tls13_server_extensions.c
Go to the documentation of this file.
1 /**
2  * @file tls13_server_extensions.c
3  * @brief Formatting and parsing of extensions (TLS 1.3 server)
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneSSL Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @author Oryx Embedded SARL (www.oryx-embedded.com)
26  * @version 1.9.0
27  **/
28 
29 //Switch to the appropriate trace level
30 #define TRACE_LEVEL TLS_TRACE_LEVEL
31 
32 //Dependencies
33 #include <string.h>
34 #include "tls.h"
35 #include "tls_misc.h"
37 #include "tls13_server_misc.h"
38 #include "debug.h"
39 
40 //Check TLS library configuration
41 #if (TLS_SUPPORT == ENABLED && TLS_SERVER_SUPPORT == ENABLED && \
42  TLS_MAX_VERSION >= TLS_VERSION_1_3)
43 
44 
45 /**
46  * @brief Format SupportedVersions extension
47  * @param[in] context Pointer to the TLS context
48  * @param[in] p Output stream where to write the SupportedVersions extension
49  * @param[out] written Total number of bytes that have been written
50  * @return Error code
51  **/
52 
54  uint8_t *p, size_t *written)
55 {
56  size_t n;
57  TlsExtension *extension;
58 
59  //Add the SupportedVersions extension
60  extension = (TlsExtension *) p;
61  //Type of the extension
62  extension->type = HTONS(TLS_EXT_SUPPORTED_VERSIONS);
63 
64  //The extension contains the selected version value
65  STORE16BE(context->version, extension->value);
66 
67  //The extension data field contains a 16-bit unsigned integer
68  n = sizeof(uint16_t);
69  //Fix the length of the extension
70  extension->length = htons(n);
71 
72  //Compute the length, in bytes, of the SupportedVersions extension
73  n += sizeof(TlsExtension);
74 
75  //Total number of bytes that have been written
76  *written = n;
77 
78  //Successful processing
79  return NO_ERROR;
80 }
81 
82 
83 /**
84  * @brief Format KeyShare extension (HelloRetryRequest message)
85  * @param[in] context Pointer to the TLS context
86  * @param[in] p Output stream where to write the KeyShare extension
87  * @param[out] written Total number of bytes that have been written
88  * @return Error code
89  **/
90 
92  uint8_t *p, size_t *written)
93 {
94  size_t n = 0;
95 
96 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_ECDHE_KE_SUPPORT == ENABLED || \
97  TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
98  //Check whether the selected ECDHE or FFDHE group is valid
99  if(context->namedGroup != TLS_GROUP_NONE)
100  {
101  TlsExtension *extension;
102 
103  //Add the KeyShare extension
104  extension = (TlsExtension *) p;
105  //Type of the extension
106  extension->type = HTONS(TLS_EXT_KEY_SHARE);
107 
108  //The extension contains the mutually supported group the server intends
109  //to negotiate
110  STORE16BE(context->namedGroup, extension->value);
111 
112  //The extension data field contains a 16-bit unsigned integer
113  n = sizeof(uint16_t);
114  //Fix the length of the extension
115  extension->length = htons(n);
116 
117  //Compute the length, in bytes, of the KeyShare extension
118  n += sizeof(TlsExtension);
119  }
120 #endif
121 
122  //Total number of bytes that have been written
123  *written = n;
124 
125  //Successful processing
126  return NO_ERROR;
127 }
128 
129 
130 /**
131  * @brief Format KeyShare extension (ServerHello message)
132  * @param[in] context Pointer to the TLS context
133  * @param[in] p Output stream where to write the KeyShare extension
134  * @param[out] written Total number of bytes that have been written
135  * @return Error code
136  **/
137 
139  uint8_t *p, size_t *written)
140 {
141  size_t n = 0;
142 
143 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_ECDHE_KE_SUPPORT == ENABLED || \
144  TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
145  //If using (EC)DHE key establishment, servers offer exactly one
146  //KeyShareEntry in the ServerHello
147  if(context->keyExchMethod == TLS13_KEY_EXCH_DHE ||
148  context->keyExchMethod == TLS13_KEY_EXCH_ECDHE ||
149  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
150  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
151  {
152  error_t error;
153  TlsExtension *extension;
154  Tls13KeyShareEntry *keyShareEntry;
155 
156  //Add the KeyShare extension
157  extension = (TlsExtension *) p;
158  //Type of the extension
159  extension->type = HTONS(TLS_EXT_KEY_SHARE);
160 
161  //If using (EC)DHE key establishment, servers offer exactly one
162  //KeyShareEntry in the ServerHello
163  keyShareEntry = (Tls13KeyShareEntry *) extension->value;
164 
165  //The key share value must be in the same group as the KeyShareEntry
166  //value offered by the client that the server has selected for the
167  //negotiated key exchange
168  keyShareEntry->group = htons(context->namedGroup);
169 
170 #if (TLS13_ECDHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
171  //ECDHE key exchange method?
