/src/picotls/lib/picotls.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (c) 2016 DeNA Co., Ltd., Kazuho Oku |
3 | | * |
4 | | * Permission is hereby granted, free of charge, to any person obtaining a copy |
5 | | * of this software and associated documentation files (the "Software"), to |
6 | | * deal in the Software without restriction, including without limitation the |
7 | | * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or |
8 | | * sell copies of the Software, and to permit persons to whom the Software is |
9 | | * furnished to do so, subject to the following conditions: |
10 | | * |
11 | | * The above copyright notice and this permission notice shall be included in |
12 | | * all copies or substantial portions of the Software. |
13 | | * |
14 | | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
15 | | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
16 | | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
17 | | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
18 | | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
19 | | * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS |
20 | | * IN THE SOFTWARE. |
21 | | */ |
22 | | #ifdef _WINDOWS |
23 | | #include "wincompat.h" |
24 | | #endif |
25 | | #include <assert.h> |
26 | | #include <stdarg.h> |
27 | | #include <stddef.h> |
28 | | #include <stdio.h> |
29 | | #include <stdlib.h> |
30 | | #include <string.h> |
31 | | #ifndef _WINDOWS |
32 | | #include <errno.h> |
33 | | #include <pthread.h> |
34 | | #include <unistd.h> |
35 | | #include <sys/socket.h> |
36 | | #include <arpa/inet.h> |
37 | | #include <netinet/in.h> |
38 | | #include <sys/time.h> |
39 | | #include <sys/types.h> |
40 | | #endif |
41 | | #ifdef __linux__ |
42 | | #include <sys/syscall.h> |
43 | | #endif |
44 | | #ifdef __APPLE__ |
45 | | #include <AvailabilityMacros.h> |
46 | | #endif |
47 | | #include "picotls.h" |
48 | | #if PICOTLS_USE_DTRACE |
49 | | #include "picotls-probes.h" |
50 | | #endif |
51 | | |
52 | 71.0k | #define PTLS_MAX_PLAINTEXT_RECORD_SIZE 16384 |
53 | 1.17k | #define PTLS_MAX_ENCRYPTED_RECORD_SIZE (16384 + 256) |
54 | | |
55 | 0 | #define PTLS_RECORD_VERSION_MAJOR 3 |
56 | 0 | #define PTLS_RECORD_VERSION_MINOR 3 |
57 | | |
58 | 72.2k | #define PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC 20 |
59 | 1.44k | #define PTLS_CONTENT_TYPE_ALERT 21 |
60 | 187k | #define PTLS_CONTENT_TYPE_HANDSHAKE 22 |
61 | 286k | #define PTLS_CONTENT_TYPE_APPDATA 23 |
62 | | |
63 | 0 | #define PTLS_PSK_KE_MODE_PSK 0 |
64 | 0 | #define PTLS_PSK_KE_MODE_PSK_DHE 1 |
65 | | |
66 | 43.9k | #define PTLS_HANDSHAKE_HEADER_SIZE 4 |
67 | | |
68 | | #define PTLS_EXTENSION_TYPE_SERVER_NAME 0 |
69 | | #define PTLS_EXTENSION_TYPE_STATUS_REQUEST 5 |
70 | | #define PTLS_EXTENSION_TYPE_SUPPORTED_GROUPS 10 |
71 | | #define PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS 13 |
72 | | #define PTLS_EXTENSION_TYPE_ALPN 16 |
73 | | #define PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE 20 |
74 | | #define PTLS_EXTENSION_TYPE_COMPRESS_CERTIFICATE 27 |
75 | | #define PTLS_EXTENSION_TYPE_PRE_SHARED_KEY 41 |
76 | | #define PTLS_EXTENSION_TYPE_EARLY_DATA 42 |
77 | | #define PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS 43 |
78 | | #define PTLS_EXTENSION_TYPE_COOKIE 44 |
79 | | #define PTLS_EXTENSION_TYPE_PSK_KEY_EXCHANGE_MODES 45 |
80 | | #define PTLS_EXTENSION_TYPE_CERTIFICATE_AUTHORITIES 47 |
81 | | #define PTLS_EXTENSION_TYPE_KEY_SHARE 51 |
82 | | #define PTLS_EXTENSION_TYPE_TICKET_REQUEST 58 |
83 | | #define PTLS_EXTENSION_TYPE_ECH_OUTER_EXTENSIONS 0xfd00 |
84 | | #define PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO 0xfe0d |
85 | | |
86 | | #define PTLS_SERVER_NAME_TYPE_HOSTNAME 0 |
87 | | |
88 | | #define PTLS_ECH_CONFIG_VERSION 0xfe0d |
89 | 0 | #define PTLS_ECH_CLIENT_HELLO_TYPE_OUTER 0 |
90 | 0 | #define PTLS_ECH_CLIENT_HELLO_TYPE_INNER 1 |
91 | | |
92 | 0 | #define PTLS_ECH_CONFIRM_LENGTH 8 |
93 | | |
94 | | static const char ech_info_prefix[8] = "tls ech"; |
95 | | |
96 | 63 | #define PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING "TLS 1.3, server CertificateVerify" |
97 | 0 | #define PTLS_CLIENT_CERTIFICATE_VERIFY_CONTEXT_STRING "TLS 1.3, client CertificateVerify" |
98 | | #define PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE \ |
99 | | (64 + sizeof(PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING) + PTLS_MAX_DIGEST_SIZE * 2) |
100 | | |
101 | 0 | #define PTLS_EARLY_DATA_MAX_DELAY 10000 /* max. RTT (in msec) to permit early data */ |
102 | | |
103 | | #ifndef PTLS_MAX_EARLY_DATA_SKIP_SIZE |
104 | 0 | #define PTLS_MAX_EARLY_DATA_SKIP_SIZE 65536 |
105 | | #endif |
106 | | #if defined(PTLS_DEBUG) && PTLS_DEBUG |
107 | | #define PTLS_DEBUGF(...) fprintf(stderr, __VA_ARGS__) |
108 | | #else |
109 | | #define PTLS_DEBUGF(...) |
110 | | #endif |
111 | | |
112 | | #ifndef PTLS_MEMORY_DEBUG |
113 | 3.31M | #define PTLS_MEMORY_DEBUG 0 |
114 | | #endif |
115 | | |
116 | | #if PICOTLS_USE_DTRACE |
117 | | #define PTLS_PROBE0(LABEL, tls) \ |
118 | | do { \ |
119 | | if (PTLS_UNLIKELY(PICOTLS_##LABEL##_ENABLED())) \ |
120 | | PICOTLS_##LABEL(tls); \ |
121 | | } while (0) |
122 | | #define PTLS_PROBE(LABEL, tls, ...) \ |
123 | | do { \ |
124 | | if (PTLS_UNLIKELY(PICOTLS_##LABEL##_ENABLED())) \ |
125 | | PICOTLS_##LABEL((tls), __VA_ARGS__); \ |
126 | | } while (0) |
127 | | #else |
128 | | #define PTLS_PROBE0(LABEL, tls) |
129 | | #define PTLS_PROBE(LABEL, tls, ...) |
130 | | #endif |
131 | | |
132 | | /** |
133 | | * list of supported versions in the preferred order |
134 | | */ |
135 | | static const uint16_t supported_versions[] = {PTLS_PROTOCOL_VERSION_TLS13}; |
136 | | |
137 | | static const uint8_t hello_retry_random[PTLS_HELLO_RANDOM_SIZE] = {0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C, |
138 | | 0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, |
139 | | 0x8C, 0x5E, 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C}; |
140 | | |
141 | | struct st_ptls_traffic_protection_t { |
142 | | uint8_t secret[PTLS_MAX_DIGEST_SIZE]; |
143 | | size_t epoch; |
144 | | /* the following fields are not used if the key_change callback is set */ |
145 | | ptls_aead_context_t *aead; |
146 | | uint64_t seq; |
147 | | unsigned tls12 : 1; |
148 | | uint64_t tls12_enc_record_iv; |
149 | | }; |
150 | | |
151 | | struct st_ptls_record_message_emitter_t { |
152 | | ptls_message_emitter_t super; |
153 | | size_t rec_start; |
154 | | }; |
155 | | |
156 | | struct st_ptls_signature_algorithms_t { |
157 | | uint16_t list[16]; /* expand? */ |
158 | | size_t count; |
159 | | }; |
160 | | |
161 | | struct st_ptls_certificate_request_t { |
162 | | /** |
163 | | * context.base becomes non-NULL when a CertificateRequest is pending for processing |
164 | | */ |
165 | | ptls_iovec_t context; |
166 | | struct st_ptls_signature_algorithms_t signature_algorithms; |
167 | | }; |
168 | | |
169 | | struct st_decoded_ech_config_t { |
170 | | uint8_t id; |
171 | | ptls_hpke_kem_t *kem; |
172 | | ptls_iovec_t public_key; |
173 | | ptls_hpke_cipher_suite_t *cipher; |
174 | | uint8_t max_name_length; |
175 | | ptls_iovec_t public_name; |
176 | | ptls_iovec_t bytes; |
177 | | }; |
178 | | |
179 | | /** |
180 | | * Properties for ECH. Iff ECH is used and not rejected, `aead` is non-NULL. |
181 | | */ |
182 | | struct st_ptls_ech_t { |
183 | | uint8_t offered : 1; |
184 | | uint8_t offered_grease : 1; |
185 | | uint8_t accepted : 1; |
186 | | uint8_t config_id; |
187 | | ptls_hpke_kem_t *kem; |
188 | | ptls_hpke_cipher_suite_t *cipher; |
189 | | ptls_aead_context_t *aead; |
190 | | uint8_t inner_client_random[PTLS_HELLO_RANDOM_SIZE]; |
191 | | struct { |
192 | | ptls_iovec_t enc; |
193 | | uint8_t max_name_length; |
194 | | char *public_name; |
195 | | /** |
196 | | * retains a copy of entire ECH extension so that it can be replayed in the 2nd CH when ECH is rejected via HRR |
197 | | */ |
198 | | ptls_iovec_t first_ech; |
199 | | } client; |
200 | | }; |
201 | | |
202 | | struct st_ptls_t { |
203 | | /** |
204 | | * the context |
205 | | */ |
206 | | ptls_context_t *ctx; |
207 | | /** |
208 | | * the state |
209 | | */ |
210 | | enum en_ptls_state_t { |
211 | | PTLS_STATE_CLIENT_HANDSHAKE_START, |
212 | | PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO, |
213 | | PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO, |
214 | | PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS, |
215 | | PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE, |
216 | | PTLS_STATE_CLIENT_EXPECT_CERTIFICATE, |
217 | | PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY, |
