLFSSL_ASYNC async; -#endif - void* hsKey; /* Handshake key (RsaKey or ecc_key) allocated from heap */ - word32 hsType; /* Type of Handshake key (hsKey) */ - WOLFSSL_CIPHER cipher; - hmacfp hmac; - Ciphers encrypt; - Ciphers decrypt; - Buffers buffers; - WOLFSSL_SESSION session; -#ifdef HAVE_EXT_CACHE - WOLFSSL_SESSION* extSession; -#endif - WOLFSSL_ALERT_HISTORY alert_history; - int verifyDepth; - int error; - int rfd; /* read file descriptor */ - int wfd; /* write file descriptor */ - int rflags; /* user read flags */ - int wflags; /* user write flags */ - word32 timeout; /* session timeout */ - word32 fragOffset; /* fragment offset */ - word16 curSize; - RecordLayerHeader curRL; - MsgsReceived msgsReceived; /* peer messages received */ - ProtocolVersion version; /* negotiated version */ - ProtocolVersion chVersion; /* client hello version */ - CipherSpecs specs; - Keys keys; - Options options; -#ifdef OPENSSL_EXTRA - CallbackInfoState* CBIS; /* used to get info about SSL state */ - WOLFSSL_BIO* biord; /* socket bio read to free/close */ - WOLFSSL_BIO* biowr; /* socket bio write to free/close */ - byte sessionCtx[ID_LEN]; /* app session context ID */ - unsigned long peerVerifyRet; - byte readAhead; - byte sessionCtxSz; /* size of sessionCtx stored */ -#ifdef HAVE_PK_CALLBACKS - void* loggingCtx; /* logging callback argument */ -#endif -#endif -#ifndef NO_RSA - RsaKey* peerRsaKey; - byte peerRsaKeyPresent; -#endif -#ifdef HAVE_QSH - QSHKey* QSH_Key; - QSHKey* peerQSHKey; - QSHSecret* QSH_secret; - byte isQSH; /* is the handshake a QSH? */ - byte sendQSHKeys; /* flag for if the client should sen - public keys */ - byte peerQSHKeyPresent; - byte minRequest; - byte maxRequest; - byte user_set_QSHSchemes; -#endif -#ifdef HAVE_NTRU - word16 peerNtruKeyLen; - byte peerNtruKey[MAX_NTRU_PUB_KEY_SZ]; - byte peerNtruKeyPresent; -#endif -#ifdef HAVE_ECC - ecc_key* peerEccKey; /* peer's ECDHE key */ - ecc_key* peerEccDsaKey; /* peer's ECDSA key */ - ecc_key* eccTempKey; /* private ECDHE key */ - int eccVerifyRes; - word32 pkCurveOID; /* curve Ecc_Sum */ - word32 ecdhCurveOID; /* curve Ecc_Sum */ - word16 eccTempKeySz; /* in octets 20 - 66 */ - byte peerEccKeyPresent; - byte peerEccDsaKeyPresent; - byte eccTempKeyPresent; -#endif -#ifdef HAVE_LIBZ - z_stream c_stream; /* compression stream */ - z_stream d_stream; /* decompression stream */ - byte didStreamInit; /* for stream init and end */ -#endif -#ifdef WOLFSSL_DTLS - int dtls_timeout_init; /* starting timeout value */ - int dtls_timeout_max; /* maximum timeout value */ - int dtls_timeout; /* current timeout value, changes */ - word32 dtls_tx_msg_list_sz; - word32 dtls_rx_msg_list_sz; - DtlsMsg* dtls_tx_msg_list; - DtlsMsg* dtls_rx_msg_list; - void* IOCB_CookieCtx; /* gen cookie ctx */ - word32 dtls_expected_rx; - wc_dtls_export dtls_export; /* export function for session */ -#ifdef WOLFSSL_SCTP - word16 dtlsMtuSz; -#endif /* WOLFSSL_SCTP */ -#endif -#ifdef WOLFSSL_CALLBACKS - TimeoutInfo timeoutInfo; /* info saved during handshake */ - HandShakeInfo handShakeInfo; /* info saved during handshake */ -#endif -#ifdef OPENSSL_EXTRA - SSL_Msg_Cb protoMsgCb; /* inspect protocol message callback */ - void* protoMsgCtx; /* user set context with msg callback */ -#endif -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - byte hsInfoOn; /* track handshake info */ - byte toInfoOn; /* track timeout info */ -#endif -#ifdef HAVE_FUZZER - CallbackFuzzer fuzzerCb; /* for testing with using fuzzer */ - void* fuzzerCtx; /* user defined pointer */ -#endif -#ifdef KEEP_PEER_CERT - WOLFSSL_X509 peerCert; /* X509 peer cert */ -#endif -#ifdef KEEP_OUR_CERT - WOLFSSL_X509* ourCert; /* keep alive a X509 struct of cert. - points to ctx if not owned (owned - flag found in buffers.weOwnCert) */ -#endif - byte keepCert; /* keep certificate after handshake */ -#if defined(HAVE_EX_DATA) || defined(FORTRESS) - void* ex_data[MAX_EX_DATA]; /* external data, for Fortress */ -#endif - int devId; /* async device id to use */ -#ifdef HAVE_ONE_TIME_AUTH - OneTimeAuth auth; -#endif -#ifdef HAVE_TLS_EXTENSIONS - TLSX* extensions; /* RFC 6066 TLS Extensions data */ - #ifdef HAVE_MAX_FRAGMENT - word16 max_fragment; - #endif - #ifdef HAVE_TRUNCATED_HMAC - byte truncated_hmac; - #endif - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST - byte status_request; - #endif - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - byte status_request_v2; - #endif - #if defined(HAVE_SECURE_RENEGOTIATION) \ - || defined(HAVE_SERVER_RENEGOTIATION_INFO) - SecureRenegotiation* secure_renegotiation; /* valid pointer indicates */ - #endif /* user turned on */ - #ifdef HAVE_ALPN - char* alpn_client_list; /* keep the client's list */ - #ifdef WOLFSSL_NGINX - CallbackALPNSelect alpnSelect; - void* alpnSelectArg; - #endif - #endif /* of accepted protocols */ - #if !defined(NO_WOLFSSL_CLIENT) && defined(HAVE_SESSION_TICKET) - CallbackSessionTicket session_ticket_cb; - void* session_ticket_ctx; - byte expect_session_ticket; - #endif -#endif /* HAVE_TLS_EXTENSIONS */ -#ifdef OPENSSL_EXTRA - byte* ocspResp; - int ocspRespSz; -#ifdef WOLFSSL_NGINX - char* url; -#endif -#endif -#ifdef HAVE_NETX - NetX_Ctx nxCtx; /* NetX IO Context */ -#endif -#ifdef SESSION_INDEX - int sessionIndex; /* Session's location in the cache. */ -#endif -#ifdef ATOMIC_USER - void* MacEncryptCtx; /* Atomic User Mac/Encrypt Callback Context */ - void* DecryptVerifyCtx; /* Atomic User Decrypt/Verify Callback Context */ -#endif -#ifdef HAVE_PK_CALLBACKS - #ifdef HAVE_ECC - void* EccSignCtx; /* Ecc Sign Callback Context */ - void* EccVerifyCtx; /* Ecc Verify Callback Context */ - void* EccSharedSecretCtx; /* Ecc Pms Callback Context */ - #endif /* HAVE_ECC */ - #ifndef NO_RSA - void* RsaSignCtx; /* Rsa Sign Callback Context */ - void* RsaVerifyCtx; /* Rsa Verify Callback Context */ - void* RsaEncCtx; /* Rsa Public Encrypt Callback Context */ - void* RsaDecCtx; /* Rsa Private Decrypt Callback Context */ - #endif /* NO_RSA */ -#endif /* HAVE_PK_CALLBACKS */ -#ifdef HAVE_SECRET_CALLBACK - SessionSecretCb sessionSecretCb; - void* sessionSecretCtx; -#endif /* HAVE_SECRET_CALLBACK */ -#ifdef WOLFSSL_JNI - void* jObjectRef; /* reference to WolfSSLSession in JNI wrapper */ -#endif /* WOLFSSL_JNI */ -}; - - -WOLFSSL_LOCAL -int SetSSL_CTX(WOLFSSL*, WOLFSSL_CTX*, int); -WOLFSSL_LOCAL -int InitSSL(WOLFSSL*, WOLFSSL_CTX*, int); -WOLFSSL_LOCAL -void FreeSSL(WOLFSSL*, void* heap); -WOLFSSL_API void SSL_ResourceFree(WOLFSSL*); /* Micrium uses */ - - -enum { - IV_SZ = 32, /* max iv sz */ - NAME_SZ = 80 /* max one line */ -}; - - -typedef struct EncryptedInfo { - char name[NAME_SZ]; /* encryption name */ - byte iv[IV_SZ]; /* encrypted IV */ - word32 ivSz; /* encrypted IV size */ - long consumed; /* tracks PEM bytes consumed */ - byte set; /* if encryption set */ - WOLFSSL_CTX* ctx; /* CTX owner */ -} EncryptedInfo; - - -#ifndef NO_CERTS - - WOLFSSL_LOCAL int AllocDer(DerBuffer** der, word32 length, int type, void* heap); - WOLFSSL_LOCAL void FreeDer(DerBuffer** der); - - WOLFSSL_LOCAL int PemToDer(const unsigned char* buff, long sz, int type, - DerBuffer** pDer, void* heap, EncryptedInfo* info, - int* eccKey); - - WOLFSSL_LOCAL int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, - long sz, int format, int type, WOLFSSL* ssl, - long* used, int userChain); - WOLFSSL_LOCAL int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, - int type, WOLFSSL* ssl, int userChain, - WOLFSSL_CRL* crl); - - #ifdef OPENSSL_EXTRA - WOLFSSL_LOCAL int CheckHostName(DecodedCert* dCert, char *domainName, - size_t domainNameLen); - #endif -#endif - - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - WOLFSSL_LOCAL - void InitHandShakeInfo(HandShakeInfo*, WOLFSSL*); - WOLFSSL_LOCAL - void FinishHandShakeInfo(HandShakeInfo*); - WOLFSSL_LOCAL - void AddPacketName(WOLFSSL* ssl, const char* name); - - WOLFSSL_LOCAL - void InitTimeoutInfo(TimeoutInfo*); - WOLFSSL_LOCAL - void FreeTimeoutInfo(TimeoutInfo*, void*); - WOLFSSL_LOCAL - void AddPacketInfo(WOLFSSL* ssl, const char* name, int type, - const byte* data, int sz, int write, void* heap); - WOLFSSL_LOCAL - void AddLateName(const char*, TimeoutInfo*); - WOLFSSL_LOCAL - void AddLateRecordHeader(const RecordLayerHeader* rl, TimeoutInfo* info); -#endif - - -/* Record Layer Header identifier from page 12 */ -enum ContentType { - no_type = 0, - change_cipher_spec = 20, - alert = 21, - handshake = 22, - application_data = 23 -}; - - -/* handshake header, same for each message type, pgs 20/21 */ -typedef struct HandShakeHeader { - byte type; - word24 length; -} HandShakeHeader; - - -/* DTLS handshake header, same for each message type */ -typedef struct DtlsHandShakeHeader { - byte type; - word24 length; - byte message_seq[2]; /* start at 0, retransmit gets same # */ - word24 fragment_offset; /* bytes in previous fragments */ - word24 fragment_length; /* length of this fragment */ -} DtlsHandShakeHeader; - - -enum HandShakeType { - hello_request = 0, - client_hello = 1, - server_hello = 2, - hello_verify_request = 3, /* DTLS addition */ - session_ticket = 4, - certificate = 11, - server_key_exchange = 12, - certificate_request = 13, - server_hello_done = 14, - certificate_verify = 15, - client_key_exchange = 16, - finished = 20, - certificate_status = 22, - change_cipher_hs = 55, /* simulate unique handshake type for sanity - checks. record layer change_cipher - conflicts with handshake finished */ - no_shake = 255 /* used to initialize the DtlsMsg record */ -}; - - -static const byte client[SIZEOF_SENDER] = { 0x43, 0x4C, 0x4E, 0x54 }; -static const byte server[SIZEOF_SENDER] = { 0x53, 0x52, 0x56, 0x52 }; - -static const byte tls_client[FINISHED_LABEL_SZ + 1] = "client finished"; -static const byte tls_server[FINISHED_LABEL_SZ + 1] = "server finished"; - - -/* internal functions */ -WOLFSSL_LOCAL int SendChangeCipher(WOLFSSL*); -WOLFSSL_LOCAL int SendTicket(WOLFSSL*); -WOLFSSL_LOCAL int DoClientTicket(WOLFSSL*, const byte*, word32); -WOLFSSL_LOCAL int SendData(WOLFSSL*, const void*, int); -WOLFSSL_LOCAL int SendCertificate(WOLFSSL*); -WOLFSSL_LOCAL int SendCertificateRequest(WOLFSSL*); -WOLFSSL_LOCAL int SendCertificateStatus(WOLFSSL*); -WOLFSSL_LOCAL int SendServerKeyExchange(WOLFSSL*); -WOLFSSL_LOCAL int SendBuffered(WOLFSSL*); -WOLFSSL_LOCAL int ReceiveData(WOLFSSL*, byte*, int, int); -WOLFSSL_LOCAL int SendFinished(WOLFSSL*); -WOLFSSL_LOCAL int SendAlert(WOLFSSL*, int, int); -WOLFSSL_LOCAL int ProcessReply(WOLFSSL*); - -WOLFSSL_LOCAL int SetCipherSpecs(WOLFSSL*); -WOLFSSL_LOCAL int MakeMasterSecret(WOLFSSL*); - -WOLFSSL_LOCAL int AddSession(WOLFSSL*); -WOLFSSL_LOCAL int DeriveKeys(WOLFSSL* ssl); -WOLFSSL_LOCAL int StoreKeys(WOLFSSL* ssl, const byte* keyData); - -WOLFSSL_LOCAL int IsTLS(const WOLFSSL* ssl); -WOLFSSL_LOCAL int IsAtLeastTLSv1_2(const WOLFSSL* ssl); - -WOLFSSL_LOCAL void FreeHandshakeResources(WOLFSSL* ssl); -WOLFSSL_LOCAL void ShrinkInputBuffer(WOLFSSL* ssl, int forcedFree); -WOLFSSL_LOCAL void ShrinkOutputBuffer(WOLFSSL* ssl); - -WOLFSSL_LOCAL int VerifyClientSuite(WOLFSSL* ssl); -#ifndef NO_CERTS - #ifndef NO_RSA - WOLFSSL_LOCAL int VerifyRsaSign(WOLFSSL* ssl, - byte* verifySig, word32 sigSz, - const byte* plain, word32 plainSz, - RsaKey* key); - WOLFSSL_LOCAL int RsaSign(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out, - word32* outSz, RsaKey* key, const byte* keyBuf, word32 keySz, void* ctx); - WOLFSSL_LOCAL int RsaVerify(WOLFSSL* ssl, byte* in, word32 inSz, - byte** out, RsaKey* key, const byte* keyBuf, word32 keySz, void* ctx); - WOLFSSL_LOCAL int RsaDec(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, - word32* outSz, RsaKey* key, const byte* keyBuf, word32 keySz, void* ctx); - WOLFSSL_LOCAL int RsaEnc(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out, - word32* outSz, RsaKey* key, const byte* keyBuf, word32 keySz, void* ctx); - #endif /* !NO_RSA */ - - #ifdef HAVE_ECC - WOLFSSL_LOCAL int EccSign(WOLFSSL* ssl, const byte* in, word32 inSz, - byte* out, word32* outSz, ecc_key* key, byte* keyBuf, word32 keySz, - void* ctx); - WOLFSSL_LOCAL int EccVerify(WOLFSSL* ssl, const byte* in, word32 inSz, - const byte* out, word32 outSz, ecc_key* key, byte* keyBuf, word32 keySz, - void* ctx); - WOLFSSL_LOCAL int EccSharedSecret(WOLFSSL* ssl, ecc_key* priv_key, - ecc_key* pub_key, byte* pubKeyDer, word32* pubKeySz, byte* out, - word32* outlen, int side, void* ctx); - #endif /* HAVE_ECC */ - - #ifdef WOLFSSL_TRUST_PEER_CERT - - /* options for searching hash table for a matching trusted peer cert */ - #define WC_MATCH_SKID 0 - #define WC_MATCH_NAME 1 - - WOLFSSL_LOCAL TrustedPeerCert* GetTrustedPeer(void* vp, byte* hash, - int type); - WOLFSSL_LOCAL int MatchTrustedPeer(TrustedPeerCert* tp, - DecodedCert* cert); - #endif - - WOLFSSL_LOCAL Signer* GetCA(void* cm, byte* hash); - #ifndef NO_SKID - WOLFSSL_LOCAL Signer* GetCAByName(void* cm, byte* hash); - #endif -#endif /* !NO_CERTS */ -WOLFSSL_LOCAL int BuildTlsHandshakeHash(WOLFSSL* ssl, byte* hash, - word32* hashLen); -WOLFSSL_LOCAL int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, - const byte* sender); -WOLFSSL_LOCAL void FreeArrays(WOLFSSL* ssl, int keep); -WOLFSSL_LOCAL int CheckAvailableSize(WOLFSSL *ssl, int size); -WOLFSSL_LOCAL int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength); - -#ifndef NO_TLS - WOLFSSL_LOCAL int MakeTlsMasterSecret(WOLFSSL*); - WOLFSSL_LOCAL int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, - word32 sz, int content, int verify); -#endif - -#ifndef NO_WOLFSSL_CLIENT - WOLFSSL_LOCAL int SendClientHello(WOLFSSL*); - WOLFSSL_LOCAL int SendClientKeyExchange(WOLFSSL*); - WOLFSSL_LOCAL int SendCertificateVerify(WOLFSSL*); -#endif /* NO_WOLFSSL_CLIENT */ - -#ifndef NO_WOLFSSL_SERVER - WOLFSSL_LOCAL int SendServerHello(WOLFSSL*); - WOLFSSL_LOCAL int SendServerHelloDone(WOLFSSL*); -#endif /* NO_WOLFSSL_SERVER */ - -#ifdef WOLFSSL_DTLS - WOLFSSL_LOCAL DtlsMsg* DtlsMsgNew(word32, void*); - WOLFSSL_LOCAL void DtlsMsgDelete(DtlsMsg*, void*); - WOLFSSL_LOCAL void DtlsMsgListDelete(DtlsMsg*, void*); - WOLFSSL_LOCAL int DtlsMsgSet(DtlsMsg*, word32, const byte*, byte, - word32, word32, void*); - WOLFSSL_LOCAL DtlsMsg* DtlsMsgFind(DtlsMsg*, word32); - WOLFSSL_LOCAL void DtlsMsgStore(WOLFSSL*, word32, const byte*, word32, - byte, word32, word32, void*); - WOLFSSL_LOCAL DtlsMsg* DtlsMsgInsert(DtlsMsg*, DtlsMsg*); - - WOLFSSL_LOCAL int DtlsMsgPoolSave(WOLFSSL*, const byte*, word32); - WOLFSSL_LOCAL int DtlsMsgPoolTimeout(WOLFSSL*); - WOLFSSL_LOCAL int VerifyForDtlsMsgPoolSend(WOLFSSL*, byte, word32); - WOLFSSL_LOCAL void DtlsMsgPoolReset(WOLFSSL*); - WOLFSSL_LOCAL int DtlsMsgPoolSend(WOLFSSL*, int); -#endif /* WOLFSSL_DTLS */ - -#ifndef NO_TLS - - -#endif /* NO_TLS */ - - -WOLFSSL_LOCAL word32 LowResTimer(void); - -#ifndef NO_CERTS - WOLFSSL_LOCAL void InitX509Name(WOLFSSL_X509_NAME*, int); - WOLFSSL_LOCAL void FreeX509Name(WOLFSSL_X509_NAME* name, void* heap); - WOLFSSL_LOCAL void InitX509(WOLFSSL_X509*, int, void* heap); - WOLFSSL_LOCAL void FreeX509(WOLFSSL_X509*); - WOLFSSL_LOCAL int CopyDecodedToX509(WOLFSSL_X509*, DecodedCert*); -#endif - -/* used by ssl.c and internal.c */ -WOLFSSL_LOCAL void c32to24(word32 in, word24 out); - -WOLFSSL_LOCAL const char* const* GetCipherNames(void); -WOLFSSL_LOCAL int GetCipherNamesSize(void); -WOLFSSL_LOCAL const char* GetCipherNameInternal(const char* cipherName, int cipherSuite); -WOLFSSL_LOCAL const char* wolfSSL_get_cipher_name_internal(WOLFSSL* ssl); -WOLFSSL_LOCAL const char* wolfSSL_get_cipher_name_from_suite( - const unsigned char cipherSuite, const unsigned char cipherSuite0); - -enum encrypt_side { - ENCRYPT_SIDE_ONLY = 1, - DECRYPT_SIDE_ONLY, - ENCRYPT_AND_DECRYPT_SIDE -}; - -WOLFSSL_LOCAL int SetKeysSide(WOLFSSL*, enum encrypt_side); - - -#ifndef NO_DH - WOLFSSL_LOCAL int DhGenKeyPair(WOLFSSL* ssl, DhKey* dhKey, - byte* priv, word32* privSz, - byte* pub, word32* pubSz); - WOLFSSL_LOCAL int DhAgree(WOLFSSL* ssl, DhKey* dhKey, - const byte* priv, word32 privSz, - const byte* otherPub, word32 otherPubSz, - byte* agree, word32* agreeSz); -#endif /* !NO_DH */ - -#ifdef HAVE_ECC - WOLFSSL_LOCAL int EccMakeKey(WOLFSSL* ssl, ecc_key* key, ecc_key* peer); -#endif - -WOLFSSL_LOCAL int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, - const byte* input, int inSz, int type, int hashOutput, - int sizeOnly, int asyncOkay); - -WOLFSSL_LOCAL int AllocKey(WOLFSSL* ssl, int type, void** pKey); -WOLFSSL_LOCAL void FreeKey(WOLFSSL* ssl, int type, void** pKey); - -#ifdef WOLFSSL_ASYNC_CRYPT - WOLFSSL_LOCAL int wolfSSL_AsyncPop(WOLFSSL* ssl, byte* state); - WOLFSSL_LOCAL int wolfSSL_AsyncPush(WOLFSSL* ssl, WC_ASYNC_DEV* asyncDev, - word32 flags); -#endif - - -#ifdef __cplusplus - } /* extern "C" */ -#endif - -#endif /* wolfSSL_INT_H */ diff --git a/wolfssl/internal-save.h b/wolfssl/internal-save.h deleted file mode 100755 index 99d19d367..000000000 --- a/wolfssl/internal-save.h +++ /dev/null @@ -1,3627 +0,0 @@ -/* internal.h - * - * Copyright (C) 2006-2016 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - - - -#ifndef WOLFSSL_INT_H -#define WOLFSSL_INT_H - - -#include -#include -#ifdef HAVE_CRL - #include -#endif -#include -#ifndef NO_DES3 - #include -#endif -#ifndef NO_HC128 - #include -#endif -#ifndef NO_RABBIT - #include -#endif -#ifdef HAVE_CHACHA - #include -#endif -#ifndef NO_ASN - #include - #include -#endif -#ifndef NO_MD5 - #include -#endif -#ifndef NO_SHA - #include -#endif -#ifndef NO_AES - #include -#endif -#ifdef HAVE_POLY1305 - #include -#endif -#ifdef HAVE_CAMELLIA - #include -#endif -#include -#ifndef NO_HMAC - #include -#endif -#ifndef NO_RC4 - #include -#endif -#ifdef HAVE_ECC - #include -#endif -#ifdef HAVE_CURVE25519 - #include -#endif -#ifndef NO_SHA256 - #include -#endif -#ifdef HAVE_OCSP - #include -#endif -#ifdef WOLFSSL_SHA512 - #include -#endif -#ifdef HAVE_AESGCM - #include -#endif -#ifdef WOLFSSL_RIPEMD - #include -#endif -#ifdef HAVE_IDEA - #include -#endif -#ifndef NO_RSA - #include -#endif -#ifdef HAVE_ECC - #include -#endif -#ifndef NO_DH - #include -#endif - -#include - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - #include -#endif -#ifdef WOLFSSL_CALLBACKS - #include -#endif - -#ifdef USE_WINDOWS_API - #ifdef WOLFSSL_GAME_BUILD - #include "system/xtl.h" - #else - #if defined(_WIN32_WCE) || defined(WIN32_LEAN_AND_MEAN) - /* On WinCE winsock2.h must be included before windows.h */ - #include - #endif - #include - #endif -#elif defined(THREADX) - #ifndef SINGLE_THREADED - #include "tx_api.h" - #endif -#elif defined(MICRIUM) - /* do nothing, just don't pick Unix */ -#elif defined(FREERTOS) || defined(FREERTOS_TCP) || defined(WOLFSSL_SAFERTOS) - /* do nothing */ -#elif defined(EBSNET) - /* do nothing */ -#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) - /* do nothing */ -#elif defined(FREESCALE_FREE_RTOS) - #include "fsl_os_abstraction.h" -#elif defined(WOLFSSL_uITRON4) - /* do nothing */ -#elif defined(WOLFSSL_uTKERNEL2) - /* do nothing */ -#elif defined(WOLFSSL_MDK_ARM) - #if defined(WOLFSSL_MDK5) - #include "cmsis_os.h" - #else - #include - #endif -#elif defined(WOLFSSL_CMSIS_RTOS) - #include "cmsis_os.h" -#elif defined(MBED) -#elif defined(WOLFSSL_TIRTOS) - /* do nothing */ -#elif defined(INTIME_RTOS) - #include -#else - #ifndef SINGLE_THREADED - #define WOLFSSL_PTHREADS - #include - #endif - #if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS) - #include /* for close of BIO */ - #endif -#endif - -#ifndef CHAR_BIT - /* Needed for DTLS without big math */ - #include -#endif - - -#ifdef HAVE_LIBZ - #include "zlib.h" -#endif - -#ifdef WOLFSSL_ASYNC_CRYPT - #include -#endif - -#ifdef _MSC_VER - /* 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy */ - #pragma warning(disable: 4996) -#endif - -#ifdef