tls_common.c
Go to the documentation of this file.
1 /**
2  * @file tls_common.c
3  * @brief Handshake message processing (TLS client and server)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 1.9.6
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include <string.h>
36 #include "tls.h"
37 #include "tls_cipher_suites.h"
38 #include "tls_handshake.h"
39 #include "tls_client.h"
40 #include "tls_server.h"
41 #include "tls_common.h"
42 #include "tls_certificate.h"
43 #include "tls_signature.h"
44 #include "tls_transcript_hash.h"
45 #include "tls_cache.h"
46 #include "tls_record.h"
47 #include "tls_misc.h"
48 #include "dtls_record.h"
49 #include "pkix/x509_common.h"
50 #include "debug.h"
51 
52 //Check TLS library configuration
53 #if (TLS_SUPPORT == ENABLED)
54 
55 
56 /**
57  * @brief Send Certificate message
58  * @param[in] context Pointer to the TLS context
59  * @return Error code
60  **/
61 
63 {
64  error_t error;
65  size_t length;
67 
68  //Initialize status code
69  error = NO_ERROR;
70 
71  //Point to the buffer where to format the message
72  message = (TlsCertificate *) (context->txBuffer + context->txBufferLen);
73 
74 #if (TLS_CLIENT_SUPPORT == ENABLED)
75  //Client mode?
76  if(context->entity == TLS_CONNECTION_END_CLIENT)
77  {
78  //The client must send a Certificate message if the server requests it
79  if(context->clientCertRequested)
80  {
81 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= SSL_VERSION_3_0)
82  //No suitable certificate available?
83  if(context->cert == NULL && context->version == SSL_VERSION_3_0)
84  {
85  //The client should send a no_certificate alert instead
86  error = tlsSendAlert(context, TLS_ALERT_LEVEL_WARNING,
88  }
89  else
90 #endif
91  {
92  //Format Certificate message
93  error = tlsFormatCertificate(context, message, &length);
94 
95  //Check status code
96  if(!error)
97  {
98  //Debug message
99  TRACE_INFO("Sending Certificate message (%" PRIuSIZE " bytes)...\r\n", length);
101 
102  //Send handshake message
103  error = tlsSendHandshakeMessage(context, message, length,
105  }
106  }
107  }
108  }
109  else
110 #endif
111 #if (TLS_SERVER_SUPPORT == ENABLED)
112  //Server mode?
113  if(context->entity == TLS_CONNECTION_END_SERVER)
114  {
115  //The server must send a Certificate message whenever the agreed-upon
116  //key exchange method uses certificates for authentication
117  if(context->cert != NULL)
118  {
119  //Format Certificate message
120  error = tlsFormatCertificate(context, message, &length);
121 
122  //Check status code
123  if(!error)
124  {
125  //Debug message
126  TRACE_INFO("Sending Certificate message (%" PRIuSIZE " bytes)...\r\n", length);
128 
129  //Send handshake message
130  error = tlsSendHandshakeMessage(context, message, length,
132  }
133  }
134  }
135  else
136 #endif
137  //Unsupported mode of operation?
138  {
139  //Report an error
140  error = ERROR_FAILURE;
141  }
142 
143  //Check status code
144  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
145  {
146  //Version of TLS prior to TLS 1.3?
147  if(context->version <= TLS_VERSION_1_2)
148  {
149  //Check whether TLS operates as a client or a server
150  if(context->entity == TLS_CONNECTION_END_CLIENT)
151  context->state = TLS_STATE_CLIENT_KEY_EXCHANGE;
152  else
153  context->state = TLS_STATE_SERVER_KEY_EXCHANGE;
154  }
155  else
156  {
157  //Check whether TLS operates as a client or a server
158  if(context->entity == TLS_CONNECTION_END_CLIENT)
159  {
160  //Clients must send a CertificateVerify message whenever
161  //authenticating via a certificate
162  if(context->clientCertRequested)
163  context->state = TLS_STATE_CLIENT_CERTIFICATE_VERIFY;
164  else
165  context->state = TLS_STATE_CLIENT_FINISHED;
166  }
167  else
168  {
169  //Servers must send a CertificateVerify message whenever
170  //authenticating via a certificate
171  context->state = TLS_STATE_SERVER_CERTIFICATE_VERIFY;
172  }
173  }
174  }
175 
176  //Return status code
177  return error;
178 }
179 
180 
181 /**
182  * @brief Send CertificateVerify message
183  *
184  * The CertificateVerify message is used to provide explicit verification
185  * of a client certificate. This message is only sent following a client
186  * certificate that has signing capability
187  *
188  * @param[in] context Pointer to the TLS context
189  * @return Error code
190  **/
191 
193 {
194  error_t error;
195  size_t length;
197 
198  //Initialize status code
199  error = NO_ERROR;
200 
201  //The CertificateVerify message is only sent following a client certificate
202  //that has signing capability
203  if(context->cert != NULL)
204  {
205  //Check certificate type
206  if(context->cert->type == TLS_CERT_RSA_SIGN ||
207  context->cert->type == TLS_CERT_RSA_PSS_SIGN ||
208  context->cert->type == TLS_CERT_DSS_SIGN ||
209  context->cert->type == TLS_CERT_ECDSA_SIGN ||
210  context->cert->type == TLS_CERT_ED25519_SIGN ||
211  context->cert->type == TLS_CERT_ED448_SIGN)
212  {
213  //Point to the buffer where to format the message
214  message = (TlsCertificateVerify *) (context->txBuffer + context->txBufferLen);
215 
216  //Format CertificateVerify message
217  error = tlsFormatCertificateVerify(context, message, &length);
218 
219  //Check status code
220  if(!error)
221  {
222  //Debug message
223  TRACE_INFO("Sending CertificateVerify message (%" PRIuSIZE " bytes)...\r\n", length);
225 
226  //Send handshake message
227  error = tlsSendHandshakeMessage(context, message, length,
229  }
230  }
231  }
232 
233  //Check status code
234  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
235  {
236  //Version of TLS prior to TLS 1.3?
237  if(context->version <= TLS_VERSION_1_2)
238  {
239  //Send a ChangeCipherSpec message to the server
240  context->state = TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC;
241  }
242  else
243  {
244  //Send a Finished message to the peer
245  if(context->entity == TLS_CONNECTION_END_CLIENT)
246  context->state = TLS_STATE_CLIENT_FINISHED;
247  else
248  context->state = TLS_STATE_SERVER_FINISHED;
249  }
250  }
251 
252  //Return status code
253  return error;
254 }
255 
256 
257 /**
258  * @brief Send ChangeCipherSpec message
259  *
260  * The change cipher spec message is sent by both the client and the
261  * server to notify the receiving party that subsequent records will be
262  * protected under the newly negotiated CipherSpec and keys
263  *
264  * @param[in] context Pointer to the TLS context
265  * @return Error code
266  **/
267 
269 {
270  error_t error;
271  size_t length;
273 
274  //Point to the buffer where to format the message
275  message = (TlsChangeCipherSpec *) (context->txBuffer + context->txBufferLen);
276 
277  //Format ChangeCipherSpec message
278  error = tlsFormatChangeCipherSpec(context, message, &length);
279 
280  //Check status code
281  if(!error)
282  {
283  //Debug message
284  TRACE_INFO("Sending ChangeCipherSpec message (%" PRIuSIZE " bytes)...\r\n", length);
286 
287 #if (DTLS_SUPPORT == ENABLED)
288  //DTLS protocol?
289  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
290  {
291  //Send ChangeCipherSpec message
292  error = dtlsWriteProtocolData(context, (uint8_t *) message,
294  }
295  else
296 #endif
297  //TLS protocol?
298  {
299  //Send ChangeCipherSpec message
300  error = tlsWriteProtocolData(context, (uint8_t *) message,
302  }
303  }
304 
305  //Check status code
306  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
307  {
308  //Version of TLS prior to TLS 1.3?
