tls13_client_extensions.c
Go to the documentation of this file.
1 /**
2  * @file tls13_client_extensions.c
3  * @brief Formatting and parsing of extensions (TLS 1.3 client)
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneSSL Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @author Oryx Embedded SARL (www.oryx-embedded.com)
26  * @version 1.9.0
27  **/
28 
29 //Switch to the appropriate trace level
30 #define TRACE_LEVEL TLS_TRACE_LEVEL
31 
32 //Dependencies
33 #include <string.h>
34 #include "tls.h"
35 #include "tls_misc.h"
37 #include "debug.h"
38 
39 //Check TLS library configuration
40 #if (TLS_SUPPORT == ENABLED && TLS_CLIENT_SUPPORT == ENABLED && \
41  TLS_MAX_VERSION >= TLS_VERSION_1_3)
42 
43 
44 /**
45  * @brief Format Cookie extension
46  * @param[in] context Pointer to the TLS context
47  * @param[in] p Output stream where to write the Cookie extension
48  * @param[out] written Total number of bytes that have been written
49  * @return Error code
50  **/
51 
53  size_t *written)
54 {
55  size_t n;
56  TlsExtension *extension;
58 
59  //Initialize length field
60  n = 0;
61 
62  //When sending a HelloRetryRequest, the server may provide a Cookie
63  //extension to the client
64  if(context->cookieLen > 0)
65  {
66  //Add the Cookie extension
67  extension = (TlsExtension *) p;
68  //Type of the extension
69  extension->type = HTONS(TLS_EXT_COOKIE);
70 
71  //Point to the extension data field
72  cookie = (Tls13Cookie *) extension->value;
73 
74  //When sending the new ClientHello, the client must copy the contents
75  //of the Cookie extension received in the HelloRetryRequest
76  memcpy(cookie->value, context->cookie, context->cookieLen);
77 
78  //Set the length of the cookie
79  cookie->length = ntohs(context->cookieLen);
80 
81  //Consider the 2-byte length field that precedes the cookie
82  n = sizeof(Tls13Cookie) + context->cookieLen;
83  //Fix the length of the extension
84  extension->length = htons(n);
85 
86  //Compute the length, in bytes, of the Cookie extension
87  n += sizeof(TlsExtension);
88  }
89 
90  //Total number of bytes that have been written
91  *written = n;
92 
93  //Successful processing
94  return NO_ERROR;
95 }
96 
97 
98 /**
99  * @brief Format KeyShare extension (ClientHello message)
100  * @param[in] context Pointer to the TLS context
101  * @param[in] p Output stream where to write the KeyShare extension
102  * @param[out] written Total number of bytes that have been written
103  * @return Error code
104  **/
105 
107  uint8_t *p, size_t *written)
108 {
109  size_t n = 0;
110 
111 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_ECDHE_KE_SUPPORT == ENABLED || \
112  TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
113  error_t error;
114  TlsExtension *extension;
115  Tls13KeyShareList *keyShareList;
116  Tls13KeyShareEntry *keyShareEntry;
117 
118  //Add the KeyShare extension
119  extension = (TlsExtension *) p;
120  //Type of the extension
121  extension->type = HTONS(TLS_EXT_KEY_SHARE);
122 
123  //The extension contains a list of offered KeyShareEntry values in
124  //descending order of client preference
125  keyShareList = (Tls13KeyShareList *) extension->value;
126 
127  //Point to the KeyShareEntry
128  keyShareEntry = (Tls13KeyShareEntry *) keyShareList->value;
129 
130 #if (TLS13_ECDHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
131  //Elliptic curve group?
132  if(tls13IsEcdheGroupSupported(context, context->namedGroup))
133  {
134  //Specify the named group for the key being exchanged
135  keyShareEntry->group = htons(context->namedGroup);
136 
137  //ECDHE parameters are encoded in the opaque key_exchange field of
138  //the KeyShareEntry
139  error = ecExport(&context->ecdhContext.params,
140  &context->ecdhContext.qa, keyShareEntry->keyExchange, &n);
141  //Any error to report?
