tls_server_extensions.c
Go to the documentation of this file.
1 /**
2  * @file tls_server_extensions.c
3  * @brief Formatting and parsing of extensions (TLS server)
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneSSL Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @author Oryx Embedded SARL (www.oryx-embedded.com)
26  * @version 1.9.0
27  **/
28 
29 //Switch to the appropriate trace level
30 #define TRACE_LEVEL TLS_TRACE_LEVEL
31 
32 //Dependencies
33 #include <string.h>
34 #include "tls.h"
35 #include "tls_cipher_suites.h"
36 #include "tls_server_extensions.h"
37 #include "tls_extensions.h"
38 #include "tls_misc.h"
39 #include "debug.h"
40 
41 //Check TLS library configuration
42 #if (TLS_SUPPORT == ENABLED && TLS_SERVER_SUPPORT == ENABLED)
43 
44 
45 /**
46  * @brief Format SNI extension
47  * @param[in] context Pointer to the TLS context
48  * @param[in] p Output stream where to write the ServerName extension
49  * @param[out] written Total number of bytes that have been written
50  * @return Error code
51  **/
52 
54  uint8_t *p, size_t *written)
55 {
56  size_t n = 0;
57 
58 #if (TLS_SNI_SUPPORT == ENABLED)
59  //A server that receives a ClientHello containing the SNI extension may use
60  //the information contained in the extension to guide its selection of an
61  //appropriate certificate to return to the client. In this event, the server
62  //shall include an extension of type SNI in the ServerHello
63  if(context->serverName != NULL)
64  {
65  //Full handshake?
66  if(!context->resume)
67  {
68  TlsExtension *extension;
69 
70  //Add SNI (Server Name Indication) extension
71  extension = (TlsExtension *) p;
72  //Type of the extension
73  extension->type = HTONS(TLS_EXT_SERVER_NAME);
74 
75  //The extension data field of this extension shall be empty (refer to
76  //RFC 6066, section 3)
77  extension->length = HTONS(0);
78 
79  //Compute the length, in bytes, of the ServerName extension
80  n = sizeof(TlsExtension);
81  }
82  else
83  {
84  //When resuming a session, the server must not include a ServerName
85  //extension in the ServerHello (refer to RFC 6066, section 3)
86  n = 0;
87  }
88  }
89 #endif
90 
91  //Total number of bytes that have been written
92  *written = n;
93 
94  //Successful processing
95  return NO_ERROR;
96 }
97 
98 
99 /**
100  * @brief Format MaxFragmentLength extension
101  * @param[in] context Pointer to the TLS context
102  * @param[in] p Output stream where to write the MaxFragmentLength extension
103  * @param[out] written Total number of bytes that have been written
104  * @return Error code
105  **/
106 
108  uint8_t *p, size_t *written)
109 {
110  size_t n = 0;
111 
112 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
113  //An extension type must not appear in the ServerHello unless the same
114  //extension type appeared in the corresponding ClientHello
115  if(context->maxFragLenExtReceived)
116  {
117  //Servers that receive an ClientHello containing a MaxFragmentLength
118  //extension may accept the requested maximum fragment length by including
119  //an extension of type MaxFragmentLength in the ServerHello
120  if(context->maxFragLen == 512 || context->maxFragLen == 1024 ||
121  context->maxFragLen == 2048 || context->maxFragLen == 4096)
122  {
123  TlsExtension *extension;
124 
125  //Add the MaxFragmentLength extension
126  extension = (TlsExtension *) p;
127  //Type of the extension
128  extension->type = HTONS(TLS_EXT_MAX_FRAGMENT_LENGTH);
129 
130  //The data field of this extension shall contain a MaxFragmentLength
131  //whose value is the same as the requested maximum fragment length
132  switch(context->maxFragLen)
133  {
134  case 512:
135  extension->value[0] = TLS_MAX_FRAGMENT_LENGTH_512;
136  break;
137  case 1024:
138  extension->value[0] = TLS_MAX_FRAGMENT_LENGTH_1024;
139  break;
140  case 2048:
141  extension->value[0] = TLS_MAX_FRAGMENT_LENGTH_2048;
142  break;
143  default:
144  extension->value[0] = TLS_MAX_FRAGMENT_LENGTH_4096;
145  break;
146  }
147 
148  //The extension data field contains a single byte
149  n = sizeof(uint8_t);
150  //Fix the length of the extension
151  extension->length = htons(n);
152 
153  //Compute the length, in bytes, of the MaxFragmentLength extension
154  n += sizeof(TlsExtension);
155  }
156  }
157 #endif
158 
159  //Total number of bytes that have been written
160  *written = n;
161 
162  //Successful processing
163  return NO_ERROR;
164 }
165 
166 
167 /**
168  * @brief Format RecordSizeLimit extension
169  * @param[in] context Pointer to the TLS context
170  * @param[in] p Output stream where to write the RecordSizeLimit extension
171  * @param[out] written Total number of bytes that have been written
172  * @return Error code
173  **/
174 
176  uint8_t *p, size_t *written)
177 {
178  size_t n = 0;
179 
180 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
181  //An extension type must not appear in the ServerHello unless the same
182  //extension type appeared in the corresponding ClientHello
183  if(context->recordSizeLimitExtReceived)
184  {
185  size_t recordSizeLimit;
186  TlsExtension *extension;
187 
188  //Add the RecordSizeLimit extension
189  extension = (TlsExtension *) p;
190  //Type of the extension
191  extension->type = HTONS(TLS_EXT_RECORD_SIZE_LIMIT);
192 
193  //An endpoint must not send a value higher than the protocol-defined
194  //maximum record size (refer to RFC 8449, section 4)
195  recordSizeLimit = MIN(context->rxBufferMaxLen, TLS_MAX_RECORD_LENGTH);
196 
197 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
198  //TLS 1.3 currently selected?
