tls_client.c
Go to the documentation of this file.
1 /**
2  * @file tls_client.c
3  * @brief Handshake message processing (TLS client)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @section Description
28  *
29  * The TLS protocol provides communications security over the Internet. The
30  * protocol allows client/server applications to communicate in a way that
31  * is designed to prevent eavesdropping, tampering, or message forgery
32  *
33  * @author Oryx Embedded SARL (www.oryx-embedded.com)
34  * @version 2.4.0
35  **/
36 
37 //Switch to the appropriate trace level
38 #define TRACE_LEVEL TLS_TRACE_LEVEL
39 
40 //Dependencies
41 #include "tls.h"
42 #include "tls_cipher_suites.h"
43 #include "tls_handshake.h"
44 #include "tls_client.h"
45 #include "tls_client_extensions.h"
46 #include "tls_client_misc.h"
47 #include "tls_common.h"
48 #include "tls_extensions.h"
49 #include "tls_certificate.h"
50 #include "tls_sign_misc.h"
51 #include "tls_key_material.h"
52 #include "tls_transcript_hash.h"
53 #include "tls_record.h"
54 #include "tls_misc.h"
55 #include "tls13_client.h"
57 #include "tls13_client_misc.h"
58 #include "dtls_record.h"
59 #include "dtls_misc.h"
60 #include "pkix/pem_import.h"
61 #include "date_time.h"
62 #include "debug.h"
63 
64 //Check TLS library configuration
65 #if (TLS_SUPPORT == ENABLED && TLS_CLIENT_SUPPORT == ENABLED)
66 
67 
68 /**
69  * @brief Send ClientHello message
70  *
71  * When a client first connects to a server, it is required to send
72  * the ClientHello as its first message. The client can also send a
73  * ClientHello in response to a HelloRequest or on its own initiative
74  * in order to renegotiate the security parameters in an existing
75  * connection
76  *
77  * @param[in] context Pointer to the TLS context
78  * @return Error code
79  **/
80 
82 {
83  error_t error;
84  size_t length;
86 
87  //Point to the buffer where to format the message
88  message = (TlsClientHello *) (context->txBuffer + context->txBufferLen);
89 
90 #if (DTLS_SUPPORT == ENABLED)
91  //DTLS protocol?
92  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
93  {
94  //When sending the first ClientHello, the client does not have a cookie yet
95  if(context->cookieLen == 0)
96  {
97  //Generate the client random value using a cryptographically-safe
98  //pseudorandom number generator
99  error = tlsGenerateRandomValue(context, context->clientRandom);
100  }
101  else
102  {
103  //When responding to a HelloVerifyRequest, the client must use the
104  //same random value as it did in the original ClientHello
105  error = NO_ERROR;
106  }
107  }
108  else
109 #endif
110  //TLS protocol?
111  {
112  //Initial or updated ClientHello?
113  if(context->state == TLS_STATE_CLIENT_HELLO)
114  {
115  //Generate the client random value using a cryptographically-safe
116  //pseudorandom number generator
117  error = tlsGenerateRandomValue(context, context->clientRandom);
118  }
119  else
120  {
121  //When responding to a HelloRetryRequest, the client must use the
122  //same random value as it did in the initial ClientHello
123  error = NO_ERROR;
124  }
125  }
126 
127 #if (TLS_MAX_VERSION >= TLS_VERSION_1_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
128  //Check status code
129  if(!error)
130  {
131  //In versions of TLS prior to TLS 1.3, the SessionTicket extension is used
132  //to resume a TLS session without requiring session-specific state at the
133  //TLS server
134  if(context->versionMin <= TLS_VERSION_1_2)
135  {
136  //Initial ClientHello?
137  if(context->state == TLS_STATE_CLIENT_HELLO)
138  {
139 #if (TLS_TICKET_SUPPORT == ENABLED)
140  //When presenting a ticket, the client may generate and include a
141  //session ID in the TLS ClientHello
142  if(tlsIsTicketValid(context) && context->sessionIdLen == 0)
143  {
144  //If the server accepts the ticket and the session ID is not
145  //empty, then it must respond with the same session ID present in
146  //the ClientHello. This allows the client to easily differentiate
147  //when the server is resuming a session from when it is falling
148  //back to a full handshake
149  error = tlsGenerateSessionId(context, 32);
150  }
151 #endif
152  }
153  }
154  }
155 #endif
156 
157 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
158  //Check status code
159  if(!error)
160  {
161  //TLS 1.3 supported by the client?
162  if(context->versionMax >= TLS_VERSION_1_3 &&
163  (context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM ||
164  context->transportProtocol == TLS_TRANSPORT_PROTOCOL_EAP))
165  {
166  //Initial or updated ClientHello?
167  if(context->state == TLS_STATE_CLIENT_HELLO)
168  {
169 #if (TLS13_MIDDLEBOX_COMPAT_SUPPORT == ENABLED)
170  //In compatibility mode the session ID field must be non-empty
171  if(context->sessionIdLen == 0)
172  {
173  //A client not offering a pre-TLS 1.3 session must generate a
174  //new 32-byte value. This value need not be random but should
175  //be unpredictable to avoid implementations fixating on a
176  //specific value (refer to RFC 8446, section 4.1.2)
177  error = tlsGenerateSessionId(context, 32);
178  }
179 #endif
180  //Check status code
181  if(!error)
182  {
183  //Any preferred ECDHE or FFDHE group?
184  if(tls13IsGroupSupported(context, context->preferredGroup))
185  {
186  //Pregenerate key share using preferred named group
187  error = tls13GenerateKeyShare(context, context->preferredGroup);
188  }
189  else
190  {
191  //Request group selection from the server, at the cost of an
192  //additional round trip
193  context->preferredGroup = TLS_GROUP_NONE;
194  }
195  }
196  }
197  else
198  {
199  //The updated ClientHello message is not encrypted
200  tlsFreeEncryptionEngine(&context->encryptionEngine);
201  }
202  }
203 
204  //Save current time
205  context->clientHelloTimestamp = osGetSystemTime();
206  }
207 #endif
208 
209  //Check status code
210  if(!error)
211  {
212  //Format ClientHello message
213  error = tlsFormatClientHello(context, message, &length);
214  }
215 
216  //Check status code
217  if(!error)
218  {
219  //Debug message
220  TRACE_INFO("Sending ClientHello message (%" PRIuSIZE " bytes)...\r\n", length);
222 
223  //Send handshake message
224  error = tlsSendHandshakeMessage(context, message, length,
226  }
227 
228  //Check status code
229  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
230  {
231  //Initial ClientHello?
232  if(context->state == TLS_STATE_CLIENT_HELLO)
233  {
234  //Wait for a ServerHello or HelloRetryRequest message
236  }
237  else
238  {
239  //Wait for a ServerHello message
241  }
242  }
243 
244  //Return status code
245  return error;
246 }
247 
248 
249 /**
250  * @brief Send ClientKeyExchange message
251  *
252  * This message is always sent by the client. It must immediately
253  * follow the client Certificate message, if it is sent. Otherwise,
254  * it must be the first message sent by the client after it receives
255  * the ServerHelloDone message
256  *
257  * @param[in] context Pointer to the TLS context
258  * @return Error code
259  **/
260 
262 {
263  error_t error;
264  size_t length;
266 
267  //Point to the buffer where to format the message
268  message = (TlsClientKeyExchange *) (context->txBuffer + context->txBufferLen);
269 
270  //Format ClientKeyExchange message
271  error = tlsFormatClientKeyExchange(context, message, &length);
272 
273  //Check status code
274  if(!error)
275  {
276  //Debug message
277  TRACE_INFO("Sending ClientKeyExchange message (%" PRIuSIZE " bytes)...\r\n", length);
279 
280  //Send handshake message
281  error = tlsSendHandshakeMessage(context, message, length,
283  }
284 
285  //Check status code
286  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
287  {
288  //Derive session keys from the premaster secret
289  error = tlsGenerateSessionKeys(context);
290 
291  //Key material successfully generated?
292  if(!error)
293  {
294  //Send a CertificateVerify message to the server
296  }
297  }
298 
299  //Return status code
300  return error;
301 }
302 
303 
304 /**
305  * @brief Format ClientHello message
306  * @param[in] context Pointer to the TLS context
307  * @param[out] message Buffer where to format the ClientHello message
308  * @param[out] length Length of the resulting ClientHello message
309  * @return Error code
310  **/
311 
313  TlsClientHello *message, size_t *length)
314 {
315  error_t error;
316  size_t n;
317  uint8_t *p;
318  TlsExtensionList *extensionList;
319 
320  //In TLS 1.3, the client indicates its version preferences in the
321  //SupportedVersions extension and the legacy_version field must be
322  //set to 0x0303, which is the version number for TLS 1.2
323  context->clientVersion = MIN(context->versionMax, TLS_VERSION_1_2);
324 
325 #if (DTLS_SUPPORT == ENABLED)
326  //DTLS protocol?
327  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
328  {
329  //Translate TLS version into DTLS version
330  context->clientVersion = dtlsTranslateVersion(context->clientVersion);
331  }
332 #endif
333 
334  //In previous versions of TLS, the version field is used for version
335  //negotiation and represents the highest version number supported by
336  //the client
337  message->clientVersion = htons(context->clientVersion);
338 
339  //Client random value
340  osMemcpy(message->random, context->clientRandom, 32);
341 
342  //Point to the session ID
343  p = message->sessionId;
344  //Length of the handshake message
345  *length = sizeof(TlsClientHello);
346 
347  //The session ID value identifies a session the client wishes to reuse for
348  //this connection
349  error = tlsFormatSessionId(context, p, &n);
350  //Any error to report?
351  if(error)
352  return error;
353 
354  //Fix the length of the session ID
355  message->sessionIdLen = (uint8_t) n;
356 
357  //Point to the next field
358  p += n;
359  //Adjust the length of the message
360  *length += n;
361 
362 #if (DTLS_SUPPORT == ENABLED)
363  //DTLS protocol?
