tls_client.c
Go to the documentation of this file.
1 /**
2  * @file tls_client.c
3  * @brief Handshake message processing (TLS client)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @section Description
28  *
29  * The TLS protocol provides communications security over the Internet. The
30  * protocol allows client/server applications to communicate in a way that
31  * is designed to prevent eavesdropping, tampering, or message forgery
32  *
33  * @author Oryx Embedded SARL (www.oryx-embedded.com)
34  * @version 1.9.6
35  **/
36 
37 //Switch to the appropriate trace level
38 #define TRACE_LEVEL TLS_TRACE_LEVEL
39 
40 //Dependencies
41 #include <string.h>
42 #include "tls.h"
43 #include "tls_cipher_suites.h"
44 #include "tls_handshake.h"
45 #include "tls_client.h"
46 #include "tls_client_extensions.h"
47 #include "tls_client_misc.h"
48 #include "tls_common.h"
49 #include "tls_extensions.h"
50 #include "tls_certificate.h"
51 #include "tls_signature.h"
52 #include "tls_key_material.h"
53 #include "tls_transcript_hash.h"
54 #include "tls_record.h"
55 #include "tls_misc.h"
56 #include "tls13_client.h"
58 #include "tls13_client_misc.h"
59 #include "dtls_record.h"
60 #include "dtls_misc.h"
61 #include "pkix/pem_import.h"
62 #include "date_time.h"
63 #include "debug.h"
64 
65 //Check TLS library configuration
66 #if (TLS_SUPPORT == ENABLED && TLS_CLIENT_SUPPORT == ENABLED)
67 
68 
69 /**
70  * @brief Send ClientHello message
71  *
72  * When a client first connects to a server, it is required to send
73  * the ClientHello as its first message. The client can also send a
74  * ClientHello in response to a HelloRequest or on its own initiative
75  * in order to renegotiate the security parameters in an existing
76  * connection
77  *
78  * @param[in] context Pointer to the TLS context
79  * @return Error code
80  **/
81 
83 {
84  error_t error;
85  size_t length;
87 
88  //Point to the buffer where to format the message
89  message = (TlsClientHello *) (context->txBuffer + context->txBufferLen);
90 
91 #if (DTLS_SUPPORT == ENABLED)
92  //DTLS protocol?
93  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
94  {
95  //When sending the first ClientHello, the client does not have a cookie yet
96  if(context->cookieLen == 0)
97  {
98  //Generate the client random value using a cryptographically-safe
99  //pseudorandom number generator
100  error = tlsGenerateRandomValue(context, context->clientRandom);
101  }
102  else
103  {
104  //When responding to a HelloVerifyRequest, the client must use the
105  //same random value as it did in the original ClientHello
106  error = NO_ERROR;
107  }
108  }
109  else
110 #endif
111  //TLS protocol?
112  {
113  //Initial or updated ClientHello?
114  if(context->state == TLS_STATE_CLIENT_HELLO)
115  {
116  //Generate the client random value using a cryptographically-safe
117  //pseudorandom number generator
118  error = tlsGenerateRandomValue(context, context->clientRandom);
119  }
120  else
121  {
122  //When responding to a HelloRetryRequest, the client must use the
123  //same random value as it did in the initial ClientHello
124  error = NO_ERROR;
125  }
126  }
127 
128 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
129  //Check status code
130  if(!error)
131  {
132  //TLS 1.3 supported by the client?
133  if(context->versionMax >= TLS_VERSION_1_3 &&
134  context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM)
135  {
136  //Initial or updated ClientHello?
137  if(context->state == TLS_STATE_CLIENT_HELLO)
138  {
139 #if (TLS13_MIDDLEBOX_COMPAT_SUPPORT == ENABLED)
140  //In compatibility mode the session ID field must be non-empty
141  if(context->sessionIdLen == 0)
142  {
143  //A client not offering a pre-TLS 1.3 session must generate a
144  //new 32-byte value (refer to RFC 8446, section 4.1.2)
145  context->sessionIdLen = 32;
146 
147  //This value need not be random but should be unpredictable to
148  //avoid implementations fixating on a specific value
149  error = tlsGenerateRandomValue(context, context->sessionId);
150  }
151 #endif
152  //Check status code
153  if(!error)
154  {
155  //Any preferred ECDHE or FFDHE group?
156  if(tls13IsGroupSupported(context, context->preferredGroup))
157  {
158  //Pregenerate key share using preferred named group
159  error = tls13GenerateKeyShare(context, context->preferredGroup);
160  }
161  else
162  {
163  //Request group selection from the server, at the cost of an
164  //additional round trip
165  context->preferredGroup = TLS_GROUP_NONE;
166  }
167  }
168  }
169  else
170  {
171  //The updated ClientHello message is not encrypted
172  tlsFreeEncryptionEngine(&context->encryptionEngine);
173  }
174  }
175 
176  //Save current time
177  context->timestamp = osGetSystemTime();
178  }
179 #endif
180 
181  //Check status code
182  if(!error)
183  {
184  //Format ClientHello message
185  error = tlsFormatClientHello(context, message, &length);
186  }
187 
188  //Check status code
189  if(!error)
190  {
191  //Debug message
192  TRACE_INFO("Sending ClientHello message (%" PRIuSIZE " bytes)...\r\n", length);
194 
195  //Send handshake message
196  error = tlsSendHandshakeMessage(context, message, length,
198  }
199 
200  //Check status code
201  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
202  {
203  //Initial ClientHello?
204  if(context->state == TLS_STATE_CLIENT_HELLO)
205  {
206  //Wait for a ServerHello or HelloRetryRequest message
207  context->state = TLS_STATE_SERVER_HELLO;
208  }
209  else
210  {
211  //Wait for a ServerHello message
212  context->state = TLS_STATE_SERVER_HELLO_2;
213  }
214  }
215 
216  //Return status code
217  return error;
218 }
219 
220 
221 /**
222  * @brief Send ClientKeyExchange message
223  *
224  * This message is always sent by the client. It must immediately
225  * follow the client Certificate message, if it is sent. Otherwise,
226  * it must be the first message sent by the client after it receives
227  * the ServerHelloDone message
228  *
229  * @param[in] context Pointer to the TLS context
230  * @return Error code
231  **/
232 
234 {
235  error_t error;
236  size_t length;
238 
239  //Point to the buffer where to format the message
240  message = (TlsClientKeyExchange *) (context->txBuffer + context->txBufferLen);
241 
242  //Format ClientKeyExchange message
243  error = tlsFormatClientKeyExchange(context, message, &length);
244 
245  //Check status code
246  if(!error)
247  {
248  //Debug message
249  TRACE_INFO("Sending ClientKeyExchange message (%" PRIuSIZE " bytes)...\r\n", length);
251 
252  //Send handshake message
253  error = tlsSendHandshakeMessage(context, message, length,
255  }
256 
257  //Check status code
258  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
259  {
260  //Derive session keys from the premaster secret
261  error = tlsGenerateSessionKeys(context);
262 
263  //Key material successfully generated?
264  if(!error)
265  {
266  //Send a CertificateVerify message to the server
267  context->state = TLS_STATE_CLIENT_CERTIFICATE_VERIFY;
268  }
269  }
270 
271  //Return status code
272  return error;
273 }
274 
275 
276 /**
277  * @brief Format ClientHello message
278  * @param[in] context Pointer to the TLS context
279  * @param[out] message Buffer where to format the ClientHello message
280  * @param[out] length Length of the resulting ClientHello message
281  * @return Error code
282  **/
283 
285  TlsClientHello *message, size_t *length)
286 {
287  error_t error;
288  size_t n;
289  uint8_t *p;
290  uint_t cipherSuiteTypes;
291  TlsExtensionList *extensionList;
292 
293  //In TLS 1.3, the client indicates its version preferences in the
294  //SupportedVersions extension and the legacy_version field must be
295  //set to 0x0303, which is the version number for TLS 1.2
296  context->clientVersion = MIN(context->versionMax, TLS_VERSION_1_2);
297 
298 #if (DTLS_SUPPORT == ENABLED)
299  //DTLS protocol?
300  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
301  {
302  //Translate TLS version into DTLS version
303  context->clientVersion = dtlsTranslateVersion(context->clientVersion);
304  }
305 #endif
306 
307  //In previous versions of TLS, the version field is used for version
308  //negotiation and represents the highest version number supported by
309  //the client
310  message->clientVersion = htons(context->clientVersion);
311 
312  //Client random value
313  memcpy(message->random, context->clientRandom, 32);
314 
315  //Point to the session ID
316  p = message->sessionId;
317  //Length of the handshake message
318  *length = sizeof(TlsClientHello);
319 
320  //The session ID value identifies a session the client wishes to reuse for
321  //this connection
322  error = tlsFormatSessionId(context, p, &n);
323  //Any error to report?
