1*62c56f98SSadaf Ebrahimi /*
2*62c56f98SSadaf Ebrahimi * TLS 1.2 and 1.3 client-side functions
3*62c56f98SSadaf Ebrahimi *
4*62c56f98SSadaf Ebrahimi * Copyright The Mbed TLS Contributors
5*62c56f98SSadaf Ebrahimi * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6*62c56f98SSadaf Ebrahimi */
7*62c56f98SSadaf Ebrahimi
8*62c56f98SSadaf Ebrahimi #include "common.h"
9*62c56f98SSadaf Ebrahimi
10*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_CLI_C)
11*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_3) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
12*62c56f98SSadaf Ebrahimi
13*62c56f98SSadaf Ebrahimi #include <string.h>
14*62c56f98SSadaf Ebrahimi
15*62c56f98SSadaf Ebrahimi #include "mbedtls/debug.h"
16*62c56f98SSadaf Ebrahimi #include "mbedtls/error.h"
17*62c56f98SSadaf Ebrahimi #include "mbedtls/platform.h"
18*62c56f98SSadaf Ebrahimi
19*62c56f98SSadaf Ebrahimi #include "ssl_client.h"
20*62c56f98SSadaf Ebrahimi #include "ssl_misc.h"
21*62c56f98SSadaf Ebrahimi #include "ssl_tls13_keys.h"
22*62c56f98SSadaf Ebrahimi #include "ssl_debug_helpers.h"
23*62c56f98SSadaf Ebrahimi
24*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
25*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_hostname_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)26*62c56f98SSadaf Ebrahimi static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl,
27*62c56f98SSadaf Ebrahimi unsigned char *buf,
28*62c56f98SSadaf Ebrahimi const unsigned char *end,
29*62c56f98SSadaf Ebrahimi size_t *olen)
30*62c56f98SSadaf Ebrahimi {
31*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
32*62c56f98SSadaf Ebrahimi size_t hostname_len;
33*62c56f98SSadaf Ebrahimi
34*62c56f98SSadaf Ebrahimi *olen = 0;
35*62c56f98SSadaf Ebrahimi
36*62c56f98SSadaf Ebrahimi if (ssl->hostname == NULL) {
37*62c56f98SSadaf Ebrahimi return 0;
38*62c56f98SSadaf Ebrahimi }
39*62c56f98SSadaf Ebrahimi
40*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3,
41*62c56f98SSadaf Ebrahimi ("client hello, adding server name extension: %s",
42*62c56f98SSadaf Ebrahimi ssl->hostname));
43*62c56f98SSadaf Ebrahimi
44*62c56f98SSadaf Ebrahimi hostname_len = strlen(ssl->hostname);
45*62c56f98SSadaf Ebrahimi
46*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, hostname_len + 9);
47*62c56f98SSadaf Ebrahimi
48*62c56f98SSadaf Ebrahimi /*
49*62c56f98SSadaf Ebrahimi * Sect. 3, RFC 6066 (TLS Extensions Definitions)
50*62c56f98SSadaf Ebrahimi *
51*62c56f98SSadaf Ebrahimi * In order to provide any of the server names, clients MAY include an
52*62c56f98SSadaf Ebrahimi * extension of type "server_name" in the (extended) client hello. The
53*62c56f98SSadaf Ebrahimi * "extension_data" field of this extension SHALL contain
54*62c56f98SSadaf Ebrahimi * "ServerNameList" where:
55*62c56f98SSadaf Ebrahimi *
56*62c56f98SSadaf Ebrahimi * struct {
57*62c56f98SSadaf Ebrahimi * NameType name_type;
58*62c56f98SSadaf Ebrahimi * select (name_type) {
59*62c56f98SSadaf Ebrahimi * case host_name: HostName;
60*62c56f98SSadaf Ebrahimi * } name;
61*62c56f98SSadaf Ebrahimi * } ServerName;
62*62c56f98SSadaf Ebrahimi *
63*62c56f98SSadaf Ebrahimi * enum {
64*62c56f98SSadaf Ebrahimi * host_name(0), (255)
65*62c56f98SSadaf Ebrahimi * } NameType;
66*62c56f98SSadaf Ebrahimi *
67*62c56f98SSadaf Ebrahimi * opaque HostName<1..2^16-1>;
68*62c56f98SSadaf Ebrahimi *
69*62c56f98SSadaf Ebrahimi * struct {
70*62c56f98SSadaf Ebrahimi * ServerName server_name_list<1..2^16-1>
71*62c56f98SSadaf Ebrahimi * } ServerNameList;
72*62c56f98SSadaf Ebrahimi *
73*62c56f98SSadaf Ebrahimi */
74*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SERVERNAME, p, 0);
75*62c56f98SSadaf Ebrahimi p += 2;
76*62c56f98SSadaf Ebrahimi
77*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(hostname_len + 5, p, 0);
78*62c56f98SSadaf Ebrahimi p += 2;
79*62c56f98SSadaf Ebrahimi
80*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(hostname_len + 3, p, 0);
81*62c56f98SSadaf Ebrahimi p += 2;
82*62c56f98SSadaf Ebrahimi
83*62c56f98SSadaf Ebrahimi *p++ = MBEDTLS_BYTE_0(MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME);
84*62c56f98SSadaf Ebrahimi
85*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
86*62c56f98SSadaf Ebrahimi p += 2;
87*62c56f98SSadaf Ebrahimi
88*62c56f98SSadaf Ebrahimi memcpy(p, ssl->hostname, hostname_len);
89*62c56f98SSadaf Ebrahimi
90*62c56f98SSadaf Ebrahimi *olen = hostname_len + 9;
91*62c56f98SSadaf Ebrahimi
92*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
93*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SERVERNAME);
94*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
95*62c56f98SSadaf Ebrahimi return 0;
96*62c56f98SSadaf Ebrahimi }
97*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
98*62c56f98SSadaf Ebrahimi
99*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_ALPN)
100*62c56f98SSadaf Ebrahimi /*
101*62c56f98SSadaf Ebrahimi * ssl_write_alpn_ext()
102*62c56f98SSadaf Ebrahimi *
103*62c56f98SSadaf Ebrahimi * Structure of the application_layer_protocol_negotiation extension in
104*62c56f98SSadaf Ebrahimi * ClientHello:
105*62c56f98SSadaf Ebrahimi *
106*62c56f98SSadaf Ebrahimi * opaque ProtocolName<1..2^8-1>;
107*62c56f98SSadaf Ebrahimi *
108*62c56f98SSadaf Ebrahimi * struct {
109*62c56f98SSadaf Ebrahimi * ProtocolName protocol_name_list<2..2^16-1>
110*62c56f98SSadaf Ebrahimi * } ProtocolNameList;
111*62c56f98SSadaf Ebrahimi *
112*62c56f98SSadaf Ebrahimi */
113*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_alpn_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * out_len)114*62c56f98SSadaf Ebrahimi static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
115*62c56f98SSadaf Ebrahimi unsigned char *buf,
116*62c56f98SSadaf Ebrahimi const unsigned char *end,
117*62c56f98SSadaf Ebrahimi size_t *out_len)
118*62c56f98SSadaf Ebrahimi {
119*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
120*62c56f98SSadaf Ebrahimi
121*62c56f98SSadaf Ebrahimi *out_len = 0;
122*62c56f98SSadaf Ebrahimi
123*62c56f98SSadaf Ebrahimi if (ssl->conf->alpn_list == NULL) {
124*62c56f98SSadaf Ebrahimi return 0;
125*62c56f98SSadaf Ebrahimi }
126*62c56f98SSadaf Ebrahimi
127*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding alpn extension"));
128*62c56f98SSadaf Ebrahimi
129*62c56f98SSadaf Ebrahimi
130*62c56f98SSadaf Ebrahimi /* Check we have enough space for the extension type (2 bytes), the
131*62c56f98SSadaf Ebrahimi * extension length (2 bytes) and the protocol_name_list length (2 bytes).
