1 files changed, 0 insertions, 650 deletions
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
deleted file mode 100644
index f064521c8b..0000000000
--- a/src/lib/libssl/tls13_lib.c
+++ /dev/null
@@ -1,650 +0,0 @@
-/*      $OpenBSD: tls13_lib.c,v 1.59 2021/04/07 21:48:23 tb Exp $ */
-/*
- * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
- * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <stddef.h>
-#include <openssl/evp.h>
-#include "ssl_locl.h"
-#include "ssl_tlsext.h"
-#include "tls13_internal.h"
-/*
- * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
- * by the server in server random if it is willing to downgrade but supports
- * TLSv1.3
- */
-const uint8_t tls13_downgrade_12[8] = {
-        0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
-};
-const uint8_t tls13_downgrade_11[8] = {
-        0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
-};
-/*
- * HelloRetryRequest hash - RFC 8446 section 4.1.3.
- */
-const uint8_t tls13_hello_retry_request_hash[32] = {
-        0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
-        0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
-        0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
-        0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
-};
-/*
- * Certificate Verify padding - RFC 8446 section 4.4.3.
- */
-const uint8_t tls13_cert_verify_pad[64] = {
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-};
-const uint8_t tls13_cert_client_verify_context[] =
-    "TLS 1.3, client CertificateVerify";
-const uint8_t tls13_cert_server_verify_context[] =
-    "TLS 1.3, server CertificateVerify";
-const EVP_AEAD *
-tls13_cipher_aead(const SSL_CIPHER *cipher)
-{
-        if (cipher == NULL)
-                return NULL;
-        if (cipher->algorithm_ssl != SSL_TLSV1_3)
-                return NULL;
-        switch (cipher->algorithm_enc) {
-        case SSL_AES128GCM:
-                return EVP_aead_aes_128_gcm();
-        case SSL_AES256GCM:
-                return EVP_aead_aes_256_gcm();
-        case SSL_CHACHA20POLY1305:
-                return EVP_aead_chacha20_poly1305();
-        }
-        return NULL;
-}
-const EVP_MD *
-tls13_cipher_hash(const SSL_CIPHER *cipher)
-{
-        if (cipher == NULL)
-                return NULL;
-        if (cipher->algorithm_ssl != SSL_TLSV1_3)
-                return NULL;
-        switch (cipher->algorithm2) {
-        case SSL_HANDSHAKE_MAC_SHA256:
-                return EVP_sha256();
-        case SSL_HANDSHAKE_MAC_SHA384:
-                return EVP_sha384();
-        }
-        return NULL;
-}
-static void
-tls13_alert_received_cb(uint8_t alert_desc, void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
-                ctx->close_notify_recv = 1;
-                ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN;
-                S3I(ctx->ssl)->warn_alert = alert_desc;
-                return;
-        }
-        if (alert_desc == TLS13_ALERT_USER_CANCELED) {
-                /*
-                 * We treat this as advisory, since a close_notify alert
-                 * SHOULD follow this alert (RFC 8446 section 6.1).
-                 */
-                return;
-        }
-        /* All other alerts are treated as fatal in TLSv1.3. */
-        S3I(ctx->ssl)->fatal_alert = alert_desc;
-        SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
-        ERR_asprintf_error_data("SSL alert number %d", alert_desc);
-        SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
-}
-static void
-tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
-                ctx->close_notify_sent = 1;
-                return;
-        }
-        if (alert_desc == TLS13_ALERT_USER_CANCELED) {
-                return;
-        }
-        /* All other alerts are treated as fatal in TLSv1.3. */
-        if (ctx->error.code == 0)
-                SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
-}
-static void
-tls13_legacy_handshake_message_recv_cb(void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        CBS cbs;
-        if (s->internal->msg_callback == NULL)
-                return;
-        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
-        s->internal->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HANDSHAKE,
-            CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg);
-}
-static void
-tls13_legacy_handshake_message_sent_cb(void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        CBS cbs;