218 | | PTLS_STATE_CLIENT_EXPECT_FINISHED, |
219 | | PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO, |
220 | | PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO, |
221 | | PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY, |
222 | | PTLS_STATE_SERVER_EXPECT_CERTIFICATE, |
223 | | PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY, |
224 | | /* ptls_send can be called if the state is below here */ |
225 | | PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA, |
226 | | PTLS_STATE_SERVER_EXPECT_FINISHED, |
227 | | PTLS_STATE_POST_HANDSHAKE_MIN, |
228 | | PTLS_STATE_CLIENT_POST_HANDSHAKE = PTLS_STATE_POST_HANDSHAKE_MIN, |
229 | | PTLS_STATE_SERVER_POST_HANDSHAKE |
230 | | } state; |
231 | | /** |
232 | | * receive buffers |
233 | | */ |
234 | | struct { |
235 | | ptls_buffer_t rec; |
236 | | ptls_buffer_t mess; |
237 | | } recvbuf; |
238 | | /** |
239 | | * key schedule |
240 | | */ |
241 | | ptls_key_schedule_t *key_schedule; |
242 | | /** |
243 | | * values used for record protection |
244 | | */ |
245 | | struct { |
246 | | struct st_ptls_traffic_protection_t dec; |
247 | | struct st_ptls_traffic_protection_t enc; |
248 | | } traffic_protection; |
249 | | /** |
250 | | * server-name passed using SNI |
251 | | */ |
252 | | char *server_name; |
253 | | /** |
254 | | * result of ALPN |
255 | | */ |
256 | | char *negotiated_protocol; |
257 | | /** |
258 | | * selected key-exchange |
259 | | */ |
260 | | ptls_key_exchange_algorithm_t *key_share; |
261 | | /** |
262 | | * selected cipher-suite |
263 | | */ |
264 | | ptls_cipher_suite_t *cipher_suite; |
265 | | /** |
266 | | * ClientHello.random that appears on the wire. When ECH is used, that of inner CH is retained separately. |
267 | | */ |
268 | | uint8_t client_random[PTLS_HELLO_RANDOM_SIZE]; |
269 | | /** |
270 | | * exporter master secret (either 0rtt or 1rtt) |
271 | | */ |
272 | | struct { |
273 | | uint8_t *early; |
274 | | uint8_t *one_rtt; |
275 | | } exporter_master_secret; |
276 | | /** |
277 | | * ECH |
278 | | */ |
279 | | struct st_ptls_ech_t ech; |
280 | | /* flags */ |
281 | | unsigned is_server : 1; |
282 | | unsigned is_psk_handshake : 1; |
283 | | unsigned send_change_cipher_spec : 1; |
284 | | unsigned needs_key_update : 1; |
285 | | unsigned key_update_send_request : 1; |
286 | | #if PTLS_HAVE_LOG |
287 | | /** |
288 | | * see ptls_log |
289 | | */ |
290 | | ptls_log_conn_state_t log_state; |
291 | | #endif |
292 | | struct { |
293 | | uint32_t active_conns; |
294 | | uint32_t generation; |
295 | | } log_sni; |
296 | | /** |
297 | | * misc. |
298 | | */ |
299 | | union { |
300 | | struct { |
301 | | ptls_iovec_t legacy_session_id; |
302 | | uint8_t legacy_session_id_buf[32]; |
303 | | ptls_key_exchange_context_t *key_share_ctx; |
304 | | unsigned offered_psk : 1; |
305 | | /** |
306 | | * if 1-RTT write key is active |
307 | | */ |
308 | | unsigned using_early_data : 1; |
309 | | struct st_ptls_certificate_request_t certificate_request; |
310 | | } client; |
311 | | struct { |
312 | | uint8_t pending_traffic_secret[PTLS_MAX_DIGEST_SIZE]; |
313 | | uint32_t early_data_skipped_bytes; /* if not UINT32_MAX, the server is skipping early data */ |
314 | | uint8_t num_tickets_to_send; |
315 | | ptls_async_job_t *async_job; |
316 | | } server; |
317 | | }; |
318 | | /** |
319 | | * certificate verify; will be used by the client and the server (if require_client_authentication is set) |
320 | | */ |
321 | | struct { |
322 | | int (*cb)(void *verify_ctx, uint16_t algo, ptls_iovec_t data, ptls_iovec_t signature); |
323 | | void *verify_ctx; |
324 | | } certificate_verify; |
325 | | /** |
326 | | * handshake traffic secret to be commisioned (an array of `uint8_t [PTLS_MAX_DIGEST_SIZE]` or NULL) |
327 | | */ |
328 | | uint8_t *pending_handshake_secret; |
329 | | /** |
330 | | * user data |
331 | | */ |
332 | | void *data_ptr; |
333 | | }; |
334 | | |
335 | | struct st_ptls_record_t { |
336 | | uint8_t type; |
337 | | uint16_t version; |
338 | | size_t length; |
339 | | const uint8_t *fragment; |
340 | | }; |
341 | | |
342 | 0 | #define MAX_UNKNOWN_EXTENSIONS 16 |
343 | | #define MAX_CERTIFICATE_TYPES 8 |
344 | | |
345 | | struct st_ptls_client_hello_t { |
346 | | uint16_t legacy_version; |
347 | | const uint8_t *random_bytes; |
