tls_server.c
Go to the documentation of this file.
1 /**
2  * @file tls_server.c
3  * @brief Handshake message processing (TLS server)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @section Description
28  *
29  * The TLS protocol provides communications security over the Internet. The
30  * protocol allows client/server applications to communicate in a way that
31  * is designed to prevent eavesdropping, tampering, or message forgery
32  *
33  * @author Oryx Embedded SARL (www.oryx-embedded.com)
34  * @version 1.9.6
35  **/
36 
37 //Switch to the appropriate trace level
38 #define TRACE_LEVEL TLS_TRACE_LEVEL
39 
40 //Dependencies
41 #include <string.h>
42 #include "tls.h"
43 #include "tls_cipher_suites.h"
44 #include "tls_handshake.h"
45 #include "tls_server.h"
46 #include "tls_server_extensions.h"
47 #include "tls_server_misc.h"
48 #include "tls_common.h"
49 #include "tls_extensions.h"
50 #include "tls_signature.h"
51 #include "tls_key_material.h"
52 #include "tls_transcript_hash.h"
53 #include "tls_cache.h"
54 #include "tls_ffdhe.h"
55 #include "tls_record.h"
56 #include "tls_misc.h"
57 #include "tls13_server.h"
59 #include "tls13_server_misc.h"
60 #include "dtls_record.h"
61 #include "dtls_misc.h"
62 #include "pkix/pem_import.h"
63 #include "pkix/x509_cert_parse.h"
64 #include "date_time.h"
65 #include "debug.h"
66 
67 //Check TLS library configuration
68 #if (TLS_SUPPORT == ENABLED && TLS_SERVER_SUPPORT == ENABLED)
69 
70 
71 /**
72  * @brief Send ServerHello message
73  *
74  * The server will send this message in response to a ClientHello
75  * message when it was able to find an acceptable set of algorithms.
76  * If it cannot find such a match, it will respond with a handshake
77  * failure alert
78  *
79  * @param[in] context Pointer to the TLS context
80  * @return Error code
81  **/
82 
84 {
85  error_t error;
86  size_t length;
88 
89  //Point to the buffer where to format the message
90  message = (TlsServerHello *) (context->txBuffer + context->txBufferLen);
91 
92  //Generate the server random value using a cryptographically-safe
93  //pseudorandom number generator
94  error = tlsGenerateRandomValue(context, context->serverRandom);
95 
96  //Check status code
97  if(!error)
98  {
99  //Format ServerHello message
100  error = tlsFormatServerHello(context, message, &length);
101  }
102 
103  //Check status code
104  if(!error)
105  {
106  //Debug message
107  TRACE_INFO("Sending ServerHello message (%" PRIuSIZE " bytes)...\r\n", length);
109 
110  //Send handshake message
111  error = tlsSendHandshakeMessage(context, message, length,
113  }
114 
115  //Check status code
116  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
117  {
118  //Version of TLS prior to TLS 1.3?
119  if(context->version <= TLS_VERSION_1_2)
120  {
121 #if (TLS_SESSION_RESUME_SUPPORT == ENABLED)
122  //Use abbreviated handshake?
123  if(context->resume)
124  {
125  //Derive session keys from the master secret
126  error = tlsGenerateSessionKeys(context);
127 
128  //Key material successfully generated?
129  if(!error)
130  {
131  //At this point, both client and server must send ChangeCipherSpec
132  //messages and proceed directly to Finished messages
133  context->state = TLS_STATE_SERVER_CHANGE_CIPHER_SPEC;
134  }
135  }
136  else
137 #endif
138  {
139  //Perform a full handshake
140  context->state = TLS_STATE_SERVER_CERTIFICATE;
141  }
142  }
143  else
144  {
145 #if (TLS13_MIDDLEBOX_COMPAT_SUPPORT == ENABLED)
146  //First handshake message sent by the server?
147  if(context->state == TLS_STATE_SERVER_HELLO)
148  {
149  //In middlebox compatibility mode, the server must send a dummy
150  //ChangeCipherSpec record immediately after its first handshake
151  //message
152  context->state = TLS_STATE_SERVER_CHANGE_CIPHER_SPEC;
153  }
154  else
155 #endif
156  {
157  //All handshake messages after the ServerHello are now encrypted
158  context->state = TLS_STATE_HANDSHAKE_TRAFFIC_KEYS;
159  }
160  }
161  }
162 
163  //Return status code
164  return error;
165 }
166 
167 
168 /**
169  * @brief Send ServerKeyExchange message
170  *
171  * The ServerKeyExchange message is sent by the server only when the
172  * server Certificate message does not contain enough data to allow
173  * the client to exchange a premaster secret
174  *
175  * @param[in] context Pointer to the TLS context
176  * @return Error code
177  **/
178 
180 {
181  error_t error;
182  size_t length;
184 
185  //Initialize status code
186  error = NO_ERROR;
187 
188  //Point to the buffer where to format the message
189  message = (TlsServerKeyExchange *) (context->txBuffer + context->txBufferLen);
190  //Initialize length
191  length = 0;
192 
193  //The ServerKeyExchange message is sent by the server only when the server
194  //Certificate message (if sent) does not contain enough data to allow the
195  //client to exchange a premaster secret
196  if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
197  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
198  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
199  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
200  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
201  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
202  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
203  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
204  {
205  //Format ServerKeyExchange message
206  error = tlsFormatServerKeyExchange(context, message, &length);
207  }
208  else if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
209  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
210  {
211 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
212  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
213  //If no PSK identity hint is provided by the server, the
214  //ServerKeyExchange message is omitted...
215  if(context->pskIdentityHint != NULL)
216  {
217  //Format ServerKeyExchange message
218  error = tlsFormatServerKeyExchange(context, message, &length);
219  }
220 #endif
221  }
222 
223  //Check status code
224  if(!error)
225  {
226  //Any message to send?
227  if(length > 0)
228  {
229  //Debug message
230  TRACE_INFO("Sending ServerKeyExchange message (%" PRIuSIZE " bytes)...\r\n", length);
232 
233  //Send handshake message
234  error = tlsSendHandshakeMessage(context, message, length,
236  }
237  }
238 
239  //Check status code
240  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
241  {
242  //A server can optionally request a certificate from the client
243  context->state = TLS_STATE_CERTIFICATE_REQUEST;
244  }
245 
246  //Return status code
247  return error;
248 }
249 
250 
251 /**
252  * @brief Send CertificateRequest message
253  *
254  * A server can optionally request a certificate from the client, if
255  * appropriate for the selected cipher suite. This message will
256  * immediately follow the ServerKeyExchange message
257  *
258  * @param[in] context Pointer to the TLS context
259  * @return Error code
260  **/
261 
263 {
264  error_t error;
265  size_t length;
267 
268  //Initialize status code
269  error = NO_ERROR;
270 
271 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED || \
272  TLS_DSA_SIGN_SUPPORT == ENABLED || TLS_ECDSA_SIGN_SUPPORT == ENABLED)
273  //A server can optionally request a certificate from the client
274  if(context->clientAuthMode != TLS_CLIENT_AUTH_NONE)
275  {
276  //Non-anonymous key exchange?
277  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
278  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
279  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
280  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
281  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
282  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
283  context->keyExchMethod == TLS13_KEY_EXCH_DHE ||
284  context->keyExchMethod == TLS13_KEY_EXCH_ECDHE)
285  {
286  //Point to the buffer where to format the message
287  message = (TlsCertificateRequest *) (context->txBuffer + context->txBufferLen);
288 
289  //Format CertificateRequest message
290  error = tlsFormatCertificateRequest(context, message, &length);
291 
292  //Check status code
293  if(!error)
294  {
295  //Debug message
296  TRACE_INFO("Sending CertificateRequest message (%" PRIuSIZE " bytes)...\r\n", length);
298 
299  //Send handshake message
300  error = tlsSendHandshakeMessage(context, message, length,
302  }
303  }
304  }
305 #endif
306 
307  //Check status code
308  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
309  {
310  //Version of TLS prior to TLS 1.3?
