wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-01 03:34:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

renames TLS Extension types to follow the TLSX_ + "extension name" pattern; using names listed by IANA:

Browse Source 
http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml

fixes ocsp response extensions parsing in asn.c;

fixes dir slashes in .gitignore: replaces '\' with '/';

removes trailing white spaces;
This commit is contained in:
Moisés Guimarães
2015-10-23 13:05:29 -03:00
parent a42308e28a
commit 82f86adb8e
12 changed files with 260 additions and 200 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.gitignore vendored
View File

@@ -112,11 +112,11 @@ cov-int
cyassl.tgz
*.log
*.trs
IDE\MDK-ARM\Projects/
IDE\MDK-ARM\STM32F2xx_StdPeriph_Lib/inc
IDE\MDK-ARM\STM32F2xx_StdPeriph_Lib/src
IDE\MDK-ARM\LPC43xx\Drivers/
IDE\MDK-ARM\LPC43xx\LPC43xx/
IDE/MDK-ARM/Projects/
IDE/MDK-ARM/STM32F2xx_StdPeriph_Lib/inc
IDE/MDK-ARM/STM32F2xx_StdPeriph_Lib/src
IDE/MDK-ARM/LPC43xx/Drivers/
IDE/MDK-ARM/LPC43xx/LPC43xx/
*.gcno
*.gcda
*.gcov

6
configure.ac
View File

@@ -2488,14 +2488,14 @@ echo " * Persistent cert cache: $ENABLED_SAVECERT"
echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER"
echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS"
echo " * NTRU: $ENABLED_NTRU"
echo " * SNI: $ENABLED_SNI"
echo " * Server Name Indication: $ENABLED_SNI"
echo " * ALPN: $ENABLED_ALPN"
echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT"
echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC"
echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION"
echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION"
echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES"
echo " * Session Ticket: $ENABLED_SESSION_TICKET"
echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION"
echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION"
echo " * All TLS Extensions: $ENABLED_TLSX"
echo " * PKCS#7 $ENABLED_PKCS7"
echo " * wolfSCEP $ENABLED_WOLFSCEP"

2
examples/client/client.c
View File

@@ -310,7 +310,7 @@ static void Usage(void)
#endif
printf("-b <num> Benchmark <num> connections and print stats\n");
#ifdef HAVE_ALPN
printf("-L <str> Application-Layer Protocole Name ({C,F}:<list>)\n");
printf("-L <str> Application-Layer Protocol Negotiation ({C,F}:<list>)\n");
#endif
printf("-B <num> Benchmark throughput using <num> bytes and print stats\n");
printf("-s Use pre Shared keys\n");

2
examples/server/server.c
View File

@@ -200,7 +200,7 @@ static void Usage(void)
DEFAULT_MIN_DHKEY_BITS);
#endif
#ifdef HAVE_ALPN
printf("-L <str> Application-Layer Protocole Name ({C,F}:<list>)\n");
printf("-L <str> Application-Layer Protocol Negotiation ({C,F}:<list>)\n");
#endif
printf("-d Disable client cert check\n");
printf("-b Bind to any interface instead of localhost only\n");

1
pull_to_vagrant.sh
View File

@@ -10,4 +10,5 @@ rsync -rvt /$SRC/.git ~/$DST/
rsync -rvt /$SRC/IDE ~/$DST/
rsync -rvt /$SRC/mcapi ~/$DST/
rsync -rvt /$SRC/mplabx ~/$DST/
rsync -rvt /$SRC/certs ~/$DST/
rsync -rvt /$SRC/configure.ac ~/$DST/

27
src/internal.c
View File

@@ -4450,6 +4450,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
(void)doCrlLookup;
#ifdef HAVE_OCSP
if (ssl->ctx->cm->ocspEnabled) {
WOLFSSL_MSG("Doing Leaf OCSP check");
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
if (ret != 0) {
@@ -10363,7 +10364,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
if (name == WOLFSSL_QSH) {
if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the length of buffer
used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx,
@@ -11068,7 +11069,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
if (name == WOLFSSL_QSH) {
if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the length of buffer used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx,
size, 0)) < 0)
@@ -11904,7 +11905,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
return MEMORY_E;
/* extension type */
c16toa(WOLFSSL_QSH, output + idx);
c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx);
idx += OPAQUE16_LEN;
/* write to output and check amount written */
@@ -12664,7 +12665,7 @@ int DoSessionTicket(WOLFSSL* ssl,
return MEMORY_E;
/* extension type */
c16toa(WOLFSSL_QSH, output + idx);
c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx);
idx += OPAQUE16_LEN;
/* write to output and check amount written */
@@ -12813,7 +12814,7 @@ int DoSessionTicket(WOLFSSL* ssl,
QSH_KeyExchangeWrite(ssl, 1);
/* extension type */
c16toa(WOLFSSL_QSH, output + idx);
c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx);
idx += OPAQUE16_LEN;
/* write to output and check amount written */
@@ -13454,7 +13455,7 @@ int DoSessionTicket(WOLFSSL* ssl,
QSH_KeyExchangeWrite(ssl, 1);
/* extension type */
c16toa(WOLFSSL_QSH, output + idx);
c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx);
idx += OPAQUE16_LEN;
/* write to output and check amount written */
@@ -13996,7 +13997,7 @@ int DoSessionTicket(WOLFSSL* ssl,
QSH_KeyExchangeWrite(ssl, 1);
/* extension type */
c16toa(WOLFSSL_QSH, output + idx);
c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx);
idx += OPAQUE16_LEN;
/* write to output and check amount written */
@@ -15374,7 +15375,7 @@ int DoSessionTicket(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
if (name == WOLFSSL_QSH) {
if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the
length of buffer used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input
@@ -15452,7 +15453,7 @@ int DoSessionTicket(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
if (name == WOLFSSL_QSH) {
if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the length of
buffer used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx,
@@ -15514,7 +15515,7 @@ int DoSessionTicket(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
if (name == WOLFSSL_QSH) {
if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the length of
buffer used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx,
@@ -15602,7 +15603,7 @@ int DoSessionTicket(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
if (name == WOLFSSL_QSH) {
if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the length of
buffer used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx,
@@ -15657,7 +15658,7 @@ int DoSessionTicket(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
if (name == WOLFSSL_QSH) {
if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the length of
buffer used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx,
@@ -15752,7 +15753,7 @@ int DoSessionTicket(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
if (name == WOLFSSL_QSH) {
if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the length of
buffer used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx,