309  if(context->version <= TLS_VERSION_1_2)
310  {
311 #if (DTLS_SUPPORT == ENABLED)
312  //Release previous encryption engine first
313  tlsFreeEncryptionEngine(&context->prevEncryptionEngine);
314 
315  //Save current encryption engine for later use
316  context->prevEncryptionEngine = context->encryptionEngine;
317  //Clear current encryption engine
318  memset(&context->encryptionEngine, 0, sizeof(TlsEncryptionEngine));
319 #else
320  //Release encryption engine first
321  tlsFreeEncryptionEngine(&context->encryptionEngine);
322 #endif
323 
324  //Inform the record layer that subsequent records will be protected
325  //under the newly negotiated encryption algorithm
326  error = tlsInitEncryptionEngine(context, &context->encryptionEngine,
327  context->entity, NULL);
328 
329  //Check status code
330  if(!error)
331  {
332  //Send a Finished message to the peer
333  if(context->entity == TLS_CONNECTION_END_CLIENT)
334  context->state = TLS_STATE_CLIENT_FINISHED;
335  else
336  context->state = TLS_STATE_SERVER_FINISHED;
337  }
338  }
339  else
340  {
341 #if (TLS13_MIDDLEBOX_COMPAT_SUPPORT == ENABLED)
342  //The middlebox compatibility mode improves the chance of successfully
343  //connecting through middleboxes
344  if(context->state == TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC ||
345  context->state == TLS_STATE_SERVER_CHANGE_CIPHER_SPEC_2)
346  {
347  //The client can send its second flight
348  context->state = TLS_STATE_CLIENT_HELLO_2;
349  }
350  else if(context->state == TLS_STATE_SERVER_CHANGE_CIPHER_SPEC ||
351  context->state == TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC_2)
352  {
353  //All handshake messages after the ServerHello are now encrypted
354  context->state = TLS_STATE_HANDSHAKE_TRAFFIC_KEYS;
355  }
356  else
357 #endif
358  {
359  //Middlebox compatibility mode is not implemented
360  error = ERROR_UNEXPECTED_STATE;
361  }
362  }
363  }
364 
365  //Return status code
366  return error;
367 }
368 
369 
370 /**
371  * @brief Send Finished message
372  *
373  * A Finished message is always sent immediately after a change
374  * cipher spec message to verify that the key exchange and
375  * authentication processes were successful. It is essential that a
376  * change cipher spec message be received between the other handshake
377  * messages and the Finished message
378  *
379  * @param[in] context Pointer to the TLS context
380  * @return Error code
381  **/
382 
384 {
385  error_t error;
386  size_t length;
388 
389  //Point to the buffer where to format the message
390  message = (TlsFinished *) (context->txBuffer + context->txBufferLen);
391 
392  //Check whether TLS operates as a client or a server
393  if(context->entity == TLS_CONNECTION_END_CLIENT)
394  {
395  //The verify data is generated from all messages in this handshake
396  //up to but not including the Finished message
398  context->clientVerifyData, &context->clientVerifyDataLen);
399  }
400  else
401  {
402  //The verify data is generated from all messages in this handshake
403  //up to but not including the Finished message
405  context->serverVerifyData, &context->serverVerifyDataLen);
406  }
407 
408  //Check status code
409  if(!error)
410  {
411  //Format Finished message
412  error = tlsFormatFinished(context, message, &length);
413  }
414 
415  //Check status code
416  if(!error)
417  {
418  //Debug message
419  TRACE_INFO("Sending Finished message (%" PRIuSIZE " bytes)...\r\n", length);
421 
422  //Send handshake message
423  error = tlsSendHandshakeMessage(context, message, length,
425  }
426 
427  //Check status code
428  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
429  {
430  //Version of TLS prior to TLS 1.3?
431  if(context->version <= TLS_VERSION_1_2)
432  {
433  //Check whether TLS operates as a client or a server
434  if(context->entity == TLS_CONNECTION_END_CLIENT)
435  {
436  //Abbreviated or full handshake?
437  if(context->resume)
438  context->state = TLS_STATE_APPLICATION_DATA;
439  else
440  context->state = TLS_STATE_SERVER_CHANGE_CIPHER_SPEC;
441  }
442  else
443  {
444  //Abbreviated or full handshake?
445  if(context->resume)
446  context->state = TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC;
447  else
448  context->state = TLS_STATE_APPLICATION_DATA;
449  }
450  }
451  else
452  {
453  //Check whether TLS operates as a client or a server
454  if(context->entity == TLS_CONNECTION_END_CLIENT)
455  {
456  //Compute client application traffic keys
457  context->state = TLS_STATE_CLIENT_APP_TRAFFIC_KEYS;
458  }
459  else
460  {
461  //Compute server application traffic keys
462  context->state = TLS_STATE_SERVER_APP_TRAFFIC_KEYS;
463  }
464  }
465  }
466 
467  //Return status code
468  return error;
469 }
470 
471 
472 /**
473  * @brief Send Alert message
474  * @param[in] context Pointer to the TLS context
475  * @param[in] level Severity of the message (warning or fatal)
476  * @param[in] description Description of the alert
477  * @return Error code
478  **/
479 
480 error_t tlsSendAlert(TlsContext *context, uint8_t level, uint8_t description)
481 {
482  error_t error;
483  size_t length;
484  TlsAlert *message;
485 
486  //Point to the buffer where to format the message
487  message = (TlsAlert *) (context->txBuffer + context->txBufferLen);
488 
489  //Format Alert message
490  error = tlsFormatAlert(context, level, description, message, &length);
491 
492  //Check status code
493  if(!error)
494  {
495  //Debug message
496  TRACE_INFO("Sending Alert message (%" PRIuSIZE " bytes)...\r\n", length);
498 
499 #if (DTLS_SUPPORT == ENABLED)
500  //DTLS protocol?
501  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
502  {
503  //Send Alert message
504  error = dtlsWriteProtocolData(context, (uint8_t *) message,
506  }
507  else
508 #endif
509  //TLS protocol?
510  {
511  //Send Alert message
512  error = tlsWriteProtocolData(context, (uint8_t *) message,
514  }
515  }
516 
517  //Alert messages convey the severity of the message
519  {
520  //If an alert with a level of warning is sent, generally the
521  //connection can continue normally
523  {
524  //Either party may initiate a close by sending a close_notify alert
525  context->closeNotifySent = TRUE;
526 
527  //Update FSM state
528  context->state = TLS_STATE_CLOSING;
529  }
530  }
531  else if(level == TLS_ALERT_LEVEL_FATAL)
532  {
533  //Alert messages with a level of fatal result in the immediate
534  //termination of the connection
535  context->fatalAlertSent = TRUE;
536 
537 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
538  //Any connection terminated with a fatal alert must not be resumed
539  if(context->entity == TLS_CONNECTION_END_SERVER)
540  {
541  tlsRemoveFromCache(context);
542  }
543 #endif
544 
545  //Servers and clients must forget any session identifiers
546  memset(context->sessionId, 0, 32);
547  context->sessionIdLen = 0;
548 
549  //Update FSM state
550  context->state = TLS_STATE_CLOSING;
551  }
552 
553  //Return status code
554  return error;
555 }
556 
557 
558 /**
559  * @brief Format Certificate message
560  * @param[in] context Pointer to the TLS context
561  * @param[out] message Buffer where to format the Certificate message
562  * @param[out] length Length of the resulting Certificate message
563  * @return Error code
564  **/
565 
567  TlsCertificate *message, size_t *length)
568 {
569  error_t error;
570  size_t n;
571  uint8_t *p;
572  TlsCertificateList *certificateList;
573 
574  //Point to the beginning of the handshake message
575  p = message;
576  //Length of the handshake message
577  *length = 0;
578 
579 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
580  //TLS 1.3 currently selected?
581  if(context->version == TLS_VERSION_1_3)
582  {
583  Tls13CertRequestContext *certRequestContext;
584 
585  //Point to the certificate request context
586  certRequestContext = (Tls13CertRequestContext *) p;
587 
588  //Check whether TLS operates as a client or a server
589  if(context->entity == TLS_CONNECTION_END_CLIENT)
590  {
591  //The value of the certificate_request_context field from server's
592  //CertificateRequest message is echoed in the Certificate message
593  if(context->certRequestContextLen > 0)
594  {
595  //Copy certificate request context
596  memcpy(certRequestContext->value, context->certRequestContext,
597  context->certRequestContextLen);
598  }
599 
600  //The context is preceded by a length field
601  certRequestContext->length = (uint8_t) context->certRequestContextLen;
602  }
603  else
604  {
605  //In the case of server authentication, this field shall be zero length
606  certRequestContext->length = 0;
607  }
608 
609  //Point to the next field
610  p += sizeof(Tls13CertRequestContext) + certRequestContext->length;
611  //Adjust the length of the Certificate message
612  *length += sizeof(Tls13CertRequestContext) + certRequestContext->length;
613  }
614 #endif
615 
616  //Point to the chain of certificates
617  certificateList = (TlsCertificateList *) p;
618 
619 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
620  //Check certificate type
621  if(context->certFormat == TLS_CERT_FORMAT_RAW_PUBLIC_KEY)
622  {
623  //Format the raw public key
624  error = tlsFormatRawPublicKey(context, certificateList->value, &n);
625  }
626  else
627 #endif
628  {
629  //Format the certificate chain
630  error = tlsFormatCertificateList(context, certificateList->value, &n);
631  }
632 
633  //Check status code
634  if(!error)
635  {
636  //A 3-byte length field shall precede the certificate list
637  STORE24BE(n, certificateList->length);
638  //Adjust the length of the Certificate message
639  *length += sizeof(TlsCertificateList) + n;
640  }
641 
642  //Return status code
643  return error;
644 }
645 
646 
647 /**
648  * @brief Format CertificateVerify message
649  * @param[in] context Pointer to the TLS context
650  * @param[out] message Buffer where to format the CertificateVerify message
651  * @param[out] length Length of the resulting CertificateVerify message
652  * @return Error code
653  **/
654 
657 {
658  error_t error;
659 
660  //Length of the handshake message
661  *length = 0;
662 
663 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)
664  //SSL 3.0, TLS 1.0 or TLS 1.1 currently selected?
