tls13_client_extensions.c
Go to the documentation of this file.
1 /**
2  * @file tls13_client_extensions.c
3  * @brief Formatting and parsing of extensions (TLS 1.3 client)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 1.9.6
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include <string.h>
36 #include "tls.h"
37 #include "tls_misc.h"
39 #include "debug.h"
40 
41 //Check TLS library configuration
42 #if (TLS_SUPPORT == ENABLED && TLS_CLIENT_SUPPORT == ENABLED && \
43  TLS_MAX_VERSION >= TLS_VERSION_1_3)
44 
45 
46 /**
47  * @brief Format Cookie extension
48  * @param[in] context Pointer to the TLS context
49  * @param[in] p Output stream where to write the Cookie extension
50  * @param[out] written Total number of bytes that have been written
51  * @return Error code
52  **/
53 
55  size_t *written)
56 {
57  size_t n;
58  TlsExtension *extension;
60 
61  //Initialize length field
62  n = 0;
63 
64  //When sending a HelloRetryRequest, the server may provide a Cookie
65  //extension to the client
66  if(context->cookieLen > 0)
67  {
68  //Add the Cookie extension
69  extension = (TlsExtension *) p;
70  //Type of the extension
71  extension->type = HTONS(TLS_EXT_COOKIE);
72 
73  //Point to the extension data field
74  cookie = (Tls13Cookie *) extension->value;
75 
76  //When sending the new ClientHello, the client must copy the contents
77  //of the Cookie extension received in the HelloRetryRequest
78  memcpy(cookie->value, context->cookie, context->cookieLen);
79 
80  //Set the length of the cookie
81  cookie->length = ntohs(context->cookieLen);
82 
83  //Consider the 2-byte length field that precedes the cookie
84  n = sizeof(Tls13Cookie) + context->cookieLen;
85  //Fix the length of the extension
86  extension->length = htons(n);
87 
88  //Compute the length, in bytes, of the Cookie extension
89  n += sizeof(TlsExtension);
90  }
91 
92  //Total number of bytes that have been written
93  *written = n;
94 
95  //Successful processing
96  return NO_ERROR;
97 }
98 
99 
100 /**
101  * @brief Format KeyShare extension (ClientHello message)
102  * @param[in] context Pointer to the TLS context
103  * @param[in] p Output stream where to write the KeyShare extension
104  * @param[out] written Total number of bytes that have been written
105  * @return Error code
106  **/
107 
109  uint8_t *p, size_t *written)
110 {
111  size_t n = 0;
112 
113 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_ECDHE_KE_SUPPORT == ENABLED || \
114  TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
115  error_t error;
116  TlsExtension *extension;
117  Tls13KeyShareList *keyShareList;
118  Tls13KeyShareEntry *keyShareEntry;
119 
120  //Add the KeyShare extension
121  extension = (TlsExtension *) p;
122  //Type of the extension
123  extension->type = HTONS(TLS_EXT_KEY_SHARE);
124 
125  //The extension contains a list of offered KeyShareEntry values in
126  //descending order of client preference
127  keyShareList = (Tls13KeyShareList *) extension->value;
128 
129  //Point to the KeyShareEntry
130  keyShareEntry = (Tls13KeyShareEntry *) keyShareList->value;
131 
132 #if (TLS13_ECDHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
133  //Elliptic curve group?
134  if(tls13IsEcdheGroupSupported(context, context->namedGroup))
135  {
136  //Specify the named group for the key being exchanged
137  keyShareEntry->group = htons(context->namedGroup);
138 
139  //ECDHE parameters are encoded in the opaque key_exchange field of
140  //the KeyShareEntry
141  error = ecExport(&context->ecdhContext.params,
142  &context->ecdhContext.qa, keyShareEntry->keyExchange, &n);
143  //Any error to report?
144  if(error)
145  return error;
146 
147  //Set the length of the key_exchange field
148  keyShareEntry->length = htons(n);
149 
150  //Compute the length of the KeyShareEntry
151  n += sizeof(Tls13KeyShareEntry);
152  }
153  else
154 #endif
155 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED)
156  //Finite field group?
