1 files changed, 0 insertions, 701 deletions
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
deleted file mode 100644
index 05f125adc8..0000000000
--- a/src/lib/libssl/tls13_lib.c
+++ /dev/null
@@ -1,701 +0,0 @@
-/*      $OpenBSD: tls13_lib.c,v 1.76 2022/11/26 16:08:56 tb Exp $ */
-/*
- * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
- * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <stddef.h>
-#include <openssl/evp.h>
-#include "ssl_local.h"
-#include "ssl_tlsext.h"
-#include "tls13_internal.h"
-/*
- * RFC 8446, section 4.6.1. Servers must not indicate a lifetime longer than
- * 7 days and clients must not cache tickets for longer than 7 days.
- */
-#define TLS13_MAX_TICKET_LIFETIME       (7 * 24 * 3600)
-/*
- * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
- * by the server in server random if it is willing to downgrade but supports
- * TLSv1.3
- */
-const uint8_t tls13_downgrade_12[8] = {
-        0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
-};
-const uint8_t tls13_downgrade_11[8] = {
-        0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
-};
-/*
- * HelloRetryRequest hash - RFC 8446 section 4.1.3.
- */
-const uint8_t tls13_hello_retry_request_hash[32] = {
-        0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
-        0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
-        0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
-        0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
-};
-/*
- * Certificate Verify padding - RFC 8446 section 4.4.3.
- */
-const uint8_t tls13_cert_verify_pad[64] = {
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-};
-const uint8_t tls13_cert_client_verify_context[] =
-    "TLS 1.3, client CertificateVerify";
-const uint8_t tls13_cert_server_verify_context[] =
-    "TLS 1.3, server CertificateVerify";
-const EVP_AEAD *
-tls13_cipher_aead(const SSL_CIPHER *cipher)
-{
-        if (cipher == NULL)
-                return NULL;
-        if (cipher->algorithm_ssl != SSL_TLSV1_3)
-                return NULL;
-        switch (cipher->algorithm_enc) {
-        case SSL_AES128GCM:
-                return EVP_aead_aes_128_gcm();
-        case SSL_AES256GCM:
-                return EVP_aead_aes_256_gcm();
-        case SSL_CHACHA20POLY1305:
-                return EVP_aead_chacha20_poly1305();
-        }
-        return NULL;
-}
-const EVP_MD *
-tls13_cipher_hash(const SSL_CIPHER *cipher)
-{
-        if (cipher == NULL)
-                return NULL;
-        if (cipher->algorithm_ssl != SSL_TLSV1_3)
-                return NULL;
-        switch (cipher->algorithm2) {
-        case SSL_HANDSHAKE_MAC_SHA256:
-                return EVP_sha256();
-        case SSL_HANDSHAKE_MAC_SHA384:
-                return EVP_sha384();
-        }
-        return NULL;
-}
-void
-tls13_alert_received_cb(uint8_t alert_desc, void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
-                ctx->close_notify_recv = 1;
-                ctx->ssl->shutdown |= SSL_RECEIVED_SHUTDOWN;
-                ctx->ssl->s3->warn_alert = alert_desc;
-                return;
-        }
-        if (alert_desc == TLS13_ALERT_USER_CANCELED) {
-                /*
-                 * We treat this as advisory, since a close_notify alert
-                 * SHOULD follow this alert (RFC 8446 section 6.1).
-                 */
-                return;
-        }
-        /* All other alerts are treated as fatal in TLSv1.3. */
-        ctx->ssl->s3->fatal_alert = alert_desc;
-        SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
-        ERR_asprintf_error_data("SSL alert number %d", alert_desc);
-        SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
-}
-void
-tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
-                ctx->close_notify_sent = 1;
-                return;
-        }
-        if (alert_desc == TLS13_ALERT_USER_CANCELED) {
-                return;
-        }
-        /* All other alerts are treated as fatal in TLSv1.3. */
-        if (ctx->error.code == 0)
-                SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
-}
-static void
-tls13_legacy_handshake_message_recv_cb(void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        CBS cbs;
-        if (s->msg_callback == NULL)
-                return;
-        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
-        ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE, &cbs);
-}
-static void
-tls13_legacy_handshake_message_sent_cb(void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        CBS cbs;
-        if (s->msg_callback == NULL)
-                return;
-        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
-        ssl_msg_callback_cbs(s, 1, SSL3_RT_HANDSHAKE, &cbs);
-}
-static void
-tls13_legacy_info_cb(void *arg, int state, int ret)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        ssl_info_callback(s, state, ret);
-}
-static int
-tls13_legacy_ocsp_status_recv_cb(void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        SSL *s = ctx->ssl;
-        int ret;
-        if (s->ctx->tlsext_status_cb == NULL)
-                return 1;
-        ret = s->ctx->tlsext_status_cb(s,
-            s->ctx->tlsext_status_arg);
-        if (ret < 0) {
-                ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        if (ret == 0) {
-                ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE;