665  if(context->version <= TLS_VERSION_1_1)
666  {
667  //In TLS version prior to 1.2, the digitally-signed element combines
668  //MD5 and SHA-1
669  error = tlsGenerateSignature(context, message, length);
670  }
671  else
672 #endif
673 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
674  //TLS 1.2 currently selected?
675  if(context->version == TLS_VERSION_1_2)
676  {
677  //In TLS 1.2, the MD5/SHA-1 combination in the digitally-signed element
678  //has been replaced with a single hash. The signed element now includes
679  //a field that explicitly specifies the hash algorithm used
680  error = tls12GenerateSignature(context, message, length);
681  }
682  else
683 #endif
684 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
685  //TLS 1.3 currently selected?
686  if(context->version == TLS_VERSION_1_3)
687  {
688  //In TLS 1.3, the signed element specifies the signature algorithm used.
689  //The content that is covered under the signature is the transcript hash
690  //output
691  error = tls13GenerateSignature(context, message, length);
692  }
693  else
694 #endif
695  //Invalid TLS version?
696  {
697  //Report an error
698  error = ERROR_INVALID_VERSION;
699  }
700 
701  //Return status code
702  return error;
703 }
704 
705 
706 /**
707  * @brief Format ChangeCipherSpec message
708  * @param[in] context Pointer to the TLS context
709  * @param[out] message Buffer where to format the ChangeCipherSpec message
710  * @param[out] length Length of the resulting ChangeCipherSpec message
711  * @return Error code
712  **/
713 
716 {
717  //The message consists of a single byte of value 1
718  message->type = 1;
719 
720  //Length of the ChangeCipherSpec message
721  *length = sizeof(TlsChangeCipherSpec);
722 
723  //Successful processing
724  return NO_ERROR;
725 }
726 
727 
728 /**
729  * @brief Format Finished message
730  * @param[in] context Pointer to the TLS context
731  * @param[out] message Buffer where to format the Finished message
732  * @param[out] length Length of the resulting Finished message
733  * @return Error code
734  **/
735 
737  TlsFinished *message, size_t *length)
738 {
739  //Check whether TLS operates as a client or a server
740  if(context->entity == TLS_CONNECTION_END_CLIENT)
741  {
742  //Copy the client's verify data
743  memcpy(message, context->clientVerifyData, context->clientVerifyDataLen);
744  //Length of the handshake message
745  *length = context->clientVerifyDataLen;
746  }
747  else
748  {
749  //Copy the server's verify data
750  memcpy(message, context->serverVerifyData, context->serverVerifyDataLen);
751  //Length of the handshake message
752  *length = context->serverVerifyDataLen;
753  }
754 
755  //Successful processing
756  return NO_ERROR;
757 }
758 
759 
760 /**
761  * @brief Format Alert message
762  * @param[in] context Pointer to the TLS context
763  * @param[in] level Severity of the message (warning or fatal)
764  * @param[in] description Description of the alert
765  * @param[out] message Buffer where to format the Alert message
766  * @param[out] length Length of the resulting Alert message
767  * @return Error code
768  **/
769 
771  uint8_t description, TlsAlert *message, size_t *length)
772 {
773  //Severity of the message
774  message->level = level;
775  //Description of the alert
776  message->description = description;
777 
778  //Length of the Alert message
779  *length = sizeof(TlsAlert);
780 
781  //Successful processing
782  return NO_ERROR;
783 }
784 
785 
786 /**
787  * @brief Format SignatureAlgorithms extension
788  * @param[in] context Pointer to the TLS context
789  * @param[in] cipherSuiteTypes Types of cipher suites proposed by the client
790  * @param[in] p Output stream where to write the SignatureAlgorithms extension
791  * @param[out] written Total number of bytes that have been written
792  * @return Error code
793  **/
794 
796  uint_t cipherSuiteTypes, uint8_t *p, size_t *written)
797 {
798  size_t n = 0;
799 
800 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
801  //This extension is not meaningful for TLS versions prior to 1.2. Clients
802  //must not offer it if they are offering prior versions (refer to RFC 5246,
803  //section 7.4.1.4.1)
804  if(context->versionMax >= TLS_VERSION_1_2)
805  {
806  TlsExtension *extension;
807  TlsSignHashAlgos *supportedSignAlgos;
808 
809  //Add the SignatureAlgorithms extension
810  extension = (TlsExtension *) p;
811  //Type of the extension
812  extension->type = HTONS(TLS_EXT_SIGNATURE_ALGORITHMS);
813 
814  //Point to the list of the hash/signature algorithm pairs that the
815  //server is able to verify
816  supportedSignAlgos = (TlsSignHashAlgos *) extension->value;
817 
818  //Enumerate the hash/signature algorithm pairs in descending order
819  //of preference
820  n = 0;
821 
823 #if (TLS_ED25519_SUPPORT == ENABLED)
824  //Ed25519 signature algorithm (PureEdDSA mode)
825  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ED25519;
826  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
827 #endif
828 #if (TLS_ED448_SUPPORT == ENABLED)
829  //Ed448 signature algorithm (PureEdDSA mode)
830  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ED448;
831  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
832 #endif
833 #endif
834 
835 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
836  //Any ECC cipher suite proposed by the client?
837  if((cipherSuiteTypes & TLS_CIPHER_SUITE_TYPE_ECC) != 0 ||
838  (cipherSuiteTypes & TLS_CIPHER_SUITE_TYPE_TLS13) != 0)
839  {
840 #if (TLS_SHA256_SUPPORT == ENABLED)
841  //ECDSA signature algorithm with SHA-256
842  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
843  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256;
844 #endif
845 #if (TLS_SHA384_SUPPORT == ENABLED)
846  //ECDSA signature algorithm with SHA-384
847  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
848  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA384;
849 #endif
850 #if (TLS_SHA512_SUPPORT == ENABLED)
851  //ECDSA signature algorithm with SHA-512
852  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
853  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA512;
854 #endif
855  }
856 #endif
857 
858 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
859  //Check whether the X.509 parser supports RSA-PSS signatures
861  {
862 #if (TLS_SHA256_SUPPORT == ENABLED)
863  //RSASSA-PSS PSS signature algorithm with SHA-256
864  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256;
865  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
866 #endif
867 #if (TLS_SHA384_SUPPORT == ENABLED)
868  //RSASSA-PSS PSS signature algorithm with SHA-384
869  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384;
870  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
871 #endif
872 #if (TLS_SHA512_SUPPORT == ENABLED)
873  //RSASSA-PSS PSS signature algorithm with SHA-512
874  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512;
875  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
876 #endif
877  }
878 #endif
879 
880 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
881 #if (TLS_SHA256_SUPPORT == ENABLED)
882  //RSASSA-PSS RSAE signature algorithm with SHA-256
883  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256;
884  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
885 #endif
886 #if (TLS_SHA384_SUPPORT == ENABLED)
887  //RSASSA-PSS RSAE signature algorithm with SHA-384
888  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384;
889  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
890 #endif
891 #if (TLS_SHA512_SUPPORT == ENABLED)
892  //RSASSA-PSS RSAE signature algorithm with SHA-512
893  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512;
894  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
895 #endif
896 #endif
897 
898 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
899 #if (TLS_SHA256_SUPPORT == ENABLED)
900  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-256
901  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
902  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256;
903 #endif
904 #if (TLS_SHA384_SUPPORT == ENABLED)
905  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-384
906  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
907  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA384;
908 #endif
909 #if (TLS_SHA512_SUPPORT == ENABLED)
910  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-512
911  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
912  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA512;
913 #endif
914 #endif
915 
916 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
917  //Any ECC cipher suite proposed by the client?
