luna - wolfssl/src/dtls13.c

   1/* dtls13.c
   2 *
   3 * Copyright (C) 2006-2026 wolfSSL Inc.
   4 *
   5 * This file is part of wolfSSL.
   6 *
   7 * wolfSSL is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 3 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * wolfSSL is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20 */
  21
  22#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
  23
  24#ifdef WOLFSSL_DTLS13
  25
  26#include <wolfssl/error-ssl.h>
  27#include <wolfssl/internal.h>
  28#include <wolfssl/ssl.h>
  29#include <wolfssl/wolfcrypt/aes.h>
  30#include <wolfssl/wolfcrypt/kdf.h>
  31
  32#ifdef NO_INLINE
  33#include <wolfssl/wolfcrypt/misc.h>
  34#else
  35#define WOLFSSL_MISC_INCLUDED
  36#include <wolfcrypt/src/misc.c>
  37#endif
  38
  39/**
  40 * enum rnDirection - distinguish between RecordNumber Enc/Dec
  41 * PROTECT: encrypt the Record Number
  42 * DEPROTECT: decrypt the Record Number
  43 */
  44enum rnDirection {
  45    PROTECT = 0,
  46    DEPROTECT,
  47};
  48
  49/**
  50 * struct Dtls13HandshakeHeader: represent DTLS Handshake header
  51 * @msg_type: type of message (client_hello,server_hello,etc)
  52 * @length: length of the message
  53 * @messageSeq: message sequence number (used for reordering and retransmission)
  54 * @fragmentOffset: this is the offset of the data in the complete message. For
  55 * an unfragmented message this is always zero
  56 * @fragmentLength: length of this fragment (if not fragmented @fragmentLength
  57 * is always equal to @length)
  58 */
  59typedef struct Dtls13HandshakeHeader {
  60    byte msg_type;
  61    byte length[3];
  62    byte messageSeq[2];
  63    byte fragmentOffset[3];
  64    byte fragmentLength[3];
  65} Dtls13HandshakeHeader;
  66
  67wc_static_assert(sizeof(Dtls13HandshakeHeader) == DTLS13_HANDSHAKE_HEADER_SZ);
  68
  69/**
  70 * struct Dtls13Recordplaintextheader: represent header of unprotected DTLSv1.3
  71 * record
  72 * @contentType: content type of the record (handshake, applicationData, etc)
  73 * @legacyversionrecord: legacy version field
  74 * @epoch: epoch number (lower 16 bits)
  75 * @sequenceNumber: sequence number (lower 16 bits)
  76 * @length: length of the record
  77 */
  78typedef struct Dtls13RecordPlaintextHeader {
  79    byte contentType;
  80    ProtocolVersion legacyVersionRecord;
  81    byte epoch[2];
  82    byte sequenceNumber[6];
  83    byte length[2];
  84} Dtls13RecordPlaintextHeader;
  85
  86/* size of the len field in the unified header */
  87#define DTLS13_LEN_SIZE 2
  88/* size of the flags in the unified header */
  89#define DTLS13_HDR_FLAGS_SIZE 1
  90/* size of the sequence number where SEQ_LEN_BIT is present */
  91#define DTLS13_SEQ_16_LEN 2
  92/* size of the sequence number where SEQ_LEN_BIT is not present */
  93#define DTLS13_SEQ_8_LEN 1
  94
  95/* fixed bits mask to detect unified header  */
  96#define DTLS13_FIXED_BITS_MASK (0x7 << 5)
  97/* fixed bits value to detect unified header  */
  98#define DTLS13_FIXED_BITS (0x1 << 5)
  99/* ConnectionID present bit in the unified header flags */
 100#define DTLS13_CID_BIT (0x1 << 4)
 101/* Sequence number is 16 bits if this bit is into unified header flags */
 102#define DTLS13_SEQ_LEN_BIT (0x1 << 3)
 103/* Length field is present if this bit is into unified header flags */
 104#define DTLS13_LEN_BIT (0x1 << 2)
 105
 106/* For now, the size of the outgoing DTLSv1.3 record header is fixed to 5 bytes
 107   (8 bit header flags + 16bit record number + 16 bit length). In the future, we
 108   can dynamically choose to remove the length from the header to save
 109   space. Also it will need to account for client connection ID when
 110   supported. */
 111#define DTLS13_UNIFIED_HEADER_SIZE 5
 112#define DTLS13_MIN_CIPHERTEXT 16
 113#ifndef DTLS13_MIN_RTX_INTERVAL
 114#define DTLS13_MIN_RTX_INTERVAL (DTLS_TIMEOUT_INIT * 1000)
 115#endif
 116
 117#ifndef NO_WOLFSSL_CLIENT
 118WOLFSSL_METHOD* wolfDTLSv1_3_client_method_ex(void* heap)
 119{
 120    WOLFSSL_METHOD* method;
 121
 122    WOLFSSL_ENTER("DTLSv1_3_client_method_ex");
 123    (void)heap;
 124
 125    method = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD), heap,
 126        DYNAMIC_TYPE_METHOD);
 127    if (method)
 128        InitSSL_Method(method, MakeDTLSv1_3());
 129
 130    return method;
 131}
 132
 133WOLFSSL_METHOD* wolfDTLSv1_3_client_method(void)
 134{
 135    return wolfDTLSv1_3_client_method_ex(NULL);
 136}
 137#endif /* !NO_WOLFSSL_CLIENT */
 138
 139
 140#ifndef NO_WOLFSSL_SERVER
 141WOLFSSL_METHOD* wolfDTLSv1_3_server_method_ex(void* heap)
 142{
 143    WOLFSSL_METHOD* method;
 144
 145    WOLFSSL_ENTER("DTLSv1_3_server_method_ex");
 146    (void)heap;
 147
 148    method = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD), heap,
 149        DYNAMIC_TYPE_METHOD);
 150    if (method) {
 151        InitSSL_Method(method, MakeDTLSv1_3());
 152        method->side = WOLFSSL_SERVER_END;
 153    }
 154
 155    return method;
 156}
 157
 158WOLFSSL_METHOD* wolfDTLSv1_3_server_method(void)
 159{
 160    return wolfDTLSv1_3_server_method_ex(NULL);
 161}
 162#endif /* !NO_WOLFSSL_SERVER */
 163
 164int Dtls13RlAddPlaintextHeader(WOLFSSL* ssl, byte* out,
 165    enum ContentType content_type, word16 length)
 166{
 167    Dtls13RecordPlaintextHeader* hdr;
 168    word32 seq[2];
 169    int ret;
 170
 171    hdr = (Dtls13RecordPlaintextHeader*)out;
 172    hdr->contentType = content_type;
 173    hdr->legacyVersionRecord.major = DTLS_MAJOR;
 174    hdr->legacyVersionRecord.minor = DTLSv1_2_MINOR;
 175
 176    ret = Dtls13GetSeq(ssl, CUR_ORDER, seq, 1);
 177    if (ret != 0)
 178        return ret;
 179
 180    /* seq[0] combines the epoch and 16 MSB of sequence number. We write on the
 181       epoch field and will overflow to the first two bytes of the sequence
 182       number */
 183    c16toa((word16)(seq[0] >> 16), hdr->epoch);
 184    c16toa((word16)seq[0], hdr->sequenceNumber);
 185    c32toa(seq[1], &hdr->sequenceNumber[2]);
 186
 187    c16toa(length, hdr->length);
 188
 189    return 0;
 190}
 191
 192static int Dtls13HandshakeAddHeaderFrag(WOLFSSL* ssl, byte* output,
 193    enum HandShakeType msg_type, word32 frag_offset, word32 frag_length,
 194    word32 msg_length)
 195{
 196    Dtls13HandshakeHeader* hdr;
 197
 198    hdr = (Dtls13HandshakeHeader*)output;
 199
 200    hdr->msg_type = msg_type;
 201    c32to24((word32)msg_length, hdr->length);
 202    c16toa(ssl->keys.dtls_handshake_number, hdr->messageSeq);
 203
 204    c32to24(frag_offset, hdr->fragmentOffset);
 205    c32to24(frag_length, hdr->fragmentLength);
 206
 207    return 0;
 208}
 209
 210static byte Dtls13TypeIsEncrypted(enum HandShakeType hs_type)
 211{
 212    byte ret = 0;
 213
 214    switch (hs_type) {
 215    case hello_request:
 216    case hello_verify_request:
 217    case client_hello:
 218    case hello_retry_request:
 219    case server_hello:
 220        break;
 221    case encrypted_extensions:
 222    case session_ticket:
 223    case end_of_early_data:
 224    case certificate:
 225    case server_key_exchange:
 226    case certificate_request:
 227    case server_hello_done:
 228    case certificate_verify:
 229    case client_key_exchange:
 230    case finished:
 231    case certificate_status:
 232    case key_update:
 233    case change_cipher_hs:
 234    case message_hash:
 235    case no_shake:
 236        ret = 1;
 237    }
 238
 239    return ret;
 240}
 241
 242static int Dtls13GetRnMask(WOLFSSL* ssl, const byte* ciphertext, byte* mask,
 243    enum rnDirection dir)
 244{
 245    RecordNumberCiphers* c;
 246
 247    if (dir == PROTECT)
 248        c = &ssl->dtlsRecordNumberEncrypt;
 249    else
 250        c = &ssl->dtlsRecordNumberDecrypt;
 251
 252#if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
 253    if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm ||
 254        ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm) {
 255
 256        if (c->aes == NULL)
 257            return BAD_STATE_E;
 258#if !defined(HAVE_SELFTEST) && \
 259    (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)) \
 260    || defined(WOLFSSL_KERNEL_MODE))
 261        return wc_AesEncryptDirect(c->aes, mask, ciphertext);
 262#else
 263        wc_AesEncryptDirect(c->aes, mask, ciphertext);
 264        return 0;
 265#endif
 266    }
 267#endif /* HAVE_AESGCM || HAVE_AESCCM */
 268
 269#ifdef HAVE_CHACHA
 270    if (ssl->specs.bulk_cipher_algorithm == wolfssl_chacha) {
 271        word32 counter;
 272        int ret;
 273
 274        if (c->chacha == NULL)
 275            return BAD_STATE_E;
 276
 277        /* assuming CIPHER[0..3] should be interpreted as little endian 32-bits
 278           integer. The draft rfc isn't really clear on that. See sec 4.2.3 of
 279           the draft. See also Section 2.3 of the Chacha RFC. */
 280        ato32le(ciphertext, &counter);
 281
 282        ret = wc_Chacha_SetIV(c->chacha, &ciphertext[4], counter);
 283        if (ret != 0)
 284            return ret;
 285
 286        XMEMSET(mask, 0, DTLS13_RN_MASK_SIZE);
 287
 288        return wc_Chacha_Process(c->chacha, mask, mask, DTLS13_RN_MASK_SIZE);
 289    }
 290#endif /* HAVE_CHACHA */
 291
 292    return NOT_COMPILED_IN;
 293}
 294
 295static int Dtls13EncryptDecryptRecordNumber(WOLFSSL* ssl, byte* seq,
 296    int SeqLength, const byte* ciphertext, enum rnDirection dir)
 297{
 298    byte mask[DTLS13_RN_MASK_SIZE];
 299    int ret;
 300
 301#ifdef HAVE_NULL_CIPHER
 302    /* Do not encrypt record numbers with null cipher. See RFC 9150 Sec 9 */
 303    if (ssl->specs.bulk_cipher_algorithm == wolfssl_cipher_null)
 304        return 0;
 305#endif /*HAVE_NULL_CIPHER */
 306
 307    ret = Dtls13GetRnMask(ssl, ciphertext, mask, dir);
 308    if (ret != 0)
 309        return ret;
 310
 311    xorbuf(seq, mask, SeqLength);
 312
 313    return 0;
 314}
 315
 316static byte Dtls13RtxMsgNeedsAck(WOLFSSL* ssl, enum HandShakeType hs)
 317{
 318
 319#ifndef NO_WOLFSSL_SERVER
 320    /* we send an ACK when processing the finished message. In this case either
 321       we already sent an ACK for client's Certificate/CertificateVerify or they
 322       are in our list of seen records and will be included in the ACK
 323       message */
 324    if (ssl->options.side == WOLFSSL_SERVER_END && (hs == finished))
 325        return 1;
 326#else
 327    (void)ssl;
 328#endif /* NO_WOLFSSL_SERVER */
 329
 330    if (hs == session_ticket || hs == key_update)
 331        return 1;
 332
 333    return 0;
 334}
 335
 336static void Dtls13MsgWasProcessed(WOLFSSL* ssl, enum HandShakeType hs)
 337{
 338    if (ssl->options.dtlsStateful)
 339        ssl->keys.dtls_expected_peer_handshake_number++;
 340
 341#ifdef WOLFSSL_RW_THREADED
 342    if (wc_LockMutex(&ssl->dtls13Rtx.mutex) == 0)
 343#endif
 344    {
 345        /* we need to send ACKs on the last message of a flight that needs
 346         * explicit acknowledgment */
 347        ssl->dtls13Rtx.sendAcks = Dtls13RtxMsgNeedsAck(ssl, hs);
 348    #ifdef WOLFSSL_RW_THREADED
 349        wc_UnLockMutex(&ssl->dtls13Rtx.mutex);
 350    #endif
 351    }
 352}
 353
 354int Dtls13ProcessBufferedMessages(WOLFSSL* ssl)
 355{
 356    DtlsMsg* msg = ssl->dtls_rx_msg_list;
 357    word32 idx = 0;
 358    int ret = 0;
 359
 360    WOLFSSL_ENTER("Dtls13ProcessBufferedMessages");
 361
 362    while (msg != NULL) {
 363        int downgraded = 0;
 364        idx = 0;
 365
 366        /* message not in order */
 367        if (ssl->keys.dtls_expected_peer_handshake_number != msg->seq)
 368            break;
 369
 370        /* message not complete */
 371        if (!msg->ready)
 372            break;
 373
 374#ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
 375        ret = MsgCheckEncryption(ssl, msg->type, msg->encrypted);
 376        if (ret != 0) {
 377            SendAlert(ssl, alert_fatal, unexpected_message);
 378            break;
 379        }
 380#endif
 381
 382        /* We may have DTLS <=1.2 msgs stored from before we knew which version
 383         * we were going to use. Interpret correctly. */
 384        if (IsAtLeastTLSv1_3(ssl->version)) {
 385            ret = DoTls13HandShakeMsgType(ssl, msg->fullMsg, &idx, msg->type,
 386                    msg->sz, msg->sz);
 387            if (!IsAtLeastTLSv1_3(ssl->version))
 388                downgraded = 1;
 389        }
 390        else {
 391#if !defined(WOLFSSL_NO_TLS12)
 392            ret = DoHandShakeMsgType(ssl, msg->fullMsg, &idx, msg->type,
 393                    msg->sz, msg->sz);
 394#else
 395            WOLFSSL_MSG("DTLS1.2 disabled with WOLFSSL_NO_TLS12");
 396            WOLFSSL_ERROR_VERBOSE(NOT_COMPILED_IN);
 397            ret = NOT_COMPILED_IN;
 398#endif
 399        }
 400
 401        /* processing certificate_request triggers a connect. The error came
 402         * from there, the message can be considered processed successfully.
