tls_misc.c
Go to the documentation of this file.
1 /**
2  * @file tls_misc.c
3  * @brief TLS helper functions
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 1.9.6
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include <string.h>
36 #include "tls.h"
37 #include "tls_cipher_suites.h"
38 #include "tls_common.h"
39 #include "tls_ffdhe.h"
40 #include "tls_misc.h"
41 #include "tls13_key_material.h"
42 #include "encoding/oid.h"
43 #include "debug.h"
44 
45 //Check TLS library configuration
46 #if (TLS_SUPPORT == ENABLED)
47 
48 
49 /**
50  * @brief Translate an error code to an alert message
51  * @param[in] context Pointer to the TLS context
52  * @param[in] errorCode Internal error code
53  * @return Error code
54  **/
55 
57 {
58  //Check current state
59  if(context->state != TLS_STATE_INIT &&
60  context->state != TLS_STATE_CLOSED)
61  {
62  //Check status code
63  switch(errorCode)
64  {
65  //The timeout interval has elapsed
66  case ERROR_TIMEOUT:
67  break;
68  //The read/write operation would have blocked
69  case ERROR_WOULD_BLOCK:
70  break;
71  //Failed to allocate memory
73  break;
74  //The read/write operation has failed
75  case ERROR_WRITE_FAILED:
76  case ERROR_READ_FAILED:
77  context->state = TLS_STATE_CLOSED;
78  break;
79  //An inappropriate message was received
82  break;
83  //A record is received with an incorrect MAC
86  break;
87  //Invalid record length
90  break;
91  //Unable to negotiate an acceptable set of security parameters
94  break;
95  //A certificate was corrupt
98  break;
99  //A certificate was of an unsupported type
102  break;
103  //A certificate has expired or is not currently valid
106  break;
107  //A field in the handshake was out of range or inconsistent with other fields
110  break;
111  //The certificate could not be matched with a known, trusted CA
112  case ERROR_UNKNOWN_CA:
114  break;
115  //A message could not be decoded because some field was incorrect
118  break;
119  //A handshake cryptographic operation failed
123  break;
124  //The protocol version the client has attempted to negotiate is not supported
127  break;
128  //Inappropriate fallback detected by the server
131  break;
132  //Handshake message not containing an extension that is mandatory
135  break;
136  //The ServerHello contains an extension not present in the ClientHello
139  break;
140  //A client certificate is desired but none was provided by the client
143  break;
144  //No application protocol supported by the server
147  break;
148  //Internal error
149  default:
151  break;
152  }
153  }
154 }
155 
156 
157 /**
158  * @brief Generate client or server random value
159  * @param[in] context Pointer to the TLS context
160  * @param[out] random Pointer to the random value
161  * @return Error code
162  **/
163 
165 {
166  error_t error;
167 
168  //Verify that the pseudorandom number generator is properly configured
169  if(context->prngAlgo != NULL && context->prngContext != NULL)
170  {
171  //Generate a 32-byte random value using a cryptographically-safe
172  //pseudorandom number generator
173  error = context->prngAlgo->read(context->prngContext, random, 32);
174  }
175  else
176  {
177  //Report an error
178  error = ERROR_NOT_CONFIGURED;
179  }
180 
181 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
182  //Check status code
183  if(!error)
184  {
185  //TLS 1.3 has a downgrade protection mechanism embedded in the server's
186  //random value
187  if(context->entity == TLS_CONNECTION_END_SERVER)
188  {
189  //Check negotiated version
190  if(context->version <= TLS_VERSION_1_1 &&
191  context->versionMax >= TLS_VERSION_1_2)
192  {
193  //If negotiating TLS 1.1 or below, TLS 1.3 servers must, and TLS 1.2
194  //servers should, set the last eight bytes of their random value to
195  //the bytes 44 4F 57 4E 47 52 44 00
196  memcpy(random + 24, tls11DowngradeRandom, 8);
197  }
198  else if(context->version == TLS_VERSION_1_2 &&
199  context->versionMax >= TLS_VERSION_1_3)
200  {
201  //If negotiating TLS 1.2, TLS 1.3 servers must set the last eight
202  //bytes of their random value to the bytes 44 4F 57 4E 47 52 44 01
203  memcpy(random + 24, tls12DowngradeRandom, 8);
204  }
205  else
206  {
207  //No downgrade protection mechanism
208  }
209  }
210  }
211 #endif
212 
213  //Return status code
214  return error;
215 }
216 
217 
218 /**
219  * @brief Set the TLS version to be used
220  * @param[in] context Pointer to the TLS context
221  * @param[in] version TLS version
222  * @return Error code
223  **/
224 
226 {
227  error_t error;
228 
229  //Initialize status code
231 
232  //Check TLS version
233  if(version >= context->versionMin && version <= context->versionMax)
234  {
235  //Save the TLS protocol version to be used
236  context->version = version;
237  //The specified TLS version is acceptable
238  error = NO_ERROR;
239  }
240 
241  //Return status code
242  return error;
243 }
244 
245 
246 /**
247  * @brief Set cipher suite
248  * @param[in] context Pointer to the TLS context
249  * @param[in] identifier Cipher suite identifier
250  * @return Error code
251  **/
252 
254 {
255  error_t error;
256  uint_t i;
257  uint_t n;
259 
260  //Initialize status code
261  error = ERROR_HANDSHAKE_FAILED;
262 
263  //Determine the number of supported cipher suites
265 
266  //Loop through the list of supported cipher suites
267  for(cipherSuite = NULL, i = 0; i < n; i++)
268  {
269  //Compare cipher suite identifiers
271  {
272  //The cipher suite is supported
274  break;
275  }
276  }
277 
278  //Restrict the use of certain cipher suites
279  if(context->numCipherSuites > 0)
280  {
281  //Loop through the list of allowed cipher suites
282  for(i = 0; i < context->numCipherSuites; i++)
283  {
284  //Compare cipher suite identifiers
285  if(context->cipherSuites[i] == identifier)
286  break;
287  }
288 
289  //Check whether the use of the cipher suite is restricted
290  if(i >= context->numCipherSuites)
291  cipherSuite = NULL;
292  }
293 
294  //Acceptable cipher suite?
