tls13_client.c
Go to the documentation of this file.
1 /**
2  * @file tls13_client.c
3  * @brief Handshake message processing (TLS 1.3 client)
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneSSL Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @author Oryx Embedded SARL (www.oryx-embedded.com)
26  * @version 1.9.0
27  **/
28 
29 //Switch to the appropriate trace level
30 #define TRACE_LEVEL TLS_TRACE_LEVEL
31 
32 //Dependencies
33 #include <string.h>
34 #include "tls.h"
35 #include "tls_cipher_suites.h"
36 #include "tls_handshake.h"
37 #include "tls_client_extensions.h"
38 #include "tls_client_misc.h"
39 #include "tls_extensions.h"
40 #include "tls_transcript_hash.h"
41 #include "tls_misc.h"
42 #include "tls13_client.h"
44 #include "tls13_key_material.h"
45 #include "tls13_misc.h"
46 #include "kdf/hkdf.h"
47 #include "debug.h"
48 
49 //Check TLS library configuration
50 #if (TLS_SUPPORT == ENABLED && TLS_CLIENT_SUPPORT == ENABLED && \
51  TLS_MAX_VERSION >= TLS_VERSION_1_3)
52 
53 
54 /**
55  * @brief Send EndOfEarlyData message
56  *
57  * The EndOfEarlyData message indicates that all 0-RTT application data
58  * messages, if any, have been transmitted and that the following records
59  * are protected under handshake traffic keys
60  *
61  * @param[in] context Pointer to the TLS context
62  * @return Error code
63  **/
64 
66 {
67 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
68  error_t error;
69  size_t length;
71 
72  //Point to the buffer where to format the message
73  message = (Tls13EndOfEarlyData *) (context->txBuffer + context->txBufferLen);
74 
75  //If the server has accepted early data, an EndOfEarlyData message will be
76  //sent to indicate the key change
77  error = tls13FormatEndOfEarlyData(context, message, &length);
78 
79  //Check status code
80  if(!error)
81  {
82  //Debug message
83  TRACE_INFO("Sending EndOfEarlyData message (%" PRIuSIZE " bytes)...\r\n", length);
85 
86  //Send handshake message
87  error = tlsSendHandshakeMessage(context, message, length,
89  }
90 
91  //Check status code
92  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
93  {
94  //Release encryption engine
95  tlsFreeEncryptionEngine(&context->encryptionEngine);
96 
97  //Calculate client handshake traffic keys
98  error = tlsInitEncryptionEngine(context, &context->encryptionEngine,
99  TLS_CONNECTION_END_CLIENT, context->clientHsTrafficSecret);
100 
101  //Handshake traffic keys successfully calculated?
102  if(!error)
103  {
104  //Send a Finished message to the server
105  context->state = TLS_STATE_CLIENT_FINISHED;
106  }
107  }
108 
109  //Return status code
110  return error;
111 #else
112  //Not implemented
113  return ERROR_NOT_IMPLEMENTED;
114 #endif
115 }
116 
117 
118 /**
119  * @brief Format EndOfEarlyData message
120  * @param[in] context Pointer to the TLS context
121  * @param[out] message Buffer where to format the EndOfEarlyData message
122  * @param[out] length Length of the resulting EndOfEarlyData message
123  * @return Error code
124  **/
125 
128 {
129  //The EndOfEarlyData message does not contain any data
130  *length = 0;
131 
132  //Successful processing
133  return NO_ERROR;
134 }
135 
136 
137 /**
138  * @brief Parse HelloRetryRequest message
139  *
140  * The server will send this message in response to a ClientHello message if
141  * it is able to find an acceptable set of parameters but the ClientHello does
142  * not contain sufficient information to proceed with the handshake
143  *
144  * @param[in] context Pointer to the TLS context
145  * @param[in] message Incoming HelloRetryRequest message to parse
146  * @param[in] length Message length
147  * @return Error code
148  **/
149 
151  const Tls13HelloRetryRequest *message, size_t length)
152 {
153  error_t error;
154  const uint8_t *p;
155  const HashAlgo *hashAlgo;
157  TlsCompressMethod compressMethod;
159 
160  //Debug message
161  TRACE_INFO("HelloRetryRequest message received (%" PRIuSIZE " bytes)...\r\n", length);
163 
164  //Check TLS version
165  if(context->versionMax != TLS_VERSION_1_3)
167 
168  //If a client receives a second HelloRetryRequest in the same connection,
169  //it must abort the handshake with an unexpected_message alert
170  if(context->state != TLS_STATE_SERVER_HELLO &&
171  context->state != TLS_STATE_SERVER_HELLO_3)
172  {
173  //Report an error
175  }
176 
177  //Check the length of the ServerHello message
178  if(length < sizeof(TlsServerHello))
179  return ERROR_DECODING_FAILED;
180 
181  //Point to the session ID
182  p = message->sessionId;
183  //Remaining bytes to process
184  length -= sizeof(TlsServerHello);
185 
186  //Check the length of the session ID
187  if(message->sessionIdLen > length)
188  return ERROR_DECODING_FAILED;
189  if(message->sessionIdLen > 32)
190  return ERROR_DECODING_FAILED;
191 
192  //Point to the next field
193  p += message->sessionIdLen;
194  //Remaining bytes to process
195  length -= message->sessionIdLen;
196 
197  //Malformed ServerHello message?