 403         * WANT_WRITE means that we are done with processing the msg and we are
 404         * waiting to flush the output buffer. */
 405        if ((ret == 0 || ret == WC_NO_ERR_TRACE(WANT_WRITE)) ||
 406                        (msg->type == certificate_request &&
 407                         ssl->options.handShakeDone &&
 408                         ret == WC_NO_ERR_TRACE(WC_PENDING_E))) {
 409            if (IsAtLeastTLSv1_3(ssl->version))
 410                Dtls13MsgWasProcessed(ssl, (enum HandShakeType)msg->type);
 411            else if (downgraded)
 412                /* DoHandShakeMsgType normally handles the hs number but if
 413                 * DoTls13HandShakeMsgType processed 1.2 msgs then this wasn't
 414                 * incremented. */
 415                ssl->keys.dtls_expected_peer_handshake_number++;
 416
 417            ssl->dtls_rx_msg_list = msg->next;
 418            DtlsMsgDelete(msg, ssl->heap);
 419            msg = ssl->dtls_rx_msg_list;
 420            ssl->dtls_rx_msg_list_sz--;
 421        }
 422
 423        if (ret != 0)
 424            break;
 425    }
 426
 427    WOLFSSL_LEAVE("dtls13_process_buffered_messages()", ret);
 428
 429    return ret;
 430}
 431
 432static int Dtls13NextMessageComplete(WOLFSSL* ssl)
 433{
 434    return ssl->dtls_rx_msg_list != NULL &&
 435           ssl->dtls_rx_msg_list->ready &&
 436           ssl->dtls_rx_msg_list->seq ==
 437               ssl->keys.dtls_expected_peer_handshake_number;
 438}
 439
 440static WC_INLINE int FragIsInOutputBuffer(WOLFSSL* ssl, const byte* frag)
 441{
 442    const byte* OutputBuffer = ssl->buffers.outputBuffer.buffer;
 443    word32 OutputBufferSize = ssl->buffers.outputBuffer.bufferSize;
 444
 445    return frag >= OutputBuffer && frag < OutputBuffer + OutputBufferSize;
 446}
 447
 448static int Dtls13SendFragFromBuffer(WOLFSSL* ssl, byte* output, word16 length)
 449{
 450    byte* buf;
 451    int ret;
 452
 453    if (FragIsInOutputBuffer(ssl, output))
 454        return BAD_FUNC_ARG;
 455
 456    ret = CheckAvailableSize(ssl, length);
 457    if (ret != 0)
 458        return ret;
 459
 460    buf = GetOutputBuffer(ssl);
 461
 462    XMEMCPY(buf, output, length);
 463
 464    ssl->buffers.outputBuffer.length += length;
 465
 466    return SendBuffered(ssl);
 467}
 468
 469static int Dtls13SendNow(WOLFSSL* ssl, enum HandShakeType handshakeType)
 470{
 471    if (!ssl->options.groupMessages || ssl->dtls13SendingFragments)
 472        return 1;
 473
 474    if (handshakeType == client_hello || handshakeType == hello_retry_request ||
 475        handshakeType == finished || handshakeType == session_ticket ||
 476        handshakeType == key_update ||
 477        (handshakeType == certificate_request &&
 478            ssl->options.handShakeState == HANDSHAKE_DONE))
 479        return 1;
 480
 481    return 0;
 482}
 483
 484/* Handshake header DTLS only fields are not included in the transcript hash.
 485 * body points to the body of the DTLSHandshake message. */
 486int Dtls13HashClientHello(const WOLFSSL* ssl, byte* hash, int* hashSz,
 487        const byte* body, word32 length, CipherSpecs* specs)
 488{
 489    /* msg_type(1) + length (3) */
 490    byte header[OPAQUE32_LEN];
 491    int ret;
 492    WC_DECLARE_VAR(hashCtx, wc_HashAlg, 1, ssl->heap);
 493    int type = wolfSSL_GetHmacType_ex(specs);
 494
 495    if (type < 0)
 496        return type;
 497
 498    WC_ALLOC_VAR_EX(hashCtx, wc_HashAlg, 1, ssl->heap, DYNAMIC_TYPE_HASHES,
 499                    return MEMORY_E);
 500
 501    header[0] = (byte)client_hello;
 502    c32to24(length, header + 1);
 503
 504    ret = wc_HashInit_ex(hashCtx, (enum wc_HashType)type, ssl->heap, ssl->devId);
 505    if (ret == 0) {
 506        ret = wc_HashUpdate(hashCtx, (enum wc_HashType)type, header, OPAQUE32_LEN);
 507        if (ret == 0)
 508            ret = wc_HashUpdate(hashCtx, (enum wc_HashType)type, body, length);
 509        if (ret == 0)
 510            ret = wc_HashFinal(hashCtx, (enum wc_HashType)type, hash);
 511        if (ret == 0) {
 512            *hashSz = wc_HashGetDigestSize((enum wc_HashType)type);
 513            if (*hashSz < 0)
 514                ret = *hashSz;
 515        }
 516        wc_HashFree(hashCtx, (enum wc_HashType)type);
 517    }
 518    WC_FREE_VAR_EX(hashCtx, ssl->heap, DYNAMIC_TYPE_HASHES);
 519    return ret;
 520}
 521
 522/* Handshake header DTLS only fields are not included in the transcript hash */
 523int Dtls13HashHandshake(WOLFSSL* ssl, const byte* input, word16 length)
 524{
 525    int ret;
 526
 527    if (length < DTLS_HANDSHAKE_HEADER_SZ)
 528        return BAD_FUNC_ARG;
 529
 530    /* msg_type(1) + length (3) */
 531    ret = HashRaw(ssl, input, OPAQUE32_LEN);
 532    if (ret != 0)
 533        return ret;
 534
 535    input += OPAQUE32_LEN;
 536    length -= OPAQUE32_LEN;
 537
 538    /* message_seq(2) + fragment_offset(3) + fragment_length(3) */
 539    input += OPAQUE64_LEN;
 540    length -= OPAQUE64_LEN;
 541
 542    return HashRaw(ssl, input, length);
 543}
 544
 545static int Dtls13SendFragment(WOLFSSL* ssl, byte* output, word16 output_size,
 546    word16 length, enum HandShakeType handshakeType, int hashOutput,
 547    int sendImmediately)
 548{
 549    word16 recordHeaderLength;
 550    word16 recordLength;
 551    byte isProtected;
 552    int sendLength;
 553    byte* msg;
 554    int ret;
 555
 556    if (output_size < length)
 557        return BUFFER_ERROR;
 558
 559    isProtected = Dtls13TypeIsEncrypted(handshakeType);
 560    recordHeaderLength = Dtls13GetRlHeaderLength(ssl, isProtected);
 561
 562    if (length <= recordHeaderLength)
 563        return BUFFER_ERROR;
 564
 565    recordLength = length - recordHeaderLength;
 566
 567    if (!isProtected) {
 568        ret = Dtls13RlAddPlaintextHeader(ssl, output, handshake, recordLength);
 569        if (ret != 0)
 570            return ret;
 571    }
 572    else {
 573        msg = output + recordHeaderLength;
 574
 575        if (hashOutput) {
 576            ret = Dtls13HashHandshake(ssl, msg, recordLength);
 577            if (ret != 0)
 578                return ret;
 579        }
 580
 581        sendLength = BuildTls13Message(ssl, output, output_size, msg,
 582            recordLength, handshake, 0, 0, 0);
 583        if (sendLength < 0)
 584            return sendLength;
 585
 586        length = (word16)sendLength;
 587    }
 588
 589    if (!FragIsInOutputBuffer(ssl, output))
 590        return Dtls13SendFragFromBuffer(ssl, output, length);
 591
 592    ssl->buffers.outputBuffer.length += length;
 593
 594    ret = 0;
 595    if (sendImmediately)
 596        ret = SendBuffered(ssl);
 597
 598    return ret;
 599}
 600
 601static void Dtls13FreeFragmentsBuffer(WOLFSSL* ssl)
 602{
 603    XFREE(ssl->dtls13FragmentsBuffer.buffer, ssl->heap,
 604        DYNAMIC_TYPE_TMP_BUFFER);
 605    ssl->dtls13FragmentsBuffer.buffer = NULL;
 606    ssl->dtls13SendingFragments = 0;
 607    ssl->dtls13MessageLength = ssl->dtls13FragOffset = 0;
 608}
 609
 610static WC_INLINE void Dtls13FreeRtxBufferRecord(WOLFSSL* ssl,
 611    Dtls13RtxRecord* r)
 612{
 613    (void)ssl;
 614
 615    XFREE(r->data, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
 616    XFREE(r, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
 617}
 618
 619static Dtls13RtxRecord* Dtls13RtxNewRecord(WOLFSSL* ssl, byte* data,
 620    word16 length, enum HandShakeType handshakeType, w64wrapper seq)
 621{
 622    w64wrapper epochNumber;
 623    Dtls13RtxRecord* r;
 624
 625    WOLFSSL_ENTER("Dtls13RtxNewRecord");
 626
 627    if (ssl->dtls13EncryptEpoch == NULL)
 628        return NULL;
 629
 630    epochNumber = ssl->dtls13EncryptEpoch->epochNumber;
 631
 632    r = (Dtls13RtxRecord*)XMALLOC(sizeof(*r), ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
 633    if (r == NULL)
 634        return NULL;
 635
 636    r->data = (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
 637    if (r->data == NULL) {
 638        XFREE(r, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
 639        return NULL;
 640    }
 641
 642    XMEMCPY(r->data, data, length);
 643    r->epoch = epochNumber;
 644    r->length = length;
 645    r->next = NULL;
 646    r->handshakeType = handshakeType;
 647    r->seq[0] = seq;
 648    r->rnIdx = 1;
 649
 650    return r;
 651}
 652
 653static void Dtls13RtxAddRecord(Dtls13Rtx* fsm, Dtls13RtxRecord* r)
 654{
 655    WOLFSSL_ENTER("Dtls13RtxAddRecord");
 656
 657    *fsm->rtxRecordTailPtr = r;
 658    fsm->rtxRecordTailPtr = &r->next;
 659    r->next = NULL;
 660}
 661
 662static void Dtls13RtxRecordUnlink(WOLFSSL* ssl, Dtls13RtxRecord** prevNext,
 663    Dtls13RtxRecord* r)
 664{
 665    /* if r was at the tail of the list, update the tail pointer */
 666    if (r->next == NULL) {
 667    #ifdef WOLFSSL_RW_THREADED
 668        if (wc_LockMutex(&ssl->dtls13Rtx.mutex) == 0)
 669    #endif
 670        {
 671            ssl->dtls13Rtx.rtxRecordTailPtr = prevNext;
 672        #ifdef WOLFSSL_RW_THREADED
 673            wc_UnLockMutex(&ssl->dtls13Rtx.mutex);
 674        #endif
 675        }
 676    }
 677
 678    /* unlink */
 679    *prevNext = r->next;
 680}
 681
 682void Dtls13RtxFlushBuffered(WOLFSSL* ssl, byte keepNewSessionTicket)
 683{
 684    Dtls13RtxRecord *r, **prevNext;
 685
 686    WOLFSSL_ENTER("Dtls13RtxFlushBuffered");
 687
 688    prevNext = &ssl->dtls13Rtx.rtxRecords;
 689    r = ssl->dtls13Rtx.rtxRecords;
 690
 691    /* we process the head at the end */
 692    while (r != NULL) {
 693
 694        if (keepNewSessionTicket && r->handshakeType == session_ticket) {
 695            prevNext = &r->next;
 696            r = r->next;
 697            continue;
 698        }
 699
 700        *prevNext = r->next;
 701        Dtls13FreeRtxBufferRecord(ssl, r);
 702        r = *prevNext;
 703    }
 704
 705    ssl->dtls13Rtx.rtxRecordTailPtr = prevNext;
 706}
 707
 708static Dtls13RecordNumber* Dtls13NewRecordNumber(w64wrapper epoch,
 709    w64wrapper seq, void* heap)
 710{
 711    Dtls13RecordNumber* rn;
 712
 713    (void)heap;
 714
 715    rn = (Dtls13RecordNumber*)XMALLOC(sizeof(*rn), heap,
 716        DYNAMIC_TYPE_DTLS_MSG);
 717    if (rn == NULL)
 718        return NULL;
 719
 720    rn->next = NULL;
 721    rn->epoch = epoch;
 722    rn->seq = seq;
 723
 724    return rn;
 725}
 726
 727#ifndef DTLS13_MAX_ACK_RECORDS
 728#define DTLS13_MAX_ACK_RECORDS 512
 729#endif
 730
 731int Dtls13RtxAddAck(WOLFSSL* ssl, w64wrapper epoch, w64wrapper seq)
 732{
 733    Dtls13RecordNumber* rn;
 734    int count;
 735
 736    WOLFSSL_ENTER("Dtls13RtxAddAck");
 737
 738#ifdef WOLFSSL_RW_THREADED
 739    if (wc_LockMutex(&ssl->dtls13Rtx.mutex) == 0)
 740#endif
 741    {
 742        /* Find location to insert new record */
 743        Dtls13RecordNumber** prevNext = &ssl->dtls13Rtx.seenRecords;
 744        Dtls13RecordNumber* cur = ssl->dtls13Rtx.seenRecords;
 745
 746        if (ssl->dtls13Rtx.seenRecordsCount >= DTLS13_ACK_MAX_RECORDS) {
 747    #ifdef WOLFSSL_RW_THREADED
 748            wc_UnLockMutex(&ssl->dtls13Rtx.mutex);
 749    #endif
 750            return 0; /* list full, silently drop */
 751        }
 752
 753        count = 0;
 754        for (; cur != NULL; prevNext = &cur->next, cur = cur->next) {
 755            count++;
 756            if (w64Equal(cur->epoch, epoch) && w64Equal(cur->seq, seq)) {
 757                /* already in list. no duplicates. */
 758    #ifdef WOLFSSL_RW_THREADED
 759                wc_UnLockMutex(&ssl->dtls13Rtx.mutex);
 760    #endif
 761                return 0;
 762            }
 763            else if (w64LT(epoch, cur->epoch)
 764                    || (w64Equal(epoch, cur->epoch)
 765                            && w64LT(seq, cur->seq))) {
 766                break;
 767            }
 768        }
 769
 770        /* Cap the ACK list to prevent word16 overflow in
 771         * Dtls13GetAckListLength and bound memory consumption */
 772        if (count >= DTLS13_MAX_ACK_RECORDS) {
 773            WOLFSSL_MSG("DTLS 1.3 ACK list full, dropping record");
 774        #ifdef WOLFSSL_RW_THREADED
 775            wc_UnLockMutex(&ssl->dtls13Rtx.mutex);
 776        #endif
 777            return 0;
 778        }
 779
 780        rn = Dtls13NewRecordNumber(epoch, seq, ssl->heap);
 781        if (rn == NULL) {
 782    #ifdef WOLFSSL_RW_THREADED
 783            wc_UnLockMutex(&ssl->dtls13Rtx.mutex);
 784    #endif
 785            return MEMORY_E;
 786        }
 787
 788        *prevNext = rn;
 789        rn->next = cur;
 790        ssl->dtls13Rtx.seenRecordsCount++;
 791    #ifdef WOLFSSL_RW_THREADED
 792        wc_UnLockMutex(&ssl->dtls13Rtx.mutex);