918  if((cipherSuiteTypes & TLS_CIPHER_SUITE_TYPE_ECC) != 0 ||
919  (cipherSuiteTypes & TLS_CIPHER_SUITE_TYPE_TLS13) != 0)
920  {
921 #if (TLS_SHA1_SUPPORT == ENABLED)
922  //ECDSA signature algorithm with SHA-1
923  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
924  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1;
925 #endif
926 #if (TLS_SHA224_SUPPORT == ENABLED)
927  //ECDSA signature algorithm with SHA-224
928  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
929  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA224;
930 #endif
931  }
932 #endif
933 
934 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
935 #if (TLS_SHA1_SUPPORT == ENABLED)
936  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-1
937  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
938  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1;
939 #endif
940 #if (TLS_SHA224_SUPPORT == ENABLED)
941  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-224
942  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
943  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA224;
944 #endif
945 #if (TLS_MD5_SUPPORT == ENABLED)
946  //RSASSA-PKCS1-v1_5 signature algorithm with MD5
947  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
948  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_MD5;
949 #endif
950 #endif
951 
952 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
953 #if (TLS_SHA1_SUPPORT == ENABLED)
954  //DSA signature algorithm with SHA-1
955  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_DSA;
956  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1;
957 #endif
958 #if (TLS_SHA224_SUPPORT == ENABLED)
959  //DSA signature algorithm with SHA-224
960  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_DSA;
961  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA224;
962 #endif
963 #if (TLS_SHA256_SUPPORT == ENABLED)
964  //DSA signature algorithm with SHA-256
965  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_DSA;
966  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256;
967 #endif
968 #endif
969 
970  //Compute the length, in bytes, of the list
971  n *= sizeof(TlsSignHashAlgo);
972  //Fix the length of the list
973  supportedSignAlgos->length = htons(n);
974 
975  //Consider the 2-byte length field that precedes the list
976  n += sizeof(TlsSignHashAlgos);
977  //Fix the length of the extension
978  extension->length = htons(n);
979 
980  //Compute the length, in bytes, of the SignatureAlgorithms extension
981  n += sizeof(TlsExtension);
982  }
983 #endif
984 
985  //Total number of bytes that have been written
986  *written = n;
987 
988  //Successful processing
989  return NO_ERROR;
990 }
991 
992 
993 /**
994  * @brief Format SignatureAlgorithmsCert extension
995  * @param[in] context Pointer to the TLS context
996  * @param[in] p Output stream where to write the SignatureAlgorithmsCert extension
997  * @param[out] written Total number of bytes that have been written
998  * @return Error code
999  **/
1000 
1002  uint8_t *p, size_t *written)
1003 {
1004  size_t n = 0;
1005 
1006 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1007  //TLS 1.2 implementations should also process this extension
1008  if(context->versionMax >= TLS_VERSION_1_2)
1009  {
1010  TlsExtension *extension;
1011  TlsSignHashAlgos *supportedSignAlgos;
1012 
1013  //Add the SignatureAlgorithmsCert extension
1014  extension = (TlsExtension *) p;
1015  //Type of the extension
1016  extension->type = HTONS(TLS_EXT_SIGNATURE_ALGORITHMS_CERT);
1017 
1018  //The SignatureAlgorithmsCert extension allows a client to indicate
1019  //which signature algorithms it can validate in X.509 certificates
1020  supportedSignAlgos = (TlsSignHashAlgos *) extension->value;
1021 
1022  //Enumerate the hash/signature algorithm pairs in descending order
1023  //of preference
1024  n = 0;
1025 
1026  //Ed25519 signature algorithm (PureEdDSA mode)
1028  {
1029  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ED25519;
1030  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
1031  }
1032 
1033  //Ed448 signature algorithm (PureEdDSA mode)
1035  {
1036  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ED448;
1037  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
1038  }
1039 
1040  //ECDSA signature algorithm with SHA-256
1043  {
1044  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
1045  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256;
1046  }
1047 
1048  //ECDSA signature algorithm with SHA-384
1051  {
1052  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
1053  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA384;
1054  }
1055 
1056  //ECDSA signature algorithm with SHA-512
1059  {
1060  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
1061  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA512;
1062  }
1063 
1064  //RSASSA-PSS PSS signature algorithm with SHA-256
1067  {
1068  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256;
1069  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
1070  }
1071 
1072  //RSASSA-PSS PSS signature algorithm with SHA-384
1075  {
1076  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384;
1077  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
1078  }
1079 
1080  //RSASSA-PSS PSS signature algorithm with SHA-512
1083  {
1084  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512;
1085  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
1086  }
1087 
1088  //RSASSA-PSS RSAE signature algorithm with SHA-256
1091  {
1092  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256;
1093  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
1094  }
1095 
1096  //RSASSA-PSS RSAE signature algorithm with SHA-384
1099  {
1100  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384;
1101  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
1102  }
1103 
1104  //RSASSA-PSS RSAE signature algorithm with SHA-512
1107  {
1108  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512;
1109  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
1110  }
1111 
1112  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-256
1115  {
1116  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
1117  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256;
1118  }
1119 
1120  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-384
1123  {
1124  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
1125  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA384;
1126  }
1127 
1128  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-512
1131  {
1132  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
1133  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA512;
1134  }
1135 
1136  //ECDSA signature algorithm with SHA-1
1139  {
1140  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
1141  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1;
1142  }
1143 
1144  //ECDSA signature algorithm with SHA-224
1147  {
1148  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
1149  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA224;
1150  }
1151 
1152  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-1
1155  {
1156  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
1157  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1;
1158  }
1159 
1160  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-224
1163  {
1164  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
1165  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA224;
1166  }
1167 
1168  //RSASSA-PKCS1-v1_5 signature algorithm with MD5
1171  {
1172  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
1173  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_MD5;
1174  }
1175 
1176  //DSA signature algorithm with SHA-1
1179  {
1180  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_DSA;
1181  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1;
1182  }
1183 
1184  //DSA signature algorithm with SHA-224
1187  {
1188  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_DSA;
1189  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA224;
1190  }
1191 
1192  //DSA signature algorithm with SHA-256
1195  {
1196  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_DSA;
1197  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256;
1198  }
1199 
1200  //Compute the length, in bytes, of the list
1201  n *= sizeof(TlsSignHashAlgo);
1202  //Fix the length of the list
1203  supportedSignAlgos->length = htons(n);
1204 
1205  //Consider the 2-byte length field that precedes the list
1206  n += sizeof(TlsSignHashAlgos);
1207  //Fix the length of the extension
1208  extension->length = htons(n);
1209 
1210  //Compute the length, in bytes, of the SignatureAlgorithmsCert extension
1211  n += sizeof(TlsExtension);
1212  }
1213 #endif
1214 
1215  //Total number of bytes that have been written
1216  *written = n;
1217 
1218  //Successful processing
1219  return NO_ERROR;
1220 }
1221 
1222 
1223 /**
1224  * @brief Parse Certificate message
1225  * @param[in] context Pointer to the TLS context
1226  * @param[in] message Incoming Certificate message to parse
1227  * @param[in] length Message length
1228  * @return Error code
1229  **/
1230 
1232  const TlsCertificate *message, size_t length)
1233 {
1234  error_t error;
1235  size_t n;
1236  const uint8_t *p;
1237  const TlsCertificateList *certificateList;
1238 
1239  //Debug message
1240  TRACE_INFO("Certificate message received (%" PRIuSIZE " bytes)...\r\n", length);
1242 
1243  //Check whether TLS operates as a client or a server
1244  if(context->entity == TLS_CONNECTION_END_CLIENT)
1245  {
1246  //Version of TLS prior to TLS 1.3?
1247  if(context->version <= TLS_VERSION_1_2)
1248  {
1249  //Check current state
1250  if(context->state != TLS_STATE_SERVER_CERTIFICATE)
1251  return ERROR_UNEXPECTED_MESSAGE;
1252  }
1253  else
1254  {
1255  //The CertificateRequest message is optional
1256  if(context->state != TLS_STATE_CERTIFICATE_REQUEST &&
1257  context->state != TLS_STATE_SERVER_CERTIFICATE)
1258  {
1259  return ERROR_UNEXPECTED_MESSAGE;
1260  }
1261  }
1262  }
1263  else
1264  {
1265  //Check current state
1266  if(context->state != TLS_STATE_CLIENT_CERTIFICATE)
1267  return ERROR_UNEXPECTED_MESSAGE;
1268  }
1269 
1270  //Point to the beginning of the handshake message
1271  p = message;
1272 
1273 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1274  //TLS 1.3 currently selected?
1275  if(context->version == TLS_VERSION_1_3)
1276  {
1277  const Tls13CertRequestContext *certRequestContext;
1278 
1279  //Point to the certificate request context
1280  certRequestContext = (Tls13CertRequestContext *) p;
1281 
1282  //Malformed Certificate message?
1283  if(length < sizeof(Tls13CertRequestContext))
1284  return ERROR_DECODING_FAILED;
1285  if(length < (sizeof(Tls13CertRequestContext) + certRequestContext->length))
1286  return ERROR_DECODING_FAILED;
1287 
1288  //Point to the next field
1289  p += sizeof(Tls13CertRequestContext) + certRequestContext->length;
1290  //Remaining bytes to process
1291  length -= sizeof(Tls13CertRequestContext) + certRequestContext->length;
1292  }
1293 #endif
1294 
1295  //Point to the chain of certificates
1296  certificateList = (TlsCertificateList *) p;
1297 
1298  //Malformed Certificate message?
