tls_server.c
Go to the documentation of this file.
1 /**
2  * @file tls_server.c
3  * @brief Handshake message processing (TLS server)
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneSSL Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @section Description
26  *
27  * The TLS protocol provides communications security over the Internet. The
28  * protocol allows client/server applications to communicate in a way that
29  * is designed to prevent eavesdropping, tampering, or message forgery
30  *
31  * @author Oryx Embedded SARL (www.oryx-embedded.com)
32  * @version 1.9.0
33  **/
34 
35 //Switch to the appropriate trace level
36 #define TRACE_LEVEL TLS_TRACE_LEVEL
37 
38 //Dependencies
39 #include <string.h>
40 #include "tls.h"
41 #include "tls_cipher_suites.h"
42 #include "tls_handshake.h"
43 #include "tls_server.h"
44 #include "tls_server_extensions.h"
45 #include "tls_server_misc.h"
46 #include "tls_common.h"
47 #include "tls_extensions.h"
48 #include "tls_signature.h"
49 #include "tls_key_material.h"
50 #include "tls_transcript_hash.h"
51 #include "tls_cache.h"
52 #include "tls_ffdhe.h"
53 #include "tls_record.h"
54 #include "tls_misc.h"
55 #include "tls13_server.h"
57 #include "tls13_server_misc.h"
58 #include "dtls_record.h"
59 #include "dtls_misc.h"
60 #include "certificate/pem_import.h"
62 #include "date_time.h"
63 #include "debug.h"
64 
65 //Check TLS library configuration
66 #if (TLS_SUPPORT == ENABLED && TLS_SERVER_SUPPORT == ENABLED)
67 
68 
69 /**
70  * @brief Send ServerHello message
71  *
72  * The server will send this message in response to a ClientHello
73  * message when it was able to find an acceptable set of algorithms.
74  * If it cannot find such a match, it will respond with a handshake
75  * failure alert
76  *
77  * @param[in] context Pointer to the TLS context
78  * @return Error code
79  **/
80 
82 {
83  error_t error;
84  size_t length;
86 
87  //Point to the buffer where to format the message
88  message = (TlsServerHello *) (context->txBuffer + context->txBufferLen);
89 
90  //Generate the server random value using a cryptographically-safe
91  //pseudorandom number generator
92  error = tlsGenerateRandomValue(context, context->serverRandom);
93 
94  //Check status code
95  if(!error)
96  {
97  //Format ServerHello message
98  error = tlsFormatServerHello(context, message, &length);
99  }
100 
101  //Check status code
102  if(!error)
103  {
104  //Debug message
105  TRACE_INFO("Sending ServerHello message (%" PRIuSIZE " bytes)...\r\n", length);
107 
108  //Send handshake message
109  error = tlsSendHandshakeMessage(context, message, length,
111  }
112 
113  //Check status code
114  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
115  {
116  //Version of TLS prior to TLS 1.3?
117  if(context->version <= TLS_VERSION_1_2)
118  {
119 #if (TLS_SESSION_RESUME_SUPPORT == ENABLED)
120  //Use abbreviated handshake?
121  if(context->resume)
122  {
123  //Derive session keys from the master secret
124  error = tlsGenerateSessionKeys(context);
125 
126  //Key material successfully generated?
127  if(!error)
128  {
129  //At this point, both client and server must send ChangeCipherSpec
130  //messages and proceed directly to Finished messages
131  context->state = TLS_STATE_SERVER_CHANGE_CIPHER_SPEC;
132  }
133  }
134  else
135 #endif
136  {
137  //Perform a full handshake
138  context->state = TLS_STATE_SERVER_CERTIFICATE;
139  }
140  }
141  else
142  {
143 #if (TLS13_MIDDLEBOX_COMPAT_SUPPORT == ENABLED)
144  //First handshake message sent by the server?
145  if(context->state == TLS_STATE_SERVER_HELLO)
146  {
147  //In middlebox compatibility mode, the server must send a dummy
148  //ChangeCipherSpec record immediately after its first handshake
149  //message
150  context->state = TLS_STATE_SERVER_CHANGE_CIPHER_SPEC;
151  }
152  else
153 #endif
154  {
155  //All handshake messages after the ServerHello are now encrypted
156  context->state = TLS_STATE_HANDSHAKE_TRAFFIC_KEYS;
157  }
158  }
159  }
160 
161  //Return status code
162  return error;
163 }
164 
165 
166 /**
167  * @brief Send ServerKeyExchange message
168  *
169  * The ServerKeyExchange message is sent by the server only when the
170  * server Certificate message does not contain enough data to allow
171  * the client to exchange a premaster secret
172  *
173  * @param[in] context Pointer to the TLS context
174  * @return Error code
175  **/
176 
178 {
179  error_t error;
180  size_t length;
182 
183  //Initialize status code
184  error = NO_ERROR;
185 
186  //Point to the buffer where to format the message
187  message = (TlsServerKeyExchange *) (context->txBuffer + context->txBufferLen);
188  //Initialize length
189  length = 0;
190 
191  //The ServerKeyExchange message is sent by the server only when the server
192  //Certificate message (if sent) does not contain enough data to allow the
193  //client to exchange a premaster secret
194  if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
195  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
196  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
197  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
198  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
199  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
200  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
201  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
202  {
203  //Format ServerKeyExchange message
204  error = tlsFormatServerKeyExchange(context, message, &length);
205  }
206  else if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
207  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
208  {
209 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
210  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
211  //If no PSK identity hint is provided by the server, the
212  //ServerKeyExchange message is omitted...
213  if(context->pskIdentityHint != NULL)
214  {
215  //Format ServerKeyExchange message
216  error = tlsFormatServerKeyExchange(context, message, &length);
217  }
218 #endif
219  }
220 
221  //Check status code
222  if(!error)
223  {
224  //Any message to send?
225  if(length > 0)
226  {
227  //Debug message
228  TRACE_INFO("Sending ServerKeyExchange message (%" PRIuSIZE " bytes)...\r\n", length);
230 
231  //Send handshake message
232  error = tlsSendHandshakeMessage(context, message, length,
234  }
235  }
236 
237  //Check status code
238  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
239  {
240  //A server can optionally request a certificate from the client
241  context->state = TLS_STATE_CERTIFICATE_REQUEST;
242  }
243 
244  //Return status code
245  return error;
246 }
247 
248 
249 /**
250  * @brief Send CertificateRequest message
251  *
252  * A server can optionally request a certificate from the client, if
253  * appropriate for the selected cipher suite. This message will
254  * immediately follow the ServerKeyExchange message
255  *
256  * @param[in] context Pointer to the TLS context
257  * @return Error code
258  **/
259 
261 {
262  error_t error;
263  size_t length;
265 
266  //Initialize status code
267  error = NO_ERROR;
268 
269 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED || \
270  TLS_DSA_SIGN_SUPPORT == ENABLED || TLS_ECDSA_SIGN_SUPPORT == ENABLED)
271  //A server can optionally request a certificate from the client
272  if(context->clientAuthMode != TLS_CLIENT_AUTH_NONE)
273  {
274  //Non-anonymous key exchange?
275  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
276  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
277  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
278  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
279  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
280  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
281  context->keyExchMethod == TLS13_KEY_EXCH_DHE ||
282  context->keyExchMethod == TLS13_KEY_EXCH_ECDHE)
283  {
284  //Point to the buffer where to format the message
285  message = (TlsCertificateRequest *) (context->txBuffer + context->txBufferLen);
286 
287  //Format CertificateRequest message
288  error = tlsFormatCertificateRequest(context, message, &length);
289 
290  //Check status code
291  if(!error)
292  {
293  //Debug message
294  TRACE_INFO("Sending CertificateRequest message (%" PRIuSIZE " bytes)...\r\n", length);
296 
297  //Send handshake message
298  error = tlsSendHandshakeMessage(context, message, length,
300  }
301  }
302  }
303 #endif
304 
305  //Check status code
306  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
307  {
308  //Version of TLS prior to TLS 1.3?
