tls13_server_misc.c
Go to the documentation of this file.
1 /**
2  * @file tls13_server_misc.c
3  * @brief Helper functions for TLS 1.3 server
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneSSL Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @author Oryx Embedded SARL (www.oryx-embedded.com)
26  * @version 1.9.0
27  **/
28 
29 //Switch to the appropriate trace level
30 #define TRACE_LEVEL TLS_TRACE_LEVEL
31 
32 //Dependencies
33 #include <string.h>
34 #include "tls.h"
35 #include "tls_server_misc.h"
36 #include "tls_transcript_hash.h"
37 #include "tls_ffdhe.h"
38 #include "tls_misc.h"
40 #include "tls13_server_misc.h"
41 #include "tls13_key_material.h"
42 #include "debug.h"
43 
44 //Check TLS library configuration
45 #if (TLS_SUPPORT == ENABLED && TLS_SERVER_SUPPORT == ENABLED && \
46  TLS_MAX_VERSION >= TLS_VERSION_1_3)
47 
48 
49 /**
50  * @brief Cipher suite and key exchange method negotiation
51  * @param[in] context Pointer to the TLS context
52  * @param[in] clientHello Pointer to the ClientHello message
53  * @param[in] clientHelloLen Length of the ClientHello message
54  * @param[in] cipherSuites List of cipher suites offered by the client
55  * @param[in] extensions ClientHello extensions offered by the client
56  * @return Error code
57  **/
58 
59 error_t tls13NegotiateCipherSuite(TlsContext *context, const void *clientHello,
60  size_t clientHelloLen, const TlsCipherSuites *cipherSuites,
62 {
63  error_t error;
64 
65  //In TLS 1.3, the cipher suite concept has been changed. The key exchange
66  //mechanism is negotiated separately from the cipher suite
67  context->keyExchMethod = TLS_KEY_EXCH_NONE;
68  context->selectedIdentity = -1;
69 
70  //The PreSharedKey extension is used to negotiate the identity of the
71  //pre-shared key to be used with a given handshake in association with
72  //PSK key establishment
73  error = tls13ParseClientPreSharedKeyExtension(context, clientHello,
74  clientHelloLen, extensions->identityList, extensions->binderList);
75  //Any error to report?
76  if(error)
77  return error;
78 
79  //Externally established PSKs should influence cipher suite selection
80  if(context->selectedIdentity >= 0)
81  {
82  //Select a cipher suite indicating a hash associated with the PSK
83  error = tlsNegotiateCipherSuite(context, context->cipherSuite.prfHashAlgo,
84  cipherSuites, extensions);
85 
86  //The server must ensure that it selects a compatible PSK and cipher suite
87  if(!error)
88  {
89  //Perform PSK handshake
90  context->keyExchMethod = TLS13_KEY_EXCH_PSK;
91  }
92  else
93  {
94  //Perform a non-PSK handshake if possible
95  context->keyExchMethod = TLS_KEY_EXCH_NONE;
96  context->selectedIdentity = -1;
97  }
98  }
99 
100  //Check key exchange method
101  if(context->keyExchMethod == TLS_KEY_EXCH_NONE)
102  {
103  //Perform cipher suite negotiation
104  error = tlsNegotiateCipherSuite(context, NULL, cipherSuites, extensions);
105  //If no acceptable choices are presented, terminate the handshake
106  if(error)
107  return error;
108  }
109 
110  //If the handshake includes a HelloRetryRequest, the initial ClientHello
111  //and HelloRetryRequest are included in the transcript along with the new
112  //ClientHello
113  if(context->state != TLS_STATE_CLIENT_HELLO_2)
114  {
115  //Initialize handshake message hashing
116  error = tlsInitTranscriptHash(context);
117  //Any error to report?
118  if(error)
119  return error;
120  }
121 
122  //If the client opts to send 0-RTT data, it must supply an EarlyData
123  //extension in its ClientHello
124  error = tls13ParseClientEarlyDataExtension(context,
125  extensions->earlyDataIndication);
126  //Any error to report?
