tls13_server_extensions.c
Go to the documentation of this file.
1 /**
2  * @file tls13_server_extensions.c
3  * @brief Formatting and parsing of extensions (TLS 1.3 server)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 1.9.6
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include <string.h>
36 #include "tls.h"
37 #include "tls_misc.h"
39 #include "tls13_server_misc.h"
40 #include "debug.h"
41 
42 //Check TLS library configuration
43 #if (TLS_SUPPORT == ENABLED && TLS_SERVER_SUPPORT == ENABLED && \
44  TLS_MAX_VERSION >= TLS_VERSION_1_3)
45 
46 
47 /**
48  * @brief Format SupportedVersions extension
49  * @param[in] context Pointer to the TLS context
50  * @param[in] p Output stream where to write the SupportedVersions extension
51  * @param[out] written Total number of bytes that have been written
52  * @return Error code
53  **/
54 
56  uint8_t *p, size_t *written)
57 {
58  size_t n;
59  TlsExtension *extension;
60 
61  //Add the SupportedVersions extension
62  extension = (TlsExtension *) p;
63  //Type of the extension
64  extension->type = HTONS(TLS_EXT_SUPPORTED_VERSIONS);
65 
66  //The extension contains the selected version value
67  STORE16BE(context->version, extension->value);
68 
69  //The extension data field contains a 16-bit unsigned integer
70  n = sizeof(uint16_t);
71  //Fix the length of the extension
72  extension->length = htons(n);
73 
74  //Compute the length, in bytes, of the SupportedVersions extension
75  n += sizeof(TlsExtension);
76 
77  //Total number of bytes that have been written
78  *written = n;
79 
80  //Successful processing
81  return NO_ERROR;
82 }
83 
84 
85 /**
86  * @brief Format KeyShare extension (HelloRetryRequest message)
87  * @param[in] context Pointer to the TLS context
88  * @param[in] p Output stream where to write the KeyShare extension
89  * @param[out] written Total number of bytes that have been written
90  * @return Error code
91  **/
92 
94  uint8_t *p, size_t *written)
95 {
96  size_t n = 0;
97 
98 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_ECDHE_KE_SUPPORT == ENABLED || \
99  TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
100  //Check whether the selected ECDHE or FFDHE group is valid
101  if(context->namedGroup != TLS_GROUP_NONE)
102  {
103  TlsExtension *extension;
104 
105  //Add the KeyShare extension
106  extension = (TlsExtension *) p;
107  //Type of the extension
108  extension->type = HTONS(TLS_EXT_KEY_SHARE);
109 
110  //The extension contains the mutually supported group the server intends
111  //to negotiate
112  STORE16BE(context->namedGroup, extension->value);
113 
114  //The extension data field contains a 16-bit unsigned integer
115  n = sizeof(uint16_t);
116  //Fix the length of the extension
117  extension->length = htons(n);
118 
119  //Compute the length, in bytes, of the KeyShare extension
120  n += sizeof(TlsExtension);
121  }
122 #endif
123 
124  //Total number of bytes that have been written
125  *written = n;
126 
127  //Successful processing
128  return NO_ERROR;
129 }
130 
131 
132 /**
133  * @brief Format KeyShare extension (ServerHello message)
134  * @param[in] context Pointer to the TLS context
135  * @param[in] p Output stream where to write the KeyShare extension
136  * @param[out] written Total number of bytes that have been written
137  * @return Error code
138  **/
139 
141  uint8_t *p, size_t *written)
142 {
143  size_t n = 0;
144 
145 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_ECDHE_KE_SUPPORT == ENABLED || \
146  TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
147  //If using (EC)DHE key establishment, servers offer exactly one
148  //KeyShareEntry in the ServerHello
149  if(context->keyExchMethod == TLS13_KEY_EXCH_DHE ||
150  context->keyExchMethod == TLS13_KEY_EXCH_ECDHE ||
151  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
152  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
153  {
154  error_t error;
155  TlsExtension *extension;
156  Tls13KeyShareEntry *keyShareEntry;
157 
158  //Add the KeyShare extension
159  extension = (TlsExtension *) p;
160  //Type of the extension
161  extension->type = HTONS(TLS_EXT_KEY_SHARE);
162 
163  //If using (EC)DHE key establishment, servers offer exactly one
164  //KeyShareEntry in the ServerHello
165  keyShareEntry = (Tls13KeyShareEntry *) extension->value;
166 
167  //The key share value must be in the same group as the KeyShareEntry
168  //value offered by the client that the server has selected for the
169  //negotiated key exchange
170  keyShareEntry->group = htons(context->namedGroup);
171 
172 #if (TLS13_ECDHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
173  //ECDHE key exchange method?
