This commit was manufactured by cvs2git to create tag 'tb_20250414'.tb_20250414

author: cvs2svn <admin@example.com> 2025-04-14 17:32:06 +0000
committer: cvs2svn <admin@example.com> 2025-04-14 17:32:06 +0000
commit: eb8dd9dca1228af0cd132f515509051ecfabf6f6 (patch)
tree: edb6da6af7e865d488dc1a29309f1e1ec226e603 /src/lib/libssl/tls13_lib.c
parent: 247f0352e0ed72a4f476db9dc91f4d982bc83eb2 (diff)
download: openbsd-tb_20250414.tar.gz
openbsd-tb_20250414.tar.bz2
openbsd-tb_20250414.zip
1 files changed, 0 insertions, 737 deletions
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
deleted file mode 100644
index 331a3ad1a7..0000000000
--- a/src/lib/libssl/tls13_lib.c
+++ /dev/null
@@ -1,737 +0,0 @@
-/*      $OpenBSD: tls13_lib.c,v 1.77 2024/01/27 14:23:51 jsing Exp $ */
-/*
- * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
- * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <stddef.h>
-#include <openssl/evp.h>
-#include "ssl_local.h"
-#include "ssl_tlsext.h"
-#include "tls13_internal.h"
-/*
- * RFC 8446, section 4.6.1. Servers must not indicate a lifetime longer than
- * 7 days and clients must not cache tickets for longer than 7 days.
- */
-#define TLS13_MAX_TICKET_LIFETIME       (7 * 24 * 3600)
-/*
- * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
- * by the server in server random if it is willing to downgrade but supports
- * TLSv1.3
- */
-const uint8_t tls13_downgrade_12[8] = {
-        0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
-};
-const uint8_t tls13_downgrade_11[8] = {
-        0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
-};
-/*
- * HelloRetryRequest hash - RFC 8446 section 4.1.3.
- */
-const uint8_t tls13_hello_retry_request_hash[32] = {
-        0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
-        0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
-        0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
-        0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
-};
-/*
- * Certificate Verify padding - RFC 8446 section 4.4.3.
- */
-const uint8_t tls13_cert_verify_pad[64] = {
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-};
-const uint8_t tls13_cert_client_verify_context[] =
-    "TLS 1.3, client CertificateVerify";
-const uint8_t tls13_cert_server_verify_context[] =
-    "TLS 1.3, server CertificateVerify";
-const EVP_AEAD *
-tls13_cipher_aead(const SSL_CIPHER *cipher)
-{
-        if (cipher == NULL)
-                return NULL;
-        if (cipher->algorithm_ssl != SSL_TLSV1_3)
-                return NULL;
-        switch (cipher->algorithm_enc) {
-        case SSL_AES128GCM:
-                return EVP_aead_aes_128_gcm();
-        case SSL_AES256GCM:
-                return EVP_aead_aes_256_gcm();
-        case SSL_CHACHA20POLY1305:
-                return EVP_aead_chacha20_poly1305();
-        }
-        return NULL;
-}
-const EVP_MD *
-tls13_cipher_hash(const SSL_CIPHER *cipher)
-{
-        if (cipher == NULL)
-                return NULL;
-        if (cipher->algorithm_ssl != SSL_TLSV1_3)
-                return NULL;
-        switch (cipher->algorithm2) {
-        case SSL_HANDSHAKE_MAC_SHA256:
-                return EVP_sha256();
-        case SSL_HANDSHAKE_MAC_SHA384:
-                return EVP_sha384();
-        }
-        return NULL;
-}
-static void
-tls13_legacy_alert_cb(int sent, uint8_t alert_level, uint8_t alert_desc,
-    void *arg)
-{
-        uint8_t alert[] = {alert_level, alert_desc};
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        CBS cbs;
-        if (s->msg_callback == NULL)
-                return;
-        CBS_init(&cbs, alert, sizeof(alert));
-        ssl_msg_callback_cbs(s, sent, SSL3_RT_ALERT, &cbs);
-}
-static void
-tls13_legacy_alert_recv_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
-{
-        tls13_legacy_alert_cb(0, alert_level, alert_desc, arg);
-}
-static void
-tls13_legacy_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
-{
-        tls13_legacy_alert_cb(1, alert_level, alert_desc, arg);
-}
-void
-tls13_alert_received_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        if (ctx->alert_recv_cb != NULL)
-                ctx->alert_recv_cb(alert_level, alert_desc, arg);
-        if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
-                ctx->close_notify_recv = 1;
-                ctx->ssl->shutdown |= SSL_RECEIVED_SHUTDOWN;
-                ctx->ssl->s3->warn_alert = alert_desc;
-                return;
-        }
-        if (alert_desc == TLS13_ALERT_USER_CANCELED) {
-                /*
-                 * We treat this as advisory, since a close_notify alert
-                 * SHOULD follow this alert (RFC 8446 section 6.1).
