tls_handshake.c
Go to the documentation of this file.
1 /**
2  * @file tls_handshake.c
3  * @brief TLS handshake
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneSSL Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @author Oryx Embedded SARL (www.oryx-embedded.com)
26  * @version 1.9.0
27  **/
28 
29 //Switch to the appropriate trace level
30 #define TRACE_LEVEL TLS_TRACE_LEVEL
31 
32 //Dependencies
33 #include "tls.h"
34 #include "tls_cipher_suites.h"
35 #include "tls_handshake.h"
36 #include "tls_client.h"
37 #include "tls_server.h"
38 #include "tls_common.h"
39 #include "tls_transcript_hash.h"
40 #include "tls_cache.h"
41 #include "tls_record.h"
42 #include "tls_misc.h"
43 #include "tls13_client.h"
44 #include "tls13_client_misc.h"
45 #include "tls13_server.h"
46 #include "tls13_server_misc.h"
47 #include "tls13_common.h"
48 #include "tls13_key_material.h"
49 #include "dtls_record.h"
50 #include "debug.h"
51 
52 //Check TLS library configuration
53 #if (TLS_SUPPORT == ENABLED)
54 
55 
56 /**
57  * @brief TLS handshake initialization
58  * @param[in] context Pointer to the TLS context
59  * @return Error code
60  **/
61 
63 {
64  //Allocate send buffer if necessary
65  if(context->txBuffer == NULL)
66  {
67  //Allocate TX buffer
68  context->txBuffer = tlsAllocMem(context->txBufferSize);
69 
70  //Failed to allocate memory?
71  if(context->txBuffer == NULL)
72  return ERROR_OUT_OF_MEMORY;
73 
74  //Clear TX buffer
75  memset(context->txBuffer, 0, context->txBufferSize);
76  }
77 
78  //Allocate receive buffer if necessary
79  if(context->rxBuffer == NULL)
80  {
81  //Allocate RX buffer
82  context->rxBuffer = tlsAllocMem(context->rxBufferSize);
83 
84  //Failed to allocate memory?
85  if(context->rxBuffer == NULL)
86  return ERROR_OUT_OF_MEMORY;
87 
88  //Clear RX buffer
89  memset(context->rxBuffer, 0, context->rxBufferSize);
90  }
91 
92 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
93  //TLS operates as a server?
94  if(context->entity == TLS_CONNECTION_END_SERVER)
95  {
96  //A server implementation may choose to reject the early data
97  context->earlyDataRejected = TRUE;
98  }
99 #endif
100 
101  //The client initiates the TLS handshake by sending a ClientHello message
102  //to the server
103  context->state = TLS_STATE_CLIENT_HELLO;
104 
105  //Successful processing
106  return NO_ERROR;
107 }
108 
109 
110 /**
111  * @brief Perform TLS handshake
112  *
113  * TLS handshake protocol is responsible for the authentication and key
114  * exchange necessary to establish a secure session
115  *
116  * @param[in] context Pointer to the TLS context
117  * @return Error code
118  **/
119 
121 {
122  error_t error;
123 
124  //Check whether TLS operates as a client or a server
125  if(context->entity == TLS_CONNECTION_END_CLIENT)
126  {
127  //Perform TLS handshake with the remote server
128  error = tlsPerformClientHandshake(context);
129  }
130  else if(context->entity == TLS_CONNECTION_END_SERVER)
131  {
132  //Perform TLS handshake with the remote client
133  error = tlsPerformServerHandshake(context);
134  }
135  else
136  {
137  //Report an error
138  error = ERROR_INVALID_PARAMETER;
139  }
140 
141  //Return status code
142  return error;
143 }
144 
145 
146 /**
147  * @brief TLS client handshake
148  * @param[in] context Pointer to the TLS context
149  * @return Error code
150  **/
151 
153 {
154 #if (TLS_CLIENT_SUPPORT == ENABLED)
155  error_t error;
156 
157  //Initialize status code
158  error = NO_ERROR;
159 
160  //Wait for the handshake to complete
161  while(!error)
162  {
163  //TLS protocol?
164  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM)
165  {
166  //Check current state
167  if(context->state != TLS_STATE_INIT &&
168  context->state != TLS_STATE_CLOSED)
169  {
170  //Flush send buffer
171  error = tlsWriteProtocolData(context, NULL, 0, TLS_TYPE_NONE);
172  //Any error to report?
173  if(error)
174  break;
175  }
176  }
177 
178  //Check whether the handshake is complete
179  if(context->state == TLS_STATE_APPLICATION_DATA)
180  {
181  //At this is point, the handshake is complete and the client starts
182  //to exchange application-layer data
183  break;
184  }
185 
186  //The TLS handshake is implemented as a state machine representing the
187  //current location in the protocol
188  switch(context->state)
189  {
190  //Initial state?