174  if(context->keyExchMethod == TLS13_KEY_EXCH_ECDHE ||
175  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
176  {
177  //ECDHE parameters are encoded in the opaque key_exchange field of
178  //the KeyShareEntry
179  error = ecExport(&context->ecdhContext.params,
180  &context->ecdhContext.qa, keyShareEntry->keyExchange, &n);
181  //Any error to report?
182  if(error)
183  return error;
184  }
185  else
186 #endif
187 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED)
188  //DHE key exchange method?
189  if(context->keyExchMethod == TLS13_KEY_EXCH_DHE ||
190  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE)
191  {
192  //Retrieve the length of the modulus
193  n = mpiGetByteLength(&context->dhContext.params.p);
194 
195  //Diffie-Hellman parameters are encoded in the opaque key_exchange
196  //field of the KeyShareEntry
197  error = mpiExport(&context->dhContext.ya,
198  keyShareEntry->keyExchange, n, MPI_FORMAT_BIG_ENDIAN);
199  //Any error to report?
200  if(error)
201  return error;
202  }
203  else
204 #endif
205  //Unknown key exchange method?
206  {
207  //Report an error
208  return ERROR_FAILURE;
209  }
210 
211  //Set the length of the key_exchange field
212  keyShareEntry->length = htons(n);
213 
214  //Compute the length, in bytes, of the KeyShareEntry
215  n += sizeof(Tls13KeyShareEntry);
216  //Fix the length of the extension
217  extension->length = htons(n);
218 
219  //Compute the length, in bytes, of the KeyShare extension
220  n += sizeof(TlsExtension);
221  }
222 #endif
223 
224  //Total number of bytes that have been written
225  *written = n;
226 
227  //Successful processing
228  return NO_ERROR;
229 }
230 
231 
232 /**
233  * @brief Format PreSharedKey extension
234  * @param[in] context Pointer to the TLS context
235  * @param[in] p Output stream where to write the PreSharedKey extension
236  * @param[out] written Total number of bytes that have been written
237  * @return Error code
238  **/
239 
241  uint8_t *p, size_t *written)
242 {
243  size_t n = 0;
244 
245 #if (TLS13_PSK_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED || \
246  TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
247  //PSK key exchange method?
248  if(context->keyExchMethod == TLS13_KEY_EXCH_PSK ||
249  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
250  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
251  {
252  TlsExtension *extension;
253 
254  //Add the PreSharedKey extension
255  extension = (TlsExtension *) p;
256  //Type of the extension
257  extension->type = HTONS(TLS_EXT_PRE_SHARED_KEY);
258 
259  //The extension contains the selected identity
260  STORE16BE(context->selectedIdentity, extension->value);
261 
262  //The extension data field contains a 16-bit unsigned integer
263  n = sizeof(uint16_t);
264  //Fix the length of the extension
265  extension->length = htons(n);
266 
267  //Compute the length, in bytes, of the PreSharedKey extension
268  n += sizeof(TlsExtension);
269  }
270 #endif
271 
272  //Total number of bytes that have been written
273  *written = n;
274 
275  //Successful processing
276  return NO_ERROR;
277 }
278 
279 
280 /**
281  * @brief Format EarlyData extension
282  * @param[in] context Pointer to the TLS context
283  * @param[in] msgType Handshake message type
284  * @param[in] p Output stream where to write the EarlyData extension
285  * @param[out] written Total number of bytes that have been written
286  * @return Error code
287  **/
288 
290  TlsMessageType msgType, uint8_t *p, size_t *written)
291 {
292  size_t n = 0;
293 
294 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
295  //The extension may appear in EncryptedExtensions and NewSessionTicket
296  //messages
298  {
299  //If the server intends to process the early data, then it returns its
300  //own EarlyData extension in EncryptedExtensions
301  if(context->earlyDataExtReceived && !context->earlyDataRejected)
302  {
303  TlsExtension *extension;
304 
305  //Add the EarlyData extension
