tls13_misc.c
Go to the documentation of this file.
1 /**
2  * @file tls13_misc.c
3  * @brief TLS 1.3 helper functions
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneSSL Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @author Oryx Embedded SARL (www.oryx-embedded.com)
26  * @version 1.9.0
27  **/
28 
29 //Switch to the appropriate trace level
30 #define TRACE_LEVEL TLS_TRACE_LEVEL
31 
32 //Dependencies
33 #include <string.h>
34 #include "tls.h"
35 #include "tls_extensions.h"
36 #include "tls_certificate.h"
37 #include "tls_signature.h"
38 #include "tls_transcript_hash.h"
39 #include "tls_ffdhe.h"
40 #include "tls_misc.h"
41 #include "tls13_misc.h"
42 #include "tls13_key_material.h"
43 #include "certificate/pem_import.h"
44 #include "kdf/hkdf.h"
45 #include "debug.h"
46 
47 //Check TLS library configuration
48 #if (TLS_SUPPORT == ENABLED && TLS_MAX_VERSION >= TLS_VERSION_1_3)
49 
50 //Downgrade protection mechanism (TLS 1.1 or below)
51 const uint8_t tls11DowngradeRandom[8] =
52 {
53  0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x00
54 };
55 
56 //Downgrade protection mechanism (TLS 1.2)
57 const uint8_t tls12DowngradeRandom[8] =
58 {
59  0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x01
60 };
61 
62 //Special random value for HelloRetryRequest message
63 const uint8_t tls13HelloRetryRequestRandom[32] =
64 {
65  0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
66  0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
67  0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
68  0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
69 };
70 
71 
72 /**
73  * @brief Compute PSK binder value
74  * @param[in] context Pointer to the TLS context
75  * @param[in] clientHello Pointer to the ClientHello message
76  * @param[in] clientHelloLen Length of the ClientHello message
77  * @param[in] truncatedClientHelloLen Length of the partial ClientHello message
78  * @param[in] identity Pointer to the PSK identity
79  * @param[out] binder Buffer where to store the resulting PSK binder
80  * @param[in] binderLen Expected length of the PSK binder
81  * @return Error code
82  **/
83 
84 error_t tls13ComputePskBinder(TlsContext *context, const void *clientHello,
85  size_t clientHelloLen, size_t truncatedClientHelloLen,
86  const Tls13PskIdentity *identity, uint8_t *binder, size_t binderLen)
87 {
88  error_t error;
89  const HashAlgo *hash;
90  uint8_t *hashContext;
91  uint8_t key[TLS_MAX_HKDF_DIGEST_SIZE];
92  uint8_t digest[TLS_MAX_HKDF_DIGEST_SIZE];
93 
94  //Check parameters
95  if(truncatedClientHelloLen >= clientHelloLen)
97 
98  //The hash function used by HKDF is the cipher suite hash algorithm
99  hash = context->cipherSuite.prfHashAlgo;
100  //Make sure the hash algorithm is valid
101  if(hash == NULL)
102  return ERROR_FAILURE;
103 
104  //Check the length of the PSK binder
105  if(binderLen != hash->digestSize)
106  return ERROR_INVALID_LENGTH;
107 
108  //Allocate a memory buffer to hold the hash context
109  hashContext = tlsAllocMem(hash->contextSize);
110  //Failed to allocate memory?
111  if(hashContext == NULL)
112  return ERROR_OUT_OF_MEMORY;
113 
114  //Intialize transcript hash
115  if(context->handshakeHashContext != NULL)
116  memcpy(hashContext, context->handshakeHashContext, hash->contextSize);
117  else
118  hash->init(hashContext);
119 
120 #if (DTLS_SUPPORT == ENABLED)
121  //DTLS protocol?
122  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
123  {
124  DtlsHandshake header;
125 
126  //Handshake message type
127  header.msgType = TLS_TYPE_CLIENT_HELLO;
128  //Number of bytes in the message
129  STORE24BE(clientHelloLen, header.length);
130  //Message sequence number
131  header.msgSeq = htons(context->txMsgSeq);
132  //Fragment offset
133  STORE24BE(0, header.fragOffset);
134  //Fragment length
135  STORE24BE(clientHelloLen, header.fragLength);
136 
137  //Digest the handshake message header
138  hash->update(hashContext, &header, sizeof(DtlsHandshake));
139  }
140  else
141 #endif
142  //TLS protocol?
143  {
144  TlsHandshake header;
145 
146  //Handshake message type
147  header.msgType = TLS_TYPE_CLIENT_HELLO;
148  //Number of bytes in the message
149  STORE24BE(clientHelloLen, header.length);
150 
151  //Digest the handshake message header
152  hash->update(hashContext, &header, sizeof(TlsHandshake));
153  }
154 
155  //Digest the partial ClientHello
156  hash->update(hashContext, clientHello, truncatedClientHelloLen);
157  //Calculate transcript hash
158  hash->final(hashContext, digest);
159 
160  //Release previously allocated memory
161  tlsFreeMem(hashContext);
162 
163  //Debug message
164  TRACE_DEBUG("Transcript hash (partial ClientHello):\r\n");
165  TRACE_DEBUG_ARRAY(" ", digest, hash->digestSize);
166 
167  //Although PSKs can be established out of band, PSKs can also be established
168  //in a previous connection
169  if(tls13IsPskValid(context))
170  {
171  //Calculate early secret
172  error = hkdfExtract(hash, context->psk, context->pskLen, NULL, 0,
173  context->secret);
174  //Any error to report?
175  if(error)
176  return error;
177 
178  //Debug message
179  TRACE_DEBUG("Early secret:\r\n");
180  TRACE_DEBUG_ARRAY(" ", context->secret, hash->digestSize);
181 
182  //Calculate binder key
183  error = tls13DeriveSecret(context, context->secret, hash->digestSize,
184  "ext binder", "", 0, key, hash->digestSize);
185  //Any error to report?
186  if(error)
187  return error;
188  }
189  else if(tls13IsTicketValid(context))
190  {
191  //Calculate early secret
192  error = hkdfExtract(hash, context->ticketPsk, context->ticketPskLen,
193  NULL, 0, context->secret);
194  //Any error to report?
