Webserver+3d print
Embed:
(wiki syntax)
Show/hide line numbers
tls_client.c
Go to the documentation of this file.
00001 /** 00002 * @file tls_client.c 00003 * @brief Handshake message processing (TLS client) 00004 * 00005 * @section License 00006 * 00007 * Copyright (C) 2010-2017 Oryx Embedded SARL. All rights reserved. 00008 * 00009 * This file is part of CycloneSSL Open. 00010 * 00011 * This program is free software; you can redistribute it and/or 00012 * modify it under the terms of the GNU General Public License 00013 * as published by the Free Software Foundation; either version 2 00014 * of the License, or (at your option) any later version. 00015 * 00016 * This program is distributed in the hope that it will be useful, 00017 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00018 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00019 * GNU General Public License for more details. 00020 * 00021 * You should have received a copy of the GNU General Public License 00022 * along with this program; if not, write to the Free Software Foundation, 00023 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 00024 * 00025 * @section Description 00026 * 00027 * The TLS protocol provides communications security over the Internet. The 00028 * protocol allows client/server applications to communicate in a way that 00029 * is designed to prevent eavesdropping, tampering, or message forgery 00030 * 00031 * @author Oryx Embedded SARL (www.oryx-embedded.com) 00032 * @version 1.7.6 00033 **/ 00034 00035 //Switch to the appropriate trace level 00036 #define TRACE_LEVEL TLS_TRACE_LEVEL 00037 00038 //Dependencies 00039 #include <string.h> 00040 #include "tls.h" 00041 #include "tls_cipher_suites.h" 00042 #include "tls_client.h" 00043 #include "tls_client_misc.h" 00044 #include "tls_common.h" 00045 #include "tls_record.h" 00046 #include "tls_misc.h" 00047 #include "pem.h" 00048 #include "date_time.h" 00049 #include "debug.h" 00050 00051 //Check SSL library configuration 00052 #if (TLS_SUPPORT == ENABLED && TLS_CLIENT_SUPPORT == ENABLED) 00053 00054 00055 /** 00056 * @brief TLS client handshake 00057 * 00058 * TLS handshake protocol is responsible for the authentication 00059 * and key exchange necessary to establish a secure session 00060 * 00061 * @param[in] context Pointer to the TLS context 00062 * @return Error code 00063 **/ 00064 00065 error_t tlsClientHandshake(TlsContext *context) 00066 { 00067 error_t error; 00068 00069 //Initialize status code 00070 error = NO_ERROR; 00071 00072 //Wait for the handshake to complete 00073 do 00074 { 00075 //Flush send buffer 00076 if(context->state != TLS_STATE_CLOSED) 00077 error = tlsWriteProtocolData(context, NULL, 0, TLS_TYPE_NONE); 00078 00079 //Check status code 00080 if(!error) 00081 { 00082 //Check whether the handshake is complete 00083 if(context->state == TLS_STATE_APPLICATION_DATA) 00084 { 00085 //At this is point, the handshake is complete and the client 00086 //starts to exchange application-layer data 00087 break; 00088 } 00089 00090 //The TLS handshake is implemented as a state machine 00091 //representing the current location in the protocol 00092 switch(context->state) 00093 { 00094 //Default state? 00095 case TLS_STATE_INIT: 00096 //The client initiates the TLS handshake by sending a ClientHello 00097 //message to the server 00098 context->state = TLS_STATE_CLIENT_HELLO; 00099 break; 00100 //Sending ClientHello message? 00101 case TLS_STATE_CLIENT_HELLO: 00102 //When a client first connects to a server, it is required to send 00103 //the ClientHello as its first message 00104 error = tlsSendClientHello(context); 00105 break; 00106 //Sending Certificate message? 00107 case TLS_STATE_CLIENT_CERTIFICATE: 00108 //This is the first message the client can send after receiving a 00109 //ServerHelloDone message. This message is only sent if the server 00110 //requests a certificate 00111 error = tlsSendCertificate(context); 00112 break; 00113 //Sending ClientKeyExchange message? 00114 case TLS_STATE_CLIENT_KEY_EXCHANGE: 00115 //This message is always sent by the client. It must immediately 00116 //follow the client certificate message, if it is sent. Otherwise, 00117 //it must be the first message sent by the client after it receives 00118 //the ServerHelloDone message 00119 error = tlsSendClientKeyExchange(context); 00120 break; 00121 //Sending CertificateVerify message? 00122 case TLS_STATE_CERTIFICATE_VERIFY: 00123 //This message is used to provide explicit verification of a client 00124 //certificate. This message is only sent following a client certificate 00125 //that has signing capability. When sent, it must immediately follow 00126 //the clientKeyExchange message 00127 error = tlsSendCertificateVerify(context); 00128 break; 00129 //Sending ChangeCipherSpec message? 00130 case TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC: 00131 //The ChangeCipherSpec message is sent by the client and to notify the 00132 //server that subsequent records will be protected under the newly 00133 //negotiated CipherSpec and keys 00134 error = tlsSendChangeCipherSpec(context); 00135 break; 00136 //Sending Finished message? 00137 case TLS_STATE_CLIENT_FINISHED: 00138 //A Finished message is always sent immediately after a changeCipherSpec 00139 //message to verify that the key exchange and authentication processes 00140 //were successful 00141 error = tlsSendFinished(context); 00142 break; 00143 //Waiting for a message from the server? 00144 case TLS_STATE_SERVER_HELLO: 00145 case TLS_STATE_SERVER_CERTIFICATE: 00146 case TLS_STATE_SERVER_KEY_EXCHANGE: 00147 case TLS_STATE_CERTIFICATE_REQUEST: 00148 case TLS_STATE_SERVER_HELLO_DONE: 00149 case TLS_STATE_SERVER_CHANGE_CIPHER_SPEC: 00150 case TLS_STATE_SERVER_FINISHED: 00151 //Parse incoming handshake message 00152 error = tlsParseServerMessage(context); 00153 break; 00154 //Sending Alert message? 00155 case TLS_STATE_CLOSING: 00156 //Mark the TLS connection as closed 00157 context->state = TLS_STATE_CLOSED; 00158 break; 00159 //TLS connection closed? 00160 case TLS_STATE_CLOSED: 00161 //Debug message 00162 TRACE_WARNING("TLS handshake failure!\r\n"); 00163 //Report an error 00164 error = ERROR_HANDSHAKE_FAILED; 00165 break; 00166 //Invalid state? 00167 default: 00168 //Report an error 00169 error = ERROR_UNEXPECTED_STATE; 00170 break; 00171 } 00172 } 00173 00174 //Abort TLS handshake if an error was encountered 00175 } while(!error); 00176 00177 //Any error to report? 00178 if(error) 00179 { 00180 //Send an alert message to the server, if applicable 00181 tlsProcessError(context, error); 00182 } 00183 00184 //Return status code 00185 return error; 00186 } 00187 00188 00189 /** 00190 * @brief Parse incoming handshake message 00191 * @param[in] context Pointer to the TLS context 00192 * @return Error code 00193 **/ 00194 00195 error_t tlsParseServerMessage(TlsContext *context) 00196 { 00197 error_t error; 00198 size_t length; 00199 void *message; 00200 TlsContentType contentType; 00201 00202 //A message can be fragmented across several records... 00203 error = tlsReadProtocolData(context, &message, &length, &contentType); 00204 00205 //Check status code 00206 if(!error) 00207 { 00208 //Handshake message received? 00209 if(contentType == TLS_TYPE_HANDSHAKE) 00210 { 00211 //Check handshake message type 00212 switch(((TlsHandshake *) message)->msgType) 00213 { 00214 //HelloRequest message received? 00215 case TLS_TYPE_HELLO_REQUEST: 00216 //The HelloRequest message can be sent at any time but it should be 00217 //ignored by the client if it arrives in the middle of a handshake 00218 error = NO_ERROR; 00219 break; 00220 //ServerHello message received? 00221 case TLS_TYPE_SERVER_HELLO: 00222 //The server will send this message in response to a ClientHello 00223 //message when it was able to find an acceptable set of algorithms 00224 error = tlsParseServerHello(context, message, length); 00225 break; 00226 //Certificate message received? 00227 case TLS_TYPE_CERTIFICATE: 00228 //The server must send a Certificate message whenever the agreed- 00229 //upon key exchange method uses certificates for authentication. This 00230 //message will always immediately follow the ServerHello message 00231 error = tlsParseCertificate(context, message, length); 00232 break; 00233 //ServerKeyExchange message received? 