-                 */
-                return;
-        }
-        /* All other alerts are treated as fatal in TLSv1.3. */
-        ctx->ssl->s3->fatal_alert = alert_desc;
-        SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
-        ERR_asprintf_error_data("SSL alert number %d", alert_desc);
-        SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
-}
-void
-tls13_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        if (ctx->alert_sent_cb != NULL)
-                ctx->alert_sent_cb(alert_level, alert_desc, arg);
-        if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
-                ctx->close_notify_sent = 1;
-                return;
-        }
-        if (alert_desc == TLS13_ALERT_USER_CANCELED) {
-                return;
-        }
-        /* All other alerts are treated as fatal in TLSv1.3. */
-        if (ctx->error.code == 0)
-                SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
-}
-static void
-tls13_legacy_handshake_message_recv_cb(void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        CBS cbs;
-        if (s->msg_callback == NULL)
-                return;
-        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
-        ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE, &cbs);
-}
-static void
-tls13_legacy_handshake_message_sent_cb(void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        CBS cbs;
-        if (s->msg_callback == NULL)
-                return;
-        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
-        ssl_msg_callback_cbs(s, 1, SSL3_RT_HANDSHAKE, &cbs);
-}
-static void
-tls13_legacy_info_cb(void *arg, int state, int ret)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        ssl_info_callback(s, state, ret);
-}
-static int
-tls13_legacy_ocsp_status_recv_cb(void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        int ret;
-        if (s->ctx->tlsext_status_cb == NULL)
-                return 1;
-        ret = s->ctx->tlsext_status_cb(s,
-            s->ctx->tlsext_status_arg);
-        if (ret < 0) {
-                ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        if (ret == 0) {
-                ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE;
-                SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
-                return 0;
-        }
-        return 1;
-}
-static int
-tls13_phh_update_read_traffic_secret(struct tls13_ctx *ctx)
-{
-        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-        struct tls13_secret *secret;
-        if (ctx->mode == TLS13_HS_CLIENT) {
-                secret = &secrets->server_application_traffic;
-                if (!tls13_update_server_traffic_secret(secrets))
-                        return 0;
-        } else {
-                secret = &secrets->client_application_traffic;
-                if (!tls13_update_client_traffic_secret(secrets))
-                        return 0;
-        }
-        return tls13_record_layer_set_read_traffic_key(ctx->rl,
-            secret, ssl_encryption_application);
-}
-static int
-tls13_phh_update_write_traffic_secret(struct tls13_ctx *ctx)
-{
-        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-        struct tls13_secret *secret;
-        if (ctx->mode == TLS13_HS_CLIENT) {
-                secret = &secrets->client_application_traffic;
-                if (!tls13_update_client_traffic_secret(secrets))
-                        return 0;
-        } else {
-                secret = &secrets->server_application_traffic;
-                if (!tls13_update_server_traffic_secret(secrets))
-                        return 0;
-        }
-        return tls13_record_layer_set_write_traffic_key(ctx->rl,
-            secret, ssl_encryption_application);
-}
-/*
- * XXX arbitrarily chosen limit of 100 post handshake handshake
- * messages in an hour - to avoid a hostile peer from constantly
- * requesting certificates or key renegotiaitons, etc.
- */
-static int
-tls13_phh_limit_check(struct tls13_ctx *ctx)
-{
-        time_t now = time(NULL);
-        if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
-                if (ctx->phh_count > TLS13_PHH_LIMIT)
-                        return 0;
-        } else
-                ctx->phh_count = 0;
-        ctx->phh_count++;
-        ctx->phh_last_seen = now;
-        return 1;
-}
-static ssize_t
-tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
-{
-        struct tls13_handshake_msg *hs_msg = NULL;
-        CBB cbb_hs;
-        CBS cbs_hs;
-        uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
-        uint8_t key_update_request;
-        ssize_t ret;
-        if (!CBS_get_u8(cbs, &key_update_request)) {
-                alert = TLS13_ALERT_DECODE_ERROR;
-                goto err;
-        }
-        if (CBS_len(cbs) != 0) {
-                alert = TLS13_ALERT_DECODE_ERROR;
-                goto err;
-        }
-        if (key_update_request > 1) {
-                alert = TLS13_ALERT_ILLEGAL_PARAMETER;
-                goto err;
-        }
-        if (!tls13_phh_update_read_traffic_secret(ctx))
-                goto err;
-        if (key_update_request == 0)
-                return TLS13_IO_SUCCESS;
-        /* Our peer requested that we update our write traffic keys. */
-        if ((hs_msg = tls13_handshake_msg_new()) == NULL)
-                goto err;
-        if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE))
-                goto err;
-        if (!CBB_add_u8(&cbb_hs, 0))
-                goto err;
-        if (!tls13_handshake_msg_finish(hs_msg))
-                goto err;
-        ctx->key_update_request = 1;
-        tls13_handshake_msg_data(hs_msg, &cbs_hs);
-        ret = tls13_record_layer_phh(ctx->rl, &cbs_hs);
-        tls13_handshake_msg_free(hs_msg);
-        hs_msg = NULL;
-        return ret;
- err:
-        tls13_handshake_msg_free(hs_msg);
-        return tls13_send_alert(ctx->rl, alert);
-}
-/* RFC 8446 section 4.6.1 */
-static ssize_t
-tls13_new_session_ticket_recv(struct tls13_ctx *ctx, CBS *cbs)
-{
-        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-        struct tls13_secret nonce;
-        uint32_t ticket_lifetime, ticket_age_add;
-        CBS ticket_nonce, ticket;
-        SSL_SESSION *sess = NULL;
-        int alert, session_id_length;
-        ssize_t ret = 0;
-        memset(&nonce, 0, sizeof(nonce));
-        if (ctx->mode != TLS13_HS_CLIENT) {
-                alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
-                goto err;
-        }
-        alert = TLS13_ALERT_DECODE_ERROR;
-        if (!CBS_get_u32(cbs, &ticket_lifetime))
-                goto err;
-        if (!CBS_get_u32(cbs, &ticket_age_add))
-                goto err;
-        if (!CBS_get_u8_length_prefixed(cbs, &ticket_nonce))
-                goto err;
-        if (!CBS_get_u16_length_prefixed(cbs, &ticket))
-                goto err;
-        /* Extensions can only contain early_data, which we currently ignore. */
-        if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_NST, cbs, &alert))
-                goto err;
-        if (CBS_len(cbs) != 0)
-                goto err;
-        /* Zero indicates that the ticket should be discarded immediately. */
-        if (ticket_lifetime == 0) {
-                ret = TLS13_IO_SUCCESS;
-                goto done;
-        }
-        /* Servers MUST NOT use any value larger than 7 days. */
-        if (ticket_lifetime > TLS13_MAX_TICKET_LIFETIME) {
-                alert = TLS13_ALERT_ILLEGAL_PARAMETER;
-                goto err;
-        }
-        alert = TLS13_ALERT_INTERNAL_ERROR;
-        /*
-         * Create new session instead of modifying the current session.