191  case TLS_STATE_INIT:
192  //TLS handshake initialization
193  error = tlsInitHandshake(context);
194  break;
195 
196  //Sending ClientHello message?
199  //When a client first connects to a server, it is required to send
200  //the ClientHello as its first message
201  error = tlsSendClientHello(context);
202  break;
203 
204  //Sending Certificate message?
206  //This is the first message the client can send after receiving a
207  //ServerHelloDone message. This message is only sent if the server
208  //requests a certificate
209  error = tlsSendCertificate(context);
210  break;
211 
212  //Sending CertificateVerify message?
214  //This message is used to provide explicit verification of a client
215  //certificate. This message is only sent following a client certificate
216  //that has signing capability. When sent, it must immediately follow
217  //the clientKeyExchange message
218  error = tlsSendCertificateVerify(context);
219  break;
220 
221  //Sending ChangeCipherSpec message?
224  //The ChangeCipherSpec message is sent by the client and to notify the
225  //server that subsequent records will be protected under the newly
226  //negotiated CipherSpec and keys
227  error = tlsSendChangeCipherSpec(context);
228  break;
229 
230  //Sending Finished message?
232  //A Finished message is always sent immediately after a ChangeCipherSpec
233  //message to verify that the key exchange and authentication processes
234  //were successful
235  error = tlsSendFinished(context);
236  break;
237 
238 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
239  //Sending ClientKeyExchange message?
241  //This message is always sent by the client. It must immediately
242  //follow the client certificate message, if it is sent. Otherwise,
243  //it must be the first message sent by the client after it receives
244  //the ServerHelloDone message
245  error = tlsSendClientKeyExchange(context);
246  break;
247 #endif
248 
249 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
250  //Sending EndOfEarlyData message?
252  //The EndOfEarlyData message indicates that all 0-RTT application
253  //data messages, if any, have been transmitted and that the following
254  //records are protected under handshake traffic keys
255  error = tls13SendEndOfEarlyData(context);
256  break;
257 
258  //Handshake traffic key generation?
260  //Compute handshake traffic keys
261  error = tls13GenerateHandshakeTrafficKeys(context);
262  break;
263 
264  //Server application traffic key generation?
266  //Compute server application traffic keys
267  error = tls13GenerateServerAppTrafficKeys(context);
268  break;
269 
270  //Client application traffic key generation?
272  //Compute client application traffic keys
273  error = tls13GenerateClientAppTrafficKeys(context);
274  break;
275 
276  //Sending KeyUpdate message?
278  //The KeyUpdate handshake message is used to indicate that the sender
279  //is updating its sending cryptographic keys
280  error = tls13SendKeyUpdate(context);
281  break;
282 #endif
283 
284  //Waiting for a message from the server?
296  //Receive server's message
297  error = tlsReceiveHandshakeMessage(context);
298  break;
299 
300  //Sending Alert message?
301  case TLS_STATE_CLOSING:
302  //Mark the TLS connection as closed
303  context->state = TLS_STATE_CLOSED;
304  break;
305 
306  //TLS connection closed?
307  case TLS_STATE_CLOSED:
308  //Debug message
309  TRACE_WARNING("TLS handshake failure!\r\n");
310  //Report an error
311  error = ERROR_HANDSHAKE_FAILED;
312  break;
313 
314  //Invalid state?
315  default:
316  //Report an error
317  error = ERROR_UNEXPECTED_STATE;
318  break;
319  }
320  }
321 
322  //Any error to report?
323  if(error)
324  {
325  //Send an alert message to the server, if applicable
326  tlsProcessError(context, error);
327  }
328 
329  //Return status code
330  return error;
331 #else
332  //Client mode of operation not implemented
333  return ERROR_NOT_IMPLEMENTED;
334 #endif
335 }
336 
337 
338 /**
339  * @brief TLS server handshake
340  * @param[in] context Pointer to the TLS context
341  * @return Error code
342  **/
343 
345 {
346 #if (TLS_SERVER_SUPPORT == ENABLED)
347  error_t error;
348 
349  //Initialize status code
350  error = NO_ERROR;
351 
352  //Wait for the handshake to complete
353  while(!error)
354  {
355  //TLS protocol?
356  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM)
357  {
358  //Check current state
359  if(context->state != TLS_STATE_INIT &&
360  context->state != TLS_STATE_CLOSED)
361  {
362  //Flush send buffer
363  error = tlsWriteProtocolData(context, NULL, 0, TLS_TYPE_NONE);
364  //Any error to report?