172  if(context->keyExchMethod == TLS13_KEY_EXCH_ECDHE ||
173  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
174  {
175  //ECDHE parameters are encoded in the opaque key_exchange field of
176  //the KeyShareEntry
177  error = ecExport(&context->ecdhContext.params,
178  &context->ecdhContext.qa, keyShareEntry->keyExchange, &n);
179  //Any error to report?
180  if(error)
181  return error;
182  }
183  else
184 #endif
185 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED)
186  //DHE key exchange method?
187  if(context->keyExchMethod == TLS13_KEY_EXCH_DHE ||
188  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE)
189  {
190  //Retrieve the length of the modulus
191  n = mpiGetByteLength(&context->dhContext.params.p);
192 
193  //Diffie-Hellman parameters are encoded in the opaque key_exchange
194  //field of the KeyShareEntry
195  error = mpiExport(&context->dhContext.ya,
196  keyShareEntry->keyExchange, n, MPI_FORMAT_BIG_ENDIAN);
197  //Any error to report?
198  if(error)
199  return error;
200  }
201  else
202 #endif
203  //Unknown key exchange method?
204  {
205  //Report an error
206  return ERROR_FAILURE;
207  }
208 
209  //Set the length of the key_exchange field
210  keyShareEntry->length = htons(n);
211 
212  //Compute the length, in bytes, of the KeyShareEntry
213  n += sizeof(Tls13KeyShareEntry);
214  //Fix the length of the extension
215  extension->length = htons(n);
216 
217  //Compute the length, in bytes, of the KeyShare extension
218  n += sizeof(TlsExtension);
219  }
220 #endif
221 
222  //Total number of bytes that have been written
223  *written = n;
224 
225  //Successful processing
226  return NO_ERROR;
227 }
228 
229 
230 /**
231  * @brief Format PreSharedKey extension
232  * @param[in] context Pointer to the TLS context
233  * @param[in] p Output stream where to write the PreSharedKey extension
234  * @param[out] written Total number of bytes that have been written
235  * @return Error code
236  **/
237 
239  uint8_t *p, size_t *written)
240 {
241  size_t n = 0;
242 
243 #if (TLS13_PSK_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED || \
244  TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
245  //PSK key exchange method?
