tls13_misc.c
Go to the documentation of this file.
1 /**
2  * @file tls13_misc.c
3  * @brief TLS 1.3 helper functions
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 1.9.6
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include <string.h>
36 #include "tls.h"
37 #include "tls_extensions.h"
38 #include "tls_certificate.h"
39 #include "tls_signature.h"
40 #include "tls_transcript_hash.h"
41 #include "tls_ffdhe.h"
42 #include "tls_misc.h"
43 #include "tls13_misc.h"
44 #include "tls13_key_material.h"
45 #include "pkix/pem_import.h"
46 #include "kdf/hkdf.h"
47 #include "debug.h"
48 
49 //Check TLS library configuration
50 #if (TLS_SUPPORT == ENABLED && TLS_MAX_VERSION >= TLS_VERSION_1_3)
51 
52 //Downgrade protection mechanism (TLS 1.1 or below)
53 const uint8_t tls11DowngradeRandom[8] =
54 {
55  0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x00
56 };
57 
58 //Downgrade protection mechanism (TLS 1.2)
59 const uint8_t tls12DowngradeRandom[8] =
60 {
61  0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x01
62 };
63 
64 //Special random value for HelloRetryRequest message
65 const uint8_t tls13HelloRetryRequestRandom[32] =
66 {
67  0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
68  0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
69  0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
70  0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
71 };
72 
73 
74 /**
75  * @brief Compute PSK binder value
76  * @param[in] context Pointer to the TLS context
77  * @param[in] clientHello Pointer to the ClientHello message
78  * @param[in] clientHelloLen Length of the ClientHello message
79  * @param[in] truncatedClientHelloLen Length of the partial ClientHello message
80  * @param[in] identity Pointer to the PSK identity
81  * @param[out] binder Buffer where to store the resulting PSK binder
82  * @param[in] binderLen Expected length of the PSK binder
83  * @return Error code
84  **/
85 
86 error_t tls13ComputePskBinder(TlsContext *context, const void *clientHello,
87  size_t clientHelloLen, size_t truncatedClientHelloLen,
88  const Tls13PskIdentity *identity, uint8_t *binder, size_t binderLen)
89 {
90  error_t error;
91  const HashAlgo *hash;
92  uint8_t *hashContext;
93  uint8_t key[TLS_MAX_HKDF_DIGEST_SIZE];
94  uint8_t digest[TLS_MAX_HKDF_DIGEST_SIZE];
95 
96  //Check parameters
97  if(truncatedClientHelloLen >= clientHelloLen)
99 
100  //The hash function used by HKDF is the cipher suite hash algorithm
101  hash = context->cipherSuite.prfHashAlgo;
102  //Make sure the hash algorithm is valid
103  if(hash == NULL)
104  return ERROR_FAILURE;
105 
106  //Check the length of the PSK binder
107  if(binderLen != hash->digestSize)
108  return ERROR_INVALID_LENGTH;
109 
110  //Allocate a memory buffer to hold the hash context
111  hashContext = tlsAllocMem(hash->contextSize);
112  //Failed to allocate memory?
113  if(hashContext == NULL)
114  return ERROR_OUT_OF_MEMORY;
115 
116  //Intialize transcript hash
117  if(context->transcriptHashContext != NULL)
118  memcpy(hashContext, context->transcriptHashContext, hash->contextSize);
119  else
120  hash->init(hashContext);
121 
122 #if (DTLS_SUPPORT == ENABLED)
123  //DTLS protocol?
124  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
125  {
126  DtlsHandshake header;
127 
128  //Handshake message type
129  header.msgType = TLS_TYPE_CLIENT_HELLO;
130  //Number of bytes in the message
131  STORE24BE(clientHelloLen, header.length);
132  //Message sequence number
133  header.msgSeq = htons(context->txMsgSeq);
134  //Fragment offset
135  STORE24BE(0, header.fragOffset);
136  //Fragment length
137  STORE24BE(clientHelloLen, header.fragLength);
138 
139  //Digest the handshake message header
140  hash->update(hashContext, &header, sizeof(DtlsHandshake));
141  }
142  else
143 #endif
144  //TLS protocol?
145  {
146  TlsHandshake header;
147 
148  //Handshake message type
149  header.msgType = TLS_TYPE_CLIENT_HELLO;
150  //Number of bytes in the message
151  STORE24BE(clientHelloLen, header.length);
152 
153  //Digest the handshake message header
154  hash->update(hashContext, &header, sizeof(TlsHandshake));
155  }
156 
157  //Digest the partial ClientHello
158  hash->update(hashContext, clientHello, truncatedClientHelloLen);
159  //Calculate transcript hash
160  hash->final(hashContext, digest);
161 
162  //Release previously allocated memory
163  tlsFreeMem(hashContext);
164 
165  //Debug message
166  TRACE_DEBUG("Transcript hash (partial ClientHello):\r\n");
167  TRACE_DEBUG_ARRAY(" ", digest, hash->digestSize);
168 
169  //Although PSKs can be established out of band, PSKs can also be established
170  //in a previous connection
171  if(tls13IsPskValid(context))
172  {
173  //Calculate early secret
174  error = hkdfExtract(hash, context->psk, context->pskLen, NULL, 0,
175  context->secret);
176  //Any error to report?
177  if(error)
178  return error;
179 
180  //Debug message
181  TRACE_DEBUG("Early secret:\r\n");
182  TRACE_DEBUG_ARRAY(" ", context->secret, hash->digestSize);
183 
184  //Calculate binder key
185  error = tls13DeriveSecret(context, context->secret, hash->digestSize,
186  "ext binder", "", 0, key, hash->digestSize);
187  //Any error to report?
188  if(error)
189  return error;
190  }
191  else if(tls13IsTicketValid(context))
192  {
193  //Calculate early secret
194  error = hkdfExtract(hash, context->ticketPsk, context->ticketPskLen,
195  NULL, 0, context->secret);
196  //Any error to report?
197  if(error)
198  return error;
199 
200  //Debug message
201  TRACE_DEBUG("Early secret:\r\n");
202  TRACE_DEBUG_ARRAY(" ", context->secret, hash->digestSize);
203 
204  //Calculate binder key
205  error = tls13DeriveSecret(context, context->secret, hash->digestSize,
206  "res binder", "", 0, key, hash->digestSize);
207  //Any error to report?
