1 /* $OpenBSD: tls13_lib.c,v 1.77 2024/01/27 14:23:51 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2019 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <stddef.h> 20 21 #include <openssl/evp.h> 22 23 #include "ssl_local.h" 24 #include "ssl_tlsext.h" 25 #include "tls13_internal.h" 26 27 /* 28 * RFC 8446, section 4.6.1. Servers must not indicate a lifetime longer than 29 * 7 days and clients must not cache tickets for longer than 7 days. 30 */ 31 32 #define TLS13_MAX_TICKET_LIFETIME (7 * 24 * 3600) 33 34 /* 35 * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set 36 * by the server in server random if it is willing to downgrade but supports 37 * TLSv1.3 38 */ 39 const uint8_t tls13_downgrade_12[8] = { 40 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01, 41 }; 42 const uint8_t tls13_downgrade_11[8] = { 43 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00, 44 }; 45 46 /* 47 * HelloRetryRequest hash - RFC 8446 section 4.1.3. 48 */ 49 const uint8_t tls13_hello_retry_request_hash[32] = { 50 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 51 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91, 52 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 53 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, 54 }; 55 56 /* 57 * Certificate Verify padding - RFC 8446 section 4.4.3. 58 */ 59 const uint8_t tls13_cert_verify_pad[64] = { 60 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 61 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 62 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 63 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 64 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 65 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 66 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 67 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 68 }; 69 70 const uint8_t tls13_cert_client_verify_context[] = 71 "TLS 1.3, client CertificateVerify"; 72 const uint8_t tls13_cert_server_verify_context[] = 73 "TLS 1.3, server CertificateVerify"; 74 75 const EVP_AEAD * 76 tls13_cipher_aead(const SSL_CIPHER *cipher) 77 { 78 if (cipher == NULL) 79 return NULL; 80 if (cipher->algorithm_ssl != SSL_TLSV1_3) 81 return NULL; 82 83 switch (cipher->algorithm_enc) { 84 case SSL_AES128GCM: 85 return EVP_aead_aes_128_gcm(); 86 case SSL_AES256GCM: 87 return EVP_aead_aes_256_gcm(); 88 case SSL_CHACHA20POLY1305: 89 return EVP_aead_chacha20_poly1305(); 90 } 91 92 return NULL; 93 } 94 95 const EVP_MD * 96 tls13_cipher_hash(const SSL_CIPHER *cipher) 97 { 98 if (cipher == NULL) 99 return NULL; 100 if (cipher->algorithm_ssl != SSL_TLSV1_3) 101 return NULL; 102 103 switch (cipher->algorithm2) { 104 case SSL_HANDSHAKE_MAC_SHA256: 105 return EVP_sha256(); 106 case SSL_HANDSHAKE_MAC_SHA384: 107 return EVP_sha384(); 108 } 109 110 return NULL; 111 } 112 113 static void 114 tls13_legacy_alert_cb(int sent, uint8_t alert_level, uint8_t alert_desc, 115 void *arg) 116 { 117 uint8_t alert[] = {alert_level, alert_desc}; 118 struct tls13_ctx *ctx = arg; 119 SSL *s = ctx->ssl; 120 CBS cbs; 121 122 if (s->msg_callback == NULL) 123 return; 124 125 CBS_init(&cbs, alert, sizeof(alert)); 126 ssl_msg_callback_cbs(s, sent, SSL3_RT_ALERT, &cbs); 127 } 128 129 static void 130 tls13_legacy_alert_recv_cb(uint8_t alert_level, uint8_t alert_desc, void *arg) 131 { 132 tls13_legacy_alert_cb(0, alert_level, alert_desc, arg); 133 } 134 135 static void 136 tls13_legacy_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg) 137 { 138 tls13_legacy_alert_cb(1, alert_level, alert_desc, arg); 139 } 140 141 void 142 tls13_alert_received_cb(uint8_t alert_level, uint8_t alert_desc, void *arg) 143 { 144 struct tls13_ctx *ctx = arg; 145 146 if (ctx->alert_recv_cb != NULL) 147 ctx->alert_recv_cb(alert_level, alert_desc, arg); 148 149 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 150 ctx->close_notify_recv = 1; 151 ctx->ssl->shutdown |= SSL_RECEIVED_SHUTDOWN; 152 ctx->ssl->s3->warn_alert = alert_desc; 153 return; 154 } 155 156 if (alert_desc == TLS13_ALERT_USER_CANCELED) { 157 /* 158 * We treat this as advisory, since a close_notify alert 159 * SHOULD follow this alert (RFC 8446 section 6.1). 