1 /* $OpenBSD: tls13_lib.c,v 1.71 2022/09/10 15:29:33 jsing Exp $ */
2 /*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include <stddef.h>
20
21 #include <openssl/evp.h>
22
23 #include "ssl_locl.h"
24 #include "ssl_tlsext.h"
25 #include "tls13_internal.h"
26
27 /*
28 * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
29 * by the server in server random if it is willing to downgrade but supports
30 * TLSv1.3
31 */
32 const uint8_t tls13_downgrade_12[8] = {
33 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
34 };
35 const uint8_t tls13_downgrade_11[8] = {
36 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
37 };
38
39 /*
40 * HelloRetryRequest hash - RFC 8446 section 4.1.3.
41 */
42 const uint8_t tls13_hello_retry_request_hash[32] = {
43 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
44 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
45 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
46 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
47 };
48
49 /*
50 * Certificate Verify padding - RFC 8446 section 4.4.3.
51 */
52 const uint8_t tls13_cert_verify_pad[64] = {
53 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
54 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
55 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
56 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
57 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
58 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
59 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
60 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
61 };
62
63 const uint8_t tls13_cert_client_verify_context[] =
64 "TLS 1.3, client CertificateVerify";
65 const uint8_t tls13_cert_server_verify_context[] =
66 "TLS 1.3, server CertificateVerify";
67
68 const EVP_AEAD *
tls13_cipher_aead(const SSL_CIPHER * cipher)69 tls13_cipher_aead(const SSL_CIPHER *cipher)
70 {
71 if (cipher == NULL)
72 return NULL;
73 if (cipher->algorithm_ssl != SSL_TLSV1_3)
74 return NULL;
75
76 switch (cipher->algorithm_enc) {
77 case SSL_AES128GCM:
78 return EVP_aead_aes_128_gcm();
79 case SSL_AES256GCM:
80 return EVP_aead_aes_256_gcm();
81 case SSL_CHACHA20POLY1305:
82 return EVP_aead_chacha20_poly1305();
83 }
84
85 return NULL;
86 }
87
88 const EVP_MD *
tls13_cipher_hash(const SSL_CIPHER * cipher)89 tls13_cipher_hash(const SSL_CIPHER *cipher)
90 {
91 if (cipher == NULL)
92 return NULL;
93 if (cipher->algorithm_ssl != SSL_TLSV1_3)
94 return NULL;
95
96 switch (cipher->algorithm2) {
97 case SSL_HANDSHAKE_MAC_SHA256:
98 return EVP_sha256();
99 case SSL_HANDSHAKE_MAC_SHA384:
100 return EVP_sha384();
101 }
102
103 return NULL;
104 }
105
106 void
tls13_alert_received_cb(uint8_t alert_desc,void * arg)107 tls13_alert_received_cb(uint8_t alert_desc, void *arg)
108 {
109 struct tls13_ctx *ctx = arg;
110
111 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
112 ctx->close_notify_recv = 1;
113 ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN;
114 ctx->ssl->s3->warn_alert = alert_desc;
115 return;
116 }
117
118 if (alert_desc == TLS13_ALERT_USER_CANCELED) {
119 /*
120 * We treat this as advisory, since a close_notify alert
121 * SHOULD follow this alert (RFC 8446 section 6.1).
