/*
 * TLS 1.2 and 1.3 client-side functions
 *
 * Copyright The Mbed TLS Contributors
 * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * This file is part of mbed TLS ( https://tls.mbed.org )
 */

#include "common.h"

#if defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) || defined(MBEDTLS_SSL_PROTO_TLS1_2)

#include <string.h>

#include "mbedtls/debug.h"
#include "mbedtls/error.h"
#include "mbedtls/platform.h"

#include "ssl_client.h"
#include "ssl_misc.h"
#include "ssl_tls13_keys.h"
#include "ssl_debug_helpers.h"

#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
/*
 * ssl_write_hostname_ext()
 *
 * Write the server_name (SNI) extension, RFC 6066 Section 3, into a
 * ClientHello being built at buf.
 *
 * ssl     - SSL context; ssl->hostname is the name advertised. When it is
 *           NULL the extension is omitted entirely and *olen is 0.
 * buf     - Start of the output area for this extension.
 * end     - One past the last writable byte of the output buffer.
 * olen    - Set to the number of bytes written (hostname_len + 9), or 0
 *           when nothing was written.
 *
 * Returns 0 on success (including the "no hostname" case). Every
 * MBEDTLS_SSL_CHK_BUF_PTR below returns early with the macro's
 * buffer-too-small error when the extension does not fit between p and end.
 *
 * Layout written (all lengths big-endian):
 *   extension_type (2) | extension_data_length (2) |
 *   server_name_list_length (2) | name_type (1) | host_name_length (2) |
 *   host_name (hostname_len)
 *
 * NOTE(review): the three 16-bit length fields are derived from
 * strlen(ssl->hostname) without a range check here; this relies on the
 * hostname having been bounded when it was configured (presumably
 * mbedtls_ssl_set_hostname(), MBEDTLS_SSL_MAX_HOST_NAME_LEN) — confirm
 * against the setter, as an unbounded name would wrap the length fields.
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl,
                                  unsigned char *buf,
                                  const unsigned char *end,
                                  size_t *olen)
{
    unsigned char *p = buf;
    size_t hostname_len;

    *olen = 0;

    /* No hostname configured: the extension is simply not sent. */
    if (ssl->hostname == NULL) {
        return 0;
    }

    MBEDTLS_SSL_DEBUG_MSG(3,
                          ("client hello, adding server name extension: %s",
                           ssl->hostname));

    hostname_len = strlen(ssl->hostname);

    /* Reserve the whole extension up front: 9 bytes of headers plus the
     * name, so none of the writes below needs an individual bound check. */
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, hostname_len + 9);

    /*
     * Sect. 3, RFC 6066 (TLS Extensions Definitions)
     *
     * In order to provide any of the server names, clients MAY include an
     * extension of type "server_name" in the (extended) client hello. The
     * "extension_data" field of this extension SHALL contain
     * "ServerNameList" where:
     *
     * struct {
     *     NameType name_type;
     *     select (name_type) {
     *         case host_name: HostName;
     *     } name;
     * } ServerName;
     *
     * enum {
     *     host_name(0), (255)
     * } NameType;
     *
     * opaque HostName<1..2^16-1>;
     *
     * struct {
     *     ServerName server_name_list<1..2^16-1>
     * } ServerNameList;
     *
     */
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SERVERNAME, p, 0);
    p += 2;

    /* extension_data_length: list length (2) + name_type (1) +
     * host_name length (2) + host_name */
    MBEDTLS_PUT_UINT16_BE(hostname_len + 5, p, 0);
    p += 2;

    /* server_name_list length: name_type (1) + host_name length (2) +
     * host_name */
    MBEDTLS_PUT_UINT16_BE(hostname_len + 3, p, 0);
    p += 2;

    *p++ = MBEDTLS_BYTE_0(MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME);

    MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
    p += 2;

    memcpy(p, ssl->hostname, hostname_len);

    *olen = hostname_len + 9;

#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    /* Record that SNI was sent so the TLS 1.3 code can validate that the
     * server only echoes extensions we offered. */
    mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SERVERNAME);
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
    return 0;
}
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */

#if defined(MBEDTLS_SSL_ALPN)
/*
 * ssl_write_alpn_ext()
 *
 * Write the application_layer_protocol_negotiation extension into a
 * ClientHello being built at buf, listing every protocol name in
 * ssl->conf->alpn_list in configuration order.
 *
 * ssl      - SSL context; ssl->conf->alpn_list is the NULL-terminated array
 *            of protocol names. When it is NULL the extension is omitted and
 *            *out_len is 0.
 * buf      - Start of the output area for this extension.
 * end      - One past the last writable byte of the output buffer.
 * out_len  - Set to the number of bytes written, or 0 when nothing was
 *            written.
 *
 * Returns 0 on success; MBEDTLS_SSL_CHK_BUF_PTR returns early with the
 * macro's buffer-too-small error when the output does not fit.
 *
 * Structure of the application_layer_protocol_negotiation extension in
 * ClientHello:
 *
 * opaque ProtocolName<1..2^8-1>;
 *
 * struct {
 *     ProtocolName protocol_name_list<2..2^16-1>
 * } ProtocolNameList;
 *
 * NOTE(review): an alpn_list that is non-NULL but empty (first entry NULL)
 * would produce a protocol_name_list of length 0, below the <2..2^16-1>
 * minimum above; whether the configuration setter rejects an empty list is
 * not visible here — confirm.
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
                              unsigned char *buf,
                              const unsigned char *end,
                              size_t *out_len)
{
    unsigned char *p = buf;

    *out_len = 0;