365  if(error)
366  break;
367  }
368  }
369 
370  //Check whether the handshake is complete
371  if(context->state == TLS_STATE_APPLICATION_DATA)
372  {
373  //At this is point, the handshake is complete and the server starts
374  //to exchange application-layer data
375  break;
376  }
377 
378  //The TLS handshake is implemented as a state machine representing the
379  //current location in the protocol
380  switch(context->state)
381  {
382  //Initial state?
383  case TLS_STATE_INIT:
384  //TLS handshake initialization
385  error = tlsInitHandshake(context);
386  break;
387 
388  //Sending ServerHello message?
391  //The server will send this message in response to a ClientHello
392  //message when it was able to find an acceptable set of algorithms
393  error = tlsSendServerHello(context);
394  break;
395 
396  //Sending Certificate message?
398  //The server must send a Certificate message whenever the agreed-
399  //upon key exchange method uses certificates for authentication. This
400  //message will always immediately follow the ServerHello message
401  error = tlsSendCertificate(context);
402  break;
403 
404  //Sending Certificate message?
406  //A non-anonymous server can optionally request a certificate from the
407  //client, if appropriate for the selected cipher suite. This message,
408  //if sent, will immediately follow the ServerKeyExchange message
409  error = tlsSendCertificateRequest(context);
410  break;
411 
412  //Sending ChangeCipherSpec message?
415  //The ChangeCipherSpec message is sent by the server and to notify the
416  //client that subsequent records will be protected under the newly
417  //negotiated CipherSpec and keys
418  error = tlsSendChangeCipherSpec(context);
419  break;
420 
421  //Sending Finished message?
423  //A Finished message is always sent immediately after a ChangeCipherSpec
424  //message to verify that the key exchange and authentication processes
425  //were successful
426  error = tlsSendFinished(context);
427  break;
428 
429 #if (DTLS_SUPPORT == ENABLED)
430  //Sending HelloVerifyRequest message?
432  //When the client sends its ClientHello message to the server, the
433  //server may respond with a HelloVerifyRequest message
434  error = dtlsSendHelloVerifyRequest(context);
435  break;
436 #endif
437 
438 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
439  //Sending ServerKeyExchange message?
441  //The ServerKeyExchange message is sent by the server only when the
442  //server Certificate message (if sent) does not contain enough data
443  //to allow the client to exchange a premaster secret
444  error = tlsSendServerKeyExchange(context);
445  break;
446 
447  //Sending ServerHelloDone message?
449  //The ServerHelloDone message is sent by the server to indicate the
450  //end of the ServerHello and associated messages
451  error = tlsSendServerHelloDone(context);
452  break;
453 #endif
454 
455 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
456  //Sending HelloRetryRequest message?
458  //The server sends a HelloRetryRequest message if the ClientHello
459  //message does not contain sufficient information to proceed with
460  //the handshake
461  error = tls13SendHelloRetryRequest(context);
462  break;
463 
464  //Handshake traffic key generation?
466  //Compute handshake traffic keys
467  error = tls13GenerateHandshakeTrafficKeys(context);
468  break;
469 
470  //Sending EncryptedExtensions message?
472  //The server sends the EncryptedExtensions message immediately after
473  //the ServerHello message. The EncryptedExtensions message contains
474  //extensions that can be protected
475  error = tls13SendEncryptedExtensions(context);
476  break;
477 
478  //Sending CertificateVerify message?
480  //Servers must send this message when authenticating via a
481  //certificate. When sent, this message must appear immediately
482  //after the Certificate message
483  error = tlsSendCertificateVerify(context);
484  break;
485 
486  //Server application traffic key generation?
488  //Compute server application traffic keys
489  error = tls13GenerateServerAppTrafficKeys(context);
490  break;
491 
492  //Client application traffic key generation?
494  //Compute client application traffic keys
495  error = tls13GenerateClientAppTrafficKeys(context);
496  break;
497 
498  //Sending NewSessionTicket message message?
500  //At any time after the server has received the client Finished
501  //message, it may send a NewSessionTicket message
502  error = tls13SendNewSessionTicket(context);
503  break;
504 
505  //Sending KeyUpdate message?
507  //The KeyUpdate handshake message is used to indicate that the sender
508  //is updating its sending cryptographic keys
509  error = tls13SendKeyUpdate(context);
510  break;
511 #endif
512 
513  //Waiting for a message from the client?
521  //Receive client's message
522  error = tlsReceiveHandshakeMessage(context);
523  break;
524 
525  //Sending Alert message?
526  case TLS_STATE_CLOSING:
527  //Mark the TLS connection as closed
528  context->state = TLS_STATE_CLOSED;
529  break;
530 
531  //TLS connection closed?
532  case TLS_STATE_CLOSED:
533  //Debug message
534  TRACE_WARNING("TLS handshake failure!\r\n");
535  //Report an error
536  error = ERROR_HANDSHAKE_FAILED;
537  break;
538 
539  //Invalid state?
