Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Move tls13_exporter() code.

It makes more sense to have tls13_exporter() in tls13_key_schedule.c,
rather than tls13_lib.c

ok tb@

Error out if the out secret wasn't properly initialized

Calling HKDF_expand() with a length of 0 happens to succeed due to a quirk
in the API inherited from BoringSSL. This hides caller-side errors during
development. Error out to catch such mistakes early on.

ok jsing

Initialize hkdf_label to NULL.

Needed for an upcoming diff adding a NULL check to CBB_finish().

ok jsing

Avoid local variable in tls13_secret_init().

suggested by jsing

Use KNF for licence comment

ok jsing

Move tls13_secrets_destroy() below _create()

ok jsing

Convert tls13_secrets_{create,destroy}() to tls13_secret_{init,cleanup}()

ok jsing

Add tls13_secret_{init,cleanup}()

These are two functions that will help streamlining various functions
in the TLSv1.3 code that do not need to know about the interna of this
struct.

input/ok jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@

branches: 1.8.6;
Correct update of application traffic secrets to use an empty context
rather than the hash of an empty context

ok jsing@

NULL out mdctx to prevent possible double free introduced in version 1.4
Spotted by maestre@, ok tb@

Avoid a double allocation and memory leak.

Reported by Ben L <bobsayshilol at live dot co dot uk>

Fix last of the empty hash nonsense
ok jsing@

Fix the TLSv1.3 key schedule implementation.

When the RFC refers to ("") for key derivation, it is referring to the
transcript hash of an empty string, not an empty string. Rename
tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD *
and calculate the hash of an empty string so that we have it available
for the "derived" and other steps. Merge tls13_secrets_init() into
the same function, remove the EVP_MD * from other functions and use the
empty string hash at the appropriate places.

ok beck@ tb@

KNF

Move #include <openssl/evp.h> to the header.

discussed with beck and jsing

Add initial TLS 1.3 key schedule support with basic regress tests
ok jsing@ tb@

Move tls13_exporter() code.

It makes more sense to have tls13_exporter() in tls13_key_schedule.c,
rather than tls13_lib.c

ok tb@

Error out if the out secret wasn't properly initialized

Calling HKDF_expand() with a length of 0 happens to succeed due to a quirk
in the API inherited from BoringSSL. This hides caller-side errors during
development. Error out to catch such mistakes early on.

ok jsing

Initialize hkdf_label to NULL.

Needed for an upcoming diff adding a NULL check to CBB_finish().

ok jsing

Avoid local variable in tls13_secret_init().

suggested by jsing

Use KNF for licence comment

ok jsing

Move tls13_secrets_destroy() below _create()

ok jsing

Convert tls13_secrets_{create,destroy}() to tls13_secret_{init,cleanup}()

ok jsing

Add tls13_secret_{init,cleanup}()

These are two functions that will help streamlining various functions
in the TLSv1.3 code that do not need to know about the interna of this
struct.

input/ok jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@

branches: 1.8.6;
Correct update of application traffic secrets to use an empty context
rather than the hash of an empty context

ok jsing@

NULL out mdctx to prevent possible double free introduced in version 1.4
Spotted by maestre@, ok tb@

Avoid a double allocation and memory leak.

Reported by Ben L <bobsayshilol at live dot co dot uk>

Fix last of the empty hash nonsense
ok jsing@

Fix the TLSv1.3 key schedule implementation.

When the RFC refers to ("") for key derivation, it is referring to the
transcript hash of an empty string, not an empty string. Rename
tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD *
and calculate the hash of an empty string so that we have it available
for the "derived" and other steps. Merge tls13_secrets_init() into
the same function, remove the EVP_MD * from other functions and use the
empty string hash at the appropriate places.

ok beck@ tb@

KNF

Move #include <openssl/evp.h> to the header.

discussed with beck and jsing

Add initial TLS 1.3 key schedule support with basic regress tests
ok jsing@ tb@

Error out if the out secret wasn't properly initialized

Calling HKDF_expand() with a length of 0 happens to succeed due to a quirk
in the API inherited from BoringSSL. This hides caller-side errors during
development. Error out to catch such mistakes early on.

ok jsing

Initialize hkdf_label to NULL.