364  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
365  {
366  //Format Cookie field
367  error = dtlsFormatCookie(context, p, &n);
368  //Any error to report?
369  if(error)
370  return error;
371 
372  //Point to the next field
373  p += n;
374  //Adjust the length of the message
375  *length += n;
376  }
377 #endif
378 
379  //Format the list of cipher suites supported by the client
380  error = tlsFormatCipherSuites(context, p, &n);
381  //Any error to report?
382  if(error)
383  return error;
384 
385  //Point to the next field
386  p += n;
387  //Adjust the length of the message
388  *length += n;
389 
390  //Format the list of compression methods supported by the client
391  error = tlsFormatCompressMethods(context, p, &n);
392  //Any error to report?
393  if(error)
394  return error;
395 
396  //Point to the next field
397  p += n;
398  //Adjust the length of the message
399  *length += n;
400 
401  //Clients may request extended functionality from servers by sending
402  //data in the extensions field
403  extensionList = (TlsExtensionList *) p;
404  //Total length of the extension list
405  extensionList->length = 0;
406 
407  //Point to the first extension of the list
408  p += sizeof(TlsExtensionList);
409 
410  //In TLS 1.2, the client can indicate its version preferences in the
411  //SupportedVersions extension
412  error = tlsFormatClientSupportedVersionsExtension(context, p, &n);
413  //Any error to report?
414  if(error)
415  return error;
416 
417  //Fix the length of the extension list
418  extensionList->length += (uint16_t) n;
419  //Point to the next field
420  p += n;
421 
422 #if (TLS_SNI_SUPPORT == ENABLED)
423  //In order to provide the server name, clients may include a ServerName
424  //extension
425  error = tlsFormatClientSniExtension(context, p, &n);
426  //Any error to report?
427  if(error)
428  return error;
429 
430  //Fix the length of the extension list
431  extensionList->length += (uint16_t) n;
432  //Point to the next field
433  p += n;
434 #endif
435 
436 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
437  //In order to negotiate smaller maximum fragment lengths, clients may
438  //include a MaxFragmentLength extension
439  error = tlsFormatClientMaxFragLenExtension(context, p, &n);
440  //Any error to report?
441  if(error)
442  return error;
443 
444  //Fix the length of the extension list
445  extensionList->length += (uint16_t) n;
446  //Point to the next field
447  p += n;
448 #endif
449 
450 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
451  //The value of RecordSizeLimit is the maximum size of record in octets
452  //that the endpoint is willing to receive
453  error = tlsFormatClientRecordSizeLimitExtension(context, p, &n);
454  //Any error to report?
455  if(error)
456  return error;
457 
458  //Fix the length of the extension list
459  extensionList->length += (uint16_t) n;
460  //Point to the next field
461  p += n;
462 #endif
463 
464  //A client that proposes ECC/FFDHE cipher suites in its ClientHello message
465  //should send the SupportedGroups extension
466  error = tlsFormatSupportedGroupsExtension(context, p, &n);
467  //Any error to report?
468  if(error)
469  return error;
470 
471  //Fix the length of the extension list
472  extensionList->length += (uint16_t) n;
473  //Point to the next field
474  p += n;
475 
476  //A client that proposes ECC cipher suites in its ClientHello message
477  //should send the EcPointFormats extension
478  error = tlsFormatClientEcPointFormatsExtension(context, p, &n);
479  //Any error to report?
480  if(error)
481  return error;
482 
483  //Fix the length of the extension list
484  extensionList->length += (uint16_t) n;
485  //Point to the next field
486  p += n;
487 
488  //Include the SignatureAlgorithms extension only if TLS 1.2 is supported
489  error = tlsFormatSignAlgosExtension(context, p, &n);
490  //Any error to report?
491  if(error)
492  return error;
493 
494  //Fix the length of the extension list
495  extensionList->length += (uint16_t) n;
496  //Point to the next field
497  p += n;
498 
499 #if (TLS_SIGN_ALGOS_CERT_SUPPORT == ENABLED)
500  //The SignatureAlgorithmsCert extension allows a client to indicate which
501  //signature algorithms it can validate in X.509 certificates
502  error = tlsFormatSignAlgosCertExtension(context, p, &n);
503  //Any error to report?
504  if(error)
505  return error;
506 
507  //Fix the length of the extension list
508  extensionList->length += (uint16_t) n;
509  //Point to the next field
510  p += n;
511 #endif
512 
513 #if (TLS_ALPN_SUPPORT == ENABLED)
514  //The ALPN extension contains the list of protocols advertised by the
515  //client, in descending order of preference
516  error = tlsFormatClientAlpnExtension(context, p, &n);
517  //Any error to report?
518  if(error)
519  return error;
520 
521  //Fix the length of the extension list
522  extensionList->length += (uint16_t) n;
523  //Point to the next field
524  p += n;
525 #endif
526 
527 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
528  //In order to indicate the support of raw public keys, clients include the
529  //ClientCertType extension in an extended ClientHello message
530  error = tlsFormatClientCertTypeListExtension(context, p, &n);
531  //Any error to report?
532  if(error)
533  return error;
534 
535  //Fix the length of the extension list
536  extensionList->length += (uint16_t) n;
537  //Point to the next field
538  p += n;
539 
540  //In order to indicate the support of raw public keys, clients include the
541  //ServerCertType extension in an extended ClientHello message
542  error = tlsFormatServerCertTypeListExtension(context, p, &n);
543  //Any error to report?
544  if(error)
545  return error;
546 
547  //Fix the length of the extension list
548  extensionList->length += (uint16_t) n;
549  //Point to the next field
550  p += n;
551 #endif
552 
553 #if (TLS_ENCRYPT_THEN_MAC_SUPPORT == ENABLED)
554  //On connecting, the client includes the EncryptThenMac extension in its
555  //ClientHello if it wishes to use encrypt-then-MAC rather than the default
556  //MAC-then-encrypt (refer to RFC 7366, section 2)
557  error = tlsFormatClientEtmExtension(context, p, &n);
558  //Any error to report?
559  if(error)
560  return error;
561 
562  //Fix the length of the extension list
563  extensionList->length += (uint16_t) n;
564  //Point to the next field
565  p += n;
566 #endif
567 
568 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
569  //In all handshakes, a client implementing RFC 7627 must send the
570  //ExtendedMasterSecret extension in its ClientHello
571  error = tlsFormatClientEmsExtension(context, p, &n);
572  //Any error to report?
573  if(error)
574  return error;
575 
576  //Fix the length of the extension list
577  extensionList->length += (uint16_t) n;
578  //Point to the next field
579  p += n;
580 #endif
581 
582 #if (TLS_TICKET_SUPPORT == ENABLED)
583  //The SessionTicket extension is used to resume a TLS session without
584  //requiring session-specific state at the TLS server
585  error = tlsFormatClientSessionTicketExtension(context, p, &n);
586  //Any error to report?
587  if(error)
588  return error;
589 
590  //Fix the length of the extension list
591  extensionList->length += (uint16_t) n;
592  //Point to the next field
593  p += n;
594 #endif
595 
596 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
597  //If the connection's secure_renegotiation flag is set to TRUE, the client
598  //must include a RenegotiationInfo extension in its ClientHello message
599  error = tlsFormatClientRenegoInfoExtension(context, p, &n);
600  //Any error to report?
601  if(error)
602  return error;
603 
604  //Fix the length of the extension list
605  extensionList->length += (uint16_t) n;
606  //Point to the next field
607  p += n;
608 #endif
609 
610 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
611  //TLS 1.3 supported by the client?
612  if(context->versionMax >= TLS_VERSION_1_3 &&
613  (context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM ||
614  context->transportProtocol == TLS_TRANSPORT_PROTOCOL_EAP))
615  {
616  Tls13PskIdentityList *identityList;
617  Tls13PskBinderList *binderList;
618 
619  //Clients must not use cookies in their initial ClientHello
620  if(context->state != TLS_STATE_CLIENT_HELLO)
621  {
622  //When sending the new ClientHello, the client must copy the contents
623  //of the Cookie extension received in the HelloRetryRequest into a
624  //Cookie extension in the new ClientHello
625  error = tls13FormatCookieExtension(context, p, &n);
626  //Any error to report?
627  if(error)
628  return error;
629 
630  //Fix the length of the extension list
631  extensionList->length += (uint16_t) n;
632  //Point to the next field
633  p += n;
634  }
635 
636  //The KeyShare extension contains the client's cryptographic parameters
637  error = tls13FormatClientKeyShareExtension(context, p, &n);
638  //Any error to report?
639  if(error)
640  return error;
641 
642  //Fix the length of the extension list
643  extensionList->length += (uint16_t) n;
644  //Point to the next field
645  p += n;
646 
647 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
648  //If the client opts to send application data in its first flight of
649  //messages, it must supply both the PreSharedKey and EarlyData extensions
650  error = tls13FormatClientEarlyDataExtension(context, p, &n);
651  //Any error to report?
652  if(error)
653  return error;
654 
655  //Fix the length of the extension list
656  extensionList->length += (uint16_t) n;
657  //Point to the next field
658  p += n;
659 #endif
660 
661  //In order to use PSKs, clients must send a PskKeyExchangeModes extension
662  error = tls13FormatPskKeModesExtension(context, p, &n);
663  //Any error to report?
664  if(error)
665  return error;
666 
667  //Fix the length of the extension list
668  extensionList->length += (uint16_t) n;
669  //Point to the next field
670  p += n;
671 
672 #if (TLS_CERT_AUTHORITIES_SUPPORT == ENABLED)
673  //The CertificateAuthorities extension is used to indicate the CAs which
674  //an endpoint supports and which should be used by the receiving endpoint
675  //to guide certificate selection
676  error = tlsFormatCertAuthoritiesExtension(context, p, &n);
677  //Any error to report?
678  if(error)
679  return error;
680 
681  //Fix the length of the extension list
682  extensionList->length += (uint16_t) n;
683  //Point to the next field
684  p += n;
685 #endif
686 
687 #if (TLS_CLIENT_HELLO_PADDING_SUPPORT == ENABLED)
688  //The first pass calculates the length of the PreSharedKey extension
689  error = tls13FormatClientPreSharedKeyExtension(context, p, &n,
690  &identityList, &binderList);
691  //Any error to report?
