3 * Copyright (C) 2006-2015 wolfSSL Inc.
5 * This file is part of wolfSSL. (formerly known as CyaSSL)
7 * wolfSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * wolfSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
27 #include <wolfssl/wolfcrypt/settings.h>
29 #include <wolfssl/internal.h>
30 #include <wolfssl/error-ssl.h>
31 #include <wolfssl/wolfcrypt/asn.h>
32 #include <wolfssl/wolfcrypt/dh.h>
34 #include <wolfssl/wolfcrypt/misc.h>
36 #include <wolfcrypt/src/misc.c>
44 #include "ntru_crypto.h"
47 #if defined(DEBUG_WOLFSSL) || defined(SHOW_SECRETS) || defined(CHACHA_AEAD_TEST)
56 #include <sys/filio.h>
67 /* disable for while(0) cases at the .c level for now */
68 #pragma warning(disable:4127)
71 #if defined(WOLFSSL_CALLBACKS) && !defined(LARGE_STATIC_BUFFERS)
73 WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
76 #if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_RENEGOTIATION_INDICATION)
77 #error Cannot use both secure-renegotiation and renegotiation-indication
80 static int BuildMessage(WOLFSSL* ssl, byte* output, int outSz,
81 const byte* input, int inSz, int type);
83 #ifndef NO_WOLFSSL_CLIENT
84 static int DoHelloVerifyRequest(WOLFSSL* ssl, const byte* input, word32*,
86 static int DoServerHello(WOLFSSL* ssl, const byte* input, word32*, word32);
87 static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input, word32*,
90 static int DoCertificateRequest(WOLFSSL* ssl, const byte* input, word32*,
93 #ifdef HAVE_SESSION_TICKET
94 static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32*,
100 #ifndef NO_WOLFSSL_SERVER
101 static int DoClientHello(WOLFSSL* ssl, const byte* input, word32*, word32);
102 static int DoClientKeyExchange(WOLFSSL* ssl, byte* input, word32*, word32);
103 #if !defined(NO_RSA) || defined(HAVE_ECC)
104 static int DoCertificateVerify(WOLFSSL* ssl, byte*, word32*, word32);
110 static INLINE int DtlsCheckWindow(DtlsState* state);
111 static INLINE int DtlsUpdateWindow(DtlsState* state);
117 #ifndef NO_WOLFSSL_SERVER
118 runProcessOldClientHello,
120 getRecordLayerHeader,
122 runProcessingOneMessage
126 static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
127 int content, int verify);
132 static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes);
135 static void PickHashSigAlgo(WOLFSSL* ssl,
136 const byte* hashSigAlgo, word32 hashSigAlgoSz);
138 #ifndef WOLFSSL_HAVE_MIN
139 #define WOLFSSL_HAVE_MIN
141 static INLINE word32 min(word32 a, word32 b)
143 return a > b ? b : a;
146 #endif /* WOLFSSL_HAVE_MIN */
149 int IsTLS(const WOLFSSL* ssl)
151 if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_MINOR)
158 int IsAtLeastTLSv1_2(const WOLFSSL* ssl)
160 if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_2_MINOR)
162 if (ssl->version.major == DTLS_MAJOR && ssl->version.minor <= DTLSv1_2_MINOR)
171 static byte GetEntropy(ENTROPY_CMD cmd, byte* out)
173 /* TODO: add locking? */
177 return (wc_InitRng(&rng) == 0) ? 1 : 0;
182 if (cmd == GET_BYTE_OF_ENTROPY)
183 return (wc_RNG_GenerateBlock(&rng, out, 1) == 0) ? 1 : 0;
185 if (cmd == GET_NUM_BYTES_PER_BYTE_OF_ENTROPY) {
193 #endif /* HAVE_NTRU */
195 /* used by ssl.c too */
196 void c32to24(word32 in, word24 out)
198 out[0] = (in >> 16) & 0xff;
199 out[1] = (in >> 8) & 0xff;
206 static INLINE void c32to48(word32 in, byte out[6])
210 out[2] = (in >> 24) & 0xff;
211 out[3] = (in >> 16) & 0xff;
212 out[4] = (in >> 8) & 0xff;
216 #endif /* WOLFSSL_DTLS */
219 /* convert 16 bit integer to opaque */
220 static INLINE void c16toa(word16 u16, byte* c)
222 c[0] = (u16 >> 8) & 0xff;
227 #if !defined(NO_OLD_TLS) || defined(HAVE_CHACHA) || defined(HAVE_AESCCM) \
228 || defined(HAVE_AESGCM)
229 /* convert 32 bit integer to opaque */
230 static INLINE void c32toa(word32 u32, byte* c)
232 c[0] = (u32 >> 24) & 0xff;
233 c[1] = (u32 >> 16) & 0xff;
234 c[2] = (u32 >> 8) & 0xff;
240 /* convert a 24 bit integer into a 32 bit one */
241 static INLINE void c24to32(const word24 u24, word32* u32)
243 *u32 = (u24[0] << 16) | (u24[1] << 8) | u24[2];
247 /* convert opaque to 16 bit integer */
248 static INLINE void ato16(const byte* c, word16* u16)
250 *u16 = (word16) ((c[0] << 8) | (c[1]));
254 #if defined(WOLFSSL_DTLS) || defined(HAVE_SESSION_TICKET)
256 /* convert opaque to 32 bit integer */
257 static INLINE void ato32(const byte* c, word32* u32)
259 *u32 = (c[0] << 24) | (c[1] << 16) | (c[2] << 8) | c[3];
262 #endif /* WOLFSSL_DTLS */
267 /* alloc user allocs to work with zlib */
268 static void* myAlloc(void* opaque, unsigned int item, unsigned int size)
271 return XMALLOC(item * size, opaque, DYNAMIC_TYPE_LIBZ);
275 static void myFree(void* opaque, void* memory)
278 XFREE(memory, opaque, DYNAMIC_TYPE_LIBZ);
282 /* init zlib comp/decomp streams, 0 on success */
283 static int InitStreams(WOLFSSL* ssl)
285 ssl->c_stream.zalloc = (alloc_func)myAlloc;
286 ssl->c_stream.zfree = (free_func)myFree;
287 ssl->c_stream.opaque = (voidpf)ssl->heap;
289 if (deflateInit(&ssl->c_stream, Z_DEFAULT_COMPRESSION) != Z_OK)
290 return ZLIB_INIT_ERROR;
292 ssl->didStreamInit = 1;
294 ssl->d_stream.zalloc = (alloc_func)myAlloc;
295 ssl->d_stream.zfree = (free_func)myFree;
296 ssl->d_stream.opaque = (voidpf)ssl->heap;
298 if (inflateInit(&ssl->d_stream) != Z_OK) return ZLIB_INIT_ERROR;
304 static void FreeStreams(WOLFSSL* ssl)
306 if (ssl->didStreamInit) {
307 deflateEnd(&ssl->c_stream);
308 inflateEnd(&ssl->d_stream);
313 /* compress in to out, return out size or error */
314 static int myCompress(WOLFSSL* ssl, byte* in, int inSz, byte* out, int outSz)
317 int currTotal = (int)ssl->c_stream.total_out;
319 ssl->c_stream.next_in = in;
320 ssl->c_stream.avail_in = inSz;
321 ssl->c_stream.next_out = out;
322 ssl->c_stream.avail_out = outSz;
324 err = deflate(&ssl->c_stream, Z_SYNC_FLUSH);
325 if (err != Z_OK && err != Z_STREAM_END) return ZLIB_COMPRESS_ERROR;
327 return (int)ssl->c_stream.total_out - currTotal;
331 /* decompress in to out, returnn out size or error */
332 static int myDeCompress(WOLFSSL* ssl, byte* in,int inSz, byte* out,int outSz)
335 int currTotal = (int)ssl->d_stream.total_out;
337 ssl->d_stream.next_in = in;
338 ssl->d_stream.avail_in = inSz;
339 ssl->d_stream.next_out = out;
340 ssl->d_stream.avail_out = outSz;
342 err = inflate(&ssl->d_stream, Z_SYNC_FLUSH);
343 if (err != Z_OK && err != Z_STREAM_END) return ZLIB_DECOMPRESS_ERROR;
345 return (int)ssl->d_stream.total_out - currTotal;
348 #endif /* HAVE_LIBZ */
351 void InitSSL_Method(WOLFSSL_METHOD* method, ProtocolVersion pv)
353 method->version = pv;
354 method->side = WOLFSSL_CLIENT_END;
355 method->downgrade = 0;
359 /* Initialze SSL context, return 0 on success */
360 int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method)
362 XMEMSET(ctx, 0, sizeof(WOLFSSL_CTX));
364 ctx->method = method;
365 ctx->refCount = 1; /* so either CTX_free or SSL_free can release */
366 ctx->heap = ctx; /* defaults to self */
367 ctx->timeout = WOLFSSL_SESSION_TIMEOUT;
368 ctx->minDowngrade = TLSv1_MINOR; /* current default */
370 if (InitMutex(&ctx->countMutex) < 0) {
371 WOLFSSL_MSG("Mutex error on CTX init");
376 ctx->minDhKeySz = MIN_DHKEY_SZ;
380 ctx->eccTempKeySz = ECDHE_SIZE;
383 #ifndef WOLFSSL_USER_IO
384 ctx->CBIORecv = EmbedReceive;
385 ctx->CBIOSend = EmbedSend;
387 if (method->version.major == DTLS_MAJOR) {
388 ctx->CBIORecv = EmbedReceiveFrom;
389 ctx->CBIOSend = EmbedSendTo;
390 ctx->CBIOCookie = EmbedGenerateCookie;
393 #endif /* WOLFSSL_USER_IO */
396 ctx->CBIORecv = NetX_Receive;
397 ctx->CBIOSend = NetX_Send;
401 if (method->side == WOLFSSL_CLIENT_END)
402 ctx->haveNTRU = 1; /* always on cliet side */
403 /* server can turn on by loading key */
406 if (method->side == WOLFSSL_CLIENT_END) {
407 ctx->haveECDSAsig = 1; /* always on cliet side */
408 ctx->haveStaticECC = 1; /* server can turn on by loading key */
413 ctx->devId = NO_CAVIUM_DEVICE;
417 ctx->cm = wolfSSL_CertManagerNew();
418 if (ctx->cm == NULL) {
419 WOLFSSL_MSG("Bad Cert Manager New");
420 return BAD_CERT_MANAGER_ERROR;
424 #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER)
425 ctx->ticketHint = SESSION_TICKET_HINT_DEFAULT;
432 /* In case contexts are held in array and don't want to free actual ctx */
433 void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
435 XFREE(ctx->method, ctx->heap, DYNAMIC_TYPE_METHOD);
437 XFREE(ctx->suites, ctx->heap, DYNAMIC_TYPE_SUITES);
440 XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH);
441 XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
444 XFREE(ctx->privateKey.buffer, ctx->heap, DYNAMIC_TYPE_KEY);
445 XFREE(ctx->certificate.buffer, ctx->heap, DYNAMIC_TYPE_CERT);
446 XFREE(ctx->certChain.buffer, ctx->heap, DYNAMIC_TYPE_CERT);
447 wolfSSL_CertManagerFree(ctx->cm);
449 #ifdef HAVE_TLS_EXTENSIONS
450 TLSX_FreeAll(ctx->extensions);
455 void FreeSSL_Ctx(WOLFSSL_CTX* ctx)
459 if (LockMutex(&ctx->countMutex) != 0) {
460 WOLFSSL_MSG("Couldn't lock count mutex");
464 if (ctx->refCount == 0)
466 UnLockMutex(&ctx->countMutex);
469 WOLFSSL_MSG("CTX ref count down to 0, doing full free");
470 SSL_CtxResourceFree(ctx);
471 FreeMutex(&ctx->countMutex);
472 XFREE(ctx, ctx->heap, DYNAMIC_TYPE_CTX);
476 WOLFSSL_MSG("CTX ref count not 0 yet, no free");
481 /* Set cipher pointers to null */
482 void InitCiphers(WOLFSSL* ssl)
485 ssl->encrypt.arc4 = NULL;
486 ssl->decrypt.arc4 = NULL;
489 ssl->encrypt.des3 = NULL;
490 ssl->decrypt.des3 = NULL;
493 ssl->encrypt.aes = NULL;
494 ssl->decrypt.aes = NULL;
497 ssl->encrypt.cam = NULL;
498 ssl->decrypt.cam = NULL;
501 ssl->encrypt.hc128 = NULL;
502 ssl->decrypt.hc128 = NULL;
505 ssl->encrypt.rabbit = NULL;
506 ssl->decrypt.rabbit = NULL;
509 ssl->encrypt.chacha = NULL;
510 ssl->decrypt.chacha = NULL;
513 ssl->auth.poly1305 = NULL;
515 ssl->encrypt.setup = 0;
516 ssl->decrypt.setup = 0;
517 #ifdef HAVE_ONE_TIME_AUTH
524 void FreeCiphers(WOLFSSL* ssl)
529 if (ssl->devId != NO_CAVIUM_DEVICE) {
530 wc_Arc4FreeCavium(ssl->encrypt.arc4);
531 wc_Arc4FreeCavium(ssl->decrypt.arc4);
534 XFREE(ssl->encrypt.arc4, ssl->heap, DYNAMIC_TYPE_CIPHER);
535 XFREE(ssl->decrypt.arc4, ssl->heap, DYNAMIC_TYPE_CIPHER);
539 if (ssl->devId != NO_CAVIUM_DEVICE) {
540 wc_Des3_FreeCavium(ssl->encrypt.des3);
541 wc_Des3_FreeCavium(ssl->decrypt.des3);
544 XFREE(ssl->encrypt.des3, ssl->heap, DYNAMIC_TYPE_CIPHER);
545 XFREE(ssl->decrypt.des3, ssl->heap, DYNAMIC_TYPE_CIPHER);
549 if (ssl->devId != NO_CAVIUM_DEVICE) {
550 wc_AesFreeCavium(ssl->encrypt.aes);
551 wc_AesFreeCavium(ssl->decrypt.aes);
554 XFREE(ssl->encrypt.aes, ssl->heap, DYNAMIC_TYPE_CIPHER);
555 XFREE(ssl->decrypt.aes, ssl->heap, DYNAMIC_TYPE_CIPHER);
558 XFREE(ssl->encrypt.cam, ssl->heap, DYNAMIC_TYPE_CIPHER);
559 XFREE(ssl->decrypt.cam, ssl->heap, DYNAMIC_TYPE_CIPHER);
562 XFREE(ssl->encrypt.hc128, ssl->heap, DYNAMIC_TYPE_CIPHER);
563 XFREE(ssl->decrypt.hc128, ssl->heap, DYNAMIC_TYPE_CIPHER);
566 XFREE(ssl->encrypt.rabbit, ssl->heap, DYNAMIC_TYPE_CIPHER);
567 XFREE(ssl->decrypt.rabbit, ssl->heap, DYNAMIC_TYPE_CIPHER);
570 XFREE(ssl->encrypt.chacha, ssl->heap, DYNAMIC_TYPE_CIPHER);
571 XFREE(ssl->decrypt.chacha, ssl->heap, DYNAMIC_TYPE_CIPHER);
574 XFREE(ssl->auth.poly1305, ssl->heap, DYNAMIC_TYPE_CIPHER);
579 void InitCipherSpecs(CipherSpecs* cs)
581 cs->bulk_cipher_algorithm = INVALID_BYTE;
582 cs->cipher_type = INVALID_BYTE;
583 cs->mac_algorithm = INVALID_BYTE;
584 cs->kea = INVALID_BYTE;
585 cs->sig_algo = INVALID_BYTE;
594 static void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig,
595 int haveRSAsig, int haveAnon)
600 #ifdef WOLFSSL_SHA512
601 suites->hashSigAlgo[idx++] = sha512_mac;
602 suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo;
604 #ifdef WOLFSSL_SHA384
605 suites->hashSigAlgo[idx++] = sha384_mac;
606 suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo;
609 suites->hashSigAlgo[idx++] = sha256_mac;
610 suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo;
613 suites->hashSigAlgo[idx++] = sha_mac;
614 suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo;
619 #ifdef WOLFSSL_SHA512
620 suites->hashSigAlgo[idx++] = sha512_mac;
621 suites->hashSigAlgo[idx++] = rsa_sa_algo;
623 #ifdef WOLFSSL_SHA384
624 suites->hashSigAlgo[idx++] = sha384_mac;
625 suites->hashSigAlgo[idx++] = rsa_sa_algo;
628 suites->hashSigAlgo[idx++] = sha256_mac;
629 suites->hashSigAlgo[idx++] = rsa_sa_algo;
632 suites->hashSigAlgo[idx++] = sha_mac;
633 suites->hashSigAlgo[idx++] = rsa_sa_algo;
639 suites->hashSigAlgo[idx++] = sha_mac;
640 suites->hashSigAlgo[idx++] = anonymous_sa_algo;
644 suites->hashSigAlgoSz = (word16)idx;
647 void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
648 word16 havePSK, word16 haveDH, word16 haveNTRU,
649 word16 haveECDSAsig, word16 haveStaticECC, int side)
652 int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR;
653 int tls1_2 = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_2_MINOR;
656 (void)tls; /* shut up compiler */
663 if (suites == NULL) {
664 WOLFSSL_MSG("InitSuites pointer error");
668 if (suites->setSuites)
669 return; /* trust user settings, don't override */
671 if (side == WOLFSSL_SERVER_END && haveStaticECC) {
672 haveRSA = 0; /* can't do RSA with ECDSA key */
673 (void)haveRSA; /* some builds won't read */
676 if (side == WOLFSSL_SERVER_END && haveECDSAsig) {
677 haveRSAsig = 0; /* can't have RSA sig if signed by ECDSA */
678 (void)haveRSAsig; /* non ecc builds won't read */
682 if (pv.major == DTLS_MAJOR) {
684 tls1_2 = pv.minor <= DTLSv1_2_MINOR;
688 #ifdef HAVE_RENEGOTIATION_INDICATION
689 if (side == WOLFSSL_CLIENT_END) {
690 suites->suites[idx++] = 0;
691 suites->suites[idx++] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV;
695 #ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA
696 if (tls && haveNTRU && haveRSA) {
697 suites->suites[idx++] = 0;
698 suites->suites[idx++] = TLS_NTRU_RSA_WITH_AES_256_CBC_SHA;
702 #ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA
703 if (tls && haveNTRU && haveRSA) {
704 suites->suites[idx++] = 0;
705 suites->suites[idx++] = TLS_NTRU_RSA_WITH_AES_128_CBC_SHA;
709 #ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA
710 if (tls && haveNTRU && haveRSA) {
711 suites->suites[idx++] = 0;
712 suites->suites[idx++] = TLS_NTRU_RSA_WITH_RC4_128_SHA;
716 #ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA
717 if (tls && haveNTRU && haveRSA) {
718 suites->suites[idx++] = 0;
719 suites->suites[idx++] = TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA;
723 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
724 if (tls1_2 && haveECDSAsig) {
725 suites->suites[idx++] = ECC_BYTE;
726 suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
730 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
731 if (tls1_2 && haveECDSAsig) {
732 suites->suites[idx++] = ECC_BYTE;
733 suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
737 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
738 if (tls1_2 && haveRSA) {
739 suites->suites[idx++] = ECC_BYTE;
740 suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;
744 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
745 if (tls1_2 && haveRSA) {
746 suites->suites[idx++] = ECC_BYTE;
747 suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
751 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
752 if (tls1_2 && haveDH && haveRSA) {
753 suites->suites[idx++] = 0;
754 suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384;
758 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
759 if (tls1_2 && haveDH && haveRSA) {
760 suites->suites[idx++] = 0;
761 suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256;
765 #ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
766 if (tls1_2 && haveRSA) {
767 suites->suites[idx++] = 0;
768 suites->suites[idx++] = TLS_RSA_WITH_AES_256_GCM_SHA384;
772 #ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
773 if (tls1_2 && haveRSA) {
774 suites->suites[idx++] = 0;
775 suites->suites[idx++] = TLS_RSA_WITH_AES_128_GCM_SHA256;
779 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
780 if (tls1_2 && haveECDSAsig && haveStaticECC) {
781 suites->suites[idx++] = ECC_BYTE;
782 suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384;
786 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
787 if (tls1_2 && haveECDSAsig && haveStaticECC) {
788 suites->suites[idx++] = ECC_BYTE;
789 suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256;
793 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
794 if (tls1_2 && haveRSAsig && haveStaticECC) {
795 suites->suites[idx++] = ECC_BYTE;
796 suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384;
800 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
801 if (tls1_2 && haveRSAsig && haveStaticECC) {
802 suites->suites[idx++] = ECC_BYTE;
803 suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256;
807 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
808 if (tls1_2 && haveDH && havePSK) {
809 suites->suites[idx++] = 0;
810 suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_GCM_SHA384;
814 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
815 if (tls1_2 && haveDH && havePSK) {
816 suites->suites[idx++] = 0;
817 suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_GCM_SHA256;
821 #ifdef BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384
822 if (tls1_2 && havePSK) {
823 suites->suites[idx++] = 0;
824 suites->suites[idx++] = TLS_PSK_WITH_AES_256_GCM_SHA384;
828 #ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256
829 if (tls1_2 && havePSK) {
830 suites->suites[idx++] = 0;
831 suites->suites[idx++] = TLS_PSK_WITH_AES_128_GCM_SHA256;
835 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
836 if (tls1_2 && haveECDSAsig) {
837 suites->suites[idx++] = CHACHA_BYTE;
838 suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256;
842 #ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
843 if (tls && haveRSA) {
844 suites->suites[idx++] = CHACHA_BYTE;
845 suites->suites[idx++] = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
849 #ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
850 if (tls && haveRSA) {
851 suites->suites[idx++] = CHACHA_BYTE;
852 suites->suites[idx++] = TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
856 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
857 if (tls1_2 && haveRSAsig) {
858 suites->suites[idx++] = ECC_BYTE;
859 suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;
863 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
864 if (tls1_2 && haveECDSAsig) {
865 suites->suites[idx++] = ECC_BYTE;
866 suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256;
870 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
871 if (tls1_2 && haveRSAsig && haveStaticECC) {
872 suites->suites[idx++] = ECC_BYTE;
873 suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256;
877 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
878 if (tls1_2 && haveECDSAsig && haveStaticECC) {
879 suites->suites[idx++] = ECC_BYTE;
880 suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256;
884 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
885 if (tls1_2 && haveRSAsig) {
886 suites->suites[idx++] = ECC_BYTE;
887 suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384;
891 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
892 if (tls1_2 && haveECDSAsig) {
893 suites->suites[idx++] = ECC_BYTE;
894 suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384;
898 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
899 if (tls1_2 && haveRSAsig && haveStaticECC) {
900 suites->suites[idx++] = ECC_BYTE;
901 suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384;
905 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
906 if (tls1_2 && haveECDSAsig && haveStaticECC) {
907 suites->suites[idx++] = ECC_BYTE;
908 suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384;
912 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
913 if (tls && haveECDSAsig) {
914 suites->suites[idx++] = ECC_BYTE;
915 suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA;
919 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
920 if (tls && haveECDSAsig && haveStaticECC) {
921 suites->suites[idx++] = ECC_BYTE;
922 suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA;
926 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
927 if (tls && haveECDSAsig) {
928 suites->suites[idx++] = ECC_BYTE;
929 suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA;
933 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
934 if (tls && haveECDSAsig && haveStaticECC) {
935 suites->suites[idx++] = ECC_BYTE;
936 suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA;
940 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
941 if (tls && haveECDSAsig) {
942 suites->suites[idx++] = ECC_BYTE;
943 suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA;
947 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
948 if (tls && haveECDSAsig && haveStaticECC) {
949 suites->suites[idx++] = ECC_BYTE;
950 suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA;
954 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
955 if (tls && haveECDSAsig) {
956 suites->suites[idx++] = ECC_BYTE;
957 suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA;
961 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
962 if (tls && haveECDSAsig && haveStaticECC) {
963 suites->suites[idx++] = ECC_BYTE;
964 suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA;
968 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
969 if (tls && haveRSA) {
970 suites->suites[idx++] = ECC_BYTE;
971 suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA;
975 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
976 if (tls && haveRSAsig && haveStaticECC) {
977 suites->suites[idx++] = ECC_BYTE;
978 suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA;
982 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
983 if (tls && haveRSA) {
984 suites->suites[idx++] = ECC_BYTE;
985 suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;
989 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
990 if (tls && haveRSAsig && haveStaticECC) {
991 suites->suites[idx++] = ECC_BYTE;
992 suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA;
996 #ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
997 if (tls && haveRSA) {
998 suites->suites[idx++] = ECC_BYTE;
999 suites->suites[idx++] = TLS_ECDHE_RSA_WITH_RC4_128_SHA;
1003 #ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
1004 if (tls && haveRSAsig && haveStaticECC) {
1005 suites->suites[idx++] = ECC_BYTE;
1006 suites->suites[idx++] = TLS_ECDH_RSA_WITH_RC4_128_SHA;
1010 #ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
1011 if (tls && haveRSA) {
1012 suites->suites[idx++] = ECC_BYTE;
1013 suites->suites[idx++] = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA;
1017 #ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
1018 if (tls && haveRSAsig && haveStaticECC) {
1019 suites->suites[idx++] = ECC_BYTE;
1020 suites->suites[idx++] = TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA;
1024 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
1025 if (tls1_2 && haveECDSAsig) {
1026 suites->suites[idx++] = ECC_BYTE;
1027 suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
1031 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
1032 if (tls1_2 && haveECDSAsig) {
1033 suites->suites[idx++] = ECC_BYTE;
1034 suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8;
1038 #ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8
1039 if (tls1_2 && haveRSA) {
1040 suites->suites[idx++] = ECC_BYTE;
1041 suites->suites[idx++] = TLS_RSA_WITH_AES_128_CCM_8;
1045 #ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8
1046 if (tls1_2 && haveRSA) {
1047 suites->suites[idx++] = ECC_BYTE;
1048 suites->suites[idx++] = TLS_RSA_WITH_AES_256_CCM_8;
1052 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
1053 if (tls1_2 && haveDH && haveRSA) {
1054 suites->suites[idx++] = 0;
1055 suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA256;
1059 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
1060 if (tls1_2 && haveDH && haveRSA) {
1061 suites->suites[idx++] = 0;
1062 suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256;
1066 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
1067 if (tls && haveDH && haveRSA) {
1068 suites->suites[idx++] = 0;
1069 suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
1073 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
1074 if (tls && haveDH && haveRSA) {
1075 suites->suites[idx++] = 0;
1076 suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
1080 #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
1081 if (tls1_2 && haveRSA) {
1082 suites->suites[idx++] = 0;
1083 suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA256;
1087 #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
1088 if (tls1_2 && haveRSA) {
1089 suites->suites[idx++] = 0;
1090 suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA256;
1094 #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
1095 if (tls && haveRSA) {
1096 suites->suites[idx++] = 0;
1097 suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA;
1101 #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
1102 if (tls && haveRSA) {
1103 suites->suites[idx++] = 0;
1104 suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA;
1108 #ifdef BUILD_TLS_RSA_WITH_NULL_SHA
1109 if (tls && haveRSA) {
1110 suites->suites[idx++] = 0;
1111 suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA;
1115 #ifdef BUILD_TLS_RSA_WITH_NULL_SHA256
1116 if (tls && haveRSA) {
1117 suites->suites[idx++] = 0;
1118 suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA256;
1122 #ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
1123 if (tls && havePSK) {
1124 suites->suites[idx++] = 0;
1125 suites->suites[idx++] = TLS_PSK_WITH_AES_256_CBC_SHA;
1129 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
1130 if (tls && haveDH && havePSK) {
1131 suites->suites[idx++] = 0;
1132 suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_CBC_SHA384;
1136 #ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384
1137 if (tls && havePSK) {
1138 suites->suites[idx++] = 0;
1139 suites->suites[idx++] = TLS_PSK_WITH_AES_256_CBC_SHA384;
1143 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
1144 if (tls && haveDH && havePSK) {
1145 suites->suites[idx++] = 0;
1146 suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_CBC_SHA256;
1150 #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
1151 if (tls && havePSK) {
1152 suites->suites[idx++] = 0;
1153 suites->suites[idx++] = TLS_PSK_WITH_AES_128_CBC_SHA256;
1157 #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
1158 if (tls && havePSK) {
1159 suites->suites[idx++] = 0;
1160 suites->suites[idx++] = TLS_PSK_WITH_AES_128_CBC_SHA;
1164 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM
1165 if (tls && haveDH && havePSK) {
1166 suites->suites[idx++] = ECC_BYTE;
1167 suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_CCM;
1171 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CCM
1172 if (tls && haveDH && havePSK) {
1173 suites->suites[idx++] = ECC_BYTE;
1174 suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_CCM;
1178 #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM
1179 if (tls && havePSK) {
1180 suites->suites[idx++] = ECC_BYTE;
1181 suites->suites[idx++] = TLS_PSK_WITH_AES_128_CCM;
1185 #ifdef BUILD_TLS_PSK_WITH_AES_256_CCM
1186 if (tls && havePSK) {
1187 suites->suites[idx++] = ECC_BYTE;
1188 suites->suites[idx++] = TLS_PSK_WITH_AES_256_CCM;
1192 #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8
1193 if (tls && havePSK) {
1194 suites->suites[idx++] = ECC_BYTE;
1195 suites->suites[idx++] = TLS_PSK_WITH_AES_128_CCM_8;
1199 #ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8
1200 if (tls && havePSK) {
1201 suites->suites[idx++] = ECC_BYTE;
1202 suites->suites[idx++] = TLS_PSK_WITH_AES_256_CCM_8;
1206 #ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384
1207 if (tls && haveDH && havePSK) {
1208 suites->suites[idx++] = 0;
1209 suites->suites[idx++] = TLS_DHE_PSK_WITH_NULL_SHA384;
1213 #ifdef BUILD_TLS_PSK_WITH_NULL_SHA384
1214 if (tls && havePSK) {
1215 suites->suites[idx++] = 0;
1216 suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA384;
1220 #ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256
1221 if (tls && haveDH && havePSK) {
1222 suites->suites[idx++] = 0;
1223 suites->suites[idx++] = TLS_DHE_PSK_WITH_NULL_SHA256;
1227 #ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
1228 if (tls && havePSK) {
1229 suites->suites[idx++] = 0;
1230 suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA256;
1234 #ifdef BUILD_TLS_PSK_WITH_NULL_SHA
1235 if (tls && havePSK) {
1236 suites->suites[idx++] = 0;
1237 suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA;
1241 #ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
1243 suites->suites[idx++] = 0;
1244 suites->suites[idx++] = SSL_RSA_WITH_RC4_128_SHA;
1248 #ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
1250 suites->suites[idx++] = 0;
1251 suites->suites[idx++] = SSL_RSA_WITH_RC4_128_MD5;
1255 #ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
1257 suites->suites[idx++] = 0;
1258 suites->suites[idx++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
1262 #ifdef BUILD_TLS_RSA_WITH_HC_128_MD5
1263 if (tls && haveRSA) {
1264 suites->suites[idx++] = 0;
1265 suites->suites[idx++] = TLS_RSA_WITH_HC_128_MD5;
1269 #ifdef BUILD_TLS_RSA_WITH_HC_128_SHA
1270 if (tls && haveRSA) {
1271 suites->suites[idx++] = 0;
1272 suites->suites[idx++] = TLS_RSA_WITH_HC_128_SHA;
1276 #ifdef BUILD_TLS_RSA_WITH_HC_128_B2B256
1277 if (tls && haveRSA) {
1278 suites->suites[idx++] = 0;
1279 suites->suites[idx++] = TLS_RSA_WITH_HC_128_B2B256;
1283 #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256
1284 if (tls && haveRSA) {
1285 suites->suites[idx++] = 0;
1286 suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_B2B256;
1290 #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256
1291 if (tls && haveRSA) {
1292 suites->suites[idx++] = 0;
1293 suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_B2B256;
1297 #ifdef BUILD_TLS_RSA_WITH_RABBIT_SHA
1298 if (tls && haveRSA) {
1299 suites->suites[idx++] = 0;
1300 suites->suites[idx++] = TLS_RSA_WITH_RABBIT_SHA;
1304 #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
1305 if (tls && haveRSA) {
1306 suites->suites[idx++] = 0;
1307 suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_128_CBC_SHA;
1311 #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
1312 if (tls && haveDH && haveRSA) {
1313 suites->suites[idx++] = 0;
1314 suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA;
1318 #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
1319 if (tls && haveRSA) {
1320 suites->suites[idx++] = 0;
1321 suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_256_CBC_SHA;
1325 #ifdef BUILD_TLS_DHE_WITH_RSA_CAMELLIA_256_CBC_SHA
1326 if (tls && haveDH && haveRSA) {
1327 suites->suites[idx++] = 0;
1328 suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA;
1332 #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
1333 if (tls && haveRSA) {
1334 suites->suites[idx++] = 0;
1335 suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256;
1339 #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
1340 if (tls && haveDH && haveRSA) {
1341 suites->suites[idx++] = 0;
1342 suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256;
1346 #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
1347 if (tls && haveRSA) {
1348 suites->suites[idx++] = 0;
1349 suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256;
1353 #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
1354 if (tls && haveDH && haveRSA) {
1355 suites->suites[idx++] = 0;
1356 suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256;
1360 suites->suiteSz = idx;
1362 InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig, 0);
1369 void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag)
1374 name->name = name->staticName;
1375 name->dynamicName = 0;
1376 #ifdef OPENSSL_EXTRA
1377 XMEMSET(&name->fullName, 0, sizeof(DecodedName));
1378 #endif /* OPENSSL_EXTRA */
1383 void FreeX509Name(WOLFSSL_X509_NAME* name)
1386 if (name->dynamicName)
1387 XFREE(name->name, NULL, DYNAMIC_TYPE_SUBJECT_CN);
1388 #ifdef OPENSSL_EXTRA
1389 if (name->fullName.fullName != NULL)
1390 XFREE(name->fullName.fullName, NULL, DYNAMIC_TYPE_X509);
1391 #endif /* OPENSSL_EXTRA */
1396 /* Initialize wolfSSL X509 type */
1397 void InitX509(WOLFSSL_X509* x509, int dynamicFlag)
1399 InitX509Name(&x509->issuer, 0);
1400 InitX509Name(&x509->subject, 0);
1402 x509->pubKey.buffer = NULL;
1403 x509->sig.buffer = NULL;
1404 x509->derCert.buffer = NULL;
1405 x509->altNames = NULL;
1406 x509->altNamesNext = NULL;
1407 x509->dynamicMemory = (byte)dynamicFlag;
1410 x509->pkCurveOID = 0;
1411 #endif /* HAVE_ECC */
1412 #ifdef OPENSSL_EXTRA
1413 x509->pathLength = 0;
1414 x509->basicConstSet = 0;
1415 x509->basicConstCrit = 0;
1416 x509->basicConstPlSet = 0;
1417 x509->subjAltNameSet = 0;
1418 x509->subjAltNameCrit = 0;
1419 x509->authKeyIdSet = 0;
1420 x509->authKeyIdCrit = 0;
1421 x509->authKeyId = NULL;
1422 x509->authKeyIdSz = 0;
1423 x509->subjKeyIdSet = 0;
1424 x509->subjKeyIdCrit = 0;
1425 x509->subjKeyId = NULL;
1426 x509->subjKeyIdSz = 0;
1427 x509->keyUsageSet = 0;
1428 x509->keyUsageCrit = 0;
1431 x509->certPolicySet = 0;
1432 x509->certPolicyCrit = 0;
1433 #endif /* WOLFSSL_SEP */
1434 #endif /* OPENSSL_EXTRA */
1438 /* Free wolfSSL X509 type */
1439 void FreeX509(WOLFSSL_X509* x509)
1444 FreeX509Name(&x509->issuer);
1445 FreeX509Name(&x509->subject);
1446 if (x509->pubKey.buffer)
1447 XFREE(x509->pubKey.buffer, NULL, DYNAMIC_TYPE_PUBLIC_KEY);
1448 XFREE(x509->derCert.buffer, NULL, DYNAMIC_TYPE_SUBJECT_CN);
1449 XFREE(x509->sig.buffer, NULL, DYNAMIC_TYPE_SIGNATURE);
1450 #ifdef OPENSSL_EXTRA
1451 XFREE(x509->authKeyId, NULL, 0);
1452 XFREE(x509->subjKeyId, NULL, 0);
1453 #endif /* OPENSSL_EXTRA */
1455 FreeAltNames(x509->altNames, NULL);
1456 if (x509->dynamicMemory)
1457 XFREE(x509, NULL, DYNAMIC_TYPE_X509);
1460 #endif /* NO_CERTS */
1463 /* init everything to 0, NULL, default values before calling anything that may
1464 fail so that desctructor has a "good" state to cleanup */
1465 int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
1474 XMEMSET(ssl, 0, sizeof(WOLFSSL));
1476 ssl->ctx = ctx; /* only for passing to calls, options could change */
1477 ssl->version = ctx->method->version;
1483 ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer;
1484 ssl->buffers.inputBuffer.bufferSize = STATIC_BUFFER_LEN;
1486 ssl->buffers.outputBuffer.buffer = ssl->buffers.outputBuffer.staticBuffer;
1487 ssl->buffers.outputBuffer.bufferSize = STATIC_BUFFER_LEN;
1489 #ifdef KEEP_PEER_CERT
1490 InitX509(&ssl->peerCert, 0);
1494 ssl->eccTempKeySz = ctx->eccTempKeySz;
1495 ssl->pkCurveOID = ctx->pkCurveOID;
1498 ssl->timeout = ctx->timeout;
1499 ssl->rfd = -1; /* set to invalid descriptor */
1502 ssl->IOCB_ReadCtx = &ssl->rfd; /* prevent invalid pointer access if not */
1503 ssl->IOCB_WriteCtx = &ssl->wfd; /* correctly set */
1506 ssl->IOCB_ReadCtx = &ssl->nxCtx; /* default NetX IO ctx, same for read */
1507 ssl->IOCB_WriteCtx = &ssl->nxCtx; /* and write */
1510 ssl->dtls_expected_rx = MAX_MTU;
1513 ssl->verifyCallback = ctx->verifyCallback;
1514 ssl->options.side = ctx->method->side;
1515 ssl->options.downgrade = ctx->method->downgrade;
1516 ssl->options.minDowngrade = ctx->minDowngrade;
1518 if (ssl->options.side == WOLFSSL_SERVER_END)
1519 ssl->options.haveDH = ctx->haveDH;
1521 ssl->options.haveNTRU = ctx->haveNTRU;
1522 ssl->options.haveECDSAsig = ctx->haveECDSAsig;
1523 ssl->options.haveStaticECC = ctx->haveStaticECC;
1526 havePSK = ctx->havePSK;
1527 ssl->options.havePSK = ctx->havePSK;
1528 ssl->options.client_psk_cb = ctx->client_psk_cb;
1529 ssl->options.server_psk_cb = ctx->server_psk_cb;
1533 haveAnon = ctx->haveAnon;
1534 ssl->options.haveAnon = ctx->haveAnon;
1537 ssl->options.serverState = NULL_STATE;
1538 ssl->options.clientState = NULL_STATE;
1539 ssl->options.connectState = CONNECT_BEGIN;
1540 ssl->options.acceptState = ACCEPT_BEGIN;
1541 ssl->options.handShakeState = NULL_STATE;
1542 ssl->options.processReply = doProcessInit;
1545 ssl->options.minDhKeySz = ctx->minDhKeySz;
1549 ssl->dtls_timeout_init = DTLS_TIMEOUT_INIT;
1550 ssl->dtls_timeout_max = DTLS_TIMEOUT_MAX;
1551 ssl->dtls_timeout = ssl->dtls_timeout_init;
1554 ssl->options.sessionCacheOff = ctx->sessionCacheOff;
1555 ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff;
1557 ssl->options.verifyPeer = ctx->verifyPeer;
1558 ssl->options.verifyNone = ctx->verifyNone;
1559 ssl->options.failNoCert = ctx->failNoCert;
1560 ssl->options.sendVerify = ctx->sendVerify;
1563 ssl->hmac = SSL_hmac; /* default to SSLv3 */
1565 ssl->hmac = TLS_hmac;
1568 ssl->heap = ctx->heap; /* defaults to self */
1570 ssl->options.dtls = ssl->version.major == DTLS_MAJOR;
1571 ssl->options.partialWrite = ctx->partialWrite;
1572 ssl->options.quietShutdown = ctx->quietShutdown;
1573 ssl->options.groupMessages = ctx->groupMessages;
1576 if (ssl->options.side == WOLFSSL_SERVER_END) {
1577 ssl->buffers.serverDH_P = ctx->serverDH_P;
1578 ssl->buffers.serverDH_G = ctx->serverDH_G;
1582 /* ctx still owns certificate, certChain, key, dh, and cm */
1583 ssl->buffers.certificate = ctx->certificate;
1584 ssl->buffers.certChain = ctx->certChain;
1585 ssl->buffers.key = ctx->privateKey;
1589 ssl->buffers.dtlsCtx.fd = -1;
1592 ssl->cipher.ssl = ssl;
1595 ssl->devId = ctx->devId;
1598 #ifdef HAVE_TLS_EXTENSIONS
1599 #ifdef HAVE_MAX_FRAGMENT
1600 ssl->max_fragment = MAX_RECORD_SIZE;
1604 /* default alert state (none) */
1605 ssl->alert_history.last_rx.code = -1;
1606 ssl->alert_history.last_rx.level = -1;
1607 ssl->alert_history.last_tx.code = -1;
1608 ssl->alert_history.last_tx.level = -1;
1611 InitCipherSpecs(&ssl->specs);
1613 /* all done with init, now can return errors, call other stuff */
1616 ssl->hsHashes = (HS_Hashes*)XMALLOC(sizeof(HS_Hashes), ssl->heap,
1617 DYNAMIC_TYPE_HASHES);
1618 if (ssl->hsHashes == NULL) {
1619 WOLFSSL_MSG("HS_Hashes Memory error");
1625 wc_InitMd5(&ssl->hsHashes->hashMd5);
1628 ret = wc_InitSha(&ssl->hsHashes->hashSha);
1635 ret = wc_InitSha256(&ssl->hsHashes->hashSha256);
1640 #ifdef WOLFSSL_SHA384
1641 ret = wc_InitSha384(&ssl->hsHashes->hashSha384);
1646 #ifdef WOLFSSL_SHA512
1647 ret = wc_InitSha512(&ssl->hsHashes->hashSha512);
1653 /* increment CTX reference count */
1654 if (LockMutex(&ctx->countMutex) != 0) {
1655 WOLFSSL_MSG("Couldn't lock CTX count mutex");
1659 UnLockMutex(&ctx->countMutex);
1662 ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap,
1663 DYNAMIC_TYPE_ARRAYS);
1664 if (ssl->arrays == NULL) {
1665 WOLFSSL_MSG("Arrays Memory error");
1668 XMEMSET(ssl->arrays, 0, sizeof(Arrays));
1671 if (ctx->server_hint[0]) { /* set in CTX */
1672 XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint, MAX_PSK_ID_LEN);
1673 ssl->arrays->server_hint[MAX_PSK_ID_LEN - 1] = '\0';
1678 ssl->rng = (RNG*)XMALLOC(sizeof(RNG), ssl->heap, DYNAMIC_TYPE_RNG);
1679 if (ssl->rng == NULL) {
1680 WOLFSSL_MSG("RNG Memory error");
1684 if ( (ret = wc_InitRng(ssl->rng)) != 0) {
1685 WOLFSSL_MSG("RNG Init error");
1690 ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap,
1691 DYNAMIC_TYPE_SUITES);
1692 if (ssl->suites == NULL) {
1693 WOLFSSL_MSG("Suites Memory error");
1697 *ssl->suites = *ctx->suites;
1699 XMEMSET(ssl->suites, 0, sizeof(Suites));
1703 /* make sure server has cert and key unless using PSK or Anon */
1704 if (ssl->options.side == WOLFSSL_SERVER_END && !havePSK && !haveAnon)
1705 if (!ssl->buffers.certificate.buffer || !ssl->buffers.key.buffer) {
1706 WOLFSSL_MSG("Server missing certificate and/or private key");
1707 return NO_PRIVATE_KEY;
1710 #ifdef HAVE_SECRET_CALLBACK
1711 ssl->sessionSecretCb = NULL;
1712 ssl->sessionSecretCtx = NULL;
1715 /* make sure server has DH parms, and add PSK if there, add NTRU too */
1716 if (ssl->options.side == WOLFSSL_SERVER_END)
1717 InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
1718 ssl->options.haveDH, ssl->options.haveNTRU,
1719 ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
1722 InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, TRUE,
1723 ssl->options.haveNTRU, ssl->options.haveECDSAsig,
1724 ssl->options.haveStaticECC, ssl->options.side);
1730 /* free use of temporary arrays */
1731 void FreeArrays(WOLFSSL* ssl, int keep)
1733 if (ssl->arrays && keep) {
1734 /* keeps session id for user retrieval */
1735 XMEMCPY(ssl->session.sessionID, ssl->arrays->sessionID, ID_LEN);
1736 ssl->session.sessionIDSz = ssl->arrays->sessionIDSz;
1738 XFREE(ssl->arrays, ssl->heap, DYNAMIC_TYPE_ARRAYS);
1743 /* In case holding SSL object in array and don't want to free actual ssl */
1744 void SSL_ResourceFree(WOLFSSL* ssl)
1746 /* Note: any resources used during the handshake should be released in the
1747 * function FreeHandshakeResources(). Be careful with the special cases
1748 * like the RNG which may optionally be kept for the whole session. (For
1749 * example with the RNG, it isn't used beyond the handshake except when
1750 * using stream ciphers where it is retained. */
1754 wc_FreeRng(ssl->rng);
1755 XFREE(ssl->rng, ssl->heap, DYNAMIC_TYPE_RNG);
1756 XFREE(ssl->suites, ssl->heap, DYNAMIC_TYPE_SUITES);
1757 XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES);
1758 XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN);
1761 XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH);
1762 XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH);
1763 /* parameters (p,g) may be owned by ctx */
1764 if (ssl->buffers.weOwnDH || ssl->options.side == WOLFSSL_CLIENT_END) {
1765 XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_DH);
1766 XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH);
1770 if (ssl->buffers.weOwnCert)
1771 XFREE(ssl->buffers.certificate.buffer, ssl->heap, DYNAMIC_TYPE_CERT);
1772 if (ssl->buffers.weOwnCertChain)
1773 XFREE(ssl->buffers.certChain.buffer, ssl->heap, DYNAMIC_TYPE_CERT);
1774 if (ssl->buffers.weOwnKey)
1775 XFREE(ssl->buffers.key.buffer, ssl->heap, DYNAMIC_TYPE_KEY);
1778 if (ssl->peerRsaKey) {
1779 wc_FreeRsaKey(ssl->peerRsaKey);
1780 XFREE(ssl->peerRsaKey, ssl->heap, DYNAMIC_TYPE_RSA);
1783 if (ssl->buffers.inputBuffer.dynamicFlag)
1784 ShrinkInputBuffer(ssl, FORCED_FREE);
1785 if (ssl->buffers.outputBuffer.dynamicFlag)
1786 ShrinkOutputBuffer(ssl);
1788 if (ssl->dtls_pool != NULL) {
1790 XFREE(ssl->dtls_pool, ssl->heap, DYNAMIC_TYPE_NONE);
1792 if (ssl->dtls_msg_list != NULL) {
1793 DtlsMsgListDelete(ssl->dtls_msg_list, ssl->heap);
1794 ssl->dtls_msg_list = NULL;
1796 XFREE(ssl->buffers.dtlsCtx.peer.sa, ssl->heap, DYNAMIC_TYPE_SOCKADDR);
1797 ssl->buffers.dtlsCtx.peer.sa = NULL;
1799 #if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS)
1800 FreeX509(&ssl->peerCert);
1802 #if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS)
1803 wolfSSL_BIO_free(ssl->biord);
1804 if (ssl->biord != ssl->biowr) /* in case same as write */
1805 wolfSSL_BIO_free(ssl->biowr);
1811 if (ssl->peerEccKey) {
1812 if (ssl->peerEccKeyPresent)
1813 wc_ecc_free(ssl->peerEccKey);
1814 XFREE(ssl->peerEccKey, ssl->heap, DYNAMIC_TYPE_ECC);
1816 if (ssl->peerEccDsaKey) {
1817 if (ssl->peerEccDsaKeyPresent)
1818 wc_ecc_free(ssl->peerEccDsaKey);
1819 XFREE(ssl->peerEccDsaKey, ssl->heap, DYNAMIC_TYPE_ECC);
1821 if (ssl->eccTempKey) {
1822 if (ssl->eccTempKeyPresent)
1823 wc_ecc_free(ssl->eccTempKey);
1824 XFREE(ssl->eccTempKey, ssl->heap, DYNAMIC_TYPE_ECC);
1827 #ifdef HAVE_PK_CALLBACKS
1829 XFREE(ssl->buffers.peerEccDsaKey.buffer, ssl->heap, DYNAMIC_TYPE_ECC);
1830 #endif /* HAVE_ECC */
1832 XFREE(ssl->buffers.peerRsaKey.buffer, ssl->heap, DYNAMIC_TYPE_RSA);
1834 #endif /* HAVE_PK_CALLBACKS */
1835 #ifdef HAVE_TLS_EXTENSIONS
1836 TLSX_FreeAll(ssl->extensions);
1839 if (ssl->nxCtx.nxPacket)
1840 nx_packet_release(ssl->nxCtx.nxPacket);
1844 #ifdef WOLFSSL_TI_HASH
1845 static void HashFinal(WOLFSSL * ssl) {
1846 byte dummyHash[32] ;
1848 wc_Md5Final(&(ssl->hsHashes->hashMd5), dummyHash) ;
1851 wc_ShaFinal(&(ssl->hsHashes->hashSha), dummyHash) ;
1854 wc_Sha256Final(&(ssl->hsHashes->hashSha256), dummyHash) ;
1859 #define HashFinal(ssl)
1863 /* Free any handshake resources no longer needed */
1864 void FreeHandshakeResources(WOLFSSL* ssl)
1868 #ifdef HAVE_SECURE_RENEGOTIATION
1869 if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) {
1870 WOLFSSL_MSG("Secure Renegotiation needs to retain handshake resources");
1876 if (ssl->buffers.inputBuffer.dynamicFlag)
1877 ShrinkInputBuffer(ssl, NO_FORCED_FREE);
1880 XFREE(ssl->suites, ssl->heap, DYNAMIC_TYPE_SUITES);
1884 XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES);
1885 ssl->hsHashes = NULL;
1888 if (ssl->specs.cipher_type == stream || ssl->options.tls1_1 == 0) {
1889 wc_FreeRng(ssl->rng);
1890 XFREE(ssl->rng, ssl->heap, DYNAMIC_TYPE_RNG);
1896 if (ssl->options.dtls && ssl->dtls_pool != NULL) {
1898 XFREE(ssl->dtls_pool, ssl->heap, DYNAMIC_TYPE_DTLS_POOL);
1899 ssl->dtls_pool = NULL;
1904 if (ssl->options.saveArrays == 0)
1909 if (ssl->peerRsaKey) {
1910 wc_FreeRsaKey(ssl->peerRsaKey);
1911 XFREE(ssl->peerRsaKey, ssl->heap, DYNAMIC_TYPE_RSA);
1912 ssl->peerRsaKey = NULL;
1917 if (ssl->peerEccKey)
1919 if (ssl->peerEccKeyPresent) {
1920 wc_ecc_free(ssl->peerEccKey);
1921 ssl->peerEccKeyPresent = 0;
1923 XFREE(ssl->peerEccKey, ssl->heap, DYNAMIC_TYPE_ECC);
1924 ssl->peerEccKey = NULL;
1926 if (ssl->peerEccDsaKey)
1928 if (ssl->peerEccDsaKeyPresent) {
1929 wc_ecc_free(ssl->peerEccDsaKey);
1930 ssl->peerEccDsaKeyPresent = 0;
1932 XFREE(ssl->peerEccDsaKey, ssl->heap, DYNAMIC_TYPE_ECC);
1933 ssl->peerEccDsaKey = NULL;
1935 if (ssl->eccTempKey)
1937 if (ssl->eccTempKeyPresent) {
1938 wc_ecc_free(ssl->eccTempKey);
1939 ssl->eccTempKeyPresent = 0;
1941 XFREE(ssl->eccTempKey, ssl->heap, DYNAMIC_TYPE_ECC);
1942 ssl->eccTempKey = NULL;
1946 XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH);
1947 ssl->buffers.serverDH_Priv.buffer = NULL;
1948 XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH);
1949 ssl->buffers.serverDH_Pub.buffer = NULL;
1950 /* parameters (p,g) may be owned by ctx */
1951 if (ssl->buffers.weOwnDH || ssl->options.side == WOLFSSL_CLIENT_END) {
1952 XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_DH);
1953 ssl->buffers.serverDH_G.buffer = NULL;
1954 XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH);
1955 ssl->buffers.serverDH_P.buffer = NULL;
1959 if (ssl->buffers.weOwnCert) {
1960 XFREE(ssl->buffers.certificate.buffer, ssl->heap, DYNAMIC_TYPE_CERT);
1961 ssl->buffers.certificate.buffer = NULL;
1963 if (ssl->buffers.weOwnCertChain) {
1964 XFREE(ssl->buffers.certChain.buffer, ssl->heap, DYNAMIC_TYPE_CERT);
1965 ssl->buffers.certChain.buffer = NULL;
1967 if (ssl->buffers.weOwnKey) {
1968 XFREE(ssl->buffers.key.buffer, ssl->heap, DYNAMIC_TYPE_KEY);
1969 ssl->buffers.key.buffer = NULL;
1972 #ifdef HAVE_PK_CALLBACKS
1974 XFREE(ssl->buffers.peerEccDsaKey.buffer, ssl->heap, DYNAMIC_TYPE_ECC);
1975 ssl->buffers.peerEccDsaKey.buffer = NULL;
1976 #endif /* HAVE_ECC */
1978 XFREE(ssl->buffers.peerRsaKey.buffer, ssl->heap, DYNAMIC_TYPE_RSA);
1979 ssl->buffers.peerRsaKey.buffer = NULL;
1981 #endif /* HAVE_PK_CALLBACKS */
1985 void FreeSSL(WOLFSSL* ssl)
1987 FreeSSL_Ctx(ssl->ctx); /* will decrement and free underyling CTX if 0 */
1988 SSL_ResourceFree(ssl);
1989 XFREE(ssl, ssl->heap, DYNAMIC_TYPE_SSL);
1995 int DtlsPoolInit(WOLFSSL* ssl)
1997 if (ssl->dtls_pool == NULL) {
1998 DtlsPool *pool = (DtlsPool*)XMALLOC(sizeof(DtlsPool),
1999 ssl->heap, DYNAMIC_TYPE_DTLS_POOL);
2001 WOLFSSL_MSG("DTLS Buffer Pool Memory error");
2007 for (i = 0; i < DTLS_POOL_SZ; i++) {
2008 pool->buf[i].length = 0;
2009 pool->buf[i].buffer = NULL;
2012 ssl->dtls_pool = pool;
2019 int DtlsPoolSave(WOLFSSL* ssl, const byte *src, int sz)
2021 DtlsPool *pool = ssl->dtls_pool;
2022 if (pool != NULL && pool->used < DTLS_POOL_SZ) {
2023 buffer *pBuf = &pool->buf[pool->used];
2024 pBuf->buffer = (byte*)XMALLOC(sz, ssl->heap, DYNAMIC_TYPE_DTLS_POOL);
2025 if (pBuf->buffer == NULL) {
2026 WOLFSSL_MSG("DTLS Buffer Memory error");
2027 return MEMORY_ERROR;
2029 XMEMCPY(pBuf->buffer, src, sz);
2030 pBuf->length = (word32)sz;
2037 void DtlsPoolReset(WOLFSSL* ssl)
2039 DtlsPool *pool = ssl->dtls_pool;
2045 for (i = 0, pBuf = &pool->buf[0]; i < used; i++, pBuf++) {
2046 XFREE(pBuf->buffer, ssl->heap, DYNAMIC_TYPE_DTLS_POOL);
2047 pBuf->buffer = NULL;
2052 ssl->dtls_timeout = ssl->dtls_timeout_init;
2056 int DtlsPoolTimeout(WOLFSSL* ssl)
2059 if (ssl->dtls_timeout < ssl->dtls_timeout_max) {
2060 ssl->dtls_timeout *= DTLS_TIMEOUT_MULTIPLIER;
2067 int DtlsPoolSend(WOLFSSL* ssl)
2070 DtlsPool *pool = ssl->dtls_pool;
2072 if (pool != NULL && pool->used > 0) {
2074 for (i = 0; i < pool->used; i++) {
2076 buffer* buf = &pool->buf[i];
2078 DtlsRecordLayerHeader* dtls = (DtlsRecordLayerHeader*)buf->buffer;
2080 word16 message_epoch;
2081 ato16(dtls->epoch, &message_epoch);
2082 if (message_epoch == ssl->keys.dtls_epoch) {
2083 /* Increment record sequence number on retransmitted handshake
2085 c32to48(ssl->keys.dtls_sequence_number, dtls->sequence_number);
2086 ssl->keys.dtls_sequence_number++;
2089 /* The Finished message is sent with the next epoch, keep its
2090 * sequence number */
2093 if ((ret = CheckAvailableSize(ssl, buf->length)) != 0)
2096 XMEMCPY(ssl->buffers.outputBuffer.buffer, buf->buffer, buf->length);
2097 ssl->buffers.outputBuffer.idx = 0;
2098 ssl->buffers.outputBuffer.length = buf->length;
2100 sendResult = SendBuffered(ssl);
2101 if (sendResult < 0) {
2110 /* functions for managing DTLS datagram reordering */
2112 /* Need to allocate space for the handshake message header. The hashing
2113 * routines assume the message pointer is still within the buffer that
2114 * has the headers, and will include those headers in the hash. The store
2115 * routines need to take that into account as well. New will allocate
2116 * extra space for the headers. */
2117 DtlsMsg* DtlsMsgNew(word32 sz, void* heap)
2119 DtlsMsg* msg = NULL;
2121 msg = (DtlsMsg*)XMALLOC(sizeof(DtlsMsg), heap, DYNAMIC_TYPE_DTLS_MSG);
2124 msg->buf = (byte*)XMALLOC(sz + DTLS_HANDSHAKE_HEADER_SZ,
2125 heap, DYNAMIC_TYPE_NONE);
2126 if (msg->buf != NULL) {
2131 msg->msg = msg->buf + DTLS_HANDSHAKE_HEADER_SZ;
2134 XFREE(msg, heap, DYNAMIC_TYPE_DTLS_MSG);
2142 void DtlsMsgDelete(DtlsMsg* item, void* heap)
2147 if (item->buf != NULL)
2148 XFREE(item->buf, heap, DYNAMIC_TYPE_NONE);
2149 XFREE(item, heap, DYNAMIC_TYPE_DTLS_MSG);
2154 void DtlsMsgListDelete(DtlsMsg* head, void* heap)
2159 DtlsMsgDelete(head, heap);
2165 void DtlsMsgSet(DtlsMsg* msg, word32 seq, const byte* data, byte type,
2166 word32 fragOffset, word32 fragSz)
2168 if (msg != NULL && data != NULL && msg->fragSz <= msg->sz &&
2169 fragOffset <= msg->sz && (fragOffset + fragSz) <= msg->sz) {
2173 msg->fragSz += fragSz;
2174 /* If fragOffset is zero, this is either a full message that is out
2175 * of order, or the first fragment of a fragmented message. Copy the
2176 * handshake message header with the message data. Zero length messages
2177 * like Server Hello Done should be saved as well. */
2178 if (fragOffset == 0)
2179 XMEMCPY(msg->buf, data - DTLS_HANDSHAKE_HEADER_SZ,
2180 fragSz + DTLS_HANDSHAKE_HEADER_SZ);
2182 /* If fragOffet is non-zero, this is an additional fragment that
2183 * needs to be copied to its location in the message buffer. Also
2184 * copy the total size of the message over the fragment size. The
2185 * hash routines look at a defragmented message if it had actually
2186 * come across as a single handshake message. */
2187 XMEMCPY(msg->msg + fragOffset, data, fragSz);
2189 c32to24(msg->sz, msg->msg - DTLS_HANDSHAKE_FRAG_SZ);
2194 DtlsMsg* DtlsMsgFind(DtlsMsg* head, word32 seq)
2196 while (head != NULL && head->seq != seq) {
2203 DtlsMsg* DtlsMsgStore(DtlsMsg* head, word32 seq, const byte* data,
2204 word32 dataSz, byte type, word32 fragOffset, word32 fragSz, void* heap)
2207 /* See if seq exists in the list. If it isn't in the list, make
2208 * a new item of size dataSz, copy fragSz bytes from data to msg->msg
2209 * starting at offset fragOffset, and add fragSz to msg->fragSz. If
2210 * the seq is in the list and it isn't full, copy fragSz bytes from
2211 * data to msg->msg starting at offset fragOffset, and add fragSz to
2212 * msg->fragSz. The new item should be inserted into the list in its
2215 * 1. Find seq in list, or where seq should go in list. If seq not in
2216 * list, create new item and insert into list. Either case, keep
2218 * 2. If msg->fragSz + fragSz < sz, copy data to msg->msg at offset
2219 * fragOffset. Add fragSz to msg->fragSz.
