tls_extensions.c
Go to the documentation of this file.
1 /**
2  * @file tls_extensions.c
3  * @brief Parsing and checking of TLS extensions
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 1.9.6
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include <string.h>
36 #include "tls.h"
37 #include "tls_cipher_suites.h"
38 #include "tls_extensions.h"
39 #include "tls_transcript_hash.h"
40 #include "tls_record.h"
41 #include "dtls_record.h"
42 #include "debug.h"
43 
44 //Check TLS library configuration
45 #if (TLS_SUPPORT == ENABLED)
46 
47 
48 /**
49  * @brief Parse Hello extensions
50  * @param[in] msgType Handshake message type
51  * @param[in] p Input stream where to read the list of extensions
52  * @param[in] length Number of bytes available in the input stream
53  * @param[out] extensions List of Hello extensions resulting from the parsing process
54  * @return Error code
55  **/
56 
59 {
60  error_t error;
61  size_t n;
62  uint16_t type;
63  const TlsExtension *extension;
64  const TlsExtensionList *extensionList;
65 
66  //Initialize TLS extensions
67  memset(extensions, 0, sizeof(TlsHelloExtensions));
68 
69  //Check message type
71  {
72  //The implementation must accept messages both with and without the
73  //extensions field
74  if(length == 0)
75  {
76  //The extensions field is not present
77  return NO_ERROR;
78  }
79  }
80 
81  //Point to the list of extensions
82  extensionList = (TlsExtensionList *) p;
83 
84  //Malformed message?
85  if(length < sizeof(TlsExtensionList))
86  return ERROR_DECODING_FAILED;
87 
88  //If the amount of data in the message does not precisely match the format
89  //of the message, then send a fatal alert
90  if(length != (sizeof(TlsExtensionList) + ntohs(extensionList->length)))
91  return ERROR_DECODING_FAILED;
92 
93  //Point to the first extension of the list
94  p += sizeof(TlsExtensionList);
95  //Retrieve the length of the list
96  length -= sizeof(TlsExtensionList);
97 
98  //Parse the list of extensions offered by the peer
99  while(length > 0)
100  {
101  //Point to the current extension
102  extension = (TlsExtension *) p;
103 
104  //Check the length of the extension
105  if(length < sizeof(TlsExtension))
106  return ERROR_DECODING_FAILED;
107  if(length < (sizeof(TlsExtension) + ntohs(extension->length)))
108  return ERROR_DECODING_FAILED;
109 
110  //Get extension type
111  type = ntohs(extension->type);
112  //Retrieve the length of the extension
113  n = ntohs(extension->length);
114 
115  //Jump to the next extension
116  p += sizeof(TlsExtension) + n;
117  //Number of bytes left to process
118  length -= sizeof(TlsExtension) + n;
119 
120  //Test if the current extension is a duplicate
122  //Duplicate extension found?
123  if(error)
124  return error;
125 
126  //When multiple extensions of different types are present in the ClientHello
127  //or ServerHello messages, the extensions may appear in any order
129  {
130  //Check message type
132  {
133  const TlsSupportedVersionList *supportedVersionList;
134 
135  //Point to the SupportedVersions extension
136  supportedVersionList = (TlsSupportedVersionList *) extension->value;
137 
138  //Malformed extension?
139  if(n < sizeof(TlsSupportedVersionList))
140  return ERROR_DECODING_FAILED;
141  if(n != (sizeof(TlsSupportedVersionList) + supportedVersionList->length))
142  return ERROR_DECODING_FAILED;
143 
144  //Check the length of the list
145  if(supportedVersionList->length == 0)
146  return ERROR_DECODING_FAILED;
147  if((supportedVersionList->length % 2) != 0)
148  return ERROR_DECODING_FAILED;
149 
150  //The SupportedVersions extension is valid
151  extensions->supportedVersionList = supportedVersionList;
152  }
153  else if(msgType == TLS_TYPE_SERVER_HELLO ||
155  {
156  //The extension contains the selected version value
157  if(n != sizeof(uint16_t))
158  return ERROR_DECODING_FAILED;
159 
160  //The SupportedVersions extension is valid
161  extensions->selectedVersion = extension->value;
162  }
163  else
164  {
165  //The extension is not specified for the message in which it appears
167  }
168  }
169  else if(type == TLS_EXT_SERVER_NAME)
170  {
171  const TlsServerNameList *serverNameList;
172 
173  //Point to the ServerName extension
174  serverNameList = (TlsServerNameList *) extension->value;
175 
176  //Empty extension?
177  if(n == 0)
178  {
179  //When the server includes a ServerName extension, the data field
180  //of this extension may be empty
182  return ERROR_DECODING_FAILED;
183  }
184  else
185  {
186  //Malformed extension?