157  if(tls13IsFfdheGroupSupported(context, context->namedGroup))
158  {
159 #if (TLS_FFDHE_SUPPORT == ENABLED)
160  //Specify the named group for the key being exchanged
161  keyShareEntry->group = htons(context->namedGroup);
162 
163  //Retrieve the length of the modulus
164  n = mpiGetByteLength(&context->dhContext.params.p);
165 
166  //Diffie-Hellman parameters are encoded in the opaque key_exchange field
167  //of the KeyShareEntry
168  error = mpiExport(&context->dhContext.ya,
169  keyShareEntry->keyExchange, n, MPI_FORMAT_BIG_ENDIAN);
170  //Any error to report?
171  if(error)
172  return error;
173 
174  //Set the length of the key_exchange field
175  keyShareEntry->length = htons(n);
176 
177  //Compute the length of the KeyShareEntry
178  n += sizeof(Tls13KeyShareEntry);
179 #endif
180  }
181  else
182 #endif
183  //Unknown group?
184  {
185  //Clients may send an empty client_shares vector in order to request group
186  //selection from the server, at the cost of an additional round trip
187  }
188 
189  //Fix the length of the list of offered key shares
190  keyShareList->length = htons(n);
191 
192  //Consider the 2-byte length field that precedes the list
193  n += sizeof(Tls13KeyShareList);
194  //Fix the length of the extension
195  extension->length = htons(n);
196 
197  //Compute the length, in bytes, of the KeyShare extension
198  n += sizeof(TlsExtension);
199 #endif
200 
201  //Total number of bytes that have been written
202  *written = n;
203 
204  //Successful processing
205  return NO_ERROR;
206 }
207 
208 
209 /**
210  * @brief Format PskKeyExchangeModes extension
211  * @param[in] context Pointer to the TLS context
212  * @param[in] p Output stream where to write the PskKeyExchangeModes extension
213  * @param[out] written Total number of bytes that have been written
214  * @return Error code
215  **/
216 
218  uint8_t *p, size_t *written)
219 {
220  size_t n = 0;
221 
222 #if (TLS13_PSK_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED || \
223  TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
224  TlsExtension *extension;
225  Tls13PskKeModeList *pskKeModeList;
226 
227  //Add the PskKeyExchangeModes extension
228  extension = (TlsExtension *) p;
229  //Type of the extension
230  extension->type = HTONS(TLS_EXT_PSK_KEY_EXCHANGE_MODES);
231 
232  //Point to the extension data field
233  pskKeModeList = (Tls13PskKeModeList *) extension->value;
234  //The extension contains a list of supported PSK key exchange modes
235  n = 0;
236 
238  //PSK with (EC)DHE key establishment
239  pskKeModeList->value[n++] = TLS_PSK_KEY_EXCH_MODE_PSK_DHE_KE;
240 #endif
241 #if (TLS13_PSK_KE_SUPPORT == ENABLED)
242  //PSK-only key establishment
243  pskKeModeList->value[n++] = TLS_PSK_KEY_EXCH_MODE_PSK_KE;
244 #endif
245 
246  //Fix the length of the list
247  pskKeModeList->length = (uint8_t) n;
248 
249  //Consider the length field that precedes the list
250  n += sizeof(Tls13PskKeModeList);
251  //Fix the length of the extension
252  extension->length = htons(n);
253 
254  //Compute the length, in bytes, of the PskKeyExchangeModes extension
255  n += sizeof(TlsExtension);
256 #endif
257 
258  //Total number of bytes that have been written
259  *written = n;
260 
261  //Successful processing
262  return NO_ERROR;
263 }
264 
265 
266 /**
267  * @brief Format PreSharedKey extension
268  * @param[in] context Pointer to the TLS context
269  * @param[in] p Output stream where to write the PreSharedKey extension
270  * @param[out] written Total number of bytes that have been written
