tls_server_extensions.c
Go to the documentation of this file.
1 /**
2  * @file tls_server_extensions.c
3  * @brief Formatting and parsing of extensions (TLS server)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 1.9.6
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include <string.h>
36 #include "tls.h"
37 #include "tls_cipher_suites.h"
38 #include "tls_server_extensions.h"
39 #include "tls_extensions.h"
40 #include "tls_misc.h"
41 #include "debug.h"
42 
43 //Check TLS library configuration
44 #if (TLS_SUPPORT == ENABLED && TLS_SERVER_SUPPORT == ENABLED)
45 
46 
47 /**
48  * @brief Format SNI extension
49  * @param[in] context Pointer to the TLS context
50  * @param[in] p Output stream where to write the ServerName extension
51  * @param[out] written Total number of bytes that have been written
52  * @return Error code
53  **/
54 
56  uint8_t *p, size_t *written)
57 {
58  size_t n = 0;
59 
60 #if (TLS_SNI_SUPPORT == ENABLED)
61  //A server that receives a ClientHello containing the SNI extension may use
62  //the information contained in the extension to guide its selection of an
63  //appropriate certificate to return to the client. In this event, the server
64  //shall include an extension of type SNI in the ServerHello
65  if(context->serverName != NULL)
66  {
67  //Full handshake?
68  if(!context->resume)
69  {
70  TlsExtension *extension;
71 
72  //Add SNI (Server Name Indication) extension
73  extension = (TlsExtension *) p;
74  //Type of the extension
75  extension->type = HTONS(TLS_EXT_SERVER_NAME);
76 
77  //The extension data field of this extension shall be empty (refer to
78  //RFC 6066, section 3)
79  extension->length = HTONS(0);
80 
81  //Compute the length, in bytes, of the ServerName extension
82  n = sizeof(TlsExtension);
83  }
84  else
85  {
86  //When resuming a session, the server must not include a ServerName
87  //extension in the ServerHello (refer to RFC 6066, section 3)
88  n = 0;
89  }
90  }
91 #endif
92 
93  //Total number of bytes that have been written
94  *written = n;
95 
96  //Successful processing
97  return NO_ERROR;
98 }
99 
100 
101 /**
102  * @brief Format MaxFragmentLength extension
103  * @param[in] context Pointer to the TLS context
104  * @param[in] p Output stream where to write the MaxFragmentLength extension
105  * @param[out] written Total number of bytes that have been written
106  * @return Error code
107  **/
108 
110  uint8_t *p, size_t *written)
111 {
112  size_t n = 0;
113 
114 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
115  //An extension type must not appear in the ServerHello unless the same
116  //extension type appeared in the corresponding ClientHello
117  if(context->maxFragLenExtReceived)
118  {
119  //Servers that receive an ClientHello containing a MaxFragmentLength
120  //extension may accept the requested maximum fragment length by including
121  //an extension of type MaxFragmentLength in the ServerHello
122  if(context->maxFragLen == 512 || context->maxFragLen == 1024 ||
123  context->maxFragLen == 2048 || context->maxFragLen == 4096)
124  {
125  TlsExtension *extension;
126 
127  //Add the MaxFragmentLength extension
128  extension = (TlsExtension *) p;
129  //Type of the extension
130  extension->type = HTONS(TLS_EXT_MAX_FRAGMENT_LENGTH);
131 
132  //The data field of this extension shall contain a MaxFragmentLength
133  //whose value is the same as the requested maximum fragment length
134  switch(context->maxFragLen)
135  {
136  case 512:
137  extension->value[0] = TLS_MAX_FRAGMENT_LENGTH_512;
138  break;
139  case 1024:
140  extension->value[0] = TLS_MAX_FRAGMENT_LENGTH_1024;
141  break;
142  case 2048:
143  extension->value[0] = TLS_MAX_FRAGMENT_LENGTH_2048;
144  break;
145  default:
146  extension->value[0] = TLS_MAX_FRAGMENT_LENGTH_4096;
147  break;
148  }
149 
150  //The extension data field contains a single byte
151  n = sizeof(uint8_t);
152  //Fix the length of the extension
153  extension->length = htons(n);
154 
155  //Compute the length, in bytes, of the MaxFragmentLength extension
156  n += sizeof(TlsExtension);
157  }
158  }
159 #endif
160 
161  //Total number of bytes that have been written
162  *written = n;
163 
164  //Successful processing
165  return NO_ERROR;
166 }
167 
168 
169 /**
170  * @brief Format RecordSizeLimit extension
171  * @param[in] context Pointer to the TLS context
172  * @param[in] p Output stream where to write the RecordSizeLimit extension
173  * @param[out] written Total number of bytes that have been written
174  * @return Error code
175  **/
176 
178  uint8_t *p, size_t *written)
179 {
180  size_t n = 0;
181 
182 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
183  //An extension type must not appear in the ServerHello unless the same
184  //extension type appeared in the corresponding ClientHello
185  if(context->recordSizeLimitExtReceived)
186  {
187  size_t recordSizeLimit;
188  TlsExtension *extension;
189 
190  //Add the RecordSizeLimit extension
191  extension = (TlsExtension *) p;
192  //Type of the extension
193  extension->type = HTONS(TLS_EXT_RECORD_SIZE_LIMIT);
194 
195  //An endpoint must not send a value higher than the protocol-defined
196  //maximum record size (refer to RFC 8449, section 4)
197  recordSizeLimit = MIN(context->rxBufferMaxLen, TLS_MAX_RECORD_LENGTH);
198 
199  //TLS 1.3 currently selected?