348 | | ptls_iovec_t legacy_session_id; |
349 | | struct { |
350 | | const uint8_t *ids; |
351 | | size_t count; |
352 | | } compression_methods; |
353 | | uint16_t selected_version; |
354 | | ptls_iovec_t cipher_suites; |
355 | | ptls_iovec_t negotiated_groups; |
356 | | ptls_iovec_t key_shares; |
357 | | struct st_ptls_signature_algorithms_t signature_algorithms; |
358 | | ptls_iovec_t server_name; |
359 | | struct { |
360 | | ptls_iovec_t list[16]; |
361 | | size_t count; |
362 | | } alpn; |
363 | | struct { |
364 | | uint16_t list[16]; |
365 | | size_t count; |
366 | | } cert_compression_algos; |
367 | | struct { |
368 | | ptls_iovec_t all; |
369 | | ptls_iovec_t tbs; |
370 | | ptls_iovec_t ch1_hash; |
371 | | ptls_iovec_t signature; |
372 | | unsigned sent_key_share : 1; |
373 | | } cookie; |
374 | | struct { |
375 | | uint8_t list[MAX_CERTIFICATE_TYPES]; |
376 | | size_t count; |
377 | | } server_certificate_types; |
378 | | unsigned status_request : 1; |
379 | | struct { |
380 | | uint8_t new_session_count; |
381 | | uint8_t resumption_count; |
382 | | } ticket_request; |
383 | | /** |
384 | | * ECH: payload.base != NULL indicates that the extension was received |
385 | | */ |
386 | | struct { |
387 | | uint8_t type; |
388 | | uint8_t config_id; |
389 | | ptls_hpke_cipher_suite_id_t cipher_suite; |
390 | | ptls_iovec_t enc; |
391 | | ptls_iovec_t payload; |
392 | | } ech; |
393 | | struct { |
394 | | const uint8_t *hash_end; |
395 | | struct { |
396 | | ptls_client_hello_psk_identity_t list[4]; |
397 | | size_t count; |
398 | | } identities; |
399 | | unsigned ke_modes; |
400 | | unsigned early_data_indication : 1; |
401 | | unsigned is_last_extension : 1; |
402 | | } psk; |
403 | | ptls_raw_extension_t unknown_extensions[MAX_UNKNOWN_EXTENSIONS + 1]; |
404 | | size_t first_extension_at; |
405 | | }; |
406 | | |
407 | | struct st_ptls_server_hello_t { |
408 | | uint8_t random_[PTLS_HELLO_RANDOM_SIZE]; |
409 | | ptls_iovec_t legacy_session_id; |
410 | | int is_retry_request; |
411 | | union { |
412 | | ptls_iovec_t peerkey; |
413 | | struct { |
414 | | uint16_t selected_group; |
415 | | ptls_iovec_t cookie; |
416 | | const uint8_t *ech; |
417 | | } retry_request; |
418 | | }; |
419 | | }; |
420 | | |
421 | | struct st_ptls_key_schedule_t { |
422 | | unsigned generation; /* early secret (1), hanshake secret (2), master secret (3) */ |
423 | | uint8_t secret[PTLS_MAX_DIGEST_SIZE]; |
424 | | size_t num_hashes; |
425 | | struct { |
426 | | ptls_hash_algorithm_t *algo; |
427 | | ptls_hash_context_t *ctx, *ctx_outer; |
428 | | } hashes[1]; |
429 | | }; |
430 | | |
431 | | struct st_ptls_extension_decoder_t { |
432 | | uint16_t type; |
433 | | int (*cb)(ptls_t *tls, void *arg, const uint8_t *src, const uint8_t *const end); |
434 | | }; |
435 | | |
436 | | struct st_ptls_extension_bitmap_t { |
437 | | uint64_t bits; |
438 | | }; |
439 | | |
440 | | static const uint8_t zeroes_of_max_digest_size[PTLS_MAX_DIGEST_SIZE] = {0}; |
441 | | |
442 | | static ptls_aead_context_t *new_aead(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, int is_enc, const void *secret, |
443 | | ptls_iovec_t hash_value, const char *label_prefix); |
444 | | static int server_finish_handshake(ptls_t *tls, ptls_message_emitter_t *emitter, int send_cert_verify, |
445 | | struct st_ptls_signature_algorithms_t *signature_algorithms); |
446 | | |
447 | | static int is_supported_version(uint16_t v) |
448 | 41.7k | { |
449 | 41.7k | size_t i; |
450 | 41.7k | for (i = 0; i != PTLS_ELEMENTSOF(supported_versions); ++i) |
451 | 41.7k | if (supported_versions[i] == v) |
452 | 41.6k | return 1; |
453 | 50 | return 0; |
454 | 41.7k | } |
455 | | |
456 | | static int extension_bitmap_testandset(struct st_ptls_extension_bitmap_t *bitmap, int hstype, uint16_t extid) |
457 | 48.9k | { |
458 | 388k | #define HSTYPE_TO_BIT(hstype) ((uint64_t)1 << ((hstype) + 1)) /* min(hstype) is -1 (PSEUDO_HRR) */ |
459 | 342k | #define DEFINE_BIT(abbrev, hstype) static const uint64_t abbrev = HSTYPE_TO_BIT(PTLS_HANDSHAKE_TYPE_##hstype) |
460 | 48.9k | #define EXT(candext, allowed_bits) \ |
461 | 586k | do { \ |
462 | 586k | if (PTLS_UNLIKELY(extid == PTLS_EXTENSION_TYPE_##candext)) { \ |
463 | 45.0k | allowed_hs_bits = allowed_bits; \ |
464 | 45.0k | goto Found; \ |