692  if(error)
693  return error;
694 
695  //Determine the length of the resulting message
696  n += *length + sizeof(TlsExtensionList) + extensionList->length;
697 
698  //Add a padding extension to ensure the ClientHello is never between
699  //256 and 511 bytes in length
700  error = tlsFormatClientHelloPaddingExtension(context, n, p, &n);
701  //Any error to report?
702  if(error)
703  return error;
704 
705  //Fix the length of the extension list
706  extensionList->length += (uint16_t) n;
707  //Point to the next field
708  p += n;
709 #endif
710 
711  //The extensions may appear in any order, with the exception of
712  //PreSharedKey which must be the last extension in the ClientHello
713  error = tls13FormatClientPreSharedKeyExtension(context, p, &n,
714  &identityList, &binderList);
715  //Any error to report?
716  if(error)
717  return error;
718 
719  //Fix the length of the extension list
720  extensionList->length += (uint16_t) n;
721  //Point to the next field
722  p += n;
723 
724  //Convert the length of the extension list to network byte order
725  extensionList->length = htons(extensionList->length);
726  //Total length of the message
727  *length += sizeof(TlsExtensionList) + htons(extensionList->length);
728 
729  //Fix PSK binder values in the PreSharedKey extension
730  error = tls13ComputePskBinders(context, message, *length, identityList,
731  binderList);
732  //Any error to report?
733  if(error)
734  return error;
735  }
736  else
737 #endif
738  {
739 #if (TLS_CLIENT_HELLO_PADDING_SUPPORT == ENABLED)
740  //Retrieve the actual length of the message
741  n = *length;
742 
743  //Any extensions included in the ClientHello message?
744  if(extensionList->length > 0)
745  {
746  n += sizeof(TlsExtensionList) + extensionList->length;
747  }
748 
749  //Add a padding extension to ensure the ClientHello is never between
750  //256 and 511 bytes in length
751  error = tlsFormatClientHelloPaddingExtension(context, n, p, &n);
752  //Any error to report?
753  if(error)
754  return error;
755 
756  //Fix the length of the extension list
757  extensionList->length += (uint16_t) n;
758  //Point to the next field
759  p += n;
760 #endif
761 
762  //Any extensions included in the ClientHello message?
763  if(extensionList->length > 0)
764  {
765  //Convert the length of the extension list to network byte order
766  extensionList->length = htons(extensionList->length);
767  //Total length of the message
768  *length += sizeof(TlsExtensionList) + htons(extensionList->length);
769  }
770  }
771 
772  //Successful processing
773  return NO_ERROR;
774 }
775 
776 
777 /**
778  * @brief Format ClientKeyExchange message
779  * @param[in] context Pointer to the TLS context
780  * @param[out] message Buffer where to format the ClientKeyExchange message
781  * @param[out] length Length of the resulting ClientKeyExchange message
782  * @return Error code
783  **/
784 
787 {
788  error_t error;
789  size_t n;
790  uint8_t *p;
791 
792  //Point to the beginning of the handshake message
793  p = message;
794  //Length of the handshake message
795  *length = 0;
796 
797 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
798  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
799  //PSK key exchange method?
800  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
801  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
802  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
803  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
804  {
805  //The client indicates which key to use by including a PSK identity
806  //in the ClientKeyExchange message
807  error = tlsFormatPskIdentity(context, p, &n);
808  //Any error to report?
809  if(error)
810  return error;
811 
812  //Advance data pointer
813  p += n;
814  //Adjust the length of the message
815  *length += n;
816  }
817 #endif
818 
819  //RSA, Diffie-Hellman or ECDH key exchange method?
820  if(context->keyExchMethod != TLS_KEY_EXCH_PSK)
821  {
822  //Format client's key exchange parameters
823  error = tlsFormatClientKeyParams(context, p, &n);
824  //Any error to report?
825  if(error)
826  return error;
827 
828  //Advance data pointer
829  p += n;
830  //Adjust the length of the message
831  *length += n;
832  }
833 
834 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
835  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
836  //PSK key exchange method?
837  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
838  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
839  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
840  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
841  {
842  //Invalid pre-shared key?
843  if(context->pskLen == 0)
845 
846  //Generate premaster secret
847  error = tlsGeneratePskPremasterSecret(context);
848  //Any error to report?
849  if(error)
850  return error;
851  }
852 #endif
853 
854  //Successful processing
855  return NO_ERROR;
856 }
857 
858 
859 /**
860  * @brief Parse HelloRequest message
861  *
862  * HelloRequest is a simple notification that the client should begin the
863  * negotiation process anew. In response, the client should send a ClientHello
864  * message when convenient
865  *
866  * @param[in] context Pointer to the TLS context
867  * @param[in] message Incoming HelloRequest message to parse
868  * @param[in] length Message length
869  * @return Error code
870  **/
871 
873  const TlsHelloRequest *message, size_t length)
874 {
875  error_t error;
876 
877  //Debug message
878  TRACE_INFO("HelloRequest message received (%" PRIuSIZE " bytes)...\r\n", length);
880 
881  //Check TLS version
882  if(context->version > TLS_VERSION_1_2)
884 
885  //The HelloRequest message does not contain any data
886  if(length != 0)
887  return ERROR_DECODING_FAILED;
888 
889  //Check current state
890  if(context->state == TLS_STATE_APPLICATION_DATA)
891  {
892 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
893  //Check whether the secure_renegociation flag is set
894  if(context->secureRenegoEnabled && context->secureRenegoFlag)
895  {
896  //Release existing session ticket, if any
897  if(context->ticket != NULL)
898  {
899  osMemset(context->ticket, 0, context->ticketLen);
900  tlsFreeMem(context->ticket);
901  context->ticket = NULL;
902  context->ticketLen = 0;
903  }
904 
905 #if (DTLS_SUPPORT == ENABLED)
906  //Release DTLS cookie
907  if(context->cookie != NULL)
908  {
909  tlsFreeMem(context->cookie);
910  context->cookie = NULL;
911  context->cookieLen = 0;
912  }
913 #endif
914  //HelloRequest is a simple notification that the client should begin
915  //the negotiation process anew
917 
918  //Continue processing
919  error = NO_ERROR;
920  }
921  else
922 #endif
923  {
924  //If the connection's secure_renegotiation flag is set to FALSE, it
925  //is recommended that clients refuse this renegotiation request (refer
926  //to RFC 5746, section 4.2)
927  error = tlsSendAlert(context, TLS_ALERT_LEVEL_FATAL,
929  }
930  }
931  else
932  {
933  //The HelloRequest message can be sent at any time but it should be
934  //ignored by the client if it arrives in the middle of a handshake
935  error = NO_ERROR;
936  }
937 
938  //Return status code
939  return error;
940 }
941 
942 
943 /**
944  * @brief Parse ServerHello message
945  *
946  * The server will send this message in response to a ClientHello
947  * message when it was able to find an acceptable set of algorithms.
948  * If it cannot find such a match, it will respond with a handshake
949  * failure alert
950  *
951  * @param[in] context Pointer to the TLS context
952  * @param[in] message Incoming ServerHello message to parse
953  * @param[in] length Message length
954  * @return Error code
955  **/
956 
958  const TlsServerHello *message, size_t length)
959 {
960  error_t error;
961  uint16_t cipherSuite;
962  uint8_t compressMethod;
963  const uint8_t *p;
965 
966  //Debug message
967  TRACE_INFO("ServerHello message received (%" PRIuSIZE " bytes)...\r\n", length);
969 
970  //Check current state
971  if(context->state != TLS_STATE_SERVER_HELLO &&
972  context->state != TLS_STATE_SERVER_HELLO_2 &&
973  context->state != TLS_STATE_SERVER_HELLO_3)
974  {
975  //Report an error
977  }
978 
979  //Check the length of the ServerHello message
980  if(length < sizeof(TlsServerHello))
981  return ERROR_DECODING_FAILED;
982 
983  //Point to the session ID
984  p = message->sessionId;
985  //Remaining bytes to process
986  length -= sizeof(TlsServerHello);
987 
988  //Check the length of the session ID
989  if(message->sessionIdLen > length)
990  return ERROR_DECODING_FAILED;
991  if(message->sessionIdLen > 32)
992  return ERROR_DECODING_FAILED;
993 
994  //Point to the next field
995  p += message->sessionIdLen;
996  //Remaining bytes to process
997  length -= message->sessionIdLen;
998 
999  //Malformed ServerHello message?
1000  if(length < sizeof(uint16_t))
1001  return ERROR_DECODING_FAILED;
1002 
1003  //Get the negotiated cipher suite
1004  cipherSuite = LOAD16BE(p);
1005  //Point to the next field
1006  p += sizeof(uint16_t);
1007  //Remaining bytes to process
1008  length -= sizeof(uint16_t);
1009 
1010  //Malformed ServerHello message?
1011  if(length < sizeof(uint8_t))
1012  return ERROR_DECODING_FAILED;
1013 
1014  //Get the negotiated compression method
1015  compressMethod = *p;
1016  //Point to the next field
1017  p += sizeof(uint8_t);
1018  //Remaining bytes to process
1019  length -= sizeof(uint8_t);
1020 
1021  //Server version
1022  TRACE_INFO(" serverVersion = 0x%04" PRIX16 " (%s)\r\n",
1023  ntohs(message->serverVersion),
1024  tlsGetVersionName(ntohs(message->serverVersion)));
1025 
1026  //Server random value
1027  TRACE_DEBUG(" random\r\n");
1028  TRACE_DEBUG_ARRAY(" ", message->random, 32);
1029 
1030  //Session identifier
1031  TRACE_DEBUG(" sessionId\r\n");
1032  TRACE_DEBUG_ARRAY(" ", message->sessionId, message->sessionIdLen);
1033 
1034  //Cipher suite identifier
1035  TRACE_INFO(" cipherSuite = 0x%04" PRIX16 " (%s)\r\n",
1037 
1038  //Compression method
1039  TRACE_DEBUG(" compressMethod = 0x%02" PRIX8 "\r\n", compressMethod);
1040 
1041  //The CRIME exploit takes advantage of TLS compression, so conservative
1042  //implementations do not accept compression at the TLS level
1043  if(compressMethod != TLS_COMPRESSION_METHOD_NULL)
1044  return ERROR_ILLEGAL_PARAMETER;
1045 
1046  //Parse the list of extensions offered by the server
1048  &extensions);
1049  //Any error to report?