142  if(error)
143  return error;
144 
145  //Set the length of the key_exchange field
146  keyShareEntry->length = htons(n);
147 
148  //Compute the length of the KeyShareEntry
149  n += sizeof(Tls13KeyShareEntry);
150  }
151  else
152 #endif
153 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED)
154  //Finite field group?
155  if(tls13IsFfdheGroupSupported(context, context->namedGroup))
156  {
157 #if (TLS_FFDHE_SUPPORT == ENABLED)
158  //Specify the named group for the key being exchanged
159  keyShareEntry->group = htons(context->namedGroup);
160 
161  //Retrieve the length of the modulus
162  n = mpiGetByteLength(&context->dhContext.params.p);
163 
164  //Diffie-Hellman parameters are encoded in the opaque key_exchange field
165  //of the KeyShareEntry
166  error = mpiExport(&context->dhContext.ya,
167  keyShareEntry->keyExchange, n, MPI_FORMAT_BIG_ENDIAN);
168  //Any error to report?
169  if(error)
170  return error;
171 
172  //Set the length of the key_exchange field
173  keyShareEntry->length = htons(n);
174 
175  //Compute the length of the KeyShareEntry
176  n += sizeof(Tls13KeyShareEntry);
177 #endif
178  }
179  else
180 #endif
181  //Unknown group?
182  {
183  //Clients may send an empty client_shares vector in order to request group
184  //selection from the server, at the cost of an additional round trip
185  }
186 
187  //Fix the length of the list of offered key shares
188  keyShareList->length = htons(n);
189 
190  //Consider the 2-byte length field that precedes the list
191  n += sizeof(Tls13KeyShareList);
192  //Fix the length of the extension
193  extension->length = htons(n);
194 
195  //Compute the length, in bytes, of the KeyShare extension
196  n += sizeof(TlsExtension);
197 #endif
198 
199  //Total number of bytes that have been written
200  *written = n;
201 
202  //Successful processing
203  return NO_ERROR;
204 }
205 
206 
207 /**
208  * @brief Format PskKeyExchangeModes extension
209  * @param[in] context Pointer to the TLS context
210  * @param[in] p Output stream where to write the PskKeyExchangeModes extension
211  * @param[out] written Total number of bytes that have been written
212  * @return Error code
213  **/
214 
216  uint8_t *p, size_t *written)
217 {
218  size_t n = 0;
219 
220 #if (TLS13_PSK_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED || \
221  TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
222  TlsExtension *extension;
223  Tls13PskKeModeList *pskKeModeList;
224 
225  //Add the PskKeyExchangeModes extension
226  extension = (TlsExtension *) p;
227  //Type of the extension
228  extension->type = HTONS(TLS_EXT_PSK_KEY_EXCHANGE_MODES);
229 
230  //Point to the extension data field
231  pskKeModeList = (Tls13PskKeModeList *) extension->value;
232  //The extension contains a list of supported PSK key exchange modes
233  n = 0;
234 
236  //PSK with (EC)DHE key establishment
237  pskKeModeList->value[n++] = TLS_PSK_KEY_EXCH_MODE_PSK_DHE_KE;
238 #endif
239 #if (TLS13_PSK_KE_SUPPORT == ENABLED)
240  //PSK-only key establishment
241  pskKeModeList->value[n++] = TLS_PSK_KEY_EXCH_MODE_PSK_KE;
242 #endif
243 
244  //Fix the length of the list
245  pskKeModeList->length = (uint8_t) n;
246 
247  //Consider the length field that precedes the list
248  n += sizeof(Tls13PskKeModeList);
249  //Fix the length of the extension
250  extension->length = htons(n);
251 
252  //Compute the length, in bytes, of the PskKeyExchangeModes extension
253  n += sizeof(TlsExtension);
254 #endif
255 
256  //Total number of bytes that have been written
257  *written = n;
258 
259  //Successful processing
260  return NO_ERROR;
261 }
262 
263 
264 /**
265  * @brief Format PreSharedKey extension