208  if(error)
209  return error;
210  }
211  else
212  {
213  //The pre-shared key is not valid
214  return ERROR_FAILURE;
215  }
216 
217  //Debug message
218  TRACE_DEBUG("Binder key:\r\n");
219  TRACE_DEBUG_ARRAY(" ", key, hash->digestSize);
220 
221  //The PskBinderEntry is computed in the same way as the Finished message
222  //but with the base key being the binder key
223  error = tls13HkdfExpandLabel(hash, key, hash->digestSize, "finished",
224  NULL, 0, key, hash->digestSize);
225  //Any error to report?
226  if(error)
227  return error;
228 
229  //Debug message
230  TRACE_DEBUG("Finished key:\r\n");
231  TRACE_DEBUG_ARRAY(" ", key, hash->digestSize);
232 
233  //Compute PSK binder
234  error = hmacCompute(hash, key, hash->digestSize, digest, hash->digestSize,
235  binder);
236  //Any error to report?
237  if(error)
238  return error;
239 
240  //Debug message
241  TRACE_DEBUG("PSK binder:\r\n");
242  TRACE_DEBUG_ARRAY(" ", binder, binderLen);
243 
244  //Successful processing
245  return NO_ERROR;
246 }
247 
248 
249 /**
250  * @brief Key share generation
251  * @param[in] context Pointer to the TLS context
252  * @param[in] namedGroup Named group
253  * @return Error code
254  **/
255 
256 error_t tls13GenerateKeyShare(TlsContext *context, uint16_t namedGroup)
257 {
258  error_t error;
259 
260 #if (TLS13_ECDHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
261  //Elliptic curve group?
262  if(tls13IsEcdheGroupSupported(context, namedGroup))
263  {
264  const EcCurveInfo *curveInfo;
265 
266  //Retrieve the elliptic curve to be used
267  curveInfo = tlsGetCurveInfo(context, namedGroup);
268 
269  //Valid elliptic curve?
270  if(curveInfo != NULL)
271  {
272  //Save the named group
273  context->namedGroup = namedGroup;
274 
275  //Load EC domain parameters
276  error = ecLoadDomainParameters(&context->ecdhContext.params, curveInfo);
277 
278  //Check status code
279  if(!error)
280  {
281  //Generate an ephemeral key pair
282  error = ecdhGenerateKeyPair(&context->ecdhContext, context->prngAlgo,
283  context->prngContext);
284  }
285  }
286  else
287  {
288  //Unsupported elliptic curve
289  error = ERROR_ILLEGAL_PARAMETER;
290  }
291  }
292  else
293 #endif
294 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED)
295  //Finite field group?
296  if(tls13IsFfdheGroupSupported(context, namedGroup))
297  {
298 #if (TLS_FFDHE_SUPPORT == ENABLED)
299  const TlsFfdheGroup *ffdheGroup;
300 
301  //Get the FFDHE parameters that match the specified named group
302  ffdheGroup = tlsGetFfdheGroup(context, namedGroup);
303 
304  //Valid FFDHE group?
305  if(ffdheGroup != NULL)
306  {
307  //Save the named group
308  context->namedGroup = namedGroup;
309 
310  //Load FFDHE parameters
311  error = tlsLoadFfdheParameters(&context->dhContext.params, ffdheGroup);
312 
313  //Check status code
314  if(!error)
315  {
316  //Generate an ephemeral key pair
317  error = dhGenerateKeyPair(&context->dhContext, context->prngAlgo,
318  context->prngContext);
319  }
320  }
321  else
322 #endif
323  {
324  //The specified FFDHE group is not supported
325  error = ERROR_ILLEGAL_PARAMETER;
326  }
327  }
328  else
329 #endif
330  //Unknown group?
331  {
332  //Report an error
333  error = ERROR_ILLEGAL_PARAMETER;
334  }
335 
336  //Return status code
337  return error;
338 }
339 
340 
341 /**
342  * @brief (EC)DHE shared secret generation
343  * @param[in] context Pointer to the TLS context
344  * @param[in] keyShare Pointer to the peer's (EC)DHE parameters
345  * @param[in] length Length of the (EC)DHE parameters, in bytes
346  * @return Error code
347  **/
348 
349 error_t tls13GenerateSharedSecret(TlsContext *context, const uint8_t *keyShare,
350  size_t length)
351 {
352  error_t error;
353 
354 #if (TLS13_ECDHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
355  //Elliptic curve group?
356  if(tls13IsEcdheGroupSupported(context, context->namedGroup))
357  {
358  //Read peer's public key (refer to RFC 8446, section 4.2.8.2)
359  error = ecImport(&context->ecdhContext.params,
360  &context->ecdhContext.qb, keyShare, length);
361 
362  //Check status code
363  if(!error)
364  {
365  //Verify peer's public key
366  error = ecdhCheckPublicKey(&context->ecdhContext.params,
367  &context->ecdhContext.qb);
368  }
369 
370  //Check status code
371  if(!error)
372  {
373  //ECDH shared secret calculation is performed according to IEEE Std
374  //1363-2000 (refer to RFC 8446, section 7.4.2)
375  error = ecdhComputeSharedSecret(&context->ecdhContext,
376  context->premasterSecret, TLS_PREMASTER_SECRET_SIZE,
377  &context->premasterSecretLen);
378  }
379  }
380  else
381 #endif
382 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED)
383  //Finite field group?
384  if(tls13IsFfdheGroupSupported(context, context->namedGroup))
385  {
386 #if (TLS_FFDHE_SUPPORT == ENABLED)
387  //Read client's public key (refer to RFC 8446, section 4.2.8.1)
388  error = mpiImport(&context->dhContext.yb, keyShare, length,
390 
391  //Check status code
392  if(!error)
393  {
394  //Verify peer's public key
395  error = dhCheckPublicKey(&context->dhContext.params,
396  &context->dhContext.yb);
397  }
398 
399  //Check status code
400  if(!error)
401  {
402  //The negotiated key (Z) is converted to a byte string by encoding in
403  //big-endian and left padded with zeros up to the size of the prime
404  //(refer to RFC 8446, section 7.4.1)
405  error = dhComputeSharedSecret(&context->dhContext,
406  context->premasterSecret, TLS_PREMASTER_SECRET_SIZE,
407  &context->premasterSecretLen);
408  }
409 #else
410  //The specified FFDHE group is not supported
411  error = ERROR_HANDSHAKE_FAILED;
412 #endif
413  }
414  else
415 #endif
416  //Unknown group?
