/*

 * Copyright (c) 2016 DeNA Co., Ltd., Kazuho Oku

 *

 * Permission is hereby granted, free of charge, to any person obtaining a copy

 * of this software and associated documentation files (the "Software"), to

 * deal in the Software without restriction, including without limitation the

 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or

 * sell copies of the Software, and to permit persons to whom the Software is

 * furnished to do so, subject to the following conditions:

 *

 * The above copyright notice and this permission notice shall be included in

 * all copies or substantial portions of the Software.

 *

 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING

 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS

 * IN THE SOFTWARE.

 */

#ifdef _WINDOWS

#include "wincompat.h"

#else

#include <unistd.h>

#endif

#include <assert.h>

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#define OPENSSL_API_COMPAT 0x00908000L

#include <openssl/bn.h>

#include <openssl/crypto.h>

#ifdef OPENSSL_IS_BORINGSSL

#include <openssl/curve25519.h>

#include <openssl/chacha.h>

#include <openssl/poly1305.h>

#endif

#include <openssl/ec.h>

#include <openssl/ecdh.h>

#include <openssl/err.h>

#include <openssl/evp.h>

#include <openssl/objects.h>

#include <openssl/rand.h>

#include <openssl/rsa.h>

#include <openssl/x509.h>

#include <openssl/x509v3.h>

#include <openssl/x509_vfy.h>

#include "picotls.h"

#include "picotls/openssl.h"

#ifdef OPENSSL_IS_BORINGSSL

#include "./chacha20poly1305.h"

#endif

#ifdef PTLS_HAVE_AEGIS

#include "./libaegis.h"

#endif

#ifdef _WINDOWS

#ifndef _CRT_SECURE_NO_WARNINGS

#define _CRT_SECURE_NO_WARNINGS

#endif

#pragma warning(disable : 4996)

#endif

#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L

#define OPENSSL_1_1_API 1

#elif defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL

#define OPENSSL_1_1_API 1

#else

#define OPENSSL_1_1_API 0

#endif

#if !OPENSSL_1_1_API

#define EVP_PKEY_up_ref(p) CRYPTO_add(&(p)->references, 1, CRYPTO_LOCK_EVP_PKEY)

#define X509_STORE_up_ref(p) CRYPTO_add(&(p)->references, 1, CRYPTO_LOCK_X509_STORE)

#define X509_STORE_get0_param(p) ((p)->param)

static HMAC_CTX *HMAC_CTX_new(void)

{

    HMAC_CTX *ctx;

    if ((ctx = OPENSSL_malloc(sizeof(*ctx))) == NULL)

        return NULL;

    HMAC_CTX_init(ctx);

    return ctx;

}

static void HMAC_CTX_free(HMAC_CTX *ctx)

{

    HMAC_CTX_cleanup(ctx);

    OPENSSL_free(ctx);

}

static int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx)

{

    return EVP_CIPHER_CTX_cleanup(ctx);

}

#endif

static const ptls_openssl_signature_scheme_t rsa_signature_schemes[] = {{PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256, EVP_sha256},

                                                                        {PTLS_SIGNATURE_RSA_PSS_RSAE_SHA384, EVP_sha384},

                                                                        {PTLS_SIGNATURE_RSA_PSS_RSAE_SHA512, EVP_sha512},

                                                                        {UINT16_MAX, NULL}};

static const ptls_openssl_signature_scheme_t secp256r1_signature_schemes[] = {{PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256, EVP_sha256},

                                                                              {UINT16_MAX, NULL}};

#if PTLS_OPENSSL_HAVE_SECP384R1

static const ptls_openssl_signature_scheme_t secp384r1_signature_schemes[] = {{PTLS_SIGNATURE_ECDSA_SECP384R1_SHA384, EVP_sha384},

                                                                              {UINT16_MAX, NULL}};

#endif

#if PTLS_OPENSSL_HAVE_SECP521R1

static const ptls_openssl_signature_scheme_t secp521r1_signature_schemes[] = {{PTLS_SIGNATURE_ECDSA_SECP521R1_SHA512, EVP_sha512},

                                                                              {UINT16_MAX, NULL}};

#endif

#if PTLS_OPENSSL_HAVE_ED25519

static const ptls_openssl_signature_scheme_t ed25519_signature_schemes[] = {{PTLS_SIGNATURE_ED25519, NULL}, {UINT16_MAX, NULL}};

#endif

/**

 * The default list sent in ClientHello.signature_algorithms. ECDSA certificates are preferred.

