diff --git a/.gitignore b/.gitignore index dfedec021..15ee851d8 100644 --- a/.gitignore +++ b/.gitignore @@ -112,11 +112,11 @@ cov-int cyassl.tgz *.log *.trs -IDE\MDK-ARM\Projects/ -IDE\MDK-ARM\STM32F2xx_StdPeriph_Lib/inc -IDE\MDK-ARM\STM32F2xx_StdPeriph_Lib/src -IDE\MDK-ARM\LPC43xx\Drivers/ -IDE\MDK-ARM\LPC43xx\LPC43xx/ +IDE/MDK-ARM/Projects/ +IDE/MDK-ARM/STM32F2xx_StdPeriph_Lib/inc +IDE/MDK-ARM/STM32F2xx_StdPeriph_Lib/src +IDE/MDK-ARM/LPC43xx/Drivers/ +IDE/MDK-ARM/LPC43xx/LPC43xx/ *.gcno *.gcda *.gcov diff --git a/configure.ac b/configure.ac index 7e96504e8..fff155a7f 100644 --- a/configure.ac +++ b/configure.ac @@ -2488,14 +2488,14 @@ echo " * Persistent cert cache: $ENABLED_SAVECERT" echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER" echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS" echo " * NTRU: $ENABLED_NTRU" -echo " * SNI: $ENABLED_SNI" +echo " * Server Name Indication: $ENABLED_SNI" echo " * ALPN: $ENABLED_ALPN" echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT" echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC" -echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" -echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION" echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES" echo " * Session Ticket: $ENABLED_SESSION_TICKET" +echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" +echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION" echo " * All TLS Extensions: $ENABLED_TLSX" echo " * PKCS#7 $ENABLED_PKCS7" echo " * wolfSCEP $ENABLED_WOLFSCEP" diff --git a/examples/client/client.c b/examples/client/client.c index dc4a80f0a..533621d19 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -310,7 +310,7 @@ static void Usage(void) #endif printf("-b Benchmark connections and print stats\n"); #ifdef HAVE_ALPN - printf("-L Application-Layer Protocole Name ({C,F}:)\n"); + printf("-L Application-Layer Protocol Negotiation ({C,F}:)\n"); #endif printf("-B Benchmark throughput using bytes and print stats\n"); printf("-s Use pre Shared keys\n"); diff --git a/examples/server/server.c b/examples/server/server.c index 3805417a9..8b648c622 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -200,7 +200,7 @@ static void Usage(void) DEFAULT_MIN_DHKEY_BITS); #endif #ifdef HAVE_ALPN - printf("-L Application-Layer Protocole Name ({C,F}:)\n"); + printf("-L Application-Layer Protocol Negotiation ({C,F}:)\n"); #endif printf("-d Disable client cert check\n"); printf("-b Bind to any interface instead of localhost only\n"); diff --git a/pull_to_vagrant.sh b/pull_to_vagrant.sh index e2d245632..15d88d97d 100755 --- a/pull_to_vagrant.sh +++ b/pull_to_vagrant.sh @@ -10,4 +10,5 @@ rsync -rvt /$SRC/.git ~/$DST/ rsync -rvt /$SRC/IDE ~/$DST/ rsync -rvt /$SRC/mcapi ~/$DST/ rsync -rvt /$SRC/mplabx ~/$DST/ +rsync -rvt /$SRC/certs ~/$DST/ rsync -rvt /$SRC/configure.ac ~/$DST/ diff --git a/src/internal.c b/src/internal.c index d0c2258fc..a54a76f52 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4450,6 +4450,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, (void)doCrlLookup; #ifdef HAVE_OCSP if (ssl->ctx->cm->ocspEnabled) { + WOLFSSL_MSG("Doing Leaf OCSP check"); ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert); doCrlLookup = (ret == OCSP_CERT_UNKNOWN); if (ret != 0) { @@ -10363,7 +10364,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -11068,7 +11069,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, size, 0)) < 0) @@ -11904,7 +11905,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer) return MEMORY_E; /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -12664,7 +12665,7 @@ int DoSessionTicket(WOLFSSL* ssl, return MEMORY_E; /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -12813,7 +12814,7 @@ int DoSessionTicket(WOLFSSL* ssl, QSH_KeyExchangeWrite(ssl, 1); /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -13454,7 +13455,7 @@ int DoSessionTicket(WOLFSSL* ssl, QSH_KeyExchangeWrite(ssl, 1); /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -13996,7 +13997,7 @@ int DoSessionTicket(WOLFSSL* ssl, QSH_KeyExchangeWrite(ssl, 1); /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -15374,7 +15375,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input @@ -15452,7 +15453,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -15514,7 +15515,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -15602,7 +15603,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -15657,7 +15658,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -15752,7 +15753,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, diff --git a/src/ssl.c b/src/ssl.c index 292352dc2..c20c2e3aa 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -690,8 +690,9 @@ int wolfSSL_UseSNI(WOLFSSL* ssl, byte type, const void* data, word16 size) return TLSX_UseSNI(&ssl->extensions, type, data, size); } -int wolfSSL_CTX_UseSNI(WOLFSSL_CTX* ctx, byte type, - const void* data, word16 size) + +int wolfSSL_CTX_UseSNI(WOLFSSL_CTX* ctx, byte type, const void* data, + word16 size) { if (ctx == NULL) return BAD_FUNC_ARG; @@ -707,17 +708,20 @@ void wolfSSL_SNI_SetOptions(WOLFSSL* ssl, byte type, byte options) TLSX_SNI_SetOptions(ssl->extensions, type, options); } + void wolfSSL_CTX_SNI_SetOptions(WOLFSSL_CTX* ctx, byte type, byte options) { if (ctx && ctx->extensions) TLSX_SNI_SetOptions(ctx->extensions, type, options); } + byte wolfSSL_SNI_Status(WOLFSSL* ssl, byte type) { return TLSX_SNI_Status(ssl ? ssl->extensions : NULL, type); } + word16 wolfSSL_SNI_GetRequest(WOLFSSL* ssl, byte type, void** data) { if (data) @@ -729,6 +733,7 @@ word16 wolfSSL_SNI_GetRequest(WOLFSSL* ssl, byte