tls13_server_misc.c
Go to the documentation of this file.
1 /**
2  * @file tls13_server_misc.c
3  * @brief Helper functions for TLS 1.3 server
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 1.9.6
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include <string.h>
36 #include "tls.h"
37 #include "tls_server_misc.h"
38 #include "tls_transcript_hash.h"
39 #include "tls_ffdhe.h"
40 #include "tls_misc.h"
42 #include "tls13_server_misc.h"
43 #include "tls13_key_material.h"
44 #include "debug.h"
45 
46 //Check TLS library configuration
47 #if (TLS_SUPPORT == ENABLED && TLS_SERVER_SUPPORT == ENABLED && \
48  TLS_MAX_VERSION >= TLS_VERSION_1_3)
49 
50 
51 /**
52  * @brief Cipher suite and key exchange method negotiation
53  * @param[in] context Pointer to the TLS context
54  * @param[in] clientHello Pointer to the ClientHello message
55  * @param[in] clientHelloLen Length of the ClientHello message
56  * @param[in] cipherSuites List of cipher suites offered by the client
57  * @param[in] extensions ClientHello extensions offered by the client
58  * @return Error code
59  **/
60 
61 error_t tls13NegotiateCipherSuite(TlsContext *context, const void *clientHello,
62  size_t clientHelloLen, const TlsCipherSuites *cipherSuites,
64 {
65  error_t error;
66 
67  //In TLS 1.3, the cipher suite concept has been changed. The key exchange
68  //mechanism is negotiated separately from the cipher suite
69  context->keyExchMethod = TLS_KEY_EXCH_NONE;
70 
71  //The PreSharedKey extension is used to negotiate the identity of the
72  //pre-shared key to be used with a given handshake in association with
73  //PSK key establishment
74  error = tls13ParseClientPreSharedKeyExtension(context, clientHello,
75  clientHelloLen, extensions->identityList, extensions->binderList);
76  //Any error to report?
77  if(error)
78  return error;
79 
80  //Externally established PSKs should influence cipher suite selection
81  if(context->selectedIdentity >= 0)
82  {
83  //Select a cipher suite indicating a hash associated with the PSK
84  error = tlsNegotiateCipherSuite(context, context->cipherSuite.prfHashAlgo,
85  cipherSuites, extensions);
86 
87  //The server must ensure that it selects a compatible PSK and cipher suite
88  if(!error)
89  {
90  //Perform PSK handshake
91  context->keyExchMethod = TLS13_KEY_EXCH_PSK;
92  }
93  else
94  {
95  //Perform a non-PSK handshake if possible
96  context->keyExchMethod = TLS_KEY_EXCH_NONE;
97  context->selectedIdentity = -1;
98  }
99  }
100 
101  //Check key exchange method
102  if(context->keyExchMethod == TLS_KEY_EXCH_NONE)
103  {
104  //Perform cipher suite negotiation
105  error = tlsNegotiateCipherSuite(context, NULL, cipherSuites, extensions);
106  //If no acceptable choices are presented, terminate the handshake
107  if(error)
108  return ERROR_HANDSHAKE_FAILED;
109  }
110 
111  //If the handshake includes a HelloRetryRequest, the initial ClientHello
112  //and HelloRetryRequest are included in the transcript along with the new
113  //ClientHello
114  if(context->state != TLS_STATE_CLIENT_HELLO_2)
115  {
116  //Initialize handshake message hashing
117  error = tlsInitTranscriptHash(context);
118  //Any error to report?
119  if(error)
120  return error;
121  }
122 
123  //If the client opts to send 0-RTT data, it must supply an EarlyData
124  //extension in its ClientHello
125  error = tls13ParseClientEarlyDataExtension(context,
126  extensions->earlyDataIndication);
127  //Any error to report?
128  if(error)
129  return error;
130 
131  //The KeyShare extension contains the client's cryptographic parameters
132  error = tls13ParseClientKeyShareExtension(context, extensions->keyShareList);
133  //Any error to report?