31
src/ssl.c
View File

@@ -690,8 +690,9 @@ int wolfSSL_UseSNI(WOLFSSL* ssl, byte type, const void* data, word16 size)
return TLSX_UseSNI(&ssl->extensions, type, data, size);
}
int wolfSSL_CTX_UseSNI(WOLFSSL_CTX* ctx, byte type,
const void* data, word16 size)
int wolfSSL_CTX_UseSNI(WOLFSSL_CTX* ctx, byte type, const void* data,
word16 size)
{
if (ctx == NULL)
return BAD_FUNC_ARG;
@@ -707,17 +708,20 @@ void wolfSSL_SNI_SetOptions(WOLFSSL* ssl, byte type, byte options)
TLSX_SNI_SetOptions(ssl->extensions, type, options);
}
void wolfSSL_CTX_SNI_SetOptions(WOLFSSL_CTX* ctx, byte type, byte options)
{
if (ctx && ctx->extensions)
TLSX_SNI_SetOptions(ctx->extensions, type, options);
}
byte wolfSSL_SNI_Status(WOLFSSL* ssl, byte type)
{
return TLSX_SNI_Status(ssl ? ssl->extensions : NULL, type);
}
word16 wolfSSL_SNI_GetRequest(WOLFSSL* ssl, byte type, void** data)
{
if (data)
@@ -729,6 +733,7 @@ word16 wolfSSL_SNI_GetRequest(WOLFSSL* ssl, byte type, void** data)
return 0;
}
int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
byte type, byte* sni, word32* inOutSz)
{
@@ -745,6 +750,7 @@ int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
#ifdef HAVE_MAX_FRAGMENT
#ifndef NO_WOLFSSL_CLIENT
int wolfSSL_UseMaxFragment(WOLFSSL* ssl, byte mfl)
{
if (ssl == NULL)
@@ -753,6 +759,7 @@ int wolfSSL_UseMaxFragment(WOLFSSL* ssl, byte mfl)
return TLSX_UseMaxFragment(&ssl->extensions, mfl);
}
int wolfSSL_CTX_UseMaxFragment(WOLFSSL_CTX* ctx, byte mfl)
{
if (ctx == NULL)
@@ -760,11 +767,13 @@ int wolfSSL_CTX_UseMaxFragment(WOLFSSL_CTX* ctx, byte mfl)
return TLSX_UseMaxFragment(&ctx->extensions, mfl);
}
#endif /* NO_WOLFSSL_CLIENT */
#endif /* HAVE_MAX_FRAGMENT */
#ifdef HAVE_TRUNCATED_HMAC
#ifndef NO_WOLFSSL_CLIENT
int wolfSSL_UseTruncatedHMAC(WOLFSSL* ssl)
{
if (ssl == NULL)
@@ -773,6 +782,7 @@ int wolfSSL_UseTruncatedHMAC(WOLFSSL* ssl)
return TLSX_UseTruncatedHMAC(&ssl->extensions);
}
int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx)
{
if (ctx == NULL)
@@ -780,6 +790,7 @@ int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx)
return TLSX_UseTruncatedHMAC(&ctx->extensions);
}
#endif /* NO_WOLFSSL_CLIENT */
#endif /* HAVE_TRUNCATED_HMAC */
@@ -808,6 +819,7 @@ int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name)
return TLSX_UseSupportedCurve(&ssl->extensions, name);
}
int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx, word16 name)
{
if (ctx == NULL)
@@ -885,7 +897,7 @@ int wolfSSL_UseSupportedQSH(WOLFSSL* ssl, word16 name)
#endif /* HAVE_QSH */
/* Application-Layer Procotol Name */
/* Application-Layer Procotol Negotiation */
#ifdef HAVE_ALPN
int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list,
@@ -988,7 +1000,7 @@ int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl)
ret = TLSX_UseSecureRenegotiation(&ssl->extensions);
if (ret == SSL_SUCCESS) {
TLSX* extension = TLSX_Find(ssl->extensions, SECURE_RENEGOTIATION);
TLSX* extension = TLSX_Find(ssl->extensions, TLSX_RENEGOTIATION_INFO);
if (extension)
ssl->secure_renegotiation = (SecureRenegotiation*)extension->data;
@@ -2475,7 +2487,7 @@ static int wolfssl_encrypt_buffer_key(byte* der, word32 derSz, byte* password,
#ifdef WOLFSSL_SMALL_STACK
XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
if (ret == MP_OKAY)
return SSL_SUCCESS;
else if (ret == SSL_BAD_FILE)
@@ -11849,7 +11861,7 @@ char *wolfSSL_BN_bn2dec(const WOLFSSL_BIGNUM *bn)
XFREE(buf, NULL, DYNAMIC_TYPE_ECC);
return NULL;
}
return buf;
}
#else
@@ -14872,7 +14884,7 @@ int wolfSSL_EC_POINT_cmp(const WOLFSSL_EC_GROUP *group,
int ret;
(void)ctx;
WOLFSSL_ENTER("wolfSSL_EC_POINT_cmp");
if (group == NULL || a == NULL || a->internal == NULL || b == NULL ||
@@ -15342,7 +15354,7 @@ int wolfSSL_PEM_write_ECPrivateKey(FILE *fp, WOLFSSL_EC_KEY *ecc,
WOLFSSL_MSG("ECC private key file write failed");
return SSL_FAILURE;
}
XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER);
return SSL_SUCCESS;
}
@@ -15517,7 +15529,7 @@ int wolfSSL_PEM_write_DSAPrivateKey(FILE *fp, WOLFSSL_DSA *dsa,
WOLFSSL_MSG("DSA private key file write failed");
return SSL_FAILURE;
}
XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER);
return SSL_SUCCESS;
}
@@ -17091,4 +17103,3 @@ void* wolfSSL_get_jobject(WOLFSSL* ssl)
#endif /* WOLFSSL_JNI */
#endif /* WOLFCRYPT_ONLY */

