tls_extensions.c
Go to the documentation of this file.
1 /**
2  * @file tls_extensions.c
3  * @brief Parsing and checking of TLS extensions
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneSSL Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @author Oryx Embedded SARL (www.oryx-embedded.com)
26  * @version 1.9.0
27  **/
28 
29 //Switch to the appropriate trace level
30 #define TRACE_LEVEL TLS_TRACE_LEVEL
31 
32 //Dependencies
33 #include <string.h>
34 #include "tls.h"
35 #include "tls_cipher_suites.h"
36 #include "tls_extensions.h"
37 #include "tls_transcript_hash.h"
38 #include "tls_record.h"
39 #include "dtls_record.h"
40 #include "debug.h"
41 
42 //Check TLS library configuration
43 #if (TLS_SUPPORT == ENABLED)
44 
45 
46 /**
47  * @brief Parse Hello extensions
48  * @param[in] msgType Handshake message type
49  * @param[in] p Input stream where to read the list of extensions
50  * @param[in] length Number of bytes available in the input stream
51  * @param[out] extensions List of Hello extensions resulting from the parsing process
52  * @return Error code
53  **/
54 
57 {
58  error_t error;
59  size_t n;
60  uint16_t type;
61  const TlsExtension *extension;
62  const TlsExtensionList *extensionList;
63 
64  //Initialize TLS extensions
65  memset(extensions, 0, sizeof(TlsHelloExtensions));
66 
67  //Check message type
69  {
70  //The implementation must accept messages both with and without the
71  //extensions field
72  if(length == 0)
73  {
74  //The extensions field is not present
75  return NO_ERROR;
76  }
77  }
78 
79  //Point to the list of extensions
80  extensionList = (TlsExtensionList *) p;
81 
82  //Malformed message?
83  if(length < sizeof(TlsExtensionList))
84  return ERROR_DECODING_FAILED;
85 
86  //If the amount of data in the message does not precisely match the format
87  //of the message, then send a fatal alert
88  if(length != (sizeof(TlsExtensionList) + ntohs(extensionList->length)))
89  return ERROR_DECODING_FAILED;
90 
91  //Point to the first extension of the list
92  p += sizeof(TlsExtensionList);
93  //Retrieve the length of the list
94  length -= sizeof(TlsExtensionList);
95 
96  //Parse the list of extensions offered by the peer
97  while(length > 0)
98  {
99  //Point to the current extension
100  extension = (TlsExtension *) p;
101 
102  //Check the length of the extension
103  if(length < sizeof(TlsExtension))
104  return ERROR_DECODING_FAILED;
105  if(length < (sizeof(TlsExtension) + ntohs(extension->length)))
106  return ERROR_DECODING_FAILED;
107 
108  //Get extension type
109  type = ntohs(extension->type);
110  //Retrieve the length of the extension
111  n = ntohs(extension->length);
112 
113  //Jump to the next extension
114  p += sizeof(TlsExtension) + n;
115  //Number of bytes left to process
116  length -= sizeof(TlsExtension) + n;
117 
118  //Test if the current extension is a duplicate
120  //Duplicate extension found?
121  if(error)
122  return error;
123 
124  //When multiple extensions of different types are present in the ClientHello
125  //or ServerHello messages, the extensions may appear in any order
127  {
128  //Check message type
130  {
131  const TlsSupportedVersionList *supportedVersionList;
132 
133  //Point to the SupportedVersions extension
134  supportedVersionList = (TlsSupportedVersionList *) extension->value;
135 
136  //Malformed extension?
137  if(n < sizeof(TlsSupportedVersionList))
138  return ERROR_DECODING_FAILED;
139  if(n != (sizeof(TlsSupportedVersionList) + supportedVersionList->length))
140  return ERROR_DECODING_FAILED;
141 
142  //Check the length of the list
143  if(supportedVersionList->length == 0)
144  return ERROR_DECODING_FAILED;
145  if((supportedVersionList->length % 2) != 0)
146  return ERROR_DECODING_FAILED;
147 
148  //The SupportedVersions extension is valid
149  extensions->supportedVersionList = supportedVersionList;
150  }
151  else if(msgType == TLS_TYPE_SERVER_HELLO ||
153  {
154  //The extension contains the selected version value
155  if(n != sizeof(uint16_t))
156  return ERROR_DECODING_FAILED;
157 
158  //The SupportedVersions extension is valid
159  extensions->selectedVersion = extension->value;
160  }
161  else
162  {
163  //The extension is not specified for the message in which it appears
165  }
166  }
167  else if(type == TLS_EXT_SERVER_NAME)
168  {
169  const TlsServerNameList *serverNameList;
170 
171  //Point to the ServerName extension
172  serverNameList = (TlsServerNameList *) extension->value;
173 
174  //Empty extension?