 */

static const uint16_t default_signature_schemes[] = {

#if PTLS_OPENSSL_HAVE_ED25519

    PTLS_SIGNATURE_ED25519,

#endif

    PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256,

#if PTLS_OPENSSL_HAVE_SECP384R1

    PTLS_SIGNATURE_ECDSA_SECP384R1_SHA384,

#endif

#if PTLS_OPENSSL_HAVE_SECP521R1

    PTLS_SIGNATURE_ECDSA_SECP521R1_SHA512,

#endif

    PTLS_SIGNATURE_RSA_PSS_RSAE_SHA512,

    PTLS_SIGNATURE_RSA_PSS_RSAE_SHA384,

    PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256,

    UINT16_MAX};

const ptls_openssl_signature_scheme_t *ptls_openssl_lookup_signature_schemes(EVP_PKEY *key)

{

    const ptls_openssl_signature_scheme_t *schemes = NULL;

    switch (EVP_PKEY_id(key)) {

    case EVP_PKEY_RSA:

        schemes = rsa_signature_schemes;

        break;

    case EVP_PKEY_EC: {

        EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(key);

        switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey))) {

        case NID_X9_62_prime256v1:

            schemes = secp256r1_signature_schemes;

            break;

#if PTLS_OPENSSL_HAVE_SECP384R1

        case NID_secp384r1:

            schemes = secp384r1_signature_schemes;

            break;

#endif

#if PTLS_OPENSSL_HAVE_SECP521R1

        case NID_secp521r1:

            schemes = secp521r1_signature_schemes;

            break;

#endif

        default:

            break;

        }

        EC_KEY_free(eckey);

    } break;

#if PTLS_OPENSSL_HAVE_ED25519

    case EVP_PKEY_ED25519:

        schemes = ed25519_signature_schemes;

        break;

#endif

    default:

        break;

    }

    return schemes;

}

const ptls_openssl_signature_scheme_t *ptls_openssl_select_signature_scheme(const ptls_openssl_signature_scheme_t *available,

                                                                            const uint16_t *algorithms, size_t num_algorithms)

{

    const ptls_openssl_signature_scheme_t *scheme;

    /* select the algorithm, driven by server-isde preference of `available` */

    for (scheme = available; scheme->scheme_id != UINT16_MAX; ++scheme)

        for (size_t i = 0; i != num_algorithms; ++i)

            if (algorithms[i] == scheme->scheme_id)

                return scheme;

    return NULL;

}

void ptls_openssl_random_bytes(void *buf, size_t len)

{

    int ret = RAND_bytes(buf, (int)len);

    if (ret != 1) {

        fprintf(stderr, "RAND_bytes() failed with code: %d\n", ret);

        abort();

    }

}

static EC_KEY *ecdh_generate_key(EC_GROUP *group)

{

    EC_KEY *key;

    if ((key = EC_KEY_new()) == NULL)

        return NULL;

    if (!EC_KEY_set_group(key, group) || !EC_KEY_generate_key(key)) {

        EC_KEY_free(key);

        return NULL;

    }

    return key;

}

static int ecdh_calc_secret(ptls_iovec_t *out, const EC_GROUP *group, EC_KEY *privkey, EC_POINT *peer_point)

{

    ptls_iovec_t secret;

    int ret;

    secret.len = (EC_GROUP_get_degree(group) + 7) / 8;

    if ((secret.base = malloc(secret.len)) == NULL) {

        ret = PTLS_ERROR_NO_MEMORY;

        goto Exit;

    }

    if (ECDH_compute_key(secret.base, secret.len, peer_point, privkey, NULL) <= 0) {

        ret = PTLS_ALERT_HANDSHAKE_FAILURE; /* ??? */

        goto Exit;