122 */
123 return;
124 }
125
126 /* All other alerts are treated as fatal in TLSv1.3. */
127 ctx->ssl->s3->fatal_alert = alert_desc;
128
129 SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
130 ERR_asprintf_error_data("SSL alert number %d", alert_desc);
131
132 SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
133 }
134
135 void
tls13_alert_sent_cb(uint8_t alert_desc,void * arg)136 tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
137 {
138 struct tls13_ctx *ctx = arg;
139
140 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
141 ctx->close_notify_sent = 1;
142 return;
143 }
144
145 if (alert_desc == TLS13_ALERT_USER_CANCELED) {
146 return;
147 }
148
149 /* All other alerts are treated as fatal in TLSv1.3. */
150 if (ctx->error.code == 0)
151 SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
152 }
153
154 static void
tls13_legacy_handshake_message_recv_cb(void * arg)155 tls13_legacy_handshake_message_recv_cb(void *arg)
156 {
157 struct tls13_ctx *ctx = arg;
158 SSL *s = ctx->ssl;
159 CBS cbs;
160
161 if (s->internal->msg_callback == NULL)
162 return;
163
164 tls13_handshake_msg_data(ctx->hs_msg, &cbs);
165 ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE, &cbs);
166 }
167
168 static void
tls13_legacy_handshake_message_sent_cb(void * arg)169 tls13_legacy_handshake_message_sent_cb(void *arg)
170 {
171 struct tls13_ctx *ctx = arg;
172 SSL *s = ctx->ssl;
173 CBS cbs;
174
175 if (s->internal->msg_callback == NULL)
176 return;
177
178 tls13_handshake_msg_data(ctx->hs_msg, &cbs);
179 ssl_msg_callback_cbs(s, 1, SSL3_RT_HANDSHAKE, &cbs);
180 }
181
182 static void
tls13_legacy_info_cb(void * arg,int state,int ret)183 tls13_legacy_info_cb(void *arg, int state, int ret)
184 {
185 struct tls13_ctx *ctx = arg;
186 SSL *s = ctx->ssl;
187
188 ssl_info_callback(s, state, ret);
189 }
190
191 static int
tls13_legacy_ocsp_status_recv_cb(void * arg)192 tls13_legacy_ocsp_status_recv_cb(void *arg)
193 {
194 struct tls13_ctx *ctx = arg;
195 SSL *s = ctx->ssl;
196 int ret;
197
198 if (s->ctx->internal->tlsext_status_cb == NULL)
199 return 1;
200
201 ret = s->ctx->internal->tlsext_status_cb(s,
202 s->ctx->internal->tlsext_status_arg);
203 if (ret < 0) {
204 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
205 SSLerror(s, ERR_R_MALLOC_FAILURE);
206 return 0;
207 }
208 if (ret == 0) {
209 ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE;
210 SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
211 return 0;
212 }
213
214 return 1;
215 }
216
217 static int
tls13_phh_update_read_traffic_secret(struct tls13_ctx * ctx)218 tls13_phh_update_read_traffic_secret(struct tls13_ctx *ctx)
219 {
220 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
221 struct tls13_secret *secret;
222
223 if (ctx->mode == TLS13_HS_CLIENT) {
224 secret = &secrets->server_application_traffic;
225 if (!tls13_update_server_traffic_secret(secrets))
226 return 0;
227 } else {
228 secret = &secrets->client_application_traffic;
229 if (!tls13_update_client_traffic_secret(secrets))
230 return 0;
231 }
232
233 return tls13_record_layer_set_read_traffic_key(ctx->rl,
234 secret, ssl_encryption_application);
235 }
236
237 static int
tls13_phh_update_write_traffic_secret(struct tls13_ctx * ctx)238 tls13_phh_update_write_traffic_secret(struct tls13_ctx *ctx)
239 {
240 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
241 struct tls13_secret *secret;
242
243 if (ctx->mode == TLS13_HS_CLIENT) {
244 secret = &secrets->client_application_traffic;
245 if (!tls13_update_client_traffic_secret(secrets))
246 return 0;
247 } else {
248 secret = &secrets->server_application_traffic;
249 if (!tls13_update_server_traffic_secret(secrets))
250 return 0;
251 }
252
253 return tls13_record_layer_set_write_traffic_key(ctx->rl,
254 secret, ssl_encryption_application);
255 }
256
257 /*
258 * XXX arbitrarily chosen limit of 100 post handshake handshake
259 * messages in an hour - to avoid a hostile peer from constantly
260 * requesting certificates or key renegotiaitons, etc.