175  if(n == 0)
176  {
177  //When the server includes a ServerName extension, the data field
178  //of this extension may be empty
180  return ERROR_DECODING_FAILED;
181  }
182  else
183  {
184  //Malformed extension?
185  if(n < sizeof(TlsServerNameList))
186  return ERROR_DECODING_FAILED;
187  if(n != (sizeof(TlsServerNameList) + ntohs(serverNameList->length)))
188  return ERROR_DECODING_FAILED;
189 
190  //Check the length of the list
191  if(ntohs(serverNameList->length) == 0)
192  return ERROR_DECODING_FAILED;
193  }
194 
195  //The ServerName extension is valid
196  extensions->serverNameList = serverNameList;
197  }
198  else if(type == TLS_EXT_SUPPORTED_GROUPS)
199  {
200  const TlsSupportedGroupList *supportedGroupList;
201 
202  //Point to the SupportedGroups extension
203  supportedGroupList = (TlsSupportedGroupList *) extension->value;
204 
205  //Malformed extension?
206  if(n < sizeof(TlsSupportedGroupList))
207  return ERROR_DECODING_FAILED;
208  if(n != (sizeof(TlsSupportedGroupList) + ntohs(supportedGroupList->length)))
209  return ERROR_DECODING_FAILED;
210 
211  //Check the length of the list
212  if(ntohs(supportedGroupList->length) == 0)
213  return ERROR_DECODING_FAILED;
214  if((ntohs(supportedGroupList->length) % 2) != 0)
215  return ERROR_DECODING_FAILED;
216 
217  //The SupportedGroups extension is valid
218  extensions->supportedGroupList = supportedGroupList;
219  }
220  else if(type == TLS_EXT_EC_POINT_FORMATS)
221  {
222  const TlsEcPointFormatList *ecPointFormatList;
223 
224  //Point to the EcPointFormats extension
225  ecPointFormatList = (TlsEcPointFormatList *) extension->value;
226 
227  //Malformed extension?
228  if(n < sizeof(TlsEcPointFormatList))
229  return ERROR_DECODING_FAILED;
230  if(n != (sizeof(TlsEcPointFormatList) + ecPointFormatList->length))
231  return ERROR_DECODING_FAILED;
232 
233  //Check the length of the list
234  if(ntohs(ecPointFormatList->length) == 0)
235  return ERROR_DECODING_FAILED;
236 
237  //The EcPointFormats extension is valid
238  extensions->ecPointFormatList = ecPointFormatList;
239  }
241  {
242  const TlsSignHashAlgos *signAlgoList;
243 
244  //Point to the SignatureAlgorithms extension
245  signAlgoList = (TlsSignHashAlgos *) extension->value;
246 
247  //Malformed extension?
248  if(n < sizeof(TlsSignHashAlgos))
249  return ERROR_DECODING_FAILED;
250  if(n != (sizeof(TlsSignHashAlgos) + ntohs(signAlgoList->length)))
251  return ERROR_DECODING_FAILED;
252 
253  //Check the length of the list
254  if(ntohs(signAlgoList->length) == 0)
255  return ERROR_DECODING_FAILED;
256  if((ntohs(signAlgoList->length) % 2) != 0)
257  return ERROR_DECODING_FAILED;
258 
259  //The SignatureAlgorithms extension is valid
260  extensions->signAlgoList = signAlgoList;
261  }
263  {
264  const TlsSignHashAlgos *certSignAlgoList;
265 
266  //Point to the SignatureAlgorithmsCert extension
267  certSignAlgoList = (TlsSignHashAlgos *) extension->value;
268 
269  //Malformed extension?
270  if(n < sizeof(TlsSignHashAlgos))
271  return ERROR_DECODING_FAILED;
272  if(n != (sizeof(TlsSignHashAlgos) + ntohs(certSignAlgoList->length)))
273  return ERROR_DECODING_FAILED;
274 
275  //Check the length of the list
276  if(ntohs(certSignAlgoList->length) == 0)
277  return ERROR_DECODING_FAILED;
278  if((ntohs(certSignAlgoList->length) % 2) != 0)
279  return ERROR_DECODING_FAILED;
280 
281  //The SignatureAlgorithmsCert extension is valid
282  extensions->certSignAlgoList = certSignAlgoList;
283  }
284 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
286  {
287  //Malformed extension?
