tls_server.c
Go to the documentation of this file.
1 /**
2  * @file tls_server.c
3  * @brief Handshake message processing (TLS server)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @section Description
28  *
29  * The TLS protocol provides communications security over the Internet. The
30  * protocol allows client/server applications to communicate in a way that
31  * is designed to prevent eavesdropping, tampering, or message forgery
32  *
33  * @author Oryx Embedded SARL (www.oryx-embedded.com)
34  * @version 2.4.0
35  **/
36 
37 //Switch to the appropriate trace level
38 #define TRACE_LEVEL TLS_TRACE_LEVEL
39 
40 //Dependencies
41 #include "tls.h"
42 #include "tls_cipher_suites.h"
43 #include "tls_handshake.h"
44 #include "tls_server.h"
45 #include "tls_server_extensions.h"
46 #include "tls_server_misc.h"
47 #include "tls_common.h"
48 #include "tls_extensions.h"
49 #include "tls_sign_misc.h"
50 #include "tls_key_material.h"
51 #include "tls_transcript_hash.h"
52 #include "tls_cache.h"
53 #include "tls_ffdhe.h"
54 #include "tls_record.h"
55 #include "tls_misc.h"
56 #include "tls13_server.h"
58 #include "tls13_server_misc.h"
59 #include "dtls_record.h"
60 #include "dtls_misc.h"
61 #include "pkix/pem_import.h"
62 #include "pkix/x509_cert_parse.h"
63 #include "date_time.h"
64 #include "debug.h"
65 
66 //Check TLS library configuration
67 #if (TLS_SUPPORT == ENABLED && TLS_SERVER_SUPPORT == ENABLED)
68 
69 
70 /**
71  * @brief Send ServerHello message
72  *
73  * The server will send this message in response to a ClientHello
74  * message when it was able to find an acceptable set of algorithms.
75  * If it cannot find such a match, it will respond with a handshake
76  * failure alert
77  *
78  * @param[in] context Pointer to the TLS context
79  * @return Error code
80  **/
81 
83 {
84  error_t error;
85  size_t length;
87 
88  //Point to the buffer where to format the message
89  message = (TlsServerHello *) (context->txBuffer + context->txBufferLen);
90 
91  //Generate the server random value using a cryptographically-safe
92  //pseudorandom number generator
93  error = tlsGenerateRandomValue(context, context->serverRandom);
94 
95  //Check status code
96  if(!error)
97  {
98  //Format ServerHello message
99  error = tlsFormatServerHello(context, message, &length);
100  }
101 
102  //Check status code
103  if(!error)
104  {
105  //Debug message
106  TRACE_INFO("Sending ServerHello message (%" PRIuSIZE " bytes)...\r\n", length);
108 
109  //Send handshake message
110  error = tlsSendHandshakeMessage(context, message, length,
112  }
113 
114  //Check status code
115  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
116  {
117  //Version of TLS prior to TLS 1.3?
118  if(context->version <= TLS_VERSION_1_2)
119  {
120 #if (TLS_SESSION_RESUME_SUPPORT == ENABLED)
121  //Use abbreviated handshake?
122  if(context->resume)
123  {
124  //Derive session keys from the master secret
125  error = tlsGenerateSessionKeys(context);
126 
127  //Key material successfully generated?
128  if(!error)
129  {
130 #if (TLS_TICKET_SUPPORT == ENABLED)
131  //The server uses a zero-length SessionTicket extension to
132  //indicate to the client that it will send a new session ticket
133  //using the NewSessionTicket handshake message
134  if(context->sessionTicketExtSent)
135  {
136  //Send a NewSessionTicket message to the client
138  }
139  else
140 #endif
141  {
142  //At this point, both client and server must send ChangeCipherSpec
143  //messages and proceed directly to Finished messages
145  }
146  }
147  }
148  else
149 #endif
150  {
151  //Perform a full handshake
153  }
154  }
155  else
156  {
157 #if (TLS13_MIDDLEBOX_COMPAT_SUPPORT == ENABLED)
158  //First handshake message sent by the server?
159  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM &&
160  context->state == TLS_STATE_SERVER_HELLO)
161  {
162  //In middlebox compatibility mode, the server must send a dummy
163  //ChangeCipherSpec record immediately after its first handshake
164  //message
166  }
167  else
168 #endif
169  {
170  //All handshake messages after the ServerHello are now encrypted
172  }
173  }
174  }
175 
176  //Return status code
177  return error;
178 }
179 
180 
181 /**
182  * @brief Send ServerKeyExchange message
183  *
184  * The ServerKeyExchange message is sent by the server only when the
185  * server Certificate message does not contain enough data to allow
186  * the client to exchange a premaster secret
187  *
188  * @param[in] context Pointer to the TLS context
189  * @return Error code
190  **/
191 
193 {
194  error_t error;
195  size_t length;
197 
198  //Initialize status code
199  error = NO_ERROR;
200 
201  //Point to the buffer where to format the message
202  message = (TlsServerKeyExchange *) (context->txBuffer + context->txBufferLen);
203  //Initialize length
204  length = 0;
205 
206  //The ServerKeyExchange message is sent by the server only when the server
207  //Certificate message (if sent) does not contain enough data to allow the
208  //client to exchange a premaster secret
209  if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
210  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
211  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
212  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
213  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
214  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
215  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
216  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
217  {
218  //Format ServerKeyExchange message
219  error = tlsFormatServerKeyExchange(context, message, &length);
220  }
221  else if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
222  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
223  {
224 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
225  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
226  //If no PSK identity hint is provided by the server, the
227  //ServerKeyExchange message is omitted...
228  if(context->pskIdentityHint != NULL)
229  {
230  //Format ServerKeyExchange message
231  error = tlsFormatServerKeyExchange(context, message, &length);
232  }
233 #endif
234  }
235 
236  //Check status code
237  if(!error)
238  {
239  //Any message to send?
240  if(length > 0)
241  {
242  //Debug message
243  TRACE_INFO("Sending ServerKeyExchange message (%" PRIuSIZE " bytes)...\r\n", length);
245 
246  //Send handshake message
247  error = tlsSendHandshakeMessage(context, message, length,
249  }
250  }
251 
252  //Check status code
253  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
254  {
255  //A server can optionally request a certificate from the client
257  }
258 
259  //Return status code
260  return error;
261 }
262 
263 
264 /**
265  * @brief Send CertificateRequest message
266  *
267  * A server can optionally request a certificate from the client, if
268  * appropriate for the selected cipher suite. This message will
269  * immediately follow the ServerKeyExchange message
270  *
271  * @param[in] context Pointer to the TLS context
272  * @return Error code
273  **/
274 
276 {
277  error_t error;
278  size_t length;
280 
281  //Initialize status code
282  error = NO_ERROR;
283 
284 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED || \
285  TLS_DSA_SIGN_SUPPORT == ENABLED || TLS_ECDSA_SIGN_SUPPORT == ENABLED)
286  //A server can optionally request a certificate from the client
287  if(context->clientAuthMode != TLS_CLIENT_AUTH_NONE)
288  {
289  //Non-anonymous key exchange?
290  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
291  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
292  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
293  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
294  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
295  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
296  context->keyExchMethod == TLS13_KEY_EXCH_DHE ||
297  context->keyExchMethod == TLS13_KEY_EXCH_ECDHE)
298  {
299  //Point to the buffer where to format the message
300  message = (TlsCertificateRequest *) (context->txBuffer + context->txBufferLen);
301 
302  //Format CertificateRequest message
303  error = tlsFormatCertificateRequest(context, message, &length);
304 
305  //Check status code
306  if(!error)
307  {
308  //Debug message
309  TRACE_INFO("Sending CertificateRequest message (%" PRIuSIZE " bytes)...\r\n", length);
311 
312  //Send handshake message
313  error = tlsSendHandshakeMessage(context, message, length,
315  }
316  }
317  }
318 #endif
319 
320  //Check status code
321  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
322  {
323  //Version of TLS prior to TLS 1.3?