311  if(context->version <= TLS_VERSION_1_2)
312  {
313  //Send a ServerHelloDone message to the client
314  context->state = TLS_STATE_SERVER_HELLO_DONE;
315  }
316  else
317  {
318  //Send a Certificate message to the client
319  context->state = TLS_STATE_SERVER_CERTIFICATE;
320  }
321  }
322 
323  //Return status code
324  return error;
325 }
326 
327 
328 /**
329  * @brief Send ServerHelloDone message
330  *
331  * The ServerHelloDone message is sent by the server to indicate the
332  * end of the ServerHello and associated messages. After sending this
333  * message, the server will wait for a client response
334  *
335  * @param[in] context Pointer to the TLS context
336  * @return Error code
337  **/
338 
340 {
341  error_t error;
342  size_t length;
344 
345  //Point to the buffer where to format the message
346  message = (TlsServerHelloDone *) (context->txBuffer + context->txBufferLen);
347 
348  //Format ServerHelloDone message
349  error = tlsFormatServerHelloDone(context, message, &length);
350 
351  //Check status code
352  if(!error)
353  {
354  //Debug message
355  TRACE_INFO("Sending ServerHelloDone message (%" PRIuSIZE " bytes)...\r\n", length);
357 
358  //Send handshake message
359  error = tlsSendHandshakeMessage(context, message, length,
361  }
362 
363  //Check status code
364  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
365  {
366  //The client must send a Certificate message if the server requests it
367  if(context->clientAuthMode != TLS_CLIENT_AUTH_NONE)
368  context->state = TLS_STATE_CLIENT_CERTIFICATE;
369  else
370  context->state = TLS_STATE_CLIENT_KEY_EXCHANGE;
371  }
372 
373  //Return status code
374  return error;
375 }
376 
377 
378 /**
379  * @brief Format ServerHello message
380  * @param[in] context Pointer to the TLS context
381  * @param[out] message Buffer where to format the ServerHello message
382  * @param[out] length Length of the resulting ServerHello message
383  * @return Error code
384  **/
385 
387  TlsServerHello *message, size_t *length)
388 {
389  error_t error;
390  uint16_t version;
391  size_t n;
392  uint8_t *p;
393  TlsExtensionList *extensionList;
394 
395  //In TLS 1.3, the client indicates its version preferences in the
396  //SupportedVersions extension and the legacy_version field must be
397  //set to 0x0303, which is the version number for TLS 1.2
398  version = MIN(context->version, TLS_VERSION_1_2);
399 
400 #if (DTLS_SUPPORT == ENABLED)
401  //DTLS protocol?
402  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
403  {
404  //Get the corresponding DTLS version
406  }
407 #endif
408 
409  //In previous versions of TLS, the version field contains the lower of
410  //the version suggested by the client in the ClientHello and the highest
411  //supported by the server
412  message->serverVersion = htons(version);
413 
414  //Server random value
415  memcpy(message->random, context->serverRandom, 32);
416 
417  //Point to the session ID
418  p = message->sessionId;
419  //Length of the handshake message
420  *length = sizeof(TlsServerHello);
421 
422  //Version of TLS prior to TLS 1.3?
423  if(context->version <= TLS_VERSION_1_2)
424  {
425 #if (TLS_SESSION_RESUME_SUPPORT == ENABLED)
426  //The session ID uniquely identifies the current session
427  memcpy(message->sessionId, context->sessionId, context->sessionIdLen);
428  message->sessionIdLen = (uint8_t) context->sessionIdLen;
429 #else
430  //The server may return an empty session ID to indicate that the session
431  //will not be cached and therefore cannot be resumed
432  message->sessionIdLen = 0;
433 #endif
434  }
435  else
436  {
437  //The legacy_session_id_echo echoes the contents of the client's
438  //legacy_session_id field
439  memcpy(message->sessionId, context->sessionId, context->sessionIdLen);
440  message->sessionIdLen = (uint8_t) context->sessionIdLen;
441  }
442 
443  //Debug message
444  TRACE_DEBUG("Session ID (%" PRIu8 " bytes):\r\n", message->sessionIdLen);
445  TRACE_DEBUG_ARRAY(" ", message->sessionId, message->sessionIdLen);
446 
447  //Advance data pointer
448  p += message->sessionIdLen;
449  //Adjust the length of the message
450  *length += message->sessionIdLen;
451 
452  //The cipher_suite field contains the single cipher suite selected by
453  //the server
454  STORE16BE(context->cipherSuite.identifier, p);
455 
456  //Advance data pointer
457  p += sizeof(uint16_t);
458  //Adjust the length of the message
459  *length += sizeof(uint16_t);
460 
461  //The CRIME exploit takes advantage of TLS compression, so conservative
462  //implementations do not enable compression at the TLS level
464 
465  //Advance data pointer
466  p += sizeof(uint8_t);
467  //Adjust the length of the message
468  *length += sizeof(uint8_t);
469 
470  //Only extensions offered by the client can appear in the server's list
471  extensionList = (TlsExtensionList *) p;
472  //Total length of the extension list
473  extensionList->length = 0;
474 
475  //Point to the first extension of the list
476  p += sizeof(TlsExtensionList);
477 
478 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
479  //SSL 3.0, TLS 1.0, TLS 1.1 or TLS 1.2 selected by the server?
480  if(context->version <= TLS_VERSION_1_2)
481  {
482 #if (TLS_SNI_SUPPORT == ENABLED)
483  //The server may include a SNI extension in the ServerHello
484  error = tlsFormatServerSniExtension(context, p, &n);
485  //Any error to report?
486  if(error)
487  return error;
488 
489  //Fix the length of the extension list
490  extensionList->length += (uint16_t) n;
491  //Point to the next field
492  p += n;
493 #endif
494 
495 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
496  //Servers that receive an ClientHello containing a MaxFragmentLength
497  //extension may accept the requested maximum fragment length by including
498  //an extension of type MaxFragmentLength in the ServerHello
499  error = tlsFormatServerMaxFragLenExtension(context, p, &n);
500  //Any error to report?
501  if(error)
502  return error;
503 
504  //Fix the length of the extension list
505  extensionList->length += (uint16_t) n;
506  //Point to the next field
507  p += n;
508 #endif
509 
510 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
511  //The value of RecordSizeLimit is the maximum size of record in octets
512  //that the endpoint is willing to receive
513  error = tlsFormatServerRecordSizeLimitExtension(context, p, &n);
514  //Any error to report?
515  if(error)
516  return error;
517 
518  //Fix the length of the extension list
519  extensionList->length += (uint16_t) n;
520  //Point to the next field
521  p += n;
522 #endif
523 
524 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
525  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
526  //A server that selects an ECC cipher suite in response to a ClientHello
527  //message including an EcPointFormats extension appends this extension
528  //to its ServerHello message
529  error = tlsFormatServerEcPointFormatsExtension(context, p, &n);
530  //Any error to report?
531  if(error)
532  return error;
533 
534  //Fix the length of the extension list
535  extensionList->length += (uint16_t) n;
536  //Point to the next field
537  p += n;
538 #endif
539 
540 #if (TLS_ALPN_SUPPORT == ENABLED)
541  //The ALPN extension contains the name of the selected protocol
542  error = tlsFormatServerAlpnExtension(context, p, &n);
543  //Any error to report?
544  if(error)
545  return error;
546 
547  //Fix the length of the extension list
548  extensionList->length += (uint16_t) n;
549  //Point to the next field
550  p += n;
551 #endif
552 
553 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
554  //The ClientCertType extension in the ServerHello indicates the type
555  //of certificates the client is requested to provide in a subsequent
556  //certificate payload
557  error = tlsFormatClientCertTypeExtension(context, p, &n);
558  //Any error to report?
559  if(error)
560  return error;
561 
562  //Fix the length of the extension list
563  extensionList->length += (uint16_t) n;
564  //Point to the next field
565  p += n;
566 
567  //With the ServerCertType extension in the ServerHello, the TLS server
568  //indicates the certificate type carried in the certificate payload
569  error = tlsFormatServerCertTypeExtension(context, p, &n);
570  //Any error to report?
571  if(error)
572  return error;
573 
574  //Fix the length of the extension list
575  extensionList->length += (uint16_t) n;
576  //Point to the next field
577  p += n;
578 #endif
579 
580 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
581  //If a server implementing RFC 7627 receives the ExtendedMasterSecret
582  //extension, it must include the extension in its ServerHello message
583  error = tlsFormatServerEmsExtension(context, p, &n);
584  //Any error to report?
585  if(error)
586  return error;
587 
588  //Fix the length of the extension list
589  extensionList->length += (uint16_t) n;
590  //Point to the next field
591  p += n;
592 #endif
593 
594 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
595  //During secure renegotiation, the server must include a renegotiation_info
596  //extension containing the saved client_verify_data and server_verify_data
597  error = tlsFormatServerRenegoInfoExtension(context, p, &n);
598  //Any error to report?
599  if(error)
600  return error;
601 
602  //Fix the length of the extension list
603  extensionList->length += (uint16_t) n;
604  //Point to the next field
605  p += n;
606 #endif
607  }
608  else
609 #endif
610 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
611  //TLS 1.3 selected by the server?
612  if(context->version == TLS_VERSION_1_3)
613  {
614  //A server which negotiates TLS 1.3 must respond by sending a
615  //SupportedVersions extension containing the selected version value
616  error = tls13FormatServerSupportedVersionsExtension(context, p, &n);
617  //Any error to report?