132*62c56f98SSadaf Ebrahimi */
133*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
134*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
135*62c56f98SSadaf Ebrahimi /* Skip writing extension and list length for now */
136*62c56f98SSadaf Ebrahimi p += 6;
137*62c56f98SSadaf Ebrahimi
138*62c56f98SSadaf Ebrahimi /*
139*62c56f98SSadaf Ebrahimi * opaque ProtocolName<1..2^8-1>;
140*62c56f98SSadaf Ebrahimi *
141*62c56f98SSadaf Ebrahimi * struct {
142*62c56f98SSadaf Ebrahimi * ProtocolName protocol_name_list<2..2^16-1>
143*62c56f98SSadaf Ebrahimi * } ProtocolNameList;
144*62c56f98SSadaf Ebrahimi */
145*62c56f98SSadaf Ebrahimi for (const char **cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
146*62c56f98SSadaf Ebrahimi /*
147*62c56f98SSadaf Ebrahimi * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
148*62c56f98SSadaf Ebrahimi * protocol names is less than 255.
149*62c56f98SSadaf Ebrahimi */
150*62c56f98SSadaf Ebrahimi size_t protocol_name_len = strlen(*cur);
151*62c56f98SSadaf Ebrahimi
152*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1 + protocol_name_len);
153*62c56f98SSadaf Ebrahimi *p++ = (unsigned char) protocol_name_len;
154*62c56f98SSadaf Ebrahimi memcpy(p, *cur, protocol_name_len);
155*62c56f98SSadaf Ebrahimi p += protocol_name_len;
156*62c56f98SSadaf Ebrahimi }
157*62c56f98SSadaf Ebrahimi
158*62c56f98SSadaf Ebrahimi *out_len = p - buf;
159*62c56f98SSadaf Ebrahimi
160*62c56f98SSadaf Ebrahimi /* List length = *out_len - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
161*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(*out_len - 6, buf, 4);
162*62c56f98SSadaf Ebrahimi
163*62c56f98SSadaf Ebrahimi /* Extension length = *out_len - 2 (ext_type) - 2 (ext_len) */
164*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(*out_len - 4, buf, 2);
165*62c56f98SSadaf Ebrahimi
166*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
167*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
168*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
169*62c56f98SSadaf Ebrahimi return 0;
170*62c56f98SSadaf Ebrahimi }
171*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_ALPN */
172*62c56f98SSadaf Ebrahimi
173*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC) || \
174*62c56f98SSadaf Ebrahimi defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
175*62c56f98SSadaf Ebrahimi /*
176*62c56f98SSadaf Ebrahimi * Function for writing a supported groups (TLS 1.3) or supported elliptic
177*62c56f98SSadaf Ebrahimi * curves (TLS 1.2) extension.
178*62c56f98SSadaf Ebrahimi *
179*62c56f98SSadaf Ebrahimi * The "extension_data" field of a supported groups extension contains a
180*62c56f98SSadaf Ebrahimi * "NamedGroupList" value (TLS 1.3 RFC8446):
181*62c56f98SSadaf Ebrahimi * enum {
182*62c56f98SSadaf Ebrahimi * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
183*62c56f98SSadaf Ebrahimi * x25519(0x001D), x448(0x001E),
184*62c56f98SSadaf Ebrahimi * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
185*62c56f98SSadaf Ebrahimi * ffdhe6144(0x0103), ffdhe8192(0x0104),
186*62c56f98SSadaf Ebrahimi * ffdhe_private_use(0x01FC..0x01FF),
187*62c56f98SSadaf Ebrahimi * ecdhe_private_use(0xFE00..0xFEFF),
188*62c56f98SSadaf Ebrahimi * (0xFFFF)
189*62c56f98SSadaf Ebrahimi * } NamedGroup;
190*62c56f98SSadaf Ebrahimi * struct {
191*62c56f98SSadaf Ebrahimi * NamedGroup named_group_list<2..2^16-1>;
192*62c56f98SSadaf Ebrahimi * } NamedGroupList;
193*62c56f98SSadaf Ebrahimi *
194*62c56f98SSadaf Ebrahimi * The "extension_data" field of a supported elliptic curves extension contains
195*62c56f98SSadaf Ebrahimi * a "NamedCurveList" value (TLS 1.2 RFC 8422):
196*62c56f98SSadaf Ebrahimi * enum {
197*62c56f98SSadaf Ebrahimi * deprecated(1..22),
198*62c56f98SSadaf Ebrahimi * secp256r1 (23), secp384r1 (24), secp521r1 (25),
199*62c56f98SSadaf Ebrahimi * x25519(29), x448(30),
200*62c56f98SSadaf Ebrahimi * reserved (0xFE00..0xFEFF),
201*62c56f98SSadaf Ebrahimi * deprecated(0xFF01..0xFF02),
202*62c56f98SSadaf Ebrahimi * (0xFFFF)
203*62c56f98SSadaf Ebrahimi * } NamedCurve;
204*62c56f98SSadaf Ebrahimi * struct {
205*62c56f98SSadaf Ebrahimi * NamedCurve named_curve_list<2..2^16-1>
206*62c56f98SSadaf Ebrahimi * } NamedCurveList;
207*62c56f98SSadaf Ebrahimi *
208*62c56f98SSadaf Ebrahimi * The TLS 1.3 supported groups extension was defined to be a compatible
209*62c56f98SSadaf Ebrahimi * generalization of the TLS 1.2 supported elliptic curves extension. They both
210*62c56f98SSadaf Ebrahimi * share the same extension identifier.
211*62c56f98SSadaf Ebrahimi *
212*62c56f98SSadaf Ebrahimi */
213*62c56f98SSadaf Ebrahimi #define SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG 1
214*62c56f98SSadaf Ebrahimi #define SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG 2
215*62c56f98SSadaf Ebrahimi
216*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_supported_groups_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,int flags,size_t * out_len)217*62c56f98SSadaf Ebrahimi static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
218*62c56f98SSadaf Ebrahimi unsigned char *buf,
219*62c56f98SSadaf Ebrahimi const unsigned char *end,
220*62c56f98SSadaf Ebrahimi int flags,
221*62c56f98SSadaf Ebrahimi size_t *out_len)
222*62c56f98SSadaf Ebrahimi {
223*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
224*62c56f98SSadaf Ebrahimi unsigned char *named_group_list; /* Start of named_group_list */
225*62c56f98SSadaf Ebrahimi size_t named_group_list_len; /* Length of named_group_list */
226*62c56f98SSadaf Ebrahimi const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
227*62c56f98SSadaf Ebrahimi
228*62c56f98SSadaf Ebrahimi *out_len = 0;
229*62c56f98SSadaf Ebrahimi
230*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported_groups extension"));
231*62c56f98SSadaf Ebrahimi
232*62c56f98SSadaf Ebrahimi /* Check if we have space for header and length fields:
233*62c56f98SSadaf Ebrahimi * - extension_type (2 bytes)
234*62c56f98SSadaf Ebrahimi * - extension_data_length (2 bytes)
235*62c56f98SSadaf Ebrahimi * - named_group_list_length (2 bytes)
236*62c56f98SSadaf Ebrahimi */
237*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
238*62c56f98SSadaf Ebrahimi p += 6;
239*62c56f98SSadaf Ebrahimi
240*62c56f98SSadaf Ebrahimi named_group_list = p;
241*62c56f98SSadaf Ebrahimi
242*62c56f98SSadaf Ebrahimi if (group_list == NULL) {
243*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_BAD_CONFIG;
244*62c56f98SSadaf Ebrahimi }
245*62c56f98SSadaf Ebrahimi
246*62c56f98SSadaf Ebrahimi for (; *group_list != 0; group_list++) {
247*62c56f98SSadaf Ebrahimi int propose_group = 0;
248*62c56f98SSadaf Ebrahimi
249*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("got supported group(%04x)", *group_list));
250*62c56f98SSadaf Ebrahimi
251*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
252*62c56f98SSadaf Ebrahimi if (flags & SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG) {
253*62c56f98SSadaf Ebrahimi #if defined(PSA_WANT_ALG_ECDH)