1050  if(error)
1051  return error;
1052 
1053  //TLS protocol?
1054  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM ||
1055  context->transportProtocol == TLS_TRANSPORT_PROTOCOL_EAP)
1056  {
1057  //Check whether the ServerHello message is received in response to the
1058  //initial ClientHello
1059  if(context->state != TLS_STATE_SERVER_HELLO_2)
1060  {
1061  //Release transcript hash context
1062  tlsFreeTranscriptHash(context);
1063 
1064  //Format initial ClientHello message
1065  error = tlsFormatInitialClientHello(context);
1066  //Any error to report?
1067  if(error)
1068  return error;
1069  }
1070  }
1071 
1072  //Select TLS version
1073  error = tlsSelectClientVersion(context, message, &extensions);
1074  //TLS version not supported?
1075  if(error)
1076  return error;
1077 
1078  //Check the list of extensions offered by the server
1079  error = tlsCheckHelloExtensions(TLS_TYPE_SERVER_HELLO, context->version,
1080  &extensions);
1081  //Any error to report?
1082  if(error)
1083  return error;
1084 
1085  //Save server random value
1086  osMemcpy(context->serverRandom, message->random, 32);
1087 
1088 #if (TLS_MAX_VERSION >= TLS_VERSION_1_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1089  //TLS 1.0, TLS 1.1 or TLS 1.2 currently selected?
1090  if(context->version <= TLS_VERSION_1_2)
1091  {
1092  //Reset the named group to its default value
1093  context->namedGroup = TLS_GROUP_NONE;
1094 
1095  //Check whether the server has decided to resume a previous session
1096  error = tlsResumeSession(context, message->sessionId,
1097  message->sessionIdLen, cipherSuite);
1098  //Any error to report?
1099  if(error)
1100  return error;
1101 
1102  //Set cipher suite
1103  error = tlsSelectCipherSuite(context, cipherSuite);
1104  //Specified cipher suite not supported?
1105  if(error)
1106  return error;
1107 
1108  //Initialize handshake message hashing
1109  error = tlsInitTranscriptHash(context);
1110  //Any error to report?
1111  if(error)
1112  return error;
1113 
1114  //Save session identifier
1115  osMemcpy(context->sessionId, message->sessionId, message->sessionIdLen);
1116  context->sessionIdLen = message->sessionIdLen;
1117 
1118 #if (TLS_TICKET_SUPPORT == ENABLED)
1119  //Parse SessionTicket extension
1120  error = tlsParseServerSessionTicketExtension(context,
1121  extensions.sessionTicket);
1122  //Any error to report?
1123  if(error)
1124  return error;
1125 #endif
1126 
1127 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
1128  //Parse RenegotiationInfo extension
1129  error = tlsParseServerRenegoInfoExtension(context, &extensions);
1130  //Any error to report?
1131  if(error)
1132  return error;
1133 #endif
1134 
1135 #if (TLS_SNI_SUPPORT == ENABLED)
1136  //When the server includes a ServerName extension, the data field of
1137  //this extension may be empty
1138  error = tlsParseServerSniExtension(context, extensions.serverNameList);
1139  //Any error to report?
1140  if(error)
1141  return error;
1142 #endif
1143 
1144 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
1145  //Servers that receive an ClientHello containing a MaxFragmentLength
1146  //extension may accept the requested maximum fragment length by including
1147  //an extension of type MaxFragmentLength in the ServerHello
1148  error = tlsParseServerMaxFragLenExtension(context, extensions.maxFragLen);
1149  //Any error to report?
1150  if(error)
1151  return error;
1152 #endif
1153 
1154 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
1155  //The value of RecordSizeLimit is the maximum size of record in octets
1156  //that the peer is willing to receive
1158  extensions.recordSizeLimit);
1159  //Any error to report?
1160  if(error)
1161  return error;
1162 #endif
1163 
1164 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
1165  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1166  //A server that selects an ECC cipher suite in response to a ClientHello
1167  //message including an EcPointFormats extension appends this extension
1168  //to its ServerHello message
1169  error = tlsParseServerEcPointFormatsExtension(context,
1170  extensions.ecPointFormatList);
1171  //Any error to report?
1172  if(error)
1173  return error;
1174 #endif
1175 
1176 #if (TLS_ALPN_SUPPORT == ENABLED)
1177  //Parse ALPN extension
1178  error = tlsParseServerAlpnExtension(context, extensions.protocolNameList);
1179  //Any error to report?
1180  if(error)
1181  return error;
1182 #endif
1183 
1184 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
1185  //Parse ClientCertType extension
1186  error = tlsParseClientCertTypeExtension(context, extensions.clientCertType);
1187  //Any error to report?
1188  if(error)
1189  return error;
1190 
1191  //Parse ServerCertType extension
1192  error = tlsParseServerCertTypeExtension(context, extensions.serverCertType);
1193  //Any error to report?
1194  if(error)
1195  return error;
1196 #endif
1197 
1198 #if (TLS_ENCRYPT_THEN_MAC_SUPPORT == ENABLED)
1199  //Parse EncryptThenMac extension
1200  error = tlsParseServerEtmExtension(context, extensions.encryptThenMac);
1201  //Any error to report?
1202  if(error)
1203  return error;
1204 #endif
1205 
1206 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
1207  //Parse ExtendedMasterSecret extension
1208  error = tlsParseServerEmsExtension(context, extensions.extendedMasterSecret);
1209  //Any error to report?
1210  if(error)
1211  return error;
1212 #endif
1213 
1214 #if (TLS_SESSION_RESUME_SUPPORT == ENABLED)
1215  //Use abbreviated handshake?
1216  if(context->resume)
1217  {
1218  //Derive session keys from the master secret
1219  error = tlsGenerateSessionKeys(context);
1220  //Unable to generate key material?
1221  if(error)
1222  return error;
1223 
1224 #if (TLS_TICKET_SUPPORT == ENABLED)
1225  //The server uses the SessionTicket extension to indicate to the client
1226  //that it will send a new session ticket using the NewSessionTicket
1227  //handshake message
1228  if(context->sessionTicketExtReceived)
1229  {
1230  //Wait for a NewSessionTicket message from the server
1232  }
1233  else
1234 #endif
1235  {
1236  //At this point, both client and server must send ChangeCipherSpec
1237  //messages and proceed directly to Finished messages
1239  }
1240  }
1241  else
1242 #endif
1243  {
1244  //Perform a full handshake
1245  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1246  context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1247  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1248  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1249  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1250  {
1251  //The Certificate message is omitted from the server's response
1253  }
1254  else
1255  {
1256  //The server is required to send a Certificate message
1258  }
1259  }
1260  }
1261  else
1262 #endif
1263 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1264  //TLS 1.3 currently selected?
1265  if(context->version == TLS_VERSION_1_3)
1266  {
1267  //A client which receives a legacy_session_id_echo field that does not
1268  //match what it sent in the ClientHello must abort the handshake with an
1269  //illegal_parameter alert (RFC 8446, section 4.1.3)
1270  if(message->sessionIdLen != context->sessionIdLen ||
1271  osMemcmp(message->sessionId, context->sessionId, message->sessionIdLen))
1272  {
1273  //The legacy_session_id_echo field is not valid
1274  return ERROR_ILLEGAL_PARAMETER;
1275  }
1276 
1277  //Check whether the ServerHello message is received in response to the
1278  //initial or the updated ClientHello
1279  if(context->state != TLS_STATE_SERVER_HELLO_2)
1280  {
1281  //Set cipher suite
1282  error = tlsSelectCipherSuite(context, cipherSuite);
1283  //Specified cipher suite not supported?
1284  if(error)
1285  return error;
1286 
1287  //Initialize handshake message hashing
1288  error = tlsInitTranscriptHash(context);
1289  //Any error to report?
1290  if(error)
1291  return error;
1292  }
1293  else
1294  {
1295  //Clients must check that the cipher suite supplied in the ServerHello
1296  //is the same as that in the HelloRetryRequest and otherwise abort the
1297  //handshake with an illegal_parameter alert
1298  if(cipherSuite != context->cipherSuite.identifier)
1299  return ERROR_ILLEGAL_PARAMETER;
1300  }
1301 
1302  //If using (EC)DHE key establishment, servers offer exactly one
1303  //KeyShareEntry in the ServerHello
1304  error = tls13ParseServerKeyShareExtension(context,
1305  extensions.serverShare);
1306  //Any error to report?
1307  if(error)
1308  return error;
1309 
1310  //The PreSharedKey extension contains the selected PSK identity
1311  error = tls13ParseServerPreSharedKeyExtension(context,
1312  extensions.selectedIdentity);
1313  //Any error to report?
1314  if(error)
1315  return error;
1316 
1317  //In TLS 1.3, the cipher suite concept has been changed. The key exchange
1318  //mechanism is negotiated separately from the cipher suite
1319  if(context->keyExchMethod == TLS_KEY_EXCH_NONE)
1320  return ERROR_HANDSHAKE_FAILED;
1321 
1322 #if (TLS13_MIDDLEBOX_COMPAT_SUPPORT == ENABLED)
1323  //The middlebox compatibility mode improves the chance of successfully
1324  //connecting through middleboxes
1325  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM &&
1326  context->state == TLS_STATE_SERVER_HELLO)
1327  {
1328  //In middlebox compatibility mode, the client sends a dummy
1329  //ChangeCipherSpec record immediately before its second flight
1331  }
1332  else
1333 #endif
1334  {
1335  //All handshake messages after the ServerHello are now encrypted
1337  }
1338  }
1339  else
1340 #endif
1341  //Invalid TLS version?