195  if(error)
196  return error;
197 
198  //Debug message
199  TRACE_DEBUG("Early secret:\r\n");
200  TRACE_DEBUG_ARRAY(" ", context->secret, hash->digestSize);
201 
202  //Calculate binder key
203  error = tls13DeriveSecret(context, context->secret, hash->digestSize,
204  "res binder", "", 0, key, hash->digestSize);
205  //Any error to report?
206  if(error)
207  return error;
208  }
209  else
210  {
211  //The pre-shared key is not valid
212  return ERROR_FAILURE;
213  }
214 
215  //Debug message
216  TRACE_DEBUG("Binder key:\r\n");
217  TRACE_DEBUG_ARRAY(" ", key, hash->digestSize);
218 
219  //The PskBinderEntry is computed in the same way as the Finished message
220  //but with the base key being the binder key
221  error = tls13HkdfExpandLabel(hash, key, hash->digestSize, "finished",
222  NULL, 0, key, hash->digestSize);
223  //Any error to report?
224  if(error)
225  return error;
226 
227  //Debug message
228  TRACE_DEBUG("Finished key:\r\n");
229  TRACE_DEBUG_ARRAY(" ", key, hash->digestSize);
230 
231  //Compute PSK binder
232  error = hmacCompute(hash, key, hash->digestSize, digest, hash->digestSize,
233  binder);
234  //Any error to report?
235  if(error)
236  return error;
237 
238  //Debug message
239  TRACE_DEBUG("PSK binder:\r\n");
240  TRACE_DEBUG_ARRAY(" ", binder, binderLen);
241 
242  //Successful processing
243  return NO_ERROR;
244 }
245 
246 
247 /**
248  * @brief Key share generation
249  * @param[in] context Pointer to the TLS context
250  * @param[in] namedGroup Named group
251  * @return Error code
252  **/
253 
254 error_t tls13GenerateKeyShare(TlsContext *context, uint16_t namedGroup)
255 {
256  error_t error;
257 
258 #if (TLS13_ECDHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
259  //Elliptic curve group?
260  if(tls13IsEcdheGroupSupported(context, namedGroup))
261  {
262  const EcCurveInfo *curveInfo;
263 
264  //Retrieve the elliptic curve to be used
265  curveInfo = tlsGetCurveInfo(context, namedGroup);
266 
267  //Valid elliptic curve?
268  if(curveInfo != NULL)
269  {
270  //Save the named group
271  context->namedGroup = namedGroup;
272 
273  //Load EC domain parameters
274  error = ecLoadDomainParameters(&context->ecdhContext.params, curveInfo);
275 
276  //Check status code
277  if(!error)
278  {
279  //Generate an ephemeral key pair
280  error = ecdhGenerateKeyPair(&context->ecdhContext, context->prngAlgo,
281  context->prngContext);
282  }
283  }
284  else
285  {
286  //Unsupported elliptic curve
287  error = ERROR_ILLEGAL_PARAMETER;
288  }
289  }
290  else
291 #endif
292 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED)
293  //Finite field group?
294  if(tls13IsFfdheGroupSupported(context, namedGroup))
295  {
296 #if (TLS_FFDHE_SUPPORT == ENABLED)
297  const TlsFfdheGroup *ffdheGroup;
298 
299  //Get the FFDHE parameters that match the specified named group
300  ffdheGroup = tlsGetFfdheGroup(context, namedGroup);
301 
302  //Valid FFDHE group?
303  if(ffdheGroup != NULL)
304  {
305  //Save the named group
306  context->namedGroup = namedGroup;
307 
308  //Load FFDHE parameters
309  error = tlsLoadFfdheParameters(&context->dhContext.params, ffdheGroup);
310 
311  //Check status code
312  if(!error)
313  {
314  //Generate an ephemeral key pair
315  error = dhGenerateKeyPair(&context->dhContext, context->prngAlgo,
316  context->prngContext);
317  }
318  }
319  else
320 #endif
321  {
322  //The specified FFDHE group is not supported
323  error = ERROR_ILLEGAL_PARAMETER;
324  }
325  }
326  else
327 #endif
328  //Unknown group?
329  {
330  //Report an error
331  error = ERROR_ILLEGAL_PARAMETER;
332  }
333 
334  //Return status code
335  return error;
336 }
337 
338 
339 /**
340  * @brief (EC)DHE shared secret generation
341  * @param[in] context Pointer to the TLS context
342  * @param[in] keyShare Pointer to the peer's (EC)DHE parameters
343  * @param[in] length Length of the (EC)DHE parameters, in bytes
344  * @return Error code
345  **/
346 
347 error_t tls13GenerateSharedSecret(TlsContext *context, const uint8_t *keyShare,
348  size_t length)
349 {
350  error_t error;
351 
352 #if (TLS13_ECDHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
353  //Elliptic curve group?
354  if(tls13IsEcdheGroupSupported(context, context->namedGroup))
355  {
356  //Read peer's public key (refer to RFC 8446, section 4.2.8.2)
357  error = ecImport(&context->ecdhContext.params,
358  &context->ecdhContext.qb, keyShare, length);
359 
360  //Check status code
361  if(!error)
362  {
363  //Verify peer's public key
364  error = ecdhCheckPublicKey(&context->ecdhContext.params,
365  &context->ecdhContext.qb);
366  }
367 
368  //Check status code
369  if(!error)
370  {
371  //ECDH shared secret calculation is performed according to IEEE Std
372  //1363-2000 (refer to RFC 8446, section 7.4.2)
373  error = ecdhComputeSharedSecret(&context->ecdhContext,
374  context->premasterSecret, TLS_PREMASTER_SECRET_SIZE,
375  &context->premasterSecretLen);
376  }
377  }
378  else
379 #endif
380 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED)
381  //Finite field group?
