tls_server_misc.c
Go to the documentation of this file.
1 /**
2  * @file tls_server_misc.c
3  * @brief Helper functions for TLS server
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 1.9.6
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include <string.h>
36 #include "tls.h"
37 #include "tls_cipher_suites.h"
38 #include "tls_server.h"
39 #include "tls_server_extensions.h"
40 #include "tls_server_misc.h"
41 #include "tls_common.h"
42 #include "tls_extensions.h"
43 #include "tls_certificate.h"
44 #include "tls_signature.h"
45 #include "tls_cache.h"
46 #include "tls_ffdhe.h"
47 #include "tls_record.h"
48 #include "tls_misc.h"
49 #include "pkix/pem_import.h"
50 #include "debug.h"
51 
52 //Check TLS library configuration
53 #if (TLS_SUPPORT == ENABLED && TLS_SERVER_SUPPORT == ENABLED)
54 
55 
56 /**
57  * @brief Format PSK identity hint
58  * @param[in] context Pointer to the TLS context
59  * @param[in] p Output stream where to write the PSK identity hint
60  * @param[out] written Total number of bytes that have been written
61  * @return Error code
62  **/
63 
65  uint8_t *p, size_t *written)
66 {
67  size_t n;
68  TlsPskIdentityHint *pskIdentityHint;
69 
70  //Point to the PSK identity hint
71  pskIdentityHint = (TlsPskIdentityHint *) p;
72 
73 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
74  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
75  //Any PSK identity hint defined?
76  if(context->pskIdentityHint != NULL)
77  {
78  //Determine the length of the PSK identity hint
79  n = strlen(context->pskIdentityHint);
80  //Copy PSK identity hint
81  memcpy(pskIdentityHint->value, context->pskIdentityHint, n);
82  }
83  else
84 #endif
85  {
86  //No PSK identity hint is provided
87  n = 0;
88  }
89 
90  //The PSK identity hint is preceded by a 2-byte length field
91  pskIdentityHint->length = htons(n);
92 
93  //Total number of bytes that have been written
94  *written = sizeof(TlsPskIdentityHint) + n;
95 
96  //Successful processing
97  return NO_ERROR;
98 }
99 
100 
101 /**
102  * @brief Format server's key exchange parameters
103  * @param[in] context Pointer to the TLS context
104  * @param[in] p Output stream where to write the server's key exchange parameters
105  * @param[out] written Total number of bytes that have been written
106  * @return Error code
107  **/
108 
110  uint8_t *p, size_t *written)
111 {
112  error_t error;
113 
114 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
115  //Initialize status code
116  error = NO_ERROR;
117 
118  //Total number of bytes that have been written
119  *written = 0;
120 
121 #if (TLS_DH_ANON_KE_SUPPORT == ENABLED || TLS_DHE_RSA_KE_SUPPORT == ENABLED || \
122  TLS_DHE_DSS_KE_SUPPORT == ENABLED || TLS_DHE_PSK_KE_SUPPORT == ENABLED)
123  //Diffie-Hellman key exchange method?
124  if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
125  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
126  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
127  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK)
128  {
129  size_t n;
130 
131 #if (TLS_FFDHE_SUPPORT == ENABLED)
132  const TlsFfdheGroup *ffdheGroup;
133 
134  //Get the FFDHE parameters that match the specified named group
135  ffdheGroup = tlsGetFfdheGroup(context, context->namedGroup);
136 
137  //Valid FFDHE group?
138  if(ffdheGroup != NULL)
139  {
140  //Load FFDHE parameters
141  error = tlsLoadFfdheParameters(&context->dhContext.params, ffdheGroup);
142  }
143 #endif
144 
145  //Check status code
146  if(!error)
147  {
148  //Generate an ephemeral key pair
149  error = dhGenerateKeyPair(&context->dhContext, context->prngAlgo,
150  context->prngContext);
151  }
152 
153  //Check status code
154  if(!error)
155  {
156  //Debug message
157  TRACE_DEBUG("Diffie-Hellman parameters:\r\n");
158  TRACE_DEBUG(" Prime modulus:\r\n");
159  TRACE_DEBUG_MPI(" ", &context->dhContext.params.p);
160  TRACE_DEBUG(" Generator:\r\n");
161  TRACE_DEBUG_MPI(" ", &context->dhContext.params.g);
162  TRACE_DEBUG(" Server public value:\r\n");
163  TRACE_DEBUG_MPI(" ", &context->dhContext.ya);
164 
165  //Encode the prime modulus to an opaque vector
166  error = tlsWriteMpi(&context->dhContext.params.p, p, &n);
167  }
168 
169  //Check status code
170  if(!error)
171  {
172  //Advance data pointer
173  p += n;
174  //Total number of bytes that have been written
175  *written += n;
176 
177  //Encode the generator to an opaque vector
178  error = tlsWriteMpi(&context->dhContext.params.g, p, &n);
179  }
180 
181  //Check status code
182  if(!error)
183  {
184  //Advance data pointer
185  p += n;
186  //Total number of bytes that have been written
187  *written += n;
188 
189  //Encode the server's public value to an opaque vector
190  error = tlsWriteMpi(&context->dhContext.ya, p, &n);
191  }
192 
193  //Check status code
194  if(!error)
195  {
196  //Advance data pointer
197  p += n;
198  //Adjust the length of the key exchange parameters
199  *written += n;
200  }
201  }
202  else
203 #endif
204 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
205  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
206  //ECDH key exchange method?
207  if(context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
208  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
209  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
210  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
211  {
212  size_t n;
213  const EcCurveInfo *curveInfo;
214 
215  //Retrieve the elliptic curve to be used
216  curveInfo = tlsGetCurveInfo(context, context->namedGroup);
217 
218  //Make sure the elliptic curve is supported
219  if(curveInfo != NULL)
220  {
221  //Load EC domain parameters
222  error = ecLoadDomainParameters(&context->ecdhContext.params,
223  curveInfo);
224 
225  //Check status code
226  if(!error)
227  {
228 #if (TLS_ECC_CALLBACK_SUPPORT == ENABLED)
229  //Any registered callback?
230  if(context->ecdhCallback != NULL)
231  {
232  //Invoke user callback function
233  error = context->ecdhCallback(context);
234  }
235  else
236 #endif
237  {
238  //No callback function defined
240  }
241 
242  //Check status code
244  {
245  //Generate an ephemeral key pair
246  error = ecdhGenerateKeyPair(&context->ecdhContext,
247  context->prngAlgo, context->prngContext);
248  }
249  }
250 
251  //Check status code
252  if(!error)
253  {
254  //Debug message
255  TRACE_DEBUG(" Server public key X:\r\n");
256  TRACE_DEBUG_MPI(" ", &context->ecdhContext.qa.x);
257  TRACE_DEBUG(" Server public key Y:\r\n");
258  TRACE_DEBUG_MPI(" ", &context->ecdhContext.qa.y);
259 
260  //Set the type of the elliptic curve domain parameters
262 
263  //Advance data pointer
264  p += sizeof(uint8_t);
265  //Total number of bytes that have been written
266  *written += sizeof(uint8_t);
267 
268  //Write elliptic curve identifier
269  STORE16BE(context->namedGroup, p);
270 
271  //Advance data pointer
272  p += sizeof(uint16_t);
273  //Total number of bytes that have been written
274  *written += sizeof(uint16_t);
275 
276  //Write server's public key
277  error = tlsWriteEcPoint(&context->ecdhContext.params,
278  &context->ecdhContext.qa, p, &n);
279  }
280 
281  //Check status code
282  if(!error)
283  {
284  //Advance data pointer
285  p +=n;
286  //Total number of bytes that have been written
287  *written += n;
288  }
289  }
290  else
291  {
292  //The specified elliptic curve is not supported
293  error = ERROR_FAILURE;
294  }
295  }
296  else
297 #endif
298  //Any other exchange method?
299  {
300  //It is not legal to send the ServerKeyExchange message when a key
301  //exchange method other than DHE_DSS, DHE_RSA, DH_anon, ECDHE_RSA,
302  //ECDHE_ECDSA or ECDH_anon is selected
303  error = ERROR_FAILURE;
304  }
305 #else
306  //Not implemented
307  error = ERROR_NOT_IMPLEMENTED;
308 #endif
309 
310  //Return status code
311  return error;
312 }
313 
314 
315 /**
316  * @brief Sign server's key exchange parameters (SSL 3.0, TLS 1.0 and TLS 1.1)
317  * @param[in] context Pointer to the TLS context
318  * @param[in] signature Output stream where to write the digital signature
319  * @param[in] params Pointer to the server's key exchange parameters
320  * @param[in] paramsLen Length of the server's key exchange parameters
321  * @param[out] written Total number of bytes that have been written
322  * @return Error code
323  **/
324 
326  TlsDigitalSignature *signature, const uint8_t *params,
327  size_t paramsLen, size_t *written)
328 {
329  error_t error;
330 
331 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)
332  //Initialize status code
333  error = NO_ERROR;
334 
335  //Total number of bytes that have been written
336  *written = 0;
337 
338 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
339  //RSA certificate?
340  if(context->cert->type == TLS_CERT_RSA_SIGN)
341  {
342  Md5Context *md5Context;
343  Sha1Context *sha1Context;
344  RsaPrivateKey privateKey;
345 
346  //Initialize RSA private key
347  rsaInitPrivateKey(&privateKey);
348 
349  //Allocate a memory buffer to hold the MD5 context
350  md5Context = tlsAllocMem(sizeof(Md5Context));
351 
352  //Successful memory allocation?
