1 /* $OpenBSD: tls13_lib.c,v 1.59 2021/04/07 21:48:23 tb Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2019 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <stddef.h> 20 21 #include <openssl/evp.h> 22 23 #include "ssl_locl.h" 24 #include "ssl_tlsext.h" 25 #include "tls13_internal.h" 26 27 /* 28 * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set 29 * by the server in server random if it is willing to downgrade but supports 30 * TLSv1.3 31 */ 32 const uint8_t tls13_downgrade_12[8] = { 33 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01, 34 }; 35 const uint8_t tls13_downgrade_11[8] = { 36 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00, 37 }; 38 39 /* 40 * HelloRetryRequest hash - RFC 8446 section 4.1.3. 41 */ 42 const uint8_t tls13_hello_retry_request_hash[32] = { 43 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 44 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91, 45 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 46 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, 47 }; 48 49 /* 50 * Certificate Verify padding - RFC 8446 section 4.4.3. 51 */ 52 const uint8_t tls13_cert_verify_pad[64] = { 53 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 54 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 55 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 56 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 57 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 58 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 59 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 60 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 61 }; 62 63 const uint8_t tls13_cert_client_verify_context[] = 64 "TLS 1.3, client CertificateVerify"; 65 const uint8_t tls13_cert_server_verify_context[] = 66 "TLS 1.3, server CertificateVerify"; 67 68 const EVP_AEAD * 69 tls13_cipher_aead(const SSL_CIPHER *cipher) 70 { 71 if (cipher == NULL) 72 return NULL; 73 if (cipher->algorithm_ssl != SSL_TLSV1_3) 74 return NULL; 75 76 switch (cipher->algorithm_enc) { 77 case SSL_AES128GCM: 78 return EVP_aead_aes_128_gcm(); 79 case SSL_AES256GCM: 80 return EVP_aead_aes_256_gcm(); 81 case SSL_CHACHA20POLY1305: 82 return EVP_aead_chacha20_poly1305(); 83 } 84 85 return NULL; 86 } 87 88 const EVP_MD * 89 tls13_cipher_hash(const SSL_CIPHER *cipher) 90 { 91 if (cipher == NULL) 92 return NULL; 93 if (cipher->algorithm_ssl != SSL_TLSV1_3) 94 return NULL; 95 96 switch (cipher->algorithm2) { 97 case SSL_HANDSHAKE_MAC_SHA256: 98 return EVP_sha256(); 99 case SSL_HANDSHAKE_MAC_SHA384: 100 return EVP_sha384(); 101 } 102 103 return NULL; 104 } 105 106 static void 107 tls13_alert_received_cb(uint8_t alert_desc, void *arg) 108 { 109 struct tls13_ctx *ctx = arg; 110 111 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 112 ctx->close_notify_recv = 1; 113 ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; 114 S3I(ctx->ssl)->warn_alert = alert_desc; 115 return; 116 } 117 118 if (alert_desc == TLS13_ALERT_USER_CANCELED) { 119 /* 120 * We treat this as advisory, since a close_notify alert 121 * SHOULD follow this alert (RFC 8446 section 6.1). 122 */ 123 return; 124 } 125 126 /* All other alerts are treated as fatal in TLSv1.3. */ 127 S3I(ctx->ssl)->fatal_alert = alert_desc; 128 129 SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); 130 ERR_asprintf_error_data("SSL alert number %d", alert_desc); 131 132 SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session); 133 } 134 135 static void 136 tls13_alert_sent_cb(uint8_t alert_desc, void *arg) 137 { 138 struct tls13_ctx *ctx = arg; 139 140 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 141 ctx->close_notify_sent = 1; 142 return; 143 } 144 145 if (alert_desc == TLS13_ALERT_USER_CANCELED) { 146 return; 147 } 148 149 /* All other alerts are treated as fatal in TLSv1.3. */ 150 if (ctx->error.code == 0) 151 SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); 152 } 153 154 static void 155 tls13_legacy_handshake_message_recv_cb(void *arg) 156 { 157 struct tls13_ctx *ctx = arg; 158 SSL *s = ctx->ssl; 159 CBS cbs; 160 161 if (s->internal->msg_callback == NULL) 162 return; 163 164 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 165 s->internal->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HANDSHAKE, 