1 files changed, 0 insertions, 644 deletions
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
deleted file mode 100644
index 20d3a38412..0000000000
--- a/src/lib/libssl/tls13_lib.c
+++ /dev/null
@@ -1,644 +0,0 @@
-/*      $OpenBSD: tls13_lib.c,v 1.63 2022/02/05 14:54:10 jsing Exp $ */
-/*
- * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
- * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <stddef.h>
-#include <openssl/evp.h>
-#include "ssl_locl.h"
-#include "ssl_tlsext.h"
-#include "tls13_internal.h"
-/*
- * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
- * by the server in server random if it is willing to downgrade but supports
- * TLSv1.3
- */
-const uint8_t tls13_downgrade_12[8] = {
-        0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
-};
-const uint8_t tls13_downgrade_11[8] = {
-        0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
-};
-/*
- * HelloRetryRequest hash - RFC 8446 section 4.1.3.
- */
-const uint8_t tls13_hello_retry_request_hash[32] = {
-        0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
-        0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
-        0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
-        0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
-};
-/*
- * Certificate Verify padding - RFC 8446 section 4.4.3.
- */
-const uint8_t tls13_cert_verify_pad[64] = {
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-};
-const uint8_t tls13_cert_client_verify_context[] =
-    "TLS 1.3, client CertificateVerify";
-const uint8_t tls13_cert_server_verify_context[] =
-    "TLS 1.3, server CertificateVerify";
-const EVP_AEAD *
-tls13_cipher_aead(const SSL_CIPHER *cipher)
-{
-        if (cipher == NULL)
-                return NULL;
-        if (cipher->algorithm_ssl != SSL_TLSV1_3)
-                return NULL;
-        switch (cipher->algorithm_enc) {
-        case SSL_AES128GCM:
-                return EVP_aead_aes_128_gcm();
-        case SSL_AES256GCM:
-                return EVP_aead_aes_256_gcm();
-        case SSL_CHACHA20POLY1305:
-                return EVP_aead_chacha20_poly1305();
-        }
-        return NULL;
-}
-const EVP_MD *
-tls13_cipher_hash(const SSL_CIPHER *cipher)
-{
-        if (cipher == NULL)
-                return NULL;
-        if (cipher->algorithm_ssl != SSL_TLSV1_3)
-                return NULL;
-        switch (cipher->algorithm2) {
-        case SSL_HANDSHAKE_MAC_SHA256:
-                return EVP_sha256();
-        case SSL_HANDSHAKE_MAC_SHA384:
-                return EVP_sha384();
-        }
-        return NULL;
-}
-static void
-tls13_alert_received_cb(uint8_t alert_desc, void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
-                ctx->close_notify_recv = 1;
-                ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN;
-                ctx->ssl->s3->warn_alert = alert_desc;
-                return;
-        }
-        if (alert_desc == TLS13_ALERT_USER_CANCELED) {
-                /*
-                 * We treat this as advisory, since a close_notify alert
-                 * SHOULD follow this alert (RFC 8446 section 6.1).
-                 */
-                return;
-        }
-        /* All other alerts are treated as fatal in TLSv1.3. */
-        ctx->ssl->s3->fatal_alert = alert_desc;
-        SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
-        ERR_asprintf_error_data("SSL alert number %d", alert_desc);
-        SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
-}
-static void
-tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
-                ctx->close_notify_sent = 1;
-                return;
-        }
-        if (alert_desc == TLS13_ALERT_USER_CANCELED) {
-                return;
-        }
-        /* All other alerts are treated as fatal in TLSv1.3. */
-        if (ctx->error.code == 0)
-                SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
-}
-static void
-tls13_legacy_handshake_message_recv_cb(void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        CBS cbs;
-        if (s->internal->msg_callback == NULL)
-                return;
-        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
-        ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, CBS_data(&cbs), CBS_len(&cbs));
-}
-static void