-                SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
-                return 0;
-        }
-        return 1;
-}
-static int
-tls13_phh_update_read_traffic_secret(struct tls13_ctx *ctx)
-{
-        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-        struct tls13_secret *secret;
-        if (ctx->mode == TLS13_HS_CLIENT) {
-                secret = &secrets->server_application_traffic;
-                if (!tls13_update_server_traffic_secret(secrets))
-                        return 0;
-        } else {
-                secret = &secrets->client_application_traffic;
-                if (!tls13_update_client_traffic_secret(secrets))
-                        return 0;
-        }
-        return tls13_record_layer_set_read_traffic_key(ctx->rl,
-            secret, ssl_encryption_application);
-}
-static int
-tls13_phh_update_write_traffic_secret(struct tls13_ctx *ctx)
-{
-        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-        struct tls13_secret *secret;
-        if (ctx->mode == TLS13_HS_CLIENT) {
-                secret = &secrets->client_application_traffic;
-                if (!tls13_update_client_traffic_secret(secrets))
-                        return 0;
-        } else {
-                secret = &secrets->server_application_traffic;
-                if (!tls13_update_server_traffic_secret(secrets))
-                        return 0;
-        }
-        return tls13_record_layer_set_write_traffic_key(ctx->rl,
-            secret, ssl_encryption_application);
-}
-/*
- * XXX arbitrarily chosen limit of 100 post handshake handshake
- * messages in an hour - to avoid a hostile peer from constantly
- * requesting certificates or key renegotiaitons, etc.
- */
-static int
-tls13_phh_limit_check(struct tls13_ctx *ctx)
-{
-        time_t now = time(NULL);
-        if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
-                if (ctx->phh_count > TLS13_PHH_LIMIT)
-                        return 0;
-        } else
-                ctx->phh_count = 0;
-        ctx->phh_count++;
-        ctx->phh_last_seen = now;
-        return 1;
-}
-static ssize_t
-tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
-{
-        struct tls13_handshake_msg *hs_msg = NULL;
-        CBB cbb_hs;
-        CBS cbs_hs;
-        uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
-        uint8_t key_update_request;
-        ssize_t ret;
-        if (!CBS_get_u8(cbs, &key_update_request)) {
-                alert = TLS13_ALERT_DECODE_ERROR;
-                goto err;
-        }
-        if (CBS_len(cbs) != 0) {
-                alert = TLS13_ALERT_DECODE_ERROR;
-                goto err;
-        }
-        if (key_update_request > 1) {
-                alert = TLS13_ALERT_ILLEGAL_PARAMETER;
-                goto err;
-        }
-        if (!tls13_phh_update_read_traffic_secret(ctx))
-                goto err;
-        if (key_update_request == 0)
-                return TLS13_IO_SUCCESS;
-        /* Our peer requested that we update our write traffic keys. */
-        if ((hs_msg = tls13_handshake_msg_new()) == NULL)
-                goto err;
-        if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE))
-                goto err;
-        if (!CBB_add_u8(&cbb_hs, 0))
-                goto err;
-        if (!tls13_handshake_msg_finish(hs_msg))
-                goto err;
-        ctx->key_update_request = 1;
-        tls13_handshake_msg_data(hs_msg, &cbs_hs);
-        ret = tls13_record_layer_phh(ctx->rl, &cbs_hs);
-        tls13_handshake_msg_free(hs_msg);
-        hs_msg = NULL;
-        return ret;
- err:
-        tls13_handshake_msg_free(hs_msg);
-        return tls13_send_alert(ctx->rl, alert);
-}
-/* RFC 8446 section 4.6.1 */
-static ssize_t
-tls13_new_session_ticket_recv(struct tls13_ctx *ctx, CBS *cbs)
-{
-        struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
-        struct tls13_secret nonce;
-        uint32_t ticket_lifetime, ticket_age_add;
-        CBS ticket_nonce, ticket;
-        SSL_SESSION *sess = NULL;
-        int alert, session_id_length;
-        ssize_t ret = 0;
-        memset(&nonce, 0, sizeof(nonce));
-        if (ctx->mode != TLS13_HS_CLIENT) {
-                alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
-                goto err;
-        }
-        alert = TLS13_ALERT_DECODE_ERROR;
-        if (!CBS_get_u32(cbs, &ticket_lifetime))
-                goto err;
-        if (!CBS_get_u32(cbs, &ticket_age_add))
-                goto err;
-        if (!CBS_get_u8_length_prefixed(cbs, &ticket_nonce))
-                goto err;
-        if (!CBS_get_u16_length_prefixed(cbs, &ticket))
-                goto err;
-        /* Extensions can only contain early_data, which we currently ignore. */
-        if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_NST, cbs, &alert))
-                goto err;
-        if (CBS_len(cbs) != 0)
-                goto err;
-        /* Zero indicates that the ticket should be discarded immediately. */
-        if (ticket_lifetime == 0) {
-                ret = TLS13_IO_SUCCESS;
-                goto done;
-        }
-        /* Servers MUST NOT use any value larger than 7 days. */
-        if (ticket_lifetime > TLS13_MAX_TICKET_LIFETIME) {
-                alert = TLS13_ALERT_ILLEGAL_PARAMETER;
-                goto err;
-        }
-        alert = TLS13_ALERT_INTERNAL_ERROR;
-        /*
-         * Create new session instead of modifying the current session.