295  if(cipherSuite != NULL)
296  {
297  //Check whether the cipher suite can be negotiated with the negotiated
298  //protocol version
299  if(!tlsIsCipherSuiteAcceptable(cipherSuite, context->version,
300  context->version, context->transportProtocol))
301  {
302  cipherSuite = NULL;
303  }
304  }
305 
306  //Ensure that the selected cipher suite matches all the criteria
307  if(cipherSuite != NULL)
308  {
309  //Save the negotiated cipher suite
310  context->cipherSuite = *cipherSuite;
311  //Set the key exchange method to be used
312  context->keyExchMethod = cipherSuite->keyExchMethod;
313 
314  //PRF with the SHA-256 is used for all cipher suites published prior
315  //than TLS 1.2 when TLS 1.2 is negotiated
316  if(context->cipherSuite.prfHashAlgo == NULL)
317  context->cipherSuite.prfHashAlgo = SHA256_HASH_ALGO;
318 
319  //The length of the verify data depends on the TLS version currently used
320  if(context->version == SSL_VERSION_3_0)
321  {
322  //Verify data is always 36-byte long for SSL 3.0
323  context->cipherSuite.verifyDataLen = 36;
324  }
325  else if(context->version <= TLS_VERSION_1_1)
326  {
327  //Verify data is always 12-byte long for TLS 1.0 and 1.1
328  context->cipherSuite.verifyDataLen = 12;
329  }
330  else
331  {
332  //The length of the verify data depends on the cipher suite for TLS 1.2
333  }
334 
335  //The specified cipher suite is acceptable
336  error = NO_ERROR;
337  }
338 
339  //Return status code
340  return error;
341 }
342 
343 
344 /**
345  * @brief Initialize encryption engine
346  * @param[in] context Pointer to the TLS context
347  * @param[in] encryptionEngine Pointer to the encryption/decryption engine to
348  * be initialized
349  * @param[in] entity Specifies whether client or server write keys shall be used
350  * @param[in] secret Pointer to the secret value
351  * @return Error code
352  **/
353 
355  TlsEncryptionEngine *encryptionEngine, TlsConnectionEnd entity,
356  const uint8_t *secret)
357 {
358  error_t error;
359  const CipherAlgo *cipherAlgo;
361 
362  //Point to the negotiated cipher suite
363  cipherSuite = &context->cipherSuite;
364  //Point to the cipher algorithm
365  cipherAlgo = cipherSuite->cipherAlgo;
366 
367  //Save the negotiated TLS version
368  encryptionEngine->version = context->version;
369 
370  //The sequence number is set to zero at the beginning of a connection
371  //and whenever the key is changed
372  memset(&encryptionEngine->seqNum, 0, sizeof(TlsSequenceNumber));
373 
374 #if (DTLS_SUPPORT == ENABLED)
375  //The epoch number is initially zero and is incremented each time a
376  //ChangeCipherSpec message is sent
377  encryptionEngine->epoch++;
378 
379  //Sequence numbers are maintained separately for each epoch, with each
380  //sequence number initially being 0 for each epoch
381  memset(&encryptionEngine->dtlsSeqNum, 0, sizeof(DtlsSequenceNumber));
382 #endif
383 
384 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
385  //The value of RecordSizeLimit is used to limit the size of records
386  //that are created when encoding application data and the protected
387  //handshake message into records (refer to RFC 8449, section 4)
388  if(entity == context->entity)
389  {
390  encryptionEngine->recordSizeLimit = context->recordSizeLimit;
391  }
392  else
393  {
394  encryptionEngine->recordSizeLimit = MIN(context->rxBufferMaxLen,
396  }
397 #endif
398 
399  //Set appropriate length for MAC key, encryption key, authentication
400  //tag and IV
401  encryptionEngine->macKeyLen = cipherSuite->macKeyLen;
402  encryptionEngine->encKeyLen = cipherSuite->encKeyLen;
403  encryptionEngine->fixedIvLen = cipherSuite->fixedIvLen;
404  encryptionEngine->recordIvLen = cipherSuite->recordIvLen;
405  encryptionEngine->authTagLen = cipherSuite->authTagLen;
406 
407  //Set cipher and hash algorithms
408  encryptionEngine->cipherAlgo = cipherSuite->cipherAlgo;
409  encryptionEngine->cipherMode = cipherSuite->cipherMode;
410  encryptionEngine->hashAlgo = cipherSuite->hashAlgo;
411 
412  //Initialize cipher context
413  encryptionEngine->cipherContext = NULL;
414 
415 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
416  //Initialize HMAC context
417  encryptionEngine->hmacContext = &context->hmacContext;
418 #endif
419 
420 #if (TLS_GCM_CIPHER_SUPPORT == ENABLED)
421  //Initialize GCM context
422  encryptionEngine->gcmContext = NULL;
423 #endif
424 
425 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
426  //SSL 3.0, TLS 1.0, TLS 1.1 or TLS 1.2 currently selected?
427  if(context->version <= TLS_VERSION_1_2)
428  {
429  const uint8_t *p;
430 
431  //Check whether client or server write keys shall be used
432  if(entity == TLS_CONNECTION_END_CLIENT)
433  {
434  //Point to the key material
435  p = context->keyBlock;
436  //Save MAC key
437  memcpy(encryptionEngine->macKey, p, cipherSuite->macKeyLen);
438 
439  //Advance current position in the key block
440  p += 2 * cipherSuite->macKeyLen;
441  //Save encryption key
442  memcpy(encryptionEngine->encKey, p, cipherSuite->encKeyLen);
443 
444  //Advance current position in the key block
445  p += 2 * cipherSuite->encKeyLen;
446  //Save initialization vector
447  memcpy(encryptionEngine->iv, p, cipherSuite->fixedIvLen);
448  }
449  else
450  {
451  //Point to the key material
452  p = context->keyBlock + cipherSuite->macKeyLen;
453  //Save MAC key
454  memcpy(encryptionEngine->macKey, p, cipherSuite->macKeyLen);
455 
456  //Advance current position in the key block
457  p += cipherSuite->macKeyLen + cipherSuite->encKeyLen;
458  //Save encryption key
459  memcpy(encryptionEngine->encKey, p, cipherSuite->encKeyLen);
460 
461  //Advance current position in the key block
462  p += cipherSuite->encKeyLen + cipherSuite->fixedIvLen;
463  //Save initialization vector
464  memcpy(encryptionEngine->iv, p, cipherSuite->fixedIvLen);
465  }
466 
467  //Successful processing
468  error = NO_ERROR;
469  }
470  else
471 #endif
472 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
473  //TLS 1.3 currently selected?
474  if(context->version == TLS_VERSION_1_3)
475  {
476  const HashAlgo *hashAlgo;
477 
478  //The hash function used by HKDF is the cipher suite hash algorithm
479  hashAlgo = cipherSuite->prfHashAlgo;
480 
481  //Make sure the hash algorithm is valid
482  if(hashAlgo != NULL)
483  {
484  //Calculate the write key
485  error = tls13HkdfExpandLabel(hashAlgo, secret, hashAlgo->digestSize,
486  "key", NULL, 0, encryptionEngine->encKey, cipherSuite->encKeyLen);
487 
488  //Debug message
489  TRACE_DEBUG("Write Key:\r\n");
490  TRACE_DEBUG_ARRAY(" ", encryptionEngine->encKey, cipherSuite->encKeyLen);
491 
492  //Check status code
493  if(!error)
494  {
495  //Calculate the write IV
496  error = tls13HkdfExpandLabel(hashAlgo, secret, hashAlgo->digestSize,
497  "iv", NULL, 0, encryptionEngine->iv, cipherSuite->fixedIvLen);
498  }
499 
500  //Debug message
501  TRACE_DEBUG("Write IV:\r\n");
502  TRACE_DEBUG_ARRAY(" ", encryptionEngine->iv, cipherSuite->fixedIvLen);
503  }
504  else
505  {
506  //Invalid HKDF hash algorithm
507  error = ERROR_FAILURE;
508  }
509  }
510  else
511 #endif
512  //Invalid TLS version?