187  if(n < sizeof(TlsServerNameList))
188  return ERROR_DECODING_FAILED;
189  if(n != (sizeof(TlsServerNameList) + ntohs(serverNameList->length)))
190  return ERROR_DECODING_FAILED;
191 
192  //Check the length of the list
193  if(ntohs(serverNameList->length) == 0)
194  return ERROR_DECODING_FAILED;
195  }
196 
197  //The ServerName extension is valid
198  extensions->serverNameList = serverNameList;
199  }
200  else if(type == TLS_EXT_SUPPORTED_GROUPS)
201  {
202  const TlsSupportedGroupList *supportedGroupList;
203 
204  //Point to the SupportedGroups extension
205  supportedGroupList = (TlsSupportedGroupList *) extension->value;
206 
207  //Malformed extension?
208  if(n < sizeof(TlsSupportedGroupList))
209  return ERROR_DECODING_FAILED;
210  if(n != (sizeof(TlsSupportedGroupList) + ntohs(supportedGroupList->length)))
211  return ERROR_DECODING_FAILED;
212 
213  //Check the length of the list
214  if(ntohs(supportedGroupList->length) == 0)
215  return ERROR_DECODING_FAILED;
216  if((ntohs(supportedGroupList->length) % 2) != 0)
217  return ERROR_DECODING_FAILED;
218 
219  //The SupportedGroups extension is valid
220  extensions->supportedGroupList = supportedGroupList;
221  }
222  else if(type == TLS_EXT_EC_POINT_FORMATS)
223  {
224  const TlsEcPointFormatList *ecPointFormatList;
225 
226  //Point to the EcPointFormats extension
227  ecPointFormatList = (TlsEcPointFormatList *) extension->value;
228 
229  //Malformed extension?
230  if(n < sizeof(TlsEcPointFormatList))
231  return ERROR_DECODING_FAILED;
232  if(n != (sizeof(TlsEcPointFormatList) + ecPointFormatList->length))
233  return ERROR_DECODING_FAILED;
234 
235  //Check the length of the list
236  if(ntohs(ecPointFormatList->length) == 0)
237  return ERROR_DECODING_FAILED;
238 
239  //The EcPointFormats extension is valid
240  extensions->ecPointFormatList = ecPointFormatList;
241  }
243  {
244  const TlsSignHashAlgos *signAlgoList;
245 
246  //Point to the SignatureAlgorithms extension
247  signAlgoList = (TlsSignHashAlgos *) extension->value;
248 
249  //Malformed extension?
250  if(n < sizeof(TlsSignHashAlgos))
251  return ERROR_DECODING_FAILED;
252  if(n != (sizeof(TlsSignHashAlgos) + ntohs(signAlgoList->length)))
253  return ERROR_DECODING_FAILED;
254 
255  //Check the length of the list
256  if(ntohs(signAlgoList->length) == 0)
257  return ERROR_DECODING_FAILED;
258  if((ntohs(signAlgoList->length) % 2) != 0)
259  return ERROR_DECODING_FAILED;
260 
261  //The SignatureAlgorithms extension is valid
262  extensions->signAlgoList = signAlgoList;
263  }
265  {
266  const TlsSignHashAlgos *certSignAlgoList;
267 
268  //Point to the SignatureAlgorithmsCert extension
269  certSignAlgoList = (TlsSignHashAlgos *) extension->value;
270 
271  //Malformed extension?
272  if(n < sizeof(TlsSignHashAlgos))
273  return ERROR_DECODING_FAILED;
274  if(n != (sizeof(TlsSignHashAlgos) + ntohs(certSignAlgoList->length)))
275  return ERROR_DECODING_FAILED;
276 
277  //Check the length of the list
278  if(ntohs(certSignAlgoList->length) == 0)
279  return ERROR_DECODING_FAILED;
280  if((ntohs(certSignAlgoList->length) % 2) != 0)
281  return ERROR_DECODING_FAILED;
282 
283  //The SignatureAlgorithmsCert extension is valid
284  extensions->certSignAlgoList = certSignAlgoList;
285  }
286 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
288  {
289  //Malformed extension?
290  if(n != sizeof(uint8_t))
291  return ERROR_DECODING_FAILED;
292 
293  //The MaxFragmentLength extension is valid
294  extensions->maxFragLen = extension->value;
295  }
296 #endif
297 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
298  else if(type == TLS_EXT_RECORD_SIZE_LIMIT)
299  {
300  //Malformed extension?
