tls_server_misc.c
Go to the documentation of this file.
1 /**
2  * @file tls_server_misc.c
3  * @brief Helper functions for TLS server
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneSSL Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @author Oryx Embedded SARL (www.oryx-embedded.com)
26  * @version 1.9.0
27  **/
28 
29 //Switch to the appropriate trace level
30 #define TRACE_LEVEL TLS_TRACE_LEVEL
31 
32 //Dependencies
33 #include <string.h>
34 #include "tls.h"
35 #include "tls_cipher_suites.h"
36 #include "tls_server.h"
37 #include "tls_server_extensions.h"
38 #include "tls_server_misc.h"
39 #include "tls_common.h"
40 #include "tls_extensions.h"
41 #include "tls_certificate.h"
42 #include "tls_signature.h"
43 #include "tls_cache.h"
44 #include "tls_ffdhe.h"
45 #include "tls_record.h"
46 #include "tls_misc.h"
47 #include "certificate/pem_import.h"
48 #include "debug.h"
49 
50 //Check TLS library configuration
51 #if (TLS_SUPPORT == ENABLED && TLS_SERVER_SUPPORT == ENABLED)
52 
53 
54 /**
55  * @brief Format PSK identity hint
56  * @param[in] context Pointer to the TLS context
57  * @param[in] p Output stream where to write the PSK identity hint
58  * @param[out] written Total number of bytes that have been written
59  * @return Error code
60  **/
61 
63  uint8_t *p, size_t *written)
64 {
65  size_t n;
66  TlsPskIdentityHint *pskIdentityHint;
67 
68  //Point to the PSK identity hint
69  pskIdentityHint = (TlsPskIdentityHint *) p;
70 
71 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
72  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
73  //Any PSK identity hint defined?
74  if(context->pskIdentityHint != NULL)
75  {
76  //Determine the length of the PSK identity hint
77  n = strlen(context->pskIdentityHint);
78  //Copy PSK identity hint
79  memcpy(pskIdentityHint->value, context->pskIdentityHint, n);
80  }
81  else
82 #endif
83  {
84  //No PSK identity hint is provided
85  n = 0;
86  }
87 
88  //The PSK identity hint is preceded by a 2-byte length field
89  pskIdentityHint->length = htons(n);
90 
91  //Total number of bytes that have been written
92  *written = sizeof(TlsPskIdentityHint) + n;
93 
94  //Successful processing
95  return NO_ERROR;
96 }
97 
98 
99 /**
100  * @brief Format server's key exchange parameters
101  * @param[in] context Pointer to the TLS context
102  * @param[in] p Output stream where to write the server's key exchange parameters
103  * @param[out] written Total number of bytes that have been written
104  * @return Error code
105  **/
106 
108  uint8_t *p, size_t *written)
109 {
110  error_t error;
111 
112 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
113  //Initialize status code
114  error = NO_ERROR;
115 
116  //Total number of bytes that have been written
117  *written = 0;
118 
119 #if (TLS_DH_ANON_KE_SUPPORT == ENABLED || TLS_DHE_RSA_KE_SUPPORT == ENABLED || \
120  TLS_DHE_DSS_KE_SUPPORT == ENABLED || TLS_DHE_PSK_KE_SUPPORT == ENABLED)
121  //Diffie-Hellman key exchange method?
122  if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
123  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
124  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
125  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK)
126  {
127  size_t n;
128 
129 #if (TLS_FFDHE_SUPPORT == ENABLED)
130  const TlsFfdheGroup *ffdheGroup;
131 
132  //Get the FFDHE parameters that match the specified named group
133  ffdheGroup = tlsGetFfdheGroup(context, context->namedGroup);
134 
135  //Valid FFDHE group?
136  if(ffdheGroup != NULL)
137  {
138  //Load FFDHE parameters
139  error = tlsLoadFfdheParameters(&context->dhContext.params, ffdheGroup);
140  }
141 #endif
142 
143  //Check status code
144  if(!error)
145  {
146  //Generate an ephemeral key pair
147  error = dhGenerateKeyPair(&context->dhContext, context->prngAlgo,
148  context->prngContext);
149  }
150 
151  //Check status code
152  if(!error)
153  {
154  //Debug message
155  TRACE_DEBUG("Diffie-Hellman parameters:\r\n");
156  TRACE_DEBUG(" Prime modulus:\r\n");
157  TRACE_DEBUG_MPI(" ", &context->dhContext.params.p);
158  TRACE_DEBUG(" Generator:\r\n");
159  TRACE_DEBUG_MPI(" ", &context->dhContext.params.g);
160  TRACE_DEBUG(" Server public value:\r\n");
161  TRACE_DEBUG_MPI(" ", &context->dhContext.ya);
162 
163  //Encode the prime modulus to an opaque vector
164  error = tlsWriteMpi(&context->dhContext.params.p, p, &n);
165  }
166 
167  //Check status code
168  if(!error)
169  {
170  //Advance data pointer
171  p += n;
172  //Total number of bytes that have been written
173  *written += n;
174 
175  //Encode the generator to an opaque vector
176  error = tlsWriteMpi(&context->dhContext.params.g, p, &n);
177  }
178 
179  //Check status code
180  if(!error)
181  {
182  //Advance data pointer
183  p += n;
184  //Total number of bytes that have been written
185  *written += n;
186 
187  //Encode the server's public value to an opaque vector
188  error = tlsWriteMpi(&context->dhContext.ya, p, &n);
189  }
190 
191  //Check status code
192  if(!error)
193  {
194  //Advance data pointer
195  p += n;
196  //Adjust the length of the key exchange parameters
197  *written += n;
198  }
199  }
200  else
201 #endif
202 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
203  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
204  //ECDH key exchange method?
205  if(context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
206  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
207  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
208  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
209  {
210  size_t n;
211  const EcCurveInfo *curveInfo;
212 
213  //Retrieve the elliptic curve to be used
214  curveInfo = tlsGetCurveInfo(context, context->namedGroup);
215 
216  //Make sure the elliptic curve is supported
217  if(curveInfo != NULL)
218  {
219  //Load EC domain parameters
220  error = ecLoadDomainParameters(&context->ecdhContext.params,
221  curveInfo);
222 
223  //Check status code
224  if(!error)
225  {
226 #if (TLS_ECC_CALLBACK_SUPPORT == ENABLED)
227  //Any registered callback?
228  if(context->ecdhCallback != NULL)
229  {
230  //Invoke user callback function
231  error = context->ecdhCallback(context);
232  }
233  else
234 #endif
235  {
236  //No callback function defined
238  }
239 
240  //Check status code
242  {
243  //Generate an ephemeral key pair
244  error = ecdhGenerateKeyPair(&context->ecdhContext,
245  context->prngAlgo, context->prngContext);
246  }
247  }
248 
249  //Check status code
250  if(!error)
251  {
252  //Debug message
253  TRACE_DEBUG(" Server public key X:\r\n");
254  TRACE_DEBUG_MPI(" ", &context->ecdhContext.qa.x);
255  TRACE_DEBUG(" Server public key Y:\r\n");
256  TRACE_DEBUG_MPI(" ", &context->ecdhContext.qa.y);
257 
258  //Set the type of the elliptic curve domain parameters
260 
261  //Advance data pointer
262  p += sizeof(uint8_t);
263  //Total number of bytes that have been written
264  *written += sizeof(uint8_t);
265 
266  //Write elliptic curve identifier
267  STORE16BE(context->namedGroup, p);
268 
269  //Advance data pointer
270  p += sizeof(uint16_t);
271  //Total number of bytes that have been written
272  *written += sizeof(uint16_t);
273 
274  //Write server's public key
275  error = tlsWriteEcPoint(&context->ecdhContext.params,
276  &context->ecdhContext.qa, p, &n);
277  }
278 
279  //Check status code
280  if(!error)
281  {
282  //Advance data pointer
283  p +=n;
284  //Total number of bytes that have been written
285  *written += n;
286  }
287  }
288  else
289  {
290  //The specified elliptic curve is not supported
291  error = ERROR_FAILURE;
292  }
293  }
294  else
295 #endif
296  //Any other exchange method?
297  {
298  //It is not legal to send the ServerKeyExchange message when a key
299  //exchange method other than DHE_DSS, DHE_RSA, DH_anon, ECDHE_RSA,
300  //ECDHE_ECDSA or ECDH_anon is selected
301  error = ERROR_FAILURE;
302  }
303 #else
304  //Not implemented
305  error = ERROR_NOT_IMPLEMENTED;
306 #endif
307 
308  //Return status code
309  return error;
310 }
311 
312 
313 /**
314  * @brief Sign server's key exchange parameters (SSL 3.0, TLS 1.0 and TLS 1.1)
315  * @param[in] context Pointer to the TLS context
316  * @param[in] signature Output stream where to write the digital signature
317  * @param[in] params Pointer to the server's key exchange parameters
318  * @param[in] paramsLen Length of the server's key exchange parameters
319  * @param[out] written Total number of bytes that have been written
320  * @return Error code
321  **/
322 
324  TlsDigitalSignature *signature, const uint8_t *params,
325  size_t paramsLen, size_t *written)
326 {
327  error_t error;
328 
329 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)
330  //Initialize status code
331  error = NO_ERROR;
332 
333  //Total number of bytes that have been written
334  *written = 0;
335 
336 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
337  //RSA certificate?