324  if(context->version <= TLS_VERSION_1_2)
325  {
326  //Send a ServerHelloDone message to the client
328  }
329  else
330  {
331  //Send a Certificate message to the client
333  }
334  }
335 
336  //Return status code
337  return error;
338 }
339 
340 
341 /**
342  * @brief Send ServerHelloDone message
343  *
344  * The ServerHelloDone message is sent by the server to indicate the
345  * end of the ServerHello and associated messages. After sending this
346  * message, the server will wait for a client response
347  *
348  * @param[in] context Pointer to the TLS context
349  * @return Error code
350  **/
351 
353 {
354  error_t error;
355  size_t length;
357 
358  //Point to the buffer where to format the message
359  message = (TlsServerHelloDone *) (context->txBuffer + context->txBufferLen);
360 
361  //Format ServerHelloDone message
362  error = tlsFormatServerHelloDone(context, message, &length);
363 
364  //Check status code
365  if(!error)
366  {
367  //Debug message
368  TRACE_INFO("Sending ServerHelloDone message (%" PRIuSIZE " bytes)...\r\n", length);
370 
371  //Send handshake message
372  error = tlsSendHandshakeMessage(context, message, length,
374  }
375 
376  //Check status code
377  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
378  {
379  //The client must send a Certificate message if the server requests it
380  if(context->clientAuthMode != TLS_CLIENT_AUTH_NONE)
381  {
383  }
384  else
385  {
387  }
388  }
389 
390  //Return status code
391  return error;
392 }
393 
394 
395 /**
396  * @brief Send NewSessionTicket message
397  *
398  * This NewSessionTicket message is sent by the server during the TLS handshake
399  * before the ChangeCipherSpec message
400  *
401  * @param[in] context Pointer to the TLS context
402  * @return Error code
403  **/
404 
406 {
407  error_t error;
408  size_t length;
410 
411  //Point to the buffer where to format the message
412  message = (TlsNewSessionTicket *) (context->txBuffer + context->txBufferLen);
413 
414  //Format NewSessionTicket message
415  error = tlsFormatNewSessionTicket(context, message, &length);
416 
417  //Check status code
418  if(!error)
419  {
420  //Debug message
421  TRACE_INFO("Sending NewSessionTicket message (%" PRIuSIZE " bytes)...\r\n", length);
423 
424  //Send handshake message
425  error = tlsSendHandshakeMessage(context, message, length,
427  }
428 
429  //Check status code
430  if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT)
431  {
432  //The NewSessionTicket message is sent by the server during the TLS
433  //handshake before the ChangeCipherSpec message
435  }
436 
437  //Return status code
438  return error;
439 }
440 
441 
442 /**
443  * @brief Format ServerHello message
444  * @param[in] context Pointer to the TLS context
445  * @param[out] message Buffer where to format the ServerHello message
446  * @param[out] length Length of the resulting ServerHello message
447  * @return Error code
448  **/
449 
451  TlsServerHello *message, size_t *length)
452 {
453  error_t error;
454  uint16_t version;
455  size_t n;
456  uint8_t *p;
457  TlsExtensionList *extensionList;
458 
459  //In TLS 1.3, the client indicates its version preferences in the
460  //SupportedVersions extension and the legacy_version field must be
461  //set to 0x0303, which is the version number for TLS 1.2
462  version = MIN(context->version, TLS_VERSION_1_2);
463 
464 #if (DTLS_SUPPORT == ENABLED)
465  //DTLS protocol?
466  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
467  {
468  //Get the corresponding DTLS version
470  }
471 #endif
472 
473  //In previous versions of TLS, the version field contains the lower of
474  //the version suggested by the client in the ClientHello and the highest
475  //supported by the server
476  message->serverVersion = htons(version);
477 
478  //Server random value
479  osMemcpy(message->random, context->serverRandom, 32);
480 
481  //Point to the session ID
482  p = message->sessionId;
483  //Length of the handshake message
484  *length = sizeof(TlsServerHello);
485 
486  //Version of TLS prior to TLS 1.3?
487  if(context->version <= TLS_VERSION_1_2)
488  {
489 #if (TLS_SESSION_RESUME_SUPPORT == ENABLED)
490  //The session ID uniquely identifies the current session
491  osMemcpy(message->sessionId, context->sessionId, context->sessionIdLen);
492  message->sessionIdLen = (uint8_t) context->sessionIdLen;
493 #else
494  //The server may return an empty session ID to indicate that the session
495  //will not be cached and therefore cannot be resumed
496  message->sessionIdLen = 0;
497 #endif
498  }
499  else
500  {
501  //The legacy_session_id_echo echoes the contents of the client's
502  //legacy_session_id field
503  osMemcpy(message->sessionId, context->sessionId, context->sessionIdLen);
504  message->sessionIdLen = (uint8_t) context->sessionIdLen;
505  }
506 
507  //Debug message
508  TRACE_DEBUG("Session ID (%" PRIu8 " bytes):\r\n", message->sessionIdLen);
509  TRACE_DEBUG_ARRAY(" ", message->sessionId, message->sessionIdLen);
510 
511  //Advance data pointer
512  p += message->sessionIdLen;
513  //Adjust the length of the message
514  *length += message->sessionIdLen;
515 
516  //The cipher_suite field contains the cipher suite selected by the server
517  STORE16BE(context->cipherSuite.identifier, p);
518 
519  //Advance data pointer
520  p += sizeof(uint16_t);
521  //Adjust the length of the message
522  *length += sizeof(uint16_t);
523 
524  //The CRIME exploit takes advantage of TLS compression, so conservative
525  //implementations do not enable compression at the TLS level
527 
528  //Advance data pointer
529  p += sizeof(uint8_t);
530  //Adjust the length of the message
531  *length += sizeof(uint8_t);
532 
533  //Only extensions offered by the client can appear in the server's list
534  extensionList = (TlsExtensionList *) p;
535  //Total length of the extension list
536  extensionList->length = 0;
537 
538  //Point to the first extension of the list
539  p += sizeof(TlsExtensionList);
540 
541 #if (TLS_MAX_VERSION >= TLS_VERSION_1_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
542  //TLS 1.0, TLS 1.1 or TLS 1.2 selected by the server?
543  if(context->version <= TLS_VERSION_1_2)
544  {
545 #if (TLS_SNI_SUPPORT == ENABLED)
546  //The server may include a SNI extension in the ServerHello
547  error = tlsFormatServerSniExtension(context, p, &n);
548  //Any error to report?
549  if(error)
550  return error;
551 
552  //Fix the length of the extension list
553  extensionList->length += (uint16_t) n;
554  //Point to the next field
555  p += n;
556 #endif
557 
558 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
559  //Servers that receive an ClientHello containing a MaxFragmentLength
560  //extension may accept the requested maximum fragment length by including
561  //an extension of type MaxFragmentLength in the ServerHello
562  error = tlsFormatServerMaxFragLenExtension(context, p, &n);
563  //Any error to report?
564  if(error)
565  return error;
566 
567  //Fix the length of the extension list
568  extensionList->length += (uint16_t) n;
569  //Point to the next field
570  p += n;
571 #endif
572 
573 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
574  //The value of RecordSizeLimit is the maximum size of record in octets
575  //that the endpoint is willing to receive
576  error = tlsFormatServerRecordSizeLimitExtension(context, p, &n);
577  //Any error to report?
578  if(error)
579  return error;
580 
581  //Fix the length of the extension list
582  extensionList->length += (uint16_t) n;
583  //Point to the next field
584  p += n;
585 #endif
586 
587 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
588  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
589  //A server that selects an ECC cipher suite in response to a ClientHello
590  //message including an EcPointFormats extension appends this extension
591  //to its ServerHello message
592  error = tlsFormatServerEcPointFormatsExtension(context, p, &n);
593  //Any error to report?
594  if(error)
595  return error;
596 
597  //Fix the length of the extension list
598  extensionList->length += (uint16_t) n;
599  //Point to the next field
600  p += n;
601 #endif
602 
603 #if (TLS_ALPN_SUPPORT == ENABLED)
604  //The ALPN extension contains the name of the selected protocol
605  error = tlsFormatServerAlpnExtension(context, p, &n);
606  //Any error to report?
607  if(error)
608  return error;
609 
610  //Fix the length of the extension list
611  extensionList->length += (uint16_t) n;
612  //Point to the next field
613  p += n;
614 #endif
615 
616 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
617  //The ClientCertType extension in the ServerHello indicates the type
618  //of certificates the client is requested to provide in a subsequent
619  //certificate payload
620  error = tlsFormatClientCertTypeExtension(context, p, &n);
621  //Any error to report?
622  if(error)
623  return error;
624 
625  //Fix the length of the extension list
626  extensionList->length += (uint16_t) n;
627  //Point to the next field
628  p += n;
629 
630  //With the ServerCertType extension in the ServerHello, the TLS server
631  //indicates the certificate type carried in the certificate payload
632  error = tlsFormatServerCertTypeExtension(context, p, &n);
633  //Any error to report?
634  if(error)
635  return error;
636 
637  //Fix the length of the extension list
638  extensionList->length += (uint16_t) n;
639  //Point to the next field
640  p += n;
641 #endif
642 
643 #if (TLS_ENCRYPT_THEN_MAC_SUPPORT == ENABLED)
644  //On connecting, the client includes the EncryptThenMac extension in
645  //its ClientHello if it wishes to use encrypt-then-MAC rather than the
646  //default MAC-then-encrypt. If the server is capable of meeting this
647  //requirement, it responds with an EncryptThenMac in its ServerHello
648  error = tlsFormatServerEtmExtension(context, p, &n);
649  //Any error to report?
650  if(error)
651  return error;
652 
653  //Fix the length of the extension list
654  extensionList->length += (uint16_t) n;
655  //Point to the next field
656  p += n;
657 #endif
658 
659 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
660  //If a server implementing RFC 7627 receives the ExtendedMasterSecret
661  //extension, it must include the extension in its ServerHello message
662  error = tlsFormatServerEmsExtension(context, p, &n);
663  //Any error to report?