199  if(context->version == TLS_VERSION_1_3)
200  {
201  //The value includes the content type and padding added in TLS 1.3
202  recordSizeLimit++;
203  }
204 #endif
205 
206  //The value of RecordSizeLimit is the maximum size of record in octets
207  //that the endpoint is willing to receive
208  STORE16BE(recordSizeLimit, extension->value);
209 
210  //The extension data field contains a 16-bit unsigned integer
211  n = sizeof(uint16_t);
212  //Fix the length of the extension
213  extension->length = htons(n);
214 
215  //Compute the length, in bytes, of the RecordSizeLimit extension
216  n += sizeof(TlsExtension);
217  }
218 #endif
219 
220  //Total number of bytes that have been written
221  *written = n;
222 
223  //Successful processing
224  return NO_ERROR;
225 }
226 
227 
228 /**
229  * @brief Format EcPointFormats extension
230  * @param[in] context Pointer to the TLS context
231  * @param[in] p Output stream where to write the EcPointFormats extension
232  * @param[out] written Total number of bytes that have been written
233  * @return Error code
234  **/
235 
237  uint8_t *p, size_t *written)
238 {
239  size_t n = 0;
240 
241 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
242  //TLS 1.3 has removed point format negotiation in favor of a single point
243  //format for each curve (refer to RFC 8446, section 1.2)
244  if(context->version <= TLS_VERSION_1_2)
245  {
246 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
247  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
248  //An extension type must not appear in the ServerHello unless the same
249  //extension type appeared in the corresponding ClientHello
250  if(context->ecPointFormatsExtReceived)
251  {
252  uint16_t identifier;
253 
254  //Retrieve the selected cipher suite
255  identifier = context->cipherSuite.identifier;
256 
257  //A server that selects an ECC cipher suite in response to a ClientHello
258  //message including an EcPointFormats extension appends this extension
259  //to its ServerHello message
261  {
262  TlsExtension *extension;
263  TlsEcPointFormatList *ecPointFormatList;
264 
265  //Add the EcPointFormats extension
266  extension = (TlsExtension *) p;
267  //Type of the extension
268  extension->type = HTONS(TLS_EXT_EC_POINT_FORMATS);
269 
270  //Point to the list of supported EC point formats
271  ecPointFormatList = (TlsEcPointFormatList *) extension->value;
272  //Items in the list are ordered according to server's preferences
273  n = 0;
274 
275  //The server can parse only the uncompressed point format...
276  ecPointFormatList->value[n++] = TLS_EC_POINT_FORMAT_UNCOMPRESSED;
277  //Fix the length of the list
278  ecPointFormatList->length = (uint8_t) n;
279 
280  //Consider the length field that precedes the list
281  n += sizeof(TlsEcPointFormatList);
282  //Fix the length of the extension
283  extension->length = htons(n);
284 
285  //Compute the length, in bytes, of the EcPointFormats extension
286  n += sizeof(TlsExtension);
287  }
288  }
289 #endif
290  }
291 #endif
292 
293  //Total number of bytes that have been written
294  *written = n;
295 
296  //Successful processing
297  return NO_ERROR;
298 }
299 
300 
301 /**
302  * @brief Format ALPN extension
303  * @param[in] context Pointer to the TLS context
304  * @param[in] p Output stream where to write the ALPN extension
305  * @param[out] written Total number of bytes that have been written
306  * @return Error code
307  **/
308 
310  uint8_t *p, size_t *written)
311 {
312  size_t n = 0;
313 
314 #if (TLS_ALPN_SUPPORT == ENABLED)
315  //The ALPN extension may be returned to the client within the extended
316  //ServerHello message
317  if(context->selectedProtocol != NULL)
318  {
319  //Empty strings must not be included
320  if(context->selectedProtocol[0] != '\0')
321  {
322  TlsExtension *extension;
323  TlsProtocolName *protocolName;
324  TlsProtocolNameList *protocolNameList;
325 
326  //Add ALPN (Application-Layer Protocol Negotiation) extension
327  extension = (TlsExtension *) p;
328  //Type of the extension
329  extension->type = HTONS(TLS_EXT_ALPN);
330 
331  //Point to the list of protocol names
332  protocolNameList = (TlsProtocolNameList *) extension->value;
333  //The list must contain exactly one protocol name
334  protocolName = (TlsProtocolName *) protocolNameList->value;
335 
336  //Retrieve the length of the protocol name
337  n = strlen(context->selectedProtocol);
338 
339  //Fill in the length field
340  protocolName->length = (uint8_t) n;
341  //Copy protocol name
342  memcpy(protocolName->value, context->selectedProtocol, n);
343 
344  //Adjust the length of the list
345  n += sizeof(TlsProtocolName);
346  //Fix the length of the list
347  protocolNameList->length = htons(n);
348 
349  //Consider the 2-byte length field that precedes the list
350  n += sizeof(TlsProtocolNameList);
351  //Fix the length of the extension
352  extension->length = htons(n);
353 
354  //Compute the length, in bytes, of the ALPN extension
355  n += sizeof(TlsExtension);
356  }
357  }
358 #endif
359 
360  //Total number of bytes that have been written