type, void** data) return 0; } + int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, byte type, byte* sni, word32* inOutSz) { @@ -745,6 +750,7 @@ int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, #ifdef HAVE_MAX_FRAGMENT #ifndef NO_WOLFSSL_CLIENT + int wolfSSL_UseMaxFragment(WOLFSSL* ssl, byte mfl) { if (ssl == NULL) @@ -753,6 +759,7 @@ int wolfSSL_UseMaxFragment(WOLFSSL* ssl, byte mfl) return TLSX_UseMaxFragment(&ssl->extensions, mfl); } + int wolfSSL_CTX_UseMaxFragment(WOLFSSL_CTX* ctx, byte mfl) { if (ctx == NULL) @@ -760,11 +767,13 @@ int wolfSSL_CTX_UseMaxFragment(WOLFSSL_CTX* ctx, byte mfl) return TLSX_UseMaxFragment(&ctx->extensions, mfl); } + #endif /* NO_WOLFSSL_CLIENT */ #endif /* HAVE_MAX_FRAGMENT */ #ifdef HAVE_TRUNCATED_HMAC #ifndef NO_WOLFSSL_CLIENT + int wolfSSL_UseTruncatedHMAC(WOLFSSL* ssl) { if (ssl == NULL) @@ -773,6 +782,7 @@ int wolfSSL_UseTruncatedHMAC(WOLFSSL* ssl) return TLSX_UseTruncatedHMAC(&ssl->extensions); } + int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx) { if (ctx == NULL) @@ -780,6 +790,7 @@ int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx) return TLSX_UseTruncatedHMAC(&ctx->extensions); } + #endif /* NO_WOLFSSL_CLIENT */ #endif /* HAVE_TRUNCATED_HMAC */ @@ -808,6 +819,7 @@ int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name) return TLSX_UseSupportedCurve(&ssl->extensions, name); } + int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx, word16 name) { if (ctx == NULL) @@ -885,7 +897,7 @@ int wolfSSL_UseSupportedQSH(WOLFSSL* ssl, word16 name) #endif /* HAVE_QSH */ -/* Application-Layer Procotol Name */ +/* Application-Layer Procotol Negotiation */ #ifdef HAVE_ALPN int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list, @@ -988,7 +1000,7 @@ int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl) ret = TLSX_UseSecureRenegotiation(&ssl->extensions); if (ret == SSL_SUCCESS) { - TLSX* extension = TLSX_Find(ssl->extensions, SECURE_RENEGOTIATION); + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_RENEGOTIATION_INFO); if (extension) ssl->secure_renegotiation = (SecureRenegotiation*)extension->data; @@ -2475,7 +2487,7 @@ static int wolfssl_encrypt_buffer_key(byte* der, word32 derSz, byte* password, #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - + if (ret == MP_OKAY) return SSL_SUCCESS; else if (ret == SSL_BAD_FILE) @@ -11849,7 +11861,7 @@ char *wolfSSL_BN_bn2dec(const WOLFSSL_BIGNUM *bn) XFREE(buf, NULL, DYNAMIC_TYPE_ECC); return NULL; } - + return buf; } #else @@ -14872,7 +14884,7 @@ int wolfSSL_EC_POINT_cmp(const WOLFSSL_EC_GROUP *group, int ret; (void)ctx; - + WOLFSSL_ENTER("wolfSSL_EC_POINT_cmp"); if (group == NULL || a == NULL || a->internal == NULL || b == NULL || @@ -15342,7 +15354,7 @@ int wolfSSL_PEM_write_ECPrivateKey(FILE *fp, WOLFSSL_EC_KEY *ecc, WOLFSSL_MSG("ECC private key file write failed"); return SSL_FAILURE; } - + XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); return SSL_SUCCESS; } @@ -15517,7 +15529,7 @@ int wolfSSL_PEM_write_DSAPrivateKey(FILE *fp, WOLFSSL_DSA *dsa, WOLFSSL_MSG("DSA private key file write failed"); return SSL_FAILURE; } - + XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); return SSL_SUCCESS; } @@ -17091,4 +17103,3 @@ void* wolfSSL_get_jobject(WOLFSSL* ssl) #endif /* WOLFSSL_JNI */ #endif /* WOLFCRYPT_ONLY */ - diff --git a/src/tls.c b/src/tls.c index 97dc09ef5..ec756a9df 100644 --- a/src/tls.c +++ b/src/tls.c @@ -755,7 +755,7 @@ static INLINE word16 TLSX_ToSemaphore(word16 type) { switch (type) { - case SECURE_RENEGOTIATION: /* 0xFF01 */ + case TLSX_RENEGOTIATION_INFO: /* 0xFF01 */ return 63; default: @@ -784,7 +784,7 @@ static INLINE word16 TLSX_ToSemaphore(word16 type) /** Creates a new extension. */ static TLSX* TLSX_New(TLSX_Type type, void* data) { - TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), 0, DYNAMIC_TYPE_TLSX); + TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), NULL, DYNAMIC_TYPE_TLSX); if (extension) { extension->type = type; @@ -845,6 +845,9 @@ void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type) #endif +/******************************************************************************/ +/* Application-Layer Protocol Negotiation */ +/******************************************************************************/ #ifdef HAVE_ALPN /** Creates a new ALPN object, providing protocol name to use. */ @@ -981,7 +984,7 @@ static int TLSX_SetALPN(TLSX** extensions, const void* data, word16 size) alpn->negociated = 1; - ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn); + ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL, (void*)alpn); if (ret != 0) { TLSX_ALPN_Free(alpn); return ret; @@ -1001,9 +1004,10 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length, TLSX *extension; ALPN *alpn = NULL, *list; - extension = TLSX_Find(ssl->extensions, WOLFSSL_ALPN); + extension = TLSX_Find(ssl->extensions, TLSX_APPLICATION_LAYER_PROTOCOL); if (extension == NULL) - extension = TLSX_Find(ssl->ctx->extensions, WOLFSSL_ALPN); + extension = TLSX_Find(ssl->ctx->extensions, + TLSX_APPLICATION_LAYER_PROTOCOL); if (extension == NULL || extension->data == NULL) { WOLFSSL_MSG("No ALPN extensions not used or bad"); @@ -1088,7 +1092,7 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length, /* reply to ALPN extension sent from client */ if (isRequest) { #ifndef NO_WOLFSSL_SERVER - TLSX_SetResponse(ssl, WOLFSSL_ALPN); + TLSX_SetResponse(ssl, TLSX_APPLICATION_LAYER_PROTOCOL); #endif } @@ -1114,9 +1118,10 @@ int TLSX_UseALPN(TLSX** extensions, const void* data, word16 size, byte options) /* Set Options of ALPN */ alpn->options = options; - extension = TLSX_Find(*extensions, WOLFSSL_ALPN); + extension = TLSX_Find(*extensions, TLSX_APPLICATION_LAYER_PROTOCOL); if (extension == NULL) { - ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn); + ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL, + (void*)alpn); if (ret != 0) { TLSX_ALPN_Free(alpn); return ret; @@ -1140,7 +1145,7 @@ int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz) if (extensions == NULL || data == NULL || dataSz == NULL) return BAD_FUNC_ARG; - extension = TLSX_Find(extensions, WOLFSSL_ALPN); + extension = TLSX_Find(extensions, TLSX_APPLICATION_LAYER_PROTOCOL); if (extension == NULL) { WOLFSSL_MSG("TLS extension not found"); return SSL_ALPN_NOT_FOUND; @@ -1192,13 +1197,16 @@ int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz) #endif /* HAVE_ALPN */ -/* Server Name Indication */ +/******************************************************************************/ +/* Server Name Indication */ +/******************************************************************************/ + #ifdef HAVE_SNI /** Creates a new SNI object. */ static SNI* TLSX_SNI_New(byte type, const void* data, word16 size) { - SNI* sni = (SNI*)XMALLOC(sizeof(SNI), 0, DYNAMIC_TYPE_TLSX); + SNI* sni = (SNI*)XMALLOC(sizeof(SNI), NULL, DYNAMIC_TYPE_TLSX); if (sni) { sni->type = type; @@ -1211,7 +1219,7 @@ static SNI* TLSX_SNI_New(byte type, const void* data, word16 size) switch (sni->type) { case WOLFSSL_SNI_HOST_NAME: - sni->data.host_name = XMALLOC(size + 1, 0, DYNAMIC_TYPE_TLSX); + sni->data.host_name = XMALLOC(size+1, NULL, DYNAMIC_TYPE_TLSX); if (sni->data.host_name) { XSTRNCPY(sni->data.host_name, (const char*)data, size); @@ -1325,7 +1333,7 @@ static SNI* TLSX_SNI_Find(SNI *list, byte type) /** Sets the status of a SNI object. */ static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status) { - TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type); if (sni) @@ -1335,7 +1343,7 @@ static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status) /** Gets the status of a SNI object. */ byte TLSX_SNI_Status(TLSX* extensions, byte type) { - TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type); if (sni) @@ -1356,10 +1364,10 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, int cacheOnly = 0; #endif - TLSX *extension = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION); + TLSX *extension = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME); if (!extension) - extension = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION); + extension = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME); (void)isRequest; (void)input; @@ -1438,7 +1446,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, TLSX_SNI_SetStatus(ssl->extensions, type, matchStat); if(!cacheOnly) - TLSX_SetResponse(ssl, SERVER_NAME_INDICATION); + TLSX_SetResponse(ssl, TLSX_SERVER_NAME); } else if (!(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) { SendAlert(ssl, alert_fatal, unrecognized_name); @@ -1461,8 +1469,8 @@ static int TLSX_SNI_VerifyParse(WOLFSSL* ssl, byte isRequest) if (isRequest) { #ifndef NO_WOLFSSL_SERVER - TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION); - TLSX* ssl_ext = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION); + TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME); + TLSX* ssl_ext = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME); SNI* ctx_sni = ctx_ext ? ctx_ext->data : NULL; SNI* ssl_sni = ssl_ext ? ssl_ext->data : NULL; SNI* sni = NULL; @@ -1502,7 +1510,7 @@ static int TLSX_SNI_VerifyParse(WOLFSSL* ssl, byte isRequest) int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size) { - TLSX* extension = TLSX_Find(*extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(*extensions, TLSX_SERVER_NAME); SNI* sni = NULL; if (extensions == NULL || data == NULL) @@ -1512,7 +1520,7 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size) return MEMORY_E; if (!extension) { - int ret = TLSX_Push(extensions, SERVER_NAME_INDICATION, (void*)sni); + int ret = TLSX_Push(extensions, TLSX_SERVER_NAME, (void*)sni); if (ret != 0) { TLSX_SNI_Free(sni); return ret; @@ -1546,7 +1554,7 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size) /** Tells the SNI requested by the client. */ word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data) { - TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type); if (sni && sni->status != WOLFSSL_SNI_NO_MATCH) { @@ -1563,7 +1571,7 @@ word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data) /** Sets the options for a SNI object. */ void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options) { - TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type); if (sni) @@ -1681,7 +1689,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, if (helloSz < offset + extLen) return BUFFER_ERROR; - if (extType != SERVER_NAME_INDICATION) { + if (extType != TLSX_SERVER_NAME) { offset += extLen; /* skip extension */ } else { word16 listLen; @@ -1739,6 +1747,10 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, #endif /* HAVE_SNI */ +/******************************************************************************/ +/* Max Fragment Length Negotiation */ +/******************************************************************************/ + #ifdef HAVE_MAX_FRAGMENT static word16 TLSX_MFL_Write(byte* data, byte* output) @@ -1775,7 +1787,7 @@ static int TLSX_MFL_Parse(WOLFSSL* ssl, byte* input, word16 length, if (r != SSL_SUCCESS) return r; /* throw error */ - TLSX_SetResponse(ssl, MAX_FRAGMENT_LENGTH); + TLSX_SetResponse(ssl, TLSX_MAX_FRAGMENT_LENGTH); } #endif @@ -1793,13 +1805,13 