465 | 45.0k | } \ |
466 | 586k | ext_bitmap_mask <<= 1; \ |
467 | 541k | } while (0) |
468 | | |
469 | 48.9k | DEFINE_BIT(CH, CLIENT_HELLO); |
470 | 48.9k | DEFINE_BIT(SH, SERVER_HELLO); |
471 | 48.9k | DEFINE_BIT(HRR, PSEUDO_HRR); |
472 | 48.9k | DEFINE_BIT(EE, ENCRYPTED_EXTENSIONS); |
473 | 48.9k | DEFINE_BIT(CR, CERTIFICATE_REQUEST); |
474 | 48.9k | DEFINE_BIT(CT, CERTIFICATE); |
475 | 48.9k | DEFINE_BIT(NST, NEW_SESSION_TICKET); |
476 | | |
477 | 48.9k | uint64_t allowed_hs_bits, ext_bitmap_mask = 1; |
478 | | |
479 | | /* clang-format off */ |
480 | | /* RFC 8446 section 4.2: "The table below indicates the messages where a given extension may appear... If an implementation |
481 | | * receives an extension which it recognizes and which is not specified for the message in which it appears, it MUST abort the |
482 | | * handshake with an "illegal_parameter" alert. |
483 | | * |
484 | | * +-------------------------+---------------+ |
485 | | * + Extension | Allowed | |
486 | | * +-------------------------+---------------+ */ |
487 | 48.9k | EXT( SERVER_NAME , CH + EE ); |
488 | 48.9k | EXT( STATUS_REQUEST , CH + CR + CT ); |
489 | 48.6k | EXT( SUPPORTED_GROUPS , CH + EE ); |
490 | 48.6k | EXT( SIGNATURE_ALGORITHMS , CH + CR ); |
491 | 48.5k | EXT( ALPN , CH + EE ); |
492 | 48.4k | EXT( SERVER_CERTIFICATE_TYPE , CH + EE ); |
493 | 48.4k | EXT( KEY_SHARE , CH + SH + HRR ); |
494 | 47.0k | EXT( PRE_SHARED_KEY , CH + SH ); |
495 | 46.9k | EXT( PSK_KEY_EXCHANGE_MODES , CH ); |
496 | 46.9k | EXT( EARLY_DATA , CH + EE + NST ); |
497 | 46.9k | EXT( COOKIE , CH + HRR ); |
498 | 45.6k | EXT( SUPPORTED_VERSIONS , CH + SH + HRR ); |
499 | 3.94k | EXT( COMPRESS_CERTIFICATE , CH + CR ); /* from RFC 8879 */ |
500 | 3.93k | EXT( ENCRYPTED_CLIENT_HELLO , CH + HRR + EE ); /* from draft-ietf-tls-esni-15 */ |
501 | 3.92k | EXT( ECH_OUTER_EXTENSIONS , 0 ); |
502 | | /* +-----------------------------------------+ */ |
503 | | /* clang-format on */ |
504 | | |
505 | 3.91k | return 1; |
506 | | |
507 | 45.0k | Found: |
508 | 45.0k | if ((allowed_hs_bits & HSTYPE_TO_BIT(hstype)) == 0) |
509 | 83 | return 0; |
510 | 45.0k | if ((bitmap->bits & ext_bitmap_mask) != 0) |
511 | 19 | return 0; |
512 | 44.9k | bitmap->bits |= ext_bitmap_mask; |
513 | 44.9k | return 1; |
514 | | |
515 | 45.0k | #undef HSTYPE_TO_BIT |
516 | 45.0k | #undef DEFINE_ABBREV |
517 | 45.0k | #undef EXT |
518 | 45.0k | } |
519 | | |
520 | | #ifndef ntoh16 |
521 | | static uint16_t ntoh16(const uint8_t *src) |
522 | 281k | { |
523 | 281k | return (uint16_t)src[0] << 8 | src[1]; |
524 | 281k | } |
525 | | #endif |
526 | | |
527 | | #ifndef ntoh24 |
528 | | static uint32_t ntoh24(const uint8_t *src) |
529 | 70.3k | { |
530 | 70.3k | return (uint32_t)src[0] << 16 | (uint32_t)src[1] << 8 | src[2]; |
531 | 70.3k | } |
532 | | #endif |
533 | | |
534 | | #ifndef ntoh32 |
535 | | static uint32_t ntoh32(const uint8_t *src) |
536 | 0 | { |
537 | 0 | return (uint32_t)src[0] << 24 | (uint32_t)src[1] << 16 | (uint32_t)src[2] << 8 | src[3]; |
538 | 0 | } |
539 | | #endif |
540 | | |
541 | | #ifndef ntoh64 |
542 | | static uint64_t ntoh64(const uint8_t *src) |
543 | 0 | { |
544 | 0 | return (uint64_t)src[0] << 56 | (uint64_t)src[1] << 48 | (uint64_t)src[2] << 40 | (uint64_t)src[3] << 32 | |
545 | 0 | (uint64_t)src[4] << 24 | (uint64_t)src[5] << 16 | (uint64_t)src[6] << 8 | src[7]; |
546 | 0 | } |
547 | | #endif |
548 | | |
549 | | static void encode64(uint8_t *dst, uint64_t v) |
550 | 0 | { |
551 | 0 | for (size_t i = 0; i < 8; ++i) |
552 | 0 | dst[i] = (uint8_t)(v >> (56 - 8 * i)); |
553 | 0 | } |
554 | | |
555 | | static char *duplicate_as_str(const void *src, size_t len) |
556 | 20 | { |
557 | 20 | char *dst; |
558 | | |
559 | 20 | if ((dst = malloc(len + 1)) == NULL) |
560 | 0 | return NULL; |
561 | 20 | memcpy(dst, src, len); |
562 | 20 | dst[len] = '\0'; |
563 | 20 | return dst; |
564 | 20 | } |
565 | | |
566 | | void ptls_buffer__release_memory(ptls_buffer_t *buf) |
567 | 184k | { |
568 | 184k | ptls_clear_memory(buf->base, buf->off); |
569 | 184k | if (buf->is_allocated) { |
570 | | #ifdef _WINDOWS |
571 | | if (buf->align_bits != 0) { |
572 | | _aligned_free(buf->base); |
573 | | } else { |
574 | | free(buf->base); |
575 | | } |
576 | | #else |
577 | 7.00k | free(buf->base); |