-        if (s->internal->msg_callback == NULL)
-                return;
-        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
-        s->internal->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HANDSHAKE,
-            CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg);
-}
-static void
-tls13_legacy_info_cb(void *arg, int state, int ret)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        void (*cb)(const SSL *, int, int);
-        if ((cb = s->internal->info_callback) == NULL)
-                cb = s->ctx->internal->info_callback;
-        if (cb != NULL)
-                cb(s, state, ret);
-}
-static int
-tls13_legacy_ocsp_status_recv_cb(void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        int ret;
-        if (s->ctx->internal->tlsext_status_cb == NULL ||
-            s->internal->tlsext_ocsp_resp == NULL)
-                return 1;
-        ret = s->ctx->internal->tlsext_status_cb(s,
-            s->ctx->internal->tlsext_status_arg);
-        if (ret < 0) {
-                ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        if (ret == 0) {
-                ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE;
-                SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
-                return 0;
-        }
-        return 1;
-}
-static int
-tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx)
-{
-        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-        if (ctx->mode == TLS13_HS_CLIENT)
-                return (tls13_update_client_traffic_secret(secrets) &&
-                    tls13_record_layer_set_write_traffic_key(ctx->rl,
-                        &secrets->client_application_traffic));
-        return (tls13_update_server_traffic_secret(secrets) &&
-            tls13_record_layer_set_read_traffic_key(ctx->rl,
-            &secrets->server_application_traffic));
-}
-static int
-tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx)
-{
-        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-        if (ctx->mode == TLS13_HS_CLIENT)
-                return (tls13_update_server_traffic_secret(secrets) &&
-                    tls13_record_layer_set_read_traffic_key(ctx->rl,
-                    &secrets->server_application_traffic));
-        return (tls13_update_client_traffic_secret(secrets) &&
-            tls13_record_layer_set_write_traffic_key(ctx->rl,
-            &secrets->client_application_traffic));
-}
-/*
- * XXX arbitrarily chosen limit of 100 post handshake handshake
- * messages in an hour - to avoid a hostile peer from constantly
- * requesting certificates or key renegotiaitons, etc.
- */
-static int
-tls13_phh_limit_check(struct tls13_ctx *ctx)
-{
-        time_t now = time(NULL);
-        if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
-                if (ctx->phh_count > TLS13_PHH_LIMIT)
-                        return 0;
-        } else
-                ctx->phh_count = 0;
-        ctx->phh_count++;
-        ctx->phh_last_seen = now;
-        return 1;
-}
-static ssize_t
-tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
-{
-        struct tls13_handshake_msg *hs_msg = NULL;
-        CBB cbb_hs;
-        CBS cbs_hs;
-        uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
-        uint8_t key_update_request;
-        ssize_t ret;
-        if (!CBS_get_u8(cbs, &key_update_request)) {
-                alert = TLS13_ALERT_DECODE_ERROR;
-                goto err;
-        }
-        if (CBS_len(cbs) != 0) {
-                alert = TLS13_ALERT_DECODE_ERROR;
-                goto err;
-        }
-        if (key_update_request > 1) {
-                alert = TLS13_ALERT_ILLEGAL_PARAMETER;
-                goto err;
-        }
-        if (!tls13_phh_update_peer_traffic_secret(ctx))
-                goto err;
-        if (key_update_request == 0)
-                return TLS13_IO_SUCCESS;
-        /* key_update_request == 1 */
-        if ((hs_msg = tls13_handshake_msg_new()) == NULL)
-                goto err;
-        if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE))
-                goto err;
-        if (!CBB_add_u8(&cbb_hs, 0))
-                goto err;
-        if (!tls13_handshake_msg_finish(hs_msg))
-                goto err;
-        ctx->key_update_request = 1;
-        tls13_handshake_msg_data(hs_msg, &cbs_hs);
-        ret = tls13_record_layer_phh(ctx->rl, &cbs_hs);
-        tls13_handshake_msg_free(hs_msg);