382  if(tls13IsFfdheGroupSupported(context, context->namedGroup))
383  {
384 #if (TLS_FFDHE_SUPPORT == ENABLED)
385  //Read client's public key (refer to RFC 8446, section 4.2.8.1)
386  error = mpiImport(&context->dhContext.yb, keyShare, length,
388 
389  //Check status code
390  if(!error)
391  {
392  //Verify peer's public key
393  error = dhCheckPublicKey(&context->dhContext.params,
394  &context->dhContext.yb);
395  }
396 
397  //Check status code
398  if(!error)
399  {
400  //The negotiated key (Z) is converted to a byte string by encoding in
401  //big-endian and left padded with zeros up to the size of the prime
402  //(refer to RFC 8446, section 7.4.1)
403  error = dhComputeSharedSecret(&context->dhContext,
404  context->premasterSecret, TLS_PREMASTER_SECRET_SIZE,
405  &context->premasterSecretLen);
406  }
407 #else
408  //The specified FFDHE group is not supported
409  error = ERROR_HANDSHAKE_FAILED;
410 #endif
411  }
412  else
413 #endif
414  //Unknown group?
415  {
416  //Report an error
417  error = ERROR_HANDSHAKE_FAILED;
418  }
419 
420  //Return status code
421  return error;
422 }
423 
424 
425 /**
426  * @brief Digital signature generation (TLS 1.3)
427  * @param[in] context Pointer to the TLS context
428  * @param[out] p Buffer where to store the digitally-signed element
429  * @param[out] length Length of the digitally-signed element
430  * @return Error code
431  **/
432 
433 error_t tls13GenerateSignature(TlsContext *context, uint8_t *p,
434  size_t *length)
435 {
436  error_t error;
437  size_t n;
438  uint8_t *buffer;
440  const HashAlgo *hashAlgo;
441 
442  //Point to the digitally-signed element
444 
445  //The hash function used by HKDF is the cipher suite hash algorithm
446  hashAlgo = context->cipherSuite.prfHashAlgo;
447  //Make sure the hash algorithm is valid
448  if(hashAlgo == NULL)
449  return ERROR_FAILURE;
450 
451  //Calculate the length of the content covered by the digital signature
452  n = hashAlgo->digestSize + 98;
453 
454  //Allocate a memory buffer
455  buffer = tlsAllocMem(n);
456  //Failed to allocate memory?
457  if(buffer == NULL)
458  return ERROR_OUT_OF_MEMORY;
459 
460  //Form a string that consists of octet 32 (0x20) repeated 64 times
461  memset(buffer, ' ', 64);
462 
463  //Append the context string. It is used to provide separation between
464  //signatures made in different contexts, helping against potential
465  //cross-protocol attacks
466  if(context->entity == TLS_CONNECTION_END_CLIENT)
467  memcpy(buffer + 64, "TLS 1.3, client CertificateVerify", 33);
468  else
469  memcpy(buffer + 64, "TLS 1.3, server CertificateVerify", 33);
470 
471  //Append a single 0 byte which serves as the separator
472  buffer[97] = 0x00;
473 
474  //Compute the transcript hash
475  error = tlsFinalizeTranscriptHash(context, hashAlgo,
476  context->handshakeHashContext, "", buffer + 98);
477 
478  //Check status code
479  if(!error)
480  {
481 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
482  //RSA-PSS signature scheme?
483  if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
484  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
485  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 ||
486  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256 ||
487  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384 ||
488  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
489  {
490  RsaPrivateKey privateKey;
491 
492  //Initialize RSA private key
493  rsaInitPrivateKey(&privateKey);
494 
495  //The algorithm field specifies the signature scheme and the
496  //corresponding hash algorithm
497  if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256)
498  {
499  //Select rsa_pss_rsae_sha256 signature algorithm
502  }
503  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384)
504  {
505  //Select rsa_pss_rsae_sha384 signature algorithm
508  }
509  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512)
510  {
511  //Select rsa_pss_rsae_sha512 signature algorithm
514  }
515  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256)
516  {
517  //Select rsa_pss_pss_sha256 signature algorithm
520  }
521  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384)
522  {
523  //Select rsa_pss_pss_sha384 signature algorithm
526  }
527  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
528  {
529  //Select rsa_pss_pss_sha512 signature algorithm
532  }
533  else
534  {
535  //Invalid signature algorithm
537  }
538 
539  //Check status code
540  if(!error)
541  {
542  //Pre-hash the content covered by the digital signature
543  if(hashAlgo != NULL)
544  error = hashAlgo->compute(buffer, n, context->clientVerifyData);
545  else
547  }
548 
549  //Check status code
550  if(!error)
551  {
552  //Retrieve the RSA private key corresponding to the certificate sent
553  //in the previous message
554  error = pemImportRsaPrivateKey(context->cert->privateKey,
555  context->cert->privateKeyLen, &privateKey);
556  }
557 
558  //Check status code
559  if(!error)
560  {
561  //RSA signatures must use an RSASSA-PSS algorithm, regardless of
562  //whether RSASSA-PKCS1-v1_5 algorithms appear in SignatureAlgorithms
563  error = rsassaPssSign(context->prngAlgo, context->prngContext,
564  &privateKey, hashAlgo, hashAlgo->digestSize,
565  context->clientVerifyData, signature->value, length);
566  }
567 
568  //Release previously allocated resources
569  rsaFreePrivateKey(&privateKey);
570  }
571  else
572 #endif
573 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
574  //ECDSA signature scheme?