    }

    ret = 0;

Exit:

    if (ret == 0) {

        *out = secret;

    } else {

        free(secret.base);

        *out = (ptls_iovec_t){NULL};

    }

    return ret;

}

static EC_POINT *x9_62_decode_point(const EC_GROUP *group, ptls_iovec_t vec, BN_CTX *bn_ctx)

{

    EC_POINT *point = NULL;

    if ((point = EC_POINT_new(group)) == NULL)

        return NULL;

    if (!EC_POINT_oct2point(group, point, vec.base, vec.len, bn_ctx)) {

        EC_POINT_free(point);

        return NULL;

    }

    return point;

}

static ptls_iovec_t x9_62_encode_point(const EC_GROUP *group, const EC_POINT *point, BN_CTX *bn_ctx)

{

    ptls_iovec_t vec;

    if ((vec.len = EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, NULL, 0, bn_ctx)) == 0)

        return (ptls_iovec_t){NULL};

    if ((vec.base = malloc(vec.len)) == NULL)

        return (ptls_iovec_t){NULL};

    if (EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, vec.base, vec.len, bn_ctx) != vec.len) {

        free(vec.base);

        return (ptls_iovec_t){NULL};

    }

    return vec;

}

struct st_x9_62_keyex_context_t {

    ptls_key_exchange_context_t super;

    BN_CTX *bn_ctx;

    EC_KEY *privkey;

};

static void x9_62_free_context(struct st_x9_62_keyex_context_t *ctx)

{

    free(ctx->super.pubkey.base);

    if (ctx->privkey != NULL)

        EC_KEY_free(ctx->privkey);

    if (ctx->bn_ctx != NULL)

        BN_CTX_free(ctx->bn_ctx);

    free(ctx);

}

static int x9_62_on_exchange(ptls_key_exchange_context_t **_ctx, int release, ptls_iovec_t *secret, ptls_iovec_t peerkey)

{

    struct st_x9_62_keyex_context_t *ctx = (struct st_x9_62_keyex_context_t *)*_ctx;

    const EC_GROUP *group = EC_KEY_get0_group(ctx->privkey);

    EC_POINT *peer_point = NULL;

    int ret;

    if (secret == NULL) {

        ret = 0;

        goto Exit;

    }

    if ((peer_point = x9_62_decode_point(group, peerkey, ctx->bn_ctx)) == NULL) {

        ret = PTLS_ALERT_DECODE_ERROR;

        goto Exit;

    }

    if ((ret = ecdh_calc_secret(secret, group, ctx->privkey, peer_point)) != 0)

        goto Exit;

Exit:

    if (peer_point != NULL)

        EC_POINT_free(peer_point);

    if (release) {

        x9_62_free_context(ctx);

        *_ctx = NULL;

    }

    return ret;

}

static int x9_62_create_context(ptls_key_exchange_algorithm_t *algo, struct st_x9_62_keyex_context_t **ctx)

{

    int ret;

    if ((*ctx = (struct st_x9_62_keyex_context_t *)malloc(sizeof(**ctx))) == NULL) {

        ret = PTLS_ERROR_NO_MEMORY;

        goto Exit;

    }

    **ctx = (struct st_x9_62_keyex_context_t){{algo, {NULL}, x9_62_on_exchange}};

    if (((*ctx)->bn_ctx = BN_CTX_new()) == NULL) {

        ret = PTLS_ERROR_NO_MEMORY;

        goto Exit;

    }

    ret = 0;

Exit:

    if (ret != 0 && *ctx != NULL) {

        x9_62_free_context(*ctx);

        *ctx = NULL;

    }

    return ret;

}

static int x9_62_setup_pubkey(struct st_x9_62_keyex_context_t *ctx)

{

    const EC_GROUP *group = EC_KEY_get0_group(ctx->privkey);

    const EC_POINT *pubkey = EC_KEY_get0_public_key(ctx->privkey);

    if ((ctx->super.pubkey = x9_62_encode_point(group, pubkey, ctx->bn_ctx)).base == NULL)

        return PTLS_ERROR_NO_MEMORY;

    return 0;