361  *written = n;
362 
363  //Successful processing
364  return NO_ERROR;
365 }
366 
367 
368 /**
369  * @brief Format ClientCertType extension
370  * @param[in] context Pointer to the TLS context
371  * @param[in] p Output stream where to write the ClientCertType extension
372  * @param[out] written Total number of bytes that have been written
373  * @return Error code
374  **/
375 
377  uint8_t *p, size_t *written)
378 {
379  size_t n = 0;
380 
381 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
382  //An extension type must not appear in the ServerHello unless the same
383  //extension type appeared in the corresponding ClientHello
384  if(context->clientCertTypeExtReceived)
385  {
386  TlsExtension *extension;
387 
388  //Add the ClientCertType extension
389  extension = (TlsExtension *) p;
390  //Type of the extension
391  extension->type = HTONS(TLS_EXT_CLIENT_CERT_TYPE);
392 
393  //The ClientCertType extension in the ServerHello indicates the type
394  //of certificates the client is requested to provide in a subsequent
395  //certificate payload
396  extension->value[0] = context->peerCertFormat;
397 
398  //The extension data field contains a single byte
399  n = sizeof(uint8_t);
400  //Fix the length of the extension
401  extension->length = htons(n);
402 
403  //Compute the length, in bytes, of the ClientCertType extension
404  n += sizeof(TlsExtension);
405  }
406 #endif
407 
408  //Total number of bytes that have been written
409  *written = n;
410 
411  //Successful processing
412  return NO_ERROR;
413 }
414 
415 
416 /**
417  * @brief Format ServerCertType extension
418  * @param[in] context Pointer to the TLS context
419  * @param[in] p Output stream where to write the ServerCertType extension
420  * @param[out] written Total number of bytes that have been written
421  * @return Error code
422  **/
423 
425  uint8_t *p, size_t *written)
426 {
427  size_t n = 0;
428 
429 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
430  //An extension type must not appear in the ServerHello unless the same
431  //extension type appeared in the corresponding ClientHello
432  if(context->serverCertTypeExtReceived)
433  {
434  TlsExtension *extension;
435 
436  //Add the ServerCertType extension
437  extension = (TlsExtension *) p;
438  //Type of the extension
439  extension->type = HTONS(TLS_EXT_SERVER_CERT_TYPE);
440 
441  //With the ServerCertType extension in the ServerHello, the TLS server
442  //indicates the certificate type carried in the certificate payload
443  extension->value[0] = context->certFormat;
444 
445  //The extension data field contains a single byte
446  n = sizeof(uint8_t);
447  //Fix the length of the extension
448  extension->length = htons(n);
449 
450  //Compute the length, in bytes, of the ServerCertType extension
451  n += sizeof(TlsExtension);
452  }
453 #endif
454 
455  //Total number of bytes that have been written
456  *written = n;
457 
458  //Successful processing
459  return NO_ERROR;
460 }
461 
462 
463 /**
464  * @brief Format ExtendedMasterSecret extension
465  * @param[in] context Pointer to the TLS context
466  * @param[in] p Output stream where to write the ExtendedMasterSecret extension
467  * @param[out] written Total number of bytes that have been written
468  * @return Error code
469  **/
470 
472  uint8_t *p, size_t *written)
473 {
474  size_t n = 0;
475 
476 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
477  //If the server receives a ClientHello without the ExtendedMasterSecret
478  //extension, then it must not include the extension in the ServerHello
479  if(context->extendedMasterSecretExtReceived)
480  {
481  TlsExtension *extension;
482 
483  //Add the ExtendedMasterSecret extension
484  extension = (TlsExtension *) p;
485  //Type of the extension
486  extension->type = HTONS(TLS_EXT_EXTENDED_MASTER_SECRET);
487 
488  //The extension data field of this extension is empty
489  extension->length = HTONS(0);
490 
491  //Compute the length, in bytes, of the ExtendedMasterSecret extension
492  n = sizeof(TlsExtension);
493  }
494 #endif
495 
496  //Total number of bytes that have been written
497  *written = n;
498 
499  //Successful processing
500  return NO_ERROR;
501 }
502 
503 
504 /**
505  * @brief Format RenegotiationInfo extension
506  * @param[in] context Pointer to the TLS context
507  * @param[in] p Output stream where to write the RenegotiationInfo extension
508  * @param[out] written Total number of bytes that have been written
509  * @return Error code
510  **/
511 
513  uint8_t *p, size_t *written)
514 {
515  size_t n = 0;
516 
517 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
518  //Check whether secure renegotiation is enabled
519  if(context->secureRenegoEnabled)
520  {
521  //During secure renegotiation, the server must include a renegotiation_info
522  //extension containing the saved client_verify_data and server_verify_data
523  if(context->secureRenegoFlag)
524  {
525  TlsExtension *extension;
526  TlsRenegoInfo *renegoInfo;
527 
528  //Determine the length of the renegotiated_connection field