309  if(context->version <= TLS_VERSION_1_2)
310  {
311  //Send a ServerHelloDone message to the client
312  context->state = TLS_STATE_SERVER_HELLO_DONE;
313  }
314  else
315  {
316  //Send a Certificate message to the client
317  context->state = TLS_STATE_SERVER_CERTIFICATE;
318  }
319  }
320 
321  //Return status code
322  return error;
323 }
324 
325 
326 /**
327  * @brief Send ServerHelloDone message
328  *
329  * The ServerHelloDone message is sent by the server to indicate the
330  * end of the ServerHello and associated messages. After sending this
331  * message, the server will wait for a client response
332  *
333  * @param[in] context Pointer to the TLS context
334  * @return Error code
335  **/
336 
338 {
339  error_t error;
340  size_t length;
342 
343  //Point to the buffer where to format the message
344  message = (TlsServerHelloDone *) (context->txBuffer + context->txBufferLen);
345 
346  //Format ServerHelloDone message
347  error = tlsFormatServerHelloDone(context, message, &length);
348 
349  //Check status code
350  if(!error)
351  {
352  //Debug message
353  TRACE_INFO("Sending ServerHelloDone message (%" PRIuSIZE " bytes)...\r\n", length);
355 
356  //Send handshake message
357  error = tlsSendHandshakeMessage(context, message, length,
359  }
360 
361  //Check status code
362  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
363  {
364  //The client must send a Certificate message if the server requests it
365  if(context->clientAuthMode != TLS_CLIENT_AUTH_NONE)
366  context->state = TLS_STATE_CLIENT_CERTIFICATE;
367  else
368  context->state = TLS_STATE_CLIENT_KEY_EXCHANGE;
369  }
370 
371  //Return status code
372  return error;
373 }
374 
375 
376 /**
377  * @brief Format ServerHello message
378  * @param[in] context Pointer to the TLS context
379  * @param[out] message Buffer where to format the ServerHello message
380  * @param[out] length Length of the resulting ServerHello message
381  * @return Error code
382  **/
383 
385  TlsServerHello *message, size_t *length)
386 {
387  error_t error;
388  uint16_t version;
389  size_t n;
390  uint8_t *p;
391  TlsExtensionList *extensionList;
392 
393  //In TLS 1.3, the client indicates its version preferences in the
394  //SupportedVersions extension and the legacy_version field must be
395  //set to 0x0303, which is the version number for TLS 1.2
396  version = MIN(context->version, TLS_VERSION_1_2);
397 
398 #if (DTLS_SUPPORT == ENABLED)
399  //DTLS protocol?
400  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
401  {
402  //Get the corresponding DTLS version
404  }
405 #endif
406 
407  //In previous versions of TLS, the version field contains the lower of
408  //the version suggested by the client in the ClientHello and the highest
409  //supported by the server
410  message->serverVersion = htons(version);
411 
412  //Server random value
413  memcpy(message->random, context->serverRandom, 32);
414 
415  //Point to the session ID
416  p = message->sessionId;
417  //Length of the handshake message
418  *length = sizeof(TlsServerHello);
419 
420  //Version of TLS prior to TLS 1.3?
421  if(context->version <= TLS_VERSION_1_2)
422  {
423 #if (TLS_SESSION_RESUME_SUPPORT == ENABLED)
424  //The session ID uniquely identifies the current session
425  memcpy(message->sessionId, context->sessionId, context->sessionIdLen);
426  message->sessionIdLen = (uint8_t) context->sessionIdLen;
427 #else
428  //The server may return an empty session ID to indicate that the session
429  //will not be cached and therefore cannot be resumed
430  message->sessionIdLen = 0;
431 #endif
432  }
433  else
434  {
435  //The legacy_session_id_echo echoes the contents of the client's
436  //legacy_session_id field
437  memcpy(message->sessionId, context->sessionId, context->sessionIdLen);
438  message->sessionIdLen = (uint8_t) context->sessionIdLen;
439  }
440 
441  //Debug message
442  TRACE_DEBUG("Session ID (%" PRIu8 " bytes):\r\n", message->sessionIdLen);
443  TRACE_DEBUG_ARRAY(" ", message->sessionId, message->sessionIdLen);
444 
445  //Advance data pointer
446  p += message->sessionIdLen;
447  //Adjust the length of the message
448  *length += message->sessionIdLen;
449 
450  //The single cipher suite selected by the server
451  STORE16BE(context->cipherSuite.identifier, p);
452  //Advance data pointer
453  p += sizeof(TlsCipherSuite);
454  //Adjust the length of the message
455  *length += sizeof(TlsCipherSuite);
456 
457  //The single compression algorithm selected by the server
458  *p = context->compressMethod;
459  //Advance data pointer
460  p += sizeof(TlsCompressMethod);
461  //Adjust the length of the message
462  *length += sizeof(TlsCompressMethod);
463 
464  //Only extensions offered by the client can appear in the server's list
465  extensionList = (TlsExtensionList *) p;
466  //Total length of the extension list
467  extensionList->length = 0;
468 
469  //Point to the first extension of the list
470  p += sizeof(TlsExtensionList);
471 
472 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
473  //SSL 3.0, TLS 1.0, TLS 1.1 or TLS 1.2 selected by the server?
474  if(context->version <= TLS_VERSION_1_2)
475  {
476 #if (TLS_SNI_SUPPORT == ENABLED)
477  //The server may include a SNI extension in the ServerHello
478  error = tlsFormatServerSniExtension(context, p, &n);
479  //Any error to report?
480  if(error)
481  return error;
482 
483  //Fix the length of the extension list
484  extensionList->length += (uint16_t) n;
485  //Point to the next field
486  p += n;
487 #endif
488 
489 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
490  //Servers that receive an ClientHello containing a MaxFragmentLength
491  //extension may accept the requested maximum fragment length by including
492  //an extension of type MaxFragmentLength in the ServerHello
493  error = tlsFormatServerMaxFragLenExtension(context, p, &n);
494  //Any error to report?
495  if(error)
496  return error;
497 
498  //Fix the length of the extension list
499  extensionList->length += (uint16_t) n;
500  //Point to the next field
501  p += n;
502 #endif
503 
504 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
505  //The value of RecordSizeLimit is the maximum size of record in octets
506  //that the endpoint is willing to receive
507  error = tlsFormatServerRecordSizeLimitExtension(context, p, &n);
508  //Any error to report?
509  if(error)
510  return error;
511 
512  //Fix the length of the extension list
513  extensionList->length += (uint16_t) n;
514  //Point to the next field
515  p += n;
516 #endif
517 
518 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
519  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
520  //A server that selects an ECC cipher suite in response to a ClientHello
521  //message including an EcPointFormats extension appends this extension
522  //to its ServerHello message
523  error = tlsFormatServerEcPointFormatsExtension(context, p, &n);
524  //Any error to report?
525  if(error)
526  return error;
527 
528  //Fix the length of the extension list
529  extensionList->length += (uint16_t) n;
530  //Point to the next field
531  p += n;
532 #endif
533 
534 #if (TLS_ALPN_SUPPORT == ENABLED)
535  //The ALPN extension contains the name of the selected protocol
536  error = tlsFormatServerAlpnExtension(context, p, &n);
537  //Any error to report?
538  if(error)
539  return error;
540 
541  //Fix the length of the extension list
542  extensionList->length += (uint16_t) n;
543  //Point to the next field
544  p += n;
545 #endif
546 
547 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
548  //The ClientCertType extension in the ServerHello indicates the type
549  //of certificates the client is requested to provide in a subsequent
550  //certificate payload
551  error = tlsFormatClientCertTypeExtension(context, p, &n);
552  //Any error to report?
553  if(error)
554  return error;
555 
556  //Fix the length of the extension list
557  extensionList->length += (uint16_t) n;
558  //Point to the next field
559  p += n;
560 
561  //With the ServerCertType extension in the ServerHello, the TLS server
562  //indicates the certificate type carried in the certificate payload
563  error = tlsFormatServerCertTypeExtension(context, p, &n);
564  //Any error to report?
