tls_client.c
Go to the documentation of this file.
1 /**
2  * @file tls_client.c
3  * @brief Handshake message processing (TLS client)
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneSSL Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @section Description
26  *
27  * The TLS protocol provides communications security over the Internet. The
28  * protocol allows client/server applications to communicate in a way that
29  * is designed to prevent eavesdropping, tampering, or message forgery
30  *
31  * @author Oryx Embedded SARL (www.oryx-embedded.com)
32  * @version 1.9.0
33  **/
34 
35 //Switch to the appropriate trace level
36 #define TRACE_LEVEL TLS_TRACE_LEVEL
37 
38 //Dependencies
39 #include <string.h>
40 #include "tls.h"
41 #include "tls_cipher_suites.h"
42 #include "tls_handshake.h"
43 #include "tls_client.h"
44 #include "tls_client_extensions.h"
45 #include "tls_client_misc.h"
46 #include "tls_common.h"
47 #include "tls_extensions.h"
48 #include "tls_certificate.h"
49 #include "tls_signature.h"
50 #include "tls_key_material.h"
51 #include "tls_transcript_hash.h"
52 #include "tls_record.h"
53 #include "tls_misc.h"
54 #include "tls13_client.h"
56 #include "tls13_client_misc.h"
57 #include "dtls_record.h"
58 #include "dtls_misc.h"
59 #include "certificate/pem_import.h"
60 #include "date_time.h"
61 #include "debug.h"
62 
63 //Check TLS library configuration
64 #if (TLS_SUPPORT == ENABLED && TLS_CLIENT_SUPPORT == ENABLED)
65 
66 
67 /**
68  * @brief Send ClientHello message
69  *
70  * When a client first connects to a server, it is required to send
71  * the ClientHello as its first message. The client can also send a
72  * ClientHello in response to a HelloRequest or on its own initiative
73  * in order to renegotiate the security parameters in an existing
74  * connection
75  *
76  * @param[in] context Pointer to the TLS context
77  * @return Error code
78  **/
79 
81 {
82  error_t error;
83  size_t length;
85 
86  //Point to the buffer where to format the message
87  message = (TlsClientHello *) (context->txBuffer + context->txBufferLen);
88 
89 #if (DTLS_SUPPORT == ENABLED)
90  //DTLS protocol?
91  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
92  {
93  //When sending the first ClientHello, the client does not have a cookie yet
94  if(context->cookieLen == 0)
95  {
96  //Generate the client random value using a cryptographically-safe
97  //pseudorandom number generator
98  error = tlsGenerateRandomValue(context, context->clientRandom);
99  }
100  else
101  {
102  //When responding to a HelloVerifyRequest, the client must use the
103  //same random value as it did in the original ClientHello
104  error = NO_ERROR;
105  }
106  }
107  else
108 #endif
109  //TLS protocol?
110  {
111  //Initial or updated ClientHello?
112  if(context->state == TLS_STATE_CLIENT_HELLO)
113  {
114  //Generate the client random value using a cryptographically-safe
115  //pseudorandom number generator
116  error = tlsGenerateRandomValue(context, context->clientRandom);
117  }
118  else
119  {
120  //When responding to a HelloRetryRequest, the client must use the
121  //same random value as it did in the initial ClientHello
122  error = NO_ERROR;
123  }
124  }
125 
126 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
127  //Check status code
128  if(!error)
129  {
130  //TLS 1.3 supported by the client?
131  if(context->versionMax >= TLS_VERSION_1_3 &&
132  context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM)
133  {
134  //Initial or updated ClientHello?
135  if(context->state == TLS_STATE_CLIENT_HELLO)
136  {
137 #if (TLS13_MIDDLEBOX_COMPAT_SUPPORT == ENABLED)
138  //In compatibility mode the session ID field must be non-empty
139  if(context->sessionIdLen == 0)
140  {
141  //A client not offering a pre-TLS 1.3 session must generate a
142  //new 32-byte value (refer to RFC 8446, section 4.1.2)
143  context->sessionIdLen = 32;
144 
145  //This value need not be random but should be unpredictable to
146  //avoid implementations fixating on a specific value
147  error = tlsGenerateRandomValue(context, context->sessionId);
148  }
149 #endif
150  //Check status code
151  if(!error)
152  {
153  //Any preferred ECDHE or FFDHE group?
154  if(context->preferredGroup != TLS_GROUP_NONE)
155  {
156  //Pregenerate key share using preferred named group
157  error = tls13GenerateKeyShare(context, context->preferredGroup);
158  }
159  }
160  }
161  else
162  {
163  //The updated ClientHello message is not encrypted
164  tlsFreeEncryptionEngine(&context->encryptionEngine);
165  }
166  }
167 
168  //Save current time
169  context->timestamp = osGetSystemTime();
170  }
171 #endif
172 
173  //Check status code
174  if(!error)
175  {
176  //Format ClientHello message
177  error = tlsFormatClientHello(context, message, &length);
178  }
179 
180  //Check status code
181  if(!error)
182  {
183  //Debug message
184  TRACE_INFO("Sending ClientHello message (%" PRIuSIZE " bytes)...\r\n", length);
186 
187  //Send handshake message
188  error = tlsSendHandshakeMessage(context, message, length,
190  }
191 
192  //Check status code
193  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
194  {
195  //Initial ClientHello?
196  if(context->state == TLS_STATE_CLIENT_HELLO)
197  {
198  //Wait for a ServerHello or HelloRetryRequest message
199  context->state = TLS_STATE_SERVER_HELLO;
200  }
201  else
202  {
203  //Wait for a ServerHello message
204  context->state = TLS_STATE_SERVER_HELLO_2;
205  }
206  }
207 
208  //Return status code
209  return error;
210 }
211 
212 
213 /**
214  * @brief Send ClientKeyExchange message
215  *
216  * This message is always sent by the client. It must immediately
217  * follow the client Certificate message, if it is sent. Otherwise,
218  * it must be the first message sent by the client after it receives
219  * the ServerHelloDone message
220  *
221  * @param[in] context Pointer to the TLS context
222  * @return Error code
223  **/
224 
226 {
227  error_t error;
228  size_t length;
230 
231  //Point to the buffer where to format the message
232  message = (TlsClientKeyExchange *) (context->txBuffer + context->txBufferLen);
233 
234  //Format ClientKeyExchange message
235  error = tlsFormatClientKeyExchange(context, message, &length);
236 
237  //Check status code
238  if(!error)
239  {
240  //Debug message
241  TRACE_INFO("Sending ClientKeyExchange message (%" PRIuSIZE " bytes)...\r\n", length);
243 
244  //Send handshake message
245  error = tlsSendHandshakeMessage(context, message, length,
247  }
248 
249  //Check status code
250  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
251  {
252  //Derive session keys from the premaster secret
253  error = tlsGenerateSessionKeys(context);
254 
255  //Key material successfully generated?
256  if(!error)
257  {
258  //Send a CertificateVerify message to the server
259  context->state = TLS_STATE_CLIENT_CERTIFICATE_VERIFY;
260  }
261  }
262 
263  //Return status code
264  return error;
265 }
266 
267 
268 /**
269  * @brief Format ClientHello message
270  * @param[in] context Pointer to the TLS context
271  * @param[out] message Buffer where to format the ClientHello message
272  * @param[out] length Length of the resulting ClientHello message
273  * @return Error code
274  **/
275 
277  TlsClientHello *message, size_t *length)
278 {
279  error_t error;
280  size_t n;
281  uint8_t *p;
282  uint_t cipherSuiteTypes;
283  TlsExtensionList *extensionList;
284 
285  //In TLS 1.3, the client indicates its version preferences in the
286  //SupportedVersions extension and the legacy_version field must be
287  //set to 0x0303, which is the version number for TLS 1.2
288  context->clientVersion = MIN(context->versionMax, TLS_VERSION_1_2);
289 
290 #if (DTLS_SUPPORT == ENABLED)
291  //DTLS protocol?
292  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
293  {
294  //Translate TLS version into DTLS version
295  context->clientVersion = dtlsTranslateVersion(context->clientVersion);
296  }
297 #endif
298 
299  //In previous versions of TLS, the version field is used for version
300  //negotiation and represents the highest version number supported by
301  //the client
302  message->clientVersion = htons(context->clientVersion);
303 
304  //Client random value
305  memcpy(message->random, context->clientRandom, 32);
306 
307  //Point to the session ID
308  p = message->sessionId;
309  //Length of the handshake message
310  *length = sizeof(TlsClientHello);
311 
312  //The session ID value identifies a session the client wishes to reuse for
313  //this connection
314  error = tlsFormatSessionId(context, p, &n);
315  //Any error to report?