00234 case TLS_TYPE_SERVER_KEY_EXCHANGE: 00235 //The ServerKeyExchange message is sent by the server only when the 00236 //server Certificate message (if sent) does not contain enough data 00237 //to allow the client to exchange a premaster secret 00238 error = tlsParseServerKeyExchange(context, message, length); 00239 break; 00240 //CertificateRequest message received? 00241 case TLS_TYPE_CERTIFICATE_REQUEST: 00242 //A non-anonymous server can optionally request a certificate from the 00243 //client, if appropriate for the selected cipher suite. This message, 00244 //if sent, will immediately follow the ServerKeyExchange message 00245 error = tlsParseCertificateRequest(context, message, length); 00246 break; 00247 //ServerHelloDone message received? 00248 case TLS_TYPE_SERVER_HELLO_DONE: 00249 //The ServerHelloDone message is sent by the server to indicate the 00250 //end of the ServerHello and associated messages 00251 error = tlsParseServerHelloDone(context, message, length); 00252 break; 00253 //Finished message received? 00254 case TLS_TYPE_FINISHED: 00255 //A Finished message is always sent immediately after a changeCipherSpec 00256 //message to verify that the key exchange and authentication processes 00257 //were successful 00258 error = tlsParseFinished(context, message, length); 00259 break; 00260 //Invalid handshake message received? 00261 default: 00262 //Report an error 00263 error = ERROR_UNEXPECTED_MESSAGE; 00264 } 00265 } 00266 //ChangeCipherSpec message received? 00267 else if(contentType == TLS_TYPE_CHANGE_CIPHER_SPEC) 00268 { 00269 //The ChangeCipherSpec message is sent by the server and to notify the 00270 //client that subsequent records will be protected under the newly 00271 //negotiated CipherSpec and keys 00272 error = tlsParseChangeCipherSpec(context, message, length); 00273 } 00274 //Alert message received? 00275 else if(contentType == TLS_TYPE_ALERT) 00276 { 00277 //Parse Alert message 00278 error = tlsParseAlert(context, message, length); 00279 } 00280 //Application data received? 00281 else 00282 { 00283 //The server cannot transmit application data 00284 //before the handshake is completed 00285 error = ERROR_UNEXPECTED_MESSAGE; 00286 } 00287 00288 //Advance data pointer 00289 context->rxBufferPos += length; 00290 //Number of bytes still pending in the receive buffer 00291 context->rxBufferLen -= length; 00292 } 00293 00294 //Return status code 00295 return error; 00296 } 00297 00298 00299 /** 00300 * @brief Send ClientHello message 00301 * 00302 * When a client first connects to a server, it is required to send 00303 * the ClientHello as its first message. The client can also send a 00304 * ClientHello in response to a HelloRequest or on its own initiative 00305 * in order to renegotiate the security parameters in an existing 00306 * connection 00307 * 00308 * @param[in] context Pointer to the TLS context 00309 * @return Error code 00310 **/ 00311 00312 error_t tlsSendClientHello(TlsContext *context) 00313 { 00314 error_t error; 00315 size_t length; 00316 TlsClientHello *message; 00317 00318 //Point to the buffer where to format the message 00319 message = (TlsClientHello *) context->txBuffer; 00320 00321 //Generate the client random value using a cryptographically-safe 00322 //pseudorandom number generator 00323 error = tlsGenerateRandomValue(context, &context->clientRandom); 00324 00325 //Check status code 00326 if(!error) 00327 { 00328 //Format ClientHello message 00329 error = tlsFormatClientHello(context, message, &length); 00330 } 00331 00332 //Check status code 00333 if(!error) 00334 { 00335 //Debug message 00336 TRACE_INFO("Sending ClientHello message (%" PRIuSIZE " bytes)...\r\n", length); 00337 TRACE_DEBUG_ARRAY(" ", message, length); 00338 00339 //Send handshake message 00340 error = tlsWriteProtocolData(context, message, length, TLS_TYPE_HANDSHAKE); 00341 } 00342 00343 //Check status code 00344 if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT) 00345 { 00346 //Prepare to receive ServerHello message... 00347 context->state = TLS_STATE_SERVER_HELLO; 00348 } 00349 00350 //Return status code 00351 return error; 00352 } 00353 00354 00355 /** 00356 * @brief Send ClientKeyExchange message 00357 * 00358 * This message is always sent by the client. It must immediately 00359 * follow the client Certificate message, if it is sent. Otherwise, 00360 * it must be the first message sent by the client after it receives 00361 * the ServerHelloDone message 00362 * 00363 * @param[in] context Pointer to the TLS context 00364 * @return Error code 00365 **/ 00366 00367 error_t tlsSendClientKeyExchange(TlsContext *context) 00368 { 00369 error_t error; 00370 size_t length; 00371 TlsClientKeyExchange *message; 00372 00373 //Point to the buffer where to format the message 00374 message = (TlsClientKeyExchange *) context->txBuffer; 00375 00376 //Format ClientKeyExchange message 00377 error = tlsFormatClientKeyExchange(context, message, &length); 00378 00379 //Check status code 00380 if(!error) 00381 { 00382 //Debug message 00383 TRACE_INFO("Sending ClientKeyExchange message (%" PRIuSIZE " bytes)...\r\n", length); 00384 TRACE_DEBUG_ARRAY(" ", message, length); 00385 00386 //Send handshake message 00387 error = tlsWriteProtocolData(context, message, length, TLS_TYPE_HANDSHAKE); 00388 } 00389 00390 //Check status code 00391 if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT) 00392 { 00393 //Derive session keys from the premaster secret 00394 error = tlsGenerateKeys(context); 00395 00396 //Key material successfully generated? 00397 if(!error) 00398 { 00399 //Prepare to send CertificateVerify message... 00400 context->state = TLS_STATE_CERTIFICATE_VERIFY; 00401 } 00402 } 00403 00404 //Return status code 00405 return error; 00406 } 00407 00408 00409 /** 00410 * @brief Send CertificateVerify message 00411 * 00412 * The CertificateVerify message is used to provide explicit verification 00413 * of a client certificate. This message is only sent following a client 00414 * certificate that has signing capability 00415 * 00416 * @param[in] context Pointer to the TLS context 00417 * @return Error code 00418 **/ 00419 00420 error_t tlsSendCertificateVerify(TlsContext *context) 00421 { 00422 error_t error; 00423 size_t length; 00424 TlsCertificateVerify *message; 00425 00426 //Initialize status code 00427 error = NO_ERROR; 00428 00429 //The CertificateVerify message is only sent following a client 00430 //certificate that has signing capability 00431 if(context->cert != NULL) 00432 { 00433 //Check certificate type 00434 if(context->cert->type == TLS_CERT_RSA_SIGN || 00435 context->cert->type == TLS_CERT_DSS_SIGN || 00436 context->cert->type == TLS_CERT_ECDSA_SIGN) 00437 { 00438 //Point to the buffer where to format the message 00439 message = (TlsCertificateVerify *) context->txBuffer; 00440 00441 //Format CertificateVerify message 00442 error = tlsFormatCertificateVerify(context, message, &length); 00443 00444 //Check status code 00445 if(!error) 00446 { 00447 //Debug message 00448 TRACE_INFO("Sending CertificateVerify message (%" PRIuSIZE " bytes)...\r\n", length); 00449 TRACE_DEBUG_ARRAY(" ", message, length); 00450 00451 //Send handshake message 00452 error = tlsWriteProtocolData(context, message, length, TLS_TYPE_HANDSHAKE); 00453 } 00454 } 00455 } 00456 00457 //Check status code 00458 if(error == NO_ERROR || error == ERROR_WOULD_BLOCK || error == ERROR_TIMEOUT) 00459 { 00460 //Prepare to send ChangeCipherSpec message... 