}

static int x9_62_create_key_exchange(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **_ctx)

{

    EC_GROUP *group = NULL;

    struct st_x9_62_keyex_context_t *ctx = NULL;

    int ret;

    /* FIXME use a global? */

    if ((group = EC_GROUP_new_by_curve_name((int)algo->data)) == NULL) {

        ret = PTLS_ERROR_LIBRARY;

        goto Exit;

    }

    if ((ret = x9_62_create_context(algo, &ctx)) != 0)

        goto Exit;

    if ((ctx->privkey = ecdh_generate_key(group)) == NULL) {

        ret = PTLS_ERROR_LIBRARY;

        goto Exit;

    }

    if ((ret = x9_62_setup_pubkey(ctx)) != 0)

        goto Exit;

    ret = 0;

Exit:

    if (group != NULL)

        EC_GROUP_free(group);

    if (ret == 0) {

        *_ctx = &ctx->super;

    } else {

        if (ctx != NULL)

            x9_62_free_context(ctx);

        *_ctx = NULL;

    }

    return ret;

}

static int x9_62_init_key(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **_ctx, EC_KEY *eckey)

{

    struct st_x9_62_keyex_context_t *ctx = NULL;

    int ret;

    if ((ret = x9_62_create_context(algo, &ctx)) != 0)

        goto Exit;

    ctx->privkey = eckey;

    if ((ret = x9_62_setup_pubkey(ctx)) != 0)

        goto Exit;

    ret = 0;

Exit:

    if (ret == 0) {

        *_ctx = &ctx->super;

    } else {

        if (ctx != NULL)

            x9_62_free_context(ctx);

        *_ctx = NULL;

    }

    return ret;

}

static int x9_62_key_exchange(EC_GROUP *group, ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey, BN_CTX *bn_ctx)

{

    EC_POINT *peer_point = NULL;

    EC_KEY *privkey = NULL;

    int ret;

    *pubkey = (ptls_iovec_t){NULL};

    *secret = (ptls_iovec_t){NULL};

    /* decode peer key */

    if ((peer_point = x9_62_decode_point(group, peerkey, bn_ctx)) == NULL) {

        ret = PTLS_ALERT_DECODE_ERROR;

        goto Exit;

    }

    /* create private key */

    if ((privkey = ecdh_generate_key(group)) == NULL) {

        ret = PTLS_ERROR_NO_MEMORY;

        goto Exit;

    }

    /* encode public key */

    if ((*pubkey = x9_62_encode_point(group, EC_KEY_get0_public_key(privkey), bn_ctx)).base == NULL) {

        ret = PTLS_ERROR_NO_MEMORY;

        goto Exit;

    }

    /* allocate space for secret */

    secret->len = (EC_GROUP_get_degree(group) + 7) / 8;

    if ((secret->base = malloc(secret->len)) == NULL) {

        ret = PTLS_ERROR_NO_MEMORY;

        goto Exit;

    }

    /* calc secret */

    if (ECDH_compute_key(secret->base, secret->len, peer_point, privkey, NULL) <= 0) {

        ret = PTLS_ALERT_HANDSHAKE_FAILURE; /* ??? */

        goto Exit;

    }

    ret = 0;

Exit:

    if (peer_point != NULL)

        EC_POINT_free(peer_point);

    if (privkey != NULL)

        EC_KEY_free(privkey);

    if (ret != 0) {

        free(pubkey->base);

        *pubkey = (ptls_iovec_t){NULL};

        free(secret->base);

        *secret = (ptls_iovec_t){NULL};

    }

    return ret;

}

static int secp_key_exchange(ptls_key_exchange_algorithm_t *algo, ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey)

{

    EC_GROUP *group = NULL;

    BN_CTX *bn_ctx = NULL;

    int ret;

    if ((group = EC_GROUP_new_by_curve_name((int)algo->data)) == NULL) {

        ret = PTLS_ERROR_LIBRARY;

        goto Exit;

    }

    if ((bn_ctx = BN_CTX_new()) == NULL) {

        ret = PTLS_ERROR_NO_MEMORY;

        goto Exit;