316  if(error)
317  return error;
318 
319  //Fix the length of the session ID
320  message->sessionIdLen = (uint8_t) n;
321 
322  //Point to the next field
323  p += n;
324  //Adjust the length of the message
325  *length += n;
326 
327 #if (DTLS_SUPPORT == ENABLED)
328  //DTLS protocol?
329  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
330  {
331  //Format Cookie field
332  error = dtlsFormatCookie(context, p, &n);
333  //Any error to report?
334  if(error)
335  return error;
336 
337  //Point to the next field
338  p += n;
339  //Adjust the length of the message
340  *length += n;
341  }
342 #endif
343 
344  //Format the list of cipher suites supported by the client
345  error = tlsFormatCipherSuites(context, &cipherSuiteTypes, p, &n);
346  //Any error to report?
347  if(error)
348  return error;
349 
350  //Point to the next field
351  p += n;
352  //Adjust the length of the message
353  *length += n;
354 
355  //Format the list of compression methods supported by the client
356  error = tlsFormatCompressMethods(context, p, &n);
357  //Any error to report?
358  if(error)
359  return error;
360 
361  //Point to the next field
362  p += n;
363  //Adjust the length of the message
364  *length += n;
365 
366  //Clients may request extended functionality from servers by sending
367  //data in the extensions field
368  extensionList = (TlsExtensionList *) p;
369  //Total length of the extension list
370  extensionList->length = 0;
371 
372  //Point to the first extension of the list
373  p += sizeof(TlsExtensionList);
374 
375  //In TLS 1.2, the client can indicate its version preferences in the
376  //SupportedVersions extension
377  error = tlsFormatClientSupportedVersionsExtension(context, p, &n);
378  //Any error to report?
379  if(error)
380  return error;
381 
382  //Fix the length of the extension list
383  extensionList->length += (uint16_t) n;
384  //Point to the next field
385  p += n;
386 
387 #if (TLS_SNI_SUPPORT == ENABLED)
388  //In order to provide the server name, clients may include a ServerName
389  //extension
390  error = tlsFormatClientSniExtension(context, p, &n);
391  //Any error to report?
392  if(error)
393  return error;
394 
395  //Fix the length of the extension list
396  extensionList->length += (uint16_t) n;
397  //Point to the next field
398  p += n;
399 #endif
400 
401 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
402  //In order to negotiate smaller maximum fragment lengths, clients may
403  //include a MaxFragmentLength extension
404  error = tlsFormatClientMaxFragLenExtension(context, p, &n);
405  //Any error to report?
406  if(error)
407  return error;
408 
409  //Fix the length of the extension list
410  extensionList->length += (uint16_t) n;
411  //Point to the next field
412  p += n;
413 #endif
414 
415 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
416  //The value of RecordSizeLimit is the maximum size of record in octets
417  //that the endpoint is willing to receive
418  error = tlsFormatClientRecordSizeLimitExtension(context, p, &n);
419  //Any error to report?
420  if(error)
421  return error;
422 
423  //Fix the length of the extension list
424  extensionList->length += (uint16_t) n;
425  //Point to the next field
426  p += n;
427 #endif
428 
429  //A client that proposes ECC/FFDHE cipher suites in its ClientHello message
430  //should send the SupportedGroups extension
431  error = tlsFormatSupportedGroupsExtension(context, cipherSuiteTypes, p, &n);
432  //Any error to report?
433  if(error)
434  return error;
435 
436  //Fix the length of the extension list
437  extensionList->length += (uint16_t) n;
438  //Point to the next field
439  p += n;
440 
441  //A client that proposes ECC cipher suites in its ClientHello message
442  //should send the EcPointFormats extension
443  error = tlsFormatClientEcPointFormatsExtension(context, cipherSuiteTypes,
444  p, &n);
445  //Any error to report?
446  if(error)
447  return error;
448 
449  //Fix the length of the extension list
450  extensionList->length += (uint16_t) n;
451  //Point to the next field
452  p += n;
453 
454  //Include the SignatureAlgorithms extension only if TLS 1.2 is supported
455  error = tlsFormatSignatureAlgorithmsExtension(context, cipherSuiteTypes,
456  p, &n);
457  //Any error to report?
458  if(error)
459  return error;
460 
461  //Fix the length of the extension list
462  extensionList->length += (uint16_t) n;
463  //Point to the next field
464  p += n;
465 
466 #if (TLS_SIGN_ALGOS_CERT_SUPPORT == ENABLED)
467  //The SignatureAlgorithmsCert extension allows a client to indicate which
468  //signature algorithms it can validate in X.509 certificates
469  error = tlsFormatSignatureAlgorithmsCertExtension(context, p, &n);
470  //Any error to report?
471  if(error)
472  return error;
473 
474  //Fix the length of the extension list
475  extensionList->length += (uint16_t) n;
476  //Point to the next field
477  p += n;
478 #endif
479 
480 #if (TLS_ALPN_SUPPORT == ENABLED)
481  //The ALPN extension contains the list of protocols advertised by the
482  //client, in descending order of preference
483  error = tlsFormatClientAlpnExtension(context, p, &n);
484  //Any error to report?
485  if(error)
486  return error;
487 
488  //Fix the length of the extension list
489  extensionList->length += (uint16_t) n;
490  //Point to the next field
491  p += n;
492 #endif
493 
494 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
495  //In order to indicate the support of raw public keys, clients include the
496  //ClientCertType extension in an extended ClientHello message
497  error = tlsFormatClientCertTypeListExtension(context, p, &n);
498  //Any error to report?
499  if(error)
500  return error;
501 
502  //Fix the length of the extension list
503  extensionList->length += (uint16_t) n;
504  //Point to the next field
505  p += n;
506 
507  //In order to indicate the support of raw public keys, clients include the
508  //ServerCertType extension in an extended ClientHello message
509  error = tlsFormatServerCertTypeListExtension(context, p, &n);
510  //Any error to report?
511  if(error)
512  return error;
513 
514  //Fix the length of the extension list
515  extensionList->length += (uint16_t) n;
516  //Point to the next field
517  p += n;
518 #endif
519 
520 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
521  //In all handshakes, a client implementing RFC 7627 must send the
522  //ExtendedMasterSecret extension in its ClientHello
523  error = tlsFormatClientEmsExtension(context, p, &n);
524  //Any error to report?
525  if(error)
526  return error;
527 
528  //Fix the length of the extension list
529  extensionList->length += (uint16_t) n;
530  //Point to the next field
531  p += n;
532 #endif
533 
534 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
535  //If the connection's secure_renegotiation flag is set to TRUE, the client
536  //must include a RenegotiationInfo extension in its ClientHello message
537  error = tlsFormatClientRenegoInfoExtension(context, p, &n);
538  //Any error to report?
539  if(error)
540  return error;
541 
542  //Fix the length of the extension list
543  extensionList->length += (uint16_t) n;
544  //Point to the next field
545  p += n;
546 #endif
547 
548 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
549  //TLS 1.3 supported by the client?
550  if(context->versionMax >= TLS_VERSION_1_3 &&
551  context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM)
552  {
553  Tls13PskIdentityList *identityList;
554  Tls13PskBinderList *binderList;
555 
556  //Clients must not use cookies in their initial ClientHello
557  if(context->state != TLS_STATE_CLIENT_HELLO)
558  {
559  //When sending the new ClientHello, the client must copy the contents
560  //of the Cookie extension received in the HelloRetryRequest into a
561  //Cookie extension in the new ClientHello
562  error = tls13FormatCookieExtension(context, p, &n);
563  //Any error to report?
564  if(error)
565  return error;
566 
567  //Fix the length of the extension list
568  extensionList->length += (uint16_t) n;
569  //Point to the next field
570  p += n;
571  }
572 
573  //The KeyShare extension contains the client's cryptographic parameters
574  error = tls13FormatClientKeyShareExtension(context, p, &n);
575  //Any error to report?
576  if(error)
577  return error;
578 
579  //Fix the length of the extension list
580  extensionList->length += (uint16_t) n;
581  //Point to the next field
582  p += n;
583 
584 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
585  //If the client opts to send application data in its first flight of
586  //messages, it must supply both the PreSharedKey and EarlyData extensions
587  error = tls13FormatClientEarlyDataExtension(context, p, &n);
588  //Any error to report?