565  if(error)
566  return error;
567 
568  //Fix the length of the extension list
569  extensionList->length += (uint16_t) n;
570  //Point to the next field
571  p += n;
572 #endif
573 
574 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
575  //If a server implementing RFC 7627 receives the ExtendedMasterSecret
576  //extension, it must include the extension in its ServerHello message
577  error = tlsFormatServerEmsExtension(context, p, &n);
578  //Any error to report?
579  if(error)
580  return error;
581 
582  //Fix the length of the extension list
583  extensionList->length += (uint16_t) n;
584  //Point to the next field
585  p += n;
586 #endif
587 
588 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
589  //During secure renegotiation, the server must include a renegotiation_info
590  //extension containing the saved client_verify_data and server_verify_data
591  error = tlsFormatServerRenegoInfoExtension(context, p, &n);
592  //Any error to report?
593  if(error)
594  return error;
595 
596  //Fix the length of the extension list
597  extensionList->length += (uint16_t) n;
598  //Point to the next field
599  p += n;
600 #endif
601  }
602  else
603 #endif
604 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
605  //TLS 1.3 selected by the server?
606  if(context->version == TLS_VERSION_1_3)
607  {
608  //A server which negotiates TLS 1.3 must respond by sending a
609  //SupportedVersions extension containing the selected version value
610  error = tls13FormatServerSupportedVersionsExtension(context, p, &n);
611  //Any error to report?
612  if(error)
613  return error;
614 
615  //Fix the length of the extension list
616  extensionList->length += (uint16_t) n;
617  //Point to the next field
618  p += n;
619 
620  //If using (EC)DHE key establishment, servers offer exactly one
621  //KeyShareEntry in the ServerHello
622  error = tls13FormatServerKeyShareExtension(context, p, &n);
623  //Any error to report?
624  if(error)
625  return error;
626 
627  //Fix the length of the extension list
628  extensionList->length += (uint16_t) n;
629  //Point to the next field
630  p += n;
631 
632  //In order to accept PSK key establishment, the server sends a
633  //PreSharedKey extension indicating the selected identity
634  error = tls13FormatServerPreSharedKeyExtension(context, p, &n);
635  //Any error to report?
636  if(error)
637  return error;
638 
639  //Fix the length of the extension list
640  extensionList->length += (uint16_t) n;
641  //Point to the next field
642  p += n;
643  }
644  else
645 #endif
646  //Invalid TLS version?
647  {
648  //Report an error
649  return ERROR_INVALID_VERSION;
650  }
651 
652  //Any extensions included in the ServerHello message?
653  if(extensionList->length > 0)
654  {
655  //Convert the length of the extension list to network byte order
656  extensionList->length = htons(extensionList->length);
657  //Total length of the message
658  *length += sizeof(TlsExtensionList) + htons(extensionList->length);
659  }
660 
661  //Successful processing
662  return NO_ERROR;
663 }
664 
665 
666 /**
667  * @brief Format ServerKeyExchange message
668  * @param[in] context Pointer to the TLS context
669  * @param[out] message Buffer where to format the ServerKeyExchange message
670  * @param[out] length Length of the resulting ServerKeyExchange message
671  * @return Error code
672  **/
673 
676 {
677  error_t error;
678  size_t n;
679  size_t paramsLen;
680  uint8_t *p;
681  uint8_t *params;
682 
683  //Point to the beginning of the handshake message
684  p = message;
685  //Length of the handshake message
686  *length = 0;
687 
688 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
689  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
690  //PSK key exchange method?
691  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
692  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
693  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
694  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
695  {
696  //To help the client in selecting which identity to use, the server
697  //can provide a PSK identity hint in the ServerKeyExchange message
698  error = tlsFormatPskIdentityHint(context, p, &n);
699  //Any error to report?
700  if(error)
701  return error;
702 
703  //Advance data pointer
704  p += n;
705  //Adjust the length of the message
706  *length += n;
707  }
708 #endif
709 
710  //Diffie-Hellman or ECDH key exchange method?
711  if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
712  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
713  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
714  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
715  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
716  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
717  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
718  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
719  {
720  //Point to the server's key exchange parameters
721  params = p;
722 
723  //Format server's key exchange parameters
724  error = tlsFormatServerKeyParams(context, p, &paramsLen);
725  //Any error to report?
726  if(error)
727  return error;
728 
729  //Advance data pointer
730  p += paramsLen;
731  //Adjust the length of the message
732  *length += paramsLen;
733  }
734  else
735  {
736  //Just for sanity
737  params = NULL;
738  paramsLen = 0;
739  }
740 
741  //For non-anonymous Diffie-Hellman and ECDH key exchanges, a signature
742  //over the server's key exchange parameters shall be generated
743  if(context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
744  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
745  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
746  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA)
747  {
748 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)
749  //SSL 3.0, TLS 1.0 or TLS 1.1 currently selected?
750  if(context->version <= TLS_VERSION_1_1)
751  {
752  //Sign server's key exchange parameters
753  error = tlsGenerateServerKeySignature(context,
754  (TlsDigitalSignature *) p, params, paramsLen, &n);
755  }
756  else
757 #endif
758 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
759  //TLS 1.2 currently selected?
760  if(context->version == TLS_VERSION_1_2)
761  {
762  //Sign server's key exchange parameters
763  error = tls12GenerateServerKeySignature(context,
764  (Tls12DigitalSignature *) p, params, paramsLen, &n);
765  }
766  else
767 #endif
768  {
769  //Report an error
770  error = ERROR_INVALID_VERSION;
771  }
772 
773  //Any error to report?
774  if(error)
775  return error;
776 
777  //Advance data pointer
778  p += n;
779  //Adjust the length of the message
780  *length += n;
781  }
782 
783  //Successful processing
784  return NO_ERROR;
785 }
786 
787 
788 /**
789  * @brief Format CertificateRequest message
790  * @param[in] context Pointer to the TLS context
791  * @param[out] message Buffer where to format the CertificateRequest message
792  * @param[out] length Length of the resulting CertificateRequest message
793  * @return Error code
794  **/
795 
798 {
799  error_t error;
800  size_t n;
801  uint8_t *p;
802 
803  //Initialize status code
804  error = NO_ERROR;
805 
806  //Point to the beginning of the message
807  p = (uint8_t *) message;
808 
809 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
810  //Version of TLS prior to TLS 1.3?
811  if(context->version <= TLS_VERSION_1_2)
812  {
813  const char_t *pemCert;
814  size_t pemCertLen;
815  uint8_t *derCert;
816  size_t derCertSize;
817  size_t derCertLen;
818  X509CertificateInfo *certInfo;
819  TlsCertAuthorities *certAuthorities;
820 
821  //Enumerate the types of certificate types that the client may offer
822  n = 0;
823 
824 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
825  //Accept certificates that contain a RSA public key
826  message->certificateTypes[n++] = TLS_CERT_RSA_SIGN;
827 #endif
828 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
829  //Accept certificates that contain a DSA public key
830  message->certificateTypes[n++] = TLS_CERT_DSS_SIGN;
831 #endif
832 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
833  //Accept certificates that contain an ECDSA public key
834  message->certificateTypes[n++] = TLS_CERT_ECDSA_SIGN;
835 #endif
836 
837  //Fix the length of the list
838  message->certificateTypesLen = (uint8_t) n;
839  //Length of the handshake message
840  *length = sizeof(TlsCertificateRequest) + n;
841 
842  //TLS 1.2 currently selected?