-         * The current session could already be in the session cache.
-         */
-        if ((sess = ssl_session_dup(ctx->ssl->session, 0)) == NULL)
-                goto err;
-        sess->time = time(NULL);
-        sess->tlsext_tick_lifetime_hint = ticket_lifetime;
-        sess->tlsext_tick_age_add = ticket_age_add;
-        if (!CBS_stow(&ticket, &sess->tlsext_tick, &sess->tlsext_ticklen))
-                goto err;
-        /* XXX - ensure this doesn't overflow session_id if hash is changed. */
-        if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),
-            sess->session_id, &session_id_length, EVP_sha256(), NULL))
-                goto err;
-        sess->session_id_length = session_id_length;
-        if (!CBS_stow(&ticket_nonce, &nonce.data, &nonce.len))
-                goto err;
-        if (!tls13_secret_init(&sess->resumption_master_secret, 256))
-                goto err;
-        if (!tls13_derive_secret(&sess->resumption_master_secret,
-            secrets->digest, &secrets->resumption_master, "resumption",
-            &nonce))
-                goto err;
-        SSL_SESSION_free(ctx->ssl->session);
-        ctx->ssl->session = sess;
-        sess = NULL;
-        ssl_update_cache(ctx->ssl, SSL_SESS_CACHE_CLIENT);
-        ret = TLS13_IO_SUCCESS;
-        goto done;
- err:
-        ret = tls13_send_alert(ctx->rl, alert);
- done:
-        tls13_secret_cleanup(&nonce);
-        SSL_SESSION_free(sess);
-        return ret;
-}
-ssize_t
-tls13_phh_received_cb(void *cb_arg)
-{
-        ssize_t ret = TLS13_IO_FAILURE;
-        struct tls13_ctx *ctx = cb_arg;
-        CBS cbs;
-        if (!tls13_phh_limit_check(ctx))
-                return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
-        if ((ctx->hs_msg == NULL) &&
-            ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
-                return TLS13_IO_FAILURE;
-        if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) !=
-            TLS13_IO_SUCCESS)
-                return ret;
-        if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
-                return TLS13_IO_FAILURE;
-        switch(tls13_handshake_msg_type(ctx->hs_msg)) {
-        case TLS13_MT_KEY_UPDATE:
-                ret = tls13_key_update_recv(ctx, &cbs);
-                break;
-        case TLS13_MT_NEW_SESSION_TICKET:
-                ret = tls13_new_session_ticket_recv(ctx, &cbs);
-                break;
-        case TLS13_MT_CERTIFICATE_REQUEST:
-                /* XXX add support if we choose to advertise this */
-                /* FALLTHROUGH */
-        default:
-                ret = TLS13_IO_FAILURE; /* XXX send alert */
-                break;
-        }
-        tls13_handshake_msg_free(ctx->hs_msg);
-        ctx->hs_msg = NULL;
-        return ret;
-}
-void
-tls13_phh_done_cb(void *cb_arg)
-{
-        struct tls13_ctx *ctx = cb_arg;
-        if (ctx->key_update_request) {
-                tls13_phh_update_write_traffic_secret(ctx);
-                ctx->key_update_request = 0;
-        }
-}
-static const struct tls13_record_layer_callbacks tls13_rl_callbacks = {
-        .wire_read = tls13_legacy_wire_read_cb,
-        .wire_write = tls13_legacy_wire_write_cb,
-        .wire_flush = tls13_legacy_wire_flush_cb,
-        .alert_recv = tls13_alert_received_cb,
-        .alert_sent = tls13_alert_sent_cb,
-        .phh_recv = tls13_phh_received_cb,
-        .phh_sent = tls13_phh_done_cb,
-};
-struct tls13_ctx *
-tls13_ctx_new(int mode, SSL *ssl)
-{
-        struct tls13_ctx *ctx = NULL;
-        if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
-                goto err;
-        ctx->hs = &ssl->s3->hs;
-        ctx->mode = mode;
-        ctx->ssl = ssl;
-        if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL)
-                goto err;
-        ctx->alert_sent_cb = tls13_legacy_alert_sent_cb;
-        ctx->alert_recv_cb = tls13_legacy_alert_recv_cb;
-        ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
-        ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
-        ctx->info_cb = tls13_legacy_info_cb;
-        ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
-        ctx->middlebox_compat = 1;
-        ssl->tls13 = ctx;
-        if (SSL_is_quic(ssl)) {
-                if (!tls13_quic_init(ctx))
-                        goto err;
-        }
-        return ctx;
- err:
-        tls13_ctx_free(ctx);
-        return NULL;
-}
-void
-tls13_ctx_free(struct tls13_ctx *ctx)
-{
-        if (ctx == NULL)
-                return;
-        tls13_error_clear(&ctx->error);
-        tls13_record_layer_free(ctx->rl);
-        tls13_handshake_msg_free(ctx->hs_msg);
-        freezero(ctx, sizeof(struct tls13_ctx));
-}
-int
-tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
-    int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb))
-{
-        CBB cert_data, cert_exts;
-        uint8_t *data;
-        int cert_len;
-        if ((cert_len = i2d_X509(cert, NULL)) < 0)