575  if(context->signAlgo == TLS_SIGN_ALGO_ECDSA)
576  {
577  //The algorithm field specifies the signature scheme, the corresponding
578  //curve and the corresponding hash algorithm
579  if(context->cert->namedCurve == TLS_GROUP_SECP256R1 &&
580  context->signHashAlgo == TLS_HASH_ALGO_SHA256)
581  {
582  //Select ecdsa_secp256r1_sha256 signature algorithm
585  }
586  else if(context->cert->namedCurve == TLS_GROUP_SECP384R1 &&
587  context->signHashAlgo == TLS_HASH_ALGO_SHA384)
588  {
589  //Select ecdsa_secp384r1_sha384 signature algorithm
592  }
593  else if(context->cert->namedCurve == TLS_GROUP_SECP521R1 &&
594  context->signHashAlgo == TLS_HASH_ALGO_SHA512)
595  {
596  //Select ecdsa_secp521r1_sha512 signature algorithm
599  }
600  else
601  {
602  //Invalid signature algorithm
604  }
605 
606  //Check status code
607  if(!error)
608  {
609  //Pre-hash the content covered by the digital signature
610  if(hashAlgo != NULL)
611  error = hashAlgo->compute(buffer, n, context->clientVerifyData);
612  else
614  }
615 
616  //Check status code
617  if(!error)
618  {
619  //Generate an ECDSA signature
620  error = tlsGenerateEcdsaSignature(context, context->clientVerifyData,
621  hashAlgo->digestSize, signature->value, length);
622  }
623  }
624  else
625 #endif
626 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
627  //EdDSA signature scheme?
628  if(context->signAlgo == TLS_SIGN_ALGO_ED25519 ||
629  context->signAlgo == TLS_SIGN_ALGO_ED448)
630  {
631  //The algorithm field specifies the signature algorithm used
632  if(context->signAlgo == TLS_SIGN_ALGO_ED25519)
633  {
634  //Select ed25519 signature algorithm
636  }
637  else if(context->signAlgo == TLS_SIGN_ALGO_ED448)
638  {
639  //Select ed448 signature algorithm
640  signature->algorithm = HTONS(TLS_SIGN_SCHEME_ED448);
641  }
642  else
643  {
644  //Invalid signature algorithm
646  }
647 
648  //Check status code
649  if(!error)
650  {
651  //Generate a signature in PureEdDSA mode, without pre-hashing
652  error = tlsGenerateEddsaSignature(context, buffer, n,
653  signature->value, length);
654  }
655  }
656  else
657 #endif
658  //Invalid signature scheme?
659  {
660  //Report an error
662  }
663  }
664 
665  //Release memory buffer
666  tlsFreeMem(buffer);
667 
668  //Check status code
669  if(!error)
670  {
671  //The signature is preceded by a 2-byte length field
672  signature->length = htons(*length);
673  //Total length of the digitally-signed element
674  *length += sizeof(Tls13DigitalSignature);
675  }
676 
677  //Return status code
678  return error;
679 }
680 
681 
682 /**
683  * @brief Digital signature verification (TLS 1.3)
684  * @param[in] context Pointer to the TLS context
685  * @param[in] p Pointer to the digitally-signed element to be verified
686  * @param[in] length Length of the digitally-signed element
687  * @return Error code
688  **/
689 
690 error_t tls13VerifySignature(TlsContext *context, const uint8_t *p,
691  size_t length)
692 {
693  error_t error;
694  size_t n;
695  uint8_t *buffer;
696  Tls13SignatureScheme signAlgo;
698  const HashAlgo *hashAlgo;
699 
700  //Point to the digitally-signed element
702 
703  //Malformed CertificateVerify message?
704  if(length < sizeof(Tls13DigitalSignature))
705  return ERROR_DECODING_FAILED;
706  if(length != (sizeof(Tls13DigitalSignature) + ntohs(signature->length)))
707  return ERROR_DECODING_FAILED;
708 
709  //The hash function used by HKDF is the cipher suite hash algorithm
710  hashAlgo = context->cipherSuite.prfHashAlgo;
711  //Make sure the hash algorithm is valid
712  if(hashAlgo == NULL)
713  return ERROR_FAILURE;
714 
715  //Calculate the length of the content covered by the digital signature
716  n = hashAlgo->digestSize + 98;
717 
718  //Allocate a memory buffer
719  buffer = tlsAllocMem(n);
720  //Failed to allocate memory?
721  if(buffer == NULL)
722  return ERROR_OUT_OF_MEMORY;
723 
724  //Form a string that consists of octet 32 (0x20) repeated 64 times
725  memset(buffer, ' ', 64);
726 
727  //Append the context string. It is used to provide separation between
728  //signatures made in different contexts, helping against potential
729  //cross-protocol attacks
730  if(context->entity == TLS_CONNECTION_END_CLIENT)
731  memcpy(buffer + 64, "TLS 1.3, server CertificateVerify", 33);
732  else
733  memcpy(buffer + 64, "TLS 1.3, client CertificateVerify", 33);
734 
735  //Append a single 0 byte which serves as the separator
736  buffer[97] = 0x00;
737 
738  //Compute the transcript hash
739  error = tlsFinalizeTranscriptHash(context, hashAlgo,
740  context->handshakeHashContext, "", buffer + 98);
741 
742  //Check status code
743  if(!error)
744  {
745  //The algorithm field specifies the signature scheme
746  signAlgo = (Tls13SignatureScheme) ntohs(signature->algorithm);
747 
748 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
749  //RSASSA-PSS signature scheme?
750  if(signAlgo == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA256 ||
756  {
757  //Enforce the type of the certificate provided by the peer
758  if(context->peerCertType == TLS_CERT_RSA_SIGN)
759  {
760  //Retrieve the hash algorithm used for signing
763  else if(signAlgo == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA384)
765  else if(signAlgo == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA512)
767  else
768  hashAlgo = NULL;
769  }
770  else if(context->peerCertType == TLS_CERT_RSA_PSS_SIGN)
771  {
772  //Retrieve the hash algorithm used for signing
773  if(signAlgo == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA256)
775  else if(signAlgo == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA384)
777  else if(signAlgo == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA512)
779  else
780  hashAlgo = NULL;
781  }
782  else
783  {
784  //Invalid certificate
785  hashAlgo = NULL;
786  }
787 
788  //Pre-hash the content covered by the digital signature
789  if(hashAlgo != NULL)
790  error = hashAlgo->compute(buffer, n, context->clientVerifyData);
791  else
792  error = ERROR_INVALID_SIGNATURE;
793 
794  //Check status code
795  if(!error)
796  {
797  //Verify RSASSA-PSS signature
798  error = rsassaPssVerify(&context->peerRsaPublicKey, hashAlgo,
799  hashAlgo->digestSize, context->clientVerifyData,
800  signature->value, ntohs(signature->length));
801  }
802  }
803  else
804 #endif
805 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
806  //ECDSA signature scheme?
