tls13_client.c
Go to the documentation of this file.
1 /**
2  * @file tls13_client.c
3  * @brief Handshake message processing (TLS 1.3 client)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 1.9.6
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include <string.h>
36 #include "tls.h"
37 #include "tls_cipher_suites.h"
38 #include "tls_handshake.h"
39 #include "tls_client_extensions.h"
40 #include "tls_client_misc.h"
41 #include "tls_extensions.h"
42 #include "tls_transcript_hash.h"
43 #include "tls_misc.h"
44 #include "tls13_client.h"
46 #include "tls13_key_material.h"
47 #include "tls13_misc.h"
48 #include "kdf/hkdf.h"
49 #include "debug.h"
50 
51 //Check TLS library configuration
52 #if (TLS_SUPPORT == ENABLED && TLS_CLIENT_SUPPORT == ENABLED && \
53  TLS_MAX_VERSION >= TLS_VERSION_1_3)
54 
55 
56 /**
57  * @brief Send EndOfEarlyData message
58  *
59  * The EndOfEarlyData message indicates that all 0-RTT application data
60  * messages, if any, have been transmitted and that the following records
61  * are protected under handshake traffic keys
62  *
63  * @param[in] context Pointer to the TLS context
64  * @return Error code
65  **/
66 
68 {
69 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
70  error_t error;
71  size_t length;
73 
74  //Point to the buffer where to format the message
75  message = (Tls13EndOfEarlyData *) (context->txBuffer + context->txBufferLen);
76 
77  //If the server has accepted early data, an EndOfEarlyData message will be
78  //sent to indicate the key change
79  error = tls13FormatEndOfEarlyData(context, message, &length);
80 
81  //Check status code
82  if(!error)
83  {
84  //Debug message
85  TRACE_INFO("Sending EndOfEarlyData message (%" PRIuSIZE " bytes)...\r\n", length);
87 
88  //Send handshake message
89  error = tlsSendHandshakeMessage(context, message, length,
91  }
92 
93  //Check status code
94  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
95  {
96  //Release encryption engine
97  tlsFreeEncryptionEngine(&context->encryptionEngine);
98 
99  //Calculate client handshake traffic keys
100  error = tlsInitEncryptionEngine(context, &context->encryptionEngine,
101  TLS_CONNECTION_END_CLIENT, context->clientHsTrafficSecret);
102 
103  //Handshake traffic keys successfully calculated?
104  if(!error)
105  {
106  //Send a Finished message to the server
107  context->state = TLS_STATE_CLIENT_FINISHED;
108  }
109  }
110 
111  //Return status code
112  return error;
113 #else
114  //Not implemented
115  return ERROR_NOT_IMPLEMENTED;
116 #endif
117 }
118 
119 
120 /**
121  * @brief Format EndOfEarlyData message
122  * @param[in] context Pointer to the TLS context
123  * @param[out] message Buffer where to format the EndOfEarlyData message
124  * @param[out] length Length of the resulting EndOfEarlyData message
125  * @return Error code
126  **/
127 
130 {
131  //The EndOfEarlyData message does not contain any data
132  *length = 0;
133 
134  //Successful processing
135  return NO_ERROR;
136 }
137 
138 
139 /**
140  * @brief Parse HelloRetryRequest message
141  *
142  * The server will send this message in response to a ClientHello message if
143  * it is able to find an acceptable set of parameters but the ClientHello does
144  * not contain sufficient information to proceed with the handshake
145  *
146  * @param[in] context Pointer to the TLS context
147  * @param[in] message Incoming HelloRetryRequest message to parse
148  * @param[in] length Message length
149  * @return Error code
150  **/
151 
153  const Tls13HelloRetryRequest *message, size_t length)
154 {
155  error_t error;
156  uint16_t cipherSuite;
157  uint8_t compressMethod;
158  const uint8_t *p;
159  const HashAlgo *hashAlgo;
161 
162  //Debug message
163  TRACE_INFO("HelloRetryRequest message received (%" PRIuSIZE " bytes)...\r\n", length);
165 
166  //Check TLS version
167  if(context->versionMax != TLS_VERSION_1_3)
169 
170  //If a client receives a second HelloRetryRequest in the same connection,
171  //it must abort the handshake with an unexpected_message alert
172  if(context->state != TLS_STATE_SERVER_HELLO &&
173  context->state != TLS_STATE_SERVER_HELLO_3)
174  {
175  //Report an error
177  }
178 
179  //Check the length of the ServerHello message
180  if(length < sizeof(TlsServerHello))
181  return ERROR_DECODING_FAILED;
182 
183  //Point to the session ID
184  p = message->sessionId;
185  //Remaining bytes to process
186  length -= sizeof(TlsServerHello);
187 
188  //Check the length of the session ID
189  if(message->sessionIdLen > length)
190  return ERROR_DECODING_FAILED;
191  if(message->sessionIdLen > 32)
192  return ERROR_DECODING_FAILED;
193 
194  //Point to the next field
195  p += message->sessionIdLen;
196  //Remaining bytes to process
197  length -= message->sessionIdLen;
198 
199  //Malformed ServerHello message?
