Coverage Report

Created: 2024-09-06 06:47

/src/picotls/lib/openssl.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (c) 2016 DeNA Co., Ltd., Kazuho Oku
3
 *
4
 * Permission is hereby granted, free of charge, to any person obtaining a copy
5
 * of this software and associated documentation files (the "Software"), to
6
 * deal in the Software without restriction, including without limitation the
7
 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
8
 * sell copies of the Software, and to permit persons to whom the Software is
9
 * furnished to do so, subject to the following conditions:
10
 *
11
 * The above copyright notice and this permission notice shall be included in
12
 * all copies or substantial portions of the Software.
13
 *
14
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
19
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
20
 * IN THE SOFTWARE.
21
 */
22
23
#ifdef _WINDOWS
24
#include "wincompat.h"
25
#else
26
#include <unistd.h>
27
#endif
28
#include <assert.h>
29
#include <stdio.h>
30
#include <stdlib.h>
31
#include <string.h>
32
#define OPENSSL_API_COMPAT 0x00908000L
33
#include <openssl/bn.h>
34
#include <openssl/crypto.h>
35
#ifdef OPENSSL_IS_BORINGSSL
36
#include <openssl/curve25519.h>
37
#include <openssl/chacha.h>
38
#include <openssl/poly1305.h>
39
#endif
40
#include <openssl/ec.h>
41
#include <openssl/ecdh.h>
42
#include <openssl/err.h>
43
#include <openssl/evp.h>
44
#include <openssl/objects.h>
45
#include <openssl/rand.h>
46
#include <openssl/rsa.h>
47
#include <openssl/x509.h>
48
#include <openssl/x509v3.h>
49
#include <openssl/x509_vfy.h>
50
#include "picotls.h"
51
#include "picotls/openssl.h"
52
#ifdef OPENSSL_IS_BORINGSSL
53
#include "./chacha20poly1305.h"
54
#endif
55
#ifdef PTLS_HAVE_AEGIS
56
#include "./libaegis.h"
57
#endif
58
59
#ifdef _WINDOWS
60
#ifndef _CRT_SECURE_NO_WARNINGS
61
#define _CRT_SECURE_NO_WARNINGS
62
#endif
63
#pragma warning(disable : 4996)
64
#endif
65
66
#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
67
#define OPENSSL_1_1_API 1
68
#elif defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL
69
#define OPENSSL_1_1_API 1
70
#else
71
#define OPENSSL_1_1_API 0
72
#endif
73
74
#if !OPENSSL_1_1_API
75
76
#define EVP_PKEY_up_ref(p) CRYPTO_add(&(p)->references, 1, CRYPTO_LOCK_EVP_PKEY)
77
#define X509_STORE_up_ref(p) CRYPTO_add(&(p)->references, 1, CRYPTO_LOCK_X509_STORE)
78
#define X509_STORE_get0_param(p) ((p)->param)
79
80
static HMAC_CTX *HMAC_CTX_new(void)
81
{
82
    HMAC_CTX *ctx;
83
84
    if ((ctx = OPENSSL_malloc(sizeof(*ctx))) == NULL)
85
        return NULL;
86
    HMAC_CTX_init(ctx);
87
    return ctx;
88
}
89
90
static void HMAC_CTX_free(HMAC_CTX *ctx)
91
{
92
    HMAC_CTX_cleanup(ctx);
93
    OPENSSL_free(ctx);
94
}
95
96
static int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx)
97
{
98
    return EVP_CIPHER_CTX_cleanup(ctx);
99
}
100
101
#endif
102
103
static const ptls_openssl_signature_scheme_t rsa_signature_schemes[] = {{PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256, EVP_sha256},
104
                                                                        {PTLS_SIGNATURE_RSA_PSS_RSAE_SHA384, EVP_sha384},
105
                                                                        {PTLS_SIGNATURE_RSA_PSS_RSAE_SHA512, EVP_sha512},
106
                                                                        {UINT16_MAX, NULL}};
107
static const ptls_openssl_signature_scheme_t secp256r1_signature_schemes[] = {{PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256, EVP_sha256},
108
                                                                              {UINT16_MAX, NULL}};
109
#if PTLS_OPENSSL_HAVE_SECP384R1
110
static const ptls_openssl_signature_scheme_t secp384r1_signature_schemes[] = {{PTLS_SIGNATURE_ECDSA_SECP384R1_SHA384, EVP_sha384},
111
                                                                              {UINT16_MAX, NULL}};
112
#endif
113
#if PTLS_OPENSSL_HAVE_SECP521R1
114
static const ptls_openssl_signature_scheme_t secp521r1_signature_schemes[] = {{PTLS_SIGNATURE_ECDSA_SECP521R1_SHA512, EVP_sha512},
115
                                                                              {UINT16_MAX, NULL}};
116
#endif
117
#if PTLS_OPENSSL_HAVE_ED25519
118
static const ptls_openssl_signature_scheme_t ed25519_signature_schemes[] = {{PTLS_SIGNATURE_ED25519, NULL}, {UINT16_MAX, NULL}};
119
#endif
120
121
/**
122
 * The default list sent in ClientHello.signature_algorithms. ECDSA certificates are preferred.
123
 */
124
static const uint16_t default_signature_schemes[] = {
125
#if PTLS_OPENSSL_HAVE_ED25519
126
    PTLS_SIGNATURE_ED25519,
127
#endif
128
    PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256,
129
#if PTLS_OPENSSL_HAVE_SECP384R1
130
    PTLS_SIGNATURE_ECDSA_SECP384R1_SHA384,
131
#endif
132
#if PTLS_OPENSSL_HAVE_SECP521R1
133
    PTLS_SIGNATURE_ECDSA_SECP521R1_SHA512,
134
#endif
135
    PTLS_SIGNATURE_RSA_PSS_RSAE_SHA512,
136
    PTLS_SIGNATURE_RSA_PSS_RSAE_SHA384,
137
    PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256,
138
    UINT16_MAX};
139
140
const ptls_openssl_signature_scheme_t *ptls_openssl_lookup_signature_schemes(EVP_PKEY *key)
141
0
{
142
0
    const ptls_openssl_signature_scheme_t *schemes = NULL;
143
144
0
    switch (EVP_PKEY_id(key)) {
145
0
    case EVP_PKEY_RSA:
146
0
        schemes = rsa_signature_schemes;
147
0
        break;
148
0
    case EVP_PKEY_EC: {
149
0
        EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(key);
150
0
        switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey))) {
151
0
        case NID_X9_62_prime256v1:
152
0
            schemes = secp256r1_signature_schemes;
153
0
            break;
154
0
#if PTLS_OPENSSL_HAVE_SECP384R1
155
0
        case NID_secp384r1:
156
0
            schemes = secp384r1_signature_schemes;
157
0
            break;
158
0
#endif
159
0
#if PTLS_OPENSSL_HAVE_SECP521R1
160
0
        case NID_secp521r1:
161
0
            schemes = secp521r1_signature_schemes;
162
0
            break;
163
0
#endif
164
0
        default:
165
0
            break;
166
0
        }
167
0
        EC_KEY_free(eckey);
168
0
    } break;
169
0
#if PTLS_OPENSSL_HAVE_ED25519
170
0
    case EVP_PKEY_ED25519:
171
0
        schemes = ed25519_signature_schemes;
172
0
        break;
173
0
#endif
174
0
    default:
175
0
        break;
176
0
    }
177
178
0
    return schemes;
179
0
}
180
181
const ptls_openssl_signature_scheme_t *ptls_openssl_select_signature_scheme(const ptls_openssl_signature_scheme_t *available,
182
                                                                            const uint16_t *algorithms, size_t num_algorithms)
183
0
{
184
0
    const ptls_openssl_signature_scheme_t *scheme;
185
186
    /* select the algorithm, driven by server-isde preference of `available` */
187
0
    for (scheme = available; scheme->scheme_id != UINT16_MAX; ++scheme)
188
0
        for (size_t i = 0; i != num_algorithms; ++i)
189
0
            if (algorithms[i] == scheme->scheme_id)
190
0
                return scheme;
191
192
0
    return NULL;
193
0
}
194
195
void ptls_openssl_random_bytes(void *buf, size_t len)
196
0
{
197
0
    int ret = RAND_bytes(buf, (int)len);
198
0
    if (ret != 1) {
199
0
        fprintf(stderr, "RAND_bytes() failed with code: %d\n", ret);
200
0
        abort();
201
0
    }
202
0
}
203
204
static EC_KEY *ecdh_generate_key(EC_GROUP *group)
205
40.3k
{
206
40.3k
    EC_KEY *key;
207
208
40.3k
    if ((key = EC_KEY_new()) == NULL)
209
0
        return NULL;
210
40.3k
    if (!EC_KEY_set_group(key, group) || !EC_KEY_generate_key(key)) {
211
0
        EC_KEY_free(key);
212
0
        return NULL;
213
0
    }
214
215
40.3k
    return key;
216
40.3k
}
217
218
static int ecdh_calc_secret(ptls_iovec_t *out, const EC_GROUP *group, EC_KEY *privkey, EC_POINT *peer_point)
219
1.11k
{
220
1.11k
    ptls_iovec_t secret;
221
1.11k
    int ret;
222
223
1.11k
    secret.len = (EC_GROUP_get_degree(group) + 7) / 8;
224
1.11k
    if ((secret.base = malloc(secret.len)) == NULL) {
225
0
        ret = PTLS_ERROR_NO_MEMORY;
226
0
        goto Exit;
227
0
    }
228
1.11k
    if (ECDH_compute_key(secret.base, secret.len, peer_point, privkey, NULL) <= 0) {
229
1
        ret = PTLS_ALERT_HANDSHAKE_FAILURE; /* ??? */
230
1
        goto Exit;
231
1
    }
232
1.11k
    ret = 0;
233
234
1.11k
Exit:
235
1.11k
    if (ret == 0) {
236
1.11k
        *out = secret;
237
1.11k
    } else {
238
1
        free(secret.base);
239
1
        *out = (ptls_iovec_t){NULL};
240
1
    }
241
1.11k
    return ret;
242
1.11k
}
243
244
static EC_POINT *x9_62_decode_point(const EC_GROUP *group, ptls_iovec_t vec, BN_CTX *bn_ctx)
245
1.11k
{
246
1.11k
    EC_POINT *point = NULL;
247
248
1.11k
    if ((point = EC_POINT_new(group)) == NULL)
249
0
        return NULL;
250
1.11k
    if (!EC_POINT_oct2point(group, point, vec.base, vec.len, bn_ctx)) {
251
2
        EC_POINT_free(point);
252
2
        return NULL;
253
2
    }
254
255
1.11k
    return point;
256
1.11k
}
257
258
static ptls_iovec_t x9_62_encode_point(const EC_GROUP *group, const EC_POINT *point, BN_CTX *bn_ctx)
259
40.3k
{
260
40.3k
    ptls_iovec_t vec;
261
262
40.3k
    if ((vec.len = EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, NULL, 0, bn_ctx)) == 0)
263
0
        return (ptls_iovec_t){NULL};
264
40.3k
    if ((vec.base = malloc(vec.len)) == NULL)
265
0
        return (ptls_iovec_t){NULL};
266
40.3k
    if (EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, vec.base, vec.len, bn_ctx) != vec.len) {
267
0
        free(vec.base);
268
0
        return (ptls_iovec_t){NULL};
269
0
    }
270
271
40.3k
    return vec;
272
40.3k
}
273
274
struct st_x9_62_keyex_context_t {
275
    ptls_key_exchange_context_t super;
276
    BN_CTX *bn_ctx;
277
    EC_KEY *privkey;
278
};
279
280
static void x9_62_free_context(struct st_x9_62_keyex_context_t *ctx)
281
40.3k
{
282
40.3k
    free(ctx->super.pubkey.base);
283
40.3k
    if (ctx->privkey != NULL)
284
40.3k
        EC_KEY_free(ctx->privkey);
285
40.3k
    if (ctx->bn_ctx != NULL)
286
40.3k
        BN_CTX_free(ctx->bn_ctx);
287
40.3k
    free(ctx);
288
40.3k
}
289
290
static int x9_62_on_exchange(ptls_key_exchange_context_t **_ctx, int release, ptls_iovec_t *secret, ptls_iovec_t peerkey)
291
40.3k
{
292
40.3k
    struct st_x9_62_keyex_context_t *ctx = (struct st_x9_62_keyex_context_t *)*_ctx;