198  if(length < sizeof(TlsCipherSuite))
199  return ERROR_DECODING_FAILED;
200 
201  //Get the negotiated cipher suite
203  //Point to the next field
204  p += sizeof(TlsCipherSuite);
205  //Remaining bytes to process
206  length -= sizeof(TlsCipherSuite);
207 
208  //Malformed ServerHello message?
209  if(length < sizeof(TlsCompressMethod))
210  return ERROR_DECODING_FAILED;
211 
212  //Get the negotiated compression method
213  compressMethod = *p;
214  //Point to the next field
215  p += sizeof(TlsCompressMethod);
216  //Remaining bytes to process
217  length -= sizeof(TlsCompressMethod);
218 
219  //Legacy version
220  TRACE_INFO(" legacyVersion = 0x%04" PRIX16 " (%s)\r\n",
221  ntohs(message->serverVersion),
222  tlsGetVersionName(ntohs(message->serverVersion)));
223 
224  //Server random value
225  TRACE_INFO(" random\r\n");
226  TRACE_INFO_ARRAY(" ", message->random, 32);
227 
228  //Session identifier
229  TRACE_INFO(" sessionId\r\n");
230  TRACE_INFO_ARRAY(" ", message->sessionId, message->sessionIdLen);
231 
232  //Cipher suite identifier
233  TRACE_INFO(" cipherSuite = 0x%04" PRIX16 " (%s)\r\n",
235 
236  //Compression method
237  TRACE_INFO(" compressMethod = 0x%02" PRIX8 "\r\n", compressMethod);
238 
239  //Parse the list of extensions offered by the server
241  &extensions);
242  //Any error to report?
243  if(error)
244  return error;
245 
246  //Check the list of extensions offered by the server
248  context->version, &extensions);
249  //Any error to report?
250  if(error)
251  return error;
252 
253  //The legacy_version field must be set to 0x0303, which is the version
254  //number for TLS 1.2
255  if(ntohs(message->serverVersion) != TLS_VERSION_1_2)
257 
258  //A client which receives a legacy_session_id_echo field that does not
259  //match what it sent in the ClientHello must abort the handshake with an
260  //illegal_parameter alert (RFC 8446, section 4.1.4)
261  if(message->sessionIdLen != context->sessionIdLen ||
262  memcmp(message->sessionId, context->sessionId, message->sessionIdLen))
263  {
264  //The legacy_session_id_echo field is not valid
266  }
267 
268  //The HelloRetryRequest message must contain a SupportedVersions extension
269  if(extensions.selectedVersion == NULL)
271 
272  //TLS protocol?
273  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM)
274  {
275  //Release transcript hash context
276  tlsFreeTranscriptHash(context);
277 
278  //Format initial ClientHello message
279  error = tlsFormatInitialClientHello(context);
280  //Any error to report?
281  if(error)
282  return error;
283  }
284 
285  //The SupportedVersions extension contains the selected version
287  extensions.selectedVersion);
288  //Any error to report?
289  if(error)
290  return error;
291 
292  //Set cipher suite
293  error = tlsSelectCipherSuite(context, cipherSuite);
294  //Specified cipher suite not supported?
295  if(error)
296  return error;
297 
298  //Set compression method
299  error = tlsSelectCompressMethod(context, compressMethod);
300  //Specified compression method not supported?