-                return 0;
-        if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
-                return 0;
-        if (!CBB_add_space(&cert_data, &data, cert_len))
-                return 0;
-        if (i2d_X509(cert, &data) != cert_len)
-                return 0;
-        if (build_extensions != NULL) {
-                if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
-                        return 0;
-        } else {
-                if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
-                        return 0;
-        }
-        if (!CBB_flush(cbb))
-                return 0;
-        return 1;
-}
-int
-tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
-{
-        struct tls13_handshake_msg *hm = NULL;
-        unsigned char buf[EVP_MAX_MD_SIZE];
-        size_t hash_len;
-        CBB cbb;
-        CBS cbs;
-        SSL *s = ctx->ssl;
-        int ret = 0;
-        /*
-         * Replace ClientHello with synthetic handshake message - see
-         * RFC 8446 section 4.4.1.
-         */
-        if (!tls1_transcript_hash_init(s))
-                goto err;
-        if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
-                goto err;
-        if ((hm = tls13_handshake_msg_new()) == NULL)
-                goto err;
-        if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
-                goto err;
-        if (!CBB_add_bytes(&cbb, buf, hash_len))
-                goto err;
-        if (!tls13_handshake_msg_finish(hm))
-                goto err;
-        tls13_handshake_msg_data(hm, &cbs);
-        tls1_transcript_reset(ctx->ssl);
-        if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
-                goto err;
-        ret = 1;
- err:
-        tls13_handshake_msg_free(hm);
-        return ret;
-}
-int
-tls13_clienthello_hash_init(struct tls13_ctx *ctx)
-{
-        if (ctx->hs->tls13.clienthello_md_ctx != NULL)
-                return 0;
-        if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
-                return 0;
-        if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
-            EVP_sha256(), NULL))
-                return 0;
-        if ((ctx->hs->tls13.clienthello_hash == NULL) &&
-            (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
-            NULL)
-                return 0;
-        return 1;
-}
-void
-tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */
-{
-        EVP_MD_CTX_free(hs->clienthello_md_ctx);
-        hs->clienthello_md_ctx = NULL;
-        freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
-        hs->clienthello_hash = NULL;
-}
-int
-tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
-    size_t len)
-{
-        return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
-}
-int
-tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs)
-{
-        return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
-            CBS_len(cbs));
-}
-int
-tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
-{
-        if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
-            ctx->hs->tls13.clienthello_hash,
-            &ctx->hs->tls13.clienthello_hash_len))
-                return 0;
-        EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
-        ctx->hs->tls13.clienthello_md_ctx = NULL;
-        return 1;
-}
-int
-tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
-{
-        unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
-        unsigned int new_ch_hash_len;
-        if (ctx->hs->tls13.clienthello_hash == NULL)
-                return 0;
-        if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
-            new_ch_hash, &new_ch_hash_len))
-                return 0;
-        EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
-        ctx->hs->tls13.clienthello_md_ctx = NULL;
-        if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
-                return 0;
-        if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
-            new_ch_hash_len) != 0)
-                return 0;
-        return 1;
-}
author	cvs2svn <admin@example.com>	2025-04-14 17:32:06 +0000
committer	cvs2svn <admin@example.com>	2025-04-14 17:32:06 +0000
commit	eb8dd9dca1228af0cd132f515509051ecfabf6f6 (patch)
tree	edb6da6af7e865d488dc1a29309f1e1ec226e603 /src/lib/libssl/tls13_lib.c
parent	247f0352e0ed72a4f476db9dc91f4d982bc83eb2 (diff)
download	openbsd-tb_20250414.tar.gz openbsd-tb_20250414.tar.bz2 openbsd-tb_20250414.zip

diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c deleted file mode 100644 index 331a3ad1a7..0000000000 --- a/src/lib/libssl/tls13_lib.c +++ /dev/null
@@ -1,737 +0,0 @@
1	/* $OpenBSD: tls13_lib.c,v 1.77 2024/01/27 14:23:51 jsing Exp $ */
2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
5	*
6	* Permission to use, copy, modify, and distribute this software for any
7	* purpose with or without fee is hereby granted, provided that the above
8	* copyright notice and this permission notice appear in all copies.