 793    #endif
 794    }
 795
 796    return 0;
 797}
 798
 799static void Dtls13RtxFlushAcks(WOLFSSL* ssl)
 800{
 801    Dtls13RecordNumber *list, *rn;
 802
 803    (void)ssl;
 804
 805    WOLFSSL_ENTER("Dtls13RtxFlushAcks");
 806
 807#ifdef WOLFSSL_RW_THREADED
 808    if (wc_LockMutex(&ssl->dtls13Rtx.mutex) == 0)
 809#endif
 810    {
 811        list = ssl->dtls13Rtx.seenRecords;
 812
 813        while (list != NULL) {
 814            rn = list;
 815            list = rn->next;
 816            XFREE(rn, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
 817        }
 818
 819        ssl->dtls13Rtx.seenRecords = NULL;
 820        ssl->dtls13Rtx.seenRecordsCount = 0;
 821    #ifdef WOLFSSL_RW_THREADED
 822        wc_UnLockMutex(&ssl->dtls13Rtx.mutex);
 823    #endif
 824    }
 825}
 826
 827static int Dtls13DetectDisruption(WOLFSSL* ssl, word32 fragOffset)
 828{
 829    /* retransmission. The other peer may have lost our flight or our ACKs. We
 830       don't account this as a disruption */
 831    if (ssl->keys.dtls_peer_handshake_number <
 832        ssl->keys.dtls_expected_peer_handshake_number)
 833        return 0;
 834
 835    /* out of order message */
 836    if (ssl->keys.dtls_peer_handshake_number >
 837        ssl->keys.dtls_expected_peer_handshake_number) {
 838        return 1;
 839    }
 840
 841    /* first fragment of in-order message */
 842    if (fragOffset == 0)
 843        return 0;
 844
 845    /* is not the next fragment in the message (the check is not 100% perfect,
 846       in the worst case, we don't detect the disruption and wait for the other
 847       peer retransmission) */
 848    if (ssl->dtls_rx_msg_list != NULL) {
 849        DtlsFragBucket* last = ssl->dtls_rx_msg_list->fragBucketList;
 850        while (last != NULL && last->m.m.next != NULL)
 851            last = last->m.m.next;
 852        /* Does this fragment start right after the last fragment we
 853         * have stored? */
 854        if (last != NULL && (last->m.m.offset + last->m.m.sz) != fragOffset)
 855            return 1;
 856    }
 857    else {
 858        /* ssl->dtls_rx_msg_list is NULL and fragOffset != 0 so this is not in
 859         * order */
 860        return 1;
 861    }
 862
 863    return 0;
 864}
 865
 866static void Dtls13RtxRemoveCurAck(WOLFSSL* ssl)
 867{
 868    Dtls13RecordNumber *rn, **prevNext;
 869
 870#ifdef WOLFSSL_RW_THREADED
 871    if (wc_LockMutex(&ssl->dtls13Rtx.mutex) != 0)
 872        return;
 873#endif
 874
 875    prevNext = &ssl->dtls13Rtx.seenRecords;
 876    rn = ssl->dtls13Rtx.seenRecords;
 877
 878    while (rn != NULL) {
 879        if (w64Equal(rn->epoch, ssl->keys.curEpoch64) &&
 880            w64Equal(rn->seq, ssl->keys.curSeq)) {
 881            *prevNext = rn->next;
 882            XFREE(rn, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
 883            if (ssl->dtls13Rtx.seenRecordsCount > 0)
 884                ssl->dtls13Rtx.seenRecordsCount--;
 885#ifdef WOLFSSL_RW_THREADED
 886            wc_UnLockMutex(&ssl->dtls13Rtx.mutex);
 887#endif
 888            return;
 889        }
 890
 891        prevNext = &rn->next;
 892        rn = rn->next;
 893    }
 894
 895#ifdef WOLFSSL_RW_THREADED
 896    wc_UnLockMutex(&ssl->dtls13Rtx.mutex);
 897#endif
 898}
 899
 900static void Dtls13SaveOrFlushClientHello(WOLFSSL* ssl)
 901{
 902    Dtls13RtxRecord *r, **prev_next;
 903
 904    r = ssl->dtls13Rtx.rtxRecords;
 905    prev_next = &ssl->dtls13Rtx.rtxRecords;
 906
 907    if (ssl->options.side == WOLFSSL_CLIENT_END &&
 908        ssl->options.connectState >= CLIENT_HELLO_SENT &&
 909        ssl->options.connectState <= HELLO_AGAIN_REPLY) {
 910        while (r != NULL) {
 911            if (r->handshakeType == client_hello) {
 912                Dtls13RtxRecordUnlink(ssl, prev_next, r);
 913                if (ssl->options.downgrade &&
 914                        ssl->options.minDowngrade >= DTLSv1_2_MINOR) {
 915                    XFREE(ssl->dtls13ClientHello, ssl->heap,
 916                        DYNAMIC_TYPE_DTLS_MSG);
 917                    ssl->dtls13ClientHello = r->data;
 918                    ssl->dtls13ClientHelloSz = r->length;
 919                    r->data = NULL;
 920                }
 921                Dtls13FreeRtxBufferRecord(ssl, r);
 922                return;
 923            }
 924            prev_next = &r->next;
 925            r = r->next;
 926        }
 927    }
 928}
 929
 930static int Dtls13RtxMsgRecvd(WOLFSSL* ssl, enum HandShakeType hs,
 931    word32 fragOffset)
 932{
 933    WOLFSSL_ENTER("Dtls13RtxMsgRecvd");
 934
 935    if (!ssl->options.handShakeDone &&
 936        ssl->keys.dtls_peer_handshake_number >=
 937            ssl->keys.dtls_expected_peer_handshake_number) {
 938
 939        if (hs == server_hello)
 940            Dtls13SaveOrFlushClientHello(ssl);
 941
 942        /* In the handshake, receiving part of the next flight, acknowledge the
 943         * sent flight. */
 944        /* On the server side, receiving the last client flight does not ACK any
 945         * sent new_session_ticket messages. */
 946        /* We don't want to clear the buffer until we have done version
 947         * negotiation in the SH or have received a unified header in the
 948         * DTLS record. */
 949        if (ssl->options.serverState >= SERVER_HELLO_COMPLETE ||
 950                    ssl->options.seenUnifiedHdr)
 951            /* Use 1.2 API to clear 1.2 buffers too */
 952            DtlsMsgPoolReset(ssl);
 953    }
 954
 955    if (ssl->keys.dtls_peer_handshake_number <
 956        ssl->keys.dtls_expected_peer_handshake_number) {
 957
 958        /* retransmission detected. */
 959        ssl->dtls13Rtx.retransmit = 1;
 960
 961        /* the other peer may have retransmitted because an ACK for a flight
 962           that needs explicit ACK was lost.*/
 963        if (ssl->dtls13Rtx.seenRecords != NULL)
 964            ssl->dtls13Rtx.sendAcks = 1;
 965    }
 966
 967    if (ssl->keys.dtls_peer_handshake_number ==
 968            ssl->keys.dtls_expected_peer_handshake_number &&
 969        ssl->options.handShakeDone && hs == certificate_request) {
 970
 971        /* the current record, containing a post-handshake certificate request,
 972           is implicitly acknowledged by the
 973           certificate/certificate_verify/finished flight we are about to
 974           send. Please note that if the certificate request came out-of-order
 975           and we didn't send an ACK (sendMoreAcks == 0 and the missing
 976           packet(s) arrive before that fast timeout expired), then we will send
 977           both the ACK and the flight. While unnecessary this it's harmless, it
 978           should be rare and simplifies the code. Otherwise, it would be
 979           necessary to track which record number contained a CertificateRequest
 980           with a particular context id */
 981        Dtls13RtxRemoveCurAck(ssl);
 982    }
 983
 984    if (ssl->options.dtls13SendMoreAcks &&
 985        Dtls13DetectDisruption(ssl, fragOffset)) {
 986        WOLFSSL_MSG("Disruption detected");
 987        ssl->dtls13Rtx.sendAcks = 1;
 988    }
 989
 990    return 0;
 991}
 992
 993void Dtls13FreeFsmResources(WOLFSSL* ssl)
 994{
 995    Dtls13RtxFlushAcks(ssl);
 996    /* Use 1.2 API to clear 1.2 buffers too */
 997    DtlsMsgPoolReset(ssl);
 998    Dtls13RtxFlushBuffered(ssl, 0);
 999}
1000
1001static int Dtls13SendOneFragmentRtx(WOLFSSL* ssl,
1002    enum HandShakeType handshakeType, word16 outputSize, byte* message,
1003    word32 length, int hashOutput)
1004{
1005    Dtls13RtxRecord* rtxRecord = NULL;
1006    word16 recordHeaderLength;
1007    byte isProtected;
1008    int ret;
1009
1010    isProtected = Dtls13TypeIsEncrypted(handshakeType);
1011    recordHeaderLength = Dtls13GetRlHeaderLength(ssl, isProtected);
1012
1013    if (handshakeType != hello_retry_request) {
1014        rtxRecord = Dtls13RtxNewRecord(ssl, message + recordHeaderLength,
1015            (word16)(length - recordHeaderLength), handshakeType,
1016            ssl->dtls13EncryptEpoch->nextSeqNumber);
1017        if (rtxRecord == NULL)
1018            return MEMORY_E;
1019    }
1020
1021    ret = Dtls13SendFragment(ssl, message, outputSize, (word16)length,
1022        handshakeType, hashOutput, Dtls13SendNow(ssl, handshakeType));
1023
1024    if (rtxRecord != NULL) {
1025        if (ret == 0 || ret == WC_NO_ERR_TRACE(WANT_WRITE))
1026            Dtls13RtxAddRecord(&ssl->dtls13Rtx, rtxRecord);
1027        else
1028            Dtls13FreeRtxBufferRecord(ssl, rtxRecord);
1029    }
1030
1031    return ret;
1032}
1033
1034static int Dtls13SendFragmentedInternal(WOLFSSL* ssl)
1035{
1036    int fragLength, rlHeaderLength;
1037    word32 remainingSize;
1038    int maxFragment;
1039    int recordLength, outputSz;
1040    byte isEncrypted;
1041    byte* output;
1042    int ret;
1043
1044    isEncrypted = Dtls13TypeIsEncrypted(
1045        (enum HandShakeType)ssl->dtls13FragHandshakeType);
1046    rlHeaderLength = Dtls13GetRlHeaderLength(ssl, isEncrypted);
1047    maxFragment = wolfssl_local_GetMaxPlaintextSize(ssl);
1048    if (maxFragment <= DTLS_HANDSHAKE_HEADER_SZ ||
1049            maxFragment > MAX_RECORD_SIZE ||
1050            ssl->dtls13FragOffset > ssl->dtls13MessageLength) {
1051        Dtls13FreeFragmentsBuffer(ssl);
1052        return BUFFER_E;
1053    }
1054    remainingSize = ssl->dtls13MessageLength - ssl->dtls13FragOffset;
1055
1056    while (remainingSize > 0) {
1057
1058        fragLength = maxFragment - DTLS_HANDSHAKE_HEADER_SZ;
1059        if (fragLength > (int)remainingSize)
1060            fragLength = (int)remainingSize;
1061
1062        recordLength = fragLength + rlHeaderLength + DTLS_HANDSHAKE_HEADER_SZ;
1063        outputSz = wolfssl_local_GetRecordSize(ssl,
1064            fragLength + DTLS_HANDSHAKE_HEADER_SZ, isEncrypted);
1065        if (outputSz < 0) {
1066            Dtls13FreeFragmentsBuffer(ssl);
1067            return outputSz;
1068        }
1069        if ((word32)outputSz > WOLFSSL_MAX_16BIT) {
1070            Dtls13FreeFragmentsBuffer(ssl);
1071            return BUFFER_E;
1072        }
1073
1074        ret = CheckAvailableSize(ssl, outputSz);
1075        if (ret != 0) {
1076            Dtls13FreeFragmentsBuffer(ssl);
1077            return ret;
1078        }
1079
1080        output = GetOutputBuffer(ssl);
1081
1082        ret = Dtls13HandshakeAddHeaderFrag(ssl, output + rlHeaderLength,
1083            (enum HandShakeType)ssl->dtls13FragHandshakeType,
1084            ssl->dtls13FragOffset, fragLength, ssl->dtls13MessageLength);
1085        if (ret != 0) {
1086            Dtls13FreeFragmentsBuffer(ssl);
1087            return ret;
1088        }
1089
1090        XMEMCPY(output + rlHeaderLength + DTLS_HANDSHAKE_HEADER_SZ,
1091            ssl->dtls13FragmentsBuffer.buffer + ssl->dtls13FragOffset,
1092            fragLength);
1093
1094        ret = Dtls13SendOneFragmentRtx(ssl,
1095            (enum HandShakeType)ssl->dtls13FragHandshakeType,
1096            (word16)outputSz, output, (word32)recordLength, 0);
1097        if (ret == WC_NO_ERR_TRACE(WANT_WRITE)) {
1098            ssl->dtls13FragOffset += fragLength;
1099            return ret;
1100        }
1101
1102        if (ret != 0) {
1103            Dtls13FreeFragmentsBuffer(ssl);
1104            return ret;
1105        }
1106
1107        ssl->dtls13FragOffset += fragLength;
1108        remainingSize -= (word32)fragLength;
1109    }
1110
1111    /* we sent all fragments */
1112    Dtls13FreeFragmentsBuffer(ssl);
1113    return 0;
1114}
1115
1116static int Dtls13SendFragmented(WOLFSSL* ssl, byte* message, word16 length,
1117    enum HandShakeType handshake_type, int hash_output)
1118{
1119    int rlHeaderLength;
1120    byte isEncrypted;
1121    int messageSize;
1122    int ret;
1123
1124    if (ssl->dtls13SendingFragments != 0) {
1125        WOLFSSL_MSG(
1126            "dtls13_send_fragmented() invoked while already sending fragments");
1127        return BAD_STATE_E;
1128    }
1129
1130    isEncrypted = Dtls13TypeIsEncrypted(handshake_type);
1131    rlHeaderLength = Dtls13GetRlHeaderLength(ssl, isEncrypted);
1132
1133    if (length < rlHeaderLength + DTLS_HANDSHAKE_HEADER_SZ)
1134        return INCOMPLETE_DATA;
1135
1136    /* DTLSv1.3 do not consider fragmentation for hash transcript. Build the
1137       hash now pretending fragmentation will not happen */
1138    if (hash_output) {
1139        ret = Dtls13HashHandshake(ssl, message + rlHeaderLength,
1140            length - (word16)rlHeaderLength);
1141        if (ret != 0)
1142            return ret;
1143    }
1144
1145    messageSize = length - rlHeaderLength - DTLS_HANDSHAKE_HEADER_SZ;