246  if(context->keyExchMethod == TLS13_KEY_EXCH_PSK ||
247  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
248  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
249  {
250  TlsExtension *extension;
251 
252  //Add the PreSharedKey extension
253  extension = (TlsExtension *) p;
254  //Type of the extension
255  extension->type = HTONS(TLS_EXT_PRE_SHARED_KEY);
256 
257  //The extension contains the selected identity
258  STORE16BE(context->selectedIdentity, extension->value);
259 
260  //The extension data field contains a 16-bit unsigned integer
261  n = sizeof(uint16_t);
262  //Fix the length of the extension
263  extension->length = htons(n);
264 
265  //Compute the length, in bytes, of the PreSharedKey extension
266  n += sizeof(TlsExtension);
267  }
268 #endif
269 
270  //Total number of bytes that have been written
271  *written = n;
272 
273  //Successful processing
274  return NO_ERROR;
275 }
276 
277 
278 /**
279  * @brief Format EarlyData extension
280  * @param[in] context Pointer to the TLS context
281  * @param[in] msgType Handshake message type
282  * @param[in] p Output stream where to write the EarlyData extension
283  * @param[out] written Total number of bytes that have been written
284  * @return Error code
285  **/
286 
288  TlsMessageType msgType, uint8_t *p, size_t *written)
289 {
290  size_t n = 0;
291 
292 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
293  //The extension may appear in EncryptedExtensions and NewSessionTicket
294  //messages
296  {
297  //If the server intends to process the early data, then it returns its
298  //own EarlyData extension in EncryptedExtensions
299  if(context->earlyDataExtReceived && !context->earlyDataRejected)
300  {
301  TlsExtension *extension;
302 
303  //Add the EarlyData extension
304  extension = (TlsExtension *) p;
305  //Type of the extension
306  extension->type = HTONS(TLS_EXT_EARLY_DATA);
307 
308  //The extension data field of this extension is empty
309  extension->length = HTONS(0);
310 
311  //Compute the length, in bytes, of the EarlyData extension
312  n = sizeof(TlsExtension);
313  }
314  }
316  {
317  TlsExtension *extension;
318 
319  //Add the EarlyData extension
320  extension = (TlsExtension *) p;
321  //Type of the extension
322  extension->type = HTONS(TLS_EXT_EARLY_DATA);
323 
324  //The extension contains the maximum amount of 0-RTT data that the
325  //client is allowed to send when using this ticket, in bytes
326  STORE32BE(context->maxEarlyDataSize, extension->value);
327 
328  //The extension data field contains a 32-bit unsigned integer
329  n = sizeof(uint32_t);
330  //Fix the length of the extension
331  extension->length = htons(n);
332 
333  //Compute the length, in bytes, of the EarlyData extension
334  n += sizeof(TlsExtension);
335  }
336  else
337  {
338  //Just for sanity
339  }
340 #endif
341 
342  //Total number of bytes that have been written
343  *written = n;
344 
345  //Successful processing
346  return NO_ERROR;
347 }
348 
349 
350 /**
351  * @brief Parse KeyShare extension
352  * @param[in] context Pointer to the TLS context
353  * @param[in] keyShareList Pointer to the KeyShare extension
354  * @return Error code
355  **/
356 
358  const Tls13KeyShareList *keyShareList)
359 {
360 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_ECDHE_KE_SUPPORT == ENABLED || \
361  TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
362  //KeyShare extension found?
363  if(keyShareList != NULL)
364  {
365  error_t error;
366  bool_t acceptable;
367  size_t n;
368  size_t length;
369  const uint8_t *p;
370  const Tls13KeyShareEntry *keyShareEntry;
371 
372  //Initialize variables
373  acceptable = FALSE;
374  keyShareEntry = NULL;
375 
376  //Point to the first KeyShareEntry of the list
377  p = keyShareList->value;
378  //Retrieve the length of the list
379  length = ntohs(keyShareList->length);
380 
381  //The extension contains a list of KeyShareEntry values offered by the
382  //client. The values are indicated in descending order of preference
383  while(length > 0 && !acceptable)
384  {
385  //Malformed extension?
386  if(length < sizeof(Tls13KeyShareEntry))
387  return ERROR_DECODING_FAILED;
388 
389  //Point to the current key share entry
390  keyShareEntry = (Tls13KeyShareEntry *) p;
391  //Retrieve the length of the key_exchange field
392  n = ntohs(keyShareEntry->length);
393 
394  //Malformed extension?
395  if(length < (sizeof(Tls13KeyShareEntry) + n))
396  return ERROR_DECODING_FAILED;
397 
398  //Initial or updated ClientHello?