261 */
262 static int
tls13_phh_limit_check(struct tls13_ctx * ctx)263 tls13_phh_limit_check(struct tls13_ctx *ctx)
264 {
265 time_t now = time(NULL);
266
267 if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
268 if (ctx->phh_count > TLS13_PHH_LIMIT)
269 return 0;
270 } else
271 ctx->phh_count = 0;
272 ctx->phh_count++;
273 ctx->phh_last_seen = now;
274 return 1;
275 }
276
277 static ssize_t
tls13_key_update_recv(struct tls13_ctx * ctx,CBS * cbs)278 tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
279 {
280 struct tls13_handshake_msg *hs_msg = NULL;
281 CBB cbb_hs;
282 CBS cbs_hs;
283 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
284 uint8_t key_update_request;
285 ssize_t ret;
286
287 if (!CBS_get_u8(cbs, &key_update_request)) {
288 alert = TLS13_ALERT_DECODE_ERROR;
289 goto err;
290 }
291 if (CBS_len(cbs) != 0) {
292 alert = TLS13_ALERT_DECODE_ERROR;
293 goto err;
294 }
295 if (key_update_request > 1) {
296 alert = TLS13_ALERT_ILLEGAL_PARAMETER;
297 goto err;
298 }
299
300 if (!tls13_phh_update_read_traffic_secret(ctx))
301 goto err;
302
303 if (key_update_request == 0)
304 return TLS13_IO_SUCCESS;
305
306 /* Our peer requested that we update our write traffic keys. */
307 if ((hs_msg = tls13_handshake_msg_new()) == NULL)
308 goto err;
309 if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE))
310 goto err;
311 if (!CBB_add_u8(&cbb_hs, 0))
312 goto err;
313 if (!tls13_handshake_msg_finish(hs_msg))
314 goto err;
315
316 ctx->key_update_request = 1;
317 tls13_handshake_msg_data(hs_msg, &cbs_hs);
318 ret = tls13_record_layer_phh(ctx->rl, &cbs_hs);
319
320 tls13_handshake_msg_free(hs_msg);
321 hs_msg = NULL;
322
323 return ret;
324
325 err:
326 tls13_handshake_msg_free(hs_msg);
327
328 return tls13_send_alert(ctx->rl, alert);
329 }
330
331 ssize_t
tls13_phh_received_cb(void * cb_arg)332 tls13_phh_received_cb(void *cb_arg)
333 {
334 ssize_t ret = TLS13_IO_FAILURE;
335 struct tls13_ctx *ctx = cb_arg;
336 CBS cbs;
337
338 if (!tls13_phh_limit_check(ctx))
339 return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
340
341 if ((ctx->hs_msg == NULL) &&
342 ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
343 return TLS13_IO_FAILURE;
344
345 if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) !=
346 TLS13_IO_SUCCESS)
347 return ret;
348
349 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
350 return TLS13_IO_FAILURE;
351
352 switch(tls13_handshake_msg_type(ctx->hs_msg)) {
353 case TLS13_MT_KEY_UPDATE:
354 ret = tls13_key_update_recv(ctx, &cbs);
355 break;
356 case TLS13_MT_NEW_SESSION_TICKET:
357 /* XXX do nothing for now and ignore this */
358 break;
359 case TLS13_MT_CERTIFICATE_REQUEST:
360 /* XXX add support if we choose to advertise this */
361 /* FALLTHROUGH */
362 default:
363 ret = TLS13_IO_FAILURE; /* XXX send alert */
364 break;
365 }
366
367 tls13_handshake_msg_free(ctx->hs_msg);
368 ctx->hs_msg = NULL;
369 return ret;
370 }
371
372 void
tls13_phh_done_cb(void * cb_arg)373 tls13_phh_done_cb(void *cb_arg)