1146
1147    ssl->dtls13FragmentsBuffer.buffer =
1148        (byte*)XMALLOC(messageSize, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
1149
1150    if (ssl->dtls13FragmentsBuffer.buffer == NULL)
1151        return MEMORY_E;
1152
1153    XMEMCPY(ssl->dtls13FragmentsBuffer.buffer,
1154        message + rlHeaderLength + DTLS_HANDSHAKE_HEADER_SZ, messageSize);
1155
1156    ssl->dtls13MessageLength = messageSize;
1157    ssl->dtls13FragHandshakeType = handshake_type;
1158    ssl->dtls13SendingFragments = 1;
1159
1160    return Dtls13SendFragmentedInternal(ssl);
1161}
1162
1163static WC_INLINE word8 Dtls13GetEpochBits(w64wrapper epoch)
1164{
1165    return w64GetLow32(epoch) & EE_MASK;
1166}
1167
1168#ifdef WOLFSSL_DTLS_CID
1169
1170static int Dtls13AddCID(WOLFSSL* ssl, byte* flags, byte* out, word16* idx)
1171{
1172    byte cidSz;
1173    int ret;
1174
1175    if (!wolfSSL_dtls_cid_is_enabled(ssl))
1176        return 0;
1177
1178    cidSz = DtlsGetCidTxSize(ssl);
1179
1180    /* no cid */
1181    if (cidSz == 0)
1182        return 0;
1183    *flags |= DTLS13_CID_BIT;
1184    /* we know that we have at least cidSz of space */
1185    ret = wolfSSL_dtls_cid_get_tx(ssl, out + *idx, cidSz);
1186    if (ret != WOLFSSL_SUCCESS)
1187        return ret;
1188    *idx += cidSz;
1189    return 0;
1190}
1191
1192static int Dtls13UnifiedHeaderParseCID(WOLFSSL* ssl, byte flags,
1193    const byte* input, word16 inputSize, word16* idx)
1194{
1195    unsigned int _cidSz;
1196    int ret;
1197
1198    if (flags & DTLS13_CID_BIT) {
1199        if (!wolfSSL_dtls_cid_is_enabled(ssl)) {
1200            WOLFSSL_MSG("CID while no negotiated CID, ignoring");
1201            return DTLS_CID_ERROR;
1202        }
1203
1204        if (!DtlsCIDCheck(ssl, input + *idx, inputSize - *idx)) {
1205            WOLFSSL_MSG("Not matching or wrong CID, ignoring");
1206            return DTLS_CID_ERROR;
1207        }
1208
1209        ret = wolfSSL_dtls_cid_get_rx_size(ssl, &_cidSz);
1210        if (ret != WOLFSSL_SUCCESS)
1211            return ret;
1212
1213        *idx += (word16)_cidSz;
1214        return 0;
1215    }
1216
1217    /* CID not present */
1218    if (wolfSSL_dtls_cid_is_enabled(ssl)) {
1219        ret = wolfSSL_dtls_cid_get_rx_size(ssl, &_cidSz);
1220        if (ret != WOLFSSL_SUCCESS)
1221            return ret;
1222
1223        if (_cidSz != 0) {
1224            WOLFSSL_MSG("expecting CID, ignoring");
1225            return DTLS_CID_ERROR;
1226        }
1227    }
1228
1229    return 0;
1230}
1231
1232int Dtls13UnifiedHeaderCIDPresent(byte flags)
1233{
1234    return Dtls13IsUnifiedHeader(flags) && (flags & DTLS13_CID_BIT);
1235}
1236
1237#else
1238#define Dtls13AddCID(a, b, c, d) 0
1239#define Dtls13UnifiedHeaderParseCID(a, b, c, d, e) 0
1240#endif /* WOLFSSL_DTLS_CID */
1241
1242/**
1243 * dtls13RlAddCiphertextHeader() - add record layer header in the buffer
1244 * @ssl: ssl object
1245 * @out: output buffer where to put the header
1246 * @length: length of the record
1247 */
1248int Dtls13RlAddCiphertextHeader(WOLFSSL* ssl, byte* out, word16 length)
1249{
1250    word16 seqNumber, idx;
1251    byte* flags;
1252    int ret;
1253
1254    if (out == NULL)
1255        return BAD_FUNC_ARG;
1256
1257    if (ssl->dtls13EncryptEpoch == NULL)
1258        return BAD_STATE_E;
1259
1260    flags = out;
1261
1262    /* header fixed bits */
1263    *flags = DTLS13_FIXED_BITS;
1264    /* epoch bits */
1265    *flags |= Dtls13GetEpochBits(ssl->dtls13EncryptEpoch->epochNumber);
1266
1267    idx = DTLS13_HDR_FLAGS_SIZE;
1268    ret = Dtls13AddCID(ssl, flags, out, &idx);
1269    if (ret != 0)
1270        return ret;
1271
1272    /* include 16-bit seq */
1273    *flags |= DTLS13_SEQ_LEN_BIT;
1274    /* include 16-bit length */
1275    *flags |= DTLS13_LEN_BIT;
1276
1277    seqNumber = (word16)w64GetLow32(ssl->dtls13EncryptEpoch->nextSeqNumber);
1278    c16toa(seqNumber, out + idx);
1279    idx += OPAQUE16_LEN;
1280    c16toa(length, out + idx);
1281
1282    return 0;
1283}
1284
1285/**
1286 * Dtls13HandshakeAddHeader() - add handshake layer header
1287 * @ssl: ssl object
1288 * @output: output buffer
1289 * @msg_type: handshake type
1290 * @length: length of the message
1291 */
1292int Dtls13HandshakeAddHeader(WOLFSSL* ssl, byte* output,
1293    enum HandShakeType msg_type, word32 length)
1294{
1295    Dtls13HandshakeHeader* hdr;
1296
1297    hdr = (Dtls13HandshakeHeader*)output;
1298
1299    hdr->msg_type = msg_type;
1300    c32to24((word32)length, hdr->length);
1301    c16toa(ssl->keys.dtls_handshake_number, hdr->messageSeq);
1302
1303    /* send unfragmented first */
1304    c32to24(0, hdr->fragmentOffset);
1305    c32to24((word32)length, hdr->fragmentLength);
1306
1307    return 0;
1308}
1309
1310int Dtls13MinimumRecordLength(WOLFSSL* ssl)
1311{
1312    return Dtls13GetRlHeaderLength(ssl, 1) + DTLS13_MIN_CIPHERTEXT;
1313}
1314
1315/**
1316 * Dtls13EncryptRecordNumber() - encrypt record number in the header
1317 * @ssl: ssl object
1318 * @hdr: header
1319 *
1320 * Further info rfc draft 43 sec 4.2.3
1321 */
1322int Dtls13EncryptRecordNumber(WOLFSSL* ssl, byte* hdr, word16 recordLength)
1323{
1324    int seqLength;
1325    int hdrLength;
1326    int cidSz;
1327
1328    if (ssl == NULL || hdr == NULL)
1329        return BAD_FUNC_ARG;
1330
1331#ifdef HAVE_NULL_CIPHER
1332    /* Do not encrypt record numbers with null cipher. See RFC 9150 Sec 9 */
1333    if (ssl->specs.bulk_cipher_algorithm == wolfssl_cipher_null)
1334        return 0;
1335#endif /*HAVE_NULL_CIPHER */
1336
1337    /* we need at least a 16 bytes of ciphertext to encrypt record number see
1338       4.2.3*/
1339    if (recordLength < Dtls13MinimumRecordLength(ssl))
1340        return BUFFER_ERROR;
1341
1342    seqLength = (*hdr & DTLS13_LEN_BIT) ? DTLS13_SEQ_16_LEN : DTLS13_SEQ_8_LEN;
1343
1344    cidSz = DtlsGetCidTxSize(ssl);
1345    /* header flags + seq number + CID size*/
1346    hdrLength = OPAQUE8_LEN + seqLength + cidSz;
1347
1348    /* length present */
1349    if (*hdr & DTLS13_LEN_BIT)
1350        hdrLength += DTLS13_LEN_SIZE;
1351
1352    return Dtls13EncryptDecryptRecordNumber(ssl,
1353        /* seq number offset */
1354        hdr + OPAQUE8_LEN + cidSz,
1355        /* seq size */
1356        seqLength,
1357        /* cipher text */
1358        hdr + hdrLength, PROTECT);
1359}
1360
1361/**
1362 * Dtls13GetRlHeaderLength() - get record layer header length
1363 * @ssl: ssl object
1364 * @isEncrypted: whether the record will be protected or not
1365 *
1366 * returns the length of the record layer header in bytes.
1367 */
1368word16 Dtls13GetRlHeaderLength(WOLFSSL* ssl, byte isEncrypted)
1369{
1370    (void)ssl;
1371
1372    if (!isEncrypted)
1373        return DTLS_RECORD_HEADER_SZ;
1374
1375    return DTLS13_UNIFIED_HEADER_SIZE + DtlsGetCidTxSize(ssl);
1376}
1377
1378/**
1379 * Dtls13GetHeadersLength() - return length of record + handshake header
1380 * @ssl: ssl object
1381 * @type: type of handshake in the message
1382 */
1383word16 Dtls13GetHeadersLength(WOLFSSL* ssl, enum HandShakeType type)
1384{
1385    byte isEncrypted;
1386
1387    isEncrypted = Dtls13TypeIsEncrypted(type);
1388
1389    return Dtls13GetRlHeaderLength(ssl, isEncrypted) + DTLS_HANDSHAKE_HEADER_SZ;
1390}
1391
1392/**
1393 * Dtls13IsUnifiedHeader() - check if header is a DTLS unified header
1394 * @header_flags: first byte of the header
1395 *
1396 * Further info: dtls v1.3 draft43 section 4
1397 */
1398int Dtls13IsUnifiedHeader(byte hdrFirstByte)
1399{
1400    if (hdrFirstByte == alert || hdrFirstByte == handshake ||
1401        hdrFirstByte == ack)
1402        return 0;
1403
1404    return ((hdrFirstByte & DTLS13_FIXED_BITS_MASK) == DTLS13_FIXED_BITS);
1405}
1406
1407int Dtls13ReconstructSeqNumber(WOLFSSL* ssl, Dtls13UnifiedHdrInfo* hdrInfo,
1408    w64wrapper* out)
1409{
1410    word16 expectedLowBits;
1411    word16 seqLowBits;
1412    w64wrapper temp;
1413    word32 out32;
1414    word32 shift;
1415    word16 mask;
1416    byte wrap = 0;
1417
1418    if (hdrInfo->seqHiPresent) {
1419        seqLowBits = (hdrInfo->seqHi << 8) | hdrInfo->seqLo;
1420        mask = 0xffff;
1421        shift = (1 << 16);
1422    }
1423    else {
1424        seqLowBits = hdrInfo->seqLo;
1425        mask = 0xff;
1426        shift = (1 << 8);
1427    }
1428
1429    /* *out = (nextPeerSeqNumber & ~mask) | seqLowbits */
1430    out32 = w64GetLow32(ssl->dtls13DecryptEpoch->nextPeerSeqNumber);
1431    expectedLowBits = out32 & mask;
1432    out32 = (out32 & ~mask) | seqLowBits;
1433    *out = ssl->dtls13DecryptEpoch->nextPeerSeqNumber;
1434    w64SetLow32(out, out32);
1435    if (seqLowBits >= expectedLowBits) {
1436        if ((word32)(seqLowBits - expectedLowBits) > shift / 2) {
1437            temp = w64Sub32(*out, shift, &wrap);
1438            if (!wrap)
1439                *out = temp;
1440            return 0;
1441        }
1442    }
1443    else {
1444        /*  seqLowbits < expectedLowBits */
1445        if ((word32)(expectedLowBits - seqLowBits) > shift / 2) {
1446            temp = w64Add32(*out, shift, &wrap);
1447            if (!wrap)
1448                *out = temp;
1449            return 0;
1450        }
1451    }
1452
1453    return 0;
1454}
1455
1456int Dtls13ReconstructEpochNumber(WOLFSSL* ssl, byte epochBits,
1457    w64wrapper* epoch)
1458{
1459    w64wrapper _epoch;
1460    Dtls13Epoch* e;
1461    byte found = 0;
1462    int i;
1463
1464    if (Dtls13GetEpochBits(ssl->dtls13PeerEpoch) == epochBits) {
1465        *epoch = ssl->dtls13PeerEpoch;
1466        return 0;
1467    }
1468
1469    w64Zero(&_epoch);
1470
1471    for (i = 0; i < DTLS13_EPOCH_SIZE; ++i) {
1472        e = &ssl->dtls13Epochs[i];
1473
1474        if (!e->isValid)
1475            continue;
1476
1477        if (Dtls13GetEpochBits(e->epochNumber) != epochBits)
1478            continue;
1479
1480        if (w64GT(e->epochNumber, _epoch)) {
1481            found = 1;
1482            _epoch = e->epochNumber;
1483        }
1484    }
1485
1486    if (found) {
1487        *epoch = _epoch;
1488        return 0;
1489    }
1490
1491    return SEQUENCE_ERROR;
1492}
1493
1494int Dtls13GetUnifiedHeaderSize(WOLFSSL* ssl, const byte input, word16* size)
1495{
1496    (void)ssl;
1497
1498    if (size == NULL)
1499        return BAD_FUNC_ARG;
1500
1501    /* flags (1) + CID + seq 8bit (1) */
1502    *size = OPAQUE8_LEN + DtlsGetCidRxSize(ssl) + OPAQUE8_LEN;
1503    if (input & DTLS13_SEQ_LEN_BIT)
1504        *size += OPAQUE8_LEN;
1505    if (input & DTLS13_LEN_BIT)
1506        *size += OPAQUE16_LEN;
1507
1508    return 0;
1509}
1510
1511/**
1512 * Dtls13ParseUnifiedRecordLayer() - parse DTLS unified header
1513 * @ssl: [in] ssl object
1514 * @input: [in] buffer where the header is
1515 * @inputSize: [in] size of the input buffer
1516 * @hdrInfo: [out] header info struct
1517 *
1518 * It parse the header and put the relevant information inside @hdrInfo. Further
1519 * info: draft43 section 4
1520 *
1521 * return 0 on success
1522 */
1523int Dtls13ParseUnifiedRecordLayer(WOLFSSL* ssl, const byte* input,
1524    word16 inputSize, Dtls13UnifiedHdrInfo* hdrInfo)
1525{
1526    byte seqLen, hasLength;
1527    byte* seqNum;
1528    byte flags;
1529    word16 idx;
1530    int ret;
1531
1532    if (input == NULL || inputSize < DTLS13_HDR_FLAGS_SIZE)
1533        return BAD_FUNC_ARG;
1534
1535    flags = *input;
1536    idx = DTLS13_HDR_FLAGS_SIZE;
1537    ret = Dtls13UnifiedHeaderParseCID(ssl, flags, input, inputSize, &idx);
1538    if (ret != 0)
1539        return ret;
1540
1541    seqNum = (byte*)input + idx;
1542    seqLen = (flags & DTLS13_SEQ_LEN_BIT) != 0 ? DTLS13_SEQ_16_LEN
1543                                               : DTLS13_SEQ_8_LEN;
1544    hasLength = flags & DTLS13_LEN_BIT;
1545    hdrInfo->epochBits = flags & EE_MASK;
1546
1547    idx += seqLen;
1548
1549    if (inputSize < idx)
1550        return BUFFER_ERROR;
1551
1552    if (hasLength) {
1553        if (inputSize < idx + DTLS13_LEN_SIZE)
1554            return BUFFER_ERROR;
1555
1556        ato16(input + idx, &hdrInfo->recordLength);
1557        idx += DTLS13_LEN_SIZE;
1558    }
1559    else {
1560        /* length not present. The size of the record is the all the remaining
1561           data received with this datagram */
1562        hdrInfo->recordLength = inputSize - idx;
1563    }
1564
1565    /* Do not encrypt record numbers with null cipher. See RFC 9150 Sec 9 */
1566    if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null)
1567    {
1568        /* minimum size for a dtls1.3 packet is 16 bytes (to have enough
1569         * ciphertext to create record number xor mask).