NO_SHA - #define SHA_DIGEST_SIZE 20 -#endif - -#ifdef NO_SHA256 - #define SHA256_DIGEST_SIZE 32 -#endif - -#ifdef NO_MD5 - #define MD5_DIGEST_SIZE 16 -#endif - - -#ifdef __cplusplus - extern "C" { -#endif - - -typedef byte word24[3]; - -/* Define or comment out the cipher suites you'd like to be compiled in - make sure to use at least one BUILD_SSL_xxx or BUILD_TLS_xxx is defined - - When adding cipher suites, add name to cipher_names, idx to cipher_name_idx - - Now that there is a maximum strength crypto build, the following BUILD_XXX - flags need to be divided into two groups selected by WOLFSSL_MAX_STRENGTH. - Those that do not use Perfect Forward Security and do not use AEAD ciphers - need to be switched off. Allowed suites use (EC)DHE, AES-GCM|CCM, or - CHACHA-POLY. -*/ - -/* Check that if WOLFSSL_MAX_STRENGTH is set that all the required options are - * not turned off. */ -#if defined(WOLFSSL_MAX_STRENGTH) && \ - ((!defined(HAVE_ECC) && (defined(NO_DH) || defined(NO_RSA))) || \ - (!defined(HAVE_AESGCM) && !defined(HAVE_AESCCM) && \ - (!defined(HAVE_POLY1305) || !defined(HAVE_CHACHA))) || \ - (defined(NO_SHA256) && !defined(WOLFSSL_SHA384)) || \ - !defined(NO_OLD_TLS)) - - #error "You are trying to build max strength with requirements disabled." -#endif - -/* Have QSH : Quantum-safe Handshake */ -#if defined(HAVE_QSH) - #define BUILD_TLS_QSH -#endif - -#ifndef WOLFSSL_MAX_STRENGTH - - #if !defined(NO_RSA) && !defined(NO_RC4) - #if defined(WOLFSSL_STATIC_RSA) - #if !defined(NO_SHA) - #define BUILD_SSL_RSA_WITH_RC4_128_SHA - #endif - #if !defined(NO_MD5) - #define BUILD_SSL_RSA_WITH_RC4_128_MD5 - #endif - #endif - #if !defined(NO_TLS) && defined(HAVE_NTRU) && !defined(NO_SHA) \ - && defined(WOLFSSL_STATIC_RSA) - #define BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA - #endif - #endif - - #if !defined(NO_RSA) && !defined(NO_DES3) - #if !defined(NO_SHA) - #if defined(WOLFSSL_STATIC_RSA) - #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA - #endif - #if !defined(NO_TLS) && defined(HAVE_NTRU) \ - && defined(WOLFSSL_STATIC_RSA) - #define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA - #endif - #endif - #endif - - #if !defined(NO_RSA) && defined(HAVE_IDEA) - #if !defined(NO_SHA) && defined(WOLFSSL_STATIC_RSA) - #define BUILD_SSL_RSA_WITH_IDEA_CBC_SHA - #endif - #endif - - #if !defined(NO_RSA) && !defined(NO_AES) && !defined(NO_TLS) - #if !defined(NO_SHA) - #if defined(WOLFSSL_STATIC_RSA) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA - #endif - #if defined(HAVE_NTRU) && defined(WOLFSSL_STATIC_RSA) - #define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA - #endif - #endif - #if defined(WOLFSSL_STATIC_RSA) - #if !defined (NO_SHA256) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 - #endif - #if defined (HAVE_AESGCM) - #define BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 - #if defined (WOLFSSL_SHA384) - #define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 - #endif - #endif - #if defined (HAVE_AESCCM) - #define BUILD_TLS_RSA_WITH_AES_128_CCM_8 - #define BUILD_TLS_RSA_WITH_AES_256_CCM_8 - #endif - #if defined(HAVE_BLAKE2) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256 - #define BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256 - #endif - #endif - #endif - - #if defined(HAVE_CAMELLIA) && !defined(NO_TLS) - #ifndef NO_RSA - #if defined(WOLFSSL_STATIC_RSA) - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - #endif - #endif - #if !defined(NO_DH) - #if !defined(NO_SHA) - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - #endif - #endif - #endif - #endif - -#if defined(WOLFSSL_STATIC_PSK) - #if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS) - #if !defined(NO_SHA) - #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA - #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 - #ifdef HAVE_AESGCM - #define BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256 - #endif - #ifdef HAVE_AESCCM - #define BUILD_TLS_PSK_WITH_AES_128_CCM_8 - #define BUILD_TLS_PSK_WITH_AES_256_CCM_8 - #define BUILD_TLS_PSK_WITH_AES_128_CCM - #define BUILD_TLS_PSK_WITH_AES_256_CCM - #endif - #endif - #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384 - #ifdef HAVE_AESGCM - #define BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384 - #endif - #endif - #endif -#endif - - #if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER) - #if !defined(NO_RSA) - #if defined(WOLFSSL_STATIC_RSA) - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_NULL_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_RSA_WITH_NULL_SHA256 - #endif - #endif - #endif - #if !defined(NO_PSK) && defined(WOLFSSL_STATIC_PSK) - #if !defined(NO_SHA) - #define BUILD_TLS_PSK_WITH_NULL_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_PSK_WITH_NULL_SHA256 - #endif - #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_PSK_WITH_NULL_SHA384 - #endif - #endif - #endif - -#if defined(WOLFSSL_STATIC_RSA) - #if !defined(NO_HC128) && !defined(NO_RSA) && !defined(NO_TLS) - #ifndef NO_MD5 - #define BUILD_TLS_RSA_WITH_HC_128_MD5 - #endif - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_HC_128_SHA - #endif - #if defined(HAVE_BLAKE2) - #define BUILD_TLS_RSA_WITH_HC_128_B2B256 - #endif - #endif - - #if !defined(NO_RABBIT) && !defined(NO_TLS) && !defined(NO_RSA) - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_RABBIT_SHA - #endif - #endif -#endif - - #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ - !defined(NO_RSA) - - #if !defined(NO_SHA) - #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA - #if !defined(NO_DES3) - #define BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - #endif - #endif - #if !defined(NO_SHA256) - #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - #endif - #endif - - #if defined(HAVE_ANON) && !defined(NO_TLS) && !defined(NO_DH) && \ - !defined(NO_AES) && !defined(NO_SHA) - #define BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA - #endif - - #if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) - #ifndef NO_SHA256 - #ifndef NO_AES - #define BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - #endif - #ifdef HAVE_NULL_CIPHER - #define BUILD_TLS_DHE_PSK_WITH_NULL_SHA256 - #endif - #endif - #ifdef WOLFSSL_SHA384 - #ifndef NO_AES - #define BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 - #endif - #ifdef HAVE_NULL_CIPHER - #define BUILD_TLS_DHE_PSK_WITH_NULL_SHA384 - #endif - #endif - #endif - - #if defined(HAVE_ECC) && !defined(NO_TLS) - #if !defined(NO_AES) - #if !defined(NO_SHA) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - #endif - #endif - - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - #endif - #endif /* NO_SHA */ - #ifndef NO_SHA256 - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 - #endif - #endif - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - #endif - #endif - - #ifdef WOLFSSL_SHA384 - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - #endif - #endif - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - #endif - #endif - - #if defined (HAVE_AESGCM) - #if !defined(NO_RSA) - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - #endif - #if defined(WOLFSSL_SHA384) - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - #endif - #endif - #endif - - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - #endif - - #if defined(WOLFSSL_SHA384) - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - #endif - #endif - #endif - #endif /* NO_AES */ - #if !defined(NO_RC4) - #if !defined(NO_SHA) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA - #endif - #endif - - #define BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - #endif - #endif - #endif - #if !defined(NO_DES3) - #ifndef NO_SHA - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - #endif - #endif - - #define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - #if defined(WOLFSSL_STATIC_DH) - #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - #endif - #endif /* NO_SHA */ - #endif - #if defined(HAVE_NULL_CIPHER) - #if !defined(NO_SHA) - #define BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA - #endif - #if !defined(NO_PSK) && !defined(NO_SHA256) - #define BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256 - #endif - #endif - #if !defined(NO_PSK) && !defined(NO_SHA256) && !defined(NO_AES) - #define BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 - #endif - #endif - #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && !defined(NO_SHA256) - #if !defined(NO_OLD_POLY1305) - #ifdef HAVE_ECC - #define BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - #ifndef NO_RSA - #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - #endif - #endif - #if !defined(NO_DH) && !defined(NO_RSA) - #define BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - #endif - #endif /* NO_OLD_POLY1305 */ - #if !defined(NO_PSK) - #define BUILD_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 - #ifdef HAVE_ECC - #define BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - #endif - #ifndef NO_DH - #define BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - #endif - #endif /* !NO_PSK */ - #endif - -#endif /* !WOLFSSL_MAX_STRENGTH */ - -#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ - !defined(NO_RSA) && defined(HAVE_AESGCM) - - #ifndef NO_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - #endif - - #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - #endif -#endif - -#if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) - #ifndef NO_SHA256 - #ifdef HAVE_AESGCM - #define BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - #endif - #ifdef HAVE_AESCCM - #define BUILD_TLS_DHE_PSK_WITH_AES_128_CCM - #define BUILD_TLS_DHE_PSK_WITH_AES_256_CCM - #endif - #endif - #if defined(WOLFSSL_SHA384) && defined(HAVE_AESGCM) - #define BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - #endif -#endif - -#if defined(HAVE_ECC) && !defined(NO_TLS) && !defined(NO_AES) - #ifdef HAVE_AESGCM - #ifndef NO_SHA256 - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - #ifndef NO_RSA - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - #endif - #endif - #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - #ifndef NO_RSA - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - #endif - #endif - #endif - #if defined(HAVE_AESCCM) && !defined(NO_SHA256) - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 - #endif -#endif - -#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && !defined(NO_SHA256) - #ifdef HAVE_ECC - #define BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - #ifndef NO_RSA - #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - #endif - #endif - #if !defined(NO_DH) && !defined(NO_RSA) - #define BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - #endif -#endif - -#if defined(WOLFSSL_TLS13) - #ifdef HAVE_AESGCM - #ifndef NO_SHA256 - #define BUILD_TLS_AES_128_GCM_SHA256 - #endif - #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_AES_256_GCM_SHA384 - #endif - #endif - - #ifdef HAVE_CHACHA - #ifndef NO_SHA256 - #define BUILD_TLS_CHACHA20_POLY1305_SHA256 - #endif - #endif - - #ifdef HAVE_AESCCM - #ifndef NO_SHA256 - #define BUILD_TLS_AES_128_CCM_SHA256 - #define BUILD_TLS_AES_128_CCM_8_SHA256 - #endif - #endif -#endif - -#if defined(BUILD_SSL_RSA_WITH_RC4_128_SHA) || \ - defined(BUILD_SSL_RSA_WITH_RC4_128_MD5) - #define BUILD_ARC4 -#endif - -#if defined(BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA) - #define BUILD_DES3 -#endif - -#if defined(BUILD_TLS_RSA_WITH_AES_128_CBC_SHA) || \ - defined(BUILD_TLS_RSA_WITH_AES_256_CBC_SHA) || \ - defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) || \ - defined(BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256) - #undef BUILD_AES - #define BUILD_AES -#endif - -#if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) || \ - defined(BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) || \ - defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) || \ - defined(BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256) || \ - defined(BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256) || \ - defined(BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384) || \ - defined(BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384) || \ - defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) || \ - defined(BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384) || \ - defined(BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384) - #define BUILD_AESGCM -#endif - -#if defined(BUILD_TLS_RSA_WITH_HC_128_SHA) || \ - defined(BUILD_TLS_RSA_WITH_HC_128_MD5) || \ - defined(BUILD_TLS_RSA_WITH_HC_128_B2B256) - #define BUILD_HC128 -#endif - -#if defined(BUILD_TLS_RSA_WITH_RABBIT_SHA) - #define BUILD_RABBIT -#endif - -#ifdef NO_DES3 - #define DES_BLOCK_SIZE 8 -#else - #undef BUILD_DES3 - #define BUILD_DES3 -#endif - -#if defined(NO_AES) || defined(NO_AES_DECRYPT) - #define AES_BLOCK_SIZE 16 - #undef BUILD_AES -#else - #undef BUILD_AES - #define BUILD_AES -#endif - -#ifndef NO_RC4 - #undef BUILD_ARC4 - #define BUILD_ARC4 -#endif - -#ifdef HAVE_CHACHA - #define CHACHA20_BLOCK_SIZE 16 -#endif - -#if defined(WOLFSSL_MAX_STRENGTH) || \ - defined(HAVE_AESGCM) || defined(HAVE_AESCCM) || \ - (defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) - - #define HAVE_AEAD -#endif - -#if defined(WOLFSSL_MAX_STRENGTH) || \ - defined(HAVE_ECC) || !defined(NO_DH) - - #define HAVE_PFS -#endif - -#if defined(BUILD_SSL_RSA_WITH_IDEA_CBC_SHA) - #define BUILD_IDEA -#endif - -/* actual cipher values, 2nd byte */ -enum { - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x16, - TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x39, - TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x33, - TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x34, - TLS_RSA_WITH_AES_256_CBC_SHA = 0x35, - TLS_RSA_WITH_AES_128_CBC_SHA = 0x2F, - TLS_RSA_WITH_NULL_SHA = 0x02, - TLS_PSK_WITH_AES_256_CBC_SHA = 0x8d, - TLS_PSK_WITH_AES_128_CBC_SHA256 = 0xae, - TLS_PSK_WITH_AES_256_CBC_SHA384 = 0xaf, - TLS_PSK_WITH_AES_128_CBC_SHA = 0x8c, - TLS_PSK_WITH_NULL_SHA256 = 0xb0, - TLS_PSK_WITH_NULL_SHA384 = 0xb1, - TLS_PSK_WITH_NULL_SHA = 0x2c, - SSL_RSA_WITH_RC4_128_SHA = 0x05, - SSL_RSA_WITH_RC4_128_MD5 = 0x04, - SSL_RSA_WITH_3DES_EDE_CBC_SHA = 0x0A, - SSL_RSA_WITH_IDEA_CBC_SHA = 0x07, - - /* ECC suites, first byte is 0xC0 (ECC_BYTE) */ - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0x14, - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0x13, - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0x0A, - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0x09, - TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0x11, - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0x07, - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x12, - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0x08, - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0x27, - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0x23, - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0x28, - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0x24, - TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0x06, - TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0x3a, - TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0x37, - - /* static ECDH, first byte is 0xC0 (ECC_BYTE) */ - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0x0F, - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0x0E, - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0x05, - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0x04, - TLS_ECDH_RSA_WITH_RC4_128_SHA = 0x0C, - TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0x02, - TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0D, - TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0x03, - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0x29, - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0x25, - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0x2A, - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0x26, - - /* wolfSSL extension - eSTREAM */ - TLS_RSA_WITH_HC_128_MD5 = 0xFB, - TLS_RSA_WITH_HC_128_SHA = 0xFC, - TLS_RSA_WITH_RABBIT_SHA = 0xFD, - - /* wolfSSL extension - Blake2b 256 */ - TLS_RSA_WITH_AES_128_CBC_B2B256 = 0xF8, - TLS_RSA_WITH_AES_256_CBC_B2B256 = 0xF9, - TLS_RSA_WITH_HC_128_B2B256 = 0xFA, /* eSTREAM too */ - - /* wolfSSL extension - NTRU */ - TLS_NTRU_RSA_WITH_RC4_128_SHA = 0xe5, - TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA = 0xe6, - TLS_NTRU_RSA_WITH_AES_128_CBC_SHA = 0xe7, /* clashes w/official SHA-256 */ - TLS_NTRU_RSA_WITH_AES_256_CBC_SHA = 0xe8, - - /* wolfSSL extension - NTRU , Quantum-safe Handshake - first byte is 0xD0 (QSH_BYTE) */ - TLS_QSH = 0x01, - - /* SHA256 */ - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x6b, - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x67, - TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x3d, - TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x3c, - TLS_RSA_WITH_NULL_SHA256 = 0x3b, - TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0xb2, - TLS_DHE_PSK_WITH_NULL_SHA256 = 0xb4, - - /* SHA384 */ - TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0xb3, - TLS_DHE_PSK_WITH_NULL_SHA384 = 0xb5, - - /* AES-GCM */ - TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x9c, - TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x9d, - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x9e, - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x9f, - TLS_PSK_WITH_AES_128_GCM_SHA256 = 0xa8, - TLS_PSK_WITH_AES_256_GCM_SHA384 = 0xa9, - TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0xaa, - TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0xab, - - /* ECC AES-GCM, first byte is 0xC0 (ECC_BYTE) */ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0x2b, - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0x2c, - TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0x2d, - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0x2e, - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0x2f, - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0x30, - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0x31, - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0x32, - - /* AES-CCM, first byte is 0xC0 but isn't ECC, - * also, in some of the other AES-CCM suites - * there will be second byte number conflicts - * with non-ECC AES-GCM */ - TLS_RSA_WITH_AES_128_CCM_8 = 0xa0, - TLS_RSA_WITH_AES_256_CCM_8 = 0xa1, - TLS_ECDHE_ECDSA_WITH_AES_128_CCM = 0xac, - TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xae, - TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xaf, - TLS_PSK_WITH_AES_128_CCM = 0xa4, - TLS_PSK_WITH_AES_256_CCM = 0xa5, - TLS_PSK_WITH_AES_128_CCM_8 = 0xa8, - TLS_PSK_WITH_AES_256_CCM_8 = 0xa9, - TLS_DHE_PSK_WITH_AES_128_CCM = 0xa6, - TLS_DHE_PSK_WITH_AES_256_CCM = 0xa7, - - /* Camellia */ - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x41, - TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x84, - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xba, - TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0xc0, - TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x45, - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x88, - TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xbe, - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0xc4, - - /* chacha20-poly1305 suites first byte is 0xCC (CHACHA_BYTE) */ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xa8, - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xa9, - TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xaa, - TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xac, - TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xab, - TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xad, - - /* chacha20-poly1305 