TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 7320e6436b25ef69583b97bd3a57bdaa6c64f7a5 / . / library / ssl_client.c
blob: 9a65b57a6f47dbe42078ccf90f1ac78ff89a37b2 [file] [log] [blame]
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]1/*
2 * TLS 1.2 and 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS ( https://tls.mbed.org )
20 */
21
22#include "common.h"
23
24#if defined(MBEDTLS_SSL_CLI_C)
25#if defined(MBEDTLS_SSL_PROTO_TLS1_3) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
26
Ronald Cron58b80382022-02-18 18:41:08 +0100[diff] [blame]27#if defined(MBEDTLS_PLATFORM_C)
28#include "mbedtls/platform.h"
29#else
30#include <stdlib.h>
31#define mbedtls_calloc calloc
32#define mbedtls_free free
33#endif
34
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]35#include <string.h>
36
37#include "mbedtls/debug.h"
38#include "mbedtls/error.h"
Ronald Cron58b80382022-02-18 18:41:08 +0100[diff] [blame]39#if defined(MBEDTLS_HAVE_TIME)
40#include "mbedtls/platform_time.h"
41#endif
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]42
43#include "ssl_client.h"
44#include "ssl_misc.h"
45#include "ecdh_misc.h"
46#include "ssl_tls13_keys.h"
47#include "ssl_debug_helpers.h"
48
49#if defined(MBEDTLS_SSL_ALPN)
50/*
Ronald Cron71c23322022-02-18 17:29:39 +0100[diff] [blame]51 * ssl_write_alpn_ext()
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]52 *
53 * Structure of the application_layer_protocol_negotiation extension in
54 * ClientHello:
55 *
56 * opaque ProtocolName<1..2^8-1>;
57 *
58 * struct {
59 * ProtocolName protocol_name_list<2..2^16-1>
60 * } ProtocolNameList;
61 *
62 */
Ronald Cron71c23322022-02-18 17:29:39 +0100[diff] [blame]63static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
64 unsigned char *buf,
65 const unsigned char *end,
66 size_t *out_len )
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]67{
68 unsigned char *p = buf;
69
70 *out_len = 0;
71
72 if( ssl->conf->alpn_list == NULL )
73 return( 0 );
74
75 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
76
77
78 /* Check we have enough space for the extension type (2 bytes), the
79 * extension length (2 bytes) and the protocol_name_list length (2 bytes).
80 */
81 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
82 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ALPN, p, 0 );
83 /* Skip writing extension and list length for now */
84 p += 6;
85
86 /*
87 * opaque ProtocolName<1..2^8-1>;
88 *
89 * struct {
90 * ProtocolName protocol_name_list<2..2^16-1>
91 * } ProtocolNameList;
92 */
93 for( const char **cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
94 {
95 /*
96 * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
97 * protocol names is less than 255.
98 */
99 size_t protocol_name_len = strlen( *cur );
100
101 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 + protocol_name_len );
102 *p++ = (unsigned char)protocol_name_len;
103 memcpy( p, *cur, protocol_name_len );
104 p += protocol_name_len;
105 }
106
107 *out_len = p - buf;
108
109 /* List length = *out_len - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
110 MBEDTLS_PUT_UINT16_BE( *out_len - 6, buf, 4 );
111
112 /* Extension length = *out_len - 2 (ext_type) - 2 (ext_len) */
113 MBEDTLS_PUT_UINT16_BE( *out_len - 4, buf, 2 );
114
115 return( 0 );
116}
117#endif /* MBEDTLS_SSL_ALPN */
118
119/* Write cipher_suites
120 * CipherSuite cipher_suites<2..2^16-2>;
121 */
Ronald Crond491c2d2022-02-19 18:30:46 +0100[diff] [blame]122/**
123 * \brief Validate cipher suite against config in SSL context.