540  default:
541  //Report an error
542  error = ERROR_UNEXPECTED_STATE;
543  break;
544  }
545  }
546 
547  //Successful TLS handshake?
548  if(!error)
549  {
550 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
551  //Version of TLS prior to TLS 1.3?
552  if(context->version <= TLS_VERSION_1_2)
553  {
554  //Save current session in the session cache for further reuse
555  tlsSaveToCache(context);
556  }
557 #endif
558  }
559  else
560  {
561  //Send an alert message to the client, if applicable
562  tlsProcessError(context, error);
563  }
564 
565  //Return status code
566  return error;
567 #else
568  //Server mode of operation not implemented
569  return ERROR_NOT_IMPLEMENTED;
570 #endif
571 }
572 
573 
574 /**
575  * @brief Send handshake message
576  * @param[in] context Pointer to the TLS context
577  * @param[in] data Pointer to the handshake message
578  * @param[in] length Length of the handshake message
579  * @param[in] type Handshake message type
580  * @return Error code
581  **/
582 
584  const void *data, size_t length, TlsMessageType type)
585 {
586  error_t error;
587 
588 #if (DTLS_SUPPORT == ENABLED)
589  //DTLS protocol?
590  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
591  {
593 
594  //Point to the handshake message header
595  message = (DtlsHandshake *) data;
596 
597  //Make room for the handshake message header
598  memmove(message->data, data, length);
599 
600  //Handshake message type
601  message->msgType = type;
602  //Number of bytes in the message
603  STORE24BE(length, message->length);
604  //Message sequence number
605  message->msgSeq = htons(context->txMsgSeq);
606  //Fragment offset
607  STORE24BE(0, message->fragOffset);
608  //Fragment length
609  STORE24BE(length, message->fragLength);
610 
611  //Whenever a new message is generated, the message sequence
612  //number is incremented by one
613  context->txMsgSeq++;
614 
615  //Total length of the handshake message
616  length += sizeof(DtlsHandshake);
617  }
618  else
619 #endif
620  //TLS protocol?
621  {
623 
624  //Point to the handshake message header
625  message = (TlsHandshake *) data;
626 
627  //Make room for the handshake message header
628  memmove(message->data, data, length);
629 
630  //Handshake message type
631  message->msgType = type;
632  //Number of bytes in the message
633  STORE24BE(length, message->length);
634 
635  //Total length of the handshake message
636  length += sizeof(TlsHandshake);
637  }
638 
639  //The HelloRequest message must not be included in the message hashes
640  //that are maintained throughout the handshake and used in the Finished
641  //messages and the CertificateVerify message
643  {
645  }
646 
647 #if (DTLS_SUPPORT == ENABLED)
648  //DTLS protocol?
649  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
650  {
651  //Send handshake message
653  }
654  else
655 #endif
656  //TLS protocol?
657  {
658  //Send handshake message
660  }
661 
662  //Return status code
663  return error;
664 }
665 
666 
667 /**
668  * @brief Receive peer's message
669  * @param[in] context Pointer to the TLS context
670  * @return Error code
671  **/
672 
674 {
675  error_t error;
676  size_t length;
677  uint8_t *data;
678  TlsContentType contentType;
679 
680 #if (DTLS_SUPPORT == ENABLED)
681  //DTLS protocol?
682  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
683  {
684  //A message can be fragmented across several DTLS records
685  error = dtlsReadProtocolData(context, &data, &length, &contentType);
686  }
687  else
688 #endif
689  //TLS protocol?
690  {
691  //A message can be fragmented across several TLS records
692  error = tlsReadProtocolData(context, &data, &length, &contentType);
693  }
694 
695  //Check status code
696  if(!error)
697  {
698  //Advance data pointer
699  context->rxBufferPos += length;
700  //Number of bytes still pending in the receive buffer
701  context->rxBufferLen -= length;
702 
703  //Handshake message received?
704  if(contentType == TLS_TYPE_HANDSHAKE)
705  {
706  //Parse handshake message
707  error = tlsParseHandshakeMessage(context, data, length);
708  }
709  //ChangeCipherSpec message received?
710  else if(contentType == TLS_TYPE_CHANGE_CIPHER_SPEC)
711  {
712  //The ChangeCipherSpec message is sent by an endpoint to notify the
713  //peer that subsequent records will be protected under the newly
714  //negotiated CipherSpec and keys
716  length);
717  }
718  //Alert message received?
719  else if(contentType == TLS_TYPE_ALERT)
720  {
721  //Parse Alert message
722  error = tlsParseAlert(context, (TlsAlert *) data, length);
723  }
724 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
725  //Application data received?
726  else if(contentType == TLS_TYPE_APPLICATION_DATA)
727  {
728 #if (TLS_SERVER_SUPPORT == ENABLED)
729  //TLS operates as a server?