166 CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg); 167 } 168 169 static void 170 tls13_legacy_handshake_message_sent_cb(void *arg) 171 { 172 struct tls13_ctx *ctx = arg; 173 SSL *s = ctx->ssl; 174 CBS cbs; 175 176 if (s->internal->msg_callback == NULL) 177 return; 178 179 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 180 s->internal->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HANDSHAKE, 181 CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg); 182 } 183 184 static void 185 tls13_legacy_info_cb(void *arg, int state, int ret) 186 { 187 struct tls13_ctx *ctx = arg; 188 SSL *s = ctx->ssl; 189 void (*cb)(const SSL *, int, int); 190 191 if ((cb = s->internal->info_callback) == NULL) 192 cb = s->ctx->internal->info_callback; 193 if (cb != NULL) 194 cb(s, state, ret); 195 } 196 197 static int 198 tls13_legacy_ocsp_status_recv_cb(void *arg) 199 { 200 struct tls13_ctx *ctx = arg; 201 SSL *s = ctx->ssl; 202 int ret; 203 204 if (s->ctx->internal->tlsext_status_cb == NULL || 205 s->internal->tlsext_ocsp_resp == NULL) 206 return 1; 207 208 ret = s->ctx->internal->tlsext_status_cb(s, 209 s->ctx->internal->tlsext_status_arg); 210 if (ret < 0) { 211 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 212 SSLerror(s, ERR_R_MALLOC_FAILURE); 213 return 0; 214 } 215 if (ret == 0) { 216 ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE; 217 SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); 218 return 0; 219 } 220 221 return 1; 222 } 223 224 static int 225 tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx) 226 { 227 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 228 229 if (ctx->mode == TLS13_HS_CLIENT) 230 return (tls13_update_client_traffic_secret(secrets) && 231 tls13_record_layer_set_write_traffic_key(ctx->rl, 232 &secrets->client_application_traffic)); 233 return (tls13_update_server_traffic_secret(secrets) && 234 tls13_record_layer_set_read_traffic_key(ctx->rl, 235 &secrets->server_application_traffic)); 236 } 237 238 static int 239 tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx) 240 { 241 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 242 243 if (ctx->mode == TLS13_HS_CLIENT) 244 return (tls13_update_server_traffic_secret(secrets) && 245 tls13_record_layer_set_read_traffic_key(ctx->rl, 246 &secrets->server_application_traffic)); 247 return (tls13_update_client_traffic_secret(secrets) && 248 tls13_record_layer_set_write_traffic_key(ctx->rl, 249 &secrets->client_application_traffic)); 250 } 251 252 /* 253 * XXX arbitrarily chosen limit of 100 post handshake handshake 254 * messages in an hour - to avoid a hostile peer from constantly 255 * requesting certificates or key renegotiaitons, etc. 256 */ 257 static int 258 tls13_phh_limit_check(struct tls13_ctx *ctx) 259 { 260 time_t now = time(NULL); 261 262 if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) { 263 if (ctx->phh_count > TLS13_PHH_LIMIT) 264 return 0; 265 } else 266 ctx->phh_count = 0; 267 ctx->phh_count++; 268 ctx->phh_last_seen = now; 269 return 1; 270 } 271 272 static ssize_t 273 tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs) 274 { 275 struct tls13_handshake_msg *hs_msg = NULL; 276 CBB cbb_hs; 277 CBS cbs_hs; 278 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; 279 uint8_t key_update_request; 280 ssize_t ret; 281 282 if (!CBS_get_u8(cbs, &key_update_request)) { 283 alert = TLS13_ALERT_DECODE_ERROR; 284 goto err; 285 } 286 if (CBS_len(cbs) != 0) { 287 alert = TLS13_ALERT_DECODE_ERROR; 288 goto err; 289 } 290 if (key_update_request > 1) { 291 alert = TLS13_ALERT_ILLEGAL_PARAMETER; 292 goto err; 293 } 294 295 if (!tls13_phh_update_peer_traffic_secret(ctx)) 296 goto err; 297 298 if (key_update_request == 0) 299 return TLS13_IO_SUCCESS; 300 301 /* key_update_request == 1 */ 302 if ((hs_msg = tls13_handshake_msg_new()) == NULL) 303 goto err; 304 if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE)) 305 goto err; 306 if (!CBB_add_u8(&cbb_hs, 0)) 307 goto err; 308 if (!tls13_handshake_msg_finish(hs_msg)) 309 goto err; 310 311 ctx->key_update_request = 1; 312 tls13_handshake_msg_data(hs_msg, &cbs_hs); 313 ret = tls13_record_layer_phh(ctx->rl, &cbs_hs); 314 315 tls13_handshake_msg_free(hs_msg); 316 hs_msg = NULL; 317 318 