earlier version of nonce and padding (CHACHA_BYTE) */ - TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 = 0x13, - TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 = 0x14, - TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 = 0x15, - - /* TLS v1.3 cipher suites */ - TLS_AES_128_GCM_SHA256 = 0x01, - TLS_AES_256_GCM_SHA384 = 0x02, - TLS_CHACHA20_POLY1305_SHA256 = 0x03, - TLS_AES_128_CCM_SHA256 = 0x04, - TLS_AES_128_CCM_8_SHA256 = 0x05, - - /* Renegotiation Indication Extension Special Suite */ - TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0xff -}; - - -#ifndef WOLFSSL_SESSION_TIMEOUT - #define WOLFSSL_SESSION_TIMEOUT 500 - /* default session resumption cache timeout in seconds */ -#endif - - -#ifndef WOLFSSL_DTLS_WINDOW_WORDS - #define WOLFSSL_DTLS_WINDOW_WORDS 2 -#endif /* WOLFSSL_DTLS_WINDOW_WORDS */ -#define DTLS_WORD_BITS (sizeof(word32) * CHAR_BIT) -#define DTLS_SEQ_BITS (WOLFSSL_DTLS_WINDOW_WORDS * DTLS_WORD_BITS) -#define DTLS_SEQ_SZ (sizeof(word32) * WOLFSSL_DTLS_WINDOW_WORDS) - - -enum Misc { - ECC_BYTE = 0xC0, /* ECC first cipher suite byte */ - QSH_BYTE = 0xD0, /* Quantum-safe Handshake cipher suite */ - CHACHA_BYTE = 0xCC, /* ChaCha first cipher suite */ - TLS13_BYTE = 0x13, /* TLS v.13 first byte of cipher suite */ - - SEND_CERT = 1, - SEND_BLANK_CERT = 2, - - DTLS_MAJOR = 0xfe, /* DTLS major version number */ - DTLS_MINOR = 0xff, /* DTLS minor version number */ - DTLSv1_2_MINOR = 0xfd, /* DTLS minor version number */ - SSLv3_MAJOR = 3, /* SSLv3 and TLSv1+ major version number */ - SSLv3_MINOR = 0, /* TLSv1 minor version number */ - TLSv1_MINOR = 1, /* TLSv1 minor version number */ - TLSv1_1_MINOR = 2, /* TLSv1_1 minor version number */ - TLSv1_2_MINOR = 3, /* TLSv1_2 minor version number */ - TLSv1_3_MINOR = 4, /* TLSv1_3 minor version number */ - TLS_DRAFT_MAJOR = 0x7f, /* Draft TLS major version number */ - TLS_DRAFT_MINOR = 0x12, /* Minor version number of TLS draft */ - OLD_HELLO_ID = 0x01, /* SSLv2 Client Hello Indicator */ - INVALID_BYTE = 0xff, /* Used to initialize cipher specs values */ - NO_COMPRESSION = 0, - ZLIB_COMPRESSION = 221, /* wolfSSL zlib compression */ - HELLO_EXT_SIG_ALGO = 13, /* ID for the sig_algo hello extension */ - HELLO_EXT_EXTMS = 0x0017, /* ID for the extended master secret ext */ - SECRET_LEN = 48, /* pre RSA and all master */ -#if defined(WOLFSSL_MYSQL_COMPATIBLE) - ENCRYPT_LEN = 1024, /* allow larger static buffer with mysql */ -#else - ENCRYPT_LEN = 512, /* allow 4096 bit static buffer */ -#endif - SIZEOF_SENDER = 4, /* clnt or srvr */ - FINISHED_SZ = 36, /* MD5_DIGEST_SIZE + SHA_DIGEST_SIZE */ - MAX_RECORD_SIZE = 16384, /* 2^14, max size by standard */ - MAX_MSG_EXTRA = 38 + MAX_DIGEST_SIZE, - /* max added to msg, mac + pad from */ - /* RECORD_HEADER_SZ + BLOCK_SZ (pad) + Max - digest sz + BLOC_SZ (iv) + pad byte (1) */ - MAX_COMP_EXTRA = 1024, /* max compression extra */ - MAX_MTU = 1500, /* max expected MTU */ - MAX_UDP_SIZE = 8192 - 100, /* was MAX_MTU - 100 */ - MAX_DH_SZ = 1036, /* 4096 p, pub, g + 2 byte size for each */ - MAX_STR_VERSION = 8, /* string rep of protocol version */ - - PAD_MD5 = 48, /* pad length for finished */ - PAD_SHA = 40, /* pad length for finished */ - MAX_PAD_SIZE = 256, /* maximum length of padding */ - COMPRESS_DUMMY_SIZE = 64, /* compression dummy round size */ - COMPRESS_CONSTANT = 13, /* compression calc constant */ - COMPRESS_UPPER = 55, /* compression calc numerator */ - COMPRESS_LOWER = 64, /* compression calc denominator */ - - PEM_LINE_LEN = 80, /* PEM line max + fudge */ - LENGTH_SZ = 2, /* length field for HMAC, data only */ - VERSION_SZ = 2, /* length of proctocol version */ - SEQ_SZ = 8, /* 64 bit sequence number */ - ALERT_SIZE = 2, /* level + description */ - VERIFY_HEADER = 2, /* always use 2 bytes */ - EXTS_SZ = 2, /* always use 2 bytes */ - EXT_ID_SZ = 2, /* always use 2 bytes */ - MAX_DH_SIZE = 513, /* 4096 bit plus possible leading 0 */ - NAMED_DH_MASK = 0x100, /* Named group mask for DH parameters */ - SESSION_HINT_SZ = 4, /* session timeout hint */ - SESSION_ADD_SZ = 4, /* session age add */ - MAX_LIFETIME = 604800, /* maximum ticket lifetime */ - - RAN_LEN = 32, /* random length */ - SEED_LEN = RAN_LEN * 2, /* tls prf seed length */ - ID_LEN = 32, /* session id length */ - COOKIE_SECRET_SZ = 14, /* dtls cookie secret size */ - MAX_COOKIE_LEN = 32, /* max dtls cookie size */ - COOKIE_SZ = 20, /* use a 20 byte cookie */ - SUITE_LEN = 2, /* cipher suite sz length */ - ENUM_LEN = 1, /* always a byte */ - OPAQUE8_LEN = 1, /* 1 byte */ - OPAQUE16_LEN = 2, /* 2 bytes */ - OPAQUE24_LEN = 3, /* 3 bytes */ - OPAQUE32_LEN = 4, /* 4 bytes */ - OPAQUE64_LEN = 8, /* 8 bytes */ - COMP_LEN = 1, /* compression length */ - CURVE_LEN = 2, /* ecc named curve length */ - KE_GROUP_LEN = 2, /* key exchange group length */ - SERVER_ID_LEN = 20, /* server session id length */ - - HANDSHAKE_HEADER_SZ = 4, /* type + length(3) */ - RECORD_HEADER_SZ = 5, /* type + version + len(2) */ - CERT_HEADER_SZ = 3, /* always 3 bytes */ - REQ_HEADER_SZ = 2, /* cert request header sz */ - HINT_LEN_SZ = 2, /* length of hint size field */ - TRUNCATED_HMAC_SZ = 10, /* length of hmac w/ truncated hmac extension */ - HELLO_EXT_SZ = 4, /* base length of a hello extension */ - HELLO_EXT_TYPE_SZ = 2, /* length of a hello extension type */ - HELLO_EXT_SZ_SZ = 2, /* length of a hello extension size */ - HELLO_EXT_SIGALGO_SZ = 2, /* length of number of items in sigalgo list */ - HELLO_EXT_SIGALGO_MAX = 32, /* number of items in the signature algo list */ - - DTLS_HANDSHAKE_HEADER_SZ = 12, /* normal + seq(2) + offset(3) + length(3) */ - DTLS_RECORD_HEADER_SZ = 13, /* normal + epoch(2) + seq_num(6) */ - DTLS_HANDSHAKE_EXTRA = 8, /* diff from normal */ - DTLS_RECORD_EXTRA = 8, /* diff from normal */ - DTLS_HANDSHAKE_SEQ_SZ = 2, /* handshake header sequence number */ - DTLS_HANDSHAKE_FRAG_SZ = 3, /* fragment offset and length are 24 bit */ - DTLS_POOL_SZ = 255,/* allowed number of list items in TX pool */ - DTLS_EXPORT_PRO = 165,/* wolfSSL protocol for serialized session */ - DTLS_EXPORT_VERSION = 3, /* wolfSSL version for serialized session */ - DTLS_EXPORT_OPT_SZ = 57, /* amount of bytes used from Options */ - DTLS_EXPORT_KEY_SZ = 325 + (DTLS_SEQ_SZ * 2), - /* max amount of bytes used from Keys */ - DTLS_EXPORT_MIN_KEY_SZ = 78 + (DTLS_SEQ_SZ * 2), - /* min amount of bytes used from Keys */ - DTLS_EXPORT_SPC_SZ = 16, /* amount of bytes used from CipherSpecs */ - DTLS_EXPORT_LEN = 2, /* 2 bytes for length and protocol */ - DTLS_EXPORT_IP = 46, /* max ip size IPv4 mapped IPv6 */ - MAX_EXPORT_BUFFER = 514, /* max size of buffer for exporting */ - FINISHED_LABEL_SZ = 15, /* TLS finished label size */ - TLS_FINISHED_SZ = 12, /* TLS has a shorter size */ - EXT_MASTER_LABEL_SZ = 22, /* TLS extended master secret label sz */ - MASTER_LABEL_SZ = 13, /* TLS master secret label sz */ - KEY_LABEL_SZ = 13, /* TLS key block expansion sz */ - MAX_PRF_HALF = 256, /* Maximum half secret len */ - MAX_PRF_LABSEED = 128, /* Maximum label + seed len */ - MAX_PRF_DIG = 224, /* Maximum digest len */ - PROTOCOL_LABEL_SZ = 9, /* Length of the protocol label */ - MAX_LABEL_SZ = 34, /* Maximum length of a label */ - MAX_HKDF_LABEL_SZ = OPAQUE16_LEN + - OPAQUE8_LEN + PROTOCOL_LABEL_SZ + MAX_LABEL_SZ + - OPAQUE8_LEN + MAX_DIGEST_SIZE, - MAX_REQUEST_SZ = 256, /* Maximum cert req len (no auth yet */ - SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */ - - RC4_KEY_SIZE = 16, /* always 128bit */ - DES_KEY_SIZE = 8, /* des */ - DES3_KEY_SIZE = 24, /* 3 des ede */ - DES_IV_SIZE = DES_BLOCK_SIZE, - AES_256_KEY_SIZE = 32, /* for 256 bit */ - AES_192_KEY_SIZE = 24, /* for 192 bit */ - AES_IV_SIZE = 16, /* always block size */ - AES_128_KEY_SIZE = 16, /* for 128 bit */ - - AEAD_SEQ_OFFSET = 4, /* Auth Data: Sequence number */ - AEAD_TYPE_OFFSET = 8, /* Auth Data: Type */ - AEAD_VMAJ_OFFSET = 9, /* Auth Data: Major Version */ - AEAD_VMIN_OFFSET = 10, /* Auth Data: Minor Version */ - AEAD_LEN_OFFSET = 11, /* Auth Data: Length */ - AEAD_AUTH_DATA_SZ = 13, /* Size of the data to authenticate */ - AEAD_NONCE_SZ = 12, - AESGCM_IMP_IV_SZ = 4, /* Size of GCM/CCM AEAD implicit IV */ - AESGCM_EXP_IV_SZ = 8, /* Size of GCM/CCM AEAD explicit IV */ - AESGCM_NONCE_SZ = AESGCM_EXP_IV_SZ + AESGCM_IMP_IV_SZ, - - CHACHA20_IMP_IV_SZ = 12, /* Size of ChaCha20 AEAD implicit IV */ - CHACHA20_NONCE_SZ = 12, /* Size of ChacCha20 nonce */ - CHACHA20_OLD_OFFSET = 4, /* Offset for seq # in old poly1305 */ - - /* For any new implicit/explicit IV size adjust AEAD_MAX_***_SZ */ - - AES_GCM_AUTH_SZ = 16, /* AES-GCM Auth Tag length */ - AES_CCM_16_AUTH_SZ = 16, /* AES-CCM-16 Auth Tag length */ - AES_CCM_8_AUTH_SZ = 8, /* AES-CCM-8 Auth Tag Length */ - AESCCM_NONCE_SZ = 12, - - CAMELLIA_128_KEY_SIZE = 16, /* for 128 bit */ - CAMELLIA_192_KEY_SIZE = 24, /* for 192 bit */ - CAMELLIA_256_KEY_SIZE = 32, /* for 256 bit */ - CAMELLIA_IV_SIZE = 16, /* always block size */ - - CHACHA20_256_KEY_SIZE = 32, /* for 256 bit */ - CHACHA20_128_KEY_SIZE = 16, /* for 128 bit */ - CHACHA20_IV_SIZE = 12, /* 96 bits for iv */ - - POLY1305_AUTH_SZ = 16, /* 128 bits */ - - HC_128_KEY_SIZE = 16, /* 128 bits */ - HC_128_IV_SIZE = 16, /* also 128 bits */ - - RABBIT_KEY_SIZE = 16, /* 128 bits */ - RABBIT_IV_SIZE = 8, /* 64 bits for iv */ - - EVP_SALT_SIZE = 8, /* evp salt size 64 bits */ - - ECDHE_SIZE = 32, /* ECHDE server size defaults to 256 bit */ - MAX_EXPORT_ECC_SZ = 256, /* Export ANS X9.62 max future size */ - -#ifdef HAVE_QSH - /* qsh handshake sends 600+ size keys over hello extensions */ - MAX_HELLO_SZ = 2048, /* max client or server hello */ -#else - MAX_HELLO_SZ = 128, /* max client or server hello */ -#endif - MAX_CERT_VERIFY_SZ = 1024, /* max */ - CLIENT_HELLO_FIRST = 35, /* Protocol + RAN_LEN + sizeof(id_len) */ - MAX_SUITE_NAME = 48, /* maximum length of cipher suite string */ - - DTLS_TIMEOUT_INIT = 1, /* default timeout init for DTLS receive */ - DTLS_TIMEOUT_MAX = 64, /* default max timeout for DTLS receive */ - DTLS_TIMEOUT_MULTIPLIER = 2, /* default timeout multiplier for DTLS recv */ - - MAX_PSK_ID_LEN = 128, /* max psk identity/hint supported */ - NULL_TERM_LEN = 1, /* length of null '\0' termination character */ - MAX_PSK_KEY_LEN = 64, /* max psk key supported */ - MIN_PSK_ID_LEN = 6, /* min length of identities */ - MIN_PSK_BINDERS_LEN= 33, /* min length of binders */ - - MAX_WOLFSSL_FILE_SIZE = 1024 * 1024 * 4, /* 4 mb file size alloc limit */ - -#if defined(HAVE_EX_DATA) || defined(FORTRESS) - MAX_EX_DATA = 5, /* allow for five items of ex_data */ -#endif - - MAX_X509_SIZE = 2048, /* max static x509 buffer size */ - CERT_MIN_SIZE = 256, /* min PEM cert size with header/footer */ - FILE_BUFFER_SIZE = 1024, /* default static file buffer size for input, - will use dynamic buffer if not big enough */ - - MAX_NTRU_PUB_KEY_SZ = 1027, /* NTRU max for now */ - MAX_NTRU_ENCRYPT_SZ = 1027, /* NTRU max for now */ - MAX_NTRU_BITS = 256, /* max symmetric bit strength */ - NO_SNIFF = 0, /* not sniffing */ - SNIFF = 1, /* currently sniffing */ - - HASH_SIG_SIZE = 2, /* default SHA1 RSA */ - - NO_COPY = 0, /* should we copy static buffer for write */ - COPY = 1, /* should we copy static buffer for write */ - - PREV_ORDER = -1, /* Sequence number is in previous epoch. */ - PEER_ORDER = 1, /* Peer sequence number for verify. */ - CUR_ORDER = 0, /* Current sequence number. */ - WRITE_PROTO = 1, /* writing a protocol message */ - READ_PROTO = 0 /* reading a protocol message */ -}; - - -/* Set max implicit IV size for AEAD cipher suites */ -#define AEAD_MAX_IMP_SZ 12 - -/* Set max explicit IV size for AEAD cipher suites */ -#define AEAD_MAX_EXP_SZ 8 - - -#ifndef WOLFSSL_MAX_SUITE_SZ - #define WOLFSSL_MAX_SUITE_SZ 300 - /* 150 suites for now! */ -#endif - -/* set minimum ECC key size allowed */ -#ifndef WOLFSSL_MIN_ECC_BITS - #ifdef WOLFSSL_MAX_STRENGTH - #define WOLFSSL_MIN_ECC_BITS 256 - #else - #define WOLFSSL_MIN_ECC_BITS 224 - #endif -#endif /* WOLFSSL_MIN_ECC_BITS */ -#if (WOLFSSL_MIN_ECC_BITS % 8) - /* Some ECC keys are not divisable by 8 such as prime239v1 or sect131r1. - In these cases round down to the nearest value divisable by 8. The - restriction of being divisable by 8 is in place to match wc_ecc_size - function from wolfSSL. - */ - #error ECC minimum bit size must be a multiple of 8 -#endif -#define MIN_ECCKEY_SZ (WOLFSSL_MIN_ECC_BITS / 8) - -/* set minimum RSA key size allowed */ -#ifndef WOLFSSL_MIN_RSA_BITS - #ifdef WOLFSSL_MAX_STRENGTH - #define WOLFSSL_MIN_RSA_BITS 2048 - #else - #define WOLFSSL_MIN_RSA_BITS 1024 - #endif -#endif /* WOLFSSL_MIN_RSA_BITS */ -#if (WOLFSSL_MIN_RSA_BITS % 8) - /* This is to account for the example case of a min size of 2050 bits but - still allows 2049 bit key. So we need the measurment to be in bytes. */ - #error RSA minimum bit size must be a multiple of 8 -#endif -#define MIN_RSAKEY_SZ (WOLFSSL_MIN_RSA_BITS / 8) - -/* set minimum DH key size allowed */ -#ifndef WOLFSSL_MIN_DHKEY_BITS - #ifdef WOLFSSL_MAX_STRENGTH - #define WOLFSSL_MIN_DHKEY_BITS 2048 - #else - #define WOLFSSL_MIN_DHKEY_BITS 1024 - #endif -#endif -#if (WOLFSSL_MIN_DHKEY_BITS % 8) - #error DH minimum bit size must be multiple of 8 -#endif -#if (WOLFSSL_MIN_DHKEY_BITS > 16000) - #error DH minimum bit size must not be greater than 16000 -#endif -#define MIN_DHKEY_SZ (WOLFSSL_MIN_DHKEY_BITS / 8) - - -#ifdef SESSION_INDEX -/* Shift values for making a session index */ -#define SESSIDX_ROW_SHIFT 4 -#define SESSIDX_IDX_MASK 0x0F -#endif - - -/* max cert chain peer depth */ -#ifndef MAX_CHAIN_DEPTH - #define MAX_CHAIN_DEPTH 9 -#endif - -/* max size of a certificate message payload */ -/* assumes MAX_CHAIN_DEPTH number of certificates at 2kb per certificate */ -#ifndef MAX_CERTIFICATE_SZ - #define MAX_CERTIFICATE_SZ \ - CERT_HEADER_SZ + \ - (MAX_X509_SIZE + CERT_HEADER_SZ) * MAX_CHAIN_DEPTH -#endif - -/* max size of a handshake message, currently set to the certificate */ -#ifndef MAX_HANDSHAKE_SZ - #define MAX_HANDSHAKE_SZ MAX_CERTIFICATE_SZ -#endif - -#ifndef SESSION_TICKET_LEN - #define SESSION_TICKET_LEN 256 -#endif - -#ifndef SESSION_TICKET_HINT_DEFAULT - #define SESSION_TICKET_HINT_DEFAULT 300 -#endif - - -/* don't use extra 3/4k stack space unless need to */ -#ifdef HAVE_NTRU - #define MAX_ENCRYPT_SZ MAX_NTRU_ENCRYPT_SZ -#else - #define MAX_ENCRYPT_SZ ENCRYPT_LEN -#endif - - -/* states */ -enum states { - NULL_STATE = 0, - - SERVER_HELLOVERIFYREQUEST_COMPLETE, - SERVER_HELLO_COMPLETE, - SERVER_ENCRYPTED_EXTENSIONS_COMPLETE, - SERVER_CERT_COMPLETE, - SERVER_KEYEXCHANGE_COMPLETE, - SERVER_HELLODONE_COMPLETE, - SERVER_FINISHED_COMPLETE, - SERVER_HELLO_RETRY_REQUEST, - - CLIENT_HELLO_COMPLETE, - CLIENT_KEYEXCHANGE_COMPLETE, - CLIENT_FINISHED_COMPLETE, - - HANDSHAKE_DONE -}; - - -#if defined(__GNUC__) - #define WOLFSSL_PACK __attribute__ ((packed)) -#else - #define WOLFSSL_PACK -#endif - -/* SSL Version */ -typedef struct ProtocolVersion { - byte major; - byte minor; -} WOLFSSL_PACK ProtocolVersion; - - -WOLFSSL_LOCAL ProtocolVersion MakeSSLv3(void); -WOLFSSL_LOCAL ProtocolVersion MakeTLSv1(void); -WOLFSSL_LOCAL ProtocolVersion MakeTLSv1_1(void); -WOLFSSL_LOCAL ProtocolVersion MakeTLSv1_2(void); -WOLFSSL_LOCAL ProtocolVersion MakeTLSv1_3(void); - -#ifdef WOLFSSL_DTLS - WOLFSSL_LOCAL ProtocolVersion MakeDTLSv1(void); - WOLFSSL_LOCAL ProtocolVersion MakeDTLSv1_2(void); - - #ifdef WOLFSSL_SESSION_EXPORT - WOLFSSL_LOCAL int wolfSSL_dtls_import_internal(WOLFSSL* ssl, byte* buf, - word32 sz); - WOLFSSL_LOCAL int wolfSSL_dtls_export_internal(WOLFSSL* ssl, byte* buf, - word32 sz); - WOLFSSL_LOCAL int wolfSSL_send_session(WOLFSSL* ssl); - #endif -#endif - - -enum BIO_TYPE { - BIO_BUFFER = 1, - BIO_SOCKET = 2, - BIO_SSL = 3, - BIO_MEMORY = 4, - BIO_BIO = 5, - BIO_FILE = 6 -}; - - -/* wolfSSL BIO_METHOD type */ -struct WOLFSSL_BIO_METHOD { - byte type; /* method type */ -}; - - -/* wolfSSL BIO type */ -struct WOLFSSL_BIO { - WOLFSSL* ssl; /* possible associated ssl */ -#ifndef NO_FILESYSTEM - XFILE file; -#endif - WOLFSSL_BIO* prev; /* previous in chain */ - WOLFSSL_BIO* next; /* next in chain */ - WOLFSSL_BIO* pair; /* BIO paired with */ - void* heap; /* user heap hint */ - byte* mem; /* memory buffer */ - int wrSz; /* write buffer size (mem) */ - int wrIdx; /* current index for write buffer */ - int rdIdx; /* current read index */ - int readRq; /* read request */ - int memLen; /* memory buffer length */ - int fd; /* possible file descriptor */ - int eof; /* eof flag */ - byte type; /* method type */ - byte close; /* close flag */ -}; - - -/* wolfSSL method type */ -struct WOLFSSL_METHOD { - ProtocolVersion version; - byte side; /* connection side, server or client */ - byte downgrade; /* whether to downgrade version, default no */ -}; - -/* wolfSSL buffer type - internal uses "buffer" type */ -typedef WOLFSSL_BUFFER_INFO buffer; - - -/* defaults to client */ -WOLFSSL_LOCAL void InitSSL_Method(WOLFSSL_METHOD*, ProtocolVersion); - -/* for sniffer */ -WOLFSSL_LOCAL int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - word32 size, word32 totalSz, int sniff); -WOLFSSL_LOCAL int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx); -/* TLS v1.3 needs these */ -WOLFSSL_LOCAL int DoClientHello(WOLFSSL* ssl, const byte* input, word32*, - word32); -WOLFSSL_LOCAL int DoServerHello(WOLFSSL* ssl, const byte* input, word32*, - word32); -WOLFSSL_LOCAL int CheckVersion(WOLFSSL *ssl, ProtocolVersion pv); -WOLFSSL_LOCAL void PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, - word32 hashSigAlgoSz); -WOLFSSL_LOCAL int DecodePrivateKey(WOLFSSL *ssl, word16* length); -WOLFSSL_LOCAL void FreeKeyExchange(WOLFSSL* ssl); -WOLFSSL_LOCAL int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 size); -WOLFSSL_LOCAL int MatchDomainName(const char* pattern, int len, const char* str); -#ifndef NO_CERTS -WOLFSSL_LOCAL int CheckAltNames(DecodedCert* dCert, char* domain); -#endif -WOLFSSL_LOCAL int CreateTicket(WOLFSSL* ssl); -WOLFSSL_LOCAL int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz); -WOLFSSL_LOCAL int HashOutput(WOLFSSL* ssl, const byte* output, int sz, - int ivSz); -WOLFSSL_LOCAL int HashInput(WOLFSSL* ssl, const byte* input, int sz); -#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined (WOLFSSL_HAPROXY) -WOLFSSL_LOCAL int SNI_Callback(WOLFSSL* ssl); -#endif -#ifdef WOLFSSL_TLS13 -WOLFSSL_LOCAL int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, - word16 sz); -WOLFSSL_LOCAL int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, - word32* inOutIdx, byte type, - word32 size, word32 totalSz); -WOLFSSL_LOCAL int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, - word32* inOutIdx, word32 totalSz); -WOLFSSL_LOCAL int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, - word32* inOutIdx, word32 helloSz); -#endif - -#ifndef NO_CERTS - /* wolfSSL DER buffer */ - typedef struct DerBuffer { - byte* buffer; - void* heap; - word32 length; - int type; /* enum CertType */ - int dynType; /* DYNAMIC_TYPE_* */ - } DerBuffer; -#endif /* !NO_CERTS */ - - -enum { - FORCED_FREE = 1, - NO_FORCED_FREE = 0 -}; - - -/* only use compression extra if using compression */ -#ifdef HAVE_LIBZ - #define COMP_EXTRA MAX_COMP_EXTRA -#else - #define COMP_EXTRA 0 -#endif - -/* only the sniffer needs space in the buffer for extra MTU record(s) */ -#ifdef WOLFSSL_SNIFFER - #define MTU_EXTRA MAX_MTU * 3 -#else - #define MTU_EXTRA 0 -#endif - - -/* embedded callbacks require large static buffers, make sure on */ -#ifdef WOLFSSL_CALLBACKS - #undef LARGE_STATIC_BUFFERS - #define LARGE_STATIC_BUFFERS -#endif - - -/* give user option to use 16K static buffers */ -#if defined(LARGE_STATIC_BUFFERS) - #define RECORD_SIZE MAX_RECORD_SIZE -#else - #ifdef WOLFSSL_DTLS - #define RECORD_SIZE MAX_MTU - #else - #define RECORD_SIZE 128 - #endif -#endif - - -/* user option to turn off 16K output option */ -/* if using small static buffers (default) and SSL_write tries to write data - larger than the record we have, dynamically get it, unless user says only - write in static buffer chunks */ -#ifndef STATIC_CHUNKS_ONLY - #define OUTPUT_RECORD_SIZE MAX_RECORD_SIZE -#else - #define OUTPUT_RECORD_SIZE RECORD_SIZE -#endif - -/* wolfSSL input buffer - - RFC 2246: - - length - The length (in bytes) of the following TLSPlaintext.fragment. - The length should not exceed 2^14. -*/ -#if defined(LARGE_STATIC_BUFFERS) - #define STATIC_BUFFER_LEN RECORD_HEADER_SZ + RECORD_SIZE + COMP_EXTRA + \ - MTU_EXTRA + MAX_MSG_EXTRA -#else - /* don't fragment memory from the record header */ - #define STATIC_BUFFER_LEN RECORD_HEADER_SZ -#endif - -typedef struct { - ALIGN16 byte staticBuffer[STATIC_BUFFER_LEN]; - byte* buffer; /* place holder for static or dynamic buffer */ - word32 length; /* total buffer length used */ - word32 idx; /* idx to part of length already consumed */ - word32 bufferSize; /* current buffer size */ - byte dynamicFlag; /* dynamic memory currently in use */ - byte offset; /* alignment offset attempt */ -} bufferStatic; - -/* Cipher Suites holder */ -typedef struct Suites { - word16 suiteSz; /* suite length in bytes */ - word16 hashSigAlgoSz; /* SigAlgo extension length in bytes */ - byte suites[WOLFSSL_MAX_SUITE_SZ]; - byte hashSigAlgo[HELLO_EXT_SIGALGO_MAX]; /* sig/algo to offer */ - byte setSuites; /* user set suites from default */ - byte hashAlgo; /* selected hash algorithm */ - byte sigAlgo; /* selected sig algorithm */ -} Suites; - - -WOLFSSL_LOCAL void InitSuites(Suites*, ProtocolVersion, word16, word16, word16, word16, - word16, word16, word16, int); -WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites); -WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX*, Suites*, const char* list); - -#ifndef PSK_TYPES_DEFINED - typedef unsigned int (*wc_psk_client_callback)(WOLFSSL*, const char*, char*, - unsigned int, unsigned char*, unsigned int); - typedef unsigned int (*wc_psk_server_callback)(WOLFSSL*, const char*, - unsigned char*, unsigned int); -#endif /* PSK_TYPES_DEFINED */ -#ifdef WOLFSSL_DTLS - typedef int (*wc_dtls_export)(WOLFSSL* ssl, - unsigned char* exportBuffer, unsigned int sz, void* userCtx); -#endif - - -/* wolfSSL Cipher type just points back to SSL */ -struct WOLFSSL_CIPHER { - WOLFSSL* ssl; -}; - - -typedef struct OcspEntry OcspEntry; - -#ifdef NO_SHA - #define OCSP_DIGEST_SIZE SHA256_DIGEST_SIZE -#else - #define OCSP_DIGEST_SIZE SHA_DIGEST_SIZE -#endif - -#ifdef NO_ASN - /* no_asn won't have */ - typedef struct CertStatus CertStatus; -#endif - -struct OcspEntry { - OcspEntry* next; /* next entry */ - byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */ - byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */ - CertStatus* status; /* OCSP response list */ - int totalStatus; /* number on list */ -}; - - -#ifndef HAVE_OCSP - typedef struct WOLFSSL_OCSP WOLFSSL_OCSP; -#endif - -/* wolfSSL OCSP controller */ -struct WOLFSSL_OCSP { - WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */ - OcspEntry* ocspList; /* OCSP response list */ - wolfSSL_Mutex ocspLock; /* OCSP list lock */ -#if defined(WOLFSSL_NGINX) || defined (WOLFSSL_HAPROXY) - int(*statusCb)(WOLFSSL*, void*); -#endif -}; - -#ifndef MAX_DATE_SIZE -#define MAX_DATE_SIZE 32 -#endif - -typedef struct CRL_Entry CRL_Entry; - -#ifdef NO_SHA - #define CRL_DIGEST_SIZE SHA256_DIGEST_SIZE -#else - #define CRL_DIGEST_SIZE SHA_DIGEST_SIZE -#endif - -#ifdef NO_ASN - typedef struct RevokedCert RevokedCert; -#endif - -/* Complete CRL */ -struct CRL_Entry { - CRL_Entry* next; /* next entry */ - byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */ - /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */ - /* restore the hash here if needed for optimized comparisons */ - byte lastDate[MAX_DATE_SIZE]; /* last date updated */ - byte nextDate[MAX_DATE_SIZE]; /* next update date */ - byte lastDateFormat; /* last date format */ - byte nextDateFormat; /* next date format */ - RevokedCert* certs; /* revoked cert list */ - int totalCerts; /* number on list */ - int verified; - byte* toBeSigned; - word32 tbsSz; - byte* signature; - word32 signatureSz; - word32 signatureOID; -#if !defined(NO_SKID) && defined(CRL_SKID_READY) - byte extAuthKeyIdSet; - byte extAuthKeyId[KEYID_SIZE]; -#endif -}; - - -typedef struct CRL_Monitor CRL_Monitor; - -/* CRL directory monitor */ -struct CRL_Monitor { - char* path; /* full dir path, if valid pointer we're using */ - int type; /* PEM or ASN1 type */ -}; - - -#if defined(HAVE_CRL) && defined(NO_FILESYSTEM) - #undef HAVE_CRL_MONITOR -#endif - -/* wolfSSL CRL controller */ -struct WOLFSSL_CRL { - WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */ - CRL_Entry* crlList; /* our CRL list */ -#ifdef HAVE_CRL_IO - CbCrlIO crlIOCb; -#endif - wolfSSL_Mutex crlLock; /* CRL list lock */ - CRL_Monitor monitors[2]; /* PEM and DER possible */ -#ifdef HAVE_CRL_MONITOR - pthread_cond_t cond; /* condition to signal setup */ - pthread_t tid; /* monitoring thread */ - int mfd; /* monitor fd, -1 if no init yet */ - int setup; /* thread is setup predicate */ -#endif - void* heap; /* heap hint for dynamic memory */ -}; - - -#ifdef NO_ASN - typedef struct Signer Signer; -#ifdef WOLFSSL_TRUST_PEER_CERT - typedef struct TrustedPeerCert TrustedPeerCert; -#endif -#endif - - -#ifndef CA_TABLE_SIZE - #define CA_TABLE_SIZE 11 -#endif -#ifdef WOLFSSL_TRUST_PEER_CERT - #define TP_TABLE_SIZE 11 -#endif - -/* wolfSSL Certificate Manager */ -struct WOLFSSL_CERT_MANAGER { - Signer* caTable[CA_TABLE_SIZE]; /* the CA signer table */ - void* heap; /* heap helper */ -#ifdef WOLFSSL_TRUST_PEER_CERT - TrustedPeerCert* tpTable[TP_TABLE_SIZE]; /* table of trusted peer certs */ - wolfSSL_Mutex tpLock; /* trusted peer list lock */ -#endif - WOLFSSL_CRL* crl; /* CRL checker */ - WOLFSSL_OCSP* ocsp; /* OCSP checker */ -#if !defined(NO_WOLFSSL_SERVER) && (defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)) - WOLFSSL_OCSP* ocsp_stapling; /* OCSP checker for OCSP stapling */ -#endif - char* ocspOverrideURL; /* use this responder */ - void* ocspIOCtx; /* I/O callback CTX */ - CallbackCACache caCacheCallback; /* CA cache addition callback */ - CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */ - CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */ - CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */ - wolfSSL_Mutex caLock; /* CA list lock */ - byte crlEnabled; /* is CRL on ? */ - byte crlCheckAll; /* always leaf, but all ? */ - byte ocspEnabled; /* is OCSP on ? */ - byte ocspCheckAll; /* always leaf, but all ? */ - byte ocspSendNonce; /* send the OCSP nonce ? */ - byte ocspUseOverrideURL; /* ignore cert's responder, override */ - byte ocspStaplingEnabled; /* is OCSP Stapling on ? */ - -#ifndef NO_RSA - short minRsaKeySz; /* minimum allowed RSA key size */ -#endif -#ifdef HAVE_ECC - short minEccKeySz; /* minimum allowed ECC key size */ -#endif -}; - -WOLFSSL_LOCAL int CM_SaveCertCache(WOLFSSL_CERT_MANAGER*, const char*); -WOLFSSL_LOCAL int CM_RestoreCertCache(WOLFSSL_CERT_MANAGER*, const char*); -WOLFSSL_LOCAL int CM_MemSaveCertCache(WOLFSSL_CERT_MANAGER*, void*, int, int*); -WOLFSSL_LOCAL int CM_MemRestoreCertCache(WOLFSSL_CERT_MANAGER*, const void*, int); -WOLFSSL_LOCAL int CM_GetCertCacheMemSize(WOLFSSL_CERT_MANAGER*); - -/* wolfSSL Sock Addr */ -struct WOLFSSL_SOCKADDR { - unsigned int sz; /* sockaddr size */ - void* sa; /* pointer to the sockaddr_in or sockaddr_in6 */ -}; - -typedef struct WOLFSSL_DTLS_CTX { - WOLFSSL_SOCKADDR peer; - int rfd; - int wfd; -} WOLFSSL_DTLS_CTX; - - -#define MAX_WRITE_IV_SZ 16 /* max size of client/server write_IV */ - -/* keys and secrets - * keep as a constant size (no additional ifdefs) for session export */ -typedef struct Keys { - byte client_write_MAC_secret[MAX_DIGEST_SIZE]; /* max sizes */ - byte server_write_MAC_secret[MAX_DIGEST_SIZE]; - byte client_write_key[AES_256_KEY_SIZE]; /* max sizes */ - byte server_write_key[AES_256_KEY_SIZE]; - byte client_write_IV[MAX_WRITE_IV_SZ]; /* max sizes */ - byte server_write_IV[MAX_WRITE_IV_SZ]; -#if defined(HAVE_AEAD) || defined(WOLFSSL_SESSION_EXPORT) - byte aead_exp_IV[AEAD_MAX_EXP_SZ]; - byte aead_enc_imp_IV[AEAD_MAX_IMP_SZ]; - byte aead_dec_imp_IV[AEAD_MAX_IMP_SZ]; -#endif - - word32 peer_sequence_number_hi; - word32 peer_sequence_number_lo; - word32 sequence_number_hi; - word32 sequence_number_lo; - -#ifdef WOLFSSL_DTLS - word32 window[WOLFSSL_DTLS_WINDOW_WORDS]; - /* Sliding window for current epoch */ - word16 nextEpoch; /* Expected epoch in next record */ - word16 nextSeq_hi; /* Expected sequence in next record */ - word32 nextSeq_lo; - - word16 curEpoch; /* Received epoch in current record */ - word16 curSeq_hi; /* Received sequence in current record */ - word32 curSeq_lo; - - word32 prevWindow[WOLFSSL_DTLS_WINDOW_WORDS]; - /* Sliding window for old epoch */ - word16 prevSeq_hi; /* Next sequence in allowed old epoch */ - word32 prevSeq_lo; - - word16 dtls_peer_handshake_number; - word16 dtls_expected_peer_handshake_number; - - word16 dtls_epoch; /* Current epoch */ - word16 dtls_sequence_number_hi; /* Current epoch */ - word32 dtls_sequence_number_lo; - word16 dtls_prev_sequence_number_hi; /* Previous epoch */ - word32 dtls_prev_sequence_number_lo; - word16 dtls_handshake_number; /* Current tx handshake seq */ -#endif - - word32 encryptSz; /* last size of encrypted data */ - word32 padSz; /* how much to advance after decrypt part */ - byte encryptionOn; /* true after change cipher spec */ - byte decryptedCur; /* only decrypt current record once */ -#ifdef WOLFSSL_TLS13 - byte updateResponseReq:1; /* KeyUpdate response from peer required. */ - byte keyUpdateRespond:1; /* KeyUpdate is to be responded to. */ -#endif -} Keys; - - - -/** TLS Extensions - RFC 6066 */ -#ifdef HAVE_TLS_EXTENSIONS - -typedef enum { - TLSX_SERVER_NAME = 0x0000, /* a.k.a. SNI */ - TLSX_MAX_FRAGMENT_LENGTH = 0x0001, - TLSX_TRUNCATED_HMAC = 0x0004, - TLSX_STATUS_REQUEST = 0x0005, /* a.k.a. OCSP stapling */ - TLSX_SUPPORTED_GROUPS = 0x000a, /* a.k.a. Supported Curves */ - TLSX_SIGNATURE_ALGORITHMS = 0x000d, - TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */ - TLSX_STATUS_REQUEST_V2 = 0x0011, /* a.k.a. OCSP stapling v2 */ - TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */ - TLSX_SESSION_TICKET = 0x0023, -#ifdef WOLFSSL_TLS13 - TLSX_KEY_SHARE = 0x0028, - #ifndef NO_PSK - TLSX_PRE_SHARED_KEY = 0x0029, - #endif - TLSX_SUPPORTED_VERSIONS = 0x002b, - #ifndef NO_PSK - TLSX_PSK_KEY_EXCHANGE_MODES = 0x002d, - #endif -#endif - TLSX_RENEGOTIATION_INFO = 0xff01 -} TLSX_Type; - -typedef struct TLSX { - TLSX_Type type; /* Extension Type */ - void* data; /* Extension Data */ - word32 val; /* Extension Value */ - byte resp; /* IsResponse Flag */ - struct TLSX* next; /* List Behavior */ -} TLSX; - -WOLFSSL_LOCAL TLSX* TLSX_Find(TLSX* list, TLSX_Type type); -WOLFSSL_LOCAL void TLSX_FreeAll(TLSX* list, void* heap); -WOLFSSL_LOCAL int TLSX_SupportExtensions(WOLFSSL* ssl); -WOLFSSL_LOCAL int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isRequest); - -#ifndef NO_WOLFSSL_CLIENT -WOLFSSL_LOCAL word16 TLSX_GetRequestSize(WOLFSSL* ssl); -WOLFSSL_LOCAL word16 TLSX_WriteRequest(WOLFSSL* ssl, byte* output); -#endif - -#ifndef NO_WOLFSSL_SERVER -WOLFSSL_LOCAL word16 TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType); -WOLFSSL_LOCAL word16 TLSX_WriteResponse(WOLFSSL* ssl, byte* output, - byte msgType); -#endif - -WOLFSSL_LOCAL int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, - byte msgType, Suites *suites); - -#elif defined(HAVE_SNI) \ - || defined(HAVE_MAX_FRAGMENT) \ - || defined(HAVE_TRUNCATED_HMAC) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) \ - || defined(HAVE_SUPPORTED_CURVES) \ - || defined(HAVE_ALPN) \ - || defined(HAVE_QSH) \ - || defined(HAVE_SESSION_TICKET) \ - || defined(HAVE_SECURE_RENEGOTIATION) \ - || defined(HAVE_SERVER_RENEGOTIATION_INFO) - -#error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined. - -#endif /* HAVE_TLS_EXTENSIONS */ - -/** Server Name Indication - RFC 6066 (session 3) */ -#ifdef HAVE_SNI - -typedef struct SNI { - byte type; /* SNI Type */ - union { char* host_name; } data; /* SNI Data */ - struct SNI* next; /* List Behavior */ -#ifndef NO_WOLFSSL_SERVER - byte options; /* Behavior options */ - byte status; /* Matching result */ -#endif -} SNI; - -WOLFSSL_LOCAL int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, - word16 size, void* heap); - -#ifndef NO_WOLFSSL_SERVER -WOLFSSL_LOCAL void TLSX_SNI_SetOptions(TLSX* extensions, byte type, - byte options); -WOLFSSL_LOCAL byte TLSX_SNI_Status(TLSX* extensions, byte type); -WOLFSSL_LOCAL word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, - void** data); -WOLFSSL_LOCAL int TLSX_SNI_GetFromBuffer(const byte* buffer, word32 bufferSz, - byte type, byte* sni, word32* inOutSz); -#endif - -#endif /* HAVE_SNI */ - -/* Application-Layer Protocol Negotiation - RFC 7301 */ -#ifdef HAVE_ALPN -typedef struct ALPN { - char* protocol_name; /* ALPN protocol name */ - struct ALPN* next; /* List Behavior */ - byte options; /* Behavior options */ - byte negotiated; /* ALPN protocol negotiated or not */ -} ALPN; - -WOLFSSL_LOCAL int TLSX_ALPN_GetRequest(TLSX* extensions, - void** data, word16 *dataSz); - -WOLFSSL_LOCAL int TLSX_UseALPN(TLSX** extensions, const void* data, - word16 size, byte options, void* heap); - -WOLFSSL_LOCAL int TLSX_ALPN_SetOptions(TLSX** extensions, const byte option); - -#endif /* HAVE_ALPN */ - -/** Maximum Fragment Length Negotiation - RFC 6066 (session 4) */ -#ifdef HAVE_MAX_FRAGMENT - -WOLFSSL_LOCAL int TLSX_UseMaxFragment(TLSX** extensions, byte mfl, void* heap); - -#endif /* HAVE_MAX_FRAGMENT */ - -/** Truncated HMAC - RFC 6066 (session 7) */ -#ifdef HAVE_TRUNCATED_HMAC - -WOLFSSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions, void* heap); - -#endif /* HAVE_TRUNCATED_HMAC */ - -/** Certificate Status Request - RFC 6066 (session 8) */ -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST - -typedef struct { - byte status_type; - byte options; - union { - OcspRequest ocsp; - } request; -} CertificateStatusRequest; - -WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions, - byte status_type, byte options, void* heap, int devId); -#ifndef NO_CERTS -WOLFSSL_LOCAL int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert, - void* heap); -#endif -WOLFSSL_LOCAL void* TLSX_CSR_GetRequest(TLSX* extensions); -WOLFSSL_LOCAL int TLSX_CSR_ForceRequest(WOLFSSL* ssl); - -#endif - -/** Certificate Status Request v2 - RFC 6961 */ -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - -typedef struct CSRIv2 { - byte status_type; - byte options; - word16 requests; - union { - OcspRequest ocsp[1 + MAX_CHAIN_DEPTH]; - } request; - struct CSRIv2* next; -} CertificateStatusRequestItemV2; - -WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, - byte status_type, byte options, void* heap, int devId); -#ifndef NO_CERTS -WOLFSSL_LOCAL int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, - byte isPeer, void* heap); -#endif -WOLFSSL_LOCAL void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, - byte index); -WOLFSSL_LOCAL int TLSX_CSR2_ForceRequest(WOLFSSL* ssl); - -#endif - -/** Supported Elliptic Curves - RFC 4492 (session 4) */ -#ifdef HAVE_SUPPORTED_CURVES - -typedef struct EllipticCurve { - word16 name; /* CurveNames */ - struct EllipticCurve* next; /* List Behavior */ -} EllipticCurve; - -WOLFSSL_LOCAL int TLSX_UseSupportedCurve(TLSX** extensions, word16 name, - void* heap); - -#ifndef NO_WOLFSSL_SERVER -WOLFSSL_LOCAL int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, - byte second); -#endif - -#endif /* HAVE_SUPPORTED_CURVES */ - -/** Renegotiation Indication - RFC 5746 */ -#if defined(HAVE_SECURE_RENEGOTIATION) \ - || defined(HAVE_SERVER_RENEGOTIATION_INFO) - -enum key_cache_state { - SCR_CACHE_NULL = 0, /* empty / begin state */ - SCR_CACHE_NEEDED, /* need to cache keys */ - SCR_CACHE_COPY, /* we have a cached copy */ - SCR_CACHE_PARTIAL, /* partial restore to real keys */ - SCR_CACHE_COMPLETE /* complete restore to real keys */ -}; - -/* Additional Connection State according to rfc5746 section 3.1 */ -typedef struct SecureRenegotiation { - byte enabled; /* secure_renegotiation flag in rfc */ - byte startScr; /* server requested client to start scr */ - enum key_cache_state cache_status; /* track key cache state */ - byte client_verify_data[TLS_FINISHED_SZ]; /* cached */ - byte server_verify_data[TLS_FINISHED_SZ]; /* cached */ - byte subject_hash[SHA_DIGEST_SIZE]; /* peer cert hash */ - Keys tmp_keys; /* can't overwrite real keys yet */ -} SecureRenegotiation; - -WOLFSSL_LOCAL int TLSX_UseSecureRenegotiation(TLSX** extensions, void* heap); - -#ifdef HAVE_SERVER_RENEGOTIATION_INFO -WOLFSSL_LOCAL int TLSX_AddEmptyRenegotiationInfo(TLSX** extensions, void* heap); -#endif - -#endif /* HAVE_SECURE_RENEGOTIATION */ - -/** Session Ticket - RFC 5077 (session 3.2) */ -#ifdef HAVE_SESSION_TICKET - -typedef struct SessionTicket { - word32 lifetime; -#ifdef WOLFSSL_TLS13 - word64 seen; - word32 ageAdd; -#endif - byte* data; - word16 size; -} SessionTicket; - -WOLFSSL_LOCAL int TLSX_UseSessionTicket(TLSX** extensions, - SessionTicket* ticket, void* heap); -WOLFSSL_LOCAL SessionTicket* TLSX_SessionTicket_Create(word32 lifetime, - byte* data, word16 size, void* heap); -WOLFSSL_LOCAL void TLSX_SessionTicket_Free(SessionTicket* ticket, void* heap); - -#endif /* HAVE_SESSION_TICKET */ - -/** Quantum-Safe-Hybrid - draft-whyte-qsh-tls12-00 */ -#ifdef HAVE_QSH - -typedef struct QSHScheme { - struct QSHScheme* next; /* List Behavior */ - byte* PK; - word16 name; /* QSHScheme Names */ - word16 PKLen; -} QSHScheme; - -typedef struct QSHkey { - struct QSHKey* next; - word16 name; - buffer pub; - buffer pri; -} QSHKey; - -typedef struct QSHSecret { - QSHScheme* list; - buffer* SerSi; - buffer* CliSi; -} QSHSecret; - -/* used in key exchange during handshake */ -WOLFSSL_LOCAL int TLSX_QSHCipher_Parse(WOLFSSL* ssl, const byte* input, - word16 length, byte isServer); -WOLFSSL_LOCAL word16 TLSX_QSHPK_Write(QSHScheme* list, byte* output); -WOLFSSL_LOCAL word16 TLSX_QSH_GetSize(QSHScheme* list, byte isRequest); - -/* used by api for setting a specific QSH scheme */ -WOLFSSL_LOCAL int TLSX_UseQSHScheme(TLSX** extensions, word16 name, - byte* pKey, word16 pKeySz, void* heap); - -/* used when parsing in QSHCipher structs */ -WOLFSSL_LOCAL int QSH_Decrypt(QSHKey* key, byte* in, word32 szIn, - byte* out, word16* szOut); -#ifndef NO_WOLFSSL_SERVER -WOLFSSL_LOCAL int TLSX_ValidateQSHScheme(TLSX** extensions, word16 name); -#endif - -#endif /* HAVE_QSH */ - -#ifdef WOLFSSL_TLS13 -/* Key Share - TLS v1.3 Specification */ - -/* The KeyShare extension information - entry in a linked list. */ -typedef struct KeyShareEntry { - word16 group; /* NamedGroup */ - byte* ke; /* Key exchange data */ - word32 keLen; /* Key exchange data length */ - void* key; /* Private key */ - word32 keyLen; /* Private key length */ - struct KeyShareEntry* next; /* List pointer */ -} KeyShareEntry; - -WOLFSSL_LOCAL int TLSX_KeyShare_Use(WOLFSSL* ssl, word16 group, word16 len, - byte* data, KeyShareEntry **kse); -WOLFSSL_LOCAL int TLSX_KeyShare_Empty(WOLFSSL* ssl); -WOLFSSL_LOCAL int TLSX_KeyShare_Establish(WOLFSSL* ssl); - -#ifndef NO_PSK -/* The PreSharedKey extension information - entry in a linked list. */ -typedef struct PreSharedKey { - word16 identityLen; /* Length of identity */ - byte* identity; /* PSK identity */ - word32 ticketAge; /* Age of the ticket */ - word32 binderLen; /* Length of HMAC */ - byte binder[MAX_DIGEST_SIZE]; /* HMAC of