618  if(error)
619  return error;
620 
621  //Fix the length of the extension list
622  extensionList->length += (uint16_t) n;
623  //Point to the next field
624  p += n;
625 
626  //If using (EC)DHE key establishment, servers offer exactly one
627  //KeyShareEntry in the ServerHello
628  error = tls13FormatServerKeyShareExtension(context, p, &n);
629  //Any error to report?
630  if(error)
631  return error;
632 
633  //Fix the length of the extension list
634  extensionList->length += (uint16_t) n;
635  //Point to the next field
636  p += n;
637 
638  //In order to accept PSK key establishment, the server sends a
639  //PreSharedKey extension indicating the selected identity
640  error = tls13FormatServerPreSharedKeyExtension(context, p, &n);
641  //Any error to report?
642  if(error)
643  return error;
644 
645  //Fix the length of the extension list
646  extensionList->length += (uint16_t) n;
647  //Point to the next field
648  p += n;
649  }
650  else
651 #endif
652  //Invalid TLS version?
653  {
654  //Report an error
655  return ERROR_INVALID_VERSION;
656  }
657 
658  //Any extensions included in the ServerHello message?
659  if(extensionList->length > 0)
660  {
661  //Convert the length of the extension list to network byte order
662  extensionList->length = htons(extensionList->length);
663  //Total length of the message
664  *length += sizeof(TlsExtensionList) + htons(extensionList->length);
665  }
666 
667  //Successful processing
668  return NO_ERROR;
669 }
670 
671 
672 /**
673  * @brief Format ServerKeyExchange message
674  * @param[in] context Pointer to the TLS context
675  * @param[out] message Buffer where to format the ServerKeyExchange message
676  * @param[out] length Length of the resulting ServerKeyExchange message
677  * @return Error code
678  **/
679 
682 {
683  error_t error;
684  size_t n;
685  size_t paramsLen;
686  uint8_t *p;
687  uint8_t *params;
688 
689  //Point to the beginning of the handshake message
690  p = message;
691  //Length of the handshake message
692  *length = 0;
693 
694 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
695  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
696  //PSK key exchange method?
697  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
698  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
699  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
700  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
701  {
702  //To help the client in selecting which identity to use, the server
703  //can provide a PSK identity hint in the ServerKeyExchange message
704  error = tlsFormatPskIdentityHint(context, p, &n);
705  //Any error to report?
706  if(error)
707  return error;
708 
709  //Advance data pointer
710  p += n;
711  //Adjust the length of the message
712  *length += n;
713  }
714 #endif
715 
716  //Diffie-Hellman or ECDH key exchange method?
717  if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
718  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
719  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
720  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
721  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
722  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
723  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
724  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
725  {
726  //Point to the server's key exchange parameters
727  params = p;
728 
729  //Format server's key exchange parameters
730  error = tlsFormatServerKeyParams(context, p, &paramsLen);
731  //Any error to report?
732  if(error)
733  return error;
734 
735  //Advance data pointer
736  p += paramsLen;
737  //Adjust the length of the message
738  *length += paramsLen;
739  }
740  else
741  {
742  //Just for sanity
743  params = NULL;
744  paramsLen = 0;
745  }
746 
747  //For non-anonymous Diffie-Hellman and ECDH key exchanges, a signature
748  //over the server's key exchange parameters shall be generated
749  if(context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
750  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
751  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
752  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA)
753  {
754 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)
755  //SSL 3.0, TLS 1.0 or TLS 1.1 currently selected?
756  if(context->version <= TLS_VERSION_1_1)
757  {
758  //Sign server's key exchange parameters
759  error = tlsGenerateServerKeySignature(context,
760  (TlsDigitalSignature *) p, params, paramsLen, &n);
761  }
762  else
763 #endif
764 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
765  //TLS 1.2 currently selected?
766  if(context->version == TLS_VERSION_1_2)
767  {
768  //Sign server's key exchange parameters
769  error = tls12GenerateServerKeySignature(context,
770  (Tls12DigitalSignature *) p, params, paramsLen, &n);
771  }
772  else
773 #endif
774  {
775  //Report an error
776  error = ERROR_INVALID_VERSION;
777  }
778 
779  //Any error to report?
780  if(error)
781  return error;
782 
783  //Advance data pointer
784  p += n;
785  //Adjust the length of the message
786  *length += n;
787  }
788 
789  //Successful processing
790  return NO_ERROR;
791 }
792 
793 
794 /**
795  * @brief Format CertificateRequest message
796  * @param[in] context Pointer to the TLS context
797  * @param[out] message Buffer where to format the CertificateRequest message
798  * @param[out] length Length of the resulting CertificateRequest message
799  * @return Error code
800  **/
801 
804 {
805  error_t error;
806  size_t n;
807  uint8_t *p;
808 
809  //Initialize status code
810  error = NO_ERROR;
811 
812  //Point to the beginning of the message
813  p = (uint8_t *) message;
814 
815 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
816  //Version of TLS prior to TLS 1.3?
817  if(context->version <= TLS_VERSION_1_2)
818  {
819  size_t pemCertLen;
820  const char_t *trustedCaList;
821  size_t trustedCaListLen;
822  uint8_t *derCert;
823  size_t derCertLen;
824  X509CertificateInfo *certInfo;
825  TlsCertAuthorities *certAuthorities;
826 
827  //Enumerate the types of certificate types that the client may offer
828  n = 0;
829 
830 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
831  //Accept certificates that contain an RSA public key
832  message->certificateTypes[n++] = TLS_CERT_RSA_SIGN;
833 #endif
834 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
835  //Accept certificates that contain a DSA public key
836  message->certificateTypes[n++] = TLS_CERT_DSS_SIGN;
837 #endif
838 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
839  //Accept certificates that contain an ECDSA public key
840  message->certificateTypes[n++] = TLS_CERT_ECDSA_SIGN;
841 #endif
842 
843  //Fix the length of the list
844  message->certificateTypesLen = (uint8_t) n;
845  //Length of the handshake message
846  *length = sizeof(TlsCertificateRequest) + n;
847 
848  //TLS 1.2 currently selected?
849  if(context->version == TLS_VERSION_1_2)
850  {
851  TlsSignHashAlgos *supportedSignAlgos;
852 
853  //Point to the list of the hash/signature algorithm pairs that the server
854  //is able to verify. Servers can minimize the computation cost by offering
855  //a restricted set of digest algorithms
856  supportedSignAlgos = PTR_OFFSET(message, *length);
857 
858  //Enumerate the hash/signature algorithm pairs in descending
859  //order of preference
860  n = 0;
861 
862 #if (TLS_SHA256_SUPPORT == ENABLED)
863  //The hash algorithm used for PRF operations can also be used for signing
864  if(context->cipherSuite.prfHashAlgo == SHA256_HASH_ALGO)
865  {
866 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
867  //ECDSA signature algorithm with SHA-256
868  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
869  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256;
870 #endif
871 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
872  //Check whether the X.509 parser supports RSA-PSS signatures
874  {
875  //RSASSA-PSS PSS signature algorithm with SHA-256
876  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256;
877  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
878  }
879 #endif
880 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
881  //RSASSA-PSS RSAE signature algorithm with SHA-256
882  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256;
883  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
884 #endif
885 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
886  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-256
887  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
888  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256;
889 #endif
890 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
891  //DSA signature algorithm with SHA-256
892  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_DSA;
893  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256;
894 #endif
895  }
896 #endif
897 
898 #if (TLS_SHA384_SUPPORT == ENABLED)
899  //The hash algorithm used for PRF operations can also be used for signing
900  if(context->cipherSuite.prfHashAlgo == SHA384_HASH_ALGO)
901  {
902 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
903  //ECDSA signature algorithm with SHA-384
904  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
905  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA384;
906 #endif
907 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
908  //Check whether the X.509 parser supports RSA-PSS signatures
910  {
911  //RSASSA-PSS PSS signature algorithm with SHA-384
912  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384;
913  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
914  }
915 #endif
916 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
917  //RSASSA-PSS RSAE signature algorithm with SHA-384
918  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384;
919  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
920 #endif
921 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
922  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-384
923  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
924  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA384;
925 #endif
926  }
927 #endif
928 
929 #if (TLS_SHA1_SUPPORT == ENABLED)
930 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
931  //ECDSA signature algorithm with SHA-1
932  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
933  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1;
934 #endif
935 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
936  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-1
937  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
938  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1;
939 #endif
940 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
941  //DSA signature algorithm with SHA-1
942  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_DSA;
943  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1;
944 #endif
945 #endif
946  //Fix the length of the list
947  supportedSignAlgos->length = htons(n * sizeof(TlsSignHashAlgo));
948  //Adjust the length of the message
949  *length += sizeof(TlsSignHashAlgos) + n * sizeof(TlsSignHashAlgo);
950  }
951 
952  //Point to the list of the distinguished names of acceptable certificate
953  //authorities
954  certAuthorities = PTR_OFFSET(message, *length);
955  //Adjust the length of the message
956  *length += sizeof(TlsCertAuthorities);
957 
958  //Point to the first certificate authority
959  p = certAuthorities->value;
960  //Length of the list in bytes
961  n = 0;
962 
963  //Point to the first trusted CA certificate
964  trustedCaList = context->trustedCaList;
965  //Get the total length, in bytes, of the trusted CA list
966  trustedCaListLen = context->trustedCaListLen;
967 
968  //Allocate a memory buffer to store X.509 certificate info
969  certInfo = tlsAllocMem(sizeof(X509CertificateInfo));
970 
971  //Successful memory allocation?