288  if(n != sizeof(uint8_t))
289  return ERROR_DECODING_FAILED;
290 
291  //The MaxFragmentLength extension is valid
292  extensions->maxFragLen = extension->value;
293  }
294 #endif
295 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
296  else if(type == TLS_EXT_RECORD_SIZE_LIMIT)
297  {
298  //Malformed extension?
299  if(n != sizeof(uint16_t))
300  return ERROR_DECODING_FAILED;
301 
302  //The RecordSizeLimit extension is valid
303  extensions->recordSizeLimit = extension->value;
304  }
305 #endif
306 #if (TLS_ALPN_SUPPORT == ENABLED)
307  else if(type == TLS_EXT_ALPN)
308  {
309  const TlsProtocolNameList *protocolNameList;
310 
311  //Point to the ALPN extension
312  protocolNameList = (TlsProtocolNameList *) extension->value;
313 
314  //Malformed extension?
315  if(n < sizeof(TlsProtocolNameList))
316  return ERROR_DECODING_FAILED;
317  if(n != (sizeof(TlsProtocolNameList) + ntohs(protocolNameList->length)))
318  return ERROR_DECODING_FAILED;
319 
320  //The ALPN extension is valid
321  extensions->protocolNameList = protocolNameList;
322  }
323 #endif
324 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
325  else if(type == TLS_EXT_CLIENT_CERT_TYPE)
326  {
327  //Check message type
329  {
330  const TlsCertTypeList *clientCertTypeList;
331 
332  //Point to the ClientCertType extension
333  clientCertTypeList = (TlsCertTypeList *) extension->value;
334 
335  //Malformed extension?
336  if(n < sizeof(TlsCertTypeList))
337  return ERROR_DECODING_FAILED;
338  if(n != (sizeof(TlsCertTypeList) + clientCertTypeList->length))
339  return ERROR_DECODING_FAILED;
340 
341  //The ClientCertType extension is valid
342  extensions->clientCertTypeList = clientCertTypeList;
343  }
344  else
345  {
346  //Only a single value is permitted in the ClientCertType extension
347  //when carried in the ServerHello
348  if(n != sizeof(uint8_t))
349  return ERROR_DECODING_FAILED;
350 
351  //The ClientCertType extension is valid
352  extensions->clientCertType = extension->value;
353  }
354  }
355  else if(type == TLS_EXT_SERVER_CERT_TYPE)
356  {
357  //Check message type
359  {
360  const TlsCertTypeList *serverCertTypeList;
361 
362  //Point to the ServerCertType extension
363  serverCertTypeList = (TlsCertTypeList *) extension->value;
364 
365  //Malformed extension?
366  if(n < sizeof(TlsCertTypeList))
367  return ERROR_DECODING_FAILED;
368  if(n != (sizeof(TlsCertTypeList) + serverCertTypeList->length))
369  return ERROR_DECODING_FAILED;
370 
371  //The ServerCertType extension is valid
372  extensions->serverCertTypeList = serverCertTypeList;
373  }
374  else
375  {
376  //Only a single value is permitted in the ServerCertType extension
377  //when carried in the ServerHello
378  if(n != sizeof(uint8_t))
379  return ERROR_DECODING_FAILED;
380 
381  //The ServerCertType extension is valid
382  extensions->serverCertType = extension->value;
383  }
384  }
385 #endif
386 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
388  {
389  //Malformed extension?
390  if(n != 0)
391  return ERROR_DECODING_FAILED;
392 
393  //The ExtendedMasterSecret extension is valid
394  extensions->extendedMasterSecret = extension->value;
395  }
396 #endif
397 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
398  else if(type == TLS_EXT_RENEGOTIATION_INFO)
399  {
400  const TlsRenegoInfo *renegoInfo;
401 
402  //Point to the RenegotiationInfo extension
403  renegoInfo = (TlsRenegoInfo *) extension->value;
404 
405  //Malformed extension?