843  if(context->version == TLS_VERSION_1_2)
844  {
845  TlsSignHashAlgos *supportedSignAlgos;
846 
847  //Point to the list of the hash/signature algorithm pairs that the server
848  //is able to verify. Servers can minimize the computation cost by offering
849  //a restricted set of digest algorithms
850  supportedSignAlgos = PTR_OFFSET(message, *length);
851 
852  //Enumerate the hash/signature algorithm pairs in descending
853  //order of preference
854  n = 0;
855 
856 #if (TLS_SHA256_SUPPORT == ENABLED)
857  //The hash algorithm used for PRF operations can also be used for signing
858  if(context->cipherSuite.prfHashAlgo == SHA256_HASH_ALGO)
859  {
860 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
861  //ECDSA signature algorithm with SHA-256
862  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
863  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256;
864 #endif
865 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
866  //Check whether the X.509 parser supports RSA-PSS signatures
868  {
869  //RSASSA-PSS PSS signature algorithm with SHA-256
870  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256;
871  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
872  }
873 #endif
874 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
875  //RSASSA-PSS RSAE signature algorithm with SHA-256
876  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256;
877  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
878 #endif
879 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
880  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-256
881  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
882  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256;
883 #endif
884 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
885  //DSA signature algorithm with SHA-256
886  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_DSA;
887  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256;
888 #endif
889  }
890 #endif
891 
892 #if (TLS_SHA384_SUPPORT == ENABLED)
893  //The hash algorithm used for PRF operations can also be used for signing
894  if(context->cipherSuite.prfHashAlgo == SHA384_HASH_ALGO)
895  {
896 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
897  //ECDSA signature algorithm with SHA-384
898  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
899  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA384;
900 #endif
901 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
902  //Check whether the X.509 parser supports RSA-PSS signatures
904  {
905  //RSASSA-PSS PSS signature algorithm with SHA-384
906  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384;
907  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
908  }
909 #endif
910 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
911  //RSASSA-PSS RSAE signature algorithm with SHA-384
912  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384;
913  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_INTRINSIC;
914 #endif
915 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
916  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-384
917  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
918  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA384;
919 #endif
920  }
921 #endif
922 
923 #if (TLS_SHA1_SUPPORT == ENABLED)
924 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
925  //ECDSA signature algorithm with SHA-1
926  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA;
927  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1;
928 #endif
929 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
930  //RSASSA-PKCS1-v1_5 signature algorithm with SHA-1
931  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA;
932  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1;
933 #endif
934 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
935  //DSA signature algorithm with SHA-1
936  supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_DSA;
937  supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1;
938 #endif
939 #endif
940  //Fix the length of the list
941  supportedSignAlgos->length = htons(n * sizeof(TlsSignHashAlgo));
942  //Adjust the length of the message
943  *length += sizeof(TlsSignHashAlgos) + n * sizeof(TlsSignHashAlgo);
944  }
945 
946  //Point to the list of the distinguished names of acceptable certificate
947  //authorities
948  certAuthorities = PTR_OFFSET(message, *length);
949  //Adjust the length of the message
950  *length += sizeof(TlsCertAuthorities);
951 
952  //Point to the first certificate authority
953  p = certAuthorities->value;
954  //Length of the list in bytes
955  n = 0;
956 
957  //Point to the first trusted CA certificate
958  pemCert = context->trustedCaList;
959  //Get the total length, in bytes, of the trusted CA list
960  pemCertLen = context->trustedCaListLen;
961 
962  //DER encoded certificate
963  derCert = NULL;
964  derCertSize = 0;
965  derCertLen = 0;
966 
967  //Allocate a memory buffer to store X.509 certificate info
968  certInfo = tlsAllocMem(sizeof(X509CertificateInfo));
969 
970  //Successful memory allocation?
971  if(certInfo != NULL)
972  {
973  //Loop through the list of trusted CA certificates
974  while(pemCertLen > 0)
975  {
976  //Decode PEM certificate
977  error = pemImportCertificate(&pemCert, &pemCertLen,
978  &derCert, &derCertSize, &derCertLen);
979 
980  //Any error to report?
981  if(error)
982  {
983  //End of file detected
984  error = NO_ERROR;
985  break;
986  }
987 
988  //Parse X.509 certificate
989  error = x509ParseCertificate(derCert, derCertLen, certInfo);
990 
991  //Valid CA certificate?
992  if(!error)
993  {
994  //Adjust the length of the message
995  *length += certInfo->subject.rawDataLen + 2;
996 
997  //Prevent the buffer from overflowing
998  if(*length > context->txBufferMaxLen)
999  {
1000  //Report an error
1001  error = ERROR_MESSAGE_TOO_LONG;
1002  break;
1003  }
1004 
1005  //Each distinguished name is preceded by a 2-byte length field
1006  STORE16BE(certInfo->subject.rawDataLen, p);
1007  //The distinguished name shall be DER encoded
1008  memcpy(p + 2, certInfo->subject.rawData, certInfo->subject.rawDataLen);
1009 
1010  //Advance data pointer
1011  p += certInfo->subject.rawDataLen + 2;
1012  //Adjust the length of the list
1013  n += certInfo->subject.rawDataLen + 2;
1014  }
1015  else
1016  {
1017  //Discard current CA certificate
1018  error = NO_ERROR;
1019  }
1020  }
1021 
1022  //Free previously allocated memory
1023  tlsFreeMem(derCert);
1024  tlsFreeMem(certInfo);
1025 
1026  //Fix the length of the list
1027  certAuthorities->length = htons(n);
1028  }
1029  else
1030  {
1031  //Report an error
1032  error = ERROR_OUT_OF_MEMORY;
1033  }
1034  }
1035  else
1036 #endif
1037 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1038  //TLS 1.3 currently selected?
1039  if(context->version == TLS_VERSION_1_3)
1040  {
1041  Tls13CertRequestContext *certRequestContext;
1042  TlsExtensionList *extensionList;
1043 
1044  //Point to the certificate_request_context field
1045  certRequestContext = (Tls13CertRequestContext *) p;
1046 
1047  //The certificate_request_context field shall be zero length unless
1048  //used for the post-handshake authentication exchange
1049  certRequestContext->length = 0;
1050 
1051  //Point to the next field
1052  p += sizeof(Tls13CertRequestContext);
1053  //Length of the handshake message
1054  *length = sizeof(Tls13CertRequestContext);
1055 
1056  //The extensions describe the parameters of the certificate being
1057  //requested
1058  extensionList = (TlsExtensionList *) p;
1059  //Total length of the extension list
1060  extensionList->length = 0;
1061 
1062  //Point to the first extension of the list
1063  p += sizeof(TlsExtensionList);
1064  //Adjust the length of the message
1065  *length += sizeof(TlsExtensionList);
1066 
1067  //The SignatureAlgorithms extension must be specified
1068  error = tlsFormatSignatureAlgorithmsExtension(context,
1070 
1071 #if (TLS_SIGN_ALGOS_CERT_SUPPORT == ENABLED)
1072  //Check status code
1073  if(!error)
1074  {
1075  //Fix the length of the extension list
1076  extensionList->length += (uint16_t) n;
1077  //Point to the next field
1078  p += n;
1079 
1080  //The SignatureAlgorithmsCert extension may optionally be included
1081  error = tlsFormatSignatureAlgorithmsCertExtension(context, p, &n);
1082  }
1083 #endif
1084 
1085  //Check status code
1086  if(!error)
1087  {
1088  //Fix the length of the extension list
1089  extensionList->length += (uint16_t) n;
1090  //Point to the next field
1091  p += n;
1092  }
1093 
1094  //Convert the length of the extension list to network byte order
1095  extensionList->length = htons(extensionList->length);
1096  //Total length of the message
1097  *length += htons(extensionList->length);
1098  }
1099  else
1100 #endif
1101  //Invalid TLS version?