810  {
811  //Enforce the type of the certificate provided by the peer
812  if(context->peerCertType == TLS_CERT_ECDSA_SIGN)
813  {
814  //Retrieve the hash algorithm used for signing
815  if(context->peerEcParams.name == NULL)
816  {
817  //Invalid signature scheme
818  hashAlgo = NULL;
819  }
820  else if(signAlgo == TLS_SIGN_SCHEME_ECDSA_SECP256R1_SHA256 &&
821  strcmp(context->peerEcParams.name, "secp256r1") == 0)
822  {
823  //Select SHA-256 hash algorithm
825  }
826  else if(signAlgo == TLS_SIGN_SCHEME_ECDSA_SECP384R1_SHA384 &&
827  strcmp(context->peerEcParams.name, "secp384r1") == 0)
828  {
829  //Select SHA-384 hash algorithm
831  }
832  else if(signAlgo == TLS_SIGN_SCHEME_ECDSA_SECP521R1_SHA512 &&
833  strcmp(context->peerEcParams.name, "secp521r1") == 0)
834  {
835  //Select SHA-512 hash algorithm
837  }
838  else
839  {
840  //Invalid signature scheme
841  hashAlgo = NULL;
842  }
843  }
844  else
845  {
846  //Invalid certificate
847  hashAlgo = NULL;
848  }
849 
850  //Pre-hash the content covered by the digital signature
851  if(hashAlgo != NULL)
852  error = hashAlgo->compute(buffer, n, context->clientVerifyData);
853  else
854  error = ERROR_INVALID_SIGNATURE;
855 
856  //Check status code
857  if(!error)
858  {
859  //Verify ECDSA signature
860  error = tlsVerifyEcdsaSignature(context, context->clientVerifyData,
861  hashAlgo->digestSize, signature->value, ntohs(signature->length));
862  }
863  }
864  else
865 #endif
866 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED && TLS_ED25519_SUPPORT == ENABLED)
867  //Ed25519 signature scheme?
868  if(signAlgo == TLS_SIGN_SCHEME_ED25519)
869  {
870  //Enforce the type of the certificate provided by the peer
871  if(context->peerCertType == TLS_CERT_ED25519_SIGN)
872  {
873  //Verify EdDSA signature (PureEdDSA mode)
874  error = tlsVerifyEddsaSignature(context, buffer, n,
875  signature->value, ntohs(signature->length));
876  }
877  else
878  {
879  //Invalid certificate
880  error = ERROR_INVALID_SIGNATURE;
881  }
882  }
883  else
884 #endif
885 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED && TLS_ED448_SUPPORT == ENABLED)
886  //Ed448 signature scheme?
887  if(signAlgo == TLS_SIGN_SCHEME_ED448)
888  {
889  //Enforce the type of the certificate provided by the peer
890  if(context->peerCertType == TLS_CERT_ED448_SIGN)
891  {
892  //Verify EdDSA signature (PureEdDSA mode)
893  error = tlsVerifyEddsaSignature(context, buffer, n,
894  signature->value, ntohs(signature->length));
895  }
896  else
897  {
898  //Invalid certificate
899  error = ERROR_INVALID_SIGNATURE;
900  }
901  }
902  else
903 #endif
904  //Unknown signature scheme?
905  {
906  //Report an error
907  error = ERROR_INVALID_SIGNATURE;
908  }
909  }
910 
911  //Release memory buffer
912  tlsFreeMem(buffer);
913 
914  //Return status code
915  return error;
916 }
917 
918 
919 /**
920  * @brief Hash ClientHello1 in the transcript when HelloRetryRequest is used
921  * @param[in] context Pointer to the TLS context
922  * @return Error code
923  **/
924 
926 {
928  const HashAlgo *hash;
929 
930  //Invalid has context?
931  if(context->handshakeHashContext == NULL)
932  return ERROR_FAILURE;
933 
934  //The hash function used by HKDF is the cipher suite hash algorithm
935  hash = context->cipherSuite.prfHashAlgo;
936  //Make sure the hash algorithm is valid
937  if(hash == NULL)
938  return ERROR_FAILURE;
939 
940  //Point to the buffer where to format the handshake message
941  message = (TlsHandshake *) context->txBuffer;
942 
943  //Handshake message type
944  message->msgType = TLS_TYPE_MESSAGE_HASH;
945  //Number of bytes in the message
946  STORE24BE(hash->digestSize, message->length);
947 
948  //Compute Hash(ClientHello1)
949  hash->final(context->handshakeHashContext, message->data);
950  //Re-initialize hash algorithm context
951  hash->init(context->handshakeHashContext);
952 
953  //When the server responds to a ClientHello with a HelloRetryRequest, the
954  //value of ClientHello1 is replaced with a special synthetic handshake
955  //message of handshake type MessageHash containing Hash(ClientHello1)
956  hash->update(context->handshakeHashContext, message,
957  hash->digestSize + sizeof(TlsHandshake));
958 
959  //Successful processing
960  return NO_ERROR;
961 }
962 
963 
964 /**
965  * @brief Check whether an externally established PSK is valid
966  * @param[in] context Pointer to the TLS context
967  * @return TRUE is the PSK is valid, else FALSE
968  **/
969 
971 {
972  bool_t valid = FALSE;
973 
974  //Make sure the hash algorithm associated with the PSK is valid
975  if(tlsGetHashAlgo(context->pskHashAlgo) != NULL)
976  {
977  //Valid PSK?
978  if(context->psk != NULL && context->pskLen > 0)
979  {
980  //Check whether TLS operates as a client or a server
981  if(context->entity == TLS_CONNECTION_END_CLIENT)
982  {
983  //Valid PSK identity?