406  if(n < sizeof(TlsRenegoInfo))
407  return ERROR_DECODING_FAILED;
408  if(n != (sizeof(TlsRenegoInfo) + renegoInfo->length))
409  return ERROR_DECODING_FAILED;
410 
411  //The RenegotiationInfo extension is valid
412  extensions->renegoInfo = renegoInfo;
413  }
414 #endif
415 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
416  else if(type == TLS_EXT_COOKIE)
417  {
418  const Tls13Cookie *cookie;
419 
420  //Point to the Cookie extension
421  cookie = (Tls13Cookie *) extension->value;
422 
423  //Malformed extension?
424  if(n < sizeof(Tls13Cookie))
425  return ERROR_DECODING_FAILED;
426  if(n != (sizeof(Tls13Cookie) + ntohs(cookie->length)))
427  return ERROR_DECODING_FAILED;
428 
429  //Check the length of the cookie
430  if(ntohs(cookie->length) == 0)
431  return ERROR_DECODING_FAILED;
432 
433  //The Cookie extension is valid
434  extensions->cookie = cookie;
435  }
436  else if(type == TLS_EXT_KEY_SHARE)
437  {
438  //Check message type
440  {
441  size_t k;
442  size_t m;
443  const Tls13KeyShareList *keyShareList;
444  const Tls13KeyShareEntry *keyShareEntry;
445 
446  //The extension contains a list of offered KeyShareEntry values
447  //in descending order of client preference
448  keyShareList = (Tls13KeyShareList *) extension->value;
449 
450  //Malformed extension?
451  if(n < sizeof(Tls13KeyShareList))
452  return ERROR_DECODING_FAILED;
453  if(n != (sizeof(Tls13KeyShareList) + ntohs(keyShareList->length)))
454  return ERROR_DECODING_FAILED;
455 
456  //Point to the first KeyShareEntry of the list
457  p = keyShareList->value;
458  //Retrieve the length of the list
459  m = ntohs(keyShareList->length);
460 
461  //Parse the list of key share entries offered by the peer
462  while(m > 0)
463  {
464  //Malformed extension?
465  if(m < sizeof(Tls13KeyShareEntry))
466  return ERROR_DECODING_FAILED;
467 
468  //Point to the current key share entry
469  keyShareEntry = (Tls13KeyShareEntry *) p;
470  //Retrieve the length of the key_exchange field
471  k = ntohs(keyShareEntry->length);
472 
473  //Malformed extension?
474  if(m < (sizeof(Tls13KeyShareEntry) + k))
475  return ERROR_DECODING_FAILED;
476 
477  //Point to the next entry
478  p += sizeof(Tls13KeyShareEntry) + k;
479  //Remaining bytes to process
480  m -= sizeof(Tls13KeyShareEntry) + k;
481 
482  //Clients must not offer multiple KeyShareEntry values for the
483  //same group. Servers may check for violations of this rule and
484  //abort the handshake with an illegal_parameter alert
485  error = tls13CheckDuplicateKeyShare(ntohs(keyShareEntry->group),
486  p, m);
487  //Any error to report?
488  if(error)
490  }
491 
492  //The KeyShare extension is valid
493  extensions->keyShareList = keyShareList;
494  }
496  {
497  //The extension contains the mutually supported group the server
498  //intends to negotiate
499  if(n != sizeof(uint16_t))
500  return ERROR_DECODING_FAILED;
501 
502  //The KeyShare extension is valid
503  extensions->selectedGroup = extension->value;
504  }
505  else if(msgType == TLS_TYPE_SERVER_HELLO)
506  {
507  const Tls13KeyShareEntry *serverShare;
508 
509  //The extension contains a single KeyShareEntry value that is in
510  //the same group as one of the client's shares
511  serverShare = (Tls13KeyShareEntry *) extension->value;
512 
513  //Malformed extension?
514  if(n < sizeof(Tls13KeyShareEntry))
515  return ERROR_DECODING_FAILED;
516  if(n != (sizeof(Tls13KeyShareEntry) + ntohs(serverShare->length)))
517  return ERROR_DECODING_FAILED;
518 
519  //The KeyShare extension is valid
520  extensions->serverShare = serverShare;
521  }
522  else
523  {
524  //The extension is not specified for the message in which it appears
525 #if (TLS_MAX_EMPTY_RECORDS > 0)
527 #else
529 #endif
530  }
531  }
533  {
534  const Tls13PskKeModeList *pskKeModeList;
535 
536  //The extension contains the list of PSK key exchange modes that
537  //are supported by the client
538  pskKeModeList = (Tls13PskKeModeList *) extension->value;
539 
540  //Malformed extension?