306  extension = (TlsExtension *) p;
307  //Type of the extension
308  extension->type = HTONS(TLS_EXT_EARLY_DATA);
309 
310  //The extension data field of this extension is empty
311  extension->length = HTONS(0);
312 
313  //Compute the length, in bytes, of the EarlyData extension
314  n = sizeof(TlsExtension);
315  }
316  }
318  {
319  TlsExtension *extension;
320 
321  //Add the EarlyData extension
322  extension = (TlsExtension *) p;
323  //Type of the extension
324  extension->type = HTONS(TLS_EXT_EARLY_DATA);
325 
326  //The extension contains the maximum amount of 0-RTT data that the
327  //client is allowed to send when using this ticket, in bytes
328  STORE32BE(context->maxEarlyDataSize, extension->value);
329 
330  //The extension data field contains a 32-bit unsigned integer
331  n = sizeof(uint32_t);
332  //Fix the length of the extension
333  extension->length = htons(n);
334 
335  //Compute the length, in bytes, of the EarlyData extension
336  n += sizeof(TlsExtension);
337  }
338  else
339  {
340  //Just for sanity
341  }
342 #endif
343 
344  //Total number of bytes that have been written
345  *written = n;
346 
347  //Successful processing
348  return NO_ERROR;
349 }
350 
351 
352 /**
353  * @brief Parse KeyShare extension
354  * @param[in] context Pointer to the TLS context
355  * @param[in] keyShareList Pointer to the KeyShare extension
356  * @return Error code
357  **/
358 
360  const Tls13KeyShareList *keyShareList)
361 {
362 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_ECDHE_KE_SUPPORT == ENABLED || \
363  TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
364  //KeyShare extension found?
365  if(keyShareList != NULL)
366  {
367  error_t error;
368  bool_t acceptable;
369  size_t n;
370  size_t length;
371  const uint8_t *p;
372  const Tls13KeyShareEntry *keyShareEntry;
373 
374  //Initialize variables
375  acceptable = FALSE;
376  keyShareEntry = NULL;
377 
378  //Point to the first KeyShareEntry of the list
379  p = keyShareList->value;
380  //Retrieve the length of the list
381  length = ntohs(keyShareList->length);
382 
383  //The extension contains a list of KeyShareEntry values offered by the
384  //client. The values are indicated in descending order of preference
385  while(length > 0 && !acceptable)
386  {
387  //Malformed extension?
388  if(length < sizeof(Tls13KeyShareEntry))
389  return ERROR_DECODING_FAILED;
390 
391  //Point to the current key share entry
392  keyShareEntry = (Tls13KeyShareEntry *) p;
393  //Retrieve the length of the key_exchange field
394  n = ntohs(keyShareEntry->length);
395 
396  //Malformed extension?
397  if(length < (sizeof(Tls13KeyShareEntry) + n))
398  return ERROR_DECODING_FAILED;
399 
400  //Initial or updated ClientHello?
401  if(context->state == TLS_STATE_CLIENT_HELLO)
402  {
403  //Check whether the ECDHE or FFDHE group is supported
404  acceptable = tls13IsGroupSupported(context,
405  ntohs(keyShareEntry->group));
406  }
407  else
408  {
409  //If the server has sent a HelloRetryRequest, the client needs
410  //to restart the handshake with an appropriate group
411  if(ntohs(keyShareEntry->group) == context->namedGroup)
412  {
413  //Check whether the ECDHE or FFDHE group is supported
414  acceptable = tls13IsGroupSupported(context,
415  ntohs(keyShareEntry->group));
416  }
417  }
418 
419  //Point to the next entry
420  p += sizeof(Tls13KeyShareEntry) + n;
421  //Remaining bytes to process
422  length -= sizeof(Tls13KeyShareEntry) + n;
423  }
424 
425  //Acceptable ECDHE or FFDHE group found?
426  if(acceptable)
427  {
428  //Generate an ephemeral key pair
429  error = tls13GenerateKeyShare(context, ntohs(keyShareEntry->group));
430  //Any error to report?
431  if(error)
432  return error;
433 
434  //Compute (EC)DHE shared secret
435  error = tls13GenerateSharedSecret(context, keyShareEntry->keyExchange,
436  ntohs(keyShareEntry->length));
437  //Any error to report?
438  if(error)
439  return error;
440 
441  //Elliptic curve group?