160 */ 161 return; 162 } 163 164 /* All other alerts are treated as fatal in TLSv1.3. */ 165 ctx->ssl->s3->fatal_alert = alert_desc; 166 167 SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); 168 ERR_asprintf_error_data("SSL alert number %d", alert_desc); 169 170 SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session); 171 } 172 173 void 174 tls13_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg) 175 { 176 struct tls13_ctx *ctx = arg; 177 178 if (ctx->alert_sent_cb != NULL) 179 ctx->alert_sent_cb(alert_level, alert_desc, arg); 180 181 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { 182 ctx->close_notify_sent = 1; 183 return; 184 } 185 186 if (alert_desc == TLS13_ALERT_USER_CANCELED) { 187 return; 188 } 189 190 /* All other alerts are treated as fatal in TLSv1.3. */ 191 if (ctx->error.code == 0) 192 SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); 193 } 194 195 static void 196 tls13_legacy_handshake_message_recv_cb(void *arg) 197 { 198 struct tls13_ctx *ctx = arg; 199 SSL *s = ctx->ssl; 200 CBS cbs; 201 202 if (s->msg_callback == NULL) 203 return; 204 205 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 206 ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE, &cbs); 207 } 208 209 static void 210 tls13_legacy_handshake_message_sent_cb(void *arg) 211 { 212 struct tls13_ctx *ctx = arg; 213 SSL *s = ctx->ssl; 214 CBS cbs; 215 216 if (s->msg_callback == NULL) 217 return; 218 219 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 220 ssl_msg_callback_cbs(s, 1, SSL3_RT_HANDSHAKE, &cbs); 221 } 222 223 static void 224 tls13_legacy_info_cb(void *arg, int state, int ret) 225 { 226 struct tls13_ctx *ctx = arg; 227 SSL *s = ctx->ssl; 228 229 ssl_info_callback(s, state, ret); 230 } 231 232 static int 233 tls13_legacy_ocsp_status_recv_cb(void *arg) 234 { 235 struct tls13_ctx *ctx = arg; 236 SSL *s = ctx->ssl; 237 int ret; 238 239 if (s->ctx->tlsext_status_cb == NULL) 240 return 1; 241 242 ret = s->ctx->tlsext_status_cb(s, 243 s->ctx->tlsext_status_arg); 244 if (ret < 0) { 245 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 246 SSLerror(s, ERR_R_MALLOC_FAILURE); 247 return 0; 248 } 249 if (ret == 0) { 250 ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE; 251 SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); 252 return 0; 253 } 254 255 return 1; 256 } 257 258 static int 259 tls13_phh_update_read_traffic_secret(struct tls13_ctx *ctx) 260 { 261 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 262 struct tls13_secret *secret; 263 264 if (ctx->mode == TLS13_HS_CLIENT) { 265 secret = &secrets->server_application_traffic; 266 if (!tls13_update_server_traffic_secret(secrets)) 267 return 0; 268 } else { 269 secret = &secrets->client_application_traffic; 270 if (!tls13_update_client_traffic_secret(secrets)) 271 return 0; 272 } 273 274 return tls13_record_layer_set_read_traffic_key(ctx->rl, 275 secret, ssl_encryption_application); 276 } 277 278 static int 279 tls13_phh_update_write_traffic_secret(struct tls13_ctx *ctx) 280 { 281 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 282 struct tls13_secret *secret; 283 284 if (ctx->mode == TLS13_HS_CLIENT) { 285 secret = &secrets->client_application_traffic; 286 if (!tls13_update_client_traffic_secret(secrets)) 287 return 0; 288 } else { 289 secret = &secrets->server_application_traffic; 290 if (!tls13_update_server_traffic_secret(secrets)) 291 return 0; 292 } 293 294 return tls13_record_layer_set_write_traffic_key(ctx->rl, 295 