-        hs_msg = NULL;
-        return ret;
- err:
-        tls13_handshake_msg_free(hs_msg);
-        return tls13_send_alert(ctx->rl, alert);
-}
-static void
-tls13_phh_done_cb(void *cb_arg)
-{
-        struct tls13_ctx *ctx = cb_arg;
-        if (ctx->key_update_request) {
-                tls13_phh_update_local_traffic_secret(ctx);
-                ctx->key_update_request = 0;
-        }
-}
-static ssize_t
-tls13_phh_received_cb(void *cb_arg, CBS *cbs)
-{
-        ssize_t ret = TLS13_IO_FAILURE;
-        struct tls13_ctx *ctx = cb_arg;
-        CBS phh_cbs;
-        if (!tls13_phh_limit_check(ctx))
-                return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
-        if ((ctx->hs_msg == NULL) &&
-            ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
-                return TLS13_IO_FAILURE;
-        if (!tls13_handshake_msg_set_buffer(ctx->hs_msg, cbs))
-                return TLS13_IO_FAILURE;
-        if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl))
-            != TLS13_IO_SUCCESS)
-                return ret;
-        if (!tls13_handshake_msg_content(ctx->hs_msg, &phh_cbs))
-                return TLS13_IO_FAILURE;
-        switch(tls13_handshake_msg_type(ctx->hs_msg)) {
-        case TLS13_MT_KEY_UPDATE:
-                ret = tls13_key_update_recv(ctx, &phh_cbs);
-                break;
-        case TLS13_MT_NEW_SESSION_TICKET:
-                /* XXX do nothing for now and ignore this */
-                break;
-        case TLS13_MT_CERTIFICATE_REQUEST:
-                /* XXX add support if we choose to advertise this */
-                /* FALLTHROUGH */
-        default:
-                ret = TLS13_IO_FAILURE; /* XXX send alert */
-                break;
-        }
-        tls13_handshake_msg_free(ctx->hs_msg);
-        ctx->hs_msg = NULL;
-        return ret;
-}
-static const struct tls13_record_layer_callbacks rl_callbacks = {
-        .wire_read = tls13_legacy_wire_read_cb,
-        .wire_write = tls13_legacy_wire_write_cb,
-        .alert_recv = tls13_alert_received_cb,
-        .alert_sent = tls13_alert_sent_cb,
-        .phh_recv = tls13_phh_received_cb,
-        .phh_sent = tls13_phh_done_cb,
-};
-struct tls13_ctx *
-tls13_ctx_new(int mode)
-{
-        struct tls13_ctx *ctx = NULL;
-        if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
-                goto err;
-        ctx->mode = mode;
-        if ((ctx->rl = tls13_record_layer_new(&rl_callbacks, ctx)) == NULL)
-                goto err;
-        ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
-        ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
-        ctx->info_cb = tls13_legacy_info_cb;
-        ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
-        ctx->middlebox_compat = 1;
-        return ctx;
- err:
-        tls13_ctx_free(ctx);
-        return NULL;
-}
-void
-tls13_ctx_free(struct tls13_ctx *ctx)
-{
-        if (ctx == NULL)
-                return;
-        tls13_error_clear(&ctx->error);
-        tls13_record_layer_free(ctx->rl);
-        tls13_handshake_msg_free(ctx->hs_msg);
-        freezero(ctx, sizeof(struct tls13_ctx));
-}
-int
-tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
-    int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb))
-{
-        CBB cert_data, cert_exts;
-        uint8_t *data;
-        int cert_len;
-        if ((cert_len = i2d_X509(cert, NULL)) < 0)
-                return 0;
-        if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
-                return 0;
-        if (!CBB_add_space(&cert_data, &data, cert_len))
-                return 0;
-        if (i2d_X509(cert, &data) != cert_len)
-                return 0;
-        if (build_extensions != NULL) {
-                if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
-                        return 0;
-        } else {
-                if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
-                        return 0;
-        }
-        if (!CBB_flush(cbb))
-                return 0;
-        return 1;
-}
-int
-tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
-{
-        struct tls13_handshake_msg *hm = NULL;
-        unsigned char buf[EVP_MAX_MD_SIZE];
-        size_t hash_len;
-        CBB cbb;
-        CBS cbs;
-        SSL *s = ctx->ssl;
-        int ret = 0;
-        /*
-         * Replace ClientHello with synthetic handshake message - see
-         * RFC 8446 section 4.4.1.
