tls_extensions.c
Go to the documentation of this file.
1 /**
2  * @file tls_extensions.c
3  * @brief Parsing and checking of TLS extensions
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2025 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.5.4
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include "tls.h"
36 #include "tls_cipher_suites.h"
37 #include "tls_extensions.h"
38 #include "tls_transcript_hash.h"
39 #include "tls_record.h"
40 #include "dtls_record.h"
41 #include "debug.h"
42 
43 //Check TLS library configuration
44 #if (TLS_SUPPORT == ENABLED)
45 
46 
47 /**
48  * @brief Parse Hello extensions
49  * @param[in] msgType Handshake message type
50  * @param[in] p Input stream where to read the list of extensions
51  * @param[in] length Number of bytes available in the input stream
52  * @param[out] extensions List of Hello extensions resulting from the parsing process
53  * @return Error code
54  **/
55 
58 {
59  error_t error;
60  size_t n;
61  uint16_t type;
62  const TlsExtension *extension;
63  const TlsExtensionList *extensionList;
64 
65  //Initialize TLS extensions
67 
68  //Check message type
70  {
71  //The implementation must accept messages both with and without the
72  //extensions field
73  if(length == 0)
74  {
75  //The extensions field is not present
76  return NO_ERROR;
77  }
78  }
79 
80  //Point to the list of extensions
81  extensionList = (TlsExtensionList *) p;
82 
83  //Malformed message?
84  if(length < sizeof(TlsExtensionList))
85  return ERROR_DECODING_FAILED;
86 
87  //If the amount of data in the message does not precisely match the format
88  //of the message, then send a fatal alert
89  if(length != (sizeof(TlsExtensionList) + ntohs(extensionList->length)))
90  return ERROR_DECODING_FAILED;
91 
92  //Point to the first extension of the list
93  p += sizeof(TlsExtensionList);
94  //Retrieve the length of the list
95  length -= sizeof(TlsExtensionList);
96 
97  //Parse the list of extensions offered by the peer
98  while(length > 0)
99  {
100  //Point to the current extension
101  extension = (TlsExtension *) p;
102 
103  //Check the length of the extension
104  if(length < sizeof(TlsExtension))
105  return ERROR_DECODING_FAILED;
106  if(length < (sizeof(TlsExtension) + ntohs(extension->length)))
107  return ERROR_DECODING_FAILED;
108 
109  //Get extension type
110  type = ntohs(extension->type);
111  //Retrieve the length of the extension
112  n = ntohs(extension->length);
113 
114  //Jump to the next extension
115  p += sizeof(TlsExtension) + n;
116  //Number of bytes left to process
117  length -= sizeof(TlsExtension) + n;
118 
119  //Test if the current extension is a duplicate
121  //Duplicate extension found?
122  if(error)
123  return error;
124 
125  //When multiple extensions of different types are present in the ClientHello
126  //or ServerHello messages, the extensions may appear in any order
128  {
129  //Check message type
131  {
132  const TlsSupportedVersionList *supportedVersionList;
133 
134  //Point to the SupportedVersions extension
135  supportedVersionList = (TlsSupportedVersionList *) extension->value;
136 
137  //Malformed extension?
138  if(n < sizeof(TlsSupportedVersionList))
139  return ERROR_DECODING_FAILED;
140  if(n != (sizeof(TlsSupportedVersionList) + supportedVersionList->length))
141  return ERROR_DECODING_FAILED;
142 
143  //Check the length of the list
144  if(supportedVersionList->length == 0)
145  return ERROR_DECODING_FAILED;
146  if((supportedVersionList->length % 2) != 0)
147  return ERROR_DECODING_FAILED;
148 
149  //The SupportedVersions extension is valid
150  extensions->supportedVersionList = supportedVersionList;
151  }
152  else if(msgType == TLS_TYPE_SERVER_HELLO ||
154  {
155  //The extension contains the selected version value
156  if(n != sizeof(uint16_t))
157  return ERROR_DECODING_FAILED;
158 
159  //The SupportedVersions extension is valid
160  extensions->selectedVersion = extension;
161  }
162  else
163  {
164  //The extension is not specified for the message in which it appears
166  }
167  }
168  else if(type == TLS_EXT_SERVER_NAME)
169  {
170  const TlsServerNameList *serverNameList;
171 
172  //Point to the ServerName extension
173  serverNameList = (TlsServerNameList *) extension->value;
174 
175  //Empty extension?
176  if(n == 0)
177  {
178  //When the server includes a ServerName extension, the data field
179  //of this extension may be empty
181  return ERROR_DECODING_FAILED;
182  }
183  else
184  {
185  //Malformed extension?
186  if(n < sizeof(TlsServerNameList))
187  return ERROR_DECODING_FAILED;
188  if(n != (sizeof(TlsServerNameList) + ntohs(serverNameList->length)))
189  return ERROR_DECODING_FAILED;
190 
191  //Check the length of the list
192  if(ntohs(serverNameList->length) == 0)
193  return ERROR_DECODING_FAILED;
194  }
195 
196  //The ServerName extension is valid
197  extensions->serverNameList = serverNameList;
198  }
199  else if(type == TLS_EXT_SUPPORTED_GROUPS)
200  {
201  const TlsSupportedGroupList *supportedGroupList;
202 
203  //Point to the SupportedGroups extension
204  supportedGroupList = (TlsSupportedGroupList *) extension->value;
205 
206  //Malformed extension?
