xref: /dragonfly/crypto/libressl/ssl/tls13_lib.c (revision de0e0e4d)
1 /*	$OpenBSD: tls13_lib.c,v 1.71 2022/09/10 15:29:33 jsing Exp $ */
2 /*
3  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <stddef.h>
20 
21 #include <openssl/evp.h>
22 
23 #include "ssl_locl.h"
24 #include "ssl_tlsext.h"
25 #include "tls13_internal.h"
26 
27 /*
28  * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
29  * by the server in server random if it is willing to downgrade but supports
30  * TLSv1.3
31  */
32 const uint8_t tls13_downgrade_12[8] = {
33 	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
34 };
35 const uint8_t tls13_downgrade_11[8] = {
36 	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
37 };
38 
39 /*
40  * HelloRetryRequest hash - RFC 8446 section 4.1.3.
41  */
42 const uint8_t tls13_hello_retry_request_hash[32] = {
43 	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
44 	0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
45 	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
46 	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
47 };
48 
49 /*
50  * Certificate Verify padding - RFC 8446 section 4.4.3.
51  */
52 const uint8_t tls13_cert_verify_pad[64] = {
53 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
54 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
55 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
56 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
57 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
58 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
59 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
60 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
61 };
62 
63 const uint8_t tls13_cert_client_verify_context[] =
64     "TLS 1.3, client CertificateVerify";
65 const uint8_t tls13_cert_server_verify_context[] =
66     "TLS 1.3, server CertificateVerify";
67 
68 const EVP_AEAD *
tls13_cipher_aead(const SSL_CIPHER * cipher)69 tls13_cipher_aead(const SSL_CIPHER *cipher)
70 {
71 	if (cipher == NULL)
72 		return NULL;
73 	if (cipher->algorithm_ssl != SSL_TLSV1_3)
74 		return NULL;
75 
76 	switch (cipher->algorithm_enc) {
77 	case SSL_AES128GCM:
78 		return EVP_aead_aes_128_gcm();
79 	case SSL_AES256GCM:
80 		return EVP_aead_aes_256_gcm();
81 	case SSL_CHACHA20POLY1305:
82 		return EVP_aead_chacha20_poly1305();
83 	}
84 
85 	return NULL;
86 }
87 
88 const EVP_MD *
tls13_cipher_hash(const SSL_CIPHER * cipher)89 tls13_cipher_hash(const SSL_CIPHER *cipher)
90 {
91 	if (cipher == NULL)
92 		return NULL;
93 	if (cipher->algorithm_ssl != SSL_TLSV1_3)
94 		return NULL;
95 
96 	switch (cipher->algorithm2) {
97 	case SSL_HANDSHAKE_MAC_SHA256:
98 		return EVP_sha256();
99 	case SSL_HANDSHAKE_MAC_SHA384:
100 		return EVP_sha384();
101 	}
102 
103 	return NULL;
104 }
105 
106 void
tls13_alert_received_cb(uint8_t alert_desc,void * arg)107 tls13_alert_received_cb(uint8_t alert_desc, void *arg)
108 {
109 	struct tls13_ctx *ctx = arg;
110 
111 	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
112 		ctx->close_notify_recv = 1;
113 		ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN;
114 		ctx->ssl->s3->warn_alert = alert_desc;
115 		return;
116 	}
117 
118 	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
119 		/*
120 		 * We treat this as advisory, since a close_notify alert
121 		 * SHOULD follow this alert (RFC 8446 section 6.1).
