/src/h2o/deps/picotls/lib/picotls.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (c) 2016 DeNA Co., Ltd., Kazuho Oku |
3 | | * |
4 | | * Permission is hereby granted, free of charge, to any person obtaining a copy |
5 | | * of this software and associated documentation files (the "Software"), to |
6 | | * deal in the Software without restriction, including without limitation the |
7 | | * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or |
8 | | * sell copies of the Software, and to permit persons to whom the Software is |
9 | | * furnished to do so, subject to the following conditions: |
10 | | * |
11 | | * The above copyright notice and this permission notice shall be included in |
12 | | * all copies or substantial portions of the Software. |
13 | | * |
14 | | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
15 | | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
16 | | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
17 | | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
18 | | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
19 | | * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS |
20 | | * IN THE SOFTWARE. |
21 | | */ |
22 | | #ifdef _WINDOWS |
23 | | #include "wincompat.h" |
24 | | #endif |
25 | | #include <assert.h> |
26 | | #include <stdarg.h> |
27 | | #include <stddef.h> |
28 | | #include <stdio.h> |
29 | | #include <stdlib.h> |
30 | | #include <string.h> |
31 | | #ifndef _WINDOWS |
32 | | #include <errno.h> |
33 | | #include <pthread.h> |
34 | | #include <unistd.h> |
35 | | #include <arpa/inet.h> |
36 | | #include <sys/time.h> |
37 | | #endif |
38 | | #ifdef __linux__ |
39 | | #include <sys/syscall.h> |
40 | | #endif |
41 | | #include "picotls.h" |
42 | | #if PICOTLS_USE_DTRACE |
43 | | #include "picotls-probes.h" |
44 | | #endif |
45 | | |
46 | 0 | #define PTLS_MAX_PLAINTEXT_RECORD_SIZE 16384 |
47 | 0 | #define PTLS_MAX_ENCRYPTED_RECORD_SIZE (16384 + 256) |
48 | | |
49 | 0 | #define PTLS_RECORD_VERSION_MAJOR 3 |
50 | 0 | #define PTLS_RECORD_VERSION_MINOR 3 |
51 | | |
52 | 0 | #define PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC 20 |
53 | 0 | #define PTLS_CONTENT_TYPE_ALERT 21 |
54 | 0 | #define PTLS_CONTENT_TYPE_HANDSHAKE 22 |
55 | 0 | #define PTLS_CONTENT_TYPE_APPDATA 23 |
56 | | |
57 | 0 | #define PTLS_PSK_KE_MODE_PSK 0 |
58 | 0 | #define PTLS_PSK_KE_MODE_PSK_DHE 1 |
59 | | |
60 | 0 | #define PTLS_HANDSHAKE_HEADER_SIZE 4 |
61 | | |
62 | | #define PTLS_EXTENSION_TYPE_SERVER_NAME 0 |
63 | | #define PTLS_EXTENSION_TYPE_STATUS_REQUEST 5 |
64 | | #define PTLS_EXTENSION_TYPE_SUPPORTED_GROUPS 10 |
65 | | #define PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS 13 |
66 | | #define PTLS_EXTENSION_TYPE_ALPN 16 |
67 | | #define PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE 20 |
68 | | #define PTLS_EXTENSION_TYPE_COMPRESS_CERTIFICATE 27 |
69 | | #define PTLS_EXTENSION_TYPE_PRE_SHARED_KEY 41 |
70 | | #define PTLS_EXTENSION_TYPE_EARLY_DATA 42 |
71 | | #define PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS 43 |
72 | | #define PTLS_EXTENSION_TYPE_COOKIE 44 |
73 | | #define PTLS_EXTENSION_TYPE_PSK_KEY_EXCHANGE_MODES 45 |
74 | | #define PTLS_EXTENSION_TYPE_CERTIFICATE_AUTHORITIES 47 |
75 | | #define PTLS_EXTENSION_TYPE_KEY_SHARE 51 |
76 | | #define PTLS_EXTENSION_TYPE_TICKET_REQUEST 58 |
77 | | #define PTLS_EXTENSION_TYPE_ECH_OUTER_EXTENSIONS 0xfd00 |
78 | | #define PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO 0xfe0d |
79 | | |
80 | | #define PTLS_SERVER_NAME_TYPE_HOSTNAME 0 |
81 | | |
82 | | #define PTLS_ECH_CONFIG_VERSION 0xfe0d |
83 | 0 | #define PTLS_ECH_CLIENT_HELLO_TYPE_OUTER 0 |
84 | 0 | #define PTLS_ECH_CLIENT_HELLO_TYPE_INNER 1 |
85 | | |
86 | 0 | #define PTLS_ECH_CONFIRM_LENGTH 8 |
87 | | |
88 | | static const char ech_info_prefix[8] = "tls ech"; |
89 | | |
90 | 0 | #define PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING "TLS 1.3, server CertificateVerify" |
91 | 0 | #define PTLS_CLIENT_CERTIFICATE_VERIFY_CONTEXT_STRING "TLS 1.3, client CertificateVerify" |
92 | | #define PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE \ |
93 | | (64 + sizeof(PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING) + PTLS_MAX_DIGEST_SIZE * 2) |
94 | | |
95 | 0 | #define PTLS_EARLY_DATA_MAX_DELAY 10000 /* max. RTT (in msec) to permit early data */ |
96 | | |
97 | | #ifndef PTLS_MAX_EARLY_DATA_SKIP_SIZE |
98 | 0 | #define PTLS_MAX_EARLY_DATA_SKIP_SIZE 65536 |
99 | | #endif |
100 | | #if defined(PTLS_DEBUG) && PTLS_DEBUG |
101 | | #define PTLS_DEBUGF(...) fprintf(stderr, __VA_ARGS__) |
102 | | #else |
103 | | #define PTLS_DEBUGF(...) |
104 | | #endif |
105 | | |
106 | | #ifndef PTLS_MEMORY_DEBUG |
107 | 0 | #define PTLS_MEMORY_DEBUG 0 |
108 | | #endif |
109 | | |
110 | | #if PICOTLS_USE_DTRACE |
111 | | #define PTLS_PROBE0(LABEL, tls) \ |
112 | | do { \ |
113 | | if (PTLS_UNLIKELY(PICOTLS_##LABEL##_ENABLED())) \ |
114 | | PICOTLS_##LABEL(tls); \ |
115 | | } while (0) |
116 | | #define PTLS_PROBE(LABEL, tls, ...) \ |
117 | | do { \ |
118 | | if (PTLS_UNLIKELY(PICOTLS_##LABEL##_ENABLED())) \ |
119 | | PICOTLS_##LABEL((tls), __VA_ARGS__); \ |
120 | | } while (0) |
121 | | #else |
122 | | #define PTLS_PROBE0(LABEL, tls) |
123 | | #define PTLS_PROBE(LABEL, tls, ...) |
124 | | #endif |
125 | | |
126 | | /** |
127 | | * list of supported versions in the preferred order |
128 | | */ |
129 | | static const uint16_t supported_versions[] = {PTLS_PROTOCOL_VERSION_TLS13}; |
130 | | |
131 | | static const uint8_t hello_retry_random[PTLS_HELLO_RANDOM_SIZE] = {0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C, |
132 | | 0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, |
133 | | 0x8C, 0x5E, 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C}; |
134 | | |
135 | | struct st_ptls_traffic_protection_t { |
136 | | uint8_t secret[PTLS_MAX_DIGEST_SIZE]; |
137 | | size_t epoch; |
138 | | /* the following fields are not used if the key_change callback is set */ |
139 | | ptls_aead_context_t *aead; |
140 | | uint64_t seq; |
141 | | unsigned tls12 : 1; |
142 | | uint64_t tls12_enc_record_iv; |
143 | | }; |
144 | | |
145 | | struct st_ptls_record_message_emitter_t { |
146 | | ptls_message_emitter_t super; |
147 | | size_t rec_start; |
148 | | }; |
149 | | |
150 | | struct st_ptls_signature_algorithms_t { |
151 | | uint16_t list[16]; /* expand? */ |
152 | | size_t count; |
153 | | }; |
154 | | |
155 | | struct st_ptls_certificate_request_t { |
156 | | /** |
157 | | * context.base becomes non-NULL when a CertificateRequest is pending for processing |
158 | | */ |
159 | | ptls_iovec_t context; |
160 | | struct st_ptls_signature_algorithms_t signature_algorithms; |
161 | | }; |
162 | | |
163 | | struct st_decoded_ech_config_t { |
164 | | uint8_t id; |
165 | | ptls_hpke_kem_t *kem; |
166 | | ptls_iovec_t public_key; |
167 | | ptls_hpke_cipher_suite_t *cipher; |
168 | | uint8_t max_name_length; |
169 | | ptls_iovec_t public_name; |
170 | | ptls_iovec_t bytes; |
171 | | }; |
172 | | |
173 | | /** |
174 | | * Properties for ECH. Iff ECH is used and not rejected, `aead` is non-NULL. |
175 | | */ |
176 | | struct st_ptls_ech_t { |
177 | | uint8_t offered : 1; |
178 | | uint8_t offered_grease : 1; |
179 | | uint8_t accepted : 1; |
180 | | uint8_t config_id; |
181 | | ptls_hpke_kem_t *kem; |
182 | | ptls_hpke_cipher_suite_t *cipher; |
183 | | ptls_aead_context_t *aead; |
184 | | uint8_t inner_client_random[PTLS_HELLO_RANDOM_SIZE]; |
185 | | struct { |
186 | | ptls_iovec_t enc; |
187 | | uint8_t max_name_length; |
188 | | char *public_name; |
189 | | /** |
190 | | * retains a copy of entire ECH extension so that it can be replayed in the 2nd CH when ECH is rejected via HRR |
191 | | */ |
192 | | ptls_iovec_t first_ech; |
193 | | } client; |
194 | | }; |
195 | | |
196 | | struct st_ptls_t { |
197 | | /** |
198 | | * the context |
199 | | */ |
200 | | ptls_context_t *ctx; |
201 | | /** |
202 | | * the state |
203 | | */ |
204 | | enum en_ptls_state_t { |
205 | | PTLS_STATE_CLIENT_HANDSHAKE_START, |
206 | | PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO, |
207 | | PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO, |
208 | | PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS, |
209 | | PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE, |
210 | | PTLS_STATE_CLIENT_EXPECT_CERTIFICATE, |
211 | | PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY, |
212 | | PTLS_STATE_CLIENT_EXPECT_FINISHED, |
213 | | PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO, |
214 | | PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO, |
215 | | PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY, |
216 | | PTLS_STATE_SERVER_EXPECT_CERTIFICATE, |
217 | | PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY, |
218 | | /* ptls_send can be called if the state is below here */ |
219 | | PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA, |
220 | | PTLS_STATE_SERVER_EXPECT_FINISHED, |
221 | | PTLS_STATE_POST_HANDSHAKE_MIN, |
222 | | PTLS_STATE_CLIENT_POST_HANDSHAKE = PTLS_STATE_POST_HANDSHAKE_MIN, |
223 | | PTLS_STATE_SERVER_POST_HANDSHAKE |
224 | | } state; |
225 | | /** |
226 | | * receive buffers |
227 | | */ |
228 | | struct { |
229 | | ptls_buffer_t rec; |
230 | | ptls_buffer_t mess; |
231 | | } recvbuf; |
232 | | /** |
233 | | * key schedule |
234 | | */ |
235 | | ptls_key_schedule_t *key_schedule; |
236 | | /** |
237 | | * values used for record protection |
238 | | */ |
239 | | struct { |
240 | | struct st_ptls_traffic_protection_t dec; |
241 | | struct st_ptls_traffic_protection_t enc; |
242 | | } traffic_protection; |
243 | | /** |
244 | | * server-name passed using SNI |
245 | | */ |
246 | | char *server_name; |
247 | | /** |
248 | | * result of ALPN |
249 | | */ |
250 | | char *negotiated_protocol; |
251 | | /** |
252 | | * selected key-exchange |
253 | | */ |
254 | | ptls_key_exchange_algorithm_t *key_share; |
255 | | /** |
256 | | * selected cipher-suite |
257 | | */ |
258 | | ptls_cipher_suite_t *cipher_suite; |
259 | | /** |
260 | | * ClientHello.random that appears on the wire. When ECH is used, that of inner CH is retained separately. |
261 | | */ |
262 | | uint8_t client_random[PTLS_HELLO_RANDOM_SIZE]; |
263 | | /** |
264 | | * exporter master secret (either 0rtt or 1rtt) |
265 | | */ |
266 | | struct { |
267 | | uint8_t *early; |
268 | | uint8_t *one_rtt; |
269 | | } exporter_master_secret; |
270 | | /** |
271 | | * ECH |
272 | | */ |
273 | | struct st_ptls_ech_t ech; |
274 | | /* flags */ |
275 | | unsigned is_server : 1; |
276 | | unsigned is_psk_handshake : 1; |
277 | | unsigned send_change_cipher_spec : 1; |
278 | | unsigned needs_key_update : 1; |
279 | | unsigned key_update_send_request : 1; |
280 | | #if PTLS_HAVE_LOG |
281 | | /** |
282 | | * see ptls_log |
283 | | */ |
284 | | ptls_log_conn_state_t log_state; |
285 | | #endif |
286 | | struct { |
287 | | uint32_t active_conns; |
288 | | uint32_t generation; |
289 | | } log_sni; |
290 | | /** |
291 | | * misc. |
292 | | */ |
293 | | union { |
294 | | struct { |
295 | | ptls_iovec_t legacy_session_id; |
296 | | uint8_t legacy_session_id_buf[32]; |
297 | | ptls_key_exchange_context_t *key_share_ctx; |
298 | | unsigned offered_psk : 1; |
299 | | /** |
300 | | * if 1-RTT write key is active |
301 | | */ |
302 | | unsigned using_early_data : 1; |
303 | | struct st_ptls_certificate_request_t certificate_request; |
304 | | } client; |
305 | | struct { |
306 | | uint8_t pending_traffic_secret[PTLS_MAX_DIGEST_SIZE]; |
307 | | uint32_t early_data_skipped_bytes; /* if not UINT32_MAX, the server is skipping early data */ |
308 | | uint8_t num_tickets_to_send; |
309 | | ptls_async_job_t *async_job; |
310 | | } server; |
311 | | }; |
312 | | /** |
313 | | * certificate verify; will be used by the client and the server (if require_client_authentication is set) |
314 | | */ |
315 | | struct { |
316 | | int (*cb)(void *verify_ctx, uint16_t algo, ptls_iovec_t data, ptls_iovec_t signature); |
317 | | void *verify_ctx; |
318 | | } certificate_verify; |
319 | | /** |
320 | | * handshake traffic secret to be commisioned (an array of `uint8_t [PTLS_MAX_DIGEST_SIZE]` or NULL) |
321 | | */ |
322 | | uint8_t *pending_handshake_secret; |
323 | | /** |
324 | | * user data |
325 | | */ |
326 | | void *data_ptr; |
327 | | }; |
328 | | |
329 | | struct st_ptls_record_t { |
330 | | uint8_t type; |
331 | | uint16_t version; |
332 | | size_t length; |
333 | | const uint8_t *fragment; |
334 | | }; |
335 | | |
336 | 0 | #define MAX_UNKNOWN_EXTENSIONS 16 |
337 | | #define MAX_CERTIFICATE_TYPES 8 |
338 | | |
339 | | struct st_ptls_client_hello_t { |
340 | | uint16_t legacy_version; |
341 | | const uint8_t *random_bytes; |
342 | | ptls_iovec_t legacy_session_id; |
343 | | struct { |
344 | | const uint8_t *ids; |
345 | | size_t count; |
346 | | } compression_methods; |
347 | | uint16_t selected_version; |
348 | | ptls_iovec_t cipher_suites; |
349 | | ptls_iovec_t negotiated_groups; |
350 | | ptls_iovec_t key_shares; |
351 | | struct st_ptls_signature_algorithms_t signature_algorithms; |
352 | | ptls_iovec_t server_name; |
353 | | struct { |
354 | | ptls_iovec_t list[16]; |
355 | | size_t count; |
356 | | } alpn; |
357 | | struct { |
358 | | uint16_t list[16]; |
359 | | size_t count; |
360 | | } cert_compression_algos; |
361 | | struct { |
362 | | ptls_iovec_t all; |
363 | | ptls_iovec_t tbs; |
364 | | ptls_iovec_t ch1_hash; |
365 | | ptls_iovec_t signature; |
366 | | unsigned sent_key_share : 1; |
367 | | } cookie; |
368 | | struct { |
369 | | uint8_t list[MAX_CERTIFICATE_TYPES]; |
370 | | size_t count; |
371 | | } server_certificate_types; |
372 | | unsigned status_request : 1; |
373 | | struct { |
374 | | uint8_t new_session_count; |
375 | | uint8_t resumption_count; |
376 | | } ticket_request; |
377 | | /** |
378 | | * ECH: payload.base != NULL indicates that the extension was received |
379 | | */ |
380 | | struct { |
381 | | uint8_t type; |
382 | | uint8_t config_id; |
383 | | ptls_hpke_cipher_suite_id_t cipher_suite; |
384 | | ptls_iovec_t enc; |
385 | | ptls_iovec_t payload; |
386 | | } ech; |
387 | | struct { |
388 | | const uint8_t *hash_end; |
389 | | struct { |
390 | | ptls_client_hello_psk_identity_t list[4]; |
391 | | size_t count; |
392 | | } identities; |
393 | | unsigned ke_modes; |
394 | | unsigned early_data_indication : 1; |
395 | | unsigned is_last_extension : 1; |
396 | | } psk; |
397 | | ptls_raw_extension_t unknown_extensions[MAX_UNKNOWN_EXTENSIONS + 1]; |
398 | | size_t first_extension_at; |
399 | | }; |
400 | | |
401 | | struct st_ptls_server_hello_t { |
402 | | uint8_t random_[PTLS_HELLO_RANDOM_SIZE]; |
403 | | ptls_iovec_t legacy_session_id; |
404 | | int is_retry_request; |
405 | | union { |
406 | | ptls_iovec_t peerkey; |
407 | | struct { |
408 | | uint16_t selected_group; |
409 | | ptls_iovec_t cookie; |
410 | | const uint8_t *ech; |
411 | | } retry_request; |
412 | | }; |
413 | | }; |
414 | | |
415 | | struct st_ptls_key_schedule_t { |
416 | | unsigned generation; /* early secret (1), hanshake secret (2), master secret (3) */ |
417 | | uint8_t secret[PTLS_MAX_DIGEST_SIZE]; |
418 | | size_t num_hashes; |
419 | | struct { |
420 | | ptls_hash_algorithm_t *algo; |
421 | | ptls_hash_context_t *ctx, *ctx_outer; |
422 | | } hashes[1]; |
423 | | }; |
424 | | |
425 | | struct st_ptls_extension_decoder_t { |
426 | | uint16_t type; |
427 | | int (*cb)(ptls_t *tls, void *arg, const uint8_t *src, const uint8_t *const end); |
428 | | }; |
429 | | |
430 | | struct st_ptls_extension_bitmap_t { |
431 | | uint64_t bits; |
432 | | }; |
433 | | |
434 | | static const uint8_t zeroes_of_max_digest_size[PTLS_MAX_DIGEST_SIZE] = {0}; |
435 | | |
436 | | static ptls_aead_context_t *new_aead(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, int is_enc, const void *secret, |
437 | | ptls_iovec_t hash_value, const char *label_prefix); |
438 | | static int server_finish_handshake(ptls_t *tls, ptls_message_emitter_t *emitter, int send_cert_verify, |
439 | | struct st_ptls_signature_algorithms_t *signature_algorithms); |
440 | | |
441 | | static int is_supported_version(uint16_t v) |
442 | 0 | { |
443 | 0 | size_t i; |
444 | 0 | for (i = 0; i != PTLS_ELEMENTSOF(supported_versions); ++i) |
445 | 0 | if (supported_versions[i] == v) |
446 | 0 | return 1; |
447 | 0 | return 0; |
448 | 0 | } |
449 | | |
450 | | static int extension_bitmap_testandset(struct st_ptls_extension_bitmap_t *bitmap, int hstype, uint16_t extid) |
451 | 0 | { |
452 | 0 | #define HSTYPE_TO_BIT(hstype) ((uint64_t)1 << ((hstype) + 1)) /* min(hstype) is -1 (PSEUDO_HRR) */ |
453 | 0 | #define DEFINE_BIT(abbrev, hstype) static const uint64_t abbrev = HSTYPE_TO_BIT(PTLS_HANDSHAKE_TYPE_##hstype) |
454 | 0 | #define EXT(candext, allowed_bits) \ |
455 | 0 | do { \ |
456 | 0 | if (PTLS_UNLIKELY(extid == PTLS_EXTENSION_TYPE_##candext)) { \ |
457 | 0 | allowed_hs_bits = allowed_bits; \ |
458 | 0 | goto Found; \ |
459 | 0 | } \ |
460 | 0 | ext_bitmap_mask <<= 1; \ |
461 | 0 | } while (0) |
462 | |
|
463 | 0 | DEFINE_BIT(CH, CLIENT_HELLO); |
464 | 0 | DEFINE_BIT(SH, SERVER_HELLO); |
465 | 0 | DEFINE_BIT(HRR, PSEUDO_HRR); |
466 | 0 | DEFINE_BIT(EE, ENCRYPTED_EXTENSIONS); |
467 | 0 | DEFINE_BIT(CR, CERTIFICATE_REQUEST); |
468 | 0 | DEFINE_BIT(CT, CERTIFICATE); |
469 | 0 | DEFINE_BIT(NST, NEW_SESSION_TICKET); |
470 | |
|
471 | 0 | uint64_t allowed_hs_bits, ext_bitmap_mask = 1; |
472 | | |
473 | | /* clang-format off */ |
474 | | /* RFC 8446 section 4.2: "The table below indicates the messages where a given extension may appear... If an implementation |
475 | | * receives an extension which it recognizes and which is not specified for the message in which it appears, it MUST abort the |
476 | | * handshake with an "illegal_parameter" alert. |
477 | | * |
478 | | * +-------------------------+---------------+ |
479 | | * + Extension | Allowed | |
480 | | * +-------------------------+---------------+ */ |
481 | 0 | EXT( SERVER_NAME , CH + EE ); |
482 | 0 | EXT( STATUS_REQUEST , CH + CR + CT ); |
483 | 0 | EXT( SUPPORTED_GROUPS , CH + EE ); |
484 | 0 | EXT( SIGNATURE_ALGORITHMS , CH + CR ); |
485 | 0 | EXT( ALPN , CH + EE ); |
486 | 0 | EXT( SERVER_CERTIFICATE_TYPE , CH + EE ); |
487 | 0 | EXT( KEY_SHARE , CH + SH + HRR ); |
488 | 0 | EXT( PRE_SHARED_KEY , CH + SH ); |
489 | 0 | EXT( PSK_KEY_EXCHANGE_MODES , CH ); |
490 | 0 | EXT( EARLY_DATA , CH + EE + NST ); |
491 | 0 | EXT( COOKIE , CH + HRR ); |
492 | 0 | EXT( SUPPORTED_VERSIONS , CH + SH + HRR ); |
493 | 0 | EXT( COMPRESS_CERTIFICATE , CH + CR ); /* from RFC 8879 */ |
494 | 0 | EXT( ENCRYPTED_CLIENT_HELLO , CH + HRR + EE ); /* from draft-ietf-tls-esni-15 */ |
495 | 0 | EXT( ECH_OUTER_EXTENSIONS , 0 ); |
496 | | /* +-----------------------------------------+ */ |
497 | | /* clang-format on */ |
498 | | |
499 | 0 | return 1; |
500 | | |
501 | 0 | Found: |
502 | 0 | if ((allowed_hs_bits & HSTYPE_TO_BIT(hstype)) == 0) |
503 | 0 | return 0; |
504 | 0 | if ((bitmap->bits & ext_bitmap_mask) != 0) |
505 | 0 | return 0; |
506 | 0 | bitmap->bits |= ext_bitmap_mask; |
507 | 0 | return 1; |
508 | |
|
509 | 0 | #undef HSTYPE_TO_BIT |
510 | 0 | #undef DEFINE_ABBREV |
511 | 0 | #undef EXT |
512 | 0 | } |
513 | | |
514 | | #ifndef ntoh16 |
515 | | static uint16_t ntoh16(const uint8_t *src) |
516 | 0 | { |
517 | 0 | return (uint16_t)src[0] << 8 | src[1]; |
518 | 0 | } |
519 | | #endif |
520 | | |
521 | | #ifndef ntoh24 |
522 | | static uint32_t ntoh24(const uint8_t *src) |
523 | 0 | { |
524 | 0 | return (uint32_t)src[0] << 16 | (uint32_t)src[1] << 8 | src[2]; |
525 | 0 | } |
526 | | #endif |
527 | | |
528 | | #ifndef ntoh32 |
529 | | static uint32_t ntoh32(const uint8_t *src) |
530 | 0 | { |
531 | 0 | return (uint32_t)src[0] << 24 | (uint32_t)src[1] << 16 | (uint32_t)src[2] << 8 | src[3]; |
532 | 0 | } |
533 | | #endif |
534 | | |
535 | | #ifndef ntoh64 |
536 | | static uint64_t ntoh64(const uint8_t *src) |
537 | 0 | { |
538 | 0 | return (uint64_t)src[0] << 56 | (uint64_t)src[1] << 48 | (uint64_t)src[2] << 40 | (uint64_t)src[3] << 32 | |
539 | 0 | (uint64_t)src[4] << 24 | (uint64_t)src[5] << 16 | (uint64_t)src[6] << 8 | src[7]; |
540 | 0 | } |
541 | | #endif |
542 | | |
543 | | static void encode64(uint8_t *dst, uint64_t v) |
544 | 0 | { |
545 | 0 | for (size_t i = 0; i < 8; ++i) |
546 | 0 | dst[i] = (uint8_t)(v >> (56 - 8 * i)); |
547 | 0 | } |
548 | | |
549 | | static char *duplicate_as_str(const void *src, size_t len) |
550 | 0 | { |
551 | 0 | char *dst; |
552 | |
|
553 | 0 | if ((dst = malloc(len + 1)) == NULL) |
554 | 0 | return NULL; |
555 | 0 | memcpy(dst, src, len); |
556 | 0 | dst[len] = '\0'; |
557 | 0 | return dst; |
558 | 0 | } |
559 | | |
560 | | void ptls_buffer__release_memory(ptls_buffer_t *buf) |
561 | 0 | { |
562 | 0 | ptls_clear_memory(buf->base, buf->off); |
563 | 0 | if (buf->is_allocated) { |
564 | | #ifdef _WINDOWS |
565 | | if (buf->align_bits != 0) { |
566 | | _aligned_free(buf->base); |
567 | | } else { |
568 | | free(buf->base); |
569 | | } |
570 | | #else |
571 | 0 | free(buf->base); |
572 | 0 | #endif |
573 | 0 | } |
574 | 0 | } |
575 | | |
576 | | int ptls_buffer_reserve(ptls_buffer_t *buf, size_t delta) |
577 | 0 | { |
578 | 0 | return ptls_buffer_reserve_aligned(buf, delta, 0); |
579 | 0 | } |
580 | | |
581 | | int ptls_buffer_reserve_aligned(ptls_buffer_t *buf, size_t delta, uint8_t align_bits) |
582 | 0 | { |
583 | 0 | if (buf->base == NULL) |
584 | 0 | return PTLS_ERROR_NO_MEMORY; |
585 | | |
586 | 0 | if (PTLS_MEMORY_DEBUG || buf->capacity < buf->off + delta || |
587 | 0 | (buf->align_bits < align_bits && ((uintptr_t)buf->base & (((uintptr_t)1 << align_bits) - 1)) != 0)) { |
588 | 0 | void *newp; |
589 | 0 | size_t new_capacity = buf->capacity; |
590 | 0 | if (new_capacity < 1024) |
591 | 0 | new_capacity = 1024; |
592 | 0 | while (new_capacity < buf->off + delta) { |
593 | 0 | new_capacity *= 2; |
594 | 0 | } |
595 | 0 | if (align_bits != 0) { |
596 | | #ifdef _WINDOWS |
597 | | if ((newp = _aligned_malloc(new_capacity, (size_t)1 << align_bits)) == NULL) |
598 | | return PTLS_ERROR_NO_MEMORY; |
599 | | #else |
600 | 0 | if (posix_memalign(&newp, 1 << align_bits, new_capacity) != 0) |
601 | 0 | return PTLS_ERROR_NO_MEMORY; |
602 | 0 | #endif |
603 | 0 | } else { |
604 | 0 | if ((newp = malloc(new_capacity)) == NULL) |
605 | 0 | return PTLS_ERROR_NO_MEMORY; |
606 | 0 | } |
607 | 0 | memcpy(newp, buf->base, buf->off); |
608 | 0 | ptls_buffer__release_memory(buf); |
609 | 0 | buf->base = newp; |
610 | 0 | buf->capacity = new_capacity; |
611 | 0 | buf->is_allocated = 1; |
612 | 0 | buf->align_bits = align_bits; |
613 | 0 | } |
614 | | |
615 | 0 | return 0; |
616 | 0 | } |
617 | | |
618 | | int ptls_buffer__do_pushv(ptls_buffer_t *buf, const void *src, size_t len) |
619 | 0 | { |
620 | 0 | int ret; |
621 | |
|
622 | 0 | if (len == 0) |
623 | 0 | return 0; |
624 | 0 | if ((ret = ptls_buffer_reserve(buf, len)) != 0) |
625 | 0 | return ret; |
626 | 0 | memcpy(buf->base + buf->off, src, len); |
627 | 0 | buf->off += len; |
628 | 0 | return 0; |
629 | 0 | } |
630 | | |
631 | | int ptls_buffer__adjust_quic_blocksize(ptls_buffer_t *buf, size_t body_size) |
632 | 0 | { |
633 | 0 | uint8_t sizebuf[PTLS_ENCODE_QUICINT_CAPACITY]; |
634 | 0 | size_t sizelen = ptls_encode_quicint(sizebuf, body_size) - sizebuf; |
635 | | |
636 | | /* adjust amount of space before body_size to `sizelen` bytes */ |
637 | 0 | if (sizelen != 1) { |
638 | 0 | int ret; |
639 | 0 | if ((ret = ptls_buffer_reserve(buf, sizelen - 1)) != 0) |
640 | 0 | return ret; |
641 | 0 | memmove(buf->base + buf->off - body_size - 1 + sizelen, buf->base + buf->off - body_size, body_size); |
642 | 0 | buf->off += sizelen - 1; |
643 | 0 | } |
644 | | |
645 | | /* write the size */ |
646 | 0 | memcpy(buf->base + buf->off - body_size - sizelen, sizebuf, sizelen); |
647 | |
|
648 | 0 | return 0; |
649 | 0 | } |
650 | | |
651 | | int ptls_buffer__adjust_asn1_blocksize(ptls_buffer_t *buf, size_t body_size) |
652 | 0 | { |
653 | 0 | fprintf(stderr, "unimplemented\n"); |
654 | 0 | abort(); |
655 | 0 | } |
656 | | |
657 | | int ptls_buffer_push_asn1_ubigint(ptls_buffer_t *buf, const void *bignum, size_t size) |
658 | 0 | { |
659 | 0 | const uint8_t *p = bignum, *const end = p + size; |
660 | 0 | int ret; |
661 | | |
662 | | /* skip zeroes */ |
663 | 0 | for (; end - p >= 1; ++p) |
664 | 0 | if (*p != 0) |
665 | 0 | break; |
666 | | |
667 | | /* emit */ |
668 | 0 | ptls_buffer_push(buf, 2); |
669 | 0 | ptls_buffer_push_asn1_block(buf, { |
670 | 0 | if (*p >= 0x80) |
671 | 0 | ptls_buffer_push(buf, 0); |
672 | 0 | if (p != end) { |
673 | 0 | ptls_buffer_pushv(buf, p, end - p); |
674 | 0 | } else { |
675 | 0 | ptls_buffer_pushv(buf, "", 1); |
676 | 0 | } |
677 | 0 | }); |
678 | 0 | ret = 0; |
679 | |
|
680 | 0 | Exit: |
681 | 0 | return ret; |
682 | 0 | } |
683 | | |
684 | | #if PTLS_FUZZ_HANDSHAKE |
685 | | |
686 | | static size_t aead_encrypt(struct st_ptls_traffic_protection_t *ctx, void *output, const void *input, size_t inlen, |
687 | | uint8_t content_type) |
688 | | { |
689 | | memcpy(output, input, inlen); |
690 | | memcpy(output + inlen, &content_type, 1); |
691 | | return inlen + 1 + 16; |
692 | | } |
693 | | |
694 | | static int aead_decrypt(struct st_ptls_traffic_protection_t *ctx, void *output, size_t *outlen, const void *input, size_t inlen) |
695 | | { |
696 | | if (inlen < 16) { |
697 | | return PTLS_ALERT_BAD_RECORD_MAC; |
698 | | } |
699 | | memcpy(output, input, inlen - 16); |
700 | | *outlen = inlen - 16; /* removing the 16 bytes of tag */ |
701 | | return 0; |
702 | | } |
703 | | |
704 | | #else |
705 | | |
706 | | static void build_aad(uint8_t aad[5], size_t reclen) |
707 | 0 | { |
708 | 0 | aad[0] = PTLS_CONTENT_TYPE_APPDATA; |
709 | 0 | aad[1] = PTLS_RECORD_VERSION_MAJOR; |
710 | 0 | aad[2] = PTLS_RECORD_VERSION_MINOR; |
711 | 0 | aad[3] = (uint8_t)(reclen >> 8); |
712 | 0 | aad[4] = (uint8_t)reclen; |
713 | 0 | } |
714 | | |
715 | | static size_t aead_encrypt(struct st_ptls_traffic_protection_t *ctx, void *output, const void *input, size_t inlen, |
716 | | uint8_t content_type) |
717 | 0 | { |
718 | 0 | ptls_iovec_t invec[2] = {ptls_iovec_init(input, inlen), ptls_iovec_init(&content_type, 1)}; |
719 | 0 | uint8_t aad[5]; |
720 | |
|
721 | 0 | build_aad(aad, inlen + 1 + ctx->aead->algo->tag_size); |
722 | 0 | ptls_aead_encrypt_v(ctx->aead, output, invec, PTLS_ELEMENTSOF(invec), ctx->seq++, aad, sizeof(aad)); |
723 | |
|
724 | 0 | return inlen + 1 + ctx->aead->algo->tag_size; |
725 | 0 | } |
726 | | |
727 | | static int aead_decrypt(struct st_ptls_traffic_protection_t *ctx, void *output, size_t *outlen, const void *input, size_t inlen) |
728 | 0 | { |
729 | 0 | uint8_t aad[5]; |
730 | |
|
731 | 0 | build_aad(aad, inlen); |
732 | 0 | if ((*outlen = ptls_aead_decrypt(ctx->aead, output, input, inlen, ctx->seq, aad, sizeof(aad))) == SIZE_MAX) |
733 | 0 | return PTLS_ALERT_BAD_RECORD_MAC; |
734 | 0 | ++ctx->seq; |
735 | 0 | return 0; |
736 | 0 | } |
737 | | |
738 | | #endif /* #if PTLS_FUZZ_HANDSHAKE */ |
739 | | |
740 | | static void build_tls12_aad(uint8_t *aad, uint8_t type, uint64_t seq, uint16_t length) |
741 | 0 | { |
742 | 0 | for (size_t i = 0; i < 8; ++i) |
743 | 0 | aad[i] = (uint8_t)(seq >> (56 - i * 8)); |
744 | 0 | aad[8] = type; |
745 | 0 | aad[9] = PTLS_RECORD_VERSION_MAJOR; |
746 | 0 | aad[10] = PTLS_RECORD_VERSION_MINOR; |
747 | 0 | aad[11] = length >> 8; |
748 | 0 | aad[12] = (uint8_t)length; |
749 | 0 | } |
750 | | |
751 | | #define buffer_push_record(buf, type, block) \ |
752 | 0 | do { \ |
753 | 0 | ptls_buffer_push((buf), (type), PTLS_RECORD_VERSION_MAJOR, PTLS_RECORD_VERSION_MINOR); \ |
754 | 0 | ptls_buffer_push_block((buf), 2, block); \ |
755 | 0 | } while (0) |
756 | | |
757 | | static int buffer_push_encrypted_records(ptls_buffer_t *buf, uint8_t type, const uint8_t *src, size_t len, |
758 | | struct st_ptls_traffic_protection_t *enc) |
759 | 0 | { |
760 | 0 | int ret = 0; |
761 | |
|
762 | 0 | while (len != 0) { |
763 | 0 | size_t chunk_size = len; |
764 | 0 | if (chunk_size > PTLS_MAX_PLAINTEXT_RECORD_SIZE) |
765 | 0 | chunk_size = PTLS_MAX_PLAINTEXT_RECORD_SIZE; |
766 | 0 | if (enc->tls12) { |
767 | 0 | buffer_push_record(buf, type, { |
768 | | /* reserve memory */ |
769 | 0 | if ((ret = ptls_buffer_reserve_aligned( |
770 | 0 | buf, enc->aead->algo->tls12.record_iv_size + chunk_size + enc->aead->algo->tag_size, |
771 | 0 | enc->aead->algo->align_bits)) != 0) |
772 | 0 | goto Exit; |
773 | | /* determine nonce, as well as prepending that walue as the record IV (AES-GCM) */ |
774 | 0 | uint64_t nonce; |
775 | 0 | if (enc->aead->algo->tls12.record_iv_size != 0) { |
776 | 0 | assert(enc->aead->algo->tls12.record_iv_size == 8); |
777 | 0 | nonce = enc->tls12_enc_record_iv++; |
778 | 0 | encode64(buf->base + buf->off, nonce); |
779 | 0 | buf->off += 8; |
780 | 0 | } else { |
781 | 0 | nonce = enc->seq; |
782 | 0 | } |
783 | | /* build AAD */ |
784 | 0 | uint8_t aad[PTLS_TLS12_AAD_SIZE]; |
785 | 0 | build_tls12_aad(aad, type, enc->seq, (uint16_t)chunk_size); |
786 | | /* encrypt */ |
787 | 0 | buf->off += ptls_aead_encrypt(enc->aead, buf->base + buf->off, src, chunk_size, nonce, aad, sizeof(aad)); |
788 | 0 | ++enc->seq; |
789 | 0 | }); |
790 | 0 | } else { |
791 | 0 | buffer_push_record(buf, PTLS_CONTENT_TYPE_APPDATA, { |
792 | 0 | if ((ret = ptls_buffer_reserve_aligned(buf, chunk_size + enc->aead->algo->tag_size + 1, |
793 | 0 | enc->aead->algo->align_bits)) != 0) |
794 | 0 | goto Exit; |
795 | 0 | buf->off += aead_encrypt(enc, buf->base + buf->off, src, chunk_size, type); |
796 | 0 | }); |
797 | 0 | } |
798 | 0 | src += chunk_size; |
799 | 0 | len -= chunk_size; |
800 | 0 | } |
801 | | |
802 | 0 | Exit: |
803 | 0 | return ret; |
804 | 0 | } |
805 | | |
806 | | static int buffer_encrypt_record(ptls_buffer_t *buf, size_t rec_start, struct st_ptls_traffic_protection_t *enc) |
807 | 0 | { |
808 | 0 | size_t bodylen = buf->off - rec_start - 5; |
809 | 0 | uint8_t *tmpbuf, type = buf->base[rec_start]; |
810 | 0 | int ret; |
811 | | |
812 | | /* Fast path: do in-place encryption if only one record needs to be emitted. (For simplicity, do not take this path if TLS 1.2 |
813 | | * is used, as this function will be called no more than once per connection, for encrypting an alert.) */ |
814 | 0 | if (!enc->tls12 && bodylen <= PTLS_MAX_PLAINTEXT_RECORD_SIZE) { |
815 | 0 | size_t overhead = 1 + enc->aead->algo->tag_size; |
816 | 0 | if ((ret = ptls_buffer_reserve_aligned(buf, overhead, enc->aead->algo->align_bits)) != 0) |
817 | 0 | return ret; |
818 | 0 | size_t encrypted_len = aead_encrypt(enc, buf->base + rec_start + 5, buf->base + rec_start + 5, bodylen, type); |
819 | 0 | assert(encrypted_len == bodylen + overhead); |
820 | 0 | buf->off += overhead; |
821 | 0 | buf->base[rec_start] = PTLS_CONTENT_TYPE_APPDATA; |
822 | 0 | buf->base[rec_start + 3] = (encrypted_len >> 8) & 0xff; |
823 | 0 | buf->base[rec_start + 4] = encrypted_len & 0xff; |
824 | 0 | return 0; |
825 | 0 | } |
826 | | |
827 | | /* move plaintext to temporary buffer */ |
828 | 0 | if ((tmpbuf = malloc(bodylen)) == NULL) { |
829 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
830 | 0 | goto Exit; |
831 | 0 | } |
832 | 0 | memcpy(tmpbuf, buf->base + rec_start + 5, bodylen); |
833 | 0 | ptls_clear_memory(buf->base + rec_start, bodylen + 5); |
834 | 0 | buf->off = rec_start; |
835 | | |
836 | | /* push encrypted records */ |
837 | 0 | ret = buffer_push_encrypted_records(buf, type, tmpbuf, bodylen, enc); |
838 | |
|
839 | 0 | Exit: |
840 | 0 | if (tmpbuf != NULL) { |
841 | 0 | ptls_clear_memory(tmpbuf, bodylen); |
842 | 0 | free(tmpbuf); |
843 | 0 | } |
844 | 0 | return ret; |
845 | 0 | } |
846 | | |
847 | | static int begin_record_message(ptls_message_emitter_t *_self) |
848 | 0 | { |
849 | 0 | struct st_ptls_record_message_emitter_t *self = (void *)_self; |
850 | 0 | int ret; |
851 | |
|
852 | 0 | self->rec_start = self->super.buf->off; |
853 | 0 | ptls_buffer_push(self->super.buf, PTLS_CONTENT_TYPE_HANDSHAKE, PTLS_RECORD_VERSION_MAJOR, PTLS_RECORD_VERSION_MINOR, 0, 0); |
854 | 0 | ret = 0; |
855 | 0 | Exit: |
856 | 0 | return ret; |
857 | 0 | } |
858 | | |
859 | | static int commit_record_message(ptls_message_emitter_t *_self) |
860 | 0 | { |
861 | 0 | struct st_ptls_record_message_emitter_t *self = (void *)_self; |
862 | 0 | int ret; |
863 | |
|
864 | 0 | if (self->super.enc->aead != NULL) { |
865 | 0 | ret = buffer_encrypt_record(self->super.buf, self->rec_start, self->super.enc); |
866 | 0 | } else { |
867 | | /* TODO allow CH,SH,HRR above 16KB */ |
868 | 0 | size_t sz = self->super.buf->off - self->rec_start - 5; |
869 | 0 | assert(sz <= PTLS_MAX_PLAINTEXT_RECORD_SIZE); |
870 | 0 | self->super.buf->base[self->rec_start + 3] = (uint8_t)(sz >> 8); |
871 | 0 | self->super.buf->base[self->rec_start + 4] = (uint8_t)(sz); |
872 | 0 | ret = 0; |
873 | 0 | } |
874 | | |
875 | 0 | return ret; |
876 | 0 | } |
877 | | |
878 | | #define buffer_push_extension(buf, type, block) \ |
879 | 0 | do { \ |
880 | 0 | ptls_buffer_push16((buf), (type)); \ |
881 | 0 | ptls_buffer_push_block((buf), 2, block); \ |
882 | 0 | } while (0); |
883 | | |
884 | | #define decode_open_extensions(src, end, hstype, exttype, block) \ |
885 | 0 | do { \ |
886 | 0 | struct st_ptls_extension_bitmap_t bitmap = {0}; \ |
887 | 0 | ptls_decode_open_block((src), end, 2, { \ |
888 | 0 | while ((src) != end) { \ |
889 | 0 | if ((ret = ptls_decode16((exttype), &(src), end)) != 0) \ |
890 | 0 | goto Exit; \ |
891 | 0 | if (!extension_bitmap_testandset(&bitmap, (hstype), *(exttype))) { \ |
892 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; \ |
893 | 0 | goto Exit; \ |
894 | 0 | } \ |
895 | 0 | ptls_decode_open_block((src), end, 2, block); \ |
896 | 0 | } \ |
897 | 0 | }); \ |
898 | 0 | } while (0) |
899 | | |
900 | | #define decode_extensions(src, end, hstype, exttype, block) \ |
901 | 0 | do { \ |
902 | 0 | decode_open_extensions((src), end, hstype, exttype, block); \ |
903 | 0 | ptls_decode_assert_block_close((src), end); \ |
904 | 0 | } while (0) |
905 | | |
906 | | int ptls_decode8(uint8_t *value, const uint8_t **src, const uint8_t *end) |
907 | 0 | { |
908 | 0 | if (*src == end) |
909 | 0 | return PTLS_ALERT_DECODE_ERROR; |
910 | 0 | *value = *(*src)++; |
911 | 0 | return 0; |
912 | 0 | } |
913 | | |
914 | | int ptls_decode16(uint16_t *value, const uint8_t **src, const uint8_t *end) |
915 | 0 | { |
916 | 0 | if (end - *src < 2) |
917 | 0 | return PTLS_ALERT_DECODE_ERROR; |
918 | 0 | *value = ntoh16(*src); |
919 | 0 | *src += 2; |
920 | 0 | return 0; |
921 | 0 | } |
922 | | |
923 | | int ptls_decode24(uint32_t *value, const uint8_t **src, const uint8_t *end) |
924 | 0 | { |
925 | 0 | if (end - *src < 3) |
926 | 0 | return PTLS_ALERT_DECODE_ERROR; |
927 | 0 | *value = ((uint32_t)(*src)[0] << 16) | ((uint32_t)(*src)[1] << 8) | (*src)[2]; |
928 | 0 | *src += 3; |
929 | 0 | return 0; |
930 | 0 | } |
931 | | |
932 | | int ptls_decode32(uint32_t *value, const uint8_t **src, const uint8_t *end) |
933 | 0 | { |
934 | 0 | if (end - *src < 4) |
935 | 0 | return PTLS_ALERT_DECODE_ERROR; |
936 | 0 | *value = ntoh32(*src); |
937 | 0 | *src += 4; |
938 | 0 | return 0; |
939 | 0 | } |
940 | | |
941 | | int ptls_decode64(uint64_t *value, const uint8_t **src, const uint8_t *end) |
942 | 0 | { |
943 | 0 | if (end - *src < 8) |
944 | 0 | return PTLS_ALERT_DECODE_ERROR; |
945 | 0 | *value = ntoh64(*src); |
946 | 0 | *src += 8; |
947 | 0 | return 0; |
948 | 0 | } |
949 | | |
950 | | uint64_t ptls_decode_quicint(const uint8_t **src, const uint8_t *end) |
951 | 0 | { |
952 | 0 | if (PTLS_UNLIKELY(*src == end)) |
953 | 0 | return UINT64_MAX; |
954 | | |
955 | 0 | uint8_t b = *(*src)++; |
956 | |
|
957 | 0 | if (PTLS_LIKELY(b <= 0x3f)) |
958 | 0 | return b; |
959 | | |
960 | 0 | uint64_t v = b & 0x3f; |
961 | 0 | unsigned bytes_left = (1 << (b >> 6)) - 1; |
962 | 0 | if (PTLS_UNLIKELY((size_t)(end - *src) < bytes_left)) |
963 | 0 | return UINT64_MAX; |
964 | 0 | do { |
965 | 0 | v = (v << 8) | *(*src)++; |
966 | 0 | } while (--bytes_left != 0); |
967 | 0 | return v; |
968 | 0 | } |
969 | | |
970 | | static void log_secret(ptls_t *tls, const char *type, ptls_iovec_t secret) |
971 | 0 | { |
972 | 0 | char hexbuf[PTLS_MAX_DIGEST_SIZE * 2 + 1]; |
973 | |
|
974 | 0 | PTLS_PROBE(NEW_SECRET, tls, type, ptls_hexdump(hexbuf, secret.base, secret.len)); |
975 | 0 | PTLS_LOG_CONN(new_secret, tls, { PTLS_LOG_ELEMENT_SAFESTR(label, type); }); |
976 | | |
977 | 0 | if (tls->ctx->log_event != NULL) |
978 | 0 | tls->ctx->log_event->cb(tls->ctx->log_event, tls, type, "%s", ptls_hexdump(hexbuf, secret.base, secret.len)); |
979 | 0 | } |
980 | | |
981 | | /** |
982 | | * This function preserves the flags and modes (e.g., `offered`, `accepted`, `cipher`), they can be used afterwards. |
983 | | */ |
984 | | static void clear_ech(struct st_ptls_ech_t *ech, int is_server) |
985 | 0 | { |
986 | 0 | if (ech->aead != NULL) { |
987 | 0 | ptls_aead_free(ech->aead); |
988 | 0 | ech->aead = NULL; |
989 | 0 | } |
990 | 0 | ptls_clear_memory(ech->inner_client_random, PTLS_HELLO_RANDOM_SIZE); |
991 | 0 | if (!is_server) { |
992 | 0 | free(ech->client.enc.base); |
993 | 0 | ech->client.enc = ptls_iovec_init(NULL, 0); |
994 | 0 | if (ech->client.public_name != NULL) { |
995 | 0 | free(ech->client.public_name); |
996 | 0 | ech->client.public_name = NULL; |
997 | 0 | } |
998 | 0 | free(ech->client.first_ech.base); |
999 | 0 | ech->client.first_ech = ptls_iovec_init(NULL, 0); |
1000 | 0 | } |
1001 | 0 | } |
1002 | | |
1003 | | /** |
1004 | | * Decodes one ECHConfigContents (tls-esni-15 section 4). `decoded->kem` and `cipher` may be NULL even when the function returns |
1005 | | * zero, if the corresponding entries are not found. |
1006 | | */ |
1007 | | static int decode_one_ech_config(ptls_hpke_kem_t **kems, ptls_hpke_cipher_suite_t **ciphers, |
1008 | | struct st_decoded_ech_config_t *decoded, const uint8_t **src, const uint8_t *const end) |
1009 | 0 | { |
1010 | 0 | char *public_name_buf = NULL; |
1011 | 0 | int ret; |
1012 | |
|
1013 | 0 | *decoded = (struct st_decoded_ech_config_t){0}; |
1014 | |
|
1015 | 0 | if ((ret = ptls_decode8(&decoded->id, src, end)) != 0) |
1016 | 0 | goto Exit; |
1017 | 0 | uint16_t kem_id; |
1018 | 0 | if ((ret = ptls_decode16(&kem_id, src, end)) != 0) |
1019 | 0 | goto Exit; |
1020 | 0 | for (size_t i = 0; kems[i] != NULL; ++i) { |
1021 | 0 | if (kems[i]->id == kem_id) { |
1022 | 0 | decoded->kem = kems[i]; |
1023 | 0 | break; |
1024 | 0 | } |
1025 | 0 | } |
1026 | 0 | ptls_decode_open_block(*src, end, 2, { |
1027 | 0 | if (*src == end) { |
1028 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
1029 | 0 | goto Exit; |
1030 | 0 | } |
1031 | 0 | decoded->public_key = ptls_iovec_init(*src, end - *src); |
1032 | 0 | *src = end; |
1033 | 0 | }); |
1034 | 0 | ptls_decode_open_block(*src, end, 2, { |