254*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list) &&
255*62c56f98SSadaf Ebrahimi (mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) !=
256*62c56f98SSadaf Ebrahimi MBEDTLS_ECP_DP_NONE)) {
257*62c56f98SSadaf Ebrahimi propose_group = 1;
258*62c56f98SSadaf Ebrahimi }
259*62c56f98SSadaf Ebrahimi #endif
260*62c56f98SSadaf Ebrahimi #if defined(PSA_WANT_ALG_FFDH)
261*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
262*62c56f98SSadaf Ebrahimi propose_group = 1;
263*62c56f98SSadaf Ebrahimi }
264*62c56f98SSadaf Ebrahimi #endif
265*62c56f98SSadaf Ebrahimi }
266*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
267*62c56f98SSadaf Ebrahimi
268*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC)
269*62c56f98SSadaf Ebrahimi if ((flags & SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG) &&
270*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls12_named_group_is_ecdhe(*group_list) &&
271*62c56f98SSadaf Ebrahimi (mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) !=
272*62c56f98SSadaf Ebrahimi MBEDTLS_ECP_DP_NONE)) {
273*62c56f98SSadaf Ebrahimi propose_group = 1;
274*62c56f98SSadaf Ebrahimi }
275*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC */
276*62c56f98SSadaf Ebrahimi
277*62c56f98SSadaf Ebrahimi if (propose_group) {
278*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
279*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(*group_list, p, 0);
280*62c56f98SSadaf Ebrahimi p += 2;
281*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("NamedGroup: %s ( %x )",
282*62c56f98SSadaf Ebrahimi mbedtls_ssl_named_group_to_str(*group_list),
283*62c56f98SSadaf Ebrahimi *group_list));
284*62c56f98SSadaf Ebrahimi }
285*62c56f98SSadaf Ebrahimi }
286*62c56f98SSadaf Ebrahimi
287*62c56f98SSadaf Ebrahimi /* Length of named_group_list */
288*62c56f98SSadaf Ebrahimi named_group_list_len = p - named_group_list;
289*62c56f98SSadaf Ebrahimi if (named_group_list_len == 0) {
290*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("No group available."));
291*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
292*62c56f98SSadaf Ebrahimi }
293*62c56f98SSadaf Ebrahimi
294*62c56f98SSadaf Ebrahimi /* Write extension_type */
295*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_GROUPS, buf, 0);
296*62c56f98SSadaf Ebrahimi /* Write extension_data_length */
297*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(named_group_list_len + 2, buf, 2);
298*62c56f98SSadaf Ebrahimi /* Write length of named_group_list */
299*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(named_group_list_len, buf, 4);
300*62c56f98SSadaf Ebrahimi
301*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "Supported groups extension",
302*62c56f98SSadaf Ebrahimi buf + 4, named_group_list_len + 2);
303*62c56f98SSadaf Ebrahimi
304*62c56f98SSadaf Ebrahimi *out_len = p - buf;
305*62c56f98SSadaf Ebrahimi
306*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
307*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_set_hs_sent_ext_mask(
308*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_TLS_EXT_SUPPORTED_GROUPS);
309*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
310*62c56f98SSadaf Ebrahimi
311*62c56f98SSadaf Ebrahimi return 0;
312*62c56f98SSadaf Ebrahimi }
313*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC ||
314*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
315*62c56f98SSadaf Ebrahimi
316*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_client_hello_cipher_suites(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,int * tls12_uses_ec,size_t * out_len)317*62c56f98SSadaf Ebrahimi static int ssl_write_client_hello_cipher_suites(
318*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl,
319*62c56f98SSadaf Ebrahimi unsigned char *buf,
320*62c56f98SSadaf Ebrahimi unsigned char *end,
321*62c56f98SSadaf Ebrahimi int *tls12_uses_ec,
322*62c56f98SSadaf Ebrahimi size_t *out_len)
323*62c56f98SSadaf Ebrahimi {
324*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
325*62c56f98SSadaf Ebrahimi const int *ciphersuite_list;
326*62c56f98SSadaf Ebrahimi unsigned char *cipher_suites; /* Start of the cipher_suites list */
327*62c56f98SSadaf Ebrahimi size_t cipher_suites_len;
328*62c56f98SSadaf Ebrahimi
329*62c56f98SSadaf Ebrahimi *tls12_uses_ec = 0;
330*62c56f98SSadaf Ebrahimi *out_len = 0;
331*62c56f98SSadaf Ebrahimi
332*62c56f98SSadaf Ebrahimi /*
333*62c56f98SSadaf Ebrahimi * Ciphersuite list
334*62c56f98SSadaf Ebrahimi *
335*62c56f98SSadaf Ebrahimi * This is a list of the symmetric cipher options supported by
336*62c56f98SSadaf Ebrahimi * the client, specifically the record protection algorithm
337*62c56f98SSadaf Ebrahimi * ( including secret key length ) and a hash to be used with
338*62c56f98SSadaf Ebrahimi * HKDF, in descending order of client preference.
339*62c56f98SSadaf Ebrahimi */
340*62c56f98SSadaf Ebrahimi ciphersuite_list = ssl->conf->ciphersuite_list;
341*62c56f98SSadaf Ebrahimi
342*62c56f98SSadaf Ebrahimi /* Check there is space for the cipher suite list length (2 bytes). */
343*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
344*62c56f98SSadaf Ebrahimi p += 2;
345*62c56f98SSadaf Ebrahimi
346*62c56f98SSadaf Ebrahimi /* Write cipher_suites
347*62c56f98SSadaf Ebrahimi * CipherSuite cipher_suites<2..2^16-2>;
348*62c56f98SSadaf Ebrahimi */
349*62c56f98SSadaf Ebrahimi cipher_suites = p;
350*62c56f98SSadaf Ebrahimi for (size_t i = 0; ciphersuite_list[i] != 0; i++) {
351*62c56f98SSadaf Ebrahimi int cipher_suite = ciphersuite_list[i];
352*62c56f98SSadaf Ebrahimi const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
353*62c56f98SSadaf Ebrahimi
354*62c56f98SSadaf Ebrahimi ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
355*62c56f98SSadaf Ebrahimi
356*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
357*62c56f98SSadaf Ebrahimi ssl->handshake->min_tls_version,
358*62c56f98SSadaf Ebrahimi ssl->tls_version) != 0) {
359*62c56f98SSadaf Ebrahimi continue;
360*62c56f98SSadaf Ebrahimi }
361*62c56f98SSadaf Ebrahimi
362*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
363*62c56f98SSadaf Ebrahimi (defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
364*62c56f98SSadaf Ebrahimi defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
365*62c56f98SSadaf Ebrahimi defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED))
366*62c56f98SSadaf Ebrahimi *tls12_uses_ec |= mbedtls_ssl_ciphersuite_uses_ec(ciphersuite_info);
367*62c56f98SSadaf Ebrahimi #endif
368*62c56f98SSadaf Ebrahimi
369*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, add ciphersuite: %04x, %s",
370*62c56f98SSadaf Ebrahimi (unsigned int) cipher_suite,
371*62c56f98SSadaf Ebrahimi ciphersuite_info->name));
372*62c56f98SSadaf Ebrahimi
373*62c56f98SSadaf Ebrahimi /* Check there is space for the cipher suite identifier (2 bytes). */
374*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
375*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(cipher_suite, p, 0);
376*62c56f98SSadaf Ebrahimi p += 2;
377*62c56f98SSadaf Ebrahimi }
378*62c56f98SSadaf Ebrahimi
