mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 01:10:48 +02:00
827 lines
23 KiB
C
827 lines
23 KiB
C
/* ssl_ech.c
|
|
*
|
|
* Copyright (C) 2006-2026 wolfSSL Inc.
|
|
*
|
|
* This file is part of wolfSSL.
|
|
*
|
|
* wolfSSL is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* wolfSSL is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
|
*/
|
|
|
|
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
|
|
|
|
#if !defined(WOLFSSL_SSL_ECH_INCLUDED)
|
|
#ifndef WOLFSSL_IGNORE_FILE_WARN
|
|
#warning ssl_ech.c does not need to be compiled separately from ssl.c
|
|
#endif
|
|
#else
|
|
|
|
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
|
|
|
|
/* create the hpke key and ech config to send to clients */
|
|
int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx, const char* publicName,
|
|
word16 kemId, word16 kdfId, word16 aeadId)
|
|
{
|
|
int ret = 0;
|
|
WOLFSSL_EchConfig* newConfig;
|
|
word16 encLen = HPKE_Npk_MAX;
|
|
#ifdef WOLFSSL_SMALL_STACK
|
|
Hpke* hpke = NULL;
|
|
WC_RNG* rng;
|
|
#else
|
|
Hpke hpke[1];
|
|
WC_RNG rng[1];
|
|
#endif
|
|
|
|
if (ctx == NULL || publicName == NULL)
|
|
return BAD_FUNC_ARG;
|
|
|
|
/* ECH spec limits public_name to 255 bytes (1-byte length prefix) */
|
|
if (XSTRLEN(publicName) > 255)
|
|
return BAD_FUNC_ARG;
|
|
|
|
WC_ALLOC_VAR_EX(rng, WC_RNG, 1, ctx->heap, DYNAMIC_TYPE_RNG,
|
|
return MEMORY_E);
|
|
ret = wc_InitRng(rng);
|
|
if (ret != 0) {
|
|
WC_FREE_VAR_EX(rng, ctx->heap, DYNAMIC_TYPE_RNG);
|
|
return ret;
|
|
}
|
|
|
|
newConfig = (WOLFSSL_EchConfig*)XMALLOC(sizeof(WOLFSSL_EchConfig),
|
|
ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
if (newConfig == NULL)
|
|
ret = MEMORY_E;
|
|
else
|
|
XMEMSET(newConfig, 0, sizeof(WOLFSSL_EchConfig));
|
|
|
|
/* set random configId */
|
|
if (ret == 0)
|
|
ret = wc_RNG_GenerateByte(rng, &newConfig->configId);
|
|
|
|
/* if 0 is selected for algorithms use default, may change with draft */
|
|
if (kemId == 0)
|
|
kemId = DHKEM_X25519_HKDF_SHA256;
|
|
|
|
if (kdfId == 0)
|
|
kdfId = HKDF_SHA256;
|
|
|
|
if (aeadId == 0)
|
|
aeadId = HPKE_AES_128_GCM;
|
|
|
|
if (ret == 0) {
|
|
/* set the kem id */
|
|
newConfig->kemId = kemId;
|
|
|
|
/* set the cipher suite, only 1 for now */
|
|
newConfig->numCipherSuites = 1;
|
|
newConfig->cipherSuites =
|
|
(EchCipherSuite*)XMALLOC(sizeof(EchCipherSuite), ctx->heap,
|
|
DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
if (newConfig->cipherSuites == NULL) {
|
|
ret = MEMORY_E;
|
|
}
|
|
else {
|
|
newConfig->cipherSuites[0].kdfId = kdfId;
|
|
newConfig->cipherSuites[0].aeadId = aeadId;
|
|
}
|
|
}
|
|
|
|
#ifdef WOLFSSL_SMALL_STACK
|
|
if (ret == 0) {
|
|
hpke = (Hpke*)XMALLOC(sizeof(Hpke), ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
if (hpke == NULL)
|
|
ret = MEMORY_E;
|
|
}
|
|
#endif
|
|
|
|
if (ret == 0)
|
|
ret = wc_HpkeInit(hpke, kemId, kdfId, aeadId, ctx->heap);
|
|
|
|
/* generate the receiver private key */
|
|
if (ret == 0)
|
|
ret = wc_HpkeGenerateKeyPair(hpke, &newConfig->receiverPrivkey, rng);
|
|
|
|
/* done with RNG */
|
|
wc_FreeRng(rng);
|
|
|
|
/* serialize the receiver key */
|
|
if (ret == 0)
|
|
ret = wc_HpkeSerializePublicKey(hpke, newConfig->receiverPrivkey,
|
|
newConfig->receiverPubkey, &encLen);
|
|
|
|