664  if(error)
665  return error;
666 
667  //Fix the length of the extension list
668  extensionList->length += (uint16_t) n;
669  //Point to the next field
670  p += n;
671 #endif
672 
673 #if (TLS_TICKET_SUPPORT == ENABLED)
674  //The server uses the SessionTicket extension to indicate to the client
675  //that it will send a new session ticket using the NewSessionTicket
676  //handshake message
677  error = tlsFormatServerSessionTicketExtension(context, p, &n);
678  //Any error to report?
679  if(error)
680  return error;
681 
682  //Fix the length of the extension list
683  extensionList->length += (uint16_t) n;
684  //Point to the next field
685  p += n;
686 #endif
687 
688 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
689  //During secure renegotiation, the server must include a renegotiation_info
690  //extension containing the saved client_verify_data and server_verify_data
691  error = tlsFormatServerRenegoInfoExtension(context, p, &n);
692  //Any error to report?
693  if(error)
694  return error;
695 
696  //Fix the length of the extension list
697  extensionList->length += (uint16_t) n;
698  //Point to the next field
699  p += n;
700 #endif
701  }
702  else
703 #endif
704 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
705  //TLS 1.3 selected by the server?
706  if(context->version == TLS_VERSION_1_3)
707  {
708  //A server which negotiates TLS 1.3 must respond by sending a
709  //SupportedVersions extension containing the selected version value
710  error = tls13FormatServerSupportedVersionsExtension(context, p, &n);
711  //Any error to report?
712  if(error)
713  return error;
714 
715  //Fix the length of the extension list
716  extensionList->length += (uint16_t) n;
717  //Point to the next field
718  p += n;
719 
720  //If using (EC)DHE key establishment, servers offer exactly one
721  //KeyShareEntry in the ServerHello
722  error = tls13FormatServerKeyShareExtension(context, p, &n);
723  //Any error to report?
724  if(error)
725  return error;
726 
727  //Fix the length of the extension list
728  extensionList->length += (uint16_t) n;
729  //Point to the next field
730  p += n;
731 
732  //In order to accept PSK key establishment, the server sends a
733  //PreSharedKey extension indicating the selected identity
734  error = tls13FormatServerPreSharedKeyExtension(context, p, &n);
735  //Any error to report?
736  if(error)
737  return error;
738 
739  //Fix the length of the extension list
740  extensionList->length += (uint16_t) n;
741  //Point to the next field
742  p += n;
743  }
744  else
745 #endif
746  //Invalid TLS version?
747  {
748  //Report an error
749  return ERROR_INVALID_VERSION;
750  }
751 
752  //Any extensions included in the ServerHello message?
753  if(extensionList->length > 0)
754  {
755  //Convert the length of the extension list to network byte order
756  extensionList->length = htons(extensionList->length);
757  //Total length of the message
758  *length += sizeof(TlsExtensionList) + htons(extensionList->length);
759  }
760 
761  //Successful processing
762  return NO_ERROR;
763 }
764 
765 
766 /**
767  * @brief Format ServerKeyExchange message
768  * @param[in] context Pointer to the TLS context
769  * @param[out] message Buffer where to format the ServerKeyExchange message
770  * @param[out] length Length of the resulting ServerKeyExchange message
771  * @return Error code
772  **/
773 
776 {
777  error_t error;
778  size_t n;
779  size_t paramsLen;
780  uint8_t *p;
781  uint8_t *params;
782 
783  //Point to the beginning of the handshake message
784  p = message;
785  //Length of the handshake message
786  *length = 0;
787 
788 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
789  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
790  //PSK key exchange method?
791  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
792  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
793  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
794  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
795  {
796  //To help the client in selecting which identity to use, the server
797  //can provide a PSK identity hint in the ServerKeyExchange message
798  error = tlsFormatPskIdentityHint(context, p, &n);
799  //Any error to report?
800  if(error)
801  return error;
802 
803  //Advance data pointer
804  p += n;
805  //Adjust the length of the message
806  *length += n;
807  }
808 #endif
809 
810  //Diffie-Hellman or ECDH key exchange method?
811  if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||
812  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
813  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
814  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
815  context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||
816  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
817  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
818  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
819  {
820  //Point to the server's key exchange parameters
821  params = p;
822 
823  //Format server's key exchange parameters
824  error = tlsFormatServerKeyParams(context, p, &paramsLen);
825  //Any error to report?
826  if(error)
827  return error;
828 
829  //Advance data pointer
830  p += paramsLen;
831  //Adjust the length of the message
832  *length += paramsLen;
833  }
834  else
835  {
836  //Just for sanity
837  params = NULL;
838  paramsLen = 0;
839  }
840 
841  //For non-anonymous Diffie-Hellman and ECDH key exchanges, a signature
842  //over the server's key exchange parameters shall be generated
843  if(context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
844  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
845  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
846  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA)
847  {
848 #if (TLS_MAX_VERSION >= TLS_VERSION_1_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)
849  //TLS 1.0 or TLS 1.1 currently selected?
850  if(context->version <= TLS_VERSION_1_1)
851  {
852  //Sign server's key exchange parameters
853  error = tlsGenerateServerKeySignature(context,
854  (TlsDigitalSignature *) p, params, paramsLen, &n);
855  }
856  else
857 #endif
858 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
859  //TLS 1.2 currently selected?
860  if(context->version == TLS_VERSION_1_2)
861  {
862  //Sign server's key exchange parameters
863  error = tls12GenerateServerKeySignature(context,
864  (Tls12DigitalSignature *) p, params, paramsLen, &n);
865  }
866  else
867 #endif
868  {
869  //Report an error
870  error = ERROR_INVALID_VERSION;
871  }
872 
873  //Any error to report?
874  if(error)
875  return error;
876 
877  //Advance data pointer
878  p += n;
879  //Adjust the length of the message
880  *length += n;
881  }
882 
883  //Successful processing
884  return NO_ERROR;
885 }
886 
887 
888 /**
889  * @brief Format CertificateRequest message
890  * @param[in] context Pointer to the TLS context
891  * @param[out] message Buffer where to format the CertificateRequest message
892  * @param[out] length Length of the resulting CertificateRequest message
893  * @return Error code
894  **/
895 
898 {
899  error_t error;
900  size_t n;
901  uint8_t *p;
902 
903  //Initialize status code
904  error = NO_ERROR;
905 
906  //Point to the beginning of the message
907  p = (uint8_t *) message;
908 
909 #if (TLS_MAX_VERSION >= TLS_VERSION_1_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
910  //Version of TLS prior to TLS 1.3?
911  if(context->version <= TLS_VERSION_1_2)
912  {
913  //Enumerate the types of certificate types that the client may offer
914  n = 0;
915 
916 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
917  //Accept certificates that contain an RSA public key
918  message->certificateTypes[n++] = TLS_CERT_RSA_SIGN;
919 #endif
920 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
921  //Accept certificates that contain a DSA public key
922  message->certificateTypes[n++] = TLS_CERT_DSS_SIGN;
923 #endif
924 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
925  //Accept certificates that contain an ECDSA public key
926  message->certificateTypes[n++] = TLS_CERT_ECDSA_SIGN;
927 #endif
928 
929  //Fix the length of the list
930  message->certificateTypesLen = (uint8_t) n;
931  //Length of the handshake message
932  *length = sizeof(TlsCertificateRequest) + n;
933 
934  //TLS 1.2 currently selected?
935  if(context->version == TLS_VERSION_1_2)
936  {
937  //The supported_signature_algorithms list contains the hash/signature
938  //algorithm pairs that the server is able to verify. Servers can
939  //minimize the computation cost by offering a restricted set of digest
940  //algorithms
941  error = tlsFormatSupportedSignAlgos(context, p + *length, &n);
942 
943  //Check status code
944  if(!error)
945  {
946  //Adjust the length of the message
947  *length += n;
948  }
949  }
950 
951  //Check status code
952  if(!error)
953  {
954  //The certificate_authorities list contains the distinguished names of
955  //acceptable certificate authorities, represented in DER-encoded format
956  error = tlsFormatCertAuthorities(context, p + *length, &n);
957  }
958 
959  //Check status code
960  if(!error)
961  {
962  //Adjust the length of the message
963  *length += n;
964  }
965  }
966  else
967 #endif
968 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
969  //TLS 1.3 currently selected?