1299  if(length < sizeof(TlsCertificateList))
1300  return ERROR_DECODING_FAILED;
1301 
1302  //Get the size occupied by the certificate list
1303  n = LOAD24BE(certificateList->length);
1304  //Remaining bytes to process
1305  length -= sizeof(TlsCertificateList);
1306 
1307  //Malformed Certificate message?
1308  if(n != length)
1309  return ERROR_DECODING_FAILED;
1310 
1311  //Non-empty certificate list?
1312  if(n > 0)
1313  {
1314 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
1315  //Check certificate type
1316  if(context->peerCertFormat == TLS_CERT_FORMAT_RAW_PUBLIC_KEY)
1317  {
1318  //Parse the raw public key
1319  error = tlsParseRawPublicKey(context, certificateList->value, n);
1320  }
1321  else
1322 #endif
1323  {
1324  //Parse the certificate chain
1325  error = tlsParseCertificateList(context, certificateList->value, n);
1326  }
1327  }
1328  else
1329  {
1330 #if (TLS_SERVER_SUPPORT == ENABLED)
1331  //Server mode?
1332  if(context->entity == TLS_CONNECTION_END_SERVER)
1333  {
1334  //Check whether client authentication is required
1335  if(context->clientAuthMode == TLS_CLIENT_AUTH_REQUIRED)
1336  {
1337  //Version of TLS prior to TLS 1.3?
1338  if(context->version <= TLS_VERSION_1_2)
1339  {
1340  //If the client does not send any certificates, the server
1341  //responds with a fatal handshake_failure alert (refer to
1342  //RFC 5246, section 7.4.6)
1343  error = ERROR_HANDSHAKE_FAILED;
1344  }
1345  else
1346  {
1347  //If the client does not send any certificates, the server
1348  //aborts the handshake with a certificate_required alert (refer
1349  //to RFC 8446, section 4.4.2.4)
1351  }
1352  }
1353  else
1354  {
1355  //The client did not send any certificates
1356  context->peerCertType = TLS_CERT_NONE;
1357  //The server may continue the handshake without client authentication
1358  error = NO_ERROR;
1359  }
1360  }
1361  else
1362 #endif
1363  //Client mode?
1364  {
1365  //The server's certificate list must always be non-empty (refer to
1366  //RFC 8446, section 4.4.2)
1367  error = ERROR_DECODING_FAILED;
1368  }
1369  }
1370 
1371  //Check status code
1372  if(!error)
1373  {
1374  //Version of TLS prior to TLS 1.3?
1375  if(context->version <= TLS_VERSION_1_2)
1376  {
1377  //Check whether TLS operates as a client or a server
1378  if(context->entity == TLS_CONNECTION_END_CLIENT)
1379  {
1380  //The server does not send a ServerKeyExchange message when RSA
1381  //key exchange method is used
1382  if(context->keyExchMethod == TLS_KEY_EXCH_RSA)
1383  context->state = TLS_STATE_CERTIFICATE_REQUEST;
1384  else
1385  context->state = TLS_STATE_SERVER_KEY_EXCHANGE;
1386  }
1387  else
1388  {
1389  //Wait for a ClientKeyExchange message from the client
1390  context->state = TLS_STATE_CLIENT_KEY_EXCHANGE;
1391  }
1392  }
1393  else
1394  {
1395  //Check whether TLS operates as a client or a server
1396  if(context->entity == TLS_CONNECTION_END_CLIENT)
1397  {
1398  //The server must send a CertificateVerify message immediately
1399  //after the Certificate message
1400  context->state = TLS_STATE_SERVER_CERTIFICATE_VERIFY;
1401  }
1402  else
1403  {
1404  //The client must send a CertificateVerify message when the
1405  //Certificate message is non-empty
1406  if(context->peerCertType != TLS_CERT_NONE)
1407  context->state = TLS_STATE_CLIENT_CERTIFICATE_VERIFY;
1408  else
1409  context->state = TLS_STATE_CLIENT_FINISHED;
1410  }
1411  }
1412  }
1413 
1414  //Return status code
1415  return error;
1416 }
1417 
1418 
1419 /**
1420  * @brief Parse CertificateVerify message
1421  *
1422  * The CertificateVerify message is used to provide explicit verification
1423  * of a client certificate. This message is only sent following a client
1424  * certificate that has signing capability
1425  *
1426  * @param[in] context Pointer to the TLS context
1427  * @param[in] message Incoming CertificateVerify message to parse
1428  * @param[in] length Message length
1429  * @return Error code
1430  **/
1431 
1433  const TlsCertificateVerify *message, size_t length)
1434 {
1435  error_t error;
1436 
1437  //Debug message
1438  TRACE_INFO("CertificateVerify message received (%" PRIuSIZE " bytes)...\r\n", length);
1440 
1441  //Check whether TLS operates as a client or a server
1442  if(context->entity == TLS_CONNECTION_END_CLIENT)
1443  {
1444  //Check current state
1445  if(context->state != TLS_STATE_SERVER_CERTIFICATE_VERIFY)
1446  return ERROR_UNEXPECTED_MESSAGE;
1447  }
1448  else
1449  {
1450  //Check current state
1451  if(context->state != TLS_STATE_CLIENT_CERTIFICATE_VERIFY)
1452  return ERROR_UNEXPECTED_MESSAGE;
1453  }
1454 
1455 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)
1456  //SSL 3.0, TLS 1.0 or TLS 1.1 currently selected?
1457  if(context->version <= TLS_VERSION_1_1)
1458  {
1459  //In TLS version prior to 1.2, the digitally-signed element combines
1460  //MD5 and SHA-1
1461  error = tlsVerifySignature(context, message, length);
1462  }
1463  else
1464 #endif
1465 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1466  //TLS 1.2 currently selected?
1467  if(context->version == TLS_VERSION_1_2)
1468  {
1469  //In TLS 1.2, the MD5/SHA-1 combination in the digitally-signed element
1470  //has been replaced with a single hash. The signed element now includes
1471  //a field that explicitly specifies the hash algorithm used
1472  error = tls12VerifySignature(context, message, length);
1473  }
1474  else
1475 #endif
1476 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1477  //TLS 1.3 currently selected?
1478  if(context->version == TLS_VERSION_1_3)
1479  {
1480  //In TLS 1.3, the signed element specifies the signature algorithm used.
1481  //The content that is covered under the signature is the transcript hash
1482  //output
1483  error = tls13VerifySignature(context, message, length);
1484  }
1485  else
1486 #endif
1487  //Invalid TLS version?
1488  {
1489  //Report an error
1490  error = ERROR_INVALID_VERSION;
1491  }
1492 
1493  //Check status code
1494  if(!error)
1495  {
1496  //Version of TLS prior to TLS 1.3?
1497  if(context->version <= TLS_VERSION_1_2)
1498  {
1499  //Wait for a ChangeCipherSpec message from the client
1500  context->state = TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC;
1501  }
1502  else
1503  {
1504  //Wait for a Finished message from the peer
1505  if(context->entity == TLS_CONNECTION_END_CLIENT)
1506  context->state = TLS_STATE_SERVER_FINISHED;
1507  else
1508  context->state = TLS_STATE_CLIENT_FINISHED;
1509  }
1510  }
1511 
1512  //Return status code
1513  return error;
1514 }
1515 
1516 
1517 /**
1518  * @brief Parse ChangeCipherSpec message
1519  * @param[in] context Pointer to the TLS context
1520  * @param[in] message Incoming ChangeCipherSpec message to parse
1521  * @param[in] length Message length
1522  * @return Error code
1523  **/
1524 
1526  const TlsChangeCipherSpec *message, size_t length)
1527 {
1528  error_t error;
1529 
1530  //Debug message
1531  TRACE_INFO("ChangeCipherSpec message received (%" PRIuSIZE " bytes)...\r\n", length);
1533 
1534  //Check the length of the ChangeCipherSpec message
1535  if(length != sizeof(TlsChangeCipherSpec))
1536  return ERROR_DECODING_FAILED;
1537 
1538  //The message consists of a single byte of value 1
1539  if(message->type != 0x01)
1540  return ERROR_DECODING_FAILED;
1541 
1542  //Version of TLS prior to TLS 1.3?