1035 | 0 | do { |
1036 | 0 | uint16_t kdf_id; |
1037 | 0 | uint16_t aead_id; |
1038 | 0 | if ((ret = ptls_decode16(&kdf_id, src, end)) != 0) |
1039 | 0 | goto Exit; |
1040 | 0 | if ((ret = ptls_decode16(&aead_id, src, end)) != 0) |
1041 | 0 | goto Exit; |
1042 | 0 | if (decoded->cipher == NULL) { |
1043 | 0 | for (size_t i = 0; ciphers[i] != NULL; ++i) { |
1044 | 0 | if (ciphers[i]->id.kdf == kdf_id && ciphers[i]->id.aead == aead_id) { |
1045 | 0 | decoded->cipher = ciphers[i]; |
1046 | 0 | break; |
1047 | 0 | } |
1048 | 0 | } |
1049 | 0 | } |
1050 | 0 | } while (*src != end); |
1051 | 0 | }); |
1052 | 0 | if ((ret = ptls_decode8(&decoded->max_name_length, src, end)) != 0) |
1053 | 0 | goto Exit; |
1054 | | |
1055 | 0 | #define SKIP_DECODED() \ |
1056 | 0 | do { \ |
1057 | 0 | decoded->kem = NULL; \ |
1058 | 0 | decoded->cipher = NULL; \ |
1059 | 0 | } while (0) |
1060 | | |
1061 | | /* Decode public_name. The specification requires clients to ignore (upon parsing ESNIConfigList) or reject (upon handshake) |
1062 | | * public names that are not DNS names or IPv4 addresses. We ignore IPv4 and v6 addresses during parsing (IPv6 addresses never |
1063 | | * looks like DNS names), and delegate the responsibility of rejecting non-DNS names to the certificate verify callback. */ |
1064 | 0 | ptls_decode_open_block(*src, end, 1, { |
1065 | 0 | if (*src == end) { |
1066 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
1067 | 0 | goto Exit; |
1068 | 0 | } |
1069 | 0 | if ((public_name_buf = duplicate_as_str(*src, end - *src)) == NULL) { |
1070 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1071 | 0 | goto Exit; |
1072 | 0 | } |
1073 | 0 | if (ptls_server_name_is_ipaddr(public_name_buf)) { |
1074 | 0 | SKIP_DECODED(); |
1075 | 0 | } else { |
1076 | 0 | decoded->public_name = ptls_iovec_init(*src, end - *src); |
1077 | 0 | } |
1078 | 0 | *src = end; |
1079 | 0 | }); |
1080 | | |
1081 | 0 | ptls_decode_block(*src, end, 2, { |
1082 | 0 | while (*src < end) { |
1083 | 0 | uint16_t type; |
1084 | 0 | if ((ret = ptls_decode16(&type, src, end)) != 0) |
1085 | 0 | goto Exit; |
1086 | 0 | ptls_decode_open_block(*src, end, 2, { *src = end; }); |
1087 | | /* if a critital extension is found, indicate that the config cannot be used */ |
1088 | 0 | if ((type & 0x8000) != 0) |
1089 | 0 | SKIP_DECODED(); |
1090 | 0 | } |
1091 | 0 | }); |
1092 | | |
1093 | 0 | #undef SKIP_DECODED |
1094 | | |
1095 | 0 | Exit: |
1096 | 0 | free(public_name_buf); |
1097 | 0 | return ret; |
1098 | 0 | } |
1099 | | |
1100 | | static int client_decode_ech_config_list(ptls_context_t *ctx, struct st_decoded_ech_config_t *decoded, ptls_iovec_t config_list) |
1101 | 0 | { |
1102 | 0 | const uint8_t *src = config_list.base, *const end = src + config_list.len; |
1103 | 0 | int match_found = 0, ret; |
1104 | |
|
1105 | 0 | *decoded = (struct st_decoded_ech_config_t){0}; |
1106 | |
|
1107 | 0 | ptls_decode_block(src, end, 2, { |
1108 | 0 | do { |
1109 | 0 | const uint8_t *config_start = src; |
1110 | 0 | uint16_t version; |
1111 | 0 | if ((ret = ptls_decode16(&version, &src, end)) != 0) |
1112 | 0 | goto Exit; |
1113 | 0 | ptls_decode_open_block(src, end, 2, { |
1114 | | /* If the block is the one that we recognize, parse it, then adopt if if possible. Otherwise, skip. */ |
1115 | 0 | if (version == PTLS_ECH_CONFIG_VERSION) { |
1116 | 0 | struct st_decoded_ech_config_t thisconf; |
1117 | 0 | if ((ret = decode_one_ech_config(ctx->ech.client.kems, ctx->ech.client.ciphers, &thisconf, &src, end)) != 0) |
1118 | 0 | goto Exit; |
1119 | 0 | if (!match_found && thisconf.kem != NULL && thisconf.cipher != NULL) { |
1120 | 0 | *decoded = thisconf; |
1121 | 0 | decoded->bytes = ptls_iovec_init(config_start, end - config_start); |
1122 | 0 | match_found = 1; |
1123 | 0 | } |
1124 | 0 | } else { |
1125 | 0 | src = end; |
1126 | 0 | } |
1127 | 0 | }); |
1128 | 0 | } while (src != end); |
1129 | 0 | }); |
1130 | 0 | ret = 0; |
1131 | |
|
1132 | 0 | Exit: |
1133 | 0 | if (ret != 0) |
1134 | 0 | *decoded = (struct st_decoded_ech_config_t){0}; |
1135 | 0 | return ret; |
1136 | 0 | } |
1137 | | |
1138 | | static int client_setup_ech(struct st_ptls_ech_t *ech, struct st_decoded_ech_config_t *decoded, |
1139 | | void (*random_bytes)(void *, size_t)) |
1140 | 0 | { |
1141 | 0 | ptls_buffer_t infobuf; |
1142 | 0 | uint8_t infobuf_smallbuf[256]; |
1143 | 0 | int ret; |
1144 | | |
1145 | | /* setup `enc` and `aead` by running HPKE */ |
1146 | 0 | ptls_buffer_init(&infobuf, infobuf_smallbuf, sizeof(infobuf_smallbuf)); |
1147 | 0 | ptls_buffer_pushv(&infobuf, ech_info_prefix, sizeof(ech_info_prefix)); |
1148 | 0 | ptls_buffer_pushv(&infobuf, decoded->bytes.base, decoded->bytes.len); |
1149 | 0 | if ((ret = ptls_hpke_setup_base_s(decoded->kem, decoded->cipher, &ech->client.enc, &ech->aead, decoded->public_key, |
1150 | 0 | ptls_iovec_init(infobuf.base, infobuf.off))) != 0) |
1151 | 0 | goto Exit; |
1152 | | |
1153 | | /* setup the rest */ |
1154 | 0 | ech->config_id = decoded->id; |
1155 | 0 | ech->kem = decoded->kem; |
1156 | 0 | ech->cipher = decoded->cipher; |
1157 | 0 | random_bytes(ech->inner_client_random, PTLS_HELLO_RANDOM_SIZE); |
1158 | 0 | ech->client.max_name_length = decoded->max_name_length; |
1159 | 0 | if ((ech->client.public_name = duplicate_as_str(decoded->public_name.base, decoded->public_name.len)) == NULL) { |
1160 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1161 | 0 | goto Exit; |
1162 | 0 | } |
1163 | | |
1164 | 0 | Exit: |
1165 | 0 | if (ret != 0) |
1166 | 0 | clear_ech(ech, 0); |
1167 | 0 | return ret; |
1168 | 0 | } |
1169 | | |
1170 | | static void client_setup_ech_grease(struct st_ptls_ech_t *ech, void (*random_bytes)(void *, size_t), ptls_hpke_kem_t **kems, |
1171 | | ptls_hpke_cipher_suite_t **ciphers, const char *sni_name) |
1172 | 0 | { |
1173 | 0 | static const size_t x25519_key_size = 32; |
1174 | 0 | uint8_t random_secret[PTLS_AES128_KEY_SIZE + PTLS_AES_IV_SIZE]; |
1175 | | |
1176 | | /* pick up X25519, AES-128-GCM or bail out */ |
1177 | 0 | for (size_t i = 0; kems[i] != NULL; ++i) { |
1178 | 0 | if (kems[i]->id == PTLS_HPKE_KEM_X25519_SHA256) { |
1179 | 0 | ech->kem = kems[i]; |
1180 | 0 | break; |
1181 | 0 | } |
1182 | 0 | } |
1183 | 0 | for (size_t i = 0; ciphers[i] != NULL; ++i) { |
1184 | 0 | if (ciphers[i]->id.kdf == PTLS_HPKE_HKDF_SHA256 && ciphers[i]->id.aead == PTLS_HPKE_AEAD_AES_128_GCM) { |
1185 | 0 | ech->cipher = ciphers[i]; |
1186 | 0 | break; |
1187 | 0 | } |
1188 | 0 | } |
1189 | 0 | if (ech->kem == NULL || ech->cipher == NULL) |
1190 | 0 | goto Fail; |
1191 | | |
1192 | | /* aead is generated from random */ |
1193 | 0 | random_bytes(random_secret, sizeof(random_secret)); |
1194 | 0 | ech->aead = ptls_aead_new_direct(ech->cipher->aead, 1, random_secret, random_secret + PTLS_AES128_KEY_SIZE); |
1195 | | |
1196 | | /* `enc` is random bytes */ |
1197 | 0 | if ((ech->client.enc.base = malloc(x25519_key_size)) == NULL) |
1198 | 0 | goto Fail; |
1199 | 0 | ech->client.enc.len = x25519_key_size; |
1200 | 0 | random_bytes(ech->client.enc.base, ech->client.enc.len); |
1201 | | |
1202 | | /* setup the rest (inner_client_random is left zeros) */ |
1203 | 0 | random_bytes(&ech->config_id, sizeof(ech->config_id)); |
1204 | 0 | ech->client.max_name_length = 64; |
1205 | 0 | if ((ech->client.public_name = duplicate_as_str(sni_name, strlen(sni_name))) == NULL) |
1206 | 0 | goto Fail; |
1207 | | |
1208 | 0 | return; |
1209 | | |
1210 | 0 | Fail: |
1211 | 0 | clear_ech(ech, 0); |
1212 | 0 | } |
1213 | | |
1214 | 0 | #define ECH_CONFIRMATION_SERVER_HELLO "ech accept confirmation" |
1215 | 0 | #define ECH_CONFIRMATION_HRR "hrr ech accept confirmation" |
1216 | | static int ech_calc_confirmation(ptls_key_schedule_t *sched, void *dst, const uint8_t *inner_random, const char *label, |
1217 | | ptls_iovec_t message) |
1218 | 0 | { |
1219 | 0 | ptls_hash_context_t *hash = NULL; |
1220 | 0 | uint8_t secret[PTLS_MAX_DIGEST_SIZE], transcript_hash[PTLS_MAX_DIGEST_SIZE]; |
1221 | 0 | int ret; |
1222 | | |
1223 | | /* calc transcript hash using the modified ServerHello / HRR */ |
1224 | 0 | if ((hash = sched->hashes[0].ctx->clone_(sched->hashes[0].ctx)) == NULL) { |
1225 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1226 | 0 | goto Exit; |
1227 | 0 | } |
1228 | 0 | hash->update(hash, message.base, message.len); |
1229 | 0 | hash->final(hash, transcript_hash, PTLS_HASH_FINAL_MODE_FREE); |
1230 | 0 | hash = NULL; |
1231 | | |
1232 | | /* HKDF extract and expand */ |
1233 | 0 | if ((ret = ptls_hkdf_extract(sched->hashes[0].algo, secret, ptls_iovec_init(NULL, 0), |
1234 | 0 | ptls_iovec_init(inner_random, PTLS_HELLO_RANDOM_SIZE))) != 0) |
1235 | 0 | goto Exit; |
1236 | 0 | if ((ret = ptls_hkdf_expand_label(sched->hashes[0].algo, dst, 8, ptls_iovec_init(secret, sched->hashes[0].algo->digest_size), |
1237 | 0 | label, ptls_iovec_init(transcript_hash, sched->hashes[0].algo->digest_size), NULL)) != 0) |
1238 | 0 | goto Exit; |
1239 | | |
1240 | 0 | Exit: |
1241 | 0 | ptls_clear_memory(secret, sizeof(secret)); |
1242 | 0 | ptls_clear_memory(transcript_hash, sizeof(transcript_hash)); |
1243 | 0 | if (hash != NULL) |
1244 | 0 | hash->final(hash, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1245 | 0 | return ret; |
1246 | 0 | } |
1247 | | |
1248 | | static void key_schedule_free(ptls_key_schedule_t *sched) |
1249 | 0 | { |
1250 | 0 | size_t i; |
1251 | 0 | ptls_clear_memory(sched->secret, sizeof(sched->secret)); |
1252 | 0 | for (i = 0; i != sched->num_hashes; ++i) { |
1253 | 0 | sched->hashes[i].ctx->final(sched->hashes[i].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1254 | 0 | if (sched->hashes[i].ctx_outer != NULL) |
1255 | 0 | sched->hashes[i].ctx_outer->final(sched->hashes[i].ctx_outer, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1256 | 0 | } |
1257 | 0 | free(sched); |
1258 | 0 | } |
1259 | | |
1260 | | static ptls_key_schedule_t *key_schedule_new(ptls_cipher_suite_t *preferred, ptls_cipher_suite_t **offered, int use_outer) |
1261 | 0 | { |
1262 | 0 | #define FOREACH_HASH(block) \ |
1263 | 0 | do { \ |
1264 | 0 | ptls_cipher_suite_t *cs; \ |
1265 | 0 | if ((cs = preferred) != NULL) { \ |
1266 | 0 | block \ |
1267 | 0 | } \ |
1268 | 0 | if (offered != NULL) { \ |
1269 | 0 | size_t i, j; \ |
1270 | 0 | for (i = 0; (cs = offered[i]) != NULL; ++i) { \ |
1271 | 0 | if (preferred == NULL || cs->hash != preferred->hash) { \ |
1272 | 0 | for (j = 0; j != i; ++j) \ |
1273 | 0 | if (cs->hash == offered[j]->hash) \ |
1274 | 0 | break; \ |
1275 | 0 | if (j == i) { \ |
1276 | 0 | block \ |
1277 | 0 | } \ |
1278 | 0 | } \ |
1279 | 0 | } \ |
1280 | 0 | } \ |
1281 | 0 | } while (0) |
1282 | |
|
1283 | 0 | ptls_key_schedule_t *sched; |
1284 | |
|
1285 | 0 | { /* allocate */ |
1286 | 0 | size_t num_hashes = 0; |
1287 | 0 | FOREACH_HASH({ ++num_hashes; }); |
1288 | 0 | if ((sched = malloc(offsetof(ptls_key_schedule_t, hashes) + sizeof(sched->hashes[0]) * num_hashes)) == NULL) |
1289 | 0 | return NULL; |
1290 | 0 | *sched = (ptls_key_schedule_t){0}; |
1291 | 0 | } |
1292 | | |
1293 | | /* setup the hash algos and contexts */ |
1294 | 0 | FOREACH_HASH({ |
1295 | 0 | sched->hashes[sched->num_hashes].algo = cs->hash; |
1296 | 0 | if ((sched->hashes[sched->num_hashes].ctx = cs->hash->create()) == NULL) |
1297 | 0 | goto Fail; |
1298 | 0 | if (use_outer) { |
1299 | 0 | if ((sched->hashes[sched->num_hashes].ctx_outer = cs->hash->create()) == NULL) |
1300 | 0 | goto Fail; |
1301 | 0 | } else { |
1302 | 0 | sched->hashes[sched->num_hashes].ctx_outer = NULL; |
1303 | 0 | } |
1304 | 0 | ++sched->num_hashes; |
1305 | 0 | }); |
1306 | | |
1307 | 0 | return sched; |
1308 | 0 | Fail: |
1309 | 0 | key_schedule_free(sched); |
1310 | 0 | return NULL; |
1311 | |
|
1312 | 0 | #undef FOREACH_HASH |
1313 | 0 | } |
1314 | | |
1315 | | static int key_schedule_extract(ptls_key_schedule_t *sched, ptls_iovec_t ikm) |
1316 | 0 | { |
1317 | 0 | int ret; |
1318 | |
|
1319 | 0 | if (ikm.base == NULL) |
1320 | 0 | ikm = ptls_iovec_init(zeroes_of_max_digest_size, sched->hashes[0].algo->digest_size); |
1321 | |
|
1322 | 0 | if (sched->generation != 0 && |
1323 | 0 | (ret = ptls_hkdf_expand_label(sched->hashes[0].algo, sched->secret, sched->hashes[0].algo->digest_size, |
1324 | 0 | ptls_iovec_init(sched->secret, sched->hashes[0].algo->digest_size), "derived", |
1325 | 0 | ptls_iovec_init(sched->hashes[0].algo->empty_digest, sched->hashes[0].algo->digest_size), |
1326 | 0 | NULL)) != 0) |
1327 | 0 | return ret; |
1328 | | |
1329 | 0 | ++sched->generation; |
1330 | 0 | ret = ptls_hkdf_extract(sched->hashes[0].algo, sched->secret, |
1331 | 0 | ptls_iovec_init(sched->secret, sched->hashes[0].algo->digest_size), ikm); |
1332 | 0 | PTLS_DEBUGF("%s: %u, %02x%02x\n", __FUNCTION__, sched->generation, (int)sched->secret[0], (int)sched->secret[1]); |
1333 | 0 | return ret; |
1334 | 0 | } |
1335 | | |
1336 | | static int key_schedule_select_cipher(ptls_key_schedule_t *sched, ptls_cipher_suite_t *cs, int reset, ptls_iovec_t reset_ikm) |
1337 | 0 | { |
1338 | 0 | size_t found_slot = SIZE_MAX, i; |
1339 | 0 | int ret; |
1340 | |
|
1341 | 0 | assert(sched->generation == 1); |
1342 | | |
1343 | | /* find the one, while freeing others */ |
1344 | 0 | for (i = 0; i != sched->num_hashes; ++i) { |
1345 | 0 | if (sched->hashes[i].algo == cs->hash) { |
1346 | 0 | assert(found_slot == SIZE_MAX); |
1347 | 0 | found_slot = i; |
1348 | 0 | } else { |
1349 | 0 | sched->hashes[i].ctx->final(sched->hashes[i].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1350 | 0 | if (sched->hashes[i].ctx_outer != NULL) |
1351 | 0 | sched->hashes[i].ctx_outer->final(sched->hashes[i].ctx_outer, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1352 | 0 | } |
1353 | 0 | } |
1354 | 0 | if (found_slot != 0) { |
1355 | 0 | sched->hashes[0] = sched->hashes[found_slot]; |
1356 | 0 | reset = 1; |
1357 | 0 | } |
1358 | 0 | sched->num_hashes = 1; |
1359 | | |
1360 | | /* recalculate the hash if a different hash as been selected than the one we used for calculating the early secrets */ |
1361 | 0 | if (reset) { |
1362 | 0 | --sched->generation; |
1363 | 0 | memset(sched->secret, 0, sizeof(sched->secret)); |
1364 | 0 | if ((ret = key_schedule_extract(sched, reset_ikm)) != 0) |
1365 | 0 | goto Exit; |
1366 | 0 | } |
1367 | | |
1368 | 0 | ret = 0; |
1369 | 0 | Exit: |
1370 | 0 | return ret; |
1371 | 0 | } |
1372 | | |
1373 | | static void key_schedule_select_outer(ptls_key_schedule_t *sched) |
1374 | 0 | { |
1375 | | /* This function is called when receiving a cleartext message (Server Hello), after the cipher-suite is determined (and hence |
1376 | | * the hash also), if ECH was offered */ |
1377 | 0 | assert(sched->generation == 1); |
1378 | 0 | assert(sched->num_hashes == 1); |
1379 | 0 | assert(sched->hashes[0].ctx_outer != NULL); |
1380 | | |
1381 | 0 | sched->hashes[0].ctx->final(sched->hashes[0].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1382 | 0 | sched->hashes[0].ctx = sched->hashes[0].ctx_outer; |
1383 | 0 | sched->hashes[0].ctx_outer = NULL; |
1384 | 0 | } |
1385 | | |
1386 | | void ptls__key_schedule_update_hash(ptls_key_schedule_t *sched, const uint8_t *msg, size_t msglen, int use_outer) |
1387 | 0 | { |
1388 | 0 | size_t i; |
1389 | |
|
1390 | 0 | PTLS_DEBUGF("%s:%p:len=%zu\n", __FUNCTION__, sched, msglen); |
1391 | 0 | for (i = 0; i != sched->num_hashes; ++i) { |
1392 | 0 | ptls_hash_context_t *ctx = use_outer ? sched->hashes[i].ctx_outer : sched->hashes[i].ctx; |
1393 | 0 | ctx->update(ctx, msg, msglen); |
1394 | | #if defined(PTLS_DEBUG) && PTLS_DEBUG |
1395 | | { |
1396 | | uint8_t digest[PTLS_MAX_DIGEST_SIZE]; |
1397 | | ctx->final(ctx, digest, PTLS_HASH_FINAL_MODE_SNAPSHOT); |
1398 | | PTLS_DEBUGF(" %zu: %02x%02x%02x%02x\n", i, digest[0], digest[1], digest[2], digest[3]); |
1399 | | } |
1400 | | #endif |
1401 | 0 | } |
1402 | 0 | } |
1403 | | |
1404 | | static void key_schedule_update_ch1hash_prefix(ptls_key_schedule_t *sched) |
1405 | 0 | { |
1406 | 0 | uint8_t prefix[4] = {PTLS_HANDSHAKE_TYPE_MESSAGE_HASH, 0, 0, (uint8_t)sched->hashes[0].algo->digest_size}; |
1407 | 0 | ptls__key_schedule_update_hash(sched, prefix, sizeof(prefix), 0); |
1408 | 0 | } |
1409 | | |
1410 | | static void key_schedule_extract_ch1hash(ptls_key_schedule_t *sched, uint8_t *hash) |
1411 | 0 | { |
1412 | 0 | assert(sched->hashes[0].ctx_outer == NULL); |
1413 | 0 | sched->hashes[0].ctx->final(sched->hashes[0].ctx, hash, PTLS_HASH_FINAL_MODE_RESET); |
1414 | 0 | } |
1415 | | |
1416 | | static void key_schedule_transform_post_ch1hash(ptls_key_schedule_t *sched) |
1417 | 0 | { |
1418 | 0 | size_t digest_size = sched->hashes[0].algo->digest_size; |
1419 | 0 | ptls_hash_context_t *hashes[3] = {sched->hashes[0].ctx, sched->hashes[0].ctx_outer, NULL}; |
1420 | 0 | uint8_t ch1hash[PTLS_MAX_DIGEST_SIZE]; |
1421 | 0 | uint8_t prefix[4] = {PTLS_HANDSHAKE_TYPE_MESSAGE_HASH, 0, 0, (uint8_t)digest_size}; |
1422 | |
|
1423 | 0 | for (size_t i = 0; hashes[i] != NULL; ++i) { |
1424 | 0 | hashes[i]->final(hashes[i], ch1hash, PTLS_HASH_FINAL_MODE_RESET); |
1425 | 0 | hashes[i]->update(hashes[i], prefix, sizeof(prefix)); |
1426 | 0 | hashes[i]->update(hashes[i], ch1hash, digest_size); |
1427 | 0 | } |
1428 | |
|
1429 | 0 | ptls_clear_memory(ch1hash, sizeof(ch1hash)); |
1430 | 0 | } |
1431 | | |
1432 | | static int derive_secret_with_hash(ptls_key_schedule_t *sched, void *secret, const char *label, const uint8_t *hash) |
1433 | 0 | { |
1434 | 0 | int ret = ptls_hkdf_expand_label(sched->hashes[0].algo, secret, sched->hashes[0].algo->digest_size, |
1435 | 0 | ptls_iovec_init(sched->secret, sched->hashes[0].algo->digest_size), label, |
1436 | 0 | ptls_iovec_init(hash, sched->hashes[0].algo->digest_size), NULL); |
1437 | 0 | PTLS_DEBUGF("%s: (label=%s, hash=%02x%02x) => %02x%02x\n", __FUNCTION__, label, hash[0], hash[1], ((uint8_t *)secret)[0], |
1438 | 0 | ((uint8_t *)secret)[1]); |
1439 | 0 | return ret; |
1440 | 0 | } |
1441 | | |
1442 | | static int derive_secret(ptls_key_schedule_t *sched, void *secret, const char *label) |
1443 | 0 | { |
1444 | 0 | uint8_t hash_value[PTLS_MAX_DIGEST_SIZE]; |
1445 | |
|
1446 | 0 | sched->hashes[0].ctx->final(sched->hashes[0].ctx, hash_value, PTLS_HASH_FINAL_MODE_SNAPSHOT); |
1447 | 0 | int ret = derive_secret_with_hash(sched, secret, label, hash_value); |
1448 | 0 | ptls_clear_memory(hash_value, sizeof(hash_value)); |
1449 | 0 | return ret; |
1450 | 0 | } |
1451 | | |
1452 | | static int derive_secret_with_empty_digest(ptls_key_schedule_t *sched, void *secret, const char *label) |
1453 | 0 | { |
1454 | 0 | return derive_secret_with_hash(sched, secret, label, sched->hashes[0].algo->empty_digest); |
1455 | 0 | } |
1456 | | |
1457 | | static int derive_exporter_secret(ptls_t *tls, int is_early) |
1458 | 0 | { |
1459 | 0 | int ret; |
1460 | |
|
1461 | 0 | if (!tls->ctx->use_exporter) |
1462 | 0 | return 0; |
1463 | | |
1464 | 0 | uint8_t **slot = is_early ? &tls->exporter_master_secret.early : &tls->exporter_master_secret.one_rtt; |
1465 | 0 | assert(*slot == NULL); |
1466 | 0 | if ((*slot = malloc(tls->key_schedule->hashes[0].algo->digest_size)) == NULL) |
1467 | 0 | return PTLS_ERROR_NO_MEMORY; |
1468 | | |
1469 | 0 | if ((ret = derive_secret(tls->key_schedule, *slot, is_early ? "e exp master" : "exp master")) != 0) |
1470 | 0 | return ret; |
1471 | | |
1472 | 0 | log_secret(tls, is_early ? "EARLY_EXPORTER_SECRET" : "EXPORTER_SECRET", |
1473 | 0 | ptls_iovec_init(*slot, tls->key_schedule->hashes[0].algo->digest_size)); |
1474 | |
|
1475 | 0 | return 0; |
1476 | 0 | } |
1477 | | |
1478 | | static void free_exporter_master_secret(ptls_t *tls, int is_early) |
1479 | 0 | { |
1480 | 0 | uint8_t *slot = is_early ? tls->exporter_master_secret.early : tls->exporter_master_secret.one_rtt; |
1481 | 0 | if (slot == NULL) |
1482 | 0 | return; |
1483 | 0 | assert(tls->key_schedule != NULL); |
1484 | 0 | ptls_clear_memory(slot, tls->key_schedule->hashes[0].algo->digest_size); |
1485 | 0 | free(slot); |
1486 | 0 | } |
1487 | | |
1488 | | static int derive_resumption_secret(ptls_key_schedule_t *sched, uint8_t *secret, ptls_iovec_t nonce) |
1489 | 0 | { |
1490 | 0 | int ret; |
1491 | |
|
1492 | 0 | if ((ret = derive_secret(sched, secret, "res master")) != 0) |
1493 | 0 | goto Exit; |
1494 | 0 | if ((ret = ptls_hkdf_expand_label(sched->hashes[0].algo, secret, sched->hashes[0].algo->digest_size, |
1495 | 0 | ptls_iovec_init(secret, sched->hashes[0].algo->digest_size), "resumption", nonce, NULL)) != 0) |
1496 | 0 | goto Exit; |
1497 | | |
1498 | 0 | Exit: |
1499 | 0 | if (ret != 0) |
1500 | 0 | ptls_clear_memory(secret, sched->hashes[0].algo->digest_size); |
1501 | 0 | return ret; |
1502 | 0 | } |
1503 | | |
1504 | | static int decode_new_session_ticket(ptls_t *tls, uint32_t *lifetime, uint32_t *age_add, ptls_iovec_t *nonce, ptls_iovec_t *ticket, |
1505 | | uint32_t *max_early_data_size, const uint8_t *src, const uint8_t *const end) |
1506 | 0 | { |
1507 | 0 | uint16_t exttype; |
1508 | 0 | int ret; |
1509 | |
|
1510 | 0 | if ((ret = ptls_decode32(lifetime, &src, end)) != 0) |
1511 | 0 | goto Exit; |
1512 | 0 | if ((ret = ptls_decode32(age_add, &src, end)) != 0) |
1513 | 0 | goto Exit; |
1514 | 0 | ptls_decode_open_block(src, end, 1, { |
1515 | 0 | *nonce = ptls_iovec_init(src, end - src); |
1516 | 0 | src = end; |
1517 | 0 | }); |
1518 | 0 | ptls_decode_open_block(src, end, 2, { |
1519 | 0 | if (src == end) { |
1520 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
1521 | 0 | goto Exit; |
1522 | 0 | } |
1523 | 0 | *ticket = ptls_iovec_init(src, end - src); |
1524 | 0 | src = end; |
1525 | 0 | }); |
1526 | | |
1527 | 0 | *max_early_data_size = 0; |
1528 | 0 | decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET, &exttype, { |
1529 | 0 | if (tls->ctx->on_extension != NULL && |
1530 | 0 | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET, exttype, |
1531 | 0 | ptls_iovec_init(src, end - src)) != 0)) |
1532 | 0 | goto Exit; |
1533 | 0 | switch (exttype) { |
1534 | 0 | case PTLS_EXTENSION_TYPE_EARLY_DATA: |
1535 | 0 | if ((ret = ptls_decode32(max_early_data_size, &src, end)) != 0) |
1536 | 0 | goto Exit; |
1537 | 0 | break; |
1538 | 0 | default: |
1539 | 0 | src = end; |
1540 | 0 | break; |
1541 | 0 | } |
1542 | 0 | }); |
1543 | | |
1544 | 0 | ret = 0; |
1545 | 0 | Exit: |
1546 | 0 | return ret; |
1547 | 0 | } |
1548 | | |
1549 | | static int decode_stored_session_ticket(ptls_t *tls, ptls_key_exchange_algorithm_t **key_share, ptls_cipher_suite_t **cs, |
1550 | | ptls_iovec_t *secret, uint32_t *obfuscated_ticket_age, ptls_iovec_t *ticket, |
1551 | | uint32_t *max_early_data_size, const uint8_t *src, const uint8_t *const end) |
1552 | 0 | { |
1553 | 0 | uint16_t kxid, csid; |
1554 | 0 | uint32_t lifetime, age_add; |
1555 | 0 | uint64_t obtained_at, now; |
1556 | 0 | ptls_iovec_t nonce; |
1557 | 0 | int ret; |
1558 | | |
1559 | | /* decode */ |
1560 | 0 | if ((ret = ptls_decode64(&obtained_at, &src, end)) != 0) |
1561 | 0 | goto Exit; |
1562 | 0 | if ((ret = ptls_decode16(&kxid, &src, end)) != 0) |
1563 | 0 | goto Exit; |
1564 | 0 | if ((ret = ptls_decode16(&csid, &src, end)) != 0) |
1565 | 0 | goto Exit; |
1566 | 0 | ptls_decode_open_block(src, end, 3, { |
1567 | 0 | if ((ret = decode_new_session_ticket(tls, &lifetime, &age_add, &nonce, ticket, max_early_data_size, src, end)) != 0) |
1568 | 0 | goto Exit; |
1569 | 0 | src = end; |
1570 | 0 | }); |
1571 | 0 | ptls_decode_block(src, end, 2, { |
1572 | 0 | *secret = ptls_iovec_init(src, end - src); |
1573 | 0 | src = end; |
1574 | 0 | }); |
1575 | | |
1576 | 0 | { /* determine the key-exchange */ |
1577 | 0 | ptls_key_exchange_algorithm_t **cand; |
1578 | 0 | for (cand = tls->ctx->key_exchanges; *cand != NULL; ++cand) |
1579 | 0 | if ((*cand)->id == kxid) |
1580 | 0 | break; |
1581 | 0 | if (*cand == NULL) { |
1582 | 0 | ret = PTLS_ERROR_LIBRARY; |
1583 | 0 | goto Exit; |
1584 | 0 | } |
1585 | 0 | *key_share = *cand; |
1586 | 0 | } |
1587 | | |
1588 | 0 | { /* determine the cipher-suite */ |
1589 | 0 | ptls_cipher_suite_t **cand; |
1590 | 0 | for (cand = tls->ctx->cipher_suites; *cand != NULL; ++cand) |
1591 | 0 | if ((*cand)->id == csid) |
1592 | 0 | break; |
1593 | 0 | if (*cand == NULL) { |
1594 | 0 | ret = PTLS_ERROR_LIBRARY; |
1595 | 0 | goto Exit; |
1596 | 0 | } |
1597 | 0 | *cs = *cand; |
1598 | 0 | } |
1599 | | |
1600 | | /* calculate obfuscated_ticket_age */ |
1601 | 0 | now = tls->ctx->get_time->cb(tls->ctx->get_time); |
1602 | 0 | if (!(obtained_at <= now && now - obtained_at < 7 * 86400 * 1000)) { |
1603 | 0 | ret = PTLS_ERROR_LIBRARY; |
1604 | 0 | goto Exit; |
1605 | 0 | } |
1606 | 0 | *obfuscated_ticket_age = (uint32_t)(now - obtained_at) + age_add; |
1607 | |
|
1608 | 0 | ret = 0; |
1609 | 0 | Exit: |
1610 | 0 | return ret; |
1611 | 0 | } |
1612 | | |
1613 | | static int get_traffic_key(ptls_hash_algorithm_t *algo, void *key, size_t key_size, int is_iv, const void *secret, |
1614 | | ptls_iovec_t hash_value, const char *label_prefix) |
1615 | 0 | { |
1616 | 0 | return ptls_hkdf_expand_label(algo, key, key_size, ptls_iovec_init(secret, algo->digest_size), is_iv ? "iv" : "key", hash_value, |
1617 | 0 | label_prefix); |
1618 | 0 | } |
1619 | | |
1620 | | static int get_traffic_keys(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, void *key, void *iv, const void *secret, |
1621 | | ptls_iovec_t hash_value, const char *label_prefix) |
1622 | 0 | { |
1623 | 0 | int ret; |
1624 | |
|
1625 | 0 | if ((ret = get_traffic_key(hash, key, aead->key_size, 0, secret, hash_value, label_prefix)) != 0 || |
1626 | 0 | (ret = get_traffic_key(hash, iv, aead->iv_size, 1, secret, hash_value, label_prefix)) != 0) { |
1627 | 0 | ptls_clear_memory(key, aead->key_size); |
1628 | 0 | ptls_clear_memory(iv, aead->iv_size); |
1629 | 0 | } |
1630 | |
|
1631 | 0 | return ret; |
1632 | 0 | } |
1633 | | |
1634 | | static int setup_traffic_protection(ptls_t *tls, int is_enc, const char *secret_label, size_t epoch, uint64_t seq, int skip_notify) |
1635 | 0 | { |
1636 | 0 | static const char *log_labels[2][4] = { |
1637 | 0 | {NULL, "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0"}, |
1638 | 0 | {NULL, NULL, "SERVER_HANDSHAKE_TRAFFIC_SECRET", "SERVER_TRAFFIC_SECRET_0"}}; |
1639 | 0 | struct st_ptls_traffic_protection_t *ctx = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
1640 | |
|
1641 | 0 | if (secret_label != NULL) { |
1642 | 0 | int ret; |
1643 | 0 | if ((ret = derive_secret(tls->key_schedule, ctx->secret, secret_label)) != 0) |
1644 | 0 | return ret; |
1645 | 0 | } |
1646 | | |
1647 | 0 | ctx->epoch = epoch; |
1648 | |
|
1649 | 0 | log_secret(tls, log_labels[ptls_is_server(tls) == is_enc][epoch], |
1650 | 0 | ptls_iovec_init(ctx->secret, tls->key_schedule->hashes[0].algo->digest_size)); |
1651 | | |
1652 | | /* special path for applications having their own record layer */ |
1653 | 0 | if (tls->ctx->update_traffic_key != NULL) { |
1654 | 0 | if (skip_notify) |
1655 | 0 | return 0; |
1656 | 0 | return tls->ctx->update_traffic_key->cb(tls->ctx->update_traffic_key, tls, is_enc, epoch, ctx->secret); |
1657 | 0 | } |
1658 | | |
1659 | 0 | if (ctx->aead != NULL) |
1660 | 0 | ptls_aead_free(ctx->aead); |
1661 | 0 | if ((ctx->aead = ptls_aead_new(tls->cipher_suite->aead, tls->cipher_suite->hash, is_enc, ctx->secret, |
1662 | 0 | tls->ctx->hkdf_label_prefix__obsolete)) == NULL) |
1663 | 0 | return PTLS_ERROR_NO_MEMORY; /* TODO obtain error from ptls_aead_new */ |
1664 | 0 | ctx->seq = seq; |
1665 | |
|
1666 | | #if defined(PTLS_DEBUG) && PTLS_DEBUG |
1667 | | { |
1668 | | uint8_t static_iv[PTLS_MAX_IV_SIZE]; |
1669 | | ptls_aead_get_iv(ctx->aead, static_iv); |
1670 | | PTLS_DEBUGF("[%s] %02x%02x,%02x%02x\n", log_labels[ptls_is_server(tls)][epoch], (unsigned)ctx->secret[0], |
1671 | | (unsigned)ctx->secret[1], static_iv[0], static_iv[1]); |
1672 | | } |
1673 | | #endif |
1674 | |
|
1675 | 0 | return 0; |
1676 | 0 | } |
1677 | | |
1678 | | static int commission_handshake_secret(ptls_t *tls) |
1679 | 0 | { |
1680 | 0 | int is_enc = !ptls_is_server(tls); |
1681 | |
|
1682 | 0 | assert(tls->pending_handshake_secret != NULL); |
1683 | 0 | memcpy((is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec)->secret, tls->pending_handshake_secret, |
1684 | 0 | PTLS_MAX_DIGEST_SIZE); |
1685 | 0 | ptls_clear_memory(tls->pending_handshake_secret, PTLS_MAX_DIGEST_SIZE); |
1686 | 0 | free(tls->pending_handshake_secret); |
1687 | 0 | tls->pending_handshake_secret = NULL; |
1688 | |
|
1689 | 0 | return setup_traffic_protection(tls, is_enc, NULL, 2, 0, 1); |
1690 | 0 | } |
1691 | | |
1692 | | static void log_client_random(ptls_t *tls) |
1693 | 0 | { |
1694 | | #if PICOTLS_USE_DTRACE |
1695 | | char buf[sizeof(tls->client_random) * 2 + 1]; |
1696 | | #endif |
1697 | |
|
1698 | 0 | PTLS_PROBE(CLIENT_RANDOM, tls, ptls_hexdump(buf, tls->client_random, sizeof(tls->client_random))); |
1699 | 0 | PTLS_LOG_CONN(client_random, tls, { PTLS_LOG_ELEMENT_HEXDUMP(bytes, tls->client_random, sizeof(tls->client_random)); }); |
1700 | 0 | } |
1701 | | |
1702 | | #define SESSION_IDENTIFIER_MAGIC "ptls0001" /* the number should be changed upon incompatible format change */ |
1703 | | #define SESSION_IDENTIFIER_MAGIC_SIZE (sizeof(SESSION_IDENTIFIER_MAGIC) - 1) |
1704 | | |
1705 | | static int encode_session_identifier(ptls_context_t *ctx, ptls_buffer_t *buf, uint32_t ticket_age_add, ptls_iovec_t ticket_nonce, |
1706 | | ptls_key_schedule_t *sched, const char *server_name, uint16_t key_exchange_id, uint16_t csid, |
1707 | | const char *negotiated_protocol) |
1708 | 0 | { |
1709 | 0 | int ret = 0; |
1710 | |
|
1711 | 0 | ptls_buffer_push_block(buf, 2, { |
1712 | | /* format id */ |
1713 | 0 | ptls_buffer_pushv(buf, SESSION_IDENTIFIER_MAGIC, SESSION_IDENTIFIER_MAGIC_SIZE); |
1714 | | /* date */ |
1715 | 0 | ptls_buffer_push64(buf, ctx->get_time->cb(ctx->get_time)); |
1716 | | /* resumption master secret */ |
1717 | 0 | ptls_buffer_push_block(buf, 2, { |
1718 | 0 | if ((ret = ptls_buffer_reserve(buf, sched->hashes[0].algo->digest_size)) != 0) |
1719 | 0 | goto Exit; |
1720 | 0 | if ((ret = derive_resumption_secret(sched, buf->base + buf->off, ticket_nonce)) != 0) |
1721 | 0 | goto Exit; |
1722 | 0 | buf->off += sched->hashes[0].algo->digest_size; |
1723 | 0 | }); |
1724 | | /* key-exchange */ |
1725 | 0 | ptls_buffer_push16(buf, key_exchange_id); |
1726 | | /* cipher-suite */ |
1727 | 0 | ptls_buffer_push16(buf, csid); |
1728 | | /* ticket_age_add */ |
1729 | 0 | ptls_buffer_push32(buf, ticket_age_add); |
1730 | | /* session ID context */ |
1731 | 0 | ptls_buffer_push_block(buf, 2, { |
1732 | 0 | if (ctx->ticket_context.is_set) { |
1733 | 0 | ptls_buffer_pushv(buf, ctx->ticket_context.bytes, sizeof(ctx->ticket_context.bytes)); |
1734 | 0 | } else if (server_name != NULL) { |
1735 | 0 | ptls_buffer_pushv(buf, server_name, strlen(server_name)); |
1736 | 0 | } |
1737 | 0 | }); |
1738 | | /* alpn */ |
1739 | 0 | ptls_buffer_push_block(buf, 1, { |
1740 | 0 | if (negotiated_protocol != NULL) |
1741 | 0 | ptls_buffer_pushv(buf, negotiated_protocol, strlen(negotiated_protocol)); |
1742 | 0 | }); |
1743 | 0 | }); |
1744 | | |
1745 | 0 | Exit: |
1746 | 0 | return ret; |
1747 | 0 | } |
1748 | | |
1749 | | int decode_session_identifier(uint64_t *issued_at, ptls_iovec_t *psk, uint32_t *ticket_age_add, ptls_iovec_t *ticket_ctx, |
1750 | | uint16_t *key_exchange_id, uint16_t *csid, ptls_iovec_t *negotiated_protocol, const uint8_t *src, |
1751 | | const uint8_t *const end) |
1752 | 0 | { |
1753 | 0 | int ret = 0; |
1754 | |
|
1755 | 0 | ptls_decode_block(src, end, 2, { |
1756 | 0 | if (end - src < SESSION_IDENTIFIER_MAGIC_SIZE || |
1757 | 0 | memcmp(src, SESSION_IDENTIFIER_MAGIC, SESSION_IDENTIFIER_MAGIC_SIZE) != 0) { |
1758 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
1759 | 0 | goto Exit; |
1760 | 0 | } |
1761 | 0 | src += SESSION_IDENTIFIER_MAGIC_SIZE; |
1762 | 0 | if ((ret = ptls_decode64(issued_at, &src, end)) != 0) |
1763 | 0 | goto Exit; |
1764 | 0 | ptls_decode_open_block(src, end, 2, { |
1765 | 0 | *psk = ptls_iovec_init(src, end - src); |
1766 | 0 | src = end; |
1767 | 0 | }); |
1768 | 0 | if ((ret = ptls_decode16(key_exchange_id, &src, end)) != 0) |
1769 | 0 | goto Exit; |
1770 | 0 | if ((ret = ptls_decode16(csid, &src, end)) != 0) |
1771 | 0 | goto Exit; |
1772 | 0 | if ((ret = ptls_decode32(ticket_age_add, &src, end)) != 0) |
1773 | 0 | goto Exit; |
1774 | 0 | ptls_decode_open_block(src, end, 2, { |
1775 | 0 | *ticket_ctx = ptls_iovec_init(src, end - src); |
1776 | 0 | src = end; |
1777 | 0 | }); |
1778 | 0 | ptls_decode_open_block(src, end, 1, { |
1779 | 0 | *negotiated_protocol = ptls_iovec_init(src, end - src); |
1780 | 0 | src = end; |
1781 | 0 | }); |
1782 | 0 | }); |
1783 | | |
1784 | 0 | Exit: |
1785 | 0 | return ret; |
1786 | 0 | } |
1787 | | |
1788 | | static size_t build_certificate_verify_signdata(uint8_t *data, ptls_key_schedule_t *sched, const char *context_string) |
1789 | 0 | { |
1790 | 0 | size_t datalen = 0; |
1791 | |
|
1792 | 0 | memset(data + datalen, 32, 64); |
1793 | 0 | datalen += 64; |
1794 | 0 | memcpy(data + datalen, context_string, strlen(context_string) + 1); |
1795 | 0 | datalen += strlen(context_string) + 1; |
1796 | 0 | sched->hashes[0].ctx->final(sched->hashes[0].ctx, data + datalen, PTLS_HASH_FINAL_MODE_SNAPSHOT); |
1797 | 0 | datalen += sched->hashes[0].algo->digest_size; |
1798 | 0 | assert(datalen <= PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE); |
1799 | | |
1800 | 0 | return datalen; |
1801 | 0 | } |
1802 | | |
1803 | | static int calc_verify_data(void *output, ptls_key_schedule_t *sched, const void *secret) |
1804 | 0 | { |
1805 | 0 | ptls_hash_context_t *hmac; |
1806 | 0 | uint8_t digest[PTLS_MAX_DIGEST_SIZE]; |
1807 | 0 | int ret; |
1808 | |
|
1809 | 0 | if ((ret = ptls_hkdf_expand_label(sched->hashes[0].algo, digest, sched->hashes[0].algo->digest_size, |
1810 | 0 | ptls_iovec_init(secret, sched->hashes[0].algo->digest_size), "finished", |
1811 | 0 | ptls_iovec_init(NULL, 0), NULL)) != 0) |
1812 | 0 | return ret; |
1813 | 0 | if ((hmac = ptls_hmac_create(sched->hashes[0].algo, digest, sched->hashes[0].algo->digest_size)) == NULL) { |
1814 | 0 | ptls_clear_memory(digest, sizeof(digest)); |
1815 | 0 | return PTLS_ERROR_NO_MEMORY; |
1816 | 0 | } |
1817 | | |
1818 | 0 | sched->hashes[0].ctx->final(sched->hashes[0].ctx, digest, PTLS_HASH_FINAL_MODE_SNAPSHOT); |
1819 | 0 | PTLS_DEBUGF("%s: %02x%02x,%02x%02x\n", __FUNCTION__, ((uint8_t *)secret)[0], ((uint8_t *)secret)[1], digest[0], digest[1]); |
1820 | 0 | hmac->update(hmac, digest, sched->hashes[0].algo->digest_size); |
1821 | 0 | ptls_clear_memory(digest, sizeof(digest)); |
1822 | 0 | hmac->final(hmac, output, PTLS_HASH_FINAL_MODE_FREE); |
1823 | |
|
1824 | 0 | return 0; |
1825 | 0 | } |
1826 | | |
1827 | | static int verify_finished(ptls_t *tls, ptls_iovec_t message) |
1828 | 0 | { |
1829 | 0 | uint8_t verify_data[PTLS_MAX_DIGEST_SIZE]; |
1830 | 0 | int ret; |
1831 | |
|
1832 | 0 | if (PTLS_HANDSHAKE_HEADER_SIZE + tls->key_schedule->hashes[0].algo->digest_size != message.len) { |
1833 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
1834 | 0 | goto Exit; |
1835 | 0 | } |
1836 | | |
1837 | 0 | if ((ret = calc_verify_data(verify_data, tls->key_schedule, tls->traffic_protection.dec.secret)) != 0) |
1838 | 0 | goto Exit; |
1839 | 0 | if (!ptls_mem_equal(message.base + PTLS_HANDSHAKE_HEADER_SIZE, verify_data, tls->key_schedule->hashes[0].algo->digest_size)) { |
1840 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
1841 | 0 | goto Exit; |
1842 | 0 | } |
1843 | | |
1844 | 0 | Exit: |
1845 | 0 | ptls_clear_memory(verify_data, sizeof(verify_data)); |
1846 | 0 | return ret; |
1847 | 0 | } |
1848 | | |
1849 | | static int send_finished(ptls_t *tls, ptls_message_emitter_t *emitter) |
1850 | 0 | { |
1851 | 0 | int ret; |
1852 | |
|
1853 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_FINISHED, { |
1854 | 0 | if ((ret = ptls_buffer_reserve(emitter->buf, tls->key_schedule->hashes[0].algo->digest_size)) != 0) |
1855 | 0 | goto Exit; |
1856 | 0 | if ((ret = calc_verify_data(emitter->buf->base + emitter->buf->off, tls->key_schedule, |
1857 | 0 | tls->traffic_protection.enc.secret)) != 0) |
1858 | 0 | goto Exit; |
1859 | 0 | emitter->buf->off += tls->key_schedule->hashes[0].algo->digest_size; |
1860 | 0 | }); |
1861 | | |
1862 | 0 | Exit: |
1863 | 0 | return ret; |
1864 | 0 | } |
1865 | | |
1866 | | static int send_session_ticket(ptls_t *tls, ptls_message_emitter_t *emitter) |
1867 | 0 | { |
1868 | 0 | ptls_hash_context_t *msghash_backup = tls->key_schedule->hashes[0].ctx->clone_(tls->key_schedule->hashes[0].ctx); |
1869 | 0 | ptls_buffer_t session_id; |
1870 | 0 | char session_id_smallbuf[128]; |
1871 | 0 | uint32_t ticket_age_add; |
1872 | 0 | int ret = 0; |
1873 | |
|
1874 | 0 | assert(tls->ctx->ticket_lifetime != 0); |
1875 | 0 | assert(tls->ctx->encrypt_ticket != NULL); |
1876 | | |
1877 | 0 | ptls_buffer_init(&session_id, session_id_smallbuf, sizeof(session_id_smallbuf)); |
1878 | |
|
1879 | 0 | { /* calculate verify-data that will be sent by the client */ |
1880 | 0 | size_t orig_off = emitter->buf->off; |
1881 | 0 | if (tls->pending_handshake_secret != NULL && !tls->ctx->omit_end_of_early_data) { |
1882 | 0 | assert(tls->state == PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA); |
1883 | 0 | ptls_buffer_push_message_body(emitter->buf, tls->key_schedule, PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA, {}); |
1884 | 0 | emitter->buf->off = orig_off; |
1885 | 0 | } |
1886 | 0 | ptls_buffer_push_message_body(emitter->buf, tls->key_schedule, PTLS_HANDSHAKE_TYPE_FINISHED, { |
1887 | 0 | if ((ret = ptls_buffer_reserve(emitter->buf, tls->key_schedule->hashes[0].algo->digest_size)) != 0) |
1888 | 0 | goto Exit; |
1889 | 0 | if ((ret = calc_verify_data(emitter->buf->base + emitter->buf->off, tls->key_schedule, |
1890 | 0 | tls->pending_handshake_secret != NULL ? tls->pending_handshake_secret |
1891 | 0 | : tls->traffic_protection.dec.secret)) != 0) |
1892 | 0 | goto Exit; |
1893 | 0 | emitter->buf->off += tls->key_schedule->hashes[0].algo->digest_size; |
1894 | 0 | }); |
1895 | 0 | emitter->buf->off = orig_off; |
1896 | 0 | } |
1897 | | |
1898 | 0 | tls->ctx->random_bytes(&ticket_age_add, sizeof(ticket_age_add)); |
1899 | | |
1900 | | /* build the raw nsk */ |
1901 | 0 | if (tls->key_share != NULL && (ret = encode_session_identifier(tls->ctx, &session_id, ticket_age_add, ptls_iovec_init(NULL, 0), |
1902 | 0 | tls->key_schedule, tls->server_name, tls->key_share->id, |
1903 | 0 | tls->cipher_suite->id, tls->negotiated_protocol)) != 0) |
1904 | 0 | goto Exit; |
1905 | | |
1906 | | /* encrypt and send */ |
1907 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET, { |
1908 | 0 | ptls_buffer_push32(emitter->buf, tls->ctx->ticket_lifetime); |
1909 | 0 | ptls_buffer_push32(emitter->buf, ticket_age_add); |
