tls_extensions.c
Go to the documentation of this file.
1 /**
2  * @file tls_extensions.c
3  * @brief Parsing and checking of TLS extensions
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.4.0
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include "tls.h"
36 #include "tls_cipher_suites.h"
37 #include "tls_extensions.h"
38 #include "tls_transcript_hash.h"
39 #include "tls_record.h"
40 #include "dtls_record.h"
41 #include "debug.h"
42 
43 //Check TLS library configuration
44 #if (TLS_SUPPORT == ENABLED)
45 
46 
47 /**
48  * @brief Parse Hello extensions
49  * @param[in] msgType Handshake message type
50  * @param[in] p Input stream where to read the list of extensions
51  * @param[in] length Number of bytes available in the input stream
52  * @param[out] extensions List of Hello extensions resulting from the parsing process
53  * @return Error code
54  **/
55 
58 {
59  error_t error;
60  size_t n;
61  uint16_t type;
62  const TlsExtension *extension;
63  const TlsExtensionList *extensionList;
64 
65  //Initialize TLS extensions
67 
68  //Check message type
70  {
71  //The implementation must accept messages both with and without the
72  //extensions field
73  if(length == 0)
74  {
75  //The extensions field is not present
76  return NO_ERROR;
77  }
78  }
79 
80  //Point to the list of extensions
81  extensionList = (TlsExtensionList *) p;
82 
83  //Malformed message?
84  if(length < sizeof(TlsExtensionList))
85  return ERROR_DECODING_FAILED;
86 
87  //If the amount of data in the message does not precisely match the format
88  //of the message, then send a fatal alert
89  if(length != (sizeof(TlsExtensionList) + ntohs(extensionList->length)))
90  return ERROR_DECODING_FAILED;
91 
92  //Point to the first extension of the list
93  p += sizeof(TlsExtensionList);
94  //Retrieve the length of the list
95  length -= sizeof(TlsExtensionList);
96 
97  //Parse the list of extensions offered by the peer
98  while(length > 0)
99  {
100  //Point to the current extension
101  extension = (TlsExtension *) p;
102 
103  //Check the length of the extension
104  if(length < sizeof(TlsExtension))
105  return ERROR_DECODING_FAILED;
106  if(length < (sizeof(TlsExtension) + ntohs(extension->length)))
107  return ERROR_DECODING_FAILED;
108 
109  //Get extension type
110  type = ntohs(extension->type);
111  //Retrieve the length of the extension
112  n = ntohs(extension->length);
113 
114  //Jump to the next extension
115  p += sizeof(TlsExtension) + n;
116  //Number of bytes left to process
117  length -= sizeof(TlsExtension) + n;
118 
119  //Test if the current extension is a duplicate
121  //Duplicate extension found?
122  if(error)
123  return error;
124 
125  //When multiple extensions of different types are present in the ClientHello
126  //or ServerHello messages, the extensions may appear in any order
128  {
129  //Check message type
131  {
132  const TlsSupportedVersionList *supportedVersionList;
133 
134  //Point to the SupportedVersions extension
135  supportedVersionList = (TlsSupportedVersionList *) extension->value;
136 
137  //Malformed extension?
138  if(n < sizeof(TlsSupportedVersionList))
139  return ERROR_DECODING_FAILED;
140  if(n != (sizeof(TlsSupportedVersionList) + supportedVersionList->length))
141  return ERROR_DECODING_FAILED;
142 
143  //Check the length of the list
144  if(supportedVersionList->length == 0)
145  return ERROR_DECODING_FAILED;
146  if((supportedVersionList->length % 2) != 0)
147  return ERROR_DECODING_FAILED;
148 
149  //The SupportedVersions extension is valid
150  extensions->supportedVersionList = supportedVersionList;
151  }
152  else if(msgType == TLS_TYPE_SERVER_HELLO ||
154  {
155  //The extension contains the selected version value
156  if(n != sizeof(uint16_t))
157  return ERROR_DECODING_FAILED;
158 
159  //The SupportedVersions extension is valid
160  extensions->selectedVersion = extension;
161  }
162  else
163  {
164  //The extension is not specified for the message in which it appears
166  }
167  }
168  else if(type == TLS_EXT_SERVER_NAME)
169  {
170  const TlsServerNameList *serverNameList;
171 
172  //Point to the ServerName extension
173  serverNameList = (TlsServerNameList *) extension->value;
174 
175  //Empty extension?
176  if(n == 0)
177  {
178  //When the server includes a ServerName extension, the data field
179  //of this extension may be empty
181  return ERROR_DECODING_FAILED;
182  }
183  else
184  {
185  //Malformed extension?
186  if(n < sizeof(TlsServerNameList))
187  return ERROR_DECODING_FAILED;
188  if(n != (sizeof(TlsServerNameList) + ntohs(serverNameList->length)))
189  return ERROR_DECODING_FAILED;
190 
191  //Check the length of the list
192  if(ntohs(serverNameList->length) == 0)
193  return ERROR_DECODING_FAILED;
194  }
195 
196  //The ServerName extension is valid
197  extensions->serverNameList = serverNameList;
198  }
199  else if(type == TLS_EXT_SUPPORTED_GROUPS)
200  {
201  const TlsSupportedGroupList *supportedGroupList;
202 
203  //Point to the SupportedGroups extension
204  supportedGroupList = (TlsSupportedGroupList *) extension->value;
205 
206  //Malformed extension?
