3 * Copyright (C) 2006-2015 wolfSSL Inc.
5 * This file is part of wolfSSL. (formerly known as CyaSSL)
7 * wolfSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * wolfSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
27 #include <wolfssl/wolfcrypt/settings.h>
29 #include <wolfssl/ssl.h>
30 #include <wolfssl/internal.h>
31 #include <wolfssl/error-ssl.h>
32 #include <wolfssl/wolfcrypt/hmac.h>
34 #include <wolfssl/wolfcrypt/misc.h>
36 #include <wolfcrypt/src/misc.c>
44 #ifndef WOLFSSL_HAVE_MIN
45 #define WOLFSSL_HAVE_MIN
47 static INLINE word32 min(word32 a, word32 b)
52 #endif /* WOLFSSL_HAVE_MIN */
56 #define P_HASH_MAX_SIZE SHA384_DIGEST_SIZE
58 #define P_HASH_MAX_SIZE SHA256_DIGEST_SIZE
61 /* compute p_hash for MD5, SHA-1, SHA-256, or SHA-384 for TLSv1 PRF */
62 static int p_hash(byte* result, word32 resLen, const byte* secret,
63 word32 secLen, const byte* seed, word32 seedLen, int hash)
65 word32 len = P_HASH_MAX_SIZE;
72 #ifdef WOLFSSL_SMALL_STACK
77 byte previous[P_HASH_MAX_SIZE]; /* max size */
78 byte current[P_HASH_MAX_SIZE]; /* max size */
82 #ifdef WOLFSSL_SMALL_STACK
83 previous = (byte*)XMALLOC(P_HASH_MAX_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
84 current = (byte*)XMALLOC(P_HASH_MAX_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
85 hmac = (Hmac*)XMALLOC(sizeof(Hmac), NULL, DYNAMIC_TYPE_TMP_BUFFER);
87 if (previous == NULL || current == NULL || hmac == NULL) {
88 if (previous) XFREE(previous, NULL, DYNAMIC_TYPE_TMP_BUFFER);
89 if (current) XFREE(current, NULL, DYNAMIC_TYPE_TMP_BUFFER);
90 if (hmac) XFREE(hmac, NULL, DYNAMIC_TYPE_TMP_BUFFER);
100 len = MD5_DIGEST_SIZE;
107 len = SHA256_DIGEST_SIZE;
111 #ifdef WOLFSSL_SHA384
114 len = SHA384_DIGEST_SIZE;
122 len = SHA_DIGEST_SIZE;
127 times = resLen / len;
128 lastLen = resLen % len;
133 lastTime = times - 1;
135 if ((ret = wc_HmacSetKey(hmac, hash, secret, secLen)) == 0) {
136 if ((ret = wc_HmacUpdate(hmac, seed, seedLen)) == 0) { /* A0 = seed */
137 if ((ret = wc_HmacFinal(hmac, previous)) == 0) { /* A1 */
138 for (i = 0; i < times; i++) {
139 ret = wc_HmacUpdate(hmac, previous, len);
142 ret = wc_HmacUpdate(hmac, seed, seedLen);
145 ret = wc_HmacFinal(hmac, current);
149 if ((i == lastTime) && lastLen)
150 XMEMCPY(&result[idx], current,
151 min(lastLen, P_HASH_MAX_SIZE));
153 XMEMCPY(&result[idx], current, len);
155 ret = wc_HmacUpdate(hmac, previous, len);
158 ret = wc_HmacFinal(hmac, previous);
167 ForceZero(previous, P_HASH_MAX_SIZE);
168 ForceZero(current, P_HASH_MAX_SIZE);
169 ForceZero(hmac, sizeof(Hmac));
171 #ifdef WOLFSSL_SMALL_STACK
172 XFREE(previous, NULL, DYNAMIC_TYPE_TMP_BUFFER);
173 XFREE(current, NULL, DYNAMIC_TYPE_TMP_BUFFER);
174 XFREE(hmac, NULL, DYNAMIC_TYPE_TMP_BUFFER);
180 #undef P_HASH_MAX_SIZE
185 /* calculate XOR for TLSv1 PRF */
186 static INLINE void get_xor(byte *digest, word32 digLen, byte* md5, byte* sha)
190 for (i = 0; i < digLen; i++)
191 digest[i] = md5[i] ^ sha[i];
195 /* compute TLSv1 PRF (pseudo random function using HMAC) */
196 static int doPRF(byte* digest, word32 digLen, const byte* secret,word32 secLen,
197 const byte* label, word32 labLen, const byte* seed,
201 word32 half = (secLen + 1) / 2;
203 #ifdef WOLFSSL_SMALL_STACK
210 byte md5_half[MAX_PRF_HALF]; /* half is real size */
211 byte sha_half[MAX_PRF_HALF]; /* half is real size */
212 byte labelSeed[MAX_PRF_LABSEED]; /* labLen + seedLen is real size */
213 byte md5_result[MAX_PRF_DIG]; /* digLen is real size */
214 byte sha_result[MAX_PRF_DIG]; /* digLen is real size */
217 if (half > MAX_PRF_HALF)
219 if (labLen + seedLen > MAX_PRF_LABSEED)
221 if (digLen > MAX_PRF_DIG)
224 #ifdef WOLFSSL_SMALL_STACK
225 md5_half = (byte*)XMALLOC(MAX_PRF_HALF, NULL, DYNAMIC_TYPE_TMP_BUFFER);
226 sha_half = (byte*)XMALLOC(MAX_PRF_HALF, NULL, DYNAMIC_TYPE_TMP_BUFFER);
227 labelSeed = (byte*)XMALLOC(MAX_PRF_LABSEED, NULL, DYNAMIC_TYPE_TMP_BUFFER);
228 md5_result = (byte*)XMALLOC(MAX_PRF_DIG, NULL, DYNAMIC_TYPE_TMP_BUFFER);
229 sha_result = (byte*)XMALLOC(MAX_PRF_DIG, NULL, DYNAMIC_TYPE_TMP_BUFFER);
231 if (md5_half == NULL || sha_half == NULL || labelSeed == NULL ||
232 md5_result == NULL || sha_result == NULL) {
233 if (md5_half) XFREE(md5_half, NULL, DYNAMIC_TYPE_TMP_BUFFER);
234 if (sha_half) XFREE(sha_half, NULL, DYNAMIC_TYPE_TMP_BUFFER);
235 if (labelSeed) XFREE(labelSeed, NULL, DYNAMIC_TYPE_TMP_BUFFER);
236 if (md5_result) XFREE(md5_result, NULL, DYNAMIC_TYPE_TMP_BUFFER);
237 if (sha_result) XFREE(sha_result, NULL, DYNAMIC_TYPE_TMP_BUFFER);
243 XMEMSET(md5_result, 0, digLen);
244 XMEMSET(sha_result, 0, digLen);
246 XMEMCPY(md5_half, secret, half);
247 XMEMCPY(sha_half, secret + half - secLen % 2, half);
249 XMEMCPY(labelSeed, label, labLen);
250 XMEMCPY(labelSeed + labLen, seed, seedLen);
252 if ((ret = p_hash(md5_result, digLen, md5_half, half, labelSeed,
253 labLen + seedLen, md5_mac)) == 0) {
254 if ((ret = p_hash(sha_result, digLen, sha_half, half, labelSeed,
255 labLen + seedLen, sha_mac)) == 0) {
256 get_xor(digest, digLen, md5_result, sha_result);
260 #ifdef WOLFSSL_SMALL_STACK
261 XFREE(md5_half, NULL, DYNAMIC_TYPE_TMP_BUFFER);