    /* No ALPN protocols configured: the extension is simply not sent. */
    if (ssl->conf->alpn_list == NULL) {
        return 0;
    }

    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding alpn extension"));

    /* Check we have enough space for the extension type (2 bytes), the
     * extension length (2 bytes) and the protocol_name_list length (2 bytes).
     */
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
    /* Skip writing extension and list length for now; both are only known
     * once the names have been written and are back-filled at buf+2/buf+4
     * below. */
    p += 6;

    /*
     * opaque ProtocolName<1..2^8-1>;
     *
     * struct {
     *     ProtocolName protocol_name_list<2..2^16-1>
     * } ProtocolNameList;
     */
    for (const char **cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
        /*
         * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
         * protocol names is less than 255.
         */
        size_t protocol_name_len = strlen(*cur);

        /* Each entry is bound-checked individually: one length byte plus
         * the name. The cast to unsigned char relies on the < 255 bound
         * established at configuration time (see comment above). */
        MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1 + protocol_name_len);
        *p++ = (unsigned char) protocol_name_len;
        memcpy(p, *cur, protocol_name_len);
        p += protocol_name_len;
    }

    *out_len = p - buf;

    /* List length = *out_len - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
    MBEDTLS_PUT_UINT16_BE(*out_len - 6, buf, 4);

    /* Extension length = *out_len - 2 (ext_type) - 2 (ext_len) */
    MBEDTLS_PUT_UINT16_BE(*out_len - 4, buf, 2);

#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    /* Record that ALPN was sent so unsolicited server echoes can be
     * rejected by the TLS 1.3 code. */
    mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
    return 0;
}
#endif /* MBEDTLS_SSL_ALPN */

#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/*
 * Function for writing a supported groups (TLS 1.3) or supported elliptic
 * curves (TLS 1.2) extension.
 *
 * The "extension_data" field of a supported groups extension contains a
 * "NamedGroupList" value (TLS 1.3 RFC8446):
 *      enum {
 *          secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
 *          x25519(0x001D), x448(0x001E),
 *          ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
 *          ffdhe6144(0x0103), ffdhe8192(0x0104),
 *          ffdhe_private_use(0x01FC..0x01FF),
 *          ecdhe_private_use(0xFE00..0xFEFF),
 *          (0xFFFF)
 *      } NamedGroup;
 *      struct {
 *          NamedGroup named_group_list<2..2^16-1>;
 *      } NamedGroupList;
 *
 * The "extension_data" field of a supported elliptic curves extension contains
 * a "NamedCurveList" value (TLS 1.2 RFC 8422):
 * enum {
 *      deprecated(1..22),
 *      secp256r1 (23), secp384r1 (24), secp521r1 (25),
 *      x25519(29), x448(30),
 *      reserved (0xFE00..0xFEFF),
 *      deprecated(0xFF01..0xFF02),
 *      (0xFFFF)
 *  } NamedCurve;
 * struct {
 *      NamedCurve named_curve_list<2..2^16-1>
 *  } NamedCurveList;
 *
 * The TLS 1.3 supported groups extension was defined to be a compatible
 * generalization of the TLS 1.2 supported elliptic curves extension. They both
 * share the same extension identifier.
 *
 * DHE groups are not supported yet.
 *
 * ssl      - SSL context; the configured group list is obtained via
 *            mbedtls_ssl_get_groups(ssl) and is 0-terminated.
 * buf      - Start of the output area for this extension.
 * end      - One past the last writable byte of the output buffer.
 * out_len  - Set to the number of bytes written on success; left at 0 on
 *            every error return.
 *
 * Returns 0 on success, MBEDTLS_ERR_SSL_BAD_CONFIG when no group list is
 * configured, MBEDTLS_ERR_SSL_INTERNAL_ERROR when none of the configured
 * groups is usable (the list would otherwise be empty, which the <2..2^16-1>
 * bound forbids), and the buffer-too-small error from
 * MBEDTLS_SSL_CHK_BUF_PTR when the output does not fit.
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
                                          unsigned char *buf,
                                          const unsigned char *end,
                                          size_t *out_len)
{
    unsigned char *p = buf;
    unsigned char *named_group_list; /* Start of named_group_list */
    size_t named_group_list_len; /* Length of named_group_list */
    const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);

    *out_len = 0;

    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported_groups extension"));

    /* Check if we have space for header and length fields:
     * - extension_type (2 bytes)
     * - extension_data_length (2 bytes)
     * - named_group_list_length (2 bytes)
     */
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
    /* The header fields are back-filled at buf+0/+2/+4 once the list
     * length is known. */
    p += 6;

    named_group_list = p;

    if (group_list == NULL) {
        return MBEDTLS_ERR_SSL_BAD_CONFIG;
    }

    for (; *group_list != 0; group_list++) {
        MBEDTLS_SSL_DEBUG_MSG(1, ("got supported group(%04x)", *group_list));

#if defined(MBEDTLS_ECP_C)
        /* A group is advertised only if it is an ECDHE group for at least
         * one protocol version that is enabled in the configuration ... */
        if ((mbedtls_ssl_conf_is_tls13_enabled(ssl->conf) &&
             mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) ||
            (mbedtls_ssl_conf_is_tls12_enabled(ssl->conf) &&
             mbedtls_ssl_tls12_named_group_is_ecdhe(*group_list))) {
            /* ... and the ECP layer actually knows the curve; otherwise it
             * is skipped silently rather than offered and then unusable. */
            if (mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) ==
                MBEDTLS_ECP_DP_NONE) {
                continue;
            }
            MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
            MBEDTLS_PUT_UINT16_BE(*group_list, p, 0);
            p += 2;
            MBEDTLS_SSL_DEBUG_MSG(3, ("NamedGroup: %s ( %x )",
                                      mbedtls_ssl_get_curve_name_from_tls_id(*group_list),
                                      *group_list));
        }
#endif /* MBEDTLS_ECP_C */
        /* Add DHE groups here */