200  if(length < sizeof(uint16_t))
201  return ERROR_DECODING_FAILED;
202 
203  //Get the negotiated cipher suite
205  //Point to the next field
206  p += sizeof(uint16_t);
207  //Remaining bytes to process
208  length -= sizeof(uint16_t);
209 
210  //Malformed ServerHello message?
211  if(length < sizeof(uint8_t))
212  return ERROR_DECODING_FAILED;
213 
214  //Get the value of the legacy_compression_method field
215  compressMethod = *p;
216  //Point to the next field
217  p += sizeof(uint8_t);
218  //Remaining bytes to process
219  length -= sizeof(uint8_t);
220 
221  //Legacy version
222  TRACE_INFO(" legacyVersion = 0x%04" PRIX16 " (%s)\r\n",
223  ntohs(message->serverVersion),
224  tlsGetVersionName(ntohs(message->serverVersion)));
225 
226  //Server random value
227  TRACE_INFO(" random\r\n");
228  TRACE_INFO_ARRAY(" ", message->random, 32);
229 
230  //Session identifier
231  TRACE_INFO(" sessionId\r\n");
232  TRACE_INFO_ARRAY(" ", message->sessionId, message->sessionIdLen);
233 
234  //Cipher suite identifier
235  TRACE_INFO(" cipherSuite = 0x%04" PRIX16 " (%s)\r\n",
237 
238  //Compression method
239  TRACE_INFO(" legacyCompressMethod = 0x%02" PRIX8 "\r\n", compressMethod);
240 
241  //The legacy_version field must be set to 0x0303, which is the version
242  //number for TLS 1.2
243  if(ntohs(message->serverVersion) != TLS_VERSION_1_2)
245 
246  //A client which receives a legacy_session_id_echo field that does not
247  //match what it sent in the ClientHello must abort the handshake with an
248  //illegal_parameter alert (RFC 8446, section 4.1.4)
249  if(message->sessionIdLen != context->sessionIdLen ||
250  memcmp(message->sessionId, context->sessionId, message->sessionIdLen))
251  {
252  //The legacy_session_id_echo field is not valid
254  }
255 
256  //Upon receipt of a HelloRetryRequest, the client must check that the
257  //legacy_compression_method is 0
258  if(compressMethod != TLS_COMPRESSION_METHOD_NULL)
259  return ERROR_DECODING_FAILED;
260 
261  //Parse the list of extensions offered by the server
263  &extensions);
264  //Any error to report?
265  if(error)
266  return error;
267 
268  //The HelloRetryRequest message must contain a SupportedVersions extension
269  if(extensions.selectedVersion == NULL)
271 
272  //TLS protocol?
273  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM)
274  {
275  //Release transcript hash context
276  tlsFreeTranscriptHash(context);
277 
278  //Format initial ClientHello message
279  error = tlsFormatInitialClientHello(context);
280  //Any error to report?