271  * @param[out] identityList Pointer to the list of the identities that the
272  * client is willing to negotiate with the server
273  * @param[out] binderList Pointer to the list of HMAC values, one for each PSK
274  * offered in the PreSharedKey extension
275  * @return Error code
276  **/
277 
279  uint8_t *p, size_t *written, Tls13PskIdentityList **identityList,
280  Tls13PskBinderList **binderList)
281 {
282  size_t n = 0;
283 
284 #if (TLS13_PSK_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED || \
285  TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
286  //Check whether the client is attempting a PSK key establishment
287  if(tls13IsPskValid(context) || tls13IsTicketValid(context))
288  {
289  error_t error;
290  size_t m;
291  uint16_t cipherSuite;
292  uint32_t ticketAge;
293  TlsExtension *extension;
294  TlsPskIdentity *pskIdentity;
295  Tls13PskBinder *pskBinder;
296  const HashAlgo *hashAlgo;
297 
298  //Add the PreSharedKey extension
299  extension = (TlsExtension *) p;
300  //Type of the extension
301  extension->type = HTONS(TLS_EXT_PRE_SHARED_KEY);
302 
303  //Point to the extension data field
304  *identityList = (Tls13PskIdentityList *) extension->value;
305  //Point to the first PskIdentity entry of the list
306  pskIdentity = (TlsPskIdentity *) (*identityList)->value;
307 
308  //Although PSKs can be established out of band, PSKs can also be
309  //established in a previous connection
310  if(tls13IsPskValid(context))
311  {
312  //Retrieve the length of the PSK identity
313  n = strlen(context->pskIdentity);
314  //Copy PSK identity
315  memcpy(pskIdentity->value, context->pskIdentity, n);
316 
317  //For externally established PSKs, the hash algorithm must be set when
318  //the PSK is established or default to SHA-256 if no such algorithm is
319  //defined
320  hashAlgo = tlsGetHashAlgo(context->pskHashAlgo);
321 
322  //Retrieve the cipher suite associated with the PSK, if any
323  cipherSuite = context->pskCipherSuite;
324 
325  //For PSK identities established externally, an obfuscated_ticket_age
326  //of 0 should be used (refer to RFC 8446, section 4.2.11)
327  ticketAge = 0;
328  }
329  else if(tls13IsTicketValid(context))
330  {
331  //Retrieve the length of the session ticket
332  n = context->ticketLen;
333  //Copy session ticket
334  memcpy(pskIdentity->value, context->ticket, n);
335 
336  //Each PSK is associated with a single hash algorithm. For PSKs
337  //established via the ticket mechanism, this is the KDF hash algorithm
338  //on the connection where the ticket was established
339  hashAlgo = tlsGetHashAlgo(context->ticketHashAlgo);
340 
341  //Retrieve the cipher suite associated with the ticket
342  cipherSuite = context->ticketCipherSuite;
343 
344  //The client's view of the age of a ticket is the time since the
345  //receipt of the NewSessionTicket message
346  ticketAge = context->timestamp - context->ticketTimestamp;
347 
348  //The obfuscated_ticket_age field contains an obfuscated version of
349  //the ticket age formed by taking the age in milliseconds and adding
350  //the ticket_age_add value that was included with the ticket
351  ticketAge += context->ticketAgeAdd;
352  }
353  else
354  {
355  //Just for sanity
356  return ERROR_FAILURE;
357  }
358 
359  //Valid cipher suite provisioned?
360  if(cipherSuite != 0)
361  {
362  //Restore the cipher suite associated with the PSK
363  error = tlsSelectCipherSuite(context, cipherSuite);
364  //Any error to report?