293
40.3k
    const EC_GROUP *group = EC_KEY_get0_group(ctx->privkey);
294
40.3k
    EC_POINT *peer_point = NULL;
295
40.3k
    int ret;
296
297
40.3k
    if (secret == NULL) {
298
39.2k
        ret = 0;
299
39.2k
        goto Exit;
300
39.2k
    }
301
302
1.11k
    if ((peer_point = x9_62_decode_point(group, peerkey, ctx->bn_ctx)) == NULL) {
303
2
        ret = PTLS_ALERT_DECODE_ERROR;
304
2
        goto Exit;
305
2
    }
306
1.11k
    if ((ret = ecdh_calc_secret(secret, group, ctx->privkey, peer_point)) != 0)
307
1
        goto Exit;
308
309
40.3k
Exit:
310
40.3k
    if (peer_point != NULL)
311
1.11k
        EC_POINT_free(peer_point);
312
40.3k
    if (release) {
313
40.3k
        x9_62_free_context(ctx);
314
40.3k
        *_ctx = NULL;
315
40.3k
    }
316
40.3k
    return ret;
317
1.11k
}
318
319
static int x9_62_create_context(ptls_key_exchange_algorithm_t *algo, struct st_x9_62_keyex_context_t **ctx)
320
40.3k
{
321
40.3k
    int ret;
322
323
40.3k
    if ((*ctx = (struct st_x9_62_keyex_context_t *)malloc(sizeof(**ctx))) == NULL) {
324
0
        ret = PTLS_ERROR_NO_MEMORY;
325
0
        goto Exit;
326
0
    }
327
40.3k
    **ctx = (struct st_x9_62_keyex_context_t){{algo, {NULL}, x9_62_on_exchange}};
328
329
40.3k
    if (((*ctx)->bn_ctx = BN_CTX_new()) == NULL) {
330
0
        ret = PTLS_ERROR_NO_MEMORY;
331
0
        goto Exit;
332
0
    }
333
334
40.3k
    ret = 0;
335
40.3k
Exit:
336
40.3k
    if (ret != 0 && *ctx != NULL) {
337
0
        x9_62_free_context(*ctx);
338
0
        *ctx = NULL;
339
0
    }
340
40.3k
    return ret;
341
40.3k
}
342
343
static int x9_62_setup_pubkey(struct st_x9_62_keyex_context_t *ctx)
344
40.3k
{
345
40.3k
    const EC_GROUP *group = EC_KEY_get0_group(ctx->privkey);
346
40.3k
    const EC_POINT *pubkey = EC_KEY_get0_public_key(ctx->privkey);
347
40.3k
    if ((ctx->super.pubkey = x9_62_encode_point(group, pubkey, ctx->bn_ctx)).base == NULL)
348
0
        return PTLS_ERROR_NO_MEMORY;
349
40.3k
    return 0;
350
40.3k
}
351
352
static int x9_62_create_key_exchange(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **_ctx)
353
40.3k
{
354
40.3k
    EC_GROUP *group = NULL;
355
40.3k
    struct st_x9_62_keyex_context_t *ctx = NULL;
356
40.3k
    int ret;
357
358
    /* FIXME use a global? */
359
40.3k
    if ((group = EC_GROUP_new_by_curve_name((int)algo->data)) == NULL) {
360
0
        ret = PTLS_ERROR_LIBRARY;
361
0
        goto Exit;
362
0
    }
363
40.3k
    if ((ret = x9_62_create_context(algo, &ctx)) != 0)
364
0
        goto Exit;
365
40.3k
    if ((ctx->privkey = ecdh_generate_key(group)) == NULL) {
366
0
        ret = PTLS_ERROR_LIBRARY;
367
0
        goto Exit;
368
0
    }
369
40.3k
    if ((ret = x9_62_setup_pubkey(ctx)) != 0)
370
0
        goto Exit;
371
40.3k
    ret = 0;
372
373
40.3k
Exit:
374
40.3k
    if (group != NULL)
375
40.3k
        EC_GROUP_free(group);
376
40.3k
    if (ret == 0) {
377
40.3k
        *_ctx = &ctx->super;
378
40.3k
    } else {
379
0
        if (ctx != NULL)
380
0
            x9_62_free_context(ctx);
381
0
        *_ctx = NULL;
382
0
    }
383
384
40.3k
    return ret;
385
40.3k
}
386
387
static int x9_62_init_key(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **_ctx, EC_KEY *eckey)
388
0
{
389
0
    struct st_x9_62_keyex_context_t *ctx = NULL;
390
0
    int ret;
391
392
0
    if ((ret = x9_62_create_context(algo, &ctx)) != 0)
393
0
        goto Exit;
394
0
    ctx->privkey = eckey;
395
0
    if ((ret = x9_62_setup_pubkey(ctx)) != 0)
396
0
        goto Exit;
397
0
    ret = 0;
398
399
0
Exit:
400
0
    if (ret == 0) {
401
0
        *_ctx = &ctx->super;
402
0
    } else {
403
0
        if (ctx != NULL)
404
0
            x9_62_free_context(ctx);
405
0
        *_ctx = NULL;
406
0
    }
407
0
    return ret;
408
0
}
409
410
static int x9_62_key_exchange(EC_GROUP *group, ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey, BN_CTX *bn_ctx)
411
0
{
412
0
    EC_POINT *peer_point = NULL;
413
0
    EC_KEY *privkey = NULL;
414
0
    int ret;
415
416
0
    *pubkey = (ptls_iovec_t){NULL};
417
0
    *secret = (ptls_iovec_t){NULL};
418
419
    /* decode peer key */
420
0
    if ((peer_point = x9_62_decode_point(group, peerkey, bn_ctx)) == NULL) {
421
0
        ret = PTLS_ALERT_DECODE_ERROR;
422
0
        goto Exit;
423
0
    }
424
425
    /* create private key */
426
0
    if ((privkey = ecdh_generate_key(group)) == NULL) {
427
0
        ret = PTLS_ERROR_NO_MEMORY;
428
0
        goto Exit;
429
0
    }
430
431
    /* encode public key */
432
0
    if ((*pubkey = x9_62_encode_point(group, EC_KEY_get0_public_key(privkey), bn_ctx)).base == NULL) {
433
0
        ret = PTLS_ERROR_NO_MEMORY;
434
0
        goto Exit;
435
0
    }
436
437
    /* allocate space for secret */
438
0
    secret->len = (EC_GROUP_get_degree(group) + 7) / 8;
439
0
    if ((secret->base = malloc(secret->len)) == NULL) {
440
0
        ret = PTLS_ERROR_NO_MEMORY;
441
0
        goto Exit;
442
0
    }
443
444
    /* calc secret */
445
0
    if (ECDH_compute_key(secret->base, secret->len, peer_point, privkey, NULL) <= 0) {
446
0
        ret = PTLS_ALERT_HANDSHAKE_FAILURE; /* ??? */
447
0
        goto Exit;
448
0
    }
449
450
0
    ret = 0;
451
452
0
Exit:
453
0
    if (peer_point != NULL)
454
0
        EC_POINT_free(peer_point);
455
0
    if (privkey != NULL)
456
0
        EC_KEY_free(privkey);
457
0
    if (ret != 0) {
458
0
        free(pubkey->base);
459
0
        *pubkey = (ptls_iovec_t){NULL};
460
0
        free(secret->base);
461
0
        *secret = (ptls_iovec_t){NULL};
462
0
    }
463
0
    return ret;
464
0
}
465
466
static int secp_key_exchange(ptls_key_exchange_algorithm_t *algo, ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey)
467
0
{
468
0
    EC_GROUP *group = NULL;
469
0
    BN_CTX *bn_ctx = NULL;
470
0
    int ret;
471
472
0
    if ((group = EC_GROUP_new_by_curve_name((int)algo->data)) == NULL) {
473
0
        ret = PTLS_ERROR_LIBRARY;
474
0
        goto Exit;
475
0
    }
476
0
    if ((bn_ctx = BN_CTX_new()) == NULL) {
477
0
        ret = PTLS_ERROR_NO_MEMORY;
478
0
        goto Exit;
479
0
    }
480
481
0
    ret = x9_62_key_exchange(group, pubkey, secret, peerkey, bn_ctx);
482
483
0
Exit:
484
0
    if (bn_ctx != NULL)
485
0
        BN_CTX_free(bn_ctx);
486
0
    if (group != NULL)
487
0
        EC_GROUP_free(group);
488
0
    return ret;
489
0
}
490
491
#if PTLS_OPENSSL_HAVE_X25519
492
493
struct st_evp_keyex_context_t {
494
    ptls_key_exchange_context_t super;
495
    EVP_PKEY *privkey;
496
};
497
498
static void evp_keyex_free(struct st_evp_keyex_context_t *ctx)
499
0
{
500
0
    if (ctx->privkey != NULL)
501
0
        EVP_PKEY_free(ctx->privkey);
502
0
    if (ctx->super.pubkey.base != NULL)
503
0
        OPENSSL_free(ctx->super.pubkey.base);
504
0
    free(ctx);
505
0
}
506
507
static int evp_keyex_on_exchange(ptls_key_exchange_context_t **_ctx, int release, ptls_iovec_t *secret, ptls_iovec_t peerkey)
508
0
{
509
0
    struct st_evp_keyex_context_t *ctx = (void *)*_ctx;
510
0
    EVP_PKEY *evppeer = NULL;
511
0
    EVP_PKEY_CTX *evpctx = NULL;
512
0
    int ret;
513
514
0
    if (secret == NULL) {
515
0
        ret = 0;
516
0
        goto Exit;
517
0
    }
518
519
0
    secret->base = NULL;
520
521
0
    if (peerkey.len != ctx->super.pubkey.len) {
522
0
        ret = PTLS_ALERT_DECRYPT_ERROR;
523
0
        goto Exit;
524
0
    }
525
526
#ifdef OPENSSL_IS_BORINGSSL
527
#define X25519_KEY_SIZE 32
528
    if (ctx->super.algo->id == PTLS_GROUP_X25519) {
529
        /* allocate memory to return secret */
530
        if ((secret->base = malloc(X25519_KEY_SIZE)) == NULL) {
531
            ret = PTLS_ERROR_NO_MEMORY;
532
            goto Exit;
533
        }
534
        secret->len = X25519_KEY_SIZE;
535
        /* fetch raw key and derive the secret */
536
        uint8_t sk_raw[X25519_KEY_SIZE];
537
        size_t sk_raw_len = sizeof(sk_raw);
538
        if (EVP_PKEY_get_raw_private_key(ctx->privkey, sk_raw, &sk_raw_len) != 1) {
539
            ret = PTLS_ERROR_LIBRARY;
540
            goto Exit;
541
        }
542
        assert(sk_raw_len == sizeof(sk_raw));
543
        X25519(secret->base, sk_raw, peerkey.base);
544
        ptls_clear_memory(sk_raw, sizeof(sk_raw));
545
        /* check bad key */
546
        static const uint8_t zeros[X25519_KEY_SIZE] = {0};
547
        if (ptls_mem_equal(secret->base, zeros, X25519_KEY_SIZE)) {
548
            ret = PTLS_ERROR_INCOMPATIBLE_KEY;
549
            goto Exit;
550
        }
551
        /* success */
552
        ret = 0;
553
        goto Exit;
554
    }
555
#undef X25519_KEY_SIZE
556
#endif
557
558
0
    if ((evppeer = EVP_PKEY_new()) == NULL) {
559
0
        ret = PTLS_ERROR_NO_MEMORY;
560
0
        goto Exit;
561
0
    }
562
0
    if (EVP_PKEY_copy_parameters(evppeer, ctx->privkey) <= 0) {
563
0
        ret = PTLS_ERROR_LIBRARY;
564
0
        goto Exit;
565
0
    }
566
0
    if (EVP_PKEY_set1_tls_encodedpoint(evppeer, peerkey.base, peerkey.len) <= 0) {
567
0
        ret = PTLS_ERROR_LIBRARY;
568
0
        goto Exit;
569
0
    }
570
0
    if ((evpctx = EVP_PKEY_CTX_new(ctx->privkey, NULL)) == NULL) {
571
0
        ret = PTLS_ERROR_LIBRARY;
572
0
        goto Exit;
573
0
    }
574
0
    if (EVP_PKEY_derive_init(evpctx) <= 0) {
575
0
        ret = PTLS_ERROR_LIBRARY;
576
0
        goto Exit;
577
0
    }
578
0
    if (EVP_PKEY_derive_set_peer(evpctx, evppeer) <= 0) {
579
0
        ret = PTLS_ERROR_LIBRARY;
580
0
        goto Exit;
581
0
    }
582
0
    if (EVP_PKEY_derive(evpctx, NULL, &secret->len) <= 0) {
583
0
        ret = PTLS_ERROR_LIBRARY;
584
0
        goto Exit;
585
0
    }
586
0
    if ((secret->base = malloc(secret->len)) == NULL) {
587
0
        ret = PTLS_ERROR_NO_MEMORY;
588
0
        goto Exit;
589
0
    }
590
0
    if (EVP_PKEY_derive(evpctx, secret->base, &secret->len) <= 0) {
591
0
        ret = PTLS_ERROR_LIBRARY;
592
0
        goto Exit;
593
0
    }
594
595
0
    ret = 0;
596
0
Exit:
597
0
    if (evpctx != NULL)
598
0
        EVP_PKEY_CTX_free(evpctx);
599
0
    if (evppeer != NULL)
600
0
        EVP_PKEY_free(evppeer);
601
0
    if (ret != 0)
602
0
        free(secret->base);
603
0
    if (release) {
604
0
        evp_keyex_free(ctx);
605
0
        *_ctx = NULL;
606
0
    }
607
0
    return ret;
608
0
}
609
610
/**
611
 * Upon success, ownership of `pkey` is transferred to the object being created. Otherwise, the refcount remains unchanged.