529  n = context->clientVerifyDataLen + context->serverVerifyDataLen;
530 
531  //Add the RenegotiationInfo extension
532  extension = (TlsExtension *) p;
533  //Type of the extension
534  extension->type = HTONS(TLS_EXT_RENEGOTIATION_INFO);
535 
536  //Point to the renegotiated_connection field
537  renegoInfo = (TlsRenegoInfo *) extension->value;
538  //Set the length of the verify data
539  renegoInfo->length = (uint8_t) n;
540 
541  //Copy the saved client_verify_data
542  memcpy(renegoInfo->value, context->clientVerifyData,
543  context->clientVerifyDataLen);
544 
545  //Copy the saved client_verify_data
546  memcpy(renegoInfo->value + context->clientVerifyDataLen,
547  context->serverVerifyData, context->serverVerifyDataLen);
548 
549  //Consider the length field that precedes the renegotiated_connection
550  //field
551  n += sizeof(TlsRenegoInfo);
552  //Fix the length of the extension
553  extension->length = htons(n);
554 
555  //Compute the length, in bytes, of the RenegotiationInfo extension
556  n += sizeof(TlsExtension);
557  }
558  }
559 #endif
560 
561  //Total number of bytes that have been written
562  *written = n;
563 
564  //Successful processing
565  return NO_ERROR;
566 }
567 
568 
569 /**
570  * @brief Parse SupportedVersions extension
571  * @param[in] context Pointer to the TLS context
572  * @param[in] supportedVersionList Pointer to the SupportedVersions extension
573  * @return Error code
574  **/
575 
577  const TlsSupportedVersionList *supportedVersionList)
578 {
579  error_t error;
580  uint_t i;
581  uint_t j;
582  uint_t n;
583 
584  //Supported TLS versions
585  const uint16_t supportedVersions[] =
586  {
592  };
593 
594  //Initialize status code
596 
597  //Retrieve the number of items in the list
598  n = supportedVersionList->length / sizeof(uint16_t);
599 
600  //Loop through the list of TLS versions supported by the server
601  for(i = 0; i < arraysize(supportedVersions) && error; i++)
602  {
603  //The extension contains a list of TLS versions supported by the client
604  for(j = 0; j < n && error; j++)
605  {
606  //Servers must only select a version of TLS present in that extension
607  //and must ignore any unknown versions
608  if(ntohs(supportedVersionList->value[j]) == supportedVersions[i])
609  {
610  //Set the TLS version to be used
611  error = tlsSelectVersion(context, supportedVersions[i]);
612  }
613  }
614  }
615 
616  //Return status code
617  return error;
618 }
619 
620 
621 /**
622  * @brief Parse SNI extension
623  * @param[in] context Pointer to the TLS context
624  * @param[in] serverNameList Pointer to the SNI extension
625  * @return Error code
626  **/
627 
629  const TlsServerNameList *serverNameList)
630 {
631 #if (TLS_SNI_SUPPORT == ENABLED)
632  //SNI extension found?
633  if(serverNameList != NULL)
634  {
635  size_t i;
636  size_t n;
637  size_t length;
638  const TlsServerName *serverName;
639 
640  //In order to provide the server name, clients may include ServerName
641  //extension
642  if(context->serverName != NULL)
643  {
644  //Release memory
645  tlsFreeMem(context->serverName);
646  context->serverName = NULL;
647  }
648 
649  //Retrieve the length of the list
650  length = ntohs(serverNameList->length);
651 
652  //Loop through the list of server names advertised by the client
653  for(i = 0; i < length; i += sizeof(TlsServerName) + n)
654  {
655  //Point to the current server name
656  serverName = (TlsServerName *) (serverNameList->value + i);
657 
658  //Malformed extension?
659  if(length < (i + sizeof(TlsServerName)))
660  return ERROR_DECODING_FAILED;
661  if(length < (i + sizeof(TlsServerName) + ntohs(serverName->length)))
662  return ERROR_DECODING_FAILED;
663 
664  //Retrieve the length of the server name
665  n = ntohs(serverName->length);
666 
667  //Empty strings must not be included in the list
668  if(n > 0 && n <= TLS_MAX_SERVER_NAME_LEN)
669  {
670  //Currently, the only server names supported are DNS hostnames
671  if(serverName->type == TLS_NAME_TYPE_HOSTNAME)
672  {
673  //In practice, current client implementations only send one name
674  if(context->serverName == NULL)
675  {
676  //Allocate a memory block to hold the server name
677  context->serverName = tlsAllocMem(n + 1);
678  //Failed to allocate memory?
679  if(context->serverName == NULL)
680  return ERROR_OUT_OF_MEMORY;
681 
682  //Save server name
683  memcpy(context->serverName, serverName->hostname, n);
684  //Properly terminate the string with a NULL character
685  context->serverName[n] = '\0';
686  }
687  }
688  }
689  }
690  }
691 #endif
692 
693  //Successful processing
694  return NO_ERROR;
695 }
696 
697 
698 /**
699  * @brief Parse MaxFragmentLength extension
700  * @param[in] context Pointer to the TLS context
701  * @param[in] maxFragLen Pointer to the MaxFragmentLength extension
702  * @return Error code
703  **/
704 
706  const uint8_t *maxFragLen)
707 {
708  error_t error;
709 
710  //Initialize status code
711  error = NO_ERROR;
712 
713 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
714  //MaxFragmentLength extension found?