    }

    /* Length of named_group_list */
    named_group_list_len = p - named_group_list;
    if (named_group_list_len == 0) {
        MBEDTLS_SSL_DEBUG_MSG(1, ("No group available."));
        return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
    }

    /* Write extension_type */
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_GROUPS, buf, 0);
    /* Write extension_data_length */
    MBEDTLS_PUT_UINT16_BE(named_group_list_len + 2, buf, 2);
    /* Write length of named_group_list */
    MBEDTLS_PUT_UINT16_BE(named_group_list_len, buf, 4);

    MBEDTLS_SSL_DEBUG_BUF(3, "Supported groups extension",
                          buf + 4, named_group_list_len + 2);

    *out_len = p - buf;

#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    mbedtls_ssl_tls13_set_hs_sent_ext_mask(
        ssl, MBEDTLS_TLS_EXT_SUPPORTED_GROUPS);
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */

    return 0;
}

#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */

/*
 * ssl_write_client_hello_cipher_suites()
 *
 * Write the cipher_suites vector of a ClientHello: a 2-byte length followed
 * by the 2-byte identifier of every configured suite that is valid for the
 * version range being proposed, followed (on an initial handshake only) by
 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
 *
 * ssl            - SSL context; ssl->conf->ciphersuite_list is the
 *                  0-terminated list of candidate suites, and
 *                  ssl->handshake->min_tls_version / ssl->tls_version bound
 *                  the versions a suite must be valid for.
 * buf            - Start of the output area for the vector.
 * end            - One past the last writable byte of the output buffer.
 * tls12_uses_ec  - Set to non-zero if any accepted suite uses elliptic-curve
 *                  key exchange or authentication (only computed when TLS 1.2
 *                  and an EC module are built in, otherwise stays 0). The
 *                  caller uses it to decide whether EC-related extensions are
 *                  needed.
 * out_len        - Set to the number of bytes written (length field plus
 *                  vector body).
 *
 * Returns 0 on success, or the buffer-too-small error from
 * MBEDTLS_SSL_CHK_BUF_PTR when the output does not fit.
 *
 * NOTE(review): ciphersuite_info is dereferenced (->name) after validation;
 * this relies on mbedtls_ssl_validate_ciphersuite() rejecting a NULL
 * ciphersuite_info for an unknown id — confirm. The length written at buf
 * is 16-bit; it is bounded by the output buffer, which is presumably far
 * below 64 KiB — confirm.
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_client_hello_cipher_suites(
    mbedtls_ssl_context *ssl,
    unsigned char *buf,
    unsigned char *end,
    int *tls12_uses_ec,
    size_t *out_len)
{
    unsigned char *p = buf;
    const int *ciphersuite_list;
    unsigned char *cipher_suites; /* Start of the cipher_suites list */
    size_t cipher_suites_len;

    *tls12_uses_ec = 0;
    *out_len = 0;

    /*
     * Ciphersuite list
     *
     * This is a list of the symmetric cipher options supported by
     * the client, specifically the record protection algorithm
     * ( including secret key length ) and a hash to be used with
     * HKDF, in descending order of client preference.
     */
    ciphersuite_list = ssl->conf->ciphersuite_list;

    /* Check there is space for the cipher suite list length (2 bytes). */
    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
    /* The length is back-filled at buf once the vector is complete. */
    p += 2;

    /* Write cipher_suites
     * CipherSuite cipher_suites<2..2^16-2>;
     */
    cipher_suites = p;
    for (size_t i = 0; ciphersuite_list[i] != 0; i++) {
        int cipher_suite = ciphersuite_list[i];
        const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

        ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);

        /* Skip suites that cannot be used with any version in the proposed
         * range, so the server is never offered something we cannot
         * complete. */
        if (mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
                                             ssl->handshake->min_tls_version,
                                             ssl->tls_version) != 0) {
            continue;
        }

#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
        (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
        defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED))
        *tls12_uses_ec |= mbedtls_ssl_ciphersuite_uses_ec(ciphersuite_info);
#endif

        MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, add ciphersuite: %04x, %s",
                                  (unsigned int) cipher_suite,
                                  ciphersuite_info->name));

        /* Check there is space for the cipher suite identifier (2 bytes). */
        MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
        MBEDTLS_PUT_UINT16_BE(cipher_suite, p, 0);
        p += 2;
    }

    /*
     * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
     *
     * The signalling suite advertises secure-renegotiation support
     * (RFC 5746) and is only appended on the initial handshake; on a
     * renegotiation the renegotiation_info extension carries that state
     * instead.
     */
    int renegotiating = 0;
#if defined(MBEDTLS_SSL_RENEGOTIATION)
    renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
#endif
    if (!renegotiating) {
        MBEDTLS_SSL_DEBUG_MSG(3, ("adding EMPTY_RENEGOTIATION_INFO_SCSV"));
        MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
        MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO, p, 0);
        p += 2;
    }

    /* Write the cipher_suites length in number of bytes */
    cipher_suites_len = p - cipher_suites;
    MBEDTLS_PUT_UINT16_BE(cipher_suites_len, buf, 0);
    MBEDTLS_SSL_DEBUG_MSG(3,
                          ("client hello, got %" MBEDTLS_PRINTF_SIZET " cipher suites",
                           cipher_suites_len/2));