secret, ssl_encryption_application); 296 } 297 298 /* 299 * XXX arbitrarily chosen limit of 100 post handshake handshake 300 * messages in an hour - to avoid a hostile peer from constantly 301 * requesting certificates or key renegotiaitons, etc. 302 */ 303 static int 304 tls13_phh_limit_check(struct tls13_ctx *ctx) 305 { 306 time_t now = time(NULL); 307 308 if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) { 309 if (ctx->phh_count > TLS13_PHH_LIMIT) 310 return 0; 311 } else 312 ctx->phh_count = 0; 313 ctx->phh_count++; 314 ctx->phh_last_seen = now; 315 return 1; 316 } 317 318 static ssize_t 319 tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs) 320 { 321 struct tls13_handshake_msg *hs_msg = NULL; 322 CBB cbb_hs; 323 CBS cbs_hs; 324 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; 325 uint8_t key_update_request; 326 ssize_t ret; 327 328 if (!CBS_get_u8(cbs, &key_update_request)) { 329 alert = TLS13_ALERT_DECODE_ERROR; 330 goto err; 331 } 332 if (CBS_len(cbs) != 0) { 333 alert = TLS13_ALERT_DECODE_ERROR; 334 goto err; 335 } 336 if (key_update_request > 1) { 337 alert = TLS13_ALERT_ILLEGAL_PARAMETER; 338 goto err; 339 } 340 341 if (!tls13_phh_update_read_traffic_secret(ctx)) 342 goto err; 343 344 if (key_update_request == 0) 345 return TLS13_IO_SUCCESS; 346 347 /* Our peer requested that we update our write traffic keys. */ 348 if ((hs_msg = tls13_handshake_msg_new()) == NULL) 349 goto err; 350 if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE)) 351 goto err; 352 if (!CBB_add_u8(&cbb_hs, 0)) 353 goto err; 354 if (!tls13_handshake_msg_finish(hs_msg)) 355 goto err; 356 357 ctx->key_update_request = 1; 358 tls13_handshake_msg_data(hs_msg, &cbs_hs); 359 ret = tls13_record_layer_phh(ctx->rl, &cbs_hs); 360 361 tls13_handshake_msg_free(hs_msg); 362 hs_msg = NULL; 363 364 return ret; 365 366 err: 367 tls13_handshake_msg_free(hs_msg); 368 369 return tls13_send_alert(ctx->rl, alert); 370 } 371 372 /* RFC 8446 section 4.6.1 */ 373 static ssize_t 374 tls13_new_session_ticket_recv(struct tls13_ctx *ctx, CBS *cbs) 375 { 376 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 377 struct tls13_secret nonce; 378 uint32_t ticket_lifetime, ticket_age_add; 379 CBS ticket_nonce, ticket; 380 SSL_SESSION *sess = NULL; 381 int alert, session_id_length; 382 ssize_t ret = 0; 383 384 memset(&nonce, 0, sizeof(nonce)); 385 386 if (ctx->mode != TLS13_HS_CLIENT) { 387 alert = TLS13_ALERT_UNEXPECTED_MESSAGE; 388 goto err; 389 } 390 391 alert = TLS13_ALERT_DECODE_ERROR; 392 393 if (!CBS_get_u32(cbs, &ticket_lifetime)) 394 goto err; 395 if (!CBS_get_u32(cbs, &ticket_age_add)) 396 goto err; 397 if (!CBS_get_u8_length_prefixed(cbs, &ticket_nonce)) 398 goto err; 399 if (!CBS_get_u16_length_prefixed(cbs, &ticket)) 400 goto err; 401 /* Extensions can only contain early_data, which we currently ignore. */ 402 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_NST, cbs, &alert)) 403 goto err; 404 405 if (CBS_len(cbs) != 0) 406 goto err; 407 408 /* Zero indicates that the ticket should be discarded immediately. */ 409 if (ticket_lifetime == 0) { 410 ret = TLS13_IO_SUCCESS; 411 goto done; 412 } 413 414 /* Servers MUST NOT use any value larger than 7 days. */ 415 if (ticket_lifetime > TLS13_MAX_TICKET_LIFETIME) { 416 alert = TLS13_ALERT_ILLEGAL_PARAMETER; 417 goto err; 418 } 419 420 alert = TLS13_ALERT_INTERNAL_ERROR; 421 422 /* 423 * Create new session instead of modifying the current session. 424 * The current session could already be in the session cache. 