612
 */
613
static int evp_keyex_init(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **_ctx, EVP_PKEY *pkey)
614
0
{
615
0
    struct st_evp_keyex_context_t *ctx = NULL;
616
0
    int ret;
617
618
    /* instantiate */
619
0
    if ((ctx = malloc(sizeof(*ctx))) == NULL) {
620
0
        ret = PTLS_ERROR_NO_MEMORY;
621
0
        goto Exit;
622
0
    }
623
0
    *ctx = (struct st_evp_keyex_context_t){{algo, {NULL}, evp_keyex_on_exchange}, pkey};
624
625
    /* set public key */
626
0
    if ((ctx->super.pubkey.len = EVP_PKEY_get1_tls_encodedpoint(ctx->privkey, &ctx->super.pubkey.base)) == 0) {
627
0
        ctx->super.pubkey.base = NULL;
628
0
        ret = PTLS_ERROR_NO_MEMORY;
629
0
        goto Exit;
630
0
    }
631
632
0
    *_ctx = &ctx->super;
633
0
    ret = 0;
634
0
Exit:
635
0
    if (ret != 0 && ctx != NULL) {
636
0
        ctx->privkey = NULL; /* do not decrement refcount of pkey in case of error */
637
0
        evp_keyex_free(ctx);
638
0
    }
639
0
    return ret;
640
0
}
641
642
static int evp_keyex_create(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **ctx)
643
0
{
644
0
    EVP_PKEY_CTX *evpctx = NULL;
645
0
    EVP_PKEY *pkey = NULL;
646
0
    int ret;
647
648
    /* generate private key */
649
0
    if ((evpctx = EVP_PKEY_CTX_new_id((int)algo->data, NULL)) == NULL) {
650
0
        ret = PTLS_ERROR_LIBRARY;
651
0
        goto Exit;
652
0
    }
653
0
    if (EVP_PKEY_keygen_init(evpctx) <= 0) {
654
0
        ret = PTLS_ERROR_LIBRARY;
655
0
        goto Exit;
656
0
    }
657
0
    if (EVP_PKEY_keygen(evpctx, &pkey) <= 0) {
658
0
        ret = PTLS_ERROR_LIBRARY;
659
0
        goto Exit;
660
0
    }
661
662
    /* setup */
663
0
    if ((ret = evp_keyex_init(algo, ctx, pkey)) != 0)
664
0
        goto Exit;
665
0
    pkey = NULL;
666
0
    ret = 0;
667
668
0
Exit:
669
0
    if (pkey != NULL)
670
0
        EVP_PKEY_free(pkey);
671
0
    if (evpctx != NULL)
672
0
        EVP_PKEY_CTX_free(evpctx);
673
0
    return ret;
674
0
}
675
676
static int evp_keyex_exchange(ptls_key_exchange_algorithm_t *algo, ptls_iovec_t *outpubkey, ptls_iovec_t *secret,
677
                              ptls_iovec_t peerkey)
678
0
{
679
0
    ptls_key_exchange_context_t *ctx = NULL;
680
0
    int ret;
681
682
0
    outpubkey->base = NULL;
683
684
0
    if ((ret = evp_keyex_create(algo, &ctx)) != 0)
685
0
        goto Exit;
686
0
    if ((outpubkey->base = malloc(ctx->pubkey.len)) == NULL) {
687
0
        ret = PTLS_ERROR_NO_MEMORY;
688
0
        goto Exit;
689
0
    }
690
0
    memcpy(outpubkey->base, ctx->pubkey.base, ctx->pubkey.len);
691
0
    outpubkey->len = ctx->pubkey.len;
692
0
    ret = evp_keyex_on_exchange(&ctx, 1, secret, peerkey);
693
0
    assert(ctx == NULL);
694
695
0
Exit:
696
0
    if (ctx != NULL)
697
0
        evp_keyex_on_exchange(&ctx, 1, NULL, ptls_iovec_init(NULL, 0));
698
0
    if (ret != 0)
699
0
        free(outpubkey->base);
700
0
    return ret;
701
0
}
702
703
#endif
704
705
int ptls_openssl_create_key_exchange(ptls_key_exchange_context_t **ctx, EVP_PKEY *pkey)
706
0
{
707
0
    int ret, id;
708
709
0
    switch (id = EVP_PKEY_id(pkey)) {
710
711
0
    case EVP_PKEY_EC: {
712
        /* obtain eckey */
713
0
        EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
714
715
        /* determine algo */
716
0
        ptls_key_exchange_algorithm_t *algo;
717
0
        switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey))) {
718
0
        case NID_X9_62_prime256v1:
719
0
            algo = &ptls_openssl_secp256r1;
720
0
            break;
721
0
#if PTLS_OPENSSL_HAVE_SECP384R1
722
0
        case NID_secp384r1:
723
0
            algo = &ptls_openssl_secp384r1;
724
0
            break;
725
0
#endif
726
0
#if PTLS_OPENSSL_HAVE_SECP521R1
727
0
        case NID_secp521r1:
728
0
            algo = &ptls_openssl_secp521r1;
729
0
            break;
730
0
#endif
731
0
        default:
732
0
            EC_KEY_free(eckey);
733
0
            return PTLS_ERROR_INCOMPATIBLE_KEY;
734
0
        }
735
736
        /* load key */
737
0
        if ((ret = x9_62_init_key(algo, ctx, eckey)) != 0) {
738
0
            EC_KEY_free(eckey);
739
0
            return ret;
740
0
        }
741
742
0
        return 0;
743
0
    } break;
744
745
0
#if PTLS_OPENSSL_HAVE_X25519
746
0
    case NID_X25519:
747
0
        if ((ret = evp_keyex_init(&ptls_openssl_x25519, ctx, pkey)) != 0)
748
0
            return ret;
749
0
        EVP_PKEY_up_ref(pkey);
750
0
        return 0;
751
0
#endif
752
753
0
    default:
754
0
        return PTLS_ERROR_INCOMPATIBLE_KEY;
755
0
    }
756
0
}
757
758
#if PTLS_OPENSSL_HAVE_ASYNC
759
760
struct async_sign_ctx {
761
    ptls_async_job_t super;
762
    const ptls_openssl_signature_scheme_t *scheme;
763
    EVP_MD_CTX *ctx;
764
    ASYNC_WAIT_CTX *waitctx;
765
    ASYNC_JOB *job;
766
    size_t siglen;
767
    uint8_t sig[0]; // must be last, see `async_sign_ctx_new`
768
};
769
770
static void async_sign_ctx_free(ptls_async_job_t *_self)
771
0
{
772
0
    struct async_sign_ctx *self = (void *)_self;
773
774
    /* Once the async operation is complete, the user might call `ptls_free` instead of `ptls_handshake`. In such case, to avoid
775
     * desynchronization, let the backend read the result from the socket. The code below is a loop, but it is not going to block;
776
     * it is the responsibility of the user to refrain from calling `ptls_free` until the asynchronous operation is complete. */
777
0
    if (self->job != NULL) {
778
0
        int ret;
779
0
        while (ASYNC_start_job(&self->job, self->waitctx, &ret, NULL, NULL, 0) == ASYNC_PAUSE)
780
0
            ;
781
0
    }
782
783
0
    EVP_MD_CTX_destroy(self->ctx);
784
0
    ASYNC_WAIT_CTX_free(self->waitctx);
785
0
    free(self);
786
0
}
787
788
int async_sign_ctx_get_fd(ptls_async_job_t *_self)
789
0
{
790
0
    struct async_sign_ctx *self = (void *)_self;
791
0
    OSSL_ASYNC_FD fds[1];
792
0
    size_t numfds;
793
794
0
    ASYNC_WAIT_CTX_get_all_fds(self->waitctx, NULL, &numfds);
795
0
    assert(numfds == 1);
796
0
    ASYNC_WAIT_CTX_get_all_fds(self->waitctx, fds, &numfds);
797
0
    return (int)fds[0];
798
0
}
799
800
static ptls_async_job_t *async_sign_ctx_new(const ptls_openssl_signature_scheme_t *scheme, EVP_MD_CTX *ctx, size_t siglen)
801
0
{
802
0
    struct async_sign_ctx *self;
803
804
0
    if ((self = malloc(offsetof(struct async_sign_ctx, sig) + siglen)) == NULL)
805
0
        return NULL;
806
807
0
    self->super = (ptls_async_job_t){async_sign_ctx_free, async_sign_ctx_get_fd};
808
0
    self->scheme = scheme;
809
0
    self->ctx = ctx;
810
0
    self->waitctx = ASYNC_WAIT_CTX_new();
811
0
    self->job = NULL;
812
0
    self->siglen = siglen;
813
0
    memset(self->sig, 0, siglen);
814
815
0
    return &self->super;
816
0
}
817
818
static int do_sign_async_job(void *_async)
819
0
{
820
0
    struct async_sign_ctx *async = *(struct async_sign_ctx **)_async;
821
0
    return EVP_DigestSignFinal(async->ctx, async->sig, &async->siglen);
822
0
}
823
824
static int do_sign_async(ptls_buffer_t *outbuf, ptls_async_job_t **_async)
825
0
{
826
0
    struct async_sign_ctx *async = (void *)*_async;
827
0
    int ret;
828
829
0
    switch (ASYNC_start_job(&async->job, async->waitctx, &ret, do_sign_async_job, &async, sizeof(async))) {
830
0
    case ASYNC_PAUSE:
831
0
        return PTLS_ERROR_ASYNC_OPERATION; // async operation inflight; bail out without getting rid of async context
832
0
    case ASYNC_ERR:
833
0
        ret = PTLS_ERROR_LIBRARY;
834
0
        break;
835
0
    case ASYNC_NO_JOBS:
836
0
        ret = PTLS_ERROR_LIBRARY;
837
0
        break;
838
0
    case ASYNC_FINISH:
839
0
        async->job = NULL;
840
0
        ptls_buffer_pushv(outbuf, async->sig, async->siglen);
841
0
        ret = 0;
842
0
        break;
843
0
    default:
844
0
        ret = PTLS_ERROR_LIBRARY;
845
0
        break;
846
0
    }
847
848
0
Exit:
849
0
    async_sign_ctx_free(&async->super);
850
0
    *_async = NULL;
851
0
    return ret;
852
0
}
853
854
#endif
855
856
static int do_sign(EVP_PKEY *key, const ptls_openssl_signature_scheme_t *scheme, ptls_buffer_t *outbuf, ptls_iovec_t input,
857
                   ptls_async_job_t **async)
858
0
{
859
0
    EVP_MD_CTX *ctx = NULL;
860
0
    const EVP_MD *md = scheme->scheme_md != NULL ? scheme->scheme_md() : NULL;
861
0
    EVP_PKEY_CTX *pkey_ctx;
862
0
    size_t siglen;
863
0
    int ret;
864
865
0
    if ((ctx = EVP_MD_CTX_create()) == NULL) {
866
0
        ret = PTLS_ERROR_NO_MEMORY;
867
0
        goto Exit;
868
0
    }
869
870
0
    if (EVP_DigestSignInit(ctx, &pkey_ctx, md, NULL, key) != 1) {
871
0
        ret = PTLS_ERROR_LIBRARY;
872
0
        goto Exit;
873
0
    }
874
875
0
#if PTLS_OPENSSL_HAVE_ED25519
876
0
    if (EVP_PKEY_id(key) == EVP_PKEY_ED25519) {
877
        /* ED25519 requires the use of the all-at-once function that appeared in OpenSSL 1.1.1, hence different path */
878
0
        if (EVP_DigestSign(ctx, NULL, &siglen, input.base, input.len) != 1) {
879
0
            ret = PTLS_ERROR_LIBRARY;
880
0
            goto Exit;
881
0
        }
882
0
        if ((ret = ptls_buffer_reserve(outbuf, siglen)) != 0)
883
0
            goto Exit;
884
0
        if (EVP_DigestSign(ctx, outbuf->base + outbuf->off, &siglen, input.base, input.len) != 1) {
885
0
            ret = PTLS_ERROR_LIBRARY;
886
0
            goto Exit;
887
0
        }
888
0
    } else
889
0
#endif
890
0
    {
891
0
        if (EVP_PKEY_id(key) == EVP_PKEY_RSA) {
892
0
            if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) != 1) {
893
0
                ret = PTLS_ERROR_LIBRARY;
894
0
                goto Exit;
895
0
            }
896
0
            if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1) != 1) {
897
0
                ret = PTLS_ERROR_LIBRARY;
898
0
                goto Exit;
899
0
            }
900
0
            if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, md) != 1) {
901
0
                ret = PTLS_ERROR_LIBRARY;
902
0
                goto Exit;
903
0
            }
904
0
        }
905
0
        if (EVP_DigestSignUpdate(ctx, input.base, input.len) != 1) {
906
0
            ret = PTLS_ERROR_LIBRARY;
907
0
            goto Exit;
908
0
        }
909
0
        if (EVP_DigestSignFinal(ctx, NULL, &siglen) != 1) {
910
0
            ret = PTLS_ERROR_LIBRARY;
911
0
            goto Exit;
912
0
        }
913
        /* If permitted by the caller (by providing a non-NULL `async` slot), use the asynchronous signing method and return
914
         * immediately. */
915
0
#if PTLS_OPENSSL_HAVE_ASYNC
916
0
        if (async != NULL) {
917
0
            if ((*async = async_sign_ctx_new(scheme, ctx, siglen)) == NULL) {
918
0
                ret = PTLS_ERROR_NO_MEMORY;
919
0
                goto Exit;
920
0
            }
921
0
            return do_sign_async(outbuf, async);
922
0
        }
923
0
#endif
924
        /* Otherwise, generate signature synchronously. */
925
0
        if ((ret = ptls_buffer_reserve(outbuf, siglen)) != 0)
926
0
            goto Exit;
927
0
        if (EVP_DigestSignFinal(ctx, outbuf->base + outbuf->off, &siglen) != 1) {
928
0
            ret = PTLS_ERROR_LIBRARY;
929
0
            goto Exit;
930
0
        }
931
0
    }
932
933
0
    outbuf->off += siglen;
934
935
0
    ret = 0;
936
0
Exit:
937
0
    if (ctx != NULL)
938
0
        EVP_MD_CTX_destroy(ctx);
939
0
    return ret;
940
0
}
941
942
struct cipher_context_t {
943
    ptls_cipher_context_t super;
944
    EVP_CIPHER_CTX *evp;