365  if(error)
366  return error;
367  }
368  else
369  {
370  //Make sure the hash algorithm is valid
371  if(hashAlgo == NULL)
372  return ERROR_FAILURE;
373 
374  //Restore the hash algorithm associated with the PSK
375  context->cipherSuite.prfHashAlgo = hashAlgo;
376  }
377 
378  //Fix the length of the PSK identity
379  pskIdentity->length = htons(n);
380  //Consider the length field that precedes the PSK identity
381  n += sizeof(TlsPskIdentity);
382 
383  //The obfuscated_ticket_age field is a 32-bit unsigned integer
384  STORE32BE(ticketAge, (uint8_t *) pskIdentity + n);
385  //Compute the length of the PskIdentity entry
386  n += sizeof(uint32_t);
387 
388  //Fix the length of the list of PSK identities
389  (*identityList)->length = htons(n);
390  //Consider the 2-byte length field that precedes the list
391  n += sizeof(Tls13PskIdentityList);
392 
393  //Point to the list of PSK binders
394  *binderList = (Tls13PskBinderList *) ((uint8_t *) *identityList + n);
395  //Point to the first PskBinderEntry of the list
396  pskBinder = (Tls13PskBinder *) (*binderList)->value;
397 
398  //The PSK binder consists of Hash.length bytes
399  m = hashAlgo->digestSize;
400  //The value of the PSK binder will be calculated in a second step
401  memset(pskBinder->value, 0, m);
402 
403  //Fix the length of the PSK binder
404  pskBinder->length = (uint8_t) m;
405  //Consider the length field that precedes the PSK binder
406  m += sizeof(Tls13PskBinder);
407 
408  //Fix the length of the list of PSK binders
409  (*binderList)->length = htons(m);
410  //Consider the 2-byte length field that precedes the list
411  n += sizeof(Tls13PskBinderList) + m;
412 
413  //Fix the length of the extension
414  extension->length = htons(n);
415  //Compute the length, in bytes, of the PreSharedKey extension
416  n += sizeof(TlsExtension);
417  }
418  else
419 #endif
420  {
421  //PSK key establishment is not used
422  *identityList = NULL;
423  *binderList = NULL;
424  }
425 
426  //Total number of bytes that have been written
427  *written = n;
428 
429  //Successful processing
430  return NO_ERROR;
431 }
432 
433 
434 /**
435  * @brief Format EarlyData extension
436  * @param[in] context Pointer to the TLS context
437  * @param[in] p Output stream where to write the EarlyData extension
438  * @param[out] written Total number of bytes that have been written
439  * @return Error code
440  **/
441 
443  uint8_t *p, size_t *written)
444 {
445  size_t n = 0;
446 
447 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
448  //If the client opts to send application data in its first flight of
449  //messages, it must supply both the PreSharedKey and EarlyData extensions
450  if(context->earlyDataEnabled && !context->earlyDataRejected)
451  {
452  TlsExtension *extension;
453 
454  //Add the EarlyData extension
455  extension = (TlsExtension *) p;
456  //Type of the extension
457  extension->type = HTONS(TLS_EXT_EARLY_DATA);
458 
459  //The extension data field of this extension is empty
460  extension->length = HTONS(0);
461 
462  //Compute the length, in bytes, of the EarlyData extension
463  n = sizeof(TlsExtension);
464  }
465 #endif
466 
467  //Total number of bytes that have been written
468  *written = n;
469 
470  //Successful processing
471  return NO_ERROR;
472 }
473 
474 
475 /**
476  * @brief Parse SupportedVersions extension
477  * @param[in] context Pointer to the TLS context
478  * @param[in] selectedVersion Pointer to the SupportedVersions extension
479  * @return Error code
480  **/
481 
483  const uint8_t *selectedVersion)
484 {
485  error_t error;
486  uint16_t version;
487 
488  //The extension contains the selected version value
489  version = LOAD16BE(selectedVersion);
490 
491  //If the SupportedVersions extension contains a version prior to TLS 1.3,
492  //the client must abort the handshake with an illegal_parameter alert
495 
496  //Debug message
497  TRACE_INFO(" selectedVersion = 0x%04" PRIX16 " (%s)\r\n",
499 
500  //Set the TLS version to be used
501  error = tlsSelectVersion(context, version);
502  //Specified TLS/DTLS version not supported?
503  if(error)
504  return error;
505 
506  //Successful processing
507  return NO_ERROR;
508 }
509 
510 
511 /**
512  * @brief Parse Cookie extension
513  * @param[in] context Pointer to the TLS context
514  * @param[in] cookie Pointer to the Cookie extension
515  * @return Error code
516  **/
517 
519  const Tls13Cookie *cookie)
520 {
521  //Cookie extension found?
522  if(cookie != NULL)
523  {
524  size_t n;
525 
526  //Retrieve the length of the cookie
527  n = ntohs(cookie->length);
528 
529  //Clients must abort the handshake with an illegal_parameter alert if the
530  //HelloRetryRequest would not result in any change in the ClientHello
531  if(n == 0)
533 
534  //Check the length of the cookie
537 
538  //Sanity check
539  if(context->cookie != NULL)
540  {
541  //Release memory
542  tlsFreeMem(context->cookie);
543  context->cookie = NULL;
544  context->cookieLen = 0;
545  }
546 
547  //Allocate a memory block to store the cookie
548  context->cookie = tlsAllocMem(n);
549  //Failed to allocate memory?