214
src/tls.c
View File

@@ -755,7 +755,7 @@ static INLINE word16 TLSX_ToSemaphore(word16 type)
{
switch (type) {
case SECURE_RENEGOTIATION: /* 0xFF01 */
case TLSX_RENEGOTIATION_INFO: /* 0xFF01 */
return 63;
default:
@@ -784,7 +784,7 @@ static INLINE word16 TLSX_ToSemaphore(word16 type)
/** Creates a new extension. */
static TLSX* TLSX_New(TLSX_Type type, void* data)
{
TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), 0, DYNAMIC_TYPE_TLSX);
TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), NULL, DYNAMIC_TYPE_TLSX);
if (extension) {
extension->type = type;
@@ -845,6 +845,9 @@ void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type)
#endif
/******************************************************************************/
/* Application-Layer Protocol Negotiation */
/******************************************************************************/
#ifdef HAVE_ALPN
/** Creates a new ALPN object, providing protocol name to use. */
@@ -981,7 +984,7 @@ static int TLSX_SetALPN(TLSX** extensions, const void* data, word16 size)
alpn->negociated = 1;
ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn);
ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL, (void*)alpn);
if (ret != 0) {
TLSX_ALPN_Free(alpn);
return ret;
@@ -1001,9 +1004,10 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length,
TLSX *extension;
ALPN *alpn = NULL, *list;
extension = TLSX_Find(ssl->extensions, WOLFSSL_ALPN);
extension = TLSX_Find(ssl->extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
if (extension == NULL)
extension = TLSX_Find(ssl->ctx->extensions, WOLFSSL_ALPN);
extension = TLSX_Find(ssl->ctx->extensions,
TLSX_APPLICATION_LAYER_PROTOCOL);
if (extension == NULL || extension->data == NULL) {
WOLFSSL_MSG("No ALPN extensions not used or bad");
@@ -1088,7 +1092,7 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length,
/* reply to ALPN extension sent from client */
if (isRequest) {
#ifndef NO_WOLFSSL_SERVER
TLSX_SetResponse(ssl, WOLFSSL_ALPN);
TLSX_SetResponse(ssl, TLSX_APPLICATION_LAYER_PROTOCOL);
#endif
}
@@ -1114,9 +1118,10 @@ int TLSX_UseALPN(TLSX** extensions, const void* data, word16 size, byte options)
/* Set Options of ALPN */
alpn->options = options;
extension = TLSX_Find(*extensions, WOLFSSL_ALPN);
extension = TLSX_Find(*extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
if (extension == NULL) {
ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn);
ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL,
(void*)alpn);
if (ret != 0) {
TLSX_ALPN_Free(alpn);
return ret;
@@ -1140,7 +1145,7 @@ int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz)
if (extensions == NULL || data == NULL || dataSz == NULL)
return BAD_FUNC_ARG;
extension = TLSX_Find(extensions, WOLFSSL_ALPN);
extension = TLSX_Find(extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
if (extension == NULL) {
WOLFSSL_MSG("TLS extension not found");
return SSL_ALPN_NOT_FOUND;
@@ -1192,13 +1197,16 @@ int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz)
#endif /* HAVE_ALPN */
/* Server Name Indication */
/******************************************************************************/
/* Server Name Indication */
/******************************************************************************/
#ifdef HAVE_SNI
/** Creates a new SNI object. */
static SNI* TLSX_SNI_New(byte type, const void* data, word16 size)
{
SNI* sni = (SNI*)XMALLOC(sizeof(SNI), 0, DYNAMIC_TYPE_TLSX);
SNI* sni = (SNI*)XMALLOC(sizeof(SNI), NULL, DYNAMIC_TYPE_TLSX);
if (sni) {
sni->type = type;
@@ -1211,7 +1219,7 @@ static SNI* TLSX_SNI_New(byte type, const void* data, word16 size)
switch (sni->type) {
case WOLFSSL_SNI_HOST_NAME:
sni->data.host_name = XMALLOC(size + 1, 0, DYNAMIC_TYPE_TLSX);
sni->data.host_name = XMALLOC(size+1, NULL, DYNAMIC_TYPE_TLSX);
if (sni->data.host_name) {
XSTRNCPY(sni->data.host_name, (const char*)data, size);
@@ -1325,7 +1333,7 @@ static SNI* TLSX_SNI_Find(SNI *list, byte type)
/** Sets the status of a SNI object. */
static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status)
{
TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
if (sni)
@@ -1335,7 +1343,7 @@ static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status)
/** Gets the status of a SNI object. */
byte TLSX_SNI_Status(TLSX* extensions, byte type)
{
TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
if (sni)
@@ -1356,10 +1364,10 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
int cacheOnly = 0;
#endif
TLSX *extension = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION);
TLSX *extension = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME);
if (!extension)
extension = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION);
extension = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME);
(void)isRequest;
(void)input;
@@ -1438,7 +1446,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
TLSX_SNI_SetStatus(ssl->extensions, type, matchStat);
if(!cacheOnly)
TLSX_SetResponse(ssl, SERVER_NAME_INDICATION);
TLSX_SetResponse(ssl, TLSX_SERVER_NAME);
} else if (!(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) {
SendAlert(ssl, alert_fatal, unrecognized_name);
@@ -1461,8 +1469,8 @@ static int TLSX_SNI_VerifyParse(WOLFSSL* ssl, byte isRequest)
if (isRequest) {
#ifndef NO_WOLFSSL_SERVER
TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION);
TLSX* ssl_ext = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION);
TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME);
TLSX* ssl_ext = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME);
SNI* ctx_sni = ctx_ext ? ctx_ext->data : NULL;
SNI* ssl_sni = ssl_ext ? ssl_ext->data : NULL;
SNI* sni = NULL;
@@ -1502,7 +1510,7 @@ static int TLSX_SNI_VerifyParse(WOLFSSL* ssl, byte isRequest)
int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size)
{
TLSX* extension = TLSX_Find(*extensions, SERVER_NAME_INDICATION);