970  if(context->version == TLS_VERSION_1_3)
971  {
972  Tls13CertRequestContext *certRequestContext;
973  TlsExtensionList *extensionList;
974 
975  //Point to the certificate_request_context field
976  certRequestContext = (Tls13CertRequestContext *) p;
977 
978  //The certificate_request_context field shall be zero length unless
979  //used for the post-handshake authentication exchange
980  certRequestContext->length = 0;
981 
982  //Point to the next field
983  p += sizeof(Tls13CertRequestContext);
984  //Length of the handshake message
985  *length = sizeof(Tls13CertRequestContext);
986 
987  //The extensions describe the parameters of the certificate being
988  //requested
989  extensionList = (TlsExtensionList *) p;
990  //Total length of the extension list
991  extensionList->length = 0;
992 
993  //Point to the first extension of the list
994  p += sizeof(TlsExtensionList);
995  //Adjust the length of the message
996  *length += sizeof(TlsExtensionList);
997 
998  //The SignatureAlgorithms extension contains the list of signature
999  //algorithms which the server would accept (refer to RFC 8446,
1000  //section 4.3.2)
1001  error = tlsFormatSignAlgosExtension(context, p, &n);
1002 
1003 #if (TLS_SIGN_ALGOS_CERT_SUPPORT == ENABLED)
1004  //Check status code
1005  if(!error)
1006  {
1007  //Fix the length of the extension list
1008  extensionList->length += (uint16_t) n;
1009  //Point to the next field
1010  p += n;
1011 
1012  //The SignatureAlgorithmsCert extension may optionally be included
1013  error = tlsFormatSignAlgosCertExtension(context, p, &n);
1014  }
1015 #endif
1016 
1017 #if (TLS_CERT_AUTHORITIES_SUPPORT == ENABLED)
1018  //Check status code
1019  if(!error)
1020  {
1021  //Fix the length of the extension list
1022  extensionList->length += (uint16_t) n;
1023  //Point to the next field
1024  p += n;
1025 
1026  //The CertificateAuthorities extension is used to indicate the CAs
1027  //which an endpoint supports and which should be used by the receiving
1028  //endpoint to guide certificate selection
1029  error = tlsFormatCertAuthoritiesExtension(context, p, &n);
1030  }
1031 #endif
1032 
1033  //Check status code
1034  if(!error)
1035  {
1036  //Fix the length of the extension list
1037  extensionList->length += (uint16_t) n;
1038  //Point to the next field
1039  p += n;
1040  }
1041 
1042  //Convert the length of the extension list to network byte order
1043  extensionList->length = htons(extensionList->length);
1044  //Total length of the message
1045  *length += htons(extensionList->length);
1046  }
1047  else
1048 #endif
1049  //Invalid TLS version?
1050  {
1051  //Report an error
1052  error = ERROR_INVALID_VERSION;
1053  }
1054 
1055  //Return status code
1056  return error;
1057 }
1058 
1059 
1060 /**
1061  * @brief Format ServerHelloDone message
1062  * @param[in] context Pointer to the TLS context
1063  * @param[out] message Buffer where to format the ServerHelloDone message
1064  * @param[out] length Length of the resulting ServerHelloDone message
1065  * @return Error code
1066  **/
1067 
1069  TlsServerHelloDone *message, size_t *length)
1070 {
1071  //The ServerHelloDone message does not contain any data
1072  *length = 0;
1073 
1074  //Successful processing
1075  return NO_ERROR;
1076 }
1077 
1078 
1079 /**
1080  * @brief Format NewSessionTicket message
1081  * @param[in] context Pointer to the TLS context
1082  * @param[out] message Buffer where to format the NewSessionTicket message
1083  * @param[out] length Length of the resulting NewSessionTicket message
1084  * @return Error code
1085  **/
1086 
1089 {
1090 #if (TLS_MAX_VERSION >= TLS_VERSION_1_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2 && \
1091  TLS_TICKET_SUPPORT == ENABLED)
1092  error_t error;
1093  size_t n;
1094  TlsPlaintextSessionState *state;
1095 
1096  //The ticket_lifetime_hint field contains a hint from the server about how
1097  //long the ticket should be stored
1098  message->ticketLifetimeHint = HTONL(TLS_TICKET_LIFETIME / 1000);
1099 
1100  //The ticket itself is opaque to the client
1101  state = (TlsPlaintextSessionState *) message->ticket;
1102 
1103  //Save session state
1104  state->version = context->version;
1105  state->cipherSuite = context->cipherSuite.identifier;
1106  osMemcpy(state->secret, context->masterSecret, TLS_MASTER_SECRET_SIZE);
1107  state->ticketTimestamp = osGetSystemTime();
1108  state->ticketLifetime = TLS_TICKET_LIFETIME;
1109 
1110 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
1111  //Extended master secret computation
1112  state->extendedMasterSecret = context->emsExtReceived;
1113 #endif
1114 
1115  //Make sure a valid callback has been registered
1116  if(context->ticketEncryptCallback != NULL)
1117  {
1118  //Encrypt the state information
1119  error = context->ticketEncryptCallback(context, (uint8_t *) state,
1120  sizeof(TlsPlaintextSessionState), message->ticket, &n,
1121  context->ticketParam);
1122  }
1123  else
1124  {
1125  //Report en error
1126  error = ERROR_FAILURE;
1127  }
1128 
1129  //Check status code
1130  if(!error)
1131  {
1132  //Fix the length of the ticket
1133  message->ticketLen = htons(n);
1134 
1135  //Total length of the message
1136  *length = sizeof(TlsNewSessionTicket) + n;
1137  }
1138 
1139  //Return status code
1140  return error;
1141 #else
1142  //Session ticket mechanism is not implemented
1143  return ERROR_NOT_IMPLEMENTED;
1144 #endif
1145 }
1146 
1147 
1148 /**
1149  * @brief Parse ClientHello message
1150  *
1151  * When a client first connects to a server, it is required to send
1152  * the ClientHello as its first message. The client can also send a
1153  * ClientHello in response to a HelloRequest or on its own initiative
1154  * in order to renegotiate the security parameters in an existing
1155  * connection
1156  *
1157  * @param[in] context Pointer to the TLS context
1158  * @param[in] message Incoming ClientHello message to parse
1159  * @param[in] length Message length
1160  * @return Error code
1161  **/
1162 
1164  const TlsClientHello *message, size_t length)
1165 {
1166  error_t error;
1167  size_t n;
1168  const uint8_t *p;
1169  const TlsCipherSuites *cipherSuites;
1170  const TlsCompressMethods *compressMethods;
1172 #if (DTLS_SUPPORT == ENABLED)
1173  const DtlsCookie *cookie;
1174 #endif
1175 
1176  //Debug message
1177  TRACE_INFO("ClientHello message received (%" PRIuSIZE " bytes)...\r\n", length);
1179 
1180  //Check current state
1181  if(context->state == TLS_STATE_CLIENT_HELLO)
1182  {
1183  //When a client first connects to a server, it is required to send
1184  //the ClientHello as its first message
1185  }
1186  else if(context->state == TLS_STATE_CLIENT_HELLO_2)
1187  {
1188 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1189  //The client will also send a updated ClientHello when the server has
1190  //responded to its initial ClientHello with a HelloRetryRequest
1191  context->updatedClientHelloReceived = TRUE;
1192 #endif
1193  }
1194  else if(context->state == TLS_STATE_APPLICATION_DATA)
1195  {
1196 #if (TLS_MAX_VERSION >= TLS_VERSION_1_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1197  //Version of TLS prior to TLS 1.3?
1198  if(context->version <= TLS_VERSION_1_2)
1199  {
1200 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
1201  //Check whether secure renegotiation is enabled
1202  if(context->secureRenegoEnabled)
1203  {
1204  //Make sure the secure_renegociation flag is set
1205  if(!context->secureRenegoFlag)
1206  {
1207  //If the connection's secure_renegotiation flag is set to
1208  //FALSE, it is recommended that servers do not permit legacy
1209  //renegotiation (refer to RFC 5746, section 4.4)
1210  return ERROR_HANDSHAKE_FAILED;
1211  }
1212  }
1213  else
1214 #endif
1215  {
1216  //Secure renegotiation is disabled
1217  return ERROR_HANDSHAKE_FAILED;
1218  }
1219  }
1220  else
1221 #endif
1222  {
1223  //Because TLS 1.3 forbids renegotiation, if a server has negotiated
1224  //TLS 1.3 and receives a ClientHello at any other time, it must
1225  //terminate the connection with an unexpected_message alert
1226  return ERROR_UNEXPECTED_MESSAGE;
1227  }
1228  }
1229  else
1230  {
1231  //Report an error
1232  return ERROR_UNEXPECTED_MESSAGE;
1233  }
1234 
1235  //Check the length of the ClientHello message
1236  if(length < sizeof(TlsClientHello))
1237  return ERROR_DECODING_FAILED;
1238 
1239  //Get the version the client wishes to use during this session
1240  context->clientVersion = ntohs(message->clientVersion);
1241 
1242  //Point to the session ID
1243  p = message->sessionId;
1244  //Remaining bytes to process
1245  n = length - sizeof(TlsClientHello);
1246 
1247  //Check the length of the session ID
1248  if(message->sessionIdLen > n)
1249  return ERROR_DECODING_FAILED;
1250  if(message->sessionIdLen > 32)
1251  return ERROR_DECODING_FAILED;
1252 
1253  //Debug message
1254  TRACE_DEBUG("Session ID (%" PRIu8 " bytes):\r\n", message->sessionIdLen);
1255  TRACE_DEBUG_ARRAY(" ", message->sessionId, message->sessionIdLen);
1256 
1257  //Point to the next field
1258  p += message->sessionIdLen;
1259  //Remaining bytes to process
1260  n -= message->sessionIdLen;
1261 
1262 #if (DTLS_SUPPORT == ENABLED)
1263  //DTLS protocol?