127  if(error)
128  return error;
129 
130  //The KeyShare extension contains the client's cryptographic parameters
131  error = tls13ParseClientKeyShareExtension(context, extensions->keyShareList);
132  //Any error to report?
133  if(error)
134  return error;
135 
136  //Incorrect (EC)DHE share?
137  if(extensions->keyShareList != NULL && context->namedGroup == TLS_GROUP_NONE)
138  {
139  //Select an appropriate ECDHE or FFDHE group
140  error = tls13SelectGroup(context, extensions->supportedGroupList);
141  //Any error to report?
142  if(error)
143  return error;
144 
145  //The server corrects the mismatch with a HelloRetryRequest
146  context->state = TLS_STATE_HELLO_RETRY_REQUEST;
147  }
148  else
149  {
150  //Check key exchange method
151  if(context->keyExchMethod == TLS13_KEY_EXCH_DHE ||
152  context->keyExchMethod == TLS13_KEY_EXCH_ECDHE)
153  {
154  //(EC)DHE key establishment is in use
155  }
156  else if(context->keyExchMethod == TLS13_KEY_EXCH_PSK ||
157  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
158  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
159  {
160  //Servers must not select a key exchange mode that is not listed by
161  //the client in the PskKeyExchangeModes extension
162  error = tls13ParsePskKeModesExtension(context,
163  extensions->pskKeModeList);
164  //Any error to report?
165  if(error)
166  return error;
167 
168  //Prior to accepting PSK key establishment, the server must validate
169  //the corresponding binder value
170  error = tls13VerifyPskBinder(context, clientHello, clientHelloLen,
171  extensions->identityList, extensions->binderList,
172  context->selectedIdentity);
173  //If this value does not validate, the server must abort the handshake
174  if(error)
175  return error;
176  }
177  else
178  {
179  //If no common cryptographic parameters can be negotiated, the server
180  //must abort the handshake with an appropriate alert
181  return ERROR_HANDSHAKE_FAILED;
182  }
183  }
184 
185  //Successful processing
186  return NO_ERROR;
187 }
188 
189 
190 /**
191  * @brief Select the group to be used when performing (EC)DHE key exchange
192  * @param[in] context Pointer to the TLS context
193  * @param[in] groupList List of named groups supported by the client
194  * @return Error code
195  **/
196 
198  const TlsSupportedGroupList *groupList)
199 {
200  error_t error;
201 
202  //Initialize status code
203  error = ERROR_HANDSHAKE_FAILED;
204 
205  //Reset the named group to its default value
206  context->namedGroup = TLS_GROUP_NONE;
207 
208 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_ECDHE_KE_SUPPORT == ENABLED || \
209  TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
210  //Valid SupportedGroups extension?
211  if(groupList != NULL)
212  {
213  uint_t i;
214  uint_t j;
215  uint_t n;
216  uint16_t namedGroup;
217 
218  //Get the number of named groups present in the list
219  n = ntohs(groupList->length) / sizeof(uint16_t);
220 
221  //Any preferred ECDHE or FFDHE groups?