550  if(context->cookie == NULL)
551  return ERROR_OUT_OF_MEMORY;
552 
553  //Save cookie
554  memcpy(context->cookie, cookie->value, n);
555  context->cookieLen = n;
556  }
557 
558  //Successful processing
559  return NO_ERROR;
560 }
561 
562 
563 /**
564  * @brief Parse KeyShare extension (HelloRetryRequest message)
565  * @param[in] context Pointer to the TLS context
566  * @param[in] selectedGroup Pointer to the KeyShare extension
567  * @return Error code
568  **/
569 
571  const uint8_t *selectedGroup)
572 {
573  error_t error;
574 
575  //Initialize status code
576  error = NO_ERROR;
577 
578 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_ECDHE_KE_SUPPORT == ENABLED || \
579  TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
580  //KeyShare extension found?
581  if(selectedGroup != NULL)
582  {
583  uint16_t namedGroup;
584 
585  //The KeyShare extension contains the mutually supported group the server
586  //intends to negotiate
587  namedGroup = LOAD16BE(selectedGroup);
588 
589  //Check whether the server has selected a different ECDHE or FFDHE group
590  if(namedGroup != context->namedGroup)
591  {
592  //Generate an ephemeral key pair
593  error = tls13GenerateKeyShare(context, namedGroup);
594  }
595  }
596 #else
597  //KeyShare extension found?
598  if(selectedGroup != NULL)
599  {
600  //If a client receives an extension type that it did not request in the
601  //ClientHello, it must abort the handshake with an unsupported_extension
602  //fatal alert
604  }
605 #endif
606 
607  //Return status code
608  return error;
609 }
610 
611 
612 /**
613  * @brief Parse KeyShare extension (ServerHello message)
614  * @param[in] context Pointer to the TLS context
615  * @param[in] serverShare Pointer to the KeyShare extension
616  * @return Error code
617  **/
618 
620  const Tls13KeyShareEntry *serverShare)
621 {
622 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_ECDHE_KE_SUPPORT == ENABLED || \
623  TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
624  //If using (EC)DHE key establishment, servers offer exactly one KeyShareEntry
625  //in the ServerHello
626  if(serverShare != NULL)
627  {
628  error_t error;
629  uint16_t namedGroup;
630 
631  //Convert the selected NamedGroup to host byte order
632  namedGroup = ntohs(serverShare->group);
633 
634  //Elliptic curve group?
635  if(tls13IsEcdheGroupSupported(context, namedGroup))
636  {
637  //ECDHE key exchange mechanism provides forward secrecy
638  context->keyExchMethod = TLS13_KEY_EXCH_ECDHE;
639  }
640  //Finite field group?
641  else if(tls13IsFfdheGroupSupported(context, namedGroup))
642  {
643  //DHE key exchange mechanism provides forward secrecy
644  context->keyExchMethod = TLS13_KEY_EXCH_DHE;
645  }
646  //Unknown group?
647  else
648  {
649  //Servers must not send a KeyShareEntry for any group not indicated
650  //in the client's SupportedGroups extension
652  }
653 
654  //The client must verify that the selected NamedGroup in the ServerHello
655  //is the same as that in the HelloRetryRequest
656  if(namedGroup != context->namedGroup)
658 
659  //Compute (EC)DHE shared secret
660  error = tls13GenerateSharedSecret(context, serverShare->keyExchange,
661  ntohs(serverShare->length));
662  //Any error to report?
663  if(error)
664  return error;
665  }
666  else
667  {
668  //PSKs can be used alone, at the cost of losing forward secrecy for
669  //the application data
670  context->keyExchMethod = TLS_KEY_EXCH_NONE;
671  }
672 #else
673  //KeyShareEntry extension found?