207  if(n < sizeof(TlsSupportedGroupList))
208  return ERROR_DECODING_FAILED;
209  if(n != (sizeof(TlsSupportedGroupList) + ntohs(supportedGroupList->length)))
210  return ERROR_DECODING_FAILED;
211 
212  //Check the length of the list
213  if(ntohs(supportedGroupList->length) == 0)
214  return ERROR_DECODING_FAILED;
215  if((ntohs(supportedGroupList->length) % 2) != 0)
216  return ERROR_DECODING_FAILED;
217 
218  //The SupportedGroups extension is valid
219  extensions->supportedGroupList = supportedGroupList;
220  }
221  else if(type == TLS_EXT_EC_POINT_FORMATS)
222  {
223  const TlsEcPointFormatList *ecPointFormatList;
224 
225  //Point to the EcPointFormats extension
226  ecPointFormatList = (TlsEcPointFormatList *) extension->value;
227 
228  //Malformed extension?
229  if(n < sizeof(TlsEcPointFormatList))
230  return ERROR_DECODING_FAILED;
231  if(n != (sizeof(TlsEcPointFormatList) + ecPointFormatList->length))
232  return ERROR_DECODING_FAILED;
233 
234  //Check the length of the list
235  if(ntohs(ecPointFormatList->length) == 0)
236  return ERROR_DECODING_FAILED;
237 
238  //The EcPointFormats extension is valid
239  extensions->ecPointFormatList = ecPointFormatList;
240  }
242  {
243  const TlsSignSchemeList *signAlgoList;
244 
245  //Point to the SignatureAlgorithms extension
246  signAlgoList = (TlsSignSchemeList *) extension->value;
247 
248  //Malformed extension?
249  if(n < sizeof(TlsSignSchemeList))
250  return ERROR_DECODING_FAILED;
251  if(n != (sizeof(TlsSignSchemeList) + ntohs(signAlgoList->length)))
252  return ERROR_DECODING_FAILED;
253 
254  //Check the length of the list
255  if(ntohs(signAlgoList->length) == 0)
256  return ERROR_DECODING_FAILED;
257  if((ntohs(signAlgoList->length) % 2) != 0)
258  return ERROR_DECODING_FAILED;
259 
260  //The SignatureAlgorithms extension is valid
261  extensions->signAlgoList = signAlgoList;
262  }
264  {
265  const TlsSignSchemeList *certSignAlgoList;
266 
267  //Point to the SignatureAlgorithmsCert extension
268  certSignAlgoList = (TlsSignSchemeList *) extension->value;
269 
270  //Malformed extension?
271  if(n < sizeof(TlsSignSchemeList))
272  return ERROR_DECODING_FAILED;
273  if(n != (sizeof(TlsSignSchemeList) + ntohs(certSignAlgoList->length)))
274  return ERROR_DECODING_FAILED;
275 
276  //Check the length of the list
277  if(ntohs(certSignAlgoList->length) == 0)
278  return ERROR_DECODING_FAILED;
279  if((ntohs(certSignAlgoList->length) % 2) != 0)
280  return ERROR_DECODING_FAILED;
281 
282  //The SignatureAlgorithmsCert extension is valid
283  extensions->certSignAlgoList = certSignAlgoList;
284  }
285 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
287  {
288  //Malformed extension?
289  if(n != sizeof(uint8_t))
290  return ERROR_DECODING_FAILED;
291 
292  //The MaxFragmentLength extension is valid
293  extensions->maxFragLen = extension;
294  }
295 #endif
296 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
297  else if(type == TLS_EXT_RECORD_SIZE_LIMIT)
298  {
299  //Malformed extension?
300  if(n != sizeof(uint16_t))
301  return ERROR_DECODING_FAILED;
302 
303  //The RecordSizeLimit extension is valid
304  extensions->recordSizeLimit = extension;
305  }
306 #endif
307 #if (TLS_ALPN_SUPPORT == ENABLED)
308  else if(type == TLS_EXT_ALPN)
309  {
310  const TlsProtocolNameList *protocolNameList;
311 
312  //Point to the ALPN extension
313  protocolNameList = (TlsProtocolNameList *) extension->value;
314 
315  //Malformed extension?
316  if(n < sizeof(TlsProtocolNameList))
317  return ERROR_DECODING_FAILED;
318  if(n != (sizeof(TlsProtocolNameList) + ntohs(protocolNameList->length)))
319  return ERROR_DECODING_FAILED;
320 
321  //The ALPN extension is valid
322  extensions->protocolNameList = protocolNameList;
323  }
324 #endif
325 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
326  else if(type == TLS_EXT_CLIENT_CERT_TYPE)
327  {
328  //Check message type
330  {
331  const TlsCertTypeList *clientCertTypeList;
332 
333  //Point to the ClientCertType extension
334  clientCertTypeList = (TlsCertTypeList *) extension->value;
335 
336  //Malformed extension?