262 XFREE(sha_half, NULL, DYNAMIC_TYPE_TMP_BUFFER);
263 XFREE(labelSeed, NULL, DYNAMIC_TYPE_TMP_BUFFER);
264 XFREE(md5_result, NULL, DYNAMIC_TYPE_TMP_BUFFER);
265 XFREE(sha_result, NULL, DYNAMIC_TYPE_TMP_BUFFER);
274 /* Wrapper to call straight thru to p_hash in TSL 1.2 cases to remove stack
276 static int PRF(byte* digest, word32 digLen, const byte* secret, word32 secLen,
277 const byte* label, word32 labLen, const byte* seed, word32 seedLen,
278 int useAtLeastSha256, int hash_type)
282 if (useAtLeastSha256) {
283 #ifdef WOLFSSL_SMALL_STACK
286 byte labelSeed[MAX_PRF_LABSEED]; /* labLen + seedLen is real size */
289 if (labLen + seedLen > MAX_PRF_LABSEED)
292 #ifdef WOLFSSL_SMALL_STACK
293 labelSeed = (byte*)XMALLOC(MAX_PRF_LABSEED, NULL,
294 DYNAMIC_TYPE_TMP_BUFFER);
295 if (labelSeed == NULL)
299 XMEMCPY(labelSeed, label, labLen);
300 XMEMCPY(labelSeed + labLen, seed, seedLen);
302 /* If a cipher suite wants an algorithm better than sha256, it
303 * should use better. */
304 if (hash_type < sha256_mac)
305 hash_type = sha256_mac;
306 ret = p_hash(digest, digLen, secret, secLen, labelSeed,
307 labLen + seedLen, hash_type);
309 #ifdef WOLFSSL_SMALL_STACK
310 XFREE(labelSeed, NULL, DYNAMIC_TYPE_TMP_BUFFER);
315 ret = doPRF(digest, digLen, secret, secLen, label, labLen, seed,
324 #ifdef WOLFSSL_SHA384
325 #define HSHASH_SZ SHA384_DIGEST_SIZE
327 #define HSHASH_SZ FINISHED_SZ
331 int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
334 byte handshake_hash[HSHASH_SZ];
335 word32 hashSz = FINISHED_SZ;
338 wc_Md5GetHash(&ssl->hsHashes->hashMd5, handshake_hash);
339 wc_ShaGetHash(&ssl->hsHashes->hashSha, &handshake_hash[MD5_DIGEST_SIZE]);
342 if (IsAtLeastTLSv1_2(ssl)) {
344 if (ssl->specs.mac_algorithm <= sha256_mac) {
345 int ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256,handshake_hash);
350 hashSz = SHA256_DIGEST_SIZE;
353 #ifdef WOLFSSL_SHA384
354 if (ssl->specs.mac_algorithm == sha384_mac) {
355 int ret = wc_Sha384Final(&ssl->hsHashes->hashSha384,handshake_hash);
360 hashSz = SHA384_DIGEST_SIZE;
365 if ( XSTRNCMP((const char*)sender, (const char*)client, SIZEOF_SENDER) == 0)
370 return PRF((byte*)hashes, TLS_FINISHED_SZ, ssl->arrays->masterSecret,
371 SECRET_LEN, side, FINISHED_LABEL_SZ, handshake_hash, hashSz,
372 IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
378 ProtocolVersion MakeTLSv1(void)
381 pv.major = SSLv3_MAJOR;
382 pv.minor = TLSv1_MINOR;
388 ProtocolVersion MakeTLSv1_1(void)
391 pv.major = SSLv3_MAJOR;
392 pv.minor = TLSv1_1_MINOR;
400 ProtocolVersion MakeTLSv1_2(void)
403 pv.major = SSLv3_MAJOR;
404 pv.minor = TLSv1_2_MINOR;
410 static const byte master_label[MASTER_LABEL_SZ + 1] = "master secret";
411 static const byte key_label [KEY_LABEL_SZ + 1] = "key expansion";
414 /* External facing wrapper so user can call as well, 0 on success */
415 int wolfSSL_DeriveTlsKeys(byte* key_data, word32 keyLen,
416 const byte* ms, word32 msLen,
417 const byte* sr, const byte* cr,
418 int tls1_2, int hash_type)
422 XMEMCPY(seed, sr, RAN_LEN);
423 XMEMCPY(seed + RAN_LEN, cr, RAN_LEN);
425 return PRF(key_data, keyLen, ms, msLen, key_label, KEY_LABEL_SZ,
426 seed, SEED_LEN, tls1_2, hash_type);
430 int DeriveTlsKeys(WOLFSSL* ssl)
433 int length = 2 * ssl->specs.hash_size +
434 2 * ssl->specs.key_size +
435 2 * ssl->specs.iv_size;
436 #ifdef WOLFSSL_SMALL_STACK
439 byte key_data[MAX_PRF_DIG];
442 #ifdef WOLFSSL_SMALL_STACK
443 key_data = (byte*)XMALLOC(MAX_PRF_DIG, NULL, DYNAMIC_TYPE_TMP_BUFFER);
444 if (key_data == NULL) {
449 ret = wolfSSL_DeriveTlsKeys(key_data, length,
450 ssl->arrays->masterSecret, SECRET_LEN,
451 ssl->arrays->serverRandom, ssl->arrays->clientRandom,
452 IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
454 ret = StoreKeys(ssl, key_data);
456 #ifdef WOLFSSL_SMALL_STACK
457 XFREE(key_data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
464 /* External facing wrapper so user can call as well, 0 on success */
465 int wolfSSL_MakeTlsMasterSecret(byte* ms, word32 msLen,
466 const byte* pms, word32 pmsLen,
467 const byte* cr, const byte* sr,
468 int tls1_2, int hash_type)
472 XMEMCPY(seed, cr, RAN_LEN);
473 XMEMCPY(seed + RAN_LEN, sr, RAN_LEN);
475 return PRF(ms, msLen, pms, pmsLen, master_label, MASTER_LABEL_SZ,
476 seed, SEED_LEN, tls1_2, hash_type);
480 int MakeTlsMasterSecret(WOLFSSL* ssl)
484 ret = wolfSSL_MakeTlsMasterSecret(ssl->arrays->masterSecret, SECRET_LEN,
485 ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
486 ssl->arrays->clientRandom, ssl->arrays->serverRandom,
487 IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
493 printf("master secret: ");
494 for (i = 0; i < SECRET_LEN; i++)
495 printf("%02x", ssl->arrays->masterSecret[i]);
499 ret = DeriveTlsKeys(ssl);
506 /* Used by EAP-TLS and EAP-TTLS to derive keying material from
507 * the master_secret. */
508 int wolfSSL_make_eap_keys(WOLFSSL* ssl, void* msk, unsigned int len,
512 #ifdef WOLFSSL_SMALL_STACK
518 #ifdef WOLFSSL_SMALL_STACK
519 seed = (byte*)XMALLOC(SEED_LEN, NULL, DYNAMIC_TYPE_TMP_BUFFER);
525 * As per RFC-5281, the order of the client and server randoms is reversed
526 * from that used by the TLS protocol to derive keys.