-         */
-        if (!tls1_transcript_hash_init(s))
-                goto err;
-        if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
-                goto err;
-        if ((hm = tls13_handshake_msg_new()) == NULL)
-                goto err;
-        if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
-                goto err;
-        if (!CBB_add_bytes(&cbb, buf, hash_len))
-                goto err;
-        if (!tls13_handshake_msg_finish(hm))
-                goto err;
-        tls13_handshake_msg_data(hm, &cbs);
-        tls1_transcript_reset(ctx->ssl);
-        if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
-                goto err;
-        ret = 1;
- err:
-        tls13_handshake_msg_free(hm);
-        return ret;
-}
-int
-tls13_clienthello_hash_init(struct tls13_ctx *ctx)
-{
-        if (ctx->hs->tls13.clienthello_md_ctx != NULL)
-                return 0;
-        if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
-                return 0;
-        if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
-            EVP_sha256(), NULL))
-                return 0;
-        if ((ctx->hs->tls13.clienthello_hash == NULL) &&
-            (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
-            NULL)
-                return 0;
-        return 1;
-}
-void
-tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */
-{
-        EVP_MD_CTX_free(hs->clienthello_md_ctx);
-        hs->clienthello_md_ctx = NULL;
-        freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
-        hs->clienthello_hash = NULL;
-}
-int
-tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
-    size_t len)
-{
-        return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
-}
-int
-tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs)
-{
-        return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
-            CBS_len(cbs));
-}
-int
-tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
-{
-        if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
-            ctx->hs->tls13.clienthello_hash,
-            &ctx->hs->tls13.clienthello_hash_len))
-                return 0;
-        EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
-        ctx->hs->tls13.clienthello_md_ctx = NULL;
-        return 1;
-}
-int
-tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
-{
-        unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
-        unsigned int new_ch_hash_len;
-        if (ctx->hs->tls13.clienthello_hash == NULL)
-                return 0;
-        if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
-            new_ch_hash, &new_ch_hash_len))
-                return 0;
-        EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
-        ctx->hs->tls13.clienthello_md_ctx = NULL;
-        if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
-                return 0;
-        if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
-            new_ch_hash_len) != 0)
-                return 0;
-        return 1;
-}
-int
-tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len,
-    const uint8_t *context_value, size_t context_value_len, uint8_t *out,
-    size_t out_len)
-{
-        struct tls13_secret context, export_out, export_secret;
-        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-        EVP_MD_CTX *md_ctx = NULL;
-        unsigned int md_out_len;
-        int md_len;
-        int ret = 0;
-        /*
-         * RFC 8446 Section 7.5.
-         */
-        memset(&context, 0, sizeof(context));
-        memset(&export_secret, 0, sizeof(export_secret));
-        export_out.data = out;
-        export_out.len = out_len;
-        if (!ctx->handshake_completed)
-                return 0;
-        md_len = EVP_MD_size(secrets->digest);
-        if (md_len <= 0 || md_len > EVP_MAX_MD_SIZE)
-                goto err;
-        if (!tls13_secret_init(&export_secret, md_len))
-                goto err;
-        if (!tls13_secret_init(&context, md_len))
-                goto err;
-        /* In TLSv1.3 no context is equivalent to an empty context. */
-        if (context_value == NULL) {
-                context_value = "";
-                context_value_len = 0;
-        }
-        if ((md_ctx = EVP_MD_CTX_new()) == NULL)
-                goto err;
-        if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL))
-                goto err;
-        if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len))
-                goto err;
-        if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len))
-                goto err;
-        if (md_len != md_out_len)
-                goto err;
-        if (!tls13_derive_secret_with_label_length(&export_secret,
-            secrets->digest, &secrets->exporter_master, label, label_len,
-            &secrets->empty_hash))
-                goto err;
-        if (!tls13_hkdf_expand_label(&export_out, secrets->digest,
-            &export_secret, "exporter", &context))
-                goto err;
-        ret = 1;
- err:
-        EVP_MD_CTX_free(md_ctx);
-        tls13_secret_cleanup(&context);
-        tls13_secret_cleanup(&export_secret);
-        return ret;
-}

diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c deleted file mode 100644 index f064521c8b..0000000000 --- a/src/lib/libssl/tls13_lib.c +++ /dev/null
@@ -1,650 +0,0 @@
1	/* $OpenBSD: tls13_lib.c,v 1.59 2021/04/07 21:48:23 tb Exp $ */
2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
5	*
6	* Permission to use, copy, modify, and distribute this software for any
7	* purpose with or without fee is hereby granted, provided that the above
8	* copyright notice and this permission notice appear in all copies.
9	*
10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/
18
19	#include <stddef.h>
20
21	#include <openssl/evp.h>
22
23	#include "ssl_locl.h"
24	#include "ssl_tlsext.h"
25	#include "tls13_internal.h"
26
27	/*
28	* Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
29	* by the server in server random if it is willing to downgrade but supports
30	* TLSv1.3
31	*/
32	const uint8_t tls13_downgrade_12[8] = {
33	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
34	};
35	const uint8_t tls13_downgrade_11[8] = {
36	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
37	};
38
39	/*
40	* HelloRetryRequest hash - RFC 8446 section 4.1.3.