    /* Output the total length of cipher_suites field. */
    *out_len = p - buf;

    return 0;
}

/*
 * Structure of the TLS 1.3 ClientHello message:
 *
 *     struct {
 *         ProtocolVersion legacy_version = 0x0303;    // TLS v1.2
 *         Random random;
 *         opaque legacy_session_id<0..32>;
 *         CipherSuite cipher_suites<2..2^16-2>;
 *         opaque legacy_compression_methods<1..2^8-1>;
 *         Extension extensions<8..2^16-1>;
 *     } ClientHello;
 *
 * Structure of the (D)TLS 1.2 ClientHello message:
 *
 *   struct {
 *       ProtocolVersion client_version;
 *       Random random;
 *       SessionID session_id;
 *       opaque cookie<0..2^8-1>; // DTLS 1.2 ONLY
 *       CipherSuite cipher_suites<2..2^16-2>;
 *       CompressionMethod compression_methods<1..2^8-1>;
 *       select (extensions_present) {
 *           case false:
 *               struct {};
 *           case true:
 *               Extension extensions<0..2^16-1>;
 *       };
 *   } ClientHello;
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
                                       unsigned char *buf,
                                       unsigned char *end,
                                       size_t *out_len,
434*32b31808SJens Wiklander size_t *binders_len) 435*32b31808SJens Wiklander { 436*32b31808SJens Wiklander int ret; 437*32b31808SJens Wiklander mbedtls_ssl_handshake_params *handshake = ssl->handshake; 438*32b31808SJens Wiklander unsigned char *p = buf; 439*32b31808SJens Wiklander unsigned char *p_extensions_len; /* Pointer to extensions length */ 440*32b31808SJens Wiklander size_t output_len; /* Length of buffer used by function */ 441*32b31808SJens Wiklander size_t extensions_len; /* Length of the list of extensions*/ 442*32b31808SJens Wiklander int tls12_uses_ec = 0; 443*32b31808SJens Wiklander 444*32b31808SJens Wiklander *out_len = 0; 445*32b31808SJens Wiklander *binders_len = 0; 446*32b31808SJens Wiklander 447*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 448*32b31808SJens Wiklander unsigned char propose_tls12 = 449*32b31808SJens Wiklander (handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) 450*32b31808SJens Wiklander && 451*32b31808SJens Wiklander (MBEDTLS_SSL_VERSION_TLS1_2 <= ssl->tls_version); 452*32b31808SJens Wiklander #endif 453*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 454*32b31808SJens Wiklander unsigned char propose_tls13 = 455*32b31808SJens Wiklander (handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3) 456*32b31808SJens Wiklander && 457*32b31808SJens Wiklander (MBEDTLS_SSL_VERSION_TLS1_3 <= ssl->tls_version); 458*32b31808SJens Wiklander #endif 459*32b31808SJens Wiklander 460*32b31808SJens Wiklander /* 461*32b31808SJens Wiklander * Write client_version (TLS 1.2) or legacy_version (TLS 1.3) 462*32b31808SJens Wiklander * 463*32b31808SJens Wiklander * In all cases this is the TLS 1.2 version. 
464*32b31808SJens Wiklander */ 465*32b31808SJens Wiklander MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); 466*32b31808SJens Wiklander mbedtls_ssl_write_version(p, ssl->conf->transport, 467*32b31808SJens Wiklander MBEDTLS_SSL_VERSION_TLS1_2); 468*32b31808SJens Wiklander p += 2; 469*32b31808SJens Wiklander 470*32b31808SJens Wiklander /* ... 471*32b31808SJens Wiklander * Random random; 472*32b31808SJens Wiklander * ... 473*32b31808SJens Wiklander * 474*32b31808SJens Wiklander * The random bytes have been prepared by ssl_prepare_client_hello() into 475*32b31808SJens Wiklander * the handshake->randbytes buffer and are copied here into the output 476*32b31808SJens Wiklander * buffer. 477*32b31808SJens Wiklander */ 478*32b31808SJens Wiklander MBEDTLS_SSL_CHK_BUF_PTR(p, end, MBEDTLS_CLIENT_HELLO_RANDOM_LEN); 479*32b31808SJens Wiklander memcpy(p, handshake->randbytes, MBEDTLS_CLIENT_HELLO_RANDOM_LEN); 480*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", 481*32b31808SJens Wiklander p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN); 482*32b31808SJens Wiklander p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN; 483*32b31808SJens Wiklander 484*32b31808SJens Wiklander /* TLS 1.2: 485*32b31808SJens Wiklander * ... 486*32b31808SJens Wiklander * SessionID session_id; 487*32b31808SJens Wiklander * ... 488*32b31808SJens Wiklander * with 489*32b31808SJens Wiklander * opaque SessionID<0..32>; 490*32b31808SJens Wiklander * 491*32b31808SJens Wiklander * TLS 1.3: 492*32b31808SJens Wiklander * ... 493*32b31808SJens Wiklander * opaque legacy_session_id<0..32>; 494*32b31808SJens Wiklander * ... 495*32b31808SJens Wiklander * 496*32b31808SJens Wiklander * The (legacy) session identifier bytes have been prepared by 497*32b31808SJens Wiklander * ssl_prepare_client_hello() into the ssl->session_negotiate->id buffer 498*32b31808SJens Wiklander * and are copied here into the output buffer. 
499*32b31808SJens Wiklander */ 500*32b31808SJens Wiklander MBEDTLS_SSL_CHK_BUF_PTR(p, end, ssl->session_negotiate->id_len + 1); 501*32b31808SJens Wiklander *p++ = (unsigned char) ssl->session_negotiate->id_len; 502*32b31808SJens Wiklander memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len); 503*32b31808SJens Wiklander p += ssl->session_negotiate->id_len; 504*32b31808SJens Wiklander 505*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id, 506*32b31808SJens Wiklander ssl->session_negotiate->id_len); 507*32b31808SJens Wiklander 508*32b31808SJens Wiklander /* DTLS 1.2 ONLY 509*32b31808SJens Wiklander * ... 510*32b31808SJens Wiklander * opaque cookie<0..2^8-1>; 511*32b31808SJens Wiklander * ... 512*32b31808SJens Wiklander */ 513*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_DTLS) 514*32b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 515*32b31808SJens Wiklander #if !defined(MBEDTLS_SSL_PROTO_TLS1_3) 516*32b31808SJens Wiklander uint8_t cookie_len = 0; 517*32b31808SJens Wiklander #else 518*32b31808SJens Wiklander uint16_t cookie_len = 0; 519*32b31808SJens Wiklander #endif /* !MBEDTLS_SSL_PROTO_TLS1_3 */ 520*32b31808SJens Wiklander 521*32b31808SJens Wiklander if (handshake->cookie != NULL) { 522*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie", 523*32b31808SJens Wiklander handshake->cookie, 524*32b31808SJens Wiklander handshake->cookie_len); 525*32b31808SJens Wiklander cookie_len = handshake->cookie_len; 526*32b31808SJens Wiklander } 527*32b31808SJens Wiklander 528*32b31808SJens Wiklander MBEDTLS_SSL_CHK_BUF_PTR(p, end, cookie_len + 1); 529*32b31808SJens Wiklander *p++ = (unsigned char) cookie_len; 530*32b31808SJens Wiklander if (cookie_len > 0) { 531*32b31808SJens Wiklander memcpy(p, handshake->cookie, cookie_len); 532*32b31808SJens Wiklander p += cookie_len; 533*32b31808SJens Wiklander } 534*32b31808SJens Wiklander 