1102  {
1103  //Report an error
1104  error = ERROR_INVALID_VERSION;
1105  }
1106 
1107  //Return status code
1108  return error;
1109 }
1110 
1111 
1112 /**
1113  * @brief Format ServerHelloDone message
1114  * @param[in] context Pointer to the TLS context
1115  * @param[out] message Buffer where to format the ServerHelloDone message
1116  * @param[out] length Length of the resulting ServerHelloDone message
1117  * @return Error code
1118  **/
1119 
1121  TlsServerHelloDone *message, size_t *length)
1122 {
1123  //The ServerHelloDone message does not contain any data
1124  *length = 0;
1125 
1126  //Successful processing
1127  return NO_ERROR;
1128 }
1129 
1130 
1131 /**
1132  * @brief Parse ClientHello message
1133  *
1134  * When a client first connects to a server, it is required to send
1135  * the ClientHello as its first message. The client can also send a
1136  * ClientHello in response to a HelloRequest or on its own initiative
1137  * in order to renegotiate the security parameters in an existing
1138  * connection
1139  *
1140  * @param[in] context Pointer to the TLS context
1141  * @param[in] message Incoming ClientHello message to parse
1142  * @param[in] length Message length
1143  * @return Error code
1144  **/
1145 
1147  const TlsClientHello *message, size_t length)
1148 {
1149  error_t error;
1150  size_t n;
1151  const uint8_t *p;
1152  const TlsCipherSuites *cipherSuites;
1153  const TlsCompressMethods *compressMethods;
1155 #if (DTLS_SUPPORT == ENABLED)
1156  const DtlsCookie *cookie;
1157 #endif
1158 
1159  //Debug message
1160  TRACE_INFO("ClientHello message received (%" PRIuSIZE " bytes)...\r\n", length);
1162 
1163  //Check current state
1164  if(context->state == TLS_STATE_CLIENT_HELLO)
1165  {
1166  //When a client first connects to a server, it is required to send
1167  //the ClientHello as its first message
1168  }
1169  else if(context->state == TLS_STATE_CLIENT_HELLO_2)
1170  {
1171 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1172  //The client will also send a updated ClientHello when the server has
1173  //responded to its initial ClientHello with a HelloRetryRequest
1174  context->updatedClientHelloReceived = TRUE;
1175 #endif
1176  }
1177  else if(context->state == TLS_STATE_APPLICATION_DATA)
1178  {
1179 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1180  //Version of TLS prior to TLS 1.3?
1181  if(context->version <= TLS_VERSION_1_2)
1182  {
1183 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
1184  //Check whether secure renegotiation is enabled
1185  if(context->secureRenegoEnabled)
1186  {
1187  //Make sure the secure_renegociation flag is set
1188  if(!context->secureRenegoFlag)
1189  {
1190  //If the connection's secure_renegotiation flag is set to
1191  //FALSE, it is recommended that servers do not permit legacy
1192  //renegotiation (refer to RFC 5746, section 4.4)
1193  return ERROR_HANDSHAKE_FAILED;
1194  }
1195  }
1196  else
1197 #endif
1198  {
1199  //Secure renegotiation is disabled
1200  return ERROR_HANDSHAKE_FAILED;
1201  }
1202  }
1203  else
1204 #endif
1205  {
1206  //Because TLS 1.3 forbids renegotiation, if a server has negotiated
1207  //TLS 1.3 and receives a ClientHello at any other time, it must
1208  //terminate the connection with an unexpected_message alert
1209  return ERROR_UNEXPECTED_MESSAGE;
1210  }
1211  }
1212  else
1213  {
1214  //Report an error
1215  return ERROR_UNEXPECTED_MESSAGE;
1216  }
1217 
1218  //Check the length of the ClientHello message
1219  if(length < sizeof(TlsClientHello))
1220  return ERROR_DECODING_FAILED;
1221 
1222  //Get the version the client wishes to use during this session
1223  context->clientVersion = ntohs(message->clientVersion);
1224 
1225  //Point to the session ID
1226  p = message->sessionId;
1227  //Remaining bytes to process
1228  n = length - sizeof(TlsClientHello);
1229 
1230  //Check the length of the session ID
1231  if(message->sessionIdLen > n)
1232  return ERROR_DECODING_FAILED;
1233  if(message->sessionIdLen > 32)
1234  return ERROR_DECODING_FAILED;
1235 
1236  //Debug message
1237  TRACE_DEBUG("Session ID (%" PRIu8 " bytes):\r\n", message->sessionIdLen);
1238  TRACE_DEBUG_ARRAY(" ", message->sessionId, message->sessionIdLen);
1239 
1240  //Point to the next field
1241  p += message->sessionIdLen;
1242  //Remaining bytes to process
1243  n -= message->sessionIdLen;
1244 
1245 #if (DTLS_SUPPORT == ENABLED)
1246  //DTLS protocol?
1247  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
1248  {
1249  //Point to the Cookie field
1250  cookie = (DtlsCookie *) p;
1251 
1252  //Malformed ClientHello message?
1253  if(n < sizeof(DtlsCookie))
1254  return ERROR_DECODING_FAILED;
1255  if(n < (sizeof(DtlsCookie) + cookie->length))
1256  return ERROR_DECODING_FAILED;
1257 
1258  //Check the length of the cookie
1259  if(cookie->length > DTLS_MAX_COOKIE_SIZE)
1260  return ERROR_ILLEGAL_PARAMETER;
1261 
1262  //Point to the next field
1263  p += sizeof(DtlsCookie) + cookie->length;
1264  //Remaining bytes to process
1265  n -= sizeof(DtlsCookie) + cookie->length;
1266  }
1267  else
1268  {
1269  //Just for sanity
1270  cookie = NULL;
1271  }
1272 #endif
1273 
1274  //List of cryptographic algorithms supported by the client
1275  cipherSuites = (TlsCipherSuites *) p;
1276 
1277  //Malformed ClientHello message?
1278  if(n < sizeof(TlsCipherSuites))
1279  return ERROR_DECODING_FAILED;
1280  if(n < (sizeof(TlsCipherSuites) + ntohs(cipherSuites->length)))
1281  return ERROR_DECODING_FAILED;
1282 
1283  //Check the length of the list
1284  if(ntohs(cipherSuites->length) == 0)
1285  return ERROR_DECODING_FAILED;
1286  if((ntohs(cipherSuites->length) % 2) != 0)
1287  return ERROR_DECODING_FAILED;
1288 
1289  //Point to the next field
1290  p += sizeof(TlsCipherSuites) + ntohs(cipherSuites->length);
1291  //Remaining bytes to process
1292  n -= sizeof(TlsCipherSuites) + ntohs(cipherSuites->length);
1293 
1294  //List of compression algorithms supported by the client
1295  compressMethods = (TlsCompressMethods *) p;
1296 
1297  //Malformed ClientHello message?
1298  if(n < sizeof(TlsCompressMethods))
1299  return ERROR_DECODING_FAILED;
1300  if(n < (sizeof(TlsCompressMethods) + compressMethods->length))
1301  return ERROR_DECODING_FAILED;
1302 
1303  //Check the length of the list
1304  if(compressMethods->length == 0)
1305  return ERROR_DECODING_FAILED;
1306 
1307  //Point to the next field
1308  p += sizeof(TlsCompressMethods) + compressMethods->length;
1309  //Remaining bytes to process
1310  n -= sizeof(TlsCompressMethods) + compressMethods->length;
1311 
1312  //Parse the list of extensions offered by the client
1314  //Any error to report?
1315  if(error)
1316  return error;
1317 
1318  //Check whether the ClientHello includes any SCSV cipher suites
1319  error = tlsCheckSignalingCipherSuiteValues(context, cipherSuites);
1320  //Any error to report?
1321  if(error)
1322  return error;
1323 
1324 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
1325  //Parse RenegotiationInfo extension
1326  error = tlsParseClientRenegoInfoExtension(context, extensions.renegoInfo);
1327  //Any error to report?
1328  if(error)
1329  return error;
1330 #endif
1331 
1332 #if (DTLS_SUPPORT == ENABLED)
1333  //DTLS protocol?
1334  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
1335  {
1336  DtlsClientParameters clientParams;
1337 
1338  //The server should use client parameters (version, random, session_id,
1339  //cipher_suites, compression_method) to generate its cookie
1340  clientParams.version = ntohs(message->clientVersion);
1341  clientParams.random = message->random;
1342  clientParams.randomLen = 32;
1343  clientParams.sessionId = message->sessionId;
1344  clientParams.sessionIdLen = message->sessionIdLen;
1345  clientParams.cipherSuites = (const uint8_t *) cipherSuites->value;
1346  clientParams.cipherSuitesLen = ntohs(cipherSuites->length);
1347  clientParams.compressMethods = compressMethods->value;
1348  clientParams.compressMethodsLen = compressMethods->length;
1349 
1350  //Verify that the cookie is valid
1351  error = dtlsVerifyCookie(context, cookie, &clientParams);
1352  //Any error to report?
