xref: /openbsd-src/lib/libssl/tls13_lib.c (revision 5c389b79544373bccfce668b646e62e7ba9802a3) 
1 /*	$OpenBSD: tls13_lib.c,v 1.76 2022/11/26 16:08:56 tb Exp $ */
2 /*
3  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <stddef.h>
20 
21 #include <openssl/evp.h>
22 
23 #include "ssl_local.h"
24 #include "ssl_tlsext.h"
25 #include "tls13_internal.h"
26 
27 /*
28  * RFC 8446, section 4.6.1. Servers must not indicate a lifetime longer than
29  * 7 days and clients must not cache tickets for longer than 7 days.
30  */
31 
32 #define TLS13_MAX_TICKET_LIFETIME	(7 * 24 * 3600)
33 
34 /*
35  * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
36  * by the server in server random if it is willing to downgrade but supports
37  * TLSv1.3
38  */
39 const uint8_t tls13_downgrade_12[8] = {
40 	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
41 };
42 const uint8_t tls13_downgrade_11[8] = {
43 	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
44 };
45 
46 /*
47  * HelloRetryRequest hash - RFC 8446 section 4.1.3.
48  */
49 const uint8_t tls13_hello_retry_request_hash[32] = {
50 	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
51 	0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
52 	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
53 	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
54 };
55 
56 /*
57  * Certificate Verify padding - RFC 8446 section 4.4.3.
58  */
59 const uint8_t tls13_cert_verify_pad[64] = {
60 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
61 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
62 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
63 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
64 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
65 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
66 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
67 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
68 };
69 
70 const uint8_t tls13_cert_client_verify_context[] =
71     "TLS 1.3, client CertificateVerify";
72 const uint8_t tls13_cert_server_verify_context[] =
73     "TLS 1.3, server CertificateVerify";
74 
75 const EVP_AEAD *
76 tls13_cipher_aead(const SSL_CIPHER *cipher)
77 {
78 	if (cipher == NULL)
79 		return NULL;
80 	if (cipher->algorithm_ssl != SSL_TLSV1_3)
81 		return NULL;
82 
83 	switch (cipher->algorithm_enc) {
84 	case SSL_AES128GCM:
85 		return EVP_aead_aes_128_gcm();
86 	case SSL_AES256GCM:
87 		return EVP_aead_aes_256_gcm();
88 	case SSL_CHACHA20POLY1305:
89 		return EVP_aead_chacha20_poly1305();
90 	}
91 
92 	return NULL;
93 }
94 
95 const EVP_MD *
96 tls13_cipher_hash(const SSL_CIPHER *cipher)
97 {
98 	if (cipher == NULL)
99 		return NULL;
100 	if (cipher->algorithm_ssl != SSL_TLSV1_3)
101 		return NULL;
102 
103 	switch (cipher->algorithm2) {
104 	case SSL_HANDSHAKE_MAC_SHA256:
105 		return EVP_sha256();
106 	case SSL_HANDSHAKE_MAC_SHA384:
107 		return EVP_sha384();
108 	}
109 
110 	return NULL;
111 }
112 
113 void
114 tls13_alert_received_cb(uint8_t alert_desc, void *arg)
115 {
116 	struct tls13_ctx *ctx = arg;
117 
118 	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
119 		ctx->close_notify_recv = 1;
120 		ctx->ssl->shutdown |= SSL_RECEIVED_SHUTDOWN;
121 		ctx->ssl->s3->warn_alert = alert_desc;
122 		return;
123 	}
124 
125 	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
126 		/*
127 		 * We treat this as advisory, since a close_notify alert
128 		 * SHOULD follow this alert (RFC 8446 section 6.1).