715  if(maxFragLen != NULL)
716  {
717  size_t n;
718 
719  //Retrieve the value advertised by the client
720  switch(*maxFragLen)
721  {
723  n = 512;
724  break;
726  n = 1024;
727  break;
729  n = 2048;
730  break;
732  n = 4096;
733  break;
734  default:
735  n = 0;
736  break;
737  }
738 
739  //Acceptable value?
740  if(n > 0)
741  {
742  //Once a maximum fragment length has been successfully negotiated,
743  //the server must immediately begin fragmenting messages (including
744  //handshake messages) to ensure that no fragment larger than the
745  //negotiated length is sent
746  context->maxFragLen = n;
747  }
748  else
749  {
750  //If a server receives a maximum fragment length negotiation request
751  //for a value other than the allowed values, it must abort the handshake
752  //with an illegal_parameter alert
753  error = ERROR_ILLEGAL_PARAMETER;
754  }
755 
756  //The ClientHello includes a MaxFragmentLength extension
757  context->maxFragLenExtReceived = TRUE;
758  }
759  else
760  {
761  //The ClientHello does not contain any MaxFragmentLength extension
762  context->maxFragLenExtReceived = FALSE;
763  }
764 #endif
765 
766  //Return status code
767  return error;
768 }
769 
770 
771 /**
772  * @brief Parse RecordSizeLimit extension
773  * @param[in] context Pointer to the TLS context
774  * @param[in] recordSizeLimit Pointer to the RecordSizeLimit extension
775  * @return Error code
776  **/
777 
779  const uint8_t *recordSizeLimit)
780 {
781  error_t error;
782 
783  //Initialize status code
784  error = NO_ERROR;
785 
786 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
787  //RecordSizeLimit extension found?
788  if(recordSizeLimit != NULL)
789  {
790  uint16_t n;
791 
792  //The value of RecordSizeLimit is the maximum size of record in octets
793  //that the peer is willing to receive
794  n = LOAD16BE(recordSizeLimit);
795 
796  //Endpoints must not send a RecordSizeLimit extension with a value
797  //smaller than 64
798  if(n < 64)
799  {
800  //An endpoint must treat receipt of a smaller value as a fatal error
801  //and generate an illegal_parameter alert
802  error = ERROR_ILLEGAL_PARAMETER;
803  }
804  else
805  {
806 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
807  //TLS 1.3 currently selected?
808  if(context->version == TLS_VERSION_1_3)
809  {
810  //The value includes the content type and padding added in TLS 1.3
811  n--;
812  }
813 #endif
814  //The peer can include any limit up to the protocol-defined limit for
815  //maximum record size. Even if a larger value is provided by a peer, an
816  //endpoint must not send records larger than the protocol-defined limit
817  context->recordSizeLimit = MIN(n, TLS_MAX_RECORD_LENGTH);
818  }
819 
820  //The ClientHello includes a RecordSizeLimit extension
821  context->recordSizeLimitExtReceived = TRUE;
822  }
823  else
824  {
825  //The ClientHello does not contain any RecordSizeLimit extension
826  context->recordSizeLimitExtReceived = FALSE;
827  }
828 #endif
829 
830  //Return status code
831  return error;
832 }
833 
834 
835 /**
836  * @brief Parse EcPointFormats extension
837  * @param[in] context Pointer to the TLS context
838  * @param[in] ecPointFormatList Pointer to the EcPointFormats extension
839  * @return Error code
840  **/
841 
843  const TlsEcPointFormatList *ecPointFormatList)
844 {
845  error_t error;
846 
847 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
848  //Initialize status code
849  error = NO_ERROR;
850 
851 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
852  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
853  //EcPointFormats extension found?
854  if(ecPointFormatList != NULL)
855  {
856  uint_t i;
857 
858  //The ClientHello includes a EcPointFormats extension
859  context->ecPointFormatsExtReceived = TRUE;
860 
861  //Loop through the list of supported EC point formats
862  for(i = 0; i < ecPointFormatList->length; i++)
863  {
864  //Uncompressed point format?
865  if(ecPointFormatList->value[i] == TLS_EC_POINT_FORMAT_UNCOMPRESSED)
866  {
867  break;
868  }
869  }
870 
871  //The uncompressed point format must be supported by any TLS application
872  //that supports this extension (refer to RFC 4492, section 5.1)
873  if(i >= ecPointFormatList->length)
874  {
875  //Report an error
876  error = ERROR_ILLEGAL_PARAMETER;
877  }
878  }
879  else
880  {
881  //If no SupportedPointsFormat extension is sent, the uncompressed format
882  //has to be used
883  context->ecPointFormatsExtReceived = FALSE;
884  }
885 #endif
886 #else
887  //Not implemented
888  error = ERROR_NOT_IMPLEMENTED;
889 #endif
890 
891  //Return status code
892  return error;
893 }
894 
895 
896 /**
897  * @brief Parse ALPN extension
898  * @param[in] context Pointer to the TLS context
899  * @param[in] protocolNameList Pointer to the ALPN extension
900  * @return Error code
901  **/
902 
904  const TlsProtocolNameList *protocolNameList)
905 {
906 #if (TLS_ALPN_SUPPORT == ENABLED)
907  //ALPN extension found?