200  if(context->version == TLS_VERSION_1_3)
201  {
202  //The value includes the content type and padding added in TLS 1.3
203  recordSizeLimit++;
204  }
205 
206  //The value of RecordSizeLimit is the maximum size of record in octets
207  //that the endpoint is willing to receive
208  STORE16BE(recordSizeLimit, extension->value);
209 
210  //The extension data field contains a 16-bit unsigned integer
211  n = sizeof(uint16_t);
212  //Fix the length of the extension
213  extension->length = htons(n);
214 
215  //Compute the length, in bytes, of the RecordSizeLimit extension
216  n += sizeof(TlsExtension);
217  }
218 #endif
219 
220  //Total number of bytes that have been written
221  *written = n;
222 
223  //Successful processing
224  return NO_ERROR;
225 }
226 
227 
228 /**
229  * @brief Format EcPointFormats extension
230  * @param[in] context Pointer to the TLS context
231  * @param[in] p Output stream where to write the EcPointFormats extension
232  * @param[out] written Total number of bytes that have been written
233  * @return Error code
234  **/
235 
237  uint8_t *p, size_t *written)
238 {
239  size_t n = 0;
240 
241 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
242  //TLS 1.3 has removed point format negotiation in favor of a single point
243  //format for each curve (refer to RFC 8446, section 1.2)
244  if(context->version <= TLS_VERSION_1_2)
245  {
246 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
247  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
248  //An extension type must not appear in the ServerHello unless the same
249  //extension type appeared in the corresponding ClientHello
250  if(context->ecPointFormatsExtReceived)
251  {
252  uint16_t identifier;
253 
254  //Retrieve the selected cipher suite
255  identifier = context->cipherSuite.identifier;
256 
257  //A server that selects an ECC cipher suite in response to a ClientHello
258  //message including an EcPointFormats extension appends this extension
259  //to its ServerHello message
261  {
262  TlsExtension *extension;
263  TlsEcPointFormatList *ecPointFormatList;
264 
265  //Add the EcPointFormats extension
266  extension = (TlsExtension *) p;
267  //Type of the extension
268  extension->type = HTONS(TLS_EXT_EC_POINT_FORMATS);
269 
270  //Point to the list of supported EC point formats
271  ecPointFormatList = (TlsEcPointFormatList *) extension->value;
272  //Items in the list are ordered according to server's preferences
273  n = 0;
274 
275  //The server can parse only the uncompressed point format...
276  ecPointFormatList->value[n++] = TLS_EC_POINT_FORMAT_UNCOMPRESSED;
277  //Fix the length of the list
278  ecPointFormatList->length = (uint8_t) n;
279 
280  //Consider the length field that precedes the list
281  n += sizeof(TlsEcPointFormatList);
282  //Fix the length of the extension
283  extension->length = htons(n);
284 
285  //Compute the length, in bytes, of the EcPointFormats extension
286  n += sizeof(TlsExtension);
287  }
288  }
289 #endif
290  }
291 #endif
292 
293  //Total number of bytes that have been written
294  *written = n;
295 
296  //Successful processing
297  return NO_ERROR;
298 }
299 
300 
301 /**
302  * @brief Format ALPN extension
303  * @param[in] context Pointer to the TLS context
304  * @param[in] p Output stream where to write the ALPN extension
305  * @param[out] written Total number of bytes that have been written
306  * @return Error code
307  **/
308 
310  uint8_t *p, size_t *written)
311 {
312  size_t n = 0;
313 
314 #if (TLS_ALPN_SUPPORT == ENABLED)
315  //The ALPN extension may be returned to the client within the extended
316  //ServerHello message
317  if(context->selectedProtocol != NULL)
318  {
319  //Empty strings must not be included
320  if(context->selectedProtocol[0] != '\0')
321  {
322  TlsExtension *extension;
323  TlsProtocolName *protocolName;
324  TlsProtocolNameList *protocolNameList;
325 
326  //Add ALPN (Application-Layer Protocol Negotiation) extension
327  extension = (TlsExtension *) p;
328  //Type of the extension
329  extension->type = HTONS(TLS_EXT_ALPN);
330 
331  //Point to the list of protocol names
332  protocolNameList = (TlsProtocolNameList *) extension->value;
333  //The list must contain exactly one protocol name
334  protocolName = (TlsProtocolName *) protocolNameList->value;
335 
336  //Retrieve the length of the protocol name
337  n = strlen(context->selectedProtocol);
338 
339  //Fill in the length field
340  protocolName->length = (uint8_t) n;
341  //Copy protocol name
342  memcpy(protocolName->value, context->selectedProtocol, n);
343 
344  //Adjust the length of the list
345  n += sizeof(TlsProtocolName);
346  //Fix the length of the list
347  protocolNameList->length = htons(n);
348 
349  //Consider the 2-byte length field that precedes the list
350  n += sizeof(TlsProtocolNameList);
351  //Fix the length of the extension
352  extension->length = htons(n);
353 
354  //Compute the length, in bytes, of the ALPN extension
355  n += sizeof(TlsExtension);
356  }
357  }
358 #endif
359 
360  //Total number of bytes that have been written
361  *written = n;
362 
363  //Successful processing
364  return NO_ERROR;
365 }
366 
367 
368 /**
369  * @brief Format ClientCertType extension
370  * @param[in] context Pointer to the TLS context
371  * @param[in] p Output stream where to write the ClientCertType extension
372  * @param[out] written Total number of bytes that have been written
373  * @return Error code
374  **/
375 
377  uint8_t *p, size_t *written)
378 {
379  size_t n = 0;
380 
381 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
382  //An extension type must not appear in the ServerHello unless the same
383  //extension type appeared in the corresponding ClientHello
384  if(context->clientCertTypeExtReceived)
385  {
386  TlsExtension *extension;
387 
388  //Add the ClientCertType extension
389  extension = (TlsExtension *) p;
390  //Type of the extension
391  extension->type = HTONS(TLS_EXT_CLIENT_CERT_TYPE);
392 
393  //The ClientCertType extension in the ServerHello indicates the type
394  //of certificates the client is requested to provide in a subsequent
395  //certificate payload
396  extension->value[0] = context->peerCertFormat;
397 
398  //The extension data field contains a single byte
399  n = sizeof(uint8_t);
400  //Fix the length of the extension
401  extension->length = htons(n);
402 
403  //Compute the length, in bytes, of the ClientCertType extension
404  n += sizeof(TlsExtension);