222  if(context->numSupportedGroups > 0)
223  {
224  //Loop through the list of allowed groups (most preferred first)
225  for(i = 0; i < context->numSupportedGroups && error; i++)
226  {
227  //Loop through the list of named groups the client supports
228  for(j = 0; j < n && error; j++)
229  {
230  //Convert the named group to host byte order
231  namedGroup = ntohs(groupList->value[j]);
232 
233  //The named group to be used when performing (EC)DHE key exchange
234  //must be one of those present in the SupportedGroups extension
235  if(context->supportedGroups[i] == namedGroup)
236  {
237  //Check whether the ECDHE or FFDHE group is supported
238  if(tls13IsGroupSupported(context, namedGroup))
239  {
240  //Save the named group
241  context->namedGroup = namedGroup;
242  error = NO_ERROR;
243  }
244  }
245  }
246  }
247  }
248  else
249  {
250  //The named group to be used when performing (EC)DHE key exchange must
251  //be one of those present in the SupportedGroups extension
252  for(j = 0; j < n && error; j++)
253  {
254  //Convert the named group to host byte order
255  namedGroup = ntohs(groupList->value[j]);
256 
257  //Check whether the ECDHE or FFDHE group is supported
258  if(tls13IsGroupSupported(context, namedGroup))
259  {
260  //Save the named group
261  context->namedGroup = namedGroup;
262  error = NO_ERROR;
263  }
264  }
265  }
266  }
267 #endif
268 
269  //Return status code
270  return error;
271 }
272 
273 
274 /**
275  * @brief Verify PSK binder value
276  * @param[in] context Pointer to the TLS context
277  * @param[in] clientHello Pointer to the ClientHello message
278  * @param[in] clientHelloLen Length of the ClientHello message
279  * @param[in] identityList List of the identities that the client is willing
280  * to negotiate with the server
281  * @param[in] binderList List of HMAC values, one for each PSK offered in the
282  * PreSharedKey extension
283  * @param[in] selectedIdentity Selected PSK identity
284  * @return Error code
285  **/
286 
287 error_t tls13VerifyPskBinder(TlsContext *context, const void *clientHello,
288  size_t clientHelloLen, const Tls13PskIdentityList *identityList,
289  const Tls13PskBinderList *binderList, int_t selectedIdentity)
290 {
291 #if (TLS13_PSK_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED || \
292  TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
293  error_t error;
294  int_t i;
295  size_t n;
296  const uint8_t *p;
297  const Tls13PskIdentity *identity;
298  const Tls13PskBinder *binder;
299  uint8_t calculatedBinder[TLS_MAX_HKDF_DIGEST_SIZE];
300 
301  //Initialize variables
302  identity = NULL;
303  binder = NULL;
304 
305  //Make sure the PreSharedKey extension is valid
306  if(identityList == NULL || binderList == NULL)
307  return ERROR_FAILURE;
308 
309  //Make sure the selected identity is valid
310  if(selectedIdentity < 0)
311  return ERROR_FAILURE;
312 
313  //Point to the list of the identities that the client is willing to
314  //negotiate with the server
315  p = identityList->value;
316  n = ntohs(identityList->length);
317 
318  //Loop through the list of PSK identities
319  for(i = 0; i <= selectedIdentity && n > 0; i++)
320  {
321  //Point to the current PskIdentity entry
322  identity = (Tls13PskIdentity *) p;
323 
324  //Malformed PreSharedKey extension?
325  if(n < sizeof(TlsPskIdentity))
326  return ERROR_DECODING_FAILED;
327  if(n < (sizeof(TlsPskIdentity) + ntohs(identity->length)))
328  return ERROR_DECODING_FAILED;
329 
330  //Point to the obfuscated_ticket_age field
331  p += sizeof(TlsPskIdentity) + ntohs(identity->length);
332  n -= sizeof(TlsPskIdentity) + ntohs(identity->length);
333 
334  //The obfuscated_ticket_age field is a 32-bit unsigned integer
335  if(n < sizeof(uint32_t))
336  return ERROR_DECODING_FAILED;
337 
338  //Point to the next PskIdentity entry
339  p += sizeof(uint32_t);
340  n -= sizeof(uint32_t);
341  }
342 
343  //Make sure the selected identity is within the range supplied by the client
344  if(selectedIdentity >= i)
345  return ERROR_FAILURE;
346 
347  //Point to the list of HMAC values, one for each PSK offered in the
348  //PreSharedKey extension
349  p = binderList->value;
350  n = ntohs(binderList->length);
351 
352  //Loop through the list of PSK binders
353  for(i = 0; i <= selectedIdentity && n > 0; i++)
354  {
355  //Point to the PskBinderEntry
356  binder = (Tls13PskBinder *) p;
357 
358  //Malformed PreSharedKey extension?