-tls13_legacy_handshake_message_sent_cb(void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        CBS cbs;
-        if (s->internal->msg_callback == NULL)
-                return;
-        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
-        ssl_msg_callback(s, 1, SSL3_RT_HANDSHAKE, CBS_data(&cbs), CBS_len(&cbs));
-}
-static void
-tls13_legacy_info_cb(void *arg, int state, int ret)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        ssl_info_callback(s, state, ret);
-}
-static int
-tls13_legacy_ocsp_status_recv_cb(void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        int ret;
-        if (s->ctx->internal->tlsext_status_cb == NULL)
-                return 1;
-        ret = s->ctx->internal->tlsext_status_cb(s,
-            s->ctx->internal->tlsext_status_arg);
-        if (ret < 0) {
-                ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        if (ret == 0) {
-                ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE;
-                SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
-                return 0;
-        }
-        return 1;
-}
-static int
-tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx)
-{
-        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-        if (ctx->mode == TLS13_HS_CLIENT)
-                return (tls13_update_client_traffic_secret(secrets) &&
-                    tls13_record_layer_set_write_traffic_key(ctx->rl,
-                        &secrets->client_application_traffic));
-        return (tls13_update_server_traffic_secret(secrets) &&
-            tls13_record_layer_set_read_traffic_key(ctx->rl,
-            &secrets->server_application_traffic));
-}
-static int
-tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx)
-{
-        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-        if (ctx->mode == TLS13_HS_CLIENT)
-                return (tls13_update_server_traffic_secret(secrets) &&
-                    tls13_record_layer_set_read_traffic_key(ctx->rl,
-                    &secrets->server_application_traffic));
-        return (tls13_update_client_traffic_secret(secrets) &&
-            tls13_record_layer_set_write_traffic_key(ctx->rl,
-            &secrets->client_application_traffic));
-}
-/*
- * XXX arbitrarily chosen limit of 100 post handshake handshake
- * messages in an hour - to avoid a hostile peer from constantly
- * requesting certificates or key renegotiaitons, etc.
- */
-static int
-tls13_phh_limit_check(struct tls13_ctx *ctx)
-{
-        time_t now = time(NULL);
-        if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
-                if (ctx->phh_count > TLS13_PHH_LIMIT)
-                        return 0;
-        } else
-                ctx->phh_count = 0;
-        ctx->phh_count++;
-        ctx->phh_last_seen = now;
-        return 1;
-}
-static ssize_t
-tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
-{
-        struct tls13_handshake_msg *hs_msg = NULL;
-        CBB cbb_hs;
-        CBS cbs_hs;
-        uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
-        uint8_t key_update_request;
-        ssize_t ret;
-        if (!CBS_get_u8(cbs, &key_update_request)) {
-                alert = TLS13_ALERT_DECODE_ERROR;
-                goto err;
-        }
-        if (CBS_len(cbs) != 0) {
-                alert = TLS13_ALERT_DECODE_ERROR;
-                goto err;
-        }
-        if (key_update_request > 1) {
-                alert = TLS13_ALERT_ILLEGAL_PARAMETER;
-                goto err;
-        }
-        if (!tls13_phh_update_peer_traffic_secret(ctx))
-                goto err;
-        if (key_update_request == 0)
-                return TLS13_IO_SUCCESS;
-        /* key_update_request == 1 */
-        if ((hs_msg = tls13_handshake_msg_new()) == NULL)
-                goto err;
-        if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE))
-                goto err;
-        if (!CBB_add_u8(&cbb_hs, 0))
-                goto err;
-        if (!tls13_handshake_msg_finish(hs_msg))
-                goto err;
-        ctx->key_update_request = 1;
-        tls13_handshake_msg_data(hs_msg, &cbs_hs);
-        ret = tls13_record_layer_phh(ctx->rl, &cbs_hs);
-        tls13_handshake_msg_free(hs_msg);
-        hs_msg = NULL;
-        return ret;
- err:
-        tls13_handshake_msg_free(hs_msg);
-        return tls13_send_alert(ctx->rl, alert);