-         * The current session could already be in the session cache.
-         */
-        if ((sess = ssl_session_dup(ctx->ssl->session, 0)) == NULL)
-                goto err;
-        sess->time = time(NULL);
-        sess->tlsext_tick_lifetime_hint = ticket_lifetime;
-        sess->tlsext_tick_age_add = ticket_age_add;
-        if (!CBS_stow(&ticket, &sess->tlsext_tick, &sess->tlsext_ticklen))
-                goto err;
-        /* XXX - ensure this doesn't overflow session_id if hash is changed. */
-        if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),
-            sess->session_id, &session_id_length, EVP_sha256(), NULL))
-                goto err;
-        sess->session_id_length = session_id_length;
-        if (!CBS_stow(&ticket_nonce, &nonce.data, &nonce.len))
-                goto err;
-        if (!tls13_secret_init(&sess->resumption_master_secret, 256))
-                goto err;
-        if (!tls13_derive_secret(&sess->resumption_master_secret,
-            secrets->digest, &secrets->resumption_master, "resumption",
-            &nonce))
-                goto err;
-        SSL_SESSION_free(ctx->ssl->session);
-        ctx->ssl->session = sess;
-        sess = NULL;
-        ssl_update_cache(ctx->ssl, SSL_SESS_CACHE_CLIENT);
-        ret = TLS13_IO_SUCCESS;
-        goto done;
- err:
-        ret = tls13_send_alert(ctx->rl, alert);
- done:
-        tls13_secret_cleanup(&nonce);
-        SSL_SESSION_free(sess);
-        return ret;
-}
-ssize_t
-tls13_phh_received_cb(void *cb_arg)
-{
-        ssize_t ret = TLS13_IO_FAILURE;
-        struct tls13_ctx *ctx = cb_arg;
-        CBS cbs;
-        if (!tls13_phh_limit_check(ctx))
-                return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
-        if ((ctx->hs_msg == NULL) &&
-            ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
-                return TLS13_IO_FAILURE;
-        if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) !=
-            TLS13_IO_SUCCESS)
-                return ret;
-        if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
-                return TLS13_IO_FAILURE;
-        switch(tls13_handshake_msg_type(ctx->hs_msg)) {
-        case TLS13_MT_KEY_UPDATE:
-                ret = tls13_key_update_recv(ctx, &cbs);
-                break;
-        case TLS13_MT_NEW_SESSION_TICKET:
-                ret = tls13_new_session_ticket_recv(ctx, &cbs);
-                break;
-        case TLS13_MT_CERTIFICATE_REQUEST:
-                /* XXX add support if we choose to advertise this */
-                /* FALLTHROUGH */
-        default:
-                ret = TLS13_IO_FAILURE; /* XXX send alert */
-                break;
-        }
-        tls13_handshake_msg_free(ctx->hs_msg);
-        ctx->hs_msg = NULL;
-        return ret;
-}
-void
-tls13_phh_done_cb(void *cb_arg)
-{
-        struct tls13_ctx *ctx = cb_arg;
-        if (ctx->key_update_request) {
-                tls13_phh_update_write_traffic_secret(ctx);
-                ctx->key_update_request = 0;
-        }
-}
-static const struct tls13_record_layer_callbacks tls13_rl_callbacks = {
-        .wire_read = tls13_legacy_wire_read_cb,
-        .wire_write = tls13_legacy_wire_write_cb,
-        .wire_flush = tls13_legacy_wire_flush_cb,
-        .alert_recv = tls13_alert_received_cb,
-        .alert_sent = tls13_alert_sent_cb,
-        .phh_recv = tls13_phh_received_cb,
-        .phh_sent = tls13_phh_done_cb,
-};
-struct tls13_ctx *
-tls13_ctx_new(int mode, SSL *ssl)
-{
-        struct tls13_ctx *ctx = NULL;
-        if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
-                goto err;
-        ctx->hs = &ssl->s3->hs;
-        ctx->mode = mode;
-        ctx->ssl = ssl;
-        if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL)
-                goto err;
-        ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
-        ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
-        ctx->info_cb = tls13_legacy_info_cb;
-        ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
-        ctx->middlebox_compat = 1;
-        ssl->tls13 = ctx;
-        if (SSL_is_quic(ssl)) {
-                if (!tls13_quic_init(ctx))
-                        goto err;
-        }
-        return ctx;
- err:
-        tls13_ctx_free(ctx);
-        return NULL;
-}
-void
-tls13_ctx_free(struct tls13_ctx *ctx)
-{
-        if (ctx == NULL)
-                return;
-        tls13_error_clear(&ctx->error);
-        tls13_record_layer_free(ctx->rl);
-        tls13_handshake_msg_free(ctx->hs_msg);
-        freezero(ctx, sizeof(struct tls13_ctx));
-}
-int
-tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
-    int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb))
-{
-        CBB cert_data, cert_exts;
-        uint8_t *data;
-        int cert_len;
-        if ((cert_len = i2d_X509(cert, NULL)) < 0)
-                return 0;