945
};
946
947
static void cipher_dispose(ptls_cipher_context_t *_ctx)
948
0
{
949
0
    struct cipher_context_t *ctx = (struct cipher_context_t *)_ctx;
950
0
    EVP_CIPHER_CTX_free(ctx->evp);
951
0
}
952
953
static void cipher_do_init(ptls_cipher_context_t *_ctx, const void *iv)
954
0
{
955
0
    struct cipher_context_t *ctx = (struct cipher_context_t *)_ctx;
956
0
    int ret;
957
0
    ret = EVP_EncryptInit_ex(ctx->evp, NULL, NULL, NULL, iv);
958
0
    assert(ret);
959
0
}
960
961
static int cipher_setup_crypto(ptls_cipher_context_t *_ctx, int is_enc, const void *key, const EVP_CIPHER *cipher,
962
                               void (*do_transform)(ptls_cipher_context_t *, void *, const void *, size_t))
963
0
{
964
0
    struct cipher_context_t *ctx = (struct cipher_context_t *)_ctx;
965
966
0
    ctx->super.do_dispose = cipher_dispose;
967
0
    ctx->super.do_init = cipher_do_init;
968
0
    ctx->super.do_transform = do_transform;
969
970
0
    if ((ctx->evp = EVP_CIPHER_CTX_new()) == NULL)
971
0
        return PTLS_ERROR_NO_MEMORY;
972
973
0
    if (is_enc) {
974
0
        if (!EVP_EncryptInit_ex(ctx->evp, cipher, NULL, key, NULL))
975
0
            goto Error;
976
0
    } else {
977
0
        if (!EVP_DecryptInit_ex(ctx->evp, cipher, NULL, key, NULL))
978
0
            goto Error;
979
0
        EVP_CIPHER_CTX_set_padding(ctx->evp, 0); /* required to disable one block buffering in ECB mode */
980
0
    }
981
982
0
    return 0;
983
0
Error:
984
0
    EVP_CIPHER_CTX_free(ctx->evp);
985
0
    return PTLS_ERROR_LIBRARY;
986
0
}
987
988
static void cipher_encrypt(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t _len)
989
0
{
990
0
    struct cipher_context_t *ctx = (struct cipher_context_t *)_ctx;
991
0
    int len = (int)_len, ret = EVP_EncryptUpdate(ctx->evp, output, &len, input, len);
992
0
    assert(ret);
993
0
    assert(len == (int)_len);
994
0
}
995
996
static void cipher_decrypt(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t _len)
997
0
{
998
0
    struct cipher_context_t *ctx = (struct cipher_context_t *)_ctx;
999
0
    int len = (int)_len, ret = EVP_DecryptUpdate(ctx->evp, output, &len, input, len);
1000
0
    assert(ret);
1001
0
    assert(len == (int)_len);
1002
0
}
1003
1004
static int aes128ecb_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key)
1005
0
{
1006
0
    return cipher_setup_crypto(ctx, is_enc, key, EVP_aes_128_ecb(), is_enc ? cipher_encrypt : cipher_decrypt);
1007
0
}
1008
1009
static int aes256ecb_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key)
1010
0
{
1011
0
    return cipher_setup_crypto(ctx, is_enc, key, EVP_aes_256_ecb(), is_enc ? cipher_encrypt : cipher_decrypt);
1012
0
}
1013
1014
static int aes128ctr_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key)
1015
0
{
1016
0
    return cipher_setup_crypto(ctx, 1, key, EVP_aes_128_ctr(), cipher_encrypt);
1017
0
}
1018
1019
static int aes256ctr_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key)
1020
0
{
1021
0
    return cipher_setup_crypto(ctx, 1, key, EVP_aes_256_ctr(), cipher_encrypt);
1022
0
}
1023
1024
#if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305
1025
#ifdef OPENSSL_IS_BORINGSSL
1026
1027
struct boringssl_chacha20_context_t {
1028
    ptls_cipher_context_t super;
1029
    uint8_t key[PTLS_CHACHA20_KEY_SIZE];
1030
    uint8_t iv[12];
1031
    struct {
1032
        uint32_t ctr;
1033
        uint8_t bytes[64];
1034
        size_t len;
1035
    } keystream;
1036
};
1037
1038
static void boringssl_chacha20_dispose(ptls_cipher_context_t *_ctx)
1039
{
1040
    struct boringssl_chacha20_context_t *ctx = (struct boringssl_chacha20_context_t *)_ctx;
1041
1042
    ptls_clear_memory(ctx->key, sizeof(ctx->key));
1043
    ptls_clear_memory(ctx->iv, sizeof(ctx->iv));
1044
    ptls_clear_memory(ctx->keystream.bytes, sizeof(ctx->keystream.bytes));
1045
}
1046
1047
static void boringssl_chacha20_init(ptls_cipher_context_t *_ctx, const void *_iv)
1048
{
1049
    struct boringssl_chacha20_context_t *ctx = (struct boringssl_chacha20_context_t *)_ctx;
1050
    const uint8_t *iv = _iv;
1051
1052
    memcpy(ctx->iv, iv + 4, sizeof(ctx->iv));
1053
    ctx->keystream.ctr = iv[0] | ((uint32_t)iv[1] << 8) | ((uint32_t)iv[2] << 16) | ((uint32_t)iv[3] << 24);
1054
    ctx->keystream.len = 0;
1055
}
1056
1057
static inline void boringssl_chacha20_transform_buffered(struct boringssl_chacha20_context_t *ctx, uint8_t **output,
1058
                                                         const uint8_t **input, size_t *len)
1059
{
1060
    size_t apply_len = *len < ctx->keystream.len ? *len : ctx->keystream.len;
1061
    const uint8_t *ks = ctx->keystream.bytes + sizeof(ctx->keystream.bytes) - ctx->keystream.len;
1062
    ctx->keystream.len -= apply_len;
1063
1064
    *len -= apply_len;
1065
    for (size_t i = 0; i < apply_len; ++i)
1066
        *(*output)++ = *(*input)++ ^ *ks++;
1067
}
1068
1069
static void boringssl_chacha20_transform(ptls_cipher_context_t *_ctx, void *_output, const void *_input, size_t len)
1070
{
1071
    struct boringssl_chacha20_context_t *ctx = (struct boringssl_chacha20_context_t *)_ctx;
1072
    uint8_t *output = _output;
1073
    const uint8_t *input = _input;
1074
1075
    if (len == 0)
1076
        return;
1077
1078
    if (ctx->keystream.len != 0) {
1079
        boringssl_chacha20_transform_buffered(ctx, &output, &input, &len);
1080
        if (len == 0)
1081
            return;
1082
    }
1083
1084
    assert(ctx->keystream.len == 0);
1085
1086
    if (len >= sizeof(ctx->keystream.bytes)) {
1087
        size_t blocks = len / CHACHA20POLY1305_BLOCKSIZE;
1088
        CRYPTO_chacha_20(output, input, blocks * CHACHA20POLY1305_BLOCKSIZE, ctx->key, ctx->iv, ctx->keystream.ctr);
1089
        ctx->keystream.ctr += blocks;
1090
        output += blocks * CHACHA20POLY1305_BLOCKSIZE;
1091
        input += blocks * CHACHA20POLY1305_BLOCKSIZE;
1092
        len -= blocks * CHACHA20POLY1305_BLOCKSIZE;
1093
        if (len == 0)
1094
            return;
1095
    }
1096
1097
    memset(ctx->keystream.bytes, 0, CHACHA20POLY1305_BLOCKSIZE);
1098
    CRYPTO_chacha_20(ctx->keystream.bytes, ctx->keystream.bytes, CHACHA20POLY1305_BLOCKSIZE, ctx->key, ctx->iv,
1099
                     ctx->keystream.ctr++);
1100
    ctx->keystream.len = sizeof(ctx->keystream.bytes);
1101
1102
    boringssl_chacha20_transform_buffered(ctx, &output, &input, &len);
1103
    assert(len == 0);
1104
}
1105
1106
static int boringssl_chacha20_setup_crypto(ptls_cipher_context_t *_ctx, int is_enc, const void *key)
1107
{
1108
    struct boringssl_chacha20_context_t *ctx = (struct boringssl_chacha20_context_t *)_ctx;
1109
1110
    ctx->super.do_dispose = boringssl_chacha20_dispose;
1111
    ctx->super.do_init = boringssl_chacha20_init;
1112
    ctx->super.do_transform = boringssl_chacha20_transform;
1113
    memcpy(ctx->key, key, sizeof(ctx->key));
1114
1115
    return 0;
1116
}
1117
1118
#else
1119
1120
static int chacha20_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key)
1121
0
{
1122
0
    return cipher_setup_crypto(ctx, 1, key, EVP_chacha20(), cipher_encrypt);
1123
0
}
1124
1125
#endif
1126
#endif
1127
1128
#if PTLS_OPENSSL_HAVE_BF
1129
1130
static int bfecb_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key)
1131
0
{
1132
0
    return cipher_setup_crypto(ctx, is_enc, key, EVP_bf_ecb(), is_enc ? cipher_encrypt : cipher_decrypt);
1133
0
}
1134
1135
#endif
1136
1137
struct aead_crypto_context_t {
1138
    ptls_aead_context_t super;
1139
    EVP_CIPHER_CTX *evp_ctx;
1140
    uint8_t static_iv[PTLS_MAX_IV_SIZE];
1141
};
1142
1143
static void aead_dispose_crypto(ptls_aead_context_t *_ctx)
1144
2.22k
{
1145
2.22k
    struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx;
1146
1147
2.22k
    if (ctx->evp_ctx != NULL)
1148
2.22k
        EVP_CIPHER_CTX_free(ctx->evp_ctx);
1149
2.22k
}
1150
1151
static void aead_get_iv(ptls_aead_context_t *_ctx, void *iv)
1152
0
{
1153
0
    struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx;
1154
1155
0
    memcpy(iv, ctx->static_iv, ctx->super.algo->iv_size);
1156
0
}
1157
1158
static void aead_set_iv(ptls_aead_context_t *_ctx, const void *iv)
1159
0
{
1160
0
    struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx;
1161
1162
0
    memcpy(ctx->static_iv, iv, ctx->super.algo->iv_size);
1163
0
}
1164
1165
static void aead_do_encrypt_init(ptls_aead_context_t *_ctx, uint64_t seq, const void *aad, size_t aadlen)
1166
0
{
1167
0
    struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx;
1168
0
    uint8_t iv[PTLS_MAX_IV_SIZE];
1169
0
    int ret;
1170
1171
0
    ptls_aead__build_iv(ctx->super.algo, iv, ctx->static_iv, seq);
1172
0
    ret = EVP_EncryptInit_ex(ctx->evp_ctx, NULL, NULL, NULL, iv);
1173
0
    assert(ret);
1174
1175
0
    if (aadlen != 0) {
1176
0
        int blocklen;
1177
0
        ret = EVP_EncryptUpdate(ctx->evp_ctx, NULL, &blocklen, aad, (int)aadlen);
1178
0
        assert(ret);
1179
0
    }
1180
0
}
1181
1182
static size_t aead_do_encrypt_update(ptls_aead_context_t *_ctx, void *output, const void *input, size_t inlen)
1183
0
{
1184
0
    struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx;
1185
0
    int blocklen, ret;
1186
1187
0
    ret = EVP_EncryptUpdate(ctx->evp_ctx, output, &blocklen, input, (int)inlen);
1188
0
    assert(ret);
1189
1190
0
    return blocklen;
1191
0
}
1192
1193
static size_t aead_do_encrypt_final(ptls_aead_context_t *_ctx, void *_output)
1194
0
{
1195
0
    struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx;
1196
0
    uint8_t *output = _output;
1197
0
    size_t off = 0, tag_size = ctx->super.algo->tag_size;
1198
0
    int blocklen, ret;
1199
1200
0
    ret = EVP_EncryptFinal_ex(ctx->evp_ctx, output + off, &blocklen);
1201
0
    assert(ret);
1202
0
    off += blocklen;
1203
0
    ret = EVP_CIPHER_CTX_ctrl(ctx->evp_ctx, EVP_CTRL_GCM_GET_TAG, (int)tag_size, output + off);
1204
0
    assert(ret);
1205
0
    off += tag_size;
1206
1207
0
    return off;
1208
0
}
1209
1210
static size_t aead_do_decrypt(ptls_aead_context_t *_ctx, void *_output, const void *input, size_t inlen, uint64_t seq,
1211
                              const void *aad, size_t aadlen)
1212
0
{
1213
0
    struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx;
1214
0
    uint8_t *output = _output, iv[PTLS_MAX_IV_SIZE];
1215
0
    size_t off = 0, tag_size = ctx->super.algo->tag_size;
1216
0
    int blocklen, ret;
1217
1218
0
    if (inlen < tag_size)
1219
0
        return SIZE_MAX;
1220
1221
0
    ptls_aead__build_iv(ctx->super.algo, iv, ctx->static_iv, seq);
1222
0
    ret = EVP_DecryptInit_ex(ctx->evp_ctx, NULL, NULL, NULL, iv);
1223
0
    assert(ret);
1224
0
    if (aadlen != 0) {
1225
0
        ret = EVP_DecryptUpdate(ctx->evp_ctx, NULL, &blocklen, aad, (int)aadlen);
1226
0
        assert(ret);
1227
0
    }
1228
0
    ret = EVP_DecryptUpdate(ctx->evp_ctx, output + off, &blocklen, input, (int)(inlen - tag_size));
1229
0
    assert(ret);
1230
0
    off += blocklen;
1231
0
    if (!EVP_CIPHER_CTX_ctrl(ctx->evp_ctx, EVP_CTRL_GCM_SET_TAG, (int)tag_size, (void *)((uint8_t *)input + inlen - tag_size)))
1232
0
        return SIZE_MAX;
1233
0
    if (!EVP_DecryptFinal_ex(ctx->evp_ctx, output + off, &blocklen))
1234
0
        return SIZE_MAX;
1235
0
    off += blocklen;
1236
1237
0
    return off;
1238
0
}
1239
1240
static int aead_setup_crypto(ptls_aead_context_t *_ctx, int is_enc, const void *key, const void *iv, const EVP_CIPHER *cipher)
1241
2.22k
{
1242
2.22k
    struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx;
1243
2.22k
    int ret;
1244
1245
2.22k
    ctx->super.dispose_crypto = aead_dispose_crypto;
1246
2.22k
    ctx->super.do_get_iv = aead_get_iv;
1247
2.22k
    ctx->super.do_set_iv = aead_set_iv;
1248
2.22k
    if (is_enc) {
1249
1.11k
        ctx->super.do_encrypt_init = aead_do_encrypt_init;
1250
1.11k
        ctx->super.do_encrypt_update = aead_do_encrypt_update;
1251
1.11k
        ctx->super.do_encrypt_final = aead_do_encrypt_final;
1252
1.11k
        ctx->super.do_encrypt = ptls_aead__do_encrypt;
1253
1.11k
        ctx->super.do_encrypt_v = ptls_aead__do_encrypt_v;
1254
1.11k
        ctx->super.do_decrypt = NULL;
1255
1.11k
    } else {
1256
1.11k
        ctx->super.do_encrypt_init = NULL;
1257
1.11k
        ctx->super.do_encrypt_update = NULL;
1258
1.11k
        ctx->super.do_encrypt_final = NULL;
1259
1.11k
        ctx->super.do_encrypt = NULL;
1260
1.11k
        ctx->super.do_encrypt_v = NULL;
1261
1.11k
        ctx->super.do_decrypt = aead_do_decrypt;
1262
1.11k
    }
1263
2.22k
    ctx->evp_ctx = NULL;
1264
1265
2.22k
    if ((ctx->evp_ctx = EVP_CIPHER_CTX_new()) == NULL) {
1266
0
        ret = PTLS_ERROR_NO_MEMORY;
1267
0
        goto Error;
1268
0
    }
1269
2.22k
    if (is_enc) {
1270
1.11k
        if (!EVP_EncryptInit_ex(ctx->evp_ctx, cipher, NULL, key, NULL)) {
1271
0
            ret = PTLS_ERROR_LIBRARY;
1272
0
            goto Error;
1273
0
        }
1274
1.11k
    } else {
1275
1.11k
        if (!EVP_DecryptInit_ex(ctx->evp_ctx, cipher, NULL, key, NULL)) {
1276
0
            ret = PTLS_ERROR_LIBRARY;
1277
0
            goto Error;
1278
0
        }
1279
1.11k
    }
1280
2.22k
    if (!EVP_CIPHER_CTX_ctrl(ctx->evp_ctx, EVP_CTRL_GCM_SET_IVLEN, (int)ctx->super.algo->iv_size, NULL)) {
1281
0
        ret = PTLS_ERROR_LIBRARY;
1282
0
        goto Error;
1283
0
    }
1284
1285
2.22k
    memcpy(ctx->static_iv, iv, ctx->super.algo->iv_size);
1286
1287
2.22k
    return 0;
1288
1289
0
Error:
1290
0
    aead_dispose_crypto(&ctx->super);
1291
0
    return ret;
1292
2.22k
}
1293
1294
static int aead_aes128gcm_setup_crypto(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv)
1295
2.22k
{
1296
2.22k
    return aead_setup_crypto(ctx, is_enc, key, iv, EVP_aes_128_gcm());
1297
2.22k
}
1298
1299
static int aead_aes256gcm_setup_crypto(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv)
1300
0
{
1301
0
    return aead_setup_crypto(ctx, is_enc, key, iv, EVP_aes_256_gcm());
1302
0
}
1303
1304
#if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305
1305
#ifdef OPENSSL_IS_BORINGSSL
1306
1307
struct boringssl_chacha20poly1305_context_t {
1308
    struct chacha20poly1305_context_t super;
1309
    poly1305_state poly1305;
1310
};
1311
1312
static void boringssl_poly1305_init(struct chacha20poly1305_context_t *_ctx, const void *key)
1313
{
1314
    struct boringssl_chacha20poly1305_context_t *ctx = (struct boringssl_chacha20poly1305_context_t *)_ctx;
1315
    CRYPTO_poly1305_init(&ctx->poly1305, key);
1316
}
1317
1318
static void boringssl_poly1305_update(struct chacha20poly1305_context_t *_ctx, const void *input, size_t len)
1319
{
1320
    struct boringssl_chacha20poly1305_context_t *ctx = (struct boringssl_chacha20poly1305_context_t *)_ctx;
1321
    CRYPTO_poly1305_update(&ctx->poly1305, input, len);
1322
}
1323
1324
static void boringssl_poly1305_finish(struct chacha20poly1305_context_t *_ctx, void *tag)
1325
{
1326
    struct boringssl_chacha20poly1305_context_t *ctx = (struct boringssl_chacha20poly1305_context_t *)_ctx;
1327
    CRYPTO_poly1305_finish(&ctx->poly1305, tag);
1328
}
1329
1330
static int boringssl_chacha20poly1305_setup_crypto(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv)
1331
{
1332
    return chacha20poly1305_setup_crypto(ctx, is_enc, key, iv, &ptls_openssl_chacha20, boringssl_poly1305_init,
1333
                                         boringssl_poly1305_update, boringssl_poly1305_finish);
1334
}
1335
1336
#else
1337
1338
static int aead_chacha20poly1305_setup_crypto(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv)
1339
0
{
1340
0
    return aead_setup_crypto(ctx, is_enc, key, iv, EVP_chacha20_poly1305());
1341
0
}
1342
1343
#endif
1344
#endif
1345
1346
62.6k
#define _sha256_final(ctx, md) SHA256_Final((md), (ctx))
1347
62.6k
ptls_define_hash(sha256, SHA256_CTX, SHA256_Init, SHA256_Update, _sha256_final);
1348
1349
0
#define _sha384_final(ctx, md) SHA384_Final((md), (ctx))
1350
0
ptls_define_hash(sha384, SHA512_CTX, SHA384_Init, SHA384_Update, _sha384_final);
1351
1352
0
#define _sha512_final(ctx, md) SHA512_Final((md), (ctx))
1353
0
ptls_define_hash(sha512, SHA512_CTX, SHA512_Init, SHA512_Update, _sha512_final);
1354
1355
static int sign_certificate(ptls_sign_certificate_t *_self, ptls_t *tls, ptls_async_job_t **async, uint16_t *selected_algorithm,
1356
                            ptls_buffer_t *outbuf, ptls_iovec_t input, const uint16_t *algorithms, size_t num_algorithms)
1357
0
{
1358
0
    ptls_openssl_sign_certificate_t *self = (ptls_openssl_sign_certificate_t *)_self;
1359
0
    const ptls_openssl_signature_scheme_t *scheme;
1360
1361
    /* Just resume the asynchronous operation, if one is in flight. */
1362
0
#if PTLS_OPENSSL_HAVE_ASYNC
1363
0
    if (async != NULL && *async != NULL) {
1364
0
        struct async_sign_ctx *sign_ctx = (struct async_sign_ctx *)(*async);
1365
0
        *selected_algorithm = sign_ctx->scheme->scheme_id;
1366
0
        return do_sign_async(outbuf, async);
1367
0
    }
1368
0
#endif
1369
1370
    /* Select the algorithm or return failure if none found. */
1371
0
    if ((scheme = ptls_openssl_select_signature_scheme(self->schemes, algorithms, num_algorithms)) == NULL)
1372
0
        return PTLS_ALERT_HANDSHAKE_FAILURE;
1373
0
    *selected_algorithm = scheme->scheme_id;
1374
1375
0
#if PTLS_OPENSSL_HAVE_ASYNC
1376
0
    if (!self->async && async != NULL) {
1377
        /* indicate to `do_sign` that async mode is disabled for this operation */
1378
0
        assert(*async == NULL);
1379
0
        async = NULL;
1380
0
    }
1381
0
#endif
1382
0
    return do_sign(self->key, scheme, outbuf, input, async);
1383
0
}
1384
1385
static X509 *to_x509(ptls_iovec_t vec)
1386
0
{
1387
0
    const uint8_t *p = vec.base;
1388
0
    return d2i_X509(NULL, &p, (long)vec.len);
1389
0
}
1390
1391
static int verify_sign(void *verify_ctx, uint16_t algo, ptls_iovec_t data, ptls_iovec_t signature)
1392
0
{
1393
0
    EVP_PKEY *key = verify_ctx;
1394
0
    const ptls_openssl_signature_scheme_t *scheme;
1395
0
    EVP_MD_CTX *ctx = NULL;
1396
0
    EVP_PKEY_CTX *pkey_ctx = NULL;
1397
0
    int ret = 0;
1398
1399
0
    if (data.base == NULL)
1400
0
        goto Exit;
1401
1402
0
    if ((scheme = ptls_openssl_lookup_signature_schemes(key)) == NULL) {
1403
0
        ret = PTLS_ERROR_LIBRARY;
1404
0
        goto Exit;
1405
0
    }
1406
0
    for (; scheme->scheme_id != UINT16_MAX; ++scheme)
1407
0
        if (scheme->scheme_id == algo)
1408
0
            goto SchemeFound;
1409
0
    ret = PTLS_ALERT_ILLEGAL_PARAMETER;
1410
0
    goto Exit;
1411
1412
0
SchemeFound:
1413
0
    if ((ctx = EVP_MD_CTX_create()) == NULL) {
1414
0
        ret = PTLS_ERROR_NO_MEMORY;
1415
0
        goto Exit;
1416
0
    }
1417
1418
0
#if PTLS_OPENSSL_HAVE_ED25519
1419
0
    if (EVP_PKEY_id(key) == EVP_PKEY_ED25519) {
1420
        /* ED25519 requires the use of the all-at-once function that appeared in OpenSSL 1.1.1, hence different path */
1421
0
        if (EVP_DigestVerifyInit(ctx, &pkey_ctx, NULL, NULL, key) != 1) {
1422
0
            ret = PTLS_ERROR_LIBRARY;
1423
0
            goto Exit;
1424
0
        }
1425
0
        if (EVP_DigestVerify(ctx, signature.base, signature.len, data.base, data.len) != 1) {
1426
0
            ret = PTLS_ERROR_LIBRARY;
1427
0
            goto Exit;
1428
0
        }
1429
0
    } else
1430
0
#endif
1431
0
    {
1432
0
        if (EVP_DigestVerifyInit(ctx, &pkey_ctx, scheme->scheme_md(), NULL, key) != 1) {
1433
0
            ret = PTLS_ERROR_LIBRARY;
1434
0
            goto Exit;
1435
0
        }
1436
1437
0
        if (EVP_PKEY_id(key) == EVP_PKEY_RSA) {
1438
0
            if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) != 1) {
1439
0
                ret = PTLS_ERROR_LIBRARY;
1440
0
                goto Exit;
1441
0
            }
1442
0
            if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1) != 1) {
1443
0
                ret = PTLS_ERROR_LIBRARY;
1444
0
                goto Exit;
1445
0
            }
1446
0
            if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, scheme->scheme_md()) != 1) {
1447
0
                ret = PTLS_ERROR_LIBRARY;
1448
0
                goto Exit;
1449
0
            }
1450
0
        }
1451
0
        if (EVP_DigestVerifyUpdate(ctx, data.base, data.len) != 1) {
1452
0
            ret = PTLS_ERROR_LIBRARY;
1453
0
            goto Exit;
1454
0
        }
1455
0
        if (EVP_DigestVerifyFinal(ctx, signature.base, signature.len) != 1) {
1456
0
            ret = PTLS_ALERT_DECRYPT_ERROR;
1457
0
            goto Exit;
1458
0
        }
1459
0
    }
1460
1461
0
    ret = 0;
1462
1463
0
Exit:
1464
0
    if (ctx != NULL)
1465
0
        EVP_MD_CTX_destroy(ctx);
1466
0
    EVP_PKEY_free(key);
1467
0
    return ret;
1468
0
}
1469
1470
int ptls_openssl_init_sign_certificate(ptls_openssl_sign_certificate_t *self, EVP_PKEY *key)
1471
0
{
1472
0
    *self = (ptls_openssl_sign_certificate_t){.super = {sign_certificate}, .async = 0 /* libssl has it off by default too */};
1473
1474
0
    if ((self->schemes = ptls_openssl_lookup_signature_schemes(key)) == NULL)
1475
0
        return PTLS_ERROR_INCOMPATIBLE_KEY;
1476
0
    EVP_PKEY_up_ref(key);
1477
0
    self->key = key;
1478
1479
0
    return 0;
1480
0
}
1481
1482
void ptls_openssl_dispose_sign_certificate(ptls_openssl_sign_certificate_t *self)
1483
0
{
1484
0
    EVP_PKEY_free(self->key);
1485
0
}
1486
1487
static int serialize_cert(X509 *cert, ptls_iovec_t *dst)
1488
0
{
1489
0
    int len = i2d_X509(cert, NULL);
1490
0
    assert(len > 0);
1491
1492
0
    if ((dst->base = malloc(len)) == NULL)
1493
0
        return PTLS_ERROR_NO_MEMORY;
1494
0
    unsigned char *p = dst->base;
1495
0
    dst->len = i2d_X509(cert, &p);
1496
0
    assert(len == dst->len);
1497
1498
0
    return 0;
1499
0
}
1500
1501
int ptls_openssl_load_certificates(ptls_context_t *ctx, X509 *cert, STACK_OF(X509) * chain)
1502
0
{
1503
0
    ptls_iovec_t *list = NULL;
1504
0
    size_t slot = 0, count = (cert != NULL) + (chain != NULL ? sk_X509_num(chain) : 0);
1505
0
    int ret;
1506
1507
0
    assert(ctx->certificates.list == NULL);
1508
1509
0
    if ((list = malloc(sizeof(*list) * count)) == NULL) {
1510
0
        ret = PTLS_ERROR_NO_MEMORY;
1511
0
        goto Exit;
1512
0
    }
1513
0
    if (cert != NULL) {
1514
0
        if ((ret = serialize_cert(cert, list + slot++)) != 0)
1515
0
            goto Exit;
1516
0
    }
1517
0
    if (chain != NULL) {
1518
0
        int i;
1519
0
        for (i = 0; i != sk_X509_num(chain); ++i) {
1520
0
            if ((ret = serialize_cert(sk_X509_value(chain, i), list + slot++)) != 0)
1521
0
                goto Exit;
1522
0
        }
1523
0
    }
1524
1525
0
    assert(slot == count);
1526
1527
0
    ctx->certificates.list = list;
1528
0
    ctx->certificates.count = count;
1529
0
    ret = 0;
1530
1531
0
Exit:
1532
0
    if (ret != 0 && list != NULL) {
1533
0
        size_t i;
1534
0
        for (i = 0; i != slot; ++i)