124 *
125 * \param ssl SSL context
126 * \param suite_info Cipher suite to validate
127 *
128 * \return 0 if valid, else 1
129 */
130static int ssl_validate_ciphersuite(
131 const mbedtls_ssl_context *ssl,
132 const mbedtls_ssl_ciphersuite_t *suite_info )
133{
134 if( suite_info == NULL )
135 return( 1 );
136
137 if( ( suite_info->min_minor_ver > ssl->conf->max_minor_ver ) ||
138 ( suite_info->max_minor_ver < ssl->conf->min_minor_ver ) )
139 return( 1 );
140
141#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
142#if defined(MBEDTLS_SSL_PROTO_DTLS)
143 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
144 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
145 return( 1 );
146#endif
147
148#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
149 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
150 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
151 return( 1 );
152#endif
153
154 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
155#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
156 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
157 mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 )
158 {
159 return( 1 );
160 }
161#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
162#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
163
164 return( 0 );
165}
166
Ronald Cron71c23322022-02-18 17:29:39 +0100[diff] [blame]167static int ssl_write_client_hello_cipher_suites(
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]168 mbedtls_ssl_context *ssl,
169 unsigned char *buf,
170 unsigned char *end,
Ronald Crond491c2d2022-02-19 18:30:46 +0100[diff] [blame]171 int *tls12_uses_ec,
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]172 size_t *out_len )
173{
174 unsigned char *p = buf;
175 const int *ciphersuite_list;
176 unsigned char *cipher_suites; /* Start of the cipher_suites list */
177 size_t cipher_suites_len;
178
Ronald Crond491c2d2022-02-19 18:30:46 +0100[diff] [blame]179 *tls12_uses_ec = 0;
180 *out_len = 0;
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]181
182 /*
183 * Ciphersuite list
184 *
185 * This is a list of the symmetric cipher options supported by
186 * the client, specifically the record protection algorithm
187 * ( including secret key length ) and a hash to be used with
188 * HKDF, in descending order of client preference.
189 */
190 ciphersuite_list = ssl->conf->ciphersuite_list;
191
192 /* Check there is space for the cipher suite list length (2 bytes). */
193 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
194 p += 2;
195
196 /* Write cipher_suites */
197 cipher_suites = p;
198 for ( size_t i = 0; ciphersuite_list[i] != 0; i++ )
199 {
200 int cipher_suite = ciphersuite_list[i];
201 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
202
203 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
Ronald Crond491c2d2022-02-19 18:30:46 +0100[diff] [blame]204
205 if( ssl_validate_ciphersuite( ssl, ciphersuite_info ) )
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]206 continue;
Ronald Crond491c2d2022-02-19 18:30:46 +0100[diff] [blame]207
208#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
209 ( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
210 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) )
211 *tls12_uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
212#endif
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]213
214 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x, %s",
215 (unsigned int) cipher_suite,
216 ciphersuite_info->name ) );
217
218 /* Check there is space for the cipher suite identifier (2 bytes). */
219 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
220 MBEDTLS_PUT_UINT16_BE( cipher_suite, p, 0 );
221 p += 2;
222 }
223
Ronald Crond491c2d2022-02-19 18:30:46 +0100[diff] [blame]224 /*
225 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
226 */
227#if defined(MBEDTLS_SSL_RENEGOTIATION)
228 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
229#endif
230 {
231 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
232 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
233 MBEDTLS_PUT_UINT16_BE( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO, p, 0 );
234 p += 2;
235 }
236
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]237 /* Write the cipher_suites length in number of bytes */
238 cipher_suites_len = p - cipher_suites;
239 MBEDTLS_PUT_UINT16_BE( cipher_suites_len, buf, 0 );
240 MBEDTLS_SSL_DEBUG_MSG( 3,
241 ( "client hello, got %" MBEDTLS_PRINTF_SIZET " cipher suites",
242 cipher_suites_len/2 ) );
243
244 /* Output the total length of cipher_suites field. */
245 *out_len = p - buf;
246
247 return( 0 );
248}
249
250/*
Ronald Cron5456a7f2022-02-18 17:38:42 +0100[diff] [blame]251 * Structure of the TLS 1.3 ClientHello message:
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]252 *
253 * struct {
254 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
255 * Random random;
256 * opaque legacy_session_id<0..32>;
257 * CipherSuite cipher_suites<2..2^16-2>;
258 * opaque legacy_compression_methods<1..2^8-1>;
259 * Extension extensions<8..2^16-1>;
260 * } ClientHello;
Ronald Cron5456a7f2022-02-18 17:38:42 +0100[diff] [blame]261 *