41	*/
42	const uint8_t tls13_hello_retry_request_hash[32] = {
43	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
44	0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
45	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
46	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
47	};
48
49	/*
50	* Certificate Verify padding - RFC 8446 section 4.4.3.
51	*/
52	const uint8_t tls13_cert_verify_pad[64] = {
53	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
54	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
55	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
56	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
57	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
58	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
59	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
60	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
61	};
62
63	const uint8_t tls13_cert_client_verify_context[] =
64	"TLS 1.3, client CertificateVerify";
65	const uint8_t tls13_cert_server_verify_context[] =
66	"TLS 1.3, server CertificateVerify";
67
68	const EVP_AEAD *
69	tls13_cipher_aead(const SSL_CIPHER *cipher)
70	{
71	if (cipher == NULL)
72	return NULL;
73	if (cipher->algorithm_ssl != SSL_TLSV1_3)
74	return NULL;
75
76	switch (cipher->algorithm_enc) {
77	case SSL_AES128GCM:
78	return EVP_aead_aes_128_gcm();
79	case SSL_AES256GCM:
80	return EVP_aead_aes_256_gcm();
81	case SSL_CHACHA20POLY1305:
82	return EVP_aead_chacha20_poly1305();
83	}
84
85	return NULL;
86	}
87
88	const EVP_MD *
89	tls13_cipher_hash(const SSL_CIPHER *cipher)
90	{
91	if (cipher == NULL)
92	return NULL;
93	if (cipher->algorithm_ssl != SSL_TLSV1_3)
94	return NULL;
95
96	switch (cipher->algorithm2) {
97	case SSL_HANDSHAKE_MAC_SHA256:
98	return EVP_sha256();
99	case SSL_HANDSHAKE_MAC_SHA384:
100	return EVP_sha384();
101	}
102
103	return NULL;
104	}
105
106	static void
107	tls13_alert_received_cb(uint8_t alert_desc, void *arg)
108	{
109	struct tls13_ctx *ctx = arg;
110
111	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
112	ctx->close_notify_recv = 1;
113	ctx->ssl->internal->shutdown \|= SSL_RECEIVED_SHUTDOWN;
114	S3I(ctx->ssl)->warn_alert = alert_desc;
115	return;
116	}
117
118	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
119	/*
120	* We treat this as advisory, since a close_notify alert
121	* SHOULD follow this alert (RFC 8446 section 6.1).
122	*/
123	return;
124	}
125
126	/* All other alerts are treated as fatal in TLSv1.3. */
127	S3I(ctx->ssl)->fatal_alert = alert_desc;
128
129	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
130	ERR_asprintf_error_data("SSL alert number %d", alert_desc);
131
132	SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
133	}
134
135	static void
136	tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
137	{
138	struct tls13_ctx *ctx = arg;
139
140	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
141	ctx->close_notify_sent = 1;
142	return;
143	}
144
145	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
146	return;
147	}
148
149	/* All other alerts are treated as fatal in TLSv1.3. */
150	if (ctx->error.code == 0)
151	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
152	}
153
154	static void
155	tls13_legacy_handshake_message_recv_cb(void *arg)
156	{
157	struct tls13_ctx *ctx = arg;
158	SSL *s = ctx->ssl;
159	CBS cbs;
160
161	if (s->internal->msg_callback == NULL)
162	return;
163
164	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
165	s->internal->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HANDSHAKE,
166	CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg);
167	}
168
169	static void
170	tls13_legacy_handshake_message_sent_cb(void *arg)
171	{
172	struct tls13_ctx *ctx = arg;
173	SSL *s = ctx->ssl;
174	CBS cbs;
175
176	if (s->internal->msg_callback == NULL)
177	return;
178
179	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