207  if(n < sizeof(TlsSupportedGroupList))
208  return ERROR_DECODING_FAILED;
209  if(n != (sizeof(TlsSupportedGroupList) + ntohs(supportedGroupList->length)))
210  return ERROR_DECODING_FAILED;
211 
212  //Check the length of the list
213  if(ntohs(supportedGroupList->length) == 0)
214  return ERROR_DECODING_FAILED;
215  if((ntohs(supportedGroupList->length) % 2) != 0)
216  return ERROR_DECODING_FAILED;
217 
218  //The SupportedGroups extension is valid
219  extensions->supportedGroupList = supportedGroupList;
220  }
221  else if(type == TLS_EXT_EC_POINT_FORMATS)
222  {
223  const TlsEcPointFormatList *ecPointFormatList;
224 
225  //Point to the EcPointFormats extension
226  ecPointFormatList = (TlsEcPointFormatList *) extension->value;
227 
228  //Malformed extension?
229  if(n < sizeof(TlsEcPointFormatList))
230  return ERROR_DECODING_FAILED;
231  if(n != (sizeof(TlsEcPointFormatList) + ecPointFormatList->length))
232  return ERROR_DECODING_FAILED;
233 
234  //Check the length of the list
235  if(ntohs(ecPointFormatList->length) == 0)
236  return ERROR_DECODING_FAILED;
237 
238  //The EcPointFormats extension is valid
239  extensions->ecPointFormatList = ecPointFormatList;
240  }
242  {
243  const TlsSignSchemeList *signAlgoList;
244 
245  //Point to the SignatureAlgorithms extension
246  signAlgoList = (TlsSignSchemeList *) extension->value;
247 
248  //Malformed extension?
249  if(n < sizeof(TlsSignSchemeList))
250  return ERROR_DECODING_FAILED;
251  if(n != (sizeof(TlsSignSchemeList) + ntohs(signAlgoList->length)))
252  return ERROR_DECODING_FAILED;
253 
254  //Check the length of the list
255  if(ntohs(signAlgoList->length) == 0)
256  return ERROR_DECODING_FAILED;
257  if((ntohs(signAlgoList->length) % 2) != 0)
258  return ERROR_DECODING_FAILED;
259 
260  //The SignatureAlgorithms extension is valid
261  extensions->signAlgoList = signAlgoList;
262  }
264  {
265  const TlsSignSchemeList *certSignAlgoList;
266 
267  //Point to the SignatureAlgorithmsCert extension
268  certSignAlgoList = (TlsSignSchemeList *) extension->value;
269 
270  //Malformed extension?
271  if(n < sizeof(TlsSignSchemeList))
272  return ERROR_DECODING_FAILED;
273  if(n != (sizeof(TlsSignSchemeList) + ntohs(certSignAlgoList->length)))
274  return ERROR_DECODING_FAILED;
275 
276  //Check the length of the list
277  if(ntohs(certSignAlgoList->length) == 0)
278  return ERROR_DECODING_FAILED;
279  if((ntohs(certSignAlgoList->length) % 2) != 0)
280  return ERROR_DECODING_FAILED;
281 
282  //The SignatureAlgorithmsCert extension is valid
283  extensions->certSignAlgoList = certSignAlgoList;
284  }
285 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
287  {
288  //Malformed extension?
289  if(n != sizeof(uint8_t))
290  return ERROR_DECODING_FAILED;
291 
292  //The MaxFragmentLength extension is valid
293  extensions->maxFragLen = extension;
294  }
295 #endif
296 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
297  else if(type == TLS_EXT_RECORD_SIZE_LIMIT)
298  {
299  //Malformed extension?
300  if(n != sizeof(uint16_t))
301  return ERROR_DECODING_FAILED;
302 
303  //The RecordSizeLimit extension is valid
304  extensions->recordSizeLimit = extension;
305  }
306 #endif
307 #if (TLS_ALPN_SUPPORT == ENABLED)
308  else if(type == TLS_EXT_ALPN)
309  {
310  const TlsProtocolNameList *protocolNameList;
311 
312  //Point to the ALPN extension
313  protocolNameList = (TlsProtocolNameList *) extension->value;
314 
315  //Malformed extension?
316  if(n < sizeof(TlsProtocolNameList))
317  return ERROR_DECODING_FAILED;
318  if(n != (sizeof(TlsProtocolNameList) + ntohs(protocolNameList->length)))
319  return ERROR_DECODING_FAILED;
320 
321  //The ALPN extension is valid
322  extensions->protocolNameList = protocolNameList;
323  }
324 #endif
325 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
326  else if(type == TLS_EXT_CLIENT_CERT_TYPE)
327  {
328  //Check message type
330  {
331  const TlsCertTypeList *clientCertTypeList;
332 
333  //Point to the ClientCertType extension
334  clientCertTypeList = (TlsCertTypeList *) extension->value;
335 
336  //Malformed extension?