262 * Structure of the (D)TLS 1.2 ClientHello message:
263 *
264 * struct {
265 * ProtocolVersion client_version;
266 * Random random;
267 * SessionID session_id;
268 * opaque cookie<0..2^8-1>; // DTLS 1.2 ONLY
269 * CipherSuite cipher_suites<2..2^16-2>;
270 * CompressionMethod compression_methods<1..2^8-1>;
271 * select (extensions_present) {
272 * case false:
273 * struct {};
274 * case true:
275 * Extension extensions<0..2^16-1>;
276 * };
277 * } ClientHello;
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]278 */
Ronald Cron71c23322022-02-18 17:29:39 +0100[diff] [blame]279static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
280 unsigned char *buf,
281 unsigned char *end,
282 size_t *out_len )
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]283{
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]284 int ret;
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]285 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
286#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
287 unsigned char propose_tls12 = 0;
288#endif
289#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
290 unsigned char propose_tls13 = 0;
291#endif
Ronald Crond491c2d2022-02-19 18:30:46 +0100[diff] [blame]292
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]293 unsigned char *p = buf;
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]294 unsigned char *p_extensions_len; /* Pointer to extensions length */
295 size_t output_len; /* Length of buffer used by function */
296 size_t extensions_len; /* Length of the list of extensions*/
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]297 int tls12_uses_ec = 0;
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]298
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]299 *out_len = 0;
300
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]301#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
302 propose_tls12 = ( handshake->min_minor_ver <= MBEDTLS_SSL_MINOR_VERSION_3 )
303 &&
304 ( MBEDTLS_SSL_MINOR_VERSION_3 <= ssl->minor_ver );
305#endif
306#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
307 propose_tls13 = ( handshake->min_minor_ver <= MBEDTLS_SSL_MINOR_VERSION_4 )
308 &&
309 ( MBEDTLS_SSL_MINOR_VERSION_4 <= ssl->minor_ver );
310#endif
311
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]312 /*
Ronald Cron1614eb62022-02-18 17:53:01 +0100[diff] [blame]313 * Write client_version (TLS 1.2) or legacy_version (TLS 1.3)
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]314 *
Ronald Cron1614eb62022-02-18 17:53:01 +0100[diff] [blame]315 * In all cases this is the TLS 1.2 version.
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]316 */
317 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Ronald Cron1614eb62022-02-18 17:53:01 +0100[diff] [blame]318 mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
319 MBEDTLS_SSL_MINOR_VERSION_3,
320 ssl->conf->transport, p );
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]321 p += 2;
322
Ronald Cron58b80382022-02-18 18:41:08 +0100[diff] [blame]323 /* ...
324 * Random random;
325 * ...
326 *
327 * with for TLS 1.2
328 * struct {
329 * uint32 gmt_unix_time;
330 * opaque random_bytes[28];
331 * } Random;
332 *
333 * and for TLS 1.3
334 * opaque Random[32];
335 *
336 * The random bytes have been prepared by ssl_prepare_client_hello() into
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]337 * the handshake->randbytes buffer and are copied here into the output
338 * buffer.
Ronald Cron58b80382022-02-18 18:41:08 +0100[diff] [blame]339 */
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]340 MBEDTLS_SSL_CHK_BUF_PTR( p, end, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]341 memcpy( p, handshake->randbytes, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]342 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
343 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
344 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
345
Ronald Cron021b1782022-02-19 17:32:53 +0100[diff] [blame]346 /* TLS 1.2:
347 * ...
348 * SessionID session_id;
349 * ...
350 * with
351 * opaque SessionID<0..32>;
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]352 *
Ronald Cron021b1782022-02-19 17:32:53 +0100[diff] [blame]353 * TLS 1.3:
354 * ...
355 * opaque legacy_session_id<0..32>;
356 * ...
357 *
358 * The (legacy) session identifier bytes have been by
359 * ssl_prepare_client_hello() into the ssl->session_negotiate->id buffer
360 * and are copied here into the output buffer.
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]361 */
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]362 MBEDTLS_SSL_CHK_BUF_PTR( p, end, ssl->session_negotiate->id_len + 1 );
363 *p++ = (unsigned char)ssl->session_negotiate->id_len;
364 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
365 p += ssl->session_negotiate->id_len;
366
367 MBEDTLS_SSL_DEBUG_BUF( 3, "session id", ssl->session_negotiate->id,
368 ssl->session_negotiate->id_len );
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]369
Ronald Crona874aa82022-02-19 18:11:26 +0100[diff] [blame]370 /* DTLS 1.2 ONLY
371 * ...
372 * opaque cookie<0..2^8-1>;
373 * ...