-}
-static void
-tls13_phh_done_cb(void *cb_arg)
-{
-        struct tls13_ctx *ctx = cb_arg;
-        if (ctx->key_update_request) {
-                tls13_phh_update_local_traffic_secret(ctx);
-                ctx->key_update_request = 0;
-        }
-}
-static ssize_t
-tls13_phh_received_cb(void *cb_arg, CBS *cbs)
-{
-        ssize_t ret = TLS13_IO_FAILURE;
-        struct tls13_ctx *ctx = cb_arg;
-        CBS phh_cbs;
-        if (!tls13_phh_limit_check(ctx))
-                return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
-        if ((ctx->hs_msg == NULL) &&
-            ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
-                return TLS13_IO_FAILURE;
-        if (!tls13_handshake_msg_set_buffer(ctx->hs_msg, cbs))
-                return TLS13_IO_FAILURE;
-        if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl))
-            != TLS13_IO_SUCCESS)
-                return ret;
-        if (!tls13_handshake_msg_content(ctx->hs_msg, &phh_cbs))
-                return TLS13_IO_FAILURE;
-        switch(tls13_handshake_msg_type(ctx->hs_msg)) {
-        case TLS13_MT_KEY_UPDATE:
-                ret = tls13_key_update_recv(ctx, &phh_cbs);
-                break;
-        case TLS13_MT_NEW_SESSION_TICKET:
-                /* XXX do nothing for now and ignore this */
-                break;
-        case TLS13_MT_CERTIFICATE_REQUEST:
-                /* XXX add support if we choose to advertise this */
-                /* FALLTHROUGH */
-        default:
-                ret = TLS13_IO_FAILURE; /* XXX send alert */
-                break;
-        }
-        tls13_handshake_msg_free(ctx->hs_msg);
-        ctx->hs_msg = NULL;
-        return ret;
-}
-static const struct tls13_record_layer_callbacks rl_callbacks = {
-        .wire_read = tls13_legacy_wire_read_cb,
-        .wire_write = tls13_legacy_wire_write_cb,
-        .wire_flush = tls13_legacy_wire_flush_cb,
-        .alert_recv = tls13_alert_received_cb,
-        .alert_sent = tls13_alert_sent_cb,
-        .phh_recv = tls13_phh_received_cb,
-        .phh_sent = tls13_phh_done_cb,
-};
-struct tls13_ctx *
-tls13_ctx_new(int mode)
-{
-        struct tls13_ctx *ctx = NULL;
-        if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
-                goto err;
-        ctx->mode = mode;
-        if ((ctx->rl = tls13_record_layer_new(&rl_callbacks, ctx)) == NULL)
-                goto err;
-        ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
-        ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
-        ctx->info_cb = tls13_legacy_info_cb;
-        ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
-        ctx->middlebox_compat = 1;
-        return ctx;
- err:
-        tls13_ctx_free(ctx);
-        return NULL;
-}
-void
-tls13_ctx_free(struct tls13_ctx *ctx)
-{
-        if (ctx == NULL)
-                return;
-        tls13_error_clear(&ctx->error);
-        tls13_record_layer_free(ctx->rl);
-        tls13_handshake_msg_free(ctx->hs_msg);
-        freezero(ctx, sizeof(struct tls13_ctx));
-}
-int
-tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
-    int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb))
-{
-        CBB cert_data, cert_exts;
-        uint8_t *data;
-        int cert_len;
-        if ((cert_len = i2d_X509(cert, NULL)) < 0)
-                return 0;
-        if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
-                return 0;
-        if (!CBB_add_space(&cert_data, &data, cert_len))
-                return 0;
-        if (i2d_X509(cert, &data) != cert_len)
-                return 0;
-        if (build_extensions != NULL) {
-                if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
-                        return 0;
-        } else {
-                if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
-                        return 0;
-        }
-        if (!CBB_flush(cbb))
-                return 0;
-        return 1;
-}
-int
-tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
-{
-        struct tls13_handshake_msg *hm = NULL;
-        unsigned char buf[EVP_MAX_MD_SIZE];
-        size_t hash_len;
-        CBB cbb;
-        CBS cbs;
-        SSL *s = ctx->ssl;
-        int ret = 0;
-        /*
-         * Replace ClientHello with synthetic handshake message - see
-         * RFC 8446 section 4.4.1.