337  if(n < sizeof(TlsCertTypeList))
338  return ERROR_DECODING_FAILED;
339  if(n != (sizeof(TlsCertTypeList) + clientCertTypeList->length))
340  return ERROR_DECODING_FAILED;
341 
342  //The ClientCertType extension is valid
343  extensions->clientCertTypeList = clientCertTypeList;
344  }
345  else
346  {
347  //Only a single value is permitted in the ClientCertType extension
348  //when carried in the ServerHello
349  if(n != sizeof(uint8_t))
350  return ERROR_DECODING_FAILED;
351 
352  //The ClientCertType extension is valid
353  extensions->clientCertType = extension;
354  }
355  }
356  else if(type == TLS_EXT_SERVER_CERT_TYPE)
357  {
358  //Check message type
360  {
361  const TlsCertTypeList *serverCertTypeList;
362 
363  //Point to the ServerCertType extension
364  serverCertTypeList = (TlsCertTypeList *) extension->value;
365 
366  //Malformed extension?
367  if(n < sizeof(TlsCertTypeList))
368  return ERROR_DECODING_FAILED;
369  if(n != (sizeof(TlsCertTypeList) + serverCertTypeList->length))
370  return ERROR_DECODING_FAILED;
371 
372  //The ServerCertType extension is valid
373  extensions->serverCertTypeList = serverCertTypeList;
374  }
375  else
376  {
377  //Only a single value is permitted in the ServerCertType extension
378  //when carried in the ServerHello
379  if(n != sizeof(uint8_t))
380  return ERROR_DECODING_FAILED;
381 
382  //The ServerCertType extension is valid
383  extensions->serverCertType = extension;
384  }
385  }
386 #endif
387 #if (TLS_ENCRYPT_THEN_MAC_SUPPORT == ENABLED)
388  else if(type == TLS_EXT_ENCRYPT_THEN_MAC)
389  {
390  //The extension data field of this extension shall be empty (refer to
391  //RFC 7366, section 2)
392  if(n != 0)
393  return ERROR_DECODING_FAILED;
394 
395  //The EncryptThenMac extension is valid
396  extensions->encryptThenMac = extension;
397  }
398 #endif
399 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
401  {
402  //Malformed extension?
403  if(n != 0)
404  return ERROR_DECODING_FAILED;
405 
406  //The ExtendedMasterSecret extension is valid
407  extensions->extendedMasterSecret = extension;
408  }
409 #endif
410 #if (TLS_TICKET_SUPPORT == ENABLED)
411  else if(type == TLS_EXT_SESSION_TICKET)
412  {
413  //Check message type
415  {
416  //The server uses a zero-length SessionTicket extension to indicate
417  //to the client that it will send a new session ticket
418  if(n != 0)
419  return ERROR_DECODING_FAILED;
420  }
421 
422  //The SessionTicket extension is valid
423  extensions->sessionTicket = extension;
424  }
425 #endif
426 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
427  else if(type == TLS_EXT_RENEGOTIATION_INFO)
428  {
429  const TlsRenegoInfo *renegoInfo;
430 
431  //Point to the RenegotiationInfo extension
432  renegoInfo = (TlsRenegoInfo *) extension->value;
433 
434  //Malformed extension?
435  if(n < sizeof(TlsRenegoInfo))
436  return ERROR_DECODING_FAILED;
437  if(n != (sizeof(TlsRenegoInfo) + renegoInfo->length))
438  return ERROR_DECODING_FAILED;
439 
440  //The RenegotiationInfo extension is valid
441  extensions->renegoInfo = renegoInfo;
442  }
443 #endif
444 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
445  else if(type == TLS_EXT_COOKIE)
446  {
447  const Tls13Cookie *cookie;
448 
449  //Point to the Cookie extension
450  cookie = (Tls13Cookie *) extension->value;
451 
452  //Malformed extension?
453  if(n < sizeof(Tls13Cookie))
454  return ERROR_DECODING_FAILED;
455  if(n != (sizeof(Tls13Cookie) + ntohs(cookie->length)))
456  return ERROR_DECODING_FAILED;
457 
458  //Check the length of the cookie
459  if(ntohs(cookie->length) == 0)
460  return ERROR_DECODING_FAILED;
461 
462  //The Cookie extension is valid
463  extensions->cookie = cookie;
464  }
466  {
467  const TlsCertAuthorities *certAuthorities;
468 
469  //Point to the CertificateAuthorities extension
470  certAuthorities = (TlsCertAuthorities *) extension->value;
471 
472  //Malformed extension?