1910 | 0 | ptls_buffer_push_block(emitter->buf, 1, {}); |
1911 | 0 | ptls_buffer_push_block(emitter->buf, 2, { |
1912 | 0 | if ((ret = tls->ctx->encrypt_ticket->cb(tls->ctx->encrypt_ticket, tls, 1, emitter->buf, |
1913 | 0 | ptls_iovec_init(session_id.base, session_id.off))) != 0) |
1914 | 0 | goto Exit; |
1915 | 0 | }); |
1916 | 0 | ptls_buffer_push_block(emitter->buf, 2, { |
1917 | 0 | if (tls->ctx->max_early_data_size != 0) |
1918 | 0 | buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_EARLY_DATA, |
1919 | 0 | { ptls_buffer_push32(emitter->buf, tls->ctx->max_early_data_size); }); |
1920 | 0 | }); |
1921 | 0 | }); |
1922 | | |
1923 | 0 | Exit: |
1924 | 0 | ptls_buffer_dispose(&session_id); |
1925 | | |
1926 | | /* restore handshake state */ |
1927 | 0 | tls->key_schedule->hashes[0].ctx->final(tls->key_schedule->hashes[0].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1928 | 0 | tls->key_schedule->hashes[0].ctx = msghash_backup; |
1929 | |
|
1930 | 0 | return ret; |
1931 | 0 | } |
1932 | | |
1933 | | static int push_change_cipher_spec(ptls_t *tls, ptls_message_emitter_t *emitter) |
1934 | 0 | { |
1935 | 0 | int ret; |
1936 | | |
1937 | | /* check if we are requested to (or still need to) */ |
1938 | 0 | if (!tls->send_change_cipher_spec) { |
1939 | 0 | ret = 0; |
1940 | 0 | goto Exit; |
1941 | 0 | } |
1942 | | |
1943 | | /* CCS is a record, can only be sent when using a record-based protocol. */ |
1944 | 0 | if (emitter->begin_message != begin_record_message) { |
1945 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
1946 | 0 | goto Exit; |
1947 | 0 | } |
1948 | | |
1949 | | /* emit CCS */ |
1950 | 0 | buffer_push_record(emitter->buf, PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, { ptls_buffer_push(emitter->buf, 1); }); |
1951 | | |
1952 | 0 | tls->send_change_cipher_spec = 0; |
1953 | 0 | ret = 0; |
1954 | 0 | Exit: |
1955 | 0 | return ret; |
1956 | 0 | } |
1957 | | |
1958 | | static int push_additional_extensions(ptls_handshake_properties_t *properties, ptls_buffer_t *sendbuf) |
1959 | 0 | { |
1960 | 0 | int ret; |
1961 | |
|
1962 | 0 | if (properties != NULL && properties->additional_extensions != NULL) { |
1963 | 0 | ptls_raw_extension_t *ext; |
1964 | 0 | for (ext = properties->additional_extensions; ext->type != UINT16_MAX; ++ext) { |
1965 | 0 | buffer_push_extension(sendbuf, ext->type, { ptls_buffer_pushv(sendbuf, ext->data.base, ext->data.len); }); |
1966 | 0 | } |
1967 | 0 | } |
1968 | 0 | ret = 0; |
1969 | 0 | Exit: |
1970 | 0 | return ret; |
1971 | 0 | } |
1972 | | |
1973 | | static int push_signature_algorithms(ptls_verify_certificate_t *vc, ptls_buffer_t *sendbuf) |
1974 | 0 | { |
1975 | | /* The list sent when verify callback is not registered */ |
1976 | 0 | static const uint16_t default_algos[] = {PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256, PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256, |
1977 | 0 | PTLS_SIGNATURE_RSA_PKCS1_SHA256, PTLS_SIGNATURE_RSA_PKCS1_SHA1, UINT16_MAX}; |
1978 | 0 | int ret; |
1979 | |
|
1980 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
1981 | 0 | for (const uint16_t *p = vc != NULL ? vc->algos : default_algos; *p != UINT16_MAX; ++p) |
1982 | 0 | ptls_buffer_push16(sendbuf, *p); |
1983 | 0 | }); |
1984 | | |
1985 | 0 | ret = 0; |
1986 | 0 | Exit: |
1987 | 0 | return ret; |
1988 | 0 | } |
1989 | | |
1990 | | static int decode_signature_algorithms(struct st_ptls_signature_algorithms_t *sa, const uint8_t **src, const uint8_t *end) |
1991 | 0 | { |
1992 | 0 | int ret; |
1993 | |
|
1994 | 0 | ptls_decode_block(*src, end, 2, { |
1995 | 0 | do { |
1996 | 0 | uint16_t id; |
1997 | 0 | if ((ret = ptls_decode16(&id, src, end)) != 0) |
1998 | 0 | goto Exit; |
1999 | 0 | if (sa->count < PTLS_ELEMENTSOF(sa->list)) |
2000 | 0 | sa->list[sa->count++] = id; |
2001 | 0 | } while (*src != end); |
2002 | 0 | }); |
2003 | | |
2004 | 0 | ret = 0; |
2005 | 0 | Exit: |
2006 | 0 | return ret; |
2007 | 0 | } |
2008 | | |
2009 | | /** |
2010 | | * @param hash optional argument for restricting the underlying hash algorithm |
2011 | | */ |
2012 | | static int select_cipher(ptls_cipher_suite_t **selected, ptls_cipher_suite_t **candidates, const uint8_t *src, |
2013 | | const uint8_t *const end, int server_preference, int server_chacha_priority, ptls_hash_algorithm_t *hash) |
2014 | 0 | { |
2015 | 0 | size_t found_index = SIZE_MAX; |
2016 | 0 | int ret; |
2017 | |
|
2018 | 0 | while (src != end) { |
2019 | 0 | uint16_t id; |
2020 | 0 | if ((ret = ptls_decode16(&id, &src, end)) != 0) |
2021 | 0 | goto Exit; |
2022 | 0 | for (size_t i = 0; candidates[i] != NULL; ++i) { |
2023 | 0 | if (candidates[i]->id == id && (hash == NULL || candidates[i]->hash == hash)) { |
2024 | 0 | if (server_preference && !(server_chacha_priority && id == PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256)) { |
2025 | | /* preserve smallest matching index, and proceed to the next input */ |
2026 | 0 | if (i < found_index) { |
2027 | 0 | found_index = i; |
2028 | 0 | break; |
2029 | 0 | } |
2030 | 0 | } else { |
2031 | | /* return the pointer matching to the first input that can be used */ |
2032 | 0 | *selected = candidates[i]; |
2033 | 0 | goto Exit; |
2034 | 0 | } |
2035 | 0 | } |
2036 | 0 | } |
2037 | | /* first position of the server list matched (server_preference) */ |
2038 | 0 | if (found_index == 0) |
2039 | 0 | break; |
2040 | | /* server preference is overridden only if the first entry of client-provided list is chachapoly */ |
2041 | 0 | server_chacha_priority = 0; |
2042 | 0 | } |
2043 | 0 | if (found_index != SIZE_MAX) { |
2044 | 0 | *selected = candidates[found_index]; |
2045 | 0 | ret = 0; |
2046 | 0 | } else { |
2047 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
2048 | 0 | } |
2049 | |
|
2050 | 0 | Exit: |
2051 | 0 | return ret; |
2052 | 0 | } |
2053 | | |
2054 | | static int push_key_share_entry(ptls_buffer_t *buf, uint16_t group, ptls_iovec_t pubkey) |
2055 | 0 | { |
2056 | 0 | int ret; |
2057 | |
|
2058 | 0 | ptls_buffer_push16(buf, group); |
2059 | 0 | ptls_buffer_push_block(buf, 2, { ptls_buffer_pushv(buf, pubkey.base, pubkey.len); }); |
2060 | 0 | ret = 0; |
2061 | 0 | Exit: |
2062 | 0 | return ret; |
2063 | 0 | } |
2064 | | |
2065 | | static int decode_key_share_entry(uint16_t *group, ptls_iovec_t *key_exchange, const uint8_t **src, const uint8_t *const end) |
2066 | 0 | { |
2067 | 0 | int ret; |
2068 | |
|
2069 | 0 | if ((ret = ptls_decode16(group, src, end)) != 0) |
2070 | 0 | goto Exit; |
2071 | 0 | ptls_decode_open_block(*src, end, 2, { |
2072 | 0 | *key_exchange = ptls_iovec_init(*src, end - *src); |
2073 | 0 | *src = end; |
2074 | 0 | }); |
2075 | | |
2076 | 0 | Exit: |
2077 | 0 | return ret; |
2078 | 0 | } |
2079 | | |
2080 | | static int select_key_share(ptls_key_exchange_algorithm_t **selected, ptls_iovec_t *peer_key, |
2081 | | ptls_key_exchange_algorithm_t **candidates, const uint8_t **src, const uint8_t *const end, |
2082 | | int expect_one) |
2083 | 0 | { |
2084 | 0 | int ret; |
2085 | |
|
2086 | 0 | *selected = NULL; |
2087 | |
|
2088 | 0 | if (expect_one && *src == end) { |
2089 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2090 | 0 | goto Exit; |
2091 | 0 | } |
2092 | | |
2093 | 0 | while (*src != end) { |
2094 | 0 | uint16_t group; |
2095 | 0 | ptls_iovec_t key; |
2096 | 0 | if ((ret = decode_key_share_entry(&group, &key, src, end)) != 0) |
2097 | 0 | goto Exit; |
2098 | 0 | ptls_key_exchange_algorithm_t **c = candidates; |
2099 | 0 | for (; *c != NULL; ++c) { |
2100 | 0 | if (*selected == NULL && (*c)->id == group) { |
2101 | 0 | *selected = *c; |
2102 | 0 | *peer_key = key; |
2103 | 0 | } |
2104 | 0 | } |
2105 | 0 | if (expect_one) { |
2106 | 0 | ret = *selected != NULL ? 0 : PTLS_ALERT_ILLEGAL_PARAMETER; |
2107 | 0 | goto Exit; |
2108 | 0 | } |
2109 | 0 | } |
2110 | | |
2111 | 0 | ret = 0; |
2112 | |
|
2113 | 0 | Exit: |
2114 | 0 | return ret; |
2115 | 0 | } |
2116 | | |
2117 | | static int emit_server_name_extension(ptls_buffer_t *buf, const char *server_name) |
2118 | 0 | { |
2119 | 0 | int ret; |
2120 | |
|
2121 | 0 | ptls_buffer_push_block(buf, 2, { |
2122 | 0 | ptls_buffer_push(buf, PTLS_SERVER_NAME_TYPE_HOSTNAME); |
2123 | 0 | ptls_buffer_push_block(buf, 2, { ptls_buffer_pushv(buf, server_name, strlen(server_name)); }); |
2124 | 0 | }); |
2125 | | |
2126 | 0 | ret = 0; |
2127 | 0 | Exit: |
2128 | 0 | return ret; |
2129 | 0 | } |
2130 | | |
2131 | | /** |
2132 | | * Within the outer ECH extension, returns the number of bytes that preceeds the AEAD-encrypted payload. |
2133 | | */ |
2134 | | static inline size_t outer_ech_header_size(size_t enc_size) |
2135 | 0 | { |
2136 | 0 | return 10 + enc_size; |
2137 | 0 | } |
2138 | | |
2139 | | /** |
2140 | | * Flag to indicate which of ClientHelloInner, EncodedClientHelloInner, ClientHelloOuter is to be generated. When ECH is inactive, |
2141 | | * only ClientHelloInner is used. |
2142 | | */ |
2143 | | enum encode_ch_mode { ENCODE_CH_MODE_INNER, ENCODE_CH_MODE_ENCODED_INNER, ENCODE_CH_MODE_OUTER }; |
2144 | | |
2145 | | static int encode_client_hello(ptls_context_t *ctx, ptls_buffer_t *sendbuf, enum encode_ch_mode mode, int is_second_flight, |
2146 | | ptls_handshake_properties_t *properties, const void *client_random, |
2147 | | ptls_key_exchange_context_t *key_share_ctx, const char *sni_name, ptls_iovec_t legacy_session_id, |
2148 | | struct st_ptls_ech_t *ech, size_t *ech_size_offset, ptls_iovec_t ech_replay, ptls_iovec_t psk_secret, |
2149 | | ptls_iovec_t psk_identity, uint32_t obfuscated_ticket_age, size_t psk_binder_size, |
2150 | | ptls_iovec_t *cookie, int using_early_data) |
2151 | 0 | { |
2152 | 0 | int ret; |
2153 | |
|
2154 | 0 | assert(mode == ENCODE_CH_MODE_INNER || ech != NULL); |
2155 | | |
2156 | 0 | ptls_buffer_push_message_body(sendbuf, NULL, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, { |
2157 | | /* legacy_version */ |
2158 | 0 | ptls_buffer_push16(sendbuf, 0x0303); |
2159 | | /* random_bytes */ |
2160 | 0 | ptls_buffer_pushv(sendbuf, client_random, PTLS_HELLO_RANDOM_SIZE); |
2161 | | /* lecagy_session_id */ |
2162 | 0 | ptls_buffer_push_block(sendbuf, 1, { |
2163 | 0 | if (mode != ENCODE_CH_MODE_ENCODED_INNER) |
2164 | 0 | ptls_buffer_pushv(sendbuf, legacy_session_id.base, legacy_session_id.len); |
2165 | 0 | }); |
2166 | | /* cipher_suites */ |
2167 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
2168 | 0 | ptls_cipher_suite_t **cs = ctx->cipher_suites; |
2169 | 0 | for (; *cs != NULL; ++cs) |
2170 | 0 | ptls_buffer_push16(sendbuf, (*cs)->id); |
2171 | 0 | }); |
2172 | | /* legacy_compression_methods */ |
2173 | 0 | ptls_buffer_push_block(sendbuf, 1, { ptls_buffer_push(sendbuf, 0); }); |
2174 | | /* extensions */ |
2175 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
2176 | 0 | if (mode == ENCODE_CH_MODE_OUTER) { |
2177 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, { |
2178 | 0 | size_t ext_payload_from = sendbuf->off; |
2179 | 0 | ptls_buffer_push(sendbuf, PTLS_ECH_CLIENT_HELLO_TYPE_OUTER); |
2180 | 0 | ptls_buffer_push16(sendbuf, ech->cipher->id.kdf); |
2181 | 0 | ptls_buffer_push16(sendbuf, ech->cipher->id.aead); |
2182 | 0 | ptls_buffer_push(sendbuf, ech->config_id); |
2183 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
2184 | 0 | if (!is_second_flight) |
2185 | 0 | ptls_buffer_pushv(sendbuf, ech->client.enc.base, ech->client.enc.len); |
2186 | 0 | }); |
2187 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
2188 | 0 | assert(sendbuf->off - ext_payload_from == |
2189 | 0 | outer_ech_header_size(is_second_flight ? 0 : ech->client.enc.len)); |
2190 | 0 | if ((ret = ptls_buffer_reserve(sendbuf, *ech_size_offset)) != 0) |
2191 | 0 | goto Exit; |
2192 | 0 | memset(sendbuf->base + sendbuf->off, 0, *ech_size_offset); |
2193 | 0 | sendbuf->off += *ech_size_offset; |
2194 | 0 | *ech_size_offset = sendbuf->off - *ech_size_offset; |
2195 | 0 | }); |
2196 | 0 | }); |
2197 | 0 | } else if (ech->aead != NULL) { |
2198 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, |
2199 | 0 | { ptls_buffer_push(sendbuf, PTLS_ECH_CLIENT_HELLO_TYPE_INNER); }); |
2200 | 0 | } else if (ech_replay.base != NULL) { |
2201 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, |
2202 | 0 | { ptls_buffer_pushv(sendbuf, ech_replay.base, ech_replay.len); }); |
2203 | 0 | } |
2204 | 0 | if (mode == ENCODE_CH_MODE_ENCODED_INNER) { |
2205 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ECH_OUTER_EXTENSIONS, { |
2206 | 0 | ptls_buffer_push_block(sendbuf, 1, { ptls_buffer_push16(sendbuf, PTLS_EXTENSION_TYPE_KEY_SHARE); }); |
2207 | 0 | }); |
2208 | 0 | } else { |
2209 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_KEY_SHARE, { |
2210 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
2211 | 0 | if (key_share_ctx != NULL && |
2212 | 0 | (ret = push_key_share_entry(sendbuf, key_share_ctx->algo->id, key_share_ctx->pubkey)) != 0) |
2213 | 0 | goto Exit; |
2214 | 0 | }); |
2215 | 0 | }); |
2216 | 0 | } |
2217 | 0 | if (sni_name != NULL) { |
2218 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_NAME, { |
2219 | 0 | if ((ret = emit_server_name_extension(sendbuf, sni_name)) != 0) |
2220 | 0 | goto Exit; |
2221 | 0 | }); |
2222 | 0 | } |
2223 | 0 | if (properties != NULL && properties->client.negotiated_protocols.count != 0) { |
2224 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ALPN, { |
2225 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
2226 | 0 | size_t i; |
2227 | 0 | for (i = 0; i != properties->client.negotiated_protocols.count; ++i) { |
2228 | 0 | ptls_buffer_push_block(sendbuf, 1, { |
2229 | 0 | ptls_iovec_t p = properties->client.negotiated_protocols.list[i]; |
2230 | 0 | ptls_buffer_pushv(sendbuf, p.base, p.len); |
2231 | 0 | }); |
2232 | 0 | } |
2233 | 0 | }); |
2234 | 0 | }); |
2235 | 0 | } |
2236 | 0 | if (ctx->decompress_certificate != NULL) { |
2237 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_COMPRESS_CERTIFICATE, { |
2238 | 0 | ptls_buffer_push_block(sendbuf, 1, { |
2239 | 0 | const uint16_t *algo = ctx->decompress_certificate->supported_algorithms; |
2240 | 0 | assert(*algo != UINT16_MAX); |
2241 | 0 | for (; *algo != UINT16_MAX; ++algo) |
2242 | 0 | ptls_buffer_push16(sendbuf, *algo); |
2243 | 0 | }); |
2244 | 0 | }); |
2245 | 0 | } |
2246 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS, { |
2247 | 0 | ptls_buffer_push_block(sendbuf, 1, { |
2248 | 0 | size_t i; |
2249 | 0 | for (i = 0; i != PTLS_ELEMENTSOF(supported_versions); ++i) |
2250 | 0 | ptls_buffer_push16(sendbuf, supported_versions[i]); |
2251 | 0 | }); |
2252 | 0 | }); |
2253 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS, { |
2254 | 0 | if ((ret = push_signature_algorithms(ctx->verify_certificate, sendbuf)) != 0) |
2255 | 0 | goto Exit; |
2256 | 0 | }); |
2257 | 0 | if (ctx->key_exchanges != NULL) { |
2258 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SUPPORTED_GROUPS, { |
2259 | 0 | ptls_key_exchange_algorithm_t **algo = ctx->key_exchanges; |
2260 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
2261 | 0 | for (; *algo != NULL; ++algo) |
2262 | 0 | ptls_buffer_push16(sendbuf, (*algo)->id); |
2263 | 0 | }); |
2264 | 0 | }); |
2265 | 0 | } |
2266 | 0 | if (cookie != NULL && cookie->base != NULL) { |
2267 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_COOKIE, { |
2268 | 0 | ptls_buffer_push_block(sendbuf, 2, { ptls_buffer_pushv(sendbuf, cookie->base, cookie->len); }); |
2269 | 0 | }); |
2270 | 0 | } |
2271 | 0 | if (ctx->use_raw_public_keys) { |
2272 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE, { |
2273 | 0 | ptls_buffer_push_block(sendbuf, 1, { ptls_buffer_push(sendbuf, PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY); }); |
2274 | 0 | }); |
2275 | 0 | } |
2276 | 0 | if (ctx->save_ticket != NULL && |
2277 | 0 | (ctx->ticket_requests.client.new_session_count != 0 || ctx->ticket_requests.client.resumption_count != 0)) { |
2278 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_TICKET_REQUEST, { |
2279 | 0 | ptls_buffer_push(sendbuf, ctx->ticket_requests.client.new_session_count, |
2280 | 0 | ctx->ticket_requests.client.resumption_count); |
2281 | 0 | }); |
2282 | 0 | } |
2283 | 0 | if ((ret = push_additional_extensions(properties, sendbuf)) != 0) |
2284 | 0 | goto Exit; |
2285 | 0 | if (ctx->save_ticket != NULL || psk_secret.base != NULL) { |
2286 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_PSK_KEY_EXCHANGE_MODES, { |
2287 | 0 | ptls_buffer_push_block(sendbuf, 1, { |
2288 | 0 | if (!ctx->require_dhe_on_psk) |
2289 | 0 | ptls_buffer_push(sendbuf, PTLS_PSK_KE_MODE_PSK); |
2290 | 0 | ptls_buffer_push(sendbuf, PTLS_PSK_KE_MODE_PSK_DHE); |
2291 | 0 | }); |
2292 | 0 | }); |
2293 | 0 | } |
2294 | 0 | if (psk_secret.base != NULL) { |
2295 | 0 | if (using_early_data && !is_second_flight) |
2296 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_EARLY_DATA, {}); |
2297 | | /* pre-shared key "MUST be the last extension in the ClientHello" (draft-17 section 4.2.6) */ |
2298 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_PRE_SHARED_KEY, { |
2299 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
2300 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
2301 | 0 | if (mode == ENCODE_CH_MODE_OUTER) { |
2302 | 0 | if ((ret = ptls_buffer_reserve(sendbuf, psk_identity.len)) != 0) |
2303 | 0 | goto Exit; |
2304 | 0 | ctx->random_bytes(sendbuf->base + sendbuf->off, psk_identity.len); |
2305 | 0 | sendbuf->off += psk_identity.len; |
2306 | 0 | } else { |
2307 | 0 | ptls_buffer_pushv(sendbuf, psk_identity.base, psk_identity.len); |
2308 | 0 | } |
2309 | 0 | }); |
2310 | 0 | uint32_t age; |
2311 | 0 | if (mode == ENCODE_CH_MODE_OUTER) { |
2312 | 0 | ctx->random_bytes(&age, sizeof(age)); |
2313 | 0 | } else { |
2314 | 0 | age = obfuscated_ticket_age; |
2315 | 0 | } |
2316 | 0 | ptls_buffer_push32(sendbuf, age); |
2317 | 0 | }); |
2318 | | /* allocate space for PSK binder. The space is filled initially filled by a random value (meeting the |
2319 | | * requirement of ClientHelloOuter), and later gets filled with the correct binder value if necessary. */ |
2320 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
2321 | 0 | ptls_buffer_push_block(sendbuf, 1, { |
2322 | 0 | if ((ret = ptls_buffer_reserve(sendbuf, psk_binder_size)) != 0) |
2323 | 0 | goto Exit; |
2324 | 0 | ctx->random_bytes(sendbuf->base + sendbuf->off, psk_binder_size); |
2325 | 0 | sendbuf->off += psk_binder_size; |
2326 | 0 | }); |
2327 | 0 | }); |
2328 | 0 | }); |
2329 | 0 | } |
2330 | 0 | }); |
2331 | 0 | }); |
2332 | | |
2333 | 0 | Exit: |
2334 | 0 | return ret; |
2335 | 0 | } |
2336 | | |
2337 | | static int send_client_hello(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_handshake_properties_t *properties, |
2338 | | ptls_iovec_t *cookie) |
2339 | 0 | { |
2340 | 0 | struct { |
2341 | 0 | ptls_iovec_t secret; |
2342 | 0 | ptls_iovec_t identity; |
2343 | 0 | const char *label; |
2344 | 0 | } psk = {{NULL}}; |
2345 | 0 | uint32_t obfuscated_ticket_age = 0; |
2346 | 0 | const char *sni_name = NULL; |
2347 | 0 | size_t mess_start, msghash_off; |
2348 | 0 | uint8_t binder_key[PTLS_MAX_DIGEST_SIZE]; |
2349 | 0 | ptls_buffer_t encoded_ch_inner; |
2350 | 0 | int ret, is_second_flight = tls->key_schedule != NULL; |
2351 | |
|
2352 | 0 | ptls_buffer_init(&encoded_ch_inner, "", 0); |
2353 | |
|
2354 | 0 | if (tls->server_name != NULL && !ptls_server_name_is_ipaddr(tls->server_name)) |
2355 | 0 | sni_name = tls->server_name; |
2356 | | |
2357 | | /* try to use ECH (ignore broken ECHConfigList; it is delivered insecurely) */ |
2358 | 0 | if (properties != NULL) { |
2359 | 0 | if (!is_second_flight && sni_name != NULL && tls->ctx->ech.client.ciphers != NULL) { |
2360 | 0 | if (properties->client.ech.configs.len != 0) { |
2361 | 0 | struct st_decoded_ech_config_t decoded; |
2362 | 0 | client_decode_ech_config_list(tls->ctx, &decoded, properties->client.ech.configs); |
2363 | 0 | if (decoded.kem != NULL && decoded.cipher != NULL) { |
2364 | 0 | if ((ret = client_setup_ech(&tls->ech, &decoded, tls->ctx->random_bytes)) != 0) |
2365 | 0 | goto Exit; |
2366 | 0 | } |
2367 | 0 | } else { |
2368 | | /* zero-length config indicates ECH greasing */ |
2369 | 0 | client_setup_ech_grease(&tls->ech, tls->ctx->random_bytes, tls->ctx->ech.client.kems, tls->ctx->ech.client.ciphers, |
2370 | 0 | sni_name); |
2371 | 0 | } |
2372 | 0 | } |
2373 | 0 | } |
2374 | | |
2375 | | /* use external PSK if provided */ |
2376 | 0 | if (tls->ctx->pre_shared_key.identity.base != NULL) { |
2377 | 0 | if (!is_second_flight) { |
2378 | 0 | tls->client.offered_psk = 1; |
2379 | 0 | for (size_t i = 0; tls->ctx->cipher_suites[i] != NULL; ++i) { |
2380 | 0 | if (tls->ctx->cipher_suites[i]->hash == tls->ctx->pre_shared_key.hash) { |
2381 | 0 | tls->cipher_suite = tls->ctx->cipher_suites[i]; |
2382 | 0 | break; |
2383 | 0 | } |
2384 | 0 | } |
2385 | 0 | assert(tls->cipher_suite != NULL && "no compatible cipher-suite provided that matches psk.hash"); |
2386 | 0 | if (properties != NULL && properties->client.max_early_data_size != NULL) { |
2387 | 0 | tls->client.using_early_data = 1; |
2388 | 0 | *properties->client.max_early_data_size = SIZE_MAX; |
2389 | 0 | } |
2390 | 0 | } else { |
2391 | 0 | assert(tls->cipher_suite != NULL && tls->cipher_suite->hash == tls->ctx->pre_shared_key.hash); |
2392 | 0 | } |
2393 | 0 | psk.secret = tls->ctx->pre_shared_key.secret; |
2394 | 0 | psk.identity = tls->ctx->pre_shared_key.identity; |
2395 | 0 | psk.label = "ext binder"; |
2396 | 0 | } |
2397 | | |
2398 | | /* try to setup resumption-related data, unless external PSK is used */ |
2399 | 0 | if (psk.secret.base == NULL && properties != NULL && properties->client.session_ticket.base != NULL && |
2400 | 0 | tls->ctx->key_exchanges != NULL) { |
2401 | 0 | ptls_key_exchange_algorithm_t *key_share = NULL; |
2402 | 0 | ptls_cipher_suite_t *cipher_suite = NULL; |
2403 | 0 | uint32_t max_early_data_size; |
2404 | 0 | if (decode_stored_session_ticket(tls, &key_share, &cipher_suite, &psk.secret, &obfuscated_ticket_age, &psk.identity, |
2405 | 0 | &max_early_data_size, properties->client.session_ticket.base, |
2406 | 0 | properties->client.session_ticket.base + properties->client.session_ticket.len) == 0) { |
2407 | 0 | psk.label = "res binder"; |
2408 | 0 | tls->client.offered_psk = 1; |
2409 | | /* key-share selected by HRR should not be overridden */ |
2410 | 0 | if (tls->key_share == NULL) |
2411 | 0 | tls->key_share = key_share; |
2412 | 0 | tls->cipher_suite = cipher_suite; |
2413 | 0 | if (!is_second_flight && max_early_data_size != 0 && properties->client.max_early_data_size != NULL) { |
2414 | 0 | tls->client.using_early_data = 1; |
2415 | 0 | *properties->client.max_early_data_size = max_early_data_size; |
2416 | 0 | } |
2417 | 0 | } else { |
2418 | 0 | psk.secret = ptls_iovec_init(NULL, 0); |
2419 | 0 | } |
2420 | 0 | } |
2421 | | |
2422 | | /* send 0-RTT related signals back to the client */ |
2423 | 0 | if (properties != NULL) { |
2424 | 0 | if (tls->client.using_early_data) { |
2425 | 0 | properties->client.early_data_acceptance = PTLS_EARLY_DATA_ACCEPTANCE_UNKNOWN; |
2426 | 0 | } else { |
2427 | 0 | if (properties->client.max_early_data_size != NULL) |
2428 | 0 | *properties->client.max_early_data_size = 0; |
2429 | 0 | properties->client.early_data_acceptance = PTLS_EARLY_DATA_REJECTED; |
2430 | 0 | } |
2431 | 0 | } |
2432 | | |
2433 | | /* use the default key share if still not undetermined */ |
2434 | 0 | if (tls->key_share == NULL && tls->ctx->key_exchanges != NULL && |
2435 | 0 | !(properties != NULL && properties->client.negotiate_before_key_exchange)) |
2436 | 0 | tls->key_share = tls->ctx->key_exchanges[0]; |
2437 | | |
2438 | | /* instantiate key share context */ |
2439 | 0 | assert(tls->client.key_share_ctx == NULL); |
2440 | 0 | if (tls->key_share != NULL) { |
2441 | 0 | if ((ret = tls->key_share->create(tls->key_share, &tls->client.key_share_ctx)) != 0) |
2442 | 0 | goto Exit; |
2443 | 0 | } |
2444 | | |
2445 | | /* initialize key schedule */ |
2446 | 0 | if (!is_second_flight) { |
2447 | 0 | if ((tls->key_schedule = key_schedule_new(tls->cipher_suite, tls->ctx->cipher_suites, tls->ech.aead != NULL)) == NULL) { |
2448 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
2449 | 0 | goto Exit; |
2450 | 0 | } |
2451 | 0 | if ((ret = key_schedule_extract(tls->key_schedule, psk.secret)) != 0) |
2452 | 0 | goto Exit; |
2453 | 0 | } |
2454 | | |
2455 | | /* start generating CH */ |
2456 | 0 | if ((ret = emitter->begin_message(emitter)) != 0) |
2457 | 0 | goto Exit; |
2458 | 0 | mess_start = msghash_off = emitter->buf->off; |
2459 | | |
2460 | | /* generate true (inner) CH */ |
2461 | 0 | if ((ret = encode_client_hello(tls->ctx, emitter->buf, ENCODE_CH_MODE_INNER, is_second_flight, properties, |
2462 | 0 | tls->ech.aead != NULL ? tls->ech.inner_client_random : tls->client_random, |
2463 | 0 | tls->client.key_share_ctx, sni_name, tls->client.legacy_session_id, &tls->ech, NULL, |
2464 | 0 | tls->ech.client.first_ech, psk.secret, psk.identity, obfuscated_ticket_age, |
2465 | 0 | tls->key_schedule->hashes[0].algo->digest_size, cookie, tls->client.using_early_data)) != 0) |
2466 | 0 | goto Exit; |
2467 | | |
2468 | | /* update the message hash, filling in the PSK binder HMAC if necessary */ |
2469 | 0 | if (psk.secret.base != NULL) { |
2470 | 0 | size_t psk_binder_off = emitter->buf->off - (3 + tls->key_schedule->hashes[0].algo->digest_size); |
2471 | 0 | if ((ret = derive_secret_with_empty_digest(tls->key_schedule, binder_key, psk.label)) != 0) |
2472 | 0 | goto Exit; |
2473 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, emitter->buf->base + msghash_off, psk_binder_off - msghash_off, 0); |
2474 | 0 | msghash_off = psk_binder_off; |
2475 | 0 | if ((ret = calc_verify_data(emitter->buf->base + psk_binder_off + 3, tls->key_schedule, binder_key)) != 0) |
2476 | 0 | goto Exit; |
2477 | 0 | } |
2478 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, emitter->buf->base + msghash_off, emitter->buf->off - msghash_off, 0); |
2479 | | |
2480 | | /* ECH */ |
2481 | 0 | if (tls->ech.aead != NULL) { |
2482 | | /* build EncodedCHInner */ |
2483 | 0 | if ((ret = encode_client_hello(tls->ctx, &encoded_ch_inner, ENCODE_CH_MODE_ENCODED_INNER, is_second_flight, properties, |
2484 | 0 | tls->ech.inner_client_random, tls->client.key_share_ctx, sni_name, |
2485 | 0 | tls->client.legacy_session_id, &tls->ech, NULL, ptls_iovec_init(NULL, 0), psk.secret, |
2486 | 0 | psk.identity, obfuscated_ticket_age, tls->key_schedule->hashes[0].algo->digest_size, cookie, |
2487 | 0 | tls->client.using_early_data)) != 0) |
2488 | 0 | goto Exit; |
2489 | 0 | if (psk.secret.base != NULL) |
2490 | 0 | memcpy(encoded_ch_inner.base + encoded_ch_inner.off - tls->key_schedule->hashes[0].algo->digest_size, |
2491 | 0 | emitter->buf->base + emitter->buf->off - tls->key_schedule->hashes[0].algo->digest_size, |
2492 | 0 | tls->key_schedule->hashes[0].algo->digest_size); |
2493 | 0 | { /* pad EncodedCHInner (following draft-ietf-tls-esni-15 6.1.3) */ |
2494 | 0 | size_t padding_len; |
2495 | 0 | if (sni_name != NULL) { |
2496 | 0 | padding_len = strlen(sni_name); |
2497 | 0 | if (padding_len < tls->ech.client.max_name_length) |
2498 | 0 | padding_len = tls->ech.client.max_name_length; |
2499 | 0 | } else { |
2500 | 0 | padding_len = tls->ech.client.max_name_length + 9; |
2501 | 0 | } |
2502 | 0 | size_t final_len = encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE + padding_len; |
2503 | 0 | final_len = (final_len + 31) / 32 * 32; |
2504 | 0 | padding_len = final_len - (encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE); |
2505 | 0 | if (padding_len != 0) { |
2506 | 0 | if ((ret = ptls_buffer_reserve(&encoded_ch_inner, padding_len)) != 0) |
2507 | 0 | goto Exit; |
2508 | 0 | memset(encoded_ch_inner.base + encoded_ch_inner.off, 0, padding_len); |
2509 | 0 | encoded_ch_inner.off += padding_len; |
2510 | 0 | } |
2511 | 0 | } |
2512 | | /* flush CHInner, build CHOuterAAD */ |
2513 | 0 | emitter->buf->off = mess_start; |
2514 | 0 | size_t ech_payload_size = encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE + tls->ech.aead->algo->tag_size, |
2515 | 0 | ech_size_offset = ech_payload_size; |
2516 | 0 | if ((ret = encode_client_hello(tls->ctx, emitter->buf, ENCODE_CH_MODE_OUTER, is_second_flight, properties, |
2517 | 0 | tls->client_random, tls->client.key_share_ctx, tls->ech.client.public_name, |
2518 | 0 | tls->client.legacy_session_id, &tls->ech, &ech_size_offset, ptls_iovec_init(NULL, 0), |
2519 | 0 | psk.secret, psk.identity, obfuscated_ticket_age, |
2520 | 0 | tls->key_schedule->hashes[0].algo->digest_size, cookie, tls->client.using_early_data)) != 0) |
2521 | 0 | goto Exit; |
2522 | | /* overwrite ECH payload */ |
2523 | 0 | ptls_aead_encrypt(tls->ech.aead, emitter->buf->base + ech_size_offset, encoded_ch_inner.base + PTLS_HANDSHAKE_HEADER_SIZE, |
2524 | 0 | encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE, is_second_flight, |
2525 | 0 | emitter->buf->base + mess_start + PTLS_HANDSHAKE_HEADER_SIZE, |
2526 | 0 | emitter->buf->off - (mess_start + PTLS_HANDSHAKE_HEADER_SIZE)); |
2527 | | /* keep the copy of the 1st ECH extension so that we can send it again in 2nd CH in response to rejection with HRR */ |
2528 | 0 | if (!is_second_flight) { |
2529 | 0 | size_t len = outer_ech_header_size(tls->ech.client.enc.len) + ech_payload_size; |
2530 | 0 | if ((tls->ech.client.first_ech.base = malloc(len)) == NULL) { |
2531 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
2532 | 0 | goto Exit; |
2533 | 0 | } |
2534 | 0 | memcpy(tls->ech.client.first_ech.base, |
2535 | 0 | emitter->buf->base + ech_size_offset - outer_ech_header_size(tls->ech.client.enc.len), len); |
2536 | 0 | tls->ech.client.first_ech.len = len; |
2537 | 0 | if (properties->client.ech.configs.len != 0) { |
2538 | 0 | tls->ech.offered = 1; |
2539 | 0 | } else { |
2540 | 0 | tls->ech.offered_grease = 1; |
2541 | 0 | } |
2542 | 0 | } |
2543 | | /* update hash */ |
2544 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, emitter->buf->base + mess_start, emitter->buf->off - mess_start, 1); |
2545 | 0 | } |
2546 | | |
2547 | | /* commit CH to the record layer */ |
2548 | 0 | if ((ret = emitter->commit_message(emitter)) != 0) |
2549 | 0 | goto Exit; |
2550 | | |
2551 | 0 | if (tls->client.using_early_data) { |
2552 | 0 | assert(!is_second_flight); |
2553 | 0 | if ((ret = setup_traffic_protection(tls, 1, "c e traffic", 1, 0, 0)) != 0) |
2554 | 0 | goto Exit; |
2555 | 0 | if ((ret = push_change_cipher_spec(tls, emitter)) != 0) |
2556 | 0 | goto Exit; |
2557 | 0 | } |
2558 | 0 | if (psk.secret.base != NULL && !is_second_flight) { |
2559 | 0 | if ((ret = derive_exporter_secret(tls, 1)) != 0) |
2560 | 0 | goto Exit; |
2561 | 0 | } |
2562 | 0 | tls->state = cookie == NULL ? PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO : PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO; |
2563 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
2564 | |
|
2565 | 0 | Exit: |
2566 | 0 | ptls_buffer_dispose(&encoded_ch_inner); |
2567 | 0 | ptls_clear_memory(binder_key, sizeof(binder_key)); |
2568 | 0 | return ret; |
2569 | 0 | } |
2570 | | |
2571 | | ptls_cipher_suite_t *ptls_find_cipher_suite(ptls_cipher_suite_t **cipher_suites, uint16_t id) |
2572 | 0 | { |
2573 | 0 | ptls_cipher_suite_t **cs; |
2574 | 0 | if (cipher_suites == NULL) |
2575 | 0 | return NULL; |
2576 | 0 | for (cs = cipher_suites; *cs != NULL && (*cs)->id != id; ++cs) |
2577 | 0 | ; |
2578 | 0 | return *cs; |
2579 | 0 | } |
2580 | | |
2581 | | static int decode_server_hello(ptls_t *tls, struct st_ptls_server_hello_t *sh, const uint8_t *src, const uint8_t *const end) |
2582 | 0 | { |
2583 | 0 | int ret; |
2584 | |
|
2585 | 0 | *sh = (struct st_ptls_server_hello_t){{0}}; |
2586 | | |
2587 | | /* ignore legacy-version */ |
2588 | 0 | if (end - src < 2) { |
2589 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
2590 | 0 | goto Exit; |
2591 | 0 | } |
2592 | 0 | src += 2; |
2593 | | |
2594 | | /* random */ |
2595 | 0 | if (end - src < PTLS_HELLO_RANDOM_SIZE) { |
2596 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
2597 | 0 | goto Exit; |
2598 | 0 | } |
2599 | 0 | sh->is_retry_request = memcmp(src, hello_retry_random, PTLS_HELLO_RANDOM_SIZE) == 0; |
2600 | 0 | src += PTLS_HELLO_RANDOM_SIZE; |
2601 | | |
2602 | | /* legacy_session_id */ |
2603 | 0 | ptls_decode_open_block(src, end, 1, { |
2604 | 0 | if (end - src > 32) { |
2605 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
2606 | 0 | goto Exit; |
2607 | 0 | } |
2608 | 0 | sh->legacy_session_id = ptls_iovec_init(src, end - src); |
2609 | 0 | src = end; |
2610 | 0 | }); |
2611 | | |
2612 | 0 | { /* select cipher_suite */ |
2613 | 0 | uint16_t csid; |
2614 | 0 | if ((ret = ptls_decode16(&csid, &src, end)) != 0) |
2615 | 0 | goto Exit; |
2616 | 0 | if ((tls->cipher_suite = ptls_find_cipher_suite(tls->ctx->cipher_suites, csid)) == NULL) { |
2617 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2618 | 0 | goto Exit; |
2619 | 0 | } |
2620 | 0 | } |
2621 | | |
2622 | 0 | { /* legacy_compression_method */ |
2623 | 0 | uint8_t method; |
2624 | 0 | if ((ret = ptls_decode8(&method, &src, end)) != 0) |
2625 | 0 | goto Exit; |
2626 | 0 | if (method != 0) { |
2627 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2628 | 0 | goto Exit; |
2629 | 0 | } |
2630 | 0 | } |
2631 | | |
2632 | 0 | if (sh->is_retry_request) |
2633 | 0 | sh->retry_request.selected_group = UINT16_MAX; |
2634 | |
|
2635 | 0 | uint16_t exttype, found_version = UINT16_MAX, selected_psk_identity = UINT16_MAX; |
2636 | 0 | decode_extensions(src, end, sh->is_retry_request ? PTLS_HANDSHAKE_TYPE_PSEUDO_HRR : PTLS_HANDSHAKE_TYPE_SERVER_HELLO, &exttype, |
2637 | 0 | { |
2638 | 0 | if (tls->ctx->on_extension != NULL && |
2639 | 0 | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_SERVER_HELLO, |
2640 | 0 | exttype, ptls_iovec_init(src, end - src)) != 0)) |
2641 | 0 | goto Exit; |
2642 | 0 | switch (exttype) { |
2643 | 0 | case PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS: |
2644 | 0 | if ((ret = ptls_decode16(&found_version, &src, end)) != 0) |
2645 | 0 | goto Exit; |
2646 | 0 | break; |
2647 | 0 | case PTLS_EXTENSION_TYPE_KEY_SHARE: |
2648 | 0 | if (tls->ctx->key_exchanges == NULL) { |
2649 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
2650 | 0 | goto Exit; |
2651 | 0 | } |
2652 | 0 | if (sh->is_retry_request) { |
2653 | 0 | if ((ret = ptls_decode16(&sh->retry_request.selected_group, &src, end)) != 0) |
2654 | 0 | goto Exit; |
2655 | 0 | } else { |
2656 | 0 | uint16_t group; |
2657 | 0 | if ((ret = decode_key_share_entry(&group, &sh->peerkey, &src, end)) != 0) |
2658 | 0 | goto Exit; |
2659 | 0 | if (src != end) { |
2660 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
2661 | 0 | goto Exit; |
2662 | 0 | } |
2663 | 0 | if (tls->key_share == NULL || tls->key_share->id != group) { |
2664 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2665 | 0 | goto Exit; |
2666 | 0 | } |
2667 | 0 | } |
2668 | 0 | break; |
2669 | 0 | case PTLS_EXTENSION_TYPE_COOKIE: |
2670 | 0 | assert(sh->is_retry_request); |
2671 | 0 | ptls_decode_block(src, end, 2, { |
2672 | 0 | if (src == end) { |
2673 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
2674 | 0 | goto Exit; |
2675 | 0 | } |
2676 | 0 | sh->retry_request.cookie = ptls_iovec_init(src, end - src); |
2677 | 0 | src = end; |
2678 | 0 | }); |
2679 | 0 | break; |
2680 | 0 | case PTLS_EXTENSION_TYPE_PRE_SHARED_KEY: |
2681 | 0 | assert(!sh->is_retry_request); |
2682 | 0 | if ((ret = ptls_decode16(&selected_psk_identity, &src, end)) != 0) |
2683 | 0 | goto Exit; |
2684 | 0 | break; |
2685 | 0 | case PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO: |
2686 | 0 | assert(sh->is_retry_request); |
2687 | 0 | if (!(tls->ech.offered || tls->ech.offered_grease)) { |
2688 | 0 | ret = PTLS_ALERT_UNSUPPORTED_EXTENSION; |
2689 | 0 | goto Exit; |
2690 | 0 | } |
2691 | 0 | if (end - src != PTLS_ECH_CONFIRM_LENGTH) { |
2692 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
2693 | 0 | goto Exit; |
2694 | 0 | } |
2695 | 0 | sh->retry_request.ech = src; |
2696 | 0 | src = end; |
2697 | 0 | break; |
2698 | 0 | default: |
2699 | 0 | src = end; |
2700 | 0 | break; |
2701 | 0 | } |
2702 | 0 | }); |
2703 | | |
2704 | 0 | if (!is_supported_version(found_version)) { |
2705 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2706 | 0 | goto Exit; |
2707 | 0 | } |
2708 | 0 | if (!sh->is_retry_request) { |
2709 | 0 | if (selected_psk_identity != UINT16_MAX) { |
2710 | 0 | if (!tls->client.offered_psk) { |
2711 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2712 | 0 | goto Exit; |
2713 | 0 | } |
2714 | 0 | if (selected_psk_identity != 0) { |
2715 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2716 | 0 | goto Exit; |
2717 | 0 | } |
2718 | 0 | tls->is_psk_handshake = 1; |
2719 | 0 | } |
2720 | 0 | if (sh->peerkey.base == NULL && !tls->is_psk_handshake) { |
2721 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2722 | 0 | goto Exit; |
2723 | 0 | } |
2724 | 0 | } |
2725 | | |
2726 | 0 | ret = 0; |
2727 | 0 | Exit: |
2728 | 0 | return ret; |
2729 | 0 | } |
2730 | | |
2731 | | static int handle_hello_retry_request(ptls_t *tls, ptls_message_emitter_t *emitter, struct st_ptls_server_hello_t *sh, |
2732 | | ptls_iovec_t message, ptls_handshake_properties_t *properties) |
2733 | 0 | { |
2734 | 0 | int ret; |
2735 | |
|
2736 | 0 | if (tls->client.key_share_ctx != NULL) { |
2737 | 0 | tls->client.key_share_ctx->on_exchange(&tls->client.key_share_ctx, 1, NULL, ptls_iovec_init(NULL, 0)); |
2738 | 0 | tls->client.key_share_ctx = NULL; |
2739 | 0 | } |
2740 | 0 | if (tls->client.using_early_data) { |
2741 | | /* release traffic encryption key so that 2nd CH goes out in cleartext, but keep the epoch at 1 since we've already |
2742 | | * called derive-secret */ |
2743 | 0 | if (tls->ctx->update_traffic_key == NULL) { |
2744 | 0 | assert(tls->traffic_protection.enc.aead != NULL); |
2745 | 0 | ptls_aead_free(tls->traffic_protection.enc.aead); |
2746 | 0 | tls->traffic_protection.enc.aead = NULL; |
2747 | 0 | } |
2748 | 0 | tls->client.using_early_data = 0; |
2749 | 0 | } |
2750 | | |
2751 | 0 | if (sh->retry_request.selected_group != UINT16_MAX) { |
2752 | | /* we offer the first key_exchanges[0] as KEY_SHARE unless client.negotiate_before_key_exchange is set */ |
2753 | 0 | ptls_key_exchange_algorithm_t **cand; |
2754 | 0 | for (cand = tls->ctx->key_exchanges; *cand != NULL; ++cand) |
2755 | 0 | if ((*cand)->id == sh->retry_request.selected_group) |
2756 | 0 | break; |
2757 | 0 | if (*cand == NULL) { |
2758 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2759 | 0 | goto Exit; |
2760 | 0 | } |
2761 | 0 | tls->key_share = *cand; |
2762 | 0 | } else if (tls->key_share != NULL) { |
2763 | | /* retain the key-share using in first CH, if server does not specify one */ |