528 XMEMCPY(seed, ssl->arrays->clientRandom, RAN_LEN);
529 XMEMCPY(seed + RAN_LEN, ssl->arrays->serverRandom, RAN_LEN);
531 ret = PRF((byte*)msk, len, ssl->arrays->masterSecret, SECRET_LEN,
532 (const byte *)label, (word32)strlen(label), seed, SEED_LEN,
533 IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
535 #ifdef WOLFSSL_SMALL_STACK
536 XFREE(seed, NULL, DYNAMIC_TYPE_TMP_BUFFER);
543 /*** next for static INLINE s copied internal.c ***/
545 /* convert 16 bit integer to opaque */
546 static INLINE void c16toa(word16 u16, byte* c)
548 c[0] = (u16 >> 8) & 0xff;
552 #ifdef HAVE_TLS_EXTENSIONS
553 /* convert opaque to 16 bit integer */
554 static INLINE void ato16(const byte* c, word16* u16)
556 *u16 = (c[0] << 8) | (c[1]);
560 /* convert a 24 bit integer into a 32 bit one */
561 static INLINE void c24to32(const word24 u24, word32* u32)
563 *u32 = (u24[0] << 16) | (u24[1] << 8) | u24[2];
568 /* convert 32 bit integer to opaque */
569 static INLINE void c32toa(word32 u32, byte* c)
571 c[0] = (u32 >> 24) & 0xff;
572 c[1] = (u32 >> 16) & 0xff;
573 c[2] = (u32 >> 8) & 0xff;
578 static INLINE word32 GetSEQIncrement(WOLFSSL* ssl, int verify)
581 if (ssl->options.dtls) {
583 return ssl->keys.dtls_state.curSeq; /* explicit from peer */
585 return ssl->keys.dtls_sequence_number - 1; /* already incremented */
589 return ssl->keys.peer_sequence_number++;
591 return ssl->keys.sequence_number++;
597 static INLINE word32 GetEpoch(WOLFSSL* ssl, int verify)
600 return ssl->keys.dtls_state.curEpoch;
602 return ssl->keys.dtls_epoch;
605 #endif /* WOLFSSL_DTLS */
611 /* return HMAC digest type in wolfSSL format */
612 int wolfSSL_GetHmacType(WOLFSSL* ssl)
617 switch (ssl->specs.mac_algorithm) {
630 #ifdef WOLFSSL_SHA384
651 return SSL_FATAL_ERROR;
657 int wolfSSL_SetTlsHmacInner(WOLFSSL* ssl, byte* inner, word32 sz, int content,
660 if (ssl == NULL || inner == NULL)
663 XMEMSET(inner, 0, WOLFSSL_TLS_HMAC_INNER_SZ);
666 if (ssl->options.dtls)
667 c16toa((word16)GetEpoch(ssl, verify), inner);
669 c32toa(GetSEQIncrement(ssl, verify), &inner[sizeof(word32)]);
670 inner[SEQ_SZ] = (byte)content;
671 inner[SEQ_SZ + ENUM_LEN] = ssl->version.major;
672 inner[SEQ_SZ + ENUM_LEN + ENUM_LEN] = ssl->version.minor;
673 c16toa((word16)sz, inner + SEQ_SZ + ENUM_LEN + VERSION_SZ);
680 int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
681 int content, int verify)
685 byte myInner[WOLFSSL_TLS_HMAC_INNER_SZ];
692 ssl->fuzzerCb(ssl, in, sz, FUZZ_HMAC, ssl->fuzzerCtx);
695 wolfSSL_SetTlsHmacInner(ssl, myInner, sz, content, verify);
697 ret = wc_HmacSetKey(&hmac, wolfSSL_GetHmacType(ssl),
698 wolfSSL_GetMacSecret(ssl, verify), ssl->specs.hash_size);
701 ret = wc_HmacUpdate(&hmac, myInner, sizeof(myInner));
704 ret = wc_HmacUpdate(&hmac, in, sz); /* content */
707 ret = wc_HmacFinal(&hmac, digest);
714 #ifdef HAVE_TLS_EXTENSIONS
717 /** Supports up to 64 flags. Update as needed. */
718 #define SEMAPHORE_SIZE 8
721 static INLINE word16 TLSX_ToSemaphore(word16 type)
724 case SECURE_RENEGOTIATION:
729 /* This message SHOULD only happens during the adding of
730 new TLS extensions in which its IANA number overflows
731 the current semaphore's range, or if its number already
732 is assigned to be used by another extension.
733 Use this check value for the new extension and decrement
734 the check value by one. */
735 WOLFSSL_MSG("### TLSX semaphore colision or overflow detected!");
743 #define IS_OFF(semaphore, light) \
744 ((semaphore)[(light) / 8] ^ (byte) (0x01 << ((light) % 8)))
747 #define TURN_ON(semaphore, light) \
748 ((semaphore)[(light) / 8] |= (byte) (0x01 << ((light) % 8)))
751 static int TLSX_Push(TLSX** list, TLSX_Type type, void* data)
755 extension = (TLSX*)XMALLOC(sizeof(TLSX), 0, DYNAMIC_TYPE_TLSX);
756 if (extension == NULL)
759 extension->type = type;
760 extension->data = data;
762 extension->next = *list;
765 /* remove duplicated extensions, there should be only one of each type. */
767 if (extension->next && extension->next->type == type) {
768 TLSX *next = extension->next;
770 extension->next = next->next;
775 /* there is no way to occur more than */
776 /* two extensions of the same type. */
779 } while ((extension = extension->next));
785 #ifndef NO_WOLFSSL_SERVER
787 void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type);
789 void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type)
791 TLSX *ext = TLSX_Find(ssl->extensions, type);
799 /* SNI - Server Name Indication */
803 static void TLSX_SNI_Free(SNI* sni)
807 case WOLFSSL_SNI_HOST_NAME:
808 XFREE(sni->data.host_name, 0, DYNAMIC_TYPE_TLSX);
812 XFREE(sni, 0, DYNAMIC_TYPE_TLSX);
816 static void TLSX_SNI_FreeAll(SNI* list)
820 while ((sni = list)) {
826 static int TLSX_SNI_Append(SNI** list, byte type, const void* data, word16 size)
833 if ((sni = XMALLOC(sizeof(SNI), 0, DYNAMIC_TYPE_TLSX)) == NULL)
837 case WOLFSSL_SNI_HOST_NAME: {
838 sni->data.host_name = XMALLOC(size + 1, 0, DYNAMIC_TYPE_TLSX);
840 if (sni->data.host_name) {
841 XSTRNCPY(sni->data.host_name, (const char*)data, size);
842 sni->data.host_name[size] = 0;
844 XFREE(sni, 0, DYNAMIC_TYPE_TLSX);
850 default: /* invalid type */
851 XFREE(sni, 0, DYNAMIC_TYPE_TLSX);
858 #ifndef NO_WOLFSSL_SERVER
860 sni->status = WOLFSSL_SNI_NO_MATCH;
868 static word16 TLSX_SNI_GetSize(SNI* list)
871 word16 length = OPAQUE16_LEN; /* list length */
873 while ((sni = list)) {
876 length += ENUM_LEN + OPAQUE16_LEN; /* sni type + sni length */
879 case WOLFSSL_SNI_HOST_NAME:
880 length += XSTRLEN((char*)sni->data.host_name);
888 static word16 TLSX_SNI_Write(SNI* list, byte* output)
892 word16 offset = OPAQUE16_LEN; /* list length offset */
894 while ((sni = list)) {
897 output[offset++] = sni->type; /* sni type */
900 case WOLFSSL_SNI_HOST_NAME:
901 length = XSTRLEN((char*)sni->data.host_name);
903 c16toa(length, output + offset); /* sni length */
904 offset += OPAQUE16_LEN;
906 XMEMCPY(output + offset, sni->data.host_name, length);
913 c16toa(offset - OPAQUE16_LEN, output); /* writing list length */
918 static SNI* TLSX_SNI_Find(SNI *list, byte type)
922 while (sni && sni->type != type)
928 #ifndef NO_WOLFSSL_SERVER
929 static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status)
931 TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
932 SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
935 sni->status = status;
936 WOLFSSL_MSG("SNI did match!");
940 byte TLSX_SNI_Status(TLSX* extensions, byte type)
942 TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
943 SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
952 static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
955 #ifndef NO_WOLFSSL_SERVER
960 TLSX *extension = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION);
963 extension = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION);
965 if (!extension || !extension->data)
966 return isRequest ? 0 : BUFFER_ERROR; /* not using SNI OR unexpected
967 SNI response from server. */
970 return length ? BUFFER_ERROR : 0; /* SNI response must be empty!
