Coverage Report

Created: 2025-06-22 06:19

/src/h2o/deps/picotls/lib/picotls.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (c) 2016 DeNA Co., Ltd., Kazuho Oku
3
 *
4
 * Permission is hereby granted, free of charge, to any person obtaining a copy
5
 * of this software and associated documentation files (the "Software"), to
6
 * deal in the Software without restriction, including without limitation the
7
 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
8
 * sell copies of the Software, and to permit persons to whom the Software is
9
 * furnished to do so, subject to the following conditions:
10
 *
11
 * The above copyright notice and this permission notice shall be included in
12
 * all copies or substantial portions of the Software.
13
 *
14
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
19
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
20
 * IN THE SOFTWARE.
21
 */
22
#ifdef _WINDOWS
23
#include "wincompat.h"
24
#endif
25
#include <assert.h>
26
#include <stdarg.h>
27
#include <stddef.h>
28
#include <stdio.h>
29
#include <stdlib.h>
30
#include <string.h>
31
#ifndef _WINDOWS
32
#include <errno.h>
33
#include <pthread.h>
34
#include <unistd.h>
35
#include <arpa/inet.h>
36
#include <sys/time.h>
37
#endif
38
#ifdef __linux__
39
#include <sys/syscall.h>
40
#endif
41
#include "picotls.h"
42
#if PICOTLS_USE_DTRACE
43
#include "picotls-probes.h"
44
#endif
45
46
0
#define PTLS_MAX_PLAINTEXT_RECORD_SIZE 16384
47
0
#define PTLS_MAX_ENCRYPTED_RECORD_SIZE (16384 + 256)
48
49
0
#define PTLS_RECORD_VERSION_MAJOR 3
50
0
#define PTLS_RECORD_VERSION_MINOR 3
51
52
0
#define PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC 20
53
0
#define PTLS_CONTENT_TYPE_ALERT 21
54
0
#define PTLS_CONTENT_TYPE_HANDSHAKE 22
55
0
#define PTLS_CONTENT_TYPE_APPDATA 23
56
57
0
#define PTLS_PSK_KE_MODE_PSK 0
58
0
#define PTLS_PSK_KE_MODE_PSK_DHE 1
59
60
0
#define PTLS_HANDSHAKE_HEADER_SIZE 4
61
62
#define PTLS_EXTENSION_TYPE_SERVER_NAME 0
63
#define PTLS_EXTENSION_TYPE_STATUS_REQUEST 5
64
#define PTLS_EXTENSION_TYPE_SUPPORTED_GROUPS 10
65
#define PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS 13
66
#define PTLS_EXTENSION_TYPE_ALPN 16
67
#define PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE 20
68
#define PTLS_EXTENSION_TYPE_COMPRESS_CERTIFICATE 27
69
#define PTLS_EXTENSION_TYPE_PRE_SHARED_KEY 41
70
#define PTLS_EXTENSION_TYPE_EARLY_DATA 42
71
#define PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS 43
72
#define PTLS_EXTENSION_TYPE_COOKIE 44
73
#define PTLS_EXTENSION_TYPE_PSK_KEY_EXCHANGE_MODES 45
74
#define PTLS_EXTENSION_TYPE_CERTIFICATE_AUTHORITIES 47
75
#define PTLS_EXTENSION_TYPE_KEY_SHARE 51
76
#define PTLS_EXTENSION_TYPE_TICKET_REQUEST 58
77
#define PTLS_EXTENSION_TYPE_ECH_OUTER_EXTENSIONS 0xfd00
78
#define PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO 0xfe0d
79
80
#define PTLS_SERVER_NAME_TYPE_HOSTNAME 0
81
82
#define PTLS_ECH_CONFIG_VERSION 0xfe0d
83
0
#define PTLS_ECH_CLIENT_HELLO_TYPE_OUTER 0
84
0
#define PTLS_ECH_CLIENT_HELLO_TYPE_INNER 1
85
86
0
#define PTLS_ECH_CONFIRM_LENGTH 8
87
88
static const char ech_info_prefix[8] = "tls ech";
89
90
0
#define PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING "TLS 1.3, server CertificateVerify"
91
0
#define PTLS_CLIENT_CERTIFICATE_VERIFY_CONTEXT_STRING "TLS 1.3, client CertificateVerify"
92
#define PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE                                                                                  \
93
    (64 + sizeof(PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING) + PTLS_MAX_DIGEST_SIZE * 2)
94
95
0
#define PTLS_EARLY_DATA_MAX_DELAY 10000 /* max. RTT (in msec) to permit early data */
96
97
#ifndef PTLS_MAX_EARLY_DATA_SKIP_SIZE
98
0
#define PTLS_MAX_EARLY_DATA_SKIP_SIZE 65536
99
#endif
100
#if defined(PTLS_DEBUG) && PTLS_DEBUG
101
#define PTLS_DEBUGF(...) fprintf(stderr, __VA_ARGS__)
102
#else
103
#define PTLS_DEBUGF(...)
104
#endif
105
106
#ifndef PTLS_MEMORY_DEBUG
107
0
#define PTLS_MEMORY_DEBUG 0
108
#endif
109
110
#if PICOTLS_USE_DTRACE
111
#define PTLS_PROBE0(LABEL, tls)                                                                                                    \
112
    do {                                                                                                                           \
113
        if (PTLS_UNLIKELY(PICOTLS_##LABEL##_ENABLED()))                                                                            \
114
            PICOTLS_##LABEL(tls);                                                                                                  \
115
    } while (0)
116
#define PTLS_PROBE(LABEL, tls, ...)                                                                                                \
117
    do {                                                                                                                           \
118
        if (PTLS_UNLIKELY(PICOTLS_##LABEL##_ENABLED()))                                                                            \
119
            PICOTLS_##LABEL((tls), __VA_ARGS__);                                                                                   \
120
    } while (0)
121
#else
122
#define PTLS_PROBE0(LABEL, tls)
123
#define PTLS_PROBE(LABEL, tls, ...)
124
#endif
125
126
/**
127
 * list of supported versions in the preferred order
128
 */
129
static const uint16_t supported_versions[] = {PTLS_PROTOCOL_VERSION_TLS13};
130
131
static const uint8_t hello_retry_random[PTLS_HELLO_RANDOM_SIZE] = {0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C,
132
                                                                   0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB,
133
                                                                   0x8C, 0x5E, 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C};
134
135
struct st_ptls_traffic_protection_t {
136
    uint8_t secret[PTLS_MAX_DIGEST_SIZE];
137
    size_t epoch;
138
    /* the following fields are not used if the key_change callback is set */
139
    ptls_aead_context_t *aead;
140
    uint64_t seq;
141
    unsigned tls12 : 1;
142
    uint64_t tls12_enc_record_iv;
143
};
144
145
struct st_ptls_record_message_emitter_t {
146
    ptls_message_emitter_t super;
147
    size_t rec_start;
148
};
149
150
struct st_ptls_signature_algorithms_t {
151
    uint16_t list[16]; /* expand? */
152
    size_t count;
153
};
154
155
struct st_ptls_certificate_request_t {
156
    /**
157
     * context.base becomes non-NULL when a CertificateRequest is pending for processing
158
     */
159
    ptls_iovec_t context;
160
    struct st_ptls_signature_algorithms_t signature_algorithms;
161
};
162
163
struct st_decoded_ech_config_t {
164
    uint8_t id;
165
    ptls_hpke_kem_t *kem;
166
    ptls_iovec_t public_key;
167
    ptls_hpke_cipher_suite_t *cipher;
168
    uint8_t max_name_length;
169
    ptls_iovec_t public_name;
170
    ptls_iovec_t bytes;
171
};
172
173
/**
174
 * Properties for ECH. Iff ECH is used and not rejected, `aead` is non-NULL.
175
 */
176
struct st_ptls_ech_t {
177
    uint8_t offered : 1;
178
    uint8_t offered_grease : 1;
179
    uint8_t accepted : 1;
180
    uint8_t config_id;
181
    ptls_hpke_kem_t *kem;
182
    ptls_hpke_cipher_suite_t *cipher;
183
    ptls_aead_context_t *aead;
184
    uint8_t inner_client_random[PTLS_HELLO_RANDOM_SIZE];
185
    struct {
186
        ptls_iovec_t enc;
187
        uint8_t max_name_length;
188
        char *public_name;
189
        /**
190
         * retains a copy of entire ECH extension so that it can be replayed in the 2nd CH when ECH is rejected via HRR
191
         */
192
        ptls_iovec_t first_ech;
193
    } client;
194
};
195
196
struct st_ptls_t {
197
    /**
198
     * the context
199
     */
200
    ptls_context_t *ctx;
201
    /**
202
     * the state
203
     */
204
    enum en_ptls_state_t {
205
        PTLS_STATE_CLIENT_HANDSHAKE_START,
206
        PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO,
207
        PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO,
208
        PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS,
209
        PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE,
210
        PTLS_STATE_CLIENT_EXPECT_CERTIFICATE,
211
        PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY,
212
        PTLS_STATE_CLIENT_EXPECT_FINISHED,
213
        PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO,
214
        PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO,
215
        PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY,
216
        PTLS_STATE_SERVER_EXPECT_CERTIFICATE,
217
        PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY,
218
        /* ptls_send can be called if the state is below here */
219
        PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA,
220
        PTLS_STATE_SERVER_EXPECT_FINISHED,
221
        PTLS_STATE_POST_HANDSHAKE_MIN,
222
        PTLS_STATE_CLIENT_POST_HANDSHAKE = PTLS_STATE_POST_HANDSHAKE_MIN,
223
        PTLS_STATE_SERVER_POST_HANDSHAKE
224
    } state;
225
    /**
226
     * receive buffers
227
     */
228
    struct {
229
        ptls_buffer_t rec;
230
        ptls_buffer_t mess;
231
    } recvbuf;
232
    /**
233
     * key schedule
234
     */
235
    ptls_key_schedule_t *key_schedule;
236
    /**
237
     * values used for record protection
238
     */
239
    struct {
240
        struct st_ptls_traffic_protection_t dec;
241
        struct st_ptls_traffic_protection_t enc;
242
    } traffic_protection;
243
    /**
244
     * server-name passed using SNI
245
     */
246
    char *server_name;
247
    /**
248
     * result of ALPN
249
     */
250
    char *negotiated_protocol;
251
    /**
252
     * selected key-exchange
253
     */
254
    ptls_key_exchange_algorithm_t *key_share;
255
    /**
256
     * selected cipher-suite
257
     */
258
    ptls_cipher_suite_t *cipher_suite;
259
    /**
260
     * ClientHello.random that appears on the wire. When ECH is used, that of inner CH is retained separately.
261
     */
262
    uint8_t client_random[PTLS_HELLO_RANDOM_SIZE];
263
    /**
264
     * exporter master secret (either 0rtt or 1rtt)
265
     */
266
    struct {
267
        uint8_t *early;
268
        uint8_t *one_rtt;
269
    } exporter_master_secret;
270
    /**
271
     * ECH
272
     */
273
    struct st_ptls_ech_t ech;
274
    /* flags */
275
    unsigned is_server : 1;
276
    unsigned is_psk_handshake : 1;
277
    unsigned send_change_cipher_spec : 1;
278
    unsigned needs_key_update : 1;
279
    unsigned key_update_send_request : 1;
280
#if PTLS_HAVE_LOG
281
    /**
282
     * see ptls_log
283
     */
284
    ptls_log_conn_state_t log_state;
285
#endif
286
    struct {
287
        uint32_t active_conns;
288
        uint32_t generation;
289
    } log_sni;
290
    /**
291
     * misc.
292
     */
293
    union {
294
        struct {
295
            ptls_iovec_t legacy_session_id;
296
            uint8_t legacy_session_id_buf[32];
297
            ptls_key_exchange_context_t *key_share_ctx;
298
            unsigned offered_psk : 1;
299
            /**
300
             * if 1-RTT write key is active
301
             */
302
            unsigned using_early_data : 1;
303
            struct st_ptls_certificate_request_t certificate_request;
304
        } client;
305
        struct {
306
            uint8_t pending_traffic_secret[PTLS_MAX_DIGEST_SIZE];
307
            uint32_t early_data_skipped_bytes; /* if not UINT32_MAX, the server is skipping early data */
308
            uint8_t num_tickets_to_send;
309
            ptls_async_job_t *async_job;
310
        } server;
311
    };
312
    /**
313
     * certificate verify; will be used by the client and the server (if require_client_authentication is set)
314
     */
315
    struct {
316
        int (*cb)(void *verify_ctx, uint16_t algo, ptls_iovec_t data, ptls_iovec_t signature);
317
        void *verify_ctx;
318
    } certificate_verify;
319
    /**
320
     * handshake traffic secret to be commisioned (an array of `uint8_t [PTLS_MAX_DIGEST_SIZE]` or NULL)
321
     */
322
    uint8_t *pending_handshake_secret;
323
    /**
324
     * user data
325
     */
326
    void *data_ptr;
327
};
328
329
struct st_ptls_record_t {
330
    uint8_t type;
331
    uint16_t version;
332
    size_t length;
333
    const uint8_t *fragment;
334
};
335
336
0
#define MAX_UNKNOWN_EXTENSIONS 16
337
#define MAX_CERTIFICATE_TYPES 8
338
339
struct st_ptls_client_hello_t {
340
    uint16_t legacy_version;
341
    const uint8_t *random_bytes;
342
    ptls_iovec_t legacy_session_id;
343
    struct {
344
        const uint8_t *ids;
345
        size_t count;
346
    } compression_methods;
347
    uint16_t selected_version;
348
    ptls_iovec_t cipher_suites;
349
    ptls_iovec_t negotiated_groups;
350
    ptls_iovec_t key_shares;
351
    struct st_ptls_signature_algorithms_t signature_algorithms;
352
    ptls_iovec_t server_name;
353
    struct {
354
        ptls_iovec_t list[16];
355
        size_t count;
356
    } alpn;
357
    struct {
358
        uint16_t list[16];
359
        size_t count;
360
    } cert_compression_algos;
361
    struct {
362
        ptls_iovec_t all;
363
        ptls_iovec_t tbs;
364
        ptls_iovec_t ch1_hash;
365
        ptls_iovec_t signature;
366
        unsigned sent_key_share : 1;
367
    } cookie;
368
    struct {
369
        uint8_t list[MAX_CERTIFICATE_TYPES];
370
        size_t count;
371
    } server_certificate_types;
372
    unsigned status_request : 1;
373
    struct {
374
        uint8_t new_session_count;
375
        uint8_t resumption_count;
376
    } ticket_request;
377
    /**
378
     * ECH: payload.base != NULL indicates that the extension was received
379
     */
380
    struct {
381
        uint8_t type;
382
        uint8_t config_id;
383
        ptls_hpke_cipher_suite_id_t cipher_suite;
384
        ptls_iovec_t enc;
385
        ptls_iovec_t payload;
386
    } ech;
387
    struct {
388
        const uint8_t *hash_end;
389
        struct {
390
            ptls_client_hello_psk_identity_t list[4];
391
            size_t count;
392
        } identities;
393
        unsigned ke_modes;
394
        unsigned early_data_indication : 1;
395
        unsigned is_last_extension : 1;
396
    } psk;
397
    ptls_raw_extension_t unknown_extensions[MAX_UNKNOWN_EXTENSIONS + 1];
398
    size_t first_extension_at;
399
};
400
401
struct st_ptls_server_hello_t {
402
    uint8_t random_[PTLS_HELLO_RANDOM_SIZE];
403
    ptls_iovec_t legacy_session_id;
404
    int is_retry_request;
405
    union {
406
        ptls_iovec_t peerkey;
407
        struct {
408
            uint16_t selected_group;
409
            ptls_iovec_t cookie;
410
            const uint8_t *ech;
411
        } retry_request;
412
    };
413
};
414
415
struct st_ptls_key_schedule_t {
416
    unsigned generation; /* early secret (1), hanshake secret (2), master secret (3) */
417
    uint8_t secret[PTLS_MAX_DIGEST_SIZE];
418
    size_t num_hashes;
419
    struct {
420
        ptls_hash_algorithm_t *algo;
421
        ptls_hash_context_t *ctx, *ctx_outer;
422
    } hashes[1];
423
};
424
425
struct st_ptls_extension_decoder_t {
426
    uint16_t type;
427
    int (*cb)(ptls_t *tls, void *arg, const uint8_t *src, const uint8_t *const end);
428
};
429
430
struct st_ptls_extension_bitmap_t {
431
    uint64_t bits;
432
};
433
434
static const uint8_t zeroes_of_max_digest_size[PTLS_MAX_DIGEST_SIZE] = {0};
435
436
static ptls_aead_context_t *new_aead(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, int is_enc, const void *secret,
437
                                     ptls_iovec_t hash_value, const char *label_prefix);
438
static int server_finish_handshake(ptls_t *tls, ptls_message_emitter_t *emitter, int send_cert_verify,
439
                                   struct st_ptls_signature_algorithms_t *signature_algorithms);
440
441
static int is_supported_version(uint16_t v)
442
0
{
443
0
    size_t i;
444
0
    for (i = 0; i != PTLS_ELEMENTSOF(supported_versions); ++i)
445
0
        if (supported_versions[i] == v)
446
0
            return 1;
447
0
    return 0;
448
0
}
449
450
static int extension_bitmap_testandset(struct st_ptls_extension_bitmap_t *bitmap, int hstype, uint16_t extid)
451
0
{
452
0
#define HSTYPE_TO_BIT(hstype) ((uint64_t)1 << ((hstype) + 1)) /* min(hstype) is -1 (PSEUDO_HRR) */
453
0
#define DEFINE_BIT(abbrev, hstype) static const uint64_t abbrev = HSTYPE_TO_BIT(PTLS_HANDSHAKE_TYPE_##hstype)
454
0
#define EXT(candext, allowed_bits)                                                                                                 \
455
0
    do {                                                                                                                           \
456
0
        if (PTLS_UNLIKELY(extid == PTLS_EXTENSION_TYPE_##candext)) {                                                               \
457
0
            allowed_hs_bits = allowed_bits;                                                                                        \
458
0
            goto Found;                                                                                                            \
459
0
        }                                                                                                                          \
460
0
        ext_bitmap_mask <<= 1;                                                                                                     \
461
0
    } while (0)
462
463
0
    DEFINE_BIT(CH, CLIENT_HELLO);
464
0
    DEFINE_BIT(SH, SERVER_HELLO);
465
0
    DEFINE_BIT(HRR, PSEUDO_HRR);
466
0
    DEFINE_BIT(EE, ENCRYPTED_EXTENSIONS);
467
0
    DEFINE_BIT(CR, CERTIFICATE_REQUEST);
468
0
    DEFINE_BIT(CT, CERTIFICATE);
469
0
    DEFINE_BIT(NST, NEW_SESSION_TICKET);
470
471
0
    uint64_t allowed_hs_bits, ext_bitmap_mask = 1;
472
473
    /* clang-format off */
474
    /* RFC 8446 section 4.2: "The table below indicates the messages where a given extension may appear... If an implementation
475
     * receives an extension which it recognizes and which is not specified for the message in which it appears, it MUST abort the
476
     * handshake with an "illegal_parameter" alert.
477
     *
478
     * +-------------------------+---------------+
479
     * +        Extension        |    Allowed    |
480
     * +-------------------------+---------------+ */
481
0
    EXT( SERVER_NAME             , CH + EE       );
482
0
    EXT( STATUS_REQUEST          , CH + CR + CT  );
483
0
    EXT( SUPPORTED_GROUPS        , CH + EE       );
484
0
    EXT( SIGNATURE_ALGORITHMS    , CH + CR       );
485
0
    EXT( ALPN                    , CH + EE       );
486
0
    EXT( SERVER_CERTIFICATE_TYPE , CH + EE       );
487
0
    EXT( KEY_SHARE               , CH + SH + HRR );
488
0
    EXT( PRE_SHARED_KEY          , CH + SH       );
489
0
    EXT( PSK_KEY_EXCHANGE_MODES  , CH            );
490
0
    EXT( EARLY_DATA              , CH + EE + NST );
491
0
    EXT( COOKIE                  , CH + HRR      );
492
0
    EXT( SUPPORTED_VERSIONS      , CH + SH + HRR );
493
0
    EXT( COMPRESS_CERTIFICATE    , CH + CR       ); /* from RFC 8879 */
494
0
    EXT( ENCRYPTED_CLIENT_HELLO  , CH + HRR + EE ); /* from draft-ietf-tls-esni-15 */
495
0
    EXT( ECH_OUTER_EXTENSIONS    , 0             );
496
    /* +-----------------------------------------+ */
497
    /* clang-format on */
498
499
0
    return 1;
500
501
0
Found:
502
0
    if ((allowed_hs_bits & HSTYPE_TO_BIT(hstype)) == 0)
503
0
        return 0;
504
0
    if ((bitmap->bits & ext_bitmap_mask) != 0)
505
0
        return 0;
506
0
    bitmap->bits |= ext_bitmap_mask;
507
0
    return 1;
508
509
0
#undef HSTYPE_TO_BIT
510
0
#undef DEFINE_ABBREV
511
0
#undef EXT
512
0
}
513
514
#ifndef ntoh16
515
static uint16_t ntoh16(const uint8_t *src)
516
0
{
517
0
    return (uint16_t)src[0] << 8 | src[1];
518
0
}
519
#endif
520
521
#ifndef ntoh24
522
static uint32_t ntoh24(const uint8_t *src)
523
0
{
524
0
    return (uint32_t)src[0] << 16 | (uint32_t)src[1] << 8 | src[2];
525
0
}
526
#endif
527
528
#ifndef ntoh32
529
static uint32_t ntoh32(const uint8_t *src)
530
0
{
531
0
    return (uint32_t)src[0] << 24 | (uint32_t)src[1] << 16 | (uint32_t)src[2] << 8 | src[3];
532
0
}
533
#endif
534
535
#ifndef ntoh64
536
static uint64_t ntoh64(const uint8_t *src)
537
0
{
538
0
    return (uint64_t)src[0] << 56 | (uint64_t)src[1] << 48 | (uint64_t)src[2] << 40 | (uint64_t)src[3] << 32 |
539
0
           (uint64_t)src[4] << 24 | (uint64_t)src[5] << 16 | (uint64_t)src[6] << 8 | src[7];
540
0
}
541
#endif
542
543
static void encode64(uint8_t *dst, uint64_t v)
544
0
{
545
0
    for (size_t i = 0; i < 8; ++i)
546
0
        dst[i] = (uint8_t)(v >> (56 - 8 * i));
547
0
}
548
549
static char *duplicate_as_str(const void *src, size_t len)
550
0
{
551
0
    char *dst;
552
553
0
    if ((dst = malloc(len + 1)) == NULL)
554
0
        return NULL;
555
0
    memcpy(dst, src, len);
556
0
    dst[len] = '\0';
557
0
    return dst;
558
0
}
559
560
void ptls_buffer__release_memory(ptls_buffer_t *buf)
561
0
{
562
0
    ptls_clear_memory(buf->base, buf->off);
563
0
    if (buf->is_allocated) {
564
#ifdef _WINDOWS
565
        if (buf->align_bits != 0) {
566
            _aligned_free(buf->base);
567
        } else {
568
            free(buf->base);
569
        }
570
#else
571
0
        free(buf->base);
572
0
#endif
573
0
    }
574
0
}
575
576
int ptls_buffer_reserve(ptls_buffer_t *buf, size_t delta)
577
0
{
578
0
    return ptls_buffer_reserve_aligned(buf, delta, 0);
579
0
}
580
581
int ptls_buffer_reserve_aligned(ptls_buffer_t *buf, size_t delta, uint8_t align_bits)
582
0
{
583
0
    if (buf->base == NULL)
584
0
        return PTLS_ERROR_NO_MEMORY;
585
586
0
    if (PTLS_MEMORY_DEBUG || buf->capacity < buf->off + delta ||
587
0
        (buf->align_bits < align_bits && ((uintptr_t)buf->base & (((uintptr_t)1 << align_bits) - 1)) != 0)) {
588
0
        void *newp;
589
0
        size_t new_capacity = buf->capacity;
590
0
        if (new_capacity < 1024)
591
0
            new_capacity = 1024;
592
0
        while (new_capacity < buf->off + delta) {
593
0
            new_capacity *= 2;
594
0
        }
595
0
        if (align_bits != 0) {
596
#ifdef _WINDOWS
597
            if ((newp = _aligned_malloc(new_capacity, (size_t)1 << align_bits)) == NULL)
598
                return PTLS_ERROR_NO_MEMORY;
599
#else
600
0
            if (posix_memalign(&newp, 1 << align_bits, new_capacity) != 0)
601
0
                return PTLS_ERROR_NO_MEMORY;
602
0
#endif
603
0
        } else {
604
0
            if ((newp = malloc(new_capacity)) == NULL)
605
0
                return PTLS_ERROR_NO_MEMORY;
606
0
        }
607
0
        memcpy(newp, buf->base, buf->off);
608
0
        ptls_buffer__release_memory(buf);
609
0
        buf->base = newp;
610
0
        buf->capacity = new_capacity;
611
0
        buf->is_allocated = 1;
612
0
        buf->align_bits = align_bits;
613
0
    }
614
615
0
    return 0;
616
0
}
617
618
int ptls_buffer__do_pushv(ptls_buffer_t *buf, const void *src, size_t len)
619
0
{
620
0
    int ret;
621
622
0
    if (len == 0)
623
0
        return 0;
624
0
    if ((ret = ptls_buffer_reserve(buf, len)) != 0)
625
0
        return ret;
626
0
    memcpy(buf->base + buf->off, src, len);
627
0
    buf->off += len;
628
0
    return 0;
629
0
}
630
631
int ptls_buffer__adjust_quic_blocksize(ptls_buffer_t *buf, size_t body_size)
632
0
{
633
0
    uint8_t sizebuf[PTLS_ENCODE_QUICINT_CAPACITY];
634
0
    size_t sizelen = ptls_encode_quicint(sizebuf, body_size) - sizebuf;
635
636
    /* adjust amount of space before body_size to `sizelen` bytes */
637
0
    if (sizelen != 1) {
638
0
        int ret;
639
0
        if ((ret = ptls_buffer_reserve(buf, sizelen - 1)) != 0)
640
0
            return ret;
641
0
        memmove(buf->base + buf->off - body_size - 1 + sizelen, buf->base + buf->off - body_size, body_size);
642
0
        buf->off += sizelen - 1;
643
0
    }
644
645
    /* write the size */
646
0
    memcpy(buf->base + buf->off - body_size - sizelen, sizebuf, sizelen);
647
648
0
    return 0;
649
0
}
650
651
int ptls_buffer__adjust_asn1_blocksize(ptls_buffer_t *buf, size_t body_size)
652
0
{
653
0
    fprintf(stderr, "unimplemented\n");
654
0
    abort();
655
0
}
656
657
int ptls_buffer_push_asn1_ubigint(ptls_buffer_t *buf, const void *bignum, size_t size)
658
0
{
659
0
    const uint8_t *p = bignum, *const end = p + size;
660
0
    int ret;
661
662
    /* skip zeroes */
663
0
    for (; end - p >= 1; ++p)
664
0
        if (*p != 0)
665
0
            break;
666
667
    /* emit */
668
0
    ptls_buffer_push(buf, 2);
669
0
    ptls_buffer_push_asn1_block(buf, {
670
0
        if (*p >= 0x80)
671
0
            ptls_buffer_push(buf, 0);
672
0
        if (p != end) {
673
0
            ptls_buffer_pushv(buf, p, end - p);
674
0
        } else {
675
0
            ptls_buffer_pushv(buf, "", 1);
676
0
        }
677
0
    });
678
0
    ret = 0;
679
680
0
Exit:
681
0
    return ret;
682
0
}
683
684
#if PTLS_FUZZ_HANDSHAKE
685
686
static size_t aead_encrypt(struct st_ptls_traffic_protection_t *ctx, void *output, const void *input, size_t inlen,
687
                           uint8_t content_type)
688
{
689
    memcpy(output, input, inlen);
690
    memcpy(output + inlen, &content_type, 1);
691
    return inlen + 1 + 16;
692
}
693
694
static int aead_decrypt(struct st_ptls_traffic_protection_t *ctx, void *output, size_t *outlen, const void *input, size_t inlen)
695
{
696
    if (inlen < 16) {
697
        return PTLS_ALERT_BAD_RECORD_MAC;
698
    }
699
    memcpy(output, input, inlen - 16);
700
    *outlen = inlen - 16; /* removing the 16 bytes of tag */
701
    return 0;
702
}
703
704
#else
705
706
static void build_aad(uint8_t aad[5], size_t reclen)
707
0
{
708
0
    aad[0] = PTLS_CONTENT_TYPE_APPDATA;
709
0
    aad[1] = PTLS_RECORD_VERSION_MAJOR;
710
0
    aad[2] = PTLS_RECORD_VERSION_MINOR;
711
0
    aad[3] = (uint8_t)(reclen >> 8);
712
0
    aad[4] = (uint8_t)reclen;
713
0
}
714
715
static size_t aead_encrypt(struct st_ptls_traffic_protection_t *ctx, void *output, const void *input, size_t inlen,
716
                           uint8_t content_type)
717
0
{
718
0
    ptls_iovec_t invec[2] = {ptls_iovec_init(input, inlen), ptls_iovec_init(&content_type, 1)};
719
0
    uint8_t aad[5];
720
721
0
    build_aad(aad, inlen + 1 + ctx->aead->algo->tag_size);
722
0
    ptls_aead_encrypt_v(ctx->aead, output, invec, PTLS_ELEMENTSOF(invec), ctx->seq++, aad, sizeof(aad));
723
724
0
    return inlen + 1 + ctx->aead->algo->tag_size;
725
0
}
726
727
static int aead_decrypt(struct st_ptls_traffic_protection_t *ctx, void *output, size_t *outlen, const void *input, size_t inlen)
728
0
{
729
0
    uint8_t aad[5];
730
731
0
    build_aad(aad, inlen);
732
0
    if ((*outlen = ptls_aead_decrypt(ctx->aead, output, input, inlen, ctx->seq, aad, sizeof(aad))) == SIZE_MAX)
733
0
        return PTLS_ALERT_BAD_RECORD_MAC;
734
0
    ++ctx->seq;
735
0
    return 0;
736
0
}
737
738
#endif /* #if PTLS_FUZZ_HANDSHAKE */
739
740
static void build_tls12_aad(uint8_t *aad, uint8_t type, uint64_t seq, uint16_t length)
741
0
{
742
0
    for (size_t i = 0; i < 8; ++i)
743
0
        aad[i] = (uint8_t)(seq >> (56 - i * 8));
744
0
    aad[8] = type;
745
0
    aad[9] = PTLS_RECORD_VERSION_MAJOR;
746
0
    aad[10] = PTLS_RECORD_VERSION_MINOR;
747
0
    aad[11] = length >> 8;
748
0
    aad[12] = (uint8_t)length;
749
0
}
750
751
#define buffer_push_record(buf, type, block)                                                                                       \
752
0
    do {                                                                                                                           \
753
0
        ptls_buffer_push((buf), (type), PTLS_RECORD_VERSION_MAJOR, PTLS_RECORD_VERSION_MINOR);                                     \
754
0
        ptls_buffer_push_block((buf), 2, block);                                                                                   \
755
0
    } while (0)
756
757
static int buffer_push_encrypted_records(ptls_buffer_t *buf, uint8_t type, const uint8_t *src, size_t len,
758
                                         struct st_ptls_traffic_protection_t *enc)
759
0
{
760
0
    int ret = 0;
761
762
0
    while (len != 0) {
763
0
        size_t chunk_size = len;
764
0
        if (chunk_size > PTLS_MAX_PLAINTEXT_RECORD_SIZE)
765
0
            chunk_size = PTLS_MAX_PLAINTEXT_RECORD_SIZE;
766
0
        if (enc->tls12) {
767
0
            buffer_push_record(buf, type, {
768
                /* reserve memory */
769
0
                if ((ret = ptls_buffer_reserve_aligned(
770
0
                         buf, enc->aead->algo->tls12.record_iv_size + chunk_size + enc->aead->algo->tag_size,
771
0
                         enc->aead->algo->align_bits)) != 0)
772
0
                    goto Exit;
773
                /* determine nonce, as well as prepending that walue as the record IV (AES-GCM) */
774
0
                uint64_t nonce;
775
0
                if (enc->aead->algo->tls12.record_iv_size != 0) {
776
0
                    assert(enc->aead->algo->tls12.record_iv_size == 8);
777
0
                    nonce = enc->tls12_enc_record_iv++;
778
0
                    encode64(buf->base + buf->off, nonce);
779
0
                    buf->off += 8;
780
0
                } else {
781
0
                    nonce = enc->seq;
782
0
                }
783
                /* build AAD */
784
0
                uint8_t aad[PTLS_TLS12_AAD_SIZE];
785
0
                build_tls12_aad(aad, type, enc->seq, (uint16_t)chunk_size);
786
                /* encrypt */
787
0
                buf->off += ptls_aead_encrypt(enc->aead, buf->base + buf->off, src, chunk_size, nonce, aad, sizeof(aad));
788
0
                ++enc->seq;
789
0
            });
790
0
        } else {
791
0
            buffer_push_record(buf, PTLS_CONTENT_TYPE_APPDATA, {
792
0
                if ((ret = ptls_buffer_reserve_aligned(buf, chunk_size + enc->aead->algo->tag_size + 1,
793
0
                                                       enc->aead->algo->align_bits)) != 0)
794
0
                    goto Exit;
795
0
                buf->off += aead_encrypt(enc, buf->base + buf->off, src, chunk_size, type);
796
0
            });
797
0
        }
798
0
        src += chunk_size;
799
0
        len -= chunk_size;
800
0
    }
801
802
0
Exit:
803
0
    return ret;
804
0
}
805
806
static int buffer_encrypt_record(ptls_buffer_t *buf, size_t rec_start, struct st_ptls_traffic_protection_t *enc)
807
0
{
808
0
    size_t bodylen = buf->off - rec_start - 5;
809
0
    uint8_t *tmpbuf, type = buf->base[rec_start];
810
0
    int ret;
811
812
    /* Fast path: do in-place encryption if only one record needs to be emitted. (For simplicity, do not take this path if TLS 1.2
813
     * is used, as this function will be called no more than once per connection, for encrypting an alert.) */
814
0
    if (!enc->tls12 && bodylen <= PTLS_MAX_PLAINTEXT_RECORD_SIZE) {
815
0
        size_t overhead = 1 + enc->aead->algo->tag_size;
816
0
        if ((ret = ptls_buffer_reserve_aligned(buf, overhead, enc->aead->algo->align_bits)) != 0)
817
0
            return ret;
818
0
        size_t encrypted_len = aead_encrypt(enc, buf->base + rec_start + 5, buf->base + rec_start + 5, bodylen, type);
819
0
        assert(encrypted_len == bodylen + overhead);
820
0
        buf->off += overhead;
821
0
        buf->base[rec_start] = PTLS_CONTENT_TYPE_APPDATA;
822
0
        buf->base[rec_start + 3] = (encrypted_len >> 8) & 0xff;
823
0
        buf->base[rec_start + 4] = encrypted_len & 0xff;
824
0
        return 0;
825
0
    }
826
827
    /* move plaintext to temporary buffer */
828
0
    if ((tmpbuf = malloc(bodylen)) == NULL) {
829
0
        ret = PTLS_ERROR_NO_MEMORY;
830
0
        goto Exit;
831
0
    }
832
0
    memcpy(tmpbuf, buf->base + rec_start + 5, bodylen);
833
0
    ptls_clear_memory(buf->base + rec_start, bodylen + 5);
834
0
    buf->off = rec_start;
835
836
    /* push encrypted records */
837
0
    ret = buffer_push_encrypted_records(buf, type, tmpbuf, bodylen, enc);
838
839
0
Exit:
840
0
    if (tmpbuf != NULL) {
841
0
        ptls_clear_memory(tmpbuf, bodylen);
842
0
        free(tmpbuf);
843
0
    }
844
0
    return ret;
845
0
}
846
847
static int begin_record_message(ptls_message_emitter_t *_self)
848
0
{
849
0
    struct st_ptls_record_message_emitter_t *self = (void *)_self;
850
0
    int ret;
851
852
0
    self->rec_start = self->super.buf->off;
853
0
    ptls_buffer_push(self->super.buf, PTLS_CONTENT_TYPE_HANDSHAKE, PTLS_RECORD_VERSION_MAJOR, PTLS_RECORD_VERSION_MINOR, 0, 0);
854
0
    ret = 0;
855
0
Exit:
856
0
    return ret;
857
0
}
858
859
static int commit_record_message(ptls_message_emitter_t *_self)
860
0
{
861
0
    struct st_ptls_record_message_emitter_t *self = (void *)_self;
862
0
    int ret;
863
864
0
    if (self->super.enc->aead != NULL) {
865
0
        ret = buffer_encrypt_record(self->super.buf, self->rec_start, self->super.enc);
866
0
    } else {
867
        /* TODO allow CH,SH,HRR above 16KB */
868
0
        size_t sz = self->super.buf->off - self->rec_start - 5;
869
0
        assert(sz <= PTLS_MAX_PLAINTEXT_RECORD_SIZE);
870
0
        self->super.buf->base[self->rec_start + 3] = (uint8_t)(sz >> 8);
871
0
        self->super.buf->base[self->rec_start + 4] = (uint8_t)(sz);
872
0
        ret = 0;
873
0
    }
874
875
0
    return ret;
876
0
}
877
878
#define buffer_push_extension(buf, type, block)                                                                                    \
879
0
    do {                                                                                                                           \
880
0
        ptls_buffer_push16((buf), (type));                                                                                         \
881
0
        ptls_buffer_push_block((buf), 2, block);                                                                                   \
882
0
    } while (0);
883
884
#define decode_open_extensions(src, end, hstype, exttype, block)                                                                   \
885
0
    do {                                                                                                                           \
886
0
        struct st_ptls_extension_bitmap_t bitmap = {0};                                                                            \
887
0
        ptls_decode_open_block((src), end, 2, {                                                                                    \
888
0
            while ((src) != end) {                                                                                                 \
889
0
                if ((ret = ptls_decode16((exttype), &(src), end)) != 0)                                                            \
890
0
                    goto Exit;                                                                                                     \
891
0
                if (!extension_bitmap_testandset(&bitmap, (hstype), *(exttype))) {                                                 \
892
0
                    ret = PTLS_ALERT_ILLEGAL_PARAMETER;                                                                            \
893
0
                    goto Exit;                                                                                                     \
894
0
                }                                                                                                                  \
895
0
                ptls_decode_open_block((src), end, 2, block);                                                                      \
896
0
            }                                                                                                                      \
897
0
        });                                                                                                                        \
898
0
    } while (0)
899
900
#define decode_extensions(src, end, hstype, exttype, block)                                                                        \
901
0
    do {                                                                                                                           \
902
0
        decode_open_extensions((src), end, hstype, exttype, block);                                                                \
903
0
        ptls_decode_assert_block_close((src), end);                                                                                \
904
0
    } while (0)
905
906
int ptls_decode8(uint8_t *value, const uint8_t **src, const uint8_t *end)
907
0
{
908
0
    if (*src == end)
909
0
        return PTLS_ALERT_DECODE_ERROR;
910
0
    *value = *(*src)++;
911
0
    return 0;
912
0
}
913
914
int ptls_decode16(uint16_t *value, const uint8_t **src, const uint8_t *end)
915
0
{
916
0
    if (end - *src < 2)
917
0
        return PTLS_ALERT_DECODE_ERROR;
918
0
    *value = ntoh16(*src);
919
0
    *src += 2;
920
0
    return 0;
921
0
}
922
923
int ptls_decode24(uint32_t *value, const uint8_t **src, const uint8_t *end)
924
0
{
925
0
    if (end - *src < 3)
926
0
        return PTLS_ALERT_DECODE_ERROR;
927
0
    *value = ((uint32_t)(*src)[0] << 16) | ((uint32_t)(*src)[1] << 8) | (*src)[2];
928
0
    *src += 3;
929
0
    return 0;
930
0
}
931
932
int ptls_decode32(uint32_t *value, const uint8_t **src, const uint8_t *end)
933
0
{
934
0
    if (end - *src < 4)
935
0
        return PTLS_ALERT_DECODE_ERROR;
936
0
    *value = ntoh32(*src);
937
0
    *src += 4;
938
0
    return 0;
939
0
}
940
941
int ptls_decode64(uint64_t *value, const uint8_t **src, const uint8_t *end)
942
0
{
943
0
    if (end - *src < 8)
944
0
        return PTLS_ALERT_DECODE_ERROR;
945
0
    *value = ntoh64(*src);
946
0
    *src += 8;
947
0
    return 0;
948
0
}
949
950
uint64_t ptls_decode_quicint(const uint8_t **src, const uint8_t *end)
951
0
{
952
0
    if (PTLS_UNLIKELY(*src == end))
953
0
        return UINT64_MAX;
954
955
0
    uint8_t b = *(*src)++;
956
957
0
    if (PTLS_LIKELY(b <= 0x3f))
958
0
        return b;
959
960
0
    uint64_t v = b & 0x3f;
961
0
    unsigned bytes_left = (1 << (b >> 6)) - 1;
962
0
    if (PTLS_UNLIKELY((size_t)(end - *src) < bytes_left))
963
0
        return UINT64_MAX;
964
0
    do {
965
0
        v = (v << 8) | *(*src)++;
966
0
    } while (--bytes_left != 0);
967
0
    return v;
968
0
}
969
970
static void log_secret(ptls_t *tls, const char *type, ptls_iovec_t secret)
971
0
{
972
0
    char hexbuf[PTLS_MAX_DIGEST_SIZE * 2 + 1];
973
974
0
    PTLS_PROBE(NEW_SECRET, tls, type, ptls_hexdump(hexbuf, secret.base, secret.len));
975
0
    PTLS_LOG_CONN(new_secret, tls, { PTLS_LOG_ELEMENT_SAFESTR(label, type); });
976
977
0
    if (tls->ctx->log_event != NULL)
978
0
        tls->ctx->log_event->cb(tls->ctx->log_event, tls, type, "%s", ptls_hexdump(hexbuf, secret.base, secret.len));
979
0
}
980
981
/**
982
 * This function preserves the flags and  modes (e.g., `offered`, `accepted`, `cipher`), they can be used afterwards.
983
 */
984
static void clear_ech(struct st_ptls_ech_t *ech, int is_server)
985
0
{
986
0
    if (ech->aead != NULL) {
987
0
        ptls_aead_free(ech->aead);
988
0
        ech->aead = NULL;
989
0
    }
990
0
    ptls_clear_memory(ech->inner_client_random, PTLS_HELLO_RANDOM_SIZE);
991
0
    if (!is_server) {
992
0
        free(ech->client.enc.base);
993
0
        ech->client.enc = ptls_iovec_init(NULL, 0);
994
0
        if (ech->client.public_name != NULL) {
995
0
            free(ech->client.public_name);
996
0
            ech->client.public_name = NULL;
997
0
        }
998
0
        free(ech->client.first_ech.base);
999
0
        ech->client.first_ech = ptls_iovec_init(NULL, 0);
1000
0
    }
1001
0
}
1002
1003
/**
1004
 * Decodes one ECHConfigContents (tls-esni-15 section 4). `decoded->kem` and `cipher` may be NULL even when the function returns
1005
 * zero, if the corresponding entries are not found.