359  if(n < sizeof(Tls13PskBinder))
360  return ERROR_DECODING_FAILED;
361  if(n < (sizeof(Tls13PskBinder) + binder->length))
362  return ERROR_DECODING_FAILED;
363 
364  //Point to the next PskBinderEntry
365  p += sizeof(Tls13PskBinder) + binder->length;
366  n -= sizeof(Tls13PskBinder) + binder->length;
367  }
368 
369  //Make sure the selected identity is within the range supplied by the client
370  if(selectedIdentity >= i)
371  return ERROR_FAILURE;
372 
373  //Check the length of the PSK binder
374  if(binder->length > TLS_MAX_HKDF_DIGEST_SIZE)
376 
377  //The PSK binder is computed as an HMAC over a transcript hash containing
378  //a partial ClientHello up to the binders list itself
379  n = (uint8_t *) binderList - (uint8_t *) clientHello;
380 
381  //Compute PSK binder value
382  error = tls13ComputePskBinder(context, clientHello, clientHelloLen,
383  n, identity, calculatedBinder, binder->length);
384  //Any error to report?
385  if(error)
387 
388  //Debug message
389  TRACE_DEBUG("PSK binder:\r\n");
390  TRACE_DEBUG_ARRAY(" ", binder->value, binder->length);
391  TRACE_DEBUG("Calculated PSK binder:\r\n");
392  TRACE_DEBUG_ARRAY(" ", calculatedBinder, binder->length);
393 
394  //Prior to accepting PSK key establishment, the server must validate the
395  //corresponding binder value
396  if(memcmp(calculatedBinder, binder->value, binder->length))
397  {
398  //If this value does not validate, the server must abort the handshake
400  }
401 
402  //Successful verification
403  return NO_ERROR;
404 #else
405  //Not implemented
406  return ERROR_NOT_IMPLEMENTED;
407 #endif
408 }
409 
410 
411 /**
412  * @brief Process early data
413  * @param[in] context Pointer to the TLS context
414  * @param[in] data Pointer to the early data
415  * @param[in] length Length of the early data, in bytes
416  * @return Error code
417  **/
418 
419 error_t tls13ProcessEarlyData(TlsContext *context, const uint8_t *data,
420  size_t length)
421 {
422  //Check TLS version
423  if(context->version != TLS_VERSION_1_3)
425 
426  //Check current state
427  if(context->state != TLS_STATE_CLIENT_HELLO_2)
429 
430  //If the client opts to send 0-RTT data, it must supply an EarlyData
431  //extension in its ClientHello (refer to RFC 8446, section 4.2.10)
432  if(!context->earlyDataExtReceived)
434 
435  //Amount of 0-RTT data received by the server
436  context->earlyDataLen += length;
437 
438  //Discard records which fail deprotection (up to the configured
439  //max_early_data_size)
440  if(context->earlyDataLen > context->maxEarlyDataSize)
441  return ERROR_BAD_RECORD_MAC;
442 
443  //Debug message
444  TRACE_INFO("Discarding early data (%" PRIuSIZE " bytes)...\r\n", length);
445 
446  //The server may opt to reject early data
447  return NO_ERROR;
448 }
449 
450 
451 /**
452  * @brief Session ticket generation
453  * @param[in] context Pointer to the TLS context
454  * @param[in] message Pointer to the NewSessionTicket message
455  * @param[in] ticket Output stream where to write the session ticket
456  * @param[out] length Length of the session ticket, in bytes
457  * @return Error code
458  **/
459 
461  const Tls13NewSessionTicket *message, uint8_t *ticket, size_t *length)
462 {
463 #if (TLS_TICKET_SUPPORT == ENABLED)
464  error_t error;
465  size_t n;
466  Tls13SessionState *state;
467  const HashAlgo *hashAlgo;
468 
469  //Point to the session state information
470  state = (Tls13SessionState *) ticket;
471 
472  //Save session state
473  state->version = context->version;
474  state->cipherSuite = context->cipherSuite.identifier;
475  state->ticketTimestamp = osGetSystemTime();
476  state->ticketLifetime = ntohl(message->ticketLifetime);
477  state->ticketAgeAdd = ntohl(message->ticketAgeAdd);
478  memcpy(state->ticketNonce, message->ticketNonce, message->ticketNonceLen);
479  memset(state->ticketPsk, 0, TLS_MAX_HKDF_DIGEST_SIZE);
480 
481  //The hash function used by HKDF is the cipher suite hash algorithm
482  hashAlgo = context->cipherSuite.prfHashAlgo;
483  //Make sure the hash algorithm is valid
484  if(hashAlgo == NULL)
485  return ERROR_FAILURE;
486 
487  //Compute the PSK associated with the ticket
488  error = tls13HkdfExpandLabel(hashAlgo, context->resumptionMasterSecret,
489  hashAlgo->digestSize, "resumption", message->ticketNonce,
490  message->ticketNonceLen, state->ticketPsk, hashAlgo->digestSize);
491  //Any error?