513  {
514  //Report an error
515  error = ERROR_INVALID_VERSION;
516  }
517 
518  //Check status code
519  if(!error)
520  {
521  //Check cipher mode of operation
522  if(encryptionEngine->cipherMode == CIPHER_MODE_STREAM ||
523  encryptionEngine->cipherMode == CIPHER_MODE_CBC ||
524  encryptionEngine->cipherMode == CIPHER_MODE_CCM ||
525  encryptionEngine->cipherMode == CIPHER_MODE_GCM)
526  {
527  //Allocate encryption context
528  encryptionEngine->cipherContext = tlsAllocMem(cipherAlgo->contextSize);
529 
530  //Successful memory allocation?
531  if(encryptionEngine->cipherContext != NULL)
532  {
533  //Configure the encryption engine with the write key
534  error = cipherAlgo->init(encryptionEngine->cipherContext,
535  encryptionEngine->encKey, cipherSuite->encKeyLen);
536  }
537  else
538  {
539  //Failed to allocate memory
540  error = ERROR_OUT_OF_MEMORY;
541  }
542  }
543  else if(encryptionEngine->cipherMode == CIPHER_MODE_NULL ||
544  encryptionEngine->cipherMode == CIPHER_MODE_CHACHA20_POLY1305)
545  {
546  //No need to allocate an encryption context
547  error = NO_ERROR;
548  }
549  else
550  {
551  //Unsupported mode of operation
552  error = ERROR_FAILURE;
553  }
554  }
555 
556 #if (TLS_GCM_CIPHER_SUPPORT == ENABLED)
557  //Check status code
558  if(!error)
559  {
560  //GCM cipher mode?
561  if(encryptionEngine->cipherMode == CIPHER_MODE_GCM)
562  {
563  //Allocate a memory buffer to hold the GCM context
564  encryptionEngine->gcmContext = tlsAllocMem(sizeof(GcmContext));
565 
566  //Successful memory allocation?
567  if(encryptionEngine->gcmContext != NULL)
568  {
569  //Initialize GCM context
570  error = gcmInit(encryptionEngine->gcmContext, cipherAlgo,
571  encryptionEngine->cipherContext);
572  }
573  else
574  {
575  //Failed to allocate memory
576  error = ERROR_OUT_OF_MEMORY;
577  }
578  }
579  }
580 #endif
581 
582  //Return status code
583  return error;
584 }
585 
586 
587 /**
588  * @brief Release encryption engine
589  * @param[in] encryptionEngine Pointer to the encryption/decryption engine
590  **/
591 
593 {
594  //Valid cipher context?
595  if(encryptionEngine->cipherContext != NULL)
596  {
597  //Erase cipher context
598  memset(encryptionEngine->cipherContext, 0,
599  encryptionEngine->cipherAlgo->contextSize);
600 
601  //Release memory
602  tlsFreeMem(encryptionEngine->cipherContext);
603  encryptionEngine->cipherContext = NULL;
604  }
605 
606 #if (TLS_GCM_CIPHER_SUPPORT == ENABLED)
607  //Valid GCM context?
608  if(encryptionEngine->gcmContext != NULL)
609  {
610  //Erase GCM context
611  memset(encryptionEngine->gcmContext, 0, sizeof(GcmContext));
612 
613  //Release memory
614  tlsFreeMem(encryptionEngine->gcmContext);
615  encryptionEngine->gcmContext = NULL;
616  }
617 #endif
618 
619  //Reset encryption parameters
620  encryptionEngine->cipherAlgo = NULL;
621  encryptionEngine->cipherMode = CIPHER_MODE_NULL;
622  encryptionEngine->hashAlgo = NULL;
623 }
624 
625 
626 /**
627  * @brief Encode a multiple precision integer to an opaque vector
628  * @param[in] a Pointer to a multiple precision integer
629  * @param[out] data Buffer where to store the opaque vector
630  * @param[out] length Total number of bytes that have been written
631  * @return Error code
632  **/
633 
634 error_t tlsWriteMpi(const Mpi *a, uint8_t *data, size_t *length)
635 {
636  error_t error;
637  size_t n;
638 
639  //Retrieve the actual size of the integer
640  n = mpiGetByteLength(a);
641 
642  //The data is preceded by a 2-byte length field
643  STORE16BE(n, data);
644 
645  //Convert the integer to an octet string
646  error = mpiExport(a, data + 2, n, MPI_FORMAT_BIG_ENDIAN);
647  //Conversion failed?
648  if(error)
649  return error;
650 
651  //Return the total number of bytes that have been written
652  *length = n + 2;
653  //Successful processing
654  return NO_ERROR;
655 }
656 
657 
658 /**
659  * @brief Read a multiple precision integer from an opaque vector
660  * @param[out] a Resulting multiple precision integer
661  * @param[in] data Buffer where to read the opaque vector
662  * @param[in] size Total number of bytes available in the buffer
663  * @param[out] length Total number of bytes that have been read
664  * @return Error code
665  **/
666 
667 error_t tlsReadMpi(Mpi *a, const uint8_t *data, size_t size, size_t *length)
668 {
669  error_t error;
670  size_t n;
671 
672  //Buffer underrun?
673  if(size < 2)
674  return ERROR_DECODING_FAILED;
675 
676  //Decode the length field
677  n = LOAD16BE(data);
678 
679  //Buffer underrun?
680  if(size < (n + 2))
681  return ERROR_DECODING_FAILED;
682 
683  //Convert the octet string to a multiple precision integer
684  error = mpiImport(a, data + 2, n, MPI_FORMAT_BIG_ENDIAN);
685  //Any error to report?
686  if(error)
687  return error;
688 
689  //Return the total number of bytes that have been read
690  *length = n + 2;
691  //Successful processing
692  return NO_ERROR;
693 }
694 
695 
696 /**
697  * @brief Encode an EC point to an opaque vector
698  * @param[in] params EC domain parameters
699  * @param[in] a Pointer to an EC point
700  * @param[out] data Buffer where to store the opaque vector
701  * @param[out] length Total number of bytes that have been written
702  * @return Error code
703  **/
704 
706  const EcPoint *a, uint8_t *data, size_t *length)
707 {
708 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
709  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
710  error_t error;
711 
712  //Convert the EC point to an octet string
713  error = ecExport(params, a, data + 1, length);
714  //Any error to report?
715  if(error)
716  return error;
717 
718  //Set the length of the opaque vector
719  data[0] = (uint8_t) (*length);
720 
721  //Return the total number of bytes that have been written
722  *length += 1;
723  //Successful processing
724  return NO_ERROR;
725 #else
726  //Not implemented
727  return ERROR_NOT_IMPLEMENTED;
728 #endif
729 }
730 
731 
732 /**
733  * @brief Read an EC point from an opaque vector
734  * @param[in] params EC domain parameters
735  * @param[out] a Resulting EC point
736  * @param[in] data Buffer where to read the opaque vector
737  * @param[in] size Total number of bytes available in the buffer
738  * @param[out] length Total number of bytes that have been read
739  * @return Error code
740  **/
741 
743  EcPoint *a, const uint8_t *data, size_t size, size_t *length)
744 {
745 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
746  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
747  error_t error;
748  size_t n;
749 
750  //Buffer underrun?
751  if(size < 1)
752  return ERROR_DECODING_FAILED;
753 
754  //The EC point representation is preceded by a length field
755  n = data[0];
756 
757  //Invalid EC point representation?