324  if(error)
325  return error;
326 
327  //Fix the length of the session ID
328  message->sessionIdLen = (uint8_t) n;
329 
330  //Point to the next field
331  p += n;
332  //Adjust the length of the message
333  *length += n;
334 
335 #if (DTLS_SUPPORT == ENABLED)
336  //DTLS protocol?
337  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
338  {
339  //Format Cookie field
340  error = dtlsFormatCookie(context, p, &n);
341  //Any error to report?
342  if(error)
343  return error;
344 
345  //Point to the next field
346  p += n;
347  //Adjust the length of the message
348  *length += n;
349  }
350 #endif
351 
352  //Format the list of cipher suites supported by the client
353  error = tlsFormatCipherSuites(context, &cipherSuiteTypes, p, &n);
354  //Any error to report?
355  if(error)
356  return error;
357 
358  //Point to the next field
359  p += n;
360  //Adjust the length of the message
361  *length += n;
362 
363  //Format the list of compression methods supported by the client
364  error = tlsFormatCompressMethods(context, p, &n);
365  //Any error to report?
366  if(error)
367  return error;
368 
369  //Point to the next field
370  p += n;
371  //Adjust the length of the message
372  *length += n;
373 
374  //Clients may request extended functionality from servers by sending
375  //data in the extensions field
376  extensionList = (TlsExtensionList *) p;
377  //Total length of the extension list
378  extensionList->length = 0;
379 
380  //Point to the first extension of the list
381  p += sizeof(TlsExtensionList);
382 
383  //In TLS 1.2, the client can indicate its version preferences in the
384  //SupportedVersions extension
385  error = tlsFormatClientSupportedVersionsExtension(context, p, &n);
386  //Any error to report?
387  if(error)
388  return error;
389 
390  //Fix the length of the extension list
391  extensionList->length += (uint16_t) n;
392  //Point to the next field
393  p += n;
394 
395 #if (TLS_SNI_SUPPORT == ENABLED)
396  //In order to provide the server name, clients may include a ServerName
397  //extension
398  error = tlsFormatClientSniExtension(context, p, &n);
399  //Any error to report?
400  if(error)
401  return error;
402 
403  //Fix the length of the extension list
404  extensionList->length += (uint16_t) n;
405  //Point to the next field
406  p += n;
407 #endif
408 
409 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
410  //In order to negotiate smaller maximum fragment lengths, clients may
411  //include a MaxFragmentLength extension
412  error = tlsFormatClientMaxFragLenExtension(context, p, &n);
413  //Any error to report?
414  if(error)
415  return error;
416 
417  //Fix the length of the extension list
418  extensionList->length += (uint16_t) n;
419  //Point to the next field
420  p += n;
421 #endif
422 
423 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
424  //The value of RecordSizeLimit is the maximum size of record in octets
425  //that the endpoint is willing to receive
426  error = tlsFormatClientRecordSizeLimitExtension(context, p, &n);
427  //Any error to report?
428  if(error)
429  return error;
430 
431  //Fix the length of the extension list
432  extensionList->length += (uint16_t) n;
433  //Point to the next field
434  p += n;
435 #endif
436 
437  //A client that proposes ECC/FFDHE cipher suites in its ClientHello message
438  //should send the SupportedGroups extension
439  error = tlsFormatSupportedGroupsExtension(context, cipherSuiteTypes, p, &n);
440  //Any error to report?
441  if(error)
442  return error;
443 
444  //Fix the length of the extension list
445  extensionList->length += (uint16_t) n;
446  //Point to the next field
447  p += n;
448 
449  //A client that proposes ECC cipher suites in its ClientHello message
450  //should send the EcPointFormats extension
451  error = tlsFormatClientEcPointFormatsExtension(context, cipherSuiteTypes,
452  p, &n);
453  //Any error to report?
454  if(error)
455  return error;
456 
457  //Fix the length of the extension list
458  extensionList->length += (uint16_t) n;
459  //Point to the next field
460  p += n;
461 
462  //Include the SignatureAlgorithms extension only if TLS 1.2 is supported
463  error = tlsFormatSignatureAlgorithmsExtension(context, cipherSuiteTypes,
464  p, &n);
465  //Any error to report?
466  if(error)
467  return error;
468 
469  //Fix the length of the extension list
470  extensionList->length += (uint16_t) n;
471  //Point to the next field
472  p += n;
473 
474 #if (TLS_SIGN_ALGOS_CERT_SUPPORT == ENABLED)
475  //The SignatureAlgorithmsCert extension allows a client to indicate which
476  //signature algorithms it can validate in X.509 certificates
477  error = tlsFormatSignatureAlgorithmsCertExtension(context, p, &n);
478  //Any error to report?
479  if(error)
480  return error;
481 
482  //Fix the length of the extension list
483  extensionList->length += (uint16_t) n;
484  //Point to the next field
485  p += n;
486 #endif
487 
488 #if (TLS_ALPN_SUPPORT == ENABLED)
489  //The ALPN extension contains the list of protocols advertised by the
490  //client, in descending order of preference
491  error = tlsFormatClientAlpnExtension(context, p, &n);
492  //Any error to report?
493  if(error)
494  return error;
495 
496  //Fix the length of the extension list
497  extensionList->length += (uint16_t) n;
498  //Point to the next field
499  p += n;
500 #endif
501 
502 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
503  //In order to indicate the support of raw public keys, clients include the
504  //ClientCertType extension in an extended ClientHello message
505  error = tlsFormatClientCertTypeListExtension(context, p, &n);
506  //Any error to report?
507  if(error)
508  return error;
509 
510  //Fix the length of the extension list
511  extensionList->length += (uint16_t) n;
512  //Point to the next field
513  p += n;
514 
515  //In order to indicate the support of raw public keys, clients include the
516  //ServerCertType extension in an extended ClientHello message
517  error = tlsFormatServerCertTypeListExtension(context, p, &n);
518  //Any error to report?
519  if(error)
520  return error;
521 
522  //Fix the length of the extension list
523  extensionList->length += (uint16_t) n;
524  //Point to the next field
525  p += n;
526 #endif
527 
528 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
529  //In all handshakes, a client implementing RFC 7627 must send the
530  //ExtendedMasterSecret extension in its ClientHello
531  error = tlsFormatClientEmsExtension(context, p, &n);
532  //Any error to report?
533  if(error)
534  return error;
535 
536  //Fix the length of the extension list
537  extensionList->length += (uint16_t) n;
538  //Point to the next field
539  p += n;
540 #endif
541 
542 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
543  //If the connection's secure_renegotiation flag is set to TRUE, the client
544  //must include a RenegotiationInfo extension in its ClientHello message
545  error = tlsFormatClientRenegoInfoExtension(context, p, &n);
546  //Any error to report?
547  if(error)
548  return error;
549 
550  //Fix the length of the extension list
551  extensionList->length += (uint16_t) n;
552  //Point to the next field
553  p += n;
554 #endif
555 
556 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
557  //TLS 1.3 supported by the client?
558  if(context->versionMax >= TLS_VERSION_1_3 &&
559  context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM)
560  {
561  Tls13PskIdentityList *identityList;
562  Tls13PskBinderList *binderList;
563 
564  //Clients must not use cookies in their initial ClientHello
565  if(context->state != TLS_STATE_CLIENT_HELLO)
566  {
567  //When sending the new ClientHello, the client must copy the contents
568  //of the Cookie extension received in the HelloRetryRequest into a
569  //Cookie extension in the new ClientHello
570  error = tls13FormatCookieExtension(context, p, &n);
571  //Any error to report?
572  if(error)
573  return error;
574 
575  //Fix the length of the extension list
576  extensionList->length += (uint16_t) n;
577  //Point to the next field
578  p += n;
579  }
580 
581  //The KeyShare extension contains the client's cryptographic parameters
582  error = tls13FormatClientKeyShareExtension(context, p, &n);
583  //Any error to report?
584  if(error)
585  return error;
586 
587  //Fix the length of the extension list
588  extensionList->length += (uint16_t) n;
589  //Point to the next field
590  p += n;
591 
592 #if (TLS13_EARLY_DATA_SUPPORT == ENABLED)
593  //If the client opts to send application data in its first flight of
594  //messages, it must supply both the PreSharedKey and EarlyData extensions
595  error = tls13FormatClientEarlyDataExtension(context, p, &n);
596  //Any error to report?
597  if(error)
598  return error;
599 
600  //Fix the length of the extension list
601  extensionList->length += (uint16_t) n;
602  //Point to the next field
603  p += n;
604 #endif
605 
606  //In order to use PSKs, clients must send a PskKeyExchangeModes extension
607  error = tls13FormatPskKeModesExtension(context, p, &n);
608  //Any error to report?
609  if(error)
610  return error;
611 
612  //Fix the length of the extension list
613  extensionList->length += (uint16_t) n;
614  //Point to the next field
615  p += n;
616 
617 #if (TLS_CLIENT_HELLO_PADDING_SUPPORT == ENABLED)
618  //The first pass calculates the length of the PreSharedKey extension
619  error = tls13FormatClientPreSharedKeyExtension(context, p, &n,
620  &identityList, &binderList);
621  //Any error to report?