281  if(error)
282  return error;
283  }
284 
285  //The SupportedVersions extension contains the selected version
287  extensions.selectedVersion);
288  //Any error to report?
289  if(error)
290  return error;
291 
292  //Check the list of extensions offered by the server
294  context->version, &extensions);
295  //Any error to report?
296  if(error)
297  return error;
298 
299  //Set cipher suite
300  error = tlsSelectCipherSuite(context, cipherSuite);
301  //Specified cipher suite not supported?
302  if(error)
303  return error;
304 
305  //Initialize handshake message hashing
306  error = tlsInitTranscriptHash(context);
307  //Any error to report?
308  if(error)
309  return error;
310 
311  //When the server responds to a ClientHello with a HelloRetryRequest, the
312  //value of ClientHello1 is replaced with a special synthetic handshake
313  //message of handshake type MessageHash containing Hash(ClientHello1)
314  error = tls13DigestClientHello1(context);
315  //Any error to report?
316  if(error)
317  return error;
318 
319  //When sending a HelloRetryRequest, the server may provide a Cookie
320  //extension to the client
321  error = tls13ParseCookieExtension(context, extensions.cookie);
322  //Any error to report?
323  if(error)
324  return error;
325 
326  //The KeyShare extension contains the mutually supported group the server
327  //intends to negotiate
328  error = tls13ParseSelectedGroupExtension(context, extensions.selectedGroup);
329  //Any error to report?
330  if(error)
331  return error;
332 
333  //Point to the cipher suite hash algorithm
334  hashAlgo = context->cipherSuite.prfHashAlgo;
335  //Make sure the hash algorithm is valid
336  if(hashAlgo == NULL)
337  return ERROR_FAILURE;
338 
339  //In addition, in its updated ClientHello, the client should not offer any
340  //pre-shared keys associated with a hash other than that of the selected
341  //cipher suite. This allows the client to avoid having to compute partial
342  //hash transcripts for multiple hashes in the second ClientHello
343  if(tls13IsPskValid(context))
344  {
345  //Remove any PSKs which are incompatible with the server's indicated
346  //cipher suite
347  if(tlsGetHashAlgo(context->pskHashAlgo) != hashAlgo)
348  {
349  context->pskHashAlgo = TLS_HASH_ALGO_NONE;
350  context->ticketHashAlgo = TLS_HASH_ALGO_NONE;
351  }
352  }
353  else if(tls13IsTicketValid(context))
354  {
355  //Remove any PSKs which are incompatible with the server's indicated
356  //cipher suite
357  if(tlsGetHashAlgo(context->ticketHashAlgo) != hashAlgo)
358  {
359  context->ticketHashAlgo = TLS_HASH_ALGO_NONE;
360  }
361  }
362 
363  //Any 0-RTT data sent by the client?
364  if(context->earlyDataEnabled)
365  {
366  //A client must not include the EarlyData extension in its followup
367  //ClientHello (refer to RFC 8446, section 4.2.10)
368  context->earlyDataRejected = TRUE;
369  }
370 
371  //Clients must abort the handshake with an illegal_parameter alert if the
372  //HelloRetryRequest would not result in any change in the ClientHello
373  if(context->cookieLen == 0 && context->namedGroup == context->preferredGroup)
374  {
375  //Report an error
377  }
378 
379 #if (TLS13_MIDDLEBOX_COMPAT_SUPPORT == ENABLED)
380  //The middlebox compatibility mode improves the chance of successfully
381  //connecting through middleboxes
382  if(context->state == TLS_STATE_SERVER_HELLO)
383  {
384  //In middlebox compatibility mode, the client sends a dummy
385  //ChangeCipherSpec record immediately before its second flight
386  context->state = TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC;
387  }
388  else
389 #endif
390  {
391  //The client can send its second flight
392  context->state = TLS_STATE_CLIENT_HELLO_2;
393  }
394 
395  //Successful processing
396  return NO_ERROR;
397 }
398 
399 
400 /**
401  * @brief Parse EncryptedExtensions message
402  *
403  * The server sends the EncryptedExtensions message immediately after the
404  * ServerHello message. The EncryptedExtensions message contains extensions
405  * that can be protected
406  *
407  * @param[in] context Pointer to the TLS context
408  * @param[in] message Incoming EncryptedExtensions message to parse
409  * @param[in] length Message length
410  * @return Error code
411  **/
412 
414  const Tls13EncryptedExtensions *message, size_t length)
415 {
416  error_t error;
418 
419  //Debug message
420  TRACE_INFO("EncryptedExtensions message received (%" PRIuSIZE " bytes)...\r\n", length);
422 
423  //Check TLS version
424  if(context->version != TLS_VERSION_1_3)
426 
427  //Check current state
428  if(context->state != TLS_STATE_ENCRYPTED_EXTENSIONS)
430 
431  //Check the length of the EncryptedExtensions message
432  if(length < sizeof(Tls13EncryptedExtensions))
433  return ERROR_DECODING_FAILED;
434 
435  //Parse the list of extensions offered by the server
437  (uint8_t *) message, length, &extensions);
438  //Any error to report?