    }

    ret = x9_62_key_exchange(group, pubkey, secret, peerkey, bn_ctx);

Exit:

    if (bn_ctx != NULL)

        BN_CTX_free(bn_ctx);

    if (group != NULL)

        EC_GROUP_free(group);

    return ret;

}

#if PTLS_OPENSSL_HAVE_X25519

struct st_evp_keyex_context_t {

    ptls_key_exchange_context_t super;

    EVP_PKEY *privkey;

};

static void evp_keyex_free(struct st_evp_keyex_context_t *ctx)

{

    if (ctx->privkey != NULL)

        EVP_PKEY_free(ctx->privkey);

    if (ctx->super.pubkey.base != NULL)

        OPENSSL_free(ctx->super.pubkey.base);

    free(ctx);

}

static int evp_keyex_on_exchange(ptls_key_exchange_context_t **_ctx, int release, ptls_iovec_t *secret, ptls_iovec_t peerkey)

{

    struct st_evp_keyex_context_t *ctx = (void *)*_ctx;

    EVP_PKEY *evppeer = NULL;

    EVP_PKEY_CTX *evpctx = NULL;

    int ret;

    if (secret == NULL) {

        ret = 0;

        goto Exit;

    }

    secret->base = NULL;

    if (peerkey.len != ctx->super.pubkey.len) {

        ret = PTLS_ALERT_DECRYPT_ERROR;

        goto Exit;

    }

#ifdef OPENSSL_IS_BORINGSSL

#define X25519_KEY_SIZE 32

    if (ctx->super.algo->id == PTLS_GROUP_X25519) {

        /* allocate memory to return secret */

        if ((secret->base = malloc(X25519_KEY_SIZE)) == NULL) {

            ret = PTLS_ERROR_NO_MEMORY;

            goto Exit;

        }

        secret->len = X25519_KEY_SIZE;

        /* fetch raw key and derive the secret */

        uint8_t sk_raw[X25519_KEY_SIZE];

        size_t sk_raw_len = sizeof(sk_raw);

        if (EVP_PKEY_get_raw_private_key(ctx->privkey, sk_raw, &sk_raw_len) != 1) {

            ret = PTLS_ERROR_LIBRARY;

            goto Exit;

        }

        assert(sk_raw_len == sizeof(sk_raw));

        X25519(secret->base, sk_raw, peerkey.base);

        ptls_clear_memory(sk_raw, sizeof(sk_raw));

        /* check bad key */

        static const uint8_t zeros[X25519_KEY_SIZE] = {0};

        if (ptls_mem_equal(secret->base, zeros, X25519_KEY_SIZE)) {

            ret = PTLS_ERROR_INCOMPATIBLE_KEY;

            goto Exit;

        }

        /* success */

        ret = 0;

        goto Exit;

    }

#undef X25519_KEY_SIZE

#endif

    if ((evppeer = EVP_PKEY_new()) == NULL) {

        ret = PTLS_ERROR_NO_MEMORY;

        goto Exit;

    }

    if (EVP_PKEY_copy_parameters(evppeer, ctx->privkey) <= 0) {

        ret = PTLS_ERROR_LIBRARY;

        goto Exit;

    }

    if (EVP_PKEY_set1_tls_encodedpoint(evppeer, peerkey.base, peerkey.len) <= 0) {

        ret = PTLS_ERROR_LIBRARY;

        goto Exit;

    }

    if ((evpctx = EVP_PKEY_CTX_new(ctx->privkey, NULL)) == NULL) {

        ret = PTLS_ERROR_LIBRARY;

        goto Exit;

    }

    if (EVP_PKEY_derive_init(evpctx) <= 0) {

        ret = PTLS_ERROR_LIBRARY;

        goto Exit;

    }

    if (EVP_PKEY_derive_set_peer(evpctx, evppeer) <= 0) {

        ret = PTLS_ERROR_LIBRARY;

        goto Exit;

    }

    if (EVP_PKEY_derive(evpctx, NULL, &secret->len) <= 0) {

        ret = PTLS_ERROR_LIBRARY;

        goto Exit;