442  if(tls13IsEcdheGroupSupported(context, context->namedGroup))
443  {
444  //ECDHE key exchange mechanism provides forward secrecy
445  if(context->keyExchMethod == TLS13_KEY_EXCH_PSK)
446  context->keyExchMethod = TLS13_KEY_EXCH_PSK_ECDHE;
447  else
448  context->keyExchMethod = TLS13_KEY_EXCH_ECDHE;
449  }
450  //Finite field group?
451  else if(tls13IsFfdheGroupSupported(context, context->namedGroup))
452  {
453  //DHE key exchange mechanism provides forward secrecy
454  if(context->keyExchMethod == TLS13_KEY_EXCH_PSK)
455  context->keyExchMethod = TLS13_KEY_EXCH_PSK_DHE;
456  else
457  context->keyExchMethod = TLS13_KEY_EXCH_DHE;
458  }
459  //Unknown group?
460  else
461  {
462  //Just for sanity
463  return ERROR_FAILURE;
464  }
465  }
466  else
467  {
468  //If no common cryptographic parameters can be negotiated, the server
469  //must abort the handshake with an appropriate alert
470  if(context->state == TLS_STATE_CLIENT_HELLO_2)
471  return ERROR_HANDSHAKE_FAILED;
472  }
473  }
474 #endif
475 
476  //Successful processing
477  return NO_ERROR;
478 }
479 
480 
481 /**
482  * @brief Parse PskKeyExchangeModes extension
483  * @param[in] context Pointer to the TLS context
484  * @param[in] pskKeModeList Pointer to the PskKeyExchangeModes extension
485  * @return Error code
486  **/
487 
489  const Tls13PskKeModeList *pskKeModeList)
490 {
491  error_t error;
492  uint_t i;
493 
494  //PSK key exchange method?
495  if(context->keyExchMethod == TLS13_KEY_EXCH_PSK ||
496  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
497  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
498  {
499  //PskKeyExchangeModes extension found?
500  if(pskKeModeList != NULL)
501  {
502  //Initialize status code
503  error = ERROR_HANDSHAKE_FAILED;
504 
505  //The extension contains a list of supported PSK key exchange modes
506  for(i = 0; i < pskKeModeList->length && error; i++)
507  {
508 #if (TLS13_PSK_KE_SUPPORT == ENABLED)
509  //PSK-only key establishment?
510  if(pskKeModeList->value[i] == TLS_PSK_KEY_EXCH_MODE_PSK_KE)
511  {
512  //Servers must not select a key exchange mode that is not listed
513  //by the client
514  if(context->keyExchMethod == TLS13_KEY_EXCH_PSK)
515  {
516  error = NO_ERROR;
517  }
518  }
519  else
520 #endif
521 #if (TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
522  //PSK with (EC)DHE key establishment?
523  if(pskKeModeList->value[i] == TLS_PSK_KEY_EXCH_MODE_PSK_DHE_KE)
524  {
525  //Servers must not select a key exchange mode that is not listed
526  //by the client
527  if(context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
528  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
529  {
530  error = NO_ERROR;
531  }
532  }
533  else
534 #endif
535  //Unknown key exchange method?
536  {
537  //Just for sanity
538  }
539  }
540  }
541  else
542  {
543  //A client must provide a PskKeyExchangeModes extension if it offers a
544  //PreSharedKey extension
545  error = ERROR_MISSING_EXTENSION;
546  }
547  }
548  else
549  {
550  //If no acceptable PSKs are found, the server should perform a non-PSK
551  //handshake if possible
552  error = NO_ERROR;
553  }
554 
555  //Return status code
556  return error;
557 }
558 
559 
560 /**
561  * @brief Parse PreSharedKey extension
562  * @param[in] context Pointer to the TLS context
563  * @param[in] clientHello Pointer to the ClientHello message
564  * @param[in] clientHelloLen Length of the ClientHello message
565  * @param[in] identityList List of the identities that the client is willing
566  * to negotiate with the server
567  * @param[in] binderList List of HMAC values, one for each PSK offered in the
568  * PreSharedKey extension
569  * @return Error code
570  **/
571 
573  const TlsClientHello *clientHello, size_t clientHelloLen,
574  const Tls13PskIdentityList *identityList, const Tls13PskBinderList *binderList)
575 {
576  #if (TLS13_PSK_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED || \
577  TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
578  //PreSharedKey extension found?