1535
0
            free(list[i].base);
1536
0
        free(list);
1537
0
    }
1538
0
    return ret;
1539
0
}
1540
1541
static int verify_cert_chain(X509_STORE *store, X509 *cert, STACK_OF(X509) * chain, int is_server, const char *server_name,
1542
                             int *ossl_x509_err)
1543
0
{
1544
0
    X509_STORE_CTX *verify_ctx;
1545
0
    int ret;
1546
0
    *ossl_x509_err = 0;
1547
1548
    /* verify certificate chain */
1549
0
    if ((verify_ctx = X509_STORE_CTX_new()) == NULL) {
1550
0
        ret = PTLS_ERROR_NO_MEMORY;
1551
0
        goto Exit;
1552
0
    }
1553
0
    if (X509_STORE_CTX_init(verify_ctx, store, cert, chain) != 1) {
1554
0
        ret = PTLS_ERROR_LIBRARY;
1555
0
        goto Exit;
1556
0
    }
1557
1558
0
    { /* setup verify params */
1559
0
        X509_VERIFY_PARAM *params = X509_STORE_CTX_get0_param(verify_ctx);
1560
0
        X509_VERIFY_PARAM_set_purpose(params, is_server ? X509_PURPOSE_SSL_CLIENT : X509_PURPOSE_SSL_SERVER);
1561
0
        X509_VERIFY_PARAM_set_depth(params, 98); /* use the default of OpenSSL 1.0.2 and above; see `man SSL_CTX_set_verify` */
1562
        /* when _acting_ as client, set the server name if provided*/
1563
0
        if (!is_server && server_name != NULL) {
1564
0
            if (ptls_server_name_is_ipaddr(server_name)) {
1565
0
                X509_VERIFY_PARAM_set1_ip_asc(params, server_name);
1566
0
            } else {
1567
0
                X509_VERIFY_PARAM_set1_host(params, server_name, strlen(server_name));
1568
0
                X509_VERIFY_PARAM_set_hostflags(params, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
1569
0
            }
1570
0
        }
1571
0
    }
1572
1573
0
    if (X509_verify_cert(verify_ctx) != 1) {
1574
0
        *ossl_x509_err = X509_STORE_CTX_get_error(verify_ctx);
1575
0
        switch (*ossl_x509_err) {
1576
0
        case X509_V_ERR_OUT_OF_MEM:
1577
0
            ret = PTLS_ERROR_NO_MEMORY;
1578
0
            break;
1579
0
        case X509_V_ERR_CERT_REVOKED:
1580
0
            ret = PTLS_ALERT_CERTIFICATE_REVOKED;
1581
0
            break;
1582
0
        case X509_V_ERR_CERT_NOT_YET_VALID:
1583
0
        case X509_V_ERR_CERT_HAS_EXPIRED:
1584
0
            ret = PTLS_ALERT_CERTIFICATE_EXPIRED;
1585
0
            break;
1586
0
        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
1587
0
        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
1588
0
        case X509_V_ERR_CERT_UNTRUSTED:
1589
0
        case X509_V_ERR_CERT_REJECTED:
1590
0
            ret = PTLS_ALERT_UNKNOWN_CA;
1591
0
            break;
1592
0
        case X509_V_ERR_HOSTNAME_MISMATCH:
1593
0
        case X509_V_ERR_INVALID_CA:
1594
0
            ret = PTLS_ALERT_BAD_CERTIFICATE;
1595
0
            break;
1596
0
        default:
1597
0
            ret = PTLS_ALERT_CERTIFICATE_UNKNOWN;
1598
0
            break;
1599
0
        }
1600
0
        goto Exit;
1601
0
    }
1602
1603
0
    ret = 0;
1604
1605
0
Exit:
1606
0
    if (verify_ctx != NULL)
1607
0
        X509_STORE_CTX_free(verify_ctx);
1608
0
    return ret;
1609
0
}
1610
1611
static int verify_cert(ptls_verify_certificate_t *_self, ptls_t *tls, const char *server_name,
1612
                       int (**verifier)(void *, uint16_t, ptls_iovec_t, ptls_iovec_t), void **verify_data, ptls_iovec_t *certs,
1613
                       size_t num_certs)
1614
0
{
1615
0
    ptls_openssl_verify_certificate_t *self = (ptls_openssl_verify_certificate_t *)_self;
1616
0
    X509 *cert = NULL;
1617
0
    STACK_OF(X509) *chain = sk_X509_new_null();
1618
0
    size_t i;
1619
0
    int ossl_x509_err, ret;
1620
1621
    /* If any certs are given, convert them to OpenSSL representation, then verify the cert chain. If no certs are given, just give
1622
     * the override_callback to see if we want to stay fail open. */
1623
0
    if (num_certs != 0) {
1624
0
        if ((cert = to_x509(certs[0])) == NULL) {
1625
0
            ret = PTLS_ALERT_BAD_CERTIFICATE;
1626
0
            goto Exit;
1627
0
        }
1628
0
        for (i = 1; i != num_certs; ++i) {
1629
0
            X509 *interm = to_x509(certs[i]);
1630
0
            if (interm == NULL) {
1631
0
                ret = PTLS_ALERT_BAD_CERTIFICATE;
1632
0
                goto Exit;
1633
0
            }
1634
0
            sk_X509_push(chain, interm);
1635
0
        }
1636
0
        ret = verify_cert_chain(self->cert_store, cert, chain, ptls_is_server(tls), server_name, &ossl_x509_err);
1637
0
    } else {
1638
0
        ret = PTLS_ALERT_CERTIFICATE_REQUIRED;
1639
0
        ossl_x509_err = 0;
1640
0
    }
1641
1642
    /* When override callback is available, let it override the error. */
1643
0
    if (self->override_callback != NULL)
1644
0
        ret = self->override_callback->cb(self->override_callback, tls, ret, ossl_x509_err, cert, chain);
1645
1646
0
    if (ret != 0 || num_certs == 0)
1647
0
        goto Exit;
1648
1649
    /* extract public key for verifying the TLS handshake signature */
1650
0
    if ((*verify_data = X509_get_pubkey(cert)) == NULL) {
1651
0
        ret = PTLS_ALERT_BAD_CERTIFICATE;
1652
0
        goto Exit;
1653
0
    }
1654
0
    *verifier = verify_sign;
1655
1656
0
Exit:
1657
0
    if (chain != NULL)
1658
0
        sk_X509_pop_free(chain, X509_free);
1659
0
    if (cert != NULL)
1660
0
        X509_free(cert);
1661
0
    return ret;
1662
0
}
1663
1664
int ptls_openssl_init_verify_certificate(ptls_openssl_verify_certificate_t *self, X509_STORE *store)
1665
0
{
1666
0
    *self = (ptls_openssl_verify_certificate_t){{verify_cert, default_signature_schemes}, NULL};
1667
1668
0
    if (store != NULL) {
1669
0
        X509_STORE_up_ref(store);
1670
0
        self->cert_store = store;
1671
0
    } else {
1672
        /* use default store */
1673
0
        if ((self->cert_store = ptls_openssl_create_default_certificate_store()) == NULL)
1674
0
            return -1;
1675
0
    }
1676
1677
0
    return 0;
1678
0
}
1679
1680
void ptls_openssl_dispose_verify_certificate(ptls_openssl_verify_certificate_t *self)
1681
0
{
1682
0
    X509_STORE_free(self->cert_store);
1683
0
}
1684
1685
X509_STORE *ptls_openssl_create_default_certificate_store(void)
1686
0
{
1687
0
    X509_STORE *store;
1688
0
    X509_LOOKUP *lookup;
1689
1690
0
    if ((store = X509_STORE_new()) == NULL)
1691
0
        goto Error;
1692
0
    if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())) == NULL)
1693
0
        goto Error;
1694
0
    X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
1695
0
    if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir())) == NULL)
1696
0
        goto Error;
1697
0
    X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
1698
1699
0
    return store;
1700
0
Error:
1701
0
    if (store != NULL)
1702
0
        X509_STORE_free(store);
1703
0
    return NULL;
1704
0
}
1705
1706
static int verify_raw_cert(ptls_verify_certificate_t *_self, ptls_t *tls, const char *server_name,
1707
                           int (**verifier)(void *, uint16_t algo, ptls_iovec_t, ptls_iovec_t), void **verify_data,
1708
                           ptls_iovec_t *certs, size_t num_certs)
1709
0
{
1710
0
    ptls_openssl_raw_pubkey_verify_certificate_t *self = (ptls_openssl_raw_pubkey_verify_certificate_t *)_self;
1711
0
    int ret = PTLS_ALERT_BAD_CERTIFICATE;
1712
0
    ptls_iovec_t expected_pubkey = {0};
1713
1714
0
    assert(num_certs != 0);
1715
1716
0
    if (num_certs != 1)
1717
0
        goto Exit;
1718
1719
0
    int r = i2d_PUBKEY(self->expected_pubkey, &expected_pubkey.base);
1720
0
    if (r <= 0) {
1721
0
        ret = PTLS_ALERT_BAD_CERTIFICATE;
1722
0
        goto Exit;
1723
0
    }
1724
1725
0
    expected_pubkey.len = r;
1726
0
    if (certs[0].len != expected_pubkey.len)
1727
0
        goto Exit;
1728
1729
0
    if (!ptls_mem_equal(expected_pubkey.base, certs[0].base, certs[0].len))
1730
0
        goto Exit;
1731
1732
0
    EVP_PKEY_up_ref(self->expected_pubkey);
1733
0
    *verify_data = self->expected_pubkey;
1734
0
    *verifier = verify_sign;
1735
0
    ret = 0;
1736
0
Exit:
1737
0
    OPENSSL_free(expected_pubkey.base);
1738
0
    return ret;
1739
0
}
1740
1741
int ptls_openssl_raw_pubkey_init_verify_certificate(ptls_openssl_raw_pubkey_verify_certificate_t *self, EVP_PKEY *expected_pubkey)
1742
0
{
1743
0
    EVP_PKEY_up_ref(expected_pubkey);
1744
0
    *self = (ptls_openssl_raw_pubkey_verify_certificate_t){{verify_raw_cert, default_signature_schemes}, expected_pubkey};
1745
0
    return 0;
1746
0
}
1747
void ptls_openssl_raw_pubkey_dispose_verify_certificate(ptls_openssl_raw_pubkey_verify_certificate_t *self)
1748
0
{
1749
0
    EVP_PKEY_free(self->expected_pubkey);
1750
0
}
1751
1752
0
#define TICKET_LABEL_SIZE 16
1753
0
#define TICKET_IV_SIZE EVP_MAX_IV_LENGTH
1754
1755
int ptls_openssl_encrypt_ticket(ptls_buffer_t *buf, ptls_iovec_t src,
1756
                                int (*cb)(unsigned char *key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc))
1757
0
{
1758
0
    EVP_CIPHER_CTX *cctx = NULL;
1759
0
    HMAC_CTX *hctx = NULL;
1760
0
    uint8_t *dst;
1761
0
    int clen, ret;
1762
1763
0
    if ((cctx = EVP_CIPHER_CTX_new()) == NULL) {
1764
0
        ret = PTLS_ERROR_NO_MEMORY;
1765
0
        goto Exit;
1766
0
    }
1767
0
    if ((hctx = HMAC_CTX_new()) == NULL) {
1768
0
        ret = PTLS_ERROR_NO_MEMORY;
1769
0
        goto Exit;
1770
0
    }
1771
1772
0
    if ((ret = ptls_buffer_reserve(buf, TICKET_LABEL_SIZE + TICKET_IV_SIZE + src.len + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE)) !=
1773
0
        0)
1774
0
        goto Exit;
1775
0
    dst = buf->base + buf->off;
1776
1777
    /* fill label and iv, as well as obtaining the keys */
1778
0
    if (!(*cb)(dst, dst + TICKET_LABEL_SIZE, cctx, hctx, 1)) {
1779
0
        ret = PTLS_ERROR_LIBRARY;
1780
0
        goto Exit;
1781
0
    }
1782
0
    dst += TICKET_LABEL_SIZE + TICKET_IV_SIZE;
1783
1784
    /* encrypt */
1785
0
    if (!EVP_EncryptUpdate(cctx, dst, &clen, src.base, (int)src.len)) {
1786
0
        ret = PTLS_ERROR_LIBRARY;
1787
0
        goto Exit;
1788
0
    }
1789
0
    dst += clen;
1790
0
    if (!EVP_EncryptFinal_ex(cctx, dst, &clen)) {
1791
0
        ret = PTLS_ERROR_LIBRARY;
1792
0
        goto Exit;
1793
0
    }
1794
0
    dst += clen;
1795
1796
    /* append hmac */
1797
0
    if (!HMAC_Update(hctx, buf->base + buf->off, dst - (buf->base + buf->off)) || !HMAC_Final(hctx, dst, NULL)) {
1798
0
        ret = PTLS_ERROR_LIBRARY;
1799
0
        goto Exit;
1800
0
    }
1801
0
    dst += HMAC_size(hctx);
1802
1803
0
    assert(dst <= buf->base + buf->capacity);
1804
0
    buf->off += dst - (buf->base + buf->off);
1805
0
    ret = 0;
1806
1807
0
Exit:
1808
0
    if (cctx != NULL)
1809
0
        EVP_CIPHER_CTX_free(cctx);
1810
0
    if (hctx != NULL)
1811
0
        HMAC_CTX_free(hctx);
1812
0
    return ret;
1813
0
}
1814
1815
int ptls_openssl_decrypt_ticket(ptls_buffer_t *buf, ptls_iovec_t src,
1816
                                int (*cb)(unsigned char *key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc))
1817
0
{
1818
0
    EVP_CIPHER_CTX *cctx = NULL;
1819
0
    HMAC_CTX *hctx = NULL;
1820
0
    int clen, ret;
1821
1822
0
    if ((cctx = EVP_CIPHER_CTX_new()) == NULL) {
1823
0
        ret = PTLS_ERROR_NO_MEMORY;
1824
0
        goto Exit;
1825
0
    }
1826
0
    if ((hctx = HMAC_CTX_new()) == NULL) {
1827
0
        ret = PTLS_ERROR_NO_MEMORY;
1828
0
        goto Exit;
1829
0
    }
1830
1831
    /* obtain cipher and hash context.