622  if(error)
623  return error;
624 
625  //Determine the length of the resulting message
626  n += *length + sizeof(TlsExtensionList) + extensionList->length;
627 
628  //Add a padding extension to ensure the ClientHello is never between
629  //256 and 511 bytes in length
630  error = tlsFormatClientHelloPaddingExtension(context, n, p, &n);
631  //Any error to report?
632  if(error)
633  return error;
634 
635  //Fix the length of the extension list
636  extensionList->length += (uint16_t) n;
637  //Point to the next field
638  p += n;
639 #endif
640 
641  //The extensions may appear in any order, with the exception of
642  //PreSharedKey which must be the last extension in the ClientHello
643  error = tls13FormatClientPreSharedKeyExtension(context, p, &n,
644  &identityList, &binderList);
645  //Any error to report?
646  if(error)
647  return error;
648 
649  //Fix the length of the extension list
650  extensionList->length += (uint16_t) n;
651  //Point to the next field
652  p += n;
653 
654  //Convert the length of the extension list to network byte order
655  extensionList->length = htons(extensionList->length);
656  //Total length of the message
657  *length += sizeof(TlsExtensionList) + htons(extensionList->length);
658 
659  //Fix PSK binder values in the PreSharedKey extension
660  error = tls13ComputePskBinders(context, message, *length, identityList,
661  binderList);
662  //Any error to report?
663  if(error)
664  return error;
665  }
666  else
667 #endif
668  {
669 #if (TLS_CLIENT_HELLO_PADDING_SUPPORT == ENABLED)
670  //Retrieve the actual length of the message
671  n = *length;
672 
673  //Any extensions included in the ClientHello message?
674  if(extensionList->length > 0)
675  n += sizeof(TlsExtensionList) + extensionList->length;
676 
677  //Add a padding extension to ensure the ClientHello is never between
678  //256 and 511 bytes in length
679  error = tlsFormatClientHelloPaddingExtension(context, n, p, &n);
680  //Any error to report?
681  if(error)
682  return error;
683 
684  //Fix the length of the extension list
685  extensionList->length += (uint16_t) n;
686  //Point to the next field
687  p += n;
688 #endif
689 
690  //Any extensions included in the ClientHello message?
691  if(extensionList->length > 0)
692  {
693  //Convert the length of the extension list to network byte order
694  extensionList->length = htons(extensionList->length);
695  //Total length of the message
696  *length += sizeof(TlsExtensionList) + htons(extensionList->length);
697  }
698  }
699 
700  //Successful processing
701  return NO_ERROR;
702 }
703 
704 
705 /**
706  * @brief Format ClientKeyExchange message
707  * @param[in] context Pointer to the TLS context
708  * @param[out] message Buffer where to format the ClientKeyExchange message
709  * @param[out] length Length of the resulting ClientKeyExchange message
710  * @return Error code
711  **/
712 
715 {
716  error_t error;
717  size_t n;
718  uint8_t *p;
719 
720  //Point to the beginning of the handshake message
721  p = message;
722  //Length of the handshake message
723  *length = 0;
724 
725 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
726  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
727  //PSK key exchange method?
728  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
729  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
730  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
731  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
732  {
733  //The client indicates which key to use by including a PSK identity
734  //in the ClientKeyExchange message
735  error = tlsFormatPskIdentity(context, p, &n);
736  //Any error to report?
737  if(error)
738  return error;
739 
740  //Advance data pointer
741  p += n;
742  //Adjust the length of the message
743  *length += n;
744  }
745 #endif
746 
747  //RSA, Diffie-Hellman or ECDH key exchange method?
748  if(context->keyExchMethod != TLS_KEY_EXCH_PSK)
749  {
750  //Format client's key exchange parameters
751  error = tlsFormatClientKeyParams(context, p, &n);
752  //Any error to report?
753  if(error)
754  return error;
755 
756  //Advance data pointer
757  p += n;
758  //Adjust the length of the message
759  *length += n;
760  }
761 
762 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
763  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
764  //PSK key exchange method?
765  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
766  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
767  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
768  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
769  {
770  //Invalid pre-shared key?
771  if(context->pskLen == 0)
773 
774  //Generate premaster secret
775  error = tlsGeneratePskPremasterSecret(context);
776  //Any error to report?
777  if(error)
778  return error;
779  }
780 #endif
781 
782  //Successful processing
783  return NO_ERROR;
784 }
785 
786 
787 /**
788  * @brief Parse HelloRequest message
789  *
790  * HelloRequest is a simple notification that the client should begin the
791  * negotiation process anew. In response, the client should send a ClientHello
792  * message when convenient
793  *
794  * @param[in] context Pointer to the TLS context
795  * @param[in] message Incoming HelloRequest message to parse
796  * @param[in] length Message length
797  * @return Error code
798  **/
799 
801  const TlsHelloRequest *message, size_t length)
802 {
803  error_t error;
804 
805  //Debug message
806  TRACE_INFO("HelloRequest message received (%" PRIuSIZE " bytes)...\r\n", length);
808 
809  //Check TLS version
810  if(context->version > TLS_VERSION_1_2)
812 
813  //The HelloRequest message does not contain any data
814  if(length != 0)
815  return ERROR_DECODING_FAILED;
816 
817  //Check current state
818  if(context->state == TLS_STATE_APPLICATION_DATA)
819  {
820 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
821  //Check whether the secure_renegociation flag is set
822  if(context->secureRenegoEnabled && context->secureRenegoFlag)
823  {
824  //HelloRequest is a simple notification that the client should begin
825  //the negotiation process anew
826  context->state = TLS_STATE_CLIENT_HELLO;
827 
828  //Continue processing
829  error = NO_ERROR;
830  }
831  else
832 #endif
833  {
834  //If the connection's secure_renegotiation flag is set to FALSE, it
835  //is recommended that clients refuse this renegotiation request (refer
836  //to RFC 5746, section 4.2)
837  error = tlsSendAlert(context, TLS_ALERT_LEVEL_FATAL,
839  }
840  }
841  else
842  {
843  //The HelloRequest message can be sent at any time but it should be
844  //ignored by the client if it arrives in the middle of a handshake
845  error = NO_ERROR;
846  }
847 
848  //Return status code
849  return error;
850 }
851 
852 
853 /**
854  * @brief Parse ServerHello message
855  *
856  * The server will send this message in response to a ClientHello
857  * message when it was able to find an acceptable set of algorithms.
858  * If it cannot find such a match, it will respond with a handshake
859  * failure alert
860  *
861  * @param[in] context Pointer to the TLS context
862  * @param[in] message Incoming ServerHello message to parse
863  * @param[in] length Message length
864  * @return Error code
865  **/
866 
868  const TlsServerHello *message, size_t length)
869 {
870  error_t error;
871  uint16_t cipherSuite;
872  uint8_t compressMethod;
873  const uint8_t *p;
875 
876  //Debug message
877  TRACE_INFO("ServerHello message received (%" PRIuSIZE " bytes)...\r\n", length);
879 
880  //Check current state
881  if(context->state != TLS_STATE_SERVER_HELLO &&
882  context->state != TLS_STATE_SERVER_HELLO_2 &&
883  context->state != TLS_STATE_SERVER_HELLO_3)
884  {
885  //Report an error
887  }
888 
889  //Check the length of the ServerHello message
890  if(length < sizeof(TlsServerHello))
891  return ERROR_DECODING_FAILED;
892 
893  //Point to the session ID
894  p = message->sessionId;
895  //Remaining bytes to process
896  length -= sizeof(TlsServerHello);
897 
898  //Check the length of the session ID
899  if(message->sessionIdLen > length)
900  return ERROR_DECODING_FAILED;
901  if(message->sessionIdLen > 32)
902  return ERROR_DECODING_FAILED;
903 
904  //Point to the next field
905  p += message->sessionIdLen;
906  //Remaining bytes to process
907  length -= message->sessionIdLen;
908 
909  //Malformed ServerHello message?
910  if(length < sizeof(uint16_t))
911  return ERROR_DECODING_FAILED;
912 
913  //Get the negotiated cipher suite
915  //Point to the next field
916  p += sizeof(uint16_t);
917  //Remaining bytes to process
918  length -= sizeof(uint16_t);
919 
920  //Malformed ServerHello message?