579  if(identityList != NULL && binderList != NULL)
580  {
581  error_t error;
582  int_t i;
583  size_t n;
584  size_t m;
585  uint32_t obfuscatedTicketAge;
586  const uint8_t *p;
587  const uint8_t *q;
588  const Tls13PskIdentity *identity;
589  const Tls13PskBinder *binder;
590  const HashAlgo *hashAlgo;
591 
592  //Initialize variables
593  identity = NULL;
594  binder = NULL;
595 
596  //Reset the server's chosen identity to its default value
597  context->selectedIdentity = -1;
598 
599  //Debug message
600  TRACE_DEBUG("PSK identity list:\r\n");
601  TRACE_DEBUG_ARRAY(" ", identityList, ntohs(identityList->length) + 2);
602  TRACE_DEBUG("PSK binder list:\r\n");
603  TRACE_DEBUG_ARRAY(" ", binderList, ntohs(binderList->length) + 2);
604 
605  //Point to the list of the identities that the client is willing to
606  //negotiate with the server
607  p = identityList->value;
608  n = ntohs(identityList->length);
609 
610  //Point to the list of HMAC values, one for each PSK offered in the
611  //PreSharedKey extension
612  q = binderList->value;
613  m = ntohs(binderList->length);
614 
615  //Loop through the list of PSK identities
616  for(i = 0; n > 0; i++)
617  {
618  //Point to the current PskIdentity entry
619  identity = (Tls13PskIdentity *) p;
620 
621  //Malformed PreSharedKey extension?
622  if(n < sizeof(TlsPskIdentity))
623  return ERROR_DECODING_FAILED;
624  if(n < (sizeof(TlsPskIdentity) + ntohs(identity->length)))
625  return ERROR_DECODING_FAILED;
626 
627  //Debug message
628  TRACE_DEBUG("PSK identity #%u:\r\n", i);
629  TRACE_DEBUG_ARRAY(" ", identity->value, ntohs(identity->length));
630 
631  //Point to the obfuscated_ticket_age field
632  p += sizeof(TlsPskIdentity) + ntohs(identity->length);
633  n -= sizeof(TlsPskIdentity) + ntohs(identity->length);
634 
635  //Malformed PreSharedKey extension?
636  if(n < sizeof(uint32_t))
637  return ERROR_DECODING_FAILED;
638 
639  //The obfuscated_ticket_age field is a 32-bit unsigned integer
640  obfuscatedTicketAge = LOAD32BE(p);
641 
642  //Point to the next PskIdentity entry
643  p += sizeof(uint32_t);
644  n -= sizeof(uint32_t);
645 
646  //Point to the PskBinderEntry
647  binder = (Tls13PskBinder *) q;
648 
649  //If the binder is not present, the server must abort the handshake
650  if(context->selectedIdentity >= 0 && m == 0)
652 
653  //Malformed PreSharedKey extension?
654  if(m < sizeof(Tls13PskBinder))
655  return ERROR_DECODING_FAILED;
656  if(m < (sizeof(Tls13PskBinder) + binder->length))
657  return ERROR_DECODING_FAILED;
658 
659  //Debug message
660  TRACE_DEBUG("PSK binder #%u:\r\n", i);
661  TRACE_DEBUG_ARRAY(" ", binder->value, binder->length);
662 
663  //Point to the next PskBinderEntry
664  q += sizeof(Tls13PskBinder) + binder->length;
665  m -= sizeof(Tls13PskBinder) + binder->length;
666 
667  //The server should select a single PSK
668  if(context->selectedIdentity < 0)
669  {
670  //Any registered callback?
671  if(context->pskCallback != NULL)
672  {
673  //Check whether the PSK identity provided by the client matches
674  //any externally established PSK
675  error = context->pskCallback(context, identity->value,
676  ntohs(identity->length));
677 
678  //Valid PSK?
679  if(!error && tls13IsPskValid(context))
680  {
681  //For externally established PSKs, the hash algorithm must be
682  //set when the PSK is established
683  hashAlgo = tlsGetHashAlgo(context->pskHashAlgo);
684 
685  //Make sure the hash algorithm is valid
686  if(hashAlgo != NULL)
687  {
688  //Save the hash algorithm associated with the PSK
689  context->cipherSuite.prfHashAlgo = hashAlgo;
690 
691  //The server's chosen identity is expressed as a 0-based
692  //index into the identities in the client's list
693  context->selectedIdentity = i;
694  }
695  }
696  }
697  }
698 
699  //The server should select a single PSK
700  if(context->selectedIdentity < 0)
701  {
702  //Decrypt the received ticket and verify the ticket's validity
703  error = tls13VerifyTicket(context, identity->value,
704  htons(identity->length), obfuscatedTicketAge);
705 
706  //Valid ticket?