129 		 */
130 		return;
131 	}
132 
133 	/* All other alerts are treated as fatal in TLSv1.3. */
134 	ctx->ssl->s3->fatal_alert = alert_desc;
135 
136 	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
137 	ERR_asprintf_error_data("SSL alert number %d", alert_desc);
138 
139 	SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
140 }
141 
142 void
143 tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
144 {
145 	struct tls13_ctx *ctx = arg;
146 
147 	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
148 		ctx->close_notify_sent = 1;
149 		return;
150 	}
151 
152 	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
153 		return;
154 	}
155 
156 	/* All other alerts are treated as fatal in TLSv1.3. */
157 	if (ctx->error.code == 0)
158 		SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
159 }
160 
161 static void
162 tls13_legacy_handshake_message_recv_cb(void *arg)
163 {
164 	struct tls13_ctx *ctx = arg;
165 	SSL *s = ctx->ssl;
166 	CBS cbs;
167 
168 	if (s->msg_callback == NULL)
169 		return;
170 
171 	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
172 	ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE, &cbs);
173 }
174 
175 static void
176 tls13_legacy_handshake_message_sent_cb(void *arg)
177 {
178 	struct tls13_ctx *ctx = arg;
179 	SSL *s = ctx->ssl;
180 	CBS cbs;
181 
182 	if (s->msg_callback == NULL)
183 		return;
184 
185 	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
186 	ssl_msg_callback_cbs(s, 1, SSL3_RT_HANDSHAKE, &cbs);
187 }
188 
189 static void
190 tls13_legacy_info_cb(void *arg, int state, int ret)
191 {
192 	struct tls13_ctx *ctx = arg;
193 	SSL *s = ctx->ssl;
194 
195 	ssl_info_callback(s, state, ret);
196 }
197 
198 static int
199 tls13_legacy_ocsp_status_recv_cb(void *arg)
200 {
201 	struct tls13_ctx *ctx = arg;
202 	SSL *s = ctx->ssl;
203 	int ret;
204 
205 	if (s->ctx->tlsext_status_cb == NULL)
206 		return 1;
207 
208 	ret = s->ctx->tlsext_status_cb(s,
209 	    s->ctx->tlsext_status_arg);
210 	if (ret < 0) {
211 		ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
212 		SSLerror(s, ERR_R_MALLOC_FAILURE);
213 		return 0;
214 	}
215 	if (ret == 0) {
216 		ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE;
217 		SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
218 		return 0;
219 	}
220 
221 	return 1;
222 }
223 
224 static int
225 tls13_phh_update_read_traffic_secret(struct tls13_ctx *ctx)
226 {
227 	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
228 	struct tls13_secret *secret;
229 
230 	if (ctx->mode == TLS13_HS_CLIENT) {
231 		secret = &secrets->server_application_traffic;
232 		if (!tls13_update_server_traffic_secret(secrets))
233 			return 0;
234 	} else {
235 		secret = &secrets->client_application_traffic;
236 		if (!tls13_update_client_traffic_secret(secrets))
237 			return 0;
238 	}
239 
240 	return tls13_record_layer_set_read_traffic_key(ctx->rl,
241 	    secret, ssl_encryption_application);
242 }
243 
244 static int
245 tls13_phh_update_write_traffic_secret(struct tls13_ctx *ctx)
246 {
247 	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
248 	struct tls13_secret *secret;
249 
250 	if (ctx->mode == TLS13_HS_CLIENT) {
251 		secret = &secrets->client_application_traffic;
252 		if (!tls13_update_client_traffic_secret(secrets))
253 			return 0;
254 	} else {
255 		secret = &secrets->server_application_traffic;
256 		if (!tls13_update_server_traffic_secret(secrets))
257 			return 0;
258 	}
259 
260 	return tls13_record_layer_set_write_traffic_key(ctx->rl,
261 	    secret, ssl_encryption_application);
262 }
263 
264 /*
265  * XXX arbitrarily chosen limit of 100 post handshake handshake
266  * messages in an hour - to avoid a hostile peer from constantly
267  * requesting certificates or key renegotiaitons, etc.