} 535*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */ 536*32b31808SJens Wiklander 537*32b31808SJens Wiklander /* Write cipher_suites */ 538*32b31808SJens Wiklander ret = ssl_write_client_hello_cipher_suites(ssl, p, end, 539*32b31808SJens Wiklander &tls12_uses_ec, 540*32b31808SJens Wiklander &output_len); 541*32b31808SJens Wiklander if (ret != 0) { 542*32b31808SJens Wiklander return ret; 543*32b31808SJens Wiklander } 544*32b31808SJens Wiklander p += output_len; 545*32b31808SJens Wiklander 546*32b31808SJens Wiklander /* Write legacy_compression_methods (TLS 1.3) or 547*32b31808SJens Wiklander * compression_methods (TLS 1.2) 548*32b31808SJens Wiklander * 549*32b31808SJens Wiklander * For every TLS 1.3 ClientHello, this vector MUST contain exactly 550*32b31808SJens Wiklander * one byte set to zero, which corresponds to the 'null' compression 551*32b31808SJens Wiklander * method in prior versions of TLS. 552*32b31808SJens Wiklander * 553*32b31808SJens Wiklander * For TLS 1.2 ClientHello, for security reasons we do not support 554*32b31808SJens Wiklander * compression anymore, thus also just the 'null' compression method. 
555*32b31808SJens Wiklander */ 556*32b31808SJens Wiklander MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); 557*32b31808SJens Wiklander *p++ = 1; 558*32b31808SJens Wiklander *p++ = MBEDTLS_SSL_COMPRESS_NULL; 559*32b31808SJens Wiklander 560*32b31808SJens Wiklander /* Write extensions */ 561*32b31808SJens Wiklander 562*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 563*32b31808SJens Wiklander /* Keeping track of the included extensions */ 564*32b31808SJens Wiklander handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE; 565*32b31808SJens Wiklander #endif 566*32b31808SJens Wiklander 567*32b31808SJens Wiklander /* First write extensions, then the total length */ 568*32b31808SJens Wiklander MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); 569*32b31808SJens Wiklander p_extensions_len = p; 570*32b31808SJens Wiklander p += 2; 571*32b31808SJens Wiklander 572*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 573*32b31808SJens Wiklander /* Write server name extension */ 574*32b31808SJens Wiklander ret = ssl_write_hostname_ext(ssl, p, end, &output_len); 575*32b31808SJens Wiklander if (ret != 0) { 576*32b31808SJens Wiklander return ret; 577*32b31808SJens Wiklander } 578*32b31808SJens Wiklander p += output_len; 579*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 580*32b31808SJens Wiklander 581*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ALPN) 582*32b31808SJens Wiklander ret = ssl_write_alpn_ext(ssl, p, end, &output_len); 583*32b31808SJens Wiklander if (ret != 0) { 584*32b31808SJens Wiklander return ret; 585*32b31808SJens Wiklander } 586*32b31808SJens Wiklander p += output_len; 587*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_ALPN */ 588*32b31808SJens Wiklander 589*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 590*32b31808SJens Wiklander if (propose_tls13) { 591*32b31808SJens Wiklander ret = mbedtls_ssl_tls13_write_client_hello_exts(ssl, p, end, 592*32b31808SJens Wiklander &output_len); 593*32b31808SJens Wiklander if (ret 
!= 0) { 594*32b31808SJens Wiklander return ret; 595*32b31808SJens Wiklander } 596*32b31808SJens Wiklander p += output_len; 597*32b31808SJens Wiklander } 598*32b31808SJens Wiklander #endif 599*32b31808SJens Wiklander 600*32b31808SJens Wiklander #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 601*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 602*32b31808SJens Wiklander if ( 603*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 604*32b31808SJens Wiklander (propose_tls13 && 605*32b31808SJens Wiklander mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) || 606*32b31808SJens Wiklander #endif 607*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 608*32b31808SJens Wiklander (propose_tls12 && tls12_uses_ec) || 609*32b31808SJens Wiklander #endif 610*32b31808SJens Wiklander 0) { 611*32b31808SJens Wiklander ret = ssl_write_supported_groups_ext(ssl, p, end, &output_len); 612*32b31808SJens Wiklander if (ret != 0) { 613*32b31808SJens Wiklander return ret; 614*32b31808SJens Wiklander } 615*32b31808SJens Wiklander p += output_len; 616*32b31808SJens Wiklander } 617*32b31808SJens Wiklander #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 618*32b31808SJens Wiklander 619*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 620*32b31808SJens Wiklander if ( 621*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 622*32b31808SJens Wiklander (propose_tls13 && mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl)) || 623*32b31808SJens Wiklander #endif 624*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 625*32b31808SJens Wiklander propose_tls12 || 626*32b31808SJens Wiklander #endif 627*32b31808SJens Wiklander 0) { 628*32b31808SJens Wiklander ret = mbedtls_ssl_write_sig_alg_ext(ssl, p, end, &output_len); 629*32b31808SJens Wiklander if (ret != 0) { 630*32b31808SJens Wiklander return ret; 631*32b31808SJens Wiklander } 632*32b31808SJens Wiklander p += 
output_len; 633*32b31808SJens Wiklander } 634*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 635*32b31808SJens Wiklander 636*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 637*32b31808SJens Wiklander if (propose_tls12) { 638*32b31808SJens Wiklander ret = mbedtls_ssl_tls12_write_client_hello_exts(ssl, p, end, 639*32b31808SJens Wiklander tls12_uses_ec, 640*32b31808SJens Wiklander &output_len); 641*32b31808SJens Wiklander if (ret != 0) { 642*32b31808SJens Wiklander return ret; 643*32b31808SJens Wiklander } 644*32b31808SJens Wiklander p += output_len; 645*32b31808SJens Wiklander } 646*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 647*32b31808SJens Wiklander 648*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 649*32b31808SJens Wiklander /* The "pre_shared_key" extension (RFC 8446 Section 4.2.11) 650*32b31808SJens Wiklander * MUST be the last extension in the ClientHello. 651*32b31808SJens Wiklander */ 652*32b31808SJens Wiklander if (propose_tls13 && mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) { 653*32b31808SJens Wiklander ret = mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( 654*32b31808SJens Wiklander ssl, p, end, &output_len, binders_len); 655*32b31808SJens Wiklander if (ret != 0) { 656*32b31808SJens Wiklander return ret; 657*32b31808SJens Wiklander } 658*32b31808SJens Wiklander p += output_len; 659*32b31808SJens Wiklander } 660*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 661*32b31808SJens Wiklander 662*32b31808SJens Wiklander /* Write the length of the list of extensions. 
*/
    extensions_len = p - p_extensions_len - 2;