2764 | 0 | } else { |
2765 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2766 | 0 | goto Exit; |
2767 | 0 | } |
2768 | | |
2769 | 0 | ret = send_client_hello(tls, emitter, properties, &sh->retry_request.cookie); |
2770 | |
|
2771 | 0 | Exit: |
2772 | 0 | return ret; |
2773 | 0 | } |
2774 | | |
2775 | | static int client_ech_select_hello(ptls_t *tls, ptls_iovec_t message, size_t confirm_hash_off, const char *label) |
2776 | 0 | { |
2777 | 0 | uint8_t confirm_hash_delivered[PTLS_ECH_CONFIRM_LENGTH], confirm_hash_expected[PTLS_ECH_CONFIRM_LENGTH]; |
2778 | 0 | int ret = 0; |
2779 | | |
2780 | | /* Determine if ECH has been accepted by checking the confirmation hash. `confirm_hash_off` set to zero indicates that HRR was |
2781 | | * received wo. ECH extension, which is an indication that ECH was rejected. */ |
2782 | 0 | if (confirm_hash_off != 0) { |
2783 | 0 | memcpy(confirm_hash_delivered, message.base + confirm_hash_off, sizeof(confirm_hash_delivered)); |
2784 | 0 | memset(message.base + confirm_hash_off, 0, sizeof(confirm_hash_delivered)); |
2785 | 0 | if ((ret = ech_calc_confirmation(tls->key_schedule, confirm_hash_expected, tls->ech.inner_client_random, label, message)) != |
2786 | 0 | 0) |
2787 | 0 | goto Exit; |
2788 | 0 | tls->ech.accepted = ptls_mem_equal(confirm_hash_delivered, confirm_hash_expected, sizeof(confirm_hash_delivered)); |
2789 | 0 | memcpy(message.base + confirm_hash_off, confirm_hash_delivered, sizeof(confirm_hash_delivered)); |
2790 | 0 | if (tls->ech.accepted) |
2791 | 0 | goto Exit; |
2792 | 0 | } |
2793 | | |
2794 | | /* dispose ECH AEAD state to indicate rejection, adopting outer CH for the rest of the handshake */ |
2795 | 0 | ptls_aead_free(tls->ech.aead); |
2796 | 0 | tls->ech.aead = NULL; |
2797 | 0 | key_schedule_select_outer(tls->key_schedule); |
2798 | |
|
2799 | 0 | Exit: |
2800 | 0 | PTLS_PROBE(ECH_SELECTION, tls, !!tls->ech.accepted); |
2801 | 0 | PTLS_LOG_CONN(ech_selection, tls, { PTLS_LOG_ELEMENT_BOOL(is_ech, tls->ech.accepted); }); |
2802 | 0 | ptls_clear_memory(confirm_hash_expected, sizeof(confirm_hash_expected)); |
2803 | 0 | return ret; |
2804 | 0 | } |
2805 | | |
2806 | | static int client_handle_hello(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, |
2807 | | ptls_handshake_properties_t *properties) |
2808 | 0 | { |
2809 | 0 | struct st_ptls_server_hello_t sh; |
2810 | 0 | ptls_iovec_t ecdh_secret = {NULL}; |
2811 | 0 | int ret; |
2812 | |
|
2813 | 0 | if ((ret = decode_server_hello(tls, &sh, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len)) != 0) |
2814 | 0 | goto Exit; |
2815 | 0 | if (!(sh.legacy_session_id.len == tls->client.legacy_session_id.len && |
2816 | 0 | ptls_mem_equal(sh.legacy_session_id.base, tls->client.legacy_session_id.base, tls->client.legacy_session_id.len))) { |
2817 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2818 | 0 | goto Exit; |
2819 | 0 | } |
2820 | | |
2821 | 0 | if (sh.is_retry_request) { |
2822 | 0 | if ((ret = key_schedule_select_cipher(tls->key_schedule, tls->cipher_suite, 0, tls->ctx->pre_shared_key.secret)) != 0) |
2823 | 0 | goto Exit; |
2824 | 0 | key_schedule_transform_post_ch1hash(tls->key_schedule); |
2825 | 0 | if (tls->ech.aead != NULL) { |
2826 | 0 | size_t confirm_hash_off = 0; |
2827 | 0 | if (tls->ech.offered) { |
2828 | 0 | if (sh.retry_request.ech != NULL) |
2829 | 0 | confirm_hash_off = sh.retry_request.ech - message.base; |
2830 | 0 | } else { |
2831 | 0 | assert(tls->ech.offered_grease); |
2832 | 0 | } |
2833 | 0 | if ((ret = client_ech_select_hello(tls, message, confirm_hash_off, ECH_CONFIRMATION_HRR)) != 0) |
2834 | 0 | goto Exit; |
2835 | 0 | } |
2836 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
2837 | 0 | return handle_hello_retry_request(tls, emitter, &sh, message, properties); |
2838 | 0 | } |
2839 | | |
2840 | 0 | if ((ret = key_schedule_select_cipher(tls->key_schedule, tls->cipher_suite, tls->client.offered_psk && !tls->is_psk_handshake, |
2841 | 0 | ptls_iovec_init(NULL, 0))) != 0) |
2842 | 0 | goto Exit; |
2843 | | |
2844 | | /* check if ECH is accepted */ |
2845 | 0 | if (tls->ech.aead != NULL) { |
2846 | 0 | size_t confirm_hash_off = 0; |
2847 | 0 | if (tls->ech.offered) { |
2848 | 0 | confirm_hash_off = |
2849 | 0 | PTLS_HANDSHAKE_HEADER_SIZE + 2 /* legacy_version */ + PTLS_HELLO_RANDOM_SIZE - PTLS_ECH_CONFIRM_LENGTH; |
2850 | 0 | } else { |
2851 | 0 | assert(tls->ech.offered_grease); |
2852 | 0 | } |
2853 | 0 | if ((ret = client_ech_select_hello(tls, message, confirm_hash_off, ECH_CONFIRMATION_SERVER_HELLO)) != 0) |
2854 | 0 | goto Exit; |
2855 | 0 | } |
2856 | | |
2857 | | /* clear sensitive and space-consuming ECH state, now that are done with handling sending and decoding Hellos */ |
2858 | 0 | clear_ech(&tls->ech, 0); |
2859 | 0 | if (tls->key_schedule->hashes[0].ctx_outer != NULL) { |
2860 | 0 | tls->key_schedule->hashes[0].ctx_outer->final(tls->key_schedule->hashes[0].ctx_outer, NULL, PTLS_HASH_FINAL_MODE_FREE); |
2861 | 0 | tls->key_schedule->hashes[0].ctx_outer = NULL; |
2862 | 0 | } |
2863 | | |
2864 | | /* if the client offered external PSK but the server did not use that, we call it a handshake failure */ |
2865 | 0 | if (tls->ctx->pre_shared_key.identity.base != NULL && !tls->is_psk_handshake) { |
2866 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
2867 | 0 | goto Exit; |
2868 | 0 | } |
2869 | | |
2870 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
2871 | |
|
2872 | 0 | if (sh.peerkey.base != NULL) { |
2873 | 0 | if ((ret = tls->client.key_share_ctx->on_exchange(&tls->client.key_share_ctx, 1, &ecdh_secret, sh.peerkey)) != 0) { |
2874 | 0 | assert(ecdh_secret.base == NULL); |
2875 | 0 | goto Exit; |
2876 | 0 | } |
2877 | 0 | } |
2878 | | |
2879 | 0 | if ((ret = key_schedule_extract(tls->key_schedule, ecdh_secret)) != 0) |
2880 | 0 | goto Exit; |
2881 | 0 | if ((ret = setup_traffic_protection(tls, 0, "s hs traffic", 2, 0, 0)) != 0) |
2882 | 0 | goto Exit; |
2883 | 0 | if (tls->client.using_early_data) { |
2884 | 0 | if ((tls->pending_handshake_secret = malloc(PTLS_MAX_DIGEST_SIZE)) == NULL) { |
2885 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
2886 | 0 | goto Exit; |
2887 | 0 | } |
2888 | 0 | if ((ret = derive_secret(tls->key_schedule, tls->pending_handshake_secret, "c hs traffic")) != 0) |
2889 | 0 | goto Exit; |
2890 | 0 | if (tls->ctx->update_traffic_key != NULL && |
2891 | 0 | (ret = tls->ctx->update_traffic_key->cb(tls->ctx->update_traffic_key, tls, 1, 2, tls->pending_handshake_secret)) != 0) |
2892 | 0 | goto Exit; |
2893 | 0 | } else { |
2894 | 0 | if ((ret = setup_traffic_protection(tls, 1, "c hs traffic", 2, 0, 0)) != 0) |
2895 | 0 | goto Exit; |
2896 | 0 | } |
2897 | | |
2898 | 0 | tls->state = PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS; |
2899 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
2900 | |
|
2901 | 0 | Exit: |
2902 | 0 | if (ecdh_secret.base != NULL) { |
2903 | 0 | ptls_clear_memory(ecdh_secret.base, ecdh_secret.len); |
2904 | 0 | free(ecdh_secret.base); |
2905 | 0 | } |
2906 | 0 | return ret; |
2907 | 0 | } |
2908 | | |
2909 | | static int should_collect_unknown_extension(ptls_t *tls, ptls_handshake_properties_t *properties, uint16_t type) |
2910 | 0 | { |
2911 | 0 | return properties != NULL && properties->collect_extension != NULL && properties->collect_extension(tls, properties, type); |
2912 | 0 | } |
2913 | | |
2914 | | static int collect_unknown_extension(ptls_t *tls, uint16_t type, const uint8_t *src, const uint8_t *const end, |
2915 | | ptls_raw_extension_t *slots) |
2916 | 0 | { |
2917 | 0 | size_t i; |
2918 | 0 | for (i = 0; slots[i].type != UINT16_MAX; ++i) { |
2919 | 0 | assert(i < MAX_UNKNOWN_EXTENSIONS); |
2920 | 0 | if (slots[i].type == type) |
2921 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
2922 | 0 | } |
2923 | 0 | if (i < MAX_UNKNOWN_EXTENSIONS) { |
2924 | 0 | slots[i].type = type; |
2925 | 0 | slots[i].data = ptls_iovec_init(src, end - src); |
2926 | 0 | slots[i + 1].type = UINT16_MAX; |
2927 | 0 | } |
2928 | 0 | return 0; |
2929 | 0 | } |
2930 | | |
2931 | | static int report_unknown_extensions(ptls_t *tls, ptls_handshake_properties_t *properties, ptls_raw_extension_t *slots) |
2932 | 0 | { |
2933 | 0 | if (properties != NULL && properties->collect_extension != NULL) { |
2934 | 0 | assert(properties->collected_extensions != NULL); |
2935 | 0 | return properties->collected_extensions(tls, properties, slots); |
2936 | 0 | } else { |
2937 | 0 | return 0; |
2938 | 0 | } |
2939 | 0 | } |
2940 | | |
2941 | | static int client_handle_encrypted_extensions(ptls_t *tls, ptls_iovec_t message, ptls_handshake_properties_t *properties) |
2942 | 0 | { |
2943 | 0 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
2944 | 0 | uint16_t type; |
2945 | 0 | static const ptls_raw_extension_t no_unknown_extensions = {UINT16_MAX}; |
2946 | 0 | ptls_raw_extension_t *unknown_extensions = (ptls_raw_extension_t *)&no_unknown_extensions; |
2947 | 0 | int ret, skip_early_data = 1; |
2948 | 0 | uint8_t server_offered_cert_type = PTLS_CERTIFICATE_TYPE_X509; |
2949 | |
|
2950 | 0 | decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS, &type, { |
2951 | 0 | if (tls->ctx->on_extension != NULL && |
2952 | 0 | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS, type, |
2953 | 0 | ptls_iovec_init(src, end - src)) != 0)) |
2954 | 0 | goto Exit; |
2955 | 0 | switch (type) { |
2956 | 0 | case PTLS_EXTENSION_TYPE_SERVER_NAME: |
2957 | 0 | if (src != end) { |
2958 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
2959 | 0 | goto Exit; |
2960 | 0 | } |
2961 | 0 | if (!(tls->server_name != NULL && !ptls_server_name_is_ipaddr(tls->server_name))) { |
2962 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2963 | 0 | goto Exit; |
2964 | 0 | } |
2965 | 0 | break; |
2966 | 0 | case PTLS_EXTENSION_TYPE_ALPN: |
2967 | 0 | ptls_decode_block(src, end, 2, { |
2968 | 0 | ptls_decode_open_block(src, end, 1, { |
2969 | 0 | if (src == end) { |
2970 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
2971 | 0 | goto Exit; |
2972 | 0 | } |
2973 | 0 | if ((ret = ptls_set_negotiated_protocol(tls, (const char *)src, end - src)) != 0) |
2974 | 0 | goto Exit; |
2975 | 0 | src = end; |
2976 | 0 | }); |
2977 | 0 | if (src != end) { |
2978 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
2979 | 0 | goto Exit; |
2980 | 0 | } |
2981 | 0 | }); |
2982 | 0 | break; |
2983 | 0 | case PTLS_EXTENSION_TYPE_EARLY_DATA: |
2984 | 0 | if (!tls->client.using_early_data) { |
2985 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2986 | 0 | goto Exit; |
2987 | 0 | } |
2988 | 0 | skip_early_data = 0; |
2989 | 0 | break; |
2990 | 0 | case PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE: |
2991 | 0 | if (end - src != 1) { |
2992 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
2993 | 0 | goto Exit; |
2994 | 0 | } |
2995 | 0 | server_offered_cert_type = *src; |
2996 | 0 | src = end; |
2997 | 0 | break; |
2998 | 0 | case PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO: { |
2999 | | /* accept retry_configs only if we offered ECH but rejected */ |
3000 | 0 | if (!((tls->ech.offered || tls->ech.offered_grease) && !ptls_is_ech_handshake(tls, NULL, NULL, NULL))) { |
3001 | 0 | ret = PTLS_ALERT_UNSUPPORTED_EXTENSION; |
3002 | 0 | goto Exit; |
3003 | 0 | } |
3004 | | /* parse retry_config, and if it is applicable, provide that to the application */ |
3005 | 0 | struct st_decoded_ech_config_t decoded; |
3006 | 0 | if ((ret = client_decode_ech_config_list(tls->ctx, &decoded, ptls_iovec_init(src, end - src))) != 0) |
3007 | 0 | goto Exit; |
3008 | 0 | if (decoded.kem != NULL && decoded.cipher != NULL && properties != NULL && |
3009 | 0 | properties->client.ech.retry_configs != NULL) { |
3010 | 0 | if ((properties->client.ech.retry_configs->base = malloc(end - src)) == NULL) { |
3011 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
3012 | 0 | goto Exit; |
3013 | 0 | } |
3014 | 0 | memcpy(properties->client.ech.retry_configs->base, src, end - src); |
3015 | 0 | properties->client.ech.retry_configs->len = end - src; |
3016 | 0 | } |
3017 | 0 | src = end; |
3018 | 0 | } break; |
3019 | 0 | default: |
3020 | 0 | if (should_collect_unknown_extension(tls, properties, type)) { |
3021 | 0 | if (unknown_extensions == &no_unknown_extensions) { |
3022 | 0 | if ((unknown_extensions = malloc(sizeof(*unknown_extensions) * (MAX_UNKNOWN_EXTENSIONS + 1))) == NULL) { |
3023 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
3024 | 0 | goto Exit; |
3025 | 0 | } |
3026 | 0 | unknown_extensions[0].type = UINT16_MAX; |
3027 | 0 | } |
3028 | 0 | if ((ret = collect_unknown_extension(tls, type, src, end, unknown_extensions)) != 0) |
3029 | 0 | goto Exit; |
3030 | 0 | } |
3031 | 0 | break; |
3032 | 0 | } |
3033 | 0 | src = end; |
3034 | 0 | }); |
3035 | | |
3036 | 0 | if (server_offered_cert_type != |
3037 | 0 | (tls->ctx->use_raw_public_keys ? PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY : PTLS_CERTIFICATE_TYPE_X509)) { |
3038 | 0 | ret = PTLS_ALERT_UNSUPPORTED_CERTIFICATE; |
3039 | 0 | goto Exit; |
3040 | 0 | } |
3041 | | |
3042 | 0 | if (tls->client.using_early_data) { |
3043 | 0 | if (skip_early_data) |
3044 | 0 | tls->client.using_early_data = 0; |
3045 | 0 | if (properties != NULL) |
3046 | 0 | properties->client.early_data_acceptance = skip_early_data ? PTLS_EARLY_DATA_REJECTED : PTLS_EARLY_DATA_ACCEPTED; |
3047 | 0 | } |
3048 | 0 | if ((ret = report_unknown_extensions(tls, properties, unknown_extensions)) != 0) |
3049 | 0 | goto Exit; |
3050 | | |
3051 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3052 | 0 | tls->state = |
3053 | 0 | tls->is_psk_handshake ? PTLS_STATE_CLIENT_EXPECT_FINISHED : PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE; |
3054 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
3055 | |
|
3056 | 0 | Exit: |
3057 | 0 | if (unknown_extensions != &no_unknown_extensions) |
3058 | 0 | free(unknown_extensions); |
3059 | 0 | return ret; |
3060 | 0 | } |
3061 | | |
3062 | | static int decode_certificate_request(ptls_t *tls, struct st_ptls_certificate_request_t *cr, const uint8_t *src, |
3063 | | const uint8_t *const end) |
3064 | 0 | { |
3065 | 0 | int ret; |
3066 | 0 | uint16_t exttype = 0; |
3067 | | |
3068 | | /* certificate request context */ |
3069 | 0 | ptls_decode_open_block(src, end, 1, { |
3070 | 0 | size_t len = end - src; |
3071 | 0 | if (len > 255) { |
3072 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3073 | 0 | goto Exit; |
3074 | 0 | } |
3075 | 0 | if ((cr->context.base = malloc(len != 0 ? len : 1)) == NULL) { |
3076 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
3077 | 0 | goto Exit; |
3078 | 0 | } |
3079 | 0 | cr->context.len = len; |
3080 | 0 | memcpy(cr->context.base, src, len); |
3081 | 0 | src = end; |
3082 | 0 | }); |
3083 | | |
3084 | | /* decode extensions */ |
3085 | 0 | decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST, &exttype, { |
3086 | 0 | if (tls->ctx->on_extension != NULL && |
3087 | 0 | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST, exttype, |
3088 | 0 | ptls_iovec_init(src, end - src)) != 0)) |
3089 | 0 | goto Exit; |
3090 | 0 | switch (exttype) { |
3091 | 0 | case PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS: |
3092 | 0 | if ((ret = decode_signature_algorithms(&cr->signature_algorithms, &src, end)) != 0) |
3093 | 0 | goto Exit; |
3094 | 0 | break; |
3095 | 0 | } |
3096 | 0 | src = end; |
3097 | 0 | }); |
3098 | | |
3099 | 0 | if (cr->signature_algorithms.count == 0) { |
3100 | 0 | ret = PTLS_ALERT_MISSING_EXTENSION; |
3101 | 0 | goto Exit; |
3102 | 0 | } |
3103 | | |
3104 | 0 | ret = 0; |
3105 | 0 | Exit: |
3106 | 0 | return ret; |
3107 | 0 | } |
3108 | | |
3109 | | int ptls_build_certificate_message(ptls_buffer_t *buf, ptls_iovec_t context, ptls_iovec_t *certificates, size_t num_certificates, |
3110 | | ptls_iovec_t ocsp_status) |
3111 | 0 | { |
3112 | 0 | int ret; |
3113 | |
|
3114 | 0 | ptls_buffer_push_block(buf, 1, { ptls_buffer_pushv(buf, context.base, context.len); }); |
3115 | 0 | ptls_buffer_push_block(buf, 3, { |
3116 | 0 | size_t i; |
3117 | 0 | for (i = 0; i != num_certificates; ++i) { |
3118 | 0 | ptls_buffer_push_block(buf, 3, { ptls_buffer_pushv(buf, certificates[i].base, certificates[i].len); }); |
3119 | 0 | ptls_buffer_push_block(buf, 2, { |
3120 | 0 | if (i == 0 && ocsp_status.len != 0) { |
3121 | 0 | buffer_push_extension(buf, PTLS_EXTENSION_TYPE_STATUS_REQUEST, { |
3122 | 0 | ptls_buffer_push(buf, 1); /* status_type == ocsp */ |
3123 | 0 | ptls_buffer_push_block(buf, 3, { ptls_buffer_pushv(buf, ocsp_status.base, ocsp_status.len); }); |
3124 | 0 | }); |
3125 | 0 | } |
3126 | 0 | }); |
3127 | 0 | } |
3128 | 0 | }); |
3129 | | |
3130 | 0 | ret = 0; |
3131 | 0 | Exit: |
3132 | 0 | return ret; |
3133 | 0 | } |
3134 | | |
3135 | | static int default_emit_certificate_cb(ptls_emit_certificate_t *_self, ptls_t *tls, ptls_message_emitter_t *emitter, |
3136 | | ptls_key_schedule_t *key_sched, ptls_iovec_t context, int push_status_request, |
3137 | | const uint16_t *compress_algos, size_t num_compress_algos) |
3138 | 0 | { |
3139 | 0 | int ret; |
3140 | |
|
3141 | 0 | ptls_push_message(emitter, key_sched, PTLS_HANDSHAKE_TYPE_CERTIFICATE, { |
3142 | 0 | if ((ret = ptls_build_certificate_message(emitter->buf, context, tls->ctx->certificates.list, tls->ctx->certificates.count, |
3143 | 0 | ptls_iovec_init(NULL, 0))) != 0) |
3144 | 0 | goto Exit; |
3145 | 0 | }); |
3146 | | |
3147 | 0 | ret = 0; |
3148 | 0 | Exit: |
3149 | 0 | return ret; |
3150 | 0 | } |
3151 | | |
3152 | | static int send_certificate(ptls_t *tls, ptls_message_emitter_t *emitter, |
3153 | | struct st_ptls_signature_algorithms_t *signature_algorithms, ptls_iovec_t context, |
3154 | | int push_status_request, const uint16_t *compress_algos, size_t num_compress_algos) |
3155 | 0 | { |
3156 | 0 | int ret; |
3157 | |
|
3158 | 0 | if (signature_algorithms->count == 0) { |
3159 | 0 | ret = PTLS_ALERT_MISSING_EXTENSION; |
3160 | 0 | goto Exit; |
3161 | 0 | } |
3162 | | |
3163 | 0 | { /* send Certificate (or the equivalent) */ |
3164 | 0 | static ptls_emit_certificate_t default_emit_certificate = {default_emit_certificate_cb}; |
3165 | 0 | ptls_emit_certificate_t *emit_certificate = |
3166 | 0 | tls->ctx->emit_certificate != NULL ? tls->ctx->emit_certificate : &default_emit_certificate; |
3167 | 0 | Redo: |
3168 | 0 | if ((ret = emit_certificate->cb(emit_certificate, tls, emitter, tls->key_schedule, context, push_status_request, |
3169 | 0 | compress_algos, num_compress_algos)) != 0) { |
3170 | 0 | if (ret == PTLS_ERROR_DELEGATE) { |
3171 | 0 | assert(emit_certificate != &default_emit_certificate); |
3172 | 0 | emit_certificate = &default_emit_certificate; |
3173 | 0 | goto Redo; |
3174 | 0 | } |
3175 | 0 | goto Exit; |
3176 | 0 | } |
3177 | 0 | } |
3178 | | |
3179 | 0 | Exit: |
3180 | 0 | return ret; |
3181 | 0 | } |
3182 | | |
3183 | | static int send_certificate_verify(ptls_t *tls, ptls_message_emitter_t *emitter, |
3184 | | struct st_ptls_signature_algorithms_t *signature_algorithms, const char *context_string) |
3185 | 0 | { |
3186 | 0 | size_t start_off = emitter->buf->off; |
3187 | 0 | int ret; |
3188 | |
|
3189 | 0 | if (tls->ctx->sign_certificate == NULL) |
3190 | 0 | return 0; |
3191 | | /* build and send CertificateVerify */ |
3192 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY, { |
3193 | 0 | ptls_buffer_t *sendbuf = emitter->buf; |
3194 | 0 | size_t algo_off = sendbuf->off; |
3195 | 0 | ptls_buffer_push16(sendbuf, 0); /* filled in later */ |
3196 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
3197 | 0 | uint16_t algo; |
3198 | 0 | uint8_t data[PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE]; |
3199 | 0 | size_t datalen = build_certificate_verify_signdata(data, tls->key_schedule, context_string); |
3200 | 0 | if ((ret = tls->ctx->sign_certificate->cb( |
3201 | 0 | tls->ctx->sign_certificate, tls, tls->is_server ? &tls->server.async_job : NULL, &algo, sendbuf, |
3202 | 0 | ptls_iovec_init(data, datalen), signature_algorithms != NULL ? signature_algorithms->list : NULL, |
3203 | 0 | signature_algorithms != NULL ? signature_algorithms->count : 0)) != 0) { |
3204 | 0 | if (ret == PTLS_ERROR_ASYNC_OPERATION) { |
3205 | 0 | assert(tls->is_server || !"async operation only supported on the server-side"); |
3206 | 0 | assert(tls->server.async_job != NULL); |
3207 | | /* Reset the output to the end of the previous handshake message. CertificateVerify will be rebuilt when the |
3208 | | * async operation completes. */ |
3209 | 0 | emitter->buf->off = start_off; |
3210 | 0 | } else { |
3211 | 0 | assert(tls->server.async_job == NULL); |
3212 | 0 | } |
3213 | 0 | goto Exit; |
3214 | 0 | } |
3215 | 0 | assert(tls->server.async_job == NULL); |
3216 | 0 | sendbuf->base[algo_off] = (uint8_t)(algo >> 8); |
3217 | 0 | sendbuf->base[algo_off + 1] = (uint8_t)algo; |
3218 | 0 | }); |
3219 | 0 | }); |
3220 | 0 | Exit: |
3221 | 0 | return ret; |
3222 | 0 | } |
3223 | | |
3224 | | static int client_handle_certificate_request(ptls_t *tls, ptls_iovec_t message, ptls_handshake_properties_t *properties) |
3225 | 0 | { |
3226 | 0 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
3227 | 0 | int ret = 0; |
3228 | |
|
3229 | 0 | assert(!tls->is_psk_handshake && "state machine asserts that this message is never delivered when PSK is used"); |
3230 | | |
3231 | 0 | if ((ret = decode_certificate_request(tls, &tls->client.certificate_request, src, end)) != 0) |
3232 | 0 | return ret; |
3233 | | |
3234 | | /* This field SHALL be zero length unless used for the post-handshake authentication exchanges (section 4.3.2) */ |
3235 | 0 | if (tls->client.certificate_request.context.len != 0) |
3236 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
3237 | | |
3238 | 0 | tls->state = PTLS_STATE_CLIENT_EXPECT_CERTIFICATE; |
3239 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3240 | |
|
3241 | 0 | return PTLS_ERROR_IN_PROGRESS; |
3242 | 0 | } |
3243 | | |
3244 | | static int handle_certificate(ptls_t *tls, const uint8_t *src, const uint8_t *end, int *got_certs) |
3245 | 0 | { |
3246 | 0 | ptls_iovec_t certs[16]; |
3247 | 0 | size_t num_certs = 0; |
3248 | 0 | int ret = 0; |
3249 | | |
3250 | | /* certificate request context */ |
3251 | 0 | ptls_decode_open_block(src, end, 1, { |
3252 | 0 | if (src != end) { |
3253 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3254 | 0 | goto Exit; |
3255 | 0 | } |
3256 | 0 | }); |
3257 | | /* certificate_list */ |
3258 | 0 | ptls_decode_block(src, end, 3, { |
3259 | 0 | while (src != end) { |
3260 | 0 | ptls_decode_open_block(src, end, 3, { |
3261 | 0 | if (num_certs < PTLS_ELEMENTSOF(certs)) |
3262 | 0 | certs[num_certs++] = ptls_iovec_init(src, end - src); |
3263 | 0 | src = end; |
3264 | 0 | }); |
3265 | 0 | uint16_t type; |
3266 | 0 | decode_open_extensions(src, end, PTLS_HANDSHAKE_TYPE_CERTIFICATE, &type, { |
3267 | 0 | if (tls->ctx->on_extension != NULL && |
3268 | 0 | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_CERTIFICATE, type, |
3269 | 0 | ptls_iovec_init(src, end - src)) != 0)) |
3270 | 0 | goto Exit; |
3271 | 0 | src = end; |
3272 | 0 | }); |
3273 | 0 | } |
3274 | 0 | }); |
3275 | | |
3276 | 0 | if (tls->ctx->verify_certificate != NULL) { |
3277 | 0 | const char *server_name = NULL; |
3278 | 0 | if (!ptls_is_server(tls)) { |
3279 | 0 | if (tls->ech.offered && !ptls_is_ech_handshake(tls, NULL, NULL, NULL)) { |
3280 | 0 | server_name = tls->ech.client.public_name; |
3281 | 0 | } else { |
3282 | 0 | server_name = tls->server_name; |
3283 | 0 | } |
3284 | 0 | } |
3285 | 0 | if ((ret = tls->ctx->verify_certificate->cb(tls->ctx->verify_certificate, tls, server_name, &tls->certificate_verify.cb, |
3286 | 0 | &tls->certificate_verify.verify_ctx, certs, num_certs)) != 0) |
3287 | 0 | goto Exit; |
3288 | 0 | } |
3289 | | |
3290 | 0 | *got_certs = num_certs != 0; |
3291 | |
|
3292 | 0 | Exit: |
3293 | 0 | return ret; |
3294 | 0 | } |
3295 | | |
3296 | | static int client_do_handle_certificate(ptls_t *tls, const uint8_t *src, const uint8_t *end) |
3297 | 0 | { |
3298 | 0 | int got_certs, ret; |
3299 | |
|
3300 | 0 | if ((ret = handle_certificate(tls, src, end, &got_certs)) != 0) |
3301 | 0 | return ret; |
3302 | 0 | if (!got_certs) |
3303 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
3304 | | |
3305 | 0 | return 0; |
3306 | 0 | } |
3307 | | |
3308 | | static int client_handle_certificate(ptls_t *tls, ptls_iovec_t message) |
3309 | 0 | { |
3310 | 0 | int ret; |
3311 | |
|
3312 | 0 | if ((ret = client_do_handle_certificate(tls, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len)) != 0) |
3313 | 0 | return ret; |
3314 | | |
3315 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3316 | |
|
3317 | 0 | tls->state = PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY; |
3318 | 0 | return PTLS_ERROR_IN_PROGRESS; |
3319 | 0 | } |
3320 | | |
3321 | | static int client_handle_compressed_certificate(ptls_t *tls, ptls_iovec_t message) |
3322 | 0 | { |
3323 | 0 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
3324 | 0 | uint16_t algo; |
3325 | 0 | uint32_t uncompressed_size; |
3326 | 0 | uint8_t *uncompressed = NULL; |
3327 | 0 | int ret; |
3328 | |
|
3329 | 0 | if (tls->ctx->decompress_certificate == NULL) { |
3330 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
3331 | 0 | goto Exit; |
3332 | 0 | } |
3333 | | |
3334 | | /* decode */ |
3335 | 0 | if ((ret = ptls_decode16(&algo, &src, end)) != 0) |
3336 | 0 | goto Exit; |
3337 | 0 | if ((ret = ptls_decode24(&uncompressed_size, &src, end)) != 0) |
3338 | 0 | goto Exit; |
3339 | 0 | if (uncompressed_size > 65536) { /* TODO find a sensible number */ |
3340 | 0 | ret = PTLS_ALERT_BAD_CERTIFICATE; |
3341 | 0 | goto Exit; |
3342 | 0 | } |
3343 | 0 | if ((uncompressed = malloc(uncompressed_size)) == NULL) { |
3344 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
3345 | 0 | goto Exit; |
3346 | 0 | } |
3347 | 0 | ptls_decode_block(src, end, 3, { |
3348 | 0 | if ((ret = tls->ctx->decompress_certificate->cb(tls->ctx->decompress_certificate, tls, algo, |
3349 | 0 | ptls_iovec_init(uncompressed, uncompressed_size), |
3350 | 0 | ptls_iovec_init(src, end - src))) != 0) |
3351 | 0 | goto Exit; |
3352 | 0 | src = end; |
3353 | 0 | }); |
3354 | | |
3355 | | /* handle */ |
3356 | 0 | if ((ret = client_do_handle_certificate(tls, uncompressed, uncompressed + uncompressed_size)) != 0) |
3357 | 0 | goto Exit; |
3358 | | |
3359 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3360 | 0 | tls->state = PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY; |
3361 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
3362 | |
|
3363 | 0 | Exit: |
3364 | 0 | free(uncompressed); |
3365 | 0 | return ret; |
3366 | 0 | } |
3367 | | |
3368 | | static int server_handle_certificate(ptls_t *tls, ptls_iovec_t message) |
3369 | 0 | { |
3370 | 0 | int got_certs, ret; |
3371 | |
|
3372 | 0 | if ((ret = handle_certificate(tls, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len, &got_certs)) != 0) |
3373 | 0 | return ret; |
3374 | | |
3375 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3376 | |
|
3377 | 0 | if (got_certs) { |
3378 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY; |
3379 | 0 | } else { |
3380 | | /* Client did not provide certificate, and the verifier says we can fail open. Therefore, the next message is Finished. */ |
3381 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
3382 | 0 | } |
3383 | |
|
3384 | 0 | return PTLS_ERROR_IN_PROGRESS; |
3385 | 0 | } |
3386 | | |
3387 | | static int handle_certificate_verify(ptls_t *tls, ptls_iovec_t message, const char *context_string) |
3388 | 0 | { |
3389 | 0 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
3390 | 0 | uint16_t algo; |
3391 | 0 | ptls_iovec_t signature; |
3392 | 0 | uint8_t signdata[PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE]; |
3393 | 0 | size_t signdata_size; |
3394 | 0 | int ret; |
3395 | | |
3396 | | /* decode */ |
3397 | 0 | if ((ret = ptls_decode16(&algo, &src, end)) != 0) |
3398 | 0 | goto Exit; |
3399 | 0 | ptls_decode_block(src, end, 2, { |
3400 | 0 | signature = ptls_iovec_init(src, end - src); |
3401 | 0 | src = end; |
3402 | 0 | }); |
3403 | | |
3404 | 0 | signdata_size = build_certificate_verify_signdata(signdata, tls->key_schedule, context_string); |
3405 | 0 | if (tls->certificate_verify.cb != NULL) { |
3406 | 0 | ret = tls->certificate_verify.cb(tls->certificate_verify.verify_ctx, algo, ptls_iovec_init(signdata, signdata_size), |
3407 | 0 | signature); |
3408 | 0 | } else { |
3409 | 0 | ret = 0; |
3410 | 0 | } |
3411 | 0 | ptls_clear_memory(signdata, signdata_size); |
3412 | 0 | tls->certificate_verify.cb = NULL; |
3413 | 0 | if (ret != 0) { |
3414 | 0 | goto Exit; |
3415 | 0 | } |
3416 | | |
3417 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3418 | |
|
3419 | 0 | Exit: |
3420 | 0 | return ret; |
3421 | 0 | } |
3422 | | |
3423 | | static int client_handle_certificate_verify(ptls_t *tls, ptls_iovec_t message) |
3424 | 0 | { |
3425 | 0 | int ret = handle_certificate_verify(tls, message, PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING); |
3426 | |
|
3427 | 0 | if (ret == 0) { |
3428 | 0 | tls->state = PTLS_STATE_CLIENT_EXPECT_FINISHED; |
3429 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
3430 | 0 | } |
3431 | |
|
3432 | 0 | return ret; |
3433 | 0 | } |
3434 | | |
3435 | | static int server_handle_certificate_verify(ptls_t *tls, ptls_iovec_t message) |
3436 | 0 | { |
3437 | 0 | int ret = handle_certificate_verify(tls, message, PTLS_CLIENT_CERTIFICATE_VERIFY_CONTEXT_STRING); |
3438 | |
|
3439 | 0 | if (ret == 0) { |
3440 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
3441 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
3442 | 0 | } |
3443 | |
|
3444 | 0 | return ret; |
3445 | 0 | } |
3446 | | |
3447 | | static int client_handle_finished(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message) |
3448 | 0 | { |
3449 | 0 | uint8_t send_secret[PTLS_MAX_DIGEST_SIZE]; |
3450 | 0 | int alert_ech_required = tls->ech.offered && !ptls_is_ech_handshake(tls, NULL, NULL, NULL), ret; |
3451 | |
|
3452 | 0 | if ((ret = verify_finished(tls, message)) != 0) |
3453 | 0 | goto Exit; |
3454 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3455 | | |
3456 | | /* update traffic keys by using messages upto ServerFinished, but commission them after sending ClientFinished */ |
3457 | 0 | if ((ret = key_schedule_extract(tls->key_schedule, ptls_iovec_init(NULL, 0))) != 0) |
3458 | 0 | goto Exit; |
3459 | 0 | if ((ret = setup_traffic_protection(tls, 0, "s ap traffic", 3, 0, 0)) != 0) |
3460 | 0 | goto Exit; |
3461 | 0 | if ((ret = derive_secret(tls->key_schedule, send_secret, "c ap traffic")) != 0) |
3462 | 0 | goto Exit; |
3463 | 0 | if ((ret = derive_exporter_secret(tls, 0)) != 0) |
3464 | 0 | goto Exit; |
3465 | | |
3466 | | /* if sending early data, emit EOED and commision the client handshake traffic secret */ |
3467 | 0 | if (tls->pending_handshake_secret != NULL) { |
3468 | 0 | assert(tls->traffic_protection.enc.aead != NULL || tls->ctx->update_traffic_key != NULL); |
3469 | 0 | if (tls->client.using_early_data && !tls->ctx->omit_end_of_early_data) |
3470 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA, {}); |
3471 | 0 | tls->client.using_early_data = 0; |
3472 | 0 | if ((ret = commission_handshake_secret(tls)) != 0) |
3473 | 0 | goto Exit; |
3474 | 0 | } |
3475 | | |
3476 | 0 | if ((ret = push_change_cipher_spec(tls, emitter)) != 0) |
3477 | 0 | goto Exit; |
3478 | | |
3479 | 0 | if (!alert_ech_required && tls->client.certificate_request.context.base != NULL) { |
3480 | 0 | if ((ret = send_certificate(tls, emitter, &tls->client.certificate_request.signature_algorithms, |
3481 | 0 | tls->client.certificate_request.context, 0, NULL, 0)) == 0) |
3482 | 0 | ret = send_certificate_verify(tls, emitter, &tls->client.certificate_request.signature_algorithms, |
3483 | 0 | PTLS_CLIENT_CERTIFICATE_VERIFY_CONTEXT_STRING); |
3484 | 0 | free(tls->client.certificate_request.context.base); |
3485 | 0 | tls->client.certificate_request.context = ptls_iovec_init(NULL, 0); |
3486 | 0 | if (ret != 0) |
3487 | 0 | goto Exit; |
3488 | 0 | } |
3489 | | |
3490 | 0 | ret = send_finished(tls, emitter); |
3491 | |
|
3492 | 0 | memcpy(tls->traffic_protection.enc.secret, send_secret, sizeof(send_secret)); |
3493 | 0 | if ((ret = setup_traffic_protection(tls, 1, NULL, 3, 0, 0)) != 0) |
3494 | 0 | goto Exit; |
3495 | | |
3496 | 0 | tls->state = PTLS_STATE_CLIENT_POST_HANDSHAKE; |
3497 | | |
3498 | | /* if ECH was rejected, close the connection with ECH_REQUIRED alert after verifying messages up to Finished */ |
3499 | 0 | if (alert_ech_required) |
3500 | 0 | ret = PTLS_ALERT_ECH_REQUIRED; |
3501 | |
|
3502 | 0 | Exit: |
3503 | 0 | ptls_clear_memory(send_secret, sizeof(send_secret)); |
3504 | 0 | return ret; |
3505 | 0 | } |
3506 | | |
3507 | | static int client_handle_new_session_ticket(ptls_t *tls, ptls_iovec_t message) |
3508 | 0 | { |
3509 | 0 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
3510 | 0 | ptls_iovec_t ticket_nonce; |
3511 | 0 | int ret; |
3512 | |
|
3513 | 0 | { /* verify the format */ |
3514 | 0 | uint32_t ticket_lifetime, ticket_age_add, max_early_data_size; |
3515 | 0 | ptls_iovec_t ticket; |
3516 | 0 | if ((ret = decode_new_session_ticket(tls, &ticket_lifetime, &ticket_age_add, &ticket_nonce, &ticket, &max_early_data_size, |
3517 | 0 | src, end)) != 0) |
3518 | 0 | return ret; |
3519 | 0 | } |
3520 | | |
3521 | | /* do nothing if use of session ticket is disabled */ |
3522 | 0 | if (tls->ctx->save_ticket == NULL) |
3523 | 0 | return 0; |
3524 | | |
3525 | | /* save the extension, along with the key of myself */ |
3526 | 0 | ptls_buffer_t ticket_buf; |
3527 | 0 | ptls_buffer_init(&ticket_buf, "", 0); |
3528 | 0 | ptls_buffer_push64(&ticket_buf, tls->ctx->get_time->cb(tls->ctx->get_time)); |
3529 | 0 | ptls_buffer_push16(&ticket_buf, tls->key_share->id); |
3530 | 0 | ptls_buffer_push16(&ticket_buf, tls->cipher_suite->id); |
3531 | 0 | ptls_buffer_push_block(&ticket_buf, 3, { ptls_buffer_pushv(&ticket_buf, src, end - src); }); |
3532 | 0 | ptls_buffer_push_block(&ticket_buf, 2, { |
3533 | 0 | if ((ret = ptls_buffer_reserve(&ticket_buf, tls->key_schedule->hashes[0].algo->digest_size)) != 0) |
3534 | 0 | goto Exit; |
3535 | 0 | if ((ret = derive_resumption_secret(tls->key_schedule, ticket_buf.base + ticket_buf.off, ticket_nonce)) != 0) |
3536 | 0 | goto Exit; |
3537 | 0 | ticket_buf.off += tls->key_schedule->hashes[0].algo->digest_size; |
3538 | 0 | }); |
3539 | | |
3540 | 0 | if ((ret = tls->ctx->save_ticket->cb(tls->ctx->save_ticket, tls, ptls_iovec_init(ticket_buf.base, ticket_buf.off))) != 0) |
3541 | 0 | goto Exit; |
3542 | | |
3543 | 0 | ret = 0; |
3544 | 0 | Exit: |
3545 | 0 | ptls_buffer_dispose(&ticket_buf); |
3546 | 0 | return ret; |
3547 | 0 | } |
3548 | | |
3549 | | static int client_hello_decode_server_name(ptls_iovec_t *name, const uint8_t **src, const uint8_t *const end) |
3550 | 0 | { |
3551 | 0 | int ret = 0; |
3552 | |
|
3553 | 0 | ptls_decode_open_block(*src, end, 2, { |
3554 | 0 | do { |
3555 | 0 | uint8_t type; |
3556 | 0 | if ((ret = ptls_decode8(&type, src, end)) != 0) |
3557 | 0 | goto Exit; |
3558 | 0 | ptls_decode_open_block(*src, end, 2, { |
3559 | 0 | switch (type) { |
3560 | 0 | case PTLS_SERVER_NAME_TYPE_HOSTNAME: |
3561 | 0 | if (memchr(*src, '\0', end - *src) != 0) { |
3562 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3563 | 0 | goto Exit; |
3564 | 0 | } |
3565 | 0 | *name = ptls_iovec_init(*src, end - *src); |
3566 | 0 | break; |
3567 | 0 | default: |
3568 | 0 | break; |
3569 | 0 | } |
3570 | 0 | *src = end; |
3571 | 0 | }); |
3572 | 0 | } while (*src != end); |
3573 | 0 | }); |
3574 | | |
3575 | 0 | Exit: |
3576 | 0 | return ret; |
3577 | 0 | } |
3578 | | |
3579 | | static int select_negotiated_group(ptls_key_exchange_algorithm_t **selected, ptls_key_exchange_algorithm_t **candidates, |
3580 | | const uint8_t *src, const uint8_t *const end) |
3581 | 0 | { |
3582 | 0 | int ret; |
3583 | |
|
3584 | 0 | ptls_decode_block(src, end, 2, { |
3585 | 0 | while (src != end) { |
3586 | 0 | uint16_t group; |
3587 | 0 | if ((ret = ptls_decode16(&group, &src, end)) != 0) |
3588 | 0 | goto Exit; |
3589 | 0 | ptls_key_exchange_algorithm_t **c = candidates; |
3590 | 0 | for (; *c != NULL; ++c) { |
3591 | 0 | if ((*c)->id == group) { |
3592 | 0 | *selected = *c; |
3593 | 0 | return 0; |
3594 | 0 | } |
3595 | 0 | } |
3596 | 0 | } |
3597 | 0 | }); |
3598 | | |
3599 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
3600 | |
|
3601 | 0 | Exit: |
3602 | 0 | return ret; |
3603 | 0 | } |
3604 | | |
3605 | | static int decode_client_hello(ptls_context_t *ctx, struct st_ptls_client_hello_t *ch, const uint8_t *src, const uint8_t *const end, |
3606 | | ptls_handshake_properties_t *properties, ptls_t *tls_cbarg) |
3607 | 0 | { |
3608 | 0 | const uint8_t *start = src; |
3609 | 0 | uint16_t exttype = 0; |
3610 | 0 | int ret; |
3611 | | |
3612 | | /* decode protocol version (do not bare to decode something older than TLS 1.0) */ |
3613 | 0 | if ((ret = ptls_decode16(&ch->legacy_version, &src, end)) != 0) |
3614 | 0 | goto Exit; |
3615 | 0 | if (ch->legacy_version < 0x0301) { |
3616 | 0 | ret = PTLS_ALERT_PROTOCOL_VERSION; |
3617 | 0 | goto Exit; |
3618 | 0 | } |
3619 | | |
3620 | | /* skip random */ |
3621 | 0 | if (end - src < PTLS_HELLO_RANDOM_SIZE) { |
3622 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3623 | 0 | goto Exit; |
3624 | 0 | } |
3625 | 0 | ch->random_bytes = src; |
3626 | 0 | src += PTLS_HELLO_RANDOM_SIZE; |
3627 | | |
3628 | | /* skip legacy_session_id */ |
3629 | 0 | ptls_decode_open_block(src, end, 1, { |
3630 | 0 | if (end - src > 32) { |
3631 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3632 | 0 | goto Exit; |
3633 | 0 | } |
3634 | 0 | ch->legacy_session_id = ptls_iovec_init(src, end - src); |
3635 | 0 | src = end; |
3636 | 0 | }); |
3637 | | |
3638 | | /* decode and select from ciphersuites */ |
3639 | 0 | ptls_decode_open_block(src, end, 2, { |
3640 | 0 | if ((end - src) % 2 != 0) { |
3641 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3642 | 0 | goto Exit; |
3643 | 0 | } |
3644 | 0 | ch->cipher_suites = ptls_iovec_init(src, end - src); |
3645 | 0 | src = end; |
3646 | 0 | }); |
3647 | | |
3648 | | /* decode legacy_compression_methods */ |
3649 | 0 | ptls_decode_open_block(src, end, 1, { |
3650 | 0 | if (src == end) { |
3651 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3652 | 0 | goto Exit; |
3653 | 0 | } |
3654 | 0 | ch->compression_methods.ids = src; |
3655 | 0 | ch->compression_methods.count = end - src; |
3656 | 0 | src = end; |
3657 | 0 | }); |
3658 | | |
3659 | | /* In TLS versions 1.2 and earlier CH might not have an extensions block (or they might, see what OpenSSL 1.0.0 sends); so bail |