266  * @param[in] context Pointer to the TLS context
267  * @param[in] p Output stream where to write the PreSharedKey extension
268  * @param[out] written Total number of bytes that have been written
269  * @param[out] identityList Pointer to the list of the identities that the
270  * client is willing to negotiate with the server
271  * @param[out] binderList Pointer to the list of HMAC values, one for each PSK
272  * offered in the PreSharedKey extension
273  * @return Error code
274  **/
275 
277  uint8_t *p, size_t *written, Tls13PskIdentityList **identityList,
278  Tls13PskBinderList **binderList)
279 {
280  size_t n = 0;
281 
282 #if (TLS13_PSK_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED || \
283  TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
284  //Check whether the client is attempting a PSK key establishment
285  if(tls13IsPskValid(context) || tls13IsTicketValid(context))
286  {
287  error_t error;
288  size_t m;
289  uint16_t cipherSuite;
290  uint32_t ticketAge;
291  TlsExtension *extension;
292  TlsPskIdentity *pskIdentity;
293  Tls13PskBinder *pskBinder;
294  const HashAlgo *hashAlgo;
295 
296  //Add the PreSharedKey extension
297  extension = (TlsExtension *) p;
298  //Type of the extension
299  extension->type = HTONS(TLS_EXT_PRE_SHARED_KEY);
300 
301  //Point to the extension data field
302  *identityList = (Tls13PskIdentityList *) extension->value;
303  //Point to the first PskIdentity entry of the list
304  pskIdentity = (TlsPskIdentity *) (*identityList)->value;
305 
306  //Although PSKs can be established out of band, PSKs can also be
307  //established in a previous connection
308  if(tls13IsPskValid(context))
309  {
310  //Retrieve the length of the PSK identity
311  n = strlen(context->pskIdentity);
312  //Copy PSK identity
313  memcpy(pskIdentity->value, context->pskIdentity, n);
314 
315  //For externally established PSKs, the hash algorithm must be set when
316  //the PSK is established or default to SHA-256 if no such algorithm is
317  //defined
318  hashAlgo = tlsGetHashAlgo(context->pskHashAlgo);
319 
320  //Retrieve the cipher suite associated with the PSK, if any
321  cipherSuite = context->pskCipherSuite;
322 
323  //For PSK identities established externally, an obfuscated_ticket_age
324  //of 0 should be used (refer to RFC 8446, section 4.2.11)
325  ticketAge = 0;
326  }
327  else if(tls13IsTicketValid(context))
328  {
329  //Retrieve the length of the session ticket
330  n = context->ticketLen;
331  //Copy session ticket
332  memcpy(pskIdentity->value, context->ticket, n);
333 
334  //Each PSK is associated with a single hash algorithm. For PSKs
335  //established via the ticket mechanism, this is the KDF hash algorithm
336  //on the connection where the ticket was established
337  hashAlgo = tlsGetHashAlgo(context->ticketHashAlgo);
338 
339  //Retrieve the cipher suite associated with the ticket
340  cipherSuite = context->ticketCipherSuite;
341 
342  //The client's view of the age of a ticket is the time since the
343  //receipt of the NewSessionTicket message
344  ticketAge = context->timestamp - context->ticketTimestamp;
345 
346  //The obfuscated_ticket_age field contains an obfuscated version of
347  //the ticket age formed by taking the age in milliseconds and adding
348  //the ticket_age_add value that was included with the ticket
349  ticketAge += context->ticketAgeAdd;
350  }
351  else
352  {
353  //Just for sanity
354  return ERROR_FAILURE;
355  }
356 
357  //Valid cipher suite provisioned?
358  if(cipherSuite != 0)
359  {
360  //Restore the cipher suite associated with the PSK
361  error = tlsSelectCipherSuite(context, cipherSuite);
362  //Any error to report?