972  if(certInfo != NULL)
973  {
974  //Loop through the list of trusted CA certificates
975  while(trustedCaListLen > 0 && error == NO_ERROR)
976  {
977  //The first pass calculates the length of the DER-encoded certificate
978  error = pemImportCertificate(trustedCaList, trustedCaListLen, NULL,
979  &derCertLen, &pemCertLen);
980 
981  //Check status code
982  if(!error)
983  {
984  //Allocate a memory buffer to hold the DER-encoded certificate
985  derCert = tlsAllocMem(derCertLen);
986 
987  //Successful memory allocation?
988  if(derCert != NULL)
989  {
990  //The second pass decodes the PEM certificate
991  error = pemImportCertificate(trustedCaList, trustedCaListLen,
992  derCert, &derCertLen, NULL);
993 
994  //Check status code
995  if(!error)
996  {
997  //Parse X.509 certificate
998  error = x509ParseCertificate(derCert, derCertLen, certInfo);
999  }
1000 
1001  //Valid CA certificate?
1002  if(!error)
1003  {
1004  //Adjust the length of the message
1005  *length += certInfo->tbsCert.subject.rawDataLen + 2;
1006 
1007  //Sanity check
1008  if(*length <= context->txBufferMaxLen)
1009  {
1010  //Each distinguished name is preceded by a 2-byte length field
1011  STORE16BE(certInfo->tbsCert.subject.rawDataLen, p);
1012 
1013  //The distinguished name shall be DER-encoded
1014  memcpy(p + 2, certInfo->tbsCert.subject.rawData,
1015  certInfo->tbsCert.subject.rawDataLen);
1016 
1017  //Advance write pointer
1018  p += certInfo->tbsCert.subject.rawDataLen + 2;
1019  n += certInfo->tbsCert.subject.rawDataLen + 2;
1020  }
1021  else
1022  {
1023  //Report an error
1024  error = ERROR_MESSAGE_TOO_LONG;
1025  }
1026  }
1027  else
1028  {
1029  //Discard current CA certificate
1030  error = NO_ERROR;
1031  }
1032 
1033  //Free previously allocated memory
1034  tlsFreeMem(derCert);
1035  }
1036  else
1037  {
1038  //Failed to allocate memory
1039  error = ERROR_OUT_OF_MEMORY;
1040  }
1041 
1042  //Advance read pointer
1043  trustedCaList += pemCertLen;
1044  trustedCaListLen -= pemCertLen;
1045  }
1046  else
1047  {
1048  //End of file detected
1049  trustedCaListLen = 0;
1050  error = NO_ERROR;
1051  }
1052  }
1053 
1054  //Fix the length of the list
1055  certAuthorities->length = htons(n);
1056 
1057  //Free previously allocated memory
1058  tlsFreeMem(certInfo);
1059  }
1060  else
1061  {
1062  //Failed to allocate memory
1063  error = ERROR_OUT_OF_MEMORY;
1064  }
1065  }
1066  else
1067 #endif
1068 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1069  //TLS 1.3 currently selected?
1070  if(context->version == TLS_VERSION_1_3)
1071  {
1072  Tls13CertRequestContext *certRequestContext;
1073  TlsExtensionList *extensionList;
1074 
1075  //Point to the certificate_request_context field
1076  certRequestContext = (Tls13CertRequestContext *) p;
1077 
1078  //The certificate_request_context field shall be zero length unless
1079  //used for the post-handshake authentication exchange
1080  certRequestContext->length = 0;
1081 
1082  //Point to the next field
1083  p += sizeof(Tls13CertRequestContext);
1084  //Length of the handshake message
1085  *length = sizeof(Tls13CertRequestContext);
1086 
1087  //The extensions describe the parameters of the certificate being
1088  //requested
1089  extensionList = (TlsExtensionList *) p;
1090  //Total length of the extension list
1091  extensionList->length = 0;
1092 
1093  //Point to the first extension of the list
1094  p += sizeof(TlsExtensionList);
1095  //Adjust the length of the message
1096  *length += sizeof(TlsExtensionList);
1097 
1098  //The SignatureAlgorithms extension must be specified
1099  error = tlsFormatSignatureAlgorithmsExtension(context,
1101 
1102 #if (TLS_SIGN_ALGOS_CERT_SUPPORT == ENABLED)
1103  //Check status code
1104  if(!error)
1105  {
1106  //Fix the length of the extension list
1107  extensionList->length += (uint16_t) n;
1108  //Point to the next field
1109  p += n;
1110 
1111  //The SignatureAlgorithmsCert extension may optionally be included
1112  error = tlsFormatSignatureAlgorithmsCertExtension(context, p, &n);
1113  }
1114 #endif
1115 
1116  //Check status code
1117  if(!error)
1118  {
1119  //Fix the length of the extension list
1120  extensionList->length += (uint16_t) n;
1121  //Point to the next field
1122  p += n;
1123  }
1124 
1125  //Convert the length of the extension list to network byte order
1126  extensionList->length = htons(extensionList->length);
1127  //Total length of the message
1128  *length += htons(extensionList->length);
1129  }
1130  else
1131 #endif
1132  //Invalid TLS version?
1133  {
1134  //Report an error
1135  error = ERROR_INVALID_VERSION;
1136  }
1137 
1138  //Return status code
1139  return error;
1140 }
1141 
1142 
1143 /**
1144  * @brief Format ServerHelloDone message
1145  * @param[in] context Pointer to the TLS context
1146  * @param[out] message Buffer where to format the ServerHelloDone message
1147  * @param[out] length Length of the resulting ServerHelloDone message
1148  * @return Error code
1149  **/
1150 
1152  TlsServerHelloDone *message, size_t *length)
1153 {
1154  //The ServerHelloDone message does not contain any data
1155  *length = 0;
1156 
1157  //Successful processing
1158  return NO_ERROR;
1159 }
1160 
1161 
1162 /**
1163  * @brief Parse ClientHello message
1164  *
1165  * When a client first connects to a server, it is required to send
1166  * the ClientHello as its first message. The client can also send a
1167  * ClientHello in response to a HelloRequest or on its own initiative
1168  * in order to renegotiate the security parameters in an existing
1169  * connection
1170  *
1171  * @param[in] context Pointer to the TLS context
1172  * @param[in] message Incoming ClientHello message to parse
1173  * @param[in] length Message length
1174  * @return Error code
1175  **/
1176 
1178  const TlsClientHello *message, size_t length)
1179 {
1180  error_t error;
1181  size_t n;
1182  const uint8_t *p;
1183  const TlsCipherSuites *cipherSuites;
1184  const TlsCompressMethods *compressMethods;
1186 #if (DTLS_SUPPORT == ENABLED)
1187  const DtlsCookie *cookie;
1188 #endif
1189 
1190  //Debug message
1191  TRACE_INFO("ClientHello message received (%" PRIuSIZE " bytes)...\r\n", length);
1193 
1194  //Check current state
1195  if(context->state == TLS_STATE_CLIENT_HELLO)
1196  {
1197  //When a client first connects to a server, it is required to send
1198  //the ClientHello as its first message
1199  }
1200  else if(context->state == TLS_STATE_CLIENT_HELLO_2)
1201  {
1202 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1203  //The client will also send a updated ClientHello when the server has
1204  //responded to its initial ClientHello with a HelloRetryRequest
1205  context->updatedClientHelloReceived = TRUE;
1206 #endif
1207  }
1208  else if(context->state == TLS_STATE_APPLICATION_DATA)
1209  {
1210 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1211  //Version of TLS prior to TLS 1.3?