473  if(n < sizeof(TlsCertAuthorities))
474  return ERROR_DECODING_FAILED;
475  if(n != (sizeof(TlsCertAuthorities) + ntohs(certAuthorities->length)))
476  return ERROR_DECODING_FAILED;
477 
478  //Check the length of the list
479  if(ntohs(certAuthorities->length) < 3)
480  return ERROR_DECODING_FAILED;
481 
482  //The CertificateAuthorities extension is valid
483  extensions->certAuthorities = certAuthorities;
484  }
485  else if(type == TLS_EXT_KEY_SHARE)
486  {
487  //Check message type
489  {
490  size_t k;
491  size_t m;
492  const Tls13KeyShareList *keyShareList;
493  const Tls13KeyShareEntry *keyShareEntry;
494 
495  //The extension contains a list of offered KeyShareEntry values
496  //in descending order of client preference
497  keyShareList = (Tls13KeyShareList *) extension->value;
498 
499  //Malformed extension?
500  if(n < sizeof(Tls13KeyShareList))
501  return ERROR_DECODING_FAILED;
502  if(n != (sizeof(Tls13KeyShareList) + ntohs(keyShareList->length)))
503  return ERROR_DECODING_FAILED;
504 
505  //Point to the first KeyShareEntry of the list
506  p = keyShareList->value;
507  //Retrieve the length of the list
508  m = ntohs(keyShareList->length);
509 
510  //Parse the list of key share entries offered by the peer
511  while(m > 0)
512  {
513  //Malformed extension?
514  if(m < sizeof(Tls13KeyShareEntry))
515  return ERROR_DECODING_FAILED;
516 
517  //Point to the current key share entry
518  keyShareEntry = (Tls13KeyShareEntry *) p;
519  //Retrieve the length of the key_exchange field
520  k = ntohs(keyShareEntry->length);
521 
522  //Malformed extension?
523  if(m < (sizeof(Tls13KeyShareEntry) + k))
524  return ERROR_DECODING_FAILED;
525 
526  //Point to the next entry
527  p += sizeof(Tls13KeyShareEntry) + k;
528  //Remaining bytes to process
529  m -= sizeof(Tls13KeyShareEntry) + k;
530 
531  //Clients must not offer multiple KeyShareEntry values for the
532  //same group. Servers may check for violations of this rule and
533  //abort the handshake with an illegal_parameter alert
534  error = tls13CheckDuplicateKeyShare(ntohs(keyShareEntry->group),
535  p, m);
536  //Any error to report?
537  if(error)
539  }
540 
541  //The KeyShare extension is valid
542  extensions->keyShareList = keyShareList;
543  }
545  {
546  //The extension contains the mutually supported group the server
547  //intends to negotiate
548  if(n != sizeof(uint16_t))
549  return ERROR_DECODING_FAILED;
550 
551  //The KeyShare extension is valid
552  extensions->selectedGroup = extension;
553  }
554  else if(msgType == TLS_TYPE_SERVER_HELLO)
555  {
556  const Tls13KeyShareEntry *serverShare;
557 
558  //The extension contains a single KeyShareEntry value that is in
559  //the same group as one of the client's shares
560  serverShare = (Tls13KeyShareEntry *) extension->value;
561 
562  //Malformed extension?
563  if(n < sizeof(Tls13KeyShareEntry))
564  return ERROR_DECODING_FAILED;
565  if(n != (sizeof(Tls13KeyShareEntry) + ntohs(serverShare->length)))
566  return ERROR_DECODING_FAILED;
567 
568  //The KeyShare extension is valid
569  extensions->serverShare = serverShare;
570  }
571  else
572  {
573  //The extension is not specified for the message in which it appears
574 #if (TLS_MAX_EMPTY_RECORDS > 0)
576 #else
578 #endif
579  }
580  }
582  {
583  const Tls13PskKeModeList *pskKeModeList;
584 
585  //The extension contains the list of PSK key exchange modes that
586  //are supported by the client
587  pskKeModeList = (Tls13PskKeModeList *) extension->value;
588 
589  //Malformed extension?
590  if(n < sizeof(Tls13PskKeModeList))
591  return ERROR_DECODING_FAILED;
592  if(n != (sizeof(Tls13PskKeModeList) + pskKeModeList->length))
593  return ERROR_DECODING_FAILED;
594 
595  //The PskKeyExchangeModes extension is valid
596  extensions->pskKeModeList = pskKeModeList;
597  }
598  else if(type == TLS_EXT_PRE_SHARED_KEY)
599  {
600  //Check message type
602  {
603  const Tls13PskIdentityList *identityList;
604  const Tls13PskBinderList *binderList;
605 
606  //The PreSharedKey extension must be the last extension in the
607  //ClientHello. Servers must check that it is the last extension and
608  //otherwise fail the handshake with an illegal_parameter alert
609  if(length != 0)
611 
612  //The extension contains a list of the identities that the client
613  //is willing to negotiate with the server
614  identityList = (Tls13PskIdentityList *) extension->value;
615 
616  //Malformed extension?