-         */
-        if (!tls1_transcript_hash_init(s))
-                goto err;
-        if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
-                goto err;
-        if ((hm = tls13_handshake_msg_new()) == NULL)
-                goto err;
-        if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
-                goto err;
-        if (!CBB_add_bytes(&cbb, buf, hash_len))
-                goto err;
-        if (!tls13_handshake_msg_finish(hm))
-                goto err;
-        tls13_handshake_msg_data(hm, &cbs);
-        tls1_transcript_reset(ctx->ssl);
-        if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
-                goto err;
-        ret = 1;
- err:
-        tls13_handshake_msg_free(hm);
-        return ret;
-}
-int
-tls13_clienthello_hash_init(struct tls13_ctx *ctx)
-{
-        if (ctx->hs->tls13.clienthello_md_ctx != NULL)
-                return 0;
-        if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
-                return 0;
-        if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
-            EVP_sha256(), NULL))
-                return 0;
-        if ((ctx->hs->tls13.clienthello_hash == NULL) &&
-            (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
-            NULL)
-                return 0;
-        return 1;
-}
-void
-tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */
-{
-        EVP_MD_CTX_free(hs->clienthello_md_ctx);
-        hs->clienthello_md_ctx = NULL;
-        freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
-        hs->clienthello_hash = NULL;
-}
-int
-tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
-    size_t len)
-{
-        return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
-}
-int
-tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs)
-{
-        return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
-            CBS_len(cbs));
-}
-int
-tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
-{
-        if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
-            ctx->hs->tls13.clienthello_hash,
-            &ctx->hs->tls13.clienthello_hash_len))
-                return 0;
-        EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
-        ctx->hs->tls13.clienthello_md_ctx = NULL;
-        return 1;
-}
-int
-tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
-{
-        unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
-        unsigned int new_ch_hash_len;
-        if (ctx->hs->tls13.clienthello_hash == NULL)
-                return 0;
-        if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
-            new_ch_hash, &new_ch_hash_len))
-                return 0;
-        EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
-        ctx->hs->tls13.clienthello_md_ctx = NULL;
-        if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
-                return 0;
-        if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
-            new_ch_hash_len) != 0)
-                return 0;
-        return 1;
-}
-int
-tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len,
-    const uint8_t *context_value, size_t context_value_len, uint8_t *out,
-    size_t out_len)
-{
-        struct tls13_secret context, export_out, export_secret;
-        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-        EVP_MD_CTX *md_ctx = NULL;
-        unsigned int md_out_len;
-        int md_len;
-        int ret = 0;
-        /*
-         * RFC 8446 Section 7.5.
-         */
-        memset(&context, 0, sizeof(context));
-        memset(&export_secret, 0, sizeof(export_secret));
-        export_out.data = out;
-        export_out.len = out_len;
-        if (!ctx->handshake_completed)
-                return 0;
-        md_len = EVP_MD_size(secrets->digest);
-        if (md_len <= 0 || md_len > EVP_MAX_MD_SIZE)
-                goto err;
-        if (!tls13_secret_init(&export_secret, md_len))
-                goto err;
-        if (!tls13_secret_init(&context, md_len))
-                goto err;
-        /* In TLSv1.3 no context is equivalent to an empty context. */
-        if (context_value == NULL) {
-                context_value = "";
-                context_value_len = 0;
-        }
-        if ((md_ctx = EVP_MD_CTX_new()) == NULL)
-                goto err;
-        if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL))
-                goto err;
-        if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len))
-                goto err;
-        if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len))
-                goto err;
-        if (md_len != md_out_len)
-                goto err;
-        if (!tls13_derive_secret_with_label_length(&export_secret,
-            secrets->digest, &secrets->exporter_master, label, label_len,
-            &secrets->empty_hash))
-                goto err;
-        if (!tls13_hkdf_expand_label(&export_out, secrets->digest,
-            &export_secret, "exporter", &context))
-                goto err;
-        ret = 1;
- err:
-        EVP_MD_CTX_free(md_ctx);
-        tls13_secret_cleanup(&context);
-        tls13_secret_cleanup(&export_secret);
-        return ret;
-}

diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c deleted file mode 100644 index 20d3a38412..0000000000 --- a/src/lib/libssl/tls13_lib.c +++ /dev/null
@@ -1,644 +0,0 @@
1	/* $OpenBSD: tls13_lib.c,v 1.63 2022/02/05 14:54:10 jsing Exp $ */
2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
5	*
6	* Permission to use, copy, modify, and distribute this software for any
7	* purpose with or without fee is hereby granted, provided that the above
8	* copyright notice and this permission notice appear in all copies.
9	*
10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/
18
19	#include <stddef.h>
20
21	#include <openssl/evp.h>
22
23	#include "ssl_locl.h"
24	#include "ssl_tlsext.h"
25	#include "tls13_internal.h"
26
27	/*
28	* Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
29	* by the server in server random if it is willing to downgrade but supports
30	* TLSv1.3
31	*/
32	const uint8_t tls13_downgrade_12[8] = {
33	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
34	};
35	const uint8_t tls13_downgrade_11[8] = {
36	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
37	};
38
39	/*
40	* HelloRetryRequest hash - RFC 8446 section 4.1.3.