921  if(length < sizeof(uint8_t))
922  return ERROR_DECODING_FAILED;
923 
924  //Get the negotiated compression method
925  compressMethod = *p;
926  //Point to the next field
927  p += sizeof(uint8_t);
928  //Remaining bytes to process
929  length -= sizeof(uint8_t);
930 
931  //Server version
932  TRACE_INFO(" serverVersion = 0x%04" PRIX16 " (%s)\r\n",
933  ntohs(message->serverVersion),
934  tlsGetVersionName(ntohs(message->serverVersion)));
935 
936  //Server random value
937  TRACE_INFO(" random\r\n");
938  TRACE_INFO_ARRAY(" ", message->random, 32);
939 
940  //Session identifier
941  TRACE_INFO(" sessionId\r\n");
942  TRACE_INFO_ARRAY(" ", message->sessionId, message->sessionIdLen);
943 
944  //Cipher suite identifier
945  TRACE_INFO(" cipherSuite = 0x%04" PRIX16 " (%s)\r\n",
947 
948  //Compression method
949  TRACE_INFO(" compressMethod = 0x%02" PRIX8 "\r\n", compressMethod);
950 
951  //The CRIME exploit takes advantage of TLS compression, so conservative
952  //implementations do not accept compression at the TLS level
953  if(compressMethod != TLS_COMPRESSION_METHOD_NULL)
955 
956  //Parse the list of extensions offered by the server
958  &extensions);
959  //Any error to report?
960  if(error)
961  return error;
962 
963  //TLS protocol?
964  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM)
965  {
966  //Check whether the ServerHello message is received in response to
967  //the initial ClientHello
968  if(context->state != TLS_STATE_SERVER_HELLO_2)
969  {
970  //Release transcript hash context
971  tlsFreeTranscriptHash(context);
972 
973  //Format initial ClientHello message
974  error = tlsFormatInitialClientHello(context);
975  //Any error to report?
976  if(error)
977  return error;
978  }
979  }
980 
981  //Select TLS version
982  error = tlsSelectClientVersion(context, message, &extensions);
983  //TLS version not supported?
984  if(error)
985  return error;
986 
987  //Check the list of extensions offered by the server
988  error = tlsCheckHelloExtensions(TLS_TYPE_SERVER_HELLO, context->version,
989  &extensions);
990  //Any error to report?
991  if(error)
992  return error;
993 
994  //Save server random value
995  memcpy(context->serverRandom, message->random, 32);
996 
997 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
998  //SSL 3.0, TLS 1.0, TLS 1.1 or TLS 1.2 currently selected?
999  if(context->version <= TLS_VERSION_1_2)
1000  {
1001  //Reset the named group to its default value
1002  context->namedGroup = TLS_GROUP_NONE;
1003 
1004  //Check whether the server has decided to resume a previous session
1005  error = tlsResumeClientSession(context, message->sessionId,
1006  message->sessionIdLen, cipherSuite);
1007  //Any error to report?
1008  if(error)
1009  return error;
1010 
1011  //Set cipher suite
1012  error = tlsSelectCipherSuite(context, cipherSuite);
1013  //Specified cipher suite not supported?
1014  if(error)
1015  return error;
1016 
1017  //Initialize handshake message hashing
1018  error = tlsInitTranscriptHash(context);
1019  //Any error to report?
1020  if(error)
1021  return error;
1022 
1023  //Save session identifier
1024  memcpy(context->sessionId, message->sessionId, message->sessionIdLen);
1025  context->sessionIdLen = message->sessionIdLen;
1026 
1027 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
1028  //Parse RenegotiationInfo extension
1029  error = tlsParseServerRenegoInfoExtension(context, &extensions);
1030  //Any error to report?
1031  if(error)
1032  return error;
1033 #endif
1034 
1035 #if (TLS_SNI_SUPPORT == ENABLED)
1036  //When the server includes a ServerName extension, the data field of
1037  //this extension may be empty
1038  error = tlsParseServerSniExtension(context, extensions.serverNameList);
1039  //Any error to report?
1040  if(error)
1041  return error;
1042 #endif
1043 
1044 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
1045  //Servers that receive an ClientHello containing a MaxFragmentLength
1046  //extension may accept the requested maximum fragment length by including
1047  //an extension of type MaxFragmentLength in the ServerHello
1048  error = tlsParseServerMaxFragLenExtension(context, extensions.maxFragLen);
1049  //Any error to report?
1050  if(error)
1051  return error;
1052 #endif
1053 
1054 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
1055  //The value of RecordSizeLimit is the maximum size of record in octets
1056  //that the peer is willing to receive
1058  extensions.recordSizeLimit);
1059  //Any error to report?
1060  if(error)
1061  return error;
1062 #endif
1063 
1064 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
1065  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1066  //A server that selects an ECC cipher suite in response to a ClientHello
1067  //message including an EcPointFormats extension appends this extension
1068  //to its ServerHello message
1069  error = tlsParseServerEcPointFormatsExtension(context,
1070  extensions.ecPointFormatList);
1071  //Any error to report?
1072  if(error)
1073  return error;
1074 #endif
1075 
1076 #if (TLS_ALPN_SUPPORT == ENABLED)
1077  //Parse ALPN extension
1078  error = tlsParseServerAlpnExtension(context, extensions.protocolNameList);
1079  //Any error to report?
1080  if(error)
1081  return error;
1082 #endif
1083 
1084 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
1085  //Parse ClientCertType extension
1086  error = tlsParseClientCertTypeExtension(context, extensions.clientCertType);
1087  //Any error to report?
1088  if(error)
1089  return error;
1090 
1091  //Parse ServerCertType extension
1092  error = tlsParseServerCertTypeExtension(context, extensions.serverCertType);
1093  //Any error to report?
1094  if(error)
1095  return error;
1096 #endif
1097 
1098 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
1099  //Parse ExtendedMasterSecret extension
1100  error = tlsParseServerEmsExtension(context, extensions.extendedMasterSecret);
1101  //Any error to report?
1102  if(error)
1103  return error;
1104 #endif
1105 
1106 #if (TLS_SESSION_RESUME_SUPPORT == ENABLED)
1107  //Use abbreviated handshake?
1108  if(context->resume)
1109  {
1110  //Derive session keys from the master secret
1111  error = tlsGenerateSessionKeys(context);
1112  //Unable to generate key material?
1113  if(error)
1114  return error;
1115 
1116  //At this point, both client and server must send ChangeCipherSpec
1117  //messages and proceed directly to Finished messages
1118  context->state = TLS_STATE_SERVER_CHANGE_CIPHER_SPEC;
1119  }
1120  else
1121 #endif
1122  {
1123  //Perform a full handshake
1124  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1125  context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1126  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1127  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1128  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1129  {
1130  //The Certificate message is omitted from the server's response
1131  context->state = TLS_STATE_SERVER_KEY_EXCHANGE;
1132  }
1133  else
1134  {
1135  //The server is required to send a Certificate message
1136  context->state = TLS_STATE_SERVER_CERTIFICATE;
1137  }
1138  }
1139  }
1140  else
1141 #endif
1142 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1143  //TLS 1.3 currently selected?
1144  if(context->version == TLS_VERSION_1_3)
1145  {
1146  //A client which receives a legacy_session_id_echo field that does not
1147  //match what it sent in the ClientHello must abort the handshake with an
1148  //illegal_parameter alert (RFC 8446, section 4.1.3)
1149  if(message->sessionIdLen != context->sessionIdLen ||
1150  memcmp(message->sessionId, context->sessionId, message->sessionIdLen))
1151  {
1152  //The legacy_session_id_echo field is not valid
1153  return ERROR_ILLEGAL_PARAMETER;
1154  }
1155 
1156  //Check whether the ServerHello message is received in response to the
1157  //initial or the updated ClientHello
1158  if(context->state != TLS_STATE_SERVER_HELLO_2)
1159  {
1160  //Set cipher suite
1161  error = tlsSelectCipherSuite(context, cipherSuite);
1162  //Specified cipher suite not supported?
1163  if(error)
1164  return error;
1165 
1166  //Initialize handshake message hashing
1167  error = tlsInitTranscriptHash(context);
1168  //Any error to report?
1169  if(error)
1170  return error;
1171  }
1172  else
1173  {
1174  //Clients must check that the cipher suite supplied in the ServerHello
1175  //is the same as that in the HelloRetryRequest and otherwise abort the
1176  //handshake with an illegal_parameter alert
1177  if(cipherSuite != context->cipherSuite.identifier)
1178  return ERROR_ILLEGAL_PARAMETER;
1179  }
1180 
1181  //If using (EC)DHE key establishment, servers offer exactly one
1182  //KeyShareEntry in the ServerHello
1183  error = tls13ParseServerKeyShareExtension(context,
1184  extensions.serverShare);
1185  //Any error to report?
1186  if(error)
1187  return error;
1188 
1189  //The PreSharedKey extension contains the selected PSK identity
1190  error = tls13ParseServerPreSharedKeyExtension(context,
1191  extensions.selectedIdentity);
1192  //Any error to report?