1006
 */
1007
static int decode_one_ech_config(ptls_hpke_kem_t **kems, ptls_hpke_cipher_suite_t **ciphers,
1008
                                 struct st_decoded_ech_config_t *decoded, const uint8_t **src, const uint8_t *const end)
1009
0
{
1010
0
    char *public_name_buf = NULL;
1011
0
    int ret;
1012
1013
0
    *decoded = (struct st_decoded_ech_config_t){0};
1014
1015
0
    if ((ret = ptls_decode8(&decoded->id, src, end)) != 0)
1016
0
        goto Exit;
1017
0
    uint16_t kem_id;
1018
0
    if ((ret = ptls_decode16(&kem_id, src, end)) != 0)
1019
0
        goto Exit;
1020
0
    for (size_t i = 0; kems[i] != NULL; ++i) {
1021
0
        if (kems[i]->id == kem_id) {
1022
0
            decoded->kem = kems[i];
1023
0
            break;
1024
0
        }
1025
0
    }
1026
0
    ptls_decode_open_block(*src, end, 2, {
1027
0
        if (*src == end) {
1028
0
            ret = PTLS_ALERT_DECODE_ERROR;
1029
0
            goto Exit;
1030
0
        }
1031
0
        decoded->public_key = ptls_iovec_init(*src, end - *src);
1032
0
        *src = end;
1033
0
    });
1034
0
    ptls_decode_open_block(*src, end, 2, {
1035
0
        do {
1036
0
            uint16_t kdf_id;
1037
0
            uint16_t aead_id;
1038
0
            if ((ret = ptls_decode16(&kdf_id, src, end)) != 0)
1039
0
                goto Exit;
1040
0
            if ((ret = ptls_decode16(&aead_id, src, end)) != 0)
1041
0
                goto Exit;
1042
0
            if (decoded->cipher == NULL) {
1043
0
                for (size_t i = 0; ciphers[i] != NULL; ++i) {
1044
0
                    if (ciphers[i]->id.kdf == kdf_id && ciphers[i]->id.aead == aead_id) {
1045
0
                        decoded->cipher = ciphers[i];
1046
0
                        break;
1047
0
                    }
1048
0
                }
1049
0
            }
1050
0
        } while (*src != end);
1051
0
    });
1052
0
    if ((ret = ptls_decode8(&decoded->max_name_length, src, end)) != 0)
1053
0
        goto Exit;
1054
1055
0
#define SKIP_DECODED()                                                                                                             \
1056
0
    do {                                                                                                                           \
1057
0
        decoded->kem = NULL;                                                                                                       \
1058
0
        decoded->cipher = NULL;                                                                                                    \
1059
0
    } while (0)
1060
1061
    /* Decode public_name. The specification requires clients to ignore (upon parsing ESNIConfigList) or reject (upon handshake)
1062
     * public names that are not DNS names or IPv4 addresses. We ignore IPv4 and v6 addresses during parsing (IPv6 addresses never
1063
     * looks like DNS names), and delegate the responsibility of rejecting non-DNS names to the certificate verify callback. */
1064
0
    ptls_decode_open_block(*src, end, 1, {
1065
0
        if (*src == end) {
1066
0
            ret = PTLS_ALERT_DECODE_ERROR;
1067
0
            goto Exit;
1068
0
        }
1069
0
        if ((public_name_buf = duplicate_as_str(*src, end - *src)) == NULL) {
1070
0
            ret = PTLS_ERROR_NO_MEMORY;
1071
0
            goto Exit;
1072
0
        }
1073
0
        if (ptls_server_name_is_ipaddr(public_name_buf)) {
1074
0
            SKIP_DECODED();
1075
0
        } else {
1076
0
            decoded->public_name = ptls_iovec_init(*src, end - *src);
1077
0
        }
1078
0
        *src = end;
1079
0
    });
1080
1081
0
    ptls_decode_block(*src, end, 2, {
1082
0
        while (*src < end) {
1083
0
            uint16_t type;
1084
0
            if ((ret = ptls_decode16(&type, src, end)) != 0)
1085
0
                goto Exit;
1086
0
            ptls_decode_open_block(*src, end, 2, { *src = end; });
1087
            /* if a critital extension is found, indicate that the config cannot be used */
1088
0
            if ((type & 0x8000) != 0)
1089
0
                SKIP_DECODED();
1090
0
        }
1091
0
    });
1092
1093
0
#undef SKIP_DECODED
1094
1095
0
Exit:
1096
0
    free(public_name_buf);
1097
0
    return ret;
1098
0
}
1099
1100
static int client_decode_ech_config_list(ptls_context_t *ctx, struct st_decoded_ech_config_t *decoded, ptls_iovec_t config_list)
1101
0
{
1102
0
    const uint8_t *src = config_list.base, *const end = src + config_list.len;
1103
0
    int match_found = 0, ret;
1104
1105
0
    *decoded = (struct st_decoded_ech_config_t){0};
1106
1107
0
    ptls_decode_block(src, end, 2, {
1108
0
        do {
1109
0
            const uint8_t *config_start = src;
1110
0
            uint16_t version;
1111
0
            if ((ret = ptls_decode16(&version, &src, end)) != 0)
1112
0
                goto Exit;
1113
0
            ptls_decode_open_block(src, end, 2, {
1114
                /* If the block is the one that we recognize, parse it, then adopt if if possible. Otherwise, skip. */
1115
0
                if (version == PTLS_ECH_CONFIG_VERSION) {
1116
0
                    struct st_decoded_ech_config_t thisconf;
1117
0
                    if ((ret = decode_one_ech_config(ctx->ech.client.kems, ctx->ech.client.ciphers, &thisconf, &src, end)) != 0)
1118
0
                        goto Exit;
1119
0
                    if (!match_found && thisconf.kem != NULL && thisconf.cipher != NULL) {
1120
0
                        *decoded = thisconf;
1121
0
                        decoded->bytes = ptls_iovec_init(config_start, end - config_start);
1122
0
                        match_found = 1;
1123
0
                    }
1124
0
                } else {
1125
0
                    src = end;
1126
0
                }
1127
0
            });
1128
0
        } while (src != end);
1129
0
    });
1130
0
    ret = 0;
1131
1132
0
Exit:
1133
0
    if (ret != 0)
1134
0
        *decoded = (struct st_decoded_ech_config_t){0};
1135
0
    return ret;
1136
0
}
1137
1138
static int client_setup_ech(struct st_ptls_ech_t *ech, struct st_decoded_ech_config_t *decoded,
1139
                            void (*random_bytes)(void *, size_t))
1140
0
{
1141
0
    ptls_buffer_t infobuf;
1142
0
    uint8_t infobuf_smallbuf[256];
1143
0
    int ret;
1144
1145
    /* setup `enc` and `aead` by running HPKE */
1146
0
    ptls_buffer_init(&infobuf, infobuf_smallbuf, sizeof(infobuf_smallbuf));
1147
0
    ptls_buffer_pushv(&infobuf, ech_info_prefix, sizeof(ech_info_prefix));
1148
0
    ptls_buffer_pushv(&infobuf, decoded->bytes.base, decoded->bytes.len);
1149
0
    if ((ret = ptls_hpke_setup_base_s(decoded->kem, decoded->cipher, &ech->client.enc, &ech->aead, decoded->public_key,
1150
0
                                      ptls_iovec_init(infobuf.base, infobuf.off))) != 0)
1151
0
        goto Exit;
1152
1153
    /* setup the rest */
1154
0
    ech->config_id = decoded->id;
1155
0
    ech->kem = decoded->kem;
1156
0
    ech->cipher = decoded->cipher;
1157
0
    random_bytes(ech->inner_client_random, PTLS_HELLO_RANDOM_SIZE);
1158
0
    ech->client.max_name_length = decoded->max_name_length;
1159
0
    if ((ech->client.public_name = duplicate_as_str(decoded->public_name.base, decoded->public_name.len)) == NULL) {
1160
0
        ret = PTLS_ERROR_NO_MEMORY;
1161
0
        goto Exit;
1162
0
    }
1163
1164
0
Exit:
1165
0
    if (ret != 0)
1166
0
        clear_ech(ech, 0);
1167
0
    return ret;
1168
0
}
1169
1170
static void client_setup_ech_grease(struct st_ptls_ech_t *ech, void (*random_bytes)(void *, size_t), ptls_hpke_kem_t **kems,
1171
                                    ptls_hpke_cipher_suite_t **ciphers, const char *sni_name)
1172
0
{
1173
0
    static const size_t x25519_key_size = 32;
1174
0
    uint8_t random_secret[PTLS_AES128_KEY_SIZE + PTLS_AES_IV_SIZE];
1175
1176
    /* pick up X25519, AES-128-GCM or bail out */
1177
0
    for (size_t i = 0; kems[i] != NULL; ++i) {
1178
0
        if (kems[i]->id == PTLS_HPKE_KEM_X25519_SHA256) {
1179
0
            ech->kem = kems[i];
1180
0
            break;
1181
0
        }
1182
0
    }
1183
0
    for (size_t i = 0; ciphers[i] != NULL; ++i) {
1184
0
        if (ciphers[i]->id.kdf == PTLS_HPKE_HKDF_SHA256 && ciphers[i]->id.aead == PTLS_HPKE_AEAD_AES_128_GCM) {
1185
0
            ech->cipher = ciphers[i];
1186
0
            break;
1187
0
        }
1188
0
    }
1189
0
    if (ech->kem == NULL || ech->cipher == NULL)
1190
0
        goto Fail;
1191
1192
    /* aead is generated from random */
1193
0
    random_bytes(random_secret, sizeof(random_secret));
1194
0
    ech->aead = ptls_aead_new_direct(ech->cipher->aead, 1, random_secret, random_secret + PTLS_AES128_KEY_SIZE);
1195
1196
    /* `enc` is random bytes */
1197
0
    if ((ech->client.enc.base = malloc(x25519_key_size)) == NULL)
1198
0
        goto Fail;
1199
0
    ech->client.enc.len = x25519_key_size;
1200
0
    random_bytes(ech->client.enc.base, ech->client.enc.len);
1201
1202
    /* setup the rest (inner_client_random is left zeros) */
1203
0
    random_bytes(&ech->config_id, sizeof(ech->config_id));
1204
0
    ech->client.max_name_length = 64;
1205
0
    if ((ech->client.public_name = duplicate_as_str(sni_name, strlen(sni_name))) == NULL)
1206
0
        goto Fail;
1207
1208
0
    return;
1209
1210
0
Fail:
1211
0
    clear_ech(ech, 0);
1212
0
}
1213
1214
0
#define ECH_CONFIRMATION_SERVER_HELLO "ech accept confirmation"
1215
0
#define ECH_CONFIRMATION_HRR "hrr ech accept confirmation"
1216
static int ech_calc_confirmation(ptls_key_schedule_t *sched, void *dst, const uint8_t *inner_random, const char *label,
1217
                                 ptls_iovec_t message)
1218
0
{
1219
0
    ptls_hash_context_t *hash = NULL;
1220
0
    uint8_t secret[PTLS_MAX_DIGEST_SIZE], transcript_hash[PTLS_MAX_DIGEST_SIZE];
1221
0
    int ret;
1222
1223
    /* calc transcript hash using the modified ServerHello / HRR */
1224
0
    if ((hash = sched->hashes[0].ctx->clone_(sched->hashes[0].ctx)) == NULL) {
1225
0
        ret = PTLS_ERROR_NO_MEMORY;
1226
0
        goto Exit;
1227
0
    }
1228
0
    hash->update(hash, message.base, message.len);
1229
0
    hash->final(hash, transcript_hash, PTLS_HASH_FINAL_MODE_FREE);
1230
0
    hash = NULL;
1231
1232
    /* HKDF extract and expand */
1233
0
    if ((ret = ptls_hkdf_extract(sched->hashes[0].algo, secret, ptls_iovec_init(NULL, 0),
1234
0
                                 ptls_iovec_init(inner_random, PTLS_HELLO_RANDOM_SIZE))) != 0)
1235
0
        goto Exit;
1236
0
    if ((ret = ptls_hkdf_expand_label(sched->hashes[0].algo, dst, 8, ptls_iovec_init(secret, sched->hashes[0].algo->digest_size),
1237
0
                                      label, ptls_iovec_init(transcript_hash, sched->hashes[0].algo->digest_size), NULL)) != 0)
1238
0
        goto Exit;
1239
1240
0
Exit:
1241
0
    ptls_clear_memory(secret, sizeof(secret));
1242
0
    ptls_clear_memory(transcript_hash, sizeof(transcript_hash));
1243
0
    if (hash != NULL)
1244
0
        hash->final(hash, NULL, PTLS_HASH_FINAL_MODE_FREE);
1245
0
    return ret;
1246
0
}
1247
1248
static void key_schedule_free(ptls_key_schedule_t *sched)
1249
0
{
1250
0
    size_t i;
1251
0
    ptls_clear_memory(sched->secret, sizeof(sched->secret));
1252
0
    for (i = 0; i != sched->num_hashes; ++i) {
1253
0
        sched->hashes[i].ctx->final(sched->hashes[i].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE);
1254
0
        if (sched->hashes[i].ctx_outer != NULL)
1255
0
            sched->hashes[i].ctx_outer->final(sched->hashes[i].ctx_outer, NULL, PTLS_HASH_FINAL_MODE_FREE);
1256
0
    }
1257
0
    free(sched);
1258
0
}
1259
1260
static ptls_key_schedule_t *key_schedule_new(ptls_cipher_suite_t *preferred, ptls_cipher_suite_t **offered, int use_outer)
1261
0
{
1262
0
#define FOREACH_HASH(block)                                                                                                        \
1263
0
    do {                                                                                                                           \
1264
0
        ptls_cipher_suite_t *cs;                                                                                                   \
1265
0
        if ((cs = preferred) != NULL) {                                                                                            \
1266
0
            block                                                                                                                  \
1267
0
        }                                                                                                                          \
1268
0
        if (offered != NULL) {                                                                                                     \
1269
0
            size_t i, j;                                                                                                           \
1270
0
            for (i = 0; (cs = offered[i]) != NULL; ++i) {                                                                          \
1271
0
                if (preferred == NULL || cs->hash != preferred->hash) {                                                            \
1272
0
                    for (j = 0; j != i; ++j)                                                                                       \
1273
0
                        if (cs->hash == offered[j]->hash)                                                                          \
1274
0
                            break;                                                                                                 \
1275
0
                    if (j == i) {                                                                                                  \
1276
0
                        block                                                                                                      \
1277
0
                    }                                                                                                              \
1278
0
                }                                                                                                                  \
1279
0
            }                                                                                                                      \
1280
0
        }                                                                                                                          \
1281
0
    } while (0)
1282
1283
0
    ptls_key_schedule_t *sched;
1284
1285
0
    { /* allocate */
1286
0
        size_t num_hashes = 0;
1287
0
        FOREACH_HASH({ ++num_hashes; });
1288
0
        if ((sched = malloc(offsetof(ptls_key_schedule_t, hashes) + sizeof(sched->hashes[0]) * num_hashes)) == NULL)
1289
0
            return NULL;
1290
0
        *sched = (ptls_key_schedule_t){0};
1291
0
    }
1292
1293
    /* setup the hash algos and contexts */
1294
0
    FOREACH_HASH({
1295
0
        sched->hashes[sched->num_hashes].algo = cs->hash;
1296
0
        if ((sched->hashes[sched->num_hashes].ctx = cs->hash->create()) == NULL)
1297
0
            goto Fail;
1298
0
        if (use_outer) {
1299
0
            if ((sched->hashes[sched->num_hashes].ctx_outer = cs->hash->create()) == NULL)
1300
0
                goto Fail;
1301
0
        } else {
1302
0
            sched->hashes[sched->num_hashes].ctx_outer = NULL;
1303
0
        }
1304
0
        ++sched->num_hashes;
1305
0
    });
1306
1307
0
    return sched;
1308
0
Fail:
1309
0
    key_schedule_free(sched);
1310
0
    return NULL;
1311
1312
0
#undef FOREACH_HASH
1313
0
}
1314
1315
static int key_schedule_extract(ptls_key_schedule_t *sched, ptls_iovec_t ikm)
1316
0
{
1317
0
    int ret;
1318
1319
0
    if (ikm.base == NULL)
1320
0
        ikm = ptls_iovec_init(zeroes_of_max_digest_size, sched->hashes[0].algo->digest_size);
1321
1322
0
    if (sched->generation != 0 &&
1323
0
        (ret = ptls_hkdf_expand_label(sched->hashes[0].algo, sched->secret, sched->hashes[0].algo->digest_size,
1324
0
                                      ptls_iovec_init(sched->secret, sched->hashes[0].algo->digest_size), "derived",
1325
0
                                      ptls_iovec_init(sched->hashes[0].algo->empty_digest, sched->hashes[0].algo->digest_size),
1326
0
                                      NULL)) != 0)
1327
0
        return ret;
1328
1329
0
    ++sched->generation;
1330
0
    ret = ptls_hkdf_extract(sched->hashes[0].algo, sched->secret,
1331
0
                            ptls_iovec_init(sched->secret, sched->hashes[0].algo->digest_size), ikm);
1332
0
    PTLS_DEBUGF("%s: %u, %02x%02x\n", __FUNCTION__, sched->generation, (int)sched->secret[0], (int)sched->secret[1]);
1333
0
    return ret;
1334
0
}
1335
1336
static int key_schedule_select_cipher(ptls_key_schedule_t *sched, ptls_cipher_suite_t *cs, int reset, ptls_iovec_t reset_ikm)
1337
0
{
1338
0
    size_t found_slot = SIZE_MAX, i;
1339
0
    int ret;
1340
1341
0
    assert(sched->generation == 1);
1342
1343
    /* find the one, while freeing others */
1344
0
    for (i = 0; i != sched->num_hashes; ++i) {
1345
0
        if (sched->hashes[i].algo == cs->hash) {
1346
0
            assert(found_slot == SIZE_MAX);
1347
0
            found_slot = i;
1348
0
        } else {
1349
0
            sched->hashes[i].ctx->final(sched->hashes[i].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE);
1350
0
            if (sched->hashes[i].ctx_outer != NULL)
1351
0
                sched->hashes[i].ctx_outer->final(sched->hashes[i].ctx_outer, NULL, PTLS_HASH_FINAL_MODE_FREE);
1352
0
        }
1353
0
    }
1354
0
    if (found_slot != 0) {
1355
0
        sched->hashes[0] = sched->hashes[found_slot];
1356
0
        reset = 1;
1357
0
    }
1358
0
    sched->num_hashes = 1;
1359
1360
    /* recalculate the hash if a different hash as been selected than the one we used for calculating the early secrets */
1361
0
    if (reset) {
1362
0
        --sched->generation;
1363
0
        memset(sched->secret, 0, sizeof(sched->secret));
1364
0
        if ((ret = key_schedule_extract(sched, reset_ikm)) != 0)
1365
0
            goto Exit;
1366
0
    }
1367
1368
0
    ret = 0;
1369
0
Exit:
1370
0
    return ret;
1371
0
}
1372
1373
static void key_schedule_select_outer(ptls_key_schedule_t *sched)
1374
0
{
1375
    /* This function is called when receiving a cleartext message (Server Hello), after the cipher-suite is determined (and hence
1376
     * the hash also), if ECH was offered */
1377
0
    assert(sched->generation == 1);
1378
0
    assert(sched->num_hashes == 1);
1379
0
    assert(sched->hashes[0].ctx_outer != NULL);
1380
1381
0
    sched->hashes[0].ctx->final(sched->hashes[0].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE);
1382
0
    sched->hashes[0].ctx = sched->hashes[0].ctx_outer;
1383
0
    sched->hashes[0].ctx_outer = NULL;
1384
0
}
1385
1386
void ptls__key_schedule_update_hash(ptls_key_schedule_t *sched, const uint8_t *msg, size_t msglen, int use_outer)
1387
0
{
1388
0
    size_t i;
1389
1390
0
    PTLS_DEBUGF("%s:%p:len=%zu\n", __FUNCTION__, sched, msglen);
1391
0
    for (i = 0; i != sched->num_hashes; ++i) {
1392
0
        ptls_hash_context_t *ctx = use_outer ? sched->hashes[i].ctx_outer : sched->hashes[i].ctx;
1393
0
        ctx->update(ctx, msg, msglen);
1394
#if defined(PTLS_DEBUG) && PTLS_DEBUG
1395
        {
1396
            uint8_t digest[PTLS_MAX_DIGEST_SIZE];
1397
            ctx->final(ctx, digest, PTLS_HASH_FINAL_MODE_SNAPSHOT);
1398
            PTLS_DEBUGF("  %zu: %02x%02x%02x%02x\n", i, digest[0], digest[1], digest[2], digest[3]);
1399
        }
1400
#endif
1401
0
    }
1402
0
}
1403
1404
static void key_schedule_update_ch1hash_prefix(ptls_key_schedule_t *sched)
1405
0
{
1406
0
    uint8_t prefix[4] = {PTLS_HANDSHAKE_TYPE_MESSAGE_HASH, 0, 0, (uint8_t)sched->hashes[0].algo->digest_size};
1407
0
    ptls__key_schedule_update_hash(sched, prefix, sizeof(prefix), 0);
1408
0
}
1409
1410
static void key_schedule_extract_ch1hash(ptls_key_schedule_t *sched, uint8_t *hash)
1411
0
{
1412
0
    assert(sched->hashes[0].ctx_outer == NULL);
1413
0
    sched->hashes[0].ctx->final(sched->hashes[0].ctx, hash, PTLS_HASH_FINAL_MODE_RESET);
1414
0
}
1415
1416
static void key_schedule_transform_post_ch1hash(ptls_key_schedule_t *sched)
1417
0
{
1418
0
    size_t digest_size = sched->hashes[0].algo->digest_size;
1419
0
    ptls_hash_context_t *hashes[3] = {sched->hashes[0].ctx, sched->hashes[0].ctx_outer, NULL};
1420
0
    uint8_t ch1hash[PTLS_MAX_DIGEST_SIZE];
1421
0
    uint8_t prefix[4] = {PTLS_HANDSHAKE_TYPE_MESSAGE_HASH, 0, 0, (uint8_t)digest_size};
1422
1423
0
    for (size_t i = 0; hashes[i] != NULL; ++i) {
1424
0
        hashes[i]->final(hashes[i], ch1hash, PTLS_HASH_FINAL_MODE_RESET);
1425
0
        hashes[i]->update(hashes[i], prefix, sizeof(prefix));
1426
0
        hashes[i]->update(hashes[i], ch1hash, digest_size);
1427
0
    }
1428
1429
0
    ptls_clear_memory(ch1hash, sizeof(ch1hash));
1430
0
}
1431
1432
static int derive_secret_with_hash(ptls_key_schedule_t *sched, void *secret, const char *label, const uint8_t *hash)
1433
0
{
1434
0
    int ret = ptls_hkdf_expand_label(sched->hashes[0].algo, secret, sched->hashes[0].algo->digest_size,
1435
0
                                     ptls_iovec_init(sched->secret, sched->hashes[0].algo->digest_size), label,
1436
0
                                     ptls_iovec_init(hash, sched->hashes[0].algo->digest_size), NULL);
1437
0
    PTLS_DEBUGF("%s: (label=%s, hash=%02x%02x) => %02x%02x\n", __FUNCTION__, label, hash[0], hash[1], ((uint8_t *)secret)[0],
1438
0
                ((uint8_t *)secret)[1]);
1439
0
    return ret;
1440
0
}
1441
1442
static int derive_secret(ptls_key_schedule_t *sched, void *secret, const char *label)
1443
0
{
1444
0
    uint8_t hash_value[PTLS_MAX_DIGEST_SIZE];
1445
1446
0
    sched->hashes[0].ctx->final(sched->hashes[0].ctx, hash_value, PTLS_HASH_FINAL_MODE_SNAPSHOT);
1447
0
    int ret = derive_secret_with_hash(sched, secret, label, hash_value);
1448
0
    ptls_clear_memory(hash_value, sizeof(hash_value));
1449
0
    return ret;
1450
0
}
1451
1452
static int derive_secret_with_empty_digest(ptls_key_schedule_t *sched, void *secret, const char *label)
1453
0
{
1454
0
    return derive_secret_with_hash(sched, secret, label, sched->hashes[0].algo->empty_digest);
1455
0
}
1456
1457
static int derive_exporter_secret(ptls_t *tls, int is_early)
1458
0
{
1459
0
    int ret;
1460
1461
0
    if (!tls->ctx->use_exporter)
1462
0
        return 0;
1463
1464
0
    uint8_t **slot = is_early ? &tls->exporter_master_secret.early : &tls->exporter_master_secret.one_rtt;
1465
0
    assert(*slot == NULL);
1466
0
    if ((*slot = malloc(tls->key_schedule->hashes[0].algo->digest_size)) == NULL)
1467
0
        return PTLS_ERROR_NO_MEMORY;
1468
1469
0
    if ((ret = derive_secret(tls->key_schedule, *slot, is_early ? "e exp master" : "exp master")) != 0)
1470
0
        return ret;
1471
1472
0
    log_secret(tls, is_early ? "EARLY_EXPORTER_SECRET" : "EXPORTER_SECRET",
1473
0
               ptls_iovec_init(*slot, tls->key_schedule->hashes[0].algo->digest_size));
1474
1475
0
    return 0;
1476
0
}
1477
1478
static void free_exporter_master_secret(ptls_t *tls, int is_early)
1479
0
{
1480
0
    uint8_t *slot = is_early ? tls->exporter_master_secret.early : tls->exporter_master_secret.one_rtt;
1481
0
    if (slot == NULL)
1482
0
        return;
1483
0
    assert(tls->key_schedule != NULL);
1484
0
    ptls_clear_memory(slot, tls->key_schedule->hashes[0].algo->digest_size);
1485
0
    free(slot);
1486
0
}
1487
1488
static int derive_resumption_secret(ptls_key_schedule_t *sched, uint8_t *secret, ptls_iovec_t nonce)
1489
0
{
1490
0
    int ret;
1491
1492
0
    if ((ret = derive_secret(sched, secret, "res master")) != 0)
1493
0
        goto Exit;
1494
0
    if ((ret = ptls_hkdf_expand_label(sched->hashes[0].algo, secret, sched->hashes[0].algo->digest_size,
1495
0
                                      ptls_iovec_init(secret, sched->hashes[0].algo->digest_size), "resumption", nonce, NULL)) != 0)
1496
0
        goto Exit;
1497
1498
0
Exit:
1499
0
    if (ret != 0)
1500
0
        ptls_clear_memory(secret, sched->hashes[0].algo->digest_size);
1501
0
    return ret;
1502
0
}
1503
1504
static int decode_new_session_ticket(ptls_t *tls, uint32_t *lifetime, uint32_t *age_add, ptls_iovec_t *nonce, ptls_iovec_t *ticket,
1505
                                     uint32_t *max_early_data_size, const uint8_t *src, const uint8_t *const end)
1506
0
{
1507
0
    uint16_t exttype;
1508
0
    int ret;
1509
1510
0
    if ((ret = ptls_decode32(lifetime, &src, end)) != 0)
1511
0
        goto Exit;
1512
0
    if ((ret = ptls_decode32(age_add, &src, end)) != 0)
1513
0
        goto Exit;
1514
0
    ptls_decode_open_block(src, end, 1, {
1515
0
        *nonce = ptls_iovec_init(src, end - src);
1516
0
        src = end;
1517
0
    });
1518
0
    ptls_decode_open_block(src, end, 2, {
1519
0
        if (src == end) {
1520
0
            ret = PTLS_ALERT_DECODE_ERROR;
1521
0
            goto Exit;
1522
0
        }
1523
0
        *ticket = ptls_iovec_init(src, end - src);
1524
0
        src = end;
1525
0
    });
1526
1527
0
    *max_early_data_size = 0;
1528
0
    decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET, &exttype, {
1529
0
        if (tls->ctx->on_extension != NULL &&
1530
0
            (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET, exttype,
1531
0
                                              ptls_iovec_init(src, end - src)) != 0))
1532
0
            goto Exit;
1533
0
        switch (exttype) {
1534
0
        case PTLS_EXTENSION_TYPE_EARLY_DATA:
1535
0
            if ((ret = ptls_decode32(max_early_data_size, &src, end)) != 0)
1536
0
                goto Exit;
1537
0
            break;
1538
0
        default:
1539
0
            src = end;
1540
0
            break;
1541
0
        }
1542
0
    });
1543
1544
0
    ret = 0;
1545
0
Exit:
1546
0
    return ret;
1547
0
}
1548
1549
static int decode_stored_session_ticket(ptls_t *tls, ptls_key_exchange_algorithm_t **key_share, ptls_cipher_suite_t **cs,
1550
                                        ptls_iovec_t *secret, uint32_t *obfuscated_ticket_age, ptls_iovec_t *ticket,
1551
                                        uint32_t *max_early_data_size, const uint8_t *src, const uint8_t *const end)
1552
0
{
1553
0
    uint16_t kxid, csid;
1554
0
    uint32_t lifetime, age_add;
1555
0
    uint64_t obtained_at, now;
1556
0
    ptls_iovec_t nonce;
1557
0
    int ret;
1558
1559
    /* decode */
1560
0
    if ((ret = ptls_decode64(&obtained_at, &src, end)) != 0)
1561
0
        goto Exit;
1562
0
    if ((ret = ptls_decode16(&kxid, &src, end)) != 0)
1563
0
        goto Exit;
1564
0
    if ((ret = ptls_decode16(&csid, &src, end)) != 0)
1565
0
        goto Exit;
1566
0
    ptls_decode_open_block(src, end, 3, {
1567
0
        if ((ret = decode_new_session_ticket(tls, &lifetime, &age_add, &nonce, ticket, max_early_data_size, src, end)) != 0)
1568
0
            goto Exit;
1569
0
        src = end;
1570
0
    });
1571
0
    ptls_decode_block(src, end, 2, {
1572
0
        *secret = ptls_iovec_init(src, end - src);
1573
0
        src = end;
1574
0
    });
1575
1576
0
    { /* determine the key-exchange */
1577
0
        ptls_key_exchange_algorithm_t **cand;
1578
0
        for (cand = tls->ctx->key_exchanges; *cand != NULL; ++cand)
1579
0
            if ((*cand)->id == kxid)
1580
0
                break;
1581
0
        if (*cand == NULL) {
1582
0
            ret = PTLS_ERROR_LIBRARY;
1583
0
            goto Exit;
1584
0
        }
1585
0
        *key_share = *cand;
1586
0
    }
1587
1588
0
    { /* determine the cipher-suite */
1589
0
        ptls_cipher_suite_t **cand;
1590
0
        for (cand = tls->ctx->cipher_suites; *cand != NULL; ++cand)
1591
0
            if ((*cand)->id == csid)
1592
0
                break;
1593
0
        if (*cand == NULL) {
1594
0
            ret = PTLS_ERROR_LIBRARY;
1595
0
            goto Exit;
1596
0
        }
1597
0
        *cs = *cand;
1598
0
    }
1599
1600
    /* calculate obfuscated_ticket_age */
1601
0
    now = tls->ctx->get_time->cb(tls->ctx->get_time);
1602
0
    if (!(obtained_at <= now && now - obtained_at < 7 * 86400 * 1000)) {
1603
0
        ret = PTLS_ERROR_LIBRARY;
1604
0
        goto Exit;
1605
0
    }
1606
0
    *obfuscated_ticket_age = (uint32_t)(now - obtained_at) + age_add;
1607
1608
0
    ret = 0;
1609
0
Exit:
1610
0
    return ret;
1611
0
}
1612
1613
static int get_traffic_key(ptls_hash_algorithm_t *algo, void *key, size_t key_size, int is_iv, const void *secret,
1614
                           ptls_iovec_t hash_value, const char *label_prefix)
1615
0
{
1616
0
    return ptls_hkdf_expand_label(algo, key, key_size, ptls_iovec_init(secret, algo->digest_size), is_iv ? "iv" : "key", hash_value,
1617
0
                                  label_prefix);
1618
0
}
1619
1620
static int get_traffic_keys(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, void *key, void *iv, const void *secret,
1621
                            ptls_iovec_t hash_value, const char *label_prefix)
1622
0
{
1623
0
    int ret;
1624
1625
0
    if ((ret = get_traffic_key(hash, key, aead->key_size, 0, secret, hash_value, label_prefix)) != 0 ||
1626
0
        (ret = get_traffic_key(hash, iv, aead->iv_size, 1, secret, hash_value, label_prefix)) != 0) {
1627
0
        ptls_clear_memory(key, aead->key_size);
1628
0
        ptls_clear_memory(iv, aead->iv_size);
1629
0
    }
1630
1631
0
    return ret;
1632
0
}
1633
1634
static int setup_traffic_protection(ptls_t *tls, int is_enc, const char *secret_label, size_t epoch, uint64_t seq, int skip_notify)
1635
0
{
1636
0
    static const char *log_labels[2][4] = {
1637
0
        {NULL, "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0"},
1638
0
        {NULL, NULL, "SERVER_HANDSHAKE_TRAFFIC_SECRET", "SERVER_TRAFFIC_SECRET_0"}};
1639
0
    struct st_ptls_traffic_protection_t *ctx = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec;
1640
1641
0
    if (secret_label != NULL) {
1642
0
        int ret;
1643
0
        if ((ret = derive_secret(tls->key_schedule, ctx->secret, secret_label)) != 0)
1644
0
            return ret;
1645
0
    }
1646
1647
0
    ctx->epoch = epoch;
1648
1649
0
    log_secret(tls, log_labels[ptls_is_server(tls) == is_enc][epoch],
1650
0
               ptls_iovec_init(ctx->secret, tls->key_schedule->hashes[0].algo->digest_size));
1651
1652
    /* special path for applications having their own record layer */
1653
0
    if (tls->ctx->update_traffic_key != NULL) {
1654
0
        if (skip_notify)
1655
0
            return 0;
1656
0
        return tls->ctx->update_traffic_key->cb(tls->ctx->update_traffic_key, tls, is_enc, epoch, ctx->secret);
1657
0
    }
1658
1659
0
    if (ctx->aead != NULL)
1660
0
        ptls_aead_free(ctx->aead);
1661
0
    if ((ctx->aead = ptls_aead_new(tls->cipher_suite->aead, tls->cipher_suite->hash, is_enc, ctx->secret,
1662
0
                                   tls->ctx->hkdf_label_prefix__obsolete)) == NULL)
1663
0
        return PTLS_ERROR_NO_MEMORY; /* TODO obtain error from ptls_aead_new */
1664
0
    ctx->seq = seq;
1665
1666
#if defined(PTLS_DEBUG) && PTLS_DEBUG
1667
    {
1668
        uint8_t static_iv[PTLS_MAX_IV_SIZE];
1669
        ptls_aead_get_iv(ctx->aead, static_iv);
1670
        PTLS_DEBUGF("[%s] %02x%02x,%02x%02x\n", log_labels[ptls_is_server(tls)][epoch], (unsigned)ctx->secret[0],
1671
                    (unsigned)ctx->secret[1], static_iv[0], static_iv[1]);
1672
    }
1673
#endif
1674
1675
0
    return 0;
1676
0
}
1677
1678
static int commission_handshake_secret(ptls_t *tls)
1679
0
{
1680
0
    int is_enc = !ptls_is_server(tls);
1681
1682
0
    assert(tls->pending_handshake_secret != NULL);
1683
0
    memcpy((is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec)->secret, tls->pending_handshake_secret,
1684
0
           PTLS_MAX_DIGEST_SIZE);
1685
0
    ptls_clear_memory(tls->pending_handshake_secret, PTLS_MAX_DIGEST_SIZE);
1686
0
    free(tls->pending_handshake_secret);
1687
0
    tls->pending_handshake_secret = NULL;
1688
1689
0
    return setup_traffic_protection(tls, is_enc, NULL, 2, 0, 1);
1690
0
}
1691
1692
static void log_client_random(ptls_t *tls)
1693
0
{
1694
#if PICOTLS_USE_DTRACE
1695
    char buf[sizeof(tls->client_random) * 2 + 1];
1696
#endif
1697
1698
0
    PTLS_PROBE(CLIENT_RANDOM, tls, ptls_hexdump(buf, tls->client_random, sizeof(tls->client_random)));
1699
0
    PTLS_LOG_CONN(client_random, tls, { PTLS_LOG_ELEMENT_HEXDUMP(bytes, tls->client_random, sizeof(tls->client_random)); });
1700
0
}
1701
1702
#define SESSION_IDENTIFIER_MAGIC "ptls0001" /* the number should be changed upon incompatible format change */
1703
#define SESSION_IDENTIFIER_MAGIC_SIZE (sizeof(SESSION_IDENTIFIER_MAGIC) - 1)
1704
1705
static int encode_session_identifier(ptls_context_t *ctx, ptls_buffer_t *buf, uint32_t ticket_age_add, ptls_iovec_t ticket_nonce,
1706
                                     ptls_key_schedule_t *sched, const char *server_name, uint16_t key_exchange_id, uint16_t csid,
1707
                                     const char *negotiated_protocol)
1708
0
{
1709
0
    int ret = 0;
1710
1711
0
    ptls_buffer_push_block(buf, 2, {
1712
        /* format id */
1713
0
        ptls_buffer_pushv(buf, SESSION_IDENTIFIER_MAGIC, SESSION_IDENTIFIER_MAGIC_SIZE);
1714
        /* date */
1715
0
        ptls_buffer_push64(buf, ctx->get_time->cb(ctx->get_time));
1716
        /* resumption master secret */
1717
0
        ptls_buffer_push_block(buf, 2, {
1718
0
            if ((ret = ptls_buffer_reserve(buf, sched->hashes[0].algo->digest_size)) != 0)
1719
0
                goto Exit;
1720
0
            if ((ret = derive_resumption_secret(sched, buf->base + buf->off, ticket_nonce)) != 0)
1721
0
                goto Exit;
1722
0
            buf->off += sched->hashes[0].algo->digest_size;
1723
0
        });
1724
        /* key-exchange */
1725
0
        ptls_buffer_push16(buf, key_exchange_id);
1726
        /* cipher-suite */
1727
0
        ptls_buffer_push16(buf, csid);
1728
        /* ticket_age_add */
1729
0
        ptls_buffer_push32(buf, ticket_age_add);
1730
        /* session ID context */
1731
0
        ptls_buffer_push_block(buf, 2, {
1732
0
            if (ctx->ticket_context.is_set) {
1733
0
                ptls_buffer_pushv(buf, ctx->ticket_context.bytes, sizeof(ctx->ticket_context.bytes));
1734
0
            } else if (server_name != NULL) {
1735
0
                ptls_buffer_pushv(buf, server_name, strlen(server_name));
1736
0
            }
1737
0
        });
1738
        /* alpn */
1739
0
        ptls_buffer_push_block(buf, 1, {
1740
0
            if (negotiated_protocol != NULL)
1741
0
                ptls_buffer_pushv(buf, negotiated_protocol, strlen(negotiated_protocol));
1742
0
        });
1743
0
    });
1744
1745
0
Exit:
1746
0
    return ret;
1747
0
}
1748
1749
int decode_session_identifier(uint64_t *issued_at, ptls_iovec_t *psk, uint32_t *ticket_age_add, ptls_iovec_t *ticket_ctx,
1750
                              uint16_t *key_exchange_id, uint16_t *csid, ptls_iovec_t *negotiated_protocol, const uint8_t *src,
1751
                              const uint8_t *const end)
1752
0
{
1753
0
    int ret = 0;
1754
1755
0
    ptls_decode_block(src, end, 2, {
1756
0
        if (end - src < SESSION_IDENTIFIER_MAGIC_SIZE ||
1757
0
            memcmp(src, SESSION_IDENTIFIER_MAGIC, SESSION_IDENTIFIER_MAGIC_SIZE) != 0) {
1758
0
            ret = PTLS_ALERT_DECODE_ERROR;
1759
0
            goto Exit;
1760
0
        }
1761
0
        src += SESSION_IDENTIFIER_MAGIC_SIZE;
1762
0
        if ((ret = ptls_decode64(issued_at, &src, end)) != 0)
1763
0
            goto Exit;
1764
0
        ptls_decode_open_block(src, end, 2, {
1765
0
            *psk = ptls_iovec_init(src, end - src);
1766
0
            src = end;
1767
0
        });
1768
0
        if ((ret = ptls_decode16(key_exchange_id, &src, end)) != 0)
1769
0
            goto Exit;
1770
0
        if ((ret = ptls_decode16(csid, &src, end)) != 0)
1771
0
            goto Exit;
1772
0
        if ((ret = ptls_decode32(ticket_age_add, &src, end)) != 0)
1773
0
            goto Exit;
1774
0
        ptls_decode_open_block(src, end, 2, {
1775
0
            *ticket_ctx = ptls_iovec_init(src, end - src);
1776
0
            src = end;
1777
0
        });
1778
0
        ptls_decode_open_block(src, end, 1, {
1779
0
            *negotiated_protocol = ptls_iovec_init(src, end - src);
1780
0
            src = end;
1781
0
        });
1782
0
    });
1783
1784
0
Exit:
1785
0
    return ret;
1786
0
}
1787
1788
static size_t build_certificate_verify_signdata(uint8_t *data, ptls_key_schedule_t *sched, const char *context_string)
1789
0
{
1790
0
    size_t datalen = 0;
1791
1792
0
    memset(data + datalen, 32, 64);
1793
0
    datalen += 64;
1794
0
    memcpy(data + datalen, context_string, strlen(context_string) + 1);
1795
0
    datalen += strlen(context_string) + 1;
1796
0
    sched->hashes[0].ctx->final(sched->hashes[0].ctx, data + datalen, PTLS_HASH_FINAL_MODE_SNAPSHOT);
1797
0
    datalen += sched->hashes[0].algo->digest_size;
1798
0
    assert(datalen <= PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE);
1799
1800
0
    return datalen;
1801
0
}
1802
1803
static int calc_verify_data(void *output, ptls_key_schedule_t *sched, const void *secret)
1804
0
{
1805
0
    ptls_hash_context_t *hmac;
1806
0
    uint8_t digest[PTLS_MAX_DIGEST_SIZE];
1807
0
    int ret;
1808
1809
0
    if ((ret = ptls_hkdf_expand_label(sched->hashes[0].algo, digest, sched->hashes[0].algo->digest_size,
1810
0
                                      ptls_iovec_init(secret, sched->hashes[0].algo->digest_size), "finished",
1811
0
                                      ptls_iovec_init(NULL, 0), NULL)) != 0)
1812
0
        return ret;
1813
0
    if ((hmac = ptls_hmac_create(sched->hashes[0].algo, digest, sched->hashes[0].algo->digest_size)) == NULL) {
1814
0
        ptls_clear_memory(digest, sizeof(digest));
1815
0
        return PTLS_ERROR_NO_MEMORY;
1816
0
    }
1817
1818
0
    sched->hashes[0].ctx->final(sched->hashes[0].ctx, digest, PTLS_HASH_FINAL_MODE_SNAPSHOT);
1819
0
    PTLS_DEBUGF("%s: %02x%02x,%02x%02x\n", __FUNCTION__, ((uint8_t *)secret)[0], ((uint8_t *)secret)[1], digest[0], digest[1]);
1820
0
    hmac->update(hmac, digest, sched->hashes[0].algo->digest_size);
1821
0
    ptls_clear_memory(digest, sizeof(digest));
1822
0
    hmac->final(hmac, output, PTLS_HASH_FINAL_MODE_FREE);
1823
1824
0
    return 0;
1825
0
}
1826
1827
static int verify_finished(ptls_t *tls, ptls_iovec_t message)
1828
0
{
1829
0
    uint8_t verify_data[PTLS_MAX_DIGEST_SIZE];
1830
0
    int ret;
1831
1832
0
    if (PTLS_HANDSHAKE_HEADER_SIZE + tls->key_schedule->hashes[0].algo->digest_size != message.len) {
1833
0
        ret = PTLS_ALERT_DECODE_ERROR;
1834
0
        goto Exit;
1835
0
    }
1836
1837
0
    if ((ret = calc_verify_data(verify_data, tls->key_schedule, tls->traffic_protection.dec.secret)) != 0)
1838
0
        goto Exit;
1839
0
    if (!ptls_mem_equal(message.base + PTLS_HANDSHAKE_HEADER_SIZE, verify_data, tls->key_schedule->hashes[0].algo->digest_size)) {
1840
0
        ret = PTLS_ALERT_HANDSHAKE_FAILURE;
1841
0
        goto Exit;
1842
0
    }
1843
1844
0
Exit:
1845
0
    ptls_clear_memory(verify_data, sizeof(verify_data));
1846
0
    return ret;
1847
0
}
1848
1849
static int send_finished(ptls_t *tls, ptls_message_emitter_t *emitter)
1850
0
{
1851
0
    int ret;
1852
1853
0
    ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_FINISHED, {
1854
0
        if ((ret = ptls_buffer_reserve(emitter->buf, tls->key_schedule->hashes[0].algo->digest_size)) != 0)
1855
0
            goto Exit;
1856
0
        if ((ret = calc_verify_data(emitter->buf->base + emitter->buf->off, tls->key_schedule,
1857
0
                                    tls->traffic_protection.enc.secret)) != 0)
1858
0
            goto Exit;
1859
0
        emitter->buf->off += tls->key_schedule->hashes[0].algo->digest_size;
1860
0
    });
1861
1862
0
Exit:
1863
0
    return ret;
1864
0
}
1865
1866
static int send_session_ticket(ptls_t *tls, ptls_message_emitter_t *emitter)
1867
0
{
1868
0
    ptls_hash_context_t *msghash_backup = tls->key_schedule->hashes[0].ctx->clone_(tls->key_schedule->hashes[0].ctx);
1869
0
    ptls_buffer_t session_id;
1870
0
    char session_id_smallbuf[128];
1871
0
    uint32_t ticket_age_add;
1872
0
    int ret = 0;
1873
1874
0
    assert(tls->ctx->ticket_lifetime != 0);
1875
0
    assert(tls->ctx->encrypt_ticket != NULL);
1876
1877
0
    ptls_buffer_init(&session_id, session_id_smallbuf, sizeof(session_id_smallbuf));
1878
1879
0
    { /* calculate verify-data that will be sent by the client */
1880
0
        size_t orig_off = emitter->buf->off;
1881
0
        if (tls->pending_handshake_secret != NULL && !tls->ctx->omit_end_of_early_data) {
1882
0
            assert(tls->state == PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA);
1883
0
            ptls_buffer_push_message_body(emitter->buf, tls->key_schedule, PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA, {});
1884
0
            emitter->buf->off = orig_off;
1885
0
        }
1886
0
        ptls_buffer_push_message_body(emitter->buf, tls->key_schedule, PTLS_HANDSHAKE_TYPE_FINISHED, {
1887
0
            if ((ret = ptls_buffer_reserve(emitter->buf, tls->key_schedule->hashes[0].algo->digest_size)) != 0)
1888
0
                goto Exit;
1889
0
            if ((ret = calc_verify_data(emitter->buf->base + emitter->buf->off, tls->key_schedule,
1890
0
                                        tls->pending_handshake_secret != NULL ? tls->pending_handshake_secret
1891
0
                                                                              : tls->traffic_protection.dec.secret)) != 0)
1892
0
                goto Exit;
1893
0
            emitter->buf->off += tls->key_schedule->hashes[0].algo->digest_size;
1894
0
        });
1895
0
        emitter->buf->off = orig_off;
1896
0
    }
1897
1898
0
    tls->ctx->random_bytes(&ticket_age_add, sizeof(ticket_age_add));
1899
1900
    /* build the raw nsk */
1901
0
    if (tls->key_share != NULL && (ret = encode_session_identifier(tls->ctx, &session_id, ticket_age_add, ptls_iovec_init(NULL, 0),
1902
0
                                                                   tls->key_schedule, tls->server_name, tls->key_share->id,
1903
0
                                                                   tls->cipher_suite->id, tls->negotiated_protocol)) != 0)
1904
0
        goto Exit;
1905
1906
    /* encrypt and send */
1907
0
    ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET, {
1908
0
        ptls_buffer_push32(emitter->buf, tls->ctx->ticket_lifetime);
1909
0
        ptls_buffer_push32(emitter->buf, ticket_age_add);
1910
0
        ptls_buffer_push_block(emitter->buf, 1, {});
1911
0
        ptls_buffer_push_block(emitter->buf, 2, {
1912
0
            if ((ret = tls->ctx->encrypt_ticket->cb(tls->ctx->encrypt_ticket, tls, 1, emitter->buf,
1913
0
                                                    ptls_iovec_init(session_id.base, session_id.off))) != 0)
1914
0
                goto Exit;
1915
0
        });
1916
0
        ptls_buffer_push_block(emitter->buf, 2, {
1917
0
            if (tls->ctx->max_early_data_size != 0)
1918
0
                buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_EARLY_DATA,
1919
0
                                      { ptls_buffer_push32(emitter->buf, tls->ctx->max_early_data_size); });
1920
0
        });
1921
0
    });
1922
1923
0
Exit:
1924
0
    ptls_buffer_dispose(&session_id);
1925
1926
    /* restore handshake state */
1927
0
    tls->key_schedule->hashes[0].ctx->final(tls->key_schedule->hashes[0].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE);
1928
0
    tls->key_schedule->hashes[0].ctx = msghash_backup;
1929
1930
0
    return ret;
1931
0
}
1932
1933
static int push_change_cipher_spec(ptls_t *tls, ptls_message_emitter_t *emitter)
1934
0
{
1935
0
    int ret;
1936
1937
    /* check if we are requested to (or still need to) */
1938
0
    if (!tls->send_change_cipher_spec) {
1939
0
        ret = 0;
1940
0
        goto Exit;
1941
0
    }
1942
1943
    /* CCS is a record, can only be sent when using a record-based protocol. */
1944
0
    if (emitter->begin_message != begin_record_message) {
1945
0
        ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
1946
0
        goto Exit;
1947
0
    }
1948
1949
    /* emit CCS */
1950
0
    buffer_push_record(emitter->buf, PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, { ptls_buffer_push(emitter->buf, 1); });
1951
1952
0
    tls->send_change_cipher_spec = 0;
1953
0
    ret = 0;
1954
0
Exit:
1955
0
    return ret;
1956
0
}
1957
1958
static int push_additional_extensions(ptls_handshake_properties_t *properties, ptls_buffer_t *sendbuf)
1959
0
{
1960
0
    int ret;
1961
1962
0
    if (properties != NULL && properties->additional_extensions != NULL) {
1963
0
        ptls_raw_extension_t *ext;
1964
0
        for (ext = properties->additional_extensions; ext->type != UINT16_MAX; ++ext) {
1965
0
            buffer_push_extension(sendbuf, ext->type, { ptls_buffer_pushv(sendbuf, ext->data.base, ext->data.len); });
1966
0
        }
1967
0
    }
1968
0
    ret = 0;
1969
0
Exit:
1970
0
    return ret;
1971
0
}
1972
1973
static int push_signature_algorithms(ptls_verify_certificate_t *vc, ptls_buffer_t *sendbuf)
1974
0
{
1975
    /* The list sent when verify callback is not registered */
1976
0
    static const uint16_t default_algos[] = {PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256, PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256,
1977
0
                                             PTLS_SIGNATURE_RSA_PKCS1_SHA256, PTLS_SIGNATURE_RSA_PKCS1_SHA1, UINT16_MAX};
1978
0
    int ret;
1979
1980
0
    ptls_buffer_push_block(sendbuf, 2, {
1981
0
        for (const uint16_t *p = vc != NULL ? vc->algos : default_algos; *p != UINT16_MAX; ++p)
1982
0
            ptls_buffer_push16(sendbuf, *p);
1983
0
    });
1984
1985
0
    ret = 0;
1986
0
Exit:
1987
0
    return ret;
1988
0
}
1989
1990
static int decode_signature_algorithms(struct st_ptls_signature_algorithms_t *sa, const uint8_t **src, const uint8_t *end)
1991
0
{
1992
0
    int ret;
1993
1994
0
    ptls_decode_block(*src, end, 2, {
1995
0
        do {
1996
0
            uint16_t id;
1997
0
            if ((ret = ptls_decode16(&id, src, end)) != 0)
1998
0
                goto Exit;
1999
0
            if (sa->count < PTLS_ELEMENTSOF(sa->list))
2000
0
                sa->list[sa->count++] = id;
2001
0
        } while (*src != end);
2002
0
    });
2003
2004
0
    ret = 0;
2005
0
Exit:
2006
0
    return ret;
2007
0
}
2008
2009
/**
2010
 * @param hash optional argument for restricting the underlying hash algorithm
2011
 */
2012
static int select_cipher(ptls_cipher_suite_t **selected, ptls_cipher_suite_t **candidates, const uint8_t *src,
2013
                         const uint8_t *const end, int server_preference, int server_chacha_priority, ptls_hash_algorithm_t *hash)
2014
0
{
2015
0
    size_t found_index = SIZE_MAX;
2016
0
    int ret;
2017
2018
0
    while (src != end) {
2019
0
        uint16_t id;
2020
0
        if ((ret = ptls_decode16(&id, &src, end)) != 0)
2021
0
            goto Exit;
2022
0
        for (size_t i = 0; candidates[i] != NULL; ++i) {
2023
0
            if (candidates[i]->id == id && (hash == NULL || candidates[i]->hash == hash)) {
2024
0
                if (server_preference && !(server_chacha_priority && id == PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256)) {
2025
                    /* preserve smallest matching index, and proceed to the next input */
2026
0
                    if (i < found_index) {
2027
0
                        found_index = i;
2028
0
                        break;
2029
0
                    }
2030
0
                } else {
2031
                    /* return the pointer matching to the first input that can be used */
2032
0
                    *selected = candidates[i];
2033
0
                    goto Exit;
2034
0
                }
2035
0
            }
2036
0
        }
2037
        /* first position of the server list matched (server_preference) */
2038
0
        if (found_index == 0)
2039
0
            break;
2040
        /* server preference is overridden only if the first entry of client-provided list is chachapoly */
2041
0
        server_chacha_priority = 0;
2042
0
    }
2043
0
    if (found_index != SIZE_MAX) {
2044
0
        *selected = candidates[found_index];
2045
0
        ret = 0;
2046
0
    } else {
2047
0
        ret = PTLS_ALERT_HANDSHAKE_FAILURE;
2048
0
    }
2049
2050
0
Exit:
2051
0
    return ret;
2052
0
}
2053
2054
static int push_key_share_entry(ptls_buffer_t *buf, uint16_t group, ptls_iovec_t pubkey)
2055
0
{
2056
0
    int ret;
2057
2058
0
    ptls_buffer_push16(buf, group);
2059
0
    ptls_buffer_push_block(buf, 2, { ptls_buffer_pushv(buf, pubkey.base, pubkey.len); });
2060
0
    ret = 0;
2061
0
Exit:
2062
0
    return ret;
2063
0
}
2064
2065
static int decode_key_share_entry(uint16_t *group, ptls_iovec_t *key_exchange, const uint8_t **src, const uint8_t *const end)
2066
0
{
2067
0
    int ret;
2068
2069
0
    if ((ret = ptls_decode16(group, src, end)) != 0)
2070
0
        goto Exit;
2071
0
    ptls_decode_open_block(*src, end, 2, {
2072
0
        *key_exchange = ptls_iovec_init(*src, end - *src);
2073
0
        *src = end;
2074
0
    });
2075
2076
0
Exit:
2077
0
    return ret;
2078
0
}
2079
2080
static int select_key_share(ptls_key_exchange_algorithm_t **selected, ptls_iovec_t *peer_key,
2081
                            ptls_key_exchange_algorithm_t **candidates, const uint8_t **src, const uint8_t *const end,
2082
                            int expect_one)
2083
0
{
2084
0
    int ret;
2085
2086
0
    *selected = NULL;
2087
2088
0
    if (expect_one && *src == end) {
2089
0
        ret = PTLS_ALERT_ILLEGAL_PARAMETER;
2090
0
        goto Exit;
2091
0
    }
2092
2093
0
    while (*src != end) {
2094
0
        uint16_t group;
2095
0
        ptls_iovec_t key;
2096
0
        if ((ret = decode_key_share_entry(&group, &key, src, end)) != 0)
2097
0
            goto Exit;
2098
0
        ptls_key_exchange_algorithm_t **c = candidates;
2099
0
        for (; *c != NULL; ++c) {
2100
0
            if (*selected == NULL && (*c)->id == group) {
2101
0
                *selected = *c;
2102
0
                *peer_key = key;
2103
0
            }
2104
0
        }
2105
0
        if (expect_one) {
2106
0
            ret = *selected != NULL ? 0 : PTLS_ALERT_ILLEGAL_PARAMETER;
2107
0
            goto Exit;
2108
0
        }
2109
0
    }
2110
2111
0
    ret = 0;
2112
2113
0
Exit:
2114
0
    return ret;
2115
0
}
2116
2117
static int emit_server_name_extension(ptls_buffer_t *buf, const char *server_name)
2118
0
{
2119
0
    int ret;
2120
2121
0
    ptls_buffer_push_block(buf, 2, {
2122
0
        ptls_buffer_push(buf, PTLS_SERVER_NAME_TYPE_HOSTNAME);
2123
0
        ptls_buffer_push_block(buf, 2, { ptls_buffer_pushv(buf, server_name, strlen(server_name)); });
2124
0
    });
2125
2126
0
    ret = 0;
2127
0
Exit:
2128
0
    return ret;
2129
0
}
2130
2131
/**
2132
 * Within the outer ECH extension, returns the number of bytes that preceeds the AEAD-encrypted payload.