122 		 */
123 		return;
124 	}
125 
126 	/* All other alerts are treated as fatal in TLSv1.3. */
127 	ctx->ssl->s3->fatal_alert = alert_desc;
128 
129 	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
130 	ERR_asprintf_error_data("SSL alert number %d", alert_desc);
131 
132 	SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
133 }
134 
135 void
tls13_alert_sent_cb(uint8_t alert_desc,void * arg)136 tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
137 {
138 	struct tls13_ctx *ctx = arg;
139 
140 	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
141 		ctx->close_notify_sent = 1;
142 		return;
143 	}
144 
145 	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
146 		return;
147 	}
148 
149 	/* All other alerts are treated as fatal in TLSv1.3. */
150 	if (ctx->error.code == 0)
151 		SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
152 }
153 
154 static void
tls13_legacy_handshake_message_recv_cb(void * arg)155 tls13_legacy_handshake_message_recv_cb(void *arg)
156 {
157 	struct tls13_ctx *ctx = arg;
158 	SSL *s = ctx->ssl;
159 	CBS cbs;
160 
161 	if (s->internal->msg_callback == NULL)
162 		return;
163 
164 	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
165 	ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE, &cbs);
166 }
167 
168 static void
tls13_legacy_handshake_message_sent_cb(void * arg)169 tls13_legacy_handshake_message_sent_cb(void *arg)
170 {
171 	struct tls13_ctx *ctx = arg;
172 	SSL *s = ctx->ssl;
173 	CBS cbs;
174 
175 	if (s->internal->msg_callback == NULL)
176 		return;
177 
178 	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
179 	ssl_msg_callback_cbs(s, 1, SSL3_RT_HANDSHAKE, &cbs);
180 }
181 
182 static void
tls13_legacy_info_cb(void * arg,int state,int ret)183 tls13_legacy_info_cb(void *arg, int state, int ret)
184 {
185 	struct tls13_ctx *ctx = arg;
186 	SSL *s = ctx->ssl;
187 
188 	ssl_info_callback(s, state, ret);
189 }
190 
191 static int
tls13_legacy_ocsp_status_recv_cb(void * arg)192 tls13_legacy_ocsp_status_recv_cb(void *arg)
193 {
194 	struct tls13_ctx *ctx = arg;
195 	SSL *s = ctx->ssl;
196 	int ret;
197 
198 	if (s->ctx->internal->tlsext_status_cb == NULL)
199 		return 1;
200 
201 	ret = s->ctx->internal->tlsext_status_cb(s,
202 	    s->ctx->internal->tlsext_status_arg);
203 	if (ret < 0) {
204 		ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
205 		SSLerror(s, ERR_R_MALLOC_FAILURE);
206 		return 0;
207 	}
208 	if (ret == 0) {
209 		ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE;
210 		SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
211 		return 0;
212 	}
213 
214 	return 1;
215 }
216 
217 static int
tls13_phh_update_read_traffic_secret(struct tls13_ctx * ctx)218 tls13_phh_update_read_traffic_secret(struct tls13_ctx *ctx)
219 {
220 	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
221 	struct tls13_secret *secret;
222 
223 	if (ctx->mode == TLS13_HS_CLIENT) {
224 		secret = &secrets->server_application_traffic;
225 		if (!tls13_update_server_traffic_secret(secrets))
226 			return 0;
227 	} else {
228 		secret = &secrets->client_application_traffic;
229 		if (!tls13_update_client_traffic_secret(secrets))
230 			return 0;
231 	}
232 
233 	return tls13_record_layer_set_read_traffic_key(ctx->rl,
234 	    secret, ssl_encryption_application);
235 }
236 
237 static int
tls13_phh_update_write_traffic_secret(struct tls13_ctx * ctx)238 tls13_phh_update_write_traffic_secret(struct tls13_ctx *ctx)
239 {
240 	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
241 	struct tls13_secret *secret;
242 
243 	if (ctx->mode == TLS13_HS_CLIENT) {
244 		secret = &secrets->client_application_traffic;
245 		if (!tls13_update_client_traffic_secret(secrets))
246 			return 0;
247 	} else {
248 		secret = &secrets->server_application_traffic;
249 		if (!tls13_update_server_traffic_secret(secrets))
250 			return 0;
251 	}
252 
253 	return tls13_record_layer_set_write_traffic_key(ctx->rl,
254 	    secret, ssl_encryption_application);
255 }
256 
257 /*
258  * XXX arbitrarily chosen limit of 100 post handshake handshake
259  * messages in an hour - to avoid a hostile peer from constantly
260  * requesting certificates or key renegotiaitons, etc.