1193  if(error)
1194  return error;
1195 
1196  //In TLS 1.3, the cipher suite concept has been changed. The key exchange
1197  //mechanism is negotiated separately from the cipher suite
1198  if(context->keyExchMethod == TLS_KEY_EXCH_NONE)
1199  return ERROR_HANDSHAKE_FAILED;
1200 
1201 #if (TLS13_MIDDLEBOX_COMPAT_SUPPORT == ENABLED)
1202  //The middlebox compatibility mode improves the chance of successfully
1203  //connecting through middleboxes
1204  if(context->state == TLS_STATE_SERVER_HELLO)
1205  {
1206  //In middlebox compatibility mode, the client sends a dummy
1207  //ChangeCipherSpec record immediately before its second flight
1208  context->state = TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC_2;
1209  }
1210  else
1211 #endif
1212  {
1213  //All handshake messages after the ServerHello are now encrypted
1214  context->state = TLS_STATE_HANDSHAKE_TRAFFIC_KEYS;
1215  }
1216  }
1217  else
1218 #endif
1219  //Invalid TLS version?
1220  {
1221  //Just for sanity
1222  return ERROR_INVALID_VERSION;
1223  }
1224 
1225  //Successful processing
1226  return NO_ERROR;
1227 }
1228 
1229 
1230 /**
1231  * @brief Parse ServerKeyExchange message
1232  *
1233  * The ServerKeyExchange message is sent by the server only when the
1234  * server Certificate message does not contain enough data to allow
1235  * the client to exchange a premaster secret
1236  *
1237  * @param[in] context Pointer to the TLS context
1238  * @param[in] message Incoming ServerKeyExchange message to parse
1239  * @param[in] length Message length
1240  * @return Error code
1241  **/
1242 
1244  const TlsServerKeyExchange *message, size_t length)
1245 {
1246  error_t error;
1247  size_t n;
1248  size_t paramsLen;
1249  const uint8_t *p;
1250  const uint8_t *params;
1251 
1252  //Initialize variables
1253  params = NULL;
1254  paramsLen = 0;
1255 
1256  //Debug message
1257  TRACE_INFO("ServerKeyExchange message received (%" PRIuSIZE " bytes)...\r\n", length);
1259 
1260  //Check TLS version
1261  if(context->version > TLS_VERSION_1_2)
1262  return ERROR_UNEXPECTED_MESSAGE;
1263 
1264  //Check current state
1265  if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE)
1266  return ERROR_UNEXPECTED_MESSAGE;
1267 
1268  //Point to the beginning of the handshake message
1269  p = message;
1270 
1271 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
1272  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1273  //PSK key exchange method?
1274  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1275  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
1276  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1277  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1278  {
1279  //To help the client in selecting which identity to use, the server
1280  //can provide a PSK identity hint in the ServerKeyExchange message
1281  error = tlsParsePskIdentityHint(context, p, length, &n);
1282  //Any error to report?
1283  if(error)
1284  return error;
1285 
1286  //Point to the next field
1287  p += n;
1288  //Remaining bytes to process
1289  length -= n;
1290  }
1291 #endif
1292 
1293  //Diffie-Hellman or ECDH key exchange method?
1294  if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1295  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1296  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1297  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1298  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1299  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1300  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
1301  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1302  {
1303  //Point to the server's key exchange parameters
1304  params = p;
1305 
1306  //Parse server's key exchange parameters
1307  error = tlsParseServerKeyParams(context, p, length, &paramsLen);
1308  //Any error to report?
1309  if(error)
1310  return error;
1311 
1312  //Point to the next field
1313  p += paramsLen;
1314  //Remaining bytes to process
1315  length -= paramsLen;
1316  }
1317 
1318  //For non-anonymous Diffie-Hellman and ECDH key exchanges, the signature
1319  //over the server's key exchange parameters shall be verified
1320  if(context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1321  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1322  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1323  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA)
1324  {
1325 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)
1326  //SSL 3.0, TLS 1.0 or TLS 1.1 currently selected?
1327  if(context->version <= TLS_VERSION_1_1)
1328  {
1329  //Signature verification
1330  error = tlsVerifyServerKeySignature(context,
1331  (TlsDigitalSignature *) p, length, params, paramsLen, &n);
1332  }
1333  else
1334 #endif
1335 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1336  //TLS 1.2 currently selected?
1337  if(context->version == TLS_VERSION_1_2)
1338  {
1339  //Signature verification
1340  error = tls12VerifyServerKeySignature(context,
1341  (Tls12DigitalSignature *) p, length, params, paramsLen, &n);
1342  }
1343  else
1344 #endif
1345  {
1346  //Report an error
1347  error = ERROR_INVALID_VERSION;
1348  }
1349 
1350  //Any error to report?
1351  if(error)
1352  return error;
1353 
1354  //Point to the next field
1355  p += n;
1356  //Remaining bytes to process
1357  length -= n;
1358  }
1359 
1360  //If the amount of data in the message does not precisely match the format
1361  //of the ServerKeyExchange message, then send a fatal alert
1362  if(length != 0)
1363  return ERROR_DECODING_FAILED;
1364 
1365  //Anomynous server?
1366  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1367  context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1368  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1369  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1370  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1371  {
1372  //An anonymous server cannot request client authentication
1373  context->state = TLS_STATE_SERVER_HELLO_DONE;
1374  }
1375  else
1376  {
1377  //A non-anonymous server can optionally request a certificate from
1378  //the client, if appropriate for the selected cipher suite
1379  context->state = TLS_STATE_CERTIFICATE_REQUEST;
1380  }
1381 
1382  //Successful processing
1383  return NO_ERROR;
1384 }
1385 
1386 
1387 /**
1388  * @brief Parse CertificateRequest message
1389  *
1390  * A server can optionally request a certificate from the client, if
1391  * appropriate for the selected cipher suite. This message will
1392  * immediately follow the ServerKeyExchange message
1393  *
1394  * @param[in] context Pointer to the TLS context
1395  * @param[in] message Incoming CertificateRequest message to parse
1396  * @param[in] length Message length
1397  * @return Error code
1398  **/
1399 
1401  const TlsCertificateRequest *message, size_t length)
1402 {
1403  error_t error;
1404  uint_t i;
1405  uint_t j;
1406  size_t n;
1407  uint_t certTypesLen;
1408  bool_t acceptable;
1409  const uint8_t *p;
1410  const uint8_t *certTypes;
1411  const TlsCertAuthorities *certAuthorities;
1412  const TlsSignHashAlgos *supportedSignAlgos;
1413  const TlsSignHashAlgos *supportedCertSignAlgos;
1414 
1415  //Debug message
1416  TRACE_INFO("CertificateRequest message received (%" PRIuSIZE " bytes)...\r\n", length);
1418 
1419  //Check key exchange method
1420  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1421  context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1422  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1423  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1424  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1425  {
1426  //It is a fatal handshake failure alert for an anonymous server to
1427  //request client authentication
1428  return ERROR_HANDSHAKE_FAILED;
1429  }
1430  else if(context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1431  {
1432  //If no PSK identity hint is provided by the server, then the
1433  //ServerKeyExchange message is omitted
1434  if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE &&
1435  context->state != TLS_STATE_CERTIFICATE_REQUEST)
1436  {
1437  //Handshake failure
1438  return ERROR_UNEXPECTED_MESSAGE;
1439  }
1440  }
1441  else if(context->keyExchMethod == TLS13_KEY_EXCH_PSK ||
1442  context->keyExchMethod == TLS13_KEY_EXCH_PSK_DHE ||
1443  context->keyExchMethod == TLS13_KEY_EXCH_PSK_ECDHE)
1444  {
1445  //Servers which are authenticating with a PSK must not send the
1446  //CertificateRequest message in the main handshake
1447  return ERROR_HANDSHAKE_FAILED;
1448  }
1449  else
1450  {
1451  //Check current state
1452  if(context->state != TLS_STATE_CERTIFICATE_REQUEST)
1453  return ERROR_UNEXPECTED_MESSAGE;
1454  }
1455 
1456  //The server requests a certificate from the client, so that connection
1457  //can be mutually authenticated
1458  context->clientCertRequested = TRUE;
1459 
1460  //Point to the beginning of the handshake message
1461  p = (uint8_t *) message;
1462 
1463 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1464  //Version of TLS prior to TLS 1.3?
1465  if(context->version <= TLS_VERSION_1_2)
1466  {
1467  //Check the length of the ServerKeyExchange message
1468  if(length < sizeof(TlsCertificateRequest))
1469  return ERROR_DECODING_FAILED;
1470 
1471  //Remaining bytes to process
1472  length -= sizeof(TlsCertificateRequest);
1473 
1474  //Retrieve the length of the list
1475  n = message->certificateTypesLen;
1476  //Malformed CertificateRequest message?
1477  if(n > length)
1478  return ERROR_DECODING_FAILED;
1479 
1480  //Point to the list of supported certificate types
1481  certTypes = message->certificateTypes;
1482  certTypesLen = message->certificateTypesLen;
1483 
1484  //Point to the next field
1485  p += sizeof(TlsCertificateRequest) + n;
1486  //Remaining bytes to process
1487  length -= n;
1488 
1489  //TLS 1.2 currently selected?
1490  if(context->version == TLS_VERSION_1_2)
1491  {
1492  //Malformed CertificateRequest message?