984  if(context->pskIdentity != NULL)
985  {
986  valid = TRUE;
987  }
988  }
989  else
990  {
991  valid = TRUE;
992  }
993  }
994  }
995 
996  //Return TRUE is the PSK is valid, else FALSE
997  return valid;
998 }
999 
1000 
1001 /**
1002  * @brief Check whether a session ticket is valid
1003  * @param[in] context Pointer to the TLS context
1004  * @return TRUE is the session ticket is valid, else FALSE
1005  **/
1006 
1008 {
1009  bool_t valid = FALSE;
1010 
1011  //Make sure the hash algorithm associated with the ticket is valid
1012  if(tlsGetHashAlgo(context->ticketHashAlgo) != NULL)
1013  {
1014  //Valid ticket PSK?
1015  if(context->ticketPskLen > 0)
1016  {
1017  //Check whether TLS operates as a client or a server
1018  if(context->entity == TLS_CONNECTION_END_CLIENT)
1019  {
1020  //Valid ticket?
1021  if(context->ticket != NULL && context->ticketLen > 0)
1022  {
1023  valid = TRUE;
1024  }
1025  }
1026  else
1027  {
1028  valid = TRUE;
1029  }
1030  }
1031  }
1032 
1033  //Return TRUE is the ticket is valid, else FALSE
1034  return valid;
1035 }
1036 
1037 
1038 /**
1039  * @brief Check whether a given named group is supported
1040  * @param[in] context Pointer to the TLS context
1041  * @param[in] namedGroup Named group
1042  * @return TRUE is the named group is supported, else FALSE
1043  **/
1044 
1045 bool_t tls13IsGroupSupported(TlsContext *context, uint16_t namedGroup)
1046 {
1047  bool_t acceptable;
1048 
1049  //Initialize flag
1050  acceptable = FALSE;
1051 
1052  //Check whether the ECDHE of FFDHE group is supported
1053  if(tls13IsEcdheGroupSupported(context, namedGroup))
1054  {
1055  acceptable = TRUE;
1056  }
1057  else if(tls13IsFfdheGroupSupported(context, namedGroup))
1058  {
1059  acceptable = TRUE;
1060  }
1061  else
1062  {
1063  acceptable = FALSE;
1064  }
1065 
1066  //Return TRUE is the named group is supported
1067  return acceptable;
1068 }
1069 
1070 
1071 /**
1072  * @brief Check whether a given ECDHE group is supported
1073  * @param[in] context Pointer to the TLS context
1074  * @param[in] namedGroup Named group
1075  * @return TRUE is the ECDHE group is supported, else FALSE
1076  **/
1077 
1078 bool_t tls13IsEcdheGroupSupported(TlsContext *context, uint16_t namedGroup)
1079 {
1080  bool_t acceptable;
1081 
1082  //Initialize flag
1083  acceptable = FALSE;
1084 
1085 #if (TLS13_ECDHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
1086  //Elliptic curve group?
1087  if(namedGroup == TLS_GROUP_SECP224R1 ||
1088  namedGroup == TLS_GROUP_SECP256R1 ||
1089  namedGroup == TLS_GROUP_SECP384R1 ||
1090  namedGroup == TLS_GROUP_SECP521R1 ||
1091  namedGroup == TLS_GROUP_ECDH_X25519 ||
1092  namedGroup == TLS_GROUP_ECDH_X448)
1093  {
1094  //Check whether the ECDHE group is supported
1095  if(tlsGetCurveInfo(context, namedGroup) != NULL)
1096  {
1097  acceptable = TRUE;
1098  }
1099  }
1100 #endif
1101 
1102  //Return TRUE is the named group is supported
1103  return acceptable;
1104 }
1105 
1106 
1107 /**
1108  * @brief Check whether a given FFDHE group is supported
1109  * @param[in] context Pointer to the TLS context
1110  * @param[in] namedGroup Named group
1111  * @return TRUE is the FFDHE group is supported, else FALSE
1112  **/
1113 
1114 bool_t tls13IsFfdheGroupSupported(TlsContext *context, uint16_t namedGroup)
1115 {
1116  bool_t acceptable;
1117 
1118  //Initialize flag
1119  acceptable = FALSE;
1120 
1121 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED)
1122  //Finite field group?
1123  if(namedGroup == TLS_GROUP_FFDHE2048 ||
1124  namedGroup == TLS_GROUP_FFDHE3072 ||
1125  namedGroup == TLS_GROUP_FFDHE4096 ||
1126  namedGroup == TLS_GROUP_FFDHE6144 ||
1127  namedGroup == TLS_GROUP_FFDHE8192)
1128  {
1129 #if (TLS_FFDHE_SUPPORT == ENABLED)
1130  //Check whether the FFDHE group is supported
1131  if(tlsGetFfdheGroup(context, namedGroup) != NULL)
1132  {
1133  acceptable = TRUE;
1134  }
1135 #endif
1136  }
1137 #endif
1138 
1139  //Return TRUE is the named group is supported
1140  return acceptable;
1141 }
1142 
1143 
1144 /**
1145  * @brief Check whether the specified key share group is a duplicate
1146  * @param[in] namedGroup Named group
1147  * @param[in] p List of key share entries
1148  * @param[in] length Length of the list, in bytes
1149  * @return Error code
1150  **/
1151 
1152 error_t tls13CheckDuplicateKeyShare(uint16_t namedGroup, const uint8_t *p,
1153  size_t length)
1154 {
1155  size_t n;
1156  const Tls13KeyShareEntry *keyShareEntry;
1157 
1158  //Parse the list of key share entries offered by the peer
1159  while(length > 0)
1160  {
1161  //Malformed extension?
1162  if(length < sizeof(Tls13KeyShareEntry))
1163  return ERROR_DECODING_FAILED;
1164 
1165  //Point to the current key share entry
1166  keyShareEntry = (Tls13KeyShareEntry *) p;
1167  //Retrieve the length of the key_exchange field
1168  n = ntohs(keyShareEntry->length);
1169 
1170  //Malformed extension?