1264  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
1265  {
1266  //Point to the Cookie field
1267  cookie = (DtlsCookie *) p;
1268 
1269  //Malformed ClientHello message?
1270  if(n < sizeof(DtlsCookie))
1271  return ERROR_DECODING_FAILED;
1272  if(n < (sizeof(DtlsCookie) + cookie->length))
1273  return ERROR_DECODING_FAILED;
1274 
1275  //Check the length of the cookie
1276  if(cookie->length > DTLS_MAX_COOKIE_SIZE)
1277  return ERROR_ILLEGAL_PARAMETER;
1278 
1279  //Point to the next field
1280  p += sizeof(DtlsCookie) + cookie->length;
1281  //Remaining bytes to process
1282  n -= sizeof(DtlsCookie) + cookie->length;
1283  }
1284  else
1285  {
1286  //Just for sanity
1287  cookie = NULL;
1288  }
1289 #endif
1290 
1291  //List of cryptographic algorithms supported by the client
1292  cipherSuites = (TlsCipherSuites *) p;
1293 
1294  //Malformed ClientHello message?
1295  if(n < sizeof(TlsCipherSuites))
1296  return ERROR_DECODING_FAILED;
1297  if(n < (sizeof(TlsCipherSuites) + ntohs(cipherSuites->length)))
1298  return ERROR_DECODING_FAILED;
1299 
1300  //Check the length of the list
1301  if(ntohs(cipherSuites->length) == 0)
1302  return ERROR_DECODING_FAILED;
1303  if((ntohs(cipherSuites->length) % 2) != 0)
1304  return ERROR_DECODING_FAILED;
1305 
1306  //Point to the next field
1307  p += sizeof(TlsCipherSuites) + ntohs(cipherSuites->length);
1308  //Remaining bytes to process
1309  n -= sizeof(TlsCipherSuites) + ntohs(cipherSuites->length);
1310 
1311  //List of compression algorithms supported by the client
1312  compressMethods = (TlsCompressMethods *) p;
1313 
1314  //Malformed ClientHello message?
1315  if(n < sizeof(TlsCompressMethods))
1316  return ERROR_DECODING_FAILED;
1317  if(n < (sizeof(TlsCompressMethods) + compressMethods->length))
1318  return ERROR_DECODING_FAILED;
1319 
1320  //Check the length of the list
1321  if(compressMethods->length == 0)
1322  return ERROR_DECODING_FAILED;
1323 
1324  //Point to the next field
1325  p += sizeof(TlsCompressMethods) + compressMethods->length;
1326  //Remaining bytes to process
1327  n -= sizeof(TlsCompressMethods) + compressMethods->length;
1328 
1329  //Parse the list of extensions offered by the client
1331  //Any error to report?
1332  if(error)
1333  return error;
1334 
1335  //Check whether the ClientHello includes any SCSV cipher suites
1336  error = tlsCheckSignalingCipherSuiteValues(context, cipherSuites);
1337  //Any error to report?
1338  if(error)
1339  return error;
1340 
1341 #if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)
1342  //Parse RenegotiationInfo extension
1343  error = tlsParseClientRenegoInfoExtension(context, &extensions);
1344  //Any error to report?
1345  if(error)
1346  return error;
1347 #endif
1348 
1349 #if (DTLS_SUPPORT == ENABLED)
1350  //DTLS protocol?
1351  if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)
1352  {
1353  DtlsClientParameters clientParams;
1354 
1355  //The server should use client parameters (version, random, session_id,
1356  //cipher_suites, compression_method) to generate its cookie
1357  clientParams.version = ntohs(message->clientVersion);
1358  clientParams.random = message->random;
1359  clientParams.randomLen = 32;
1360  clientParams.sessionId = message->sessionId;
1361  clientParams.sessionIdLen = message->sessionIdLen;
1362  clientParams.cipherSuites = (const uint8_t *) cipherSuites->value;
1363  clientParams.cipherSuitesLen = ntohs(cipherSuites->length);
1364  clientParams.compressMethods = compressMethods->value;
1365  clientParams.compressMethodsLen = compressMethods->length;
1366 
1367  //Verify that the cookie is valid
1368  error = dtlsVerifyCookie(context, cookie, &clientParams);
1369  //Any error to report?
1370  if(error)
1371  return error;
1372 
1373  //The server may respond with a HelloVerifyRequest message containing
1374  //a stateless cookie
1375  if(context->state == TLS_STATE_HELLO_VERIFY_REQUEST)
1376  {
1377  //Exit immediately
1378  return NO_ERROR;
1379  }
1380  }
1381 #endif
1382 
1383  //Perform version negotiation
1384  error = tlsNegotiateVersion(context, ntohs(message->clientVersion),
1385  extensions.supportedVersionList);
1386  //Any error to report?
1387  if(error)
1388  return error;
1389 
1390  //Check the list of extensions offered by the client
1391  error = tlsCheckHelloExtensions(TLS_TYPE_CLIENT_HELLO, context->version,
1392  &extensions);
1393  //Any error to report?
1394  if(error)
1395  return error;
1396 
1397  //The SignatureAlgorithms extension is not meaningful for TLS versions
1398  //prior to 1.2 (refer to RFC 5246, section 7.4.1.4.1)
1399  if(context->version <= TLS_VERSION_1_1)
1400  {
1401  //Even if clients do offer it, the rules specified in RFC 6066 require
1402  //servers to ignore extensions they do not understand
1403  extensions.signAlgoList = NULL;
1404  extensions.certSignAlgoList = NULL;
1405  }
1406 
1407  //Save client random value
1408  osMemcpy(context->clientRandom, message->random, 32);
1409 
1410 #if (TLS_SNI_SUPPORT == ENABLED)
1411  //In order to provide the server name, clients may include a ServerName
1412  //extension
1413  error = tlsParseClientSniExtension(context, extensions.serverNameList);
1414  //Any error to report?
1415  if(error)
1416  return error;
1417 #endif
1418 
1419 #if (TLS_ALPN_SUPPORT == ENABLED)
1420  //Parse ALPN extension
1421  error = tlsParseClientAlpnExtension(context, extensions.protocolNameList);
1422  //Any error to report?
1423  if(error)
1424  return error;
1425 #endif
1426 
1427 #if (TLS_MAX_VERSION >= TLS_VERSION_1_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)
1428  //TLS 1.0, TLS 1.1 or TLS 1.2 currently selected?
1429  if(context->version <= TLS_VERSION_1_2)
1430  {
1431 #if (TLS_TICKET_SUPPORT == ENABLED)
1432  //Parse SessionTicket extension
1433  error = tlsParseClientSessionTicketExtension(context,
1434  extensions.sessionTicket);
1435  //Any error to report?
1436  if(error)
1437  return error;
1438 
1439  //The server attempts to resume TLS session via session ticket
1440  error = tlsResumeStatelessSession(context, message->sessionId,
1441  message->sessionIdLen, cipherSuites, &extensions);
1442 #else
1443  //No session ticket presented by the client
1444  error = ERROR_NO_TICKET;
1445 #endif
1446 
1447  //If a ticket is presented by the client, the server must not attempt
1448  //to use the session ID in the ClientHello for stateful session
1449  //resumption (refer to RFC 5077, section 3.4)
1450  if(error == ERROR_NO_TICKET)
1451  {
1452  //The server attempts to resume TLS session via session ID
1453  error = tlsResumeStatefulSession(context, message->sessionId,
1454  message->sessionIdLen, cipherSuites, &extensions);
1455  //Any error to report?
1456  if(error)
1457  return error;
1458  }
1459 
1460  //Full handshake?
1461  if(!context->resume)
1462  {
1463  //Perform cipher suite negotiation
1464  error = tlsNegotiateCipherSuite(context, NULL, cipherSuites,
1465  &extensions);
1466  //If no acceptable choices are presented, terminate the handshake
1467  if(error)
1468  return ERROR_HANDSHAKE_FAILED;
1469 
1470  //Parse the list of compression methods supported by the client
1471  error = tlsParseCompressMethods(context, compressMethods);
1472  //Any error to report?
1473  if(error)
1474  return error;
1475  }
1476 
1477  //Initialize handshake message hashing
1478  error = tlsInitTranscriptHash(context);
1479  //Any error to report?
1480  if(error)
1481  return error;
1482 
1483 #if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \
1484  TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1485  //A client that proposes ECC cipher suites in its ClientHello message
1486  //may send the EcPointFormats extension
1487  error = tlsParseClientEcPointFormatsExtension(context,
1488  extensions.ecPointFormatList);
1489  //Any error to report?