301  if(n != sizeof(uint16_t))
302  return ERROR_DECODING_FAILED;
303 
304  //The RecordSizeLimit extension is valid
305  extensions->recordSizeLimit = extension->value;
306  }
307 #endif
308 #if (TLS_ALPN_SUPPORT == ENABLED)
309  else if(type == TLS_EXT_ALPN)
310  {
311  const TlsProtocolNameList *protocolNameList;
312 
313  //Point to the ALPN extension
314  protocolNameList = (TlsProtocolNameList *) extension->value;
315 
316  //Malformed extension?
317  if(n < sizeof(TlsProtocolNameList))
318  return ERROR_DECODING_FAILED;
319  if(n != (sizeof(TlsProtocolNameList) + ntohs(protocolNameList->length)))
320  return ERROR_DECODING_FAILED;
321 
322  //The ALPN extension is valid
323  extensions->protocolNameList = protocolNameList;
324  }
325 #endif
326 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
327  else if(type == TLS_EXT_CLIENT_CERT_TYPE)
328  {
329  //Check message type
331  {
332  const TlsCertTypeList *clientCertTypeList;
333 
334  //Point to the ClientCertType extension
335  clientCertTypeList = (TlsCertTypeList *) extension->value;
336 
337  //Malformed extension?
338  if(n < sizeof(TlsCertTypeList))
339  return ERROR_DECODING_FAILED;
340  if(n != (sizeof(TlsCertTypeList) + clientCertTypeList->length))
341  return ERROR_DECODING_FAILED;
342 
343  //The ClientCertType extension is valid
344  extensions->clientCertTypeList = clientCertTypeList;
345  }
346  else
347  {
348  //Only a single value is permitted in the ClientCertType extension
349  //when carried in the ServerHello
350  if(n != sizeof(uint8_t))
351  return ERROR_DECODING_FAILED;
352 
353  //The ClientCertType extension is valid
354  extensions->clientCertType = extension->value;
355  }
356  }
357  else if(type == TLS_EXT_SERVER_CERT_TYPE)
358  {
359  //Check message type
361  {
362  const TlsCertTypeList *serverCertTypeList;
363 
364  //Point to the ServerCertType extension
365  serverCertTypeList = (TlsCertTypeList *) extension->value;
366 
367  //Malformed extension?
368  if(n < sizeof(TlsCertTypeList))
369  return ERROR_DECODING_FAILED;
370  if(n != (sizeof(TlsCertTypeList) + serverCertTypeList->length))
371  return ERROR_DECODING_FAILED;
372 
373  //The ServerCertType extension is valid
374  extensions->serverCertTypeList = serverCertTypeList;
375  }
376  else
377  {
378  //Only a single value is permitted in the ServerCertType extension
379  //when carried in the ServerHello
380  if(n != sizeof(uint8_t))
381  return ERROR_DECODING_FAILED;
382 
383  //The ServerCertType extension is valid
384  extensions->serverCertType = extension->value;
385  }
386  }
387 #endif
388 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
390  {
391  //Malformed extension?
392  if(n != 0)
393  return ERROR_DECODING_FAILED;
394 
395  //The ExtendedMasterSecret extension is valid
396  extensions->extendedMasterSecret = extension->value;
397  }
398 #endif
399 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
400  else if(type == TLS_EXT_RENEGOTIATION_INFO)
401  {
402  const TlsRenegoInfo *renegoInfo;
403 
404  //Point to the RenegotiationInfo extension
405  renegoInfo = (TlsRenegoInfo *) extension->value;
406 
407  //Malformed extension?
408  if(n < sizeof(TlsRenegoInfo))
409  return ERROR_DECODING_FAILED;
410  if(n != (sizeof(TlsRenegoInfo) + renegoInfo->length))
411  return ERROR_DECODING_FAILED;
412 
413  //The RenegotiationInfo extension is valid
414  extensions->renegoInfo = renegoInfo;
415  }
416 #endif
417 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
418  else if(type == TLS_EXT_COOKIE)
419  {
420  const Tls13Cookie *cookie;
421 
422  //Point to the Cookie extension
423  cookie = (Tls13Cookie *) extension->value;
424 
425  //Malformed extension?
426  if(n < sizeof(Tls13Cookie))
427  return ERROR_DECODING_FAILED;
428  if(n != (sizeof(Tls13Cookie) + ntohs(cookie->length)))
429  return ERROR_DECODING_FAILED;
430 
431  //Check the length of the cookie
432  if(ntohs(cookie->length) == 0)
433  return ERROR_DECODING_FAILED;
434 
435  //The Cookie extension is valid
436  extensions->cookie = cookie;
437  }
438  else if(type == TLS_EXT_KEY_SHARE)
439  {
440  //Check message type
442  {
443  size_t k;
444  size_t m;
445  const Tls13KeyShareList *keyShareList;
446  const Tls13KeyShareEntry *keyShareEntry;
447 
448  //The extension contains a list of offered KeyShareEntry values
449  //in descending order of client preference
450  keyShareList = (Tls13KeyShareList *) extension->value;
451 
452  //Malformed extension?
