tls_handshake.c
Go to the documentation of this file.
1 /**
2  * @file tls_handshake.c
3  * @brief TLS handshake
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2026 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.6.2
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include "tls/tls.h"
36 #include "tls/tls_handshake.h"
37 #include "tls/tls_client_fsm.h"
38 #include "tls/tls_server_fsm.h"
39 #include "tls/tls_common.h"
40 #include "tls/tls_transcript_hash.h"
41 #include "tls/tls_record.h"
42 #include "tls/tls_misc.h"
43 #include "tls13/tls13_server_misc.h"
44 #include "dtls/dtls_record.h"
45 #include "quic/tls_quic_misc.h"
46 #include "debug.h"
47 
48 //Check TLS library configuration
49 #if (TLS_SUPPORT == ENABLED)
50 
51 
52 /**
53  * @brief TLS handshake initialization
54  * @param[in] context Pointer to the TLS context
55  * @return Error code
56  **/
57 
58 error_t tlsInitHandshake(TlsContext *context)
59 {
60  //Allocate send buffer if necessary
61  if(context->txBuffer == NULL)
62  {
63  //Allocate TX buffer
64  context->txBuffer = tlsAllocMem(context->txBufferSize);
65 
66  //Failed to allocate memory?
67  if(context->txBuffer == NULL)
68  return ERROR_OUT_OF_MEMORY;
69 
70  //Clear TX buffer
71  osMemset(context->txBuffer, 0, context->txBufferSize);
72  }
73 
74  //Allocate receive buffer if necessary
75  if(context->rxBuffer == NULL)
76  {
77  //Allocate RX buffer
78  context->rxBuffer = tlsAllocMem(context->rxBufferSize);
79 
80  //Failed to allocate memory?
81  if(context->rxBuffer == NULL)
82  return ERROR_OUT_OF_MEMORY;
83 
84  //Clear RX buffer
85  osMemset(context->rxBuffer, 0, context->rxBufferSize);
86  }
87 
88 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
89  //Server mode?
90  if(context->entity == TLS_CONNECTION_END_SERVER)
91  {
92  //A server implementation may choose to reject the early data
93  context->earlyDataRejected = TRUE;
94  }
95 #endif
96 
97  //The client initiates the TLS handshake by sending a ClientHello message
98  //to the server
99  tlsChangeState(context, TLS_STATE_CLIENT_HELLO);
100 
101  //Successful processing
102  return NO_ERROR;
103 }
104 
105 
106 /**
107  * @brief Perform TLS handshake
108  *
109  * TLS handshake protocol is responsible for the authentication and key
110  * exchange necessary to establish a secure session
111  *
112  * @param[in] context Pointer to the TLS context
113  * @return Error code
114  **/
115 
116 error_t tlsPerformHandshake(TlsContext *context)
117 {
118  error_t error;
119 
120 #if (TLS_CLIENT_SUPPORT == ENABLED)
121  //Client mode?
122  if(context->entity == TLS_CONNECTION_END_CLIENT)
123  {
124  //Perform TLS handshake with the remote server
125  error = tlsPerformClientHandshake(context);
126  }
127  else
128 #endif
129 #if (TLS_SERVER_SUPPORT == ENABLED)
130  //Server mode?
131  if(context->entity == TLS_CONNECTION_END_SERVER)
132  {
133  //Perform TLS handshake with the remote client
134  error = tlsPerformServerHandshake(context);
135  }
136  else
137 #endif
138  //Unsupported mode of operation?
139  {
140  //Report an error
141  error = ERROR_INVALID_PARAMETER;
142  }
143 
144  //Return status code
145  return error;
146 }
147 
148 
149 /**
150  * @brief Send handshake message
151  * @param[in] context Pointer to the TLS context
152  * @param[in] data Pointer to the handshake message
153  * @param[in] length Length of the handshake message
154  * @param[in] type Handshake message type
155  * @return Error code
156  **/
157 
158 error_t tlsSendHandshakeMessage(TlsContext *context, const void *data,
159  size_t length, TlsMessageType type)
160 {
161  error_t error;
162 
163 #if (DTLS_SUPPORT == ENABLED)
164  //DTLS protocol?