541  if(n < sizeof(Tls13PskKeModeList))
542  return ERROR_DECODING_FAILED;
543  if(n != (sizeof(Tls13PskKeModeList) + pskKeModeList->length))
544  return ERROR_DECODING_FAILED;
545 
546  //The PskKeyExchangeModes extension is valid
547  extensions->pskKeModeList = pskKeModeList;
548  }
549  else if(type == TLS_EXT_PRE_SHARED_KEY)
550  {
551  //Check message type
553  {
554  const Tls13PskIdentityList *identityList;
555  const Tls13PskBinderList *binderList;
556 
557  //The PreSharedKey extension must be the last extension in the
558  //ClientHello. Servers must check that it is the last extension and
559  //otherwise fail the handshake with an illegal_parameter alert
560  if(length != 0)
562 
563  //The extension contains a list of the identities that the client
564  //is willing to negotiate with the server
565  identityList = (Tls13PskIdentityList *) extension->value;
566 
567  //Malformed extension?
568  if(n < sizeof(Tls13PskIdentityList))
569  return ERROR_DECODING_FAILED;
570  if(n < (sizeof(Tls13PskIdentityList) + ntohs(identityList->length)))
571  return ERROR_DECODING_FAILED;
572 
573  //Remaining bytes to process
574  n -= sizeof(Tls13PskIdentityList) + ntohs(identityList->length);
575 
576  //The extension also contains a series of HMAC values, one for each
577  //PSK offered in the PreSharedKey extension and in the same order
578  binderList = (Tls13PskBinderList *) (extension->value +
579  sizeof(Tls13PskIdentityList) + ntohs(identityList->length));
580 
581  //Malformed extension?
582  if(n < sizeof(Tls13PskBinderList))
583  return ERROR_DECODING_FAILED;
584  if(n != (sizeof(Tls13PskBinderList) + ntohs(binderList->length)))
585  return ERROR_DECODING_FAILED;
586 
587  //The PreSharedKey extension is valid
588  extensions->identityList = identityList;
589  extensions->binderList = binderList;
590  }
591  else if(msgType == TLS_TYPE_SERVER_HELLO)
592  {
593  //The extension contains the chosen identity expressed as a 0-based
594  //index into the identities in the client's list
595  if(n != sizeof(uint16_t))
596  return ERROR_DECODING_FAILED;
597 
598  //The PreSharedKey extension is valid
599  extensions->selectedIdentity = extension->value;
600  }
601  else
602  {
603  //The extension is not specified for the message in which it appears
605  }
606  }
607  else if(type == TLS_EXT_EARLY_DATA)
608  {
609  //Check message type
612  {
613  //The extension data field is empty
614  if(n != 0)
615  return ERROR_DECODING_FAILED;
616  }
618  {
619  //The extension data field contains an unsigned 32-bit integer
620  if(n != sizeof(uint32_t))
621  return ERROR_DECODING_FAILED;
622  }
623  else
624  {
625  //The extension is not specified for the message in which it appears
627  }
628 
629  //The EarlyData extension is valid
630  extensions->earlyDataIndication = extension->value;
631  }
632 #endif
633  else
634  {
635  //If a client receives an extension type in the ServerHello that it
636  //did not request in the associated ClientHello, it must abort the
637  //handshake with an unsupported_extension fatal alert
641  {
642  //Report an error
644  }
645  }
646  }
647 
648  //Successful processing
649  return NO_ERROR;
650 }
651 
652 
653 /**
654  * @brief Check Hello extensions
655  * @param[in] msgType Handshake message type
656  * @param[in] version TLS version
657  * @param[in] extensions List of Hello extensions offered by the peer
658  * @return Error code
659  **/
660 
663 {
664  error_t error;
665 
666  //Initialize status code
667  error = NO_ERROR;
668 
669 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED && TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
670  //A client must treat receipt of both MaxFragmentLength and RecordSizeLimit
671  //extensions as a fatal error, and it should generate an illegal_parameter
672  //alert (refer to RFC 8449, section 5)
673  if(extensions->maxFragLen != NULL && extensions->recordSizeLimit != NULL)
674  {
675  //ServerHello or EncryptedExtensions message?