453  if(n < sizeof(Tls13KeyShareList))
454  return ERROR_DECODING_FAILED;
455  if(n != (sizeof(Tls13KeyShareList) + ntohs(keyShareList->length)))
456  return ERROR_DECODING_FAILED;
457 
458  //Point to the first KeyShareEntry of the list
459  p = keyShareList->value;
460  //Retrieve the length of the list
461  m = ntohs(keyShareList->length);
462 
463  //Parse the list of key share entries offered by the peer
464  while(m > 0)
465  {
466  //Malformed extension?
467  if(m < sizeof(Tls13KeyShareEntry))
468  return ERROR_DECODING_FAILED;
469 
470  //Point to the current key share entry
471  keyShareEntry = (Tls13KeyShareEntry *) p;
472  //Retrieve the length of the key_exchange field
473  k = ntohs(keyShareEntry->length);
474 
475  //Malformed extension?
476  if(m < (sizeof(Tls13KeyShareEntry) + k))
477  return ERROR_DECODING_FAILED;
478 
479  //Point to the next entry
480  p += sizeof(Tls13KeyShareEntry) + k;
481  //Remaining bytes to process
482  m -= sizeof(Tls13KeyShareEntry) + k;
483 
484  //Clients must not offer multiple KeyShareEntry values for the
485  //same group. Servers may check for violations of this rule and
486  //abort the handshake with an illegal_parameter alert
487  error = tls13CheckDuplicateKeyShare(ntohs(keyShareEntry->group),
488  p, m);
489  //Any error to report?
490  if(error)
492  }
493 
494  //The KeyShare extension is valid
495  extensions->keyShareList = keyShareList;
496  }
498  {
499  //The extension contains the mutually supported group the server
500  //intends to negotiate
501  if(n != sizeof(uint16_t))
502  return ERROR_DECODING_FAILED;
503 
504  //The KeyShare extension is valid
505  extensions->selectedGroup = extension->value;
506  }
507  else if(msgType == TLS_TYPE_SERVER_HELLO)
508  {
509  const Tls13KeyShareEntry *serverShare;
510 
511  //The extension contains a single KeyShareEntry value that is in
512  //the same group as one of the client's shares
513  serverShare = (Tls13KeyShareEntry *) extension->value;
514 
515  //Malformed extension?
516  if(n < sizeof(Tls13KeyShareEntry))
517  return ERROR_DECODING_FAILED;
518  if(n != (sizeof(Tls13KeyShareEntry) + ntohs(serverShare->length)))
519  return ERROR_DECODING_FAILED;
520 
521  //The KeyShare extension is valid
522  extensions->serverShare = serverShare;
523  }
524  else
525  {
526  //The extension is not specified for the message in which it appears
527 #if (TLS_MAX_EMPTY_RECORDS > 0)
529 #else
531 #endif
532  }
533  }
535  {
536  const Tls13PskKeModeList *pskKeModeList;
537 
538  //The extension contains the list of PSK key exchange modes that
539  //are supported by the client
540  pskKeModeList = (Tls13PskKeModeList *) extension->value;
541 
542  //Malformed extension?
543  if(n < sizeof(Tls13PskKeModeList))
544  return ERROR_DECODING_FAILED;
545  if(n != (sizeof(Tls13PskKeModeList) + pskKeModeList->length))
546  return ERROR_DECODING_FAILED;
547 
548  //The PskKeyExchangeModes extension is valid
549  extensions->pskKeModeList = pskKeModeList;
550  }
551  else if(type == TLS_EXT_PRE_SHARED_KEY)
552  {
553  //Check message type
555  {
556  const Tls13PskIdentityList *identityList;
557  const Tls13PskBinderList *binderList;
558 
559  //The PreSharedKey extension must be the last extension in the
560  //ClientHello. Servers must check that it is the last extension and
561  //otherwise fail the handshake with an illegal_parameter alert
562  if(length != 0)
564 
565  //The extension contains a list of the identities that the client
566  //is willing to negotiate with the server
567  identityList = (Tls13PskIdentityList *) extension->value;
568 
569  //Malformed extension?