1353  if(error)
1354  return error;
1355 
1356  //The server may respond with a HelloVerifyRequest message containing
1357  //a stateless cookie
1358  if(context->state == TLS_STATE_HELLO_VERIFY_REQUEST)
1359  {
1360  //Exit immediately
1361  return NO_ERROR;
1362  }
1363  }
1364 #endif
1365 
1366  //Perform version negotiation
1367  error = tlsNegotiateVersion(context, ntohs(message->clientVersion),
1368  extensions.supportedVersionList);
1369  //Any error to report?
1370  if(error)
1371  return error;
1372 
1373  //Check the list of extensions offered by the client
1374  error = tlsCheckHelloExtensions(TLS_TYPE_CLIENT_HELLO, context->version,
1375  &extensions);
1376  //Any error to report?
1377  if(error)
1378  return error;
1379 
1380  //The SignatureAlgorithms extension is not meaningful for TLS versions
1381  //prior to 1.2 (refer to RFC 5246, section 7.4.1.4.1)
1382  if(context->version <= TLS_VERSION_1_1)
1383  {
1384  //Even if clients do offer it, the rules specified in RFC 6066 require
1385  //servers to ignore extensions they do not understand
1386  extensions.signAlgoList = NULL;
1387  extensions.certSignAlgoList = NULL;
1388  }
1389 
1390  //Save client random value
1391  memcpy(context->clientRandom, message->random, 32);
1392 
1393 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1394  //SSL 3.0, TLS 1.0, TLS 1.1 or TLS 1.2 currently selected?
1395  if(context->version <= TLS_VERSION_1_2)
1396  {
1397  //The server attempts to resume TLS session via session ID
1398  error = tlsResumeServerSession(context, message->sessionId,
1399  message->sessionIdLen, cipherSuites, &extensions);
1400  //Any error to report?
1401  if(error)
1402  return error;
1403 
1404  //Full handshake?
1405  if(!context->resume)
1406  {
1407  //Perform cipher suite negotiation
1408  error = tlsNegotiateCipherSuite(context, NULL, cipherSuites,
1409  &extensions);
1410  //If no acceptable choices are presented, terminate the handshake
1411  if(error)
1412  return error;
1413 
1414  //Parse the list of compression methods supported by the client
1415  error = tlsParseCompressMethods(context, compressMethods);
1416  //Any error to report?
1417  if(error)
1418  return error;
1419  }
1420 
1421  //Initialize handshake message hashing
1422  error = tlsInitTranscriptHash(context);
1423  //Any error to report?
1424  if(error)
1425  return error;
1426 
1427 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
1428  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1429  //A client that proposes ECC cipher suites in its ClientHello message
1430  //may send the EcPointFormats extension
1431  error = tlsParseClientEcPointFormatsExtension(context,
1432  extensions.ecPointFormatList);
1433  //Any error to report?
1434  if(error)
1435  return error;
1436 #endif
1437 
1438 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
1439  //Parse ExtendedMasterSecret extension
1440  error = tlsParseClientEmsExtension(context,
1441  extensions.extendedMasterSecret);
1442  //Any error to report?
1443  if(error)
1444  return error;
1445 #endif
1446  }
1447  else
1448 #endif
1449 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1450  //TLS 1.3 currently selected?
1451  if(context->version == TLS_VERSION_1_3)
1452  {
1453  //Save the client's legacy_session_id field
1454  memcpy(context->sessionId, message->sessionId, message->sessionIdLen);
1455  context->sessionIdLen = message->sessionIdLen;
1456 
1457  //Perform cipher suite and key exchange method negotiation
1458  error = tls13NegotiateCipherSuite(context, message, length, cipherSuites,
1459  &extensions);
1460  //If no acceptable choices are presented, terminate the handshake
1461  if(error)
1462  return error;
1463 
1464  //Parse the list of compression methods supported by the client
1465  error = tlsParseCompressMethods(context, compressMethods);
1466  //Any error to report?
1467  if(error)
1468  return error;
1469 
1470  //When a PSK is used and early data is allowed for that PSK, the client
1471  //can send application data in its first flight of messages
1472  if(extensions.earlyDataIndication != NULL)
1473  {
1474  //If the client opts to do so, it must supply both the PreSharedKey
1475  //and EarlyData extensions (refer to RFC 8446, section 4.2.10)
1476  if(extensions.identityList == NULL || extensions.binderList == NULL)
1477  {
1478  context->earlyDataRejected = TRUE;
1479  }
1480  }
1481  }
1482  else
1483 #endif
1484  //Invalid TLS version?
1485  {
1486  //Just for sanity
1487  return ERROR_INVALID_VERSION;
1488  }
1489 
1490 #if (TLS_SNI_SUPPORT == ENABLED)
1491  //In order to provide the server name, clients may include a ServerName
1492  //extension
1493  error = tlsParseClientSniExtension(context, extensions.serverNameList);
1494  //Any error to report?
1495  if(error)
1496  return error;
1497 #endif
1498 
1499 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED && TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
1500  //A server that supports the RecordSizeLimit extension must ignore a
1501  //MaxFragmentLength that appears in a ClientHello if both extensions
1502  //appear (refer to RFC 8449, section 5)
1503  if(extensions.maxFragLen != NULL && extensions.recordSizeLimit != NULL)
1504  extensions.maxFragLen = NULL;
1505 #endif
1506 
1507 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
1508  //In order to negotiate smaller maximum fragment lengths, clients may
1509  //include a MaxFragmentLength extension
1510  error = tlsParseClientMaxFragLenExtension(context, extensions.maxFragLen);
1511  //Any error to report?
1512  if(error)
1513  return error;
1514 #endif
1515 
1516 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
1517  //The value of RecordSizeLimit is the maximum size of record in octets
1518  //that the peer is willing to receive
1520  extensions.recordSizeLimit);
1521  //Any error to report?
1522  if(error)
1523  return error;
1524 #endif
1525 
1526 #if (TLS_ALPN_SUPPORT == ENABLED)
1527  //Parse ALPN extension
1528  error = tlsParseClientAlpnExtension(context, extensions.protocolNameList);
1529  //Any error to report?
1530  if(error)
1531  return error;
1532 #endif
1533 
1534 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
1535  //Parse ClientCertType extension
1536  error = tlsParseClientCertTypeListExtension(context,
1537  extensions.clientCertTypeList);
1538  //Any error to report?
1539  if(error)
1540  return error;
1541 
1542  //Parse ServerCertType extension
1543  error = tlsParseServerCertTypeListExtension(context,
1544  extensions.serverCertTypeList);
1545  //Any error to report?
1546  if(error)
1547  return error;
1548 #endif
1549 
1550  //Version of TLS prior to TLS 1.3?