439  if(error)
440  return error;
441 
442  //Check the list of extensions offered by the server
444  context->version, &extensions);
445  //Any error to report?
446  if(error)
447  return error;
448 
449 #if (TLS_SNI_SUPPORT == ENABLED)
450  //When the server includes a ServerName extension, the data field of
451  //this extension may be empty
452  error = tlsParseServerSniExtension(context, extensions.serverNameList);
453  //Any error to report?
454  if(error)
455  return error;
456 #endif
457 
458 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED && TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
459  //A client must treat receipt of both MaxFragmentLength and RecordSizeLimit
460  //extensions as a fatal error, and it should generate an illegal_parameter
461  //alert (refer to RFC 8449, section 5)
462  if(extensions.maxFragLen != NULL && extensions.recordSizeLimit != NULL)
464 #endif
465 
466 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
467  //Servers that receive an ClientHello containing a MaxFragmentLength
468  //extension may accept the requested maximum fragment length by including
469  //an extension of type MaxFragmentLength in the ServerHello
470  error = tlsParseServerMaxFragLenExtension(context, extensions.maxFragLen);
471  //Any error to report?
472  if(error)
473  return error;
474 #endif
475 
476 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
477  //The value of RecordSizeLimit is the maximum size of record in octets
478  //that the peer is willing to receive
480  extensions.recordSizeLimit);
481  //Any error to report?
482  if(error)
483  return error;
484 #endif
485 
486 #if (TLS_ALPN_SUPPORT == ENABLED)
487  //Parse ALPN extension
488  error = tlsParseServerAlpnExtension(context, extensions.protocolNameList);
489  //Any error to report?
490  if(error)
491  return error;
492 #endif
493 
494 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
495  //Parse ClientCertType extension
496  error = tlsParseClientCertTypeExtension(context, extensions.clientCertType);
497  //Any error to report?
498  if(error)
499  return error;
500 
501  //Parse ServerCertType extension
502  error = tlsParseServerCertTypeExtension(context, extensions.serverCertType);
503  //Any error to report?
504  if(error)
505  return error;
506 #endif
507 
508 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
509  //Parse EarlyData extension
510  error = tls13ParseServerEarlyDataExtension(context,
511  TLS_TYPE_ENCRYPTED_EXTENSIONS, extensions.earlyDataIndication);
512  //Any error to report?
513  if(error)
514  return error;
515 
516  //Check whether the server has accepted the early data
517  if(context->earlyDataExtReceived)
518  {
519 #if (TLS_ALPN_SUPPORT == ENABLED)
520  //Valid ticket?