3660 | | * out if that is the case after parsing the main variables. Zero is returned as it is a valid ClientHello. However |
3661 | | * `ptls_t::selected_version` remains zero indicating that no compatible version were found. */ |
3662 | 0 | if (src == end) { |
3663 | 0 | ret = 0; |
3664 | 0 | goto Exit; |
3665 | 0 | } |
3666 | | |
3667 | | /* decode extensions */ |
3668 | 0 | ch->first_extension_at = src - start + 2; |
3669 | 0 | decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, &exttype, { |
3670 | 0 | ch->psk.is_last_extension = 0; |
3671 | 0 | if (ctx->on_extension != NULL && tls_cbarg != NULL && |
3672 | 0 | (ret = ctx->on_extension->cb(ctx->on_extension, tls_cbarg, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, exttype, |
3673 | 0 | ptls_iovec_init(src, end - src)) != 0)) |
3674 | 0 | goto Exit; |
3675 | 0 | switch (exttype) { |
3676 | 0 | case PTLS_EXTENSION_TYPE_SERVER_NAME: |
3677 | 0 | if ((ret = client_hello_decode_server_name(&ch->server_name, &src, end)) != 0) |
3678 | 0 | goto Exit; |
3679 | 0 | if (src != end) { |
3680 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3681 | 0 | goto Exit; |
3682 | 0 | } |
3683 | 0 | break; |
3684 | 0 | case PTLS_EXTENSION_TYPE_ALPN: |
3685 | 0 | ptls_decode_block(src, end, 2, { |
3686 | 0 | do { |
3687 | 0 | ptls_decode_open_block(src, end, 1, { |
3688 | | /* rfc7301 3.1: empty strings MUST NOT be included */ |
3689 | 0 | if (src == end) { |
3690 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3691 | 0 | goto Exit; |
3692 | 0 | } |
3693 | 0 | if (ch->alpn.count < PTLS_ELEMENTSOF(ch->alpn.list)) |
3694 | 0 | ch->alpn.list[ch->alpn.count++] = ptls_iovec_init(src, end - src); |
3695 | 0 | src = end; |
3696 | 0 | }); |
3697 | 0 | } while (src != end); |
3698 | 0 | }); |
3699 | 0 | break; |
3700 | 0 | case PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE: |
3701 | 0 | ptls_decode_block(src, end, 1, { |
3702 | 0 | size_t list_size = end - src; |
3703 | | |
3704 | | /* RFC7250 4.1: No empty list, no list with single x509 element */ |
3705 | 0 | if (list_size == 0 || (list_size == 1 && *src == PTLS_CERTIFICATE_TYPE_X509)) { |
3706 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3707 | 0 | goto Exit; |
3708 | 0 | } |
3709 | |
|
3710 | 0 | do { |
3711 | 0 | if (ch->server_certificate_types.count < PTLS_ELEMENTSOF(ch->server_certificate_types.list)) |
3712 | 0 | ch->server_certificate_types.list[ch->server_certificate_types.count++] = *src; |
3713 | 0 | src++; |
3714 | 0 | } while (src != end); |
3715 | 0 | }); |
3716 | 0 | break; |
3717 | 0 | case PTLS_EXTENSION_TYPE_COMPRESS_CERTIFICATE: |
3718 | 0 | ptls_decode_block(src, end, 1, { |
3719 | 0 | do { |
3720 | 0 | uint16_t id; |
3721 | 0 | if ((ret = ptls_decode16(&id, &src, end)) != 0) |
3722 | 0 | goto Exit; |
3723 | 0 | if (ch->cert_compression_algos.count < PTLS_ELEMENTSOF(ch->cert_compression_algos.list)) |
3724 | 0 | ch->cert_compression_algos.list[ch->cert_compression_algos.count++] = id; |
3725 | 0 | } while (src != end); |
3726 | 0 | }); |
3727 | 0 | break; |
3728 | 0 | case PTLS_EXTENSION_TYPE_SUPPORTED_GROUPS: |
3729 | 0 | ch->negotiated_groups = ptls_iovec_init(src, end - src); |
3730 | 0 | break; |
3731 | 0 | case PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS: |
3732 | 0 | if ((ret = decode_signature_algorithms(&ch->signature_algorithms, &src, end)) != 0) |
3733 | 0 | goto Exit; |
3734 | 0 | break; |
3735 | 0 | case PTLS_EXTENSION_TYPE_KEY_SHARE: |
3736 | 0 | ch->key_shares = ptls_iovec_init(src, end - src); |
3737 | 0 | break; |
3738 | 0 | case PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS: |
3739 | 0 | ptls_decode_block(src, end, 1, { |
3740 | 0 | size_t selected_index = PTLS_ELEMENTSOF(supported_versions); |
3741 | 0 | do { |
3742 | 0 | size_t i; |
3743 | 0 | uint16_t v; |
3744 | 0 | if ((ret = ptls_decode16(&v, &src, end)) != 0) |
3745 | 0 | goto Exit; |
3746 | 0 | for (i = 0; i != selected_index; ++i) { |
3747 | 0 | if (supported_versions[i] == v) { |
3748 | 0 | selected_index = i; |
3749 | 0 | break; |
3750 | 0 | } |
3751 | 0 | } |
3752 | 0 | } while (src != end); |
3753 | 0 | if (selected_index != PTLS_ELEMENTSOF(supported_versions)) |
3754 | 0 | ch->selected_version = supported_versions[selected_index]; |
3755 | 0 | }); |
3756 | 0 | break; |
3757 | 0 | case PTLS_EXTENSION_TYPE_COOKIE: |
3758 | 0 | if (properties == NULL || properties->server.cookie.key == NULL) { |
3759 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3760 | 0 | goto Exit; |
3761 | 0 | } |
3762 | 0 | ch->cookie.all = ptls_iovec_init(src, end - src); |
3763 | 0 | ptls_decode_block(src, end, 2, { |
3764 | 0 | ch->cookie.tbs.base = (void *)src; |
3765 | 0 | ptls_decode_open_block(src, end, 2, { |
3766 | 0 | ptls_decode_open_block(src, end, 1, { |
3767 | 0 | ch->cookie.ch1_hash = ptls_iovec_init(src, end - src); |
3768 | 0 | src = end; |
3769 | 0 | }); |
3770 | 0 | uint8_t sent_key_share; |
3771 | 0 | if ((ret = ptls_decode8(&sent_key_share, &src, end)) != 0) |
3772 | 0 | goto Exit; |
3773 | 0 | switch (sent_key_share) { |
3774 | 0 | case 0: |
3775 | 0 | assert(!ch->cookie.sent_key_share); |
3776 | 0 | break; |
3777 | 0 | case 1: |
3778 | 0 | ch->cookie.sent_key_share = 1; |
3779 | 0 | break; |
3780 | 0 | default: |
3781 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3782 | 0 | goto Exit; |
3783 | 0 | } |
3784 | 0 | }); |
3785 | 0 | ch->cookie.tbs.len = src - ch->cookie.tbs.base; |
3786 | 0 | ptls_decode_block(src, end, 1, { |
3787 | 0 | ch->cookie.signature = ptls_iovec_init(src, end - src); |
3788 | 0 | src = end; |
3789 | 0 | }); |
3790 | 0 | }); |
3791 | 0 | break; |
3792 | 0 | case PTLS_EXTENSION_TYPE_PRE_SHARED_KEY: { |
3793 | 0 | size_t num_identities = 0; |
3794 | 0 | ptls_decode_open_block(src, end, 2, { |
3795 | 0 | do { |
3796 | 0 | ptls_client_hello_psk_identity_t psk = {{NULL}}; |
3797 | 0 | ptls_decode_open_block(src, end, 2, { |
3798 | 0 | if (end - src < 1) { |
3799 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3800 | 0 | goto Exit; |
3801 | 0 | } |
3802 | 0 | psk.identity = ptls_iovec_init(src, end - src); |
3803 | 0 | src = end; |
3804 | 0 | }); |
3805 | 0 | if ((ret = ptls_decode32(&psk.obfuscated_ticket_age, &src, end)) != 0) |
3806 | 0 | goto Exit; |
3807 | 0 | if (ch->psk.identities.count < PTLS_ELEMENTSOF(ch->psk.identities.list)) |
3808 | 0 | ch->psk.identities.list[ch->psk.identities.count++] = psk; |
3809 | 0 | ++num_identities; |
3810 | 0 | } while (src != end); |
3811 | 0 | }); |
3812 | 0 | ch->psk.hash_end = src; |
3813 | 0 | ptls_decode_block(src, end, 2, { |
3814 | 0 | size_t num_binders = 0; |
3815 | 0 | do { |
3816 | 0 | ptls_decode_open_block(src, end, 1, { |
3817 | 0 | if (num_binders < ch->psk.identities.count) |
3818 | 0 | ch->psk.identities.list[num_binders].binder = ptls_iovec_init(src, end - src); |
3819 | 0 | src = end; |
3820 | 0 | }); |
3821 | 0 | ++num_binders; |
3822 | 0 | } while (src != end); |
3823 | 0 | if (num_identities != num_binders) { |
3824 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3825 | 0 | goto Exit; |
3826 | 0 | } |
3827 | 0 | }); |
3828 | 0 | ch->psk.is_last_extension = 1; |
3829 | 0 | } break; |
3830 | 0 | case PTLS_EXTENSION_TYPE_PSK_KEY_EXCHANGE_MODES: |
3831 | 0 | ptls_decode_block(src, end, 1, { |
3832 | 0 | do { |
3833 | 0 | uint8_t mode; |
3834 | 0 | if ((ret = ptls_decode8(&mode, &src, end)) != 0) |
3835 | 0 | goto Exit; |
3836 | 0 | if (mode < sizeof(ch->psk.ke_modes) * 8) |
3837 | 0 | ch->psk.ke_modes |= 1u << mode; |
3838 | 0 | } while (src != end); |
3839 | 0 | }); |
3840 | 0 | break; |
3841 | 0 | case PTLS_EXTENSION_TYPE_EARLY_DATA: |
3842 | 0 | ch->psk.early_data_indication = 1; |
3843 | 0 | break; |
3844 | 0 | case PTLS_EXTENSION_TYPE_STATUS_REQUEST: |
3845 | 0 | ch->status_request = 1; |
3846 | 0 | break; |
3847 | 0 | case PTLS_EXTENSION_TYPE_TICKET_REQUEST: |
3848 | 0 | if (end - src != 2) { |
3849 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3850 | 0 | goto Exit; |
3851 | 0 | } |
3852 | 0 | ch->ticket_request.new_session_count = *src++; |
3853 | 0 | ch->ticket_request.resumption_count = *src++; |
3854 | 0 | break; |
3855 | 0 | case PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO: |
3856 | 0 | if ((ret = ptls_decode8(&ch->ech.type, &src, end)) != 0) |
3857 | 0 | goto Exit; |
3858 | 0 | switch (ch->ech.type) { |
3859 | 0 | case PTLS_ECH_CLIENT_HELLO_TYPE_OUTER: |
3860 | 0 | if ((ret = ptls_decode16(&ch->ech.cipher_suite.kdf, &src, end)) != 0 || |
3861 | 0 | (ret = ptls_decode16(&ch->ech.cipher_suite.aead, &src, end)) != 0) |
3862 | 0 | goto Exit; |
3863 | 0 | if ((ret = ptls_decode8(&ch->ech.config_id, &src, end)) != 0) |
3864 | 0 | goto Exit; |
3865 | 0 | ptls_decode_open_block(src, end, 2, { |
3866 | 0 | ch->ech.enc = ptls_iovec_init(src, end - src); |
3867 | 0 | src = end; |
3868 | 0 | }); |
3869 | 0 | ptls_decode_open_block(src, end, 2, { |
3870 | 0 | if (src == end) { |
3871 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3872 | 0 | goto Exit; |
3873 | 0 | } |
3874 | 0 | ch->ech.payload = ptls_iovec_init(src, end - src); |
3875 | 0 | src = end; |
3876 | 0 | }); |
3877 | 0 | break; |
3878 | 0 | case PTLS_ECH_CLIENT_HELLO_TYPE_INNER: |
3879 | 0 | if (src != end) { |
3880 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3881 | 0 | goto Exit; |
3882 | 0 | } |
3883 | 0 | ch->ech.payload = ptls_iovec_init("", 0); /* non-zero base indicates that the extension was received */ |
3884 | 0 | break; |
3885 | 0 | default: |
3886 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3887 | 0 | goto Exit; |
3888 | 0 | } |
3889 | 0 | src = end; |
3890 | 0 | break; |
3891 | 0 | default: |
3892 | 0 | if (tls_cbarg != NULL && should_collect_unknown_extension(tls_cbarg, properties, exttype)) { |
3893 | 0 | if ((ret = collect_unknown_extension(tls_cbarg, exttype, src, end, ch->unknown_extensions)) != 0) |
3894 | 0 | goto Exit; |
3895 | 0 | } |
3896 | 0 | break; |
3897 | 0 | } |
3898 | 0 | src = end; |
3899 | 0 | }); |
3900 | | |
3901 | 0 | ret = 0; |
3902 | 0 | Exit: |
3903 | 0 | return ret; |
3904 | 0 | } |
3905 | | |
3906 | | static int rebuild_ch_inner_extensions(ptls_buffer_t *buf, const uint8_t **src, const uint8_t *const end, const uint8_t *outer_ext, |
3907 | | const uint8_t *outer_ext_end) |
3908 | 0 | { |
3909 | 0 | int ret; |
3910 | |
|
3911 | 0 | ptls_buffer_push_block(buf, 2, { |
3912 | 0 | ptls_decode_open_block(*src, end, 2, { |
3913 | 0 | while (*src != end) { |
3914 | 0 | uint16_t exttype; |
3915 | 0 | if ((ret = ptls_decode16(&exttype, src, end)) != 0) |
3916 | 0 | goto Exit; |
3917 | 0 | ptls_decode_open_block(*src, end, 2, { |
3918 | 0 | if (exttype == PTLS_EXTENSION_TYPE_ECH_OUTER_EXTENSIONS) { |
3919 | 0 | ptls_decode_open_block(*src, end, 1, { |
3920 | 0 | do { |
3921 | 0 | uint16_t reftype; |
3922 | 0 | uint16_t outertype; |
3923 | 0 | uint16_t outersize; |
3924 | 0 | if ((ret = ptls_decode16(&reftype, src, end)) != 0) |
3925 | 0 | goto Exit; |
3926 | 0 | if (reftype == PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO) { |
3927 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3928 | 0 | goto Exit; |
3929 | 0 | } |
3930 | 0 | while (1) { |
3931 | 0 | if (ptls_decode16(&outertype, &outer_ext, outer_ext_end) != 0 || |
3932 | 0 | ptls_decode16(&outersize, &outer_ext, outer_ext_end) != 0) { |
3933 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3934 | 0 | goto Exit; |
3935 | 0 | } |
3936 | 0 | assert(outer_ext_end - outer_ext >= outersize); |
3937 | 0 | if (outertype == reftype) |
3938 | 0 | break; |
3939 | 0 | outer_ext += outersize; |
3940 | 0 | } |
3941 | 0 | buffer_push_extension(buf, reftype, { |
3942 | 0 | ptls_buffer_pushv(buf, outer_ext, outersize); |
3943 | 0 | outer_ext += outersize; |
3944 | 0 | }); |
3945 | 0 | } while (*src != end); |
3946 | 0 | }); |
3947 | 0 | } else { |
3948 | 0 | buffer_push_extension(buf, exttype, { |
3949 | 0 | ptls_buffer_pushv(buf, *src, end - *src); |
3950 | 0 | *src = end; |
3951 | 0 | }); |
3952 | 0 | } |
3953 | 0 | }); |
3954 | 0 | } |
3955 | 0 | }); |
3956 | 0 | }); |
3957 | | |
3958 | 0 | Exit: |
3959 | 0 | return ret; |
3960 | 0 | } |
3961 | | |
3962 | | static int rebuild_ch_inner(ptls_buffer_t *buf, const uint8_t *src, const uint8_t *const end, |
3963 | | struct st_ptls_client_hello_t *outer_ch, const uint8_t *outer_ext, const uint8_t *outer_ext_end) |
3964 | 0 | { |
3965 | 0 | #define COPY_BLOCK(capacity) \ |
3966 | 0 | do { \ |
3967 | 0 | ptls_decode_open_block(src, end, (capacity), { \ |
3968 | 0 | ptls_buffer_push_block(buf, (capacity), { ptls_buffer_pushv(buf, src, end - src); }); \ |
3969 | 0 | src = end; \ |
3970 | 0 | }); \ |
3971 | 0 | } while (0) |
3972 | |
|
3973 | 0 | int ret; |
3974 | |
|
3975 | 0 | ptls_buffer_push_message_body(buf, NULL, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, { |
3976 | 0 | { /* legacy_version */ |
3977 | 0 | uint16_t legacy_version; |
3978 | 0 | if ((ret = ptls_decode16(&legacy_version, &src, end)) != 0) |
3979 | 0 | goto Exit; |
3980 | 0 | ptls_buffer_push16(buf, legacy_version); |
3981 | 0 | } |
3982 | | |
3983 | | /* hello random */ |
3984 | 0 | if (end - src < PTLS_HELLO_RANDOM_SIZE) { |
3985 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3986 | 0 | goto Exit; |
3987 | 0 | } |
3988 | 0 | ptls_buffer_pushv(buf, src, PTLS_HELLO_RANDOM_SIZE); |
3989 | 0 | src += PTLS_HELLO_RANDOM_SIZE; |
3990 | |
|
3991 | 0 | ptls_decode_open_block(src, end, 1, { |
3992 | 0 | if (src != end) { |
3993 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3994 | 0 | goto Exit; |
3995 | 0 | } |
3996 | 0 | }); |
3997 | 0 | ptls_buffer_push_block(buf, 1, |
3998 | 0 | { ptls_buffer_pushv(buf, outer_ch->legacy_session_id.base, outer_ch->legacy_session_id.len); }); |
3999 | | |
4000 | | /* cipher-suites and legacy-compression-methods */ |
4001 | 0 | COPY_BLOCK(2); |
4002 | 0 | COPY_BLOCK(1); |
4003 | | |
4004 | | /* extensions */ |
4005 | 0 | if ((ret = rebuild_ch_inner_extensions(buf, &src, end, outer_ext, outer_ext_end)) != 0) |
4006 | 0 | goto Exit; |
4007 | 0 | }); |
4008 | | |
4009 | | /* padding must be all zero */ |
4010 | 0 | for (; src != end; ++src) { |
4011 | 0 | if (*src != '\0') { |
4012 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
4013 | 0 | goto Exit; |
4014 | 0 | } |
4015 | 0 | } |
4016 | | |
4017 | 0 | Exit: |
4018 | 0 | return ret; |
4019 | |
|
4020 | 0 | #undef COPY_BLOCK |
4021 | 0 | } |
4022 | | |
4023 | | /* Wrapper function for invoking the on_client_hello callback, taking an exhaustive list of parameters as arguments. The intention |
4024 | | * is to not miss setting them as we add new parameters to the struct. */ |
4025 | | static inline int call_on_client_hello_cb(ptls_t *tls, ptls_iovec_t server_name, ptls_iovec_t raw_message, |
4026 | | ptls_iovec_t cipher_suites, ptls_iovec_t *alpns, size_t num_alpns, |
4027 | | const uint16_t *sig_algos, size_t num_sig_algos, const uint16_t *cert_comp_algos, |
4028 | | size_t num_cert_comp_algos, const uint8_t *server_cert_types, |
4029 | | size_t num_server_cert_types, const ptls_client_hello_psk_identity_t *psk_identities, |
4030 | | size_t num_psk_identities, int incompatible_version) |
4031 | 0 | { |
4032 | 0 | if (tls->ctx->on_client_hello == NULL) |
4033 | 0 | return 0; |
4034 | | |
4035 | 0 | ptls_on_client_hello_parameters_t params = {server_name, |
4036 | 0 | raw_message, |
4037 | 0 | cipher_suites, |
4038 | 0 | {alpns, num_alpns}, |
4039 | 0 | {sig_algos, num_sig_algos}, |
4040 | 0 | {cert_comp_algos, num_cert_comp_algos}, |
4041 | 0 | {server_cert_types, num_server_cert_types}, |
4042 | 0 | {psk_identities, num_psk_identities}, |
4043 | 0 | incompatible_version}; |
4044 | 0 | return tls->ctx->on_client_hello->cb(tls->ctx->on_client_hello, tls, ¶ms); |
4045 | 0 | } |
4046 | | |
4047 | | static int check_client_hello_constraints(ptls_context_t *ctx, struct st_ptls_client_hello_t *ch, const void *prev_random, |
4048 | | int ech_is_inner_ch, ptls_iovec_t raw_message, ptls_t *tls_cbarg) |
4049 | 0 | { |
4050 | 0 | int is_second_flight = prev_random != 0; |
4051 | | |
4052 | | /* The following check is necessary so that we would be able to track the connection in SSLKEYLOGFILE, even though it might not |
4053 | | * be for the safety of the protocol. */ |
4054 | 0 | if (is_second_flight && !ptls_mem_equal(ch->random_bytes, prev_random, PTLS_HELLO_RANDOM_SIZE)) |
4055 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
4056 | | |
4057 | | /* bail out if CH cannot be handled as TLS 1.3 */ |
4058 | 0 | if (!is_supported_version(ch->selected_version)) { |
4059 | | /* ECH: server MUST abort with an "illegal_parameter" alert if the client offers TLS 1.2 or below (draft-15 7.1) */ |
4060 | 0 | if (ech_is_inner_ch) |
4061 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4062 | | /* fail with PROTOCOL_VERSION alert, after providing the applications the raw CH and SNI to help them fallback */ |
4063 | 0 | if (!is_second_flight) { |
4064 | 0 | int ret; |
4065 | 0 | if ((ret = call_on_client_hello_cb(tls_cbarg, ch->server_name, raw_message, ch->cipher_suites, ch->alpn.list, |
4066 | 0 | ch->alpn.count, NULL, 0, NULL, 0, NULL, 0, NULL, 0, 1)) != 0) |
4067 | 0 | return ret; |
4068 | 0 | } |
4069 | 0 | return PTLS_ALERT_PROTOCOL_VERSION; |
4070 | 0 | } |
4071 | | |
4072 | | /* Check TLS 1.3-specific constraints. Hereafter, we might exit without calling on_client_hello. That's fine because this CH is |
4073 | | * ought to be rejected. */ |
4074 | 0 | if (ch->legacy_version <= 0x0300) { |
4075 | | /* RFC 8446 Appendix D.5: any endpoint receiving a Hello message with legacy_version set to 0x0300 MUST abort the handshake |
4076 | | * with a "protocol_version" alert. */ |
4077 | 0 | return PTLS_ALERT_PROTOCOL_VERSION; |
4078 | 0 | } |
4079 | 0 | if (!(ch->compression_methods.count == 1 && ch->compression_methods.ids[0] == 0)) |
4080 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4081 | | /* pre-shared key */ |
4082 | 0 | if (ch->psk.hash_end != NULL) { |
4083 | | /* PSK must be the last extension */ |
4084 | 0 | if (!ch->psk.is_last_extension) |
4085 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4086 | 0 | } else { |
4087 | 0 | if (ch->psk.early_data_indication) |
4088 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4089 | 0 | } |
4090 | | |
4091 | 0 | if (ech_is_inner_ch && ch->ech.payload.base == NULL) |
4092 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4093 | 0 | if (ch->ech.payload.base != NULL && |
4094 | 0 | ch->ech.type != (ech_is_inner_ch ? PTLS_ECH_CLIENT_HELLO_TYPE_INNER : PTLS_ECH_CLIENT_HELLO_TYPE_OUTER)) |
4095 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4096 | | |
4097 | 0 | return 0; |
4098 | 0 | } |
4099 | | |
4100 | | static int vec_is_string(ptls_iovec_t x, const char *y) |
4101 | 0 | { |
4102 | 0 | return strncmp((const char *)x.base, y, x.len) == 0 && y[x.len] == '\0'; |
4103 | 0 | } |
4104 | | |
4105 | | /** |
4106 | | * Looks for a PSK identity that can be used, and if found, updates the handshake state and returns the necessary variables. If |
4107 | | * `ptls_context_t::pre_shared_key` is set, only tries handshake using those keys provided. Otherwise, tries resumption. |
4108 | | */ |
4109 | | static int try_psk_handshake(ptls_t *tls, size_t *psk_index, int *accept_early_data, struct st_ptls_client_hello_t *ch, |
4110 | | ptls_iovec_t ch_trunc, int is_second_flight) |
4111 | 0 | { |
4112 | 0 | ptls_buffer_t decbuf; |
4113 | 0 | ptls_iovec_t secret, ticket_ctx, ticket_negotiated_protocol; |
4114 | 0 | uint64_t issue_at, now = tls->ctx->get_time->cb(tls->ctx->get_time); |
4115 | 0 | uint32_t age_add; |
4116 | 0 | uint16_t ticket_key_exchange_id, ticket_csid; |
4117 | 0 | uint8_t binder_key[PTLS_MAX_DIGEST_SIZE]; |
4118 | 0 | int ret; |
4119 | |
|
4120 | 0 | ptls_buffer_init(&decbuf, "", 0); |
4121 | |
|
4122 | 0 | for (*psk_index = 0; *psk_index < ch->psk.identities.count; ++*psk_index) { |
4123 | 0 | ptls_client_hello_psk_identity_t *identity = ch->psk.identities.list + *psk_index; |
4124 | | |
4125 | | /* negotiate using fixed pre-shared key */ |
4126 | 0 | if (tls->ctx->pre_shared_key.identity.base != NULL) { |
4127 | 0 | if (identity->identity.len == tls->ctx->pre_shared_key.identity.len && |
4128 | 0 | memcmp(identity->identity.base, tls->ctx->pre_shared_key.identity.base, identity->identity.len) == 0) { |
4129 | 0 | *accept_early_data = ch->psk.early_data_indication && *psk_index == 0; |
4130 | 0 | tls->key_share = NULL; |
4131 | 0 | secret = tls->ctx->pre_shared_key.secret; |
4132 | 0 | goto Found; |
4133 | 0 | } |
4134 | 0 | continue; |
4135 | 0 | } |
4136 | | |
4137 | | /* decrypt ticket and decode */ |
4138 | 0 | if (tls->ctx->encrypt_ticket == NULL || tls->ctx->key_exchanges == NULL) |
4139 | 0 | continue; |
4140 | 0 | int can_accept_early_data = *psk_index == 0; |
4141 | 0 | decbuf.off = 0; |
4142 | 0 | switch (tls->ctx->encrypt_ticket->cb(tls->ctx->encrypt_ticket, tls, 0, &decbuf, identity->identity)) { |
4143 | 0 | case 0: /* decrypted */ |
4144 | 0 | break; |
4145 | 0 | case PTLS_ERROR_REJECT_EARLY_DATA: /* decrypted, but early data is rejected */ |
4146 | 0 | can_accept_early_data = 0; |
4147 | 0 | break; |
4148 | 0 | default: /* decryption failure */ |
4149 | 0 | continue; |
4150 | 0 | } |
4151 | 0 | if (decode_session_identifier(&issue_at, &secret, &age_add, &ticket_ctx, &ticket_key_exchange_id, &ticket_csid, |
4152 | 0 | &ticket_negotiated_protocol, decbuf.base, decbuf.base + decbuf.off) != 0) |
4153 | 0 | continue; |
4154 | | /* check age */ |
4155 | 0 | if (now < issue_at) |
4156 | 0 | continue; |
4157 | 0 | if (now - issue_at > (uint64_t)tls->ctx->ticket_lifetime * 1000) |
4158 | 0 | continue; |
4159 | 0 | *accept_early_data = 0; |
4160 | 0 | if (ch->psk.early_data_indication && can_accept_early_data) { |
4161 | | /* accept early-data if abs(diff) between the reported age and the actual age is within += 10 seconds */ |
4162 | 0 | int64_t delta = (now - issue_at) - (identity->obfuscated_ticket_age - age_add); |
4163 | 0 | if (delta < 0) |
4164 | 0 | delta = -delta; |
4165 | 0 | if (tls->ctx->max_early_data_size != 0 && delta <= PTLS_EARLY_DATA_MAX_DELAY) |
4166 | 0 | *accept_early_data = 1; |
4167 | 0 | } |
4168 | | /* check ticket context */ |
4169 | 0 | if (tls->ctx->ticket_context.is_set) { |
4170 | 0 | if (!(ticket_ctx.len == sizeof(tls->ctx->ticket_context.bytes) && |
4171 | 0 | memcmp(ticket_ctx.base, tls->ctx->ticket_context.bytes, ticket_ctx.len) == 0)) |
4172 | 0 | continue; |
4173 | 0 | } else { |
4174 | | /* check server-name */ |
4175 | 0 | if (ticket_ctx.len != 0) { |
4176 | 0 | if (tls->server_name == NULL) |
4177 | 0 | continue; |
4178 | 0 | if (!vec_is_string(ticket_ctx, tls->server_name)) |
4179 | 0 | continue; |
4180 | 0 | } else { |
4181 | 0 | if (tls->server_name != NULL) |
4182 | 0 | continue; |
4183 | 0 | } |
4184 | 0 | } |
4185 | 0 | { /* check key-exchange */ |
4186 | 0 | ptls_key_exchange_algorithm_t **a; |
4187 | 0 | for (a = tls->ctx->key_exchanges; *a != NULL && (*a)->id != ticket_key_exchange_id; ++a) |
4188 | 0 | ; |
4189 | 0 | if (*a == NULL) |
4190 | 0 | continue; |
4191 | 0 | tls->key_share = *a; |
4192 | 0 | } |
4193 | | /* check cipher-suite */ |
4194 | 0 | if (ticket_csid != tls->cipher_suite->id) |
4195 | 0 | continue; |
4196 | | /* check negotiated-protocol */ |
4197 | 0 | if (ticket_negotiated_protocol.len != 0) { |
4198 | 0 | if (tls->negotiated_protocol == NULL) |
4199 | 0 | continue; |
4200 | 0 | if (!vec_is_string(ticket_negotiated_protocol, tls->negotiated_protocol)) |
4201 | 0 | continue; |
4202 | 0 | } |
4203 | | /* check the length of the decrypted psk and the PSK binder */ |
4204 | 0 | if (secret.len != tls->key_schedule->hashes[0].algo->digest_size) |
4205 | 0 | continue; |
4206 | 0 | if (ch->psk.identities.list[*psk_index].binder.len != tls->key_schedule->hashes[0].algo->digest_size) |
4207 | 0 | continue; |
4208 | | |
4209 | | /* found */ |
4210 | 0 | goto Found; |
4211 | 0 | } |
4212 | | |
4213 | | /* not found */ |
4214 | 0 | *psk_index = SIZE_MAX; |
4215 | 0 | *accept_early_data = 0; |
4216 | 0 | tls->key_share = NULL; |
4217 | 0 | ret = 0; |
4218 | 0 | goto Exit; |
4219 | | |
4220 | 0 | Found: |
4221 | 0 | if (!is_second_flight && (ret = key_schedule_extract(tls->key_schedule, secret)) != 0) |
4222 | 0 | goto Exit; |
4223 | 0 | if ((ret = derive_secret_with_empty_digest(tls->key_schedule, binder_key, |
4224 | 0 | tls->ctx->pre_shared_key.secret.base != NULL ? "ext binder" : "res binder")) != 0) |
4225 | 0 | goto Exit; |
4226 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, ch_trunc.base, ch_trunc.len, 0); |
4227 | 0 | if ((ret = calc_verify_data(binder_key /* to conserve space, reuse binder_key for storing verify_data */, tls->key_schedule, |
4228 | 0 | binder_key)) != 0) |
4229 | 0 | goto Exit; |
4230 | 0 | if (!ptls_mem_equal(ch->psk.identities.list[*psk_index].binder.base, binder_key, |
4231 | 0 | tls->key_schedule->hashes[0].algo->digest_size)) { |
4232 | 0 | ret = PTLS_ALERT_DECRYPT_ERROR; |
4233 | 0 | goto Exit; |
4234 | 0 | } |
4235 | 0 | ret = 0; |
4236 | |
|
4237 | 0 | Exit: |
4238 | 0 | ptls_buffer_dispose(&decbuf); |
4239 | 0 | ptls_clear_memory(binder_key, sizeof(binder_key)); |
4240 | 0 | return ret; |
4241 | 0 | } |
4242 | | |
4243 | | static int calc_cookie_signature(ptls_t *tls, ptls_handshake_properties_t *properties, |
4244 | | ptls_key_exchange_algorithm_t *negotiated_group, ptls_iovec_t tbs, uint8_t *sig) |
4245 | 0 | { |
4246 | 0 | ptls_hash_algorithm_t *algo = tls->ctx->cipher_suites[0]->hash; |
4247 | 0 | ptls_hash_context_t *hctx; |
4248 | |
|
4249 | 0 | if ((hctx = ptls_hmac_create(algo, properties->server.cookie.key, algo->digest_size)) == NULL) |
4250 | 0 | return PTLS_ERROR_NO_MEMORY; |
4251 | | |
4252 | 0 | #define UPDATE_BLOCK(p, _len) \ |
4253 | 0 | do { \ |
4254 | 0 | size_t len = (_len); \ |
4255 | 0 | assert(len < UINT8_MAX); \ |
4256 | 0 | uint8_t len8 = (uint8_t)len; \ |
4257 | 0 | hctx->update(hctx, &len8, 1); \ |
4258 | 0 | hctx->update(hctx, (p), len); \ |
4259 | 0 | } while (0) |
4260 | 0 | #define UPDATE16(_v) \ |
4261 | 0 | do { \ |
4262 | 0 | uint16_t v = (_v); \ |
4263 | 0 | uint8_t b[2] = {v >> 8, v & 0xff}; \ |
4264 | 0 | hctx->update(hctx, b, 2); \ |
4265 | 0 | } while (0) |
4266 | | |
4267 | 0 | UPDATE_BLOCK(tls->client_random, sizeof(tls->client_random)); |
4268 | 0 | UPDATE_BLOCK(tls->server_name, tls->server_name != NULL ? strlen(tls->server_name) : 0); |
4269 | 0 | UPDATE16(tls->cipher_suite->id); |
4270 | 0 | UPDATE16(negotiated_group != NULL ? negotiated_group->id : 0); |
4271 | 0 | UPDATE_BLOCK(properties->server.cookie.additional_data.base, properties->server.cookie.additional_data.len); |
4272 | | |
4273 | 0 | UPDATE_BLOCK(tbs.base, tbs.len); |
4274 | | |
4275 | 0 | #undef UPDATE_BLOCK |
4276 | 0 | #undef UPDATE16 |
4277 | | |
4278 | 0 | hctx->final(hctx, sig, PTLS_HASH_FINAL_MODE_FREE); |
4279 | 0 | return 0; |
4280 | 0 | } |
4281 | | |
4282 | | static int certificate_type_exists(uint8_t *list, size_t count, uint8_t desired_type) |
4283 | 0 | { |
4284 | | /* empty type list means that we default to x509 */ |
4285 | 0 | if (desired_type == PTLS_CERTIFICATE_TYPE_X509 && count == 0) |
4286 | 0 | return 1; |
4287 | 0 | for (size_t i = 0; i < count; i++) { |
4288 | 0 | if (list[i] == desired_type) |
4289 | 0 | return 1; |
4290 | 0 | } |
4291 | 0 | return 0; |
4292 | 0 | } |
4293 | | |
4294 | | static int server_handle_hello(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, |
4295 | | ptls_handshake_properties_t *properties) |
4296 | 0 | { |
4297 | 0 | #define EMIT_SERVER_HELLO(sched, fill_rand, extensions, post_action) \ |
4298 | 0 | do { \ |
4299 | 0 | size_t sh_start_off; \ |
4300 | 0 | ptls_push_message(emitter, NULL, PTLS_HANDSHAKE_TYPE_SERVER_HELLO, { \ |
4301 | 0 | sh_start_off = emitter->buf->off - PTLS_HANDSHAKE_HEADER_SIZE; \ |
4302 | 0 | ptls_buffer_push16(emitter->buf, 0x0303 /* legacy version */); \ |
4303 | 0 | if ((ret = ptls_buffer_reserve(emitter->buf, PTLS_HELLO_RANDOM_SIZE)) != 0) \ |
4304 | 0 | goto Exit; \ |
4305 | 0 | do { \ |
4306 | 0 | fill_rand \ |
4307 | 0 | } while (0); \ |
4308 | 0 | emitter->buf->off += PTLS_HELLO_RANDOM_SIZE; \ |
4309 | 0 | ptls_buffer_push_block(emitter->buf, 1, \ |
4310 | 0 | { ptls_buffer_pushv(emitter->buf, ch->legacy_session_id.base, ch->legacy_session_id.len); }); \ |
4311 | 0 | ptls_buffer_push16(emitter->buf, tls->cipher_suite->id); \ |
4312 | 0 | ptls_buffer_push(emitter->buf, 0); \ |
4313 | 0 | ptls_buffer_push_block(emitter->buf, 2, { \ |
4314 | 0 | buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS, \ |
4315 | 0 | { ptls_buffer_push16(emitter->buf, ch->selected_version); }); \ |
4316 | 0 | do { \ |
4317 | 0 | extensions \ |
4318 | 0 | } while (0); \ |
4319 | 0 | }); \ |
4320 | 0 | }); \ |
4321 | 0 | do { \ |
4322 | 0 | post_action \ |
4323 | 0 | } while (0); \ |
4324 | 0 | ptls__key_schedule_update_hash((sched), emitter->buf->base + sh_start_off, emitter->buf->off - sh_start_off, 0); \ |
4325 | 0 | } while (0) |
4326 | |
|
4327 | 0 | #define EMIT_HELLO_RETRY_REQUEST(sched, negotiated_group, additional_extensions, post_action) \ |
4328 | 0 | EMIT_SERVER_HELLO((sched), { memcpy(emitter->buf->base + emitter->buf->off, hello_retry_random, PTLS_HELLO_RANDOM_SIZE); }, \ |
4329 | 0 | { \ |
4330 | 0 | ptls_key_exchange_algorithm_t *_negotiated_group = (negotiated_group); \ |
4331 | 0 | if (_negotiated_group != NULL) { \ |
4332 | 0 | buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_KEY_SHARE, \ |
4333 | 0 | { ptls_buffer_push16(emitter->buf, _negotiated_group->id); }); \ |
4334 | 0 | } \ |
4335 | 0 | do { \ |
4336 | 0 | additional_extensions \ |
4337 | 0 | } while (0); \ |
4338 | 0 | }, \ |
4339 | 0 | post_action) |
4340 | 0 | struct st_ptls_client_hello_t *ch; |
4341 | 0 | struct { |
4342 | 0 | ptls_key_exchange_algorithm_t *algorithm; |
4343 | 0 | ptls_iovec_t peer_key; |
4344 | 0 | } key_share = {NULL}; |
4345 | 0 | struct { |
4346 | 0 | uint8_t *encoded_ch_inner; |
4347 | 0 | uint8_t *ch_outer_aad; |
4348 | 0 | ptls_buffer_t ch_inner; |
4349 | 0 | } ech = {NULL}; |
4350 | 0 | enum { HANDSHAKE_MODE_FULL, HANDSHAKE_MODE_PSK, HANDSHAKE_MODE_PSK_DHE } mode; |
4351 | 0 | size_t psk_index = SIZE_MAX; |
4352 | 0 | ptls_iovec_t pubkey = {0}, ecdh_secret = {0}; |
4353 | 0 | int accept_early_data = 0, is_second_flight = tls->state == PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO, ret; |
4354 | |
|
4355 | 0 | ptls_buffer_init(&ech.ch_inner, "", 0); |
4356 | |
|
4357 | 0 | if ((ch = malloc(sizeof(*ch))) == NULL) { |
4358 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
4359 | 0 | goto Exit; |
4360 | 0 | } |
4361 | | |
4362 | 0 | *ch = (struct st_ptls_client_hello_t){.unknown_extensions = {{UINT16_MAX}}}; |
4363 | | |
4364 | | /* decode ClientHello */ |
4365 | 0 | if ((ret = decode_client_hello(tls->ctx, ch, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len, properties, |
4366 | 0 | tls)) != 0) |
4367 | 0 | goto Exit; |
4368 | 0 | if ((ret = check_client_hello_constraints(tls->ctx, ch, is_second_flight ? tls->client_random : NULL, 0, message, tls)) != 0) |
4369 | 0 | goto Exit; |
4370 | 0 | if (!is_second_flight) { |
4371 | 0 | memcpy(tls->client_random, ch->random_bytes, PTLS_HELLO_RANDOM_SIZE); |
4372 | 0 | log_client_random(tls); |
4373 | 0 | } else { |
4374 | | /* consistency check for ECH extension in response to HRR */ |
4375 | 0 | if (tls->ech.aead != NULL) { |
4376 | 0 | if (ch->ech.payload.base == NULL) { |
4377 | 0 | ret = PTLS_ALERT_MISSING_EXTENSION; |
4378 | 0 | goto Exit; |
4379 | 0 | } |
4380 | 0 | if (!(ch->ech.config_id == tls->ech.config_id && ch->ech.cipher_suite.kdf == tls->ech.cipher->id.kdf && |
4381 | 0 | ch->ech.cipher_suite.aead == tls->ech.cipher->id.aead && ch->ech.enc.len == 0)) { |
4382 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
4383 | 0 | goto Exit; |
4384 | 0 | } |
4385 | 0 | } |
4386 | 0 | } |
4387 | | |
4388 | | /* ECH */ |
4389 | 0 | if (ch->ech.payload.base != NULL) { |
4390 | 0 | if (ch->ech.type != PTLS_ECH_CLIENT_HELLO_TYPE_OUTER) { |
4391 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
4392 | 0 | goto Exit; |
4393 | 0 | } |
4394 | 0 | if (!is_second_flight) |
4395 | 0 | tls->ech.offered = 1; |
4396 | | /* obtain AEAD context for opening inner CH */ |
4397 | 0 | if (!is_second_flight && ch->ech.payload.base != NULL && tls->ctx->ech.server.create_opener != NULL) { |
4398 | 0 | if ((tls->ech.aead = tls->ctx->ech.server.create_opener->cb( |
4399 | 0 | tls->ctx->ech.server.create_opener, &tls->ech.kem, &tls->ech.cipher, tls, ch->ech.config_id, |
4400 | 0 | ch->ech.cipher_suite, ch->ech.enc, ptls_iovec_init(ech_info_prefix, sizeof(ech_info_prefix)))) != NULL) |
4401 | 0 | tls->ech.config_id = ch->ech.config_id; |
4402 | 0 | } |
4403 | 0 | if (!is_second_flight) { |
4404 | 0 | PTLS_PROBE(ECH_SELECTION, tls, tls->ech.aead != NULL); |
4405 | 0 | PTLS_LOG_CONN(ech_selection, tls, { PTLS_LOG_ELEMENT_BOOL(is_ech, tls->ech.aead != NULL); }); |
4406 | 0 | } |
4407 | 0 | if (tls->ech.aead != NULL) { |
4408 | | /* now that AEAD context is available, create AAD and decrypt inner CH */ |
4409 | 0 | if ((ech.encoded_ch_inner = malloc(ch->ech.payload.len - tls->ech.aead->algo->tag_size)) == NULL || |
4410 | 0 | (ech.ch_outer_aad = malloc(message.len - PTLS_HANDSHAKE_HEADER_SIZE)) == NULL) { |
4411 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
4412 | 0 | goto Exit; |
4413 | 0 | } |
4414 | 0 | memcpy(ech.ch_outer_aad, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.len - PTLS_HANDSHAKE_HEADER_SIZE); |
4415 | 0 | memset(ech.ch_outer_aad + (ch->ech.payload.base - (message.base + PTLS_HANDSHAKE_HEADER_SIZE)), 0, ch->ech.payload.len); |
4416 | 0 | if (ptls_aead_decrypt(tls->ech.aead, ech.encoded_ch_inner, ch->ech.payload.base, ch->ech.payload.len, is_second_flight, |
4417 | 0 | ech.ch_outer_aad, message.len - PTLS_HANDSHAKE_HEADER_SIZE) != SIZE_MAX) { |
4418 | 0 | tls->ech.accepted = 1; |
4419 | | /* successfully decrypted EncodedCHInner, build CHInner */ |
4420 | 0 | if ((ret = rebuild_ch_inner(&ech.ch_inner, ech.encoded_ch_inner, |
4421 | 0 | ech.encoded_ch_inner + ch->ech.payload.len - tls->ech.aead->algo->tag_size, ch, |
4422 | 0 | message.base + PTLS_HANDSHAKE_HEADER_SIZE + ch->first_extension_at, |
4423 | 0 | message.base + message.len)) != 0) |
4424 | 0 | goto Exit; |
4425 | | /* treat inner ch as the message being received, re-decode it */ |
4426 | 0 | message = ptls_iovec_init(ech.ch_inner.base, ech.ch_inner.off); |
4427 | 0 | *ch = (struct st_ptls_client_hello_t){.unknown_extensions = {{UINT16_MAX}}}; |
4428 | 0 | if ((ret = decode_client_hello(tls->ctx, ch, ech.ch_inner.base + PTLS_HANDSHAKE_HEADER_SIZE, |
4429 | 0 | ech.ch_inner.base + ech.ch_inner.off, properties, tls)) != 0) |
4430 | 0 | goto Exit; |
4431 | 0 | if ((ret = check_client_hello_constraints(tls->ctx, ch, is_second_flight ? tls->ech.inner_client_random : NULL, 1, |
4432 | 0 | message, tls)) != 0) |
4433 | 0 | goto Exit; |
4434 | 0 | if (!is_second_flight) |
4435 | 0 | memcpy(tls->ech.inner_client_random, ch->random_bytes, PTLS_HELLO_RANDOM_SIZE); |
4436 | 0 | } else if (is_second_flight) { |
4437 | | /* decryption failure of inner CH in 2nd CH is fatal */ |
4438 | 0 | ret = PTLS_ALERT_DECRYPT_ERROR; |
4439 | 0 | goto Exit; |
4440 | 0 | } else { |
4441 | | /* decryption failure of 1st CH indicates key mismatch; dispose of AEAD context to indicate adoption of outerCH */ |
4442 | 0 | ptls_aead_free(tls->ech.aead); |
4443 | 0 | tls->ech.aead = NULL; |
4444 | 0 | } |
4445 | 0 | } |
4446 | 0 | } else if (tls->ech.offered) { |
4447 | 0 | assert(is_second_flight); |
4448 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
4449 | 0 | goto Exit; |
4450 | 0 | } |
4451 | | |
4452 | 0 | if (tls->ctx->require_dhe_on_psk) |
4453 | 0 | ch->psk.ke_modes &= ~(1u << PTLS_PSK_KE_MODE_PSK); |
4454 | | |
4455 | | /* handle client_random, legacy_session_id, SNI, ESNI */ |
4456 | 0 | if (!is_second_flight) { |
4457 | 0 | if (ch->legacy_session_id.len != 0) |
4458 | 0 | tls->send_change_cipher_spec = 1; |
4459 | 0 | ptls_iovec_t server_name = {NULL}; |
4460 | 0 | if (ch->server_name.base != NULL) |
4461 | 0 | server_name = ch->server_name; |
4462 | 0 | if ((ret = call_on_client_hello_cb(tls, server_name, message, ch->cipher_suites, ch->alpn.list, ch->alpn.count, |
4463 | 0 | ch->signature_algorithms.list, ch->signature_algorithms.count, |
4464 | 0 | ch->cert_compression_algos.list, ch->cert_compression_algos.count, |
4465 | 0 | ch->server_certificate_types.list, ch->server_certificate_types.count, |
4466 | 0 | ch->psk.identities.list, ch->psk.identities.count, 0)) != 0) |
4467 | 0 | goto Exit; |
4468 | 0 | if (!certificate_type_exists(ch->server_certificate_types.list, ch->server_certificate_types.count, |
4469 | 0 | tls->ctx->use_raw_public_keys ? PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY |
4470 | 0 | : PTLS_CERTIFICATE_TYPE_X509)) { |
4471 | 0 | ret = PTLS_ALERT_UNSUPPORTED_CERTIFICATE; |
4472 | 0 | goto Exit; |
4473 | 0 | } |
4474 | 0 | } else { |
4475 | 0 | if (ch->psk.early_data_indication) { |
4476 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
4477 | 0 | goto Exit; |
4478 | 0 | } |
4479 | | /* We compare SNI only when the value is saved by the on_client_hello callback. This should be OK because we are |
4480 | | * ignoring the value unless the callback saves the server-name. */ |
4481 | 0 | if (tls->server_name != NULL) { |
4482 | 0 | size_t l = strlen(tls->server_name); |
4483 | 0 | if (!(ch->server_name.len == l && memcmp(ch->server_name.base, tls->server_name, l) == 0)) { |
4484 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
4485 | 0 | goto Exit; |
4486 | 0 | } |
4487 | 0 | } |
4488 | 0 | } |
4489 | | |
4490 | 0 | { /* select (or check) cipher-suite, create key_schedule */ |
4491 | 0 | ptls_cipher_suite_t *cs; |
4492 | 0 | if ((ret = select_cipher(&cs, tls->ctx->cipher_suites, ch->cipher_suites.base, |
4493 | 0 | ch->cipher_suites.base + ch->cipher_suites.len, tls->ctx->server_cipher_preference, |
4494 | 0 | tls->ctx->server_cipher_chacha_priority, tls->ctx->pre_shared_key.hash)) != 0) |
4495 | 0 | goto Exit; |
4496 | 0 | if (!is_second_flight) { |
4497 | 0 | tls->cipher_suite = cs; |
4498 | 0 | if ((tls->key_schedule = key_schedule_new(cs, NULL, 0)) == NULL) { |
4499 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
4500 | 0 | goto Exit; |
4501 | 0 | } |
4502 | 0 | } else { |
4503 | 0 | if (tls->cipher_suite != cs) { |
4504 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
4505 | 0 | goto Exit; |
4506 | 0 | } |
4507 | 0 | } |
4508 | 0 | } |
4509 | | |
4510 | | /* select key_share */ |
4511 | 0 | if (key_share.algorithm == NULL && ch->key_shares.base != NULL && tls->ctx->key_exchanges != NULL) { |
4512 | 0 | const uint8_t *src = ch->key_shares.base, *const end = src + ch->key_shares.len; |
4513 | 0 | ptls_decode_block(src, end, 2, { |
4514 | 0 | if ((ret = select_key_share(&key_share.algorithm, &key_share.peer_key, tls->ctx->key_exchanges, &src, end, 0)) != 0) |