-        if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
-                return 0;
-        if (!CBB_add_space(&cert_data, &data, cert_len))
-                return 0;
-        if (i2d_X509(cert, &data) != cert_len)
-                return 0;
-        if (build_extensions != NULL) {
-                if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
-                        return 0;
-        } else {
-                if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
-                        return 0;
-        }
-        if (!CBB_flush(cbb))
-                return 0;
-        return 1;
-}
-int
-tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
-{
-        struct tls13_handshake_msg *hm = NULL;
-        unsigned char buf[EVP_MAX_MD_SIZE];
-        size_t hash_len;
-        CBB cbb;
-        CBS cbs;
-        SSL *s = ctx->ssl;
-        int ret = 0;
-        /*
-         * Replace ClientHello with synthetic handshake message - see
-         * RFC 8446 section 4.4.1.
-         */
-        if (!tls1_transcript_hash_init(s))
-                goto err;
-        if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
-                goto err;
-        if ((hm = tls13_handshake_msg_new()) == NULL)
-                goto err;
-        if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
-                goto err;
-        if (!CBB_add_bytes(&cbb, buf, hash_len))
-                goto err;
-        if (!tls13_handshake_msg_finish(hm))
-                goto err;
-        tls13_handshake_msg_data(hm, &cbs);
-        tls1_transcript_reset(ctx->ssl);
-        if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
-                goto err;
-        ret = 1;
- err:
-        tls13_handshake_msg_free(hm);
-        return ret;
-}
-int
-tls13_clienthello_hash_init(struct tls13_ctx *ctx)
-{
-        if (ctx->hs->tls13.clienthello_md_ctx != NULL)
-                return 0;
-        if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
-                return 0;
-        if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
-            EVP_sha256(), NULL))
-                return 0;
-        if ((ctx->hs->tls13.clienthello_hash == NULL) &&
-            (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
-            NULL)
-                return 0;
-        return 1;
-}
-void
-tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */
-{
-        EVP_MD_CTX_free(hs->clienthello_md_ctx);
-        hs->clienthello_md_ctx = NULL;
-        freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
-        hs->clienthello_hash = NULL;
-}
-int
-tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
-    size_t len)
-{
-        return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
-}
-int
-tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs)
-{
-        return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
-            CBS_len(cbs));
-}
-int
-tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
-{
-        if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
-            ctx->hs->tls13.clienthello_hash,
-            &ctx->hs->tls13.clienthello_hash_len))
-                return 0;
-        EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
-        ctx->hs->tls13.clienthello_md_ctx = NULL;
-        return 1;
-}
-int
-tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
-{
-        unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
-        unsigned int new_ch_hash_len;
-        if (ctx->hs->tls13.clienthello_hash == NULL)
-                return 0;
-        if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
-            new_ch_hash, &new_ch_hash_len))
-                return 0;
-        EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
-        ctx->hs->tls13.clienthello_md_ctx = NULL;
-        if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
-                return 0;
-        if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
-            new_ch_hash_len) != 0)
-                return 0;
-        return 1;
-}

diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c deleted file mode 100644 index 05f125adc8..0000000000 --- a/src/lib/libssl/tls13_lib.c +++ /dev/null
@@ -1,701 +0,0 @@
1	/* $OpenBSD: tls13_lib.c,v 1.76 2022/11/26 16:08:56 tb Exp $ */
2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
5	*
6	* Permission to use, copy, modify, and distribute this software for any
7	* purpose with or without fee is hereby granted, provided that the above
8	* copyright notice and this permission notice appear in all copies.
9	*
10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/
18
19	#include <stddef.h>
20
21	#include <openssl/evp.h>
22
23	#include "ssl_local.h"
24	#include "ssl_tlsext.h"
25	#include "tls13_internal.h"
26
27	/*
28	* RFC 8446, section 4.6.1. Servers must not indicate a lifetime longer than
29	* 7 days and clients must not cache tickets for longer than 7 days.