908  if(protocolNameList != NULL)
909  {
910  size_t i;
911  size_t n;
912  size_t length;
913  const TlsProtocolName *protocolName;
914 
915  //When session resumption is used, the previous contents of this
916  //extension are irrelevant
917  if(context->selectedProtocol != NULL)
918  {
919  //Release memory
920  tlsFreeMem(context->selectedProtocol);
921  context->selectedProtocol = NULL;
922  }
923 
924  //Retrieve the length of the list
925  length = ntohs(protocolNameList->length);
926 
927  //The list must not be be empty
928  if(length == 0)
929  return ERROR_DECODING_FAILED;
930 
931  //Loop through the list of protocols advertised by the client
932  for(i = 0; i < length; i += sizeof(TlsProtocolName) + n)
933  {
934  //Point to the current protocol
935  protocolName = (TlsProtocolName *) (protocolNameList->value + i);
936 
937  //Malformed extension?
938  if(length < (i + sizeof(TlsProtocolName)))
939  return ERROR_DECODING_FAILED;
940  if(length < (i + sizeof(TlsProtocolName) + protocolName->length))
941  return ERROR_DECODING_FAILED;
942 
943  //Retrieve the length of the protocol name
944  n = protocolName->length;
945 
946  //Empty strings must not be included in the list
947  if(n == 0)
948  return ERROR_DECODING_FAILED;
949 
950  //Check whether the protocol is supported by the server
951  if(tlsIsAlpnProtocolSupported(context, protocolName->value, n))
952  {
953  //Select the current protocol
954  if(context->selectedProtocol == NULL)
955  {
956  //Allocate a memory block to hold the protocol name
957  context->selectedProtocol = tlsAllocMem(n + 1);
958  //Failed to allocate memory?
959  if(context->selectedProtocol == NULL)
960  return ERROR_OUT_OF_MEMORY;
961 
962  //Save protocol name
963  memcpy(context->selectedProtocol, protocolName->value, n);
964  //Properly terminate the string with a NULL character
965  context->selectedProtocol[n] = '\0';
966  }
967  }
968  }
969 
970  //ALPN protocol selection failed?
971  if(context->protocolList != NULL && context->selectedProtocol == NULL)
972  {
973  //Report an error if unknown ALPN protocols are disallowed
974  if(!context->unknownProtocolsAllowed)
975  {
976  //In the event that the server supports no protocols that the
977  //client advertises, then the server shall respond with a fatal
978  //no_application_protocol alert
980  }
981  }
982  }
983 #endif
984 
985  //Successful processing
986  return NO_ERROR;
987 }
988 
989 
990 /**
991  * @brief Parse ClientCertType extension
992  * @param[in] context Pointer to the TLS context
993  * @param[in] clientCertTypeList Pointer to the ClientCertType extension
994  * @return Error code
995  **/
996 
998  const TlsCertTypeList *clientCertTypeList)
999 {
1000  error_t error;
1001 
1002  //Initialize status code
1003  error = NO_ERROR;
1004 
1005 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
1006  //ClientCertType extension found?
1007  if(clientCertTypeList != NULL)
1008  {
1009  //If the server does not send any CertificateRequest message, then the
1010  //ClientCertType extension in the ServerHello must be omitted
1011  if(context->clientAuthMode != TLS_CLIENT_AUTH_NONE)
1012  {
1013  uint_t i;
1014 
1015  //The ClientCertType extension carries a list of supported certificate
1016  //types, sorted by client preference
1017  for(i = 0; i < clientCertTypeList->length; i++)
1018  {
1019  //Check certificate type
1020  if(clientCertTypeList->value[i] == TLS_CERT_FORMAT_X509)
1021  {
1022  //Select X.509 certificate format
1023  context->peerCertFormat = TLS_CERT_FORMAT_X509;
1024  //Exit immediately
1025  break;
1026  }
1027  else if(clientCertTypeList->value[i] == TLS_CERT_FORMAT_RAW_PUBLIC_KEY)
1028  {
1029  //Ensure the server is able to process raw public keys
1030  if(context->rpkVerifyCallback != NULL)
1031  {
1032  //Select raw public key format
1033  context->peerCertFormat = TLS_CERT_FORMAT_RAW_PUBLIC_KEY;
1034  //Exit immediately
1035  break;
1036  }
1037  }
1038  else
1039  {
1040  //Unsupported certificate type
1041  }
1042  }
1043 
1044  //If the server does not have any certificate type in common with the
1045  //client, then the server terminates the session with a fatal alert
1046  if(i >= clientCertTypeList->length)
1047  {
1048  //Report an error
1050  }
1051 
1052  //The ClientHello includes a ClientCertType extension
1053  context->clientCertTypeExtReceived = TRUE;
1054  }
1055  }
1056  else
1057  {
1058  //The ClientHello does not contain any ClientCertType extension
1059  context->clientCertTypeExtReceived = FALSE;
1060  //Select default certificate format
1061  context->peerCertFormat = TLS_CERT_FORMAT_X509;
1062  }
1063 #endif
1064 
1065  //Return status code
1066  return error;
1067 }
1068 
1069 
1070 /**
1071  * @brief Parse ServerCertType extension
1072  * @param[in] context Pointer to the TLS context
1073  * @param[in] serverCertTypeList Pointer to the ServerCertType extension
1074  * @return Error code
1075  **/
1076 
1078  const TlsCertTypeList *serverCertTypeList)
1079 {
1080  error_t error;
1081 
1082  //Initialize status code
1083  error = NO_ERROR;
1084 
1085 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
1086  //ServerCertType extension found?