4515 | 0 | goto Exit; |
4516 | 0 | }); |
4517 | 0 | } |
4518 | | |
4519 | 0 | if (!is_second_flight) { |
4520 | 0 | if (ch->cookie.all.len != 0 && key_share.algorithm != NULL) { |
4521 | |
|
4522 | 0 | { /* use cookie to check the integrity of the handshake, and update the context */ |
4523 | 0 | uint8_t sig[PTLS_MAX_DIGEST_SIZE]; |
4524 | 0 | size_t sigsize = tls->ctx->cipher_suites[0]->hash->digest_size; |
4525 | 0 | if ((ret = calc_cookie_signature(tls, properties, key_share.algorithm, ch->cookie.tbs, sig)) != 0) |
4526 | 0 | goto Exit; |
4527 | 0 | if (!(ch->cookie.signature.len == sigsize && ptls_mem_equal(ch->cookie.signature.base, sig, sigsize))) { |
4528 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
4529 | 0 | goto Exit; |
4530 | 0 | } |
4531 | 0 | } |
4532 | | /* integrity check passed; update states */ |
4533 | 0 | key_schedule_update_ch1hash_prefix(tls->key_schedule); |
4534 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, ch->cookie.ch1_hash.base, ch->cookie.ch1_hash.len, 0); |
4535 | 0 | key_schedule_extract(tls->key_schedule, |
4536 | 0 | tls->ctx->pre_shared_key.secret /* this argument will be a zero-length vector unless external PSK |
4537 | 0 | is used, and that's fine; we never resume when sending HRR */); |
4538 | | /* ... reusing sendbuf to rebuild HRR for hash calculation */ |
4539 | 0 | size_t hrr_start = emitter->buf->off; |
4540 | 0 | EMIT_HELLO_RETRY_REQUEST(tls->key_schedule, ch->cookie.sent_key_share ? key_share.algorithm : NULL, |
4541 | 0 | { |
4542 | 0 | buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_COOKIE, { |
4543 | 0 | ptls_buffer_pushv(emitter->buf, ch->cookie.all.base, ch->cookie.all.len); |
4544 | 0 | }); |
4545 | 0 | }, |
4546 | 0 | {}); |
4547 | 0 | emitter->buf->off = hrr_start; |
4548 | 0 | is_second_flight = 1; |
4549 | |
|
4550 | 0 | } else if (ch->key_shares.base != NULL && tls->ctx->key_exchanges != NULL && |
4551 | 0 | (key_share.algorithm == NULL || (properties != NULL && properties->server.enforce_retry))) { |
4552 | | /* send HelloRetryRequest, when trying to negotiate the key share but enforced by config or upon key-share mismatch */ |
4553 | 0 | if (ch->negotiated_groups.base == NULL) { |
4554 | 0 | ret = PTLS_ALERT_MISSING_EXTENSION; |
4555 | 0 | goto Exit; |
4556 | 0 | } |
4557 | 0 | ptls_key_exchange_algorithm_t *negotiated_group; |
4558 | 0 | if ((ret = select_negotiated_group(&negotiated_group, tls->ctx->key_exchanges, ch->negotiated_groups.base, |
4559 | 0 | ch->negotiated_groups.base + ch->negotiated_groups.len)) != 0) |
4560 | 0 | goto Exit; |
4561 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
4562 | 0 | assert(tls->key_schedule->generation == 0); |
4563 | | |
4564 | | /* Either send a stateless retry (w. cookies) or a stateful one. When sending the latter, run the state machine. At the |
4565 | | * moment, stateless retry is disabled when ECH is used (do we need to support it?). */ |
4566 | 0 | int retry_uses_cookie = |
4567 | 0 | properties != NULL && properties->server.retry_uses_cookie && !ptls_is_ech_handshake(tls, NULL, NULL, NULL); |
4568 | 0 | if (!retry_uses_cookie) { |
4569 | 0 | key_schedule_transform_post_ch1hash(tls->key_schedule); |
4570 | 0 | key_schedule_extract(tls->key_schedule, tls->ctx->pre_shared_key.secret /* see comment above */); |
4571 | 0 | } |
4572 | 0 | size_t ech_confirm_off = 0; |
4573 | 0 | EMIT_HELLO_RETRY_REQUEST( |
4574 | 0 | tls->key_schedule, key_share.algorithm != NULL ? NULL : negotiated_group, |
4575 | 0 | { |
4576 | 0 | ptls_buffer_t *sendbuf = emitter->buf; |
4577 | 0 | if (ptls_is_ech_handshake(tls, NULL, NULL, NULL)) { |
4578 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, { |
4579 | 0 | if ((ret = ptls_buffer_reserve(sendbuf, PTLS_ECH_CONFIRM_LENGTH)) != 0) |
4580 | 0 | goto Exit; |
4581 | 0 | memset(sendbuf->base + sendbuf->off, 0, PTLS_ECH_CONFIRM_LENGTH); |
4582 | 0 | ech_confirm_off = sendbuf->off; |
4583 | 0 | sendbuf->off += PTLS_ECH_CONFIRM_LENGTH; |
4584 | 0 | }); |
4585 | 0 | } |
4586 | 0 | if (retry_uses_cookie) { |
4587 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_COOKIE, { |
4588 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4589 | | /* push to-be-signed data */ |
4590 | 0 | size_t tbs_start = sendbuf->off; |
4591 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4592 | | /* first block of the cookie data is the hash(ch1) */ |
4593 | 0 | ptls_buffer_push_block(sendbuf, 1, { |
4594 | 0 | size_t sz = tls->cipher_suite->hash->digest_size; |
4595 | 0 | if ((ret = ptls_buffer_reserve(sendbuf, sz)) != 0) |
4596 | 0 | goto Exit; |
4597 | 0 | key_schedule_extract_ch1hash(tls->key_schedule, sendbuf->base + sendbuf->off); |
4598 | 0 | sendbuf->off += sz; |
4599 | 0 | }); |
4600 | | /* second is if we have sent key_share extension */ |
4601 | 0 | ptls_buffer_push(sendbuf, key_share.algorithm == NULL); |
4602 | | /* we can add more data here */ |
4603 | 0 | }); |
4604 | 0 | size_t tbs_len = sendbuf->off - tbs_start; |
4605 | | /* push the signature */ |
4606 | 0 | ptls_buffer_push_block(sendbuf, 1, { |
4607 | 0 | size_t sz = tls->ctx->cipher_suites[0]->hash->digest_size; |
4608 | 0 | if ((ret = ptls_buffer_reserve(sendbuf, sz)) != 0) |
4609 | 0 | goto Exit; |
4610 | 0 | if ((ret = calc_cookie_signature(tls, properties, negotiated_group, |
4611 | 0 | ptls_iovec_init(sendbuf->base + tbs_start, tbs_len), |
4612 | 0 | sendbuf->base + sendbuf->off)) != 0) |
4613 | 0 | goto Exit; |
4614 | 0 | sendbuf->off += sz; |
4615 | 0 | }); |
4616 | 0 | }); |
4617 | 0 | }); |
4618 | 0 | } |
4619 | 0 | }, |
4620 | 0 | { |
4621 | 0 | if (ech_confirm_off != 0 && |
4622 | 0 | (ret = ech_calc_confirmation( |
4623 | 0 | tls->key_schedule, emitter->buf->base + ech_confirm_off, tls->ech.inner_client_random, |
4624 | 0 | ECH_CONFIRMATION_HRR, |
4625 | 0 | ptls_iovec_init(emitter->buf->base + sh_start_off, emitter->buf->off - sh_start_off))) != 0) |
4626 | 0 | goto Exit; |
4627 | 0 | }); |
4628 | 0 | if (retry_uses_cookie) { |
4629 | 0 | if ((ret = push_change_cipher_spec(tls, emitter)) != 0) |
4630 | 0 | goto Exit; |
4631 | 0 | ret = PTLS_ERROR_STATELESS_RETRY; |
4632 | 0 | } else { |
4633 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO; |
4634 | 0 | if (ch->psk.early_data_indication) |
4635 | 0 | tls->server.early_data_skipped_bytes = 0; |
4636 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
4637 | 0 | } |
4638 | 0 | goto Exit; |
4639 | 0 | } |
4640 | 0 | } |
4641 | | |
4642 | | /* handle unknown extensions */ |
4643 | 0 | if ((ret = report_unknown_extensions(tls, properties, ch->unknown_extensions)) != 0) |
4644 | 0 | goto Exit; |
4645 | | |
4646 | | /* try psk handshake */ |
4647 | 0 | if (ch->psk.hash_end != 0 && (ch->psk.ke_modes & ((1u << PTLS_PSK_KE_MODE_PSK) | (1u << PTLS_PSK_KE_MODE_PSK_DHE))) != 0 && |
4648 | 0 | !tls->ctx->require_client_authentication && |
4649 | 0 | ((!is_second_flight && tls->ctx->encrypt_ticket != NULL) || tls->ctx->pre_shared_key.identity.base != NULL)) { |
4650 | 0 | if ((ret = try_psk_handshake(tls, &psk_index, &accept_early_data, ch, |
4651 | 0 | ptls_iovec_init(message.base, ch->psk.hash_end - message.base), is_second_flight)) != 0) { |
4652 | 0 | goto Exit; |
4653 | 0 | } |
4654 | 0 | } |
4655 | | |
4656 | | /* If the server was setup to use an external PSK but failed to agree, abort the handshake. Because external PSK is a form of |
4657 | | * mutual authentication, it makes sense to abort (at least as the default). */ |
4658 | 0 | if (tls->ctx->pre_shared_key.identity.base != NULL && psk_index == SIZE_MAX) { |
4659 | 0 | ret = PTLS_ALERT_UNKNOWN_PSK_IDENTITY; |
4660 | 0 | goto Exit; |
4661 | 0 | } |
4662 | | |
4663 | | /* If client authentication is enabled, we always force a full handshake. |
4664 | | * TODO: Check for `post_handshake_auth` extension and if that is present, do not force full handshake! |
4665 | | * Remove also the check `!require_client_authentication` above. |
4666 | | * |
4667 | | * adjust key_schedule, determine handshake mode |
4668 | | */ |
4669 | 0 | if (psk_index == SIZE_MAX || tls->ctx->require_client_authentication) { |
4670 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
4671 | 0 | if (!is_second_flight) { |
4672 | 0 | assert(tls->key_schedule->generation == 0); |
4673 | 0 | key_schedule_extract(tls->key_schedule, ptls_iovec_init(NULL, 0)); |
4674 | 0 | } |
4675 | 0 | mode = HANDSHAKE_MODE_FULL; |
4676 | 0 | if (properties != NULL) |
4677 | 0 | properties->server.selected_psk_binder.len = 0; |
4678 | 0 | } else { |
4679 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, ch->psk.hash_end, message.base + message.len - ch->psk.hash_end, 0); |
4680 | 0 | if ((ch->psk.ke_modes & (1u << PTLS_PSK_KE_MODE_PSK)) != 0) { |
4681 | 0 | mode = HANDSHAKE_MODE_PSK; |
4682 | 0 | } else { |
4683 | 0 | assert((ch->psk.ke_modes & (1u << PTLS_PSK_KE_MODE_PSK_DHE)) != 0); |
4684 | 0 | mode = HANDSHAKE_MODE_PSK_DHE; |
4685 | 0 | } |
4686 | 0 | tls->is_psk_handshake = 1; |
4687 | 0 | if (properties != NULL) { |
4688 | 0 | ptls_iovec_t *selected = &ch->psk.identities.list[psk_index].binder; |
4689 | 0 | memcpy(properties->server.selected_psk_binder.base, selected->base, selected->len); |
4690 | 0 | properties->server.selected_psk_binder.len = selected->len; |
4691 | 0 | } |
4692 | 0 | } |
4693 | | |
4694 | | /* determine number of tickets to send */ |
4695 | 0 | if (ch->psk.ke_modes != 0 && tls->ctx->ticket_lifetime != 0) { |
4696 | 0 | if (ch->ticket_request.new_session_count != 0) { |
4697 | 0 | tls->server.num_tickets_to_send = |
4698 | 0 | tls->is_psk_handshake ? ch->ticket_request.resumption_count : ch->ticket_request.new_session_count; |
4699 | 0 | } else { |
4700 | 0 | tls->server.num_tickets_to_send = 1; |
4701 | 0 | } |
4702 | 0 | uint8_t max_tickets = tls->ctx->ticket_requests.server.max_count; |
4703 | 0 | if (max_tickets == 0) |
4704 | 0 | max_tickets = PTLS_DEFAULT_MAX_TICKETS_TO_SERVE; |
4705 | 0 | if (tls->server.num_tickets_to_send > max_tickets) |
4706 | 0 | tls->server.num_tickets_to_send = max_tickets; |
4707 | 0 | } else { |
4708 | 0 | tls->server.num_tickets_to_send = 0; |
4709 | 0 | } |
4710 | |
|
4711 | 0 | if (accept_early_data && tls->ctx->max_early_data_size != 0 && psk_index == 0) { |
4712 | 0 | if ((tls->pending_handshake_secret = malloc(PTLS_MAX_DIGEST_SIZE)) == NULL) { |
4713 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
4714 | 0 | goto Exit; |
4715 | 0 | } |
4716 | 0 | if ((ret = derive_exporter_secret(tls, 1)) != 0) |
4717 | 0 | goto Exit; |
4718 | 0 | if ((ret = setup_traffic_protection(tls, 0, "c e traffic", 1, 0, 0)) != 0) |
4719 | 0 | goto Exit; |
4720 | 0 | } |
4721 | | |
4722 | | /* run key-exchange, to obtain pubkey and secret */ |
4723 | 0 | if (mode != HANDSHAKE_MODE_PSK) { |
4724 | 0 | if (key_share.algorithm == NULL) { |
4725 | 0 | ret = ch->key_shares.base != NULL ? PTLS_ALERT_HANDSHAKE_FAILURE : PTLS_ALERT_MISSING_EXTENSION; |
4726 | 0 | goto Exit; |
4727 | 0 | } |
4728 | 0 | if ((ret = key_share.algorithm->exchange(key_share.algorithm, &pubkey, &ecdh_secret, key_share.peer_key)) != 0) { |
4729 | 0 | assert(pubkey.base == NULL); |
4730 | 0 | assert(ecdh_secret.base == NULL); |
4731 | 0 | goto Exit; |
4732 | 0 | } |
4733 | 0 | tls->key_share = key_share.algorithm; |
4734 | 0 | } |
4735 | | |
4736 | 0 | { /* send ServerHello */ |
4737 | 0 | size_t ech_confirm_off = 0; |
4738 | 0 | EMIT_SERVER_HELLO( |
4739 | 0 | tls->key_schedule, |
4740 | 0 | { |
4741 | 0 | tls->ctx->random_bytes(emitter->buf->base + emitter->buf->off, PTLS_HELLO_RANDOM_SIZE); |
4742 | | /* when accepting CHInner, last 8 byte of SH.random is zero for the handshake transcript */ |
4743 | 0 | if (ptls_is_ech_handshake(tls, NULL, NULL, NULL)) { |
4744 | 0 | ech_confirm_off = emitter->buf->off + PTLS_HELLO_RANDOM_SIZE - PTLS_ECH_CONFIRM_LENGTH; |
4745 | 0 | memset(emitter->buf->base + ech_confirm_off, 0, PTLS_ECH_CONFIRM_LENGTH); |
4746 | 0 | } |
4747 | 0 | }, |
4748 | 0 | { |
4749 | 0 | ptls_buffer_t *sendbuf = emitter->buf; |
4750 | 0 | if (mode != HANDSHAKE_MODE_PSK) { |
4751 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_KEY_SHARE, { |
4752 | 0 | ptls_buffer_push16(sendbuf, key_share.algorithm->id); |
4753 | 0 | ptls_buffer_push_block(sendbuf, 2, { ptls_buffer_pushv(sendbuf, pubkey.base, pubkey.len); }); |
4754 | 0 | }); |
4755 | 0 | } |
4756 | 0 | if (mode != HANDSHAKE_MODE_FULL) { |
4757 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_PRE_SHARED_KEY, |
4758 | 0 | { ptls_buffer_push16(sendbuf, (uint16_t)psk_index); }); |
4759 | 0 | } |
4760 | 0 | }, |
4761 | 0 | { |
4762 | 0 | if (ech_confirm_off != 0 && |
4763 | 0 | (ret = ech_calc_confirmation( |
4764 | 0 | tls->key_schedule, emitter->buf->base + ech_confirm_off, tls->ech.inner_client_random, |
4765 | 0 | ECH_CONFIRMATION_SERVER_HELLO, |
4766 | 0 | ptls_iovec_init(emitter->buf->base + sh_start_off, emitter->buf->off - sh_start_off))) != 0) |
4767 | 0 | goto Exit; |
4768 | 0 | }); |
4769 | 0 | } |
4770 | | |
4771 | | /* processing of ECH is complete; dispose state */ |
4772 | 0 | clear_ech(&tls->ech, 1); |
4773 | |
|
4774 | 0 | if ((ret = push_change_cipher_spec(tls, emitter)) != 0) |
4775 | 0 | goto Exit; |
4776 | | |
4777 | | /* create protection contexts for the handshake */ |
4778 | 0 | assert(tls->key_schedule->generation == 1); |
4779 | 0 | key_schedule_extract(tls->key_schedule, ecdh_secret); |
4780 | 0 | if ((ret = setup_traffic_protection(tls, 1, "s hs traffic", 2, 0, 0)) != 0) |
4781 | 0 | goto Exit; |
4782 | 0 | if (tls->pending_handshake_secret != NULL) { |
4783 | 0 | if ((ret = derive_secret(tls->key_schedule, tls->pending_handshake_secret, "c hs traffic")) != 0) |
4784 | 0 | goto Exit; |
4785 | 0 | if (tls->ctx->update_traffic_key != NULL && |
4786 | 0 | (ret = tls->ctx->update_traffic_key->cb(tls->ctx->update_traffic_key, tls, 0, 2, tls->pending_handshake_secret)) != 0) |
4787 | 0 | goto Exit; |
4788 | 0 | } else { |
4789 | 0 | if ((ret = setup_traffic_protection(tls, 0, "c hs traffic", 2, 0, 0)) != 0) |
4790 | 0 | goto Exit; |
4791 | 0 | if (ch->psk.early_data_indication) |
4792 | 0 | tls->server.early_data_skipped_bytes = 0; |
4793 | 0 | } |
4794 | | |
4795 | | /* send EncryptedExtensions */ |
4796 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS, { |
4797 | 0 | ptls_buffer_t *sendbuf = emitter->buf; |
4798 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4799 | 0 | if (tls->server_name != NULL) { |
4800 | | /* In this event, the server SHALL include an extension of type "server_name" in the (extended) server hello. |
4801 | | * The "extension_data" field of this extension SHALL be empty. (RFC 6066 section 3) */ |
4802 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_NAME, {}); |
4803 | 0 | } |
4804 | 0 | if (tls->ctx->use_raw_public_keys) { |
4805 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE, |
4806 | 0 | { ptls_buffer_push(sendbuf, PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY); }); |
4807 | 0 | } |
4808 | 0 | if (tls->negotiated_protocol != NULL) { |
4809 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ALPN, { |
4810 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4811 | 0 | ptls_buffer_push_block(sendbuf, 1, { |
4812 | 0 | ptls_buffer_pushv(sendbuf, tls->negotiated_protocol, strlen(tls->negotiated_protocol)); |
4813 | 0 | }); |
4814 | 0 | }); |
4815 | 0 | }); |
4816 | 0 | } |
4817 | 0 | if (tls->pending_handshake_secret != NULL) |
4818 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_EARLY_DATA, {}); |
4819 | | /* send ECH retry_configs, if ECH was offered by rejected, even though we (the server) could have accepted ECH */ |
4820 | 0 | if (tls->ech.offered && !ptls_is_ech_handshake(tls, NULL, NULL, NULL) && tls->ctx->ech.server.create_opener != NULL && |
4821 | 0 | tls->ctx->ech.server.retry_configs.len != 0) |
4822 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, { |
4823 | 0 | ptls_buffer_pushv(sendbuf, tls->ctx->ech.server.retry_configs.base, tls->ctx->ech.server.retry_configs.len); |
4824 | 0 | }); |
4825 | 0 | if (ch->ticket_request.new_session_count != 0 && tls->server.num_tickets_to_send != 0) |
4826 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_TICKET_REQUEST, |
4827 | 0 | { ptls_buffer_push(sendbuf, tls->server.num_tickets_to_send); }); |
4828 | 0 | if ((ret = push_additional_extensions(properties, sendbuf)) != 0) |
4829 | 0 | goto Exit; |
4830 | 0 | }); |
4831 | 0 | }); |
4832 | | |
4833 | 0 | if (mode == HANDSHAKE_MODE_FULL) { |
4834 | | /* send certificate request if client authentication is activated */ |
4835 | 0 | if (tls->ctx->require_client_authentication) { |
4836 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST, { |
4837 | 0 | ptls_buffer_t *sendbuf = emitter->buf; |
4838 | | /* certificate_request_context: this field SHALL be zero length, unless the certificate request is used for post- |
4839 | | * handshake authentication. */ |
4840 | 0 | ptls_buffer_push(sendbuf, 0); |
4841 | | /* extensions */ |
4842 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4843 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS, { |
4844 | 0 | if ((ret = push_signature_algorithms(tls->ctx->verify_certificate, sendbuf)) != 0) |
4845 | 0 | goto Exit; |
4846 | 0 | }); |
4847 | | /* certificate authorities entension */ |
4848 | 0 | if (tls->ctx->client_ca_names.count > 0) { |
4849 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_CERTIFICATE_AUTHORITIES, { |
4850 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4851 | 0 | for (size_t i = 0; i != tls->ctx->client_ca_names.count; ++i) { |
4852 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4853 | 0 | ptls_iovec_t name = tls->ctx->client_ca_names.list[i]; |
4854 | 0 | ptls_buffer_pushv(sendbuf, name.base, name.len); |
4855 | 0 | }); |
4856 | 0 | } |
4857 | 0 | }); |
4858 | 0 | }); |
4859 | 0 | } |
4860 | 0 | }); |
4861 | 0 | }); |
4862 | | |
4863 | 0 | if (ret != 0) { |
4864 | 0 | goto Exit; |
4865 | 0 | } |
4866 | 0 | } |
4867 | | |
4868 | | /* send certificate */ |
4869 | 0 | if ((ret = send_certificate(tls, emitter, &ch->signature_algorithms, ptls_iovec_init(NULL, 0), ch->status_request, |
4870 | 0 | ch->cert_compression_algos.list, ch->cert_compression_algos.count)) != 0) |
4871 | 0 | goto Exit; |
4872 | | /* send certificateverify, finished, and complete the handshake */ |
4873 | 0 | if ((ret = server_finish_handshake(tls, emitter, 1, &ch->signature_algorithms)) != 0) |
4874 | 0 | goto Exit; |
4875 | 0 | } else { |
4876 | | /* send finished, and complete the handshake */ |
4877 | 0 | if ((ret = server_finish_handshake(tls, emitter, 0, NULL)) != 0) |
4878 | 0 | goto Exit; |
4879 | 0 | } |
4880 | | |
4881 | 0 | Exit: |
4882 | 0 | free(pubkey.base); |
4883 | 0 | if (ecdh_secret.base != NULL) { |
4884 | 0 | ptls_clear_memory(ecdh_secret.base, ecdh_secret.len); |
4885 | 0 | free(ecdh_secret.base); |
4886 | 0 | } |
4887 | 0 | free(ech.encoded_ch_inner); |
4888 | 0 | free(ech.ch_outer_aad); |
4889 | 0 | ptls_buffer_dispose(&ech.ch_inner); |
4890 | 0 | free(ch); |
4891 | 0 | return ret; |
4892 | |
|
4893 | 0 | #undef EMIT_SERVER_HELLO |
4894 | 0 | #undef EMIT_HELLO_RETRY_REQUEST |
4895 | 0 | } |
4896 | | |
4897 | | static int server_finish_handshake(ptls_t *tls, ptls_message_emitter_t *emitter, int send_cert_verify, |
4898 | | struct st_ptls_signature_algorithms_t *signature_algorithms) |
4899 | 0 | { |
4900 | 0 | int ret; |
4901 | |
|
4902 | 0 | if (send_cert_verify) { |
4903 | 0 | if ((ret = send_certificate_verify(tls, emitter, signature_algorithms, PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING)) != |
4904 | 0 | 0) { |
4905 | 0 | if (ret == PTLS_ERROR_ASYNC_OPERATION) { |
4906 | 0 | tls->state = PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY; |
4907 | 0 | } |
4908 | 0 | goto Exit; |
4909 | 0 | } |
4910 | 0 | } |
4911 | | |
4912 | 0 | if ((ret = send_finished(tls, emitter)) != 0) |
4913 | 0 | goto Exit; |
4914 | | |
4915 | 0 | assert(tls->key_schedule->generation == 2); |
4916 | 0 | if ((ret = key_schedule_extract(tls->key_schedule, ptls_iovec_init(NULL, 0))) != 0) |
4917 | 0 | goto Exit; |
4918 | 0 | if ((ret = setup_traffic_protection(tls, 1, "s ap traffic", 3, 0, 0)) != 0) |
4919 | 0 | goto Exit; |
4920 | 0 | if ((ret = derive_secret(tls->key_schedule, tls->server.pending_traffic_secret, "c ap traffic")) != 0) |
4921 | 0 | goto Exit; |
4922 | 0 | if ((ret = derive_exporter_secret(tls, 0)) != 0) |
4923 | 0 | goto Exit; |
4924 | | |
4925 | 0 | if (tls->pending_handshake_secret != NULL) { |
4926 | 0 | if (tls->ctx->omit_end_of_early_data) { |
4927 | 0 | if ((ret = commission_handshake_secret(tls)) != 0) |
4928 | 0 | goto Exit; |
4929 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
4930 | 0 | } else { |
4931 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA; |
4932 | 0 | } |
4933 | 0 | } else if (tls->ctx->require_client_authentication) { |
4934 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_CERTIFICATE; |
4935 | 0 | } else { |
4936 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
4937 | 0 | } |
4938 | | |
4939 | | /* send session ticket if necessary */ |
4940 | 0 | if (tls->server.num_tickets_to_send != 0) { |
4941 | 0 | assert(tls->ctx->ticket_lifetime != 0); |
4942 | 0 | for (uint8_t i = 0; i < tls->server.num_tickets_to_send; ++i) |
4943 | 0 | if ((ret = send_session_ticket(tls, emitter)) != 0) |
4944 | 0 | goto Exit; |
4945 | 0 | } |
4946 | | |
4947 | 0 | if (tls->ctx->require_client_authentication) { |
4948 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
4949 | 0 | } else { |
4950 | 0 | ret = 0; |
4951 | 0 | } |
4952 | |
|
4953 | 0 | Exit: |
4954 | 0 | return ret; |
4955 | 0 | } |
4956 | | |
4957 | | static int server_handle_end_of_early_data(ptls_t *tls, ptls_iovec_t message) |
4958 | 0 | { |
4959 | 0 | int ret; |
4960 | |
|
4961 | 0 | if ((ret = commission_handshake_secret(tls)) != 0) |
4962 | 0 | goto Exit; |
4963 | | |
4964 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
4965 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
4966 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
4967 | |
|
4968 | 0 | Exit: |
4969 | 0 | return ret; |
4970 | 0 | } |
4971 | | |
4972 | | static int server_handle_finished(ptls_t *tls, ptls_iovec_t message) |
4973 | 0 | { |
4974 | 0 | int ret; |
4975 | |
|
4976 | 0 | if ((ret = verify_finished(tls, message)) != 0) |
4977 | 0 | return ret; |
4978 | | |
4979 | 0 | memcpy(tls->traffic_protection.dec.secret, tls->server.pending_traffic_secret, sizeof(tls->server.pending_traffic_secret)); |
4980 | 0 | ptls_clear_memory(tls->server.pending_traffic_secret, sizeof(tls->server.pending_traffic_secret)); |
4981 | 0 | if ((ret = setup_traffic_protection(tls, 0, NULL, 3, 0, 0)) != 0) |
4982 | 0 | return ret; |
4983 | | |
4984 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
4985 | |
|
4986 | 0 | tls->state = PTLS_STATE_SERVER_POST_HANDSHAKE; |
4987 | 0 | return 0; |
4988 | 0 | } |
4989 | | |
4990 | | static int update_traffic_key(ptls_t *tls, int is_enc) |
4991 | 0 | { |
4992 | 0 | struct st_ptls_traffic_protection_t *tp = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
4993 | 0 | uint8_t secret[PTLS_MAX_DIGEST_SIZE]; |
4994 | 0 | int ret; |
4995 | |
|
4996 | 0 | ptls_hash_algorithm_t *hash = tls->key_schedule->hashes[0].algo; |
4997 | 0 | if ((ret = ptls_hkdf_expand_label(hash, secret, hash->digest_size, ptls_iovec_init(tp->secret, hash->digest_size), |
4998 | 0 | "traffic upd", ptls_iovec_init(NULL, 0), NULL)) != 0) |
4999 | 0 | goto Exit; |
5000 | 0 | memcpy(tp->secret, secret, sizeof(secret)); |
5001 | 0 | ret = setup_traffic_protection(tls, is_enc, NULL, 3, 0, 1); |
5002 | |
|
5003 | 0 | Exit: |
5004 | 0 | ptls_clear_memory(secret, sizeof(secret)); |
5005 | 0 | return ret; |
5006 | 0 | } |
5007 | | |
5008 | | static int handle_key_update(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message) |
5009 | 0 | { |
5010 | 0 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
5011 | 0 | int ret; |
5012 | | |
5013 | | /* validate */ |
5014 | 0 | if (end - src != 1 || *src > 1) |
5015 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5016 | | |
5017 | | /* update receive key */ |
5018 | 0 | if ((ret = update_traffic_key(tls, 0)) != 0) |
5019 | 0 | return ret; |
5020 | | |
5021 | 0 | if (*src) { |
5022 | 0 | if (tls->ctx->update_traffic_key != NULL) |
5023 | 0 | return PTLS_ALERT_UNEXPECTED_MESSAGE; |
5024 | 0 | tls->needs_key_update = 1; |
5025 | 0 | } |
5026 | | |
5027 | 0 | return 0; |
5028 | 0 | } |
5029 | | |
5030 | | static int parse_record_header(struct st_ptls_record_t *rec, const uint8_t *src) |
5031 | 0 | { |
5032 | 0 | rec->type = src[0]; |
5033 | 0 | rec->version = ntoh16(src + 1); |
5034 | 0 | rec->length = ntoh16(src + 3); |
5035 | |
|
5036 | 0 | if (rec->length > |
5037 | 0 | (size_t)(rec->type == PTLS_CONTENT_TYPE_APPDATA ? PTLS_MAX_ENCRYPTED_RECORD_SIZE : PTLS_MAX_PLAINTEXT_RECORD_SIZE)) |
5038 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5039 | | |
5040 | 0 | return 0; |
5041 | 0 | } |
5042 | | |
5043 | | static int parse_record(ptls_t *tls, struct st_ptls_record_t *rec, const uint8_t *src, size_t *len) |
5044 | 0 | { |
5045 | 0 | int ret; |
5046 | |
|
5047 | 0 | assert(*len != 0); |
5048 | | |
5049 | | /* Check if the first byte is something that we can handle, otherwise do not bother parsing / buffering the entire record as it |
5050 | | * is obviously broken. SSL 2.0 handshakes fall into this path as well. */ |
5051 | 0 | if (tls->recvbuf.rec.base == NULL) { |
5052 | 0 | uint8_t type = src[0]; |
5053 | 0 | switch (type) { |
5054 | 0 | case PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC: |
5055 | 0 | case PTLS_CONTENT_TYPE_ALERT: |
5056 | 0 | case PTLS_CONTENT_TYPE_HANDSHAKE: |
5057 | 0 | case PTLS_CONTENT_TYPE_APPDATA: |
5058 | 0 | break; |
5059 | 0 | default: |
5060 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5061 | 0 | } |
5062 | 0 | } |
5063 | | |
5064 | 0 | if (tls->recvbuf.rec.base == NULL && *len >= 5) { |
5065 | | /* fast path */ |
5066 | 0 | if ((ret = parse_record_header(rec, src)) != 0) |
5067 | 0 | return ret; |
5068 | 0 | if (5 + rec->length <= *len) { |
5069 | 0 | rec->fragment = src + 5; |
5070 | 0 | *len = rec->length + 5; |
5071 | 0 | return 0; |
5072 | 0 | } |
5073 | 0 | } |
5074 | | |
5075 | | /* slow path */ |
5076 | 0 | const uint8_t *const end = src + *len; |
5077 | 0 | *rec = (struct st_ptls_record_t){0}; |
5078 | |
|
5079 | 0 | if (tls->recvbuf.rec.base == NULL) { |
5080 | 0 | ptls_buffer_init(&tls->recvbuf.rec, "", 0); |
5081 | 0 | if ((ret = ptls_buffer_reserve(&tls->recvbuf.rec, 5)) != 0) |
5082 | 0 | return ret; |
5083 | 0 | } |
5084 | | |
5085 | | /* fill and parse the header */ |
5086 | 0 | while (tls->recvbuf.rec.off < 5) { |
5087 | 0 | if (src == end) |
5088 | 0 | return PTLS_ERROR_IN_PROGRESS; |
5089 | 0 | tls->recvbuf.rec.base[tls->recvbuf.rec.off++] = *src++; |
5090 | 0 | } |
5091 | 0 | if ((ret = parse_record_header(rec, tls->recvbuf.rec.base)) != 0) |
5092 | 0 | return ret; |
5093 | | |
5094 | | /* fill the fragment */ |
5095 | 0 | size_t addlen = rec->length + 5 - tls->recvbuf.rec.off; |
5096 | 0 | if (addlen != 0) { |
5097 | 0 | if ((ret = ptls_buffer_reserve(&tls->recvbuf.rec, addlen)) != 0) |
5098 | 0 | return ret; |
5099 | 0 | if (addlen > (size_t)(end - src)) |
5100 | 0 | addlen = end - src; |
5101 | 0 | if (addlen != 0) { |
5102 | 0 | memcpy(tls->recvbuf.rec.base + tls->recvbuf.rec.off, src, addlen); |
5103 | 0 | tls->recvbuf.rec.off += addlen; |
5104 | 0 | src += addlen; |
5105 | 0 | } |
5106 | 0 | } |
5107 | | |
5108 | | /* set rec->fragment if a complete record has been parsed */ |
5109 | 0 | if (tls->recvbuf.rec.off == rec->length + 5) { |
5110 | 0 | rec->fragment = tls->recvbuf.rec.base + 5; |
5111 | 0 | ret = 0; |
5112 | 0 | } else { |
5113 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
5114 | 0 | } |
5115 | |
|
5116 | 0 | *len -= end - src; |
5117 | 0 | return ret; |
5118 | 0 | } |
5119 | | |
5120 | | static void update_open_count(ptls_context_t *ctx, ssize_t delta) |
5121 | 0 | { |
5122 | 0 | if (ctx->update_open_count != NULL) |
5123 | 0 | ctx->update_open_count->cb(ctx->update_open_count, delta); |
5124 | 0 | } |
5125 | | |
5126 | | static ptls_t *new_instance(ptls_context_t *ctx, int is_server) |
5127 | 0 | { |
5128 | 0 | ptls_t *tls; |
5129 | | |
5130 | | /* check consistency of `ptls_context_t` before instantiating a connection object */ |
5131 | 0 | assert(ctx->get_time != NULL && "please set ctx->get_time to `&ptls_get_time`; see #92"); |
5132 | 0 | if (ctx->pre_shared_key.identity.base != NULL) { |
5133 | 0 | assert(ctx->pre_shared_key.identity.len != 0 && ctx->pre_shared_key.secret.base != NULL && |
5134 | 0 | ctx->pre_shared_key.secret.len != 0 && ctx->pre_shared_key.hash != NULL && |
5135 | 0 | "`ptls_context_t::pre_shared_key` in incosistent state"); |
5136 | 0 | } else { |
5137 | 0 | assert(ctx->pre_shared_key.identity.len == 0 && ctx->pre_shared_key.secret.base == NULL && |
5138 | 0 | ctx->pre_shared_key.secret.len == 0 && ctx->pre_shared_key.hash == NULL && |
5139 | 0 | "`ptls_context_t::pre_shared_key` in inconsitent state"); |
5140 | 0 | } |
5141 | | |
5142 | 0 | if ((tls = malloc(sizeof(*tls))) == NULL) |
5143 | 0 | return NULL; |
5144 | | |
5145 | 0 | update_open_count(ctx, 1); |
5146 | 0 | *tls = (ptls_t){ctx}; |
5147 | 0 | tls->is_server = is_server; |
5148 | 0 | tls->send_change_cipher_spec = ctx->send_change_cipher_spec; |
5149 | |
|
5150 | 0 | #if PTLS_HAVE_LOG |
5151 | 0 | if (ptls_log_conn_state_override != NULL) { |
5152 | 0 | tls->log_state = *ptls_log_conn_state_override; |
5153 | 0 | } else { |
5154 | 0 | ptls_log_init_conn_state(&tls->log_state, ctx->random_bytes); |
5155 | 0 | } |
5156 | 0 | #endif |
5157 | |
|
5158 | 0 | return tls; |
5159 | 0 | } |
5160 | | |
5161 | | ptls_t *ptls_client_new(ptls_context_t *ctx) |
5162 | 0 | { |
5163 | 0 | ptls_t *tls = new_instance(ctx, 0); |
5164 | 0 | tls->state = PTLS_STATE_CLIENT_HANDSHAKE_START; |
5165 | 0 | tls->ctx->random_bytes(tls->client_random, sizeof(tls->client_random)); |
5166 | 0 | log_client_random(tls); |
5167 | 0 | if (tls->send_change_cipher_spec) { |
5168 | 0 | tls->client.legacy_session_id = |
5169 | 0 | ptls_iovec_init(tls->client.legacy_session_id_buf, sizeof(tls->client.legacy_session_id_buf)); |
5170 | 0 | tls->ctx->random_bytes(tls->client.legacy_session_id.base, tls->client.legacy_session_id.len); |
5171 | 0 | } |
5172 | |
|
5173 | 0 | PTLS_PROBE(NEW, tls, 0); |
5174 | 0 | PTLS_LOG_CONN(new, tls, { PTLS_LOG_ELEMENT_BOOL(is_server, 0); }); |
5175 | 0 | return tls; |
5176 | 0 | } |
5177 | | |
5178 | | ptls_t *ptls_server_new(ptls_context_t *ctx) |
5179 | 0 | { |
5180 | 0 | ptls_t *tls = new_instance(ctx, 1); |
5181 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO; |
5182 | 0 | tls->server.early_data_skipped_bytes = UINT32_MAX; |
5183 | |
|
5184 | 0 | PTLS_PROBE(NEW, tls, 1); |
5185 | 0 | PTLS_LOG_CONN(new, tls, { PTLS_LOG_ELEMENT_BOOL(is_server, 1); }); |
5186 | 0 | return tls; |
5187 | 0 | } |
5188 | | |
5189 | | #define export_tls_params(output, is_server, session_reused, protocol_version, cipher, client_random, server_name, \ |
5190 | | negotiated_protocol, ver_block) \ |
5191 | 0 | do { \ |
5192 | 0 | const char *_server_name = (server_name); \ |
5193 | 0 | ptls_iovec_t _negotiated_protocol = (negotiated_protocol); \ |
5194 | 0 | ptls_buffer_push_block((output), 2, { \ |
5195 | 0 | ptls_buffer_push((output), (is_server)); \ |
5196 | 0 | ptls_buffer_push((output), (session_reused)); \ |
5197 | 0 | ptls_buffer_push16((output), (protocol_version)); \ |
5198 | 0 | ptls_buffer_push16((output), (cipher)->id); \ |
5199 | 0 | ptls_buffer_pushv((output), (client_random), PTLS_HELLO_RANDOM_SIZE); \ |
5200 | 0 | ptls_buffer_push_block((output), 2, { \ |
5201 | 0 | size_t len = _server_name != NULL ? strlen(_server_name) : 0; \ |
5202 | 0 | ptls_buffer_pushv((output), _server_name, len); \ |
5203 | 0 | }); \ |
5204 | 0 | ptls_buffer_push_block((output), 2, \ |
5205 | 0 | { ptls_buffer_pushv((output), _negotiated_protocol.base, _negotiated_protocol.len); }); \ |
5206 | 0 | ptls_buffer_push_block((output), 2, {ver_block}); /* version-specific block */ \ |
5207 | 0 | ptls_buffer_push_block((output), 2, {}); /* for future extensions */ \ |
5208 | 0 | }); \ |
5209 | 0 | } while (0) |
5210 | | |
5211 | | static int export_tls12_params(ptls_buffer_t *output, int is_server, int session_reused, ptls_cipher_suite_t *cipher, |
5212 | | const void *client_random, const char *server_name, ptls_iovec_t negotiated_protocol, |
5213 | | const void *enc_key, const void *enc_iv, uint64_t enc_seq, uint64_t enc_record_iv, |
5214 | | const void *dec_key, const void *dec_iv, uint64_t dec_seq) |
5215 | 0 | { |
5216 | 0 | int ret; |
5217 | |
|
5218 | 0 | export_tls_params(output, is_server, session_reused, PTLS_PROTOCOL_VERSION_TLS12, cipher, client_random, server_name, |
5219 | 0 | negotiated_protocol, { |
5220 | 0 | ptls_buffer_pushv(output, enc_key, cipher->aead->key_size); |
5221 | 0 | ptls_buffer_pushv(output, enc_iv, cipher->aead->tls12.fixed_iv_size); |
5222 | 0 | ptls_buffer_push64(output, enc_seq); |
5223 | 0 | if (cipher->aead->tls12.record_iv_size != 0) |
5224 | 0 | ptls_buffer_push64(output, enc_record_iv); |
5225 | 0 | ptls_buffer_pushv(output, dec_key, cipher->aead->key_size); |
5226 | 0 | ptls_buffer_pushv(output, dec_iv, cipher->aead->tls12.fixed_iv_size); |
5227 | 0 | ptls_buffer_push64(output, dec_seq); |
5228 | 0 | }); |
5229 | 0 | ret = 0; |
5230 | |
|
5231 | 0 | Exit: |
5232 | 0 | return ret; |
5233 | 0 | } |
5234 | | |
5235 | | int ptls_build_tls12_export_params(ptls_context_t *ctx, ptls_buffer_t *output, int is_server, int session_reused, |
5236 | | ptls_cipher_suite_t *cipher, const void *master_secret, const void *hello_randoms, |
5237 | | uint64_t next_send_record_iv, const char *server_name, ptls_iovec_t negotiated_protocol) |
5238 | 0 | { |
5239 | 0 | assert(cipher->aead->tls12.fixed_iv_size + cipher->aead->tls12.record_iv_size != 0 || !"given cipher-suite supports TLS/1.2"); |
5240 | | |
5241 | 0 | uint8_t key_block[(PTLS_MAX_SECRET_SIZE + PTLS_MAX_IV_SIZE) * 2]; |
5242 | 0 | size_t key_block_len = (cipher->aead->key_size + cipher->aead->tls12.fixed_iv_size) * 2; |
5243 | 0 | int ret; |
5244 | |
|
5245 | 0 | assert(key_block_len <= sizeof(key_block)); |
5246 | | |
5247 | | /* generate key block */ |
5248 | 0 | if ((ret = |
5249 | 0 | ptls_tls12_phash(cipher->hash, key_block, key_block_len, ptls_iovec_init(master_secret, PTLS_TLS12_MASTER_SECRET_SIZE), |
5250 | 0 | "key expansion", ptls_iovec_init(hello_randoms, PTLS_HELLO_RANDOM_SIZE * 2))) != 0) |
5251 | 0 | goto Exit; |
5252 | | |
5253 | | /* determine key locations */ |
5254 | 0 | struct { |
5255 | 0 | const void *key; |
5256 | 0 | const void *iv; |
5257 | 0 | } client_secret, server_secret, *enc_secret = is_server ? &server_secret : &client_secret, |
5258 | 0 | *dec_secret = is_server ? &client_secret : &server_secret; |
5259 | 0 | client_secret.key = key_block; |
5260 | 0 | server_secret.key = key_block + cipher->aead->key_size; |
5261 | 0 | client_secret.iv = key_block + cipher->aead->key_size * 2; |
5262 | 0 | server_secret.iv = key_block + cipher->aead->key_size * 2 + cipher->aead->tls12.fixed_iv_size; |
5263 | | |
5264 | | /* Serialize prams. Sequence number of the first application record is 1, because Finished is the only message sent after |
5265 | | * ChangeCipherSpec. */ |
5266 | 0 | ret = export_tls12_params(output, is_server, session_reused, cipher, (uint8_t *)hello_randoms + PTLS_HELLO_RANDOM_SIZE, |
5267 | 0 | server_name, negotiated_protocol, enc_secret->key, enc_secret->iv, 1, next_send_record_iv, |
5268 | 0 | dec_secret->key, dec_secret->iv, 1); |
5269 | |
|
5270 | 0 | Exit: |
5271 | 0 | ptls_clear_memory(key_block, sizeof(key_block)); |
5272 | 0 | return ret; |
5273 | 0 | } |
5274 | | |
5275 | | int ptls_export(ptls_t *tls, ptls_buffer_t *output) |
5276 | 0 | { |
5277 | 0 | ptls_iovec_t negotiated_protocol = |
5278 | 0 | ptls_iovec_init(tls->negotiated_protocol, tls->negotiated_protocol != NULL ? strlen(tls->negotiated_protocol) : 0); |
5279 | 0 | int ret; |
5280 | |
|
5281 | 0 | if (tls->state != PTLS_STATE_SERVER_POST_HANDSHAKE) { |
5282 | 0 | ret = PTLS_ERROR_LIBRARY; |
5283 | 0 | goto Exit; |
5284 | 0 | } |
5285 | | |
5286 | 0 | if (ptls_get_protocol_version(tls) == PTLS_PROTOCOL_VERSION_TLS13) { |
5287 | 0 | export_tls_params(output, tls->is_server, tls->is_psk_handshake, PTLS_PROTOCOL_VERSION_TLS13, tls->cipher_suite, |
5288 | 0 | tls->client_random, tls->server_name, negotiated_protocol, { |
5289 | 0 | ptls_buffer_pushv(output, tls->traffic_protection.enc.secret, tls->cipher_suite->hash->digest_size); |
5290 | 0 | ptls_buffer_push64(output, tls->traffic_protection.enc.seq); |
5291 | 0 | ptls_buffer_pushv(output, tls->traffic_protection.dec.secret, tls->cipher_suite->hash->digest_size); |
5292 | 0 | ptls_buffer_push64(output, tls->traffic_protection.dec.seq); |
5293 | 0 | }); |
5294 | 0 | ret = 0; |
5295 | 0 | } else { |
5296 | 0 | if ((ret = export_tls12_params(output, tls->is_server, tls->is_psk_handshake, tls->cipher_suite, tls->client_random, |
5297 | 0 | tls->server_name, negotiated_protocol, tls->traffic_protection.enc.secret, |
5298 | 0 | tls->traffic_protection.enc.secret + PTLS_MAX_SECRET_SIZE, tls->traffic_protection.enc.seq, |
5299 | 0 | tls->traffic_protection.enc.tls12_enc_record_iv, tls->traffic_protection.dec.secret, |
5300 | 0 | tls->traffic_protection.dec.secret + PTLS_MAX_SECRET_SIZE, |
5301 | 0 | tls->traffic_protection.dec.seq)) != 0) |
5302 | 0 | goto Exit; |
5303 | 0 | } |
5304 | | |
5305 | 0 | Exit: |
5306 | 0 | return ret; |
5307 | 0 | } |
5308 | | |
5309 | | static int import_tls12_traffic_protection(ptls_t *tls, int is_enc, const uint8_t **src, const uint8_t *const end) |
5310 | 0 | { |
5311 | 0 | struct st_ptls_traffic_protection_t *tp = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
5312 | |
|
5313 | 0 | if ((size_t)(end - *src) < tls->cipher_suite->aead->key_size + tls->cipher_suite->aead->tls12.fixed_iv_size + sizeof(uint64_t)) |
5314 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5315 | | |
5316 | | /* set properties */ |
5317 | 0 | memcpy(tp->secret, *src, tls->cipher_suite->aead->key_size); |
5318 | 0 | *src += tls->cipher_suite->aead->key_size; |
5319 | 0 | memcpy(tp->secret + PTLS_MAX_SECRET_SIZE, *src, tls->cipher_suite->aead->tls12.fixed_iv_size); |
5320 | 0 | *src += tls->cipher_suite->aead->tls12.fixed_iv_size; |
5321 | 0 | if (ptls_decode64(&tp->seq, src, end) != 0) |
5322 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5323 | 0 | if (is_enc && tls->cipher_suite->aead->tls12.record_iv_size != 0) { |
5324 | 0 | if (ptls_decode64(&tp->tls12_enc_record_iv, src, end) != 0) |
5325 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5326 | 0 | } |
5327 | 0 | tp->tls12 = 1; |
5328 | | |
5329 | | /* instantiate aead */ |