1342  {
1343  //Just for sanity
1344  return ERROR_INVALID_VERSION;
1345  }
1346 
1347  //Successful processing
1348  return NO_ERROR;
1349 }
1350 
1351 
1352 /**
1353  * @brief Parse ServerKeyExchange message
1354  *
1355  * The ServerKeyExchange message is sent by the server only when the
1356  * server Certificate message does not contain enough data to allow
1357  * the client to exchange a premaster secret
1358  *
1359  * @param[in] context Pointer to the TLS context
1360  * @param[in] message Incoming ServerKeyExchange message to parse
1361  * @param[in] length Message length
1362  * @return Error code
1363  **/
1364 
1366  const TlsServerKeyExchange *message, size_t length)
1367 {
1368  error_t error;
1369  size_t n;
1370  size_t paramsLen;
1371  const uint8_t *p;
1372  const uint8_t *params;
1373 
1374  //Initialize variables
1375  params = NULL;
1376  paramsLen = 0;
1377 
1378  //Debug message
1379  TRACE_INFO("ServerKeyExchange message received (%" PRIuSIZE " bytes)...\r\n", length);
1381 
1382  //Check TLS version
1383  if(context->version > TLS_VERSION_1_2)
1384  return ERROR_UNEXPECTED_MESSAGE;
1385 
1386  //Check current state
1387  if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE)
1388  return ERROR_UNEXPECTED_MESSAGE;
1389 
1390  //Point to the beginning of the handshake message
1391  p = message;
1392 
1393 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
1394  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1395  //PSK key exchange method?
1396  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1397  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
1398  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1399  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1400  {
1401  //To help the client in selecting which identity to use, the server
1402  //can provide a PSK identity hint in the ServerKeyExchange message
1403  error = tlsParsePskIdentityHint(context, p, length, &n);
1404  //Any error to report?
1405  if(error)
1406  return error;
1407 
1408  //Point to the next field
1409  p += n;
1410  //Remaining bytes to process
1411  length -= n;
1412  }
1413 #endif
1414 
1415  //Diffie-Hellman or ECDH key exchange method?
1416  if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1417  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1418  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1419  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1420  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1421  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1422  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
1423  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1424  {
1425  //Point to the server's key exchange parameters
1426  params = p;
1427 
1428  //Parse server's key exchange parameters
1429  error = tlsParseServerKeyParams(context, p, length, &paramsLen);
1430  //Any error to report?
1431  if(error)
1432  return error;
1433 
1434  //Point to the next field
1435  p += paramsLen;
1436  //Remaining bytes to process
1437  length -= paramsLen;
1438  }
1439 
1440  //For non-anonymous Diffie-Hellman and ECDH key exchanges, the signature
1441  //over the server's key exchange parameters shall be verified
1442  if(context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1443  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1444  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1445  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA)
1446  {
1447 #if (TLS_MAX_VERSION >= TLS_VERSION_1_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)
1448  //TLS 1.0 or TLS 1.1 currently selected?
1449  if(context->version <= TLS_VERSION_1_1)
1450  {
1451  //Signature verification
1452  error = tlsVerifyServerKeySignature(context,
1453  (TlsDigitalSignature *) p, length, params, paramsLen, &n);
1454  }
1455  else
1456 #endif
1457 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1458  //TLS 1.2 currently selected?
1459  if(context->version == TLS_VERSION_1_2)
1460  {
1461  //Signature verification
1462  error = tls12VerifyServerKeySignature(context,
1463  (Tls12DigitalSignature *) p, length, params, paramsLen, &n);
1464  }
1465  else
1466 #endif
1467  {
1468  //Report an error
1469  error = ERROR_INVALID_VERSION;
1470  }
1471 
1472  //Any error to report?
1473  if(error)
1474  return error;
1475 
1476  //Point to the next field
1477  p += n;
1478  //Remaining bytes to process
1479  length -= n;
1480  }
1481 
1482  //If the amount of data in the message does not precisely match the format
1483  //of the ServerKeyExchange message, then send a fatal alert
1484  if(length != 0)
1485  return ERROR_DECODING_FAILED;
1486 
1487  //Anomynous server?
1488  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1489  context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1490  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1491  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1492  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1493  {
1494  //An anonymous server cannot request client authentication
1496  }
1497  else
1498  {
1499  //A non-anonymous server can optionally request a certificate from
1500  //the client, if appropriate for the selected cipher suite
1502  }
1503 
1504  //Successful processing
1505  return NO_ERROR;
1506 }
1507 
1508 
1509 /**
1510  * @brief Parse CertificateRequest message
1511  *
1512  * A server can optionally request a certificate from the client, if
1513  * appropriate for the selected cipher suite. This message will
1514  * immediately follow the ServerKeyExchange message
1515  *
1516  * @param[in] context Pointer to the TLS context
1517  * @param[in] message Incoming CertificateRequest message to parse
1518  * @param[in] length Message length
1519  * @return Error code
1520  **/
1521 
1523  const TlsCertificateRequest *message, size_t length)
1524 {
1525  error_t error;
1526  uint_t i;
1527  uint_t j;
1528  size_t n;
1529  uint_t certTypesLen;
1530  bool_t acceptable;
1531  const uint8_t *p;
1532  const uint8_t *certTypes;
1533  const TlsCertAuthorities *certAuthorities;
1534  const TlsSignSchemeList *signAlgoList;
1535  const TlsSignSchemeList *certSignAlgoList;
1536 
1537  //Debug message
1538  TRACE_INFO("CertificateRequest message received (%" PRIuSIZE " bytes)...\r\n", length);
1540 
1541  //Check key exchange method
1542  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1543  context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1544  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1545  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1546  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1547  {
1548  //It is a fatal handshake failure alert for an anonymous server to
1549  //request client authentication
1550  return ERROR_HANDSHAKE_FAILED;
1551  }
1552  else if(context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1553  {
1554  //If no PSK identity hint is provided by the server, then the
1555  //ServerKeyExchange message is omitted
1556  if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE &&
1557  context->state != TLS_STATE_CERTIFICATE_REQUEST)
1558  {
1559  //Handshake failure
1560  return ERROR_UNEXPECTED_MESSAGE;
1561  }
1562  }
1563  else if(context->keyExchMethod == TLS13_KEY_EXCH_PSK ||
1564  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
1565  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
1566  {
1567  //Servers which are authenticating with a PSK must not send the
1568  //CertificateRequest message in the main handshake
1569  return ERROR_HANDSHAKE_FAILED;
1570  }
1571  else
1572  {
1573  //Check current state
1574  if(context->state != TLS_STATE_CERTIFICATE_REQUEST)
1575  return ERROR_UNEXPECTED_MESSAGE;
1576  }
1577 
1578  //The server requests a certificate from the client, so that connection
1579  //can be mutually authenticated
1580  context->clientCertRequested = TRUE;
1581 
1582  //Point to the beginning of the handshake message
1583  p = (uint8_t *) message;
1584 
1585 #if (TLS_MAX_VERSION >= TLS_VERSION_1_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1586  //Version of TLS prior to TLS 1.3?
1587  if(context->version <= TLS_VERSION_1_2)
1588  {
1589  //Check the length of the ServerKeyExchange message
1590  if(length < sizeof(TlsCertificateRequest))
1591  return ERROR_DECODING_FAILED;
1592 
1593  //Remaining bytes to process
1594  length -= sizeof(TlsCertificateRequest);
1595 
1596  //Retrieve the length of the list
1597  n = message->certificateTypesLen;
1598  //Malformed CertificateRequest message?
1599  if(n > length)
1600  return ERROR_DECODING_FAILED;
1601 
1602  //Point to the list of supported certificate types
1603  certTypes = message->certificateTypes;
1604  certTypesLen = message->certificateTypesLen;
1605 
1606  //Point to the next field
1607  p += sizeof(TlsCertificateRequest) + n;
1608  //Remaining bytes to process
1609  length -= n;
1610 
1611  //TLS 1.2 currently selected?
1612  if(context->version == TLS_VERSION_1_2)
1613  {
1614  //Malformed CertificateRequest message?
1615  if(length < sizeof(TlsSignSchemeList))
1616  return ERROR_DECODING_FAILED;
1617 
1618  //Point to the list of the hash/signature algorithm pairs
1619  signAlgoList = (TlsSignSchemeList *) p;
1620  //Remaining bytes to process
1621  length -= sizeof(TlsSignSchemeList);
1622 
1623  //Retrieve the length of the list
1624  n = ntohs(signAlgoList->length);
1625  //Malformed CertificateRequest message?
1626  if(n > length)
1627  return ERROR_DECODING_FAILED;
1628 
1629  //The supported_signature_algorithms field cannot be empty (refer to
1630  //RFC 5246, section 7.4.4)
1631  if(n == 0)
1632  return ERROR_DECODING_FAILED;
1633  if((n % 2) != 0)
1634  return ERROR_DECODING_FAILED;
1635 
1636  //Point to the next field
1637  p += sizeof(TlsSignSchemeList) + n;
1638  //Remaining bytes to process
1639  length -= n;
1640  }
1641  else
1642  {
1643  //Implementations prior to TLS 1.2 do not include a list of supported
1644  //hash/signature algorithm pairs
1645  signAlgoList = NULL;
1646  }
1647 
1648  //List of signature algorithms that may appear in X.509 certificates
1649  certSignAlgoList = signAlgoList;
1650 
1651  //Malformed CertificateRequest message?
1652  if(length < sizeof(TlsCertAuthorities))
1653  return ERROR_DECODING_FAILED;
1654 
1655  //Point to the list of acceptable certificate authorities
1656  certAuthorities = (TlsCertAuthorities *) p;
1657  //Remaining bytes to process
1658  length -= sizeof(TlsCertAuthorities);
1659 
1660  //Retrieve the length of the list
1661  n = ntohs(certAuthorities->length);
1662  //Malformed CertificateRequest message?