9	*
10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/
18
19	#include <stddef.h>
20
21	#include <openssl/evp.h>
22
23	#include "ssl_local.h"
24	#include "ssl_tlsext.h"
25	#include "tls13_internal.h"
26
27	/*
28	* RFC 8446, section 4.6.1. Servers must not indicate a lifetime longer than
29	* 7 days and clients must not cache tickets for longer than 7 days.
30	*/
31
32	#define TLS13_MAX_TICKET_LIFETIME (7 * 24 * 3600)
33
34	/*
35	* Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
36	* by the server in server random if it is willing to downgrade but supports
37	* TLSv1.3
38	*/
39	const uint8_t tls13_downgrade_12[8] = {
40	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
41	};
42	const uint8_t tls13_downgrade_11[8] = {
43	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
44	};
45
46	/*
47	* HelloRetryRequest hash - RFC 8446 section 4.1.3.
48	*/
49	const uint8_t tls13_hello_retry_request_hash[32] = {
50	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
51	0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
52	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
53	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
54	};
55
56	/*
57	* Certificate Verify padding - RFC 8446 section 4.4.3.
58	*/
59	const uint8_t tls13_cert_verify_pad[64] = {
60	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
61	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
62	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
63	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
64	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
65	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
66	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
67	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
68	};
69
70	const uint8_t tls13_cert_client_verify_context[] =
71	"TLS 1.3, client CertificateVerify";
72	const uint8_t tls13_cert_server_verify_context[] =
73	"TLS 1.3, server CertificateVerify";
74
75	const EVP_AEAD *
76	tls13_cipher_aead(const SSL_CIPHER *cipher)
77	{
78	if (cipher == NULL)
79	return NULL;
80	if (cipher->algorithm_ssl != SSL_TLSV1_3)
81	return NULL;
82
83	switch (cipher->algorithm_enc) {
84	case SSL_AES128GCM:
85	return EVP_aead_aes_128_gcm();
86	case SSL_AES256GCM:
87	return EVP_aead_aes_256_gcm();
88	case SSL_CHACHA20POLY1305:
89	return EVP_aead_chacha20_poly1305();
90	}
91
92	return NULL;
93	}
94
95	const EVP_MD *
96	tls13_cipher_hash(const SSL_CIPHER *cipher)
97	{
98	if (cipher == NULL)
99	return NULL;
100	if (cipher->algorithm_ssl != SSL_TLSV1_3)
101	return NULL;
102
103	switch (cipher->algorithm2) {
104	case SSL_HANDSHAKE_MAC_SHA256:
105	return EVP_sha256();
106	case SSL_HANDSHAKE_MAC_SHA384:
107	return EVP_sha384();
108	}
109
110	return NULL;
111	}
112
113	static void
114	tls13_legacy_alert_cb(int sent, uint8_t alert_level, uint8_t alert_desc,
115	void *arg)
116	{
117	uint8_t alert[] = {alert_level, alert_desc};
118	struct tls13_ctx *ctx = arg;
119	SSL *s = ctx->ssl;
120	CBS cbs;
121
122	if (s->msg_callback == NULL)
123	return;
124
125	CBS_init(&cbs, alert, sizeof(alert));
126	ssl_msg_callback_cbs(s, sent, SSL3_RT_ALERT, &cbs);
127	}
128
129	static void
130	tls13_legacy_alert_recv_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
131	{
132	tls13_legacy_alert_cb(0, alert_level, alert_desc, arg);
133	}
134
135	static void
136	tls13_legacy_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
137	{
138	tls13_legacy_alert_cb(1, alert_level, alert_desc, arg);
139	}
140
141	void
142	tls13_alert_received_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
143	{
144	struct tls13_ctx *ctx = arg;
145
146	if (ctx->alert_recv_cb != NULL)
147	ctx->alert_recv_cb(alert_level, alert_desc, arg);
148
149	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
150	ctx->close_notify_recv = 1;
151	ctx->ssl->shutdown \|= SSL_RECEIVED_SHUTDOWN;
152	ctx->ssl->s3->warn_alert = alert_desc;
153	return;
154	}
155
156	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
157	/*
158	* We treat this as advisory, since a close_notify alert
159	* SHOULD follow this alert (RFC 8446 section 6.1).