570  if(n < sizeof(Tls13PskIdentityList))
571  return ERROR_DECODING_FAILED;
572  if(n < (sizeof(Tls13PskIdentityList) + ntohs(identityList->length)))
573  return ERROR_DECODING_FAILED;
574 
575  //Remaining bytes to process
576  n -= sizeof(Tls13PskIdentityList) + ntohs(identityList->length);
577 
578  //The extension also contains a series of HMAC values, one for each
579  //PSK offered in the PreSharedKey extension and in the same order
580  binderList = (Tls13PskBinderList *) (extension->value +
581  sizeof(Tls13PskIdentityList) + ntohs(identityList->length));
582 
583  //Malformed extension?
584  if(n < sizeof(Tls13PskBinderList))
585  return ERROR_DECODING_FAILED;
586  if(n != (sizeof(Tls13PskBinderList) + ntohs(binderList->length)))
587  return ERROR_DECODING_FAILED;
588 
589  //The PreSharedKey extension is valid
590  extensions->identityList = identityList;
591  extensions->binderList = binderList;
592  }
593  else if(msgType == TLS_TYPE_SERVER_HELLO)
594  {
595  //The extension contains the chosen identity expressed as a 0-based
596  //index into the identities in the client's list
597  if(n != sizeof(uint16_t))
598  return ERROR_DECODING_FAILED;
599 
600  //The PreSharedKey extension is valid
601  extensions->selectedIdentity = extension->value;
602  }
603  else
604  {
605  //The extension is not specified for the message in which it appears
607  }
608  }
609  else if(type == TLS_EXT_EARLY_DATA)
610  {
611  //Check message type
614  {
615  //The extension data field is empty
616  if(n != 0)
617  return ERROR_DECODING_FAILED;
618  }
620  {
621  //The extension data field contains an unsigned 32-bit integer
622  if(n != sizeof(uint32_t))
623  return ERROR_DECODING_FAILED;
624  }
625  else
626  {
627  //The extension is not specified for the message in which it appears
629  }
630 
631  //The EarlyData extension is valid
632  extensions->earlyDataIndication = extension->value;
633  }
634 #endif
635  else
636  {
637  //If a client receives an extension type in the ServerHello that it
638  //did not request in the associated ClientHello, it must abort the
639  //handshake with an unsupported_extension fatal alert
643  {
644  //Report an error
646  }
647  }
648  }
649 
650  //Successful processing
651  return NO_ERROR;
652 }
653 
654 
655 /**
656  * @brief Check Hello extensions
657  * @param[in] msgType Handshake message type
658  * @param[in] version TLS version
659  * @param[in] extensions List of Hello extensions offered by the peer
660  * @return Error code
661  **/
662 
665 {
666  error_t error;
667 
668  //Initialize status code
669  error = NO_ERROR;
670 
671 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED && TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
672  //A client must treat receipt of both MaxFragmentLength and RecordSizeLimit
673  //extensions as a fatal error, and it should generate an illegal_parameter
674  //alert (refer to RFC 8449, section 5)
675  if(extensions->maxFragLen != NULL && extensions->recordSizeLimit != NULL)
676  {
677  //ServerHello or EncryptedExtensions message?
680  {
681  error = ERROR_ILLEGAL_PARAMETER;
682  }
683  }
684 #endif
685 
686 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
687  //If an implementation receives an extension which it recognizes and which
688  //is not specified for the message in which it appears it must abort the
689  //handshake with an illegal_parameter alert (refer to RFC 8446, section 4.2)
690  if(version == TLS_VERSION_1_3)
691  {
692  //SupportedVersions extension found?
693  if(extensions->supportedVersionList != NULL ||
694  extensions->selectedVersion != NULL)
695  {
696  //The extension can only appear in CH, SH and HRR messages
700  {
701  error = ERROR_ILLEGAL_PARAMETER;
702  }
703  }
704 
705  //ServerName extension found?
706  if(extensions->serverNameList != NULL)
707  {
708  //The extension can only appear in CH and EE messages
711  {
712  error = ERROR_ILLEGAL_PARAMETER;
713  }
714  }
715 
716  //SupportedGroups extension found?
717  if(extensions->supportedGroupList != NULL)
718  {
719  //The extension can only appear in CH and EE messages
722  {
723  error = ERROR_ILLEGAL_PARAMETER;
724  }
725  }
726 
727  //EcPointFormats extension found?
728  if(extensions->ecPointFormatList != NULL)
729  {
730  //The extension can only appear in CH
732  {
733  error = ERROR_ILLEGAL_PARAMETER;
734  }
735  }
736 
737  //SignatureAlgorithms extension found?
738  if(extensions->signAlgoList != NULL)
739  {
740  //The extension can only appear in CH and CR messages
743  {
744  error = ERROR_ILLEGAL_PARAMETER;
745  }
746  }
747 
748  //SignatureAlgorithmsCert extension found?