TLSX* extension = TLSX_Find(*extensions, TLSX_SERVER_NAME);
SNI* sni = NULL;
if (extensions == NULL || data == NULL)
@@ -1512,7 +1520,7 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size)
return MEMORY_E;
if (!extension) {
int ret = TLSX_Push(extensions, SERVER_NAME_INDICATION, (void*)sni);
int ret = TLSX_Push(extensions, TLSX_SERVER_NAME, (void*)sni);
if (ret != 0) {
TLSX_SNI_Free(sni);
return ret;
@@ -1546,7 +1554,7 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size)
/** Tells the SNI requested by the client. */
word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data)
{
TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
if (sni && sni->status != WOLFSSL_SNI_NO_MATCH) {
@@ -1563,7 +1571,7 @@ word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data)
/** Sets the options for a SNI object. */
void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options)
{
TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
if (sni)
@@ -1681,7 +1689,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
if (helloSz < offset + extLen)
return BUFFER_ERROR;
if (extType != SERVER_NAME_INDICATION) {
if (extType != TLSX_SERVER_NAME) {
offset += extLen; /* skip extension */
} else {
word16 listLen;
@@ -1739,6 +1747,10 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
#endif /* HAVE_SNI */
/******************************************************************************/
/* Max Fragment Length Negotiation */
/******************************************************************************/
#ifdef HAVE_MAX_FRAGMENT
static word16 TLSX_MFL_Write(byte* data, byte* output)
@@ -1775,7 +1787,7 @@ static int TLSX_MFL_Parse(WOLFSSL* ssl, byte* input, word16 length,
if (r != SSL_SUCCESS) return r; /* throw error */
TLSX_SetResponse(ssl, MAX_FRAGMENT_LENGTH);
TLSX_SetResponse(ssl, TLSX_MAX_FRAGMENT_LENGTH);
}
#endif
@@ -1793,13 +1805,13 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl)
if (mfl < WOLFSSL_MFL_2_9 || WOLFSSL_MFL_2_13 < mfl)
return BAD_FUNC_ARG;
if ((data = XMALLOC(ENUM_LEN, 0, DYNAMIC_TYPE_TLSX)) == NULL)
if ((data = XMALLOC(ENUM_LEN, NULL, DYNAMIC_TYPE_TLSX)) == NULL)
return MEMORY_E;
data[0] = mfl;
/* push new MFL extension. */
if ((ret = TLSX_Push(extensions, MAX_FRAGMENT_LENGTH, data)) != 0) {
if ((ret = TLSX_Push(extensions, TLSX_MAX_FRAGMENT_LENGTH, data)) != 0) {
XFREE(data, 0, DYNAMIC_TYPE_TLSX);
return ret;
}
@@ -1822,6 +1834,10 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl)
#endif /* HAVE_MAX_FRAGMENT */
/******************************************************************************/
/* Truncated HMAC */
/******************************************************************************/
#ifdef HAVE_TRUNCATED_HMAC
static int TLSX_THM_Parse(WOLFSSL* ssl, byte* input, word16 length,
@@ -1836,9 +1852,10 @@ static int TLSX_THM_Parse(WOLFSSL* ssl, byte* input, word16 length,
if (isRequest) {
int r = TLSX_UseTruncatedHMAC(&ssl->extensions);
if (r != SSL_SUCCESS) return r; /* throw error */
if (r != SSL_SUCCESS)
return r; /* throw error */
TLSX_SetResponse(ssl, TRUNCATED_HMAC);
TLSX_SetResponse(ssl, TLSX_TRUNCATED_HMAC);
}
#endif
@@ -1854,7 +1871,7 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions)
if (extensions == NULL)
return BAD_FUNC_ARG;
if ((ret = TLSX_Push(extensions, TRUNCATED_HMAC, NULL)) != 0)
if ((ret = TLSX_Push(extensions, TLSX_TRUNCATED_HMAC, NULL)) != 0)
return ret;
return SSL_SUCCESS;
@@ -1868,6 +1885,10 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions)
#endif /* HAVE_TRUNCATED_HMAC */
/******************************************************************************/
/* Supported Elliptic Curves */
/******************************************************************************/
#ifdef HAVE_SUPPORTED_CURVES
#ifndef HAVE_ECC
@@ -1887,12 +1908,14 @@ static void TLSX_EllipticCurve_FreeAll(EllipticCurve* list)
static int TLSX_EllipticCurve_Append(EllipticCurve** list, word16 name)
{
EllipticCurve* curve;
EllipticCurve* curve = NULL;
if (list == NULL)
return BAD_FUNC_ARG;
if ((curve = XMALLOC(sizeof(EllipticCurve), 0, DYNAMIC_TYPE_TLSX)) == NULL)
curve = (EllipticCurve*)XMALLOC(sizeof(EllipticCurve), NULL,
DYNAMIC_TYPE_TLSX);
if (curve == NULL)
return MEMORY_E;
curve->name = name;
@@ -1914,7 +1937,7 @@ static void TLSX_EllipticCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
return;
/* turns semaphore on to avoid sending this extension. */
TURN_ON(semaphore, TLSX_ToSemaphore(ELLIPTIC_CURVES));
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS));
}
static word16 TLSX_EllipticCurve_GetSize(EllipticCurve* list)
@@ -1988,7 +2011,7 @@ static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length,
int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
TLSX* extension = (first == ECC_BYTE)
? TLSX_Find(ssl->extensions, ELLIPTIC_CURVES)
? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)
: NULL;
EllipticCurve* curve = NULL;
word32 oid = 0;
@@ -2097,7 +2120,7 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
int TLSX_UseSupportedCurve(TLSX** extensions, word16 name)
{
TLSX* extension = TLSX_Find(*extensions, ELLIPTIC_CURVES);
TLSX* extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS);
EllipticCurve* curve = NULL;
int ret = 0;
@@ -2108,7 +2131,7 @@ int TLSX_UseSupportedCurve(TLSX** extensions, word16 name)
return ret;
if (!extension) {
if ((ret = TLSX_Push(extensions, ELLIPTIC_CURVES, curve)) != 0) {
if ((ret = TLSX_Push(extensions, TLSX_SUPPORTED_GROUPS, curve)) != 0) {
XFREE(curve, 0, DYNAMIC_TYPE_TLSX);
return ret;
}
@@ -2161,6 +2184,10 @@ int TLSX_UseSupportedCurve(TLSX** extensions, word16 name)
#endif /* HAVE_SUPPORTED_CURVES */
/******************************************************************************/
/* Renegotiation Indication */
/******************************************************************************/