730  if(context->entity == TLS_CONNECTION_END_SERVER)
731  {
732  //Process early data
733  error = tls13ProcessEarlyData(context, data, length);
734  }
735  else
736 #endif
737  {
738  //The server cannot transmit application data before the handshake
739  //is completed
740  error = ERROR_UNEXPECTED_MESSAGE;
741  }
742  }
743 #endif
744  //Unexpected message received?
745  else
746  {
747  //Abort the handshake with an unexpected_message alert
748  error = ERROR_UNEXPECTED_MESSAGE;
749  }
750  }
751 
752  //Return status code
753  return error;
754 }
755 
756 
757 /**
758  * @brief Parse handshake message
759  * @param[in] context Pointer to the TLS context
760  * @param[in] message Pointer to the handshake message to parse
761  * @param[in] length Length of the handshake messaged
762  * @return Error code
763  **/
764 
766  const uint8_t *message, size_t length)
767 {
768  error_t error;
769  uint8_t msgType;
770  size_t n;
771  const void *p;
772 
773 #if (DTLS_SUPPORT == ENABLED)
774  //DTLS protocol?
775  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
776  {
777  //Retrieve handshake message type
778  msgType = ((DtlsHandshake *) message)->msgType;
779  //Point to the handshake message
780  p = message + sizeof(DtlsHandshake);
781  //Calculate the length of the handshake message
782  n = length - sizeof(DtlsHandshake);
783  }
784  else
785 #endif
786  //TLS protocol?
787  {
788  //Retrieve handshake message type
789  msgType = ((TlsHandshake *) message)->msgType;
790  //Point to the handshake message
791  p = message + sizeof(TlsHandshake);
792  //Calculate the length of the handshake message
793  n = length - sizeof(TlsHandshake);
794  }
795 
796 #if (TLS_MAX_KEY_UPDATE_MESSAGES > 0)
797  //Reset the count of consecutive KeyUpdate messages
799  context->keyUpdateCount = 0;
800 #endif
801 
802 #if (TLS_CLIENT_SUPPORT == ENABLED)
803  //TLS operates as a client?
804  if(context->entity == TLS_CONNECTION_END_CLIENT)
805  {
806  //Parse server's handshake message
807  error = tlsParseServerHandshakeMessage(context, msgType, p, n);
808 
809  //Update the hash value with the incoming handshake message
811  }
812  else
813 #endif
814 #if (TLS_SERVER_SUPPORT == ENABLED)
815  //TLS operates as a server?
816  if(context->entity == TLS_CONNECTION_END_SERVER)
817  {
818  //Update the hash value with the incoming handshake message
820  {
822  }
823 
824  //Parse client's handshake message
825  error = tlsParseClientHandshakeMessage(context, msgType, p, n);
826 
827  //Update the hash value with the incoming handshake message
829  {
831  }
832  }
833  else
834 #endif
835  //Unsupported mode of operation?
836  {
837  //Report an error
838  error = ERROR_FAILURE;
839  }
840 
841  //Return status code
842  return error;
843 }
844 
845 
846 /**
847  * @brief Parse client's handshake message
848  * @param[in] context Pointer to the TLS context
849  * @param[in] msgType Handshake message type
850  * @param[in] message Pointer to the handshake message to parse
851  * @param[in] length Length of the handshake messaged
852  * @return Error code
853  **/
854 
856  const void *message, size_t length)
857 {
858 #if (TLS_SERVER_SUPPORT == ENABLED)
859  error_t error;
860 
861  //Check handshake message type
862  switch(msgType)
863  {
864  //ClientHello message received?
866  //When a client first connects to a server, it is required to send the
867  //ClientHello as its first message
868  error = tlsParseClientHello(context, message, length);
869  break;
870 
871  //Certificate message received?
873  //This is the first message the client can send after receiving a
874  //ServerHelloDone message. This message is only sent if the server
875  //requests a certificate
876  error = tlsParseCertificate(context, message, length);
877  break;
878 
879  //CertificateVerify message received?
881  //This message is used to provide explicit verification of a client
882  //certificate. This message is only sent following a client certificate
883  //that has signing capability. When sent, it must immediately follow
884  //the clientKeyExchange message
885  error = tlsParseCertificateVerify(context, message, length);
886  break;
887 
888  //Finished message received?
889  case TLS_TYPE_FINISHED:
890  //A Finished message is always sent immediately after a ChangeCipherSpec
891  //message to verify that the key exchange and authentication processes
892  //were successful
893  error = tlsParseFinished(context, message, length);
894  break;
895 
896 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
897  //ClientKeyExchange message received?