405  }
406 #endif
407 
408  //Total number of bytes that have been written
409  *written = n;
410 
411  //Successful processing
412  return NO_ERROR;
413 }
414 
415 
416 /**
417  * @brief Format ServerCertType extension
418  * @param[in] context Pointer to the TLS context
419  * @param[in] p Output stream where to write the ServerCertType extension
420  * @param[out] written Total number of bytes that have been written
421  * @return Error code
422  **/
423 
425  uint8_t *p, size_t *written)
426 {
427  size_t n = 0;
428 
429 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
430  //An extension type must not appear in the ServerHello unless the same
431  //extension type appeared in the corresponding ClientHello
432  if(context->serverCertTypeExtReceived)
433  {
434  TlsExtension *extension;
435 
436  //Add the ServerCertType extension
437  extension = (TlsExtension *) p;
438  //Type of the extension
439  extension->type = HTONS(TLS_EXT_SERVER_CERT_TYPE);
440 
441  //With the ServerCertType extension in the ServerHello, the TLS server
442  //indicates the certificate type carried in the certificate payload
443  extension->value[0] = context->certFormat;
444 
445  //The extension data field contains a single byte
446  n = sizeof(uint8_t);
447  //Fix the length of the extension
448  extension->length = htons(n);
449 
450  //Compute the length, in bytes, of the ServerCertType extension
451  n += sizeof(TlsExtension);
452  }
453 #endif
454 
455  //Total number of bytes that have been written
456  *written = n;
457 
458  //Successful processing
459  return NO_ERROR;
460 }
461 
462 
463 /**
464  * @brief Format ExtendedMasterSecret extension
465  * @param[in] context Pointer to the TLS context
466  * @param[in] p Output stream where to write the ExtendedMasterSecret extension
467  * @param[out] written Total number of bytes that have been written
468  * @return Error code
469  **/
470 
472  uint8_t *p, size_t *written)
473 {
474  size_t n = 0;
475 
476 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
477  //If the server receives a ClientHello without the ExtendedMasterSecret
478  //extension, then it must not include the extension in the ServerHello
479  if(context->extendedMasterSecretExtReceived)
480  {
481  TlsExtension *extension;
482 
483  //Add the ExtendedMasterSecret extension
484  extension = (TlsExtension *) p;
485  //Type of the extension
486  extension->type = HTONS(TLS_EXT_EXTENDED_MASTER_SECRET);
487 
488  //The extension data field of this extension is empty
489  extension->length = HTONS(0);
490 
491  //Compute the length, in bytes, of the ExtendedMasterSecret extension
492  n = sizeof(TlsExtension);
493  }
494 #endif
495 
496  //Total number of bytes that have been written
497  *written = n;
498 
499  //Successful processing
500  return NO_ERROR;
501 }
502 
503 
504 /**
505  * @brief Format RenegotiationInfo extension
506  * @param[in] context Pointer to the TLS context
507  * @param[in] p Output stream where to write the RenegotiationInfo extension
508  * @param[out] written Total number of bytes that have been written
509  * @return Error code
510  **/
511 
513  uint8_t *p, size_t *written)
514 {
515  size_t n = 0;
516 
517 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
518  //Check whether secure renegotiation is enabled
519  if(context->secureRenegoEnabled)
520  {
521  //During secure renegotiation, the server must include a renegotiation_info
522  //extension containing the saved client_verify_data and server_verify_data
523  if(context->secureRenegoFlag)
524  {
525  TlsExtension *extension;
526  TlsRenegoInfo *renegoInfo;
527 
528  //Determine the length of the renegotiated_connection field
529  n = context->clientVerifyDataLen + context->serverVerifyDataLen;
530 
531  //Add the RenegotiationInfo extension
532  extension = (TlsExtension *) p;
533  //Type of the extension
534  extension->type = HTONS(TLS_EXT_RENEGOTIATION_INFO);
535 
536  //Point to the renegotiated_connection field
537  renegoInfo = (TlsRenegoInfo *) extension->value;
538  //Set the length of the verify data
539  renegoInfo->length = (uint8_t) n;
540 
541  //Copy the saved client_verify_data
542  memcpy(renegoInfo->value, context->clientVerifyData,
543  context->clientVerifyDataLen);
544 
545  //Copy the saved client_verify_data
546  memcpy(renegoInfo->value + context->clientVerifyDataLen,
547  context->serverVerifyData, context->serverVerifyDataLen);
548 
549  //Consider the length field that precedes the renegotiated_connection
550  //field
551  n += sizeof(TlsRenegoInfo);
552  //Fix the length of the extension
553  extension->length = htons(n);
554 
555  //Compute the length, in bytes, of the RenegotiationInfo extension
556  n += sizeof(TlsExtension);
557  }
558  }
559 #endif
560 
561  //Total number of bytes that have been written
562  *written = n;
563 
564  //Successful processing
565  return NO_ERROR;
566 }
567 
568 
569 /**
570  * @brief Parse SupportedVersions extension
571  * @param[in] context Pointer to the TLS context
572  * @param[in] supportedVersionList Pointer to the SupportedVersions extension
573  * @return Error code
574  **/
575 
577  const TlsSupportedVersionList *supportedVersionList)
578 {
579  error_t error;
580  uint_t i;
581  uint_t j;
582  uint_t n;
583 
584  //Supported TLS versions
585  const uint16_t supportedVersions[] =
586  {
592  };
593 
594  //Initialize status code
596 
597  //Retrieve the number of items in the list
598  n = supportedVersionList->length / sizeof(uint16_t);
599 
600  //Loop through the list of TLS versions supported by the server
601  for(i = 0; i < arraysize(supportedVersions) && error; i++)
602  {
603  //The extension contains a list of TLS versions supported by the client
604  for(j = 0; j < n && error; j++)
605  {
606  //Servers must only select a version of TLS present in that extension
607  //and must ignore any unknown versions
608  if(ntohs(supportedVersionList->value[j]) == supportedVersions[i])
609  {
610  //Set the TLS version to be used
611  error = tlsSelectVersion(context, supportedVersions[i]);
612  }
613  }
614  }
615 
616  //Return status code
617  return error;
618 }
619 
620 
621 /**
622  * @brief Parse SNI extension
623  * @param[in] context Pointer to the TLS context
624  * @param[in] serverNameList Pointer to the SNI extension
625  * @return Error code
626  **/
627 
629  const TlsServerNameList *serverNameList)
630 {
631 #if (TLS_SNI_SUPPORT == ENABLED)
632  //SNI extension found?