971 Nothing else to do. */
973 #ifndef NO_WOLFSSL_SERVER
975 if (OPAQUE16_LEN > length)
979 offset += OPAQUE16_LEN;
981 /* validating sni list length */
982 if (length != OPAQUE16_LEN + size)
985 for (size = 0; offset < length; offset += size) {
987 byte type = input[offset++];
989 if (offset + OPAQUE16_LEN > length)
992 ato16(input + offset, &size);
993 offset += OPAQUE16_LEN;
995 if (offset + size > length)
998 if (!(sni = TLSX_SNI_Find((SNI*)extension->data, type))) {
999 continue; /* not using this SNI type */
1003 case WOLFSSL_SNI_HOST_NAME: {
1004 byte matched = (XSTRLEN(sni->data.host_name) == size)
1005 && (XSTRNCMP(sni->data.host_name,
1006 (const char*)input + offset, size) == 0);
1008 if (matched || sni->options & WOLFSSL_SNI_ANSWER_ON_MISMATCH) {
1009 int r = TLSX_UseSNI(&ssl->extensions,
1010 type, input + offset, size);
1012 if (r != SSL_SUCCESS) return r; /* throw error */
1014 TLSX_SNI_SetStatus(ssl->extensions, type,
1015 matched ? WOLFSSL_SNI_REAL_MATCH : WOLFSSL_SNI_FAKE_MATCH);
1017 } else if (!(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) {
1018 SendAlert(ssl, alert_fatal, unrecognized_name);
1020 return UNKNOWN_SNI_HOST_NAME_E;
1026 TLSX_SetResponse(ssl, SERVER_NAME_INDICATION);
1034 int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size)
1036 TLSX* extension = TLSX_Find(*extensions, SERVER_NAME_INDICATION);
1040 if (extensions == NULL || data == NULL)
1041 return BAD_FUNC_ARG;
1043 if ((ret = TLSX_SNI_Append(&sni, type, data, size)) != 0)
1047 if ((ret = TLSX_Push(extensions, SERVER_NAME_INDICATION, (void*)sni))
1054 /* push new SNI object to extension data. */
1055 sni->next = (SNI*)extension->data;
1056 extension->data = (void*)sni;
1058 /* look for another server name of the same type to remove */
1060 if (sni->next && sni->next->type == type) {
1061 SNI *next = sni->next;
1063 sni->next = next->next;
1064 TLSX_SNI_Free(next);
1068 } while ((sni = sni->next));
1074 #ifndef NO_WOLFSSL_SERVER
1075 word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data)
1077 TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
1078 SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
1080 if (sni && sni->status != WOLFSSL_SNI_NO_MATCH) {
1081 switch (sni->type) {
1082 case WOLFSSL_SNI_HOST_NAME:
1083 *data = sni->data.host_name;
1084 return XSTRLEN(*data);
1091 void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options)
1093 TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
1094 SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
1097 sni->options = options;
1100 int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
1101 byte type, byte* sni, word32* inOutSz)
1107 if (helloSz < RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + CLIENT_HELLO_FIRST)
1108 return INCOMPLETE_DATA;
1110 /* TLS record header */
1111 if ((enum ContentType) clientHello[offset++] != handshake)
1112 return BUFFER_ERROR;
1114 if (clientHello[offset++] != SSLv3_MAJOR)
1115 return BUFFER_ERROR;
1117 if (clientHello[offset++] < TLSv1_MINOR)
1118 return SNI_UNSUPPORTED;
1120 ato16(clientHello + offset, &len16);
1121 offset += OPAQUE16_LEN;
1123 if (offset + len16 > helloSz)
1124 return INCOMPLETE_DATA;
1126 /* Handshake header */
1127 if ((enum HandShakeType) clientHello[offset] != client_hello)
1128 return BUFFER_ERROR;
1130 c24to32(clientHello + offset + 1, &len32);
1131 offset += HANDSHAKE_HEADER_SZ;
1133 if (offset + len32 > helloSz)
1134 return BUFFER_ERROR;
1137 offset += VERSION_SZ + RAN_LEN; /* version, random */
1139 if (helloSz < offset + clientHello[offset])
1140 return BUFFER_ERROR;
1142 offset += ENUM_LEN + clientHello[offset]; /* skip session id */
1145 if (helloSz < offset + OPAQUE16_LEN)
1146 return BUFFER_ERROR;
1148 ato16(clientHello + offset, &len16);
1149 offset += OPAQUE16_LEN;
1151 if (helloSz < offset + len16)
1152 return BUFFER_ERROR;
1154 offset += len16; /* skip cypher suites */
1156 /* compression methods */
1157 if (helloSz < offset + 1)
1158 return BUFFER_ERROR;
1160 if (helloSz < offset + clientHello[offset])
1161 return BUFFER_ERROR;
1163 offset += ENUM_LEN + clientHello[offset]; /* skip compression methods */
1166 if (helloSz < offset + OPAQUE16_LEN)
1167 return 0; /* no extensions in client hello. */
1169 ato16(clientHello + offset, &len16);
1170 offset += OPAQUE16_LEN;
1172 if (helloSz < offset + len16)
1173 return BUFFER_ERROR;
1175 while (len16 >= OPAQUE16_LEN + OPAQUE16_LEN) {
1179 ato16(clientHello + offset, &extType);
1180 offset += OPAQUE16_LEN;
1182 ato16(clientHello + offset, &extLen);
1183 offset += OPAQUE16_LEN;
1185 if (helloSz < offset + extLen)
1186 return BUFFER_ERROR;
1188 if (extType != SERVER_NAME_INDICATION) {
1189 offset += extLen; /* skip extension */
1193 ato16(clientHello + offset, &listLen);
1194 offset += OPAQUE16_LEN;
1196 if (helloSz < offset + listLen)
1197 return BUFFER_ERROR;
1199 while (listLen > ENUM_LEN + OPAQUE16_LEN) {
1200 byte sniType = clientHello[offset++];
1203 ato16(clientHello + offset, &sniLen);
1204 offset += OPAQUE16_LEN;
1206 if (helloSz < offset + sniLen)
1207 return BUFFER_ERROR;
1209 if (sniType != type) {
1211 listLen -= min(ENUM_LEN + OPAQUE16_LEN + sniLen, listLen);
1215 *inOutSz = min(sniLen, *inOutSz);
1216 XMEMCPY(sni, clientHello + offset, *inOutSz);
1222 len16 -= min(2 * OPAQUE16_LEN + extLen, len16);
1225 return len16 ? BUFFER_ERROR : 0;
1230 #define SNI_FREE_ALL TLSX_SNI_FreeAll
1231 #define SNI_GET_SIZE TLSX_SNI_GetSize
1232 #define SNI_WRITE TLSX_SNI_Write
1233 #define SNI_PARSE TLSX_SNI_Parse
1237 #define SNI_FREE_ALL(list)
1238 #define SNI_GET_SIZE(list) 0
1239 #define SNI_WRITE(a, b) 0
1240 #define SNI_PARSE(a, b, c, d) 0
1242 #endif /* HAVE_SNI */
1244 #ifdef HAVE_MAX_FRAGMENT
1246 static word16 TLSX_MFL_Write(byte* data, byte* output)
1248 output[0] = data[0];
1253 static int TLSX_MFL_Parse(WOLFSSL* ssl, byte* input, word16 length,
1256 if (length != ENUM_LEN)
1257 return BUFFER_ERROR;
1260 case WOLFSSL_MFL_2_9 : ssl->max_fragment = 512; break;
1261 case WOLFSSL_MFL_2_10: ssl->max_fragment = 1024; break;
1262 case WOLFSSL_MFL_2_11: ssl->max_fragment = 2048; break;
1263 case WOLFSSL_MFL_2_12: ssl->max_fragment = 4096; break;
1264 case WOLFSSL_MFL_2_13: ssl->max_fragment = 8192; break;
1267 SendAlert(ssl, alert_fatal, illegal_parameter);