41	*/
42	const uint8_t tls13_hello_retry_request_hash[32] = {
43	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
44	0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
45	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
46	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
47	};
48
49	/*
50	* Certificate Verify padding - RFC 8446 section 4.4.3.
51	*/
52	const uint8_t tls13_cert_verify_pad[64] = {
53	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
54	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
55	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
56	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
57	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
58	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
59	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
60	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
61	};
62
63	const uint8_t tls13_cert_client_verify_context[] =
64	"TLS 1.3, client CertificateVerify";
65	const uint8_t tls13_cert_server_verify_context[] =
66	"TLS 1.3, server CertificateVerify";
67
68	const EVP_AEAD *
69	tls13_cipher_aead(const SSL_CIPHER *cipher)
70	{
71	if (cipher == NULL)
72	return NULL;
73	if (cipher->algorithm_ssl != SSL_TLSV1_3)
74	return NULL;
75
76	switch (cipher->algorithm_enc) {
77	case SSL_AES128GCM:
78	return EVP_aead_aes_128_gcm();
79	case SSL_AES256GCM:
80	return EVP_aead_aes_256_gcm();
81	case SSL_CHACHA20POLY1305:
82	return EVP_aead_chacha20_poly1305();
83	}
84
85	return NULL;
86	}
87
88	const EVP_MD *
89	tls13_cipher_hash(const SSL_CIPHER *cipher)
90	{
91	if (cipher == NULL)
92	return NULL;
93	if (cipher->algorithm_ssl != SSL_TLSV1_3)
94	return NULL;
95
96	switch (cipher->algorithm2) {
97	case SSL_HANDSHAKE_MAC_SHA256:
98	return EVP_sha256();
99	case SSL_HANDSHAKE_MAC_SHA384:
100	return EVP_sha384();
101	}
102
103	return NULL;
104	}
105
106	static void
107	tls13_alert_received_cb(uint8_t alert_desc, void *arg)
108	{
109	struct tls13_ctx *ctx = arg;
110
111	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
112	ctx->close_notify_recv = 1;
113	ctx->ssl->internal->shutdown \|= SSL_RECEIVED_SHUTDOWN;
114	ctx->ssl->s3->warn_alert = alert_desc;
115	return;
116	}
117
118	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
119	/*
120	* We treat this as advisory, since a close_notify alert
121	* SHOULD follow this alert (RFC 8446 section 6.1).
122	*/
123	return;
124	}
125
126	/* All other alerts are treated as fatal in TLSv1.3. */
127	ctx->ssl->s3->fatal_alert = alert_desc;
128
129	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
130	ERR_asprintf_error_data("SSL alert number %d", alert_desc);
131
132	SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
133	}
134
135	static void
136	tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
137	{
138	struct tls13_ctx *ctx = arg;
139
140	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
141	ctx->close_notify_sent = 1;
142	return;
143	}
144
145	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
146	return;
147	}
148
149	/* All other alerts are treated as fatal in TLSv1.3. */
150	if (ctx->error.code == 0)
151	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
152	}
153
154	static void
155	tls13_legacy_handshake_message_recv_cb(void *arg)
156	{
157	struct tls13_ctx *ctx = arg;
158	SSL *s = ctx->ssl;
159	CBS cbs;
160
161	if (s->internal->msg_callback == NULL)
162	return;
163
164	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
165	ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, CBS_data(&cbs), CBS_len(&cbs));
166	}
167
168	static void
169	tls13_legacy_handshake_message_sent_cb(void *arg)
170	{
171	struct tls13_ctx *ctx = arg;
172	SSL *s = ctx->ssl;
173	CBS cbs;
174
175	if (s->internal->msg_callback == NULL)
176	return;
177
178	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