1570         * (draft 43 - Sec 4.2.3) */
1571        if (hdrInfo->recordLength < DTLS13_RN_MASK_SIZE)
1572            return LENGTH_ERROR;
1573        if (inputSize < idx + DTLS13_RN_MASK_SIZE)
1574            return BUFFER_ERROR;
1575
1576        ret = Dtls13EncryptDecryptRecordNumber(ssl, seqNum, seqLen, input + idx,
1577            DEPROTECT);
1578        if (ret != 0)
1579            return ret;
1580    }
1581
1582    if (seqLen == DTLS13_SEQ_16_LEN) {
1583        hdrInfo->seqHiPresent = 1;
1584        hdrInfo->seqHi = seqNum[0];
1585        hdrInfo->seqLo = seqNum[1];
1586    }
1587    else {
1588        hdrInfo->seqHiPresent = 0;
1589        hdrInfo->seqLo = seqNum[0];
1590    }
1591
1592    return 0;
1593}
1594
1595int Dtls13RecordRecvd(WOLFSSL* ssl)
1596{
1597    int ret;
1598
1599    if (ssl->curRL.type != handshake)
1600        return 0;
1601
1602    if (!ssl->options.dtls13SendMoreAcks)
1603        ssl->dtls13FastTimeout = 1;
1604
1605    ret = Dtls13RtxAddAck(ssl, ssl->keys.curEpoch64, ssl->keys.curSeq);
1606    if (ret != 0)
1607        WOLFSSL_MSG("can't save ack fragment");
1608
1609    return ret;
1610}
1611
1612static void Dtls13RtxMoveToEndOfList(WOLFSSL* ssl, Dtls13RtxRecord** prevNext,
1613    Dtls13RtxRecord* r)
1614{
1615    /* already at the end */
1616    if (r->next == NULL)
1617        return;
1618
1619    Dtls13RtxRecordUnlink(ssl, prevNext, r);
1620    /* add to the end */
1621    Dtls13RtxAddRecord(&ssl->dtls13Rtx, r);
1622}
1623
1624static int Dtls13RtxSendBuffered(WOLFSSL* ssl)
1625{
1626    word16 headerLength;
1627    Dtls13RtxRecord *r, **prevNext;
1628    w64wrapper seq;
1629    byte* output;
1630    int isLast;
1631    int sendSz;
1632#ifndef NO_ASN_TIME
1633#ifdef WOLFSSL_32BIT_MILLI_TIME
1634    word32 now;
1635#else
1636    sword64 now;
1637#endif
1638#endif
1639    int ret;
1640
1641    WOLFSSL_ENTER("Dtls13RtxSendBuffered");
1642
1643#ifndef NO_ASN_TIME
1644    now = TimeNowInMilliseconds();
1645    if (now - ssl->dtls13Rtx.lastRtx < DTLS13_MIN_RTX_INTERVAL) {
1646#ifdef WOLFSSL_DEBUG_TLS
1647        WOLFSSL_MSG("Avoid too fast retransmission");
1648#endif /* WOLFSSL_DEBUG_TLS */
1649        return 0;
1650    }
1651    ssl->dtls13Rtx.lastRtx = now;
1652#endif
1653
1654    r = ssl->dtls13Rtx.rtxRecords;
1655    prevNext = &ssl->dtls13Rtx.rtxRecords;
1656    while (r != NULL) {
1657        isLast = r->next == NULL;
1658        WOLFSSL_MSG("Dtls13Rtx One Record");
1659
1660        headerLength = Dtls13GetRlHeaderLength(ssl, !w64IsZero(r->epoch));
1661
1662        sendSz = r->length + headerLength;
1663
1664        if (!w64IsZero(r->epoch))
1665            sendSz += MAX_MSG_EXTRA;
1666
1667        if ((word32)sendSz > WOLFSSL_MAX_16BIT) {
1668            return BUFFER_E;
1669        }
1670
1671        ret = CheckAvailableSize(ssl, sendSz);
1672        if (ret != 0)
1673            return ret;
1674
1675        output = GetOutputBuffer(ssl);
1676
1677        XMEMCPY(output + headerLength, r->data, r->length);
1678
1679        if (!w64Equal(ssl->dtls13EncryptEpoch->epochNumber, r->epoch)) {
1680            ret = Dtls13SetEpochKeys(ssl, r->epoch, ENCRYPT_SIDE_ONLY);
1681            if (ret != 0)
1682                return ret;
1683        }
1684
1685        seq = ssl->dtls13EncryptEpoch->nextSeqNumber;
1686
1687        ret = Dtls13SendFragment(ssl, output, (word16)sendSz, r->length + headerLength,
1688            (enum HandShakeType)r->handshakeType, 0,
1689            isLast || !ssl->options.groupMessages);
1690        if (ret != 0 && ret != WC_NO_ERR_TRACE(WANT_WRITE))
1691            return ret;
1692
1693        if (r->rnIdx >= DTLS13_RETRANS_RN_SIZE)
1694            r->rnIdx = 0;
1695
1696#ifdef WOLFSSL_DEBUG_TLS
1697        WOLFSSL_MSG_EX("tracking r hs: %d with seq: %ld", r->handshakeType,
1698            seq);
1699#endif /* WOLFSSL_DEBUG_TLS */
1700
1701        r->seq[r->rnIdx] = seq;
1702        r->rnIdx++;
1703
1704        if (ret == WC_NO_ERR_TRACE(WANT_WRITE)) {
1705            /* this fragment will be sent eventually. Move it to the end of the
1706               list so next time we start with a new one. */
1707            Dtls13RtxMoveToEndOfList(ssl, prevNext, r);
1708            return ret;
1709        }
1710
1711        prevNext = &r->next;
1712        r = r->next;
1713    }
1714
1715    return 0;
1716}
1717
1718static int Dtls13AcceptFragmented(WOLFSSL *ssl, enum HandShakeType type)
1719{
1720    if (IsEncryptionOn(ssl, 0))
1721        return 1;
1722    if (ssl->options.side == WOLFSSL_CLIENT_END && type == server_hello)
1723        return 1;
1724#ifdef WOLFSSL_DTLS_CH_FRAG
1725    if (ssl->options.side == WOLFSSL_SERVER_END && type == client_hello &&
1726            ssl->options.dtls13ChFrag && ssl->options.dtlsStateful)
1727        return 1;
1728#endif
1729    return 0;
1730}
1731
1732int Dtls13CheckEpoch(WOLFSSL* ssl, enum HandShakeType type)
1733{
1734    w64wrapper plainEpoch = w64From32(0x0, 0x0);
1735    w64wrapper hsEpoch = w64From32(0x0, DTLS13_EPOCH_HANDSHAKE);
1736    w64wrapper t0Epoch = w64From32(0x0, DTLS13_EPOCH_TRAFFIC0);
1737
1738    if (IsAtLeastTLSv1_3(ssl->version)) {
1739        switch (type) {
1740            case client_hello:
1741            case server_hello:
1742            case hello_verify_request:
1743            case hello_retry_request:
1744            case hello_request:
1745                if (!w64Equal(ssl->keys.curEpoch64, plainEpoch)) {
1746                    WOLFSSL_MSG("Msg should be epoch 0");
1747                    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
1748                    return SANITY_MSG_E;
1749                }
1750                break;
1751            case encrypted_extensions:
1752            case server_key_exchange:
1753            case server_hello_done:
1754            case client_key_exchange:
1755                if (!w64Equal(ssl->keys.curEpoch64, hsEpoch)) {
1756                    if (ssl->options.side == WOLFSSL_CLIENT_END &&
1757                            ssl->options.serverState < SERVER_HELLO_COMPLETE) {
1758                        /* before processing SH we don't know which version
1759                         * will be negotiated.  */
1760                        if (!w64Equal(ssl->keys.curEpoch64, plainEpoch)) {
1761                            WOLFSSL_MSG("Msg should be epoch 2 or 0");
1762                            WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
1763                            return SANITY_MSG_E;
1764                        }
1765                    }
1766                    else {
1767                        WOLFSSL_MSG("Msg should be epoch 2");
1768                        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
1769                        return SANITY_MSG_E;
1770                    }
1771                }
1772                break;
1773            case certificate_request:
1774            case certificate:
1775            case certificate_verify:
1776            case finished:
1777                if (!ssl->options.handShakeDone) {
1778                    if (!w64Equal(ssl->keys.curEpoch64, hsEpoch)) {
1779                        if (ssl->options.side == WOLFSSL_CLIENT_END &&
1780                            ssl->options.serverState < SERVER_HELLO_COMPLETE) {
1781                            /* before processing SH we don't know which version
1782                             * will be negotiated.  */
1783                            if (!w64Equal(ssl->keys.curEpoch64, plainEpoch)) {
1784                                WOLFSSL_MSG("Msg should be epoch 2 or 0");
1785                                WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
1786                                return SANITY_MSG_E;
1787                            }
1788                        }
1789                        else {
1790                            WOLFSSL_MSG("Msg should be epoch 2");
1791                            WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
1792                            return SANITY_MSG_E;
1793                        }
1794                    }
1795                }
1796                else {
1797                    /* Allow epoch 2 in case of rtx */
1798                    if (!w64GTE(ssl->keys.curEpoch64, hsEpoch)) {
1799                        WOLFSSL_MSG("Msg should be epoch 2+");
1800                        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
1801                        return SANITY_MSG_E;
1802                    }
1803                }
1804                break;
1805            case certificate_status:
1806            case change_cipher_hs:
1807            case key_update:
1808            case session_ticket:
1809                if (!w64GTE(ssl->keys.curEpoch64, t0Epoch)) {
1810                    WOLFSSL_MSG("Msg should be epoch 3+");
1811                    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
1812                    return SANITY_MSG_E;
1813                }
1814                break;
1815            case end_of_early_data:
1816            case message_hash:
1817            case no_shake:
1818            default:
1819                WOLFSSL_MSG("Unknown message type");
1820                WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
1821                return SANITY_MSG_E;
1822        }
1823    }
1824    return 0;
1825}
1826
1827/**
1828 * Dtls13HandshakeRecv() - process an handshake message. Deal with
1829 fragmentation if needed
1830 * @ssl: [in] ssl object
1831 * @input: [in] input buffer
1832 * @size: [in] input buffer size
1833 * @type: [out] content type
1834 * @processedSize: [out] amount of byte processed
1835 *
1836 * returns 0 on success
1837 */
1838static int _Dtls13HandshakeRecv(WOLFSSL* ssl, byte* input, word32 size,
1839    word32* processedSize)
1840{
1841    word32 fragOff, fragLength;
1842    byte isComplete, isFirst;
1843    byte usingAsyncCrypto;
1844    word32 messageLength;
1845    byte handshakeType;
1846    word32 idx;
1847    int ret;
1848
1849    idx = 0;
1850    ret = GetDtlsHandShakeHeader(ssl, input, &idx, &handshakeType,
1851        &messageLength, &fragOff, &fragLength, size);
1852    if (ret != 0)
1853        return PARSE_ERROR;
1854
1855    /* Need idx + fragLength as we don't advance the inputBuffer idx value */
1856    ret = EarlySanityCheckMsgReceived(ssl, handshakeType, idx + fragLength);
1857    if (ret != 0) {
1858        WOLFSSL_ERROR(ret);
1859        return ret;
1860    }
1861
1862    ret = Dtls13CheckEpoch(ssl, (enum HandShakeType)handshakeType);
1863    if (ret != 0) {
1864        WOLFSSL_ERROR(ret);
1865        return ret;
1866    }
1867
1868    if (ssl->options.side == WOLFSSL_SERVER_END &&
1869            ssl->options.acceptState < TLS13_ACCEPT_FIRST_REPLY_DONE) {
1870        if (handshakeType != client_hello) {
1871            WOLFSSL_MSG("Ignoring other messages before we verify a ClientHello");
1872            *processedSize = size;
1873            return 0;
1874        }
1875        if (!ssl->options.dtlsStateful) {
1876            /* To be able to operate in stateless mode, we assume the
1877             * ClientHello is in order and we use its Handshake Message number
1878             * and Sequence Number for our Tx. */
1879            ssl->keys.dtls_expected_peer_handshake_number =
1880                ssl->keys.dtls_handshake_number =
1881                    ssl->keys.dtls_peer_handshake_number;
1882            ssl->dtls13Epochs[0].nextSeqNumber = ssl->keys.curSeq;
1883        }
1884    }
1885
1886    if (idx + fragLength > size) {
1887        WOLFSSL_ERROR(INCOMPLETE_DATA);
1888        return INCOMPLETE_DATA;
1889    }
1890
1891    if (fragOff + fragLength > messageLength)
1892        return BUFFER_ERROR;
1893
1894    ret = Dtls13RtxMsgRecvd(ssl, (enum HandShakeType)handshakeType, fragOff);
1895    if (ret != 0)
1896        return ret;
1897
1898    if (ssl->keys.dtls_peer_handshake_number <
1899        ssl->keys.dtls_expected_peer_handshake_number) {
1900
1901#ifdef WOLFSSL_DEBUG_TLS
1902        WOLFSSL_MSG(
1903            "DTLS1.3 retransmission detected - discard and schedule a rtx");
1904#endif /* WOLFSSL_DEBUG_TLS */
1905
1906        /* ignore the message */
1907        *processedSize = idx + fragLength + ssl->keys.padSz;
1908
1909        return 0;
1910    }
1911
1912    isFirst = fragOff == 0;
1913    isComplete = isFirst && fragLength == messageLength;
1914
1915    if (!isComplete && !Dtls13AcceptFragmented(ssl, (enum HandShakeType)handshakeType)) {
1916#if defined(WOLFSSL_DTLS_CH_FRAG) && !defined(NO_WOLFSSL_SERVER)
1917        byte tls13 = 0;
1918        /* check if the first CH fragment contains a valid cookie */
1919        if (ssl->options.dtls13ChFrag && !ssl->options.dtlsStateful &&
1920                isFirst && handshakeType == client_hello &&
1921                DoClientHelloStateless(ssl, input + idx, fragLength, 1, &tls13)
1922                    == 0 && tls13) {
1923            /* We can save this message and continue as stateful. */
1924            if (ssl->chGoodCb != NULL) {
1925                int cbret = ssl->chGoodCb(ssl, ssl->chGoodCtx);
1926                if (cbret < 0) {
1927                    ssl->error = cbret;
1928                    WOLFSSL_MSG("ClientHello Good Cb don't continue error");
1929                    return WOLFSSL_FATAL_ERROR;
1930                }
1931            }
1932            WOLFSSL_MSG("ClientHello fragment verified");
1933        }
1934        else
1935#endif
1936        {
1937#ifdef WOLFSSL_DEBUG_TLS
1938            WOLFSSL_MSG("DTLS1.3 not accepting fragmented plaintext message");
1939#endif /* WOLFSSL_DEBUG_TLS */
1940            /* ignore the message */
1941            *processedSize = idx + fragLength + ssl->keys.padSz;
1942            return 0;
1943        }
1944    }
1945
1946    usingAsyncCrypto = ssl->devId != INVALID_DEVID;
1947
1948    /* store the message if any of the following: (a) incomplete message, (b)
1949     * out of order message or (c) if using async crypto. In (c) the processing
1950     * of the message can return WC_PENDING_E, it's easier to handle this error
1951     * if the message is stored in the buffer.
1952     */
1953    if (!isComplete ||
1954        ssl->keys.dtls_peer_handshake_number >
1955            ssl->keys.dtls_expected_peer_handshake_number ||
1956        usingAsyncCrypto) {
1957        if (ssl->dtls_rx_msg_list_sz < DTLS_POOL_SZ) {
1958            DtlsMsgStore(ssl, (word16)w64GetLow32(ssl->keys.curEpoch64),
1959                ssl->keys.dtls_peer_handshake_number,
1960                input + DTLS_HANDSHAKE_HEADER_SZ, messageLength, handshakeType,
1961                fragOff, fragLength, ssl->heap);
1962        }
1963        else {
1964            /* DTLS_POOL_SZ outstanding messages is way more than enough for any
1965             * valid peer */
1966            return DTLS_TOO_MANY_FRAGMENTS_E;
1967        }
1968
1969        *processedSize = idx + fragLength + ssl->keys.padSz;
1970        if (Dtls13NextMessageComplete(ssl))
1971            return Dtls13ProcessBufferedMessages(ssl);
1972
1973        return 0;
1974    }
1975
1976    ret = DoTls13HandShakeMsgType(ssl, input, &idx, handshakeType,
1977        messageLength, size);
1978    *processedSize = idx;
1979    if (ret != 0)
1980        return ret;
1981
1982    Dtls13MsgWasProcessed(ssl, (enum HandShakeType)handshakeType);
1983
1984    /* check if we have buffered some message */
1985    if (Dtls13NextMessageComplete(ssl))
1986        return Dtls13ProcessBufferedMessages(ssl);
1987
1988    return 0;
1989}
1990
1991int Dtls13HandshakeRecv(WOLFSSL* ssl, byte* input, word32* inOutIdx,
1992    word32 totalSz)
1993{
1994    word32 maxSize, processedSize = 0;
1995    byte* message;
1996    int ret;
1997
1998    message = input + *inOutIdx;
1999    maxSize = totalSz - *inOutIdx;
2000
2001    ret = _Dtls13HandshakeRecv(ssl, message, maxSize, &processedSize);
2002
2003    *inOutIdx += processedSize;
2004
2005    return ret;
2006}
2007
2008/**
2009 * Dtls13FragmentsContinue() - keep sending pending fragments
2010 * @ssl: ssl object
2011 */
2012int Dtls13FragmentsContinue(WOLFSSL* ssl)
2013{
2014    int ret;
2015
2016    ret = Dtls13SendFragmentedInternal(ssl);
2017    if (ret == 0)
2018        ssl->keys.dtls_handshake_number++;
2019
2020    return ret;
2021}
2022
2023/**
2024 * Dtls13AddHeaders() - setup handshake header
2025 * @output: output buffer at the start of the record
2026 * @length: length of the full message, included headers
2027 * @hsType: handshake type
2028 * @ssl: ssl object
2029 *
2030 * This function add the handshake headers and leaves space for the record
2031 * layer. The real record layer will be added in dtls_send() for unprotected
2032 * messages and in BuildTls13message() for protected messages.