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl) if (mfl < WOLFSSL_MFL_2_9 || WOLFSSL_MFL_2_13 < mfl) return BAD_FUNC_ARG; - if ((data = XMALLOC(ENUM_LEN, 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((data = XMALLOC(ENUM_LEN, NULL, DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; data[0] = mfl; /* push new MFL extension. */ - if ((ret = TLSX_Push(extensions, MAX_FRAGMENT_LENGTH, data)) != 0) { + if ((ret = TLSX_Push(extensions, TLSX_MAX_FRAGMENT_LENGTH, data)) != 0) { XFREE(data, 0, DYNAMIC_TYPE_TLSX); return ret; } @@ -1822,6 +1834,10 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl) #endif /* HAVE_MAX_FRAGMENT */ +/******************************************************************************/ +/* Truncated HMAC */ +/******************************************************************************/ + #ifdef HAVE_TRUNCATED_HMAC static int TLSX_THM_Parse(WOLFSSL* ssl, byte* input, word16 length, @@ -1836,9 +1852,10 @@ static int TLSX_THM_Parse(WOLFSSL* ssl, byte* input, word16 length, if (isRequest) { int r = TLSX_UseTruncatedHMAC(&ssl->extensions); - if (r != SSL_SUCCESS) return r; /* throw error */ + if (r != SSL_SUCCESS) + return r; /* throw error */ - TLSX_SetResponse(ssl, TRUNCATED_HMAC); + TLSX_SetResponse(ssl, TLSX_TRUNCATED_HMAC); } #endif @@ -1854,7 +1871,7 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions) if (extensions == NULL) return BAD_FUNC_ARG; - if ((ret = TLSX_Push(extensions, TRUNCATED_HMAC, NULL)) != 0) + if ((ret = TLSX_Push(extensions, TLSX_TRUNCATED_HMAC, NULL)) != 0) return ret; return SSL_SUCCESS; @@ -1868,6 +1885,10 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions) #endif /* HAVE_TRUNCATED_HMAC */ +/******************************************************************************/ +/* Supported Elliptic Curves */ +/******************************************************************************/ + #ifdef HAVE_SUPPORTED_CURVES #ifndef HAVE_ECC @@ -1887,12 +1908,14 @@ static void TLSX_EllipticCurve_FreeAll(EllipticCurve* list) static int TLSX_EllipticCurve_Append(EllipticCurve** list, word16 name) { - EllipticCurve* curve; + EllipticCurve* curve = NULL; if (list == NULL) return BAD_FUNC_ARG; - if ((curve = XMALLOC(sizeof(EllipticCurve), 0, DYNAMIC_TYPE_TLSX)) == NULL) + curve = (EllipticCurve*)XMALLOC(sizeof(EllipticCurve), NULL, + DYNAMIC_TYPE_TLSX); + if (curve == NULL) return MEMORY_E; curve->name = name; @@ -1914,7 +1937,7 @@ static void TLSX_EllipticCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore) return; /* turns semaphore on to avoid sending this extension. */ - TURN_ON(semaphore, TLSX_ToSemaphore(ELLIPTIC_CURVES)); + TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS)); } static word16 TLSX_EllipticCurve_GetSize(EllipticCurve* list) @@ -1988,7 +2011,7 @@ static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length, int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { TLSX* extension = (first == ECC_BYTE) - ? TLSX_Find(ssl->extensions, ELLIPTIC_CURVES) + ? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS) : NULL; EllipticCurve* curve = NULL; word32 oid = 0; @@ -2097,7 +2120,7 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { int TLSX_UseSupportedCurve(TLSX** extensions, word16 name) { - TLSX* extension = TLSX_Find(*extensions, ELLIPTIC_CURVES); + TLSX* extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS); EllipticCurve* curve = NULL; int ret = 0; @@ -2108,7 +2131,7 @@ int TLSX_UseSupportedCurve(TLSX** extensions, word16 name) return ret; if (!extension) { - if ((ret = TLSX_Push(extensions, ELLIPTIC_CURVES, curve)) != 0) { + if ((ret = TLSX_Push(extensions, TLSX_SUPPORTED_GROUPS, curve)) != 0) { XFREE(curve, 0, DYNAMIC_TYPE_TLSX); return ret; } @@ -2161,6 +2184,10 @@ int TLSX_UseSupportedCurve(TLSX** extensions, word16 name) #endif /* HAVE_SUPPORTED_CURVES */ +/******************************************************************************/ +/* Renegotiation Indication */ +/******************************************************************************/ + #ifdef HAVE_SECURE_RENEGOTIATION static byte TLSX_SecureRenegotiation_GetSize(SecureRenegotiation* data, @@ -2259,7 +2286,7 @@ int TLSX_UseSecureRenegotiation(TLSX** extensions) XMEMSET(data, 0, sizeof(SecureRenegotiation)); - ret = TLSX_Push(extensions, SECURE_RENEGOTIATION, data); + ret = TLSX_Push(extensions, TLSX_RENEGOTIATION_INFO, data); if (ret != 0) { XFREE(data, 0, DYNAMIC_TYPE_TLSX); return ret; @@ -2283,11 +2310,15 @@ int TLSX_UseSecureRenegotiation(TLSX** extensions) #endif /* HAVE_SECURE_RENEGOTIATION */ +/******************************************************************************/ +/* Session Tickets */ +/******************************************************************************/ + #ifdef HAVE_SESSION_TICKET static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl) { - TLSX* extension = TLSX_Find(ssl->extensions, SESSION_TICKET); + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_SESSION_TICKET); SessionTicket* ticket = extension ? extension->data : NULL; if (ticket) { @@ -2345,7 +2376,7 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length, ret = TLSX_UseSessionTicket(&ssl->extensions, NULL); if (ret == SSL_SUCCESS) { ret = 0; - TLSX_SetResponse(ssl, SESSION_TICKET); /* send blank ticket */ + TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); /* send blank ticket */ ssl->options.createTicket = 1; /* will send ticket msg */ ssl->options.useTicket = 1; } @@ -2361,7 +2392,7 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length, ret = TLSX_UseSessionTicket(&ssl->extensions, NULL); if (ret == SSL_SUCCESS) { ret = 0; - TLSX_SetResponse(ssl, SESSION_TICKET); + TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); /* send blank ticket */ ssl->options.createTicket = 1; /* will send ticket msg */ ssl->options.useTicket = 1; @@ -2416,7 +2447,7 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket) /* If the ticket is NULL, the client will request a new ticket from the server. Otherwise, the client will use it in the next client hello. */ - if ((ret = TLSX_Push(extensions, SESSION_TICKET, (void*)ticket)) != 0) + if ((ret = TLSX_Push(extensions, TLSX_SESSION_TICKET, (void*)ticket)) != 0) return ret; return SSL_SUCCESS; @@ -2436,6 +2467,9 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket) #endif /* HAVE_SESSION_TICKET */ +/******************************************************************************/ +/* Quantum-Safe-Hybrid */ +/******************************************************************************/ #ifdef HAVE_QSH static WC_RNG* rng; @@ -2459,7 +2493,7 @@ static int TLSX_QSH_Append(QSHScheme** list, word16 name, byte* pub, if (list == NULL) return BAD_FUNC_ARG; - if ((temp = XMALLOC(sizeof(QSHScheme), 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((temp = XMALLOC(sizeof(QSHScheme), NULL, DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; temp->name = name; @@ -2499,7 +2533,7 @@ static void TLSX_QSH_ValidateRequest(WOLFSSL* ssl, byte* semaphore) return; /* No QSH suite found */ - TURN_ON(semaphore, TLSX_ToSemaphore(WOLFSSL_QSH)); + TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_QUANTUM_SAFE_HYBRID)); } @@ -2610,7 +2644,7 @@ word16 TLSX_QSHPK_Write(QSHScheme* list, byte* output) static void TLSX_QSHAgreement(TLSX** extensions) { - TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH); + TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); QSHScheme* format = NULL; QSHScheme* delete = NULL; QSHScheme* prev = NULL; @@ -2735,7 +2769,7 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length, while ((offset_len < offset_pk) && numKeys) { QSHKey * temp; - if ((temp = XMALLOC(sizeof(QSHKey), 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((temp = XMALLOC(sizeof(QSHKey), NULL, DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; /* initialize */ @@ -2768,7 +2802,7 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length, /* read in public key */ if (PKLen > 0) { temp->pub.buffer = (byte*)XMALLOC(temp->pub.length, - 0, DYNAMIC_TYPE_PUBLIC_KEY); + NULL, DYNAMIC_TYPE_PUBLIC_KEY); XMEMCPY(temp->pub.buffer, input + offset_len, temp->pub.length); offset_len += PKLen; } @@ -2797,7 +2831,7 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length, /* reply to a QSH extension sent from client */ if (isRequest) { - TLSX_SetResponse(ssl, WOLFSSL_QSH); + TLSX_SetResponse(ssl, TLSX_QUANTUM_SAFE_HYBRID); /* only use schemes we have key generated for -- free the rest */ TLSX_QSHAgreement(&ssl->extensions); } @@ -2903,7 +2937,7 @@ int TLSX_QSHCipher_Parse(WOLFSSL* ssl, const byte* input, word16 length, /* return 1 on success */ int TLSX_ValidateQSHScheme(TLSX** extensions, word16 theirs) { - TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH); + TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); QSHScheme* format = NULL; /* if no extension is sent then do not use QSH */ @@ -2947,7 +2981,7 @@ static int TLSX_HaveQSHScheme(word16 name) /* Add a QSHScheme struct to list of usable ones */ int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz) { - TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH); + TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); QSHScheme* format = NULL; int ret = 0; @@ -2961,7 +2995,8 @@ int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz) return ret; if (!extension) { - if ((ret = TLSX_Push(extensions, WOLFSSL_QSH, format)) != 0) { + if ((ret = TLSX_Push(extensions, TLSX_QUANTUM_SAFE_HYBRID, format)) + != 0) { XFREE(format, 0, DYNAMIC_TYPE_TLSX); return ret; } @@ -3018,6 +3053,9 @@ int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz) #endif /* HAVE_QSH */ +/******************************************************************************/ +/* TLS Extensions Framework */ +/******************************************************************************/ /** Finds an extension in the provided list. */ TLSX* TLSX_Find(TLSX* list, TLSX_Type type) @@ -3040,35 +3078,35 @@ void TLSX_FreeAll(TLSX* list) switch (extension->type) { - case SERVER_NAME_INDICATION: + case TLSX_SERVER_NAME: SNI_FREE_ALL((SNI*)extension->data); break; - case MAX_FRAGMENT_LENGTH: + case TLSX_MAX_FRAGMENT_LENGTH: MFL_FREE_ALL(extension->data); break; - case TRUNCATED_HMAC: + case TLSX_TRUNCATED_HMAC: /* Nothing to do. */ break; - case ELLIPTIC_CURVES: + case TLSX_SUPPORTED_GROUPS: EC_FREE_ALL(extension->data); break; - case SECURE_RENEGOTIATION: + case TLSX_RENEGOTIATION_INFO: SCR_FREE_ALL(extension->data); break; - case SESSION_TICKET: + case TLSX_SESSION_TICKET: /* Nothing to do. */ break; - case WOLFSSL_QSH: + case TLSX_QUANTUM_SAFE_HYBRID: QSH_FREE_ALL(extension->data); break; - case WOLFSSL_ALPN: + case TLSX_APPLICATION_LAYER_PROTOCOL: ALPN_FREE_ALL((ALPN*)extension->data); break; } @@ -3105,37 +3143,37 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest) switch (extension->type) { - case SERVER_NAME_INDICATION: + case TLSX_SERVER_NAME: /* SNI only sends the name on the request. */ if (isRequest) length += SNI_GET_SIZE(extension->data); break; - case MAX_FRAGMENT_LENGTH: + case TLSX_MAX_FRAGMENT_LENGTH: length += MFL_GET_SIZE(extension->data); break; - case TRUNCATED_HMAC: + case TLSX_TRUNCATED_HMAC: /* always empty. */ break; - case