338  if(context->cert->type == TLS_CERT_RSA_SIGN)
339  {
340  Md5Context *md5Context;
341  Sha1Context *sha1Context;
342  RsaPrivateKey privateKey;
343 
344  //Initialize RSA private key
345  rsaInitPrivateKey(&privateKey);
346 
347  //Allocate a memory buffer to hold the MD5 context
348  md5Context = tlsAllocMem(sizeof(Md5Context));
349 
350  //Successful memory allocation?
351  if(md5Context != NULL)
352  {
353  //Compute MD5(ClientHello.random + ServerHello.random +
354  //ServerKeyExchange.params)
355  md5Init(md5Context);
356  md5Update(md5Context, context->random, 64);
357  md5Update(md5Context, params, paramsLen);
358  md5Final(md5Context, context->serverVerifyData);
359 
360  //Release previously allocated memory
361  tlsFreeMem(md5Context);
362  }
363  else
364  {
365  //Failed to allocate memory
366  error = ERROR_OUT_OF_MEMORY;
367  }
368 
369  //Check status code
370  if(!error)
371  {
372  //Allocate a memory buffer to hold the SHA-1 context
373  sha1Context = tlsAllocMem(sizeof(Sha1Context));
374 
375  //Successful memory allocation?
376  if(sha1Context != NULL)
377  {
378  //Compute SHA(ClientHello.random + ServerHello.random +
379  //ServerKeyExchange.params)
380  sha1Init(sha1Context);
381  sha1Update(sha1Context, context->random, 64);
382  sha1Update(sha1Context, params, paramsLen);
383  sha1Final(sha1Context, context->serverVerifyData + MD5_DIGEST_SIZE);
384 
385  //Release previously allocated memory
386  tlsFreeMem(sha1Context);
387  }
388  else
389  {
390  //Failed to allocate memory
391  error = ERROR_OUT_OF_MEMORY;
392  }
393  }
394 
395  //Check status code
396  if(!error)
397  {
398  //Decode the PEM structure that holds the RSA private key
399  error = pemImportRsaPrivateKey(context->cert->privateKey,
400  context->cert->privateKeyLen, &privateKey);
401  }
402 
403  //Check status code
404  if(!error)
405  {
406  //Sign the key exchange parameters using RSA
407  error = tlsGenerateRsaSignature(&privateKey,
408  context->serverVerifyData, signature->value, written);
409  }
410 
411  //Release previously allocated resources
412  rsaFreePrivateKey(&privateKey);
413  }
414  else
415 #endif
416 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
417  //DSA certificate?
418  if(context->cert->type == TLS_CERT_DSS_SIGN)
419  {
420  Sha1Context *sha1Context;
421 
422  //Allocate a memory buffer to hold the SHA-1 context
423  sha1Context = tlsAllocMem(sizeof(Sha1Context));
424 
425  //Successful memory allocation?
426  if(sha1Context != NULL)
427  {
428  //Compute SHA(ClientHello.random + ServerHello.random +
429  //ServerKeyExchange.params)
430  sha1Init(sha1Context);
431  sha1Update(sha1Context, context->random, 64);
432  sha1Update(sha1Context, params, paramsLen);
433  sha1Final(sha1Context, context->serverVerifyData);
434 
435  //Release previously allocated memory
436  tlsFreeMem(sha1Context);
437  }
438  else
439  {
440  //Failed to allocate memory
441  error = ERROR_OUT_OF_MEMORY;
442  }
443 
444  //Check status code
445  if(!error)
446  {
447  //Sign the key exchange parameters using DSA
448  error = tlsGenerateDsaSignature(context, context->serverVerifyData,
449  SHA1_DIGEST_SIZE, signature->value, written);
450  }
451  }
452  else
453 #endif
454 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
455  //ECDSA certificate?
456  if(context->cert->type == TLS_CERT_ECDSA_SIGN)
457  {
458  Sha1Context *sha1Context;
459 
460  //Allocate a memory buffer to hold the SHA-1 context
461  sha1Context = tlsAllocMem(sizeof(Sha1Context));
462 
463  //Successful memory allocation?
464  if(sha1Context != NULL)
465  {
466  //Compute SHA(ClientHello.random + ServerHello.random +
467  //ServerKeyExchange.params)
468  sha1Init(sha1Context);
469  sha1Update(sha1Context, context->random, 64);
470  sha1Update(sha1Context, params, paramsLen);
471  sha1Final(sha1Context, context->serverVerifyData);
472 
473  //Release previously allocated memory
474  tlsFreeMem(sha1Context);
475  }
476  else
477  {
478  //Failed to allocate memory
479  error = ERROR_OUT_OF_MEMORY;
480  }
481 
482  //Check status code
483  if(!error)
484  {
485  //Sign the key exchange parameters using ECDSA
486  error = tlsGenerateEcdsaSignature(context, context->serverVerifyData,
487  SHA1_DIGEST_SIZE, signature->value, written);
488  }
489  }
490  else
491 #endif
492  //Invalid certificate?
493  {
494  //Report an error
496  }
497 
498  //Check status code
499  if(!error)
500  {
501  //Fix the length of the digitally-signed element
502  signature->length = htons(*written);
503  //Adjust the length of the signature
504  *written += sizeof(TlsDigitalSignature);
505  }
506 #else
507  //Not implemented
508  error = ERROR_NOT_IMPLEMENTED;
509 #endif
510 
511  //Return status code
512  return error;
513 }
514 
515 
516 /**
517  * @brief Sign server's key exchange parameters (TLS 1.2)
518  * @param[in] context Pointer to the TLS context
519  * @param[in] signature Output stream where to write the digital signature
520  * @param[in] params Pointer to the server's key exchange parameters
521  * @param[in] paramsLen Length of the server's key exchange parameters
522  * @param[out] written Total number of bytes that have been written
523  * @return Error code
524  **/
525 
527  Tls12DigitalSignature *signature, const uint8_t *params,
528  size_t paramsLen, size_t *written)
529 {
530  error_t error;
531 
532 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
533  //Initialize status code
534  error = NO_ERROR;
535 
536  //Total number of bytes that have been written
537  *written = 0;
538 
539 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED || \
540  TLS_DSA_SIGN_SUPPORT == ENABLED || TLS_ECDSA_SIGN_SUPPORT == ENABLED)
541  //RSA, DSA or ECDSA signature scheme?
542  if(context->signAlgo == TLS_SIGN_ALGO_RSA ||
543  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
544  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
545  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 ||
546  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256 ||
547  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384 ||
548  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512 ||
549  context->signAlgo == TLS_SIGN_ALGO_DSA ||
550  context->signAlgo == TLS_SIGN_ALGO_ECDSA)
551  {
552  const HashAlgo *hashAlgo;
553  HashContext *hashContext;
554 
555  //Retrieve the hash algorithm used for signing
556  if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
557  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256)
558  {
559  //The hashing is intrinsic to the signature algorithm
561  }
562  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
563  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384)
564  {
565  //The hashing is intrinsic to the signature algorithm
567  }
568  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 ||
569  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
570  {
571  //The hashing is intrinsic to the signature algorithm
573  }
574  else
575  {
576  //Select the relevant hash algorithm
577  hashAlgo = tlsGetHashAlgo(context->signHashAlgo);
578  }
579 
580  //Make sure the hash algorithm is supported
581  if(hashAlgo != NULL)
582  {
583  //Allocate a memory buffer to hold the hash context
584  hashContext = tlsAllocMem(hashAlgo->contextSize);
585 
586  //Successful memory allocation?
587  if(hashContext != NULL)
588  {
589  //Compute hash(ClientHello.random + ServerHello.random +
590  //ServerKeyExchange.params)
591  hashAlgo->init(hashContext);
592  hashAlgo->update(hashContext, context->random, 64);
593  hashAlgo->update(hashContext, params, paramsLen);
594  hashAlgo->final(hashContext, NULL);
595 
596 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
597  //RSA signature scheme?
598  if(context->signAlgo == TLS_SIGN_ALGO_RSA)
599  {
600  RsaPrivateKey privateKey;
601 
602  //Initialize RSA private key
603  rsaInitPrivateKey(&privateKey);
604 
605  //Set the relevant signature algorithm
606  signature->algorithm.signature = TLS_SIGN_ALGO_RSA;
607  signature->algorithm.hash = context->signHashAlgo;
608 
609  //Decode the PEM structure that holds the RSA private key
610  error = pemImportRsaPrivateKey(context->cert->privateKey,
611  context->cert->privateKeyLen, &privateKey);
612 
613  //Check status code
614  if(!error)
615  {
616  //Generate RSA signature (RSASSA-PKCS1-v1_5 signature scheme)
617  error = rsassaPkcs1v15Sign(&privateKey, hashAlgo,
618  hashContext->digest, signature->value, written);
619  }
620 
621  //Release previously allocated resources
622  rsaFreePrivateKey(&privateKey);
623  }
624  else
625 #endif
626 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
627  //RSA-PSS signature scheme?