268  */
269 static int
270 tls13_phh_limit_check(struct tls13_ctx *ctx)
271 {
272 	time_t now = time(NULL);
273 
274 	if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
275 		if (ctx->phh_count > TLS13_PHH_LIMIT)
276 			return 0;
277 	} else
278 		ctx->phh_count = 0;
279 	ctx->phh_count++;
280 	ctx->phh_last_seen = now;
281 	return 1;
282 }
283 
284 static ssize_t
285 tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
286 {
287 	struct tls13_handshake_msg *hs_msg = NULL;
288 	CBB cbb_hs;
289 	CBS cbs_hs;
290 	uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
291 	uint8_t key_update_request;
292 	ssize_t ret;
293 
294 	if (!CBS_get_u8(cbs, &key_update_request)) {
295 		alert = TLS13_ALERT_DECODE_ERROR;
296 		goto err;
297 	}
298 	if (CBS_len(cbs) != 0) {
299 		alert = TLS13_ALERT_DECODE_ERROR;
300 		goto err;
301 	}
302 	if (key_update_request > 1) {
303 		alert = TLS13_ALERT_ILLEGAL_PARAMETER;
304 		goto err;
305 	}
306 
307 	if (!tls13_phh_update_read_traffic_secret(ctx))
308 		goto err;
309 
310 	if (key_update_request == 0)
311 		return TLS13_IO_SUCCESS;
312 
313 	/* Our peer requested that we update our write traffic keys. */
314 	if ((hs_msg = tls13_handshake_msg_new()) == NULL)
315 		goto err;
316 	if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE))
317 		goto err;
318 	if (!CBB_add_u8(&cbb_hs, 0))
319 		goto err;
320 	if (!tls13_handshake_msg_finish(hs_msg))
321 		goto err;
322 
323 	ctx->key_update_request = 1;
324 	tls13_handshake_msg_data(hs_msg, &cbs_hs);
325 	ret = tls13_record_layer_phh(ctx->rl, &cbs_hs);
326 
327 	tls13_handshake_msg_free(hs_msg);
328 	hs_msg = NULL;
329 
330 	return ret;
331 
332  err:
333 	tls13_handshake_msg_free(hs_msg);
334 
335 	return tls13_send_alert(ctx->rl, alert);
336 }
337 
338 /* RFC 8446 section 4.6.1 */
339 static ssize_t
340 tls13_new_session_ticket_recv(struct tls13_ctx *ctx, CBS *cbs)
341 {
342 	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
343 	struct tls13_secret nonce;
344 	uint32_t ticket_lifetime, ticket_age_add;
345 	CBS ticket_nonce, ticket;
346 	SSL_SESSION *sess = NULL;
347 	int alert, session_id_length;
348 	ssize_t ret = 0;
349 
350 	memset(&nonce, 0, sizeof(nonce));
351 
352 	if (ctx->mode != TLS13_HS_CLIENT) {
353 		alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
354 		goto err;
355 	}
356 
357 	alert = TLS13_ALERT_DECODE_ERROR;
358 
359 	if (!CBS_get_u32(cbs, &ticket_lifetime))
360 		goto err;
361 	if (!CBS_get_u32(cbs, &ticket_age_add))
362 		goto err;
363 	if (!CBS_get_u8_length_prefixed(cbs, &ticket_nonce))
364 		goto err;
365 	if (!CBS_get_u16_length_prefixed(cbs, &ticket))
366 		goto err;
367 	/* Extensions can only contain early_data, which we currently ignore. */
368 	if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_NST, cbs, &alert))
369 		goto err;
370 
371 	if (CBS_len(cbs) != 0)
372 		goto err;
373 
374 	/* Zero indicates that the ticket should be discarded immediately. */
375 	if (ticket_lifetime == 0) {
376 		ret = TLS13_IO_SUCCESS;
377 		goto done;
378 	}
379 
380 	/* Servers MUST NOT use any value larger than 7 days. */
381 	if (ticket_lifetime > TLS13_MAX_TICKET_LIFETIME) {
382 		alert = TLS13_ALERT_ILLEGAL_PARAMETER;
383 		goto err;
384 	}
385 
386 	alert = TLS13_ALERT_INTERNAL_ERROR;
387 
388 	/*
389 	 * Create new session instead of modifying the current session.
390 	 * The current session could already be in the session cache.