if (ret == 0) {
|
|
newConfig->publicName = (char*)XMALLOC(XSTRLEN(publicName) + 1,
|
|
ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
if (newConfig->publicName == NULL) {
|
|
ret = MEMORY_E;
|
|
}
|
|
else {
|
|
XMEMCPY(newConfig->publicName, publicName,
|
|
XSTRLEN(publicName) + 1);
|
|
}
|
|
}
|
|
|
|
if (ret != 0) {
|
|
if (newConfig) {
|
|
if (newConfig->receiverPrivkey != NULL) {
|
|
wc_HpkeFreeKey(hpke, newConfig->kemId,
|
|
newConfig->receiverPrivkey, ctx->heap);
|
|
}
|
|
XFREE(newConfig->cipherSuites, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
XFREE(newConfig->publicName, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
XFREE(newConfig, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
}
|
|
}
|
|
else {
|
|
/* insert new configs at beginning of LL as preference should be given
|
|
* to the most recently generated configs */
|
|
if (ctx->echConfigs == NULL) {
|
|
ctx->echConfigs = newConfig;
|
|
}
|
|
else {
|
|
newConfig->next = ctx->echConfigs;
|
|
ctx->echConfigs = newConfig;
|
|
}
|
|
}
|
|
|
|
if (ret == 0)
|
|
ret = WOLFSSL_SUCCESS;
|
|
|
|
WC_FREE_VAR_EX(hpke, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
WC_FREE_VAR_EX(rng, ctx->heap, DYNAMIC_TYPE_RNG);
|
|
|
|
return ret;
|
|
}
|
|
|
|
int wolfSSL_CTX_SetEchConfigsBase64(WOLFSSL_CTX* ctx, const char* echConfigs64,
|
|
word32 echConfigs64Len)
|
|
{
|
|
int ret = 0;
|
|
word32 decodedLen = echConfigs64Len * 3 / 4 + 1;
|
|
byte* decodedConfigs;
|
|
|
|
if (ctx == NULL || echConfigs64 == NULL || echConfigs64Len == 0)
|
|
return BAD_FUNC_ARG;
|
|
|
|
decodedConfigs = (byte*)XMALLOC(decodedLen, ctx->heap,
|
|
DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
if (decodedConfigs == NULL)
|
|
return MEMORY_E;
|
|
|
|
decodedConfigs[decodedLen - 1] = 0;
|
|
|
|
/* decode the echConfigs */
|
|
ret = Base64_Decode((const byte*)echConfigs64, echConfigs64Len,
|
|
decodedConfigs, &decodedLen);
|
|
|
|
if (ret != 0) {
|
|
XFREE(decodedConfigs, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
return ret;
|
|
}
|
|
|
|
ret = wolfSSL_CTX_SetEchConfigs(ctx, decodedConfigs, decodedLen);
|
|
|
|
XFREE(decodedConfigs, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
return ret;
|
|
}
|
|
|
|
int wolfSSL_CTX_SetEchConfigs(WOLFSSL_CTX* ctx, const byte* echConfigs,
|
|
word32 echConfigsLen)
|
|
{
|
|
int ret;
|
|
|
|
if (ctx == NULL || echConfigs == NULL || echConfigsLen == 0)
|
|
return BAD_FUNC_ARG;
|
|
|
|
FreeEchConfigs(ctx->echConfigs, ctx->heap);
|
|
ctx->echConfigs = NULL;
|
|
ret = SetEchConfigsEx(&ctx->echConfigs, ctx->heap, echConfigs,
|
|
echConfigsLen);
|
|
|
|
if (ret == 0)
|
|
return WOLFSSL_SUCCESS;
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* get the ech configs that the server context is using */
|
|
int wolfSSL_CTX_GetEchConfigs(WOLFSSL_CTX* ctx, byte* output,
|
|
word32* outputLen) {
|
|
if (ctx == NULL || outputLen == NULL)
|
|
return BAD_FUNC_ARG;
|
|
|
|
/* if we don't have ech configs */
|
|
if (ctx->echConfigs == NULL)
|
|
return WOLFSSL_FATAL_ERROR;
|
|
|
|
return GetEchConfigsEx(ctx->echConfigs, output, outputLen);
|
|
}
|
|
|
|
void wolfSSL_CTX_SetEchEnable(WOLFSSL_CTX* ctx, byte enable)
|
|
{
|
|
if (ctx != NULL) {
|
|
ctx->disableECH = !enable;
|
|
if (ctx->disableECH) {
|
|