160	*/
161	return;
162	}
163
164	/* All other alerts are treated as fatal in TLSv1.3. */
165	ctx->ssl->s3->fatal_alert = alert_desc;
166
167	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
168	ERR_asprintf_error_data("SSL alert number %d", alert_desc);
169
170	SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
171	}
172
173	void
174	tls13_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
175	{
176	struct tls13_ctx *ctx = arg;
177
178	if (ctx->alert_sent_cb != NULL)
179	ctx->alert_sent_cb(alert_level, alert_desc, arg);
180
181	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
182	ctx->close_notify_sent = 1;
183	return;
184	}
185
186	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
187	return;
188	}
189
190	/* All other alerts are treated as fatal in TLSv1.3. */
191	if (ctx->error.code == 0)
192	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
193	}
194
195	static void
196	tls13_legacy_handshake_message_recv_cb(void *arg)
197	{
198	struct tls13_ctx *ctx = arg;
199	SSL *s = ctx->ssl;
200	CBS cbs;
201
202	if (s->msg_callback == NULL)
203	return;
204
205	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
206	ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE, &cbs);
207	}
208
209	static void
210	tls13_legacy_handshake_message_sent_cb(void *arg)
211	{
212	struct tls13_ctx *ctx = arg;
213	SSL *s = ctx->ssl;
214	CBS cbs;
215
216	if (s->msg_callback == NULL)
217	return;
218
219	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
220	ssl_msg_callback_cbs(s, 1, SSL3_RT_HANDSHAKE, &cbs);
221	}
222
223	static void
224	tls13_legacy_info_cb(void *arg, int state, int ret)
225	{
226	struct tls13_ctx *ctx = arg;
227	SSL *s = ctx->ssl;
228
229	ssl_info_callback(s, state, ret);
230	}
231
232	static int
233	tls13_legacy_ocsp_status_recv_cb(void *arg)
234	{
235	struct tls13_ctx *ctx = arg;
236	SSL *s = ctx->ssl;
237	int ret;
238
239	if (s->ctx->tlsext_status_cb == NULL)
240	return 1;
241
242	ret = s->ctx->tlsext_status_cb(s,
243	s->ctx->tlsext_status_arg);
244	if (ret < 0) {
245	ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
246	SSLerror(s, ERR_R_MALLOC_FAILURE);
247	return 0;
248	}
249	if (ret == 0) {
250	ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE;
251	SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
252	return 0;
253	}
254
255	return 1;
256	}
257
258	static int
259	tls13_phh_update_read_traffic_secret(struct tls13_ctx *ctx)
260	{
261	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
262	struct tls13_secret *secret;
263
264	if (ctx->mode == TLS13_HS_CLIENT) {
265	secret = &secrets->server_application_traffic;
266	if (!tls13_update_server_traffic_secret(secrets))
267	return 0;
268	} else {
269	secret = &secrets->client_application_traffic;
270	if (!tls13_update_client_traffic_secret(secrets))
271	return 0;
272	}
273
274	return tls13_record_layer_set_read_traffic_key(ctx->rl,
275	secret, ssl_encryption_application);
276	}
277
278	static int
279	tls13_phh_update_write_traffic_secret(struct tls13_ctx *ctx)
280	{
281	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
282	struct tls13_secret *secret;
283
284	if (ctx->mode == TLS13_HS_CLIENT) {
285	secret = &secrets->client_application_traffic;
286	if (!tls13_update_client_traffic_secret(secrets))
287	return 0;
288	} else {
289	secret = &secrets->server_application_traffic;
290	if (!tls13_update_server_traffic_secret(secrets))
291	return 0;
292	}
293
294	return tls13_record_layer_set_write_traffic_key(ctx->rl,
295	secret, ssl_encryption_application);
296	}
297
298	/*
299	* XXX arbitrarily chosen limit of 100 post handshake handshake
300	* messages in an hour - to avoid a hostile peer from constantly
301	* requesting certificates or key renegotiaitons, etc.
302	*/
303	static int
304	tls13_phh_limit_check(struct tls13_ctx *ctx)
305	{
306	time_t now = time(NULL);
307
308	if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
309	if (ctx->phh_count > TLS13_PHH_LIMIT)
310	return 0;
311	} else
312	ctx->phh_count = 0;
313	ctx->phh_count++;
314	ctx->phh_last_seen = now;
315	return 1;
316	}
317
318	static ssize_t
319	tls13_key_update_recv(struct tls13_ctx ctx, CBS cbs)
320	{
321	struct tls13_handshake_msg *hs_msg = NULL;
322	CBB cbb_hs;
323	CBS cbs_hs;
324	uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
325	uint8_t key_update_request;
326	ssize_t ret;
327
328	if (!CBS_get_u8(cbs, &key_update_request)) {
329	alert = TLS13_ALERT_DECODE_ERROR;
330	goto err;
331	}
332	if (CBS_len(cbs) != 0) {
333	alert = TLS13_ALERT_DECODE_ERROR;
334	goto err;
335	}
336	if (key_update_request > 1) {
337	alert = TLS13_ALERT_ILLEGAL_PARAMETER;
338	goto err;
339	}
340
341	if (!tls13_phh_update_read_traffic_secret(ctx))
342	goto err;
343
344	if (key_update_request == 0)
345	return TLS13_IO_SUCCESS;
346
347	/* Our peer requested that we update our write traffic keys. */
348	if ((hs_msg = tls13_handshake_msg_new()) == NULL)
349	goto err;
350	if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE))
351	goto err;
352	if (!CBB_add_u8(&cbb_hs, 0))