628  if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
629  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
630  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 ||
631  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256 ||
632  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384 ||
633  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
634  {
635  RsaPrivateKey privateKey;
636 
637  //Initialize RSA private key
638  rsaInitPrivateKey(&privateKey);
639 
640  //Set the relevant signature algorithm
641  signature->algorithm.signature = context->signAlgo;
642  signature->algorithm.hash = TLS_HASH_ALGO_INTRINSIC;
643 
644  //Decode the PEM structure that holds the RSA private key
645  error = pemImportRsaPrivateKey(context->cert->privateKey,
646  context->cert->privateKeyLen, &privateKey);
647 
648  //Check status code
649  if(!error)
650  {
651  //Generate RSA signature (RSASSA-PSS signature scheme)
652  error = rsassaPssSign(context->prngAlgo, context->prngContext,
653  &privateKey, hashAlgo, hashAlgo->digestSize,
654  hashContext->digest, signature->value, written);
655  }
656 
657  //Release previously allocated resources
658  rsaFreePrivateKey(&privateKey);
659  }
660  else
661 #endif
662 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
663  //DSA signature scheme?
664  if(context->signAlgo == TLS_SIGN_ALGO_DSA)
665  {
666  //Set the relevant signature algorithm
667  signature->algorithm.signature = TLS_SIGN_ALGO_DSA;
668  signature->algorithm.hash = context->signHashAlgo;
669 
670  //Sign the key exchange parameters using DSA
671  error = tlsGenerateDsaSignature(context, hashContext->digest,
672  hashAlgo->digestSize, signature->value, written);
673  }
674  else
675 #endif
676 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
677  //ECDSA signature scheme?
678  if(context->signAlgo == TLS_SIGN_ALGO_ECDSA)
679  {
680  //Set the relevant signature algorithm
681  signature->algorithm.signature = TLS_SIGN_ALGO_ECDSA;
682  signature->algorithm.hash = context->signHashAlgo;
683 
684  //Sign the key exchange parameters using ECDSA
685  error = tlsGenerateEcdsaSignature(context, hashContext->digest,
686  hashAlgo->digestSize, signature->value, written);
687  }
688  else
689 #endif
690  //Invalid signature scheme?
691  {
692  //Report an error
694  }
695 
696  //Release previously allocated memory
697  tlsFreeMem(hashContext);
698  }
699  else
700  {
701  //Failed to allocate memory
702  error = ERROR_OUT_OF_MEMORY;
703  }
704  }
705  else
706  {
707  //Hash algorithm not supported
709  }
710  }
711  else
712 #endif
713 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
714  //EdDSA signature scheme?
715  if(context->signAlgo == TLS_SIGN_ALGO_ED25519 ||
716  context->signAlgo == TLS_SIGN_ALGO_ED448)
717  {
718  uint8_t *buffer;
719 
720  //A temporary buffer is needed to concatenate ClientHello.random +
721  //ServerHello.random + ServerKeyExchange.params
722  buffer = tlsAllocMem(paramsLen + 64);
723 
724  //Successful memory allocation?
725  if(buffer != NULL)
726  {
727  //Data to be verified is run through the EdDSA algorithm with no
728  //hashing
729  memcpy(buffer, context->random, 64);
730  memcpy(buffer + 64, params, paramsLen);
731 
732 #if (TLS_ED25519_SUPPORT == ENABLED)
733  //Ed25519 signature scheme?
734  if(context->signAlgo == TLS_SIGN_ALGO_ED25519)
735  {
736  //The hashing is intrinsic to the signature algorithm
737  signature->algorithm.signature = TLS_SIGN_ALGO_ED25519;
738  signature->algorithm.hash = TLS_HASH_ALGO_INTRINSIC;
739 
740  //Sign the key exchange parameters using EdDSA
741  error = tlsGenerateEddsaSignature(context, buffer, paramsLen + 64,
742  signature->value, written);
743  }
744  else
745 #endif
746 #if (TLS_ED448_SUPPORT == ENABLED)
747  //Ed448 signature scheme?
748  if(context->signAlgo == TLS_SIGN_ALGO_ED448)
749  {
750  //The hashing is intrinsic to the signature algorithm
751  signature->algorithm.signature = TLS_SIGN_ALGO_ED448;
752  signature->algorithm.hash = TLS_HASH_ALGO_INTRINSIC;
753 
754  //Sign the key exchange parameters using EdDSA
755  error = tlsGenerateEddsaSignature(context, buffer, paramsLen + 64,
756  signature->value, written);
757  }
758  else
759 #endif
760  //Invalid signature scheme?
761  {
762  //Report an error
764  }
765 
766  //Release previously allocated memory
767  tlsFreeMem(buffer);
768  }
769  else
770  {
771  //Failed to allocate memory
772  error = ERROR_OUT_OF_MEMORY;
773  }
774  }
775  else
776 #endif
777  //Invalid signature scheme?
778  {
779  //Report an error
781  }
782 
783  //Check status code
784  if(!error)
785  {
786  //Fix the length of the digitally-signed element
787  signature->length = htons(*written);
788  //Adjust the length of the message
789  *written += sizeof(Tls12DigitalSignature);
790  }
791 #else
792  //Not implemented
793  error = ERROR_NOT_IMPLEMENTED;
794 #endif
795 
796  //Return status code
797  return error;
798 }
799 
800 
801 /**
802  * @brief Check whether the ClientHello includes any SCSV cipher suites
803  * @param[in] context Pointer to the TLS context
804  * @param[in] cipherSuites List of cipher suites offered by the client
805  * @return Error code
806  **/
807 
809  const TlsCipherSuites *cipherSuites)
810 {
811  error_t error;
812  uint_t i;
813  uint_t n;
814  uint16_t serverVersion;
815 
816  //Initialize status code
817  error = NO_ERROR;
818 
819  //Get the highest version supported by the implementation (legacy version)
820  serverVersion = MIN(context->versionMax, TLS_VERSION_1_2);
821 
822 #if (DTLS_SUPPORT == ENABLED)
823  //DTLS protocol?
824  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
825  {
826  //Translate TLS version into DTLS version
828  }
829 #endif
830 
831  //Get the number of cipher suite identifiers present in the list
832  n = ntohs(cipherSuites->length) / 2;
833 
834  //Debug message
835  TRACE_DEBUG("Cipher suites:\r\n");
836 
837  //Loop through the list of cipher suite identifiers
838  for(i = 0; i < n; i++)
839  {
840  //Debug message
841  TRACE_DEBUG(" 0x%04" PRIX16 " (%s)\r\n", ntohs(cipherSuites->value[i]),
842  tlsGetCipherSuiteName(ntohs(cipherSuites->value[i])));
843 
844 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
845  //TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite?
846  if(ntohs(cipherSuites->value[i]) == TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
847  {
848  //Initial handshake?
849  if(context->clientVerifyDataLen == 0)
850  {
851  //Set the secure_renegotiation flag to TRUE
852  context->secureRenegoFlag = TRUE;
853  }
854  //Secure renegotiation?
855  else
856  {
857  //When a ClientHello is received, the server must verify that it
858  //does not contain the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If
859  //the SCSV is present, the server must abort the handshake
860  error = ERROR_HANDSHAKE_FAILED;
861  break;
862  }
863  }
864  else
865 #endif
866  //TLS_FALLBACK_SCSV signaling cipher suite?
867  if(ntohs(cipherSuites->value[i]) == TLS_FALLBACK_SCSV)
868  {
869 #if (DTLS_SUPPORT == ENABLED)
870  //DTLS protocol?
871  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
872  {
873  //Test if the highest protocol version supported by the server is
874  //higher than the version indicated by the client
875  if(serverVersion < context->clientVersion)
876  {
877  //The server must respond with a fatal inappropriate_fallback alert
879  break;
880  }
881  }
882  else
883 #endif
884  //TLS protocol?