1543  if(context->version <= TLS_VERSION_1_2)
1544  {
1545  //Check whether TLS operates as a client or a server
1546  if(context->entity == TLS_CONNECTION_END_CLIENT)
1547  {
1548  //Check current state
1549  if(context->state != TLS_STATE_SERVER_CHANGE_CIPHER_SPEC)
1550  return ERROR_UNEXPECTED_MESSAGE;
1551  }
1552  else
1553  {
1554  //Check current state
1555  if(context->state != TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC)
1556  return ERROR_UNEXPECTED_MESSAGE;
1557  }
1558 
1559  //Release decryption engine first
1560  tlsFreeEncryptionEngine(&context->decryptionEngine);
1561 
1562  //Check whether TLS operates as a client or a server
1563  if(context->entity == TLS_CONNECTION_END_CLIENT)
1564  {
1565  //Initialize decryption engine using server write keys
1566  error = tlsInitEncryptionEngine(context, &context->decryptionEngine,
1568  //Any error to report?
1569  if(error)
1570  return error;
1571 
1572  //Wait for a Finished message from the server
1573  context->state = TLS_STATE_SERVER_FINISHED;
1574  }
1575  else
1576  {
1577  //Initialize decryption engine using client write keys
1578  error = tlsInitEncryptionEngine(context, &context->decryptionEngine,
1580  //Any error to report?
1581  if(error)
1582  return error;
1583 
1584  //Wait for a Finished message from the client
1585  context->state = TLS_STATE_CLIENT_FINISHED;
1586  }
1587 
1588 #if (DTLS_SUPPORT == ENABLED)
1589  //DTLS protocol?
1590  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
1591  {
1592  //Initialize sliding window
1593  dtlsInitReplayWindow(context);
1594  }
1595 #endif
1596  }
1597  else
1598  {
1599  //In TLS 1.3, the ChangeCipherSpec message is used only for compatibility
1600  //purposes and must be dropped without further processing
1601  if(context->entity == TLS_CONNECTION_END_CLIENT)
1602  {
1603  //A ChangeCipherSpec message received received before the first
1604  //ClientHello message or after the server's Finished message must
1605  //be treated as an unexpected record type
1606  if(context->state != TLS_STATE_SERVER_HELLO &&
1607  context->state != TLS_STATE_SERVER_HELLO_2 &&
1608  context->state != TLS_STATE_ENCRYPTED_EXTENSIONS &&
1609  context->state != TLS_STATE_CERTIFICATE_REQUEST &&
1610  context->state != TLS_STATE_SERVER_CERTIFICATE &&
1611  context->state != TLS_STATE_SERVER_CERTIFICATE_VERIFY &&
1612  context->state != TLS_STATE_SERVER_FINISHED)
1613  {
1614  //Report an error
1615  return ERROR_UNEXPECTED_MESSAGE;
1616  }
1617  }
1618  else
1619  {
1620  //A ChangeCipherSpec message received received before the first
1621  //ClientHello message or after the client's Finished message must
1622  //be treated as an unexpected record type
1623  if(context->state != TLS_STATE_CLIENT_HELLO_2 &&
1624  context->state != TLS_STATE_CLIENT_CERTIFICATE &&
1625  context->state != TLS_STATE_CLIENT_CERTIFICATE_VERIFY &&
1626  context->state != TLS_STATE_CLIENT_FINISHED)
1627  {
1628  //Report an error
1629  return ERROR_UNEXPECTED_MESSAGE;
1630  }
1631  }
1632 
1633 #if (TLS_MAX_CHANGE_CIPHER_SPEC_MESSAGES > 0)
1634  //Increment the count of consecutive ChangeCipherSpec messages
1635  context->changeCipherSpecCount++;
1636 
1637  //Do not allow too many consecutive ChangeCipherSpec messages
1638  if(context->changeCipherSpecCount > TLS_MAX_CHANGE_CIPHER_SPEC_MESSAGES)
1639  return ERROR_UNEXPECTED_MESSAGE;
1640 #endif
1641  }
1642 
1643  //Successful processing
1644  return NO_ERROR;
1645 }
1646 
1647 
1648 /**
1649  * @brief Parse Finished message
1650  * @param[in] context Pointer to the TLS context
1651  * @param[in] message Incoming Finished message to parse
1652  * @param[in] length Message length
1653  * @return Error code
1654  **/
1655 
1657  const TlsFinished *message, size_t length)
1658 {
1659  error_t error;
1660 
1661  //Debug message
1662  TRACE_INFO("Finished message received (%" PRIuSIZE " bytes)...\r\n", length);
1664 
1665  //Check whether TLS operates as a client or a server
1666  if(context->entity == TLS_CONNECTION_END_CLIENT)
1667  {
1668  //Check current state
1669  if(context->state != TLS_STATE_SERVER_FINISHED)
1670  return ERROR_UNEXPECTED_MESSAGE;
1671 
1672  //The verify data is generated from all messages in this handshake
1673  //up to but not including the Finished message
1675  context->serverVerifyData, &context->serverVerifyDataLen);
1676  //Unable to generate the verify data?
1677  if(error)
1678  return error;
1679 
1680  //Check the length of the Finished message
1681  if(length != context->serverVerifyDataLen)
1682  {
1683 #if (TLS_MAX_EMPTY_RECORDS > 0)
1684  return ERROR_INVALID_SIGNATURE;
1685 #else
1686  return ERROR_DECODING_FAILED;
1687 #endif
1688  }
1689 
1690  //Check the resulting verify data
1691  if(memcmp(message, context->serverVerifyData, context->serverVerifyDataLen))
1692  return ERROR_INVALID_SIGNATURE;
1693  }
1694  else
1695  {
1696  //Check current state
1697  if(context->state != TLS_STATE_CLIENT_FINISHED)
1698  return ERROR_UNEXPECTED_MESSAGE;
1699 
1700  //The verify data is generated from all messages in this handshake
1701  //up to but not including the Finished message
1703  context->clientVerifyData, &context->clientVerifyDataLen);
1704  //Unable to generate the verify data?
1705  if(error)
1706  return error;
1707 
1708  //Check the length of the Finished message
1709  if(length != context->clientVerifyDataLen)
1710  {
1711 #if (TLS_MAX_EMPTY_RECORDS > 0)
1712  return ERROR_INVALID_SIGNATURE;
1713 #else
1714  return ERROR_DECODING_FAILED;
1715 #endif
1716  }
1717 
1718  //Check the resulting verify data
1719  if(memcmp(message, context->clientVerifyData, context->clientVerifyDataLen))
1720  return ERROR_INVALID_SIGNATURE;
1721  }
1722 
1723  //Version of TLS prior to TLS 1.3?
1724  if(context->version <= TLS_VERSION_1_2)
1725  {
1726  //Check whether TLS operates as a client or a server
1727  if(context->entity == TLS_CONNECTION_END_CLIENT)
1728  {
1729  //Abbreviated or full handshake?
1730  if(context->resume)
1731  context->state = TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC;
1732  else
1733  context->state = TLS_STATE_APPLICATION_DATA;
1734  }
1735  else
1736  {
1737  //Abbreviated or full handshake?
1738  if(context->resume)
1739  context->state = TLS_STATE_APPLICATION_DATA;
1740  else
1741  context->state = TLS_STATE_SERVER_CHANGE_CIPHER_SPEC;
1742  }
1743  }
1744  else
1745  {
1746  //Check whether TLS operates as a client or a server
1747  if(context->entity == TLS_CONNECTION_END_CLIENT)
1748  {
1749  //Compute server application traffic keys
1750  context->state = TLS_STATE_SERVER_APP_TRAFFIC_KEYS;
1751  }
1752  else
1753  {
1754  //Compute client application traffic keys
1755  context->state = TLS_STATE_CLIENT_APP_TRAFFIC_KEYS;
1756  }
1757  }
1758 
1759  //Successful processing
1760  return NO_ERROR;
1761 }
1762 
1763 
1764 /**
1765  * @brief Parse Alert message
1766  * @param[in] context Pointer to the TLS context
1767  * @param[in] message Incoming Alert message to parse
1768  * @param[in] length Message length
1769  * @return Error code
1770  **/
1771 
1773  const TlsAlert *message, size_t length)
1774 {
1775  //Debug message
1776  TRACE_INFO("Alert message received (%" PRIuSIZE " bytes)...\r\n", length);
1778 
1779  //Check message length
1780  if(length != sizeof(TlsAlert))
1781  return ERROR_INVALID_LENGTH;
1782 
1783  //Debug message
1784  TRACE_DEBUG(" Level = %" PRIu8 "\r\n", message->level);
1785  TRACE_DEBUG(" Description = %" PRIu8 "\r\n", message->description);
1786 
1787  //Alert messages convey the severity of the message
1788  if(message->level == TLS_ALERT_LEVEL_WARNING)
1789  {
1790 #if (TLS_MAX_WARNING_ALERTS > 0)
1791  //Increment the count of consecutive warning alerts
1792  context->alertCount++;
1793 
1794  //Do not allow too many consecutive warning alerts
1795  if(context->alertCount > TLS_MAX_WARNING_ALERTS)
1796  return ERROR_UNEXPECTED_MESSAGE;
1797 #endif
1798 
1799  //Check alert type
1800  if(message->description == TLS_ALERT_CLOSE_NOTIFY)
1801  {
1802  //A closure alert has been received
1803  context->closeNotifyReceived = TRUE;
1804 
1805  //Close down the connection immediately
1806  if(context->state == TLS_STATE_APPLICATION_DATA)
1807  context->state = TLS_STATE_CLOSING;
1808  }
1809  else if(message->description == TLS_ALERT_USER_CANCELED)
1810  {
1811  //This alert notifies the recipient that the sender is canceling the
1812  //handshake for some reason unrelated to a protocol failure
1813  }
1814  else
1815  {
1816  //TLS 1.3 currently selected?