353  if(md5Context != NULL)
354  {
355  //Compute MD5(ClientHello.random + ServerHello.random +
356  //ServerKeyExchange.params)
357  md5Init(md5Context);
358  md5Update(md5Context, context->clientRandom, TLS_RANDOM_SIZE);
359  md5Update(md5Context, context->serverRandom, TLS_RANDOM_SIZE);
360  md5Update(md5Context, params, paramsLen);
361  md5Final(md5Context, context->serverVerifyData);
362 
363  //Release previously allocated memory
364  tlsFreeMem(md5Context);
365  }
366  else
367  {
368  //Failed to allocate memory
369  error = ERROR_OUT_OF_MEMORY;
370  }
371 
372  //Check status code
373  if(!error)
374  {
375  //Allocate a memory buffer to hold the SHA-1 context
376  sha1Context = tlsAllocMem(sizeof(Sha1Context));
377 
378  //Successful memory allocation?
379  if(sha1Context != NULL)
380  {
381  //Compute SHA(ClientHello.random + ServerHello.random +
382  //ServerKeyExchange.params)
383  sha1Init(sha1Context);
384  sha1Update(sha1Context, context->clientRandom, TLS_RANDOM_SIZE);
385  sha1Update(sha1Context, context->serverRandom, TLS_RANDOM_SIZE);
386  sha1Update(sha1Context, params, paramsLen);
387  sha1Final(sha1Context, context->serverVerifyData + MD5_DIGEST_SIZE);
388 
389  //Release previously allocated memory
390  tlsFreeMem(sha1Context);
391  }
392  else
393  {
394  //Failed to allocate memory
395  error = ERROR_OUT_OF_MEMORY;
396  }
397  }
398 
399  //Check status code
400  if(!error)
401  {
402  //Decode the PEM structure that holds the RSA private key
403  error = pemImportRsaPrivateKey(context->cert->privateKey,
404  context->cert->privateKeyLen, &privateKey);
405  }
406 
407  //Check status code
408  if(!error)
409  {
410  //Sign the key exchange parameters using RSA
411  error = tlsGenerateRsaSignature(&privateKey,
412  context->serverVerifyData, signature->value, written);
413  }
414 
415  //Release previously allocated resources
416  rsaFreePrivateKey(&privateKey);
417  }
418  else
419 #endif
420 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
421  //DSA certificate?
422  if(context->cert->type == TLS_CERT_DSS_SIGN)
423  {
424  Sha1Context *sha1Context;
425 
426  //Allocate a memory buffer to hold the SHA-1 context
427  sha1Context = tlsAllocMem(sizeof(Sha1Context));
428 
429  //Successful memory allocation?
430  if(sha1Context != NULL)
431  {
432  //Compute SHA(ClientHello.random + ServerHello.random +
433  //ServerKeyExchange.params)
434  sha1Init(sha1Context);
435  sha1Update(sha1Context, context->clientRandom, TLS_RANDOM_SIZE);
436  sha1Update(sha1Context, context->serverRandom, TLS_RANDOM_SIZE);
437  sha1Update(sha1Context, params, paramsLen);
438  sha1Final(sha1Context, context->serverVerifyData);
439 
440  //Release previously allocated memory
441  tlsFreeMem(sha1Context);
442  }
443  else
444  {
445  //Failed to allocate memory
446  error = ERROR_OUT_OF_MEMORY;
447  }
448 
449  //Check status code
450  if(!error)
451  {
452  //Sign the key exchange parameters using DSA
453  error = tlsGenerateDsaSignature(context, context->serverVerifyData,
454  SHA1_DIGEST_SIZE, signature->value, written);
455  }
456  }
457  else
458 #endif
459 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
460  //ECDSA certificate?
461  if(context->cert->type == TLS_CERT_ECDSA_SIGN)
462  {
463  Sha1Context *sha1Context;
464 
465  //Allocate a memory buffer to hold the SHA-1 context
466  sha1Context = tlsAllocMem(sizeof(Sha1Context));
467 
468  //Successful memory allocation?
469  if(sha1Context != NULL)
470  {
471  //Compute SHA(ClientHello.random + ServerHello.random +
472  //ServerKeyExchange.params)
473  sha1Init(sha1Context);
474  sha1Update(sha1Context, context->clientRandom, TLS_RANDOM_SIZE);
475  sha1Update(sha1Context, context->serverRandom, TLS_RANDOM_SIZE);
476  sha1Update(sha1Context, params, paramsLen);
477  sha1Final(sha1Context, context->serverVerifyData);
478 
479  //Release previously allocated memory
480  tlsFreeMem(sha1Context);
481  }
482  else
483  {
484  //Failed to allocate memory
485  error = ERROR_OUT_OF_MEMORY;
486  }
487 
488  //Check status code
489  if(!error)
490  {
491  //Sign the key exchange parameters using ECDSA
492  error = tlsGenerateEcdsaSignature(context, context->serverVerifyData,
493  SHA1_DIGEST_SIZE, signature->value, written);
494  }
495  }
496  else
497 #endif
498  //Invalid certificate?
499  {
500  //Report an error
502  }
503 
504  //Check status code
505  if(!error)
506  {
507  //Fix the length of the digitally-signed element
508  signature->length = htons(*written);
509  //Adjust the length of the signature
510  *written += sizeof(TlsDigitalSignature);
511  }
512 #else
513  //Not implemented
514  error = ERROR_NOT_IMPLEMENTED;
515 #endif
516 
517  //Return status code
518  return error;
519 }
520 
521 
522 /**
523  * @brief Sign server's key exchange parameters (TLS 1.2)
524  * @param[in] context Pointer to the TLS context
525  * @param[in] signature Output stream where to write the digital signature
526  * @param[in] params Pointer to the server's key exchange parameters
527  * @param[in] paramsLen Length of the server's key exchange parameters
528  * @param[out] written Total number of bytes that have been written
529  * @return Error code
530  **/
531 
533  Tls12DigitalSignature *signature, const uint8_t *params,
534  size_t paramsLen, size_t *written)
535 {
536  error_t error;
537 
538 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
539  //Initialize status code
540  error = NO_ERROR;
541 
542  //Total number of bytes that have been written
543  *written = 0;
544 
545 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED || \
546  TLS_DSA_SIGN_SUPPORT == ENABLED || TLS_ECDSA_SIGN_SUPPORT == ENABLED)
547  //RSA, DSA or ECDSA signature scheme?
548  if(context->signAlgo == TLS_SIGN_ALGO_RSA ||
549  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
550  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
551  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 ||
552  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256 ||
553  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384 ||
554  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512 ||
555  context->signAlgo == TLS_SIGN_ALGO_DSA ||
556  context->signAlgo == TLS_SIGN_ALGO_ECDSA)
557  {
558  const HashAlgo *hashAlgo;
559  HashContext *hashContext;
560 
561  //Retrieve the hash algorithm used for signing
562  if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
563  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256)
564  {
565  //The hashing is intrinsic to the signature algorithm
567  }
568  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
569  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384)
570  {
571  //The hashing is intrinsic to the signature algorithm
573  }
574  else if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 ||
575  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
576  {
577  //The hashing is intrinsic to the signature algorithm
579  }
580  else
581  {
582  //Select the relevant hash algorithm
583  hashAlgo = tlsGetHashAlgo(context->signHashAlgo);
584  }
585 
586  //Make sure the hash algorithm is supported
587  if(hashAlgo != NULL)
588  {
589  //Allocate a memory buffer to hold the hash context
590  hashContext = tlsAllocMem(hashAlgo->contextSize);
591 
592  //Successful memory allocation?
593  if(hashContext != NULL)
594  {
595  //Compute hash(ClientHello.random + ServerHello.random +
596  //ServerKeyExchange.params)
597  hashAlgo->init(hashContext);
598  hashAlgo->update(hashContext, context->clientRandom, TLS_RANDOM_SIZE);
599  hashAlgo->update(hashContext, context->serverRandom, TLS_RANDOM_SIZE);
600  hashAlgo->update(hashContext, params, paramsLen);
601  hashAlgo->final(hashContext, NULL);
602 
603 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
604  //RSA signature scheme?
605  if(context->signAlgo == TLS_SIGN_ALGO_RSA)
606  {
607  RsaPrivateKey privateKey;
608 
609  //Initialize RSA private key
610  rsaInitPrivateKey(&privateKey);
611 
612  //Set the relevant signature algorithm
613  signature->algorithm.signature = TLS_SIGN_ALGO_RSA;
614  signature->algorithm.hash = context->signHashAlgo;
615 
616  //Decode the PEM structure that holds the RSA private key
617  error = pemImportRsaPrivateKey(context->cert->privateKey,
618  context->cert->privateKeyLen, &privateKey);
619 
620  //Check status code
621  if(!error)
622  {
623  //Generate RSA signature (RSASSA-PKCS1-v1_5 signature scheme)
624  error = rsassaPkcs1v15Sign(&privateKey, hashAlgo,
625  hashContext->digest, signature->value, written);
626  }
627 
628  //Release previously allocated resources
629  rsaFreePrivateKey(&privateKey);
630  }
631  else
632 #endif
633 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
634  //RSA-PSS signature scheme?
635  if(context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 ||
636  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 ||
637  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 ||
638  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256 ||
639  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384 ||
640  context->signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512)
641  {
642  RsaPrivateKey privateKey;
643 
644  //Initialize RSA private key
645  rsaInitPrivateKey(&privateKey);
646 
647  //Set the relevant signature algorithm
648  signature->algorithm.signature = context->signAlgo;
649  signature->algorithm.hash = TLS_HASH_ALGO_INTRINSIC;
650 
651  //Decode the PEM structure that holds the RSA private key
652  error = pemImportRsaPrivateKey(context->cert->privateKey,
653  context->cert->privateKeyLen, &privateKey);
654 
655  //Check status code
656  if(!error)
657  {
658  //Generate RSA signature (RSASSA-PSS signature scheme)
659  error = rsassaPssSign(context->prngAlgo, context->prngContext,
660  &privateKey, hashAlgo, hashAlgo->digestSize,
661  hashContext->digest, signature->value, written);
662  }
663 
664  //Release previously allocated resources
665  rsaFreePrivateKey(&privateKey);
666  }
667  else
668 #endif
669 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
670  //DSA signature scheme?