2033 *
2034 * returns 0 on success, -1 otherwise
2035 */
2036int Dtls13AddHeaders(byte* output, word32 length, enum HandShakeType hsType,
2037    WOLFSSL* ssl)
2038{
2039    word16 handshakeOffset;
2040    byte isEncrypted;
2041
2042    isEncrypted = Dtls13TypeIsEncrypted(hsType);
2043    handshakeOffset = Dtls13GetRlHeaderLength(ssl, isEncrypted);
2044
2045    /* The record header is placed by either Dtls13HandshakeSend() or
2046       BuildTls13Message() */
2047
2048    return Dtls13HandshakeAddHeader(ssl, output + handshakeOffset, hsType,
2049        length);
2050}
2051
2052/**
2053 * Dtls13HandshakeSend() - send an handshake message. Fragment if necessary.
2054 *
2055 * @ssl: ssl object
2056 * @message: message where the buffer is in. Handshake header already in place.
2057 * @output_size: size of the @message buffer
2058 * @length: length of the message including headers
2059 * @handshakeType: handshake type of the message
2060 * @hashOutput: if true add the message to the transcript hash
2061 *
2062 */
2063int Dtls13HandshakeSend(WOLFSSL* ssl, byte* message, word16 outputSize,
2064    word16 length, enum HandShakeType handshakeType, int hashOutput)
2065{
2066    int maxFrag;
2067    int maxLen;
2068    int ret;
2069
2070    if (ssl->dtls13EncryptEpoch == NULL)
2071        return BAD_STATE_E;
2072
2073    /* if we are here, the message is built */
2074    ssl->options.buildingMsg = 0;
2075
2076    if (!ssl->options.handShakeDone) {
2077
2078        /* during the handshake, if we are sending a new flight, we can flush
2079           our ACK list. When sending client
2080           [certificate/certificate_verify]/finished flight, we may flush an ACK
2081           for a newSessionticket message, sent by the server just after sending
2082           its finished message. This should not be a problem. That message
2083           arrived out-of-order (before the server finished) so likely an ACK
2084           was already sent. In the worst case we will ACK the server
2085           retranmission*/
2086        if (handshakeType == certificate || handshakeType == finished ||
2087            handshakeType == server_hello || handshakeType == client_hello)
2088            Dtls13RtxFlushAcks(ssl);
2089    }
2090
2091    /* we want to send always with the highest epoch  */
2092    if (!w64Equal(ssl->dtls13EncryptEpoch->epochNumber, ssl->dtls13Epoch)) {
2093        ret = Dtls13SetEpochKeys(ssl, ssl->dtls13Epoch, ENCRYPT_SIDE_ONLY);
2094        if (ret != 0)
2095            return ret;
2096    }
2097
2098    maxFrag = wolfssl_local_GetMaxPlaintextSize(ssl);
2099    maxLen = length;
2100
2101    if (handshakeType == key_update) {
2102        ssl->dtls13WaitKeyUpdateAck = 1;
2103#ifdef HAVE_WRITE_DUP
2104        /* Notify the read side so it can watch for the ACK on our behalf. */
2105        if (ssl->dupWrite != NULL && ssl->dupSide == WRITE_DUP_SIDE) {
2106            if (wc_LockMutex(&ssl->dupWrite->dupMutex) != 0)
2107                return BAD_MUTEX_E;
2108            ssl->dupWrite->keyUpdateEpoch = ssl->dtls13Epoch;
2109            ssl->dupWrite->keyUpdateSeq =
2110                ssl->dtls13EncryptEpoch->nextSeqNumber;
2111            ssl->dupWrite->keyUpdateWaiting = 1;
2112            wc_UnLockMutex(&ssl->dupWrite->dupMutex);
2113        }
2114#endif /* HAVE_WRITE_DUP */
2115    }
2116
2117    if (maxLen < maxFrag) {
2118        ret = Dtls13SendOneFragmentRtx(ssl, handshakeType, outputSize, message,
2119            length, hashOutput);
2120        if (ret == 0 || ret == WC_NO_ERR_TRACE(WANT_WRITE))
2121            ssl->keys.dtls_handshake_number++;
2122    }
2123    else {
2124        ret = Dtls13SendFragmented(ssl, message, length, handshakeType,
2125            hashOutput);
2126        if (ret == 0)
2127            ssl->keys.dtls_handshake_number++;
2128    }
2129
2130    return ret;
2131}
2132
2133#define SN_LABEL_SZ 2
2134static const byte snLabel[SN_LABEL_SZ + 1] = "sn";
2135
2136/**
2137 * Dtls13DeriveSnKeys() - derive the key used to encrypt the record number
2138 * @ssl: ssl object
2139 * @provision: which side (CLIENT or SERVER) to provision
2140 */
2141int Dtls13DeriveSnKeys(WOLFSSL* ssl, int provision)
2142{
2143    int ret = 0;
2144    WC_DECLARE_VAR(key_dig, byte, MAX_PRF_DIG, ssl->heap);
2145    WC_ALLOC_VAR_EX(key_dig, byte, MAX_PRF_DIG, ssl->heap, DYNAMIC_TYPE_DIGEST,
2146                    return MEMORY_E);
2147
2148    if (provision & PROVISION_CLIENT) {
2149        WOLFSSL_MSG("Derive SN Client key");
2150        ret = Tls13DeriveKey(ssl, key_dig, ssl->specs.key_size,
2151            ssl->clientSecret, snLabel, SN_LABEL_SZ, ssl->specs.mac_algorithm,
2152            0, WOLFSSL_CLIENT_END);
2153        if (ret != 0)
2154            goto end;
2155
2156        XMEMCPY(ssl->keys.client_sn_key, key_dig, ssl->specs.key_size);
2157    }
2158
2159    if (provision & PROVISION_SERVER) {
2160        WOLFSSL_MSG("Derive SN Server key");
2161        ret = Tls13DeriveKey(ssl, key_dig, ssl->specs.key_size,
2162            ssl->serverSecret, snLabel, SN_LABEL_SZ, ssl->specs.mac_algorithm,
2163            0, WOLFSSL_SERVER_END);
2164        if (ret != 0)
2165            goto end;
2166
2167        XMEMCPY(ssl->keys.server_sn_key, key_dig, ssl->specs.key_size);
2168    }
2169
2170end:
2171    ForceZero(key_dig, MAX_PRF_DIG);
2172#ifdef WOLFSSL_CHECK_MEM_ZERO
2173    wc_MemZero_Check(key_dig, MAX_PRF_DIG);
2174#endif
2175    WC_FREE_VAR_EX(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST);
2176    return ret;
2177}
2178
2179static int Dtls13InitAesCipher(WOLFSSL* ssl, RecordNumberCiphers* cipher,
2180    const byte* key, word16 keySize)
2181{
2182    int ret;
2183    if (cipher->aes == NULL) {
2184        cipher->aes =
2185            (Aes*)XMALLOC(sizeof(Aes), ssl->heap, DYNAMIC_TYPE_CIPHER);
2186        if (cipher->aes == NULL)
2187            return MEMORY_E;
2188    }
2189    else {
2190        wc_AesFree(cipher->aes);
2191    }
2192
2193    XMEMSET(cipher->aes, 0, sizeof(*cipher->aes));
2194
2195    ret = wc_AesInit(cipher->aes, ssl->heap, INVALID_DEVID);
2196    if (ret != 0) {
2197        XFREE(cipher->aes, ssl->heap, DYNAMIC_TYPE_CIPHER);
2198        cipher->aes = NULL;
2199        return ret;
2200    }
2201
2202    ret = wc_AesSetKey(cipher->aes, key, keySize, NULL, AES_ENCRYPTION);
2203    if (ret != 0) {
2204        wc_AesFree(cipher->aes);
2205        XFREE(cipher->aes, ssl->heap, DYNAMIC_TYPE_CIPHER);
2206        cipher->aes = NULL;
2207    }
2208
2209    return ret;
2210}
2211
2212#ifdef HAVE_CHACHA
2213static int Dtls13InitChaChaCipher(RecordNumberCiphers* c, byte* key,
2214    word16 keySize, void* heap)
2215{
2216    int ret;
2217    (void)heap;
2218
2219    if (c->chacha == NULL) {
2220        c->chacha = (ChaCha*)XMALLOC(sizeof(ChaCha), heap, DYNAMIC_TYPE_CIPHER);
2221
2222        if (c->chacha == NULL)
2223            return MEMORY_E;
2224    }
2225
2226    ret = wc_Chacha_SetKey(c->chacha, key, keySize);
2227    if (ret != 0) {
2228        XFREE(c->chacha, heap, DYNAMIC_TYPE_CIPHER);
2229        c->chacha = NULL;
2230    }
2231
2232    return ret;
2233}
2234#endif /* HAVE_CHACHA */
2235
2236struct Dtls13Epoch* Dtls13GetEpoch(WOLFSSL* ssl, w64wrapper epochNumber)
2237{
2238    Dtls13Epoch* e;
2239    int i;
2240
2241    for (i = 0; i < DTLS13_EPOCH_SIZE; ++i) {
2242        e = &ssl->dtls13Epochs[i];
2243        if (w64Equal(e->epochNumber, epochNumber) && e->isValid)
2244            return e;
2245    }
2246
2247    return NULL;
2248}
2249
2250void Dtls13SetOlderEpochSide(WOLFSSL* ssl, w64wrapper epochNumber,
2251                                    int side)
2252{
2253    Dtls13Epoch* e;
2254    int i;
2255
2256    for (i = 0; i < DTLS13_EPOCH_SIZE; ++i) {
2257        e = &ssl->dtls13Epochs[i];
2258        if (e->isValid && w64LT(e->epochNumber, epochNumber)) {
2259            e->side = (byte)side;
2260        }
2261    }
2262}
2263
2264static void Dtls13EpochCopyKeys(WOLFSSL* ssl, Dtls13Epoch* e, Keys* k, int side)
2265{
2266    byte clientWrite, serverWrite;
2267    byte enc, dec;
2268
2269    WOLFSSL_ENTER("Dtls13EpochCopyKeys");
2270
2271    clientWrite = serverWrite = 0;
2272    enc = dec = 0;
2273    switch (side) {
2274
2275    case ENCRYPT_SIDE_ONLY:
2276        if (ssl->options.side == WOLFSSL_CLIENT_END)
2277            clientWrite = 1;
2278        if (ssl->options.side == WOLFSSL_SERVER_END)
2279            serverWrite = 1;
2280        enc = 1;
2281        break;
2282
2283    case DECRYPT_SIDE_ONLY:
2284        if (ssl->options.side == WOLFSSL_CLIENT_END)
2285            serverWrite = 1;
2286        if (ssl->options.side == WOLFSSL_SERVER_END)
2287            clientWrite = 1;
2288        dec = 1;
2289        break;
2290
2291    case ENCRYPT_AND_DECRYPT_SIDE:
2292        clientWrite = serverWrite = 1;
2293        enc = dec = 1;
2294        break;
2295    }
2296
2297    if (clientWrite) {
2298        XMEMCPY(e->client_write_key, k->client_write_key,
2299            sizeof(e->client_write_key));
2300
2301        XMEMCPY(e->client_write_IV, k->client_write_IV,
2302            sizeof(e->client_write_IV));
2303
2304        XMEMCPY(e->client_sn_key, k->client_sn_key, sizeof(e->client_sn_key));
2305    }
2306
2307    if (serverWrite) {
2308        XMEMCPY(e->server_write_key, k->server_write_key,
2309            sizeof(e->server_write_key));
2310        XMEMCPY(e->server_write_IV, k->server_write_IV,
2311            sizeof(e->server_write_IV));
2312        XMEMCPY(e->server_sn_key, k->server_sn_key, sizeof(e->server_sn_key));
2313    }
2314
2315    if (enc)
2316        XMEMCPY(e->aead_enc_imp_IV, k->aead_enc_imp_IV,
2317            sizeof(e->aead_enc_imp_IV));
2318
2319    if (dec)
2320        XMEMCPY(e->aead_dec_imp_IV, k->aead_dec_imp_IV,
2321            sizeof(e->aead_dec_imp_IV));
2322}
2323
2324/* For storing the sequence number we use a word32[2] array here, instead of
2325   word64. This is to reuse existing code */
2326int Dtls13GetSeq(WOLFSSL* ssl, int order, word32* seq, byte increment)
2327{
2328    w64wrapper* nativeSeq;
2329
2330    if (order == PEER_ORDER) {
2331        nativeSeq = &ssl->keys.curSeq;
2332        /* never increment seq number for current record. In DTLS seq number are
2333           explicit */
2334        increment = 0;
2335    }
2336    else if (order == CUR_ORDER) {
2337
2338        if (ssl->dtls13EncryptEpoch == NULL) {
2339            return BAD_STATE_E;
2340        }
2341
2342        nativeSeq = &ssl->dtls13EncryptEpoch->nextSeqNumber;
2343    }
2344    else {
2345        return BAD_FUNC_ARG;
2346    }
2347
2348    seq[0] = w64GetHigh32(*nativeSeq);
2349    seq[1] = w64GetLow32(*nativeSeq);
2350
2351#ifdef WOLFSSL_DEBUG_TLS
2352    WOLFSSL_MSG_EX("Dtls13GetSeq(): using seq: %ld", *nativeSeq);
2353#endif /* WOLFSSL_DEBUG_TLS */
2354
2355    if (increment) {
2356        w64Increment(nativeSeq);
2357
2358        /* seq number wrapped up */
2359        if (w64IsZero(*nativeSeq))
2360            return BAD_STATE_E;
2361    }
2362
2363    return 0;
2364}
2365
2366static Dtls13Epoch* Dtls13NewEpochSlot(WOLFSSL* ssl)
2367{
2368    Dtls13Epoch *e, *oldest = NULL;
2369    w64wrapper oldestNumber;
2370    int i;
2371
2372    /* FIXME: add max function */
2373    oldestNumber = w64From32((word32)-1, (word32)-1);
2374    oldest = NULL;
2375
2376    for (i = 0; i < DTLS13_EPOCH_SIZE; ++i) {
2377        e = &ssl->dtls13Epochs[i];
2378        if (!e->isValid)
2379            return e;
2380
2381        if (!w64Equal(e->epochNumber, ssl->dtls13Epoch) &&
2382            !w64Equal(e->epochNumber, ssl->dtls13PeerEpoch) &&
2383            w64LT(e->epochNumber, oldestNumber))
2384            oldest = e;
2385    }
2386
2387    if (oldest == NULL)
2388        return NULL;
2389
2390    e = oldest;
2391
2392#ifdef WOLFSSL_DEBUG_TLS
2393    WOLFSSL_MSG_EX("Delete epoch: %d", e->epochNumber);
2394#endif /* WOLFSSL_DEBUG_TLS */
2395
2396    XMEMSET(e, 0, sizeof(*e));
2397
2398    return e;
2399}
2400
2401int Dtls13NewEpoch(WOLFSSL* ssl, w64wrapper epochNumber, int side)
2402{
2403    Dtls13Epoch* e;
2404
2405#ifdef WOLFSSL_DEBUG_TLS
2406    WOLFSSL_MSG_EX("New epoch: %d", w64GetLow32(epochNumber));
2407#endif /* WOLFSSL_DEBUG_TLS */
2408
2409    e = Dtls13GetEpoch(ssl, epochNumber);
2410    if (e == NULL) {
2411        e = Dtls13NewEpochSlot(ssl);
2412        if (e == NULL)
2413            return BAD_STATE_E;
2414    }
2415
2416    Dtls13EpochCopyKeys(ssl, e, &ssl->keys, side);
2417
2418    if (!e->isValid) {
2419        /* fresh epoch, initialize fields */
2420        e->epochNumber = epochNumber;
2421        e->isValid = 1;
2422        e->side = (byte)side;
2423    }
2424    else if (e->side != side) {
2425        /* epoch used for the other side already. update side */
2426        e->side = ENCRYPT_AND_DECRYPT_SIDE;
2427    }
2428
2429    /* Once handshake is done. Mark epochs older than the last one as encrypt
2430     * only so that they can't be used for decryption. */
2431    if (ssl->options.handShakeDone && (e->side == ENCRYPT_AND_DECRYPT_SIDE ||
2432            e->side == DECRYPT_SIDE_ONLY)) {
2433        w64Decrement(&epochNumber);
2434        Dtls13SetOlderEpochSide(ssl, epochNumber, ENCRYPT_SIDE_ONLY);
2435    }
2436
2437    return 0;
2438}
2439
2440int Dtls13SetEpochKeys(WOLFSSL* ssl, w64wrapper epochNumber,
2441    enum encrypt_side side)
2442{
2443    byte clientWrite, serverWrite;
2444    Dtls13Epoch* e;
2445    byte enc, dec;
2446
2447    WOLFSSL_ENTER("Dtls13SetEpochKeys");
2448
2449    clientWrite = serverWrite = 0;
2450    enc = dec = 0;
2451    switch (side) {
2452
2453    case ENCRYPT_SIDE_ONLY:
2454        if (ssl->options.side == WOLFSSL_CLIENT_END)
2455            clientWrite = 1;
2456        if (ssl->options.side == WOLFSSL_SERVER_END)
2457            serverWrite = 1;
2458        enc = 1;
2459        break;
2460
2461    case DECRYPT_SIDE_ONLY:
2462        if (ssl->options.side == WOLFSSL_CLIENT_END)
2463            serverWrite = 1;
2464        if (ssl->options.side == WOLFSSL_SERVER_END)
2465            clientWrite = 1;
2466        dec = 1;
2467        break;
2468
2469    case ENCRYPT_AND_DECRYPT_SIDE:
2470        clientWrite = serverWrite = 1;
2471        enc = dec = 1;
2472        break;
2473    }
2474
2475    e = Dtls13GetEpoch(ssl, epochNumber);