374 */
375#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_DTLS)
376 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
377 {
378 unsigned char cookie_len = 0;
379
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]380 if( handshake->cookie != NULL )
Ronald Crona874aa82022-02-19 18:11:26 +0100[diff] [blame]381 {
382 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]383 handshake->cookie,
384 handshake->verify_cookie_len );
385 cookie_len = handshake->verify_cookie_len;
Ronald Crona874aa82022-02-19 18:11:26 +0100[diff] [blame]386 }
387
388 MBEDTLS_SSL_CHK_BUF_PTR( p, end, cookie_len + 1 );
389 *p++ = cookie_len;
390 if( cookie_len > 0 )
391 {
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]392 memcpy( p, handshake->cookie, cookie_len );
Ronald Crona874aa82022-02-19 18:11:26 +0100[diff] [blame]393 p += cookie_len;
394 }
395 }
396#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */
397
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]398 /* Write cipher_suites */
Ronald Crond491c2d2022-02-19 18:30:46 +0100[diff] [blame]399 ret = ssl_write_client_hello_cipher_suites( ssl, p, end,
400 &tls12_uses_ec,
401 &output_len );
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]402 if( ret != 0 )
403 return( ret );
404 p += output_len;
405
Ronald Cron42c1cbf2022-02-20 10:24:39 +0100[diff] [blame]406 /* Write legacy_compression_methods (TLS 1.3) or
407 * compression_methods (TLS 1.2)
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]408 *
409 * For every TLS 1.3 ClientHello, this vector MUST contain exactly
410 * one byte set to zero, which corresponds to the 'null' compression
411 * method in prior versions of TLS.
Ronald Cron42c1cbf2022-02-20 10:24:39 +0100[diff] [blame]412 *
413 * For TLS 1.2 ClientHello, for security reasons we do not support
414 * compression anymore, thus also just the 'null' compression method.
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]415 */
416 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
417 *p++ = 1;
418 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
419
420 /* Write extensions */
421
422#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
423 /* Keeping track of the included extensions */
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]424 handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]425#endif
426
427 /* First write extensions, then the total length */
428 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
429 p_extensions_len = p;
430 p += 2;
431
Ronald Crondf823bf2022-03-29 18:57:54 +0200[diff] [blame]432#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
433 /* Write server name extension */
434 ret = mbedtls_ssl_write_hostname_ext( ssl, p, end, &output_len );
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]435 if( ret != 0 )
436 return( ret );
437 p += output_len;
Ronald Crondf823bf2022-03-29 18:57:54 +0200[diff] [blame]438#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]439
440#if defined(MBEDTLS_SSL_ALPN)
Ronald Cron71c23322022-02-18 17:29:39 +0100[diff] [blame]441 ret = ssl_write_alpn_ext( ssl, p, end, &output_len );
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]442 if( ret != 0 )
443 return( ret );
444 p += output_len;
445#endif /* MBEDTLS_SSL_ALPN */
446
447#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]448 if( propose_tls13 )
449 {
450 ret = mbedtls_ssl_tls13_write_client_hello_exts( ssl, p, end,
451 &output_len );
452 if( ret != 0 )
453 return( ret );
454 p += output_len;
455 }
Ronald Crondf823bf2022-03-29 18:57:54 +0200[diff] [blame]456#endif
457
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]458#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
459 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
460 if(
Ronald Crondf823bf2022-03-29 18:57:54 +0200[diff] [blame]461#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]462 ( propose_tls13 &&
463 mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) ||
464#endif
465#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
466 ( propose_tls12 && tls12_uses_ec ) ||
467#endif
468 0 )
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]469 {
470 ret = mbedtls_ssl_write_supported_groups_ext( ssl, p, end, &output_len );
471 if( ret != 0 )
472 return( ret );
473 p += output_len;
474 }
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]475#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]476
Ronald Cron11e18572022-03-17 13:44:33 +0100[diff] [blame]477#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]478 if(
479#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
480 ( propose_tls13 && mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) ) ||
481#endif