165  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
166  {
167  DtlsHandshake *message;
168 
169  //Point to the handshake message header
170  message = (DtlsHandshake *) data;
171 
172  //Make room for the handshake message header
173  osMemmove(message->data, data, length);
174 
175  //Handshake message type
176  message->msgType = type;
177  //Number of bytes in the message
178  STORE24BE(length, message->length);
179  //Message sequence number
180  message->msgSeq = htons(context->txMsgSeq);
181  //Fragment offset
182  STORE24BE(0, message->fragOffset);
183  //Fragment length
184  STORE24BE(length, message->fragLength);
185 
186  //Whenever a new message is generated, the message sequence number is
187  //incremented by one (refer to RFC 6347, section 4.2.2)
188  context->txMsgSeq++;
189 
190  //Total length of the handshake message
191  length += sizeof(DtlsHandshake);
192  }
193  else
194 #endif
195  //TLS protocol?
196  {
197  TlsHandshake *message;
198 
199  //Point to the handshake message header
200  message = (TlsHandshake *) data;
201 
202  //Make room for the handshake message header
203  osMemmove(message->data, data, length);
204 
205  //Handshake message type
206  message->msgType = type;
207  //Number of bytes in the message
208  STORE24BE(length, message->length);
209 
210  //Total length of the handshake message
211  length += sizeof(TlsHandshake);
212  }
213 
214  //The HelloRequest message must not be included in the message hashes
215  //that are maintained throughout the handshake and used in the Finished
216  //messages and the CertificateVerify message
217  if(type != TLS_TYPE_HELLO_REQUEST)
218  {
219  tlsUpdateTranscriptHash(context, data, length);
220  }
221 
222  //TLS protocol?
223  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM ||
224  context->transportProtocol == TLS_TRANSPORT_PROTOCOL_EAP)
225  {
226  //Send handshake message
227  error = tlsWriteProtocolData(context, data, length, TLS_TYPE_HANDSHAKE);
228  }
229 #if (DTLS_SUPPORT == ENABLED)
230  //DTLS protocol?
231  else if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
232  {
233  //Send handshake message
234  error = dtlsWriteProtocolData(context, data, length, TLS_TYPE_HANDSHAKE);
235  }
236 #endif
237 #if (TLS_QUIC_SUPPORT == ENABLED)
238  //QUIC protocol?
239  else if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_QUIC)
240  {
241  //TLS handshake messages are carried directly over the QUIC transport
242  //(refer to RFC 9001, section 3)
243  error = tlsSendQuicHandshakeMessage(context, data, length);
244  }
245 #endif
246  //Unknown protocol?
247  else
248  {
249  //Report an error
250  error = ERROR_INVALID_PROTOCOL;
251  }
252 
253  //Return status code
254  return error;
255 }
256 
257 
258 /**
259  * @brief Receive peer's message
260  * @param[in] context Pointer to the TLS context
261  * @return Error code
262  **/
263 
264 error_t tlsReceiveHandshakeMessage(TlsContext *context)
265 {
266  error_t error;
267  size_t length;
268  uint8_t *data;
269  TlsContentType contentType;
270 
271 #if (DTLS_SUPPORT == ENABLED)
272  //DTLS protocol?
273  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
274  {
275  //A message can be fragmented across several DTLS records
276  error = dtlsReadProtocolData(context, &data, &length, &contentType);
277  }
278  else
279 #endif
280  //TLS protocol?
281  {
282  //A message can be fragmented across several TLS records
283  error = tlsReadProtocolData(context, &data, &length, &contentType);
284  }
285 
286  //Check status code
287  if(!error)
288  {
289  //Advance data pointer
290  context->rxBufferPos += length;
291  //Number of bytes still pending in the receive buffer
292  context->rxBufferLen -= length;
293 
294  //Handshake message received?
295  if(contentType == TLS_TYPE_HANDSHAKE)
296  {
297  //Parse handshake message
298  error = tlsParseHandshakeMessage(context, data, length);
299  }
300  //ChangeCipherSpec message received?
301  else if(contentType == TLS_TYPE_CHANGE_CIPHER_SPEC)
302  {
303  //The ChangeCipherSpec message is sent by an endpoint to notify the
304  //peer that subsequent records will be protected under the newly
305  //negotiated CipherSpec and keys
306  error = tlsParseChangeCipherSpec(context, (TlsChangeCipherSpec *) data,
307  length);
308  }
309  //Alert message received?