417  {
418  //Report an error
419  error = ERROR_HANDSHAKE_FAILED;
420  }
421 
422  //Return status code
423  return error;
424 }
425 
426 
427 /**
428  * @brief Digital signature generation (TLS 1.3)
429  * @param[in] context Pointer to the TLS context
430  * @param[out] p Buffer where to store the digitally-signed element
431  * @param[out] length Length of the digitally-signed element
432  * @return Error code
433  **/
434 
435 error_t tls13GenerateSignature(TlsContext *context, uint8_t *p,
436  size_t *length)
437 {
438  error_t error;
439  size_t n;
440  uint8_t *buffer;
442  const HashAlgo *hashAlgo;
443 
444  //Point to the digitally-signed element
446 
447  //The hash function used by HKDF is the cipher suite hash algorithm
448  hashAlgo = context->cipherSuite.prfHashAlgo;
449  //Make sure the hash algorithm is valid
450  if(hashAlgo == NULL)
451  return ERROR_FAILURE;
452 
453  //Calculate the length of the content covered by the digital signature
454  n = hashAlgo->digestSize + 98;
455 
456  //Allocate a memory buffer
457  buffer = tlsAllocMem(n);
458  //Failed to allocate memory?
459  if(buffer == NULL)
460  return ERROR_OUT_OF_MEMORY;
461 
462  //Form a string that consists of octet 32 (0x20) repeated 64 times
463  memset(buffer, ' ', 64);
464 
465  //Append the context string. It is used to provide separation between
466  //signatures made in different contexts, helping against potential
467  //cross-protocol attacks
468  if(context->entity == TLS_CONNECTION_END_CLIENT)
469  memcpy(buffer + 64, "TLS 1.3, client CertificateVerify", 33);
470  else
471  memcpy(buffer + 64, "TLS 1.3, server CertificateVerify", 33);
472 
473  //Append a single 0 byte which serves as the separator
474  buffer[97] = 0x00;
475 
476  //Compute the transcript hash
477  error = tlsFinalizeTranscriptHash(context, hashAlgo,
478  context->transcriptHashContext, "", buffer + 98);
479 
480  //Check status code
481  if(!error)
482  {
483 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
484  //RSA-PSS signature scheme?
485  if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
486  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
487  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 ||
488  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256 ||
489  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384 ||
490  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
491  {
492  RsaPrivateKey privateKey;
493 
494  //Initialize RSA private key
495  rsaInitPrivateKey(&privateKey);
496 
497  //The algorithm field specifies the signature scheme and the
498  //corresponding hash algorithm
499  if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256)
500  {
501  //Select rsa_pss_rsae_sha256 signature algorithm
504  }
505  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384)
506  {
507  //Select rsa_pss_rsae_sha384 signature algorithm
510  }
511  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512)
512  {
513  //Select rsa_pss_rsae_sha512 signature algorithm
516  }
517  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256)
518  {
519  //Select rsa_pss_pss_sha256 signature algorithm
522  }
523  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384)
524  {
525  //Select rsa_pss_pss_sha384 signature algorithm
528  }
529  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
530  {
531  //Select rsa_pss_pss_sha512 signature algorithm
534  }
535  else
536  {
537  //Invalid signature algorithm
539  }
540 
541  //Check status code
542  if(!error)
543  {
544  //Pre-hash the content covered by the digital signature
545  if(hashAlgo != NULL)
546  error = hashAlgo->compute(buffer, n, context->clientVerifyData);
547  else
549  }
550 
551  //Check status code
552  if(!error)
553  {
554  //Retrieve the RSA private key corresponding to the certificate sent
555  //in the previous message
556  error = pemImportRsaPrivateKey(context->cert->privateKey,
557  context->cert->privateKeyLen, &privateKey);
558  }
559 
560  //Check status code
561  if(!error)
562  {
563  //RSA signatures must use an RSASSA-PSS algorithm, regardless of
564  //whether RSASSA-PKCS1-v1_5 algorithms appear in SignatureAlgorithms
565  error = rsassaPssSign(context->prngAlgo, context->prngContext,
566  &privateKey, hashAlgo, hashAlgo->digestSize,
567  context->clientVerifyData, signature->value, length);
568  }
569 
570  //Release previously allocated resources
571  rsaFreePrivateKey(&privateKey);
572  }
573  else
574 #endif
575 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
576  //ECDSA signature scheme?
577  if(context->signAlgo == TLS_SIGN_ALGO_ECDSA)
578  {
579  //The algorithm field specifies the signature scheme, the corresponding
580  //curve and the corresponding hash algorithm
581  if(context->cert->namedCurve == TLS_GROUP_SECP256R1 &&
582  context->signHashAlgo == TLS_HASH_ALGO_SHA256)
583  {
584  //Select ecdsa_secp256r1_sha256 signature algorithm
587  }
588  else if(context->cert->namedCurve == TLS_GROUP_SECP384R1 &&
589  context->signHashAlgo == TLS_HASH_ALGO_SHA384)
590  {
591  //Select ecdsa_secp384r1_sha384 signature algorithm
594  }
595  else if(context->cert->namedCurve == TLS_GROUP_SECP521R1 &&
596  context->signHashAlgo == TLS_HASH_ALGO_SHA512)
597  {
598  //Select ecdsa_secp521r1_sha512 signature algorithm
601  }
602  else
603  {
604  //Invalid signature algorithm
606  }
607 
608  //Check status code
609  if(!error)
610  {
611  //Pre-hash the content covered by the digital signature
612  if(hashAlgo != NULL)
613  error = hashAlgo->compute(buffer, n, context->clientVerifyData);
614  else
616  }
617 
618  //Check status code
619  if(!error)
620  {
621  //Generate an ECDSA signature
622  error = tlsGenerateEcdsaSignature(context, context->clientVerifyData,
623  hashAlgo->digestSize, signature->value, length);
624  }
625  }
626  else
627 #endif
628 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
629  //EdDSA signature scheme?
630  if(context->signAlgo == TLS_SIGN_ALGO_ED25519 ||
631  context->signAlgo == TLS_SIGN_ALGO_ED448)
632  {
633  //The algorithm field specifies the signature algorithm used
634  if(context->signAlgo == TLS_SIGN_ALGO_ED25519)
635  {
636  //Select ed25519 signature algorithm
638  }
639  else if(context->signAlgo == TLS_SIGN_ALGO_ED448)
640  {
641  //Select ed448 signature algorithm
642  signature->algorithm = HTONS(TLS_SIGN_SCHEME_ED448);
643  }
644  else
645  {
646  //Invalid signature algorithm
648  }
649 
650  //Check status code
651  if(!error)
652  {
653  //Generate a signature in PureEdDSA mode, without pre-hashing
654  error = tlsGenerateEddsaSignature(context, buffer, n,
655  signature->value, length);
656  }
657  }
658  else
659 #endif
660  //Invalid signature scheme?