1832
     * Note: no need to handle renew, since in picotls we always send a new ticket to minimize the chance of ticket reuse */
1833
0
    if (src.len < TICKET_LABEL_SIZE + TICKET_IV_SIZE) {
1834
0
        ret = PTLS_ALERT_DECODE_ERROR;
1835
0
        goto Exit;
1836
0
    }
1837
0
    if (!(*cb)(src.base, src.base + TICKET_LABEL_SIZE, cctx, hctx, 0)) {
1838
0
        ret = PTLS_ERROR_LIBRARY;
1839
0
        goto Exit;
1840
0
    }
1841
1842
    /* check hmac, and exclude label, iv, hmac */
1843
0
    size_t hmac_size = HMAC_size(hctx);
1844
0
    if (src.len < TICKET_LABEL_SIZE + TICKET_IV_SIZE + hmac_size) {
1845
0
        ret = PTLS_ALERT_DECODE_ERROR;
1846
0
        goto Exit;
1847
0
    }
1848
0
    src.len -= hmac_size;
1849
0
    uint8_t hmac[EVP_MAX_MD_SIZE];
1850
0
    if (!HMAC_Update(hctx, src.base, src.len) || !HMAC_Final(hctx, hmac, NULL)) {
1851
0
        ret = PTLS_ERROR_LIBRARY;
1852
0
        goto Exit;
1853
0
    }
1854
0
    if (!ptls_mem_equal(src.base + src.len, hmac, hmac_size)) {
1855
0
        ret = PTLS_ALERT_HANDSHAKE_FAILURE;
1856
0
        goto Exit;
1857
0
    }
1858
0
    src.base += TICKET_LABEL_SIZE + TICKET_IV_SIZE;
1859
0
    src.len -= TICKET_LABEL_SIZE + TICKET_IV_SIZE;
1860
1861
    /* decrypt */
1862
0
    if ((ret = ptls_buffer_reserve(buf, src.len)) != 0)
1863
0
        goto Exit;
1864
0
    if (!EVP_DecryptUpdate(cctx, buf->base + buf->off, &clen, src.base, (int)src.len)) {
1865
0
        ret = PTLS_ERROR_LIBRARY;
1866
0
        goto Exit;
1867
0
    }
1868
0
    buf->off += clen;
1869
0
    if (!EVP_DecryptFinal_ex(cctx, buf->base + buf->off, &clen)) {
1870
0
        ret = PTLS_ERROR_LIBRARY;
1871
0
        goto Exit;
1872
0
    }
1873
0
    buf->off += clen;
1874
1875
0
    ret = 0;
1876
1877
0
Exit:
1878
0
    if (cctx != NULL)
1879
0
        EVP_CIPHER_CTX_free(cctx);
1880
0
    if (hctx != NULL)
1881
0
        HMAC_CTX_free(hctx);
1882
0
    return ret;
1883
0
}
1884
1885
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1886
int ptls_openssl_encrypt_ticket_evp(ptls_buffer_t *buf, ptls_iovec_t src,
1887
                                    int (*cb)(unsigned char *key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx,
1888
                                              int enc))
1889
{
1890
    EVP_CIPHER_CTX *cctx = NULL;
1891
    EVP_MAC *mac = NULL;
1892
    EVP_MAC_CTX *hctx = NULL;
1893
    size_t hlen;
1894
    uint8_t *dst;
1895
    int clen, ret;
1896
1897
    if ((cctx = EVP_CIPHER_CTX_new()) == NULL) {
1898
        ret = PTLS_ERROR_NO_MEMORY;
1899
        goto Exit;
1900
    }
1901
    if ((mac = EVP_MAC_fetch(NULL, "HMAC", NULL)) == NULL) {
1902
        ret = PTLS_ERROR_NO_MEMORY;
1903
        goto Exit;
1904
    }
1905
    if ((hctx = EVP_MAC_CTX_new(mac)) == NULL) {
1906
        ret = PTLS_ERROR_NO_MEMORY;
1907
        goto Exit;
1908
    }
1909
1910
    if ((ret = ptls_buffer_reserve(buf, TICKET_LABEL_SIZE + TICKET_IV_SIZE + src.len + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE)) !=
1911
        0)
1912
        goto Exit;
1913
    dst = buf->base + buf->off;
1914
1915
    /* fill label and iv, as well as obtaining the keys */
1916
    if (!(*cb)(dst, dst + TICKET_LABEL_SIZE, cctx, hctx, 1)) {
1917
        ret = PTLS_ERROR_LIBRARY;
1918
        goto Exit;
1919
    }
1920
    dst += TICKET_LABEL_SIZE + TICKET_IV_SIZE;
1921
1922
    /* encrypt */
1923
    if (!EVP_EncryptUpdate(cctx, dst, &clen, src.base, (int)src.len)) {
1924
        ret = PTLS_ERROR_LIBRARY;
1925
        goto Exit;
1926
    }
1927
    dst += clen;
1928
    if (!EVP_EncryptFinal_ex(cctx, dst, &clen)) {
1929
        ret = PTLS_ERROR_LIBRARY;
1930
        goto Exit;
1931
    }
1932
    dst += clen;
1933
1934
    /* append hmac */
1935
    if (!EVP_MAC_update(hctx, buf->base + buf->off, dst - (buf->base + buf->off)) ||
1936
        !EVP_MAC_final(hctx, dst, &hlen, EVP_MAC_CTX_get_mac_size(hctx))) {
1937
        ret = PTLS_ERROR_LIBRARY;
1938
        goto Exit;
1939
    }
1940
    dst += hlen;
1941
1942
    assert(dst <= buf->base + buf->capacity);
1943
    buf->off += dst - (buf->base + buf->off);
1944
    ret = 0;
1945
1946
Exit:
1947
    if (cctx != NULL)
1948
        EVP_CIPHER_CTX_free(cctx);
1949
    if (hctx != NULL)
1950
        EVP_MAC_CTX_free(hctx);
1951
    if (mac != NULL)
1952
        EVP_MAC_free(mac);
1953
    return ret;
1954
}
1955
1956
int ptls_openssl_decrypt_ticket_evp(ptls_buffer_t *buf, ptls_iovec_t src,
1957
                                    int (*cb)(unsigned char *key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx,
1958
                                              int enc))
1959
{
1960
    EVP_CIPHER_CTX *cctx = NULL;
1961
    EVP_MAC *mac = NULL;
1962
    EVP_MAC_CTX *hctx = NULL;
1963
    size_t hlen;
1964
    int clen, ret;
1965
1966
    if ((cctx = EVP_CIPHER_CTX_new()) == NULL) {
1967
        ret = PTLS_ERROR_NO_MEMORY;
1968
        goto Exit;
1969
    }
1970
    if ((mac = EVP_MAC_fetch(NULL, "HMAC", NULL)) == NULL) {
1971
        ret = PTLS_ERROR_NO_MEMORY;
1972
        goto Exit;
1973
    }
1974
    if ((hctx = EVP_MAC_CTX_new(mac)) == NULL) {
1975
        ret = PTLS_ERROR_NO_MEMORY;
1976
        goto Exit;
1977
    }
1978
1979
    /* obtain cipher and hash context.
1980
     * Note: no need to handle renew, since in picotls we always send a new ticket to minimize the chance of ticket reuse */
1981
    if (src.len < TICKET_LABEL_SIZE + TICKET_IV_SIZE) {
1982
        ret = PTLS_ALERT_DECODE_ERROR;
1983
        goto Exit;
1984
    }
1985
    if (!(*cb)(src.base, src.base + TICKET_LABEL_SIZE, cctx, hctx, 0)) {
1986
        ret = PTLS_ERROR_LIBRARY;
1987
        goto Exit;
1988
    }
1989
1990
    /* check hmac, and exclude label, iv, hmac */
1991
    size_t hmac_size = EVP_MAC_CTX_get_mac_size(hctx);
1992
    if (src.len < TICKET_LABEL_SIZE + TICKET_IV_SIZE + hmac_size) {
1993
        ret = PTLS_ALERT_DECODE_ERROR;
1994
        goto Exit;
1995
    }
1996
    src.len -= hmac_size;
1997
    uint8_t hmac[EVP_MAX_MD_SIZE];
1998
    if (!EVP_MAC_update(hctx, src.base, src.len) || !EVP_MAC_final(hctx, hmac, &hlen, sizeof(hmac))) {
1999
        ret = PTLS_ERROR_LIBRARY;
2000
        goto Exit;
2001
    }
2002
    if (!ptls_mem_equal(src.base + src.len, hmac, hmac_size)) {
2003
        ret = PTLS_ALERT_HANDSHAKE_FAILURE;
2004
        goto Exit;
2005
    }
2006
    src.base += TICKET_LABEL_SIZE + TICKET_IV_SIZE;
2007
    src.len -= TICKET_LABEL_SIZE + TICKET_IV_SIZE;
2008
2009
    /* decrypt */
2010
    if ((ret = ptls_buffer_reserve(buf, src.len)) != 0)
2011
        goto Exit;
2012
    if (!EVP_DecryptUpdate(cctx, buf->base + buf->off, &clen, src.base, (int)src.len)) {
2013
        ret = PTLS_ERROR_LIBRARY;
2014
        goto Exit;
2015
    }
2016
    buf->off += clen;
2017
    if (!EVP_DecryptFinal_ex(cctx, buf->base + buf->off, &clen)) {
2018
        ret = PTLS_ERROR_LIBRARY;
2019
        goto Exit;
2020
    }
2021
    buf->off += clen;
2022
2023
    ret = 0;
2024
2025
Exit:
2026
    if (cctx != NULL)
2027
        EVP_CIPHER_CTX_free(cctx);
2028
    if (hctx != NULL)
2029
        EVP_MAC_CTX_free(hctx);
2030
    if (mac != NULL)
2031
        EVP_MAC_free(mac);
2032
    return ret;
2033
}
2034
#endif
2035
2036
ptls_key_exchange_algorithm_t ptls_openssl_secp256r1 = {.id = PTLS_GROUP_SECP256R1,
2037
                                                        .name = PTLS_GROUP_NAME_SECP256R1,
2038
                                                        .create = x9_62_create_key_exchange,
2039
                                                        .exchange = secp_key_exchange,
2040
                                                        .data = NID_X9_62_prime256v1};
2041
#if PTLS_OPENSSL_HAVE_SECP384R1
2042
ptls_key_exchange_algorithm_t ptls_openssl_secp384r1 = {.id = PTLS_GROUP_SECP384R1,
2043
                                                        .name = PTLS_GROUP_NAME_SECP384R1,
2044
                                                        .create = x9_62_create_key_exchange,
2045
                                                        .exchange = secp_key_exchange,
2046
                                                        .data = NID_secp384r1};
2047
#endif
2048
#if PTLS_OPENSSL_HAVE_SECP521R1
2049
ptls_key_exchange_algorithm_t ptls_openssl_secp521r1 = {.id = PTLS_GROUP_SECP521R1,
2050
                                                        .name = PTLS_GROUP_NAME_SECP521R1,
2051
                                                        .create = x9_62_create_key_exchange,
2052
                                                        .exchange = secp_key_exchange,
2053
                                                        .data = NID_secp521r1};
2054
#endif
2055
#if PTLS_OPENSSL_HAVE_X25519
2056
ptls_key_exchange_algorithm_t ptls_openssl_x25519 = {.id = PTLS_GROUP_X25519,
2057
                                                     .name = PTLS_GROUP_NAME_X25519,
2058
                                                     .create = evp_keyex_create,
2059
                                                     .exchange = evp_keyex_exchange,
2060
                                                     .data = NID_X25519};
2061
#endif
2062
ptls_key_exchange_algorithm_t *ptls_openssl_key_exchanges[] = {&ptls_openssl_secp256r1, NULL};
2063
ptls_cipher_algorithm_t ptls_openssl_aes128ecb = {
2064
    "AES128-ECB",          PTLS_AES128_KEY_SIZE, PTLS_AES_BLOCK_SIZE, 0 /* iv size */, sizeof(struct cipher_context_t),
2065
    aes128ecb_setup_crypto};
2066
ptls_cipher_algorithm_t ptls_openssl_aes128ctr = {
2067
    "AES128-CTR", PTLS_AES128_KEY_SIZE, 1, PTLS_AES_IV_SIZE, sizeof(struct cipher_context_t), aes128ctr_setup_crypto};
2068
ptls_aead_algorithm_t ptls_openssl_aes128gcm = {"AES128-GCM",
2069
                                                PTLS_AESGCM_CONFIDENTIALITY_LIMIT,
2070
                                                PTLS_AESGCM_INTEGRITY_LIMIT,
2071
                                                &ptls_openssl_aes128ctr,
2072
                                                &ptls_openssl_aes128ecb,
2073
                                                PTLS_AES128_KEY_SIZE,
2074
                                                PTLS_AESGCM_IV_SIZE,
2075
                                                PTLS_AESGCM_TAG_SIZE,
2076
                                                {PTLS_TLS12_AESGCM_FIXED_IV_SIZE, PTLS_TLS12_AESGCM_RECORD_IV_SIZE},
2077
                                                0,
2078
                                                0,
2079
                                                sizeof(struct aead_crypto_context_t),
2080
                                                aead_aes128gcm_setup_crypto};
2081
ptls_cipher_algorithm_t ptls_openssl_aes256ecb = {
2082
    "AES256-ECB",          PTLS_AES256_KEY_SIZE, PTLS_AES_BLOCK_SIZE, 0 /* iv size */, sizeof(struct cipher_context_t),
2083
    aes256ecb_setup_crypto};
2084
ptls_cipher_algorithm_t ptls_openssl_aes256ctr = {
2085
    "AES256-CTR",          PTLS_AES256_KEY_SIZE, 1 /* block size */, PTLS_AES_IV_SIZE, sizeof(struct cipher_context_t),
2086
    aes256ctr_setup_crypto};
2087
ptls_aead_algorithm_t ptls_openssl_aes256gcm = {"AES256-GCM",
2088
                                                PTLS_AESGCM_CONFIDENTIALITY_LIMIT,
2089
                                                PTLS_AESGCM_INTEGRITY_LIMIT,
2090
                                                &ptls_openssl_aes256ctr,
2091
                                                &ptls_openssl_aes256ecb,
2092
                                                PTLS_AES256_KEY_SIZE,
2093
                                                PTLS_AESGCM_IV_SIZE,
2094
                                                PTLS_AESGCM_TAG_SIZE,
2095
                                                {PTLS_TLS12_AESGCM_FIXED_IV_SIZE, PTLS_TLS12_AESGCM_RECORD_IV_SIZE},
2096
                                                0,
2097
                                                0,
2098
                                                sizeof(struct aead_crypto_context_t),
2099
                                                aead_aes256gcm_setup_crypto};
2100
ptls_hash_algorithm_t ptls_openssl_sha256 = {"sha256", PTLS_SHA256_BLOCK_SIZE, PTLS_SHA256_DIGEST_SIZE, sha256_create,
2101
                                             PTLS_ZERO_DIGEST_SHA256};
2102