179	ssl_msg_callback(s, 1, SSL3_RT_HANDSHAKE, CBS_data(&cbs), CBS_len(&cbs));
180	}
181
182	static void
183	tls13_legacy_info_cb(void *arg, int state, int ret)
184	{
185	struct tls13_ctx *ctx = arg;
186	SSL *s = ctx->ssl;
187
188	ssl_info_callback(s, state, ret);
189	}
190
191	static int
192	tls13_legacy_ocsp_status_recv_cb(void *arg)
193	{
194	struct tls13_ctx *ctx = arg;
195	SSL *s = ctx->ssl;
196	int ret;
197
198	if (s->ctx->internal->tlsext_status_cb == NULL)
199	return 1;
200
201	ret = s->ctx->internal->tlsext_status_cb(s,
202	s->ctx->internal->tlsext_status_arg);
203	if (ret < 0) {
204	ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
205	SSLerror(s, ERR_R_MALLOC_FAILURE);
206	return 0;
207	}
208	if (ret == 0) {
209	ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE;
210	SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
211	return 0;
212	}
213
214	return 1;
215	}
216
217	static int
218	tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx)
219	{
220	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
221
222	if (ctx->mode == TLS13_HS_CLIENT)
223	return (tls13_update_client_traffic_secret(secrets) &&
224	tls13_record_layer_set_write_traffic_key(ctx->rl,
225	&secrets->client_application_traffic));
226	return (tls13_update_server_traffic_secret(secrets) &&
227	tls13_record_layer_set_read_traffic_key(ctx->rl,
228	&secrets->server_application_traffic));
229	}
230
231	static int
232	tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx)
233	{
234	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
235
236	if (ctx->mode == TLS13_HS_CLIENT)
237	return (tls13_update_server_traffic_secret(secrets) &&
238	tls13_record_layer_set_read_traffic_key(ctx->rl,
239	&secrets->server_application_traffic));
240	return (tls13_update_client_traffic_secret(secrets) &&
241	tls13_record_layer_set_write_traffic_key(ctx->rl,
242	&secrets->client_application_traffic));
243	}
244
245	/*
246	* XXX arbitrarily chosen limit of 100 post handshake handshake
247	* messages in an hour - to avoid a hostile peer from constantly
248	* requesting certificates or key renegotiaitons, etc.
249	*/
250	static int
251	tls13_phh_limit_check(struct tls13_ctx *ctx)
252	{
253	time_t now = time(NULL);
254
255	if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
256	if (ctx->phh_count > TLS13_PHH_LIMIT)
257	return 0;
258	} else
259	ctx->phh_count = 0;
260	ctx->phh_count++;
261	ctx->phh_last_seen = now;
262	return 1;
263	}
264
265	static ssize_t
266	tls13_key_update_recv(struct tls13_ctx ctx, CBS cbs)
267	{
268	struct tls13_handshake_msg *hs_msg = NULL;
269	CBB cbb_hs;
270	CBS cbs_hs;
271	uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
272	uint8_t key_update_request;
273	ssize_t ret;
274
275	if (!CBS_get_u8(cbs, &key_update_request)) {
276	alert = TLS13_ALERT_DECODE_ERROR;
277	goto err;
278	}
279	if (CBS_len(cbs) != 0) {
280	alert = TLS13_ALERT_DECODE_ERROR;
281	goto err;
282	}
283	if (key_update_request > 1) {
284	alert = TLS13_ALERT_ILLEGAL_PARAMETER;
285	goto err;
286	}
287
288	if (!tls13_phh_update_peer_traffic_secret(ctx))
289	goto err;
290
291	if (key_update_request == 0)
292	return TLS13_IO_SUCCESS;
293
294	/* key_update_request == 1 */
295	if ((hs_msg = tls13_handshake_msg_new()) == NULL)
296	goto err;
297	if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE))
298	goto err;
299	if (!CBB_add_u8(&cbb_hs, 0))
300	goto err;
301	if (!tls13_handshake_msg_finish(hs_msg))
302	goto err;
303
304	ctx->key_update_request = 1;
305	tls13_handshake_msg_data(hs_msg, &cbs_hs);
306	ret = tls13_record_layer_phh(ctx->rl, &cbs_hs);
307
308	tls13_handshake_msg_free(hs_msg);
309	hs_msg = NULL;
310
311	return ret;
312
313	err:
314	tls13_handshake_msg_free(hs_msg);
315
316	return tls13_send_alert(ctx->rl, alert);
317	}
318
319	static void