617  if(n < sizeof(Tls13PskIdentityList))
618  return ERROR_DECODING_FAILED;
619  if(n < (sizeof(Tls13PskIdentityList) + ntohs(identityList->length)))
620  return ERROR_DECODING_FAILED;
621 
622  //Remaining bytes to process
623  n -= sizeof(Tls13PskIdentityList) + ntohs(identityList->length);
624 
625  //The extension also contains a series of HMAC values, one for each
626  //PSK offered in the PreSharedKey extension and in the same order
627  binderList = (Tls13PskBinderList *) (extension->value +
628  sizeof(Tls13PskIdentityList) + ntohs(identityList->length));
629 
630  //Malformed extension?
631  if(n < sizeof(Tls13PskBinderList))
632  return ERROR_DECODING_FAILED;
633  if(n != (sizeof(Tls13PskBinderList) + ntohs(binderList->length)))
634  return ERROR_DECODING_FAILED;
635 
636  //The PreSharedKey extension is valid
637  extensions->identityList = identityList;
638  extensions->binderList = binderList;
639  }
640  else if(msgType == TLS_TYPE_SERVER_HELLO)
641  {
642  //The extension contains the chosen identity expressed as a 0-based
643  //index into the identities in the client's list
644  if(n != sizeof(uint16_t))
645  return ERROR_DECODING_FAILED;
646 
647  //The PreSharedKey extension is valid
648  extensions->selectedIdentity = extension;
649  }
650  else
651  {
652  //The extension is not specified for the message in which it appears
654  }
655  }
656  else if(type == TLS_EXT_EARLY_DATA)
657  {
658  //Check message type
661  {
662  //The extension data field is empty
663  if(n != 0)
664  return ERROR_DECODING_FAILED;
665  }
667  {
668  //The extension data field contains an unsigned 32-bit integer
669  if(n != sizeof(uint32_t))
670  return ERROR_DECODING_FAILED;
671  }
672  else
673  {
674  //The extension is not specified for the message in which it appears
676  }
677 
678  //The EarlyData extension is valid
679  extensions->earlyDataIndication = extension;
680  }
681 #endif
682  else
683  {
684  //If a client receives an extension type in the ServerHello that it
685  //did not request in the associated ClientHello, it must abort the
686  //handshake with an unsupported_extension fatal alert
690  {
691  //Report an error
693  }
694  }
695  }
696 
697  //Successful processing
698  return NO_ERROR;
699 }
700 
701 
702 /**
703  * @brief Check Hello extensions
704  * @param[in] msgType Handshake message type
705  * @param[in] version TLS version
706  * @param[in] extensions List of Hello extensions offered by the peer
707  * @return Error code
708  **/
709 
712 {
713  error_t error;
714 
715  //Initialize status code
716  error = NO_ERROR;
717 
718 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED && TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
719  //A client must treat receipt of both MaxFragmentLength and RecordSizeLimit
720  //extensions as a fatal error, and it should generate an illegal_parameter
721  //alert (refer to RFC 8449, section 5)
722  if(extensions->maxFragLen != NULL && extensions->recordSizeLimit != NULL)
723  {
724  //ServerHello or EncryptedExtensions message?
727  {
728  error = ERROR_ILLEGAL_PARAMETER;
729  }
730  }
731 #endif
732 
733 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
734  //If an implementation receives an extension which it recognizes and which
735  //is not specified for the message in which it appears it must abort the
736  //handshake with an illegal_parameter alert (refer to RFC 8446, section 4.2)
737  if(version == TLS_VERSION_1_3)
738  {
739  //SupportedVersions extension found?
740  if(extensions->supportedVersionList != NULL ||
741  extensions->selectedVersion != NULL)
742  {
743  //The extension can only appear in CH, SH and HRR messages
747  {
748  error = ERROR_ILLEGAL_PARAMETER;
749  }
750  }
751 
752  //ServerName extension found?
753  if(extensions->serverNameList != NULL)
754  {
755  //The extension can only appear in CH and EE messages
758  {
759  error = ERROR_ILLEGAL_PARAMETER;
760  }
761  }
762 
763  //SupportedGroups extension found?
764  if(extensions->supportedGroupList != NULL)
765  {
766  //The extension can only appear in CH and EE messages
769  {
770  error = ERROR_ILLEGAL_PARAMETER;
771  }
772  }
773 
774  //EcPointFormats extension found?
775  if(extensions->ecPointFormatList != NULL)
776  {
777  //The extension can only appear in CH
779  {
780  error = ERROR_ILLEGAL_PARAMETER;
781  }
782  }
783 
784  //SignatureAlgorithms extension found?
785  if(extensions->signAlgoList != NULL)
786  {
787  //The extension can only appear in CH and CR messages
790  {
791  error = ERROR_ILLEGAL_PARAMETER;
792  }
793  }
794 
795  //SignatureAlgorithmsCert extension found?
796  if(extensions->certSignAlgoList != NULL)
797  {
798  //The extension can only appear in CH and CR messages
801  {
802  error = ERROR_ILLEGAL_PARAMETER;
803  }
804  }
805 
806 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
807  //MaxFragmentLength extension found?
808  if(extensions->maxFragLen != NULL)
809  {
810  //The extension can only appear in CH and EE messages
813  {
814  error = ERROR_ILLEGAL_PARAMETER;
815  }
816  }
817 #endif
818 
819 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
820  //RecordSizeLimit extension found?