1212  if(context->version <= TLS_VERSION_1_2)
1213  {
1214 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
1215  //Check whether secure renegotiation is enabled
1216  if(context->secureRenegoEnabled)
1217  {
1218  //Make sure the secure_renegociation flag is set
1219  if(!context->secureRenegoFlag)
1220  {
1221  //If the connection's secure_renegotiation flag is set to
1222  //FALSE, it is recommended that servers do not permit legacy
1223  //renegotiation (refer to RFC 5746, section 4.4)
1224  return ERROR_HANDSHAKE_FAILED;
1225  }
1226  }
1227  else
1228 #endif
1229  {
1230  //Secure renegotiation is disabled
1231  return ERROR_HANDSHAKE_FAILED;
1232  }
1233  }
1234  else
1235 #endif
1236  {
1237  //Because TLS 1.3 forbids renegotiation, if a server has negotiated
1238  //TLS 1.3 and receives a ClientHello at any other time, it must
1239  //terminate the connection with an unexpected_message alert
1240  return ERROR_UNEXPECTED_MESSAGE;
1241  }
1242  }
1243  else
1244  {
1245  //Report an error
1246  return ERROR_UNEXPECTED_MESSAGE;
1247  }
1248 
1249  //Check the length of the ClientHello message
1250  if(length < sizeof(TlsClientHello))
1251  return ERROR_DECODING_FAILED;
1252 
1253  //Get the version the client wishes to use during this session
1254  context->clientVersion = ntohs(message->clientVersion);
1255 
1256  //Point to the session ID
1257  p = message->sessionId;
1258  //Remaining bytes to process
1259  n = length - sizeof(TlsClientHello);
1260 
1261  //Check the length of the session ID
1262  if(message->sessionIdLen > n)
1263  return ERROR_DECODING_FAILED;
1264  if(message->sessionIdLen > 32)
1265  return ERROR_DECODING_FAILED;
1266 
1267  //Debug message
1268  TRACE_DEBUG("Session ID (%" PRIu8 " bytes):\r\n", message->sessionIdLen);
1269  TRACE_DEBUG_ARRAY(" ", message->sessionId, message->sessionIdLen);
1270 
1271  //Point to the next field
1272  p += message->sessionIdLen;
1273  //Remaining bytes to process
1274  n -= message->sessionIdLen;
1275 
1276 #if (DTLS_SUPPORT == ENABLED)
1277  //DTLS protocol?
1278  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
1279  {
1280  //Point to the Cookie field
1281  cookie = (DtlsCookie *) p;
1282 
1283  //Malformed ClientHello message?
1284  if(n < sizeof(DtlsCookie))
1285  return ERROR_DECODING_FAILED;
1286  if(n < (sizeof(DtlsCookie) + cookie->length))
1287  return ERROR_DECODING_FAILED;
1288 
1289  //Check the length of the cookie
1290  if(cookie->length > DTLS_MAX_COOKIE_SIZE)
1291  return ERROR_ILLEGAL_PARAMETER;
1292 
1293  //Point to the next field
1294  p += sizeof(DtlsCookie) + cookie->length;
1295  //Remaining bytes to process
1296  n -= sizeof(DtlsCookie) + cookie->length;
1297  }
1298  else
1299  {
1300  //Just for sanity
1301  cookie = NULL;
1302  }
1303 #endif
1304 
1305  //List of cryptographic algorithms supported by the client
1306  cipherSuites = (TlsCipherSuites *) p;
1307 
1308  //Malformed ClientHello message?
1309  if(n < sizeof(TlsCipherSuites))
1310  return ERROR_DECODING_FAILED;
1311  if(n < (sizeof(TlsCipherSuites) + ntohs(cipherSuites->length)))
1312  return ERROR_DECODING_FAILED;
1313 
1314  //Check the length of the list
1315  if(ntohs(cipherSuites->length) == 0)
1316  return ERROR_DECODING_FAILED;
1317  if((ntohs(cipherSuites->length) % 2) != 0)
1318  return ERROR_DECODING_FAILED;
1319 
1320  //Point to the next field
1321  p += sizeof(TlsCipherSuites) + ntohs(cipherSuites->length);
1322  //Remaining bytes to process
1323  n -= sizeof(TlsCipherSuites) + ntohs(cipherSuites->length);
1324 
1325  //List of compression algorithms supported by the client
1326  compressMethods = (TlsCompressMethods *) p;
1327 
1328  //Malformed ClientHello message?
1329  if(n < sizeof(TlsCompressMethods))
1330  return ERROR_DECODING_FAILED;
1331  if(n < (sizeof(TlsCompressMethods) + compressMethods->length))
1332  return ERROR_DECODING_FAILED;
1333 
1334  //Check the length of the list
1335  if(compressMethods->length == 0)
1336  return ERROR_DECODING_FAILED;
1337 
1338  //Point to the next field
1339  p += sizeof(TlsCompressMethods) + compressMethods->length;
1340  //Remaining bytes to process
1341  n -= sizeof(TlsCompressMethods) + compressMethods->length;
1342 
1343  //Parse the list of extensions offered by the client
1345  //Any error to report?
1346  if(error)
1347  return error;
1348 
1349  //Check whether the ClientHello includes any SCSV cipher suites
1350  error = tlsCheckSignalingCipherSuiteValues(context, cipherSuites);
1351  //Any error to report?
1352  if(error)
1353  return error;
1354 
1355 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
1356  //Parse RenegotiationInfo extension
1357  error = tlsParseClientRenegoInfoExtension(context, extensions.renegoInfo);
1358  //Any error to report?
1359  if(error)
1360  return error;
1361 #endif
1362 
1363 #if (DTLS_SUPPORT == ENABLED)
1364  //DTLS protocol?
1365  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
1366  {
1367  DtlsClientParameters clientParams;
1368 
1369  //The server should use client parameters (version, random, session_id,
1370  //cipher_suites, compression_method) to generate its cookie
1371  clientParams.version = ntohs(message->clientVersion);
1372  clientParams.random = message->random;
1373  clientParams.randomLen = 32;
1374  clientParams.sessionId = message->sessionId;
1375  clientParams.sessionIdLen = message->sessionIdLen;
1376  clientParams.cipherSuites = (const uint8_t *) cipherSuites->value;
1377  clientParams.cipherSuitesLen = ntohs(cipherSuites->length);
1378  clientParams.compressMethods = compressMethods->value;
1379  clientParams.compressMethodsLen = compressMethods->length;
1380 
1381  //Verify that the cookie is valid
1382  error = dtlsVerifyCookie(context, cookie, &clientParams);
1383  //Any error to report?
1384  if(error)
1385  return error;
1386 
1387  //The server may respond with a HelloVerifyRequest message containing
1388  //a stateless cookie
1389  if(context->state == TLS_STATE_HELLO_VERIFY_REQUEST)
1390  {
1391  //Exit immediately
1392  return NO_ERROR;
1393  }
1394  }
1395 #endif
1396 
1397  //Perform version negotiation
1398  error = tlsNegotiateVersion(context, ntohs(message->clientVersion),
1399  extensions.supportedVersionList);
1400  //Any error to report?
1401  if(error)
1402  return error;
1403 
1404  //Check the list of extensions offered by the client
1405  error = tlsCheckHelloExtensions(TLS_TYPE_CLIENT_HELLO, context->version,
1406  &extensions);
1407  //Any error to report?
1408  if(error)
1409  return error;
1410 
1411  //The SignatureAlgorithms extension is not meaningful for TLS versions
1412  //prior to 1.2 (refer to RFC 5246, section 7.4.1.4.1)
1413  if(context->version <= TLS_VERSION_1_1)
1414  {
1415  //Even if clients do offer it, the rules specified in RFC 6066 require
1416  //servers to ignore extensions they do not understand
1417  extensions.signAlgoList = NULL;
1418  extensions.certSignAlgoList = NULL;
1419  }
1420 
1421  //Save client random value
1422  memcpy(context->clientRandom, message->random, 32);
1423 
1424 #if (TLS_SNI_SUPPORT == ENABLED)
1425  //In order to provide the server name, clients may include a ServerName
1426  //extension
1427  error = tlsParseClientSniExtension(context, extensions.serverNameList);
1428  //Any error to report?
1429  if(error)
1430  return error;
1431 #endif
1432 
1433 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1434  //SSL 3.0, TLS 1.0, TLS 1.1 or TLS 1.2 currently selected?
1435  if(context->version <= TLS_VERSION_1_2)
1436  {
1437  //The server attempts to resume TLS session via session ID
1438  error = tlsResumeServerSession(context, message->sessionId,
1439  message->sessionIdLen, cipherSuites, &extensions);
1440  //Any error to report?
1441  if(error)
1442  return error;
1443 
1444  //Full handshake?
1445  if(!context->resume)
1446  {
1447  //Perform cipher suite negotiation
1448  error = tlsNegotiateCipherSuite(context, NULL, cipherSuites,
1449  &extensions);
1450  //If no acceptable choices are presented, terminate the handshake
1451  if(error)
1452  return ERROR_HANDSHAKE_FAILED;
1453 
1454  //Parse the list of compression methods supported by the client
1455  error = tlsParseCompressMethods(context, compressMethods);
1456  //Any error to report?