492  if(error)
493  return error;
494 
495  //Save the length of the ticket PSK
496  state->ticketPskLen = hashAlgo->digestSize;
497 
498  //Compute the length of the session state
499  n = sizeof(Tls13SessionState);
500 
501  //Make sure a valid callback has been registered
502  if(context->ticketEncryptCallback == NULL)
503  return ERROR_FAILURE;
504 
505  //Encrypt the state information
506  error = context->ticketEncryptCallback(context, (uint8_t *) state, n,
507  ticket, length, context->ticketParam);
508  //Any error to report?
509  if(error)
510  return error;
511 
512  //Successful processing
513  return NO_ERROR;
514 #else
515  //Session ticket mechanism is not implemented
516  return ERROR_NOT_IMPLEMENTED;
517 #endif
518 }
519 
520 
521 /**
522  * @brief Session ticket verification
523  * @param[in] context Pointer to the TLS context
524  * @param[in] ticket Pointer to the encrypted ticket
525  * @param[in] length Length of the encrypted ticket, in bytes
526  * @param[in] obfuscatedTicketAge Obfuscated version of the ticket age
527  * @return Error code
528  **/
529 
530 error_t tls13VerifyTicket(TlsContext *context, const uint8_t *ticket,
531  size_t length, uint32_t obfuscatedTicketAge)
532 {
533 #if (TLS_TICKET_SUPPORT == ENABLED)
534  error_t error;
535  systime_t serverTicketAge;
536  Tls13SessionState *state;
537  const HashAlgo *hashAlgo;
538 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
540  systime_t clientTicketAge;
541 #endif
542 
543  //Make sure a valid callback has been registered
544  if(context->ticketDecryptCallback == NULL)
546 
547  //Check the length of the ticket
548  if(length == 0)
550 
551  //Allocate a buffer to store the decrypted state information
552  state = tlsAllocMem(length);
553  //Failed to allocate memory?
554  if(state == NULL)
555  return ERROR_OUT_OF_MEMORY;
556 
557  //Start of exception handling block
558  do
559  {
560  //Decrypt the received ticket
561  error = context->ticketDecryptCallback(context, ticket, length,
562  (uint8_t *) state, &length, context->ticketParam);
563  //Any error to report?