379*62c56f98SSadaf Ebrahimi /*
380*62c56f98SSadaf Ebrahimi * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
381*62c56f98SSadaf Ebrahimi */
382*62c56f98SSadaf Ebrahimi int renegotiating = 0;
383*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_RENEGOTIATION)
384*62c56f98SSadaf Ebrahimi renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
385*62c56f98SSadaf Ebrahimi #endif
386*62c56f98SSadaf Ebrahimi if (!renegotiating) {
387*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("adding EMPTY_RENEGOTIATION_INFO_SCSV"));
388*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
389*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO, p, 0);
390*62c56f98SSadaf Ebrahimi p += 2;
391*62c56f98SSadaf Ebrahimi }
392*62c56f98SSadaf Ebrahimi
393*62c56f98SSadaf Ebrahimi /* Write the cipher_suites length in number of bytes */
394*62c56f98SSadaf Ebrahimi cipher_suites_len = p - cipher_suites;
395*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(cipher_suites_len, buf, 0);
396*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3,
397*62c56f98SSadaf Ebrahimi ("client hello, got %" MBEDTLS_PRINTF_SIZET " cipher suites",
398*62c56f98SSadaf Ebrahimi cipher_suites_len/2));
399*62c56f98SSadaf Ebrahimi
400*62c56f98SSadaf Ebrahimi /* Output the total length of cipher_suites field. */
401*62c56f98SSadaf Ebrahimi *out_len = p - buf;
402*62c56f98SSadaf Ebrahimi
403*62c56f98SSadaf Ebrahimi return 0;
404*62c56f98SSadaf Ebrahimi }
405*62c56f98SSadaf Ebrahimi
406*62c56f98SSadaf Ebrahimi /*
407*62c56f98SSadaf Ebrahimi * Structure of the TLS 1.3 ClientHello message:
408*62c56f98SSadaf Ebrahimi *
409*62c56f98SSadaf Ebrahimi * struct {
410*62c56f98SSadaf Ebrahimi * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
411*62c56f98SSadaf Ebrahimi * Random random;
412*62c56f98SSadaf Ebrahimi * opaque legacy_session_id<0..32>;
413*62c56f98SSadaf Ebrahimi * CipherSuite cipher_suites<2..2^16-2>;
414*62c56f98SSadaf Ebrahimi * opaque legacy_compression_methods<1..2^8-1>;
415*62c56f98SSadaf Ebrahimi * Extension extensions<8..2^16-1>;
416*62c56f98SSadaf Ebrahimi * } ClientHello;
417*62c56f98SSadaf Ebrahimi *
418*62c56f98SSadaf Ebrahimi * Structure of the (D)TLS 1.2 ClientHello message:
419*62c56f98SSadaf Ebrahimi *
420*62c56f98SSadaf Ebrahimi * struct {
421*62c56f98SSadaf Ebrahimi * ProtocolVersion client_version;
422*62c56f98SSadaf Ebrahimi * Random random;
423*62c56f98SSadaf Ebrahimi * SessionID session_id;
424*62c56f98SSadaf Ebrahimi * opaque cookie<0..2^8-1>; // DTLS 1.2 ONLY
425*62c56f98SSadaf Ebrahimi * CipherSuite cipher_suites<2..2^16-2>;
426*62c56f98SSadaf Ebrahimi * CompressionMethod compression_methods<1..2^8-1>;
427*62c56f98SSadaf Ebrahimi * select (extensions_present) {
428*62c56f98SSadaf Ebrahimi * case false:
429*62c56f98SSadaf Ebrahimi * struct {};
430*62c56f98SSadaf Ebrahimi * case true:
431*62c56f98SSadaf Ebrahimi * Extension extensions<0..2^16-1>;
432*62c56f98SSadaf Ebrahimi * };
433*62c56f98SSadaf Ebrahimi * } ClientHello;
434*62c56f98SSadaf Ebrahimi */
435*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_client_hello_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len,size_t * binders_len)436*62c56f98SSadaf Ebrahimi static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
437*62c56f98SSadaf Ebrahimi unsigned char *buf,
438*62c56f98SSadaf Ebrahimi unsigned char *end,
439*62c56f98SSadaf Ebrahimi size_t *out_len,
440*62c56f98SSadaf Ebrahimi size_t *binders_len)
441*62c56f98SSadaf Ebrahimi {
442*62c56f98SSadaf Ebrahimi int ret;
443*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_params *handshake = ssl->handshake;
444*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
445*62c56f98SSadaf Ebrahimi unsigned char *p_extensions_len; /* Pointer to extensions length */
446*62c56f98SSadaf Ebrahimi size_t output_len; /* Length of buffer used by function */
447*62c56f98SSadaf Ebrahimi size_t extensions_len; /* Length of the list of extensions*/
448*62c56f98SSadaf Ebrahimi int tls12_uses_ec = 0;
449*62c56f98SSadaf Ebrahimi
450*62c56f98SSadaf Ebrahimi *out_len = 0;
451*62c56f98SSadaf Ebrahimi *binders_len = 0;
452*62c56f98SSadaf Ebrahimi
453*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
454*62c56f98SSadaf Ebrahimi unsigned char propose_tls12 =
455*62c56f98SSadaf Ebrahimi (handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2)
456*62c56f98SSadaf Ebrahimi &&
457*62c56f98SSadaf Ebrahimi (MBEDTLS_SSL_VERSION_TLS1_2 <= ssl->tls_version);
458*62c56f98SSadaf Ebrahimi #endif
459*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
460*62c56f98SSadaf Ebrahimi unsigned char propose_tls13 =
461*62c56f98SSadaf Ebrahimi (handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3)
462*62c56f98SSadaf Ebrahimi &&
463*62c56f98SSadaf Ebrahimi (MBEDTLS_SSL_VERSION_TLS1_3 <= ssl->tls_version);
464*62c56f98SSadaf Ebrahimi #endif
465*62c56f98SSadaf Ebrahimi
466*62c56f98SSadaf Ebrahimi /*
467*62c56f98SSadaf Ebrahimi * Write client_version (TLS 1.2) or legacy_version (TLS 1.3)
468*62c56f98SSadaf Ebrahimi *
469*62c56f98SSadaf Ebrahimi * In all cases this is the TLS 1.2 version.
470*62c56f98SSadaf Ebrahimi */
471*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
472*62c56f98SSadaf Ebrahimi mbedtls_ssl_write_version(p, ssl->conf->transport,
473*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_VERSION_TLS1_2);
474*62c56f98SSadaf Ebrahimi p += 2;
475*62c56f98SSadaf Ebrahimi
476*62c56f98SSadaf Ebrahimi /* ...
477*62c56f98SSadaf Ebrahimi * Random random;
478*62c56f98SSadaf Ebrahimi * ...
479*62c56f98SSadaf Ebrahimi *
480*62c56f98SSadaf Ebrahimi * The random bytes have been prepared by ssl_prepare_client_hello() into
481*62c56f98SSadaf Ebrahimi * the handshake->randbytes buffer and are copied here into the output
482*62c56f98SSadaf Ebrahimi * buffer.
483*62c56f98SSadaf Ebrahimi */
484*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
485*62c56f98SSadaf Ebrahimi memcpy(p, handshake->randbytes, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
486*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes",
487*62c56f98SSadaf Ebrahimi p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
488*62c56f98SSadaf Ebrahimi p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
489*62c56f98SSadaf Ebrahimi
490*62c56f98SSadaf Ebrahimi /* TLS 1.2:
491*62c56f98SSadaf Ebrahimi * ...
492*62c56f98SSadaf Ebrahimi * SessionID session_id;
493*62c56f98SSadaf Ebrahimi * ...
494*62c56f98SSadaf Ebrahimi * with
495*62c56f98SSadaf Ebrahimi * opaque SessionID<0..32>;
496*62c56f98SSadaf Ebrahimi *
497*62c56f98SSadaf Ebrahimi * TLS 1.3:
498*62c56f98SSadaf Ebrahimi * ...
499*62c56f98SSadaf Ebrahimi * opaque legacy_session_id<0..32>;
500*62c56f98SSadaf Ebrahimi * ...
501*62c56f98SSadaf Ebrahimi *
502*62c56f98SSadaf Ebrahimi * The (legacy) session identifier bytes have been prepared by
503*62c56f98SSadaf Ebrahimi * ssl_prepare_client_hello() into the ssl->session_negotiate->id buffer
504*62c56f98SSadaf Ebrahimi * and are copied here into the output buffer.