261  */
262 static int
tls13_phh_limit_check(struct tls13_ctx * ctx)263 tls13_phh_limit_check(struct tls13_ctx *ctx)
264 {
265 	time_t now = time(NULL);
266 
267 	if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
268 		if (ctx->phh_count > TLS13_PHH_LIMIT)
269 			return 0;
270 	} else
271 		ctx->phh_count = 0;
272 	ctx->phh_count++;
273 	ctx->phh_last_seen = now;
274 	return 1;
275 }
276 
277 static ssize_t
tls13_key_update_recv(struct tls13_ctx * ctx,CBS * cbs)278 tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
279 {
280 	struct tls13_handshake_msg *hs_msg = NULL;
281 	CBB cbb_hs;
282 	CBS cbs_hs;
283 	uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
284 	uint8_t key_update_request;
285 	ssize_t ret;
286 
287 	if (!CBS_get_u8(cbs, &key_update_request)) {
288 		alert = TLS13_ALERT_DECODE_ERROR;
289 		goto err;
290 	}
291 	if (CBS_len(cbs) != 0) {
292 		alert = TLS13_ALERT_DECODE_ERROR;
293 		goto err;
294 	}
295 	if (key_update_request > 1) {
296 		alert = TLS13_ALERT_ILLEGAL_PARAMETER;
297 		goto err;
298 	}
299 
300 	if (!tls13_phh_update_read_traffic_secret(ctx))
301 		goto err;
302 
303 	if (key_update_request == 0)
304 		return TLS13_IO_SUCCESS;
305 
306 	/* Our peer requested that we update our write traffic keys. */
307 	if ((hs_msg = tls13_handshake_msg_new()) == NULL)
308 		goto err;
309 	if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE))
310 		goto err;
311 	if (!CBB_add_u8(&cbb_hs, 0))
312 		goto err;
313 	if (!tls13_handshake_msg_finish(hs_msg))
314 		goto err;
315 
316 	ctx->key_update_request = 1;
317 	tls13_handshake_msg_data(hs_msg, &cbs_hs);
318 	ret = tls13_record_layer_phh(ctx->rl, &cbs_hs);
319 
320 	tls13_handshake_msg_free(hs_msg);
321 	hs_msg = NULL;
322 
323 	return ret;
324 
325  err:
326 	tls13_handshake_msg_free(hs_msg);
327 
328 	return tls13_send_alert(ctx->rl, alert);
329 }
330 
331 ssize_t
tls13_phh_received_cb(void * cb_arg)332 tls13_phh_received_cb(void *cb_arg)
333 {
334 	ssize_t ret = TLS13_IO_FAILURE;
335 	struct tls13_ctx *ctx = cb_arg;
336 	CBS cbs;
337 
338 	if (!tls13_phh_limit_check(ctx))
339 		return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
340 
341 	if ((ctx->hs_msg == NULL) &&
342 	    ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
343 		return TLS13_IO_FAILURE;
344 
345 	if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) !=
346 	    TLS13_IO_SUCCESS)
347 		return ret;
348 
349 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
350 		return TLS13_IO_FAILURE;
351 
352 	switch(tls13_handshake_msg_type(ctx->hs_msg)) {
353 	case TLS13_MT_KEY_UPDATE:
354 		ret = tls13_key_update_recv(ctx, &cbs);
355 		break;
356 	case TLS13_MT_NEW_SESSION_TICKET:
357 		/* XXX do nothing for now and ignore this */
358 		break;
359 	case TLS13_MT_CERTIFICATE_REQUEST:
360 		/* XXX add support if we choose to advertise this */
361 		/* FALLTHROUGH */
362 	default:
363 		ret = TLS13_IO_FAILURE; /* XXX send alert */
364 		break;
365 	}
366 
367 	tls13_handshake_msg_free(ctx->hs_msg);
368 	ctx->hs_msg = NULL;
369 	return ret;
370 }
371 
372 void
tls13_phh_done_cb(void * cb_arg)373 tls13_phh_done_cb(void *cb_arg)