661  {
662  //Report an error
664  }
665  }
666 
667  //Release memory buffer
668  tlsFreeMem(buffer);
669 
670  //Check status code
671  if(!error)
672  {
673  //The signature is preceded by a 2-byte length field
674  signature->length = htons(*length);
675  //Total length of the digitally-signed element
676  *length += sizeof(Tls13DigitalSignature);
677  }
678 
679  //Return status code
680  return error;
681 }
682 
683 
684 /**
685  * @brief Digital signature verification (TLS 1.3)
686  * @param[in] context Pointer to the TLS context
687  * @param[in] p Pointer to the digitally-signed element to be verified
688  * @param[in] length Length of the digitally-signed element
689  * @return Error code
690  **/
691 
692 error_t tls13VerifySignature(TlsContext *context, const uint8_t *p,
693  size_t length)
694 {
695  error_t error;
696  size_t n;
697  uint8_t *buffer;
698  Tls13SignatureScheme signAlgo;
700  const HashAlgo *hashAlgo;
701 
702  //Point to the digitally-signed element
704 
705  //Malformed CertificateVerify message?
706  if(length < sizeof(Tls13DigitalSignature))
707  return ERROR_DECODING_FAILED;
708  if(length != (sizeof(Tls13DigitalSignature) + ntohs(signature->length)))
709  return ERROR_DECODING_FAILED;
710 
711  //The hash function used by HKDF is the cipher suite hash algorithm
712  hashAlgo = context->cipherSuite.prfHashAlgo;
713  //Make sure the hash algorithm is valid
714  if(hashAlgo == NULL)
715  return ERROR_FAILURE;
716 
717  //Calculate the length of the content covered by the digital signature
718  n = hashAlgo->digestSize + 98;
719 
720  //Allocate a memory buffer
721  buffer = tlsAllocMem(n);
722  //Failed to allocate memory?
723  if(buffer == NULL)
724  return ERROR_OUT_OF_MEMORY;
725 
726  //Form a string that consists of octet 32 (0x20) repeated 64 times
727  memset(buffer, ' ', 64);
728 
729  //Append the context string. It is used to provide separation between
730  //signatures made in different contexts, helping against potential
731  //cross-protocol attacks
732  if(context->entity == TLS_CONNECTION_END_CLIENT)
733  memcpy(buffer + 64, "TLS 1.3, server CertificateVerify", 33);
734  else
735  memcpy(buffer + 64, "TLS 1.3, client CertificateVerify", 33);
736 
737  //Append a single 0 byte which serves as the separator
738  buffer[97] = 0x00;
739 
740  //Compute the transcript hash
741  error = tlsFinalizeTranscriptHash(context, hashAlgo,
742  context->transcriptHashContext, "", buffer + 98);
743 
744  //Check status code
745  if(!error)
746  {
747  //The algorithm field specifies the signature scheme
748  signAlgo = (Tls13SignatureScheme) ntohs(signature->algorithm);
749 
750 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
751  //RSASSA-PSS signature scheme?
752  if(signAlgo == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA256 ||
758  {
759  //Enforce the type of the certificate provided by the peer
760  if(context->peerCertType == TLS_CERT_RSA_SIGN)
761  {
762  //Retrieve the hash algorithm used for signing
765  else if(signAlgo == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA384)
767  else if(signAlgo == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA512)
769  else
770  hashAlgo = NULL;
771  }
772  else if(context->peerCertType == TLS_CERT_RSA_PSS_SIGN)
773  {
774  //Retrieve the hash algorithm used for signing
775  if(signAlgo == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA256)
777  else if(signAlgo == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA384)
779  else if(signAlgo == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA512)
781  else
782  hashAlgo = NULL;
783  }
784  else
785  {
786  //Invalid certificate
787  hashAlgo = NULL;
788  }
789 
790  //Pre-hash the content covered by the digital signature
791  if(hashAlgo != NULL)
792  error = hashAlgo->compute(buffer, n, context->clientVerifyData);
793  else
794  error = ERROR_ILLEGAL_PARAMETER;
795 
796  //Check status code
797  if(!error)
798  {
799  //Verify RSASSA-PSS signature
800  error = rsassaPssVerify(&context->peerRsaPublicKey, hashAlgo,
801  hashAlgo->digestSize, context->clientVerifyData,
802  signature->value, ntohs(signature->length));
803  }
804  }
805  else
806 #endif
807 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
808  //ECDSA signature scheme?
812  {
813  //Enforce the type of the certificate provided by the peer
814  if(context->peerCertType == TLS_CERT_ECDSA_SIGN)
815  {
816  //Retrieve the hash algorithm used for signing
817  if(context->peerEcParams.name == NULL)
818  {
819  //Invalid signature scheme
820  hashAlgo = NULL;
821  }
822  else if(signAlgo == TLS_SIGN_SCHEME_ECDSA_SECP256R1_SHA256 &&
823  strcmp(context->peerEcParams.name, "secp256r1") == 0)
824  {
825  //Select SHA-256 hash algorithm
827  }
828  else if(signAlgo == TLS_SIGN_SCHEME_ECDSA_SECP384R1_SHA384 &&
829  strcmp(context->peerEcParams.name, "secp384r1") == 0)
830  {
831  //Select SHA-384 hash algorithm
833  }
834  else if(signAlgo == TLS_SIGN_SCHEME_ECDSA_SECP521R1_SHA512 &&
835  strcmp(context->peerEcParams.name, "secp521r1") == 0)
836  {
837  //Select SHA-512 hash algorithm
839  }
840  else
841  {
842  //Invalid signature scheme
843  hashAlgo = NULL;
844  }
845  }
846  else
847  {
848  //Invalid certificate
849  hashAlgo = NULL;
850  }
851 
852  //Pre-hash the content covered by the digital signature
853  if(hashAlgo != NULL)
854  error = hashAlgo->compute(buffer, n, context->clientVerifyData);
855  else
856  error = ERROR_ILLEGAL_PARAMETER;
857 
858  //Check status code
859  if(!error)
860  {
861  //Verify ECDSA signature
862  error = tlsVerifyEcdsaSignature(context, context->clientVerifyData,
863  hashAlgo->digestSize, signature->value, ntohs(signature->length));
864  }
865  }
866  else
867 #endif
868 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED && TLS_ED25519_SUPPORT == ENABLED)
869  //Ed25519 signature scheme?