ELLIPTIC_CURVES: + case TLSX_SUPPORTED_GROUPS: length += EC_GET_SIZE(extension->data); break; - case SECURE_RENEGOTIATION: + case TLSX_RENEGOTIATION_INFO: length += SCR_GET_SIZE(extension->data, isRequest); break; - case SESSION_TICKET: + case TLSX_SESSION_TICKET: length += STK_GET_SIZE(extension->data, isRequest); break; - case WOLFSSL_QSH: + case TLSX_QUANTUM_SAFE_HYBRID: length += QSH_GET_SIZE(extension->data, isRequest); break; - case WOLFSSL_ALPN: + case TLSX_APPLICATION_LAYER_PROTOCOL: length += ALPN_GET_SIZE(extension->data); break; @@ -3175,34 +3213,34 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, /* extension data should be written internally. */ switch (extension->type) { - case SERVER_NAME_INDICATION: + case TLSX_SERVER_NAME: if (isRequest) offset += SNI_WRITE(extension->data, output + offset); break; - case MAX_FRAGMENT_LENGTH: + case TLSX_MAX_FRAGMENT_LENGTH: offset += MFL_WRITE(extension->data, output + offset); break; - case TRUNCATED_HMAC: + case TLSX_TRUNCATED_HMAC: /* always empty. */ break; - case ELLIPTIC_CURVES: + case TLSX_SUPPORTED_GROUPS: offset += EC_WRITE(extension->data, output + offset); break; - case SECURE_RENEGOTIATION: + case TLSX_RENEGOTIATION_INFO: offset += SCR_WRITE(extension->data, output + offset, isRequest); break; - case SESSION_TICKET: + case TLSX_SESSION_TICKET: offset += STK_WRITE(extension->data, output + offset, isRequest); break; - case WOLFSSL_QSH: + case TLSX_QUANTUM_SAFE_HYBRID: if (isRequest) { offset += QSH_WRITE(extension->data, output + offset); } @@ -3210,7 +3248,7 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, offset += QSH_SERREQ(output + offset, isRequest); break; - case WOLFSSL_ALPN: + case TLSX_APPLICATION_LAYER_PROTOCOL: offset += ALPN_WRITE(extension->data, output + offset); break; } @@ -3234,14 +3272,14 @@ static word32 GetEntropy(unsigned char* out, word32 num_bytes) int ret = 0; if (rng == NULL) { - if ((rng = XMALLOC(sizeof(WC_RNG), 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((rng = XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_TLSX)) == NULL) return DRBG_OUT_OF_MEMORY; wc_InitRng(rng); } if (rngMutex == NULL) { - if ((rngMutex = XMALLOC(sizeof(wolfSSL_Mutex), 0, - DYNAMIC_TYPE_TLSX)) == NULL) + if ((rngMutex = XMALLOC(sizeof(wolfSSL_Mutex), NULL, + DYNAMIC_TYPE_TLSX)) == NULL) return DRBG_OUT_OF_MEMORY; InitMutex(rngMutex); } @@ -3360,7 +3398,7 @@ int TLSX_CreateNtruKey(WOLFSSL* ssl, int type) return ret; } - if ((temp = XMALLOC(sizeof(QSHKey), 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((temp = XMALLOC(sizeof(QSHKey), NULL, DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; temp->name = type; temp->pub.length = public_key_len; @@ -3471,7 +3509,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) } else if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) { /* for each scheme make a client key */ - extension = TLSX_Find(ssl->extensions, WOLFSSL_QSH); + extension = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID); if (extension) { qsh = (QSHScheme*)extension->data; @@ -3596,7 +3634,7 @@ word16 TLSX_GetResponseSize(WOLFSSL* ssl) #ifdef HAVE_QSH /* change response if not using TLS_QSH */ if (!ssl->options.haveQSH) { - TLSX* ext = TLSX_Find(ssl->extensions, WOLFSSL_QSH); + TLSX* ext = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID); if (ext) ext->resp = 0; } @@ -3661,49 +3699,49 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest, return BUFFER_ERROR; switch (type) { - case SERVER_NAME_INDICATION: + case TLSX_SERVER_NAME: WOLFSSL_MSG("SNI extension received"); ret = SNI_PARSE(ssl, input + offset, size, isRequest); break; - case MAX_FRAGMENT_LENGTH: + case TLSX_MAX_FRAGMENT_LENGTH: WOLFSSL_MSG("Max Fragment Length extension received"); ret = MFL_PARSE(ssl, input + offset, size, isRequest); break; - case TRUNCATED_HMAC: + case TLSX_TRUNCATED_HMAC: WOLFSSL_MSG("Truncated HMAC extension received"); ret = THM_PARSE(ssl, input + offset, size, isRequest); break; - case ELLIPTIC_CURVES: + case TLSX_SUPPORTED_GROUPS: WOLFSSL_MSG("Elliptic Curves extension received"); ret = EC_PARSE(ssl, input + offset, size, isRequest); break; - case SECURE_RENEGOTIATION: + case TLSX_RENEGOTIATION_INFO: WOLFSSL_MSG("Secure Renegotiation extension received"); ret = SCR_PARSE(ssl, input + offset, size, isRequest); break; - case SESSION_TICKET: + case TLSX_SESSION_TICKET: WOLFSSL_MSG("Session Ticket extension received"); ret = STK_PARSE(ssl, input + offset, size, isRequest); break; - case WOLFSSL_QSH: + case TLSX_QUANTUM_SAFE_HYBRID: WOLFSSL_MSG("Quantum-Safe-Hybrid extension received"); ret = QSH_PARSE(ssl, input + offset, size, isRequest); break; - case WOLFSSL_ALPN: + case TLSX_APPLICATION_LAYER_PROTOCOL: WOLFSSL_MSG("ALPN extension received"); ret = ALPN_PARSE(ssl, input + offset, size, isRequest); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 5eeae21d4..3cc87a979 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8602,8 +8602,13 @@ static int DecodeResponseData(byte* source, if (DecodeSingleResponse(source, &idx, resp, size) < 0) return ASN_PARSE_E; - if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0) - return ASN_PARSE_E; + /* + * Check the length of the ResponseData against the current index to + * see if there are extensions, they are optional. + */ + if (idx - prev_idx < resp->responseSz) + if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0) + return ASN_PARSE_E; *ioIndex = idx; return 0; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d65665ec0..0540b7df2 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -868,7 +868,7 @@ enum Misc { COMP_LEN = 