2133
 */
2134
static inline size_t outer_ech_header_size(size_t enc_size)
2135
0
{
2136
0
    return 10 + enc_size;
2137
0
}
2138
2139
/**
2140
 * Flag to indicate which of ClientHelloInner, EncodedClientHelloInner, ClientHelloOuter is to be generated. When ECH is inactive,
2141
 * only ClientHelloInner is used.
2142
 */
2143
enum encode_ch_mode { ENCODE_CH_MODE_INNER, ENCODE_CH_MODE_ENCODED_INNER, ENCODE_CH_MODE_OUTER };
2144
2145
static int encode_client_hello(ptls_context_t *ctx, ptls_buffer_t *sendbuf, enum encode_ch_mode mode, int is_second_flight,
2146
                               ptls_handshake_properties_t *properties, const void *client_random,
2147
                               ptls_key_exchange_context_t *key_share_ctx, const char *sni_name, ptls_iovec_t legacy_session_id,
2148
                               struct st_ptls_ech_t *ech, size_t *ech_size_offset, ptls_iovec_t ech_replay, ptls_iovec_t psk_secret,
2149
                               ptls_iovec_t psk_identity, uint32_t obfuscated_ticket_age, size_t psk_binder_size,
2150
                               ptls_iovec_t *cookie, int using_early_data)
2151
0
{
2152
0
    int ret;
2153
2154
0
    assert(mode == ENCODE_CH_MODE_INNER || ech != NULL);
2155
2156
0
    ptls_buffer_push_message_body(sendbuf, NULL, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, {
2157
        /* legacy_version */
2158
0
        ptls_buffer_push16(sendbuf, 0x0303);
2159
        /* random_bytes */
2160
0
        ptls_buffer_pushv(sendbuf, client_random, PTLS_HELLO_RANDOM_SIZE);
2161
        /* lecagy_session_id */
2162
0
        ptls_buffer_push_block(sendbuf, 1, {
2163
0
            if (mode != ENCODE_CH_MODE_ENCODED_INNER)
2164
0
                ptls_buffer_pushv(sendbuf, legacy_session_id.base, legacy_session_id.len);
2165
0
        });
2166
        /* cipher_suites */
2167
0
        ptls_buffer_push_block(sendbuf, 2, {
2168
0
            ptls_cipher_suite_t **cs = ctx->cipher_suites;
2169
0
            for (; *cs != NULL; ++cs)
2170
0
                ptls_buffer_push16(sendbuf, (*cs)->id);
2171
0
        });
2172
        /* legacy_compression_methods */
2173
0
        ptls_buffer_push_block(sendbuf, 1, { ptls_buffer_push(sendbuf, 0); });
2174
        /* extensions */
2175
0
        ptls_buffer_push_block(sendbuf, 2, {
2176
0
            if (mode == ENCODE_CH_MODE_OUTER) {
2177
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, {
2178
0
                    size_t ext_payload_from = sendbuf->off;
2179
0
                    ptls_buffer_push(sendbuf, PTLS_ECH_CLIENT_HELLO_TYPE_OUTER);
2180
0
                    ptls_buffer_push16(sendbuf, ech->cipher->id.kdf);
2181
0
                    ptls_buffer_push16(sendbuf, ech->cipher->id.aead);
2182
0
                    ptls_buffer_push(sendbuf, ech->config_id);
2183
0
                    ptls_buffer_push_block(sendbuf, 2, {
2184
0
                        if (!is_second_flight)
2185
0
                            ptls_buffer_pushv(sendbuf, ech->client.enc.base, ech->client.enc.len);
2186
0
                    });
2187
0
                    ptls_buffer_push_block(sendbuf, 2, {
2188
0
                        assert(sendbuf->off - ext_payload_from ==
2189
0
                               outer_ech_header_size(is_second_flight ? 0 : ech->client.enc.len));
2190
0
                        if ((ret = ptls_buffer_reserve(sendbuf, *ech_size_offset)) != 0)
2191
0
                            goto Exit;
2192
0
                        memset(sendbuf->base + sendbuf->off, 0, *ech_size_offset);
2193
0
                        sendbuf->off += *ech_size_offset;
2194
0
                        *ech_size_offset = sendbuf->off - *ech_size_offset;
2195
0
                    });
2196
0
                });
2197
0
            } else if (ech->aead != NULL) {
2198
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO,
2199
0
                                      { ptls_buffer_push(sendbuf, PTLS_ECH_CLIENT_HELLO_TYPE_INNER); });
2200
0
            } else if (ech_replay.base != NULL) {
2201
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO,
2202
0
                                      { ptls_buffer_pushv(sendbuf, ech_replay.base, ech_replay.len); });
2203
0
            }
2204
0
            if (mode == ENCODE_CH_MODE_ENCODED_INNER) {
2205
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ECH_OUTER_EXTENSIONS, {
2206
0
                    ptls_buffer_push_block(sendbuf, 1, { ptls_buffer_push16(sendbuf, PTLS_EXTENSION_TYPE_KEY_SHARE); });
2207
0
                });
2208
0
            } else {
2209
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_KEY_SHARE, {
2210
0
                    ptls_buffer_push_block(sendbuf, 2, {
2211
0
                        if (key_share_ctx != NULL &&
2212
0
                            (ret = push_key_share_entry(sendbuf, key_share_ctx->algo->id, key_share_ctx->pubkey)) != 0)
2213
0
                            goto Exit;
2214
0
                    });
2215
0
                });
2216
0
            }
2217
0
            if (sni_name != NULL) {
2218
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_NAME, {
2219
0
                    if ((ret = emit_server_name_extension(sendbuf, sni_name)) != 0)
2220
0
                        goto Exit;
2221
0
                });
2222
0
            }
2223
0
            if (properties != NULL && properties->client.negotiated_protocols.count != 0) {
2224
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ALPN, {
2225
0
                    ptls_buffer_push_block(sendbuf, 2, {
2226
0
                        size_t i;
2227
0
                        for (i = 0; i != properties->client.negotiated_protocols.count; ++i) {
2228
0
                            ptls_buffer_push_block(sendbuf, 1, {
2229
0
                                ptls_iovec_t p = properties->client.negotiated_protocols.list[i];
2230
0
                                ptls_buffer_pushv(sendbuf, p.base, p.len);
2231
0
                            });
2232
0
                        }
2233
0
                    });
2234
0
                });
2235
0
            }
2236
0
            if (ctx->decompress_certificate != NULL) {
2237
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_COMPRESS_CERTIFICATE, {
2238
0
                    ptls_buffer_push_block(sendbuf, 1, {
2239
0
                        const uint16_t *algo = ctx->decompress_certificate->supported_algorithms;
2240
0
                        assert(*algo != UINT16_MAX);
2241
0
                        for (; *algo != UINT16_MAX; ++algo)
2242
0
                            ptls_buffer_push16(sendbuf, *algo);
2243
0
                    });
2244
0
                });
2245
0
            }
2246
0
            buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS, {
2247
0
                ptls_buffer_push_block(sendbuf, 1, {
2248
0
                    size_t i;
2249
0
                    for (i = 0; i != PTLS_ELEMENTSOF(supported_versions); ++i)
2250
0
                        ptls_buffer_push16(sendbuf, supported_versions[i]);
2251
0
                });
2252
0
            });
2253
0
            buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS, {
2254
0
                if ((ret = push_signature_algorithms(ctx->verify_certificate, sendbuf)) != 0)
2255
0
                    goto Exit;
2256
0
            });
2257
0
            if (ctx->key_exchanges != NULL) {
2258
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SUPPORTED_GROUPS, {
2259
0
                    ptls_key_exchange_algorithm_t **algo = ctx->key_exchanges;
2260
0
                    ptls_buffer_push_block(sendbuf, 2, {
2261
0
                        for (; *algo != NULL; ++algo)
2262
0
                            ptls_buffer_push16(sendbuf, (*algo)->id);
2263
0
                    });
2264
0
                });
2265
0
            }
2266
0
            if (cookie != NULL && cookie->base != NULL) {
2267
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_COOKIE, {
2268
0
                    ptls_buffer_push_block(sendbuf, 2, { ptls_buffer_pushv(sendbuf, cookie->base, cookie->len); });
2269
0
                });
2270
0
            }
2271
0
            if (ctx->use_raw_public_keys) {
2272
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE, {
2273
0
                    ptls_buffer_push_block(sendbuf, 1, { ptls_buffer_push(sendbuf, PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY); });
2274
0
                });
2275
0
            }
2276
0
            if (ctx->save_ticket != NULL &&
2277
0
                (ctx->ticket_requests.client.new_session_count != 0 || ctx->ticket_requests.client.resumption_count != 0)) {
2278
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_TICKET_REQUEST, {
2279
0
                    ptls_buffer_push(sendbuf, ctx->ticket_requests.client.new_session_count,
2280
0
                                     ctx->ticket_requests.client.resumption_count);
2281
0
                });
2282
0
            }
2283
0
            if ((ret = push_additional_extensions(properties, sendbuf)) != 0)
2284
0
                goto Exit;
2285
0
            if (ctx->save_ticket != NULL || psk_secret.base != NULL) {
2286
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_PSK_KEY_EXCHANGE_MODES, {
2287
0
                    ptls_buffer_push_block(sendbuf, 1, {
2288
0
                        if (!ctx->require_dhe_on_psk)
2289
0
                            ptls_buffer_push(sendbuf, PTLS_PSK_KE_MODE_PSK);
2290
0
                        ptls_buffer_push(sendbuf, PTLS_PSK_KE_MODE_PSK_DHE);
2291
0
                    });
2292
0
                });
2293
0
            }
2294
0
            if (psk_secret.base != NULL) {
2295
0
                if (using_early_data && !is_second_flight)
2296
0
                    buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_EARLY_DATA, {});
2297
                /* pre-shared key "MUST be the last extension in the ClientHello" (draft-17 section 4.2.6) */
2298
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_PRE_SHARED_KEY, {
2299
0
                    ptls_buffer_push_block(sendbuf, 2, {
2300
0
                        ptls_buffer_push_block(sendbuf, 2, {
2301
0
                            if (mode == ENCODE_CH_MODE_OUTER) {
2302
0
                                if ((ret = ptls_buffer_reserve(sendbuf, psk_identity.len)) != 0)
2303
0
                                    goto Exit;
2304
0
                                ctx->random_bytes(sendbuf->base + sendbuf->off, psk_identity.len);
2305
0
                                sendbuf->off += psk_identity.len;
2306
0
                            } else {
2307
0
                                ptls_buffer_pushv(sendbuf, psk_identity.base, psk_identity.len);
2308
0
                            }
2309
0
                        });
2310
0
                        uint32_t age;
2311
0
                        if (mode == ENCODE_CH_MODE_OUTER) {
2312
0
                            ctx->random_bytes(&age, sizeof(age));
2313
0
                        } else {
2314
0
                            age = obfuscated_ticket_age;
2315
0
                        }
2316
0
                        ptls_buffer_push32(sendbuf, age);
2317
0
                    });
2318
                    /* allocate space for PSK binder. The space is filled initially filled by a random value (meeting the
2319
                     * requirement of ClientHelloOuter), and later gets filled with the correct binder value if necessary. */
2320
0
                    ptls_buffer_push_block(sendbuf, 2, {
2321
0
                        ptls_buffer_push_block(sendbuf, 1, {
2322
0
                            if ((ret = ptls_buffer_reserve(sendbuf, psk_binder_size)) != 0)
2323
0
                                goto Exit;
2324
0
                            ctx->random_bytes(sendbuf->base + sendbuf->off, psk_binder_size);
2325
0
                            sendbuf->off += psk_binder_size;
2326
0
                        });
2327
0
                    });
2328
0
                });
2329
0
            }
2330
0
        });
2331
0
    });
2332
2333
0
Exit:
2334
0
    return ret;
2335
0
}
2336
2337
static int send_client_hello(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_handshake_properties_t *properties,
2338
                             ptls_iovec_t *cookie)
2339
0
{
2340
0
    struct {
2341
0
        ptls_iovec_t secret;
2342
0
        ptls_iovec_t identity;
2343
0
        const char *label;
2344
0
    } psk = {{NULL}};
2345
0
    uint32_t obfuscated_ticket_age = 0;
2346
0
    const char *sni_name = NULL;
2347
0
    size_t mess_start, msghash_off;
2348
0
    uint8_t binder_key[PTLS_MAX_DIGEST_SIZE];
2349
0
    ptls_buffer_t encoded_ch_inner;
2350
0
    int ret, is_second_flight = tls->key_schedule != NULL;
2351
2352
0
    ptls_buffer_init(&encoded_ch_inner, "", 0);
2353
2354
0
    if (tls->server_name != NULL && !ptls_server_name_is_ipaddr(tls->server_name))
2355
0
        sni_name = tls->server_name;
2356
2357
    /* try to use ECH (ignore broken ECHConfigList; it is delivered insecurely) */
2358
0
    if (properties != NULL) {
2359
0
        if (!is_second_flight && sni_name != NULL && tls->ctx->ech.client.ciphers != NULL) {
2360
0
            if (properties->client.ech.configs.len != 0) {
2361
0
                struct st_decoded_ech_config_t decoded;
2362
0
                client_decode_ech_config_list(tls->ctx, &decoded, properties->client.ech.configs);
2363
0
                if (decoded.kem != NULL && decoded.cipher != NULL) {
2364
0
                    if ((ret = client_setup_ech(&tls->ech, &decoded, tls->ctx->random_bytes)) != 0)
2365
0
                        goto Exit;
2366
0
                }
2367
0
            } else {
2368
                /* zero-length config indicates ECH greasing */
2369
0
                client_setup_ech_grease(&tls->ech, tls->ctx->random_bytes, tls->ctx->ech.client.kems, tls->ctx->ech.client.ciphers,
2370
0
                                        sni_name);
2371
0
            }
2372
0
        }
2373
0
    }
2374
2375
    /* use external PSK if provided */
2376
0
    if (tls->ctx->pre_shared_key.identity.base != NULL) {
2377
0
        if (!is_second_flight) {
2378
0
            tls->client.offered_psk = 1;
2379
0
            for (size_t i = 0; tls->ctx->cipher_suites[i] != NULL; ++i) {
2380
0
                if (tls->ctx->cipher_suites[i]->hash == tls->ctx->pre_shared_key.hash) {
2381
0
                    tls->cipher_suite = tls->ctx->cipher_suites[i];
2382
0
                    break;
2383
0
                }
2384
0
            }
2385
0
            assert(tls->cipher_suite != NULL && "no compatible cipher-suite provided that matches psk.hash");
2386
0
            if (properties != NULL && properties->client.max_early_data_size != NULL) {
2387
0
                tls->client.using_early_data = 1;
2388
0
                *properties->client.max_early_data_size = SIZE_MAX;
2389
0
            }
2390
0
        } else {
2391
0
            assert(tls->cipher_suite != NULL && tls->cipher_suite->hash == tls->ctx->pre_shared_key.hash);
2392
0
        }
2393
0
        psk.secret = tls->ctx->pre_shared_key.secret;
2394
0
        psk.identity = tls->ctx->pre_shared_key.identity;
2395
0
        psk.label = "ext binder";
2396
0
    }
2397
2398
    /* try to setup resumption-related data, unless external PSK is used */
2399
0
    if (psk.secret.base == NULL && properties != NULL && properties->client.session_ticket.base != NULL &&
2400
0
        tls->ctx->key_exchanges != NULL) {
2401
0
        ptls_key_exchange_algorithm_t *key_share = NULL;
2402
0
        ptls_cipher_suite_t *cipher_suite = NULL;
2403
0
        uint32_t max_early_data_size;
2404
0
        if (decode_stored_session_ticket(tls, &key_share, &cipher_suite, &psk.secret, &obfuscated_ticket_age, &psk.identity,
2405
0
                                         &max_early_data_size, properties->client.session_ticket.base,
2406
0
                                         properties->client.session_ticket.base + properties->client.session_ticket.len) == 0) {
2407
0
            psk.label = "res binder";
2408
0
            tls->client.offered_psk = 1;
2409
            /* key-share selected by HRR should not be overridden */
2410
0
            if (tls->key_share == NULL)
2411
0
                tls->key_share = key_share;
2412
0
            tls->cipher_suite = cipher_suite;
2413
0
            if (!is_second_flight && max_early_data_size != 0 && properties->client.max_early_data_size != NULL) {
2414
0
                tls->client.using_early_data = 1;
2415
0
                *properties->client.max_early_data_size = max_early_data_size;
2416
0
            }
2417
0
        } else {
2418
0
            psk.secret = ptls_iovec_init(NULL, 0);
2419
0
        }
2420
0
    }
2421
2422
    /* send 0-RTT related signals back to the client */
2423
0
    if (properties != NULL) {
2424
0
        if (tls->client.using_early_data) {
2425
0
            properties->client.early_data_acceptance = PTLS_EARLY_DATA_ACCEPTANCE_UNKNOWN;
2426
0
        } else {
2427
0
            if (properties->client.max_early_data_size != NULL)
2428
0
                *properties->client.max_early_data_size = 0;
2429
0
            properties->client.early_data_acceptance = PTLS_EARLY_DATA_REJECTED;
2430
0
        }
2431
0
    }
2432
2433
    /* use the default key share if still not undetermined */
2434
0
    if (tls->key_share == NULL && tls->ctx->key_exchanges != NULL &&
2435
0
        !(properties != NULL && properties->client.negotiate_before_key_exchange))
2436
0
        tls->key_share = tls->ctx->key_exchanges[0];
2437
2438
    /* instantiate key share context */
2439
0
    assert(tls->client.key_share_ctx == NULL);
2440
0
    if (tls->key_share != NULL) {
2441
0
        if ((ret = tls->key_share->create(tls->key_share, &tls->client.key_share_ctx)) != 0)
2442
0
            goto Exit;
2443
0
    }
2444
2445
    /* initialize key schedule */
2446
0
    if (!is_second_flight) {
2447
0
        if ((tls->key_schedule = key_schedule_new(tls->cipher_suite, tls->ctx->cipher_suites, tls->ech.aead != NULL)) == NULL) {
2448
0
            ret = PTLS_ERROR_NO_MEMORY;
2449
0
            goto Exit;
2450
0
        }
2451
0
        if ((ret = key_schedule_extract(tls->key_schedule, psk.secret)) != 0)
2452
0
            goto Exit;
2453
0
    }
2454
2455
    /* start generating CH */
2456
0
    if ((ret = emitter->begin_message(emitter)) != 0)
2457
0
        goto Exit;
2458
0
    mess_start = msghash_off = emitter->buf->off;
2459
2460
    /* generate true (inner) CH */
2461
0
    if ((ret = encode_client_hello(tls->ctx, emitter->buf, ENCODE_CH_MODE_INNER, is_second_flight, properties,
2462
0
                                   tls->ech.aead != NULL ? tls->ech.inner_client_random : tls->client_random,
2463
0
                                   tls->client.key_share_ctx, sni_name, tls->client.legacy_session_id, &tls->ech, NULL,
2464
0
                                   tls->ech.client.first_ech, psk.secret, psk.identity, obfuscated_ticket_age,
2465
0
                                   tls->key_schedule->hashes[0].algo->digest_size, cookie, tls->client.using_early_data)) != 0)
2466
0
        goto Exit;
2467
2468
    /* update the message hash, filling in the PSK binder HMAC if necessary */
2469
0
    if (psk.secret.base != NULL) {
2470
0
        size_t psk_binder_off = emitter->buf->off - (3 + tls->key_schedule->hashes[0].algo->digest_size);
2471
0
        if ((ret = derive_secret_with_empty_digest(tls->key_schedule, binder_key, psk.label)) != 0)
2472
0
            goto Exit;
2473
0
        ptls__key_schedule_update_hash(tls->key_schedule, emitter->buf->base + msghash_off, psk_binder_off - msghash_off, 0);
2474
0
        msghash_off = psk_binder_off;
2475
0
        if ((ret = calc_verify_data(emitter->buf->base + psk_binder_off + 3, tls->key_schedule, binder_key)) != 0)
2476
0
            goto Exit;
2477
0
    }
2478
0
    ptls__key_schedule_update_hash(tls->key_schedule, emitter->buf->base + msghash_off, emitter->buf->off - msghash_off, 0);
2479
2480
    /* ECH */
2481
0
    if (tls->ech.aead != NULL) {
2482
        /* build EncodedCHInner */
2483
0
        if ((ret = encode_client_hello(tls->ctx, &encoded_ch_inner, ENCODE_CH_MODE_ENCODED_INNER, is_second_flight, properties,
2484
0
                                       tls->ech.inner_client_random, tls->client.key_share_ctx, sni_name,
2485
0
                                       tls->client.legacy_session_id, &tls->ech, NULL, ptls_iovec_init(NULL, 0), psk.secret,
2486
0
                                       psk.identity, obfuscated_ticket_age, tls->key_schedule->hashes[0].algo->digest_size, cookie,
2487
0
                                       tls->client.using_early_data)) != 0)
2488
0
            goto Exit;
2489
0
        if (psk.secret.base != NULL)
2490
0
            memcpy(encoded_ch_inner.base + encoded_ch_inner.off - tls->key_schedule->hashes[0].algo->digest_size,
2491
0
                   emitter->buf->base + emitter->buf->off - tls->key_schedule->hashes[0].algo->digest_size,
2492
0
                   tls->key_schedule->hashes[0].algo->digest_size);
2493
0
        { /* pad EncodedCHInner (following draft-ietf-tls-esni-15 6.1.3) */
2494
0
            size_t padding_len;
2495
0
            if (sni_name != NULL) {
2496
0
                padding_len = strlen(sni_name);
2497
0
                if (padding_len < tls->ech.client.max_name_length)
2498
0
                    padding_len = tls->ech.client.max_name_length;
2499
0
            } else {
2500
0
                padding_len = tls->ech.client.max_name_length + 9;
2501
0
            }
2502
0
            size_t final_len = encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE + padding_len;
2503
0
            final_len = (final_len + 31) / 32 * 32;
2504
0
            padding_len = final_len - (encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE);
2505
0
            if (padding_len != 0) {
2506
0
                if ((ret = ptls_buffer_reserve(&encoded_ch_inner, padding_len)) != 0)
2507
0
                    goto Exit;
2508
0
                memset(encoded_ch_inner.base + encoded_ch_inner.off, 0, padding_len);
2509
0
                encoded_ch_inner.off += padding_len;
2510
0
            }
2511
0
        }
2512
        /* flush CHInner, build CHOuterAAD */
2513
0
        emitter->buf->off = mess_start;
2514
0
        size_t ech_payload_size = encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE + tls->ech.aead->algo->tag_size,
2515
0
               ech_size_offset = ech_payload_size;
2516
0
        if ((ret = encode_client_hello(tls->ctx, emitter->buf, ENCODE_CH_MODE_OUTER, is_second_flight, properties,
2517
0
                                       tls->client_random, tls->client.key_share_ctx, tls->ech.client.public_name,
2518
0
                                       tls->client.legacy_session_id, &tls->ech, &ech_size_offset, ptls_iovec_init(NULL, 0),
2519
0
                                       psk.secret, psk.identity, obfuscated_ticket_age,
2520
0
                                       tls->key_schedule->hashes[0].algo->digest_size, cookie, tls->client.using_early_data)) != 0)
2521
0
            goto Exit;
2522
        /* overwrite ECH payload */
2523
0
        ptls_aead_encrypt(tls->ech.aead, emitter->buf->base + ech_size_offset, encoded_ch_inner.base + PTLS_HANDSHAKE_HEADER_SIZE,
2524
0
                          encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE, is_second_flight,
2525
0
                          emitter->buf->base + mess_start + PTLS_HANDSHAKE_HEADER_SIZE,
2526
0
                          emitter->buf->off - (mess_start + PTLS_HANDSHAKE_HEADER_SIZE));
2527
        /* keep the copy of the 1st ECH extension so that we can send it again in 2nd CH in response to rejection with HRR */
2528
0
        if (!is_second_flight) {
2529
0
            size_t len = outer_ech_header_size(tls->ech.client.enc.len) + ech_payload_size;
2530
0
            if ((tls->ech.client.first_ech.base = malloc(len)) == NULL) {
2531
0
                ret = PTLS_ERROR_NO_MEMORY;
2532
0
                goto Exit;
2533
0
            }
2534
0
            memcpy(tls->ech.client.first_ech.base,
2535
0
                   emitter->buf->base + ech_size_offset - outer_ech_header_size(tls->ech.client.enc.len), len);
2536
0
            tls->ech.client.first_ech.len = len;
2537
0
            if (properties->client.ech.configs.len != 0) {
2538
0
                tls->ech.offered = 1;
2539
0
            } else {
2540
0
                tls->ech.offered_grease = 1;
2541
0
            }
2542
0
        }
2543
        /* update hash */
2544
0
        ptls__key_schedule_update_hash(tls->key_schedule, emitter->buf->base + mess_start, emitter->buf->off - mess_start, 1);
2545
0
    }
2546
2547
    /* commit CH to the record layer */
2548
0
    if ((ret = emitter->commit_message(emitter)) != 0)
2549
0
        goto Exit;
2550
2551
0
    if (tls->client.using_early_data) {
2552
0
        assert(!is_second_flight);
2553
0
        if ((ret = setup_traffic_protection(tls, 1, "c e traffic", 1, 0, 0)) != 0)
2554
0
            goto Exit;
2555
0
        if ((ret = push_change_cipher_spec(tls, emitter)) != 0)
2556
0
            goto Exit;
2557
0
    }
2558
0
    if (psk.secret.base != NULL && !is_second_flight) {
2559
0
        if ((ret = derive_exporter_secret(tls, 1)) != 0)
2560
0
            goto Exit;
2561
0
    }
2562
0
    tls->state = cookie == NULL ? PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO : PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO;
2563
0
    ret = PTLS_ERROR_IN_PROGRESS;
2564
2565
0
Exit:
2566
0
    ptls_buffer_dispose(&encoded_ch_inner);
2567
0
    ptls_clear_memory(binder_key, sizeof(binder_key));
2568
0
    return ret;
2569
0
}
2570
2571
ptls_cipher_suite_t *ptls_find_cipher_suite(ptls_cipher_suite_t **cipher_suites, uint16_t id)
2572
0
{
2573
0
    ptls_cipher_suite_t **cs;
2574
0
    if (cipher_suites == NULL)
2575
0
        return NULL;
2576
0
    for (cs = cipher_suites; *cs != NULL && (*cs)->id != id; ++cs)
2577
0
        ;
2578
0
    return *cs;
2579
0
}
2580
2581
static int decode_server_hello(ptls_t *tls, struct st_ptls_server_hello_t *sh, const uint8_t *src, const uint8_t *const end)
2582
0
{
2583
0
    int ret;
2584
2585
0
    *sh = (struct st_ptls_server_hello_t){{0}};
2586
2587
    /* ignore legacy-version */
2588
0
    if (end - src < 2) {
2589
0
        ret = PTLS_ALERT_DECODE_ERROR;
2590
0
        goto Exit;
2591
0
    }
2592
0
    src += 2;
2593
2594
    /* random */
2595
0
    if (end - src < PTLS_HELLO_RANDOM_SIZE) {
2596
0
        ret = PTLS_ALERT_DECODE_ERROR;
2597
0
        goto Exit;
2598
0
    }
2599
0
    sh->is_retry_request = memcmp(src, hello_retry_random, PTLS_HELLO_RANDOM_SIZE) == 0;
2600
0
    src += PTLS_HELLO_RANDOM_SIZE;
2601
2602
    /* legacy_session_id */
2603
0
    ptls_decode_open_block(src, end, 1, {
2604
0
        if (end - src > 32) {
2605
0
            ret = PTLS_ALERT_DECODE_ERROR;
2606
0
            goto Exit;
2607
0
        }
2608
0
        sh->legacy_session_id = ptls_iovec_init(src, end - src);
2609
0
        src = end;
2610
0
    });
2611
2612
0
    { /* select cipher_suite */
2613
0
        uint16_t csid;
2614
0
        if ((ret = ptls_decode16(&csid, &src, end)) != 0)
2615
0
            goto Exit;
2616
0
        if ((tls->cipher_suite = ptls_find_cipher_suite(tls->ctx->cipher_suites, csid)) == NULL) {
2617
0
            ret = PTLS_ALERT_ILLEGAL_PARAMETER;
2618
0
            goto Exit;
2619
0
        }
2620
0
    }
2621
2622
0
    { /* legacy_compression_method */
2623
0
        uint8_t method;
2624
0
        if ((ret = ptls_decode8(&method, &src, end)) != 0)
2625
0
            goto Exit;
2626
0
        if (method != 0) {
2627
0
            ret = PTLS_ALERT_ILLEGAL_PARAMETER;
2628
0
            goto Exit;
2629
0
        }
2630
0
    }
2631
2632
0
    if (sh->is_retry_request)
2633
0
        sh->retry_request.selected_group = UINT16_MAX;
2634
2635
0
    uint16_t exttype, found_version = UINT16_MAX, selected_psk_identity = UINT16_MAX;
2636
0
    decode_extensions(src, end, sh->is_retry_request ? PTLS_HANDSHAKE_TYPE_PSEUDO_HRR : PTLS_HANDSHAKE_TYPE_SERVER_HELLO, &exttype,
2637
0
                      {
2638
0
                          if (tls->ctx->on_extension != NULL &&
2639
0
                              (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_SERVER_HELLO,
2640
0
                                                                exttype, ptls_iovec_init(src, end - src)) != 0))
2641
0
                              goto Exit;
2642
0
                          switch (exttype) {
2643
0
                          case PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS:
2644
0
                              if ((ret = ptls_decode16(&found_version, &src, end)) != 0)
2645
0
                                  goto Exit;
2646
0
                              break;
2647
0
                          case PTLS_EXTENSION_TYPE_KEY_SHARE:
2648
0
                              if (tls->ctx->key_exchanges == NULL) {
2649
0
                                  ret = PTLS_ALERT_HANDSHAKE_FAILURE;
2650
0
                                  goto Exit;
2651
0
                              }
2652
0
                              if (sh->is_retry_request) {
2653
0
                                  if ((ret = ptls_decode16(&sh->retry_request.selected_group, &src, end)) != 0)
2654
0
                                      goto Exit;
2655
0
                              } else {
2656
0
                                  uint16_t group;
2657
0
                                  if ((ret = decode_key_share_entry(&group, &sh->peerkey, &src, end)) != 0)
2658
0
                                      goto Exit;
2659
0
                                  if (src != end) {
2660
0
                                      ret = PTLS_ALERT_DECODE_ERROR;
2661
0
                                      goto Exit;
2662
0
                                  }
2663
0
                                  if (tls->key_share == NULL || tls->key_share->id != group) {
2664
0
                                      ret = PTLS_ALERT_ILLEGAL_PARAMETER;
2665
0
                                      goto Exit;
2666
0
                                  }
2667
0
                              }
2668
0
                              break;
2669
0
                          case PTLS_EXTENSION_TYPE_COOKIE:
2670
0
                              assert(sh->is_retry_request);
2671
0
                              ptls_decode_block(src, end, 2, {
2672
0
                                  if (src == end) {
2673
0
                                      ret = PTLS_ALERT_DECODE_ERROR;
2674
0
                                      goto Exit;
2675
0
                                  }
2676
0
                                  sh->retry_request.cookie = ptls_iovec_init(src, end - src);
2677
0
                                  src = end;
2678
0
                              });
2679
0
                              break;
2680
0
                          case PTLS_EXTENSION_TYPE_PRE_SHARED_KEY:
2681
0
                              assert(!sh->is_retry_request);
2682
0
                              if ((ret = ptls_decode16(&selected_psk_identity, &src, end)) != 0)
2683
0
                                  goto Exit;
2684
0
                              break;
2685
0
                          case PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO:
2686
0
                              assert(sh->is_retry_request);
2687
0
                              if (!(tls->ech.offered || tls->ech.offered_grease)) {
2688
0
                                  ret = PTLS_ALERT_UNSUPPORTED_EXTENSION;
2689
0
                                  goto Exit;
2690
0
                              }
2691
0
                              if (end - src != PTLS_ECH_CONFIRM_LENGTH) {
2692
0
                                  ret = PTLS_ALERT_DECODE_ERROR;
2693
0
                                  goto Exit;
2694
0
                              }
2695
0
                              sh->retry_request.ech = src;
2696
0
                              src = end;
2697
0
                              break;
2698
0
                          default:
2699
0
                              src = end;
2700
0
                              break;
2701
0
                          }
2702
0
                      });
2703
2704
0
    if (!is_supported_version(found_version)) {
2705
0
        ret = PTLS_ALERT_ILLEGAL_PARAMETER;
2706
0
        goto Exit;
2707
0
    }
2708
0
    if (!sh->is_retry_request) {
2709
0
        if (selected_psk_identity != UINT16_MAX) {
2710
0
            if (!tls->client.offered_psk) {
2711
0
                ret = PTLS_ALERT_ILLEGAL_PARAMETER;
2712
0
                goto Exit;
2713
0
            }
2714
0
            if (selected_psk_identity != 0) {
2715
0
                ret = PTLS_ALERT_ILLEGAL_PARAMETER;
2716
0
                goto Exit;
2717
0
            }
2718
0
            tls->is_psk_handshake = 1;
2719
0
        }
2720
0
        if (sh->peerkey.base == NULL && !tls->is_psk_handshake) {
2721
0
            ret = PTLS_ALERT_ILLEGAL_PARAMETER;
2722
0
            goto Exit;
2723
0
        }
2724
0
    }
2725
2726
0
    ret = 0;
2727
0
Exit:
2728
0
    return ret;
2729
0
}
2730
2731
static int handle_hello_retry_request(ptls_t *tls, ptls_message_emitter_t *emitter, struct st_ptls_server_hello_t *sh,
2732
                                      ptls_iovec_t message, ptls_handshake_properties_t *properties)
2733
0
{
2734
0
    int ret;
2735
2736
0
    if (tls->client.key_share_ctx != NULL) {
2737
0
        tls->client.key_share_ctx->on_exchange(&tls->client.key_share_ctx, 1, NULL, ptls_iovec_init(NULL, 0));
2738
0
        tls->client.key_share_ctx = NULL;
2739
0
    }
2740
0
    if (tls->client.using_early_data) {
2741
        /* release traffic encryption key so that 2nd CH goes out in cleartext, but keep the epoch at 1 since we've already
2742
         * called derive-secret */
2743
0
        if (tls->ctx->update_traffic_key == NULL) {
2744
0
            assert(tls->traffic_protection.enc.aead != NULL);
2745
0
            ptls_aead_free(tls->traffic_protection.enc.aead);
2746
0
            tls->traffic_protection.enc.aead = NULL;
2747
0
        }
2748
0
        tls->client.using_early_data = 0;
2749
0
    }
2750
2751
0
    if (sh->retry_request.selected_group != UINT16_MAX) {
2752
        /* we offer the first key_exchanges[0] as KEY_SHARE unless client.negotiate_before_key_exchange is set */
2753
0
        ptls_key_exchange_algorithm_t **cand;
2754
0
        for (cand = tls->ctx->key_exchanges; *cand != NULL; ++cand)
2755
0
            if ((*cand)->id == sh->retry_request.selected_group)
2756
0
                break;
2757
0
        if (*cand == NULL) {
2758
0
            ret = PTLS_ALERT_ILLEGAL_PARAMETER;
2759
0
            goto Exit;
2760
0
        }
2761
0
        tls->key_share = *cand;
2762
0
    } else if (tls->key_share != NULL) {
2763
        /* retain the key-share using in first CH, if server does not specify one */
2764
0
    } else {
2765
0
        ret = PTLS_ALERT_ILLEGAL_PARAMETER;
2766
0
        goto Exit;
2767
0
    }
2768
2769
0
    ret = send_client_hello(tls, emitter, properties, &sh->retry_request.cookie);
2770
2771
0
Exit:
2772
0
    return ret;
2773
0
}
2774
2775
static int client_ech_select_hello(ptls_t *tls, ptls_iovec_t message, size_t confirm_hash_off, const char *label)
2776
0
{
2777
0
    uint8_t confirm_hash_delivered[PTLS_ECH_CONFIRM_LENGTH], confirm_hash_expected[PTLS_ECH_CONFIRM_LENGTH];
2778
0
    int ret = 0;
2779
2780
    /* Determine if ECH has been accepted by checking the confirmation hash. `confirm_hash_off` set to zero indicates that HRR was
2781
     * received wo. ECH extension, which is an indication that ECH was rejected. */
2782
0
    if (confirm_hash_off != 0) {
2783
0
        memcpy(confirm_hash_delivered, message.base + confirm_hash_off, sizeof(confirm_hash_delivered));
2784
0
        memset(message.base + confirm_hash_off, 0, sizeof(confirm_hash_delivered));
2785
0
        if ((ret = ech_calc_confirmation(tls->key_schedule, confirm_hash_expected, tls->ech.inner_client_random, label, message)) !=
2786
0
            0)
2787
0
            goto Exit;
2788
0
        tls->ech.accepted = ptls_mem_equal(confirm_hash_delivered, confirm_hash_expected, sizeof(confirm_hash_delivered));
2789
0
        memcpy(message.base + confirm_hash_off, confirm_hash_delivered, sizeof(confirm_hash_delivered));
2790
0
        if (tls->ech.accepted)
2791
0
            goto Exit;
2792
0
    }
2793
2794
    /* dispose ECH AEAD state to indicate rejection, adopting outer CH for the rest of the handshake */
2795
0
    ptls_aead_free(tls->ech.aead);
2796
0
    tls->ech.aead = NULL;
2797
0
    key_schedule_select_outer(tls->key_schedule);
2798
2799
0
Exit:
2800
0
    PTLS_PROBE(ECH_SELECTION, tls, !!tls->ech.accepted);
2801
0
    PTLS_LOG_CONN(ech_selection, tls, { PTLS_LOG_ELEMENT_BOOL(is_ech, tls->ech.accepted); });
2802
0
    ptls_clear_memory(confirm_hash_expected, sizeof(confirm_hash_expected));
2803
0
    return ret;
2804
0
}
2805
2806
static int client_handle_hello(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message,
2807
                               ptls_handshake_properties_t *properties)
2808
0
{
2809
0
    struct st_ptls_server_hello_t sh;
2810
0
    ptls_iovec_t ecdh_secret = {NULL};
2811
0
    int ret;
2812
2813
0
    if ((ret = decode_server_hello(tls, &sh, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len)) != 0)
2814
0
        goto Exit;
2815
0
    if (!(sh.legacy_session_id.len == tls->client.legacy_session_id.len &&
2816
0
          ptls_mem_equal(sh.legacy_session_id.base, tls->client.legacy_session_id.base, tls->client.legacy_session_id.len))) {
2817
0
        ret = PTLS_ALERT_ILLEGAL_PARAMETER;
2818
0
        goto Exit;
2819
0
    }
2820
2821
0
    if (sh.is_retry_request) {
2822
0
        if ((ret = key_schedule_select_cipher(tls->key_schedule, tls->cipher_suite, 0, tls->ctx->pre_shared_key.secret)) != 0)
2823
0
            goto Exit;
2824
0
        key_schedule_transform_post_ch1hash(tls->key_schedule);
2825
0
        if (tls->ech.aead != NULL) {
2826
0
            size_t confirm_hash_off = 0;
2827
0
            if (tls->ech.offered) {
2828
0
                if (sh.retry_request.ech != NULL)
2829
0
                    confirm_hash_off = sh.retry_request.ech - message.base;
2830
0
            } else {
2831
0
                assert(tls->ech.offered_grease);
2832
0
            }
2833
0
            if ((ret = client_ech_select_hello(tls, message, confirm_hash_off, ECH_CONFIRMATION_HRR)) != 0)
2834
0
                goto Exit;
2835
0
        }
2836
0
        ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0);
2837
0
        return handle_hello_retry_request(tls, emitter, &sh, message, properties);
2838
0
    }
2839
2840
0
    if ((ret = key_schedule_select_cipher(tls->key_schedule, tls->cipher_suite, tls->client.offered_psk && !tls->is_psk_handshake,
2841
0
                                          ptls_iovec_init(NULL, 0))) != 0)
2842
0
        goto Exit;
2843
2844
    /* check if ECH is accepted */
2845
0
    if (tls->ech.aead != NULL) {
2846
0
        size_t confirm_hash_off = 0;
2847
0
        if (tls->ech.offered) {
2848
0
            confirm_hash_off =
2849
0
                PTLS_HANDSHAKE_HEADER_SIZE + 2 /* legacy_version */ + PTLS_HELLO_RANDOM_SIZE - PTLS_ECH_CONFIRM_LENGTH;
2850
0
        } else {
2851
0
            assert(tls->ech.offered_grease);
2852
0
        }
2853
0
        if ((ret = client_ech_select_hello(tls, message, confirm_hash_off, ECH_CONFIRMATION_SERVER_HELLO)) != 0)
2854
0
            goto Exit;
2855
0
    }
2856
2857
    /* clear sensitive and space-consuming ECH state, now that are done with handling sending and decoding Hellos */
2858
0
    clear_ech(&tls->ech, 0);
2859
0
    if (tls->key_schedule->hashes[0].ctx_outer != NULL) {
2860
0
        tls->key_schedule->hashes[0].ctx_outer->final(tls->key_schedule->hashes[0].ctx_outer, NULL, PTLS_HASH_FINAL_MODE_FREE);
2861
0
        tls->key_schedule->hashes[0].ctx_outer = NULL;
2862
0
    }
2863
2864
    /* if the client offered external PSK but the server did not use that, we call it a handshake failure */
2865
0
    if (tls->ctx->pre_shared_key.identity.base != NULL && !tls->is_psk_handshake) {
2866
0
        ret = PTLS_ALERT_HANDSHAKE_FAILURE;
2867
0
        goto Exit;
2868
0
    }
2869
2870
0
    ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0);
2871
2872
0
    if (sh.peerkey.base != NULL) {
2873
0
        if ((ret = tls->client.key_share_ctx->on_exchange(&tls->client.key_share_ctx, 1, &ecdh_secret, sh.peerkey)) != 0) {
2874
0
            assert(ecdh_secret.base == NULL);
2875
0
            goto Exit;
2876
0
        }
2877
0
    }
2878
2879
0
    if ((ret = key_schedule_extract(tls->key_schedule, ecdh_secret)) != 0)
2880
0
        goto Exit;
2881
0
    if ((ret = setup_traffic_protection(tls, 0, "s hs traffic", 2, 0, 0)) != 0)
2882
0
        goto Exit;
2883
0
    if (tls->client.using_early_data) {
2884
0
        if ((tls->pending_handshake_secret = malloc(PTLS_MAX_DIGEST_SIZE)) == NULL) {
2885
0
            ret = PTLS_ERROR_NO_MEMORY;
2886
0
            goto Exit;
2887
0
        }
2888
0
        if ((ret = derive_secret(tls->key_schedule, tls->pending_handshake_secret, "c hs traffic")) != 0)
2889
0
            goto Exit;
2890
0
        if (tls->ctx->update_traffic_key != NULL &&
2891
0
            (ret = tls->ctx->update_traffic_key->cb(tls->ctx->update_traffic_key, tls, 1, 2, tls->pending_handshake_secret)) != 0)
2892
0
            goto Exit;
2893
0
    } else {
2894
0
        if ((ret = setup_traffic_protection(tls, 1, "c hs traffic", 2, 0, 0)) != 0)
2895
0
            goto Exit;
2896
0
    }
2897
2898
0
    tls->state = PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS;
2899
0
    ret = PTLS_ERROR_IN_PROGRESS;
2900
2901
0
Exit:
2902
0
    if (ecdh_secret.base != NULL) {
2903
0
        ptls_clear_memory(ecdh_secret.base, ecdh_secret.len);
2904
0
        free(ecdh_secret.base);
2905
0
    }
2906
0
    return ret;
2907
0
}
2908
2909
static int should_collect_unknown_extension(ptls_t *tls, ptls_handshake_properties_t *properties, uint16_t type)
2910
0
{
2911
0
    return properties != NULL && properties->collect_extension != NULL && properties->collect_extension(tls, properties, type);
2912
0
}
2913
2914
static int collect_unknown_extension(ptls_t *tls, uint16_t type, const uint8_t *src, const uint8_t *const end,
2915
                                     ptls_raw_extension_t *slots)
2916
0
{
2917
0
    size_t i;
2918
0
    for (i = 0; slots[i].type != UINT16_MAX; ++i) {
2919
0
        assert(i < MAX_UNKNOWN_EXTENSIONS);
2920
0
        if (slots[i].type == type)
2921
0
            return PTLS_ALERT_ILLEGAL_PARAMETER;
2922
0
    }
2923
0
    if (i < MAX_UNKNOWN_EXTENSIONS) {
2924
0
        slots[i].type = type;
2925
0
        slots[i].data = ptls_iovec_init(src, end - src);
2926
0
        slots[i + 1].type = UINT16_MAX;
2927
0
    }
2928
0
    return 0;
2929
0
}
2930
2931
static int report_unknown_extensions(ptls_t *tls, ptls_handshake_properties_t *properties, ptls_raw_extension_t *slots)
2932
0
{
2933
0
    if (properties != NULL && properties->collect_extension != NULL) {
2934
0
        assert(properties->collected_extensions != NULL);
2935
0
        return properties->collected_extensions(tls, properties, slots);
2936
0
    } else {
2937
0
        return 0;
2938
0
    }
2939
0
}
2940
2941
static int client_handle_encrypted_extensions(ptls_t *tls, ptls_iovec_t message, ptls_handshake_properties_t *properties)
2942
0
{
2943
0
    const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len;
2944
0
    uint16_t type;
2945
0
    static const ptls_raw_extension_t no_unknown_extensions = {UINT16_MAX};
2946
0
    ptls_raw_extension_t *unknown_extensions = (ptls_raw_extension_t *)&no_unknown_extensions;
2947
0
    int ret, skip_early_data = 1;
2948
0
    uint8_t server_offered_cert_type = PTLS_CERTIFICATE_TYPE_X509;
2949
2950
0
    decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS, &type, {
2951
0
        if (tls->ctx->on_extension != NULL &&
2952
0
            (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS, type,
2953
0
                                              ptls_iovec_init(src, end - src)) != 0))
2954
0
            goto Exit;
2955
0
        switch (type) {
2956
0
        case PTLS_EXTENSION_TYPE_SERVER_NAME:
2957
0
            if (src != end) {
2958
0
                ret = PTLS_ALERT_DECODE_ERROR;
2959
0
                goto Exit;
2960
0
            }
2961
0
            if (!(tls->server_name != NULL && !ptls_server_name_is_ipaddr(tls->server_name))) {