1269 return UNKNOWN_MAX_FRAG_LEN_E;
1272 #ifndef NO_WOLFSSL_SERVER
1274 int r = TLSX_UseMaxFragment(&ssl->extensions, *input);
1276 if (r != SSL_SUCCESS) return r; /* throw error */
1278 TLSX_SetResponse(ssl, MAX_FRAGMENT_LENGTH);
1285 int TLSX_UseMaxFragment(TLSX** extensions, byte mfl)
1290 if (extensions == NULL)
1291 return BAD_FUNC_ARG;
1293 if (mfl < WOLFSSL_MFL_2_9 || WOLFSSL_MFL_2_13 < mfl)
1294 return BAD_FUNC_ARG;
1296 if ((data = XMALLOC(ENUM_LEN, 0, DYNAMIC_TYPE_TLSX)) == NULL)
1301 /* push new MFL extension. */
1302 if ((ret = TLSX_Push(extensions, MAX_FRAGMENT_LENGTH, data)) != 0) {
1303 XFREE(data, 0, DYNAMIC_TYPE_TLSX);
1311 #define MFL_FREE_ALL(data) XFREE(data, 0, DYNAMIC_TYPE_TLSX)
1312 #define MFL_GET_SIZE(data) ENUM_LEN
1313 #define MFL_WRITE TLSX_MFL_Write
1314 #define MFL_PARSE TLSX_MFL_Parse
1318 #define MFL_FREE_ALL(a)
1319 #define MFL_GET_SIZE(a) 0
1320 #define MFL_WRITE(a, b) 0
1321 #define MFL_PARSE(a, b, c, d) 0
1323 #endif /* HAVE_MAX_FRAGMENT */
1325 #ifdef HAVE_TRUNCATED_HMAC
1327 static int TLSX_THM_Parse(WOLFSSL* ssl, byte* input, word16 length,
1330 if (length != 0 || input == NULL)
1331 return BUFFER_ERROR;
1333 #ifndef NO_WOLFSSL_SERVER
1335 int r = TLSX_UseTruncatedHMAC(&ssl->extensions);
1337 if (r != SSL_SUCCESS) return r; /* throw error */
1339 TLSX_SetResponse(ssl, TRUNCATED_HMAC);
1343 ssl->truncated_hmac = 1;
1348 int TLSX_UseTruncatedHMAC(TLSX** extensions)
1352 if (extensions == NULL)
1353 return BAD_FUNC_ARG;
1355 if ((ret = TLSX_Push(extensions, TRUNCATED_HMAC, NULL)) != 0)
1361 #define THM_PARSE TLSX_THM_Parse
1365 #define THM_PARSE(a, b, c, d) 0
1367 #endif /* HAVE_TRUNCATED_HMAC */
1369 #ifdef HAVE_SUPPORTED_CURVES
1372 #error Elliptic Curves Extension requires Elliptic Curve Cryptography. \
1373 Use --enable-ecc in the configure script or define HAVE_ECC.
1376 static void TLSX_EllipticCurve_FreeAll(EllipticCurve* list)
1378 EllipticCurve* curve;
1380 while ((curve = list)) {
1382 XFREE(curve, 0, DYNAMIC_TYPE_TLSX);
1386 static int TLSX_EllipticCurve_Append(EllipticCurve** list, word16 name)
1388 EllipticCurve* curve;
1391 return BAD_FUNC_ARG;
1393 if ((curve = XMALLOC(sizeof(EllipticCurve), 0, DYNAMIC_TYPE_TLSX)) == NULL)
1397 curve->next = *list;
1404 #ifndef NO_WOLFSSL_CLIENT
1406 static void TLSX_EllipticCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
1410 for (i = 0; i < ssl->suites->suiteSz; i+= 2)
1411 if (ssl->suites->suites[i] == ECC_BYTE)
1414 /* No elliptic curve suite found */
1415 TURN_ON(semaphore, TLSX_ToSemaphore(ELLIPTIC_CURVES));
1418 static word16 TLSX_EllipticCurve_GetSize(EllipticCurve* list)
1420 EllipticCurve* curve;
1421 word16 length = OPAQUE16_LEN; /* list length */
1423 while ((curve = list)) {
1425 length += OPAQUE16_LEN; /* curve length */
1431 static word16 TLSX_EllipticCurve_WriteR(EllipticCurve* curve, byte* output);
1432 static word16 TLSX_EllipticCurve_WriteR(EllipticCurve* curve, byte* output)
1439 offset = TLSX_EllipticCurve_WriteR(curve->next, output);
1440 c16toa(curve->name, output + offset);
1442 return OPAQUE16_LEN + offset;
1445 static word16 TLSX_EllipticCurve_Write(EllipticCurve* list, byte* output)
1447 word16 length = TLSX_EllipticCurve_WriteR(list, output + OPAQUE16_LEN);
1449 c16toa(length, output); /* writing list length */
1451 return OPAQUE16_LEN + length;
1454 #endif /* NO_WOLFSSL_CLIENT */
1455 #ifndef NO_WOLFSSL_SERVER
1457 static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length,
1464 (void) isRequest; /* shut up compiler! */
1466 if (OPAQUE16_LEN > length || length % OPAQUE16_LEN)
1467 return BUFFER_ERROR;
1469 ato16(input, &offset);
1471 /* validating curve list length */
1472 if (length != OPAQUE16_LEN + offset)
1473 return BUFFER_ERROR;
1476 ato16(input + offset, &name);
1477 offset -= OPAQUE16_LEN;
1479 r = TLSX_UseSupportedCurve(&ssl->extensions, name);
1481 if (r != SSL_SUCCESS) return r; /* throw error */
1487 int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
1488 TLSX* extension = (first == ECC_BYTE)
1489 ? TLSX_Find(ssl->extensions, ELLIPTIC_CURVES)
1491 EllipticCurve* curve = NULL;
1493 word16 octets = 0; /* acording to 'ecc_set_type ecc_sets[];' */
1494 int sig = 0; /* valitade signature */
1495 int key = 0; /* validate key */
1501 return 1; /* no suite restriction */
1503 for (curve = extension->data; curve && !(sig && key); curve = curve->next) {
1505 switch (curve->name) {
1506 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
1507 case WOLFSSL_ECC_SECP160R1: oid = ECC_160R1; octets = 20; break;
1509 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
1510 case WOLFSSL_ECC_SECP192R1: oid = ECC_192R1; octets = 24; break;
1512 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
1513 case WOLFSSL_ECC_SECP224R1: oid = ECC_224R1; octets = 28; break;
1515 #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
1516 case WOLFSSL_ECC_SECP256R1: oid = ECC_256R1; octets = 32; break;
1518 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
1519 case WOLFSSL_ECC_SECP384R1: oid = ECC_384R1; octets = 48; break;
1521 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
1522 case WOLFSSL_ECC_SECP521R1: oid = ECC_521R1; octets = 66; break;
1524 default: continue; /* unsupported curve */
1530 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
1531 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
1532 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
1533 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
1534 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
1535 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
1536 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
1537 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
1538 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
1539 case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8:
1540 sig |= ssl->pkCurveOID == oid;
1541 key |= ssl->eccTempKeySz == octets;
1545 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
1546 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
1547 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
1548 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
1549 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
1550 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