00461 context->state = TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC; 00462 } 00463 00464 //Return status code 00465 return error; 00466 } 00467 00468 00469 /** 00470 * @brief Format ClientHello message 00471 * @param[in] context Pointer to the TLS context 00472 * @param[out] message Buffer where to format the ClientHello message 00473 * @param[out] length Length of the resulting ClientHello message 00474 * @return Error code 00475 **/ 00476 00477 error_t tlsFormatClientHello(TlsContext *context, 00478 TlsClientHello *message, size_t *length) 00479 { 00480 uint_t i; 00481 uint_t n; 00482 uint8_t *p; 00483 TlsCipherSuites *cipherSuites; 00484 TlsCompressionMethods *compressionMethods; 00485 TlsExtensions *extensionList; 00486 00487 //This flag tells whether any ECC cipher suite is proposed by the client 00488 bool_t eccCipherSuite = FALSE; 00489 00490 //Handshake message type 00491 message->msgType = TLS_TYPE_CLIENT_HELLO; 00492 //Version of the protocol being employed by the client 00493 message->clientVersion = HTONS(TLS_MAX_VERSION); 00494 //Client random value 00495 message->random = context->clientRandom; 00496 00497 //Point to the session ID 00498 p = message->sessionId; 00499 //Total length of the message 00500 *length = sizeof(TlsClientHello); 00501 00502 #if (TLS_SESSION_RESUME_SUPPORT == ENABLED) 00503 //The SessionID value identifies a session the client wishes 00504 //to reuse for this connection 00505 message->sessionIdLength = (uint8_t) context->sessionIdLen; 00506 memcpy(message->sessionId, context->sessionId, context->sessionIdLen); 00507 #else 00508 //Session resumption is not supported 00509 message->sessionIdLength = 0; 00510 #endif 00511 00512 //Point to the next field 00513 p += message->sessionIdLength; 00514 //Adjust the length of the message 00515 *length += message->sessionIdLength; 00516 00517 //List of cryptographic algorithms supported by the client 00518 cipherSuites = (TlsCipherSuites *) p; 00519 00520 //Debug message 00521 TRACE_DEBUG("Cipher suites:\r\n"); 00522 00523 //User preferred cipher suite list 00524 if(context->numCipherSuites > 0) 00525 { 00526 //Number of cipher suites in the array 00527 n = 0; 00528 00529 //Parse cipher suites 00530 for(i = 0; i < context->numCipherSuites; i++) 00531 { 00532 //Make sure the specified cipher suite is supported 00533 if(tlsIsCipherSuiteSupported(context->cipherSuites[i])) 00534 { 00535 //Copy cipher suite identifier 00536 cipherSuites->value[n++] = htons(context->cipherSuites[i]); 00537 00538 //Debug message 00539 TRACE_DEBUG(" 0x%04" PRIX16 " (%s)\r\n", context->cipherSuites[i], 00540 tlsGetCipherSuiteName(context->cipherSuites[i])); 00541 00542 //ECC cipher suite? 00543 if(tlsIsEccCipherSuite(context->cipherSuites[i])) 00544 eccCipherSuite = TRUE; 00545 } 00546 } 00547 } 00548 //Default cipher suite list 00549 else 00550 { 00551 //Determine the number of supported cipher suites 00552 n = tlsGetNumSupportedCipherSuites(); 00553 00554 //Parse cipher suites 00555 for(i = 0; i < n; i++) 00556 { 00557 //Copy cipher suite identifier 00558 cipherSuites->value[i] = htons(tlsSupportedCipherSuites[i].identifier); 00559 00560 //Debug message 00561 TRACE_DEBUG(" 0x%04" PRIX16 " (%s)\r\n", tlsSupportedCipherSuites[i].identifier, 00562 tlsSupportedCipherSuites[i].name); 00563 00564 //ECC cipher suite? 00565 if(tlsIsEccCipherSuite(tlsSupportedCipherSuites[i].identifier)) 00566 eccCipherSuite = TRUE; 00567 } 00568 } 00569 00570 //Length of the array, in bytes 00571 cipherSuites->length = htons(n * 2); 00572 //Point to the next field 00573 p += sizeof(TlsCipherSuites) + n * 2; 00574 //Total length of the message 00575 *length += sizeof(TlsCipherSuites) + n * 2; 00576 00577 //List of compression algorithms supported by the client 00578 compressionMethods = (TlsCompressionMethods *) p; 00579 00580 //The CRIME exploit takes advantage of TLS compression, so conservative 00581 //implementations do not enable compression at the TLS level 00582 compressionMethods->length = 1; 00583 compressionMethods->value[0] = TLS_COMPRESSION_METHOD_NULL; 00584 00585 //Point to the next field 00586 p += sizeof(TlsCompressionMethods) + compressionMethods->length; 00587 //Total length of the message 00588 *length += sizeof(TlsCompressionMethods) + compressionMethods->length; 00589 00590 //Clients may request extended functionality from servers by sending 00591 //data in the extensions field 00592 extensionList = (TlsExtensions *) p; 00593 //Total length of the extension list 00594 extensionList->length = 0; 00595 00596 //Point to the first extension of the list 00597 p += sizeof(TlsExtensions); 00598 00599 #if (TLS_SNI_SUPPORT == ENABLED) 00600 //In order to provide the server name, clients may include a ServerName extension 00601 if(context->serverName != NULL) 00602 { 00603 TlsExtension *extension; 00604 TlsServerNameList *serverNameList; 00605 TlsServerName *serverName; 00606 00607 //Determine the length of the server name 00608 n = strlen(context->serverName); 00609 00610 //Add SNI (Server Name Indication) extension 00611 extension = (TlsExtension *) p; 00612 //Type of the extension 00613 extension->type = HTONS(TLS_EXT_SERVER_NAME); 00614 00615 //Point to the list of server names 00616 serverNameList = (TlsServerNameList *) extension->value; 00617 00618 //Point to the server name 00619 serverName = (TlsServerName *) serverNameList->value; 00620 //Fill in the type and the length fields 00621 serverName->type = TLS_NAME_TYPE_HOSTNAME; 00622 serverName->length = htons(n); 00623 //Copy server name 00624 memcpy(serverName->hostname, context->serverName, n); 00625 00626 //Compute the length, in byte, of the structure 00627 n += sizeof(TlsServerName); 00628 //Fix the length of the list 00629 serverNameList->length = htons(n); 00630 00631 //Consider the 2-byte length field that precedes the list 00632 n += sizeof(TlsServerNameList); 00633 //Fix the length of the extension 00634 extension->length = htons(n); 00635 00636 //Compute the length, in bytes, of the ServerName extension 00637 n += sizeof(TlsExtension); 00638 //Fix the length of the extension list 00639 extensionList->length += n; 00640 00641 //Point to the next field 00642 p += n; 00643 //Total length of the message 00644 *length += n; 00645 } 00646 #endif 00647 00648 #if (TLS_ALPN_SUPPORT == ENABLED) 00649 //The ALPN extension contains the list of protocols advertised by the 00650 //client, in descending order of preference 00651 if(context->protocolList != NULL) 00652 { 00653 uint_t j; 00654 TlsExtension *extension; 00655 TlsProtocolNameList *protocolNameList; 00656 TlsProtocolName *protocolName; 00657 00658 //Add ALPN (Application-Layer Protocol Negotiation) extension 00659 extension = (TlsExtension *) p; 00660 //Type of the extension 00661 extension->type = HTONS(TLS_EXT_ALPN); 00662 00663 //Point to the list of protocol names 00664 protocolNameList = (TlsProtocolNameList *) extension->value; 00665 00666 //Move back to the beginning of the list 00667 i = 0; 00668 j = 0; 00669 n = 0; 00670 00671 //Parse the list of supported protocols 00672 do 00673 { 00674 //Delimiter character found? 00675 if(context->protocolList[i] == ',' || context->protocolList[i] == '\0') 00676 { 00677 //Discard empty tokens 00678 if((i - j) > 0) 00679 { 00680 //Point to the protocol name 00681 protocolName = (TlsProtocolName *) (protocolNameList->value + n); 00682 00683 //Fill in the length field 00684 protocolName->length = i - j; 00685 //Copy protocol name 00686 memcpy(protocolName->value, context->protocolList + j, i - j); 00687 00688 //Adjust the length of the list 00689 n += sizeof(TlsProtocolName) + i - j; 00690 } 00691 00692 //Move to the next token 00693 j = i + 1; 00694 } 00695 00696 //Loop until the NULL character is reached 00697 } while(context->protocolList[i++] != '\0'); 00698 00699 //Fix the length of the list 00700 protocolNameList->length = htons(n); 00701 00702 //Consider the 2-byte length field that precedes the list 00703 n += sizeof(TlsProtocolNameList); 00704 //Fix the length of the extension 00705 extension->length = htons(n); 00706 00707 //Compute the length, in bytes, of the ALPN extension 00708 n += sizeof(TlsExtension); 00709 //Fix the length of the extension list 00710 extensionList->length += n; 00711 00712 //Point to the next field 00713 p += n; 00714 //Total length of the message 00715 *length += n; 00716 } 00717 #endif 00718 00719 #if (TLS_ECDH_ANON_SUPPORT == ENABLED || TLS_ECDHE_RSA_SUPPORT == ENABLED || \ 00720 TLS_ECDHE_ECDSA_SUPPORT == ENABLED || TLS_ECDHE_PSK_SUPPORT == ENABLED) 00721 //A client that proposes ECC cipher suites in its ClientHello message 00722 //should send the EllipticCurves extension 00723 if(eccCipherSuite) 00724 { 00725 TlsExtension *extension; 00726 TlsEllipticCurveList *ellipticCurveList; 00727 00728 //Add the EllipticCurves extension 00729 extension = (TlsExtension *) p; 00730 //Type of the extension 00731 extension->type = HTONS(TLS_EXT_ELLIPTIC_CURVES); 00732 00733 //Point to the list of supported elliptic curves 00734 ellipticCurveList = (TlsEllipticCurveList *) extension->value; 00735 //Items in the list are ordered according to client's preferences 00736 n = 0; 00737 00738 #if (TLS_SECP160K1_SUPPORT == ENABLED) 00739 //Support for secp160k1 elliptic curve 00740 ellipticCurveList->value[n++] = HTONS(TLS_EC_CURVE_SECP160K1); 00741 #endif 00742 #if (TLS_SECP160R1_SUPPORT == ENABLED) 00743 //Support for secp160r1 elliptic curve 00744 ellipticCurveList->value[n++] = HTONS(TLS_EC_CURVE_SECP160R1); 00745 #endif 00746 #if (TLS_SECP160R2_SUPPORT == ENABLED) 00747 //Support for secp160r2 elliptic curve 00748 ellipticCurveList->value[n++] = HTONS(TLS_EC_CURVE_SECP160R2); 