Needed for an upcoming diff adding a NULL check to CBB_finish().

ok jsing

Avoid local variable in tls13_secret_init().

suggested by jsing

Use KNF for licence comment

ok jsing

Move tls13_secrets_destroy() below _create()

ok jsing

Convert tls13_secrets_{create,destroy}() to tls13_secret_{init,cleanup}()

ok jsing

Add tls13_secret_{init,cleanup}()

These are two functions that will help streamlining various functions
in the TLSv1.3 code that do not need to know about the interna of this
struct.

input/ok jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@

branches: 1.8.6;
Correct update of application traffic secrets to use an empty context
rather than the hash of an empty context

ok jsing@

NULL out mdctx to prevent possible double free introduced in version 1.4
Spotted by maestre@, ok tb@

Avoid a double allocation and memory leak.

Reported by Ben L <bobsayshilol at live dot co dot uk>

Fix last of the empty hash nonsense
ok jsing@

Fix the TLSv1.3 key schedule implementation.

When the RFC refers to ("") for key derivation, it is referring to the
transcript hash of an empty string, not an empty string. Rename
tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD *
and calculate the hash of an empty string so that we have it available
for the "derived" and other steps. Merge tls13_secrets_init() into
the same function, remove the EVP_MD * from other functions and use the
empty string hash at the appropriate places.

ok beck@ tb@

KNF

Move #include <openssl/evp.h> to the header.

discussed with beck and jsing

Add initial TLS 1.3 key schedule support with basic regress tests
ok jsing@ tb@

Initialize hkdf_label to NULL.

Needed for an upcoming diff adding a NULL check to CBB_finish().

ok jsing

Avoid local variable in tls13_secret_init().

suggested by jsing

Use KNF for licence comment

ok jsing

Move tls13_secrets_destroy() below _create()

ok jsing

Convert tls13_secrets_{create,destroy}() to tls13_secret_{init,cleanup}()

ok jsing

Add tls13_secret_{init,cleanup}()

These are two functions that will help streamlining various functions
in the TLSv1.3 code that do not need to know about the interna of this
struct.

input/ok jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@

branches: 1.8.6;
Correct update of application traffic secrets to use an empty context
rather than the hash of an empty context

ok jsing@

NULL out mdctx to prevent possible double free introduced in version 1.4
Spotted by maestre@, ok tb@

Avoid a double allocation and memory leak.

Reported by Ben L <bobsayshilol at live dot co dot uk>

Fix last of the empty hash nonsense
ok jsing@

Fix the TLSv1.3 key schedule implementation.

When the RFC refers to ("") for key derivation, it is referring to the
transcript hash of an empty string, not an empty string. Rename
tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD *
and calculate the hash of an empty string so that we have it available
for the "derived" and other steps. Merge tls13_secrets_init() into
the same function, remove the EVP_MD * from other functions and use the
empty string hash at the appropriate places.

ok beck@ tb@

KNF

Move #include <openssl/evp.h> to the header.

discussed with beck and jsing

Add initial TLS 1.3 key schedule support with basic regress tests
ok jsing@ tb@

Avoid local variable in tls13_secret_init().

suggested by jsing

Use KNF for licence comment

ok jsing

Move tls13_secrets_destroy() below _create()

ok jsing

Convert tls13_secrets_{create,destroy}() to tls13_secret_{init,cleanup}()

ok jsing

Add tls13_secret_{init,cleanup}()

These are two functions that will help streamlining various functions
in the TLSv1.3 code that do not need to know about the interna of this
struct.

input/ok jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@

Correct update of application traffic secrets to use an empty context
rather than the hash of an empty context

ok jsing@

NULL out mdctx to prevent possible double free introduced in version 1.4
Spotted by maestre@, ok tb@

Avoid a double allocation and memory leak.

Reported by Ben L <bobsayshilol at live dot co dot uk>

Fix last of the empty hash nonsense
ok jsing@

Fix the TLSv1.3 key schedule implementation.