180	s->internal->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HANDSHAKE,
181	CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg);
182	}
183
184	static void
185	tls13_legacy_info_cb(void *arg, int state, int ret)
186	{
187	struct tls13_ctx *ctx = arg;
188	SSL *s = ctx->ssl;
189	void (cb)(const SSL , int, int);
190
191	if ((cb = s->internal->info_callback) == NULL)
192	cb = s->ctx->internal->info_callback;
193	if (cb != NULL)
194	cb(s, state, ret);
195	}
196
197	static int
198	tls13_legacy_ocsp_status_recv_cb(void *arg)
199	{
200	struct tls13_ctx *ctx = arg;
201	SSL *s = ctx->ssl;
202	int ret;
203
204	if (s->ctx->internal->tlsext_status_cb == NULL \|\|
205	s->internal->tlsext_ocsp_resp == NULL)
206	return 1;
207
208	ret = s->ctx->internal->tlsext_status_cb(s,
209	s->ctx->internal->tlsext_status_arg);
210	if (ret < 0) {
211	ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
212	SSLerror(s, ERR_R_MALLOC_FAILURE);
213	return 0;
214	}
215	if (ret == 0) {
216	ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE;
217	SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
218	return 0;
219	}
220
221	return 1;
222	}
223
224	static int
225	tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx)
226	{
227	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
228
229	if (ctx->mode == TLS13_HS_CLIENT)
230	return (tls13_update_client_traffic_secret(secrets) &&
231	tls13_record_layer_set_write_traffic_key(ctx->rl,
232	&secrets->client_application_traffic));
233	return (tls13_update_server_traffic_secret(secrets) &&
234	tls13_record_layer_set_read_traffic_key(ctx->rl,
235	&secrets->server_application_traffic));
236	}
237
238	static int
239	tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx)
240	{
241	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
242
243	if (ctx->mode == TLS13_HS_CLIENT)
244	return (tls13_update_server_traffic_secret(secrets) &&
245	tls13_record_layer_set_read_traffic_key(ctx->rl,
246	&secrets->server_application_traffic));
247	return (tls13_update_client_traffic_secret(secrets) &&
248	tls13_record_layer_set_write_traffic_key(ctx->rl,
249	&secrets->client_application_traffic));
250	}
251
252	/*
253	* XXX arbitrarily chosen limit of 100 post handshake handshake
254	* messages in an hour - to avoid a hostile peer from constantly
255	* requesting certificates or key renegotiaitons, etc.
256	*/
257	static int
258	tls13_phh_limit_check(struct tls13_ctx *ctx)
259	{
260	time_t now = time(NULL);
261
262	if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
263	if (ctx->phh_count > TLS13_PHH_LIMIT)
264	return 0;
265	} else
266	ctx->phh_count = 0;
267	ctx->phh_count++;
268	ctx->phh_last_seen = now;
269	return 1;
270	}
271
272	static ssize_t
273	tls13_key_update_recv(struct tls13_ctx ctx, CBS cbs)
274	{
275	struct tls13_handshake_msg *hs_msg = NULL;
276	CBB cbb_hs;
277	CBS cbs_hs;
278	uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
279	uint8_t key_update_request;
280	ssize_t ret;
281
282	if (!CBS_get_u8(cbs, &key_update_request)) {
283	alert = TLS13_ALERT_DECODE_ERROR;
284	goto err;
285	}
286	if (CBS_len(cbs) != 0) {
287	alert = TLS13_ALERT_DECODE_ERROR;
288	goto err;
289	}
290	if (key_update_request > 1) {
291	alert = TLS13_ALERT_ILLEGAL_PARAMETER;
292	goto err;
293	}
294
295	if (!tls13_phh_update_peer_traffic_secret(ctx))
296	goto err;
297
298	if (key_update_request == 0)
299	return TLS13_IO_SUCCESS;
300
301	/* key_update_request == 1 */
302	if ((hs_msg = tls13_handshake_msg_new()) == NULL)
303	goto err;
304	if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE))
305	goto err;
306	if (!CBB_add_u8(&cbb_hs, 0))
307	goto err;
308	if (!tls13_handshake_msg_finish(hs_msg))
309	goto err;
310
311	ctx->key_update_request = 1;
312	tls13_handshake_msg_data(hs_msg, &cbs_hs);
313	ret = tls13_record_layer_phh(ctx->rl, &cbs_hs);
314
315	tls13_handshake_msg_free(hs_msg);
316	hs_msg = NULL;
317
318	return ret;