301  if(error)
302  return error;
303 
304  //Initialize handshake message hashing
305  error = tlsInitTranscriptHash(context);
306  //Any error to report?
307  if(error)
308  return error;
309 
310  //When the server responds to a ClientHello with a HelloRetryRequest, the
311  //value of ClientHello1 is replaced with a special synthetic handshake
312  //message of handshake type MessageHash containing Hash(ClientHello1)
313  error = tls13DigestClientHello1(context);
314  //Any error to report?
315  if(error)
316  return error;
317 
318  //When sending a HelloRetryRequest, the server may provide a Cookie
319  //extension to the client
320  error = tls13ParseCookieExtension(context, extensions.cookie);
321  //Any error to report?
322  if(error)
323  return error;
324 
325  //The KeyShare extension contains the mutually supported group the server
326  //intends to negotiate
327  error = tls13ParseSelectedGroupExtension(context, extensions.selectedGroup);
328  //Any error to report?
329  if(error)
330  return error;
331 
332  //Point to the cipher suite hash algorithm
333  hashAlgo = context->cipherSuite.prfHashAlgo;
334  //Make sure the hash algorithm is valid
335  if(hashAlgo == NULL)
336  return ERROR_FAILURE;
337 
338  //In addition, in its updated ClientHello, the client should not offer any
339  //pre-shared keys associated with a hash other than that of the selected
340  //cipher suite. This allows the client to avoid having to compute partial
341  //hash transcripts for multiple hashes in the second ClientHello
342  if(tls13IsPskValid(context))
343  {
344  //Remove any PSKs which are incompatible with the server's indicated
345  //cipher suite
346  if(tlsGetHashAlgo(context->pskHashAlgo) != hashAlgo)
347  {
348  context->pskHashAlgo = TLS_HASH_ALGO_NONE;
349  context->ticketHashAlgo = TLS_HASH_ALGO_NONE;
350  }
351  }
352  else if(tls13IsTicketValid(context))
353  {
354  //Remove any PSKs which are incompatible with the server's indicated
355  //cipher suite
356  if(tlsGetHashAlgo(context->ticketHashAlgo) != hashAlgo)
357  {
358  context->ticketHashAlgo = TLS_HASH_ALGO_NONE;
359  }
360  }
361 
362  //Any 0-RTT data sent by the client?
363  if(context->earlyDataEnabled)
364  {
365  //A client must not include the EarlyData extension in its followup
366  //ClientHello (refer to RFC 8446, section 4.2.10)
367  context->earlyDataRejected = TRUE;
368  }
369 
370  //Clients must abort the handshake with an illegal_parameter alert if the
371  //HelloRetryRequest would not result in any change in the ClientHello
372  if(context->cookieLen == 0 && context->namedGroup == context->preferredGroup)
373  {
374  //Report an error
376  }
377 
378 #if (TLS13_MIDDLEBOX_COMPAT_SUPPORT == ENABLED)
379  //The middlebox compatibility mode improves the chance of successfully
380  //connecting through middleboxes
381  if(context->state == TLS_STATE_SERVER_HELLO)
382  {
383  //In middlebox compatibility mode, the client sends a dummy
384  //ChangeCipherSpec record immediately before its second flight
385  context->state = TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC;
386  }
387  else
388 #endif
389  {
390  //The client can send its second flight
391  context->state = TLS_STATE_CLIENT_HELLO_2;
392  }
393 
394  //Successful processing
395  return NO_ERROR;
396 }
397 
398 
399 /**
400  * @brief Parse EncryptedExtensions message
401  *
402  * The server sends the EncryptedExtensions message immediately after the
403  * ServerHello message. The EncryptedExtensions message contains extensions
404  * that can be protected
405  *
406  * @param[in] context Pointer to the TLS context
407  * @param[in] message Incoming EncryptedExtensions message to parse
408  * @param[in] length Message length
409  * @return Error code
410  **/
411 
413  const Tls13EncryptedExtensions *message, size_t length)
414 {
415  error_t error;
417 
418  //Debug message
419  TRACE_INFO("EncryptedExtensions message received (%" PRIuSIZE " bytes)...\r\n", length);
421 
422  //Check TLS version
423  if(context->version != TLS_VERSION_1_3)
425 
426  //Check current state
427  if(context->state != TLS_STATE_ENCRYPTED_EXTENSIONS)
429 
430  //Check the length of the EncryptedExtensions message
431  if(length < sizeof(Tls13EncryptedExtensions))
432  return ERROR_DECODING_FAILED;
433 
434  //Parse the list of extensions offered by the server
436  (uint8_t *) message, length, &extensions);
437  //Any error to report?