758  if(n == 0)
759  return ERROR_DECODING_FAILED;
760 
761  //Buffer underrun?
762  if(size < (n + 1))
763  return ERROR_DECODING_FAILED;
764 
765  //Convert the octet string to an EC point
766  error = ecImport(params, a, data + 1, n);
767  //Any error to report?
768  if(error)
769  return error;
770 
771  //Return the total number of bytes that have been read
772  *length = n + 1;
773  //Successful processing
774  return NO_ERROR;
775 #else
776  //Not implemented
777  return ERROR_NOT_IMPLEMENTED;
778 #endif
779 }
780 
781 
782 /**
783  * @brief Convert TLS version to string representation
784  * @param[in] version Version number
785  * @return Cipher suite name
786  **/
787 
789 {
790  //TLS versions
791  static const char_t *label[] =
792  {
793  "SSL 3.0",
794  "TLS 1.0",
795  "TLS 1.1",
796  "TLS 1.2",
797  "TLS 1.3",
798  "DTLS 1.0",
799  "DTLS 1.2",
800  "Unknown"
801  };
802 
803  //Check current version
804  if(version == SSL_VERSION_3_0)
805  return label[0];
806  else if(version == TLS_VERSION_1_0)
807  return label[1];
808  else if(version == TLS_VERSION_1_1)
809  return label[2];
810  else if(version == TLS_VERSION_1_2)
811  return label[3];
812  else if(version == TLS_VERSION_1_3)
813  return label[4];
814  else if(version == DTLS_VERSION_1_0)
815  return label[5];
816  else if(version == DTLS_VERSION_1_2)
817  return label[6];
818  else
819  return label[7];
820 }
821 
822 
823 /**
824  * @brief Get the hash algorithm that matches the specified identifier
825  * @param[in] hashAlgoId Hash algorithm identifier
826  * @return Pointer to the hash algorithm
827  **/
828 
829 const HashAlgo *tlsGetHashAlgo(uint8_t hashAlgoId)
830 {
831  const HashAlgo *hashAlgo;
832 
833  //Check hash algorithm identifier
834  switch(hashAlgoId)
835  {
836 #if (TLS_MD5_SUPPORT == ENABLED)
837  //MD5 hash identifier?
838  case TLS_HASH_ALGO_MD5:
839  hashAlgo = MD5_HASH_ALGO;
840  break;
841 #endif
842 #if (TLS_SHA1_SUPPORT == ENABLED)
843  //SHA-1 hash identifier?
844  case TLS_HASH_ALGO_SHA1:
845  hashAlgo = SHA1_HASH_ALGO;
846  break;
847 #endif
848 #if (TLS_SHA224_SUPPORT == ENABLED)
849  //SHA-224 hash identifier?
851  hashAlgo = SHA224_HASH_ALGO;
852  break;
853 #endif
854 #if (TLS_SHA256_SUPPORT == ENABLED)
855  //SHA-256 hash identifier?
857  hashAlgo = SHA256_HASH_ALGO;
858  break;
859 #endif
860 #if (TLS_SHA384_SUPPORT == ENABLED)
861  //SHA-384 hash identifier?
863  hashAlgo = SHA384_HASH_ALGO;
864  break;
865 #endif
866 #if (TLS_SHA512_SUPPORT == ENABLED)
867  //SHA-512 hash identifier?
869  hashAlgo = SHA512_HASH_ALGO;
870  break;
871 #endif
872  //Unknown hash identifier?
873  default:
874  hashAlgo = NULL;
875  break;
876  }
877 
878  //Return a pointer to the corresponding hash algorithm
879  return hashAlgo;
880 }
881 
882 
883 /**
884  * @brief Get the EC domain parameters that match the specified named curve
885  * @param[in] context Pointer to the TLS context
886  * @param[in] namedCurve Elliptic curve identifier
887  * @return Elliptic curve domain parameters
888  **/
889 
890 const EcCurveInfo *tlsGetCurveInfo(TlsContext *context, uint16_t namedCurve)
891 {
892  uint_t i;
893  const EcCurveInfo *curveInfo;
894 
895  //Default elliptic curve domain parameters
896  curveInfo = NULL;
897 
898 #if (TLS_ECDH_SUPPORT == ENABLED)
899  //Check named curve
900  switch(namedCurve)
901  {
902 #if (TLS_SECP160K1_SUPPORT == ENABLED)
903  //secp160k1 elliptic curve?
904  case TLS_GROUP_SECP160K1:
905  curveInfo = ecGetCurveInfo(SECP160K1_OID, sizeof(SECP160K1_OID));
906  break;
907 #endif
908 #if (TLS_SECP160R1_SUPPORT == ENABLED)
909  //secp160r1 elliptic curve?
910  case TLS_GROUP_SECP160R1:
911  curveInfo = ecGetCurveInfo(SECP160R1_OID, sizeof(SECP160R1_OID));
912  break;
913 #endif
914 #if (TLS_SECP160R2_SUPPORT == ENABLED)
915  //secp160r2 elliptic curve?
916  case TLS_GROUP_SECP160R2:
917  curveInfo = ecGetCurveInfo(SECP160R2_OID, sizeof(SECP160R2_OID));
918  break;
919 #endif
920 #if (TLS_SECP192K1_SUPPORT == ENABLED)
921  //secp192k1 elliptic curve?
922  case TLS_GROUP_SECP192K1:
923  curveInfo = ecGetCurveInfo(SECP192K1_OID, sizeof(SECP192K1_OID));
924  break;
925 #endif
926 #if (TLS_SECP192R1_SUPPORT == ENABLED)
927  //secp192r1 elliptic curve?
928  case TLS_GROUP_SECP192R1:
929  curveInfo = ecGetCurveInfo(SECP192R1_OID, sizeof(SECP192R1_OID));
930  break;
931 #endif
932 #if (TLS_SECP224K1_SUPPORT == ENABLED)
933  //secp224k1 elliptic curve?
934  case TLS_GROUP_SECP224K1:
935  curveInfo = ecGetCurveInfo(SECP224K1_OID, sizeof(SECP224K1_OID));
936  break;
937 #endif
938 #if (TLS_SECP224R1_SUPPORT == ENABLED)
939  //secp224r1 elliptic curve?
940  case TLS_GROUP_SECP224R1:
941  curveInfo = ecGetCurveInfo(SECP224R1_OID, sizeof(SECP224R1_OID));
942  break;
943 #endif
944 #if (TLS_SECP256K1_SUPPORT == ENABLED)
945  //secp256k1 elliptic curve?
946  case TLS_GROUP_SECP256K1:
947  curveInfo = ecGetCurveInfo(SECP256K1_OID, sizeof(SECP256K1_OID));
948  break;
949 #endif
950 #if (TLS_SECP256R1_SUPPORT == ENABLED)
951  //secp256r1 elliptic curve?
952  case TLS_GROUP_SECP256R1:
953  curveInfo = ecGetCurveInfo(SECP256R1_OID, sizeof(SECP256R1_OID));
954  break;
955 #endif
956 #if (TLS_SECP384R1_SUPPORT == ENABLED)
957  //secp384r1 elliptic curve?