5330 | 0 | if ((tp->aead = ptls_aead_new_direct(tls->cipher_suite->aead, is_enc, tp->secret, tp->secret + PTLS_MAX_SECRET_SIZE)) == NULL) |
5331 | 0 | return PTLS_ERROR_NO_MEMORY; |
5332 | | |
5333 | 0 | return 0; |
5334 | 0 | } |
5335 | | |
5336 | | static int import_tls13_traffic_protection(ptls_t *tls, int is_enc, const uint8_t **src, const uint8_t *const end) |
5337 | 0 | { |
5338 | 0 | struct st_ptls_traffic_protection_t *tp = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
5339 | | |
5340 | | /* set properties */ |
5341 | 0 | memcpy(tp->secret, *src, tls->cipher_suite->hash->digest_size); |
5342 | 0 | *src += tls->cipher_suite->hash->digest_size; |
5343 | 0 | if (ptls_decode64(&tp->seq, src, end) != 0) |
5344 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5345 | | |
5346 | 0 | if (setup_traffic_protection(tls, is_enc, NULL, 3, tp->seq, 0) != 0) |
5347 | 0 | return PTLS_ERROR_INCOMPATIBLE_KEY; |
5348 | | |
5349 | 0 | return 0; |
5350 | 0 | } |
5351 | | |
5352 | | int ptls_import(ptls_context_t *ctx, ptls_t **tls, ptls_iovec_t params) |
5353 | 0 | { |
5354 | 0 | const uint8_t *src = params.base, *const end = src + params.len; |
5355 | 0 | uint16_t protocol_version, csid; |
5356 | 0 | int ret; |
5357 | |
|
5358 | 0 | *tls = NULL; |
5359 | | |
5360 | | /* TODO handle flags like psk_handshake, ech_handshake as we add support for TLS/1.3 import */ |
5361 | 0 | ptls_decode_block(src, end, 2, { |
5362 | | /* instantiate, based on the is_server flag */ |
5363 | 0 | if (end - src < 2) { |
5364 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
5365 | 0 | goto Exit; |
5366 | 0 | } |
5367 | 0 | if ((*tls = new_instance(ctx, *src++)) == NULL) { |
5368 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
5369 | 0 | goto Exit; |
5370 | 0 | } |
5371 | 0 | (*tls)->is_psk_handshake = *src++; |
5372 | | /* determine protocol version and cipher suite */ |
5373 | 0 | if ((ret = ptls_decode16(&protocol_version, &src, end)) != 0) |
5374 | 0 | goto Exit; |
5375 | 0 | if ((ret = ptls_decode16(&csid, &src, end)) != 0) |
5376 | 0 | goto Exit; |
5377 | | /* other version-independent stuff */ |
5378 | 0 | if (end - src < PTLS_HELLO_RANDOM_SIZE) { |
5379 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
5380 | 0 | goto Exit; |
5381 | 0 | } |
5382 | 0 | memcpy((*tls)->client_random, src, PTLS_HELLO_RANDOM_SIZE); |
5383 | 0 | src += PTLS_HELLO_RANDOM_SIZE; |
5384 | 0 | ptls_decode_open_block(src, end, 2, { |
5385 | 0 | if (src != end) { |
5386 | 0 | if ((ret = ptls_set_server_name(*tls, (const char *)src, end - src)) != 0) |
5387 | 0 | goto Exit; |
5388 | 0 | src = end; |
5389 | 0 | } |
5390 | 0 | }); |
5391 | 0 | ptls_decode_open_block(src, end, 2, { |
5392 | 0 | if (src != end) { |
5393 | 0 | if ((ret = ptls_set_negotiated_protocol(*tls, (const char *)src, end - src)) != 0) |
5394 | 0 | goto Exit; |
5395 | 0 | src = end; |
5396 | 0 | } |
5397 | 0 | }); |
5398 | | /* version-dependent stuff */ |
5399 | 0 | ptls_decode_open_block(src, end, 2, { |
5400 | 0 | switch (protocol_version) { |
5401 | 0 | case PTLS_PROTOCOL_VERSION_TLS12: |
5402 | 0 | (*tls)->cipher_suite = ptls_find_cipher_suite(ctx->tls12_cipher_suites, csid); |
5403 | 0 | if ((*tls)->cipher_suite == NULL) { |
5404 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
5405 | 0 | goto Exit; |
5406 | 0 | } |
5407 | | /* setup AEAD keys */ |
5408 | 0 | if ((ret = import_tls12_traffic_protection(*tls, 1, &src, end)) != 0) |
5409 | 0 | goto Exit; |
5410 | 0 | if ((ret = import_tls12_traffic_protection(*tls, 0, &src, end)) != 0) |
5411 | 0 | goto Exit; |
5412 | 0 | break; |
5413 | 0 | case PTLS_PROTOCOL_VERSION_TLS13: |
5414 | 0 | (*tls)->cipher_suite = ptls_find_cipher_suite(ctx->cipher_suites, csid); |
5415 | 0 | if ((*tls)->cipher_suite == NULL) { |
5416 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
5417 | 0 | goto Exit; |
5418 | 0 | } |
5419 | | /* setup AEAD keys */ |
5420 | 0 | if (((*tls)->key_schedule = key_schedule_new((*tls)->cipher_suite, NULL, (*tls)->ech.aead != NULL)) == NULL) { |
5421 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
5422 | 0 | goto Exit; |
5423 | 0 | } |
5424 | 0 | if ((ret = import_tls13_traffic_protection(*tls, 1, &src, end)) != 0) |
5425 | 0 | goto Exit; |
5426 | 0 | if ((ret = import_tls13_traffic_protection(*tls, 0, &src, end)) != 0) |
5427 | 0 | goto Exit; |
5428 | 0 | break; |
5429 | 0 | default: |
5430 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
5431 | 0 | goto Exit; |
5432 | 0 | } |
5433 | 0 | }); |
5434 | | /* extensions */ |
5435 | 0 | ptls_decode_open_block(src, end, 2, { |
5436 | 0 | src = end; /* unused */ |
5437 | 0 | }); |
5438 | 0 | }); |
5439 | | |
5440 | 0 | (*tls)->state = ptls_is_server(*tls) ? PTLS_STATE_SERVER_POST_HANDSHAKE : PTLS_STATE_CLIENT_POST_HANDSHAKE; |
5441 | |
|
5442 | 0 | Exit: |
5443 | 0 | if (ret != 0) { |
5444 | 0 | if (*tls != NULL) { |
5445 | 0 | ptls_free(*tls); |
5446 | 0 | *tls = NULL; |
5447 | 0 | } |
5448 | 0 | } |
5449 | 0 | return ret; |
5450 | 0 | } |
5451 | | |
5452 | | void ptls_free(ptls_t *tls) |
5453 | 0 | { |
5454 | 0 | PTLS_PROBE0(FREE, tls); |
5455 | 0 | PTLS_LOG_CONN(free, tls, {}); |
5456 | | |
5457 | 0 | ptls_buffer_dispose(&tls->recvbuf.rec); |
5458 | 0 | ptls_buffer_dispose(&tls->recvbuf.mess); |
5459 | 0 | free_exporter_master_secret(tls, 1); |
5460 | 0 | free_exporter_master_secret(tls, 0); |
5461 | 0 | if (tls->key_schedule != NULL) |
5462 | 0 | key_schedule_free(tls->key_schedule); |
5463 | 0 | if (tls->traffic_protection.dec.aead != NULL) |
5464 | 0 | ptls_aead_free(tls->traffic_protection.dec.aead); |
5465 | 0 | if (tls->traffic_protection.enc.aead != NULL) |
5466 | 0 | ptls_aead_free(tls->traffic_protection.enc.aead); |
5467 | 0 | free(tls->server_name); |
5468 | 0 | free(tls->negotiated_protocol); |
5469 | 0 | clear_ech(&tls->ech, tls->is_server); |
5470 | 0 | if (tls->is_server) { |
5471 | 0 | if (tls->server.async_job != NULL) |
5472 | 0 | tls->server.async_job->destroy_(tls->server.async_job); |
5473 | 0 | } else { |
5474 | 0 | if (tls->client.key_share_ctx != NULL) |
5475 | 0 | tls->client.key_share_ctx->on_exchange(&tls->client.key_share_ctx, 1, NULL, ptls_iovec_init(NULL, 0)); |
5476 | 0 | if (tls->client.certificate_request.context.base != NULL) |
5477 | 0 | free(tls->client.certificate_request.context.base); |
5478 | 0 | } |
5479 | 0 | if (tls->certificate_verify.cb != NULL) |
5480 | 0 | tls->certificate_verify.cb(tls->certificate_verify.verify_ctx, 0, ptls_iovec_init(NULL, 0), ptls_iovec_init(NULL, 0)); |
5481 | 0 | if (tls->pending_handshake_secret != NULL) { |
5482 | 0 | ptls_clear_memory(tls->pending_handshake_secret, PTLS_MAX_DIGEST_SIZE); |
5483 | 0 | free(tls->pending_handshake_secret); |
5484 | 0 | } |
5485 | 0 | update_open_count(tls->ctx, -1); |
5486 | 0 | ptls_clear_memory(tls, sizeof(*tls)); |
5487 | 0 | free(tls); |
5488 | 0 | } |
5489 | | |
5490 | | ptls_context_t *ptls_get_context(ptls_t *tls) |
5491 | 0 | { |
5492 | 0 | return tls->ctx; |
5493 | 0 | } |
5494 | | |
5495 | | void ptls_set_context(ptls_t *tls, ptls_context_t *ctx) |
5496 | 0 | { |
5497 | 0 | update_open_count(ctx, 1); |
5498 | 0 | update_open_count(tls->ctx, -1); |
5499 | 0 | tls->ctx = ctx; |
5500 | 0 | } |
5501 | | |
5502 | | ptls_async_job_t *ptls_get_async_job(ptls_t *tls) |
5503 | 0 | { |
5504 | 0 | return tls->server.async_job; |
5505 | 0 | } |
5506 | | |
5507 | | ptls_iovec_t ptls_get_client_random(ptls_t *tls) |
5508 | 0 | { |
5509 | 0 | return ptls_iovec_init(tls->client_random, PTLS_HELLO_RANDOM_SIZE); |
5510 | 0 | } |
5511 | | |
5512 | | ptls_cipher_suite_t *ptls_get_cipher(ptls_t *tls) |
5513 | 0 | { |
5514 | 0 | return tls->cipher_suite; |
5515 | 0 | } |
5516 | | |
5517 | | uint16_t ptls_get_protocol_version(ptls_t *tls) |
5518 | 0 | { |
5519 | 0 | if (tls->traffic_protection.enc.tls12) |
5520 | 0 | return PTLS_PROTOCOL_VERSION_TLS12; |
5521 | | |
5522 | 0 | return PTLS_PROTOCOL_VERSION_TLS13; |
5523 | 0 | } |
5524 | | |
5525 | | int ptls_get_traffic_keys(ptls_t *tls, int is_enc, uint8_t *key, uint8_t *iv, uint64_t *seq) |
5526 | 0 | { |
5527 | 0 | struct st_ptls_traffic_protection_t *ctx = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
5528 | 0 | int ret; |
5529 | |
|
5530 | 0 | if ((ret = get_traffic_keys(tls->cipher_suite->aead, tls->cipher_suite->hash, key, iv, ctx->secret, ptls_iovec_init(NULL, 0), |
5531 | 0 | NULL)) != 0) |
5532 | 0 | return ret; |
5533 | 0 | *seq = ctx->seq; |
5534 | 0 | return 0; |
5535 | 0 | } |
5536 | | |
5537 | | const char *ptls_get_server_name(ptls_t *tls) |
5538 | 0 | { |
5539 | 0 | return tls->server_name; |
5540 | 0 | } |
5541 | | |
5542 | | int ptls_set_server_name(ptls_t *tls, const char *server_name, size_t server_name_len) |
5543 | 0 | { |
5544 | 0 | char *duped = NULL; |
5545 | |
|
5546 | 0 | if (server_name != NULL && |
5547 | 0 | (duped = duplicate_as_str(server_name, server_name_len != 0 ? server_name_len : strlen(server_name))) == NULL) |
5548 | 0 | return PTLS_ERROR_NO_MEMORY; |
5549 | | |
5550 | 0 | free(tls->server_name); |
5551 | 0 | tls->server_name = duped; |
5552 | |
|
5553 | 0 | return 0; |
5554 | 0 | } |
5555 | | |
5556 | | const char *ptls_get_negotiated_protocol(ptls_t *tls) |
5557 | 0 | { |
5558 | 0 | return tls->negotiated_protocol; |
5559 | 0 | } |
5560 | | |
5561 | | int ptls_set_negotiated_protocol(ptls_t *tls, const char *protocol, size_t protocol_len) |
5562 | 0 | { |
5563 | 0 | char *duped = NULL; |
5564 | |
|
5565 | 0 | if (protocol != NULL && (duped = duplicate_as_str(protocol, protocol_len != 0 ? protocol_len : strlen(protocol))) == NULL) |
5566 | 0 | return PTLS_ERROR_NO_MEMORY; |
5567 | | |
5568 | 0 | free(tls->negotiated_protocol); |
5569 | 0 | tls->negotiated_protocol = duped; |
5570 | |
|
5571 | 0 | return 0; |
5572 | 0 | } |
5573 | | |
5574 | | int ptls_handshake_is_complete(ptls_t *tls) |
5575 | 0 | { |
5576 | 0 | return tls->state >= PTLS_STATE_POST_HANDSHAKE_MIN; |
5577 | 0 | } |
5578 | | |
5579 | | int ptls_is_psk_handshake(ptls_t *tls) |
5580 | 0 | { |
5581 | 0 | return tls->is_psk_handshake; |
5582 | 0 | } |
5583 | | |
5584 | | int ptls_is_ech_handshake(ptls_t *tls, uint8_t *config_id, ptls_hpke_kem_t **kem, ptls_hpke_cipher_suite_t **cipher) |
5585 | 0 | { |
5586 | 0 | if (tls->ech.accepted) { |
5587 | 0 | if (config_id != NULL) |
5588 | 0 | *config_id = tls->ech.config_id; |
5589 | 0 | if (kem != NULL) |
5590 | 0 | *kem = tls->ech.kem; |
5591 | 0 | if (cipher != NULL) |
5592 | 0 | *cipher = tls->ech.cipher; |
5593 | 0 | return 1; |
5594 | 0 | } |
5595 | 0 | return 0; |
5596 | 0 | } |
5597 | | |
5598 | | void **ptls_get_data_ptr(ptls_t *tls) |
5599 | 0 | { |
5600 | 0 | return &tls->data_ptr; |
5601 | 0 | } |
5602 | | |
5603 | | ptls_log_conn_state_t *ptls_get_log_state(ptls_t *tls) |
5604 | 0 | { |
5605 | 0 | #if PTLS_HAVE_LOG |
5606 | 0 | return &tls->log_state; |
5607 | | #else |
5608 | | return &ptls_log.dummy_conn_state; |
5609 | | #endif |
5610 | 0 | } |
5611 | | |
5612 | | static int handle_client_handshake_message(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, int is_end_of_record, |
5613 | | ptls_handshake_properties_t *properties) |
5614 | 0 | { |
5615 | 0 | uint8_t type = message.base[0]; |
5616 | 0 | int ret; |
5617 | |
|
5618 | 0 | switch (tls->state) { |
5619 | 0 | case PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO: |
5620 | 0 | case PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO: |
5621 | 0 | if (type == PTLS_HANDSHAKE_TYPE_SERVER_HELLO && is_end_of_record) { |
5622 | 0 | ret = client_handle_hello(tls, emitter, message, properties); |
5623 | 0 | } else { |
5624 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5625 | 0 | } |
5626 | 0 | break; |
5627 | 0 | case PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS: |
5628 | 0 | if (type == PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS) { |
5629 | 0 | ret = client_handle_encrypted_extensions(tls, message, properties); |
5630 | 0 | } else { |
5631 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5632 | 0 | } |
5633 | 0 | break; |
5634 | 0 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE: |
5635 | 0 | if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { |
5636 | 0 | ret = client_handle_certificate_request(tls, message, properties); |
5637 | 0 | break; |
5638 | 0 | } |
5639 | | /* fall through */ |
5640 | 0 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE: |
5641 | 0 | switch (type) { |
5642 | 0 | case PTLS_HANDSHAKE_TYPE_CERTIFICATE: |
5643 | 0 | ret = client_handle_certificate(tls, message); |
5644 | 0 | break; |
5645 | 0 | case PTLS_HANDSHAKE_TYPE_COMPRESSED_CERTIFICATE: |
5646 | 0 | ret = client_handle_compressed_certificate(tls, message); |
5647 | 0 | break; |
5648 | 0 | default: |
5649 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5650 | 0 | break; |
5651 | 0 | } |
5652 | 0 | break; |
5653 | 0 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY: |
5654 | 0 | if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { |
5655 | 0 | ret = client_handle_certificate_verify(tls, message); |
5656 | 0 | } else { |
5657 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5658 | 0 | } |
5659 | 0 | break; |
5660 | 0 | case PTLS_STATE_CLIENT_EXPECT_FINISHED: |
5661 | 0 | if (type == PTLS_HANDSHAKE_TYPE_FINISHED && is_end_of_record) { |
5662 | 0 | ret = client_handle_finished(tls, emitter, message); |
5663 | 0 | } else { |
5664 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5665 | 0 | } |
5666 | 0 | break; |
5667 | 0 | case PTLS_STATE_CLIENT_POST_HANDSHAKE: |
5668 | 0 | switch (type) { |
5669 | 0 | case PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET: |
5670 | 0 | ret = client_handle_new_session_ticket(tls, message); |
5671 | 0 | break; |
5672 | 0 | case PTLS_HANDSHAKE_TYPE_KEY_UPDATE: |
5673 | 0 | ret = handle_key_update(tls, emitter, message); |
5674 | 0 | break; |
5675 | 0 | default: |
5676 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5677 | 0 | break; |
5678 | 0 | } |
5679 | 0 | break; |
5680 | 0 | default: |
5681 | 0 | assert(!"unexpected state"); |
5682 | 0 | ret = PTLS_ALERT_INTERNAL_ERROR; |
5683 | 0 | break; |
5684 | 0 | } |
5685 | | |
5686 | 0 | PTLS_PROBE(RECEIVE_MESSAGE, tls, message.base[0], message.base + PTLS_HANDSHAKE_HEADER_SIZE, |
5687 | 0 | message.len - PTLS_HANDSHAKE_HEADER_SIZE, ret); |
5688 | 0 | PTLS_LOG_CONN(receive_message, tls, { |
5689 | 0 | PTLS_LOG_ELEMENT_UNSIGNED(message, message.base[0]); |
5690 | 0 | PTLS_LOG_ELEMENT_UNSIGNED(len, message.len - PTLS_HANDSHAKE_HEADER_SIZE); |
5691 | 0 | PTLS_LOG_ELEMENT_SIGNED(result, ret); |
5692 | 0 | }); |
5693 | | |
5694 | 0 | return ret; |
5695 | 0 | } |
5696 | | |
5697 | | static int handle_server_handshake_message(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, int is_end_of_record, |
5698 | | ptls_handshake_properties_t *properties) |
5699 | 0 | { |
5700 | 0 | uint8_t type = message.base[0]; |
5701 | 0 | int ret; |
5702 | |
|
5703 | 0 | switch (tls->state) { |
5704 | 0 | case PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO: |
5705 | 0 | case PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO: |
5706 | 0 | if (type == PTLS_HANDSHAKE_TYPE_CLIENT_HELLO && is_end_of_record) { |
5707 | 0 | ret = server_handle_hello(tls, emitter, message, properties); |
5708 | 0 | } else { |
5709 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
5710 | 0 | } |
5711 | 0 | break; |
5712 | 0 | case PTLS_STATE_SERVER_EXPECT_CERTIFICATE: |
5713 | 0 | if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE) { |
5714 | 0 | ret = server_handle_certificate(tls, message); |
5715 | 0 | } else { |
5716 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5717 | 0 | } |
5718 | 0 | break; |
5719 | 0 | case PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY: |
5720 | 0 | if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { |
5721 | 0 | ret = server_handle_certificate_verify(tls, message); |
5722 | 0 | } else { |
5723 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5724 | 0 | } |
5725 | 0 | break; |
5726 | 0 | case PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA: |
5727 | 0 | assert(!tls->ctx->omit_end_of_early_data); |
5728 | 0 | if (type == PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA) { |
5729 | 0 | ret = server_handle_end_of_early_data(tls, message); |
5730 | 0 | } else { |
5731 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5732 | 0 | } |
5733 | 0 | break; |
5734 | 0 | case PTLS_STATE_SERVER_EXPECT_FINISHED: |
5735 | 0 | if (type == PTLS_HANDSHAKE_TYPE_FINISHED && is_end_of_record) { |
5736 | 0 | ret = server_handle_finished(tls, message); |
5737 | 0 | } else { |
5738 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
5739 | 0 | } |
5740 | 0 | break; |
5741 | 0 | case PTLS_STATE_SERVER_POST_HANDSHAKE: |
5742 | 0 | switch (type) { |
5743 | 0 | case PTLS_HANDSHAKE_TYPE_KEY_UPDATE: |
5744 | 0 | ret = handle_key_update(tls, emitter, message); |
5745 | 0 | break; |
5746 | 0 | default: |
5747 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5748 | 0 | break; |
5749 | 0 | } |
5750 | 0 | break; |
5751 | 0 | default: |
5752 | 0 | assert(!"unexpected state"); |
5753 | 0 | ret = PTLS_ALERT_INTERNAL_ERROR; |
5754 | 0 | break; |
5755 | 0 | } |
5756 | | |
5757 | 0 | PTLS_PROBE(RECEIVE_MESSAGE, tls, message.base[0], message.base + PTLS_HANDSHAKE_HEADER_SIZE, |
5758 | 0 | message.len - PTLS_HANDSHAKE_HEADER_SIZE, ret); |
5759 | 0 | PTLS_LOG_CONN(receive_message, tls, { |
5760 | 0 | PTLS_LOG_ELEMENT_UNSIGNED(message, message.base[0]); |
5761 | 0 | PTLS_LOG_ELEMENT_UNSIGNED(len, message.len - PTLS_HANDSHAKE_HEADER_SIZE); |
5762 | 0 | PTLS_LOG_ELEMENT_SIGNED(result, ret); |
5763 | 0 | }); |
5764 | | |
5765 | 0 | return ret; |
5766 | 0 | } |
5767 | | |
5768 | | static int handle_alert(ptls_t *tls, const uint8_t *src, size_t len) |
5769 | 0 | { |
5770 | 0 | if (len != 2) |
5771 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5772 | | |
5773 | 0 | uint8_t desc = src[1]; |
5774 | | |
5775 | | /* all fatal alerts and USER_CANCELLED warning tears down the connection immediately, regardless of the transmitted level */ |
5776 | 0 | return PTLS_ALERT_TO_PEER_ERROR(desc); |
5777 | 0 | } |
5778 | | |
5779 | | static int message_buffer_is_overflow(ptls_context_t *ctx, size_t size) |
5780 | 0 | { |
5781 | 0 | if (ctx->max_buffer_size == 0) |
5782 | 0 | return 0; |
5783 | 0 | if (size <= ctx->max_buffer_size) |
5784 | 0 | return 0; |
5785 | 0 | return 1; |
5786 | 0 | } |
5787 | | |
5788 | | static int handle_handshake_record(ptls_t *tls, |
5789 | | int (*cb)(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, |
5790 | | int is_end_of_record, ptls_handshake_properties_t *properties), |
5791 | | ptls_message_emitter_t *emitter, struct st_ptls_record_t *rec, |
5792 | | ptls_handshake_properties_t *properties) |
5793 | 0 | { |
5794 | 0 | int ret; |
5795 | | |
5796 | | /* handshake */ |
5797 | 0 | if (rec->type != PTLS_CONTENT_TYPE_HANDSHAKE) |
5798 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5799 | | |
5800 | | /* flatten the unhandled messages */ |
5801 | 0 | const uint8_t *src, *src_end; |
5802 | 0 | if (tls->recvbuf.mess.base == NULL) { |
5803 | 0 | src = rec->fragment; |
5804 | 0 | src_end = src + rec->length; |
5805 | 0 | } else { |
5806 | 0 | if (message_buffer_is_overflow(tls->ctx, tls->recvbuf.mess.off + rec->length)) |
5807 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5808 | 0 | if ((ret = ptls_buffer_reserve(&tls->recvbuf.mess, rec->length)) != 0) |
5809 | 0 | return ret; |
5810 | 0 | memcpy(tls->recvbuf.mess.base + tls->recvbuf.mess.off, rec->fragment, rec->length); |
5811 | 0 | tls->recvbuf.mess.off += rec->length; |
5812 | 0 | src = tls->recvbuf.mess.base; |
5813 | 0 | src_end = src + tls->recvbuf.mess.off; |
5814 | 0 | } |
5815 | | |
5816 | | /* handle the messages */ |
5817 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
5818 | 0 | while (src_end - src >= 4) { |
5819 | 0 | size_t mess_len = 4 + ntoh24(src + 1); |
5820 | 0 | if (src_end - src < (int)mess_len) |
5821 | 0 | break; |
5822 | 0 | ret = cb(tls, emitter, ptls_iovec_init(src, mess_len), src_end - src == mess_len, properties); |
5823 | 0 | switch (ret) { |
5824 | 0 | case 0: |
5825 | 0 | case PTLS_ERROR_ASYNC_OPERATION: |
5826 | 0 | case PTLS_ERROR_IN_PROGRESS: |
5827 | 0 | break; |
5828 | 0 | default: |
5829 | 0 | ptls_buffer_dispose(&tls->recvbuf.mess); |
5830 | 0 | return ret; |
5831 | 0 | } |
5832 | 0 | src += mess_len; |
5833 | 0 | } |
5834 | | |
5835 | | /* keep last partial message in buffer */ |
5836 | 0 | if (src != src_end) { |
5837 | 0 | size_t new_size = src_end - src; |
5838 | 0 | if (message_buffer_is_overflow(tls->ctx, new_size)) |
5839 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5840 | 0 | if (tls->recvbuf.mess.base == NULL) { |
5841 | 0 | ptls_buffer_init(&tls->recvbuf.mess, "", 0); |
5842 | 0 | if ((ret = ptls_buffer_reserve(&tls->recvbuf.mess, new_size)) != 0) |
5843 | 0 | return ret; |
5844 | 0 | memcpy(tls->recvbuf.mess.base, src, new_size); |
5845 | 0 | } else { |
5846 | 0 | memmove(tls->recvbuf.mess.base, src, new_size); |
5847 | 0 | } |
5848 | 0 | tls->recvbuf.mess.off = new_size; |
5849 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
5850 | 0 | } else { |
5851 | 0 | ptls_buffer_dispose(&tls->recvbuf.mess); |
5852 | 0 | } |
5853 | | |
5854 | 0 | return ret; |
5855 | 0 | } |
5856 | | |
5857 | | static int handle_input(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_buffer_t *decryptbuf, const void *input, size_t *inlen, |
5858 | | ptls_handshake_properties_t *properties) |
5859 | 0 | { |
5860 | 0 | struct st_ptls_record_t rec; |
5861 | 0 | int ret; |
5862 | | |
5863 | | /* extract the record */ |
5864 | 0 | if ((ret = parse_record(tls, &rec, input, inlen)) != 0) |
5865 | 0 | return ret; |
5866 | 0 | assert(rec.fragment != NULL); |
5867 | | |
5868 | | /* decrypt the record */ |
5869 | 0 | if (rec.type == PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { |
5870 | 0 | if (tls->state < PTLS_STATE_POST_HANDSHAKE_MIN) { |
5871 | 0 | if (!(rec.length == 1 && rec.fragment[0] == 0x01)) |
5872 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
5873 | 0 | } else { |
5874 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5875 | 0 | } |
5876 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
5877 | 0 | goto NextRecord; |
5878 | 0 | } |
5879 | 0 | if (tls->traffic_protection.dec.aead != NULL && rec.type != PTLS_CONTENT_TYPE_ALERT) { |
5880 | 0 | size_t decrypted_length; |
5881 | 0 | if (rec.type != PTLS_CONTENT_TYPE_APPDATA) |
5882 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5883 | 0 | if ((ret = ptls_buffer_reserve(decryptbuf, 5 + rec.length)) != 0) |
5884 | 0 | return ret; |
5885 | 0 | if ((ret = aead_decrypt(&tls->traffic_protection.dec, decryptbuf->base + decryptbuf->off, &decrypted_length, rec.fragment, |
5886 | 0 | rec.length)) != 0) { |
5887 | 0 | if (tls->is_server && tls->server.early_data_skipped_bytes != UINT32_MAX) |
5888 | 0 | goto ServerSkipEarlyData; |
5889 | 0 | return ret; |
5890 | 0 | } |
5891 | 0 | rec.length = decrypted_length; |
5892 | 0 | rec.fragment = decryptbuf->base + decryptbuf->off; |
5893 | | /* skip padding */ |
5894 | 0 | for (; rec.length != 0; --rec.length) |
5895 | 0 | if (rec.fragment[rec.length - 1] != 0) |
5896 | 0 | break; |
5897 | 0 | if (rec.length == 0) |
5898 | 0 | return PTLS_ALERT_UNEXPECTED_MESSAGE; |
5899 | 0 | rec.type = rec.fragment[--rec.length]; |
5900 | 0 | } else if (rec.type == PTLS_CONTENT_TYPE_APPDATA && tls->is_server && tls->server.early_data_skipped_bytes != UINT32_MAX) { |
5901 | 0 | goto ServerSkipEarlyData; |
5902 | 0 | } |
5903 | | |
5904 | 0 | if (tls->recvbuf.mess.base != NULL || rec.type == PTLS_CONTENT_TYPE_HANDSHAKE) { |
5905 | | /* handshake record */ |
5906 | 0 | ret = handle_handshake_record(tls, tls->is_server ? handle_server_handshake_message : handle_client_handshake_message, |
5907 | 0 | emitter, &rec, properties); |
5908 | 0 | } else { |
5909 | | /* handling of an alert or an application record */ |
5910 | 0 | switch (rec.type) { |
5911 | 0 | case PTLS_CONTENT_TYPE_APPDATA: |
5912 | 0 | if (tls->state >= PTLS_STATE_POST_HANDSHAKE_MIN) { |
5913 | 0 | decryptbuf->off += rec.length; |
5914 | 0 | ret = 0; |
5915 | 0 | } else if (tls->state == PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA) { |
5916 | 0 | if (tls->traffic_protection.dec.aead != NULL) |
5917 | 0 | decryptbuf->off += rec.length; |
5918 | 0 | ret = 0; |
5919 | 0 | } else { |
5920 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5921 | 0 | } |
5922 | 0 | break; |
5923 | 0 | case PTLS_CONTENT_TYPE_ALERT: |
5924 | 0 | ret = handle_alert(tls, rec.fragment, rec.length); |
5925 | 0 | break; |
5926 | 0 | default: |
5927 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5928 | 0 | break; |
5929 | 0 | } |
5930 | 0 | } |
5931 | | |
5932 | 0 | NextRecord: |
5933 | 0 | ptls_buffer_dispose(&tls->recvbuf.rec); |
5934 | 0 | return ret; |
5935 | | |
5936 | 0 | ServerSkipEarlyData: |
5937 | 0 | tls->server.early_data_skipped_bytes += (uint32_t)rec.length; |
5938 | 0 | if (tls->server.early_data_skipped_bytes > PTLS_MAX_EARLY_DATA_SKIP_SIZE) |
5939 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5940 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
5941 | 0 | goto NextRecord; |
5942 | 0 | } |
5943 | | |
5944 | | static int handle_input_tls12(ptls_t *tls, ptls_buffer_t *decryptbuf, const void *input, size_t *inlen) |
5945 | 0 | { |
5946 | 0 | struct st_ptls_record_t rec; |
5947 | 0 | int ret; |
5948 | | |
5949 | | /* extract the record, or bail out */ |
5950 | 0 | if ((ret = parse_record(tls, &rec, input, inlen)) != 0) |
5951 | 0 | return ret; |
5952 | 0 | assert(rec.fragment != NULL); |
5953 | | |
5954 | 0 | const uint8_t *src = rec.fragment, *end = src + rec.length; |
5955 | 0 | uint64_t nonce; |
5956 | 0 | uint8_t aad[PTLS_TLS12_AAD_SIZE]; |
5957 | | |
5958 | | /* determine the nonce */ |
5959 | 0 | if (tls->traffic_protection.dec.aead->algo->tls12.record_iv_size != 0) { |
5960 | 0 | assert(tls->traffic_protection.dec.aead->algo->tls12.record_iv_size == 8); |
5961 | 0 | if ((ret = ptls_decode64(&nonce, &src, end)) != 0) |
5962 | 0 | goto Exit; |
5963 | 0 | } else { |
5964 | 0 | nonce = tls->traffic_protection.dec.seq; |
5965 | 0 | } |
5966 | | |
5967 | | /* determine cleartext length */ |
5968 | 0 | size_t textlen = end - src; |
5969 | 0 | if (textlen < tls->traffic_protection.dec.aead->algo->tag_size) { |
5970 | 0 | ret = PTLS_ALERT_BAD_RECORD_MAC; |
5971 | 0 | goto Exit; |
5972 | 0 | } |
5973 | 0 | textlen -= tls->traffic_protection.dec.aead->algo->tag_size; |
5974 | | |
5975 | | /* build aad */ |
5976 | 0 | build_tls12_aad(aad, rec.type, tls->traffic_protection.dec.seq, (uint16_t)textlen); |
5977 | | |
5978 | | /* decrypt input to decryptbuf */ |
5979 | 0 | if ((ret = ptls_buffer_reserve(decryptbuf, textlen)) != 0) |
5980 | 0 | goto Exit; |
5981 | 0 | if (ptls_aead_decrypt(tls->traffic_protection.dec.aead, decryptbuf->base + decryptbuf->off, src, end - src, nonce, aad, |
5982 | 0 | sizeof(aad)) != textlen) { |
5983 | 0 | ret = PTLS_ALERT_BAD_RECORD_MAC; |
5984 | 0 | goto Exit; |
5985 | 0 | } |
5986 | 0 | ++tls->traffic_protection.dec.seq; |
5987 | | |
5988 | | /* record-type specific action */ |
5989 | 0 | switch (rec.type) { |
5990 | 0 | case PTLS_CONTENT_TYPE_APPDATA: |
5991 | | /* if application data, retain the bytes being decrypted */ |
5992 | 0 | decryptbuf->off += textlen; |
5993 | 0 | break; |
5994 | 0 | case PTLS_CONTENT_TYPE_ALERT: |
5995 | | /* submit alert without adjusting decryptbuf, so that the decrypted data would be dropped after handling the alert */ |
5996 | 0 | ret = handle_alert(tls, decryptbuf->base + decryptbuf->off, textlen); |
5997 | 0 | break; |
5998 | 0 | default: |
5999 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
6000 | 0 | break; |
6001 | 0 | } |
6002 | | |
6003 | 0 | Exit: |
6004 | 0 | ptls_buffer_dispose(&tls->recvbuf.rec); |
6005 | 0 | ptls_clear_memory(aad, sizeof(aad)); |
6006 | 0 | return 0; |
6007 | 0 | } |
6008 | | |
6009 | | static void init_record_message_emitter(ptls_t *tls, struct st_ptls_record_message_emitter_t *emitter, ptls_buffer_t *sendbuf) |
6010 | 0 | { |
6011 | 0 | *emitter = (struct st_ptls_record_message_emitter_t){ |
6012 | 0 | {sendbuf, &tls->traffic_protection.enc, 5, begin_record_message, commit_record_message}}; |
6013 | 0 | } |
6014 | | |
6015 | | int ptls_handshake(ptls_t *tls, ptls_buffer_t *_sendbuf, const void *input, size_t *inlen, ptls_handshake_properties_t *properties) |
6016 | 0 | { |
6017 | 0 | struct st_ptls_record_message_emitter_t emitter; |
6018 | 0 | int ret; |
6019 | |
|
6020 | 0 | assert(tls->state < PTLS_STATE_POST_HANDSHAKE_MIN); |
6021 | | |
6022 | 0 | init_record_message_emitter(tls, &emitter, _sendbuf); |
6023 | 0 | size_t sendbuf_orig_off = emitter.super.buf->off; |
6024 | | |
6025 | | /* special handlings */ |
6026 | 0 | switch (tls->state) { |
6027 | 0 | case PTLS_STATE_CLIENT_HANDSHAKE_START: { |
6028 | 0 | assert(input == NULL || *inlen == 0); |
6029 | 0 | return send_client_hello(tls, &emitter.super, properties, NULL); |
6030 | 0 | } |
6031 | 0 | case PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY: |
6032 | 0 | return server_finish_handshake(tls, &emitter.super, 1, NULL); |
6033 | 0 | default: |
6034 | 0 | break; |
6035 | 0 | } |
6036 | | |
6037 | 0 | const uint8_t *src = input, *const src_end = src + *inlen; |
6038 | 0 | ptls_buffer_t decryptbuf; |
6039 | |
|
6040 | 0 | ptls_buffer_init(&decryptbuf, "", 0); |
6041 | | |
6042 | | /* perform handhake until completion or until all the input has been swallowed */ |
6043 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
6044 | 0 | while (ret == PTLS_ERROR_IN_PROGRESS && src != src_end) { |
6045 | 0 | size_t consumed = src_end - src; |
6046 | 0 | ret = handle_input(tls, &emitter.super, &decryptbuf, src, &consumed, properties); |
6047 | 0 | src += consumed; |
6048 | 0 | assert(decryptbuf.off == 0); |
6049 | 0 | } |
6050 | | |
6051 | 0 | ptls_buffer_dispose(&decryptbuf); |
6052 | |
|
6053 | 0 | switch (ret) { |
6054 | 0 | case 0: |
6055 | 0 | case PTLS_ERROR_IN_PROGRESS: |
6056 | 0 | case PTLS_ERROR_STATELESS_RETRY: |
6057 | 0 | case PTLS_ERROR_ASYNC_OPERATION: |
6058 | 0 | break; |
6059 | 0 | default: |
6060 | | /* Flush handshake messages that have been written partially. ECH_REQUIRED sticks out because it is a message sent |
6061 | | * post-handshake compared to other alerts that are generating *during* the handshake. */ |
6062 | 0 | if (ret != PTLS_ALERT_ECH_REQUIRED) { |
6063 | 0 | ptls_clear_memory(emitter.super.buf->base + sendbuf_orig_off, emitter.super.buf->off - sendbuf_orig_off); |
6064 | 0 | emitter.super.buf->off = sendbuf_orig_off; |
6065 | 0 | } |
6066 | | /* send alert immediately */ |
6067 | 0 | if (PTLS_ERROR_GET_CLASS(ret) != PTLS_ERROR_CLASS_PEER_ALERT) |
6068 | 0 | if (ptls_send_alert(tls, emitter.super.buf, PTLS_ALERT_LEVEL_FATAL, |
6069 | 0 | PTLS_ERROR_GET_CLASS(ret) == PTLS_ERROR_CLASS_SELF_ALERT ? ret : PTLS_ALERT_INTERNAL_ERROR) != 0) |
6070 | 0 | emitter.super.buf->off = sendbuf_orig_off; |
6071 | 0 | break; |
6072 | 0 | } |
6073 | | |
6074 | 0 | *inlen -= src_end - src; |
6075 | 0 | return ret; |
6076 | 0 | } |
6077 | | |
6078 | | int ptls_receive(ptls_t *tls, ptls_buffer_t *decryptbuf, const void *_input, size_t *inlen) |
6079 | 0 | { |
6080 | 0 | const uint8_t *input = (const uint8_t *)_input, *const end = input + *inlen; |
6081 | 0 | size_t decryptbuf_orig_size = decryptbuf->off; |
6082 | 0 | int ret = 0; |
6083 | |
|
6084 | 0 | assert(tls->state >= PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA); |
6085 | | |
6086 | | /* loop until we decrypt some application data (or an error) */ |
6087 | 0 | while (ret == 0 && input != end && decryptbuf_orig_size == decryptbuf->off) { |
6088 | 0 | size_t consumed = end - input; |
6089 | 0 | if (tls->traffic_protection.dec.tls12) { |
6090 | 0 | ret = handle_input_tls12(tls, decryptbuf, input, &consumed); |
6091 | 0 | } else { |
6092 | 0 | ret = handle_input(tls, NULL, decryptbuf, input, &consumed, NULL); |
6093 | 0 | } |
6094 | 0 | input += consumed; |
6095 | |
|
6096 | 0 | switch (ret) { |
6097 | 0 | case 0: |
6098 | 0 | break; |
6099 | 0 | case PTLS_ERROR_IN_PROGRESS: |
6100 | 0 | ret = 0; |
6101 | 0 | break; |
6102 | 0 | case PTLS_ERROR_CLASS_PEER_ALERT + PTLS_ALERT_CLOSE_NOTIFY: |
6103 | | /* TODO send close alert */ |
6104 | 0 | break; |
6105 | 0 | default: |
6106 | 0 | if (PTLS_ERROR_GET_CLASS(ret) == PTLS_ERROR_CLASS_SELF_ALERT) { |
6107 | | /* TODO send alert */ |
6108 | 0 | } |
6109 | 0 | break; |
6110 | 0 | } |
6111 | 0 | } |
6112 | | |
6113 | 0 | *inlen -= end - input; |
6114 | |
|
6115 | 0 | return ret; |
6116 | 0 | } |
6117 | | |
6118 | | static int update_send_key(ptls_t *tls, ptls_buffer_t *_sendbuf, int request_update) |
6119 | 0 | { |
6120 | 0 | struct st_ptls_record_message_emitter_t emitter; |
6121 | 0 | int ret; |
6122 | |
|
6123 | 0 | init_record_message_emitter(tls, &emitter, _sendbuf); |
6124 | 0 | size_t sendbuf_orig_off = emitter.super.buf->off; |
6125 | |
|
6126 | 0 | ptls_push_message(&emitter.super, NULL, PTLS_HANDSHAKE_TYPE_KEY_UPDATE, |
6127 | 0 | { ptls_buffer_push(emitter.super.buf, !!request_update); }); |
6128 | 0 | if ((ret = update_traffic_key(tls, 1)) != 0) |
6129 | 0 | goto Exit; |
6130 | 0 | ret = 0; |
6131 | |
|
6132 | 0 | Exit: |
6133 | 0 | if (ret != 0) |
6134 | 0 | emitter.super.buf->off = sendbuf_orig_off; |
6135 | 0 | return ret; |
6136 | 0 | } |
6137 | | |
6138 | | int ptls_send(ptls_t *tls, ptls_buffer_t *sendbuf, const void *input, size_t inlen) |
6139 | 0 | { |
6140 | 0 | assert(tls->traffic_protection.enc.aead != NULL); |
6141 | | |
6142 | | /* "For AES-GCM, up to 2^24.5 full-size records (about 24 million) may be encrypted on a given connection while keeping a |
6143 | | * safety margin of approximately 2^-57 for Authenticated Encryption (AE) security." (RFC 8446 section 5.5). |
6144 | | * |
6145 | | * Key updates do not happen with tls 1.2, check `key_schedule` to see if we are using tls/1.3 |
6146 | | */ |
6147 | 0 | if (tls->traffic_protection.enc.seq >= 16777216 && tls->key_schedule != NULL) |
6148 | 0 | tls->needs_key_update = 1; |
6149 | |
|
6150 | 0 | if (tls->needs_key_update) { |
6151 | 0 | int ret; |
6152 | 0 | if ((ret = update_send_key(tls, sendbuf, tls->key_update_send_request)) != 0) |
6153 | 0 | return ret; |
6154 | 0 | tls->needs_key_update = 0; |
6155 | 0 | tls->key_update_send_request = 0; |
6156 | 0 | } |
6157 | | |
6158 | 0 | return buffer_push_encrypted_records(sendbuf, PTLS_CONTENT_TYPE_APPDATA, input, inlen, &tls->traffic_protection.enc); |
6159 | 0 | } |
6160 | | |
6161 | | int ptls_update_key(ptls_t *tls, int request_update) |
6162 | 0 | { |
6163 | 0 | assert(tls->ctx->update_traffic_key == NULL); |
6164 | 0 | tls->needs_key_update = 1; |
6165 | 0 | tls->key_update_send_request = request_update; |
6166 | 0 | return 0; |
6167 | 0 | } |
6168 | | |
6169 | | size_t ptls_get_record_overhead(ptls_t *tls) |
6170 | 0 | { |
6171 | 0 | ptls_aead_algorithm_t *algo = tls->traffic_protection.enc.aead->algo; |
6172 | |
|
6173 | 0 | if (tls->traffic_protection.enc.tls12) { |
6174 | 0 | return 5 + algo->tls12.record_iv_size + algo->tag_size; |
6175 | 0 | } else { |
6176 | 0 | return 6 + algo->tag_size; |
6177 | 0 | } |
6178 | 0 | } |
6179 | | |
6180 | | int ptls_send_alert(ptls_t *tls, ptls_buffer_t *sendbuf, uint8_t level, uint8_t description) |
6181 | 0 | { |
6182 | 0 | size_t rec_start = sendbuf->off; |
6183 | 0 | int ret = 0; |
6184 | |
|
6185 | 0 | buffer_push_record(sendbuf, PTLS_CONTENT_TYPE_ALERT, { ptls_buffer_push(sendbuf, level, description); }); |
6186 | | /* encrypt the alert if we have the encryption keys, unless when it is the early data key */ |
6187 | 0 | if (tls->traffic_protection.enc.aead != NULL && !(tls->state <= PTLS_STATE_CLIENT_EXPECT_FINISHED)) { |
6188 | 0 | if ((ret = buffer_encrypt_record(sendbuf, rec_start, &tls->traffic_protection.enc)) != 0) |
6189 | 0 | goto Exit; |
6190 | 0 | } |
6191 | | |
6192 | 0 | Exit: |
6193 | 0 | return ret; |
6194 | 0 | } |
6195 | | |
6196 | | int ptls_export_secret(ptls_t *tls, void *output, size_t outlen, const char *label, ptls_iovec_t context_value, int is_early) |
6197 | 0 | { |
6198 | 0 | ptls_hash_algorithm_t *algo = tls->key_schedule->hashes[0].algo; |
6199 | 0 | uint8_t *master_secret = is_early ? tls->exporter_master_secret.early : tls->exporter_master_secret.one_rtt, |
6200 | 0 | derived_secret[PTLS_MAX_DIGEST_SIZE], context_value_hash[PTLS_MAX_DIGEST_SIZE]; |
6201 | 0 | int ret; |
6202 | |
|
6203 | 0 | if (master_secret == NULL) { |
6204 | 0 | if (is_early) { |
6205 | 0 | switch (tls->state) { |
6206 | 0 | case PTLS_STATE_CLIENT_HANDSHAKE_START: |
6207 | 0 | case PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO: |
6208 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
6209 | 0 | break; |
6210 | 0 | default: |
6211 | 0 | ret = PTLS_ERROR_NOT_AVAILABLE; |
6212 | 0 | break; |
6213 | 0 | } |
6214 | 0 | } else { |
6215 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
6216 | 0 | } |
6217 | 0 | return ret; |
6218 | 0 | } |
6219 | | |
6220 | 0 | if ((ret = ptls_calc_hash(algo, context_value_hash, context_value.base, context_value.len)) != 0) |
6221 | 0 | return ret; |
6222 | | |
6223 | 0 | if ((ret = ptls_hkdf_expand_label(algo, derived_secret, algo->digest_size, ptls_iovec_init(master_secret, algo->digest_size), |
6224 | 0 | label, ptls_iovec_init(algo->empty_digest, algo->digest_size), NULL)) != 0) |
6225 | 0 | goto Exit; |
6226 | 0 | ret = ptls_hkdf_expand_label(algo, output, outlen, ptls_iovec_init(derived_secret, algo->digest_size), "exporter", |
6227 | 0 | ptls_iovec_init(context_value_hash, algo->digest_size), NULL); |
6228 | |
|
6229 | 0 | Exit: |
6230 | 0 | ptls_clear_memory(derived_secret, sizeof(derived_secret)); |
6231 | 0 | ptls_clear_memory(context_value_hash, sizeof(context_value_hash)); |
6232 | 0 | return ret; |
6233 | 0 | } |
6234 | | |
6235 | | struct st_picotls_hmac_context_t { |
6236 | | ptls_hash_context_t super; |
6237 | | ptls_hash_algorithm_t *algo; |
6238 | | ptls_hash_context_t *hash; |
6239 | | uint8_t key[1]; |
6240 | | }; |
6241 | | |
6242 | | static void hmac_update(ptls_hash_context_t *_ctx, const void *src, size_t len) |
6243 | 0 | { |
6244 | 0 | struct st_picotls_hmac_context_t *ctx = (struct st_picotls_hmac_context_t *)_ctx; |
6245 | 0 | ctx->hash->update(ctx->hash, src, len); |
6246 | 0 | } |
6247 | | |
6248 | | static void hmac_apply_key(struct st_picotls_hmac_context_t *ctx, uint8_t pad) |
6249 | 0 | { |
6250 | 0 | size_t i; |
6251 | |
|
6252 | 0 | for (i = 0; i != ctx->algo->block_size; ++i) |
6253 | 0 | ctx->key[i] ^= pad; |
6254 | 0 | ctx->hash->update(ctx->hash, ctx->key, ctx->algo->block_size); |
6255 | 0 | for (i = 0; i != ctx->algo->block_size; ++i) |
6256 | 0 | ctx->key[i] ^= pad; |
6257 | 0 | } |
6258 | | |