438  if(error)
439  return error;
440 
441  //Check the list of extensions offered by the server
443  context->version, &extensions);
444  //Any error to report?
445  if(error)
446  return error;
447 
448 #if (TLS_SNI_SUPPORT == ENABLED)
449  //When the server includes a ServerName extension, the data field of
450  //this extension may be empty
451  error = tlsParseServerSniExtension(context, extensions.serverNameList);
452  //Any error to report?
453  if(error)
454  return error;
455 #endif
456 
457 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED && TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
458  //A client must treat receipt of both MaxFragmentLength and RecordSizeLimit
459  //extensions as a fatal error, and it should generate an illegal_parameter
460  //alert (refer to RFC 8449, section 5)
461  if(extensions.maxFragLen != NULL && extensions.recordSizeLimit != NULL)
463 #endif
464 
465 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
466  //Servers that receive an ClientHello containing a MaxFragmentLength
467  //extension may accept the requested maximum fragment length by including
468  //an extension of type MaxFragmentLength in the ServerHello
469  error = tlsParseServerMaxFragLenExtension(context, extensions.maxFragLen);
470  //Any error to report?
471  if(error)
472  return error;
473 #endif
474 
475 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
476  //The value of RecordSizeLimit is the maximum size of record in octets
477  //that the peer is willing to receive
479  extensions.recordSizeLimit);
480  //Any error to report?
481  if(error)
482  return error;
483 #endif
484 
485 #if (TLS_ALPN_SUPPORT == ENABLED)
486  //Parse ALPN extension
487  error = tlsParseServerAlpnExtension(context, extensions.protocolNameList);
488  //Any error to report?
489  if(error)
490  return error;
491 #endif
492 
493 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
494  //Parse ClientCertType extension
495  error = tlsParseClientCertTypeExtension(context, extensions.clientCertType);
496  //Any error to report?
497  if(error)
498  return error;
499 
500  //Parse ServerCertType extension
501  error = tlsParseServerCertTypeExtension(context, extensions.serverCertType);
502  //Any error to report?
503  if(error)
504  return error;
505 #endif
506 
507 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
508  //Parse EarlyData extension
509  error = tls13ParseServerEarlyDataExtension(context,
510  TLS_TYPE_ENCRYPTED_EXTENSIONS, extensions.earlyDataIndication);
511  //Any error to report?
512  if(error)
513  return error;
514 
515  //Check whether the server has accepted the early data
516  if(context->earlyDataExtReceived)
517  {
518 #if (TLS_ALPN_SUPPORT == ENABLED)
519  //Valid ticket?
520  if(!tls13IsPskValid(context) && tls13IsTicketValid(context))
521  {
522  //Enforce ALPN protocol
523  if(context->selectedProtocol != NULL || context->ticketAlpn != NULL)
524  {
525  if(context->selectedProtocol != NULL && context->ticketAlpn != NULL)
526  {
527  //Compare the selected ALPN protocol against the expected value
528  if(strcmp(context->selectedProtocol, context->ticketAlpn))
529  {
530  //The selected ALPN protocol is not acceptable
531  return ERROR_HANDSHAKE_FAILED;
532  }
533  }
534  else
535  {
536  //The selected ALPN protocol is not acceptable
537  return ERROR_HANDSHAKE_FAILED;
538  }
539  }
540  }
541 #endif
542 
543  //The EndOfEarlyData message is encrypted with the 0-RTT traffic keys
544  tlsFreeEncryptionEngine(&context->encryptionEngine);
545 
546  //Calculate client early traffic keys
547  error = tlsInitEncryptionEngine(context, &context->encryptionEngine,
548  TLS_CONNECTION_END_CLIENT, context->clientEarlyTrafficSecret);
549  //Any error to report?
550  if(error)
551  return error;
552 
553  //Restore sequence number
554  context->encryptionEngine.seqNum = context->earlyDataSeqNum;
555  }
556 #endif
557 
558  //PSK key exchange method?