958  case TLS_GROUP_SECP384R1:
959  curveInfo = ecGetCurveInfo(SECP384R1_OID, sizeof(SECP384R1_OID));
960  break;
961 #endif
962 #if (TLS_SECP521R1_SUPPORT == ENABLED)
963  //secp521r1 elliptic curve?
964  case TLS_GROUP_SECP521R1:
965  curveInfo = ecGetCurveInfo(SECP521R1_OID, sizeof(SECP521R1_OID));
966  break;
967 #endif
968 #if (TLS_BRAINPOOLP256R1_SUPPORT == ENABLED)
969  //brainpoolP256r1 elliptic curve?
973  break;
974 #endif
975 #if (TLS_BRAINPOOLP384R1_SUPPORT == ENABLED)
976  //brainpoolP384r1 elliptic curve?
980  break;
981 #endif
982 #if (TLS_BRAINPOOLP512R1_SUPPORT == ENABLED)
983  //brainpoolP512r1 elliptic curve?
987  break;
988 #endif
989 #if (TLS_X25519_SUPPORT == ENABLED)
990  //Curve25519 elliptic curve?
992  curveInfo = ecGetCurveInfo(X25519_OID, sizeof(X25519_OID));
993  break;
994 #endif
995 #if (TLS_X448_SUPPORT == ENABLED)
996  //Curve448 elliptic curve?
997  case TLS_GROUP_ECDH_X448:
998  curveInfo = ecGetCurveInfo(X448_OID, sizeof(X448_OID));
999  break;
1000 #endif
1001  //Unknown elliptic curve identifier?
1002  default:
1003  curveInfo = NULL;
1004  break;
1005  }
1006 #endif
1007 
1008  //Restrict the use of certain elliptic curves
1009  if(context->numSupportedGroups > 0)
1010  {
1011  //Loop through the list of allowed named groups
1012  for(i = 0; i < context->numSupportedGroups; i++)
1013  {
1014  //Compare named groups
1015  if(context->supportedGroups[i] == namedCurve)
1016  break;
1017  }
1018 
1019  //Check whether the use of the elliptic curve is restricted
1020  if(i >= context->numSupportedGroups)
1021  curveInfo = NULL;
1022  }
1023 
1024  //Return elliptic curve domain parameters, if any
1025  return curveInfo;
1026 }
1027 
1028 
1029 /**
1030  * @brief Get the named curve that matches the specified OID
1031  * @param[in] oid Object identifier
1032  * @param[in] length OID length
1033  * @return Named curve
1034  **/
1035 
1036 TlsNamedGroup tlsGetNamedCurve(const uint8_t *oid, size_t length)
1037 {
1038  TlsNamedGroup namedCurve;
1039 
1040  //Default named curve
1041  namedCurve = TLS_GROUP_NONE;
1042 
1043 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
1044  //Invalid parameters?
1045  if(oid == NULL || length == 0)
1046  {
1047  namedCurve = TLS_GROUP_NONE;
1048  }
1049 #if (TLS_SECP160K1_SUPPORT == ENABLED)
1050  //secp160k1 elliptic curve?
1051  else if(!oidComp(oid, length, SECP160K1_OID, sizeof(SECP160K1_OID)))
1052  {
1053  namedCurve = TLS_GROUP_SECP160K1;
1054  }
1055 #endif
1056 #if (TLS_SECP160R1_SUPPORT == ENABLED)
1057  //secp160r1 elliptic curve?
1058  else if(!oidComp(oid, length, SECP160R1_OID, sizeof(SECP160R1_OID)))
1059  {
1060  namedCurve = TLS_GROUP_SECP160R1;
1061  }
1062 #endif
1063 #if (TLS_SECP160R2_SUPPORT == ENABLED)
1064  //secp160r2 elliptic curve?
1065  else if(!oidComp(oid, length, SECP160R2_OID, sizeof(SECP160R2_OID)))
1066  {
1067  namedCurve = TLS_GROUP_SECP160R2;
1068  }
1069 #endif
1070 #if (TLS_SECP192K1_SUPPORT == ENABLED)
1071  //secp192k1 elliptic curve?
1072  else if(!oidComp(oid, length, SECP192K1_OID, sizeof(SECP192K1_OID)))
1073  {
1074  namedCurve = TLS_GROUP_SECP192K1;
1075  }
1076 #endif
1077 #if (TLS_SECP192R1_SUPPORT == ENABLED)
1078  //secp192r1 elliptic curve?
1079  else if(!oidComp(oid, length, SECP192R1_OID, sizeof(SECP192R1_OID)))
1080  {
1081  namedCurve = TLS_GROUP_SECP192R1;
1082  }
1083 #endif
1084 #if (TLS_SECP224K1_SUPPORT == ENABLED)
1085  //secp224k1 elliptic curve?
1086  else if(!oidComp(oid, length, SECP224K1_OID, sizeof(SECP224K1_OID)))
1087  {
1088  namedCurve = TLS_GROUP_SECP224K1;
1089  }
1090 #endif
1091 #if (TLS_SECP224R1_SUPPORT == ENABLED)
1092  //secp224r1 elliptic curve?
1093  else if(!oidComp(oid, length, SECP224R1_OID, sizeof(SECP224R1_OID)))
1094  {
1095  namedCurve = TLS_GROUP_SECP224R1;
1096  }
1097 #endif
1098 #if (TLS_SECP256K1_SUPPORT == ENABLED)
1099  //secp256k1 elliptic curve?
1100  else if(!oidComp(oid, length, SECP256K1_OID, sizeof(SECP256K1_OID)))
1101  {
1102  namedCurve = TLS_GROUP_SECP256K1;
1103  }
1104 #endif
1105 #if (TLS_SECP256R1_SUPPORT == ENABLED)
1106  //secp256r1 elliptic curve?
1107  else if(!oidComp(oid, length, SECP256R1_OID, sizeof(SECP256R1_OID)))
1108  {
1109  namedCurve = TLS_GROUP_SECP256R1;
1110  }
1111 #endif
1112 #if (TLS_SECP384R1_SUPPORT == ENABLED)
1113  //secp384r1 elliptic curve?
1114  else if(!oidComp(oid, length, SECP384R1_OID, sizeof(SECP384R1_OID)))
1115  {
1116  namedCurve = TLS_GROUP_SECP384R1;
1117  }
1118 #endif
1119 #if (TLS_SECP521R1_SUPPORT == ENABLED)
1120  //secp521r1 elliptic curve?
1121  else if(!oidComp(oid, length, SECP521R1_OID, sizeof(SECP521R1_OID)))
1122  {
1123  namedCurve = TLS_GROUP_SECP521R1;
1124  }
1125 #endif
1126 #if (TLS_BRAINPOOLP256R1_SUPPORT == ENABLED)
1127  //brainpoolP256r1 elliptic curve?
1129  {
1130  namedCurve = TLS_GROUP_BRAINPOOLP256R1;
1131  }
1132 #endif
1133 #if (TLS_BRAINPOOLP384R1_SUPPORT == ENABLED)
1134  //brainpoolP384r1 elliptic curve?
1136  {
1137  namedCurve = TLS_GROUP_BRAINPOOLP384R1;
1138  }
1139 #endif
1140 #if (TLS_BRAINPOOLP512R1_SUPPORT == ENABLED)
1141  //brainpoolP512r1 elliptic curve?