749  if(extensions->certSignAlgoList != NULL)
750  {
751  //The extension can only appear in CH and CR messages
754  {
755  error = ERROR_ILLEGAL_PARAMETER;
756  }
757  }
758 
759 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
760  //MaxFragmentLength extension found?
761  if(extensions->maxFragLen != NULL)
762  {
763  //The extension can only appear in CH and EE messages
766  {
767  error = ERROR_ILLEGAL_PARAMETER;
768  }
769  }
770 #endif
771 
772 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
773  //RecordSizeLimit extension found?
774  if(extensions->recordSizeLimit != NULL)
775  {
776  //The extension can only appear in CH and EE messages
779  {
780  error = ERROR_ILLEGAL_PARAMETER;
781  }
782  }
783 #endif
784 
785 #if (TLS_ALPN_SUPPORT == ENABLED)
786  //ALPN extension found?
787  if(extensions->protocolNameList != NULL)
788  {
789  //The extension can only appear in CH and EE messages
792  {
793  error = ERROR_ILLEGAL_PARAMETER;
794  }
795  }
796 #endif
797 
798 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
799  //ClientCertType extension found?
800  if(extensions->clientCertTypeList != NULL ||
801  extensions->clientCertType != NULL)
802  {
803  //The extension can only appear in CH and EE messages
806  {
807  error = ERROR_ILLEGAL_PARAMETER;
808  }
809  }
810 
811  //ServerCertType extension found?
812  if(extensions->serverCertTypeList != NULL ||
813  extensions->serverCertType != NULL)
814  {
815  //The extension can only appear in CH and EE messages
818  {
819  error = ERROR_ILLEGAL_PARAMETER;
820  }
821  }
822 #endif
823 
824 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
825  //ExtendedMasterSecret extension found?
826  if(extensions->extendedMasterSecret != NULL)
827  {
828  //The extension can only appear in CH
830  {
831  error = ERROR_ILLEGAL_PARAMETER;
832  }
833  }
834 #endif
835 
836 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
837  //RenegotiationInfo extension found?
838  if(extensions->renegoInfo != NULL)
839  {
840  //The extension can only appear in CH
842  {
843  error = ERROR_ILLEGAL_PARAMETER;
844  }
845  }
846 #endif
847 
848  //Cookie extension found?
849  if(extensions->cookie != NULL)
850  {
851  //The extension can only appear in CH and HRR messages
854  {
855  error = ERROR_ILLEGAL_PARAMETER;
856  }
857  }
858 
859  //KeyShare extension found?
860  if(extensions->keyShareList != NULL ||
861  extensions->serverShare != NULL ||
862  extensions->selectedGroup != NULL)
863  {
864  //The extension can only appear in CH, SH and HRR messages
868  {
869  error = ERROR_ILLEGAL_PARAMETER;
870  }
871  }
872 
873  //PskKeyExchangeModes extension found?
874  if(extensions->pskKeModeList != NULL)
875  {
876  //The extension can only appear in CH message
878  {
879  error = ERROR_ILLEGAL_PARAMETER;
880  }
881  }
882 
883  //PreSharedKey extension found?
884  if(extensions->identityList != NULL ||
885  extensions->binderList != NULL ||
886  extensions->selectedIdentity != NULL)
887  {
888  //The extension can only appear in CH and SH messages
891  {
892  error = ERROR_ILLEGAL_PARAMETER;
893  }
894  }
895 
896  //EarlyData extension found?