578 | 7.00k | #endif |
579 | 7.00k | } |
580 | 184k | } |
581 | | |
582 | | int ptls_buffer_reserve(ptls_buffer_t *buf, size_t delta) |
583 | 1.65M | { |
584 | 1.65M | return ptls_buffer_reserve_aligned(buf, delta, 0); |
585 | 1.65M | } |
586 | | |
587 | | int ptls_buffer_reserve_aligned(ptls_buffer_t *buf, size_t delta, uint8_t align_bits) |
588 | 1.65M | { |
589 | 1.65M | if (buf->base == NULL) |
590 | 0 | return PTLS_ERROR_NO_MEMORY; |
591 | | |
592 | 1.65M | if (PTLS_MEMORY_DEBUG || buf->capacity < buf->off + delta || |
593 | 1.65M | (buf->align_bits < align_bits && ((uintptr_t)buf->base & (((uintptr_t)1 << align_bits) - 1)) != 0)) { |
594 | 7.00k | void *newp; |
595 | 7.00k | size_t new_capacity = buf->capacity; |
596 | 7.00k | if (new_capacity < 1024) |
597 | 6.27k | new_capacity = 1024; |
598 | 8.20k | while (new_capacity < buf->off + delta) { |
599 | 1.19k | new_capacity *= 2; |
600 | 1.19k | } |
601 | 7.00k | if (align_bits != 0) { |
602 | | #ifdef _WINDOWS |
603 | | if ((newp = _aligned_malloc(new_capacity, (size_t)1 << align_bits)) == NULL) |
604 | | return PTLS_ERROR_NO_MEMORY; |
605 | | #else |
606 | 0 | if (posix_memalign(&newp, 1 << align_bits, new_capacity) != 0) |
607 | 0 | return PTLS_ERROR_NO_MEMORY; |
608 | 0 | #endif |
609 | 7.00k | } else { |
610 | 7.00k | if ((newp = malloc(new_capacity)) == NULL) |
611 | 0 | return PTLS_ERROR_NO_MEMORY; |
612 | 7.00k | } |
613 | 7.00k | memcpy(newp, buf->base, buf->off); |
614 | 7.00k | ptls_buffer__release_memory(buf); |
615 | 7.00k | buf->base = newp; |
616 | 7.00k | buf->capacity = new_capacity; |
617 | 7.00k | buf->is_allocated = 1; |
618 | 7.00k | buf->align_bits = align_bits; |
619 | 7.00k | } |
620 | | |
621 | 1.65M | return 0; |
622 | 1.65M | } |
623 | | |
624 | | int ptls_buffer__do_pushv(ptls_buffer_t *buf, const void *src, size_t len) |
625 | 1.67M | { |
626 | 1.67M | int ret; |
627 | | |
628 | 1.67M | if (len == 0) |
629 | 46.7k | return 0; |
630 | 1.62M | if ((ret = ptls_buffer_reserve(buf, len)) != 0) |
631 | 0 | return ret; |
632 | 1.62M | memcpy(buf->base + buf->off, src, len); |
633 | 1.62M | buf->off += len; |
634 | 1.62M | return 0; |
635 | 1.62M | } |
636 | | |
637 | | int ptls_buffer__adjust_quic_blocksize(ptls_buffer_t *buf, size_t body_size) |
638 | 0 | { |
639 | 0 | uint8_t sizebuf[PTLS_ENCODE_QUICINT_CAPACITY]; |
640 | 0 | size_t sizelen = ptls_encode_quicint(sizebuf, body_size) - sizebuf; |
641 | | |
642 | | /* adjust amount of space before body_size to `sizelen` bytes */ |
643 | 0 | if (sizelen != 1) { |
644 | 0 | int ret; |
645 | 0 | if ((ret = ptls_buffer_reserve(buf, sizelen - 1)) != 0) |
646 | 0 | return ret; |
647 | 0 | memmove(buf->base + buf->off - body_size - 1 + sizelen, buf->base + buf->off - body_size, body_size); |
648 | 0 | buf->off += sizelen - 1; |
649 | 0 | } |
650 | | |
651 | | /* write the size */ |
652 | 0 | memcpy(buf->base + buf->off - body_size - sizelen, sizebuf, sizelen); |
653 | |
|
654 | 0 | return 0; |
655 | 0 | } |
656 | | |
657 | | int ptls_buffer__adjust_asn1_blocksize(ptls_buffer_t *buf, size_t body_size) |
658 | 0 | { |
659 | 0 | fprintf(stderr, "unimplemented\n"); |
660 | 0 | abort(); |
661 | 0 | } |
662 | | |
663 | | int ptls_buffer_push_asn1_ubigint(ptls_buffer_t *buf, const void *bignum, size_t size) |
664 | 0 | { |
665 | 0 | const uint8_t *p = bignum, *const end = p + size; |
666 | 0 | int ret; |
667 | | |
668 | | /* skip zeroes */ |
669 | 0 | for (; end - p >= 1; ++p) |
670 | 0 | if (*p != 0) |
671 | 0 | break; |
672 | | |
673 | | /* emit */ |
674 | 0 | ptls_buffer_push(buf, 2); |
675 | 0 | ptls_buffer_push_asn1_block(buf, { |
676 | 0 | if (*p >= 0x80) |
677 | 0 | ptls_buffer_push(buf, 0); |
678 | 0 | if (p != end) { |
679 | 0 | ptls_buffer_pushv(buf, p, end - p); |
680 | 0 | } else { |
681 | 0 | ptls_buffer_pushv(buf, "", 1); |
682 | 0 | } |
683 | 0 | }); |
684 | 0 | ret = 0; |
685 | |
|
686 | 0 | Exit: |
687 | 0 | return ret; |
688 | 0 | } |
689 | | |
690 | | #if PTLS_FUZZ_HANDSHAKE |
691 | | |
692 | | static size_t aead_encrypt(struct st_ptls_traffic_protection_t *ctx, void *output, const void *input, size_t inlen, |
693 | | uint8_t content_type) |
694 | 0 | { |
695 | 0 | memcpy(output, input, inlen); |
696 | 0 | memcpy(output + inlen, &content_type, 1); |
697 | 0 | return inlen + 1 + 16; |