134  if(error)
135  return error;
136 
137  //Incorrect (EC)DHE share?
138  if(extensions->keyShareList != NULL && context->namedGroup == TLS_GROUP_NONE)
139  {
140  //Select an appropriate ECDHE or FFDHE group
141  error = tls13SelectGroup(context, extensions->supportedGroupList);
142  //Any error to report?
143  if(error)
144  return error;
145 
146  //The server corrects the mismatch with a HelloRetryRequest
147  context->state = TLS_STATE_HELLO_RETRY_REQUEST;
148  }
149  else
150  {
151  //Check key exchange method
152  if(context->keyExchMethod == TLS13_KEY_EXCH_DHE ||
153  context->keyExchMethod == TLS13_KEY_EXCH_ECDHE)
154  {
155  //(EC)DHE key establishment is in use
156  }
157  else if(context->keyExchMethod == TLS13_KEY_EXCH_PSK ||
158  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
159  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
160  {
161  //Servers must not select a key exchange mode that is not listed by
162  //the client in the PskKeyExchangeModes extension
163  error = tls13ParsePskKeModesExtension(context,
164  extensions->pskKeModeList);
165  //Any error to report?
166  if(error)
167  return error;
168 
169  //Prior to accepting PSK key establishment, the server must validate
170  //the corresponding binder value
171  error = tls13VerifyPskBinder(context, clientHello, clientHelloLen,
172  extensions->identityList, extensions->binderList,
173  context->selectedIdentity);
174  //If this value does not validate, the server must abort the handshake
175  if(error)
176  return error;
177  }
178  else
179  {
180  //If no common cryptographic parameters can be negotiated, the server
181  //must abort the handshake with an appropriate alert
182  return ERROR_HANDSHAKE_FAILED;
183  }
184  }
185 
186  //Successful processing
187  return NO_ERROR;
188 }
189 
190 
191 /**
192  * @brief Select the group to be used when performing (EC)DHE key exchange
193  * @param[in] context Pointer to the TLS context
194  * @param[in] groupList List of named groups supported by the client
195  * @return Error code
196  **/
197 
199  const TlsSupportedGroupList *groupList)
200 {
201  error_t error;
202 
203  //Initialize status code
204  error = ERROR_HANDSHAKE_FAILED;
205 
206  //Reset the named group to its default value
207  context->namedGroup = TLS_GROUP_NONE;
208 
209 #if (TLS13_DHE_KE_SUPPORT == ENABLED || TLS13_ECDHE_KE_SUPPORT == ENABLED || \
210  TLS13_PSK_DHE_KE_SUPPORT == ENABLED || TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
211  //Valid SupportedGroups extension?
212  if(groupList != NULL)
213  {
214  uint_t i;
215  uint_t j;
216  uint_t n;
217  uint16_t namedGroup;
218 
219  //Get the number of named groups present in the list
220  n = ntohs(groupList->length) / sizeof(uint16_t);
221 
222  //Any preferred ECDHE or FFDHE groups?