885  {
886  //Test if the highest protocol version supported by the server is
887  //higher than the version indicated by the client
888  if(serverVersion > context->clientVersion)
889  {
890  //The server must respond with a fatal inappropriate_fallback alert
892  break;
893  }
894  }
895  }
896  }
897 
898  //Return status code
899  return error;
900 }
901 
902 
903 /**
904  * @brief Resume TLS session via session ID
905  * @param[in] context Pointer to the TLS context
906  * @param[in] sessionId Pointer to the session ID offered by the client
907  * @param[in] sessionIdLen Length of the session ID, in bytes
908  * @param[in] cipherSuites List of cipher suites offered by the client
909  * @param[in] extensions ClientHello extensions offered by the client
910  * @return Error code
911  **/
912 
914  size_t sessionIdLen, const TlsCipherSuites *cipherSuites,
916 {
917  error_t error;
918 
919 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
920  //Initialize status code
921  error = NO_ERROR;
922 
923 #if (TLS_SESSION_RESUME_SUPPORT == ENABLED)
924  //Check whether session caching is supported
925  if(context->cache != NULL)
926  {
927  uint_t i;
928  uint_t n;
929  TlsSessionState *session;
930 
931  //If the session ID was non-empty, the server will look in its
932  //session cache for a match
933  session = tlsFindCache(context->cache, sessionId, sessionIdLen);
934 
935  //Matching session found?
936  if(session != NULL)
937  {
938  //Whenever a client already knows the highest protocol version known
939  //to a server (for example, when resuming a session), it should
940  //initiate the connection in that native protocol
941  if(session->version != context->version)
942  session = NULL;
943  }
944 
945  //Matching session found?
946  if(session != NULL)
947  {
948  //Get the total number of cipher suites offered by the client
949  n = ntohs(cipherSuites->length) / 2;
950 
951  //Loop through the list of cipher suite identifiers
952  for(i = 0; i < n; i++)
953  {
954  //Matching cipher suite?
955  if(ntohs(cipherSuites->value[i]) == session->cipherSuite)
956  break;
957  }
958 
959  //If the cipher suite is not present in the list cipher suites offered
960  //by the client, the server must not perform the abbreviated handshake
961  if(i >= n)
962  session = NULL;
963  }
964 
965 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
966  //Matching session found?
967  if(session != NULL)
968  {
969  //ExtendedMasterSecret extension found?
970  if(extensions->extendedMasterSecret != NULL)
971  {
972  //If the original session did not use the ExtendedMasterSecret
973  //extension but the new ClientHello contains the extension, then
974  //the server must not perform the abbreviated handshake
975  if(!session->extendedMasterSecret)
976  session = NULL;
977  }
978  }
979 #endif
980 
981  //Check whether the server has decided to resume a previous session
982  if(session != NULL)
983  {
984  //Perform abbreviated handshake
985  context->resume = TRUE;
986  //Restore cached session parameters
987  tlsRestoreSessionState(context, session);
988 
989  //Select the relevant cipher suite
990  error = tlsSelectCipherSuite(context, session->cipherSuite);
991  }
992  else
993  {
994  //Perform a full handshake
995  context->resume = FALSE;
996  //Session ID is limited to 32 bytes
997  context->sessionIdLen = 32;
998 
999  //Generate a new random ID
1000  error = context->prngAlgo->read(context->prngContext,
1001  context->sessionId, context->sessionIdLen);
1002  }
1003  }
1004  else
1005 #endif
1006  {
1007  //Perform a full handshake
1008  context->resume = FALSE;
1009  //The session cannot be resumed
1010  context->sessionIdLen = 0;
1011  }
1012 #else
1013  //Not implemented
1014  error = ERROR_NOT_IMPLEMENTED;
1015 #endif
1016 
1017  //Return status code
1018  return error;
1019 }
1020 
1021 
1022 /**
1023  * @brief Version negotiation
1024  * @param[in] context Pointer to the TLS context
1025  * @param[in] clientVersion Highest version number supported by the client (legacy version)
1026  * @param[in] supportedVersionList Pointer to the SupportedVersions extensions
1027  * @return Error code
1028  **/
1029 
1031  const TlsSupportedVersionList *supportedVersionList)
1032 {
1033  error_t error;
1034  uint16_t serverVersion;
1035 
1036  //Get the highest version supported by the implementation
1037  serverVersion = context->versionMax;
1038 
1039 #if (DTLS_SUPPORT == ENABLED)
1040  //DTLS protocol?
1041  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
1042  {
1043  //In DTLS 1.2, the client can indicate its version preferences in the
1044  //SupportedVersions extension
1045  if(supportedVersionList != NULL && context->versionMax >= TLS_VERSION_1_2)
1046  {
1047  //If the SupportedVersions extension is present in the ClientHello,
1048  //servers must only select a version of DTLS present in that extension
1050  (DtlsSupportedVersionList *) supportedVersionList);
1051  }
1052  else
1053  {
1054  //If the SupportedVersions extension is not present, servers must
1055  //negotiate DTLS 1.2 or prior
1057 
1058  //Translate TLS version into DTLS version
1060 
1061  //If a DTLS server receives a ClientHello containing a version number
1062  //greater than the highest version supported by the server, it must
1063  //reply according to the highest version supported by the server
1065 
1066  //Set the DTLS version to be used
1067  error = dtlsSelectVersion(context, serverVersion);
1068  }
1069  }
1070  else
1071 #endif
1072  //TLS protocol?
1073  {
1074  //In TLS 1.2, the client can indicate its version preferences in the
1075  //SupportedVersions extension
1076  if(supportedVersionList != NULL && context->versionMax >= TLS_VERSION_1_2)
1077  {
1078  //If the SupportedVersions extension is present in the ClientHello,
1079  //servers must only select a version of TLS present in that extension
1081  supportedVersionList);
1082 
1083  //Check status code
1084  if(!error)
1085  {
1086  //Check whether TLS 1.3 has been negotiated
1087  if(context->version == TLS_VERSION_1_3)
1088  {
1089  //The legacy_version field must be set to 0x0303, which is the
1090  //version number for TLS 1.2
1093  }
1094  }
1095  }
1096  else
1097  {
1098  //If the SupportedVersions extension is not present, servers must
1099  //negotiate TLS 1.2 or prior, even if the legacy_version of the
1100  //ClientHello is 0x0304 or later (refer to RFC 8446, section 4.2.1)
1102 
1103  //If a TLS server receives a ClientHello containing a version number
1104  //greater than the highest version supported by the server, it must
1105  //reply according to the highest version supported by the server
1107 
1108  //Set the TLS version to be used
1109  error = tlsSelectVersion(context, serverVersion);
1110  }
1111  }
1112 
1113  //Return status code
1114  return error;
1115 }
1116 
1117 
1118 /**
1119  * @brief Cipher suite negotiation
1120  * @param[in] context Pointer to the TLS context
1121  * @param[in] hashAlgo Desired KDF hash algorithm
1122  * @param[in] cipherSuites List of cipher suites offered by the client
1123  * @param[in] extensions ClientHello extensions offered by the client
1124  * @return Error code
1125  **/
1126 
1128  const TlsCipherSuites *cipherSuites, TlsHelloExtensions *extensions)
1129 {
1130  error_t error;
1131  uint_t i;
1132  uint_t j;
1133  uint_t k;
1134  uint_t n;
1135 
1136  //Initialize status code
1137  error = ERROR_HANDSHAKE_FAILED;
1138 
1139  //If no SignatureAlgorithmsCert extension is present in the ClientHello
1140  //message, then the SignatureAlgorithms extension also applies to signatures
1141  //appearing in certificates (RFC 8446, section 4.2.3)
1142  if(extensions->certSignAlgoList == NULL)
1143  {
1144  extensions->certSignAlgoList = extensions->signAlgoList;
1145  }
1146 
1147  //Get the total number of cipher suites offered by the client
1148  n = ntohs(cipherSuites->length) / 2;
1149 
1150  //Select the most appropriate cipher suite (2-pass process)
1151  for(k = 0; k < 2 && error; k++)
1152  {
1153  //Any preferred cipher suites?