TLSX_Remove(&ctx->extensions, TLSX_ECH, ctx->heap);
|
|
FreeEchConfigs(ctx->echConfigs, ctx->heap);
|
|
ctx->echConfigs = NULL;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* set the ech config from base64 for our client ssl object, base64 is the
|
|
* format ech configs are sent using dns records */
|
|
int wolfSSL_SetEchConfigsBase64(WOLFSSL* ssl, const char* echConfigs64,
|
|
word32 echConfigs64Len)
|
|
{
|
|
int ret = 0;
|
|
word32 decodedLen = echConfigs64Len * 3 / 4 + 1;
|
|
byte* decodedConfigs;
|
|
|
|
if (ssl == NULL || echConfigs64 == NULL || echConfigs64Len == 0)
|
|
return BAD_FUNC_ARG;
|
|
|
|
/* already have ech configs */
|
|
if (ssl->echConfigs != NULL) {
|
|
return WOLFSSL_FATAL_ERROR;
|
|
}
|
|
|
|
decodedConfigs = (byte*)XMALLOC(decodedLen, ssl->heap,
|
|
DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
if (decodedConfigs == NULL)
|
|
return MEMORY_E;
|
|
|
|
decodedConfigs[decodedLen - 1] = 0;
|
|
|
|
/* decode the echConfigs */
|
|
ret = Base64_Decode((const byte*)echConfigs64, echConfigs64Len,
|
|
decodedConfigs, &decodedLen);
|
|
|
|
if (ret != 0) {
|
|
XFREE(decodedConfigs, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
return ret;
|
|
}
|
|
|
|
ret = wolfSSL_SetEchConfigs(ssl, decodedConfigs, decodedLen);
|
|
|
|
XFREE(decodedConfigs, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* set the ech config from a raw buffer, this is the format ech configs are
|
|
* sent using retry_configs from the ech server */
|
|
int wolfSSL_SetEchConfigs(WOLFSSL* ssl, const byte* echConfigs,
|
|
word32 echConfigsLen)
|
|
{
|
|
int ret;
|
|
|
|
if (ssl == NULL || echConfigs == NULL || echConfigsLen == 0)
|
|
return BAD_FUNC_ARG;
|
|
|
|
/* already have ech configs */
|
|
if (ssl->echConfigs != NULL) {
|
|
return WOLFSSL_FATAL_ERROR;
|
|
}
|
|
|
|
ret = SetEchConfigsEx(&ssl->echConfigs, ssl->heap, echConfigs,
|
|
echConfigsLen);
|
|
|
|
/* if we found valid configs */
|
|
if (ret == 0) {
|
|
return WOLFSSL_SUCCESS;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* store retry configs received during ECH rejection
|
|
* returns 0 on success, error otherwise */
|
|
int SetRetryConfigs(WOLFSSL* ssl, const byte* echConfigs, word32 echConfigsLen)
|
|
{
|
|
int ret;
|
|
|
|
if (ssl == NULL || echConfigs == NULL || echConfigsLen == 0)
|
|
return BAD_FUNC_ARG;
|
|
|
|
if (ssl->echRetryConfigs != NULL) {
|
|
return WOLFSSL_FATAL_ERROR;
|
|
}
|
|
|
|
ret = SetEchConfigsEx(&ssl->echRetryConfigs, ssl->heap, echConfigs,
|
|
echConfigsLen);
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* get the raw ech config from our struct */
|
|
int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen)
|
|
{
|
|
int i;
|
|
word16 totalLen = 0;
|
|
word16 kemEncLen;
|
|
word16 publicNameLen;
|
|
|
|
if (config == NULL || (output == NULL && outputLen == NULL))
|
|
return BAD_FUNC_ARG;
|
|
|
|
/* ECH spec limits public_name to 255 bytes (1-byte length prefix) */
|
|
if (config->publicName == NULL || XSTRLEN(config->publicName) > 255)
|
|
return BAD_FUNC_ARG;
|
|
publicNameLen = (word16)XSTRLEN(config->publicName);
|
|
|
|
/* 2 for version */
|
|
totalLen += 2;
|
|
/* 2 for length */
|
|
totalLen += 2;
|
|
/* 1 for configId */
|
|
totalLen += 1;
|
|
/* 2 for kemId */
|
|
totalLen += 2;
|
|