223  if(context->numSupportedGroups > 0)
224  {
225  //Loop through the list of allowed groups (most preferred first)
226  for(i = 0; i < context->numSupportedGroups && error; i++)
227  {
228  //Loop through the list of named groups the client supports
229  for(j = 0; j < n && error; j++)
230  {
231  //Convert the named group to host byte order
232  namedGroup = ntohs(groupList->value[j]);
233 
234  //The named group to be used when performing (EC)DHE key exchange
235  //must be one of those present in the SupportedGroups extension
236  if(context->supportedGroups[i] == namedGroup)
237  {
238  //Check whether the ECDHE or FFDHE group is supported
239  if(tls13IsGroupSupported(context, namedGroup))
240  {
241  //Save the named group
242  context->namedGroup = namedGroup;
243  error = NO_ERROR;
244  }
245  }
246  }
247  }
248  }
249  else
250  {
251  //The named group to be used when performing (EC)DHE key exchange must
252  //be one of those present in the SupportedGroups extension
253  for(j = 0; j < n && error; j++)
254  {
255  //Convert the named group to host byte order
256  namedGroup = ntohs(groupList->value[j]);
257 
258  //Check whether the ECDHE or FFDHE group is supported
259  if(tls13IsGroupSupported(context, namedGroup))
260  {
261  //Save the named group
262  context->namedGroup = namedGroup;
263  error = NO_ERROR;
264  }
265  }
266  }
267  }
268 #endif
269 
270  //Return status code
271  return error;
272 }
273 
274 
275 /**
276  * @brief Verify PSK binder value
277  * @param[in] context Pointer to the TLS context
278  * @param[in] clientHello Pointer to the ClientHello message
279  * @param[in] clientHelloLen Length of the ClientHello message
280  * @param[in] identityList List of the identities that the client is willing
281  * to negotiate with the server
282  * @param[in] binderList List of HMAC values, one for each PSK offered in the
283  * PreSharedKey extension
284  * @param[in] selectedIdentity Selected PSK identity
285  * @return Error code
286  **/
287 
288 error_t tls13VerifyPskBinder(TlsContext *context, const void *clientHello,
289  size_t clientHelloLen, const Tls13PskIdentityList *identityList,
290  const Tls13PskBinderList *binderList, int_t selectedIdentity)
291 {
292 #if (TLS13_PSK_KE_SUPPORT == ENABLED || TLS13_PSK_DHE_KE_SUPPORT == ENABLED || \
293  TLS13_PSK_ECDHE_KE_SUPPORT == ENABLED)
294  error_t error;
295  int_t i;
296  size_t n;
297  const uint8_t *p;
298  const Tls13PskIdentity *identity;
299  const Tls13PskBinder *binder;
300  uint8_t calculatedBinder[TLS_MAX_HKDF_DIGEST_SIZE];
301 
302  //Initialize variables
303  identity = NULL;
304  binder = NULL;
305 
306  //Make sure the PreSharedKey extension is valid
307  if(identityList == NULL || binderList == NULL)
308  return ERROR_FAILURE;
309 
310  //Make sure the selected identity is valid
311  if(selectedIdentity < 0)
312  return ERROR_FAILURE;
313 
314  //Point to the list of the identities that the client is willing to
315  //negotiate with the server
316  p = identityList->value;
317  n = ntohs(identityList->length);
318 
319  //Loop through the list of PSK identities
320  for(i = 0; i <= selectedIdentity && n > 0; i++)
321  {
322  //Point to the current PskIdentity entry
323  identity = (Tls13PskIdentity *) p;
324 
325  //Malformed PreSharedKey extension?
326  if(n < sizeof(TlsPskIdentity))
327  return ERROR_DECODING_FAILED;
328  if(n < (sizeof(TlsPskIdentity) + ntohs(identity->length)))
329  return ERROR_DECODING_FAILED;
330 
331  //Point to the obfuscated_ticket_age field
332  p += sizeof(TlsPskIdentity) + ntohs(identity->length);
333  n -= sizeof(TlsPskIdentity) + ntohs(identity->length);
334 
335  //The obfuscated_ticket_age field is a 32-bit unsigned integer
336  if(n < sizeof(uint32_t))
337  return ERROR_DECODING_FAILED;
338 
339  //Point to the next PskIdentity entry
340  p += sizeof(uint32_t);
341  n -= sizeof(uint32_t);
342  }
343 
344  //Make sure the selected identity is within the range supplied by the client
345  if(selectedIdentity >= i)
346  return ERROR_FAILURE;
347 
348  //Point to the list of HMAC values, one for each PSK offered in the
349  //PreSharedKey extension
350  p = binderList->value;
351  n = ntohs(binderList->length);
352 
353  //Loop through the list of PSK binders
354  for(i = 0; i <= selectedIdentity && n > 0; i++)
355  {
356  //Point to the PskBinderEntry
357  binder = (Tls13PskBinder *) p;
358 
359  //Malformed PreSharedKey extension?