363  if(error)
364  return error;
365  }
366  else
367  {
368  //Make sure the hash algorithm is valid
369  if(hashAlgo == NULL)
370  return ERROR_FAILURE;
371 
372  //Restore the hash algorithm associated with the PSK
373  context->cipherSuite.prfHashAlgo = hashAlgo;
374  }
375 
376  //Fix the length of the PSK identity
377  pskIdentity->length = htons(n);
378  //Consider the length field that precedes the PSK identity
379  n += sizeof(TlsPskIdentity);
380 
381  //The obfuscated_ticket_age field is a 32-bit unsigned integer
382  STORE32BE(ticketAge, (uint8_t *) pskIdentity + n);
383  //Compute the length of the PskIdentity entry
384  n += sizeof(uint32_t);
385 
386  //Fix the length of the list of PSK identities
387  (*identityList)->length = htons(n);
388  //Consider the 2-byte length field that precedes the list
389  n += sizeof(Tls13PskIdentityList);
390 
391  //Point to the list of PSK binders
392  *binderList = (Tls13PskBinderList *) ((uint8_t *) *identityList + n);
393  //Point to the first PskBinderEntry of the list
394  pskBinder = (Tls13PskBinder *) (*binderList)->value;
395 
396  //The PSK binder consists of Hash.length bytes
397  m = hashAlgo->digestSize;
398  //The value of the PSK binder will be calculated in a second step
399  memset(pskBinder->value, 0, m);
400 
401  //Fix the length of the PSK binder
402  pskBinder->length = (uint8_t) m;
403  //Consider the length field that precedes the PSK binder
404  m += sizeof(Tls13PskBinder);
405 
406  //Fix the length of the list of PSK binders
407  (*binderList)->length = htons(m);
408  //Consider the 2-byte length field that precedes the list
409  n += sizeof(Tls13PskBinderList) + m;
410 
411  //Fix the length of the extension
412  extension->length = htons(n);
413  //Compute the length, in bytes, of the PreSharedKey extension
414  n += sizeof(TlsExtension);
415  }
416  else
417 #endif
418  {
419  //PSK key establishment is not used
420  *identityList = NULL;
421  *binderList = NULL;
422  }
423 
424  //Total number of bytes that have been written
425  *written = n;
426 
427  //Successful processing
428  return NO_ERROR;
429 }
430 
431 
432 /**
433  * @brief Format EarlyData extension
434  * @param[in] context Pointer to the TLS context
435  * @param[in] p Output stream where to write the EarlyData extension
436  * @param[out] written Total number of bytes that have been written
437  * @return Error code
438  **/
439 
441  uint8_t *p, size_t *written)
442 {
443  size_t n = 0;
444 
445 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
446  //If the client opts to send application data in its first flight of
447  //messages, it must supply both the PreSharedKey and EarlyData extensions
448  if(context->earlyDataEnabled && !context->earlyDataRejected)
449  {
450  TlsExtension *extension;
451 
452  //Add the EarlyData extension
453  extension = (TlsExtension *) p;
454  //Type of the extension
455  extension->type = HTONS(TLS_EXT_EARLY_DATA);
456 
457  //The extension data field of this extension is empty
458  extension->length = HTONS(0);
459 
460  //Compute the length, in bytes, of the EarlyData extension
461  n = sizeof(TlsExtension);
462  }
463 #endif
464 
465  //Total number of bytes that have been written
466  *written = n;
467 
468  //Successful processing
469  return NO_ERROR;
470 }
471 
472 
473 /**
474  * @brief Parse SupportedVersions extension
475  * @param[in] context Pointer to the TLS context
476  * @param[in] selectedVersion Pointer to the SupportedVersions extension
477  * @return Error code
478  **/
479 
481  const uint8_t *selectedVersion)
482 {
483  error_t error;
484  uint16_t version;
485 
486  //The extension contains the selected version value
487  version = LOAD16BE(selectedVersion);
488 
489  //If the SupportedVersions extension contains a version prior to TLS 1.3,
490  //the client must abort the handshake with an illegal_parameter alert
493 
494  //Debug message
495  TRACE_INFO(" selectedVersion = 0x%04" PRIX16 " (%s)\r\n",
497 
498  //Set the TLS version to be used
499  error = tlsSelectVersion(context, version);
500  //Specified TLS/DTLS version not supported?