505*62c56f98SSadaf Ebrahimi */
506*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, ssl->session_negotiate->id_len + 1);
507*62c56f98SSadaf Ebrahimi *p++ = (unsigned char) ssl->session_negotiate->id_len;
508*62c56f98SSadaf Ebrahimi memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
509*62c56f98SSadaf Ebrahimi p += ssl->session_negotiate->id_len;
510*62c56f98SSadaf Ebrahimi
511*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id,
512*62c56f98SSadaf Ebrahimi ssl->session_negotiate->id_len);
513*62c56f98SSadaf Ebrahimi
514*62c56f98SSadaf Ebrahimi /* DTLS 1.2 ONLY
515*62c56f98SSadaf Ebrahimi * ...
516*62c56f98SSadaf Ebrahimi * opaque cookie<0..2^8-1>;
517*62c56f98SSadaf Ebrahimi * ...
518*62c56f98SSadaf Ebrahimi */
519*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_DTLS)
520*62c56f98SSadaf Ebrahimi if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
521*62c56f98SSadaf Ebrahimi #if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
522*62c56f98SSadaf Ebrahimi uint8_t cookie_len = 0;
523*62c56f98SSadaf Ebrahimi #else
524*62c56f98SSadaf Ebrahimi uint16_t cookie_len = 0;
525*62c56f98SSadaf Ebrahimi #endif /* !MBEDTLS_SSL_PROTO_TLS1_3 */
526*62c56f98SSadaf Ebrahimi
527*62c56f98SSadaf Ebrahimi if (handshake->cookie != NULL) {
528*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
529*62c56f98SSadaf Ebrahimi handshake->cookie,
530*62c56f98SSadaf Ebrahimi handshake->cookie_len);
531*62c56f98SSadaf Ebrahimi cookie_len = handshake->cookie_len;
532*62c56f98SSadaf Ebrahimi }
533*62c56f98SSadaf Ebrahimi
534*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, cookie_len + 1);
535*62c56f98SSadaf Ebrahimi *p++ = (unsigned char) cookie_len;
536*62c56f98SSadaf Ebrahimi if (cookie_len > 0) {
537*62c56f98SSadaf Ebrahimi memcpy(p, handshake->cookie, cookie_len);
538*62c56f98SSadaf Ebrahimi p += cookie_len;
539*62c56f98SSadaf Ebrahimi }
540*62c56f98SSadaf Ebrahimi }
541*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */
542*62c56f98SSadaf Ebrahimi
543*62c56f98SSadaf Ebrahimi /* Write cipher_suites */
544*62c56f98SSadaf Ebrahimi ret = ssl_write_client_hello_cipher_suites(ssl, p, end,
545*62c56f98SSadaf Ebrahimi &tls12_uses_ec,
546*62c56f98SSadaf Ebrahimi &output_len);
547*62c56f98SSadaf Ebrahimi if (ret != 0) {
548*62c56f98SSadaf Ebrahimi return ret;
549*62c56f98SSadaf Ebrahimi }
550*62c56f98SSadaf Ebrahimi p += output_len;
551*62c56f98SSadaf Ebrahimi
552*62c56f98SSadaf Ebrahimi /* Write legacy_compression_methods (TLS 1.3) or
553*62c56f98SSadaf Ebrahimi * compression_methods (TLS 1.2)
554*62c56f98SSadaf Ebrahimi *
555*62c56f98SSadaf Ebrahimi * For every TLS 1.3 ClientHello, this vector MUST contain exactly
556*62c56f98SSadaf Ebrahimi * one byte set to zero, which corresponds to the 'null' compression
557*62c56f98SSadaf Ebrahimi * method in prior versions of TLS.
558*62c56f98SSadaf Ebrahimi *
559*62c56f98SSadaf Ebrahimi * For TLS 1.2 ClientHello, for security reasons we do not support
560*62c56f98SSadaf Ebrahimi * compression anymore, thus also just the 'null' compression method.
561*62c56f98SSadaf Ebrahimi */
562*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
563*62c56f98SSadaf Ebrahimi *p++ = 1;
564*62c56f98SSadaf Ebrahimi *p++ = MBEDTLS_SSL_COMPRESS_NULL;
565*62c56f98SSadaf Ebrahimi
566*62c56f98SSadaf Ebrahimi /* Write extensions */
567*62c56f98SSadaf Ebrahimi
568*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
569*62c56f98SSadaf Ebrahimi /* Keeping track of the included extensions */
570*62c56f98SSadaf Ebrahimi handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
571*62c56f98SSadaf Ebrahimi #endif
572*62c56f98SSadaf Ebrahimi
573*62c56f98SSadaf Ebrahimi /* First write extensions, then the total length */
574*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
575*62c56f98SSadaf Ebrahimi p_extensions_len = p;
576*62c56f98SSadaf Ebrahimi p += 2;
577*62c56f98SSadaf Ebrahimi
578*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
579*62c56f98SSadaf Ebrahimi /* Write server name extension */
580*62c56f98SSadaf Ebrahimi ret = ssl_write_hostname_ext(ssl, p, end, &output_len);
581*62c56f98SSadaf Ebrahimi if (ret != 0) {
582*62c56f98SSadaf Ebrahimi return ret;
583*62c56f98SSadaf Ebrahimi }
584*62c56f98SSadaf Ebrahimi p += output_len;
585*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
586*62c56f98SSadaf Ebrahimi
587*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_ALPN)
588*62c56f98SSadaf Ebrahimi ret = ssl_write_alpn_ext(ssl, p, end, &output_len);
589*62c56f98SSadaf Ebrahimi if (ret != 0) {
590*62c56f98SSadaf Ebrahimi return ret;
591*62c56f98SSadaf Ebrahimi }
592*62c56f98SSadaf Ebrahimi p += output_len;
593*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_ALPN */
594*62c56f98SSadaf Ebrahimi
595*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
596*62c56f98SSadaf Ebrahimi if (propose_tls13) {
597*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_write_client_hello_exts(ssl, p, end,
598*62c56f98SSadaf Ebrahimi &output_len);
599*62c56f98SSadaf Ebrahimi if (ret != 0) {
600*62c56f98SSadaf Ebrahimi return ret;
601*62c56f98SSadaf Ebrahimi }
602*62c56f98SSadaf Ebrahimi p += output_len;
603*62c56f98SSadaf Ebrahimi }
604*62c56f98SSadaf Ebrahimi #endif
605*62c56f98SSadaf Ebrahimi
606*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC) || \
607*62c56f98SSadaf Ebrahimi defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
608*62c56f98SSadaf Ebrahimi {
609*62c56f98SSadaf Ebrahimi int ssl_write_supported_groups_ext_flags = 0;
610*62c56f98SSadaf Ebrahimi
611*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
612*62c56f98SSadaf Ebrahimi if (propose_tls13 && mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
613*62c56f98SSadaf Ebrahimi ssl_write_supported_groups_ext_flags |=
614*62c56f98SSadaf Ebrahimi SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG;
615*62c56f98SSadaf Ebrahimi }
616*62c56f98SSadaf Ebrahimi #endif
617*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC)
618*62c56f98SSadaf Ebrahimi if (propose_tls12 && tls12_uses_ec) {
619*62c56f98SSadaf Ebrahimi ssl_write_supported_groups_ext_flags |=
620*62c56f98SSadaf Ebrahimi SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG;
621*62c56f98SSadaf Ebrahimi }
622*62c56f98SSadaf Ebrahimi #endif
623*62c56f98SSadaf Ebrahimi if (ssl_write_supported_groups_ext_flags != 0) {
624*62c56f98SSadaf Ebrahimi ret = ssl_write_supported_groups_ext(ssl, p, end,
625*62c56f98SSadaf Ebrahimi ssl_write_supported_groups_ext_flags,
626*62c56f98SSadaf Ebrahimi &output_len);
627*62c56f98SSadaf Ebrahimi if (ret != 0) {
628*62c56f98SSadaf Ebrahimi return ret;
629*62c56f98SSadaf Ebrahimi }
630*62c56f98SSadaf Ebrahimi p += output_len;
631*62c56f98SSadaf Ebrahimi }
632*62c56f98SSadaf Ebrahimi }
633*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC ||
634*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
635*62c56f98SSadaf Ebrahimi
636*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
637*62c56f98SSadaf Ebrahimi int write_sig_alg_ext = 0;
638*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
639*62c56f98SSadaf Ebrahimi write_sig_alg_ext = write_sig_alg_ext ||
640*62c56f98SSadaf Ebrahimi (propose_tls13 && mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl));
641*62c56f98SSadaf Ebrahimi #endif
642*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
643*62c56f98SSadaf Ebrahimi write_sig_alg_ext = write_sig_alg_ext || propose_tls12;
644*62c56f98SSadaf Ebrahimi #endif
645*62c56f98SSadaf Ebrahimi
646*62c56f98SSadaf Ebrahimi if (write_sig_alg_ext) {
647*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_write_sig_alg_ext(ssl, p, end, &output_len);
648*62c56f98SSadaf Ebrahimi if (ret != 0) {
649*62c56f98SSadaf Ebrahimi return ret;
650*62c56f98SSadaf Ebrahimi }
651*62c56f98SSadaf Ebrahimi p += output_len;
652*62c56f98SSadaf Ebrahimi }
653*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
654*62c56f98SSadaf Ebrahimi
655*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
656*62c56f98SSadaf Ebrahimi if (propose_tls12) {
657*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls12_write_client_hello_exts(ssl, p, end,
658*62c56f98SSadaf Ebrahimi tls12_uses_ec,
659*62c56f98SSadaf Ebrahimi &output_len);
660*62c56f98SSadaf Ebrahimi if (ret != 0) {
661*62c56f98SSadaf Ebrahimi return ret;
662*62c56f98SSadaf Ebrahimi }
663*62c56f98SSadaf Ebrahimi p += output_len;
664*62c56f98SSadaf Ebrahimi }
665*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
666*62c56f98SSadaf Ebrahimi
667*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
668*62c56f98SSadaf Ebrahimi /* The "pre_shared_key" extension (RFC 8446 Section 4.2.11)
669*62c56f98SSadaf Ebrahimi * MUST be the last extension in the ClientHello.