482#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
483 propose_tls12 ||
484#endif
485 0 )
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]486 {
487 ret = mbedtls_ssl_write_sig_alg_ext( ssl, p, end, &output_len );
488 if( ret != 0 )
489 return( ret );
490 p += output_len;
491 }
492#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]493
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]494#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
495 if( propose_tls12 )
496 {
497 ret = mbedtls_ssl_tls12_write_client_hello_exts( ssl, p, end,
498 tls12_uses_ec,
499 &output_len );
500 if( ret != 0 )
501 return( ret );
502 p += output_len;
503 }
504#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]505
506 /* Write the length of the list of extensions. */
507 extensions_len = p - p_extensions_len - 2;
Ronald Cron4079abc2022-02-20 10:35:26 +0100[diff] [blame]508
509 if( extensions_len == 0 )
510 p = p_extensions_len;
511 else
512 {
513 MBEDTLS_PUT_UINT16_BE( extensions_len, p_extensions_len, 0 );
514 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %" \
515 MBEDTLS_PRINTF_SIZET, extensions_len ) );
516 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions",
517 p_extensions_len, extensions_len );
518 }
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]519
520 *out_len = p - buf;
521 return( 0 );
522}
523
Ronald Cron58b80382022-02-18 18:41:08 +0100[diff] [blame]524static int ssl_generate_random( mbedtls_ssl_context *ssl )
525{
526 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
527 unsigned char *randbytes = ssl->handshake->randbytes;
528 size_t gmt_unix_time_len = 0;
529
530 /*
531 * Generate the random bytes
532 *
533 * TLS 1.2 case:
534 * struct {
535 * uint32 gmt_unix_time;
536 * opaque random_bytes[28];
537 * } Random;
538 *
539 * TLS 1.3 case:
540 * opaque Random[32];
541 */
542 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
543 {
544#if defined(MBEDTLS_HAVE_TIME)
545 mbedtls_time_t gmt_unix_time = mbedtls_time( NULL );
546 MBEDTLS_PUT_UINT32_BE( gmt_unix_time, randbytes, 0 );
547 gmt_unix_time_len = 4;
548
549 MBEDTLS_SSL_DEBUG_MSG( 3,
550 ( "client hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
551 (long long) gmt_unix_time ) );
552#endif /* MBEDTLS_HAVE_TIME */
553 }
554
555 ret = ssl->conf->f_rng( ssl->conf->p_rng,
556 randbytes + gmt_unix_time_len,
557 MBEDTLS_CLIENT_HELLO_RANDOM_LEN - gmt_unix_time_len );
558 return( ret );
559}
560
Ronald Cron71c23322022-02-18 17:29:39 +0100[diff] [blame]561static int ssl_prepare_client_hello( mbedtls_ssl_context *ssl )
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]562{
563 int ret;
Ronald Cron021b1782022-02-19 17:32:53 +0100[diff] [blame]564 size_t session_id_len;
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]565
566 if( ssl->conf->f_rng == NULL )
567 {
568 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) );
569 return( MBEDTLS_ERR_SSL_NO_RNG );
570 }
571
Ronald Cron86a477f2022-02-18 17:45:10 +0100[diff] [blame]572 /* Bet on the highest configured version if we are not in a TLS 1.2
573 * renegotiation or session resumption.
574 */
575#if defined(MBEDTLS_SSL_RENEGOTIATION)
576 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
577 ssl->handshake->min_minor_ver = ssl->minor_ver;
578 else
579#endif
580 {
581 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
582
583 if( ssl->handshake->resume )
584 {
585 ssl->minor_ver = ssl->session_negotiate->minor_ver;
586 ssl->handshake->min_minor_ver = ssl->minor_ver;
587 }
588 else
589 {
590 ssl->minor_ver = ssl->conf->max_minor_ver;
591 ssl->handshake->min_minor_ver = ssl->conf->min_minor_ver;
592 }
593 }
594
Ronald Cron58b80382022-02-18 18:41:08 +0100[diff] [blame]595 /*
596 * But when responding to a verify request where we MUST reuse the
597 * previoulsy generated random bytes (RFC 6347 4.2.1), generate the
598 * random bytes.
599 */
600#if defined(MBEDTLS_SSL_PROTO_DTLS)
601 if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ||
602 ( ssl->handshake->cookie == NULL ) )
603#endif
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]604 {
Ronald Cron58b80382022-02-18 18:41:08 +0100[diff] [blame]605 ret = ssl_generate_random( ssl );
606 if( ret != 0 )
607 {
608 MBEDTLS_SSL_DEBUG_RET( 1, "Random bytes generation failed", ret );
609 return( ret );
610 }
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]611 }
612
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]613 /*
Ronald Cron021b1782022-02-19 17:32:53 +0100[diff] [blame]614 * Prepare session identifier. But in the case of a TLS 1.2 session
615 * renegotiation or session resumption, the initial value of the session
616 * identifier length below is equal to zero.