521  if(!tls13IsPskValid(context) && tls13IsTicketValid(context))
522  {
523  //Enforce ALPN protocol
524  if(context->selectedProtocol != NULL || context->ticketAlpn != NULL)
525  {
526  if(context->selectedProtocol != NULL && context->ticketAlpn != NULL)
527  {
528  //Compare the selected ALPN protocol against the expected value
529  if(strcmp(context->selectedProtocol, context->ticketAlpn))
530  {
531  //The selected ALPN protocol is not acceptable
532  return ERROR_HANDSHAKE_FAILED;
533  }
534  }
535  else
536  {
537  //The selected ALPN protocol is not acceptable
538  return ERROR_HANDSHAKE_FAILED;
539  }
540  }
541  }
542 #endif
543 
544  //The EndOfEarlyData message is encrypted with the 0-RTT traffic keys
545  tlsFreeEncryptionEngine(&context->encryptionEngine);
546 
547  //Calculate client early traffic keys
548  error = tlsInitEncryptionEngine(context, &context->encryptionEngine,
549  TLS_CONNECTION_END_CLIENT, context->clientEarlyTrafficSecret);
550  //Any error to report?
551  if(error)
552  return error;
553 
554  //Restore sequence number
555  context->encryptionEngine.seqNum = context->earlyDataSeqNum;
556  }
557 #endif
558 
559  //PSK key exchange method?
560  if(context->keyExchMethod == TLS13_KEY_EXCH_PSK ||
561  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
562  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
563  {
564  //As the server is authenticating via a PSK, it does not send a
565  //Certificate or a CertificateVerify message
566  context->state = TLS_STATE_SERVER_FINISHED;
567  }
568  else
569  {
570  //A server can optionally request a certificate from the client
571  context->state = TLS_STATE_CERTIFICATE_REQUEST;
572  }
573 
574  //Successful processing
575  return NO_ERROR;
576 }
577 
578 
579 /**
580  * @brief Parse NewSessionTicket message
581  *
582  * At any time after the server has received the client Finished message, it
583  * may send a NewSessionTicket message
584  *
585  * @param[in] context Pointer to the TLS context
586  * @param[in] message Incoming NewSessionTicket message to parse
587  * @param[in] length Message length
588  * @return Error code
589  **/
590 
592  const Tls13NewSessionTicket *message, size_t length)
593 {
594  error_t error;
595  size_t n;
596  const uint8_t *p;
597  const Tls13Ticket *ticket;
598  const HashAlgo *hashAlgo;
600 
601  //Debug message
602  TRACE_INFO("NewSessionTicket message received (%" PRIuSIZE " bytes)...\r\n", length);
604 
605  //Check TLS version
606  if(context->version != TLS_VERSION_1_3)
608 
609  //Check current state
610  if(context->state != TLS_STATE_APPLICATION_DATA &&
611  context->state != TLS_STATE_CLOSING)
612  {
613  //Report an error
615  }
616 
617  //Check the length of the NewSessionTicket message
618  if(length < sizeof(Tls13NewSessionTicket))
619  return ERROR_DECODING_FAILED;
620 
621  //Point to the ticket nonce
622  p = message->ticketNonce;
623  //Remaining bytes to process
624  length -= sizeof(Tls13NewSessionTicket);
625 
626  //Malformed NewSessionTicket message?
627  if(length < message->ticketNonceLen)
628  return ERROR_DECODING_FAILED;
629 
630  //Point to the next field
631  p += message->ticketNonceLen;
632  //Remaining bytes to process
633  length -= message->ticketNonceLen;
634 
635  //Malformed NewSessionTicket message?
636  if(length < sizeof(Tls13Ticket))
637  return ERROR_DECODING_FAILED;
638 
639  //Point to the session ticket
640  ticket = (Tls13Ticket *) p;
641  //Retrieve the length of the ticket
642  n = ntohs(ticket->length);
643 
644  //Malformed NewSessionTicket message?
645  if(length < (sizeof(Tls13Ticket) + n))
646  return ERROR_DECODING_FAILED;
647 
648  //Point to the next field
649  p += sizeof(Tls13Ticket) + n;
650  //Remaining bytes to process
651  length -= sizeof(Tls13Ticket) + n;
652 
653  //The message includes a set of extension values for the ticket
655  &extensions);
656  //Any error to report?
657  if(error)
658  return error;
659 
660  //Check the list of extensions offered by the server
662  context->version, &extensions);
663  //Any error to report?