374 {
375 	struct tls13_ctx *ctx = cb_arg;
376 
377 	if (ctx->key_update_request) {
378 		tls13_phh_update_write_traffic_secret(ctx);
379 		ctx->key_update_request = 0;
380 	}
381 }
382 
383 static const struct tls13_record_layer_callbacks tls13_rl_callbacks = {
384 	.wire_read = tls13_legacy_wire_read_cb,
385 	.wire_write = tls13_legacy_wire_write_cb,
386 	.wire_flush = tls13_legacy_wire_flush_cb,
387 
388 	.alert_recv = tls13_alert_received_cb,
389 	.alert_sent = tls13_alert_sent_cb,
390 	.phh_recv = tls13_phh_received_cb,
391 	.phh_sent = tls13_phh_done_cb,
392 };
393 
394 struct tls13_ctx *
tls13_ctx_new(int mode,SSL * ssl)395 tls13_ctx_new(int mode, SSL *ssl)
396 {
397 	struct tls13_ctx *ctx = NULL;
398 
399 	if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
400 		goto err;
401 
402 	ctx->hs = &ssl->s3->hs;
403 	ctx->mode = mode;
404 	ctx->ssl = ssl;
405 
406 	if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL)
407 		goto err;
408 
409 	ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
410 	ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
411 	ctx->info_cb = tls13_legacy_info_cb;
412 	ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
413 
414 	ctx->middlebox_compat = 1;
415 
416 	ssl->internal->tls13 = ctx;
417 
418 	if (SSL_is_quic(ssl)) {
419 		if (!tls13_quic_init(ctx))
420 			goto err;
421 	}
422 
423 	return ctx;
424 
425  err:
426 	tls13_ctx_free(ctx);
427 
428 	return NULL;
429 }
430 
431 void
tls13_ctx_free(struct tls13_ctx * ctx)432 tls13_ctx_free(struct tls13_ctx *ctx)
433 {
434 	if (ctx == NULL)
435 		return;
436 
437 	tls13_error_clear(&ctx->error);
438 	tls13_record_layer_free(ctx->rl);
439 	tls13_handshake_msg_free(ctx->hs_msg);
440 
441 	freezero(ctx, sizeof(struct tls13_ctx));
442 }
443 
444 int
tls13_cert_add(struct tls13_ctx * ctx,CBB * cbb,X509 * cert,int (* build_extensions)(SSL * s,uint16_t msg_type,CBB * cbb))445 tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
446     int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb))
447 {
448 	CBB cert_data, cert_exts;
449 	uint8_t *data;
450 	int cert_len;
451 
452 	if ((cert_len = i2d_X509(cert, NULL)) < 0)
453 		return 0;
454 
455 	if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
456 		return 0;
457 	if (!CBB_add_space(&cert_data, &data, cert_len))
458 		return 0;
459 	if (i2d_X509(cert, &data) != cert_len)
460 		return 0;
461 	if (build_extensions != NULL) {
462 		if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
463 			return 0;
464 	} else {
465 		if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
466 			return 0;
467 	}
468 	if (!CBB_flush(cbb))
469 		return 0;
470 
471 	return 1;
472 }
473 
474 int
tls13_synthetic_handshake_message(struct tls13_ctx * ctx)475 tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
476 {
477 	struct tls13_handshake_msg *hm = NULL;
478 	unsigned char buf[EVP_MAX_MD_SIZE];
479 	size_t hash_len;
480 	CBB cbb;
481 	CBS cbs;
482 	SSL *s = ctx->ssl;
483 	int ret = 0;
484 
485 	/*
486 	 * Replace ClientHello with synthetic handshake message - see
487 	 * RFC 8446 section 4.4.1.