821  if(extensions->recordSizeLimit != NULL)
822  {
823  //The extension can only appear in CH and EE messages
826  {
827  error = ERROR_ILLEGAL_PARAMETER;
828  }
829  }
830 #endif
831 
832 #if (TLS_ALPN_SUPPORT == ENABLED)
833  //ALPN extension found?
834  if(extensions->protocolNameList != NULL)
835  {
836  //The extension can only appear in CH and EE messages
839  {
840  error = ERROR_ILLEGAL_PARAMETER;
841  }
842  }
843 #endif
844 
845 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
846  //ClientCertType extension found?
847  if(extensions->clientCertTypeList != NULL ||
848  extensions->clientCertType != NULL)
849  {
850  //The extension can only appear in CH and EE messages
853  {
854  error = ERROR_ILLEGAL_PARAMETER;
855  }
856  }
857 
858  //ServerCertType extension found?
859  if(extensions->serverCertTypeList != NULL ||
860  extensions->serverCertType != NULL)
861  {
862  //The extension can only appear in CH and EE messages
865  {
866  error = ERROR_ILLEGAL_PARAMETER;
867  }
868  }
869 #endif
870 
871 #if (TLS_ENCRYPT_THEN_MAC_SUPPORT == ENABLED)
872  //EncryptThenMac extension found?
873  else if(extensions->encryptThenMac != NULL)
874  {
875  //The extension can only appear in CH
877  {
878  error = ERROR_ILLEGAL_PARAMETER;
879  }
880  }
881 #endif
882 
883 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
884  //ExtendedMasterSecret extension found?
885  if(extensions->extendedMasterSecret != NULL)
886  {
887  //The extension can only appear in CH
889  {
890  error = ERROR_ILLEGAL_PARAMETER;
891  }
892  }
893 #endif
894 
895 #if (TLS_TICKET_SUPPORT == ENABLED)
896  //SessionTicket extension found?
897  if(extensions->sessionTicket != NULL)
898  {
899  //The extension can only appear in CH
901  {
902  error = ERROR_ILLEGAL_PARAMETER;
903  }
904  }
905 #endif
906 
907 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
908  //RenegotiationInfo extension found?
909  if(extensions->renegoInfo != NULL)
910  {
911  //The extension can only appear in CH
913  {
914  error = ERROR_ILLEGAL_PARAMETER;
915  }
916  }
917 #endif
918 
919  //Cookie extension found?
920  if(extensions->cookie != NULL)
921  {
922  //The extension can only appear in CH and HRR messages
925  {
926  error = ERROR_ILLEGAL_PARAMETER;
927  }
928  }
929 
930  //CertificateAuthorities extension found?
931  if(extensions->certAuthorities != NULL)
932  {
933  //The extension can only appear in CH and CR messages
936  {
937  error = ERROR_ILLEGAL_PARAMETER;
938  }
939  }
940 
941  //KeyShare extension found?
942  if(extensions->keyShareList != NULL ||
943  extensions->serverShare != NULL ||
944  extensions->selectedGroup != NULL)
945  {
946  //The extension can only appear in CH, SH and HRR messages
950  {
951  error = ERROR_ILLEGAL_PARAMETER;
952  }
953  }
954 
955  //PskKeyExchangeModes extension found?
956  if(extensions->pskKeModeList != NULL)
957  {
958  //The extension can only appear in CH message
960  {
961  error = ERROR_ILLEGAL_PARAMETER;
962  }
963  }
964 
965  //PreSharedKey extension found?
966  if(extensions->identityList != NULL ||
967  extensions->binderList != NULL ||
968  extensions->selectedIdentity != NULL)
969  {
970  //The extension can only appear in CH and SH messages
973  {
974  error = ERROR_ILLEGAL_PARAMETER;
975  }
976  }
977 
978  //EarlyData extension found?