899  //This message must immediately follow the client certificate message, if
900  //it is sent. Otherwise, it must be the first message sent by the client
901  //after it receives the ServerHelloDone message
902  error = tlsParseClientKeyExchange(context, message, length);
903  break;
904 #endif
905 
906 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
907  //KeyUpdate message received?
908  case TLS_TYPE_KEY_UPDATE:
909  //The KeyUpdate handshake message is used to indicate that the client is
910  //updating its sending cryptographic keys. This message can be sent by
911  //the client after it has sent a Finished message
912  error = tls13ParseKeyUpdate(context, message, length);
913  break;
914 #endif
915 
916  //Invalid handshake message received?
917  default:
918  //Report an error
919  error = ERROR_UNEXPECTED_MESSAGE;
920  break;
921  }
922 
923  //Return status code
924  return error;
925 #else
926  //Server mode of operation not implemented
927  return ERROR_NOT_IMPLEMENTED;
928 #endif
929 }
930 
931 
932 /**
933  * @brief Parse server's handshake message
934  * @param[in] context Pointer to the TLS context
935  * @param[in] msgType Handshake message type
936  * @param[in] message Pointer to the handshake message to parse
937  * @param[in] length Length of the handshake messaged
938  * @return Error code
939  **/
940 
942  const void *message, size_t length)
943 {
944 #if (TLS_CLIENT_SUPPORT == ENABLED)
945  error_t error;
946 
947  //Check handshake message type
948  switch(msgType)
949  {
950  //HelloRequest message received?
952  //HelloRequest is a simple notification that the client should begin the
953  //negotiation process anew
954  error = tlsParseHelloRequest(context, message, length);
955  break;
956 
957  //ServerHello message received?
959 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
960  //For backward compatibility with middleboxes the HelloRetryRequest
961  //message uses the same structure as the ServerHello, but with Random
962  //field set to a special value
964  {
965  //The server sends a HelloRetryRequest message if the ClientHello
966  //message does not contain sufficient information to proceed with
967  //the handshake
968  error = tls13ParseHelloRetryRequest(context, message, length);
969  }
970  else
971 #endif
972  {
973  //The server will send this message in response to a ClientHello
974  //message when it was able to find an acceptable set of algorithms
975  error = tlsParseServerHello(context, message, length);
976  }
977  break;
978 
979  //Certificate message received?
981  //The server must send a Certificate message whenever the agreed-upon
982  //key exchange method uses certificates for authentication. This message
983  //will always immediately follow the ServerHello message
984  error = tlsParseCertificate(context, message, length);
985  break;
986 
987  //CertificateRequest message received?
989  //A non-anonymous server can optionally request a certificate from the
990  //client, if appropriate for the selected cipher suite. This message,
991  //if sent, will immediately follow the ServerKeyExchange message
992  error = tlsParseCertificateRequest(context, message, length);
993  break;
994 
995  //Finished message received?
996  case TLS_TYPE_FINISHED:
997  //A Finished message is always sent immediately after a ChangeCipherSpec
998  //message to verify that the key exchange and authentication processes
999  //were successful
1000  error = tlsParseFinished(context, message, length);
1001  break;
1002 
1003 #if (DTLS_SUPPORT == ENABLED)
1004  //HelloVerifyRequest message received?
1006  //When the client sends its ClientHello message to the server, the server
1007  //may respond with a HelloVerifyRequest message
1008  error = dtlsParseHelloVerifyRequest(context, message, length);
1009  break;
1010 #endif
1011 
1012 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1013  //ServerKeyExchange message received?
1015  //The ServerKeyExchange message is sent by the server only when the
1016  //server Certificate message (if sent) does not contain enough data
1017  //to allow the client to exchange a premaster secret
1018  error = tlsParseServerKeyExchange(context, message, length);
1019  break;
1020 
1021  //ServerHelloDone message received?
1023  //The ServerHelloDone message is sent by the server to indicate the end
1024  //of the ServerHello and associated messages
1025  error = tlsParseServerHelloDone(context, message, length);
1026  break;
1027 #endif
1028 
1029 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1030  //EncryptedExtensions message received?
1032  //The server sends the EncryptedExtensions message immediately after
1033  //the ServerHello message. The EncryptedExtensions message contains
1034  //extensions that can be protected
1035  error = tls13ParseEncryptedExtensions(context, message, length);
1036  break;
1037 
1038  //CertificateVerify message received?
1040  //Servers must send this message when authenticating via a certificate.
1041  //When sent, this message must appear immediately after the Certificate
1042  //message
1043  error = tlsParseCertificateVerify(context, message, length);
1044  break;
1045 
1046  //NewSessionTicket message received?
1048  //At any time after the server has received the client Finished message,
1049  //it may send a NewSessionTicket message
1050  error = tls13ParseNewSessionTicket(context, message, length);
1051  break;
1052 
1053  //KeyUpdate message received?