1551 case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
1552 case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
1553 sig |= ssl->pkCurveOID == oid;
1554 key |= ssl->pkCurveOID == oid;
1559 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
1560 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
1561 case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
1562 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
1563 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
1564 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
1565 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
1566 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
1568 key |= ssl->eccTempKeySz == octets;
1572 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
1573 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
1574 case TLS_ECDH_RSA_WITH_RC4_128_SHA:
1575 case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
1576 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
1577 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
1578 case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
1579 case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
1581 key |= ssl->pkCurveOID == oid;
1594 #endif /* NO_WOLFSSL_SERVER */
1596 int TLSX_UseSupportedCurve(TLSX** extensions, word16 name)
1598 TLSX* extension = TLSX_Find(*extensions, ELLIPTIC_CURVES);
1599 EllipticCurve* curve = NULL;
1602 if (extensions == NULL)
1603 return BAD_FUNC_ARG;
1605 if ((ret = TLSX_EllipticCurve_Append(&curve, name)) != 0)
1609 if ((ret = TLSX_Push(extensions, ELLIPTIC_CURVES, curve)) != 0) {
1610 XFREE(curve, 0, DYNAMIC_TYPE_TLSX);
1615 /* push new EllipticCurve object to extension data. */
1616 curve->next = (EllipticCurve*)extension->data;
1617 extension->data = (void*)curve;
1619 /* look for another curve of the same name to remove (replacement) */
1621 if (curve->next && curve->next->name == name) {
1622 EllipticCurve *next = curve->next;
1624 curve->next = next->next;
1625 XFREE(next, 0, DYNAMIC_TYPE_TLSX);
1629 } while ((curve = curve->next));
1635 #define EC_FREE_ALL TLSX_EllipticCurve_FreeAll
1636 #define EC_VALIDATE_REQUEST TLSX_EllipticCurve_ValidateRequest
1638 #ifndef NO_WOLFSSL_CLIENT
1639 #define EC_GET_SIZE TLSX_EllipticCurve_GetSize
1640 #define EC_WRITE TLSX_EllipticCurve_Write
1642 #define EC_GET_SIZE(list) 0
1643 #define EC_WRITE(a, b) 0
1646 #ifndef NO_WOLFSSL_SERVER
1647 #define EC_PARSE TLSX_EllipticCurve_Parse
1649 #define EC_PARSE(a, b, c, d) 0
1654 #define EC_FREE_ALL(list)
1655 #define EC_GET_SIZE(list) 0
1656 #define EC_WRITE(a, b) 0
1657 #define EC_PARSE(a, b, c, d) 0
1658 #define EC_VALIDATE_REQUEST(a, b)
1660 #endif /* HAVE_SUPPORTED_CURVES */
1662 #ifdef HAVE_SECURE_RENEGOTIATION
1664 static byte TLSX_SecureRenegotiation_GetSize(SecureRenegotiation* data,
1667 byte length = OPAQUE8_LEN; /* empty info length */
1669 if (data->enabled) {
1670 /* client sends client_verify_data only */
1671 length += TLS_FINISHED_SZ;
1673 /* server also sends server_verify_data */
1675 length += TLS_FINISHED_SZ;
1681 static word16 TLSX_SecureRenegotiation_Write(SecureRenegotiation* data,
1682 byte* output, int isRequest)
1684 word16 offset = OPAQUE8_LEN; /* RenegotiationInfo length */
1686 if (data->enabled) {
1687 /* client sends client_verify_data only */
1688 XMEMCPY(output + offset, data->client_verify_data, TLS_FINISHED_SZ);
1689 offset += TLS_FINISHED_SZ;
1691 /* server also sends server_verify_data */
1693 XMEMCPY(output + offset, data->server_verify_data, TLS_FINISHED_SZ);
1694 offset += TLS_FINISHED_SZ;
1698 output[0] = offset - 1; /* info length - self */
1703 static int TLSX_SecureRenegotiation_Parse(WOLFSSL* ssl, byte* input,
1704 word16 length, byte isRequest)
1706 int ret = SECURE_RENEGOTIATION_E;
1708 if (length >= OPAQUE8_LEN) {
1709 if (ssl->secure_renegotiation == NULL) {
1710 #ifndef NO_WOLFSSL_SERVER
1711 if (isRequest && *input == 0) {
1712 ret = 0; /* don't reply, user didn't enable */
1716 else if (isRequest) {
1717 #ifndef NO_WOLFSSL_SERVER
1718 if (*input == TLS_FINISHED_SZ) {
1719 /* TODO compare client_verify_data */
1725 #ifndef NO_WOLFSSL_CLIENT
1726 if (!ssl->secure_renegotiation->enabled) {
1728 ssl->secure_renegotiation->enabled = 1;
1732 else if (*input == 2 * TLS_FINISHED_SZ) {
1733 /* TODO compare client_verify_data and server_verify_data */
1741 /* TODO: turn on fatal error at ssl level too */
1742 SendAlert(ssl, alert_fatal, handshake_failure);
1748 int TLSX_UseSecureRenegotiation(TLSX** extensions)
1751 SecureRenegotiation* data = NULL;
1753 data = (SecureRenegotiation*)XMALLOC(sizeof(SecureRenegotiation), NULL,
1758 XMEMSET(data, 0, sizeof(SecureRenegotiation));
1760 ret = TLSX_Push(extensions, SECURE_RENEGOTIATION, data);
1762 XFREE(data, 0, DYNAMIC_TYPE_TLSX);
1770 #define SCR_FREE_ALL(data) XFREE(data, NULL, DYNAMIC_TYPE_TLSX)
1771 #define SCR_GET_SIZE TLSX_SecureRenegotiation_GetSize
1772 #define SCR_WRITE TLSX_SecureRenegotiation_Write
1773 #define SCR_PARSE TLSX_SecureRenegotiation_Parse
1777 #define SCR_FREE_ALL(a)
1778 #define SCR_GET_SIZE(a, b) 0
1779 #define SCR_WRITE(a, b, c) 0
1780 #define SCR_PARSE(a, b, c, d) 0
1782 #endif /* HAVE_SECURE_RENEGOTIATION */
1784 #ifdef HAVE_SESSION_TICKET
1786 static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl)
1788 TLSX* extension = TLSX_Find(ssl->extensions, SESSION_TICKET);
1789 SessionTicket* ticket = extension ? extension->data : NULL;
1792 /* TODO validate ticket timeout here! */
1793 if (ticket->lifetime == 0xfffffff) {
1794 /* send empty ticket on timeout */
1795 TLSX_UseSessionTicket(&ssl->extensions, NULL);
1801 static word16 TLSX_SessionTicket_GetSize(SessionTicket* ticket, int isRequest)
1804 return ticket ? ticket->size : 0;
1807 static word16 TLSX_SessionTicket_Write(SessionTicket* ticket, byte* output,
1810 word16 offset = 0; /* empty ticket */
1812 if (isRequest && ticket) {
1813 XMEMCPY(output + offset, ticket->data, ticket->size);
1814 offset += ticket->size;
1821 static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length,
1829 return BUFFER_ERROR;
1831 ssl->expect_session_ticket = 1;
1833 #ifndef NO_WOLFSSL_SERVER
1836 if (ssl->ctx->ticketEncCb == NULL) {
1837 WOLFSSL_MSG("Client sent session ticket, server has no callback");