337  if(n < sizeof(TlsCertTypeList))
338  return ERROR_DECODING_FAILED;
339  if(n != (sizeof(TlsCertTypeList) + clientCertTypeList->length))
340  return ERROR_DECODING_FAILED;
341 
342  //The ClientCertType extension is valid
343  extensions->clientCertTypeList = clientCertTypeList;
344  }
345  else
346  {
347  //Only a single value is permitted in the ClientCertType extension
348  //when carried in the ServerHello
349  if(n != sizeof(uint8_t))
350  return ERROR_DECODING_FAILED;
351 
352  //The ClientCertType extension is valid
353  extensions->clientCertType = extension;
354  }
355  }
356  else if(type == TLS_EXT_SERVER_CERT_TYPE)
357  {
358  //Check message type
360  {
361  const TlsCertTypeList *serverCertTypeList;
362 
363  //Point to the ServerCertType extension
364  serverCertTypeList = (TlsCertTypeList *) extension->value;
365 
366  //Malformed extension?
367  if(n < sizeof(TlsCertTypeList))
368  return ERROR_DECODING_FAILED;
369  if(n != (sizeof(TlsCertTypeList) + serverCertTypeList->length))
370  return ERROR_DECODING_FAILED;
371 
372  //The ServerCertType extension is valid
373  extensions->serverCertTypeList = serverCertTypeList;
374  }
375  else
376  {
377  //Only a single value is permitted in the ServerCertType extension
378  //when carried in the ServerHello
379  if(n != sizeof(uint8_t))
380  return ERROR_DECODING_FAILED;
381 
382  //The ServerCertType extension is valid
383  extensions->serverCertType = extension;
384  }
385  }
386 #endif
387 #if (TLS_ENCRYPT_THEN_MAC_SUPPORT == ENABLED)
388  else if(type == TLS_EXT_ENCRYPT_THEN_MAC)
389  {
390  //The extension data field of this extension shall be empty (refer to
391  //RFC 7366, section 2)
392  if(n != 0)
393  return ERROR_DECODING_FAILED;
394 
395  //The EncryptThenMac extension is valid
396  extensions->encryptThenMac = extension;
397  }
398 #endif
399 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
401  {
402  //Malformed extension?
403  if(n != 0)
404  return ERROR_DECODING_FAILED;
405 
406  //The ExtendedMasterSecret extension is valid
407  extensions->extendedMasterSecret = extension;
408  }
409 #endif
410 #if (TLS_TICKET_SUPPORT == ENABLED)
411  else if(type == TLS_EXT_SESSION_TICKET)
412  {
413  //Check message type
415  {
416  //The server uses a zero-length SessionTicket extension to indicate
417  //to the client that it will send a new session ticket
418  if(n != 0)
419  return ERROR_DECODING_FAILED;
420  }
421 
422  //The SessionTicket extension is valid
423  extensions->sessionTicket = extension;
424  }
425 #endif
426 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
427  else if(type == TLS_EXT_RENEGOTIATION_INFO)
428  {
429  const TlsRenegoInfo *renegoInfo;
430 
431  //Point to the RenegotiationInfo extension
432  renegoInfo = (TlsRenegoInfo *) extension->value;
433 
434  //Malformed extension?
435  if(n < sizeof(TlsRenegoInfo))
436  return ERROR_DECODING_FAILED;
437  if(n != (sizeof(TlsRenegoInfo) + renegoInfo->length))
438  return ERROR_DECODING_FAILED;
439 
440  //The RenegotiationInfo extension is valid
441  extensions->renegoInfo = renegoInfo;
442  }
443 #endif
444 #if (TLS_QUIC_SUPPORT == ENABLED)
446  {
447  //The QuicTransportParameters extension is present
448  extensions->quicTransportParams = extension;
449  }
450 #endif
451 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
452  else if(type == TLS_EXT_COOKIE)
453  {
454  const Tls13Cookie *cookie;
455 
456  //Point to the Cookie extension
457  cookie = (Tls13Cookie *) extension->value;
458 
459  //Malformed extension?
460  if(n < sizeof(Tls13Cookie))
461  return ERROR_DECODING_FAILED;
462  if(n != (sizeof(Tls13Cookie) + ntohs(cookie->length)))
463  return ERROR_DECODING_FAILED;
464 
465  //Check the length of the cookie
466  if(ntohs(cookie->length) == 0)
467  return ERROR_DECODING_FAILED;
468 
469  //The Cookie extension is valid
470  extensions->cookie = cookie;
471  }
473  {
474  const TlsCertAuthorities *certAuthorities;
475 
476  //Point to the CertificateAuthorities extension
477  certAuthorities = (TlsCertAuthorities *) extension->value;
478 
479  //Malformed extension?