1143  {
1144  namedCurve = TLS_GROUP_BRAINPOOLP512R1;
1145  }
1146 #endif
1147  //Unknown identifier?
1148  else
1149  {
1150  namedCurve = TLS_GROUP_NONE;
1151  }
1152 #endif
1153 
1154  //Return the corresponding named curve
1155  return namedCurve;
1156 }
1157 
1158 
1159 /**
1160  * @brief Compute overhead caused by encryption
1161  * @param[in] encryptionEngine Pointer to the encryption engine
1162  * @param[in] payloadLen Length of the payload, in bytes
1163  * @return Overhead, in bytes, caused by encryption
1164  **/
1165 
1167  size_t payloadLen)
1168 {
1169  size_t n;
1170 
1171  //Initialize variable
1172  n = 0;
1173 
1174  //Message authentication?
1175  if(encryptionEngine->hashAlgo != NULL)
1176  n += encryptionEngine->hashAlgo->digestSize;
1177 
1178  //Check cipher mode
1179  if(encryptionEngine->cipherMode == CIPHER_MODE_CBC)
1180  {
1181  //TLS 1.1 and 1.2 use an explicit IV
1182  if(encryptionEngine->version >= TLS_VERSION_1_1)
1183  n += encryptionEngine->recordIvLen;
1184 
1185  //Padding is added to force the length of the plaintext to be an
1186  //integral multiple of the cipher's block length
1187  n += encryptionEngine->cipherAlgo->blockSize -
1188  ((payloadLen + n) % encryptionEngine->cipherAlgo->blockSize);
1189  }
1190  else if(encryptionEngine->cipherMode == CIPHER_MODE_CCM ||
1191  encryptionEngine->cipherMode == CIPHER_MODE_GCM)
1192  {
1193  //Consider the explicit nonce and the authentication tag
1194  n += encryptionEngine->recordIvLen + encryptionEngine->authTagLen;
1195  }
1196  else if(encryptionEngine->cipherMode == CIPHER_MODE_CHACHA20_POLY1305)
1197  {
1198  //Consider the authentication tag only
1199  n += encryptionEngine->authTagLen;
1200  }
1201  else
1202  {
1203  //Stream ciphers do not cause any overhead
1204  }
1205 
1206  //Return the total overhead caused by encryption
1207  return n;
1208 }
1209 
1210 
1211 /**
1212  * @brief DNS hostname verification
1213  * @param[in] name Pointer to the hostname
1214  * @param[in] length Length of the hostname
1215  * @return The function returns TRUE is the name is a valid DNS hostname
1216  **/
1217 
1219 {
1220  size_t i;
1221  bool_t valid;
1222 
1223  //Initialize flag
1224  valid = TRUE;
1225 
1226  //Loop through the hostname
1227  for(i = 0; i < length && valid; i++)
1228  {
1229  //DNS hostnames must start with a letter, end with a letter or
1230  //digit, and have as interior characters only letters, digits,
1231  //and hyphen (refer to RFC 1034, section 3.5)
1232  if(name[i] == '-' || name[i] == '.')
1233  {
1234  //Valid character
1235  }
1236  else if(name[i] >= '0' && name[i] <= '9')
1237  {
1238  //Valid character
1239  }
1240  else if(name[i] >= 'A' && name[i] <= 'Z')
1241  {
1242  //Valid character
1243  }
1244  else if(name[i] >= 'a' && name[i] <= 'z')
1245  {
1246  //Valid character
1247  }
1248  else
1249  {
1250  //Invalid character
1251  valid = FALSE;
1252  }
1253  }
1254 
1255  //Return TRUE is the name is a valid DNS hostname
1256  return valid;
1257 }
1258 
1259 #endif
@ TLS_GROUP_BRAINPOOLP512R1_TLS13
Definition: tls.h:1240
#define TLS_MAX_RECORD_LENGTH
Definition: tls.h:830
#define tlsAllocMem(size)
Definition: tls.h:757
TLS helper functions.
@ TLS_ALERT_DECODE_ERROR
Definition: tls.h:988
uint8_t length
Definition: dtls_misc.h:149
@ TLS_ALERT_UNEXPECTED_MESSAGE
Definition: tls.h:973
size_t fixedIvLen
Length of the fixed part of the IV.
Definition: tls.h:1950
@ TLS_GROUP_BRAINPOOLP256R1_TLS13
Definition: tls.h:1238
#define SHA256_HASH_ALGO
Definition: sha256.h:46
int bool_t
Definition: compiler_port.h:49
@ TLS_GROUP_SECP160R2
Definition: tls.h:1224
TLS cipher suites.
const EcCurveInfo * ecGetCurveInfo(const uint8_t *oid, size_t length)
Get the elliptic curve that matches the specified OID.
Definition: ec_curves.c:2172
@ TLS_ALERT_CERTIFICATE_REQUIRED
Definition: tls.h:1004
#define SHA1_HASH_ALGO
Definition: sha1.h:46
size_t encKeyLen
Length of the encryption key.
Definition: tls.h:1948
error_t tlsInitEncryptionEngine(TlsContext *context, TlsEncryptionEngine *encryptionEngine, TlsConnectionEnd entity, const uint8_t *secret)
Initialize encryption engine.
Definition: tls_misc.c:354
DtlsSequenceNumber dtlsSeqNum
Record sequence number.
Definition: tls.h:1964
@ CIPHER_MODE_CBC
Definition: crypto.h:1082
@ ERROR_WOULD_BLOCK
Definition: error.h:95
uint8_t a
Definition: ndp.h:410
#define SHA512_HASH_ALGO
Definition: sha512.h:46
const uint8_t X25519_OID[3]
Definition: ec_curves.c:92
Arbitrary precision integer.
Definition: mpi.h:69
@ TLS_ALERT_ILLEGAL_PARAMETER
Definition: tls.h:985
@ ERROR_VERSION_NOT_SUPPORTED
Definition: error.h:67
@ ERROR_NOT_IMPLEMENTED
Definition: error.h:66
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:237
error_t ecImport(const EcDomainParameters *params, EcPoint *r, const uint8_t *data, size_t length)
Convert an octet string to an EC point.
Definition: ec.c:214
@ ERROR_DECRYPTION_FAILED
Definition: error.h:236
@ TLS_ALERT_UNSUPPORTED_EXTENSION
Definition: tls.h:998
@ ERROR_UNEXPECTED_MESSAGE
Definition: error.h:192
OID (Object Identifier)
uint8_t p
Definition: ndp.h:298
@ CIPHER_MODE_GCM
Definition: crypto.h:1087
@ TLS_ALERT_RECORD_OVERFLOW
Definition: tls.h:976
error_t tlsSelectVersion(TlsContext *context, uint16_t version)
Set the TLS version to be used.
Definition: tls_misc.c:225
TlsConnectionEnd
TLS connection end.
Definition: tls.h:859
@ TLS_GROUP_SECP256K1
Definition: tls.h:1229
#define TRUE
Definition: os_port.h:50
@ TLS_GROUP_SECP256R1
Definition: tls.h:1230
size_t digestSize
Definition: crypto.h:1135
@ TLS_GROUP_SECP224K1
Definition: tls.h:1227
const uint8_t SECP224R1_OID[5]
Definition: ec_curves.c:68
size_t authTagLen
Length of the authentication tag.