979  if(extensions->earlyDataIndication != NULL)
980  {
981  //The extension can only appear in CH, EE and NST messages
985  {
986  error = ERROR_ILLEGAL_PARAMETER;
987  }
988  }
989  }
990 
991  //Check mandatory-to-implement extensions
993  {
994  //A client must provide a PskKeyExchangeModes extension if it offers a
995  //PreSharedKey extension (refer to RFC 8446, section 4.2.9)
996  if(extensions->identityList != NULL || extensions->binderList != NULL)
997  {
998  //If a client offers PreSharedKey without a PskKeyExchangeModes
999  //extension, the servers must abort the handshake
1000  if(extensions->pskKeModeList == NULL)
1001  {
1002  error = ERROR_MISSING_EXTENSION;
1003  }
1004  }
1005 
1006  //If the ClientHello does not contain a PreSharedKey extension, it must
1007  //contain both a SignatureAlgorithms extension and a SupportedGroups
1008  //extension (refer to RFC 8446, section 9.2)
1009  if(extensions->identityList == NULL || extensions->binderList == NULL)
1010  {
1011  //Servers receiving a ClientHello which does not conform to these
1012  //requirements must abort the handshake with a missing_extension
1013  //alert
1014  if(extensions->signAlgoList == NULL ||
1015  extensions->supportedGroupList == NULL)
1016  {
1017  error = ERROR_MISSING_EXTENSION;
1018  }
1019  }
1020 
1021  //If the ClientHello contains a SupportedGroups extension, it must also
1022  //contain a KeyShare extension, and vice versa
1023  if(extensions->supportedGroupList != NULL &&
1024  extensions->keyShareList == NULL)
1025  {
1026  error = ERROR_MISSING_EXTENSION;
1027  }
1028  else if(extensions->keyShareList != NULL &&
1029  extensions->supportedGroupList == NULL)
1030  {
1031  error = ERROR_MISSING_EXTENSION;
1032  }
1033  }
1034 #endif
1035 
1036  //Return status code
1037  return error;
1038 }
1039 
1040 
1041 /**
1042  * @brief Check whether the specified extension type is a duplicate
1043  * @param[in] type Extension type
1044  * @param[in] p Input stream where to read the list of extensions
1045  * @param[in] length Number of bytes available in the input stream
1046  * @return Error code
1047  **/
1048 
1049 error_t tlsCheckDuplicateExtension(uint16_t type, const uint8_t *p,
1050  size_t length)
1051 {
1052  size_t n;
1053  const TlsExtension *extension;
1054 
1055  //Parse the list of extensions offered by the peer
1056  while(length > 0)
1057  {
1058  //Point to the current extension
1059  extension = (TlsExtension *) p;
1060 
1061  //Check the length of the extension
1062  if(length < sizeof(TlsExtension))
1063  return ERROR_DECODING_FAILED;
1064  if(length < (sizeof(TlsExtension) + ntohs(extension->length)))
1065  return ERROR_DECODING_FAILED;
1066 
1067  //There must not be more than one extension of the same type (refer to
1068  //RFC 5246, section 7.4.1.4)
1069  if(ntohs(extension->type) == type)
1070  {
1072  {
1073  return ERROR_DECODING_FAILED;
1074  }
1075  else
1076  {
1077  return ERROR_ILLEGAL_PARAMETER;
1078  }
1079  }
1080 
1081  //Retrieve the length of the extension
1082  n = ntohs(extension->length);
1083 
1084  //Jump to the next extension
1085  p += sizeof(TlsExtension) + n;
1086  //Number of bytes left to process
1087  length -= sizeof(TlsExtension) + n;
1088  }
1089 
1090  //Successful verification
1091  return NO_ERROR;
1092 }
1093 
1094 
1095 /**
1096  * @brief Check whether the specified ALPN protocol is supported
1097  * @param[in] context Pointer to the TLS context
1098  * @param[in] protocol Pointer to the protocol name
1099  * @param[in] length Length of the protocol name, in bytes
1100  * @return TRUE if the specified protocol is supported, else FALSE
1101  **/
1102 
1104  const char_t *protocol, size_t length)
1105 {
1106  bool_t supported;
1107 
1108  //Initialize flag
1109  supported = FALSE;
1110 
1111 #if (TLS_ALPN_SUPPORT == ENABLED)
1112  //Sanity check
1113  if(context->protocolList != NULL)
1114  {
1115  size_t i;
1116  size_t j;
1117 
1118  //Move back to the beginning of the list
1119  i = 0;
1120  j = 0;
1121 
1122  //Parse the list of supported protocols
1123  do
1124  {
1125  //Delimiter character found?
1126  if(context->protocolList[i] == ',' || context->protocolList[i] == '\0')
1127  {
1128  //Check the length of the protocol name
1129  if(length == (i - j))
1130  {
1131  //Compare protocol names
1132  if(!osMemcmp(protocol, context->protocolList + j, i - j))
1133  {
1134  //The specified protocol is supported
1135  supported = TRUE;
1136  //We are done
1137  break;
1138  }
1139  }
1140 
1141  //Move to the next token
1142  j = i + 1;
1143  }
1144 
1145  //Loop until the NULL character is reached
1146  } while(context->protocolList[i++] != '\0');
1147  }
1148 #endif
1149 
1150  //Return TRUE if the specified protocol is supported
1151  return supported;
1152 }
1153 
1154 #endif
uint8_t type
Definition: coap_common.h:176
uint8_t version
Definition: coap_common.h:177
char char_t
Definition: compiler_port.h:48
int bool_t
Definition: compiler_port.h:53
#define ntohs(value)
Definition: cpu_endian.h:421
Debugging facilities.
uint8_t n
uint8_t cookie[]
Definition: dtls_misc.h:206
DTLS record protocol.
error_t
Error codes.
Definition: error.h:43
@ ERROR_UNSUPPORTED_EXTENSION
Definition: error.h:244
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:242
@ ERROR_MISSING_EXTENSION
Definition: error.h:243
@ ERROR_DECODING_FAILED
Definition: error.h:240
@ NO_ERROR
Success.