353	goto err;
354	if (!tls13_handshake_msg_finish(hs_msg))
355	goto err;
356
357	ctx->key_update_request = 1;
358	tls13_handshake_msg_data(hs_msg, &cbs_hs);
359	ret = tls13_record_layer_phh(ctx->rl, &cbs_hs);
360
361	tls13_handshake_msg_free(hs_msg);
362	hs_msg = NULL;
363
364	return ret;
365
366	err:
367	tls13_handshake_msg_free(hs_msg);
368
369	return tls13_send_alert(ctx->rl, alert);
370	}
371
372	/* RFC 8446 section 4.6.1 */
373	static ssize_t
374	tls13_new_session_ticket_recv(struct tls13_ctx ctx, CBS cbs)
375	{
376	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
377	struct tls13_secret nonce;
378	uint32_t ticket_lifetime, ticket_age_add;
379	CBS ticket_nonce, ticket;
380	SSL_SESSION *sess = NULL;
381	int alert, session_id_length;
382	ssize_t ret = 0;
383
384	memset(&nonce, 0, sizeof(nonce));
385
386	if (ctx->mode != TLS13_HS_CLIENT) {
387	alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
388	goto err;
389	}
390
391	alert = TLS13_ALERT_DECODE_ERROR;
392
393	if (!CBS_get_u32(cbs, &ticket_lifetime))
394	goto err;
395	if (!CBS_get_u32(cbs, &ticket_age_add))
396	goto err;
397	if (!CBS_get_u8_length_prefixed(cbs, &ticket_nonce))
398	goto err;
399	if (!CBS_get_u16_length_prefixed(cbs, &ticket))
400	goto err;
401	/* Extensions can only contain early_data, which we currently ignore. */
402	if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_NST, cbs, &alert))
403	goto err;
404
405	if (CBS_len(cbs) != 0)
406	goto err;
407
408	/* Zero indicates that the ticket should be discarded immediately. */
409	if (ticket_lifetime == 0) {
410	ret = TLS13_IO_SUCCESS;
411	goto done;
412	}
413
414	/* Servers MUST NOT use any value larger than 7 days. */
415	if (ticket_lifetime > TLS13_MAX_TICKET_LIFETIME) {
416	alert = TLS13_ALERT_ILLEGAL_PARAMETER;
417	goto err;
418	}
419
420	alert = TLS13_ALERT_INTERNAL_ERROR;
421
422	/*
423	* Create new session instead of modifying the current session.
424	* The current session could already be in the session cache.
425	*/
426	if ((sess = ssl_session_dup(ctx->ssl->session, 0)) == NULL)
427	goto err;
428
429	sess->time = time(NULL);
430
431	sess->tlsext_tick_lifetime_hint = ticket_lifetime;
432	sess->tlsext_tick_age_add = ticket_age_add;
433
434	if (!CBS_stow(&ticket, &sess->tlsext_tick, &sess->tlsext_ticklen))
435	goto err;
436
437	/* XXX - ensure this doesn't overflow session_id if hash is changed. */
438	if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),
439	sess->session_id, &session_id_length, EVP_sha256(), NULL))
440	goto err;
441	sess->session_id_length = session_id_length;
442
443	if (!CBS_stow(&ticket_nonce, &nonce.data, &nonce.len))
444	goto err;
445
446	if (!tls13_secret_init(&sess->resumption_master_secret, 256))
447	goto err;
448
449	if (!tls13_derive_secret(&sess->resumption_master_secret,
450	secrets->digest, &secrets->resumption_master, "resumption",
451	&nonce))
452	goto err;
453
454	SSL_SESSION_free(ctx->ssl->session);
455	ctx->ssl->session = sess;
456	sess = NULL;
457
458	ssl_update_cache(ctx->ssl, SSL_SESS_CACHE_CLIENT);
459
460	ret = TLS13_IO_SUCCESS;
461	goto done;
462
463	err:
464	ret = tls13_send_alert(ctx->rl, alert);
465
466	done:
467	tls13_secret_cleanup(&nonce);
468	SSL_SESSION_free(sess);
469
470	return ret;
471	}
472
473	ssize_t
474	tls13_phh_received_cb(void *cb_arg)
475	{
476	ssize_t ret = TLS13_IO_FAILURE;
477	struct tls13_ctx *ctx = cb_arg;
478	CBS cbs;
479
480	if (!tls13_phh_limit_check(ctx))
481	return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
482
483	if ((ctx->hs_msg == NULL) &&
484	((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
485	return TLS13_IO_FAILURE;
486
487	if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) !=
488	TLS13_IO_SUCCESS)
489	return ret;
490
491	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
492	return TLS13_IO_FAILURE;
493
494	switch(tls13_handshake_msg_type(ctx->hs_msg)) {
495	case TLS13_MT_KEY_UPDATE:
496	ret = tls13_key_update_recv(ctx, &cbs);
497	break;
498	case TLS13_MT_NEW_SESSION_TICKET:
499	ret = tls13_new_session_ticket_recv(ctx, &cbs);
500	break;
501	case TLS13_MT_CERTIFICATE_REQUEST:
502	/* XXX add support if we choose to advertise this */
503	/* FALLTHROUGH */
504	default:
505	ret = TLS13_IO_FAILURE; /* XXX send alert */
506	break;
507	}
508
509	tls13_handshake_msg_free(ctx->hs_msg);
510	ctx->hs_msg = NULL;
511	return ret;
512	}
513
514	void
515	tls13_phh_done_cb(void *cb_arg)
516	{
517	struct tls13_ctx *ctx = cb_arg;
518
519	if (ctx->key_update_request) {
520	tls13_phh_update_write_traffic_secret(ctx);
521	ctx->key_update_request = 0;
522	}
523	}
524
525	static const struct tls13_record_layer_callbacks tls13_rl_callbacks = {
526	.wire_read = tls13_legacy_wire_read_cb,
527	.wire_write = tls13_legacy_wire_write_cb,
528	.wire_flush = tls13_legacy_wire_flush_cb,
529
530	.alert_recv = tls13_alert_received_cb,
531	.alert_sent = tls13_alert_sent_cb,
532	.phh_recv = tls13_phh_received_cb,
533	.phh_sent = tls13_phh_done_cb,
534	};
535
536	struct tls13_ctx *