707  if(!error)
708  {
709  //The server's chosen identity is expressed as a 0-based index
710  //into the identities in the client's list
711  context->selectedIdentity = i;
712  }
713  }
714  }
715 
716  //Extra binders found?
717  if(m != 0)
719  }
720  else
721 #endif
722  {
723  //Initial or updated ClientHello?
724  if(context->state == TLS_STATE_CLIENT_HELLO_2)
725  {
726  //When responding to a HelloRetryRequest, the client must send the
727  //same ClientHello without modification
728  if(context->selectedIdentity >= 0)
730  }
731 
732  //The ClientHello message does not contain any PreSharedKey extension
733  context->selectedIdentity = -1;
734  }
735 
736  //Successful processing
737  return NO_ERROR;
738 }
739 
740 
741 /**
742  * @brief Parse EarlyData extension
743  * @param[in] context Pointer to the TLS context
744  * @param[in] earlyDataIndication Pointer to the EarlyData extension
745  * @return Error code
746  **/
747 
749  const uint8_t *earlyDataIndication)
750 {
751  //EarlyData extension found?
752  if(earlyDataIndication != NULL)
753  {
754  //Early data is not permitted after a HelloRetryRequest (refer to
755  //RFC 8446, section 4.1.2)
756  if(context->state == TLS_STATE_CLIENT_HELLO_2)
757  {
758  context->earlyDataRejected = TRUE;
759  }
760 
761  //In order to accept early data, the server must have accepted a PSK
762  //cipher suite and selected the first key offered in the client's
763  //PreSharedKey extension (refer to RFC 8446, section 4.2.10)
764  if(context->selectedIdentity != 0)
765  {
766  context->earlyDataRejected = TRUE;
767  }
768 
769  //A valid EarlyData extension has been received
770  context->earlyDataExtReceived = TRUE;
771  }
772  else
773  {
774  //The ClientHello message does not contain any EarlyData extension
775  context->earlyDataExtReceived = FALSE;
776  }
777 
778  //Successful processing
779  return NO_ERROR;
780 }
781 
782 #endif
@ TLS13_KEY_EXCH_PSK
Definition: tls.h:1047
error_t tls13ParseClientPreSharedKeyExtension(TlsContext *context, const TlsClientHello *clientHello, size_t clientHelloLen, const Tls13PskIdentityList *identityList, const Tls13PskBinderList *binderList)
#define htons(value)
Definition: cpu_endian.h:392
TLS helper functions.
uint8_t length
Definition: dtls_misc.h:149
__start_packed struct @94 Tls13PskIdentity
PSK identity.
__start_packed struct @95 Tls13PskIdentityList
List of PSK identities.
int bool_t
Definition: compiler_port.h:49
error_t tls13FormatSelectedGroupExtension(TlsContext *context, uint8_t *p, size_t *written)
@ TLS13_KEY_EXCH_PSK_DHE
Definition: tls.h:1048
signed int int_t
Definition: compiler_port.h:44
#define LOAD32BE(p)
Definition: cpu_endian.h:194
error_t tls13GenerateKeyShare(TlsContext *context, uint16_t namedGroup)
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:237
__start_packed struct @97 Tls13PskBinderList
List of PSK binders.
@ TLS_EXT_SUPPORTED_VERSIONS
Definition: tls.h:1166
uint8_t p
Definition: ndp.h:298
__start_packed struct @91 Tls13KeyShareEntry
Key share entry.
#define TRUE
Definition: os_port.h:50
TlsMessageType
Handshake message type.
Definition: tls.h:930
error_t tls13ParsePskKeModesExtension(TlsContext *context, const Tls13PskKeModeList *pskKeModeList)
error_t tls13ParseClientKeyShareExtension(TlsContext *context, const Tls13KeyShareList *keyShareList)
@ ERROR_HANDSHAKE_FAILED
Definition: error.h:228
__start_packed struct @93 Tls13PskKeModeList
List of PSK key exchange modes.