2962
0
                ret = PTLS_ALERT_ILLEGAL_PARAMETER;
2963
0
                goto Exit;
2964
0
            }
2965
0
            break;
2966
0
        case PTLS_EXTENSION_TYPE_ALPN:
2967
0
            ptls_decode_block(src, end, 2, {
2968
0
                ptls_decode_open_block(src, end, 1, {
2969
0
                    if (src == end) {
2970
0
                        ret = PTLS_ALERT_DECODE_ERROR;
2971
0
                        goto Exit;
2972
0
                    }
2973
0
                    if ((ret = ptls_set_negotiated_protocol(tls, (const char *)src, end - src)) != 0)
2974
0
                        goto Exit;
2975
0
                    src = end;
2976
0
                });
2977
0
                if (src != end) {
2978
0
                    ret = PTLS_ALERT_HANDSHAKE_FAILURE;
2979
0
                    goto Exit;
2980
0
                }
2981
0
            });
2982
0
            break;
2983
0
        case PTLS_EXTENSION_TYPE_EARLY_DATA:
2984
0
            if (!tls->client.using_early_data) {
2985
0
                ret = PTLS_ALERT_ILLEGAL_PARAMETER;
2986
0
                goto Exit;
2987
0
            }
2988
0
            skip_early_data = 0;
2989
0
            break;
2990
0
        case PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE:
2991
0
            if (end - src != 1) {
2992
0
                ret = PTLS_ALERT_DECODE_ERROR;
2993
0
                goto Exit;
2994
0
            }
2995
0
            server_offered_cert_type = *src;
2996
0
            src = end;
2997
0
            break;
2998
0
        case PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO: {
2999
            /* accept retry_configs only if we offered ECH but rejected */
3000
0
            if (!((tls->ech.offered || tls->ech.offered_grease) && !ptls_is_ech_handshake(tls, NULL, NULL, NULL))) {
3001
0
                ret = PTLS_ALERT_UNSUPPORTED_EXTENSION;
3002
0
                goto Exit;
3003
0
            }
3004
            /* parse retry_config, and if it is applicable, provide that to the application */
3005
0
            struct st_decoded_ech_config_t decoded;
3006
0
            if ((ret = client_decode_ech_config_list(tls->ctx, &decoded, ptls_iovec_init(src, end - src))) != 0)
3007
0
                goto Exit;
3008
0
            if (decoded.kem != NULL && decoded.cipher != NULL && properties != NULL &&
3009
0
                properties->client.ech.retry_configs != NULL) {
3010
0
                if ((properties->client.ech.retry_configs->base = malloc(end - src)) == NULL) {
3011
0
                    ret = PTLS_ERROR_NO_MEMORY;
3012
0
                    goto Exit;
3013
0
                }
3014
0
                memcpy(properties->client.ech.retry_configs->base, src, end - src);
3015
0
                properties->client.ech.retry_configs->len = end - src;
3016
0
            }
3017
0
            src = end;
3018
0
        } break;
3019
0
        default:
3020
0
            if (should_collect_unknown_extension(tls, properties, type)) {
3021
0
                if (unknown_extensions == &no_unknown_extensions) {
3022
0
                    if ((unknown_extensions = malloc(sizeof(*unknown_extensions) * (MAX_UNKNOWN_EXTENSIONS + 1))) == NULL) {
3023
0
                        ret = PTLS_ERROR_NO_MEMORY;
3024
0
                        goto Exit;
3025
0
                    }
3026
0
                    unknown_extensions[0].type = UINT16_MAX;
3027
0
                }
3028
0
                if ((ret = collect_unknown_extension(tls, type, src, end, unknown_extensions)) != 0)
3029
0
                    goto Exit;
3030
0
            }
3031
0
            break;
3032
0
        }
3033
0
        src = end;
3034
0
    });
3035
3036
0
    if (server_offered_cert_type !=
3037
0
        (tls->ctx->use_raw_public_keys ? PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY : PTLS_CERTIFICATE_TYPE_X509)) {
3038
0
        ret = PTLS_ALERT_UNSUPPORTED_CERTIFICATE;
3039
0
        goto Exit;
3040
0
    }
3041
3042
0
    if (tls->client.using_early_data) {
3043
0
        if (skip_early_data)
3044
0
            tls->client.using_early_data = 0;
3045
0
        if (properties != NULL)
3046
0
            properties->client.early_data_acceptance = skip_early_data ? PTLS_EARLY_DATA_REJECTED : PTLS_EARLY_DATA_ACCEPTED;
3047
0
    }
3048
0
    if ((ret = report_unknown_extensions(tls, properties, unknown_extensions)) != 0)
3049
0
        goto Exit;
3050
3051
0
    ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0);
3052
0
    tls->state =
3053
0
        tls->is_psk_handshake ? PTLS_STATE_CLIENT_EXPECT_FINISHED : PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE;
3054
0
    ret = PTLS_ERROR_IN_PROGRESS;
3055
3056
0
Exit:
3057
0
    if (unknown_extensions != &no_unknown_extensions)
3058
0
        free(unknown_extensions);
3059
0
    return ret;
3060
0
}
3061
3062
static int decode_certificate_request(ptls_t *tls, struct st_ptls_certificate_request_t *cr, const uint8_t *src,
3063
                                      const uint8_t *const end)
3064
0
{
3065
0
    int ret;
3066
0
    uint16_t exttype = 0;
3067
3068
    /* certificate request context */
3069
0
    ptls_decode_open_block(src, end, 1, {
3070
0
        size_t len = end - src;
3071
0
        if (len > 255) {
3072
0
            ret = PTLS_ALERT_DECODE_ERROR;
3073
0
            goto Exit;
3074
0
        }
3075
0
        if ((cr->context.base = malloc(len != 0 ? len : 1)) == NULL) {
3076
0
            ret = PTLS_ERROR_NO_MEMORY;
3077
0
            goto Exit;
3078
0
        }
3079
0
        cr->context.len = len;
3080
0
        memcpy(cr->context.base, src, len);
3081
0
        src = end;
3082
0
    });
3083
3084
    /* decode extensions */
3085
0
    decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST, &exttype, {
3086
0
        if (tls->ctx->on_extension != NULL &&
3087
0
            (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST, exttype,
3088
0
                                              ptls_iovec_init(src, end - src)) != 0))
3089
0
            goto Exit;
3090
0
        switch (exttype) {
3091
0
        case PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS:
3092
0
            if ((ret = decode_signature_algorithms(&cr->signature_algorithms, &src, end)) != 0)
3093
0
                goto Exit;
3094
0
            break;
3095
0
        }
3096
0
        src = end;
3097
0
    });
3098
3099
0
    if (cr->signature_algorithms.count == 0) {
3100
0
        ret = PTLS_ALERT_MISSING_EXTENSION;
3101
0
        goto Exit;
3102
0
    }
3103
3104
0
    ret = 0;
3105
0
Exit:
3106
0
    return ret;
3107
0
}
3108
3109
int ptls_build_certificate_message(ptls_buffer_t *buf, ptls_iovec_t context, ptls_iovec_t *certificates, size_t num_certificates,
3110
                                   ptls_iovec_t ocsp_status)
3111
0
{
3112
0
    int ret;
3113
3114
0
    ptls_buffer_push_block(buf, 1, { ptls_buffer_pushv(buf, context.base, context.len); });
3115
0
    ptls_buffer_push_block(buf, 3, {
3116
0
        size_t i;
3117
0
        for (i = 0; i != num_certificates; ++i) {
3118
0
            ptls_buffer_push_block(buf, 3, { ptls_buffer_pushv(buf, certificates[i].base, certificates[i].len); });
3119
0
            ptls_buffer_push_block(buf, 2, {
3120
0
                if (i == 0 && ocsp_status.len != 0) {
3121
0
                    buffer_push_extension(buf, PTLS_EXTENSION_TYPE_STATUS_REQUEST, {
3122
0
                        ptls_buffer_push(buf, 1); /* status_type == ocsp */
3123
0
                        ptls_buffer_push_block(buf, 3, { ptls_buffer_pushv(buf, ocsp_status.base, ocsp_status.len); });
3124
0
                    });
3125
0
                }
3126
0
            });
3127
0
        }
3128
0
    });
3129
3130
0
    ret = 0;
3131
0
Exit:
3132
0
    return ret;
3133
0
}
3134
3135
static int default_emit_certificate_cb(ptls_emit_certificate_t *_self, ptls_t *tls, ptls_message_emitter_t *emitter,
3136
                                       ptls_key_schedule_t *key_sched, ptls_iovec_t context, int push_status_request,
3137
                                       const uint16_t *compress_algos, size_t num_compress_algos)
3138
0
{
3139
0
    int ret;
3140
3141
0
    ptls_push_message(emitter, key_sched, PTLS_HANDSHAKE_TYPE_CERTIFICATE, {
3142
0
        if ((ret = ptls_build_certificate_message(emitter->buf, context, tls->ctx->certificates.list, tls->ctx->certificates.count,
3143
0
                                                  ptls_iovec_init(NULL, 0))) != 0)
3144
0
            goto Exit;
3145
0
    });
3146
3147
0
    ret = 0;
3148
0
Exit:
3149
0
    return ret;
3150
0
}
3151
3152
static int send_certificate(ptls_t *tls, ptls_message_emitter_t *emitter,
3153
                            struct st_ptls_signature_algorithms_t *signature_algorithms, ptls_iovec_t context,
3154
                            int push_status_request, const uint16_t *compress_algos, size_t num_compress_algos)
3155
0
{
3156
0
    int ret;
3157
3158
0
    if (signature_algorithms->count == 0) {
3159
0
        ret = PTLS_ALERT_MISSING_EXTENSION;
3160
0
        goto Exit;
3161
0
    }
3162
3163
0
    { /* send Certificate (or the equivalent) */
3164
0
        static ptls_emit_certificate_t default_emit_certificate = {default_emit_certificate_cb};
3165
0
        ptls_emit_certificate_t *emit_certificate =
3166
0
            tls->ctx->emit_certificate != NULL ? tls->ctx->emit_certificate : &default_emit_certificate;
3167
0
    Redo:
3168
0
        if ((ret = emit_certificate->cb(emit_certificate, tls, emitter, tls->key_schedule, context, push_status_request,
3169
0
                                        compress_algos, num_compress_algos)) != 0) {
3170
0
            if (ret == PTLS_ERROR_DELEGATE) {
3171
0
                assert(emit_certificate != &default_emit_certificate);
3172
0
                emit_certificate = &default_emit_certificate;
3173
0
                goto Redo;
3174
0
            }
3175
0
            goto Exit;
3176
0
        }
3177
0
    }
3178
3179
0
Exit:
3180
0
    return ret;
3181
0
}
3182
3183
static int send_certificate_verify(ptls_t *tls, ptls_message_emitter_t *emitter,
3184
                                   struct st_ptls_signature_algorithms_t *signature_algorithms, const char *context_string)
3185
0
{
3186
0
    size_t start_off = emitter->buf->off;
3187
0
    int ret;
3188
3189
0
    if (tls->ctx->sign_certificate == NULL)
3190
0
        return 0;
3191
    /* build and send CertificateVerify */
3192
0
    ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY, {
3193
0
        ptls_buffer_t *sendbuf = emitter->buf;
3194
0
        size_t algo_off = sendbuf->off;
3195
0
        ptls_buffer_push16(sendbuf, 0); /* filled in later */
3196
0
        ptls_buffer_push_block(sendbuf, 2, {
3197
0
            uint16_t algo;
3198
0
            uint8_t data[PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE];
3199
0
            size_t datalen = build_certificate_verify_signdata(data, tls->key_schedule, context_string);
3200
0
            if ((ret = tls->ctx->sign_certificate->cb(
3201
0
                     tls->ctx->sign_certificate, tls, tls->is_server ? &tls->server.async_job : NULL, &algo, sendbuf,
3202
0
                     ptls_iovec_init(data, datalen), signature_algorithms != NULL ? signature_algorithms->list : NULL,
3203
0
                     signature_algorithms != NULL ? signature_algorithms->count : 0)) != 0) {
3204
0
                if (ret == PTLS_ERROR_ASYNC_OPERATION) {
3205
0
                    assert(tls->is_server || !"async operation only supported on the server-side");
3206
0
                    assert(tls->server.async_job != NULL);
3207
                    /* Reset the output to the end of the previous handshake message. CertificateVerify will be rebuilt when the
3208
                     * async operation completes. */
3209
0
                    emitter->buf->off = start_off;
3210
0
                } else {
3211
0
                    assert(tls->server.async_job == NULL);
3212
0
                }
3213
0
                goto Exit;
3214
0
            }
3215
0
            assert(tls->server.async_job == NULL);
3216
0
            sendbuf->base[algo_off] = (uint8_t)(algo >> 8);
3217
0
            sendbuf->base[algo_off + 1] = (uint8_t)algo;
3218
0
        });
3219
0
    });
3220
0
Exit:
3221
0
    return ret;
3222
0
}
3223
3224
static int client_handle_certificate_request(ptls_t *tls, ptls_iovec_t message, ptls_handshake_properties_t *properties)
3225
0
{
3226
0
    const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len;
3227
0
    int ret = 0;
3228
3229
0
    assert(!tls->is_psk_handshake && "state machine asserts that this message is never delivered when PSK is used");
3230
3231
0
    if ((ret = decode_certificate_request(tls, &tls->client.certificate_request, src, end)) != 0)
3232
0
        return ret;
3233
3234
    /* This field SHALL be zero length unless used for the post-handshake authentication exchanges (section 4.3.2) */
3235
0
    if (tls->client.certificate_request.context.len != 0)
3236
0
        return PTLS_ALERT_ILLEGAL_PARAMETER;
3237
3238
0
    tls->state = PTLS_STATE_CLIENT_EXPECT_CERTIFICATE;
3239
0
    ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0);
3240
3241
0
    return PTLS_ERROR_IN_PROGRESS;
3242
0
}
3243
3244
static int handle_certificate(ptls_t *tls, const uint8_t *src, const uint8_t *end, int *got_certs)
3245
0
{
3246
0
    ptls_iovec_t certs[16];
3247
0
    size_t num_certs = 0;
3248
0
    int ret = 0;
3249
3250
    /* certificate request context */
3251
0
    ptls_decode_open_block(src, end, 1, {
3252
0
        if (src != end) {
3253
0
            ret = PTLS_ALERT_ILLEGAL_PARAMETER;
3254
0
            goto Exit;
3255
0
        }
3256
0
    });
3257
    /* certificate_list */
3258
0
    ptls_decode_block(src, end, 3, {
3259
0
        while (src != end) {
3260
0
            ptls_decode_open_block(src, end, 3, {
3261
0
                if (num_certs < PTLS_ELEMENTSOF(certs))
3262
0
                    certs[num_certs++] = ptls_iovec_init(src, end - src);
3263
0
                src = end;
3264
0
            });
3265
0
            uint16_t type;
3266
0
            decode_open_extensions(src, end, PTLS_HANDSHAKE_TYPE_CERTIFICATE, &type, {
3267
0
                if (tls->ctx->on_extension != NULL &&
3268
0
                    (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_CERTIFICATE, type,
3269
0
                                                      ptls_iovec_init(src, end - src)) != 0))
3270
0
                    goto Exit;
3271
0
                src = end;
3272
0
            });
3273
0
        }
3274
0
    });
3275
3276
0
    if (tls->ctx->verify_certificate != NULL) {
3277
0
        const char *server_name = NULL;
3278
0
        if (!ptls_is_server(tls)) {
3279
0
            if (tls->ech.offered && !ptls_is_ech_handshake(tls, NULL, NULL, NULL)) {
3280
0
                server_name = tls->ech.client.public_name;
3281
0
            } else {
3282
0
                server_name = tls->server_name;
3283
0
            }
3284
0
        }
3285
0
        if ((ret = tls->ctx->verify_certificate->cb(tls->ctx->verify_certificate, tls, server_name, &tls->certificate_verify.cb,
3286
0
                                                    &tls->certificate_verify.verify_ctx, certs, num_certs)) != 0)
3287
0
            goto Exit;
3288
0
    }
3289
3290
0
    *got_certs = num_certs != 0;
3291
3292
0
Exit:
3293
0
    return ret;
3294
0
}
3295
3296
static int client_do_handle_certificate(ptls_t *tls, const uint8_t *src, const uint8_t *end)
3297
0
{
3298
0
    int got_certs, ret;
3299
3300
0
    if ((ret = handle_certificate(tls, src, end, &got_certs)) != 0)
3301
0
        return ret;
3302
0
    if (!got_certs)
3303
0
        return PTLS_ALERT_ILLEGAL_PARAMETER;
3304
3305
0
    return 0;
3306
0
}
3307
3308
static int client_handle_certificate(ptls_t *tls, ptls_iovec_t message)
3309
0
{
3310
0
    int ret;
3311
3312
0
    if ((ret = client_do_handle_certificate(tls, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len)) != 0)
3313
0
        return ret;
3314
3315
0
    ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0);
3316
3317
0
    tls->state = PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY;
3318
0
    return PTLS_ERROR_IN_PROGRESS;
3319
0
}
3320
3321
static int client_handle_compressed_certificate(ptls_t *tls, ptls_iovec_t message)
3322
0
{
3323
0
    const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len;
3324
0
    uint16_t algo;
3325
0
    uint32_t uncompressed_size;
3326
0
    uint8_t *uncompressed = NULL;
3327
0
    int ret;
3328
3329
0
    if (tls->ctx->decompress_certificate == NULL) {
3330
0
        ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
3331
0
        goto Exit;
3332
0
    }
3333
3334
    /* decode */
3335
0
    if ((ret = ptls_decode16(&algo, &src, end)) != 0)
3336
0
        goto Exit;
3337
0
    if ((ret = ptls_decode24(&uncompressed_size, &src, end)) != 0)
3338
0
        goto Exit;
3339
0
    if (uncompressed_size > 65536) { /* TODO find a sensible number */
3340
0
        ret = PTLS_ALERT_BAD_CERTIFICATE;
3341
0
        goto Exit;
3342
0
    }
3343
0
    if ((uncompressed = malloc(uncompressed_size)) == NULL) {
3344
0
        ret = PTLS_ERROR_NO_MEMORY;
3345
0
        goto Exit;
3346
0
    }
3347
0
    ptls_decode_block(src, end, 3, {
3348
0
        if ((ret = tls->ctx->decompress_certificate->cb(tls->ctx->decompress_certificate, tls, algo,
3349
0
                                                        ptls_iovec_init(uncompressed, uncompressed_size),
3350
0
                                                        ptls_iovec_init(src, end - src))) != 0)
3351
0
            goto Exit;
3352
0
        src = end;
3353
0
    });
3354
3355
    /* handle */
3356
0
    if ((ret = client_do_handle_certificate(tls, uncompressed, uncompressed + uncompressed_size)) != 0)
3357
0
        goto Exit;
3358
3359
0
    ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0);
3360
0
    tls->state = PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY;
3361
0
    ret = PTLS_ERROR_IN_PROGRESS;
3362
3363
0
Exit:
3364
0
    free(uncompressed);
3365
0
    return ret;
3366
0
}
3367
3368
static int server_handle_certificate(ptls_t *tls, ptls_iovec_t message)
3369
0
{
3370
0
    int got_certs, ret;
3371
3372
0
    if ((ret = handle_certificate(tls, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len, &got_certs)) != 0)
3373
0
        return ret;
3374
3375
0
    ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0);
3376
3377
0
    if (got_certs) {
3378
0
        tls->state = PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY;
3379
0
    } else {
3380
        /* Client did not provide certificate, and the verifier says we can fail open. Therefore, the next message is Finished. */
3381
0
        tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED;
3382
0
    }
3383
3384
0
    return PTLS_ERROR_IN_PROGRESS;
3385
0
}
3386
3387
static int handle_certificate_verify(ptls_t *tls, ptls_iovec_t message, const char *context_string)
3388
0
{
3389
0
    const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len;
3390
0
    uint16_t algo;
3391
0
    ptls_iovec_t signature;
3392
0
    uint8_t signdata[PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE];
3393
0
    size_t signdata_size;
3394
0
    int ret;
3395
3396
    /* decode */
3397
0
    if ((ret = ptls_decode16(&algo, &src, end)) != 0)
3398
0
        goto Exit;
3399
0
    ptls_decode_block(src, end, 2, {
3400
0
        signature = ptls_iovec_init(src, end - src);
3401
0
        src = end;
3402
0
    });
3403
3404
0
    signdata_size = build_certificate_verify_signdata(signdata, tls->key_schedule, context_string);
3405
0
    if (tls->certificate_verify.cb != NULL) {
3406
0
        ret = tls->certificate_verify.cb(tls->certificate_verify.verify_ctx, algo, ptls_iovec_init(signdata, signdata_size),
3407
0
                                         signature);
3408
0
    } else {
3409
0
        ret = 0;
3410
0
    }
3411
0
    ptls_clear_memory(signdata, signdata_size);
3412
0
    tls->certificate_verify.cb = NULL;
3413
0
    if (ret != 0) {
3414
0
        goto Exit;
3415
0
    }
3416
3417
0
    ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0);
3418
3419
0
Exit:
3420
0
    return ret;
3421
0
}
3422
3423
static int client_handle_certificate_verify(ptls_t *tls, ptls_iovec_t message)
3424
0
{
3425
0
    int ret = handle_certificate_verify(tls, message, PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING);
3426
3427
0
    if (ret == 0) {
3428
0
        tls->state = PTLS_STATE_CLIENT_EXPECT_FINISHED;
3429
0
        ret = PTLS_ERROR_IN_PROGRESS;
3430
0
    }
3431
3432
0
    return ret;
3433
0
}
3434
3435
static int server_handle_certificate_verify(ptls_t *tls, ptls_iovec_t message)
3436
0
{
3437
0
    int ret = handle_certificate_verify(tls, message, PTLS_CLIENT_CERTIFICATE_VERIFY_CONTEXT_STRING);
3438
3439
0
    if (ret == 0) {
3440
0
        tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED;
3441
0
        ret = PTLS_ERROR_IN_PROGRESS;
3442
0
    }
3443
3444
0
    return ret;
3445
0
}
3446
3447
static int client_handle_finished(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message)
3448
0
{
3449
0
    uint8_t send_secret[PTLS_MAX_DIGEST_SIZE];
3450
0
    int alert_ech_required = tls->ech.offered && !ptls_is_ech_handshake(tls, NULL, NULL, NULL), ret;
3451
3452
0
    if ((ret = verify_finished(tls, message)) != 0)
3453
0
        goto Exit;
3454
0
    ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0);
3455
3456
    /* update traffic keys by using messages upto ServerFinished, but commission them after sending ClientFinished */
3457
0
    if ((ret = key_schedule_extract(tls->key_schedule, ptls_iovec_init(NULL, 0))) != 0)
3458
0
        goto Exit;
3459
0
    if ((ret = setup_traffic_protection(tls, 0, "s ap traffic", 3, 0, 0)) != 0)
3460
0
        goto Exit;
3461
0
    if ((ret = derive_secret(tls->key_schedule, send_secret, "c ap traffic")) != 0)
3462
0
        goto Exit;
3463
0
    if ((ret = derive_exporter_secret(tls, 0)) != 0)
3464
0
        goto Exit;
3465
3466
    /* if sending early data, emit EOED and commision the client handshake traffic secret */
3467
0
    if (tls->pending_handshake_secret != NULL) {
3468
0
        assert(tls->traffic_protection.enc.aead != NULL || tls->ctx->update_traffic_key != NULL);
3469
0
        if (tls->client.using_early_data && !tls->ctx->omit_end_of_early_data)
3470
0
            ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA, {});
3471
0
        tls->client.using_early_data = 0;
3472
0
        if ((ret = commission_handshake_secret(tls)) != 0)
3473
0
            goto Exit;
3474
0
    }
3475
3476
0
    if ((ret = push_change_cipher_spec(tls, emitter)) != 0)
3477
0
        goto Exit;
3478
3479
0
    if (!alert_ech_required && tls->client.certificate_request.context.base != NULL) {
3480
0
        if ((ret = send_certificate(tls, emitter, &tls->client.certificate_request.signature_algorithms,
3481
0
                                    tls->client.certificate_request.context, 0, NULL, 0)) == 0)
3482
0
            ret = send_certificate_verify(tls, emitter, &tls->client.certificate_request.signature_algorithms,
3483
0
                                          PTLS_CLIENT_CERTIFICATE_VERIFY_CONTEXT_STRING);
3484
0
        free(tls->client.certificate_request.context.base);
3485
0
        tls->client.certificate_request.context = ptls_iovec_init(NULL, 0);
3486
0
        if (ret != 0)
3487
0
            goto Exit;
3488
0
    }
3489
3490
0
    ret = send_finished(tls, emitter);
3491
3492
0
    memcpy(tls->traffic_protection.enc.secret, send_secret, sizeof(send_secret));
3493
0
    if ((ret = setup_traffic_protection(tls, 1, NULL, 3, 0, 0)) != 0)
3494
0
        goto Exit;
3495
3496
0
    tls->state = PTLS_STATE_CLIENT_POST_HANDSHAKE;
3497
3498
    /* if ECH was rejected, close the connection with ECH_REQUIRED alert after verifying messages up to Finished */
3499
0
    if (alert_ech_required)
3500
0
        ret = PTLS_ALERT_ECH_REQUIRED;
3501
3502
0
Exit:
3503
0
    ptls_clear_memory(send_secret, sizeof(send_secret));
3504
0
    return ret;
3505
0
}
3506
3507
static int client_handle_new_session_ticket(ptls_t *tls, ptls_iovec_t message)
3508
0
{
3509
0
    const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len;
3510
0
    ptls_iovec_t ticket_nonce;
3511
0
    int ret;
3512
3513
0
    { /* verify the format */
3514
0
        uint32_t ticket_lifetime, ticket_age_add, max_early_data_size;
3515
0
        ptls_iovec_t ticket;
3516
0
        if ((ret = decode_new_session_ticket(tls, &ticket_lifetime, &ticket_age_add, &ticket_nonce, &ticket, &max_early_data_size,
3517
0
                                             src, end)) != 0)
3518
0
            return ret;
3519
0
    }
3520
3521
    /* do nothing if use of session ticket is disabled */
3522
0
    if (tls->ctx->save_ticket == NULL)
3523
0
        return 0;
3524
3525
    /* save the extension, along with the key of myself */
3526
0
    ptls_buffer_t ticket_buf;
3527
0
    ptls_buffer_init(&ticket_buf, "", 0);
3528
0
    ptls_buffer_push64(&ticket_buf, tls->ctx->get_time->cb(tls->ctx->get_time));
3529
0
    ptls_buffer_push16(&ticket_buf, tls->key_share->id);
3530
0
    ptls_buffer_push16(&ticket_buf, tls->cipher_suite->id);
3531
0
    ptls_buffer_push_block(&ticket_buf, 3, { ptls_buffer_pushv(&ticket_buf, src, end - src); });
3532
0
    ptls_buffer_push_block(&ticket_buf, 2, {
3533
0
        if ((ret = ptls_buffer_reserve(&ticket_buf, tls->key_schedule->hashes[0].algo->digest_size)) != 0)
3534
0
            goto Exit;
3535
0
        if ((ret = derive_resumption_secret(tls->key_schedule, ticket_buf.base + ticket_buf.off, ticket_nonce)) != 0)
3536
0
            goto Exit;
3537
0
        ticket_buf.off += tls->key_schedule->hashes[0].algo->digest_size;
3538
0
    });
3539
3540
0
    if ((ret = tls->ctx->save_ticket->cb(tls->ctx->save_ticket, tls, ptls_iovec_init(ticket_buf.base, ticket_buf.off))) != 0)
3541
0
        goto Exit;
3542
3543
0
    ret = 0;
3544
0
Exit:
3545
0
    ptls_buffer_dispose(&ticket_buf);
3546
0
    return ret;
3547
0
}
3548
3549
static int client_hello_decode_server_name(ptls_iovec_t *name, const uint8_t **src, const uint8_t *const end)
3550
0
{
3551
0
    int ret = 0;
3552
3553
0
    ptls_decode_open_block(*src, end, 2, {
3554
0
        do {
3555
0
            uint8_t type;
3556
0
            if ((ret = ptls_decode8(&type, src, end)) != 0)
3557
0
                goto Exit;
3558
0
            ptls_decode_open_block(*src, end, 2, {
3559
0
                switch (type) {
3560
0
                case PTLS_SERVER_NAME_TYPE_HOSTNAME:
3561
0
                    if (memchr(*src, '\0', end - *src) != 0) {
3562
0
                        ret = PTLS_ALERT_ILLEGAL_PARAMETER;
3563
0
                        goto Exit;
3564
0
                    }
3565
0
                    *name = ptls_iovec_init(*src, end - *src);
3566
0
                    break;
3567
0
                default:
3568
0
                    break;
3569
0
                }
3570
0
                *src = end;
3571
0
            });
3572
0
        } while (*src != end);
3573
0
    });
3574
3575
0
Exit:
3576
0
    return ret;
3577
0
}
3578
3579
static int select_negotiated_group(ptls_key_exchange_algorithm_t **selected, ptls_key_exchange_algorithm_t **candidates,
3580
                                   const uint8_t *src, const uint8_t *const end)
3581
0
{
3582
0
    int ret;
3583
3584
0
    ptls_decode_block(src, end, 2, {
3585
0
        while (src != end) {
3586
0
            uint16_t group;
3587
0
            if ((ret = ptls_decode16(&group, &src, end)) != 0)
3588
0
                goto Exit;
3589
0
            ptls_key_exchange_algorithm_t **c = candidates;
3590
0
            for (; *c != NULL; ++c) {
3591
0
                if ((*c)->id == group) {
3592
0
                    *selected = *c;
3593
0
                    return 0;
3594
0
                }
3595
0
            }
3596
0
        }
3597
0
    });
3598
3599
0
    ret = PTLS_ALERT_HANDSHAKE_FAILURE;
3600
3601
0
Exit:
3602
0
    return ret;
3603
0
}
3604
3605
static int decode_client_hello(ptls_context_t *ctx, struct st_ptls_client_hello_t *ch, const uint8_t *src, const uint8_t *const end,
3606
                               ptls_handshake_properties_t *properties, ptls_t *tls_cbarg)
3607
0
{
3608
0
    const uint8_t *start = src;
3609
0
    uint16_t exttype = 0;
3610
0
    int ret;
3611
3612
    /* decode protocol version (do not bare to decode something older than TLS 1.0) */
3613
0
    if ((ret = ptls_decode16(&ch->legacy_version, &src, end)) != 0)
3614
0
        goto Exit;
3615
0
    if (ch->legacy_version < 0x0301) {
3616
0
        ret = PTLS_ALERT_PROTOCOL_VERSION;
3617
0
        goto Exit;
3618
0
    }
3619
3620
    /* skip random */
3621
0
    if (end - src < PTLS_HELLO_RANDOM_SIZE) {
3622
0
        ret = PTLS_ALERT_DECODE_ERROR;
3623
0
        goto Exit;
3624
0
    }
3625
0
    ch->random_bytes = src;
3626
0
    src += PTLS_HELLO_RANDOM_SIZE;
3627
3628
    /* skip legacy_session_id */
3629
0
    ptls_decode_open_block(src, end, 1, {
3630
0
        if (end - src > 32) {
3631
0
            ret = PTLS_ALERT_DECODE_ERROR;
3632
0
            goto Exit;
3633
0
        }
3634
0
        ch->legacy_session_id = ptls_iovec_init(src, end - src);
3635
0
        src = end;
3636
0
    });
3637
3638
    /* decode and select from ciphersuites */
3639
0
    ptls_decode_open_block(src, end, 2, {
3640
0
        if ((end - src) % 2 != 0) {
3641
0
            ret = PTLS_ALERT_DECODE_ERROR;
3642
0
            goto Exit;
3643
0
        }
3644
0
        ch->cipher_suites = ptls_iovec_init(src, end - src);
3645
0
        src = end;
3646
0
    });
3647
3648
    /* decode legacy_compression_methods */
3649
0
    ptls_decode_open_block(src, end, 1, {
3650
0
        if (src == end) {
3651
0
            ret = PTLS_ALERT_DECODE_ERROR;
3652
0
            goto Exit;
3653
0
        }
3654
0
        ch->compression_methods.ids = src;
3655
0
        ch->compression_methods.count = end - src;
3656
0
        src = end;
3657
0
    });
3658
3659
    /* In TLS versions 1.2 and earlier CH might not have an extensions block (or they might, see what OpenSSL 1.0.0 sends); so bail
3660
     * out if that is the case after parsing the main variables. Zero is returned as it is a valid ClientHello. However
3661
     * `ptls_t::selected_version` remains zero indicating that no compatible version were found. */
3662
0
    if (src == end) {
3663
0
        ret = 0;
3664
0
        goto Exit;
3665
0
    }
3666
3667
    /* decode extensions */
3668
0
    ch->first_extension_at = src - start + 2;
3669
0
    decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, &exttype, {
3670
0
        ch->psk.is_last_extension = 0;
3671
0
        if (ctx->on_extension != NULL && tls_cbarg != NULL &&
3672
0
            (ret = ctx->on_extension->cb(ctx->on_extension, tls_cbarg, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, exttype,
3673
0
                                         ptls_iovec_init(src, end - src)) != 0))
3674
0
            goto Exit;
3675
0
        switch (exttype) {
3676
0
        case PTLS_EXTENSION_TYPE_SERVER_NAME:
3677
0
            if ((ret = client_hello_decode_server_name(&ch->server_name, &src, end)) != 0)
3678
0
                goto Exit;
3679
0
            if (src != end) {
3680
0
                ret = PTLS_ALERT_DECODE_ERROR;
3681
0
                goto Exit;
3682
0
            }
3683
0
            break;
3684
0
        case PTLS_EXTENSION_TYPE_ALPN:
3685
0
            ptls_decode_block(src, end, 2, {
3686
0
                do {
3687
0
                    ptls_decode_open_block(src, end, 1, {
3688
                        /* rfc7301 3.1: empty strings MUST NOT be included */
3689
0
                        if (src == end) {
3690
0
                            ret = PTLS_ALERT_DECODE_ERROR;
3691
0
                            goto Exit;
3692
0
                        }
3693
0
                        if (ch->alpn.count < PTLS_ELEMENTSOF(ch->alpn.list))
3694
0
                            ch->alpn.list[ch->alpn.count++] = ptls_iovec_init(src, end - src);
3695
0
                        src = end;
3696
0
                    });
3697
0
                } while (src != end);
3698
0
            });
3699
0
            break;
3700
0
        case PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE:
3701
0
            ptls_decode_block(src, end, 1, {
3702
0
                size_t list_size = end - src;
3703
3704
                /* RFC7250 4.1: No empty list, no list with single x509 element */
3705
0
                if (list_size == 0 || (list_size == 1 && *src == PTLS_CERTIFICATE_TYPE_X509)) {
3706
0
                    ret = PTLS_ALERT_DECODE_ERROR;
3707
0
                    goto Exit;
3708
0
                }
3709
3710
0
                do {
3711
0
                    if (ch->server_certificate_types.count < PTLS_ELEMENTSOF(ch->server_certificate_types.list))
3712
0
                        ch->server_certificate_types.list[ch->server_certificate_types.count++] = *src;
3713
0
                    src++;
3714
0
                } while (src != end);
3715
0
            });
3716
0
            break;
3717
0
        case PTLS_EXTENSION_TYPE_COMPRESS_CERTIFICATE:
3718
0
            ptls_decode_block(src, end, 1, {
3719
0
                do {
3720
0
                    uint16_t id;
3721
0
                    if ((ret = ptls_decode16(&id, &src, end)) != 0)
3722
0
                        goto Exit;
3723
0
                    if (ch->cert_compression_algos.count < PTLS_ELEMENTSOF(ch->cert_compression_algos.list))
3724
0
                        ch->cert_compression_algos.list[ch->cert_compression_algos.count++] = id;
3725
0
                } while (src != end);
3726
0
            });
3727
0
            break;
3728
0
        case PTLS_EXTENSION_TYPE_SUPPORTED_GROUPS:
3729
0
            ch->negotiated_groups = ptls_iovec_init(src, end - src);
3730
0
            break;
3731
0
        case PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS:
3732
0
            if ((ret = decode_signature_algorithms(&ch->signature_algorithms, &src, end)) != 0)
3733
0
                goto Exit;
3734
0
            break;
3735
0
        case PTLS_EXTENSION_TYPE_KEY_SHARE:
3736
0
            ch->key_shares = ptls_iovec_init(src, end - src);
3737
0
            break;
3738
0
        case PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS:
3739
0
            ptls_decode_block(src, end, 1, {
3740
0
                size_t selected_index = PTLS_ELEMENTSOF(supported_versions);
3741
0
                do {
3742
0
                    size_t i;
3743
0
                    uint16_t v;
3744
0
                    if ((ret = ptls_decode16(&v, &src, end)) != 0)
3745
0
                        goto Exit;
3746
0
                    for (i = 0; i != selected_index; ++i) {
3747
0
                        if (supported_versions[i] == v) {
3748
0
                            selected_index = i;
3749
0
                            break;
3750
0
                        }
3751
0
                    }
3752
0
                } while (src != end);
3753
0
                if (selected_index != PTLS_ELEMENTSOF(supported_versions))
3754
0
                    ch->selected_version = supported_versions[selected_index];
3755
0
            });
3756
0
            break;
3757
0
        case PTLS_EXTENSION_TYPE_COOKIE:
3758
0
            if (properties == NULL || properties->server.cookie.key == NULL) {
3759
0
                ret = PTLS_ALERT_ILLEGAL_PARAMETER;
3760
0
                goto Exit;
3761
0
            }
3762
0
            ch->cookie.all = ptls_iovec_init(src, end - src);
3763
0
            ptls_decode_block(src, end, 2, {
3764
0
                ch->cookie.tbs.base = (void *)src;
3765
0
                ptls_decode_open_block(src, end, 2, {
3766
0
                    ptls_decode_open_block(src, end, 1, {
3767
0
                        ch->cookie.ch1_hash = ptls_iovec_init(src, end - src);
3768
0
                        src = end;
3769
0
                    });
3770
0
                    uint8_t sent_key_share;
3771
0
                    if ((ret = ptls_decode8(&sent_key_share, &src, end)) != 0)
3772
0
                        goto Exit;
3773
0
                    switch (sent_key_share) {
3774
0
                    case 0:
3775
0
                        assert(!ch->cookie.sent_key_share);
3776
0
                        break;
3777
0
                    case 1:
3778
0
                        ch->cookie.sent_key_share = 1;
3779
0
                        break;
3780
0
                    default:
3781
0
                        ret = PTLS_ALERT_DECODE_ERROR;
3782
0
                        goto Exit;
3783
0
                    }
3784
0
                });
3785
0
                ch->cookie.tbs.len = src - ch->cookie.tbs.base;
3786
0
                ptls_decode_block(src, end, 1, {
3787
0
                    ch->cookie.signature = ptls_iovec_init(src, end - src);
3788
0
                    src = end;
3789
0
                });
3790
0
            });
3791
0
            break;
3792
0
        case PTLS_EXTENSION_TYPE_PRE_SHARED_KEY: {
3793
0
            size_t num_identities = 0;
3794
0
            ptls_decode_open_block(src, end, 2, {
3795
0
                do {
3796
0
                    ptls_client_hello_psk_identity_t psk = {{NULL}};
3797
0
                    ptls_decode_open_block(src, end, 2, {
3798
0
                        if (end - src < 1) {
3799
0
                            ret = PTLS_ALERT_DECODE_ERROR;
3800
0
                            goto Exit;
3801
0
                        }
3802
0
                        psk.identity = ptls_iovec_init(src, end - src);
3803
0
                        src = end;
3804
0
                    });
3805
0
                    if ((ret = ptls_decode32(&psk.obfuscated_ticket_age, &src, end)) != 0)
3806
0
                        goto Exit;
3807
0
                    if (ch->psk.identities.count < PTLS_ELEMENTSOF(ch->psk.identities.list))
3808
0
                        ch->psk.identities.list[ch->psk.identities.count++] = psk;
3809
0
                    ++num_identities;
3810
0
                } while (src != end);
3811
0
            });
3812
0
            ch->psk.hash_end = src;
3813
0
            ptls_decode_block(src, end, 2, {
3814
0
                size_t num_binders = 0;
3815
0
                do {
3816
0
                    ptls_decode_open_block(src, end, 1, {
3817
0
                        if (num_binders < ch->psk.identities.count)
3818
0
                            ch->psk.identities.list[num_binders].binder = ptls_iovec_init(src, end - src);
3819
0
                        src = end;
3820
0
                    });
3821
0
                    ++num_binders;
3822
0
                } while (src != end);
3823
0
                if (num_identities != num_binders) {
3824
0
                    ret = PTLS_ALERT_ILLEGAL_PARAMETER;
3825
0
                    goto Exit;
3826
0
                }
3827
0
            });
3828
0
            ch->psk.is_last_extension = 1;
3829
0
        } break;
3830
0
        case PTLS_EXTENSION_TYPE_PSK_KEY_EXCHANGE_MODES:
3831
0
            ptls_decode_block(src, end, 1, {
3832
0
                do {
3833
0
                    uint8_t mode;
3834
0
                    if ((ret = ptls_decode8(&mode, &src, end)) != 0)
3835
0
                        goto Exit;
3836
0
                    if (mode < sizeof(ch->psk.ke_modes) * 8)
3837
0
                        ch->psk.ke_modes |= 1u << mode;
3838
0
                } while (src != end);
3839
0
            });
3840
0
            break;
3841
0
        case PTLS_EXTENSION_TYPE_EARLY_DATA:
3842
0
            ch->psk.early_data_indication = 1;
3843
0
            break;
3844
0
        case PTLS_EXTENSION_TYPE_STATUS_REQUEST:
3845
0
            ch->status_request = 1;
3846
0
            break;
3847
0
        case PTLS_EXTENSION_TYPE_TICKET_REQUEST:
3848
0
            if (end - src != 2) {
3849
0
                ret = PTLS_ALERT_DECODE_ERROR;
3850
0
                goto Exit;
3851
0
            }
3852
0
            ch->ticket_request.new_session_count = *src++;
3853
0
            ch->ticket_request.resumption_count = *src++;
3854
0
            break;
3855
0
        case PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO:
3856
0
            if ((ret = ptls_decode8(&ch->ech.type, &src, end)) != 0)
3857
0
                goto Exit;
3858
0
            switch (ch->ech.type) {
3859
0
            case PTLS_ECH_CLIENT_HELLO_TYPE_OUTER:
3860
0
                if ((ret = ptls_decode16(&ch->ech.cipher_suite.kdf, &src, end)) != 0 ||
3861
0
                    (ret = ptls_decode16(&ch->ech.cipher_suite.aead, &src, end)) != 0)
3862
0
                    goto Exit;
3863
0
                if ((ret = ptls_decode8(&ch->ech.config_id, &src, end)) != 0)
3864
0
                    goto Exit;
3865
0
                ptls_decode_open_block(src, end, 2, {
3866
0
                    ch->ech.enc = ptls_iovec_init(src, end - src);
3867
0
                    src = end;
3868
0
                });
3869
0
                ptls_decode_open_block(src, end, 2, {
3870
0
                    if (src == end) {
3871
0
                        ret = PTLS_ALERT_DECODE_ERROR;
3872
0
                        goto Exit;
3873
0
                    }
3874
0
                    ch->ech.payload = ptls_iovec_init(src, end - src);
3875
0
                    src = end;
3876
0
                });
3877
0
                break;
3878
0
            case PTLS_ECH_CLIENT_HELLO_TYPE_INNER:
3879
0
                if (src != end) {
3880
0
                    ret = PTLS_ALERT_DECODE_ERROR;
3881
0
                    goto Exit;
3882
0
                }
3883
0
                ch->ech.payload = ptls_iovec_init("", 0); /* non-zero base indicates that the extension was received */
3884
0
                break;
3885
0
            default:
3886
0
                ret = PTLS_ALERT_ILLEGAL_PARAMETER;
3887
0
                goto Exit;
3888
0
            }
3889
0
            src = end;
3890
0
            break;
3891
0
        default:
3892
0
            if (tls_cbarg != NULL && should_collect_unknown_extension(tls_cbarg, properties, exttype)) {
3893
0
                if ((ret = collect_unknown_extension(tls_cbarg, exttype, src, end, ch->unknown_extensions)) != 0)
3894
0
                    goto Exit;
3895
0
            }
3896
0
            break;
3897
0
        }
3898
0
        src = end;
3899
0
    });
3900
3901
0
    ret = 0;
3902
0
Exit:
3903
0
    return ret;
3904
0
}
3905
3906
static int rebuild_ch_inner_extensions(ptls_buffer_t *buf, const uint8_t **src, const uint8_t *const end, const uint8_t *outer_ext,
3907
                                       const uint8_t *outer_ext_end)
3908
0
{
3909
0
    int ret;
3910
3911
0
    ptls_buffer_push_block(buf, 2, {
3912
0
        ptls_decode_open_block(*src, end, 2, {
3913
0
            while (*src != end) {
3914
0
                uint16_t exttype;
3915
0
                if ((ret = ptls_decode16(&exttype, src, end)) != 0)
3916
0
                    goto Exit;
3917
0
                ptls_decode_open_block(*src, end, 2, {
3918
0
                    if (exttype == PTLS_EXTENSION_TYPE_ECH_OUTER_EXTENSIONS) {
3919
0
                        ptls_decode_open_block(*src, end, 1, {
3920
0
                            do {
3921
0
                                uint16_t reftype;
3922
0
                                uint16_t outertype;
3923
0
                                uint16_t outersize;
3924
0
                                if ((ret = ptls_decode16(&reftype, src, end)) != 0)
3925
0
                                    goto Exit;
3926
0
                                if (reftype == PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO) {
3927
0
                                    ret = PTLS_ALERT_ILLEGAL_PARAMETER;
3928
0
                                    goto Exit;
3929
0
                                }
3930
0
                                while (1) {
3931
0
                                    if (ptls_decode16(&outertype, &outer_ext, outer_ext_end) != 0 ||
3932
0
                                        ptls_decode16(&outersize, &outer_ext, outer_ext_end) != 0) {
3933
0
                                        ret = PTLS_ALERT_ILLEGAL_PARAMETER;
3934
0
                                        goto Exit;
3935
0
                                    }
3936
0
                                    assert(outer_ext_end - outer_ext >= outersize);
3937
0
                                    if (outertype == reftype)
3938
0
                                        break;
3939
0
                                    outer_ext += outersize;