1457  if(error)
1458  return error;
1459  }
1460 
1461  //Initialize handshake message hashing
1462  error = tlsInitTranscriptHash(context);
1463  //Any error to report?
1464  if(error)
1465  return error;
1466 
1467 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
1468  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1469  //A client that proposes ECC cipher suites in its ClientHello message
1470  //may send the EcPointFormats extension
1471  error = tlsParseClientEcPointFormatsExtension(context,
1472  extensions.ecPointFormatList);
1473  //Any error to report?
1474  if(error)
1475  return error;
1476 #endif
1477 
1478 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
1479  //Parse ExtendedMasterSecret extension
1480  error = tlsParseClientEmsExtension(context,
1481  extensions.extendedMasterSecret);
1482  //Any error to report?
1483  if(error)
1484  return error;
1485 #endif
1486  }
1487  else
1488 #endif
1489 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1490  //TLS 1.3 currently selected?
1491  if(context->version == TLS_VERSION_1_3)
1492  {
1493  //Save the client's legacy_session_id field
1494  memcpy(context->sessionId, message->sessionId, message->sessionIdLen);
1495  context->sessionIdLen = message->sessionIdLen;
1496 
1497  //Perform cipher suite and key exchange method negotiation
1498  error = tls13NegotiateCipherSuite(context, message, length, cipherSuites,
1499  &extensions);
1500  //If no acceptable choices are presented, terminate the handshake
1501  if(error)
1502  return error;
1503 
1504  //Parse the list of compression methods supported by the client
1505  error = tlsParseCompressMethods(context, compressMethods);
1506  //Any error to report?
1507  if(error)
1508  return error;
1509 
1510  //When a PSK is used and early data is allowed for that PSK, the client
1511  //can send application data in its first flight of messages
1512  if(extensions.earlyDataIndication != NULL)
1513  {
1514  //If the client opts to do so, it must supply both the PreSharedKey
1515  //and EarlyData extensions (refer to RFC 8446, section 4.2.10)
1516  if(extensions.identityList == NULL || extensions.binderList == NULL)
1517  {
1518  context->earlyDataRejected = TRUE;
1519  }
1520  }
1521  }
1522  else
1523 #endif
1524  //Invalid TLS version?
1525  {
1526  //Just for sanity
1527  return ERROR_INVALID_VERSION;
1528  }
1529 
1530 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED && TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
1531  //A server that supports the RecordSizeLimit extension must ignore a
1532  //MaxFragmentLength that appears in a ClientHello if both extensions
1533  //appear (refer to RFC 8449, section 5)
1534  if(extensions.maxFragLen != NULL && extensions.recordSizeLimit != NULL)
1535  extensions.maxFragLen = NULL;
1536 #endif
1537 
1538 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
1539  //In order to negotiate smaller maximum fragment lengths, clients may
1540  //include a MaxFragmentLength extension
1541  error = tlsParseClientMaxFragLenExtension(context, extensions.maxFragLen);
1542  //Any error to report?
1543  if(error)
1544  return error;
1545 #endif
1546 
1547 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
1548  //The value of RecordSizeLimit is the maximum size of record in octets
1549  //that the peer is willing to receive
1551  extensions.recordSizeLimit);
1552  //Any error to report?
1553  if(error)
1554  return error;
1555 #endif
1556 
1557 #if (TLS_ALPN_SUPPORT == ENABLED)
1558  //Parse ALPN extension
1559  error = tlsParseClientAlpnExtension(context, extensions.protocolNameList);
1560  //Any error to report?
1561  if(error)
1562  return error;
1563 #endif
1564 
1565 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
1566  //Parse ClientCertType extension
1567  error = tlsParseClientCertTypeListExtension(context,
1568  extensions.clientCertTypeList);
1569  //Any error to report?
1570  if(error)
1571  return error;
1572 
1573  //Parse ServerCertType extension
1574  error = tlsParseServerCertTypeListExtension(context,
1575  extensions.serverCertTypeList);
1576  //Any error to report?
1577  if(error)
1578  return error;
1579 #endif
1580 
1581  //Version of TLS prior to TLS 1.3?
1582  if(context->version <= TLS_VERSION_1_2)
1583  {
1584  //Send a ServerHello message to the client
1585  context->state = TLS_STATE_SERVER_HELLO;
1586  }
1587  else
1588  {
1589  //Send a ServerHello or a HelloRetryRequest message to the client
1590  if(context->state == TLS_STATE_CLIENT_HELLO)
1591  context->state = TLS_STATE_SERVER_HELLO;
1592  else if(context->state == TLS_STATE_CLIENT_HELLO_2)
1593  context->state = TLS_STATE_SERVER_HELLO_2;
1594  else
1595  context->state = TLS_STATE_HELLO_RETRY_REQUEST;
1596  }
1597 
1598  //Successful processing
1599  return NO_ERROR;
1600 }
1601 
1602 
1603 /**
1604  * @brief Parse ClientKeyExchange message
1605  *
1606  * This message is always sent by the client. It must immediately
1607  * follow the client Certificate message, if it is sent. Otherwise,
1608  * it must be the first message sent by the client after it receives
1609  * the ServerHelloDone message
1610  *
1611  * @param[in] context Pointer to the TLS context
1612  * @param[in] message Incoming ClientKeyExchange message to parse
1613  * @param[in] length Message length
1614  * @return Error code
1615  **/
1616 
1618  const TlsClientKeyExchange *message, size_t length)
1619 {
1620  error_t error;
1621  size_t n;
1622  const uint8_t *p;
1623 
1624  //Debug message
1625  TRACE_INFO("ClientKeyExchange message received (%" PRIuSIZE " bytes)...\r\n", length);
1627 
1628  //Check TLS version
1629  if(context->version > TLS_VERSION_1_2)
1630  return ERROR_UNEXPECTED_MESSAGE;
1631 
1632  //Check current state
1633  if(context->state == TLS_STATE_CLIENT_CERTIFICATE)
1634  {
1635  //A an non-anonymous server can optionally request a certificate from the client
1636  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
1637  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1638  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1639  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1640  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
1641  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1642  {
1643  //If client authentication is required by the server for the handshake
1644  //to continue, it may respond with a fatal handshake failure alert
1645  if(context->clientAuthMode == TLS_CLIENT_AUTH_REQUIRED)
1646  return ERROR_HANDSHAKE_FAILED;
1647  }
1648  }
1649  else if(context->state != TLS_STATE_CLIENT_KEY_EXCHANGE)
1650  {
1651  //Send a fatal alert to the client
1652  return ERROR_UNEXPECTED_MESSAGE;
1653  }
1654 
1655  //Point to the beginning of the handshake message
1656  p = message;
1657 
1658 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
1659  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1660  //PSK key exchange method?
1661  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1662  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
1663  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1664  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1665  {
1666  //The PSK identity is sent in cleartext
1667  error = tlsParsePskIdentity(context, p, length, &n);
1668  //Any error to report?
1669  if(error)
1670  return error;
1671 
1672  //Point to the next field
1673  p += n;
1674  //Remaining bytes to process
1675  length -= n;
1676  }
1677 #endif
1678 
1679  //RSA, Diffie-Hellman or ECDH key exchange method?
1680  if(context->keyExchMethod != TLS_KEY_EXCH_PSK)
1681  {
1682  //Parse client's key exchange parameters
1683  error = tlsParseClientKeyParams(context, p, length, &n);
1684  //Any error to report?
1685  if(error)
1686  return error;
1687 
1688  //Point to the next field
1689  p += n;
1690  //Remaining bytes to process
1691  length -= n;
1692  }
1693 
1694  //If the amount of data in the message does not precisely match the format
1695  //of the ClientKeyExchange message, then send a fatal alert
1696  if(length != 0)
1697  return ERROR_DECODING_FAILED;
1698 
1699 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
1700  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1701  //PSK key exchange method?
1702  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1703  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
1704  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1705  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1706  {
1707  //Invalid pre-shared key?
1708  if(context->pskLen == 0)
1709  return ERROR_INVALID_KEY_LENGTH;
1710 
1711  //Generate premaster secret
1712  error = tlsGeneratePskPremasterSecret(context);
1713  //Any error to report?
1714  if(error)
1715  return error;
1716  }
1717 #endif
1718 
1719  //Derive session keys from the premaster secret
1720  error = tlsGenerateSessionKeys(context);
1721  //Unable to generate key material?
1722  if(error)
1723  return error;
1724 
1725  //Update FSM state
1726  if(context->peerCertType != TLS_CERT_NONE)
1727  context->state = TLS_STATE_CLIENT_CERTIFICATE_VERIFY;
1728  else
1729  context->state = TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC;
1730 
1731  //Successful processing
1732  return NO_ERROR;
1733 }
1734 
1735 #endif
#define tlsAllocMem(size)
Definition: tls.h:757
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256
Definition: tls.h:1115
#define htons(value)
Definition: cpu_endian.h:392
DTLS (Datagram Transport Layer Security)
Parsing and checking of TLS extensions.