559  if(context->keyExchMethod == TLS13_KEY_EXCH_PSK ||
560  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
561  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
562  {
563  //As the server is authenticating via a PSK, it does not send a
564  //Certificate or a CertificateVerify message
565  context->state = TLS_STATE_SERVER_FINISHED;
566  }
567  else
568  {
569  //A server can optionally request a certificate from the client
570  context->state = TLS_STATE_CERTIFICATE_REQUEST;
571  }
572 
573  //Successful processing
574  return NO_ERROR;
575 }
576 
577 
578 /**
579  * @brief Parse NewSessionTicket message
580  *
581  * At any time after the server has received the client Finished message, it
582  * may send a NewSessionTicket message
583  *
584  * @param[in] context Pointer to the TLS context
585  * @param[in] message Incoming NewSessionTicket message to parse
586  * @param[in] length Message length
587  * @return Error code
588  **/
589 
591  const Tls13NewSessionTicket *message, size_t length)
592 {
593  error_t error;
594  size_t n;
595  const uint8_t *p;
596  const Tls13Ticket *ticket;
597  const HashAlgo *hashAlgo;
599 
600  //Debug message
601  TRACE_INFO("NewSessionTicket message received (%" PRIuSIZE " bytes)...\r\n", length);
603 
604  //Check TLS version
605  if(context->version != TLS_VERSION_1_3)
607 
608  //Check current state
609  if(context->state != TLS_STATE_APPLICATION_DATA &&
610  context->state != TLS_STATE_CLOSING)
611  {
612  //Report an error
614  }
615 
616  //Check the length of the NewSessionTicket message
617  if(length < sizeof(Tls13NewSessionTicket))
618  return ERROR_DECODING_FAILED;
619 
620  //Point to the ticket nonce
621  p = message->ticketNonce;
622  //Remaining bytes to process
623  length -= sizeof(Tls13NewSessionTicket);
624 
625  //Malformed NewSessionTicket message?
626  if(length < message->ticketNonceLen)
627  return ERROR_DECODING_FAILED;
628 
629  //Point to the next field
630  p += message->ticketNonceLen;
631  //Remaining bytes to process
632  length -= message->ticketNonceLen;
633 
634  //Malformed NewSessionTicket message?
635  if(length < sizeof(Tls13Ticket))
636  return ERROR_DECODING_FAILED;
637 
638  //Point to the session ticket
639  ticket = (Tls13Ticket *) p;
640  //Retrieve the length of the ticket
641  n = ntohs(ticket->length);
642 
643  //Malformed NewSessionTicket message?
644  if(length < (sizeof(Tls13Ticket) + n))
645  return ERROR_DECODING_FAILED;
646 
647  //Point to the next field
648  p += sizeof(Tls13Ticket) + n;
649  //Remaining bytes to process
650  length -= sizeof(Tls13Ticket) + n;
651 
652  //The message includes a set of extension values for the ticket
654  &extensions);
655  //Any error to report?
656  if(error)
657  return error;
658 
659  //Check the list of extensions offered by the server
661  context->version, &extensions);
662  //Any error to report?
663  if(error)
664  return error;
665 
666  //A ticket_lifetime value of zero indicates that the ticket should be
667  //discarded immediately
668  if(ntohl(message->ticketLifetime) > 0)
669  {
670  //Check the length of the session ticket
671  if(n > 0 && n <= TLS13_MAX_TICKET_SIZE)
672  {
673  //Servers may send multiple tickets on a single connection
674  if(context->ticket != NULL)
675  {
676  //Release memory
677  memset(context->ticket, 0, context->ticketLen);
678  tlsFreeMem(context->ticket);
679  context->ticket = NULL;
680  context->ticketLen = 0;
681  }
682 
683  //Allocate a memory block to hold the ticket
684  context->ticket = tlsAllocMem(n);
685  //Failed to allocate memory?