00749 #endif 00750 #if (TLS_SECP192K1_SUPPORT == ENABLED) 00751 //Support for secp192k1 elliptic curve 00752 ellipticCurveList->value[n++] = HTONS(TLS_EC_CURVE_SECP192K1); 00753 #endif 00754 #if (TLS_SECP192R1_SUPPORT == ENABLED) 00755 //Support for secp192r1 elliptic curve 00756 ellipticCurveList->value[n++] = HTONS(TLS_EC_CURVE_SECP192R1); 00757 #endif 00758 #if (TLS_SECP224K1_SUPPORT == ENABLED) 00759 //Support for secp224k1 elliptic curve 00760 ellipticCurveList->value[n++] = HTONS(TLS_EC_CURVE_SECP224K1); 00761 #endif 00762 #if (TLS_SECP224R1_SUPPORT == ENABLED) 00763 //Support for secp224r1 elliptic curve 00764 ellipticCurveList->value[n++] = HTONS(TLS_EC_CURVE_SECP224R1); 00765 #endif 00766 #if (TLS_SECP256K1_SUPPORT == ENABLED) 00767 //Support for secp256k1 elliptic curve 00768 ellipticCurveList->value[n++] = HTONS(TLS_EC_CURVE_SECP256K1); 00769 #endif 00770 #if (TLS_SECP256R1_SUPPORT == ENABLED) 00771 //Support for secp256r1 elliptic curve 00772 ellipticCurveList->value[n++] = HTONS(TLS_EC_CURVE_SECP256R1); 00773 #endif 00774 #if (TLS_SECP384R1_SUPPORT == ENABLED) 00775 //Support for secp384r1 elliptic curve 00776 ellipticCurveList->value[n++] = HTONS(TLS_EC_CURVE_SECP384R1); 00777 #endif 00778 #if (TLS_SECP521R1_SUPPORT == ENABLED) 00779 //Support for secp521r1 elliptic curve 00780 ellipticCurveList->value[n++] = HTONS(TLS_EC_CURVE_SECP521R1); 00781 #endif 00782 #if (TLS_BRAINPOOLP256R1_SUPPORT == ENABLED) 00783 //Support for brainpoolP256r1 elliptic curve 00784 ellipticCurveList->value[n++] = HTONS(TLS_EC_CURVE_BRAINPOOLP256R1); 00785 #endif 00786 #if (TLS_BRAINPOOLP384R1_SUPPORT == ENABLED) 00787 //Support for brainpoolP384r1 elliptic curve 00788 ellipticCurveList->value[n++] = HTONS(TLS_EC_CURVE_BRAINPOOLP384R1); 00789 #endif 00790 #if (TLS_BRAINPOOLP512R1_SUPPORT == ENABLED) 00791 //Support for brainpoolP512r1 elliptic curve 00792 ellipticCurveList->value[n++] = HTONS(TLS_EC_CURVE_BRAINPOOLP512R1); 00793 #endif 00794 00795 //Compute the length, in bytes, of the list 00796 n *= 2; 00797 //Fix the length of the list 00798 ellipticCurveList->length = htons(n); 00799 00800 //Consider the 2-byte length field that precedes the list 00801 n += sizeof(TlsEllipticCurveList); 00802 //Fix the length of the extension 00803 extension->length = htons(n); 00804 00805 //Compute the length, in bytes, of the EllipticCurves extension 00806 n += sizeof(TlsExtension); 00807 //Fix the length of the extension list 00808 extensionList->length += n; 00809 00810 //Point to the next field 00811 p += n; 00812 //Total length of the message 00813 *length += n; 00814 } 00815 00816 //A client that proposes ECC cipher suites in its ClientHello message 00817 //should send the EcPointFormats extension 00818 if(eccCipherSuite) 00819 { 00820 TlsExtension *extension; 00821 TlsEcPointFormatList *ecPointFormatList; 00822 00823 //Add the EcPointFormats extension 00824 extension = (TlsExtension *) p; 00825 //Type of the extension 00826 extension->type = HTONS(TLS_EXT_EC_POINT_FORMATS); 00827 00828 //Point to the list of supported EC point formats 00829 ecPointFormatList = (TlsEcPointFormatList *) extension->value; 00830 //Items in the list are ordered according to client's preferences 00831 n = 0; 00832 00833 //The client can parse only the uncompressed point format... 00834 ecPointFormatList->value[n++] = TLS_EC_POINT_FORMAT_UNCOMPRESSED; 00835 //Fix the length of the list 00836 ecPointFormatList->length = n; 00837 00838 //Consider the 2-byte length field that precedes the list 00839 n += sizeof(TlsEcPointFormatList); 00840 //Fix the length of the extension 00841 extension->length = htons(n); 00842 00843 //Compute the length, in bytes, of the EcPointFormats extension 00844 n += sizeof(TlsExtension); 00845 //Fix the length of the extension list 00846 extensionList->length += n; 00847 00848 //Point to the next field 00849 p += n; 00850 //Total length of the message 00851 *length += n; 00852 } 00853 #endif 00854 00855 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2) 00856 //Include the SignatureAlgorithms extension only if TLS 1.2 is supported 00857 { 00858 TlsExtension *extension; 00859 TlsSignHashAlgos *supportedSignAlgos; 00860 00861 //Add the SignatureAlgorithms extension 00862 extension = (TlsExtension *) p; 00863 //Type of the extension 00864 extension->type = HTONS(TLS_EXT_SIGNATURE_ALGORITHMS); 00865 00866 //Point to the list of the hash/signature algorithm pairs that 00867 //the server is able to verify 00868 supportedSignAlgos = (TlsSignHashAlgos *) extension->value; 00869 00870 //Enumerate the hash/signature algorithm pairs in descending 00871 //order of preference 00872 n = 0; 00873 00874 #if (TLS_RSA_SIGN_SUPPORT == ENABLED) 00875 //MD5 with RSA is always supported 00876 supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA; 00877 supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_MD5; 00878 //SHA-1 with RSA is always supported 00879 supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA; 00880 supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1; 00881 #if (TLS_SHA224_SUPPORT == ENABLED) 00882 //SHA-224 with RSA support is optional 00883 supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA; 00884 supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA224; 00885 #endif 00886 //SHA-256 with RSA is always supported 00887 supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA; 00888 supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256; 00889 #if (TLS_SHA384_SUPPORT == ENABLED) 00890 //SHA-384 with RSA support is optional 00891 supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA; 00892 supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA384; 00893 #endif 00894 #if (TLS_SHA512_SUPPORT == ENABLED) 00895 //SHA-512 with RSA support is optional 00896 supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_RSA; 00897 supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA512; 00898 #endif 00899 #endif 00900 00901 #if (TLS_DSA_SIGN_SUPPORT == ENABLED) 00902 //DSA with SHA-1 is always supported 00903 supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_DSA; 00904 supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1; 00905 #if (TLS_SHA224_SUPPORT == ENABLED) 00906 //DSA with SHA-224 support is optional 00907 supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_DSA; 00908 supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA224; 00909 #endif 00910 //DSA with SHA-256 is always supported 00911 supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_DSA; 00912 supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256; 00913 #endif 00914 00915 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED) 00916 //Any ECC cipher suite proposed by the client? 00917 if(eccCipherSuite) 00918 { 00919 //ECDSA with SHA-1 is always supported 00920 supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA; 00921 supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA1; 00922 #if (TLS_SHA224_SUPPORT == ENABLED) 00923 //ECDSA with SHA-224 support is optional 00924 supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA; 00925 supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA224; 00926 #endif 00927 //ECDSA with SHA-256 is always supported 00928 supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA; 00929 supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA256; 00930 #if (TLS_SHA384_SUPPORT == ENABLED) 00931 //ECDSA with SHA-384 support is optional 00932 supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA; 00933 supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA384; 00934 #endif 00935 #if (TLS_SHA512_SUPPORT == ENABLED) 00936 //ECDSA with SHA-512 support is optional 00937 supportedSignAlgos->value[n].signature = TLS_SIGN_ALGO_ECDSA; 00938 supportedSignAlgos->value[n++].hash = TLS_HASH_ALGO_SHA512; 00939 #endif 00940 } 00941 #endif 00942 00943 //Compute the length, in bytes, of the list 00944 n *= sizeof(TlsSignHashAlgo); 00945 //Fix the length of the list 00946 supportedSignAlgos->length = htons(n); 00947 00948 //Consider the 2-byte length field that precedes the list 00949 n += sizeof(TlsSignHashAlgos); 00950 //Fix the length of the extension 00951 extension->length = htons(n); 00952 00953 //Compute the length, in bytes, of the SignatureAlgorithms extension 00954 n += sizeof(TlsExtension); 00955 //Fix the length of the extension list 00956 extensionList->length += n; 00957 00958 //Point to the next field 00959 p += n; 00960 //Total length of the message 00961 *length += n; 