#ifdef HAVE_SECURE_RENEGOTIATION
static byte TLSX_SecureRenegotiation_GetSize(SecureRenegotiation* data,
@@ -2259,7 +2286,7 @@ int TLSX_UseSecureRenegotiation(TLSX** extensions)
XMEMSET(data, 0, sizeof(SecureRenegotiation));
ret = TLSX_Push(extensions, SECURE_RENEGOTIATION, data);
ret = TLSX_Push(extensions, TLSX_RENEGOTIATION_INFO, data);
if (ret != 0) {
XFREE(data, 0, DYNAMIC_TYPE_TLSX);
return ret;
@@ -2283,11 +2310,15 @@ int TLSX_UseSecureRenegotiation(TLSX** extensions)
#endif /* HAVE_SECURE_RENEGOTIATION */
/******************************************************************************/
/* Session Tickets */
/******************************************************************************/
#ifdef HAVE_SESSION_TICKET
static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl)
{
TLSX* extension = TLSX_Find(ssl->extensions, SESSION_TICKET);
TLSX* extension = TLSX_Find(ssl->extensions, TLSX_SESSION_TICKET);
SessionTicket* ticket = extension ? extension->data : NULL;
if (ticket) {
@@ -2345,7 +2376,7 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length,
ret = TLSX_UseSessionTicket(&ssl->extensions, NULL);
if (ret == SSL_SUCCESS) {
ret = 0;
TLSX_SetResponse(ssl, SESSION_TICKET); /* send blank ticket */
TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); /* send blank ticket */
ssl->options.createTicket = 1; /* will send ticket msg */
ssl->options.useTicket = 1;
}
@@ -2361,7 +2392,7 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length,
ret = TLSX_UseSessionTicket(&ssl->extensions, NULL);
if (ret == SSL_SUCCESS) {
ret = 0;
TLSX_SetResponse(ssl, SESSION_TICKET);
TLSX_SetResponse(ssl, TLSX_SESSION_TICKET);
/* send blank ticket */
ssl->options.createTicket = 1; /* will send ticket msg */
ssl->options.useTicket = 1;
@@ -2416,7 +2447,7 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket)
/* If the ticket is NULL, the client will request a new ticket from the
server. Otherwise, the client will use it in the next client hello. */
if ((ret = TLSX_Push(extensions, SESSION_TICKET, (void*)ticket)) != 0)
if ((ret = TLSX_Push(extensions, TLSX_SESSION_TICKET, (void*)ticket)) != 0)
return ret;
return SSL_SUCCESS;
@@ -2436,6 +2467,9 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket)
#endif /* HAVE_SESSION_TICKET */
/******************************************************************************/
/* Quantum-Safe-Hybrid */
/******************************************************************************/
#ifdef HAVE_QSH
static WC_RNG* rng;
@@ -2459,7 +2493,7 @@ static int TLSX_QSH_Append(QSHScheme** list, word16 name, byte* pub,
if (list == NULL)
return BAD_FUNC_ARG;
if ((temp = XMALLOC(sizeof(QSHScheme), 0, DYNAMIC_TYPE_TLSX)) == NULL)
if ((temp = XMALLOC(sizeof(QSHScheme), NULL, DYNAMIC_TYPE_TLSX)) == NULL)
return MEMORY_E;
temp->name = name;
@@ -2499,7 +2533,7 @@ static void TLSX_QSH_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
return;
/* No QSH suite found */
TURN_ON(semaphore, TLSX_ToSemaphore(WOLFSSL_QSH));
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_QUANTUM_SAFE_HYBRID));
}
@@ -2610,7 +2644,7 @@ word16 TLSX_QSHPK_Write(QSHScheme* list, byte* output)
static void TLSX_QSHAgreement(TLSX** extensions)
{
TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH);
TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID);
QSHScheme* format = NULL;
QSHScheme* delete = NULL;
QSHScheme* prev = NULL;
@@ -2735,7 +2769,7 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length,
while ((offset_len < offset_pk) && numKeys) {
QSHKey * temp;
if ((temp = XMALLOC(sizeof(QSHKey), 0, DYNAMIC_TYPE_TLSX)) == NULL)
if ((temp = XMALLOC(sizeof(QSHKey), NULL, DYNAMIC_TYPE_TLSX)) == NULL)
return MEMORY_E;
/* initialize */
@@ -2768,7 +2802,7 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length,
/* read in public key */
if (PKLen > 0) {
temp->pub.buffer = (byte*)XMALLOC(temp->pub.length,
0, DYNAMIC_TYPE_PUBLIC_KEY);
NULL, DYNAMIC_TYPE_PUBLIC_KEY);
XMEMCPY(temp->pub.buffer, input + offset_len, temp->pub.length);
offset_len += PKLen;
}
@@ -2797,7 +2831,7 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length,
/* reply to a QSH extension sent from client */
if (isRequest) {
TLSX_SetResponse(ssl, WOLFSSL_QSH);
TLSX_SetResponse(ssl, TLSX_QUANTUM_SAFE_HYBRID);
/* only use schemes we have key generated for -- free the rest */
TLSX_QSHAgreement(&ssl->extensions);
}
@@ -2903,7 +2937,7 @@ int TLSX_QSHCipher_Parse(WOLFSSL* ssl, const byte* input, word16 length,
/* return 1 on success */
int TLSX_ValidateQSHScheme(TLSX** extensions, word16 theirs) {
TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH);
TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID);
QSHScheme* format = NULL;
/* if no extension is sent then do not use QSH */
@@ -2947,7 +2981,7 @@ static int TLSX_HaveQSHScheme(word16 name)
/* Add a QSHScheme struct to list of usable ones */
int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz)
{
TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH);
TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID);
QSHScheme* format = NULL;
int ret = 0;
@@ -2961,7 +2995,8 @@ int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz)
return ret;
if (!extension) {
if ((ret = TLSX_Push(extensions, WOLFSSL_QSH, format)) != 0) {
if ((ret = TLSX_Push(extensions, TLSX_QUANTUM_SAFE_HYBRID, format))
!= 0) {
XFREE(format, 0, DYNAMIC_TYPE_TLSX);
return ret;
}
@@ -3018,6 +3053,9 @@ int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz)
#endif /* HAVE_QSH */
/******************************************************************************/
/* TLS Extensions Framework */
/******************************************************************************/
/** Finds an extension in the provided list. */
TLSX* TLSX_Find(TLSX* list, TLSX_Type type)
@@ -3040,35 +3078,35 @@ void TLSX_FreeAll(TLSX* list)
switch (extension->type) {