    if (extensions_len == 0) {
        /* Nothing was written: drop the two length bytes reserved above
         * instead of emitting an empty extensions vector. */
        p = p_extensions_len;
    } else {
        MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0);
        MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, total extension length: %" \
                                  MBEDTLS_PRINTF_SIZET, extensions_len));
        MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions",
                              p_extensions_len, extensions_len);
    }

#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    MBEDTLS_SSL_PRINT_EXTS(
        3, MBEDTLS_SSL_HS_CLIENT_HELLO, handshake->sent_extensions);
#endif

    *out_len = p - buf;
    return 0;
}

/*
 * Fill ssl->handshake->randbytes with the ClientHello Random
 * (MBEDTLS_CLIENT_HELLO_RANDOM_LEN bytes).
 *
 * TLS 1.2 with MBEDTLS_HAVE_TIME: the first 4 bytes are the current time as
 * a big-endian uint32 (RFC 5246 layout), so the client's wall clock is
 * visible on the wire in clear; the remaining bytes come from the RNG.
 * Without MBEDTLS_HAVE_TIME, and for TLS 1.3, all bytes come from the RNG.
 *
 * The caller must have checked ssl->conf->f_rng != NULL
 * (ssl_prepare_client_hello() does so before calling this).
 *
 * \return 0 on success, or the error returned by ssl->conf->f_rng.
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_generate_random(mbedtls_ssl_context *ssl)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    unsigned char *randbytes = ssl->handshake->randbytes;
    /* Number of leading bytes already filled with the timestamp; the RNG
     * fills whatever follows. */
    size_t gmt_unix_time_len = 0;

    /*
     * Generate the random bytes
     *
     * TLS 1.2 case:
     * struct {
     *     uint32 gmt_unix_time;
     *     opaque random_bytes[28];
     * } Random;
     *
     * TLS 1.3 case:
     * opaque Random[32];
     */
    if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
#if defined(MBEDTLS_HAVE_TIME)
        mbedtls_time_t gmt_unix_time = mbedtls_time(NULL);
        /* Only the low 32 bits of the time fit the wire format. */
        MBEDTLS_PUT_UINT32_BE(gmt_unix_time, randbytes, 0);
        gmt_unix_time_len = 4;