Definition: tls.h:1952
uint16_t version
Definition: dtls_misc.h:172
const uint8_t BRAINPOOLP512R1_OID[9]
Definition: ec_curves.c:90
size_t blockSize
Definition: crypto.h:1155
Structure describing a cipher suite.
Definition: tls.h:1812
const uint8_t SECP160K1_OID[5]
Definition: ec_curves.c:56
@ TLS_HASH_ALGO_SHA1
Definition: tls.h:1096
const uint8_t SECP256K1_OID[5]
Definition: ec_curves.c:70
error_t tlsWriteMpi(const Mpi *a, uint8_t *data, size_t *length)
Encode a multiple precision integer to an opaque vector.
Definition: tls_misc.c:634
@ ERROR_HANDSHAKE_FAILED
Definition: error.h:228
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
HmacContext * hmacContext
HMAC context.
Definition: tls.h:1957
const uint8_t BRAINPOOLP384R1_OID[9]
Definition: ec_curves.c:88
char_t name[]
@ ERROR_BAD_RECORD_MAC
Definition: error.h:226
@ ERROR_NOT_CONFIGURED
Definition: error.h:215
@ ERROR_UNSUPPORTED_CERTIFICATE
Definition: error.h:231
uint16_t errorCode
Definition: tftp_common.h:136
@ TLS_ALERT_DECRYPT_ERROR
Definition: tls.h:989
error_t mpiImport(Mpi *r, const uint8_t *data, uint_t length, MpiFormat format)
Octet string to integer conversion.
Definition: mpi.c:533
EC domain parameters.
Definition: ec.h:63
@ ERROR_INVALID_VERSION
Definition: error.h:116
size_t recordIvLen
Length of the IV.
Definition: tls.h:1951
@ TLS_GROUP_BRAINPOOLP256R1
Definition: tls.h:1233
const uint8_t SECP256R1_OID[8]
Definition: ec_curves.c:72
int_t oidComp(const uint8_t *oid1, size_t oidLen1, const uint8_t *oid2, size_t oidLen2)
Compare object identifiers.
Definition: oid.c:101
const uint8_t SECP224K1_OID[5]
Definition: ec_curves.c:66
@ TLS_HASH_ALGO_SHA224
Definition: tls.h:1097
CipherAlgoInit init
Definition: crypto.h:1156
@ TLS_ALERT_UNKNOWN_CA
Definition: tls.h:986
const uint8_t SECP521R1_OID[5]
Definition: ec_curves.c:76
@ TLS_HASH_ALGO_SHA512
Definition: tls.h:1100
#define DTLS_VERSION_1_0
Definition: dtls_misc.h:35
TlsSequenceNumber seqNum
TLS sequence number.
Definition: tls.h:1961
#define FALSE
Definition: os_port.h:46
Elliptic curve parameters.
Definition: ec_curves.h:292
error_t tlsSendAlert(TlsContext *context, uint8_t level, uint8_t description)
Send Alert message.
Definition: tls_common.c:480
error_t mpiExport(const Mpi *a, uint8_t *data, uint_t length, MpiFormat format)
Integer to octet string conversion.
Definition: mpi.c:618
@ ERROR_UNSUPPORTED_EXTENSION
Definition: error.h:239
@ TLS_GROUP_ECDH_X25519
Definition: tls.h:1236
#define TlsContext
Definition: tls.h:36
error_t
Error codes.
Definition: error.h:42
uint8_t encKey[32]
Encryption key.
Definition: tls.h:1947
@ TLS_ALERT_BAD_RECORD_MAC
Definition: tls.h:974
@ TLS_CONNECTION_END_SERVER
Definition: tls.h:862
void tlsFreeEncryptionEngine(TlsEncryptionEngine *encryptionEngine)
Release encryption engine.
Definition: tls_misc.c:592
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:829
#define TLS_VERSION_1_2
Definition: tls.h:94
@ TLS_GROUP_NONE
Definition: tls.h:1207
@ ERROR_FAILURE
Generic error code.
Definition: error.h:45
uint8_t identifier[]
error_t tlsSelectCipherSuite(TlsContext *context, uint16_t identifier)
Set cipher suite.
Definition: tls_misc.c:253
uint16_t epoch
Counter value incremented on every cipher state change.
Definition: tls.h:1963
#define STORE16BE(a, p)
Definition: cpu_endian.h:246
#define MD5_HASH_ALGO
Definition: md5.h:46
@ TLS_ALERT_UNSUPPORTED_CERTIFICATE
Definition: tls.h:981
bool_t tlsCheckDnsHostname(const char_t *name, size_t length)
DNS hostname verification.
Definition: tls_misc.c:1218
@ ERROR_MISSING_EXTENSION
Definition: error.h:238
#define TLS_VERSION_1_3
Definition: tls.h:95
Handshake message processing (TLS client and server)
@ TLS_HASH_ALGO_SHA384
Definition: tls.h:1099
@ TLS_GROUP_SECP384R1
Definition: tls.h:1231
@ TLS_GROUP_SECP192K1
Definition: tls.h:1225
const HashAlgo * hashAlgo
Hash algorithm for MAC operations.
Definition: tls.h:1956
uint8_t oid[1]
Definition: mib_common.h:186
@ ERROR_BAD_CERTIFICATE
Definition: error.h:230
error_t tlsWriteEcPoint(const EcDomainParameters *params, const EcPoint *a, uint8_t *data, size_t *length)
Encode an EC point to an opaque vector.
Definition: tls_misc.c:705
@ TLS_ALERT_MISSING_EXTENSION
Definition: tls.h:997
@ TLS_HASH_ALGO_SHA256
Definition: tls.h:1098
#define SSL_VERSION_3_0
Definition: tls.h:91
__start_packed struct @55 DtlsSequenceNumber
Sequence number.
const uint8_t SECP160R1_OID[5]
Definition: ec_curves.c:58
uint16_t version
Negotiated TLS version.
Definition: tls.h:1944
Elliptic curve point.
Definition: ec.h:51
size_t tlsComputeEncryptionOverhead(TlsEncryptionEngine *encryptionEngine, size_t payloadLen)
Compute overhead caused by encryption.
Definition: tls_misc.c:1166
TlsNamedGroup tlsGetNamedCurve(const uint8_t *oid, size_t length)
Get the named curve that matches the specified OID.
Definition: tls_misc.c:1036
Encryption engine.
Definition: tls.h:1942
@ CIPHER_MODE_STREAM
Definition: crypto.h:1080
@ TLS_GROUP_BRAINPOOLP512R1
Definition: tls.h:1235
@ TLS_GROUP_SECP160K1
Definition: tls.h:1222
#define MIN(a, b)
Definition: os_port.h:62
uint8_t iv[16]
Initialization vector.