2223 DtlsMsg* cur = DtlsMsgFind(head, seq);
2225 cur = DtlsMsgNew(dataSz, heap);
2227 DtlsMsgSet(cur, seq, data, type, fragOffset, fragSz);
2228 head = DtlsMsgInsert(head, cur);
2232 DtlsMsgSet(cur, seq, data, type, fragOffset, fragSz);
2236 head = DtlsMsgNew(dataSz, heap);
2237 DtlsMsgSet(head, seq, data, type, fragOffset, fragSz);
2244 /* DtlsMsgInsert() is an in-order insert. */
2245 DtlsMsg* DtlsMsgInsert(DtlsMsg* head, DtlsMsg* item)
2247 if (head == NULL || item->seq < head->seq) {
2251 else if (head->next == NULL) {
2255 DtlsMsg* cur = head->next;
2256 DtlsMsg* prev = head;
2258 if (item->seq < cur->seq) {
2274 #endif /* WOLFSSL_DTLS */
2278 ProtocolVersion MakeSSLv3(void)
2281 pv.major = SSLv3_MAJOR;
2282 pv.minor = SSLv3_MINOR;
2287 #endif /* NO_OLD_TLS */
2292 ProtocolVersion MakeDTLSv1(void)
2295 pv.major = DTLS_MAJOR;
2296 pv.minor = DTLS_MINOR;
2301 ProtocolVersion MakeDTLSv1_2(void)
2304 pv.major = DTLS_MAJOR;
2305 pv.minor = DTLSv1_2_MINOR;
2310 #endif /* WOLFSSL_DTLS */
2315 #ifdef USE_WINDOWS_API
2317 word32 LowResTimer(void)
2319 static int init = 0;
2320 static LARGE_INTEGER freq;
2321 LARGE_INTEGER count;
2324 QueryPerformanceFrequency(&freq);
2328 QueryPerformanceCounter(&count);
2330 return (word32)(count.QuadPart / freq.QuadPart);
2333 #elif defined(HAVE_RTP_SYS)
2335 #include "rtptime.h"
2337 word32 LowResTimer(void)
2339 return (word32)rtp_get_system_sec();
2343 #elif defined(MICRIUM)
2345 word32 LowResTimer(void)
2347 NET_SECURE_OS_TICK clk;
2349 #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
2350 clk = NetSecure_OS_TimeGet();
2356 #elif defined(MICROCHIP_TCPIP_V5)
2358 word32 LowResTimer(void)
2360 return (word32) TickGet();
2364 #elif defined(MICROCHIP_TCPIP)
2366 #if defined(MICROCHIP_MPLAB_HARMONY)
2368 #include <system/tmr/sys_tmr.h>
2370 word32 LowResTimer(void)
2372 return (word32) SYS_TMR_TickCountGet();
2377 word32 LowResTimer(void)
2379 return (word32) SYS_TICK_Get();
2384 #elif defined(FREESCALE_MQX)
2386 word32 LowResTimer(void)
2388 TIME_STRUCT mqxTime;
2390 _time_get_elapsed(&mqxTime);
2392 return (word32) mqxTime.SECONDS;
2395 #elif defined(WOLFSSL_TIRTOS)
2397 word32 LowResTimer(void)
2399 return (word32) Seconds_get();
2402 #elif defined(USER_TICKS)
2404 word32 LowResTimer(void)
2407 write your own clock tick function if don't want time(0)
2408 needs second accuracy but doesn't have to correlated to EPOCH
2413 #elif defined(TIME_OVERRIDES)
2415 /* use same asn time overrides unless user wants tick override above */
2417 #ifndef HAVE_TIME_T_TYPE
2418 typedef long time_t;
2420 extern time_t XTIME(time_t * timer);
2422 word32 LowResTimer(void)
2424 return (word32) XTIME(0);
2427 #else /* !USE_WINDOWS_API && !HAVE_RTP_SYS && !MICRIUM && !USER_TICKS */
2431 word32 LowResTimer(void)
2433 return (word32)time(0);
2437 #endif /* USE_WINDOWS_API */
2440 /* add output to md5 and sha handshake hashes, exclude record header */
2441 static int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz)
2443 const byte* adj = output + RECORD_HEADER_SZ + ivSz;
2444 sz -= RECORD_HEADER_SZ;
2448 ssl->fuzzerCb(ssl, output, sz, FUZZ_HASH, ssl->fuzzerCtx);
2451 if (ssl->options.dtls) {
2452 adj += DTLS_RECORD_EXTRA;
2453 sz -= DTLS_RECORD_EXTRA;
2458 wc_ShaUpdate(&ssl->hsHashes->hashSha, adj, sz);
2461 wc_Md5Update(&ssl->hsHashes->hashMd5, adj, sz);
2465 if (IsAtLeastTLSv1_2(ssl)) {
2469 ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, adj, sz);
2473 #ifdef WOLFSSL_SHA384
2474 ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, adj, sz);
2478 #ifdef WOLFSSL_SHA512
2479 ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, adj, sz);
2489 /* add input to md5 and sha handshake hashes, include handshake header */
2490 static int HashInput(WOLFSSL* ssl, const byte* input, int sz)
2492 const byte* adj = input - HANDSHAKE_HEADER_SZ;
2493 sz += HANDSHAKE_HEADER_SZ;
2496 if (ssl->options.dtls) {
2497 adj -= DTLS_HANDSHAKE_EXTRA;
2498 sz += DTLS_HANDSHAKE_EXTRA;
2504 wc_ShaUpdate(&ssl->hsHashes->hashSha, adj, sz);
2507 wc_Md5Update(&ssl->hsHashes->hashMd5, adj, sz);
2511 if (IsAtLeastTLSv1_2(ssl)) {
2515 ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, adj, sz);
2519 #ifdef WOLFSSL_SHA384
2520 ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, adj, sz);
2524 #ifdef WOLFSSL_SHA512
2525 ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, adj, sz);
2535 /* add record layer header for message */
2536 static void AddRecordHeader(byte* output, word32 length, byte type, WOLFSSL* ssl)
2538 RecordLayerHeader* rl;
2540 /* record layer header */
2541 rl = (RecordLayerHeader*)output;
2543 rl->pvMajor = ssl->version.major; /* type and version same in each */
2544 rl->pvMinor = ssl->version.minor;
2546 if (!ssl->options.dtls)
2547 c16toa((word16)length, rl->length);
2550 DtlsRecordLayerHeader* dtls;
2552 /* dtls record layer header extensions */
2553 dtls = (DtlsRecordLayerHeader*)output;
2554 c16toa(ssl->keys.dtls_epoch, dtls->epoch);
2555 c32to48(ssl->keys.dtls_sequence_number++, dtls->sequence_number);
2556 c16toa((word16)length, dtls->length);
2562 /* add handshake header for message */
2563 static void AddHandShakeHeader(byte* output, word32 length, byte type,
2566 HandShakeHeader* hs;
2569 /* handshake header */
2570 hs = (HandShakeHeader*)output;
2572 c32to24(length, hs->length); /* type and length same for each */
2574 if (ssl->options.dtls) {
2575 DtlsHandShakeHeader* dtls;
2577 /* dtls handshake header extensions */
2578 dtls = (DtlsHandShakeHeader*)output;
2579 c16toa(ssl->keys.dtls_handshake_number++, dtls->message_seq);
2580 c32to24(0, dtls->fragment_offset);
2581 c32to24(length, dtls->fragment_length);
2587 /* add both headers for handshake message */
2588 static void AddHeaders(byte* output, word32 length, byte type, WOLFSSL* ssl)
2590 if (!ssl->options.dtls) {
2591 AddRecordHeader(output, length + HANDSHAKE_HEADER_SZ, handshake, ssl);
2592 AddHandShakeHeader(output + RECORD_HEADER_SZ, length, type, ssl);
2596 AddRecordHeader(output, length+DTLS_HANDSHAKE_HEADER_SZ, handshake,ssl);
2597 AddHandShakeHeader(output + DTLS_RECORD_HEADER_SZ, length, type, ssl);
2603 /* return bytes received, -1 on error */
2604 static int Receive(WOLFSSL* ssl, byte* buf, word32 sz)
2608 if (ssl->ctx->CBIORecv == NULL) {
2609 WOLFSSL_MSG("Your IO Recv callback is null, please set");
2614 recvd = ssl->ctx->CBIORecv(ssl, (char *)buf, (int)sz, ssl->IOCB_ReadCtx);
2617 case WOLFSSL_CBIO_ERR_GENERAL: /* general/unknown error */
2620 case WOLFSSL_CBIO_ERR_WANT_READ: /* want read, would block */
2623 case WOLFSSL_CBIO_ERR_CONN_RST: /* connection reset */
2624 #ifdef USE_WINDOWS_API
2625 if (ssl->options.dtls) {
2629 ssl->options.connReset = 1;
2632 case WOLFSSL_CBIO_ERR_ISR: /* interrupt */
2633 /* see if we got our timeout */
2634 #ifdef WOLFSSL_CALLBACKS
2635 if (ssl->toInfoOn) {
2636 struct itimerval timeout;
2637 getitimer(ITIMER_REAL, &timeout);
2638 if (timeout.it_value.tv_sec == 0 &&
2639 timeout.it_value.tv_usec == 0) {
2640 XSTRNCPY(ssl->timeoutInfo.timeoutName,
2641 "recv() timeout", MAX_TIMEOUT_NAME_SZ);
2642 WOLFSSL_MSG("Got our timeout");
2649 case WOLFSSL_CBIO_ERR_CONN_CLOSE: /* peer closed connection */
2650 ssl->options.isClosed = 1;
2653 case WOLFSSL_CBIO_ERR_TIMEOUT:
2655 if (DtlsPoolTimeout(ssl) == 0 && DtlsPoolSend(ssl) == 0)
2669 /* Switch dynamic output buffer back to static, buffer is assumed clear */
2670 void ShrinkOutputBuffer(WOLFSSL* ssl)
2672 WOLFSSL_MSG("Shrinking output buffer\n");
2673 XFREE(ssl->buffers.outputBuffer.buffer - ssl->buffers.outputBuffer.offset,
2674 ssl->heap, DYNAMIC_TYPE_OUT_BUFFER);
2675 ssl->buffers.outputBuffer.buffer = ssl->buffers.outputBuffer.staticBuffer;
2676 ssl->buffers.outputBuffer.bufferSize = STATIC_BUFFER_LEN;
2677 ssl->buffers.outputBuffer.dynamicFlag = 0;
2678 ssl->buffers.outputBuffer.offset = 0;
2682 /* Switch dynamic input buffer back to static, keep any remaining input */
2683 /* forced free means cleaning up */
2684 void ShrinkInputBuffer(WOLFSSL* ssl, int forcedFree)
2686 int usedLength = ssl->buffers.inputBuffer.length -
2687 ssl->buffers.inputBuffer.idx;
2688 if (!forcedFree && usedLength > STATIC_BUFFER_LEN)
2691 WOLFSSL_MSG("Shrinking input buffer\n");
2693 if (!forcedFree && usedLength)
2694 XMEMCPY(ssl->buffers.inputBuffer.staticBuffer,
2695 ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx,
2698 XFREE(ssl->buffers.inputBuffer.buffer - ssl->buffers.inputBuffer.offset,
2699 ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
2700 ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer;
2701 ssl->buffers.inputBuffer.bufferSize = STATIC_BUFFER_LEN;
2702 ssl->buffers.inputBuffer.dynamicFlag = 0;
2703 ssl->buffers.inputBuffer.offset = 0;
2704 ssl->buffers.inputBuffer.idx = 0;
2705 ssl->buffers.inputBuffer.length = usedLength;
2708 int SendBuffered(WOLFSSL* ssl)
2710 if (ssl->ctx->CBIOSend == NULL) {
2711 WOLFSSL_MSG("Your IO Send callback is null, please set");
2712 return SOCKET_ERROR_E;
2715 while (ssl->buffers.outputBuffer.length > 0) {
2716 int sent = ssl->ctx->CBIOSend(ssl,
2717 (char*)ssl->buffers.outputBuffer.buffer +
2718 ssl->buffers.outputBuffer.idx,
2719 (int)ssl->buffers.outputBuffer.length,
2720 ssl->IOCB_WriteCtx);
2724 case WOLFSSL_CBIO_ERR_WANT_WRITE: /* would block */
2727 case WOLFSSL_CBIO_ERR_CONN_RST: /* connection reset */
2728 ssl->options.connReset = 1;
2731 case WOLFSSL_CBIO_ERR_ISR: /* interrupt */
2732 /* see if we got our timeout */
2733 #ifdef WOLFSSL_CALLBACKS
2734 if (ssl->toInfoOn) {
2735 struct itimerval timeout;
2736 getitimer(ITIMER_REAL, &timeout);
2737 if (timeout.it_value.tv_sec == 0 &&
2738 timeout.it_value.tv_usec == 0) {
2739 XSTRNCPY(ssl->timeoutInfo.timeoutName,
2740 "send() timeout", MAX_TIMEOUT_NAME_SZ);
2741 WOLFSSL_MSG("Got our timeout");
2748 case WOLFSSL_CBIO_ERR_CONN_CLOSE: /* epipe / conn closed */
2749 ssl->options.connReset = 1; /* treat same as reset */
2753 return SOCKET_ERROR_E;
2756 return SOCKET_ERROR_E;
2759 if (sent > (int)ssl->buffers.outputBuffer.length) {
2760 WOLFSSL_MSG("SendBuffered() out of bounds read");
2761 return SEND_OOB_READ_E;
2764 ssl->buffers.outputBuffer.idx += sent;
2765 ssl->buffers.outputBuffer.length -= sent;
2768 ssl->buffers.outputBuffer.idx = 0;
2770 if (ssl->buffers.outputBuffer.dynamicFlag)
2771 ShrinkOutputBuffer(ssl);
2777 /* Grow the output buffer */
2778 static INLINE int GrowOutputBuffer(WOLFSSL* ssl, int size)
2781 byte hdrSz = ssl->options.dtls ? DTLS_RECORD_HEADER_SZ :
2783 byte align = WOLFSSL_GENERAL_ALIGNMENT;
2784 /* the encrypted data will be offset from the front of the buffer by
2785 the header, if the user wants encrypted alignment they need
2786 to define their alignment requirement */
2789 while (align < hdrSz)
2793 tmp = (byte*) XMALLOC(size + ssl->buffers.outputBuffer.length + align,
2794 ssl->heap, DYNAMIC_TYPE_OUT_BUFFER);
2795 WOLFSSL_MSG("growing output buffer\n");
2797 if (!tmp) return MEMORY_E;
2799 tmp += align - hdrSz;
2801 if (ssl->buffers.outputBuffer.length)
2802 XMEMCPY(tmp, ssl->buffers.outputBuffer.buffer,
2803 ssl->buffers.outputBuffer.length);
2805 if (ssl->buffers.outputBuffer.dynamicFlag)
2806 XFREE(ssl->buffers.outputBuffer.buffer -
2807 ssl->buffers.outputBuffer.offset, ssl->heap,
2808 DYNAMIC_TYPE_OUT_BUFFER);
2809 ssl->buffers.outputBuffer.dynamicFlag = 1;
2811 ssl->buffers.outputBuffer.offset = align - hdrSz;
2813 ssl->buffers.outputBuffer.offset = 0;
2814 ssl->buffers.outputBuffer.buffer = tmp;
2815 ssl->buffers.outputBuffer.bufferSize = size +
2816 ssl->buffers.outputBuffer.length;
2821 /* Grow the input buffer, should only be to read cert or big app data */
2822 int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength)
2825 byte hdrSz = DTLS_RECORD_HEADER_SZ;
2826 byte align = ssl->options.dtls ? WOLFSSL_GENERAL_ALIGNMENT : 0;
2827 /* the encrypted data will be offset from the front of the buffer by
2828 the dtls record header, if the user wants encrypted alignment they need
2829 to define their alignment requirement. in tls we read record header
2830 to get size of record and put actual data back at front, so don't need */
2833 while (align < hdrSz)
2836 tmp = (byte*) XMALLOC(size + usedLength + align, ssl->heap,
2837 DYNAMIC_TYPE_IN_BUFFER);
2838 WOLFSSL_MSG("growing input buffer\n");
2840 if (!tmp) return MEMORY_E;
2842 tmp += align - hdrSz;
2845 XMEMCPY(tmp, ssl->buffers.inputBuffer.buffer +
2846 ssl->buffers.inputBuffer.idx, usedLength);
2848 if (ssl->buffers.inputBuffer.dynamicFlag)
2849 XFREE(ssl->buffers.inputBuffer.buffer - ssl->buffers.inputBuffer.offset,
2850 ssl->heap,DYNAMIC_TYPE_IN_BUFFER);
2852 ssl->buffers.inputBuffer.dynamicFlag = 1;
2854 ssl->buffers.inputBuffer.offset = align - hdrSz;
2856 ssl->buffers.inputBuffer.offset = 0;
2857 ssl->buffers.inputBuffer.buffer = tmp;
2858 ssl->buffers.inputBuffer.bufferSize = size + usedLength;
2859 ssl->buffers.inputBuffer.idx = 0;
2860 ssl->buffers.inputBuffer.length = usedLength;
2866 /* check available size into output buffer, make room if needed */
2867 int CheckAvailableSize(WOLFSSL *ssl, int size)
2871 WOLFSSL_MSG("CheckAvailableSize() called with negative number");
2872 return BAD_FUNC_ARG;
2875 if (ssl->buffers.outputBuffer.bufferSize - ssl->buffers.outputBuffer.length
2877 if (GrowOutputBuffer(ssl, size) < 0)
2885 /* do all verify and sanity checks on record header */
2886 static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
2887 RecordLayerHeader* rh, word16 *size)
2889 if (!ssl->options.dtls) {
2892 ssl->fuzzerCb(ssl, input + *inOutIdx, RECORD_HEADER_SZ, FUZZ_HEAD,
2895 XMEMCPY(rh, input + *inOutIdx, RECORD_HEADER_SZ);
2896 *inOutIdx += RECORD_HEADER_SZ;
2897 ato16(rh->length, size);
2901 /* type and version in same sport */
2902 XMEMCPY(rh, input + *inOutIdx, ENUM_LEN + VERSION_SZ);
2903 *inOutIdx += ENUM_LEN + VERSION_SZ;
2904 ato16(input + *inOutIdx, &ssl->keys.dtls_state.curEpoch);
2905 *inOutIdx += 4; /* advance past epoch, skip first 2 seq bytes for now */
2906 ato32(input + *inOutIdx, &ssl->keys.dtls_state.curSeq);
2907 *inOutIdx += 4; /* advance past rest of seq */
2908 ato16(input + *inOutIdx, size);
2909 *inOutIdx += LENGTH_SZ;
2912 ssl->fuzzerCb(ssl, input + *inOutIdx - LENGTH_SZ - 8 - ENUM_LEN -
2913 VERSION_SZ, ENUM_LEN + VERSION_SZ + 8 + LENGTH_SZ,
2914 FUZZ_HEAD, ssl->fuzzerCtx);
2919 /* catch version mismatch */
2920 if (rh->pvMajor != ssl->version.major || rh->pvMinor != ssl->version.minor){
2921 if (ssl->options.side == WOLFSSL_SERVER_END &&
2922 ssl->options.acceptState == ACCEPT_BEGIN)
2923 WOLFSSL_MSG("Client attempting to connect with different version");
2924 else if (ssl->options.side == WOLFSSL_CLIENT_END &&
2925 ssl->options.downgrade &&
2926 ssl->options.connectState < FIRST_REPLY_DONE)
2927 WOLFSSL_MSG("Server attempting to accept with different version");
2929 WOLFSSL_MSG("SSL version error");
2930 return VERSION_ERROR; /* only use requested version */
2935 if (ssl->options.dtls) {
2936 if (DtlsCheckWindow(&ssl->keys.dtls_state) != 1)
2937 return SEQUENCE_ERROR;
2941 /* record layer length check */
2942 #ifdef HAVE_MAX_FRAGMENT
2943 if (*size > (ssl->max_fragment + MAX_COMP_EXTRA + MAX_MSG_EXTRA)) {
2944 SendAlert(ssl, alert_fatal, record_overflow);
2945 return LENGTH_ERROR;
2948 if (*size > (MAX_RECORD_SIZE + MAX_COMP_EXTRA + MAX_MSG_EXTRA))
2949 return LENGTH_ERROR;
2952 /* verify record type here as well */
2955 case change_cipher_spec:
2956 case application_data:
2961 WOLFSSL_MSG("Unknown Record Type");
2962 return UNKNOWN_RECORD_TYPE;
2965 /* haven't decrypted this record yet */
2966 ssl->keys.decryptedCur = 0;
2972 static int GetHandShakeHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
2973 byte *type, word32 *size, word32 totalSz)
2975 const byte *ptr = input + *inOutIdx;
2978 *inOutIdx += HANDSHAKE_HEADER_SZ;
2979 if (*inOutIdx > totalSz)
2983 c24to32(&ptr[1], size);
2990 static int GetDtlsHandShakeHeader(WOLFSSL* ssl, const byte* input,
2991 word32* inOutIdx, byte *type, word32 *size,
2992 word32 *fragOffset, word32 *fragSz,
2995 word32 idx = *inOutIdx;
2997 *inOutIdx += HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA;
2998 if (*inOutIdx > totalSz)
3001 *type = input[idx++];
3002 c24to32(input + idx, size);
3005 ato16(input + idx, &ssl->keys.dtls_peer_handshake_number);
3006 idx += DTLS_HANDSHAKE_SEQ_SZ;
3008 c24to32(input + idx, fragOffset);
3009 idx += DTLS_HANDSHAKE_FRAG_SZ;
3010 c24to32(input + idx, fragSz);
3018 /* fill with MD5 pad size since biggest required */
3019 static const byte PAD1[PAD_MD5] =
3020 { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
3021 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
3022 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
3023 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
3024 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
3025 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
3027 static const byte PAD2[PAD_MD5] =
3028 { 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
3029 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
3030 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
3031 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
3032 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
3033 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
3036 /* calculate MD5 hash for finished */
3037 #ifdef WOLFSSL_TI_HASH
3038 #include <wolfssl/wolfcrypt/hash.h>
3041 static void BuildMD5(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
3044 byte md5_result[MD5_DIGEST_SIZE];
3046 #ifdef WOLFSSL_SMALL_STACK
3047 Md5* md5 = (Md5*)XMALLOC(sizeof(Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER);
3048 Md5* md5_2 = (Md5*)XMALLOC(sizeof(Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER);
3054 /* make md5 inner */
3055 md5[0] = ssl->hsHashes->hashMd5 ; /* Save current position */
3057 wc_Md5Update(&ssl->hsHashes->hashMd5, sender, SIZEOF_SENDER);
3058 wc_Md5Update(&ssl->hsHashes->hashMd5, ssl->arrays->masterSecret,SECRET_LEN);
3059 wc_Md5Update(&ssl->hsHashes->hashMd5, PAD1, PAD_MD5);
3060 wc_Md5GetHash(&ssl->hsHashes->hashMd5, md5_result);
3061 wc_Md5RestorePos(&ssl->hsHashes->hashMd5, md5) ; /* Restore current position */
3063 /* make md5 outer */
3065 wc_Md5Update(md5_2, ssl->arrays->masterSecret,SECRET_LEN);
3066 wc_Md5Update(md5_2, PAD2, PAD_MD5);
3067 wc_Md5Update(md5_2, md5_result, MD5_DIGEST_SIZE);
3068 wc_Md5Final(md5_2, hashes->md5);
3070 #ifdef WOLFSSL_SMALL_STACK
3071 XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3072 XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3078 /* calculate SHA hash for finished */
3079 static void BuildSHA(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
3081 byte sha_result[SHA_DIGEST_SIZE];
3083 #ifdef WOLFSSL_SMALL_STACK
3084 Sha* sha = (Sha*)XMALLOC(sizeof(Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER);
3085 Sha* sha2 = (Sha*)XMALLOC(sizeof(Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER);
3090 /* make sha inner */
3091 sha[0] = ssl->hsHashes->hashSha ; /* Save current position */
3093 wc_ShaUpdate(&ssl->hsHashes->hashSha, sender, SIZEOF_SENDER);
3094 wc_ShaUpdate(&ssl->hsHashes->hashSha, ssl->arrays->masterSecret,SECRET_LEN);
3095 wc_ShaUpdate(&ssl->hsHashes->hashSha, PAD1, PAD_SHA);
3096 wc_ShaGetHash(&ssl->hsHashes->hashSha, sha_result);
3097 wc_ShaRestorePos(&ssl->hsHashes->hashSha, sha) ; /* Restore current position */
3099 /* make sha outer */
3101 wc_ShaUpdate(sha2, ssl->arrays->masterSecret,SECRET_LEN);
3102 wc_ShaUpdate(sha2, PAD2, PAD_SHA);
3103 wc_ShaUpdate(sha2, sha_result, SHA_DIGEST_SIZE);
3104 wc_ShaFinal(sha2, hashes->sha);
3106 #ifdef WOLFSSL_SMALL_STACK
3107 XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3108 XFREE(sha2, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3114 /* Finished doesn't support SHA512, not SHA512 cipher suites yet */
3115 static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
3118 #ifdef WOLFSSL_SMALL_STACK
3119 #ifdef WOLFSSL_SHA384
3120 Sha384* sha384 = (Sha384*)XMALLOC(sizeof(Sha384), NULL, DYNAMIC_TYPE_TMP_BUFFER);
3123 #ifdef WOLFSSL_SHA384
3128 #ifdef WOLFSSL_SMALL_STACK
3130 #ifdef WOLFSSL_SHA384
3134 #ifdef WOLFSSL_SHA384
3135 XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3141 /* store current states, building requires get_digest which resets state */
3142 #ifdef WOLFSSL_SHA384
3143 sha384[0] = ssl->hsHashes->hashSha384;
3147 if (ssl->options.tls) {
3148 ret = BuildTlsFinished(ssl, hashes, sender);
3152 if (!ssl->options.tls) {
3153 BuildMD5(ssl, hashes, sender);
3154 BuildSHA(ssl, hashes, sender);
3159 if (IsAtLeastTLSv1_2(ssl)) {
3160 #ifdef WOLFSSL_SHA384
3161 ssl->hsHashes->hashSha384 = sha384[0];
3165 #ifdef WOLFSSL_SMALL_STACK
3166 #ifdef WOLFSSL_SHA384
3167 XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3175 /* cipher requirements */
3180 REQUIRES_ECC_STATIC,
3188 /* Does this cipher suite (first, second) have the requirement
3189 an ephemeral key exchange will still require the key for signing
3190 the key exchange so ECHDE_RSA requires an rsa key thus rsa_kea */
3191 static int CipherRequires(byte first, byte second, int requirement)
3194 if (first == CHACHA_BYTE) {
3198 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
3199 if (requirement == REQUIRES_RSA)
3203 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
3204 if (requirement == REQUIRES_ECC_DSA)
3208 case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
3209 if (requirement == REQUIRES_RSA)
3211 if (requirement == REQUIRES_DHE)
3217 /* ECC extensions */
3218 if (first == ECC_BYTE) {
3223 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA :
3224 if (requirement == REQUIRES_RSA)
3228 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA :
3229 if (requirement == REQUIRES_ECC_STATIC)
3231 if (requirement == REQUIRES_RSA_SIG)
3236 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA :
3237 if (requirement == REQUIRES_RSA)
3241 case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA :
3242 if (requirement == REQUIRES_ECC_STATIC)
3244 if (requirement == REQUIRES_RSA_SIG)
3250 case TLS_ECDHE_RSA_WITH_RC4_128_SHA :
3251 if (requirement == REQUIRES_RSA)
3255 case TLS_ECDH_RSA_WITH_RC4_128_SHA :
3256 if (requirement == REQUIRES_ECC_STATIC)
3258 if (requirement == REQUIRES_RSA_SIG)
3265 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA :
3266 if (requirement == REQUIRES_ECC_DSA)
3270 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA :
3271 if (requirement == REQUIRES_ECC_STATIC)
3276 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA :
3277 if (requirement == REQUIRES_ECC_DSA)
3281 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA :
3282 if (requirement == REQUIRES_ECC_STATIC)
3287 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA :
3288 if (requirement == REQUIRES_RSA)
3292 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA :
3293 if (requirement == REQUIRES_ECC_STATIC)
3295 if (requirement == REQUIRES_RSA_SIG)
3300 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA :
3301 if (requirement == REQUIRES_ECC_DSA)
3305 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA :
3306 if (requirement == REQUIRES_ECC_STATIC)
3310 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA :
3311 if (requirement == REQUIRES_ECC_DSA)
3315 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA :
3316 if (requirement == REQUIRES_ECC_STATIC)
3320 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 :
3321 if (requirement == REQUIRES_ECC_DSA)
3325 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 :
3326 if (requirement == REQUIRES_ECC_DSA)
3330 case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 :
3331 if (requirement == REQUIRES_ECC_STATIC)
3335 case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 :
3336 if (requirement == REQUIRES_ECC_STATIC)
3341 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 :
3342 if (requirement == REQUIRES_RSA)
3346 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 :
3347 if (requirement == REQUIRES_RSA)
3351 case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 :
3352 if (requirement == REQUIRES_ECC_STATIC)
3354 if (requirement == REQUIRES_RSA_SIG)
3358 case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 :
3359 if (requirement == REQUIRES_ECC_STATIC)
3361 if (requirement == REQUIRES_RSA_SIG)
3365 case TLS_RSA_WITH_AES_128_CCM_8 :
3366 case TLS_RSA_WITH_AES_256_CCM_8 :
3367 if (requirement == REQUIRES_RSA)
3369 if (requirement == REQUIRES_RSA_SIG)
3373 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 :
3374 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 :
3375 if (requirement == REQUIRES_RSA)
3377 if (requirement == REQUIRES_RSA_SIG)
3381 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 :
3382 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 :
3383 if (requirement == REQUIRES_RSA_SIG)
3385 if (requirement == REQUIRES_ECC_STATIC)
3390 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 :
3391 case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 :
3392 if (requirement == REQUIRES_ECC_DSA)
3396 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 :
3397 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 :
3398 if (requirement == REQUIRES_ECC_DSA)
3402 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 :
3403 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 :
3404 if (requirement == REQUIRES_ECC_DSA)
3406 if (requirement == REQUIRES_ECC_STATIC)
3410 case TLS_PSK_WITH_AES_128_CCM:
3411 case TLS_PSK_WITH_AES_256_CCM:
3412 case TLS_PSK_WITH_AES_128_CCM_8:
3413 case TLS_PSK_WITH_AES_256_CCM_8:
3414 if (requirement == REQUIRES_PSK)
3418 case TLS_DHE_PSK_WITH_AES_128_CCM:
3419 case TLS_DHE_PSK_WITH_AES_256_CCM:
3420 if (requirement == REQUIRES_PSK)
3422 if (requirement == REQUIRES_DHE)
3427 WOLFSSL_MSG("Unsupported cipher suite, CipherRequires ECC");
3431 if (first != ECC_BYTE) { /* normal suites */
3435 case SSL_RSA_WITH_RC4_128_SHA :
3436 if (requirement == REQUIRES_RSA)
3440 case TLS_NTRU_RSA_WITH_RC4_128_SHA :
3441 if (requirement == REQUIRES_NTRU)
3445 case SSL_RSA_WITH_RC4_128_MD5 :
3446 if (requirement == REQUIRES_RSA)
3450 case SSL_RSA_WITH_3DES_EDE_CBC_SHA :
3451 if (requirement == REQUIRES_RSA)
3455 case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA :
3456 if (requirement == REQUIRES_NTRU)
3460 case TLS_RSA_WITH_AES_128_CBC_SHA :
3461 if (requirement == REQUIRES_RSA)
3465 case TLS_RSA_WITH_AES_128_CBC_SHA256 :
3466 if (requirement == REQUIRES_RSA)
3470 case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA :
3471 if (requirement == REQUIRES_NTRU)
3475 case TLS_RSA_WITH_AES_256_CBC_SHA :
3476 if (requirement == REQUIRES_RSA)
3480 case TLS_RSA_WITH_AES_256_CBC_SHA256 :
3481 if (requirement == REQUIRES_RSA)
3485 case TLS_RSA_WITH_NULL_SHA :
3486 case TLS_RSA_WITH_NULL_SHA256 :
3487 if (requirement == REQUIRES_RSA)
3491 case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA :
3492 if (requirement == REQUIRES_NTRU)
3497 case TLS_PSK_WITH_AES_128_GCM_SHA256 :
3498 case TLS_PSK_WITH_AES_256_GCM_SHA384 :
3499 case TLS_PSK_WITH_AES_128_CBC_SHA256 :
3500 case TLS_PSK_WITH_AES_256_CBC_SHA384 :
3501 case TLS_PSK_WITH_AES_128_CBC_SHA :
3502 case TLS_PSK_WITH_AES_256_CBC_SHA :
3503 case TLS_PSK_WITH_NULL_SHA384 :
3504 case TLS_PSK_WITH_NULL_SHA256 :
3505 case TLS_PSK_WITH_NULL_SHA :
3506 if (requirement == REQUIRES_PSK)
3510 case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 :
3511 case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 :
3512 case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 :
3513 case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 :
3514 case TLS_DHE_PSK_WITH_NULL_SHA384 :
3515 case TLS_DHE_PSK_WITH_NULL_SHA256 :
3516 if (requirement == REQUIRES_DHE)
3518 if (requirement == REQUIRES_PSK)
3523 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 :
3524 if (requirement == REQUIRES_RSA)
3526 if (requirement == REQUIRES_DHE)
3530 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 :
3531 if (requirement == REQUIRES_RSA)
3533 if (requirement == REQUIRES_DHE)
3537 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA :
3538 if (requirement == REQUIRES_RSA)
3540 if (requirement == REQUIRES_DHE)
3544 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA :
3545 if (requirement == REQUIRES_RSA)
3547 if (requirement == REQUIRES_DHE)
3551 case TLS_RSA_WITH_HC_128_MD5 :
3552 if (requirement == REQUIRES_RSA)
3556 case TLS_RSA_WITH_HC_128_SHA :
3557 if (requirement == REQUIRES_RSA)
3561 case TLS_RSA_WITH_HC_128_B2B256:
3562 if (requirement == REQUIRES_RSA)
3566 case TLS_RSA_WITH_AES_128_CBC_B2B256:
3567 case TLS_RSA_WITH_AES_256_CBC_B2B256:
3568 if (requirement == REQUIRES_RSA)
3572 case TLS_RSA_WITH_RABBIT_SHA :
3573 if (requirement == REQUIRES_RSA)
3577 case TLS_RSA_WITH_AES_128_GCM_SHA256 :
3578 case TLS_RSA_WITH_AES_256_GCM_SHA384 :
3579 if (requirement == REQUIRES_RSA)
3583 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 :
3584 case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 :
3585 if (requirement == REQUIRES_RSA)
3587 if (requirement == REQUIRES_DHE)
3591 case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA :
3592 case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA :
3593 case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 :
3594 case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 :
3595 if (requirement == REQUIRES_RSA)
3599 case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA :
3600 case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA :
3601 case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 :
3602 case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 :
3603 if (requirement == REQUIRES_RSA)
3605 if (requirement == REQUIRES_RSA_SIG)
3607 if (requirement == REQUIRES_DHE)
3612 case TLS_DH_anon_WITH_AES_128_CBC_SHA :
3613 if (requirement == REQUIRES_DHE)
3619 WOLFSSL_MSG("Unsupported cipher suite, CipherRequires");
3622 } /* if ECC / Normal suites else */
3631 /* Match names with wildcards, each wildcard can represent a single name
3632 component or fragment but not mulitple names, i.e.,
3633 *.z.com matches y.z.com but not x.y.z.com
3635 return 1 on success */
3636 static int MatchDomainName(const char* pattern, int len, const char* str)
3640 if (pattern == NULL || str == NULL || len <= 0)
3645 p = (char)XTOLOWER((unsigned char)*pattern++);
3651 (p = (char)XTOLOWER((unsigned char)*pattern++)) == '*')
3657 while ( (s = (char)XTOLOWER((unsigned char) *str)) != '\0') {
3666 if (p != (char)XTOLOWER((unsigned char) *str))
3677 return *str == '\0';
3681 /* try to find an altName match to domain, return 1 on success */
3682 static int CheckAltNames(DecodedCert* dCert, char* domain)
3685 DNS_entry* altName = NULL;
3687 WOLFSSL_MSG("Checking AltNames");
3690 altName = dCert->altNames;
3693 WOLFSSL_MSG(" individual AltName check");
3695 if (MatchDomainName(altName->name,(int)XSTRLEN(altName->name), domain)){
3700 altName = altName->next;
3707 #if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)
3709 /* Copy parts X509 needs from Decoded cert, 0 on success */
3710 int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
3714 if (x509 == NULL || dCert == NULL)
3715 return BAD_FUNC_ARG;
3717 x509->version = dCert->version + 1;
3719 XSTRNCPY(x509->issuer.name, dCert->issuer, ASN_NAME_MAX);
3720 x509->issuer.name[ASN_NAME_MAX - 1] = '\0';
3721 x509->issuer.sz = (int)XSTRLEN(x509->issuer.name) + 1;
3722 #ifdef OPENSSL_EXTRA
3723 if (dCert->issuerName.fullName != NULL) {
3724 XMEMCPY(&x509->issuer.fullName,
3725 &dCert->issuerName, sizeof(DecodedName));
3726 x509->issuer.fullName.fullName = (char*)XMALLOC(
3727 dCert->issuerName.fullNameLen, NULL, DYNAMIC_TYPE_X509);
3728 if (x509->issuer.fullName.fullName != NULL)
3729 XMEMCPY(x509->issuer.fullName.fullName,
3730 dCert->issuerName.fullName, dCert->issuerName.fullNameLen);
3732 #endif /* OPENSSL_EXTRA */
3734 XSTRNCPY(x509->subject.name, dCert->subject, ASN_NAME_MAX);
3735 x509->subject.name[ASN_NAME_MAX - 1] = '\0';
3736 x509->subject.sz = (int)XSTRLEN(x509->subject.name) + 1;
3737 #ifdef OPENSSL_EXTRA