1490  if(error)
1491  return error;
1492 #endif
1493 
1494 #if (TLS_ENCRYPT_THEN_MAC_SUPPORT == ENABLED)
1495  //On connecting, the client includes the EncryptThenMac extension in
1496  //its ClientHello if it wishes to use encrypt-then-MAC rather than the
1497  //default MAC-then-encrypt (refer to RFC 7366, section 2)
1498  error = tlsParseClientEtmExtension(context,
1499  extensions.encryptThenMac);
1500  //Any error to report?
1501  if(error)
1502  return error;
1503 #endif
1504 
1505 #if (TLS_EXT_MASTER_SECRET_SUPPORT == ENABLED)
1506  //Parse ExtendedMasterSecret extension
1507  error = tlsParseClientEmsExtension(context,
1508  extensions.extendedMasterSecret);
1509  //Any error to report?
1510  if(error)
1511  return error;
1512 #endif
1513  }
1514  else
1515 #endif
1516 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
1517  //TLS 1.3 currently selected?
1518  if(context->version == TLS_VERSION_1_3)
1519  {
1520  //Save the client's legacy_session_id field
1521  osMemcpy(context->sessionId, message->sessionId, message->sessionIdLen);
1522  context->sessionIdLen = message->sessionIdLen;
1523 
1524  //Perform cipher suite and key exchange method negotiation
1525  error = tls13NegotiateCipherSuite(context, message, length, cipherSuites,
1526  &extensions);
1527  //If no acceptable choices are presented, terminate the handshake
1528  if(error)
1529  return error;
1530 
1531  //Parse the list of compression methods supported by the client
1532  error = tlsParseCompressMethods(context, compressMethods);
1533  //Any error to report?
1534  if(error)
1535  return error;
1536 
1537  //When a PSK is used and early data is allowed for that PSK, the client
1538  //can send application data in its first flight of messages
1539  if(extensions.earlyDataIndication != NULL)
1540  {
1541  //If the client opts to do so, it must supply both the PreSharedKey
1542  //and EarlyData extensions (refer to RFC 8446, section 4.2.10)
1543  if(extensions.identityList == NULL || extensions.binderList == NULL)
1544  {
1545  context->earlyDataRejected = TRUE;
1546  }
1547  }
1548  }
1549  else
1550 #endif
1551  //Invalid TLS version?
1552  {
1553  //Just for sanity
1554  return ERROR_INVALID_VERSION;
1555  }
1556 
1557 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED && TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
1558  //A server that supports the RecordSizeLimit extension must ignore a
1559  //MaxFragmentLength that appears in a ClientHello if both extensions
1560  //appear (refer to RFC 8449, section 5)
1561  if(extensions.maxFragLen != NULL && extensions.recordSizeLimit != NULL)
1562  {
1563  extensions.maxFragLen = NULL;
1564  }
1565 #endif
1566 
1567 #if (TLS_MAX_FRAG_LEN_SUPPORT == ENABLED)
1568  //In order to negotiate smaller maximum fragment lengths, clients may
1569  //include a MaxFragmentLength extension
1570  error = tlsParseClientMaxFragLenExtension(context, extensions.maxFragLen);
1571  //Any error to report?
1572  if(error)
1573  return error;
1574 #endif
1575 
1576 #if (TLS_RECORD_SIZE_LIMIT_SUPPORT == ENABLED)
1577  //The value of RecordSizeLimit is the maximum size of record in octets
1578  //that the peer is willing to receive
1580  extensions.recordSizeLimit);
1581  //Any error to report?
1582  if(error)
1583  return error;
1584 #endif
1585 
1586 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
1587  //Parse ClientCertType extension
1588  error = tlsParseClientCertTypeListExtension(context,
1589  extensions.clientCertTypeList);
1590  //Any error to report?
1591  if(error)
1592  return error;
1593 
1594  //Parse ServerCertType extension
1595  error = tlsParseServerCertTypeListExtension(context,
1596  extensions.serverCertTypeList);
1597  //Any error to report?
1598  if(error)
1599  return error;
1600 #endif
1601 
1602  //Another handshake message cannot be packed in the same record as the
1603  //ClientHello
1604  if(context->rxBufferLen != 0)
1605  return ERROR_UNEXPECTED_MESSAGE;
1606 
1607  //Version of TLS prior to TLS 1.3?
1608  if(context->version <= TLS_VERSION_1_2)
1609  {
1610  //Send a ServerHello message to the client
1612  }
1613  else
1614  {
1615  //Send a ServerHello or a HelloRetryRequest message to the client
1616  if(context->state == TLS_STATE_CLIENT_HELLO)
1617  {
1619  }
1620  else if(context->state == TLS_STATE_CLIENT_HELLO_2)
1621  {
1623  }
1624  else
1625  {
1627  }
1628  }
1629 
1630  //Successful processing
1631  return NO_ERROR;
1632 }
1633 
1634 
1635 /**
1636  * @brief Parse ClientKeyExchange message
1637  *
1638  * This message is always sent by the client. It must immediately
1639  * follow the client Certificate message, if it is sent. Otherwise,
1640  * it must be the first message sent by the client after it receives
1641  * the ServerHelloDone message
1642  *
1643  * @param[in] context Pointer to the TLS context
1644  * @param[in] message Incoming ClientKeyExchange message to parse
1645  * @param[in] length Message length
1646  * @return Error code
1647  **/
1648 
1650  const TlsClientKeyExchange *message, size_t length)
1651 {
1652  error_t error;
1653  size_t n;
1654  const uint8_t *p;
1655 
1656  //Debug message
1657  TRACE_INFO("ClientKeyExchange message received (%" PRIuSIZE " bytes)...\r\n", length);
1659 
1660  //Check TLS version
1661  if(context->version > TLS_VERSION_1_2)
1662  return ERROR_UNEXPECTED_MESSAGE;
1663 
1664  //Check current state
1665  if(context->state == TLS_STATE_CLIENT_CERTIFICATE)
1666  {
1667  //A an non-anonymous server can optionally request a certificate from the client
1668  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
1669  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1670  context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1671  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1672  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
1673  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1674  {
1675  //If client authentication is required by the server for the handshake
1676  //to continue, it may respond with a fatal handshake failure alert
1677  if(context->clientAuthMode == TLS_CLIENT_AUTH_REQUIRED)
1678  return ERROR_HANDSHAKE_FAILED;
1679  }
1680  }
1681  else if(context->state != TLS_STATE_CLIENT_KEY_EXCHANGE)
1682  {
1683  //Send a fatal alert to the client
1684  return ERROR_UNEXPECTED_MESSAGE;
1685  }
1686 
1687  //Point to the beginning of the handshake message
1688  p = message;
1689 
1690 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
1691  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1692  //PSK key exchange method?
1693  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1694  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
1695  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1696  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1697  {
1698  //The PSK identity is sent in cleartext
1699  error = tlsParsePskIdentity(context, p, length, &n);
1700  //Any error to report?
1701  if(error)
1702  return error;
1703 
1704  //Point to the next field
1705  p += n;
1706  //Remaining bytes to process
1707  length -= n;
1708  }
1709 #endif
1710 
1711  //RSA, Diffie-Hellman or ECDH key exchange method?
1712  if(context->keyExchMethod != TLS_KEY_EXCH_PSK)
1713  {
1714  //Parse client's key exchange parameters
1715  error = tlsParseClientKeyParams(context, p, length, &n);
1716  //Any error to report?
1717  if(error)
1718  return error;
1719 
1720  //Point to the next field
1721  p += n;
1722  //Remaining bytes to process
1723  length -= n;
1724  }
1725 
1726  //If the amount of data in the message does not precisely match the format
1727  //of the ClientKeyExchange message, then send a fatal alert
1728  if(length != 0)
1729  return ERROR_DECODING_FAILED;
1730 
1731 #if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \
1732  TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)
1733  //PSK key exchange method?
1734  if(context->keyExchMethod == TLS_KEY_EXCH_PSK ||
1735  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK ||
1736  context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK ||
1737  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)
1738  {
1739  //Invalid pre-shared key?
1740  if(context->pskLen == 0)
1741  return ERROR_INVALID_KEY_LENGTH;
1742 
1743  //Generate premaster secret
1744  error = tlsGeneratePskPremasterSecret(context);
1745  //Any error to report?
1746  if(error)
1747  return error;
1748  }
1749 #endif
1750 
1751  //Derive session keys from the premaster secret
1752  error = tlsGenerateSessionKeys(context);
1753  //Unable to generate key material?
1754  if(error)
1755  return error;
1756 
1757  //The client must send a CertificateVerify message when the Certificate
1758  //message is non-empty
1759  if(context->peerCertType != TLS_CERT_NONE)
1760  {
1762  }
1763  else
1764  {
1766  }
1767 
1768  //Successful processing
1769  return NO_ERROR;
1770 }
1771 
1772 #endif
uint8_t message[]
Definition: chap.h:154
uint8_t version
Definition: coap_common.h:177
#define PRIuSIZE
#define htons(value)
Definition: cpu_endian.h:413
#define STORE16BE(a, p)
Definition: cpu_endian.h:262
#define ntohs(value)
Definition: cpu_endian.h:421
#define HTONL(value)
Definition: cpu_endian.h:411
Date and time management.