360  if(n < sizeof(Tls13PskBinder))
361  return ERROR_DECODING_FAILED;
362  if(n < (sizeof(Tls13PskBinder) + binder->length))
363  return ERROR_DECODING_FAILED;
364 
365  //Point to the next PskBinderEntry
366  p += sizeof(Tls13PskBinder) + binder->length;
367  n -= sizeof(Tls13PskBinder) + binder->length;
368  }
369 
370  //Make sure the selected identity is within the range supplied by the client
371  if(selectedIdentity >= i)
372  return ERROR_FAILURE;
373 
374  //Check the length of the PSK binder
375  if(binder->length > TLS_MAX_HKDF_DIGEST_SIZE)
377 
378  //The PSK binder is computed as an HMAC over a transcript hash containing
379  //a partial ClientHello up to the binders list itself
380  n = (uint8_t *) binderList - (uint8_t *) clientHello;
381 
382  //Compute PSK binder value
383  error = tls13ComputePskBinder(context, clientHello, clientHelloLen,
384  n, identity, calculatedBinder, binder->length);
385  //Any error to report?
386  if(error)
388 
389  //Debug message
390  TRACE_DEBUG("PSK binder:\r\n");
391  TRACE_DEBUG_ARRAY(" ", binder->value, binder->length);
392  TRACE_DEBUG("Calculated PSK binder:\r\n");
393  TRACE_DEBUG_ARRAY(" ", calculatedBinder, binder->length);
394 
395  //Prior to accepting PSK key establishment, the server must validate the
396  //corresponding binder value
397  if(memcmp(calculatedBinder, binder->value, binder->length))
398  {
399  //If this value does not validate, the server must abort the handshake
401  }
402 
403  //Successful verification
404  return NO_ERROR;
405 #else
406  //Not implemented
407  return ERROR_NOT_IMPLEMENTED;
408 #endif
409 }
410 
411 
412 /**
413  * @brief Process early data
414  * @param[in] context Pointer to the TLS context
415  * @param[in] data Pointer to the early data
416  * @param[in] length Length of the early data, in bytes
417  * @return Error code
418  **/
419 
420 error_t tls13ProcessEarlyData(TlsContext *context, const uint8_t *data,
421  size_t length)
422 {
423  //Check TLS version
424  if(context->version != TLS_VERSION_1_3)
426 
427  //Check current state
428  if(context->state != TLS_STATE_CLIENT_HELLO_2)
430 
431  //If the client opts to send 0-RTT data, it must supply an EarlyData
432  //extension in its ClientHello (refer to RFC 8446, section 4.2.10)
433  if(!context->earlyDataExtReceived)
435 
436  //Amount of 0-RTT data received by the server
437  context->earlyDataLen += length;
438 
439  //Discard records which fail deprotection (up to the configured
440  //max_early_data_size)
441  if(context->earlyDataLen > context->maxEarlyDataSize)
442  return ERROR_BAD_RECORD_MAC;
443 
444  //Debug message
445  TRACE_INFO("Discarding early data (%" PRIuSIZE " bytes)...\r\n", length);
446 
447  //The server may opt to reject early data
448  return NO_ERROR;
449 }
450 
451 
452 /**
453  * @brief Session ticket generation
454  * @param[in] context Pointer to the TLS context
455  * @param[in] message Pointer to the NewSessionTicket message
456  * @param[in] ticket Output stream where to write the session ticket
457  * @param[out] length Length of the session ticket, in bytes
458  * @return Error code
459  **/
460 
462  const Tls13NewSessionTicket *message, uint8_t *ticket, size_t *length)
463 {
464 #if (TLS_TICKET_SUPPORT == ENABLED)
465  error_t error;
466  size_t n;
467  Tls13SessionState *state;
468  const HashAlgo *hashAlgo;
469 
470  //Point to the session state information
471  state = (Tls13SessionState *) ticket;
472 
473  //Save session state
474  state->version = context->version;
475  state->cipherSuite = context->cipherSuite.identifier;
476  state->ticketTimestamp = osGetSystemTime();
477  state->ticketLifetime = ntohl(message->ticketLifetime);
478  state->ticketAgeAdd = ntohl(message->ticketAgeAdd);
479  memcpy(state->ticketNonce, message->ticketNonce, message->ticketNonceLen);
480  memset(state->ticketPsk, 0, TLS_MAX_HKDF_DIGEST_SIZE);
481 
482  //The hash function used by HKDF is the cipher suite hash algorithm
483  hashAlgo = context->cipherSuite.prfHashAlgo;
484  //Make sure the hash algorithm is valid
485  if(hashAlgo == NULL)
486  return ERROR_FAILURE;
487 
488  //Compute the PSK associated with the ticket
489  error = tls13HkdfExpandLabel(hashAlgo, context->resumptionMasterSecret,
490  hashAlgo->digestSize, "resumption", message->ticketNonce,
491  message->ticketNonceLen, state->ticketPsk, hashAlgo->digestSize);
492  //Any error?