Definition: tls.h:1949
@ TLS_GROUP_SECP521R1
Definition: tls.h:1232
@ TLS_GROUP_SECP192R1
Definition: tls.h:1226
@ TLS_ALERT_PROTOCOL_VERSION
Definition: tls.h:991
@ TLS_GROUP_SECP160R1
Definition: tls.h:1223
const uint8_t SECP192R1_OID[8]
Definition: ec_curves.c:64
error_t tls13HkdfExpandLabel(const HashAlgo *hash, const uint8_t *secret, size_t secretLen, const char_t *label, const uint8_t *context, size_t contextLen, uint8_t *output, size_t outputLen)
@ TLS_GROUP_BRAINPOOLP384R1_TLS13
Definition: tls.h:1239
@ TLS_HASH_ALGO_MD5
Definition: tls.h:1095
const uint8_t SECP384R1_OID[5]
Definition: ec_curves.c:74
const uint8_t X448_OID[3]
Definition: ec_curves.c:94
bool_t tlsIsCipherSuiteAcceptable(const TlsCipherSuiteInfo *cipherSuite, uint16_t minVersion, uint16_t maxVersion, TlsTransportProtocol transportProtocol)
Check whether a cipher suite can be used with a given protocol version.
uint8_t macKey[48]
MAC key.
Definition: tls.h:1945
#define SHA384_HASH_ALGO
Definition: sha384.h:47
#define TRACE_DEBUG(...)
Definition: debug.h:106
const uint8_t SECP192K1_OID[5]
Definition: ec_curves.c:62
@ ERROR_TIMEOUT
Definition: error.h:94
char char_t
Definition: compiler_port.h:43
@ TLS_GROUP_SECP224R1
Definition: tls.h:1228
GCM context.
Definition: gcm.h:47
#define TLS_VERSION_1_1
Definition: tls.h:93
@ CIPHER_MODE_CCM
Definition: crypto.h:1086
error_t tlsReadMpi(Mpi *a, const uint8_t *data, size_t size, size_t *length)
Read a multiple precision integer from an opaque vector.
Definition: tls_misc.c:667
@ TLS_ALERT_BAD_CERTIFICATE
Definition: tls.h:980
size_t contextSize
Definition: crypto.h:1153
@ TLS_ALERT_INAPPROPRIATE_FALLBACK
Definition: tls.h:994
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:107
void * cipherContext
Cipher context.
Definition: tls.h:1954
@ ERROR_NO_APPLICATION_PROTOCOL
Definition: error.h:241
@ TLS_ALERT_LEVEL_FATAL
Definition: tls.h:962
__start_packed struct @61 TlsSequenceNumber
Sequence number.
uint8_t n
uint16_t cipherSuite
Cipher suite identifier.
Definition: tls13_misc.h:372
@ ERROR_READ_FAILED
Definition: error.h:220
@ ERROR_WRITE_FAILED
Definition: error.h:219
@ ERROR_INAPPROPRIATE_FALLBACK
Definition: error.h:240
error_t gcmInit(GcmContext *context, const CipherAlgo *cipherAlgo, void *cipherContext)
Initialize GCM context.
Definition: gcm.c:78
#define TLS_VERSION_1_0
Definition: tls.h:92
@ TLS_ALERT_CERTIFICATE_EXPIRED
Definition: tls.h:983
const TlsCipherSuiteInfo tlsSupportedCipherSuites[]
@ TLS_STATE_INIT
Definition: tls.h:1289
@ ERROR_CERTIFICATE_EXPIRED
Definition: error.h:232
@ TLS_ALERT_NO_APPLICATION_PROTOCOL
Definition: tls.h:1005
@ TLS_CONNECTION_END_CLIENT
Definition: tls.h:861
const EcCurveInfo * tlsGetCurveInfo(TlsContext *context, uint16_t namedCurve)
Get the EC domain parameters that match the specified named curve.
Definition: tls_misc.c:890
Common interface for encryption algorithms.
Definition: crypto.h:1150
@ MPI_FORMAT_BIG_ENDIAN
Definition: mpi.h:61
TLS (Transport Layer Security)
const uint8_t tls11DowngradeRandom[8]
const uint8_t tls12DowngradeRandom[8]
error_t ecExport(const EcDomainParameters *params, const EcPoint *a, uint8_t *data, size_t *length)
Convert an EC point to an octet string.
Definition: ec.c:287
const uint8_t SECP160R2_OID[5]
Definition: ec_curves.c:60
const CipherAlgo * cipherAlgo
Cipher algorithm.
Definition: tls.h:1953
@ ERROR_UNKNOWN_CA
Definition: error.h:234
uint8_t random[32]
Definition: tls.h:1614
TLS 1.3 key schedule.
#define SHA224_HASH_ALGO
Definition: sha224.h:47
size_t macKeyLen
Length of the MAC key.
Definition: tls.h:1946
Common interface for hash algorithms.
Definition: crypto.h:1128
FFDHE key exchange.
@ CIPHER_MODE_NULL
Definition: crypto.h:1079
GcmContext * gcmContext
GCM context.
Definition: tls.h:1959
@ CIPHER_MODE_CHACHA20_POLY1305
Definition: crypto.h:1088
void tlsProcessError(TlsContext *context, error_t errorCode)
Translate an error code to an alert message.
Definition: tls_misc.c:56
uint8_t payloadLen
Definition: ipv6.h:343
const char_t * tlsGetVersionName(uint16_t version)
Convert TLS version to string representation.
Definition: tls_misc.c:788
uint_t tlsGetNumSupportedCipherSuites(void)
Determine the number of cipher suites supported.
TlsNamedGroup
Named groups.
Definition: tls.h:1205
@ ERROR_RECORD_OVERFLOW
Definition: error.h:227
@ ERROR_DECODING_FAILED
Definition: error.h:235
unsigned int uint_t
Definition: compiler_port.h:45
#define LOAD16BE(p)
Definition: cpu_endian.h:170
uint8_t data[]
Definition: dtls_misc.h:176
@ TLS_GROUP_ECDH_X448
Definition: tls.h:1237
#define tlsFreeMem(p)
Definition: tls.h:762
@ TLS_ALERT_HANDSHAKE_FAILURE
Definition: tls.h:978
@ ERROR_CERTIFICATE_REQUIRED
Definition: error.h:133
error_t tlsGenerateRandomValue(TlsContext *context, uint8_t *random)
Generate client or server random value.
Definition: tls_misc.c:164
@ TLS_ALERT_INTERNAL_ERROR
Definition: tls.h:993
@ ERROR_INVALID_SIGNATURE
Definition: error.h:223
size_t recordSizeLimit
Maximum size of record in octets.
Definition: tls.h:1967
#define DTLS_VERSION_1_2
Definition: dtls_misc.h:36
CipherMode cipherMode
Cipher mode of operation.
Definition: tls.h:1955
@ NO_ERROR
Success.
Definition: error.h:44
Debugging facilities.
error_t tlsReadEcPoint(const EcDomainParameters *params, EcPoint *a, const uint8_t *data, size_t size, size_t *length)
Read an EC point from an opaque vector.
Definition: tls_misc.c:742
@ TLS_GROUP_BRAINPOOLP384R1
Definition: tls.h:1234
const uint8_t BRAINPOOLP256R1_OID[9]
Definition: ec_curves.c:84
uint_t mpiGetByteLength(const Mpi *a)
Get the actual length in bytes.
Definition: mpi.c:156
@ TLS_STATE_CLOSED
Definition: tls.h:1321