/* 2 for hpke_len */
|
|
totalLen += 2;
|
|
|
|
/* hpke_pub_key */
|
|
kemEncLen = wc_HpkeKemGetEncLen(config->kemId);
|
|
if (kemEncLen == 0)
|
|
return BAD_FUNC_ARG;
|
|
totalLen += kemEncLen;
|
|
|
|
/* cipherSuitesLen */
|
|
totalLen += 2;
|
|
/* cipherSuites */
|
|
totalLen += config->numCipherSuites * 4;
|
|
/* public name len */
|
|
totalLen += 2;
|
|
|
|
/* public name */
|
|
totalLen += publicNameLen;
|
|
/* trailing zeros */
|
|
totalLen += 2;
|
|
|
|
if (output == NULL) {
|
|
*outputLen = totalLen;
|
|
return WC_NO_ERR_TRACE(LENGTH_ONLY_E);
|
|
}
|
|
|
|
if (totalLen > *outputLen) {
|
|
*outputLen = totalLen;
|
|
return INPUT_SIZE_E;
|
|
}
|
|
|
|
/* version */
|
|
c16toa(TLSX_ECH, output);
|
|
output += 2;
|
|
|
|
/* length - 4 for version and length itself */
|
|
c16toa(totalLen - 4, output);
|
|
output += 2;
|
|
|
|
/* configId */
|
|
*output = config->configId;
|
|
output++;
|
|
/* kemId */
|
|
c16toa(config->kemId, output);
|
|
output += 2;
|
|
|
|
/* length and key itself */
|
|
c16toa(kemEncLen, output);
|
|
output += 2;
|
|
XMEMCPY(output, config->receiverPubkey, kemEncLen);
|
|
output += kemEncLen;
|
|
|
|
/* cipherSuites len */
|
|
c16toa(config->numCipherSuites * 4, output);
|
|
output += 2;
|
|
|
|
/* cipherSuites */
|
|
for (i = 0; i < config->numCipherSuites; i++) {
|
|
c16toa(config->cipherSuites[i].kdfId, output);
|
|
output += 2;
|
|
c16toa(config->cipherSuites[i].aeadId, output);
|
|
output += 2;
|
|
}
|
|
|
|
/* set maximum name length to 0 */
|
|
*output = 0;
|
|
output++;
|
|
|
|
/* publicName len */
|
|
*output = (byte)publicNameLen;
|
|
output++;
|
|
|
|
/* publicName */
|
|
XMEMCPY(output, config->publicName, publicNameLen);
|
|
output += publicNameLen;
|
|
|
|
/* terminating zeros */
|
|
c16toa(0, output);
|
|
/* output += 2; */
|
|
|
|
*outputLen = totalLen;
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* wrapper function to get ech configs from application code */
|
|
int wolfSSL_GetEchConfigs(WOLFSSL* ssl, byte* output, word32* outputLen)
|
|
{
|
|
if (ssl == NULL || outputLen == NULL)
|
|
return BAD_FUNC_ARG;
|
|
|
|
/* if we don't have ech configs */
|
|
if (ssl->echConfigs == NULL) {
|
|
return WOLFSSL_FATAL_ERROR;
|
|
}
|
|
|
|
return GetEchConfigsEx(ssl->echConfigs, output, outputLen);
|
|
}
|
|
|
|
/* wrapper function to get retry configs
|
|
* a client should only call this after the 'wolfSSL_connect()' call fails
|
|
* returns error if retry configs were not received or were malformed */
|
|
int wolfSSL_GetEchRetryConfigs(WOLFSSL* ssl, byte* output, word32* outputLen)
|
|
{
|
|
if (ssl == NULL || outputLen == NULL)
|
|
return BAD_FUNC_ARG;
|
|
|
|
if (ssl->echRetryConfigs == NULL || !ssl->options.echRetryConfigsAccepted) {
|
|
return WOLFSSL_FATAL_ERROR;
|
|
}
|
|
|
|
return GetEchConfigsEx(ssl->echRetryConfigs, output, outputLen);
|
|
}
|
|
|
|
void wolfSSL_SetEchEnable(WOLFSSL* ssl, byte enable)
|
|
{
|
|
if (ssl != NULL) {
|
|
ssl->options.disableECH = !enable;
|
|
if (ssl->options.disableECH) {
|
|
TLSX_Remove(&ssl->extensions, TLSX_ECH, ssl->heap);
|
|
FreeEchConfigs(ssl->echConfigs, ssl->heap);
|
|
ssl->echConfigs = NULL;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* Walk the ECHConfigExtension list and check for mandatory extensions.