320	tls13_phh_done_cb(void *cb_arg)
321	{
322	struct tls13_ctx *ctx = cb_arg;
323
324	if (ctx->key_update_request) {
325	tls13_phh_update_local_traffic_secret(ctx);
326	ctx->key_update_request = 0;
327	}
328	}
329
330	static ssize_t
331	tls13_phh_received_cb(void cb_arg, CBS cbs)
332	{
333	ssize_t ret = TLS13_IO_FAILURE;
334	struct tls13_ctx *ctx = cb_arg;
335	CBS phh_cbs;
336
337	if (!tls13_phh_limit_check(ctx))
338	return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
339
340	if ((ctx->hs_msg == NULL) &&
341	((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
342	return TLS13_IO_FAILURE;
343
344	if (!tls13_handshake_msg_set_buffer(ctx->hs_msg, cbs))
345	return TLS13_IO_FAILURE;
346
347	if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl))
348	!= TLS13_IO_SUCCESS)
349	return ret;
350
351	if (!tls13_handshake_msg_content(ctx->hs_msg, &phh_cbs))
352	return TLS13_IO_FAILURE;
353
354	switch(tls13_handshake_msg_type(ctx->hs_msg)) {
355	case TLS13_MT_KEY_UPDATE:
356	ret = tls13_key_update_recv(ctx, &phh_cbs);
357	break;
358	case TLS13_MT_NEW_SESSION_TICKET:
359	/* XXX do nothing for now and ignore this */
360	break;
361	case TLS13_MT_CERTIFICATE_REQUEST:
362	/* XXX add support if we choose to advertise this */
363	/* FALLTHROUGH */
364	default:
365	ret = TLS13_IO_FAILURE; /* XXX send alert */
366	break;
367	}
368
369	tls13_handshake_msg_free(ctx->hs_msg);
370	ctx->hs_msg = NULL;
371	return ret;
372	}
373
374	static const struct tls13_record_layer_callbacks rl_callbacks = {
375	.wire_read = tls13_legacy_wire_read_cb,
376	.wire_write = tls13_legacy_wire_write_cb,
377	.wire_flush = tls13_legacy_wire_flush_cb,
378	.alert_recv = tls13_alert_received_cb,
379	.alert_sent = tls13_alert_sent_cb,
380	.phh_recv = tls13_phh_received_cb,
381	.phh_sent = tls13_phh_done_cb,
382	};
383
384	struct tls13_ctx *
385	tls13_ctx_new(int mode)
386	{
387	struct tls13_ctx *ctx = NULL;
388
389	if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
390	goto err;
391
392	ctx->mode = mode;
393
394	if ((ctx->rl = tls13_record_layer_new(&rl_callbacks, ctx)) == NULL)
395	goto err;
396
397	ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
398	ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
399	ctx->info_cb = tls13_legacy_info_cb;
400	ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
401
402	ctx->middlebox_compat = 1;
403
404	return ctx;
405
406	err:
407	tls13_ctx_free(ctx);
408
409	return NULL;
410	}
411
412	void
413	tls13_ctx_free(struct tls13_ctx *ctx)
414	{
415	if (ctx == NULL)
416	return;
417
418	tls13_error_clear(&ctx->error);
419	tls13_record_layer_free(ctx->rl);
420	tls13_handshake_msg_free(ctx->hs_msg);
421
422	freezero(ctx, sizeof(struct tls13_ctx));
423	}
424
425	int
426	tls13_cert_add(struct tls13_ctx ctx, CBB cbb, X509 *cert,
427	int (build_extensions)(SSL s, uint16_t msg_type, CBB *cbb))
428	{
429	CBB cert_data, cert_exts;
430	uint8_t *data;
431	int cert_len;
432
433	if ((cert_len = i2d_X509(cert, NULL)) < 0)
434	return 0;
435
436	if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
437	return 0;
438	if (!CBB_add_space(&cert_data, &data, cert_len))
439	return 0;
440	if (i2d_X509(cert, &data) != cert_len)
441	return 0;
442	if (build_extensions != NULL) {
443	if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
444	return 0;
445	} else {
446	if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
447	return 0;
448	}
449	if (!CBB_flush(cbb))
450	return 0;
451
452	return 1;
453	}
454
455	int
456	tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
457	{
458	struct tls13_handshake_msg *hm = NULL;
459	unsigned char buf[EVP_MAX_MD_SIZE];
460	size_t hash_len;
461	CBB cbb;
462	CBS cbs;
463	SSL *s = ctx->ssl;
464	int ret = 0;
465
466	/*
467	* Replace ClientHello with synthetic handshake message - see
468	* RFC 8446 section 4.4.1.