589  if(error)
590  return error;
591 
592  //Fix the length of the extension list
593  extensionList->length += (uint16_t) n;
594  //Point to the next field
595  p += n;
596 #endif
597 
598  //In order to use PSKs, clients must send a PskKeyExchangeModes extension
599  error = tls13FormatPskKeModesExtension(context, p, &n);
600  //Any error to report?
601  if(error)
602  return error;
603 
604  //Fix the length of the extension list
605  extensionList->length += (uint16_t) n;
606  //Point to the next field
607  p += n;
608 
609 #if (TLS_CLIENT_HELLO_PADDING_SUPPORT == ENABLED)
610  //The first pass calculates the length of the PreSharedKey extension
611  error = tls13FormatClientPreSharedKeyExtension(context, p, &n,
612  &identityList, &binderList);
613  //Any error to report?
614  if(error)
615  return error;
616 
617  //Determine the length of the resulting message
618  n += *length + sizeof(TlsExtensionList) + extensionList->length;
619 
620  //Add a padding extension to ensure the ClientHello is never between
621  //256 and 511 bytes in length
622  error = tlsFormatClientHelloPaddingExtension(context, n, p, &n);
623  //Any error to report?
624  if(error)
625  return error;
626 
627  //Fix the length of the extension list
628  extensionList->length += (uint16_t) n;
629  //Point to the next field
630  p += n;
631 #endif
632 
633  //The extensions may appear in any order, with the exception of
634  //PreSharedKey which must be the last extension in the ClientHello
635  error = tls13FormatClientPreSharedKeyExtension(context, p, &n,
636  &identityList, &binderList);
637  //Any error to report?
638  if(error)
639  return error;
640 
641  //Fix the length of the extension list
642  extensionList->length += (uint16_t) n;
643  //Point to the next field
644  p += n;
645 
646  //Convert the length of the extension list to network byte order
647  extensionList->length = htons(extensionList->length);
648  //Total length of the message
649  *length += sizeof(TlsExtensionList) + htons(extensionList->length);
650 
651  //Fix PSK binder values in the PreSharedKey extension
652  error = tls13ComputePskBinders(context, message, *length, identityList,
653  binderList);
654  //Any error to report?
655  if(error)
656  return error;
657  }
658  else
659 #endif
660  {
661 #if (TLS_CLIENT_HELLO_PADDING_SUPPORT == ENABLED)
662  //Retrieve the actual length of the message
663  n = *length;
664 
665  //Any extensions included in the ClientHello message?
666  if(extensionList->length > 0)
667  n += sizeof(TlsExtensionList) + extensionList->length;
668 
669  //Add a padding extension to ensure the ClientHello is never between
670  //256 and 511 bytes in length
671  error = tlsFormatClientHelloPaddingExtension(context, n, p, &n);
672  //Any error to report?
673  if(error)
674  return error;
675 
676  //Fix the length of the extension list
677  extensionList->length += (uint16_t) n;
678  //Point to the next field
679  p += n;
680 #endif
681 
682  //Any extensions included in the ClientHello message?
683  if(extensionList->length > 0)
684  {
685  //Convert the length of the extension list to network byte order
686  extensionList->length = htons(extensionList->length);
687  //Total length of the message
688  *length += sizeof(TlsExtensionList) + htons(extensionList->length);
689  }
690  }
691 
692  //Successful processing
693  return NO_ERROR;
694 }
695 
696 
697 /**
698  * @brief Format ClientKeyExchange message
699  * @param[in] context Pointer to the TLS context
700  * @param[out] message Buffer where to format the ClientKeyExchange message
701  * @param[out] length Length of the resulting ClientKeyExchange message
702  * @return Error code
703  **/
704 
707 {
708  error_t error;
709  size_t n;
710  uint8_t *p;
711 
712  //Point to the beginning of the handshake message
713  p = message;
714  //Length of the handshake message
715  *length = 0;
716 
717 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
718  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
719  //PSK key exchange method?
720  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
721  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
722  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
723  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
724  {
725  //The client indicates which key to use by including a PSK identity
726  //in the ClientKeyExchange message
727  error = tlsFormatPskIdentity(context, p, &n);
728  //Any error to report?
729  if(error)
730  return error;
731 
732  //Advance data pointer
733  p += n;
734  //Adjust the length of the message
735  *length += n;
736  }
737 #endif
738 
739  //RSA, Diffie-Hellman or ECDH key exchange method?
740  if(context->keyExchMethod != TLS_KEY_EXCH_PSK)
741  {
742  //Format client's key exchange parameters
743  error = tlsFormatClientKeyParams(context, p, &n);
744  //Any error to report?
745  if(error)
746  return error;
747 
748  //Advance data pointer
749  p += n;
750  //Adjust the length of the message
751  *length += n;
752  }
753 
754 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
755  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
756  //PSK key exchange method?
757  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
758  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
759  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
760  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
761  {
762  //Invalid pre-shared key?
763  if(context->pskLen == 0)
765 
766  //Generate premaster secret
767  error = tlsGeneratePskPremasterSecret(context);
768  //Any error to report?
769  if(error)
770  return error;
771  }
772 #endif
773 
774  //Successful processing
775  return NO_ERROR;
776 }
777 
778 
779 /**
780  * @brief Parse HelloRequest message
781  *
782  * HelloRequest is a simple notification that the client should begin the
783  * negotiation process anew. In response, the client should send a ClientHello
784  * message when convenient
785  *
786  * @param[in] context Pointer to the TLS context
787  * @param[in] message Incoming HelloRequest message to parse
788  * @param[in] length Message length
789  * @return Error code
790  **/
791 
793  const TlsHelloRequest *message, size_t length)
794 {
795  error_t error;
796 
797  //Debug message
798  TRACE_INFO("HelloRequest message received (%" PRIuSIZE " bytes)...\r\n", length);
800 
801  //Check TLS version
802  if(context->version > TLS_VERSION_1_2)
804 
805  //The HelloRequest message does not contain any data
806  if(length != 0)
807  return ERROR_DECODING_FAILED;
808 
809  //Check current state
810  if(context->state == TLS_STATE_APPLICATION_DATA)
811  {
812 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
813  //Check whether the secure_renegociation flag is set
814  if(context->secureRenegoEnabled && context->secureRenegoFlag)
815  {
816  //HelloRequest is a simple notification that the client should begin
817  //the negotiation process anew
818  context->state = TLS_STATE_CLIENT_HELLO;
819 
820  //Continue processing
821  error = NO_ERROR;
822  }
823  else
824 #endif
825  {
826  //If the connection's secure_renegotiation flag is set to FALSE, it
827  //is recommended that clients refuse this renegotiation request (refer
828  //to RFC 5746, section 4.2)
829  error = tlsSendAlert(context, TLS_ALERT_LEVEL_FATAL,
831  }
832  }
833  else
834  {
835  //The HelloRequest message can be sent at any time but it should be
836  //ignored by the client if it arrives in the middle of a handshake
837  error = NO_ERROR;
838  }
839 
840  //Return status code
841  return error;
842 }
843 
844 
845 /**
846  * @brief Parse ServerHello message
847  *
848  * The server will send this message in response to a ClientHello
849  * message when it was able to find an acceptable set of algorithms.
850  * If it cannot find such a match, it will respond with a handshake
851  * failure alert
852  *
853  * @param[in] context Pointer to the TLS context
854  * @param[in] message Incoming ServerHello message to parse
855  * @param[in] length Message length
856  * @return Error code
857  **/
858 
860  const TlsServerHello *message, size_t length)
861 {
862  error_t error;
863  const uint8_t *p;
865  TlsCompressMethod compressMethod;
867 
868  //Debug message
869  TRACE_INFO("ServerHello message received (%" PRIuSIZE " bytes)...\r\n", length);
871 
872  //Check current state
873  if(context->state != TLS_STATE_SERVER_HELLO &&
874  context->state != TLS_STATE_SERVER_HELLO_2 &&
875  context->state != TLS_STATE_SERVER_HELLO_3)
876  {
877  //Report an error
879  }
880 
881  //Check the length of the ServerHello message
882  if(length < sizeof(TlsServerHello))
883  return ERROR_DECODING_FAILED;
884 
885  //Point to the session ID
886  p = message->sessionId;
887  //Remaining bytes to process
888  length -= sizeof(TlsServerHello);
889 
890  //Check the length of the session ID
891  if(message->sessionIdLen > length)
892  return ERROR_DECODING_FAILED;
893  if(message->sessionIdLen > 32)
894  return ERROR_DECODING_FAILED;
895 
896  //Point to the next field
897  p += message->sessionIdLen;
898  //Remaining bytes to process
899  length -= message->sessionIdLen;
900 
901  //Malformed ServerHello message?