00962 } 00963 #endif 00964 00965 //Check whether the extension list is empty 00966 if(extensionList->length > 0) 00967 { 00968 //Convert the length of the extension list to network byte order 00969 extensionList->length = htons(extensionList->length); 00970 //Total length of the message 00971 *length += sizeof(TlsExtensions); 00972 } 00973 00974 //Fix the length field 00975 STORE24BE(*length - sizeof(TlsHandshake), message->length); 00976 00977 //Successful processing 00978 return NO_ERROR; 00979 } 00980 00981 00982 /** 00983 * @brief Format ClientKeyExchange message 00984 * @param[in] context Pointer to the TLS context 00985 * @param[out] message Buffer where to format the ClientKeyExchange message 00986 * @param[out] length Length of the resulting ClientKeyExchange message 00987 * @return Error code 00988 **/ 00989 00990 error_t tlsFormatClientKeyExchange(TlsContext *context, 00991 TlsClientKeyExchange *message, size_t *length) 00992 { 00993 error_t error; 00994 size_t n; 00995 uint8_t *p; 00996 00997 //Handshake message type 00998 message->msgType = TLS_TYPE_CLIENT_KEY_EXCHANGE; 00999 01000 //Point to the body of the handshake message 01001 p = message->data; 01002 //Length of the handshake message 01003 *length = 0; 01004 01005 //PSK key exchange method? 01006 if(context->keyExchMethod == TLS_KEY_EXCH_PSK || 01007 context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK || 01008 context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK || 01009 context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK) 01010 { 01011 //The client indicates which key to use by including a PSK identity 01012 //in the ClientKeyExchange message 01013 error = tlsFormatPskIdentity(context, p, &n); 01014 //Any error to report? 01015 if(error) 01016 return error; 01017 01018 //Advance data pointer 01019 p += n; 01020 //Adjust the length of the message 01021 *length += n; 01022 } 01023 01024 //RSA, Diffie-Hellman or ECDH key exchange method? 01025 if(context->keyExchMethod != TLS_KEY_EXCH_PSK) 01026 { 01027 //Format client's key exchange parameters 01028 error = tlsFormatClientKeyParams(context, p, &n); 01029 //Any error to report? 01030 if(error) 01031 return error; 01032 01033 //Advance data pointer 01034 p += n; 01035 //Adjust the length of the message 01036 *length += n; 01037 } 01038 01039 //PSK key exchange method? 01040 if(context->keyExchMethod == TLS_KEY_EXCH_PSK || 01041 context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK || 01042 context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK || 01043 context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK) 01044 { 01045 //Generate premaster secret 01046 error = tlsGeneratePskPremasterSecret(context); 01047 //Any error to report? 01048 if(error) 01049 return error; 01050 } 01051 01052 //Fix the length field 01053 STORE24BE(*length, message->length); 01054 //Length of the complete handshake message 01055 *length += sizeof(TlsHandshake); 01056 01057 //Successful processing 01058 return NO_ERROR; 01059 } 01060 01061 01062 /** 01063 * @brief Format CertificateVerify message 01064 * @param[in] context Pointer to the TLS context 01065 * @param[out] message Buffer where to format the CertificateVerify message 01066 * @param[out] length Length of the resulting CertificateVerify message 01067 * @return Error code 01068 **/ 01069 01070 error_t tlsFormatCertificateVerify(TlsContext *context, 01071 TlsCertificateVerify *message, size_t *length) 01072 { 01073 error_t error; 01074 01075 //Initialize message length 01076 *length = 0; 01077 01078 //Handshake message type 01079 message->msgType = TLS_TYPE_CERTIFICATE_VERIFY; 01080 01081 #if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1) 01082 //SSL 3.0, TLS 1.0 or TLS 1.1 currently selected? 01083 if(context->version <= TLS_VERSION_1_1) 01084 { 01085 TlsDigitalSignature *signature; 01086 01087 //Point to the digitally-signed element 01088 signature = (TlsDigitalSignature *) message->signature; 01089 01090 #if (TLS_RSA_SIGN_SUPPORT == ENABLED) 01091 //The client's certificate contains a valid RSA public key? 01092 if(context->cert->type == TLS_CERT_RSA_SIGN) 01093 { 01094 RsaPrivateKey privateKey; 01095 01096 //Initialize RSA private key 01097 rsaInitPrivateKey(&privateKey); 01098 01099 //Digest all the handshake messages starting at ClientHello (using MD5) 01100 error = tlsFinalizeHandshakeHash(context, MD5_HASH_ALGO, 01101 context->handshakeMd5Context, "", context->verifyData); 01102 01103 //Check status code 01104 if(!error) 01105 { 01106 //Digest all the handshake messages starting at ClientHello (using SHA-1) 01107 error = tlsFinalizeHandshakeHash(context, SHA1_HASH_ALGO, 01108 context->handshakeSha1Context, "", context->verifyData + MD5_DIGEST_SIZE); 01109 } 01110 01111 //Check status code 01112 if(!error) 01113 { 01114 //Decode the PEM structure that holds the RSA private key 01115 error = pemReadRsaPrivateKey(context->cert->privateKey, 01116 context->cert->privateKeyLength, &privateKey); 01117 } 01118 01119 //Check status code 01120 if(!error) 01121 { 01122 //Generate a RSA signature using the client's private key 01123 error = tlsGenerateRsaSignature(&privateKey, 01124 context->verifyData, signature->value, length); 01125 } 01126 01127 //Release previously allocated resources 01128 rsaFreePrivateKey(&privateKey); 01129 } 01130 else 01131 #endif 01132 #if (TLS_DSA_SIGN_SUPPORT == ENABLED) 01133 //The client's certificate contains a valid DSA public key? 01134 if(context->cert->type == TLS_CERT_DSS_SIGN) 01135 { 01136 DsaPrivateKey privateKey; 01137 01138 //Initialize DSA private key 01139 dsaInitPrivateKey(&privateKey); 01140 01141 //Digest all the handshake messages starting at ClientHello 01142 error = tlsFinalizeHandshakeHash(context, SHA1_HASH_ALGO, 01143 context->handshakeSha1Context, "", context->verifyData); 01144 01145 //Check status code 01146 if(!error) 01147 { 01148 //Decode the PEM structure that holds the DSA private key 01149 error = pemReadDsaPrivateKey(context->cert->privateKey, 01150 context->cert->privateKeyLength, &privateKey); 01151 } 01152 01153 //Check status code 01154 if(!error) 01155 { 01156 //Generate a DSA signature using the client's private key 01157 error = tlsGenerateDsaSignature(context->prngAlgo, 01158 context->prngContext, &privateKey, context->verifyData, 01159 SHA1_DIGEST_SIZE, signature->value, length); 01160 } 01161 01162 //Release previously allocated resources 01163 dsaFreePrivateKey(&privateKey); 01164 } 01165 else 01166 #endif 01167 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED) 01168 //The client's certificate contains a valid ECDSA public key? 01169 if(context->cert->type == TLS_CERT_ECDSA_SIGN) 01170 { 01171 EcDomainParameters params; 01172 Mpi privateKey; 01173 01174 //Initialize EC domain parameters 01175 ecInitDomainParameters(¶ms); 01176 //Initialize EC private key 01177 mpiInit(&privateKey); 01178 01179 //Digest all the handshake messages starting at ClientHello 01180 error = tlsFinalizeHandshakeHash(context, SHA1_HASH_ALGO, 01181 context->handshakeSha1Context, "", context->verifyData); 01182 01183 //Check status code 01184 if(!error) 01185 { 01186 //Decode the PEM structure that holds the EC domain parameters 01187 error = pemReadEcParameters(context->cert->privateKey, 01188 context->cert->privateKeyLength, ¶ms); 01189 } 01190 01191 //Check status code 01192 if(!error) 01193 { 01194 //Decode the PEM structure that holds the EC private key 01195 error = pemReadEcPrivateKey(context->cert->privateKey, 01196 context->cert->privateKeyLength, &privateKey); 01197 } 01198 01199 //Check status code 01200 if(!error) 01201 { 01202 //Generate an ECDSA signature using the client's private key 01203 error = tlsGenerateEcdsaSignature(¶ms, context->prngAlgo, 01204 context->prngContext, &privateKey, context->verifyData, 01205 SHA1_DIGEST_SIZE, signature->value, length); 01206 } 01207 01208 //Release previously allocated resources 01209 ecFreeDomainParameters(¶ms); 01210 mpiFree(&privateKey); 01211 } 01212 else 01213 #endif 01214 //Invalid signature algorithm? 01215 { 01216 //Report an error 01217 error = ERROR_UNSUPPORTED_SIGNATURE_ALGO; 01218 } 01219 01220 //Length of the signature 01221 signature->length = htons(*length); 01222 //Total length of the digitally-signed element 01223 *length += sizeof(TlsDigitalSignature); 01224 } 01225 else 01226 #endif 01227 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2) 01228 //TLS 1.2 currently selected? 