1843 ret = TLSX_UseSessionTicket(&ssl->extensions, NULL);
1844 if (ret == SSL_SUCCESS) {
1846 TLSX_SetResponse(ssl, SESSION_TICKET); /* send blank ticket */
1847 ssl->options.createTicket = 1; /* will send ticket msg */
1848 ssl->options.useTicket = 1;
1851 /* got actual ticket from client */
1852 ret = DoClientTicket(ssl, input, length);
1853 if (ret == WOLFSSL_TICKET_RET_OK) { /* use ticket to resume */
1854 WOLFSSL_MSG("Using exisitng client ticket");
1855 ssl->options.useTicket = 1;
1856 ssl->options.resuming = 1;
1857 } else if (ret == WOLFSSL_TICKET_RET_CREATE) {
1858 WOLFSSL_MSG("Using existing client ticket, creating new one");
1859 ret = TLSX_UseSessionTicket(&ssl->extensions, NULL);
1860 if (ret == SSL_SUCCESS) {
1862 TLSX_SetResponse(ssl, SESSION_TICKET);
1863 /* send blank ticket */
1864 ssl->options.createTicket = 1; /* will send ticket msg */
1865 ssl->options.useTicket = 1;
1866 ssl->options.resuming = 1;
1868 } else if (ret == WOLFSSL_TICKET_RET_REJECT) {
1869 WOLFSSL_MSG("Process client ticket rejected, not using");
1870 ret = 0; /* not fatal */
1871 } else if (ret == WOLFSSL_TICKET_RET_FATAL || ret < 0) {
1872 WOLFSSL_MSG("Process client ticket fatal error, not using");
1876 #endif /* NO_WOLFSSL_SERVER */
1881 WOLFSSL_LOCAL SessionTicket* TLSX_SessionTicket_Create(word32 lifetime,
1882 byte* data, word16 size)
1884 SessionTicket* ticket = (SessionTicket*)XMALLOC(sizeof(SessionTicket),
1885 NULL, DYNAMIC_TYPE_TLSX);
1887 ticket->data = (byte*)XMALLOC(size, NULL, DYNAMIC_TYPE_TLSX);
1888 if (ticket->data == NULL) {
1889 XFREE(ticket, NULL, DYNAMIC_TYPE_TLSX);
1893 XMEMCPY(ticket->data, data, size);
1894 ticket->size = size;
1895 ticket->lifetime = lifetime;
1900 WOLFSSL_LOCAL void TLSX_SessionTicket_Free(SessionTicket* ticket)
1903 XFREE(ticket->data, NULL, DYNAMIC_TYPE_TLSX);
1904 XFREE(ticket, NULL, DYNAMIC_TYPE_TLSX);
1908 int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket)
1912 if (extensions == NULL)
1913 return BAD_FUNC_ARG;
1915 /* If the ticket is NULL, the client will request a new ticket from the
1916 server. Otherwise, the client will use it in the next client hello. */
1917 if ((ret = TLSX_Push(extensions, SESSION_TICKET, (void*)ticket)) != 0)
1923 #define STK_VALIDATE_REQUEST TLSX_SessionTicket_ValidateRequest
1924 #define STK_GET_SIZE TLSX_SessionTicket_GetSize
1925 #define STK_WRITE TLSX_SessionTicket_Write
1926 #define STK_PARSE TLSX_SessionTicket_Parse
1930 #define STK_VALIDATE_REQUEST(a)
1931 #define STK_GET_SIZE(a, b) 0
1932 #define STK_WRITE(a, b, c) 0
1933 #define STK_PARSE(a, b, c, d) 0
1935 #endif /* HAVE_SESSION_TICKET */
1938 TLSX* TLSX_Find(TLSX* list, TLSX_Type type)
1940 TLSX* extension = list;
1942 while (extension && extension->type != type)
1943 extension = extension->next;
1948 void TLSX_FreeAll(TLSX* list)
1952 while ((extension = list)) {
1953 list = extension->next;
1955 switch (extension->type) {
1956 case SERVER_NAME_INDICATION:
1957 SNI_FREE_ALL((SNI*)extension->data);
1960 case MAX_FRAGMENT_LENGTH:
1961 MFL_FREE_ALL(extension->data);
1964 case TRUNCATED_HMAC:
1965 /* Nothing to do. */
1968 case ELLIPTIC_CURVES:
1969 EC_FREE_ALL(extension->data);
1972 case SECURE_RENEGOTIATION:
1973 SCR_FREE_ALL(extension->data);
1976 case SESSION_TICKET:
1977 /* Nothing to do. */
1981 XFREE(extension, 0, DYNAMIC_TYPE_TLSX);
1985 int TLSX_SupportExtensions(WOLFSSL* ssl) {
1986 return ssl && (IsTLS(ssl) || ssl->version.major == DTLS_MAJOR);
1989 static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
1994 while ((extension = list)) {
1995 list = extension->next;
1997 if (!isRequest && !extension->resp)
1998 continue; /* skip! */
2000 if (!IS_OFF(semaphore, TLSX_ToSemaphore(extension->type)))
2001 continue; /* skip! */
2003 /* type + data length */
2004 length += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN;
2006 switch (extension->type) {
2007 case SERVER_NAME_INDICATION:
2009 length += SNI_GET_SIZE(extension->data);
2011 case MAX_FRAGMENT_LENGTH:
2012 length += MFL_GET_SIZE(extension->data);
2015 case TRUNCATED_HMAC:
2016 /* empty extension. */
2019 case ELLIPTIC_CURVES:
2020 length += EC_GET_SIZE(extension->data);
2023 case SECURE_RENEGOTIATION:
2024 length += SCR_GET_SIZE(extension->data, isRequest);
2027 case SESSION_TICKET:
2028 length += STK_GET_SIZE(extension->data, isRequest);
2032 TURN_ON(semaphore, TLSX_ToSemaphore(extension->type));
2038 static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
2043 word16 length_offset = 0;
2045 while ((extension = list)) {
2046 list = extension->next;
2048 if (!isRequest && !extension->resp)
2049 continue; /* skip! */
2051 if (!IS_OFF(semaphore, TLSX_ToSemaphore(extension->type)))
2052 continue; /* skip! */
2054 /* extension type */
2055 c16toa(extension->type, output + offset);
2056 offset += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN;
2057 length_offset = offset;
2059 /* extension data should be written internally */
2060 switch (extension->type) {
2061 case SERVER_NAME_INDICATION:
2063 offset += SNI_WRITE(extension->data, output + offset);
2066 case MAX_FRAGMENT_LENGTH:
2067 offset += MFL_WRITE(extension->data, output + offset);
2070 case TRUNCATED_HMAC:
2071 /* empty extension. */
2074 case ELLIPTIC_CURVES:
2075 offset += EC_WRITE(extension->data, output + offset);
2078 case SECURE_RENEGOTIATION:
2079 offset += SCR_WRITE(extension->data, output + offset,
2083 case SESSION_TICKET:
2084 offset += STK_WRITE(extension->data, output + offset,
2089 /* writing extension data length */
2090 c16toa(offset - length_offset, output + length_offset - OPAQUE16_LEN);
2092 TURN_ON(semaphore, TLSX_ToSemaphore(extension->type));
2098 #ifndef NO_WOLFSSL_CLIENT
2100 word16 TLSX_GetRequestSize(WOLFSSL* ssl)
2104 if (TLSX_SupportExtensions(ssl)) {
2105 byte semaphore[SEMAPHORE_SIZE] = {0};
2107 EC_VALIDATE_REQUEST(ssl, semaphore);
2108 STK_VALIDATE_REQUEST(ssl);
2110 if (ssl->extensions)
2111 length += TLSX_GetSize(ssl->extensions, semaphore, 1);
2113 if (ssl->ctx && ssl->ctx->extensions)
2114 length += TLSX_GetSize(ssl->ctx->extensions, semaphore, 1);
2116 if (IsAtLeastTLSv1_2(ssl) && ssl->suites->hashSigAlgoSz)
2117 length += ssl->suites->hashSigAlgoSz + HELLO_EXT_LEN;
2121 length += OPAQUE16_LEN; /* for total length storage */