488 	 */
489 	if (!tls1_transcript_hash_init(s))
490 		goto err;
491 	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
492 		goto err;
493 
494 	if ((hm = tls13_handshake_msg_new()) == NULL)
495 		goto err;
496 	if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
497 		goto err;
498 	if (!CBB_add_bytes(&cbb, buf, hash_len))
499 		goto err;
500 	if (!tls13_handshake_msg_finish(hm))
501 		goto err;
502 
503 	tls13_handshake_msg_data(hm, &cbs);
504 
505 	tls1_transcript_reset(ctx->ssl);
506 	if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
507 		goto err;
508 
509 	ret = 1;
510 
511  err:
512 	tls13_handshake_msg_free(hm);
513 
514 	return ret;
515 }
516 
517 int
tls13_clienthello_hash_init(struct tls13_ctx * ctx)518 tls13_clienthello_hash_init(struct tls13_ctx *ctx)
519 {
520 	if (ctx->hs->tls13.clienthello_md_ctx != NULL)
521 		return 0;
522 	if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
523 		return 0;
524 	if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
525 	    EVP_sha256(), NULL))
526 		return 0;
527 
528 	if ((ctx->hs->tls13.clienthello_hash == NULL) &&
529 	    (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
530 	    NULL)
531 		return 0;
532 
533 	return 1;
534 }
535 
536 void
tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st * hs)537 tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */
538 {
539 	EVP_MD_CTX_free(hs->clienthello_md_ctx);
540 	hs->clienthello_md_ctx = NULL;
541 	freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
542 	hs->clienthello_hash = NULL;
543 }
544 
545 int
tls13_clienthello_hash_update_bytes(struct tls13_ctx * ctx,void * data,size_t len)546 tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
547     size_t len)
548 {
549 	return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
550 }
551 
552 int
tls13_clienthello_hash_update(struct tls13_ctx * ctx,CBS * cbs)553 tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs)
554 {
555 	return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
556 	    CBS_len(cbs));
557 }
558 
559 int
tls13_clienthello_hash_finalize(struct tls13_ctx * ctx)560 tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
561 {
562 	if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
563 	    ctx->hs->tls13.clienthello_hash,
564 	    &ctx->hs->tls13.clienthello_hash_len))
565 		return 0;
566 	EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
567 	ctx->hs->tls13.clienthello_md_ctx = NULL;
568 	return 1;
569 }
570 
571 int
tls13_clienthello_hash_validate(struct tls13_ctx * ctx)572 tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
573 {
574 	unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
575 	unsigned int new_ch_hash_len;
576 
577 	if (ctx->hs->tls13.clienthello_hash == NULL)
578 		return 0;
579 
580 	if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
581 	    new_ch_hash, &new_ch_hash_len))
582 		return 0;
583 	EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
584 	ctx->hs->tls13.clienthello_md_ctx = NULL;
585 
586 	if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
587 		return 0;
588 	if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
589 	    new_ch_hash_len) != 0)
590 		return 0;
591 
592 	return 1;
593 }
594 
595 int
tls13_exporter(struct tls13_ctx * ctx,const uint8_t * label,size_t label_len,const uint8_t * context_value,size_t context_value_len,uint8_t * out,size_t out_len)596 tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len,
597     const uint8_t *context_value, size_t context_value_len, uint8_t *out,
598     size_t out_len)
599 {
600 	struct tls13_secret context, export_out, export_secret;
601 	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
602 	EVP_MD_CTX *md_ctx = NULL;
603 	unsigned int md_out_len;
604 	int md_len;
605 	int ret = 0;
606 
607 	/*
608 	 * RFC 8446 Section 7.5.
609 	 */
610 
611 	memset(&context, 0, sizeof(context));
612 	memset(&export_secret, 0, sizeof(export_secret));
613 
614 	export_out.data = out;
615 	export_out.len = out_len;
616 
617 	if (!ctx->handshake_completed)
618 		return 0;
619 
620 	md_len = EVP_MD_size(secrets->digest);
621 	if (md_len <= 0 || md_len > EVP_MAX_MD_SIZE)
622 		goto err;
623 
624 	if (!tls13_secret_init(&export_secret, md_len))
625 		goto err;
626 	if (!tls13_secret_init(&context, md_len))
627 		goto err;
628 
629 	/* In TLSv1.3 no context is equivalent to an empty context. */
630 	if (context_value == NULL) {
631 		context_value = "";
632 		context_value_len = 0;
633 	}
634 
635 	if ((md_ctx = EVP_MD_CTX_new()) == NULL)
636 		goto err;
637 	if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL))
638 		goto err;
639 	if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len))
640 		goto err;
641 	if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len))
642 		goto err;
643 	if (md_len != md_out_len)
644 		goto err;
645 
646 	if (!tls13_derive_secret_with_label_length(&export_secret,
647 	    secrets->digest, &secrets->exporter_master, label, label_len,
648 	    &secrets->empty_hash))
649 		goto err;
650 
651 	if (!tls13_hkdf_expand_label(&export_out, secrets->digest,
652 	    &export_secret, "exporter", &context))
653 		goto err;
654 
655 	ret = 1;
656 
657  err:
658 	EVP_MD_CTX_free(md_ctx);
659 	tls13_secret_cleanup(&context);
660 	tls13_secret_cleanup(&export_secret);
661 
662 	return ret;
663 }
664