480  if(n < sizeof(TlsCertAuthorities))
481  return ERROR_DECODING_FAILED;
482  if(n != (sizeof(TlsCertAuthorities) + ntohs(certAuthorities->length)))
483  return ERROR_DECODING_FAILED;
484 
485  //Check the length of the list
486  if(ntohs(certAuthorities->length) < 3)
487  return ERROR_DECODING_FAILED;
488 
489  //The CertificateAuthorities extension is valid
490  extensions->certAuthorities = certAuthorities;
491  }
492  else if(type == TLS_EXT_KEY_SHARE)
493  {
494  //Check message type
496  {
497  size_t k;
498  size_t m;
499  const Tls13KeyShareList *keyShareList;
500  const Tls13KeyShareEntry *keyShareEntry;
501 
502  //The extension contains a list of offered KeyShareEntry values
503  //in descending order of client preference
504  keyShareList = (Tls13KeyShareList *) extension->value;
505 
506  //Malformed extension?
507  if(n < sizeof(Tls13KeyShareList))
508  return ERROR_DECODING_FAILED;
509  if(n != (sizeof(Tls13KeyShareList) + ntohs(keyShareList->length)))
510  return ERROR_DECODING_FAILED;
511 
512  //Point to the first KeyShareEntry of the list
513  p = keyShareList->value;
514  //Retrieve the length of the list
515  m = ntohs(keyShareList->length);
516 
517  //Parse the list of key share entries offered by the peer
518  while(m > 0)
519  {
520  //Malformed extension?
521  if(m < sizeof(Tls13KeyShareEntry))
522  return ERROR_DECODING_FAILED;
523 
524  //Point to the current key share entry
525  keyShareEntry = (Tls13KeyShareEntry *) p;
526  //Retrieve the length of the key_exchange field
527  k = ntohs(keyShareEntry->length);
528 
529  //Malformed extension?
530  if(m < (sizeof(Tls13KeyShareEntry) + k))
531  return ERROR_DECODING_FAILED;
532 
533  //Point to the next entry
534  p += sizeof(Tls13KeyShareEntry) + k;
535  //Remaining bytes to process
536  m -= sizeof(Tls13KeyShareEntry) + k;
537 
538  //Clients must not offer multiple KeyShareEntry values for the
539  //same group. Servers may check for violations of this rule and
540  //abort the handshake with an illegal_parameter alert
541  error = tls13CheckDuplicateKeyShare(ntohs(keyShareEntry->group),
542  p, m);
543  //Any error to report?
544  if(error)
546  }
547 
548  //The KeyShare extension is valid
549  extensions->keyShareList = keyShareList;
550  }
552  {
553  //The extension contains the mutually supported group the server
554  //intends to negotiate
555  if(n != sizeof(uint16_t))
556  return ERROR_DECODING_FAILED;
557 
558  //The KeyShare extension is valid
559  extensions->selectedGroup = extension;
560  }
561  else if(msgType == TLS_TYPE_SERVER_HELLO)
562  {
563  const Tls13KeyShareEntry *serverShare;
564 
565  //The extension contains a single KeyShareEntry value that is in
566  //the same group as one of the client's shares
567  serverShare = (Tls13KeyShareEntry *) extension->value;
568 
569  //Malformed extension?
570  if(n < sizeof(Tls13KeyShareEntry))
571  return ERROR_DECODING_FAILED;
572  if(n != (sizeof(Tls13KeyShareEntry) + ntohs(serverShare->length)))
573  return ERROR_DECODING_FAILED;
574 
575  //The KeyShare extension is valid
576  extensions->serverShare = serverShare;
577  }
578  else
579  {
580  //The extension is not specified for the message in which it appears
581 #if (TLS_MAX_EMPTY_RECORDS > 0)
583 #else
585 #endif
586  }
587  }
589  {
590  const Tls13PskKeModeList *pskKeModeList;
591 
592  //The extension contains the list of PSK key exchange modes that
593  //are supported by the client
594  pskKeModeList = (Tls13PskKeModeList *) extension->value;
595 
596  //Malformed extension?
597  if(n < sizeof(Tls13PskKeModeList))
598  return ERROR_DECODING_FAILED;
599  if(n != (sizeof(Tls13PskKeModeList) + pskKeModeList->length))
600  return ERROR_DECODING_FAILED;
601 
602  //The PskKeyExchangeModes extension is valid
603  extensions->pskKeModeList = pskKeModeList;
604  }
605  else if(type == TLS_EXT_PRE_SHARED_KEY)
606  {
607  //Check message type
609  {
610  const Tls13PskIdentityList *identityList;
611  const Tls13PskBinderList *binderList;
612 
613  //The PreSharedKey extension must be the last extension in the
614  //ClientHello. Servers must check that it is the last extension and
615  //otherwise fail the handshake with an illegal_parameter alert
616  if(length != 0)
618 
619  //The extension contains a list of the identities that the client
620  //is willing to negotiate with the server
621  identityList = (Tls13PskIdentityList *) extension->value;
622 
623  //Malformed extension?
624  if(n < sizeof(Tls13PskIdentityList))
625  return ERROR_DECODING_FAILED;
626  if(n < (sizeof(Tls13PskIdentityList) + ntohs(identityList->length)))
627  return ERROR_DECODING_FAILED;
628 
629  //Remaining bytes to process
630  n -= sizeof(Tls13PskIdentityList) + ntohs(identityList->length);
631 
632  //The extension also contains a series of HMAC values, one for each
633  //PSK offered in the PreSharedKey extension and in the same order
634  binderList = (Tls13PskBinderList *) (extension->value +
635  sizeof(Tls13PskIdentityList) + ntohs(identityList->length));
636 
637  //Malformed extension?