902  if(length < sizeof(TlsCipherSuite))
903  return ERROR_DECODING_FAILED;
904 
905  //Get the negotiated cipher suite
907  //Point to the next field
908  p += sizeof(TlsCipherSuite);
909  //Remaining bytes to process
910  length -= sizeof(TlsCipherSuite);
911 
912  //Malformed ServerHello message?
913  if(length < sizeof(TlsCompressMethod))
914  return ERROR_DECODING_FAILED;
915 
916  //Get the negotiated compression method
917  compressMethod = *p;
918  //Point to the next field
919  p += sizeof(TlsCompressMethod);
920  //Remaining bytes to process
921  length -= sizeof(TlsCompressMethod);
922 
923  //Server version
924  TRACE_INFO(" serverVersion = 0x%04" PRIX16 " (%s)\r\n",
925  ntohs(message->serverVersion),
926  tlsGetVersionName(ntohs(message->serverVersion)));
927 
928  //Server random value
929  TRACE_INFO(" random\r\n");
930  TRACE_INFO_ARRAY(" ", message->random, 32);
931 
932  //Session identifier
933  TRACE_INFO(" sessionId\r\n");
934  TRACE_INFO_ARRAY(" ", message->sessionId, message->sessionIdLen);
935 
936  //Cipher suite identifier
937  TRACE_INFO(" cipherSuite = 0x%04" PRIX16 " (%s)\r\n",
939 
940  //Compression method
941  TRACE_INFO(" compressMethod = 0x%02" PRIX8 "\r\n", compressMethod);
942 
943  //Parse the list of extensions offered by the server
945  &extensions);
946  //Any error to report?
947  if(error)
948  return error;
949 
950  //TLS protocol?
951  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM)
952  {
953  //Check whether the ServerHello message is received in response to
954  //the initial ClientHello
955  if(context->state != TLS_STATE_SERVER_HELLO_2)
956  {
957  //Release transcript hash context
958  tlsFreeTranscriptHash(context);
959 
960  //Format initial ClientHello message
961  error = tlsFormatInitialClientHello(context);
962  //Any error to report?
963  if(error)
964  return error;
965  }
966  }
967 
968  //Select TLS version
969  error = tlsSelectClientVersion(context, message, &extensions);
970  //TLS version not supported?
971  if(error)
972  return error;
973 
974  //Check the list of extensions offered by the server
975  error = tlsCheckHelloExtensions(TLS_TYPE_SERVER_HELLO, context->version,
976  &extensions);
977  //Any error to report?
978  if(error)
979  return error;
980 
981  //Save server random value
982  memcpy(context->serverRandom, message->random, 32);
983 
984 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
985  //SSL 3.0, TLS 1.0, TLS 1.1 or TLS 1.2 currently selected?
986  if(context->version <= TLS_VERSION_1_2)
987  {
988  //Reset the named group to its default value
989  context->namedGroup = TLS_GROUP_NONE;
990 
991  //Check whether the server has decided to resume a previous session
992  error = tlsResumeClientSession(context, message->sessionId,
993  message->sessionIdLen, cipherSuite, compressMethod);
994  //Any error to report?
995  if(error)
996  return error;
997 
998  //Set cipher suite
999  error = tlsSelectCipherSuite(context, cipherSuite);
1000  //Specified cipher suite not supported?
1001  if(error)
1002  return error;
1003 
1004  //Set compression method
1005  error = tlsSelectCompressMethod(context, compressMethod);
1006  //Specified compression method not supported?
1007  if(error)
1008  return error;
1009 
1010  //Initialize handshake message hashing
1011  error = tlsInitTranscriptHash(context);
1012  //Any error to report?
1013  if(error)
1014  return error;
1015 
1016  //Save session identifier
1017  memcpy(context->sessionId, message->sessionId, message->sessionIdLen);
1018  context->sessionIdLen = message->sessionIdLen;
1019 
1020 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
1021  //Parse RenegotiationInfo extension
1022  error = tlsParseServerRenegoInfoExtension(context, &extensions);
1023  //Any error to report?
1024  if(error)
1025  return error;
1026 #endif
1027 
1028 #if (TLS_SNI_SUPPORT == ENABLED)
1029  //When the server includes a ServerName extension, the data field of
1030  //this extension may be empty
1031  error = tlsParseServerSniExtension(context, extensions.serverNameList);
1032  //Any error to report?
1033  if(error)
1034  return error;
1035 #endif
1036 
1037 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
1038  //Servers that receive an ClientHello containing a MaxFragmentLength
1039  //extension may accept the requested maximum fragment length by including
1040  //an extension of type MaxFragmentLength in the ServerHello
1041  error = tlsParseServerMaxFragLenExtension(context, extensions.maxFragLen);
1042  //Any error to report?
1043  if(error)
1044  return error;
1045 #endif
1046 
1047 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
1048  //The value of RecordSizeLimit is the maximum size of record in octets
1049  //that the peer is willing to receive
1051  extensions.recordSizeLimit);
1052  //Any error to report?
1053  if(error)
1054  return error;
1055 #endif
1056 
1057 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
1058  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1059  //A server that selects an ECC cipher suite in response to a ClientHello
1060  //message including an EcPointFormats extension appends this extension
1061  //to its ServerHello message
1062  error = tlsParseServerEcPointFormatsExtension(context,
1063  extensions.ecPointFormatList);
1064  //Any error to report?
1065  if(error)
1066  return error;
1067 #endif
1068 
1069 #if (TLS_ALPN_SUPPORT == ENABLED)
1070  //Parse ALPN extension
1071  error = tlsParseServerAlpnExtension(context, extensions.protocolNameList);
1072  //Any error to report?
1073  if(error)
1074  return error;
1075 #endif
1076 
1077 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
1078  //Parse ClientCertType extension
1079  error = tlsParseClientCertTypeExtension(context, extensions.clientCertType);
1080  //Any error to report?
1081  if(error)
1082  return error;
1083 
1084  //Parse ServerCertType extension
1085  error = tlsParseServerCertTypeExtension(context, extensions.serverCertType);
1086  //Any error to report?
1087  if(error)
1088  return error;
1089 #endif
1090 
1091 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
1092  //Parse ExtendedMasterSecret extension
1093  error = tlsParseServerEmsExtension(context, extensions.extendedMasterSecret);
1094  //Any error to report?
1095  if(error)
1096  return error;
1097 #endif
1098 
1099 #if (TLS_SESSION_RESUME_SUPPORT == ENABLED)
1100  //Use abbreviated handshake?
1101  if(context->resume)
1102  {
1103  //Derive session keys from the master secret
1104  error = tlsGenerateSessionKeys(context);
1105  //Unable to generate key material?
1106  if(error)
1107  return error;
1108 
1109  //At this point, both client and server must send ChangeCipherSpec
1110  //messages and proceed directly to Finished messages
1111  context->state = TLS_STATE_SERVER_CHANGE_CIPHER_SPEC;
1112  }
1113  else
1114 #endif
1115  {
1116  //Perform a full handshake
1117  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1118  context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1119  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1120  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1121  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1122  {
1123  //The Certificate message is omitted from the server's response
1124  context->state = TLS_STATE_SERVER_KEY_EXCHANGE;
1125  }
1126  else
1127  {
1128  //The server is required to send a Certificate message
1129  context->state = TLS_STATE_SERVER_CERTIFICATE;
1130  }
1131  }
1132  }
1133  else
1134 #endif
1135 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1136  //TLS 1.3 currently selected?