399  if(context->state == TLS_STATE_CLIENT_HELLO)
400  {
401  //Check whether the ECDHE or FFDHE group is supported
402  acceptable = tls13IsGroupSupported(context,
403  ntohs(keyShareEntry->group));
404  }
405  else
406  {
407  //If the server has sent a HelloRetryRequest, the client needs
408  //to restart the handshake with an appropriate group
409  if(ntohs(keyShareEntry->group) == context->namedGroup)
410  {
411  //Check whether the ECDHE or FFDHE group is supported
412  acceptable = tls13IsGroupSupported(context,
413  ntohs(keyShareEntry->group));
414  }
415  }
416 
417  //Point to the next entry
418  p += sizeof(Tls13KeyShareEntry) + n;
419  //Remaining bytes to process
420  length -= sizeof(Tls13KeyShareEntry) + n;
421  }
422 
423  //Acceptable ECDHE or FFDHE group found?
424  if(acceptable)
425  {
426  //Generate an ephemeral key pair
427  error = tls13GenerateKeyShare(context, ntohs(keyShareEntry->group));
428  //Any error to report?
429  if(error)
430  return error;
431 
432  //Compute (EC)DHE shared secret
433  error = tls13GenerateSharedSecret(context, keyShareEntry->keyExchange,
434  ntohs(keyShareEntry->length));
435  //Any error to report?
436  if(error)
437  return error;
438 
439  //Elliptic curve group?
440  if(tls13IsEcdheGroupSupported(context, context->namedGroup))
441  {
442  //ECDHE key exchange mechanism provides forward secrecy
443  if(context->keyExchMethod == TLS13_KEY_EXCH_PSK)
444  context->keyExchMethod = TLS13_KEY_EXCH_PSK_ECDHE;
445  else
446  context->keyExchMethod = TLS13_KEY_EXCH_ECDHE;
447  }
448  //Finite field group?
449  else if(tls13IsFfdheGroupSupported(context, context->namedGroup))
450  {
451  //DHE key exchange mechanism provides forward secrecy
452  if(context->keyExchMethod == TLS13_KEY_EXCH_PSK)
453  context->keyExchMethod = TLS13_KEY_EXCH_PSK_DHE;
454  else
455  context->keyExchMethod = TLS13_KEY_EXCH_DHE;
456  }
457  //Unknown group?
458  else
459  {
460  //Just for sanity
461  return ERROR_FAILURE;
462  }
463  }
464  else
465  {
466  //If no common cryptographic parameters can be negotiated, the server
467  //must abort the handshake with an appropriate alert
468  if(context->state == TLS_STATE_CLIENT_HELLO_2)
469  return ERROR_HANDSHAKE_FAILED;
470  }
471  }
472 #endif
473 
474  //Successful processing
475  return NO_ERROR;
476 }
477 
478 
479 /**
480  * @brief Parse PskKeyExchangeModes extension
481  * @param[in] context Pointer to the TLS context
482  * @param[in] pskKeModeList Pointer to the PskKeyExchangeModes extension
483  * @return Error code
484  **/
485 
487  const Tls13PskKeModeList *pskKeModeList)
488 {
489  error_t error;
490  uint_t i;
491 
492  //PSK key exchange method?
493  if(context->keyExchMethod == TLS13_KEY_EXCH_PSK ||
494  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
495  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
496  {
497  //PskKeyExchangeModes extension found?
498  if(pskKeModeList != NULL)
499  {
500  //Initialize status code
501  error = ERROR_HANDSHAKE_FAILED;
502 
503  //The extension contains a list of supported PSK key exchange modes
504  for(i = 0; i < pskKeModeList->length && error; i++)
505  {
506 #if (TLS13_PSK_KE_SUPPORT == ENABLED)
507  //PSK-only key establishment?
508  if(pskKeModeList->value[i] == TLS_PSK_KEY_EXCH_MODE_PSK_KE)
509  {
510  //Servers must not select a key exchange mode that is not listed
511  //by the client
512  if(context->keyExchMethod == TLS13_KEY_EXCH_PSK)
513  {
514  error = NO_ERROR;
515  }
516  }
517  else
518 #endif
519 #if (TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
520  //PSK with (EC)DHE key establishment?