374 {
375 struct tls13_ctx *ctx = cb_arg;
376
377 if (ctx->key_update_request) {
378 tls13_phh_update_write_traffic_secret(ctx);
379 ctx->key_update_request = 0;
380 }
381 }
382
383 static const struct tls13_record_layer_callbacks tls13_rl_callbacks = {
384 .wire_read = tls13_legacy_wire_read_cb,
385 .wire_write = tls13_legacy_wire_write_cb,
386 .wire_flush = tls13_legacy_wire_flush_cb,
387
388 .alert_recv = tls13_alert_received_cb,
389 .alert_sent = tls13_alert_sent_cb,
390 .phh_recv = tls13_phh_received_cb,
391 .phh_sent = tls13_phh_done_cb,
392 };
393
394 struct tls13_ctx *
tls13_ctx_new(int mode,SSL * ssl)395 tls13_ctx_new(int mode, SSL *ssl)
396 {
397 struct tls13_ctx *ctx = NULL;
398
399 if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
400 goto err;
401
402 ctx->hs = &ssl->s3->hs;
403 ctx->mode = mode;
404 ctx->ssl = ssl;
405
406 if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL)
407 goto err;
408
409 ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
410 ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
411 ctx->info_cb = tls13_legacy_info_cb;
412 ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
413
414 ctx->middlebox_compat = 1;
415
416 ssl->internal->tls13 = ctx;
417
418 if (SSL_is_quic(ssl)) {
419 if (!tls13_quic_init(ctx))
420 goto err;
421 }
422
423 return ctx;
424
425 err:
426 tls13_ctx_free(ctx);
427
428 return NULL;
429 }
430
431 void
tls13_ctx_free(struct tls13_ctx * ctx)432 tls13_ctx_free(struct tls13_ctx *ctx)
433 {
434 if (ctx == NULL)
435 return;
436
437 tls13_error_clear(&ctx->error);
438 tls13_record_layer_free(ctx->rl);
439 tls13_handshake_msg_free(ctx->hs_msg);
440
441 freezero(ctx, sizeof(struct tls13_ctx));
442 }
443
444 int
tls13_cert_add(struct tls13_ctx * ctx,CBB * cbb,X509 * cert,int (* build_extensions)(SSL * s,uint16_t msg_type,CBB * cbb))445 tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
446 int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb))
447 {
448 CBB cert_data, cert_exts;
449 uint8_t *data;
450 int cert_len;
451
452 if ((cert_len = i2d_X509(cert, NULL)) < 0)
453 return 0;
454
455 if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
456 return 0;
457 if (!CBB_add_space(&cert_data, &data, cert_len))
458 return 0;
459 if (i2d_X509(cert, &data) != cert_len)
460 return 0;
461 if (build_extensions != NULL) {
462 if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
463 return 0;
464 } else {
465 if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
466 return 0;
467 }
468 if (!CBB_flush(cbb))
469 return 0;
470
471 return 1;
472 }
473
474 int
tls13_synthetic_handshake_message(struct tls13_ctx * ctx)475 tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
476 {
477 struct tls13_handshake_msg *hm = NULL;
478 unsigned char buf[EVP_MAX_MD_SIZE];
479 size_t hash_len;
480 CBB cbb;
481 CBS cbs;
482 SSL *s = ctx->ssl;
483 int ret = 0;
484
485 /*
486 * Replace ClientHello with synthetic handshake message - see
487 * RFC 8446 section 4.4.1.