633  if(serverNameList != NULL)
634  {
635  size_t i;
636  size_t n;
637  size_t length;
638  const TlsServerName *serverName;
639 
640  //In order to provide the server name, clients may include ServerName
641  //extension
642  if(context->serverName != NULL)
643  {
644  //Release memory
645  tlsFreeMem(context->serverName);
646  context->serverName = NULL;
647  }
648 
649  //Retrieve the length of the list
650  length = ntohs(serverNameList->length);
651 
652  //Loop through the list of server names advertised by the client
653  for(i = 0; i < length; i += sizeof(TlsServerName) + n)
654  {
655  //Point to the current server name
656  serverName = (TlsServerName *) (serverNameList->value + i);
657 
658  //Malformed extension?
659  if(length < (i + sizeof(TlsServerName)))
660  return ERROR_DECODING_FAILED;
661  if(length < (i + sizeof(TlsServerName) + ntohs(serverName->length)))
662  return ERROR_DECODING_FAILED;
663 
664  //Retrieve the length of the server name
665  n = ntohs(serverName->length);
666 
667  //Empty strings must not be included in the list
668  if(n == 0)
669  return ERROR_DECODING_FAILED;
670 
671  //Currently, the only server names supported are DNS hostnames
672  if(serverName->type == TLS_NAME_TYPE_HOSTNAME)
673  {
674  //The server name must be a valid DNS hostname
675  if(!tlsCheckDnsHostname(serverName->hostname, n))
677 
678  //The ServerNameList must not contain more than one name of the
679  //same type (refer to RFC 6066, section 3)
680  if(context->serverName != NULL)
682 
683  //Check the length of the name
685  {
686  //Allocate a memory block to hold the server name
687  context->serverName = tlsAllocMem(n + 1);
688  //Failed to allocate memory?
689  if(context->serverName == NULL)
690  return ERROR_OUT_OF_MEMORY;
691 
692  //Save server name
693  memcpy(context->serverName, serverName->hostname, n);
694  //Properly terminate the string with a NULL character
695  context->serverName[n] = '\0';
696  }
697  }
698  }
699  }
700 #endif
701 
702  //Successful processing
703  return NO_ERROR;
704 }
705 
706 
707 /**
708  * @brief Parse MaxFragmentLength extension
709  * @param[in] context Pointer to the TLS context
710  * @param[in] maxFragLen Pointer to the MaxFragmentLength extension
711  * @return Error code
712  **/
713 
715  const uint8_t *maxFragLen)
716 {
717  error_t error;
718 
719  //Initialize status code
720  error = NO_ERROR;
721 
722 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
723  //MaxFragmentLength extension found?
724  if(maxFragLen != NULL)
725  {
726  size_t n;
727 
728  //Retrieve the value advertised by the client
729  switch(*maxFragLen)
730  {
732  n = 512;
733  break;
735  n = 1024;
736  break;
738  n = 2048;
739  break;
741  n = 4096;
742  break;
743  default:
744  n = 0;
745  break;
746  }
747 
748  //Acceptable value?
749  if(n > 0)
750  {
751  //Once a maximum fragment length has been successfully negotiated,
752  //the server must immediately begin fragmenting messages (including
753  //handshake messages) to ensure that no fragment larger than the
754  //negotiated length is sent
755  context->maxFragLen = n;
756  }
757  else
758  {
759  //If a server receives a maximum fragment length negotiation request
760  //for a value other than the allowed values, it must abort the handshake
761  //with an illegal_parameter alert
762  error = ERROR_ILLEGAL_PARAMETER;
763  }
764 
765  //The ClientHello includes a MaxFragmentLength extension
766  context->maxFragLenExtReceived = TRUE;
767  }
768  else
769  {
770  //The ClientHello does not contain any MaxFragmentLength extension
771  context->maxFragLenExtReceived = FALSE;
772  }
773 #endif
774 
775  //Return status code
776  return error;
777 }
778 
779 
780 /**
781  * @brief Parse RecordSizeLimit extension
782  * @param[in] context Pointer to the TLS context
783  * @param[in] recordSizeLimit Pointer to the RecordSizeLimit extension
784  * @return Error code
785  **/
786 
788  const uint8_t *recordSizeLimit)
789 {
790 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
791  //RecordSizeLimit extension found?