638  if(n < sizeof(Tls13PskBinderList))
639  return ERROR_DECODING_FAILED;
640  if(n != (sizeof(Tls13PskBinderList) + ntohs(binderList->length)))
641  return ERROR_DECODING_FAILED;
642 
643  //The PreSharedKey extension is valid
644  extensions->identityList = identityList;
645  extensions->binderList = binderList;
646  }
647  else if(msgType == TLS_TYPE_SERVER_HELLO)
648  {
649  //The extension contains the chosen identity expressed as a 0-based
650  //index into the identities in the client's list
651  if(n != sizeof(uint16_t))
652  return ERROR_DECODING_FAILED;
653 
654  //The PreSharedKey extension is valid
655  extensions->selectedIdentity = extension;
656  }
657  else
658  {
659  //The extension is not specified for the message in which it appears
661  }
662  }
663  else if(type == TLS_EXT_EARLY_DATA)
664  {
665  //Check message type
668  {
669  //The extension data field is empty
670  if(n != 0)
671  return ERROR_DECODING_FAILED;
672  }
674  {
675  //The extension data field contains an unsigned 32-bit integer
676  if(n != sizeof(uint32_t))
677  return ERROR_DECODING_FAILED;
678  }
679  else
680  {
681  //The extension is not specified for the message in which it appears
683  }
684 
685  //The EarlyData extension is valid
686  extensions->earlyDataIndication = extension;
687  }
688 #endif
689  else
690  {
691  //If a client receives an extension type in the ServerHello that it
692  //did not request in the associated ClientHello, it must abort the
693  //handshake with an unsupported_extension fatal alert
697  {
698  //Report an error
700  }
701  }
702  }
703 
704  //Successful processing
705  return NO_ERROR;
706 }
707 
708 
709 /**
710  * @brief Check Hello extensions
711  * @param[in] msgType Handshake message type
712  * @param[in] version TLS version
713  * @param[in] extensions List of Hello extensions offered by the peer
714  * @return Error code
715  **/
716 
719 {
720  error_t error;
721 
722  //Initialize status code
723  error = NO_ERROR;
724 
725 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED && TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
726  //A client must treat receipt of both MaxFragmentLength and RecordSizeLimit
727  //extensions as a fatal error, and it should generate an illegal_parameter
728  //alert (refer to RFC 8449, section 5)
729  if(extensions->maxFragLen != NULL && extensions->recordSizeLimit != NULL)
730  {
731  //ServerHello or EncryptedExtensions message?
734  {
735  error = ERROR_ILLEGAL_PARAMETER;
736  }
737  }
738 #endif
739 
740 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
741  //If an implementation receives an extension which it recognizes and which
742  //is not specified for the message in which it appears it must abort the
743  //handshake with an illegal_parameter alert (refer to RFC 8446, section 4.2)
744  if(version == TLS_VERSION_1_3)
745  {
746  //SupportedVersions extension found?
747  if(extensions->supportedVersionList != NULL ||
748  extensions->selectedVersion != NULL)
749  {
750  //The extension can only appear in CH, SH and HRR messages
754  {
755  error = ERROR_ILLEGAL_PARAMETER;
756  }
757  }
758 
759  //ServerName extension found?
760  if(extensions->serverNameList != NULL)
761  {
762  //The extension can only appear in CH and EE messages
765  {
766  error = ERROR_ILLEGAL_PARAMETER;
767  }
768  }
769 
770  //SupportedGroups extension found?
771  if(extensions->supportedGroupList != NULL)
772  {
773  //The extension can only appear in CH and EE messages
776  {
777  error = ERROR_ILLEGAL_PARAMETER;
778  }
779  }
780 
781  //EcPointFormats extension found?
782  if(extensions->ecPointFormatList != NULL)
783  {
784  //The extension can only appear in CH
786  {
787  error = ERROR_ILLEGAL_PARAMETER;
788  }
789  }
790 
791  //SignatureAlgorithms extension found?
792  if(extensions->signAlgoList != NULL)
793  {
794  //The extension can only appear in CH and CR messages
797  {
798  error = ERROR_ILLEGAL_PARAMETER;
799  }
800  }
801 
802  //SignatureAlgorithmsCert extension found?
803  if(extensions->certSignAlgoList != NULL)
804  {
805  //The extension can only appear in CH and CR messages
808  {
809  error = ERROR_ILLEGAL_PARAMETER;
810  }
811  }
812 
813 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
814  //MaxFragmentLength extension found?
815  if(extensions->maxFragLen != NULL)
816  {
817  //The extension can only appear in CH and EE messages
820  {
821  error = ERROR_ILLEGAL_PARAMETER;
822  }
823  }
824 #endif
825 
826 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
827  //RecordSizeLimit extension found?
828  if(extensions->recordSizeLimit != NULL)
829  {
830  //The extension can only appear in CH and EE messages
833  {
834  error = ERROR_ILLEGAL_PARAMETER;
835  }
836  }
837 #endif
838 
839 #if (TLS_ALPN_SUPPORT == ENABLED)
840  //ALPN extension found?