671  if(context->signAlgo == TLS_SIGN_ALGO_DSA)
672  {
673  //Set the relevant signature algorithm
674  signature->algorithm.signature = TLS_SIGN_ALGO_DSA;
675  signature->algorithm.hash = context->signHashAlgo;
676 
677  //Sign the key exchange parameters using DSA
678  error = tlsGenerateDsaSignature(context, hashContext->digest,
679  hashAlgo->digestSize, signature->value, written);
680  }
681  else
682 #endif
683 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
684  //ECDSA signature scheme?
685  if(context->signAlgo == TLS_SIGN_ALGO_ECDSA)
686  {
687  //Set the relevant signature algorithm
688  signature->algorithm.signature = TLS_SIGN_ALGO_ECDSA;
689  signature->algorithm.hash = context->signHashAlgo;
690 
691  //Sign the key exchange parameters using ECDSA
692  error = tlsGenerateEcdsaSignature(context, hashContext->digest,
693  hashAlgo->digestSize, signature->value, written);
694  }
695  else
696 #endif
697  //Invalid signature scheme?
698  {
699  //Report an error
701  }
702 
703  //Release previously allocated memory
704  tlsFreeMem(hashContext);
705  }
706  else
707  {
708  //Failed to allocate memory
709  error = ERROR_OUT_OF_MEMORY;
710  }
711  }
712  else
713  {
714  //Hash algorithm not supported
716  }
717  }
718  else
719 #endif
720 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
721  //EdDSA signature scheme?
722  if(context->signAlgo == TLS_SIGN_ALGO_ED25519 ||
723  context->signAlgo == TLS_SIGN_ALGO_ED448)
724  {
725  uint8_t *buffer;
726 
727  //A temporary buffer is needed to concatenate ClientHello.random +
728  //ServerHello.random + ServerKeyExchange.params
729  buffer = tlsAllocMem(paramsLen + 2 * TLS_RANDOM_SIZE);
730 
731  //Successful memory allocation?
732  if(buffer != NULL)
733  {
734  //Data to be verified is run through the EdDSA algorithm with no
735  //hashing
736  memcpy(buffer, context->clientRandom, TLS_RANDOM_SIZE);
737  memcpy(buffer + 32, context->serverRandom, TLS_RANDOM_SIZE);
738  memcpy(buffer + 64, params, paramsLen);
739 
740 #if (TLS_ED25519_SUPPORT == ENABLED)
741  //Ed25519 signature scheme?
742  if(context->signAlgo == TLS_SIGN_ALGO_ED25519)
743  {
744  //The hashing is intrinsic to the signature algorithm
745  signature->algorithm.signature = TLS_SIGN_ALGO_ED25519;
746  signature->algorithm.hash = TLS_HASH_ALGO_INTRINSIC;
747 
748  //Sign the key exchange parameters using EdDSA
749  error = tlsGenerateEddsaSignature(context, buffer, paramsLen + 64,
750  signature->value, written);
751  }
752  else
753 #endif
754 #if (TLS_ED448_SUPPORT == ENABLED)
755  //Ed448 signature scheme?
756  if(context->signAlgo == TLS_SIGN_ALGO_ED448)
757  {
758  //The hashing is intrinsic to the signature algorithm
759  signature->algorithm.signature = TLS_SIGN_ALGO_ED448;
760  signature->algorithm.hash = TLS_HASH_ALGO_INTRINSIC;
761 
762  //Sign the key exchange parameters using EdDSA
763  error = tlsGenerateEddsaSignature(context, buffer, paramsLen + 64,
764  signature->value, written);
765  }
766  else
767 #endif
768  //Invalid signature scheme?
769  {
770  //Report an error
772  }
773 
774  //Release previously allocated memory
775  tlsFreeMem(buffer);
776  }
777  else
778  {
779  //Failed to allocate memory
780  error = ERROR_OUT_OF_MEMORY;
781  }
782  }
783  else
784 #endif
785  //Invalid signature scheme?
786  {
787  //Report an error
789  }
790 
791  //Check status code
792  if(!error)
793  {
794  //Fix the length of the digitally-signed element
795  signature->length = htons(*written);
796  //Adjust the length of the message
797  *written += sizeof(Tls12DigitalSignature);
798  }
799 #else
800  //Not implemented
801  error = ERROR_NOT_IMPLEMENTED;
802 #endif
803 
804  //Return status code
805  return error;
806 }
807 
808 
809 /**
810  * @brief Check whether the ClientHello includes any SCSV cipher suites
811  * @param[in] context Pointer to the TLS context
812  * @param[in] cipherSuites List of cipher suites offered by the client
813  * @return Error code
814  **/
815 
817  const TlsCipherSuites *cipherSuites)
818 {
819  error_t error;
820  uint_t i;
821  uint_t n;
822  uint16_t serverVersion;
823 
824  //Initialize status code
825  error = NO_ERROR;
826 
827  //Get the highest version supported by the implementation (legacy version)
828  serverVersion = MIN(context->versionMax, TLS_VERSION_1_2);
829 
830 #if (DTLS_SUPPORT == ENABLED)
831  //DTLS protocol?
832  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
833  {
834  //Translate TLS version into DTLS version
836  }
837 #endif
838 
839  //Get the number of cipher suite identifiers present in the list
840  n = ntohs(cipherSuites->length) / 2;
841 
842  //Debug message
843  TRACE_DEBUG("Cipher suites:\r\n");
844 
845  //Loop through the list of cipher suite identifiers
846  for(i = 0; i < n; i++)
847  {
848  //Debug message
849  TRACE_DEBUG(" 0x%04" PRIX16 " (%s)\r\n", ntohs(cipherSuites->value[i]),
850  tlsGetCipherSuiteName(ntohs(cipherSuites->value[i])));
851 
852 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
853  //TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite?
854  if(ntohs(cipherSuites->value[i]) == TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
855  {
856  //Initial handshake?
857  if(context->clientVerifyDataLen == 0)
858  {
859  //Set the secure_renegotiation flag to TRUE
860  context->secureRenegoFlag = TRUE;
861  }
862  //Secure renegotiation?
863  else
864  {
865  //When a ClientHello is received, the server must verify that it
866  //does not contain the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If
867  //the SCSV is present, the server must abort the handshake
868  error = ERROR_HANDSHAKE_FAILED;
869  break;
870  }
871  }
872  else
873 #endif
874  //TLS_FALLBACK_SCSV signaling cipher suite?
875  if(ntohs(cipherSuites->value[i]) == TLS_FALLBACK_SCSV)
876  {
877 #if (DTLS_SUPPORT == ENABLED)
878  //DTLS protocol?
879  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
880  {
881  //Test if the highest protocol version supported by the server is
882  //higher than the version indicated by the client
883  if(serverVersion < context->clientVersion)
884  {
885  //The server must respond with a fatal inappropriate_fallback alert
887  break;
888  }
889  }
890  else
891 #endif
892  //TLS protocol?
893  {
894  //Test if the highest protocol version supported by the server is
895  //higher than the version indicated by the client
896  if(serverVersion > context->clientVersion)
897  {
898  //The server must respond with a fatal inappropriate_fallback alert
900  break;
901  }
902  }
903  }
904  }
905 
906  //Return status code
907  return error;
908 }
909 
910 
911 /**
912  * @brief Resume TLS session via session ID
913  * @param[in] context Pointer to the TLS context
914  * @param[in] sessionId Pointer to the session ID offered by the client
915  * @param[in] sessionIdLen Length of the session ID, in bytes
916  * @param[in] cipherSuites List of cipher suites offered by the client
917  * @param[in] extensions ClientHello extensions offered by the client
918  * @return Error code
919  **/
920 
922  size_t sessionIdLen, const TlsCipherSuites *cipherSuites,
924 {
925  error_t error;
926 
927 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
928  //Initialize status code
929  error = NO_ERROR;
930 
931 #if (TLS_SESSION_RESUME_SUPPORT == ENABLED)
932  //Check whether session caching is supported
933  if(context->cache != NULL)
934  {
935  uint_t i;
936  uint_t n;
937  TlsSessionState *session;
938 
939  //If the session ID was non-empty, the server will look in its
940  //session cache for a match
941  session = tlsFindCache(context->cache, sessionId, sessionIdLen);
942 
943  //Matching session found?
944  if(session != NULL)
945  {
946  //Whenever a client already knows the highest protocol version known
947  //to a server (for example, when resuming a session), it should
948  //initiate the connection in that native protocol
949  if(session->version != context->version)
950  session = NULL;
951  }
952 
953  //Matching session found?
954  if(session != NULL)
955  {
956  //Get the total number of cipher suites offered by the client
957  n = ntohs(cipherSuites->length) / 2;
958 
959  //Loop through the list of cipher suite identifiers
960  for(i = 0; i < n; i++)
961  {
962  //Matching cipher suite?
963  if(ntohs(cipherSuites->value[i]) == session->cipherSuite)
964  break;
965  }
966 
967  //If the cipher suite is not present in the list cipher suites offered
968  //by the client, the server must not perform the abbreviated handshake
969  if(i >= n)
970  session = NULL;
971  }
972 
973 #if (TLS_SNI_SUPPORT == ENABLED)
974  //Matching session found?
975  if(session != NULL)
976  {
977  //ServerName extension found?