    }

    if ((secret->base = malloc(secret->len)) == NULL) {

        ret = PTLS_ERROR_NO_MEMORY;

        goto Exit;

    }

    if (EVP_PKEY_derive(evpctx, secret->base, &secret->len) <= 0) {

        ret = PTLS_ERROR_LIBRARY;

        goto Exit;

    }

    ret = 0;

Exit:

    if (evpctx != NULL)

        EVP_PKEY_CTX_free(evpctx);

    if (evppeer != NULL)

        EVP_PKEY_free(evppeer);

    if (ret != 0)

        free(secret->base);

    if (release) {

        evp_keyex_free(ctx);

        *_ctx = NULL;

    }

    return ret;

}

/**

 * Upon success, ownership of `pkey` is transferred to the object being created. Otherwise, the refcount remains unchanged.

 */

static int evp_keyex_init(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **_ctx, EVP_PKEY *pkey)

{

    struct st_evp_keyex_context_t *ctx = NULL;

    int ret;

    /* instantiate */

    if ((ctx = malloc(sizeof(*ctx))) == NULL) {

        ret = PTLS_ERROR_NO_MEMORY;

        goto Exit;

    }

    *ctx = (struct st_evp_keyex_context_t){{algo, {NULL}, evp_keyex_on_exchange}, pkey};

    /* set public key */

    if ((ctx->super.pubkey.len = EVP_PKEY_get1_tls_encodedpoint(ctx->privkey, &ctx->super.pubkey.base)) == 0) {

        ctx->super.pubkey.base = NULL;

        ret = PTLS_ERROR_NO_MEMORY;

        goto Exit;

    }

    *_ctx = &ctx->super;

    ret = 0;

Exit:

    if (ret != 0 && ctx != NULL) {

        ctx->privkey = NULL; /* do not decrement refcount of pkey in case of error */

        evp_keyex_free(ctx);

    }

    return ret;

}

static int evp_keyex_create(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **ctx)

{

    EVP_PKEY_CTX *evpctx = NULL;

    EVP_PKEY *pkey = NULL;

    int ret;

    /* generate private key */

    if ((evpctx = EVP_PKEY_CTX_new_id((int)algo->data, NULL)) == NULL) {

        ret = PTLS_ERROR_LIBRARY;

        goto Exit;

    }

    if (EVP_PKEY_keygen_init(evpctx) <= 0) {

        ret = PTLS_ERROR_LIBRARY;

        goto Exit;

    }

    if (EVP_PKEY_keygen(evpctx, &pkey) <= 0) {

        ret = PTLS_ERROR_LIBRARY;

        goto Exit;

    }

    /* setup */

    if ((ret = evp_keyex_init(algo, ctx, pkey)) != 0)

        goto Exit;

    pkey = NULL;

    ret = 0;

Exit:

    if (pkey != NULL)

        EVP_PKEY_free(pkey);

    if (evpctx != NULL)

        EVP_PKEY_CTX_free(evpctx);

    return ret;

}

static int evp_keyex_exchange(ptls_key_exchange_algorithm_t *algo, ptls_iovec_t *outpubkey, ptls_iovec_t *secret,

                              ptls_iovec_t peerkey)

{

    ptls_key_exchange_context_t *ctx = NULL;

    int ret;

    outpubkey->base = NULL;

    if ((ret = evp_keyex_create(algo, &ctx)) != 0)

        goto Exit;

    if ((outpubkey->base = malloc(ctx->pubkey.len)) == NULL) {

        ret = PTLS_ERROR_NO_MEMORY;

        goto Exit;

    }

    memcpy(outpubkey->base, ctx->pubkey.base, ctx->pubkey.len);

    outpubkey->len = ctx->pubkey.len;

    ret = evp_keyex_on_exchange(&ctx, 1, secret, peerkey);

    assert(ctx == NULL);

Exit:

    if (ctx != NULL)

        evp_keyex_on_exchange(&ctx, 1, NULL, ptls_iovec_init(NULL, 0));

    if (ret != 0)

        free(outpubkey->base);

    return ret;