3738 if (dCert->subjectName.fullName != NULL) {
3739 XMEMCPY(&x509->subject.fullName,
3740 &dCert->subjectName, sizeof(DecodedName));
3741 x509->subject.fullName.fullName = (char*)XMALLOC(
3742 dCert->subjectName.fullNameLen, NULL, DYNAMIC_TYPE_X509);
3743 if (x509->subject.fullName.fullName != NULL)
3744 XMEMCPY(x509->subject.fullName.fullName,
3745 dCert->subjectName.fullName, dCert->subjectName.fullNameLen);
3747 #endif /* OPENSSL_EXTRA */
3749 XMEMCPY(x509->serial, dCert->serial, EXTERNAL_SERIAL_SIZE);
3750 x509->serialSz = dCert->serialSz;
3751 if (dCert->subjectCNLen < ASN_NAME_MAX) {
3752 XMEMCPY(x509->subjectCN, dCert->subjectCN, dCert->subjectCNLen);
3753 x509->subjectCN[dCert->subjectCNLen] = '\0';
3756 x509->subjectCN[0] = '\0';
3760 int minSz = min(dCert->deviceTypeSz, EXTERNAL_SERIAL_SIZE);
3762 x509->deviceTypeSz = minSz;
3763 XMEMCPY(x509->deviceType, dCert->deviceType, minSz);
3766 x509->deviceTypeSz = 0;
3767 minSz = min(dCert->hwTypeSz, EXTERNAL_SERIAL_SIZE);
3769 x509->hwTypeSz = minSz;
3770 XMEMCPY(x509->hwType, dCert->hwType, minSz);
3774 minSz = min(dCert->hwSerialNumSz, EXTERNAL_SERIAL_SIZE);
3776 x509->hwSerialNumSz = minSz;
3777 XMEMCPY(x509->hwSerialNum, dCert->hwSerialNum, minSz);
3780 x509->hwSerialNumSz = 0;
3782 #endif /* WOLFSSL_SEP */
3784 int minSz = min(dCert->beforeDateLen, MAX_DATE_SZ);
3786 x509->notBeforeSz = minSz;
3787 XMEMCPY(x509->notBefore, dCert->beforeDate, minSz);
3790 x509->notBeforeSz = 0;
3791 minSz = min(dCert->afterDateLen, MAX_DATE_SZ);
3793 x509->notAfterSz = minSz;
3794 XMEMCPY(x509->notAfter, dCert->afterDate, minSz);
3797 x509->notAfterSz = 0;
3800 if (dCert->publicKey != NULL && dCert->pubKeySize != 0) {
3801 x509->pubKey.buffer = (byte*)XMALLOC(
3802 dCert->pubKeySize, NULL, DYNAMIC_TYPE_PUBLIC_KEY);
3803 if (x509->pubKey.buffer != NULL) {
3804 x509->pubKeyOID = dCert->keyOID;
3805 x509->pubKey.length = dCert->pubKeySize;
3806 XMEMCPY(x509->pubKey.buffer, dCert->publicKey, dCert->pubKeySize);
3812 if (dCert->signature != NULL && dCert->sigLength != 0) {
3813 x509->sig.buffer = (byte*)XMALLOC(
3814 dCert->sigLength, NULL, DYNAMIC_TYPE_SIGNATURE);
3815 if (x509->sig.buffer == NULL) {
3819 XMEMCPY(x509->sig.buffer, dCert->signature, dCert->sigLength);
3820 x509->sig.length = dCert->sigLength;
3821 x509->sigOID = dCert->signatureOID;
3825 /* store cert for potential retrieval */
3826 x509->derCert.buffer = (byte*)XMALLOC(dCert->maxIdx, NULL,
3828 if (x509->derCert.buffer == NULL) {
3832 XMEMCPY(x509->derCert.buffer, dCert->source, dCert->maxIdx);
3833 x509->derCert.length = dCert->maxIdx;
3836 x509->altNames = dCert->altNames;
3837 dCert->weOwnAltNames = 0;
3838 x509->altNamesNext = x509->altNames; /* index hint */
3840 x509->isCa = dCert->isCA;
3841 #ifdef OPENSSL_EXTRA
3842 x509->pathLength = dCert->pathLength;
3843 x509->keyUsage = dCert->extKeyUsage;
3845 x509->basicConstSet = dCert->extBasicConstSet;
3846 x509->basicConstCrit = dCert->extBasicConstCrit;
3847 x509->basicConstPlSet = dCert->extBasicConstPlSet;
3848 x509->subjAltNameSet = dCert->extSubjAltNameSet;
3849 x509->subjAltNameCrit = dCert->extSubjAltNameCrit;
3850 x509->authKeyIdSet = dCert->extAuthKeyIdSet;
3851 x509->authKeyIdCrit = dCert->extAuthKeyIdCrit;
3852 if (dCert->extAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSz != 0) {
3853 x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, NULL, 0);
3854 if (x509->authKeyId != NULL) {
3855 XMEMCPY(x509->authKeyId,
3856 dCert->extAuthKeyIdSrc, dCert->extAuthKeyIdSz);
3857 x509->authKeyIdSz = dCert->extAuthKeyIdSz;
3862 x509->subjKeyIdSet = dCert->extSubjKeyIdSet;
3863 x509->subjKeyIdCrit = dCert->extSubjKeyIdCrit;
3864 if (dCert->extSubjKeyIdSrc != NULL && dCert->extSubjKeyIdSz != 0) {
3865 x509->subjKeyId = (byte*)XMALLOC(dCert->extSubjKeyIdSz, NULL, 0);
3866 if (x509->subjKeyId != NULL) {
3867 XMEMCPY(x509->subjKeyId,
3868 dCert->extSubjKeyIdSrc, dCert->extSubjKeyIdSz);
3869 x509->subjKeyIdSz = dCert->extSubjKeyIdSz;
3874 x509->keyUsageSet = dCert->extKeyUsageSet;
3875 x509->keyUsageCrit = dCert->extKeyUsageCrit;
3877 x509->certPolicySet = dCert->extCertPolicySet;
3878 x509->certPolicyCrit = dCert->extCertPolicyCrit;
3879 #endif /* WOLFSSL_SEP */
3880 #endif /* OPENSSL_EXTRA */
3882 x509->pkCurveOID = dCert->pkCurveOID;
3883 #endif /* HAVE_ECC */
3888 #endif /* KEEP_PEER_CERT || SESSION_CERTS */
3891 static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
3895 word32 begin = *inOutIdx;
3898 int totalCerts = 0; /* number of certs in certs buffer */
3900 buffer certs[MAX_CHAIN_DEPTH];
3902 #ifdef WOLFSSL_SMALL_STACK
3903 char* domain = NULL;
3904 DecodedCert* dCert = NULL;
3905 WOLFSSL_X509_STORE_CTX* store = NULL;
3907 char domain[ASN_NAME_MAX];
3908 DecodedCert dCert[1];
3909 WOLFSSL_X509_STORE_CTX store[1];
3912 #ifdef WOLFSSL_CALLBACKS
3913 if (ssl->hsInfoOn) AddPacketName("Certificate", &ssl->handShakeInfo);
3914 if (ssl->toInfoOn) AddLateName("Certificate", &ssl->timeoutInfo);
3917 if ((*inOutIdx - begin) + OPAQUE24_LEN > size)
3918 return BUFFER_ERROR;
3920 c24to32(input + *inOutIdx, &listSz);
3921 *inOutIdx += OPAQUE24_LEN;
3923 #ifdef HAVE_MAX_FRAGMENT
3924 if (listSz > ssl->max_fragment) {
3925 SendAlert(ssl, alert_fatal, record_overflow);
3929 if (listSz > MAX_RECORD_SIZE)
3933 if ((*inOutIdx - begin) + listSz != size)
3934 return BUFFER_ERROR;
3936 WOLFSSL_MSG("Loading peer's cert chain");
3937 /* first put cert chain into buffer so can verify top down
3938 we're sent bottom up */
3942 if (totalCerts >= MAX_CHAIN_DEPTH)
3943 return MAX_CHAIN_ERROR;
3945 if ((*inOutIdx - begin) + OPAQUE24_LEN > size)
3946 return BUFFER_ERROR;
3948 c24to32(input + *inOutIdx, &certSz);
3949 *inOutIdx += OPAQUE24_LEN;
3951 if ((*inOutIdx - begin) + certSz > size)
3952 return BUFFER_ERROR;
3954 certs[totalCerts].length = certSz;
3955 certs[totalCerts].buffer = input + *inOutIdx;
3957 #ifdef SESSION_CERTS
3958 if (ssl->session.chain.count < MAX_CHAIN_DEPTH &&
3959 certSz < MAX_X509_SIZE) {
3960 ssl->session.chain.certs[ssl->session.chain.count].length = certSz;
3961 XMEMCPY(ssl->session.chain.certs[ssl->session.chain.count].buffer,
3962 input + *inOutIdx, certSz);
3963 ssl->session.chain.count++;
3965 WOLFSSL_MSG("Couldn't store chain cert for session");
3969 *inOutIdx += certSz;
3970 listSz -= certSz + CERT_HEADER_SZ;
3973 WOLFSSL_MSG(" Put another cert into chain");
3978 #ifdef WOLFSSL_SMALL_STACK
3979 dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
3980 DYNAMIC_TYPE_TMP_BUFFER);
3985 /* verify up to peer's first */
3987 buffer myCert = certs[count - 1];
3990 InitDecodedCert(dCert, myCert.buffer, myCert.length, ssl->heap);
3991 ret = ParseCertRelative(dCert, CERT_TYPE, !ssl->options.verifyNone,
3994 subjectHash = dCert->extSubjKeyId;
3996 subjectHash = dCert->subjectHash;
3999 if (ret == 0 && dCert->isCA == 0) {
4000 WOLFSSL_MSG("Chain cert is not a CA, not adding as one");
4002 else if (ret == 0 && ssl->options.verifyNone) {
4003 WOLFSSL_MSG("Chain cert not verified by option, not adding as CA");
4005 else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, subjectHash)) {
4007 add.length = myCert.length;
4008 add.buffer = (byte*)XMALLOC(myCert.length, ssl->heap,
4010 WOLFSSL_MSG("Adding CA from chain");
4012 if (add.buffer == NULL)
4014 XMEMCPY(add.buffer, myCert.buffer, myCert.length);
4016 ret = AddCA(ssl->ctx->cm, add, WOLFSSL_CHAIN_CA,
4017 ssl->ctx->verifyPeer);
4018 if (ret == 1) ret = 0; /* SSL_SUCCESS for external */
4020 else if (ret != 0) {
4021 WOLFSSL_MSG("Failed to verify CA from chain");
4024 WOLFSSL_MSG("Verified CA from chain and already had it");
4027 #if defined(HAVE_OCSP) || defined(HAVE_CRL)
4029 int doCrlLookup = 1;
4032 if (ssl->ctx->cm->ocspEnabled && ssl->ctx->cm->ocspCheckAll) {
4033 WOLFSSL_MSG("Doing Non Leaf OCSP check");
4034 ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
4035 doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
4038 WOLFSSL_MSG("\tOCSP Lookup not ok");
4041 #endif /* HAVE_OCSP */
4044 if (doCrlLookup && ssl->ctx->cm->crlEnabled
4045 && ssl->ctx->cm->crlCheckAll) {
4046 WOLFSSL_MSG("Doing Non Leaf CRL check");
4047 ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
4050 WOLFSSL_MSG("\tCRL check not ok");
4053 #endif /* HAVE_CRL */
4055 #endif /* HAVE_OCSP || HAVE_CRL */
4057 if (ret != 0 && anyError == 0)
4058 anyError = ret; /* save error from last time */
4060 FreeDecodedCert(dCert);
4064 /* peer's, may not have one if blank client cert sent by TLSv1.2 */
4066 buffer myCert = certs[0];
4069 WOLFSSL_MSG("Verifying Peer's cert");
4071 InitDecodedCert(dCert, myCert.buffer, myCert.length, ssl->heap);
4072 ret = ParseCertRelative(dCert, CERT_TYPE, !ssl->options.verifyNone,
4075 WOLFSSL_MSG("Verified Peer's cert");
4078 else if (ret == ASN_PARSE_E) {
4079 WOLFSSL_MSG("Got Peer cert ASN PARSE ERROR, fatal");
4083 WOLFSSL_MSG("Failed to verify Peer's cert");
4084 if (ssl->verifyCallback) {
4085 WOLFSSL_MSG("\tCallback override available, will continue");
4089 WOLFSSL_MSG("\tNo callback override available, fatal");
4094 #ifdef HAVE_SECURE_RENEGOTIATION
4095 if (fatal == 0 && ssl->secure_renegotiation
4096 && ssl->secure_renegotiation->enabled) {
4098 if (ssl->keys.encryptionOn) {
4099 /* compare against previous time */
4100 if (XMEMCMP(dCert->subjectHash,
4101 ssl->secure_renegotiation->subject_hash,
4102 SHA_DIGEST_SIZE) != 0) {
4103 WOLFSSL_MSG("Peer sent different cert during scr, fatal");
4105 ret = SCR_DIFFERENT_CERT_E;
4109 /* cache peer's hash */
4111 XMEMCPY(ssl->secure_renegotiation->subject_hash,
4112 dCert->subjectHash, SHA_DIGEST_SIZE);
4117 #if defined(HAVE_OCSP) || defined(HAVE_CRL)
4119 int doCrlLookup = 1;
4122 if (ssl->ctx->cm->ocspEnabled) {
4123 ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
4124 doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
4126 WOLFSSL_MSG("\tOCSP Lookup not ok");
4130 #endif /* HAVE_OCSP */
4133 if (doCrlLookup && ssl->ctx->cm->crlEnabled) {
4134 WOLFSSL_MSG("Doing Leaf CRL check");
4135 ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
4137 WOLFSSL_MSG("\tCRL check not ok");
4141 #endif /* HAVE_CRL */
4143 #endif /* HAVE_OCSP || HAVE_CRL */
4145 #ifdef KEEP_PEER_CERT
4147 /* set X509 format for peer cert even if fatal */
4148 int copyRet = CopyDecodedToX509(&ssl->peerCert, dCert);
4149 if (copyRet == MEMORY_E)
4154 #ifndef IGNORE_KEY_EXTENSIONS
4155 if (dCert->extKeyUsageSet) {
4156 if ((ssl->specs.kea == rsa_kea) &&
4157 (dCert->extKeyUsage & KEYUSE_KEY_ENCIPHER) == 0) {
4158 ret = KEYUSE_ENCIPHER_E;
4160 if ((ssl->specs.sig_algo == rsa_sa_algo ||
4161 (ssl->specs.sig_algo == ecc_dsa_sa_algo &&
4162 !ssl->specs.static_ecdh)) &&
4163 (dCert->extKeyUsage & KEYUSE_DIGITAL_SIG) == 0) {
4164 WOLFSSL_MSG("KeyUse Digital Sig not set");
4165 ret = KEYUSE_SIGNATURE_E;
4169 if (dCert->extExtKeyUsageSet) {
4170 if (ssl->options.side == WOLFSSL_CLIENT_END) {
4171 if ((dCert->extExtKeyUsage &
4172 (EXTKEYUSE_ANY | EXTKEYUSE_SERVER_AUTH)) == 0) {
4173 WOLFSSL_MSG("ExtKeyUse Server Auth not set");
4174 ret = EXTKEYUSE_AUTH_E;
4178 if ((dCert->extExtKeyUsage &
4179 (EXTKEYUSE_ANY | EXTKEYUSE_CLIENT_AUTH)) == 0) {
4180 WOLFSSL_MSG("ExtKeyUse Client Auth not set");
4181 ret = EXTKEYUSE_AUTH_E;
4185 #endif /* IGNORE_KEY_EXTENSIONS */
4188 FreeDecodedCert(dCert);
4189 #ifdef WOLFSSL_SMALL_STACK
4190 XFREE(dCert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
4195 ssl->options.havePeerCert = 1;
4197 #ifdef WOLFSSL_SMALL_STACK
4198 domain = (char*)XMALLOC(ASN_NAME_MAX, NULL, DYNAMIC_TYPE_TMP_BUFFER);
4199 if (domain == NULL) {
4200 FreeDecodedCert(dCert);
4201 XFREE(dCert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
4205 /* store for callback use */
4206 if (dCert->subjectCNLen < ASN_NAME_MAX) {
4207 XMEMCPY(domain, dCert->subjectCN, dCert->subjectCNLen);
4208 domain[dCert->subjectCNLen] = '\0';
4213 if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer) {
4214 if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen,
4215 (char*)ssl->buffers.domainName.buffer) == 0) {
4216 WOLFSSL_MSG("DomainName match on common name failed");
4217 if (CheckAltNames(dCert,
4218 (char*)ssl->buffers.domainName.buffer) == 0 ) {
4219 WOLFSSL_MSG("DomainName match on alt names failed too");
4220 ret = DOMAIN_NAME_MISMATCH; /* try to get peer key still */
4225 /* decode peer key */
4226 switch (dCert->keyOID) {
4233 if (ssl->peerRsaKey == NULL) {
4234 ssl->peerRsaKey = (RsaKey*)XMALLOC(sizeof(RsaKey),
4235 ssl->heap, DYNAMIC_TYPE_RSA);
4236 if (ssl->peerRsaKey == NULL) {
4237 WOLFSSL_MSG("PeerRsaKey Memory error");
4240 keyRet = wc_InitRsaKey(ssl->peerRsaKey,
4243 } else if (ssl->peerRsaKeyPresent) {
4244 /* don't leak on reuse */
4245 wc_FreeRsaKey(ssl->peerRsaKey);
4246 ssl->peerRsaKeyPresent = 0;
4247 keyRet = wc_InitRsaKey(ssl->peerRsaKey, ssl->heap);
4250 if (keyRet != 0 || wc_RsaPublicKeyDecode(dCert->publicKey,
4251 &idx, ssl->peerRsaKey, dCert->pubKeySize) != 0) {
4252 ret = PEER_KEY_ERROR;
4255 ssl->peerRsaKeyPresent = 1;
4256 #ifdef HAVE_PK_CALLBACKS
4258 ssl->buffers.peerRsaKey.buffer =
4259 (byte*)XMALLOC(dCert->pubKeySize,
4260 ssl->heap, DYNAMIC_TYPE_RSA);
4261 if (ssl->buffers.peerRsaKey.buffer == NULL)
4264 XMEMCPY(ssl->buffers.peerRsaKey.buffer,
4265 dCert->publicKey, dCert->pubKeySize);
4266 ssl->buffers.peerRsaKey.length =
4270 #endif /*HAVE_PK_CALLBACKS */
4278 if (dCert->pubKeySize > sizeof(ssl->peerNtruKey)) {
4279 ret = PEER_KEY_ERROR;
4282 XMEMCPY(ssl->peerNtruKey, dCert->publicKey,
4284 ssl->peerNtruKeyLen = (word16)dCert->pubKeySize;
4285 ssl->peerNtruKeyPresent = 1;
4289 #endif /* HAVE_NTRU */
4293 if (ssl->peerEccDsaKey == NULL) {
4294 /* alloc/init on demand */
4295 ssl->peerEccDsaKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
4296 ssl->ctx->heap, DYNAMIC_TYPE_ECC);
4297 if (ssl->peerEccDsaKey == NULL) {
4298 WOLFSSL_MSG("PeerEccDsaKey Memory error");
4301 wc_ecc_init(ssl->peerEccDsaKey);
4302 } else if (ssl->peerEccDsaKeyPresent) {
4303 /* don't leak on reuse */
4304 wc_ecc_free(ssl->peerEccDsaKey);
4305 ssl->peerEccDsaKeyPresent = 0;
4306 wc_ecc_init(ssl->peerEccDsaKey);
4308 if (wc_ecc_import_x963(dCert->publicKey, dCert->pubKeySize,
4309 ssl->peerEccDsaKey) != 0) {
4310 ret = PEER_KEY_ERROR;
4313 ssl->peerEccDsaKeyPresent = 1;
4314 #ifdef HAVE_PK_CALLBACKS
4316 ssl->buffers.peerEccDsaKey.buffer =
4317 (byte*)XMALLOC(dCert->pubKeySize,
4318 ssl->heap, DYNAMIC_TYPE_ECC);
4319 if (ssl->buffers.peerEccDsaKey.buffer == NULL)
4322 XMEMCPY(ssl->buffers.peerEccDsaKey.buffer,
4323 dCert->publicKey, dCert->pubKeySize);
4324 ssl->buffers.peerEccDsaKey.length =
4327 #endif /* HAVE_ECC */
4328 #endif /*HAVE_PK_CALLBACKS */
4332 #endif /* HAVE_ECC */
4337 FreeDecodedCert(dCert);
4340 #ifdef WOLFSSL_SMALL_STACK
4341 XFREE(dCert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
4343 store = (WOLFSSL_X509_STORE_CTX*)XMALLOC(sizeof(WOLFSSL_X509_STORE_CTX),
4344 NULL, DYNAMIC_TYPE_TMP_BUFFER);
4345 if (store == NULL) {
4346 XFREE(domain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
4351 if (anyError != 0 && ret == 0)
4355 if (!ssl->options.verifyNone) {
4356 int why = bad_certificate;
4358 if (ret == ASN_AFTER_DATE_E || ret == ASN_BEFORE_DATE_E)
4359 why = certificate_expired;
4360 if (ssl->verifyCallback) {
4364 store->error_depth = totalCerts;
4365 store->discardSessionCerts = 0;
4366 store->domain = domain;
4367 store->userCtx = ssl->verifyCbCtx;
4368 #ifdef KEEP_PEER_CERT
4369 store->current_cert = &ssl->peerCert;
4371 store->current_cert = NULL;
4374 store->ex_data = ssl;
4376 ok = ssl->verifyCallback(0, store);
4378 WOLFSSL_MSG("Verify callback overriding error!");
4381 #ifdef SESSION_CERTS
4382 if (store->discardSessionCerts) {
4383 WOLFSSL_MSG("Verify callback requested discard sess certs");
4384 ssl->session.chain.count = 0;
4389 SendAlert(ssl, alert_fatal, why); /* try to send */
4390 ssl->options.isClosed = 1;
4395 #ifdef WOLFSSL_ALWAYS_VERIFY_CB
4397 if (ssl->verifyCallback) {
4401 store->error_depth = totalCerts;
4402 store->discardSessionCerts = 0;
4403 store->domain = domain;
4404 store->userCtx = ssl->verifyCbCtx;
4405 #ifdef KEEP_PEER_CERT
4406 store->current_cert = &ssl->peerCert;
4408 store->ex_data = ssl;
4410 ok = ssl->verifyCallback(1, store);
4412 WOLFSSL_MSG("Verify callback overriding valid certificate!");
4414 SendAlert(ssl, alert_fatal, bad_certificate);
4415 ssl->options.isClosed = 1;
4417 #ifdef SESSION_CERTS
4418 if (store->discardSessionCerts) {
4419 WOLFSSL_MSG("Verify callback requested discard sess certs");
4420 ssl->session.chain.count = 0;
4427 if (ssl->options.verifyNone &&
4428 (ret == CRL_MISSING || ret == CRL_CERT_REVOKED)) {
4429 WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
4430 ret = ssl->error = 0;
4433 if (ret == 0 && ssl->options.side == WOLFSSL_CLIENT_END)
4434 ssl->options.serverState = SERVER_CERT_COMPLETE;
4436 if (ssl->keys.encryptionOn) {
4437 *inOutIdx += ssl->keys.padSz;
4440 #ifdef WOLFSSL_SMALL_STACK
4441 XFREE(store, NULL, DYNAMIC_TYPE_TMP_BUFFER);
4442 XFREE(domain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
4448 #endif /* !NO_CERTS */
4451 static int DoHelloRequest(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
4452 word32 size, word32 totalSz)
4456 if (size) /* must be 0 */
4457 return BUFFER_ERROR;
4459 if (ssl->keys.encryptionOn) {
4460 /* access beyond input + size should be checked against totalSz */
4461 if (*inOutIdx + ssl->keys.padSz > totalSz)
4464 *inOutIdx += ssl->keys.padSz;
4467 if (ssl->options.side == WOLFSSL_SERVER_END) {
4468 SendAlert(ssl, alert_fatal, unexpected_message); /* try */
4471 #ifdef HAVE_SECURE_RENEGOTIATION
4472 else if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) {
4473 ssl->secure_renegotiation->startScr = 1;
4478 return SendAlert(ssl, alert_warning, no_renegotiation);
4483 int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size,
4484 word32 totalSz, int sniff)
4486 word32 finishedSz = (ssl->options.tls ? TLS_FINISHED_SZ : FINISHED_SZ);
4488 if (finishedSz != size)
4489 return BUFFER_ERROR;
4491 /* check against totalSz */
4492 if (*inOutIdx + size + ssl->keys.padSz > totalSz)
4495 #ifdef WOLFSSL_CALLBACKS
4496 if (ssl->hsInfoOn) AddPacketName("Finished", &ssl->handShakeInfo);
4497 if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo);
4500 if (sniff == NO_SNIFF) {
4501 if (XMEMCMP(input + *inOutIdx, &ssl->hsHashes->verifyHashes,size) != 0){
4502 WOLFSSL_MSG("Verify finished error on hashes");
4503 return VERIFY_FINISHED_ERROR;
4507 #ifdef HAVE_SECURE_RENEGOTIATION
4508 if (ssl->secure_renegotiation) {
4509 /* save peer's state */
4510 if (ssl->options.side == WOLFSSL_CLIENT_END)
4511 XMEMCPY(ssl->secure_renegotiation->server_verify_data,
4512 input + *inOutIdx, TLS_FINISHED_SZ);
4514 XMEMCPY(ssl->secure_renegotiation->client_verify_data,
4515 input + *inOutIdx, TLS_FINISHED_SZ);
4519 /* force input exhaustion at ProcessReply consuming padSz */
4520 *inOutIdx += size + ssl->keys.padSz;
4522 if (ssl->options.side == WOLFSSL_CLIENT_END) {
4523 ssl->options.serverState = SERVER_FINISHED_COMPLETE;
4524 if (!ssl->options.resuming) {
4525 ssl->options.handShakeState = HANDSHAKE_DONE;
4526 ssl->options.handShakeDone = 1;
4529 if (ssl->options.dtls) {
4530 /* Other side has received our Finished, go to next epoch */
4531 ssl->keys.dtls_epoch++;
4532 ssl->keys.dtls_sequence_number = 1;
4538 ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
4539 if (ssl->options.resuming) {
4540 ssl->options.handShakeState = HANDSHAKE_DONE;
4541 ssl->options.handShakeDone = 1;
4544 if (ssl->options.dtls) {
4545 /* Other side has received our Finished, go to next epoch */
4546 ssl->keys.dtls_epoch++;
4547 ssl->keys.dtls_sequence_number = 1;
4557 /* Make sure no duplicates, no fast forward, or other problems; 0 on success */
4558 static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
4560 /* verify not a duplicate, mark received, check state */
4563 #ifndef NO_WOLFSSL_CLIENT
4565 if (ssl->msgsReceived.got_hello_request) {
4566 WOLFSSL_MSG("Duplicate HelloRequest received");
4567 return DUPLICATE_MSG_E;
4569 ssl->msgsReceived.got_hello_request = 1;
4574 #ifndef NO_WOLFSSL_SERVER
4576 if (ssl->msgsReceived.got_client_hello) {
4577 WOLFSSL_MSG("Duplicate ClientHello received");
4578 return DUPLICATE_MSG_E;
4580 ssl->msgsReceived.got_client_hello = 1;
4585 #ifndef NO_WOLFSSL_CLIENT
4587 if (ssl->msgsReceived.got_server_hello) {
4588 WOLFSSL_MSG("Duplicate ServerHello received");
4589 return DUPLICATE_MSG_E;
4591 ssl->msgsReceived.got_server_hello = 1;
4596 #ifndef NO_WOLFSSL_CLIENT
4597 case hello_verify_request:
4598 if (ssl->msgsReceived.got_hello_verify_request) {
4599 WOLFSSL_MSG("Duplicate HelloVerifyRequest received");
4600 return DUPLICATE_MSG_E;
4602 ssl->msgsReceived.got_hello_verify_request = 1;
4607 #ifndef NO_WOLFSSL_CLIENT
4608 case session_ticket:
4609 if (ssl->msgsReceived.got_session_ticket) {
4610 WOLFSSL_MSG("Duplicate SessionTicket received");
4611 return DUPLICATE_MSG_E;
4613 ssl->msgsReceived.got_session_ticket = 1;
4619 if (ssl->msgsReceived.got_certificate) {
4620 WOLFSSL_MSG("Duplicate Certificate received");
4621 return DUPLICATE_MSG_E;
4623 ssl->msgsReceived.got_certificate = 1;
4625 #ifndef NO_WOLFSSL_CLIENT
4626 if (ssl->options.side == WOLFSSL_CLIENT_END) {
4627 if ( ssl->msgsReceived.got_server_hello == 0) {
4628 WOLFSSL_MSG("No ServerHello before Cert");
4629 return OUT_OF_ORDER_E;
4633 #ifndef NO_WOLFSSL_SERVER
4634 if (ssl->options.side == WOLFSSL_SERVER_END) {
4635 if ( ssl->msgsReceived.got_client_hello == 0) {
4636 WOLFSSL_MSG("No ClientHello before Cert");
4637 return OUT_OF_ORDER_E;
4643 #ifndef NO_WOLFSSL_CLIENT
4644 case server_key_exchange:
4645 if (ssl->msgsReceived.got_server_key_exchange) {
4646 WOLFSSL_MSG("Duplicate ServerKeyExchange received");
4647 return DUPLICATE_MSG_E;
4649 ssl->msgsReceived.got_server_key_exchange = 1;
4651 if ( ssl->msgsReceived.got_server_hello == 0) {
4652 WOLFSSL_MSG("No ServerHello before Cert");
4653 return OUT_OF_ORDER_E;
4659 #ifndef NO_WOLFSSL_CLIENT
4660 case certificate_request:
4661 if (ssl->msgsReceived.got_certificate_request) {
4662 WOLFSSL_MSG("Duplicate CertificateRequest received");
4663 return DUPLICATE_MSG_E;
4665 ssl->msgsReceived.got_certificate_request = 1;
4670 #ifndef NO_WOLFSSL_CLIENT
4671 case server_hello_done:
4672 if (ssl->msgsReceived.got_server_hello_done) {
4673 WOLFSSL_MSG("Duplicate ServerHelloDone received");
4674 return DUPLICATE_MSG_E;
4676 ssl->msgsReceived.got_server_hello_done = 1;
4678 if (ssl->msgsReceived.got_certificate == 0) {
4679 if (ssl->specs.kea == psk_kea ||
4680 ssl->specs.kea == dhe_psk_kea ||
4681 ssl->options.usingAnon_cipher) {
4682 WOLFSSL_MSG("No Cert required");
4684 WOLFSSL_MSG("No Certificate before ServerHelloDone");
4685 return OUT_OF_ORDER_E;
4688 if (ssl->msgsReceived.got_server_key_exchange == 0) {
4689 if (ssl->specs.static_ecdh == 1 ||
4690 ssl->specs.kea == rsa_kea ||
4691 ssl->specs.kea == ntru_kea) {
4692 WOLFSSL_MSG("No KeyExchange required");
4694 WOLFSSL_MSG("No ServerKeyExchange before ServerDone");
4695 return OUT_OF_ORDER_E;
4701 #ifndef NO_WOLFSSL_SERVER
4702 case certificate_verify:
4703 if (ssl->msgsReceived.got_certificate_verify) {
4704 WOLFSSL_MSG("Duplicate CertificateVerify received");
4705 return DUPLICATE_MSG_E;
4707 ssl->msgsReceived.got_certificate_verify = 1;
4709 if ( ssl->msgsReceived.got_certificate == 0) {
4710 WOLFSSL_MSG("No Cert before CertVerify");
4711 return OUT_OF_ORDER_E;
4716 #ifndef NO_WOLFSSL_SERVER
4717 case client_key_exchange:
4718 if (ssl->msgsReceived.got_client_key_exchange) {
4719 WOLFSSL_MSG("Duplicate ClientKeyExchange received");
4720 return DUPLICATE_MSG_E;
4722 ssl->msgsReceived.got_client_key_exchange = 1;
4724 if (ssl->msgsReceived.got_client_hello == 0) {
4725 WOLFSSL_MSG("No ClientHello before ClientKeyExchange");
4726 return OUT_OF_ORDER_E;
4732 if (ssl->msgsReceived.got_finished) {
4733 WOLFSSL_MSG("Duplicate Finished received");
4734 return DUPLICATE_MSG_E;
4736 ssl->msgsReceived.got_finished = 1;
4738 if (ssl->msgsReceived.got_change_cipher == 0) {
4739 WOLFSSL_MSG("Finished received before ChangeCipher");
4740 return NO_CHANGE_CIPHER_E;
4745 case change_cipher_hs:
4746 if (ssl->msgsReceived.got_change_cipher) {
4747 WOLFSSL_MSG("Duplicate ChangeCipher received");
4748 return DUPLICATE_MSG_E;
4750 ssl->msgsReceived.got_change_cipher = 1;
4752 #ifndef NO_WOLFSSL_CLIENT
4753 if (ssl->options.side == WOLFSSL_CLIENT_END) {
4754 if (!ssl->options.resuming &&
4755 ssl->msgsReceived.got_server_hello_done == 0) {
4756 WOLFSSL_MSG("No ServerHelloDone before ChangeCipher");
4757 return OUT_OF_ORDER_E;
4761 #ifndef NO_WOLFSSL_SERVER
4762 if (ssl->options.side == WOLFSSL_SERVER_END) {
4763 if (!ssl->options.resuming &&
4764 ssl->msgsReceived.got_client_key_exchange == 0) {
4765 WOLFSSL_MSG("No ClientKeyExchange before ChangeCipher");
4766 return OUT_OF_ORDER_E;
4774 WOLFSSL_MSG("Unknown message type");
4775 return SANITY_MSG_E;
4782 static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
4783 byte type, word32 size, word32 totalSz)
4788 WOLFSSL_ENTER("DoHandShakeMsgType");
4790 /* make sure can read the message */
4791 if (*inOutIdx + size > totalSz)
4792 return INCOMPLETE_DATA;
4794 /* sanity check msg received */
4795 if ( (ret = SanityCheckMsgReceived(ssl, type)) != 0) {
4796 WOLFSSL_MSG("Sanity Check on handshake message type received failed");
4800 #ifdef WOLFSSL_CALLBACKS
4801 /* add name later, add on record and handshake header part back on */
4802 if (ssl->toInfoOn) {
4803 int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
4804 AddPacketInfo(0, &ssl->timeoutInfo, input + *inOutIdx - add,
4805 size + add, ssl->heap);
4806 AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
4810 if (ssl->options.handShakeState == HANDSHAKE_DONE && type != hello_request){
4811 WOLFSSL_MSG("HandShake message after handshake complete");
4812 SendAlert(ssl, alert_fatal, unexpected_message);
4813 return OUT_OF_ORDER_E;
4816 if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.dtls == 0 &&
4817 ssl->options.serverState == NULL_STATE && type != server_hello) {
4818 WOLFSSL_MSG("First server message not server hello");
4819 SendAlert(ssl, alert_fatal, unexpected_message);
4820 return OUT_OF_ORDER_E;
4823 if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.dtls &&
4824 type == server_hello_done &&
4825 ssl->options.serverState < SERVER_HELLO_COMPLETE) {
4826 WOLFSSL_MSG("Server hello done received before server hello in DTLS");
4827 SendAlert(ssl, alert_fatal, unexpected_message);
4828 return OUT_OF_ORDER_E;
4831 if (ssl->options.side == WOLFSSL_SERVER_END &&
4832 ssl->options.clientState == NULL_STATE && type != client_hello) {
4833 WOLFSSL_MSG("First client message not client hello");
4834 SendAlert(ssl, alert_fatal, unexpected_message);
4835 return OUT_OF_ORDER_E;
4838 /* above checks handshake state */
4839 /* hello_request not hashed */
4840 if (type != hello_request) {
4841 ret = HashInput(ssl, input + *inOutIdx, size);
4842 if (ret != 0) return ret;
4848 WOLFSSL_MSG("processing hello request");
4849 ret = DoHelloRequest(ssl, input, inOutIdx, size, totalSz);
4852 #ifndef NO_WOLFSSL_CLIENT
4853 case hello_verify_request:
4854 WOLFSSL_MSG("processing hello verify request");
4855 ret = DoHelloVerifyRequest(ssl, input,inOutIdx, size);
4859 WOLFSSL_MSG("processing server hello");
4860 ret = DoServerHello(ssl, input, inOutIdx, size);
4864 case certificate_request:
4865 WOLFSSL_MSG("processing certificate request");
4866 ret = DoCertificateRequest(ssl, input, inOutIdx, size);
4870 case server_key_exchange:
4871 WOLFSSL_MSG("processing server key exchange");
4872 ret = DoServerKeyExchange(ssl, input, inOutIdx, size);
4875 #ifdef HAVE_SESSION_TICKET
4876 case session_ticket:
4877 WOLFSSL_MSG("processing session ticket");
4878 ret = DoSessionTicket(ssl, input, inOutIdx, size);
4880 #endif /* HAVE_SESSION_TICKET */
4885 WOLFSSL_MSG("processing certificate");
4886 ret = DoCertificate(ssl, input, inOutIdx, size);
4890 case server_hello_done:
4891 WOLFSSL_MSG("processing server hello done");
4892 #ifdef WOLFSSL_CALLBACKS
4894 AddPacketName("ServerHelloDone", &ssl->handShakeInfo);
4896 AddLateName("ServerHelloDone", &ssl->timeoutInfo);
4898 ssl->options.serverState = SERVER_HELLODONE_COMPLETE;
4899 if (ssl->keys.encryptionOn) {
4900 *inOutIdx += ssl->keys.padSz;
4902 if (ssl->options.resuming) {
4903 WOLFSSL_MSG("Not resuming as thought");
4904 ssl->options.resuming = 0;
4909 WOLFSSL_MSG("processing finished");
4910 ret = DoFinished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF);
4913 #ifndef NO_WOLFSSL_SERVER
4915 WOLFSSL_MSG("processing client hello");
4916 ret = DoClientHello(ssl, input, inOutIdx, size);
4919 case client_key_exchange:
4920 WOLFSSL_MSG("processing client key exchange");
4921 ret = DoClientKeyExchange(ssl, input, inOutIdx, size);
4924 #if !defined(NO_RSA) || defined(HAVE_ECC)
4925 case certificate_verify:
4926 WOLFSSL_MSG("processing certificate verify");
4927 ret = DoCertificateVerify(ssl, input, inOutIdx, size);
4929 #endif /* !NO_RSA || HAVE_ECC */
4931 #endif /* !NO_WOLFSSL_SERVER */
4934 WOLFSSL_MSG("Unknown handshake message type");
4935 ret = UNKNOWN_HANDSHAKE_TYPE;
4939 WOLFSSL_LEAVE("DoHandShakeMsgType()", ret);
4944 static int DoHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
4951 WOLFSSL_ENTER("DoHandShakeMsg()");
4953 if (GetHandShakeHeader(ssl, input, inOutIdx, &type, &size, totalSz) != 0)
4956 ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz);
4958 WOLFSSL_LEAVE("DoHandShakeMsg()", ret);
4965 static INLINE int DtlsCheckWindow(DtlsState* state)
4971 if (state->curEpoch == state->nextEpoch) {
4972 next = state->nextSeq;
4973 window = state->window;
4975 else if (state->curEpoch < state->nextEpoch) {
4976 next = state->prevSeq;
4977 window = state->prevWindow;
4983 cur = state->curSeq;
4985 if ((next > DTLS_SEQ_BITS) && (cur < next - DTLS_SEQ_BITS)) {
4988 else if ((cur < next) && (window & ((DtlsSeq)1 << (next - cur - 1)))) {
4996 static INLINE int DtlsUpdateWindow(DtlsState* state)
5002 if (state->curEpoch == state->nextEpoch) {
5003 next = &state->nextSeq;
5004 window = &state->window;
5007 next = &state->prevSeq;
5008 window = &state->prevWindow;
5011 cur = state->curSeq;
5014 *window |= ((DtlsSeq)1 << (*next - cur - 1));
5017 *window <<= (1 + cur - *next);
5026 static int DtlsMsgDrain(WOLFSSL* ssl)
5028 DtlsMsg* item = ssl->dtls_msg_list;
5031 /* While there is an item in the store list, and it is the expected
5032 * message, and it is complete, and there hasn't been an error in the
5034 while (item != NULL &&
5035 ssl->keys.dtls_expected_peer_handshake_number == item->seq &&
5036 item->fragSz == item->sz &&
5039 ssl->keys.dtls_expected_peer_handshake_number++;
5040 ret = DoHandShakeMsgType(ssl, item->msg,
5041 &idx, item->type, item->sz, item->sz);
5042 ssl->dtls_msg_list = item->next;
5043 DtlsMsgDelete(item, ssl->heap);
5044 item = ssl->dtls_msg_list;
5051 static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
5056 word32 fragOffset, fragSz;
5059 WOLFSSL_ENTER("DoDtlsHandShakeMsg()");
5060 if (GetDtlsHandShakeHeader(ssl, input, inOutIdx, &type,
5061 &size, &fragOffset, &fragSz, totalSz) != 0)
5064 if (*inOutIdx + fragSz > totalSz)
5065 return INCOMPLETE_DATA;
5067 /* Check the handshake sequence number first. If out of order,
5068 * add the current message to the list. If the message is in order,
5069 * but it is a fragment, add the current message to the list, then
5070 * check the head of the list to see if it is complete, if so, pop
5071 * it out as the current message. If the message is complete and in
5072 * order, process it. Check the head of the list to see if it is in
5073 * order, if so, process it. (Repeat until list exhausted.) If the
5074 * head is out of order, return for more processing.
5076 if (ssl->keys.dtls_peer_handshake_number >
5077 ssl->keys.dtls_expected_peer_handshake_number) {
5078 /* Current message is out of order. It will get stored in the list.