501  if(error)
502  return error;
503 
504  //Successful processing
505  return NO_ERROR;
506 }
507 
508 
509 /**
510  * @brief Parse Cookie extension
511  * @param[in] context Pointer to the TLS context
512  * @param[in] cookie Pointer to the Cookie extension
513  * @return Error code
514  **/
515 
517  const Tls13Cookie *cookie)
518 {
519  //Cookie extension found?
520  if(cookie != NULL)
521  {
522  size_t n;
523 
524  //Retrieve the length of the cookie
525  n = ntohs(cookie->length);
526 
527  //Clients must abort the handshake with an illegal_parameter alert if the
528  //HelloRetryRequest would not result in any change in the ClientHello
529  if(n == 0)
531 
532  //Check the length of the cookie
535 
536  //Sanity check
537  if(context->cookie != NULL)
538  {
539  //Release memory
540  tlsFreeMem(context->cookie);
541  context->cookie = NULL;
542  context->cookieLen = 0;
543  }
544 
545  //Allocate a memory block to store the cookie
546  context->cookie = tlsAllocMem(n);
547  //Failed to allocate memory?
548  if(context->cookie == NULL)
549  return ERROR_OUT_OF_MEMORY;
550 
551  //Save cookie
552  memcpy(context->cookie, cookie->value, n);
553  context->cookieLen = n;
554  }
555 
556  //Successful processing
557  return NO_ERROR;
558 }
559 
560 
561 /**
562  * @brief Parse KeyShare extension (HelloRetryRequest message)
563  * @param[in] context Pointer to the TLS context
564  * @param[in] selectedGroup Pointer to the KeyShare extension
565  * @return Error code
566  **/
567 
569  const uint8_t *selectedGroup)
570 {
571  error_t error;
572 
573  //Initialize status code
574  error = NO_ERROR;
575 
576 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_ECDHE_KE_SUPPORT == ENABLED || \
577  TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
578  //KeyShare extension found?
579  if(selectedGroup != NULL)
580  {
581  uint16_t namedGroup;
582 
583  //The KeyShare extension contains the mutually supported group the server
584  //intends to negotiate
585  namedGroup = LOAD16BE(selectedGroup);
586 
587  //Check whether the server has selected a different ECDHE or FFDHE group
588  if(namedGroup != context->namedGroup)
589  {
590  //Generate an ephemeral key pair
591  error = tls13GenerateKeyShare(context, namedGroup);
592  }
593  }
594 #else
595  //KeyShare extension found?
596  if(selectedGroup != NULL)
597  {
598  //If a client receives an extension type that it did not request in the
599  //ClientHello, it must abort the handshake with an unsupported_extension
600  //fatal alert
602  }
603 #endif
604 
605  //Return status code
606  return error;
607 }
608 
609 
610 /**
611  * @brief Parse KeyShare extension (ServerHello message)
612  * @param[in] context Pointer to the TLS context
613  * @param[in] serverShare Pointer to the KeyShare extension
614  * @return Error code
615  **/
616 
618  const Tls13KeyShareEntry *serverShare)
619 {
620 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_ECDHE_KE_SUPPORT == ENABLED || \
621  TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
622  //If using (EC)DHE key establishment, servers offer exactly one KeyShareEntry
623  //in the ServerHello
624  if(serverShare != NULL)
625  {
626  error_t error;
627  uint16_t namedGroup;
628 
629  //Convert the selected NamedGroup to host byte order
630  namedGroup = ntohs(serverShare->group);
631 
632  //Elliptic curve group?
633  if(tls13IsEcdheGroupSupported(context, namedGroup))
634  {
635  //ECDHE key exchange mechanism provides forward secrecy
636  context->keyExchMethod = TLS13_KEY_EXCH_ECDHE;
637  }
638  //Finite field group?
639  else if(tls13IsFfdheGroupSupported(context, namedGroup))
640  {
641  //DHE key exchange mechanism provides forward secrecy
642  context->keyExchMethod = TLS13_KEY_EXCH_DHE;
643  }
644  //Unknown group?