Definition: error.h:44
uint8_t protocol
Definition: ipv4.h:296
uint8_t msgType
uint8_t p
Definition: ndp.h:300
uint8_t m
Definition: ndp.h:304
#define osMemset(p, value, length)
Definition: os_port.h:135
#define osMemcmp(p1, p2, length)
Definition: os_port.h:153
#define TRUE
Definition: os_port.h:50
#define FALSE
Definition: os_port.h:46
Hello extensions.
Definition: tls.h:2081
uint8_t length
Definition: tcp.h:368
error_t tls13CheckDuplicateKeyShare(uint16_t namedGroup, const uint8_t *p, size_t length)
Check whether the specified key share group is a duplicate.
Definition: tls13_misc.c:708
Tls13PskBinderList
Definition: tls13_misc.h:247
Tls13KeyShareList
Definition: tls13_misc.h:192
Tls13KeyShareEntry
Definition: tls13_misc.h:181
Tls13Cookie
Definition: tls13_misc.h:169
uint8_t extensions[]
Definition: tls13_misc.h:300
Tls13PskIdentityList
Definition: tls13_misc.h:225
Tls13PskKeModeList
Definition: tls13_misc.h:203
TLS (Transport Layer Security)
TlsCertAuthorities
Definition: tls.h:1544
TlsSupportedVersionList
Definition: tls.h:1578
TlsEcPointFormatList
Definition: tls.h:1645
TlsProtocolNameList
Definition: tls.h:1623
TlsExtension
Definition: tls.h:1556
TlsServerNameList
Definition: tls.h:1601
TlsExtensionList
Definition: tls.h:1567
TlsCertTypeList
Definition: tls.h:1656
@ TLS_EXT_RENEGOTIATION_INFO
Definition: tls.h:1320
@ TLS_EXT_SIGNATURE_ALGORITHMS_CERT
Definition: tls.h:1311
@ TLS_EXT_EARLY_DATA
Definition: tls.h:1304
@ TLS_EXT_PRE_SHARED_KEY
Definition: tls.h:1303
@ TLS_EXT_MAX_FRAGMENT_LENGTH
Definition: tls.h:1269
@ TLS_EXT_CERTIFICATE_AUTHORITIES
Definition: tls.h:1308
@ TLS_EXT_SERVER_CERT_TYPE
Definition: tls.h:1288
@ TLS_EXT_CLIENT_CERT_TYPE
Definition: tls.h:1287
@ TLS_EXT_KEY_SHARE
Definition: tls.h:1312
@ TLS_EXT_ENCRYPT_THEN_MAC
Definition: tls.h:1290
@ TLS_EXT_SIGNATURE_ALGORITHMS
Definition: tls.h:1281
@ TLS_EXT_SUPPORTED_VERSIONS
Definition: tls.h:1305
@ TLS_EXT_EC_POINT_FORMATS
Definition: tls.h:1279
@ TLS_EXT_RECORD_SIZE_LIMIT
Definition: tls.h:1295
@ TLS_EXT_SESSION_TICKET
Definition: tls.h:1301
@ TLS_EXT_SUPPORTED_GROUPS
Definition: tls.h:1278
@ TLS_EXT_COOKIE
Definition: tls.h:1306
@ TLS_EXT_PSK_KEY_EXCHANGE_MODES
Definition: tls.h:1307
@ TLS_EXT_ALPN
Definition: tls.h:1284
@ TLS_EXT_SERVER_NAME
Definition: tls.h:1268
@ TLS_EXT_EXTENDED_MASTER_SECRET
Definition: tls.h:1291
TlsSupportedGroupList
Definition: tls.h:1634
TlsSignSchemeList
Definition: tls.h:1522
TlsRenegoInfo
Definition: tls.h:1667
#define TLS_VERSION_1_3
Definition: tls.h:97
#define TlsContext
Definition: tls.h:36
TlsMessageType
Handshake message type.
Definition: tls.h:1024
@ TLS_TYPE_SERVER_HELLO
Definition: tls.h:1027
@ TLS_TYPE_CLIENT_HELLO
Definition: tls.h:1026
@ TLS_TYPE_ENCRYPTED_EXTENSIONS
Definition: tls.h:1032
@ TLS_TYPE_NEW_SESSION_TICKET
Definition: tls.h:1029
@ TLS_TYPE_CERTIFICATE_REQUEST
Definition: tls.h:1037
@ TLS_TYPE_HELLO_RETRY_REQUEST
Definition: tls.h:1031
TLS cipher suites.
error_t tlsParseHelloExtensions(TlsMessageType msgType, const uint8_t *p, size_t length, TlsHelloExtensions *extensions)
Parse Hello extensions.
bool_t tlsIsAlpnProtocolSupported(TlsContext *context, const char_t *protocol, size_t length)
Check whether the specified ALPN protocol is supported.
error_t tlsCheckHelloExtensions(TlsMessageType msgType, uint16_t version, TlsHelloExtensions *extensions)
Check Hello extensions.
error_t tlsCheckDuplicateExtension(uint16_t type, const uint8_t *p, size_t length)
Check whether the specified extension type is a duplicate.
Parsing and checking of TLS extensions.
TLS record protocol.
Transcript hash calculation.