5079 * Storing also takes care of defragmentation. */
5080 ssl->dtls_msg_list = DtlsMsgStore(ssl->dtls_msg_list,
5081 ssl->keys.dtls_peer_handshake_number, input + *inOutIdx,
5082 size, type, fragOffset, fragSz, ssl->heap);
5083 *inOutIdx += fragSz;
5086 else if (ssl->keys.dtls_peer_handshake_number <
5087 ssl->keys.dtls_expected_peer_handshake_number) {
5088 /* Already saw this message and processed it. It can be ignored. */
5089 *inOutIdx += fragSz;
5092 else if (fragSz < size) {
5093 /* Since this branch is in order, but fragmented, dtls_msg_list will be
5094 * pointing to the message with this fragment in it. Check it to see
5095 * if it is completed. */
5096 ssl->dtls_msg_list = DtlsMsgStore(ssl->dtls_msg_list,
5097 ssl->keys.dtls_peer_handshake_number, input + *inOutIdx,
5098 size, type, fragOffset, fragSz, ssl->heap);
5099 *inOutIdx += fragSz;
5101 if (ssl->dtls_msg_list != NULL &&
5102 ssl->dtls_msg_list->fragSz >= ssl->dtls_msg_list->sz)
5103 ret = DtlsMsgDrain(ssl);
5106 /* This branch is in order next, and a complete message. */
5107 ssl->keys.dtls_expected_peer_handshake_number++;
5108 ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz);
5109 if (ret == 0 && ssl->dtls_msg_list != NULL)
5110 ret = DtlsMsgDrain(ssl);
5113 WOLFSSL_LEAVE("DoDtlsHandShakeMsg()", ret);
5119 #if !defined(NO_OLD_TLS) || defined(HAVE_CHACHA) || defined(HAVE_AESCCM) \
5120 || defined(HAVE_AESGCM)
5121 static INLINE word32 GetSEQIncrement(WOLFSSL* ssl, int verify)
5124 if (ssl->options.dtls) {
5126 return ssl->keys.dtls_state.curSeq; /* explicit from peer */
5128 return ssl->keys.dtls_sequence_number - 1; /* already incremented */
5132 return ssl->keys.peer_sequence_number++;
5134 return ssl->keys.sequence_number++;
5140 static INLINE void AeadIncrementExpIV(WOLFSSL* ssl)
5143 for (i = AEAD_EXP_IV_SZ-1; i >= 0; i--) {
5144 if (++ssl->keys.aead_exp_IV[i]) return;
5149 #if defined(HAVE_POLY1305) && defined(HAVE_CHACHA)
5150 /*more recent rfc's concatonate input for poly1305 differently*/
5151 static int Poly1305Tag(WOLFSSL* ssl, byte* additional, const byte* out,
5152 byte* cipher, word16 sz, byte* tag)
5156 int msglen = (sz - ssl->specs.aead_mac_size);
5162 return INPUT_CASE_ERROR;
5164 XMEMSET(padding, 0, sizeof(padding));
5166 if ((ret = wc_Poly1305SetKey(ssl->auth.poly1305, cipher, keySz)) != 0)
5169 /* additional input to poly1305 */
5170 if ((ret = wc_Poly1305Update(ssl->auth.poly1305, additional, blockSz)) != 0)
5174 if ((ret = wc_Poly1305Update(ssl->auth.poly1305, out, msglen)) != 0)
5177 /* handle padding for cipher input to make it 16 bytes long */
5178 if (msglen % 16 != 0) {
5179 paddingSz = (16 - (sz - ssl->specs.aead_mac_size) % 16);
5181 return INPUT_CASE_ERROR;
5183 if ((ret = wc_Poly1305Update(ssl->auth.poly1305, padding, paddingSz))
5188 /* add size of AD and size of cipher to poly input */
5189 XMEMSET(padding, 0, sizeof(padding));
5190 padding[0] = blockSz;
5192 /* 32 bit size of cipher to 64 bit endian */
5193 padding[8] = msglen & 0xff;
5194 padding[9] = (msglen >> 8) & 0xff;
5195 padding[10] = (msglen >>16) & 0xff;
5196 padding[11] = (msglen >>24) & 0xff;
5197 if ((ret = wc_Poly1305Update(ssl->auth.poly1305, padding, sizeof(padding)))
5202 if ((ret = wc_Poly1305Final(ssl->auth.poly1305, tag)) != 0)
5209 /* Used for the older version of creating AEAD tags with Poly1305 */
5210 static int Poly1305TagOld(WOLFSSL* ssl, byte* additional, const byte* out,
5211 byte* cipher, word16 sz, byte* tag)
5214 int msglen = (sz - ssl->specs.aead_mac_size);
5216 byte padding[8]; /* used to temporarly store lengths */
5218 #ifdef CHACHA_AEAD_TEST
5219 printf("Using old version of poly1305 input.\n");
5223 return INPUT_CASE_ERROR;
5225 if ((ret = wc_Poly1305SetKey(ssl->auth.poly1305, cipher, keySz)) != 0)
5228 /* add TLS compressed length and additional input to poly1305 */
5229 additional[AEAD_AUTH_DATA_SZ - 2] = (msglen >> 8) & 0xff;
5230 additional[AEAD_AUTH_DATA_SZ - 1] = msglen & 0xff;
5231 if ((ret = wc_Poly1305Update(ssl->auth.poly1305, additional,
5232 AEAD_AUTH_DATA_SZ)) != 0)
5235 /* length of additional input plus padding */
5236 XMEMSET(padding, 0, sizeof(padding));
5237 padding[0] = AEAD_AUTH_DATA_SZ;
5238 if ((ret = wc_Poly1305Update(ssl->auth.poly1305, padding,
5239 sizeof(padding))) != 0)
5243 /* add cipher info and then its length */
5244 XMEMSET(padding, 0, sizeof(padding));
5245 if ((ret = wc_Poly1305Update(ssl->auth.poly1305, out, msglen)) != 0)
5248 /* 32 bit size of cipher to 64 bit endian */
5249 padding[0] = msglen & 0xff;
5250 padding[1] = (msglen >> 8) & 0xff;
5251 padding[2] = (msglen >> 16) & 0xff;
5252 padding[3] = (msglen >> 24) & 0xff;
5253 if ((ret = wc_Poly1305Update(ssl->auth.poly1305, padding, sizeof(padding)))
5258 if ((ret = wc_Poly1305Final(ssl->auth.poly1305, tag)) != 0)
5265 static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
5268 const byte* additionalSrc = input - RECORD_HEADER_SZ;
5270 byte tag[POLY1305_AUTH_SZ];
5271 byte additional[CHACHA20_BLOCK_SIZE];
5272 byte nonce[AEAD_NONCE_SZ];
5273 byte cipher[CHACHA20_256_KEY_SIZE]; /* generated key for poly1305 */
5274 #ifdef CHACHA_AEAD_TEST
5278 XMEMSET(tag, 0, sizeof(tag));
5279 XMEMSET(nonce, 0, AEAD_NONCE_SZ);
5280 XMEMSET(cipher, 0, sizeof(cipher));
5281 XMEMSET(additional, 0, CHACHA20_BLOCK_SIZE);
5284 c32toa(ssl->keys.sequence_number, nonce + AEAD_IMP_IV_SZ
5287 /* opaque SEQ number stored for AD */
5288 c32toa(GetSEQIncrement(ssl, 0), additional + AEAD_SEQ_OFFSET);
5290 /* Store the type, version. Unfortunately, they are in
5291 * the input buffer ahead of the plaintext. */
5293 if (ssl->options.dtls) {
5294 c16toa(ssl->keys.dtls_epoch, additional);
5295 additionalSrc -= DTLS_HANDSHAKE_EXTRA;
5299 XMEMCPY(additional + AEAD_TYPE_OFFSET, additionalSrc, 3);
5301 #ifdef CHACHA_AEAD_TEST
5302 printf("Encrypt Additional : ");
5303 for (i = 0; i < CHACHA20_BLOCK_SIZE; i++) {
5304 printf("%02x", additional[i]);
5307 printf("input before encryption :\n");
5308 for (i = 0; i < sz; i++) {
5309 printf("%02x", input[i]);
5310 if ((i + 1) % 16 == 0)
5316 /* set the nonce for chacha and get poly1305 key */
5317 if ((ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0)) != 0)
5320 if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, cipher,
5321 cipher, sizeof(cipher))) != 0)
5324 /* encrypt the plain text */
5325 if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, out, input,
5326 sz - ssl->specs.aead_mac_size)) != 0)
5329 /* get the tag : future use of hmac could go here*/
5330 if (ssl->options.oldPoly == 1) {
5331 if ((ret = Poly1305TagOld(ssl, additional, (const byte* )out,
5332 cipher, sz, tag)) != 0)
5336 if ((ret = Poly1305Tag(ssl, additional, (const byte* )out,
5337 cipher, sz, tag)) != 0)
5341 /* append tag to ciphertext */
5342 XMEMCPY(out + sz - ssl->specs.aead_mac_size, tag, sizeof(tag));
5344 AeadIncrementExpIV(ssl);
5345 ForceZero(nonce, AEAD_NONCE_SZ);
5347 #ifdef CHACHA_AEAD_TEST
5348 printf("mac tag :\n");
5349 for (i = 0; i < 16; i++) {
5350 printf("%02x", tag[i]);
5351 if ((i + 1) % 16 == 0)
5354 printf("\n\noutput after encrypt :\n");
5355 for (i = 0; i < sz; i++) {
5356 printf("%02x", out[i]);
5357 if ((i + 1) % 16 == 0)
5367 static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
5370 byte additional[CHACHA20_BLOCK_SIZE];
5371 byte nonce[AEAD_NONCE_SZ];
5372 byte tag[POLY1305_AUTH_SZ];
5373 byte cipher[CHACHA20_256_KEY_SIZE]; /* generated key for mac */
5376 XMEMSET(tag, 0, sizeof(tag));
5377 XMEMSET(cipher, 0, sizeof(cipher));
5378 XMEMSET(nonce, 0, AEAD_NONCE_SZ);
5379 XMEMSET(additional, 0, CHACHA20_BLOCK_SIZE);
5381 #ifdef CHACHA_AEAD_TEST
5383 printf("input before decrypt :\n");
5384 for (i = 0; i < sz; i++) {
5385 printf("%02x", input[i]);
5386 if ((i + 1) % 16 == 0)
5393 c32toa(ssl->keys.peer_sequence_number, nonce + AEAD_IMP_IV_SZ
5396 /* sequence number field is 64-bits, we only use 32-bits */
5397 c32toa(GetSEQIncrement(ssl, 1), additional + AEAD_SEQ_OFFSET);
5400 additional[AEAD_TYPE_OFFSET] = ssl->curRL.type;
5401 additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
5402 additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
5404 /* Store the type, version. */
5406 if (ssl->options.dtls)
5407 c16toa(ssl->keys.dtls_state.curEpoch, additional);
5410 #ifdef CHACHA_AEAD_TEST
5411 printf("Decrypt Additional : ");
5412 for (i = 0; i < CHACHA20_BLOCK_SIZE; i++) {
5413 printf("%02x", additional[i]);
5418 /* set nonce and get poly1305 key */
5419 if ((ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0)) != 0)
5422 if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, cipher,
5423 cipher, sizeof(cipher))) != 0)
5426 /* get the tag : future use of hmac could go here*/
5427 if (ssl->options.oldPoly == 1) {
5428 if ((ret = Poly1305TagOld(ssl, additional, input, cipher,
5433 if ((ret = Poly1305Tag(ssl, additional, input, cipher,
5438 /* check mac sent along with packet */
5439 if (ConstantCompare(input + sz - ssl->specs.aead_mac_size, tag,
5440 ssl->specs.aead_mac_size) != 0) {
5441 WOLFSSL_MSG("Mac did not match");
5442 SendAlert(ssl, alert_fatal, bad_record_mac);
5443 ForceZero(nonce, AEAD_NONCE_SZ);
5444 return VERIFY_MAC_ERROR;
5447 /* if mac was good decrypt message */
5448 if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, plain, input,
5449 sz - ssl->specs.aead_mac_size)) != 0)
5452 #ifdef CHACHA_AEAD_TEST
5453 printf("plain after decrypt :\n");
5454 for (i = 0; i < sz; i++) {
5455 printf("%02x", plain[i]);
5456 if ((i + 1) % 16 == 0)
5464 #endif /* HAVE_CHACHA && HAVE_POLY1305 */
5465 #endif /* HAVE_AEAD */
5468 static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz)
5476 if (ssl->encrypt.setup == 0) {
5477 WOLFSSL_MSG("Encrypt ciphers not setup");
5478 return ENCRYPT_ERROR;
5483 ssl->fuzzerCb(ssl, input, sz, FUZZ_ENCRYPT, ssl->fuzzerCtx);
5486 switch (ssl->specs.bulk_cipher_algorithm) {
5489 wc_Arc4Process(ssl->encrypt.arc4, out, input, sz);
5494 case wolfssl_triple_des:
5495 ret = wc_Des3_CbcEncrypt(ssl->encrypt.des3, out, input, sz);
5501 ret = wc_AesCbcEncrypt(ssl->encrypt.aes, out, input, sz);
5506 case wolfssl_aes_gcm:
5508 byte additional[AEAD_AUTH_DATA_SZ];
5509 byte nonce[AEAD_NONCE_SZ];
5510 const byte* additionalSrc = input - 5;
5512 XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
5514 /* sequence number field is 64-bits, we only use 32-bits */
5515 c32toa(GetSEQIncrement(ssl, 0),
5516 additional + AEAD_SEQ_OFFSET);
5518 /* Store the type, version. Unfortunately, they are in
5519 * the input buffer ahead of the plaintext. */
5521 if (ssl->options.dtls) {
5522 c16toa(ssl->keys.dtls_epoch, additional);
5523 additionalSrc -= DTLS_HANDSHAKE_EXTRA;
5526 XMEMCPY(additional + AEAD_TYPE_OFFSET, additionalSrc, 3);
5528 /* Store the length of the plain text minus the explicit
5529 * IV length minus the authentication tag size. */
5530 c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
5531 additional + AEAD_LEN_OFFSET);
5533 ssl->keys.aead_enc_imp_IV, AEAD_IMP_IV_SZ);
5534 XMEMCPY(nonce + AEAD_IMP_IV_SZ,
5535 ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ);
5536 ret = wc_AesGcmEncrypt(ssl->encrypt.aes,
5537 out + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ,
5538 sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
5539 nonce, AEAD_NONCE_SZ,
5540 out + sz - ssl->specs.aead_mac_size,
5541 ssl->specs.aead_mac_size,
5542 additional, AEAD_AUTH_DATA_SZ);
5544 AeadIncrementExpIV(ssl);
5545 ForceZero(nonce, AEAD_NONCE_SZ);
5551 case wolfssl_aes_ccm:
5553 byte additional[AEAD_AUTH_DATA_SZ];
5554 byte nonce[AEAD_NONCE_SZ];
5555 const byte* additionalSrc = input - 5;
5557 XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
5559 /* sequence number field is 64-bits, we only use 32-bits */
5560 c32toa(GetSEQIncrement(ssl, 0),
5561 additional + AEAD_SEQ_OFFSET);
5563 /* Store the type, version. Unfortunately, they are in
5564 * the input buffer ahead of the plaintext. */
5566 if (ssl->options.dtls) {
5567 c16toa(ssl->keys.dtls_epoch, additional);
5568 additionalSrc -= DTLS_HANDSHAKE_EXTRA;
5571 XMEMCPY(additional + AEAD_TYPE_OFFSET, additionalSrc, 3);
5573 /* Store the length of the plain text minus the explicit
5574 * IV length minus the authentication tag size. */
5575 c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
5576 additional + AEAD_LEN_OFFSET);
5578 ssl->keys.aead_enc_imp_IV, AEAD_IMP_IV_SZ);
5579 XMEMCPY(nonce + AEAD_IMP_IV_SZ,
5580 ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ);
5581 wc_AesCcmEncrypt(ssl->encrypt.aes,
5582 out + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ,
5583 sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
5584 nonce, AEAD_NONCE_SZ,
5585 out + sz - ssl->specs.aead_mac_size,
5586 ssl->specs.aead_mac_size,
5587 additional, AEAD_AUTH_DATA_SZ);
5588 AeadIncrementExpIV(ssl);
5589 ForceZero(nonce, AEAD_NONCE_SZ);
5594 #ifdef HAVE_CAMELLIA
5595 case wolfssl_camellia:
5596 wc_CamelliaCbcEncrypt(ssl->encrypt.cam, out, input, sz);
5602 ret = wc_Hc128_Process(ssl->encrypt.hc128, out, input, sz);
5607 case wolfssl_rabbit:
5608 ret = wc_RabbitProcess(ssl->encrypt.rabbit, out, input, sz);
5612 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
5613 case wolfssl_chacha:
5614 ret = ChachaAEADEncrypt(ssl, out, input, sz);
5618 #ifdef HAVE_NULL_CIPHER
5619 case wolfssl_cipher_null:
5621 XMEMMOVE(out, input, sz);
5627 WOLFSSL_MSG("wolfSSL Encrypt programming error");
5628 ret = ENCRYPT_ERROR;
5636 static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
5645 if (ssl->decrypt.setup == 0) {
5646 WOLFSSL_MSG("Decrypt ciphers not setup");
5647 return DECRYPT_ERROR;
5650 switch (ssl->specs.bulk_cipher_algorithm) {
5653 wc_Arc4Process(ssl->decrypt.arc4, plain, input, sz);
5658 case wolfssl_triple_des:
5659 ret = wc_Des3_CbcDecrypt(ssl->decrypt.des3, plain, input, sz);
5665 ret = wc_AesCbcDecrypt(ssl->decrypt.aes, plain, input, sz);
5670 case wolfssl_aes_gcm:
5672 byte additional[AEAD_AUTH_DATA_SZ];
5673 byte nonce[AEAD_NONCE_SZ];
5675 XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
5677 /* sequence number field is 64-bits, we only use 32-bits */
5678 c32toa(GetSEQIncrement(ssl, 1), additional + AEAD_SEQ_OFFSET);
5681 if (ssl->options.dtls)
5682 c16toa(ssl->keys.dtls_state.curEpoch, additional);
5685 additional[AEAD_TYPE_OFFSET] = ssl->curRL.type;
5686 additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
5687 additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
5689 c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
5690 additional + AEAD_LEN_OFFSET);
5691 XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ);
5692 XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ);
5693 if (wc_AesGcmDecrypt(ssl->decrypt.aes,
5694 plain + AEAD_EXP_IV_SZ,
5695 input + AEAD_EXP_IV_SZ,
5696 sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
5697 nonce, AEAD_NONCE_SZ,
5698 input + sz - ssl->specs.aead_mac_size,
5699 ssl->specs.aead_mac_size,
5700 additional, AEAD_AUTH_DATA_SZ) < 0) {
5701 SendAlert(ssl, alert_fatal, bad_record_mac);
5702 ret = VERIFY_MAC_ERROR;
5704 ForceZero(nonce, AEAD_NONCE_SZ);
5710 case wolfssl_aes_ccm:
5712 byte additional[AEAD_AUTH_DATA_SZ];
5713 byte nonce[AEAD_NONCE_SZ];
5715 XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
5717 /* sequence number field is 64-bits, we only use 32-bits */
5718 c32toa(GetSEQIncrement(ssl, 1), additional + AEAD_SEQ_OFFSET);
5721 if (ssl->options.dtls)
5722 c16toa(ssl->keys.dtls_state.curEpoch, additional);
5725 additional[AEAD_TYPE_OFFSET] = ssl->curRL.type;
5726 additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
5727 additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
5729 c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
5730 additional + AEAD_LEN_OFFSET);
5731 XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ);
5732 XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ);
5733 if (wc_AesCcmDecrypt(ssl->decrypt.aes,
5734 plain + AEAD_EXP_IV_SZ,
5735 input + AEAD_EXP_IV_SZ,
5736 sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
5737 nonce, AEAD_NONCE_SZ,
5738 input + sz - ssl->specs.aead_mac_size,
5739 ssl->specs.aead_mac_size,
5740 additional, AEAD_AUTH_DATA_SZ) < 0) {
5741 SendAlert(ssl, alert_fatal, bad_record_mac);
5742 ret = VERIFY_MAC_ERROR;
5744 ForceZero(nonce, AEAD_NONCE_SZ);
5749 #ifdef HAVE_CAMELLIA
5750 case wolfssl_camellia:
5751 wc_CamelliaCbcDecrypt(ssl->decrypt.cam, plain, input, sz);
5757 ret = wc_Hc128_Process(ssl->decrypt.hc128, plain, input, sz);
5762 case wolfssl_rabbit:
5763 ret = wc_RabbitProcess(ssl->decrypt.rabbit, plain, input, sz);
5767 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
5768 case wolfssl_chacha:
5769 ret = ChachaAEADDecrypt(ssl, plain, input, sz);
5773 #ifdef HAVE_NULL_CIPHER
5774 case wolfssl_cipher_null:
5775 if (input != plain) {
5776 XMEMMOVE(plain, input, sz);
5782 WOLFSSL_MSG("wolfSSL Decrypt programming error");
5783 ret = DECRYPT_ERROR;
5790 /* check cipher text size for sanity */
5791 static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz)
5793 #ifdef HAVE_TRUNCATED_HMAC
5794 word32 minLength = ssl->truncated_hmac ? TRUNCATED_HMAC_SZ
5795 : ssl->specs.hash_size;
5797 word32 minLength = ssl->specs.hash_size; /* covers stream */
5800 if (ssl->specs.cipher_type == block) {
5801 if (encryptSz % ssl->specs.block_size) {
5802 WOLFSSL_MSG("Block ciphertext not block size");
5803 return SANITY_CIPHER_E;
5806 minLength++; /* pad byte */
5808 if (ssl->specs.block_size > minLength)
5809 minLength = ssl->specs.block_size;
5811 if (ssl->options.tls1_1)
5812 minLength += ssl->specs.block_size; /* explicit IV */
5814 else if (ssl->specs.cipher_type == aead) {
5815 minLength = ssl->specs.aead_mac_size; /* authTag size */
5816 if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
5817 minLength += AEAD_EXP_IV_SZ; /* explicit IV */
5820 if (encryptSz < minLength) {
5821 WOLFSSL_MSG("Ciphertext not minimum size");
5822 return SANITY_CIPHER_E;
5831 static INLINE void Md5Rounds(int rounds, const byte* data, int sz)
5838 for (i = 0; i < rounds; i++)
5839 wc_Md5Update(&md5, data, sz);
5844 /* do a dummy sha round */
5845 static INLINE void ShaRounds(int rounds, const byte* data, int sz)
5850 wc_InitSha(&sha); /* no error check on purpose, dummy round */
5852 for (i = 0; i < rounds; i++)
5853 wc_ShaUpdate(&sha, data, sz);
5860 static INLINE void Sha256Rounds(int rounds, const byte* data, int sz)
5865 wc_InitSha256(&sha256); /* no error check on purpose, dummy round */
5867 for (i = 0; i < rounds; i++) {
5868 wc_Sha256Update(&sha256, data, sz);
5869 /* no error check on purpose, dummy round */
5877 #ifdef WOLFSSL_SHA384
5879 static INLINE void Sha384Rounds(int rounds, const byte* data, int sz)
5884 wc_InitSha384(&sha384); /* no error check on purpose, dummy round */
5886 for (i = 0; i < rounds; i++) {
5887 wc_Sha384Update(&sha384, data, sz);
5888 /* no error check on purpose, dummy round */
5895 #ifdef WOLFSSL_SHA512
5897 static INLINE void Sha512Rounds(int rounds, const byte* data, int sz)
5902 wc_InitSha512(&sha512); /* no error check on purpose, dummy round */
5904 for (i = 0; i < rounds; i++) {
5905 wc_Sha512Update(&sha512, data, sz);
5906 /* no error check on purpose, dummy round */
5913 #ifdef WOLFSSL_RIPEMD
5915 static INLINE void RmdRounds(int rounds, const byte* data, int sz)
5920 wc_InitRipeMd(&ripemd);
5922 for (i = 0; i < rounds; i++)
5923 wc_RipeMdUpdate(&ripemd, data, sz);
5929 /* Do dummy rounds */
5930 static INLINE void DoRounds(int type, int rounds, const byte* data, int sz)
5940 Md5Rounds(rounds, data, sz);
5946 ShaRounds(rounds, data, sz);
5953 Sha256Rounds(rounds, data, sz);
5957 #ifdef WOLFSSL_SHA384
5959 Sha384Rounds(rounds, data, sz);
5963 #ifdef WOLFSSL_SHA512
5965 Sha512Rounds(rounds, data, sz);
5969 #ifdef WOLFSSL_RIPEMD
5971 RmdRounds(rounds, data, sz);
5976 WOLFSSL_MSG("Bad round type");
5982 /* do number of compression rounds on dummy data */
5983 static INLINE void CompressRounds(WOLFSSL* ssl, int rounds, const byte* dummy)
5986 DoRounds(ssl->specs.mac_algorithm, rounds, dummy, COMPRESS_LOWER);
5990 /* check all length bytes for the pad value, return 0 on success */
5991 static int PadCheck(const byte* a, byte pad, int length)
5996 for (i = 0; i < length; i++) {
5997 compareSum |= a[i] ^ pad;
6004 /* get compression extra rounds */
6005 static INLINE int GetRounds(int pLen, int padLen, int t)
6007 int roundL1 = 1; /* round up flags */
6010 int L1 = COMPRESS_CONSTANT + pLen - t;
6011 int L2 = COMPRESS_CONSTANT + pLen - padLen - 1 - t;
6013 L1 -= COMPRESS_UPPER;
6014 L2 -= COMPRESS_UPPER;
6016 if ( (L1 % COMPRESS_LOWER) == 0)
6018 if ( (L2 % COMPRESS_LOWER) == 0)
6021 L1 /= COMPRESS_LOWER;
6022 L2 /= COMPRESS_LOWER;
6031 /* timing resistant pad/verify check, return 0 on success */
6032 static int TimingPadVerify(WOLFSSL* ssl, const byte* input, int padLen, int t,
6033 int pLen, int content)
6035 byte verify[MAX_DIGEST_SIZE];
6036 byte dmy[sizeof(WOLFSSL) >= MAX_PAD_SIZE ? 1 : MAX_PAD_SIZE] = {0};
6037 byte* dummy = sizeof(dmy) < MAX_PAD_SIZE ? (byte*) ssl : dmy;
6042 if ( (t + padLen + 1) > pLen) {
6043 WOLFSSL_MSG("Plain Len not long enough for pad/mac");
6044 PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE);
6045 ssl->hmac(ssl, verify, input, pLen - t, content, 1); /* still compare */
6046 ConstantCompare(verify, input + pLen - t, t);
6048 return VERIFY_MAC_ERROR;
6051 if (PadCheck(input + pLen - (padLen + 1), (byte)padLen, padLen + 1) != 0) {
6052 WOLFSSL_MSG("PadCheck failed");
6053 PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE - padLen - 1);
6054 ssl->hmac(ssl, verify, input, pLen - t, content, 1); /* still compare */
6055 ConstantCompare(verify, input + pLen - t, t);
6057 return VERIFY_MAC_ERROR;
6060 PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE - padLen - 1);
6061 ret = ssl->hmac(ssl, verify, input, pLen - padLen - 1 - t, content, 1);
6063 CompressRounds(ssl, GetRounds(pLen, padLen, t), dummy);
6065 if (ConstantCompare(verify, input + (pLen - padLen - 1 - t), t) != 0) {
6066 WOLFSSL_MSG("Verify MAC compare failed");
6067 return VERIFY_MAC_ERROR;
6071 return VERIFY_MAC_ERROR;
6076 int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx)
6078 word32 msgSz = ssl->keys.encryptSz;
6079 word32 idx = *inOutIdx;
6082 byte* rawData = input + idx; /* keep current for hmac */
6084 byte decomp[MAX_RECORD_SIZE + MAX_COMP_EXTRA];
6087 if (ssl->options.handShakeDone == 0) {
6088 WOLFSSL_MSG("Received App data before a handshake completed");
6089 SendAlert(ssl, alert_fatal, unexpected_message);
6090 return OUT_OF_ORDER_E;
6093 if (ssl->specs.cipher_type == block) {
6094 if (ssl->options.tls1_1)
6095 ivExtra = ssl->specs.block_size;
6097 else if (ssl->specs.cipher_type == aead) {
6098 if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
6099 ivExtra = AEAD_EXP_IV_SZ;
6102 dataSz = msgSz - ivExtra - ssl->keys.padSz;
6104 WOLFSSL_MSG("App data buffer error, malicious input?");
6105 return BUFFER_ERROR;
6110 int rawSz = dataSz; /* keep raw size for idx adjustment */
6113 if (ssl->options.usingCompression) {
6114 dataSz = myDeCompress(ssl, rawData, dataSz, decomp, sizeof(decomp));
6115 if (dataSz < 0) return dataSz;
6120 ssl->buffers.clearOutputBuffer.buffer = rawData;
6121 ssl->buffers.clearOutputBuffer.length = dataSz;
6124 idx += ssl->keys.padSz;
6127 /* decompress could be bigger, overwrite after verify */
6128 if (ssl->options.usingCompression)
6129 XMEMMOVE(rawData, decomp, dataSz);
6137 /* process alert, return level */
6138 static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type,
6144 #ifdef WOLFSSL_CALLBACKS
6146 AddPacketName("Alert", &ssl->handShakeInfo);
6148 /* add record header back on to info + 2 byte level, data */
6149 AddPacketInfo("Alert", &ssl->timeoutInfo, input + *inOutIdx -
6150 RECORD_HEADER_SZ, 2 + RECORD_HEADER_SZ, ssl->heap);
6153 /* make sure can read the message */
6154 if (*inOutIdx + ALERT_SIZE > totalSz)
6157 level = input[(*inOutIdx)++];
6158 code = input[(*inOutIdx)++];
6159 ssl->alert_history.last_rx.code = code;
6160 ssl->alert_history.last_rx.level = level;
6162 if (level == alert_fatal) {
6163 ssl->options.isClosed = 1; /* Don't send close_notify */
6166 WOLFSSL_MSG("Got alert");
6167 if (*type == close_notify) {
6168 WOLFSSL_MSG(" close notify");
6169 ssl->options.closeNotify = 1;
6171 WOLFSSL_ERROR(*type);
6172 if (ssl->keys.encryptionOn) {
6173 if (*inOutIdx + ssl->keys.padSz > totalSz)
6175 *inOutIdx += ssl->keys.padSz;
6181 static int GetInputData(WOLFSSL *ssl, word32 size)
6190 /* check max input length */
6191 usedLength = ssl->buffers.inputBuffer.length - ssl->buffers.inputBuffer.idx;
6192 maxLength = ssl->buffers.inputBuffer.bufferSize - usedLength;
6193 inSz = (int)(size - usedLength); /* from last partial read */
6196 if (ssl->options.dtls) {
6197 if (size < ssl->dtls_expected_rx)
6198 dtlsExtra = (int)(ssl->dtls_expected_rx - size);
6199 inSz = ssl->dtls_expected_rx;
6203 if (inSz > maxLength) {
6204 if (GrowInputBuffer(ssl, size + dtlsExtra, usedLength) < 0)
6209 return BUFFER_ERROR;
6211 /* Put buffer data at start if not there */
6212 if (usedLength > 0 && ssl->buffers.inputBuffer.idx != 0)
6213 XMEMMOVE(ssl->buffers.inputBuffer.buffer,
6214 ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx,
6217 /* remove processed data */
6218 ssl->buffers.inputBuffer.idx = 0;
6219 ssl->buffers.inputBuffer.length = usedLength;
6221 /* read data from network */
6224 ssl->buffers.inputBuffer.buffer +
6225 ssl->buffers.inputBuffer.length,
6228 return SOCKET_ERROR_E;
6230 if (in == WANT_READ)
6234 return RECV_OVERFLOW_E;
6236 ssl->buffers.inputBuffer.length += in;
6239 } while (ssl->buffers.inputBuffer.length < size);
6245 static INLINE int VerifyMac(WOLFSSL* ssl, const byte* input, word32 msgSz,
6246 int content, word32* padSz)
6252 #ifdef HAVE_TRUNCATED_HMAC
6253 word32 digestSz = ssl->truncated_hmac ? TRUNCATED_HMAC_SZ
6254 : ssl->specs.hash_size;
6256 word32 digestSz = ssl->specs.hash_size;
6258 byte verify[MAX_DIGEST_SIZE];
6260 if (ssl->specs.cipher_type == block) {
6261 if (ssl->options.tls1_1)
6262 ivExtra = ssl->specs.block_size;
6263 pad = *(input + msgSz - ivExtra - 1);
6266 if (ssl->options.tls) {
6267 ret = TimingPadVerify(ssl, input, pad, digestSz, msgSz - ivExtra,
6272 else { /* sslv3, some implementations have bad padding, but don't
6275 byte dmy[sizeof(WOLFSSL) >= MAX_PAD_SIZE ? 1 : MAX_PAD_SIZE] = {0};
6276 byte* dummy = sizeof(dmy) < MAX_PAD_SIZE ? (byte*) ssl : dmy;
6280 if (pad > (msgSz - digestSz - 1)) {
6281 WOLFSSL_MSG("Plain Len not long enough for pad/mac");
6282 pad = 0; /* no bad read */
6285 PadCheck(dummy, (byte)pad, MAX_PAD_SIZE); /* timing only */
6286 ret = ssl->hmac(ssl, verify, input, msgSz - digestSz - pad - 1,
6288 if (ConstantCompare(verify, input + msgSz - digestSz - pad - 1,
6290 return VERIFY_MAC_ERROR;
6291 if (ret != 0 || badPadLen)
6292 return VERIFY_MAC_ERROR;
6295 else if (ssl->specs.cipher_type == stream) {
6296 ret = ssl->hmac(ssl, verify, input, msgSz - digestSz, content, 1);
6297 if (ConstantCompare(verify, input + msgSz - digestSz, digestSz) != 0){
6298 return VERIFY_MAC_ERROR;
6301 return VERIFY_MAC_ERROR;
6304 if (ssl->specs.cipher_type == aead) {
6305 *padSz = ssl->specs.aead_mac_size;
6308 *padSz = digestSz + pad + padByte;
6315 /* process input requests, return 0 is done, 1 is call again to complete, and
6316 negative number is error */
6317 int ProcessReply(WOLFSSL* ssl)
6319 int ret = 0, type, readSz;
6321 word32 startIdx = 0;
6327 if (ssl->ctx->DecryptVerifyCb)
6331 if (ssl->error != 0 && ssl->error != WANT_READ && ssl->error != WANT_WRITE){
6332 WOLFSSL_MSG("ProcessReply retry in error state, not allowed");
6337 switch (ssl->options.processReply) {
6339 /* in the WOLFSSL_SERVER case, get the first byte for detecting
6340 * old client hello */
6343 readSz = RECORD_HEADER_SZ;
6346 if (ssl->options.dtls)
6347 readSz = DTLS_RECORD_HEADER_SZ;
6350 /* get header or return error */
6351 if (!ssl->options.dtls) {
6352 if ((ret = GetInputData(ssl, readSz)) < 0)
6356 /* read ahead may already have header */
6357 used = ssl->buffers.inputBuffer.length -
6358 ssl->buffers.inputBuffer.idx;
6360 if ((ret = GetInputData(ssl, readSz)) < 0)
6365 #ifdef OLD_HELLO_ALLOWED
6367 /* see if sending SSLv2 client hello */
6368 if ( ssl->options.side == WOLFSSL_SERVER_END &&
6369 ssl->options.clientState == NULL_STATE &&
6370 ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx]
6374 ssl->options.processReply = runProcessOldClientHello;
6376 /* sanity checks before getting size at front */
6377 if (ssl->buffers.inputBuffer.buffer[
6378 ssl->buffers.inputBuffer.idx + 2] != OLD_HELLO_ID) {
6379 WOLFSSL_MSG("Not a valid old client hello");
6383 if (ssl->buffers.inputBuffer.buffer[
6384 ssl->buffers.inputBuffer.idx + 3] != SSLv3_MAJOR &&
6385 ssl->buffers.inputBuffer.buffer[
6386 ssl->buffers.inputBuffer.idx + 3] != DTLS_MAJOR) {
6387 WOLFSSL_MSG("Not a valid version in old client hello");
6391 /* how many bytes need ProcessOldClientHello */
6393 ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++];
6395 ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++];
6396 ssl->curSize = (word16)(((b0 & 0x7f) << 8) | b1);
6399 ssl->options.processReply = getRecordLayerHeader;
6403 /* in the WOLFSSL_SERVER case, run the old client hello */
6404 case runProcessOldClientHello:
6406 /* get sz bytes or return error */
6407 if (!ssl->options.dtls) {
6408 if ((ret = GetInputData(ssl, ssl->curSize)) < 0)
6412 /* read ahead may already have */
6413 used = ssl->buffers.inputBuffer.length -
6414 ssl->buffers.inputBuffer.idx;
6415 if (used < ssl->curSize)
6416 if ((ret = GetInputData(ssl, ssl->curSize)) < 0)
6418 #endif /* WOLFSSL_DTLS */
6421 ret = ProcessOldClientHello(ssl, ssl->buffers.inputBuffer.buffer,
6422 &ssl->buffers.inputBuffer.idx,
6423 ssl->buffers.inputBuffer.length -
6424 ssl->buffers.inputBuffer.idx,
6429 else if (ssl->buffers.inputBuffer.idx ==
6430 ssl->buffers.inputBuffer.length) {
6431 ssl->options.processReply = doProcessInit;
6435 #endif /* OLD_HELLO_ALLOWED */
6437 /* get the record layer header */
6438 case getRecordLayerHeader:
6440 ret = GetRecordHeader(ssl, ssl->buffers.inputBuffer.buffer,
6441 &ssl->buffers.inputBuffer.idx,
6442 &ssl->curRL, &ssl->curSize);
6444 if (ssl->options.dtls && ret == SEQUENCE_ERROR) {
6445 ssl->options.processReply = doProcessInit;
6446 ssl->buffers.inputBuffer.length = 0;
6447 ssl->buffers.inputBuffer.idx = 0;
6454 ssl->options.processReply = getData;
6456 /* retrieve record layer data */
6459 /* get sz bytes or return error */
6460 if (!ssl->options.dtls) {
6461 if ((ret = GetInputData(ssl, ssl->curSize)) < 0)
6465 /* read ahead may already have */
6466 used = ssl->buffers.inputBuffer.length -
6467 ssl->buffers.inputBuffer.idx;
6468 if (used < ssl->curSize)
6469 if ((ret = GetInputData(ssl, ssl->curSize)) < 0)
6474 ssl->options.processReply = runProcessingOneMessage;
6475 startIdx = ssl->buffers.inputBuffer.idx; /* in case > 1 msg per */
6477 /* the record layer is here */
6478 case runProcessingOneMessage:
6481 if (ssl->options.dtls &&
6482 ssl->keys.dtls_state.curEpoch < ssl->keys.dtls_state.nextEpoch)
6483 ssl->keys.decryptedCur = 1;
6486 if (ssl->keys.encryptionOn && ssl->keys.decryptedCur == 0)
6488 ret = SanityCheckCipherText(ssl, ssl->curSize);
6494 ret = ssl->ctx->DecryptVerifyCb(ssl,
6495 ssl->buffers.inputBuffer.buffer +
6496 ssl->buffers.inputBuffer.idx,
6497 ssl->buffers.inputBuffer.buffer +
6498 ssl->buffers.inputBuffer.idx,
6499 ssl->curSize, ssl->curRL.type, 1,
6500 &ssl->keys.padSz, ssl->DecryptVerifyCtx);
6501 if (ssl->options.tls1_1 && ssl->specs.cipher_type == block)
6502 ssl->buffers.inputBuffer.idx += ssl->specs.block_size;
6503 /* go past TLSv1.1 IV */
6504 if (ssl->specs.cipher_type == aead &&
6505 ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
6506 ssl->buffers.inputBuffer.idx += AEAD_EXP_IV_SZ;
6507 #endif /* ATOMIC_USER */
6510 ret = Decrypt(ssl, ssl->buffers.inputBuffer.buffer +
6511 ssl->buffers.inputBuffer.idx,
6512 ssl->buffers.inputBuffer.buffer +
6513 ssl->buffers.inputBuffer.idx,
6517 return DECRYPT_ERROR;
6519 if (ssl->options.tls1_1 && ssl->specs.cipher_type == block)
6520 ssl->buffers.inputBuffer.idx += ssl->specs.block_size;
6521 /* go past TLSv1.1 IV */
6522 if (ssl->specs.cipher_type == aead &&
6523 ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
6524 ssl->buffers.inputBuffer.idx += AEAD_EXP_IV_SZ;
6526 ret = VerifyMac(ssl, ssl->buffers.inputBuffer.buffer +
6527 ssl->buffers.inputBuffer.idx,
6528 ssl->curSize, ssl->curRL.type,
6533 return DECRYPT_ERROR;
6535 ssl->keys.encryptSz = ssl->curSize;
6536 ssl->keys.decryptedCur = 1;
6539 if (ssl->options.dtls) {
6541 DtlsUpdateWindow(&ssl->keys.dtls_state);
6542 #endif /* WOLFSSL_DTLS */
6545 WOLFSSL_MSG("received record layer msg");
6547 switch (ssl->curRL.type) {
6549 /* debugging in DoHandShakeMsg */
6550 if (!ssl->options.dtls) {
6551 ret = DoHandShakeMsg(ssl,
6552 ssl->buffers.inputBuffer.buffer,
6553 &ssl->buffers.inputBuffer.idx,
6554 ssl->buffers.inputBuffer.length);
6558 ret = DoDtlsHandShakeMsg(ssl,
6559 ssl->buffers.inputBuffer.buffer,
6560 &ssl->buffers.inputBuffer.idx,
6561 ssl->buffers.inputBuffer.length);
6568 case change_cipher_spec:
6569 WOLFSSL_MSG("got CHANGE CIPHER SPEC");
6570 #ifdef WOLFSSL_CALLBACKS
6572 AddPacketName("ChangeCipher", &ssl->handShakeInfo);
6573 /* add record header back on info */
6574 if (ssl->toInfoOn) {
6575 AddPacketInfo("ChangeCipher", &ssl->timeoutInfo,
6576 ssl->buffers.inputBuffer.buffer +
6577 ssl->buffers.inputBuffer.idx - RECORD_HEADER_SZ,
6578 1 + RECORD_HEADER_SZ, ssl->heap);
6579 AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
6583 ret = SanityCheckMsgReceived(ssl, change_cipher_hs);
6587 #ifdef HAVE_SESSION_TICKET
6588 if (ssl->options.side == WOLFSSL_CLIENT_END &&
6589 ssl->expect_session_ticket) {
6590 WOLFSSL_MSG("Expected session ticket missing");
6591 return SESSION_TICKET_EXPECT_E;
6595 if (ssl->keys.encryptionOn && ssl->options.handShakeDone) {
6596 ssl->buffers.inputBuffer.idx += ssl->keys.padSz;
6597 ssl->curSize -= (word16) ssl->buffers.inputBuffer.idx;
6600 if (ssl->curSize != 1) {
6601 WOLFSSL_MSG("Malicious or corrupted ChangeCipher msg");
6602 return LENGTH_ERROR;
6605 if (ssl->options.side == WOLFSSL_SERVER_END &&
6606 ssl->options.verifyPeer &&
6607 ssl->options.havePeerCert)
6608 if (!ssl->options.havePeerVerify) {
6609 WOLFSSL_MSG("client didn't send cert verify");
6610 return NO_PEER_VERIFY;
6615 ssl->buffers.inputBuffer.idx++;
6616 ssl->keys.encryptionOn = 1;
6618 /* setup decrypt keys for following messages */
6619 if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
6623 if (ssl->options.dtls) {
6625 ssl->keys.dtls_state.nextEpoch++;
6626 ssl->keys.dtls_state.nextSeq = 0;
6631 if (ssl->options.usingCompression)
6632 if ( (ret = InitStreams(ssl)) != 0)
6635 ret = BuildFinished(ssl, &ssl->hsHashes->verifyHashes,
6636 ssl->options.side == WOLFSSL_CLIENT_END ?