3940
0
                                }
3941
0
                                buffer_push_extension(buf, reftype, {
3942
0
                                    ptls_buffer_pushv(buf, outer_ext, outersize);
3943
0
                                    outer_ext += outersize;
3944
0
                                });
3945
0
                            } while (*src != end);
3946
0
                        });
3947
0
                    } else {
3948
0
                        buffer_push_extension(buf, exttype, {
3949
0
                            ptls_buffer_pushv(buf, *src, end - *src);
3950
0
                            *src = end;
3951
0
                        });
3952
0
                    }
3953
0
                });
3954
0
            }
3955
0
        });
3956
0
    });
3957
3958
0
Exit:
3959
0
    return ret;
3960
0
}
3961
3962
static int rebuild_ch_inner(ptls_buffer_t *buf, const uint8_t *src, const uint8_t *const end,
3963
                            struct st_ptls_client_hello_t *outer_ch, const uint8_t *outer_ext, const uint8_t *outer_ext_end)
3964
0
{
3965
0
#define COPY_BLOCK(capacity)                                                                                                       \
3966
0
    do {                                                                                                                           \
3967
0
        ptls_decode_open_block(src, end, (capacity), {                                                                             \
3968
0
            ptls_buffer_push_block(buf, (capacity), { ptls_buffer_pushv(buf, src, end - src); });                                  \
3969
0
            src = end;                                                                                                             \
3970
0
        });                                                                                                                        \
3971
0
    } while (0)
3972
3973
0
    int ret;
3974
3975
0
    ptls_buffer_push_message_body(buf, NULL, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, {
3976
0
        { /* legacy_version */
3977
0
            uint16_t legacy_version;
3978
0
            if ((ret = ptls_decode16(&legacy_version, &src, end)) != 0)
3979
0
                goto Exit;
3980
0
            ptls_buffer_push16(buf, legacy_version);
3981
0
        }
3982
3983
        /* hello random */
3984
0
        if (end - src < PTLS_HELLO_RANDOM_SIZE) {
3985
0
            ret = PTLS_ALERT_DECODE_ERROR;
3986
0
            goto Exit;
3987
0
        }
3988
0
        ptls_buffer_pushv(buf, src, PTLS_HELLO_RANDOM_SIZE);
3989
0
        src += PTLS_HELLO_RANDOM_SIZE;
3990
3991
0
        ptls_decode_open_block(src, end, 1, {
3992
0
            if (src != end) {
3993
0
                ret = PTLS_ALERT_ILLEGAL_PARAMETER;
3994
0
                goto Exit;
3995
0
            }
3996
0
        });
3997
0
        ptls_buffer_push_block(buf, 1,
3998
0
                               { ptls_buffer_pushv(buf, outer_ch->legacy_session_id.base, outer_ch->legacy_session_id.len); });
3999
4000
        /* cipher-suites and legacy-compression-methods */
4001
0
        COPY_BLOCK(2);
4002
0
        COPY_BLOCK(1);
4003
4004
        /* extensions */
4005
0
        if ((ret = rebuild_ch_inner_extensions(buf, &src, end, outer_ext, outer_ext_end)) != 0)
4006
0
            goto Exit;
4007
0
    });
4008
4009
    /* padding must be all zero */
4010
0
    for (; src != end; ++src) {
4011
0
        if (*src != '\0') {
4012
0
            ret = PTLS_ALERT_ILLEGAL_PARAMETER;
4013
0
            goto Exit;
4014
0
        }
4015
0
    }
4016
4017
0
Exit:
4018
0
    return ret;
4019
4020
0
#undef COPY_BLOCK
4021
0
}
4022
4023
/* Wrapper function for invoking the on_client_hello callback, taking an exhaustive list of parameters as arguments. The intention
4024
 * is to not miss setting them as we add new parameters to the struct. */
4025
static inline int call_on_client_hello_cb(ptls_t *tls, ptls_iovec_t server_name, ptls_iovec_t raw_message,
4026
                                          ptls_iovec_t cipher_suites, ptls_iovec_t *alpns, size_t num_alpns,
4027
                                          const uint16_t *sig_algos, size_t num_sig_algos, const uint16_t *cert_comp_algos,
4028
                                          size_t num_cert_comp_algos, const uint8_t *server_cert_types,
4029
                                          size_t num_server_cert_types, const ptls_client_hello_psk_identity_t *psk_identities,
4030
                                          size_t num_psk_identities, int incompatible_version)
4031
0
{
4032
0
    if (tls->ctx->on_client_hello == NULL)
4033
0
        return 0;
4034
4035
0
    ptls_on_client_hello_parameters_t params = {server_name,
4036
0
                                                raw_message,
4037
0
                                                cipher_suites,
4038
0
                                                {alpns, num_alpns},
4039
0
                                                {sig_algos, num_sig_algos},
4040
0
                                                {cert_comp_algos, num_cert_comp_algos},
4041
0
                                                {server_cert_types, num_server_cert_types},
4042
0
                                                {psk_identities, num_psk_identities},
4043
0
                                                incompatible_version};
4044
0
    return tls->ctx->on_client_hello->cb(tls->ctx->on_client_hello, tls, &params);
4045
0
}
4046
4047
static int check_client_hello_constraints(ptls_context_t *ctx, struct st_ptls_client_hello_t *ch, const void *prev_random,
4048
                                          int ech_is_inner_ch, ptls_iovec_t raw_message, ptls_t *tls_cbarg)
4049
0
{
4050
0
    int is_second_flight = prev_random != 0;
4051
4052
    /* The following check is necessary so that we would be able to track the connection in SSLKEYLOGFILE, even though it might not
4053
     * be for the safety of the protocol. */
4054
0
    if (is_second_flight && !ptls_mem_equal(ch->random_bytes, prev_random, PTLS_HELLO_RANDOM_SIZE))
4055
0
        return PTLS_ALERT_HANDSHAKE_FAILURE;
4056
4057
    /* bail out if CH cannot be handled as TLS 1.3 */
4058
0
    if (!is_supported_version(ch->selected_version)) {
4059
        /* ECH: server MUST abort with an "illegal_parameter" alert if the client offers TLS 1.2 or below (draft-15 7.1) */
4060
0
        if (ech_is_inner_ch)
4061
0
            return PTLS_ALERT_ILLEGAL_PARAMETER;
4062
        /* fail with PROTOCOL_VERSION alert, after providing the applications the raw CH and SNI to help them fallback */
4063
0
        if (!is_second_flight) {
4064
0
            int ret;
4065
0
            if ((ret = call_on_client_hello_cb(tls_cbarg, ch->server_name, raw_message, ch->cipher_suites, ch->alpn.list,
4066
0
                                               ch->alpn.count, NULL, 0, NULL, 0, NULL, 0, NULL, 0, 1)) != 0)
4067
0
                return ret;
4068
0
        }
4069
0
        return PTLS_ALERT_PROTOCOL_VERSION;
4070
0
    }
4071
4072
    /* Check TLS 1.3-specific constraints. Hereafter, we might exit without calling on_client_hello. That's fine because this CH is
4073
     * ought to be rejected. */
4074
0
    if (ch->legacy_version <= 0x0300) {
4075
        /* RFC 8446 Appendix D.5: any endpoint receiving a Hello message with legacy_version set to 0x0300 MUST abort the handshake
4076
         * with a "protocol_version" alert. */
4077
0
        return PTLS_ALERT_PROTOCOL_VERSION;
4078
0
    }
4079
0
    if (!(ch->compression_methods.count == 1 && ch->compression_methods.ids[0] == 0))
4080
0
        return PTLS_ALERT_ILLEGAL_PARAMETER;
4081
    /* pre-shared key */
4082
0
    if (ch->psk.hash_end != NULL) {
4083
        /* PSK must be the last extension */
4084
0
        if (!ch->psk.is_last_extension)
4085
0
            return PTLS_ALERT_ILLEGAL_PARAMETER;
4086
0
    } else {
4087
0
        if (ch->psk.early_data_indication)
4088
0
            return PTLS_ALERT_ILLEGAL_PARAMETER;
4089
0
    }
4090
4091
0
    if (ech_is_inner_ch && ch->ech.payload.base == NULL)
4092
0
        return PTLS_ALERT_ILLEGAL_PARAMETER;
4093
0
    if (ch->ech.payload.base != NULL &&
4094
0
        ch->ech.type != (ech_is_inner_ch ? PTLS_ECH_CLIENT_HELLO_TYPE_INNER : PTLS_ECH_CLIENT_HELLO_TYPE_OUTER))
4095
0
        return PTLS_ALERT_ILLEGAL_PARAMETER;
4096
4097
0
    return 0;
4098
0
}
4099
4100
static int vec_is_string(ptls_iovec_t x, const char *y)
4101
0
{
4102
0
    return strncmp((const char *)x.base, y, x.len) == 0 && y[x.len] == '\0';
4103
0
}
4104
4105
/**
4106
 * Looks for a PSK identity that can be used, and if found, updates the handshake state and returns the necessary variables. If
4107
 * `ptls_context_t::pre_shared_key` is set, only tries handshake using those keys provided. Otherwise, tries resumption.
4108
 */
4109
static int try_psk_handshake(ptls_t *tls, size_t *psk_index, int *accept_early_data, struct st_ptls_client_hello_t *ch,
4110
                             ptls_iovec_t ch_trunc, int is_second_flight)
4111
0
{
4112
0
    ptls_buffer_t decbuf;
4113
0
    ptls_iovec_t secret, ticket_ctx, ticket_negotiated_protocol;
4114
0
    uint64_t issue_at, now = tls->ctx->get_time->cb(tls->ctx->get_time);
4115
0
    uint32_t age_add;
4116
0
    uint16_t ticket_key_exchange_id, ticket_csid;
4117
0
    uint8_t binder_key[PTLS_MAX_DIGEST_SIZE];
4118
0
    int ret;
4119
4120
0
    ptls_buffer_init(&decbuf, "", 0);
4121
4122
0
    for (*psk_index = 0; *psk_index < ch->psk.identities.count; ++*psk_index) {
4123
0
        ptls_client_hello_psk_identity_t *identity = ch->psk.identities.list + *psk_index;
4124
4125
        /* negotiate using fixed pre-shared key */
4126
0
        if (tls->ctx->pre_shared_key.identity.base != NULL) {
4127
0
            if (identity->identity.len == tls->ctx->pre_shared_key.identity.len &&
4128
0
                memcmp(identity->identity.base, tls->ctx->pre_shared_key.identity.base, identity->identity.len) == 0) {
4129
0
                *accept_early_data = ch->psk.early_data_indication && *psk_index == 0;
4130
0
                tls->key_share = NULL;
4131
0
                secret = tls->ctx->pre_shared_key.secret;
4132
0
                goto Found;
4133
0
            }
4134
0
            continue;
4135
0
        }
4136
4137
        /* decrypt ticket and decode */
4138
0
        if (tls->ctx->encrypt_ticket == NULL || tls->ctx->key_exchanges == NULL)
4139
0
            continue;
4140
0
        int can_accept_early_data = *psk_index == 0;
4141
0
        decbuf.off = 0;
4142
0
        switch (tls->ctx->encrypt_ticket->cb(tls->ctx->encrypt_ticket, tls, 0, &decbuf, identity->identity)) {
4143
0
        case 0: /* decrypted */
4144
0
            break;
4145
0
        case PTLS_ERROR_REJECT_EARLY_DATA: /* decrypted, but early data is rejected */
4146
0
            can_accept_early_data = 0;
4147
0
            break;
4148
0
        default: /* decryption failure */
4149
0
            continue;
4150
0
        }
4151
0
        if (decode_session_identifier(&issue_at, &secret, &age_add, &ticket_ctx, &ticket_key_exchange_id, &ticket_csid,
4152
0
                                      &ticket_negotiated_protocol, decbuf.base, decbuf.base + decbuf.off) != 0)
4153
0
            continue;
4154
        /* check age */
4155
0
        if (now < issue_at)
4156
0
            continue;
4157
0
        if (now - issue_at > (uint64_t)tls->ctx->ticket_lifetime * 1000)
4158
0
            continue;
4159
0
        *accept_early_data = 0;
4160
0
        if (ch->psk.early_data_indication && can_accept_early_data) {
4161
            /* accept early-data if abs(diff) between the reported age and the actual age is within += 10 seconds */
4162
0
            int64_t delta = (now - issue_at) - (identity->obfuscated_ticket_age - age_add);
4163
0
            if (delta < 0)
4164
0
                delta = -delta;
4165
0
            if (tls->ctx->max_early_data_size != 0 && delta <= PTLS_EARLY_DATA_MAX_DELAY)
4166
0
                *accept_early_data = 1;
4167
0
        }
4168
        /* check ticket context */
4169
0
        if (tls->ctx->ticket_context.is_set) {
4170
0
            if (!(ticket_ctx.len == sizeof(tls->ctx->ticket_context.bytes) &&
4171
0
                  memcmp(ticket_ctx.base, tls->ctx->ticket_context.bytes, ticket_ctx.len) == 0))
4172
0
                continue;
4173
0
        } else {
4174
            /* check server-name */
4175
0
            if (ticket_ctx.len != 0) {
4176
0
                if (tls->server_name == NULL)
4177
0
                    continue;
4178
0
                if (!vec_is_string(ticket_ctx, tls->server_name))
4179
0
                    continue;
4180
0
            } else {
4181
0
                if (tls->server_name != NULL)
4182
0
                    continue;
4183
0
            }
4184
0
        }
4185
0
        { /* check key-exchange */
4186
0
            ptls_key_exchange_algorithm_t **a;
4187
0
            for (a = tls->ctx->key_exchanges; *a != NULL && (*a)->id != ticket_key_exchange_id; ++a)
4188
0
                ;
4189
0
            if (*a == NULL)
4190
0
                continue;
4191
0
            tls->key_share = *a;
4192
0
        }
4193
        /* check cipher-suite */
4194
0
        if (ticket_csid != tls->cipher_suite->id)
4195
0
            continue;
4196
        /* check negotiated-protocol */
4197
0
        if (ticket_negotiated_protocol.len != 0) {
4198
0
            if (tls->negotiated_protocol == NULL)
4199
0
                continue;
4200
0
            if (!vec_is_string(ticket_negotiated_protocol, tls->negotiated_protocol))
4201
0
                continue;
4202
0
        }
4203
        /* check the length of the decrypted psk and the PSK binder */
4204
0
        if (secret.len != tls->key_schedule->hashes[0].algo->digest_size)
4205
0
            continue;
4206
0
        if (ch->psk.identities.list[*psk_index].binder.len != tls->key_schedule->hashes[0].algo->digest_size)
4207
0
            continue;
4208
4209
        /* found */
4210
0
        goto Found;
4211
0
    }
4212
4213
    /* not found */
4214
0
    *psk_index = SIZE_MAX;
4215
0
    *accept_early_data = 0;
4216
0
    tls->key_share = NULL;
4217
0
    ret = 0;
4218
0
    goto Exit;
4219
4220
0
Found:
4221
0
    if (!is_second_flight && (ret = key_schedule_extract(tls->key_schedule, secret)) != 0)
4222
0
        goto Exit;
4223
0
    if ((ret = derive_secret_with_empty_digest(tls->key_schedule, binder_key,
4224
0
                                               tls->ctx->pre_shared_key.secret.base != NULL ? "ext binder" : "res binder")) != 0)
4225
0
        goto Exit;
4226
0
    ptls__key_schedule_update_hash(tls->key_schedule, ch_trunc.base, ch_trunc.len, 0);
4227
0
    if ((ret = calc_verify_data(binder_key /* to conserve space, reuse binder_key for storing verify_data */, tls->key_schedule,
4228
0
                                binder_key)) != 0)
4229
0
        goto Exit;
4230
0
    if (!ptls_mem_equal(ch->psk.identities.list[*psk_index].binder.base, binder_key,
4231
0
                        tls->key_schedule->hashes[0].algo->digest_size)) {
4232
0
        ret = PTLS_ALERT_DECRYPT_ERROR;
4233
0
        goto Exit;
4234
0
    }
4235
0
    ret = 0;
4236
4237
0
Exit:
4238
0
    ptls_buffer_dispose(&decbuf);
4239
0
    ptls_clear_memory(binder_key, sizeof(binder_key));
4240
0
    return ret;
4241
0
}
4242
4243
static int calc_cookie_signature(ptls_t *tls, ptls_handshake_properties_t *properties,
4244
                                 ptls_key_exchange_algorithm_t *negotiated_group, ptls_iovec_t tbs, uint8_t *sig)
4245
0
{
4246
0
    ptls_hash_algorithm_t *algo = tls->ctx->cipher_suites[0]->hash;
4247
0
    ptls_hash_context_t *hctx;
4248
4249
0
    if ((hctx = ptls_hmac_create(algo, properties->server.cookie.key, algo->digest_size)) == NULL)
4250
0
        return PTLS_ERROR_NO_MEMORY;
4251
4252
0
#define UPDATE_BLOCK(p, _len)                                                                                                      \
4253
0
    do {                                                                                                                           \
4254
0
        size_t len = (_len);                                                                                                       \
4255
0
        assert(len < UINT8_MAX);                                                                                                   \
4256
0
        uint8_t len8 = (uint8_t)len;                                                                                               \
4257
0
        hctx->update(hctx, &len8, 1);                                                                                              \
4258
0
        hctx->update(hctx, (p), len);                                                                                              \
4259
0
    } while (0)
4260
0
#define UPDATE16(_v)                                                                                                               \
4261
0
    do {                                                                                                                           \
4262
0
        uint16_t v = (_v);                                                                                                         \
4263
0
        uint8_t b[2] = {v >> 8, v & 0xff};                                                                                         \
4264
0
        hctx->update(hctx, b, 2);                                                                                                  \
4265
0
    } while (0)
4266
4267
0
    UPDATE_BLOCK(tls->client_random, sizeof(tls->client_random));
4268
0
    UPDATE_BLOCK(tls->server_name, tls->server_name != NULL ? strlen(tls->server_name) : 0);
4269
0
    UPDATE16(tls->cipher_suite->id);
4270
0
    UPDATE16(negotiated_group != NULL ? negotiated_group->id : 0);
4271
0
    UPDATE_BLOCK(properties->server.cookie.additional_data.base, properties->server.cookie.additional_data.len);
4272
4273
0
    UPDATE_BLOCK(tbs.base, tbs.len);
4274
4275
0
#undef UPDATE_BLOCK
4276
0
#undef UPDATE16
4277
4278
0
    hctx->final(hctx, sig, PTLS_HASH_FINAL_MODE_FREE);
4279
0
    return 0;
4280
0
}
4281
4282
static int certificate_type_exists(uint8_t *list, size_t count, uint8_t desired_type)
4283
0
{
4284
    /* empty type list means that we default to x509 */
4285
0
    if (desired_type == PTLS_CERTIFICATE_TYPE_X509 && count == 0)
4286
0
        return 1;
4287
0
    for (size_t i = 0; i < count; i++) {
4288
0
        if (list[i] == desired_type)
4289
0
            return 1;
4290
0
    }
4291
0
    return 0;
4292
0
}
4293
4294
static int server_handle_hello(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message,
4295
                               ptls_handshake_properties_t *properties)
4296
0
{
4297
0
#define EMIT_SERVER_HELLO(sched, fill_rand, extensions, post_action)                                                               \
4298
0
    do {                                                                                                                           \
4299
0
        size_t sh_start_off;                                                                                                       \
4300
0
        ptls_push_message(emitter, NULL, PTLS_HANDSHAKE_TYPE_SERVER_HELLO, {                                                       \
4301
0
            sh_start_off = emitter->buf->off - PTLS_HANDSHAKE_HEADER_SIZE;                                                         \
4302
0
            ptls_buffer_push16(emitter->buf, 0x0303 /* legacy version */);                                                         \
4303
0
            if ((ret = ptls_buffer_reserve(emitter->buf, PTLS_HELLO_RANDOM_SIZE)) != 0)                                            \
4304
0
                goto Exit;                                                                                                         \
4305
0
            do {                                                                                                                   \
4306
0
                fill_rand                                                                                                          \
4307
0
            } while (0);                                                                                                           \
4308
0
            emitter->buf->off += PTLS_HELLO_RANDOM_SIZE;                                                                           \
4309
0
            ptls_buffer_push_block(emitter->buf, 1,                                                                                \
4310
0
                                   { ptls_buffer_pushv(emitter->buf, ch->legacy_session_id.base, ch->legacy_session_id.len); });   \
4311
0
            ptls_buffer_push16(emitter->buf, tls->cipher_suite->id);                                                               \
4312
0
            ptls_buffer_push(emitter->buf, 0);                                                                                     \
4313
0
            ptls_buffer_push_block(emitter->buf, 2, {                                                                              \
4314
0
                buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS,                                        \
4315
0
                                      { ptls_buffer_push16(emitter->buf, ch->selected_version); });                                \
4316
0
                do {                                                                                                               \
4317
0
                    extensions                                                                                                     \
4318
0
                } while (0);                                                                                                       \
4319
0
            });                                                                                                                    \
4320
0
        });                                                                                                                        \
4321
0
        do {                                                                                                                       \
4322
0
            post_action                                                                                                            \
4323
0
        } while (0);                                                                                                               \
4324
0
        ptls__key_schedule_update_hash((sched), emitter->buf->base + sh_start_off, emitter->buf->off - sh_start_off, 0);           \
4325
0
    } while (0)
4326
4327
0
#define EMIT_HELLO_RETRY_REQUEST(sched, negotiated_group, additional_extensions, post_action)                                      \
4328
0
    EMIT_SERVER_HELLO((sched), { memcpy(emitter->buf->base + emitter->buf->off, hello_retry_random, PTLS_HELLO_RANDOM_SIZE); },    \
4329
0
                      {                                                                                                            \
4330
0
                          ptls_key_exchange_algorithm_t *_negotiated_group = (negotiated_group);                                   \
4331
0
                          if (_negotiated_group != NULL) {                                                                         \
4332
0
                              buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_KEY_SHARE,                                   \
4333
0
                                                    { ptls_buffer_push16(emitter->buf, _negotiated_group->id); });                 \
4334
0
                          }                                                                                                        \
4335
0
                          do {                                                                                                     \
4336
0
                              additional_extensions                                                                                \
4337
0
                          } while (0);                                                                                             \
4338
0
                      },                                                                                                           \
4339
0
                      post_action)
4340
0
    struct st_ptls_client_hello_t *ch;
4341
0
    struct {
4342
0
        ptls_key_exchange_algorithm_t *algorithm;
4343
0
        ptls_iovec_t peer_key;
4344
0
    } key_share = {NULL};
4345
0
    struct {
4346
0
        uint8_t *encoded_ch_inner;
4347
0
        uint8_t *ch_outer_aad;
4348
0
        ptls_buffer_t ch_inner;
4349
0
    } ech = {NULL};
4350
0
    enum { HANDSHAKE_MODE_FULL, HANDSHAKE_MODE_PSK, HANDSHAKE_MODE_PSK_DHE } mode;
4351
0
    size_t psk_index = SIZE_MAX;
4352
0
    ptls_iovec_t pubkey = {0}, ecdh_secret = {0};
4353
0
    int accept_early_data = 0, is_second_flight = tls->state == PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO, ret;
4354
4355
0
    ptls_buffer_init(&ech.ch_inner, "", 0);
4356
4357
0
    if ((ch = malloc(sizeof(*ch))) == NULL) {
4358
0
        ret = PTLS_ERROR_NO_MEMORY;
4359
0
        goto Exit;
4360
0
    }
4361
4362
0
    *ch = (struct st_ptls_client_hello_t){.unknown_extensions = {{UINT16_MAX}}};
4363
4364
    /* decode ClientHello */
4365
0
    if ((ret = decode_client_hello(tls->ctx, ch, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len, properties,
4366
0
                                   tls)) != 0)
4367
0
        goto Exit;
4368
0
    if ((ret = check_client_hello_constraints(tls->ctx, ch, is_second_flight ? tls->client_random : NULL, 0, message, tls)) != 0)
4369
0
        goto Exit;
4370
0
    if (!is_second_flight) {
4371
0
        memcpy(tls->client_random, ch->random_bytes, PTLS_HELLO_RANDOM_SIZE);
4372
0
        log_client_random(tls);
4373
0
    } else {
4374
        /* consistency check for ECH extension in response to HRR */
4375
0
        if (tls->ech.aead != NULL) {
4376
0
            if (ch->ech.payload.base == NULL) {
4377
0
                ret = PTLS_ALERT_MISSING_EXTENSION;
4378
0
                goto Exit;
4379
0
            }
4380
0
            if (!(ch->ech.config_id == tls->ech.config_id && ch->ech.cipher_suite.kdf == tls->ech.cipher->id.kdf &&
4381
0
                  ch->ech.cipher_suite.aead == tls->ech.cipher->id.aead && ch->ech.enc.len == 0)) {
4382
0
                ret = PTLS_ALERT_ILLEGAL_PARAMETER;
4383
0
                goto Exit;
4384
0
            }
4385
0
        }
4386
0
    }
4387
4388
    /* ECH */
4389
0
    if (ch->ech.payload.base != NULL) {
4390
0
        if (ch->ech.type != PTLS_ECH_CLIENT_HELLO_TYPE_OUTER) {
4391
0
            ret = PTLS_ALERT_ILLEGAL_PARAMETER;
4392
0
            goto Exit;
4393
0
        }
4394
0
        if (!is_second_flight)
4395
0
            tls->ech.offered = 1;
4396
        /* obtain AEAD context for opening inner CH */
4397
0
        if (!is_second_flight && ch->ech.payload.base != NULL && tls->ctx->ech.server.create_opener != NULL) {
4398
0
            if ((tls->ech.aead = tls->ctx->ech.server.create_opener->cb(
4399
0
                     tls->ctx->ech.server.create_opener, &tls->ech.kem, &tls->ech.cipher, tls, ch->ech.config_id,
4400
0
                     ch->ech.cipher_suite, ch->ech.enc, ptls_iovec_init(ech_info_prefix, sizeof(ech_info_prefix)))) != NULL)
4401
0
                tls->ech.config_id = ch->ech.config_id;
4402
0
        }
4403
0
        if (!is_second_flight) {
4404
0
            PTLS_PROBE(ECH_SELECTION, tls, tls->ech.aead != NULL);
4405
0
            PTLS_LOG_CONN(ech_selection, tls, { PTLS_LOG_ELEMENT_BOOL(is_ech, tls->ech.aead != NULL); });
4406
0
        }
4407
0
        if (tls->ech.aead != NULL) {
4408
            /* now that AEAD context is available, create AAD and decrypt inner CH */
4409
0
            if ((ech.encoded_ch_inner = malloc(ch->ech.payload.len - tls->ech.aead->algo->tag_size)) == NULL ||
4410
0
                (ech.ch_outer_aad = malloc(message.len - PTLS_HANDSHAKE_HEADER_SIZE)) == NULL) {
4411
0
                ret = PTLS_ERROR_NO_MEMORY;
4412
0
                goto Exit;
4413
0
            }
4414
0
            memcpy(ech.ch_outer_aad, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.len - PTLS_HANDSHAKE_HEADER_SIZE);
4415
0
            memset(ech.ch_outer_aad + (ch->ech.payload.base - (message.base + PTLS_HANDSHAKE_HEADER_SIZE)), 0, ch->ech.payload.len);
4416
0
            if (ptls_aead_decrypt(tls->ech.aead, ech.encoded_ch_inner, ch->ech.payload.base, ch->ech.payload.len, is_second_flight,
4417
0
                                  ech.ch_outer_aad, message.len - PTLS_HANDSHAKE_HEADER_SIZE) != SIZE_MAX) {
4418
0
                tls->ech.accepted = 1;
4419
                /* successfully decrypted EncodedCHInner, build CHInner */
4420
0
                if ((ret = rebuild_ch_inner(&ech.ch_inner, ech.encoded_ch_inner,
4421
0
                                            ech.encoded_ch_inner + ch->ech.payload.len - tls->ech.aead->algo->tag_size, ch,
4422
0
                                            message.base + PTLS_HANDSHAKE_HEADER_SIZE + ch->first_extension_at,
4423
0
                                            message.base + message.len)) != 0)
4424
0
                    goto Exit;
4425
                /* treat inner ch as the message being received, re-decode it */
4426
0
                message = ptls_iovec_init(ech.ch_inner.base, ech.ch_inner.off);
4427
0
                *ch = (struct st_ptls_client_hello_t){.unknown_extensions = {{UINT16_MAX}}};
4428
0
                if ((ret = decode_client_hello(tls->ctx, ch, ech.ch_inner.base + PTLS_HANDSHAKE_HEADER_SIZE,
4429
0
                                               ech.ch_inner.base + ech.ch_inner.off, properties, tls)) != 0)
4430
0
                    goto Exit;
4431
0
                if ((ret = check_client_hello_constraints(tls->ctx, ch, is_second_flight ? tls->ech.inner_client_random : NULL, 1,
4432
0
                                                          message, tls)) != 0)
4433
0
                    goto Exit;
4434
0
                if (!is_second_flight)
4435
0
                    memcpy(tls->ech.inner_client_random, ch->random_bytes, PTLS_HELLO_RANDOM_SIZE);
4436
0
            } else if (is_second_flight) {
4437
                /* decryption failure of inner CH in 2nd CH is fatal */
4438
0
                ret = PTLS_ALERT_DECRYPT_ERROR;
4439
0
                goto Exit;
4440
0
            } else {
4441
                /* decryption failure of 1st CH indicates key mismatch; dispose of AEAD context to indicate adoption of outerCH */
4442
0
                ptls_aead_free(tls->ech.aead);
4443
0
                tls->ech.aead = NULL;
4444
0
            }
4445
0
        }
4446
0
    } else if (tls->ech.offered) {
4447
0
        assert(is_second_flight);
4448
0
        ret = PTLS_ALERT_ILLEGAL_PARAMETER;
4449
0
        goto Exit;
4450
0
    }
4451
4452
0
    if (tls->ctx->require_dhe_on_psk)
4453
0
        ch->psk.ke_modes &= ~(1u << PTLS_PSK_KE_MODE_PSK);
4454
4455
    /* handle client_random, legacy_session_id, SNI, ESNI */
4456
0
    if (!is_second_flight) {
4457
0
        if (ch->legacy_session_id.len != 0)
4458
0
            tls->send_change_cipher_spec = 1;
4459
0
        ptls_iovec_t server_name = {NULL};
4460
0
        if (ch->server_name.base != NULL)
4461
0
            server_name = ch->server_name;
4462
0
        if ((ret = call_on_client_hello_cb(tls, server_name, message, ch->cipher_suites, ch->alpn.list, ch->alpn.count,
4463
0
                                           ch->signature_algorithms.list, ch->signature_algorithms.count,
4464
0
                                           ch->cert_compression_algos.list, ch->cert_compression_algos.count,
4465
0
                                           ch->server_certificate_types.list, ch->server_certificate_types.count,
4466
0
                                           ch->psk.identities.list, ch->psk.identities.count, 0)) != 0)
4467
0
            goto Exit;
4468
0
        if (!certificate_type_exists(ch->server_certificate_types.list, ch->server_certificate_types.count,
4469
0
                                     tls->ctx->use_raw_public_keys ? PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY
4470
0
                                                                   : PTLS_CERTIFICATE_TYPE_X509)) {
4471
0
            ret = PTLS_ALERT_UNSUPPORTED_CERTIFICATE;
4472
0
            goto Exit;
4473
0
        }
4474
0
    } else {
4475
0
        if (ch->psk.early_data_indication) {
4476
0
            ret = PTLS_ALERT_DECODE_ERROR;
4477
0
            goto Exit;
4478
0
        }
4479
        /* We compare SNI only when the value is saved by the on_client_hello callback. This should be OK because we are
4480
         * ignoring the value unless the callback saves the server-name. */
4481
0
        if (tls->server_name != NULL) {
4482
0
            size_t l = strlen(tls->server_name);
4483
0
            if (!(ch->server_name.len == l && memcmp(ch->server_name.base, tls->server_name, l) == 0)) {
4484
0
                ret = PTLS_ALERT_HANDSHAKE_FAILURE;
4485
0
                goto Exit;
4486
0
            }
4487
0
        }
4488
0
    }
4489
4490
0
    { /* select (or check) cipher-suite, create key_schedule */
4491
0
        ptls_cipher_suite_t *cs;
4492
0
        if ((ret = select_cipher(&cs, tls->ctx->cipher_suites, ch->cipher_suites.base,
4493
0
                                 ch->cipher_suites.base + ch->cipher_suites.len, tls->ctx->server_cipher_preference,
4494
0
                                 tls->ctx->server_cipher_chacha_priority, tls->ctx->pre_shared_key.hash)) != 0)
4495
0
            goto Exit;
4496
0
        if (!is_second_flight) {
4497
0
            tls->cipher_suite = cs;
4498
0
            if ((tls->key_schedule = key_schedule_new(cs, NULL, 0)) == NULL) {
4499
0
                ret = PTLS_ERROR_NO_MEMORY;
4500
0
                goto Exit;
4501
0
            }
4502
0
        } else {
4503
0
            if (tls->cipher_suite != cs) {
4504
0
                ret = PTLS_ALERT_HANDSHAKE_FAILURE;
4505
0
                goto Exit;
4506
0
            }
4507
0
        }
4508
0
    }
4509
4510
    /* select key_share */
4511
0
    if (key_share.algorithm == NULL && ch->key_shares.base != NULL && tls->ctx->key_exchanges != NULL) {
4512
0
        const uint8_t *src = ch->key_shares.base, *const end = src + ch->key_shares.len;
4513
0
        ptls_decode_block(src, end, 2, {
4514
0
            if ((ret = select_key_share(&key_share.algorithm, &key_share.peer_key, tls->ctx->key_exchanges, &src, end, 0)) != 0)
4515
0
                goto Exit;
4516
0
        });
4517
0
    }
4518
4519
0
    if (!is_second_flight) {
4520
0
        if (ch->cookie.all.len != 0 && key_share.algorithm != NULL) {
4521
4522
0
            { /* use cookie to check the integrity of the handshake, and update the context */
4523
0
                uint8_t sig[PTLS_MAX_DIGEST_SIZE];
4524
0
                size_t sigsize = tls->ctx->cipher_suites[0]->hash->digest_size;
4525
0
                if ((ret = calc_cookie_signature(tls, properties, key_share.algorithm, ch->cookie.tbs, sig)) != 0)
4526
0
                    goto Exit;
4527
0
                if (!(ch->cookie.signature.len == sigsize && ptls_mem_equal(ch->cookie.signature.base, sig, sigsize))) {
4528
0
                    ret = PTLS_ALERT_HANDSHAKE_FAILURE;
4529
0
                    goto Exit;
4530
0
                }
4531
0
            }
4532
            /* integrity check passed; update states */
4533
0
            key_schedule_update_ch1hash_prefix(tls->key_schedule);
4534
0
            ptls__key_schedule_update_hash(tls->key_schedule, ch->cookie.ch1_hash.base, ch->cookie.ch1_hash.len, 0);
4535
0
            key_schedule_extract(tls->key_schedule,
4536
0
                                 tls->ctx->pre_shared_key.secret /* this argument will be a zero-length vector unless external PSK
4537
0
                                                                  is used, and that's fine; we never resume when sending HRR */);
4538
            /* ... reusing sendbuf to rebuild HRR for hash calculation */
4539
0
            size_t hrr_start = emitter->buf->off;
4540
0
            EMIT_HELLO_RETRY_REQUEST(tls->key_schedule, ch->cookie.sent_key_share ? key_share.algorithm : NULL,
4541
0
                                     {
4542
0
                                         buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_COOKIE, {
4543
0
                                             ptls_buffer_pushv(emitter->buf, ch->cookie.all.base, ch->cookie.all.len);
4544
0
                                         });
4545
0
                                     },
4546
0
                                     {});
4547
0
            emitter->buf->off = hrr_start;
4548
0
            is_second_flight = 1;
4549
4550
0
        } else if (ch->key_shares.base != NULL && tls->ctx->key_exchanges != NULL &&
4551
0
                   (key_share.algorithm == NULL || (properties != NULL && properties->server.enforce_retry))) {
4552
            /* send HelloRetryRequest, when trying to negotiate the key share but enforced by config or upon key-share mismatch */
4553
0
            if (ch->negotiated_groups.base == NULL) {
4554
0
                ret = PTLS_ALERT_MISSING_EXTENSION;
4555
0
                goto Exit;
4556
0
            }
4557
0
            ptls_key_exchange_algorithm_t *negotiated_group;
4558
0
            if ((ret = select_negotiated_group(&negotiated_group, tls->ctx->key_exchanges, ch->negotiated_groups.base,
4559
0
                                               ch->negotiated_groups.base + ch->negotiated_groups.len)) != 0)
4560
0
                goto Exit;
4561
0
            ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0);
4562
0
            assert(tls->key_schedule->generation == 0);
4563
4564
            /* Either send a stateless retry (w. cookies) or a stateful one. When sending the latter, run the state machine. At the
4565
             * moment, stateless retry is disabled when ECH is used (do we need to support it?). */
4566
0
            int retry_uses_cookie =
4567
0
                properties != NULL && properties->server.retry_uses_cookie && !ptls_is_ech_handshake(tls, NULL, NULL, NULL);
4568
0
            if (!retry_uses_cookie) {
4569
0
                key_schedule_transform_post_ch1hash(tls->key_schedule);
4570
0
                key_schedule_extract(tls->key_schedule, tls->ctx->pre_shared_key.secret /* see comment above */);
4571
0
            }
4572
0
            size_t ech_confirm_off = 0;
4573
0
            EMIT_HELLO_RETRY_REQUEST(
4574
0
                tls->key_schedule, key_share.algorithm != NULL ? NULL : negotiated_group,
4575
0
                {
4576
0
                    ptls_buffer_t *sendbuf = emitter->buf;
4577
0
                    if (ptls_is_ech_handshake(tls, NULL, NULL, NULL)) {
4578
0
                        buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, {
4579
0
                            if ((ret = ptls_buffer_reserve(sendbuf, PTLS_ECH_CONFIRM_LENGTH)) != 0)
4580
0
                                goto Exit;
4581
0
                            memset(sendbuf->base + sendbuf->off, 0, PTLS_ECH_CONFIRM_LENGTH);
4582
0
                            ech_confirm_off = sendbuf->off;
4583
0
                            sendbuf->off += PTLS_ECH_CONFIRM_LENGTH;
4584
0
                        });
4585
0
                    }
4586
0
                    if (retry_uses_cookie) {
4587
0
                        buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_COOKIE, {
4588
0
                            ptls_buffer_push_block(sendbuf, 2, {
4589
                                /* push to-be-signed data */
4590
0
                                size_t tbs_start = sendbuf->off;
4591
0
                                ptls_buffer_push_block(sendbuf, 2, {
4592
                                    /* first block of the cookie data is the hash(ch1) */
4593
0
                                    ptls_buffer_push_block(sendbuf, 1, {
4594
0
                                        size_t sz = tls->cipher_suite->hash->digest_size;
4595
0
                                        if ((ret = ptls_buffer_reserve(sendbuf, sz)) != 0)
4596
0
                                            goto Exit;
4597
0
                                        key_schedule_extract_ch1hash(tls->key_schedule, sendbuf->base + sendbuf->off);
4598
0
                                        sendbuf->off += sz;
4599
0
                                    });
4600
                                    /* second is if we have sent key_share extension */
4601
0
                                    ptls_buffer_push(sendbuf, key_share.algorithm == NULL);
4602
                                    /* we can add more data here */
4603
0
                                });
4604
0
                                size_t tbs_len = sendbuf->off - tbs_start;
4605
                                /* push the signature */
4606
0
                                ptls_buffer_push_block(sendbuf, 1, {
4607
0
                                    size_t sz = tls->ctx->cipher_suites[0]->hash->digest_size;
4608
0
                                    if ((ret = ptls_buffer_reserve(sendbuf, sz)) != 0)
4609
0
                                        goto Exit;
4610
0
                                    if ((ret = calc_cookie_signature(tls, properties, negotiated_group,
4611
0
                                                                     ptls_iovec_init(sendbuf->base + tbs_start, tbs_len),
4612
0
                                                                     sendbuf->base + sendbuf->off)) != 0)
4613
0
                                        goto Exit;
4614
0
                                    sendbuf->off += sz;
4615
0
                                });
4616
0
                            });
4617
0
                        });
4618
0
                    }
4619
0
                },
4620
0
                {
4621
0
                    if (ech_confirm_off != 0 &&
4622
0
                        (ret = ech_calc_confirmation(
4623
0
                             tls->key_schedule, emitter->buf->base + ech_confirm_off, tls->ech.inner_client_random,
4624
0
                             ECH_CONFIRMATION_HRR,
4625
0
                             ptls_iovec_init(emitter->buf->base + sh_start_off, emitter->buf->off - sh_start_off))) != 0)
4626
0
                        goto Exit;
4627
0
                });
4628
0
            if (retry_uses_cookie) {
4629
0
                if ((ret = push_change_cipher_spec(tls, emitter)) != 0)
4630
0
                    goto Exit;
4631
0
                ret = PTLS_ERROR_STATELESS_RETRY;
4632
0
            } else {
4633
0
                tls->state = PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO;
4634
0
                if (ch->psk.early_data_indication)
4635
0
                    tls->server.early_data_skipped_bytes = 0;
4636
0
                ret = PTLS_ERROR_IN_PROGRESS;
4637
0
            }
4638
0
            goto Exit;
4639
0
        }
4640
0
    }
4641
4642
    /* handle unknown extensions */
4643
0
    if ((ret = report_unknown_extensions(tls, properties, ch->unknown_extensions)) != 0)
4644
0
        goto Exit;
4645
4646
    /* try psk handshake */
4647
0
    if (ch->psk.hash_end != 0 && (ch->psk.ke_modes & ((1u << PTLS_PSK_KE_MODE_PSK) | (1u << PTLS_PSK_KE_MODE_PSK_DHE))) != 0 &&
4648
0
        !tls->ctx->require_client_authentication &&
4649
0
        ((!is_second_flight && tls->ctx->encrypt_ticket != NULL) || tls->ctx->pre_shared_key.identity.base != NULL)) {
4650
0
        if ((ret = try_psk_handshake(tls, &psk_index, &accept_early_data, ch,
4651
0
                                     ptls_iovec_init(message.base, ch->psk.hash_end - message.base), is_second_flight)) != 0) {
4652
0
            goto Exit;
4653
0
        }
4654
0
    }
4655
4656
    /* If the server was setup to use an external PSK but failed to agree, abort the handshake. Because external PSK is a form of
4657
     * mutual authentication, it makes sense to abort (at least as the default). */
4658
0
    if (tls->ctx->pre_shared_key.identity.base != NULL && psk_index == SIZE_MAX) {
4659
0
        ret = PTLS_ALERT_UNKNOWN_PSK_IDENTITY;
4660
0
        goto Exit;
4661
0
    }
4662
4663
    /* If client authentication is enabled, we always force a full handshake.