1087  if(serverCertTypeList != NULL)
1088  {
1089  uint_t i;
1090 
1091  //The ServerCertType extension carries a list of supported certificate
1092  //types, sorted by client preference
1093  for(i = 0; i < serverCertTypeList->length; i++)
1094  {
1095  //Check certificate type
1096  if(serverCertTypeList->value[i] == TLS_CERT_FORMAT_X509 ||
1097  serverCertTypeList->value[i] == TLS_CERT_FORMAT_RAW_PUBLIC_KEY)
1098  {
1099  //The certificate type is selected from one of the values provided
1100  //by the client
1101  context->certFormat = (TlsCertificateFormat) serverCertTypeList->value[i];
1102 
1103  //We are done
1104  break;
1105  }
1106  }
1107 
1108  //If the server does not have any certificate type in common with the
1109  //client, then the server terminates the session with a fatal alert
1110  if(i >= serverCertTypeList->length)
1111  {
1112  //Report an error
1114  }
1115 
1116  //The ClientHello includes a ServerCertType extension
1117  context->serverCertTypeExtReceived = TRUE;
1118  }
1119  else
1120  {
1121  //The ClientHello does not contain any ServerCertType extension
1122  context->serverCertTypeExtReceived = FALSE;
1123  //Select default certificate format
1124  context->certFormat = TLS_CERT_FORMAT_X509;
1125  }
1126 #endif
1127 
1128  //Return status code
1129  return error;
1130 }
1131 
1132 
1133 /**
1134  * @brief Parse ExtendedMasterSecret extension
1135  * @param[in] context Pointer to the TLS context
1136  * @param[in] extendedMasterSecret Pointer to the ExtendedMasterSecret extension
1137  * @return Error code
1138  **/
1139 
1141  const uint8_t *extendedMasterSecret)
1142 {
1143  error_t error;
1144 
1145  //Initialize status code
1146  error = NO_ERROR;
1147 
1148 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
1149  //ExtendedMasterSecret extension found?
1150  if(extendedMasterSecret != NULL)
1151  {
1152  //SSL 3.0 currently selected?
1153  if(context->version == SSL_VERSION_3_0)
1154  {
1155  //If the client chooses to support SSL 3.0, the resulting session
1156  //must use the legacy master secret computation
1157  context->extendedMasterSecretExtReceived = FALSE;
1158  }
1159  else
1160  {
1161  //Use the extended master secret computation
1162  context->extendedMasterSecretExtReceived = TRUE;
1163  }
1164  }
1165  else
1166  {
1167  //Abbreviated handshake?
1168  if(context->resume)
1169  {
1170  //If the original session used the ExtendedMasterSecret extension but
1171  //the new ClientHello does not contain it, the server must abort the
1172  //abbreviated handshake
1173  if(context->extendedMasterSecretExtReceived)
1174  {
1175  //Report an error
1176  error = ERROR_HANDSHAKE_FAILED;
1177  }
1178  }
1179 
1180  //If the client and server choose to continue a full handshake without
1181  //the extension, they must use the standard master secret derivation
1182  //for the new session
1183  context->extendedMasterSecretExtReceived = FALSE;
1184  }
1185 #endif
1186 
1187  //Return status code
1188  return error;
1189 }
1190 
1191 
1192 /**
1193  * @brief Parse RenegotiationInfo extension
1194  * @param[in] context Pointer to the TLS context
1195  * @param[in] renegoInfo Pointer to the RenegotiationInfo extension
1196  * @return Error code
1197  **/
1198 
1200  const TlsRenegoInfo *renegoInfo)
1201 {
1202  error_t error;
1203 
1204  //Initialize status code
1205  error = NO_ERROR;
1206 
1207 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
1208  //RenegotiationInfo extension found?
1209  if(renegoInfo != NULL)
1210  {
1211  //Initial handshake?
1212  if(context->clientVerifyDataLen == 0)
1213  {
1214  //Set the secure_renegotiation flag to TRUE
1215  context->secureRenegoFlag = TRUE;
1216 
1217  //The server must then verify that the length of the
1218  //renegotiated_connection field is zero
1219  if(renegoInfo->length != 0)
1220  {
1221  //If it is not, the server must abort the handshake
1222  error = ERROR_HANDSHAKE_FAILED;
1223  }
1224  }
1225  //Secure renegotiation?
1226  else
1227  {
1228  //Check the length of the renegotiated_connection field
1229  if(renegoInfo->length != context->clientVerifyDataLen)
1230  {
1231  //The server must abort the handshake
1232  error = ERROR_HANDSHAKE_FAILED;
1233  }
1234  else
1235  {
1236  //Verify that the value of the renegotiated_connection field
1237  //is equal to the saved client_verify_data value
1238  if(memcmp(renegoInfo->value, context->clientVerifyData,
1239  context->clientVerifyDataLen))
1240  {
1241  //If it is not, the server must abort the handshake
1242  error = ERROR_HANDSHAKE_FAILED;
1243  }
1244  }
1245  }
1246  }
1247  else
1248  {
1249  //Secure renegotiation?