6259 | | static void hmac_final(ptls_hash_context_t *_ctx, void *md, ptls_hash_final_mode_t mode) |
6260 | 0 | { |
6261 | 0 | struct st_picotls_hmac_context_t *ctx = (struct st_picotls_hmac_context_t *)_ctx; |
6262 | |
|
6263 | 0 | assert(mode != PTLS_HASH_FINAL_MODE_SNAPSHOT || !"not supported"); |
6264 | | |
6265 | 0 | if (md != NULL) { |
6266 | 0 | ctx->hash->final(ctx->hash, md, PTLS_HASH_FINAL_MODE_RESET); |
6267 | 0 | hmac_apply_key(ctx, 0x5c); |
6268 | 0 | ctx->hash->update(ctx->hash, md, ctx->algo->digest_size); |
6269 | 0 | } |
6270 | 0 | ctx->hash->final(ctx->hash, md, mode); |
6271 | |
|
6272 | 0 | switch (mode) { |
6273 | 0 | case PTLS_HASH_FINAL_MODE_FREE: |
6274 | 0 | ptls_clear_memory(ctx->key, ctx->algo->block_size); |
6275 | 0 | free(ctx); |
6276 | 0 | break; |
6277 | 0 | case PTLS_HASH_FINAL_MODE_RESET: |
6278 | 0 | hmac_apply_key(ctx, 0x36); |
6279 | 0 | break; |
6280 | 0 | default: |
6281 | 0 | assert(!"FIXME"); |
6282 | 0 | break; |
6283 | 0 | } |
6284 | 0 | } |
6285 | | |
6286 | | int ptls_calc_hash(ptls_hash_algorithm_t *algo, void *output, const void *src, size_t len) |
6287 | 0 | { |
6288 | 0 | ptls_hash_context_t *ctx; |
6289 | |
|
6290 | 0 | if ((ctx = algo->create()) == NULL) |
6291 | 0 | return PTLS_ERROR_NO_MEMORY; |
6292 | 0 | ctx->update(ctx, src, len); |
6293 | 0 | ctx->final(ctx, output, PTLS_HASH_FINAL_MODE_FREE); |
6294 | 0 | return 0; |
6295 | 0 | } |
6296 | | |
6297 | | ptls_hash_context_t *ptls_hmac_create(ptls_hash_algorithm_t *algo, const void *key, size_t key_size) |
6298 | 0 | { |
6299 | 0 | struct st_picotls_hmac_context_t *ctx; |
6300 | |
|
6301 | 0 | assert(key_size <= algo->block_size); |
6302 | | |
6303 | 0 | if ((ctx = malloc(offsetof(struct st_picotls_hmac_context_t, key) + algo->block_size)) == NULL) |
6304 | 0 | return NULL; |
6305 | | |
6306 | 0 | *ctx = (struct st_picotls_hmac_context_t){{hmac_update, hmac_final}, algo}; |
6307 | 0 | if ((ctx->hash = algo->create()) == NULL) { |
6308 | 0 | free(ctx); |
6309 | 0 | return NULL; |
6310 | 0 | } |
6311 | 0 | memset(ctx->key, 0, algo->block_size); |
6312 | 0 | memcpy(ctx->key, key, key_size); |
6313 | |
|
6314 | 0 | hmac_apply_key(ctx, 0x36); |
6315 | |
|
6316 | 0 | return &ctx->super; |
6317 | 0 | } |
6318 | | |
6319 | | int ptls_hkdf_extract(ptls_hash_algorithm_t *algo, void *output, ptls_iovec_t salt, ptls_iovec_t ikm) |
6320 | 0 | { |
6321 | 0 | ptls_hash_context_t *hash; |
6322 | |
|
6323 | 0 | if (salt.len == 0) |
6324 | 0 | salt = ptls_iovec_init(zeroes_of_max_digest_size, algo->digest_size); |
6325 | |
|
6326 | 0 | if ((hash = ptls_hmac_create(algo, salt.base, salt.len)) == NULL) |
6327 | 0 | return PTLS_ERROR_NO_MEMORY; |
6328 | 0 | hash->update(hash, ikm.base, ikm.len); |
6329 | 0 | hash->final(hash, output, PTLS_HASH_FINAL_MODE_FREE); |
6330 | 0 | return 0; |
6331 | 0 | } |
6332 | | |
6333 | | int ptls_hkdf_expand(ptls_hash_algorithm_t *algo, void *output, size_t outlen, ptls_iovec_t prk, ptls_iovec_t info) |
6334 | 0 | { |
6335 | 0 | ptls_hash_context_t *hmac = NULL; |
6336 | 0 | size_t i; |
6337 | 0 | uint8_t digest[PTLS_MAX_DIGEST_SIZE]; |
6338 | |
|
6339 | 0 | for (i = 0; (i * algo->digest_size) < outlen; ++i) { |
6340 | 0 | if (hmac == NULL) { |
6341 | 0 | if ((hmac = ptls_hmac_create(algo, prk.base, prk.len)) == NULL) |
6342 | 0 | return PTLS_ERROR_NO_MEMORY; |
6343 | 0 | } else { |
6344 | 0 | hmac->update(hmac, digest, algo->digest_size); |
6345 | 0 | } |
6346 | 0 | hmac->update(hmac, info.base, info.len); |
6347 | 0 | uint8_t gen = (uint8_t)(i + 1); |
6348 | 0 | hmac->update(hmac, &gen, 1); |
6349 | 0 | hmac->final(hmac, digest, 1); |
6350 | |
|
6351 | 0 | size_t off_start = i * algo->digest_size, off_end = off_start + algo->digest_size; |
6352 | 0 | if (off_end > outlen) |
6353 | 0 | off_end = outlen; |
6354 | 0 | memcpy((uint8_t *)output + off_start, digest, off_end - off_start); |
6355 | 0 | } |
6356 | | |
6357 | 0 | if (hmac != NULL) |
6358 | 0 | hmac->final(hmac, NULL, PTLS_HASH_FINAL_MODE_FREE); |
6359 | |
|
6360 | 0 | ptls_clear_memory(digest, algo->digest_size); |
6361 | |
|
6362 | 0 | return 0; |
6363 | 0 | } |
6364 | | |
6365 | | int ptls_hkdf_expand_label(ptls_hash_algorithm_t *algo, void *output, size_t outlen, ptls_iovec_t secret, const char *label, |
6366 | | ptls_iovec_t hash_value, const char *label_prefix) |
6367 | 0 | { |
6368 | 0 | ptls_buffer_t hkdf_label; |
6369 | 0 | uint8_t hkdf_label_buf[80]; |
6370 | 0 | int ret; |
6371 | |
|
6372 | 0 | ptls_buffer_init(&hkdf_label, hkdf_label_buf, sizeof(hkdf_label_buf)); |
6373 | |
|
6374 | 0 | ptls_buffer_push16(&hkdf_label, (uint16_t)outlen); |
6375 | 0 | ptls_buffer_push_block(&hkdf_label, 1, { |
6376 | 0 | if (label_prefix == NULL) |
6377 | 0 | label_prefix = PTLS_HKDF_EXPAND_LABEL_PREFIX; |
6378 | 0 | ptls_buffer_pushv(&hkdf_label, label_prefix, strlen(label_prefix)); |
6379 | 0 | ptls_buffer_pushv(&hkdf_label, label, strlen(label)); |
6380 | 0 | }); |
6381 | 0 | ptls_buffer_push_block(&hkdf_label, 1, { ptls_buffer_pushv(&hkdf_label, hash_value.base, hash_value.len); }); |
6382 | | |
6383 | 0 | ret = ptls_hkdf_expand(algo, output, outlen, secret, ptls_iovec_init(hkdf_label.base, hkdf_label.off)); |
6384 | |
|
6385 | 0 | Exit: |
6386 | 0 | ptls_buffer_dispose(&hkdf_label); |
6387 | 0 | return ret; |
6388 | 0 | } |
6389 | | |
6390 | | int ptls_tls12_phash(ptls_hash_algorithm_t *algo, void *output, size_t outlen, ptls_iovec_t secret, const char *label, |
6391 | | ptls_iovec_t seed) |
6392 | 0 | { |
6393 | 0 | ptls_hash_context_t *hmac; |
6394 | 0 | uint8_t An[PTLS_MAX_DIGEST_SIZE]; |
6395 | 0 | size_t output_off = 0; |
6396 | |
|
6397 | 0 | if ((hmac = ptls_hmac_create(algo, secret.base, secret.len)) == NULL) |
6398 | 0 | return PTLS_ERROR_NO_MEMORY; |
6399 | | |
6400 | | /* A(1) = HMAC_hash(secret, label + seed) */ |
6401 | 0 | if (label != NULL) |
6402 | 0 | hmac->update(hmac, label, strlen(label)); |
6403 | 0 | hmac->update(hmac, seed.base, seed.len); |
6404 | 0 | hmac->final(hmac, An, PTLS_HASH_FINAL_MODE_RESET); |
6405 | |
|
6406 | 0 | while (1) { |
6407 | | /* output += HMAC_hash(secret, A(i) + label + seed) */ |
6408 | 0 | hmac->update(hmac, An, algo->digest_size); |
6409 | 0 | if (label != NULL) |
6410 | 0 | hmac->update(hmac, label, strlen(label)); |
6411 | 0 | hmac->update(hmac, seed.base, seed.len); |
6412 | 0 | if (outlen - output_off <= algo->digest_size) { |
6413 | | /* digest of last chunk is at first written to An then the necessary bytes are copied to output */ |
6414 | 0 | hmac->final(hmac, An, PTLS_HASH_FINAL_MODE_FREE); |
6415 | 0 | memcpy((uint8_t *)output + output_off, An, outlen - output_off); |
6416 | 0 | break; |
6417 | 0 | } |
6418 | 0 | hmac->final(hmac, (uint8_t *)output + output_off, PTLS_HASH_FINAL_MODE_RESET); |
6419 | 0 | output_off += algo->digest_size; |
6420 | | |
6421 | | /* A(i) = HMAC_hash(secret, A(i-1)) */ |
6422 | 0 | hmac->update(hmac, An, algo->digest_size); |
6423 | 0 | hmac->final(hmac, An, PTLS_HASH_FINAL_MODE_RESET); |
6424 | 0 | } |
6425 | |
|
6426 | 0 | ptls_clear_memory(An, algo->digest_size); |
6427 | |
|
6428 | 0 | return 0; |
6429 | 0 | } |
6430 | | |
6431 | | ptls_cipher_context_t *ptls_cipher_new(ptls_cipher_algorithm_t *algo, int is_enc, const void *key) |
6432 | 0 | { |
6433 | 0 | ptls_cipher_context_t *ctx; |
6434 | |
|
6435 | 0 | if ((ctx = (ptls_cipher_context_t *)malloc(algo->context_size)) == NULL) |
6436 | 0 | return NULL; |
6437 | 0 | *ctx = (ptls_cipher_context_t){algo}; |
6438 | 0 | if (algo->setup_crypto(ctx, is_enc, key) != 0) { |
6439 | 0 | free(ctx); |
6440 | 0 | ctx = NULL; |
6441 | 0 | } |
6442 | 0 | return ctx; |
6443 | 0 | } |
6444 | | |
6445 | | void ptls_cipher_free(ptls_cipher_context_t *ctx) |
6446 | 0 | { |
6447 | 0 | ctx->do_dispose(ctx); |
6448 | 0 | free(ctx); |
6449 | 0 | } |
6450 | | |
6451 | | ptls_aead_context_t *new_aead(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, int is_enc, const void *secret, |
6452 | | ptls_iovec_t hash_value, const char *label_prefix) |
6453 | 0 | { |
6454 | 0 | ptls_aead_context_t *ctx = NULL; |
6455 | 0 | struct { |
6456 | 0 | uint8_t key[PTLS_MAX_SECRET_SIZE]; |
6457 | 0 | uint8_t iv[PTLS_MAX_IV_SIZE]; |
6458 | 0 | } key_iv; |
6459 | 0 | int ret; |
6460 | |
|
6461 | 0 | if ((ret = get_traffic_keys(aead, hash, key_iv.key, key_iv.iv, secret, hash_value, label_prefix)) != 0) |
6462 | 0 | goto Exit; |
6463 | 0 | ctx = ptls_aead_new_direct(aead, is_enc, key_iv.key, key_iv.iv); |
6464 | 0 | Exit: |
6465 | 0 | ptls_clear_memory(&key_iv, sizeof(key_iv)); |
6466 | 0 | return ctx; |
6467 | 0 | } |
6468 | | |
6469 | | ptls_aead_context_t *ptls_aead_new(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, int is_enc, const void *secret, |
6470 | | const char *label_prefix) |
6471 | 0 | { |
6472 | 0 | return new_aead(aead, hash, is_enc, secret, ptls_iovec_init(NULL, 0), label_prefix); |
6473 | 0 | } |
6474 | | |
6475 | | ptls_aead_context_t *ptls_aead_new_direct(ptls_aead_algorithm_t *aead, int is_enc, const void *key, const void *iv) |
6476 | 0 | { |
6477 | 0 | ptls_aead_context_t *ctx; |
6478 | |
|
6479 | 0 | if ((ctx = (ptls_aead_context_t *)malloc(aead->context_size)) == NULL) |
6480 | 0 | return NULL; |
6481 | | |
6482 | 0 | *ctx = (ptls_aead_context_t){aead}; |
6483 | |
|
6484 | 0 | if (aead->setup_crypto(ctx, is_enc, key, iv) != 0) { |
6485 | 0 | free(ctx); |
6486 | 0 | return NULL; |
6487 | 0 | } |
6488 | | |
6489 | 0 | return ctx; |
6490 | 0 | } |
6491 | | |
6492 | | void ptls_aead_free(ptls_aead_context_t *ctx) |
6493 | 0 | { |
6494 | 0 | ctx->dispose_crypto(ctx); |
6495 | 0 | free(ctx); |
6496 | 0 | } |
6497 | | |
6498 | | void ptls_aead_xor_iv(ptls_aead_context_t *ctx, const void *_bytes, size_t len) |
6499 | 0 | { |
6500 | 0 | const uint8_t *bytes = _bytes; |
6501 | 0 | uint8_t iv[PTLS_MAX_IV_SIZE]; |
6502 | |
|
6503 | 0 | ptls_aead_get_iv(ctx, iv); |
6504 | 0 | for (size_t i = 0; i < len; ++i) |
6505 | 0 | iv[i] ^= bytes[i]; |
6506 | 0 | ptls_aead_set_iv(ctx, iv); |
6507 | 0 | } |
6508 | | |
6509 | | void ptls_aead__build_iv(ptls_aead_algorithm_t *algo, uint8_t *iv, const uint8_t *static_iv, uint64_t seq) |
6510 | 0 | { |
6511 | 0 | size_t iv_size = algo->iv_size, i; |
6512 | 0 | const uint8_t *s = static_iv; |
6513 | 0 | uint8_t *d = iv; |
6514 | | |
6515 | | /* build iv */ |
6516 | 0 | for (i = iv_size - 8; i != 0; --i) |
6517 | 0 | *d++ = *s++; |
6518 | 0 | i = 64; |
6519 | 0 | do { |
6520 | 0 | i -= 8; |
6521 | 0 | *d++ = *s++ ^ (uint8_t)(seq >> i); |
6522 | 0 | } while (i != 0); |
6523 | 0 | } |
6524 | | |
6525 | | static void clear_memory(void *p, size_t len) |
6526 | 0 | { |
6527 | 0 | if (len != 0) |
6528 | 0 | memset(p, 0, len); |
6529 | 0 | } |
6530 | | |
6531 | | void (*volatile ptls_clear_memory)(void *p, size_t len) = clear_memory; |
6532 | | |
6533 | | static int mem_equal(const void *_x, const void *_y, size_t len) |
6534 | 0 | { |
6535 | 0 | const volatile uint8_t *x = _x, *y = _y; |
6536 | 0 | uint8_t t = 0; |
6537 | |
|
6538 | 0 | for (; len != 0; --len) |
6539 | 0 | t |= *x++ ^ *y++; |
6540 | |
|
6541 | 0 | return t == 0; |
6542 | 0 | } |
6543 | | |
6544 | | int (*volatile ptls_mem_equal)(const void *x, const void *y, size_t len) = mem_equal; |
6545 | | |
6546 | | static uint64_t get_time(ptls_get_time_t *self) |
6547 | 0 | { |
6548 | 0 | struct timeval tv; |
6549 | 0 | gettimeofday(&tv, NULL); |
6550 | 0 | return (uint64_t)tv.tv_sec * 1000 + tv.tv_usec / 1000; |
6551 | 0 | } |
6552 | | |
6553 | | ptls_get_time_t ptls_get_time = {get_time}; |
6554 | | |
6555 | | int ptls_is_server(ptls_t *tls) |
6556 | 0 | { |
6557 | 0 | return tls->is_server; |
6558 | 0 | } |
6559 | | |
6560 | | struct st_ptls_raw_message_emitter_t { |
6561 | | ptls_message_emitter_t super; |
6562 | | size_t start_off; |
6563 | | size_t *epoch_offsets; |
6564 | | }; |
6565 | | |
6566 | | static int begin_raw_message(ptls_message_emitter_t *_self) |
6567 | 0 | { |
6568 | 0 | struct st_ptls_raw_message_emitter_t *self = (void *)_self; |
6569 | |
|
6570 | 0 | self->start_off = self->super.buf->off; |
6571 | 0 | return 0; |
6572 | 0 | } |
6573 | | |
6574 | | static int commit_raw_message(ptls_message_emitter_t *_self) |
6575 | 0 | { |
6576 | 0 | struct st_ptls_raw_message_emitter_t *self = (void *)_self; |
6577 | 0 | size_t epoch; |
6578 | | |
6579 | | /* epoch is the key epoch, with the only exception being 2nd CH generated after 0-RTT key */ |
6580 | 0 | epoch = self->super.enc->epoch; |
6581 | 0 | if (epoch == 1 && self->super.buf->base[self->start_off] == PTLS_HANDSHAKE_TYPE_CLIENT_HELLO) |
6582 | 0 | epoch = 0; |
6583 | |
|
6584 | 0 | for (++epoch; epoch < 5; ++epoch) { |
6585 | 0 | assert(self->epoch_offsets[epoch] == self->start_off); |
6586 | 0 | self->epoch_offsets[epoch] = self->super.buf->off; |
6587 | 0 | } |
6588 | | |
6589 | 0 | self->start_off = SIZE_MAX; |
6590 | |
|
6591 | 0 | return 0; |
6592 | 0 | } |
6593 | | |
6594 | | size_t ptls_get_read_epoch(ptls_t *tls) |
6595 | 0 | { |
6596 | 0 | switch (tls->state) { |
6597 | 0 | case PTLS_STATE_CLIENT_HANDSHAKE_START: |
6598 | 0 | case PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO: |
6599 | 0 | case PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO: |
6600 | 0 | case PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO: |
6601 | 0 | case PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO: |
6602 | 0 | return 0; /* plaintext */ |
6603 | 0 | case PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA: |
6604 | 0 | assert(!tls->ctx->omit_end_of_early_data); |
6605 | 0 | return 1; /* 0-rtt */ |
6606 | 0 | case PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS: |
6607 | 0 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE: |
6608 | 0 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE: |
6609 | 0 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY: |
6610 | 0 | case PTLS_STATE_CLIENT_EXPECT_FINISHED: |
6611 | 0 | case PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY: |
6612 | 0 | case PTLS_STATE_SERVER_EXPECT_CERTIFICATE: |
6613 | 0 | case PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY: |
6614 | 0 | case PTLS_STATE_SERVER_EXPECT_FINISHED: |
6615 | 0 | return 2; /* handshake */ |
6616 | 0 | case PTLS_STATE_CLIENT_POST_HANDSHAKE: |
6617 | 0 | case PTLS_STATE_SERVER_POST_HANDSHAKE: |
6618 | 0 | return 3; /* 1-rtt */ |
6619 | 0 | default: |
6620 | 0 | assert(!"invalid state"); |
6621 | 0 | return SIZE_MAX; |
6622 | 0 | } |
6623 | 0 | } |
6624 | | |
6625 | | int ptls_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input, |
6626 | | size_t inlen, ptls_handshake_properties_t *properties) |
6627 | 0 | { |
6628 | 0 | return tls->is_server ? ptls_server_handle_message(tls, sendbuf, epoch_offsets, in_epoch, input, inlen, properties) |
6629 | 0 | : ptls_client_handle_message(tls, sendbuf, epoch_offsets, in_epoch, input, inlen, properties); |
6630 | 0 | } |
6631 | | |
6632 | | int ptls_client_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input, |
6633 | | size_t inlen, ptls_handshake_properties_t *properties) |
6634 | 0 | { |
6635 | 0 | assert(!tls->is_server); |
6636 | | |
6637 | 0 | struct st_ptls_raw_message_emitter_t emitter = { |
6638 | 0 | {sendbuf, &tls->traffic_protection.enc, 0, begin_raw_message, commit_raw_message}, SIZE_MAX, epoch_offsets}; |
6639 | 0 | struct st_ptls_record_t rec = {PTLS_CONTENT_TYPE_HANDSHAKE, 0, inlen, input}; |
6640 | |
|
6641 | 0 | if (input == NULL) |
6642 | 0 | return send_client_hello(tls, &emitter.super, properties, NULL); |
6643 | | |
6644 | 0 | if (ptls_get_read_epoch(tls) != in_epoch) |
6645 | 0 | return PTLS_ALERT_UNEXPECTED_MESSAGE; |
6646 | | |
6647 | 0 | return handle_handshake_record(tls, handle_client_handshake_message, &emitter.super, &rec, properties); |
6648 | 0 | } |
6649 | | |
6650 | | int ptls_server_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input, |
6651 | | size_t inlen, ptls_handshake_properties_t *properties) |
6652 | 0 | { |
6653 | 0 | assert(tls->is_server); |
6654 | | |
6655 | 0 | struct st_ptls_raw_message_emitter_t emitter = { |
6656 | 0 | {sendbuf, &tls->traffic_protection.enc, 0, begin_raw_message, commit_raw_message}, SIZE_MAX, epoch_offsets}; |
6657 | 0 | struct st_ptls_record_t rec = {PTLS_CONTENT_TYPE_HANDSHAKE, 0, inlen, input}; |
6658 | |
|
6659 | 0 | if (tls->state == PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY) { |
6660 | 0 | assert(input == NULL || inlen == 0); |
6661 | 0 | return server_finish_handshake(tls, &emitter.super, 1, NULL); |
6662 | 0 | } |
6663 | | |
6664 | 0 | assert(input != NULL); |
6665 | | |
6666 | 0 | if (ptls_get_read_epoch(tls) != in_epoch) |
6667 | 0 | return PTLS_ALERT_UNEXPECTED_MESSAGE; |
6668 | | |
6669 | 0 | return handle_handshake_record(tls, handle_server_handshake_message, &emitter.super, &rec, properties); |
6670 | 0 | } |
6671 | | |
6672 | | /** |
6673 | | * checks if given name looks like an IP address |
6674 | | */ |
6675 | | int ptls_server_name_is_ipaddr(const char *name) |
6676 | 0 | { |
6677 | 0 | #ifdef AF_INET |
6678 | 0 | struct sockaddr_in sin; |
6679 | 0 | if (inet_pton(AF_INET, name, &sin) == 1) |
6680 | 0 | return 1; |
6681 | 0 | #endif |
6682 | 0 | #ifdef AF_INET6 |
6683 | 0 | struct sockaddr_in6 sin6; |
6684 | 0 | if (inet_pton(AF_INET6, name, &sin6) == 1) |
6685 | 0 | return 1; |
6686 | 0 | #endif |
6687 | 0 | return 0; |
6688 | 0 | } |
6689 | | |
6690 | | int ptls_ech_encode_config(ptls_buffer_t *buf, uint8_t config_id, ptls_hpke_kem_t *kem, ptls_iovec_t public_key, |
6691 | | ptls_hpke_cipher_suite_t **ciphers, uint8_t max_name_length, const char *public_name) |
6692 | 0 | { |
6693 | 0 | int ret; |
6694 | |
|
6695 | 0 | ptls_buffer_push16(buf, PTLS_ECH_CONFIG_VERSION); |
6696 | 0 | ptls_buffer_push_block(buf, 2, { |
6697 | 0 | ptls_buffer_push(buf, config_id); |
6698 | 0 | ptls_buffer_push16(buf, kem->id); |
6699 | 0 | ptls_buffer_push_block(buf, 2, { ptls_buffer_pushv(buf, public_key.base, public_key.len); }); |
6700 | 0 | ptls_buffer_push_block(buf, 2, { |
6701 | 0 | for (size_t i = 0; ciphers[i] != NULL; ++i) { |
6702 | 0 | ptls_buffer_push16(buf, ciphers[i]->id.kdf); |
6703 | 0 | ptls_buffer_push16(buf, ciphers[i]->id.aead); |
6704 | 0 | } |
6705 | 0 | }); |
6706 | 0 | ptls_buffer_push(buf, max_name_length); |
6707 | 0 | ptls_buffer_push_block(buf, 1, { ptls_buffer_pushv(buf, public_name, strlen(public_name)); }); |
6708 | 0 | ptls_buffer_push_block(buf, 2, {/* extensions */}); |
6709 | 0 | }); |
6710 | | |
6711 | 0 | Exit: |
6712 | 0 | return ret; |
6713 | 0 | } |
6714 | | |
6715 | | static char *byte_to_hex(char *dst, uint8_t v) |
6716 | 0 | { |
6717 | 0 | *dst++ = "0123456789abcdef"[v >> 4]; |
6718 | 0 | *dst++ = "0123456789abcdef"[v & 0xf]; |
6719 | 0 | return dst; |
6720 | 0 | } |
6721 | | |
6722 | | char *ptls_hexdump(char *dst, const void *_src, size_t len) |
6723 | 0 | { |
6724 | 0 | char *buf = dst; |
6725 | 0 | const uint8_t *src = _src; |
6726 | |
|
6727 | 0 | for (size_t i = 0; i != len; ++i) |
6728 | 0 | dst = byte_to_hex(dst, src[i]); |
6729 | 0 | *dst = '\0'; |
6730 | 0 | return buf; |
6731 | 0 | } |
6732 | | |
6733 | | char *ptls_jsonescape(char *buf, const char *unsafe_str, size_t len) |
6734 | 0 | { |
6735 | 0 | char *dst = buf; |
6736 | 0 | const uint8_t *src = (const uint8_t *)unsafe_str, *end = src + len; |
6737 | |
|
6738 | 0 | for (; src != end; ++src) { |
6739 | 0 | switch (*src) { |
6740 | 0 | #define MAP(ch, escaped) \ |
6741 | 0 | case ch: \ |
6742 | 0 | memcpy(dst, (escaped), sizeof(escaped) - 1); \ |
6743 | 0 | dst += sizeof(escaped) - 1; \ |
6744 | 0 | break |
6745 | 0 | MAP('"', "\\\""); |
6746 | 0 | MAP('\\', "\\\\"); |
6747 | 0 | MAP('/', "\\/"); |
6748 | 0 | MAP('\b', "\\b"); |
6749 | 0 | MAP('\f', "\\f"); |
6750 | 0 | MAP('\n', "\\n"); |
6751 | 0 | MAP('\r', "\\r"); |
6752 | 0 | MAP('\t', "\\t"); |
6753 | 0 | #undef MAP |
6754 | 0 | default: |
6755 | 0 | if (*src < 0x20 || *src == 0x7f) { |
6756 | 0 | *dst++ = '\\'; |
6757 | 0 | *dst++ = 'u'; |
6758 | 0 | *dst++ = '0'; |
6759 | 0 | *dst++ = '0'; |
6760 | 0 | dst = byte_to_hex(dst, *src); |
6761 | 0 | } else { |
6762 | 0 | *dst++ = *src; |
6763 | 0 | } |
6764 | 0 | break; |
6765 | 0 | } |
6766 | 0 | } |
6767 | 0 | *dst = '\0'; |
6768 | |
|
6769 | 0 | return dst; |
6770 | 0 | } |
6771 | | |
6772 | | void ptls_build_v4_mapped_v6_address(struct in6_addr *v6, const struct in_addr *v4) |
6773 | 0 | { |
6774 | 0 | *v6 = (struct in6_addr){.s6_addr[10] = 0xff, .s6_addr[11] = 0xff}; |
6775 | 0 | memcpy(&v6->s6_addr[12], &v4->s_addr, 4); |
6776 | 0 | } |
6777 | | |
6778 | | struct st_ptls_log_t ptls_log = { |
6779 | | .dummy_conn_state = {.random_ = 1 /* never log */}, |
6780 | | ._generation = 1, /* starts from 1 so that recalc can be forced by setting to zero (i.e., the initial) */ |
6781 | | }; |
6782 | | PTLS_THREADLOCAL ptls_log_conn_state_t *ptls_log_conn_state_override = NULL; |
6783 | | |
6784 | | #if PTLS_HAVE_LOG |
6785 | | |
6786 | | static struct { |
6787 | | /** |
6788 | | * list of connections; the slot is connected if points != NULL |
6789 | | */ |
6790 | | struct { |
6791 | | /** |
6792 | | * file descriptor |
6793 | | */ |
6794 | | int fd; |
6795 | | /** |
6796 | | * see `ptls_log_add_fd` |
6797 | | */ |
6798 | | char *points; |
6799 | | /** |
6800 | | * |
6801 | | */ |
6802 | | char *snis; |
6803 | | /** |
6804 | | * list of addresses terminated by ip6addr_any |
6805 | | */ |
6806 | | struct in6_addr *addresses; |
6807 | | /** |
6808 | | * |
6809 | | */ |
6810 | | float sample_ratio; |
6811 | | /** |
6812 | | * |
6813 | | */ |
6814 | | unsigned appdata : 1; |
6815 | | } conns[sizeof(((struct st_ptls_log_state_t *)NULL)->active_conns) * 8]; |
6816 | | /** |
6817 | | * counts the number of writes that failed |
6818 | | */ |
6819 | | size_t num_lost; |
6820 | | /** |
6821 | | * anchor of the single-linked list of log points; the tail refers to itself (i.e., point->next == point) |
6822 | | */ |
6823 | | struct st_ptls_log_point_t *points; |
6824 | | /** |
6825 | | * |
6826 | | */ |
6827 | | pthread_mutex_t mutex; |
6828 | | } logctx = {.mutex = PTHREAD_MUTEX_INITIALIZER}; |
6829 | | |
6830 | | static PTLS_THREADLOCAL struct { |
6831 | | ptls_buffer_t buf; /* buf.base == NULL upon failre */ |
6832 | | char smallbuf[128]; |
6833 | | struct { |
6834 | | char buf[sizeof(",\"tid\":-9223372036854775808")]; |
6835 | | size_t len; |
6836 | | } tid; |
6837 | | } logbuf; |
6838 | | |
6839 | | static void close_log_fd(size_t slot) |
6840 | 0 | { |
6841 | 0 | assert(logctx.conns[slot].fd >= 0 && logctx.conns[slot].points != NULL); |
6842 | | |
6843 | 0 | close(logctx.conns[slot].fd); |
6844 | | |
6845 | | /* clear the connection information */ |
6846 | 0 | logctx.conns[slot].fd = -1; |
6847 | 0 | logctx.conns[slot].sample_ratio = 0; |
6848 | 0 | free(logctx.conns[slot].points); |
6849 | 0 | logctx.conns[slot].points = NULL; |
6850 | 0 | free(logctx.conns[slot].snis); |
6851 | 0 | logctx.conns[slot].snis = NULL; |
6852 | 0 | free(logctx.conns[slot].addresses); |
6853 | 0 | logctx.conns[slot].addresses = NULL; |
6854 | 0 | logctx.conns[slot].appdata = 0; |
6855 | 0 | ++ptls_log._generation; |
6856 | 0 | } |
6857 | | |
6858 | | static char *duplicate_stringlist(const char *input) |
6859 | 0 | { |
6860 | 0 | if (input == NULL) |
6861 | 0 | return strdup(""); |
6862 | | |
6863 | 0 | char *result; |
6864 | 0 | const char *in_tail; |
6865 | |
|
6866 | 0 | for (in_tail = input; in_tail[0] != '\0'; in_tail += strlen(in_tail) + 1) |
6867 | 0 | ; |
6868 | 0 | ++in_tail; |
6869 | 0 | if ((result = malloc(in_tail - input)) == NULL) |
6870 | 0 | return NULL; |
6871 | 0 | memcpy(result, input, in_tail - input); |
6872 | 0 | return result; |
6873 | 0 | } |
6874 | | |
6875 | | static int is_in_stringlist(const char *list, const char *search_for) |
6876 | 0 | { |
6877 | 0 | if (list[0] == '\0') |
6878 | 0 | return 1; |
6879 | | |
6880 | 0 | if (search_for == NULL) |
6881 | 0 | return 0; |
6882 | | |
6883 | 0 | for (const char *element = list; element[0] != '\0'; element += strlen(element) + 1) |
6884 | 0 | if (strcmp(element, search_for) == 0) |
6885 | 0 | return 1; |
6886 | 0 | return 0; |
6887 | 0 | } |
6888 | | |
6889 | | static int is_in_addresslist(const struct in6_addr *list, const struct in6_addr *search_for) |
6890 | 0 | { |
6891 | 0 | #define IS_EQUAL(x, y) (memcmp((x), (y), sizeof(struct in6_addr)) == 0) |
6892 | |
|
6893 | 0 | if (IS_EQUAL(&list[0], &in6addr_any)) |
6894 | 0 | return 1; |
6895 | | |
6896 | 0 | if (IS_EQUAL(search_for, &in6addr_any)) |
6897 | 0 | return 0; |
6898 | | |
6899 | 0 | for (const struct in6_addr *element = list; !IS_EQUAL(element, &in6addr_any); ++element) |
6900 | 0 | if (IS_EQUAL(element, search_for)) |
6901 | 0 | return 1; |
6902 | 0 | return 0; |
6903 | |
|
6904 | 0 | #undef IS_EQUAL |
6905 | 0 | } |
6906 | | |
6907 | | void ptls_log__recalc_point(int caller_locked, struct st_ptls_log_point_t *point) |
6908 | 13 | { |
6909 | 13 | if (!caller_locked) |
6910 | 13 | pthread_mutex_lock(&logctx.mutex); |
6911 | | |
6912 | 13 | if (point->state.generation != ptls_log._generation) { |
6913 | | /* update active bitmap */ |
6914 | 13 | uint32_t new_active = 0; |
6915 | 429 | for (size_t slot = 0; slot < PTLS_ELEMENTSOF(logctx.conns); ++slot) |
6916 | 416 | if (logctx.conns[slot].points != NULL && is_in_stringlist(logctx.conns[slot].points, point->name)) |
6917 | 0 | new_active |= (uint32_t)1 << slot; |
6918 | 13 | point->state.active_conns = new_active; |
6919 | 13 | point->state.generation = ptls_log._generation; |
6920 | 13 | } |
6921 | | |
6922 | 13 | if (!caller_locked) |
6923 | 13 | pthread_mutex_unlock(&logctx.mutex); |
6924 | 13 | } |
6925 | | |
6926 | | void ptls_log__recalc_conn(int caller_locked, struct st_ptls_log_conn_state_t *conn, const char *(*get_sni)(void *), |
6927 | | void *get_sni_arg) |
6928 | 0 | { |
6929 | 0 | if (!caller_locked) |
6930 | 0 | pthread_mutex_lock(&logctx.mutex); |
6931 | |
|
6932 | 0 | if (conn->state.generation != ptls_log._generation) { |
6933 | | /* update active bitmap */ |
6934 | 0 | uint32_t new_active = 0; |
6935 | 0 | const char *sni = get_sni != NULL ? get_sni(get_sni_arg) : NULL; |
6936 | 0 | for (size_t slot = 0; slot < PTLS_ELEMENTSOF(logctx.conns); ++slot) { |
6937 | 0 | if (logctx.conns[slot].points != NULL && conn->random_ < logctx.conns[slot].sample_ratio && |
6938 | 0 | is_in_stringlist(logctx.conns[slot].snis, sni) && is_in_addresslist(logctx.conns[slot].addresses, &conn->address)) { |
6939 | 0 | new_active |= (uint32_t)1 << slot; |
6940 | 0 | } |
6941 | 0 | } |
6942 | 0 | conn->state.active_conns = new_active; |
6943 | 0 | conn->state.generation = ptls_log._generation; |
6944 | 0 | } |
6945 | |
|
6946 | 0 | if (!caller_locked) |
6947 | 0 | pthread_mutex_unlock(&logctx.mutex); |
6948 | 0 | } |
6949 | | |
6950 | | static int expand_logbuf_or_invalidate(const char *prefix, size_t prefix_len, size_t capacity) |
6951 | 0 | { |
6952 | 0 | if (logbuf.buf.base == NULL) |
6953 | 0 | return 0; |
6954 | | |
6955 | 0 | if (ptls_buffer_reserve(&logbuf.buf, prefix_len + capacity) != 0) { |
6956 | 0 | ptls_buffer_dispose(&logbuf.buf); |
6957 | 0 | assert(logbuf.buf.base == NULL); |
6958 | 0 | return 0; |
6959 | 0 | } |
6960 | | |
6961 | 0 | memcpy(logbuf.buf.base + logbuf.buf.off, prefix, prefix_len); |
6962 | 0 | logbuf.buf.off += prefix_len; |
6963 | |
|
6964 | 0 | return 1; |
6965 | 0 | } |
6966 | | |
6967 | | __attribute__((format(printf, 4, 5))) static void pushf_logbuf_or_invalidate(const char *prefix, size_t prefix_len, size_t capacity, |
6968 | | const char *fmt, ...) |
6969 | 0 | { |
6970 | 0 | if (!expand_logbuf_or_invalidate(prefix, prefix_len, capacity)) |
6971 | 0 | return; |
6972 | | |
6973 | 0 | va_list args; |
6974 | 0 | va_start(args, fmt); |
6975 | 0 | int l = vsnprintf((char *)logbuf.buf.base + logbuf.buf.off, logbuf.buf.capacity - logbuf.buf.off, fmt, args); |
6976 | 0 | va_end(args); |
6977 | |
|
6978 | 0 | assert(l < logbuf.buf.capacity - logbuf.buf.off && "insufficent capacity"); |
6979 | 0 | logbuf.buf.off += l; |
6980 | 0 | } |
6981 | | |
6982 | | void ptls_log__do_push_element_safestr(const char *prefix, size_t prefix_len, const char *s, size_t l) |
6983 | 0 | { |
6984 | 0 | if (expand_logbuf_or_invalidate(prefix, prefix_len, l + 2)) { |
6985 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
6986 | 0 | memcpy(logbuf.buf.base + logbuf.buf.off, s, l); |
6987 | 0 | logbuf.buf.off += l; |
6988 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
6989 | 0 | } |
6990 | 0 | } |
6991 | | |
6992 | | void ptls_log__do_push_element_unsafestr(const char *prefix, size_t prefix_len, const char *s, size_t l) |
6993 | 0 | { |
6994 | 0 | if (expand_logbuf_or_invalidate(prefix, prefix_len, l * (sizeof("\\uXXXX") - 1) + 2)) { |
6995 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
6996 | 0 | logbuf.buf.off = (uint8_t *)ptls_jsonescape((char *)logbuf.buf.base + logbuf.buf.off, s, l) - logbuf.buf.base; |
6997 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
6998 | 0 | } |
6999 | 0 | } |
7000 | | |
7001 | | void ptls_log__do_push_element_hexdump(const char *prefix, size_t prefix_len, const void *s, size_t l) |
7002 | 0 | { |
7003 | 0 | if (expand_logbuf_or_invalidate(prefix, prefix_len, l * 2 + 2)) { |
7004 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
7005 | 0 | ptls_hexdump((char *)logbuf.buf.base + logbuf.buf.off, s, l); |
7006 | 0 | logbuf.buf.off += l * 2; |
7007 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
7008 | 0 | } |
7009 | 0 | } |
7010 | | |
7011 | | void ptls_log__do_push_element_signed32(const char *prefix, size_t prefix_len, int32_t v) |
7012 | 0 | { |
7013 | 0 | pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("-2147483648"), "%" PRId32, v); |
7014 | 0 | } |
7015 | | |
7016 | | void ptls_log__do_push_element_signed64(const char *prefix, size_t prefix_len, int64_t v) |
7017 | 0 | { |
7018 | 0 | pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("-9223372036854775808"), "%" PRId64, v); |
7019 | 0 | } |
7020 | | |
7021 | | void ptls_log__do_push_element_unsigned32(const char *prefix, size_t prefix_len, uint32_t v) |
7022 | 0 | { |
7023 | 0 | pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("4294967295"), "%" PRIu32, v); |
7024 | 0 | } |
7025 | | |
7026 | | void ptls_log__do_push_element_unsigned64(const char *prefix, size_t prefix_len, uint64_t v) |
7027 | 0 | { |
7028 | 0 | pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("18446744073709551615"), "%" PRIu64, v); |
7029 | 0 | } |
7030 | | |
7031 | | void ptls_log__do_push_element_bool(const char *prefix, size_t prefix_len, int v) |
7032 | 0 | { |
7033 | 0 | if (expand_logbuf_or_invalidate(prefix, prefix_len, 5)) { |
7034 | 0 | if (v) { |
7035 | 0 | memcpy(logbuf.buf.base + logbuf.buf.off, "true", 4); |
7036 | 0 | logbuf.buf.off += 4; |
7037 | 0 | } else { |
7038 | 0 | memcpy(logbuf.buf.base + logbuf.buf.off, "false", 5); |
7039 | 0 | logbuf.buf.off += 5; |
7040 | 0 | } |
7041 | 0 | } |
7042 | 0 | } |
7043 | | |
7044 | | void ptls_log__do_write_start(struct st_ptls_log_point_t *point, int add_time) |
7045 | 0 | { |
7046 | 0 | assert(logbuf.buf.base == NULL); |
7047 | 0 | ptls_buffer_init(&logbuf.buf, logbuf.smallbuf, sizeof(logbuf.smallbuf)); |
7048 | | |
7049 | | /* add module and type name */ |
7050 | 0 | const char *colon_at = strchr(point->name, ':'); |
7051 | 0 | int written = snprintf((char *)logbuf.buf.base, logbuf.buf.capacity, "{\"module\":\"%.*s\",\"type\":\"%s\"", |
7052 | 0 | (int)(colon_at - point->name), point->name, colon_at + 1); |
7053 | | |
7054 | | /* obtain and stringify thread id once */ |
7055 | 0 | if (logbuf.tid.len == 0) { |
7056 | 0 | #if defined(__linux__) |
7057 | 0 | logbuf.tid.len = sprintf(logbuf.tid.buf, ",\"tid\":%" PRId64, (int64_t)syscall(SYS_gettid)); |
7058 | | #elif defined(__APPLE__) |
7059 | | uint64_t t = 0; |
7060 | | (void)pthread_threadid_np(NULL, &t); |
7061 | | logbuf.tid.len = sprintf(logbuf.tid.buf, ",\"tid\":%" PRIu64, t); |
7062 | | #else |
7063 | | /* other platforms: skip emitting tid, by keeping logbuf.tid.len == 0 */ |
7064 | | #endif |
7065 | 0 | } |
7066 | | /* append tid */ |
7067 | 0 | assert(written > 0 && written + logbuf.tid.len < logbuf.buf.capacity); |
7068 | 0 | memcpy((char *)logbuf.buf.base + written, logbuf.tid.buf, logbuf.tid.len + 1); |
7069 | 0 | written += logbuf.tid.len; |
7070 | | |
7071 | | /* append time if requested */ |
7072 | 0 | if (add_time) { |
7073 | 0 | struct timeval tv; |
7074 | 0 | gettimeofday(&tv, NULL); |
7075 | 0 | written += snprintf((char *)logbuf.buf.base + written, logbuf.buf.capacity - written, ",\"time\":%" PRIu64, |
7076 | 0 | (uint64_t)tv.tv_sec * 1000 + tv.tv_usec / 1000); |
7077 | 0 | } |
7078 | 0 | assert(written > 0 && written < logbuf.buf.capacity && "caller MUST provide smallbuf suffient to emit the prefix"); |
7079 | | |
7080 | 0 | logbuf.buf.off = (size_t)written; |
7081 | 0 | } |
7082 | | |
7083 | | int ptls_log__do_write_end(struct st_ptls_log_point_t *point, struct st_ptls_log_conn_state_t *conn, const char *(*get_sni)(void *), |
7084 | | void *get_sni_arg, int includes_appdata) |
7085 | 0 | { |
7086 | 0 | if (!expand_logbuf_or_invalidate("}\n", 2, 0)) |
7087 | 0 | return 0; |
7088 | | |
7089 | 0 | int needs_appdata = 0; |
7090 | |
|
7091 | 0 | pthread_mutex_lock(&logctx.mutex); |
7092 | | |
7093 | | /* calc the active conn bits, updating stale information if necessary */ |
7094 | 0 | if (point->state.generation != ptls_log._generation) |
7095 | 0 | ptls_log__recalc_point(1, point); |
7096 | 0 | uint32_t active = point->state.active_conns; |
7097 | 0 | if (conn != NULL && conn->state.generation != ptls_log._generation) { |
7098 | 0 | ptls_log__recalc_conn(1, conn, get_sni, get_sni_arg); |
7099 | 0 | active &= conn->state.active_conns; |
7100 | 0 | } |
7101 | | |
7102 | | /* iterate through the active connctions */ |
7103 | 0 | for (size_t slot = 0; active != 0; ++slot, active >>= 1) { |
7104 | 0 | if ((active & 1) == 0) |
7105 | 0 | continue; |
7106 | | |
7107 | 0 | assert(logctx.conns[slot].points != NULL); |
7108 | | |
7109 | 0 | if (logctx.conns[slot].appdata != includes_appdata) { |
7110 | 0 | if (!includes_appdata && ptls_log.may_include_appdata) |
7111 | 0 | needs_appdata = 1; |
7112 | 0 | continue; |
7113 | 0 | } |
7114 | | |
7115 | | /* write */ |
7116 | 0 | ssize_t wret; |
7117 | 0 | while ((wret = write(logctx.conns[slot].fd, logbuf.buf.base, logbuf.buf.off)) == -1 && errno == EINTR) |
7118 | 0 | ; |
7119 | 0 | if (wret == logbuf.buf.off) { |
7120 | | /* success */ |
7121 | 0 | } else if (wret > 0 || (wret == -1 && (errno == EAGAIN || errno == EWOULDBLOCK))) { |
7122 | | /* partial write or buffer full */ |
7123 | 0 | ++logctx.num_lost; |
7124 | 0 | } else { |
7125 | | /* write error; close and unregister the connection */ |
7126 | 0 | close_log_fd(slot); |
7127 | 0 | } |
7128 | 0 | } |
7129 | | |
7130 | 0 | pthread_mutex_unlock(&logctx.mutex); |
7131 | |
|
7132 | 0 | if (includes_appdata) |
7133 | 0 | assert(!needs_appdata); |
7134 | | |
7135 | 0 | ptls_buffer_dispose(&logbuf.buf); |
7136 | 0 | assert(logbuf.buf.base == NULL); |
7137 | 0 | return needs_appdata; |
7138 | 0 | } |
7139 | | |
7140 | | #endif |
7141 | | |
7142 | | void ptls_log_init_conn_state(ptls_log_conn_state_t *state, void (*random_bytes)(void *, size_t)) |
7143 | 0 | { |
7144 | 0 | uint32_t r; |
7145 | 0 | random_bytes(&r, sizeof(r)); |
7146 | |
|
7147 | 0 | *state = (ptls_log_conn_state_t){ |
7148 | 0 | .random_ = (float)r / ((uint64_t)UINT32_MAX + 1), /* [0..1), so that any(r) < sample_ratio where sample_ratio is [0..1] */ |
7149 | 0 | .address = in6addr_any, |
7150 | 0 | }; |
7151 | 0 | } |
7152 | | |
7153 | | size_t ptls_log_num_lost(void) |
7154 | 0 | { |
7155 | 0 | #if PTLS_HAVE_LOG |
7156 | 0 | return logctx.num_lost; |
7157 | | #else |
7158 | | return 0; |
7159 | | #endif |
7160 | 0 | } |
7161 | | |
7162 | | int ptls_log_add_fd(int fd, float sample_ratio, const char *_points, const char *_snis, const char *_addresses, int appdata) |
7163 | 0 | { |
7164 | 0 | #if PTLS_HAVE_LOG |
7165 | |
|
7166 | 0 | char *points = NULL, *snis = NULL; |
7167 | 0 | struct in6_addr *addresses = NULL; |
7168 | 0 | int ret; |
7169 | |
|
7170 | 0 | pthread_mutex_lock(&logctx.mutex); |
7171 | |
|
7172 | 0 | if ((points = duplicate_stringlist(_points)) == NULL) { |
7173 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
7174 | 0 | goto Exit; |
7175 | 0 | } |
7176 | 0 | if ((snis = duplicate_stringlist(_snis)) == NULL) { |
7177 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
7178 | 0 | goto Exit; |
7179 | 0 | } |
7180 | 0 | { |
7181 | 0 | size_t num_addresses = 0; |
7182 | 0 | for (const char *input = _addresses; input != NULL && *input != '\0'; input += strlen(input) + 1) |
7183 | 0 | ++num_addresses; |
7184 | 0 | if ((addresses = malloc(sizeof(*addresses) * (num_addresses + 1))) == NULL) { |
7185 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
7186 | 0 | goto Exit; |
7187 | 0 | } |
7188 | 0 | size_t index = 0; |
7189 | 0 | for (const char *input = _addresses; input != NULL && *input != '\0'; input += strlen(input) + 1) { |
7190 | | /* note: for consistency to the handling of points, erroneous input is ignored. V4 addresses will use the mapped form |
7191 | | * (::ffff:192.0.2.1) */ |
7192 | 0 | if (!inet_pton(AF_INET6, input, &addresses[index])) { |
7193 | 0 | struct in_addr v4; |
7194 | 0 | if (!inet_pton(AF_INET, input, &v4)) |
7195 | 0 | continue; |
7196 | 0 | ptls_build_v4_mapped_v6_address(&addresses[index], &v4); |
7197 | 0 | } |
7198 | 0 | if (memcmp(&addresses[index], &in6addr_any, sizeof(struct in6_addr)) == 0) |
7199 | 0 | continue; |
7200 | 0 | ++index; |
7201 | 0 | } |
7202 | 0 | addresses[index] = in6addr_any; |
7203 | 0 | } |
7204 | | |
7205 | | /* find slot, or return if not available */ |
7206 | 0 | size_t slot_index; |
7207 | 0 | for (slot_index = 0; slot_index < PTLS_ELEMENTSOF(logctx.conns); ++slot_index) |
7208 | 0 | if (logctx.conns[slot_index].points == NULL) |
7209 | 0 | break; |
7210 | 0 | if (slot_index == PTLS_ELEMENTSOF(logctx.conns)) { |
7211 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
7212 | 0 | goto Exit; |
7213 | 0 | } |
7214 | | |
7215 | | /* setup the slot */ |
7216 | 0 | logctx.conns[slot_index].fd = fd; |
7217 | 0 | logctx.conns[slot_index].points = points; |
7218 | 0 | logctx.conns[slot_index].snis = snis; |
7219 | 0 | logctx.conns[slot_index].addresses = addresses; |
7220 | 0 | logctx.conns[slot_index].sample_ratio = sample_ratio; |
7221 | 0 | logctx.conns[slot_index].appdata = appdata; |
7222 | 0 | ++ptls_log._generation; |
7223 | |
|
7224 | 0 | ret = 0; /* success */ |
7225 | |
|
7226 | 0 | Exit: |
7227 | 0 | pthread_mutex_unlock(&logctx.mutex); |
7228 | 0 | if (ret != 0) { |
7229 | 0 | free(points); |
7230 | 0 | free(snis); |
7231 | 0 | free(addresses); |
7232 | 0 | } |
7233 | 0 | return ret; |
7234 | |
|
7235 | | #else |
7236 | | return PTLS_ERROR_NOT_AVAILABLE; |
7237 | | #endif |
7238 | 0 | } |