hanshake */ - byte hmac; /* HMAC algorithm */ - byte resumption:1; /* Resumption PSK */ - byte chosen:1; /* Server's choice */ - struct PreSharedKey* next; /* List pointer */ -} PreSharedKey; - -WOLFSSL_LOCAL word16 TLSX_PreSharedKey_WriteBinders(PreSharedKey* list, - byte* output, byte msgType); -WOLFSSL_LOCAL word16 TLSX_PreSharedKey_GetSizeBinders(PreSharedKey* list, - byte msgType); -WOLFSSL_LOCAL int TLSX_PreSharedKey_Use(WOLFSSL* ssl, byte* identity, - word16 len, word32 age, byte hmac, - byte resumption, - PreSharedKey **preSharedKey); - -enum PskKeyExchangeMode { - PSK_KE, - PSK_DHE_KE -}; - -WOLFSSL_LOCAL int TLSX_PskKeModes_Use(WOLFSSL* ssl, byte modes); -#endif /* NO_PSK */ - -/* The types of keys to derive for. */ -enum DeriveKeyType { - handshake_key, - traffic_key, - update_traffic_key -}; - -/* The key update request values for KeyUpdate message. */ -enum KeyUpdateRequest { - update_not_requested, - update_requested -}; -#endif /* WOLFSSL_TLS13 */ - - -/* wolfSSL context type */ -struct WOLFSSL_CTX { - WOLFSSL_METHOD* method; -#ifdef SINGLE_THREADED - WC_RNG* rng; /* to be shared with WOLFSSL w/o locking */ -#endif - wolfSSL_Mutex countMutex; /* reference count mutex */ - int refCount; /* reference count */ - int err; /* error code in case of mutex not created */ -#ifndef NO_DH - buffer serverDH_P; - buffer serverDH_G; -#endif -#ifndef NO_CERTS - DerBuffer* certificate; - DerBuffer* certChain; - /* chain after self, in DER, with leading size for each cert */ - #ifdef OPENSSL_EXTRA - STACK_OF(WOLFSSL_X509_NAME)* ca_names; - #endif - #if defined(WOLFSSL_NGINX) || defined (WOLFSSL_HAPROXY) - STACK_OF(WOLFSSL_X509)* x509Chain; - #endif -#ifdef WOLFSSL_TLS13 - int certChainCnt; -#endif - DerBuffer* privateKey; - WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */ -#endif -#ifdef KEEP_OUR_CERT - WOLFSSL_X509* ourCert; /* keep alive a X509 struct of cert */ - int ownOurCert; /* Dispose of certificate if we own */ -#endif - Suites* suites; /* make dynamic, user may not need/set */ - void* heap; /* for user memory overrides */ - byte verifyPeer; - byte verifyNone; - byte failNoCert; - byte failNoCertxPSK; /* fail if no cert with the exception of PSK*/ - byte sessionCacheOff; - byte sessionCacheFlushOff; -#ifdef HAVE_EXT_CACHE - byte internalCacheOff; -#endif - byte sendVerify; /* for client side */ - byte haveRSA; /* RSA available */ - byte haveECC; /* ECC available */ - byte haveDH; /* server DH parms set by user */ - byte haveNTRU; /* server private NTRU key loaded */ - byte haveECDSAsig; /* server cert signed w/ ECDSA */ - byte haveStaticECC; /* static server ECC private key */ - byte partialWrite; /* only one msg per write call */ - byte quietShutdown; /* don't send close notify */ - byte groupMessages; /* group handshake messages before sending */ - byte minDowngrade; /* minimum downgrade version */ - byte haveEMS; /* have extended master secret extension */ - byte useClientOrder; /* Use client's cipher preference order */ -#ifdef WOLFSSL_TLS13 - byte noTicketTls13; /* Server won't create new Ticket */ - byte noPskDheKe; /* Don't use (EC)DHE with PSK */ -#endif -#if defined(WOLFSSL_SCTP) && defined(WOLFSSL_DTLS) - byte dtlsSctp; /* DTLS-over-SCTP mode */ - word16 dtlsMtuSz; /* DTLS MTU size */ -#endif -#ifndef NO_DH - word16 minDhKeySz; /* minimum DH key size */ -#endif -#ifndef NO_RSA - short minRsaKeySz; /* minimum RSA key size */ -#endif -#ifdef HAVE_ECC - short minEccKeySz; /* minimum ECC key size */ -#endif -#ifdef OPENSSL_EXTRA - unsigned long mask; /* store SSL_OP_ flags */ - const unsigned char *alpn_cli_protos;/* ALPN client protocol list */ - unsigned int alpn_cli_protos_len; -#endif - CallbackIORecv CBIORecv; - CallbackIOSend CBIOSend; -#ifdef WOLFSSL_DTLS - CallbackGenCookie CBIOCookie; /* gen cookie callback */ - wc_dtls_export dtls_export; /* export function for DTLS session */ -#ifdef WOLFSSL_SESSION_EXPORT - CallbackGetPeer CBGetPeer; - CallbackSetPeer CBSetPeer; -#endif -#endif /* WOLFSSL_DTLS */ - VerifyCallback verifyCallback; /* cert verification callback */ - word32 timeout; /* session timeout */ -#ifdef HAVE_ECC - word16 eccTempKeySz; /* in octets 20 - 66 */ - word32 ecdhCurveOID; /* curve Ecc_Sum */ - word32 pkCurveOID; /* curve Ecc_Sum */ -#endif -#ifndef NO_PSK - byte havePSK; /* psk key set by user */ - wc_psk_client_callback client_psk_cb; /* client callback */ - wc_psk_server_callback server_psk_cb; /* server callback */ - char server_hint[MAX_PSK_ID_LEN + NULL_TERM_LEN]; -#endif /* NO_PSK */ -#ifdef HAVE_ANON - byte haveAnon; /* User wants to allow Anon suites */ -#endif /* HAVE_ANON */ -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) - pem_password_cb* passwd_cb; - void* userdata; - WOLFSSL_X509_STORE x509_store; /* points to ctx->cm */ - byte readAhead; - void* userPRFArg; /* passed to prf callback */ -#endif /* OPENSSL_EXTRA */ -#ifdef HAVE_EX_DATA - void* ex_data[MAX_EX_DATA]; -#endif -#if defined(HAVE_ALPN) && (defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) - CallbackALPNSelect alpnSelect; - void* alpnSelectArg; -#endif -#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - CallbackSniRecv sniRecvCb; - void* sniRecvCbArg; -#endif -#ifdef HAVE_OCSP - WOLFSSL_OCSP ocsp; -#endif - int devId; /* async device id to use */ -#ifdef HAVE_TLS_EXTENSIONS - TLSX* extensions; /* RFC 6066 TLS Extensions data */ - #ifndef NO_WOLFSSL_SERVER - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - OcspRequest* certOcspRequest; - #endif - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - OcspRequest* chainOcspRequest[MAX_CHAIN_DEPTH]; - #endif - #endif - #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) - SessionTicketEncCb ticketEncCb; /* enc/dec session ticket Cb */ - void* ticketEncCtx; /* session encrypt context */ - int ticketHint; /* ticket hint in seconds */ - #endif - #ifdef HAVE_SUPPORTED_CURVES - byte userCurves; /* indicates user called wolfSSL_CTX_UseSupportedCurve */ - #endif -#endif -#ifdef ATOMIC_USER - CallbackMacEncrypt MacEncryptCb; /* Atomic User Mac/Encrypt Cb */ - CallbackDecryptVerify DecryptVerifyCb; /* Atomic User Decrypt/Verify Cb */ -#endif -#ifdef HAVE_PK_CALLBACKS - #ifdef HAVE_ECC - CallbackEccSign EccSignCb; /* User EccSign Callback handler */ - CallbackEccVerify EccVerifyCb; /* User EccVerify Callback handler */ - CallbackEccSharedSecret EccSharedSecretCb; /* User EccVerify Callback handler */ - #ifdef HAVE_CURVE25519 - /* User EccSharedSecret Callback handler */ - CallbackX25519SharedSecret X25519SharedSecretCb; - #endif - #endif /* HAVE_ECC */ - #ifndef NO_RSA - CallbackRsaSign RsaSignCb; /* User RsaSign Callback handler */ - CallbackRsaVerify RsaVerifyCb; /* User RsaVerify Callback handler */ - #ifdef WC_RSA_PSS - CallbackRsaPssSign RsaPssSignCb; /* User RsaPssSign */ - CallbackRsaPssVerify RsaPssVerifyCb; /* User RsaPssVerify */ - #endif - CallbackRsaEnc RsaEncCb; /* User Rsa Public Encrypt handler */ - CallbackRsaDec RsaDecCb; /* User Rsa Private Decrypt handler */ - #endif /* NO_RSA */ -#endif /* HAVE_PK_CALLBACKS */ -#ifdef HAVE_WOLF_EVENT - WOLF_EVENT_QUEUE event_queue; -#endif /* HAVE_WOLF_EVENT */ -#ifdef HAVE_EXT_CACHE - WOLFSSL_SESSION*(*get_sess_cb)(WOLFSSL*, unsigned char*, int, int*); - int (*new_sess_cb)(WOLFSSL*, WOLFSSL_SESSION*); - void (*rem_sess_cb)(WOLFSSL_CTX*, WOLFSSL_SESSION*); -#endif -}; - - -WOLFSSL_LOCAL -WOLFSSL_CTX* wolfSSL_CTX_new_ex(WOLFSSL_METHOD* method, void* heap); -WOLFSSL_LOCAL -int InitSSL_Ctx(WOLFSSL_CTX*, WOLFSSL_METHOD*, void* heap); -WOLFSSL_LOCAL -void FreeSSL_Ctx(WOLFSSL_CTX*); -WOLFSSL_LOCAL -void SSL_CtxResourceFree(WOLFSSL_CTX*); - -WOLFSSL_LOCAL -int DeriveTlsKeys(WOLFSSL* ssl); -WOLFSSL_LOCAL -int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, - word32 inSz, word16 sz); - -#ifndef NO_CERTS - WOLFSSL_LOCAL - int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify); - WOLFSSL_LOCAL - int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash); -#ifdef WOLFSSL_TRUST_PEER_CERT - WOLFSSL_LOCAL - int AddTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int verify); - WOLFSSL_LOCAL - int AlreadyTrustedPeer(WOLFSSL_CERT_MANAGER* cm, byte* hash); -#endif -#endif - -/* All cipher suite related info - * Keep as a constant size (no ifdefs) for session export */ -typedef struct CipherSpecs { - word16 key_size; - word16 iv_size; - word16 block_size; - word16 aead_mac_size; - byte bulk_cipher_algorithm; - byte cipher_type; /* block, stream, or aead */ - byte mac_algorithm; - byte kea; /* key exchange algo */ - byte sig_algo; - byte hash_size; - byte pad_size; - byte static_ecdh; -} CipherSpecs; - - -void InitCipherSpecs(CipherSpecs* cs); - - -/* Supported Message Authentication Codes from page 43 */ -enum MACAlgorithm { - no_mac, - md5_mac, - sha_mac, - sha224_mac, - sha256_mac, /* needs to match external KDF_MacAlgorithm */ - sha384_mac, - sha512_mac, - rmd_mac, - blake2b_mac -}; - - -/* Supported Key Exchange Protocols */ -enum KeyExchangeAlgorithm { - no_kea, - rsa_kea, - diffie_hellman_kea, - fortezza_kea, - psk_kea, - dhe_psk_kea, - ecdhe_psk_kea, - ntru_kea, - ecc_diffie_hellman_kea, - ecc_static_diffie_hellman_kea /* for verify suite only */ -}; - - -/* Supported Authentication Schemes */ -enum SignatureAlgorithm { - anonymous_sa_algo = 0, - rsa_sa_algo = 1, - dsa_sa_algo = 2, - ecc_dsa_sa_algo = 3, - rsa_pss_sa_algo = 8 -}; - - -/* Supprted ECC Curve Types */ -enum EccCurves { - named_curve = 3 -}; - - -/* Valid client certificate request types from page 27 */ -enum ClientCertificateType { - rsa_sign = 1, - dss_sign = 2, - rsa_fixed_dh = 3, - dss_fixed_dh = 4, - rsa_ephemeral_dh = 5, - dss_ephemeral_dh = 6, - fortezza_kea_cert = 20, - ecdsa_sign = 64, - rsa_fixed_ecdh = 65, - ecdsa_fixed_ecdh = 66 -}; - - -enum CipherType { stream, block, aead }; - - - - - - -/* cipher for now */ -typedef struct Ciphers { -#ifdef BUILD_ARC4 - Arc4* arc4; -#endif -#ifdef BUILD_DES3 - Des3* des3; -#endif -#if defined(BUILD_AES) || defined(BUILD_AESGCM) - Aes* aes; - #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) - byte* additional; - byte* nonce; - #endif -#endif -#ifdef HAVE_CAMELLIA - Camellia* cam; -#endif -#ifdef HAVE_CHACHA - ChaCha* chacha; -#endif -#ifdef HAVE_HC128 - HC128* hc128; -#endif -#ifdef BUILD_RABBIT - Rabbit* rabbit; -#endif -#ifdef HAVE_IDEA - Idea* idea; -#endif - byte state; - byte setup; /* have we set it up flag for detection */ -} Ciphers; - - -#ifdef HAVE_ONE_TIME_AUTH -/* Ciphers for one time authentication such as poly1305 */ -typedef struct OneTimeAuth { -#ifdef HAVE_POLY1305 - Poly1305* poly1305; -#endif - byte setup; /* flag for if a cipher has been set */ - -} OneTimeAuth; -#endif - - -WOLFSSL_LOCAL void InitCiphers(WOLFSSL* ssl); -WOLFSSL_LOCAL void FreeCiphers(WOLFSSL* ssl); - - -/* hashes type */ -typedef struct Hashes { - #if !defined(NO_MD5) && !defined(NO_OLD_TLS) - byte md5[MD5_DIGEST_SIZE]; - #endif - #if !defined(NO_SHA) - byte sha[SHA_DIGEST_SIZE]; - #endif - #ifndef NO_SHA256 - byte sha256[SHA256_DIGEST_SIZE]; - #endif - #ifdef WOLFSSL_SHA384 - byte sha384[SHA384_DIGEST_SIZE]; - #endif - #ifdef WOLFSSL_SHA512 - byte sha512[SHA512_DIGEST_SIZE]; - #endif -} Hashes; - -WOLFSSL_LOCAL int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes); - -#ifdef WOLFSSL_TLS13 -typedef union Digest { -#ifndef NO_WOLFSSL_SHA256 - Sha256 sha256; -#endif -#ifdef WOLFSSL_SHA384 - Sha384 sha384; -#endif -#ifdef WOLFSSL_SHA512 - Sha512 sha512; -#endif -} Digest; -#endif - -/* Static x509 buffer */ -typedef struct x509_buffer { - int length; /* actual size */ - byte buffer[MAX_X509_SIZE]; /* max static cert size */ -} x509_buffer; - - -/* wolfSSL X509_CHAIN, for no dynamic memory SESSION_CACHE */ -struct WOLFSSL_X509_CHAIN { - int count; /* total number in chain */ - x509_buffer certs[MAX_CHAIN_DEPTH]; /* only allow max depth 4 for now */ -}; - - -/* wolfSSL session type */ -struct WOLFSSL_SESSION { - word32 bornOn; /* create time in seconds */ - word32 timeout; /* timeout in seconds */ - byte sessionID[ID_LEN]; /* id for protocol */ - byte sessionIDSz; - byte masterSecret[SECRET_LEN]; /* stored secret */ - word16 haveEMS; /* ext master secret flag */ -#ifdef SESSION_CERTS - WOLFSSL_X509_CHAIN chain; /* peer cert chain, static */ -#endif -#if defined(SESSION_CERTS) || (defined(WOLFSSL_TLS13) && \ - defined(HAVE_SESSION_TICKET)) - ProtocolVersion version; /* which version was used */ - byte cipherSuite0; /* first byte, normally 0 */ - byte cipherSuite; /* 2nd byte, actual suite */ -#endif -#ifndef NO_CLIENT_CACHE - word16 idLen; /* serverID length */ - byte serverID[SERVER_ID_LEN]; /* for easier client lookup */ -#endif -#ifdef HAVE_SESSION_TICKET - #ifdef WOLFSSL_TLS13 - byte namedGroup; - word32 ticketSeen; /* Time ticket seen (ms) */ - word32 ticketAdd; /* Added by client */ - #endif - byte* ticket; - word16 ticketLen; - byte staticTicket[SESSION_TICKET_LEN]; - byte isDynamic; -#endif -#ifdef HAVE_EXT_CACHE - byte isAlloced; -#endif -#ifdef HAVE_EX_DATA - void* ex_data[MAX_EX_DATA]; -#endif -}; - - -WOLFSSL_LOCAL -WOLFSSL_SESSION* GetSession(WOLFSSL*, byte*, byte); -WOLFSSL_LOCAL -int SetSession(WOLFSSL*, WOLFSSL_SESSION*); - -typedef int (*hmacfp) (WOLFSSL*, byte*, const byte*, word32, int, int); - -#ifndef NO_CLIENT_CACHE - WOLFSSL_SESSION* GetSessionClient(WOLFSSL*, const byte*, int); -#endif - -/* client connect state for nonblocking restart */ -enum ConnectState { - CONNECT_BEGIN = 0, - CLIENT_HELLO_SENT, - HELLO_AGAIN, /* HELLO_AGAIN s for DTLS case */ - HELLO_AGAIN_REPLY, - FIRST_REPLY_DONE, - FIRST_REPLY_FIRST, - FIRST_REPLY_SECOND, - FIRST_REPLY_THIRD, - FIRST_REPLY_FOURTH, - FINISHED_DONE, - SECOND_REPLY_DONE -}; - - -/* server accept state for nonblocking restart */ -enum AcceptState { - ACCEPT_BEGIN = 0, - ACCEPT_CLIENT_HELLO_DONE, - ACCEPT_HELLO_RETRY_REQUEST_DONE, - ACCEPT_FIRST_REPLY_DONE, - SERVER_HELLO_SENT, - SERVER_EXTENSIONS_SENT, - CERT_SENT, - CERT_VERIFY_SENT, - CERT_STATUS_SENT, - KEY_EXCHANGE_SENT, - CERT_REQ_SENT, - SERVER_HELLO_DONE, - ACCEPT_SECOND_REPLY_DONE, - TICKET_SENT, - CHANGE_CIPHER_SENT, - ACCEPT_FINISHED_DONE, - ACCEPT_THIRD_REPLY_DONE -}; - -/* buffers for struct WOLFSSL */ -typedef struct Buffers { - bufferStatic inputBuffer; - bufferStatic outputBuffer; - buffer domainName; /* for client check */ - buffer clearOutputBuffer; - buffer sig; /* signature data */ - buffer digest; /* digest data */ - int prevSent; /* previous plain text bytes sent - when got WANT_WRITE */ - int plainSz; /* plain text bytes in buffer to send - when got WANT_WRITE */ - byte weOwnCert; /* SSL own cert flag */ - byte weOwnCertChain; /* SSL own cert chain flag */ - byte weOwnKey; /* SSL own key flag */ - byte weOwnDH; /* SSL own dh (p,g) flag */ -#ifndef NO_DH - buffer serverDH_P; /* WOLFSSL_CTX owns, unless we own */ - buffer serverDH_G; /* WOLFSSL_CTX owns, unless we own */ - buffer serverDH_Pub; - buffer serverDH_Priv; - DhKey* serverDH_Key; -#endif -#ifndef NO_CERTS - DerBuffer* certificate; /* WOLFSSL_CTX owns, unless we own */ - DerBuffer* key; /* WOLFSSL_CTX owns, unless we own */ - DerBuffer* certChain; /* WOLFSSL_CTX owns, unless we own */ - /* chain after self, in DER, with leading size for each cert */ -#ifdef WOLFSSL_TLS13 - int certChainCnt; -#endif -#endif -#ifdef WOLFSSL_DTLS - WOLFSSL_DTLS_CTX dtlsCtx; /* DTLS connection context */ - #ifndef NO_WOLFSSL_SERVER - buffer dtlsCookieSecret; /* DTLS cookie secret */ - #endif /* NO_WOLFSSL_SERVER */ -#endif -#ifdef HAVE_PK_CALLBACKS - #ifdef HAVE_ECC - buffer peerEccDsaKey; /* we own for Ecc Verify Callbacks */ - #endif /* HAVE_ECC */ - #ifndef NO_RSA - buffer peerRsaKey; /* we own for Rsa Verify Callbacks */ - #endif /* NO_RSA */ -#endif /* HAVE_PK_CALLBACKS */ -} Buffers; - -/* sub-states for send/do key share (key exchange) */ -enum asyncState { - TLS_ASYNC_BEGIN = 0, - TLS_ASYNC_BUILD, - TLS_ASYNC_DO, - TLS_ASYNC_VERIFY, - TLS_ASYNC_FINALIZE, - TLS_ASYNC_END -}; - -typedef struct Options { -#ifndef NO_PSK - wc_psk_client_callback client_psk_cb; - wc_psk_server_callback server_psk_cb; - word16 havePSK:1; /* psk key set by user */ -#endif /* NO_PSK */ -#ifdef OPENSSL_EXTRA - unsigned long mask; /* store SSL_OP_ flags */ -#endif - - /* on/off or small bit flags, optimize layout */ - word16 sendVerify:2; /* false = 0, true = 1, sendBlank = 2 */ - word16 sessionCacheOff:1; - word16 sessionCacheFlushOff:1; -#ifdef HAVE_EXT_CACHE - word16 internalCacheOff:1; -#endif - word16 side:1; /* client or server end */ - word16 verifyPeer:1; - word16 verifyNone:1; - word16 failNoCert:1; - word16 failNoCertxPSK:1; /* fail for no cert except with PSK */ - word16 downgrade:1; /* allow downgrade of versions */ - word16 resuming:1; - word16 haveSessionId:1; /* server may not send */ - word16 tls:1; /* using TLS ? */ - word16 tls1_1:1; /* using TLSv1.1+ ? */ - word16 tls1_3:1; /* using TLSv1.3+ ? */ - word16 dtls:1; /* using datagrams ? */ - word16 connReset:1; /* has the peer reset */ - word16 isClosed:1; /* if we consider conn closed */ - word16 closeNotify:1; /* we've received a close notify */ - word16 sentNotify:1; /* we've sent a close notify */ - word16 usingCompression:1; /* are we using compression */ - word16 haveRSA:1; /* RSA available */ - word16 haveECC:1; /* ECC available */ - word16 haveDH:1; /* server DH parms set by user */ - word16 haveNTRU:1; /* server NTRU private key loaded */ - word16 haveQSH:1; /* have QSH ability */ - word16 haveECDSAsig:1; /* server ECDSA signed cert */ - word16 haveStaticECC:1; /* static server ECC private key */ - word16 havePeerCert:1; /* do we have peer's cert */ - word16 havePeerVerify:1; /* and peer's cert verify */ - word16 usingPSK_cipher:1; /* are using psk as cipher */ - word16 usingAnon_cipher:1; /* are we using an anon cipher */ - word16 noPskDheKe:1; /* Don't use (EC)DHE with PSK */ - word16 sendAlertState:1; /* nonblocking resume */ - word16 partialWrite:1; /* only one msg per write call */ - word16 quietShutdown:1; /* don't send close notify */ - word16 certOnly:1; /* stop once we get cert */ - word16 groupMessages:1; /* group handshake messages */ - word16 usingNonblock:1; /* are we using nonblocking socket */ - word16 saveArrays:1; /* save array Memory for user get keys - or psk */ - word16 weOwnRng:1; /* will be true unless CTX owns */ -#ifdef HAVE_POLY1305 - word16 oldPoly:1; /* set when to use old rfc way of poly*/ -#endif -#ifdef HAVE_ANON - word16 haveAnon:1; /* User wants to allow Anon suites */ -#endif -#ifdef HAVE_SESSION_TICKET - word16 createTicket:1; /* Server to create new Ticket */ - word16 useTicket:1; /* Use Ticket not session cache */ - word16 rejectTicket:1; /* Callback rejected ticket */ -#ifdef WOLFSSL_TLS13 - word16 noTicketTls13:1; /* Server won't create new Ticket */ -#endif -#endif -#ifdef WOLFSSL_DTLS - word16 dtlsHsRetain:1; /* DTLS retaining HS data */ -#ifdef WOLFSSL_SCTP - word16 dtlsSctp:1; /* DTLS-over-SCTP mode */ -#endif -#endif - word16 haveEMS:1; /* using extended master secret */ -#if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SUPPORTED_CURVES) - word16 userCurves:1; /* indicates user called wolfSSL_UseSupportedCurve */ -#endif - word16 keepResources:1; /* Keep resources after handshake */ - word16 useClientOrder:1; /* Use client's cipher order */ - - /* need full byte values for this section */ - byte processReply; /* nonblocking resume */ - byte cipherSuite0; /* first byte, normally 0 */ - byte cipherSuite; /* second byte, actual suite */ - byte serverState; - byte clientState; - byte handShakeState; - byte handShakeDone; /* at least one handshake complete */ - byte minDowngrade; /* minimum downgrade version */ - byte connectState; /* nonblocking resume */ - byte acceptState; /* nonblocking resume */ - byte asyncState; /* sub-state for enum asyncState */ - byte buildMsgState; /* sub-state for enum buildMsgState */ -#ifndef NO_DH - word16 minDhKeySz; /* minimum DH key size */ - word16 dhKeySz; /* actual DH key size */ -#endif -#ifndef NO_RSA - short minRsaKeySz; /* minimum RSA key size */ -#endif -#ifdef HAVE_ECC - short minEccKeySz; /* minimum ECC key size */ -#endif - -} Options; - -typedef struct Arrays { - byte* pendingMsg; /* defrag buffer */ - byte* preMasterSecret; - word32 preMasterSz; /* differs for DH, actual size */ - word32 pendingMsgSz; /* defrag buffer size */ - word32 pendingMsgOffset; /* current offset into defrag buffer */ -#ifndef NO_PSK - word32 psk_keySz; /* actual size */ - char client_identity[MAX_PSK_ID_LEN + NULL_TERM_LEN]; - char server_hint[MAX_PSK_ID_LEN + NULL_TERM_LEN]; - byte psk_key[MAX_PSK_KEY_LEN]; -#endif - byte clientRandom[RAN_LEN]; - byte serverRandom[RAN_LEN]; - byte sessionID[ID_LEN]; - byte sessionIDSz; -#ifdef WOLFSSL_TLS13 - byte clientSecret[SECRET_LEN]; - byte serverSecret[SECRET_LEN]; - byte secret[SECRET_LEN]; -#endif - byte masterSecret[SECRET_LEN]; -#ifdef WOLFSSL_DTLS - byte cookie[MAX_COOKIE_LEN]; - byte cookieSz; -#endif - byte pendingMsgType; /* defrag buffer message type */ -} Arrays; - -#ifndef ASN_NAME_MAX -#define ASN_NAME_MAX 256 -#endif - -#ifndef MAX_DATE_SZ -#define MAX_DATE_SZ 32 -#endif - -struct WOLFSSL_STACK { - unsigned long num; /* number of nodes in stack - * (saftey measure for freeing and shortcut for count) */ - union { - WOLFSSL_X509* x509; - WOLFSSL_X509_NAME* name; - WOLFSSL_BIO* bio; - WOLFSSL_ASN1_OBJECT* obj; - char* string; - } data; - WOLFSSL_STACK* next; -}; - - -struct WOLFSSL_X509_NAME { - char *name; - char staticName[ASN_NAME_MAX]; - int dynamicName; - int sz; -#if defined(OPENSSL_EXTRA) && !defined(NO_ASN) - DecodedName fullName; - WOLFSSL_X509_NAME_ENTRY cnEntry; - WOLFSSL_X509* x509; /* x509 that struct belongs to */ -#endif /* OPENSSL_EXTRA */ -}; - -#ifndef EXTERNAL_SERIAL_SIZE - #define EXTERNAL_SERIAL_SIZE 32 -#endif - -#ifdef NO_ASN - typedef struct DNS_entry DNS_entry; -#endif - -struct WOLFSSL_X509 { - int version; - WOLFSSL_X509_NAME issuer; - WOLFSSL_X509_NAME subject; - int serialSz; - byte serial[EXTERNAL_SERIAL_SIZE]; - char subjectCN[ASN_NAME_MAX]; /* common name short cut */ -#ifdef WOLFSSL_SEP - int deviceTypeSz; - byte deviceType[EXTERNAL_SERIAL_SIZE]; - int hwTypeSz; - byte hwType[EXTERNAL_SERIAL_SIZE]; - int hwSerialNumSz; - byte hwSerialNum[EXTERNAL_SERIAL_SIZE]; - #ifdef OPENSSL_EXTRA - byte certPolicySet; - byte certPolicyCrit; - #endif /* OPENSSL_EXTRA */ -#endif - int notBeforeSz; - byte notBefore[MAX_DATE_SZ]; - int notAfterSz; - byte notAfter[MAX_DATE_SZ]; - int sigOID; - buffer sig; - int pubKeyOID; - buffer pubKey; - #ifdef HAVE_ECC - word32 pkCurveOID; - #endif /* HAVE_ECC */ - #ifndef NO_CERTS - DerBuffer* derCert; /* may need */ - #endif - DNS_entry* altNames; /* alt names list */ - DNS_entry* altNamesNext; /* hint for retrieval */ - void* heap; /* heap hint */ - byte dynamicMemory; /* dynamic memory flag */ - byte isCa; -#ifdef WOLFSSL_CERT_EXT - char certPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ]; - int certPoliciesNb; -#endif /* WOLFSSL_CERT_EXT */ -#ifdef OPENSSL_EXTRA -#ifdef HAVE_EX_DATA - void* ex_data[MAX_EX_DATA]; -#endif - word32 pathLength; - word16 keyUsage; - byte CRLdistSet; - byte CRLdistCrit; - byte* CRLInfo; - int CRLInfoSz; - byte authInfoSet; - byte authInfoCrit; - byte* authInfo; - int authInfoSz; - byte basicConstSet; - byte basicConstCrit; - byte basicConstPlSet; - byte subjAltNameSet; - byte subjAltNameCrit; - byte authKeyIdSet; - byte authKeyIdCrit; - byte* authKeyId; - word32 authKeyIdSz; - byte subjKeyIdSet; - byte subjKeyIdCrit; - byte* subjKeyId; - word32 subjKeyIdSz; - byte keyUsageSet; - byte keyUsageCrit; - byte extKeyUsageCrit; - byte* extKeyUsageSrc; - word32 extKeyUsageSz; - word32 extKeyUsageCount; -#endif /* OPENSSL_EXTRA */ -}; - - -/* record layer header for PlainText, Compressed, and CipherText */ -typedef struct RecordLayerHeader { - byte type; - byte pvMajor; - byte pvMinor; - byte length[2]; -} RecordLayerHeader; - - -/* record layer header for DTLS PlainText, Compressed, and CipherText */ -typedef struct DtlsRecordLayerHeader { - byte type; - byte pvMajor; - byte pvMinor; - byte sequence_number[8]; /* per record */ - byte length[2]; -} DtlsRecordLayerHeader; - - -typedef struct DtlsFrag { - word32 begin; - word32 end; - struct DtlsFrag* next; -} DtlsFrag; - - -typedef struct DtlsMsg { - struct DtlsMsg* next; - byte* buf; - byte* msg; - DtlsFrag* fragList; - word32 fragSz; /* Length of fragments received */ - word32 seq; /* Handshake sequence number */ - word32 sz; /* Length of whole mesage */ - byte type; -} DtlsMsg; - - -#ifdef HAVE_NETX - - /* NETX I/O Callback default */ - typedef struct NetX_Ctx { - NX_TCP_SOCKET* nxSocket; /* send/recv socket handle */ - NX_PACKET* nxPacket; /* incoming packet handle for short reads */ - ULONG nxOffset; /* offset already read from nxPacket */ - ULONG nxWait; /* wait option flag */ - } NetX_Ctx; - -#endif - - -/* Handshake messages received from peer (plus change cipher */ -typedef struct MsgsReceived { - word16 got_hello_request:1; - word16 got_client_hello:2; - word16 got_server_hello:1; - word16 got_hello_verify_request:1; - word16 got_session_ticket:1; - word16 got_hello_retry_request:1; - word16 got_encrypted_extensions:1; - word16 got_certificate:1; - word16 got_certificate_status:1; - word16 got_server_key_exchange:1; - word16 got_certificate_request:1; - word16 got_server_hello_done:1; - word16 got_certificate_verify:1; - word16 got_client_key_exchange:1; - word16 got_finished:1; - word16 got_key_update:1; - word16 got_change_cipher:1; -} MsgsReceived; - - -/* Handshake hashes */ -typedef struct HS_Hashes { - Hashes verifyHashes; - Hashes certHashes; /* for cert verify */ -#ifndef NO_SHA - Sha hashSha; /* sha hash of handshake msgs */ -#endif -#if !defined(NO_MD5) && !defined(NO_OLD_TLS) - Md5 hashMd5; /* md5 hash of handshake msgs */ -#endif -#ifndef NO_SHA256 - Sha256 hashSha256; /* sha256 hash of handshake msgs */ -#endif -#ifdef WOLFSSL_SHA384 - Sha384 hashSha384; /* sha384 hash of handshake msgs */ -#endif -#ifdef WOLFSSL_SHA512 - Sha512 hashSha512; /* sha512 hash of handshake msgs */ -#endif -} HS_Hashes; - - -#ifdef WOLFSSL_ASYNC_CRYPT - #define MAX_ASYNC_ARGS 16 - typedef void (*FreeArgsCb)(struct WOLFSSL* ssl, void* pArgs); - - struct WOLFSSL_ASYNC { - WC_ASYNC_DEV* dev; - FreeArgsCb freeArgs; /* function pointer to cleanup args */ - word32 args[MAX_ASYNC_ARGS]; /* holder for current args */ - }; -#endif - -#ifdef HAVE_WRITE_DUP - - #define WRITE_DUP_SIDE 1 - #define READ_DUP_SIDE 2 - - typedef struct WriteDup { - wolfSSL_Mutex dupMutex; /* reference count mutex */ - int dupCount; /* reference count */ - int dupErr; /* under dupMutex, pass to other side */ - } WriteDup; - - WOLFSSL_LOCAL void FreeWriteDup(WOLFSSL* ssl); - WOLFSSL_LOCAL int NotifyWriteSide(WOLFSSL* ssl, int err); -#endif /* HAVE_WRITE_DUP */ - - -/* wolfSSL ssl type */ -struct WOLFSSL { - WOLFSSL_CTX* ctx; - Suites* suites; /* only need during handshake */ - Arrays* arrays; - HS_Hashes* hsHashes; - void* IOCB_ReadCtx; - void* IOCB_WriteCtx; - WC_RNG* rng; - void* verifyCbCtx; /* cert verify callback user ctx*/ - VerifyCallback verifyCallback; /* cert verification callback */ - void* heap; /* for user overrides */ -#ifdef HAVE_WRITE_DUP - WriteDup* dupWrite; /* valid pointer indicates ON */ - /* side that decrements dupCount to zero frees overall structure */ - byte dupSide; /* write side or read side */ -#endif -#ifdef WOLFSSL_STATIC_MEMORY - WOLFSSL_HEAP_HINT heap_hint; -#endif -#ifndef NO_HANDSHAKE_DONE_CB - HandShakeDoneCb hsDoneCb; /* notify user handshake done */ - void* hsDoneCtx; /* user handshake cb context */ -#endif -#ifdef WOLFSSL_ASYNC_CRYPT - struct WOLFSSL_ASYNC async; -#endif - void* hsKey; /* Handshake key (RsaKey or ecc_key) allocated from heap */ - word32 hsType; /* Type of Handshake key (hsKey) */ - WOLFSSL_CIPHER cipher; - hmacfp hmac; - Ciphers encrypt; - Ciphers decrypt; - Buffers buffers; - WOLFSSL_SESSION session; -#ifdef HAVE_EXT_CACHE - WOLFSSL_SESSION* extSession; -#endif - WOLFSSL_ALERT_HISTORY alert_history; - int error; - int rfd; /* read file descriptor */ - int wfd; /* write file descriptor */ - int rflags; /* user read flags */ - int wflags; /* user write flags */ - word32 timeout; /* session timeout */ - word32 fragOffset; /* fragment offset */ - word16 curSize; - RecordLayerHeader curRL; - MsgsReceived msgsReceived; /* peer messages received */ - ProtocolVersion version; /* negotiated version */ - ProtocolVersion chVersion; /* client hello version */ - CipherSpecs specs; - Keys keys; - Options options; -#ifdef OPENSSL_EXTRA - WOLFSSL_BIO* biord; /* socket bio read to free/close */ - WOLFSSL_BIO* biowr; /* socket bio write to free/close */ - unsigned long peerVerifyRet; - byte readAhead; -#ifdef HAVE_PK_CALLBACKS - void* loggingCtx; /* logging callback argument */ -#endif -#endif -#ifndef NO_RSA - RsaKey* peerRsaKey; - byte peerRsaKeyPresent; -#endif -#ifdef HAVE_QSH - QSHKey* QSH_Key; - QSHKey* peerQSHKey; - QSHSecret* QSH_secret; - byte isQSH; /* is the handshake a QSH? */ - byte sendQSHKeys; /* flag for if the client should sen - public keys */ - byte peerQSHKeyPresent; - byte minRequest; - byte maxRequest; - byte user_set_QSHSchemes; -#endif -#ifdef WOLFSSL_TLS13 - word16 namedGroup; -#endif - byte pssAlgo; -#ifdef HAVE_NTRU - word16 peerNtruKeyLen; - byte peerNtruKey[MAX_NTRU_PUB_KEY_SZ]; - byte peerNtruKeyPresent; -#endif -#ifdef HAVE_ECC - ecc_key* peerEccKey; /* peer's ECDHE key */ - ecc_key* peerEccDsaKey; /* peer's ECDSA key */ - ecc_key* eccTempKey; /* private ECDHE key */ - int eccVerifyRes; - word32 pkCurveOID; /* curve Ecc_Sum */ - word32 ecdhCurveOID; /* curve Ecc_Sum */ - word16 eccTempKeySz; /* in octets 20 - 66 */ - byte peerEccKeyPresent; - byte peerEccDsaKeyPresent; - byte eccTempKeyPresent; -#ifdef HAVE_CURVE25519 - curve25519_key* peerX25519Key; - byte peerX25519KeyPresent; -#endif -#endif -#ifdef HAVE_LIBZ - z_stream c_stream; /* compression stream */ - z_stream d_stream; /* decompression stream */ - byte didStreamInit; /* for stream init and end */ -#endif -#ifdef WOLFSSL_DTLS - int dtls_timeout_init; /* starting timeout value */ - int dtls_timeout_max; /* maximum timeout value */ - int dtls_timeout; /* current timeout value, changes */ - word32 dtls_tx_msg_list_sz; - word32 dtls_rx_msg_list_sz; - DtlsMsg* dtls_tx_msg_list; - DtlsMsg* dtls_rx_msg_list; - void* IOCB_CookieCtx; /* gen cookie ctx */ - word32 dtls_expected_rx; - wc_dtls_export dtls_export; /* export function for session */ -#ifdef WOLFSSL_SCTP - word16 dtlsMtuSz; -#endif /* WOLFSSL_SCTP */ -#endif -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - TimeoutInfo timeoutInfo; /* info saved during handshake */ - HandShakeInfo handShakeInfo; /* info saved during handshake */ -#endif -#ifdef OPENSSL_EXTRA - SSL_Msg_Cb protoMsgCb; /* inspect protocol message callback */ - void* protoMsgCtx; /* user set context with msg callback */ -#endif -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - byte hsInfoOn; /* track handshake info */ - byte toInfoOn; /* track timeout info */ -#endif -#ifdef HAVE_FUZZER - CallbackFuzzer fuzzerCb; /* for testing with using fuzzer */ - void* fuzzerCtx; /* user defined pointer */ -#endif -#ifdef WOLFSSL_TLS13 - buffer clientCertCtx; /* Certificate context in request */ -#endif -#ifdef KEEP_PEER_CERT - WOLFSSL_X509 peerCert; /* X509 peer cert */ -#endif -#ifdef KEEP_OUR_CERT - WOLFSSL_X509* ourCert; /* keep alive a X509 struct of cert. - points to ctx if not owned (owned - flag found in buffers.weOwnCert) */ -#endif - byte keepCert; /* keep certificate after handshake */ -#if defined(HAVE_EX_DATA) || defined(FORTRESS) - void* ex_data[MAX_EX_DATA]; /* external data, for Fortress */ -#endif - int devId; /* async device id to use */ -#ifdef HAVE_ONE_TIME_AUTH - OneTimeAuth auth; -#endif -#ifdef HAVE_TLS_EXTENSIONS - TLSX* extensions; /* RFC 6066 TLS Extensions data */ - #ifdef HAVE_MAX_FRAGMENT - word16 max_fragment; - #endif - #ifdef HAVE_TRUNCATED_HMAC - byte truncated_hmac; - #endif - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST - byte status_request; - #endif - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - byte status_request_v2; - #endif - #if defined(HAVE_SECURE_RENEGOTIATION) \ - || defined(HAVE_SERVER_RENEGOTIATION_INFO) - SecureRenegotiation* secure_renegotiation; /* valid pointer indicates */ - #endif /* user turned on */ - #ifdef HAVE_ALPN - char* alpn_client_list; /* keep the client's list */ - #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - CallbackALPNSelect alpnSelect; - void* alpnSelectArg; - #endif - #endif /* of accepted protocols */ - #if !defined(NO_WOLFSSL_CLIENT) && defined(HAVE_SESSION_TICKET) - CallbackSessionTicket session_ticket_cb; - void* session_ticket_ctx; - byte expect_session_ticket; - #endif -#endif /* HAVE_TLS_EXTENSIONS */ -#ifdef OPENSSL_EXTRA - byte* ocspResp; - int ocspRespSz; -#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - char* url; -#endif -#endif -#ifdef HAVE_NETX - NetX_Ctx nxCtx; /* NetX IO Context */ -#endif -#ifdef SESSION_INDEX - int sessionIndex; /* Session's location in the cache. */ -#endif -#ifdef ATOMIC_USER - void* MacEncryptCtx; /* Atomic User Mac/Encrypt Callback Context */ - void* DecryptVerifyCtx; /* Atomic User Decrypt/Verify Callback Context */ -#endif -#ifdef HAVE_PK_CALLBACKS - #ifdef HAVE_ECC - void* EccSignCtx; /* Ecc Sign Callback Context */ - void* EccVerifyCtx; /* Ecc Verify Callback Context */ - void* EccSharedSecretCtx; /* Ecc Pms Callback Context */ - #ifdef HAVE_CURVE25519 - void* X25519SharedSecretCtx; /* X25519 Pms Callback Context */ - #endif - #endif /* HAVE_ECC */ - #ifndef NO_RSA - void* RsaSignCtx; /* Rsa Sign Callback Context */ - void* RsaVerifyCtx; /* Rsa Verify Callback Context */ - #ifdef WC_RSA_PSS - void* RsaPssSignCtx; /* Rsa PSS Sign Callback Context */ - void* RsaPssVerifyCtx; /* Rsa PSS Verify Callback Context */ - #endif - void* RsaEncCtx; /* Rsa Public Encrypt Callback Context */ - void* RsaDecCtx; /* Rsa Private Decrypt Callback Context */ - #endif /* NO_RSA */ -#endif /* HAVE_PK_CALLBACKS */ -#ifdef HAVE_SECRET_CALLBACK - SessionSecretCb sessionSecretCb; - void* sessionSecretCtx; -#endif /* HAVE_SECRET_CALLBACK */ -#ifdef WOLFSSL_JNI - void* jObjectRef; /* reference to WolfSSLSession in JNI wrapper */ -#endif /* WOLFSSL_JNI */ -}; - - -WOLFSSL_LOCAL -int SetSSL_CTX(WOLFSSL*, WOLFSSL_CTX*, int); -WOLFSSL_LOCAL -int InitSSL(WOLFSSL*, WOLFSSL_CTX*, int); -WOLFSSL_LOCAL -void FreeSSL(WOLFSSL*, void* heap); -WOLFSSL_API void SSL_ResourceFree(WOLFSSL*); /* Micrium uses */ - - -enum { - IV_SZ = 32, /* max iv sz */ - NAME_SZ = 80 /* max one line */ -}; - - -typedef struct EncryptedInfo { - char name[NAME_SZ]; /* encryption name */ - byte iv[IV_SZ]; /* encrypted IV */ - word32 ivSz; /* encrypted IV size */ - long consumed; /* tracks PEM bytes consumed */ - byte set; /* if encryption set */ - WOLFSSL_CTX* ctx; /* CTX owner */ -} EncryptedInfo; - - -#ifndef NO_CERTS - - WOLFSSL_LOCAL int AllocDer(DerBuffer** der, word32 length, int type, void* heap); - WOLFSSL_LOCAL void FreeDer(DerBuffer** der); - - WOLFSSL_LOCAL int PemToDer(const unsigned char* buff, long sz, int type, - DerBuffer** pDer, void* heap, EncryptedInfo* info, - int* eccKey); - - WOLFSSL_LOCAL int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, - long sz, int format, int type, WOLFSSL* ssl, - long* used, int userChain); - WOLFSSL_LOCAL int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, - int type, WOLFSSL* ssl, int userChain, - WOLFSSL_CRL* crl); - - #ifdef OPENSSL_EXTRA - WOLFSSL_LOCAL int CheckHostName(DecodedCert* dCert, char *domainName, - size_t domainNameLen); - #endif -#endif - - -#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) - WOLFSSL_LOCAL - void InitHandShakeInfo(HandShakeInfo*, WOLFSSL*); - WOLFSSL_LOCAL - void FinishHandShakeInfo(HandShakeInfo*); - WOLFSSL_LOCAL - void AddPacketName(WOLFSSL* ssl, const char* name); - - WOLFSSL_LOCAL - void InitTimeoutInfo(TimeoutInfo*); - WOLFSSL_LOCAL - void FreeTimeoutInfo(TimeoutInfo*, void*); - WOLFSSL_LOCAL - void AddPacketInfo(WOLFSSL* ssl, const char* name, int type, - const byte* data, int sz, int write, void* heap); - WOLFSSL_LOCAL - void AddLateName(const char*, TimeoutInfo*); - WOLFSSL_LOCAL - void AddLateRecordHeader(const RecordLayerHeader* rl, TimeoutInfo* info); -#endif - - -/* Record Layer Header identifier from page 12 */ -enum ContentType { - no_type = 0, - change_cipher_spec = 20, - alert = 21, - handshake = 22, - application_data = 23 -}; - - -/* handshake header, same for each message type, pgs 20/21 */ -typedef struct HandShakeHeader { - byte type; - word24 length; -} HandShakeHeader; - - -/* DTLS handshake header, same for each message type */ -typedef struct DtlsHandShakeHeader { - byte type; - word24 length; - byte message_seq[2]; /* start at 0, retransmit gets same # */ - word24 fragment_offset; /* bytes in previous fragments */ - word24 fragment_length; /* length of this fragment */ -} DtlsHandShakeHeader; - - -enum HandShakeType { - hello_request = 0, - client_hello = 1, - server_hello = 2, - hello_verify_request = 3, /* DTLS addition */ - session_ticket = 4, - hello_retry_request = 6, - encrypted_extensions = 8, - certificate = 11, - server_key_exchange = 12, - certificate_request = 13, - server_hello_done = 14, - certificate_verify = 15, - client_key_exchange = 16, - finished = 20, - certificate_status = 22, - key_update = 24, - change_cipher_hs = 55, /* simulate unique handshake type for sanity - checks. record layer change_cipher - conflicts with handshake finished */ - no_shake = 255 /* used to initialize the DtlsMsg record */ -}; - - -static const byte client[SIZEOF_SENDER] = { 0x43, 0x4C, 0x4E, 0x54 }; -static const byte server[SIZEOF_SENDER] = { 0x53, 0x52, 0x56, 0x52 }; - -static const byte tls_client[FINISHED_LABEL_SZ + 1] = "client finished"; -static const byte tls_server[FINISHED_LABEL_SZ + 1] = "server finished"; - - -/* internal functions */ -WOLFSSL_LOCAL int SendChangeCipher(WOLFSSL*); -WOLFSSL_LOCAL int SendTicket(WOLFSSL*); -WOLFSSL_LOCAL int DoClientTicket(WOLFSSL*, const byte*, word32); -WOLFSSL_LOCAL int SendData(WOLFSSL*, const void*, int); -#ifdef WOLFSSL_TLS13 -WOLFSSL_LOCAL int SendTls13HelloRetryRequest(WOLFSSL*); -WOLFSSL_LOCAL int SendTls13EncryptedExtensions(WOLFSSL*); -#endif -WOLFSSL_LOCAL int SendCertificate(WOLFSSL*); -#ifdef WOLFSSL_TLS13 -WOLFSSL_LOCAL int SendTls13Certificate(WOLFSSL*); -#endif -WOLFSSL_LOCAL int SendCertificateRequest(WOLFSSL*); -#ifdef WOLFSSL_TLS13 -WOLFSSL_LOCAL int SendTls13CertificateRequest(WOLFSSL*); -#endif -WOLFSSL_LOCAL int SendCertificateStatus(WOLFSSL*); -WOLFSSL_LOCAL int SendServerKeyExchange(WOLFSSL*); -WOLFSSL_LOCAL int SendBuffered(WOLFSSL*); -WOLFSSL_LOCAL int ReceiveData(WOLFSSL*, byte*, int, int); -WOLFSSL_LOCAL int SendFinished(WOLFSSL*); -#ifdef WOLFSSL_TLS13 -WOLFSSL_LOCAL int SendTls13Finished(WOLFSSL*); -WOLFSSL_LOCAL int SendTls13NewSessionTicket(WOLFSSL*); -#endif -WOLFSSL_LOCAL int SendAlert(WOLFSSL*, int, int); -WOLFSSL_LOCAL int ProcessReply(WOLFSSL*); - -WOLFSSL_LOCAL int SetCipherSpecs(WOLFSSL*); -WOLFSSL_LOCAL int MakeMasterSecret(WOLFSSL*); - -WOLFSSL_LOCAL int AddSession(WOLFSSL*); -WOLFSSL_LOCAL int DeriveKeys(WOLFSSL* ssl); -WOLFSSL_LOCAL int StoreKeys(WOLFSSL* ssl, const byte* keyData); - -WOLFSSL_LOCAL int IsTLS(const WOLFSSL* ssl); -WOLFSSL_LOCAL int IsAtLeastTLSv1_2(const WOLFSSL* ssl); -WOLFSSL_LOCAL int IsAtLeastTLSv1_3(const ProtocolVersion pv); - -WOLFSSL_LOCAL void FreeHandshakeResources(WOLFSSL* ssl); -WOLFSSL_LOCAL