        MBEDTLS_SSL_DEBUG_MSG(3,
                              ("client hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
                               (long long) gmt_unix_time));
#endif /* MBEDTLS_HAVE_TIME */
    }

    ret = ssl->conf->f_rng(ssl->conf->p_rng,
                           randbytes + gmt_unix_time_len,
                           MBEDTLS_CLIENT_HELLO_RANDOM_LEN - gmt_unix_time_len);
    return ret;
}

/*
 * Set up the handshake state needed before the ClientHello can be written:
 * drop an expired TLS 1.3 ticket, check that an RNG is configured, pick the
 * version range to propose, generate the Random, choose the (legacy) session
 * id, and bind a TLS 1.3 ticket to the server name it was issued for.
 *
 * \return 0 on success; MBEDTLS_ERR_SSL_INTERNAL_ERROR if no session is
 *         being negotiated; MBEDTLS_ERR_SSL_NO_RNG if ssl->conf->f_rng is
 *         NULL; MBEDTLS_ERR_SSL_BAD_INPUT_DATA if a TLS 1.3 ticket is offered
 *         for a different hostname; otherwise an RNG or
 *         mbedtls_ssl_session_set_hostname() error.
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
{
    int ret;
    size_t session_id_len;
    mbedtls_ssl_session *session_negotiate = ssl->session_negotiate;

    if (session_negotiate == NULL) {
        return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
    }

#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
    defined(MBEDTLS_SSL_SESSION_TICKETS) && \
    defined(MBEDTLS_HAVE_TIME)

    /* Check if a tls13 ticket has been configured. */
    if (ssl->handshake->resume != 0 &&
        session_negotiate->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
        session_negotiate->ticket != NULL) {
        mbedtls_time_t now = mbedtls_time(NULL);
        uint64_t age = (uint64_t) (now - session_negotiate->ticket_received);
        /* A ticket received "in the future" (clock went backwards) is
         * treated like an expired one: the cast above would otherwise wrap. */
        if (session_negotiate->ticket_received > now ||
            age > session_negotiate->ticket_lifetime) {
            /* Without valid ticket, disable session resumption.*/
            MBEDTLS_SSL_DEBUG_MSG(
                3, ("Ticket expired, disable session resumption"));
            ssl->handshake->resume = 0;
        }
    }
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
          MBEDTLS_SSL_SESSION_TICKETS &&
          MBEDTLS_HAVE_TIME */

    /* Everything below that draws randomness relies on this check. */
    if (ssl->conf->f_rng == NULL) {
        MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
        return MBEDTLS_ERR_SSL_NO_RNG;
    }

    /* Bet on the highest configured version if we are not in a TLS 1.2
     * renegotiation or session resumption.
     */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
    if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
        /* Renegotiation keeps the version already in use. */
        ssl->handshake->min_tls_version = ssl->tls_version;
    } else
#endif
    {
        if (ssl->handshake->resume) {
            /* Resumption is pinned to the version the session was made with. */
            ssl->tls_version = session_negotiate->tls_version;
            ssl->handshake->min_tls_version = ssl->tls_version;
        } else {
            ssl->tls_version = ssl->conf->max_tls_version;
            ssl->handshake->min_tls_version = ssl->conf->min_tls_version;
        }
    }

    /*
     * Generate the random bytes, except when responding to a verify request
     * where we MUST reuse the previously generated random bytes
     * (RFC 6347 4.2.1).
     */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
    if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
        (ssl->handshake->cookie == NULL))
#endif
    {
        ret = ssl_generate_random(ssl);
        if (ret != 0) {
            MBEDTLS_SSL_DEBUG_RET(1, "Random bytes generation failed", ret);
            return ret;
        }
    }

    /*
     * Prepare session identifier. At that point, the length of the session
     * identifier in the SSL context `ssl->session_negotiate->id_len` is equal
     * to zero, except in the case of a TLS 1.2 session renegotiation or
     * session resumption.
     */
    session_id_len = session_negotiate->id_len;

#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
        /* Only offer a cached id when actually resuming an initial
         * handshake and the id has a plausible length. */
        if (session_id_len < 16 || session_id_len > 32 ||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
            ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
#endif
            ssl->handshake->resume == 0) {
            session_id_len = 0;
        }

#if defined(MBEDTLS_SSL_SESSION_TICKETS)
        /*
         * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
         * generate and include a Session ID in the TLS ClientHello."
         */
        int renegotiating = 0;
#if defined(MBEDTLS_SSL_RENEGOTIATION)
        if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
            renegotiating = 1;
        }
#endif
        if (!renegotiating) {
            if ((session_negotiate->ticket != NULL) &&
                (session_negotiate->ticket_len != 0)) {
                session_id_len = 32;
            }
        }
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
    }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
    if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
        /*
         * Create a legacy session identifier for the purpose of middlebox
         * compatibility only if one has not been created already, which is
         * the case if we are here for the TLS 1.3 second ClientHello.
         *
         * Versions of TLS before TLS 1.3 supported a "session resumption"
         * feature which has been merged with pre-shared keys in TLS 1.3
         * version. A client which has a cached session ID set by a pre-TLS 1.3
         * server SHOULD set this field to that value. In compatibility mode,
         * this field MUST be non-empty, so a client not offering a pre-TLS 1.3
         * session MUST generate a new 32-byte value. This value need not be
         * random but SHOULD be unpredictable to avoid implementations fixating
         * on a specific value (also known as ossification). Otherwise, it MUST
         * be set as a zero-length vector ( i.e., a zero-valued single byte
         * length field ).
         */
        session_id_len = 32;
    }
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