564  if(error)
565  break;
566 
567  //Check the length of the decrypted ticket
568  if(length != sizeof(Tls13SessionState))
569  {
570  //The ticket is malformed
571  error = ERROR_INVALID_TICKET;
572  break;
573  }
574 
575  //Check TLS version
576  if(state->version != TLS_VERSION_1_3)
577  {
578  //The ticket is not valid
579  error = ERROR_INVALID_TICKET;
580  break;
581  }
582 
583  //Compute the time since the ticket was issued
584  serverTicketAge = osGetSystemTime() - state->ticketTimestamp;
585 
586  //Verify ticket's validity
587  if(serverTicketAge >= (state->ticketLifetime * 1000))
588  {
589  //The ticket is not valid
590  error = ERROR_INVALID_TICKET;
591  break;
592  }
593 
594 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
595  //Compute the ticket age for the selected PSK identity by subtracting
596  //ticket_age_add from obfuscated_ticket_age modulo 2^32
597  clientTicketAge = obfuscatedTicketAge - state->ticketAgeAdd;
598 
599  //Calculate the difference between the client's view and the server's
600  //view of the age of the ticket
601  if(clientTicketAge < serverTicketAge)
602  delta = serverTicketAge - clientTicketAge;
603  else
604  delta = clientTicketAge - serverTicketAge;
605 
606  //For PSKs provisioned via NewSessionTicket, the server must validate
607  //that the ticket age for the selected PSK identity is within a small
608  //tolerance of the time since the ticket was issued
610  {
611  //If it is not, the server should proceed with the handshake but
612  //reject 0-RTT, and should not take any other action that assumes
613  //that this ClientHello is fresh (refer to RFC 8446, 4.2.10)
614  context->earlyDataRejected = TRUE;
615  }
616 #endif
617 
618  //Any ticket must only be resumed with a cipher suite that has the same
619  //KDF hash algorithm as that used to establish the original connection
620  error = tlsSelectCipherSuite(context, state->cipherSuite);
621  //Any error to report?
622  if(error)
623  break;
624 
625  //Point to the cipher suite hash algorithm
626  hashAlgo = context->cipherSuite.prfHashAlgo;
627  //Make sure the hash algorithm is valid
628  if(hashAlgo == NULL)
629  {
630  //The ticket is malformed
631  error = ERROR_INVALID_TICKET;
632  break;
633  }
634 
635  //The server must ensure that it selects a compatible PSK and cipher suite
636  if(state->ticketPskLen != hashAlgo->digestSize)
637  {
638  //The ticket is malformed
639  error = ERROR_INVALID_TICKET;
640  break;
641  }
642 
643  //Restore ticket PSK
644  memcpy(context->ticketPsk, state->ticketPsk, state->ticketPskLen);
645  context->ticketPskLen = state->ticketPskLen;
646 
647  //Retrieve the hash algorithm associated with the ticket
648  if(hashAlgo == tlsGetHashAlgo(TLS_HASH_ALGO_SHA256))
649  context->ticketHashAlgo = TLS_HASH_ALGO_SHA256;
650  else if(hashAlgo == tlsGetHashAlgo(TLS_HASH_ALGO_SHA384))
651  context->ticketHashAlgo = TLS_HASH_ALGO_SHA384;
652  else
653  context->ticketHashAlgo = TLS_HASH_ALGO_NONE;
654 
655  //End of exception handling block
656  } while(0);
657 
658  //Release state information
659  memset(state, 0, length);
660  tlsFreeMem(state);
661 
662  //Return status code
663  return error;
664 #else
665  //Session ticket mechanism is not implemented
667 #endif
668 }
669 
670 #endif
TLS (Transport Layer Security)
uint32_t systime_t
Definition: compiler_port.h:44
__start_packed struct @98 Tls13PskIdentity
PSK identity.
systime_t osGetSystemTime(void)
Retrieve system time.
error_t tls13NegotiateCipherSuite(TlsContext *context, const void *clientHello, size_t clientHelloLen, const TlsCipherSuites *cipherSuites, TlsHelloExtensions *extensions)
FFDHE key exchange.
Debugging facilities.
#define tlsFreeMem(p)
Definition: tls.h:760
uint8_t p
Definition: ndp.h:295
TLS 1.3 key schedule.
bool_t tls13IsGroupSupported(TlsContext *context, uint16_t namedGroup)
Generic error code.
Definition: error.h:43
uint8_t message[]
Definition: chap.h:150
Helper functions for TLS 1.3 server.
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:836
error_t tls13GenerateTicket(TlsContext *context, const Tls13NewSessionTicket *message, uint8_t *ticket, size_t *length)
#define TLS_VERSION_1_3
Definition: tls.h:90
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:99
error_t tls13ProcessEarlyData(TlsContext *context, const uint8_t *data, size_t length)
__start_packed struct @100 Tls13PskBinder
PSK binder.
error_t tlsInitTranscriptHash(TlsContext *context)
Initialize handshake message hashing.