}

#endif

int ptls_openssl_create_key_exchange(ptls_key_exchange_context_t **ctx, EVP_PKEY *pkey)

{

    int ret, id;

    switch (id = EVP_PKEY_id(pkey)) {

    case EVP_PKEY_EC: {

        /* obtain eckey */

        EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);

        /* determine algo */

        ptls_key_exchange_algorithm_t *algo;

        switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey))) {

        case NID_X9_62_prime256v1:

            algo = &ptls_openssl_secp256r1;

            break;

#if PTLS_OPENSSL_HAVE_SECP384R1

        case NID_secp384r1:

            algo = &ptls_openssl_secp384r1;

            break;

#endif

#if PTLS_OPENSSL_HAVE_SECP521R1

        case NID_secp521r1:

            algo = &ptls_openssl_secp521r1;

            break;

#endif

        default:

            EC_KEY_free(eckey);

            return PTLS_ERROR_INCOMPATIBLE_KEY;

        }

        /* load key */

        if ((ret = x9_62_init_key(algo, ctx, eckey)) != 0) {

            EC_KEY_free(eckey);

            return ret;

        }

        return 0;

    } break;

#if PTLS_OPENSSL_HAVE_X25519

    case NID_X25519:

        if ((ret = evp_keyex_init(&ptls_openssl_x25519, ctx, pkey)) != 0)

            return ret;

        EVP_PKEY_up_ref(pkey);

        return 0;

#endif

    default:

        return PTLS_ERROR_INCOMPATIBLE_KEY;

    }

}

#if PTLS_OPENSSL_HAVE_ASYNC

struct async_sign_ctx {

    ptls_async_job_t super;

    const ptls_openssl_signature_scheme_t *scheme;

    EVP_MD_CTX *ctx;

    ASYNC_WAIT_CTX *waitctx;

    ASYNC_JOB *job;

    size_t siglen;

    uint8_t sig[0]; // must be last, see `async_sign_ctx_new`

};

static void async_sign_ctx_free(ptls_async_job_t *_self)

{

    struct async_sign_ctx *self = (void *)_self;

    /* Once the async operation is complete, the user might call `ptls_free` instead of `ptls_handshake`. In such case, to avoid

     * desynchronization, let the backend read the result from the socket. The code below is a loop, but it is not going to block;

     * it is the responsibility of the user to refrain from calling `ptls_free` until the asynchronous operation is complete. */

    if (self->job != NULL) {

        int ret;

        while (ASYNC_start_job(&self->job, self->waitctx, &ret, NULL, NULL, 0) == ASYNC_PAUSE)

            ;

    }

    EVP_MD_CTX_destroy(self->ctx);

    ASYNC_WAIT_CTX_free(self->waitctx);

    free(self);

}

int async_sign_ctx_get_fd(ptls_async_job_t *_self)

{

    struct async_sign_ctx *self = (void *)_self;

    OSSL_ASYNC_FD fds[1];

    size_t numfds;

    ASYNC_WAIT_CTX_get_all_fds(self->waitctx, NULL, &numfds);

    assert(numfds == 1);

    ASYNC_WAIT_CTX_get_all_fds(self->waitctx, fds, &numfds);

    return (int)fds[0];

}

static ptls_async_job_t *async_sign_ctx_new(const ptls_openssl_signature_scheme_t *scheme, EVP_MD_CTX *ctx, size_t siglen)

{

    struct async_sign_ctx *self;

    if ((self = malloc(offsetof(struct async_sign_ctx, sig) + siglen)) == NULL)

        return NULL;

    self->super = (ptls_async_job_t){async_sign_ctx_free, async_sign_ctx_get_fd};

    self->scheme = scheme;

    self->ctx = ctx;

    self->waitctx = ASYNC_WAIT_CTX_new();

    self->job = NULL;

    self->siglen = siglen;

    memset(self->sig, 0, siglen);

    return &self->super;

}

static int do_sign_async_job(void *_async)

{

    struct async_sign_ctx *async = *(struct async_sign_ctx **)_async;

    return EVP_DigestSignFinal(async->ctx, async->sig, &async->siglen);