664  if(error)
665  return error;
666 
667  //A ticket_lifetime value of zero indicates that the ticket should be
668  //discarded immediately
669  if(ntohl(message->ticketLifetime) > 0)
670  {
671  //Check the length of the session ticket
672  if(n > 0 && n <= TLS13_MAX_TICKET_SIZE)
673  {
674  //Servers may send multiple tickets on a single connection
675  if(context->ticket != NULL)
676  {
677  //Release memory
678  memset(context->ticket, 0, context->ticketLen);
679  tlsFreeMem(context->ticket);
680  context->ticket = NULL;
681  context->ticketLen = 0;
682  }
683 
684  //Allocate a memory block to hold the ticket
685  context->ticket = tlsAllocMem(n);
686  //Failed to allocate memory?
687  if(context->ticket == NULL)
688  return ERROR_OUT_OF_MEMORY;
689 
690  //Copy session ticket
691  memcpy(context->ticket, ticket->data, n);
692  context->ticketLen = n;
693 
694  //The client's view of the age of a ticket is the time since the
695  //receipt of the NewSessionTicket message
696  context->ticketTimestamp = osGetSystemTime();
697 
698  //Save the lifetime of the ticket
699  context->ticketLifetime = ntohl(message->ticketLifetime);
700 
701  //Clients must not cache tickets for longer than 7 days, regardless
702  //of the ticket_lifetime value (refer to RFC 8446, section 4.6.1)
703  context->ticketLifetime = MIN(context->ticketLifetime,
705 
706  //Random value used to obscure the age of the ticket
707  context->ticketAgeAdd = ntohl(message->ticketAgeAdd);
708 
709  //The sole extension currently defined for NewSessionTicket is
710  //EarlyData indicating that the ticket may be used to send 0-RTT data
711  error = tls13ParseServerEarlyDataExtension(context,
712  TLS_TYPE_NEW_SESSION_TICKET, extensions.earlyDataIndication);
713  //Any error to report?
714  if(error)
715  return error;
716 
717  //The hash function used by HKDF is the cipher suite hash algorithm
718  hashAlgo = context->cipherSuite.prfHashAlgo;
719  //Make sure the hash algorithm is valid
720  if(hashAlgo == NULL)
721  return ERROR_FAILURE;
722 
723  //Calculate the PSK associated with the ticket
724  error = tls13HkdfExpandLabel(hashAlgo, context->resumptionMasterSecret,
725  hashAlgo->digestSize, "resumption", message->ticketNonce,
726  message->ticketNonceLen, context->ticketPsk, hashAlgo->digestSize);
727  //Any error to report?
728  if(error)
729  return error;
730 
731  //Set the length of the PSK associated with the ticket
732  context->ticketPskLen = hashAlgo->digestSize;
733 
734  //Debug message
735  TRACE_DEBUG("Ticket PSK:\r\n");
736  TRACE_DEBUG_ARRAY(" ", context->ticketPsk, context->ticketPskLen);
737  }
738  }
739 
740  //Successful processing
741  return NO_ERROR;
742 }
743 
744 #endif
@ TLS13_KEY_EXCH_PSK
Definition: tls.h:1047
#define tlsAllocMem(size)
Definition: tls.h:757
Parsing and checking of TLS extensions.
#define TLS13_MAX_TICKET_LIFETIME
Definition: tls13_misc.h:99
TLS helper functions.
#define TRACE_INFO_ARRAY(p, a, n)
Definition: debug.h:95
uint8_t length
Definition: dtls_misc.h:149
error_t tls13ParseNewSessionTicket(TlsContext *context, const Tls13NewSessionTicket *message, size_t length)
TLS cipher suites.
error_t tls13ParseSelectedGroupExtension(TlsContext *context, const uint8_t *selectedGroup)
error_t tlsInitEncryptionEngine(TlsContext *context, TlsEncryptionEngine *encryptionEngine, TlsConnectionEnd entity, const uint8_t *secret)
Initialize encryption engine.