1250  if(context->clientVerifyDataLen != 0 || context->serverVerifyDataLen != 0)
1251  {
1252  //The server must verify that the renegotiation_info extension is
1253  //present. If it is not, the server must abort the handshake
1254  error = ERROR_HANDSHAKE_FAILED;
1255  }
1256  }
1257 #endif
1258 
1259  //Return status code
1260  return error;
1261 }
1262 
1263 #endif
TLS (Transport Layer Security)
__start_packed struct @78 TlsRenegoInfo
Renegotiated connection.
error_t tlsFormatServerAlpnExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ALPN extension.
TlsCipherSuiteType tlsGetCipherSuiteType(uint16_t identifier)
Check whether the specified identifier matches an ECC or FFDHE cipher suite.
__start_packed struct @73 TlsProtocolName
Protocol name.
error_t tlsSelectVersion(TlsContext *context, uint16_t version)
Set the TLS version to be used.
Definition: tls_misc.c:219
Debugging facilities.
#define tlsFreeMem(p)
Definition: tls.h:760
uint8_t p
Definition: ndp.h:295
error_t tlsFormatServerRenegoInfoExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RenegotiationInfo extension.
TlsCertificateFormat
Certificate formats.
Definition: tls.h:1052
error_t tlsFormatServerEmsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ExtendedMasterSecret extension.
error_t tlsParseClientMaxFragLenExtension(TlsContext *context, const uint8_t *maxFragLen)
Parse MaxFragmentLength extension.
error_t tlsParseServerCertTypeListExtension(TlsContext *context, const TlsCertTypeList *serverCertTypeList)
Parse ServerCertType extension.
error_t tlsParseClientRecordSizeLimitExtension(TlsContext *context, const uint8_t *recordSizeLimit)
Parse RecordSizeLimit extension.
#define TLS_VERSION_1_3
Definition: tls.h:90
error_t tlsParseClientAlpnExtension(TlsContext *context, const TlsProtocolNameList *protocolNameList)
Parse ALPN extension.
#define htons(value)
Definition: cpu_endian.h:390
error_t tlsParseClientRenegoInfoExtension(TlsContext *context, const TlsRenegoInfo *renegoInfo)
Parse RenegotiationInfo extension.
__start_packed struct @74 TlsProtocolNameList
List of protocol names.
#define HTONS(value)
Definition: cpu_endian.h:388
#define TRUE
Definition: os_port.h:48
#define TLS_MAX_RECORD_LENGTH
Definition: tls.h:828
error_t tlsFormatServerMaxFragLenExtension(TlsContext *context, uint8_t *p, size_t *written)
Format MaxFragmentLength extension.
#define arraysize(a)
Definition: os_port.h:68
Parsing and checking of TLS extensions.
TLS helper functions.
__start_packed struct @68 TlsExtension
TLS extension.
error_t tlsParseClientEcPointFormatsExtension(TlsContext *context, const TlsEcPointFormatList *ecPointFormatList)
Parse EcPointFormats extension.
#define ntohs(value)
Definition: cpu_endian.h:396
__start_packed struct @70 TlsSupportedVersionList
List of supported versions.
__start_packed struct @76 TlsEcPointFormatList
List of supported EC point formats.
error_t tlsParseClientEmsExtension(TlsContext *context, const uint8_t *extendedMasterSecret)
Parse ExtendedMasterSecret extension.
#define LOAD16BE(p)
Definition: cpu_endian.h:168
#define MIN(a, b)
Definition: os_port.h:60
error_t tlsParseClientCertTypeListExtension(TlsContext *context, const TlsCertTypeList *clientCertTypeList)
Parse ClientCertType extension.
uint8_t identifier[]
#define TLS_VERSION_1_2
Definition: tls.h:83
#define TLS_VERSION_1_1
Definition: tls.h:82
error_t tlsParseClientSupportedVersionsExtension(TlsContext *context, const TlsSupportedVersionList *supportedVersionList)
Parse SupportedVersions extension.
TLS cipher suites.
Success.
Definition: error.h:42
error_t
Error codes.
Definition: error.h:40
__start_packed struct @71 TlsServerName
Server name.
error_t tlsFormatServerRecordSizeLimitExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RecordSizeLimit extension.
error_t tlsFormatServerCertTypeExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ServerCertType extension.
unsigned int uint_t
Definition: compiler_port.h:43
#define STORE16BE(a, p)
Definition: cpu_endian.h:244
#define TLS_VERSION_1_0
Definition: tls.h:81
error_t tlsFormatClientCertTypeExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ClientCertType extension.
#define TLS_MAX_SERVER_NAME_LEN
Definition: tls.h:671
__start_packed struct @72 TlsServerNameList
List of server names.
__start_packed struct @77 TlsCertTypeList
List of supported certificate types.
error_t tlsFormatServerEcPointFormatsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format EcPointFormats extension.
#define tlsAllocMem(size)
Definition: tls.h:755
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
bool_t tlsIsAlpnProtocolSupported(TlsContext *context, const char_t *protocol, size_t length)
Check whether the specified ALPN protocol is supported.
#define FALSE
Definition: os_port.h:44
#define TlsContext
Definition: tls.h:34
error_t tlsFormatServerSniExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SNI extension.
Formatting and parsing of extensions (TLS server)
error_t tlsParseClientSniExtension(TlsContext *context, const TlsServerNameList *serverNameList)
Parse SNI extension.
#define SSL_VERSION_3_0
Definition: tls.h:80