645  else
646  {
647  //Servers must not send a KeyShareEntry for any group not indicated
648  //in the client's SupportedGroups extension
650  }
651 
652  //The client must verify that the selected NamedGroup in the ServerHello
653  //is the same as that in the HelloRetryRequest
654  if(namedGroup != context->namedGroup)
656 
657  //Compute (EC)DHE shared secret
658  error = tls13GenerateSharedSecret(context, serverShare->keyExchange,
659  ntohs(serverShare->length));
660  //Any error to report?
661  if(error)
662  return error;
663  }
664  else
665  {
666  //PSKs can be used alone, at the cost of losing forward secrecy for
667  //the application data
668  context->keyExchMethod = TLS_KEY_EXCH_NONE;
669  }
670 #else
671  //KeyShareEntry extension found?
672  if(serverShare != NULL)
673  {
674  //If a client receives an extension type that it did not request in the
675  //ClientHello, it must abort the handshake with an unsupported_extension
676  //fatal alert
678  }
679  else
680  {
681  //Perform a PSK handshake if possible
682  context->keyExchMethod = TLS_KEY_EXCH_NONE;
683  }
684 #endif
685 
686  //Successful processing
687  return NO_ERROR;
688 }
689 
690 
691 /**
692  * @brief Parse PreSharedKey extension
693  * @param[in] context Pointer to the TLS context
694  * @param[in] selectedIdentity Pointer to the PreSharedKey extension
695  * @return Error code
696  **/
697 
699  const uint8_t *selectedIdentity)
700 {
701  //Reset the server's selected_identity to its default value
702  context->selectedIdentity = -1;
703 
704 #if (TLS13_PSK_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED || \
705  TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
706  //PreSharedKey extension found?
707  if(selectedIdentity != NULL)
708  {
709  const HashAlgo *hashAlgo;
710 
711  //If a client receives an extension type that it did not request in the
712  //ClientHello, it must abort the handshake with an unsupported_extension
713  //fatal alert
714  if(!tls13IsPskValid(context) && !tls13IsTicketValid(context))
716 
717  //In order to accept PSK key establishment, the server sends a
718  //PreSharedKey extension indicating the selected identity
719  context->selectedIdentity = LOAD16BE(selectedIdentity);
720 
721  //Clients must verify that the server's selected_identity is within the
722  //range supplied by the client (refer to RFC 8446, section 4.2.11)
723  if(context->selectedIdentity != 0)
725 
726  //Point to the cipher suite hash algorithm
727  hashAlgo = context->cipherSuite.prfHashAlgo;
728  //Make sure the hash algorithm is valid
729  if(hashAlgo == NULL)
730  return ERROR_FAILURE;
731 
732  //Clients must also verify that the server has selected a cipher suite
733  //indicating a hash algorithm associated with the PSK
734  if(tls13IsPskValid(context))
735  {
736  //PSK incompatible with the selected cipher suite?
737  if(tlsGetHashAlgo(context->pskHashAlgo) != hashAlgo)
739  }
740  else if(tls13IsTicketValid(context))
741  {
742  //PSK incompatible with the selected cipher suite?
743  if(tlsGetHashAlgo(context->ticketHashAlgo) != hashAlgo)
745  }
746  else
747  {
748  //Just for sanity
749  }
750 
751  //PSKs can be used with (EC)DHE key exchange in order to provide forward
752  //secrecy in combination with shared keys, or can be used alone, at the
753  //cost of losing forward secrecy for the application data
754 #if (TLS13_PSK_KE_SUPPORT == ENABLED)
755  if(context->keyExchMethod == TLS_KEY_EXCH_NONE)
756  context->keyExchMethod = TLS13_KEY_EXCH_PSK;
757 #endif
758 #if (TLS13_PSK_DHE_KE_SUPPORT == ENABLED)
759  if(context->keyExchMethod == TLS13_KEY_EXCH_DHE)
760  context->keyExchMethod = TLS13_KEY_EXCH_PSK_DHE;
761 #endif
762 #if (TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
763  if(context->keyExchMethod == TLS13_KEY_EXCH_ECDHE)
764  context->keyExchMethod = TLS13_KEY_EXCH_PSK_ECDHE;
765 #endif
766  }
767 #else
768  //PreSharedKey extension found?