void ShrinkInputBuffer(WOLFSSL* ssl, int forcedFree); -WOLFSSL_LOCAL void ShrinkOutputBuffer(WOLFSSL* ssl); - -WOLFSSL_LOCAL int VerifyClientSuite(WOLFSSL* ssl); -#ifndef NO_CERTS - #ifndef NO_RSA - WOLFSSL_LOCAL int CheckRsaPssPadding(const byte* plain, word32 plainSz, - byte* out, word32 sigSz, - enum wc_HashType hashType); - WOLFSSL_LOCAL int VerifyRsaSign(WOLFSSL* ssl, - byte* verifySig, word32 sigSz, - const byte* plain, word32 plainSz, - int sigAlgo, int hashAlgo, - RsaKey* key); - WOLFSSL_LOCAL int RsaSign(WOLFSSL* ssl, const byte* in, word32 inSz, - byte* out, word32* outSz, int sigAlgo, int hashAlgo, RsaKey* key, - const byte* keyBuf, word32 keySz, void* ctx); - WOLFSSL_LOCAL int RsaVerify(WOLFSSL* ssl, byte* in, word32 inSz, - byte** out, int sigAlgo, int hashAlgo, RsaKey* key, - const byte* keyBuf, word32 keySz, void* ctx); - WOLFSSL_LOCAL int RsaDec(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, - word32* outSz, RsaKey* key, const byte* keyBuf, word32 keySz, void* ctx); - WOLFSSL_LOCAL int RsaEnc(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out, - word32* outSz, RsaKey* key, const byte* keyBuf, word32 keySz, void* ctx); - #endif /* !NO_RSA */ - - #ifdef HAVE_ECC - WOLFSSL_LOCAL int EccSign(WOLFSSL* ssl, const byte* in, word32 inSz, - byte* out, word32* outSz, ecc_key* key, byte* keyBuf, word32 keySz, - void* ctx); - WOLFSSL_LOCAL int EccVerify(WOLFSSL* ssl, const byte* in, word32 inSz, - const byte* out, word32 outSz, ecc_key* key, byte* keyBuf, word32 keySz, - void* ctx); - WOLFSSL_LOCAL int EccSharedSecret(WOLFSSL* ssl, ecc_key* priv_key, - ecc_key* pub_key, byte* pubKeyDer, word32* pubKeySz, byte* out, - word32* outlen, int side, void* ctx); - #endif /* HAVE_ECC */ - - #ifdef WOLFSSL_TRUST_PEER_CERT - - /* options for searching hash table for a matching trusted peer cert */ - #define WC_MATCH_SKID 0 - #define WC_MATCH_NAME 1 - - WOLFSSL_LOCAL TrustedPeerCert* GetTrustedPeer(void* vp, byte* hash, - int type); - WOLFSSL_LOCAL int MatchTrustedPeer(TrustedPeerCert* tp, - DecodedCert* cert); - #endif - - WOLFSSL_LOCAL Signer* GetCA(void* cm, byte* hash); - #ifndef NO_SKID - WOLFSSL_LOCAL Signer* GetCAByName(void* cm, byte* hash); - #endif -#endif /* !NO_CERTS */ -WOLFSSL_LOCAL int BuildTlsHandshakeHash(WOLFSSL* ssl, byte* hash, - word32* hashLen); -WOLFSSL_LOCAL int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, - const byte* sender); -WOLFSSL_LOCAL void FreeArrays(WOLFSSL* ssl, int keep); -WOLFSSL_LOCAL int CheckAvailableSize(WOLFSSL *ssl, int size); -WOLFSSL_LOCAL int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength); - -#ifndef NO_TLS - WOLFSSL_LOCAL int MakeTlsMasterSecret(WOLFSSL*); - WOLFSSL_LOCAL int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, - word32 sz, int content, int verify); -#endif - -#ifndef NO_WOLFSSL_CLIENT - WOLFSSL_LOCAL int SendClientHello(WOLFSSL*); - #ifdef WOLFSSL_TLS13 - WOLFSSL_LOCAL int SendTls13ClientHello(WOLFSSL*); - #endif - WOLFSSL_LOCAL int SendClientKeyExchange(WOLFSSL*); - WOLFSSL_LOCAL int SendCertificateVerify(WOLFSSL*); -#endif /* NO_WOLFSSL_CLIENT */ - - WOLFSSL_LOCAL int SendTls13CertificateVerify(WOLFSSL*); - -#ifndef NO_WOLFSSL_SERVER - WOLFSSL_LOCAL int SendServerHello(WOLFSSL*); - #ifdef WOLFSSL_TLS13 - WOLFSSL_LOCAL int SendTls13ServerHello(WOLFSSL*); - #endif - WOLFSSL_LOCAL int SendServerHelloDone(WOLFSSL*); -#endif /* NO_WOLFSSL_SERVER */ - -#ifdef WOLFSSL_DTLS - WOLFSSL_LOCAL DtlsMsg* DtlsMsgNew(word32, void*); - WOLFSSL_LOCAL void DtlsMsgDelete(DtlsMsg*, void*); - WOLFSSL_LOCAL void DtlsMsgListDelete(DtlsMsg*, void*); - WOLFSSL_LOCAL int DtlsMsgSet(DtlsMsg*, word32, const byte*, byte, - word32, word32, void*); - WOLFSSL_LOCAL DtlsMsg* DtlsMsgFind(DtlsMsg*, word32); - WOLFSSL_LOCAL void DtlsMsgStore(WOLFSSL*, word32, const byte*, word32, - byte, word32, word32, void*); - WOLFSSL_LOCAL DtlsMsg* DtlsMsgInsert(DtlsMsg*, DtlsMsg*); - - WOLFSSL_LOCAL int DtlsMsgPoolSave(WOLFSSL*, const byte*, word32); - WOLFSSL_LOCAL int DtlsMsgPoolTimeout(WOLFSSL*); - WOLFSSL_LOCAL int VerifyForDtlsMsgPoolSend(WOLFSSL*, byte, word32); - WOLFSSL_LOCAL void DtlsMsgPoolReset(WOLFSSL*); - WOLFSSL_LOCAL int DtlsMsgPoolSend(WOLFSSL*, int); -#endif /* WOLFSSL_DTLS */ - -#ifndef NO_TLS - - -#endif /* NO_TLS */ - -#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) - WOLFSSL_LOCAL word32 TimeNowInMilliseconds(void); -#endif -WOLFSSL_LOCAL word32 LowResTimer(void); - -#ifndef NO_CERTS - WOLFSSL_LOCAL void InitX509Name(WOLFSSL_X509_NAME*, int); - WOLFSSL_LOCAL void FreeX509Name(WOLFSSL_X509_NAME* name, void* heap); - WOLFSSL_LOCAL void InitX509(WOLFSSL_X509*, int, void* heap); - WOLFSSL_LOCAL void FreeX509(WOLFSSL_X509*); - WOLFSSL_LOCAL int CopyDecodedToX509(WOLFSSL_X509*, DecodedCert*); -#endif - -/* used by ssl.c and internal.c */ -WOLFSSL_LOCAL void c32to24(word32 in, word24 out); - -WOLFSSL_LOCAL const char* const* GetCipherNames(void); -WOLFSSL_LOCAL int GetCipherNamesSize(void); -WOLFSSL_LOCAL const char* GetCipherNameInternal(const char* cipherName, int cipherSuite); -WOLFSSL_LOCAL const char* wolfSSL_get_cipher_name_internal(WOLFSSL* ssl); -WOLFSSL_LOCAL const char* wolfSSL_get_cipher_name_from_suite( - const unsigned char cipherSuite, const unsigned char cipherSuite0); - -enum encrypt_side { - ENCRYPT_SIDE_ONLY = 1, - DECRYPT_SIDE_ONLY, - ENCRYPT_AND_DECRYPT_SIDE -}; - -WOLFSSL_LOCAL int SetKeysSide(WOLFSSL*, enum encrypt_side); - - -#ifndef NO_DH - WOLFSSL_LOCAL int DhGenKeyPair(WOLFSSL* ssl, DhKey* dhKey, - byte* priv, word32* privSz, - byte* pub, word32* pubSz); - WOLFSSL_LOCAL int DhAgree(WOLFSSL* ssl, DhKey* dhKey, - const byte* priv, word32 privSz, - const byte* otherPub, word32 otherPubSz, - byte* agree, word32* agreeSz); -#endif /* !NO_DH */ - -#ifdef HAVE_ECC - WOLFSSL_LOCAL int EccMakeKey(WOLFSSL* ssl, ecc_key* key, ecc_key* peer); -#endif - -WOLFSSL_LOCAL int InitHandshakeHashes(WOLFSSL* ssl); -WOLFSSL_LOCAL void FreeHandshakeHashes(WOLFSSL* ssl); - -WOLFSSL_LOCAL int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, - const byte* input, int inSz, int type, int hashOutput, - int sizeOnly, int asyncOkay); - -#ifdef WOLFSSL_TLS13 -int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input, - int inSz, int type, int hashOutput, int sizeOnly); -#endif - -WOLFSSL_LOCAL int AllocKey(WOLFSSL* ssl, int type, void** pKey); -WOLFSSL_LOCAL void FreeKey(WOLFSSL* ssl, int type, void** pKey); - -#ifdef WOLFSSL_ASYNC_CRYPT - WOLFSSL_LOCAL int wolfSSL_AsyncPop(WOLFSSL* ssl, byte* state); - WOLFSSL_LOCAL int wolfSSL_AsyncPush(WOLFSSL* ssl, WC_ASYNC_DEV* asyncDev, - word32 flags); -#endif - - -#ifdef __cplusplus - } /* extern "C" */ -#endif - -#endif /* wolfSSL_INT_H */ diff --git a/wolfssl/openssl/ssl のコピー.h b/wolfssl/openssl/ssl のコピー.h deleted file mode 100644 index 4ab04404a..000000000 --- a/wolfssl/openssl/ssl のコピー.h +++ /dev/null @@ -1,813 +0,0 @@ -/* ssl.h - * - * Copyright (C) 2006-2016 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - - - -/* ssl.h defines wolfssl_openssl compatibility layer - * - */ - - -#ifndef WOLFSSL_OPENSSL_H_ -#define WOLFSSL_OPENSSL_H_ - -/* wolfssl_openssl compatibility layer */ -#include - -#include - -#ifdef __cplusplus - extern "C" { -#endif - -#ifdef _WIN32 - /* wincrypt.h clashes */ - #undef X509_NAME -#endif - -#ifdef WOLFSSL_UTASKER - /* tcpip.h clashes */ - #undef ASN1_INTEGER -#endif - - -typedef WOLFSSL SSL; -typedef WOLFSSL_SESSION SSL_SESSION; -typedef WOLFSSL_METHOD SSL_METHOD; -typedef WOLFSSL_CTX SSL_CTX; - -typedef WOLFSSL_X509 X509; -typedef WOLFSSL_X509_NAME X509_NAME; -typedef WOLFSSL_X509_CHAIN X509_CHAIN; - - -/* redeclare guard */ -#define WOLFSSL_TYPES_DEFINED - - -typedef WOLFSSL_EVP_PKEY EVP_PKEY; -typedef WOLFSSL_BIO BIO; -typedef WOLFSSL_BIO_METHOD BIO_METHOD; -typedef WOLFSSL_CIPHER SSL_CIPHER; -typedef WOLFSSL_X509_LOOKUP X509_LOOKUP; -typedef WOLFSSL_X509_LOOKUP_METHOD X509_LOOKUP_METHOD; -typedef WOLFSSL_X509_CRL X509_CRL; -typedef WOLFSSL_X509_EXTENSION X509_EXTENSION; -typedef WOLFSSL_ASN1_TIME ASN1_TIME; -typedef WOLFSSL_ASN1_INTEGER ASN1_INTEGER; -typedef WOLFSSL_ASN1_OBJECT ASN1_OBJECT; -typedef WOLFSSL_ASN1_STRING ASN1_STRING; -typedef WOLFSSL_dynlock_value CRYPTO_dynlock_value; -typedef WOLFSSL_BUF_MEM BUF_MEM; - -/* GENERAL_NAME and BASIC_CONSTRAINTS structs may need implemented as - * compatibility layer expands. For now treating them as an ASN1_OBJECT */ -typedef WOLFSSL_ASN1_OBJECT GENERAL_NAME; -typedef WOLFSSL_ASN1_OBJECT BASIC_CONSTRAINTS; - -#define ASN1_UTCTIME WOLFSSL_ASN1_TIME -#define ASN1_GENERALIZEDTIME WOLFSSL_ASN1_TIME - -typedef WOLFSSL_MD4_CTX MD4_CTX; -typedef WOLFSSL_COMP_METHOD COMP_METHOD; -typedef WOLFSSL_X509_REVOKED X509_REVOKED; -typedef WOLFSSL_X509_OBJECT X509_OBJECT; -typedef WOLFSSL_X509_STORE X509_STORE; -typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; - -#define CRYPTO_free XFREE -#define CRYPTO_malloc XMALLOC - -#define SSL_get_client_random(ssl,out,outSz) \ - wolfSSL_get_client_random((ssl),(out),(outSz)) -#define SSL_get_cipher_list(ctx,i) wolfSSL_get_cipher_list_ex((ctx),(i)) -#define SSL_get_cipher_name(ctx) wolfSSL_get_cipher((ctx)) -#define SSL_get_shared_ciphers(ctx,buf,len) \ - wolfSSL_get_shared_ciphers((ctx),(buf),(len)) - -#define ERR_print_errors_fp(file) wolfSSL_ERR_dump_errors_fp((file)) - -/* at the moment only returns ok */ -#define SSL_get_verify_result wolfSSL_get_verify_result -#define SSL_get_verify_mode wolfSSL_SSL_get_mode -#define SSL_get_verify_depth wolfSSL_get_verify_depth -#define SSL_CTX_get_verify_mode wolfSSL_CTX_get_verify_mode -#define SSL_CTX_get_verify_depth wolfSSL_CTX_get_verify_depth -#define SSL_get_certificate wolfSSL_get_certificate -#define SSL_use_certificate wolfSSL_use_certificate -#define SSL_use_certificate_ASN1 wolfSSL_use_certificate_ASN1 - -#define SSL_use_PrivateKey wolfSSL_use_PrivateKey -#define SSL_use_PrivateKey_ASN1 wolfSSL_use_PrivateKey_ASN1 -#define SSL_use_RSAPrivateKey_ASN1 wolfSSL_use_RSAPrivateKey_ASN1 -#define SSL_get_privatekey wolfSSL_get_privatekey - -#define SSLv23_method wolfSSLv23_method -#define SSLv3_server_method wolfSSLv3_server_method -#define SSLv3_client_method wolfSSLv3_client_method -#define TLSv1_server_method wolfTLSv1_server_method -#define TLSv1_client_method wolfTLSv1_client_method -#define TLSv1_1_server_method wolfTLSv1_1_server_method -#define TLSv1_1_client_method wolfTLSv1_1_client_method -#define TLSv1_2_server_method wolfTLSv1_2_server_method -#define TLSv1_2_client_method wolfTLSv1_2_client_method - -#ifdef WOLFSSL_DTLS - #define DTLSv1_client_method wolfDTLSv1_client_method - #define DTLSv1_server_method wolfDTLSv1_server_method - #define DTLSv1_2_client_method wolfDTLSv1_2_client_method - #define DTLSv1_2_server_method wolfDTLSv1_2_server_method -#endif - - -#ifndef NO_FILESYSTEM - #define SSL_CTX_use_certificate_file wolfSSL_CTX_use_certificate_file - #define SSL_CTX_use_PrivateKey_file wolfSSL_CTX_use_PrivateKey_file - #define SSL_CTX_load_verify_locations wolfSSL_CTX_load_verify_locations - #define SSL_CTX_use_certificate_chain_file wolfSSL_CTX_use_certificate_chain_file - #define SSL_CTX_use_RSAPrivateKey_file wolfSSL_CTX_use_RSAPrivateKey_file - - #define SSL_use_certificate_file wolfSSL_use_certificate_file - #define SSL_use_PrivateKey_file wolfSSL_use_PrivateKey_file - #define SSL_use_certificate_chain_file wolfSSL_use_certificate_chain_file - #define SSL_use_RSAPrivateKey_file wolfSSL_use_RSAPrivateKey_file -#endif - -#define SSL_CTX_new wolfSSL_CTX_new -#define SSL_new wolfSSL_new -#define SSL_set_fd wolfSSL_set_fd -#define SSL_get_fd wolfSSL_get_fd -#define SSL_connect wolfSSL_connect -#define SSL_clear wolfSSL_clear -#define SSL_state wolfSSL_state - -#define SSL_write wolfSSL_write -#define SSL_read wolfSSL_read -#define SSL_peek wolfSSL_peek -#define SSL_accept wolfSSL_accept -#define SSL_CTX_free wolfSSL_CTX_free -#define SSL_free wolfSSL_free -#define SSL_shutdown wolfSSL_shutdown - -#define SSL_CTX_set_quiet_shutdown wolfSSL_CTX_set_quiet_shutdown -#define SSL_set_quiet_shutdown wolfSSL_set_quiet_shutdown -#define SSL_get_error wolfSSL_get_error -#define SSL_set_session wolfSSL_set_session -#define SSL_get_session wolfSSL_get_session -#define SSL_flush_sessions wolfSSL_flush_sessions -/* assume unlimited temporarily */ -#define SSL_CTX_get_session_cache_mode(ctx) 0 - -#define SSL_CTX_set_verify wolfSSL_CTX_set_verify -#define SSL_set_verify wolfSSL_set_verify -#define SSL_pending wolfSSL_pending -#define SSL_load_error_strings wolfSSL_load_error_strings -#define SSL_library_init wolfSSL_library_init -#define SSL_CTX_set_session_cache_mode wolfSSL_CTX_set_session_cache_mode -#define SSL_CTX_set_cipher_list wolfSSL_CTX_set_cipher_list -#define SSL_set_cipher_list wolfSSL_set_cipher_list - -#define ERR_error_string wolfSSL_ERR_error_string -#define ERR_error_string_n wolfSSL_ERR_error_string_n -#define ERR_reason_error_string wolfSSL_ERR_reason_error_string - -#define SSL_set_ex_data wolfSSL_set_ex_data -#define SSL_get_shutdown wolfSSL_get_shutdown -#define SSL_set_rfd wolfSSL_set_rfd -#define SSL_set_wfd wolfSSL_set_wfd -#define SSL_set_shutdown wolfSSL_set_shutdown -#define SSL_set_session_id_context wolfSSL_set_session_id_context -#define SSL_set_connect_state wolfSSL_set_connect_state -#define SSL_set_accept_state wolfSSL_set_accept_state -#define SSL_session_reused wolfSSL_session_reused -#define SSL_SESSION_free wolfSSL_SESSION_free -#define SSL_is_init_finished wolfSSL_is_init_finished - -#define SSL_get_version wolfSSL_get_version -#define SSL_get_current_cipher wolfSSL_get_current_cipher - -/* use wolfSSL_get_cipher_name for its return format */ -#define SSL_get_cipher wolfSSL_get_cipher_name -#define SSL_CIPHER_description wolfSSL_CIPHER_description -#define SSL_CIPHER_get_name wolfSSL_CIPHER_get_name -#define SSL_get1_session wolfSSL_get1_session - -#define SSL_get_keyblock_size wolfSSL_get_keyblock_size -#define SSL_get_keys wolfSSL_get_keys -#define SSL_SESSION_get_master_key wolfSSL_SESSION_get_master_key -#define SSL_SESSION_get_master_key_length wolfSSL_SESSION_get_master_key_length - -#define SSL_X509_NAME_get_text_by_NID wolfSSL_X509_NAME_get_text_by_NID -#define X509_get_ext_d2i wolfSSL_X509_get_ext_d2i -#define X509_digest wolfSSL_X509_digest -#define X509_free wolfSSL_X509_free -#define OPENSSL_free wolfSSL_OPENSSL_free - -#define OCSP_parse_url wolfSSL_OCSP_parse_url -#define SSLv23_client_method wolfSSLv23_client_method -#define SSLv2_client_method wolfSSLv2_client_method -#define SSLv2_server_method wolfSSLv2_server_method - -#define MD4_Init wolfSSL_MD4_Init -#define MD4_Update wolfSSL_MD4_Update -#define MD4_Final wolfSSL_MD4_Final - -#define BIO_new wolfSSL_BIO_new -#define BIO_free wolfSSL_BIO_free -#define BIO_free_all wolfSSL_BIO_free_all -#define BIO_nread0 wolfSSL_BIO_nread0 -#define BIO_nread wolfSSL_BIO_nread -#define BIO_read wolfSSL_BIO_read -#define BIO_nwrite0 wolfSSL_BIO_nwrite0 -#define BIO_nwrite wolfSSL_BIO_nwrite -#define BIO_write wolfSSL_BIO_write -#define BIO_push wolfSSL_BIO_push -#define BIO_pop wolfSSL_BIO_pop -#define BIO_flush wolfSSL_BIO_flush -#define BIO_pending wolfSSL_BIO_pending - -#define BIO_get_mem_data wolfSSL_BIO_get_mem_data -#define BIO_new_mem_buf wolfSSL_BIO_new_mem_buf - -#define BIO_f_buffer wolfSSL_BIO_f_buffer -#define BIO_set_write_buffer_size wolfSSL_BIO_set_write_buffer_size -#define BIO_f_ssl wolfSSL_BIO_f_ssl -#define BIO_new_socket wolfSSL_BIO_new_socket -#define SSL_set_bio wolfSSL_set_bio -#define BIO_eof wolfSSL_BIO_eof -#define BIO_set_ss wolfSSL_BIO_set_ss - -#define BIO_s_mem wolfSSL_BIO_s_mem -#define BIO_f_base64 wolfSSL_BIO_f_base64 -#define BIO_set_flags wolfSSL_BIO_set_flags - -#define OpenSSL_add_all_digests() -#define OpenSSL_add_all_algorithms wolfSSL_add_all_algorithms -#define SSLeay_add_ssl_algorithms wolfSSL_add_all_algorithms -#define SSLeay_add_all_algorithms wolfSSL_add_all_algorithms - -#define RAND_screen wolfSSL_RAND_screen -#define RAND_file_name wolfSSL_RAND_file_name -#define RAND_write_file wolfSSL_RAND_write_file -#define RAND_load_file wolfSSL_RAND_load_file -#define RAND_egd wolfSSL_RAND_egd -#define RAND_seed wolfSSL_RAND_seed -#define RAND_add wolfSSL_RAND_add - -#define COMP_zlib wolfSSL_COMP_zlib -#define COMP_rle wolfSSL_COMP_rle -#define SSL_COMP_add_compression_method wolfSSL_COMP_add_compression_method - -#define SSL_get_ex_new_index wolfSSL_get_ex_new_index - -#define CRYPTO_set_id_callback wolfSSL_set_id_callback -#define CRYPTO_set_locking_callback wolfSSL_set_locking_callback -#define CRYPTO_set_dynlock_create_callback wolfSSL_set_dynlock_create_callback -#define CRYPTO_set_dynlock_lock_callback wolfSSL_set_dynlock_lock_callback -#define CRYPTO_set_dynlock_destroy_callback wolfSSL_set_dynlock_destroy_callback -#define CRYPTO_num_locks wolfSSL_num_locks - - -# define CRYPTO_LOCK 1 -# define CRYPTO_UNLOCK 2 -# define CRYPTO_READ 4 -# define CRYPTO_WRITE 8 - -#define X509_STORE_CTX_get_current_cert wolfSSL_X509_STORE_CTX_get_current_cert -#define X509_STORE_add_cert wolfSSL_X509_STORE_add_cert -#define X509_STORE_set_flags wolfSSL_X509_STORE_set_flags -#define X509_STORE_CTX_set_verify_cb wolfSSL_X509_STORE_CTX_set_verify_cb -#define X509_STORE_CTX_get_chain wolfSSL_X509_STORE_CTX_get_chain -#define X509_STORE_CTX_get_error wolfSSL_X509_STORE_CTX_get_error -#define X509_STORE_CTX_get_error_depth wolfSSL_X509_STORE_CTX_get_error_depth - -#define X509_NAME_oneline wolfSSL_X509_NAME_oneline -#define X509_get_issuer_name wolfSSL_X509_get_issuer_name -#define X509_get_subject_name wolfSSL_X509_get_subject_name -#define X509_verify_cert_error_string wolfSSL_X509_verify_cert_error_string - -#define X509_LOOKUP_add_dir wolfSSL_X509_LOOKUP_add_dir -#define X509_LOOKUP_load_file wolfSSL_X509_LOOKUP_load_file -#define X509_LOOKUP_hash_dir wolfSSL_X509_LOOKUP_hash_dir -#define X509_LOOKUP_file wolfSSL_X509_LOOKUP_file - -#define X509_STORE_add_lookup wolfSSL_X509_STORE_add_lookup -#define X509_STORE_new wolfSSL_X509_STORE_new -#define X509_STORE_get_by_subject wolfSSL_X509_STORE_get_by_subject -#define X509_STORE_CTX_init wolfSSL_X509_STORE_CTX_init -#define X509_STORE_CTX_cleanup wolfSSL_X509_STORE_CTX_cleanup - -#define X509_CRL_get_lastUpdate wolfSSL_X509_CRL_get_lastUpdate -#define X509_CRL_get_nextUpdate wolfSSL_X509_CRL_get_nextUpdate - -#define X509_get_pubkey wolfSSL_X509_get_pubkey -#define X509_CRL_verify wolfSSL_X509_CRL_verify -#define X509_STORE_CTX_set_error wolfSSL_X509_STORE_CTX_set_error -#define X509_OBJECT_free_contents wolfSSL_X509_OBJECT_free_contents -#define EVP_PKEY_new wolfSSL_PKEY_new -#define EVP_PKEY_free wolfSSL_EVP_PKEY_free -#define EVP_PKEY_type wolfSSL_EVP_PKEY_type -#define EVP_PKEY_base_id wolfSSL_EVP_PKEY_base_id -#define X509_cmp_current_time wolfSSL_X509_cmp_current_time -#define sk_X509_REVOKED_num wolfSSL_sk_X509_REVOKED_num -#define X509_CRL_get_REVOKED wolfSSL_X509_CRL_get_REVOKED -#define sk_X509_REVOKED_value wolfSSL_sk_X509_REVOKED_value -#define X509_get_notBefore(cert) (ASN1_TIME*)wolfSSL_X509_notBefore((cert)) -#define X509_get_notAfter(cert) (ASN1_TIME*)wolfSSL_X509_notAfter((cert)) - - -#define X509_get_serialNumber wolfSSL_X509_get_serialNumber - -#define ASN1_TIME_print wolfSSL_ASN1_TIME_print -#define ASN1_GENERALIZEDTIME_print wolfSSL_ASN1_GENERALIZEDTIME_print - -#define ASN1_INTEGER_cmp wolfSSL_ASN1_INTEGER_cmp -#define ASN1_INTEGER_get wolfSSL_ASN1_INTEGER_get -#define ASN1_INTEGER_to_BN wolfSSL_ASN1_INTEGER_to_BN -#define ASN1_STRING_to_UTF8 wolfSSL_ASN1_STRING_to_UTF8 - -#define SSL_load_client_CA_file wolfSSL_load_client_CA_file - -#define SSL_CTX_get_client_CA_list wolfSSL_SSL_CTX_get_client_CA_list -#define SSL_CTX_set_client_CA_list wolfSSL_CTX_set_client_CA_list -#define SSL_CTX_set_cert_store