1137  if(context->version == TLS_VERSION_1_3)
1138  {
1139  //A client which receives a legacy_session_id_echo field that does not
1140  //match what it sent in the ClientHello must abort the handshake with an
1141  //illegal_parameter alert (RFC 8446, section 4.1.3)
1142  if(message->sessionIdLen != context->sessionIdLen ||
1143  memcmp(message->sessionId, context->sessionId, message->sessionIdLen))
1144  {
1145  //The legacy_session_id_echo field is not valid
1146  return ERROR_ILLEGAL_PARAMETER;
1147  }
1148 
1149  //Check whether the ServerHello message is received in response to the
1150  //initial or the updated ClientHello
1151  if(context->state != TLS_STATE_SERVER_HELLO_2)
1152  {
1153  //Set cipher suite
1154  error = tlsSelectCipherSuite(context, cipherSuite);
1155  //Specified cipher suite not supported?
1156  if(error)
1157  return error;
1158 
1159  //Initialize handshake message hashing
1160  error = tlsInitTranscriptHash(context);
1161  //Any error to report?
1162  if(error)
1163  return error;
1164  }
1165  else
1166  {
1167  //Clients must check that the cipher suite supplied in the ServerHello
1168  //is the same as that in the HelloRetryRequest and otherwise abort the
1169  //handshake with an illegal_parameter alert
1170  if(cipherSuite != context->cipherSuite.identifier)
1171  return ERROR_ILLEGAL_PARAMETER;
1172  }
1173 
1174  //Set compression method
1175  error = tlsSelectCompressMethod(context, compressMethod);
1176  //Specified compression method not supported?
1177  if(error)
1178  return error;
1179 
1180  //If using (EC)DHE key establishment, servers offer exactly one
1181  //KeyShareEntry in the ServerHello
1182  error = tls13ParseServerKeyShareExtension(context,
1183  extensions.serverShare);
1184  //Any error to report?
1185  if(error)
1186  return error;
1187 
1188  //The PreSharedKey extension contains the selected PSK identity
1189  error = tls13ParseServerPreSharedKeyExtension(context,
1190  extensions.selectedIdentity);
1191  //Any error to report?
1192  if(error)
1193  return error;
1194 
1195  //In TLS 1.3, the cipher suite concept has been changed. The key exchange
1196  //mechanism is negotiated separately from the cipher suite
1197  if(context->keyExchMethod == TLS_KEY_EXCH_NONE)
1198  return ERROR_HANDSHAKE_FAILED;
1199 
1200 #if (TLS13_MIDDLEBOX_COMPAT_SUPPORT == ENABLED)
1201  //The middlebox compatibility mode improves the chance of successfully
1202  //connecting through middleboxes
1203  if(context->state == TLS_STATE_SERVER_HELLO)
1204  {
1205  //In middlebox compatibility mode, the client sends a dummy
1206  //ChangeCipherSpec record immediately before its second flight
1207  context->state = TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC_2;
1208  }
1209  else
1210 #endif
1211  {
1212  //All handshake messages after the ServerHello are now encrypted
1213  context->state = TLS_STATE_HANDSHAKE_TRAFFIC_KEYS;
1214  }
1215  }
1216  else
1217 #endif
1218  //Invalid TLS version?
1219  {
1220  //Just for sanity
1221  return ERROR_INVALID_VERSION;
1222  }
1223 
1224  //Successful processing
1225  return NO_ERROR;
1226 }
1227 
1228 
1229 /**
1230  * @brief Parse ServerKeyExchange message
1231  *
1232  * The ServerKeyExchange message is sent by the server only when the
1233  * server Certificate message does not contain enough data to allow
1234  * the client to exchange a premaster secret
1235  *
1236  * @param[in] context Pointer to the TLS context
1237  * @param[in] message Incoming ServerKeyExchange message to parse
1238  * @param[in] length Message length
1239  * @return Error code
1240  **/
1241 
1243  const TlsServerKeyExchange *message, size_t length)
1244 {
1245  error_t error;
1246  size_t n;
1247  size_t paramsLen;
1248  const uint8_t *p;
1249  const uint8_t *params;
1250 
1251  //Initialize variables
1252  params = NULL;
1253  paramsLen = 0;
1254 
1255  //Debug message
1256  TRACE_INFO("ServerKeyExchange message received (%" PRIuSIZE " bytes)...\r\n", length);
1258 
1259  //Check TLS version
1260  if(context->version > TLS_VERSION_1_2)
1261  return ERROR_UNEXPECTED_MESSAGE;
1262 
1263  //Check current state
1264  if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE)
1265  return ERROR_UNEXPECTED_MESSAGE;
1266 
1267  //Point to the beginning of the handshake message
1268  p = message;
1269 
1270 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
1271  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1272  //PSK key exchange method?
1273  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1274  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
1275  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1276  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1277  {
1278  //To help the client in selecting which identity to use, the server
1279  //can provide a PSK identity hint in the ServerKeyExchange message
1280  error = tlsParsePskIdentityHint(context, p, length, &n);
1281  //Any error to report?
1282  if(error)
1283  return error;
1284 
1285  //Point to the next field
1286  p += n;
1287  //Remaining bytes to process
1288  length -= n;
1289  }
1290 #endif
1291 
1292  //Diffie-Hellman or ECDH key exchange method?
1293  if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1294  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1295  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1296  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1297  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1298  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1299  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
1300  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1301  {
1302  //Point to the server's key exchange parameters
1303  params = p;
1304 
1305  //Parse server's key exchange parameters
1306  error = tlsParseServerKeyParams(context, p, length, &paramsLen);
1307  //Any error to report?
1308  if(error)
1309  return error;
1310 
1311  //Point to the next field
1312  p += paramsLen;
1313  //Remaining bytes to process
1314  length -= paramsLen;
1315  }
1316 
1317  //For non-anonymous Diffie-Hellman and ECDH key exchanges, the signature
1318  //over the server's key exchange parameters shall be verified
1319  if(context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1320  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1321  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1322  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA)
1323  {
1324 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)
1325  //SSL 3.0, TLS 1.0 or TLS 1.1 currently selected?
1326  if(context->version <= TLS_VERSION_1_1)
1327  {
1328  //Signature verification
1329  error = tlsVerifyServerKeySignature(context,
1330  (TlsDigitalSignature *) p, length, params, paramsLen, &n);
1331  }
1332  else
1333 #endif
1334 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1335  //TLS 1.2 currently selected?
1336  if(context->version == TLS_VERSION_1_2)
1337  {
1338  //Signature verification
1339  error = tls12VerifyServerKeySignature(context,
1340  (Tls12DigitalSignature *) p, length, params, paramsLen, &n);
1341  }
1342  else
1343 #endif
1344  {
1345  //Report an error
1346  error = ERROR_INVALID_VERSION;
1347  }
1348 
1349  //Any error to report?
1350  if(error)
1351  return error;
1352 
1353  //Point to the next field
1354  p += n;
1355  //Remaining bytes to process
1356  length -= n;
1357  }
1358 
1359  //If the amount of data in the message does not precisely match the format
1360  //of the ServerKeyExchange message, then send a fatal alert
1361  if(length != 0)
1362  return ERROR_DECODING_FAILED;
1363 
1364  //Anomynous server?
1365  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1366  context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1367  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1368  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1369  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1370  {
1371  //An anonymous server cannot request client authentication
1372  context->state = TLS_STATE_SERVER_HELLO_DONE;
1373  }
1374  else
1375  {
1376  //A non-anonymous server can optionally request a certificate from
1377  //the client, if appropriate for the selected cipher suite
1378  context->state = TLS_STATE_CERTIFICATE_REQUEST;
1379  }
1380 
1381  //Successful processing
1382  return NO_ERROR;
1383 }
1384 
1385 
1386 /**
1387  * @brief Parse CertificateRequest message
1388  *
1389  * A server can optionally request a certificate from the client, if
1390  * appropriate for the selected cipher suite. This message will
1391  * immediately follow the ServerKeyExchange message
1392  *
1393  * @param[in] context Pointer to the TLS context
1394  * @param[in] message Incoming CertificateRequest message to parse
1395  * @param[in] length Message length
1396  * @return Error code
1397  **/
1398 
1400  const TlsCertificateRequest *message, size_t length)
1401 {
1402  error_t error;
1403  uint_t i;
1404  uint_t j;
1405  size_t n;
1406  uint_t certTypesLen;
1407  bool_t acceptable;
1408  const uint8_t *p;
1409  const uint8_t *certTypes;
1410  const TlsCertAuthorities *certAuthorities;
1411  const TlsSignHashAlgos *supportedSignAlgos;
1412  const TlsSignHashAlgos *supportedCertSignAlgos;
1413 
1414  //Debug message
1415  TRACE_INFO("CertificateRequest message received (%" PRIuSIZE " bytes)...\r\n", length);
1417 
1418  //Check key exchange method
1419  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1420  context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1421  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1422  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1423  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1424  {
1425  //It is a fatal handshake failure alert for an anonymous server to
1426  //request client authentication
1427  return ERROR_HANDSHAKE_FAILED;
1428  }
1429  else if(context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1430  {
1431  //If no PSK identity hint is provided by the server, then the
1432  //ServerKeyExchange message is omitted
1433  if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE &&
1434  context->state != TLS_STATE_CERTIFICATE_REQUEST)
1435  {
1436  //Handshake failure
1437  return ERROR_UNEXPECTED_MESSAGE;
1438  }
1439  }
1440  else if(context->keyExchMethod == TLS13_KEY_EXCH_PSK ||
1441  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
1442  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
1443  {
1444  //Servers which are authenticating with a PSK must not send the
1445  //CertificateRequest message in the main handshake
1446  return ERROR_HANDSHAKE_FAILED;
1447  }
1448  else
1449  {
1450  //Check current state
1451  if(context->state != TLS_STATE_CERTIFICATE_REQUEST)
1452  return ERROR_UNEXPECTED_MESSAGE;
1453  }
1454 
1455  //The server requests a certificate from the client, so that connection
1456  //can be mutually authenticated
1457  context->clientCertRequested = TRUE;
1458 
1459  //Point to the beginning of the handshake message
1460  p = (uint8_t *) message;
1461 
1462 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1463  //Version of TLS prior to TLS 1.3?