897  if(extensions->earlyDataIndication != NULL)
898  {
899  //The extension can only appear in CH, EE and NST messages
903  {
904  error = ERROR_ILLEGAL_PARAMETER;
905  }
906  }
907  }
908 
909  //Check mandatory-to-implement extensions
911  {
912  //A client must provide a PskKeyExchangeModes extension if it offers a
913  //PreSharedKey extension (refer to RFC 8446, section 4.2.9)
914  if(extensions->identityList != NULL || extensions->binderList != NULL)
915  {
916  //If a client offers PreSharedKey without a PskKeyExchangeModes
917  //extension, the servers must abort the handshake
918  if(extensions->pskKeModeList == NULL)
919  {
920  error = ERROR_MISSING_EXTENSION;
921  }
922  }
923 
924  //If the ClientHello does not contain a PreSharedKey extension, it must
925  //contain both a SignatureAlgorithms extension and a SupportedGroups
926  //extension (refer to RFC 8446, section 9.2)
927  if(extensions->identityList == NULL || extensions->binderList == NULL)
928  {
929  //Servers receiving a ClientHello which does not conform to these
930  //requirements must abort the handshake with a missing_extension
931  //alert
932  if(extensions->signAlgoList == NULL ||
933  extensions->supportedGroupList == NULL)
934  {
935  error = ERROR_MISSING_EXTENSION;
936  }
937  }
938 
939  //If the ClientHello contains a SupportedGroups extension, it must also
940  //contain a KeyShare extension, and vice versa
941  if(extensions->supportedGroupList != NULL &&
942  extensions->keyShareList == NULL)
943  {
944  error = ERROR_MISSING_EXTENSION;
945  }
946  else if(extensions->keyShareList != NULL &&
947  extensions->supportedGroupList == NULL)
948  {
949  error = ERROR_MISSING_EXTENSION;
950  }
951  }
952 #endif
953 
954  //Return status code
955  return error;
956 }
957 
958 
959 /**
960  * @brief Check whether the specified extension type is a duplicate
961  * @param[in] type Extension type
962  * @param[in] p Input stream where to read the list of extensions
963  * @param[in] length Number of bytes available in the input stream
964  * @return Error code
965  **/
966 
967 error_t tlsCheckDuplicateExtension(uint16_t type, const uint8_t *p,
968  size_t length)
969 {
970  size_t n;
971  const TlsExtension *extension;
972 
973  //Parse the list of extensions offered by the peer
974  while(length > 0)
975  {
976  //Point to the current extension
977  extension = (TlsExtension *) p;
978 
979  //Check the length of the extension
980  if(length < sizeof(TlsExtension))
981  return ERROR_DECODING_FAILED;
982  if(length < (sizeof(TlsExtension) + ntohs(extension->length)))
983  return ERROR_DECODING_FAILED;
984 
985  //There must not be more than one extension of the same type (refer to
986  //RFC 5246, section 7.4.1.4)
987  if(ntohs(extension->type) == type)
988  {
990  return ERROR_DECODING_FAILED;
991  else
993  }
994 
995  //Retrieve the length of the extension
996  n = ntohs(extension->length);
997 
998  //Jump to the next extension
999  p += sizeof(TlsExtension) + n;
1000  //Number of bytes left to process
1001  length -= sizeof(TlsExtension) + n;
1002  }
1003 
1004  //Successful verification
1005  return NO_ERROR;
1006 }
1007 
1008 
1009 /**
1010  * @brief Check whether the specified ALPN protocol is supported
1011  * @param[in] context Pointer to the TLS context
1012  * @param[in] protocol Pointer to the protocol name
1013  * @param[in] length Length of the protocol name, in bytes
1014  * @return TRUE if the specified protocol is supported, else FALSE
1015  **/
1016 
1018  const char_t *protocol, size_t length)
1019 {
1020  bool_t supported;
1021 
1022  //Initialize flag
1023  supported = FALSE;
1024 
1025 #if (TLS_ALPN_SUPPORT == ENABLED)
1026  //Sanity check
1027  if(context->protocolList != NULL)
1028  {
1029  size_t i;
1030  size_t j;
1031 
1032  //Move back to the beginning of the list
1033  i = 0;
1034  j = 0;
1035 
1036  //Parse the list of supported protocols
1037  do
1038  {
1039  //Delimiter character found?
1040  if(context->protocolList[i] == ',' || context->protocolList[i] == '\0')
1041  {
1042  //Check the length of the protocol name
1043  if(length == (i - j))
1044  {
1045  //Compare protocol names
1046  if(!memcmp(protocol, context->protocolList + j, i - j))
1047  {
1048  //The specified protocol is supported
1049  supported = TRUE;
1050  //We are done
1051  break;
1052  }
1053  }
1054 
1055  //Move to the next token
1056  j = i + 1;
1057  }
1058 
1059  //Loop until the NULL character is reached
1060  } while(context->protocolList[i++] != '\0');
1061  }
1062 #endif
1063 
1064  //Return TRUE if the specified protocol is supported
1065  return supported;
1066 }
1067 
1068 #endif
@ TLS_EXT_PSK_KEY_EXCHANGE_MODES
Definition: tls.h:1168
@ TLS_EXT_MAX_FRAGMENT_LENGTH
Definition: tls.h:1138
Parsing and checking of TLS extensions.
uint8_t length
Definition: dtls_misc.h:149
__start_packed struct @95 Tls13PskIdentityList
List of PSK identities.
int bool_t
Definition: compiler_port.h:49
TLS cipher suites.
__start_packed struct @69 TlsExtensionList
List of TLS extensions.
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:237
__start_packed struct @97 Tls13PskBinderList
List of PSK binders.
@ TLS_EXT_SUPPORTED_VERSIONS
Definition: tls.h:1166
uint8_t p
Definition: ndp.h:298
error_t tlsCheckDuplicateExtension(uint16_t type, const uint8_t *p, size_t length)
Check whether the specified extension type is a duplicate.