488 */
489 if (!tls1_transcript_hash_init(s))
490 goto err;
491 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
492 goto err;
493
494 if ((hm = tls13_handshake_msg_new()) == NULL)
495 goto err;
496 if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
497 goto err;
498 if (!CBB_add_bytes(&cbb, buf, hash_len))
499 goto err;
500 if (!tls13_handshake_msg_finish(hm))
501 goto err;
502
503 tls13_handshake_msg_data(hm, &cbs);
504
505 tls1_transcript_reset(ctx->ssl);
506 if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
507 goto err;
508
509 ret = 1;
510
511 err:
512 tls13_handshake_msg_free(hm);
513
514 return ret;
515 }
516
517 int
tls13_clienthello_hash_init(struct tls13_ctx * ctx)518 tls13_clienthello_hash_init(struct tls13_ctx *ctx)
519 {
520 if (ctx->hs->tls13.clienthello_md_ctx != NULL)
521 return 0;
522 if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
523 return 0;
524 if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
525 EVP_sha256(), NULL))
526 return 0;
527
528 if ((ctx->hs->tls13.clienthello_hash == NULL) &&
529 (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
530 NULL)
531 return 0;
532
533 return 1;
534 }
535
536 void
tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st * hs)537 tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */
538 {
539 EVP_MD_CTX_free(hs->clienthello_md_ctx);
540 hs->clienthello_md_ctx = NULL;
541 freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
542 hs->clienthello_hash = NULL;
543 }
544
545 int
tls13_clienthello_hash_update_bytes(struct tls13_ctx * ctx,void * data,size_t len)546 tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
547 size_t len)
548 {
549 return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
550 }
551
552 int
tls13_clienthello_hash_update(struct tls13_ctx * ctx,CBS * cbs)553 tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs)
554 {
555 return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
556 CBS_len(cbs));
557 }
558
559 int
tls13_clienthello_hash_finalize(struct tls13_ctx * ctx)560 tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
561 {
562 if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
563 ctx->hs->tls13.clienthello_hash,
564 &ctx->hs->tls13.clienthello_hash_len))
565 return 0;
566 EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
567 ctx->hs->tls13.clienthello_md_ctx = NULL;
568 return 1;
569 }
570
571 int
tls13_clienthello_hash_validate(struct tls13_ctx * ctx)572 tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
573 {
574 unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
575 unsigned int new_ch_hash_len;
576
577 if (ctx->hs->tls13.clienthello_hash == NULL)
578 return 0;
579
580 if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
581 new_ch_hash, &new_ch_hash_len))
582 return 0;
583 EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
584 ctx->hs->tls13.clienthello_md_ctx = NULL;
585
586 if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
587 return 0;
588 if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
589 new_ch_hash_len) != 0)
590 return 0;
591
592 return 1;
593 }
594
595 int
tls13_exporter(struct tls13_ctx * ctx,const uint8_t * label,size_t label_len,const uint8_t * context_value,size_t context_value_len,uint8_t * out,size_t out_len)596 tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len,
597 const uint8_t *context_value, size_t context_value_len, uint8_t *out,
598 size_t out_len)
599 {
600 struct tls13_secret context, export_out, export_secret;
601 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
602 EVP_MD_CTX *md_ctx = NULL;
603 unsigned int md_out_len;
604 int md_len;
605 int ret = 0;
606
607 /*
608 * RFC 8446 Section 7.5.
609 */
610
611 memset(&context, 0, sizeof(context));
612 memset(&export_secret, 0, sizeof(export_secret));
613
614 export_out.data = out;
615 export_out.len = out_len;
616
617 if (!ctx->handshake_completed)
618 return 0;
619
620 md_len = EVP_MD_size(secrets->digest);
621 if (md_len <= 0 || md_len > EVP_MAX_MD_SIZE)
622 goto err;
623
624 if (!tls13_secret_init(&export_secret, md_len))
625 goto err;
626 if (!tls13_secret_init(&context, md_len))
627 goto err;
628
629 /* In TLSv1.3 no context is equivalent to an empty context. */
630 if (context_value == NULL) {
631 context_value = "";
632 context_value_len = 0;
633 }
634
635 if ((md_ctx = EVP_MD_CTX_new()) == NULL)
636 goto err;
637 if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL))
638 goto err;
639 if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len))
640 goto err;
641 if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len))
642 goto err;
643 if (md_len != md_out_len)
644 goto err;
645
646 if (!tls13_derive_secret_with_label_length(&export_secret,
647 secrets->digest, &secrets->exporter_master, label, label_len,
648 &secrets->empty_hash))
649 goto err;
650
651 if (!tls13_hkdf_expand_label(&export_out, secrets->digest,
652 &export_secret, "exporter", &context))
653 goto err;
654
655 ret = 1;
656
657 err:
658 EVP_MD_CTX_free(md_ctx);
659 tls13_secret_cleanup(&context);
660 tls13_secret_cleanup(&export_secret);
661
662 return ret;
663 }
664