1, /* compression length */ CURVE_LEN = 2, /* ecc named curve length */ SERVER_ID_LEN = 20, /* server session id length */ - + HANDSHAKE_HEADER_SZ = 4, /* type + length(3) */ RECORD_HEADER_SZ = 5, /* type + version + len(2) */ CERT_HEADER_SZ = 3, /* always 3 bytes */ @@ -897,7 +897,7 @@ enum Misc { MAX_PRF_LABSEED = 128, /* Maximum label + seed len */ MAX_PRF_DIG = 224, /* Maximum digest len */ MAX_REQUEST_SZ = 256, /* Maximum cert req len (no auth yet */ - SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */ + SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */ RC4_KEY_SIZE = 16, /* always 128bit */ DES_KEY_SIZE = 8, /* des */ @@ -1156,7 +1156,7 @@ enum { /* only the sniffer needs space in the buffer for extra MTU record(s) */ #ifdef WOLFSSL_SNIFFER - #define MTU_EXTRA MAX_MTU * 3 + #define MTU_EXTRA MAX_MTU * 3 #else #define MTU_EXTRA 0 #endif @@ -1174,9 +1174,9 @@ enum { #define RECORD_SIZE MAX_RECORD_SIZE #else #ifdef WOLFSSL_DTLS - #define RECORD_SIZE MAX_MTU + #define RECORD_SIZE MAX_MTU #else - #define RECORD_SIZE 128 + #define RECORD_SIZE 128 #endif #endif @@ -1263,14 +1263,14 @@ typedef struct OCSP_Entry OCSP_Entry; #define OCSP_DIGEST_SIZE SHA_DIGEST_SIZE #endif -#ifdef NO_ASN +#ifdef NO_ASN /* no_asn won't have */ typedef struct CertStatus CertStatus; #endif struct OCSP_Entry { OCSP_Entry* next; /* next entry */ - byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */ + byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */ byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */ CertStatus* status; /* OCSP response list */ int totalStatus; /* number on list */ @@ -1307,8 +1307,8 @@ typedef struct CRL_Entry CRL_Entry; /* Complete CRL */ struct CRL_Entry { CRL_Entry* next; /* next entry */ - byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */ - /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */ + byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */ + /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */ /* restore the hash here if needed for optimized comparisons */ byte lastDate[MAX_DATE_SIZE]; /* last date updated */ byte nextDate[MAX_DATE_SIZE]; /* next update date */ @@ -1456,18 +1456,18 @@ typedef struct Keys { -/* RFC 6066 TLS Extensions */ +/** TLS Extensions - RFC 6066 */ #ifdef HAVE_TLS_EXTENSIONS typedef enum { - SERVER_NAME_INDICATION = 0x0000, - MAX_FRAGMENT_LENGTH = 0x0001, - TRUNCATED_HMAC = 0x0004, - ELLIPTIC_CURVES = 0x000a, - SESSION_TICKET = 0x0023, - SECURE_RENEGOTIATION = 0xff01, - WOLFSSL_QSH = 0x0018, /* Quantum-Safe-Hybrid */ - WOLFSSL_ALPN = 0x0010 /* Application-Layer Protocol Name */ + TLSX_SERVER_NAME = 0x0000, /* a.k.a. SNI */ + TLSX_MAX_FRAGMENT_LENGTH = 0x0001, + TLSX_TRUNCATED_HMAC = 0x0004, + TLSX_SUPPORTED_GROUPS = 0x000a, + TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */ + TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */ + TLSX_SESSION_TICKET = 0x0023, + TLSX_RENEGOTIATION_INFO = 0xff01 } TLSX_Type; typedef struct TLSX { @@ -1495,19 +1495,20 @@ WOLFSSL_LOCAL word16 TLSX_WriteResponse(WOLFSSL* ssl, byte* output); WOLFSSL_LOCAL int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest, Suites *suites); -#elif defined(HAVE_SNI) \ - || defined(HAVE_MAX_FRAGMENT) \ - || defined(HAVE_TRUNCATED_HMAC) \ - || defined(HAVE_SUPPORTED_CURVES) \ - || defined(HAVE_SECURE_RENEGOTIATION) \ - || defined(HAVE_SESSION_TICKET) \ - || defined(HAVE_ALPN) +#elif defined(HAVE_SNI) \ + || defined(HAVE_MAX_FRAGMENT) \ + || defined(HAVE_TRUNCATED_HMAC) \ + || defined(HAVE_SUPPORTED_CURVES) \ + || defined(HAVE_ALPN) \ + || defined(HAVE_QSH) \ + || defined(HAVE_SESSION_TICKET) \ + || defined(HAVE_SECURE_RENEGOTIATION) #error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined. #endif /* HAVE_TLS_EXTENSIONS */ -/* Server Name Indication */ +/** Server Name Indication - RFC 6066 (session 3) */ #ifdef HAVE_SNI typedef struct SNI { @@ -1535,7 +1536,7 @@ WOLFSSL_LOCAL int TLSX_SNI_GetFromBuffer(const byte* buffer, word32 bufferSz, #endif /* HAVE_SNI */ -/* Application-layer Protocol Name */ +/* Application-Layer Protocol Negotiation - RFC 7301 */ #ifdef HAVE_ALPN typedef struct ALPN { char* protocol_name; /* ALPN protocol name */ @@ -1554,19 +1555,21 @@ WOLFSSL_LOCAL int TLSX_ALPN_SetOptions(TLSX** extensions, const byte option); #endif /* HAVE_ALPN */ -/* Maximum Fragment Length */ +/** Maximum Fragment Length Negotiation - RFC 6066 (session 4) */ #ifdef HAVE_MAX_FRAGMENT WOLFSSL_LOCAL int TLSX_UseMaxFragment(TLSX** extensions, byte mfl); #endif /* HAVE_MAX_FRAGMENT */ +/** Truncated HMAC - RFC 6066 (session 7) */ #ifdef HAVE_TRUNCATED_HMAC WOLFSSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions); #endif /* HAVE_TRUNCATED_HMAC */ +/** Supported Elliptic Curves - RFC 4492 (session 4) */ #ifdef HAVE_SUPPORTED_CURVES typedef struct EllipticCurve { @@ -1583,6 +1586,7 @@ WOLFSSL_LOCAL int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, #endif /* HAVE_SUPPORTED_CURVES */ +/** Renegotiation Indication - RFC 5746 */ #ifdef HAVE_SECURE_RENEGOTIATION enum key_cache_state { @@ -1593,7 +1597,6 @@ enum key_cache_state { SCR_CACHE_COMPLETE /* complete restore to real keys */ }; - /* Additional Conection State according to rfc5746 section 3.1 */ typedef struct SecureRenegotiation { byte enabled; /* secure_renegotiation flag in rfc */ @@ -1609,6 +1612,7 @@ WOLFSSL_LOCAL int TLSX_UseSecureRenegotiation(TLSX** extensions); #endif /* HAVE_SECURE_RENEGOTIATION */ +/** Session Ticket - RFC 5077 (session 3.2) */ #ifdef HAVE_SESSION_TICKET typedef struct SessionTicket { @@ -1617,13 +1621,15 @@ typedef struct SessionTicket { word16 