case SERVER_NAME_INDICATION:
case TLSX_SERVER_NAME:
SNI_FREE_ALL((SNI*)extension->data);
break;
case MAX_FRAGMENT_LENGTH:
case TLSX_MAX_FRAGMENT_LENGTH:
MFL_FREE_ALL(extension->data);
break;
case TRUNCATED_HMAC:
case TLSX_TRUNCATED_HMAC:
/* Nothing to do. */
break;
case ELLIPTIC_CURVES:
case TLSX_SUPPORTED_GROUPS:
EC_FREE_ALL(extension->data);
break;
case SECURE_RENEGOTIATION:
case TLSX_RENEGOTIATION_INFO:
SCR_FREE_ALL(extension->data);
break;
case SESSION_TICKET:
case TLSX_SESSION_TICKET:
/* Nothing to do. */
break;
case WOLFSSL_QSH:
case TLSX_QUANTUM_SAFE_HYBRID:
QSH_FREE_ALL(extension->data);
break;
case WOLFSSL_ALPN:
case TLSX_APPLICATION_LAYER_PROTOCOL:
ALPN_FREE_ALL((ALPN*)extension->data);
break;
}
@@ -3105,37 +3143,37 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
switch (extension->type) {
case SERVER_NAME_INDICATION:
case TLSX_SERVER_NAME:
/* SNI only sends the name on the request. */
if (isRequest)
length += SNI_GET_SIZE(extension->data);
break;
case MAX_FRAGMENT_LENGTH:
case TLSX_MAX_FRAGMENT_LENGTH:
length += MFL_GET_SIZE(extension->data);
break;
case TRUNCATED_HMAC:
case TLSX_TRUNCATED_HMAC:
/* always empty. */
break;
case ELLIPTIC_CURVES:
case TLSX_SUPPORTED_GROUPS:
length += EC_GET_SIZE(extension->data);
break;
case SECURE_RENEGOTIATION:
case TLSX_RENEGOTIATION_INFO:
length += SCR_GET_SIZE(extension->data, isRequest);
break;
case SESSION_TICKET:
case TLSX_SESSION_TICKET:
length += STK_GET_SIZE(extension->data, isRequest);
break;
case WOLFSSL_QSH:
case TLSX_QUANTUM_SAFE_HYBRID:
length += QSH_GET_SIZE(extension->data, isRequest);
break;
case WOLFSSL_ALPN:
case TLSX_APPLICATION_LAYER_PROTOCOL:
length += ALPN_GET_SIZE(extension->data);
break;
@@ -3175,34 +3213,34 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
/* extension data should be written internally. */
switch (extension->type) {
case SERVER_NAME_INDICATION:
case TLSX_SERVER_NAME:
if (isRequest)
offset += SNI_WRITE(extension->data, output + offset);
break;
case MAX_FRAGMENT_LENGTH:
case TLSX_MAX_FRAGMENT_LENGTH:
offset += MFL_WRITE(extension->data, output + offset);
break;
case TRUNCATED_HMAC:
case TLSX_TRUNCATED_HMAC:
/* always empty. */
break;
case ELLIPTIC_CURVES:
case TLSX_SUPPORTED_GROUPS:
offset += EC_WRITE(extension->data, output + offset);
break;
case SECURE_RENEGOTIATION:
case TLSX_RENEGOTIATION_INFO:
offset += SCR_WRITE(extension->data, output + offset,
isRequest);
break;
case SESSION_TICKET:
case TLSX_SESSION_TICKET:
offset += STK_WRITE(extension->data, output + offset,
isRequest);
break;
case WOLFSSL_QSH:
case TLSX_QUANTUM_SAFE_HYBRID:
if (isRequest) {
offset += QSH_WRITE(extension->data, output + offset);
}
@@ -3210,7 +3248,7 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
offset += QSH_SERREQ(output + offset, isRequest);
break;
case WOLFSSL_ALPN:
case TLSX_APPLICATION_LAYER_PROTOCOL:
offset += ALPN_WRITE(extension->data, output + offset);
break;
}
@@ -3234,14 +3272,14 @@ static word32 GetEntropy(unsigned char* out, word32 num_bytes)
int ret = 0;
if (rng == NULL) {
if ((rng = XMALLOC(sizeof(WC_RNG), 0, DYNAMIC_TYPE_TLSX)) == NULL)
if ((rng = XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_TLSX)) == NULL)
return DRBG_OUT_OF_MEMORY;
wc_InitRng(rng);
}
if (rngMutex == NULL) {
if ((rngMutex = XMALLOC(sizeof(wolfSSL_Mutex), 0,
DYNAMIC_TYPE_TLSX)) == NULL)
if ((rngMutex = XMALLOC(sizeof(wolfSSL_Mutex), NULL,
DYNAMIC_TYPE_TLSX)) == NULL)
return DRBG_OUT_OF_MEMORY;
InitMutex(rngMutex);
}
@@ -3360,7 +3398,7 @@ int TLSX_CreateNtruKey(WOLFSSL* ssl, int type)
return ret;
}
if ((temp = XMALLOC(sizeof(QSHKey), 0, DYNAMIC_TYPE_TLSX)) == NULL)
if ((temp = XMALLOC(sizeof(QSHKey), NULL, DYNAMIC_TYPE_TLSX)) == NULL)
return MEMORY_E;
temp->name = type;
temp->pub.length = public_key_len;
@@ -3471,7 +3509,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
}
else if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) {
/* for each scheme make a client key */
extension = TLSX_Find(ssl->extensions, WOLFSSL_QSH);
extension = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID);
if (extension) {
qsh = (QSHScheme*)extension->data;
@@ -3596,7 +3634,7 @@ word16 TLSX_GetResponseSize(WOLFSSL* ssl)
#ifdef HAVE_QSH
/* change response if not using TLS_QSH */
if (!ssl->options.haveQSH) {
TLSX* ext = TLSX_Find(ssl->extensions, WOLFSSL_QSH);
TLSX* ext = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID);
if (ext)
ext->resp = 0;
}
@@ -3661,49 +3699,49 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest,
return BUFFER_ERROR;
switch (type) {
case SERVER_NAME_INDICATION:
case TLSX_SERVER_NAME:
WOLFSSL_MSG("SNI extension received");
ret = SNI_PARSE(ssl, input + offset, size, isRequest);
break;
case MAX_FRAGMENT_LENGTH:
case TLSX_MAX_FRAGMENT_LENGTH:
WOLFSSL_MSG("Max Fragment Length extension received");
ret = MFL_PARSE(ssl, input + offset, size, isRequest);
break;
case TRUNCATED_HMAC:
case TLSX_TRUNCATED_HMAC:
WOLFSSL_MSG("Truncated HMAC extension received");
ret = THM_PARSE(ssl, input + offset, size, isRequest);
break;
case ELLIPTIC_CURVES:
case TLSX_SUPPORTED_GROUPS:
WOLFSSL_MSG("Elliptic Curves extension received");
ret = EC_PARSE(ssl, input + offset, size, isRequest);
break;
case SECURE_RENEGOTIATION:
case TLSX_RENEGOTIATION_INFO:
WOLFSSL_MSG("Secure Renegotiation extension received");
ret = SCR_PARSE(ssl, input + offset, size, isRequest);
break;
case SESSION_TICKET:
case TLSX_SESSION_TICKET:
WOLFSSL_MSG("Session Ticket extension received");
ret = STK_PARSE(ssl, input + offset, size, isRequest);
break;
case WOLFSSL_QSH:
case TLSX_QUANTUM_SAFE_HYBRID:
WOLFSSL_MSG("Quantum-Safe-Hybrid extension received");
ret = QSH_PARSE(ssl, input + offset, size, isRequest);
break;
case WOLFSSL_ALPN:
case TLSX_APPLICATION_LAYER_PROTOCOL:
WOLFSSL_MSG("ALPN extension received");
ret = ALPN_PARSE(ssl, input + offset, size, isRequest);