30	*/
31
32	#define TLS13_MAX_TICKET_LIFETIME (7 * 24 * 3600)
33
34	/*
35	* Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
36	* by the server in server random if it is willing to downgrade but supports
37	* TLSv1.3
38	*/
39	const uint8_t tls13_downgrade_12[8] = {
40	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
41	};
42	const uint8_t tls13_downgrade_11[8] = {
43	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
44	};
45
46	/*
47	* HelloRetryRequest hash - RFC 8446 section 4.1.3.
48	*/
49	const uint8_t tls13_hello_retry_request_hash[32] = {
50	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
51	0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
52	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
53	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
54	};
55
56	/*
57	* Certificate Verify padding - RFC 8446 section 4.4.3.
58	*/
59	const uint8_t tls13_cert_verify_pad[64] = {
60	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
61	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
62	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
63	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
64	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
65	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
66	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
67	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
68	};
69
70	const uint8_t tls13_cert_client_verify_context[] =
71	"TLS 1.3, client CertificateVerify";
72	const uint8_t tls13_cert_server_verify_context[] =
73	"TLS 1.3, server CertificateVerify";
74
75	const EVP_AEAD *
76	tls13_cipher_aead(const SSL_CIPHER *cipher)
77	{
78	if (cipher == NULL)
79	return NULL;
80	if (cipher->algorithm_ssl != SSL_TLSV1_3)
81	return NULL;
82
83	switch (cipher->algorithm_enc) {
84	case SSL_AES128GCM:
85	return EVP_aead_aes_128_gcm();
86	case SSL_AES256GCM:
87	return EVP_aead_aes_256_gcm();
88	case SSL_CHACHA20POLY1305:
89	return EVP_aead_chacha20_poly1305();
90	}
91
92	return NULL;
93	}
94
95	const EVP_MD *
96	tls13_cipher_hash(const SSL_CIPHER *cipher)
97	{
98	if (cipher == NULL)
99	return NULL;
100	if (cipher->algorithm_ssl != SSL_TLSV1_3)
101	return NULL;
102
103	switch (cipher->algorithm2) {
104	case SSL_HANDSHAKE_MAC_SHA256:
105	return EVP_sha256();
106	case SSL_HANDSHAKE_MAC_SHA384:
107	return EVP_sha384();
108	}
109
110	return NULL;
111	}
112
113	void
114	tls13_alert_received_cb(uint8_t alert_desc, void *arg)
115	{
116	struct tls13_ctx *ctx = arg;
117
118	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
119	ctx->close_notify_recv = 1;
120	ctx->ssl->shutdown \|= SSL_RECEIVED_SHUTDOWN;
121	ctx->ssl->s3->warn_alert = alert_desc;
122	return;
123	}
124
125	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
126	/*
127	* We treat this as advisory, since a close_notify alert
128	* SHOULD follow this alert (RFC 8446 section 6.1).
129	*/
130	return;
131	}
132
133	/* All other alerts are treated as fatal in TLSv1.3. */
134	ctx->ssl->s3->fatal_alert = alert_desc;
135
136	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
137	ERR_asprintf_error_data("SSL alert number %d", alert_desc);
138
139	SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
140	}
141
142	void
143	tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
144	{
145	struct tls13_ctx *ctx = arg;
146
147	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
148	ctx->close_notify_sent = 1;
149	return;
150	}
151
152	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
153	return;
154	}
155
156	/* All other alerts are treated as fatal in TLSv1.3. */
157	if (ctx->error.code == 0)
158	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
159	}
160
161	static void
162	tls13_legacy_handshake_message_recv_cb(void *arg)
163	{
164	struct tls13_ctx *ctx = arg;
165	SSL *s = ctx->ssl;
166	CBS cbs;
167
168	if (s->msg_callback == NULL)
169	return;
170
171	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
172	ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE, &cbs);
173	}
174
175	static void
176	tls13_legacy_handshake_message_sent_cb(void *arg)
177	{
178	struct tls13_ctx *ctx = arg;
179	SSL *s = ctx->ssl;
180	CBS cbs;
181
182	if (s->msg_callback == NULL)
183	return;
184
185	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
186	ssl_msg_callback_cbs(s, 1, SSL3_RT_HANDSHAKE, &cbs);
187	}
188
189	static void
190	tls13_legacy_info_cb(void *arg, int state, int ret)
191	{
192	struct tls13_ctx *ctx = arg;
193	SSL *s = ctx->ssl;
194
195	ssl_info_callback(s, state, ret);
196	}
197
198	static int
199	tls13_legacy_ocsp_status_recv_cb(void *arg)
200	{
201	struct tls13_ctx *ctx = arg;
202	SSL *s = ctx->ssl;
203	int ret;
204
205	if (s->ctx->tlsext_status_cb == NULL)
206	return 1;
207
208	ret = s->ctx->tlsext_status_cb(s,
209	s->ctx->tlsext_status_arg);
210	if (ret < 0) {
211	ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