792  if(recordSizeLimit != NULL)
793  {
794  uint16_t n;
795 
796  //The value of RecordSizeLimit is the maximum size of record in octets
797  //that the peer is willing to receive
798  n = LOAD16BE(recordSizeLimit);
799 
800  //Endpoints must not send a RecordSizeLimit extension with a value
801  //smaller than 64
802  if(n < 64)
803  {
804  //An endpoint must treat receipt of a smaller value as a fatal error
805  //and generate an illegal_parameter alert
807  }
808 
809  //TLS 1.3 currently selected?
810  if(context->version == TLS_VERSION_1_3)
811  {
812  //The value includes the content type and padding added in TLS 1.3
813  n--;
814  }
815 
816  //Initial or updated ClientHello?
817  if(context->state == TLS_STATE_CLIENT_HELLO_2)
818  {
819  //When responding to a HelloRetryRequest, the client must send the
820  //same ClientHello without modification
821  if(!context->recordSizeLimitExtReceived ||
822  context->recordSizeLimit != n)
823  {
825  }
826  }
827 
828  //The peer can include any limit up to the protocol-defined limit for
829  //maximum record size. Even if a larger value is provided by a peer, an
830  //endpoint must not send records larger than the protocol-defined limit
831  context->recordSizeLimit = MIN(n, TLS_MAX_RECORD_LENGTH);
832 
833  //The ClientHello includes a RecordSizeLimit extension
834  context->recordSizeLimitExtReceived = TRUE;
835  }
836  else
837  {
838  //Initial or updated ClientHello?
839  if(context->state == TLS_STATE_CLIENT_HELLO_2)
840  {
841  //When responding to a HelloRetryRequest, the client must send the
842  //same ClientHello without modification
843  if(context->recordSizeLimitExtReceived)
845  }
846 
847  //If this extension is not negotiated, endpoints can send records of any
848  //size permitted by the protocol or other negotiated extensions
849  context->recordSizeLimit = TLS_MAX_RECORD_LENGTH;
850 
851  //The RecordSizeLimit extension is not supported by the client
852  context->recordSizeLimitExtReceived = FALSE;
853  }
854 #endif
855 
856  //Successful processing
857  return NO_ERROR;
858 }
859 
860 
861 /**
862  * @brief Parse EcPointFormats extension
863  * @param[in] context Pointer to the TLS context
864  * @param[in] ecPointFormatList Pointer to the EcPointFormats extension
865  * @return Error code
866  **/
867 
869  const TlsEcPointFormatList *ecPointFormatList)
870 {
871  error_t error;
872 
873 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
874  //Initialize status code
875  error = NO_ERROR;
876 
877 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
878  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
879  //EcPointFormats extension found?
880  if(ecPointFormatList != NULL)
881  {
882  uint_t i;
883 
884  //The ClientHello includes a EcPointFormats extension
885  context->ecPointFormatsExtReceived = TRUE;
886 
887  //Loop through the list of supported EC point formats
888  for(i = 0; i < ecPointFormatList->length; i++)
889  {
890  //Uncompressed point format?
891  if(ecPointFormatList->value[i] == TLS_EC_POINT_FORMAT_UNCOMPRESSED)
892  {
893  break;
894  }
895  }
896 
897  //The uncompressed point format must be supported by any TLS application
898  //that supports this extension (refer to RFC 4492, section 5.1)
899  if(i >= ecPointFormatList->length)
900  {
901  //Report an error
902  error = ERROR_ILLEGAL_PARAMETER;
903  }
904  }
905  else
906  {
907  //If no SupportedPointsFormat extension is sent, the uncompressed format
908  //has to be used
909  context->ecPointFormatsExtReceived = FALSE;
910  }
911 #endif
912 #else
913  //Not implemented
914  error = ERROR_NOT_IMPLEMENTED;
915 #endif
916 
917  //Return status code
918  return error;
919 }
920 
921 
922 /**
923  * @brief Parse ALPN extension
924  * @param[in] context Pointer to the TLS context
925  * @param[in] protocolNameList Pointer to the ALPN extension
926  * @return Error code
927  **/
928 
930  const TlsProtocolNameList *protocolNameList)
931 {
932 #if (TLS_ALPN_SUPPORT == ENABLED)
933  //ALPN extension found?
934  if(protocolNameList != NULL)
935  {
936  size_t i;
937  size_t n;
938  size_t length;
939  const TlsProtocolName *protocolName;
940 
941  //When session resumption is used, the previous contents of this
942  //extension are irrelevant
943  if(context->selectedProtocol != NULL)
944  {
945  //Release memory
946  tlsFreeMem(context->selectedProtocol);
947  context->selectedProtocol = NULL;
948  }
949 
950  //Retrieve the length of the list
951  length = ntohs(protocolNameList->length);
952 
953  //The list must not be be empty
954  if(length == 0)
955  return ERROR_DECODING_FAILED;
956 
957  //Loop through the list of protocols advertised by the client
958  for(i = 0; i < length; i += sizeof(TlsProtocolName) + n)
959  {
960  //Point to the current protocol
961  protocolName = (TlsProtocolName *) (protocolNameList->value + i);
962 
963  //Malformed extension?
964  if(length < (i + sizeof(TlsProtocolName)))
965  return ERROR_DECODING_FAILED;
966  if(length < (i + sizeof(TlsProtocolName) + protocolName->length))
967  return ERROR_DECODING_FAILED;
968 
969  //Retrieve the length of the protocol name
970  n = protocolName->length;
971 
972  //Empty strings must not be included in the list
973  if(n == 0)
974  return ERROR_DECODING_FAILED;
975 
976  //Check whether the protocol is supported by the server
977  if(tlsIsAlpnProtocolSupported(context, protocolName->value, n))
978  {
979  //Select the current protocol
980  if(context->selectedProtocol == NULL)
981  {
982  //Allocate a memory block to hold the protocol name
983  context->selectedProtocol = tlsAllocMem(n + 1);
984  //Failed to allocate memory?