1551  if(context->version <= TLS_VERSION_1_2)
1552  {
1553  //Send a ServerHello message to the client
1554  context->state = TLS_STATE_SERVER_HELLO;
1555  }
1556  else
1557  {
1558  //Send a ServerHello or a HelloRetryRequest message to the client
1559  if(context->state == TLS_STATE_CLIENT_HELLO)
1560  context->state = TLS_STATE_SERVER_HELLO;
1561  else if(context->state == TLS_STATE_CLIENT_HELLO_2)
1562  context->state = TLS_STATE_SERVER_HELLO_2;
1563  else
1564  context->state = TLS_STATE_HELLO_RETRY_REQUEST;
1565  }
1566 
1567  //Successful processing
1568  return NO_ERROR;
1569 }
1570 
1571 
1572 /**
1573  * @brief Parse ClientKeyExchange message
1574  *
1575  * This message is always sent by the client. It must immediately
1576  * follow the client Certificate message, if it is sent. Otherwise,
1577  * it must be the first message sent by the client after it receives
1578  * the ServerHelloDone message
1579  *
1580  * @param[in] context Pointer to the TLS context
1581  * @param[in] message Incoming ClientKeyExchange message to parse
1582  * @param[in] length Message length
1583  * @return Error code
1584  **/
1585 
1587  const TlsClientKeyExchange *message, size_t length)
1588 {
1589  error_t error;
1590  size_t n;
1591  const uint8_t *p;
1592 
1593  //Debug message
1594  TRACE_INFO("ClientKeyExchange message received (%" PRIuSIZE " bytes)...\r\n", length);
1596 
1597  //Check TLS version
1598  if(context->version > TLS_VERSION_1_2)
1599  return ERROR_UNEXPECTED_MESSAGE;
1600 
1601  //Check current state
1602  if(context->state == TLS_STATE_CLIENT_CERTIFICATE)
1603  {
1604  //A an non-anonymous server can optionally request a certificate from the client
1605  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
1606  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1607  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1608  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1609  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
1610  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1611  {
1612  //If client authentication is required by the server for the handshake
1613  //to continue, it may respond with a fatal handshake failure alert
1614  if(context->clientAuthMode == TLS_CLIENT_AUTH_REQUIRED)
1615  return ERROR_HANDSHAKE_FAILED;
1616  }
1617  }
1618  else if(context->state != TLS_STATE_CLIENT_KEY_EXCHANGE)
1619  {
1620  //Send a fatal alert to the client
1621  return ERROR_UNEXPECTED_MESSAGE;
1622  }
1623 
1624  //Point to the beginning of the handshake message
1625  p = message;
1626 
1627 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
1628  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1629  //PSK key exchange method?
1630  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1631  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
1632  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1633  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1634  {
1635  //The PSK identity is sent in cleartext
1636  error = tlsParsePskIdentity(context, p, length, &n);
1637  //Any error to report?
1638  if(error)
1639  return error;
1640 
1641  //Point to the next field
1642  p += n;
1643  //Remaining bytes to process
1644  length -= n;
1645  }
1646 #endif
1647 
1648  //RSA, Diffie-Hellman or ECDH key exchange method?
1649  if(context->keyExchMethod != TLS_KEY_EXCH_PSK)
1650  {
1651  //Parse client's key exchange parameters
1652  error = tlsParseClientKeyParams(context, p, length, &n);
1653  //Any error to report?
1654  if(error)
1655  return error;
1656 
1657  //Point to the next field
1658  p += n;
1659  //Remaining bytes to process
1660  length -= n;
1661  }
1662 
1663  //If the amount of data in the message does not precisely match the format
1664  //of the ClientKeyExchange message, then send a fatal alert
1665  if(length != 0)
1666  return ERROR_DECODING_FAILED;
1667 
1668 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
1669  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1670  //PSK key exchange method?
1671  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1672  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
1673  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1674  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1675  {
1676  //Invalid pre-shared key?
1677  if(context->pskLen == 0)
1678  return ERROR_INVALID_KEY_LENGTH;
1679 
1680  //Generate premaster secret
1681  error = tlsGeneratePskPremasterSecret(context);
1682  //Any error to report?
1683  if(error)
1684  return error;
1685  }
1686 #endif
1687 
1688  //Derive session keys from the premaster secret
1689  error = tlsGenerateSessionKeys(context);
1690  //Unable to generate key material?
1691  if(error)
1692  return error;
1693 
1694  //Update FSM state
1695  if(context->peerCertType != TLS_CERT_NONE)
1696  context->state = TLS_STATE_CLIENT_CERTIFICATE_VERIFY;
1697  else
1698  context->state = TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC;
1699 
1700  //Successful processing
1701  return NO_ERROR;
1702 }
1703 
1704 #endif
TLS (Transport Layer Security)
error_t tlsFormatSignatureAlgorithmsCertExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SignatureAlgorithmsCert extension.
Definition: tls_common.c:999
uint16_t version
Definition: dtls_misc.h:163
error_t tlsSendServerKeyExchange(TlsContext *context)
Send ServerKeyExchange message.
Definition: tls_server.c:177
#define DTLS_MAX_COOKIE_SIZE
Definition: dtls_misc.h:73
error_t tlsFormatServerAlpnExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ALPN extension.
error_t tlsParseHelloExtensions(TlsMessageType msgType, const uint8_t *p, size_t length, TlsHelloExtensions *extensions)
Parse Hello extensions.
void TlsServerHelloDone
ServerHelloDone message.
Definition: tls.h:1656
char char_t
Definition: compiler_port.h:41
__start_packed struct @87 TlsCertificateRequest
CertificateRequest message.
error_t tls13NegotiateCipherSuite(TlsContext *context, const void *clientHello, size_t clientHelloLen, const TlsCipherSuites *cipherSuites, TlsHelloExtensions *extensions)
FFDHE key exchange.
error_t tlsGenerateSessionKeys(TlsContext *context)
Generate session keys.
const uint8_t * sessionId
Definition: dtls_misc.h:213
Debugging facilities.
#define tlsFreeMem(p)
Definition: tls.h:760
uint8_t p
Definition: ndp.h:295
error_t tlsFormatServerRenegoInfoExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RenegotiationInfo extension.
error_t tlsFormatSignatureAlgorithmsExtension(TlsContext *context, uint_t cipherSuiteTypes, uint8_t *p, size_t *written)
Format SignatureAlgorithms extension.
Definition: tls_common.c:793
error_t tlsFormatServerEmsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ExtendedMasterSecret extension.
error_t tlsParseClientMaxFragLenExtension(TlsContext *context, const uint8_t *maxFragLen)
Parse MaxFragmentLength extension.
uint8_t message[]
Definition: chap.h:150
Helper functions for TLS 1.3 server.
size_t rawDataLen
Definition: x509_common.h:476
error_t tlsResumeServerSession(TlsContext *context, const uint8_t *sessionId, size_t sessionIdLen, const TlsCipherSuites *cipherSuites, const TlsHelloExtensions *extensions)
Resume TLS session via session ID.
error_t tlsParseServerCertTypeListExtension(TlsContext *context, const TlsCertTypeList *serverCertTypeList)
Parse ServerCertType extension.
error_t tlsParseClientRecordSizeLimitExtension(TlsContext *context, const uint8_t *recordSizeLimit)
Parse RecordSizeLimit extension.
__start_packed struct @56 DtlsCookie
Cookie.
#define TLS_VERSION_1_3
Definition: tls.h:90
error_t tlsSendServerHelloDone(TlsContext *context)
Send ServerHelloDone message.
Definition: tls_server.c:337
error_t tlsParseClientAlpnExtension(TlsContext *context, const TlsProtocolNameList *protocolNameList)
Parse ALPN extension.
__start_packed struct @63 TlsCompressMethods
Compression methods.
#define htons(value)
Definition: cpu_endian.h:390
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:99
error_t tlsParseClientRenegoInfoExtension(TlsContext *context, const TlsRenegoInfo *renegoInfo)
Parse RenegotiationInfo extension.
#define PTR_OFFSET(addr, offset)
Definition: os_port.h:38
error_t tlsCheckSignalingCipherSuiteValues(TlsContext *context, const TlsCipherSuites *cipherSuites)
Check whether the ClientHello includes any SCSV cipher suites.
__start_packed struct @65 TlsSignHashAlgos
List of signature algorithms.
error_t tlsInitTranscriptHash(TlsContext *context)
Initialize handshake message hashing.
error_t tlsParseCompressMethods(TlsContext *context, const TlsCompressMethods *compressMethods)
Parse the list of compression methods supported by the client.
#define TRUE
Definition: os_port.h:48
error_t tls13FormatServerSupportedVersionsExtension(TlsContext *context, uint8_t *p, size_t *written)
__start_packed struct @86 TlsServerHello
ServerHello message.
error_t tlsSendServerHello(TlsContext *context)
Send ServerHello message.
Definition: tls_server.c:81
error_t tlsFormatServerMaxFragLenExtension(TlsContext *context, uint8_t *p, size_t *written)
Format MaxFragmentLength extension.
error_t tlsFormatServerKeyExchange(TlsContext *context, TlsServerKeyExchange *message, size_t *length)
Format ServerKeyExchange message.