212	SSLerror(s, ERR_R_MALLOC_FAILURE);
213	return 0;
214	}
215	if (ret == 0) {
216	ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE;
217	SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
218	return 0;
219	}
220
221	return 1;
222	}
223
224	static int
225	tls13_phh_update_read_traffic_secret(struct tls13_ctx *ctx)
226	{
227	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
228	struct tls13_secret *secret;
229
230	if (ctx->mode == TLS13_HS_CLIENT) {
231	secret = &secrets->server_application_traffic;
232	if (!tls13_update_server_traffic_secret(secrets))
233	return 0;
234	} else {
235	secret = &secrets->client_application_traffic;
236	if (!tls13_update_client_traffic_secret(secrets))
237	return 0;
238	}
239
240	return tls13_record_layer_set_read_traffic_key(ctx->rl,
241	secret, ssl_encryption_application);
242	}
243
244	static int
245	tls13_phh_update_write_traffic_secret(struct tls13_ctx *ctx)
246	{
247	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
248	struct tls13_secret *secret;
249
250	if (ctx->mode == TLS13_HS_CLIENT) {
251	secret = &secrets->client_application_traffic;
252	if (!tls13_update_client_traffic_secret(secrets))
253	return 0;
254	} else {
255	secret = &secrets->server_application_traffic;
256	if (!tls13_update_server_traffic_secret(secrets))
257	return 0;
258	}
259
260	return tls13_record_layer_set_write_traffic_key(ctx->rl,
261	secret, ssl_encryption_application);
262	}
263
264	/*
265	* XXX arbitrarily chosen limit of 100 post handshake handshake
266	* messages in an hour - to avoid a hostile peer from constantly
267	* requesting certificates or key renegotiaitons, etc.
268	*/
269	static int
270	tls13_phh_limit_check(struct tls13_ctx *ctx)
271	{
272	time_t now = time(NULL);
273
274	if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
275	if (ctx->phh_count > TLS13_PHH_LIMIT)
276	return 0;
277	} else
278	ctx->phh_count = 0;
279	ctx->phh_count++;
280	ctx->phh_last_seen = now;
281	return 1;
282	}
283
284	static ssize_t
285	tls13_key_update_recv(struct tls13_ctx ctx, CBS cbs)
286	{
287	struct tls13_handshake_msg *hs_msg = NULL;
288	CBB cbb_hs;
289	CBS cbs_hs;
290	uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
291	uint8_t key_update_request;
292	ssize_t ret;
293
294	if (!CBS_get_u8(cbs, &key_update_request)) {
295	alert = TLS13_ALERT_DECODE_ERROR;
296	goto err;
297	}
298	if (CBS_len(cbs) != 0) {
299	alert = TLS13_ALERT_DECODE_ERROR;
300	goto err;
301	}
302	if (key_update_request > 1) {
303	alert = TLS13_ALERT_ILLEGAL_PARAMETER;
304	goto err;
305	}
306
307	if (!tls13_phh_update_read_traffic_secret(ctx))
308	goto err;
309
310	if (key_update_request == 0)
311	return TLS13_IO_SUCCESS;
312
313	/* Our peer requested that we update our write traffic keys. */
314	if ((hs_msg = tls13_handshake_msg_new()) == NULL)
315	goto err;
316	if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE))
317	goto err;
318	if (!CBB_add_u8(&cbb_hs, 0))
319	goto err;
320	if (!tls13_handshake_msg_finish(hs_msg))
321	goto err;
322
323	ctx->key_update_request = 1;
324	tls13_handshake_msg_data(hs_msg, &cbs_hs);
325	ret = tls13_record_layer_phh(ctx->rl, &cbs_hs);
326
327	tls13_handshake_msg_free(hs_msg);
328	hs_msg = NULL;
329
330	return ret;
331
332	err:
333	tls13_handshake_msg_free(hs_msg);
334
335	return tls13_send_alert(ctx->rl, alert);
336	}
337
338	/* RFC 8446 section 4.6.1 */
339	static ssize_t
340	tls13_new_session_ticket_recv(struct tls13_ctx ctx, CBS cbs)
341	{
342	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
343	struct tls13_secret nonce;
344	uint32_t ticket_lifetime, ticket_age_add;
345	CBS ticket_nonce, ticket;
346	SSL_SESSION *sess = NULL;
347	int alert, session_id_length;
348	ssize_t ret = 0;
349
350	memset(&nonce, 0, sizeof(nonce));
351
352	if (ctx->mode != TLS13_HS_CLIENT) {
353	alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
354	goto err;
355	}
356
357	alert = TLS13_ALERT_DECODE_ERROR;
358
359	if (!CBS_get_u32(cbs, &ticket_lifetime))
360	goto err;
361	if (!CBS_get_u32(cbs, &ticket_age_add))
362	goto err;
363	if (!CBS_get_u8_length_prefixed(cbs, &ticket_nonce))
364	goto err;
365	if (!CBS_get_u16_length_prefixed(cbs, &ticket))
366	goto err;
367	/* Extensions can only contain early_data, which we currently ignore. */
368	if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_NST, cbs, &alert))
369	goto err;
370
371	if (CBS_len(cbs) != 0)
372	goto err;
373
374	/* Zero indicates that the ticket should be discarded immediately. */
375	if (ticket_lifetime == 0) {
376	ret = TLS13_IO_SUCCESS;
377	goto done;
378	}
379
380	/* Servers MUST NOT use any value larger than 7 days. */
381	if (ticket_lifetime > TLS13_MAX_TICKET_LIFETIME) {
382	alert = TLS13_ALERT_ILLEGAL_PARAMETER;
383	goto err;
384	}
385
386	alert = TLS13_ALERT_INTERNAL_ERROR;
387
388	/*
389	* Create new session instead of modifying the current session.