978  if(session->serverName != NULL && context->serverName != NULL)
979  {
980  //A server that implements this extension must not accept the
981  //request to resume the session if the ServerName extension contains
982  //a different name (refer to RFC 6066, section 3)
983  if(strcmp(session->serverName, context->serverName))
984  {
985  //Instead, the server proceeds with a full handshake to establish
986  //a new session
987  session = NULL;
988  }
989  }
990  else if(session->serverName == NULL && context->serverName == NULL)
991  {
992  //The ServerName extension is not present
993  }
994  else
995  {
996  //The server proceeds with a full handshake to establish a new
997  //session
998  session = NULL;
999  }
1000  }
1001 #endif
1002 
1003 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
1004  //Matching session found?
1005  if(session != NULL)
1006  {
1007  //ExtendedMasterSecret extension found?
1008  if(extensions->extendedMasterSecret != NULL)
1009  {
1010  //If the original session did not use the ExtendedMasterSecret
1011  //extension but the new ClientHello contains the extension, then
1012  //the server must not perform the abbreviated handshake
1013  if(!session->extendedMasterSecret)
1014  session = NULL;
1015  }
1016  }
1017 #endif
1018 
1019  //Check whether the server has decided to resume a previous session
1020  if(session != NULL)
1021  {
1022  //Perform abbreviated handshake
1023  context->resume = TRUE;
1024  //Restore cached session parameters
1025  tlsRestoreSessionState(context, session);
1026 
1027  //Select the relevant cipher suite
1028  error = tlsSelectCipherSuite(context, session->cipherSuite);
1029  }
1030  else
1031  {
1032  //Perform a full handshake
1033  context->resume = FALSE;
1034  //Session ID is limited to 32 bytes
1035  context->sessionIdLen = 32;
1036 
1037  //Generate a new random ID
1038  error = context->prngAlgo->read(context->prngContext,
1039  context->sessionId, context->sessionIdLen);
1040  }
1041  }
1042  else
1043 #endif
1044  {
1045  //Perform a full handshake
1046  context->resume = FALSE;
1047  //The session cannot be resumed
1048  context->sessionIdLen = 0;
1049  }
1050 #else
1051  //Not implemented
1052  error = ERROR_NOT_IMPLEMENTED;
1053 #endif
1054 
1055  //Return status code
1056  return error;
1057 }
1058 
1059 
1060 /**
1061  * @brief Version negotiation
1062  * @param[in] context Pointer to the TLS context
1063  * @param[in] clientVersion Highest version number supported by the client (legacy version)
1064  * @param[in] supportedVersionList Pointer to the SupportedVersions extensions
1065  * @return Error code
1066  **/
1067 
1069  const TlsSupportedVersionList *supportedVersionList)
1070 {
1071  error_t error;
1072  uint16_t serverVersion;
1073 
1074  //Get the highest version supported by the implementation
1075  serverVersion = context->versionMax;
1076 
1077 #if (DTLS_SUPPORT == ENABLED)
1078  //DTLS protocol?
1079  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
1080  {
1081  //In DTLS 1.2, the client can indicate its version preferences in the
1082  //SupportedVersions extension
1083  if(supportedVersionList != NULL && context->versionMax >= TLS_VERSION_1_2)
1084  {
1085  //If the SupportedVersions extension is present in the ClientHello,
1086  //servers must only select a version of DTLS present in that extension
1088  (DtlsSupportedVersionList *) supportedVersionList);
1089  }
1090  else
1091  {
1092  //If the SupportedVersions extension is not present, servers must
1093  //negotiate DTLS 1.2 or prior
1095 
1096  //Translate TLS version into DTLS version
1098 
1099  //If a DTLS server receives a ClientHello containing a version number
1100  //greater than the highest version supported by the server, it must
1101  //reply according to the highest version supported by the server
1103 
1104  //Set the DTLS version to be used
1105  error = dtlsSelectVersion(context, serverVersion);
1106  }
1107  }
1108  else
1109 #endif
1110  //TLS protocol?
1111  {
1112  //In TLS 1.2, the client can indicate its version preferences in the
1113  //SupportedVersions extension
1114  if(supportedVersionList != NULL && context->versionMax >= TLS_VERSION_1_2)
1115  {
1116  //If the SupportedVersions extension is present in the ClientHello,
1117  //servers must only select a version of TLS present in that extension
1119  supportedVersionList);
1120 
1121  //Check status code
1122  if(!error)
1123  {
1124  //Check whether TLS 1.3 has been negotiated
1125  if(context->version == TLS_VERSION_1_3)
1126  {
1127  //The legacy_version field must be set to 0x0303, which is the
1128  //version number for TLS 1.2
1131  }
1132  }
1133  }
1134  else
1135  {
1136  //If the SupportedVersions extension is not present, servers must
1137  //negotiate TLS 1.2 or prior, even if the legacy_version of the
1138  //ClientHello is 0x0304 or later (refer to RFC 8446, section 4.2.1)
1140 
1141  //If a TLS server receives a ClientHello containing a version number
1142  //greater than the highest version supported by the server, it must
1143  //reply according to the highest version supported by the server
1145 
1146  //Set the TLS version to be used
1147  error = tlsSelectVersion(context, serverVersion);
1148  }
1149  }
1150 
1151  //Return status code
1152  return error;
1153 }
1154 
1155 
1156 /**
1157  * @brief Cipher suite negotiation
1158  * @param[in] context Pointer to the TLS context
1159  * @param[in] hashAlgo Desired KDF hash algorithm
1160  * @param[in] cipherSuites List of cipher suites offered by the client
1161  * @param[in] extensions ClientHello extensions offered by the client
1162  * @return Error code
1163  **/
1164 
1166  const TlsCipherSuites *cipherSuites, TlsHelloExtensions *extensions)
1167 {
1168  error_t error;
1169  uint_t i;
1170  uint_t j;
1171  uint_t k;
1172  uint_t n;
1173 
1174  //Initialize status code
1175  error = ERROR_HANDSHAKE_FAILED;
1176 
1177  //If no SignatureAlgorithmsCert extension is present in the ClientHello
1178  //message, then the SignatureAlgorithms extension also applies to signatures
1179  //appearing in certificates (RFC 8446, section 4.2.3)
1180  if(extensions->certSignAlgoList == NULL)
1181  {
1182  extensions->certSignAlgoList = extensions->signAlgoList;
1183  }
1184 
1185  //Get the total number of cipher suites offered by the client
1186  n = ntohs(cipherSuites->length) / 2;
1187 
1188  //Select the most appropriate cipher suite (2-pass process)
1189  for(k = 0; k < 2 && error; k++)
1190  {
1191  //Any preferred cipher suites?
1192  if(context->numCipherSuites > 0)
1193  {
1194  //Loop through the list of allowed cipher suites (most preferred first)
1195  for(i = 0; i < context->numCipherSuites && error; i++)
1196  {
1197  //Loop through the list of cipher suites offered by the client
1198  for(j = 0; j < n && error; j++)
1199  {
1200  //If the list contains cipher suites the server does not
1201  //recognize, support, or wish to use, the server must ignore
1202  //those cipher suites, and process the remaining ones as usual
1203  if(context->cipherSuites[i] == ntohs(cipherSuites->value[j]))
1204  {
1205  //Select current cipher suite
1206  error = tlsSelectCipherSuite(context, context->cipherSuites[i]);
1207 
1208  //If a KDF hash algorithm has been specified, the server must
1209  //select a compatible cipher suite
1210  if(!error && hashAlgo != NULL)
1211  {
1212  //Make sure the selected cipher suite is compatible
1213  if(context->cipherSuite.prfHashAlgo != hashAlgo)
1214  error = ERROR_HANDSHAKE_FAILED;
1215  }
1216 
1217  //Check status code
1218  if(!error)
1219  {
1220  //Select the group to be used when performing (EC)DHE key
1221  //exchange
1222  error = tlsSelectGroup(context, extensions->supportedGroupList);
1223  }
1224 
1225  //Check status code
1226  if(!error)
1227  {
1228  //Select the appropriate certificate
1229  error = tlsSelectCertificate(context, extensions);
1230  }
1231  }
1232  }
1233  }
1234  }
1235  else
1236  {
1237  //The cipher suite list contains the combinations of cryptographic
1238  //algorithms supported by the client in order of the client's preference
1239  for(j = 0; j < n && error; j++)
1240  {
1241  //If the list contains cipher suites the server does not recognize,
1242  //support, or wish to use, the server must ignore those cipher suites,
1243  //and process the remaining ones as usual
1244  error = tlsSelectCipherSuite(context, ntohs(cipherSuites->value[j]));
1245 
1246  //If a KDF hash algorithm has been specified, the server must select
1247  //a compatible cipher suite
1248  if(!error && hashAlgo != NULL)
1249  {
1250  //Make sure the selected cipher suite is compatible
1251  if(context->cipherSuite.prfHashAlgo != hashAlgo)
1252  error = ERROR_HANDSHAKE_FAILED;
1253  }
1254 
1255  //Check status code
1256  if(!error)
1257  {
1258  //Select the group to be used when performing (EC)DHE key exchange
1259  error = tlsSelectGroup(context, extensions->supportedGroupList);
1260  }
1261 
1262  //Check status code
1263  if(!error)
1264  {
1265  //Select the appropriate certificate
1266  error = tlsSelectCertificate(context, extensions);
1267  }
1268  }
1269  }
1270 
1271  //The second pass relaxes the constraints
1272  extensions->certSignAlgoList = NULL;
1273  }
1274 
1275  //Return status code
1276  return error;
1277 }
1278 
1279 
1280 /**
1281  * @brief Select the group to be used when performing (EC)DHE key exchange
1282  * @param[in] context Pointer to the TLS context
1283  * @param[in] groupList List of named groups supported by the client
1284  * @return Error code
1285  **/
1286 
1288  const TlsSupportedGroupList *groupList)
1289 {
1290  error_t error;
1291 
1292  //Initialize status code
1293  error = NO_ERROR;
1294 
1295 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1296  //SSL 3.0, TLS 1.0, TLS 1.1 or TLS 1.2 currently selected?