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]617 */
Ronald Cron021b1782022-02-19 17:32:53 +0100[diff] [blame]618 session_id_len = ssl->session_negotiate->id_len;
619
620#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
621 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]622 {
Ronald Cron021b1782022-02-19 17:32:53 +0100[diff] [blame]623 if( session_id_len < 16 || session_id_len > 32 ||
624#if defined(MBEDTLS_SSL_RENEGOTIATION)
625 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
626#endif
627 ssl->handshake->resume == 0 )
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]628 {
Ronald Cron021b1782022-02-19 17:32:53 +0100[diff] [blame]629 session_id_len = 0;
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]630 }
Ronald Cron021b1782022-02-19 17:32:53 +0100[diff] [blame]631
632#if defined(MBEDTLS_SSL_SESSION_TICKETS)
633 /*
634 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
635 * generate and include a Session ID in the TLS ClientHello."
636 */
637#if defined(MBEDTLS_SSL_RENEGOTIATION)
638 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
639#endif
640 {
641 if( ( ssl->session_negotiate->ticket != NULL ) &&
642 ( ssl->session_negotiate->ticket_len != 0 ) )
643 {
644 session_id_len = 32;
645 }
646 }
647#endif /* MBEDTLS_SSL_SESSION_TICKETS */
648 }
649#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
650
651#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
652 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
653 {
654 /*
655 * Create a legacy session identifier for the purpose of middlebox
656 * compatibility only if one has not been created already, which is
657 * the case if we are here for the TLS 1.3 second ClientHello.
658 *
659 * Versions of TLS before TLS 1.3 supported a "session resumption"
660 * feature which has been merged with pre-shared keys in TLS 1.3
661 * version. A client which has a cached session ID set by a pre-TLS 1.3
662 * server SHOULD set this field to that value. In compatibility mode,
663 * this field MUST be non-empty, so a client not offering a pre-TLS 1.3
664 * session MUST generate a new 32-byte value. This value need not be
665 * random but SHOULD be unpredictable to avoid implementations fixating
666 * on a specific value (also known as ossification). Otherwise, it MUST
667 * be set as a zero-length vector ( i.e., a zero-valued single byte
668 * length field ).
669 */
670 session_id_len = 32;
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]671 }
672#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
673
Ronald Cron021b1782022-02-19 17:32:53 +0100[diff] [blame]674 if( session_id_len != ssl->session_negotiate->id_len )
675 {
676 ssl->session_negotiate->id_len = session_id_len;
677 if( session_id_len > 0 )
678 {
679 ret = ssl->conf->f_rng( ssl->conf->p_rng,
680 ssl->session_negotiate->id,
681 session_id_len );
682 if( ret != 0 )
683 {
684 MBEDTLS_SSL_DEBUG_RET( 1, "creating session id failed", ret );
685 return( ret );
686 }
687 }
688 }
689
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]690 return( 0 );
691}
692
693/*
694 * Write ClientHello handshake message.
695 * Handler for MBEDTLS_SSL_CLIENT_HELLO
696 */
697int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl )
698{
699 int ret = 0;
700 unsigned char *buf;
701 size_t buf_len, msg_len;
702
703 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
704
Ronald Cron71c23322022-02-18 17:29:39 +0100[diff] [blame]705 MBEDTLS_SSL_PROC_CHK( ssl_prepare_client_hello( ssl ) );
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]706
707 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg(
708 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
709 &buf, &buf_len ) );
710
Ronald Cron71c23322022-02-18 17:29:39 +0100[diff] [blame]711 MBEDTLS_SSL_PROC_CHK( ssl_write_client_hello_body( ssl, buf,
712 buf + buf_len,
713 &msg_len ) );
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]714
Ronald Cron5f4e9122022-02-21 09:50:36 +0100[diff] [blame]715#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_DTLS)
716 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
717 {
718 ssl->out_msglen = msg_len + 4;
719 mbedtls_ssl_send_flight_completed( ssl );
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]720
Ronald Cron5f4e9122022-02-21 09:50:36 +0100[diff] [blame]721 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
722 {
723 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
724 return( ret );
725 }
726
727 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
728 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
729 {
730 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
731 return( ret );
732 }
733 }
734 else
735#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */
736 {
737 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
738 buf, msg_len );
739 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl,
740 buf_len,
741 msg_len ) );
742 }
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]743
744 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
745
746cleanup:
747
748 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
749 return ret;
750}
751
752#endif /* MBEDTLS_SSL_PROTO_TLS1_3 || MBEDTLS_SSL_PROTO_TLS1_2 */
753#endif /* MBEDTLS_SSL_CLI_C */