670*62c56f98SSadaf Ebrahimi */
671*62c56f98SSadaf Ebrahimi if (propose_tls13 && mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) {
672*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
673*62c56f98SSadaf Ebrahimi ssl, p, end, &output_len, binders_len);
674*62c56f98SSadaf Ebrahimi if (ret != 0) {
675*62c56f98SSadaf Ebrahimi return ret;
676*62c56f98SSadaf Ebrahimi }
677*62c56f98SSadaf Ebrahimi p += output_len;
678*62c56f98SSadaf Ebrahimi }
679*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
680*62c56f98SSadaf Ebrahimi
681*62c56f98SSadaf Ebrahimi /* Write the length of the list of extensions. */
682*62c56f98SSadaf Ebrahimi extensions_len = p - p_extensions_len - 2;
683*62c56f98SSadaf Ebrahimi
684*62c56f98SSadaf Ebrahimi if (extensions_len == 0) {
685*62c56f98SSadaf Ebrahimi p = p_extensions_len;
686*62c56f98SSadaf Ebrahimi } else {
687*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0);
688*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, total extension length: %" \
689*62c56f98SSadaf Ebrahimi MBEDTLS_PRINTF_SIZET, extensions_len));
690*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions",
691*62c56f98SSadaf Ebrahimi p_extensions_len, extensions_len);
692*62c56f98SSadaf Ebrahimi }
693*62c56f98SSadaf Ebrahimi
694*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
695*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_EXTS(
696*62c56f98SSadaf Ebrahimi 3, MBEDTLS_SSL_HS_CLIENT_HELLO, handshake->sent_extensions);
697*62c56f98SSadaf Ebrahimi #endif
698*62c56f98SSadaf Ebrahimi
699*62c56f98SSadaf Ebrahimi *out_len = p - buf;
700*62c56f98SSadaf Ebrahimi return 0;
701*62c56f98SSadaf Ebrahimi }
702*62c56f98SSadaf Ebrahimi
703*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_generate_random(mbedtls_ssl_context * ssl)704*62c56f98SSadaf Ebrahimi static int ssl_generate_random(mbedtls_ssl_context *ssl)
705*62c56f98SSadaf Ebrahimi {
706*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
707*62c56f98SSadaf Ebrahimi unsigned char *randbytes = ssl->handshake->randbytes;
708*62c56f98SSadaf Ebrahimi size_t gmt_unix_time_len = 0;
709*62c56f98SSadaf Ebrahimi
710*62c56f98SSadaf Ebrahimi /*
711*62c56f98SSadaf Ebrahimi * Generate the random bytes
712*62c56f98SSadaf Ebrahimi *
713*62c56f98SSadaf Ebrahimi * TLS 1.2 case:
714*62c56f98SSadaf Ebrahimi * struct {
715*62c56f98SSadaf Ebrahimi * uint32 gmt_unix_time;
716*62c56f98SSadaf Ebrahimi * opaque random_bytes[28];
717*62c56f98SSadaf Ebrahimi * } Random;
718*62c56f98SSadaf Ebrahimi *
719*62c56f98SSadaf Ebrahimi * TLS 1.3 case:
720*62c56f98SSadaf Ebrahimi * opaque Random[32];
721*62c56f98SSadaf Ebrahimi */
722*62c56f98SSadaf Ebrahimi if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
723*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_HAVE_TIME)
724*62c56f98SSadaf Ebrahimi mbedtls_time_t gmt_unix_time = mbedtls_time(NULL);
725*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT32_BE(gmt_unix_time, randbytes, 0);
726*62c56f98SSadaf Ebrahimi gmt_unix_time_len = 4;
727*62c56f98SSadaf Ebrahimi
728*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3,
729*62c56f98SSadaf Ebrahimi ("client hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
730*62c56f98SSadaf Ebrahimi (long long) gmt_unix_time));
731*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_HAVE_TIME */
732*62c56f98SSadaf Ebrahimi }
733*62c56f98SSadaf Ebrahimi
734*62c56f98SSadaf Ebrahimi ret = ssl->conf->f_rng(ssl->conf->p_rng,
735*62c56f98SSadaf Ebrahimi randbytes + gmt_unix_time_len,
736*62c56f98SSadaf Ebrahimi MBEDTLS_CLIENT_HELLO_RANDOM_LEN - gmt_unix_time_len);
737*62c56f98SSadaf Ebrahimi return ret;
738*62c56f98SSadaf Ebrahimi }
739*62c56f98SSadaf Ebrahimi
740*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_prepare_client_hello(mbedtls_ssl_context * ssl)741*62c56f98SSadaf Ebrahimi static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
742*62c56f98SSadaf Ebrahimi {
743*62c56f98SSadaf Ebrahimi int ret;
744*62c56f98SSadaf Ebrahimi size_t session_id_len;
745*62c56f98SSadaf Ebrahimi mbedtls_ssl_session *session_negotiate = ssl->session_negotiate;
746*62c56f98SSadaf Ebrahimi
747*62c56f98SSadaf Ebrahimi if (session_negotiate == NULL) {
748*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
749*62c56f98SSadaf Ebrahimi }
750*62c56f98SSadaf Ebrahimi
751*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
752*62c56f98SSadaf Ebrahimi defined(MBEDTLS_SSL_SESSION_TICKETS) && \
753*62c56f98SSadaf Ebrahimi defined(MBEDTLS_HAVE_TIME)
754*62c56f98SSadaf Ebrahimi
755*62c56f98SSadaf Ebrahimi /* Check if a tls13 ticket has been configured. */
756*62c56f98SSadaf Ebrahimi if (ssl->handshake->resume != 0 &&
757*62c56f98SSadaf Ebrahimi session_negotiate->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
758*62c56f98SSadaf Ebrahimi session_negotiate->ticket != NULL) {
759*62c56f98SSadaf Ebrahimi mbedtls_time_t now = mbedtls_time(NULL);
760*62c56f98SSadaf Ebrahimi uint64_t age = (uint64_t) (now - session_negotiate->ticket_received);
761*62c56f98SSadaf Ebrahimi if (session_negotiate->ticket_received > now ||
762*62c56f98SSadaf Ebrahimi age > session_negotiate->ticket_lifetime) {
763*62c56f98SSadaf Ebrahimi /* Without valid ticket, disable session resumption.*/
764*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
765*62c56f98SSadaf Ebrahimi 3, ("Ticket expired, disable session resumption"));
766*62c56f98SSadaf Ebrahimi ssl->handshake->resume = 0;
767*62c56f98SSadaf Ebrahimi }
768*62c56f98SSadaf Ebrahimi }
769*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
770*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_SESSION_TICKETS &&
771*62c56f98SSadaf Ebrahimi MBEDTLS_HAVE_TIME */
772*62c56f98SSadaf Ebrahimi
773*62c56f98SSadaf Ebrahimi if (ssl->conf->f_rng == NULL) {
774*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
775*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_NO_RNG;
776*62c56f98SSadaf Ebrahimi }
777*62c56f98SSadaf Ebrahimi
778*62c56f98SSadaf Ebrahimi /* Bet on the highest configured version if we are not in a TLS 1.2
779*62c56f98SSadaf Ebrahimi * renegotiation or session resumption.