1297  if(context->version <= TLS_VERSION_1_2)
1298  {
1299  //ECC cipher suite?
1300  if(context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1301  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1302  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
1303  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1304  {
1305  //One of the proposed ECC cipher suites must be negotiated only if the
1306  //server can successfully complete the handshake while using the curves
1307  //and point formats supported by the client
1308  error = tlsSelectEcdheGroup(context, groupList);
1309  }
1310 #if (TLS_FFDHE_SUPPORT == ENABLED)
1311  //FFDHE cipher suite?
1312  else if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1313  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1314  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1315  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK)
1316  {
1317  //If none of the client-proposed FFDHE groups are known and acceptable
1318  //to the server, then the server must not select an FFDHE cipher suite
1319  error = tlsSelectFfdheGroup(context, groupList);
1320  }
1321 #endif
1322  else
1323  {
1324  //The selected cipher suite does not provide forward secrecy
1325  }
1326  }
1327 #endif
1328 
1329  //Return status code
1330  return error;
1331 }
1332 
1333 
1334 /**
1335  * @brief Select the named curve to be used when performing ECDHE key exchange
1336  * @param[in] context Pointer to the TLS context
1337  * @param[in] groupList List of named groups supported by the peer
1338  * @return Error code
1339  **/
1340 
1342  const TlsSupportedGroupList *groupList)
1343 {
1344  error_t error;
1345  uint_t i;
1346  uint_t j;
1347  uint_t n;
1348  uint16_t namedGroup;
1349 
1350  //Initialize status code
1351  error = ERROR_HANDSHAKE_FAILED;
1352 
1353  //Reset the named group to its default value
1354  context->namedGroup = TLS_GROUP_NONE;
1355 
1356  //Check whether a list of named groups is offered by the client
1357  if(groupList != NULL)
1358  {
1359  //Get the number of named groups present in the list
1360  n = ntohs(groupList->length) / sizeof(uint16_t);
1361 
1362  //Any preferred groups?
1363  if(context->numSupportedGroups > 0)
1364  {
1365  //Loop through the list of allowed groups (most preferred first)
1366  for(i = 0; i < context->numSupportedGroups && error; i++)
1367  {
1368  //Loop through the list of named groups the client supports
1369  for(j = 0; j < n && error; j++)
1370  {
1371  //Convert the named group to host byte order
1372  namedGroup = ntohs(groupList->value[j]);
1373 
1374  //The named group to be used when performing ECDH key exchange
1375  //must be one of those present in the SupportedGroups extension
1376  if(context->supportedGroups[i] == namedGroup)
1377  {
1378  //Acceptable elliptic curve found?
1379  if(tlsGetCurveInfo(context, namedGroup) != NULL)
1380  {
1381  //Save the named curve
1382  context->namedGroup = namedGroup;
1383  error = NO_ERROR;
1384  }
1385  }
1386  }
1387  }
1388  }
1389  else
1390  {
1391  //The named group to be used when performing ECDH key exchange must
1392  //be one of those present in the SupportedGroups extension
1393  for(j = 0; j < n && error; j++)
1394  {
1395  //Convert the named group to host byte order
1396  namedGroup = ntohs(groupList->value[j]);
1397 
1398  //Acceptable elliptic curve found?
1399  if(tlsGetCurveInfo(context, namedGroup) != NULL)
1400  {
1401  //Save the named curve
1402  context->namedGroup = namedGroup;
1403  error = NO_ERROR;
1404  }
1405  }
1406  }
1407  }
1408  else
1409  {
1410  //A client that proposes ECC cipher suites may choose not to include
1411  //the SupportedGroups extension. In this case, the server is free to
1412  //choose any one of the elliptic curves it supports
1413  if(tlsGetCurveInfo(context, TLS_GROUP_SECP256R1) != NULL)
1414  {
1415 
1416  //Select secp256r1 elliptic curve
1417  context->namedGroup = TLS_GROUP_SECP256R1;
1418  error = NO_ERROR;
1419  }
1420  else if(tlsGetCurveInfo(context, TLS_GROUP_SECP384R1) != NULL)
1421  {
1422  //Select secp384r1 elliptic curve
1423  context->namedGroup = TLS_GROUP_SECP384R1;
1424  error = NO_ERROR;
1425  }
1426  else
1427  {
1428  //Just for sanity
1429  context->namedGroup = TLS_GROUP_NONE;
1430  }
1431  }
1432 
1433  //Return status code
1434  return error;
1435 }
1436 
1437 
1438 /**
1439  * @brief Certificate selection process
1440  * @param[in] context Pointer to the TLS context
1441  * @param[in] extensions ClientHello extensions offered by the client
1442  * @return Error code
1443  **/
1444 
1447 {
1448  error_t error;
1449  uint_t i;
1450  uint_t n;
1451  bool_t acceptable;
1452  uint8_t certTypes[2];
1453 
1454  //Initialize status code
1455  error = NO_ERROR;
1456 
1457  //Number of certificate types
1458  n = 0;
1459 
1460 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1461  //SSL 3.0, TLS 1.0, TLS 1.1 or TLS 1.2 currently selected?
1462  if(context->version <= TLS_VERSION_1_2)
1463  {
1464  //The server requires a valid certificate whenever the agreed-upon key
1465  //exchange method uses certificates for authentication
1466  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
1467  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1468  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1469  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1470  {
1471  //RSA, DHE_RSA, ECDHE_RSA and RSA_PSK key exchange methods require
1472  //an RSA certificate
1473  certTypes[n++] = TLS_CERT_RSA_SIGN;
1474  }
1475  else if(context->keyExchMethod == TLS_KEY_EXCH_DH_RSA)
1476  {
1477  //In DH_RSA, the server's certificate must contain a Diffie-Hellman
1478  //public key and be signed with RSA
1479  certTypes[n++] = TLS_CERT_RSA_FIXED_DH;
1480  }
1481  else if(context->keyExchMethod == TLS_KEY_EXCH_ECDH_RSA)
1482  {
1483  //In ECDH_RSA, the server's certificate must contain an ECDH-capable
1484  //public key and be signed with RSA
1485  certTypes[n++] = TLS_CERT_RSA_FIXED_ECDH;
1486  }
1487  else if(context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS)
1488  {
1489  //DHE_DSS key exchange method requires a DSA certificate
1490  certTypes[n++] = TLS_CERT_DSS_SIGN;
1491  }
1492  else if(context->keyExchMethod == TLS_KEY_EXCH_DH_DSS)
1493  {
1494  //In DH_DSS, the server's certificate must contain a Diffie-Hellman
1495  //public key and be signed with DSA
1496  certTypes[n++] = TLS_CERT_DSS_FIXED_DH;
1497  }
1498  else if(context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA)
1499  {
1500  //ECDHE_ECDSA key exchange method requires an ECDSA certificate
1501  certTypes[n++] = TLS_CERT_ECDSA_SIGN;
1502  }
1503  else if(context->keyExchMethod == TLS_KEY_EXCH_ECDH_ECDSA)
1504  {
1505  //In ECDH_ECDSA, the server's certificate must contain an ECDH-capable
1506  //public key and be signed with ECDSA
1507  certTypes[n++] = TLS_CERT_ECDSA_FIXED_ECDH;
1508  }
1509  else
1510  {
1511  //DH_anon and ECDH_anon key exchange methods do not require any
1512  //certificate
1513  }
1514  }
1515  else
1516 #endif
1517 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1518  //TLS 1.3 currently selected?
1519  if(context->version == TLS_VERSION_1_3)
1520  {
1521  //If PSK is not being used, then (EC)DHE and certificate-based
1522  //authentication are always used
1523  if(context->selectedIdentity < 0)
1524  {
1525  //TLS 1.3 removes support for DSA certificates
1526  certTypes[n++] = TLS_CERT_RSA_SIGN;
1527  certTypes[n++] = TLS_CERT_ECDSA_SIGN;
1528  }
1529  }
1530  else
1531 #endif
1532  //Invalid TLS version?
1533  {
1534  //Abort certificate selection process
1535  error = ERROR_INVALID_VERSION;
1536  }
1537 
1538  //Check whether a certificate is required
1539  if(n > 0)
1540  {
1541  //Reset currently selected certificate
1542  context->cert = NULL;
1543 
1544  //Loop through the list of available certificates
1545  for(i = 0; i < context->numCerts && context->cert == NULL; i++)
1546  {
1547  //Check whether the current certificate is acceptable
1548  acceptable = tlsIsCertificateAcceptable(context, &context->certs[i],
1549  certTypes, n, extensions->signAlgoList, extensions->certSignAlgoList,
1550  extensions->supportedGroupList, NULL);
1551 
1552  //The certificate must be appropriate for the negotiated cipher
1553  //suite and any negotiated extensions
1554  if(acceptable)
1555  {
1556  //The hash algorithm to be used when generating signatures must
1557  //be one of those present in the SignatureAlgorithms extension
1558  error = tlsSelectSignatureScheme(context, &context->certs[i],
1559  extensions->signAlgoList);
1560 
1561  //Check status code
1562  if(!error)
1563  {
1564  //If all the requirements were met, the certificate can be
1565  //used in conjunction with the selected cipher suite
1566  context->cert = &context->certs[i];
1567  }
1568  }
1569  }
1570 
1571  //Do not accept the specified cipher suite unless a suitable
1572  //certificate has been found
1573  if(context->cert == NULL)
1574  error = ERROR_NO_CERTIFICATE;
1575  }
1576 
1577  //Return status code
1578  return error;
1579 }
1580 
1581 
1582 /**
1583  * @brief Parse the list of compression methods supported by the client
1584  * @param[in] context Pointer to the TLS context
1585  * @param[in] compressMethods List of compression methods
1586  * @return Error code
1587  **/
1588 
1590  const TlsCompressMethods *compressMethods)
1591 {
1592  error_t error;
1593  uint_t i;
1594 
1595  //Initialize status code
1596  error = ERROR_ILLEGAL_PARAMETER;
1597 
1598  //Version of TLS prior to TLS 1.3?