ptls_hash_algorithm_t ptls_openssl_sha384 = {"sha384", PTLS_SHA384_BLOCK_SIZE, PTLS_SHA384_DIGEST_SIZE, sha384_create,
2103
                                             PTLS_ZERO_DIGEST_SHA384};
2104
ptls_hash_algorithm_t ptls_openssl_sha512 = {"sha512", PTLS_SHA512_BLOCK_SIZE, PTLS_SHA512_DIGEST_SIZE, sha512_create,
2105
                                             PTLS_ZERO_DIGEST_SHA512};
2106
ptls_cipher_suite_t ptls_openssl_aes128gcmsha256 = {.id = PTLS_CIPHER_SUITE_AES_128_GCM_SHA256,
2107
                                                    .name = PTLS_CIPHER_SUITE_NAME_AES_128_GCM_SHA256,
2108
                                                    .aead = &ptls_openssl_aes128gcm,
2109
                                                    .hash = &ptls_openssl_sha256};
2110
ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_rsa_aes128gcmsha256 = {.id = PTLS_CIPHER_SUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2111
                                                                    .name =
2112
                                                                        PTLS_CIPHER_SUITE_NAME_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2113
                                                                    .aead = &ptls_openssl_aes128gcm,
2114
                                                                    .hash = &ptls_openssl_sha256};
2115
ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_ecdsa_aes128gcmsha256 = {
2116
    .id = PTLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2117
    .name = PTLS_CIPHER_SUITE_NAME_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2118
    .aead = &ptls_openssl_aes128gcm,
2119
    .hash = &ptls_openssl_sha256};
2120
ptls_cipher_suite_t ptls_openssl_aes256gcmsha384 = {.id = PTLS_CIPHER_SUITE_AES_256_GCM_SHA384,
2121
                                                    .name = PTLS_CIPHER_SUITE_NAME_AES_256_GCM_SHA384,
2122
                                                    .aead = &ptls_openssl_aes256gcm,
2123
                                                    .hash = &ptls_openssl_sha384};
2124
ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_rsa_aes256gcmsha384 = {.id = PTLS_CIPHER_SUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
2125
                                                                    .name =
2126
                                                                        PTLS_CIPHER_SUITE_NAME_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
2127
                                                                    .aead = &ptls_openssl_aes256gcm,
2128
                                                                    .hash = &ptls_openssl_sha384};
2129
ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_ecdsa_aes256gcmsha384 = {
2130
    .id = PTLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
2131
    .name = PTLS_CIPHER_SUITE_NAME_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
2132
    .aead = &ptls_openssl_aes256gcm,
2133
    .hash = &ptls_openssl_sha384};
2134
#if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305
2135
ptls_cipher_algorithm_t ptls_openssl_chacha20 = {
2136
    .name = "CHACHA20",
2137
    .key_size = PTLS_CHACHA20_KEY_SIZE,
2138
    .block_size = 1,
2139
    .iv_size = PTLS_CHACHA20_IV_SIZE,
2140
#ifdef OPENSSL_IS_BORINGSSL
2141
    .context_size = sizeof(struct boringssl_chacha20_context_t),
2142
    .setup_crypto = boringssl_chacha20_setup_crypto,
2143
#else
2144
    .context_size = sizeof(struct cipher_context_t),
2145
    .setup_crypto = chacha20_setup_crypto,
2146
#endif
2147
};
2148
ptls_aead_algorithm_t ptls_openssl_chacha20poly1305 = {
2149
    .name = "CHACHA20-POLY1305",
2150
    .confidentiality_limit = PTLS_CHACHA20POLY1305_CONFIDENTIALITY_LIMIT,
2151
    .integrity_limit = PTLS_CHACHA20POLY1305_INTEGRITY_LIMIT,
2152
    .ctr_cipher = &ptls_openssl_chacha20,
2153
    .ecb_cipher = NULL,
2154
    .key_size = PTLS_CHACHA20_KEY_SIZE,
2155
    .iv_size = PTLS_CHACHA20POLY1305_IV_SIZE,
2156
    .tag_size = PTLS_CHACHA20POLY1305_TAG_SIZE,
2157
    .tls12 = {.fixed_iv_size = PTLS_TLS12_CHACHAPOLY_FIXED_IV_SIZE, .record_iv_size = PTLS_TLS12_CHACHAPOLY_RECORD_IV_SIZE},
2158
    .non_temporal = 0,
2159
    .align_bits = 0,
2160
#ifdef OPENSSL_IS_BORINGSSL
2161
    .context_size = sizeof(struct boringssl_chacha20poly1305_context_t),
2162
    .setup_crypto = boringssl_chacha20poly1305_setup_crypto,
2163
#else
2164
    .context_size = sizeof(struct aead_crypto_context_t),
2165
    .setup_crypto = aead_chacha20poly1305_setup_crypto,
2166
#endif
2167
};
2168
ptls_cipher_suite_t ptls_openssl_chacha20poly1305sha256 = {.id = PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256,
2169
                                                           .name = PTLS_CIPHER_SUITE_NAME_CHACHA20_POLY1305_SHA256,
2170
                                                           .aead = &ptls_openssl_chacha20poly1305,
2171
                                                           .hash = &ptls_openssl_sha256};
2172
ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_rsa_chacha20poly1305sha256 = {
2173
    .id = PTLS_CIPHER_SUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
2174
    .name = PTLS_CIPHER_SUITE_NAME_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
2175
    .aead = &ptls_openssl_chacha20poly1305,
2176
    .hash = &ptls_openssl_sha256};
2177
ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_ecdsa_chacha20poly1305sha256 = {
2178
    .id = PTLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
2179
    .name = PTLS_CIPHER_SUITE_NAME_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
2180
    .aead = &ptls_openssl_chacha20poly1305,
2181
    .hash = &ptls_openssl_sha256};
2182
#endif
2183
2184
#if PTLS_HAVE_AEGIS
2185
ptls_aead_algorithm_t ptls_openssl_aegis128l = {
2186
    .name = "AEGIS-128L",
2187
    .confidentiality_limit = PTLS_AEGIS128L_CONFIDENTIALITY_LIMIT,
2188
    .integrity_limit = PTLS_AEGIS128L_INTEGRITY_LIMIT,
2189
    .ctr_cipher = NULL,
2190
    .ecb_cipher = NULL,
2191
    .key_size = PTLS_AEGIS128L_KEY_SIZE,
2192
    .iv_size = PTLS_AEGIS128L_IV_SIZE,
2193
    .tag_size = PTLS_AEGIS128L_TAG_SIZE,
2194
    .tls12 = {.fixed_iv_size = 0, .record_iv_size = 0},
2195
    .non_temporal = 0,
2196
    .align_bits = 0,
2197
    .context_size = sizeof(struct aegis128l_context_t),
2198
    .setup_crypto = aegis128l_setup_crypto,
2199
};
2200
ptls_cipher_suite_t ptls_openssl_aegis128lsha256 = {.id = PTLS_CIPHER_SUITE_AEGIS128L_SHA256,
2201
                                                    .name = PTLS_CIPHER_SUITE_NAME_AEGIS128L_SHA256,
2202
                                                    .aead = &ptls_openssl_aegis128l,
2203
                                                    .hash = &ptls_openssl_sha256};
2204
2205
ptls_aead_algorithm_t ptls_openssl_aegis256 = {
2206
    .name = "AEGIS-256",
2207
    .confidentiality_limit = PTLS_AEGIS256_CONFIDENTIALITY_LIMIT,
2208
    .integrity_limit = PTLS_AEGIS256_INTEGRITY_LIMIT,
2209
    .ctr_cipher = NULL,
2210
    .ecb_cipher = NULL,
2211
    .key_size = PTLS_AEGIS256_KEY_SIZE,
2212
    .iv_size = PTLS_AEGIS256_IV_SIZE,
2213
    .tag_size = PTLS_AEGIS256_TAG_SIZE,
2214
    .tls12 = {.fixed_iv_size = 0, .record_iv_size = 0},
2215
    .non_temporal = 0,
2216
    .align_bits = 0,
2217
    .context_size = sizeof(struct aegis256_context_t),
2218
    .setup_crypto = aegis256_setup_crypto,
2219
};
2220
ptls_cipher_suite_t ptls_openssl_aegis256sha512 = {.id = PTLS_CIPHER_SUITE_AEGIS256_SHA512,
2221
                                                   .name = PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA512,
2222
                                                   .aead = &ptls_openssl_aegis256,
2223
                                                   .hash = &ptls_openssl_sha512};
2224
#endif
2225
2226
ptls_cipher_suite_t *ptls_openssl_cipher_suites[] = { // ciphers used with sha384 (must be first)
2227
    &ptls_openssl_aes256gcmsha384,
2228
2229
    // ciphers used with sha256
2230
    &ptls_openssl_aes128gcmsha256,
2231
#if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305
2232
    &ptls_openssl_chacha20poly1305sha256,
2233
#endif
2234
    NULL};
2235
2236
ptls_cipher_suite_t *ptls_openssl_cipher_suites_all[] = { // ciphers used with sha384 (must be first)
2237
#if PTLS_HAVE_AEGIS
2238
    &ptls_openssl_aegis256sha512,
2239
#endif
2240
    &ptls_openssl_aes256gcmsha384,
2241
2242
// ciphers used with sha256
2243
#if PTLS_HAVE_AEGIS
2244
    &ptls_openssl_aegis128lsha256,
2245
#endif
2246
    &ptls_openssl_aes128gcmsha256,
2247
#if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305
2248
    &ptls_openssl_chacha20poly1305sha256,
2249
#endif
2250
    NULL};
2251
2252
ptls_cipher_suite_t *ptls_openssl_tls12_cipher_suites[] = {&ptls_openssl_tls12_ecdhe_rsa_aes128gcmsha256,
2253
                                                           &ptls_openssl_tls12_ecdhe_ecdsa_aes128gcmsha256,
2254
                                                           &ptls_openssl_tls12_ecdhe_rsa_aes256gcmsha384,
2255
                                                           &ptls_openssl_tls12_ecdhe_ecdsa_aes256gcmsha384,
2256
#if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305
2257
                                                           &ptls_openssl_tls12_ecdhe_rsa_chacha20poly1305sha256,
2258
                                                           &ptls_openssl_tls12_ecdhe_ecdsa_chacha20poly1305sha256,
2259
#endif
2260
                                                           NULL};
2261
2262
#if PTLS_OPENSSL_HAVE_BF
2263
ptls_cipher_algorithm_t ptls_openssl_bfecb = {"BF-ECB",        PTLS_BLOWFISH_KEY_SIZE,          PTLS_BLOWFISH_BLOCK_SIZE,
2264
                                              0 /* iv size */, sizeof(struct cipher_context_t), bfecb_setup_crypto};
2265
#endif
2266
2267
ptls_hpke_kem_t ptls_openssl_hpke_kem_p256sha256 = {PTLS_HPKE_KEM_P256_SHA256, &ptls_openssl_secp256r1, &ptls_openssl_sha256};
2268
ptls_hpke_kem_t ptls_openssl_hpke_kem_p384sha384 = {PTLS_HPKE_KEM_P384_SHA384, &ptls_openssl_secp384r1, &ptls_openssl_sha384};
2269
#if PTLS_OPENSSL_HAVE_X25519
2270
ptls_hpke_kem_t ptls_openssl_hpke_kem_x25519sha256 = {PTLS_HPKE_KEM_X25519_SHA256, &ptls_openssl_x25519, &ptls_openssl_sha256};
2271
#endif
2272
ptls_hpke_kem_t *ptls_openssl_hpke_kems[] = {&ptls_openssl_hpke_kem_p384sha384,
2273
#if PTLS_OPENSSL_HAVE_X25519
2274
                                             &ptls_openssl_hpke_kem_x25519sha256,
2275
#endif
2276
                                             &ptls_openssl_hpke_kem_p256sha256, NULL};
2277
2278
ptls_hpke_cipher_suite_t ptls_openssl_hpke_aes128gcmsha256 = {
2279
    .id = {.kdf = PTLS_HPKE_HKDF_SHA256, .aead = PTLS_HPKE_AEAD_AES_128_GCM},
2280
    .name = "HKDF-SHA256/AES-128-GCM",
2281
    .hash = &ptls_openssl_sha256,
2282
    .aead = &ptls_openssl_aes128gcm};
2283
ptls_hpke_cipher_suite_t ptls_openssl_hpke_aes128gcmsha512 = {
2284
    .id = {.kdf = PTLS_HPKE_HKDF_SHA512, .aead = PTLS_HPKE_AEAD_AES_128_GCM},
2285
    .name = "HKDF-SHA512/AES-128-GCM",
2286
    .hash = &ptls_openssl_sha512,
2287
    .aead = &ptls_openssl_aes128gcm};
2288
ptls_hpke_cipher_suite_t ptls_openssl_hpke_aes256gcmsha384 = {
2289
    .id = {.kdf = PTLS_HPKE_HKDF_SHA384, .aead = PTLS_HPKE_AEAD_AES_256_GCM},
2290
    .name = "HKDF-SHA384/AES-256-GCM",
2291
    .hash = &ptls_openssl_sha384,
2292
    .aead = &ptls_openssl_aes256gcm};
2293
#if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305
2294
ptls_hpke_cipher_suite_t ptls_openssl_hpke_chacha20poly1305sha256 = {
2295
    .id = {.kdf = PTLS_HPKE_HKDF_SHA256, .aead = PTLS_HPKE_AEAD_CHACHA20POLY1305},
2296
    .name = "HKDF-SHA256/ChaCha20Poly1305",
2297
    .hash = &ptls_openssl_sha256,
2298
    .aead = &ptls_openssl_chacha20poly1305};
2299
#endif
2300
ptls_hpke_cipher_suite_t *ptls_openssl_hpke_cipher_suites[] = {&ptls_openssl_hpke_aes128gcmsha256,
2301
                                                               &ptls_openssl_hpke_aes256gcmsha384,
2302
#if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305
2303
                                                               &ptls_openssl_hpke_chacha20poly1305sha256,
2304
#endif
2305
                                                               &ptls_openssl_hpke_aes128gcmsha512, /* likely only for tests */
2306
                                                               NULL};