1171  if(length < (sizeof(Tls13KeyShareEntry) + n))
1172  return ERROR_DECODING_FAILED;
1173 
1174  //Clients must not offer multiple KeyShareEntry values for the same
1175  //group. Servers may check for violations of this rule and abort the
1176  //handshake with an illegal_parameter alert
1177  if(ntohs(keyShareEntry->group) == namedGroup)
1178  return ERROR_ILLEGAL_PARAMETER;
1179 
1180  //Jump to the next key share entry
1181  p += sizeof(Tls13KeyShareEntry) + n;
1182  //Number of bytes left to process
1183  length -= sizeof(Tls13KeyShareEntry) + n;
1184  }
1185 
1186  //Successful verification
1187  return NO_ERROR;
1188 }
1189 
1190 
1191 /**
1192  * @brief Format certificate extensions
1193  * @param[in] p Output stream where to write the list of extensions
1194  * @param[out] written Total number of bytes that have been written
1195  * @return Error code
1196  **/
1197 
1198 error_t tls13FormatCertExtensions(uint8_t *p, size_t *written)
1199 {
1200  TlsExtensionList *extensionList;
1201 
1202  //Point to the list of extensions
1203  extensionList = (TlsExtensionList *) p;
1204 
1205  //Extensions in the Certificate message from the server must correspond to
1206  //ones from the ClientHello message. Extensions in the Certificate message
1207  //from the client must correspond to extensions in the CertificateRequest
1208  //message from the server
1209  extensionList->length = HTONS(0);
1210 
1211  //Total number of bytes that have been written
1212  *written = sizeof(TlsExtensionList);
1213 
1214  //Successful processing
1215  return NO_ERROR;
1216 }
1217 
1218 
1219 /**
1220  * @brief Parse certificate extensions
1221  * @param[in] p Input stream where to read the list of extensions
1222  * @param[in] length Number of bytes available in the input stream
1223  * @return Error code
1224  **/
1225 
1226 error_t tls13ParseCertExtensions(const uint8_t *p, size_t length,
1227  size_t *consumed)
1228 {
1229  error_t error;
1230  size_t n;
1232  const TlsExtensionList *extensionList;
1233 
1234  //Point to the list of extensions
1235  extensionList = (TlsExtensionList *) p;
1236 
1237  //Malformed CertificateEntry?
1238  if(length < sizeof(TlsExtensionList))
1239  return ERROR_DECODING_FAILED;
1240 
1241  //Retrieve the length of the list
1242  n = sizeof(TlsExtensionList) + ntohs(extensionList->length);
1243 
1244  //Malformed CertificateEntry?
1245  if(length < n)
1246  return ERROR_DECODING_FAILED;
1247 
1248  //Parse the list of extensions for the current CertificateEntry
1250  &extensions);
1251  //Any error to report?
1252  if(error)
1253  return error;
1254 
1255  //Check the list of extensions
1257  &extensions);
1258  //Any error to report?
1259  if(error)
1260  return error;
1261 
1262  //Total number of bytes that have been consumed
1263  *consumed = n;
1264 
1265  //Successful processing
1266  return NO_ERROR;
1267 }
1268 
1269 #endif
TLS (Transport Layer Security)
error_t tlsVerifyEcdsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, const uint8_t *signature, size_t signatureLen)
Verify ECDSA signature.
__start_packed struct @95 Tls13KeyShareEntry
Key share entry.
void rsaInitPrivateKey(RsaPrivateKey *key)
Initialize a RSA private key.
Definition: rsa.c:126
__start_packed struct @98 Tls13PskIdentity
PSK identity.
error_t tlsParseHelloExtensions(TlsMessageType msgType, const uint8_t *p, size_t length, TlsHelloExtensions *extensions)
Parse Hello extensions.
bool_t tls13IsTicketValid(TlsContext *context)
error_t tls13GenerateKeyShare(TlsContext *context, uint16_t namedGroup)
FFDHE key exchange.
Debugging facilities.
#define tlsFreeMem(p)
Definition: tls.h:760
uint8_t hash
Definition: tls.h:1363
error_t ecLoadDomainParameters(EcDomainParameters *params, const EcCurveInfo *curveInfo)
Load EC domain parameters.
Definition: ec.c:91
uint8_t p
Definition: ndp.h:295
TLS 1.3 key schedule.
bool_t tls13IsGroupSupported(TlsContext *context, uint16_t namedGroup)
Generic error code.
Definition: error.h:43
HKDF (HMAC-based Key Derivation Function)
uint8_t message[]
Definition: chap.h:150
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:836
Invalid parameter.
Definition: error.h:45
FFDHE parameters.
Definition: tls_ffdhe.h:45
#define TLS_PREMASTER_SECRET_SIZE
Definition: tls.h:720
Elliptic curve parameters.
Definition: ec_curves.h:290
error_t tls13DeriveSecret(TlsContext *context, const uint8_t *secret, size_t secretLen, const char_t *label, const char_t *message, size_t messageLen, uint8_t *output, size_t outputLen)
HashAlgoCompute compute
Definition: crypto.h:1062
#define TLS_VERSION_1_3
Definition: tls.h:90
__start_packed struct @59 DtlsHandshake
DTLS handshake message.
error_t ecImport(const EcDomainParameters *params, EcPoint *r, const uint8_t *data, size_t length)
Convert an octet string to an EC point.
Definition: ec.c:208
#define htons(value)
Definition: cpu_endian.h:390
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:99
error_t mpiImport(Mpi *r, const uint8_t *data, uint_t length, MpiFormat format)
Octet string to integer conversion.
Definition: mpi.c:511
__start_packed struct @84 TlsHandshake
TLS handshake message.
error_t pemImportRsaPrivateKey(const char_t *input, size_t length, RsaPrivateKey *key)
Decode a PEM file containing a RSA private key.
Definition: pem_import.c:211
#define HTONS(value)
Definition: cpu_endian.h:388
error_t tlsLoadFfdheParameters(DhParameters *params, const TlsFfdheGroup *ffdheGroup)
Load FFDHE parameters.
Definition: tls_ffdhe.c:373
#define TRUE
Definition: os_port.h:48
Tls13SignatureScheme
Signature schemes (TLS 1.3)
Definition: tls13_misc.h:133
error_t dhGenerateKeyPair(DhContext *context, const PrngAlgo *prngAlgo, void *prngContext)
Diffie-Hellman key pair generation.