469	*/
470	if (!tls1_transcript_hash_init(s))
471	goto err;
472	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
473	goto err;
474
475	if ((hm = tls13_handshake_msg_new()) == NULL)
476	goto err;
477	if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
478	goto err;
479	if (!CBB_add_bytes(&cbb, buf, hash_len))
480	goto err;
481	if (!tls13_handshake_msg_finish(hm))
482	goto err;
483
484	tls13_handshake_msg_data(hm, &cbs);
485
486	tls1_transcript_reset(ctx->ssl);
487	if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
488	goto err;
489
490	ret = 1;
491
492	err:
493	tls13_handshake_msg_free(hm);
494
495	return ret;
496	}
497
498	int
499	tls13_clienthello_hash_init(struct tls13_ctx *ctx)
500	{
501	if (ctx->hs->tls13.clienthello_md_ctx != NULL)
502	return 0;
503	if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
504	return 0;
505	if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
506	EVP_sha256(), NULL))
507	return 0;
508
509	if ((ctx->hs->tls13.clienthello_hash == NULL) &&
510	(ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
511	NULL)
512	return 0;
513
514	return 1;
515	}
516
517	void
518	tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st hs) / XXX */
519	{
520	EVP_MD_CTX_free(hs->clienthello_md_ctx);
521	hs->clienthello_md_ctx = NULL;
522	freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
523	hs->clienthello_hash = NULL;
524	}
525
526	int
527	tls13_clienthello_hash_update_bytes(struct tls13_ctx ctx, void data,
528	size_t len)
529	{
530	return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
531	}
532
533	int
534	tls13_clienthello_hash_update(struct tls13_ctx ctx, CBS cbs)
535	{
536	return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
537	CBS_len(cbs));
538	}
539
540	int
541	tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
542	{
543	if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
544	ctx->hs->tls13.clienthello_hash,
545	&ctx->hs->tls13.clienthello_hash_len))
546	return 0;
547	EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
548	ctx->hs->tls13.clienthello_md_ctx = NULL;
549	return 1;
550	}
551
552	int
553	tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
554	{
555	unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
556	unsigned int new_ch_hash_len;
557
558	if (ctx->hs->tls13.clienthello_hash == NULL)
559	return 0;
560
561	if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
562	new_ch_hash, &new_ch_hash_len))
563	return 0;
564	EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
565	ctx->hs->tls13.clienthello_md_ctx = NULL;
566
567	if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
568	return 0;
569	if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
570	new_ch_hash_len) != 0)
571	return 0;
572
573	return 1;
574	}
575
576	int
577	tls13_exporter(struct tls13_ctx ctx, const uint8_t label, size_t label_len,
578	const uint8_t context_value, size_t context_value_len, uint8_t out,
579	size_t out_len)
580	{
581	struct tls13_secret context, export_out, export_secret;
582	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
583	EVP_MD_CTX *md_ctx = NULL;
584	unsigned int md_out_len;
585	int md_len;
586	int ret = 0;
587
588	/*
589	* RFC 8446 Section 7.5.
590	*/
591
592	memset(&context, 0, sizeof(context));
593	memset(&export_secret, 0, sizeof(export_secret));
594
595	export_out.data = out;
596	export_out.len = out_len;
597
598	if (!ctx->handshake_completed)
599	return 0;
600
601	md_len = EVP_MD_size(secrets->digest);
602	if (md_len <= 0 \|\| md_len > EVP_MAX_MD_SIZE)
603	goto err;
604
605	if (!tls13_secret_init(&export_secret, md_len))
606	goto err;
607	if (!tls13_secret_init(&context, md_len))
608	goto err;
609
610	/* In TLSv1.3 no context is equivalent to an empty context. */
611	if (context_value == NULL) {
612	context_value = "";
613	context_value_len = 0;
614	}
615
616	if ((md_ctx = EVP_MD_CTX_new()) == NULL)
617	goto err;
618	if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL))
619	goto err;
620	if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len))
621	goto err;
622	if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len))
623	goto err;
624	if (md_len != md_out_len)
625	goto err;
626
627	if (!tls13_derive_secret_with_label_length(&export_secret,
628	secrets->digest, &secrets->exporter_master, label, label_len,
629	&secrets->empty_hash))
630	goto err;
631
632	if (!tls13_hkdf_expand_label(&export_out, secrets->digest,
633	&export_secret, "exporter", &context))
634	goto err;
635
636	ret = 1;
637
638	err:
639	EVP_MD_CTX_free(md_ctx);
640	tls13_secret_cleanup(&context);
641	tls13_secret_cleanup(&export_secret);
642
643	return ret;
644	}