870  if(signAlgo == TLS_SIGN_SCHEME_ED25519)
871  {
872  //Enforce the type of the certificate provided by the peer
873  if(context->peerCertType == TLS_CERT_ED25519_SIGN)
874  {
875  //Verify EdDSA signature (PureEdDSA mode)
876  error = tlsVerifyEddsaSignature(context, buffer, n,
877  signature->value, ntohs(signature->length));
878  }
879  else
880  {
881  //Invalid certificate
882  error = ERROR_ILLEGAL_PARAMETER;
883  }
884  }
885  else
886 #endif
887 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED && TLS_ED448_SUPPORT == ENABLED)
888  //Ed448 signature scheme?
889  if(signAlgo == TLS_SIGN_SCHEME_ED448)
890  {
891  //Enforce the type of the certificate provided by the peer
892  if(context->peerCertType == TLS_CERT_ED448_SIGN)
893  {
894  //Verify EdDSA signature (PureEdDSA mode)
895  error = tlsVerifyEddsaSignature(context, buffer, n,
896  signature->value, ntohs(signature->length));
897  }
898  else
899  {
900  //Invalid certificate
901  error = ERROR_ILLEGAL_PARAMETER;
902  }
903  }
904  else
905 #endif
906  //Unknown signature scheme?
907  {
908  //Report an error
909  error = ERROR_ILLEGAL_PARAMETER;
910  }
911  }
912 
913  //Release memory buffer
914  tlsFreeMem(buffer);
915 
916  //Return status code
917  return error;
918 }
919 
920 
921 /**
922  * @brief Hash ClientHello1 in the transcript when HelloRetryRequest is used
923  * @param[in] context Pointer to the TLS context
924  * @return Error code
925  **/
926 
928 {
930  const HashAlgo *hash;
931 
932  //Invalid hash context?
933  if(context->transcriptHashContext == NULL)
934  return ERROR_FAILURE;
935 
936  //The hash function used by HKDF is the cipher suite hash algorithm
937  hash = context->cipherSuite.prfHashAlgo;
938  //Make sure the hash algorithm is valid
939  if(hash == NULL)
940  return ERROR_FAILURE;
941 
942  //Point to the buffer where to format the handshake message
943  message = (TlsHandshake *) context->txBuffer;
944 
945  //Handshake message type
946  message->msgType = TLS_TYPE_MESSAGE_HASH;
947  //Number of bytes in the message
948  STORE24BE(hash->digestSize, message->length);
949 
950  //Compute Hash(ClientHello1)
951  hash->final(context->transcriptHashContext, message->data);
952  //Re-initialize hash algorithm context
953  hash->init(context->transcriptHashContext);
954 
955  //When the server responds to a ClientHello with a HelloRetryRequest, the
956  //value of ClientHello1 is replaced with a special synthetic handshake
957  //message of handshake type MessageHash containing Hash(ClientHello1)
958  hash->update(context->transcriptHashContext, message,
959  hash->digestSize + sizeof(TlsHandshake));
960 
961  //Successful processing
962  return NO_ERROR;
963 }
964 
965 
966 /**
967  * @brief Check whether an externally established PSK is valid
968  * @param[in] context Pointer to the TLS context
969  * @return TRUE is the PSK is valid, else FALSE
970  **/
971 
973 {
974  bool_t valid = FALSE;
975 
976  //Make sure the hash algorithm associated with the PSK is valid
977  if(tlsGetHashAlgo(context->pskHashAlgo) != NULL)
978  {
979  //Valid PSK?
980  if(context->psk != NULL && context->pskLen > 0)
981  {
982  //Check whether TLS operates as a client or a server
983  if(context->entity == TLS_CONNECTION_END_CLIENT)
984  {
985  //Valid PSK identity?
986  if(context->pskIdentity != NULL)
987  {
988  valid = TRUE;
989  }
990  }
991  else
992  {
993  valid = TRUE;
994  }
995  }
996  }
997 
998  //Return TRUE is the PSK is valid, else FALSE
999  return valid;
1000 }
1001 
1002 
1003 /**
1004  * @brief Check whether a session ticket is valid
1005  * @param[in] context Pointer to the TLS context
1006  * @return TRUE is the session ticket is valid, else FALSE
1007  **/
1008 
1010 {
1011  bool_t valid = FALSE;
1012 
1013  //Make sure the hash algorithm associated with the ticket is valid
1014  if(tlsGetHashAlgo(context->ticketHashAlgo) != NULL)
1015  {
1016  //Valid ticket PSK?
1017  if(context->ticketPskLen > 0)
1018  {
1019  //Check whether TLS operates as a client or a server
1020  if(context->entity == TLS_CONNECTION_END_CLIENT)
1021  {
1022  //Valid ticket?
1023  if(context->ticket != NULL && context->ticketLen > 0)
1024  {
1025  valid = TRUE;
1026  }
1027  }
1028  else
1029  {
1030  valid = TRUE;
1031  }
1032  }
1033  }
1034 
1035  //Return TRUE is the ticket is valid, else FALSE
1036  return valid;
1037 }
1038 
1039 
1040 /**
1041  * @brief Check whether a given named group is supported
1042  * @param[in] context Pointer to the TLS context
1043  * @param[in] namedGroup Named group
1044  * @return TRUE is the named group is supported, else FALSE
1045  **/
1046 
1047 bool_t tls13IsGroupSupported(TlsContext *context, uint16_t namedGroup)
1048 {
1049  bool_t acceptable;
1050 
1051  //Initialize flag
1052  acceptable = FALSE;
1053 
1054  //Check whether the ECDHE of FFDHE group is supported
1055  if(tls13IsEcdheGroupSupported(context, namedGroup))
1056  {
1057  acceptable = TRUE;
1058  }
1059  else if(tls13IsFfdheGroupSupported(context, namedGroup))
1060  {
1061  acceptable = TRUE;
1062  }
1063  else
1064  {
1065  acceptable = FALSE;
1066  }
1067 
1068  //Return TRUE is the named group is supported
1069  return acceptable;
1070 }
1071 
1072 
1073 /**
1074  * @brief Check whether a given ECDHE group is supported
1075  * @param[in] context Pointer to the TLS context
1076  * @param[in] namedGroup Named group
1077  * @return TRUE is the ECDHE group is supported, else FALSE
1078  **/
1079 
1080 bool_t tls13IsEcdheGroupSupported(TlsContext *context, uint16_t namedGroup)
1081 {
1082  bool_t acceptable;
1083 
1084  //Initialize flag
1085  acceptable = FALSE;
1086 
1087 #if (TLS13_ECDHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
1088  //Elliptic curve group?