678  {
679  error = ERROR_ILLEGAL_PARAMETER;
680  }
681  }
682 #endif
683 
684 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
685  //If an implementation receives an extension which it recognizes and which
686  //is not specified for the message in which it appears it must abort the
687  //handshake with an illegal_parameter alert (refer to RFC 8446, section 4.2)
688  if(version == TLS_VERSION_1_3)
689  {
690  //SupportedVersions extension found?
691  if(extensions->supportedVersionList != NULL ||
692  extensions->selectedVersion != NULL)
693  {
694  //The extension can only appear in CH, SH and HRR messages
698  {
699  error = ERROR_ILLEGAL_PARAMETER;
700  }
701  }
702 
703  //ServerName extension found?
704  if(extensions->serverNameList != NULL)
705  {
706  //The extension can only appear in CH and EE messages
709  {
710  error = ERROR_ILLEGAL_PARAMETER;
711  }
712  }
713 
714  //SupportedGroups extension found?
715  if(extensions->supportedGroupList != NULL)
716  {
717  //The extension can only appear in CH and EE messages
720  {
721  error = ERROR_ILLEGAL_PARAMETER;
722  }
723  }
724 
725  //EcPointFormats extension found?
726  if(extensions->ecPointFormatList != NULL)
727  {
728  //The extension can only appear in CH
730  {
731  error = ERROR_ILLEGAL_PARAMETER;
732  }
733  }
734 
735  //SignatureAlgorithms extension found?
736  if(extensions->signAlgoList != NULL)
737  {
738  //The extension can only appear in CH and CR messages
741  {
742  error = ERROR_ILLEGAL_PARAMETER;
743  }
744  }
745 
746  //SignatureAlgorithmsCert extension found?
747  if(extensions->certSignAlgoList != NULL)
748  {
749  //The extension can only appear in CH and CR messages
752  {
753  error = ERROR_ILLEGAL_PARAMETER;
754  }
755  }
756 
757 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
758  //MaxFragmentLength extension found?
759  if(extensions->maxFragLen != NULL)
760  {
761  //The extension can only appear in CH and EE messages
764  {
765  error = ERROR_ILLEGAL_PARAMETER;
766  }
767  }
768 #endif
769 
770 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
771  //RecordSizeLimit extension found?
772  if(extensions->recordSizeLimit != NULL)
773  {
774  //The extension can only appear in CH and EE messages
777  {
778  error = ERROR_ILLEGAL_PARAMETER;
779  }
780  }
781 #endif
782 
783 #if (TLS_ALPN_SUPPORT == ENABLED)
784  //ALPN extension found?
785  if(extensions->protocolNameList != NULL)
786  {
787  //The extension can only appear in CH and EE messages
790  {
791  error = ERROR_ILLEGAL_PARAMETER;
792  }
793  }
794 #endif
795 
796 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
797  //ClientCertType extension found?
798  if(extensions->clientCertTypeList != NULL ||
799  extensions->clientCertType != NULL)
800  {
801  //The extension can only appear in CH and EE messages
804  {
805  error = ERROR_ILLEGAL_PARAMETER;
806  }
807  }
808 
809  //ServerCertType extension found?
810  if(extensions->serverCertTypeList != NULL ||
811  extensions->serverCertType != NULL)
812  {
813  //The extension can only appear in CH and EE messages
816  {
817  error = ERROR_ILLEGAL_PARAMETER;
818  }
819  }
820 #endif
821 
822 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
823  //ExtendedMasterSecret extension found?
824  if(extensions->extendedMasterSecret != NULL)
825  {
826  //The extension can only appear in CH
828  {
829  error = ERROR_ILLEGAL_PARAMETER;
830  }
831  }
832 #endif
833 
834 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
835  //RenegotiationInfo extension found?
836  if(extensions->renegoInfo != NULL)
837  {
838  //The extension can only appear in CH
840  {
841  error = ERROR_ILLEGAL_PARAMETER;
842  }
843  }
844 #endif
845 
846  //Cookie extension found?
847  if(extensions->cookie != NULL)
848  {
849  //The extension can only appear in CH and HRR messages
852  {
853  error = ERROR_ILLEGAL_PARAMETER;
854  }
855  }
856 
857  //KeyShare extension found?
858  if(extensions->keyShareList != NULL ||
859  extensions->serverShare != NULL ||
860  extensions->selectedGroup != NULL)
861  {
862  //The extension can only appear in CH, SH and HRR messages
866  {
867  error = ERROR_ILLEGAL_PARAMETER;
868  }
869  }
870 
871  //PskKeyExchangeModes extension found?
