Merge branch 'master' of https://github.com/wolfSSL/wolfssl into PR-E…

…xpressif-Benchmark

IDE/WIN10/wolfssl-fips.vcxproj

@@ -272,6 +272,7 @@
     <ClCompile Include="..\..\wolfcrypt\src\hash.c" />
     <ClCompile Include="..\..\wolfcrypt\src\hmac.c" />
     <ClCompile Include="..\..\wolfcrypt\src\integer.c" />
+    <ClCompile Include="..\..\wolfcrypt\src\pkcs7.c" />
     <ClCompile Include="..\..\wolfcrypt\src\tfm.c" />
     <ClCompile Include="..\..\src\internal.c" />
     <ClCompile Include="..\..\src\wolfio.c" />

src/internal.c

@@ -19609,7 +19609,8 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx, int sniff)
         return BUFFER_ERROR;
     }
 #ifdef WOLFSSL_EARLY_DATA
-    if (ssl->earlyData > early_data_ext) {
+    if (ssl->options.side == WOLFSSL_SERVER_END &&
+            ssl->earlyData > early_data_ext) {
         if (ssl->earlyDataSz + dataSz > ssl->options.maxEarlyDataSz) {
             if (sniff == NO_SNIFF) {
                 SendAlert(ssl, alert_fatal, unexpected_message);
@@ -19649,11 +19650,14 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx, int sniff)
 #endif
 
     *inOutIdx = idx;
+#ifdef WOLFSSL_DTLS13
+    if (ssl->options.connectState == WAIT_FINISHED_ACK) {
+        /* DTLS 1.3 is waiting for an ACK but we can still return app data. */
+        return APP_DATA_READY;
+    }
+#endif
 #ifdef HAVE_SECURE_RENEGOTIATION
     if (IsSCR(ssl)) {
-        /* Reset the processReply state since
-         * we finished processing this message. */
-        ssl->options.processReply = doProcessInit;
         /* If we are in a secure renegotiation then APP DATA is treated
          * differently */
         return APP_DATA_READY;
@@ -20246,7 +20250,7 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 #endif
 
     if (ssl->error != 0 && ssl->error != WANT_READ && ssl->error != WANT_WRITE
-    #ifdef HAVE_SECURE_RENEGOTIATION
+    #if defined(HAVE_SECURE_RENEGOTIATION) || defined(WOLFSSL_DTLS13)
         && ssl->error != APP_DATA_READY
     #endif
     #ifdef WOLFSSL_ASYNC_CRYPT
@@ -21213,7 +21217,13 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
                                                 &ssl->buffers.inputBuffer.idx,
                                                               NO_SNIFF)) != 0) {
                         WOLFSSL_ERROR(ret);
-                        return ret;
+                    #if defined(WOLFSSL_DTLS13) || \
+                        defined(HAVE_SECURE_RENEGOTIATION)
+                        /* Not really an error. We will return after cleaning
+                         * up the processReply state. */
+                        if (ret != APP_DATA_READY)
+                    #endif
+                            return ret;
                     }
                     break;
 
@@ -21270,9 +21280,18 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
             /* input exhausted */
             if (ssl->buffers.inputBuffer.idx >= ssl->buffers.inputBuffer.length
 #ifdef WOLFSSL_DTLS
-                /* If app data was processed then return now to avoid
-                 * dropping any app data. */
-                || (ssl->options.dtls && ssl->curRL.type == application_data)
+                || (ssl->options.dtls &&
+                    /* If app data was processed then return now to avoid
+                     * dropping any app data. */
+                    (ssl->curRL.type == application_data ||
+                    /* client: if we processed a finished message, return to
+                     *         allow higher layers to establish the crypto
+                     *         parameters of the connection. The remaining data
+                     *         may be app data that we would drop without the
+                     *         crypto setup. */
+                    (ssl->options.side == WOLFSSL_CLIENT_END &&
+                        ssl->options.serverState == SERVER_FINISHED_COMPLETE &&
+                        ssl->options.handShakeState != HANDSHAKE_DONE)))
 #endif
                 ) {
                 /* Shrink input buffer when we successfully finish record
@@ -21327,6 +21346,11 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
              * by higher layers. */
             if (ret != 0)
                 return ret;
+#endif
+#if defined(WOLFSSL_DTLS13) || defined(HAVE_SECURE_RENEGOTIATION)
+            /* Signal to user that we have application data ready to read */
+            if (ret == APP_DATA_READY)
+                return ret;
 #endif
             /* It is safe to shrink the input buffer here now. local vars will
              * be reset to the new starting value. */
@@ -23598,6 +23622,12 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
         groupMsgs = 1;
     #endif
     }
+    else if (IsAtLeastTLSv1_3(ssl->version) &&
+            ssl->options.side == WOLFSSL_SERVER_END &&
+            ssl->options.acceptState >= TLS13_ACCEPT_FINISHED_SENT) {
+        /* We can send data without waiting on peer finished msg */
+        WOLFSSL_MSG("server sending data before receiving client finished");
+    }
     else
 #endif
     if (ssl->options.handShakeState != HANDSHAKE_DONE && !IsSCR(ssl)) {
@@ -23835,7 +23865,7 @@ int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek)
 #ifdef WOLFSSL_ASYNC_CRYPT
             && ssl->error != WC_PENDING_E
 #endif
-#ifdef HAVE_SECURE_RENEGOTIATION
+#if defined(HAVE_SECURE_RENEGOTIATION) || defined(WOLFSSL_DTLS13)
             && ssl->error != APP_DATA_READY
 #endif
     ) {
@@ -27050,7 +27080,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
             || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
         #endif
         ) {
-            *length = GetPrivateKeySigSize(ssl);
+            *length = (word16)GetPrivateKeySigSize(ssl);
             return 0;
         }
         else
@@ -31582,7 +31612,7 @@ int SendCertificateVerify(WOLFSSL* ssl)
             if (ssl->buffers.key == NULL) {
             #ifdef HAVE_PK_CALLBACKS
                 if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx))
-                    args->length = GetPrivateKeySigSize(ssl);
+                    args->length = (word16)GetPrivateKeySigSize(ssl);
                 else
             #endif
                     ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
@@ -33555,7 +33585,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                             if (ssl->buffers.key == NULL) {
                             #ifdef HAVE_PK_CALLBACKS
                                 if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx))
-                                    keySz = (word32)GetPrivateKeySigSize(ssl);
+                                    keySz = (word16)GetPrivateKeySigSize(ssl);
                                 else
                             #endif
                                     ERROR_OUT(NO_PRIVATE_KEY, exit_sske);