size; } SessionTicket; -WOLFSSL_LOCAL int TLSX_UseSessionTicket(TLSX** extensions, +WOLFSSL_LOCAL int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket); WOLFSSL_LOCAL SessionTicket* TLSX_SessionTicket_Create(word32 lifetime, byte* data, word16 size); WOLFSSL_LOCAL void TLSX_SessionTicket_Free(SessionTicket* ticket); + #endif /* HAVE_SESSION_TICKET */ +/** Quantum-Safe-Hybrid - draft-whyte-qsh-tls12-00 */ #ifdef HAVE_QSH typedef struct QSHScheme { @@ -1753,7 +1759,7 @@ struct WOLFSSL_CTX { CallbackEccSign EccSignCb; /* User EccSign Callback handler */ CallbackEccVerify EccVerifyCb; /* User EccVerify Callback handler */ #endif /* HAVE_ECC */ - #ifndef NO_RSA + #ifndef NO_RSA CallbackRsaSign RsaSignCb; /* User RsaSign Callback handler */ CallbackRsaVerify RsaVerifyCb; /* User RsaVerify Callback handler */ CallbackRsaEnc RsaEncCb; /* User Rsa Public Encrypt handler */ @@ -1803,7 +1809,7 @@ void InitCipherSpecs(CipherSpecs* cs); /* Supported Message Authentication Codes from page 43 */ -enum MACAlgorithm { +enum MACAlgorithm { no_mac, md5_mac, sha_mac, @@ -1817,10 +1823,10 @@ enum MACAlgorithm { /* Supported Key Exchange Protocols */ -enum KeyExchangeAlgorithm { +enum KeyExchangeAlgorithm { no_kea, - rsa_kea, - diffie_hellman_kea, + rsa_kea, + diffie_hellman_kea, fortezza_kea, psk_kea, dhe_psk_kea, @@ -1846,8 +1852,8 @@ enum EccCurves { /* Valid client certificate request types from page 27 */ -enum ClientCertificateType { - rsa_sign = 1, +enum ClientCertificateType { + rsa_sign = 1, dss_sign = 2, rsa_fixed_dh = 3, dss_fixed_dh = 4, @@ -2177,7 +2183,7 @@ struct WOLFSSL_X509_NAME { #define EXTERNAL_SERIAL_SIZE 32 #endif -#ifdef NO_ASN +#ifdef NO_ASN typedef struct DNS_entry DNS_entry; #endif @@ -2529,20 +2535,20 @@ typedef struct EncryptedInfo { #ifdef WOLFSSL_CALLBACKS WOLFSSL_LOCAL void InitHandShakeInfo(HandShakeInfo*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void FinishHandShakeInfo(HandShakeInfo*, const WOLFSSL*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void AddPacketName(const char*, HandShakeInfo*); WOLFSSL_LOCAL void InitTimeoutInfo(TimeoutInfo*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void FreeTimeoutInfo(TimeoutInfo*, void*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void AddPacketInfo(const char*, TimeoutInfo*, const byte*, int, void*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void AddLateName(const char*, TimeoutInfo*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void AddLateRecordHeader(const RecordLayerHeader* rl, TimeoutInfo* info); #endif @@ -2550,10 +2556,10 @@ typedef struct EncryptedInfo { /* Record Layer Header identifier from page 12 */ enum ContentType { no_type = 0, - change_cipher_spec = 20, - alert = 21, - handshake = 22, - application_data = 23 + change_cipher_spec = 20, + alert = 21, + handshake = 22, + application_data = 23 }; @@ -2576,16 +2582,16 @@ typedef struct DtlsHandShakeHeader { enum HandShakeType { no_shake = -1, - hello_request = 0, - client_hello = 1, + hello_request = 0, + client_hello = 1, server_hello = 2, hello_verify_request = 3, /* DTLS addition */ session_ticket = 4, - certificate = 11, + certificate = 11, server_key_exchange = 12, - certificate_request = 13, + certificate_request = 13, server_hello_done = 14, - certificate_verify = 15, + certificate_verify = 15, client_key_exchange = 16, finished = 20, certificate_status = 22, @@ -2685,7 +2691,7 @@ WOLFSSL_LOCAL int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength); #endif /* WOLFSSL_DTLS */ #ifndef NO_TLS - + #endif /* NO_TLS */ @@ -2721,4 +2727,3 @@ WOLFSSL_LOCAL int SetKeysSide(WOLFSSL*, enum encrypt_side); #endif #endif /* wolfSSL_INT_H */ - diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index d852d2be1..c11d3d5fd 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -166,35 +166,35 @@ typedef struct WOLFSSL_X509_STORE_CTX { /* Valid Alert types from page 16/17 */ enum AlertDescription { - close_notify = 0, - unexpected_message = 10, - bad_record_mac = 20, - record_overflow = 22, - decompression_failure = 30, - handshake_failure = 40, - no_certificate = 41, - bad_certificate = 42, - unsupported_certificate = 43, - certificate_revoked = 44, - certificate_expired = 45, - certificate_unknown = 46, - illegal_parameter = 47, - decrypt_error = 51, + close_notify = 0, + unexpected_message = 10, + bad_record_mac = 20, + record_overflow = 22, + decompression_failure = 30, + handshake_failure = 40, + no_certificate = 41, + bad_certificate = 42, + unsupported_certificate = 43, + certificate_revoked = 44, + certificate_expired = 45, + certificate_unknown = 46, + illegal_parameter = 47, + decrypt_error = 51, #ifdef WOLFSSL_MYSQL_COMPATIBLE /* catch name conflict for enum protocol with MYSQL build */ - wc_protocol_version = 70, + wc_protocol_version = 70, #else - protocol_version = 70, + protocol_version = 70, #endif - no_renegotiation = 100, - unrecognized_name = 112, - no_application_protocol = 120 + no_renegotiation = 100, + unrecognized_name = 112, /**< RFC 6066, section 3 */ + no_application_protocol = 120 }; enum AlertLevel { alert_warning = 1, - alert_fatal = 2 + alert_fatal = 2 }; @@ -1349,7 +1349,7 @@ WOLFSSL_API int wolfSSL_SNI_GetFromBuffer( #endif #endif -/* Application-Layer Protocol Name */ +/* Application-Layer Protocol Negotiation */ #ifdef HAVE_ALPN /* ALPN status code */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index b39114fa4..48e0412c2 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -779,4 +779,3 @@ WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL*); #endif /* !NO_ASN */ #endif /* WOLF_CRYPT_ASN_H */ -