@ TLS_SIGN_ALGO_DSA
Definition: tls.h:1113
error_t tlsFormatServerEmsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ExtendedMasterSecret extension.
TLS helper functions.
const uint8_t * random
Definition: dtls_misc.h:220
X.509 certificate parsing.
uint8_t length
Definition: dtls_misc.h:149
Date and time management.
error_t tlsParsePskIdentity(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse PSK identity.
#define SHA256_HASH_ALGO
Definition: sha256.h:46
@ TLS_STATE_HELLO_RETRY_REQUEST
Definition: tls.h:1294
__start_packed struct @82 Tls12DigitalSignature
Digitally-signed element (TLS 1.2)
TLS cipher suites.
__start_packed struct @69 TlsExtensionList
List of TLS extensions.
error_t tlsParseClientKeyParams(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse client's key exchange parameters.
bool_t x509IsSignAlgoSupported(X509SignatureAlgo signAlgo)
Check whether a given signature algorithm is supported.
Definition: x509_common.c:170
error_t tlsFormatPskIdentityHint(TlsContext *context, uint8_t *p, size_t *written)
Format PSK identity hint.
Handshake message processing (TLS 1.3 server)
@ ERROR_WOULD_BLOCK
Definition: error.h:95
void TlsServerHelloDone
ServerHelloDone message.
Definition: tls.h:1662
Key material generation.
TLS handshake.
@ TLS_TYPE_SERVER_HELLO_DONE
Definition: tls.h:943
error_t tlsGeneratePskPremasterSecret(TlsContext *context)
Premaster secret generation (for PSK cipher suites)
error_t tls12GenerateServerKeySignature(TlsContext *context, Tls12DigitalSignature *signature, const uint8_t *params, size_t paramsLen, size_t *written)
Sign server's key exchange parameters (TLS 1.2)
@ TLS_COMPRESSION_METHOD_NULL
Definition: tls.h:1015
error_t tlsParseClientEcPointFormatsExtension(TlsContext *context, const TlsEcPointFormatList *ecPointFormatList)
Parse EcPointFormats extension.
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:237
RSA/DSA/ECDSA/EdDSA signature generation and verification.
error_t tlsNegotiateVersion(TlsContext *context, uint16_t clientVersion, const TlsSupportedVersionList *supportedVersionList)
Version negotiation.
@ ERROR_UNEXPECTED_MESSAGE
Definition: error.h:192
error_t tlsSendCertificateRequest(TlsContext *context)
Send CertificateRequest message.
Definition: tls_server.c:262
uint8_t p
Definition: ndp.h:298
error_t tlsParseServerCertTypeListExtension(TlsContext *context, const TlsCertTypeList *serverCertTypeList)
Parse ServerCertType extension.
#define TRUE
Definition: os_port.h:50
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384
Definition: tls.h:1121
@ TLS_STATE_CERTIFICATE_REQUEST
Definition: tls.h:1303
size_t rawDataLen
Definition: x509_common.h:571
error_t tlsFormatServerRenegoInfoExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RenegotiationInfo extension.
X.509 certificate.
Definition: x509_common.h:920
@ TLS_CIPHER_SUITE_TYPE_ECC
@ TLS_TRANSPORT_PROTOCOL_DATAGRAM
Definition: tls.h:851
__start_packed struct @81 TlsDigitalSignature
Digitally-signed element (SSL 3.0, TLS 1.0 and TLS 1.1)
uint16_t version
Definition: dtls_misc.h:172
Session cache management.
@ TLS_HASH_ALGO_SHA1
Definition: tls.h:1096
@ TLS_STATE_APPLICATION_DATA
Definition: tls.h:1319
@ ERROR_HANDSHAKE_FAILED
Definition: error.h:228
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
@ TLS13_KEY_EXCH_ECDHE
Definition: tls.h:1046
@ TLS_CERT_DSS_SIGN
Definition: tls.h:1073
error_t tlsFormatServerHelloDone(TlsContext *context, TlsServerHelloDone *message, size_t *length)
Format ServerHelloDone message.
Definition: tls_server.c:1151
__start_packed struct @56 DtlsCookie
Cookie.
error_t tlsParseClientCertTypeListExtension(TlsContext *context, const TlsCertTypeList *clientCertTypeList)
Parse ClientCertType extension.
@ ERROR_INVALID_VERSION
Definition: error.h:116
error_t tlsSendHandshakeMessage(TlsContext *context, const void *data, size_t length, TlsMessageType type)
Send handshake message.
error_t tlsParseClientHello(TlsContext *context, const TlsClientHello *message, size_t length)
Parse ClientHello message.
Definition: tls_server.c:1177
error_t tlsFormatServerSniExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SNI extension.
#define DTLS_MAX_COOKIE_SIZE
Definition: dtls_misc.h:75
error_t tlsFormatServerKeyParams(TlsContext *context, uint8_t *p, size_t *written)
Format server's key exchange parameters.
@ TLS_STATE_CLIENT_HELLO
Definition: tls.h:1290
error_t tlsSendServerHelloDone(TlsContext *context)
Send ServerHelloDone message.
Definition: tls_server.c:339
error_t tlsParseClientMaxFragLenExtension(TlsContext *context, const uint8_t *maxFragLen)
Parse MaxFragmentLength extension.
@ TLS_KEY_EXCH_RSA
Definition: tls.h:1027
error_t tlsParseClientKeyExchange(TlsContext *context, const TlsClientKeyExchange *message, size_t length)
Parse ClientKeyExchange message.
Definition: tls_server.c:1617
@ TLS_STATE_SERVER_HELLO
Definition: tls.h:1295
@ TLS_STATE_HELLO_VERIFY_REQUEST
Definition: tls.h:1293
error_t tlsFormatSignatureAlgorithmsExtension(TlsContext *context, uint_t cipherSuiteTypes, uint8_t *p, size_t *written)
Format SignatureAlgorithms extension.
Definition: tls_common.c:795
@ TLS_KEY_EXCH_ECDHE_ECDSA
Definition: tls.h:1036
@ TLS_KEY_EXCH_ECDHE_RSA
Definition: tls.h:1034
error_t pemImportCertificate(const char_t *input, size_t inputLen, uint8_t *output, size_t *outputLen, size_t *consumed)
Decode a PEM file containing a certificate.
Definition: pem_import.c:60
__start_packed struct @62 TlsCipherSuites
Cipher suites.
@ TLS_KEY_EXCH_ECDH_ANON
Definition: tls.h:1037
error_t tlsFormatServerRecordSizeLimitExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RecordSizeLimit extension.
PEM file import functions.
__start_packed struct @65 TlsSignHashAlgos
List of signature algorithms.
error_t tlsParseClientRecordSizeLimitExtension(TlsContext *context, const uint8_t *recordSizeLimit)
Parse RecordSizeLimit extension.
#define TlsContext
Definition: tls.h:36
error_t
Error codes.
Definition: error.h:42
DTLS record protocol.
error_t tlsSendServerKeyExchange(TlsContext *context)
Send ServerKeyExchange message.
Definition: tls_server.c:179
#define TLS_VERSION_1_2
Definition: tls.h:94
Formatting and parsing of extensions (TLS 1.3 server)
@ TLS_KEY_EXCH_DH_ANON
Definition: tls.h:1032
Client parameters.
Definition: dtls_misc.h:217
const uint8_t * cipherSuites
Definition: dtls_misc.h:224
@ TLS13_KEY_EXCH_DHE
Definition: tls.h:1045
error_t tlsParseHelloExtensions(TlsMessageType msgType, const uint8_t *p, size_t length, TlsHelloExtensions *extensions)
Parse Hello extensions.
@ TLS_HASH_ALGO_INTRINSIC
Definition: tls.h:1101
#define STORE16BE(a, p)
Definition: cpu_endian.h:246
@ TLS_TYPE_CLIENT_HELLO
Definition: tls.h:933
error_t tlsFormatClientCertTypeExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ClientCertType extension.
error_t tlsFormatServerHello(TlsContext *context, TlsServerHello *message, size_t *length)
Format ServerHello message.
Definition: tls_server.c:386
#define TLS_VERSION_1_3
Definition: tls.h:95
@ TLS_TYPE_SERVER_HELLO
Definition: tls.h:934
Handshake message processing (TLS client and server)
@ TLS_HASH_ALGO_SHA384
Definition: tls.h:1099
__start_packed struct @67 TlsCertAuthorities
List of certificate authorities.