When the RFC refers to ("") for key derivation, it is referring to the
transcript hash of an empty string, not an empty string. Rename
tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD *
and calculate the hash of an empty string so that we have it available
for the "derived" and other steps. Merge tls13_secrets_init() into
the same function, remove the EVP_MD * from other functions and use the
empty string hash at the appropriate places.

ok beck@ tb@

KNF

Move #include <openssl/evp.h> to the header.

discussed with beck and jsing

Add initial TLS 1.3 key schedule support with basic regress tests
ok jsing@ tb@

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@

Correct update of application traffic secrets to use an empty context
rather than the hash of an empty context

ok jsing@

NULL out mdctx to prevent possible double free introduced in version 1.4
Spotted by maestre@, ok tb@

Avoid a double allocation and memory leak.

Reported by Ben L <bobsayshilol at live dot co dot uk>

Fix last of the empty hash nonsense
ok jsing@

Fix the TLSv1.3 key schedule implementation.

When the RFC refers to ("") for key derivation, it is referring to the
transcript hash of an empty string, not an empty string. Rename
tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD *
and calculate the hash of an empty string so that we have it available
for the "derived" and other steps. Merge tls13_secrets_init() into
the same function, remove the EVP_MD * from other functions and use the
empty string hash at the appropriate places.

ok beck@ tb@

KNF

Move #include <openssl/evp.h> to the header.

discussed with beck and jsing

Add initial TLS 1.3 key schedule support with basic regress tests
ok jsing@ tb@

Correct update of application traffic secrets to use an empty context
rather than the hash of an empty context

ok jsing@

NULL out mdctx to prevent possible double free introduced in version 1.4
Spotted by maestre@, ok tb@

Avoid a double allocation and memory leak.

Reported by Ben L <bobsayshilol at live dot co dot uk>

Fix last of the empty hash nonsense
ok jsing@

Fix the TLSv1.3 key schedule implementation.

When the RFC refers to ("") for key derivation, it is referring to the
transcript hash of an empty string, not an empty string. Rename
tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD *
and calculate the hash of an empty string so that we have it available
for the "derived" and other steps. Merge tls13_secrets_init() into
the same function, remove the EVP_MD * from other functions and use the
empty string hash at the appropriate places.

ok beck@ tb@

KNF

Move #include <openssl/evp.h> to the header.

discussed with beck and jsing

Add initial TLS 1.3 key schedule support with basic regress tests
ok jsing@ tb@

NULL out mdctx to prevent possible double free introduced in version 1.4
Spotted by maestre@, ok tb@

Avoid a double allocation and memory leak.

Reported by Ben L <bobsayshilol at live dot co dot uk>

Fix last of the empty hash nonsense
ok jsing@

Fix the TLSv1.3 key schedule implementation.

When the RFC refers to ("") for key derivation, it is referring to the
transcript hash of an empty string, not an empty string. Rename
tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD *
and calculate the hash of an empty string so that we have it available
for the "derived" and other steps. Merge tls13_secrets_init() into
the same function, remove the EVP_MD * from other functions and use the
empty string hash at the appropriate places.

ok beck@ tb@

KNF

Move #include <openssl/evp.h> to the header.

discussed with beck and jsing

Add initial TLS 1.3 key schedule support with basic regress tests
ok jsing@ tb@

Avoid a double allocation and memory leak.

Reported by Ben L <bobsayshilol at live dot co dot uk>

Fix last of the empty hash nonsense
ok jsing@

Fix the TLSv1.3 key schedule implementation.

When the RFC refers to ("") for key derivation, it is referring to the
transcript hash of an empty string, not an empty string. Rename
tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD *
and calculate the hash of an empty string so that we have it available
for the "derived" and other steps. Merge tls13_secrets_init() into
the same function, remove the EVP_MD * from other functions and use the
empty string hash at the appropriate places.

ok beck@ tb@

KNF

Move #include <openssl/evp.h> to the header.

discussed with beck and jsing

Add initial TLS 1.3 key schedule support with basic regress tests
ok jsing@ tb@

KNF

Move #include <openssl/evp.h> to the header.

discussed with beck and jsing

Add initial TLS 1.3 key schedule support with basic regress tests
ok jsing@ tb@