1154  if(context->numCipherSuites > 0)
1155  {
1156  //Loop through the list of allowed cipher suites (most preferred first)
1157  for(i = 0; i < context->numCipherSuites && error; i++)
1158  {
1159  //Loop through the list of cipher suites offered by the client
1160  for(j = 0; j < n && error; j++)
1161  {
1162  //If the list contains cipher suites the server does not
1163  //recognize, support, or wish to use, the server must ignore
1164  //those cipher suites, and process the remaining ones as usual
1165  if(context->cipherSuites[i] == ntohs(cipherSuites->value[j]))
1166  {
1167  //Select current cipher suite
1168  error = tlsSelectCipherSuite(context, context->cipherSuites[i]);
1169 
1170  //If a KDF hash algorithm has been specified, the server must
1171  //select a compatible cipher suite
1172  if(!error && hashAlgo != NULL)
1173  {
1174  //Make sure the selected cipher suite is compatible
1175  if(context->cipherSuite.prfHashAlgo != hashAlgo)
1176  error = ERROR_HANDSHAKE_FAILED;
1177  }
1178 
1179  //Check status code
1180  if(!error)
1181  {
1182  //Select the group to be used when performing (EC)DHE key
1183  //exchange
1184  error = tlsSelectGroup(context, extensions->supportedGroupList);
1185  }
1186 
1187  //Check status code
1188  if(!error)
1189  {
1190  //Select the appropriate certificate
1191  error = tlsSelectCertificate(context, extensions);
1192  }
1193  }
1194  }
1195  }
1196  }
1197  else
1198  {
1199  //The cipher suite list contains the combinations of cryptographic
1200  //algorithms supported by the client in order of the client's preference
1201  for(j = 0; j < n && error; j++)
1202  {
1203  //If the list contains cipher suites the server does not recognize,
1204  //support, or wish to use, the server must ignore those cipher suites,
1205  //and process the remaining ones as usual
1206  error = tlsSelectCipherSuite(context, ntohs(cipherSuites->value[j]));
1207 
1208  //If a KDF hash algorithm has been specified, the server must select
1209  //a compatible cipher suite
1210  if(!error && hashAlgo != NULL)
1211  {
1212  //Make sure the selected cipher suite is compatible
1213  if(context->cipherSuite.prfHashAlgo != hashAlgo)
1214  error = ERROR_HANDSHAKE_FAILED;
1215  }
1216 
1217  //Check status code
1218  if(!error)
1219  {
1220  //Select the group to be used when performing (EC)DHE key exchange
1221  error = tlsSelectGroup(context, extensions->supportedGroupList);
1222  }
1223 
1224  //Check status code
1225  if(!error)
1226  {
1227  //Select the appropriate certificate
1228  error = tlsSelectCertificate(context, extensions);
1229  }
1230  }
1231  }
1232 
1233  //The second pass relaxes the constraints
1234  extensions->certSignAlgoList = NULL;
1235  }
1236 
1237  //Return status code
1238  return error;
1239 }
1240 
1241 
1242 /**
1243  * @brief Select the group to be used when performing (EC)DHE key exchange
1244  * @param[in] context Pointer to the TLS context
1245  * @param[in] groupList List of named groups supported by the client
1246  * @return Error code
1247  **/
1248 
1250  const TlsSupportedGroupList *groupList)
1251 {
1252  error_t error;
1253 
1254  //Initialize status code
1255  error = NO_ERROR;
1256 
1257 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1258  //SSL 3.0, TLS 1.0, TLS 1.1 or TLS 1.2 currently selected?
1259  if(context->version <= TLS_VERSION_1_2)
1260  {
1261  //ECC cipher suite?
1262  if(context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1263  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1264  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
1265  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1266  {
1267  //One of the proposed ECC cipher suites must be negotiated only if the
1268  //server can successfully complete the handshake while using the curves
1269  //and point formats supported by the client
1270  error = tlsSelectEcdheGroup(context, groupList);
1271  }
1272 #if (TLS_FFDHE_SUPPORT == ENABLED)
1273  //FFDHE cipher suite?
1274  else if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1275  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1276  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1277  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK)
1278  {
1279  //If none of the client-proposed FFDHE groups are known and acceptable
1280  //to the server, then the server must not select an FFDHE cipher suite
1281  error = tlsSelectFfdheGroup(context, groupList);
1282  }
1283 #endif
1284  else
1285  {
1286  //The selected cipher suite does not provide forward secrecy
1287  }
1288  }
1289 #endif
1290 
1291  //Return status code
1292  return error;
1293 }
1294 
1295 
1296 /**
1297  * @brief Select the named curve to be used when performing ECDHE key exchange
1298  * @param[in] context Pointer to the TLS context
1299  * @param[in] groupList List of named groups supported by the peer
1300  * @return Error code
1301  **/
1302 
1304  const TlsSupportedGroupList *groupList)
1305 {
1306  error_t error;
1307  uint_t i;
1308  uint_t j;
1309  uint_t n;
1310  uint16_t namedGroup;
1311 
1312  //Initialize status code
1313  error = ERROR_HANDSHAKE_FAILED;
1314 
1315  //Reset the named group to its default value
1316  context->namedGroup = TLS_GROUP_NONE;
1317 
1318  //Check whether a list of named groups is offered by the client
1319  if(groupList != NULL)
1320  {
1321  //Get the number of named groups present in the list
1322  n = ntohs(groupList->length) / sizeof(uint16_t);
1323 
1324  //Any preferred groups?
1325  if(context->numSupportedGroups > 0)
1326  {
1327  //Loop through the list of allowed groups (most preferred first)
1328  for(i = 0; i < context->numSupportedGroups && error; i++)
1329  {
1330  //Loop through the list of named groups the client supports
1331  for(j = 0; j < n && error; j++)
1332  {
1333  //Convert the named group to host byte order
1334  namedGroup = ntohs(groupList->value[j]);
1335 
1336  //The named group to be used when performing ECDH key exchange
1337  //must be one of those present in the SupportedGroups extension
1338  if(context->supportedGroups[i] == namedGroup)
1339  {
1340  //Acceptable elliptic curve found?
1341  if(tlsGetCurveInfo(context, namedGroup) != NULL)
1342  {
1343  //Save the named curve
1344  context->namedGroup = namedGroup;
1345  error = NO_ERROR;
1346  }
1347  }
1348  }
1349  }
1350  }
1351  else
1352  {
1353  //The named group to be used when performing ECDH key exchange must
1354  //be one of those present in the SupportedGroups extension
1355  for(j = 0; j < n && error; j++)
1356  {
1357  //Convert the named group to host byte order
1358  namedGroup = ntohs(groupList->value[j]);
1359 
1360  //Acceptable elliptic curve found?
1361  if(tlsGetCurveInfo(context, namedGroup) != NULL)
1362  {
1363  //Save the named curve
1364  context->namedGroup = namedGroup;
1365  error = NO_ERROR;
1366  }
1367  }
1368  }
1369  }
1370  else
1371  {
1372  //A client that proposes ECC cipher suites may choose not to include
1373  //the SupportedGroups extension. In this case, the server is free to
1374  //choose any one of the elliptic curves it supports
1375  if(tlsGetCurveInfo(context, TLS_GROUP_SECP256R1) != NULL)
1376  {
1377 
1378  //Select secp256r1 elliptic curve
1379  context->namedGroup = TLS_GROUP_SECP256R1;
1380  error = NO_ERROR;
1381  }
1382  else if(tlsGetCurveInfo(context, TLS_GROUP_SECP384R1) != NULL)
1383  {
1384  //Select secp384r1 elliptic curve
1385  context->namedGroup = TLS_GROUP_SECP384R1;
1386  error = NO_ERROR;
1387  }
1388  else
1389  {
1390  //Just for sanity
1391  context->namedGroup = TLS_GROUP_NONE;
1392  }
1393  }
1394 
1395  //Return status code
1396  return error;
1397 }
1398 
1399 
1400 /**
1401  * @brief Certificate selection process
1402  * @param[in] context Pointer to the TLS context
1403  * @param[in] extensions ClientHello extensions offered by the client
1404  * @return Error code
1405  **/
1406 
1409 {
1410  error_t error;
1411  uint_t i;
1412  uint_t n;
1413  bool_t acceptable;
1414  uint8_t certTypes[2];
1415 
1416  //Initialize status code
1417  error = NO_ERROR;
1418 
1419  //Number of certificate types
1420  n = 0;
1421 
1422 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1423  //SSL 3.0, TLS 1.0, TLS 1.1 or TLS 1.2 currently selected?
1424  if(context->version <= TLS_VERSION_1_2)
1425  {
1426  //The server requires a valid certificate whenever the agreed-upon key
1427  //exchange method uses certificates for authentication
1428  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
1429  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1430  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1431  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1432  {
1433  //RSA, DHE_RSA, ECDHE_RSA and RSA_PSK key exchange methods require
1434  //a RSA certificate
1435  certTypes[n++] = TLS_CERT_RSA_SIGN;
1436  }
1437  else if(context->keyExchMethod == TLS_KEY_EXCH_DH_RSA)
1438  {
1439  //In DH_RSA, the server's certificate must contain a Diffie-Hellman
1440  //public key and be signed with RSA
1441  certTypes[n++] = TLS_CERT_RSA_FIXED_DH;
1442  }
1443  else if(context->keyExchMethod == TLS_KEY_EXCH_ECDH_RSA)
1444  {
1445  //In ECDH_RSA, the server's certificate must contain an ECDH-capable
1446  //public key and be signed with RSA
1447  certTypes[n++] = TLS_CERT_RSA_FIXED_ECDH;
1448  }
1449  else if(context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS)
1450  {
1451  //DHE_DSS key exchange method requires a DSA certificate
1452  certTypes[n++] = TLS_CERT_DSS_SIGN;
1453  }
1454  else if(context->keyExchMethod == TLS_KEY_EXCH_DH_DSS)
1455  {
1456  //In DH_DSS, the server's certificate must contain a Diffie-Hellman
1457  //public key and be signed with DSA
1458  certTypes[n++] = TLS_CERT_DSS_FIXED_DH;
1459  }
1460  else if(context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA)
1461  {
1462  //ECDHE_ECDSA key exchange method requires an ECDSA certificate
1463  certTypes[n++] = TLS_CERT_ECDSA_SIGN;
1464  }
1465  else if(context->keyExchMethod == TLS_KEY_EXCH_ECDH_ECDSA)
1466  {
1467  //In ECDH_ECDSA, the server's certificate must contain an ECDH-capable
1468  //public key and be signed with ECDSA
1469  certTypes[n++] = TLS_CERT_ECDSA_FIXED_ECDH;
1470  }
1471  else
1472  {
1473  //DH_anon and ECDH_anon key exchange methods do not require any
1474  //certificate
1475  }
1476  }
1477  else
1478 #endif
1479 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1480  //TLS 1.3 currently selected?