wolfSSL_CTX_set_cert_store -#define SSL_CTX_get_cert_store wolfSSL_CTX_get_cert_store -#define X509_STORE_CTX_get_ex_data wolfSSL_X509_STORE_CTX_get_ex_data -#define SSL_get_ex_data_X509_STORE_CTX_idx wolfSSL_get_ex_data_X509_STORE_CTX_idx -#define SSL_get_ex_data wolfSSL_get_ex_data - -#define SSL_CTX_set_default_passwd_cb_userdata wolfSSL_CTX_set_default_passwd_cb_userdata -#define SSL_CTX_set_default_passwd_cb wolfSSL_CTX_set_default_passwd_cb - -#define SSL_CTX_set_timeout(ctx, to) wolfSSL_CTX_set_timeout(ctx, (unsigned int) to) -#define SSL_CTX_set_info_callback wolfSSL_CTX_set_info_callback - -#define ERR_peek_error wolfSSL_ERR_peek_error -#define ERR_peek_last_error_line wolfSSL_ERR_peek_last_error_line -#define ERR_peek_errors_fp wolfSSL_ERR_peek_errors_fp -#define ERR_GET_REASON wolfSSL_ERR_GET_REASON - -#define SSL_alert_type_string wolfSSL_alert_type_string -#define SSL_alert_desc_string wolfSSL_alert_desc_string -#define SSL_state_string wolfSSL_state_string - -#define RSA_free wolfSSL_RSA_free -#define RSA_generate_key wolfSSL_RSA_generate_key -#define SSL_CTX_set_tmp_rsa_callback wolfSSL_CTX_set_tmp_rsa_callback - -#define PEM_def_callback wolfSSL_PEM_def_callback - -#define SSL_CTX_sess_accept wolfSSL_CTX_sess_accept -#define SSL_CTX_sess_connect wolfSSL_CTX_sess_connect -#define SSL_CTX_sess_accept_good wolfSSL_CTX_sess_accept_good -#define SSL_CTX_sess_connect_good wolfSSL_CTX_sess_connect_good -#define SSL_CTX_sess_accept_renegotiate wolfSSL_CTX_sess_accept_renegotiate -#define SSL_CTX_sess_connect_renegotiate wolfSSL_CTX_sess_connect_renegotiate -#define SSL_CTX_sess_hits wolfSSL_CTX_sess_hits -#define SSL_CTX_sess_cb_hits wolfSSL_CTX_sess_cb_hits -#define SSL_CTX_sess_cache_full wolfSSL_CTX_sess_cache_full -#define SSL_CTX_sess_misses wolfSSL_CTX_sess_misses -#define SSL_CTX_sess_timeouts wolfSSL_CTX_sess_timeouts -#define SSL_CTX_sess_number wolfSSL_CTX_sess_number -#define SSL_CTX_sess_get_cache_size wolfSSL_CTX_sess_get_cache_size - - -#define SSL_DEFAULT_CIPHER_LIST WOLFSSL_DEFAULT_CIPHER_LIST -#define RSA_F4 WOLFSSL_RSA_F4 - -#define SSL_CTX_set_psk_client_callback wolfSSL_CTX_set_psk_client_callback -#define SSL_set_psk_client_callback wolfSSL_set_psk_client_callback - -#define SSL_get_psk_identity_hint wolfSSL_get_psk_identity_hint -#define SSL_get_psk_identity wolfSSL_get_psk_identity - -#define SSL_CTX_use_psk_identity_hint wolfSSL_CTX_use_psk_identity_hint -#define SSL_use_psk_identity_hint wolfSSL_use_psk_identity_hint - -#define SSL_CTX_set_psk_server_callback wolfSSL_CTX_set_psk_server_callback -#define SSL_set_psk_server_callback wolfSSL_set_psk_server_callback - -#define ERR_get_error_line_data wolfSSL_ERR_get_error_line_data - -#define ERR_get_error wolfSSL_ERR_get_error -#define ERR_clear_error wolfSSL_ERR_clear_error - -#define RAND_status wolfSSL_RAND_status -#define RAND_bytes wolfSSL_RAND_bytes -#define SSLv23_server_method wolfSSLv23_server_method -#define SSL_CTX_set_options wolfSSL_CTX_set_options -#define SSL_CTX_clear_options wolfSSL_CTX_clear_options - -#define SSL_CTX_check_private_key wolfSSL_CTX_check_private_key - -#define ERR_free_strings wolfSSL_ERR_free_strings -#define ERR_remove_state wolfSSL_ERR_remove_state -#define EVP_cleanup wolfSSL_EVP_cleanup - -#define CRYPTO_cleanup_all_ex_data wolfSSL_cleanup_all_ex_data -#define SSL_CTX_set_mode wolfSSL_CTX_set_mode -#define SSL_CTX_get_mode wolfSSL_CTX_get_mode -#define SSL_CTX_set_default_read_ahead wolfSSL_CTX_set_default_read_ahead - -#define SSL_CTX_sess_set_cache_size wolfSSL_CTX_sess_set_cache_size -#define SSL_CTX_set_default_verify_paths wolfSSL_CTX_set_default_verify_paths - -#define SSL_CTX_set_session_id_context wolfSSL_CTX_set_session_id_context -#define SSL_get_peer_certificate wolfSSL_get_peer_certificate - -#define SSL_want_read wolfSSL_want_read -#define SSL_want_write wolfSSL_want_write - -#define BIO_prf wolfSSL_BIO_prf -#define ASN1_UTCTIME_pr wolfSSL_ASN1_UTCTIME_pr - -#define sk_num wolfSSL_sk_num -#define sk_value wolfSSL_sk_value -#define sk_X509_pop wolfSSL_sk_X509_pop -#define sk_X509_free wolfSSL_sk_X509_free -#define d2i_X509_bio wolfSSL_d2i_X509_bio - -#define SSL_CTX_get_ex_data wolfSSL_CTX_get_ex_data -#define SSL_CTX_set_ex_data wolfSSL_CTX_set_ex_data -#define SSL_CTX_sess_set_get_cb wolfSSL_CTX_sess_set_get_cb -#define SSL_CTX_sess_set_new_cb wolfSSL_CTX_sess_set_new_cb -#define SSL_CTX_sess_set_remove_cb wolfSSL_CTX_sess_set_remove_cb - -#define i2d_SSL_SESSION wolfSSL_i2d_SSL_SESSION -#define d2i_SSL_SESSION wolfSSL_d2i_SSL_SESSION -#define SSL_SESSION_set_timeout wolfSSL_SSL_SESSION_set_timeout -#define SSL_SESSION_get_timeout wolfSSL_SESSION_get_timeout -#define SSL_SESSION_get_time wolfSSL_SESSION_get_time -#define SSL_CTX_get_ex_new_index wolfSSL_CTX_get_ex_new_index -#define PEM_read_bio_X509 wolfSSL_PEM_read_bio_X509 -#define PEM_read_bio_X509_AUX wolfSSL_PEM_read_bio_X509_AUX - -/*#if OPENSSL_API_COMPAT < 0x10100000L*/ -#define CONF_modules_free() -#define ENGINE_cleanup() -#define HMAC_CTX_cleanup wolfSSL_HMAC_cleanup -#define SSL_CTX_need_tmp_RSA(ctx) 0 -#define SSL_CTX_set_tmp_rsa(ctx,rsa) 1 -#define SSL_need_tmp_RSA(ssl) 0 -#define SSL_set_tmp_rsa(ssl,rsa) 1 -/*#endif*/ -#define CONF_modules_unload(a) - -#define SSL_get_hit wolfSSL_session_reused - -/* yassl had set the default to be 500 */ -#define SSL_get_default_timeout(ctx) 500 - -/* Lighthttp compatibility */ - -#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \ - defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(HAVE_POCO_LIB) || defined(WOLFSSL_HAPROXY) -typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; - -#define X509_NAME_free wolfSSL_X509_NAME_free -#define SSL_CTX_use_certificate wolfSSL_CTX_use_certificate -#define SSL_CTX_use_PrivateKey wolfSSL_CTX_use_PrivateKey -#define BIO_read_filename wolfSSL_BIO_read_filename -#define BIO_s_file wolfSSL_BIO_s_file -#define OBJ_nid2sn wolfSSL_OBJ_nid2sn -#define OBJ_obj2nid wolfSSL_OBJ_obj2nid -#define OBJ_sn2nid wolfSSL_OBJ_sn2nid -#define SSL_CTX_set_verify_depth wolfSSL_CTX_set_verify_depth -#define SSL_set_verify_depth wolfSSL_set_verify_depth -#define SSL_get_app_data wolfSSL_get_app_data -#define SSL_set_app_data wolfSSL_set_app_data -#define X509_NAME_entry_count wolfSSL_X509_NAME_entry_count -#define X509_NAME_ENTRY_get_object wolfSSL_X509_NAME_ENTRY_get_object -#define X509_NAME_get_entry wolfSSL_X509_NAME_get_entry -#define ASN1_STRING_data wolfSSL_ASN1_STRING_data -#define ASN1_STRING_length wolfSSL_ASN1_STRING_length -#define X509_NAME_get_index_by_NID wolfSSL_X509_NAME_get_index_by_NID -#define X509_NAME_ENTRY_get_data wolfSSL_X509_NAME_ENTRY_get_data -#define sk_X509_NAME_pop_free wolfSSL_sk_X509_NAME_pop_free -#define SHA1 wolfSSL_SHA1 -#define X509_check_private_key wolfSSL_X509_check_private_key -#define SSL_dup_CA_list wolfSSL_dup_CA_list - -#define NID_commonName 0x03 /* matchs ASN_COMMON_NAME in asn.h */ - -#define OBJ_nid2ln wolfSSL_OBJ_nid2ln -#define OBJ_txt2nid wolfSSL_OBJ_txt2nid -#define PEM_read_bio_DHparams wolfSSL_PEM_read_bio_DHparams -#define PEM_read_bio_DSAparams wolfSSL_PEM_read_bio_DSAparams -#define PEM_write_bio_X509 wolfSSL_PEM_write_bio_X509 - - -#ifdef WOLFSSL_HAPROXY -#define SSL_get_rbio wolfSSL_SSL_get_rbio -#define SSL_get_wbio wolfSSL_SSL_get_wbio -#define SSL_do_handshake wolfSSL_SSL_do_handshake -#define SSL_get_ciphers(x) wolfSSL_get_ciphers_compat(x) -#define SSL_SESSION_get_id wolfSSL_SESSION_get_id -#define ASN1_STRING_get0_data wolfSSL_ASN1_STRING_data -#define SSL_get_cipher_bits(s,np) wolfSSL_CIPHER_get_bits(SSL_get_current_cipher(s),np) -#define sk_SSL_CIPHER_num wolfSSL_sk_SSL_CIPHER_num -#define sk_SSL_COMP_zero wolfSSL_sk_SSL_COMP_zero -#define sk_SSL_CIPHER_value wolfSSL_sk_SSL_CIPHER_value -#endif /* WOLFSSL_HAPROXY */ -#endif /* HAVE_STUNNEL || HAVE_LIGHTY || WOLFSSL_MYSQL_COMPATIBLE || WOLFSSL_NGINX || HAVE_POCO_LIB || WOLFSSL_HAPROXY */ - -#define SSL_CTX_set_tmp_dh wolfSSL_CTX_set_tmp_dh - -#define BIO_new_file wolfSSL_BIO_new_file -#define BIO_ctrl wolfSSL_BIO_ctrl -#define BIO_ctrl_pending wolfSSL_BIO_ctrl_pending -#define BIO_get_mem_ptr wolfSSL_BIO_get_mem_ptr -#define BIO_int_ctrl wolfSSL_BIO_int_ctrl -#define BIO_reset wolfSSL_BIO_reset -#define BIO_s_file wolfSSL_BIO_s_file -#define BIO_s_bio wolfSSL_BIO_s_bio -#define BIO_s_socket wolfSSL_BIO_s_socket -#define BIO_set_fd wolfSSL_BIO_set_fd -#define BIO_ctrl_reset_read_request wolfSSL_BIO_ctrl_reset_read_request - -#define BIO_set_write_buf_size wolfSSL_BIO_set_write_buf_size -#define BIO_make_bio_pair wolfSSL_BIO_make_bio_pair - -#define BIO_set_fp wolfSSL_BIO_set_fp -#define BIO_get_fp wolfSSL_BIO_get_fp -#define BIO_seek wolfSSL_BIO_seek -#define BIO_write_filename wolfSSL_BIO_write_filename -#define BIO_set_mem_eof_return wolfSSL_BIO_set_mem_eof_return - -#define SSL_set_options wolfSSL_set_options -#define SSL_get_options wolfSSL_get_options -#define SSL_set_tmp_dh wolfSSL_set_tmp_dh -#define SSL_clear_num_renegotiations wolfSSL_clear_num_renegotiations -#define SSL_total_renegotiations wolfSSL_total_renegotiations -#define SSL_set_tlsext_debug_arg wolfSSL_set_tlsext_debug_arg -#define SSL_set_tlsext_status_type wolfSSL_set_tlsext_status_type -#define SSL_set_tlsext_status_exts wolfSSL_set_tlsext_status_exts -#define SSL_get_tlsext_status_ids wolfSSL_get_tlsext_status_ids -#define SSL_set_tlsext_status_ids wolfSSL_set_tlsext_status_ids -#define SSL_get_tlsext_status_ocsp_resp wolfSSL_get_tlsext_status_ocsp_resp -#define SSL_set_tlsext_status_ocsp_resp wolfSSL_set_tlsext_status_ocsp_resp - -#define SSL_CTX_add_extra_chain_cert wolfSSL_CTX_add_extra_chain_cert -#define SSL_CTX_get_read_ahead wolfSSL_CTX_get_read_ahead -#define SSL_CTX_set_read_ahead wolfSSL_CTX_set_read_ahead -#define SSL_CTX_set_tlsext_status_arg wolfSSL_CTX_set_tlsext_status_arg -#define SSL_CTX_set_tlsext_opaque_prf_input_callback_arg \ - wolfSSL_CTX_set_tlsext_opaque_prf_input_callback_arg -#define SSL_get_server_random wolfSSL_get_server_random - -#define SSL_get_tlsext_status_exts wolfSSL_get_tlsext_status_exts - -#define BIO_C_SET_FILE_PTR 106 -#define BIO_C_GET_FILE_PTR 107 -#define BIO_C_SET_FILENAME 108 -#define BIO_C_FILE_SEEK 128 -#define BIO_C_SET_BUF_MEM_EOF_RETURN 130 -#define BIO_C_SET_WRITE_BUF_SIZE 136 -#define BIO_C_MAKE_BIO_PAIR 138 - -#define BIO_CTRL_RESET 1 -#define BIO_CTRL_INFO 3 -#define BIO_CTRL_FLUSH 11 -#define BIO_CLOSE 0x01 -#define BIO_FP_WRITE 0x04 - -#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11 -#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12 -#define SSL_CTRL_SET_TMP_DH 3 -#define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57 -#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65 -#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66 -#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67 -#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS 68 -#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS 69 -#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP 70 -#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71 - -#define SSL_CTRL_SET_TMP_DH 3 -#define SSL_CTRL_EXTRA_CHAIN_CERT 14 - -#define SSL_CTRL_SET_SESS_CACHE_SIZE 42 -#define SSL_CTRL_GET_READ_AHEAD 40 -#define SSL_CTRL_SET_READ_AHEAD 41 - -#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63 -#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64 - -#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82 - -#define SSL_ctrl wolfSSL_ctrl -#define SSL_CTX_ctrl wolfSSL_CTX_ctrl - -#define X509_V_FLAG_CRL_CHECK WOLFSSL_CRL_CHECK -#define X509_V_FLAG_CRL_CHECK_ALL WOLFSSL_CRL_CHECKALL - -#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) -#include - -#define SSL2_VERSION 0x0002 -#define SSL3_VERSION 0x0300 -#define TLS1_VERSION 0x0301 -#define DTLS1_VERSION 0xFEFF -#define SSL23_ST_SR_CLNT_HELLO_A (0x210|0x2000) -#define SSL3_ST_SR_CLNT_HELLO_A (0x110|0x2000) -#define ASN1_STRFLGS_ESC_MSB 4 -#define X509_V_ERR_CERT_REJECTED 28 - -#define SSL_alert_desc_string_long wolfSSL_alert_desc_string_long -#define SSL_alert_type_string_long wolfSSL_alert_type_string_long -#define SSL_CIPHER_get_bits wolfSSL_CIPHER_get_bits -#define sk_X509_NAME_num wolfSSL_sk_X509_NAME_num -#define sk_X509_num wolfSSL_sk_X509_num -#define X509_NAME_print_ex wolfSSL_X509_NAME_print_ex -#define X509_get0_pubkey_bitstr wolfSSL_X509_get0_pubkey_bitstr -#define SSL_CTX_get_options wolfSSL_CTX_get_options - -#define SSL_CTX_flush_sessions wolfSSL_flush_sessions -#define SSL_CTX_add_session wolfSSL_CTX_add_session -#define SSL_get_SSL_CTX wolfSSL_get_SSL_CTX -#define SSL_version wolfSSL_version -#define SSL_get_state wolfSSL_get_state -#define SSL_state_string_long wolfSSL_state_string_long -#define SSL_get_peer_cert_chain wolfSSL_get_peer_cert_chain -#define sk_X509_NAME_value wolfSSL_sk_X509_NAME_value -#define sk_X509_value wolfSSL_sk_X509_value -#define SSL_SESSION_get_ex_data wolfSSL_SESSION_get_ex_data -#define SSL_SESSION_set_ex_data wolfSSL_SESSION_set_ex_data -#define SSL_SESSION_get_ex_new_index wolfSSL_SESSION_get_ex_new_index -#define SSL_SESSION_get_id wolfSSL_SESSION_get_id -#define CRYPTO_dynlock_value WOLFSSL_dynlock_value -typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; -#define X509_STORE_get1_certs wolfSSL_X509_STORE_get1_certs -#define sk_X509_pop_free wolfSSL_sk_X509_pop_free - -#define SSL_TLSEXT_ERR_OK 0 -#define SSL_TLSEXT_ERR_ALERT_FATAL alert_fatal -#define SSL_TLSEXT_ERR_NOACK alert_warning -#define TLSEXT_NAMETYPE_host_name WOLFSSL_SNI_HOST_NAME - -#define SSL_set_tlsext_host_name wolfSSL_set_tlsext_host_name -#define SSL_get_servername wolfSSL_get_servername -#define SSL_set_SSL_CTX wolfSSL_set_SSL_CTX -#define SSL_CTX_get_verify_callback wolfSSL_CTX_get_verify_callback -#define SSL_CTX_set_tlsext_servername_callback wolfSSL_CTX_set_tlsext_servername_callback -#define SSL_CTX_set_tlsext_servername_arg wolfSSL_CTX_set_servername_arg - -#define PSK_MAX_PSK_LEN 256 -#define PSK_MAX_IDENTITY_LEN 128 -#define ERR_remove_thread_state WOLFSSL_ERR_remove_thread_state -#define SSL_CTX_clear_options wolfSSL_CTX_clear_options - - -#endif /* HAVE_STUNNEL || WOLFSSL_NGINX */ -#define SSL_CTX_get_default_passwd_cb wolfSSL_CTX_get_default_passwd_cb -#define SSL_CTX_get_default_passwd_cb_userdata wolfSSL_CTX_get_default_passwd_cb_userdata - -/* certificate extension NIDs */ -#define NID_basic_constraints 133 -#define NID_key_usage 129 /* 2.5.29.15 */ -#define NID_ext_key_usage 151 /* 2.5.29.37 */ -#define NID_subject_key_identifier 128 -#define NID_authority_key_identifier 149 -#define NID_private_key_usage_period 130 /* 2.5.29.16 */ -#define NID_subject_alt_name 131 -#define NID_issuer_alt_name 132 -#define NID_info_access 69 -#define NID_sinfo_access 79 /* id-pe 11 */ -#define NID_name_constraints 144 /* 2.5.29.30 */ -#define NID_certificate_policies 146 -#define NID_policy_mappings 147 -#define NID_policy_constraints 150 -#define NID_inhibit_any_policy 168 /* 2.5.29.54 */ -#define NID_tlsfeature 92 /* id-pe 24 */ - - -#define SSL_CTX_set_msg_callback wolfSSL_CTX_set_msg_callback -#define SSL_set_msg_callback wolfSSL_set_msg_callback -#define SSL_CTX_set_msg_callback_arg wolfSSL_CTX_set_msg_callback_arg -#define SSL_set_msg_callback_arg wolfSSL_set_msg_callback_arg - -/* certificate extension NIDs */ -#define NID_basic_constraints 133 -#define NID_key_usage 129 /* 2.5.29.15 */ -#define NID_ext_key_usage 151 /* 2.5.29.37 */ -#define NID_subject_key_identifier 128 -#define NID_authority_key_identifier 149 -#define NID_private_key_usage_period 130 /* 2.5.29.16 */ -#define NID_subject_alt_name 131 -#define NID_issuer_alt_name 132 -#define NID_info_access 69 -#define NID_sinfo_access 79 /* id-pe 11 */ -#define NID_name_constraints 144 /* 2.5.29.30 */ -#define NID_certificate_policies 146 -#define NID_policy_mappings 147 -#define NID_policy_constraints 150 -#define NID_inhibit_any_policy 168 /* 2.5.29.54 */ -#define NID_tlsfeature 92 /* id-pe 24 */ - - -#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - -#include - -#define OPENSSL_STRING WOLFSSL_STRING - -#define TLSEXT_TYPE_application_layer_protocol_negotiation 16 - -#define OPENSSL_NPN_UNSUPPORTED 0 -#define OPENSSL_NPN_NEGOTIATED 1 -#define OPENSSL_NPN_NO_OVERLAP 2 - -/* Nginx checks these to see if the error was a handshake error. */ -#define SSL_R_BAD_CHANGE_CIPHER_SPEC LENGTH_ERROR -#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG BUFFER_E -#define SSL_R_DIGEST_CHECK_FAILED VERIFY_MAC_ERROR -#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST SUITES_ERROR -#define SSL_R_EXCESSIVE_MESSAGE_SIZE BUFFER_ERROR -#define SSL_R_LENGTH_MISMATCH LENGTH_ERROR -#define SSL_R_NO_CIPHERS_SPECIFIED SUITES_ERROR -#define SSL_R_NO_COMPRESSION_SPECIFIED COMPRESSION_ERROR -#define SSL_R_NO_SHARED_CIPHER MATCH_SUITE_ERROR -#define SSL_R_RECORD_LENGTH_MISMATCH HANDSHAKE_SIZE_ERROR -#define SSL_R_UNEXPECTED_MESSAGE OUT_OF_ORDER_E -#define SSL_R_UNEXPECTED_RECORD SANITY_MSG_E -#define SSL_R_UNKNOWN_ALERT_TYPE BUFFER_ERROR -#define SSL_R_UNKNOWN_PROTOCOL VERSION_ERROR -#define SSL_R_WRONG_VERSION_NUMBER VERSION_ERROR -#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC ENCRYPT_ERROR - -/* Nginx uses this to determine if reached end of certs in file. - * PEM_read_bio_X509 is called and the return error is lost. - * The error that needs to be detected is: SSL_NO_PEM_HEADER. - */ -#define ERR_GET_LIB(l) (int)((((unsigned long)l)>>24L)&0xffL) -#define PEM_R_NO_START_LINE 108 -#define ERR_LIB_PEM 9 - -#ifdef HAVE_SESSION_TICKET -#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72 -#endif - -#define OPENSSL_config wolfSSL_OPENSSL_config -#define OPENSSL_memdup wolfSSL_OPENSSL_memdup -#define X509_get_ex_new_index wolfSSL_X509_get_ex_new_index -#define X509_get_ex_data wolfSSL_X509_get_ex_data -#define X509_set_ex_data wolfSSL_X509_set_ex_data -#define X509_NAME_digest wolfSSL_X509_NAME_digest -#define SSL_CTX_get_timeout wolfSSL_SSL_CTX_get_timeout -#define SSL_CTX_set_tmp_ecdh wolfSSL_SSL_CTX_set_tmp_ecdh -#define SSL_CTX_remove_session wolfSSL_SSL_CTX_remove_session -#define SSL_get_rbio wolfSSL_SSL_get_rbio -#define SSL_get_wbio wolfSSL_SSL_get_wbio -#define SSL_do_handshake wolfSSL_SSL_do_handshake -#define SSL_in_init wolfSSL_SSL_in_init -#define SSL_get0_session wolfSSL_SSL_get0_session -#define X509_check_host wolfSSL_X509_check_host -#define i2a_ASN1_INTEGER wolfSSL_i2a_ASN1_INTEGER -#define ERR_peek_error_line_data wolfSSL_ERR_peek_error_line_data -#define ERR_load_BIO_strings wolfSSL_ERR_load_BIO_strings -#define SSL_CTX_set_tlsext_ticket_key_cb wolfSSL_CTX_set_tlsext_ticket_key_cb -#define X509_email_free wolfSSL_X509_email_free -#define X509_get1_ocsp wolfSSL_X509_get1_ocsp -#define SSL_CTX_set_tlsext_status_cb wolfSSL_CTX_set_tlsext_status_cb -#define X509_check_issued wolfSSL_X509_check_issued -#define X509_dup wolfSSL_X509_dup -#define X509_STORE_CTX_new wolfSSL_X509_STORE_CTX_new -#define X509_STORE_CTX_free wolfSSL_X509_STORE_CTX_free -#define SSL_CTX_get_extra_chain_certs wolfSSL_CTX_get_extra_chain_certs -#define X509_STORE_CTX_get1_issuer wolfSSL_X509_STORE_CTX_get1_issuer -#define sk_OPENSSL_STRING_value wolfSSL_sk_WOLFSSL_STRING_value -#define SSL_get0_alpn_selected wolfSSL_get0_alpn_selected -#define SSL_select_next_proto wolfSSL_select_next_proto -#define SSL_CTX_set_alpn_select_cb wolfSSL_CTX_set_alpn_select_cb -#define SSL_CTX_set_alpn_protos wolfSSL_CTX_set_alpn_protos -#define SSL_CTX_set_next_protos_advertised_cb wolfSSL_CTX_set_next_protos_advertised_cb -#define SSL_CTX_set_next_proto_select_cb wolfSSL_CTX_set_next_proto_select_cb -#define SSL_get0_next_proto_negotiated wolfSSL_get0_next_proto_negotiated - -#endif - -#ifdef __cplusplus - } /* extern "C" */ -#endif - - -#endif /* wolfSSL_openssl_h__ */