1493  if(length < sizeof(TlsSignHashAlgos))
1494  return ERROR_DECODING_FAILED;
1495 
1496  //Point to the list of the hash/signature algorithm pairs
1497  supportedSignAlgos = (TlsSignHashAlgos *) p;
1498  //Remaining bytes to process
1499  length -= sizeof(TlsSignHashAlgos);
1500 
1501  //Retrieve the length of the list
1502  n = ntohs(supportedSignAlgos->length);
1503  //Malformed CertificateRequest message?
1504  if(n > length)
1505  return ERROR_DECODING_FAILED;
1506 
1507  //The supported_signature_algorithms field cannot be emtpy (refer to
1508  //RFC 5246, section 7.4.4)
1509  if(n == 0)
1510  return ERROR_DECODING_FAILED;
1511  if((n % 2) != 0)
1512  return ERROR_DECODING_FAILED;
1513 
1514  //Point to the next field
1515  p += sizeof(TlsSignHashAlgos) + n;
1516  //Remaining bytes to process
1517  length -= n;
1518  }
1519  else
1520  {
1521  //Implementations prior to TLS 1.2 do not include a list of supported
1522  //hash/signature algorithm pairs
1523  supportedSignAlgos = NULL;
1524  }
1525 
1526  //List of signature algorithms that may appear in X.509 certificates
1527  supportedCertSignAlgos = supportedSignAlgos;
1528 
1529  //Malformed CertificateRequest message?
1530  if(length < sizeof(TlsCertAuthorities))
1531  return ERROR_DECODING_FAILED;
1532 
1533  //Point to the list of acceptable certificate authorities
1534  certAuthorities = (TlsCertAuthorities *) p;
1535  //Remaining bytes to process
1536  length -= sizeof(TlsCertAuthorities);
1537 
1538  //Retrieve the length of the list
1539  n = ntohs(certAuthorities->length);
1540  //Malformed CertificateRequest message?
1541  if(n != length)
1542  return ERROR_DECODING_FAILED;
1543  }
1544  else
1545 #endif
1546 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1547  //TLS 1.3 currently selected?
1548  if(context->version == TLS_VERSION_1_3)
1549  {
1551  const Tls13CertRequestContext *certRequestContext;
1552 
1553  //Unused parameters
1554  certTypes = NULL;
1555  certTypesLen = 0;
1556  certAuthorities = NULL;
1557 
1558  //Malformed CertificateRequest message?
1559  if(length < sizeof(Tls13CertRequestContext))
1560  return ERROR_DECODING_FAILED;
1561 
1562  //Point to the certificate_request_context field
1563  certRequestContext = (Tls13CertRequestContext *) p;
1564  //Remaining bytes to process
1565  length -= sizeof(Tls13CertRequestContext);
1566 
1567  //Retrieve the length of the field
1568  n = certRequestContext->length;
1569  //Malformed CertificateRequest message?
1570  if(n > length)
1571  return ERROR_DECODING_FAILED;
1572 
1573  //The certificate_request_context field shall be zero length unless
1574  //used for the post-handshake authentication exchange
1575  if(certRequestContext->length != 0)
1576  return ERROR_ILLEGAL_PARAMETER;
1577 
1578  //Point to the next field
1579  p += sizeof(Tls13CertRequestContext) + n;
1580  //Remaining bytes to process
1581  length -= n;
1582 
1583  //The extensions describe the parameters of the certificate being
1584  //requested
1586  length, &extensions);
1587  //Any error to report?
1588  if(error)
1589  return error;
1590 
1591  //Check the list of extensions offered by the server
1593  context->version, &extensions);
1594  //Any error to report?
1595  if(error)
1596  return error;
1597 
1598  //The SignatureAlgorithms extension must be specified (refer to RFC 8446,
1599  //section 4.3.2)
1600  if(extensions.signAlgoList == NULL)
1601  return ERROR_MISSING_EXTENSION;
1602 
1603  //Point to the list of the hash/signature algorithm pairs that
1604  //the server is able to verify
1605  supportedSignAlgos = extensions.signAlgoList;
1606 
1607  //If no SignatureAlgorithmsCert extension is present, then the
1608  //SignatureAlgorithms extension also applies to signatures appearing
1609  //in certificates (RFC 8446, section 4.2.3)
1610  if(extensions.certSignAlgoList != NULL)
1611  supportedCertSignAlgos = extensions.certSignAlgoList;
1612  else
1613  supportedCertSignAlgos = extensions.signAlgoList;
1614  }
1615  else
1616 #endif
1617  //Invalid TLS version?
1618  {
1619  //Report an error
1620  return ERROR_INVALID_VERSION;
1621  }
1622 
1623  //No suitable certificate has been found for the moment
1624  context->cert = NULL;
1625  acceptable = FALSE;
1626 
1627  //Select the most appropriate certificate (2-pass process)
1628  for(i = 0; i < 2 && !acceptable; i++)
1629  {
1630  //Loop through the list of available certificates
1631  for(j = 0; j < context->numCerts && !acceptable; j++)
1632  {
1633  //Check whether the current certificate is suitable
1634  acceptable = tlsIsCertificateAcceptable(context, &context->certs[j],
1635  certTypes, certTypesLen, supportedSignAlgos, supportedCertSignAlgos,
1636  NULL, certAuthorities);
1637 
1638  //TLS 1.2 and TLS 1.3 require additional examinations
1639  if(acceptable && context->version >= TLS_VERSION_1_2)
1640  {
1641  //The hash and signature algorithms used in the signature of the
1642  //CertificateVerify message must be one of those present in the
1643  //SupportedSignatureAlgorithms field
1644  error = tlsSelectSignatureScheme(context, &context->certs[j],
1645  supportedSignAlgos);
1646 
1647  //Check status code
1648  if(error)
1649  {
1650  acceptable = FALSE;
1651  }
1652  }
1653 
1654  //If all the requirements were met, the certificate can be used
1655  if(acceptable)
1656  {
1657  context->cert = &context->certs[j];
1658  }
1659  }
1660 
1661  //The second pass relaxes the constraints
1662  supportedCertSignAlgos = NULL;
1663  certAuthorities = NULL;
1664  }
1665 
1666  //Version of TLS prior to TLS 1.3?
1667  if(context->version <= TLS_VERSION_1_2)
1668  {
1669  //Wait for a ServerHelloDone message
1670  context->state = TLS_STATE_SERVER_HELLO_DONE;
1671  }
1672  else
1673  {
1674  //Wait for a Certificate message
1675  context->state = TLS_STATE_SERVER_CERTIFICATE;
1676  }
1677 
1678  //Successful processing
1679  return NO_ERROR;
1680 }
1681 
1682 
1683 /**
1684  * @brief Parse ServerHelloDone message
1685  *
1686  * The ServerHelloDone message is sent by the server to indicate the
1687  * end of the ServerHello and associated messages. After sending this
1688  * message, the server will wait for a client response
1689  *
1690  * @param[in] context Pointer to the TLS context
1691  * @param[in] message Incoming ServerHelloDone message to parse
1692  * @param[in] length Message length
1693  * @return Error code
1694  **/
1695 
1697  const TlsServerHelloDone *message, size_t length)
1698 {
1699  //Debug message
1700  TRACE_INFO("ServerHelloDone message received (%" PRIuSIZE " bytes)...\r\n", length);
1702 
1703  //Check TLS version
1704  if(context->version > TLS_VERSION_1_2)
1705  return ERROR_UNEXPECTED_MESSAGE;
1706 
1707  //Check key exchange method
1708  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
1709  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1710  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1711  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1712  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA)
1713  {
1714  //The server may omit the CertificateRequest message and go
1715  //directly to the ServerHelloDone message
1716  if(context->state != TLS_STATE_CERTIFICATE_REQUEST &&
1717  context->state != TLS_STATE_SERVER_HELLO_DONE)
1718  {
1719  //Handshake failure
1720  return ERROR_UNEXPECTED_MESSAGE;
1721  }
1722  }
1723  else if(context->keyExchMethod == TLS_KEY_EXCH_PSK)
1724  {
1725  //If no PSK identity hint is provided by the server, the
1726  //ServerKeyExchange message is omitted
1727  if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE &&
1728  context->state != TLS_STATE_SERVER_HELLO_DONE)
1729  {
1730  //Handshake failure
1731  return ERROR_UNEXPECTED_MESSAGE;
1732  }
1733  }
1734  else if(context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1735  {
1736  //The server may omit the ServerKeyExchange message and/or
1737  //the CertificateRequest message
1738  if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE &&
1739  context->state != TLS_STATE_CERTIFICATE_REQUEST &&
1740  context->state != TLS_STATE_SERVER_HELLO_DONE)
1741  {
1742  //Handshake failure
1743  return ERROR_UNEXPECTED_MESSAGE;
1744  }
1745  }
1746  else
1747  {
1748  //Check current state
1749  if(context->state != TLS_STATE_SERVER_HELLO_DONE)
1750  return ERROR_UNEXPECTED_MESSAGE;
1751  }
1752 
1753  //The ServerHelloDone message does not contain any data
1754  if(length != 0)
1755  return ERROR_DECODING_FAILED;
1756 
1757  //The client must send a Certificate message if the server requests it
1758  context->state = TLS_STATE_CLIENT_CERTIFICATE;
1759 
1760  //Successful processing
1761  return NO_ERROR;
1762 }
1763 
1764 #endif
@ TLS13_KEY_EXCH_PSK
Definition: tls.h:1047
error_t tlsParseHelloRequest(TlsContext *context, const TlsHelloRequest *message, size_t length)
Parse HelloRequest message.