698 | 0 | } |
699 | | |
700 | | static int aead_decrypt(struct st_ptls_traffic_protection_t *ctx, void *output, size_t *outlen, const void *input, size_t inlen) |
701 | 1.14k | { |
702 | 1.14k | if (inlen < 16) { |
703 | 5 | return PTLS_ALERT_BAD_RECORD_MAC; |
704 | 5 | } |
705 | 1.13k | memcpy(output, input, inlen - 16); |
706 | 1.13k | *outlen = inlen - 16; /* removing the 16 bytes of tag */ |
707 | 1.13k | return 0; |
708 | 1.14k | } |
709 | | |
710 | | #else |
711 | | |
712 | | static void build_aad(uint8_t aad[5], size_t reclen) |
713 | | { |
714 | | aad[0] = PTLS_CONTENT_TYPE_APPDATA; |
715 | | aad[1] = PTLS_RECORD_VERSION_MAJOR; |
716 | | aad[2] = PTLS_RECORD_VERSION_MINOR; |
717 | | aad[3] = (uint8_t)(reclen >> 8); |
718 | | aad[4] = (uint8_t)reclen; |
719 | | } |
720 | | |
721 | | static size_t aead_encrypt(struct st_ptls_traffic_protection_t *ctx, void *output, const void *input, size_t inlen, |
722 | | uint8_t content_type) |
723 | | { |
724 | | ptls_iovec_t invec[2] = {ptls_iovec_init(input, inlen), ptls_iovec_init(&content_type, 1)}; |
725 | | uint8_t aad[5]; |
726 | | |
727 | | build_aad(aad, inlen + 1 + ctx->aead->algo->tag_size); |
728 | | ptls_aead_encrypt_v(ctx->aead, output, invec, PTLS_ELEMENTSOF(invec), ctx->seq++, aad, sizeof(aad)); |
729 | | |
730 | | return inlen + 1 + ctx->aead->algo->tag_size; |
731 | | } |
732 | | |
733 | | static int aead_decrypt(struct st_ptls_traffic_protection_t *ctx, void *output, size_t *outlen, const void *input, size_t inlen) |
734 | | { |
735 | | uint8_t aad[5]; |
736 | | |
737 | | build_aad(aad, inlen); |
738 | | if ((*outlen = ptls_aead_decrypt(ctx->aead, output, input, inlen, ctx->seq, aad, sizeof(aad))) == SIZE_MAX) |
739 | | return PTLS_ALERT_BAD_RECORD_MAC; |
740 | | ++ctx->seq; |
741 | | return 0; |
742 | | } |
743 | | |
744 | | #endif /* #if PTLS_FUZZ_HANDSHAKE */ |
745 | | |
746 | | static void build_tls12_aad(uint8_t *aad, uint8_t type, uint64_t seq, uint16_t length) |
747 | 0 | { |
748 | 0 | for (size_t i = 0; i < 8; ++i) |
749 | 0 | aad[i] = (uint8_t)(seq >> (56 - i * 8)); |
750 | 0 | aad[8] = type; |
751 | 0 | aad[9] = PTLS_RECORD_VERSION_MAJOR; |
752 | 0 | aad[10] = PTLS_RECORD_VERSION_MINOR; |
753 | 0 | aad[11] = length >> 8; |
754 | 0 | aad[12] = (uint8_t)length; |
755 | 0 | } |
756 | | |
757 | | #define buffer_push_record(buf, type, block) \ |
758 | 1.76k | do { \ |
759 | 1.76k | ptls_buffer_push((buf), (type), PTLS_RECORD_VERSION_MAJOR, PTLS_RECORD_VERSION_MINOR); \ |
760 | 1.76k | ptls_buffer_push_block((buf), 2, block); \ |
761 | 1.76k | } while (0) |
762 | | |
763 | | static int buffer_push_encrypted_records(ptls_buffer_t *buf, uint8_t type, const uint8_t *src, size_t len, |
764 | | struct st_ptls_traffic_protection_t *enc) |
765 | 0 | { |
766 | 0 | int ret = 0; |
767 | |
|
768 | 0 | while (len != 0) { |
769 | 0 | size_t chunk_size = len; |
770 | 0 | if (chunk_size > PTLS_MAX_PLAINTEXT_RECORD_SIZE) |
771 | 0 | chunk_size = PTLS_MAX_PLAINTEXT_RECORD_SIZE; |
772 | 0 | if (enc->tls12) { |
773 | 0 | buffer_push_record(buf, type, { |
774 | | /* reserve memory */ |
775 | 0 | if ((ret = ptls_buffer_reserve_aligned( |
776 | 0 | buf, enc->aead->algo->tls12.record_iv_size + chunk_size + enc->aead->algo->tag_size, |
777 | 0 | enc->aead->algo->align_bits)) != 0) |
778 | 0 | goto Exit; |
779 | | /* determine nonce, as well as prepending that walue as the record IV (AES-GCM) */ |
780 | 0 | uint64_t nonce; |
781 | 0 | if (enc->aead->algo->tls12.record_iv_size != 0) { |
782 | 0 | assert(enc->aead->algo->tls12.record_iv_size == 8); |
783 | 0 | nonce = enc->tls12_enc_record_iv++; |
784 | 0 | encode64(buf->base + buf->off, nonce); |
785 | 0 | buf->off += 8; |
786 | 0 | } else { |
787 | 0 | nonce = enc->seq; |
788 | 0 | } |
789 | | /* build AAD */ |
790 | 0 | uint8_t aad[PTLS_TLS12_AAD_SIZE]; |
791 | 0 | build_tls12_aad(aad, type, enc->seq, (uint16_t)chunk_size); |
792 | | /* encrypt */ |
793 | 0 | buf->off += ptls_aead_encrypt(enc->aead, buf->base + buf->off, src, chunk_size, nonce, aad, sizeof(aad)); |
794 | 0 | ++enc->seq; |
795 | 0 | }); |
796 | 0 | } else { |
797 | 0 | buffer_push_record(buf, PTLS_CONTENT_TYPE_APPDATA, { |
798 | 0 | if ((ret = ptls_buffer_reserve_aligned(buf, chunk_size + enc->aead->algo->tag_size + 1, |
799 | 0 | enc->aead->algo->align_bits)) != 0) |