521  if(pskKeModeList->value[i] == TLS_PSK_KEY_EXCH_MODE_PSK_DHE_KE)
522  {
523  //Servers must not select a key exchange mode that is not listed
524  //by the client
525  if(context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
526  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
527  {
528  error = NO_ERROR;
529  }
530  }
531  else
532 #endif
533  //Unknown key exchange method?
534  {
535  //Just for sanity
536  }
537  }
538  }
539  else
540  {
541  //A client must provide a PskKeyExchangeModes extension if it offers a
542  //PreSharedKey extension
543  error = ERROR_MISSING_EXTENSION;
544  }
545  }
546  else
547  {
548  //If no acceptable PSKs are found, the server should perform a non-PSK
549  //handshake if possible
550  error = NO_ERROR;
551  }
552 
553  //Return status code
554  return error;
555 }
556 
557 
558 /**
559  * @brief Parse PreSharedKey extension
560  * @param[in] context Pointer to the TLS context
561  * @param[in] clientHello Pointer to the ClientHello message
562  * @param[in] clientHelloLen Length of the ClientHello message
563  * @param[in] identityList List of the identities that the client is willing
564  * to negotiate with the server
565  * @param[in] binderList List of HMAC values, one for each PSK offered in the
566  * PreSharedKey extension
567  * @return Error code
568  **/
569 
571  const TlsClientHello *clientHello, size_t clientHelloLen,
572  const Tls13PskIdentityList *identityList, const Tls13PskBinderList *binderList)
573 {
574  #if (TLS13_PSK_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED || \
575  TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
576  //PreSharedKey extension found?
577  if(identityList != NULL && binderList != NULL)
578  {
579  error_t error;
580  int_t i;
581  size_t n;
582  size_t m;
583  uint32_t obfuscatedTicketAge;
584  const uint8_t *p;
585  const uint8_t *q;
586  const Tls13PskIdentity *identity;
587  const Tls13PskBinder *binder;
588  const HashAlgo *hashAlgo;
589 
590  //Initialize variables
591  identity = NULL;
592  binder = NULL;
593 
594  //Debug message
595  TRACE_DEBUG("PSK identity list:\r\n");
596  TRACE_DEBUG_ARRAY(" ", identityList, ntohs(identityList->length) + 2);
597  TRACE_DEBUG("PSK binder list:\r\n");
598  TRACE_DEBUG_ARRAY(" ", binderList, ntohs(binderList->length) + 2);
599 
600  //Point to the list of the identities that the client is willing to
601  //negotiate with the server
602  p = identityList->value;
603  n = ntohs(identityList->length);
604 
605  //Point to the list of HMAC values, one for each PSK offered in the
606  //PreSharedKey extension
607  q = binderList->value;
608  m = ntohs(binderList->length);
609 
610  //Loop through the list of PSK identities
611  for(i = 0; n > 0; i++)
612  {
613  //Point to the current PskIdentity entry
614  identity = (Tls13PskIdentity *) p;
615 
616  //Malformed PreSharedKey extension?
617  if(n < sizeof(TlsPskIdentity))
618  return ERROR_DECODING_FAILED;
619  if(n < (sizeof(TlsPskIdentity) + ntohs(identity->length)))
620  return ERROR_DECODING_FAILED;
621 
622  //Debug message
623  TRACE_DEBUG("PSK identity #%u:\r\n", i);
624  TRACE_DEBUG_ARRAY(" ", identity->value, ntohs(identity->length));
625 
626  //Point to the obfuscated_ticket_age field
627  p += sizeof(TlsPskIdentity) + ntohs(identity->length);
628  n -= sizeof(TlsPskIdentity) + ntohs(identity->length);
629 
630  //Malformed PreSharedKey extension?
631  if(n < sizeof(uint32_t))
632  return ERROR_DECODING_FAILED;
633 
634  //The obfuscated_ticket_age field is a 32-bit unsigned integer
635  obfuscatedTicketAge = LOAD32BE(p);
636 
637  //Point to the next PskIdentity entry
638  p += sizeof(uint32_t);
639  n -= sizeof(uint32_t);
640 
641  //Point to the PskBinderEntry
642  binder = (Tls13PskBinder *) q;
643 
644  //If the binder is not present, the server must abort the handshake
645  if(context->selectedIdentity >= 0 && m == 0)
647 
648  //Malformed PreSharedKey extension?