310  else if(contentType == TLS_TYPE_ALERT)
311  {
312  //Parse Alert message
313  error = tlsParseAlert(context, (TlsAlert *) data, length);
314  }
315 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
316  //Application data received?
317  else if(contentType == TLS_TYPE_APPLICATION_DATA)
318  {
319 #if (TLS_SERVER_SUPPORT == ENABLED)
320  //Server mode?
321  if(context->entity == TLS_CONNECTION_END_SERVER)
322  {
323  //Process early data
324  error = tls13ProcessEarlyData(context, data, length);
325  }
326  else
327 #endif
328  {
329  //The server cannot transmit application data before the handshake
330  //is completed
331  error = ERROR_UNEXPECTED_MESSAGE;
332  }
333  }
334  //ACK message received?
335  else if(contentType == TLS_TYPE_ACK)
336  {
337 #if (DTLS_SUPPORT == ENABLED)
338  //DTLS protocol?
339  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
340  {
341  //Parse ACK message
342  error = dtls13ParseAck(context, (Dtls13Ack *) data, length);
343  }
344  else
345 #endif
346  {
347  //Report an error
348  error = ERROR_UNEXPECTED_MESSAGE;
349  }
350  }
351 #endif
352  //Unexpected message received?
353  else
354  {
355  //Abort the handshake with an unexpected_message alert
356  error = ERROR_UNEXPECTED_MESSAGE;
357  }
358  }
359 
360  //Return status code
361  return error;
362 }
363 
364 
365 /**
366  * @brief Parse handshake message
367  * @param[in] context Pointer to the TLS context
368  * @param[in] message Pointer to the handshake message to parse
369  * @param[in] length Length of the handshake messaged
370  * @return Error code
371  **/
372 
373 error_t tlsParseHandshakeMessage(TlsContext *context, const uint8_t *message,
374  size_t length)
375 {
376  error_t error;
377  uint8_t msgType;
378  size_t n;
379  const void *p;
380 
381 #if (DTLS_SUPPORT == ENABLED)
382  //DTLS protocol?
383  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
384  {
385  //Retrieve handshake message type
386  msgType = ((DtlsHandshake *) message)->msgType;
387  //Point to the handshake message
388  p = message + sizeof(DtlsHandshake);
389  //Calculate the length of the handshake message
390  n = length - sizeof(DtlsHandshake);
391  }
392  else
393 #endif
394  //TLS protocol?
395  {
396  //Retrieve handshake message type
397  msgType = ((TlsHandshake *) message)->msgType;
398  //Point to the handshake message
399  p = message + sizeof(TlsHandshake);
400  //Calculate the length of the handshake message
401  n = length - sizeof(TlsHandshake);
402  }
403 
404 #if (TLS_MAX_KEY_UPDATE_MESSAGES > 0)
405  //Reset the count of consecutive KeyUpdate messages
406  if(msgType != TLS_TYPE_KEY_UPDATE)
407  {
408  context->keyUpdateCount = 0;
409  }
410 #endif
411 
412 #if (TLS_CLIENT_SUPPORT == ENABLED)
413  //Client mode?
414  if(context->entity == TLS_CONNECTION_END_CLIENT)
415  {
416  //Parse server's handshake message
417  error = tlsParseServerHandshakeMessage(context, msgType, p, n);
418 
419  //Update the hash value with the incoming handshake message
420  tlsUpdateTranscriptHash(context, message, length);
421  }
422  else
423 #endif
424 #if (TLS_SERVER_SUPPORT == ENABLED)
425  //Server mode?
426  if(context->entity == TLS_CONNECTION_END_SERVER)
427  {
428  //Update the hash value with the incoming handshake message
429  if(msgType == TLS_TYPE_CLIENT_KEY_EXCHANGE)
430  {
431  tlsUpdateTranscriptHash(context, message, length);
432  }
433 
434  //Parse client's handshake message
435  error = tlsParseClientHandshakeMessage(context, msgType, p, n);
436 
437  //Update the hash value with the incoming handshake message
438  if(msgType != TLS_TYPE_CLIENT_KEY_EXCHANGE)
439  {
440  tlsUpdateTranscriptHash(context, message, length);
441  }
442  }
443  else
444 #endif
445  //Unsupported mode of operation?