1464  if(context->version <= TLS_VERSION_1_2)
1465  {
1466  //Check the length of the ServerKeyExchange message
1467  if(length < sizeof(TlsCertificateRequest))
1468  return ERROR_DECODING_FAILED;
1469 
1470  //Remaining bytes to process
1471  length -= sizeof(TlsCertificateRequest);
1472 
1473  //Retrieve the length of the list
1474  n = message->certificateTypesLen;
1475  //Malformed CertificateRequest message?
1476  if(n > length)
1477  return ERROR_DECODING_FAILED;
1478 
1479  //Point to the list of supported certificate types
1480  certTypes = message->certificateTypes;
1481  certTypesLen = message->certificateTypesLen;
1482 
1483  //Point to the next field
1484  p += sizeof(TlsCertificateRequest) + n;
1485  //Remaining bytes to process
1486  length -= n;
1487 
1488  //TLS 1.2 currently selected?
1489  if(context->version == TLS_VERSION_1_2)
1490  {
1491  //Malformed CertificateRequest message?
1492  if(length < sizeof(TlsSignHashAlgos))
1493  return ERROR_DECODING_FAILED;
1494 
1495  //Point to the list of the hash/signature algorithm pairs
1496  supportedSignAlgos = (TlsSignHashAlgos *) p;
1497  //Remaining bytes to process
1498  length -= sizeof(TlsSignHashAlgos);
1499 
1500  //Retrieve the length of the list
1501  n = ntohs(supportedSignAlgos->length);
1502  //Malformed CertificateRequest message?
1503  if(n > length)
1504  return ERROR_DECODING_FAILED;
1505 
1506  //Point to the next field
1507  p += sizeof(TlsSignHashAlgos) + n;
1508  //Remaining bytes to process
1509  length -= n;
1510  }
1511  else
1512  {
1513  //Implementations prior to TLS 1.2 do not include a list of supported
1514  //hash/signature algorithm pairs
1515  supportedSignAlgos = NULL;
1516  }
1517 
1518  //List of signature algorithms that may appear in X.509 certificates
1519  supportedCertSignAlgos = supportedSignAlgos;
1520 
1521  //Malformed CertificateRequest message?
1522  if(length < sizeof(TlsCertAuthorities))
1523  return ERROR_DECODING_FAILED;
1524 
1525  //Point to the list of acceptable certificate authorities
1526  certAuthorities = (TlsCertAuthorities *) p;
1527  //Remaining bytes to process
1528  length -= sizeof(TlsCertAuthorities);
1529 
1530  //Retrieve the length of the list
1531  n = ntohs(certAuthorities->length);
1532  //Malformed CertificateRequest message?
1533  if(n != length)
1534  return ERROR_DECODING_FAILED;
1535  }
1536  else
1537 #endif
1538 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1539  //TLS 1.3 currently selected?
1540  if(context->version == TLS_VERSION_1_3)
1541  {
1543  const Tls13CertRequestContext *certRequestContext;
1544 
1545  //Unused parameters
1546  certTypes = NULL;
1547  certTypesLen = 0;
1548  certAuthorities = NULL;
1549 
1550  //Malformed CertificateRequest message?
1551  if(length < sizeof(Tls13CertRequestContext))
1552  return ERROR_DECODING_FAILED;
1553 
1554  //Point to the certificate_request_context field
1555  certRequestContext = (Tls13CertRequestContext *) p;
1556  //Remaining bytes to process
1557  length -= sizeof(Tls13CertRequestContext);
1558 
1559  //Retrieve the length of the field
1560  n = certRequestContext->length;
1561  //Malformed CertificateRequest message?
1562  if(n > length)
1563  return ERROR_DECODING_FAILED;
1564 
1565  //The certificate_request_context field shall be zero length unless
1566  //used for the post-handshake authentication exchange
1567  if(certRequestContext->length != 0)
1568  return ERROR_ILLEGAL_PARAMETER;
1569 
1570  //Point to the next field
1571  p += sizeof(Tls13CertRequestContext) + n;
1572  //Remaining bytes to process
1573  length -= n;
1574 
1575  //The extensions describe the parameters of the certificate being
1576  //requested
1578  length, &extensions);
1579  //Any error to report?
1580  if(error)
1581  return error;
1582 
1583  //Check the list of extensions offered by the server
1585  context->version, &extensions);
1586  //Any error to report?
1587  if(error)
1588  return error;
1589 
1590  //The SignatureAlgorithms extension must be specified (refer to RFC 8446,
1591  //section 4.3.2)
1592  if(extensions.signAlgoList == NULL)
1593  return ERROR_MISSING_EXTENSION;
1594 
1595  //Point to the list of the hash/signature algorithm pairs that
1596  //the server is able to verify
1597  supportedSignAlgos = extensions.signAlgoList;
1598 
1599  //If no SignatureAlgorithmsCert extension is present, then the
1600  //SignatureAlgorithms extension also applies to signatures appearing
1601  //in certificates (RFC 8446, section 4.2.3)
1602  if(extensions.certSignAlgoList != NULL)
1603  supportedCertSignAlgos = extensions.certSignAlgoList;
1604  else
1605  supportedCertSignAlgos = extensions.signAlgoList;
1606  }
1607  else
1608 #endif
1609  //Invalid TLS version?
1610  {
1611  //Report an error
1612  return ERROR_INVALID_VERSION;
1613  }
1614 
1615  //No suitable certificate has been found for the moment
1616  context->cert = NULL;
1617  acceptable = FALSE;
1618 
1619  //Select the most appropriate certificate (2-pass process)
1620  for(i = 0; i < 2 && !acceptable; i++)
1621  {
1622  //Loop through the list of available certificates
1623  for(j = 0; j < context->numCerts && !acceptable; j++)
1624  {
1625  //Check whether the current certificate is suitable
1626  acceptable = tlsIsCertificateAcceptable(context, &context->certs[j],
1627  certTypes, certTypesLen, supportedSignAlgos, supportedCertSignAlgos,
1628  NULL, certAuthorities);
1629 
1630  //TLS 1.2 and TLS 1.3 require additional examinations
1631  if(acceptable && context->version >= TLS_VERSION_1_2)
1632  {
1633  //The hash and signature algorithms used in the signature of the
1634  //CertificateVerify message must be one of those present in the
1635  //SupportedSignatureAlgorithms field
1636  error = tlsSelectSignatureScheme(context, &context->certs[j],
1637  supportedSignAlgos);
1638 
1639  //Check status code
1640  if(error)
1641  {
1642  acceptable = FALSE;
1643  }
1644  }
1645 
1646  //If all the requirements were met, the certificate can be used
1647  if(acceptable)
1648  {
1649  context->cert = &context->certs[j];
1650  }
1651  }
1652 
1653  //The second pass relaxes the constraints
1654  supportedCertSignAlgos = NULL;
1655  certAuthorities = NULL;
1656  }
1657 
1658  //Version of TLS prior to TLS 1.3?