    /* Only (re)generate the id when its length changed; an id of the same
     * length already present (e.g. second ClientHello) is kept as is. */
    if (session_id_len != session_negotiate->id_len) {
        session_negotiate->id_len = session_id_len;
        if (session_id_len > 0) {
            ret = ssl->conf->f_rng(ssl->conf->p_rng,
                                   session_negotiate->id,
                                   session_id_len);
            if (ret != 0) {
                MBEDTLS_SSL_DEBUG_RET(1, "creating session id failed", ret);
                return ret;
            }
        }
    }

#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
    defined(MBEDTLS_SSL_SESSION_TICKETS) && \
    defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
    if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
        ssl->handshake->resume) {
        /* A TLS 1.3 ticket is only offered to the server name it was issued
         * for: a name on exactly one side, or two different names, is a
         * mismatch; two NULL names match. */
        int hostname_mismatch = ssl->hostname != NULL ||
                                session_negotiate->hostname != NULL;
        if (ssl->hostname != NULL && session_negotiate->hostname != NULL) {
            hostname_mismatch = strcmp(
                ssl->hostname, session_negotiate->hostname) != 0;
        }

        if (hostname_mismatch) {
            /* NOTE(review): despite the message text this does not fall back
             * to a full handshake; it fails with BAD_INPUT_DATA. */
            MBEDTLS_SSL_DEBUG_MSG(
                1, ("Hostname mismatch the session ticket, "
                    "disable session resumption."));
            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
        }
    } else {
        /* Not resuming over TLS 1.3: record the configured hostname on the
         * session being negotiated (presumably so that a ticket obtained in
         * this handshake carries it). Its result is the function result. */
        return mbedtls_ssl_session_set_hostname(session_negotiate,
                                                ssl->hostname);
    }
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
          MBEDTLS_SSL_SESSION_TICKETS &&
          MBEDTLS_SSL_SERVER_NAME_INDICATION */

    return 0;
}

/*
 * Write ClientHello handshake message.
 * Handler for MBEDTLS_SSL_CLIENT_HELLO
 *
 * Prepares the handshake state, writes the ClientHello body into the
 * outgoing handshake message, feeds it into the transcript checksum
 * (TLS path) and advances the state to MBEDTLS_SSL_SERVER_HELLO. On DTLS
 * the message is handed to the flight machinery instead and may return
 * MBEDTLS_ERR_SSL_WANT_READ to be retried.
 *
 * \return 0 on success, otherwise the error of the first failing step
 *         (ret is set by the failing call; MBEDTLS_SSL_PROC_CHK presumably
 *         jumps to cleanup on failure).
 */
int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl)
{
    int ret = 0;
    unsigned char *buf;
    /* binders_len: size of the trailing PSK binders written by the body,
     * which are hashed separately below. */
    size_t buf_len, msg_len, binders_len;

    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client hello"));

    MBEDTLS_SSL_PROC_CHK(ssl_prepare_client_hello(ssl));

    MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
                             ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
                             &buf, &buf_len));

    MBEDTLS_SSL_PROC_CHK(ssl_write_client_hello_body(ssl, buf,
                                                     buf + buf_len,
                                                     &msg_len,
                                                     &binders_len));

#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_DTLS)
    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
        /* + 4: the handshake header preceding the body in the buffer. */
        ssl->out_msglen = msg_len + 4;
        mbedtls_ssl_send_flight_completed(ssl);

        /*
         * The two functions below may try to send data on the network and
         * can return with the MBEDTLS_ERR_SSL_WANT_READ error code when they
         * fail to do so and the transmission has to be retried later. In that
         * case as in fatal error cases, we return immediately. But we must have
         * set the handshake state to the next state at that point to ensure
         * that we will not write and send again a ClientHello when we
         * eventually succeed in sending the pending data.
         */
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);

        if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
            return ret;
        }

        if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
            return ret;
        }
    } else
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */
    {

        ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
                                                 MBEDTLS_SSL_HS_CLIENT_HELLO,
                                                 msg_len);
        if (ret != 0) {
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_add_hs_hdr_to_checksum", ret);
            return ret;
        }
        /* Hash everything up to (not including) the PSK binders first: the
         * binders are computed over that partial transcript
         * (RFC 8446 Section 4.2.11.2), so they cannot be hashed before
         * they are written. */
        ret = ssl->handshake->update_checksum(ssl, buf, msg_len - binders_len);
        if (ret != 0) {
            MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
            return ret;
        }
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
        if (binders_len > 0) {
            MBEDTLS_SSL_PROC_CHK(
                mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
                    ssl, buf + msg_len - binders_len, buf + msg_len));
            /* Now that the binders are in place, add them to the transcript. */
            ret = ssl->handshake->update_checksum(ssl, buf + msg_len - binders_len,
                                                  binders_len);
            if (ret != 0) {
                MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
                return ret;
            }
        }
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */

        MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl,
                                                              buf_len,
                                                              msg_len));

        /*
         * Set next state. Note that if TLS 1.3 is proposed, this may be
         * overwritten by mbedtls_ssl_tls13_finalize_client_hello().
         */
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);

#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
        /* TLS 1.3 is proposed when it lies within [min_tls_version, tls_version]. */
        if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
            MBEDTLS_SSL_VERSION_TLS1_3 <= ssl->tls_version) {
            ret = mbedtls_ssl_tls13_finalize_client_hello(ssl);
        }
#endif
    }

cleanup:

    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client hello"));
    return ret;
}

#endif /* MBEDTLS_SSL_PROTO_TLS1_3 || MBEDTLS_SSL_PROTO_TLS1_2 */
#endif /* MBEDTLS_SSL_CLI_C */