1817  if(context->version == TLS_VERSION_1_3)
1818  {
1819  //Unknown alert types must be treated as error alerts
1820  return ERROR_DECODING_FAILED;
1821  }
1822  }
1823  }
1824  else if(message->level == TLS_ALERT_LEVEL_FATAL)
1825  {
1826  //A fatal alert message has been received
1827  context->fatalAlertReceived = TRUE;
1828 
1829 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1830  //Any connection terminated with a fatal alert must not be resumed
1831  if(context->entity == TLS_CONNECTION_END_SERVER)
1832  {
1833  tlsRemoveFromCache(context);
1834  }
1835 #endif
1836 
1837  //Servers and clients must forget any session identifiers
1838  memset(context->sessionId, 0, 32);
1839  context->sessionIdLen = 0;
1840 
1841  //Alert messages with a level of fatal result in the immediate
1842  //termination of the connection
1843  context->state = TLS_STATE_CLOSED;
1844  }
1845  else
1846  {
1847  //Report an error
1848  return ERROR_ILLEGAL_PARAMETER;
1849  }
1850 
1851  //Successful processing
1852  return NO_ERROR;
1853 }
1854 
1855 #endif
#define TLS_EDDSA_SIGN_SUPPORT
Definition: tls.h:351
#define TLS_MAX_CHANGE_CIPHER_SPEC_MESSAGES
Definition: tls.h:743
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256
Definition: tls.h:1115
#define htons(value)
Definition: cpu_endian.h:392
@ TLS_SIGN_ALGO_DSA
Definition: tls.h:1113
@ TLS_CERT_FORMAT_RAW_PUBLIC_KEY
Definition: tls.h:1061
TLS helper functions.
X.509 common definitions.
#define TRACE_INFO_ARRAY(p, a, n)
Definition: debug.h:95
uint8_t length
Definition: dtls_misc.h:149
__start_packed struct @88 TlsChangeCipherSpec
ChangeCipherSpec message.
TLS cipher suites.
void dtlsInitReplayWindow(TlsContext *context)
Initialize sliding window.
Definition: dtls_misc.c:443
bool_t x509IsSignAlgoSupported(X509SignatureAlgo signAlgo)
Check whether a given signature algorithm is supported.
Definition: x509_common.c:170
error_t tlsInitEncryptionEngine(TlsContext *context, TlsEncryptionEngine *encryptionEngine, TlsConnectionEnd entity, const uint8_t *secret)
Initialize encryption engine.
Definition: tls_misc.c:354
@ TLS_ALERT_CLOSE_NOTIFY
Definition: tls.h:972
bool_t x509IsHashAlgoSupported(X509HashAlgo hashAlgo)
Check whether a given hash algorithm is supported.
Definition: x509_common.c:238
@ ERROR_WOULD_BLOCK
Definition: error.h:95
error_t tlsSendChangeCipherSpec(TlsContext *context)
Send ChangeCipherSpec message.
Definition: tls_common.c:268
TLS handshake.
@ TLS_STATE_SERVER_KEY_EXCHANGE
Definition: tls.h:1301
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:237
RSA/DSA/ECDSA/EdDSA signature generation and verification.
error_t tlsSendCertificate(TlsContext *context)
Send Certificate message.
Definition: tls_common.c:62
@ ERROR_UNEXPECTED_MESSAGE
Definition: error.h:192
uint8_t p
Definition: ndp.h:298
#define TRUE
Definition: os_port.h:50
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384
Definition: tls.h:1121
@ TLS_STATE_CERTIFICATE_REQUEST
Definition: tls.h:1303
@ TLS_TYPE_CHANGE_CIPHER_SPEC
Definition: tls.h:917
@ TLS_CIPHER_SUITE_TYPE_ECC
@ TLS_TRANSPORT_PROTOCOL_DATAGRAM
Definition: tls.h:851
Session cache management.
@ TLS_HASH_ALGO_SHA1
Definition: tls.h:1096
error_t tlsParseChangeCipherSpec(TlsContext *context, const TlsChangeCipherSpec *message, size_t length)
Parse ChangeCipherSpec message.
Definition: tls_common.c:1525
@ TLS_STATE_APPLICATION_DATA
Definition: tls.h:1319
@ ERROR_HANDSHAKE_FAILED
Definition: error.h:228
@ TLS_ALERT_NO_CERTIFICATE
Definition: tls.h:979
@ TLS_STATE_SERVER_APP_TRAFFIC_KEYS
Definition: tls.h:1316
@ TLS_CERT_DSS_SIGN
Definition: tls.h:1073
error_t tlsFormatCertificateVerify(TlsContext *context, TlsCertificateVerify *message, size_t *length)
Format CertificateVerify message.
Definition: tls_common.c:655
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512
Definition: tls.h:1122
@ ERROR_INVALID_VERSION
Definition: error.h:116
error_t tlsSendHandshakeMessage(TlsContext *context, const void *data, size_t length, TlsMessageType type)
Send handshake message.
error_t tlsFormatFinished(TlsContext *context, TlsFinished *message, size_t *length)
Format Finished message.
Definition: tls_common.c:736
@ TLS_CIPHER_SUITE_TYPE_TLS13
@ TLS_SIGN_ALGO_ED448
Definition: tls.h:1119
@ TLS_EXT_SIGNATURE_ALGORITHMS_CERT
Definition: tls.h:1172
uint8_t level
Definition: tls.h:1702
@ TLS_HASH_ALGO_SHA224
Definition: tls.h:1097
@ TLS_KEY_EXCH_RSA
Definition: tls.h:1027
@ TLS_TYPE_CERTIFICATE
Definition: tls.h:940
void TlsFinished
Finished message.
Definition: tls.h:1683
@ TLS_STATE_SERVER_HELLO
Definition: tls.h:1295
error_t tlsFormatSignatureAlgorithmsExtension(TlsContext *context, uint_t cipherSuiteTypes, uint8_t *p, size_t *written)
Format SignatureAlgorithms extension.
Definition: tls_common.c:795
@ TLS_ALERT_LEVEL_WARNING
Definition: tls.h:961
@ TLS_HASH_ALGO_SHA512
Definition: tls.h:1100
error_t tlsSendAlert(TlsContext *context, uint8_t level, uint8_t description)
Send Alert message.
Definition: tls_common.c:480
error_t tlsParseAlert(TlsContext *context, const TlsAlert *message, size_t length)
Parse Alert message.
Definition: tls_common.c:1772
__start_packed struct @65 TlsSignHashAlgos
List of signature algorithms.
error_t tlsComputeVerifyData(TlsContext *context, TlsConnectionEnd entity, uint8_t *verifyData, size_t *verifyDataLen)
Compute verify data from previous handshake messages.
#define TlsContext
Definition: tls.h:36
error_t
Error codes.
Definition: error.h:42
DTLS record protocol.
@ TLS_CERT_ED25519_SIGN
Definition: tls.h:1083
@ TLS_CONNECTION_END_SERVER
Definition: tls.h:862
void tlsFreeEncryptionEngine(TlsEncryptionEngine *encryptionEngine)
Release encryption engine.
Definition: tls_misc.c:592
#define TLS_VERSION_1_2
Definition: tls.h:94
void TlsCertificateVerify
CertificateVerify message.
Definition: tls.h:1676
@ ERROR_FAILURE
Generic error code.
Definition: error.h:45
@ TLS_HASH_ALGO_INTRINSIC
Definition: tls.h:1101
@ X509_SIGN_ALGO_ECDSA
Definition: x509_common.h:527
error_t tlsRemoveFromCache(TlsContext *context)
Remove current session from cache.