1663  if(n != length)
1664  return ERROR_DECODING_FAILED;
1665  }
1666  else
1667 #endif
1668 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1669  //TLS 1.3 currently selected?
1670  if(context->version == TLS_VERSION_1_3)
1671  {
1673  const Tls13CertRequestContext *certRequestContext;
1674 
1675  //Unused parameters
1676  certTypes = NULL;
1677  certTypesLen = 0;
1678 
1679  //Malformed CertificateRequest message?
1680  if(length < sizeof(Tls13CertRequestContext))
1681  return ERROR_DECODING_FAILED;
1682 
1683  //Point to the certificate_request_context field
1684  certRequestContext = (Tls13CertRequestContext *) p;
1685  //Remaining bytes to process
1686  length -= sizeof(Tls13CertRequestContext);
1687 
1688  //Retrieve the length of the field
1689  n = certRequestContext->length;
1690  //Malformed CertificateRequest message?
1691  if(n > length)
1692  return ERROR_DECODING_FAILED;
1693 
1694  //The certificate_request_context field shall be zero length unless
1695  //used for the post-handshake authentication exchange
1696  if(certRequestContext->length != 0)
1697  return ERROR_ILLEGAL_PARAMETER;
1698 
1699  //Point to the next field
1700  p += sizeof(Tls13CertRequestContext) + n;
1701  //Remaining bytes to process
1702  length -= n;
1703 
1704  //The extensions describe the parameters of the certificate being
1705  //requested
1707  length, &extensions);
1708  //Any error to report?
1709  if(error)
1710  return error;
1711 
1712  //Check the list of extensions offered by the server
1714  context->version, &extensions);
1715  //Any error to report?
1716  if(error)
1717  return error;
1718 
1719  //The SignatureAlgorithms extension must be specified (refer to RFC 8446,
1720  //section 4.3.2)
1721  if(extensions.signAlgoList == NULL)
1722  return ERROR_MISSING_EXTENSION;
1723 
1724  //Point to the list of the hash/signature algorithm pairs that
1725  //the server is able to verify
1726  signAlgoList = extensions.signAlgoList;
1727 
1728  //If no SignatureAlgorithmsCert extension is present, then the
1729  //SignatureAlgorithms extension also applies to signatures appearing
1730  //in certificates (RFC 8446, section 4.2.3)
1731  if(extensions.certSignAlgoList != NULL)
1732  {
1733  certSignAlgoList = extensions.certSignAlgoList;
1734  }
1735  else
1736  {
1737  certSignAlgoList = extensions.signAlgoList;
1738  }
1739 
1740  //The CertificateAuthorities extension is used to indicate the CAs which
1741  //an endpoint supports and which should be used by the receiving endpoint
1742  //to guide certificate selection
1743  certAuthorities = extensions.certAuthorities;
1744  }
1745  else
1746 #endif
1747  //Invalid TLS version?
1748  {
1749  //Report an error
1750  return ERROR_INVALID_VERSION;
1751  }
1752 
1753  //No suitable certificate has been found for the moment
1754  context->cert = NULL;
1755  acceptable = FALSE;
1756 
1757  //Select the most appropriate certificate (2-pass process)
1758  for(i = 0; i < 2 && !acceptable; i++)
1759  {
1760  //Loop through the list of available certificates
1761  for(j = 0; j < TLS_MAX_CERTIFICATES && !acceptable; j++)
1762  {
1763  //Check whether the current certificate is suitable
1764  acceptable = tlsIsCertificateAcceptable(context, &context->certs[j],
1765  certTypes, certTypesLen, NULL, certSignAlgoList, certAuthorities);
1766 
1767  //TLS 1.2 and TLS 1.3 require additional examinations
1768  if(acceptable)
1769  {
1770  //The hash and signature algorithms used in the signature of the
1771  //CertificateVerify message must be one of those present in the
1772  //SupportedSignatureAlgorithms field
1773  error = tlsSelectSignAlgo(context, &context->certs[j],
1774  signAlgoList);
1775 
1776  //Check status code
1777  if(error)
1778  {
1779  acceptable = FALSE;
1780  }
1781  }
1782 
1783  //If all the requirements were met, the certificate can be used
1784  if(acceptable)
1785  {
1786  context->cert = &context->certs[j];
1787  }
1788  }
1789 
1790  //The second pass relaxes the constraints
1791  certSignAlgoList = NULL;
1792  certAuthorities = NULL;
1793  }
1794 
1795  //Version of TLS prior to TLS 1.3?
1796  if(context->version <= TLS_VERSION_1_2)
1797  {
1798  //Wait for a ServerHelloDone message
1800  }
1801  else
1802  {
1803  //Wait for a Certificate message
1805  }
1806 
1807  //Successful processing
1808  return NO_ERROR;
1809 }
1810 
1811 
1812 /**
1813  * @brief Parse ServerHelloDone message
1814  *
1815  * The ServerHelloDone message is sent by the server to indicate the
1816  * end of the ServerHello and associated messages. After sending this
1817  * message, the server will wait for a client response
1818  *
1819  * @param[in] context Pointer to the TLS context
1820  * @param[in] message Incoming ServerHelloDone message to parse
1821  * @param[in] length Message length
1822  * @return Error code
1823  **/
1824 
1826  const TlsServerHelloDone *message, size_t length)
1827 {
1828  //Debug message
1829  TRACE_INFO("ServerHelloDone message received (%" PRIuSIZE " bytes)...\r\n", length);
1831 
1832  //Check TLS version
1833  if(context->version > TLS_VERSION_1_2)
1834  return ERROR_UNEXPECTED_MESSAGE;
1835 
1836  //Check key exchange method
1837  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
1838  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1839  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1840  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1841  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA)
1842  {
1843  //The server may omit the CertificateRequest message and go
1844  //directly to the ServerHelloDone message
1845  if(context->state != TLS_STATE_CERTIFICATE_REQUEST &&
1846  context->state != TLS_STATE_SERVER_HELLO_DONE)
1847  {
1848  //Handshake failure
1849  return ERROR_UNEXPECTED_MESSAGE;
1850  }
1851  }
1852  else if(context->keyExchMethod == TLS_KEY_EXCH_PSK)
1853  {
1854  //If no PSK identity hint is provided by the server, the
1855  //ServerKeyExchange message is omitted
1856  if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE &&
1857  context->state != TLS_STATE_SERVER_HELLO_DONE)
1858  {
1859  //Handshake failure
1860  return ERROR_UNEXPECTED_MESSAGE;
1861  }
1862  }
1863  else if(context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1864  {
1865  //The server may omit the ServerKeyExchange message and/or
1866  //the CertificateRequest message
1867  if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE &&
1868  context->state != TLS_STATE_CERTIFICATE_REQUEST &&
1869  context->state != TLS_STATE_SERVER_HELLO_DONE)
1870  {
1871  //Handshake failure
1872  return ERROR_UNEXPECTED_MESSAGE;
1873  }
1874  }
1875  else
1876  {
1877  //Check current state
1878  if(context->state != TLS_STATE_SERVER_HELLO_DONE)
1879  return ERROR_UNEXPECTED_MESSAGE;
1880  }
1881 
1882  //The ServerHelloDone message does not contain any data
1883  if(length != 0)
1884  return ERROR_DECODING_FAILED;
1885 
1886  //Another handshake message cannot be packed in the same record as the
1887  //ServerHelloDone
1888  if(context->rxBufferLen != 0)
1889  return ERROR_UNEXPECTED_MESSAGE;
1890 
1891  //The client must send a Certificate message if the server requests it
1893 
1894  //Successful processing
1895  return NO_ERROR;
1896 }
1897 
1898 
1899 /**
1900  * @brief Parse NewSessionTicket message
1901  *
1902  * This NewSessionTicket message is sent by the server during the TLS handshake
1903  * before the ChangeCipherSpec message
1904  *
1905  * @param[in] context Pointer to the TLS context
1906  * @param[in] message Incoming NewSessionTicket message to parse
1907  * @param[in] length Message length
1908  * @return Error code
1909  **/
1910 
1912  const TlsNewSessionTicket *message, size_t length)
1913 {
1914  size_t n;
1915 
1916  //Debug message
1917  TRACE_INFO("NewSessionTicket message received (%" PRIuSIZE " bytes)...\r\n", length);
1919 
1920  //Check TLS version
1921  if(context->version > TLS_VERSION_1_2)
1922  return ERROR_UNEXPECTED_MESSAGE;
1923 
1924  //Check current state
1925  if(context->state != TLS_STATE_NEW_SESSION_TICKET)
1926  return ERROR_UNEXPECTED_MESSAGE;
1927 
1928  //Check the length of the NewSessionTicket message
1929  if(length < sizeof(TlsNewSessionTicket))
1930  return ERROR_DECODING_FAILED;
1931 
1932  //Retrieve the length of the ticket
1933  n = ntohs(message->ticketLen);
1934 
1935  //Malformed NewSessionTicket message?
1936  if(length != (sizeof(TlsNewSessionTicket) + n))
1937  return ERROR_DECODING_FAILED;
1938 
1939 #if (TLS_TICKET_SUPPORT == ENABLED)
1940  //This message must not be sent if the server did not include a SessionTicket
1941  //extension in the ServerHello (refer to RFC 5077, section 3.3)
1942  if(!context->sessionTicketExtReceived)
1943  return ERROR_UNEXPECTED_MESSAGE;
1944 
1945  //Check the length of the session ticket
1946  if(n > 0 && n <= TLS_MAX_TICKET_SIZE)
1947  {
1948  //Release existing session ticket, if any
1949  if(context->ticket != NULL)
1950  {
1951  osMemset(context->ticket, 0, context->ticketLen);
1952  tlsFreeMem(context->ticket);
1953  context->ticket = NULL;
1954  context->ticketLen = 0;
1955  }
1956 
1957  //Allocate a memory block to hold the ticket
1958  context->ticket = tlsAllocMem(n);
1959  //Failed to allocate memory?