446  {
447  //Report an error
448  error = ERROR_FAILURE;
449  }
450 
451  //Return status code
452  return error;
453 }
454 
455 #endif
Dtls13Ack
Dtls13Ack
Definition: dtls13_misc.h:84
tlsAllocMem
#define tlsAllocMem(size)
Definition: tls.h:889
htons
#define htons(value)
Definition: cpu_endian.h:413
tls_misc.h
TLS helper functions.
TLS_TRANSPORT_PROTOCOL_QUIC
@ TLS_TRANSPORT_PROTOCOL_QUIC
Definition: tls.h:1018
tls_server_fsm.h
TLS state machine (TLS server)
tlsPerformHandshake
error_t tlsPerformHandshake(TlsContext *context)
Perform TLS handshake.
Definition: tls_handshake.c:116
tls_handshake.h
TLS handshake.
ERROR_UNEXPECTED_MESSAGE
@ ERROR_UNEXPECTED_MESSAGE
Definition: error.h:195
tls_quic_misc.h
QUIC helper functions.
p
uint8_t p
Definition: ndp.h:300
message
uint8_t message[]
Definition: chap.h:154
tlsPerformClientHandshake
error_t tlsPerformClientHandshake(TlsContext *context)
TLS client handshake.
Definition: tls_client_fsm.c:58
TRUE
#define TRUE
Definition: os_port.h:50
TLS_TYPE_CHANGE_CIPHER_SPEC
@ TLS_TYPE_CHANGE_CIPHER_SPEC
Definition: tls.h:1085
data
uint8_t data[]
Definition: ethernet.h:224
TLS_TYPE_HANDSHAKE
@ TLS_TYPE_HANDSHAKE
Definition: tls.h:1087
tlsPerformServerHandshake
error_t tlsPerformServerHandshake(TlsContext *context)
TLS server handshake.
Definition: tls_server_fsm.c:58
TLS_TRANSPORT_PROTOCOL_DATAGRAM
@ TLS_TRANSPORT_PROTOCOL_DATAGRAM
Definition: tls.h:1017
TlsMessageType
TlsMessageType
Handshake message type.
Definition: tls.h:1100
tlsParseChangeCipherSpec
error_t tlsParseChangeCipherSpec(TlsContext *context, const TlsChangeCipherSpec *message, size_t length)
Parse ChangeCipherSpec message.
Definition: tls_common.c:1345
type
uint8_t type
Definition: coap_common.h:176
ERROR_OUT_OF_MEMORY
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
TLS_TYPE_ACK
@ TLS_TYPE_ACK
Definition: tls.h:1091
tlsReceiveHandshakeMessage
error_t tlsReceiveHandshakeMessage(TlsContext *context)
Receive peer's message.
Definition: tls_handshake.c:264
TlsChangeCipherSpec
TlsChangeCipherSpec
Definition: tls.h:2005
tlsSendHandshakeMessage
error_t tlsSendHandshakeMessage(TlsContext *context, const void *data, size_t length, TlsMessageType type)
Send handshake message.
Definition: tls_handshake.c:158
TLS_STATE_CLIENT_HELLO
@ TLS_STATE_CLIENT_HELLO
Definition: tls.h:1559
TlsHandshake
TlsHandshake
Definition: tls.h:1897
tlsParseAlert
error_t tlsParseAlert(TlsContext *context, const TlsAlert *message, size_t length)
Parse Alert message.
Definition: tls_common.c:1610
ERROR_INVALID_PARAMETER
@ ERROR_INVALID_PARAMETER
Invalid parameter.
Definition: error.h:47
TlsContext
#define TlsContext
Definition: tls.h:36
error_t
error_t
Error codes.
Definition: error.h:43
dtls_record.h
DTLS record layer.
TLS_CONNECTION_END_SERVER
@ TLS_CONNECTION_END_SERVER
Definition: tls.h:1030
ERROR_FAILURE
@ ERROR_FAILURE
Generic error code.
Definition: error.h:45
TlsAlert
TlsAlert
Definition: tls.h:2016
TLS_TYPE_APPLICATION_DATA
@ TLS_TYPE_APPLICATION_DATA
Definition: tls.h:1088
TLS_TYPE_ALERT
@ TLS_TYPE_ALERT
Definition: tls.h:1086
tls_common.h
Handshake message processing (TLS client and server)
tls_record.h
TLS record protocol.
tlsReadProtocolData
error_t tlsReadProtocolData(TlsContext *context, uint8_t **data, size_t *length, TlsContentType *contentType)
Read protocol data.