985  if(context->selectedProtocol == NULL)
986  return ERROR_OUT_OF_MEMORY;
987 
988  //Save protocol name
989  memcpy(context->selectedProtocol, protocolName->value, n);
990  //Properly terminate the string with a NULL character
991  context->selectedProtocol[n] = '\0';
992  }
993  }
994  }
995 
996  //ALPN protocol selection failed?
997  if(context->protocolList != NULL && context->selectedProtocol == NULL)
998  {
999  //Report an error if unknown ALPN protocols are disallowed
1000  if(!context->unknownProtocolsAllowed)
1001  {
1002  //In the event that the server supports no protocols that the
1003  //client advertises, then the server shall respond with a fatal
1004  //no_application_protocol alert
1006  }
1007  }
1008  }
1009 #endif
1010 
1011  //Successful processing
1012  return NO_ERROR;
1013 }
1014 
1015 
1016 /**
1017  * @brief Parse ClientCertType extension
1018  * @param[in] context Pointer to the TLS context
1019  * @param[in] clientCertTypeList Pointer to the ClientCertType extension
1020  * @return Error code
1021  **/
1022 
1024  const TlsCertTypeList *clientCertTypeList)
1025 {
1026  error_t error;
1027 
1028  //Initialize status code
1029  error = NO_ERROR;
1030 
1031 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
1032  //ClientCertType extension found?
1033  if(clientCertTypeList != NULL)
1034  {
1035  //If the server does not send any CertificateRequest message, then the
1036  //ClientCertType extension in the ServerHello must be omitted
1037  if(context->clientAuthMode != TLS_CLIENT_AUTH_NONE)
1038  {
1039  uint_t i;
1040 
1041  //The ClientCertType extension carries a list of supported certificate
1042  //types, sorted by client preference
1043  for(i = 0; i < clientCertTypeList->length; i++)
1044  {
1045  //Check certificate type
1046  if(clientCertTypeList->value[i] == TLS_CERT_FORMAT_X509)
1047  {
1048  //Select X.509 certificate format
1049  context->peerCertFormat = TLS_CERT_FORMAT_X509;
1050  //Exit immediately
1051  break;
1052  }
1053  else if(clientCertTypeList->value[i] == TLS_CERT_FORMAT_RAW_PUBLIC_KEY)
1054  {
1055  //Ensure the server is able to process raw public keys
1056  if(context->rpkVerifyCallback != NULL)
1057  {
1058  //Select raw public key format
1059  context->peerCertFormat = TLS_CERT_FORMAT_RAW_PUBLIC_KEY;
1060  //Exit immediately
1061  break;
1062  }
1063  }
1064  else
1065  {
1066  //Unsupported certificate type
1067  }
1068  }
1069 
1070  //If the server does not have any certificate type in common with the
1071  //client, then the server terminates the session with a fatal alert
1072  if(i >= clientCertTypeList->length)
1073  {
1074  //Report an error
1076  }
1077 
1078  //The ClientHello includes a ClientCertType extension
1079  context->clientCertTypeExtReceived = TRUE;
1080  }
1081  }
1082  else
1083  {
1084  //The ClientHello does not contain any ClientCertType extension
1085  context->clientCertTypeExtReceived = FALSE;
1086  //Select default certificate format
1087  context->peerCertFormat = TLS_CERT_FORMAT_X509;
1088  }
1089 #endif
1090 
1091  //Return status code
1092  return error;
1093 }
1094 
1095 
1096 /**
1097  * @brief Parse ServerCertType extension
1098  * @param[in] context Pointer to the TLS context
1099  * @param[in] serverCertTypeList Pointer to the ServerCertType extension
1100  * @return Error code
1101  **/
1102 
1104  const TlsCertTypeList *serverCertTypeList)
1105 {
1106  error_t error;
1107 
1108  //Initialize status code
1109  error = NO_ERROR;
1110 
1111 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
1112  //ServerCertType extension found?
1113  if(serverCertTypeList != NULL)
1114  {
1115  uint_t i;
1116 
1117  //The ServerCertType extension carries a list of supported certificate
1118  //types, sorted by client preference
1119  for(i = 0; i < serverCertTypeList->length; i++)
1120  {
1121  //Check certificate type
1122  if(serverCertTypeList->value[i] == TLS_CERT_FORMAT_X509 ||
1123  serverCertTypeList->value[i] == TLS_CERT_FORMAT_RAW_PUBLIC_KEY)
1124  {
1125  //The certificate type is selected from one of the values provided
1126  //by the client
1127  context->certFormat = (TlsCertificateFormat) serverCertTypeList->value[i];
1128 
1129  //We are done
1130  break;
1131  }
1132  }
1133 
1134  //If the server does not have any certificate type in common with the
1135  //client, then the server terminates the session with a fatal alert
1136  if(i >= serverCertTypeList->length)
1137  {
1138  //Report an error
1140  }
1141 
1142  //The ClientHello includes a ServerCertType extension
1143  context->serverCertTypeExtReceived = TRUE;
1144  }
1145  else
1146  {
1147  //The ClientHello does not contain any ServerCertType extension
1148  context->serverCertTypeExtReceived = FALSE;
1149  //Select default certificate format
1150  context->certFormat = TLS_CERT_FORMAT_X509;
1151  }
1152 #endif
1153 
1154  //Return status code
1155  return error;
1156 }
1157 
1158 
1159 /**
1160  * @brief Parse ExtendedMasterSecret extension
1161  * @param[in] context Pointer to the TLS context
1162  * @param[in] extendedMasterSecret Pointer to the ExtendedMasterSecret extension
1163  * @return Error code
1164  **/
1165 
1167  const uint8_t *extendedMasterSecret)
1168 {
1169  error_t error;
1170 
1171  //Initialize status code
1172  error = NO_ERROR;
1173 
1174 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
1175  //ExtendedMasterSecret extension found?