Definition: tls_misc.c:354
@ ERROR_WOULD_BLOCK
Definition: error.h:95
@ TLS13_KEY_EXCH_PSK_DHE
Definition: tls.h:1048
TLS handshake.
@ TLS_COMPRESSION_METHOD_NULL
Definition: tls.h:1015
@ ERROR_VERSION_NOT_SUPPORTED
Definition: error.h:67
@ ERROR_NOT_IMPLEMENTED
Definition: error.h:66
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:237
@ ERROR_UNEXPECTED_MESSAGE
Definition: error.h:192
uint8_t p
Definition: ndp.h:298
Helper functions for TLS client.
error_t tlsParseServerRecordSizeLimitExtension(TlsContext *context, const uint8_t *recordSizeLimit)
Parse RecordSizeLimit extension.
error_t tls13SendEndOfEarlyData(TlsContext *context)
__start_packed struct @100 Tls13HelloRetryRequest
HelloRetryRequest message.
error_t tls13DigestClientHello1(TlsContext *context)
#define TRUE
Definition: os_port.h:50
@ TLS_STATE_CERTIFICATE_REQUEST
Definition: tls.h:1303
size_t digestSize
Definition: crypto.h:1135
error_t tlsParseServerCertTypeExtension(TlsContext *context, const uint8_t *serverCertType)
Parse ServerCertType extension.
@ TLS_STATE_APPLICATION_DATA
Definition: tls.h:1319
@ ERROR_HANDSHAKE_FAILED
Definition: error.h:228
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
error_t tlsParseServerSniExtension(TlsContext *context, const TlsServerNameList *serverNameList)
Parse SNI extension.
uint8_t ticketNonceLen
Definition: tls13_misc.h:339
error_t tlsSendHandshakeMessage(TlsContext *context, const void *data, size_t length, TlsMessageType type)
Send handshake message.
@ TLS_TYPE_END_OF_EARLY_DATA
Definition: tls.h:937
@ TLS_HASH_ALGO_NONE
Definition: tls.h:1094
TLS 1.3 helper functions.
@ TLS_STATE_SERVER_HELLO
Definition: tls.h:1295
#define TlsContext
Definition: tls.h:36
error_t
Error codes.
Definition: error.h:42
void tlsFreeEncryptionEngine(TlsEncryptionEngine *encryptionEngine)
Release encryption engine.
Definition: tls_misc.c:592
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:829
#define TLS_VERSION_1_2
Definition: tls.h:94
@ ERROR_FAILURE
Generic error code.
Definition: error.h:45
__start_packed struct @101 Tls13EncryptedExtensions
EncryptedExtensions message.
error_t tlsSelectCipherSuite(TlsContext *context, uint16_t identifier)
Set cipher suite.
Definition: tls_misc.c:253
error_t tlsParseHelloExtensions(TlsMessageType msgType, const uint8_t *p, size_t length, TlsHelloExtensions *extensions)
Parse Hello extensions.
@ TLS_STATE_SERVER_FINISHED
Definition: tls.h:1314
#define TLS_VERSION_1_3
Definition: tls.h:95
@ TLS_TYPE_ENCRYPTED_EXTENSIONS
Definition: tls.h:939
@ TLS_STATE_SERVER_HELLO_3
Definition: tls.h:1297
error_t tlsFormatInitialClientHello(TlsContext *context)
Format initial ClientHello message.
#define TRACE_INFO(...)
Definition: debug.h:94
error_t tls13ParseServerEarlyDataExtension(TlsContext *context, TlsMessageType msgType, const uint8_t *earlyDataIndication)
#define MIN(a, b)
Definition: os_port.h:62
@ TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC
Definition: tls.h:1308
Hello extensions.
Definition: tls.h:1894
error_t tls13HkdfExpandLabel(const HashAlgo *hash, const uint8_t *secret, size_t secretLen, const char_t *label, const uint8_t *context, size_t contextLen, uint8_t *output, size_t outputLen)
Transcript hash calculation.
Formatting and parsing of extensions (TLS client)
#define ntohs(value)
Definition: cpu_endian.h:398
#define TLS13_MAX_TICKET_SIZE
Definition: tls13_misc.h:92
#define TRACE_DEBUG(...)