1481  if(context->version == TLS_VERSION_1_3)
1482  {
1483  //If PSK is not being used, then (EC)DHE and certificate-based
1484  //authentication are always used
1485  if(context->selectedIdentity < 0)
1486  {
1487  //TLS 1.3 removes support for DSA certificates
1488  certTypes[n++] = TLS_CERT_RSA_SIGN;
1489  certTypes[n++] = TLS_CERT_ECDSA_SIGN;
1490  }
1491  }
1492  else
1493 #endif
1494  //Invalid TLS version?
1495  {
1496  //Abort certificate selection process
1497  error = ERROR_INVALID_VERSION;
1498  }
1499 
1500  //Check whether a certificate is required
1501  if(n > 0)
1502  {
1503  //Reset currently selected certificate
1504  context->cert = NULL;
1505 
1506  //Loop through the list of available certificates
1507  for(i = 0; i < context->numCerts && context->cert == NULL; i++)
1508  {
1509  //Check whether the current certificate is acceptable
1510  acceptable = tlsIsCertificateAcceptable(context, &context->certs[i],
1511  certTypes, n, extensions->signAlgoList, extensions->certSignAlgoList,
1512  extensions->supportedGroupList, NULL);
1513 
1514  //The certificate must be appropriate for the negotiated cipher
1515  //suite and any negotiated extensions
1516  if(acceptable)
1517  {
1518  //The hash algorithm to be used when generating signatures must
1519  //be one of those present in the SignatureAlgorithms extension
1520  error = tlsSelectSignatureScheme(context, &context->certs[i],
1521  extensions->signAlgoList);
1522 
1523  //Check status code
1524  if(!error)
1525  {
1526  //If all the requirements were met, the certificate can be
1527  //used in conjunction with the selected cipher suite
1528  context->cert = &context->certs[i];
1529  }
1530  }
1531  }
1532 
1533  //Do not accept the specified cipher suite unless a suitable
1534  //certificate has been found
1535  if(context->cert == NULL)
1536  error = ERROR_NO_CERTIFICATE;
1537  }
1538 
1539  //Return status code
1540  return error;
1541 }
1542 
1543 
1544 /**
1545  * @brief Parse the list of compression methods supported by the client
1546  * @param[in] context Pointer to the TLS context
1547  * @param[in] compressMethods List of compression methods
1548  * @return Error code
1549  **/
1550 
1552  const TlsCompressMethods *compressMethods)
1553 {
1554  error_t error;
1555  uint_t i;
1556 
1557  //Initialize status code
1558  error = ERROR_ILLEGAL_PARAMETER;
1559 
1560  //Version of TLS prior to TLS 1.3?
1561  if(context->version <= TLS_VERSION_1_2)
1562  {
1563  //The list of the compression methods supported by the client is sorted
1564  //by client preference
1565  for(i = 0; i < compressMethods->length && error; i++)
1566  {
1567  //Check whether the current compression algorithm is supported
1568  error = tlsSelectCompressMethod(context, compressMethods->value[i]);
1569  }
1570  }
1571  else
1572  {
1573  //For every TLS 1.3 ClientHello, this vector must contain exactly one
1574  //byte, set to zero which corresponds to the null compression method
1575  if(compressMethods->length == 1)
1576  {
1577  //If a ClientHello is received with any other value in this field,
1578  //the server must abort the handshake with an illegal_parameter alert
1579  error = tlsSelectCompressMethod(context, compressMethods->value[0]);
1580  }
1581  }
1582 
1583  //Return status code
1584  return error;
1585 }
1586 
1587 
1588 /**
1589  * @brief Parse PSK identity
1590  * @param[in] context Pointer to the TLS context
1591  * @param[in] p Input stream where to read the PSK identity hint
1592  * @param[in] length Number of bytes available in the input stream
1593  * @param[out] consumed Total number of bytes that have been consumed
1594  * @return Error code
1595  **/
1596 
1598  const uint8_t *p, size_t length, size_t *consumed)
1599 {
1600  size_t n;
1601  TlsPskIdentity *pskIdentity;
1602 
1603  //Point to the PSK identity
1604  pskIdentity = (TlsPskIdentity *) p;
1605 
1606  //Malformed ClientKeyExchange message?
1607  if(length < sizeof(TlsPskIdentity))
1608  return ERROR_DECODING_FAILED;
1609  if(length < (sizeof(TlsPskIdentity) + ntohs(pskIdentity->length)))
1610  return ERROR_DECODING_FAILED;
1611 
1612  //Retrieve the length of the PSK identity
1613  n = ntohs(pskIdentity->length);
1614 
1615 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
1616  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1617  //Any registered callback?
1618  if(context->pskCallback != NULL)
1619  {
1620  error_t error;
1621 
1622  //The server selects which key to use depending on the the PSK identity
1623  //provided by the client
1624  error = context->pskCallback(context, pskIdentity->value, n);
1625  //Any error to report?
1626  if(error)
1627  return ERROR_UNKNOWN_IDENTITY;
1628  }
1629 #endif
1630 
1631  //Total number of bytes that have been consumed
1632  *consumed = sizeof(TlsPskIdentity) + n;
1633 
1634  //Successful processing
1635  return NO_ERROR;
1636 }
1637 
1638 
1639 /**
1640  * @brief Parse client's key exchange parameters
1641  * @param[in] context Pointer to the TLS context
1642  * @param[in] p Input stream where to read the client's key exchange parameters
1643  * @param[in] length Number of bytes available in the input stream
1644  * @param[out] consumed Total number of bytes that have been consumed
1645  * @return Error code
1646  **/
1647 
1649  const uint8_t *p, size_t length, size_t *consumed)
1650 {
1651  error_t error;
1652 
1653 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1654  //Initialize status code
1655  error = NO_ERROR;
1656 
1657 #if (TLS_RSA_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED)
1658  //RSA key exchange method?
1659  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
1660  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1661  {
1662  size_t n;
1663  uint16_t version;
1664  RsaPrivateKey privateKey;
1665 
1666  //The RSA-encrypted premaster secret in a ClientKeyExchange is preceded by
1667  //two length bytes. SSL 3.0 implementations do not include these bytes
1668  if(context->version > SSL_VERSION_3_0)
1669  {
1670  //Malformed ClientKeyExchange message?
1671  if(length < 2)
1672  return ERROR_DECODING_FAILED;
1673 
1674  //Decode the length field
1675  n = LOAD16BE(p);
1676 
1677  //Check the length of the RSA-encrypted premaster secret
1678  if(n > (length - 2))
1679  return ERROR_DECODING_FAILED;
1680 
1681  //Save the length of the RSA-encrypted premaster secret
1682  length = n;
1683  //Advance the pointer over the length field
1684  p += 2;
1685  //Total number of bytes that have been consumed
1686  *consumed = length + 2;
1687  }
1688  else
1689  {
1690  //Total number of bytes that have been consumed
1691  *consumed = length;
1692  }
1693 
1694  //Initialize RSA private key
1695  rsaInitPrivateKey(&privateKey);
1696 
1697  //Decode the PEM structure that holds the RSA private key
1698  error = pemImportRsaPrivateKey(context->cert->privateKey,
1699  context->cert->privateKeyLen, &privateKey);
1700 
1701  //Check status code
1702  if(!error)
1703  {
1704  //Decrypt the premaster secret using the server private key
1705  error = rsaesPkcs1v15Decrypt(&privateKey, p, length,
1706  context->premasterSecret, TLS_PREMASTER_SECRET_SIZE,
1707  &context->premasterSecretLen);
1708  }
1709 
1710  //Release RSA private key
1711  rsaFreePrivateKey(&privateKey);
1712 
1713  //Retrieve the latest version supported by the client. This is used
1714  //to detect version roll-back attacks
1715  version = LOAD16BE(context->premasterSecret);
1716 
1717  //The best way to avoid vulnerability to the Bleichenbacher attack is to
1718  //treat incorrectly formatted messages in a manner indistinguishable from
1719  //correctly formatted RSA blocks
1720  if(error || context->premasterSecretLen != 48 || version != context->clientVersion)
1721  {
1722  //When it receives an incorrectly formatted RSA block, the server
1723  //should generate a random 48-byte value and proceed using it as
1724  //the premaster secret
1725  error = context->prngAlgo->read(context->prngContext,
1726  context->premasterSecret, 48);
1727 
1728  //Fix the length of the premaster secret
1729  context->premasterSecretLen = 48;
1730  }
1731  }
1732  else
1733 #endif
1734 #if (TLS_DH_ANON_KE_SUPPORT == ENABLED || TLS_DHE_RSA_KE_SUPPORT == ENABLED || \
1735  TLS_DHE_DSS_KE_SUPPORT == ENABLED || TLS_DHE_PSK_KE_SUPPORT == ENABLED)
1736  //Diffie-Hellman key exchange method?