Debugging facilities.
#define TRACE_DEBUG_ARRAY(p, a, n)
Definition: debug.h:108
#define TRACE_DEBUG(...)
Definition: debug.h:107
#define TRACE_INFO(...)
Definition: debug.h:95
uint8_t n
uint16_t dtlsTranslateVersion(uint16_t version)
Translate TLS version into DTLS version.
Definition: dtls_misc.c:112
error_t dtlsVerifyCookie(TlsContext *context, const DtlsCookie *cookie, const DtlsClientParameters *clientParams)
Cookie verification.
Definition: dtls_misc.c:178
DTLS (Datagram Transport Layer Security)
uint8_t cookie[]
Definition: dtls_misc.h:206
DtlsCookie
Definition: dtls_misc.h:154
#define DTLS_MAX_COOKIE_SIZE
Definition: dtls_misc.h:76
DTLS record protocol.
error_t
Error codes.
Definition: error.h:43
@ ERROR_ILLEGAL_PARAMETER
Definition: error.h:242
@ ERROR_WOULD_BLOCK
Definition: error.h:96
@ ERROR_INVALID_KEY_LENGTH
Definition: error.h:107
@ ERROR_TIMEOUT
Definition: error.h:95
@ ERROR_HANDSHAKE_FAILED
Definition: error.h:232
@ ERROR_DECODING_FAILED
Definition: error.h:240
@ ERROR_NOT_IMPLEMENTED
Definition: error.h:66
@ NO_ERROR
Success.
Definition: error.h:44
@ ERROR_NO_TICKET
Definition: error.h:228
@ ERROR_FAILURE
Generic error code.
Definition: error.h:45
@ ERROR_UNEXPECTED_MESSAGE
Definition: error.h:194
@ ERROR_INVALID_VERSION
Definition: error.h:118
uint8_t p
Definition: ndp.h:300
#define osMemcpy(dest, src, length)
Definition: os_port.h:141
#define MIN(a, b)
Definition: os_port.h:63
#define TRUE
Definition: os_port.h:50
systime_t osGetSystemTime(void)
Retrieve system time.
PEM file import functions.
Client parameters.
Definition: dtls_misc.h:223
const uint8_t * compressMethods
Definition: dtls_misc.h:231
const uint8_t * cipherSuites
Definition: dtls_misc.h:229
size_t compressMethodsLen
Definition: dtls_misc.h:232
const uint8_t * random
Definition: dtls_misc.h:225
const uint8_t * sessionId
Definition: dtls_misc.h:227
Hello extensions.
Definition: tls.h:2081
uint8_t length
Definition: tcp.h:368
uint8_t extensions[]
Definition: tls13_misc.h:300
Tls13CertRequestContext
Definition: tls13_misc.h:258
Handshake message processing (TLS 1.3 server)
error_t tls13FormatServerKeyShareExtension(TlsContext *context, uint8_t *p, size_t *written)
Format KeyShare extension (ServerHello message)
error_t tls13FormatServerPreSharedKeyExtension(TlsContext *context, uint8_t *p, size_t *written)
Format PreSharedKey extension.
error_t tls13FormatServerSupportedVersionsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SupportedVersions extension.
Formatting and parsing of extensions (TLS 1.3 server)
error_t tls13NegotiateCipherSuite(TlsContext *context, const void *clientHello, size_t clientHelloLen, const TlsCipherSuites *cipherSuites, TlsHelloExtensions *extensions)
Cipher suite and key exchange method negotiation.
Helper functions for TLS 1.3 server.
TLS (Transport Layer Security)
TlsClientHello
Definition: tls.h:1757
@ TLS_STATE_SERVER_CHANGE_CIPHER_SPEC
Definition: tls.h:1461
@ TLS_STATE_SERVER_CERTIFICATE
Definition: tls.h:1449
@ TLS_STATE_CLIENT_CERTIFICATE_VERIFY
Definition: tls.h:1456
@ TLS_STATE_SERVER_HELLO_2
Definition: tls.h:1445
@ TLS_STATE_HELLO_VERIFY_REQUEST
Definition: tls.h:1442
@ TLS_STATE_CLIENT_HELLO_2
Definition: tls.h:1440
@ TLS_STATE_SERVER_HELLO
Definition: tls.h:1444
@ TLS_STATE_APPLICATION_DATA
Definition: tls.h:1468
@ TLS_STATE_NEW_SESSION_TICKET
Definition: tls.h:1466
@ TLS_STATE_HELLO_RETRY_REQUEST
Definition: tls.h:1443
@ TLS_STATE_SERVER_HELLO_DONE
Definition: tls.h:1453
@ TLS_STATE_CLIENT_HELLO
Definition: tls.h:1439
@ TLS_STATE_CERTIFICATE_REQUEST
Definition: tls.h:1452
@ TLS_STATE_HANDSHAKE_TRAFFIC_KEYS
Definition: tls.h:1447
@ TLS_STATE_CLIENT_KEY_EXCHANGE
Definition: tls.h:1455
@ TLS_STATE_CLIENT_CERTIFICATE
Definition: tls.h:1454
@ TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC
Definition: tls.h:1457
@ TLS_KEY_EXCH_DHE_RSA
Definition: tls.h:1127
@ TLS_KEY_EXCH_RSA
Definition: tls.h:1125
@ TLS_KEY_EXCH_ECDHE_ECDSA
Definition: tls.h:1134
@ TLS_KEY_EXCH_DHE_PSK
Definition: tls.h:1138
@ TLS_KEY_EXCH_DH_ANON
Definition: tls.h:1130
@ TLS_KEY_EXCH_RSA_PSK
Definition: tls.h:1137
@ TLS13_KEY_EXCH_ECDHE
Definition: tls.h:1144
@ TLS13_KEY_EXCH_DHE
Definition: tls.h:1143
@ TLS_KEY_EXCH_ECDH_ANON
Definition: tls.h:1135
@ TLS_KEY_EXCH_DHE_DSS
Definition: tls.h:1129
@ TLS_KEY_EXCH_ECDHE_RSA
Definition: tls.h:1132
@ TLS_KEY_EXCH_ECDHE_PSK
Definition: tls.h:1139
@ TLS_KEY_EXCH_PSK
Definition: tls.h:1136
@ TLS_TRANSPORT_PROTOCOL_STREAM
Definition: tls.h:941
@ TLS_TRANSPORT_PROTOCOL_DATAGRAM
Definition: tls.h:942
@ TLS_COMPRESSION_METHOD_NULL
Definition: tls.h:1113
TlsServerHello
Definition: tls.h:1770
Tls12DigitalSignature
Definition: tls.h:1712
TlsCipherSuites
Definition: tls.h:1500
@ TLS_CLIENT_AUTH_REQUIRED
Definition: tls.h:966
@ TLS_CLIENT_AUTH_NONE
Definition: tls.h:964
void TlsServerKeyExchange
ServerKeyExchange message.
Definition: tls.h:1784
TlsDigitalSignature
Definition: tls.h:1700
TlsExtensionList
Definition: tls.h:1567
void TlsServerHelloDone
ServerHelloDone message.
Definition: tls.h:1802
void TlsClientKeyExchange
ClientKeyExchange message.
Definition: tls.h:1809
@ TLS_CERT_RSA_SIGN
Definition: tls.h:1171
@ TLS_CERT_DSS_SIGN
Definition: tls.h:1172
@ TLS_CERT_ECDSA_SIGN
Definition: tls.h:1178
@ TLS_CERT_NONE
Definition: tls.h:1170
#define TLS_VERSION_1_1
Definition: tls.h:95
#define TLS_VERSION_1_3
Definition: tls.h:97
#define TlsContext
Definition: tls.h:36
#define TLS_TICKET_LIFETIME
Definition: tls.h:164
TlsCertificateRequest
Definition: tls.h:1795
TlsPlaintextSessionState
Definition: tls.h:1873
TlsNewSessionTicket
Definition: tls.h:1828
#define TLS_MASTER_SECRET_SIZE
Definition: tls.h:794
@ TLS_TYPE_SERVER_HELLO
Definition: tls.h:1027
@ TLS_TYPE_CLIENT_HELLO
Definition: tls.h:1026
@ TLS_TYPE_SERVER_HELLO_DONE
Definition: tls.h:1038
@ TLS_TYPE_SERVER_KEY_EXCHANGE
Definition: tls.h:1036
@ TLS_TYPE_NEW_SESSION_TICKET
Definition: tls.h:1029
@ TLS_TYPE_CERTIFICATE_REQUEST
Definition: tls.h:1037
TlsCompressMethods
Definition: tls.h:1511
#define TLS_VERSION_1_2
Definition: tls.h:96
Session cache management.