391 	 */
392 	if ((sess = ssl_session_dup(ctx->ssl->session, 0)) == NULL)
393 		goto err;
394 
395 	sess->time = time(NULL);
396 
397 	sess->tlsext_tick_lifetime_hint = ticket_lifetime;
398 	sess->tlsext_tick_age_add = ticket_age_add;
399 
400 	if (!CBS_stow(&ticket, &sess->tlsext_tick, &sess->tlsext_ticklen))
401 		goto err;
402 
403 	/* XXX - ensure this doesn't overflow session_id if hash is changed. */
404 	if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),
405 	    sess->session_id, &session_id_length, EVP_sha256(), NULL))
406 		goto err;
407 	sess->session_id_length = session_id_length;
408 
409 	if (!CBS_stow(&ticket_nonce, &nonce.data, &nonce.len))
410 		goto err;
411 
412 	if (!tls13_secret_init(&sess->resumption_master_secret, 256))
413 		goto err;
414 
415 	if (!tls13_derive_secret(&sess->resumption_master_secret,
416 	    secrets->digest, &secrets->resumption_master, "resumption",
417 	    &nonce))
418 		goto err;
419 
420 	SSL_SESSION_free(ctx->ssl->session);
421 	ctx->ssl->session = sess;
422 	sess = NULL;
423 
424 	ssl_update_cache(ctx->ssl, SSL_SESS_CACHE_CLIENT);
425 
426 	ret = TLS13_IO_SUCCESS;
427 	goto done;
428 
429  err:
430 	ret = tls13_send_alert(ctx->rl, alert);
431 
432  done:
433 	tls13_secret_cleanup(&nonce);
434 	SSL_SESSION_free(sess);
435 
436 	return ret;
437 }
438 
439 ssize_t
440 tls13_phh_received_cb(void *cb_arg)
441 {
442 	ssize_t ret = TLS13_IO_FAILURE;
443 	struct tls13_ctx *ctx = cb_arg;
444 	CBS cbs;
445 
446 	if (!tls13_phh_limit_check(ctx))
447 		return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
448 
449 	if ((ctx->hs_msg == NULL) &&
450 	    ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
451 		return TLS13_IO_FAILURE;
452 
453 	if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) !=
454 	    TLS13_IO_SUCCESS)
455 		return ret;
456 
457 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
458 		return TLS13_IO_FAILURE;
459 
460 	switch(tls13_handshake_msg_type(ctx->hs_msg)) {
461 	case TLS13_MT_KEY_UPDATE:
462 		ret = tls13_key_update_recv(ctx, &cbs);
463 		break;
464 	case TLS13_MT_NEW_SESSION_TICKET:
465 		ret = tls13_new_session_ticket_recv(ctx, &cbs);
466 		break;
467 	case TLS13_MT_CERTIFICATE_REQUEST:
468 		/* XXX add support if we choose to advertise this */
469 		/* FALLTHROUGH */
470 	default:
471 		ret = TLS13_IO_FAILURE; /* XXX send alert */
472 		break;
473 	}
474 
475 	tls13_handshake_msg_free(ctx->hs_msg);
476 	ctx->hs_msg = NULL;
477 	return ret;
478 }
479 
480 void
481 tls13_phh_done_cb(void *cb_arg)
482 {
483 	struct tls13_ctx *ctx = cb_arg;
484 
485 	if (ctx->key_update_request) {
486 		tls13_phh_update_write_traffic_secret(ctx);
487 		ctx->key_update_request = 0;
488 	}
489 }
490 
491 static const struct tls13_record_layer_callbacks tls13_rl_callbacks = {
492 	.wire_read = tls13_legacy_wire_read_cb,
493 	.wire_write = tls13_legacy_wire_write_cb,
494 	.wire_flush = tls13_legacy_wire_flush_cb,
495 
496 	.alert_recv = tls13_alert_received_cb,
497 	.alert_sent = tls13_alert_sent_cb,
498 	.phh_recv = tls13_phh_received_cb,
499 	.phh_sent = tls13_phh_done_cb,
500 };
501 
502 struct tls13_ctx *
503 tls13_ctx_new(int mode, SSL *ssl)
504 {
505 	struct tls13_ctx *ctx = NULL;
506 
507 	if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
508 		goto err;
509 
510 	ctx->hs = &ssl->s3->hs;
511 	ctx->mode = mode;
512 	ctx->ssl = ssl;
513 
514 	if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL)
515 		goto err;
516 
517 	ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
518 	ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
519 	ctx->info_cb = tls13_legacy_info_cb;
520 	ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
521 
522 	ctx->middlebox_compat = 1;
523 
524 	ssl->tls13 = ctx;
525 
526 	if (SSL_is_quic(ssl)) {
527 		if (!tls13_quic_init(ctx))
528 			goto err;
529 	}
530 
531 	return ctx;
532 
533  err:
534 	tls13_ctx_free(ctx);
535 
536 	return NULL;
537 }
538 
539 void
540 tls13_ctx_free(struct tls13_ctx *ctx)
541 {
542 	if (ctx == NULL)
543 		return;
544 
545 	tls13_error_clear(&ctx->error);
546 	tls13_record_layer_free(ctx->rl);