Definition: dh.c:89
const uint8_t tls12DowngradeRandom[8]
error_t rsassaPssSign(const PrngAlgo *prngAlgo, void *prngContext, const RsaPrivateKey *key, const HashAlgo *hash, size_t saltLen, const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
RSASSA-PSS signature generation operation.
Definition: rsa.c:884
Parsing and checking of TLS extensions.
TLS helper functions.
#define ntohs(value)
Definition: cpu_endian.h:396
error_t tlsVerifyEddsaSignature(TlsContext *context, const uint8_t *message, size_t messageLen, const uint8_t *signature, size_t signatureLen)
Verify EdDSA signature.
TLS 1.3 helper functions.
error_t hkdfExtract(const HashAlgo *hash, const uint8_t *ikm, size_t ikmLen, const uint8_t *salt, size_t saltLen, uint8_t *prk)
HKDF extract step.
Definition: hkdf.c:95
PEM file import functions.
bool_t tls13IsFfdheGroupSupported(TlsContext *context, uint16_t namedGroup)
#define STORE24BE(a, p)
Definition: cpu_endian.h:255
const TlsFfdheGroup * tlsGetFfdheGroup(TlsContext *context, uint16_t namedGroup)
Get the FFDHE parameters that match the specified named group.
Definition: tls_ffdhe.c:313
error_t ecdhCheckPublicKey(const EcDomainParameters *params, EcPoint *publicKey)
Check ECDH public key.
Definition: ecdh.c:270
__start_packed struct @69 TlsExtensionList
List of TLS extensions.
error_t tls13GenerateSignature(TlsContext *context, uint8_t *p, size_t *length)
uint8_t signature
Definition: tls.h:1364
error_t tls13DigestClientHello1(TlsContext *context)
error_t tls13HkdfExpandLabel(const HashAlgo *hash, const uint8_t *secret, size_t secretLen, const char_t *label, const uint8_t *context, size_t contextLen, uint8_t *output, size_t outputLen)
error_t tls13ComputePskBinder(TlsContext *context, const void *clientHello, size_t clientHelloLen, size_t truncatedClientHelloLen, const Tls13PskIdentity *identity, uint8_t *binder, size_t binderLen)
error_t ecdhGenerateKeyPair(EcdhContext *context, const PrngAlgo *prngAlgo, void *prngContext)
ECDH key pair generation.
Definition: ecdh.c:85
void rsaFreePrivateKey(RsaPrivateKey *key)
Release a RSA private key.
Definition: rsa.c:145
error_t dhCheckPublicKey(DhParameters *params, const Mpi *publicKey)
Check Diffie-Hellman public value.
Definition: dh.c:152
Success.
Definition: error.h:42
error_t tls13VerifySignature(TlsContext *context, const uint8_t *p, size_t length)
error_t
Error codes.
Definition: error.h:40
uint8_t extensions[]
Definition: tls13_misc.h:322
bool_t tls13IsPskValid(TlsContext *context)
error_t tlsFinalizeTranscriptHash(TlsContext *context, const HashAlgo *hash, const void *hashContext, const char_t *label, uint8_t *output)
Finalize hash calculation from previous handshake messages.
error_t tls13CheckDuplicateKeyShare(uint16_t namedGroup, const uint8_t *p, size_t length)
error_t tls13GenerateSharedSecret(TlsContext *context, const uint8_t *keyShare, size_t length)
error_t dhComputeSharedSecret(DhContext *context, uint8_t *output, size_t outputSize, size_t *outputLen)
Compute Diffie-Hellman shared secret.
Definition: dh.c:188
error_t hmacCompute(const HashAlgo *hash, const void *key, size_t keyLen, const void *data, size_t dataLen, uint8_t *digest)
Compute HMAC using the specified hash function.
Definition: hmac.c:83
Hello extensions.
Definition: tls.h:1878
__start_packed struct @103 Tls13DigitalSignature
Digitally-signed element (TLS 1.3)
error_t tlsGenerateEcdsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, uint8_t *signature, size_t *signatureLen)
Generate ECDSA signature.
const uint8_t tls13HelloRetryRequestRandom[32]
error_t tlsGenerateEddsaSignature(TlsContext *context, const uint8_t *message, size_t messageLen, uint8_t *signature, size_t *signatureLen)
Generate EdDSA signature.
Transcript hash calculation.
RSA/DSA/ECDSA/EdDSA signature generation and verification.
#define tlsAllocMem(size)
Definition: tls.h:755
error_t rsassaPssVerify(const RsaPublicKey *key, const HashAlgo *hash, size_t saltLen, const uint8_t *digest, const uint8_t *signature, size_t signatureLen)
RSASSA-PSS signature verification operation.
Definition: rsa.c:1004
size_t digestSize
Definition: crypto.h:1061
#define TLS_MAX_HKDF_DIGEST_SIZE
Definition: tls.h:815
error_t ecdhComputeSharedSecret(EcdhContext *context, uint8_t *output, size_t outputSize, size_t *outputLen)
Compute ECDH shared secret.
Definition: ecdh.c:383
Common interface for hash algorithms.
Definition: crypto.h:1054
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
const EcCurveInfo * tlsGetCurveInfo(TlsContext *context, uint16_t namedCurve)
Get the EC domain parameters that match the specified named curve.
Definition: tls_misc.c:897
RSA private key.
Definition: rsa.h:57
#define FALSE
Definition: os_port.h:44
#define TlsContext
Definition: tls.h:34
const uint8_t tls11DowngradeRandom[8]
int bool_t
Definition: compiler_port.h:47
error_t tls13FormatCertExtensions(uint8_t *p, size_t *written)
error_t tls13ParseCertExtensions(const uint8_t *p, size_t length, size_t *consumed)
error_t tlsCheckHelloExtensions(TlsMessageType msgType, uint16_t version, TlsHelloExtensions *extensions)
Check Hello extensions.
Certificate handling.
#define TRACE_DEBUG(...)
Definition: debug.h:98
bool_t tls13IsEcdheGroupSupported(TlsContext *context, uint16_t namedGroup)