319
320	err:
321	tls13_handshake_msg_free(hs_msg);
322
323	return tls13_send_alert(ctx->rl, alert);
324	}
325
326	static void
327	tls13_phh_done_cb(void *cb_arg)
328	{
329	struct tls13_ctx *ctx = cb_arg;
330
331	if (ctx->key_update_request) {
332	tls13_phh_update_local_traffic_secret(ctx);
333	ctx->key_update_request = 0;
334	}
335	}
336
337	static ssize_t
338	tls13_phh_received_cb(void cb_arg, CBS cbs)
339	{
340	ssize_t ret = TLS13_IO_FAILURE;
341	struct tls13_ctx *ctx = cb_arg;
342	CBS phh_cbs;
343
344	if (!tls13_phh_limit_check(ctx))
345	return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
346
347	if ((ctx->hs_msg == NULL) &&
348	((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
349	return TLS13_IO_FAILURE;
350
351	if (!tls13_handshake_msg_set_buffer(ctx->hs_msg, cbs))
352	return TLS13_IO_FAILURE;
353
354	if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl))
355	!= TLS13_IO_SUCCESS)
356	return ret;
357
358	if (!tls13_handshake_msg_content(ctx->hs_msg, &phh_cbs))
359	return TLS13_IO_FAILURE;
360
361	switch(tls13_handshake_msg_type(ctx->hs_msg)) {
362	case TLS13_MT_KEY_UPDATE:
363	ret = tls13_key_update_recv(ctx, &phh_cbs);
364	break;
365	case TLS13_MT_NEW_SESSION_TICKET:
366	/* XXX do nothing for now and ignore this */
367	break;
368	case TLS13_MT_CERTIFICATE_REQUEST:
369	/* XXX add support if we choose to advertise this */
370	/* FALLTHROUGH */
371	default:
372	ret = TLS13_IO_FAILURE; /* XXX send alert */
373	break;
374	}
375
376	tls13_handshake_msg_free(ctx->hs_msg);
377	ctx->hs_msg = NULL;
378	return ret;
379	}
380
381	static const struct tls13_record_layer_callbacks rl_callbacks = {
382	.wire_read = tls13_legacy_wire_read_cb,
383	.wire_write = tls13_legacy_wire_write_cb,
384	.alert_recv = tls13_alert_received_cb,
385	.alert_sent = tls13_alert_sent_cb,
386	.phh_recv = tls13_phh_received_cb,
387	.phh_sent = tls13_phh_done_cb,
388	};
389
390	struct tls13_ctx *
391	tls13_ctx_new(int mode)
392	{
393	struct tls13_ctx *ctx = NULL;
394
395	if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
396	goto err;
397
398	ctx->mode = mode;
399
400	if ((ctx->rl = tls13_record_layer_new(&rl_callbacks, ctx)) == NULL)
401	goto err;
402
403	ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
404	ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
405	ctx->info_cb = tls13_legacy_info_cb;
406	ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
407
408	ctx->middlebox_compat = 1;
409
410	return ctx;
411
412	err:
413	tls13_ctx_free(ctx);
414
415	return NULL;
416	}
417
418	void
419	tls13_ctx_free(struct tls13_ctx *ctx)
420	{
421	if (ctx == NULL)
422	return;
423
424	tls13_error_clear(&ctx->error);
425	tls13_record_layer_free(ctx->rl);
426	tls13_handshake_msg_free(ctx->hs_msg);
427
428	freezero(ctx, sizeof(struct tls13_ctx));
429	}
430
431	int
432	tls13_cert_add(struct tls13_ctx ctx, CBB cbb, X509 *cert,
433	int (build_extensions)(SSL s, uint16_t msg_type, CBB *cbb))
434	{
435	CBB cert_data, cert_exts;
436	uint8_t *data;
437	int cert_len;
438
439	if ((cert_len = i2d_X509(cert, NULL)) < 0)
440	return 0;
441
442	if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
443	return 0;
444	if (!CBB_add_space(&cert_data, &data, cert_len))
445	return 0;
446	if (i2d_X509(cert, &data) != cert_len)
447	return 0;
448	if (build_extensions != NULL) {
449	if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
450	return 0;
451	} else {
452	if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
453	return 0;
454	}
455	if (!CBB_flush(cbb))
456	return 0;
457
458	return 1;
459	}
460
461	int
462	tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
463	{
464	struct tls13_handshake_msg *hm = NULL;
465	unsigned char buf[EVP_MAX_MD_SIZE];
466	size_t hash_len;
467	CBB cbb;
468	CBS cbs;
469	SSL *s = ctx->ssl;
470	int ret = 0;
471
472	/*
473	* Replace ClientHello with synthetic handshake message - see
474	* RFC 8446 section 4.4.1.