01229 if(context->version == TLS_VERSION_1_2) 01230 { 01231 TlsDigitalSignature2 *signature; 01232 const HashAlgo *hashAlgo; 01233 01234 //Point to the digitally-signed element 01235 signature = (TlsDigitalSignature2 *) message->signature; 01236 01237 //Retrieve the hash algorithm to be used for signing 01238 hashAlgo = tlsGetHashAlgo(context->signHashAlgo); 01239 01240 //Digest all the handshake messages starting at ClientHello 01241 if(hashAlgo == SHA1_HASH_ALGO) 01242 { 01243 //Use SHA-1 hash algorithm 01244 error = tlsFinalizeHandshakeHash(context, SHA1_HASH_ALGO, 01245 context->handshakeSha1Context, "", context->verifyData); 01246 } 01247 else if(hashAlgo == context->prfHashAlgo) 01248 { 01249 //Use PRF hash algorithm (SHA-256 or SHA-384) 01250 error = tlsFinalizeHandshakeHash(context, hashAlgo, 01251 context->handshakeHashContext, "", context->verifyData); 01252 } 01253 else 01254 { 01255 //The specified hash algorithm is not supported 01256 error = ERROR_UNSUPPORTED_SIGNATURE_ALGO; 01257 } 01258 01259 //Handshake message hash successfully computed? 01260 if(!error) 01261 { 01262 #if (TLS_RSA_SIGN_SUPPORT == ENABLED) 01263 //The client's certificate contains a valid RSA public key? 01264 if(context->cert->type == TLS_CERT_RSA_SIGN) 01265 { 01266 RsaPrivateKey privateKey; 01267 01268 //Initialize RSA private key 01269 rsaInitPrivateKey(&privateKey); 01270 01271 //Set the relevant signature algorithm 01272 signature->algorithm.signature = TLS_SIGN_ALGO_RSA; 01273 signature->algorithm.hash = context->signHashAlgo; 01274 01275 //Decode the PEM structure that holds the RSA private key 01276 error = pemReadRsaPrivateKey(context->cert->privateKey, 01277 context->cert->privateKeyLength, &privateKey); 01278 01279 //Check status code 01280 if(!error) 01281 { 01282 //Use the signature algorithm defined in PKCS #1 v1.5 01283 error = rsassaPkcs1v15Sign(&privateKey, hashAlgo, 01284 context->verifyData, signature->value, length); 01285 } 01286 01287 //Release previously allocated resources 01288 rsaFreePrivateKey(&privateKey); 01289 } 01290 else 01291 #endif 01292 #if (TLS_DSA_SIGN_SUPPORT == ENABLED) 01293 //The client's certificate contains a valid DSA public key? 01294 if(context->cert->type == TLS_CERT_DSS_SIGN) 01295 { 01296 DsaPrivateKey privateKey; 01297 01298 //Initialize DSA private key 01299 dsaInitPrivateKey(&privateKey); 01300 01301 //Set the relevant signature algorithm 01302 signature->algorithm.signature = TLS_SIGN_ALGO_DSA; 01303 signature->algorithm.hash = context->signHashAlgo; 01304 01305 //Decode the PEM structure that holds the DSA private key 01306 error = pemReadDsaPrivateKey(context->cert->privateKey, 01307 context->cert->privateKeyLength, &privateKey); 01308 01309 //Check status code 01310 if(!error) 01311 { 01312 //Generate a DSA signature using the client's private key 01313 error = tlsGenerateDsaSignature(context->prngAlgo, 01314 context->prngContext, &privateKey, context->verifyData, 01315 hashAlgo->digestSize, signature->value, length); 01316 } 01317 01318 //Release previously allocated resources 01319 dsaFreePrivateKey(&privateKey); 01320 } 01321 else 01322 #endif 01323 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED) 01324 //The client's certificate contains a valid ECDSA public key? 01325 if(context->cert->type == TLS_CERT_ECDSA_SIGN) 01326 { 01327 EcDomainParameters params; 01328 Mpi privateKey; 01329 01330 //Initialize EC domain parameters 01331 ecInitDomainParameters(¶ms); 01332 //Initialize EC private key 01333 mpiInit(&privateKey); 01334 01335 //Set the relevant signature algorithm 01336 signature->algorithm.signature = TLS_SIGN_ALGO_ECDSA; 01337 signature->algorithm.hash = context->signHashAlgo; 01338 01339 //Decode the PEM structure that holds the EC domain parameters 01340 error = pemReadEcParameters(context->cert->privateKey, 01341 context->cert->privateKeyLength, ¶ms); 01342 01343 //Check status code 01344 if(!error) 01345 { 01346 //Decode the PEM structure that holds the EC private key 01347 error = pemReadEcPrivateKey(context->cert->privateKey, 01348 context->cert->privateKeyLength, &privateKey); 01349 } 01350 01351 //Check status code 01352 if(!error) 01353 { 01354 //Generate an ECDSA signature using the client's private key 01355 error = tlsGenerateEcdsaSignature(¶ms, context->prngAlgo, 01356 context->prngContext, &privateKey, context->verifyData, 01357 hashAlgo->digestSize, signature->value, length); 01358 } 01359 01360 //Release previously allocated resources 01361 ecFreeDomainParameters(¶ms); 01362 mpiFree(&privateKey); 01363 } 01364 else 01365 #endif 01366 //Invalid signature algorithm? 01367 { 01368 //Report an error 01369 error = ERROR_UNSUPPORTED_SIGNATURE_ALGO; 01370 } 01371 } 01372 01373 //Length of the signature 01374 signature->length = htons(*length); 01375 //Length of the digitally-signed element 01376 *length += sizeof(TlsDigitalSignature2); 01377 } 01378 else 01379 #endif 01380 { 01381 //The negotiated TLS version is not valid 01382 error = ERROR_INVALID_VERSION; 01383 } 01384 01385 //Fix the length field 01386 STORE24BE(*length, message->length); 01387 //Length of the complete handshake message 01388 *length += sizeof(TlsHandshake); 01389 01390 //Return status code 01391 return error; 01392 } 01393 01394 01395 /** 01396 * @brief Parse ServerHello message 01397 * 01398 * The server will send this message in response to a ClientHello 01399 * message when it was able to find an acceptable set of algorithms. 01400 * If it cannot find such a match, it will respond with a handshake 01401 * failure alert 01402 * 01403 * @param[in] context Pointer to the TLS context 01404 * @param[in] message Incoming ServerHello message to parse 01405 * @param[in] length Message length 01406 * @return Error code 01407 **/ 01408 01409 error_t tlsParseServerHello(TlsContext *context, const TlsServerHello *message, size_t length) 01410 { 01411 error_t error; 01412 size_t n; 01413 const uint8_t *p; 01414 TlsCipherSuite cipherSuite; 01415 TlsCompressionMethod compressionMethod; 01416 01417 //Debug message 01418 TRACE_INFO("ServerHello message received (%" PRIuSIZE " bytes)...\r\n", length); 01419 TRACE_DEBUG_ARRAY(" ", message, length); 01420 01421 //Check the length of the ServerHello message 01422 if(length < sizeof(TlsServerHello)) 01423 return ERROR_DECODING_FAILED; 01424 01425 //Check current state 01426 if(context->state != TLS_STATE_SERVER_HELLO) 01427 return ERROR_UNEXPECTED_MESSAGE; 01428 01429 //Point to the session ID 01430 p = (uint8_t *) message + sizeof(TlsServerHello); 01431 //Remaining bytes to process 01432 n = length - sizeof(TlsServerHello); 01433 01434 //Check the length of the session ID 01435 if(message->sessionIdLength > n) 01436 return ERROR_DECODING_FAILED; 01437 if(message->sessionIdLength > 32) 01438 return ERROR_ILLEGAL_PARAMETER; 01439 01440 //Point to the next field 01441 p += message->sessionIdLength; 01442 //Remaining bytes to process 01443 n -= message->sessionIdLength; 01444 01445 //Malformed ServerHello message? 01446 if(n < (sizeof(TlsCipherSuite) + sizeof(TlsCompressionMethod))) 01447 return ERROR_DECODING_FAILED; 01448 01449 //Get the negotiated cipher suite 01450 cipherSuite = LOAD16BE(p); 01451 //Point to the next field 01452 p += sizeof(TlsCipherSuite); 01453 //Remaining bytes to process 01454 n -= sizeof(TlsCipherSuite); 01455 01456 //Get the negotiated compression method 01457 compressionMethod = *p; 01458 //Point to the next field 01459 p += sizeof(TlsCompressionMethod); 01460 //Remaining bytes to process 01461 n -= sizeof(TlsCompressionMethod); 01462 01463 //Server version 01464 TRACE_INFO(" serverVersion = 0x%04" PRIX16 " (%s)\r\n", ntohs(message->serverVersion), 01465 tlsGetVersionName(ntohs(message->serverVersion))); 01466 //Server random value 01467 TRACE_INFO(" random\r\n"); 01468 TRACE_INFO_ARRAY(" ", &message->random, sizeof(TlsRandom)); 01469 //Session identifier 01470 TRACE_INFO(" sessionId\r\n"); 01471 TRACE_INFO_ARRAY(" ", message->sessionId, message->sessionIdLength); 01472 //Cipher suite identifier 01473 TRACE_INFO(" cipherSuite = 0x%04" PRIX16 " (%s)\r\n", 01474 cipherSuite, tlsGetCipherSuiteName(cipherSuite)); 01475 //Compression method 01476 TRACE_INFO(" compressionMethod = 0x%02" PRIX8 "\r\n", compressionMethod); 01477 01478 #if (TLS_SESSION_RESUME_SUPPORT == ENABLED) 01479 //Check whether the session ID matches the value that was supplied by the client 01480 if(message->sessionIdLength > 0 && message->sessionIdLength == context->sessionIdLen && 01481 !memcmp(message->sessionId, context->sessionId, context->sessionIdLen)) 01482 { 01483 //For resumed sessions, the selected cipher suite and compression 01484 //method shall be the same as the session being resumed 01485 if(cipherSuite != context->cipherSuite || 01486 compressionMethod != context->compressionMethod) 01487 { 01488 //The session ID is no more valid 01489 context->sessionIdLen = 0; 01490 //When renegotiating, if the server tries to use another 01491 //version or compression method than previously, abort 01492 return ERROR_HANDSHAKE_FAILED; 01493 } 01494 01495 //Perform abbreviated handshake 01496 context->resume = TRUE; 01497 } 01498 else 01499 #endif 01500 { 01501 //Perform a full handshake 01502 context->resume = FALSE; 01503 } 01504 01505 //Save server random value 01506 context->serverRandom = message->random; 01507 01508 //Save session identifier 01509 memcpy(context->sessionId, message->sessionId, message->sessionIdLength); 01510 context->sessionIdLen = message->sessionIdLength; 01511 01512 //Set the TLS version to use 01513 error = tlsSetVersion(context, ntohs(message->serverVersion)); 01514 //The specified TLS version is not supported? 