674  if(serverShare != NULL)
675  {
676  //If a client receives an extension type that it did not request in the
677  //ClientHello, it must abort the handshake with an unsupported_extension
678  //fatal alert
680  }
681  else
682  {
683  //Perform a PSK handshake if possible
684  context->keyExchMethod = TLS_KEY_EXCH_NONE;
685  }
686 #endif
687 
688  //Successful processing
689  return NO_ERROR;
690 }
691 
692 
693 /**
694  * @brief Parse PreSharedKey extension
695  * @param[in] context Pointer to the TLS context
696  * @param[in] selectedIdentity Pointer to the PreSharedKey extension
697  * @return Error code
698  **/
699 
701  const uint8_t *selectedIdentity)
702 {
703  //Reset the server's selected_identity to its default value
704  context->selectedIdentity = -1;
705 
706 #if (TLS13_PSK_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED || \
707  TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
708  //PreSharedKey extension found?
709  if(selectedIdentity != NULL)
710  {
711  const HashAlgo *hashAlgo;
712 
713  //If a client receives an extension type that it did not request in the
714  //ClientHello, it must abort the handshake with an unsupported_extension
715  //fatal alert
716  if(!tls13IsPskValid(context) && !tls13IsTicketValid(context))
718 
719  //In order to accept PSK key establishment, the server sends a
720  //PreSharedKey extension indicating the selected identity
721  context->selectedIdentity = LOAD16BE(selectedIdentity);
722 
723  //Clients must verify that the server's selected_identity is within the
724  //range supplied by the client (refer to RFC 8446, section 4.2.11)
725  if(context->selectedIdentity != 0)
727 
728  //Point to the cipher suite hash algorithm
729  hashAlgo = context->cipherSuite.prfHashAlgo;
730  //Make sure the hash algorithm is valid
731  if(hashAlgo == NULL)
732  return ERROR_FAILURE;
733 
734  //Clients must also verify that the server has selected a cipher suite
735  //indicating a hash algorithm associated with the PSK
736  if(tls13IsPskValid(context))
737  {
738  //PSK incompatible with the selected cipher suite?
739  if(tlsGetHashAlgo(context->pskHashAlgo) != hashAlgo)
741  }
742  else if(tls13IsTicketValid(context))
743  {
744  //PSK incompatible with the selected cipher suite?
745  if(tlsGetHashAlgo(context->ticketHashAlgo) != hashAlgo)
747  }
748  else
749  {
750  //Just for sanity
751  }
752 
753  //PSKs can be used with (EC)DHE key exchange in order to provide forward
754  //secrecy in combination with shared keys, or can be used alone, at the
755  //cost of losing forward secrecy for the application data
756 #if (TLS13_PSK_KE_SUPPORT == ENABLED)
757  if(context->keyExchMethod == TLS_KEY_EXCH_NONE)
758  context->keyExchMethod = TLS13_KEY_EXCH_PSK;
759 #endif
760 #if (TLS13_PSK_DHE_KE_SUPPORT == ENABLED)
761  if(context->keyExchMethod == TLS13_KEY_EXCH_DHE)
762  context->keyExchMethod = TLS13_KEY_EXCH_PSK_DHE;
763 #endif
764 #if (TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
765  if(context->keyExchMethod == TLS13_KEY_EXCH_ECDHE)
766  context->keyExchMethod = TLS13_KEY_EXCH_PSK_ECDHE;
767 #endif
768  }
769 #else
770  //PreSharedKey extension found?
771  if(selectedIdentity != NULL)
772  {
773  //If a client receives an extension type that it did not request in the
774  //ClientHello, it must abort the handshake with an unsupported_extension
775  //fatal alert
777  }
778 #endif
779 
780  //Successful processing
781  return NO_ERROR;
782 }
783 
784 
785 /**
786  * @brief Parse EarlyData extension
787  * @param[in] msgType Handshake message type
788  * @param[in] context Pointer to the TLS context
789  * @param[in] earlyDataIndication Pointer to the EarlyData extension
790  * @return Error code
791  **/
792 
794  TlsMessageType msgType, const uint8_t *earlyDataIndication)
795 {
796 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
797  //The extension may appear in EncryptedExtensions and NewSessionTicket
798  //messages
800  {
801  //EarlyData extension found?