2476    /* we don't have the requested key */
2477    if (e == NULL)
2478        return BAD_STATE_E;
2479
2480    if (e->side != ENCRYPT_AND_DECRYPT_SIDE && e->side != side)
2481        return BAD_STATE_E;
2482
2483    if (enc)
2484        ssl->dtls13EncryptEpoch = e;
2485    if (dec)
2486        ssl->dtls13DecryptEpoch = e;
2487
2488    /* epoch 0 has no key to copy */
2489    if (w64IsZero(epochNumber))
2490        return 0;
2491
2492    if (clientWrite) {
2493        XMEMCPY(ssl->keys.client_write_key, e->client_write_key,
2494            sizeof(ssl->keys.client_write_key));
2495
2496        XMEMCPY(ssl->keys.client_write_IV, e->client_write_IV,
2497            sizeof(ssl->keys.client_write_IV));
2498
2499        XMEMCPY(ssl->keys.client_sn_key, e->client_sn_key,
2500            sizeof(ssl->keys.client_sn_key));
2501    }
2502
2503    if (serverWrite) {
2504        XMEMCPY(ssl->keys.server_write_key, e->server_write_key,
2505            sizeof(ssl->keys.server_write_key));
2506
2507        XMEMCPY(ssl->keys.server_write_IV, e->server_write_IV,
2508            sizeof(ssl->keys.server_write_IV));
2509
2510        XMEMCPY(ssl->keys.server_sn_key, e->server_sn_key,
2511            sizeof(ssl->keys.server_sn_key));
2512    }
2513
2514    if (enc)
2515        XMEMCPY(ssl->keys.aead_enc_imp_IV, e->aead_enc_imp_IV,
2516            sizeof(ssl->keys.aead_enc_imp_IV));
2517    if (dec)
2518        XMEMCPY(ssl->keys.aead_dec_imp_IV, e->aead_dec_imp_IV,
2519            sizeof(ssl->keys.aead_dec_imp_IV));
2520
2521    return SetKeysSide(ssl, side);
2522}
2523
2524int Dtls13SetRecordNumberKeys(WOLFSSL* ssl, enum encrypt_side side)
2525{
2526    RecordNumberCiphers* enc = NULL;
2527    RecordNumberCiphers* dec = NULL;
2528    byte *encKey = NULL, *decKey = NULL;
2529    int ret;
2530
2531    if (ssl == NULL) {
2532        return BAD_FUNC_ARG;
2533    }
2534
2535    switch (side) {
2536    case ENCRYPT_SIDE_ONLY:
2537        enc = &ssl->dtlsRecordNumberEncrypt;
2538        break;
2539    case DECRYPT_SIDE_ONLY:
2540        dec = &ssl->dtlsRecordNumberDecrypt;
2541        break;
2542    case ENCRYPT_AND_DECRYPT_SIDE:
2543        enc = &ssl->dtlsRecordNumberEncrypt;
2544        dec = &ssl->dtlsRecordNumberDecrypt;
2545        break;
2546    }
2547
2548    if (enc) {
2549        if (ssl->options.side == WOLFSSL_CLIENT_END)
2550            encKey = ssl->keys.client_sn_key;
2551        else
2552            encKey = ssl->keys.server_sn_key;
2553    }
2554
2555    if (dec) {
2556        if (ssl->options.side == WOLFSSL_CLIENT_END)
2557            decKey = ssl->keys.server_sn_key;
2558        else
2559            decKey = ssl->keys.client_sn_key;
2560    }
2561
2562    /* DTLSv1.3 supports only AEAD algorithm.  */
2563#if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
2564    if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm ||
2565        ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm) {
2566
2567        if (enc) {
2568            ret = Dtls13InitAesCipher(ssl, enc, encKey, ssl->specs.key_size);
2569            if (ret != 0)
2570                return ret;
2571#ifdef WOLFSSL_DEBUG_TLS
2572            WOLFSSL_MSG("Provisioning AES Record Number enc key:");
2573            WOLFSSL_BUFFER(encKey, ssl->specs.key_size);
2574#endif /* WOLFSSL_DEBUG_TLS */
2575        }
2576
2577        if (dec) {
2578            ret = Dtls13InitAesCipher(ssl, dec, decKey, ssl->specs.key_size);
2579            if (ret != 0)
2580                return ret;
2581#ifdef WOLFSSL_DEBUG_TLS
2582            WOLFSSL_MSG("Provisioning AES Record Number dec key:");
2583            WOLFSSL_BUFFER(decKey, ssl->specs.key_size);
2584#endif /* WOLFSSL_DEBUG_TLS */
2585        }
2586
2587        return 0;
2588    }
2589#endif /* BUILD_AESGCM || HAVE_AESCCM */
2590
2591#ifdef HAVE_CHACHA
2592    if (ssl->specs.bulk_cipher_algorithm == wolfssl_chacha) {
2593        if (enc) {
2594            ret = Dtls13InitChaChaCipher(enc, encKey, ssl->specs.key_size,
2595                ssl->heap);
2596            if (ret != 0)
2597                return ret;
2598#ifdef WOLFSSL_DEBUG_TLS
2599            WOLFSSL_MSG("Provisioning CHACHA Record Number enc key:");
2600            WOLFSSL_BUFFER(encKey, ssl->specs.key_size);
2601#endif /* WOLFSSL_DEBUG_TLS */
2602        }
2603
2604        if (dec) {
2605            ret = Dtls13InitChaChaCipher(dec, decKey, ssl->specs.key_size,
2606                ssl->heap);
2607            if (ret != 0)
2608                return ret;
2609#ifdef WOLFSSL_DEBUG_TLS
2610            WOLFSSL_MSG("Provisioning CHACHA Record Number dec key:");
2611            WOLFSSL_BUFFER(decKey, ssl->specs.key_size);
2612#endif /* WOLFSSL_DEBUG_TLS */
2613        }
2614
2615        return 0;
2616    }
2617#endif /* HAVE_CHACHA */
2618
2619#ifdef HAVE_NULL_CIPHER
2620    if (ssl->specs.bulk_cipher_algorithm == wolfssl_cipher_null) {
2621#ifdef WOLFSSL_DEBUG_TLS
2622        WOLFSSL_MSG("Skipping Record Number key provisioning with null cipher");
2623#endif /* WOLFSSL_DEBUG_TLS */
2624        return 0;
2625    }
2626#endif /* HAVE_NULL_CIPHER */
2627
2628    return NOT_COMPILED_IN;
2629}
2630
2631
2632int Dtls13WriteAckMessage(WOLFSSL* ssl,
2633    Dtls13RecordNumber* recordNumberList, word16 recordsCount, word32* length)
2634{
2635    word16 msgSz, headerLength;
2636    byte *output, *ackMessage;
2637    word32 sendSz;
2638    word32 written;
2639    int ret;
2640
2641    sendSz = 0;
2642    written = 0;
2643
2644    if (ssl->dtls13EncryptEpoch == NULL)
2645        return BAD_STATE_E;
2646
2647    if (recordsCount > DTLS13_ACK_MAX_RECORDS)
2648        return BUFFER_E;
2649    msgSz = (word16)(DTLS13_RN_SIZE * recordsCount);
2650
2651    if (w64IsZero(ssl->dtls13EncryptEpoch->epochNumber)) {
2652        /* unprotected ACK */
2653        headerLength = DTLS_RECORD_HEADER_SZ;
2654    }
2655    else {
2656        headerLength = Dtls13GetRlHeaderLength(ssl, 1);
2657        sendSz += MAX_MSG_EXTRA;
2658    }
2659
2660    sendSz += headerLength;
2661
2662    /* ACK list 2 bytes length field */
2663    sendSz += OPAQUE16_LEN;
2664
2665    /* ACK list */
2666    sendSz += msgSz;
2667
2668    ret = CheckAvailableSize(ssl, sendSz);
2669    if (ret != 0)
2670        return ret;
2671
2672    output = GetOutputBuffer(ssl);
2673
2674    ackMessage = output + headerLength;
2675
2676    c16toa(msgSz, ackMessage);
2677    ackMessage += OPAQUE16_LEN;
2678
2679    WOLFSSL_MSG("write ack records");
2680
2681    while (recordNumberList != NULL) {
2682        if (written + DTLS13_RN_SIZE > msgSz)
2683            return BUFFER_E;
2684        WOLFSSL_MSG_EX("epoch %d seq %d", recordNumberList->epoch,
2685                recordNumberList->seq);
2686        c64toa(&recordNumberList->epoch, ackMessage);
2687        ackMessage += OPAQUE64_LEN;
2688        c64toa(&recordNumberList->seq, ackMessage);
2689        ackMessage += OPAQUE64_LEN;
2690        recordNumberList = recordNumberList->next;
2691        written += DTLS13_RN_SIZE;
2692    }
2693
2694    if (written != msgSz)
2695        return BUFFER_E;
2696
2697    *length = msgSz + OPAQUE16_LEN;
2698
2699    return 0;
2700}
2701
2702static int Dtls13RtxIsTrackedByRn(const Dtls13RtxRecord* r, w64wrapper epoch,
2703    w64wrapper seq)
2704{
2705    int i;
2706    if (!w64Equal(r->epoch, epoch))
2707        return 0;
2708
2709    for (i = 0; i < r->rnIdx; ++i) {
2710        if (w64Equal(r->seq[i], seq))
2711            return 1;
2712    }
2713
2714    return 0;
2715}
2716
2717static int Dtls13KeyUpdateAckReceived(WOLFSSL* ssl)
2718{
2719    int ret;
2720
2721    ret = DeriveTls13Keys(ssl, update_traffic_key, ENCRYPT_SIDE_ONLY, 1);
2722    if (ret != 0)
2723        return ret;
2724
2725    w64Increment(&ssl->dtls13Epoch);
2726
2727    /* Epoch wrapped up */
2728    if (w64IsZero(ssl->dtls13Epoch))
2729        return BAD_STATE_E;
2730
2731    return Dtls13SetEpochKeys(ssl, ssl->dtls13Epoch, ENCRYPT_SIDE_ONLY);
2732}
2733
2734#ifdef WOLFSSL_DEBUG_TLS
2735static void Dtls13PrintRtxRecord(Dtls13RtxRecord* r)
2736{
2737    int i;
2738
2739    WOLFSSL_MSG_EX("r: hs: %d epoch: %ld", r->handshakeType, r->epoch);
2740    for (i = 0; i < r->rnIdx; i++)
2741        WOLFSSL_MSG_EX("seq: %ld", r->seq[i]);
2742}
2743#endif /* WOLFSSL_DEBUG_TLS */
2744
2745void Dtls13RtxRemoveRecord(WOLFSSL* ssl, w64wrapper epoch,
2746    w64wrapper seq)
2747{
2748    Dtls13RtxRecord *r, **prevNext;
2749
2750    prevNext = &ssl->dtls13Rtx.rtxRecords;
2751    r = ssl->dtls13Rtx.rtxRecords;
2752
2753    while (r != NULL) {
2754#ifdef WOLFSSL_DEBUG_TLS
2755        Dtls13PrintRtxRecord(r);
2756#endif /* WOLFSSL_DEBUG_TLS */
2757
2758        if (Dtls13RtxIsTrackedByRn(r, epoch, seq)) {
2759#ifdef WOLFSSL_DEBUG_TLS
2760            WOLFSSL_MSG("removing record");
2761#endif /* WOLFSSL_DEBUG_TLS */
2762            Dtls13RtxRecordUnlink(ssl, prevNext, r);
2763            Dtls13FreeRtxBufferRecord(ssl, r);
2764            return;
2765        }
2766        prevNext = &r->next;
2767        r = r->next;
2768    }
2769
2770    return;
2771}
2772
2773int Dtls13DoScheduledWork(WOLFSSL* ssl)
2774{
2775    int ret;
2776    int sendAcks;
2777
2778    WOLFSSL_ENTER("Dtls13DoScheduledWork");
2779
2780    ssl->dtls13SendingAckOrRtx = 1;
2781
2782#ifdef WOLFSSL_RW_THREADED
2783    ret = wc_LockMutex(&ssl->dtls13Rtx.mutex);
2784    if (ret < 0)
2785        return ret;
2786#endif
2787    sendAcks = ssl->dtls13Rtx.sendAcks;
2788    if (sendAcks) {
2789        ssl->dtls13Rtx.sendAcks = 0;
2790    }
2791#ifdef WOLFSSL_RW_THREADED
2792    ret = wc_UnLockMutex(&ssl->dtls13Rtx.mutex);
2793#endif
2794    if (sendAcks) {
2795#ifdef HAVE_WRITE_DUP
2796        /* The read side cannot encrypt.  Transfer the seenRecords list to the
2797         * shared WriteDup struct so the write side sends the ACK instead. */
2798        if (ssl->dupWrite != NULL && ssl->dupSide == READ_DUP_SIDE) {
2799            struct Dtls13RecordNumber** tail = NULL;
2800            if (wc_LockMutex(&ssl->dupWrite->dupMutex) != 0)
2801                return BAD_MUTEX_E;
2802            tail = (struct Dtls13RecordNumber**)&ssl->dupWrite->sendAckList;
2803            while (*tail != NULL)
2804                tail = &(*tail)->next;
2805            *tail = ssl->dtls13Rtx.seenRecords;
2806            ssl->dtls13Rtx.seenRecords = NULL;
2807            ssl->dtls13Rtx.seenRecordsCount = 0;
2808            ssl->dupWrite->sendAcks = 1;
2809            wc_UnLockMutex(&ssl->dupWrite->dupMutex);
2810        }
2811        else
2812#endif /* HAVE_WRITE_DUP */
2813        {
2814            ret = SendDtls13Ack(ssl);
2815            if (ret != 0)
2816                return ret;
2817        }
2818    }
2819
2820    if (ssl->dtls13Rtx.retransmit) {
2821        ssl->dtls13Rtx.retransmit = 0;
2822        ret = Dtls13RtxSendBuffered(ssl);
2823        if (ret != 0)
2824            return ret;
2825    }
2826
2827    ssl->dtls13SendingAckOrRtx = 0;
2828
2829    if (ssl->dtls13DoKeyUpdate) {
2830        ssl->dtls13DoKeyUpdate = 0;
2831        ret = Tls13UpdateKeys(ssl);
2832        if (ret != 0)
2833            return ret;
2834    }
2835
2836    return 0;
2837}
2838
2839/* Send ACKs when available after a timeout but only retransmit the last
2840 * flight after a long timeout */
2841int Dtls13RtxTimeout(WOLFSSL* ssl)
2842{
2843    int ret = 0;
2844
2845    /* We don't want to send acks until we have done version
2846     * negotiation in the SH or have received a unified header in the
2847     * DTLS record. */
2848    if (ssl->dtls13Rtx.seenRecords != NULL &&
2849            (ssl->options.serverState >= SERVER_HELLO_COMPLETE ||
2850                    ssl->options.seenUnifiedHdr)) {
2851        ssl->dtls13Rtx.sendAcks = 0;
2852        /* reset fast timeout as we are sending ACKs */
2853        ssl->dtls13FastTimeout = 0;
2854        ret = SendDtls13Ack(ssl);
2855        if (ret != 0)
2856            return ret;
2857    }
2858
2859    /* we have two timeouts, a shorter (dtls13FastTimeout = 1) and a longer
2860       one. When the shorter expires we only send ACKs, as it normally means
2861       that some messages we are waiting for don't arrive yet. But we
2862       retransmit our buffered messages only if the longer timeout
2863       expires. fastTimeout is 1/4 of the longer timeout */
2864    if (ssl->dtls13FastTimeout) {
2865        ssl->dtls13FastTimeout = 0;
2866        return 0;
2867    }
2868
2869    /* Increase timeout on long timeout */
2870    if (DtlsMsgPoolTimeout(ssl) != 0)
2871        return WOLFSSL_FATAL_ERROR;
2872
2873    return Dtls13RtxSendBuffered(ssl);
2874}
2875
2876static int Dtls13RtxHasKeyUpdateBuffered(WOLFSSL* ssl)
2877{
2878    Dtls13RtxRecord* r = ssl->dtls13Rtx.rtxRecords;
2879
2880    while (r != NULL) {
2881        if (r->handshakeType == key_update)
2882            return 1;
2883
2884        r = r->next;
2885    }
2886
2887    return 0;
2888}
2889
2890int DoDtls13KeyUpdateAck(WOLFSSL* ssl)
2891{
2892    int ret = 0;
2893
2894    if (!Dtls13RtxHasKeyUpdateBuffered(ssl)) {
2895        /* we removed the KeyUpdate message because it was ACKed */
2896        ssl->dtls13WaitKeyUpdateAck = 0;
2897        ret = Dtls13KeyUpdateAckReceived(ssl);
2898    }
2899
2900    return ret;
2901}
2902
2903int DoDtls13Ack(WOLFSSL* ssl, const byte* input, word32 inputSize,
2904    word32* processedSize)
2905{
2906    const byte* ackMessage;
2907    w64wrapper epoch, seq;
2908    word16 length;
2909#ifndef WOLFSSL_RW_THREADED
2910    int ret;
2911#endif
2912    int i;
2913
2914    if (inputSize < OPAQUE16_LEN)
2915        return BUFFER_ERROR;
2916
2917    ato16(input, &length);
2918
2919    if (inputSize < (word32)(OPAQUE16_LEN + length))
2920        return BUFFER_ERROR;
2921
2922    if (length % (DTLS13_RN_SIZE) != 0)
2923        return PARSE_ERROR;
2924
2925    WOLFSSL_MSG("read ack records");
2926
2927    ackMessage = input + OPAQUE16_LEN;
2928    for (i = 0; i < length; i += DTLS13_RN_SIZE) {
2929        ato64(ackMessage + i, &epoch);
2930        ato64(ackMessage + i + OPAQUE64_LEN, &seq);
2931        WOLFSSL_MSG_EX("epoch %d seq %d", epoch, seq);
2932        Dtls13RtxRemoveRecord(ssl, epoch, seq);
2933#ifdef HAVE_WRITE_DUP
2934        /* Read side: check if this ACK covers the write side's pending KeyUpdate.