686  if(context->ticket == NULL)
687  return ERROR_OUT_OF_MEMORY;
688 
689  //Copy session ticket
690  memcpy(context->ticket, ticket->data, n);
691  context->ticketLen = n;
692 
693  //The client's view of the age of a ticket is the time since the
694  //receipt of the NewSessionTicket message
695  context->ticketTimestamp = osGetSystemTime();
696 
697  //Save the lifetime of the ticket
698  context->ticketLifetime = ntohl(message->ticketLifetime);
699 
700  //Clients must not cache tickets for longer than 7 days, regardless
701  //of the ticket_lifetime value (refer to RFC 8446, section 4.6.1)
702  context->ticketLifetime = MIN(context->ticketLifetime,
704 
705  //Random value used to obscure the age of the ticket
706  context->ticketAgeAdd = ntohl(message->ticketAgeAdd);
707 
708  //The sole extension currently defined for NewSessionTicket is
709  //EarlyData indicating that the ticket may be used to send 0-RTT data
710  error = tls13ParseServerEarlyDataExtension(context,
711  TLS_TYPE_NEW_SESSION_TICKET, extensions.earlyDataIndication);
712  //Any error to report?
713  if(error)
714  return error;
715 
716  //The hash function used by HKDF is the cipher suite hash algorithm
717  hashAlgo = context->cipherSuite.prfHashAlgo;
718  //Make sure the hash algorithm is valid
719  if(hashAlgo == NULL)
720  return ERROR_FAILURE;
721 
722  //Calculate the PSK associated with the ticket
723  error = tls13HkdfExpandLabel(hashAlgo, context->resumptionMasterSecret,
724  hashAlgo->digestSize, "resumption", message->ticketNonce,
725  message->ticketNonceLen, context->ticketPsk, hashAlgo->digestSize);
726  //Any error to report?
727  if(error)
728  return error;
729 
730  //Set the length of the PSK associated with the ticket
731  context->ticketPskLen = hashAlgo->digestSize;
732 
733  //Debug message
734  TRACE_DEBUG("Ticket PSK:\r\n");
735  TRACE_DEBUG_ARRAY(" ", context->ticketPsk, context->ticketPskLen);
736  }
737  }
738 
739  //Successful processing
740  return NO_ERROR;
741 }
742 
743 #endif
TLS (Transport Layer Security)
Formatting and parsing of extensions (TLS 1.3 client)
error_t tlsParseHelloExtensions(TlsMessageType msgType, const uint8_t *p, size_t length, TlsHelloExtensions *extensions)
Parse Hello extensions.
Helper functions for TLS client.
bool_t tls13IsTicketValid(TlsContext *context)
error_t tls13ParseNewSessionTicket(TlsContext *context, const Tls13NewSessionTicket *message, size_t length)
Handshake message processing (TLS 1.3 client)
error_t tls13ParseSelectedGroupExtension(TlsContext *context, const uint8_t *selectedGroup)
systime_t osGetSystemTime(void)
Retrieve system time.
Debugging facilities.
#define tlsFreeMem(p)
Definition: tls.h:760
error_t tls13ParseHelloRetryRequest(TlsContext *context, const Tls13HelloRetryRequest *message, size_t length)
uint8_t p
Definition: ndp.h:295
TLS 1.3 key schedule.
Generic error code.
Definition: error.h:43
HKDF (HMAC-based Key Derivation Function)
uint8_t message[]
Definition: chap.h:150
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:836
#define TLS13_MAX_TICKET_SIZE
Definition: tls13_misc.h:90
error_t tls13ParseServerSupportedVersionsExtension(TlsContext *context, const uint8_t *selectedVersion)
#define TLS_VERSION_1_3
Definition: tls.h:90
error_t tls13ParseCookieExtension(TlsContext *context, const Tls13Cookie *cookie)
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:99
error_t tlsSelectCompressMethod(TlsContext *context, uint8_t identifier)
Set compression method.
Definition: tls_misc.c:345
void tlsFreeTranscriptHash(TlsContext *context)
Release transcript hash context.
error_t tlsInitTranscriptHash(TlsContext *context)
Initialize handshake message hashing.
#define TRUE
Definition: os_port.h:48
__start_packed struct @86 TlsServerHello
ServerHello message.
#define TLS13_MAX_TICKET_LIFETIME
Definition: tls13_misc.h:97
__start_packed struct @105 Tls13EncryptedExtensions
EncryptedExtensions message.
#define ntohl(value)
Definition: cpu_endian.h:397
Parsing and checking of TLS extensions.
TLS helper functions.
#define ntohs(value)
Definition: cpu_endian.h:396
TLS handshake.
TLS 1.3 helper functions.
__start_packed struct @106 Tls13NewSessionTicket
NewSessionTicket message (TLS 1.3)
error_t tlsInitEncryptionEngine(TlsContext *context, TlsEncryptionEngine *encryptionEngine, TlsConnectionEnd entity, const uint8_t *secret)
Initialize encryption engine.