return ret; 319 320 err: 321 tls13_handshake_msg_free(hs_msg); 322 323 return tls13_send_alert(ctx->rl, alert); 324 } 325 326 static void 327 tls13_phh_done_cb(void *cb_arg) 328 { 329 struct tls13_ctx *ctx = cb_arg; 330 331 if (ctx->key_update_request) { 332 tls13_phh_update_local_traffic_secret(ctx); 333 ctx->key_update_request = 0; 334 } 335 } 336 337 static ssize_t 338 tls13_phh_received_cb(void *cb_arg, CBS *cbs) 339 { 340 ssize_t ret = TLS13_IO_FAILURE; 341 struct tls13_ctx *ctx = cb_arg; 342 CBS phh_cbs; 343 344 if (!tls13_phh_limit_check(ctx)) 345 return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 346 347 if ((ctx->hs_msg == NULL) && 348 ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)) 349 return TLS13_IO_FAILURE; 350 351 if (!tls13_handshake_msg_set_buffer(ctx->hs_msg, cbs)) 352 return TLS13_IO_FAILURE; 353 354 if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) 355 != TLS13_IO_SUCCESS) 356 return ret; 357 358 if (!tls13_handshake_msg_content(ctx->hs_msg, &phh_cbs)) 359 return TLS13_IO_FAILURE; 360 361 switch(tls13_handshake_msg_type(ctx->hs_msg)) { 362 case TLS13_MT_KEY_UPDATE: 363 ret = tls13_key_update_recv(ctx, &phh_cbs); 364 break; 365 case TLS13_MT_NEW_SESSION_TICKET: 366 /* XXX do nothing for now and ignore this */ 367 break; 368 case TLS13_MT_CERTIFICATE_REQUEST: 369 /* XXX add support if we choose to advertise this */ 370 /* FALLTHROUGH */ 371 default: 372 ret = TLS13_IO_FAILURE; /* XXX send alert */ 373 break; 374 } 375 376 tls13_handshake_msg_free(ctx->hs_msg); 377 ctx->hs_msg = NULL; 378 return ret; 379 } 380 381 static const struct tls13_record_layer_callbacks rl_callbacks = { 382 .wire_read = tls13_legacy_wire_read_cb, 383 .wire_write = tls13_legacy_wire_write_cb, 384 .alert_recv = tls13_alert_received_cb, 385 .alert_sent = tls13_alert_sent_cb, 386 .phh_recv = tls13_phh_received_cb, 387 .phh_sent = tls13_phh_done_cb, 388 }; 389 390 struct tls13_ctx * 391 tls13_ctx_new(int mode) 392 { 393 struct tls13_ctx *ctx = NULL; 394 395 if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL) 396 goto err; 397 398 ctx->mode = mode; 399 400 if ((ctx->rl = tls13_record_layer_new(&rl_callbacks, ctx)) == NULL) 401 goto err; 402 403 ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb; 404 ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb; 405 ctx->info_cb = tls13_legacy_info_cb; 406 ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb; 407 408 ctx->middlebox_compat = 1; 409 410 return ctx; 411 412 err: 413 tls13_ctx_free(ctx); 414 415 return NULL; 416 } 417 418 void 419 tls13_ctx_free(struct tls13_ctx *ctx) 420 { 421 if (ctx == NULL) 422 return; 423 424 tls13_error_clear(&ctx->error); 425 tls13_record_layer_free(ctx->rl); 426 tls13_handshake_msg_free(ctx->hs_msg); 427 428 freezero(ctx, sizeof(struct tls13_ctx)); 429 } 430 431 int 432 tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert, 433 int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb)) 434 { 435 CBB cert_data, cert_exts; 436 uint8_t *data; 437 int cert_len; 438 439 if ((cert_len = i2d_X509(cert, NULL)) < 0) 440 return 0; 441 442 if (!CBB_add_u24_length_prefixed(cbb, &cert_data)) 443 return 0; 444 if (!CBB_add_space(&cert_data, &data, cert_len)) 445 return 0; 446 if (i2d_X509(cert, &data) != cert_len) 447 return 0; 448 if (build_extensions != NULL) { 449 if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb)) 450 return 0; 451 } else { 452 if (!CBB_add_u16_length_prefixed(cbb, &cert_exts)) 453 return 0; 454 } 455 if (!CBB_flush(cbb)) 456 return 0; 457 458 return 1; 459 } 460 461 int 462 tls13_synthetic_handshake_message(struct tls13_ctx *ctx) 463 { 464 struct tls13_handshake_msg *hm = NULL; 465 unsigned char buf[EVP_MAX_MD_SIZE]; 466 size_t hash_len; 467 CBB cbb; 468 CBS cbs; 469 SSL *s = ctx->ssl; 470 int ret = 0; 471 472 /* 473 * Replace ClientHello with synthetic handshake message - see 474 * RFC 8446 section 4.4.1. 