Definition: tls_server.c:674
TLS record protocol.
DTLS (Datagram Transport Layer Security)
Parsing and checking of TLS extensions.
#define SHA256_HASH_ALGO
Definition: sha256.h:42
TLS helper functions.
error_t tlsNegotiateCipherSuite(TlsContext *context, const HashAlgo *hashAlgo, const TlsCipherSuites *cipherSuites, TlsHelloExtensions *extensions)
Cipher suite negotiation.
void TlsClientKeyExchange
ClientKeyExchange message.
Definition: tls.h:1663
error_t tlsFormatServerKeyParams(TlsContext *context, uint8_t *p, size_t *written)
Format server&#39;s key exchange parameters.
error_t tlsParseClientEcPointFormatsExtension(TlsContext *context, const TlsEcPointFormatList *ecPointFormatList)
Parse EcPointFormats extension.
void TlsServerKeyExchange
ServerKeyExchange message.
Definition: tls.h:1638
Client parameters.
Definition: dtls_misc.h:208
#define ntohs(value)
Definition: cpu_endian.h:396
TLS handshake.
error_t tlsGeneratePskPremasterSecret(TlsContext *context)
Premaster secret generation (for PSK cipher suites)
__start_packed struct @102 Tls13CertRequestContext
Certificate request context.
error_t tls13FormatServerKeyShareExtension(TlsContext *context, uint8_t *p, size_t *written)
uint16_t dtlsTranslateVersion(uint16_t version)
Translate TLS version into DTLS version.
Definition: dtls_misc.c:111
__start_packed struct @64 TlsSignHashAlgo
Signature algorithm.
uint16_t TlsCipherSuite
Cipher suite.
Definition: tls.h:1325
Date and time management.
DTLS record protocol.
error_t tlsGenerateRandomValue(TlsContext *context, uint8_t *random)
Generate client or server random value.
Definition: tls_misc.c:158
#define SHA384_HASH_ALGO
Definition: sha384.h:43
PEM file import functions.
error_t tlsFormatServerHello(TlsContext *context, TlsServerHello *message, size_t *length)
Format ServerHello message.
Definition: tls_server.c:384
error_t tlsParseClientEmsExtension(TlsContext *context, const uint8_t *extendedMasterSecret)
Parse ExtendedMasterSecret extension.
error_t x509ParseCertificate(const uint8_t *data, size_t length, X509CertificateInfo *certInfo)
Parse a X.509 certificate.
Handshake message processing (TLS client and server)
uint8_t TlsCompressMethod
Compression method.
Definition: tls.h:1343
error_t tlsParseClientHello(TlsContext *context, const TlsClientHello *message, size_t length)
Parse ClientHello message.
Definition: tls_server.c:1146
__start_packed struct @69 TlsExtensionList
List of TLS extensions.
size_t compressMethodsLen
Definition: dtls_misc.h:218
#define MIN(a, b)
Definition: os_port.h:60
error_t tlsParseClientCertTypeListExtension(TlsContext *context, const TlsCertTypeList *clientCertTypeList)
Parse ClientCertType extension.
error_t tlsParseClientKeyExchange(TlsContext *context, const TlsClientKeyExchange *message, size_t length)
Parse ClientKeyExchange message.
Definition: tls_server.c:1586
const uint8_t * rawData
Definition: x509_common.h:475
#define TLS_VERSION_1_2
Definition: tls.h:83
Helper functions for TLS server.
error_t pemImportCertificate(const char_t **input, size_t *inputLen, uint8_t **output, size_t *outputSize, size_t *outputLen)
Decode a PEM file containing a certificate.
Definition: pem_import.c:1687
#define TLS_VERSION_1_1
Definition: tls.h:82
const uint8_t * compressMethods
Definition: dtls_misc.h:217
bool_t x509IsSignAlgoSupported(X509SignatureAlgo signAlgo)
Check whether a given signature algorithm is supported.
Definition: x509_common.c:305
__start_packed struct @82 Tls12DigitalSignature
Digitally-signed element (TLS 1.2)
#define TRACE_INFO(...)
Definition: debug.h:86
uint8_t cookie[]
Definition: dtls_misc.h:194
error_t tls12GenerateServerKeySignature(TlsContext *context, Tls12DigitalSignature *signature, const uint8_t *params, size_t paramsLen, size_t *written)
Sign server&#39;s key exchange parameters (TLS 1.2)
TLS cipher suites.
Success.
Definition: error.h:42
error_t
Error codes.
Definition: error.h:40
error_t tlsFormatCertificateRequest(TlsContext *context, TlsCertificateRequest *message, size_t *length)
Format CertificateRequest message.
Definition: tls_server.c:796
error_t tlsFormatServerRecordSizeLimitExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RecordSizeLimit extension.
uint8_t extensions[]
Definition: tls13_misc.h:322
error_t tlsFormatServerCertTypeExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ServerCertType extension.
error_t tlsParseClientKeyParams(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse client&#39;s key exchange parameters.
#define STORE16BE(a, p)
Definition: cpu_endian.h:244
__start_packed struct @67 TlsCertAuthorities
List of certificate authorities.
#define PRIuSIZE
Definition: compiler_port.h:72
__start_packed struct @62 TlsCipherSuites
Cipher suites.
X.509 certificate.
Definition: x509_common.h:748
__start_packed struct @81 TlsDigitalSignature
Digitally-signed element (SSL 3.0, TLS 1.0 and TLS 1.1)
error_t tlsFormatClientCertTypeExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ClientCertType extension.
error_t tlsSendHandshakeMessage(TlsContext *context, const void *data, size_t length, TlsMessageType type)
Send handshake message.
Hello extensions.
Definition: tls.h:1878
const uint8_t * cipherSuites
Definition: dtls_misc.h:215
error_t tlsGenerateServerKeySignature(TlsContext *context, TlsDigitalSignature *signature, const uint8_t *params, size_t paramsLen, size_t *written)
Sign server&#39;s key exchange parameters (SSL 3.0, TLS 1.0 and TLS 1.1)
Key material generation.
error_t tlsSendCertificateRequest(TlsContext *context)
Send CertificateRequest message.
Definition: tls_server.c:260
Transcript hash calculation.
RSA/DSA/ECDSA/EdDSA signature generation and verification.
error_t tlsFormatServerEcPointFormatsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format EcPointFormats extension.
#define tlsAllocMem(size)
Definition: tls.h:755
X.509 certificate parsing.
error_t tlsFormatPskIdentityHint(TlsContext *context, uint8_t *p, size_t *written)
Format PSK identity hint.
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
__start_packed struct @85 TlsClientHello
ClientHello message.
Handshake message processing (TLS 1.3 server)
Handshake message processing (TLS server)
error_t tlsFormatServerHelloDone(TlsContext *context, TlsServerHelloDone *message, size_t *length)
Format ServerHelloDone message.
Definition: tls_server.c:1120
#define TlsContext
Definition: tls.h:34
error_t tlsFormatServerSniExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SNI extension.
Formatting and parsing of extensions (TLS server)
error_t tlsNegotiateVersion(TlsContext *context, uint16_t clientVersion, const TlsSupportedVersionList *supportedVersionList)
Version negotiation.
error_t tlsParseClientSniExtension(TlsContext *context, const TlsServerNameList *serverNameList)
Parse SNI extension.
Session cache management.
error_t tlsCheckHelloExtensions(TlsMessageType msgType, uint16_t version, TlsHelloExtensions *extensions)
Check Hello extensions.
error_t tlsParsePskIdentity(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse PSK identity.
error_t dtlsVerifyCookie(TlsContext *context, const DtlsCookie *cookie, const DtlsClientParameters *clientParams)
Cookie verification.
Definition: dtls_misc.c:172
error_t tls13FormatServerPreSharedKeyExtension(TlsContext *context, uint8_t *p, size_t *written)
Formatting and parsing of extensions (TLS 1.3 server)
const uint8_t * random
Definition: dtls_misc.h:211
#define TRACE_DEBUG(...)
Definition: debug.h:98