493  if(error)
494  return error;
495 
496  //Save the length of the ticket PSK
497  state->ticketPskLen = hashAlgo->digestSize;
498 
499  //Compute the length of the session state
500  n = sizeof(Tls13SessionState);
501 
502  //Make sure a valid callback has been registered
503  if(context->ticketEncryptCallback == NULL)
504  return ERROR_FAILURE;
505 
506  //Encrypt the state information
507  error = context->ticketEncryptCallback(context, (uint8_t *) state, n,
508  ticket, length, context->ticketParam);
509  //Any error to report?
510  if(error)
511  return error;
512 
513  //Successful processing
514  return NO_ERROR;
515 #else
516  //Session ticket mechanism is not implemented
517  return ERROR_NOT_IMPLEMENTED;
518 #endif
519 }
520 
521 
522 /**
523  * @brief Session ticket verification
524  * @param[in] context Pointer to the TLS context
525  * @param[in] ticket Pointer to the encrypted ticket
526  * @param[in] length Length of the encrypted ticket, in bytes
527  * @param[in] obfuscatedTicketAge Obfuscated version of the ticket age
528  * @return Error code
529  **/
530 
531 error_t tls13VerifyTicket(TlsContext *context, const uint8_t *ticket,
532  size_t length, uint32_t obfuscatedTicketAge)
533 {
534 #if (TLS_TICKET_SUPPORT == ENABLED)
535  error_t error;
536  systime_t serverTicketAge;
537  Tls13SessionState *state;
538  const HashAlgo *hashAlgo;
539 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
541  systime_t clientTicketAge;
542 #endif
543 
544  //Make sure a valid callback has been registered
545  if(context->ticketDecryptCallback == NULL)
547 
548  //Check the length of the ticket
549  if(length == 0)
551 
552  //Allocate a buffer to store the decrypted state information
553  state = tlsAllocMem(length);
554  //Failed to allocate memory?
555  if(state == NULL)
556  return ERROR_OUT_OF_MEMORY;
557 
558  //Start of exception handling block
559  do
560  {
561  //Decrypt the received ticket
562  error = context->ticketDecryptCallback(context, ticket, length,
563  (uint8_t *) state, &length, context->ticketParam);
564  //Any error to report?