@ ERROR_INVALID_KEY_LENGTH
Definition: error.h:105
error_t tlsNegotiateCipherSuite(TlsContext *context, const HashAlgo *hashAlgo, const TlsCipherSuites *cipherSuites, TlsHelloExtensions *extensions)
Cipher suite negotiation.
TLS record protocol.
@ TLS_STATE_CLIENT_CERTIFICATE_VERIFY
Definition: tls.h:1307
@ TLS_STATE_SERVER_CHANGE_CIPHER_SPEC
Definition: tls.h:1312
@ TLS_HASH_ALGO_SHA256
Definition: tls.h:1098
@ TLS_CERT_RSA_SIGN
Definition: tls.h:1072
const uint8_t * rawData
Definition: x509_common.h:570
#define TRACE_INFO(...)
Definition: debug.h:94
error_t tlsParseClientAlpnExtension(TlsContext *context, const TlsProtocolNameList *protocolNameList)
Parse ALPN extension.
@ ERROR_MESSAGE_TOO_LONG
Definition: error.h:134
@ TLS_CLIENT_AUTH_NONE
Definition: tls.h:872
#define MIN(a, b)
Definition: os_port.h:62
@ TLS_KEY_EXCH_DHE_PSK
Definition: tls.h:1040
error_t tlsResumeServerSession(TlsContext *context, const uint8_t *sessionId, size_t sessionIdLen, const TlsCipherSuites *cipherSuites, const TlsHelloExtensions *extensions)
Resume TLS session via session ID.
uint16_t dtlsTranslateVersion(uint16_t version)
Translate TLS version into DTLS version.
Definition: dtls_misc.c:113
@ TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC
Definition: tls.h:1308
Helper functions for TLS 1.3 server.
error_t tlsFormatServerMaxFragLenExtension(TlsContext *context, uint8_t *p, size_t *written)
Format MaxFragmentLength extension.
Hello extensions.
Definition: tls.h:1894
Transcript hash calculation.
@ TLS_STATE_HANDSHAKE_TRAFFIC_KEYS
Definition: tls.h:1298
@ TLS_KEY_EXCH_RSA_PSK
Definition: tls.h:1039
__start_packed struct @85 TlsClientHello
ClientHello message.
#define ntohs(value)
Definition: cpu_endian.h:398
#define SHA384_HASH_ALGO
Definition: sha384.h:47
@ TLS_TYPE_SERVER_KEY_EXCHANGE
Definition: tls.h:941
error_t tlsFormatCertificateRequest(TlsContext *context, TlsCertificateRequest *message, size_t *length)
Format CertificateRequest message.
Definition: tls_server.c:802
__start_packed struct @87 TlsCertificateRequest
CertificateRequest message.
#define TRACE_DEBUG(...)
Definition: debug.h:106
@ ERROR_TIMEOUT
Definition: error.h:94
char char_t
Definition: compiler_port.h:43
__start_packed struct @98 Tls13CertRequestContext
Certificate request context.
#define TLS_VERSION_1_1
Definition: tls.h:93
__start_packed struct @64 TlsSignHashAlgo
Signature algorithm.
@ TLS_STATE_CLIENT_HELLO_2
Definition: tls.h:1291
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:107
@ X509_SIGN_ALGO_RSA_PSS
Definition: x509_common.h:525
void TlsClientKeyExchange
ClientKeyExchange message.
Definition: tls.h:1669
@ TLS_STATE_SERVER_CERTIFICATE
Definition: tls.h:1300
@ TLS_CLIENT_AUTH_REQUIRED
Definition: tls.h:874
error_t tlsParseCompressMethods(TlsContext *context, const TlsCompressMethods *compressMethods)
Parse the list of compression methods supported by the client.
uint8_t n
uint8_t extensions[]
Definition: tls13_misc.h:327
@ TLS_STATE_CLIENT_KEY_EXCHANGE
Definition: tls.h:1306
error_t tlsParseClientRenegoInfoExtension(TlsContext *context, const TlsRenegoInfo *renegoInfo)
Parse RenegotiationInfo extension.
error_t tlsFormatServerEcPointFormatsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format EcPointFormats extension.
@ TLS_STATE_CLIENT_CERTIFICATE
Definition: tls.h:1305
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256
Definition: tls.h:1120
__start_packed struct @86 TlsServerHello
ServerHello message.
@ TLS_KEY_EXCH_PSK
Definition: tls.h:1038
error_t tlsInitTranscriptHash(TlsContext *context)
Initialize handshake message hashing.
Handshake message processing (TLS server)
error_t tlsFormatSignatureAlgorithmsCertExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SignatureAlgorithmsCert extension.
Definition: tls_common.c:1001
@ TLS_KEY_EXCH_ECDHE_PSK
Definition: tls.h:1041
#define PTR_OFFSET(addr, offset)
Definition: os_port.h:40
const uint8_t * sessionId
Definition: dtls_misc.h:222
uint8_t message[]
Definition: chap.h:152
@ TLS_TYPE_CERTIFICATE_REQUEST
Definition: tls.h:942
error_t tls13FormatServerPreSharedKeyExtension(TlsContext *context, uint8_t *p, size_t *written)
const uint8_t * compressMethods
Definition: dtls_misc.h:226
TLS (Transport Layer Security)
uint8_t cookie[]
Definition: dtls_misc.h:203
@ TLS_SIGN_ALGO_RSA
Definition: tls.h:1112
error_t tlsCheckSignalingCipherSuiteValues(TlsContext *context, const TlsCipherSuites *cipherSuites)
Check whether the ClientHello includes any SCSV cipher suites.
error_t tlsParseClientSniExtension(TlsContext *context, const TlsServerNameList *serverNameList)
Parse SNI extension.
@ TLS_CERT_ECDSA_SIGN
Definition: tls.h:1079
__start_packed struct @63 TlsCompressMethods
Compression methods.
@ TLS_KEY_EXCH_DHE_DSS
Definition: tls.h:1031
error_t x509ParseCertificate(const uint8_t *data, size_t length, X509CertificateInfo *certInfo)
Parse a X.509 certificate.
error_t tlsCheckHelloExtensions(TlsMessageType msgType, uint16_t version, TlsHelloExtensions *extensions)
Check Hello extensions.
@ TLS_CERT_NONE
Definition: tls.h:1071
FFDHE key exchange.
Helper functions for TLS server.
error_t tlsGenerateSessionKeys(TlsContext *context)
Generate session keys.
Formatting and parsing of extensions (TLS server)
size_t compressMethodsLen
Definition: dtls_misc.h:227
error_t tlsGenerateServerKeySignature(TlsContext *context, TlsDigitalSignature *signature, const uint8_t *params, size_t paramsLen, size_t *written)
Sign server's key exchange parameters (SSL 3.0, TLS 1.0 and TLS 1.1)
@ ERROR_DECODING_FAILED
Definition: error.h:235
#define PRIuSIZE
Definition: compiler_port.h:78
error_t tlsFormatServerCertTypeExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ServerCertType extension.
error_t tls13FormatServerKeyShareExtension(TlsContext *context, uint8_t *p, size_t *written)
@ TLS_STATE_SERVER_HELLO_DONE
Definition: tls.h:1304
#define tlsFreeMem(p)
Definition: tls.h:762
@ TLS_STATE_SERVER_HELLO_2
Definition: tls.h:1296
error_t tls13FormatServerSupportedVersionsExtension(TlsContext *context, uint8_t *p, size_t *written)
error_t tlsGenerateRandomValue(TlsContext *context, uint8_t *random)
Generate client or server random value.
Definition: tls_misc.c:164
@ TLS_SIGN_ALGO_ECDSA
Definition: tls.h:1114
@ TLS_KEY_EXCH_DHE_RSA
Definition: tls.h:1029
error_t tlsFormatServerAlpnExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ALPN extension.
error_t tls13NegotiateCipherSuite(TlsContext *context, const void *clientHello, size_t clientHelloLen, const TlsCipherSuites *cipherSuites, TlsHelloExtensions *extensions)
void TlsServerKeyExchange
ServerKeyExchange message.
Definition: tls.h:1644
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384
Definition: tls.h:1116
error_t dtlsVerifyCookie(TlsContext *context, const DtlsCookie *cookie, const DtlsClientParameters *clientParams)
Cookie verification.
Definition: dtls_misc.c:174
error_t tlsParseClientEmsExtension(TlsContext *context, const uint8_t *extendedMasterSecret)
Parse ExtendedMasterSecret extension.
X509TbsCertificate tbsCert
Definition: x509_common.h:922
@ NO_ERROR
Success.
Definition: error.h:44
Debugging facilities.
error_t tlsSendServerHello(TlsContext *context)
Send ServerHello message.
Definition: tls_server.c:83
error_t tlsFormatServerKeyExchange(TlsContext *context, TlsServerKeyExchange *message, size_t *length)
Format ServerKeyExchange message.
Definition: tls_server.c:680