1659  if(context->version <= TLS_VERSION_1_2)
1660  {
1661  //Wait for a ServerHelloDone message
1662  context->state = TLS_STATE_SERVER_HELLO_DONE;
1663  }
1664  else
1665  {
1666  //Wait for a Certificate message
1667  context->state = TLS_STATE_SERVER_CERTIFICATE;
1668  }
1669 
1670  //Successful processing
1671  return NO_ERROR;
1672 }
1673 
1674 
1675 /**
1676  * @brief Parse ServerHelloDone message
1677  *
1678  * The ServerHelloDone message is sent by the server to indicate the
1679  * end of the ServerHello and associated messages. After sending this
1680  * message, the server will wait for a client response
1681  *
1682  * @param[in] context Pointer to the TLS context
1683  * @param[in] message Incoming ServerHelloDone message to parse
1684  * @param[in] length Message length
1685  * @return Error code
1686  **/
1687 
1689  const TlsServerHelloDone *message, size_t length)
1690 {
1691  //Debug message
1692  TRACE_INFO("ServerHelloDone message received (%" PRIuSIZE " bytes)...\r\n", length);
1694 
1695  //Check TLS version
1696  if(context->version > TLS_VERSION_1_2)
1697  return ERROR_UNEXPECTED_MESSAGE;
1698 
1699  //Check key exchange method
1700  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
1701  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1702  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1703  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1704  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA)
1705  {
1706  //The server may omit the CertificateRequest message and go
1707  //directly to the ServerHelloDone message
1708  if(context->state != TLS_STATE_CERTIFICATE_REQUEST &&
1709  context->state != TLS_STATE_SERVER_HELLO_DONE)
1710  {
1711  //Handshake failure
1712  return ERROR_UNEXPECTED_MESSAGE;
1713  }
1714  }
1715  else if(context->keyExchMethod == TLS_KEY_EXCH_PSK)
1716  {
1717  //If no PSK identity hint is provided by the server, the
1718  //ServerKeyExchange message is omitted
1719  if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE &&
1720  context->state != TLS_STATE_SERVER_HELLO_DONE)
1721  {
1722  //Handshake failure
1723  return ERROR_UNEXPECTED_MESSAGE;
1724  }
1725  }
1726  else if(context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1727  {
1728  //The server may omit the ServerKeyExchange message and/or
1729  //the CertificateRequest message
1730  if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE &&
1731  context->state != TLS_STATE_CERTIFICATE_REQUEST &&
1732  context->state != TLS_STATE_SERVER_HELLO_DONE)
1733  {
1734  //Handshake failure
1735  return ERROR_UNEXPECTED_MESSAGE;
1736  }
1737  }
1738  else
1739  {
1740  //Check current state
1741  if(context->state != TLS_STATE_SERVER_HELLO_DONE)
1742  return ERROR_UNEXPECTED_MESSAGE;
1743  }
1744 
1745  //The ServerHelloDone message does not contain any data
1746  if(length != 0)
1747  return ERROR_DECODING_FAILED;
1748 
1749  //The client must send a Certificate message if the server requests it
1750  context->state = TLS_STATE_CLIENT_CERTIFICATE;
1751 
1752  //Successful processing
1753  return NO_ERROR;
1754 }
1755 
1756 #endif
TLS (Transport Layer Security)
error_t tlsSelectSignatureScheme(TlsContext *context, const TlsCertDesc *cert, const TlsSignHashAlgos *supportedSignAlgos)
Select the algorithm to be used when generating digital signatures.
Definition: tls_signature.c:58
error_t tlsFormatSignatureAlgorithmsCertExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SignatureAlgorithmsCert extension.
Definition: tls_common.c:999
Formatting and parsing of extensions (TLS 1.3 client)
error_t tlsParseHelloExtensions(TlsMessageType msgType, const uint8_t *p, size_t length, TlsHelloExtensions *extensions)
Parse Hello extensions.
error_t tlsSelectClientVersion(TlsContext *context, const TlsServerHello *message, const TlsHelloExtensions *extensions)
Version selection.
error_t tlsFormatSessionId(TlsContext *context, uint8_t *p, size_t *written)
Format session ID.
void TlsServerHelloDone
ServerHelloDone message.
Definition: tls.h:1656
Handshake message processing (TLS client)
__start_packed struct @87 TlsCertificateRequest
CertificateRequest message.
Helper functions for TLS client.
error_t dtlsFormatCookie(TlsContext *context, uint8_t *p, size_t *written)
Format Cookie field.
Definition: dtls_misc.c:138
Handshake message processing (TLS 1.3 client)
systime_t osGetSystemTime(void)
Retrieve system time.
error_t tls13GenerateKeyShare(TlsContext *context, uint16_t namedGroup)
error_t tlsGenerateSessionKeys(TlsContext *context)
Generate session keys.
error_t tlsParseServerHello(TlsContext *context, const TlsServerHello *message, size_t length)
Parse ServerHello message.
Definition: tls_client.c:859
Debugging facilities.
error_t tlsFormatClientEmsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ExtendedMasterSecret extension.
uint8_t p
Definition: ndp.h:295
error_t tlsParseServerEcPointFormatsExtension(TlsContext *context, const TlsEcPointFormatList *ecPointFormatList)
Parse EcPointFormats extension.
error_t tlsFormatSignatureAlgorithmsExtension(TlsContext *context, uint_t cipherSuiteTypes, uint8_t *p, size_t *written)
Format SignatureAlgorithms extension.
Definition: tls_common.c:793
void TlsHelloRequest
HelloRequest message.
Definition: tls.h:1598
uint8_t message[]
Definition: chap.h:150
error_t tls13FormatClientKeyShareExtension(TlsContext *context, uint8_t *p, size_t *written)
error_t tls12VerifyServerKeySignature(TlsContext *context, const Tls12DigitalSignature *signature, size_t length, const uint8_t *params, size_t paramsLen, size_t *consumed)
Verify server&#39;s key exchange parameters signature (TLS 1.2)
error_t tlsSendClientKeyExchange(TlsContext *context)
Send ClientKeyExchange message.
Definition: tls_client.c:225
error_t tlsFormatClientCertTypeListExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ClientCertType extension.
#define TLS_VERSION_1_3
Definition: tls.h:90
#define htons(value)
Definition: cpu_endian.h:390
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:99
error_t tlsSelectCompressMethod(TlsContext *context, uint8_t identifier)
Set compression method.
Definition: tls_misc.c:345
error_t tlsFormatPskIdentity(TlsContext *context, uint8_t *p, size_t *written)
Format PSK identity.
void tlsFreeTranscriptHash(TlsContext *context)
Release transcript hash context.
__start_packed struct @65 TlsSignHashAlgos
List of signature algorithms.
error_t tlsInitTranscriptHash(TlsContext *context)
Initialize handshake message hashing.
error_t tls13FormatPskKeModesExtension(TlsContext *context, uint8_t *p, size_t *written)
error_t tlsParseServerRenegoInfoExtension(TlsContext *context, const TlsHelloExtensions *extensions)
Parse RenegotiationInfo extension.
#define TRUE
Definition: os_port.h:48
__start_packed struct @86 TlsServerHello
ServerHello message.
error_t tlsFormatClientRenegoInfoExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RenegotiationInfo extension.
TLS record protocol.
DTLS (Datagram Transport Layer Security)
__start_packed struct @101 Tls13PskBinderList
List of PSK binders.
Parsing and checking of TLS extensions.
TLS helper functions.
error_t tlsFormatCipherSuites(TlsContext *context, uint_t *cipherSuiteTypes, uint8_t *p, size_t *written)
Format the list of cipher suites supported by the client.
void TlsClientKeyExchange
ClientKeyExchange message.
Definition: tls.h:1663
void TlsServerKeyExchange
ServerKeyExchange message.
Definition: tls.h:1638
error_t tlsFormatClientHello(TlsContext *context, TlsClientHello *message, size_t *length)
Format ClientHello message.
Definition: tls_client.c:276
error_t tlsParseServerKeyParams(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse server&#39;s key exchange parameters.
#define ntohs(value)
Definition: cpu_endian.h:396
TLS handshake.
error_t tlsGeneratePskPremasterSecret(TlsContext *context)
Premaster secret generation (for PSK cipher suites)
error_t tlsParsePskIdentityHint(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse PSK identity hint.