1960  if(context->ticket == NULL)
1961  return ERROR_OUT_OF_MEMORY;
1962 
1963  //Copy session ticket
1964  osMemcpy(context->ticket, message->ticket, n);
1965  context->ticketLen = n;
1966 
1967  //The lifetime is relative to when the ticket is received (refer to
1968  //RFC 5077, appendix A)
1969  context->ticketTimestamp = osGetSystemTime();
1970 
1971  //The ticket_lifetime_hint field contains a hint from the server about
1972  //how long the ticket should be stored. A ticket lifetime value of zero
1973  //indicates that the lifetime of the ticket is unspecified
1974  context->ticketLifetime = ntohl(message->ticketLifetimeHint);
1975 
1976  //If the client receives a session ticket from the server, then it
1977  //discards any session ID that was sent in the ServerHello (refer to
1978  //RFC 5077, section 3.4)
1979  context->sessionIdLen = 0;
1980  }
1981 #endif
1982 
1983  //The NewSessionTicket message is sent by the server during the TLS handshake
1984  //before the ChangeCipherSpec message
1986 
1987  //Successful processing
1988  return NO_ERROR;
1989 }
1990 
1991 #endif
uint8_t message[]
Definition: chap.h:154
unsigned int uint_t
Definition: compiler_port.h:50
#define PRIuSIZE
int bool_t
Definition: compiler_port.h:53
#define ntohl(value)
Definition: cpu_endian.h:422
#define htons(value)
Definition: cpu_endian.h:413
#define ntohs(value)
Definition: cpu_endian.h:421
#define LOAD16BE(p)
Definition: cpu_endian.h:186
Date and time management.
Debugging facilities.
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:108
#define TRACE_DEBUG(...)
Definition: debug.h:107
#define TRACE_INFO(...)
Definition: debug.h:95
uint8_t n
uint16_t dtlsTranslateVersion(uint16_t version)
Translate TLS version into DTLS version.
Definition: dtls_misc.c:112
error_t dtlsFormatCookie(TlsContext *context, uint8_t *p, size_t *written)
Format Cookie field.
Definition: dtls_misc.c:144
DTLS (Datagram Transport Layer Security)
DTLS record protocol.
error_t
Error codes.
Definition: error.h:43
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:242
@ ERROR_WOULD_BLOCK
Definition: error.h:96
@ ERROR_MISSING_EXTENSION
Definition: error.h:243
@ ERROR_INVALID_KEY_LENGTH
Definition: error.h:107
@ ERROR_TIMEOUT
Definition: error.h:95
@ ERROR_HANDSHAKE_FAILED
Definition: error.h:232
@ ERROR_DECODING_FAILED
Definition: error.h:240
@ NO_ERROR
Success.
Definition: error.h:44
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
@ ERROR_UNEXPECTED_MESSAGE
Definition: error.h:194
@ ERROR_INVALID_VERSION
Definition: error.h:118
uint8_t p
Definition: ndp.h:300
#define osMemset(p, value, length)
Definition: os_port.h:135
#define osMemcpy(dest, src, length)
Definition: os_port.h:141
#define MIN(a, b)
Definition: os_port.h:63
#define osMemcmp(p1, p2, length)
Definition: os_port.h:153
#define TRUE
Definition: os_port.h:50
#define FALSE
Definition: os_port.h:46
systime_t osGetSystemTime(void)
Retrieve system time.
PEM file import functions.
Hello extensions.
Definition: tls.h:2081
uint8_t length
Definition: tcp.h:368
Handshake message processing (TLS 1.3 client)
error_t tls13FormatClientPreSharedKeyExtension(TlsContext *context, uint8_t *p, size_t *written, Tls13PskIdentityList **identityList, Tls13PskBinderList **binderList)
Format PreSharedKey extension.
error_t tls13ParseServerPreSharedKeyExtension(TlsContext *context, const TlsExtension *selectedIdentity)
Parse PreSharedKey extension.
error_t tls13FormatClientKeyShareExtension(TlsContext *context, uint8_t *p, size_t *written)
Format KeyShare extension (ClientHello message)
error_t tls13ParseServerKeyShareExtension(TlsContext *context, const Tls13KeyShareEntry *serverShare)
Parse KeyShare extension (ServerHello message)
error_t tls13FormatCookieExtension(TlsContext *context, uint8_t *p, size_t *written)
Format Cookie extension.
error_t tls13FormatClientEarlyDataExtension(TlsContext *context, uint8_t *p, size_t *written)
Format EarlyData extension.
error_t tls13FormatPskKeModesExtension(TlsContext *context, uint8_t *p, size_t *written)
Format PskKeyExchangeModes extension.
Formatting and parsing of extensions (TLS 1.3 client)
error_t tls13ComputePskBinders(TlsContext *context, const void *clientHello, size_t clientHelloLen, const Tls13PskIdentityList *identityList, Tls13PskBinderList *binderList)
Compute PSK binder values.
Helper functions for TLS 1.3 client.
bool_t tls13IsGroupSupported(TlsContext *context, uint16_t namedGroup)
Check whether a given named group is supported.
Definition: tls13_misc.c:576
error_t tls13GenerateKeyShare(TlsContext *context, uint16_t namedGroup)
Key share generation.
Definition: tls13_misc.c:260
Tls13PskBinderList
Definition: tls13_misc.h:247
uint8_t extensions[]
Definition: tls13_misc.h:300
Tls13PskIdentityList
Definition: tls13_misc.h:225
Tls13CertRequestContext
Definition: tls13_misc.h:258
TLS (Transport Layer Security)
#define tlsAllocMem(size)
Definition: tls.h:846
TlsClientHello
Definition: tls.h:1757
TlsCertAuthorities
Definition: tls.h:1544
@ TLS_STATE_SERVER_CHANGE_CIPHER_SPEC
Definition: tls.h:1461
@ TLS_STATE_SERVER_CERTIFICATE
Definition: tls.h:1449
@ TLS_STATE_CLIENT_CERTIFICATE_VERIFY
Definition: tls.h:1456
@ TLS_STATE_SERVER_HELLO_2
Definition: tls.h:1445
@ TLS_STATE_SERVER_HELLO
Definition: tls.h:1444
@ TLS_STATE_APPLICATION_DATA
Definition: tls.h:1468
@ TLS_STATE_SERVER_KEY_EXCHANGE
Definition: tls.h:1450
@ TLS_STATE_NEW_SESSION_TICKET
Definition: tls.h:1466
@ TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC_2
Definition: tls.h:1458
@ TLS_STATE_SERVER_HELLO_3
Definition: tls.h:1446
@ TLS_STATE_SERVER_HELLO_DONE
Definition: tls.h:1453
@ TLS_STATE_CLIENT_HELLO
Definition: tls.h:1439
@ TLS_STATE_CERTIFICATE_REQUEST
Definition: tls.h:1452
@ TLS_STATE_HANDSHAKE_TRAFFIC_KEYS
Definition: tls.h:1447
@ TLS_STATE_CLIENT_CERTIFICATE
Definition: tls.h:1454
@ TLS_KEY_EXCH_DHE_RSA
Definition: tls.h:1127
@ TLS_KEY_EXCH_RSA
Definition: tls.h:1125
@ TLS_KEY_EXCH_ECDHE_ECDSA
Definition: tls.h:1134
@ TLS13_KEY_EXCH_PSK_DHE
Definition: tls.h:1146
@ TLS_KEY_EXCH_DHE_PSK
Definition: tls.h:1138
@ TLS_KEY_EXCH_DH_ANON
Definition: tls.h:1130
@ TLS_KEY_EXCH_RSA_PSK
Definition: tls.h:1137
@ TLS13_KEY_EXCH_PSK
Definition: tls.h:1145
@ TLS_KEY_EXCH_ECDH_ANON
Definition: tls.h:1135
@ TLS13_KEY_EXCH_PSK_ECDHE
Definition: tls.h:1147
@ TLS_KEY_EXCH_DHE_DSS
Definition: tls.h:1129
@ TLS_KEY_EXCH_NONE
Definition: tls.h:1124
@ TLS_KEY_EXCH_ECDHE_RSA
Definition: tls.h:1132
@ TLS_KEY_EXCH_ECDHE_PSK
Definition: tls.h:1139
@ TLS_KEY_EXCH_PSK
Definition: tls.h:1136
@ TLS_ALERT_NO_RENEGOTIATION
Definition: tls.h:1094
#define TLS_MAX_CERTIFICATES
Definition: tls.h:262
@ TLS_TRANSPORT_PROTOCOL_STREAM
Definition: tls.h:941
@ TLS_TRANSPORT_PROTOCOL_DATAGRAM
Definition: tls.h:942
@ TLS_TRANSPORT_PROTOCOL_EAP
Definition: tls.h:943
@ TLS_COMPRESSION_METHOD_NULL
Definition: tls.h:1113
#define tlsFreeMem(p)
Definition: tls.h:851
TlsServerHello
Definition: tls.h:1770
Tls12DigitalSignature
Definition: tls.h:1712
void TlsHelloRequest
HelloRequest message.
Definition: tls.h:1744
void TlsServerKeyExchange
ServerKeyExchange message.
Definition: tls.h:1784
TlsDigitalSignature
Definition: tls.h:1700
TlsExtensionList
Definition: tls.h:1567
void TlsServerHelloDone
ServerHelloDone message.
Definition: tls.h:1802
#define TLS_MAX_TICKET_SIZE
Definition: tls.h:157
void TlsClientKeyExchange
ClientKeyExchange message.
Definition: tls.h:1809
#define TLS_VERSION_1_1
Definition: tls.h:95
TlsSignSchemeList
Definition: tls.h:1522
#define TLS_VERSION_1_3
Definition: tls.h:97
#define TlsContext
Definition: tls.h:36
TlsCertificateRequest
Definition: tls.h:1795
uint16_t cipherSuite
Cipher suite identifier.