Definition: debug.h:106
error_t tls13FormatEndOfEarlyData(TlsContext *context, Tls13EndOfEarlyData *message, size_t *length)
@ ERROR_TIMEOUT
Definition: error.h:94
@ TLS13_KEY_EXCH_PSK_ECDHE
Definition: tls.h:1049
@ TLS_STATE_CLIENT_HELLO_2
Definition: tls.h:1291
@ TLS_STATE_CLOSING
Definition: tls.h:1320
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:107
const char_t * tlsGetCipherSuiteName(uint16_t identifier)
Convert cipher suite identifier to string representation.
error_t tls13ParseServerSupportedVersionsExtension(TlsContext *context, const uint8_t *selectedVersion)
error_t tlsParseClientCertTypeExtension(TlsContext *context, const uint8_t *clientCertType)
Parse ClientCertType extension.
uint8_t n
uint8_t extensions[]
Definition: tls13_misc.h:327
uint16_t cipherSuite
Cipher suite identifier.
Definition: tls13_misc.h:372
HKDF (HMAC-based Key Derivation Function)
bool_t tls13IsPskValid(TlsContext *context)
@ TLS_STATE_ENCRYPTED_EXTENSIONS
Definition: tls.h:1299
__start_packed struct @86 TlsServerHello
ServerHello message.
bool_t tls13IsTicketValid(TlsContext *context)
error_t tlsInitTranscriptHash(TlsContext *context)
Initialize handshake message hashing.
@ TLS_CONNECTION_END_CLIENT
Definition: tls.h:861
error_t tls13ParseCookieExtension(TlsContext *context, const Tls13Cookie *cookie)
Formatting and parsing of extensions (TLS 1.3 client)
uint8_t message[]
Definition: chap.h:152
TLS (Transport Layer Security)
__start_packed struct @102 Tls13NewSessionTicket
NewSessionTicket message (TLS 1.3)
void * Tls13EndOfEarlyData
EndOfEarlyData message.
Definition: tls13_misc.h:317
@ TLS_TRANSPORT_PROTOCOL_STREAM
Definition: tls.h:850
error_t tls13ParseEncryptedExtensions(TlsContext *context, const Tls13EncryptedExtensions *message, size_t length)
error_t tlsCheckHelloExtensions(TlsMessageType msgType, uint16_t version, TlsHelloExtensions *extensions)
Check Hello extensions.
TLS 1.3 key schedule.
Common interface for hash algorithms.
Definition: crypto.h:1128
error_t tlsParseServerAlpnExtension(TlsContext *context, const TlsProtocolNameList *protocolNameList)
Parse ALPN extension.
const char_t * tlsGetVersionName(uint16_t version)
Convert TLS version to string representation.
Definition: tls_misc.c:788
@ TLS_TYPE_NEW_SESSION_TICKET
Definition: tls.h:936
@ ERROR_DECODING_FAILED
Definition: error.h:235
@ TLS_TYPE_HELLO_RETRY_REQUEST
Definition: tls.h:938
__start_packed struct @104 Tls13Ticket
Session ticket.
#define PRIuSIZE
Definition: compiler_port.h:78
#define LOAD16BE(p)
Definition: cpu_endian.h:170
#define tlsFreeMem(p)
Definition: tls.h:762
@ TLS_STATE_CLIENT_FINISHED
Definition: tls.h:1310
error_t tlsParseServerMaxFragLenExtension(TlsContext *context, const uint8_t *maxFragLen)
Parse MaxFragmentLength extension.
Handshake message processing (TLS 1.3 client)
#define ntohl(value)
Definition: cpu_endian.h:399
@ NO_ERROR
Success.
Definition: error.h:44
error_t tls13ParseHelloRetryRequest(TlsContext *context, const Tls13HelloRetryRequest *message, size_t length)
Debugging facilities.
void tlsFreeTranscriptHash(TlsContext *context)
Release transcript hash context.
systime_t osGetSystemTime(void)
Retrieve system time.