1089  if(namedGroup == TLS_GROUP_SECP256R1 ||
1090  namedGroup == TLS_GROUP_SECP384R1 ||
1091  namedGroup == TLS_GROUP_SECP521R1 ||
1092  namedGroup == TLS_GROUP_ECDH_X25519 ||
1093  namedGroup == TLS_GROUP_ECDH_X448 ||
1094  namedGroup == TLS_GROUP_BRAINPOOLP256R1_TLS13 ||
1095  namedGroup == TLS_GROUP_BRAINPOOLP384R1_TLS13 ||
1096  namedGroup == TLS_GROUP_BRAINPOOLP512R1_TLS13)
1097  {
1098  //Check whether the ECDHE group is supported
1099  if(tlsGetCurveInfo(context, namedGroup) != NULL)
1100  {
1101  acceptable = TRUE;
1102  }
1103  }
1104 #endif
1105 
1106  //Return TRUE is the named group is supported
1107  return acceptable;
1108 }
1109 
1110 
1111 /**
1112  * @brief Check whether a given FFDHE group is supported
1113  * @param[in] context Pointer to the TLS context
1114  * @param[in] namedGroup Named group
1115  * @return TRUE is the FFDHE group is supported, else FALSE
1116  **/
1117 
1118 bool_t tls13IsFfdheGroupSupported(TlsContext *context, uint16_t namedGroup)
1119 {
1120  bool_t acceptable;
1121 
1122  //Initialize flag
1123  acceptable = FALSE;
1124 
1125 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED)
1126  //Finite field group?
1127  if(namedGroup == TLS_GROUP_FFDHE2048 ||
1128  namedGroup == TLS_GROUP_FFDHE3072 ||
1129  namedGroup == TLS_GROUP_FFDHE4096 ||
1130  namedGroup == TLS_GROUP_FFDHE6144 ||
1131  namedGroup == TLS_GROUP_FFDHE8192)
1132  {
1133 #if (TLS_FFDHE_SUPPORT == ENABLED)
1134  //Check whether the FFDHE group is supported
1135  if(tlsGetFfdheGroup(context, namedGroup) != NULL)
1136  {
1137  acceptable = TRUE;
1138  }
1139 #endif
1140  }
1141 #endif
1142 
1143  //Return TRUE is the named group is supported
1144  return acceptable;
1145 }
1146 
1147 
1148 /**
1149  * @brief Check whether the specified key share group is a duplicate
1150  * @param[in] namedGroup Named group
1151  * @param[in] p List of key share entries
1152  * @param[in] length Length of the list, in bytes
1153  * @return Error code
1154  **/
1155 
1156 error_t tls13CheckDuplicateKeyShare(uint16_t namedGroup, const uint8_t *p,
1157  size_t length)
1158 {
1159  size_t n;
1160  const Tls13KeyShareEntry *keyShareEntry;
1161 
1162  //Parse the list of key share entries offered by the peer
1163  while(length > 0)
1164  {
1165  //Malformed extension?
1166  if(length < sizeof(Tls13KeyShareEntry))
1167  return ERROR_DECODING_FAILED;
1168 
1169  //Point to the current key share entry
1170  keyShareEntry = (Tls13KeyShareEntry *) p;
1171  //Retrieve the length of the key_exchange field
1172  n = ntohs(keyShareEntry->length);
1173 
1174  //Malformed extension?
1175  if(length < (sizeof(Tls13KeyShareEntry) + n))
1176  return ERROR_DECODING_FAILED;
1177 
1178  //Clients must not offer multiple KeyShareEntry values for the same
1179  //group. Servers may check for violations of this rule and abort the
1180  //handshake with an illegal_parameter alert
1181  if(ntohs(keyShareEntry->group) == namedGroup)
1182  return ERROR_ILLEGAL_PARAMETER;
1183 
1184  //Jump to the next key share entry
1185  p += sizeof(Tls13KeyShareEntry) + n;
1186  //Number of bytes left to process
1187  length -= sizeof(Tls13KeyShareEntry) + n;
1188  }
1189 
1190  //Successful verification
1191  return NO_ERROR;
1192 }
1193 
1194 
1195 /**
1196  * @brief Format certificate extensions
1197  * @param[in] p Output stream where to write the list of extensions
1198  * @param[out] written Total number of bytes that have been written
1199  * @return Error code
1200  **/
1201 
1202 error_t tls13FormatCertExtensions(uint8_t *p, size_t *written)
1203 {
1204  TlsExtensionList *extensionList;
1205 
1206  //Point to the list of extensions
1207  extensionList = (TlsExtensionList *) p;
1208 
1209  //Extensions in the Certificate message from the server must correspond to
1210  //ones from the ClientHello message. Extensions in the Certificate message
1211  //from the client must correspond to extensions in the CertificateRequest
1212  //message from the server
1213  extensionList->length = HTONS(0);
1214 
1215  //Total number of bytes that have been written
1216  *written = sizeof(TlsExtensionList);
1217 
1218  //Successful processing
1219  return NO_ERROR;
1220 }
1221 
1222 
1223 /**
1224  * @brief Parse certificate extensions
1225  * @param[in] p Input stream where to read the list of extensions
1226  * @param[in] length Number of bytes available in the input stream
1227  * @return Error code
1228  **/
1229 
1230 error_t tls13ParseCertExtensions(const uint8_t *p, size_t length,
1231  size_t *consumed)
1232 {
1233  error_t error;
1234  size_t n;
1236  const TlsExtensionList *extensionList;
1237 
1238  //Point to the list of extensions
1239  extensionList = (TlsExtensionList *) p;
1240 
1241  //Malformed CertificateEntry?
1242  if(length < sizeof(TlsExtensionList))
1243  return ERROR_DECODING_FAILED;
1244 
1245  //Retrieve the length of the list
1246  n = sizeof(TlsExtensionList) + ntohs(extensionList->length);
1247 
1248  //Malformed CertificateEntry?
1249  if(length < n)
1250  return ERROR_DECODING_FAILED;
1251 
1252  //Parse the list of extensions for the current CertificateEntry
1254  &extensions);
1255  //Any error to report?
1256  if(error)
1257  return error;
1258 
1259  //Check the list of extensions
1261  &extensions);
1262  //Any error to report?
1263  if(error)
1264  return error;
1265 
1266  //Total number of bytes that have been consumed
1267  *consumed = n;
1268 
1269  //Successful processing
1270  return NO_ERROR;
1271 }
1272 
1273 #endif
@ TLS_GROUP_BRAINPOOLP512R1_TLS13
Definition: tls.h:1240
#define tlsAllocMem(size)
Definition: tls.h:757
@ TLS_TYPE_MESSAGE_HASH
Definition: tls.h:951
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256
Definition: tls.h:1115
#define htons(value)
Definition: cpu_endian.h:392
Parsing and checking of TLS extensions.