780*62c56f98SSadaf Ebrahimi */
781*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_RENEGOTIATION)
782*62c56f98SSadaf Ebrahimi if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
783*62c56f98SSadaf Ebrahimi ssl->handshake->min_tls_version = ssl->tls_version;
784*62c56f98SSadaf Ebrahimi } else
785*62c56f98SSadaf Ebrahimi #endif
786*62c56f98SSadaf Ebrahimi {
787*62c56f98SSadaf Ebrahimi if (ssl->handshake->resume) {
788*62c56f98SSadaf Ebrahimi ssl->tls_version = session_negotiate->tls_version;
789*62c56f98SSadaf Ebrahimi ssl->handshake->min_tls_version = ssl->tls_version;
790*62c56f98SSadaf Ebrahimi } else {
791*62c56f98SSadaf Ebrahimi ssl->handshake->min_tls_version = ssl->conf->min_tls_version;
792*62c56f98SSadaf Ebrahimi }
793*62c56f98SSadaf Ebrahimi }
794*62c56f98SSadaf Ebrahimi
795*62c56f98SSadaf Ebrahimi /*
796*62c56f98SSadaf Ebrahimi * Generate the random bytes, except when responding to a verify request
797*62c56f98SSadaf Ebrahimi * where we MUST reuse the previously generated random bytes
798*62c56f98SSadaf Ebrahimi * (RFC 6347 4.2.1).
799*62c56f98SSadaf Ebrahimi */
800*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_DTLS)
801*62c56f98SSadaf Ebrahimi if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
802*62c56f98SSadaf Ebrahimi (ssl->handshake->cookie == NULL))
803*62c56f98SSadaf Ebrahimi #endif
804*62c56f98SSadaf Ebrahimi {
805*62c56f98SSadaf Ebrahimi ret = ssl_generate_random(ssl);
806*62c56f98SSadaf Ebrahimi if (ret != 0) {
807*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "Random bytes generation failed", ret);
808*62c56f98SSadaf Ebrahimi return ret;
809*62c56f98SSadaf Ebrahimi }
810*62c56f98SSadaf Ebrahimi }
811*62c56f98SSadaf Ebrahimi
812*62c56f98SSadaf Ebrahimi /*
813*62c56f98SSadaf Ebrahimi * Prepare session identifier. At that point, the length of the session
814*62c56f98SSadaf Ebrahimi * identifier in the SSL context `ssl->session_negotiate->id_len` is equal
815*62c56f98SSadaf Ebrahimi * to zero, except in the case of a TLS 1.2 session renegotiation or
816*62c56f98SSadaf Ebrahimi * session resumption.
817*62c56f98SSadaf Ebrahimi */
818*62c56f98SSadaf Ebrahimi session_id_len = session_negotiate->id_len;
819*62c56f98SSadaf Ebrahimi
820*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
821*62c56f98SSadaf Ebrahimi if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
822*62c56f98SSadaf Ebrahimi if (session_id_len < 16 || session_id_len > 32 ||
823*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_RENEGOTIATION)
824*62c56f98SSadaf Ebrahimi ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
825*62c56f98SSadaf Ebrahimi #endif
826*62c56f98SSadaf Ebrahimi ssl->handshake->resume == 0) {
827*62c56f98SSadaf Ebrahimi session_id_len = 0;
828*62c56f98SSadaf Ebrahimi }
829*62c56f98SSadaf Ebrahimi
830*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
831*62c56f98SSadaf Ebrahimi /*
832*62c56f98SSadaf Ebrahimi * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
833*62c56f98SSadaf Ebrahimi * generate and include a Session ID in the TLS ClientHello."
834*62c56f98SSadaf Ebrahimi */
835*62c56f98SSadaf Ebrahimi int renegotiating = 0;
836*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_RENEGOTIATION)
837*62c56f98SSadaf Ebrahimi if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
838*62c56f98SSadaf Ebrahimi renegotiating = 1;
839*62c56f98SSadaf Ebrahimi }
840*62c56f98SSadaf Ebrahimi #endif
841*62c56f98SSadaf Ebrahimi if (!renegotiating) {
842*62c56f98SSadaf Ebrahimi if ((session_negotiate->ticket != NULL) &&
843*62c56f98SSadaf Ebrahimi (session_negotiate->ticket_len != 0)) {
844*62c56f98SSadaf Ebrahimi session_id_len = 32;
845*62c56f98SSadaf Ebrahimi }
846*62c56f98SSadaf Ebrahimi }
847*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SESSION_TICKETS */
848*62c56f98SSadaf Ebrahimi }
849*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
850*62c56f98SSadaf Ebrahimi
851*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
852*62c56f98SSadaf Ebrahimi if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
853*62c56f98SSadaf Ebrahimi /*
854*62c56f98SSadaf Ebrahimi * Create a legacy session identifier for the purpose of middlebox
855*62c56f98SSadaf Ebrahimi * compatibility only if one has not been created already, which is
856*62c56f98SSadaf Ebrahimi * the case if we are here for the TLS 1.3 second ClientHello.
857*62c56f98SSadaf Ebrahimi *
858*62c56f98SSadaf Ebrahimi * Versions of TLS before TLS 1.3 supported a "session resumption"
859*62c56f98SSadaf Ebrahimi * feature which has been merged with pre-shared keys in TLS 1.3
860*62c56f98SSadaf Ebrahimi * version. A client which has a cached session ID set by a pre-TLS 1.3
861*62c56f98SSadaf Ebrahimi * server SHOULD set this field to that value. In compatibility mode,
862*62c56f98SSadaf Ebrahimi * this field MUST be non-empty, so a client not offering a pre-TLS 1.3
863*62c56f98SSadaf Ebrahimi * session MUST generate a new 32-byte value. This value need not be
864*62c56f98SSadaf Ebrahimi * random but SHOULD be unpredictable to avoid implementations fixating
865*62c56f98SSadaf Ebrahimi * on a specific value (also known as ossification). Otherwise, it MUST
866*62c56f98SSadaf Ebrahimi * be set as a zero-length vector ( i.e., a zero-valued single byte
867*62c56f98SSadaf Ebrahimi * length field ).