475 */ 476 if (!tls1_transcript_hash_init(s)) 477 goto err; 478 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 479 goto err; 480 481 if ((hm = tls13_handshake_msg_new()) == NULL) 482 goto err; 483 if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH)) 484 goto err; 485 if (!CBB_add_bytes(&cbb, buf, hash_len)) 486 goto err; 487 if (!tls13_handshake_msg_finish(hm)) 488 goto err; 489 490 tls13_handshake_msg_data(hm, &cbs); 491 492 tls1_transcript_reset(ctx->ssl); 493 if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) 494 goto err; 495 496 ret = 1; 497 498 err: 499 tls13_handshake_msg_free(hm); 500 501 return ret; 502 } 503 504 int 505 tls13_clienthello_hash_init(struct tls13_ctx *ctx) 506 { 507 if (ctx->hs->tls13.clienthello_md_ctx != NULL) 508 return 0; 509 if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL) 510 return 0; 511 if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx, 512 EVP_sha256(), NULL)) 513 return 0; 514 515 if ((ctx->hs->tls13.clienthello_hash == NULL) && 516 (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) == 517 NULL) 518 return 0; 519 520 return 1; 521 } 522 523 void 524 tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */ 525 { 526 EVP_MD_CTX_free(hs->clienthello_md_ctx); 527 hs->clienthello_md_ctx = NULL; 528 freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE); 529 hs->clienthello_hash = NULL; 530 } 531 532 int 533 tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data, 534 size_t len) 535 { 536 return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len); 537 } 538 539 int 540 tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs) 541 { 542 return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs), 543 CBS_len(cbs)); 544 } 545 546 int 547 tls13_clienthello_hash_finalize(struct tls13_ctx *ctx) 548 { 549 if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx, 550 ctx->hs->tls13.clienthello_hash, 551 &ctx->hs->tls13.clienthello_hash_len)) 552 return 0; 553 EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx); 554 ctx->hs->tls13.clienthello_md_ctx = NULL; 555 return 1; 556 } 557 558 int 559 tls13_clienthello_hash_validate(struct tls13_ctx *ctx) 560 { 561 unsigned char new_ch_hash[EVP_MAX_MD_SIZE]; 562 unsigned int new_ch_hash_len; 563 564 if (ctx->hs->tls13.clienthello_hash == NULL) 565 return 0; 566 567 if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx, 568 new_ch_hash, &new_ch_hash_len)) 569 return 0; 570 EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx); 571 ctx->hs->tls13.clienthello_md_ctx = NULL; 572 573 if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len) 574 return 0; 575 if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash, 576 new_ch_hash_len) != 0) 577 return 0; 578 579 return 1; 580 } 581 582 int 583 tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len, 584 const uint8_t *context_value, size_t context_value_len, uint8_t *out, 585 size_t out_len) 586 { 587 struct tls13_secret context, export_out, export_secret; 588 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 589 EVP_MD_CTX *md_ctx = NULL; 590 unsigned int md_out_len; 591 int md_len; 592 int ret = 0; 593 594 /* 595 * RFC 8446 Section 7.5. 596 */ 597 598 memset(&context, 0, sizeof(context)); 599 memset(&export_secret, 0, sizeof(export_secret)); 600 601 export_out.data = out; 602 export_out.len = out_len; 603 604 if (!ctx->handshake_completed) 605 return 0; 606 607 md_len = EVP_MD_size(secrets->digest); 608 if (md_len <= 0 || md_len > EVP_MAX_MD_SIZE) 609 goto err; 610 611 if (!tls13_secret_init(&export_secret, md_len)) 612 goto err; 613 if (!tls13_secret_init(&context, md_len)) 614 goto err; 615 616 /* In TLSv1.3 no context is equivalent to an empty context. */ 617 if (context_value == NULL) { 618 context_value = ""; 619 context_value_len = 0; 620 } 621 622 if ((md_ctx = EVP_MD_CTX_new()) == NULL) 623 goto err; 624 if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL)) 625 goto err; 626 if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len)) 627 goto err; 628 if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len)) 629 goto err; 630 if (md_len != md_out_len) 631 goto err; 632 633 if (!tls13_derive_secret_with_label_length(&export_secret, 634 secrets->digest, &secrets->exporter_master, label, label_len, 635 &secrets->empty_hash)) 636 goto err; 637 638 if (!tls13_hkdf_expand_label(&export_out, secrets->digest, 639 &export_secret, "exporter", &context)) 640 goto err; 641 642 ret = 1; 643 644 err: 645 EVP_MD_CTX_free(md_ctx); 646 tls13_secret_cleanup(&context); 647 tls13_secret_cleanup(&export_secret); 648 649 return ret; 650 } 651