6642 case application_data:
6643 WOLFSSL_MSG("got app DATA");
6644 if ((ret = DoApplicationData(ssl,
6645 ssl->buffers.inputBuffer.buffer,
6646 &ssl->buffers.inputBuffer.idx))
6654 WOLFSSL_MSG("got ALERT!");
6655 ret = DoAlert(ssl, ssl->buffers.inputBuffer.buffer,
6656 &ssl->buffers.inputBuffer.idx, &type,
6657 ssl->buffers.inputBuffer.length);
6658 if (ret == alert_fatal)
6663 /* catch warnings that are handled as errors */
6664 if (type == close_notify)
6665 return ssl->error = ZERO_RETURN;
6667 if (type == decrypt_error)
6672 WOLFSSL_ERROR(UNKNOWN_RECORD_TYPE);
6673 return UNKNOWN_RECORD_TYPE;
6676 ssl->options.processReply = doProcessInit;
6678 /* input exhausted? */
6679 if (ssl->buffers.inputBuffer.idx == ssl->buffers.inputBuffer.length)
6682 /* more messages per record */
6683 else if ((ssl->buffers.inputBuffer.idx - startIdx) < ssl->curSize) {
6684 WOLFSSL_MSG("More messages in record");
6686 /* read-ahead but dtls doesn't bundle messages per record */
6687 if (ssl->options.dtls) {
6688 ssl->options.processReply = doProcessInit;
6692 ssl->options.processReply = runProcessingOneMessage;
6694 if (ssl->keys.encryptionOn) {
6695 WOLFSSL_MSG("Bundled encrypted messages, remove middle pad");
6696 ssl->buffers.inputBuffer.idx -= ssl->keys.padSz;
6703 WOLFSSL_MSG("More records in input");
6704 ssl->options.processReply = doProcessInit;
6709 WOLFSSL_MSG("Bad process input state, programming error");
6710 return INPUT_CASE_ERROR;
6716 int SendChangeCipher(WOLFSSL* ssl)
6719 int sendSz = RECORD_HEADER_SZ + ENUM_LEN;
6720 int idx = RECORD_HEADER_SZ;
6724 if (ssl->options.dtls) {
6725 sendSz += DTLS_RECORD_EXTRA;
6726 idx += DTLS_RECORD_EXTRA;
6731 if (ssl->keys.encryptionOn && ssl->options.handShakeDone) {
6732 sendSz += MAX_MSG_EXTRA;
6735 /* check for avalaible size */
6736 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
6739 /* get ouput buffer */
6740 output = ssl->buffers.outputBuffer.buffer +
6741 ssl->buffers.outputBuffer.length;
6743 AddRecordHeader(output, 1, change_cipher_spec, ssl);
6745 output[idx] = 1; /* turn it on */
6747 if (ssl->keys.encryptionOn && ssl->options.handShakeDone) {
6748 byte input[ENUM_LEN];
6749 int inputSz = ENUM_LEN;
6751 input[0] = 1; /* turn it on */
6752 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
6753 change_cipher_spec);
6759 if (ssl->options.dtls) {
6760 if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
6764 #ifdef WOLFSSL_CALLBACKS
6765 if (ssl->hsInfoOn) AddPacketName("ChangeCipher", &ssl->handShakeInfo);
6767 AddPacketInfo("ChangeCipher", &ssl->timeoutInfo, output, sendSz,
6770 ssl->buffers.outputBuffer.length += sendSz;
6772 if (ssl->options.groupMessages)
6775 else if (ssl->options.dtls) {
6776 /* If using DTLS, force the ChangeCipherSpec message to be in the
6777 * same datagram as the finished message. */
6782 return SendBuffered(ssl);
6787 static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
6788 int content, int verify)
6790 byte result[MAX_DIGEST_SIZE];
6791 word32 digestSz = ssl->specs.hash_size; /* actual sizes */
6792 word32 padSz = ssl->specs.pad_size;
6800 byte conLen[ENUM_LEN + LENGTH_SZ]; /* content & length */
6801 const byte* macSecret = wolfSSL_GetMacSecret(ssl, verify);
6805 ssl->fuzzerCb(ssl, in, sz, FUZZ_HMAC, ssl->fuzzerCtx);
6808 XMEMSET(seq, 0, SEQ_SZ);
6809 conLen[0] = (byte)content;
6810 c16toa((word16)sz, &conLen[ENUM_LEN]);
6811 c32toa(GetSEQIncrement(ssl, verify), &seq[sizeof(word32)]);
6813 if (ssl->specs.mac_algorithm == md5_mac) {
6816 wc_Md5Update(&md5, macSecret, digestSz);
6817 wc_Md5Update(&md5, PAD1, padSz);
6818 wc_Md5Update(&md5, seq, SEQ_SZ);
6819 wc_Md5Update(&md5, conLen, sizeof(conLen));
6821 wc_Md5Update(&md5, in, sz);
6822 wc_Md5Final(&md5, result);
6824 wc_Md5Update(&md5, macSecret, digestSz);
6825 wc_Md5Update(&md5, PAD2, padSz);
6826 wc_Md5Update(&md5, result, digestSz);
6827 wc_Md5Final(&md5, digest);
6830 ret = wc_InitSha(&sha);
6834 wc_ShaUpdate(&sha, macSecret, digestSz);
6835 wc_ShaUpdate(&sha, PAD1, padSz);
6836 wc_ShaUpdate(&sha, seq, SEQ_SZ);
6837 wc_ShaUpdate(&sha, conLen, sizeof(conLen));
6839 wc_ShaUpdate(&sha, in, sz);
6840 wc_ShaFinal(&sha, result);
6842 wc_ShaUpdate(&sha, macSecret, digestSz);
6843 wc_ShaUpdate(&sha, PAD2, padSz);
6844 wc_ShaUpdate(&sha, result, digestSz);
6845 wc_ShaFinal(&sha, digest);
6851 static void BuildMD5_CertVerify(WOLFSSL* ssl, byte* digest)
6853 byte md5_result[MD5_DIGEST_SIZE];
6855 #ifdef WOLFSSL_SMALL_STACK
6856 Md5* md5 = (Md5*)XMALLOC(sizeof(Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER);
6857 Md5* md5_2 = (Md5*)XMALLOC(sizeof(Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER);
6863 /* make md5 inner */
6864 md5[0] = ssl->hsHashes->hashMd5 ; /* Save current position */
6865 wc_Md5Update(&ssl->hsHashes->hashMd5, ssl->arrays->masterSecret,SECRET_LEN);
6866 wc_Md5Update(&ssl->hsHashes->hashMd5, PAD1, PAD_MD5);
6867 wc_Md5GetHash(&ssl->hsHashes->hashMd5, md5_result);
6868 wc_Md5RestorePos(&ssl->hsHashes->hashMd5, md5) ; /* Restore current position */
6870 /* make md5 outer */
6872 wc_Md5Update(md5_2, ssl->arrays->masterSecret, SECRET_LEN);
6873 wc_Md5Update(md5_2, PAD2, PAD_MD5);
6874 wc_Md5Update(md5_2, md5_result, MD5_DIGEST_SIZE);
6876 wc_Md5Final(md5_2, digest);
6878 #ifdef WOLFSSL_SMALL_STACK
6879 XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER);
6880 XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER);
6885 static void BuildSHA_CertVerify(WOLFSSL* ssl, byte* digest)
6887 byte sha_result[SHA_DIGEST_SIZE];
6889 #ifdef WOLFSSL_SMALL_STACK
6890 Sha* sha = (Sha*)XMALLOC(sizeof(Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER);
6891 Sha* sha2 = (Sha*)XMALLOC(sizeof(Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER);
6897 /* make sha inner */
6898 sha[0] = ssl->hsHashes->hashSha ; /* Save current position */
6899 wc_ShaUpdate(&ssl->hsHashes->hashSha, ssl->arrays->masterSecret,SECRET_LEN);
6900 wc_ShaUpdate(&ssl->hsHashes->hashSha, PAD1, PAD_SHA);
6901 wc_ShaGetHash(&ssl->hsHashes->hashSha, sha_result);
6902 wc_ShaRestorePos(&ssl->hsHashes->hashSha, sha) ; /* Restore current position */
6904 /* make sha outer */
6906 wc_ShaUpdate(sha2, ssl->arrays->masterSecret,SECRET_LEN);
6907 wc_ShaUpdate(sha2, PAD2, PAD_SHA);
6908 wc_ShaUpdate(sha2, sha_result, SHA_DIGEST_SIZE);
6910 wc_ShaFinal(sha2, digest);
6912 #ifdef WOLFSSL_SMALL_STACK
6913 XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER);
6914 XFREE(sha2, NULL, DYNAMIC_TYPE_TMP_BUFFER);
6918 #endif /* NO_CERTS */
6919 #endif /* NO_OLD_TLS */
6924 static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes)
6926 /* store current states, building requires get_digest which resets state */
6927 #ifdef WOLFSSL_SHA384
6928 Sha384 sha384 = ssl->hsHashes->hashSha384;
6930 #ifdef WOLFSSL_SHA512
6931 Sha512 sha512 = ssl->hsHashes->hashSha512;
6934 if (ssl->options.tls) {
6935 #if ! defined( NO_OLD_TLS )
6936 wc_Md5GetHash(&ssl->hsHashes->hashMd5, hashes->md5);
6937 wc_ShaGetHash(&ssl->hsHashes->hashSha, hashes->sha);
6939 if (IsAtLeastTLSv1_2(ssl)) {
6943 ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256,hashes->sha256);
6947 #ifdef WOLFSSL_SHA384
6948 ret = wc_Sha384Final(&ssl->hsHashes->hashSha384,hashes->sha384);
6952 #ifdef WOLFSSL_SHA512
6953 ret = wc_Sha512Final(&ssl->hsHashes->hashSha512,hashes->sha512);
6959 #if ! defined( NO_OLD_TLS )
6961 BuildMD5_CertVerify(ssl, hashes->md5);
6962 BuildSHA_CertVerify(ssl, hashes->sha);
6967 if (IsAtLeastTLSv1_2(ssl)) {
6968 #ifdef WOLFSSL_SHA384
6969 ssl->hsHashes->hashSha384 = sha384;
6971 #ifdef WOLFSSL_SHA512
6972 ssl->hsHashes->hashSha512 = sha512;
6979 #endif /* WOLFSSL_LEANPSK */
6981 /* Build SSL Message, encrypted */
6982 static int BuildMessage(WOLFSSL* ssl, byte* output, int outSz,
6983 const byte* input, int inSz, int type)
6985 #ifdef HAVE_TRUNCATED_HMAC
6986 word32 digestSz = min(ssl->specs.hash_size,
6987 ssl->truncated_hmac ? TRUNCATED_HMAC_SZ : ssl->specs.hash_size);
6989 word32 digestSz = ssl->specs.hash_size;
6991 word32 sz = RECORD_HEADER_SZ + inSz + digestSz;
6993 word32 idx = RECORD_HEADER_SZ;
6994 word32 ivSz = 0; /* TLSv1.1 IV */
6995 word32 headerSz = RECORD_HEADER_SZ;
6997 byte iv[AES_BLOCK_SIZE]; /* max size */
7002 if (ssl->options.dtls) {
7003 sz += DTLS_RECORD_EXTRA;
7004 idx += DTLS_RECORD_EXTRA;
7005 headerSz += DTLS_RECORD_EXTRA;
7010 if (ssl->ctx->MacEncryptCb)
7014 if (ssl->specs.cipher_type == block) {
7015 word32 blockSz = ssl->specs.block_size;
7016 if (ssl->options.tls1_1) {
7020 if (ivSz > (word32)sizeof(iv))
7023 ret = wc_RNG_GenerateBlock(ssl->rng, iv, ivSz);
7028 sz += 1; /* pad byte */
7029 pad = (sz - headerSz) % blockSz;
7030 pad = blockSz - pad;
7035 if (ssl->specs.cipher_type == aead) {
7036 if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
7037 ivSz = AEAD_EXP_IV_SZ;
7039 sz += (ivSz + ssl->specs.aead_mac_size - digestSz);
7040 XMEMCPY(iv, ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ);
7043 if (sz > (word32)outSz) {
7044 WOLFSSL_MSG("Oops, want to write past output buffer size");
7047 size = (word16)(sz - headerSz); /* include mac and digest */
7048 AddRecordHeader(output, size, (byte)type, ssl);
7050 /* write to output */
7052 XMEMCPY(output + idx, iv, min(ivSz, sizeof(iv)));
7055 XMEMCPY(output + idx, input, inSz);
7058 if (type == handshake) {
7059 ret = HashOutput(ssl, output, headerSz + inSz, ivSz);
7064 if (ssl->specs.cipher_type == block) {
7065 word32 tmpIdx = idx + digestSz;
7067 for (i = 0; i <= pad; i++)
7068 output[tmpIdx++] = (byte)pad; /* pad byte gets pad value too */
7071 if (atomicUser) { /* User Record Layer Callback handling */
7073 if ( (ret = ssl->ctx->MacEncryptCb(ssl, output + idx,
7074 output + headerSz + ivSz, inSz, type, 0,
7075 output + headerSz, output + headerSz, size,
7076 ssl->MacEncryptCtx)) != 0)
7081 if (ssl->specs.cipher_type != aead) {
7082 #ifdef HAVE_TRUNCATED_HMAC
7083 if (ssl->truncated_hmac && ssl->specs.hash_size > digestSz) {
7084 #ifdef WOLFSSL_SMALL_STACK
7087 byte hmac[MAX_DIGEST_SIZE];
7090 #ifdef WOLFSSL_SMALL_STACK
7091 hmac = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL,
7092 DYNAMIC_TYPE_TMP_BUFFER);
7097 ret = ssl->hmac(ssl, hmac, output + headerSz + ivSz, inSz,
7099 XMEMCPY(output + idx, hmac, digestSz);
7101 #ifdef WOLFSSL_SMALL_STACK
7102 XFREE(hmac, NULL, DYNAMIC_TYPE_TMP_BUFFER);
7106 ret = ssl->hmac(ssl, output+idx, output + headerSz + ivSz, inSz,
7112 if ( (ret = Encrypt(ssl, output + headerSz, output+headerSz,size)) != 0)
7120 int SendFinished(WOLFSSL* ssl)
7123 finishedSz = ssl->options.tls ? TLS_FINISHED_SZ :
7125 byte input[FINISHED_SZ + DTLS_HANDSHAKE_HEADER_SZ]; /* max */
7129 int headerSz = HANDSHAKE_HEADER_SZ;
7133 word32 sequence_number = ssl->keys.dtls_sequence_number;
7134 word16 epoch = ssl->keys.dtls_epoch;
7137 /* setup encrypt keys */
7138 if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
7141 /* check for available size */
7142 outputSz = sizeof(input) + MAX_MSG_EXTRA;
7143 if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
7147 if (ssl->options.dtls) {
7148 /* Send Finished message with the next epoch, but don't commit that
7149 * change until the other end confirms its reception. */
7150 headerSz += DTLS_HANDSHAKE_EXTRA;
7151 ssl->keys.dtls_epoch++;
7152 ssl->keys.dtls_sequence_number = 0; /* reset after epoch change */
7156 /* get ouput buffer */
7157 output = ssl->buffers.outputBuffer.buffer +
7158 ssl->buffers.outputBuffer.length;
7160 AddHandShakeHeader(input, finishedSz, finished, ssl);
7162 /* make finished hashes */
7163 hashes = (Hashes*)&input[headerSz];
7164 ret = BuildFinished(ssl, hashes,
7165 ssl->options.side == WOLFSSL_CLIENT_END ? client : server);
7166 if (ret != 0) return ret;
7168 #ifdef HAVE_SECURE_RENEGOTIATION
7169 if (ssl->secure_renegotiation) {
7170 if (ssl->options.side == WOLFSSL_CLIENT_END)
7171 XMEMCPY(ssl->secure_renegotiation->client_verify_data, hashes,
7174 XMEMCPY(ssl->secure_renegotiation->server_verify_data, hashes,
7179 sendSz = BuildMessage(ssl, output, outputSz, input, headerSz + finishedSz,
7182 return BUILD_MSG_ERROR;
7185 if (ssl->options.dtls) {
7186 ssl->keys.dtls_epoch = epoch;
7187 ssl->keys.dtls_sequence_number = sequence_number;
7191 if (!ssl->options.resuming) {
7192 #ifndef NO_SESSION_CACHE
7193 AddSession(ssl); /* just try */
7195 if (ssl->options.side == WOLFSSL_SERVER_END) {
7196 ssl->options.handShakeState = HANDSHAKE_DONE;
7197 ssl->options.handShakeDone = 1;
7199 if (ssl->options.dtls) {
7200 /* Other side will soon receive our Finished, go to next
7202 ssl->keys.dtls_epoch++;
7203 ssl->keys.dtls_sequence_number = 1;
7209 if (ssl->options.side == WOLFSSL_CLIENT_END) {
7210 ssl->options.handShakeState = HANDSHAKE_DONE;
7211 ssl->options.handShakeDone = 1;
7213 if (ssl->options.dtls) {
7214 /* Other side will soon receive our Finished, go to next
7216 ssl->keys.dtls_epoch++;
7217 ssl->keys.dtls_sequence_number = 1;
7223 if (ssl->options.dtls) {
7224 if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
7229 #ifdef WOLFSSL_CALLBACKS
7230 if (ssl->hsInfoOn) AddPacketName("Finished", &ssl->handShakeInfo);
7232 AddPacketInfo("Finished", &ssl->timeoutInfo, output, sendSz,
7236 ssl->buffers.outputBuffer.length += sendSz;
7238 return SendBuffered(ssl);
7242 int SendCertificate(WOLFSSL* ssl)
7244 int sendSz, length, ret = 0;
7245 word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
7246 word32 certSz, listSz;
7249 if (ssl->options.usingPSK_cipher || ssl->options.usingAnon_cipher)
7250 return 0; /* not needed */
7252 if (ssl->options.sendVerify == SEND_BLANK_CERT) {
7254 length = CERT_HEADER_SZ;
7258 certSz = ssl->buffers.certificate.length;
7259 /* list + cert size */
7260 length = certSz + 2 * CERT_HEADER_SZ;
7261 listSz = certSz + CERT_HEADER_SZ;
7263 /* may need to send rest of chain, already has leading size(s) */
7264 if (ssl->buffers.certChain.buffer) {
7265 length += ssl->buffers.certChain.length;
7266 listSz += ssl->buffers.certChain.length;
7269 sendSz = length + RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
7272 if (ssl->options.dtls) {
7273 sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
7274 i += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
7278 if (ssl->keys.encryptionOn)
7279 sendSz += MAX_MSG_EXTRA;
7281 /* check for available size */
7282 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
7285 /* get ouput buffer */
7286 output = ssl->buffers.outputBuffer.buffer +
7287 ssl->buffers.outputBuffer.length;
7289 AddHeaders(output, length, certificate, ssl);
7292 c32to24(listSz, output + i);
7293 i += CERT_HEADER_SZ;
7297 c32to24(certSz, output + i);
7298 i += CERT_HEADER_SZ;
7299 XMEMCPY(output + i, ssl->buffers.certificate.buffer, certSz);
7302 /* send rest of chain? */
7303 if (ssl->buffers.certChain.buffer) {
7304 XMEMCPY(output + i, ssl->buffers.certChain.buffer,
7305 ssl->buffers.certChain.length);
7306 i += ssl->buffers.certChain.length;
7310 if (ssl->keys.encryptionOn) {
7312 int inputSz = i - RECORD_HEADER_SZ; /* build msg adds rec hdr */
7314 input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
7318 XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz);
7319 sendSz = BuildMessage(ssl, output, sendSz, input,inputSz,handshake);
7320 XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
7325 ret = HashOutput(ssl, output, sendSz, 0);
7331 if (ssl->options.dtls) {
7332 if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
7337 #ifdef WOLFSSL_CALLBACKS
7338 if (ssl->hsInfoOn) AddPacketName("Certificate", &ssl->handShakeInfo);
7340 AddPacketInfo("Certificate", &ssl->timeoutInfo, output, sendSz,
7344 if (ssl->options.side == WOLFSSL_SERVER_END)
7345 ssl->options.serverState = SERVER_CERT_COMPLETE;
7347 ssl->buffers.outputBuffer.length += sendSz;
7348 if (ssl->options.groupMessages)
7351 return SendBuffered(ssl);
7355 int SendCertificateRequest(WOLFSSL* ssl)
7360 word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
7362 int typeTotal = 1; /* only 1 for now */
7363 int reqSz = ENUM_LEN + typeTotal + REQ_HEADER_SZ; /* add auth later */
7365 if (IsAtLeastTLSv1_2(ssl))
7366 reqSz += LENGTH_SZ + ssl->suites->hashSigAlgoSz;
7368 if (ssl->options.usingPSK_cipher || ssl->options.usingAnon_cipher)
7369 return 0; /* not needed */
7371 sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz;
7374 if (ssl->options.dtls) {
7375 sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
7376 i += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
7379 /* check for available size */
7380 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
7383 /* get ouput buffer */
7384 output = ssl->buffers.outputBuffer.buffer +
7385 ssl->buffers.outputBuffer.length;
7387 AddHeaders(output, reqSz, certificate_request, ssl);
7389 /* write to output */
7390 output[i++] = (byte)typeTotal; /* # of types */
7392 if (ssl->options.cipherSuite0 == ECC_BYTE &&
7393 ssl->specs.sig_algo == ecc_dsa_sa_algo) {
7394 output[i++] = ecdsa_sign;
7396 #endif /* HAVE_ECC */
7398 output[i++] = rsa_sign;
7401 /* supported hash/sig */
7402 if (IsAtLeastTLSv1_2(ssl)) {
7403 c16toa(ssl->suites->hashSigAlgoSz, &output[i]);
7407 ssl->suites->hashSigAlgo, ssl->suites->hashSigAlgoSz);
7408 i += ssl->suites->hashSigAlgoSz;
7411 c16toa(0, &output[i]); /* auth's */
7412 /* if add more to output, adjust i
7413 i += REQ_HEADER_SZ; */
7416 if (ssl->options.dtls) {
7417 if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
7422 ret = HashOutput(ssl, output, sendSz, 0);
7426 #ifdef WOLFSSL_CALLBACKS
7428 AddPacketName("CertificateRequest", &ssl->handShakeInfo);
7430 AddPacketInfo("CertificateRequest", &ssl->timeoutInfo, output,
7433 ssl->buffers.outputBuffer.length += sendSz;
7434 if (ssl->options.groupMessages)
7437 return SendBuffered(ssl);
7439 #endif /* !NO_CERTS */
7442 int SendData(WOLFSSL* ssl, const void* data, int sz)
7444 int sent = 0, /* plainText size */
7449 if (ssl->error == WANT_WRITE)
7452 if (ssl->options.handShakeState != HANDSHAKE_DONE) {
7454 WOLFSSL_MSG("handshake not complete, trying to finish");
7455 if ( (err = wolfSSL_negotiate(ssl)) != SSL_SUCCESS)
7459 /* last time system socket output buffer was full, try again to send */
7460 if (ssl->buffers.outputBuffer.length > 0) {
7461 WOLFSSL_MSG("output buffer was full, trying to send again");
7462 if ( (ssl->error = SendBuffered(ssl)) < 0) {
7463 WOLFSSL_ERROR(ssl->error);
7464 if (ssl->error == SOCKET_ERROR_E && ssl->options.connReset)
7465 return 0; /* peer reset */
7469 /* advance sent to previous sent + plain size just sent */
7470 sent = ssl->buffers.prevSent + ssl->buffers.plainSz;
7471 WOLFSSL_MSG("sent write buffered data");
7474 WOLFSSL_MSG("error: write() after WANT_WRITE with short size");
7475 return ssl->error = BAD_FUNC_ARG;
7481 if (ssl->options.dtls) {
7482 dtlsExtra = DTLS_RECORD_EXTRA;
7487 #ifdef HAVE_MAX_FRAGMENT
7488 int len = min(sz - sent, min(ssl->max_fragment, OUTPUT_RECORD_SIZE));
7490 int len = min(sz - sent, OUTPUT_RECORD_SIZE);
7493 byte* sendBuffer = (byte*)data + sent; /* may switch on comp */
7494 int buffSz = len; /* may switch on comp */
7497 byte comp[MAX_RECORD_SIZE + MAX_COMP_EXTRA];
7500 if (sent == sz) break;
7503 if (ssl->options.dtls) {
7504 len = min(len, MAX_UDP_SIZE);
7509 /* check for available size */
7510 outputSz = len + COMP_EXTRA + dtlsExtra + MAX_MSG_EXTRA;
7511 if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
7512 return ssl->error = ret;
7514 /* get ouput buffer */
7515 out = ssl->buffers.outputBuffer.buffer +
7516 ssl->buffers.outputBuffer.length;
7519 if (ssl->options.usingCompression) {
7520 buffSz = myCompress(ssl, sendBuffer, buffSz, comp, sizeof(comp));
7527 sendSz = BuildMessage(ssl, out, outputSz, sendBuffer, buffSz,
7530 return BUILD_MSG_ERROR;
7532 ssl->buffers.outputBuffer.length += sendSz;
7534 if ( (ret = SendBuffered(ssl)) < 0) {
7536 /* store for next call if WANT_WRITE or user embedSend() that
7537 doesn't present like WANT_WRITE */
7538 ssl->buffers.plainSz = len;
7539 ssl->buffers.prevSent = sent;
7540 if (ret == SOCKET_ERROR_E && ssl->options.connReset)
7541 return 0; /* peer reset */
7542 return ssl->error = ret;
7547 /* only one message per attempt */
7548 if (ssl->options.partialWrite == 1) {
7549 WOLFSSL_MSG("Paritial Write on, only sending one record");
7557 /* process input data */
7558 int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek)
7562 WOLFSSL_ENTER("ReceiveData()");
7564 if (ssl->error == WANT_READ)
7567 if (ssl->error != 0 && ssl->error != WANT_WRITE) {
7568 WOLFSSL_MSG("User calling wolfSSL_read in error state, not allowed");
7572 if (ssl->options.handShakeState != HANDSHAKE_DONE) {
7574 WOLFSSL_MSG("Handshake not complete, trying to finish");
7575 if ( (err = wolfSSL_negotiate(ssl)) != SSL_SUCCESS)
7579 #ifdef HAVE_SECURE_RENEGOTIATION
7581 if (ssl->secure_renegotiation && ssl->secure_renegotiation->startScr) {
7583 ssl->secure_renegotiation->startScr = 0; /* only start once */
7584 WOLFSSL_MSG("Need to start scr, server requested");
7585 if ( (err = wolfSSL_Rehandshake(ssl)) != SSL_SUCCESS)
7590 while (ssl->buffers.clearOutputBuffer.length == 0) {
7591 if ( (ssl->error = ProcessReply(ssl)) < 0) {
7592 WOLFSSL_ERROR(ssl->error);
7593 if (ssl->error == ZERO_RETURN) {
7594 WOLFSSL_MSG("Zero return, no more data coming");
7595 return 0; /* no more data coming */
7597 if (ssl->error == SOCKET_ERROR_E) {
7598 if (ssl->options.connReset || ssl->options.isClosed) {
7599 WOLFSSL_MSG("Peer reset or closed, connection done");
7600 ssl->error = SOCKET_PEER_CLOSED_E;
7601 WOLFSSL_ERROR(ssl->error);
7602 return 0; /* peer reset or closed */
7607 #ifdef HAVE_SECURE_RENEGOTIATION
7608 if (ssl->secure_renegotiation &&
7609 ssl->secure_renegotiation->startScr) {
7615 if (sz < (int)ssl->buffers.clearOutputBuffer.length)
7618 size = ssl->buffers.clearOutputBuffer.length;
7620 XMEMCPY(output, ssl->buffers.clearOutputBuffer.buffer, size);
7623 ssl->buffers.clearOutputBuffer.length -= size;
7624 ssl->buffers.clearOutputBuffer.buffer += size;
7627 if (ssl->buffers.clearOutputBuffer.length == 0 &&
7628 ssl->buffers.inputBuffer.dynamicFlag)
7629 ShrinkInputBuffer(ssl, NO_FORCED_FREE);
7631 WOLFSSL_LEAVE("ReceiveData()", size);
7636 /* send alert message */
7637 int SendAlert(WOLFSSL* ssl, int severity, int type)
7639 byte input[ALERT_SIZE];
7646 /* if sendalert is called again for nonbloking */
7647 if (ssl->options.sendAlertState != 0) {
7648 ret = SendBuffered(ssl);
7650 ssl->options.sendAlertState = 0;
7655 if (ssl->options.dtls)
7656 dtlsExtra = DTLS_RECORD_EXTRA;
7659 /* check for available size */
7660 outputSz = ALERT_SIZE + MAX_MSG_EXTRA + dtlsExtra;
7661 if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
7664 /* get ouput buffer */
7665 output = ssl->buffers.outputBuffer.buffer +
7666 ssl->buffers.outputBuffer.length;
7668 input[0] = (byte)severity;
7669 input[1] = (byte)type;
7670 ssl->alert_history.last_tx.code = type;
7671 ssl->alert_history.last_tx.level = severity;
7672 if (severity == alert_fatal) {
7673 ssl->options.isClosed = 1; /* Don't send close_notify */
7676 /* only send encrypted alert if handshake actually complete, otherwise
7677 other side may not be able to handle it */
7678 if (ssl->keys.encryptionOn && ssl->options.handShakeDone)
7679 sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE, alert);
7682 AddRecordHeader(output, ALERT_SIZE, alert, ssl);
7683 output += RECORD_HEADER_SZ;
7685 if (ssl->options.dtls)
7686 output += DTLS_RECORD_EXTRA;
7688 XMEMCPY(output, input, ALERT_SIZE);
7690 sendSz = RECORD_HEADER_SZ + ALERT_SIZE;
7692 if (ssl->options.dtls)
7693 sendSz += DTLS_RECORD_EXTRA;
7697 return BUILD_MSG_ERROR;
7699 #ifdef WOLFSSL_CALLBACKS
7701 AddPacketName("Alert", &ssl->handShakeInfo);
7703 AddPacketInfo("Alert", &ssl->timeoutInfo, output, sendSz,ssl->heap);
7706 ssl->buffers.outputBuffer.length += sendSz;
7707 ssl->options.sendAlertState = 1;
7709 return SendBuffered(ssl);
7712 const char* wolfSSL_ERR_reason_error_string(unsigned long e)
7714 #ifdef NO_ERROR_STRINGS
7717 return "no support for error strings built in";
7723 /* pass to wolfCrypt */
7724 if (error < MAX_CODE_E && error > MIN_CODE_E) {
7725 return wc_GetErrorString(error);
7730 case UNSUPPORTED_SUITE :
7731 return "unsupported cipher suite";
7733 case INPUT_CASE_ERROR :
7734 return "input state error";
7737 return "bad index to key rounds";
7740 return "out of memory";
7742 case VERIFY_FINISHED_ERROR :
7743 return "verify problem on finished";
7745 case VERIFY_MAC_ERROR :
7746 return "verify mac problem";
7749 return "parse error on header";
7752 return "wrong client/server type";
7755 return "peer didn't send cert";
7757 case UNKNOWN_HANDSHAKE_TYPE :
7758 return "weird handshake type";
7760 case SOCKET_ERROR_E :
7761 return "error state on socket";
7763 case SOCKET_NODATA :
7764 return "expected data, not there";
7766 case INCOMPLETE_DATA :
7767 return "don't have enough data to complete task";
7769 case UNKNOWN_RECORD_TYPE :
7770 return "unknown type in record hdr";
7772 case DECRYPT_ERROR :
7773 return "error during decryption";
7776 return "revcd alert fatal error";
7778 case ENCRYPT_ERROR :
7779 return "error during encryption";
7782 return "fread problem";
7785 return "need peer's key";
7787 case NO_PRIVATE_KEY :
7788 return "need the private key";
7791 return "server missing DH params";
7793 case RSA_PRIVATE_ERROR :
7794 return "error during rsa priv op";
7796 case MATCH_SUITE_ERROR :
7797 return "can't match cipher suite";
7799 case BUILD_MSG_ERROR :
7800 return "build message failure";
7803 return "client hello malformed";
7805 case DOMAIN_NAME_MISMATCH :
7806 return "peer subject name mismatch";
7809 case SSL_ERROR_WANT_READ :
7810 return "non-blocking socket wants data to be read";
7812 case NOT_READY_ERROR :
7813 return "handshake layer not ready yet, complete first";
7815 case PMS_VERSION_ERROR :
7816 return "premaster secret version mismatch error";
7818 case VERSION_ERROR :
7819 return "record layer version error";
7822 case SSL_ERROR_WANT_WRITE :
7823 return "non-blocking socket write buffer full";
7826 return "malformed buffer input error";
7828 case VERIFY_CERT_ERROR :
7829 return "verify problem on certificate";
7831 case VERIFY_SIGN_ERROR :
7832 return "verify problem based on signature";
7834 case CLIENT_ID_ERROR :
7835 return "psk client identity error";
7837 case SERVER_HINT_ERROR:
7838 return "psk server hint error";
7841 return "psk key callback error";
7843 case NTRU_KEY_ERROR:
7844 return "NTRU key error";
7846 case NTRU_DRBG_ERROR:
7847 return "NTRU drbg error";
7849 case NTRU_ENCRYPT_ERROR:
7850 return "NTRU encrypt error";
7852 case NTRU_DECRYPT_ERROR:
7853 return "NTRU decrypt error";
7855 case ZLIB_INIT_ERROR:
7856 return "zlib init error";
7858 case ZLIB_COMPRESS_ERROR:
7859 return "zlib compress error";
7861 case ZLIB_DECOMPRESS_ERROR:
7862 return "zlib decompress error";
7865 return "gettimeofday() error";
7867 case GETITIMER_ERROR:
7868 return "getitimer() error";
7871 return "sigaction() error";
7873 case SETITIMER_ERROR:
7874 return "setitimer() error";
7877 return "record layer length error";
7879 case PEER_KEY_ERROR:
7880 return "cant decode peer key";
7883 case SSL_ERROR_ZERO_RETURN:
7884 return "peer sent close notify alert";
7886 case ECC_CURVETYPE_ERROR:
7887 return "Bad ECC Curve Type or unsupported";
7889 case ECC_CURVE_ERROR:
7890 return "Bad ECC Curve or unsupported";
7892 case ECC_PEERKEY_ERROR:
7893 return "Bad ECC Peer Key";
7895 case ECC_MAKEKEY_ERROR:
7896 return "ECC Make Key failure";
7898 case ECC_EXPORT_ERROR:
7899 return "ECC Export Key failure";
7901 case ECC_SHARED_ERROR:
7902 return "ECC DHE shared failure";
7905 return "Not a CA by basic constraint error";
7907 case BAD_PATH_ERROR:
7908 return "Bad path for opendir error";
7910 case BAD_CERT_MANAGER_ERROR:
7911 return "Bad Cert Manager error";
7913 case OCSP_CERT_REVOKED:
7914 return "OCSP Cert revoked";
7916 case CRL_CERT_REVOKED:
7917 return "CRL Cert revoked";
7920 return "CRL missing, not loaded";
7922 case MONITOR_RUNNING_E:
7923 return "CRL monitor already running";
7925 case THREAD_CREATE_E:
7926 return "Thread creation problem";
7929 return "OCSP need URL";
7931 case OCSP_CERT_UNKNOWN:
7932 return "OCSP Cert unknown";
7934 case OCSP_LOOKUP_FAIL:
7935 return "OCSP Responder lookup fail";
7937 case MAX_CHAIN_ERROR:
7938 return "Maximum Chain Depth Exceeded";
7941 return "DTLS Cookie Error";
7943 case SEQUENCE_ERROR:
7944 return "DTLS Sequence Error";
7947 return "Suites Pointer Error";
7949 case SSL_NO_PEM_HEADER:
7950 return "No PEM Header Error";
7952 case OUT_OF_ORDER_E:
7953 return "Out of order message, fatal";
7955 case BAD_KEA_TYPE_E:
7956 return "Bad KEA type found";
7958 case SANITY_CIPHER_E:
7959 return "Sanity check on ciphertext failed";
7961 case RECV_OVERFLOW_E:
7962 return "Receive callback returned more than requested";
7965 return "Generate Cookie Error";
7967 case NO_PEER_VERIFY:
7968 return "Need peer certificate verify Error";
7971 return "fwrite Error";
7973 case CACHE_MATCH_ERROR:
7974 return "Cache restore header match Error";
7976 case UNKNOWN_SNI_HOST_NAME_E:
7977 return "Unrecognized host name Error";
7979 case KEYUSE_SIGNATURE_E:
7980 return "Key Use digitalSignature not set Error";
7982 case KEYUSE_ENCIPHER_E:
7983 return "Key Use keyEncipherment not set Error";
7985 case EXTKEYUSE_AUTH_E:
7986 return "Ext Key Use server/client auth not set Error";
7988 case SEND_OOB_READ_E:
7989 return "Send Callback Out of Bounds Read Error";
7991 case SECURE_RENEGOTIATION_E:
7992 return "Invalid Renegotiation Error";
7994 case SESSION_TICKET_LEN_E:
7995 return "Session Ticket Too Long Error";
7997 case SESSION_TICKET_EXPECT_E:
7998 return "Session Ticket Error";
8000 case SCR_DIFFERENT_CERT_E:
8001 return "Peer sent different cert during SCR";
8003 case SESSION_SECRET_CB_E:
8004 return "Session Secret Callback Error";
8006 case NO_CHANGE_CIPHER_E:
8007 return "Finished received from peer before Change Cipher Error";
8010 return "Sanity Check on message order Error";
8012 case DUPLICATE_MSG_E:
8013 return "Duplicate HandShake message Error";
8015 case SNI_UNSUPPORTED:
8016 return "Protocol version does not support SNI Error";
8018 case SOCKET_PEER_CLOSED_E:
8019 return "Peer closed underlying transport Error";
8021 case BAD_TICKET_KEY_CB_SZ:
8022 return "Bad user session ticket key callback Size Error";
8024 case BAD_TICKET_MSG_SZ:
8025 return "Bad session ticket message Size Error";
8027 case BAD_TICKET_ENCRYPT:
8028 return "Bad user ticket callback encrypt Error";
8031 return "DH key too small Error";
8034 return "unknown error number";
8037 #endif /* NO_ERROR_STRINGS */
8040 void SetErrorString(int error, char* str)
8042 XSTRNCPY(str, wolfSSL_ERR_reason_error_string(error), WOLFSSL_MAX_ERROR_SZ);
8046 /* be sure to add to cipher_name_idx too !!!! */
8047 static const char* const cipher_names[] =
8049 #ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
8053 #ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
8057 #ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
8061 #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
8065 #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
8069 #ifdef BUILD_TLS_RSA_WITH_NULL_SHA
8073 #ifdef BUILD_TLS_RSA_WITH_NULL_SHA256
8077 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
8078 "DHE-RSA-AES128-SHA",
8081 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
8082 "DHE-RSA-AES256-SHA",
8085 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
8086 "DHE-PSK-AES256-GCM-SHA384",
8089 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
8090 "DHE-PSK-AES128-GCM-SHA256",
8093 #ifdef BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384
8094 "PSK-AES256-GCM-SHA384",
8097 #ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256
8098 "PSK-AES128-GCM-SHA256",
8101 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
8102 "DHE-PSK-AES256-CBC-SHA384",
8105 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
8106 "DHE-PSK-AES128-CBC-SHA256",
8109 #ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384
8110 "PSK-AES256-CBC-SHA384",
8113 #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
8114 "PSK-AES128-CBC-SHA256",
8117 #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
8118 "PSK-AES128-CBC-SHA",
8121 #ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
8122 "PSK-AES256-CBC-SHA",
8125 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM
8126 "DHE-PSK-AES128-CCM",
8129 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CCM
8130 "DHE-PSK-AES256-CCM",
8133 #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM
8137 #ifdef BUILD_TLS_PSK_WITH_AES_256_CCM
8141 #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8
8145 #ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8
8149 #ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384
8150 "DHE-PSK-NULL-SHA384",
8153 #ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256
8154 "DHE-PSK-NULL-SHA256",
8157 #ifdef BUILD_TLS_PSK_WITH_NULL_SHA384
8161 #ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
8165 #ifdef BUILD_TLS_PSK_WITH_NULL_SHA
8169 #ifdef BUILD_TLS_RSA_WITH_HC_128_MD5
8173 #ifdef BUILD_TLS_RSA_WITH_HC_128_SHA
8177 #ifdef BUILD_TLS_RSA_WITH_HC_128_B2B256
8181 #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256
8185 #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256
8189 #ifdef BUILD_TLS_RSA_WITH_RABBIT_SHA
8193 #ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA
8197 #ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA
8198 "NTRU-DES-CBC3-SHA",
8201 #ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA
8205 #ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA
8209 #ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8
8213 #ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8
8217 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
8218 "ECDHE-ECDSA-AES128-CCM-8",
8221 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
8222 "ECDHE-ECDSA-AES256-CCM-8",
8225 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
8226 "ECDHE-RSA-AES128-SHA",
8229 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
8230 "ECDHE-RSA-AES256-SHA",
8233 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
8234 "ECDHE-ECDSA-AES128-SHA",
8237 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
8238 "ECDHE-ECDSA-AES256-SHA",
8241 #ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
8242 "ECDHE-RSA-RC4-SHA",
8245 #ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
8246 "ECDHE-RSA-DES-CBC3-SHA",
8249 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
8250 "ECDHE-ECDSA-RC4-SHA",
8253 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
8254 "ECDHE-ECDSA-DES-CBC3-SHA",
8257 #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
8261 #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
8265 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
8266 "DHE-RSA-AES128-SHA256",
8269 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
8270 "DHE-RSA-AES256-SHA256",
8273 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
8274 "ECDH-RSA-AES128-SHA",
8277 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
8278 "ECDH-RSA-AES256-SHA",
8281 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
8282 "ECDH-ECDSA-AES128-SHA",
8285 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
8286 "ECDH-ECDSA-AES256-SHA",
8289 #ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
8293 #ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
8294 "ECDH-RSA-DES-CBC3-SHA",
8297 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
8298 "ECDH-ECDSA-RC4-SHA",
8301 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
8302 "ECDH-ECDSA-DES-CBC3-SHA",
8305 #ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
8306 "AES128-GCM-SHA256",
8309 #ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
8310 "AES256-GCM-SHA384",
8313 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
8314 "DHE-RSA-AES128-GCM-SHA256",
8317 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
8318 "DHE-RSA-AES256-GCM-SHA384",
8321 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
8322 "ECDHE-RSA-AES128-GCM-SHA256",
8325 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
8326 "ECDHE-RSA-AES256-GCM-SHA384",
8329 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
8330 "ECDHE-ECDSA-AES128-GCM-SHA256",
8333 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
8334 "ECDHE-ECDSA-AES256-GCM-SHA384",
8337 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
8338 "ECDH-RSA-AES128-GCM-SHA256",
8341 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
8342 "ECDH-RSA-AES256-GCM-SHA384",
8345 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
8346 "ECDH-ECDSA-AES128-GCM-SHA256",
8349 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
8350 "ECDH-ECDSA-AES256-GCM-SHA384",
8353 #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
8357 #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
8358 "DHE-RSA-CAMELLIA128-SHA",
8361 #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
8365 #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
8366 "DHE-RSA-CAMELLIA256-SHA",
8369 #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
8370 "CAMELLIA128-SHA256",
8373 #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
8374 "DHE-RSA-CAMELLIA128-SHA256",
8377 #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
8378 "CAMELLIA256-SHA256",
8381 #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
8382 "DHE-RSA-CAMELLIA256-SHA256",
8385 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
8386 "ECDHE-RSA-AES128-SHA256",
8389 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
8390 "ECDHE-ECDSA-AES128-SHA256",
8393 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
8394 "ECDH-RSA-AES128-SHA256",
8397 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
8398 "ECDH-ECDSA-AES128-SHA256",
8401 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
8402 "ECDHE-RSA-AES256-SHA384",
8405 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
8406 "ECDHE-ECDSA-AES256-SHA384",
8409 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
8410 "ECDH-RSA-AES256-SHA384",
8413 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
8414 "ECDH-ECDSA-AES256-SHA384",
8417 #ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
8418 "ECDHE-RSA-CHACHA20-POLY1305",
8421 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
8422 "ECDHE-ECDSA-CHACHA20-POLY1305",
8425 #ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
8426 "DHE-RSA-CHACHA20-POLY1305",
8429 #ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA
8433 #ifdef HAVE_RENEGOTIATION_INDICATION
8434 "RENEGOTIATION-INFO",
8439 /* cipher suite number that matches above name table */
8440 static int cipher_name_idx[] =
8443 #ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
8444 SSL_RSA_WITH_RC4_128_SHA,
8447 #ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
8448 SSL_RSA_WITH_RC4_128_MD5,
8451 #ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
8452 SSL_RSA_WITH_3DES_EDE_CBC_SHA,
8455 #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
8456 TLS_RSA_WITH_AES_128_CBC_SHA,
8459 #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
8460 TLS_RSA_WITH_AES_256_CBC_SHA,
8463 #ifdef BUILD_TLS_RSA_WITH_NULL_SHA
8464 TLS_RSA_WITH_NULL_SHA,
8467 #ifdef BUILD_TLS_RSA_WITH_NULL_SHA256
8468 TLS_RSA_WITH_NULL_SHA256,
8471 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
8472 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
8475 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
8476 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
8479 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
8480 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
8483 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
8484 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
8487 #ifdef BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384
8488 TLS_PSK_WITH_AES_256_GCM_SHA384,
8491 #ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256
8492 TLS_PSK_WITH_AES_128_GCM_SHA256,
8495 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
8496 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
8499 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
8500 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
8503 #ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384
8504 TLS_PSK_WITH_AES_256_CBC_SHA384,
8507 #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
8508 TLS_PSK_WITH_AES_128_CBC_SHA256,
8511 #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
8512 TLS_PSK_WITH_AES_128_CBC_SHA,
8515 #ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
8516 TLS_PSK_WITH_AES_256_CBC_SHA,
8519 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM
8520 TLS_DHE_PSK_WITH_AES_128_CCM,
8523 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CCM
8524 TLS_DHE_PSK_WITH_AES_256_CCM,
8527 #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM
8528 TLS_PSK_WITH_AES_128_CCM,
8531 #ifdef BUILD_TLS_PSK_WITH_AES_256_CCM
8532 TLS_PSK_WITH_AES_256_CCM,
8535 #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8
8536 TLS_PSK_WITH_AES_128_CCM_8,
8539 #ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8
8540 TLS_PSK_WITH_AES_256_CCM_8,
8543 #ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384
8544 TLS_DHE_PSK_WITH_NULL_SHA384,
8547 #ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256
8548 TLS_DHE_PSK_WITH_NULL_SHA256,
8551 #ifdef BUILD_TLS_PSK_WITH_NULL_SHA384
8552 TLS_PSK_WITH_NULL_SHA384,
8555 #ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
8556 TLS_PSK_WITH_NULL_SHA256,
8559 #ifdef BUILD_TLS_PSK_WITH_NULL_SHA
8560 TLS_PSK_WITH_NULL_SHA,
8563 #ifdef BUILD_TLS_RSA_WITH_HC_128_MD5
8564 TLS_RSA_WITH_HC_128_MD5,
8567 #ifdef BUILD_TLS_RSA_WITH_HC_128_SHA
8568 TLS_RSA_WITH_HC_128_SHA,
8571 #ifdef BUILD_TLS_RSA_WITH_HC_128_B2B256
8572 TLS_RSA_WITH_HC_128_B2B256,
8575 #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256
8576 TLS_RSA_WITH_AES_128_CBC_B2B256,
8579 #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256
8580 TLS_RSA_WITH_AES_256_CBC_B2B256,
8583 #ifdef BUILD_TLS_RSA_WITH_RABBIT_SHA
8584 TLS_RSA_WITH_RABBIT_SHA,
8587 #ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA
8588 TLS_NTRU_RSA_WITH_RC4_128_SHA,
8591 #ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA
8592 TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA,
8595 #ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA
8596 TLS_NTRU_RSA_WITH_AES_128_CBC_SHA,
8599 #ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA
8600 TLS_NTRU_RSA_WITH_AES_256_CBC_SHA,
8603 #ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8
8604 TLS_RSA_WITH_AES_128_CCM_8,
8607 #ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8
8608 TLS_RSA_WITH_AES_256_CCM_8,
8611 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
8612 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
8615 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
8616 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
8619 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
8620 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
8623 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
8624 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
8627 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
8628 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
8631 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
8632 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
8635 #ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
8636 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
8639 #ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
8640 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
8643 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
8644 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
8647 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
8648 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
8651 #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
8652 TLS_RSA_WITH_AES_128_CBC_SHA256,
8655 #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
8656 TLS_RSA_WITH_AES_256_CBC_SHA256,
8659 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
8660 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
8663 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
8664 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
8667 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
8668 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
8671 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
8672 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
8675 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
8676 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
8679 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
8680 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
8683 #ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
8684 TLS_ECDH_RSA_WITH_RC4_128_SHA,
8687 #ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
8688 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
8691 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
8692 TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
8695 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
8696 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
8699 #ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
8700 TLS_RSA_WITH_AES_128_GCM_SHA256,
8703 #ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
8704 TLS_RSA_WITH_AES_256_GCM_SHA384,
8707 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
8708 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
8711 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
8712 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
8715 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
8716 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
8719 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
8720 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
8723 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
8724 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
8727 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
8728 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
8731 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
8732 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
8735 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
8736 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
8739 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
8740 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
8743 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
8744 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
8747 #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
8748 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
8751 #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
8752 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
8755 #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
8756 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
8759 #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
8760 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
8763 #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
8764 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
8767 #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
8768 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
8771 #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
8772 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
8775 #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
8776 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
8779 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
8780 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
8783 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
8784 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
8787 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
8788 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
8791 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
8792 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
8795 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
8796 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
8799 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
8800 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
8803 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
8804 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
8807 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
8808 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
8811 #ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
8812 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
8815 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
8816 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
8819 #ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
8820 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
8823 #ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA
8824 TLS_DH_anon_WITH_AES_128_CBC_SHA,
8827 #ifdef HAVE_RENEGOTIATION_INDICATION
8828 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
8833 /* returns the cipher_names array */
8834 const char* const* GetCipherNames(void)
8836 return cipher_names;
8840 /* returns the size of the cipher_names array */
8841 int GetCipherNamesSize(void)
8843 return (int)(sizeof(cipher_names) / sizeof(char*));
8848 Set the enabled cipher suites.
8850 @param [out] suites Suites structure.
8851 @param [in] list List of cipher suites, only supports full name from
8852 cipher_name[] delimited by ':'.
8854 @return true on success, else false.