|
|
* Returns:
|
|
* 0 if all extensions are known/optional,
|
|
* error otherwise. */
|
|
static int EchConfigCheckExtensions(const byte* exts, word16 extsLen)
|
|
{
|
|
word16 bytesLeft = extsLen;
|
|
word16 extType;
|
|
word16 extDataLen;
|
|
|
|
while (bytesLeft >= 4) {
|
|
ato16(exts, &extType);
|
|
ato16(exts + 2, &extDataLen);
|
|
if (bytesLeft - 4 < extDataLen)
|
|
return BUFFER_E;
|
|
if (extType & 0x8000)
|
|
return UNSUPPORTED_EXTENSION;
|
|
exts += 4 + extDataLen;
|
|
bytesLeft -= 4 + extDataLen;
|
|
}
|
|
|
|
if (bytesLeft != 0)
|
|
return BUFFER_E;
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* Parse the ECH configs and output to the corresponding outputConfigs
|
|
* return 0 on success, error otherwise */
|
|
int SetEchConfigsEx(WOLFSSL_EchConfig** outputConfigs, void* heap,
|
|
const byte* echConfigs, word32 echConfigsLen)
|
|
{
|
|
int ret = 0;
|
|
int unsupportedAlgos = 0;
|
|
word32 configIdx;
|
|
word32 idx;
|
|
int j;
|
|
word16 totalLength;
|
|
word16 version;
|
|
word16 length;
|
|
word16 hpkePubkeyLen;
|
|
word16 cipherSuitesLen;
|
|
word16 extensionsLen;
|
|
byte publicNameLen;
|
|
WOLFSSL_EchConfig* configList = NULL;
|
|
WOLFSSL_EchConfig* workingConfig = NULL;
|
|
WOLFSSL_EchConfig* lastConfig = NULL;
|
|
const byte* echConfig = NULL;
|
|
|
|
if (outputConfigs == NULL || echConfigs == NULL || echConfigsLen < 2)
|
|
return BAD_FUNC_ARG;
|
|
|
|
/* check that the total length is well formed */
|
|
ato16(echConfigs, &totalLength);
|
|
if (totalLength != echConfigsLen - 2)
|
|
return BUFFER_E;
|
|
|
|
configIdx = 2;
|
|
|
|
do {
|
|
/* version (2) + length (2) */
|
|
if (configIdx + 4 > echConfigsLen) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
echConfig = echConfigs + configIdx;
|
|
ato16(echConfig, &version);
|
|
ato16(echConfig + 2, &length);
|
|
|
|
if (configIdx + 4 + length > echConfigsLen) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
if (version != TLSX_ECH) {
|
|
configIdx += 4 + length;
|
|
continue;
|
|
}
|
|
|
|
if (workingConfig == NULL) {
|
|
workingConfig = (WOLFSSL_EchConfig*)XMALLOC(
|
|
sizeof(WOLFSSL_EchConfig), heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
configList = workingConfig;
|
|
}
|
|
else {
|
|
lastConfig = workingConfig;
|
|
workingConfig->next = (WOLFSSL_EchConfig*)XMALLOC(
|
|
sizeof(WOLFSSL_EchConfig), heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
workingConfig = workingConfig->next;
|
|
}
|
|
if (workingConfig == NULL) {
|
|
ret = MEMORY_E;
|
|
break;
|
|
}
|
|
XMEMSET(workingConfig, 0, sizeof(WOLFSSL_EchConfig));
|
|
|
|
workingConfig->rawLen = 4 + length;
|
|
workingConfig->raw = (byte*)XMALLOC(workingConfig->rawLen, heap,
|
|
DYNAMIC_TYPE_TMP_BUFFER);
|
|
if (workingConfig->raw == NULL) {
|
|
ret = MEMORY_E;
|
|
break;
|
|
}
|
|
XMEMCPY(workingConfig->raw, echConfig, workingConfig->rawLen);
|
|
|
|
/* version and length already checked */
|
|
echConfig += 4;
|
|
idx = 0;
|
|
|
|
/* configId */
|
|
if (idx + 1 > length) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
workingConfig->configId = echConfig[idx];
|
|
idx += 1;
|
|
|
|
/* kemId */
|
|
if (idx + 2 > length) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