}

static int do_sign_async(ptls_buffer_t *outbuf, ptls_async_job_t **_async)

{

    struct async_sign_ctx *async = (void *)*_async;

    int ret;

    switch (ASYNC_start_job(&async->job, async->waitctx, &ret, do_sign_async_job, &async, sizeof(async))) {

    case ASYNC_PAUSE:

        return PTLS_ERROR_ASYNC_OPERATION; // async operation inflight; bail out without getting rid of async context

    case ASYNC_ERR:

        ret = PTLS_ERROR_LIBRARY;

        break;

    case ASYNC_NO_JOBS:

        ret = PTLS_ERROR_LIBRARY;

        break;

    case ASYNC_FINISH:

        async->job = NULL;

        ptls_buffer_pushv(outbuf, async->sig, async->siglen);

        ret = 0;

        break;

    default:

        ret = PTLS_ERROR_LIBRARY;

        break;

    }

Exit:

    async_sign_ctx_free(&async->super);

    *_async = NULL;

    return ret;

}

#endif

static int do_sign(EVP_PKEY *key, const ptls_openssl_signature_scheme_t *scheme, ptls_buffer_t *outbuf, ptls_iovec_t input,

                   ptls_async_job_t **async)

{

    EVP_MD_CTX *ctx = NULL;

    const EVP_MD *md = scheme->scheme_md != NULL ? scheme->scheme_md() : NULL;

    EVP_PKEY_CTX *pkey_ctx;

    size_t siglen;

    int ret;

    if ((ctx = EVP_MD_CTX_create()) == NULL) {

        ret = PTLS_ERROR_NO_MEMORY;

        goto Exit;

    }

    if (EVP_DigestSignInit(ctx, &pkey_ctx, md, NULL, key) != 1) {

        ret = PTLS_ERROR_LIBRARY;

        goto Exit;

    }

#if PTLS_OPENSSL_HAVE_ED25519

    if (EVP_PKEY_id(key) == EVP_PKEY_ED25519) {

        /* ED25519 requires the use of the all-at-once function that appeared in OpenSSL 1.1.1, hence different path */

        if (EVP_DigestSign(ctx, NULL, &siglen, input.base, input.len) != 1) {

            ret = PTLS_ERROR_LIBRARY;

            goto Exit;

        }

        if ((ret = ptls_buffer_reserve(outbuf, siglen)) != 0)

            goto Exit;

        if (EVP_DigestSign(ctx, outbuf->base + outbuf->off, &siglen, input.base, input.len) != 1) {

            ret = PTLS_ERROR_LIBRARY;

            goto Exit;

        }

    } else

#endif

    {

        if (EVP_PKEY_id(key) == EVP_PKEY_RSA) {

            if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) != 1) {

                ret = PTLS_ERROR_LIBRARY;

                goto Exit;

            }

            if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1) != 1) {

                ret = PTLS_ERROR_LIBRARY;

                goto Exit;

            }

            if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, md) != 1) {

                ret = PTLS_ERROR_LIBRARY;

                goto Exit;

            }

        }

        if (EVP_DigestSignUpdate(ctx, input.base, input.len) != 1) {

            ret = PTLS_ERROR_LIBRARY;

            goto Exit;

        }

        if (EVP_DigestSignFinal(ctx, NULL, &siglen) != 1) {

            ret = PTLS_ERROR_LIBRARY;

            goto Exit;

        }

        /* If permitted by the caller (by providing a non-NULL `async` slot), use the asynchronous signing method and return

         * immediately. */

#if PTLS_OPENSSL_HAVE_ASYNC

        if (async != NULL) {

            if ((*async = async_sign_ctx_new(scheme, ctx, siglen)) == NULL) {

                ret = PTLS_ERROR_NO_MEMORY;

                goto Exit;

            }

            return do_sign_async(outbuf, async);

        }

#endif

        /* Otherwise, generate signature synchronously. */

        if ((ret = ptls_buffer_reserve(outbuf, siglen)) != 0)

            goto Exit;

        if (EVP_DigestSignFinal(ctx, outbuf->base + outbuf->off, &siglen) != 1) {