872  if(extensions->pskKeModeList != NULL)
873  {
874  //The extension can only appear in CH message
876  {
877  error = ERROR_ILLEGAL_PARAMETER;
878  }
879  }
880 
881  //PreSharedKey extension found?
882  if(extensions->identityList != NULL ||
883  extensions->binderList != NULL ||
884  extensions->selectedIdentity != NULL)
885  {
886  //The extension can only appear in CH and SH messages
889  {
890  error = ERROR_ILLEGAL_PARAMETER;
891  }
892  }
893 
894  //EarlyData extension found?
895  if(extensions->earlyDataIndication != NULL)
896  {
897  //The extension can only appear in CH, EE and NST messages
901  {
902  error = ERROR_ILLEGAL_PARAMETER;
903  }
904  }
905  }
906 
907  //Check mandatory-to-implement extensions
909  {
910  //A client must provide a PskKeyExchangeModes extension if it offers a
911  //PreSharedKey extension (refer to RFC 8446, section 4.2.9)
912  if(extensions->identityList != NULL || extensions->binderList != NULL)
913  {
914  //If a client offers PreSharedKey without a PskKeyExchangeModes
915  //extension, the servers must abort the handshake
916  if(extensions->pskKeModeList == NULL)
917  {
918  error = ERROR_MISSING_EXTENSION;
919  }
920  }
921 
922  //If the ClientHello does not contain a PreSharedKey extension, it must
923  //contain both a SignatureAlgorithms extension and a SupportedGroups
924  //extension (refer to RFC 8446, section 9.2)
925  if(extensions->identityList == NULL || extensions->binderList == NULL)
926  {
927  //Servers receiving a ClientHello which does not conform to these
928  //requirements must abort the handshake with a missing_extension
929  //alert
930  if(extensions->signAlgoList == NULL ||
931  extensions->supportedGroupList == NULL)
932  {
933  error = ERROR_MISSING_EXTENSION;
934  }
935  }
936 
937  //If the ClientHello contains a SupportedGroups extension, it must also
938  //contain a KeyShare extension, and vice versa
939  if(extensions->supportedGroupList != NULL &&
940  extensions->keyShareList == NULL)
941  {
942  error = ERROR_MISSING_EXTENSION;
943  }
944  else if(extensions->keyShareList != NULL &&
945  extensions->supportedGroupList == NULL)
946  {
947  error = ERROR_MISSING_EXTENSION;
948  }
949  }
950 #endif
951 
952  //Return status code
953  return error;
954 }
955 
956 
957 /**
958  * @brief Check whether the specified extension type is a duplicate
959  * @param[in] type Extension type
960  * @param[in] p Input stream where to read the list of extensions
961  * @param[in] length Number of bytes available in the input stream
962  * @return Error code
963  **/
964 
965 error_t tlsCheckDuplicateExtension(uint16_t type, const uint8_t *p,
966  size_t length)
967 {
968  size_t n;
969  const TlsExtension *extension;
970 
971  //Parse the list of extensions offered by the peer
972  while(length > 0)
973  {
974  //Point to the current extension
975  extension = (TlsExtension *) p;
976 
977  //Check the length of the extension
978  if(length < sizeof(TlsExtension))
979  return ERROR_DECODING_FAILED;
980  if(length < (sizeof(TlsExtension) + ntohs(extension->length)))
981  return ERROR_DECODING_FAILED;
982 
983  //There must not be more than one extension of the same type (refer to
984  //RFC 5246, section 7.4.1.4)
985  if(ntohs(extension->type) == type)
986  {
988  return ERROR_DECODING_FAILED;
989  else
991  }
992 
993  //Retrieve the length of the extension
994  n = ntohs(extension->length);
995 
996  //Jump to the next extension
997  p += sizeof(TlsExtension) + n;
998  //Number of bytes left to process
999  length -= sizeof(TlsExtension) + n;
1000  }
1001 
1002  //Successful verification
1003  return NO_ERROR;
1004 }
1005 
1006 
1007 /**
1008  * @brief Check whether the specified ALPN protocol is supported
1009  * @param[in] context Pointer to the TLS context
1010  * @param[in] protocol Pointer to the protocol name
1011  * @param[in] length Length of the protocol name, in bytes
1012  * @return TRUE if the specified protocol is supported, else FALSE
1013  **/
1014 
1016  const char_t *protocol, size_t length)
1017 {
1018  bool_t supported;
1019 
1020  //Initialize flag
1021  supported = FALSE;
1022 
1023 #if (TLS_ALPN_SUPPORT == ENABLED)
1024  //Sanity check
1025  if(context->protocolList != NULL)
1026  {
1027  size_t i;
1028  size_t j;
1029 
1030  //Move back to the beginning of the list
1031  i = 0;
1032  j = 0;
1033 
1034  //Parse the list of supported protocols
1035  do
1036  {
1037  //Delimiter character found?