1054  case TLS_TYPE_KEY_UPDATE:
1055  //The KeyUpdate handshake message is used to indicate that the server
1056  //is updating its sending cryptographic keys. This message can be sent
1057  //by the server after it has sent a Finished message
1058  error = tls13ParseKeyUpdate(context, message, length);
1059  break;
1060 #endif
1061 
1062  //Invalid handshake message received?
1063  default:
1064  //Report an error
1065  error = ERROR_UNEXPECTED_MESSAGE;
1066  }
1067 
1068  //Return status code
1069  return error;
1070 #else
1071  //Client mode of operation not implemented
1072  return ERROR_NOT_IMPLEMENTED;
1073 #endif
1074 }
1075 
1076 #endif
TLS (Transport Layer Security)
error_t tls13SendHelloRetryRequest(TlsContext *context)
error_t tlsParseHandshakeMessage(TlsContext *context, const uint8_t *message, size_t length)
Parse handshake message.
error_t dtlsReadProtocolData(TlsContext *context, uint8_t **data, size_t *length, TlsContentType *contentType)
Read protocol data.
Definition: dtls_record.c:126
error_t tlsSendServerKeyExchange(TlsContext *context)
Send ServerKeyExchange message.
Definition: tls_server.c:177
error_t tlsParseChangeCipherSpec(TlsContext *context, const TlsChangeCipherSpec *message, size_t length)
Parse ChangeCipherSpec message.
Definition: tls_common.c:1498
error_t dtlsParseHelloVerifyRequest(TlsContext *context, const DtlsHelloVerifyRequest *message, size_t length)
Parse HelloVerifyRequest message.
Definition: dtls_misc.c:321
TlsMessageType
Handshake message type.
Definition: tls.h:926
Handshake message processing (TLS client)
error_t tls13ParseNewSessionTicket(TlsContext *context, const Tls13NewSessionTicket *message, size_t length)
Handshake message processing (TLS 1.3 client)
error_t tlsReceiveHandshakeMessage(TlsContext *context)
Receive peer&#39;s message.
error_t tlsParseServerHello(TlsContext *context, const TlsServerHello *message, size_t length)
Parse ServerHello message.
Definition: tls_client.c:859
Debugging facilities.
error_t tls13ParseHelloRetryRequest(TlsContext *context, const Tls13HelloRetryRequest *message, size_t length)
uint8_t p
Definition: ndp.h:295
TLS 1.3 key schedule.
Generic error code.
Definition: error.h:43
uint8_t message[]
Definition: chap.h:150
Helper functions for TLS 1.3 server.
Invalid parameter.
Definition: error.h:45
error_t tlsPerformHandshake(TlsContext *context)
Perform TLS handshake.
error_t tlsParseCertificateVerify(TlsContext *context, const TlsCertificateVerify *message, size_t length)
Parse CertificateVerify message.
Definition: tls_common.c:1405
error_t tlsSendClientKeyExchange(TlsContext *context)
Send ClientKeyExchange message.
Definition: tls_client.c:225
error_t tls13SendEncryptedExtensions(TlsContext *context)
__start_packed struct @59 DtlsHandshake
DTLS handshake message.
error_t tlsPerformClientHandshake(TlsContext *context)
TLS client handshake.
error_t tlsSendServerHelloDone(TlsContext *context)
Send ServerHelloDone message.
Definition: tls_server.c:337
char_t type
error_t tlsSendChangeCipherSpec(TlsContext *context)
Send ChangeCipherSpec message.
Definition: tls_common.c:266
#define htons(value)
Definition: cpu_endian.h:390
error_t tls13ProcessEarlyData(TlsContext *context, const uint8_t *data, size_t length)
error_t tls13GenerateHandshakeTrafficKeys(TlsContext *context)
error_t tlsSendFinished(TlsContext *context)
Send Finished message.
Definition: tls_common.c:381
__start_packed struct @84 TlsHandshake
TLS handshake message.
bool_t tls13IsHelloRetryRequest(const TlsServerHello *message, size_t length)
Handshake message processing (TLS 1.3 client and server)
error_t tlsParseAlert(TlsContext *context, const TlsAlert *message, size_t length)
Parse Alert message.
Definition: tls_common.c:1745
error_t tls13SendKeyUpdate(TlsContext *context)
#define TRUE
Definition: os_port.h:48
error_t tlsParseClientHandshakeMessage(TlsContext *context, uint8_t msgType, const void *message, size_t length)
Parse client&#39;s handshake message.
__start_packed struct @89 TlsAlert
Alert message.
error_t tlsSendServerHello(TlsContext *context)
Send ServerHello message.
Definition: tls_server.c:81
error_t tlsWriteProtocolData(TlsContext *context, const uint8_t *data, size_t length, TlsContentType contentType)
Write protocol data.