Definition: tls_record.c:157
TLS_TRANSPORT_PROTOCOL_EAP
@ TLS_TRANSPORT_PROTOCOL_EAP
Definition: tls.h:1019
dtlsWriteProtocolData
error_t dtlsWriteProtocolData(TlsContext *context, const uint8_t *data, size_t length, TlsContentType contentType)
Write protocol data.
Definition: dtls_record.c:62
length
uint8_t length
Definition: tcp.h:375
ERROR_INVALID_PROTOCOL
@ ERROR_INVALID_PROTOCOL
Definition: error.h:101
TLS_TYPE_CLIENT_KEY_EXCHANGE
@ TLS_TYPE_CLIENT_KEY_EXCHANGE
Definition: tls.h:1116
tls13_server_misc.h
Helper functions for TLS 1.3 server.
tls_client_fsm.h
TLS state machine (TLS client)
tlsUpdateTranscriptHash
void tlsUpdateTranscriptHash(TlsContext *context, const void *data, size_t length)
Update hash value with a handshake message.
Definition: tls_transcript_hash.c:193
tls_transcript_hash.h
Transcript hash calculation.
dtls13ParseAck
error_t dtls13ParseAck(TlsContext *context, const Dtls13Ack *message, size_t length)
Parse ACK message.
Definition: dtls13_misc.c:257
TlsContentType
TlsContentType
Content type.
Definition: tls.h:1083
msgType
uint8_t msgType
Definition: mqtt_sn_common.h:183
dtlsReadProtocolData
error_t dtlsReadProtocolData(TlsContext *context, uint8_t **data, size_t *length, TlsContentType *contentType)
Read protocol data.
Definition: dtls_record.c:167
n
uint8_t n
Definition: dhcpv6_common.h:416
tlsParseHandshakeMessage
error_t tlsParseHandshakeMessage(TlsContext *context, const uint8_t *message, size_t length)
Parse handshake message.
Definition: tls_handshake.c:373
DtlsHandshake
DtlsHandshake
Definition: dtls_misc.h:200
tlsWriteProtocolData
error_t tlsWriteProtocolData(TlsContext *context, const uint8_t *data, size_t length, TlsContentType contentType)
Write protocol data.
Definition: tls_record.c:54
TLS_CONNECTION_END_CLIENT
@ TLS_CONNECTION_END_CLIENT
Definition: tls.h:1029
tls.h
TLS (Transport Layer Security)
STORE24BE
#define STORE24BE(a, p)
Definition: cpu_endian.h:273
TLS_TRANSPORT_PROTOCOL_STREAM
@ TLS_TRANSPORT_PROTOCOL_STREAM
Definition: tls.h:1016
tlsSendQuicHandshakeMessage
error_t tlsSendQuicHandshakeMessage(TlsContext *context, const uint8_t *message, size_t length)
Send handshake message.
Definition: tls_quic_misc.c:212
tlsParseServerHandshakeMessage
error_t tlsParseServerHandshakeMessage(TlsContext *context, uint8_t msgType, const void *message, size_t length)
Parse server's handshake message.
Definition: tls_client_fsm.c:263
tlsParseClientHandshakeMessage
error_t tlsParseClientHandshakeMessage(TlsContext *context, uint8_t msgType, const void *message, size_t length)
Parse client's handshake message.
Definition: tls_server_fsm.c:335
tlsChangeState
void tlsChangeState(TlsContext *context, TlsState newState)
Update TLS state.
Definition: tls_misc.c:54
TLS_TYPE_HELLO_REQUEST
@ TLS_TYPE_HELLO_REQUEST
Definition: tls.h:1101
osMemset
#define osMemset(p, value, length)
Definition: os_port.h:138
TLS_TYPE_KEY_UPDATE
@ TLS_TYPE_KEY_UPDATE
Definition: tls.h:1121
tls13ProcessEarlyData
error_t tls13ProcessEarlyData(TlsContext *context, const uint8_t *data, size_t length)
Process early data.
Definition: tls13_server_misc.c:600
NO_ERROR
@ NO_ERROR
Success.
Definition: error.h:44
debug.h
Debugging facilities.
osMemmove
#define osMemmove(dest, src, length)
Definition: os_port.h:150
tlsInitHandshake
error_t tlsInitHandshake(TlsContext *context)
TLS handshake initialization.
Definition: tls_handshake.c:58