9
wolfcrypt/src/asn.c
View File

@@ -8602,8 +8602,13 @@ static int DecodeResponseData(byte* source,
if (DecodeSingleResponse(source, &idx, resp, size) < 0)
return ASN_PARSE_E;
if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0)
return ASN_PARSE_E;
/*
* Check the length of the ResponseData against the current index to
* see if there are extensions, they are optional.
*/
if (idx - prev_idx < resp->responseSz)
if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0)
return ASN_PARSE_E;
*ioIndex = idx;
return 0;

115
wolfssl/internal.h
View File

@@ -868,7 +868,7 @@ enum Misc {
COMP_LEN = 1, /* compression length */
CURVE_LEN = 2, /* ecc named curve length */
SERVER_ID_LEN = 20, /* server session id length */
HANDSHAKE_HEADER_SZ = 4, /* type + length(3) */
RECORD_HEADER_SZ = 5, /* type + version + len(2) */
CERT_HEADER_SZ = 3, /* always 3 bytes */
@@ -897,7 +897,7 @@ enum Misc {
MAX_PRF_LABSEED = 128, /* Maximum label + seed len */
MAX_PRF_DIG = 224, /* Maximum digest len */
MAX_REQUEST_SZ = 256, /* Maximum cert req len (no auth yet */
SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */
SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */
RC4_KEY_SIZE = 16, /* always 128bit */
DES_KEY_SIZE = 8, /* des */
@@ -1156,7 +1156,7 @@ enum {
/* only the sniffer needs space in the buffer for extra MTU record(s) */
#ifdef WOLFSSL_SNIFFER
#define MTU_EXTRA MAX_MTU * 3
#define MTU_EXTRA MAX_MTU * 3
#else
#define MTU_EXTRA 0
#endif
@@ -1174,9 +1174,9 @@ enum {
#define RECORD_SIZE MAX_RECORD_SIZE
#else
#ifdef WOLFSSL_DTLS
#define RECORD_SIZE MAX_MTU
#define RECORD_SIZE MAX_MTU
#else
#define RECORD_SIZE 128
#define RECORD_SIZE 128
#endif
#endif
@@ -1263,14 +1263,14 @@ typedef struct OCSP_Entry OCSP_Entry;
#define OCSP_DIGEST_SIZE SHA_DIGEST_SIZE
#endif
#ifdef NO_ASN
#ifdef NO_ASN
/* no_asn won't have */
typedef struct CertStatus CertStatus;
#endif
struct OCSP_Entry {
OCSP_Entry* next; /* next entry */
byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */
byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */
byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */
CertStatus* status; /* OCSP response list */
int totalStatus; /* number on list */
@@ -1307,8 +1307,8 @@ typedef struct CRL_Entry CRL_Entry;
/* Complete CRL */
struct CRL_Entry {
CRL_Entry* next; /* next entry */
byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */
/* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */
byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */
/* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */
/* restore the hash here if needed for optimized comparisons */
byte lastDate[MAX_DATE_SIZE]; /* last date updated */
byte nextDate[MAX_DATE_SIZE]; /* next update date */
@@ -1456,18 +1456,18 @@ typedef struct Keys {
/* RFC 6066 TLS Extensions */
/** TLS Extensions - RFC 6066 */
#ifdef HAVE_TLS_EXTENSIONS
typedef enum {
SERVER_NAME_INDICATION = 0x0000,
MAX_FRAGMENT_LENGTH = 0x0001,
TRUNCATED_HMAC = 0x0004,
ELLIPTIC_CURVES = 0x000a,
SESSION_TICKET = 0x0023,
SECURE_RENEGOTIATION = 0xff01,
WOLFSSL_QSH = 0x0018, /* Quantum-Safe-Hybrid */
WOLFSSL_ALPN = 0x0010 /* Application-Layer Protocol Name */
TLSX_SERVER_NAME = 0x0000, /* a.k.a. SNI */
TLSX_MAX_FRAGMENT_LENGTH = 0x0001,
TLSX_TRUNCATED_HMAC = 0x0004,
TLSX_SUPPORTED_GROUPS = 0x000a,
TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */
TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */
TLSX_SESSION_TICKET = 0x0023,
TLSX_RENEGOTIATION_INFO = 0xff01
} TLSX_Type;
typedef struct TLSX {
@@ -1495,19 +1495,20 @@ WOLFSSL_LOCAL word16 TLSX_WriteResponse(WOLFSSL* ssl, byte* output);
WOLFSSL_LOCAL int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length,
byte isRequest, Suites *suites);
#elif defined(HAVE_SNI) \
|| defined(HAVE_MAX_FRAGMENT) \
|| defined(HAVE_TRUNCATED_HMAC) \
|| defined(HAVE_SUPPORTED_CURVES) \
|| defined(HAVE_SECURE_RENEGOTIATION) \
|| defined(HAVE_SESSION_TICKET) \
|| defined(HAVE_ALPN)
#elif defined(HAVE_SNI) \
|| defined(HAVE_MAX_FRAGMENT) \
|| defined(HAVE_TRUNCATED_HMAC) \
|| defined(HAVE_SUPPORTED_CURVES) \
|| defined(HAVE_ALPN) \
|| defined(HAVE_QSH) \
|| defined(HAVE_SESSION_TICKET) \
|| defined(HAVE_SECURE_RENEGOTIATION)
#error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined.
#endif /* HAVE_TLS_EXTENSIONS */
/* Server Name Indication */
/** Server Name Indication - RFC 6066 (session 3) */
#ifdef HAVE_SNI
typedef struct SNI {
@@ -1535,7 +1536,7 @@ WOLFSSL_LOCAL int TLSX_SNI_GetFromBuffer(const byte* buffer, word32 bufferSz,
#endif /* HAVE_SNI */
/* Application-layer Protocol Name */
/* Application-Layer Protocol Negotiation - RFC 7301 */
#ifdef HAVE_ALPN
typedef struct ALPN {
char* protocol_name; /* ALPN protocol name */
@@ -1554,19 +1555,21 @@ WOLFSSL_LOCAL int TLSX_ALPN_SetOptions(TLSX** extensions, const byte option);
#endif /* HAVE_ALPN */
/* Maximum Fragment Length */
/** Maximum Fragment Length Negotiation - RFC 6066 (session 4) */
#ifdef HAVE_MAX_FRAGMENT
WOLFSSL_LOCAL int TLSX_UseMaxFragment(TLSX** extensions, byte mfl);
#endif /* HAVE_MAX_FRAGMENT */
/** Truncated HMAC - RFC 6066 (session 7) */
#ifdef HAVE_TRUNCATED_HMAC
WOLFSSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions);
#endif /* HAVE_TRUNCATED_HMAC */
/** Supported Elliptic Curves - RFC 4492 (session 4) */
#ifdef HAVE_SUPPORTED_CURVES
typedef struct EllipticCurve {
@@ -1583,6 +1586,7 @@ WOLFSSL_LOCAL int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first,
#endif /* HAVE_SUPPORTED_CURVES */
/** Renegotiation Indication - RFC 5746 */
#ifdef HAVE_SECURE_RENEGOTIATION
enum key_cache_state {
@@ -1593,7 +1597,6 @@ enum key_cache_state {
SCR_CACHE_COMPLETE /* complete restore to real keys */
};
/* Additional Conection State according to rfc5746 section 3.1 */
typedef struct SecureRenegotiation {
byte enabled; /* secure_renegotiation flag in rfc */
@@ -1609,6 +1612,7 @@ WOLFSSL_LOCAL int TLSX_UseSecureRenegotiation(TLSX** extensions);
#endif /* HAVE_SECURE_RENEGOTIATION */
/** Session Ticket - RFC 5077 (session 3.2) */
#ifdef HAVE_SESSION_TICKET
typedef struct SessionTicket {
@@ -1617,13 +1621,15 @@ typedef struct SessionTicket {
word16 size;
} SessionTicket;
WOLFSSL_LOCAL int TLSX_UseSessionTicket(TLSX** extensions,
WOLFSSL_LOCAL int TLSX_UseSessionTicket(TLSX** extensions,
SessionTicket* ticket);
WOLFSSL_LOCAL SessionTicket* TLSX_SessionTicket_Create(word32 lifetime,
byte* data, word16 size);
WOLFSSL_LOCAL void TLSX_SessionTicket_Free(SessionTicket* ticket);
#endif /* HAVE_SESSION_TICKET */
/** Quantum-Safe-Hybrid - draft-whyte-qsh-tls12-00 */
#ifdef HAVE_QSH
typedef struct QSHScheme {
@@ -1753,7 +1759,7 @@ struct WOLFSSL_CTX {
CallbackEccSign EccSignCb; /* User EccSign Callback handler */
CallbackEccVerify EccVerifyCb; /* User EccVerify Callback handler */
#endif /* HAVE_ECC */
#ifndef NO_RSA
#ifndef NO_RSA
CallbackRsaSign RsaSignCb; /* User RsaSign Callback handler */
CallbackRsaVerify RsaVerifyCb; /* User RsaVerify Callback handler */
CallbackRsaEnc RsaEncCb; /* User Rsa Public Encrypt handler */
@@ -1803,7 +1809,7 @@ void InitCipherSpecs(CipherSpecs* cs);
/* Supported Message Authentication Codes from page 43 */
enum MACAlgorithm {
enum MACAlgorithm {
no_mac,
md5_mac,
sha_mac,
@@ -1817,10 +1823,10 @@ enum MACAlgorithm {
/* Supported Key Exchange Protocols */
enum KeyExchangeAlgorithm {
enum KeyExchangeAlgorithm {
no_kea,
rsa_kea,
diffie_hellman_kea,
rsa_kea,
diffie_hellman_kea,
fortezza_kea,
psk_kea,
dhe_psk_kea,
@@ -1846,8 +1852,8 @@ enum EccCurves {
/* Valid client certificate request types from page 27 */
enum ClientCertificateType {
rsa_sign = 1,
enum ClientCertificateType {
rsa_sign = 1,
dss_sign = 2,
rsa_fixed_dh = 3,
dss_fixed_dh = 4,
@@ -2177,7 +2183,7 @@ struct WOLFSSL_X509_NAME {
#define EXTERNAL_SERIAL_SIZE 32
#endif
#ifdef NO_ASN
#ifdef NO_ASN
typedef struct DNS_entry DNS_entry;
#endif
@@ -2529,20 +2535,20 @@ typedef struct EncryptedInfo {
#ifdef WOLFSSL_CALLBACKS
WOLFSSL_LOCAL
void InitHandShakeInfo(HandShakeInfo*);
WOLFSSL_LOCAL
WOLFSSL_LOCAL
void FinishHandShakeInfo(HandShakeInfo*, const WOLFSSL*);
WOLFSSL_LOCAL
WOLFSSL_LOCAL
void AddPacketName(const char*, HandShakeInfo*);
WOLFSSL_LOCAL
void InitTimeoutInfo(TimeoutInfo*);
WOLFSSL_LOCAL
WOLFSSL_LOCAL
void FreeTimeoutInfo(TimeoutInfo*, void*);
WOLFSSL_LOCAL
WOLFSSL_LOCAL
void AddPacketInfo(const char*, TimeoutInfo*, const byte*, int, void*);
WOLFSSL_LOCAL
WOLFSSL_LOCAL
void AddLateName(const char*, TimeoutInfo*);
WOLFSSL_LOCAL
WOLFSSL_LOCAL
void AddLateRecordHeader(const RecordLayerHeader* rl, TimeoutInfo* info);
#endif
@@ -2550,10 +2556,10 @@ typedef struct EncryptedInfo {
/* Record Layer Header identifier from page 12 */
enum ContentType {
no_type = 0,
change_cipher_spec = 20,
alert = 21,
handshake = 22,
application_data = 23
change_cipher_spec = 20,
alert = 21,
handshake = 22,
application_data = 23
};
@@ -2576,16 +2582,16 @@ typedef struct DtlsHandShakeHeader {
enum HandShakeType {
no_shake = -1,
hello_request = 0,
client_hello = 1,
hello_request = 0,
client_hello = 1,
server_hello = 2,
hello_verify_request = 3, /* DTLS addition */
session_ticket = 4,
certificate = 11,
certificate = 11,
server_key_exchange = 12,
certificate_request = 13,
certificate_request = 13,
server_hello_done = 14,
certificate_verify = 15,
certificate_verify = 15,
client_key_exchange = 16,
finished = 20,
certificate_status = 22,
@@ -2685,7 +2691,7 @@ WOLFSSL_LOCAL int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength);
#endif /* WOLFSSL_DTLS */
#ifndef NO_TLS
#endif /* NO_TLS */
@@ -2721,4 +2727,3 @@ WOLFSSL_LOCAL int SetKeysSide(WOLFSSL*, enum encrypt_side);
#endif
#endif /* wolfSSL_INT_H */