802  if(earlyDataIndication != NULL)
803  {
804  //If a client receives an extension type that it did not request in the
805  //ClientHello, it must abort the handshake with an unsupported_extension
806  //fatal alert
807  if(!context->earlyDataEnabled || context->earlyDataRejected)
809 
810  //If the server has supplied an EarlyData extension, the client must
811  //verify that the server's selected_identity is 0. If any other value
812  //is returned, it must abort the handshake with an illegal_parameter
813  //fatal alert
814  if(context->selectedIdentity != 0)
816 
817  //A valid EarlyData extension has been received
818  context->earlyDataExtReceived = TRUE;
819  }
820  else
821  {
822  //The EncryptedExtensions message does not contain any EarlyData
823  //extension
824  context->earlyDataExtReceived = FALSE;
825  }
826  }
828  {
829  //The extension contains the maximum amount of 0-RTT data that the client
830  //is allowed to send
831  if(earlyDataIndication != NULL)
832  context->maxEarlyDataSize = LOAD32BE(earlyDataIndication);
833  else
834  context->maxEarlyDataSize = 0;
835  }
836  else
837  {
838  //Just for sanity
839  }
840 #else
841  //Check message type
843  {
844  //EarlyData extension found?
845  if(earlyDataIndication != NULL)
846  {
847  //If a client receives an extension type that it did not request in the
848  //ClientHello, it must abort the handshake with an unsupported_extension
849  //fatal alert
851  }
852  }
854  {
855  //Early data is not implemented
856  context->maxEarlyDataSize = 0;
857  }
858  else
859  {
860  //Just for sanity
861  }
862 #endif
863 
864  //Successful processing
865  return NO_ERROR;
866 }
867 
868 #endif
@ TLS13_KEY_EXCH_PSK
Definition: tls.h:1047
@ TLS_EXT_PSK_KEY_EXCHANGE_MODES
Definition: tls.h:1168
#define tlsAllocMem(size)
Definition: tls.h:757
#define htons(value)
Definition: cpu_endian.h:392
error_t tls13ParseServerPreSharedKeyExtension(TlsContext *context, const uint8_t *selectedIdentity)
TLS helper functions.
#define TLS13_PSK_DHE_KE_SUPPORT
Definition: tls13_misc.h:57
__start_packed struct @95 Tls13PskIdentityList
List of PSK identities.
error_t tls13ParseSelectedGroupExtension(TlsContext *context, const uint8_t *selectedGroup)
@ TLS13_KEY_EXCH_PSK_DHE
Definition: tls.h:1048
#define LOAD32BE(p)
Definition: cpu_endian.h:194
error_t tls13GenerateKeyShare(TlsContext *context, uint16_t namedGroup)
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:237
__start_packed struct @97 Tls13PskBinderList
List of PSK binders.
uint8_t p
Definition: ndp.h:298
error_t tlsSelectVersion(TlsContext *context, uint16_t version)
Set the TLS version to be used.
Definition: tls_misc.c:225
__start_packed struct @91 Tls13KeyShareEntry
Key share entry.
#define TRUE
Definition: os_port.h:50
size_t digestSize
Definition: crypto.h:1135
#define TLS13_MAX_COOKIE_SIZE
Definition: tls13_misc.h:85
error_t tls13FormatClientEarlyDataExtension(TlsContext *context, uint8_t *p, size_t *written)
uint16_t version
Definition: dtls_misc.h:172
TlsMessageType
Handshake message type.
Definition: tls.h:930
__start_packed struct @93 Tls13PskKeModeList
List of PSK key exchange modes.
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
__start_packed struct @90 Tls13Cookie
Cookie.
error_t tls13ParseServerKeyShareExtension(TlsContext *context, const Tls13KeyShareEntry *serverShare)
@ TLS13_KEY_EXCH_ECDHE
Definition: tls.h:1046
@ TLS_EXT_EARLY_DATA
Definition: tls.h:1165
@ TLS_PSK_KEY_EXCH_MODE_PSK_KE
Definition: tls13_misc.h:166
@ TLS_PSK_KEY_EXCH_MODE_PSK_DHE_KE
Definition: tls13_misc.h:167
#define FALSE
Definition: os_port.h:46
error_t mpiExport(const Mpi *a, uint8_t *data, uint_t length, MpiFormat format)
Integer to octet string conversion.
Definition: mpi.c:618
@ ERROR_UNSUPPORTED_EXTENSION
Definition: error.h:239
#define TlsContext
Definition: tls.h:36
error_t
Error codes.