649  if(m < sizeof(Tls13PskBinder))
650  return ERROR_DECODING_FAILED;
651  if(m < (sizeof(Tls13PskBinder) + binder->length))
652  return ERROR_DECODING_FAILED;
653 
654  //Debug message
655  TRACE_DEBUG("PSK binder #%u:\r\n", i);
656  TRACE_DEBUG_ARRAY(" ", binder->value, binder->length);
657 
658  //Point to the next PskBinderEntry
659  q += sizeof(Tls13PskBinder) + binder->length;
660  m -= sizeof(Tls13PskBinder) + binder->length;
661 
662  //The server should select a single PSK
663  if(context->selectedIdentity < 0)
664  {
665  //Any registered callback?
666  if(context->pskCallback != NULL)
667  {
668  //Check whether the PSK identity provided by the client matches
669  //any externally established PSK
670  error = context->pskCallback(context, identity->value,
671  ntohs(identity->length));
672 
673  //Valid PSK?
674  if(!error && tls13IsPskValid(context))
675  {
676  //For externally established PSKs, the hash algorithm must be
677  //set when the PSK is established
678  hashAlgo = tlsGetHashAlgo(context->pskHashAlgo);
679 
680  //Make sure the hash algorithm is valid
681  if(hashAlgo != NULL)
682  {
683  //Save the hash algorithm associated with the PSK
684  context->cipherSuite.prfHashAlgo = hashAlgo;
685 
686  //The server's chosen identity is expressed as a 0-based
687  //index into the identities in the client's list
688  context->selectedIdentity = i;
689  }
690  }
691  }
692  }
693 
694  //The server should select a single PSK
695  if(context->selectedIdentity < 0)
696  {
697  //Decrypt the received ticket and verify the ticket's validity
698  error = tls13VerifyTicket(context, identity->value,
699  htons(identity->length), obfuscatedTicketAge);
700 
701  //Valid ticket?
702  if(!error)
703  {
704  //The server's chosen identity is expressed as a 0-based index
705  //into the identities in the client's list
706  context->selectedIdentity = i;
707  }
708  }
709  }
710 
711  //Extra binders found?
712  if(m != 0)
714  }
715 #endif
716 
717  //Successful processing
718  return NO_ERROR;
719 }
720 
721 
722 /**
723  * @brief Parse EarlyData extension
724  * @param[in] context Pointer to the TLS context
725  * @param[in] earlyDataIndication Pointer to the EarlyData extension
726  * @return Error code
727  **/
728 
730  const uint8_t *earlyDataIndication)
731 {
732  //EarlyData extension found?
733  if(earlyDataIndication != NULL)
734  {
735  //Early data is not permitted after a HelloRetryRequest (refer to
736  //RFC 8446, section 4.1.2)
737  if(context->state == TLS_STATE_CLIENT_HELLO_2)
738  context->earlyDataRejected = TRUE;
739 
740  //In order to accept early data, the server must have accepted a PSK
741  //cipher suite and selected the first key offered in the client's
742  //PreSharedKey extension (refer to RFC 8446, section 4.2.10)
743  if(context->selectedIdentity != 0)
744  context->earlyDataRejected = TRUE;
745 
746  //A valid EarlyData extension has been received
747  context->earlyDataExtReceived = TRUE;
748  }
749  else
750  {
751  //The ClientHello message does not contain any EarlyData extension
752  context->earlyDataExtReceived = FALSE;
753  }
754 
755  //Successful processing
756  return NO_ERROR;
757 }
758 
759 #endif
TLS (Transport Layer Security)
__start_packed struct @95 Tls13KeyShareEntry
Key share entry.
__start_packed struct @98 Tls13PskIdentity
PSK identity.
TlsMessageType
Handshake message type.
Definition: tls.h:926
error_t tls13GenerateKeyShare(TlsContext *context, uint16_t namedGroup)
Debugging facilities.
uint8_t p
Definition: ndp.h:295
bool_t tls13IsGroupSupported(TlsContext *context, uint16_t namedGroup)
Generic error code.