42
wolfssl/ssl.h
View File

@@ -166,35 +166,35 @@ typedef struct WOLFSSL_X509_STORE_CTX {
/* Valid Alert types from page 16/17 */
enum AlertDescription {
close_notify = 0,
unexpected_message = 10,
bad_record_mac = 20,
record_overflow = 22,
decompression_failure = 30,
handshake_failure = 40,
no_certificate = 41,
bad_certificate = 42,
unsupported_certificate = 43,
certificate_revoked = 44,
certificate_expired = 45,
certificate_unknown = 46,
illegal_parameter = 47,
decrypt_error = 51,
close_notify = 0,
unexpected_message = 10,
bad_record_mac = 20,
record_overflow = 22,
decompression_failure = 30,
handshake_failure = 40,
no_certificate = 41,
bad_certificate = 42,
unsupported_certificate = 43,
certificate_revoked = 44,
certificate_expired = 45,
certificate_unknown = 46,
illegal_parameter = 47,
decrypt_error = 51,
#ifdef WOLFSSL_MYSQL_COMPATIBLE
/* catch name conflict for enum protocol with MYSQL build */
wc_protocol_version = 70,
wc_protocol_version = 70,
#else
protocol_version = 70,
protocol_version = 70,
#endif
no_renegotiation = 100,
unrecognized_name = 112,
no_application_protocol = 120
no_renegotiation = 100,
unrecognized_name = 112, /**< RFC 6066, section 3 */
no_application_protocol = 120
};
enum AlertLevel {
alert_warning = 1,
alert_fatal = 2
alert_fatal = 2
};
@@ -1349,7 +1349,7 @@ WOLFSSL_API int wolfSSL_SNI_GetFromBuffer(
#endif
#endif
/* Application-Layer Protocol Name */
/* Application-Layer Protocol Negotiation */
#ifdef HAVE_ALPN
/* ALPN status code */

1
wolfssl/wolfcrypt/asn.h
View File

@@ -779,4 +779,3 @@ WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL*);
#endif /* !NO_ASN */
#endif /* WOLF_CRYPT_ASN_H */