4664
     * TODO: Check for `post_handshake_auth` extension and if that is present, do not force full handshake!
4665
     *       Remove also the check `!require_client_authentication` above.
4666
     *
4667
     * adjust key_schedule, determine handshake mode
4668
     */
4669
0
    if (psk_index == SIZE_MAX || tls->ctx->require_client_authentication) {
4670
0
        ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0);
4671
0
        if (!is_second_flight) {
4672
0
            assert(tls->key_schedule->generation == 0);
4673
0
            key_schedule_extract(tls->key_schedule, ptls_iovec_init(NULL, 0));
4674
0
        }
4675
0
        mode = HANDSHAKE_MODE_FULL;
4676
0
        if (properties != NULL)
4677
0
            properties->server.selected_psk_binder.len = 0;
4678
0
    } else {
4679
0
        ptls__key_schedule_update_hash(tls->key_schedule, ch->psk.hash_end, message.base + message.len - ch->psk.hash_end, 0);
4680
0
        if ((ch->psk.ke_modes & (1u << PTLS_PSK_KE_MODE_PSK)) != 0) {
4681
0
            mode = HANDSHAKE_MODE_PSK;
4682
0
        } else {
4683
0
            assert((ch->psk.ke_modes & (1u << PTLS_PSK_KE_MODE_PSK_DHE)) != 0);
4684
0
            mode = HANDSHAKE_MODE_PSK_DHE;
4685
0
        }
4686
0
        tls->is_psk_handshake = 1;
4687
0
        if (properties != NULL) {
4688
0
            ptls_iovec_t *selected = &ch->psk.identities.list[psk_index].binder;
4689
0
            memcpy(properties->server.selected_psk_binder.base, selected->base, selected->len);
4690
0
            properties->server.selected_psk_binder.len = selected->len;
4691
0
        }
4692
0
    }
4693
4694
    /* determine number of tickets to send */
4695
0
    if (ch->psk.ke_modes != 0 && tls->ctx->ticket_lifetime != 0) {
4696
0
        if (ch->ticket_request.new_session_count != 0) {
4697
0
            tls->server.num_tickets_to_send =
4698
0
                tls->is_psk_handshake ? ch->ticket_request.resumption_count : ch->ticket_request.new_session_count;
4699
0
        } else {
4700
0
            tls->server.num_tickets_to_send = 1;
4701
0
        }
4702
0
        uint8_t max_tickets = tls->ctx->ticket_requests.server.max_count;
4703
0
        if (max_tickets == 0)
4704
0
            max_tickets = PTLS_DEFAULT_MAX_TICKETS_TO_SERVE;
4705
0
        if (tls->server.num_tickets_to_send > max_tickets)
4706
0
            tls->server.num_tickets_to_send = max_tickets;
4707
0
    } else {
4708
0
        tls->server.num_tickets_to_send = 0;
4709
0
    }
4710
4711
0
    if (accept_early_data && tls->ctx->max_early_data_size != 0 && psk_index == 0) {
4712
0
        if ((tls->pending_handshake_secret = malloc(PTLS_MAX_DIGEST_SIZE)) == NULL) {
4713
0
            ret = PTLS_ERROR_NO_MEMORY;
4714
0
            goto Exit;
4715
0
        }
4716
0
        if ((ret = derive_exporter_secret(tls, 1)) != 0)
4717
0
            goto Exit;
4718
0
        if ((ret = setup_traffic_protection(tls, 0, "c e traffic", 1, 0, 0)) != 0)
4719
0
            goto Exit;
4720
0
    }
4721
4722
    /* run key-exchange, to obtain pubkey and secret */
4723
0
    if (mode != HANDSHAKE_MODE_PSK) {
4724
0
        if (key_share.algorithm == NULL) {
4725
0
            ret = ch->key_shares.base != NULL ? PTLS_ALERT_HANDSHAKE_FAILURE : PTLS_ALERT_MISSING_EXTENSION;
4726
0
            goto Exit;
4727
0
        }
4728
0
        if ((ret = key_share.algorithm->exchange(key_share.algorithm, &pubkey, &ecdh_secret, key_share.peer_key)) != 0) {
4729
0
            assert(pubkey.base == NULL);
4730
0
            assert(ecdh_secret.base == NULL);
4731
0
            goto Exit;
4732
0
        }
4733
0
        tls->key_share = key_share.algorithm;
4734
0
    }
4735
4736
0
    { /* send ServerHello */
4737
0
        size_t ech_confirm_off = 0;
4738
0
        EMIT_SERVER_HELLO(
4739
0
            tls->key_schedule,
4740
0
            {
4741
0
                tls->ctx->random_bytes(emitter->buf->base + emitter->buf->off, PTLS_HELLO_RANDOM_SIZE);
4742
                /* when accepting CHInner, last 8 byte of SH.random is zero for the handshake transcript */
4743
0
                if (ptls_is_ech_handshake(tls, NULL, NULL, NULL)) {
4744
0
                    ech_confirm_off = emitter->buf->off + PTLS_HELLO_RANDOM_SIZE - PTLS_ECH_CONFIRM_LENGTH;
4745
0
                    memset(emitter->buf->base + ech_confirm_off, 0, PTLS_ECH_CONFIRM_LENGTH);
4746
0
                }
4747
0
            },
4748
0
            {
4749
0
                ptls_buffer_t *sendbuf = emitter->buf;
4750
0
                if (mode != HANDSHAKE_MODE_PSK) {
4751
0
                    buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_KEY_SHARE, {
4752
0
                        ptls_buffer_push16(sendbuf, key_share.algorithm->id);
4753
0
                        ptls_buffer_push_block(sendbuf, 2, { ptls_buffer_pushv(sendbuf, pubkey.base, pubkey.len); });
4754
0
                    });
4755
0
                }
4756
0
                if (mode != HANDSHAKE_MODE_FULL) {
4757
0
                    buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_PRE_SHARED_KEY,
4758
0
                                          { ptls_buffer_push16(sendbuf, (uint16_t)psk_index); });
4759
0
                }
4760
0
            },
4761
0
            {
4762
0
                if (ech_confirm_off != 0 &&
4763
0
                    (ret = ech_calc_confirmation(
4764
0
                         tls->key_schedule, emitter->buf->base + ech_confirm_off, tls->ech.inner_client_random,
4765
0
                         ECH_CONFIRMATION_SERVER_HELLO,
4766
0
                         ptls_iovec_init(emitter->buf->base + sh_start_off, emitter->buf->off - sh_start_off))) != 0)
4767
0
                    goto Exit;
4768
0
            });
4769
0
    }
4770
4771
    /* processing of ECH is complete; dispose state */
4772
0
    clear_ech(&tls->ech, 1);
4773
4774
0
    if ((ret = push_change_cipher_spec(tls, emitter)) != 0)
4775
0
        goto Exit;
4776
4777
    /* create protection contexts for the handshake */
4778
0
    assert(tls->key_schedule->generation == 1);
4779
0
    key_schedule_extract(tls->key_schedule, ecdh_secret);
4780
0
    if ((ret = setup_traffic_protection(tls, 1, "s hs traffic", 2, 0, 0)) != 0)
4781
0
        goto Exit;
4782
0
    if (tls->pending_handshake_secret != NULL) {
4783
0
        if ((ret = derive_secret(tls->key_schedule, tls->pending_handshake_secret, "c hs traffic")) != 0)
4784
0
            goto Exit;
4785
0
        if (tls->ctx->update_traffic_key != NULL &&
4786
0
            (ret = tls->ctx->update_traffic_key->cb(tls->ctx->update_traffic_key, tls, 0, 2, tls->pending_handshake_secret)) != 0)
4787
0
            goto Exit;
4788
0
    } else {
4789
0
        if ((ret = setup_traffic_protection(tls, 0, "c hs traffic", 2, 0, 0)) != 0)
4790
0
            goto Exit;
4791
0
        if (ch->psk.early_data_indication)
4792
0
            tls->server.early_data_skipped_bytes = 0;
4793
0
    }
4794
4795
    /* send EncryptedExtensions */
4796
0
    ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS, {
4797
0
        ptls_buffer_t *sendbuf = emitter->buf;
4798
0
        ptls_buffer_push_block(sendbuf, 2, {
4799
0
            if (tls->server_name != NULL) {
4800
                /* In this event, the server SHALL include an extension of type "server_name" in the (extended) server hello.
4801
                 * The "extension_data" field of this extension SHALL be empty. (RFC 6066 section 3) */
4802
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_NAME, {});
4803
0
            }
4804
0
            if (tls->ctx->use_raw_public_keys) {
4805
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE,
4806
0
                                      { ptls_buffer_push(sendbuf, PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY); });
4807
0
            }
4808
0
            if (tls->negotiated_protocol != NULL) {
4809
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ALPN, {
4810
0
                    ptls_buffer_push_block(sendbuf, 2, {
4811
0
                        ptls_buffer_push_block(sendbuf, 1, {
4812
0
                            ptls_buffer_pushv(sendbuf, tls->negotiated_protocol, strlen(tls->negotiated_protocol));
4813
0
                        });
4814
0
                    });
4815
0
                });
4816
0
            }
4817
0
            if (tls->pending_handshake_secret != NULL)
4818
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_EARLY_DATA, {});
4819
            /* send ECH retry_configs, if ECH was offered by rejected, even though we (the server) could have accepted ECH */
4820
0
            if (tls->ech.offered && !ptls_is_ech_handshake(tls, NULL, NULL, NULL) && tls->ctx->ech.server.create_opener != NULL &&
4821
0
                tls->ctx->ech.server.retry_configs.len != 0)
4822
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, {
4823
0
                    ptls_buffer_pushv(sendbuf, tls->ctx->ech.server.retry_configs.base, tls->ctx->ech.server.retry_configs.len);
4824
0
                });
4825
0
            if (ch->ticket_request.new_session_count != 0 && tls->server.num_tickets_to_send != 0)
4826
0
                buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_TICKET_REQUEST,
4827
0
                                      { ptls_buffer_push(sendbuf, tls->server.num_tickets_to_send); });
4828
0
            if ((ret = push_additional_extensions(properties, sendbuf)) != 0)
4829
0
                goto Exit;
4830
0
        });
4831
0
    });
4832
4833
0
    if (mode == HANDSHAKE_MODE_FULL) {
4834
        /* send certificate request if client authentication is activated */
4835
0
        if (tls->ctx->require_client_authentication) {
4836
0
            ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST, {
4837
0
                ptls_buffer_t *sendbuf = emitter->buf;
4838
                /* certificate_request_context: this field SHALL be zero length, unless the certificate request is used for post-
4839
                 * handshake authentication. */
4840
0
                ptls_buffer_push(sendbuf, 0);
4841
                /* extensions */
4842
0
                ptls_buffer_push_block(sendbuf, 2, {
4843
0
                    buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS, {
4844
0
                        if ((ret = push_signature_algorithms(tls->ctx->verify_certificate, sendbuf)) != 0)
4845
0
                            goto Exit;
4846
0
                    });
4847
                    /* certificate authorities entension */
4848
0
                    if (tls->ctx->client_ca_names.count > 0) {
4849
0
                        buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_CERTIFICATE_AUTHORITIES, {
4850
0
                            ptls_buffer_push_block(sendbuf, 2, {
4851
0
                                for (size_t i = 0; i != tls->ctx->client_ca_names.count; ++i) {
4852
0
                                    ptls_buffer_push_block(sendbuf, 2, {
4853
0
                                        ptls_iovec_t name = tls->ctx->client_ca_names.list[i];
4854
0
                                        ptls_buffer_pushv(sendbuf, name.base, name.len);
4855
0
                                    });
4856
0
                                }
4857
0
                            });
4858
0
                        });
4859
0
                    }
4860
0
                });
4861
0
            });
4862
4863
0
            if (ret != 0) {
4864
0
                goto Exit;
4865
0
            }
4866
0
        }
4867
4868
        /* send certificate */
4869
0
        if ((ret = send_certificate(tls, emitter, &ch->signature_algorithms, ptls_iovec_init(NULL, 0), ch->status_request,
4870
0
                                    ch->cert_compression_algos.list, ch->cert_compression_algos.count)) != 0)
4871
0
            goto Exit;
4872
        /* send certificateverify, finished, and complete the handshake */
4873
0
        if ((ret = server_finish_handshake(tls, emitter, 1, &ch->signature_algorithms)) != 0)
4874
0
            goto Exit;
4875
0
    } else {
4876
        /* send finished, and complete the handshake */
4877
0
        if ((ret = server_finish_handshake(tls, emitter, 0, NULL)) != 0)
4878
0
            goto Exit;
4879
0
    }
4880
4881
0
Exit:
4882
0
    free(pubkey.base);
4883
0
    if (ecdh_secret.base != NULL) {
4884
0
        ptls_clear_memory(ecdh_secret.base, ecdh_secret.len);
4885
0
        free(ecdh_secret.base);
4886
0
    }
4887
0
    free(ech.encoded_ch_inner);
4888
0
    free(ech.ch_outer_aad);
4889
0
    ptls_buffer_dispose(&ech.ch_inner);
4890
0
    free(ch);
4891
0
    return ret;
4892
4893
0
#undef EMIT_SERVER_HELLO
4894
0
#undef EMIT_HELLO_RETRY_REQUEST
4895
0
}
4896
4897
static int server_finish_handshake(ptls_t *tls, ptls_message_emitter_t *emitter, int send_cert_verify,
4898
                                   struct st_ptls_signature_algorithms_t *signature_algorithms)
4899
0
{
4900
0
    int ret;
4901
4902
0
    if (send_cert_verify) {
4903
0
        if ((ret = send_certificate_verify(tls, emitter, signature_algorithms, PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING)) !=
4904
0
            0) {
4905
0
            if (ret == PTLS_ERROR_ASYNC_OPERATION) {
4906
0
                tls->state = PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY;
4907
0
            }
4908
0
            goto Exit;
4909
0
        }
4910
0
    }
4911
4912
0
    if ((ret = send_finished(tls, emitter)) != 0)
4913
0
        goto Exit;
4914
4915
0
    assert(tls->key_schedule->generation == 2);
4916
0
    if ((ret = key_schedule_extract(tls->key_schedule, ptls_iovec_init(NULL, 0))) != 0)
4917
0
        goto Exit;
4918
0
    if ((ret = setup_traffic_protection(tls, 1, "s ap traffic", 3, 0, 0)) != 0)
4919
0
        goto Exit;
4920
0
    if ((ret = derive_secret(tls->key_schedule, tls->server.pending_traffic_secret, "c ap traffic")) != 0)
4921
0
        goto Exit;
4922
0
    if ((ret = derive_exporter_secret(tls, 0)) != 0)
4923
0
        goto Exit;
4924
4925
0
    if (tls->pending_handshake_secret != NULL) {
4926
0
        if (tls->ctx->omit_end_of_early_data) {
4927
0
            if ((ret = commission_handshake_secret(tls)) != 0)
4928
0
                goto Exit;
4929
0
            tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED;
4930
0
        } else {
4931
0
            tls->state = PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA;
4932
0
        }
4933
0
    } else if (tls->ctx->require_client_authentication) {
4934
0
        tls->state = PTLS_STATE_SERVER_EXPECT_CERTIFICATE;
4935
0
    } else {
4936
0
        tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED;
4937
0
    }
4938
4939
    /* send session ticket if necessary */
4940
0
    if (tls->server.num_tickets_to_send != 0) {
4941
0
        assert(tls->ctx->ticket_lifetime != 0);
4942
0
        for (uint8_t i = 0; i < tls->server.num_tickets_to_send; ++i)
4943
0
            if ((ret = send_session_ticket(tls, emitter)) != 0)
4944
0
                goto Exit;
4945
0
    }
4946
4947
0
    if (tls->ctx->require_client_authentication) {
4948
0
        ret = PTLS_ERROR_IN_PROGRESS;
4949
0
    } else {
4950
0
        ret = 0;
4951
0
    }
4952
4953
0
Exit:
4954
0
    return ret;
4955
0
}
4956
4957
static int server_handle_end_of_early_data(ptls_t *tls, ptls_iovec_t message)
4958
0
{
4959
0
    int ret;
4960
4961
0
    if ((ret = commission_handshake_secret(tls)) != 0)
4962
0
        goto Exit;
4963
4964
0
    ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0);
4965
0
    tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED;
4966
0
    ret = PTLS_ERROR_IN_PROGRESS;
4967
4968
0
Exit:
4969
0
    return ret;
4970
0
}
4971
4972
static int server_handle_finished(ptls_t *tls, ptls_iovec_t message)
4973
0
{
4974
0
    int ret;
4975
4976
0
    if ((ret = verify_finished(tls, message)) != 0)
4977
0
        return ret;
4978
4979
0
    memcpy(tls->traffic_protection.dec.secret, tls->server.pending_traffic_secret, sizeof(tls->server.pending_traffic_secret));
4980
0
    ptls_clear_memory(tls->server.pending_traffic_secret, sizeof(tls->server.pending_traffic_secret));
4981
0
    if ((ret = setup_traffic_protection(tls, 0, NULL, 3, 0, 0)) != 0)
4982
0
        return ret;
4983
4984
0
    ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0);
4985
4986
0
    tls->state = PTLS_STATE_SERVER_POST_HANDSHAKE;
4987
0
    return 0;
4988
0
}
4989
4990
static int update_traffic_key(ptls_t *tls, int is_enc)
4991
0
{
4992
0
    struct st_ptls_traffic_protection_t *tp = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec;
4993
0
    uint8_t secret[PTLS_MAX_DIGEST_SIZE];
4994
0
    int ret;
4995
4996
0
    ptls_hash_algorithm_t *hash = tls->key_schedule->hashes[0].algo;
4997
0
    if ((ret = ptls_hkdf_expand_label(hash, secret, hash->digest_size, ptls_iovec_init(tp->secret, hash->digest_size),
4998
0
                                      "traffic upd", ptls_iovec_init(NULL, 0), NULL)) != 0)
4999
0
        goto Exit;
5000
0
    memcpy(tp->secret, secret, sizeof(secret));
5001
0
    ret = setup_traffic_protection(tls, is_enc, NULL, 3, 0, 1);
5002
5003
0
Exit:
5004
0
    ptls_clear_memory(secret, sizeof(secret));
5005
0
    return ret;
5006
0
}
5007
5008
static int handle_key_update(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message)
5009
0
{
5010
0
    const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len;
5011
0
    int ret;
5012
5013
    /* validate */
5014
0
    if (end - src != 1 || *src > 1)
5015
0
        return PTLS_ALERT_DECODE_ERROR;
5016
5017
    /* update receive key */
5018
0
    if ((ret = update_traffic_key(tls, 0)) != 0)
5019
0
        return ret;
5020
5021
0
    if (*src) {
5022
0
        if (tls->ctx->update_traffic_key != NULL)
5023
0
            return PTLS_ALERT_UNEXPECTED_MESSAGE;
5024
0
        tls->needs_key_update = 1;
5025
0
    }
5026
5027
0
    return 0;
5028
0
}
5029
5030
static int parse_record_header(struct st_ptls_record_t *rec, const uint8_t *src)
5031
0
{
5032
0
    rec->type = src[0];
5033
0
    rec->version = ntoh16(src + 1);
5034
0
    rec->length = ntoh16(src + 3);
5035
5036
0
    if (rec->length >
5037
0
        (size_t)(rec->type == PTLS_CONTENT_TYPE_APPDATA ? PTLS_MAX_ENCRYPTED_RECORD_SIZE : PTLS_MAX_PLAINTEXT_RECORD_SIZE))
5038
0
        return PTLS_ALERT_DECODE_ERROR;
5039
5040
0
    return 0;
5041
0
}
5042
5043
static int parse_record(ptls_t *tls, struct st_ptls_record_t *rec, const uint8_t *src, size_t *len)
5044
0
{
5045
0
    int ret;
5046
5047
0
    assert(*len != 0);
5048
5049
    /* Check if the first byte is something that we can handle, otherwise do not bother parsing / buffering the entire record as it
5050
     * is obviously broken. SSL 2.0 handshakes fall into this path as well. */
5051
0
    if (tls->recvbuf.rec.base == NULL) {
5052
0
        uint8_t type = src[0];
5053
0
        switch (type) {
5054
0
        case PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC:
5055
0
        case PTLS_CONTENT_TYPE_ALERT:
5056
0
        case PTLS_CONTENT_TYPE_HANDSHAKE:
5057
0
        case PTLS_CONTENT_TYPE_APPDATA:
5058
0
            break;
5059
0
        default:
5060
0
            return PTLS_ALERT_DECODE_ERROR;
5061
0
        }
5062
0
    }
5063
5064
0
    if (tls->recvbuf.rec.base == NULL && *len >= 5) {
5065
        /* fast path */
5066
0
        if ((ret = parse_record_header(rec, src)) != 0)
5067
0
            return ret;
5068
0
        if (5 + rec->length <= *len) {
5069
0
            rec->fragment = src + 5;
5070
0
            *len = rec->length + 5;
5071
0
            return 0;
5072
0
        }
5073
0
    }
5074
5075
    /* slow path */
5076
0
    const uint8_t *const end = src + *len;
5077
0
    *rec = (struct st_ptls_record_t){0};
5078
5079
0
    if (tls->recvbuf.rec.base == NULL) {
5080
0
        ptls_buffer_init(&tls->recvbuf.rec, "", 0);
5081
0
        if ((ret = ptls_buffer_reserve(&tls->recvbuf.rec, 5)) != 0)
5082
0
            return ret;
5083
0
    }
5084
5085
    /* fill and parse the header */
5086
0
    while (tls->recvbuf.rec.off < 5) {
5087
0
        if (src == end)
5088
0
            return PTLS_ERROR_IN_PROGRESS;
5089
0
        tls->recvbuf.rec.base[tls->recvbuf.rec.off++] = *src++;
5090
0
    }
5091
0
    if ((ret = parse_record_header(rec, tls->recvbuf.rec.base)) != 0)
5092
0
        return ret;
5093
5094
    /* fill the fragment */
5095
0
    size_t addlen = rec->length + 5 - tls->recvbuf.rec.off;
5096
0
    if (addlen != 0) {
5097
0
        if ((ret = ptls_buffer_reserve(&tls->recvbuf.rec, addlen)) != 0)
5098
0
            return ret;
5099
0
        if (addlen > (size_t)(end - src))
5100
0
            addlen = end - src;
5101
0
        if (addlen != 0) {
5102
0
            memcpy(tls->recvbuf.rec.base + tls->recvbuf.rec.off, src, addlen);
5103
0
            tls->recvbuf.rec.off += addlen;
5104
0
            src += addlen;
5105
0
        }
5106
0
    }
5107
5108
    /* set rec->fragment if a complete record has been parsed */
5109
0
    if (tls->recvbuf.rec.off == rec->length + 5) {
5110
0
        rec->fragment = tls->recvbuf.rec.base + 5;
5111
0
        ret = 0;
5112
0
    } else {
5113
0
        ret = PTLS_ERROR_IN_PROGRESS;
5114
0
    }
5115
5116
0
    *len -= end - src;
5117
0
    return ret;
5118
0
}
5119
5120
static void update_open_count(ptls_context_t *ctx, ssize_t delta)
5121
0
{
5122
0
    if (ctx->update_open_count != NULL)
5123
0
        ctx->update_open_count->cb(ctx->update_open_count, delta);
5124
0
}
5125
5126
static ptls_t *new_instance(ptls_context_t *ctx, int is_server)
5127
0
{
5128
0
    ptls_t *tls;
5129
5130
    /* check consistency of `ptls_context_t` before instantiating a connection object */
5131
0
    assert(ctx->get_time != NULL && "please set ctx->get_time to `&ptls_get_time`; see #92");
5132
0
    if (ctx->pre_shared_key.identity.base != NULL) {
5133
0
        assert(ctx->pre_shared_key.identity.len != 0 && ctx->pre_shared_key.secret.base != NULL &&
5134
0
               ctx->pre_shared_key.secret.len != 0 && ctx->pre_shared_key.hash != NULL &&
5135
0
               "`ptls_context_t::pre_shared_key` in incosistent state");
5136
0
    } else {
5137
0
        assert(ctx->pre_shared_key.identity.len == 0 && ctx->pre_shared_key.secret.base == NULL &&
5138
0
               ctx->pre_shared_key.secret.len == 0 && ctx->pre_shared_key.hash == NULL &&
5139
0
               "`ptls_context_t::pre_shared_key` in inconsitent state");
5140
0
    }
5141
5142
0
    if ((tls = malloc(sizeof(*tls))) == NULL)
5143
0
        return NULL;
5144
5145
0
    update_open_count(ctx, 1);
5146
0
    *tls = (ptls_t){ctx};
5147
0
    tls->is_server = is_server;
5148
0
    tls->send_change_cipher_spec = ctx->send_change_cipher_spec;
5149
5150
0
#if PTLS_HAVE_LOG
5151
0
    if (ptls_log_conn_state_override != NULL) {
5152
0
        tls->log_state = *ptls_log_conn_state_override;
5153
0
    } else {
5154
0
        ptls_log_init_conn_state(&tls->log_state, ctx->random_bytes);
5155
0
    }
5156
0
#endif
5157
5158
0
    return tls;
5159
0
}
5160
5161
ptls_t *ptls_client_new(ptls_context_t *ctx)
5162
0
{
5163
0
    ptls_t *tls = new_instance(ctx, 0);
5164
0
    tls->state = PTLS_STATE_CLIENT_HANDSHAKE_START;
5165
0
    tls->ctx->random_bytes(tls->client_random, sizeof(tls->client_random));
5166
0
    log_client_random(tls);
5167
0
    if (tls->send_change_cipher_spec) {
5168
0
        tls->client.legacy_session_id =
5169
0
            ptls_iovec_init(tls->client.legacy_session_id_buf, sizeof(tls->client.legacy_session_id_buf));
5170
0
        tls->ctx->random_bytes(tls->client.legacy_session_id.base, tls->client.legacy_session_id.len);
5171
0
    }
5172
5173
0
    PTLS_PROBE(NEW, tls, 0);
5174
0
    PTLS_LOG_CONN(new, tls, { PTLS_LOG_ELEMENT_BOOL(is_server, 0); });
5175
0
    return tls;
5176
0
}
5177
5178
ptls_t *ptls_server_new(ptls_context_t *ctx)
5179
0
{
5180
0
    ptls_t *tls = new_instance(ctx, 1);
5181
0
    tls->state = PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO;
5182
0
    tls->server.early_data_skipped_bytes = UINT32_MAX;
5183
5184
0
    PTLS_PROBE(NEW, tls, 1);
5185
0
    PTLS_LOG_CONN(new, tls, { PTLS_LOG_ELEMENT_BOOL(is_server, 1); });
5186
0
    return tls;
5187
0
}
5188
5189
#define export_tls_params(output, is_server, session_reused, protocol_version, cipher, client_random, server_name,                 \
5190
                          negotiated_protocol, ver_block)                                                                          \
5191
0
    do {                                                                                                                           \
5192
0
        const char *_server_name = (server_name);                                                                                  \
5193
0
        ptls_iovec_t _negotiated_protocol = (negotiated_protocol);                                                                 \
5194
0
        ptls_buffer_push_block((output), 2, {                                                                                      \
5195
0
            ptls_buffer_push((output), (is_server));                                                                               \
5196
0
            ptls_buffer_push((output), (session_reused));                                                                          \
5197
0
            ptls_buffer_push16((output), (protocol_version));                                                                      \
5198
0
            ptls_buffer_push16((output), (cipher)->id);                                                                            \
5199
0
            ptls_buffer_pushv((output), (client_random), PTLS_HELLO_RANDOM_SIZE);                                                  \
5200
0
            ptls_buffer_push_block((output), 2, {                                                                                  \
5201
0
                size_t len = _server_name != NULL ? strlen(_server_name) : 0;                                                      \
5202
0
                ptls_buffer_pushv((output), _server_name, len);                                                                    \
5203
0
            });                                                                                                                    \
5204
0
            ptls_buffer_push_block((output), 2,                                                                                    \
5205
0
                                   { ptls_buffer_pushv((output), _negotiated_protocol.base, _negotiated_protocol.len); });         \
5206
0
            ptls_buffer_push_block((output), 2, {ver_block}); /* version-specific block */                                         \
5207
0
            ptls_buffer_push_block((output), 2, {});          /* for future extensions */                                          \
5208
0
        });                                                                                                                        \
5209
0
    } while (0)
5210
5211
static int export_tls12_params(ptls_buffer_t *output, int is_server, int session_reused, ptls_cipher_suite_t *cipher,
5212
                               const void *client_random, const char *server_name, ptls_iovec_t negotiated_protocol,
5213
                               const void *enc_key, const void *enc_iv, uint64_t enc_seq, uint64_t enc_record_iv,
5214
                               const void *dec_key, const void *dec_iv, uint64_t dec_seq)
5215
0
{
5216
0
    int ret;
5217
5218
0
    export_tls_params(output, is_server, session_reused, PTLS_PROTOCOL_VERSION_TLS12, cipher, client_random, server_name,
5219
0
                      negotiated_protocol, {
5220
0
                          ptls_buffer_pushv(output, enc_key, cipher->aead->key_size);
5221
0
                          ptls_buffer_pushv(output, enc_iv, cipher->aead->tls12.fixed_iv_size);
5222
0
                          ptls_buffer_push64(output, enc_seq);
5223
0
                          if (cipher->aead->tls12.record_iv_size != 0)
5224
0
                              ptls_buffer_push64(output, enc_record_iv);
5225
0
                          ptls_buffer_pushv(output, dec_key, cipher->aead->key_size);
5226
0
                          ptls_buffer_pushv(output, dec_iv, cipher->aead->tls12.fixed_iv_size);
5227
0
                          ptls_buffer_push64(output, dec_seq);
5228
0
                      });
5229
0
    ret = 0;
5230
5231
0
Exit:
5232
0
    return ret;
5233
0
}
5234
5235
int ptls_build_tls12_export_params(ptls_context_t *ctx, ptls_buffer_t *output, int is_server, int session_reused,
5236
                                   ptls_cipher_suite_t *cipher, const void *master_secret, const void *hello_randoms,
5237
                                   uint64_t next_send_record_iv, const char *server_name, ptls_iovec_t negotiated_protocol)
5238
0
{
5239
0
    assert(cipher->aead->tls12.fixed_iv_size + cipher->aead->tls12.record_iv_size != 0 || !"given cipher-suite supports TLS/1.2");
5240
5241
0
    uint8_t key_block[(PTLS_MAX_SECRET_SIZE + PTLS_MAX_IV_SIZE) * 2];
5242
0
    size_t key_block_len = (cipher->aead->key_size + cipher->aead->tls12.fixed_iv_size) * 2;
5243
0
    int ret;
5244
5245
0
    assert(key_block_len <= sizeof(key_block));
5246
5247
    /* generate key block */
5248
0
    if ((ret =
5249
0
             ptls_tls12_phash(cipher->hash, key_block, key_block_len, ptls_iovec_init(master_secret, PTLS_TLS12_MASTER_SECRET_SIZE),
5250
0
                              "key expansion", ptls_iovec_init(hello_randoms, PTLS_HELLO_RANDOM_SIZE * 2))) != 0)
5251
0
        goto Exit;
5252
5253
    /* determine key locations */
5254
0
    struct {
5255
0
        const void *key;
5256
0
        const void *iv;
5257
0
    } client_secret, server_secret, *enc_secret = is_server ? &server_secret : &client_secret,
5258
0
                                    *dec_secret = is_server ? &client_secret : &server_secret;
5259
0
    client_secret.key = key_block;
5260
0
    server_secret.key = key_block + cipher->aead->key_size;
5261
0
    client_secret.iv = key_block + cipher->aead->key_size * 2;
5262
0
    server_secret.iv = key_block + cipher->aead->key_size * 2 + cipher->aead->tls12.fixed_iv_size;
5263
5264
    /* Serialize prams. Sequence number of the first application record is 1, because Finished is the only message sent after
5265
     * ChangeCipherSpec. */
5266
0
    ret = export_tls12_params(output, is_server, session_reused, cipher, (uint8_t *)hello_randoms + PTLS_HELLO_RANDOM_SIZE,
5267
0
                              server_name, negotiated_protocol, enc_secret->key, enc_secret->iv, 1, next_send_record_iv,
5268
0
                              dec_secret->key, dec_secret->iv, 1);
5269
5270
0
Exit:
5271
0
    ptls_clear_memory(key_block, sizeof(key_block));
5272
0
    return ret;
5273
0
}
5274
5275
int ptls_export(ptls_t *tls, ptls_buffer_t *output)
5276
0
{
5277
0
    ptls_iovec_t negotiated_protocol =
5278
0
        ptls_iovec_init(tls->negotiated_protocol, tls->negotiated_protocol != NULL ? strlen(tls->negotiated_protocol) : 0);
5279
0
    int ret;
5280
5281
0
    if (tls->state != PTLS_STATE_SERVER_POST_HANDSHAKE) {
5282
0
        ret = PTLS_ERROR_LIBRARY;
5283
0
        goto Exit;
5284
0
    }
5285
5286
0
    if (ptls_get_protocol_version(tls) == PTLS_PROTOCOL_VERSION_TLS13) {
5287
0
        export_tls_params(output, tls->is_server, tls->is_psk_handshake, PTLS_PROTOCOL_VERSION_TLS13, tls->cipher_suite,
5288
0
                          tls->client_random, tls->server_name, negotiated_protocol, {
5289
0
                              ptls_buffer_pushv(output, tls->traffic_protection.enc.secret, tls->cipher_suite->hash->digest_size);
5290
0
                              ptls_buffer_push64(output, tls->traffic_protection.enc.seq);
5291
0
                              ptls_buffer_pushv(output, tls->traffic_protection.dec.secret, tls->cipher_suite->hash->digest_size);
5292
0
                              ptls_buffer_push64(output, tls->traffic_protection.dec.seq);
5293
0
                          });
5294
0
        ret = 0;
5295
0
    } else {
5296
0
        if ((ret = export_tls12_params(output, tls->is_server, tls->is_psk_handshake, tls->cipher_suite, tls->client_random,
5297
0
                                       tls->server_name, negotiated_protocol, tls->traffic_protection.enc.secret,
5298
0
                                       tls->traffic_protection.enc.secret + PTLS_MAX_SECRET_SIZE, tls->traffic_protection.enc.seq,
5299
0
                                       tls->traffic_protection.enc.tls12_enc_record_iv, tls->traffic_protection.dec.secret,
5300
0
                                       tls->traffic_protection.dec.secret + PTLS_MAX_SECRET_SIZE,
5301
0
                                       tls->traffic_protection.dec.seq)) != 0)
5302
0
            goto Exit;
5303
0
    }
5304
5305
0
Exit:
5306
0
    return ret;
5307
0
}
5308
5309
static int import_tls12_traffic_protection(ptls_t *tls, int is_enc, const uint8_t **src, const uint8_t *const end)
5310
0
{
5311
0
    struct st_ptls_traffic_protection_t *tp = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec;
5312
5313
0
    if ((size_t)(end - *src) < tls->cipher_suite->aead->key_size + tls->cipher_suite->aead->tls12.fixed_iv_size + sizeof(uint64_t))
5314
0
        return PTLS_ALERT_DECODE_ERROR;
5315
5316
    /* set properties */
5317
0
    memcpy(tp->secret, *src, tls->cipher_suite->aead->key_size);
5318
0
    *src += tls->cipher_suite->aead->key_size;
5319
0
    memcpy(tp->secret + PTLS_MAX_SECRET_SIZE, *src, tls->cipher_suite->aead->tls12.fixed_iv_size);
5320
0
    *src += tls->cipher_suite->aead->tls12.fixed_iv_size;
5321
0
    if (ptls_decode64(&tp->seq, src, end) != 0)
5322
0
        return PTLS_ALERT_DECODE_ERROR;
5323
0
    if (is_enc && tls->cipher_suite->aead->tls12.record_iv_size != 0) {
5324
0
        if (ptls_decode64(&tp->tls12_enc_record_iv, src, end) != 0)
5325
0
            return PTLS_ALERT_DECODE_ERROR;
5326
0
    }
5327
0
    tp->tls12 = 1;
5328
5329
    /* instantiate aead */
5330
0