__start_packed struct @102 Tls13CertRequestContext
Certificate request context.
uint16_t dtlsTranslateVersion(uint16_t version)
Translate TLS version into DTLS version.
Definition: dtls_misc.c:111
error_t tlsFormatClientSniExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SNI extension.
uint16_t TlsCipherSuite
Cipher suite.
Definition: tls.h:1325
Date and time management.
Formatting and parsing of extensions (TLS client)
error_t tlsVerifyServerKeySignature(TlsContext *context, const TlsDigitalSignature *signature, size_t length, const uint8_t *params, size_t paramsLen, size_t *consumed)
Verify server&#39;s key exchange parameters signature (SSL 3.0, TLS 1.0 and TLS 1.1)
DTLS record protocol.
error_t tlsGenerateRandomValue(TlsContext *context, uint8_t *random)
Generate client or server random value.
Definition: tls_misc.c:158
error_t tlsSendAlert(TlsContext *context, uint8_t level, uint8_t description)
Send Alert message.
Definition: tls_common.c:478
PEM file import functions.
error_t tlsFormatClientKeyExchange(TlsContext *context, TlsClientKeyExchange *message, size_t *length)
Format ClientKeyExchange message.
Definition: tls_client.c:705
error_t tlsParseServerAlpnExtension(TlsContext *context, const TlsProtocolNameList *protocolNameList)
Parse ALPN extension.
error_t tls13ParseServerKeyShareExtension(TlsContext *context, const Tls13KeyShareEntry *serverShare)
#define LOAD16BE(p)
Definition: cpu_endian.h:168
Handshake message processing (TLS client and server)
uint8_t TlsCompressMethod
Compression method.
Definition: tls.h:1343
__start_packed struct @69 TlsExtensionList
List of TLS extensions.
error_t tlsParseServerCertTypeExtension(TlsContext *context, const uint8_t *serverCertType)
Parse ServerCertType extension.
#define MIN(a, b)
Definition: os_port.h:60
error_t tlsFormatCompressMethods(TlsContext *context, uint8_t *p, size_t *written)
Format the list of compression methods supported by the client.
error_t tlsParseClientCertTypeExtension(TlsContext *context, const uint8_t *clientCertType)
Parse ClientCertType extension.
error_t tlsParseServerSniExtension(TlsContext *context, const TlsServerNameList *serverNameList)
Parse SNI extension.
uint16_t cipherSuite
Cipher suite identifier.
Definition: tls13_misc.h:367
#define TLS_VERSION_1_2
Definition: tls.h:83
#define TLS_VERSION_1_1
Definition: tls.h:82
__start_packed struct @82 Tls12DigitalSignature
Digitally-signed element (TLS 1.2)
#define TRACE_INFO(...)
Definition: debug.h:86
error_t tls13ComputePskBinders(TlsContext *context, const void *clientHello, size_t clientHelloLen, const Tls13PskIdentityList *identityList, Tls13PskBinderList *binderList)
error_t tls13ParseServerPreSharedKeyExtension(TlsContext *context, const uint8_t *selectedIdentity)
TLS cipher suites.
Success.
Definition: error.h:42
error_t tlsFormatClientMaxFragLenExtension(TlsContext *context, uint8_t *p, size_t *written)
Format MaxFragmentLength extension.
error_t tlsSelectCipherSuite(TlsContext *context, uint16_t identifier)
Set cipher suite.
Definition: tls_misc.c:247
error_t tlsParseHelloRequest(TlsContext *context, const TlsHelloRequest *message, size_t length)
Parse HelloRequest message.
Definition: tls_client.c:792
const char_t * tlsGetVersionName(uint16_t version)
Convert TLS version to string representation.
Definition: tls_misc.c:795
error_t tlsParseServerRecordSizeLimitExtension(TlsContext *context, const uint8_t *recordSizeLimit)
Parse RecordSizeLimit extension.
error_t
Error codes.
Definition: error.h:40
error_t tlsParseServerMaxFragLenExtension(TlsContext *context, const uint8_t *maxFragLen)
Parse MaxFragmentLength extension.
uint8_t extensions[]
Definition: tls13_misc.h:322
unsigned int uint_t
Definition: compiler_port.h:43
error_t tlsFormatClientSupportedVersionsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SupportedVersions extension.
__start_packed struct @99 Tls13PskIdentityList
List of PSK identities.
__start_packed struct @67 TlsCertAuthorities
List of certificate authorities.
#define PRIuSIZE
Definition: compiler_port.h:72
error_t tlsFormatSupportedGroupsExtension(TlsContext *context, uint_t cipherSuiteTypes, uint8_t *p, size_t *written)
Format SupportedGroups extension.
__start_packed struct @81 TlsDigitalSignature
Digitally-signed element (SSL 3.0, TLS 1.0 and TLS 1.1)
error_t tlsSendHandshakeMessage(TlsContext *context, const void *data, size_t length, TlsMessageType type)
Send handshake message.
error_t tlsFormatClientKeyParams(TlsContext *context, uint8_t *p, size_t *written)
Format client&#39;s key exchange parameters.
Hello extensions.
Definition: tls.h:1878
#define TRACE_INFO_ARRAY(p, a, n)
Definition: debug.h:87
Key material generation.
void tlsFreeEncryptionEngine(TlsEncryptionEngine *encryptionEngine)
Release encryption engine.
Definition: tls_misc.c:599
error_t tlsFormatClientHelloPaddingExtension(TlsContext *context, size_t clientHelloLen, uint8_t *p, size_t *written)
Format ClientHello Padding extension.
const char_t * tlsGetCipherSuiteName(uint16_t identifier)
Convert cipher suite identifier to string representation.
error_t tls13FormatClientPreSharedKeyExtension(TlsContext *context, uint8_t *p, size_t *written, Tls13PskIdentityList **identityList, Tls13PskBinderList **binderList)
Transcript hash calculation.
bool_t tlsIsCertificateAcceptable(TlsContext *context, const TlsCertDesc *cert, const uint8_t *certTypes, size_t numCertTypes, const TlsSignHashAlgos *signHashAlgos, const TlsSignHashAlgos *certSignHashAlgos, const TlsSupportedGroupList *curveList, const TlsCertAuthorities *certAuthorities)
Check whether a certificate is acceptable.
RSA/DSA/ECDSA/EdDSA signature generation and verification.
error_t tlsSendClientHello(TlsContext *context)
Send ClientHello message.
Definition: tls_client.c:80
error_t tlsFormatClientEcPointFormatsExtension(TlsContext *context, uint_t cipherSuiteTypes, uint8_t *p, size_t *written)
Format EcPointFormats extension.
Helper functions for TLS 1.3 client.
error_t tlsParseServerHelloDone(TlsContext *context, const TlsServerHelloDone *message, size_t length)
Parse ServerHelloDone message.
Definition: tls_client.c:1688
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
error_t tls13FormatCookieExtension(TlsContext *context, uint8_t *p, size_t *written)
__start_packed struct @85 TlsClientHello
ClientHello message.
error_t tlsFormatClientAlpnExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ALPN extension.
error_t tlsResumeClientSession(TlsContext *context, const uint8_t *sessionId, size_t sessionIdLen, uint16_t cipherSuite, uint8_t compressMethod)
Resume TLS session via session ID.
error_t tlsParseCertificateRequest(TlsContext *context, const TlsCertificateRequest *message, size_t length)
Parse CertificateRequest message.
Definition: tls_client.c:1399
error_t tlsFormatInitialClientHello(TlsContext *context)
Format initial ClientHello message.
#define FALSE
Definition: os_port.h:44
#define TlsContext
Definition: tls.h:34
int bool_t
Definition: compiler_port.h:47
error_t tlsFormatClientRecordSizeLimitExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RecordSizeLimit extension.
error_t tlsFormatServerCertTypeListExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ServerCertType extension.
error_t tls13FormatClientEarlyDataExtension(TlsContext *context, uint8_t *p, size_t *written)
error_t tlsParseServerKeyExchange(TlsContext *context, const TlsServerKeyExchange *message, size_t length)
Parse ServerKeyExchange message.
Definition: tls_client.c:1242
error_t tlsCheckHelloExtensions(TlsMessageType msgType, uint16_t version, TlsHelloExtensions *extensions)
Check Hello extensions.
error_t tlsParseServerEmsExtension(TlsContext *context, const uint8_t *extendedMasterSecret)
Parse ExtendedMasterSecret extension.
Certificate handling.