TLS cipher suites.
error_t tlsFormatCertAuthorities(TlsContext *context, uint8_t *p, size_t *written)
Format the list of distinguished names of acceptable CAs.
Definition: tls_common.c:882
error_t tlsFormatCertAuthoritiesExtension(TlsContext *context, uint8_t *p, size_t *written)
Format CertificateAuthorities extension.
Definition: tls_common.c:830
Handshake message processing (TLS client and server)
error_t tlsParseHelloExtensions(TlsMessageType msgType, const uint8_t *p, size_t length, TlsHelloExtensions *extensions)
Parse Hello extensions.
error_t tlsCheckHelloExtensions(TlsMessageType msgType, uint16_t version, TlsHelloExtensions *extensions)
Check Hello extensions.
Parsing and checking of TLS extensions.
FFDHE key exchange.
error_t tlsSendHandshakeMessage(TlsContext *context, const void *data, size_t length, TlsMessageType type)
Send handshake message.
TLS handshake.
error_t tlsGenerateSessionKeys(TlsContext *context)
Generate session keys.
error_t tlsGeneratePskPremasterSecret(TlsContext *context)
Premaster secret generation (for PSK cipher suites)
Key material generation.
error_t tlsGenerateRandomValue(TlsContext *context, uint8_t *random)
Generate client or server random value.
Definition: tls_misc.c:207
void tlsChangeState(TlsContext *context, TlsState newState)
Update TLS state.
Definition: tls_misc.c:54
TLS helper functions.
TLS record protocol.
error_t tlsSendServerHelloDone(TlsContext *context)
Send ServerHelloDone message.
Definition: tls_server.c:352
error_t tlsParseClientKeyExchange(TlsContext *context, const TlsClientKeyExchange *message, size_t length)
Parse ClientKeyExchange message.
Definition: tls_server.c:1649
error_t tlsParseClientHello(TlsContext *context, const TlsClientHello *message, size_t length)
Parse ClientHello message.
Definition: tls_server.c:1163
error_t tlsFormatCertificateRequest(TlsContext *context, TlsCertificateRequest *message, size_t *length)
Format CertificateRequest message.
Definition: tls_server.c:896
error_t tlsFormatServerHello(TlsContext *context, TlsServerHello *message, size_t *length)
Format ServerHello message.
Definition: tls_server.c:450
error_t tlsSendServerKeyExchange(TlsContext *context)
Send ServerKeyExchange message.
Definition: tls_server.c:192
error_t tlsSendCertificateRequest(TlsContext *context)
Send CertificateRequest message.
Definition: tls_server.c:275
error_t tlsSendServerHello(TlsContext *context)
Send ServerHello message.
Definition: tls_server.c:82
error_t tlsSendNewSessionTicket(TlsContext *context)
Send NewSessionTicket message.
Definition: tls_server.c:405
error_t tlsFormatServerHelloDone(TlsContext *context, TlsServerHelloDone *message, size_t *length)
Format ServerHelloDone message.
Definition: tls_server.c:1068
error_t tlsFormatNewSessionTicket(TlsContext *context, TlsNewSessionTicket *message, size_t *length)
Format NewSessionTicket message.
Definition: tls_server.c:1087
error_t tlsFormatServerKeyExchange(TlsContext *context, TlsServerKeyExchange *message, size_t *length)
Format ServerKeyExchange message.
Definition: tls_server.c:774
Handshake message processing (TLS server)
error_t tlsFormatServerEmsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ExtendedMasterSecret extension.
error_t tlsParseClientRenegoInfoExtension(TlsContext *context, const TlsHelloExtensions *extensions)
Parse RenegotiationInfo extension.
error_t tlsParseClientMaxFragLenExtension(TlsContext *context, const TlsExtension *maxFragLen)
Parse MaxFragmentLength extension.
error_t tlsParseClientSessionTicketExtension(TlsContext *context, const TlsExtension *sessionTicket)
Parse SessionTicket extension.
error_t tlsParseClientEmsExtension(TlsContext *context, const TlsExtension *extendedMasterSecret)
Parse ExtendedMasterSecret extension.
error_t tlsFormatServerCertTypeExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ServerCertType extension.
error_t tlsFormatClientCertTypeExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ClientCertType extension.
error_t tlsFormatServerSessionTicketExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SessionTicket extension.
error_t tlsFormatServerEtmExtension(TlsContext *context, uint8_t *p, size_t *written)
Format EncryptThenMac extension.
error_t tlsFormatServerMaxFragLenExtension(TlsContext *context, uint8_t *p, size_t *written)
Format MaxFragmentLength extension.
error_t tlsParseClientEtmExtension(TlsContext *context, const TlsExtension *encryptThenMac)
Parse EncryptThenMac extension.
error_t tlsParseClientCertTypeListExtension(TlsContext *context, const TlsCertTypeList *clientCertTypeList)
Parse ClientCertType extension.
error_t tlsParseClientAlpnExtension(TlsContext *context, const TlsProtocolNameList *protocolNameList)
Parse ALPN extension.
error_t tlsParseServerCertTypeListExtension(TlsContext *context, const TlsCertTypeList *serverCertTypeList)
Parse ServerCertType extension.
error_t tlsFormatServerEcPointFormatsExtension(TlsContext *context, uint8_t *p, size_t *written)
Format EcPointFormats extension.
error_t tlsParseClientSniExtension(TlsContext *context, const TlsServerNameList *serverNameList)
Parse SNI extension.
error_t tlsParseClientRecordSizeLimitExtension(TlsContext *context, const TlsExtension *recordSizeLimit)
Parse RecordSizeLimit extension.
error_t tlsFormatServerSniExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SNI extension.
error_t tlsFormatServerRecordSizeLimitExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RecordSizeLimit extension.
error_t tlsParseClientEcPointFormatsExtension(TlsContext *context, const TlsEcPointFormatList *ecPointFormatList)
Parse EcPointFormats extension.
error_t tlsFormatServerRenegoInfoExtension(TlsContext *context, uint8_t *p, size_t *written)
Format RenegotiationInfo extension.
error_t tlsFormatServerAlpnExtension(TlsContext *context, uint8_t *p, size_t *written)
Format ALPN extension.
Formatting and parsing of extensions (TLS server)
error_t tlsFormatServerKeyParams(TlsContext *context, uint8_t *p, size_t *written)
Format server's key exchange parameters.
error_t tls12GenerateServerKeySignature(TlsContext *context, Tls12DigitalSignature *signature, const uint8_t *params, size_t paramsLen, size_t *written)
Sign server's key exchange parameters (TLS 1.2)
error_t tlsNegotiateCipherSuite(TlsContext *context, const HashAlgo *hashAlgo, const TlsCipherSuites *cipherSuites, TlsHelloExtensions *extensions)
Cipher suite negotiation.
error_t tlsParseCompressMethods(TlsContext *context, const TlsCompressMethods *compressMethods)
Parse the list of compression methods supported by the client.
error_t tlsParsePskIdentity(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse PSK identity.
error_t tlsResumeStatefulSession(TlsContext *context, const uint8_t *sessionId, size_t sessionIdLen, const TlsCipherSuites *cipherSuites, const TlsHelloExtensions *extensions)
Resume TLS session via session ID.
error_t tlsGenerateServerKeySignature(TlsContext *context, TlsDigitalSignature *signature, const uint8_t *params, size_t paramsLen, size_t *written)
Sign server's key exchange parameters (TLS 1.0 and TLS 1.1)
error_t tlsCheckSignalingCipherSuiteValues(TlsContext *context, const TlsCipherSuites *cipherSuites)
Check whether the ClientHello includes any SCSV cipher suites.
error_t tlsResumeStatelessSession(TlsContext *context, const uint8_t *sessionId, size_t sessionIdLen, const TlsCipherSuites *cipherSuites, const TlsHelloExtensions *extensions)
Resume TLS session via session ticket.
error_t tlsNegotiateVersion(TlsContext *context, uint16_t clientVersion, const TlsSupportedVersionList *supportedVersionList)
Version negotiation.
error_t tlsParseClientKeyParams(TlsContext *context, const uint8_t *p, size_t length, size_t *consumed)
Parse client's key exchange parameters.
error_t tlsFormatPskIdentityHint(TlsContext *context, uint8_t *p, size_t *written)
Format PSK identity hint.
Helper functions for TLS server.
error_t tlsFormatSignAlgosCertExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SignatureAlgorithmsCert extension.
error_t tlsFormatSupportedSignAlgos(TlsContext *context, uint8_t *p, size_t *written)
Format the list of supported signature algorithms.
error_t tlsFormatSignAlgosExtension(TlsContext *context, uint8_t *p, size_t *written)
Format SignatureAlgorithms extension.
Helper functions for signature generation and verification.
error_t tlsInitTranscriptHash(TlsContext *context)
Initialize handshake message hashing.
Transcript hash calculation.
X.509 certificate parsing.