Definition: tls_misc.c:376
uint16_t TlsCipherSuite
Cipher suite.
Definition: tls.h:1325
Formatting and parsing of extensions (TLS client)
error_t tlsParseServerAlpnExtension(TlsContext *context, const TlsProtocolNameList *protocolNameList)
Parse ALPN extension.
#define LOAD16BE(p)
Definition: cpu_endian.h:168
uint8_t TlsCompressMethod
Compression method.
Definition: tls.h:1343
error_t tlsParseServerCertTypeExtension(TlsContext *context, const uint8_t *serverCertType)
Parse ServerCertType extension.
#define MIN(a, b)
Definition: os_port.h:60
error_t tlsParseClientCertTypeExtension(TlsContext *context, const uint8_t *clientCertType)
Parse ClientCertType extension.
error_t tlsParseServerSniExtension(TlsContext *context, const TlsServerNameList *serverNameList)
Parse SNI extension.
error_t tls13DigestClientHello1(TlsContext *context)
uint16_t cipherSuite
Cipher suite identifier.
Definition: tls13_misc.h:367
error_t tls13HkdfExpandLabel(const HashAlgo *hash, const uint8_t *secret, size_t secretLen, const char_t *label, const uint8_t *context, size_t contextLen, uint8_t *output, size_t outputLen)
#define TLS_VERSION_1_2
Definition: tls.h:83
error_t tls13FormatEndOfEarlyData(TlsContext *context, Tls13EndOfEarlyData *message, size_t *length)
#define TRACE_INFO(...)
Definition: debug.h:86
TLS cipher suites.
Success.
Definition: error.h:42
error_t tls13ParseEncryptedExtensions(TlsContext *context, const Tls13EncryptedExtensions *message, size_t length)
error_t tlsSelectCipherSuite(TlsContext *context, uint16_t identifier)
Set cipher suite.
Definition: tls_misc.c:247
const char_t * tlsGetVersionName(uint16_t version)
Convert TLS version to string representation.
Definition: tls_misc.c:795
__start_packed struct @108 Tls13Ticket
Session ticket.
error_t tlsParseServerRecordSizeLimitExtension(TlsContext *context, const uint8_t *recordSizeLimit)
Parse RecordSizeLimit extension.
error_t
Error codes.
Definition: error.h:40
error_t tlsParseServerMaxFragLenExtension(TlsContext *context, const uint8_t *maxFragLen)
Parse MaxFragmentLength extension.
uint8_t extensions[]
Definition: tls13_misc.h:322
bool_t tls13IsPskValid(TlsContext *context)
#define PRIuSIZE
Definition: compiler_port.h:72
error_t tls13ParseServerEarlyDataExtension(TlsContext *context, TlsMessageType msgType, const uint8_t *earlyDataIndication)
error_t tlsSendHandshakeMessage(TlsContext *context, const void *data, size_t length, TlsMessageType type)
Send handshake message.
Hello extensions.
Definition: tls.h:1878
#define TRACE_INFO_ARRAY(p, a, n)
Definition: debug.h:87
void tlsFreeEncryptionEngine(TlsEncryptionEngine *encryptionEngine)
Release encryption engine.
Definition: tls_misc.c:599
const char_t * tlsGetCipherSuiteName(uint16_t identifier)
Convert cipher suite identifier to string representation.
Transcript hash calculation.
#define tlsAllocMem(size)
Definition: tls.h:755
uint8_t ticketNonceLen
Definition: tls13_misc.h:334
size_t digestSize
Definition: crypto.h:1061
Common interface for hash algorithms.
Definition: crypto.h:1054
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
void * Tls13EndOfEarlyData
EndOfEarlyData message.
Definition: tls13_misc.h:312
error_t tlsFormatInitialClientHello(TlsContext *context)
Format initial ClientHello message.
#define TlsContext
Definition: tls.h:34
__start_packed struct @104 Tls13HelloRetryRequest
HelloRetryRequest message.
error_t tlsCheckHelloExtensions(TlsMessageType msgType, uint16_t version, TlsHelloExtensions *extensions)
Check Hello extensions.
error_t tls13SendEndOfEarlyData(TlsContext *context)
#define TRACE_DEBUG(...)
Definition: debug.h:98