Definition: error.h:42
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:829
@ ERROR_FAILURE
Generic error code.
Definition: error.h:45
@ TLS13_KEY_EXCH_DHE
Definition: tls.h:1045
error_t tlsSelectCipherSuite(TlsContext *context, uint16_t identifier)
Set cipher suite.
Definition: tls_misc.c:253
@ TLS_EXT_KEY_SHARE
Definition: tls.h:1173
#define TLS_VERSION_1_3
Definition: tls.h:95
@ TLS_TYPE_ENCRYPTED_EXTENSIONS
Definition: tls.h:939
@ TLS_EXT_COOKIE
Definition: tls.h:1167
error_t tls13FormatCookieExtension(TlsContext *context, uint8_t *p, size_t *written)
#define TRACE_INFO(...)
Definition: debug.h:94
error_t tls13ParseServerEarlyDataExtension(TlsContext *context, TlsMessageType msgType, const uint8_t *earlyDataIndication)
__start_packed struct @68 TlsExtension
TLS extension.
#define ENABLED
Definition: os_port.h:37
error_t tls13FormatClientPreSharedKeyExtension(TlsContext *context, uint8_t *p, size_t *written, Tls13PskIdentityList **identityList, Tls13PskBinderList **binderList)
error_t tls13FormatPskKeModesExtension(TlsContext *context, uint8_t *p, size_t *written)
error_t tls13GenerateSharedSecret(TlsContext *context, const uint8_t *keyShare, size_t length)
#define ntohs(value)
Definition: cpu_endian.h:398
bool_t tls13IsEcdheGroupSupported(TlsContext *context, uint16_t namedGroup)
@ TLS_KEY_EXCH_NONE
Definition: tls.h:1026
@ TLS13_KEY_EXCH_PSK_ECDHE
Definition: tls.h:1049
error_t tls13ParseServerSupportedVersionsExtension(TlsContext *context, const uint8_t *selectedVersion)
uint8_t m
Definition: ndp.h:302
#define HTONS(value)
Definition: cpu_endian.h:390
uint8_t n
uint16_t cipherSuite
Cipher suite identifier.
Definition: tls13_misc.h:372
bool_t tls13IsPskValid(TlsContext *context)
bool_t tls13IsFfdheGroupSupported(TlsContext *context, uint16_t namedGroup)
bool_t tls13IsTicketValid(TlsContext *context)
uint8_t msgType
Definition: dtls_misc.h:186
error_t tls13ParseCookieExtension(TlsContext *context, const Tls13Cookie *cookie)
Formatting and parsing of extensions (TLS 1.3 client)
@ TLS_EXT_PRE_SHARED_KEY
Definition: tls.h:1164
error_t tls13FormatClientKeyShareExtension(TlsContext *context, uint8_t *p, size_t *written)
@ MPI_FORMAT_BIG_ENDIAN
Definition: mpi.h:61
TLS (Transport Layer Security)
uint8_t cookie[]
Definition: dtls_misc.h:203
error_t ecExport(const EcDomainParameters *params, const EcPoint *a, uint8_t *data, size_t *length)
Convert an EC point to an octet string.
Definition: ec.c:287
__start_packed struct @79 TlsPskIdentity
PSK identity.
Common interface for hash algorithms.
Definition: crypto.h:1128
__start_packed struct @92 Tls13KeyShareList
List of key shares.
const char_t * tlsGetVersionName(uint16_t version)
Convert TLS version to string representation.
Definition: tls_misc.c:788
@ TLS_TYPE_NEW_SESSION_TICKET
Definition: tls.h:936
#define LOAD16BE(p)
Definition: cpu_endian.h:170
#define TLS13_PSK_ECDHE_KE_SUPPORT
Definition: tls13_misc.h:64
#define tlsFreeMem(p)
Definition: tls.h:762
__start_packed struct @96 Tls13PskBinder
PSK binder.
#define STORE32BE(a, p)
Definition: cpu_endian.h:270
@ NO_ERROR
Success.
Definition: error.h:44
Debugging facilities.
uint_t mpiGetByteLength(const Mpi *a)
Get the actual length in bytes.
Definition: mpi.c:156