565  if(error)
566  break;
567 
568  //Check the length of the decrypted ticket
569  if(length != sizeof(Tls13SessionState))
570  {
571  //The ticket is malformed
572  error = ERROR_INVALID_TICKET;
573  break;
574  }
575 
576  //Check TLS version
577  if(state->version != TLS_VERSION_1_3)
578  {
579  //The ticket is not valid
580  error = ERROR_INVALID_TICKET;
581  break;
582  }
583 
584  //Compute the time since the ticket was issued
585  serverTicketAge = osGetSystemTime() - state->ticketTimestamp;
586 
587  //Verify ticket's validity
588  if(serverTicketAge >= (state->ticketLifetime * 1000))
589  {
590  //The ticket is not valid
591  error = ERROR_INVALID_TICKET;
592  break;
593  }
594 
595 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
596  //Compute the ticket age for the selected PSK identity by subtracting
597  //ticket_age_add from obfuscated_ticket_age modulo 2^32
598  clientTicketAge = obfuscatedTicketAge - state->ticketAgeAdd;
599 
600  //Calculate the difference between the client's view and the server's
601  //view of the age of the ticket
602  if(clientTicketAge < serverTicketAge)
603  delta = serverTicketAge - clientTicketAge;
604  else
605  delta = clientTicketAge - serverTicketAge;
606 
607  //For PSKs provisioned via NewSessionTicket, the server must validate
608  //that the ticket age for the selected PSK identity is within a small
609  //tolerance of the time since the ticket was issued
611  {
612  //If it is not, the server should proceed with the handshake but
613  //reject 0-RTT, and should not take any other action that assumes
614  //that this ClientHello is fresh (refer to RFC 8446, 4.2.10)
615  context->earlyDataRejected = TRUE;
616  }
617 #endif
618 
619  //Any ticket must only be resumed with a cipher suite that has the same
620  //KDF hash algorithm as that used to establish the original connection
621  error = tlsSelectCipherSuite(context, state->cipherSuite);
622  //Any error to report?
623  if(error)
624  break;
625 
626  //Point to the cipher suite hash algorithm
627  hashAlgo = context->cipherSuite.prfHashAlgo;
628  //Make sure the hash algorithm is valid
629  if(hashAlgo == NULL)
630  {
631  //The ticket is malformed
632  error = ERROR_INVALID_TICKET;
633  break;
634  }
635 
636  //The server must ensure that it selects a compatible PSK and cipher suite
637  if(state->ticketPskLen != hashAlgo->digestSize)
638  {
639  //The ticket is malformed
640  error = ERROR_INVALID_TICKET;
641  break;
642  }
643 
644  //Restore ticket PSK
645  memcpy(context->ticketPsk, state->ticketPsk, state->ticketPskLen);
646  context->ticketPskLen = state->ticketPskLen;
647 
648  //Retrieve the hash algorithm associated with the ticket
649  if(hashAlgo == tlsGetHashAlgo(TLS_HASH_ALGO_SHA256))
650  context->ticketHashAlgo = TLS_HASH_ALGO_SHA256;
651  else if(hashAlgo == tlsGetHashAlgo(TLS_HASH_ALGO_SHA384))
652  context->ticketHashAlgo = TLS_HASH_ALGO_SHA384;
653  else
654  context->ticketHashAlgo = TLS_HASH_ALGO_NONE;
655 
656  //End of exception handling block
657  } while(0);
658 
659  //Release state information
660  memset(state, 0, length);
661  tlsFreeMem(state);
662 
663  //Return status code
664  return error;
665 #else
666  //Session ticket mechanism is not implemented
668 #endif
669 }
670 
671 #endif
#define tlsAllocMem(size)
Definition: tls.h:757
error_t tls13ParseClientPreSharedKeyExtension(TlsContext *context, const TlsClientHello *clientHello, size_t clientHelloLen, const Tls13PskIdentityList *identityList, const Tls13PskBinderList *binderList)
TLS helper functions.
uint8_t length
Definition: dtls_misc.h:149
__start_packed struct @94 Tls13PskIdentity
PSK identity.
__start_packed struct @95 Tls13PskIdentityList
List of PSK identities.
error_t tls13VerifyPskBinder(TlsContext *context, const void *clientHello, size_t clientHelloLen, const Tls13PskIdentityList *identityList, const Tls13PskBinderList *binderList, int_t selectedIdentity)
signed int int_t
Definition: compiler_port.h:44
error_t tls13GenerateTicket(TlsContext *context, const Tls13NewSessionTicket *message, uint8_t *ticket, size_t *length)
uint8_t delta
Definition: coap_common.h:198
__start_packed struct @97 Tls13PskBinderList
List of PSK binders.