537	tls13_ctx_new(int mode, SSL *ssl)
538	{
539	struct tls13_ctx *ctx = NULL;
540
541	if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
542	goto err;
543
544	ctx->hs = &ssl->s3->hs;
545	ctx->mode = mode;
546	ctx->ssl = ssl;
547
548	if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL)
549	goto err;
550
551	ctx->alert_sent_cb = tls13_legacy_alert_sent_cb;
552	ctx->alert_recv_cb = tls13_legacy_alert_recv_cb;
553	ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
554	ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
555	ctx->info_cb = tls13_legacy_info_cb;
556	ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
557
558	ctx->middlebox_compat = 1;
559
560	ssl->tls13 = ctx;
561
562	if (SSL_is_quic(ssl)) {
563	if (!tls13_quic_init(ctx))
564	goto err;
565	}
566
567	return ctx;
568
569	err:
570	tls13_ctx_free(ctx);
571
572	return NULL;
573	}
574
575	void
576	tls13_ctx_free(struct tls13_ctx *ctx)
577	{
578	if (ctx == NULL)
579	return;
580
581	tls13_error_clear(&ctx->error);
582	tls13_record_layer_free(ctx->rl);
583	tls13_handshake_msg_free(ctx->hs_msg);
584
585	freezero(ctx, sizeof(struct tls13_ctx));
586	}
587
588	int
589	tls13_cert_add(struct tls13_ctx ctx, CBB cbb, X509 *cert,
590	int (build_extensions)(SSL s, uint16_t msg_type, CBB *cbb))
591	{
592	CBB cert_data, cert_exts;
593	uint8_t *data;
594	int cert_len;
595
596	if ((cert_len = i2d_X509(cert, NULL)) < 0)
597	return 0;
598
599	if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
600	return 0;
601	if (!CBB_add_space(&cert_data, &data, cert_len))
602	return 0;
603	if (i2d_X509(cert, &data) != cert_len)
604	return 0;
605	if (build_extensions != NULL) {
606	if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
607	return 0;
608	} else {
609	if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
610	return 0;
611	}
612	if (!CBB_flush(cbb))
613	return 0;
614
615	return 1;
616	}
617
618	int
619	tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
620	{
621	struct tls13_handshake_msg *hm = NULL;
622	unsigned char buf[EVP_MAX_MD_SIZE];
623	size_t hash_len;
624	CBB cbb;
625	CBS cbs;
626	SSL *s = ctx->ssl;
627	int ret = 0;
628
629	/*
630	* Replace ClientHello with synthetic handshake message - see
631	* RFC 8446 section 4.4.1.
632	*/
633	if (!tls1_transcript_hash_init(s))
634	goto err;
635	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
636	goto err;
637
638	if ((hm = tls13_handshake_msg_new()) == NULL)
639	goto err;
640	if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
641	goto err;
642	if (!CBB_add_bytes(&cbb, buf, hash_len))
643	goto err;
644	if (!tls13_handshake_msg_finish(hm))
645	goto err;
646
647	tls13_handshake_msg_data(hm, &cbs);
648
649	tls1_transcript_reset(ctx->ssl);
650	if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
651	goto err;
652
653	ret = 1;
654
655	err:
656	tls13_handshake_msg_free(hm);
657
658	return ret;
659	}
660
661	int
662	tls13_clienthello_hash_init(struct tls13_ctx *ctx)
663	{
664	if (ctx->hs->tls13.clienthello_md_ctx != NULL)
665	return 0;
666	if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
667	return 0;
668	if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
669	EVP_sha256(), NULL))
670	return 0;
671
672	if ((ctx->hs->tls13.clienthello_hash == NULL) &&
673	(ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
674	NULL)
675	return 0;
676
677	return 1;
678	}
679
680	void
681	tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st hs) / XXX */
682	{
683	EVP_MD_CTX_free(hs->clienthello_md_ctx);
684	hs->clienthello_md_ctx = NULL;
685	freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
686	hs->clienthello_hash = NULL;
687	}
688
689	int
690	tls13_clienthello_hash_update_bytes(struct tls13_ctx ctx, void data,
691	size_t len)
692	{
693	return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
694	}
695
696	int
697	tls13_clienthello_hash_update(struct tls13_ctx ctx, CBS cbs)
698	{
699	return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
700	CBS_len(cbs));
701	}
702
703	int
704	tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
705	{
706	if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
707	ctx->hs->tls13.clienthello_hash,
708	&ctx->hs->tls13.clienthello_hash_len))
709	return 0;
710	EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
711	ctx->hs->tls13.clienthello_md_ctx = NULL;
712	return 1;
713	}
714
715	int
716	tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
717	{
718	unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
719	unsigned int new_ch_hash_len;
720
721	if (ctx->hs->tls13.clienthello_hash == NULL)
722	return 0;
723
724	if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
725	new_ch_hash, &new_ch_hash_len))
726	return 0;
727	EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
728	ctx->hs->tls13.clienthello_md_ctx = NULL;
729
730	if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
731	return 0;
732	if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
733	new_ch_hash_len) != 0)
734	return 0;
735
736	return 1;
737	}