    if ((tp->aead = ptls_aead_new_direct(tls->cipher_suite->aead, is_enc, tp->secret, tp->secret + PTLS_MAX_SECRET_SIZE)) == NULL)
5331
0
        return PTLS_ERROR_NO_MEMORY;
5332
5333
0
    return 0;
5334
0
}
5335
5336
static int import_tls13_traffic_protection(ptls_t *tls, int is_enc, const uint8_t **src, const uint8_t *const end)
5337
0
{
5338
0
    struct st_ptls_traffic_protection_t *tp = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec;
5339
5340
    /* set properties */
5341
0
    memcpy(tp->secret, *src, tls->cipher_suite->hash->digest_size);
5342
0
    *src += tls->cipher_suite->hash->digest_size;
5343
0
    if (ptls_decode64(&tp->seq, src, end) != 0)
5344
0
        return PTLS_ALERT_DECODE_ERROR;
5345
5346
0
    if (setup_traffic_protection(tls, is_enc, NULL, 3, tp->seq, 0) != 0)
5347
0
        return PTLS_ERROR_INCOMPATIBLE_KEY;
5348
5349
0
    return 0;
5350
0
}
5351
5352
int ptls_import(ptls_context_t *ctx, ptls_t **tls, ptls_iovec_t params)
5353
0
{
5354
0
    const uint8_t *src = params.base, *const end = src + params.len;
5355
0
    uint16_t protocol_version, csid;
5356
0
    int ret;
5357
5358
0
    *tls = NULL;
5359
5360
    /* TODO handle flags like psk_handshake, ech_handshake as we add support for TLS/1.3 import */
5361
0
    ptls_decode_block(src, end, 2, {
5362
        /* instantiate, based on the is_server flag */
5363
0
        if (end - src < 2) {
5364
0
            ret = PTLS_ALERT_DECODE_ERROR;
5365
0
            goto Exit;
5366
0
        }
5367
0
        if ((*tls = new_instance(ctx, *src++)) == NULL) {
5368
0
            ret = PTLS_ERROR_NO_MEMORY;
5369
0
            goto Exit;
5370
0
        }
5371
0
        (*tls)->is_psk_handshake = *src++;
5372
        /* determine protocol version and cipher suite */
5373
0
        if ((ret = ptls_decode16(&protocol_version, &src, end)) != 0)
5374
0
            goto Exit;
5375
0
        if ((ret = ptls_decode16(&csid, &src, end)) != 0)
5376
0
            goto Exit;
5377
        /* other version-independent stuff */
5378
0
        if (end - src < PTLS_HELLO_RANDOM_SIZE) {
5379
0
            ret = PTLS_ALERT_DECODE_ERROR;
5380
0
            goto Exit;
5381
0
        }
5382
0
        memcpy((*tls)->client_random, src, PTLS_HELLO_RANDOM_SIZE);
5383
0
        src += PTLS_HELLO_RANDOM_SIZE;
5384
0
        ptls_decode_open_block(src, end, 2, {
5385
0
            if (src != end) {
5386
0
                if ((ret = ptls_set_server_name(*tls, (const char *)src, end - src)) != 0)
5387
0
                    goto Exit;
5388
0
                src = end;
5389
0
            }
5390
0
        });
5391
0
        ptls_decode_open_block(src, end, 2, {
5392
0
            if (src != end) {
5393
0
                if ((ret = ptls_set_negotiated_protocol(*tls, (const char *)src, end - src)) != 0)
5394
0
                    goto Exit;
5395
0
                src = end;
5396
0
            }
5397
0
        });
5398
        /* version-dependent stuff */
5399
0
        ptls_decode_open_block(src, end, 2, {
5400
0
            switch (protocol_version) {
5401
0
            case PTLS_PROTOCOL_VERSION_TLS12:
5402
0
                (*tls)->cipher_suite = ptls_find_cipher_suite(ctx->tls12_cipher_suites, csid);
5403
0
                if ((*tls)->cipher_suite == NULL) {
5404
0
                    ret = PTLS_ALERT_HANDSHAKE_FAILURE;
5405
0
                    goto Exit;
5406
0
                }
5407
                /* setup AEAD keys */
5408
0
                if ((ret = import_tls12_traffic_protection(*tls, 1, &src, end)) != 0)
5409
0
                    goto Exit;
5410
0
                if ((ret = import_tls12_traffic_protection(*tls, 0, &src, end)) != 0)
5411
0
                    goto Exit;
5412
0
                break;
5413
0
            case PTLS_PROTOCOL_VERSION_TLS13:
5414
0
                (*tls)->cipher_suite = ptls_find_cipher_suite(ctx->cipher_suites, csid);
5415
0
                if ((*tls)->cipher_suite == NULL) {
5416
0
                    ret = PTLS_ALERT_HANDSHAKE_FAILURE;
5417
0
                    goto Exit;
5418
0
                }
5419
                /* setup AEAD keys */
5420
0
                if (((*tls)->key_schedule = key_schedule_new((*tls)->cipher_suite, NULL, (*tls)->ech.aead != NULL)) == NULL) {
5421
0
                    ret = PTLS_ERROR_NO_MEMORY;
5422
0
                    goto Exit;
5423
0
                }
5424
0
                if ((ret = import_tls13_traffic_protection(*tls, 1, &src, end)) != 0)
5425
0
                    goto Exit;
5426
0
                if ((ret = import_tls13_traffic_protection(*tls, 0, &src, end)) != 0)
5427
0
                    goto Exit;
5428
0
                break;
5429
0
            default:
5430
0
                ret = PTLS_ALERT_ILLEGAL_PARAMETER;
5431
0
                goto Exit;
5432
0
            }
5433
0
        });
5434
        /* extensions */
5435
0
        ptls_decode_open_block(src, end, 2, {
5436
0
            src = end; /* unused */
5437
0
        });
5438
0
    });
5439
5440
0
    (*tls)->state = ptls_is_server(*tls) ? PTLS_STATE_SERVER_POST_HANDSHAKE : PTLS_STATE_CLIENT_POST_HANDSHAKE;
5441
5442
0
Exit:
5443
0
    if (ret != 0) {
5444
0
        if (*tls != NULL) {
5445
0
            ptls_free(*tls);
5446
0
            *tls = NULL;
5447
0
        }
5448
0
    }
5449
0
    return ret;
5450
0
}
5451
5452
void ptls_free(ptls_t *tls)
5453
0
{
5454
0
    PTLS_PROBE0(FREE, tls);
5455
0
    PTLS_LOG_CONN(free, tls, {});
5456
5457
0
    ptls_buffer_dispose(&tls->recvbuf.rec);
5458
0
    ptls_buffer_dispose(&tls->recvbuf.mess);
5459
0
    free_exporter_master_secret(tls, 1);
5460
0
    free_exporter_master_secret(tls, 0);
5461
0
    if (tls->key_schedule != NULL)
5462
0
        key_schedule_free(tls->key_schedule);
5463
0
    if (tls->traffic_protection.dec.aead != NULL)
5464
0
        ptls_aead_free(tls->traffic_protection.dec.aead);
5465
0
    if (tls->traffic_protection.enc.aead != NULL)
5466
0
        ptls_aead_free(tls->traffic_protection.enc.aead);
5467
0
    free(tls->server_name);
5468
0
    free(tls->negotiated_protocol);
5469
0
    clear_ech(&tls->ech, tls->is_server);
5470
0
    if (tls->is_server) {
5471
0
        if (tls->server.async_job != NULL)
5472
0
            tls->server.async_job->destroy_(tls->server.async_job);
5473
0
    } else {
5474
0
        if (tls->client.key_share_ctx != NULL)
5475
0
            tls->client.key_share_ctx->on_exchange(&tls->client.key_share_ctx, 1, NULL, ptls_iovec_init(NULL, 0));
5476
0
        if (tls->client.certificate_request.context.base != NULL)
5477
0
            free(tls->client.certificate_request.context.base);
5478
0
    }
5479
0
    if (tls->certificate_verify.cb != NULL)
5480
0
        tls->certificate_verify.cb(tls->certificate_verify.verify_ctx, 0, ptls_iovec_init(NULL, 0), ptls_iovec_init(NULL, 0));
5481
0
    if (tls->pending_handshake_secret != NULL) {
5482
0
        ptls_clear_memory(tls->pending_handshake_secret, PTLS_MAX_DIGEST_SIZE);
5483
0
        free(tls->pending_handshake_secret);
5484
0
    }
5485
0
    update_open_count(tls->ctx, -1);
5486
0
    ptls_clear_memory(tls, sizeof(*tls));
5487
0
    free(tls);
5488
0
}
5489
5490
ptls_context_t *ptls_get_context(ptls_t *tls)
5491
0
{
5492
0
    return tls->ctx;
5493
0
}
5494
5495
void ptls_set_context(ptls_t *tls, ptls_context_t *ctx)
5496
0
{
5497
0
    update_open_count(ctx, 1);
5498
0
    update_open_count(tls->ctx, -1);
5499
0
    tls->ctx = ctx;
5500
0
}
5501
5502
ptls_async_job_t *ptls_get_async_job(ptls_t *tls)
5503
0
{
5504
0
    return tls->server.async_job;
5505
0
}
5506
5507
ptls_iovec_t ptls_get_client_random(ptls_t *tls)
5508
0
{
5509
0
    return ptls_iovec_init(tls->client_random, PTLS_HELLO_RANDOM_SIZE);
5510
0
}
5511
5512
ptls_cipher_suite_t *ptls_get_cipher(ptls_t *tls)
5513
0
{
5514
0
    return tls->cipher_suite;
5515
0
}
5516
5517
uint16_t ptls_get_protocol_version(ptls_t *tls)
5518
0
{
5519
0
    if (tls->traffic_protection.enc.tls12)
5520
0
        return PTLS_PROTOCOL_VERSION_TLS12;
5521
5522
0
    return PTLS_PROTOCOL_VERSION_TLS13;
5523
0
}
5524
5525
int ptls_get_traffic_keys(ptls_t *tls, int is_enc, uint8_t *key, uint8_t *iv, uint64_t *seq)
5526
0
{
5527
0
    struct st_ptls_traffic_protection_t *ctx = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec;
5528
0
    int ret;
5529
5530
0
    if ((ret = get_traffic_keys(tls->cipher_suite->aead, tls->cipher_suite->hash, key, iv, ctx->secret, ptls_iovec_init(NULL, 0),
5531
0
                                NULL)) != 0)
5532
0
        return ret;
5533
0
    *seq = ctx->seq;
5534
0
    return 0;
5535
0
}
5536
5537
const char *ptls_get_server_name(ptls_t *tls)
5538
0
{
5539
0
    return tls->server_name;
5540
0
}
5541
5542
int ptls_set_server_name(ptls_t *tls, const char *server_name, size_t server_name_len)
5543
0
{
5544
0
    char *duped = NULL;
5545
5546
0
    if (server_name != NULL &&
5547
0
        (duped = duplicate_as_str(server_name, server_name_len != 0 ? server_name_len : strlen(server_name))) == NULL)
5548
0
        return PTLS_ERROR_NO_MEMORY;
5549
5550
0
    free(tls->server_name);
5551
0
    tls->server_name = duped;
5552
5553
0
    return 0;
5554
0
}
5555
5556
const char *ptls_get_negotiated_protocol(ptls_t *tls)
5557
0
{
5558
0
    return tls->negotiated_protocol;
5559
0
}
5560
5561
int ptls_set_negotiated_protocol(ptls_t *tls, const char *protocol, size_t protocol_len)
5562
0
{
5563
0
    char *duped = NULL;
5564
5565
0
    if (protocol != NULL && (duped = duplicate_as_str(protocol, protocol_len != 0 ? protocol_len : strlen(protocol))) == NULL)
5566
0
        return PTLS_ERROR_NO_MEMORY;
5567
5568
0
    free(tls->negotiated_protocol);
5569
0
    tls->negotiated_protocol = duped;
5570
5571
0
    return 0;
5572
0
}
5573
5574
int ptls_handshake_is_complete(ptls_t *tls)
5575
0
{
5576
0
    return tls->state >= PTLS_STATE_POST_HANDSHAKE_MIN;
5577
0
}
5578
5579
int ptls_is_psk_handshake(ptls_t *tls)
5580
0
{
5581
0
    return tls->is_psk_handshake;
5582
0
}
5583
5584
int ptls_is_ech_handshake(ptls_t *tls, uint8_t *config_id, ptls_hpke_kem_t **kem, ptls_hpke_cipher_suite_t **cipher)
5585
0
{
5586
0
    if (tls->ech.accepted) {
5587
0
        if (config_id != NULL)
5588
0
            *config_id = tls->ech.config_id;
5589
0
        if (kem != NULL)
5590
0
            *kem = tls->ech.kem;
5591
0
        if (cipher != NULL)
5592
0
            *cipher = tls->ech.cipher;
5593
0
        return 1;
5594
0
    }
5595
0
    return 0;
5596
0
}
5597
5598
void **ptls_get_data_ptr(ptls_t *tls)
5599
0
{
5600
0
    return &tls->data_ptr;
5601
0
}
5602
5603
ptls_log_conn_state_t *ptls_get_log_state(ptls_t *tls)
5604
0
{
5605
0
#if PTLS_HAVE_LOG
5606
0
    return &tls->log_state;
5607
#else
5608
    return &ptls_log.dummy_conn_state;
5609
#endif
5610
0
}
5611
5612
static int handle_client_handshake_message(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, int is_end_of_record,
5613
                                           ptls_handshake_properties_t *properties)
5614
0
{
5615
0
    uint8_t type = message.base[0];
5616
0
    int ret;
5617
5618
0
    switch (tls->state) {
5619
0
    case PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO:
5620
0
    case PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO:
5621
0
        if (type == PTLS_HANDSHAKE_TYPE_SERVER_HELLO && is_end_of_record) {
5622
0
            ret = client_handle_hello(tls, emitter, message, properties);
5623
0
        } else {
5624
0
            ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
5625
0
        }
5626
0
        break;
5627
0
    case PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS:
5628
0
        if (type == PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS) {
5629
0
            ret = client_handle_encrypted_extensions(tls, message, properties);
5630
0
        } else {
5631
0
            ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
5632
0
        }
5633
0
        break;
5634
0
    case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE:
5635
0
        if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) {
5636
0
            ret = client_handle_certificate_request(tls, message, properties);
5637
0
            break;
5638
0
        }
5639
    /* fall through */
5640
0
    case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE:
5641
0
        switch (type) {
5642
0
        case PTLS_HANDSHAKE_TYPE_CERTIFICATE:
5643
0
            ret = client_handle_certificate(tls, message);
5644
0
            break;
5645
0
        case PTLS_HANDSHAKE_TYPE_COMPRESSED_CERTIFICATE:
5646
0
            ret = client_handle_compressed_certificate(tls, message);
5647
0
            break;
5648
0
        default:
5649
0
            ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
5650
0
            break;
5651
0
        }
5652
0
        break;
5653
0
    case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY:
5654
0
        if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
5655
0
            ret = client_handle_certificate_verify(tls, message);
5656
0
        } else {
5657
0
            ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
5658
0
        }
5659
0
        break;
5660
0
    case PTLS_STATE_CLIENT_EXPECT_FINISHED:
5661
0
        if (type == PTLS_HANDSHAKE_TYPE_FINISHED && is_end_of_record) {
5662
0
            ret = client_handle_finished(tls, emitter, message);
5663
0
        } else {
5664
0
            ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
5665
0
        }
5666
0
        break;
5667
0
    case PTLS_STATE_CLIENT_POST_HANDSHAKE:
5668
0
        switch (type) {
5669
0
        case PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET:
5670
0
            ret = client_handle_new_session_ticket(tls, message);
5671
0
            break;
5672
0
        case PTLS_HANDSHAKE_TYPE_KEY_UPDATE:
5673
0
            ret = handle_key_update(tls, emitter, message);
5674
0
            break;
5675
0
        default:
5676
0
            ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
5677
0
            break;
5678
0
        }
5679
0
        break;
5680
0
    default:
5681
0
        assert(!"unexpected state");
5682
0
        ret = PTLS_ALERT_INTERNAL_ERROR;
5683
0
        break;
5684
0
    }
5685
5686
0
    PTLS_PROBE(RECEIVE_MESSAGE, tls, message.base[0], message.base + PTLS_HANDSHAKE_HEADER_SIZE,
5687
0
               message.len - PTLS_HANDSHAKE_HEADER_SIZE, ret);
5688
0
    PTLS_LOG_CONN(receive_message, tls, {
5689
0
        PTLS_LOG_ELEMENT_UNSIGNED(message, message.base[0]);
5690
0
        PTLS_LOG_ELEMENT_UNSIGNED(len, message.len - PTLS_HANDSHAKE_HEADER_SIZE);
5691
0
        PTLS_LOG_ELEMENT_SIGNED(result, ret);
5692
0
    });
5693
5694
0
    return ret;
5695
0
}
5696
5697
static int handle_server_handshake_message(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, int is_end_of_record,
5698
                                           ptls_handshake_properties_t *properties)
5699
0
{
5700
0
    uint8_t type = message.base[0];
5701
0
    int ret;
5702
5703
0
    switch (tls->state) {
5704
0
    case PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO:
5705
0
    case PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO:
5706
0
        if (type == PTLS_HANDSHAKE_TYPE_CLIENT_HELLO && is_end_of_record) {
5707
0
            ret = server_handle_hello(tls, emitter, message, properties);
5708
0
        } else {
5709
0
            ret = PTLS_ALERT_HANDSHAKE_FAILURE;
5710
0
        }
5711
0
        break;
5712
0
    case PTLS_STATE_SERVER_EXPECT_CERTIFICATE:
5713
0
        if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE) {
5714
0
            ret = server_handle_certificate(tls, message);
5715
0
        } else {
5716
0
            ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
5717
0
        }
5718
0
        break;
5719
0
    case PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY:
5720
0
        if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) {
5721
0
            ret = server_handle_certificate_verify(tls, message);
5722
0
        } else {
5723
0
            ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
5724
0
        }
5725
0
        break;
5726
0
    case PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA:
5727
0
        assert(!tls->ctx->omit_end_of_early_data);
5728
0
        if (type == PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA) {
5729
0
            ret = server_handle_end_of_early_data(tls, message);
5730
0
        } else {
5731
0
            ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
5732
0
        }
5733
0
        break;
5734
0
    case PTLS_STATE_SERVER_EXPECT_FINISHED:
5735
0
        if (type == PTLS_HANDSHAKE_TYPE_FINISHED && is_end_of_record) {
5736
0
            ret = server_handle_finished(tls, message);
5737
0
        } else {
5738
0
            ret = PTLS_ALERT_HANDSHAKE_FAILURE;
5739
0
        }
5740
0
        break;
5741
0
    case PTLS_STATE_SERVER_POST_HANDSHAKE:
5742
0
        switch (type) {
5743
0
        case PTLS_HANDSHAKE_TYPE_KEY_UPDATE:
5744
0
            ret = handle_key_update(tls, emitter, message);
5745
0
            break;
5746
0
        default:
5747
0
            ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
5748
0
            break;
5749
0
        }
5750
0
        break;
5751
0
    default:
5752
0
        assert(!"unexpected state");
5753
0
        ret = PTLS_ALERT_INTERNAL_ERROR;
5754
0
        break;
5755
0
    }
5756
5757
0
    PTLS_PROBE(RECEIVE_MESSAGE, tls, message.base[0], message.base + PTLS_HANDSHAKE_HEADER_SIZE,
5758
0
               message.len - PTLS_HANDSHAKE_HEADER_SIZE, ret);
5759
0
    PTLS_LOG_CONN(receive_message, tls, {
5760
0
        PTLS_LOG_ELEMENT_UNSIGNED(message, message.base[0]);
5761
0
        PTLS_LOG_ELEMENT_UNSIGNED(len, message.len - PTLS_HANDSHAKE_HEADER_SIZE);
5762
0
        PTLS_LOG_ELEMENT_SIGNED(result, ret);
5763
0
    });
5764
5765
0
    return ret;
5766
0
}
5767
5768
static int handle_alert(ptls_t *tls, const uint8_t *src, size_t len)
5769
0
{
5770
0
    if (len != 2)
5771
0
        return PTLS_ALERT_DECODE_ERROR;
5772
5773
0
    uint8_t desc = src[1];
5774
5775
    /* all fatal alerts and USER_CANCELLED warning tears down the connection immediately, regardless of the transmitted level */
5776
0
    return PTLS_ALERT_TO_PEER_ERROR(desc);
5777
0
}
5778
5779
static int message_buffer_is_overflow(ptls_context_t *ctx, size_t size)
5780
0
{
5781
0
    if (ctx->max_buffer_size == 0)
5782
0
        return 0;
5783
0
    if (size <= ctx->max_buffer_size)
5784
0
        return 0;
5785
0
    return 1;
5786
0
}
5787
5788
static int handle_handshake_record(ptls_t *tls,
5789
                                   int (*cb)(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message,
5790
                                             int is_end_of_record, ptls_handshake_properties_t *properties),
5791
                                   ptls_message_emitter_t *emitter, struct st_ptls_record_t *rec,
5792
                                   ptls_handshake_properties_t *properties)
5793
0
{
5794
0
    int ret;
5795
5796
    /* handshake */
5797
0
    if (rec->type != PTLS_CONTENT_TYPE_HANDSHAKE)
5798
0
        return PTLS_ALERT_DECODE_ERROR;
5799
5800
    /* flatten the unhandled messages */
5801
0
    const uint8_t *src, *src_end;
5802
0
    if (tls->recvbuf.mess.base == NULL) {
5803
0
        src = rec->fragment;
5804
0
        src_end = src + rec->length;
5805
0
    } else {
5806
0
        if (message_buffer_is_overflow(tls->ctx, tls->recvbuf.mess.off + rec->length))
5807
0
            return PTLS_ALERT_HANDSHAKE_FAILURE;
5808
0
        if ((ret = ptls_buffer_reserve(&tls->recvbuf.mess, rec->length)) != 0)
5809
0
            return ret;
5810
0
        memcpy(tls->recvbuf.mess.base + tls->recvbuf.mess.off, rec->fragment, rec->length);
5811
0
        tls->recvbuf.mess.off += rec->length;
5812
0
        src = tls->recvbuf.mess.base;
5813
0
        src_end = src + tls->recvbuf.mess.off;
5814
0
    }
5815
5816
    /* handle the messages */
5817
0
    ret = PTLS_ERROR_IN_PROGRESS;
5818
0
    while (src_end - src >= 4) {
5819
0
        size_t mess_len = 4 + ntoh24(src + 1);
5820
0
        if (src_end - src < (int)mess_len)
5821
0
            break;
5822
0
        ret = cb(tls, emitter, ptls_iovec_init(src, mess_len), src_end - src == mess_len, properties);
5823
0
        switch (ret) {
5824
0
        case 0:
5825
0
        case PTLS_ERROR_ASYNC_OPERATION:
5826
0
        case PTLS_ERROR_IN_PROGRESS:
5827
0
            break;
5828
0
        default:
5829
0
            ptls_buffer_dispose(&tls->recvbuf.mess);
5830
0
            return ret;
5831
0
        }
5832
0
        src += mess_len;
5833
0
    }
5834
5835
    /* keep last partial message in buffer */
5836
0
    if (src != src_end) {
5837
0
        size_t new_size = src_end - src;
5838
0
        if (message_buffer_is_overflow(tls->ctx, new_size))
5839
0
            return PTLS_ALERT_HANDSHAKE_FAILURE;
5840
0
        if (tls->recvbuf.mess.base == NULL) {
5841
0
            ptls_buffer_init(&tls->recvbuf.mess, "", 0);
5842
0
            if ((ret = ptls_buffer_reserve(&tls->recvbuf.mess, new_size)) != 0)
5843
0
                return ret;
5844
0
            memcpy(tls->recvbuf.mess.base, src, new_size);
5845
0
        } else {
5846
0
            memmove(tls->recvbuf.mess.base, src, new_size);
5847
0
        }
5848
0
        tls->recvbuf.mess.off = new_size;
5849
0
        ret = PTLS_ERROR_IN_PROGRESS;
5850
0
    } else {
5851
0
        ptls_buffer_dispose(&tls->recvbuf.mess);
5852
0
    }
5853
5854
0
    return ret;
5855
0
}
5856
5857
static int handle_input(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_buffer_t *decryptbuf, const void *input, size_t *inlen,
5858
                        ptls_handshake_properties_t *properties)
5859
0
{
5860
0
    struct st_ptls_record_t rec;
5861
0
    int ret;
5862
5863
    /* extract the record */
5864
0
    if ((ret = parse_record(tls, &rec, input, inlen)) != 0)
5865
0
        return ret;
5866
0
    assert(rec.fragment != NULL);
5867
5868
    /* decrypt the record */
5869
0
    if (rec.type == PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) {
5870
0
        if (tls->state < PTLS_STATE_POST_HANDSHAKE_MIN) {
5871
0
            if (!(rec.length == 1 && rec.fragment[0] == 0x01))
5872
0
                return PTLS_ALERT_ILLEGAL_PARAMETER;
5873
0
        } else {
5874
0
            return PTLS_ALERT_HANDSHAKE_FAILURE;
5875
0
        }
5876
0
        ret = PTLS_ERROR_IN_PROGRESS;
5877
0
        goto NextRecord;
5878
0
    }
5879
0
    if (tls->traffic_protection.dec.aead != NULL && rec.type != PTLS_CONTENT_TYPE_ALERT) {
5880
0
        size_t decrypted_length;
5881
0
        if (rec.type != PTLS_CONTENT_TYPE_APPDATA)
5882
0
            return PTLS_ALERT_HANDSHAKE_FAILURE;
5883
0
        if ((ret = ptls_buffer_reserve(decryptbuf, 5 + rec.length)) != 0)
5884
0
            return ret;
5885
0
        if ((ret = aead_decrypt(&tls->traffic_protection.dec, decryptbuf->base + decryptbuf->off, &decrypted_length, rec.fragment,
5886
0
                                rec.length)) != 0) {
5887
0
            if (tls->is_server && tls->server.early_data_skipped_bytes != UINT32_MAX)
5888
0
                goto ServerSkipEarlyData;
5889
0
            return ret;
5890
0
        }
5891
0
        rec.length = decrypted_length;
5892
0
        rec.fragment = decryptbuf->base + decryptbuf->off;
5893
        /* skip padding */
5894
0
        for (; rec.length != 0; --rec.length)
5895
0
            if (rec.fragment[rec.length - 1] != 0)
5896
0
                break;
5897
0
        if (rec.length == 0)
5898
0
            return PTLS_ALERT_UNEXPECTED_MESSAGE;
5899
0
        rec.type = rec.fragment[--rec.length];
5900
0
    } else if (rec.type == PTLS_CONTENT_TYPE_APPDATA && tls->is_server && tls->server.early_data_skipped_bytes != UINT32_MAX) {
5901
0
        goto ServerSkipEarlyData;
5902
0
    }
5903
5904
0
    if (tls->recvbuf.mess.base != NULL || rec.type == PTLS_CONTENT_TYPE_HANDSHAKE) {
5905
        /* handshake record */
5906
0
        ret = handle_handshake_record(tls, tls->is_server ? handle_server_handshake_message : handle_client_handshake_message,
5907
0
                                      emitter, &rec, properties);
5908
0
    } else {
5909
        /* handling of an alert or an application record */
5910
0
        switch (rec.type) {
5911
0
        case PTLS_CONTENT_TYPE_APPDATA:
5912
0
            if (tls->state >= PTLS_STATE_POST_HANDSHAKE_MIN) {
5913
0
                decryptbuf->off += rec.length;
5914
0
                ret = 0;
5915
0
            } else if (tls->state == PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA) {
5916
0
                if (tls->traffic_protection.dec.aead != NULL)
5917
0
                    decryptbuf->off += rec.length;
5918
0
                ret = 0;
5919
0
            } else {
5920
0
                ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
5921
0
            }
5922
0
            break;
5923
0
        case PTLS_CONTENT_TYPE_ALERT:
5924
0
            ret = handle_alert(tls, rec.fragment, rec.length);
5925
0
            break;
5926
0
        default:
5927
0
            ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
5928
0
            break;
5929
0
        }
5930
0
    }
5931
5932
0
NextRecord:
5933
0
    ptls_buffer_dispose(&tls->recvbuf.rec);
5934
0
    return ret;
5935
5936
0
ServerSkipEarlyData:
5937
0
    tls->server.early_data_skipped_bytes += (uint32_t)rec.length;
5938
0
    if (tls->server.early_data_skipped_bytes > PTLS_MAX_EARLY_DATA_SKIP_SIZE)
5939
0
        return PTLS_ALERT_HANDSHAKE_FAILURE;
5940
0
    ret = PTLS_ERROR_IN_PROGRESS;
5941
0
    goto NextRecord;
5942
0
}
5943
5944
static int handle_input_tls12(ptls_t *tls, ptls_buffer_t *decryptbuf, const void *input, size_t *inlen)
5945
0
{
5946
0
    struct st_ptls_record_t rec;
5947
0
    int ret;
5948
5949
    /* extract the record, or bail out */
5950
0
    if ((ret = parse_record(tls, &rec, input, inlen)) != 0)
5951
0
        return ret;
5952
0
    assert(rec.fragment != NULL);
5953
5954
0
    const uint8_t *src = rec.fragment, *end = src + rec.length;
5955
0
    uint64_t nonce;
5956
0
    uint8_t aad[PTLS_TLS12_AAD_SIZE];
5957
5958
    /* determine the nonce */
5959
0
    if (tls->traffic_protection.dec.aead->algo->tls12.record_iv_size != 0) {
5960
0
        assert(tls->traffic_protection.dec.aead->algo->tls12.record_iv_size == 8);
5961
0
        if ((ret = ptls_decode64(&nonce, &src, end)) != 0)
5962
0
            goto Exit;
5963
0
    } else {
5964
0
        nonce = tls->traffic_protection.dec.seq;
5965
0
    }
5966
5967
    /* determine cleartext length */
5968
0
    size_t textlen = end - src;
5969
0
    if (textlen < tls->traffic_protection.dec.aead->algo->tag_size) {
5970
0
        ret = PTLS_ALERT_BAD_RECORD_MAC;
5971
0
        goto Exit;
5972
0
    }
5973
0
    textlen -= tls->traffic_protection.dec.aead->algo->tag_size;
5974
5975
    /* build aad */
5976
0
    build_tls12_aad(aad, rec.type, tls->traffic_protection.dec.seq, (uint16_t)textlen);
5977
5978
    /* decrypt input to decryptbuf */
5979
0
    if ((ret = ptls_buffer_reserve(decryptbuf, textlen)) != 0)
5980
0
        goto Exit;
5981
0
    if (ptls_aead_decrypt(tls->traffic_protection.dec.aead, decryptbuf->base + decryptbuf->off, src, end - src, nonce, aad,
5982
0
                          sizeof(aad)) != textlen) {
5983
0
        ret = PTLS_ALERT_BAD_RECORD_MAC;
5984
0
        goto Exit;
5985
0
    }
5986
0
    ++tls->traffic_protection.dec.seq;
5987
5988
    /* record-type specific action */
5989
0
    switch (rec.type) {
5990
0
    case PTLS_CONTENT_TYPE_APPDATA:
5991
        /* if application data, retain the bytes being decrypted */
5992
0
        decryptbuf->off += textlen;
5993
0
        break;
5994
0
    case PTLS_CONTENT_TYPE_ALERT:
5995
        /* submit alert without adjusting decryptbuf, so that the decrypted data would be dropped after handling the alert */
5996
0
        ret = handle_alert(tls, decryptbuf->base + decryptbuf->off, textlen);
5997
0
        break;
5998
0
    default:
5999
0
        ret = PTLS_ALERT_UNEXPECTED_MESSAGE;
6000
0
        break;
6001
0
    }
6002
6003
0
Exit:
6004
0
    ptls_buffer_dispose(&tls->recvbuf.rec);
6005
0
    ptls_clear_memory(aad, sizeof(aad));
6006
0
    return 0;
6007
0
}
6008
6009
static void init_record_message_emitter(ptls_t *tls, struct st_ptls_record_message_emitter_t *emitter, ptls_buffer_t *sendbuf)
6010
0
{
6011
0
    *emitter = (struct st_ptls_record_message_emitter_t){
6012
0
        {sendbuf, &tls->traffic_protection.enc, 5, begin_record_message, commit_record_message}};
6013
0
}
6014
6015
int ptls_handshake(ptls_t *tls, ptls_buffer_t *_sendbuf, const void *input, size_t *inlen, ptls_handshake_properties_t *properties)
6016
0
{
6017
0
    struct st_ptls_record_message_emitter_t emitter;
6018
0
    int ret;
6019
6020
0
    assert(tls->state < PTLS_STATE_POST_HANDSHAKE_MIN);
6021
6022
0
    init_record_message_emitter(tls, &emitter, _sendbuf);
6023
0
    size_t sendbuf_orig_off = emitter.super.buf->off;
6024
6025
    /* special handlings */
6026
0
    switch (tls->state) {
6027
0
    case PTLS_STATE_CLIENT_HANDSHAKE_START: {
6028
0
        assert(input == NULL || *inlen == 0);
6029
0
        return send_client_hello(tls, &emitter.super, properties, NULL);
6030
0
    }
6031
0
    case PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY:
6032
0
        return server_finish_handshake(tls, &emitter.super, 1, NULL);
6033
0
    default:
6034
0
        break;
6035
0
    }
6036
6037
0
    const uint8_t *src = input, *const src_end = src + *inlen;
6038
0
    ptls_buffer_t decryptbuf;
6039
6040
0
    ptls_buffer_init(&decryptbuf, "", 0);
6041
6042
    /* perform handhake until completion or until all the input has been swallowed */
6043
0
    ret = PTLS_ERROR_IN_PROGRESS;
6044
0
    while (ret == PTLS_ERROR_IN_PROGRESS && src != src_end) {
6045
0
        size_t consumed = src_end - src;
6046
0
        ret = handle_input(tls, &emitter.super, &decryptbuf, src, &consumed, properties);
6047
0
        src += consumed;
6048
0
        assert(decryptbuf.off == 0);
6049
0
    }
6050
6051
0
    ptls_buffer_dispose(&decryptbuf);
6052
6053
0
    switch (ret) {
6054
0
    case 0:
6055
0
    case PTLS_ERROR_IN_PROGRESS:
6056
0
    case PTLS_ERROR_STATELESS_RETRY:
6057
0
    case PTLS_ERROR_ASYNC_OPERATION:
6058
0
        break;
6059
0
    default:
6060
        /* Flush handshake messages that have been written partially. ECH_REQUIRED sticks out because it is a message sent
6061
         * post-handshake compared to other alerts that are generating *during* the handshake. */
6062
0
        if (ret != PTLS_ALERT_ECH_REQUIRED) {
6063
0
            ptls_clear_memory(emitter.super.buf->base + sendbuf_orig_off, emitter.super.buf->off - sendbuf_orig_off);
6064
0
            emitter.super.buf->off = sendbuf_orig_off;
6065
0
        }
6066
        /* send alert immediately */
6067
0
        if (PTLS_ERROR_GET_CLASS(ret) != PTLS_ERROR_CLASS_PEER_ALERT)
6068
0
            if (ptls_send_alert(tls, emitter.super.buf, PTLS_ALERT_LEVEL_FATAL,
6069
0
                                PTLS_ERROR_GET_CLASS(ret) == PTLS_ERROR_CLASS_SELF_ALERT ? ret : PTLS_ALERT_INTERNAL_ERROR) != 0)
6070
0
                emitter.super.buf->off = sendbuf_orig_off;
6071
0
        break;
6072
0
    }
6073
6074
0
    *inlen -= src_end - src;
6075
0
    return ret;
6076
0
}
6077
6078
int ptls_receive(ptls_t *tls, ptls_buffer_t *decryptbuf, const void *_input, size_t *inlen)
6079
0
{
6080
0
    const uint8_t *input = (const uint8_t *)_input, *const end = input + *inlen;
6081
0
    size_t decryptbuf_orig_size = decryptbuf->off;
6082
0
    int ret = 0;
6083
6084
0
    assert(tls->state >= PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA);
6085
6086
    /* loop until we decrypt some application data (or an error) */
6087
0
    while (ret == 0 && input != end && decryptbuf_orig_size == decryptbuf->off) {
6088
0
        size_t consumed = end - input;
6089
0
        if (tls->traffic_protection.dec.tls12) {
6090
0
            ret = handle_input_tls12(tls, decryptbuf, input, &consumed);
6091
0
        } else {
6092
0
            ret = handle_input(tls, NULL, decryptbuf, input, &consumed, NULL);
6093
0
        }
6094
0
        input += consumed;
6095
6096
0
        switch (ret) {
6097
0
        case 0:
6098
0
            break;
6099
0
        case PTLS_ERROR_IN_PROGRESS:
6100
0
            ret = 0;
6101
0
            break;
6102
0
        case PTLS_ERROR_CLASS_PEER_ALERT + PTLS_ALERT_CLOSE_NOTIFY:
6103
            /* TODO send close alert */
6104
0
            break;
6105
0
        default:
6106
0
            if (PTLS_ERROR_GET_CLASS(ret) == PTLS_ERROR_CLASS_SELF_ALERT) {
6107
                /* TODO send alert */
6108
0
            }
6109
0
            break;
6110
0
        }
6111
0
    }
6112
6113
0
    *inlen -= end - input;
6114
6115
0
    return ret;
6116
0
}
6117
6118
static int update_send_key(ptls_t *tls, ptls_buffer_t *_sendbuf, int request_update)
6119
0
{
6120
0
    struct st_ptls_record_message_emitter_t emitter;
6121
0
    int ret;
6122
6123
0
    init_record_message_emitter(tls, &emitter, _sendbuf);
6124
0
    size_t sendbuf_orig_off = emitter.super.buf->off;
6125
6126
0
    ptls_push_message(&emitter.super, NULL, PTLS_HANDSHAKE_TYPE_KEY_UPDATE,
6127
0
                      { ptls_buffer_push(emitter.super.buf, !!request_update); });
6128
0
    if ((ret = update_traffic_key(tls, 1)) != 0)
6129
0
        goto Exit;
6130
0
    ret = 0;
6131
6132
0
Exit:
6133
0
    if (ret != 0)
6134
0
        emitter.super.buf->off = sendbuf_orig_off;
6135
0
    return ret;
6136
0
}
6137
6138
int ptls_send(ptls_t *tls, ptls_buffer_t *sendbuf, const void *input, size_t inlen)
6139
0
{
6140
0
    assert(tls->traffic_protection.enc.aead != NULL);
6141
6142
    /* "For AES-GCM, up to 2^24.5 full-size records (about 24 million) may be encrypted on a given connection while keeping a
6143
     * safety margin of approximately 2^-57 for Authenticated Encryption (AE) security." (RFC 8446 section 5.5).