868*62c56f98SSadaf Ebrahimi */
869*62c56f98SSadaf Ebrahimi session_id_len = 32;
870*62c56f98SSadaf Ebrahimi }
871*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
872*62c56f98SSadaf Ebrahimi
873*62c56f98SSadaf Ebrahimi if (session_id_len != session_negotiate->id_len) {
874*62c56f98SSadaf Ebrahimi session_negotiate->id_len = session_id_len;
875*62c56f98SSadaf Ebrahimi if (session_id_len > 0) {
876*62c56f98SSadaf Ebrahimi ret = ssl->conf->f_rng(ssl->conf->p_rng,
877*62c56f98SSadaf Ebrahimi session_negotiate->id,
878*62c56f98SSadaf Ebrahimi session_id_len);
879*62c56f98SSadaf Ebrahimi if (ret != 0) {
880*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "creating session id failed", ret);
881*62c56f98SSadaf Ebrahimi return ret;
882*62c56f98SSadaf Ebrahimi }
883*62c56f98SSadaf Ebrahimi }
884*62c56f98SSadaf Ebrahimi }
885*62c56f98SSadaf Ebrahimi
886*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
887*62c56f98SSadaf Ebrahimi defined(MBEDTLS_SSL_SESSION_TICKETS) && \
888*62c56f98SSadaf Ebrahimi defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
889*62c56f98SSadaf Ebrahimi if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
890*62c56f98SSadaf Ebrahimi ssl->handshake->resume) {
891*62c56f98SSadaf Ebrahimi int hostname_mismatch = ssl->hostname != NULL ||
892*62c56f98SSadaf Ebrahimi session_negotiate->hostname != NULL;
893*62c56f98SSadaf Ebrahimi if (ssl->hostname != NULL && session_negotiate->hostname != NULL) {
894*62c56f98SSadaf Ebrahimi hostname_mismatch = strcmp(
895*62c56f98SSadaf Ebrahimi ssl->hostname, session_negotiate->hostname) != 0;
896*62c56f98SSadaf Ebrahimi }
897*62c56f98SSadaf Ebrahimi
898*62c56f98SSadaf Ebrahimi if (hostname_mismatch) {
899*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
900*62c56f98SSadaf Ebrahimi 1, ("Hostname mismatch the session ticket, "
901*62c56f98SSadaf Ebrahimi "disable session resumption."));
902*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
903*62c56f98SSadaf Ebrahimi }
904*62c56f98SSadaf Ebrahimi } else {
905*62c56f98SSadaf Ebrahimi return mbedtls_ssl_session_set_hostname(session_negotiate,
906*62c56f98SSadaf Ebrahimi ssl->hostname);
907*62c56f98SSadaf Ebrahimi }
908*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
909*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_SESSION_TICKETS &&
910*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_SERVER_NAME_INDICATION */
911*62c56f98SSadaf Ebrahimi
912*62c56f98SSadaf Ebrahimi return 0;
913*62c56f98SSadaf Ebrahimi }
914*62c56f98SSadaf Ebrahimi /*
915*62c56f98SSadaf Ebrahimi * Write ClientHello handshake message.
916*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_CLIENT_HELLO
917*62c56f98SSadaf Ebrahimi */
mbedtls_ssl_write_client_hello(mbedtls_ssl_context * ssl)918*62c56f98SSadaf Ebrahimi int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl)
919*62c56f98SSadaf Ebrahimi {
920*62c56f98SSadaf Ebrahimi int ret = 0;
921*62c56f98SSadaf Ebrahimi unsigned char *buf;
922*62c56f98SSadaf Ebrahimi size_t buf_len, msg_len, binders_len;
923*62c56f98SSadaf Ebrahimi
924*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client hello"));
925*62c56f98SSadaf Ebrahimi
926*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_prepare_client_hello(ssl));
927*62c56f98SSadaf Ebrahimi
928*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
929*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
930*62c56f98SSadaf Ebrahimi &buf, &buf_len));
931*62c56f98SSadaf Ebrahimi
932*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_write_client_hello_body(ssl, buf,
933*62c56f98SSadaf Ebrahimi buf + buf_len,
934*62c56f98SSadaf Ebrahimi &msg_len,
935*62c56f98SSadaf Ebrahimi &binders_len));
936*62c56f98SSadaf Ebrahimi
937*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_DTLS)
938*62c56f98SSadaf Ebrahimi if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
939*62c56f98SSadaf Ebrahimi ssl->out_msglen = msg_len + 4;
940*62c56f98SSadaf Ebrahimi mbedtls_ssl_send_flight_completed(ssl);
941*62c56f98SSadaf Ebrahimi
942*62c56f98SSadaf Ebrahimi /*
943*62c56f98SSadaf Ebrahimi * The two functions below may try to send data on the network and
944*62c56f98SSadaf Ebrahimi * can return with the MBEDTLS_ERR_SSL_WANT_READ error code when they
945*62c56f98SSadaf Ebrahimi * fail to do so and the transmission has to be retried later. In that
946*62c56f98SSadaf Ebrahimi * case as in fatal error cases, we return immediately. But we must have
947*62c56f98SSadaf Ebrahimi * set the handshake state to the next state at that point to ensure
948*62c56f98SSadaf Ebrahimi * that we will not write and send again a ClientHello when we
949*62c56f98SSadaf Ebrahimi * eventually succeed in sending the pending data.
950*62c56f98SSadaf Ebrahimi */
951*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
952*62c56f98SSadaf Ebrahimi
953*62c56f98SSadaf Ebrahimi if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
954*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
955*62c56f98SSadaf Ebrahimi return ret;
956*62c56f98SSadaf Ebrahimi }
957*62c56f98SSadaf Ebrahimi
958*62c56f98SSadaf Ebrahimi if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
959*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
960*62c56f98SSadaf Ebrahimi return ret;
961*62c56f98SSadaf Ebrahimi }
962*62c56f98SSadaf Ebrahimi } else
963*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */
964*62c56f98SSadaf Ebrahimi {
965*62c56f98SSadaf Ebrahimi
966*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
967*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_HS_CLIENT_HELLO,
968*62c56f98SSadaf Ebrahimi msg_len);
969*62c56f98SSadaf Ebrahimi if (ret != 0) {
970*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_add_hs_hdr_to_checksum", ret);
971*62c56f98SSadaf Ebrahimi return ret;
972*62c56f98SSadaf Ebrahimi }
973*62c56f98SSadaf Ebrahimi ret = ssl->handshake->update_checksum(ssl, buf, msg_len - binders_len);
974*62c56f98SSadaf Ebrahimi if (ret != 0) {
975*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
976*62c56f98SSadaf Ebrahimi return ret;
977*62c56f98SSadaf Ebrahimi }
978*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
979*62c56f98SSadaf Ebrahimi if (binders_len > 0) {
980*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(
981*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
982*62c56f98SSadaf Ebrahimi ssl, buf + msg_len - binders_len, buf + msg_len));
983*62c56f98SSadaf Ebrahimi ret = ssl->handshake->update_checksum(ssl, buf + msg_len - binders_len,
984*62c56f98SSadaf Ebrahimi binders_len);
985*62c56f98SSadaf Ebrahimi if (ret != 0) {
986*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
987*62c56f98SSadaf Ebrahimi return ret;
988*62c56f98SSadaf Ebrahimi }
989*62c56f98SSadaf Ebrahimi }
990*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
991*62c56f98SSadaf Ebrahimi
992*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl,
993*62c56f98SSadaf Ebrahimi buf_len,
994*62c56f98SSadaf Ebrahimi msg_len));
995*62c56f98SSadaf Ebrahimi
996*62c56f98SSadaf Ebrahimi /*
997*62c56f98SSadaf Ebrahimi * Set next state. Note that if TLS 1.3 is proposed, this may be
998*62c56f98SSadaf Ebrahimi * overwritten by mbedtls_ssl_tls13_finalize_client_hello().
999*62c56f98SSadaf Ebrahimi */
1000*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
1001*62c56f98SSadaf Ebrahimi
1002*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1003*62c56f98SSadaf Ebrahimi if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
1004*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_VERSION_TLS1_3 <= ssl->tls_version) {
1005*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_finalize_client_hello(ssl);
1006*62c56f98SSadaf Ebrahimi }
1007*62c56f98SSadaf Ebrahimi #endif
1008*62c56f98SSadaf Ebrahimi }
1009*62c56f98SSadaf Ebrahimi
1010*62c56f98SSadaf Ebrahimi cleanup:
1011*62c56f98SSadaf Ebrahimi
1012*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client hello"));
1013*62c56f98SSadaf Ebrahimi return ret;
1014*62c56f98SSadaf Ebrahimi }
1015*62c56f98SSadaf Ebrahimi
1016*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_PROTO_TLS1_3 || MBEDTLS_SSL_PROTO_TLS1_2 */
1017*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_CLI_C */
1018