Definition: tls_client.c:800
#define htons(value)
Definition: cpu_endian.h:392
DTLS (Datagram Transport Layer Security)
Parsing and checking of TLS extensions.
error_t tls13ParseServerPreSharedKeyExtension(TlsContext *context, const uint8_t *selectedIdentity)
TLS helper functions.
#define TRACE_INFO_ARRAY(p, a, n)
Definition: debug.h:95
bool_t tlsIsCertificateAcceptable(TlsContext *context, const TlsCertDesc *cert, const uint8_t *certTypes, size_t numCertTypes, const TlsSignHashAlgos *signHashAlgos, const TlsSignHashAlgos *certSignHashAlgos, const TlsSupportedGroupList *curveList, const TlsCertAuthorities *certAuthorities)
Check whether a certificate is acceptable.
uint8_t length
Definition: dtls_misc.h:149
Date and time management.
__start_packed struct @95 Tls13PskIdentityList
List of PSK identities.
int bool_t
Definition: compiler_port.h:49
__start_packed struct @82 Tls12DigitalSignature
Digitally-signed element (TLS 1.2)
TLS cipher suites.
__start_packed struct @69 TlsExtensionList
List of TLS extensions.
@ TLS_ALERT_NO_RENEGOTIATION
Definition: tls.h:996
@ ERROR_WOULD_BLOCK
Definition: error.h:95
void TlsServerHelloDone
ServerHelloDone message.
Definition: tls.h:1662
@ TLS13_KEY_EXCH_PSK_DHE
Definition: tls.h:1048
error_t tlsFormatClientSupportedVersionsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SupportedVersions extension.
Key material generation.
TLS handshake.
@ TLS_STATE_SERVER_KEY_EXCHANGE
Definition: tls.h:1301
error_t tlsGeneratePskPremasterSecret(TlsContext *context)
Premaster secret generation (for PSK cipher suites)
@ TLS_COMPRESSION_METHOD_NULL
Definition: tls.h:1015
error_t tlsVerifyServerKeySignature(TlsContext *context, const TlsDigitalSignature *signature, size_t length, const uint8_t *params, size_t paramsLen, size_t *consumed)
Verify server's key exchange parameters signature (SSL 3.0, TLS 1.0 and TLS 1.1)
error_t tls13GenerateKeyShare(TlsContext *context, uint16_t namedGroup)
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:237
RSA/DSA/ECDSA/EdDSA signature generation and verification.
@ ERROR_UNEXPECTED_MESSAGE
Definition: error.h:192
__start_packed struct @97 Tls13PskBinderList
List of PSK binders.
error_t tlsSelectSignatureScheme(TlsContext *context, const TlsCertDesc *cert, const TlsSignHashAlgos *supportedSignAlgos)
Select the algorithm to be used when generating digital signatures.
Definition: tls_signature.c:60
uint8_t p
Definition: ndp.h:298
Helper functions for TLS client.
error_t tlsParseServerRecordSizeLimitExtension(TlsContext *context, const uint8_t *recordSizeLimit)
Parse RecordSizeLimit extension.
#define TRUE
Definition: os_port.h:50
error_t tlsFormatClientEcPointFormatsExtension(TlsContext *context, uint_t cipherSuiteTypes, uint8_t *p, size_t *written)
Format EcPointFormats extension.
@ TLS_STATE_CERTIFICATE_REQUEST
Definition: tls.h:1303
error_t tlsFormatClientKeyExchange(TlsContext *context, TlsClientKeyExchange *message, size_t *length)
Format ClientKeyExchange message.
Definition: tls_client.c:713
@ TLS_TRANSPORT_PROTOCOL_DATAGRAM
Definition: tls.h:851
error_t tls13FormatClientEarlyDataExtension(TlsContext *context, uint8_t *p, size_t *written)
__start_packed struct @81 TlsDigitalSignature
Digitally-signed element (SSL 3.0, TLS 1.0 and TLS 1.1)
error_t tlsParseServerCertTypeExtension(TlsContext *context, const uint8_t *serverCertType)
Parse ServerCertType extension.
@ TLS_STATE_APPLICATION_DATA
Definition: tls.h:1319
error_t tlsFormatClientKeyParams(TlsContext *context, uint8_t *p, size_t *written)
Format client's key exchange parameters.
@ ERROR_HANDSHAKE_FAILED
Definition: error.h:228
error_t tlsFormatSessionId(TlsContext *context, uint8_t *p, size_t *written)
Format session ID.
error_t tlsParseServerSniExtension(TlsContext *context, const TlsServerNameList *serverNameList)
Parse SNI extension.
error_t tls13ParseServerKeyShareExtension(TlsContext *context, const Tls13KeyShareEntry *serverShare)
error_t tlsParseServerEmsExtension(TlsContext *context, const uint8_t *extendedMasterSecret)
Parse ExtendedMasterSecret extension.
@ ERROR_INVALID_VERSION
Definition: error.h:116
error_t tlsFormatCipherSuites(TlsContext *context, uint_t *cipherSuiteTypes, uint8_t *p, size_t *written)
Format the list of cipher suites supported by the client.
error_t tlsSendHandshakeMessage(TlsContext *context, const void *data, size_t length, TlsMessageType type)
Send handshake message.
error_t tlsParsePskIdentityHint(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse PSK identity hint.
error_t tlsFormatClientSniExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SNI extension.
@ TLS_STATE_CLIENT_HELLO
Definition: tls.h:1290
@ TLS_KEY_EXCH_RSA
Definition: tls.h:1027
@ TLS_STATE_SERVER_HELLO
Definition: tls.h:1295
error_t tlsFormatSignatureAlgorithmsExtension(TlsContext *context, uint_t cipherSuiteTypes, uint8_t *p, size_t *written)
Format SignatureAlgorithms extension.
Definition: tls_common.c:795
@ TLS_KEY_EXCH_ECDHE_ECDSA
Definition: tls.h:1036
@ TLS_KEY_EXCH_ECDHE_RSA
Definition: tls.h:1034
#define FALSE
Definition: os_port.h:46
@ TLS_KEY_EXCH_ECDH_ANON
Definition: tls.h:1037
bool_t tls13IsGroupSupported(TlsContext *context, uint16_t namedGroup)
error_t tlsSendAlert(TlsContext *context, uint8_t level, uint8_t description)
Send Alert message.
Definition: tls_common.c:480
PEM file import functions.
__start_packed struct @65 TlsSignHashAlgos
List of signature algorithms.
#define TlsContext
Definition: tls.h:36
error_t
Error codes.
Definition: error.h:42
DTLS record protocol.
error_t tlsSendClientKeyExchange(TlsContext *context)
Send ClientKeyExchange message.
Definition: tls_client.c:233
error_t tlsFormatClientRenegoInfoExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RenegotiationInfo extension.
void tlsFreeEncryptionEngine(TlsEncryptionEngine *encryptionEngine)
Release encryption engine.
Definition: tls_misc.c:592
#define TLS_VERSION_1_2
Definition: tls.h:94
@ TLS_GROUP_NONE
Definition: tls.h:1207
@ TLS_KEY_EXCH_DH_ANON
Definition: tls.h:1032
error_t tlsSelectCipherSuite(TlsContext *context, uint16_t identifier)
Set cipher suite.
Definition: tls_misc.c:253
error_t tlsParseHelloExtensions(TlsMessageType msgType, const uint8_t *p, size_t length, TlsHelloExtensions *extensions)
Parse Hello extensions.
@ TLS_TYPE_CLIENT_HELLO
Definition: tls.h:933
error_t tlsSelectClientVersion(TlsContext *context, const TlsServerHello *message, const TlsHelloExtensions *extensions)
Version selection.
Helper functions for TLS 1.3 client.
@ ERROR_MISSING_EXTENSION
Definition: error.h:238
#define TLS_VERSION_1_3
Definition: tls.h:95
@ TLS_TYPE_SERVER_HELLO
Definition: tls.h:934
Handshake message processing (TLS client and server)
__start_packed struct @67 TlsCertAuthorities
List of certificate authorities.
@ ERROR_INVALID_KEY_LENGTH
Definition: error.h:105
TLS record protocol.