769  if(selectedIdentity != NULL)
770  {
771  //If a client receives an extension type that it did not request in the
772  //ClientHello, it must abort the handshake with an unsupported_extension
773  //fatal alert
775  }
776 #endif
777 
778  //Successful processing
779  return NO_ERROR;
780 }
781 
782 
783 /**
784  * @brief Parse EarlyData extension
785  * @param[in] msgType Handshake message type
786  * @param[in] context Pointer to the TLS context
787  * @param[in] earlyDataIndication Pointer to the EarlyData extension
788  * @return Error code
789  **/
790 
792  TlsMessageType msgType, const uint8_t *earlyDataIndication)
793 {
794 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
795  //The extension may appear in EncryptedExtensions and NewSessionTicket
796  //messages
798  {
799  //EarlyData extension found?
800  if(earlyDataIndication != NULL)
801  {
802  //If a client receives an extension type that it did not request in the
803  //ClientHello, it must abort the handshake with an unsupported_extension
804  //fatal alert
805  if(!context->earlyDataEnabled || context->earlyDataRejected)
807 
808  //If the server has supplied an EarlyData extension, the client must
809  //verify that the server's selected_identity is 0. If any other value
810  //is returned, it must abort the handshake with an illegal_parameter
811  //fatal alert
812  if(context->selectedIdentity != 0)
814 
815  //A valid EarlyData extension has been received
816  context->earlyDataExtReceived = TRUE;
817  }
818  else
819  {
820  //The EncryptedExtensions message does not contain any EarlyData
821  //extension
822  context->earlyDataExtReceived = FALSE;
823  }
824  }
826  {
827  //The extension contains the maximum amount of 0-RTT data that the client
828  //is allowed to send
829  if(earlyDataIndication != NULL)
830  context->maxEarlyDataSize = LOAD32BE(earlyDataIndication);
831  else
832  context->maxEarlyDataSize = 0;
833  }
834  else
835  {
836  //Just for sanity
837  }
838 #else
839  //Check message type
841  {
842  //EarlyData extension found?
843  if(earlyDataIndication != NULL)
844  {
845  //If a client receives an extension type that it did not request in the
846  //ClientHello, it must abort the handshake with an unsupported_extension
847  //fatal alert
849  }
850  }
852  {
853  //Early data is not implemented
854  context->maxEarlyDataSize = 0;
855  }
856  else
857  {
858  //Just for sanity
859  }
860 #endif
861 
862  //Successful processing
863  return NO_ERROR;
864 }
865 
866 #endif
TLS (Transport Layer Security)
uint16_t version
Definition: dtls_misc.h:163
__start_packed struct @95 Tls13KeyShareEntry
Key share entry.
Formatting and parsing of extensions (TLS 1.3 client)
TlsMessageType
Handshake message type.
Definition: tls.h:926
error_t tlsSelectVersion(TlsContext *context, uint16_t version)
Set the TLS version to be used.
Definition: tls_misc.c:219
bool_t tls13IsTicketValid(TlsContext *context)
error_t tls13ParseSelectedGroupExtension(TlsContext *context, const uint8_t *selectedGroup)
error_t tls13GenerateKeyShare(TlsContext *context, uint16_t namedGroup)
Debugging facilities.
#define tlsFreeMem(p)
Definition: tls.h:760
uint8_t p
Definition: ndp.h:295
Generic error code.
Definition: error.h:43
error_t tls13FormatClientKeyShareExtension(TlsContext *context, uint8_t *p, size_t *written)
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:836
error_t tls13ParseServerSupportedVersionsExtension(TlsContext *context, const uint8_t *selectedVersion)
#define TLS_VERSION_1_3
Definition: tls.h:90
error_t tls13ParseCookieExtension(TlsContext *context, const Tls13Cookie *cookie)
#define LOAD32BE(p)
Definition: cpu_endian.h:192
#define htons(value)
Definition: cpu_endian.h:390
uint8_t m
Definition: ndp.h:299
__start_packed struct @100 Tls13PskBinder
PSK binder.