2126 word16 TLSX_WriteRequest(WOLFSSL* ssl, byte* output)
2130 if (TLSX_SupportExtensions(ssl) && output) {
2131 byte semaphore[SEMAPHORE_SIZE] = {0};
2133 offset += OPAQUE16_LEN; /* extensions length */
2135 EC_VALIDATE_REQUEST(ssl, semaphore);
2137 if (ssl->extensions)
2138 offset += TLSX_Write(ssl->extensions, output + offset,
2141 if (ssl->ctx && ssl->ctx->extensions)
2142 offset += TLSX_Write(ssl->ctx->extensions, output + offset,
2145 if (IsAtLeastTLSv1_2(ssl) && ssl->suites->hashSigAlgoSz)
2148 /* extension type */
2149 c16toa(HELLO_EXT_SIG_ALGO, output + offset);
2150 offset += HELLO_EXT_TYPE_SZ;
2152 /* extension data length */
2153 c16toa(OPAQUE16_LEN + ssl->suites->hashSigAlgoSz, output + offset);
2154 offset += OPAQUE16_LEN;
2156 /* sig algos length */
2157 c16toa(ssl->suites->hashSigAlgoSz, output + offset);
2158 offset += OPAQUE16_LEN;
2161 for (i = 0; i < ssl->suites->hashSigAlgoSz; i++, offset++)
2162 output[offset] = ssl->suites->hashSigAlgo[i];
2165 if (offset > OPAQUE16_LEN)
2166 c16toa(offset - OPAQUE16_LEN, output); /* extensions length */
2172 #endif /* NO_WOLFSSL_CLIENT */
2174 #ifndef NO_WOLFSSL_SERVER
2176 word16 TLSX_GetResponseSize(WOLFSSL* ssl)
2179 byte semaphore[SEMAPHORE_SIZE] = {0};
2181 if (TLSX_SupportExtensions(ssl))
2182 length += TLSX_GetSize(ssl->extensions, semaphore, 0);
2184 /* All the response data is set at the ssl object only, so no ctx here. */
2187 length += OPAQUE16_LEN; /* for total length storage */
2192 word16 TLSX_WriteResponse(WOLFSSL *ssl, byte* output)
2196 if (TLSX_SupportExtensions(ssl) && output) {
2197 byte semaphore[SEMAPHORE_SIZE] = {0};
2199 offset += OPAQUE16_LEN; /* extensions length */
2201 offset += TLSX_Write(ssl->extensions, output + offset, semaphore, 0);
2203 if (offset > OPAQUE16_LEN)
2204 c16toa(offset - OPAQUE16_LEN, output); /* extensions length */
2210 #endif /* NO_WOLFSSL_SERVER */
2212 int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest,
2218 if (!ssl || !input || (isRequest && !suites))
2219 return BAD_FUNC_ARG;
2221 while (ret == 0 && offset < length) {
2225 if (length - offset < HELLO_EXT_TYPE_SZ + OPAQUE16_LEN)
2226 return BUFFER_ERROR;
2228 ato16(input + offset, &type);
2229 offset += HELLO_EXT_TYPE_SZ;
2231 ato16(input + offset, &size);
2232 offset += OPAQUE16_LEN;
2234 if (offset + size > length)
2235 return BUFFER_ERROR;
2238 case SERVER_NAME_INDICATION:
2239 WOLFSSL_MSG("SNI extension received");
2241 ret = SNI_PARSE(ssl, input + offset, size, isRequest);
2244 case MAX_FRAGMENT_LENGTH:
2245 WOLFSSL_MSG("Max Fragment Length extension received");
2247 ret = MFL_PARSE(ssl, input + offset, size, isRequest);
2250 case TRUNCATED_HMAC:
2251 WOLFSSL_MSG("Truncated HMAC extension received");
2253 ret = THM_PARSE(ssl, input + offset, size, isRequest);
2256 case ELLIPTIC_CURVES:
2257 WOLFSSL_MSG("Elliptic Curves extension received");
2259 ret = EC_PARSE(ssl, input + offset, size, isRequest);
2262 case SECURE_RENEGOTIATION:
2263 WOLFSSL_MSG("Secure Renegotiation extension received");
2265 ret = SCR_PARSE(ssl, input + offset, size, isRequest);
2268 case SESSION_TICKET:
2269 WOLFSSL_MSG("Session Ticket extension received");
2271 ret = STK_PARSE(ssl, input + offset, size, isRequest);
2274 case HELLO_EXT_SIG_ALGO:
2276 /* do not mess with offset inside the switch! */
2277 if (IsAtLeastTLSv1_2(ssl)) {
2278 ato16(input + offset, &suites->hashSigAlgoSz);
2280 if (suites->hashSigAlgoSz > size - OPAQUE16_LEN)
2281 return BUFFER_ERROR;
2283 XMEMCPY(suites->hashSigAlgo,
2284 input + offset + OPAQUE16_LEN,
2285 min(suites->hashSigAlgoSz,
2286 HELLO_EXT_SIGALGO_MAX));
2289 WOLFSSL_MSG("Servers MUST NOT send SIG ALGO extension.");
2295 /* offset should be updated here! */
2302 /* undefining semaphore macros */
2305 #undef SEMAPHORE_SIZE
2310 #ifndef NO_WOLFSSL_CLIENT
2314 WOLFSSL_METHOD* wolfTLSv1_client_method(void)
2316 WOLFSSL_METHOD* method =
2317 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 0,
2318 DYNAMIC_TYPE_METHOD);
2320 InitSSL_Method(method, MakeTLSv1());
2325 WOLFSSL_METHOD* wolfTLSv1_1_client_method(void)
2327 WOLFSSL_METHOD* method =
2328 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 0,
2329 DYNAMIC_TYPE_METHOD);
2331 InitSSL_Method(method, MakeTLSv1_1());
2335 #endif /* !NO_OLD_TLS */
2337 #ifndef NO_SHA256 /* can't use without SHA256 */
2339 WOLFSSL_METHOD* wolfTLSv1_2_client_method(void)
2341 WOLFSSL_METHOD* method =
2342 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 0,
2343 DYNAMIC_TYPE_METHOD);
2345 InitSSL_Method(method, MakeTLSv1_2());
2352 WOLFSSL_METHOD* wolfSSLv23_client_method(void)
2354 WOLFSSL_METHOD* method =
2355 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 0,
2356 DYNAMIC_TYPE_METHOD);
2358 #ifndef NO_SHA256 /* 1.2 requires SHA256 */
2359 InitSSL_Method(method, MakeTLSv1_2());
2361 InitSSL_Method(method, MakeTLSv1_1());
2364 method->downgrade = 1;
2371 #endif /* NO_WOLFSSL_CLIENT */
2375 #ifndef NO_WOLFSSL_SERVER
2379 WOLFSSL_METHOD* wolfTLSv1_server_method(void)
2381 WOLFSSL_METHOD* method =
2382 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 0,
2383 DYNAMIC_TYPE_METHOD);
2385 InitSSL_Method(method, MakeTLSv1());
2386 method->side = WOLFSSL_SERVER_END;
2392 WOLFSSL_METHOD* wolfTLSv1_1_server_method(void)
2394 WOLFSSL_METHOD* method =
2395 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 0,
2396 DYNAMIC_TYPE_METHOD);
2398 InitSSL_Method(method, MakeTLSv1_1());
2399 method->side = WOLFSSL_SERVER_END;
2404 #endif /* !NO_OLD_TLS */
2406 #ifndef NO_SHA256 /* can't use without SHA256 */
2408 WOLFSSL_METHOD* wolfTLSv1_2_server_method(void)
2410 WOLFSSL_METHOD* method =
2411 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 0,
2412 DYNAMIC_TYPE_METHOD);
2414 InitSSL_Method(method, MakeTLSv1_2());
2415 method->side = WOLFSSL_SERVER_END;
2423 WOLFSSL_METHOD* wolfSSLv23_server_method(void)
2425 WOLFSSL_METHOD* method =
2426 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 0,
2427 DYNAMIC_TYPE_METHOD);
2429 #ifndef NO_SHA256 /* 1.2 requires SHA256 */
2430 InitSSL_Method(method, MakeTLSv1_2());
2432 InitSSL_Method(method, MakeTLSv1_1());
2434 method->side = WOLFSSL_SERVER_END;
2436 method->downgrade = 1;
2437 #endif /* !NO_OLD_TLS */
2444 #endif /* NO_WOLFSSL_SERVER */