Definition: tls_record.c:58
error_t tlsSendCertificateVerify(TlsContext *context)
Send CertificateVerify message.
Definition: tls_common.c:190
TLS record protocol.
TLS helper functions.
error_t tlsSaveToCache(TlsContext *context)
Save current session in cache.
Definition: tls_cache.c:167
error_t tlsPerformServerHandshake(TlsContext *context)
TLS server handshake.
TLS handshake.
__start_packed struct @88 TlsChangeCipherSpec
ChangeCipherSpec message.
error_t tls13SendNewSessionTicket(TlsContext *context)
void tlsProcessError(TlsContext *context, error_t errorCode)
Translate an error code to an alert message.
Definition: tls_misc.c:54
DTLS record protocol.
#define STORE24BE(a, p)
Definition: cpu_endian.h:255
Handshake message processing (TLS client and server)
TlsContentType
Content type.
Definition: tls.h:910
error_t tlsParseClientHello(TlsContext *context, const TlsClientHello *message, size_t length)
Parse ClientHello message.
Definition: tls_server.c:1146
error_t tlsParseServerHandshakeMessage(TlsContext *context, uint8_t msgType, const void *message, size_t length)
Parse server&#39;s handshake message.
error_t tlsParseClientKeyExchange(TlsContext *context, const TlsClientKeyExchange *message, size_t length)
Parse ClientKeyExchange message.
Definition: tls_server.c:1586
#define TLS_VERSION_1_2
Definition: tls.h:83
error_t tls13GenerateClientAppTrafficKeys(TlsContext *context)
TLS cipher suites.
Success.
Definition: error.h:42
error_t tls13ParseEncryptedExtensions(TlsContext *context, const Tls13EncryptedExtensions *message, size_t length)
error_t tlsParseHelloRequest(TlsContext *context, const TlsHelloRequest *message, size_t length)
Parse HelloRequest message.
Definition: tls_client.c:792
error_t
Error codes.
Definition: error.h:40
#define TRACE_WARNING(...)
Definition: debug.h:78
error_t tlsParseFinished(TlsContext *context, const TlsFinished *message, size_t length)
Parse Finished message.
Definition: tls_common.c:1629
uint8_t data[]
Definition: dtls_misc.h:167
error_t tlsParseCertificate(TlsContext *context, const TlsCertificate *message, size_t length)
Parse Certificate message.
Definition: tls_common.c:1229
error_t dtlsSendHelloVerifyRequest(TlsContext *context)
Send HelloVerifyRequest message.
Definition: dtls_misc.c:239
error_t tlsSendHandshakeMessage(TlsContext *context, const void *data, size_t length, TlsMessageType type)
Send handshake message.
void tlsUpdateTranscriptHash(TlsContext *context, const void *data, size_t length)
Update hash value with a handshake message.
error_t tlsSendCertificate(TlsContext *context)
Send Certificate message.
Definition: tls_common.c:60
error_t tlsSendCertificateRequest(TlsContext *context)
Send CertificateRequest message.
Definition: tls_server.c:260
error_t tlsReadProtocolData(TlsContext *context, uint8_t **data, size_t *length, TlsContentType *contentType)
Read protocol data.
Definition: tls_record.c:151
Transcript hash calculation.
#define tlsAllocMem(size)
Definition: tls.h:755
error_t tlsSendClientHello(TlsContext *context)
Send ClientHello message.
Definition: tls_client.c:80
error_t tlsInitHandshake(TlsContext *context)
TLS handshake initialization.
Definition: tls_handshake.c:62
error_t dtlsWriteProtocolData(TlsContext *context, const uint8_t *data, size_t length, TlsContentType contentType)
Write protocol data.
Definition: dtls_record.c:56
Helper functions for TLS 1.3 client.
error_t tlsParseServerHelloDone(TlsContext *context, const TlsServerHelloDone *message, size_t length)
Parse ServerHelloDone message.
Definition: tls_client.c:1688
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
Handshake message processing (TLS 1.3 server)
Handshake message processing (TLS server)
uint8_t msgType
Definition: dtls_misc.h:177
error_t tlsParseCertificateRequest(TlsContext *context, const TlsCertificateRequest *message, size_t length)
Parse CertificateRequest message.
Definition: tls_client.c:1399
error_t tls13ParseKeyUpdate(TlsContext *context, const Tls13KeyUpdate *message, size_t length)
#define TlsContext
Definition: tls.h:34
Session cache management.
error_t tlsParseServerKeyExchange(TlsContext *context, const TlsServerKeyExchange *message, size_t length)
Parse ServerKeyExchange message.
Definition: tls_client.c:1242
error_t tls13GenerateServerAppTrafficKeys(TlsContext *context)
error_t tls13SendEndOfEarlyData(TlsContext *context)