2935         * Match on both epoch AND seq to avoid false positives from data records
2936         * in the same epoch (sent while dtls13WaitKeyUpdateAck == 1). */
2937        if (ssl->dupWrite != NULL && ssl->dupSide == READ_DUP_SIDE) {
2938            if (wc_LockMutex(&ssl->dupWrite->dupMutex) != 0)
2939                return BAD_MUTEX_E;
2940            if (ssl->dupWrite->keyUpdateWaiting &&
2941                    w64Equal(epoch, ssl->dupWrite->keyUpdateEpoch) &&
2942                    w64Equal(seq,   ssl->dupWrite->keyUpdateSeq)) {
2943                ssl->dupWrite->keyUpdateAcked = 1;
2944                ssl->dupWrite->keyUpdateWaiting = 0;
2945            }
2946            wc_UnLockMutex(&ssl->dupWrite->dupMutex);
2947        }
2948#endif /* HAVE_WRITE_DUP */
2949    }
2950
2951    /* last client flight was completely acknowledged by the server. Handshake
2952       is complete. */
2953    if (ssl->options.side == WOLFSSL_CLIENT_END &&
2954        ssl->options.connectState == WAIT_FINISHED_ACK &&
2955        ssl->dtls13Rtx.rtxRecords == NULL) {
2956        ssl->options.serverState = SERVER_FINISHED_ACKED;
2957    }
2958
2959#ifndef WOLFSSL_RW_THREADED
2960    if (ssl->dtls13WaitKeyUpdateAck) {
2961        ret = DoDtls13KeyUpdateAck(ssl);
2962        if (ret != 0)
2963            return ret;
2964    }
2965#endif
2966
2967    *processedSize = length + OPAQUE16_LEN;
2968
2969    /* After the handshake, not retransmitting here may incur in some extra time
2970       in case a post-handshake authentication message is lost, because the ACK
2971       mechanism does not shortcut the retransmission timer. If, on the other
2972       hand, we retransmit we may do extra retransmissions of unrelated messages
2973       in the queue. ex: we send KeyUpdate, CertificateRequest that are
2974       unrelated between each other, receiving the ACK for the KeyUpdate will
2975       trigger re-sending the CertificateRequest before the timeout.*/
2976    /* TODO: be more smart about when doing retransmission looking in the
2977       retransmission queue or based on the type of message removed from the
2978       seen record list */
2979    if (ssl->dtls13Rtx.rtxRecords != NULL)
2980        ssl->dtls13Rtx.retransmit = 1;
2981
2982    return 0;
2983}
2984
2985int SendDtls13Ack(WOLFSSL* ssl)
2986{
2987    word32 outputSize;
2988    int headerSize;
2989    word32 length;
2990    byte* output;
2991    int ret;
2992
2993    if (ssl->dtls13EncryptEpoch == NULL)
2994        return BAD_STATE_E;
2995
2996    WOLFSSL_ENTER("SendDtls13Ack");
2997
2998    ret = 0;
2999
3000    /* The handshake is not complete and the client didn't setup the TRAFFIC0
3001       epoch yet */
3002    if (ssl->options.side == WOLFSSL_SERVER_END &&
3003        !ssl->options.handShakeDone &&
3004        w64GTE(ssl->dtls13Epoch, w64From32(0, DTLS13_EPOCH_TRAFFIC0))) {
3005        ret = Dtls13SetEpochKeys(ssl, w64From32(0, DTLS13_EPOCH_HANDSHAKE),
3006            ENCRYPT_SIDE_ONLY);
3007    }
3008    else if (!w64Equal(ssl->dtls13Epoch,
3009                 ssl->dtls13EncryptEpoch->epochNumber)) {
3010        ret = Dtls13SetEpochKeys(ssl, ssl->dtls13Epoch, ENCRYPT_SIDE_ONLY);
3011    }
3012
3013    if (ret != 0)
3014        return ret;
3015
3016#ifdef WOLFSSL_RW_THREADED
3017    ret = wc_LockMutex(&ssl->dtls13Rtx.mutex);
3018    if (ret < 0)
3019        return ret;
3020#endif
3021    ret = Dtls13WriteAckMessage(ssl, ssl->dtls13Rtx.seenRecords,
3022        ssl->dtls13Rtx.seenRecordsCount, &length);
3023#ifdef WOLFSSL_RW_THREADED
3024    wc_UnLockMutex(&ssl->dtls13Rtx.mutex);
3025#endif
3026    if (ret != 0)
3027        return ret;
3028
3029    output = GetOutputBuffer(ssl);
3030
3031    if (w64IsZero(ssl->dtls13EncryptEpoch->epochNumber)) {
3032        ret = Dtls13RlAddPlaintextHeader(ssl, output, ack, (word16)length);
3033        if (ret != 0)
3034            return ret;
3035
3036        ssl->buffers.outputBuffer.length += length + DTLS_RECORD_HEADER_SZ;
3037    }
3038    else {
3039        outputSize = ssl->buffers.outputBuffer.bufferSize -
3040                     ssl->buffers.outputBuffer.idx -
3041                     ssl->buffers.outputBuffer.length;
3042
3043        headerSize = Dtls13GetRlHeaderLength(ssl, 1);
3044
3045        ret = BuildTls13Message(ssl, output, outputSize, output + headerSize,
3046            length, ack, 0, 0, 0);
3047        if (ret < 0)
3048            return ret;
3049
3050        ssl->buffers.outputBuffer.length += ret;
3051    }
3052
3053    Dtls13RtxFlushAcks(ssl);
3054
3055    return SendBuffered(ssl);
3056}
3057
3058static int Dtls13RtxRecordMatchesReqCtx(Dtls13RtxRecord* r, byte* ctx,
3059    byte ctxLen)
3060{
3061    if (r->handshakeType != certificate_request)
3062        return 0;
3063    if (r->length <= ctxLen + 1)
3064        return 0;
3065    return XMEMCMP(ctx, r->data + 1, ctxLen) == 0;
3066}
3067
3068int Dtls13RtxProcessingCertificate(WOLFSSL* ssl, byte* input, word32 inputSize)
3069{
3070    Dtls13RtxRecord* rtxRecord = ssl->dtls13Rtx.rtxRecords;
3071    Dtls13RtxRecord** prevNext = &ssl->dtls13Rtx.rtxRecords;
3072    byte ctxLength;
3073
3074    WOLFSSL_ENTER("Dtls13RtxProcessingCertificate");
3075
3076    if (inputSize <= 1) {
3077        WOLFSSL_MSG("Malformed Certificate");
3078        return BAD_FUNC_ARG;
3079    }
3080
3081    ctxLength = *input;
3082
3083    if (inputSize < (word32)ctxLength + OPAQUE8_LEN) {
3084        WOLFSSL_MSG("Malformed Certificate");
3085        return BAD_FUNC_ARG;
3086    }
3087
3088    while (rtxRecord != NULL) {
3089        if (Dtls13RtxRecordMatchesReqCtx(rtxRecord, input + 1, ctxLength)) {
3090            Dtls13RtxRecordUnlink(ssl, prevNext, rtxRecord);
3091            Dtls13FreeRtxBufferRecord(ssl, rtxRecord);
3092            return 0;
3093        }
3094        prevNext = &rtxRecord->next;
3095        rtxRecord = rtxRecord->next;
3096    }
3097
3098    /* This isn't an error since we just can't find a Dtls13RtxRecord that
3099     * matches the Request Context. Request Context validity is checked
3100     * later. */
3101    WOLFSSL_MSG("Can't find any previous Certificate Request");
3102    return 0;
3103}
3104
3105int wolfSSL_dtls13_has_pending_msg(WOLFSSL* ssl)
3106{
3107    return ssl->dtls13Rtx.rtxRecords != NULL;
3108}
3109
3110#ifndef WOLFSSL_TLS13_IGNORE_AEAD_LIMITS
3111/* Limits specified by
3112 * https://www.rfc-editor.org/rfc/rfc9147.html#name-aead-limits
3113 * We specify the limit by which we need to do a key update as the halfway point
3114 * to the hard decryption fail limit. */
3115int Dtls13CheckAEADFailLimit(WOLFSSL* ssl)
3116{
3117    w64wrapper keyUpdateLimit;
3118    w64wrapper hardLimit;
3119    switch (ssl->specs.bulk_cipher_algorithm) {
3120#if defined(BUILD_AESGCM) || (defined(HAVE_CHACHA) && defined(HAVE_POLY1305))
3121        case wolfssl_aes_gcm:
3122        case wolfssl_chacha:
3123            hardLimit = DTLS_AEAD_AES_GCM_CHACHA_FAIL_LIMIT;
3124            keyUpdateLimit = DTLS_AEAD_AES_GCM_CHACHA_FAIL_KU_LIMIT;
3125            break;
3126#endif
3127#ifdef HAVE_AESCCM
3128        case wolfssl_aes_ccm:
3129            if (ssl->specs.aead_mac_size == AES_CCM_8_AUTH_SZ) {
3130                /* Limit is 2^7. The RFC recommends that
3131                 * "TLS_AES_128_CCM_8_SHA256 is not suitable for general use".
3132                 * We still should enforce the limit. */
3133                hardLimit = DTLS_AEAD_AES_CCM_8_FAIL_LIMIT;
3134                keyUpdateLimit = DTLS_AEAD_AES_CCM_8_FAIL_KU_LIMIT;
3135            }
3136            else {
3137                /* Limit is 2^23.5.
3138                 * Without the fraction is 11863283 (0x00B504F3)
3139                 * Half of this value is    5931641 (0x005A8279) */
3140                hardLimit = DTLS_AEAD_AES_CCM_FAIL_LIMIT;
3141                keyUpdateLimit = DTLS_AEAD_AES_CCM_FAIL_KU_LIMIT;
3142            }
3143            break;
3144#endif
3145        case wolfssl_cipher_null:
3146            /* No encryption being done. The MAC check must have failed. */
3147            return 0;
3148        default:
3149            WOLFSSL_MSG("Unrecognized ciphersuite for AEAD limit check");
3150            WOLFSSL_ERROR_VERBOSE(DECRYPT_ERROR);
3151            return DECRYPT_ERROR;
3152    }
3153    if (ssl->dtls13DecryptEpoch == NULL) {
3154        WOLFSSL_MSG("Dtls13CheckAEADFailLimit: ssl->dtls13DecryptEpoch should "
3155                    "not be NULL");
3156        WOLFSSL_ERROR_VERBOSE(BAD_STATE_E);
3157        return BAD_STATE_E;
3158    }
3159    w64Increment(&ssl->dtls13DecryptEpoch->dropCount);
3160    if (w64GT(ssl->dtls13DecryptEpoch->dropCount, hardLimit)) {
3161        /* We have reached the hard limit for failed decryptions. */
3162        WOLFSSL_MSG("Connection exceeded hard AEAD limit");
3163        WOLFSSL_ERROR_VERBOSE(DECRYPT_ERROR);
3164        return DECRYPT_ERROR;
3165    }
3166    else if (w64GT(ssl->dtls13DecryptEpoch->dropCount, keyUpdateLimit)) {
3167        WOLFSSL_MSG("Connection exceeded key update limit. Issuing key update");
3168        /* If not waiting for a response then request a key update. */
3169        if (!ssl->keys.updateResponseReq) {
3170            ssl->dtls13DoKeyUpdate = 1;
3171            ssl->dtls13InvalidateBefore = ssl->dtls13PeerEpoch;
3172            w64Increment(&ssl->dtls13InvalidateBefore);
3173        }
3174    }
3175    return 0;
3176}
3177#endif
3178
3179#ifdef WOLFSSL_DTLS_CH_FRAG
3180int wolfSSL_dtls13_allow_ch_frag(WOLFSSL *ssl, int enabled)
3181{
3182    if (ssl->options.side == WOLFSSL_CLIENT_END) {
3183        return WOLFSSL_FAILURE;
3184    }
3185    ssl->options.dtls13ChFrag = !!enabled;
3186    return WOLFSSL_SUCCESS;
3187}
3188#endif
3189
3190#ifdef WOLFSSL_DTLS13_NO_HRR_ON_RESUME
3191int wolfSSL_dtls13_no_hrr_on_resume(WOLFSSL *ssl, int enabled)
3192{
3193    if (ssl->options.side == WOLFSSL_CLIENT_END) {
3194        return WOLFSSL_FAILURE;
3195    }
3196    ssl->options.dtls13NoHrrOnResume = !!enabled;
3197    return WOLFSSL_SUCCESS;
3198}
3199#endif
3200
3201#endif /* WOLFSSL_DTLS13 */