1599  if(context->version <= TLS_VERSION_1_2)
1600  {
1601  //The list of the compression methods supported by the client is sorted
1602  //by client preference
1603  for(i = 0; i < compressMethods->length && error; i++)
1604  {
1605  //The CRIME exploit takes advantage of TLS compression, so conservative
1606  //implementations do not accept compression at the TLS level
1607  if(compressMethods->value[i] == TLS_COMPRESSION_METHOD_NULL)
1608  {
1609  error = NO_ERROR;
1610  }
1611  }
1612  }
1613  else
1614  {
1615  //For every TLS 1.3 ClientHello, this vector must contain exactly one
1616  //byte, set to zero which corresponds to the null compression method
1617  if(compressMethods->length == 1)
1618  {
1619  //If a ClientHello is received with any other value in this field,
1620  //the server must abort the handshake with an illegal_parameter alert
1621  if(compressMethods->value[0] == TLS_COMPRESSION_METHOD_NULL)
1622  {
1623  error = NO_ERROR;
1624  }
1625  }
1626  }
1627 
1628  //Return status code
1629  return error;
1630 }
1631 
1632 
1633 /**
1634  * @brief Parse PSK identity
1635  * @param[in] context Pointer to the TLS context
1636  * @param[in] p Input stream where to read the PSK identity hint
1637  * @param[in] length Number of bytes available in the input stream
1638  * @param[out] consumed Total number of bytes that have been consumed
1639  * @return Error code
1640  **/
1641 
1643  const uint8_t *p, size_t length, size_t *consumed)
1644 {
1645  size_t n;
1646  TlsPskIdentity *pskIdentity;
1647 
1648  //Point to the PSK identity
1649  pskIdentity = (TlsPskIdentity *) p;
1650 
1651  //Malformed ClientKeyExchange message?
1652  if(length < sizeof(TlsPskIdentity))
1653  return ERROR_DECODING_FAILED;
1654  if(length < (sizeof(TlsPskIdentity) + ntohs(pskIdentity->length)))
1655  return ERROR_DECODING_FAILED;
1656 
1657  //Retrieve the length of the PSK identity
1658  n = ntohs(pskIdentity->length);
1659 
1660 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
1661  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1662  //Any registered callback?
1663  if(context->pskCallback != NULL)
1664  {
1665  error_t error;
1666 
1667  //The server selects which key to use depending on the the PSK identity
1668  //provided by the client
1669  error = context->pskCallback(context, pskIdentity->value, n);
1670  //Any error to report?
1671  if(error)
1672  return ERROR_UNKNOWN_IDENTITY;
1673  }
1674 #endif
1675 
1676  //Total number of bytes that have been consumed
1677  *consumed = sizeof(TlsPskIdentity) + n;
1678 
1679  //Successful processing
1680  return NO_ERROR;
1681 }
1682 
1683 
1684 /**
1685  * @brief Parse client's key exchange parameters
1686  * @param[in] context Pointer to the TLS context
1687  * @param[in] p Input stream where to read the client's key exchange parameters
1688  * @param[in] length Number of bytes available in the input stream
1689  * @param[out] consumed Total number of bytes that have been consumed
1690  * @return Error code
1691  **/
1692 
1694  const uint8_t *p, size_t length, size_t *consumed)
1695 {
1696  error_t error;
1697 
1698 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1699  //Initialize status code
1700  error = NO_ERROR;
1701 
1702 #if (TLS_RSA_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED)
1703  //RSA key exchange method?
1704  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
1705  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1706  {
1707  size_t n;
1708  uint32_t bad;
1709  uint16_t version;
1710  RsaPrivateKey privateKey;
1711  uint8_t randPremasterSecret[48];
1712 
1713  //The RSA-encrypted premaster secret in a ClientKeyExchange is preceded by
1714  //two length bytes. SSL 3.0 implementations do not include these bytes
1715  if(context->version > SSL_VERSION_3_0)
1716  {
1717  //Malformed ClientKeyExchange message?
1718  if(length < 2)
1719  return ERROR_DECODING_FAILED;
1720 
1721  //Decode the length field
1722  n = LOAD16BE(p);
1723 
1724  //Check the length of the RSA-encrypted premaster secret
1725  if(n > (length - 2))
1726  return ERROR_DECODING_FAILED;
1727 
1728  //Save the length of the RSA-encrypted premaster secret
1729  length = n;
1730  //Advance the pointer over the length field
1731  p += 2;
1732  //Total number of bytes that have been consumed
1733  *consumed = length + 2;
1734  }
1735  else
1736  {
1737  //Total number of bytes that have been consumed
1738  *consumed = length;
1739  }
1740 
1741  //Initialize RSA private key
1742  rsaInitPrivateKey(&privateKey);
1743 
1744  //Decode the PEM structure that holds the RSA private key
1745  error = pemImportRsaPrivateKey(context->cert->privateKey,
1746  context->cert->privateKeyLen, &privateKey);
1747 
1748  //Check status code
1749  if(!error)
1750  {
1751  //Decrypt the premaster secret using the server private key
1752  error = rsaesPkcs1v15Decrypt(&privateKey, p, length,
1753  context->premasterSecret, TLS_PREMASTER_SECRET_SIZE,
1754  &context->premasterSecretLen);
1755  }
1756 
1757  //Release RSA private key
1758  rsaFreePrivateKey(&privateKey);
1759 
1760  //Retrieve the latest version supported by the client. This is used
1761  //to detect version roll-back attacks
1762  version = LOAD16BE(context->premasterSecret);
1763 
1764  //The best way to avoid vulnerability to the Bleichenbacher attack is to
1765  //treat incorrectly formatted messages in a manner indistinguishable from
1766  //correctly formatted RSA blocks
1767  bad = CRYPTO_TEST_NZ_32(error);
1768  bad |= CRYPTO_TEST_NEQ_32(context->premasterSecretLen, 48);
1769  bad |= CRYPTO_TEST_NEQ_16(version, context->clientVersion);
1770 
1771  //Generate a random 48-byte value
1772  error = context->prngAlgo->read(context->prngContext,
1773  randPremasterSecret, 48);
1774 
1775  //When it receives an incorrectly formatted RSA block, the server should
1776  //proceed using the random 48-byte value as the premaster secret
1777  for(n = 0; n < 48; n++)
1778  {
1779  context->premasterSecret[n] = CRYPTO_SELECT_8(
1780  context->premasterSecret[n], randPremasterSecret[n], bad);
1781  }
1782 
1783  //Fix the length of the premaster secret
1784  context->premasterSecretLen = 48;
1785  }
1786  else
1787 #endif
1788 #if (TLS_DH_ANON_KE_SUPPORT == ENABLED || TLS_DHE_RSA_KE_SUPPORT == ENABLED || \
1789  TLS_DHE_DSS_KE_SUPPORT == ENABLED || TLS_DHE_PSK_KE_SUPPORT == ENABLED)
1790  //Diffie-Hellman key exchange method?
1791  if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
1792  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1793  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1794  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK)
1795  {
1796  size_t n;
1797 
1798  //Convert the client's public value to a multiple precision integer
1799  error = tlsReadMpi(&context->dhContext.yb, p, length, &n);
1800 
1801  //Check status code
1802  if(!error)
1803  {
1804  //Total number of bytes that have been consumed
1805  *consumed = n;
1806 
1807  //Verify client's public value
1808  error = dhCheckPublicKey(&context->dhContext.params,
1809  &context->dhContext.yb);
1810  }
1811 
1812  //Check status code
1813  if(!error)
1814  {
1815  //Calculate the negotiated key Z
1816  error = dhComputeSharedSecret(&context->dhContext,
1817  context->premasterSecret, TLS_PREMASTER_SECRET_SIZE,
1818  &context->premasterSecretLen);
1819  }
1820 
1821  //Check status code
1822  if(!error)
1823  {
1824  //Leading bytes of Z that contain all zero bits are stripped before
1825  //it is used as the premaster secret (RFC 4346, section 8.2.1)
1826  for(n = 0; n < context->premasterSecretLen; n++)
1827  {
1828  if(context->premasterSecret[n] != 0x00)
1829  break;
1830  }
1831 
1832  //Any leading zero bytes?
1833  if(n > 0)
1834  {
1835  //Strip leading zero bytes from the negotiated key
1836  memmove(context->premasterSecret, context->premasterSecret + n,
1837  context->premasterSecretLen - n);
1838 
1839  //Adjust the length of the premaster secret
1840  context->premasterSecretLen -= n;
1841  }
1842  }
1843  }
1844  else
1845 #endif
1846 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
1847  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1848  //ECDH key exchange method?
1849  if(context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
1850  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1851  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
1852  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1853  {
1854  size_t n;
1855 
1856  //Decode client's public key
1857  error = tlsReadEcPoint(&context->ecdhContext.params,
1858  &context->ecdhContext.qb, p, length, &n);
1859 
1860  //Check status code
1861  if(!error)
1862  {
1863  //Total number of bytes that have been consumed
1864  *consumed = n;
1865 
1866  //Verify client's public key and make sure that it is on the same
1867  //elliptic curve as the server's ECDH key
1868  error = ecdhCheckPublicKey(&context->ecdhContext.params,
1869  &context->ecdhContext.qb);
1870  }
1871 
1872  //Check status code
1873  if(!error)
1874  {
1875 #if (TLS_ECC_CALLBACK_SUPPORT == ENABLED)
1876  //Any registered callback?