8856 int SetCipherList(Suites* suites, const char* list)
8861 int haveECDSAsig = 0;
8863 const int suiteSz = GetCipherNamesSize();
8864 char* next = (char*)list;
8866 if (suites == NULL || list == NULL) {
8867 WOLFSSL_MSG("SetCipherList parameter error");
8871 if (next[0] == 0 || XSTRNCMP(next, "ALL", 3) == 0)
8872 return 1; /* wolfSSL defualt */
8875 char* current = next;
8876 char name[MAX_SUITE_NAME + 1];
8880 next = XSTRSTR(next, ":");
8881 length = min(sizeof(name), !next ? (word32)XSTRLEN(current) /* last */
8882 : (word32)(next - current));
8884 XSTRNCPY(name, current, length);
8885 name[(length == sizeof(name)) ? length - 1 : length] = 0;
8887 for (i = 0; i < suiteSz; i++) {
8888 if (XSTRNCMP(name, cipher_names[i], sizeof(name)) == 0) {
8889 suites->suites[idx++] = (XSTRSTR(name, "CHACHA")) ? CHACHA_BYTE
8890 : (XSTRSTR(name, "EC")) ? ECC_BYTE
8891 : (XSTRSTR(name, "CCM")) ? ECC_BYTE
8892 : 0x00; /* normal */
8894 suites->suites[idx++] = (byte)cipher_name_idx[i];
8896 /* The suites are either ECDSA, RSA, PSK, or Anon. The RSA
8897 * suites don't necessarily have RSA in the name. */
8898 if ((haveECDSAsig == 0) && XSTRSTR(name, "ECDSA"))
8900 else if (XSTRSTR(name, "ADH"))
8902 else if ((haveRSAsig == 0) && (XSTRSTR(name, "PSK") == NULL))
8905 ret = 1; /* found at least one */
8910 while (next++); /* ++ needed to skip ':' */
8913 suites->setSuites = 1;
8914 suites->suiteSz = (word16)idx;
8915 InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig, haveAnon);
8922 static void PickHashSigAlgo(WOLFSSL* ssl,
8923 const byte* hashSigAlgo, word32 hashSigAlgoSz)
8927 ssl->suites->sigAlgo = ssl->specs.sig_algo;
8928 ssl->suites->hashAlgo = sha_mac;
8930 /* i+1 since peek a byte ahead for type */
8931 for (i = 0; (i+1) < hashSigAlgoSz; i += 2) {
8932 if (hashSigAlgo[i+1] == ssl->specs.sig_algo) {
8933 if (hashSigAlgo[i] == sha_mac) {
8937 else if (hashSigAlgo[i] == sha256_mac) {
8938 ssl->suites->hashAlgo = sha256_mac;
8942 #ifdef WOLFSSL_SHA384
8943 else if (hashSigAlgo[i] == sha384_mac) {
8944 ssl->suites->hashAlgo = sha384_mac;
8948 #ifdef WOLFSSL_SHA512
8949 else if (hashSigAlgo[i] == sha512_mac) {
8950 ssl->suites->hashAlgo = sha512_mac;
8959 #ifdef WOLFSSL_CALLBACKS
8961 /* Initialisze HandShakeInfo */
8962 void InitHandShakeInfo(HandShakeInfo* info)
8966 info->cipherName[0] = 0;
8967 for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++)
8968 info->packetNames[i][0] = 0;
8969 info->numberPackets = 0;
8970 info->negotiationError = 0;
8973 /* Set Final HandShakeInfo parameters */
8974 void FinishHandShakeInfo(HandShakeInfo* info, const WOLFSSL* ssl)
8977 int sz = sizeof(cipher_name_idx)/sizeof(int);
8979 for (i = 0; i < sz; i++)
8980 if (ssl->options.cipherSuite == (byte)cipher_name_idx[i]) {
8981 if (ssl->options.cipherSuite0 == ECC_BYTE)
8982 continue; /* ECC suites at end */
8983 XSTRNCPY(info->cipherName, cipher_names[i], MAX_CIPHERNAME_SZ);
8987 /* error max and min are negative numbers */
8988 if (ssl->error <= MIN_PARAM_ERR && ssl->error >= MAX_PARAM_ERR)
8989 info->negotiationError = ssl->error;
8993 /* Add name to info packet names, increase packet name count */
8994 void AddPacketName(const char* name, HandShakeInfo* info)
8996 if (info->numberPackets < MAX_PACKETS_HANDSHAKE) {
8997 XSTRNCPY(info->packetNames[info->numberPackets++], name,
9003 /* Initialisze TimeoutInfo */
9004 void InitTimeoutInfo(TimeoutInfo* info)
9008 info->timeoutName[0] = 0;
9011 for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++) {
9012 info->packets[i].packetName[0] = 0;
9013 info->packets[i].timestamp.tv_sec = 0;
9014 info->packets[i].timestamp.tv_usec = 0;
9015 info->packets[i].bufferValue = 0;
9016 info->packets[i].valueSz = 0;
9018 info->numberPackets = 0;
9019 info->timeoutValue.tv_sec = 0;
9020 info->timeoutValue.tv_usec = 0;
9024 /* Free TimeoutInfo */
9025 void FreeTimeoutInfo(TimeoutInfo* info, void* heap)
9029 for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++)
9030 if (info->packets[i].bufferValue) {
9031 XFREE(info->packets[i].bufferValue, heap, DYNAMIC_TYPE_INFO);
9032 info->packets[i].bufferValue = 0;
9038 /* Add PacketInfo to TimeoutInfo */
9039 void AddPacketInfo(const char* name, TimeoutInfo* info, const byte* data,
9042 if (info->numberPackets < (MAX_PACKETS_HANDSHAKE - 1)) {
9045 /* may add name after */
9047 XSTRNCPY(info->packets[info->numberPackets].packetName, name,
9050 /* add data, put in buffer if bigger than static buffer */
9051 info->packets[info->numberPackets].valueSz = sz;
9052 if (sz < MAX_VALUE_SZ)
9053 XMEMCPY(info->packets[info->numberPackets].value, data, sz);
9055 info->packets[info->numberPackets].bufferValue =
9056 XMALLOC(sz, heap, DYNAMIC_TYPE_INFO);
9057 if (!info->packets[info->numberPackets].bufferValue)
9058 /* let next alloc catch, just don't fill, not fatal here */
9059 info->packets[info->numberPackets].valueSz = 0;
9061 XMEMCPY(info->packets[info->numberPackets].bufferValue,
9064 gettimeofday(&currTime, 0);
9065 info->packets[info->numberPackets].timestamp.tv_sec =
9067 info->packets[info->numberPackets].timestamp.tv_usec =
9069 info->numberPackets++;
9074 /* Add packet name to previsouly added packet info */
9075 void AddLateName(const char* name, TimeoutInfo* info)
9077 /* make sure we have a valid previous one */
9078 if (info->numberPackets > 0 && info->numberPackets <
9079 MAX_PACKETS_HANDSHAKE) {
9080 XSTRNCPY(info->packets[info->numberPackets - 1].packetName, name,
9085 /* Add record header to previsouly added packet info */
9086 void AddLateRecordHeader(const RecordLayerHeader* rl, TimeoutInfo* info)
9088 /* make sure we have a valid previous one */
9089 if (info->numberPackets > 0 && info->numberPackets <
9090 MAX_PACKETS_HANDSHAKE) {
9091 if (info->packets[info->numberPackets - 1].bufferValue)
9092 XMEMCPY(info->packets[info->numberPackets - 1].bufferValue, rl,
9095 XMEMCPY(info->packets[info->numberPackets - 1].value, rl,
9100 #endif /* WOLFSSL_CALLBACKS */
9104 /* client only parts */
9105 #ifndef NO_WOLFSSL_CLIENT
9107 int SendClientHello(WOLFSSL* ssl)
9110 word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
9112 int idSz = ssl->options.resuming
9113 ? ssl->session.sessionIDSz
9117 if (ssl->suites == NULL) {
9118 WOLFSSL_MSG("Bad suites pointer in SendClientHello");
9119 return SUITES_ERROR;
9122 #ifdef HAVE_SESSION_TICKET
9123 if (ssl->options.resuming && ssl->session.ticketLen > 0) {
9124 SessionTicket* ticket;
9126 ticket = TLSX_SessionTicket_Create(0,
9127 ssl->session.ticket, ssl->session.ticketLen);
9128 if (ticket == NULL) return MEMORY_E;
9130 ret = TLSX_UseSessionTicket(&ssl->extensions, ticket);
9131 if (ret != SSL_SUCCESS) return ret;
9137 length = VERSION_SZ + RAN_LEN
9139 + ssl->suites->suiteSz + SUITE_LEN
9140 + COMP_LEN + ENUM_LEN;
9142 #ifdef HAVE_TLS_EXTENSIONS
9143 length += TLSX_GetRequestSize(ssl);
9145 if (IsAtLeastTLSv1_2(ssl) && ssl->suites->hashSigAlgoSz) {
9146 length += ssl->suites->hashSigAlgoSz + HELLO_EXT_SZ;
9149 sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
9152 if (ssl->options.dtls) {
9153 length += ENUM_LEN; /* cookie */
9154 if (ssl->arrays->cookieSz != 0) length += ssl->arrays->cookieSz;
9155 sendSz = length + DTLS_HANDSHAKE_HEADER_SZ + DTLS_RECORD_HEADER_SZ;
9156 idx += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA;
9160 if (ssl->keys.encryptionOn)
9161 sendSz += MAX_MSG_EXTRA;
9163 /* check for available size */
9164 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
9167 /* get ouput buffer */
9168 output = ssl->buffers.outputBuffer.buffer +
9169 ssl->buffers.outputBuffer.length;
9171 AddHeaders(output, length, client_hello, ssl);
9173 /* client hello, first version */
9174 output[idx++] = ssl->version.major;
9175 output[idx++] = ssl->version.minor;
9176 ssl->chVersion = ssl->version; /* store in case changed */
9179 if (ssl->options.connectState == CONNECT_BEGIN) {
9180 ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN);
9185 XMEMCPY(ssl->arrays->clientRandom, output + idx, RAN_LEN);
9188 /* send same random on hello again */
9189 XMEMCPY(output + idx, ssl->arrays->clientRandom, RAN_LEN);
9194 /* then session id */
9195 output[idx++] = (byte)idSz;
9197 XMEMCPY(output + idx, ssl->session.sessionID,
9198 ssl->session.sessionIDSz);
9199 idx += ssl->session.sessionIDSz;
9202 /* then DTLS cookie */
9204 if (ssl->options.dtls) {
9205 byte cookieSz = ssl->arrays->cookieSz;
9207 output[idx++] = cookieSz;
9209 XMEMCPY(&output[idx], ssl->arrays->cookie, cookieSz);
9214 /* then cipher suites */
9215 c16toa(ssl->suites->suiteSz, output + idx);
9217 XMEMCPY(output + idx, &ssl->suites->suites, ssl->suites->suiteSz);
9218 idx += ssl->suites->suiteSz;
9220 /* last, compression */
9221 output[idx++] = COMP_LEN;
9222 if (ssl->options.usingCompression)
9223 output[idx++] = ZLIB_COMPRESSION;
9225 output[idx++] = NO_COMPRESSION;
9227 #ifdef HAVE_TLS_EXTENSIONS
9228 idx += TLSX_WriteRequest(ssl, output + idx);
9230 (void)idx; /* suppress analyzer warning, keep idx current */
9232 if (IsAtLeastTLSv1_2(ssl) && ssl->suites->hashSigAlgoSz)
9235 /* add in the extensions length */
9236 c16toa(HELLO_EXT_LEN + ssl->suites->hashSigAlgoSz, output + idx);
9239 c16toa(HELLO_EXT_SIG_ALGO, output + idx);
9241 c16toa(HELLO_EXT_SIGALGO_SZ+ssl->suites->hashSigAlgoSz, output+idx);
9243 c16toa(ssl->suites->hashSigAlgoSz, output + idx);
9245 for (i = 0; i < ssl->suites->hashSigAlgoSz; i++, idx++) {
9246 output[idx] = ssl->suites->hashSigAlgo[i];
9251 if (ssl->keys.encryptionOn) {
9253 int inputSz = idx - RECORD_HEADER_SZ; /* build msg adds rec hdr */
9255 input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
9259 XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz);
9260 sendSz = BuildMessage(ssl, output, sendSz, input,inputSz,handshake);
9261 XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
9266 ret = HashOutput(ssl, output, sendSz, 0);
9272 if (ssl->options.dtls) {
9273 if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
9278 ssl->options.clientState = CLIENT_HELLO_COMPLETE;
9280 #ifdef WOLFSSL_CALLBACKS
9281 if (ssl->hsInfoOn) AddPacketName("ClientHello", &ssl->handShakeInfo);
9283 AddPacketInfo("ClientHello", &ssl->timeoutInfo, output, sendSz,
9287 ssl->buffers.outputBuffer.length += sendSz;
9289 return SendBuffered(ssl);
9293 static int DoHelloVerifyRequest(WOLFSSL* ssl, const byte* input,
9294 word32* inOutIdx, word32 size)
9298 word32 begin = *inOutIdx;
9300 #ifdef WOLFSSL_CALLBACKS
9301 if (ssl->hsInfoOn) AddPacketName("HelloVerifyRequest",
9302 &ssl->handShakeInfo);
9303 if (ssl->toInfoOn) AddLateName("HelloVerifyRequest", &ssl->timeoutInfo);
9307 if (ssl->options.dtls) {
9312 if ((*inOutIdx - begin) + OPAQUE16_LEN + OPAQUE8_LEN > size)
9313 return BUFFER_ERROR;
9315 XMEMCPY(&pv, input + *inOutIdx, OPAQUE16_LEN);
9316 *inOutIdx += OPAQUE16_LEN;
9318 cookieSz = input[(*inOutIdx)++];
9321 if ((*inOutIdx - begin) + cookieSz > size)
9322 return BUFFER_ERROR;
9325 if (cookieSz <= MAX_COOKIE_LEN) {
9326 XMEMCPY(ssl->arrays->cookie, input + *inOutIdx, cookieSz);
9327 ssl->arrays->cookieSz = cookieSz;
9330 *inOutIdx += cookieSz;
9333 ssl->options.serverState = SERVER_HELLOVERIFYREQUEST_COMPLETE;
9338 static INLINE int DSH_CheckSessionId(WOLFSSL* ssl)
9342 #ifdef HAVE_SECRET_CALLBACK
9343 /* If a session secret callback exists, we are using that
9344 * key instead of the saved session key. */
9345 ret = ret || (ssl->sessionSecretCb != NULL);
9348 #ifdef HAVE_SESSION_TICKET
9349 /* server may send blank ticket which may not be expected to indicate
9350 * exisiting one ok but will also be sending a new one */
9351 ret = ret || (ssl->session.ticketLen > 0);
9355 (ssl->options.haveSessionId && XMEMCMP(ssl->arrays->sessionID,
9356 ssl->session.sessionID, ID_LEN) == 0);
9361 static int DoServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
9364 byte cs0; /* cipher suite bytes 0, 1 */
9368 word32 i = *inOutIdx;
9371 #ifdef WOLFSSL_CALLBACKS
9372 if (ssl->hsInfoOn) AddPacketName("ServerHello", &ssl->handShakeInfo);
9373 if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo);
9376 /* protocol version, random and session id length check */
9377 if (OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz)
9378 return BUFFER_ERROR;
9380 /* protocol version */
9381 XMEMCPY(&pv, input + i, OPAQUE16_LEN);
9384 if (pv.minor > ssl->version.minor) {
9385 WOLFSSL_MSG("Server using higher version, fatal error");
9386 return VERSION_ERROR;
9388 else if (pv.minor < ssl->version.minor) {
9389 WOLFSSL_MSG("server using lower version");
9391 if (!ssl->options.downgrade) {
9392 WOLFSSL_MSG(" no downgrade allowed, fatal error");
9393 return VERSION_ERROR;
9395 if (pv.minor < ssl->options.minDowngrade) {
9396 WOLFSSL_MSG(" version below minimum allowed, fatal error");
9397 return VERSION_ERROR;
9400 #ifdef HAVE_SECURE_RENEGOTIATION
9401 if (ssl->secure_renegotiation &&
9402 ssl->secure_renegotiation->enabled &&
9403 ssl->options.handShakeDone) {
9404 WOLFSSL_MSG("Server changed version during scr");
9405 return VERSION_ERROR;
9409 if (pv.minor == SSLv3_MINOR) {
9411 WOLFSSL_MSG(" downgrading to SSLv3");
9412 ssl->options.tls = 0;
9413 ssl->options.tls1_1 = 0;
9414 ssl->version.minor = SSLv3_MINOR;
9416 else if (pv.minor == TLSv1_MINOR) {
9417 /* turn off tls 1.1+ */
9418 WOLFSSL_MSG(" downgrading to TLSv1");
9419 ssl->options.tls1_1 = 0;
9420 ssl->version.minor = TLSv1_MINOR;
9422 else if (pv.minor == TLSv1_1_MINOR) {
9423 WOLFSSL_MSG(" downgrading to TLSv1.1");
9424 ssl->version.minor = TLSv1_1_MINOR;
9429 XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN);
9433 ssl->arrays->sessionIDSz = input[i++];
9435 if (ssl->arrays->sessionIDSz > ID_LEN) {
9436 WOLFSSL_MSG("Invalid session ID size");
9437 ssl->arrays->sessionIDSz = 0;
9438 return BUFFER_ERROR;
9440 else if (ssl->arrays->sessionIDSz) {
9441 if ((i - begin) + ssl->arrays->sessionIDSz > helloSz)
9442 return BUFFER_ERROR;
9444 XMEMCPY(ssl->arrays->sessionID, input + i,
9445 ssl->arrays->sessionIDSz);
9446 i += ssl->arrays->sessionIDSz;
9447 ssl->options.haveSessionId = 1;
9451 /* suite and compression */
9452 if ((i - begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz)
9453 return BUFFER_ERROR;
9458 #ifdef HAVE_SECURE_RENEGOTIATION
9459 if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled &&
9460 ssl->options.handShakeDone) {
9461 if (ssl->options.cipherSuite0 != cs0 ||
9462 ssl->options.cipherSuite != cs1) {
9463 WOLFSSL_MSG("Server changed cipher suite during scr");
9464 return MATCH_SUITE_ERROR;
9469 ssl->options.cipherSuite0 = cs0;
9470 ssl->options.cipherSuite = cs1;
9471 compression = input[i++];
9473 if (compression != ZLIB_COMPRESSION && ssl->options.usingCompression) {
9474 WOLFSSL_MSG("Server refused compression, turning off");
9475 ssl->options.usingCompression = 0; /* turn off if server refused */
9480 /* tls extensions */
9481 if ( (i - begin) < helloSz) {
9482 #ifdef HAVE_TLS_EXTENSIONS
9483 if (TLSX_SupportExtensions(ssl)) {
9487 if ((i - begin) + OPAQUE16_LEN > helloSz)
9488 return BUFFER_ERROR;
9490 ato16(&input[i], &totalExtSz);
9493 if ((i - begin) + totalExtSz > helloSz)
9494 return BUFFER_ERROR;
9496 if ((ret = TLSX_Parse(ssl, (byte *) input + i,
9497 totalExtSz, 0, NULL)))
9505 *inOutIdx = begin + helloSz; /* skip extensions */
9508 ssl->options.serverState = SERVER_HELLO_COMPLETE;
9510 if (ssl->keys.encryptionOn) {
9511 *inOutIdx += ssl->keys.padSz;
9514 #ifdef HAVE_SECRET_CALLBACK
9515 if (ssl->sessionSecretCb != NULL) {
9516 int secretSz = SECRET_LEN, ret;
9517 ret = ssl->sessionSecretCb(ssl, ssl->session.masterSecret,
9518 &secretSz, ssl->sessionSecretCtx);
9519 if (ret != 0 || secretSz != SECRET_LEN)
9520 return SESSION_SECRET_CB_E;
9522 #endif /* HAVE_SECRET_CALLBACK */
9524 if (ssl->options.resuming) {
9525 if (DSH_CheckSessionId(ssl)) {
9526 if (SetCipherSpecs(ssl) == 0) {
9529 XMEMCPY(ssl->arrays->masterSecret,
9530 ssl->session.masterSecret, SECRET_LEN);
9532 ret = DeriveTlsKeys(ssl);
9535 if (ssl->options.tls)
9536 ret = DeriveTlsKeys(ssl);
9538 if (!ssl->options.tls)
9539 ret = DeriveKeys(ssl);
9541 ssl->options.serverState = SERVER_HELLODONE_COMPLETE;
9546 WOLFSSL_MSG("Unsupported cipher suite, DoServerHello");
9547 return UNSUPPORTED_SUITE;
9551 WOLFSSL_MSG("Server denied resumption attempt");
9552 ssl->options.resuming = 0; /* server denied resumption try */
9556 if (ssl->options.dtls) {
9561 return SetCipherSpecs(ssl);
9565 /* Make sure client setup is valid for this suite, true on success */
9566 int VerifyClientSuite(WOLFSSL* ssl)
9569 byte first = ssl->options.cipherSuite0;
9570 byte second = ssl->options.cipherSuite;
9572 WOLFSSL_ENTER("VerifyClientSuite");
9575 havePSK = ssl->options.havePSK;
9578 if (CipherRequires(first, second, REQUIRES_PSK)) {
9579 WOLFSSL_MSG("Requires PSK");
9581 WOLFSSL_MSG("Don't have PSK");
9586 return 1; /* success */
9591 /* just read in and ignore for now TODO: */
9592 static int DoCertificateRequest(WOLFSSL* ssl, const byte* input, word32*
9593 inOutIdx, word32 size)
9596 word32 begin = *inOutIdx;
9598 #ifdef WOLFSSL_CALLBACKS
9600 AddPacketName("CertificateRequest", &ssl->handShakeInfo);
9602 AddLateName("CertificateRequest", &ssl->timeoutInfo);
9605 if ((*inOutIdx - begin) + OPAQUE8_LEN > size)
9606 return BUFFER_ERROR;
9608 len = input[(*inOutIdx)++];
9610 if ((*inOutIdx - begin) + len > size)
9611 return BUFFER_ERROR;
9613 /* types, read in here */
9616 /* signature and hash signature algorithm */
9617 if (IsAtLeastTLSv1_2(ssl)) {
9618 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
9619 return BUFFER_ERROR;
9621 ato16(input + *inOutIdx, &len);
9622 *inOutIdx += OPAQUE16_LEN;
9624 if ((*inOutIdx - begin) + len > size)
9625 return BUFFER_ERROR;
9627 PickHashSigAlgo(ssl, input + *inOutIdx, len);
9632 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
9633 return BUFFER_ERROR;
9635 ato16(input + *inOutIdx, &len);
9636 *inOutIdx += OPAQUE16_LEN;
9638 if ((*inOutIdx - begin) + len > size)
9639 return BUFFER_ERROR;
9644 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
9645 return BUFFER_ERROR;
9647 ato16(input + *inOutIdx, &dnSz);
9648 *inOutIdx += OPAQUE16_LEN;
9650 if ((*inOutIdx - begin) + dnSz > size)
9651 return BUFFER_ERROR;
9654 len -= OPAQUE16_LEN + dnSz;
9657 /* don't send client cert or cert verify if user hasn't provided
9658 cert and private key */
9659 if (ssl->buffers.certificate.buffer && ssl->buffers.key.buffer)
9660 ssl->options.sendVerify = SEND_CERT;
9661 else if (IsTLS(ssl))
9662 ssl->options.sendVerify = SEND_BLANK_CERT;
9664 if (ssl->keys.encryptionOn)
9665 *inOutIdx += ssl->keys.padSz;
9669 #endif /* !NO_CERTS */
9674 static int CheckCurveId(int oid)
9679 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
9680 case WOLFSSL_ECC_SECP160R1:
9682 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
9683 case WOLFSSL_ECC_SECP192R1:
9685 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
9686 case WOLFSSL_ECC_SECP224R1:
9688 #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
9689 case WOLFSSL_ECC_SECP256R1:
9691 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
9692 case WOLFSSL_ECC_SECP384R1:
9694 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
9695 case WOLFSSL_ECC_SECP521R1:
9706 #endif /* HAVE_ECC */
9708 static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
9709 word32* inOutIdx, word32 size)
9712 word32 begin = *inOutIdx;
9714 #define ERROR_OUT(err, eLabel) do { ret = err; goto eLabel; } while(0)
9716 (void)length; /* shut up compiler warnings */
9723 #ifdef WOLFSSL_CALLBACKS
9725 AddPacketName("ServerKeyExchange", &ssl->handShakeInfo);
9727 AddLateName("ServerKeyExchange", &ssl->timeoutInfo);
9731 if (ssl->specs.kea == psk_kea) {
9733 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
9734 return BUFFER_ERROR;
9736 ato16(input + *inOutIdx, &length);
9737 *inOutIdx += OPAQUE16_LEN;
9739 if ((*inOutIdx - begin) + length > size)
9740 return BUFFER_ERROR;
9742 XMEMCPY(ssl->arrays->server_hint, input + *inOutIdx,
9743 min(length, MAX_PSK_ID_LEN));
9745 ssl->arrays->server_hint[min(length, MAX_PSK_ID_LEN - 1)] = 0;
9746 *inOutIdx += length;
9752 if (ssl->specs.kea == diffie_hellman_kea)
9755 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
9756 return BUFFER_ERROR;
9758 ato16(input + *inOutIdx, &length);
9759 *inOutIdx += OPAQUE16_LEN;
9761 if ((*inOutIdx - begin) + length > size)
9762 return BUFFER_ERROR;
9764 if (length < ssl->options.minDhKeySz) {
9765 WOLFSSL_MSG("Server using a DH key that is too small");
9766 SendAlert(ssl, alert_fatal, handshake_failure);
9767 return DH_KEY_SIZE_E;
9770 ssl->buffers.serverDH_P.buffer = (byte*) XMALLOC(length, ssl->heap,
9773 if (ssl->buffers.serverDH_P.buffer)
9774 ssl->buffers.serverDH_P.length = length;
9776 return MEMORY_ERROR;
9778 XMEMCPY(ssl->buffers.serverDH_P.buffer, input + *inOutIdx, length);
9779 *inOutIdx += length;
9781 ssl->options.dhKeySz = length;
9784 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
9785 return BUFFER_ERROR;
9787 ato16(input + *inOutIdx, &length);
9788 *inOutIdx += OPAQUE16_LEN;
9790 if ((*inOutIdx - begin) + length > size)
9791 return BUFFER_ERROR;
9793 ssl->buffers.serverDH_G.buffer = (byte*) XMALLOC(length, ssl->heap,
9796 if (ssl->buffers.serverDH_G.buffer)
9797 ssl->buffers.serverDH_G.length = length;
9799 return MEMORY_ERROR;
9801 XMEMCPY(ssl->buffers.serverDH_G.buffer, input + *inOutIdx, length);
9802 *inOutIdx += length;
9805 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
9806 return BUFFER_ERROR;
9808 ato16(input + *inOutIdx, &length);
9809 *inOutIdx += OPAQUE16_LEN;
9811 if ((*inOutIdx - begin) + length > size)
9812 return BUFFER_ERROR;
9814 ssl->buffers.serverDH_Pub.buffer = (byte*) XMALLOC(length, ssl->heap,
9817 if (ssl->buffers.serverDH_Pub.buffer)
9818 ssl->buffers.serverDH_Pub.length = length;
9820 return MEMORY_ERROR;
9822 XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + *inOutIdx, length);
9823 *inOutIdx += length;
9828 if (ssl->specs.kea == ecc_diffie_hellman_kea)
9832 if ((*inOutIdx - begin) + ENUM_LEN + OPAQUE16_LEN + OPAQUE8_LEN > size)
9833 return BUFFER_ERROR;
9835 b = input[(*inOutIdx)++];
9837 if (b != named_curve)
9838 return ECC_CURVETYPE_ERROR;
9840 *inOutIdx += 1; /* curve type, eat leading 0 */
9841 b = input[(*inOutIdx)++];
9843 if (CheckCurveId(b) != 0) {
9844 return ECC_CURVE_ERROR;
9847 length = input[(*inOutIdx)++];
9849 if ((*inOutIdx - begin) + length > size)
9850 return BUFFER_ERROR;
9852 if (ssl->peerEccKey == NULL) {
9853 /* alloc/init on demand */
9854 ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
9855 ssl->ctx->heap, DYNAMIC_TYPE_ECC);
9856 if (ssl->peerEccKey == NULL) {
9857 WOLFSSL_MSG("PeerEccKey Memory error");
9860 wc_ecc_init(ssl->peerEccKey);
9861 } else if (ssl->peerEccKeyPresent) { /* don't leak on reuse */
9862 wc_ecc_free(ssl->peerEccKey);
9863 ssl->peerEccKeyPresent = 0;
9864 wc_ecc_init(ssl->peerEccKey);
9867 if (wc_ecc_import_x963(input + *inOutIdx, length, ssl->peerEccKey) != 0)
9868 return ECC_PEERKEY_ERROR;
9870 *inOutIdx += length;
9871 ssl->peerEccKeyPresent = 1;
9873 #endif /* HAVE_ECC */
9875 #if !defined(NO_DH) && !defined(NO_PSK)
9876 if (ssl->specs.kea == dhe_psk_kea) {
9877 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
9878 return BUFFER_ERROR;
9880 ato16(input + *inOutIdx, &length);
9881 *inOutIdx += OPAQUE16_LEN;
9883 if ((*inOutIdx - begin) + length > size)
9884 return BUFFER_ERROR;
9886 XMEMCPY(ssl->arrays->server_hint, input + *inOutIdx,
9887 min(length, MAX_PSK_ID_LEN));
9889 ssl->arrays->server_hint[min(length, MAX_PSK_ID_LEN - 1)] = 0;
9890 *inOutIdx += length;
9893 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
9894 return BUFFER_ERROR;
9896 ato16(input + *inOutIdx, &length);
9897 *inOutIdx += OPAQUE16_LEN;
9899 if ((*inOutIdx - begin) + length > size)
9900 return BUFFER_ERROR;
9902 if (length < ssl->options.minDhKeySz) {
9903 WOLFSSL_MSG("Server using a DH key that is too small");
9904 SendAlert(ssl, alert_fatal, handshake_failure);
9905 return DH_KEY_SIZE_E;
9908 ssl->buffers.serverDH_P.buffer = (byte*) XMALLOC(length, ssl->heap,
9911 if (ssl->buffers.serverDH_P.buffer)
9912 ssl->buffers.serverDH_P.length = length;
9914 return MEMORY_ERROR;
9916 XMEMCPY(ssl->buffers.serverDH_P.buffer, input + *inOutIdx, length);
9917 *inOutIdx += length;
9919 ssl->options.dhKeySz = length;
9922 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
9923 return BUFFER_ERROR;
9925 ato16(input + *inOutIdx, &length);
9926 *inOutIdx += OPAQUE16_LEN;
9928 if ((*inOutIdx - begin) + length > size)
9929 return BUFFER_ERROR;
9931 ssl->buffers.serverDH_G.buffer = (byte*) XMALLOC(length, ssl->heap,
9934 if (ssl->buffers.serverDH_G.buffer)
9935 ssl->buffers.serverDH_G.length = length;
9937 return MEMORY_ERROR;
9939 XMEMCPY(ssl->buffers.serverDH_G.buffer, input + *inOutIdx, length);
9940 *inOutIdx += length;
9943 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
9944 return BUFFER_ERROR;
9946 ato16(input + *inOutIdx, &length);
9947 *inOutIdx += OPAQUE16_LEN;
9949 if ((*inOutIdx - begin) + length > size)
9950 return BUFFER_ERROR;
9952 ssl->buffers.serverDH_Pub.buffer = (byte*) XMALLOC(length, ssl->heap,
9955 if (ssl->buffers.serverDH_Pub.buffer)
9956 ssl->buffers.serverDH_Pub.length = length;
9958 return MEMORY_ERROR;
9960 XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + *inOutIdx, length);
9961 *inOutIdx += length;
9963 #endif /* !NO_DH || !NO_PSK */
9965 #if !defined(NO_DH) || defined(HAVE_ECC)
9966 if (!ssl->options.usingAnon_cipher &&
9967 (ssl->specs.kea == ecc_diffie_hellman_kea ||
9968 ssl->specs.kea == diffie_hellman_kea))
9971 #ifdef WOLFSSL_SMALL_STACK
9980 #ifdef WOLFSSL_SMALL_STACK
9981 Sha256* sha256 = NULL;
9982 byte* hash256 = NULL;
9985 byte hash256[SHA256_DIGEST_SIZE];
9988 #ifdef WOLFSSL_SHA384
9989 #ifdef WOLFSSL_SMALL_STACK
9990 Sha384* sha384 = NULL;
9991 byte* hash384 = NULL;
9994 byte hash384[SHA384_DIGEST_SIZE];
9997 #ifdef WOLFSSL_SHA512
9998 #ifdef WOLFSSL_SMALL_STACK
9999 Sha512* sha512 = NULL;
10000 byte* hash512 = NULL;
10003 byte hash512[SHA512_DIGEST_SIZE];
10006 #ifdef WOLFSSL_SMALL_STACK
10008 byte* messageVerify = NULL;
10010 byte hash[FINISHED_SZ];
10011 byte messageVerify[MAX_DH_SZ];
10013 byte hashAlgo = sha_mac;
10014 byte sigAlgo = ssl->specs.sig_algo;
10015 word16 verifySz = (word16) (*inOutIdx - begin);
10024 #ifdef WOLFSSL_SHA384
10027 #ifdef WOLFSSL_SHA512
10035 /* save message for hash verify */
10036 if (verifySz > MAX_DH_SZ)
10037 ERROR_OUT(BUFFER_ERROR, done);
10039 #ifdef WOLFSSL_SMALL_STACK
10040 messageVerify = (byte*)XMALLOC(MAX_DH_SZ, NULL,
10041 DYNAMIC_TYPE_TMP_BUFFER);
10042 if (messageVerify == NULL)
10043 ERROR_OUT(MEMORY_E, done);
10046 XMEMCPY(messageVerify, input + begin, verifySz);
10048 if (IsAtLeastTLSv1_2(ssl)) {
10050 if ((*inOutIdx - begin) + ENUM_LEN + ENUM_LEN > size)
10051 ERROR_OUT(BUFFER_ERROR, done);
10053 hashAlgo = input[(*inOutIdx)++];
10054 sigAlgo = input[(*inOutIdx)++];
10056 switch (hashAlgo) {
10058 #ifdef WOLFSSL_SHA512
10065 #ifdef WOLFSSL_SHA384
10086 ERROR_OUT(ALGO_ID_E, done);
10089 if (setHash == 0) {
10090 ERROR_OUT(ALGO_ID_E, done);
10094 /* only using sha and md5 for rsa */
10097 if (sigAlgo == rsa_sa_algo) {
10101 ERROR_OUT(ALGO_ID_E, done);
10106 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
10107 ERROR_OUT(BUFFER_ERROR, done);
10109 ato16(input + *inOutIdx, &length);
10110 *inOutIdx += OPAQUE16_LEN;
10112 if ((*inOutIdx - begin) + length > size)
10113 ERROR_OUT(BUFFER_ERROR, done);
10115 /* inOutIdx updated at the end of the function */
10117 /* verify signature */
10118 #ifdef WOLFSSL_SMALL_STACK
10119 hash = (byte*)XMALLOC(FINISHED_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10121 ERROR_OUT(MEMORY_E, done);
10126 #ifdef WOLFSSL_SMALL_STACK
10128 md5 = (Md5*)XMALLOC(sizeof(Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER);
10130 ERROR_OUT(MEMORY_E, done);
10135 wc_Md5Update(md5, ssl->arrays->clientRandom, RAN_LEN);
10136 wc_Md5Update(md5, ssl->arrays->serverRandom, RAN_LEN);
10137 wc_Md5Update(md5, messageVerify, verifySz);
10138 wc_Md5Final(md5, hash);
10141 #ifdef WOLFSSL_SMALL_STACK
10143 sha = (Sha*)XMALLOC(sizeof(Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER);
10145 ERROR_OUT(MEMORY_E, done);
10149 ret = wc_InitSha(sha);
10150 if (ret != 0) goto done;
10151 wc_ShaUpdate(sha, ssl->arrays->clientRandom, RAN_LEN);
10152 wc_ShaUpdate(sha, ssl->arrays->serverRandom, RAN_LEN);
10153 wc_ShaUpdate(sha, messageVerify, verifySz);
10154 wc_ShaFinal(sha, hash + MD5_DIGEST_SIZE);
10159 #ifdef WOLFSSL_SMALL_STACK
10161 sha256 = (Sha256*)XMALLOC(sizeof(Sha256), NULL,
10162 DYNAMIC_TYPE_TMP_BUFFER);
10163 hash256 = (byte*)XMALLOC(SHA256_DIGEST_SIZE, NULL,
10164 DYNAMIC_TYPE_TMP_BUFFER);
10165 if (sha256 == NULL || hash256 == NULL)
10166 ERROR_OUT(MEMORY_E, done);
10170 if (!(ret = wc_InitSha256(sha256))
10171 && !(ret = wc_Sha256Update(sha256, ssl->arrays->clientRandom,
10173 && !(ret = wc_Sha256Update(sha256, ssl->arrays->serverRandom,
10175 && !(ret = wc_Sha256Update(sha256, messageVerify, verifySz)))
10176 ret = wc_Sha256Final(sha256, hash256);
10177 if (ret != 0) goto done;
10181 #ifdef WOLFSSL_SHA384
10182 #ifdef WOLFSSL_SMALL_STACK
10184 sha384 = (Sha384*)XMALLOC(sizeof(Sha384), NULL,
10185 DYNAMIC_TYPE_TMP_BUFFER);
10186 hash384 = (byte*)XMALLOC(SHA384_DIGEST_SIZE, NULL,
10187 DYNAMIC_TYPE_TMP_BUFFER);
10188 if (sha384 == NULL || hash384 == NULL)
10189 ERROR_OUT(MEMORY_E, done);
10193 if (!(ret = wc_InitSha384(sha384))
10194 && !(ret = wc_Sha384Update(sha384, ssl->arrays->clientRandom,
10196 && !(ret = wc_Sha384Update(sha384, ssl->arrays->serverRandom,
10198 && !(ret = wc_Sha384Update(sha384, messageVerify, verifySz)))
10199 ret = wc_Sha384Final(sha384, hash384);
10200 if (ret != 0) goto done;
10204 #ifdef WOLFSSL_SHA512
10205 #ifdef WOLFSSL_SMALL_STACK
10207 sha512 = (Sha512*)XMALLOC(sizeof(Sha512), NULL,
10208 DYNAMIC_TYPE_TMP_BUFFER);
10209 hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL,
10210 DYNAMIC_TYPE_TMP_BUFFER);
10211 if (sha512 == NULL || hash512 == NULL)
10212 ERROR_OUT(MEMORY_E, done);
10216 if (!(ret = wc_InitSha512(sha512))
10217 && !(ret = wc_Sha512Update(sha512, ssl->arrays->clientRandom,
10219 && !(ret = wc_Sha512Update(sha512, ssl->arrays->serverRandom,
10221 && !(ret = wc_Sha512Update(sha512, messageVerify, verifySz)))
10222 ret = wc_Sha512Final(sha512, hash512);
10223 if (ret != 0) goto done;
10229 if (sigAlgo == rsa_sa_algo)
10232 byte doUserRsa = 0;
10233 word32 verifiedSz = 0;
10235 #ifdef HAVE_PK_CALLBACKS
10236 if (ssl->ctx->RsaVerifyCb)
10238 #endif /*HAVE_PK_CALLBACKS */
10240 if (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)
10241 ERROR_OUT(NO_PEER_KEY, done);
10244 #ifdef HAVE_PK_CALLBACKS
10245 verifiedSz = ssl->ctx->RsaVerifyCb(ssl,
10246 (byte *)input + *inOutIdx,
10248 ssl->buffers.peerRsaKey.buffer,
10249 ssl->buffers.peerRsaKey.length,
10250 ssl->RsaVerifyCtx);
10251 #endif /*HAVE_PK_CALLBACKS */
10254 verifiedSz = wc_RsaSSL_VerifyInline((byte *)input + *inOutIdx,
10255 length, &out, ssl->peerRsaKey);
10257 if (IsAtLeastTLSv1_2(ssl)) {
10260 byte* digest = &hash[MD5_DIGEST_SIZE];
10262 int digestSz = SHA_DIGEST_SIZE;
10264 byte* digest = hash256;
10265 int typeH = SHA256h;
10266 int digestSz = SHA256_DIGEST_SIZE;
10268 #ifdef WOLFSSL_SMALL_STACK
10269 byte* encodedSig = NULL;
10271 byte encodedSig[MAX_ENCODED_SIG_SZ];
10274 if (hashAlgo == sha_mac) {
10276 digest = &hash[MD5_DIGEST_SIZE];
10278 digestSz = SHA_DIGEST_SIZE;
10281 else if (hashAlgo == sha256_mac) {
10285 digestSz = SHA256_DIGEST_SIZE;
10288 else if (hashAlgo == sha384_mac) {
10289 #ifdef WOLFSSL_SHA384
10292 digestSz = SHA384_DIGEST_SIZE;
10295 else if (hashAlgo == sha512_mac) {
10296 #ifdef WOLFSSL_SHA512
10299 digestSz = SHA512_DIGEST_SIZE;
10303 #ifdef WOLFSSL_SMALL_STACK
10304 encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
10305 DYNAMIC_TYPE_TMP_BUFFER);
10306 if (encodedSig == NULL)
10307 ERROR_OUT(MEMORY_E, done);
10310 if (digest == NULL)
10311 ERROR_OUT(ALGO_ID_E, done);
10312 encSigSz = wc_EncodeSignature(encodedSig, digest, digestSz,
10314 if (encSigSz != verifiedSz || !out || XMEMCMP(out, encodedSig,
10315 min(encSigSz, MAX_ENCODED_SIG_SZ)) != 0)
10316 ret = VERIFY_SIGN_ERROR;
10318 #ifdef WOLFSSL_SMALL_STACK
10319 XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10324 else if (verifiedSz != FINISHED_SZ || !out || XMEMCMP(out,
10325 hash, FINISHED_SZ) != 0)
10326 ERROR_OUT(VERIFY_SIGN_ERROR, done);
10331 if (sigAlgo == ecc_dsa_sa_algo) {
10334 byte* digest = &hash[MD5_DIGEST_SIZE];
10335 word32 digestSz = SHA_DIGEST_SIZE;
10337 byte* digest = hash256;
10338 word32 digestSz = SHA256_DIGEST_SIZE;
10340 byte doUserEcc = 0;
10342 #ifdef HAVE_PK_CALLBACKS
10343 if (ssl->ctx->EccVerifyCb)
10347 if (!ssl->peerEccDsaKeyPresent)
10348 ERROR_OUT(NO_PEER_KEY, done);
10350 if (IsAtLeastTLSv1_2(ssl)) {
10351 if (hashAlgo == sha_mac) {
10353 digest = &hash[MD5_DIGEST_SIZE];
10354 digestSz = SHA_DIGEST_SIZE;
10357 else if (hashAlgo == sha256_mac) {
10360 digestSz = SHA256_DIGEST_SIZE;
10363 else if (hashAlgo == sha384_mac) {
10364 #ifdef WOLFSSL_SHA384
10366 digestSz = SHA384_DIGEST_SIZE;
10369 else if (hashAlgo == sha512_mac) {
10370 #ifdef WOLFSSL_SHA512
10372 digestSz = SHA512_DIGEST_SIZE;
10377 #ifdef HAVE_PK_CALLBACKS
10378 ret = ssl->ctx->EccVerifyCb(ssl, input + *inOutIdx, length,
10380 ssl->buffers.peerEccDsaKey.buffer,
10381 ssl->buffers.peerEccDsaKey.length,
10382 &verify, ssl->EccVerifyCtx);
10386 ret = wc_ecc_verify_hash(input + *inOutIdx, length,
10387 digest, digestSz, &verify, ssl->peerEccDsaKey);
10389 if (ret != 0 || verify == 0)
10390 ERROR_OUT(VERIFY_SIGN_ERROR, done);
10393 #endif /* HAVE_ECC */
10394 ERROR_OUT(ALGO_ID_E, done);
10396 /* signature length */
10397 *inOutIdx += length;
10399 ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
10402 #ifdef WOLFSSL_SMALL_STACK
10404 XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10405 XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10408 XFREE(sha256, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10409 XFREE(hash256, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10411 #ifdef WOLFSSL_SHA384
10412 XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10413 XFREE(hash384, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10415 #ifdef WOLFSSL_SHA512
10416 XFREE(sha512, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10417 XFREE(hash512, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10419 XFREE(hash, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10420 XFREE(messageVerify, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10426 if (ssl->keys.encryptionOn) {
10427 *inOutIdx += ssl->keys.padSz;
10431 #else /* !NO_DH or HAVE_ECC */
10432 return NOT_COMPILED_IN; /* not supported by build */
10433 #endif /* !NO_DH or HAVE_ECC */
10439 int SendClientKeyExchange(WOLFSSL* ssl)
10441 #ifdef WOLFSSL_SMALL_STACK
10442 byte* encSecret = NULL;
10444 byte encSecret[MAX_ENCRYPT_SZ];
10449 byte doUserRsa = 0;
10453 #ifdef HAVE_PK_CALLBACKS
10455 if (ssl->ctx->RsaEncCb)
10457 #endif /* NO_RSA */
10458 #endif /*HAVE_PK_CALLBACKS */
10460 #ifdef WOLFSSL_SMALL_STACK
10461 encSecret = (byte*)XMALLOC(MAX_ENCRYPT_SZ, NULL,
10462 DYNAMIC_TYPE_TMP_BUFFER);
10463 if (encSecret == NULL)
10467 switch (ssl->specs.kea) {
10470 ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->preMasterSecret,
10473 #ifdef WOLFSSL_SMALL_STACK
10474 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10479 ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
10480 ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
10481 ssl->arrays->preMasterSz = SECRET_LEN;
10483 if (ssl->peerRsaKey == NULL || ssl->peerRsaKeyPresent == 0) {
10484 #ifdef WOLFSSL_SMALL_STACK
10485 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10487 return NO_PEER_KEY;
10491 #ifdef HAVE_PK_CALLBACKS
10493 encSz = MAX_ENCRYPT_SZ;
10494 ret = ssl->ctx->RsaEncCb(ssl,
10495 ssl->arrays->preMasterSecret,
10498 ssl->buffers.peerRsaKey.buffer,
10499 ssl->buffers.peerRsaKey.length,
10501 #endif /* NO_RSA */
10502 #endif /*HAVE_PK_CALLBACKS */
10505 ret = wc_RsaPublicEncrypt(ssl->arrays->preMasterSecret,
10506 SECRET_LEN, encSecret, MAX_ENCRYPT_SZ,
10507 ssl->peerRsaKey, ssl->rng);
10510 ret = 0; /* set success to 0 */
10516 case diffie_hellman_kea:
10518 buffer serverP = ssl->buffers.serverDH_P;
10519 buffer serverG = ssl->buffers.serverDH_G;
10520 buffer serverPub = ssl->buffers.serverDH_Pub;
10521 #ifdef WOLFSSL_SMALL_STACK
10524 byte priv[ENCRYPT_LEN];
10529 if (serverP.buffer == 0 || serverG.buffer == 0 ||
10530 serverPub.buffer == 0) {
10531 #ifdef WOLFSSL_SMALL_STACK
10532 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10534 return NO_PEER_KEY;
10537 #ifdef WOLFSSL_SMALL_STACK
10538 priv = (byte*)XMALLOC(ENCRYPT_LEN, NULL,
10539 DYNAMIC_TYPE_TMP_BUFFER);
10540 if (priv == NULL) {
10541 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10546 wc_InitDhKey(&key);
10547 ret = wc_DhSetKey(&key, serverP.buffer, serverP.length,
10548 serverG.buffer, serverG.length);
10550 /* for DH, encSecret is Yc, agree is pre-master */
10551 ret = wc_DhGenerateKeyPair(&key, ssl->rng, priv, &privSz,
10552 encSecret, &encSz);
10554 ret = wc_DhAgree(&key, ssl->arrays->preMasterSecret,
10555 &ssl->arrays->preMasterSz, priv, privSz,
10556 serverPub.buffer, serverPub.length);
10557 #ifdef WOLFSSL_SMALL_STACK
10558 XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10560 wc_FreeDhKey(&key);
10567 byte* pms = ssl->arrays->preMasterSecret;
10569 ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
10570 ssl->arrays->server_hint, ssl->arrays->client_identity,
10571 MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
10572 if (ssl->arrays->psk_keySz == 0 ||
10573 ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
10574 #ifdef WOLFSSL_SMALL_STACK
10575 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10577 return PSK_KEY_ERROR;
10579 encSz = (word32)XSTRLEN(ssl->arrays->client_identity);
10580 if (encSz > MAX_PSK_ID_LEN) {
10581 #ifdef WOLFSSL_SMALL_STACK
10582 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10584 return CLIENT_ID_ERROR;
10586 XMEMCPY(encSecret, ssl->arrays->client_identity, encSz);
10588 /* make psk pre master secret */
10589 /* length of key + length 0s + length of key + key */
10590 c16toa((word16)ssl->arrays->psk_keySz, pms);
10592 XMEMSET(pms, 0, ssl->arrays->psk_keySz);
10593 pms += ssl->arrays->psk_keySz;
10594 c16toa((word16)ssl->arrays->psk_keySz, pms);
10596 XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz);
10597 ssl->arrays->preMasterSz = ssl->arrays->psk_keySz * 2 + 4;
10598 ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz);
10599 ssl->arrays->psk_keySz = 0; /* No further need */
10602 #endif /* NO_PSK */
10603 #if !defined(NO_DH) && !defined(NO_PSK)
10606 byte* pms = ssl->arrays->preMasterSecret;
10607 byte* es = encSecret;
10608 buffer serverP = ssl->buffers.serverDH_P;
10609 buffer serverG = ssl->buffers.serverDH_G;
10610 buffer serverPub = ssl->buffers.serverDH_Pub;
10611 #ifdef WOLFSSL_SMALL_STACK
10614 byte priv[ENCRYPT_LEN];
10621 if (serverP.buffer == 0 || serverG.buffer == 0 ||
10622 serverPub.buffer == 0) {
10623 #ifdef WOLFSSL_SMALL_STACK
10624 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10626 return NO_PEER_KEY;
10629 ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
10630 ssl->arrays->server_hint, ssl->arrays->client_identity,
10631 MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
10632 if (ssl->arrays->psk_keySz == 0 ||
10633 ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
10634 #ifdef WOLFSSL_SMALL_STACK
10635 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10637 return PSK_KEY_ERROR;
10639 esSz = (word32)XSTRLEN(ssl->arrays->client_identity);
10641 if (esSz > MAX_PSK_ID_LEN) {
10642 #ifdef WOLFSSL_SMALL_STACK
10643 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10645 return CLIENT_ID_ERROR;
10648 #ifdef WOLFSSL_SMALL_STACK
10649 priv = (byte*)XMALLOC(ENCRYPT_LEN, NULL,
10650 DYNAMIC_TYPE_TMP_BUFFER);
10651 if (priv == NULL) {
10652 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10656 c16toa((word16)esSz, es);
10657 es += OPAQUE16_LEN;
10658 XMEMCPY(es, ssl->arrays->client_identity, esSz);
10660 encSz = esSz + OPAQUE16_LEN;
10662 wc_InitDhKey(&key);
10663 ret = wc_DhSetKey(&key, serverP.buffer, serverP.length,
10664 serverG.buffer, serverG.length);
10666 /* for DH, encSecret is Yc, agree is pre-master */
10667 ret = wc_DhGenerateKeyPair(&key, ssl->rng, priv, &privSz,
10668 es + OPAQUE16_LEN, &pubSz);
10670 ret = wc_DhAgree(&key, pms + OPAQUE16_LEN,
10671 &ssl->arrays->preMasterSz, priv, privSz,
10672 serverPub.buffer, serverPub.length);
10673 wc_FreeDhKey(&key);
10674 #ifdef WOLFSSL_SMALL_STACK
10675 XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10678 #ifdef WOLFSSL_SMALL_STACK
10679 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10684 c16toa((word16)pubSz, es);
10685 encSz += pubSz + OPAQUE16_LEN;
10686 c16toa((word16)ssl->arrays->preMasterSz, pms);
10687 ssl->arrays->preMasterSz += OPAQUE16_LEN;
10688 pms += ssl->arrays->preMasterSz;
10690 /* make psk pre master secret */
10691 /* length of key + length 0s + length of key + key */
10692 c16toa((word16)ssl->arrays->psk_keySz, pms);
10693 pms += OPAQUE16_LEN;
10694 XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz);
10695 ssl->arrays->preMasterSz +=
10696 ssl->arrays->psk_keySz + OPAQUE16_LEN;
10697 ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz);
10698 ssl->arrays->psk_keySz = 0; /* No further need */
10701 #endif /* !NO_DH && !NO_PSK */
10706 word16 cipherLen = MAX_ENCRYPT_SZ;
10708 static uint8_t const wolfsslStr[] = {
10709 'C', 'y', 'a', 'S', 'S', 'L', ' ', 'N', 'T', 'R', 'U'
10712 ret = wc_RNG_GenerateBlock(ssl->rng,
10713 ssl->arrays->preMasterSecret, SECRET_LEN);
10715 #ifdef WOLFSSL_SMALL_STACK
10716 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10721 ssl->arrays->preMasterSz = SECRET_LEN;
10723 if (ssl->peerNtruKeyPresent == 0) {
10724 #ifdef WOLFSSL_SMALL_STACK
10725 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10727 return NO_PEER_KEY;
10730 rc = ntru_crypto_drbg_instantiate(MAX_NTRU_BITS, wolfsslStr,
10731 sizeof(wolfsslStr), GetEntropy,
10733 if (rc != DRBG_OK) {
10734 #ifdef WOLFSSL_SMALL_STACK
10735 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10737 return NTRU_DRBG_ERROR;
10740 rc = ntru_crypto_ntru_encrypt(drbg, ssl->peerNtruKeyLen,
10742 ssl->arrays->preMasterSz,
10743 ssl->arrays->preMasterSecret,
10744 &cipherLen, encSecret);
10745 ntru_crypto_drbg_uninstantiate(drbg);
10746 if (rc != NTRU_OK) {
10747 #ifdef WOLFSSL_SMALL_STACK
10748 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10750 return NTRU_ENCRYPT_ERROR;
10757 #endif /* HAVE_NTRU */
10759 case ecc_diffie_hellman_kea:
10762 ecc_key* peerKey = NULL;
10763 word32 size = MAX_ENCRYPT_SZ;
10765 if (ssl->specs.static_ecdh) {
10766 /* TODO: EccDsa is really fixed Ecc change naming */
10767 if (!ssl->peerEccDsaKey || !ssl->peerEccDsaKeyPresent ||
10768 !ssl->peerEccDsaKey->dp) {
10769 #ifdef WOLFSSL_SMALL_STACK
10770 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10772 return NO_PEER_KEY;
10774 peerKey = ssl->peerEccDsaKey;
10777 if (!ssl->peerEccKey || !ssl->peerEccKeyPresent ||
10778 !ssl->peerEccKey->dp) {
10779 #ifdef WOLFSSL_SMALL_STACK
10780 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10782 return NO_PEER_KEY;
10784 peerKey = ssl->peerEccKey;
10787 if (peerKey == NULL) {
10788 #ifdef WOLFSSL_SMALL_STACK
10789 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10791 return NO_PEER_KEY;
10794 wc_ecc_init(&myKey);
10795 ret = wc_ecc_make_key(ssl->rng, peerKey->dp->size, &myKey);
10797 #ifdef WOLFSSL_SMALL_STACK
10798 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10800 return ECC_MAKEKEY_ERROR;
10803 /* precede export with 1 byte length */
10804 ret = wc_ecc_export_x963(&myKey, encSecret + 1, &size);
10805 encSecret[0] = (byte)size;
10809 ret = ECC_EXPORT_ERROR;
10811 size = sizeof(ssl->arrays->preMasterSecret);
10812 ret = wc_ecc_shared_secret(&myKey, peerKey,
10813 ssl->arrays->preMasterSecret, &size);
10815 ret = ECC_SHARED_ERROR;
10818 ssl->arrays->preMasterSz = size;
10819 wc_ecc_free(&myKey);
10822 #endif /* HAVE_ECC */
10824 #ifdef WOLFSSL_SMALL_STACK
10825 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10827 return ALGO_ID_E; /* unsupported kea */
10835 if (ssl->options.tls || ssl->specs.kea == diffie_hellman_kea)
10838 if (ssl->specs.kea == ecc_diffie_hellman_kea ||
10839 ssl->specs.kea == dhe_psk_kea) /* always off */
10842 sendSz = encSz + tlsSz + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
10843 idx = HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
10845 #ifdef WOLFSSL_DTLS
10846 if (ssl->options.dtls) {
10847 sendSz += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA;
10848 idx += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA;
10852 if (ssl->keys.encryptionOn)
10853 sendSz += MAX_MSG_EXTRA;
10855 /* check for available size */
10856 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) {
10857 #ifdef WOLFSSL_SMALL_STACK
10858 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10863 /* get ouput buffer */
10864 output = ssl->buffers.outputBuffer.buffer +
10865 ssl->buffers.outputBuffer.length;
10867 AddHeaders(output, encSz + tlsSz, client_key_exchange, ssl);
10870 c16toa((word16)encSz, &output[idx]);
10873 XMEMCPY(output + idx, encSecret, encSz);
10876 if (ssl->keys.encryptionOn) {
10878 int inputSz = idx-RECORD_HEADER_SZ; /* buildmsg adds rechdr */
10880 input = (byte*)XMALLOC(inputSz, ssl->heap,
10881 DYNAMIC_TYPE_TMP_BUFFER);
10882 if (input == NULL) {
10883 #ifdef WOLFSSL_SMALL_STACK
10884 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10889 XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz);
10890 sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
10892 XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
10894 #ifdef WOLFSSL_SMALL_STACK
10895 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10900 ret = HashOutput(ssl, output, sendSz, 0);
10902 #ifdef WOLFSSL_SMALL_STACK
10903 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10909 #ifdef WOLFSSL_DTLS
10910 if (ssl->options.dtls) {
10911 if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0) {
10912 #ifdef WOLFSSL_SMALL_STACK
10913 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10920 #ifdef WOLFSSL_CALLBACKS
10922 AddPacketName("ClientKeyExchange", &ssl->handShakeInfo);
10924 AddPacketInfo("ClientKeyExchange", &ssl->timeoutInfo,
10925 output, sendSz, ssl->heap);
10928 ssl->buffers.outputBuffer.length += sendSz;
10930 if (ssl->options.groupMessages)
10933 ret = SendBuffered(ssl);
10936 #ifdef WOLFSSL_SMALL_STACK
10937 XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
10940 if (ret == 0 || ret == WANT_WRITE) {
10941 int tmpRet = MakeMasterSecret(ssl);
10943 ret = tmpRet; /* save WANT_WRITE unless more serious */
10944 ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
10946 /* No further need for PMS */
10947 ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
10948 ssl->arrays->preMasterSz = 0;
10954 int SendCertificateVerify(WOLFSSL* ssl)
10957 int sendSz = MAX_CERT_VERIFY_SZ, length, ret;
10959 word32 sigOutSz = 0;
10962 int initRsaKey = 0;
10971 if (ssl->options.sendVerify == SEND_BLANK_CERT)
10972 return 0; /* sent blank cert, can't verify */
10974 if (ssl->keys.encryptionOn)
10975 sendSz += MAX_MSG_EXTRA;
10977 /* check for available size */
10978 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
10981 /* get ouput buffer */
10982 output = ssl->buffers.outputBuffer.buffer +
10983 ssl->buffers.outputBuffer.length;
10985 ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes);
10990 wc_ecc_init(&eccKey);
10993 ret = wc_InitRsaKey(&key, ssl->heap);
10994 if (ret == 0) initRsaKey = 1;
10996 ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx, &key,
10997 ssl->buffers.key.length);
10999 sigOutSz = wc_RsaEncryptSize(&key);
11004 WOLFSSL_MSG("Trying ECC client cert, RSA didn't work");
11007 ret = wc_EccPrivateKeyDecode(ssl->buffers.key.buffer, &idx, &eccKey,
11008 ssl->buffers.key.length);
11010 WOLFSSL_MSG("Using ECC client cert");
11012 sigOutSz = MAX_ENCODED_SIG_SZ;
11015 WOLFSSL_MSG("Bad client cert type");
11020 byte* verify = (byte*)&output[RECORD_HEADER_SZ +
11021 HANDSHAKE_HEADER_SZ];
11023 byte* signBuffer = ssl->hsHashes->certHashes.md5;
11025 byte* signBuffer = NULL;
11027 word32 signSz = FINISHED_SZ;
11028 word32 extraSz = 0; /* tls 1.2 hash/sig */
11029 #ifdef WOLFSSL_SMALL_STACK
11030 byte* encodedSig = NULL;
11032 byte encodedSig[MAX_ENCODED_SIG_SZ];
11035 #ifdef WOLFSSL_SMALL_STACK
11036 encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
11037 DYNAMIC_TYPE_TMP_BUFFER);
11038 if (encodedSig == NULL) {
11041 wc_FreeRsaKey(&key);
11044 wc_ecc_free(&eccKey);
11054 #ifdef WOLFSSL_DTLS
11055 if (ssl->options.dtls)
11056 verify += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
11059 if (IsAtLeastTLSv1_2(ssl)) {
11060 verify[0] = ssl->suites->hashAlgo;
11061 verify[1] = usingEcc ? ecc_dsa_sa_algo : rsa_sa_algo;
11062 extraSz = HASH_SIG_SIZE;
11067 word32 localSz = MAX_ENCODED_SIG_SZ;
11070 byte doUserEcc = 0;
11072 /* old tls default */
11073 digestSz = SHA_DIGEST_SIZE;
11074 digest = ssl->hsHashes->certHashes.sha;
11076 /* new tls default */
11077 digestSz = SHA256_DIGEST_SIZE;
11078 digest = ssl->hsHashes->certHashes.sha256;
11081 #ifdef HAVE_PK_CALLBACKS
11083 if (ssl->ctx->EccSignCb)
11085 #endif /* HAVE_ECC */
11086 #endif /*HAVE_PK_CALLBACKS */
11088 if (IsAtLeastTLSv1_2(ssl)) {
11089 if (ssl->suites->hashAlgo == sha_mac) {
11091 digest = ssl->hsHashes->certHashes.sha;
11092 digestSz = SHA_DIGEST_SIZE;
11095 else if (ssl->suites->hashAlgo == sha256_mac) {
11097 digest = ssl->hsHashes->certHashes.sha256;
11098 digestSz = SHA256_DIGEST_SIZE;
11101 else if (ssl->suites->hashAlgo == sha384_mac) {
11102 #ifdef WOLFSSL_SHA384
11103 digest = ssl->hsHashes->certHashes.sha384;
11104 digestSz = SHA384_DIGEST_SIZE;
11107 else if (ssl->suites->hashAlgo == sha512_mac) {
11108 #ifdef WOLFSSL_SHA512
11109 digest = ssl->hsHashes->certHashes.sha512;
11110 digestSz = SHA512_DIGEST_SIZE;
11116 #ifdef HAVE_PK_CALLBACKS
11118 ret = ssl->ctx->EccSignCb(ssl, digest, digestSz,
11119 encodedSig, &localSz,
11120 ssl->buffers.key.buffer,
11121 ssl->buffers.key.length,
11123 #endif /* HAVE_ECC */
11124 #endif /*HAVE_PK_CALLBACKS */
11127 ret = wc_ecc_sign_hash(digest, digestSz, encodedSig,
11128 &localSz, ssl->rng, &eccKey);
11132 c16toa((word16)length, verify + extraSz); /* prepend hdr */
11133 XMEMCPY(verify + extraSz + VERIFY_HEADER,encodedSig,length);
11139 byte doUserRsa = 0;
11141 #ifdef HAVE_PK_CALLBACKS
11142 if (ssl->ctx->RsaSignCb)
11144 #endif /*HAVE_PK_CALLBACKS */
11146 if (IsAtLeastTLSv1_2(ssl)) {
11148 * MSVC Compiler complains because it can not
11149 * guarantee any of the conditionals will succeed in
11150 * assigning a value before wc_EncodeSignature executes.