01515 if(error) 01516 return error; 01517 01518 //Set cipher suite 01519 error = tlsSetCipherSuite(context, cipherSuite); 01520 //The specified cipher suite is not supported? 01521 if(error) 01522 return error; 01523 01524 //Set compression method 01525 error = tlsSetCompressionMethod(context, compressionMethod); 01526 //The specified compression method is not supported? 01527 if(error) 01528 return error; 01529 01530 //Initialize handshake message hashing 01531 error = tlsInitHandshakeHash(context); 01532 //Any error to report? 01533 if(error) 01534 return error; 01535 01536 //Update the hash value with the incoming handshake message 01537 tlsUpdateHandshakeHash(context, message, length); 01538 01539 #if (TLS_SESSION_RESUME_SUPPORT == ENABLED) 01540 //Use abbreviated handshake? 01541 if(context->resume) 01542 { 01543 //Derive session keys from the master secret 01544 error = tlsGenerateKeys(context); 01545 //Unable to generate key material? 01546 if(error) 01547 return error; 01548 01549 //At this point, both client and server must send ChangeCipherSpec 01550 //messages and proceed directly to Finished messages 01551 context->state = TLS_STATE_SERVER_CHANGE_CIPHER_SPEC; 01552 } 01553 else 01554 #endif 01555 { 01556 //Perform a full handshake 01557 if(context->keyExchMethod == TLS_KEY_EXCH_PSK || 01558 context->keyExchMethod == TLS_KEY_EXCH_DH_ANON || 01559 context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK || 01560 context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON || 01561 context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK) 01562 { 01563 //The Certificate message is omitted from the server's response 01564 context->state = TLS_STATE_SERVER_KEY_EXCHANGE; 01565 } 01566 else 01567 { 01568 //The server is required to send a Certificate message 01569 context->state = TLS_STATE_SERVER_CERTIFICATE; 01570 } 01571 } 01572 01573 //Successful processing 01574 return NO_ERROR; 01575 } 01576 01577 01578 /** 01579 * @brief Parse ServerKeyExchange message 01580 * 01581 * The ServerKeyExchange message is sent by the server only when the 01582 * server Certificate message does not contain enough data to allow 01583 * the client to exchange a premaster secret 01584 * 01585 * @param[in] context Pointer to the TLS context 01586 * @param[in] message Incoming ServerKeyExchange message to parse 01587 * @param[in] length Message length 01588 * @return Error code 01589 **/ 01590 01591 error_t tlsParseServerKeyExchange(TlsContext *context, const TlsServerKeyExchange *message, size_t length) 01592 { 01593 error_t error; 01594 size_t n; 01595 size_t paramsLen; 01596 const uint8_t *p; 01597 const uint8_t *params; 01598 01599 //Debug message 01600 TRACE_INFO("ServerKeyExchange message received (%" PRIuSIZE " bytes)...\r\n", length); 01601 TRACE_DEBUG_ARRAY(" ", message, length); 01602 01603 //Check the length of the ServerKeyExchange message 01604 if(length < sizeof(TlsServerKeyExchange)) 01605 return ERROR_DECODING_FAILED; 01606 01607 //Check current state 01608 if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE) 01609 return ERROR_UNEXPECTED_MESSAGE; 01610 01611 //Update the hash value with the incoming handshake message 01612 tlsUpdateHandshakeHash(context, message, length); 01613 01614 //Point to the body of the handshake message 01615 p = message->data; 01616 //Remaining bytes to process 01617 length -= sizeof(TlsServerKeyExchange); 01618 01619 //PSK key exchange method? 01620 if(context->keyExchMethod == TLS_KEY_EXCH_PSK || 01621 context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK || 01622 context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK || 01623 context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK) 01624 { 01625 //To help the client in selecting which identity to use, the server 01626 //can provide a PSK identity hint in the ServerKeyExchange message 01627 error = tlsParsePskIdentityHint(context, p, length, &n); 01628 //Any error to report? 01629 if(error) 01630 return error; 01631 01632 //Point to the next field 01633 p += n; 01634 //Remaining bytes to process 01635 length -= n; 01636 } 01637 01638 //Diffie-Hellman or ECDH key exchange method? 01639 if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON || 01640 context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA || 01641 context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS || 01642 context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK || 01643 context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON || 01644 context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA || 01645 context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA || 01646 context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK) 01647 { 01648 //Point to the server's key exchange parameters 01649 params = p; 01650 01651 //Parse server's key exchange parameters 01652 error = tlsParseServerKeyParams(context, p, length, ¶msLen); 01653 //Any error to report? 01654 if(error) 01655 return error; 01656 01657 //Point to the next field 01658 p += paramsLen; 01659 //Remaining bytes to process 01660 length -= paramsLen; 01661 } 01662 01663 //Non-anonymous Diffie-Hellman and ECDH key exchange method? 01664 if(context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA || 01665 context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS || 01666 context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA || 01667 context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA) 01668 { 01669 //For non-anonymous Diffie-Hellman and ECDH key exchanges, the signature 01670 //over the server's key exchange parameters shall be verified 01671 error = tlsVerifyServerKeySignature(context, p, length, params, paramsLen, &n); 01672 //Any error to report? 01673 if(error) 01674 return error; 01675 01676 //Point to the next field 01677 p += n; 01678 //Remaining bytes to process 01679 length -= n; 01680 } 01681 01682 //If the amount of data in the message does not precisely match the format 01683 //of the ServerKeyExchange message, then send a fatal alert 01684 if(length != 0) 01685 return ERROR_DECODING_FAILED; 01686 01687 //Anomynous server? 01688 if(context->keyExchMethod == TLS_KEY_EXCH_PSK || 01689 context->keyExchMethod == TLS_KEY_EXCH_DH_ANON || 01690 context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK || 01691 context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON || 01692 context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK) 01693 { 01694 //An anonymous server cannot request client authentication 01695 context->state = TLS_STATE_SERVER_HELLO_DONE; 01696 } 01697 else 01698 { 01699 //A non-anonymous server can optionally request a certificate from 01700 //the client, if appropriate for the selected cipher suite 01701 context->state = TLS_STATE_CERTIFICATE_REQUEST; 01702 } 01703 01704 //Successful processing 01705 return NO_ERROR; 01706 } 01707 01708 01709 /** 01710 * @brief Parse CertificateRequest message 01711 * 01712 * A server can optionally request a certificate from the client, if 01713 * appropriate for the selected cipher suite. This message will 01714 * immediately follow the ServerKeyExchange message 01715 * 01716 * @param[in] context Pointer to the TLS context 01717 * @param[in] message Incoming CertificateRequest message to parse 01718 * @param[in] length Message length 01719 * @return Error code 01720 **/ 01721 01722 error_t tlsParseCertificateRequest(TlsContext *context, const TlsCertificateRequest *message, size_t length) 01723 { 01724 uint_t i; 01725 size_t n; 01726 uint8_t *p; 01727 bool_t acceptable; 01728 TlsSignHashAlgos *supportedSignAlgos; 01729 TlsCertAuthorities *certAuthorities; 01730 01731 //Debug message 01732 TRACE_INFO("CertificateRequest message received (%" PRIuSIZE " bytes)...