1877  if(context->ecdhCallback != NULL)
1878  {
1879  //Invoke user callback function
1880  error = context->ecdhCallback(context);
1881  }
1882  else
1883 #endif
1884  {
1885  //No callback function defined
1887  }
1888 
1889  //Check status code
1891  {
1892  //Calculate the shared secret Z. Leading zeros found in this octet
1893  //string must not be truncated (see RFC 4492, section 5.10)
1894  error = ecdhComputeSharedSecret(&context->ecdhContext,
1895  context->premasterSecret, TLS_PREMASTER_SECRET_SIZE,
1896  &context->premasterSecretLen);
1897  }
1898  }
1899  }
1900  else
1901 #endif
1902  //Invalid key exchange method?
1903  {
1904  //The specified key exchange method is not supported
1906  }
1907 #else
1908  //Not implemented
1909  error = ERROR_NOT_IMPLEMENTED;
1910 #endif
1911 
1912  //Return status code
1913  return error;
1914 }
1915 
1916 #endif
@ TLS_CERT_ECDSA_FIXED_ECDH
Definition: tls.h:1081
#define tlsAllocMem(size)
Definition: tls.h:757
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256
Definition: tls.h:1115
#define htons(value)
Definition: cpu_endian.h:392
Parsing and checking of TLS extensions.
@ TLS_SIGN_ALGO_DSA
Definition: tls.h:1113
void sha1Update(Sha1Context *context, const void *data, size_t length)
Update the SHA-1 context with a portion of the message being hashed.
Definition: sha1.c:152
TLS helper functions.
bool_t tlsIsCertificateAcceptable(TlsContext *context, const TlsCertDesc *cert, const uint8_t *certTypes, size_t numCertTypes, const TlsSignHashAlgos *signHashAlgos, const TlsSignHashAlgos *certSignHashAlgos, const TlsSupportedGroupList *curveList, const TlsCertAuthorities *certAuthorities)
Check whether a certificate is acceptable.
uint8_t length
Definition: dtls_misc.h:149
@ ERROR_UNKNOWN_IDENTITY
Definition: error.h:254
HashAlgoInit init
Definition: crypto.h:1139
@ ERROR_UNSUPPORTED_ELLIPTIC_CURVE
Definition: error.h:131
error_t tlsParsePskIdentity(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse PSK identity.
int bool_t
Definition: compiler_port.h:49
__start_packed struct @82 Tls12DigitalSignature
Digitally-signed element (TLS 1.2)
TLS cipher suites.
error_t tlsParseClientSupportedVersionsExtension(TlsContext *context, const TlsSupportedVersionList *supportedVersionList)
Parse SupportedVersions extension.
error_t tlsParseClientKeyParams(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse client's key exchange parameters.
error_t dtlsSelectVersion(TlsContext *context, uint16_t version)
Set the DTLS version to be used.
Definition: dtls_misc.c:54
error_t pemImportRsaPrivateKey(const char_t *input, size_t length, RsaPrivateKey *privateKey)
Decode a PEM file containing an RSA private key.
Definition: pem_import.c:382
error_t tlsFormatPskIdentityHint(TlsContext *context, uint8_t *p, size_t *written)
Format PSK identity hint.
error_t tls12GenerateServerKeySignature(TlsContext *context, Tls12DigitalSignature *signature, const uint8_t *params, size_t paramsLen, size_t *written)
Sign server's key exchange parameters (TLS 1.2)
@ TLS_COMPRESSION_METHOD_NULL
Definition: tls.h:1015
@ ERROR_VERSION_NOT_SUPPORTED
Definition: error.h:67
@ ERROR_NOT_IMPLEMENTED
Definition: error.h:66
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:237
RSA/DSA/ECDSA/EdDSA signature generation and verification.
error_t tlsNegotiateVersion(TlsContext *context, uint16_t clientVersion, const TlsSupportedVersionList *supportedVersionList)
Version negotiation.
error_t tlsSelectSignatureScheme(TlsContext *context, const TlsCertDesc *cert, const TlsSignHashAlgos *supportedSignAlgos)
Select the algorithm to be used when generating digital signatures.
Definition: tls_signature.c:60
uint8_t p
Definition: ndp.h:298
error_t tlsSelectVersion(TlsContext *context, uint16_t version)
Set the TLS version to be used.
Definition: tls_misc.c:225
error_t dhCheckPublicKey(DhParameters *params, const Mpi *publicKey)
Check Diffie-Hellman public value.
Definition: dh.c:154
#define TRUE
Definition: os_port.h:50
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384
Definition: tls.h:1121
@ TLS_GROUP_SECP256R1
Definition: tls.h:1230
size_t digestSize
Definition: crypto.h:1135
void md5Init(Md5Context *context)
Initialize MD5 message digest context.
Definition: md5.c:136
@ TLS_TRANSPORT_PROTOCOL_DATAGRAM
Definition: tls.h:851
HashAlgoUpdate update
Definition: crypto.h:1140
__start_packed struct @81 TlsDigitalSignature
Digitally-signed element (SSL 3.0, TLS 1.0 and TLS 1.1)
uint8_t signature
Definition: tls.h:1370
uint16_t version
Definition: dtls_misc.h:172
Session cache management.
error_t tlsSelectEcdheGroup(TlsContext *context, const TlsSupportedGroupList *groupList)
Select the named curve to be used when performing ECDHE key exchange.
#define CRYPTO_TEST_NEQ_16(a, b)
Definition: crypto.h:993
@ TLS_KEY_EXCH_DH_DSS
Definition: tls.h:1030
error_t tlsWriteMpi(const Mpi *a, uint8_t *data, size_t *length)
Encode a multiple precision integer to an opaque vector.
Definition: tls_misc.c:634
@ ERROR_HANDSHAKE_FAILED
Definition: error.h:228
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
FFDHE parameters.
Definition: tls_ffdhe.h:47
@ TLS_CERT_DSS_SIGN
Definition: tls.h:1073
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512
Definition: tls.h:1122
@ TLS_KEY_EXCH_ECDH_RSA
Definition: tls.h:1033
@ ERROR_INVALID_VERSION
Definition: error.h:116
error_t rsaesPkcs1v15Decrypt(const RsaPrivateKey *key, const uint8_t *ciphertext, size_t ciphertextLen, uint8_t *message, size_t messageSize, size_t *messageLen)
RSAES-PKCS1-v1_5 decryption operation.
Definition: rsa.c:274
__start_packed struct @57 DtlsSupportedVersionList
List of supported versions.
#define TLS_RANDOM_SIZE
Definition: tls.h:834
error_t dtlsParseClientSupportedVersionsExtension(TlsContext *context, const DtlsSupportedVersionList *supportedVersionList)
Parse SupportedVersions extension.
Definition: dtls_misc.c:395
void rsaInitPrivateKey(RsaPrivateKey *key)
Initialize an RSA private key.
Definition: rsa.c:131
error_t tlsRestoreSessionState(TlsContext *context, const TlsSessionState *session)
Restore TLS session.
Definition: tls.c:2585
@ TLS_SIGN_ALGO_ED448
Definition: tls.h:1119
size_t contextSize
Definition: crypto.h:1133
TlsSessionState * tlsFindCache(TlsCache *cache, const uint8_t *sessionId, size_t sessionIdLen)
Search the session cache for a given session ID.
Definition: tls_cache.c:97
error_t tlsFormatServerKeyParams(TlsContext *context, uint8_t *p, size_t *written)
Format server's key exchange parameters.
uint8_t sessionIdLen
Definition: tls.h:1615
void md5Final(Md5Context *context, uint8_t *digest)
Finish the MD5 message digest.
Definition: md5.c:197
@ TLS_KEY_EXCH_RSA
Definition: tls.h:1027
void md5Update(Md5Context *context, const void *data, size_t length)
Update the MD5 context with a portion of the message being hashed.
Definition: md5.c:158
error_t tlsGenerateRsaSignature(const RsaPrivateKey *key, const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
Generate RSA signature (SSL 3.0, TLS 1.0 and TLS 1.1)
@ TLS_HASH_ALGO_SHA512
Definition: tls.h:1100
uint16_t cipherSuite
Cipher suite identifier.
Definition: tls.h:1837
@ TLS_KEY_EXCH_ECDHE_ECDSA
Definition: tls.h:1036
error_t ecLoadDomainParameters(EcDomainParameters *params, const EcCurveInfo *curveInfo)
Load EC domain parameters.
Definition: ec.c:93
@ TLS_KEY_EXCH_ECDHE_RSA
Definition: tls.h:1034
uint16_t clientVersion
Definition: tls.h:1613
#define FALSE
Definition: os_port.h:46
error_t dhComputeSharedSecret(DhContext *context, uint8_t *output, size_t outputSize, size_t *outputLen)
Compute Diffie-Hellman shared secret.
Definition: dh.c:190
__start_packed struct @62 TlsCipherSuites
Cipher suites.
@ TLS_KEY_EXCH_ECDH_ANON
Definition: tls.h:1037
Elliptic curve parameters.
Definition: ec_curves.h:292
PEM file import functions.
void sha1Init(Sha1Context *context)
Initialize SHA-1 message digest context.
Definition: sha1.c:129
#define TlsContext
Definition: tls.h:36
@ ERROR_UNSUPPORTED_KEY_EXCH_METHOD
Definition: error.h:129
error_t
Error codes.
Definition: error.h:42
#define CRYPTO_TEST_NZ_32(a)
Definition: crypto.h:1021
void rsaFreePrivateKey(RsaPrivateKey *key)
Release an RSA private key.
Definition: rsa.c:150
const HashAlgo * tlsGetHashAlgo(uint8_t hashAlgoId)
Get the hash algorithm that matches the specified identifier.
Definition: tls_misc.c:829
#define TLS_VERSION_1_2
Definition: tls.h:94
#define TLS_PREMASTER_SECRET_SIZE
Definition: tls.h:722
@ TLS_GROUP_NONE
Definition: tls.h:1207
@ TLS_KEY_EXCH_DH_ANON
Definition: tls.h:1032
@ ERROR_FAILURE
Generic error code.