@ TLS_STATE_CLIENT_CERTIFICATE_VERIFY
Definition: tls.h:1307
@ TLS_STATE_SERVER_CHANGE_CIPHER_SPEC
Definition: tls.h:1312
error_t tlsFormatClientAlpnExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ALPN extension.
@ TLS_STATE_SERVER_HELLO_3
Definition: tls.h:1297
error_t tlsParseServerEcPointFormatsExtension(TlsContext *context, const TlsEcPointFormatList *ecPointFormatList)
Parse EcPointFormats extension.
error_t tlsFormatInitialClientHello(TlsContext *context)
Format initial ClientHello message.
error_t tls13FormatCookieExtension(TlsContext *context, uint8_t *p, size_t *written)
#define TRACE_INFO(...)
Definition: debug.h:94
#define MIN(a, b)
Definition: os_port.h:62
@ TLS_TYPE_CLIENT_KEY_EXCHANGE
Definition: tls.h:945
@ TLS_KEY_EXCH_DHE_PSK
Definition: tls.h:1040
uint16_t dtlsTranslateVersion(uint16_t version)
Translate TLS version into DTLS version.
Definition: dtls_misc.c:113
error_t tls13FormatClientPreSharedKeyExtension(TlsContext *context, uint8_t *p, size_t *written, Tls13PskIdentityList **identityList, Tls13PskBinderList **binderList)
error_t tlsFormatSupportedGroupsExtension(TlsContext *context, uint_t cipherSuiteTypes, uint8_t *p, size_t *written)
Format SupportedGroups extension.
Hello extensions.
Definition: tls.h:1894
error_t tls12VerifyServerKeySignature(TlsContext *context, const Tls12DigitalSignature *signature, size_t length, const uint8_t *params, size_t paramsLen, size_t *consumed)
Verify server's key exchange parameters signature (TLS 1.2)
Transcript hash calculation.
error_t tls13FormatPskKeModesExtension(TlsContext *context, uint8_t *p, size_t *written)
@ TLS_STATE_HANDSHAKE_TRAFFIC_KEYS
Definition: tls.h:1298
@ TLS_KEY_EXCH_RSA_PSK
Definition: tls.h:1039
__start_packed struct @85 TlsClientHello
ClientHello message.
Formatting and parsing of extensions (TLS client)
#define ntohs(value)
Definition: cpu_endian.h:398
error_t tlsFormatClientHelloPaddingExtension(TlsContext *context, size_t clientHelloLen, uint8_t *p, size_t *written)
Format ClientHello Padding extension.
__start_packed struct @87 TlsCertificateRequest
CertificateRequest message.
@ ERROR_TIMEOUT
Definition: error.h:94
__start_packed struct @98 Tls13CertRequestContext
Certificate request context.
#define TLS_VERSION_1_1
Definition: tls.h:93
@ TLS_KEY_EXCH_NONE
Definition: tls.h:1026
@ TLS13_KEY_EXCH_PSK_ECDHE
Definition: tls.h:1049
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:107
const char_t * tlsGetCipherSuiteName(uint16_t identifier)
Convert cipher suite identifier to string representation.
void TlsClientKeyExchange
ClientKeyExchange message.
Definition: tls.h:1669
@ TLS_STATE_SERVER_CERTIFICATE
Definition: tls.h:1300
error_t tlsParseClientCertTypeExtension(TlsContext *context, const uint8_t *clientCertType)
Parse ClientCertType extension.
@ TLS_ALERT_LEVEL_FATAL
Definition: tls.h:962
uint8_t n
uint8_t extensions[]
Definition: tls13_misc.h:327
uint16_t cipherSuite
Cipher suite identifier.
Definition: tls13_misc.h:372
void TlsHelloRequest
HelloRequest message.
Definition: tls.h:1604
@ TLS_STATE_CLIENT_CERTIFICATE
Definition: tls.h:1305
@ TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC_2
Definition: tls.h:1309
error_t tlsFormatClientEmsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ExtendedMasterSecret extension.
__start_packed struct @86 TlsServerHello
ServerHello message.
@ TLS_KEY_EXCH_PSK
Definition: tls.h:1038
error_t tlsInitTranscriptHash(TlsContext *context)
Initialize handshake message hashing.
error_t tlsFormatSignatureAlgorithmsCertExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SignatureAlgorithmsCert extension.
Definition: tls_common.c:1001
@ TLS_KEY_EXCH_ECDHE_PSK
Definition: tls.h:1041
error_t tlsParseServerHelloDone(TlsContext *context, const TlsServerHelloDone *message, size_t length)
Parse ServerHelloDone message.
Definition: tls_client.c:1696
error_t tlsResumeClientSession(TlsContext *context, const uint8_t *sessionId, size_t sessionIdLen, uint16_t cipherSuite)
Resume TLS session via session ID.
Certificate handling.
Formatting and parsing of extensions (TLS 1.3 client)
uint8_t message[]
Definition: chap.h:152
error_t tlsParseServerHello(TlsContext *context, const TlsServerHello *message, size_t length)
Parse ServerHello message.
Definition: tls_client.c:867
error_t tlsFormatClientCertTypeListExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ClientCertType extension.
error_t tls13ComputePskBinders(TlsContext *context, const void *clientHello, size_t clientHelloLen, const Tls13PskIdentityList *identityList, Tls13PskBinderList *binderList)
@ TLS_TYPE_CERTIFICATE_REQUEST
Definition: tls.h:942
error_t tls13FormatClientKeyShareExtension(TlsContext *context, uint8_t *p, size_t *written)
TLS (Transport Layer Security)
@ TLS_KEY_EXCH_DHE_DSS
Definition: tls.h:1031
error_t tlsParseCertificateRequest(TlsContext *context, const TlsCertificateRequest *message, size_t length)
Parse CertificateRequest message.
Definition: tls_client.c:1400
@ TLS_TRANSPORT_PROTOCOL_STREAM
Definition: tls.h:850
error_t tlsCheckHelloExtensions(TlsMessageType msgType, uint16_t version, TlsHelloExtensions *extensions)
Check Hello extensions.
error_t tlsParseServerRenegoInfoExtension(TlsContext *context, const TlsHelloExtensions *extensions)
Parse RenegotiationInfo extension.
error_t tlsFormatClientRecordSizeLimitExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RecordSizeLimit extension.
error_t tlsParseServerKeyParams(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse server's key exchange parameters.
error_t tlsParseServerAlpnExtension(TlsContext *context, const TlsProtocolNameList *protocolNameList)
Parse ALPN extension.
error_t tlsSendClientHello(TlsContext *context)
Send ClientHello message.
Definition: tls_client.c:82
error_t tlsGenerateSessionKeys(TlsContext *context)
Generate session keys.
const char_t * tlsGetVersionName(uint16_t version)
Convert TLS version to string representation.
Definition: tls_misc.c:788
error_t tlsFormatServerCertTypeListExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ServerCertType extension.
@ ERROR_DECODING_FAILED
Definition: error.h:235
error_t tlsFormatPskIdentity(TlsContext *context, uint8_t *p, size_t *written)
Format PSK identity.
#define PRIuSIZE
Definition: compiler_port.h:78
unsigned int uint_t
Definition: compiler_port.h:45
#define LOAD16BE(p)
Definition: cpu_endian.h:170
Handshake message processing (TLS client)
@ TLS_STATE_SERVER_HELLO_DONE
Definition: tls.h:1304
@ TLS_STATE_SERVER_HELLO_2
Definition: tls.h:1296
error_t tlsParseServerMaxFragLenExtension(TlsContext *context, const uint8_t *maxFragLen)
Parse MaxFragmentLength extension.
error_t tlsGenerateRandomValue(TlsContext *context, uint8_t *random)
Generate client or server random value.
Definition: tls_misc.c:164
Handshake message processing (TLS 1.3 client)
error_t dtlsFormatCookie(TlsContext *context, uint8_t *p, size_t *written)
Format Cookie field.
Definition: dtls_misc.c:140
@ TLS_KEY_EXCH_DHE_RSA
Definition: tls.h:1029
error_t tlsParseServerKeyExchange(TlsContext *context, const TlsServerKeyExchange *message, size_t length)
Parse ServerKeyExchange message.
Definition: tls_client.c:1243
void TlsServerKeyExchange
ServerKeyExchange message.
Definition: tls.h:1644
@ NO_ERROR
Success.
Definition: error.h:44
Debugging facilities.
error_t tlsFormatClientHello(TlsContext *context, TlsClientHello *message, size_t *length)
Format ClientHello message.
Definition: tls_client.c:284
void tlsFreeTranscriptHash(TlsContext *context)
Release transcript hash context.
error_t tlsFormatCompressMethods(TlsContext *context, uint8_t *p, size_t *written)
Format the list of compression methods supported by the client.
error_t tlsFormatClientMaxFragLenExtension(TlsContext *context, uint8_t *p, size_t *written)
Format MaxFragmentLength extension.
systime_t osGetSystemTime(void)
Retrieve system time.