425 */ 426 if ((sess = ssl_session_dup(ctx->ssl->session, 0)) == NULL) 427 goto err; 428 429 sess->time = time(NULL); 430 431 sess->tlsext_tick_lifetime_hint = ticket_lifetime; 432 sess->tlsext_tick_age_add = ticket_age_add; 433 434 if (!CBS_stow(&ticket, &sess->tlsext_tick, &sess->tlsext_ticklen)) 435 goto err; 436 437 /* XXX - ensure this doesn't overflow session_id if hash is changed. */ 438 if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket), 439 sess->session_id, &session_id_length, EVP_sha256(), NULL)) 440 goto err; 441 sess->session_id_length = session_id_length; 442 443 if (!CBS_stow(&ticket_nonce, &nonce.data, &nonce.len)) 444 goto err; 445 446 if (!tls13_secret_init(&sess->resumption_master_secret, 256)) 447 goto err; 448 449 if (!tls13_derive_secret(&sess->resumption_master_secret, 450 secrets->digest, &secrets->resumption_master, "resumption", 451 &nonce)) 452 goto err; 453 454 SSL_SESSION_free(ctx->ssl->session); 455 ctx->ssl->session = sess; 456 sess = NULL; 457 458 ssl_update_cache(ctx->ssl, SSL_SESS_CACHE_CLIENT); 459 460 ret = TLS13_IO_SUCCESS; 461 goto done; 462 463 err: 464 ret = tls13_send_alert(ctx->rl, alert); 465 466 done: 467 tls13_secret_cleanup(&nonce); 468 SSL_SESSION_free(sess); 469 470 return ret; 471 } 472 473 ssize_t 474 tls13_phh_received_cb(void *cb_arg) 475 { 476 ssize_t ret = TLS13_IO_FAILURE; 477 struct tls13_ctx *ctx = cb_arg; 478 CBS cbs; 479 480 if (!tls13_phh_limit_check(ctx)) 481 return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 482 483 if ((ctx->hs_msg == NULL) && 484 ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)) 485 return TLS13_IO_FAILURE; 486 487 if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) != 488 TLS13_IO_SUCCESS) 489 return ret; 490 491 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) 492 return TLS13_IO_FAILURE; 493 494 switch(tls13_handshake_msg_type(ctx->hs_msg)) { 495 case TLS13_MT_KEY_UPDATE: 496 ret = tls13_key_update_recv(ctx, &cbs); 497 break; 498 case TLS13_MT_NEW_SESSION_TICKET: 499 ret = tls13_new_session_ticket_recv(ctx, &cbs); 500 break; 501 case TLS13_MT_CERTIFICATE_REQUEST: 502 /* XXX add support if we choose to advertise this */ 503 /* FALLTHROUGH */ 504 default: 505 ret = TLS13_IO_FAILURE; /* XXX send alert */ 506 break; 507 } 508 509 tls13_handshake_msg_free(ctx->hs_msg); 510 ctx->hs_msg = NULL; 511 return ret; 512 } 513 514 void 515 tls13_phh_done_cb(void *cb_arg) 516 { 517 struct tls13_ctx *ctx = cb_arg; 518 519 if (ctx->key_update_request) { 520 tls13_phh_update_write_traffic_secret(ctx); 521 ctx->key_update_request = 0; 522 } 523 } 524 525 static const struct tls13_record_layer_callbacks tls13_rl_callbacks = { 526 .wire_read = tls13_legacy_wire_read_cb, 527 .wire_write = tls13_legacy_wire_write_cb, 528 .wire_flush = tls13_legacy_wire_flush_cb, 529 530 .alert_recv = tls13_alert_received_cb, 531 .alert_sent = tls13_alert_sent_cb, 532 .phh_recv = tls13_phh_received_cb, 533 .phh_sent = tls13_phh_done_cb, 534 }; 535 536 struct tls13_ctx * 537 tls13_ctx_new(int mode, SSL *ssl) 538 { 539 struct tls13_ctx *ctx = NULL; 540 541 if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL) 542 goto err; 543 544 ctx->hs = &ssl->s3->hs; 545 ctx->mode = mode; 546 ctx->ssl = ssl; 547 548 if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL) 549 goto err; 550 551 ctx->alert_sent_cb = tls13_legacy_alert_sent_cb; 552 ctx->alert_recv_cb = tls13_legacy_alert_recv_cb; 553 ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb; 554 ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb; 555 ctx->info_cb = tls13_legacy_info_cb; 556 ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb; 557 558 ctx->middlebox_compat = 1; 559 560 ssl->tls13 = ctx; 561 562 if (SSL_is_quic(ssl)) { 563 if (!tls13_quic_init(ctx)) 564 goto err; 565 } 566 567 return ctx; 568 569 err: 570 tls13_ctx_free(ctx); 571 572 return NULL; 573 } 574 575 void 576 tls13_ctx_free(struct tls13_ctx *ctx) 577 { 578 if (ctx == NULL) 579 return; 580 581 tls13_error_clear(&ctx->error); 582 tls13_record_layer_free(ctx->rl); 583 tls13_handshake_msg_free(ctx->hs_msg); 584 585 freezero(ctx, sizeof(struct tls13_ctx)); 586 } 587 588 int 589 tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert, 590 int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb)) 591 { 592 CBB cert_data, cert_exts; 593 uint8_t *data; 594 int cert_len; 595 596 if ((cert_len = i2d_X509(cert, NULL)) < 0) 597 return 0; 598 599 if (!CBB_add_u24_length_prefixed(cbb, &cert_data)) 600 return 0; 601 if (!CBB_add_space(&cert_data, &data, cert_len)) 602 return 0; 603 if (i2d_X509(cert, &data) != cert_len) 604 return 0; 605 if (build_extensions != NULL) { 606 if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb)) 607 return 0; 608 } else { 609 if (!CBB_add_u16_length_prefixed(cbb, &cert_exts)) 610 return 0; 611 } 612 if (!CBB_flush(cbb)) 613 return 0; 614 615 return 1; 616 } 617 618 int 619 tls13_synthetic_handshake_message(struct tls13_ctx *ctx) 620 { 621 struct tls13_handshake_msg *hm = NULL; 622 unsigned char buf[EVP_MAX_MD_SIZE]; 623 size_t hash_len; 624 CBB cbb; 625 CBS cbs; 626 SSL *s = ctx->ssl; 627 int ret = 0; 628 629 /* 630 * Replace ClientHello with synthetic handshake message - see 631 * RFC 8446 section 4.4.1. 632 */ 633 if (!tls1_transcript_hash_init(s)) 634 goto err; 635 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 636 goto err; 637 638 if ((hm = tls13_handshake_msg_new()) == NULL) 639 goto err; 640 if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH)) 641 goto err; 642 if (!CBB_add_bytes(&cbb, buf, hash_len)) 643 goto err; 644 if (!tls13_handshake_msg_finish(hm)) 645 goto err; 646 647 tls13_handshake_msg_data(hm, &cbs); 648 649 tls1_transcript_reset(ctx->ssl); 650 if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) 651 goto err; 652 653 ret = 1; 654 655 err: 656 tls13_handshake_msg_free(hm); 657 658 return ret; 659 } 660 661 int 662 tls13_clienthello_hash_init(struct tls13_ctx *ctx) 663 { 664 if (ctx->hs->tls13.clienthello_md_ctx != NULL) 665 return 0; 666 if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL) 667 return 0; 668 if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx, 669 EVP_sha256(), NULL)) 670 return 0; 671 672 if ((ctx->hs->tls13.clienthello_hash == NULL) && 673 (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) == 674 NULL) 675 return 0; 676 677 return 1; 678 } 679 680 void 681 tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */ 682 { 683 EVP_MD_CTX_free(hs->clienthello_md_ctx); 684 hs->clienthello_md_ctx = NULL; 685 freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE); 686 hs->clienthello_hash = NULL; 687 } 688 689 int 690 tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data, 691 size_t len) 692 { 693 return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len); 694 } 695 696 int 697 tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs) 698 { 699 return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs), 700 CBS_len(cbs)); 701 } 702 703 int 704 tls13_clienthello_hash_finalize(struct tls13_ctx *ctx) 705 { 706 if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx, 707 ctx->hs->tls13.clienthello_hash, 708 &ctx->hs->tls13.clienthello_hash_len)) 709 return 0; 710 EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx); 711 ctx->hs->tls13.clienthello_md_ctx = NULL; 712 return 1; 713 } 714 715 int 716 tls13_clienthello_hash_validate(struct tls13_ctx *ctx) 717 { 718 unsigned char new_ch_hash[EVP_MAX_MD_SIZE]; 719 unsigned int new_ch_hash_len; 720 721 if (ctx->hs->tls13.clienthello_hash == NULL) 722 return 0; 723 724 if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx, 725 new_ch_hash, &new_ch_hash_len)) 726 return 0; 727 EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx); 728 ctx->hs->tls13.clienthello_md_ctx = NULL; 729 730 if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len) 731 return 0; 732 if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash, 733 new_ch_hash_len) != 0) 734 return 0; 735 736 return 1; 737 } 738