__start_packed struct @75 TlsSupportedGroupList
List of supported groups.
#define TRUE
Definition: os_port.h:48
error_t tls13ParseClientPreSharedKeyExtension(TlsContext *context, const TlsClientHello *clientHello, size_t clientHelloLen, const Tls13PskIdentityList *identityList, const Tls13PskBinderList *binderList)
__start_packed struct @101 Tls13PskBinderList
List of PSK binders.
#define ntohl(value)
Definition: cpu_endian.h:397
TLS helper functions.
error_t tlsNegotiateCipherSuite(TlsContext *context, const HashAlgo *hashAlgo, const TlsCipherSuites *cipherSuites, TlsHelloExtensions *extensions)
Cipher suite negotiation.
#define ntohs(value)
Definition: cpu_endian.h:396
signed int int_t
Definition: compiler_port.h:42
__start_packed struct @106 Tls13NewSessionTicket
NewSessionTicket message (TLS 1.3)
error_t tls13VerifyTicket(TlsContext *context, const uint8_t *ticket, size_t length, uint32_t obfuscatedTicketAge)
error_t tls13ParseClientKeyShareExtension(TlsContext *context, const Tls13KeyShareList *keyShareList)
__start_packed struct @79 TlsPskIdentity
PSK identity.
error_t tls13HkdfExpandLabel(const HashAlgo *hash, const uint8_t *secret, size_t secretLen, const char_t *label, const uint8_t *context, size_t contextLen, uint8_t *output, size_t outputLen)
Helper functions for TLS server.
error_t tls13ComputePskBinder(TlsContext *context, const void *clientHello, size_t clientHelloLen, size_t truncatedClientHelloLen, const Tls13PskIdentity *identity, uint8_t *binder, size_t binderLen)
#define TRACE_INFO(...)
Definition: debug.h:86
Success.
Definition: error.h:42
error_t tlsSelectCipherSuite(TlsContext *context, uint16_t identifier)
Set cipher suite.
Definition: tls_misc.c:247
error_t
Error codes.
Definition: error.h:40
uint8_t extensions[]
Definition: tls13_misc.h:322
unsigned int uint_t
Definition: compiler_port.h:43
error_t tls13ParsePskKeModesExtension(TlsContext *context, const Tls13PskKeModeList *pskKeModeList)
__start_packed struct @99 Tls13PskIdentityList
List of PSK identities.
uint8_t data[]
Definition: dtls_misc.h:167
#define PRIuSIZE
Definition: compiler_port.h:72
__start_packed struct @62 TlsCipherSuites
Cipher suites.
error_t tls13ParseClientEarlyDataExtension(TlsContext *context, const uint8_t *earlyDataIndication)
Hello extensions.
Definition: tls.h:1878
Transcript hash calculation.
uint8_t delta
Definition: coap_common.h:196
#define tlsAllocMem(size)
Definition: tls.h:755
size_t digestSize
Definition: crypto.h:1061
error_t tls13VerifyPskBinder(TlsContext *context, const void *clientHello, size_t clientHelloLen, const Tls13PskIdentityList *identityList, const Tls13PskBinderList *binderList, int_t selectedIdentity)
#define TLS_MAX_HKDF_DIGEST_SIZE
Definition: tls.h:815
Common interface for hash algorithms.
Definition: crypto.h:1054
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
__start_packed struct @109 Tls13SessionState
Session state information.
error_t tls13SelectGroup(TlsContext *context, const TlsSupportedGroupList *groupList)
#define TlsContext
Definition: tls.h:34
#define TLS13_TICKET_AGE_TOLERANCE
Definition: tls13_misc.h:104
Formatting and parsing of extensions (TLS 1.3 server)
#define TRACE_DEBUG(...)
Definition: debug.h:98