\r\n", length); 01733 TRACE_DEBUG_ARRAY(" ", message, length); 01734 01735 //Check the length of the ServerKeyExchange message 01736 if(length < sizeof(TlsCertificateRequest)) 01737 return ERROR_DECODING_FAILED; 01738 01739 //Check key exchange method 01740 if(context->keyExchMethod == TLS_KEY_EXCH_PSK || 01741 context->keyExchMethod == TLS_KEY_EXCH_DH_ANON || 01742 context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK || 01743 context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON || 01744 context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK) 01745 { 01746 //It is a fatal handshake failure alert for an anonymous 01747 //server to request client authentication 01748 return ERROR_HANDSHAKE_FAILED; 01749 } 01750 else if(context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK) 01751 { 01752 //If no PSK identity hint is provided by the server, the 01753 //ServerKeyExchange message is omitted... 01754 if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE && 01755 context->state != TLS_STATE_CERTIFICATE_REQUEST) 01756 { 01757 //Handshake failure 01758 return ERROR_UNEXPECTED_MESSAGE; 01759 } 01760 } 01761 else 01762 { 01763 //Check current state 01764 if(context->state != TLS_STATE_CERTIFICATE_REQUEST) 01765 return ERROR_UNEXPECTED_MESSAGE; 01766 } 01767 01768 //Update the hash value with the incoming handshake message 01769 tlsUpdateHandshakeHash(context, message, length); 01770 01771 //The server requests a certificate from the client, so that 01772 //the connection can be mutually authenticated 01773 context->clientCertRequested = TRUE; 01774 01775 //Point to the beginning of the message 01776 p = (uint8_t *) message; 01777 //Remaining bytes to process 01778 length -= sizeof(TlsCertificateRequest); 01779 01780 //Retrieve the size of the list of supported certificate types 01781 n = message->certificateTypesLength; 01782 //Make sure the length field is valid 01783 if(n > length) 01784 return ERROR_DECODING_FAILED; 01785 01786 //Point to the next field 01787 p += sizeof(TlsCertificateRequest) + n; 01788 //Remaining bytes to process 01789 length -= n; 01790 01791 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2) 01792 //TLS 1.2 currently selected? 01793 if(context->version == TLS_VERSION_1_2) 01794 { 01795 //Malformed CertificateRequest message? 01796 if(length < sizeof(TlsSignHashAlgos)) 01797 return ERROR_DECODING_FAILED; 01798 01799 //Point to the list of the hash/signature algorithm pairs that 01800 //the server is able to verify 01801 supportedSignAlgos = (TlsSignHashAlgos *) p; 01802 //Remaining bytes to process 01803 length -= sizeof(TlsSignHashAlgos); 01804 01805 //Get the size of the list 01806 n = ntohs(supportedSignAlgos->length); 01807 //Make sure the length field is valid 01808 if(n > length) 01809 return ERROR_DECODING_FAILED; 01810 01811 //Point to the next field 01812 p += sizeof(TlsSignHashAlgos) + n; 01813 //Remaining bytes to process 01814 length -= n; 01815 } 01816 //SSL 3.0, TLS 1.0 or TLS 1.1 currently selected? 01817 else 01818 #endif 01819 { 01820 //Implementations prior to TLS 1.2 do not include a 01821 //list of supported hash/signature algorithm pairs 01822 supportedSignAlgos = NULL; 01823 } 01824 01825 //Malformed CertificateRequest message? 01826 if(length < sizeof(TlsCertAuthorities)) 01827 return ERROR_DECODING_FAILED; 01828 01829 //Point to the list of the distinguished names of acceptable 01830 //certificate authorities 01831 certAuthorities = (TlsCertAuthorities *) p; 01832 //Remaining bytes to process 01833 length -= sizeof(TlsCertAuthorities); 01834 01835 //Get the size of the list 01836 n = ntohs(certAuthorities->length); 01837 //Make sure the length field is valid 01838 if(n > length) 01839 return ERROR_DECODING_FAILED; 01840 01841 //No suitable certificate has been found for the moment 01842 context->cert = NULL; 01843 01844 //Loop through the list of available certificates 01845 for(i = 0; i < context->numCerts; i++) 01846 { 01847 //Check whether the current certificate is suitable 01848 acceptable = tlsIsCertificateAcceptable(&context->certs[i], 01849 message->certificateTypes, message->certificateTypesLength, 01850 supportedSignAlgos, NULL, certAuthorities); 01851 01852 #if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2) 01853 //TLS 1.2 requires additional examinations 01854 if(acceptable && context->version == TLS_VERSION_1_2) 01855 { 01856 //The hash and signature algorithms used in the signature of the CertificateVerify 01857 //message must be one of those present in the SupportedSignatureAlgorithms field 01858 if(tlsSelectSignHashAlgo(context, context->certs[i].signAlgo, supportedSignAlgos)) 01859 acceptable = FALSE; 01860 } 01861 #endif 01862 01863 //If all the requirements were met, the certificate can be 01864 //used to authenticate the client 01865 if(acceptable) 01866 { 01867 context->cert = &context->certs[i]; 01868 break; 01869 } 01870 } 01871 01872 //Prepare to receive ServerHelloDone message... 01873 context->state = TLS_STATE_SERVER_HELLO_DONE; 01874 //Successful processing 01875 return NO_ERROR; 01876 } 01877 01878 01879 /** 01880 * @brief Parse ServerHelloDone message 01881 * 01882 * The ServerHelloDone message is sent by the server to indicate the 01883 * end of the ServerHello and associated messages. After sending this 01884 * message, the server will wait for a client response 01885 * 01886 * @param[in] context Pointer to the TLS context 01887 * @param[in] message Incoming ServerHelloDone message to parse 01888 * @param[in] length Message length 01889 * @return Error code 01890 **/ 01891 01892 error_t tlsParseServerHelloDone(TlsContext *context, const TlsServerHelloDone *message, size_t length) 01893 { 01894 //Debug message 01895 TRACE_INFO("ServerHelloDone message received (%" PRIuSIZE " bytes)...\r\n", length); 01896 TRACE_DEBUG_ARRAY(" ", message, length); 01897 01898 //Check the length of the ServerHelloDone message 01899 if(length != sizeof(TlsServerHelloDone)) 01900 return ERROR_DECODING_FAILED; 01901 01902 //Check key exchange method 01903 if(context->keyExchMethod == TLS_KEY_EXCH_RSA || 01904 context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA || 01905 context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS || 01906 context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA || 01907 context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA) 01908 { 01909 //The server may omit the CertificateRequest message and go 01910 //directly to the ServerHelloDone message 01911 if(context->state != TLS_STATE_CERTIFICATE_REQUEST && 01912 context->state != TLS_STATE_SERVER_HELLO_DONE) 01913 { 01914 //Handshake failure 01915 return ERROR_UNEXPECTED_MESSAGE; 01916 } 01917 } 01918 else if(context->keyExchMethod == TLS_KEY_EXCH_PSK) 01919 { 01920 //If no PSK identity hint is provided by the server, the 01921 //ServerKeyExchange message is omitted 01922 if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE && 01923 context->state != TLS_STATE_SERVER_HELLO_DONE) 01924 { 01925 //Handshake failure 01926 return ERROR_UNEXPECTED_MESSAGE; 01927 } 01928 } 01929 else if(context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK) 01930 { 01931 //The server may omit the ServerKeyExchange message and/or 01932 //the CertificateRequest message 01933 if(context->state != TLS_STATE_SERVER_KEY_EXCHANGE && 01934 context->state != TLS_STATE_CERTIFICATE_REQUEST && 01935 context->state != TLS_STATE_SERVER_HELLO_DONE) 01936 { 01937 //Handshake failure 01938 return ERROR_UNEXPECTED_MESSAGE; 01939 } 01940 } 01941 else 01942 { 01943 //Check current state 01944 if(context->state != TLS_STATE_SERVER_HELLO_DONE) 01945 return ERROR_UNEXPECTED_MESSAGE; 01946 } 01947 01948 //Update the hash value with the incoming handshake message 01949 tlsUpdateHandshakeHash(context, message, length); 01950 01951 //Prepare to send client Certificate message... 01952 context->state = TLS_STATE_CLIENT_CERTIFICATE; 01953 //Successful processing 01954 return NO_ERROR; 01955 } 01956 01957 #endif 01958
Generated on Tue Jul 12 2022 17:10:17 by
1.7.2