ato16(echConfig + idx, &workingConfig->kemId);
|
|
idx += 2;
|
|
|
|
/* hpke public_key */
|
|
if (idx + 2 > length) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
ato16(echConfig + idx, &hpkePubkeyLen);
|
|
idx += 2;
|
|
if (idx + hpkePubkeyLen > length) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
/* unsupported KEM: skip pubkey; end of loop will free this config */
|
|
if (wc_HpkeKemIsSupported(workingConfig->kemId)) {
|
|
if (hpkePubkeyLen != wc_HpkeKemGetEncLen(workingConfig->kemId)) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
XMEMCPY(workingConfig->receiverPubkey, echConfig + idx, hpkePubkeyLen);
|
|
}
|
|
idx += hpkePubkeyLen;
|
|
|
|
/* cipher suites */
|
|
if (idx + 2 > length) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
ato16(echConfig + idx, &cipherSuitesLen);
|
|
idx += 2;
|
|
if (cipherSuitesLen == 0 || cipherSuitesLen % 4 != 0 ||
|
|
cipherSuitesLen >= 1024) {
|
|
/* numCipherSuites is a byte so only 256 ciphersuites (each 4 bytes)
|
|
* can be accessed */
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
if (idx + cipherSuitesLen > length) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
workingConfig->cipherSuites = (EchCipherSuite*)XMALLOC(cipherSuitesLen,
|
|
heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
if (workingConfig->cipherSuites == NULL) {
|
|
ret = MEMORY_E;
|
|
break;
|
|
}
|
|
workingConfig->numCipherSuites = (byte)(cipherSuitesLen / 4);
|
|
for (j = 0; j < workingConfig->numCipherSuites; j++) {
|
|
ato16(echConfig + idx, &workingConfig->cipherSuites[j].kdfId);
|
|
ato16(echConfig + idx + 2, &workingConfig->cipherSuites[j].aeadId);
|
|
idx += 4;
|
|
}
|
|
|
|
/* ignore maximum name length */
|
|
if (idx + 1 > length) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
idx += 1;
|
|
|
|
/* publicName */
|
|
if (idx + 1 > length) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
publicNameLen = echConfig[idx];
|
|
idx += 1;
|
|
if (publicNameLen == 0) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
if (idx + publicNameLen > length) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
workingConfig->publicName = (char*)XMALLOC(publicNameLen + 1, heap,
|
|
DYNAMIC_TYPE_TMP_BUFFER);
|
|
if (workingConfig->publicName == NULL) {
|
|
ret = MEMORY_E;
|
|
break;
|
|
}
|
|
XMEMCPY(workingConfig->publicName, echConfig + idx, publicNameLen);
|
|
workingConfig->publicName[publicNameLen] = '\0';
|
|
idx += publicNameLen;
|
|
|
|
/* extensions */
|
|
if (idx + 2 > length) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
ato16(echConfig + idx, &extensionsLen);
|
|
idx += 2;
|
|
if (idx + extensionsLen != length) {
|
|
ret = BUFFER_E;
|
|
break;
|
|
}
|
|
|
|
ret = EchConfigCheckExtensions(echConfig + idx, extensionsLen);
|
|
if (ret < 0)
|
|
break;
|
|
|
|
/* KEM, ciphersuite, or mandatory extension not supported, free this
|
|
* config and then try to parse another */
|
|
if (ret == WC_NO_ERR_TRACE(UNSUPPORTED_EXTENSION) ||
|
|
EchConfigGetSupportedCipherSuite(workingConfig) < 0) {
|
|
ret = 0;
|
|
unsupportedAlgos = 1;
|
|
XFREE(workingConfig->cipherSuites, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