547 	tls13_handshake_msg_free(ctx->hs_msg);
548 
549 	freezero(ctx, sizeof(struct tls13_ctx));
550 }
551 
552 int
553 tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
554     int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb))
555 {
556 	CBB cert_data, cert_exts;
557 	uint8_t *data;
558 	int cert_len;
559 
560 	if ((cert_len = i2d_X509(cert, NULL)) < 0)
561 		return 0;
562 
563 	if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
564 		return 0;
565 	if (!CBB_add_space(&cert_data, &data, cert_len))
566 		return 0;
567 	if (i2d_X509(cert, &data) != cert_len)
568 		return 0;
569 	if (build_extensions != NULL) {
570 		if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
571 			return 0;
572 	} else {
573 		if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
574 			return 0;
575 	}
576 	if (!CBB_flush(cbb))
577 		return 0;
578 
579 	return 1;
580 }
581 
582 int
583 tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
584 {
585 	struct tls13_handshake_msg *hm = NULL;
586 	unsigned char buf[EVP_MAX_MD_SIZE];
587 	size_t hash_len;
588 	CBB cbb;
589 	CBS cbs;
590 	SSL *s = ctx->ssl;
591 	int ret = 0;
592 
593 	/*
594 	 * Replace ClientHello with synthetic handshake message - see
595 	 * RFC 8446 section 4.4.1.
596 	 */
597 	if (!tls1_transcript_hash_init(s))
598 		goto err;
599 	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
600 		goto err;
601 
602 	if ((hm = tls13_handshake_msg_new()) == NULL)
603 		goto err;
604 	if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
605 		goto err;
606 	if (!CBB_add_bytes(&cbb, buf, hash_len))
607 		goto err;
608 	if (!tls13_handshake_msg_finish(hm))
609 		goto err;
610 
611 	tls13_handshake_msg_data(hm, &cbs);
612 
613 	tls1_transcript_reset(ctx->ssl);
614 	if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
615 		goto err;
616 
617 	ret = 1;
618 
619  err:
620 	tls13_handshake_msg_free(hm);
621 
622 	return ret;
623 }
624 
625 int
626 tls13_clienthello_hash_init(struct tls13_ctx *ctx)
627 {
628 	if (ctx->hs->tls13.clienthello_md_ctx != NULL)
629 		return 0;
630 	if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
631 		return 0;
632 	if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
633 	    EVP_sha256(), NULL))
634 		return 0;
635 
636 	if ((ctx->hs->tls13.clienthello_hash == NULL) &&
637 	    (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
638 	    NULL)
639 		return 0;
640 
641 	return 1;
642 }
643 
644 void
645 tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */
646 {
647 	EVP_MD_CTX_free(hs->clienthello_md_ctx);
648 	hs->clienthello_md_ctx = NULL;
649 	freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
650 	hs->clienthello_hash = NULL;
651 }
652 
653 int
654 tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
655     size_t len)
656 {
657 	return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
658 }
659 
660 int
661 tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs)
662 {
663 	return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
664 	    CBS_len(cbs));
665 }
666 
667 int
668 tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
669 {
670 	if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
671 	    ctx->hs->tls13.clienthello_hash,
672 	    &ctx->hs->tls13.clienthello_hash_len))
673 		return 0;
674 	EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
675 	ctx->hs->tls13.clienthello_md_ctx = NULL;
676 	return 1;
677 }
678 
679 int
680 tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
681 {
682 	unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
683 	unsigned int new_ch_hash_len;
684 
685 	if (ctx->hs->tls13.clienthello_hash == NULL)
686 		return 0;
687 
688 	if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
689 	    new_ch_hash, &new_ch_hash_len))
690 		return 0;
691 	EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
692 	ctx->hs->tls13.clienthello_md_ctx = NULL;
693 
694 	if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
695 		return 0;
696 	if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
697 	    new_ch_hash_len) != 0)
698 		return 0;
699 
700 	return 1;
701 }
702