475	*/
476	if (!tls1_transcript_hash_init(s))
477	goto err;
478	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
479	goto err;
480
481	if ((hm = tls13_handshake_msg_new()) == NULL)
482	goto err;
483	if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
484	goto err;
485	if (!CBB_add_bytes(&cbb, buf, hash_len))
486	goto err;
487	if (!tls13_handshake_msg_finish(hm))
488	goto err;
489
490	tls13_handshake_msg_data(hm, &cbs);
491
492	tls1_transcript_reset(ctx->ssl);
493	if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
494	goto err;
495
496	ret = 1;
497
498	err:
499	tls13_handshake_msg_free(hm);
500
501	return ret;
502	}
503
504	int
505	tls13_clienthello_hash_init(struct tls13_ctx *ctx)
506	{
507	if (ctx->hs->tls13.clienthello_md_ctx != NULL)
508	return 0;
509	if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
510	return 0;
511	if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
512	EVP_sha256(), NULL))
513	return 0;
514
515	if ((ctx->hs->tls13.clienthello_hash == NULL) &&
516	(ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
517	NULL)
518	return 0;
519
520	return 1;
521	}
522
523	void
524	tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st hs) / XXX */
525	{
526	EVP_MD_CTX_free(hs->clienthello_md_ctx);
527	hs->clienthello_md_ctx = NULL;
528	freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
529	hs->clienthello_hash = NULL;
530	}
531
532	int
533	tls13_clienthello_hash_update_bytes(struct tls13_ctx ctx, void data,
534	size_t len)
535	{
536	return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
537	}
538
539	int
540	tls13_clienthello_hash_update(struct tls13_ctx ctx, CBS cbs)
541	{
542	return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
543	CBS_len(cbs));
544	}
545
546	int
547	tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
548	{
549	if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
550	ctx->hs->tls13.clienthello_hash,
551	&ctx->hs->tls13.clienthello_hash_len))
552	return 0;
553	EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
554	ctx->hs->tls13.clienthello_md_ctx = NULL;
555	return 1;
556	}
557
558	int
559	tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
560	{
561	unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
562	unsigned int new_ch_hash_len;
563
564	if (ctx->hs->tls13.clienthello_hash == NULL)
565	return 0;
566
567	if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
568	new_ch_hash, &new_ch_hash_len))
569	return 0;
570	EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
571	ctx->hs->tls13.clienthello_md_ctx = NULL;
572
573	if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
574	return 0;
575	if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
576	new_ch_hash_len) != 0)
577	return 0;
578
579	return 1;
580	}
581
582	int
583	tls13_exporter(struct tls13_ctx ctx, const uint8_t label, size_t label_len,
584	const uint8_t context_value, size_t context_value_len, uint8_t out,
585	size_t out_len)
586	{
587	struct tls13_secret context, export_out, export_secret;
588	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
589	EVP_MD_CTX *md_ctx = NULL;
590	unsigned int md_out_len;
591	int md_len;
592	int ret = 0;
593
594	/*
595	* RFC 8446 Section 7.5.
596	*/
597
598	memset(&context, 0, sizeof(context));
599	memset(&export_secret, 0, sizeof(export_secret));
600
601	export_out.data = out;
602	export_out.len = out_len;
603
604	if (!ctx->handshake_completed)
605	return 0;
606
607	md_len = EVP_MD_size(secrets->digest);
608	if (md_len <= 0 \|\| md_len > EVP_MAX_MD_SIZE)
609	goto err;
610
611	if (!tls13_secret_init(&export_secret, md_len))
612	goto err;
613	if (!tls13_secret_init(&context, md_len))
614	goto err;
615
616	/* In TLSv1.3 no context is equivalent to an empty context. */
617	if (context_value == NULL) {
618	context_value = "";
619	context_value_len = 0;
620	}
621
622	if ((md_ctx = EVP_MD_CTX_new()) == NULL)
623	goto err;
624	if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL))
625	goto err;
626	if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len))
627	goto err;
628	if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len))
629	goto err;
630	if (md_len != md_out_len)
631	goto err;
632
633	if (!tls13_derive_secret_with_label_length(&export_secret,
634	secrets->digest, &secrets->exporter_master, label, label_len,
635	&secrets->empty_hash))
636	goto err;
637
638	if (!tls13_hkdf_expand_label(&export_out, secrets->digest,
639	&export_secret, "exporter", &context))
640	goto err;
641
642	ret = 1;
643
644	err:
645	EVP_MD_CTX_free(md_ctx);
646	tls13_secret_cleanup(&context);
647	tls13_secret_cleanup(&export_secret);
648
649	return ret;
650	}