841  if(extensions->protocolNameList != NULL)
842  {
843  //The extension can only appear in CH and EE messages
846  {
847  error = ERROR_ILLEGAL_PARAMETER;
848  }
849  }
850 #endif
851 
852 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
853  //ClientCertType extension found?
854  if(extensions->clientCertTypeList != NULL ||
855  extensions->clientCertType != NULL)
856  {
857  //The extension can only appear in CH and EE messages
860  {
861  error = ERROR_ILLEGAL_PARAMETER;
862  }
863  }
864 
865  //ServerCertType extension found?
866  if(extensions->serverCertTypeList != NULL ||
867  extensions->serverCertType != NULL)
868  {
869  //The extension can only appear in CH and EE messages
872  {
873  error = ERROR_ILLEGAL_PARAMETER;
874  }
875  }
876 #endif
877 
878 #if (TLS_ENCRYPT_THEN_MAC_SUPPORT == ENABLED)
879  //EncryptThenMac extension found?
880  else if(extensions->encryptThenMac != NULL)
881  {
882  //The extension can only appear in CH
884  {
885  error = ERROR_ILLEGAL_PARAMETER;
886  }
887  }
888 #endif
889 
890 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
891  //ExtendedMasterSecret extension found?
892  if(extensions->extendedMasterSecret != NULL)
893  {
894  //The extension can only appear in CH
896  {
897  error = ERROR_ILLEGAL_PARAMETER;
898  }
899  }
900 #endif
901 
902 #if (TLS_TICKET_SUPPORT == ENABLED)
903  //SessionTicket extension found?
904  if(extensions->sessionTicket != NULL)
905  {
906  //The extension can only appear in CH
908  {
909  error = ERROR_ILLEGAL_PARAMETER;
910  }
911  }
912 #endif
913 
914 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
915  //RenegotiationInfo extension found?
916  if(extensions->renegoInfo != NULL)
917  {
918  //The extension can only appear in CH
920  {
921  error = ERROR_ILLEGAL_PARAMETER;
922  }
923  }
924 #endif
925 
926 #if (TLS_QUIC_SUPPORT == ENABLED)
927  //QuicTransportParameters extension found?
928  if(extensions->quicTransportParams != NULL)
929  {
930  //The extension can only appear in CH and EE messages
933  {
934  error = ERROR_ILLEGAL_PARAMETER;
935  }
936  }
937 #endif
938 
939  //Cookie extension found?
940  if(extensions->cookie != NULL)
941  {
942  //The extension can only appear in CH and HRR messages
945  {
946  error = ERROR_ILLEGAL_PARAMETER;
947  }
948  }
949 
950  //CertificateAuthorities extension found?
951  if(extensions->certAuthorities != NULL)
952  {
953  //The extension can only appear in CH and CR messages
956  {
957  error = ERROR_ILLEGAL_PARAMETER;
958  }
959  }
960 
961  //KeyShare extension found?
962  if(extensions->keyShareList != NULL ||
963  extensions->serverShare != NULL ||
964  extensions->selectedGroup != NULL)
965  {
966  //The extension can only appear in CH, SH and HRR messages
970  {
971  error = ERROR_ILLEGAL_PARAMETER;
972  }
973  }
974 
975  //PskKeyExchangeModes extension found?
976  if(extensions->pskKeModeList != NULL)
977  {
978  //The extension can only appear in CH message
980  {
981  error = ERROR_ILLEGAL_PARAMETER;
982  }
983  }
984 
985  //PreSharedKey extension found?
986  if(extensions->identityList != NULL ||
987  extensions->binderList != NULL ||
988  extensions->selectedIdentity != NULL)
989  {
990  //The extension can only appear in CH and SH messages
993  {
994  error = ERROR_ILLEGAL_PARAMETER;
995  }
996  }
997 
998  //EarlyData extension found?