src/ssl.c

@@ -3233,7 +3233,14 @@ int wolfSSL_write(WOLFSSL* ssl, const void* data, int sz)
     }
 #endif
 #ifdef WOLFSSL_EARLY_DATA
-    if (ssl->earlyData != no_early_data && (ret = wolfSSL_negotiate(ssl)) < 0) {
+    if (IsAtLeastTLSv1_3(ssl->version) &&
+            ssl->options.side == WOLFSSL_SERVER_END &&
+            ssl->options.acceptState >= TLS13_ACCEPT_FINISHED_SENT) {
+        /* We can send data without waiting on peer finished msg */
+        WOLFSSL_MSG("server sending data before receiving client finished");
+    }
+    else if (ssl->earlyData != no_early_data &&
+            (ret = wolfSSL_negotiate(ssl)) < 0) {
         ssl->error = ret;
         return WOLFSSL_FATAL_ERROR;
     }
@@ -7779,11 +7786,11 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
 
     #ifdef WOLF_PRIVATE_KEY_ID
         if (ssl != NULL) {
-            ssl->buffers.keyType = keyType;
+            ssl->buffers.keyType = (byte)keyType;
             ssl->buffers.keySz = keySz;
         }
         else if (ctx != NULL) {
-            ctx->privateKeyType = keyType;
+            ctx->privateKeyType = (byte)keyType;
             ctx->privateKeySz = keySz;
         }
     #endif

src/tls13.c

@@ -8633,7 +8633,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl)
             if (ssl->buffers.key == NULL) {
             #ifdef HAVE_PK_CALLBACKS
                 if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx))
-                    args->length = GetPrivateKeySigSize(ssl);
+                    args->length = (word16)GetPrivateKeySigSize(ssl);
                 else
             #endif
                     ERROR_OUT(NO_PRIVATE_KEY, exit_scv);

tests/api.c

@@ -68148,6 +68148,7 @@ static int test_dtls13_early_data(void)
     char msg[] = "This is early data";
     char msg2[] = "This is client data";
     char msg3[] = "This is server data";
+    char msg4[] = "This is server immediate data";
     char msgBuf[50];
 
     XMEMSET(&test_ctx, 0, sizeof(test_ctx));
@@ -68175,6 +68176,7 @@ static int test_dtls13_early_data(void)
     ExpectIntEQ(wolfSSL_disable_hrr_cookie(ssl_s), WOLFSSL_SUCCESS);
 #endif
 
+    /* Test 0-RTT data */
     ExpectIntEQ(wolfSSL_write_early_data(ssl_c, msg, sizeof(msg),
             &written), sizeof(msg));
     ExpectIntEQ(written, sizeof(msg));
@@ -68184,6 +68186,15 @@ static int test_dtls13_early_data(void)
     ExpectIntEQ(read, sizeof(msg));
     ExpectStrEQ(msg, msgBuf);
 