1176  if(extendedMasterSecret != NULL)
1177  {
1178  //SSL 3.0 currently selected?
1179  if(context->version == SSL_VERSION_3_0)
1180  {
1181  //If the client chooses to support SSL 3.0, the resulting session
1182  //must use the legacy master secret computation
1183  context->extendedMasterSecretExtReceived = FALSE;
1184  }
1185  else
1186  {
1187  //Use the extended master secret computation
1188  context->extendedMasterSecretExtReceived = TRUE;
1189  }
1190  }
1191  else
1192  {
1193  //Abbreviated handshake?
1194  if(context->resume)
1195  {
1196  //If the original session used the ExtendedMasterSecret extension but
1197  //the new ClientHello does not contain it, the server must abort the
1198  //abbreviated handshake
1199  if(context->extendedMasterSecretExtReceived)
1200  {
1201  //Report an error
1202  error = ERROR_HANDSHAKE_FAILED;
1203  }
1204  }
1205 
1206  //If the client and server choose to continue a full handshake without
1207  //the extension, they must use the standard master secret derivation
1208  //for the new session
1209  context->extendedMasterSecretExtReceived = FALSE;
1210  }
1211 #endif
1212 
1213  //Return status code
1214  return error;
1215 }
1216 
1217 
1218 /**
1219  * @brief Parse RenegotiationInfo extension
1220  * @param[in] context Pointer to the TLS context
1221  * @param[in] renegoInfo Pointer to the RenegotiationInfo extension
1222  * @return Error code
1223  **/
1224 
1226  const TlsRenegoInfo *renegoInfo)
1227 {
1228  error_t error;
1229 
1230  //Initialize status code
1231  error = NO_ERROR;
1232 
1233 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
1234  //RenegotiationInfo extension found?
1235  if(renegoInfo != NULL)
1236  {
1237  //Initial handshake?
1238  if(context->clientVerifyDataLen == 0)
1239  {
1240  //Set the secure_renegotiation flag to TRUE
1241  context->secureRenegoFlag = TRUE;
1242 
1243  //The server must then verify that the length of the
1244  //renegotiated_connection field is zero
1245  if(renegoInfo->length != 0)
1246  {
1247  //If it is not, the server must abort the handshake
1248  error = ERROR_HANDSHAKE_FAILED;
1249  }
1250  }
1251  //Secure renegotiation?
1252  else
1253  {
1254  //Check the length of the renegotiated_connection field
1255  if(renegoInfo->length != context->clientVerifyDataLen)
1256  {
1257  //The server must abort the handshake
1258  error = ERROR_HANDSHAKE_FAILED;
1259  }
1260  else
1261  {
1262  //Verify that the value of the renegotiated_connection field
1263  //is equal to the saved client_verify_data value
1264  if(memcmp(renegoInfo->value, context->clientVerifyData,
1265  context->clientVerifyDataLen))
1266  {
1267  //If it is not, the server must abort the handshake
1268  error = ERROR_HANDSHAKE_FAILED;
1269  }
1270  }
1271  }
1272  }
1273  else
1274  {
1275  //Secure renegotiation?
1276  if(context->clientVerifyDataLen != 0 || context->serverVerifyDataLen != 0)
1277  {
1278  //The server must verify that the renegotiation_info extension is
1279  //present. If it is not, the server must abort the handshake
1280  error = ERROR_HANDSHAKE_FAILED;
1281  }
1282  }
1283 #endif
1284 
1285  //Return status code
1286  return error;
1287 }
1288 
1289 #endif
#define TLS_MAX_RECORD_LENGTH
Definition: tls.h:830
#define tlsAllocMem(size)
Definition: tls.h:757
@ TLS_EXT_MAX_FRAGMENT_LENGTH
Definition: tls.h:1138
#define htons(value)
Definition: cpu_endian.h:392
Parsing and checking of TLS extensions.
error_t tlsFormatServerEmsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ExtendedMasterSecret extension.
@ TLS_CERT_FORMAT_RAW_PUBLIC_KEY
Definition: tls.h:1061
TLS helper functions.
uint8_t length
Definition: dtls_misc.h:149
TLS cipher suites.
error_t tlsParseClientSupportedVersionsExtension(TlsContext *context, const TlsSupportedVersionList *supportedVersionList)
Parse SupportedVersions extension.
error_t tlsParseClientEcPointFormatsExtension(TlsContext *context, const TlsEcPointFormatList *ecPointFormatList)
Parse EcPointFormats extension.
@ ERROR_VERSION_NOT_SUPPORTED
Definition: error.h:67
@ ERROR_NOT_IMPLEMENTED
Definition: error.h:66
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:237
uint8_t p
Definition: ndp.h:298
error_t tlsParseServerCertTypeListExtension(TlsContext *context, const TlsCertTypeList *serverCertTypeList)
Parse ServerCertType extension.
error_t tlsSelectVersion(TlsContext *context, uint16_t version)
Set the TLS version to be used.
Definition: tls_misc.c:225
#define TRUE
Definition: os_port.h:50
error_t tlsFormatServerRenegoInfoExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RenegotiationInfo extension.
bool_t tlsIsAlpnProtocolSupported(TlsContext *context, const char_t *protocol, size_t length)
Check whether the specified ALPN protocol is supported.