Definition: tls_cache.c:263
@ TLS_STATE_SERVER_FINISHED
Definition: tls.h:1314
@ TLS_TYPE_ALERT
Definition: tls.h:918
#define TLS_VERSION_1_3
Definition: tls.h:95
Handshake message processing (TLS client and server)
@ TLS_HASH_ALGO_SHA384
Definition: tls.h:1099
@ TLS_CERT_RSA_PSS_SIGN
Definition: tls.h:1082
@ ERROR_INVALID_LENGTH
Definition: error.h:109
@ X509_HASH_ALGO_SHA1
Definition: x509_common.h:541
error_t tlsFormatAlert(TlsContext *context, uint8_t level, uint8_t description, TlsAlert *message, size_t *length)
Format Alert message.
Definition: tls_common.c:770
error_t tls12GenerateSignature(TlsContext *context, uint8_t *p, size_t *length)
TLS record protocol.
@ TLS_STATE_CLIENT_CERTIFICATE_VERIFY
Definition: tls.h:1307
@ TLS_TYPE_CERTIFICATE_VERIFY
Definition: tls.h:944
@ TLS_STATE_SERVER_CHANGE_CIPHER_SPEC
Definition: tls.h:1312
@ TLS_SIGN_ALGO_ED25519
Definition: tls.h:1118
@ TLS_HASH_ALGO_SHA256
Definition: tls.h:1098
#define SSL_VERSION_3_0
Definition: tls.h:91
@ TLS_ALERT_USER_CANCELED
Definition: tls.h:995
@ TLS_CERT_ED448_SIGN
Definition: tls.h:1084
#define TLS_MAX_WARNING_ALERTS
Definition: tls.h:729
error_t tls13VerifySignature(TlsContext *context, const uint8_t *p, size_t length)
error_t tlsFormatRawPublicKey(TlsContext *context, uint8_t *p, size_t *written)
Format raw public key.
error_t dtlsWriteProtocolData(TlsContext *context, const uint8_t *data, size_t length, TlsContentType contentType)
Write protocol data.
Definition: dtls_record.c:60
@ TLS_CERT_RSA_SIGN
Definition: tls.h:1072
#define TRACE_INFO(...)
Definition: debug.h:94
@ X509_HASH_ALGO_SHA224
Definition: x509_common.h:542
Encryption engine.
Definition: tls.h:1942
@ TLS_STATE_CLIENT_APP_TRAFFIC_KEYS
Definition: tls.h:1311
__start_packed struct @89 TlsAlert
Alert message.
__start_packed struct @68 TlsExtension
TLS extension.
@ X509_SIGN_ALGO_RSA
Definition: x509_common.h:524
@ TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC
Definition: tls.h:1308
#define ENABLED
Definition: os_port.h:37
__start_packed struct @66 TlsCertificateList
List of certificates.
error_t tlsFormatCertificateList(TlsContext *context, uint8_t *p, size_t *written)
Format certificate chain.
error_t tlsParseCertificate(TlsContext *context, const TlsCertificate *message, size_t length)
Parse Certificate message.
Definition: tls_common.c:1231
error_t tlsVerifySignature(TlsContext *context, const uint8_t *p, size_t length)
Digital signature verification (SSL 3.0, TLS 1.0 and TLS 1.1)
@ TLS_HASH_ALGO_MD5
Definition: tls.h:1095
Transcript hash calculation.
@ TLS_STATE_HANDSHAKE_TRAFFIC_KEYS
Definition: tls.h:1298
error_t tlsParseCertificateList(TlsContext *context, const uint8_t *p, size_t length)
Parse certificate chain.
#define TRACE_DEBUG(...)
Definition: debug.h:106
@ ERROR_TIMEOUT
Definition: error.h:94
__start_packed struct @98 Tls13CertRequestContext
Certificate request context.
@ X509_HASH_ALGO_MD5
Definition: x509_common.h:540
#define TLS_VERSION_1_1
Definition: tls.h:93
__start_packed struct @64 TlsSignHashAlgo
Signature algorithm.
@ TLS_STATE_CLIENT_HELLO_2
Definition: tls.h:1291
@ TLS_STATE_CLOSING
Definition: tls.h:1320
@ TLS_STATE_SERVER_CERTIFICATE_VERIFY
Definition: tls.h:1302
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:107
@ X509_SIGN_ALGO_RSA_PSS
Definition: x509_common.h:525
error_t tlsParseRawPublicKey(TlsContext *context, const uint8_t *p, size_t length)
Parse raw public key.
error_t tlsFormatChangeCipherSpec(TlsContext *context, TlsChangeCipherSpec *message, size_t *length)
Format ChangeCipherSpec message.
Definition: tls_common.c:714
@ TLS_STATE_SERVER_CERTIFICATE
Definition: tls.h:1300
@ TLS_CLIENT_AUTH_REQUIRED
Definition: tls.h:874
@ TLS_ALERT_LEVEL_FATAL
Definition: tls.h:962
#define HTONS(value)
Definition: cpu_endian.h:390
error_t tls13GenerateSignature(TlsContext *context, uint8_t *p, size_t *length)
uint8_t n
@ ERROR_UNEXPECTED_STATE
Definition: error.h:98
@ TLS_STATE_CLIENT_KEY_EXCHANGE
Definition: tls.h:1306
@ X509_HASH_ALGO_SHA512
Definition: x509_common.h:545
error_t tlsParseFinished(TlsContext *context, const TlsFinished *message, size_t length)
Parse Finished message.
Definition: tls_common.c:1656
@ TLS_TYPE_FINISHED
Definition: tls.h:946
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512
Definition: tls.h:1117
@ TLS_STATE_CLIENT_CERTIFICATE
Definition: tls.h:1305
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256
Definition: tls.h:1120
@ TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC_2
Definition: tls.h:1309
@ TLS_STATE_ENCRYPTED_EXTENSIONS
Definition: tls.h:1299
Handshake message processing (TLS server)
error_t tlsFormatSignatureAlgorithmsCertExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SignatureAlgorithmsCert extension.
Definition: tls_common.c:1001
error_t tlsWriteProtocolData(TlsContext *context, const uint8_t *data, size_t length, TlsContentType contentType)
Write protocol data.
Definition: tls_record.c:55
#define LOAD24BE(p)
Definition: cpu_endian.h:181
@ TLS_CONNECTION_END_CLIENT
Definition: tls.h:861
Certificate handling.
uint8_t message[]
Definition: chap.h:152
error_t tlsSendFinished(TlsContext *context)
Send Finished message.
Definition: tls_common.c:383
@ X509_HASH_ALGO_SHA384
Definition: x509_common.h:544
@ X509_HASH_ALGO_SHA256
Definition: x509_common.h:543
TLS (Transport Layer Security)
@ TLS_SIGN_ALGO_RSA
Definition: tls.h:1112
error_t tlsParseCertificateVerify(TlsContext *context, const TlsCertificateVerify *message, size_t length)
Parse CertificateVerify message.
Definition: tls_common.c:1432
#define STORE24BE(a, p)
Definition: cpu_endian.h:257
@ TLS_CERT_ECDSA_SIGN
Definition: tls.h:1079
@ TLS_EXT_SIGNATURE_ALGORITHMS
Definition: tls.h:1150
@ TLS_CERT_NONE
Definition: tls.h:1071
@ TLS_STATE_SERVER_CHANGE_CIPHER_SPEC_2
Definition: tls.h:1313
@ X509_SIGN_ALGO_ED25519
Definition: x509_common.h:528
@ ERROR_DECODING_FAILED
Definition: error.h:235
error_t tlsGenerateSignature(TlsContext *context, uint8_t *p, size_t *length)
Digital signature generation(SSL 3.0, TLS 1.0 or TLS 1.1)
#define PRIuSIZE
Definition: compiler_port.h:78
unsigned int uint_t
Definition: compiler_port.h:45
Handshake message processing (TLS client)
@ TLS_STATE_SERVER_HELLO_2
Definition: tls.h:1296
@ TLS_STATE_CLIENT_FINISHED
Definition: tls.h:1310
@ ERROR_CERTIFICATE_REQUIRED
Definition: error.h:133
@ ERROR_INVALID_SIGNATURE
Definition: error.h:223
@ TLS_SIGN_ALGO_ECDSA
Definition: tls.h:1114
error_t tls12VerifySignature(TlsContext *context, const uint8_t *p, size_t length)
error_t tlsFormatCertificate(TlsContext *context, TlsCertificate *message, size_t *length)
Format Certificate message.
Definition: tls_common.c:566
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384
Definition: tls.h:1116
@ NO_ERROR
Success.
Definition: error.h:44
Debugging facilities.
error_t tlsSendCertificateVerify(TlsContext *context)
Send CertificateVerify message.
Definition: tls_common.c:192
@ X509_SIGN_ALGO_DSA
Definition: x509_common.h:526
void TlsCertificate
Certificate message.
Definition: tls.h:1637
@ X509_SIGN_ALGO_ED448
Definition: x509_common.h:529
uint8_t description
Definition: tls.h:1703
@ TLS_STATE_CLOSED
Definition: tls.h:1321