TLS helper functions.
uint8_t length
Definition: dtls_misc.h:149
__start_packed struct @94 Tls13PskIdentity
PSK identity.
@ TLS_GROUP_BRAINPOOLP256R1_TLS13
Definition: tls.h:1238
int bool_t
Definition: compiler_port.h:49
__start_packed struct @69 TlsExtensionList
List of TLS extensions.
error_t pemImportRsaPrivateKey(const char_t *input, size_t length, RsaPrivateKey *privateKey)
Decode a PEM file containing an RSA private key.
Definition: pem_import.c:382
@ TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA256
Definition: tls13_misc.h:142
error_t tls13GenerateKeyShare(TlsContext *context, uint16_t namedGroup)
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:237
error_t ecImport(const EcDomainParameters *params, EcPoint *r, const uint8_t *data, size_t length)
Convert an octet string to an EC point.
Definition: ec.c:214
RSA/DSA/ECDSA/EdDSA signature generation and verification.
error_t tlsFinalizeTranscriptHash(TlsContext *context, const HashAlgo *hash, const void *hashContext, const char_t *label, uint8_t *output)
Finalize hash calculation from previous handshake messages.
uint8_t p
Definition: ndp.h:298
error_t tls13DigestClientHello1(TlsContext *context)
__start_packed struct @59 DtlsHandshake
DTLS handshake message.
error_t dhCheckPublicKey(DhParameters *params, const Mpi *publicKey)
Check Diffie-Hellman public value.
Definition: dh.c:154
@ TLS_SIGN_SCHEME_ED25519
Definition: tls13_misc.h:155
__start_packed struct @91 Tls13KeyShareEntry
Key share entry.
#define TRUE
Definition: os_port.h:50
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384
Definition: tls.h:1121
@ TLS_GROUP_SECP256R1
Definition: tls.h:1230
size_t digestSize
Definition: crypto.h:1135
@ TLS_TRANSPORT_PROTOCOL_DATAGRAM
Definition: tls.h:851
error_t tls13ParseCertExtensions(const uint8_t *p, size_t length, size_t *consumed)
uint8_t signature
Definition: tls.h:1370
@ ERROR_HANDSHAKE_FAILED
Definition: error.h:228
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
@ TLS_SIGN_SCHEME_ECDSA_SECP256R1_SHA256
Definition: tls13_misc.h:149
FFDHE parameters.
Definition: tls_ffdhe.h:47
@ TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA384
Definition: tls13_misc.h:146
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512
Definition: tls.h:1122
error_t mpiImport(Mpi *r, const uint8_t *data, uint_t length, MpiFormat format)
Octet string to integer conversion.
Definition: mpi.c:533
void rsaInitPrivateKey(RsaPrivateKey *key)
Initialize an RSA private key.
Definition: rsa.c:131
@ TLS_GROUP_FFDHE6144
Definition: tls.h:1251
@ TLS_SIGN_ALGO_ED448
Definition: tls.h:1119
TLS 1.3 helper functions.
@ TLS_TYPE_CERTIFICATE
Definition: tls.h:940
@ TLS_HASH_ALGO_SHA512
Definition: tls.h:1100
error_t ecLoadDomainParameters(EcDomainParameters *params, const EcCurveInfo *curveInfo)
Load EC domain parameters.
Definition: ec.c:93
#define FALSE
Definition: os_port.h:46
error_t dhComputeSharedSecret(DhContext *context, uint8_t *output, size_t outputSize, size_t *outputLen)
Compute Diffie-Hellman shared secret.
Definition: dh.c:190
bool_t tls13IsGroupSupported(TlsContext *context, uint16_t namedGroup)
Elliptic curve parameters.
Definition: ec_curves.h:292
PEM file import functions.
@ ERROR_INVALID_PARAMETER
Invalid parameter.
Definition: error.h:47
Tls13SignatureScheme
Signature schemes (TLS 1.3)
Definition: tls13_misc.h:135
@ TLS_GROUP_ECDH_X25519
Definition: tls.h:1236
#define TlsContext
Definition: tls.h:36
error_t
Error codes.
Definition: error.h:42
@ TLS_CERT_ED25519_SIGN
Definition: tls.h:1083
HashAlgoCompute compute
Definition: crypto.h:1138
@ TLS_SIGN_SCHEME_ECDSA_SECP384R1_SHA384
Definition: tls13_misc.h:150
void rsaFreePrivateKey(RsaPrivateKey *key)
Release an RSA private key.
Definition: rsa.c:150
@ TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA512
Definition: tls13_misc.h:147
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:829
#define TLS_PREMASTER_SECRET_SIZE
Definition: tls.h:722
@ ERROR_FAILURE
Generic error code.
Definition: error.h:45
error_t tlsParseHelloExtensions(TlsMessageType msgType, const uint8_t *p, size_t length, TlsHelloExtensions *extensions)
Parse Hello extensions.
error_t rsassaPssSign(const PrngAlgo *prngAlgo, void *prngContext, const RsaPrivateKey *key, const HashAlgo *hash, size_t saltLen, const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
RSASSA-PSS signature generation operation.
Definition: rsa.c:920
@ TLS_GROUP_FFDHE4096
Definition: tls.h:1250
@ TLS_TYPE_CLIENT_HELLO
Definition: tls.h:933
#define TLS_VERSION_1_3
Definition: tls.h:95
@ TLS_HASH_ALGO_SHA384
Definition: tls.h:1099
@ TLS_CERT_RSA_PSS_SIGN
Definition: tls.h:1082
@ ERROR_INVALID_LENGTH
Definition: error.h:109
@ TLS_GROUP_SECP384R1
Definition: tls.h:1231
@ TLS_SIGN_SCHEME_ED448
Definition: tls13_misc.h:156
@ TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA256
Definition: tls13_misc.h:145
@ TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA512
Definition: tls13_misc.h:144
@ TLS_SIGN_ALGO_ED25519
Definition: tls.h:1118
__start_packed struct @84 TlsHandshake
TLS handshake message.
@ TLS_HASH_ALGO_SHA256
Definition: tls.h:1098
@ TLS_CERT_ED448_SIGN
Definition: tls.h:1084
error_t tls13VerifySignature(TlsContext *context, const uint8_t *p, size_t length)
@ TLS_CERT_RSA_SIGN
Definition: tls.h:1072
@ TLS_GROUP_FFDHE2048
Definition: tls.h:1248
const TlsFfdheGroup * tlsGetFfdheGroup(TlsContext *context, uint16_t namedGroup)
Get the FFDHE parameters that match the specified named group.