1737  if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1738  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1739  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1740  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK)
1741  {
1742  size_t n;
1743 
1744  //Convert the client's public value to a multiple precision integer
1745  error = tlsReadMpi(&context->dhContext.yb, p, length, &n);
1746 
1747  //Check status code
1748  if(!error)
1749  {
1750  //Total number of bytes that have been consumed
1751  *consumed = n;
1752 
1753  //Verify client's public value
1754  error = dhCheckPublicKey(&context->dhContext.params,
1755  &context->dhContext.yb);
1756  }
1757 
1758  //Check status code
1759  if(!error)
1760  {
1761  //Calculate the negotiated key Z
1762  error = dhComputeSharedSecret(&context->dhContext,
1763  context->premasterSecret, TLS_PREMASTER_SECRET_SIZE,
1764  &context->premasterSecretLen);
1765  }
1766 
1767  //Check status code
1768  if(!error)
1769  {
1770  //Leading bytes of Z that contain all zero bits are stripped before
1771  //it is used as the premaster secret (RFC 4346, section 8.2.1)
1772  for(n = 0; n < context->premasterSecretLen; n++)
1773  {
1774  if(context->premasterSecret[n] != 0x00)
1775  break;
1776  }
1777 
1778  //Any leading zero bytes?
1779  if(n > 0)
1780  {
1781  //Strip leading zero bytes from the negotiated key
1782  memmove(context->premasterSecret, context->premasterSecret + n,
1783  context->premasterSecretLen - n);
1784 
1785  //Adjust the length of the premaster secret
1786  context->premasterSecretLen -= n;
1787  }
1788  }
1789  }
1790  else
1791 #endif
1792 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
1793  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1794  //ECDH key exchange method?
1795  if(context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1796  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1797  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
1798  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1799  {
1800  size_t n;
1801 
1802  //Decode client's public key
1803  error = tlsReadEcPoint(&context->ecdhContext.params,
1804  &context->ecdhContext.qb, p, length, &n);
1805 
1806  //Check status code
1807  if(!error)
1808  {
1809  //Total number of bytes that have been consumed
1810  *consumed = n;
1811 
1812  //Verify client's public key and make sure that it is on the same
1813  //elliptic curve as the server's ECDH key
1814  error = ecdhCheckPublicKey(&context->ecdhContext.params,
1815  &context->ecdhContext.qb);
1816  }
1817 
1818  //Check status code
1819  if(!error)
1820  {
1821 #if (TLS_ECC_CALLBACK_SUPPORT == ENABLED)
1822  //Any registered callback?
1823  if(context->ecdhCallback != NULL)
1824  {
1825  //Invoke user callback function
1826  error = context->ecdhCallback(context);
1827  }
1828  else
1829 #endif
1830  {
1831  //No callback function defined
1833  }
1834 
1835  //Check status code
1837  {
1838  //Calculate the shared secret Z. Leading zeros found in this octet
1839  //string must not be truncated (see RFC 4492, section 5.10)
1840  error = ecdhComputeSharedSecret(&context->ecdhContext,
1841  context->premasterSecret, TLS_PREMASTER_SECRET_SIZE,
1842  &context->premasterSecretLen);
1843  }
1844  }
1845  }
1846  else
1847 #endif
1848  //Invalid key exchange method?
1849  {
1850  //The specified key exchange method is not supported
1852  }
1853 #else
1854  //Not implemented
1855  error = ERROR_NOT_IMPLEMENTED;
1856 #endif
1857 
1858  //Return status code
1859  return error;
1860 }
1861 
1862 #endif
TLS (Transport Layer Security)
error_t tlsSelectSignatureScheme(TlsContext *context, const TlsCertDesc *cert, const TlsSignHashAlgos *supportedSignAlgos)
Select the algorithm to be used when generating digital signatures.
Definition: tls_signature.c:58
uint16_t version
Definition: dtls_misc.h:163
error_t rsaesPkcs1v15Decrypt(const RsaPrivateKey *key, const uint8_t *ciphertext, size_t ciphertextLen, uint8_t *message, size_t messageSize, size_t *messageLen)
RSAES-PKCS1-v1_5 decryption operation.
Definition: rsa.c:269
void rsaInitPrivateKey(RsaPrivateKey *key)
Initialize a RSA private key.
Definition: rsa.c:126
error_t tlsRestoreSessionState(TlsContext *context, const TlsSessionState *session)
Restore TLS session.
Definition: tls.c:2466
error_t tlsSelectVersion(TlsContext *context, uint16_t version)
Set the TLS version to be used.
Definition: tls_misc.c:219
uint8_t digest[1]
Definition: crypto.h:1046
error_t tlsWriteEcPoint(const EcDomainParameters *params, const EcPoint *a, uint8_t *data, size_t *length)
Encode an EC point to an opaque vector.
Definition: tls_misc.c:712
void sha1Init(Sha1Context *context)
Initialize SHA-1 message digest context.
Definition: sha1.c:124
FFDHE key exchange.
Debugging facilities.
#define tlsFreeMem(p)
Definition: tls.h:760
error_t ecLoadDomainParameters(EcDomainParameters *params, const EcCurveInfo *curveInfo)
Load EC domain parameters.
Definition: ec.c:91
uint8_t p
Definition: ndp.h:295
uint8_t sessionIdLen
Definition: tls.h:1609
Generic error code.
Definition: error.h:43
SHA-1 algorithm context.
Definition: sha1.h:54
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:836
HashAlgoInit init
Definition: crypto.h:1063
FFDHE parameters.
Definition: tls_ffdhe.h:45
#define TLS_PREMASTER_SECRET_SIZE
Definition: tls.h:720
Elliptic curve parameters.
Definition: ec_curves.h:290
error_t tlsResumeServerSession(TlsContext *context, const uint8_t *sessionId, size_t sessionIdLen, const TlsCipherSuites *cipherSuites, const TlsHelloExtensions *extensions)
Resume TLS session via session ID.
error_t tlsGenerateRsaSignature(const RsaPrivateKey *key, const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
Generate RSA signature (SSL 3.0, TLS 1.0 and TLS 1.1)
__start_packed struct @57 DtlsSupportedVersionList
List of supported versions.
error_t tlsGenerateDsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, uint8_t *signature, size_t *signatureLen)
Generate DSA signature.
#define TLS_VERSION_1_3
Definition: tls.h:90
uint8_t sessionId[]
Definition: tls.h:1610
__start_packed struct @63 TlsCompressMethods
Compression methods.
uint16_t version
TLS protocol version.
Definition: tls.h:1822
#define htons(value)
Definition: cpu_endian.h:390
#define SHA1_DIGEST_SIZE
Definition: sha1.h:38
error_t tlsSelectCompressMethod(TlsContext *context, uint8_t identifier)
Set compression method.
Definition: tls_misc.c:345
TLS session state.
Definition: tls.h:1820
Generic hash algorithm context.
Definition: crypto.h:1044
error_t tlsCheckSignalingCipherSuiteValues(TlsContext *context, const TlsCipherSuites *cipherSuites)
Check whether the ClientHello includes any SCSV cipher suites.
error_t pemImportRsaPrivateKey(const char_t *input, size_t length, RsaPrivateKey *key)
Decode a PEM file containing a RSA private key.
Definition: pem_import.c:211
#define MAX(a, b)
Definition: os_port.h:64
error_t tlsParseCompressMethods(TlsContext *context, const TlsCompressMethods *compressMethods)
Parse the list of compression methods supported by the client.
error_t tlsWriteMpi(const Mpi *a, uint8_t *data, size_t *length)
Encode a multiple precision integer to an opaque vector.
Definition: tls_misc.c:641
__start_packed struct @75 TlsSupportedGroupList
List of supported groups.
error_t tlsLoadFfdheParameters(DhParameters *params, const TlsFfdheGroup *ffdheGroup)
Load FFDHE parameters.
Definition: tls_ffdhe.c:373
#define TRUE
Definition: os_port.h:48
bool_t extendedMasterSecret
Extended master secret computation.
Definition: tls.h:1830
#define TRACE_DEBUG_MPI(p, a)
Definition: debug.h:101
void md5Final(Md5Context *context, uint8_t *digest)
Finish the MD5 message digest.
Definition: md5.c:192
error_t dhGenerateKeyPair(DhContext *context, const PrngAlgo *prngAlgo, void *prngContext)
Diffie-Hellman key pair generation.
Definition: dh.c:89
TLS record protocol.
error_t tlsReadEcPoint(const EcDomainParameters *params, EcPoint *a, const uint8_t *data, size_t size, size_t *length)
Read an EC point from an opaque vector.