uint8_t p
Definition: ndp.h:298
#define TRUE
Definition: os_port.h:50
size_t digestSize
Definition: crypto.h:1135
#define TLS13_TICKET_AGE_TOLERANCE
Definition: tls13_misc.h:106
error_t tls13ParsePskKeModesExtension(TlsContext *context, const Tls13PskKeModeList *pskKeModeList)
error_t tls13ParseClientKeyShareExtension(TlsContext *context, const Tls13KeyShareList *keyShareList)
error_t tls13ParseClientEarlyDataExtension(TlsContext *context, const uint8_t *earlyDataIndication)
__start_packed struct @62 TlsCipherSuites
Cipher suites.
bool_t tls13IsGroupSupported(TlsContext *context, uint16_t namedGroup)
#define TlsContext
Definition: tls.h:36
error_t
Error codes.
Definition: error.h:42
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:829
Formatting and parsing of extensions (TLS 1.3 server)
Generic error code.
Definition: error.h:45
error_t tls13ProcessEarlyData(TlsContext *context, const uint8_t *data, size_t length)
error_t tlsSelectCipherSuite(TlsContext *context, uint16_t identifier)
Set cipher suite.
Definition: tls_misc.c:253
#define TLS_VERSION_1_3
Definition: tls.h:95
error_t tlsNegotiateCipherSuite(TlsContext *context, const HashAlgo *hashAlgo, const TlsCipherSuites *cipherSuites, TlsHelloExtensions *extensions)
Cipher suite negotiation.
#define TRACE_INFO(...)
Definition: debug.h:94
Helper functions for TLS 1.3 server.
Hello extensions.
Definition: tls.h:1894
error_t tls13HkdfExpandLabel(const HashAlgo *hash, const uint8_t *secret, size_t secretLen, const char_t *label, const uint8_t *context, size_t contextLen, uint8_t *output, size_t outputLen)
Transcript hash calculation.
error_t tls13VerifyTicket(TlsContext *context, const uint8_t *ticket, size_t length, uint32_t obfuscatedTicketAge)
#define ntohs(value)
Definition: cpu_endian.h:398
#define TRACE_DEBUG(...)
Definition: debug.h:106
error_t tls13ComputePskBinder(TlsContext *context, const void *clientHello, size_t clientHelloLen, size_t truncatedClientHelloLen, const Tls13PskIdentity *identity, uint8_t *binder, size_t binderLen)
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:107
uint8_t n
uint8_t extensions[]
Definition: tls13_misc.h:327
error_t tlsInitTranscriptHash(TlsContext *context)
Initialize handshake message hashing.
#define TLS_MAX_HKDF_DIGEST_SIZE
Definition: tls.h:817
__start_packed struct @75 TlsSupportedGroupList
List of supported groups.
uint8_t message[]
Definition: chap.h:152
TLS (Transport Layer Security)
__start_packed struct @102 Tls13NewSessionTicket
NewSessionTicket message (TLS 1.3)
__start_packed struct @79 TlsPskIdentity
PSK identity.
TLS 1.3 key schedule.
Common interface for hash algorithms.
Definition: crypto.h:1128
FFDHE key exchange.
Helper functions for TLS server.
error_t tls13SelectGroup(TlsContext *context, const TlsSupportedGroupList *groupList)
#define PRIuSIZE
Definition: compiler_port.h:78
unsigned int uint_t
Definition: compiler_port.h:45
uint8_t data[]
Definition: dtls_misc.h:176
#define tlsFreeMem(p)
Definition: tls.h:762
__start_packed struct @96 Tls13PskBinder
PSK binder.
error_t tls13NegotiateCipherSuite(TlsContext *context, const void *clientHello, size_t clientHelloLen, const TlsCipherSuites *cipherSuites, TlsHelloExtensions *extensions)
uint32_t systime_t
Definition: compiler_port.h:46
__start_packed struct @105 Tls13SessionState
Session state information.
#define ntohl(value)
Definition: cpu_endian.h:399
Success.
Definition: error.h:44
Debugging facilities.
systime_t osGetSystemTime(void)
Retrieve system time.