Definition: tls_ffdhe.c:315
error_t tlsLoadFfdheParameters(DhParameters *params, const TlsFfdheGroup *ffdheGroup)
Load FFDHE parameters.
Definition: tls_ffdhe.c:375
error_t hmacCompute(const HashAlgo *hash, const void *key, size_t keyLen, const void *data, size_t dataLen, uint8_t *digest)
Compute HMAC using the specified hash function.
Definition: hmac.c:85
@ TLS_GROUP_SECP521R1
Definition: tls.h:1232
@ TLS_GROUP_FFDHE3072
Definition: tls.h:1249
Hello extensions.
Definition: tls.h:1894
@ TLS_SIGN_SCHEME_ECDSA_SECP521R1_SHA512
Definition: tls13_misc.h:151
error_t tls13HkdfExpandLabel(const HashAlgo *hash, const uint8_t *secret, size_t secretLen, const char_t *label, const uint8_t *context, size_t contextLen, uint8_t *output, size_t outputLen)
@ TLS_GROUP_BRAINPOOLP384R1_TLS13
Definition: tls.h:1239
Transcript hash calculation.
error_t ecdhComputeSharedSecret(EcdhContext *context, uint8_t *output, size_t outputSize, size_t *outputLen)
Compute ECDH shared secret.
Definition: ecdh.c:385
uint8_t hash
Definition: tls.h:1369
error_t tls13GenerateSharedSecret(TlsContext *context, const uint8_t *keyShare, size_t length)
#define ntohs(value)
Definition: cpu_endian.h:398
#define TRACE_DEBUG(...)
Definition: debug.h:106
error_t tlsVerifyEddsaSignature(TlsContext *context, const uint8_t *message, size_t messageLen, const uint8_t *signature, size_t signatureLen)
Verify EdDSA signature.
error_t tls13ComputePskBinder(TlsContext *context, const void *clientHello, size_t clientHelloLen, size_t truncatedClientHelloLen, const Tls13PskIdentity *identity, uint8_t *binder, size_t binderLen)
bool_t tls13IsEcdheGroupSupported(TlsContext *context, uint16_t namedGroup)
error_t tls13DeriveSecret(TlsContext *context, const uint8_t *secret, size_t secretLen, const char_t *label, const char_t *message, size_t messageLen, uint8_t *output, size_t outputLen)
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:107
@ TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA384
Definition: tls13_misc.h:143
#define HTONS(value)
Definition: cpu_endian.h:390
uint8_t n
error_t tls13GenerateSignature(TlsContext *context, uint8_t *p, size_t *length)
RSA private key.
Definition: rsa.h:59
uint8_t extensions[]
Definition: tls13_misc.h:327
HKDF (HMAC-based Key Derivation Function)
error_t rsassaPssVerify(const RsaPublicKey *key, const HashAlgo *hash, size_t saltLen, const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
RSASSA-PSS signature verification operation.
Definition: rsa.c:1040
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512
Definition: tls.h:1117
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256
Definition: tls.h:1120
bool_t tls13IsPskValid(TlsContext *context)
bool_t tls13IsFfdheGroupSupported(TlsContext *context, uint16_t namedGroup)
__start_packed struct @99 Tls13DigitalSignature
Digitally-signed element (TLS 1.3)
bool_t tls13IsTicketValid(TlsContext *context)
#define TLS_MAX_HKDF_DIGEST_SIZE
Definition: tls.h:817
@ TLS_CONNECTION_END_CLIENT
Definition: tls.h:861
Certificate handling.
uint8_t message[]
Definition: chap.h:152
const EcCurveInfo * tlsGetCurveInfo(TlsContext *context, uint16_t namedCurve)
Get the EC domain parameters that match the specified named curve.
Definition: tls_misc.c:890
@ MPI_FORMAT_BIG_ENDIAN
Definition: mpi.h:61
TLS (Transport Layer Security)
const uint8_t tls11DowngradeRandom[8]
const uint8_t tls12DowngradeRandom[8]
#define STORE24BE(a, p)
Definition: cpu_endian.h:257
@ TLS_CERT_ECDSA_SIGN
Definition: tls.h:1079
error_t tlsGenerateEcdsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, uint8_t *signature, size_t *signatureLen)
Generate ECDSA signature.
error_t tlsCheckHelloExtensions(TlsMessageType msgType, uint16_t version, TlsHelloExtensions *extensions)
Check Hello extensions.
TLS 1.3 key schedule.
error_t tlsGenerateEddsaSignature(TlsContext *context, const uint8_t *message, size_t messageLen, uint8_t *signature, size_t *signatureLen)
Generate EdDSA signature.
Common interface for hash algorithms.
Definition: crypto.h:1128
error_t hkdfExtract(const HashAlgo *hash, const uint8_t *ikm, size_t ikmLen, const uint8_t *salt, size_t saltLen, uint8_t *prk)
HKDF extract step.
Definition: hkdf.c:97
FFDHE key exchange.
@ ERROR_UNSUPPORTED_SIGNATURE_ALGO
Definition: error.h:130
error_t dhGenerateKeyPair(DhContext *context, const PrngAlgo *prngAlgo, void *prngContext)
Diffie-Hellman key pair generation.
Definition: dh.c:91
@ ERROR_DECODING_FAILED
Definition: error.h:235
@ TLS_GROUP_ECDH_X448
Definition: tls.h:1237
#define tlsFreeMem(p)
Definition: tls.h:762
@ TLS_SIGN_ALGO_ECDSA
Definition: tls.h:1114
error_t ecdhCheckPublicKey(const EcDomainParameters *params, EcPoint *publicKey)
Check ECDH public key.
Definition: ecdh.c:272
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384
Definition: tls.h:1116
@ TLS_GROUP_FFDHE8192
Definition: tls.h:1252
error_t tls13CheckDuplicateKeyShare(uint16_t namedGroup, const uint8_t *p, size_t length)
@ NO_ERROR
Success.
Definition: error.h:44
error_t tls13FormatCertExtensions(uint8_t *p, size_t *written)
error_t tlsVerifyEcdsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, const uint8_t *signature, size_t signatureLen)
Verify ECDSA signature.
Debugging facilities.
const uint8_t tls13HelloRetryRequestRandom[32]
error_t ecdhGenerateKeyPair(EcdhContext *context, const PrngAlgo *prngAlgo, void *prngContext)
ECDH key pair generation.
Definition: ecdh.c:87