#define HTONS(value)
Definition: cpu_endian.h:388
error_t tls13FormatPskKeModesExtension(TlsContext *context, uint8_t *p, size_t *written)
#define ENABLED
Definition: os_port.h:35
__start_packed struct @97 Tls13PskKeModeList
List of PSK key exchange modes.
#define TRUE
Definition: os_port.h:48
__start_packed struct @101 Tls13PskBinderList
List of PSK binders.
TLS helper functions.
#define STORE32BE(a, p)
Definition: cpu_endian.h:268
__start_packed struct @68 TlsExtension
TLS extension.
#define ntohs(value)
Definition: cpu_endian.h:396
#define TLS13_PSK_DHE_KE_SUPPORT
Definition: tls13_misc.h:55
bool_t tls13IsFfdheGroupSupported(TlsContext *context, uint16_t namedGroup)
#define TLS13_PSK_ECDHE_KE_SUPPORT
Definition: tls13_misc.h:62
error_t tls13ParseServerKeyShareExtension(TlsContext *context, const Tls13KeyShareEntry *serverShare)
#define LOAD16BE(p)
Definition: cpu_endian.h:168
__start_packed struct @79 TlsPskIdentity
PSK identity.
uint16_t cipherSuite
Cipher suite identifier.
Definition: tls13_misc.h:367
#define TRACE_INFO(...)
Definition: debug.h:86
uint8_t cookie[]
Definition: dtls_misc.h:194
error_t tls13ParseServerPreSharedKeyExtension(TlsContext *context, const uint8_t *selectedIdentity)
error_t ecExport(const EcDomainParameters *params, const EcPoint *a, uint8_t *data, size_t *length)
Convert an EC point to an octet string.
Definition: ec.c:281
Success.
Definition: error.h:42
error_t tlsSelectCipherSuite(TlsContext *context, uint16_t identifier)
Set cipher suite.
Definition: tls_misc.c:247
const char_t * tlsGetVersionName(uint16_t version)
Convert TLS version to string representation.
Definition: tls_misc.c:795
error_t
Error codes.
Definition: error.h:40
#define TLS13_MAX_COOKIE_SIZE
Definition: tls13_misc.h:83
error_t mpiExport(const Mpi *a, uint8_t *data, uint_t length, MpiFormat format)
Integer to octet string conversion.
Definition: mpi.c:596
bool_t tls13IsPskValid(TlsContext *context)
__start_packed struct @99 Tls13PskIdentityList
List of PSK identities.
error_t tls13ParseServerEarlyDataExtension(TlsContext *context, TlsMessageType msgType, const uint8_t *earlyDataIndication)
__start_packed struct @94 Tls13Cookie
Cookie.
error_t tls13GenerateSharedSecret(TlsContext *context, const uint8_t *keyShare, size_t length)
error_t tls13FormatClientPreSharedKeyExtension(TlsContext *context, uint8_t *p, size_t *written, Tls13PskIdentityList **identityList, Tls13PskBinderList **binderList)
#define tlsAllocMem(size)
Definition: tls.h:755
__start_packed struct @96 Tls13KeyShareList
List of key shares.
size_t digestSize
Definition: crypto.h:1061
Common interface for hash algorithms.
Definition: crypto.h:1054
uint8_t n
error_t tls13FormatCookieExtension(TlsContext *context, uint8_t *p, size_t *written)
uint8_t msgType
Definition: dtls_misc.h:177
uint_t mpiGetByteLength(const Mpi *a)
Get the actual length in bytes.
Definition: mpi.c:154
#define FALSE
Definition: os_port.h:44
#define TlsContext
Definition: tls.h:34
error_t tls13FormatClientEarlyDataExtension(TlsContext *context, uint8_t *p, size_t *written)
bool_t tls13IsEcdheGroupSupported(TlsContext *context, uint16_t namedGroup)