6144
     *
6145
     * Key updates do not happen with tls 1.2, check `key_schedule` to see if we are using tls/1.3
6146
     */
6147
0
    if (tls->traffic_protection.enc.seq >= 16777216 && tls->key_schedule != NULL)
6148
0
        tls->needs_key_update = 1;
6149
6150
0
    if (tls->needs_key_update) {
6151
0
        int ret;
6152
0
        if ((ret = update_send_key(tls, sendbuf, tls->key_update_send_request)) != 0)
6153
0
            return ret;
6154
0
        tls->needs_key_update = 0;
6155
0
        tls->key_update_send_request = 0;
6156
0
    }
6157
6158
0
    return buffer_push_encrypted_records(sendbuf, PTLS_CONTENT_TYPE_APPDATA, input, inlen, &tls->traffic_protection.enc);
6159
0
}
6160
6161
int ptls_update_key(ptls_t *tls, int request_update)
6162
0
{
6163
0
    assert(tls->ctx->update_traffic_key == NULL);
6164
0
    tls->needs_key_update = 1;
6165
0
    tls->key_update_send_request = request_update;
6166
0
    return 0;
6167
0
}
6168
6169
size_t ptls_get_record_overhead(ptls_t *tls)
6170
0
{
6171
0
    ptls_aead_algorithm_t *algo = tls->traffic_protection.enc.aead->algo;
6172
6173
0
    if (tls->traffic_protection.enc.tls12) {
6174
0
        return 5 + algo->tls12.record_iv_size + algo->tag_size;
6175
0
    } else {
6176
0
        return 6 + algo->tag_size;
6177
0
    }
6178
0
}
6179
6180
int ptls_send_alert(ptls_t *tls, ptls_buffer_t *sendbuf, uint8_t level, uint8_t description)
6181
0
{
6182
0
    size_t rec_start = sendbuf->off;
6183
0
    int ret = 0;
6184
6185
0
    buffer_push_record(sendbuf, PTLS_CONTENT_TYPE_ALERT, { ptls_buffer_push(sendbuf, level, description); });
6186
    /* encrypt the alert if we have the encryption keys, unless when it is the early data key */
6187
0
    if (tls->traffic_protection.enc.aead != NULL && !(tls->state <= PTLS_STATE_CLIENT_EXPECT_FINISHED)) {
6188
0
        if ((ret = buffer_encrypt_record(sendbuf, rec_start, &tls->traffic_protection.enc)) != 0)
6189
0
            goto Exit;
6190
0
    }
6191
6192
0
Exit:
6193
0
    return ret;
6194
0
}
6195
6196
int ptls_export_secret(ptls_t *tls, void *output, size_t outlen, const char *label, ptls_iovec_t context_value, int is_early)
6197
0
{
6198
0
    ptls_hash_algorithm_t *algo = tls->key_schedule->hashes[0].algo;
6199
0
    uint8_t *master_secret = is_early ? tls->exporter_master_secret.early : tls->exporter_master_secret.one_rtt,
6200
0
            derived_secret[PTLS_MAX_DIGEST_SIZE], context_value_hash[PTLS_MAX_DIGEST_SIZE];
6201
0
    int ret;
6202
6203
0
    if (master_secret == NULL) {
6204
0
        if (is_early) {
6205
0
            switch (tls->state) {
6206
0
            case PTLS_STATE_CLIENT_HANDSHAKE_START:
6207
0
            case PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO:
6208
0
                ret = PTLS_ERROR_IN_PROGRESS;
6209
0
                break;
6210
0
            default:
6211
0
                ret = PTLS_ERROR_NOT_AVAILABLE;
6212
0
                break;
6213
0
            }
6214
0
        } else {
6215
0
            ret = PTLS_ERROR_IN_PROGRESS;
6216
0
        }
6217
0
        return ret;
6218
0
    }
6219
6220
0
    if ((ret = ptls_calc_hash(algo, context_value_hash, context_value.base, context_value.len)) != 0)
6221
0
        return ret;
6222
6223
0
    if ((ret = ptls_hkdf_expand_label(algo, derived_secret, algo->digest_size, ptls_iovec_init(master_secret, algo->digest_size),
6224
0
                                      label, ptls_iovec_init(algo->empty_digest, algo->digest_size), NULL)) != 0)
6225
0
        goto Exit;
6226
0
    ret = ptls_hkdf_expand_label(algo, output, outlen, ptls_iovec_init(derived_secret, algo->digest_size), "exporter",
6227
0
                                 ptls_iovec_init(context_value_hash, algo->digest_size), NULL);
6228
6229
0
Exit:
6230
0
    ptls_clear_memory(derived_secret, sizeof(derived_secret));
6231
0
    ptls_clear_memory(context_value_hash, sizeof(context_value_hash));
6232
0
    return ret;
6233
0
}
6234
6235
struct st_picotls_hmac_context_t {
6236
    ptls_hash_context_t super;
6237
    ptls_hash_algorithm_t *algo;
6238
    ptls_hash_context_t *hash;
6239
    uint8_t key[1];
6240
};
6241
6242
static void hmac_update(ptls_hash_context_t *_ctx, const void *src, size_t len)
6243
0
{
6244
0
    struct st_picotls_hmac_context_t *ctx = (struct st_picotls_hmac_context_t *)_ctx;
6245
0
    ctx->hash->update(ctx->hash, src, len);
6246
0
}
6247
6248
static void hmac_apply_key(struct st_picotls_hmac_context_t *ctx, uint8_t pad)
6249
0
{
6250
0
    size_t i;
6251
6252
0
    for (i = 0; i != ctx->algo->block_size; ++i)
6253
0
        ctx->key[i] ^= pad;
6254
0
    ctx->hash->update(ctx->hash, ctx->key, ctx->algo->block_size);
6255
0
    for (i = 0; i != ctx->algo->block_size; ++i)
6256
0
        ctx->key[i] ^= pad;
6257
0
}
6258
6259
static void hmac_final(ptls_hash_context_t *_ctx, void *md, ptls_hash_final_mode_t mode)
6260
0
{
6261
0
    struct st_picotls_hmac_context_t *ctx = (struct st_picotls_hmac_context_t *)_ctx;
6262
6263
0
    assert(mode != PTLS_HASH_FINAL_MODE_SNAPSHOT || !"not supported");
6264
6265
0
    if (md != NULL) {
6266
0
        ctx->hash->final(ctx->hash, md, PTLS_HASH_FINAL_MODE_RESET);
6267
0
        hmac_apply_key(ctx, 0x5c);
6268
0
        ctx->hash->update(ctx->hash, md, ctx->algo->digest_size);
6269
0
    }
6270
0
    ctx->hash->final(ctx->hash, md, mode);
6271
6272
0
    switch (mode) {
6273
0
    case PTLS_HASH_FINAL_MODE_FREE:
6274
0
        ptls_clear_memory(ctx->key, ctx->algo->block_size);
6275
0
        free(ctx);
6276
0
        break;
6277
0
    case PTLS_HASH_FINAL_MODE_RESET:
6278
0
        hmac_apply_key(ctx, 0x36);
6279
0
        break;
6280
0
    default:
6281
0
        assert(!"FIXME");
6282
0
        break;
6283
0
    }
6284
0
}
6285
6286
int ptls_calc_hash(ptls_hash_algorithm_t *algo, void *output, const void *src, size_t len)
6287
0
{
6288
0
    ptls_hash_context_t *ctx;
6289
6290
0
    if ((ctx = algo->create()) == NULL)
6291
0
        return PTLS_ERROR_NO_MEMORY;
6292
0
    ctx->update(ctx, src, len);
6293
0
    ctx->final(ctx, output, PTLS_HASH_FINAL_MODE_FREE);
6294
0
    return 0;
6295
0
}
6296
6297
ptls_hash_context_t *ptls_hmac_create(ptls_hash_algorithm_t *algo, const void *key, size_t key_size)
6298
0
{
6299
0
    struct st_picotls_hmac_context_t *ctx;
6300
6301
0
    assert(key_size <= algo->block_size);
6302
6303
0
    if ((ctx = malloc(offsetof(struct st_picotls_hmac_context_t, key) + algo->block_size)) == NULL)
6304
0
        return NULL;
6305
6306
0
    *ctx = (struct st_picotls_hmac_context_t){{hmac_update, hmac_final}, algo};
6307
0
    if ((ctx->hash = algo->create()) == NULL) {
6308
0
        free(ctx);
6309
0
        return NULL;
6310
0
    }
6311
0
    memset(ctx->key, 0, algo->block_size);
6312
0
    memcpy(ctx->key, key, key_size);
6313
6314
0
    hmac_apply_key(ctx, 0x36);
6315
6316
0
    return &ctx->super;
6317
0
}
6318
6319
int ptls_hkdf_extract(ptls_hash_algorithm_t *algo, void *output, ptls_iovec_t salt, ptls_iovec_t ikm)
6320
0
{
6321
0
    ptls_hash_context_t *hash;
6322
6323
0
    if (salt.len == 0)
6324
0
        salt = ptls_iovec_init(zeroes_of_max_digest_size, algo->digest_size);
6325
6326
0
    if ((hash = ptls_hmac_create(algo, salt.base, salt.len)) == NULL)
6327
0
        return PTLS_ERROR_NO_MEMORY;
6328
0
    hash->update(hash, ikm.base, ikm.len);
6329
0
    hash->final(hash, output, PTLS_HASH_FINAL_MODE_FREE);
6330
0
    return 0;
6331
0
}
6332
6333
int ptls_hkdf_expand(ptls_hash_algorithm_t *algo, void *output, size_t outlen, ptls_iovec_t prk, ptls_iovec_t info)
6334
0
{
6335
0
    ptls_hash_context_t *hmac = NULL;
6336
0
    size_t i;
6337
0
    uint8_t digest[PTLS_MAX_DIGEST_SIZE];
6338
6339
0
    for (i = 0; (i * algo->digest_size) < outlen; ++i) {
6340
0
        if (hmac == NULL) {
6341
0
            if ((hmac = ptls_hmac_create(algo, prk.base, prk.len)) == NULL)
6342
0
                return PTLS_ERROR_NO_MEMORY;
6343
0
        } else {
6344
0
            hmac->update(hmac, digest, algo->digest_size);
6345
0
        }
6346
0
        hmac->update(hmac, info.base, info.len);
6347
0
        uint8_t gen = (uint8_t)(i + 1);
6348
0
        hmac->update(hmac, &gen, 1);
6349
0
        hmac->final(hmac, digest, 1);
6350
6351
0
        size_t off_start = i * algo->digest_size, off_end = off_start + algo->digest_size;
6352
0
        if (off_end > outlen)
6353
0
            off_end = outlen;
6354
0
        memcpy((uint8_t *)output + off_start, digest, off_end - off_start);
6355
0
    }
6356
6357
0
    if (hmac != NULL)
6358
0
        hmac->final(hmac, NULL, PTLS_HASH_FINAL_MODE_FREE);
6359
6360
0
    ptls_clear_memory(digest, algo->digest_size);
6361
6362
0
    return 0;
6363
0
}
6364
6365
int ptls_hkdf_expand_label(ptls_hash_algorithm_t *algo, void *output, size_t outlen, ptls_iovec_t secret, const char *label,
6366
                           ptls_iovec_t hash_value, const char *label_prefix)
6367
0
{
6368
0
    ptls_buffer_t hkdf_label;
6369
0
    uint8_t hkdf_label_buf[80];
6370
0
    int ret;
6371
6372
0
    ptls_buffer_init(&hkdf_label, hkdf_label_buf, sizeof(hkdf_label_buf));
6373
6374
0
    ptls_buffer_push16(&hkdf_label, (uint16_t)outlen);
6375
0
    ptls_buffer_push_block(&hkdf_label, 1, {
6376
0
        if (label_prefix == NULL)
6377
0
            label_prefix = PTLS_HKDF_EXPAND_LABEL_PREFIX;
6378
0
        ptls_buffer_pushv(&hkdf_label, label_prefix, strlen(label_prefix));
6379
0
        ptls_buffer_pushv(&hkdf_label, label, strlen(label));
6380
0
    });
6381
0
    ptls_buffer_push_block(&hkdf_label, 1, { ptls_buffer_pushv(&hkdf_label, hash_value.base, hash_value.len); });
6382
6383
0
    ret = ptls_hkdf_expand(algo, output, outlen, secret, ptls_iovec_init(hkdf_label.base, hkdf_label.off));
6384
6385
0
Exit:
6386
0
    ptls_buffer_dispose(&hkdf_label);
6387
0
    return ret;
6388
0
}
6389
6390
int ptls_tls12_phash(ptls_hash_algorithm_t *algo, void *output, size_t outlen, ptls_iovec_t secret, const char *label,
6391
                     ptls_iovec_t seed)
6392
0
{
6393
0
    ptls_hash_context_t *hmac;
6394
0
    uint8_t An[PTLS_MAX_DIGEST_SIZE];
6395
0
    size_t output_off = 0;
6396
6397
0
    if ((hmac = ptls_hmac_create(algo, secret.base, secret.len)) == NULL)
6398
0
        return PTLS_ERROR_NO_MEMORY;
6399
6400
    /* A(1) = HMAC_hash(secret, label + seed) */
6401
0
    if (label != NULL)
6402
0
        hmac->update(hmac, label, strlen(label));
6403
0
    hmac->update(hmac, seed.base, seed.len);
6404
0
    hmac->final(hmac, An, PTLS_HASH_FINAL_MODE_RESET);
6405
6406
0
    while (1) {
6407
        /* output += HMAC_hash(secret, A(i) + label + seed) */
6408
0
        hmac->update(hmac, An, algo->digest_size);
6409
0
        if (label != NULL)
6410
0
            hmac->update(hmac, label, strlen(label));
6411
0
        hmac->update(hmac, seed.base, seed.len);
6412
0
        if (outlen - output_off <= algo->digest_size) {
6413
            /* digest of last chunk is at first written to An then the necessary bytes are copied to output */
6414
0
            hmac->final(hmac, An, PTLS_HASH_FINAL_MODE_FREE);
6415
0
            memcpy((uint8_t *)output + output_off, An, outlen - output_off);
6416
0
            break;
6417
0
        }
6418
0
        hmac->final(hmac, (uint8_t *)output + output_off, PTLS_HASH_FINAL_MODE_RESET);
6419
0
        output_off += algo->digest_size;
6420
6421
        /* A(i) = HMAC_hash(secret, A(i-1)) */
6422
0
        hmac->update(hmac, An, algo->digest_size);
6423
0
        hmac->final(hmac, An, PTLS_HASH_FINAL_MODE_RESET);
6424
0
    }
6425
6426
0
    ptls_clear_memory(An, algo->digest_size);
6427
6428
0
    return 0;
6429
0
}
6430
6431
ptls_cipher_context_t *ptls_cipher_new(ptls_cipher_algorithm_t *algo, int is_enc, const void *key)
6432
0
{
6433
0
    ptls_cipher_context_t *ctx;
6434
6435
0
    if ((ctx = (ptls_cipher_context_t *)malloc(algo->context_size)) == NULL)
6436
0
        return NULL;
6437
0
    *ctx = (ptls_cipher_context_t){algo};
6438
0
    if (algo->setup_crypto(ctx, is_enc, key) != 0) {
6439
0
        free(ctx);
6440
0
        ctx = NULL;
6441
0
    }
6442
0
    return ctx;
6443
0
}
6444
6445
void ptls_cipher_free(ptls_cipher_context_t *ctx)
6446
0
{
6447
0
    ctx->do_dispose(ctx);
6448
0
    free(ctx);
6449
0
}
6450
6451
ptls_aead_context_t *new_aead(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, int is_enc, const void *secret,
6452
                              ptls_iovec_t hash_value, const char *label_prefix)
6453
0
{
6454
0
    ptls_aead_context_t *ctx = NULL;
6455
0
    struct {
6456
0
        uint8_t key[PTLS_MAX_SECRET_SIZE];
6457
0
        uint8_t iv[PTLS_MAX_IV_SIZE];
6458
0
    } key_iv;
6459
0
    int ret;
6460
6461
0
    if ((ret = get_traffic_keys(aead, hash, key_iv.key, key_iv.iv, secret, hash_value, label_prefix)) != 0)
6462
0
        goto Exit;
6463
0
    ctx = ptls_aead_new_direct(aead, is_enc, key_iv.key, key_iv.iv);
6464
0
Exit:
6465
0
    ptls_clear_memory(&key_iv, sizeof(key_iv));
6466
0
    return ctx;
6467
0
}
6468
6469
ptls_aead_context_t *ptls_aead_new(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, int is_enc, const void *secret,
6470
                                   const char *label_prefix)
6471
0
{
6472
0
    return new_aead(aead, hash, is_enc, secret, ptls_iovec_init(NULL, 0), label_prefix);
6473
0
}
6474
6475
ptls_aead_context_t *ptls_aead_new_direct(ptls_aead_algorithm_t *aead, int is_enc, const void *key, const void *iv)
6476
0
{
6477
0
    ptls_aead_context_t *ctx;
6478
6479
0
    if ((ctx = (ptls_aead_context_t *)malloc(aead->context_size)) == NULL)
6480
0
        return NULL;
6481
6482
0
    *ctx = (ptls_aead_context_t){aead};
6483
6484
0
    if (aead->setup_crypto(ctx, is_enc, key, iv) != 0) {
6485
0
        free(ctx);
6486
0
        return NULL;
6487
0
    }
6488
6489
0
    return ctx;
6490
0
}
6491
6492
void ptls_aead_free(ptls_aead_context_t *ctx)
6493
0
{
6494
0
    ctx->dispose_crypto(ctx);
6495
0
    free(ctx);
6496
0
}
6497
6498
void ptls_aead_xor_iv(ptls_aead_context_t *ctx, const void *_bytes, size_t len)
6499
0
{
6500
0
    const uint8_t *bytes = _bytes;
6501
0
    uint8_t iv[PTLS_MAX_IV_SIZE];
6502
6503
0
    ptls_aead_get_iv(ctx, iv);
6504
0
    for (size_t i = 0; i < len; ++i)
6505
0
        iv[i] ^= bytes[i];
6506
0
    ptls_aead_set_iv(ctx, iv);
6507
0
}
6508
6509
void ptls_aead__build_iv(ptls_aead_algorithm_t *algo, uint8_t *iv, const uint8_t *static_iv, uint64_t seq)
6510
0
{
6511
0
    size_t iv_size = algo->iv_size, i;
6512
0
    const uint8_t *s = static_iv;
6513
0
    uint8_t *d = iv;
6514
6515
    /* build iv */
6516
0
    for (i = iv_size - 8; i != 0; --i)
6517
0
        *d++ = *s++;
6518
0
    i = 64;
6519
0
    do {
6520
0
        i -= 8;
6521
0
        *d++ = *s++ ^ (uint8_t)(seq >> i);
6522
0
    } while (i != 0);
6523
0
}
6524
6525
static void clear_memory(void *p, size_t len)
6526
0
{
6527
0
    if (len != 0)
6528
0
        memset(p, 0, len);
6529
0
}
6530
6531
void (*volatile ptls_clear_memory)(void *p, size_t len) = clear_memory;
6532
6533
static int mem_equal(const void *_x, const void *_y, size_t len)
6534
0
{
6535
0
    const volatile uint8_t *x = _x, *y = _y;
6536
0
    uint8_t t = 0;
6537
6538
0
    for (; len != 0; --len)
6539
0
        t |= *x++ ^ *y++;
6540
6541
0
    return t == 0;
6542
0
}
6543
6544
int (*volatile ptls_mem_equal)(const void *x, const void *y, size_t len) = mem_equal;
6545
6546
static uint64_t get_time(ptls_get_time_t *self)
6547
0
{
6548
0
    struct timeval tv;
6549
0
    gettimeofday(&tv, NULL);
6550
0
    return (uint64_t)tv.tv_sec * 1000 + tv.tv_usec / 1000;
6551
0
}
6552
6553
ptls_get_time_t ptls_get_time = {get_time};
6554
6555
int ptls_is_server(ptls_t *tls)
6556
0
{
6557
0
    return tls->is_server;
6558
0
}
6559
6560
struct st_ptls_raw_message_emitter_t {
6561
    ptls_message_emitter_t super;
6562
    size_t start_off;
6563
    size_t *epoch_offsets;
6564
};
6565
6566
static int begin_raw_message(ptls_message_emitter_t *_self)
6567
0
{
6568
0
    struct st_ptls_raw_message_emitter_t *self = (void *)_self;
6569
6570
0
    self->start_off = self->super.buf->off;
6571
0
    return 0;
6572
0
}
6573
6574
static int commit_raw_message(ptls_message_emitter_t *_self)
6575
0
{
6576
0
    struct st_ptls_raw_message_emitter_t *self = (void *)_self;
6577
0
    size_t epoch;
6578
6579
    /* epoch is the key epoch, with the only exception being 2nd CH generated after 0-RTT key */
6580
0
    epoch = self->super.enc->epoch;
6581
0
    if (epoch == 1 && self->super.buf->base[self->start_off] == PTLS_HANDSHAKE_TYPE_CLIENT_HELLO)
6582
0
        epoch = 0;
6583
6584
0
    for (++epoch; epoch < 5; ++epoch) {
6585
0
        assert(self->epoch_offsets[epoch] == self->start_off);
6586
0
        self->epoch_offsets[epoch] = self->super.buf->off;
6587
0
    }
6588
6589
0
    self->start_off = SIZE_MAX;
6590
6591
0
    return 0;
6592
0
}
6593
6594
size_t ptls_get_read_epoch(ptls_t *tls)
6595
0
{
6596
0
    switch (tls->state) {
6597
0
    case PTLS_STATE_CLIENT_HANDSHAKE_START:
6598
0
    case PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO:
6599
0
    case PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO:
6600
0
    case PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO:
6601
0
    case PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO:
6602
0
        return 0; /* plaintext */
6603
0
    case PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA:
6604
0
        assert(!tls->ctx->omit_end_of_early_data);
6605
0
        return 1; /* 0-rtt */
6606
0
    case PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS:
6607
0
    case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE:
6608
0
    case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE:
6609
0
    case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY:
6610
0
    case PTLS_STATE_CLIENT_EXPECT_FINISHED:
6611
0
    case PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY:
6612
0
    case PTLS_STATE_SERVER_EXPECT_CERTIFICATE:
6613
0
    case PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY:
6614
0
    case PTLS_STATE_SERVER_EXPECT_FINISHED:
6615
0
        return 2; /* handshake */
6616
0
    case PTLS_STATE_CLIENT_POST_HANDSHAKE:
6617
0
    case PTLS_STATE_SERVER_POST_HANDSHAKE:
6618
0
        return 3; /* 1-rtt */
6619
0
    default:
6620
0
        assert(!"invalid state");
6621
0
        return SIZE_MAX;
6622
0
    }
6623
0
}
6624
6625
int ptls_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input,
6626
                        size_t inlen, ptls_handshake_properties_t *properties)
6627
0
{
6628
0
    return tls->is_server ? ptls_server_handle_message(tls, sendbuf, epoch_offsets, in_epoch, input, inlen, properties)
6629
0
                          : ptls_client_handle_message(tls, sendbuf, epoch_offsets, in_epoch, input, inlen, properties);
6630
0
}
6631
6632
int ptls_client_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input,
6633
                               size_t inlen, ptls_handshake_properties_t *properties)
6634
0
{
6635
0
    assert(!tls->is_server);
6636
6637
0
    struct st_ptls_raw_message_emitter_t emitter = {
6638
0
        {sendbuf, &tls->traffic_protection.enc, 0, begin_raw_message, commit_raw_message}, SIZE_MAX, epoch_offsets};
6639
0
    struct st_ptls_record_t rec = {PTLS_CONTENT_TYPE_HANDSHAKE, 0, inlen, input};
6640
6641
0
    if (input == NULL)
6642
0
        return send_client_hello(tls, &emitter.super, properties, NULL);
6643
6644
0
    if (ptls_get_read_epoch(tls) != in_epoch)
6645
0
        return PTLS_ALERT_UNEXPECTED_MESSAGE;
6646
6647
0
    return handle_handshake_record(tls, handle_client_handshake_message, &emitter.super, &rec, properties);
6648
0
}
6649
6650
int ptls_server_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input,
6651
                               size_t inlen, ptls_handshake_properties_t *properties)
6652
0
{
6653
0
    assert(tls->is_server);
6654
6655
0
    struct st_ptls_raw_message_emitter_t emitter = {
6656
0
        {sendbuf, &tls->traffic_protection.enc, 0, begin_raw_message, commit_raw_message}, SIZE_MAX, epoch_offsets};
6657
0
    struct st_ptls_record_t rec = {PTLS_CONTENT_TYPE_HANDSHAKE, 0, inlen, input};
6658
6659
0
    if (tls->state == PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY) {
6660
0
        assert(input == NULL || inlen == 0);
6661
0
        return server_finish_handshake(tls, &emitter.super, 1, NULL);
6662
0
    }
6663
6664
0
    assert(input != NULL);
6665
6666
0
    if (ptls_get_read_epoch(tls) != in_epoch)
6667
0
        return PTLS_ALERT_UNEXPECTED_MESSAGE;
6668
6669
0
    return handle_handshake_record(tls, handle_server_handshake_message, &emitter.super, &rec, properties);
6670
0
}
6671
6672
/**
6673
 * checks if given name looks like an IP address
6674
 */
6675
int ptls_server_name_is_ipaddr(const char *name)
6676
0
{
6677
0
#ifdef AF_INET
6678
0
    struct sockaddr_in sin;
6679
0
    if (inet_pton(AF_INET, name, &sin) == 1)
6680
0
        return 1;
6681
0
#endif
6682
0
#ifdef AF_INET6
6683
0
    struct sockaddr_in6 sin6;
6684
0
    if (inet_pton(AF_INET6, name, &sin6) == 1)
6685
0
        return 1;
6686
0
#endif
6687
0
    return 0;
6688
0
}
6689
6690
int ptls_ech_encode_config(ptls_buffer_t *buf, uint8_t config_id, ptls_hpke_kem_t *kem, ptls_iovec_t public_key,
6691
                           ptls_hpke_cipher_suite_t **ciphers, uint8_t max_name_length, const char *public_name)
6692
0
{
6693
0
    int ret;
6694
6695
0
    ptls_buffer_push16(buf, PTLS_ECH_CONFIG_VERSION);
6696
0
    ptls_buffer_push_block(buf, 2, {
6697
0
        ptls_buffer_push(buf, config_id);
6698
0
        ptls_buffer_push16(buf, kem->id);
6699
0
        ptls_buffer_push_block(buf, 2, { ptls_buffer_pushv(buf, public_key.base, public_key.len); });
6700
0
        ptls_buffer_push_block(buf, 2, {
6701
0
            for (size_t i = 0; ciphers[i] != NULL; ++i) {
6702
0
                ptls_buffer_push16(buf, ciphers[i]->id.kdf);
6703
0
                ptls_buffer_push16(buf, ciphers[i]->id.aead);
6704
0
            }
6705
0
        });
6706
0
        ptls_buffer_push(buf, max_name_length);
6707
0
        ptls_buffer_push_block(buf, 1, { ptls_buffer_pushv(buf, public_name, strlen(public_name)); });
6708
0
        ptls_buffer_push_block(buf, 2, {/* extensions */});
6709
0
    });
6710
6711
0
Exit:
6712
0
    return ret;
6713
0
}
6714
6715
static char *byte_to_hex(char *dst, uint8_t v)
6716
0
{
6717
0
    *dst++ = "0123456789abcdef"[v >> 4];
6718
0
    *dst++ = "0123456789abcdef"[v & 0xf];
6719
0
    return dst;
6720
0
}
6721
6722
char *ptls_hexdump(char *dst, const void *_src, size_t len)
6723
0
{
6724
0
    char *buf = dst;
6725
0
    const uint8_t *src = _src;
6726
6727
0
    for (size_t i = 0; i != len; ++i)
6728
0
        dst = byte_to_hex(dst, src[i]);
6729
0
    *dst = '\0';
6730
0
    return buf;
6731
0
}
6732
6733
char *ptls_jsonescape(char *buf, const char *unsafe_str, size_t len)
6734
0
{
6735
0
    char *dst = buf;
6736
0
    const uint8_t *src = (const uint8_t *)unsafe_str, *end = src + len;
6737
6738
0
    for (; src != end; ++src) {
6739
0
        switch (*src) {
6740
0
#define MAP(ch, escaped)                                                                                                           \
6741
0
    case ch:                                                                                                                       \
6742
0
        memcpy(dst, (escaped), sizeof(escaped) - 1);                                                                               \
6743
0
        dst += sizeof(escaped) - 1;                                                                                                \
6744
0
        break
6745
0
            MAP('"', "\\\"");
6746
0
            MAP('\\', "\\\\");
6747
0
            MAP('/', "\\/");
6748
0
            MAP('\b', "\\b");
6749
0
            MAP('\f', "\\f");
6750
0
            MAP('\n', "\\n");
6751
0
            MAP('\r', "\\r");
6752
0
            MAP('\t', "\\t");
6753
0
#undef MAP
6754
0
        default:
6755
0
            if (*src < 0x20 || *src == 0x7f) {
6756
0
                *dst++ = '\\';
6757
0
                *dst++ = 'u';
6758
0
                *dst++ = '0';
6759
0
                *dst++ = '0';
6760
0
                dst = byte_to_hex(dst, *src);
6761
0
            } else {
6762
0
                *dst++ = *src;
6763
0
            }
6764
0
            break;
6765
0
        }
6766
0
    }
6767
0
    *dst = '\0';
6768
6769
0
    return dst;
6770
0
}
6771
6772
void ptls_build_v4_mapped_v6_address(struct in6_addr *v6, const struct in_addr *v4)
6773
0
{
6774
0
    *v6 = (struct in6_addr){.s6_addr[10] = 0xff, .s6_addr[11] = 0xff};
6775
0
    memcpy(&v6->s6_addr[12], &v4->s_addr, 4);
6776
0
}
6777
6778
struct st_ptls_log_t ptls_log = {
6779
    .dummy_conn_state = {.random_ = 1 /* never log */},
6780
    ._generation = 1, /* starts from 1 so that recalc can be forced by setting to zero (i.e., the initial) */
6781
};
6782
PTLS_THREADLOCAL ptls_log_conn_state_t *ptls_log_conn_state_override = NULL;
6783
6784
#if PTLS_HAVE_LOG
6785
6786
static struct {
6787
    /**
6788
     * list of connections; the slot is connected if points != NULL
6789
     */
6790
    struct {
6791
        /**
6792
         * file descriptor
6793
         */
6794
        int fd;
6795
        /**
6796
         * see `ptls_log_add_fd`
6797
         */
6798
        char *points;
6799
        /**
6800
         *
6801
         */
6802
        char *snis;
6803
        /**
6804
         * list of addresses terminated by ip6addr_any
6805
         */
6806
        struct in6_addr *addresses;
6807
        /**
6808
         *
6809
         */
6810
        float sample_ratio;
6811
        /**
6812
         *
6813
         */
6814
        unsigned appdata : 1;
6815
    } conns[sizeof(((struct st_ptls_log_state_t *)NULL)->active_conns) * 8];
6816
    /**
6817
     * counts the number of writes that failed
6818
     */
6819
    size_t num_lost;
6820
    /**
6821
     * anchor of the single-linked list of log points; the tail refers to itself (i.e., point->next == point)
6822
     */
6823
    struct st_ptls_log_point_t *points;
6824
    /**
6825
     *
6826
     */
6827
    pthread_mutex_t mutex;
6828
} logctx = {.mutex = PTHREAD_MUTEX_INITIALIZER};
6829
6830
static PTLS_THREADLOCAL struct {
6831
    ptls_buffer_t buf; /* buf.base == NULL upon failre */
6832
    char smallbuf[128];
6833
    struct {
6834
        char buf[sizeof(",\"tid\":-9223372036854775808")];
6835
        size_t len;
6836
    } tid;
6837
} logbuf;
6838
6839
static void close_log_fd(size_t slot)
6840
0
{
6841
0
    assert(logctx.conns[slot].fd >= 0 && logctx.conns[slot].points != NULL);
6842
6843
0
    close(logctx.conns[slot].fd);
6844
6845
    /* clear the connection information */
6846
0
    logctx.conns[slot].fd = -1;
6847
0
    logctx.conns[slot].sample_ratio = 0;
6848
0
    free(logctx.conns[slot].points);
6849
0
    logctx.conns[slot].points = NULL;
6850
0
    free(logctx.conns[slot].snis);
6851
0
    logctx.conns[slot].snis = NULL;
6852
0
    free(logctx.conns[slot].addresses);
6853
0
    logctx.conns[slot].addresses = NULL;
6854
0
    logctx.conns[slot].appdata = 0;
6855
0
    ++ptls_log._generation;
6856
0
}
6857
6858
static char *duplicate_stringlist(const char *input)
6859
0
{
6860
0
    if (input == NULL)
6861
0
        return strdup("");
6862
6863
0
    char *result;
6864
0
    const char *in_tail;
6865
6866
0
    for (in_tail = input; in_tail[0] != '\0'; in_tail += strlen(in_tail) + 1)
6867
0
        ;
6868
0
    ++in_tail;
6869
0
    if ((result = malloc(in_tail - input)) == NULL)
6870
0
        return NULL;
6871
0
    memcpy(result, input, in_tail - input);
6872
0
    return result;
6873
0
}
6874
6875
static int is_in_stringlist(const char *list, const char *search_for)
6876
0
{
6877
0
    if (list[0] == '\0')
6878
0
        return 1;
6879
6880
0
    if (search_for == NULL)
6881
0
        return 0;
6882
6883
0
    for (const char *element = list; element[0] != '\0'; element += strlen(element) + 1)
6884
0
        if (strcmp(element, search_for) == 0)
6885
0
            return 1;
6886
0
    return 0;
6887
0
}
6888
6889
static int is_in_addresslist(const struct in6_addr *list, const struct in6_addr *search_for)
6890
0
{
6891
0
#define IS_EQUAL(x, y) (memcmp((x), (y), sizeof(struct in6_addr)) == 0)
6892
6893
0
    if (IS_EQUAL(&list[0], &in6addr_any))
6894
0
        return 1;
6895
6896
0
    if (IS_EQUAL(search_for, &in6addr_any))
6897
0
        return 0;
6898
6899
0
    for (const struct in6_addr *element = list; !IS_EQUAL(element, &in6addr_any); ++element)
6900
0
        if (IS_EQUAL(element, search_for))
6901
0
            return 1;
6902
0
    return 0;
6903
6904
0
#undef IS_EQUAL
6905
0
}
6906
6907
void ptls_log__recalc_point(int caller_locked, struct st_ptls_log_point_t *point)
6908
13
{
6909
13
    if (!caller_locked)
6910
13
        pthread_mutex_lock(&logctx.mutex);
6911
6912
13
    if (point->state.generation != ptls_log._generation) {
6913
        /* update active bitmap */
6914
13
        uint32_t new_active = 0;
6915
429
        for (size_t slot = 0; slot < PTLS_ELEMENTSOF(logctx.conns); ++slot)
6916
416
            if (logctx.conns[slot].points != NULL && is_in_stringlist(logctx.conns[slot].points, point->name))
6917
0
                new_active |= (uint32_t)1 << slot;
6918
13
        point->state.active_conns = new_active;
6919
13
        point->state.generation = ptls_log._generation;
6920
13
    }
6921
6922
13
    if (!caller_locked)
6923
13
        pthread_mutex_unlock(&logctx.mutex);
6924
13
}
6925
6926
void ptls_log__recalc_conn(int caller_locked, struct st_ptls_log_conn_state_t *conn, const char *(*get_sni)(void *),
6927
                           void *get_sni_arg)
6928
0
{
6929
0
    if (!caller_locked)
6930
0
        pthread_mutex_lock(&logctx.mutex);
6931
6932
0
    if (conn->state.generation != ptls_log._generation) {
6933
        /* update active bitmap */
6934
0
        uint32_t new_active = 0;
6935
0
        const char *sni = get_sni != NULL ? get_sni(get_sni_arg) : NULL;
6936
0
        for (size_t slot = 0; slot < PTLS_ELEMENTSOF(logctx.conns); ++slot) {
6937
0
            if (logctx.conns[slot].points != NULL && conn->random_ < logctx.conns[slot].sample_ratio &&
6938
0
                is_in_stringlist(logctx.conns[slot].snis, sni) && is_in_addresslist(logctx.conns[slot].addresses, &conn->address)) {
6939
0
                new_active |= (uint32_t)1 << slot;
6940
0
            }
6941
0
        }
6942
0
        conn->state.active_conns = new_active;
6943
0
        conn->state.generation = ptls_log._generation;
6944
0
    }
6945
6946
0
    if (!caller_locked)
6947
0
        pthread_mutex_unlock(&logctx.mutex);
6948
0
}
6949
6950
static int expand_logbuf_or_invalidate(const char *prefix, size_t prefix_len, size_t capacity)
6951
0
{
6952
0
    if (logbuf.buf.base == NULL)
6953
0
        return 0;
6954
6955
0
    if (ptls_buffer_reserve(&logbuf.buf, prefix_len + capacity) != 0) {
6956
0
        ptls_buffer_dispose(&logbuf.buf);
6957
0
        assert(logbuf.buf.base == NULL);
6958
0
        return 0;
6959
0
    }
6960
6961
0
    memcpy(logbuf.buf.base + logbuf.buf.off, prefix, prefix_len);
6962
0
    logbuf.buf.off += prefix_len;
6963
6964
0
    return 1;
6965
0
}
6966
6967
__attribute__((format(printf, 4, 5))) static void pushf_logbuf_or_invalidate(const char *prefix, size_t prefix_len, size_t capacity,
6968
                                                                             const char *fmt, ...)
6969
0
{
6970
0
    if (!expand_logbuf_or_invalidate(prefix, prefix_len, capacity))
6971
0
        return;
6972
6973
0
    va_list args;
6974
0
    va_start(args, fmt);
6975
0
    int l = vsnprintf((char *)logbuf.buf.base + logbuf.buf.off, logbuf.buf.capacity - logbuf.buf.off, fmt, args);
6976
0
    va_end(args);
6977
6978
0
    assert(l < logbuf.buf.capacity - logbuf.buf.off && "insufficent capacity");
6979
0
    logbuf.buf.off += l;
6980
0
}
6981
6982
void ptls_log__do_push_element_safestr(const char *prefix, size_t prefix_len, const char *s, size_t l)
6983
0
{
6984
0
    if (expand_logbuf_or_invalidate(prefix, prefix_len, l + 2)) {
6985
0
        logbuf.buf.base[logbuf.buf.off++] = '"';
6986
0
        memcpy(logbuf.buf.base + logbuf.buf.off, s, l);
6987
0
        logbuf.buf.off += l;
6988
0
        logbuf.buf.base[logbuf.buf.off++] = '"';
6989
0
    }
6990
0
}
6991
6992
void ptls_log__do_push_element_unsafestr(const char *prefix, size_t prefix_len, const char *s, size_t l)
6993
0
{
6994
0
    if (expand_logbuf_or_invalidate(prefix, prefix_len, l * (sizeof("\\uXXXX") - 1) + 2)) {
6995
0
        logbuf.buf.base[logbuf.buf.off++] = '"';
6996
0
        logbuf.buf.off = (uint8_t *)ptls_jsonescape((char *)logbuf.buf.base + logbuf.buf.off, s, l) - logbuf.buf.base;
6997
0
        logbuf.buf.base[logbuf.buf.off++] = '"';
6998
0
    }
6999
0
}
7000
7001
void ptls_log__do_push_element_hexdump(const char *prefix, size_t prefix_len, const void *s, size_t l)
7002
0
{
7003
0
    if (expand_logbuf_or_invalidate(prefix, prefix_len, l * 2 + 2)) {
7004
0
        logbuf.buf.base[logbuf.buf.off++] = '"';
7005
0
        ptls_hexdump((char *)logbuf.buf.base + logbuf.buf.off, s, l);
7006
0
        logbuf.buf.off += l * 2;
7007
0
        logbuf.buf.base[logbuf.buf.off++] = '"';
7008
0
    }
7009
0
}
7010
7011
void ptls_log__do_push_element_signed32(const char *prefix, size_t prefix_len, int32_t v)
7012
0
{
7013
0
    pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("-2147483648"), "%" PRId32, v);
7014
0
}
7015
7016
void ptls_log__do_push_element_signed64(const char *prefix, size_t prefix_len, int64_t v)
7017
0
{
7018
0
    pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("-9223372036854775808"), "%" PRId64, v);
7019
0
}
7020
7021
void ptls_log__do_push_element_unsigned32(const char *prefix, size_t prefix_len, uint32_t v)
7022
0
{
7023
0
    pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("4294967295"), "%" PRIu32, v);
7024
0
}
7025
7026
void ptls_log__do_push_element_unsigned64(const char *prefix, size_t prefix_len, uint64_t v)
7027
0
{
7028
0
    pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("18446744073709551615"), "%" PRIu64, v);
7029
0
}
7030
7031
void ptls_log__do_push_element_bool(const char *prefix, size_t prefix_len, int v)
7032
0
{
7033
0
    if (expand_logbuf_or_invalidate(prefix, prefix_len, 5)) {
7034
0
        if (v) {
7035
0
            memcpy(logbuf.buf.base + logbuf.buf.off, "true", 4);
7036
0
            logbuf.buf.off += 4;
7037
0
        } else {
7038
0
            memcpy(logbuf.buf.base + logbuf.buf.off, "false", 5);
7039
0
            logbuf.buf.off += 5;
7040
0
        }
7041
0
    }
7042
0
}
7043
7044
void ptls_log__do_write_start(struct st_ptls_log_point_t *point, int add_time)
7045
0
{
7046
0
    assert(logbuf.buf.base == NULL);
7047
0
    ptls_buffer_init(&logbuf.buf, logbuf.smallbuf, sizeof(logbuf.smallbuf));
7048
7049
    /* add module and type name */
7050
0
    const char *colon_at = strchr(point->name, ':');
7051
0
    int written = snprintf((char *)logbuf.buf.base, logbuf.buf.capacity, "{\"module\":\"%.*s\",\"type\":\"%s\"",
7052
0
                           (int)(colon_at - point->name), point->name, colon_at + 1);
7053
7054
    /* obtain and stringify thread id once */
7055
0
    if (logbuf.tid.len == 0) {
7056
0
#if defined(__linux__)
7057
0
        logbuf.tid.len = sprintf(logbuf.tid.buf, ",\"tid\":%" PRId64, (int64_t)syscall(SYS_gettid));
7058
#elif defined(__APPLE__)
7059
        uint64_t t = 0;
7060
        (void)pthread_threadid_np(NULL, &t);
7061
        logbuf.tid.len = sprintf(logbuf.tid.buf, ",\"tid\":%" PRIu64, t);
7062
#else
7063
        /* other platforms: skip emitting tid, by keeping logbuf.tid.len == 0 */
7064
#endif
7065
0
    }
7066
    /* append tid */
7067
0
    assert(written > 0 && written + logbuf.tid.len < logbuf.buf.capacity);
7068
0
    memcpy((char *)logbuf.buf.base + written, logbuf.tid.buf, logbuf.tid.len + 1);
7069
0
    written += logbuf.tid.len;
7070
7071
    /* append time if requested */
7072
0
    if (add_time) {
7073
0
        struct timeval tv;
7074
0
        gettimeofday(&tv, NULL);
7075
0
        written += snprintf((char *)logbuf.buf.base + written, logbuf.buf.capacity - written, ",\"time\":%" PRIu64,
7076
0
                            (uint64_t)tv.tv_sec * 1000 + tv.tv_usec / 1000);
7077
0
    }
7078
0
    assert(written > 0 && written < logbuf.buf.capacity && "caller MUST provide smallbuf suffient to emit the prefix");
7079
7080
0
    logbuf.buf.off = (size_t)written;
7081
0
}
7082
7083
int ptls_log__do_write_end(struct st_ptls_log_point_t *point, struct st_ptls_log_conn_state_t *conn, const char *(*get_sni)(void *),
7084
                           void *get_sni_arg, int includes_appdata)
7085
0
{
7086
0
    if (!expand_logbuf_or_invalidate("}\n", 2, 0))
7087
0
        return 0;
7088
7089
0
    int needs_appdata = 0;
7090
7091
0
    pthread_mutex_lock(&logctx.mutex);
7092
7093
    /* calc the active conn bits, updating stale information if necessary */
7094
0
    if (point->state.generation != ptls_log._generation)
7095
0
        ptls_log__recalc_point(1, point);
7096
0
    uint32_t active = point->state.active_conns;
7097
0
    if (conn != NULL && conn->state.generation != ptls_log._generation) {
7098
0
        ptls_log__recalc_conn(1, conn, get_sni, get_sni_arg);
7099
0
        active &= conn->state.active_conns;
7100
0
    }
7101
7102
    /* iterate through the active connctions */
7103
0
    for (size_t slot = 0; active != 0; ++slot, active >>= 1) {
7104
0
        if ((active & 1) == 0)
7105
0
            continue;
7106
7107
0
        assert(logctx.conns[slot].points != NULL);
7108
7109
0
        if (logctx.conns[slot].appdata != includes_appdata) {
7110
0
            if (!includes_appdata && ptls_log.may_include_appdata)
7111
0
                needs_appdata = 1;
7112
0
            continue;
7113
0
        }
7114
7115
        /* write */
7116
0
        ssize_t wret;
7117
0
        while ((wret = write(logctx.conns[slot].fd, logbuf.buf.base, logbuf.buf.off)) == -1 && errno == EINTR)
7118
0
            ;
7119
0
        if (wret == logbuf.buf.off) {
7120
            /* success */
7121
0
        } else if (wret > 0 || (wret == -1 && (errno == EAGAIN || errno == EWOULDBLOCK))) {
7122
            /* partial write or buffer full */
7123
0
            ++logctx.num_lost;
7124
0
        } else {
7125
            /* write error; close and unregister the connection */
7126
0
            close_log_fd(slot);
7127
0
        }
7128
0
    }
7129
7130
0
    pthread_mutex_unlock(&logctx.mutex);
7131
7132
0
    if (includes_appdata)
7133
0
        assert(!needs_appdata);
7134
7135
0
    ptls_buffer_dispose(&logbuf.buf);
7136
0
    assert(logbuf.buf.base == NULL);
7137
0
    return needs_appdata;
7138
0
}
7139
7140
#endif
7141
7142
void ptls_log_init_conn_state(ptls_log_conn_state_t *state, void (*random_bytes)(void *, size_t))
7143
0
{
7144
0
    uint32_t r;
7145
0
    random_bytes(&r, sizeof(r));
7146
7147
0
    *state = (ptls_log_conn_state_t){
7148
0
        .random_ = (float)r / ((uint64_t)UINT32_MAX + 1), /* [0..1), so that any(r) < sample_ratio where sample_ratio is [0..1] */
7149
0
        .address = in6addr_any,
7150
0
    };
7151
0
}
7152
7153
size_t ptls_log_num_lost(void)
7154
0
{
7155
0
#if PTLS_HAVE_LOG
7156
0
    return logctx.num_lost;
7157
#else
7158
    return 0;
7159
#endif
7160
0
}
7161
7162
int ptls_log_add_fd(int fd, float sample_ratio, const char *_points, const char *_snis, const char *_addresses, int appdata)
7163
0
{
7164
0
#if PTLS_HAVE_LOG
7165
7166
0
    char *points = NULL, *snis = NULL;
7167
0
    struct in6_addr *addresses = NULL;
7168
0
    int ret;
7169
7170
0
    pthread_mutex_lock(&logctx.mutex);
7171
7172
0
    if ((points = duplicate_stringlist(_points)) == NULL) {
7173
0
        ret = PTLS_ERROR_NO_MEMORY;
7174
0
        goto Exit;
7175
0
    }
7176
0
    if ((snis = duplicate_stringlist(_snis)) == NULL) {
7177
0
        ret = PTLS_ERROR_NO_MEMORY;
7178
0
        goto Exit;
7179
0
    }
7180
0
    {
7181
0
        size_t num_addresses = 0;
7182
0
        for (const char *input = _addresses; input != NULL && *input != '\0'; input += strlen(input) + 1)
7183
0
            ++num_addresses;
7184
0
        if ((addresses = malloc(sizeof(*addresses) * (num_addresses + 1))) == NULL) {
7185
0
            ret = PTLS_ERROR_NO_MEMORY;
7186
0
            goto Exit;
7187
0
        }
7188
0
        size_t index = 0;
7189
0
        for (const char *input = _addresses; input != NULL && *input != '\0'; input += strlen(input) + 1) {
7190
            /* note: for consistency to the handling of points, erroneous input is ignored. V4 addresses will use the mapped form
7191
             * (::ffff:192.0.2.1) */
7192
0
            if (!inet_pton(AF_INET6, input, &addresses[index])) {
7193
0
                struct in_addr v4;
7194
0
                if (!inet_pton(AF_INET, input, &v4))
7195
0
                    continue;
7196
0
                ptls_build_v4_mapped_v6_address(&addresses[index], &v4);
7197
0
            }
7198
0
            if (memcmp(&addresses[index], &in6addr_any, sizeof(struct in6_addr)) == 0)
7199
0
                continue;
7200
0
            ++index;
7201
0
        }
7202
0
        addresses[index] = in6addr_any;
7203
0
    }
7204
7205
    /* find slot, or return if not available */
7206
0
    size_t slot_index;
7207
0
    for (slot_index = 0; slot_index < PTLS_ELEMENTSOF(logctx.conns); ++slot_index)
7208
0
        if (logctx.conns[slot_index].points == NULL)
7209
0
            break;
7210
0
    if (slot_index == PTLS_ELEMENTSOF(logctx.conns)) {
7211
0
        ret = PTLS_ERROR_NO_MEMORY;
7212
0
        goto Exit;
7213
0
    }
7214
7215
    /* setup the slot */
7216
0
    logctx.conns[slot_index].fd = fd;
7217
0
    logctx.conns[slot_index].points = points;
7218
0
    logctx.conns[slot_index].snis = snis;
7219
0
    logctx.conns[slot_index].addresses = addresses;
7220
0
    logctx.conns[slot_index].sample_ratio = sample_ratio;
7221
0
    logctx.conns[slot_index].appdata = appdata;
7222
0
    ++ptls_log._generation;
7223
7224
0
    ret = 0; /* success */
7225
7226
0
Exit:
7227
0
    pthread_mutex_unlock(&logctx.mutex);
7228
0
    if (ret != 0) {
7229
0
        free(points);
7230
0
        free(snis);
7231
0
        free(addresses);
7232
0
    }
7233
0
    return ret;
7234
7235
#else
7236
    return PTLS_ERROR_NOT_AVAILABLE;
7237
#endif
7238
0
}