+    /* Test 0.5-RTT data */
+    ExpectIntEQ(wolfSSL_write(ssl_s, msg4, sizeof(msg4)), sizeof(msg4));
+
+    ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
+    ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), APP_DATA_READY);
+
+    ExpectIntEQ(wolfSSL_read(ssl_c, msgBuf, sizeof(msgBuf)), sizeof(msg4));
+    ExpectStrEQ(msg4, msgBuf);
+
     /* Complete handshake */
     ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
     ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
@@ -68195,11 +68206,14 @@ static int test_dtls13_early_data(void)
      * parsing logic. */
     ExpectFalse(wolfSSL_is_init_finished(ssl_s));
     ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, sizeof(msgBuf),
-            &read), WOLFSSL_FAILURE);
-    ExpectTrue(wolfSSL_is_init_finished(ssl_s));
+            &read), -1);
+    ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ);
 
     ExpectIntEQ(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
 
+    ExpectTrue(wolfSSL_is_init_finished(ssl_s));
+
+
     /* Test bi-directional write */
     ExpectIntEQ(wolfSSL_write(ssl_c, msg2, sizeof(msg2)), sizeof(msg2));
     ExpectIntEQ(wolfSSL_read(ssl_s, msgBuf, sizeof(msgBuf)), sizeof(msg2));

wolfcrypt/src/integer.c

@@ -4425,9 +4425,6 @@ int mp_add_d (mp_int* a, mp_digit b, mp_int* c) /* //NOLINT(misc-no-recursion) *
   /* old number of used digits in c */
   oldused = c->used;
 
-  /* sign always positive */
-  c->sign = MP_ZPOS;
-
   /* source alias */
   tmpa    = a->dp;
 
@@ -4478,6 +4475,9 @@ int mp_add_d (mp_int* a, mp_digit b, mp_int* c) /* //NOLINT(misc-no-recursion) *
      ix       = 1;
   }
 
+  /* sign always positive */
+  c->sign = MP_ZPOS;
+
   /* now zero to oldused */
   while (ix++ < oldused) {
      *tmpc++ = 0;

wolfcrypt/src/pkcs7.c

@@ -4627,7 +4627,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
                 WOLFSSL_MSG("PKCS#7 signedData needs to be version 1 or 3");
                 ret = ASN_VERSION_E;
             }
-            pkcs7->version = version;
+            pkcs7->version = (byte)version;
 
             /* Get the set of DigestAlgorithmIdentifiers */
             if (ret == 0 && GetSet(pkiMsg, &idx, &length, pkiMsgSz) < 0)
@@ -4913,7 +4913,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
             if (multiPart) {
                 pkcs7->stream->expected = contentLen + ASN_TAG_SZ;
             }
-            pkcs7->stream->multi = multiPart;
+            pkcs7->stream->multi = (byte)multiPart;
 
         #endif
             wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_VERIFY_STAGE3);
@@ -5221,7 +5221,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
                         pkcs7->stream = stream;
                     #endif
                     }
-                    pkcs7->version = version;
+                    pkcs7->version = (byte)version;
         #ifdef ASN_BER_TO_DER
                     pkcs7->der = der;
         #endif
@@ -7692,7 +7692,7 @@ static int wc_PKCS7_PwriKek_KeyWrap(PKCS7* pkcs7, const byte* kek, word32 kekSz,
     if (*outSz < (word32)outLen)
         return BUFFER_E;
 
-    out[0] = cekSz;
+    out[0] = (byte)cekSz;
     out[1] = ~cek[0];
     out[2] = ~cek[1];
     out[3] = ~cek[2];
@@ -10845,7 +10845,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in,
     byte* encryptedContent = NULL;
     int explicitOctet = 0;
     word32 localIdx;
-    byte   tag;
+    byte   tag = 0;
 
     if (pkcs7 == NULL)
         return BAD_FUNC_ARG;

wolfcrypt/src/sp_int.c

@@ -17524,6 +17524,11 @@ int sp_mont_red_ex(sp_int* a, const sp_int* m, sp_int_digit mp, int ct)
     if ((a == NULL) || (m == NULL) || sp_iszero(m)) {
         err = MP_VAL;
     }
+#ifdef WOLFSSL_SP_INT_NEGATIVE
+    else if ((a->sign == MP_NEG) || (m->sign == MP_NEG)) {
+        err = MP_VAL;
+    }
+#endif
     /* Ensure a has enough space for calculation. */
     else if (a->size < m->used * 2 + 1) {
         err = MP_VAL;

wolfssl.vcxproj

@@ -299,6 +299,7 @@
     <ClCompile Include="wolfcrypt\src\curve25519.c" />
     <ClCompile Include="wolfcrypt\src\curve448.c" />
     <ClCompile Include="wolfcrypt\src\cpuid.c" />
+    <ClCompile Include="wolfcrypt\src\cryptocb.c" />
     <ClCompile Include="wolfcrypt\src\des3.c" />
     <ClCompile Include="wolfcrypt\src\dh.c" />
     <ClCompile Include="wolfcrypt\src\dsa.c" />