Definition: tls.h:1866
@ TLS_ALERT_LEVEL_FATAL
Definition: tls.h:1059
TlsNewSessionTicket
Definition: tls.h:1828
@ TLS_GROUP_NONE
Definition: tls.h:1353
@ TLS_TYPE_SERVER_HELLO
Definition: tls.h:1027
@ TLS_TYPE_CLIENT_HELLO
Definition: tls.h:1026
@ TLS_TYPE_CLIENT_KEY_EXCHANGE
Definition: tls.h:1040
@ TLS_TYPE_CERTIFICATE_REQUEST
Definition: tls.h:1037
#define TLS_VERSION_1_2
Definition: tls.h:96
bool_t tlsIsCertificateAcceptable(TlsContext *context, const TlsCertDesc *cert, const uint8_t *certTypes, size_t numCertTypes, const TlsSupportedGroupList *curveList, const TlsSignSchemeList *certSignAlgoList, const TlsCertAuthorities *certAuthorities)
Check whether a certificate is acceptable.
X.509 certificate handling.
const char_t * tlsGetCipherSuiteName(uint16_t identifier)
Convert cipher suite identifier to string representation.
TLS cipher suites.
error_t tlsFormatClientHello(TlsContext *context, TlsClientHello *message, size_t *length)
Format ClientHello message.
Definition: tls_client.c:312
error_t tlsFormatClientKeyExchange(TlsContext *context, TlsClientKeyExchange *message, size_t *length)
Format ClientKeyExchange message.
Definition: tls_client.c:785
error_t tlsParseServerKeyExchange(TlsContext *context, const TlsServerKeyExchange *message, size_t length)
Parse ServerKeyExchange message.
Definition: tls_client.c:1365
error_t tlsParseNewSessionTicket(TlsContext *context, const TlsNewSessionTicket *message, size_t length)
Parse NewSessionTicket message.
Definition: tls_client.c:1911
error_t tlsSendClientKeyExchange(TlsContext *context)
Send ClientKeyExchange message.
Definition: tls_client.c:261
error_t tlsParseHelloRequest(TlsContext *context, const TlsHelloRequest *message, size_t length)
Parse HelloRequest message.
Definition: tls_client.c:872
error_t tlsParseServerHello(TlsContext *context, const TlsServerHello *message, size_t length)
Parse ServerHello message.
Definition: tls_client.c:957
error_t tlsParseCertificateRequest(TlsContext *context, const TlsCertificateRequest *message, size_t length)
Parse CertificateRequest message.
Definition: tls_client.c:1522
error_t tlsSendClientHello(TlsContext *context)
Send ClientHello message.
Definition: tls_client.c:81
error_t tlsParseServerHelloDone(TlsContext *context, const TlsServerHelloDone *message, size_t length)
Parse ServerHelloDone message.
Definition: tls_client.c:1825
Handshake message processing (TLS client)
error_t tlsFormatClientMaxFragLenExtension(TlsContext *context, uint8_t *p, size_t *written)
Format MaxFragmentLength extension.
error_t tlsParseServerEcPointFormatsExtension(TlsContext *context, const TlsEcPointFormatList *ecPointFormatList)
Parse EcPointFormats extension.
error_t tlsFormatSupportedGroupsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SupportedGroups extension.
error_t tlsFormatClientSessionTicketExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SessionTicket extension.
error_t tlsFormatClientAlpnExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ALPN extension.
error_t tlsParseServerAlpnExtension(TlsContext *context, const TlsProtocolNameList *protocolNameList)
Parse ALPN extension.
error_t tlsFormatClientSniExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SNI extension.
error_t tlsFormatClientEtmExtension(TlsContext *context, uint8_t *p, size_t *written)
Format EncryptThenMac extension.
error_t tlsParseServerEmsExtension(TlsContext *context, const TlsExtension *extendedMasterSecret)
Parse ExtendedMasterSecret extension.
error_t tlsParseServerEtmExtension(TlsContext *context, const TlsExtension *encryptThenMac)
Parse EncryptThenMac extension.
error_t tlsParseServerCertTypeExtension(TlsContext *context, const TlsExtension *serverCertType)
Parse ServerCertType extension.
error_t tlsFormatClientRecordSizeLimitExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RecordSizeLimit extension.
error_t tlsFormatClientEmsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ExtendedMasterSecret extension.
error_t tlsFormatClientEcPointFormatsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format EcPointFormats extension.
error_t tlsParseServerRenegoInfoExtension(TlsContext *context, const TlsHelloExtensions *extensions)
Parse RenegotiationInfo extension.
error_t tlsParseServerSniExtension(TlsContext *context, const TlsServerNameList *serverNameList)
Parse SNI extension.
error_t tlsFormatServerCertTypeListExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ServerCertType extension.
error_t tlsFormatClientRenegoInfoExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RenegotiationInfo extension.
error_t tlsParseClientCertTypeExtension(TlsContext *context, const TlsExtension *clientCertType)
Parse ClientCertType extension.
error_t tlsFormatClientHelloPaddingExtension(TlsContext *context, size_t clientHelloLen, uint8_t *p, size_t *written)
Format ClientHello Padding extension.
error_t tlsFormatClientSupportedVersionsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SupportedVersions extension.
error_t tlsParseServerMaxFragLenExtension(TlsContext *context, const TlsExtension *maxFragLen)
Parse MaxFragmentLength extension.
error_t tlsParseServerRecordSizeLimitExtension(TlsContext *context, const TlsExtension *recordSizeLimit)
Parse RecordSizeLimit extension.
error_t tlsFormatClientCertTypeListExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ClientCertType extension.
error_t tlsParseServerSessionTicketExtension(TlsContext *context, const TlsExtension *sessionTicket)
Parse SessionTicket extension.
Formatting and parsing of extensions (TLS client)
error_t tlsFormatInitialClientHello(TlsContext *context)
Format initial ClientHello message.
error_t tlsFormatCompressMethods(TlsContext *context, uint8_t *p, size_t *written)
Format the list of compression methods supported by the client.
error_t tlsFormatSessionId(TlsContext *context, uint8_t *p, size_t *written)
Format session ID.
error_t tlsFormatCipherSuites(TlsContext *context, uint8_t *p, size_t *written)
Format the list of cipher suites supported by the client.
error_t tlsResumeSession(TlsContext *context, const uint8_t *sessionId, size_t sessionIdLen, uint16_t cipherSuite)
Resume TLS session via session ID.
error_t tlsFormatPskIdentity(TlsContext *context, uint8_t *p, size_t *written)
Format PSK identity.
error_t tlsParsePskIdentityHint(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse PSK identity hint.
error_t tlsVerifyServerKeySignature(TlsContext *context, const TlsDigitalSignature *signature, size_t length, const uint8_t *params, size_t paramsLen, size_t *consumed)
Verify server's key exchange parameters signature (TLS 1.0 and TLS 1.1)
__weak_func error_t tls12VerifyServerKeySignature(TlsContext *context, const Tls12DigitalSignature *signature, size_t length, const uint8_t *params, size_t paramsLen, size_t *consumed)
Verify server's key exchange parameters signature (TLS 1.2)
__weak_func error_t tlsFormatClientKeyParams(TlsContext *context, uint8_t *p, size_t *written)
Format client's key exchange parameters.
bool_t tlsIsTicketValid(TlsContext *context)
Check whether a session ticket is valid.
error_t tlsParseServerKeyParams(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse server's key exchange parameters.
error_t tlsSelectClientVersion(TlsContext *context, const TlsServerHello *message, const TlsHelloExtensions *extensions)
Version selection.
Helper functions for TLS client.
error_t tlsFormatCertAuthoritiesExtension(TlsContext *context, uint8_t *p, size_t *written)
Format CertificateAuthorities extension.
Definition: tls_common.c:830
error_t tlsSendAlert(TlsContext *context, uint8_t level, uint8_t description)
Send Alert message.
Definition: tls_common.c:516
Handshake message processing (TLS client and server)
error_t tlsParseHelloExtensions(TlsMessageType msgType, const uint8_t *p, size_t length, TlsHelloExtensions *extensions)
Parse Hello extensions.
error_t tlsCheckHelloExtensions(TlsMessageType msgType, uint16_t version, TlsHelloExtensions *extensions)
Check Hello extensions.
Parsing and checking of TLS extensions.
error_t tlsSendHandshakeMessage(TlsContext *context, const void *data, size_t length, TlsMessageType type)
Send handshake message.
TLS handshake.
error_t tlsGenerateSessionKeys(TlsContext *context)
Generate session keys.
error_t tlsGeneratePskPremasterSecret(TlsContext *context)
Premaster secret generation (for PSK cipher suites)
Key material generation.
error_t tlsSelectCipherSuite(TlsContext *context, uint16_t identifier)
Set cipher suite.
Definition: tls_misc.c:333
error_t tlsGenerateRandomValue(TlsContext *context, uint8_t *random)
Generate client or server random value.
Definition: tls_misc.c:207
void tlsFreeEncryptionEngine(TlsEncryptionEngine *encryptionEngine)
Release encryption engine.
Definition: tls_misc.c:917
void tlsChangeState(TlsContext *context, TlsState newState)
Update TLS state.
Definition: tls_misc.c:54
const char_t * tlsGetVersionName(uint16_t version)
Convert TLS version to string representation.
Definition: tls_misc.c:1112
error_t tlsGenerateSessionId(TlsContext *context, size_t length)
Generate a random session identifier.
Definition: tls_misc.c:268
TLS helper functions.
TLS record protocol.
error_t tlsFormatSignAlgosCertExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SignatureAlgorithmsCert extension.
error_t tlsSelectSignAlgo(TlsContext *context, const TlsCertDesc *cert, const TlsSignSchemeList *signAlgoList)
Select the algorithm to be used when generating digital signatures.
Definition: tls_sign_misc.c:85
error_t tlsFormatSignAlgosExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SignatureAlgorithms extension.
Helper functions for signature generation and verification.
void tlsFreeTranscriptHash(TlsContext *context)
Release transcript hash context.
error_t tlsInitTranscriptHash(TlsContext *context)
Initialize handshake message hashing.
Transcript hash calculation.