Definition: tls_misc.c:749
error_t rsassaPssSign(const PrngAlgo *prngAlgo, void *prngContext, const RsaPrivateKey *key, const HashAlgo *hash, size_t saltLen, const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
RSASSA-PSS signature generation operation.
Definition: rsa.c:884
error_t tlsSelectCertificate(TlsContext *context, const TlsHelloExtensions *extensions)
Certificate selection process.
Parsing and checking of TLS extensions.
TLS helper functions.
error_t tlsNegotiateCipherSuite(TlsContext *context, const HashAlgo *hashAlgo, const TlsCipherSuites *cipherSuites, TlsHelloExtensions *extensions)
Cipher suite negotiation.
error_t tlsFormatServerKeyParams(TlsContext *context, uint8_t *p, size_t *written)
Format server&#39;s key exchange parameters.
error_t dtlsParseClientSupportedVersionsExtension(TlsContext *context, const DtlsSupportedVersionList *supportedVersionList)
Parse SupportedVersions extension.
Definition: dtls_misc.c:393
#define ntohs(value)
Definition: cpu_endian.h:396
error_t tlsReadMpi(Mpi *a, const uint8_t *data, size_t size, size_t *length)
Read a multiple precision integer from an opaque vector.
Definition: tls_misc.c:674
uint16_t dtlsTranslateVersion(uint16_t version)
Translate TLS version into DTLS version.
Definition: dtls_misc.c:111
__start_packed struct @70 TlsSupportedVersionList
List of supported versions.
error_t tlsSelectEcdheGroup(TlsContext *context, const TlsSupportedGroupList *groupList)
Select the named curve to be used when performing ECDHE key exchange.
PEM file import functions.
size_t contextSize
Definition: crypto.h:1059
const TlsFfdheGroup * tlsGetFfdheGroup(TlsContext *context, uint16_t namedGroup)
Get the FFDHE parameters that match the specified named group.
Definition: tls_ffdhe.c:313
#define LOAD16BE(p)
Definition: cpu_endian.h:168
error_t ecdhCheckPublicKey(const EcDomainParameters *params, EcPoint *publicKey)
Check ECDH public key.
Definition: ecdh.c:270
Handshake message processing (TLS client and server)
error_t tlsSelectFfdheGroup(TlsContext *context, const TlsSupportedGroupList *groupList)
Select the named group to be used when performing FFDHE key exchange.
Definition: tls_ffdhe.c:173
MD5 algorithm context.
Definition: md5.h:54
__start_packed struct @79 TlsPskIdentity
PSK identity.
#define MIN(a, b)
Definition: os_port.h:60
uint8_t signature
Definition: tls.h:1364
#define TLS_VERSION_1_2
Definition: tls.h:83
Helper functions for TLS server.
error_t tlsParseClientSupportedVersionsExtension(TlsContext *context, const TlsSupportedVersionList *supportedVersionList)
Parse SupportedVersions extension.
__start_packed struct @82 Tls12DigitalSignature
Digitally-signed element (TLS 1.2)
error_t ecdhGenerateKeyPair(EcdhContext *context, const PrngAlgo *prngAlgo, void *prngContext)
ECDH key pair generation.
Definition: ecdh.c:85
void rsaFreePrivateKey(RsaPrivateKey *key)
Release a RSA private key.
Definition: rsa.c:145
error_t tls12GenerateServerKeySignature(TlsContext *context, Tls12DigitalSignature *signature, const uint8_t *params, size_t paramsLen, size_t *written)
Sign server&#39;s key exchange parameters (TLS 1.2)
uint16_t serverVersion
Definition: dtls_misc.h:192
TLS cipher suites.
void sha1Final(Sha1Context *context, uint8_t *digest)
Finish the SHA-1 message digest.
Definition: sha1.c:186
error_t dhCheckPublicKey(DhParameters *params, const Mpi *publicKey)
Check Diffie-Hellman public value.
Definition: dh.c:152
Success.
Definition: error.h:42
error_t tlsSelectCipherSuite(TlsContext *context, uint16_t identifier)
Set cipher suite.
Definition: tls_misc.c:247
error_t
Error codes.
Definition: error.h:40
error_t rsassaPkcs1v15Sign(const RsaPrivateKey *key, const HashAlgo *hash, const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
RSASSA-PKCS1-v1_5 signature generation operation.
Definition: rsa.c:642
uint8_t extensions[]
Definition: tls13_misc.h:322
error_t tlsParseClientKeyParams(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse client&#39;s key exchange parameters.
unsigned int uint_t
Definition: compiler_port.h:43
#define STORE16BE(a, p)
Definition: cpu_endian.h:244
uint16_t clientVersion
Definition: tls.h:1607
__start_packed struct @62 TlsCipherSuites
Cipher suites.
TlsSessionState * tlsFindCache(TlsCache *cache, const uint8_t *sessionId, size_t sessionIdLen)
Search the session cache for a given session ID.
Definition: tls_cache.c:95
void sha1Update(Sha1Context *context, const void *data, size_t length)
Update the SHA-1 context with a portion of the message being hashed.
Definition: sha1.c:147
__start_packed struct @81 TlsDigitalSignature
Digitally-signed element (SSL 3.0, TLS 1.0 and TLS 1.1)
error_t dhComputeSharedSecret(DhContext *context, uint8_t *output, size_t outputSize, size_t *outputLen)
Compute Diffie-Hellman shared secret.
Definition: dh.c:188
Hello extensions.
Definition: tls.h:1878
error_t tlsGenerateEcdsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, uint8_t *signature, size_t *signatureLen)
Generate ECDSA signature.
error_t tlsGenerateServerKeySignature(TlsContext *context, TlsDigitalSignature *signature, const uint8_t *params, size_t paramsLen, size_t *written)
Sign server&#39;s key exchange parameters (SSL 3.0, TLS 1.0 and TLS 1.1)
error_t tlsGenerateEddsaSignature(TlsContext *context, const uint8_t *message, size_t messageLen, uint8_t *signature, size_t *signatureLen)
Generate EdDSA signature.
void md5Init(Md5Context *context)
Initialize MD5 message digest context.
Definition: md5.c:131
#define MD5_DIGEST_SIZE
Definition: md5.h:38
const char_t * tlsGetCipherSuiteName(uint16_t identifier)
Convert cipher suite identifier to string representation.
bool_t tlsIsCertificateAcceptable(TlsContext *context, const TlsCertDesc *cert, const uint8_t *certTypes, size_t numCertTypes, const TlsSignHashAlgos *signHashAlgos, const TlsSignHashAlgos *certSignHashAlgos, const TlsSupportedGroupList *curveList, const TlsCertAuthorities *certAuthorities)
Check whether a certificate is acceptable.
RSA/DSA/ECDSA/EdDSA signature generation and verification.
HashAlgoFinal final
Definition: crypto.h:1065
#define tlsAllocMem(size)
Definition: tls.h:755
uint16_t cipherSuite
Cipher suite identifier.
Definition: tls.h:1823
error_t tlsFormatPskIdentityHint(TlsContext *context, uint8_t *p, size_t *written)
Format PSK identity hint.
size_t digestSize
Definition: crypto.h:1061
error_t ecdhComputeSharedSecret(EcdhContext *context, uint8_t *output, size_t outputSize, size_t *outputLen)
Compute ECDH shared secret.
Definition: ecdh.c:383
Common interface for hash algorithms.
Definition: crypto.h:1054
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
Handshake message processing (TLS server)
const EcCurveInfo * tlsGetCurveInfo(TlsContext *context, uint16_t namedCurve)
Get the EC domain parameters that match the specified named curve.
Definition: tls_misc.c:897
RSA private key.
Definition: rsa.h:57
HashAlgoUpdate update
Definition: crypto.h:1064
#define FALSE
Definition: os_port.h:44
#define TlsContext
Definition: tls.h:34
Formatting and parsing of extensions (TLS server)
error_t tlsNegotiateVersion(TlsContext *context, uint16_t clientVersion, const TlsSupportedVersionList *supportedVersionList)
Version negotiation.
error_t dtlsSelectVersion(TlsContext *context, uint16_t version)
Set the DTLS version to be used.
Definition: dtls_misc.c:52
int bool_t
Definition: compiler_port.h:47
Session cache management.
error_t tlsSelectGroup(TlsContext *context, const TlsSupportedGroupList *groupList)
Select the group to be used when performing (EC)DHE key exchange.
error_t tlsParsePskIdentity(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse PSK identity.
Certificate handling.
#define SSL_VERSION_3_0
Definition: tls.h:80
#define TRACE_DEBUG(...)
Definition: debug.h:98
__start_packed struct @80 TlsPskIdentityHint
PSK identity hint.
void md5Update(Md5Context *context, const void *data, size_t length)
Update the MD5 context with a portion of the message being hashed.
Definition: md5.c:153