11152 byte* digest = NULL;
11157 if (ssl->suites->hashAlgo == sha_mac) {
11159 digest = ssl->hsHashes->certHashes.sha;
11161 digestSz = SHA_DIGEST_SIZE;
11165 else if (ssl->suites->hashAlgo == sha256_mac) {
11167 digest = ssl->hsHashes->certHashes.sha256;
11169 digestSz = SHA256_DIGEST_SIZE;
11173 else if (ssl->suites->hashAlgo == sha384_mac) {
11174 #ifdef WOLFSSL_SHA384
11175 digest = ssl->hsHashes->certHashes.sha384;
11177 digestSz = SHA384_DIGEST_SIZE;
11181 else if (ssl->suites->hashAlgo == sha512_mac) {
11182 #ifdef WOLFSSL_SHA512
11183 digest = ssl->hsHashes->certHashes.sha512;
11185 digestSz = SHA512_DIGEST_SIZE;
11193 digest = ssl->hsHashes->certHashes.sha;
11194 digestSz = SHA_DIGEST_SIZE;
11197 digest = ssl->hsHashes->certHashes.sha256;
11198 digestSz = SHA256_DIGEST_SIZE;
11203 signSz = wc_EncodeSignature(encodedSig, digest,digestSz,typeH);
11204 signBuffer = encodedSig;
11207 c16toa((word16)length, verify + extraSz); /* prepend hdr */
11209 #ifdef HAVE_PK_CALLBACKS
11211 word32 ioLen = ENCRYPT_LEN;
11212 ret = ssl->ctx->RsaSignCb(ssl, signBuffer, signSz,
11213 verify + extraSz + VERIFY_HEADER,
11215 ssl->buffers.key.buffer,
11216 ssl->buffers.key.length,
11218 #endif /* NO_RSA */
11219 #endif /*HAVE_PK_CALLBACKS */
11222 ret = wc_RsaSSL_Sign(signBuffer, signSz, verify + extraSz +
11223 VERIFY_HEADER, ENCRYPT_LEN, &key, ssl->rng);
11227 ret = 0; /* RSA reset */
11230 #ifdef WOLFSSL_SMALL_STACK
11231 XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
11235 AddHeaders(output, length + extraSz + VERIFY_HEADER,
11236 certificate_verify, ssl);
11238 sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + length +
11239 extraSz + VERIFY_HEADER;
11241 #ifdef WOLFSSL_DTLS
11242 if (ssl->options.dtls) {
11243 sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
11247 if (ssl->keys.encryptionOn) {
11249 int inputSz = sendSz - RECORD_HEADER_SZ;
11250 /* build msg adds rec hdr */
11251 input = (byte*)XMALLOC(inputSz, ssl->heap,
11252 DYNAMIC_TYPE_TMP_BUFFER);
11256 XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz);
11257 sendSz = BuildMessage(ssl, output,
11258 MAX_CERT_VERIFY_SZ +MAX_MSG_EXTRA,
11259 input, inputSz, handshake);
11260 XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
11266 ret = HashOutput(ssl, output, sendSz, 0);
11269 #ifdef WOLFSSL_DTLS
11270 if (ssl->options.dtls) {
11271 if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
11279 wc_FreeRsaKey(&key);
11282 wc_ecc_free(&eccKey);
11286 #ifdef WOLFSSL_CALLBACKS
11288 AddPacketName("CertificateVerify", &ssl->handShakeInfo);
11290 AddPacketInfo("CertificateVerify", &ssl->timeoutInfo,
11291 output, sendSz, ssl->heap);
11293 ssl->buffers.outputBuffer.length += sendSz;
11294 if (ssl->options.groupMessages)
11297 return SendBuffered(ssl);
11302 #endif /* NO_CERTS */
11304 #ifdef HAVE_SESSION_TICKET
11305 int DoSessionTicket(WOLFSSL* ssl,
11306 const byte* input, word32* inOutIdx, word32 size)
11308 word32 begin = *inOutIdx;
11312 if (ssl->expect_session_ticket == 0) {
11313 WOLFSSL_MSG("Unexpected session ticket");
11314 return SESSION_TICKET_EXPECT_E;
11317 if ((*inOutIdx - begin) + OPAQUE32_LEN > size)
11318 return BUFFER_ERROR;
11320 ato32(input + *inOutIdx, &lifetime);
11321 *inOutIdx += OPAQUE32_LEN;
11323 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
11324 return BUFFER_ERROR;
11326 ato16(input + *inOutIdx, &length);
11327 *inOutIdx += OPAQUE16_LEN;
11329 if (length > sizeof(ssl->session.ticket))
11330 return SESSION_TICKET_LEN_E;
11332 if ((*inOutIdx - begin) + length > size)
11333 return BUFFER_ERROR;
11335 /* If the received ticket including its length is greater than
11336 * a length value, the save it. Otherwise, don't save it. */
11338 XMEMCPY(ssl->session.ticket, input + *inOutIdx, length);
11339 *inOutIdx += length;
11340 ssl->session.ticketLen = length;
11341 ssl->timeout = lifetime;
11342 if (ssl->session_ticket_cb != NULL) {
11343 ssl->session_ticket_cb(ssl,
11344 ssl->session.ticket, ssl->session.ticketLen,
11345 ssl->session_ticket_ctx);
11347 /* Create a fake sessionID based on the ticket, this will
11348 * supercede the existing session cache info. */
11349 ssl->options.haveSessionId = 1;
11350 XMEMCPY(ssl->arrays->sessionID,
11351 ssl->session.ticket + length - ID_LEN, ID_LEN);
11352 #ifndef NO_SESSION_CACHE
11358 ssl->session.ticketLen = 0;
11361 if (ssl->keys.encryptionOn) {
11362 *inOutIdx += ssl->keys.padSz;
11365 ssl->expect_session_ticket = 0;
11369 #endif /* HAVE_SESSION_TICKET */
11371 #endif /* NO_WOLFSSL_CLIENT */
11374 #ifndef NO_WOLFSSL_SERVER
11376 int SendServerHello(WOLFSSL* ssl)
11379 word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
11382 byte sessIdSz = ID_LEN;
11384 length = VERSION_SZ + RAN_LEN
11385 + ID_LEN + ENUM_LEN
11389 #ifdef HAVE_TLS_EXTENSIONS
11390 length += TLSX_GetResponseSize(ssl);
11392 #ifdef HAVE_SESSION_TICKET
11393 if (ssl->options.useTicket && ssl->arrays->sessionIDSz == 0) {
11394 /* no session id */
11398 #endif /* HAVE_SESSION_TICKET */
11401 /* check for avalaible size */
11402 if ((ret = CheckAvailableSize(ssl, MAX_HELLO_SZ)) != 0)
11405 /* get ouput buffer */
11406 output = ssl->buffers.outputBuffer.buffer +
11407 ssl->buffers.outputBuffer.length;
11409 sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
11410 AddHeaders(output, length, server_hello, ssl);
11412 #ifdef WOLFSSL_DTLS
11413 if (ssl->options.dtls) {
11414 idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
11415 sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
11418 /* now write to output */
11419 /* first version */
11420 output[idx++] = ssl->version.major;
11421 output[idx++] = ssl->version.minor;
11424 if (!ssl->options.resuming) {
11425 ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom,
11431 XMEMCPY(output + idx, ssl->arrays->serverRandom, RAN_LEN);
11434 #ifdef SHOW_SECRETS
11437 printf("server random: ");
11438 for (j = 0; j < RAN_LEN; j++)
11439 printf("%02x", ssl->arrays->serverRandom[j]);
11443 /* then session id */
11444 output[idx++] = sessIdSz;
11447 if (!ssl->options.resuming) {
11448 ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->sessionID,
11450 if (ret != 0) return ret;
11453 XMEMCPY(output + idx, ssl->arrays->sessionID, sessIdSz);
11457 /* then cipher suite */
11458 output[idx++] = ssl->options.cipherSuite0;
11459 output[idx++] = ssl->options.cipherSuite;
11461 /* then compression */
11462 if (ssl->options.usingCompression)
11463 output[idx++] = ZLIB_COMPRESSION;
11465 output[idx++] = NO_COMPRESSION;
11467 /* last, extensions */
11468 #ifdef HAVE_TLS_EXTENSIONS
11469 TLSX_WriteResponse(ssl, output + idx);
11472 ssl->buffers.outputBuffer.length += sendSz;
11473 #ifdef WOLFSSL_DTLS
11474 if (ssl->options.dtls) {
11475 if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
11480 ret = HashOutput(ssl, output, sendSz, 0);
11484 #ifdef WOLFSSL_CALLBACKS
11486 AddPacketName("ServerHello", &ssl->handShakeInfo);
11488 AddPacketInfo("ServerHello", &ssl->timeoutInfo, output, sendSz,
11492 ssl->options.serverState = SERVER_HELLO_COMPLETE;
11494 if (ssl->options.groupMessages)
11497 return SendBuffered(ssl);
11503 static byte SetCurveId(int size)
11506 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
11508 return WOLFSSL_ECC_SECP160R1;
11510 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
11512 return WOLFSSL_ECC_SECP192R1;
11514 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
11516 return WOLFSSL_ECC_SECP224R1;
11518 #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
11520 return WOLFSSL_ECC_SECP256R1;
11522 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
11524 return WOLFSSL_ECC_SECP384R1;
11526 #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
11528 return WOLFSSL_ECC_SECP521R1;
11535 #endif /* HAVE_ECC */
11538 int SendServerKeyExchange(WOLFSSL* ssl)
11542 #define ERROR_OUT(err, eLabel) do { ret = err; goto eLabel; } while(0)
11545 if (ssl->specs.kea == psk_kea)
11548 word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
11550 if (ssl->arrays->server_hint[0] == 0) return 0; /* don't send */
11552 /* include size part */
11553 length = (word32)XSTRLEN(ssl->arrays->server_hint);
11554 if (length > MAX_PSK_ID_LEN)
11555 return SERVER_HINT_ERROR;
11557 length += HINT_LEN_SZ;
11558 sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
11560 #ifdef WOLFSSL_DTLS
11561 if (ssl->options.dtls) {
11562 sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
11563 idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
11566 /* check for available size */
11567 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
11570 /* get ouput buffer */
11571 output = ssl->buffers.outputBuffer.buffer +
11572 ssl->buffers.outputBuffer.length;
11574 AddHeaders(output, length, server_key_exchange, ssl);
11577 c16toa((word16)(length - HINT_LEN_SZ), output + idx);
11578 idx += HINT_LEN_SZ;
11579 XMEMCPY(output + idx, ssl->arrays->server_hint,length -HINT_LEN_SZ);
11581 #ifdef WOLFSSL_DTLS
11582 if (ssl->options.dtls)
11583 if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
11587 ret = HashOutput(ssl, output, sendSz, 0);
11591 #ifdef WOLFSSL_CALLBACKS
11593 AddPacketName("ServerKeyExchange", &ssl->handShakeInfo);
11595 AddPacketInfo("ServerKeyExchange", &ssl->timeoutInfo, output,
11596 sendSz, ssl->heap);
11599 ssl->buffers.outputBuffer.length += sendSz;
11600 if (ssl->options.groupMessages)
11603 ret = SendBuffered(ssl);
11604 ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
11608 #if !defined(NO_DH) && !defined(NO_PSK)
11609 if (ssl->specs.kea == dhe_psk_kea) {
11611 word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
11616 if (ssl->buffers.serverDH_P.buffer == NULL ||
11617 ssl->buffers.serverDH_G.buffer == NULL)
11618 return NO_DH_PARAMS;
11620 if (ssl->buffers.serverDH_Pub.buffer == NULL) {
11621 ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC(
11622 ssl->buffers.serverDH_P.length + 2, ssl->ctx->heap,
11624 if (ssl->buffers.serverDH_Pub.buffer == NULL)
11628 if (ssl->buffers.serverDH_Priv.buffer == NULL) {
11629 ssl->buffers.serverDH_Priv.buffer = (byte*)XMALLOC(
11630 ssl->buffers.serverDH_P.length + 2, ssl->ctx->heap,
11632 if (ssl->buffers.serverDH_Priv.buffer == NULL)
11636 wc_InitDhKey(&dhKey);
11637 ret = wc_DhSetKey(&dhKey, ssl->buffers.serverDH_P.buffer,
11638 ssl->buffers.serverDH_P.length,
11639 ssl->buffers.serverDH_G.buffer,
11640 ssl->buffers.serverDH_G.length);
11642 ret = wc_DhGenerateKeyPair(&dhKey, ssl->rng,
11643 ssl->buffers.serverDH_Priv.buffer,
11644 &ssl->buffers.serverDH_Priv.length,
11645 ssl->buffers.serverDH_Pub.buffer,
11646 &ssl->buffers.serverDH_Pub.length);
11647 wc_FreeDhKey(&dhKey);
11651 length = LENGTH_SZ * 3 + /* p, g, pub */
11652 ssl->buffers.serverDH_P.length +
11653 ssl->buffers.serverDH_G.length +
11654 ssl->buffers.serverDH_Pub.length;
11656 /* include size part */
11657 hintLen = (word32)XSTRLEN(ssl->arrays->server_hint);
11658 if (hintLen > MAX_PSK_ID_LEN)
11659 return SERVER_HINT_ERROR;
11660 length += hintLen + HINT_LEN_SZ;
11661 sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
11663 #ifdef WOLFSSL_DTLS
11664 if (ssl->options.dtls) {
11665 sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
11666 idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
11670 /* check for available size */
11671 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
11674 /* get ouput buffer */
11675 output = ssl->buffers.outputBuffer.buffer +
11676 ssl->buffers.outputBuffer.length;
11678 AddHeaders(output, length, server_key_exchange, ssl);
11681 c16toa((word16)hintLen, output + idx);
11682 idx += HINT_LEN_SZ;
11683 XMEMCPY(output + idx, ssl->arrays->server_hint, hintLen);
11686 /* add p, g, pub */
11687 c16toa((word16)ssl->buffers.serverDH_P.length, output + idx);
11689 XMEMCPY(output + idx, ssl->buffers.serverDH_P.buffer,
11690 ssl->buffers.serverDH_P.length);
11691 idx += ssl->buffers.serverDH_P.length;
11694 c16toa((word16)ssl->buffers.serverDH_G.length, output + idx);
11696 XMEMCPY(output + idx, ssl->buffers.serverDH_G.buffer,
11697 ssl->buffers.serverDH_G.length);
11698 idx += ssl->buffers.serverDH_G.length;
11701 c16toa((word16)ssl->buffers.serverDH_Pub.length, output + idx);
11703 XMEMCPY(output + idx, ssl->buffers.serverDH_Pub.buffer,
11704 ssl->buffers.serverDH_Pub.length);
11705 idx += ssl->buffers.serverDH_Pub.length;
11706 (void)idx; /* suppress analyzer warning, and keep idx current */
11708 #ifdef WOLFSSL_DTLS
11709 if (ssl->options.dtls)
11710 if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
11714 ret = HashOutput(ssl, output, sendSz, 0);
11719 #ifdef WOLFSSL_CALLBACKS
11721 AddPacketName("ServerKeyExchange", &ssl->handShakeInfo);
11723 AddPacketInfo("ServerKeyExchange", &ssl->timeoutInfo, output,
11724 sendSz, ssl->heap);
11727 ssl->buffers.outputBuffer.length += sendSz;
11728 if (ssl->options.groupMessages)
11731 ret = SendBuffered(ssl);
11732 ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
11734 #endif /* !NO_DH && !NO_PSK */
11737 if (ssl->specs.kea == ecc_diffie_hellman_kea)
11740 word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
11743 word32 preSigSz, preSigIdx;
11748 #ifdef WOLFSSL_SMALL_STACK
11749 byte* exportBuf = NULL;
11751 byte exportBuf[MAX_EXPORT_ECC_SZ];
11753 word32 expSz = MAX_EXPORT_ECC_SZ;
11762 #ifdef WOLFSSL_SHA384
11765 #ifdef WOLFSSL_SHA512
11769 if (ssl->specs.static_ecdh) {
11770 WOLFSSL_MSG("Using Static ECDH, not sending ServerKeyExchagne");
11774 /* curve type, named curve, length(1) */
11775 length = ENUM_LEN + CURVE_LEN + ENUM_LEN;
11777 WOLFSSL_MSG("Using ephemeral ECDH");
11779 /* need ephemeral key now, create it if missing */
11780 if (ssl->eccTempKey == NULL) {
11781 /* alloc/init on demand */
11782 ssl->eccTempKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
11783 ssl->ctx->heap, DYNAMIC_TYPE_ECC);
11784 if (ssl->eccTempKey == NULL) {
11785 WOLFSSL_MSG("EccTempKey Memory error");
11788 wc_ecc_init(ssl->eccTempKey);
11790 if (ssl->eccTempKeyPresent == 0) {
11791 if (wc_ecc_make_key(ssl->rng, ssl->eccTempKeySz,
11792 ssl->eccTempKey) != 0) {
11793 return ECC_MAKEKEY_ERROR;
11795 ssl->eccTempKeyPresent = 1;
11798 #ifdef WOLFSSL_SMALL_STACK
11799 exportBuf = (byte*)XMALLOC(MAX_EXPORT_ECC_SZ, NULL,
11800 DYNAMIC_TYPE_TMP_BUFFER);
11801 if (exportBuf == NULL)
11805 if (wc_ecc_export_x963(ssl->eccTempKey, exportBuf, &expSz) != 0)
11806 ERROR_OUT(ECC_EXPORT_ERROR, done_a);
11813 ret = wc_InitRsaKey(&rsaKey, ssl->heap);
11818 wc_ecc_init(&dsaKey);
11821 length += LENGTH_SZ;
11823 if (!ssl->buffers.key.buffer) {
11825 wc_FreeRsaKey(&rsaKey);
11827 wc_ecc_free(&dsaKey);
11828 ERROR_OUT(NO_PRIVATE_KEY, done_a);
11832 if (ssl->specs.sig_algo == rsa_sa_algo) {
11835 ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &i,
11836 &rsaKey, ssl->buffers.key.length);
11839 sigSz = wc_RsaEncryptSize(&rsaKey);
11843 if (ssl->specs.sig_algo == ecc_dsa_sa_algo) {
11844 /* ecdsa sig size */
11846 ret = wc_EccPrivateKeyDecode(ssl->buffers.key.buffer, &i,
11847 &dsaKey, ssl->buffers.key.length);
11850 sigSz = wc_ecc_sig_size(&dsaKey); /* worst case estimate */
11854 wc_FreeRsaKey(&rsaKey);
11856 wc_ecc_free(&dsaKey);
11857 ERROR_OUT(ALGO_ID_E, done_a); /* unsupported type */
11861 if (IsAtLeastTLSv1_2(ssl))
11862 length += HASH_SIG_SIZE;
11864 sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
11866 #ifdef WOLFSSL_DTLS
11867 if (ssl->options.dtls) {
11868 sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
11869 idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
11873 /* check for available size */
11874 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) {
11876 wc_FreeRsaKey(&rsaKey);
11878 wc_ecc_free(&dsaKey);
11882 /* get ouput buffer */
11883 output = ssl->buffers.outputBuffer.buffer +
11884 ssl->buffers.outputBuffer.length;
11886 /* record and message headers will be added below, when we're sure
11887 of the sig length */
11889 /* key exchange data */
11890 output[idx++] = named_curve;
11891 output[idx++] = 0x00; /* leading zero */
11892 output[idx++] = SetCurveId(wc_ecc_size(ssl->eccTempKey));
11893 output[idx++] = (byte)expSz;
11894 XMEMCPY(output + idx, exportBuf, expSz);
11896 if (IsAtLeastTLSv1_2(ssl)) {
11899 output[idx++] = ssl->suites->hashAlgo;
11900 output[idx++] = ssl->suites->sigAlgo;
11902 switch (ssl->suites->hashAlgo) {
11904 #ifdef WOLFSSL_SHA512
11911 #ifdef WOLFSSL_SHA384
11932 WOLFSSL_MSG("Bad hash sig algo");
11936 if (setHash == 0) {
11938 wc_FreeRsaKey(&rsaKey);
11940 wc_ecc_free(&dsaKey);
11941 ERROR_OUT(ALGO_ID_E, done_a);
11944 /* only using sha and md5 for rsa */
11947 if (ssl->suites->sigAlgo == rsa_sa_algo) {
11952 wc_FreeRsaKey(&rsaKey);
11954 wc_ecc_free(&dsaKey);
11955 ERROR_OUT(ALGO_ID_E, done_a);
11959 /* Signtaure length will be written later, when we're sure what it
11964 ssl->fuzzerCb(ssl, output + preSigIdx, preSigSz, FUZZ_SIGNATURE,
11971 #ifdef WOLFSSL_SMALL_STACK
11979 #ifdef WOLFSSL_SMALL_STACK
11982 byte hash[FINISHED_SZ];
11985 #ifdef WOLFSSL_SMALL_STACK
11986 Sha256* sha256 = NULL;
11987 byte* hash256 = NULL;
11990 byte hash256[SHA256_DIGEST_SIZE];
11993 #ifdef WOLFSSL_SHA384
11994 #ifdef WOLFSSL_SMALL_STACK
11995 Sha384* sha384 = NULL;
11996 byte* hash384 = NULL;
11999 byte hash384[SHA384_DIGEST_SIZE];
12002 #ifdef WOLFSSL_SHA512
12003 #ifdef WOLFSSL_SMALL_STACK
12004 Sha512* sha512 = NULL;
12005 byte* hash512 = NULL;
12008 byte hash512[SHA512_DIGEST_SIZE];
12012 #ifdef WOLFSSL_SMALL_STACK
12013 hash = (byte*)XMALLOC(FINISHED_SZ, NULL,
12014 DYNAMIC_TYPE_TMP_BUFFER);
12016 ERROR_OUT(MEMORY_E, done_a);
12021 #ifdef WOLFSSL_SMALL_STACK
12023 md5 = (Md5*)XMALLOC(sizeof(Md5), NULL,
12024 DYNAMIC_TYPE_TMP_BUFFER);
12026 ERROR_OUT(MEMORY_E, done_a2);
12031 wc_Md5Update(md5, ssl->arrays->clientRandom, RAN_LEN);
12032 wc_Md5Update(md5, ssl->arrays->serverRandom, RAN_LEN);
12033 wc_Md5Update(md5, output + preSigIdx, preSigSz);
12034 wc_Md5Final(md5, hash);
12037 #ifdef WOLFSSL_SMALL_STACK
12039 sha = (Sha*)XMALLOC(sizeof(Sha), NULL,
12040 DYNAMIC_TYPE_TMP_BUFFER);
12042 ERROR_OUT(MEMORY_E, done_a2);
12046 ret = wc_InitSha(sha);
12047 if (ret != 0) goto done_a2;
12048 wc_ShaUpdate(sha, ssl->arrays->clientRandom, RAN_LEN);
12049 wc_ShaUpdate(sha, ssl->arrays->serverRandom, RAN_LEN);
12050 wc_ShaUpdate(sha, output + preSigIdx, preSigSz);
12051 wc_ShaFinal(sha, &hash[MD5_DIGEST_SIZE]);
12056 #ifdef WOLFSSL_SMALL_STACK
12058 sha256 = (Sha256*)XMALLOC(sizeof(Sha256), NULL,
12059 DYNAMIC_TYPE_TMP_BUFFER);
12060 hash256 = (byte*)XMALLOC(SHA256_DIGEST_SIZE, NULL,
12061 DYNAMIC_TYPE_TMP_BUFFER);
12062 if (sha256 == NULL || hash256 == NULL)
12063 ERROR_OUT(MEMORY_E, done_a2);
12068 if (!(ret = wc_InitSha256(sha256))
12069 && !(ret = wc_Sha256Update(sha256,
12070 ssl->arrays->clientRandom, RAN_LEN))
12071 && !(ret = wc_Sha256Update(sha256,
12072 ssl->arrays->serverRandom, RAN_LEN))
12073 && !(ret = wc_Sha256Update(sha256,
12074 output + preSigIdx, preSigSz)))
12075 ret = wc_Sha256Final(sha256, hash256);
12077 if (ret != 0) goto done_a2;
12081 #ifdef WOLFSSL_SHA384
12082 #ifdef WOLFSSL_SMALL_STACK
12084 sha384 = (Sha384*)XMALLOC(sizeof(Sha384), NULL,
12085 DYNAMIC_TYPE_TMP_BUFFER);
12086 hash384 = (byte*)XMALLOC(SHA384_DIGEST_SIZE, NULL,
12087 DYNAMIC_TYPE_TMP_BUFFER);
12088 if (sha384 == NULL || hash384 == NULL)
12089 ERROR_OUT(MEMORY_E, done_a2);
12094 if (!(ret = wc_InitSha384(sha384))
12095 && !(ret = wc_Sha384Update(sha384,
12096 ssl->arrays->clientRandom, RAN_LEN))
12097 && !(ret = wc_Sha384Update(sha384,
12098 ssl->arrays->serverRandom, RAN_LEN))
12099 && !(ret = wc_Sha384Update(sha384,
12100 output + preSigIdx, preSigSz)))
12101 ret = wc_Sha384Final(sha384, hash384);
12103 if (ret != 0) goto done_a2;
12107 #ifdef WOLFSSL_SHA512
12108 #ifdef WOLFSSL_SMALL_STACK
12110 sha512 = (Sha512*)XMALLOC(sizeof(Sha512), NULL,
12111 DYNAMIC_TYPE_TMP_BUFFER);
12112 hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL,
12113 DYNAMIC_TYPE_TMP_BUFFER);
12114 if (sha512 == NULL || hash512 == NULL)
12115 ERROR_OUT(MEMORY_E, done_a2);
12120 if (!(ret = wc_InitSha512(sha512))
12121 && !(ret = wc_Sha512Update(sha512,
12122 ssl->arrays->clientRandom, RAN_LEN))
12123 && !(ret = wc_Sha512Update(sha512,
12124 ssl->arrays->serverRandom, RAN_LEN))
12125 && !(ret = wc_Sha512Update(sha512,
12126 output + preSigIdx, preSigSz)))
12127 ret = wc_Sha512Final(sha512, hash512);
12129 if (ret != 0) goto done_a2;
12134 if (ssl->suites->sigAlgo == rsa_sa_algo) {
12135 byte* signBuffer = hash;
12136 word32 signSz = FINISHED_SZ;
12137 byte doUserRsa = 0;
12138 #ifdef WOLFSSL_SMALL_STACK
12139 byte* encodedSig = NULL;
12141 byte encodedSig[MAX_ENCODED_SIG_SZ];
12144 #ifdef HAVE_PK_CALLBACKS
12145 if (ssl->ctx->RsaSignCb)
12149 #ifdef WOLFSSL_SMALL_STACK
12150 encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
12151 DYNAMIC_TYPE_TMP_BUFFER);
12152 if (encodedSig == NULL)
12153 ERROR_OUT(MEMORY_E, done_a2);
12156 if (IsAtLeastTLSv1_2(ssl)) {
12157 byte* digest = &hash[MD5_DIGEST_SIZE];
12159 int digestSz = SHA_DIGEST_SIZE;
12161 if (ssl->suites->hashAlgo == sha256_mac) {
12165 digestSz = SHA256_DIGEST_SIZE;
12168 else if (ssl->suites->hashAlgo == sha384_mac) {
12169 #ifdef WOLFSSL_SHA384
12172 digestSz = SHA384_DIGEST_SIZE;
12175 else if (ssl->suites->hashAlgo == sha512_mac) {
12176 #ifdef WOLFSSL_SHA512
12179 digestSz = SHA512_DIGEST_SIZE;
12183 if (digest == NULL) {
12185 wc_FreeRsaKey(&rsaKey);
12187 wc_ecc_free(&dsaKey);
12188 ERROR_OUT(ALGO_ID_E, done_a2);
12190 signSz = wc_EncodeSignature(encodedSig, digest,
12192 signBuffer = encodedSig;
12194 /* write sig size here */
12195 c16toa((word16)sigSz, output + idx);
12199 #ifdef HAVE_PK_CALLBACKS
12200 word32 ioLen = sigSz;
12201 ret = ssl->ctx->RsaSignCb(ssl, signBuffer, signSz,
12202 output + idx, &ioLen,
12203 ssl->buffers.key.buffer,
12204 ssl->buffers.key.length,
12206 #endif /*HAVE_PK_CALLBACKS */
12209 ret = wc_RsaSSL_Sign(signBuffer, signSz, output + idx,
12210 sigSz, &rsaKey, ssl->rng);
12212 wc_FreeRsaKey(&rsaKey);
12213 wc_ecc_free(&dsaKey);
12215 #ifdef WOLFSSL_SMALL_STACK
12216 XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12224 if (ssl->suites->sigAlgo == ecc_dsa_sa_algo) {
12226 byte* digest = &hash[MD5_DIGEST_SIZE];
12227 word32 digestSz = SHA_DIGEST_SIZE;
12229 byte* digest = hash256;
12230 word32 digestSz = SHA256_DIGEST_SIZE;
12233 byte doUserEcc = 0;
12235 #if defined(HAVE_PK_CALLBACKS) && defined(HAVE_ECC)
12236 if (ssl->ctx->EccSignCb)
12240 if (IsAtLeastTLSv1_2(ssl)) {
12241 if (ssl->suites->hashAlgo == sha_mac) {
12243 digest = &hash[MD5_DIGEST_SIZE];
12244 digestSz = SHA_DIGEST_SIZE;
12247 else if (ssl->suites->hashAlgo == sha256_mac) {
12250 digestSz = SHA256_DIGEST_SIZE;
12253 else if (ssl->suites->hashAlgo == sha384_mac) {
12254 #ifdef WOLFSSL_SHA384
12256 digestSz = SHA384_DIGEST_SIZE;
12259 else if (ssl->suites->hashAlgo == sha512_mac) {
12260 #ifdef WOLFSSL_SHA512
12262 digestSz = SHA512_DIGEST_SIZE;
12268 #if defined(HAVE_PK_CALLBACKS) && defined(HAVE_ECC)
12269 ret = ssl->ctx->EccSignCb(ssl, digest, digestSz,
12270 output + LENGTH_SZ + idx, &sz,
12271 ssl->buffers.key.buffer,
12272 ssl->buffers.key.length,
12277 ret = wc_ecc_sign_hash(digest, digestSz,
12278 output + LENGTH_SZ + idx, &sz, ssl->rng, &dsaKey);
12281 wc_FreeRsaKey(&rsaKey);
12283 wc_ecc_free(&dsaKey);
12288 /* Now that we know the real sig size, write it. */
12289 c16toa((word16)sz, output + idx);
12291 /* And adjust length and sendSz from estimates */
12292 length += sz - sigSz;
12293 sendSz += sz - sigSz;
12297 #ifdef WOLFSSL_SMALL_STACK
12299 XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12300 XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12302 XFREE(hash, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12304 XFREE(sha256, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12305 XFREE(hash256, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12307 #ifdef WOLFSSL_SHA384
12308 XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12309 XFREE(hash384, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12311 #ifdef WOLFSSL_SHA512
12312 XFREE(sha512, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12313 XFREE(hash512, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12321 AddHeaders(output, length, server_key_exchange, ssl);
12323 #ifdef WOLFSSL_DTLS
12324 if (ssl->options.dtls)
12325 if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
12329 if ((ret = HashOutput(ssl, output, sendSz, 0)) != 0)
12332 #ifdef WOLFSSL_CALLBACKS
12334 AddPacketName("ServerKeyExchange", &ssl->handShakeInfo);
12336 AddPacketInfo("ServerKeyExchange", &ssl->timeoutInfo,
12337 output, sendSz, ssl->heap);
12340 ssl->buffers.outputBuffer.length += sendSz;
12341 if (ssl->options.groupMessages)
12344 ret = SendBuffered(ssl);
12345 ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
12348 #ifdef WOLFSSL_SMALL_STACK
12349 XFREE(exportBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12354 #endif /* HAVE_ECC */
12356 #if !defined(NO_DH) && !defined(NO_RSA)
12357 if (ssl->specs.kea == diffie_hellman_kea) {
12359 word32 length = 0, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
12361 word32 sigSz = 0, i = 0;
12362 word32 preSigSz = 0, preSigIdx = 0;
12366 if (ssl->buffers.serverDH_P.buffer == NULL ||
12367 ssl->buffers.serverDH_G.buffer == NULL)
12368 return NO_DH_PARAMS;
12370 if (ssl->buffers.serverDH_Pub.buffer == NULL) {
12371 ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC(
12372 ssl->buffers.serverDH_P.length + 2, ssl->ctx->heap,
12374 if (ssl->buffers.serverDH_Pub.buffer == NULL)
12378 if (ssl->buffers.serverDH_Priv.buffer == NULL) {
12379 ssl->buffers.serverDH_Priv.buffer = (byte*)XMALLOC(
12380 ssl->buffers.serverDH_P.length + 2, ssl->ctx->heap,
12382 if (ssl->buffers.serverDH_Priv.buffer == NULL)
12386 wc_InitDhKey(&dhKey);
12387 ret = wc_DhSetKey(&dhKey, ssl->buffers.serverDH_P.buffer,
12388 ssl->buffers.serverDH_P.length,
12389 ssl->buffers.serverDH_G.buffer,
12390 ssl->buffers.serverDH_G.length);
12392 ret = wc_DhGenerateKeyPair(&dhKey, ssl->rng,
12393 ssl->buffers.serverDH_Priv.buffer,
12394 &ssl->buffers.serverDH_Priv.length,
12395 ssl->buffers.serverDH_Pub.buffer,
12396 &ssl->buffers.serverDH_Pub.length);
12397 wc_FreeDhKey(&dhKey);
12399 if (ret != 0) return ret;
12401 length = LENGTH_SZ * 3; /* p, g, pub */
12402 length += ssl->buffers.serverDH_P.length +
12403 ssl->buffers.serverDH_G.length +
12404 ssl->buffers.serverDH_Pub.length;
12409 if (!ssl->options.usingAnon_cipher) {
12410 ret = wc_InitRsaKey(&rsaKey, ssl->heap);
12411 if (ret != 0) return ret;
12414 length += LENGTH_SZ;
12416 if (!ssl->buffers.key.buffer)
12417 return NO_PRIVATE_KEY;
12419 ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &i, &rsaKey,
12420 ssl->buffers.key.length);
12422 sigSz = wc_RsaEncryptSize(&rsaKey);
12426 wc_FreeRsaKey(&rsaKey);
12430 if (IsAtLeastTLSv1_2(ssl))
12431 length += HASH_SIG_SIZE;
12434 sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
12436 #ifdef WOLFSSL_DTLS
12437 if (ssl->options.dtls) {
12438 sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
12439 idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
12444 /* check for available size */
12445 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) {
12446 if (!ssl->options.usingAnon_cipher)
12447 wc_FreeRsaKey(&rsaKey);
12451 /* get ouput buffer */
12452 output = ssl->buffers.outputBuffer.buffer +
12453 ssl->buffers.outputBuffer.length;
12455 AddHeaders(output, length, server_key_exchange, ssl);
12457 /* add p, g, pub */
12458 c16toa((word16)ssl->buffers.serverDH_P.length, output + idx);
12460 XMEMCPY(output + idx, ssl->buffers.serverDH_P.buffer,
12461 ssl->buffers.serverDH_P.length);
12462 idx += ssl->buffers.serverDH_P.length;
12465 c16toa((word16)ssl->buffers.serverDH_G.length, output + idx);
12467 XMEMCPY(output + idx, ssl->buffers.serverDH_G.buffer,
12468 ssl->buffers.serverDH_G.length);
12469 idx += ssl->buffers.serverDH_G.length;
12472 c16toa((word16)ssl->buffers.serverDH_Pub.length, output + idx);
12474 XMEMCPY(output + idx, ssl->buffers.serverDH_Pub.buffer,
12475 ssl->buffers.serverDH_Pub.length);
12476 idx += ssl->buffers.serverDH_Pub.length;
12480 ssl->fuzzerCb(ssl, output + preSigIdx, preSigSz, FUZZ_SIGNATURE,
12484 /* Add signature */
12485 if (!ssl->options.usingAnon_cipher) {
12487 #ifdef WOLFSSL_SMALL_STACK
12495 #ifdef WOLFSSL_SMALL_STACK
12498 byte hash[FINISHED_SZ];
12501 #ifdef WOLFSSL_SMALL_STACK
12502 Sha256* sha256 = NULL;
12503 byte* hash256 = NULL;
12506 byte hash256[SHA256_DIGEST_SIZE];
12509 #ifdef WOLFSSL_SHA384
12510 #ifdef WOLFSSL_SMALL_STACK
12511 Sha384* sha384 = NULL;
12512 byte* hash384 = NULL;
12515 byte hash384[SHA384_DIGEST_SIZE];
12518 #ifdef WOLFSSL_SHA512
12519 #ifdef WOLFSSL_SMALL_STACK
12520 Sha512* sha512 = NULL;
12521 byte* hash512 = NULL;
12524 byte hash512[SHA512_DIGEST_SIZE];
12535 #ifdef WOLFSSL_SHA384
12538 #ifdef WOLFSSL_SHA512
12542 /* Add hash/signature algo ID */
12543 if (IsAtLeastTLSv1_2(ssl)) {
12546 output[idx++] = ssl->suites->hashAlgo;
12547 output[idx++] = ssl->suites->sigAlgo;
12549 switch (ssl->suites->hashAlgo) {
12551 #ifdef WOLFSSL_SHA512
12558 #ifdef WOLFSSL_SHA384
12579 WOLFSSL_MSG("Bad hash sig algo");
12583 if (setHash == 0) {
12584 wc_FreeRsaKey(&rsaKey);
12588 /* only using sha and md5 for rsa */
12591 if (ssl->suites->sigAlgo == rsa_sa_algo) {
12595 wc_FreeRsaKey(&rsaKey);
12600 /* signature size */
12601 c16toa((word16)sigSz, output + idx);
12605 #ifdef WOLFSSL_SMALL_STACK
12606 hash = (byte*)XMALLOC(FINISHED_SZ, NULL,
12607 DYNAMIC_TYPE_TMP_BUFFER);
12609 return MEMORY_E; /* No heap commitment before this point,
12610 from now on, the resources are freed
12616 #ifdef WOLFSSL_SMALL_STACK
12618 md5 = (Md5*)XMALLOC(sizeof(Md5), NULL,
12619 DYNAMIC_TYPE_TMP_BUFFER);
12621 ERROR_OUT(MEMORY_E, done_b);
12626 wc_Md5Update(md5, ssl->arrays->clientRandom, RAN_LEN);
12627 wc_Md5Update(md5, ssl->arrays->serverRandom, RAN_LEN);
12628 wc_Md5Update(md5, output + preSigIdx, preSigSz);
12629 wc_Md5Final(md5, hash);
12633 #ifdef WOLFSSL_SMALL_STACK
12635 sha = (Sha*)XMALLOC(sizeof(Sha), NULL,
12636 DYNAMIC_TYPE_TMP_BUFFER);
12638 ERROR_OUT(MEMORY_E, done_b);
12643 if ((ret = wc_InitSha(sha)) != 0)
12645 wc_ShaUpdate(sha, ssl->arrays->clientRandom, RAN_LEN);
12646 wc_ShaUpdate(sha, ssl->arrays->serverRandom, RAN_LEN);
12647 wc_ShaUpdate(sha, output + preSigIdx, preSigSz);
12648 wc_ShaFinal(sha, &hash[MD5_DIGEST_SIZE]);
12653 #ifdef WOLFSSL_SMALL_STACK
12655 sha256 = (Sha256*)XMALLOC(sizeof(Sha256), NULL,
12656 DYNAMIC_TYPE_TMP_BUFFER);
12657 hash256 = (byte*)XMALLOC(SHA256_DIGEST_SIZE, NULL,
12658 DYNAMIC_TYPE_TMP_BUFFER);
12659 if (sha256 == NULL || hash256 == NULL)
12660 ERROR_OUT(MEMORY_E, done_b);
12665 if (!(ret = wc_InitSha256(sha256))
12666 && !(ret = wc_Sha256Update(sha256,
12667 ssl->arrays->clientRandom, RAN_LEN))
12668 && !(ret = wc_Sha256Update(sha256,
12669 ssl->arrays->serverRandom, RAN_LEN))
12670 && !(ret = wc_Sha256Update(sha256,
12671 output + preSigIdx, preSigSz)))
12672 ret = wc_Sha256Final(sha256, hash256);
12674 if (ret != 0) goto done_b;
12678 #ifdef WOLFSSL_SHA384
12679 #ifdef WOLFSSL_SMALL_STACK
12681 sha384 = (Sha384*)XMALLOC(sizeof(Sha384), NULL,
12682 DYNAMIC_TYPE_TMP_BUFFER);
12683 hash384 = (byte*)XMALLOC(SHA384_DIGEST_SIZE, NULL,
12684 DYNAMIC_TYPE_TMP_BUFFER);
12685 if (sha384 == NULL || hash384 == NULL)
12686 ERROR_OUT(MEMORY_E, done_b);
12691 if (!(ret = wc_InitSha384(sha384))
12692 && !(ret = wc_Sha384Update(sha384,
12693 ssl->arrays->clientRandom, RAN_LEN))
12694 && !(ret = wc_Sha384Update(sha384,
12695 ssl->arrays->serverRandom, RAN_LEN))
12696 && !(ret = wc_Sha384Update(sha384,
12697 output + preSigIdx, preSigSz)))
12698 ret = wc_Sha384Final(sha384, hash384);
12700 if (ret != 0) goto done_b;
12704 #ifdef WOLFSSL_SHA512
12705 #ifdef WOLFSSL_SMALL_STACK
12707 sha512 = (Sha512*)XMALLOC(sizeof(Sha512), NULL,
12708 DYNAMIC_TYPE_TMP_BUFFER);
12709 hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL,
12710 DYNAMIC_TYPE_TMP_BUFFER);
12711 if (sha512 == NULL || hash512 == NULL)
12712 ERROR_OUT(MEMORY_E, done_b);
12717 if (!(ret = wc_InitSha512(sha512))
12718 && !(ret = wc_Sha512Update(sha512,
12719 ssl->arrays->clientRandom, RAN_LEN))
12720 && !(ret = wc_Sha512Update(sha512,
12721 ssl->arrays->serverRandom, RAN_LEN))
12722 && !(ret = wc_Sha512Update(sha512,
12723 output + preSigIdx, preSigSz)))
12724 ret = wc_Sha512Final(sha512, hash512);
12726 if (ret != 0) goto done_b;
12731 if (ssl->suites->sigAlgo == rsa_sa_algo) {
12732 byte* signBuffer = hash;
12733 word32 signSz = FINISHED_SZ;
12734 #ifdef WOLFSSL_SMALL_STACK
12735 byte* encodedSig = NULL;
12737 byte encodedSig[MAX_ENCODED_SIG_SZ];
12739 byte doUserRsa = 0;
12741 #ifdef HAVE_PK_CALLBACKS
12742 if (ssl->ctx->RsaSignCb)
12746 #ifdef WOLFSSL_SMALL_STACK
12747 encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
12748 DYNAMIC_TYPE_TMP_BUFFER);
12749 if (encodedSig == NULL)
12750 ERROR_OUT(MEMORY_E, done_b);
12753 if (IsAtLeastTLSv1_2(ssl)) {
12754 byte* digest = &hash[MD5_DIGEST_SIZE];
12756 int digestSz = SHA_DIGEST_SIZE;
12758 if (ssl->suites->hashAlgo == sha256_mac) {
12762 digestSz = SHA256_DIGEST_SIZE;
12765 else if (ssl->suites->hashAlgo == sha384_mac) {
12766 #ifdef WOLFSSL_SHA384
12769 digestSz = SHA384_DIGEST_SIZE;
12772 else if (ssl->suites->hashAlgo == sha512_mac) {
12773 #ifdef WOLFSSL_SHA512
12776 digestSz = SHA512_DIGEST_SIZE;
12780 if (digest == NULL) {
12783 signSz = wc_EncodeSignature(encodedSig, digest,
12785 signBuffer = encodedSig;
12788 if (doUserRsa && ret == 0) {
12789 #ifdef HAVE_PK_CALLBACKS
12790 word32 ioLen = sigSz;
12791 ret = ssl->ctx->RsaSignCb(ssl, signBuffer, signSz,
12792 output + idx, &ioLen,
12793 ssl->buffers.key.buffer,
12794 ssl->buffers.key.length,
12797 } else if (ret == 0) {
12798 ret = wc_RsaSSL_Sign(signBuffer, signSz, output + idx,
12799 sigSz, &rsaKey, ssl->rng);
12802 wc_FreeRsaKey(&rsaKey);
12804 #ifdef WOLFSSL_SMALL_STACK
12805 XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12811 #ifdef WOLFSSL_SMALL_STACK
12813 XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12814 XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12816 XFREE(hash, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12818 XFREE(sha256, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12819 XFREE(hash256, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12821 #ifdef WOLFSSL_SHA384
12822 XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12823 XFREE(hash384, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12825 #ifdef WOLFSSL_SHA512
12826 XFREE(sha512, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12827 XFREE(hash512, NULL, DYNAMIC_TYPE_TMP_BUFFER);
12831 if (ret < 0) return ret;
12834 #ifdef WOLFSSL_DTLS
12835 if (ssl->options.dtls)
12836 if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
12840 if ((ret = HashOutput(ssl, output, sendSz, 0)) != 0)
12843 #ifdef WOLFSSL_CALLBACKS
12845 AddPacketName("ServerKeyExchange", &ssl->handShakeInfo);
12847 AddPacketInfo("ServerKeyExchange", &ssl->timeoutInfo,