__start_packed struct @91 Tls13KeyShareEntry
Key share entry.
#define TRUE
Definition: os_port.h:50
bool_t tlsIsAlpnProtocolSupported(TlsContext *context, const char_t *protocol, size_t length)
Check whether the specified ALPN protocol is supported.
uint16_t version
Definition: dtls_misc.h:172
TlsMessageType
Handshake message type.
Definition: tls.h:930
__start_packed struct @93 Tls13PskKeModeList
List of PSK key exchange modes.
__start_packed struct @90 Tls13Cookie
Cookie.
@ TLS_EXT_EARLY_DATA
Definition: tls.h:1165
@ TLS_EXT_SERVER_NAME
Definition: tls.h:1137
@ TLS_EXT_SIGNATURE_ALGORITHMS_CERT
Definition: tls.h:1172
#define FALSE
Definition: os_port.h:46
__start_packed struct @65 TlsSignHashAlgos
List of signature algorithms.
@ ERROR_UNSUPPORTED_EXTENSION
Definition: error.h:239
char_t type
@ TLS_EXT_CLIENT_CERT_TYPE
Definition: tls.h:1156
#define TlsContext
Definition: tls.h:36
error_t
Error codes.
Definition: error.h:42
DTLS record protocol.
@ TLS_EXT_EXTENDED_MASTER_SECRET
Definition: tls.h:1160
uint8_t protocol
@ TLS_EXT_SUPPORTED_GROUPS
Definition: tls.h:1147
@ TLS_EXT_RENEGOTIATION_INFO
Definition: tls.h:1174
error_t tlsParseHelloExtensions(TlsMessageType msgType, const uint8_t *p, size_t length, TlsHelloExtensions *extensions)
Parse Hello extensions.
@ TLS_TYPE_CLIENT_HELLO
Definition: tls.h:933
@ TLS_EXT_KEY_SHARE
Definition: tls.h:1173
@ ERROR_MISSING_EXTENSION
Definition: error.h:238
#define TLS_VERSION_1_3
Definition: tls.h:95
@ TLS_TYPE_SERVER_HELLO
Definition: tls.h:934
@ TLS_TYPE_ENCRYPTED_EXTENSIONS
Definition: tls.h:939
TLS record protocol.
@ TLS_EXT_COOKIE
Definition: tls.h:1167
__start_packed struct @74 TlsProtocolNameList
List of protocol names.
__start_packed struct @68 TlsExtension
TLS extension.
@ TLS_EXT_EC_POINT_FORMATS
Definition: tls.h:1148
@ TLS_EXT_ALPN
Definition: tls.h:1153
Hello extensions.
Definition: tls.h:1894
Transcript hash calculation.
#define ntohs(value)
Definition: cpu_endian.h:398
char char_t
Definition: compiler_port.h:43
uint8_t m
Definition: ndp.h:302
uint8_t n
uint8_t extensions[]
Definition: tls13_misc.h:327
__start_packed struct @72 TlsServerNameList
List of server names.
__start_packed struct @77 TlsCertTypeList
List of supported certificate types.
__start_packed struct @70 TlsSupportedVersionList
List of supported versions.
@ TLS_EXT_SERVER_CERT_TYPE
Definition: tls.h:1157
uint8_t msgType
Definition: dtls_misc.h:186
__start_packed struct @75 TlsSupportedGroupList
List of supported groups.
@ TLS_TYPE_CERTIFICATE_REQUEST
Definition: tls.h:942
@ TLS_EXT_PRE_SHARED_KEY
Definition: tls.h:1164
TLS (Transport Layer Security)
uint8_t cookie[]
Definition: dtls_misc.h:203
error_t tlsCheckHelloExtensions(TlsMessageType msgType, uint16_t version, TlsHelloExtensions *extensions)
Check Hello extensions.
@ TLS_EXT_SIGNATURE_ALGORITHMS
Definition: tls.h:1150
__start_packed struct @92 Tls13KeyShareList
List of key shares.
@ TLS_TYPE_NEW_SESSION_TICKET
Definition: tls.h:936
@ ERROR_DECODING_FAILED
Definition: error.h:235
@ TLS_TYPE_HELLO_RETRY_REQUEST
Definition: tls.h:938
__start_packed struct @76 TlsEcPointFormatList
List of supported EC point formats.
error_t tls13CheckDuplicateKeyShare(uint16_t namedGroup, const uint8_t *p, size_t length)
__start_packed struct @78 TlsRenegoInfo
Renegotiated connection.
@ NO_ERROR
Success.
Definition: error.h:44
@ TLS_EXT_RECORD_SIZE_LIMIT
Definition: tls.h:1162
Debugging facilities.