390	* The current session could already be in the session cache.
391	*/
392	if ((sess = ssl_session_dup(ctx->ssl->session, 0)) == NULL)
393	goto err;
394
395	sess->time = time(NULL);
396
397	sess->tlsext_tick_lifetime_hint = ticket_lifetime;
398	sess->tlsext_tick_age_add = ticket_age_add;
399
400	if (!CBS_stow(&ticket, &sess->tlsext_tick, &sess->tlsext_ticklen))
401	goto err;
402
403	/* XXX - ensure this doesn't overflow session_id if hash is changed. */
404	if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),
405	sess->session_id, &session_id_length, EVP_sha256(), NULL))
406	goto err;
407	sess->session_id_length = session_id_length;
408
409	if (!CBS_stow(&ticket_nonce, &nonce.data, &nonce.len))
410	goto err;
411
412	if (!tls13_secret_init(&sess->resumption_master_secret, 256))
413	goto err;
414
415	if (!tls13_derive_secret(&sess->resumption_master_secret,
416	secrets->digest, &secrets->resumption_master, "resumption",
417	&nonce))
418	goto err;
419
420	SSL_SESSION_free(ctx->ssl->session);
421	ctx->ssl->session = sess;
422	sess = NULL;
423
424	ssl_update_cache(ctx->ssl, SSL_SESS_CACHE_CLIENT);
425
426	ret = TLS13_IO_SUCCESS;
427	goto done;
428
429	err:
430	ret = tls13_send_alert(ctx->rl, alert);
431
432	done:
433	tls13_secret_cleanup(&nonce);
434	SSL_SESSION_free(sess);
435
436	return ret;
437	}
438
439	ssize_t
440	tls13_phh_received_cb(void *cb_arg)
441	{
442	ssize_t ret = TLS13_IO_FAILURE;
443	struct tls13_ctx *ctx = cb_arg;
444	CBS cbs;
445
446	if (!tls13_phh_limit_check(ctx))
447	return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
448
449	if ((ctx->hs_msg == NULL) &&
450	((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
451	return TLS13_IO_FAILURE;
452
453	if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) !=
454	TLS13_IO_SUCCESS)
455	return ret;
456
457	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
458	return TLS13_IO_FAILURE;
459
460	switch(tls13_handshake_msg_type(ctx->hs_msg)) {
461	case TLS13_MT_KEY_UPDATE:
462	ret = tls13_key_update_recv(ctx, &cbs);
463	break;
464	case TLS13_MT_NEW_SESSION_TICKET:
465	ret = tls13_new_session_ticket_recv(ctx, &cbs);
466	break;
467	case TLS13_MT_CERTIFICATE_REQUEST:
468	/* XXX add support if we choose to advertise this */
469	/* FALLTHROUGH */
470	default:
471	ret = TLS13_IO_FAILURE; /* XXX send alert */
472	break;
473	}
474
475	tls13_handshake_msg_free(ctx->hs_msg);
476	ctx->hs_msg = NULL;
477	return ret;
478	}
479
480	void
481	tls13_phh_done_cb(void *cb_arg)
482	{
483	struct tls13_ctx *ctx = cb_arg;
484
485	if (ctx->key_update_request) {
486	tls13_phh_update_write_traffic_secret(ctx);
487	ctx->key_update_request = 0;
488	}
489	}
490
491	static const struct tls13_record_layer_callbacks tls13_rl_callbacks = {
492	.wire_read = tls13_legacy_wire_read_cb,
493	.wire_write = tls13_legacy_wire_write_cb,
494	.wire_flush = tls13_legacy_wire_flush_cb,
495
496	.alert_recv = tls13_alert_received_cb,
497	.alert_sent = tls13_alert_sent_cb,
498	.phh_recv = tls13_phh_received_cb,
499	.phh_sent = tls13_phh_done_cb,
500	};
501
502	struct tls13_ctx *
503	tls13_ctx_new(int mode, SSL *ssl)
504	{
505	struct tls13_ctx *ctx = NULL;
506
507	if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
508	goto err;
509
510	ctx->hs = &ssl->s3->hs;
511	ctx->mode = mode;
512	ctx->ssl = ssl;
513
514	if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL)
515	goto err;
516
517	ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
518	ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
519	ctx->info_cb = tls13_legacy_info_cb;
520	ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
521
522	ctx->middlebox_compat = 1;
523
524	ssl->tls13 = ctx;
525
526	if (SSL_is_quic(ssl)) {
527	if (!tls13_quic_init(ctx))
528	goto err;
529	}
530
531	return ctx;
532
533	err:
534	tls13_ctx_free(ctx);
535
536	return NULL;
537	}
538
539	void
540	tls13_ctx_free(struct tls13_ctx *ctx)
541	{
542	if (ctx == NULL)
543	return;
544
545	tls13_error_clear(&ctx->error);