12848 output, sendSz, ssl->heap);
12851 ssl->buffers.outputBuffer.length += sendSz;
12852 if (ssl->options.groupMessages)
12855 ret = SendBuffered(ssl);
12856 ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
12865 /* Make sure server cert/key are valid for this suite, true on success */
12866 static int VerifyServerSuite(WOLFSSL* ssl, word16 idx)
12868 int haveRSA = !ssl->options.haveStaticECC;
12873 WOLFSSL_ENTER("VerifyServerSuite");
12875 if (ssl->suites == NULL) {
12876 WOLFSSL_MSG("Suites pointer error");
12880 first = ssl->suites->suites[idx];
12881 second = ssl->suites->suites[idx+1];
12884 havePSK = ssl->options.havePSK;
12887 if (ssl->options.haveNTRU)
12890 if (CipherRequires(first, second, REQUIRES_RSA)) {
12891 WOLFSSL_MSG("Requires RSA");
12892 if (haveRSA == 0) {
12893 WOLFSSL_MSG("Don't have RSA");
12898 if (CipherRequires(first, second, REQUIRES_DHE)) {
12899 WOLFSSL_MSG("Requires DHE");
12900 if (ssl->options.haveDH == 0) {
12901 WOLFSSL_MSG("Don't have DHE");
12906 if (CipherRequires(first, second, REQUIRES_ECC_DSA)) {
12907 WOLFSSL_MSG("Requires ECCDSA");
12908 if (ssl->options.haveECDSAsig == 0) {
12909 WOLFSSL_MSG("Don't have ECCDSA");
12914 if (CipherRequires(first, second, REQUIRES_ECC_STATIC)) {
12915 WOLFSSL_MSG("Requires static ECC");
12916 if (ssl->options.haveStaticECC == 0) {
12917 WOLFSSL_MSG("Don't have static ECC");
12922 if (CipherRequires(first, second, REQUIRES_PSK)) {
12923 WOLFSSL_MSG("Requires PSK");
12924 if (havePSK == 0) {
12925 WOLFSSL_MSG("Don't have PSK");
12930 if (CipherRequires(first, second, REQUIRES_NTRU)) {
12931 WOLFSSL_MSG("Requires NTRU");
12932 if (ssl->options.haveNTRU == 0) {
12933 WOLFSSL_MSG("Don't have NTRU");
12938 if (CipherRequires(first, second, REQUIRES_RSA_SIG)) {
12939 WOLFSSL_MSG("Requires RSA Signature");
12940 if (ssl->options.side == WOLFSSL_SERVER_END &&
12941 ssl->options.haveECDSAsig == 1) {
12942 WOLFSSL_MSG("Don't have RSA Signature");
12947 #ifdef HAVE_SUPPORTED_CURVES
12948 if (!TLSX_ValidateEllipticCurves(ssl, first, second)) {
12949 WOLFSSL_MSG("Don't have matching curves");
12954 /* ECCDHE is always supported if ECC on */
12960 static int MatchSuite(WOLFSSL* ssl, Suites* peerSuites)
12964 WOLFSSL_ENTER("MatchSuite");
12966 /* & 0x1 equivalent % 2 */
12967 if (peerSuites->suiteSz == 0 || peerSuites->suiteSz & 0x1)
12968 return MATCH_SUITE_ERROR;
12970 if (ssl->suites == NULL)
12971 return SUITES_ERROR;
12972 /* start with best, if a match we are good */
12973 for (i = 0; i < ssl->suites->suiteSz; i += 2)
12974 for (j = 0; j < peerSuites->suiteSz; j += 2)
12975 if (ssl->suites->suites[i] == peerSuites->suites[j] &&
12976 ssl->suites->suites[i+1] == peerSuites->suites[j+1] ) {
12978 if (VerifyServerSuite(ssl, i)) {
12980 WOLFSSL_MSG("Verified suite validity");
12981 ssl->options.cipherSuite0 = ssl->suites->suites[i];
12982 ssl->options.cipherSuite = ssl->suites->suites[i+1];
12983 result = SetCipherSpecs(ssl);
12985 PickHashSigAlgo(ssl, peerSuites->hashSigAlgo,
12986 peerSuites->hashSigAlgoSz);
12990 WOLFSSL_MSG("Could not verify suite validity, continue");
12994 return MATCH_SUITE_ERROR;
12998 #ifdef OLD_HELLO_ALLOWED
13000 /* process old style client hello, deprecate? */
13001 int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
13002 word32 inSz, word16 sz)
13004 word32 idx = *inOutIdx;
13008 ProtocolVersion pv;
13012 WOLFSSL_MSG("Got old format client hello");
13013 #ifdef WOLFSSL_CALLBACKS
13015 AddPacketName("ClientHello", &ssl->handShakeInfo);
13017 AddLateName("ClientHello", &ssl->timeoutInfo);
13020 /* manually hash input since different format */
13023 wc_Md5Update(&ssl->hsHashes->hashMd5, input + idx, sz);
13026 wc_ShaUpdate(&ssl->hsHashes->hashSha, input + idx, sz);
13030 if (IsAtLeastTLSv1_2(ssl)) {
13031 int shaRet = wc_Sha256Update(&ssl->hsHashes->hashSha256,
13038 /* does this value mean client_hello? */
13042 pv.major = input[idx++];
13043 pv.minor = input[idx++];
13044 ssl->chVersion = pv; /* store */
13046 if (ssl->version.minor > pv.minor) {
13049 if (!ssl->options.downgrade) {
13050 WOLFSSL_MSG("Client trying to connect with lesser version");
13051 return VERSION_ERROR;
13053 if (pv.minor < ssl->options.minDowngrade) {
13054 WOLFSSL_MSG(" version below minimum allowed, fatal error");
13055 return VERSION_ERROR;
13057 if (pv.minor == SSLv3_MINOR) {
13059 WOLFSSL_MSG(" downgrading to SSLv3");
13060 ssl->options.tls = 0;
13061 ssl->options.tls1_1 = 0;
13062 ssl->version.minor = SSLv3_MINOR;
13064 else if (pv.minor == TLSv1_MINOR) {
13065 WOLFSSL_MSG(" downgrading to TLSv1");
13066 /* turn off tls 1.1+ */
13067 ssl->options.tls1_1 = 0;
13068 ssl->version.minor = TLSv1_MINOR;
13070 else if (pv.minor == TLSv1_1_MINOR) {
13071 WOLFSSL_MSG(" downgrading to TLSv1.1");
13072 ssl->version.minor = TLSv1_1_MINOR;
13078 havePSK = ssl->options.havePSK;
13081 InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
13082 ssl->options.haveDH, ssl->options.haveNTRU,
13083 ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
13084 ssl->options.side);
13088 ato16(&input[idx], &clSuites.suiteSz);
13091 if (clSuites.suiteSz > MAX_SUITE_SZ)
13092 return BUFFER_ERROR;
13093 clSuites.hashSigAlgoSz = 0;
13096 ato16(&input[idx], &sessionSz);
13099 if (sessionSz > ID_LEN)
13100 return BUFFER_ERROR;
13103 ato16(&input[idx], &randomSz);
13106 if (randomSz > RAN_LEN)
13107 return BUFFER_ERROR;
13110 for (i = 0, j = 0; i < clSuites.suiteSz; i += 3) {
13111 byte first = input[idx++];
13112 if (!first) { /* implicit: skip sslv2 type */
13113 XMEMCPY(&clSuites.suites[j], &input[idx], 2);
13118 clSuites.suiteSz = j;
13122 XMEMCPY(ssl->arrays->sessionID, input + idx, sessionSz);
13123 ssl->arrays->sessionIDSz = (byte)sessionSz;
13125 ssl->options.resuming = 1;
13129 if (randomSz < RAN_LEN)
13130 XMEMSET(ssl->arrays->clientRandom, 0, RAN_LEN - randomSz);
13131 XMEMCPY(&ssl->arrays->clientRandom[RAN_LEN - randomSz], input + idx,
13135 if (ssl->options.usingCompression)
13136 ssl->options.usingCompression = 0; /* turn off */
13138 ssl->options.clientState = CLIENT_HELLO_COMPLETE;
13141 ssl->options.haveSessionId = 1;
13142 /* DoClientHello uses same resume code */
13143 if (ssl->options.resuming) { /* let's try */
13145 WOLFSSL_SESSION* session = GetSession(ssl,
13146 ssl->arrays->masterSecret);
13147 #ifdef HAVE_SESSION_TICKET
13148 if (ssl->options.useTicket == 1) {
13149 session = &ssl->session;
13154 WOLFSSL_MSG("Session lookup for resume failed");
13155 ssl->options.resuming = 0;
13157 if (MatchSuite(ssl, &clSuites) < 0) {
13158 WOLFSSL_MSG("Unsupported cipher suite, OldClientHello");
13159 return UNSUPPORTED_SUITE;
13161 #ifdef SESSION_CERTS
13162 ssl->session = *session; /* restore session certs. */
13165 ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom,
13171 ret = DeriveTlsKeys(ssl);
13174 if (ssl->options.tls)
13175 ret = DeriveTlsKeys(ssl);
13177 if (!ssl->options.tls)
13178 ret = DeriveKeys(ssl);
13180 ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
13186 return MatchSuite(ssl, &clSuites);
13189 #endif /* OLD_HELLO_ALLOWED */
13192 static int DoClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
13196 ProtocolVersion pv;
13198 word32 i = *inOutIdx;
13201 #ifdef WOLFSSL_CALLBACKS
13202 if (ssl->hsInfoOn) AddPacketName("ClientHello", &ssl->handShakeInfo);
13203 if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo);
13206 /* protocol version, random and session id length check */
13207 if ((i - begin) + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz)
13208 return BUFFER_ERROR;
13210 /* protocol version */
13211 XMEMCPY(&pv, input + i, OPAQUE16_LEN);
13212 ssl->chVersion = pv; /* store */
13215 if (ssl->version.minor > pv.minor) {
13219 if (!ssl->options.downgrade) {
13220 WOLFSSL_MSG("Client trying to connect with lesser version");
13221 return VERSION_ERROR;
13223 if (pv.minor < ssl->options.minDowngrade) {
13224 WOLFSSL_MSG(" version below minimum allowed, fatal error");
13225 return VERSION_ERROR;
13228 if (pv.minor == SSLv3_MINOR) {
13230 WOLFSSL_MSG(" downgrading to SSLv3");
13231 ssl->options.tls = 0;
13232 ssl->options.tls1_1 = 0;
13233 ssl->version.minor = SSLv3_MINOR;
13235 else if (pv.minor == TLSv1_MINOR) {
13236 /* turn off tls 1.1+ */
13237 WOLFSSL_MSG(" downgrading to TLSv1");
13238 ssl->options.tls1_1 = 0;
13239 ssl->version.minor = TLSv1_MINOR;
13241 else if (pv.minor == TLSv1_1_MINOR) {
13242 WOLFSSL_MSG(" downgrading to TLSv1.1");
13243 ssl->version.minor = TLSv1_1_MINOR;
13249 havePSK = ssl->options.havePSK;
13251 InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
13252 ssl->options.haveDH, ssl->options.haveNTRU,
13253 ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
13254 ssl->options.side);
13258 XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN);
13261 #ifdef SHOW_SECRETS
13264 printf("client random: ");
13265 for (j = 0; j < RAN_LEN; j++)
13266 printf("%02x", ssl->arrays->clientRandom[j]);
13275 if ((i - begin) + ID_LEN > helloSz)
13276 return BUFFER_ERROR;
13278 XMEMCPY(ssl->arrays->sessionID, input + i, ID_LEN);
13279 ssl->arrays->sessionIDSz = ID_LEN;
13281 ssl->options.resuming = 1; /* client wants to resume */
13282 WOLFSSL_MSG("Client wants to resume session");
13285 WOLFSSL_MSG("Invalid session ID size");
13286 return BUFFER_ERROR; /* session ID nor 0 neither 32 bytes long */
13289 #ifdef WOLFSSL_DTLS
13291 if (ssl->options.dtls) {
13293 if ((i - begin) + OPAQUE8_LEN > helloSz)
13294 return BUFFER_ERROR;
13299 byte cookie[MAX_COOKIE_LEN];
13301 if (b > MAX_COOKIE_LEN)
13302 return BUFFER_ERROR;
13304 if ((i - begin) + b > helloSz)
13305 return BUFFER_ERROR;
13307 if (ssl->ctx->CBIOCookie == NULL) {
13308 WOLFSSL_MSG("Your Cookie callback is null, please set");
13309 return COOKIE_ERROR;
13312 if ((ssl->ctx->CBIOCookie(ssl, cookie, COOKIE_SZ,
13313 ssl->IOCB_CookieCtx) != COOKIE_SZ)
13314 || (b != COOKIE_SZ)
13315 || (XMEMCMP(cookie, input + i, b) != 0)) {
13316 return COOKIE_ERROR;
13325 if ((i - begin) + OPAQUE16_LEN > helloSz)
13326 return BUFFER_ERROR;
13328 ato16(&input[i], &clSuites.suiteSz);
13331 /* suites and compression length check */
13332 if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz)
13333 return BUFFER_ERROR;
13335 if (clSuites.suiteSz > MAX_SUITE_SZ)
13336 return BUFFER_ERROR;
13338 XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz);
13339 i += clSuites.suiteSz;
13340 clSuites.hashSigAlgoSz = 0;
13342 /* compression length */
13345 if ((i - begin) + b > helloSz)
13346 return BUFFER_ERROR;
13348 if (ssl->options.usingCompression) {
13352 byte comp = input[i++];
13354 if (comp == ZLIB_COMPRESSION)
13359 WOLFSSL_MSG("Not matching compression, turning off");
13360 ssl->options.usingCompression = 0; /* turn off */
13364 i += b; /* ignore, since we're not on */
13368 /* tls extensions */
13369 if ((i - begin) < helloSz) {
13370 #ifdef HAVE_TLS_EXTENSIONS
13371 if (TLSX_SupportExtensions(ssl)) {
13374 if (IsAtLeastTLSv1_2(ssl)) {
13376 /* Process the hello extension. Skip unsupported. */
13379 if ((i - begin) + OPAQUE16_LEN > helloSz)
13380 return BUFFER_ERROR;
13382 ato16(&input[i], &totalExtSz);
13385 if ((i - begin) + totalExtSz > helloSz)
13386 return BUFFER_ERROR;
13388 #ifdef HAVE_TLS_EXTENSIONS
13389 if ((ret = TLSX_Parse(ssl, (byte *) input + i,
13390 totalExtSz, 1, &clSuites)))
13395 while (totalExtSz) {
13396 word16 extId, extSz;
13398 if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz)
13399 return BUFFER_ERROR;
13401 ato16(&input[i], &extId);
13403 ato16(&input[i], &extSz);
13406 if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz)
13407 return BUFFER_ERROR;
13409 if (extId == HELLO_EXT_SIG_ALGO) {
13410 ato16(&input[i], &clSuites.hashSigAlgoSz);
13413 if (OPAQUE16_LEN + clSuites.hashSigAlgoSz > extSz)
13414 return BUFFER_ERROR;
13416 XMEMCPY(clSuites.hashSigAlgo, &input[i],
13417 min(clSuites.hashSigAlgoSz, HELLO_EXT_SIGALGO_MAX));
13418 i += clSuites.hashSigAlgoSz;
13420 if (clSuites.hashSigAlgoSz > HELLO_EXT_SIGALGO_MAX)
13421 clSuites.hashSigAlgoSz = HELLO_EXT_SIGALGO_MAX;
13426 totalExtSz -= OPAQUE16_LEN + OPAQUE16_LEN + extSz;
13432 *inOutIdx = begin + helloSz; /* skip extensions */
13435 ssl->options.clientState = CLIENT_HELLO_COMPLETE;
13436 ssl->options.haveSessionId = 1;
13438 /* ProcessOld uses same resume code */
13439 if (ssl->options.resuming && (!ssl->options.dtls ||
13440 ssl->options.acceptState == HELLO_VERIFY_SENT)) { /* let's try */
13442 WOLFSSL_SESSION* session = GetSession(ssl,
13443 ssl->arrays->masterSecret);
13444 #ifdef HAVE_SESSION_TICKET
13445 if (ssl->options.useTicket == 1) {
13446 session = &ssl->session;
13451 WOLFSSL_MSG("Session lookup for resume failed");
13452 ssl->options.resuming = 0;
13455 if (MatchSuite(ssl, &clSuites) < 0) {
13456 WOLFSSL_MSG("Unsupported cipher suite, ClientHello");
13457 return UNSUPPORTED_SUITE;
13459 #ifdef SESSION_CERTS
13460 ssl->session = *session; /* restore session certs. */
13463 ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom,
13469 ret = DeriveTlsKeys(ssl);
13472 if (ssl->options.tls)
13473 ret = DeriveTlsKeys(ssl);
13475 if (!ssl->options.tls)
13476 ret = DeriveKeys(ssl);
13478 ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
13483 return MatchSuite(ssl, &clSuites);
13486 #if !defined(NO_RSA) || defined(HAVE_ECC)
13487 static int DoCertificateVerify(WOLFSSL* ssl, byte* input, word32* inOutIdx,
13491 int ret = VERIFY_CERT_ERROR; /* start in error state */
13492 byte hashAlgo = sha_mac;
13493 byte sigAlgo = anonymous_sa_algo;
13494 word32 begin = *inOutIdx;
13496 #ifdef WOLFSSL_CALLBACKS
13498 AddPacketName("CertificateVerify", &ssl->handShakeInfo);
13500 AddLateName("CertificateVerify", &ssl->timeoutInfo);
13504 if (IsAtLeastTLSv1_2(ssl)) {
13505 if ((*inOutIdx - begin) + ENUM_LEN + ENUM_LEN > size)
13506 return BUFFER_ERROR;
13508 hashAlgo = input[(*inOutIdx)++];
13509 sigAlgo = input[(*inOutIdx)++];
13512 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
13513 return BUFFER_ERROR;
13515 ato16(input + *inOutIdx, &sz);
13516 *inOutIdx += OPAQUE16_LEN;
13518 if ((*inOutIdx - begin) + sz > size || sz > ENCRYPT_LEN)
13519 return BUFFER_ERROR;
13523 if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
13526 byte doUserRsa = 0;
13528 #ifdef HAVE_PK_CALLBACKS
13529 if (ssl->ctx->RsaVerifyCb)
13531 #endif /*HAVE_PK_CALLBACKS */
13533 WOLFSSL_MSG("Doing RSA peer cert verify");
13536 #ifdef HAVE_PK_CALLBACKS
13537 outLen = ssl->ctx->RsaVerifyCb(ssl, input + *inOutIdx, sz,
13539 ssl->buffers.peerRsaKey.buffer,
13540 ssl->buffers.peerRsaKey.length,
13541 ssl->RsaVerifyCtx);
13542 #endif /*HAVE_PK_CALLBACKS */
13545 outLen = wc_RsaSSL_VerifyInline(input + *inOutIdx, sz, &out,
13549 if (IsAtLeastTLSv1_2(ssl)) {
13550 #ifdef WOLFSSL_SMALL_STACK
13551 byte* encodedSig = NULL;
13553 byte encodedSig[MAX_ENCODED_SIG_SZ];
13556 byte* digest = ssl->hsHashes->certHashes.sha;
13558 int digestSz = SHA_DIGEST_SIZE;
13560 #ifdef WOLFSSL_SMALL_STACK
13561 encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
13562 DYNAMIC_TYPE_TMP_BUFFER);
13563 if (encodedSig == NULL)
13567 if (sigAlgo != rsa_sa_algo) {
13568 WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
13571 if (hashAlgo == sha256_mac) {
13573 digest = ssl->hsHashes->certHashes.sha256;
13575 digestSz = SHA256_DIGEST_SIZE;
13578 else if (hashAlgo == sha384_mac) {
13579 #ifdef WOLFSSL_SHA384
13580 digest = ssl->hsHashes->certHashes.sha384;
13582 digestSz = SHA384_DIGEST_SIZE;
13585 else if (hashAlgo == sha512_mac) {
13586 #ifdef WOLFSSL_SHA512
13587 digest = ssl->hsHashes->certHashes.sha512;
13589 digestSz = SHA512_DIGEST_SIZE;
13593 sigSz = wc_EncodeSignature(encodedSig, digest, digestSz, typeH);
13595 if (outLen == (int)sigSz && out && XMEMCMP(out, encodedSig,
13596 min(sigSz, MAX_ENCODED_SIG_SZ)) == 0)
13597 ret = 0; /* verified */
13599 #ifdef WOLFSSL_SMALL_STACK
13600 XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
13604 if (outLen == FINISHED_SZ && out && XMEMCMP(out,
13605 &ssl->hsHashes->certHashes,
13606 FINISHED_SZ) == 0) {
13607 ret = 0; /* verified */
13613 if (ssl->peerEccDsaKeyPresent) {
13616 byte* digest = ssl->hsHashes->certHashes.sha;
13617 word32 digestSz = SHA_DIGEST_SIZE;
13618 byte doUserEcc = 0;
13620 #ifdef HAVE_PK_CALLBACKS
13621 if (ssl->ctx->EccVerifyCb)
13625 WOLFSSL_MSG("Doing ECC peer cert verify");
13627 if (IsAtLeastTLSv1_2(ssl)) {
13628 if (sigAlgo != ecc_dsa_sa_algo) {
13629 WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
13632 if (hashAlgo == sha256_mac) {
13634 digest = ssl->hsHashes->certHashes.sha256;
13635 digestSz = SHA256_DIGEST_SIZE;
13638 else if (hashAlgo == sha384_mac) {
13639 #ifdef WOLFSSL_SHA384
13640 digest = ssl->hsHashes->certHashes.sha384;
13641 digestSz = SHA384_DIGEST_SIZE;
13644 else if (hashAlgo == sha512_mac) {
13645 #ifdef WOLFSSL_SHA512
13646 digest = ssl->hsHashes->certHashes.sha512;
13647 digestSz = SHA512_DIGEST_SIZE;
13653 #ifdef HAVE_PK_CALLBACKS
13654 ret = ssl->ctx->EccVerifyCb(ssl, input + *inOutIdx, sz, digest,
13656 ssl->buffers.peerEccDsaKey.buffer,
13657 ssl->buffers.peerEccDsaKey.length,
13658 &verify, ssl->EccVerifyCtx);
13662 err = wc_ecc_verify_hash(input + *inOutIdx, sz, digest,
13663 digestSz, &verify, ssl->peerEccDsaKey);
13666 if (err == 0 && verify == 1)
13667 ret = 0; /* verified */
13673 ssl->options.havePeerVerify = 1;
13677 #endif /* !NO_RSA || HAVE_ECC */
13679 int SendServerHelloDone(WOLFSSL* ssl)
13682 int sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
13685 #ifdef WOLFSSL_DTLS
13686 if (ssl->options.dtls)
13687 sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
13689 /* check for available size */
13690 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
13693 /* get ouput buffer */
13694 output = ssl->buffers.outputBuffer.buffer +
13695 ssl->buffers.outputBuffer.length;
13697 AddHeaders(output, 0, server_hello_done, ssl);
13699 #ifdef WOLFSSL_DTLS
13700 if (ssl->options.dtls) {
13701 if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
13706 ret = HashOutput(ssl, output, sendSz, 0);
13710 #ifdef WOLFSSL_CALLBACKS
13712 AddPacketName("ServerHelloDone", &ssl->handShakeInfo);
13714 AddPacketInfo("ServerHelloDone", &ssl->timeoutInfo, output, sendSz,
13717 ssl->options.serverState = SERVER_HELLODONE_COMPLETE;
13719 ssl->buffers.outputBuffer.length += sendSz;
13721 return SendBuffered(ssl);
13725 #ifdef HAVE_SESSION_TICKET
13727 #define WOLFSSL_TICKET_FIXED_SZ (WOLFSSL_TICKET_NAME_SZ + \
13728 WOLFSSL_TICKET_IV_SZ + WOLFSSL_TICKET_MAC_SZ + LENGTH_SZ)
13729 #define WOLFSSL_TICKET_ENC_SZ (SESSION_TICKET_LEN - WOLFSSL_TICKET_FIXED_SZ)
13731 /* our ticket format */
13732 typedef struct InternalTicket {
13733 ProtocolVersion pv; /* version when ticket created */
13734 byte suite[SUITE_LEN]; /* cipher suite when created */
13735 byte msecret[SECRET_LEN]; /* master secret */
13736 word32 timestamp; /* born on */
13739 /* fit within SESSION_TICKET_LEN */
13740 typedef struct ExternalTicket {
13741 byte key_name[WOLFSSL_TICKET_NAME_SZ]; /* key context name */
13742 byte iv[WOLFSSL_TICKET_IV_SZ]; /* this ticket's iv */
13743 byte enc_len[LENGTH_SZ]; /* encrypted length */
13744 byte enc_ticket[WOLFSSL_TICKET_ENC_SZ]; /* encrypted internal ticket */
13745 byte mac[WOLFSSL_TICKET_MAC_SZ]; /* total mac */
13746 /* !! if add to structure, add to TICKET_FIXED_SZ !! */
13749 /* create a new session ticket, 0 on success */
13750 static int CreateTicket(WOLFSSL* ssl)
13753 ExternalTicket* et = (ExternalTicket*)ssl->session.ticket;
13756 byte zeros[WOLFSSL_TICKET_MAC_SZ]; /* biggest cmp size */
13758 /* build internal */
13759 it.pv.major = ssl->version.major;
13760 it.pv.minor = ssl->version.minor;
13762 it.suite[0] = ssl->options.cipherSuite0;
13763 it.suite[1] = ssl->options.cipherSuite;
13765 XMEMCPY(it.msecret, ssl->arrays->masterSecret, SECRET_LEN);
13766 c32toa(LowResTimer(), (byte*)&it.timestamp);
13768 /* build external */
13769 XMEMCPY(et->enc_ticket, &it, sizeof(InternalTicket));
13772 encLen = WOLFSSL_TICKET_ENC_SZ; /* max size user can use */
13773 ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, et->mac, 1,
13774 et->enc_ticket, sizeof(InternalTicket),
13775 &encLen, ssl->ctx->ticketEncCtx);
13776 if (ret == WOLFSSL_TICKET_RET_OK) {
13777 if (encLen < (int)sizeof(InternalTicket) ||
13778 encLen > WOLFSSL_TICKET_ENC_SZ) {
13779 WOLFSSL_MSG("Bad user ticket encrypt size");
13780 return BAD_TICKET_KEY_CB_SZ;
13783 /* sanity checks on encrypt callback */
13785 /* internal ticket can't be the same if encrypted */
13786 if (XMEMCMP(et->enc_ticket, &it, sizeof(InternalTicket)) == 0) {
13787 WOLFSSL_MSG("User ticket encrypt didn't encrypt");
13788 return BAD_TICKET_ENCRYPT;
13791 XMEMSET(zeros, 0, sizeof(zeros));
13794 if (XMEMCMP(et->key_name, zeros, WOLFSSL_TICKET_NAME_SZ) == 0) {
13795 WOLFSSL_MSG("User ticket encrypt didn't set name");
13796 return BAD_TICKET_ENCRYPT;
13800 if (XMEMCMP(et->iv, zeros, WOLFSSL_TICKET_IV_SZ) == 0) {
13801 WOLFSSL_MSG("User ticket encrypt didn't set iv");
13802 return BAD_TICKET_ENCRYPT;
13806 if (XMEMCMP(et->mac, zeros, WOLFSSL_TICKET_MAC_SZ) == 0) {
13807 WOLFSSL_MSG("User ticket encrypt didn't set mac");
13808 return BAD_TICKET_ENCRYPT;
13812 c16toa((word16)encLen, et->enc_len);
13813 ssl->session.ticketLen = (word16)(encLen + WOLFSSL_TICKET_FIXED_SZ);
13814 if (encLen < WOLFSSL_TICKET_ENC_SZ) {
13815 /* move mac up since whole enc buffer not used */
13816 XMEMMOVE(et->enc_ticket +encLen, et->mac,WOLFSSL_TICKET_MAC_SZ);
13824 /* Parse ticket sent by client, returns callback return value */
13825 int DoClientTicket(WOLFSSL* ssl, const byte* input, word32 len)
13827 ExternalTicket* et;
13828 InternalTicket* it;
13833 if (len > SESSION_TICKET_LEN ||
13834 len < (word32)(sizeof(InternalTicket) + WOLFSSL_TICKET_FIXED_SZ)) {
13835 return BAD_TICKET_MSG_SZ;
13838 et = (ExternalTicket*)input;
13839 it = (InternalTicket*)et->enc_ticket;
13842 ato16(et->enc_len, &inLen);
13843 if (inLen > (word16)(len - WOLFSSL_TICKET_FIXED_SZ)) {
13844 return BAD_TICKET_MSG_SZ;
13846 outLen = inLen; /* may be reduced by user padding */
13847 ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv,
13848 et->enc_ticket + inLen, 0,
13849 et->enc_ticket, inLen, &outLen,
13850 ssl->ctx->ticketEncCtx);
13851 if (ret == WOLFSSL_TICKET_RET_FATAL || ret < 0) return ret;
13852 if (outLen > inLen || outLen < (int)sizeof(InternalTicket)) {
13853 WOLFSSL_MSG("Bad user ticket decrypt len");
13854 return BAD_TICKET_KEY_CB_SZ;
13857 /* get master secret */
13858 if (ret == WOLFSSL_TICKET_RET_OK || ret == WOLFSSL_TICKET_RET_CREATE)
13859 XMEMCPY(ssl->arrays->masterSecret, it->msecret, SECRET_LEN);
13865 /* send Session Ticket */
13866 int SendTicket(WOLFSSL* ssl)
13871 word32 length = SESSION_HINT_SZ + LENGTH_SZ;
13872 word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
13874 #ifdef WOLFSSL_DTLS
13875 if (ssl->options.dtls) {
13876 length += DTLS_RECORD_EXTRA;
13877 idx += DTLS_RECORD_EXTRA;
13881 if (ssl->options.createTicket) {
13882 ret = CreateTicket(ssl);
13883 if (ret != 0) return ret;
13886 length += ssl->session.ticketLen;
13887 sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
13889 /* check for available size */
13890 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
13893 /* get ouput buffer */
13894 output = ssl->buffers.outputBuffer.buffer +
13895 ssl->buffers.outputBuffer.length;
13897 AddHeaders(output, length, session_ticket, ssl);
13900 c32toa(ssl->ctx->ticketHint, output + idx);
13901 idx += SESSION_HINT_SZ;
13904 c16toa(ssl->session.ticketLen, output + idx);
13908 XMEMCPY(output + idx, ssl->session.ticket, ssl->session.ticketLen);
13909 /* idx += ssl->session.ticketLen; */
13911 ret = HashOutput(ssl, output, sendSz, 0);
13912 if (ret != 0) return ret;
13913 ssl->buffers.outputBuffer.length += sendSz;
13915 return SendBuffered(ssl);
13918 #endif /* HAVE_SESSION_TICKET */
13921 #ifdef WOLFSSL_DTLS
13922 int SendHelloVerifyRequest(WOLFSSL* ssl)
13925 byte cookieSz = COOKIE_SZ;
13926 int length = VERSION_SZ + ENUM_LEN + cookieSz;
13927 int idx = DTLS_RECORD_HEADER_SZ + DTLS_HANDSHAKE_HEADER_SZ;
13928 int sendSz = length + idx;
13931 /* check for available size */
13932 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
13935 /* get ouput buffer */
13936 output = ssl->buffers.outputBuffer.buffer +
13937 ssl->buffers.outputBuffer.length;
13939 AddHeaders(output, length, hello_verify_request, ssl);
13941 output[idx++] = ssl->chVersion.major;
13942 output[idx++] = ssl->chVersion.minor;
13944 output[idx++] = cookieSz;
13945 if (ssl->ctx->CBIOCookie == NULL) {
13946 WOLFSSL_MSG("Your Cookie callback is null, please set");
13947 return COOKIE_ERROR;
13949 if ((ret = ssl->ctx->CBIOCookie(ssl, output + idx, cookieSz,
13950 ssl->IOCB_CookieCtx)) < 0)
13953 ret = HashOutput(ssl, output, sendSz, 0);
13957 #ifdef WOLFSSL_CALLBACKS
13959 AddPacketName("HelloVerifyRequest", &ssl->handShakeInfo);
13961 AddPacketInfo("HelloVerifyRequest", &ssl->timeoutInfo, output,
13962 sendSz, ssl->heap);
13964 ssl->options.serverState = SERVER_HELLOVERIFYREQUEST_COMPLETE;
13966 ssl->buffers.outputBuffer.length += sendSz;
13968 return SendBuffered(ssl);
13972 static int DoClientKeyExchange(WOLFSSL* ssl, byte* input, word32* inOutIdx,
13978 word32 begin = *inOutIdx;
13980 (void)length; /* shut up compiler warnings */
13986 if (ssl->options.side != WOLFSSL_SERVER_END) {
13987 WOLFSSL_MSG("Client received client keyexchange, attack?");
13988 WOLFSSL_ERROR(ssl->error = SIDE_ERROR);
13989 return SSL_FATAL_ERROR;
13992 if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
13993 WOLFSSL_MSG("Client sending keyexchange at wrong time");
13994 SendAlert(ssl, alert_fatal, unexpected_message);
13995 return OUT_OF_ORDER_E;
13999 if (ssl->options.verifyPeer && ssl->options.failNoCert)
14000 if (!ssl->options.havePeerCert) {
14001 WOLFSSL_MSG("client didn't present peer cert");
14002 return NO_PEER_CERT;
14006 #ifdef WOLFSSL_CALLBACKS
14008 AddPacketName("ClientKeyExchange", &ssl->handShakeInfo);
14010 AddLateName("ClientKeyExchange", &ssl->timeoutInfo);
14013 switch (ssl->specs.kea) {
14019 byte doUserRsa = 0;
14021 #ifdef HAVE_PK_CALLBACKS
14022 if (ssl->ctx->RsaDecCb)
14026 ret = wc_InitRsaKey(&key, ssl->heap);
14027 if (ret != 0) return ret;
14029 if (ssl->buffers.key.buffer)
14030 ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx,
14031 &key, ssl->buffers.key.length);
14033 return NO_PRIVATE_KEY;
14036 length = wc_RsaEncryptSize(&key);
14037 ssl->arrays->preMasterSz = SECRET_LEN;
14039 if (ssl->options.tls) {
14042 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
14043 return BUFFER_ERROR;
14045 ato16(input + *inOutIdx, &check);
14046 *inOutIdx += OPAQUE16_LEN;
14048 if ((word32) check != length) {
14049 WOLFSSL_MSG("RSA explicit size doesn't match");
14050 wc_FreeRsaKey(&key);
14051 return RSA_PRIVATE_ERROR;
14055 if ((*inOutIdx - begin) + length > size) {
14056 WOLFSSL_MSG("RSA message too big");
14057 wc_FreeRsaKey(&key);
14058 return BUFFER_ERROR;
14062 #ifdef HAVE_PK_CALLBACKS
14063 ret = ssl->ctx->RsaDecCb(ssl,
14064 input + *inOutIdx, length, &out,
14065 ssl->buffers.key.buffer,
14066 ssl->buffers.key.length,
14071 ret = wc_RsaPrivateDecryptInline(input + *inOutIdx, length,
14075 *inOutIdx += length;
14077 if (ret == SECRET_LEN) {
14078 XMEMCPY(ssl->arrays->preMasterSecret, out, SECRET_LEN);
14079 if (ssl->arrays->preMasterSecret[0] !=
14080 ssl->chVersion.major
14081 || ssl->arrays->preMasterSecret[1] !=
14082 ssl->chVersion.minor)
14083 ret = PMS_VERSION_ERROR;
14085 ret = MakeMasterSecret(ssl);
14088 ret = RSA_PRIVATE_ERROR;
14092 wc_FreeRsaKey(&key);
14099 byte* pms = ssl->arrays->preMasterSecret;
14102 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
14103 return BUFFER_ERROR;
14105 ato16(input + *inOutIdx, &ci_sz);
14106 *inOutIdx += OPAQUE16_LEN;
14108 if (ci_sz > MAX_PSK_ID_LEN)
14109 return CLIENT_ID_ERROR;
14111 if ((*inOutIdx - begin) + ci_sz > size)
14112 return BUFFER_ERROR;
14114 XMEMCPY(ssl->arrays->client_identity, input + *inOutIdx, ci_sz);
14115 *inOutIdx += ci_sz;
14117 ssl->arrays->client_identity[min(ci_sz, MAX_PSK_ID_LEN-1)] = 0;
14118 ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
14119 ssl->arrays->client_identity, ssl->arrays->psk_key,
14122 if (ssl->arrays->psk_keySz == 0 ||
14123 ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN)
14124 return PSK_KEY_ERROR;
14126 /* make psk pre master secret */
14127 /* length of key + length 0s + length of key + key */
14128 c16toa((word16) ssl->arrays->psk_keySz, pms);
14129 pms += OPAQUE16_LEN;
14131 XMEMSET(pms, 0, ssl->arrays->psk_keySz);
14132 pms += ssl->arrays->psk_keySz;
14134 c16toa((word16) ssl->arrays->psk_keySz, pms);
14135 pms += OPAQUE16_LEN;
14137 XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz);
14138 ssl->arrays->preMasterSz = ssl->arrays->psk_keySz * 2 + 4;
14140 ret = MakeMasterSecret(ssl);
14142 /* No further need for PSK */
14143 ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz);
14144 ssl->arrays->psk_keySz = 0;
14147 #endif /* NO_PSK */
14152 word16 plainLen = sizeof(ssl->arrays->preMasterSecret);
14154 if (!ssl->buffers.key.buffer)
14155 return NO_PRIVATE_KEY;
14157 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
14158 return BUFFER_ERROR;
14160 ato16(input + *inOutIdx, &cipherLen);
14161 *inOutIdx += OPAQUE16_LEN;
14163 if (cipherLen > MAX_NTRU_ENCRYPT_SZ)
14164 return NTRU_KEY_ERROR;
14166 if ((*inOutIdx - begin) + cipherLen > size)
14167 return BUFFER_ERROR;
14169 if (NTRU_OK != ntru_crypto_ntru_decrypt(
14170 (word16) ssl->buffers.key.length,
14171 ssl->buffers.key.buffer, cipherLen,
14172 input + *inOutIdx, &plainLen,
14173 ssl->arrays->preMasterSecret))
14174 return NTRU_DECRYPT_ERROR;
14176 if (plainLen != SECRET_LEN)
14177 return NTRU_DECRYPT_ERROR;
14179 *inOutIdx += cipherLen;
14181 ssl->arrays->preMasterSz = plainLen;
14182 ret = MakeMasterSecret(ssl);
14185 #endif /* HAVE_NTRU */
14187 case ecc_diffie_hellman_kea:
14189 if ((*inOutIdx - begin) + OPAQUE8_LEN > size)
14190 return BUFFER_ERROR;
14192 length = input[(*inOutIdx)++];
14194 if ((*inOutIdx - begin) + length > size)
14195 return BUFFER_ERROR;
14197 if (ssl->peerEccKey == NULL) {
14198 /* alloc/init on demand */
14199 ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
14200 ssl->ctx->heap, DYNAMIC_TYPE_ECC);
14201 if (ssl->peerEccKey == NULL) {
14202 WOLFSSL_MSG("PeerEccKey Memory error");
14205 wc_ecc_init(ssl->peerEccKey);
14206 } else if (ssl->peerEccKeyPresent) { /* don't leak on reuse */
14207 wc_ecc_free(ssl->peerEccKey);
14208 ssl->peerEccKeyPresent = 0;
14209 wc_ecc_init(ssl->peerEccKey);
14212 if (wc_ecc_import_x963(input + *inOutIdx, length, ssl->peerEccKey))
14213 return ECC_PEERKEY_ERROR;
14215 *inOutIdx += length;
14216 ssl->peerEccKeyPresent = 1;
14218 length = sizeof(ssl->arrays->preMasterSecret);
14220 if (ssl->specs.static_ecdh) {
14224 wc_ecc_init(&staticKey);
14225 ret = wc_EccPrivateKeyDecode(ssl->buffers.key.buffer, &i,
14226 &staticKey, ssl->buffers.key.length);
14229 ret = wc_ecc_shared_secret(&staticKey, ssl->peerEccKey,
14230 ssl->arrays->preMasterSecret, &length);
14232 wc_ecc_free(&staticKey);
14235 if (ssl->eccTempKeyPresent == 0) {
14236 WOLFSSL_MSG("Ecc ephemeral key not made correctly");
14237 ret = ECC_MAKEKEY_ERROR;
14239 ret = wc_ecc_shared_secret(ssl->eccTempKey,ssl->peerEccKey,
14240 ssl->arrays->preMasterSecret, &length);
14245 return ECC_SHARED_ERROR;
14247 ssl->arrays->preMasterSz = length;
14248 ret = MakeMasterSecret(ssl);
14251 #endif /* HAVE_ECC */
14253 case diffie_hellman_kea:
14255 word16 clientPubSz;
14258 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
14259 return BUFFER_ERROR;
14261 ato16(input + *inOutIdx, &clientPubSz);
14262 *inOutIdx += OPAQUE16_LEN;
14264 if ((*inOutIdx - begin) + clientPubSz > size)
14265 return BUFFER_ERROR;
14267 wc_InitDhKey(&dhKey);
14268 ret = wc_DhSetKey(&dhKey, ssl->buffers.serverDH_P.buffer,
14269 ssl->buffers.serverDH_P.length,
14270 ssl->buffers.serverDH_G.buffer,
14271 ssl->buffers.serverDH_G.length);
14273 ret = wc_DhAgree(&dhKey, ssl->arrays->preMasterSecret,
14274 &ssl->arrays->preMasterSz,
14275 ssl->buffers.serverDH_Priv.buffer,
14276 ssl->buffers.serverDH_Priv.length,
14277 input + *inOutIdx, clientPubSz);
14278 wc_FreeDhKey(&dhKey);
14280 *inOutIdx += clientPubSz;
14283 ret = MakeMasterSecret(ssl);
14287 #if !defined(NO_DH) && !defined(NO_PSK)
14290 byte* pms = ssl->arrays->preMasterSecret;
14294 /* Read in the PSK hint */
14295 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
14296 return BUFFER_ERROR;
14298 ato16(input + *inOutIdx, &clientSz);
14299 *inOutIdx += OPAQUE16_LEN;
14300 if (clientSz > MAX_PSK_ID_LEN)
14301 return CLIENT_ID_ERROR;
14303 if ((*inOutIdx - begin) + clientSz > size)
14304 return BUFFER_ERROR;
14306 XMEMCPY(ssl->arrays->client_identity,
14307 input + *inOutIdx, clientSz);
14308 *inOutIdx += clientSz;
14309 ssl->arrays->client_identity[min(clientSz, MAX_PSK_ID_LEN-1)] =
14312 /* Read in the DHE business */
14313 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
14314 return BUFFER_ERROR;
14316 ato16(input + *inOutIdx, &clientSz);
14317 *inOutIdx += OPAQUE16_LEN;
14319 if ((*inOutIdx - begin) + clientSz > size)
14320 return BUFFER_ERROR;
14322 wc_InitDhKey(&dhKey);
14323 ret = wc_DhSetKey(&dhKey, ssl->buffers.serverDH_P.buffer,
14324 ssl->buffers.serverDH_P.length,
14325 ssl->buffers.serverDH_G.buffer,
14326 ssl->buffers.serverDH_G.length);
14328 ret = wc_DhAgree(&dhKey, pms + OPAQUE16_LEN,
14329 &ssl->arrays->preMasterSz,
14330 ssl->buffers.serverDH_Priv.buffer,
14331 ssl->buffers.serverDH_Priv.length,
14332 input + *inOutIdx, clientSz);
14333 wc_FreeDhKey(&dhKey);
14335 *inOutIdx += clientSz;
14336 c16toa((word16)ssl->arrays->preMasterSz, pms);
14337 ssl->arrays->preMasterSz += OPAQUE16_LEN;
14338 pms += ssl->arrays->preMasterSz;
14340 /* Use the PSK hint to look up the PSK and add it to the
14341 * preMasterSecret here. */
14342 ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
14343 ssl->arrays->client_identity, ssl->arrays->psk_key,
14346 if (ssl->arrays->psk_keySz == 0 ||
14347 ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN)
14348 return PSK_KEY_ERROR;
14350 c16toa((word16) ssl->arrays->psk_keySz, pms);
14351 pms += OPAQUE16_LEN;
14353 XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz);
14354 ssl->arrays->preMasterSz +=
14355 ssl->arrays->psk_keySz + OPAQUE16_LEN;
14357 ret = MakeMasterSecret(ssl);
14359 /* No further need for PSK */
14360 ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz);
14361 ssl->arrays->psk_keySz = 0;
14364 #endif /* !NO_DH && !NO_PSK */
14367 WOLFSSL_MSG("Bad kea type");
14368 ret = BAD_KEA_TYPE_E;
14373 /* No further need for PMS */
14374 ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
14375 ssl->arrays->preMasterSz = 0;
14378 ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
14380 if (ssl->options.verifyPeer)
14381 ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes);
14388 #endif /* NO_WOLFSSL_SERVER */