999  if(extensions->earlyDataIndication != NULL)
1000  {
1001  //The extension can only appear in CH, EE and NST messages
1005  {
1006  error = ERROR_ILLEGAL_PARAMETER;
1007  }
1008  }
1009  }
1010 
1011  //Check mandatory-to-implement extensions
1013  {
1014  //A client must provide a PskKeyExchangeModes extension if it offers a
1015  //PreSharedKey extension (refer to RFC 8446, section 4.2.9)
1016  if(extensions->identityList != NULL || extensions->binderList != NULL)
1017  {
1018  //If a client offers PreSharedKey without a PskKeyExchangeModes
1019  //extension, the servers must abort the handshake
1020  if(extensions->pskKeModeList == NULL)
1021  {
1022  error = ERROR_MISSING_EXTENSION;
1023  }
1024  }
1025 
1026  //If the ClientHello does not contain a PreSharedKey extension, it must
1027  //contain both a SignatureAlgorithms extension and a SupportedGroups
1028  //extension (refer to RFC 8446, section 9.2)
1029  if(extensions->identityList == NULL || extensions->binderList == NULL)
1030  {
1031  //Servers receiving a ClientHello which does not conform to these
1032  //requirements must abort the handshake with a missing_extension
1033  //alert
1034  if(extensions->signAlgoList == NULL ||
1035  extensions->supportedGroupList == NULL)
1036  {
1037  error = ERROR_MISSING_EXTENSION;
1038  }
1039  }
1040 
1041  //If the ClientHello contains a SupportedGroups extension, it must also
1042  //contain a KeyShare extension, and vice versa
1043  if(extensions->supportedGroupList != NULL &&
1044  extensions->keyShareList == NULL)
1045  {
1046  error = ERROR_MISSING_EXTENSION;
1047  }
1048  else if(extensions->keyShareList != NULL &&
1049  extensions->supportedGroupList == NULL)
1050  {
1051  error = ERROR_MISSING_EXTENSION;
1052  }
1053  }
1054 #endif
1055 
1056  //Return status code
1057  return error;
1058 }
1059 
1060 
1061 /**
1062  * @brief Check whether the specified extension type is a duplicate
1063  * @param[in] type Extension type
1064  * @param[in] p Input stream where to read the list of extensions
1065  * @param[in] length Number of bytes available in the input stream
1066  * @return Error code
1067  **/
1068 
1069 error_t tlsCheckDuplicateExtension(uint16_t type, const uint8_t *p,
1070  size_t length)
1071 {
1072  size_t n;
1073  const TlsExtension *extension;
1074 
1075  //Parse the list of extensions offered by the peer
1076  while(length > 0)
1077  {
1078  //Point to the current extension
1079  extension = (TlsExtension *) p;
1080 
1081  //Check the length of the extension
1082  if(length < sizeof(TlsExtension))
1083  return ERROR_DECODING_FAILED;
1084  if(length < (sizeof(TlsExtension) + ntohs(extension->length)))
1085  return ERROR_DECODING_FAILED;
1086 
1087  //There must not be more than one extension of the same type (refer to
1088  //RFC 5246, section 7.4.1.4)
1089  if(ntohs(extension->type) == type)
1090  {
1092  {
1093  return ERROR_DECODING_FAILED;
1094  }
1095  else
1096  {
1097  return ERROR_ILLEGAL_PARAMETER;
1098  }
1099  }
1100 
1101  //Retrieve the length of the extension
1102  n = ntohs(extension->length);
1103 
1104  //Jump to the next extension
1105  p += sizeof(TlsExtension) + n;
1106  //Number of bytes left to process
1107  length -= sizeof(TlsExtension) + n;
1108  }
1109 
1110  //Successful verification
1111  return NO_ERROR;
1112 }
1113 
1114 
1115 /**
1116  * @brief Check whether the specified ALPN protocol is supported
1117  * @param[in] context Pointer to the TLS context
1118  * @param[in] protocol Pointer to the protocol name
1119  * @param[in] length Length of the protocol name, in bytes
1120  * @return TRUE if the specified protocol is supported, else FALSE
1121  **/
1122 
1124  const char_t *protocol, size_t length)
1125 {
1126  bool_t supported;
1127 
1128  //Initialize flag
1129  supported = FALSE;
1130 
1131 #if (TLS_ALPN_SUPPORT == ENABLED)
1132  //Sanity check
1133  if(context->protocolList != NULL)
1134  {
1135  size_t i;
1136  size_t j;
1137 
1138  //Move back to the beginning of the list
1139  i = 0;
1140  j = 0;
1141 
1142  //Parse the list of supported protocols
1143  do
1144  {
1145  //Delimiter character found?
1146  if(context->protocolList[i] == ',' || context->protocolList[i] == '\0')
1147  {
1148  //Check the length of the protocol name
1149  if(length == (i - j))
1150  {
1151  //Compare protocol names
1152  if(!osMemcmp(protocol, context->protocolList + j, i - j))
1153  {
1154  //The specified protocol is supported
1155  supported = TRUE;
1156  //We are done
1157  break;
1158  }
1159  }
1160 
1161  //Move to the next token
1162  j = i + 1;
1163  }
1164 
1165  //Loop until the NULL character is reached
1166  } while(context->protocolList[i++] != '\0');
1167  }
1168 #endif
1169 
1170  //Return TRUE if the specified protocol is supported
1171  return supported;
1172 }
1173 
1174 #endif
@ TLS_EXT_PSK_KEY_EXCHANGE_MODES
Definition: tls.h:1389
@ TLS_EXT_MAX_FRAGMENT_LENGTH
Definition: tls.h:1351
Parsing and checking of TLS extensions.
uint8_t extensions[]
Definition: ntp_common.h:213
Tls13PskBinderList
Definition: tls13_misc.h:275
int bool_t
Definition: compiler_port.h:61
TLS cipher suites.
uint8_t protocol
Definition: ipv4.h:327
Tls13Cookie
Definition: tls13_misc.h:197
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:244
@ TLS_EXT_SUPPORTED_VERSIONS
Definition: tls.h:1387
uint8_t p
Definition: ndp.h:300
error_t tlsCheckDuplicateExtension(uint16_t type, const uint8_t *p, size_t length)
Check whether the specified extension type is a duplicate.