Definition: error.h:43
Helper functions for TLS 1.3 server.
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:836
#define LOAD32BE(p)
Definition: cpu_endian.h:192
#define htons(value)
Definition: cpu_endian.h:390
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:99
uint8_t m
Definition: ndp.h:299
__start_packed struct @100 Tls13PskBinder
PSK binder.
#define HTONS(value)
Definition: cpu_endian.h:388
__start_packed struct @97 Tls13PskKeModeList
List of PSK key exchange modes.
#define TRUE
Definition: os_port.h:48
error_t tls13FormatServerSupportedVersionsExtension(TlsContext *context, uint8_t *p, size_t *written)
error_t tls13ParseClientPreSharedKeyExtension(TlsContext *context, const TlsClientHello *clientHello, size_t clientHelloLen, const Tls13PskIdentityList *identityList, const Tls13PskBinderList *binderList)
__start_packed struct @101 Tls13PskBinderList
List of PSK binders.
TLS helper functions.
#define STORE32BE(a, p)
Definition: cpu_endian.h:268
__start_packed struct @68 TlsExtension
TLS extension.
#define ntohs(value)
Definition: cpu_endian.h:396
signed int int_t
Definition: compiler_port.h:42
error_t tls13FormatServerKeyShareExtension(TlsContext *context, uint8_t *p, size_t *written)
error_t tls13VerifyTicket(TlsContext *context, const uint8_t *ticket, size_t length, uint32_t obfuscatedTicketAge)
error_t tls13ParseClientKeyShareExtension(TlsContext *context, const Tls13KeyShareList *keyShareList)
bool_t tls13IsFfdheGroupSupported(TlsContext *context, uint16_t namedGroup)
error_t tls13FormatServerEarlyDataExtension(TlsContext *context, TlsMessageType msgType, uint8_t *p, size_t *written)
__start_packed struct @79 TlsPskIdentity
PSK identity.
error_t ecExport(const EcDomainParameters *params, const EcPoint *a, uint8_t *data, size_t *length)
Convert an EC point to an octet string.
Definition: ec.c:281
Success.
Definition: error.h:42
error_t
Error codes.
Definition: error.h:40
error_t mpiExport(const Mpi *a, uint8_t *data, uint_t length, MpiFormat format)
Integer to octet string conversion.
Definition: mpi.c:596
bool_t tls13IsPskValid(TlsContext *context)
unsigned int uint_t
Definition: compiler_port.h:43
error_t tls13ParsePskKeModesExtension(TlsContext *context, const Tls13PskKeModeList *pskKeModeList)
#define STORE16BE(a, p)
Definition: cpu_endian.h:244
__start_packed struct @99 Tls13PskIdentityList
List of PSK identities.
error_t tls13FormatSelectedGroupExtension(TlsContext *context, uint8_t *p, size_t *written)
error_t tls13GenerateSharedSecret(TlsContext *context, const uint8_t *keyShare, size_t length)
error_t tls13ParseClientEarlyDataExtension(TlsContext *context, const uint8_t *earlyDataIndication)
__start_packed struct @96 Tls13KeyShareList
List of key shares.
Common interface for hash algorithms.
Definition: crypto.h:1054
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
__start_packed struct @85 TlsClientHello
ClientHello message.
uint8_t msgType
Definition: dtls_misc.h:177
uint_t mpiGetByteLength(const Mpi *a)
Get the actual length in bytes.
Definition: mpi.c:154
#define FALSE
Definition: os_port.h:44
#define TlsContext
Definition: tls.h:34
int bool_t
Definition: compiler_port.h:47
error_t tls13FormatServerPreSharedKeyExtension(TlsContext *context, uint8_t *p, size_t *written)
Formatting and parsing of extensions (TLS 1.3 server)
#define TRACE_DEBUG(...)
Definition: debug.h:98
bool_t tls13IsEcdheGroupSupported(TlsContext *context, uint16_t namedGroup)