546	tls13_record_layer_free(ctx->rl);
547	tls13_handshake_msg_free(ctx->hs_msg);
548
549	freezero(ctx, sizeof(struct tls13_ctx));
550	}
551
552	int
553	tls13_cert_add(struct tls13_ctx ctx, CBB cbb, X509 *cert,
554	int (build_extensions)(SSL s, uint16_t msg_type, CBB *cbb))
555	{
556	CBB cert_data, cert_exts;
557	uint8_t *data;
558	int cert_len;
559
560	if ((cert_len = i2d_X509(cert, NULL)) < 0)
561	return 0;
562
563	if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
564	return 0;
565	if (!CBB_add_space(&cert_data, &data, cert_len))
566	return 0;
567	if (i2d_X509(cert, &data) != cert_len)
568	return 0;
569	if (build_extensions != NULL) {
570	if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
571	return 0;
572	} else {
573	if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
574	return 0;
575	}
576	if (!CBB_flush(cbb))
577	return 0;
578
579	return 1;
580	}
581
582	int
583	tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
584	{
585	struct tls13_handshake_msg *hm = NULL;
586	unsigned char buf[EVP_MAX_MD_SIZE];
587	size_t hash_len;
588	CBB cbb;
589	CBS cbs;
590	SSL *s = ctx->ssl;
591	int ret = 0;
592
593	/*
594	* Replace ClientHello with synthetic handshake message - see
595	* RFC 8446 section 4.4.1.
596	*/
597	if (!tls1_transcript_hash_init(s))
598	goto err;
599	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
600	goto err;
601
602	if ((hm = tls13_handshake_msg_new()) == NULL)
603	goto err;
604	if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
605	goto err;
606	if (!CBB_add_bytes(&cbb, buf, hash_len))
607	goto err;
608	if (!tls13_handshake_msg_finish(hm))
609	goto err;
610
611	tls13_handshake_msg_data(hm, &cbs);
612
613	tls1_transcript_reset(ctx->ssl);
614	if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
615	goto err;
616
617	ret = 1;
618
619	err:
620	tls13_handshake_msg_free(hm);
621
622	return ret;
623	}
624
625	int
626	tls13_clienthello_hash_init(struct tls13_ctx *ctx)
627	{
628	if (ctx->hs->tls13.clienthello_md_ctx != NULL)
629	return 0;
630	if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
631	return 0;
632	if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
633	EVP_sha256(), NULL))
634	return 0;
635
636	if ((ctx->hs->tls13.clienthello_hash == NULL) &&
637	(ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
638	NULL)
639	return 0;
640
641	return 1;
642	}
643
644	void
645	tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st hs) / XXX */
646	{
647	EVP_MD_CTX_free(hs->clienthello_md_ctx);
648	hs->clienthello_md_ctx = NULL;
649	freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
650	hs->clienthello_hash = NULL;
651	}
652
653	int
654	tls13_clienthello_hash_update_bytes(struct tls13_ctx ctx, void data,
655	size_t len)
656	{
657	return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
658	}
659
660	int
661	tls13_clienthello_hash_update(struct tls13_ctx ctx, CBS cbs)
662	{
663	return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
664	CBS_len(cbs));
665	}
666
667	int
668	tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
669	{
670	if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
671	ctx->hs->tls13.clienthello_hash,
672	&ctx->hs->tls13.clienthello_hash_len))
673	return 0;
674	EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
675	ctx->hs->tls13.clienthello_md_ctx = NULL;
676	return 1;
677	}
678
679	int
680	tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
681	{
682	unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
683	unsigned int new_ch_hash_len;
684
685	if (ctx->hs->tls13.clienthello_hash == NULL)
686	return 0;
687
688	if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
689	new_ch_hash, &new_ch_hash_len))
690	return 0;
691	EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
692	ctx->hs->tls13.clienthello_md_ctx = NULL;
693
694	if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
695	return 0;
696	if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
697	new_ch_hash_len) != 0)
698	return 0;
699
700	return 1;
701	}