#define TRUE
Definition: os_port.h:50
bool_t tlsIsAlpnProtocolSupported(TlsContext *context, const char_t *protocol, size_t length)
Check whether the specified ALPN protocol is supported.
TlsEcPointFormatList
Definition: tls.h:1780
TlsRenegoInfo
Definition: tls.h:1802
TlsMessageType
Handshake message type.
Definition: tls.h:1083
uint8_t type
Definition: coap_common.h:176
#define osMemcmp(p1, p2, length)
Definition: os_port.h:156
uint8_t version
Definition: coap_common.h:177
TlsProtocolNameList
Definition: tls.h:1758
Tls13KeyShareEntry
Definition: tls13_misc.h:209
TlsExtension
Definition: tls.h:1691
@ TLS_EXT_EARLY_DATA
Definition: tls.h:1386
@ TLS_EXT_SESSION_TICKET
Definition: tls.h:1383
@ TLS_EXT_QUIC_TRANSPORT_PARAMETERS
Definition: tls.h:1399
@ TLS_EXT_SERVER_NAME
Definition: tls.h:1350
@ TLS_EXT_SIGNATURE_ALGORITHMS_CERT
Definition: tls.h:1393
TlsExtensionList
Definition: tls.h:1702
#define FALSE
Definition: os_port.h:46
TlsCertAuthorities
Definition: tls.h:1657
@ ERROR_UNSUPPORTED_EXTENSION
Definition: error.h:246
@ TLS_EXT_CLIENT_CERT_TYPE
Definition: tls.h:1369
#define TlsContext
Definition: tls.h:36
error_t
Error codes.
Definition: error.h:43
DTLS record protocol.
@ TLS_EXT_EXTENDED_MASTER_SECRET
Definition: tls.h:1373
@ TLS_EXT_SUPPORTED_GROUPS
Definition: tls.h:1360
@ TLS_EXT_RENEGOTIATION_INFO
Definition: tls.h:1402
error_t tlsParseHelloExtensions(TlsMessageType msgType, const uint8_t *p, size_t length, TlsHelloExtensions *extensions)
Parse Hello extensions.
@ TLS_EXT_ENCRYPT_THEN_MAC
Definition: tls.h:1372
@ TLS_TYPE_CLIENT_HELLO
Definition: tls.h:1085
@ TLS_EXT_KEY_SHARE
Definition: tls.h:1394
@ ERROR_MISSING_EXTENSION
Definition: error.h:245
#define TLS_VERSION_1_3
Definition: tls.h:97
@ TLS_TYPE_SERVER_HELLO
Definition: tls.h:1086
TlsServerNameList
Definition: tls.h:1736
@ TLS_TYPE_ENCRYPTED_EXTENSIONS
Definition: tls.h:1091
TLS record protocol.
@ TLS_EXT_COOKIE
Definition: tls.h:1388
TlsSignSchemeList
Definition: tls.h:1635
@ TLS_EXT_CERTIFICATE_AUTHORITIES
Definition: tls.h:1390
uint8_t length
Definition: tcp.h:375
@ TLS_EXT_EC_POINT_FORMATS
Definition: tls.h:1361
@ TLS_EXT_ALPN
Definition: tls.h:1366
Hello extensions.
Definition: tls.h:2253
Tls13KeyShareList
Definition: tls13_misc.h:220
Transcript hash calculation.
#define ntohs(value)
Definition: cpu_endian.h:421
char char_t
Definition: compiler_port.h:55
uint8_t msgType
uint8_t m
Definition: ndp.h:304
uint8_t n
@ TLS_EXT_SERVER_CERT_TYPE
Definition: tls.h:1370
Tls13PskKeModeList
Definition: tls13_misc.h:231
@ TLS_TYPE_CERTIFICATE_REQUEST
Definition: tls.h:1096
@ TLS_EXT_PRE_SHARED_KEY
Definition: tls.h:1385
TLS (Transport Layer Security)
uint8_t cookie[]
Definition: dtls_misc.h:206
error_t tlsCheckHelloExtensions(TlsMessageType msgType, uint16_t version, TlsHelloExtensions *extensions)
Check Hello extensions.
@ TLS_EXT_SIGNATURE_ALGORITHMS
Definition: tls.h:1363
@ TLS_TYPE_NEW_SESSION_TICKET
Definition: tls.h:1088
@ ERROR_DECODING_FAILED
Definition: error.h:242
Tls13PskIdentityList
Definition: tls13_misc.h:253
@ TLS_TYPE_HELLO_RETRY_REQUEST
Definition: tls.h:1090
#define osMemset(p, value, length)
Definition: os_port.h:138
TlsSupportedGroupList
Definition: tls.h:1769
error_t tls13CheckDuplicateKeyShare(uint16_t namedGroup, const uint8_t *p, size_t length)
Check whether the specified key share group is a duplicate.
Definition: tls13_misc.c:1384
TlsSupportedVersionList
Definition: tls.h:1713
TlsCertTypeList
Definition: tls.h:1791
@ NO_ERROR
Success.
Definition: error.h:44
@ TLS_EXT_RECORD_SIZE_LIMIT
Definition: tls.h:1377
Debugging facilities.