XFREE(workingConfig->publicName, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
XFREE(workingConfig->raw, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
XFREE(workingConfig, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
workingConfig = lastConfig;
|
|
if (workingConfig != NULL)
|
|
workingConfig->next = NULL;
|
|
else
|
|
configList = NULL;
|
|
}
|
|
|
|
configIdx += 4 + length;
|
|
} while (configIdx < echConfigsLen);
|
|
|
|
if (ret == 0 && configIdx != echConfigsLen)
|
|
ret = BUFFER_E;
|
|
|
|
/* if we found valid configs */
|
|
if (ret == 0 && configList != NULL) {
|
|
*outputConfigs = configList;
|
|
|
|
return ret;
|
|
}
|
|
|
|
workingConfig = configList;
|
|
while (workingConfig != NULL) {
|
|
lastConfig = workingConfig;
|
|
workingConfig = workingConfig->next;
|
|
|
|
XFREE(lastConfig->cipherSuites, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
XFREE(lastConfig->publicName, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
XFREE(lastConfig->raw, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
XFREE(lastConfig, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
}
|
|
|
|
/* syntactically correct but configs are not supported */
|
|
if (ret == 0 && unsupportedAlgos)
|
|
return UNSUPPORTED_SUITE;
|
|
if (ret == 0)
|
|
return UNSUPPORTED_PROTO_VERSION;
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* get the raw ech configs from our linked list of ech config structs */
|
|
int GetEchConfigsEx(WOLFSSL_EchConfig* configs, byte* output, word32* outputLen)
|
|
{
|
|
int ret = 0;
|
|
WOLFSSL_EchConfig* workingConfig = NULL;
|
|
byte* outputStart = output;
|
|
word32 totalLen = 2;
|
|
word32 workingOutputLen = 0;
|
|
|
|
if (configs == NULL || outputLen == NULL ||
|
|
(output != NULL && *outputLen < totalLen)) {
|
|
return BAD_FUNC_ARG;
|
|
}
|
|
|
|
/* skip over total length which we fill in later */
|
|
if (output != NULL) {
|
|
workingOutputLen = *outputLen - totalLen;
|
|
output += 2;
|
|
}
|
|
else {
|
|
/* caller getting the size only, set current 2 byte length size */
|
|
*outputLen = totalLen;
|
|
}
|
|
|
|
workingConfig = configs;
|
|
|
|
while (workingConfig != NULL) {
|
|
/* get this config */
|
|
ret = GetEchConfig(workingConfig, output, &workingOutputLen);
|
|
|
|
if (output != NULL)
|
|
output += workingOutputLen;
|
|
|
|
/* add this config's length to the total length */
|
|
totalLen += workingOutputLen;
|
|
|
|
if (totalLen > *outputLen)
|
|
workingOutputLen = 0;
|
|
else
|
|
workingOutputLen = *outputLen - totalLen;
|
|
|
|
/* only error we break on, other 2 we need to keep finding length */
|
|
if (ret == WC_NO_ERR_TRACE(BAD_FUNC_ARG))
|
|
return BAD_FUNC_ARG;
|
|
|
|
workingConfig = workingConfig->next;
|
|
}
|
|
|
|
if (output == NULL) {
|
|
*outputLen = totalLen;
|
|
return WC_NO_ERR_TRACE(LENGTH_ONLY_E);
|
|
}
|
|
|
|
if (totalLen > *outputLen) {
|
|
*outputLen = totalLen;
|
|
return INPUT_SIZE_E;
|
|
}
|
|
|
|
/* total size -2 for size itself */
|
|
c16toa(totalLen - 2, outputStart);
|
|
|
|
*outputLen = totalLen;
|
|
|
|
return WOLFSSL_SUCCESS;
|
|
}
|
|
|
|
#endif /* WOLFSSL_TLS13 && HAVE_ECH */
|
|
|
|
#endif /* !WOLFSSL_SSL_ECH_INCLUDED */
|
|
|