@ TLS_CIPHER_SUITE_TYPE_ECC
@ ERROR_HANDSHAKE_FAILED
Definition: error.h:228
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
@ ERROR_UNSUPPORTED_CERTIFICATE
Definition: error.h:231
error_t tlsParseClientCertTypeListExtension(TlsContext *context, const TlsCertTypeList *clientCertTypeList)
Parse ClientCertType extension.
error_t tlsFormatServerSniExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SNI extension.
@ TLS_MAX_FRAGMENT_LENGTH_4096
Definition: tls.h:1197
error_t tlsParseClientMaxFragLenExtension(TlsContext *context, const uint8_t *maxFragLen)
Parse MaxFragmentLength extension.
@ TLS_EXT_SERVER_NAME
Definition: tls.h:1137
#define FALSE
Definition: os_port.h:46
error_t tlsFormatServerRecordSizeLimitExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RecordSizeLimit extension.
error_t tlsParseClientRecordSizeLimitExtension(TlsContext *context, const uint8_t *recordSizeLimit)
Parse RecordSizeLimit extension.
TlsCertificateFormat
Certificate formats.
Definition: tls.h:1057
@ TLS_EXT_CLIENT_CERT_TYPE
Definition: tls.h:1156
#define TlsContext
Definition: tls.h:36
error_t
Error codes.
Definition: error.h:42
@ TLS_EXT_EXTENDED_MASTER_SECRET
Definition: tls.h:1160
__start_packed struct @71 TlsServerName
Server name.
#define TLS_VERSION_1_2
Definition: tls.h:94
@ TLS_EXT_RENEGOTIATION_INFO
Definition: tls.h:1174
uint8_t identifier[]
#define STORE16BE(a, p)
Definition: cpu_endian.h:246
error_t tlsFormatClientCertTypeExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ClientCertType extension.
bool_t tlsCheckDnsHostname(const char_t *name, size_t length)
DNS hostname verification.
Definition: tls_misc.c:1218
#define TLS_VERSION_1_3
Definition: tls.h:95
@ TLS_MAX_FRAGMENT_LENGTH_2048
Definition: tls.h:1196
#define SSL_VERSION_3_0
Definition: tls.h:91
__start_packed struct @74 TlsProtocolNameList
List of protocol names.
@ TLS_EC_POINT_FORMAT_UNCOMPRESSED
Definition: tls.h:1265
error_t tlsParseClientAlpnExtension(TlsContext *context, const TlsProtocolNameList *protocolNameList)
Parse ALPN extension.
@ TLS_CLIENT_AUTH_NONE
Definition: tls.h:872
#define MIN(a, b)
Definition: os_port.h:62
__start_packed struct @68 TlsExtension
TLS extension.
@ TLS_EXT_EC_POINT_FORMATS
Definition: tls.h:1148
@ TLS_EXT_ALPN
Definition: tls.h:1153
error_t tlsFormatServerMaxFragLenExtension(TlsContext *context, uint8_t *p, size_t *written)
Format MaxFragmentLength extension.
#define ntohs(value)
Definition: cpu_endian.h:398
#define TLS_VERSION_1_1
Definition: tls.h:93
@ TLS_STATE_CLIENT_HELLO_2
Definition: tls.h:1291
@ ERROR_NO_APPLICATION_PROTOCOL
Definition: error.h:241
#define HTONS(value)
Definition: cpu_endian.h:390
uint8_t n
__start_packed struct @72 TlsServerNameList
List of server names.
__start_packed struct @77 TlsCertTypeList
List of supported certificate types.
error_t tlsParseClientRenegoInfoExtension(TlsContext *context, const TlsRenegoInfo *renegoInfo)
Parse RenegotiationInfo extension.
error_t tlsFormatServerEcPointFormatsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format EcPointFormats extension.
__start_packed struct @70 TlsSupportedVersionList
List of supported versions.
#define TLS_VERSION_1_0
Definition: tls.h:92
@ TLS_EXT_SERVER_CERT_TYPE
Definition: tls.h:1157
@ TLS_NAME_TYPE_HOSTNAME
Definition: tls.h:1184
@ TLS_MAX_FRAGMENT_LENGTH_1024
Definition: tls.h:1195
TLS (Transport Layer Security)
error_t tlsParseClientSniExtension(TlsContext *context, const TlsServerNameList *serverNameList)
Parse SNI extension.
Formatting and parsing of extensions (TLS server)
#define TLS_MAX_SERVER_NAME_LEN
Definition: tls.h:673
@ ERROR_DECODING_FAILED
Definition: error.h:235
error_t tlsFormatServerCertTypeExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ServerCertType extension.
unsigned int uint_t
Definition: compiler_port.h:45
#define LOAD16BE(p)
Definition: cpu_endian.h:170
TlsCipherSuiteType tlsGetCipherSuiteType(uint16_t identifier)
Check whether the specified identifier matches an ECC or FFDHE cipher suite.
#define tlsFreeMem(p)
Definition: tls.h:762
__start_packed struct @76 TlsEcPointFormatList
List of supported EC point formats.
error_t tlsFormatServerAlpnExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ALPN extension.
__start_packed struct @73 TlsProtocolName
Protocol name.
error_t tlsParseClientEmsExtension(TlsContext *context, const uint8_t *extendedMasterSecret)
Parse ExtendedMasterSecret extension.
__start_packed struct @78 TlsRenegoInfo
Renegotiated connection.
@ NO_ERROR
Success.
Definition: error.h:44
@ TLS_EXT_RECORD_SIZE_LIMIT
Definition: tls.h:1162
Debugging facilities.
@ TLS_CERT_FORMAT_X509
Definition: tls.h:1059
@ TLS_MAX_FRAGMENT_LENGTH_512
Definition: tls.h:1194
#define arraysize(a)
Definition: os_port.h:70