1038  if(context->protocolList[i] == ',' || context->protocolList[i] == '\0')
1039  {
1040  //Check the length of the protocol name
1041  if(length == (i - j))
1042  {
1043  //Compare protocol names
1044  if(!memcmp(protocol, context->protocolList + j, i - j))
1045  {
1046  //The specified protocol is supported
1047  supported = TRUE;
1048  //We are done
1049  break;
1050  }
1051  }
1052 
1053  //Move to the next token
1054  j = i + 1;
1055  }
1056 
1057  //Loop until the NULL character is reached
1058  } while(context->protocolList[i++] != '\0');
1059  }
1060 #endif
1061 
1062  //Return TRUE if the specified protocol is supported
1063  return supported;
1064 }
1065 
1066 #endif
TLS (Transport Layer Security)
uint16_t version
Definition: dtls_misc.h:163
__start_packed struct @95 Tls13KeyShareEntry
Key share entry.
__start_packed struct @78 TlsRenegoInfo
Renegotiated connection.
error_t tlsParseHelloExtensions(TlsMessageType msgType, const uint8_t *p, size_t length, TlsHelloExtensions *extensions)
Parse Hello extensions.
TlsMessageType
Handshake message type.
Definition: tls.h:926
char char_t
Definition: compiler_port.h:41
Debugging facilities.
uint8_t p
Definition: ndp.h:295
#define TLS_VERSION_1_3
Definition: tls.h:90
char_t type
error_t tlsCheckDuplicateExtension(uint16_t type, const uint8_t *p, size_t length)
Check whether the specified extension type is a duplicate.
__start_packed struct @74 TlsProtocolNameList
List of protocol names.
uint8_t m
Definition: ndp.h:299
__start_packed struct @65 TlsSignHashAlgos
List of signature algorithms.
__start_packed struct @97 Tls13PskKeModeList
List of PSK key exchange modes.
__start_packed struct @75 TlsSupportedGroupList
List of supported groups.
#define TRUE
Definition: os_port.h:48
TLS record protocol.
__start_packed struct @101 Tls13PskBinderList
List of PSK binders.
Parsing and checking of TLS extensions.
__start_packed struct @68 TlsExtension
TLS extension.
#define ntohs(value)
Definition: cpu_endian.h:396
__start_packed struct @70 TlsSupportedVersionList
List of supported versions.
__start_packed struct @76 TlsEcPointFormatList
List of supported EC point formats.
DTLS record protocol.
__start_packed struct @69 TlsExtensionList
List of TLS extensions.
uint8_t cookie[]
Definition: dtls_misc.h:194
TLS cipher suites.
Success.
Definition: error.h:42
error_t
Error codes.
Definition: error.h:40
uint8_t extensions[]
Definition: tls13_misc.h:322
__start_packed struct @99 Tls13PskIdentityList
List of PSK identities.
error_t tls13CheckDuplicateKeyShare(uint16_t namedGroup, const uint8_t *p, size_t length)
__start_packed struct @94 Tls13Cookie
Cookie.
Hello extensions.
Definition: tls.h:1878
Transcript hash calculation.
__start_packed struct @72 TlsServerNameList
List of server names.
__start_packed struct @77 TlsCertTypeList
List of supported certificate types.
__start_packed struct @96 Tls13KeyShareList
List of key shares.
uint8_t protocol
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
uint8_t msgType
Definition: dtls_misc.h:177
bool_t tlsIsAlpnProtocolSupported(TlsContext *context, const char_t *protocol, size_t length)
Check whether the specified ALPN protocol is supported.
#define FALSE
Definition: os_port.h:44
#define TlsContext
Definition: tls.h:34
int bool_t
Definition: compiler_port.h:47
error_t tlsCheckHelloExtensions(TlsMessageType msgType, uint16_t version, TlsHelloExtensions *extensions)
Check Hello extensions.