@ TLS13_KEY_EXCH_ECDHE
Definition: tls.h:1046
error_t tls13ParseClientEarlyDataExtension(TlsContext *context, const uint8_t *earlyDataIndication)
@ TLS_EXT_EARLY_DATA
Definition: tls.h:1165
@ TLS_STATE_CLIENT_HELLO
Definition: tls.h:1290
@ TLS_PSK_KEY_EXCH_MODE_PSK_KE
Definition: tls13_misc.h:166
@ TLS_PSK_KEY_EXCH_MODE_PSK_DHE_KE
Definition: tls13_misc.h:167
#define FALSE
Definition: os_port.h:46
bool_t tls13IsGroupSupported(TlsContext *context, uint16_t namedGroup)
error_t mpiExport(const Mpi *a, uint8_t *data, uint_t length, MpiFormat format)
Integer to octet string conversion.
Definition: mpi.c:618
#define TlsContext
Definition: tls.h:36
error_t
Error codes.
Definition: error.h:42
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:829
@ TLS_GROUP_NONE
Definition: tls.h:1207
Formatting and parsing of extensions (TLS 1.3 server)
@ ERROR_FAILURE
Generic error code.
Definition: error.h:45
@ TLS13_KEY_EXCH_DHE
Definition: tls.h:1045
#define STORE16BE(a, p)
Definition: cpu_endian.h:246
error_t tls13FormatServerEarlyDataExtension(TlsContext *context, TlsMessageType msgType, uint8_t *p, size_t *written)
@ TLS_EXT_KEY_SHARE
Definition: tls.h:1173
@ ERROR_MISSING_EXTENSION
Definition: error.h:238
@ TLS_TYPE_ENCRYPTED_EXTENSIONS
Definition: tls.h:939
__start_packed struct @68 TlsExtension
TLS extension.
Helper functions for TLS 1.3 server.
error_t tls13VerifyTicket(TlsContext *context, const uint8_t *ticket, size_t length, uint32_t obfuscatedTicketAge)
__start_packed struct @85 TlsClientHello
ClientHello message.
error_t tls13GenerateSharedSecret(TlsContext *context, const uint8_t *keyShare, size_t length)
#define ntohs(value)
Definition: cpu_endian.h:398
#define TRACE_DEBUG(...)
Definition: debug.h:106
bool_t tls13IsEcdheGroupSupported(TlsContext *context, uint16_t namedGroup)
@ TLS13_KEY_EXCH_PSK_ECDHE
Definition: tls.h:1049
@ TLS_STATE_CLIENT_HELLO_2
Definition: tls.h:1291
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:107
uint8_t m
Definition: ndp.h:302
#define HTONS(value)
Definition: cpu_endian.h:390
uint8_t n
bool_t tls13IsPskValid(TlsContext *context)
bool_t tls13IsFfdheGroupSupported(TlsContext *context, uint16_t namedGroup)
uint8_t msgType
Definition: dtls_misc.h:186
@ TLS_EXT_PRE_SHARED_KEY
Definition: tls.h:1164
error_t tls13FormatServerPreSharedKeyExtension(TlsContext *context, uint8_t *p, size_t *written)
@ MPI_FORMAT_BIG_ENDIAN
Definition: mpi.h:61
TLS (Transport Layer Security)
error_t ecExport(const EcDomainParameters *params, const EcPoint *a, uint8_t *data, size_t *length)
Convert an EC point to an octet string.
Definition: ec.c:287
__start_packed struct @79 TlsPskIdentity
PSK identity.
Common interface for hash algorithms.
Definition: crypto.h:1128
__start_packed struct @92 Tls13KeyShareList
List of key shares.
@ TLS_TYPE_NEW_SESSION_TICKET
Definition: tls.h:936
@ ERROR_DECODING_FAILED
Definition: error.h:235
unsigned int uint_t
Definition: compiler_port.h:45
error_t tls13FormatServerKeyShareExtension(TlsContext *context, uint8_t *p, size_t *written)
error_t tls13FormatServerSupportedVersionsExtension(TlsContext *context, uint8_t *p, size_t *written)
__start_packed struct @96 Tls13PskBinder
PSK binder.
#define STORE32BE(a, p)
Definition: cpu_endian.h:270
@ NO_ERROR
Success.
Definition: error.h:44
Debugging facilities.
uint_t mpiGetByteLength(const Mpi *a)
Get the actual length in bytes.
Definition: mpi.c:156