Definition: error.h:45
error_t tlsSelectCipherSuite(TlsContext *context, uint16_t identifier)
Set cipher suite.
Definition: tls_misc.c:253
@ TLS_HASH_ALGO_INTRINSIC
Definition: tls.h:1101
#define STORE16BE(a, p)
Definition: cpu_endian.h:246
@ TLS_KEY_EXCH_ECDH_ECDSA
Definition: tls.h:1035
error_t rsassaPssSign(const PrngAlgo *prngAlgo, void *prngContext, const RsaPrivateKey *key, const HashAlgo *hash, size_t saltLen, const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
RSASSA-PSS signature generation operation.
Definition: rsa.c:920
#define TLS_VERSION_1_3
Definition: tls.h:95
Handshake message processing (TLS client and server)
@ TLS_HASH_ALGO_SHA384
Definition: tls.h:1099
@ TLS_EMPTY_RENEGOTIATION_INFO_SCSV
error_t tlsNegotiateCipherSuite(TlsContext *context, const HashAlgo *hashAlgo, const TlsCipherSuites *cipherSuites, TlsHelloExtensions *extensions)
Cipher suite negotiation.
@ TLS_GROUP_SECP384R1
Definition: tls.h:1231
TLS record protocol.
error_t tlsWriteEcPoint(const EcDomainParameters *params, const EcPoint *a, uint8_t *data, size_t *length)
Encode an EC point to an opaque vector.
Definition: tls_misc.c:705
#define CRYPTO_SELECT_8(a, b, c)
Definition: crypto.h:977
@ TLS_SIGN_ALGO_ED25519
Definition: tls.h:1118
MD5 algorithm context.
Definition: md5.h:58
@ ERROR_NO_CERTIFICATE
Definition: error.h:229
#define SSL_VERSION_3_0
Definition: tls.h:91
@ TLS_HASH_ALGO_SHA256
Definition: tls.h:1098
@ TLS_CERT_RSA_SIGN
Definition: tls.h:1072
const TlsFfdheGroup * tlsGetFfdheGroup(TlsContext *context, uint16_t namedGroup)
Get the FFDHE parameters that match the specified named group.
Definition: tls_ffdhe.c:315
error_t tlsLoadFfdheParameters(DhParameters *params, const TlsFfdheGroup *ffdheGroup)
Load FFDHE parameters.
Definition: tls_ffdhe.c:375
#define MIN(a, b)
Definition: os_port.h:62
error_t tlsSelectFfdheGroup(TlsContext *context, const TlsSupportedGroupList *groupList)
Select the named group to be used when performing FFDHE key exchange.
Definition: tls_ffdhe.c:175
@ TLS_KEY_EXCH_DHE_PSK
Definition: tls.h:1040
error_t tlsResumeServerSession(TlsContext *context, const uint8_t *sessionId, size_t sessionIdLen, const TlsCipherSuites *cipherSuites, const TlsHelloExtensions *extensions)
Resume TLS session via session ID.
uint16_t dtlsTranslateVersion(uint16_t version)
Translate TLS version into DTLS version.
Definition: dtls_misc.c:113
#define MD5_DIGEST_SIZE
Definition: md5.h:40
Hello extensions.
Definition: tls.h:1894
@ TLS_FALLBACK_SCSV
error_t ecdhComputeSharedSecret(EcdhContext *context, uint8_t *output, size_t outputSize, size_t *outputLen)
Compute ECDH shared secret.
Definition: ecdh.c:385
@ TLS_KEY_EXCH_RSA_PSK
Definition: tls.h:1039
HashAlgoFinal final
Definition: crypto.h:1141
char_t * serverName
ServerName extension.
Definition: tls.h:1856
uint16_t serverVersion
Definition: dtls_misc.h:201
#define ntohs(value)
Definition: cpu_endian.h:398
@ TLS_EC_CURVE_TYPE_NAMED_CURVE
Definition: tls.h:1279
#define TRACE_DEBUG(...)
Definition: debug.h:106
#define MAX(a, b)
Definition: os_port.h:66
#define SHA1_DIGEST_SIZE
Definition: sha1.h:40
error_t tlsReadMpi(Mpi *a, const uint8_t *data, size_t size, size_t *length)
Read a multiple precision integer from an opaque vector.
Definition: tls_misc.c:667
const char_t * tlsGetCipherSuiteName(uint16_t identifier)
Convert cipher suite identifier to string representation.
uint8_t digest[1]
Definition: crypto.h:1120
error_t tlsParseCompressMethods(TlsContext *context, const TlsCompressMethods *compressMethods)
Parse the list of compression methods supported by the client.
TLS session state.
Definition: tls.h:1834
uint8_t n
RSA private key.
Definition: rsa.h:59
uint8_t extensions[]
Definition: tls13_misc.h:327
error_t tlsSelectCertificate(TlsContext *context, const TlsHelloExtensions *extensions)
Certificate selection process.
__start_packed struct @70 TlsSupportedVersionList
List of supported versions.
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512
Definition: tls.h:1117
#define CRYPTO_TEST_NEQ_32(a, b)
Definition: crypto.h:1029
@ ERROR_INAPPROPRIATE_FALLBACK
Definition: error.h:240
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256
Definition: tls.h:1120
Handshake message processing (TLS server)
@ TLS_KEY_EXCH_ECDHE_PSK
Definition: tls.h:1041
uint8_t sessionId[]
Definition: tls.h:1616
@ TLS_CERT_RSA_FIXED_ECDH
Definition: tls.h:1080
Certificate handling.
__start_packed struct @80 TlsPskIdentityHint
PSK identity hint.
__start_packed struct @75 TlsSupportedGroupList
List of supported groups.
const EcCurveInfo * tlsGetCurveInfo(TlsContext *context, uint16_t namedCurve)
Get the EC domain parameters that match the specified named curve.
Definition: tls_misc.c:890
error_t tlsSelectGroup(TlsContext *context, const TlsSupportedGroupList *groupList)
Select the group to be used when performing (EC)DHE key exchange.
TLS (Transport Layer Security)
@ TLS_SIGN_ALGO_RSA
Definition: tls.h:1112
error_t tlsCheckSignalingCipherSuiteValues(TlsContext *context, const TlsCipherSuites *cipherSuites)
Check whether the ClientHello includes any SCSV cipher suites.
uint16_t version
TLS protocol version.
Definition: tls.h:1836
SHA-1 algorithm context.
Definition: sha1.h:58
@ TLS_CERT_ECDSA_SIGN
Definition: tls.h:1079
__start_packed struct @63 TlsCompressMethods
Compression methods.
@ TLS_KEY_EXCH_DHE_DSS
Definition: tls.h:1031
error_t tlsGenerateEcdsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, uint8_t *signature, size_t *signatureLen)
Generate ECDSA signature.
__start_packed struct @79 TlsPskIdentity
PSK identity.
error_t tlsGenerateEddsaSignature(TlsContext *context, const uint8_t *message, size_t messageLen, uint8_t *signature, size_t *signatureLen)
Generate EdDSA signature.
error_t tlsGenerateDsaSignature(TlsContext *context, const uint8_t *digest, size_t digestLen, uint8_t *signature, size_t *signatureLen)
Generate DSA signature.
Common interface for hash algorithms.
Definition: crypto.h:1128
FFDHE key exchange.
error_t rsassaPkcs1v15Sign(const RsaPrivateKey *key, const HashAlgo *hash, const uint8_t *digest, uint8_t *signature, size_t *signatureLen)
RSASSA-PKCS1-v1_5 signature generation operation.
Definition: rsa.c:678
Helper functions for TLS server.
Formatting and parsing of extensions (TLS server)
@ ERROR_UNSUPPORTED_SIGNATURE_ALGO
Definition: error.h:130
error_t dhGenerateKeyPair(DhContext *context, const PrngAlgo *prngAlgo, void *prngContext)
Diffie-Hellman key pair generation.
Definition: dh.c:91
error_t tlsGenerateServerKeySignature(TlsContext *context, TlsDigitalSignature *signature, const uint8_t *params, size_t paramsLen, size_t *written)
Sign server's key exchange parameters (SSL 3.0, TLS 1.0 and TLS 1.1)
@ ERROR_DECODING_FAILED
Definition: error.h:235
unsigned int uint_t
Definition: compiler_port.h:45
#define TRACE_DEBUG_MPI(p, a)
Definition: debug.h:109
#define LOAD16BE(p)
Definition: cpu_endian.h:170
#define tlsFreeMem(p)
Definition: tls.h:762
@ TLS_CERT_DSS_FIXED_DH
Definition: tls.h:1075
@ TLS_CERT_RSA_FIXED_DH
Definition: tls.h:1074
@ TLS_SIGN_ALGO_ECDSA
Definition: tls.h:1114
error_t ecdhCheckPublicKey(const EcDomainParameters *params, EcPoint *publicKey)
Check ECDH public key.
Definition: ecdh.c:272
@ TLS_KEY_EXCH_DHE_RSA
Definition: tls.h:1029
void sha1Final(Sha1Context *context, uint8_t *digest)
Finish the SHA-1 message digest.
Definition: sha1.c:191
Generic hash algorithm context.
Definition: crypto.h:1118
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384
Definition: tls.h:1116
@ NO_ERROR
Success.
Definition: error.h:44
Debugging facilities.
@ TLS_KEY_EXCH_DH_RSA
Definition: tls.h:1028
error_t tlsReadEcPoint(const EcDomainParameters *params, EcPoint *a, const uint8_t *data, size_t size, size_t *length)
Read an EC point from an opaque vector.
Definition: tls_misc.c:742
error_t ecdhGenerateKeyPair(EcdhContext *context, const PrngAlgo *prngAlgo, void *prngContext)
ECDH key pair generation.
Definition: ecdh.c:87