800 | 0 | goto Exit; |
801 | 0 | buf->off += aead_encrypt(enc, buf->base + buf->off, src, chunk_size, type); |
802 | 0 | }); |
803 | 0 | } |
804 | 0 | src += chunk_size; |
805 | 0 | len -= chunk_size; |
806 | 0 | } |
807 | | |
808 | 0 | Exit: |
809 | 0 | return ret; |
810 | 0 | } |
811 | | |
812 | | static int buffer_encrypt_record(ptls_buffer_t *buf, size_t rec_start, struct st_ptls_traffic_protection_t *enc) |
813 | 0 | { |
814 | 0 | size_t bodylen = buf->off - rec_start - 5; |
815 | 0 | uint8_t *tmpbuf, type = buf->base[rec_start]; |
816 | 0 | int ret; |
817 | | |
818 | | /* Fast path: do in-place encryption if only one record needs to be emitted. (For simplicity, do not take this path if TLS 1.2 |
819 | | * is used, as this function will be called no more than once per connection, for encrypting an alert.) */ |
820 | 0 | if (!enc->tls12 && bodylen <= PTLS_MAX_PLAINTEXT_RECORD_SIZE) { |
821 | 0 | size_t overhead = 1 + enc->aead->algo->tag_size; |
822 | 0 | if ((ret = ptls_buffer_reserve_aligned(buf, overhead, enc->aead->algo->align_bits)) != 0) |
823 | 0 | return ret; |
824 | 0 | size_t encrypted_len = aead_encrypt(enc, buf->base + rec_start + 5, buf->base + rec_start + 5, bodylen, type); |
825 | 0 | assert(encrypted_len == bodylen + overhead); |
826 | 0 | buf->off += overhead; |
827 | 0 | buf->base[rec_start] = PTLS_CONTENT_TYPE_APPDATA; |
828 | 0 | buf->base[rec_start + 3] = (encrypted_len >> 8) & 0xff; |
829 | 0 | buf->base[rec_start + 4] = encrypted_len & 0xff; |
830 | 0 | return 0; |
831 | 0 | } |
832 | | |
833 | | /* move plaintext to temporary buffer */ |
834 | 0 | if ((tmpbuf = malloc(bodylen)) == NULL) { |
835 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
836 | 0 | goto Exit; |
837 | 0 | } |
838 | 0 | memcpy(tmpbuf, buf->base + rec_start + 5, bodylen); |
839 | 0 | ptls_clear_memory(buf->base + rec_start, bodylen + 5); |
840 | 0 | buf->off = rec_start; |
841 | | |
842 | | /* push encrypted records */ |
843 | 0 | ret = buffer_push_encrypted_records(buf, type, tmpbuf, bodylen, enc); |
844 | |
|
845 | 0 | Exit: |
846 | 0 | if (tmpbuf != NULL) { |
847 | 0 | ptls_clear_memory(tmpbuf, bodylen); |
848 | 0 | free(tmpbuf); |
849 | 0 | } |
850 | 0 | return ret; |
851 | 0 | } |
852 | | |
853 | | static int begin_record_message(ptls_message_emitter_t *_self) |
854 | 42.6k | { |
855 | 42.6k | struct st_ptls_record_message_emitter_t *self = (void *)_self; |
856 | 42.6k | int ret; |
857 | | |
858 | 42.6k | self->rec_start = self->super.buf->off; |
859 | 42.6k | ptls_buffer_push(self->super.buf, PTLS_CONTENT_TYPE_HANDSHAKE, PTLS_RECORD_VERSION_MAJOR, PTLS_RECORD_VERSION_MINOR, 0, 0); |
860 | 42.6k | ret = 0; |
861 | 42.6k | Exit: |
862 | 42.6k | return ret; |
863 | 42.6k | } |
864 | | |
865 | | static int commit_record_message(ptls_message_emitter_t *_self) |
866 | 42.6k | { |
867 | 42.6k | struct st_ptls_record_message_emitter_t *self = (void *)_self; |
868 | 42.6k | int ret; |
869 | | |
870 | 42.6k | if (self->super.enc->aead != NULL) { |
871 | 0 | ret = buffer_encrypt_record(self->super.buf, self->rec_start, self->super.enc); |
872 | 42.6k | } else { |
873 | | /* TODO allow CH,SH,HRR above 16KB */ |
874 | 42.6k | size_t sz = self->super.buf->off - self->rec_start - 5; |
875 | 42.6k | assert(sz <= PTLS_MAX_PLAINTEXT_RECORD_SIZE); |
876 | 42.6k | self->super.buf->base[self->rec_start + 3] = (uint8_t)(sz >> 8); |
877 | 42.6k | self->super.buf->base[self->rec_start + 4] = (uint8_t)(sz); |
878 | 42.6k | ret = 0; |
879 | 42.6k | } |
880 | | |
881 | 42.6k | return ret; |
882 | 42.6k | } |
883 | | |
884 | | #define buffer_push_extension(buf, type, block) \ |
885 | 0 | do { \ |
886 | 0 | ptls_buffer_push16((buf), (type)); \ |
887 | 0 | ptls_buffer_push_block((buf), 2, block); \ |
888 | 0 | } while (0); |
889 | | |
890 | | #define decode_open_extensions(src, end, hstype, exttype, block) \ |
891 | 43.2k | do { \ |
892 | 43.2k | struct st_ptls_extension_bitmap_t bitmap = {0}; \ |
893 | 43.2k | ptls_decode_open_block((src), end, 2, { \ |
894 | 43.2k | while ((src) != end) { \ |
895 | 43.2k | if ((ret = ptls_decode16((exttype), &(src), end)) != 0) \ |
896 | 43.2k | goto Exit; \ |
897 | 43.2k | if (!extension_bitmap_testandset(&bitmap, (hstype), *(exttype))) { \ |
898 | 43.2k | ret = PTLS_ALERT_ILLEGAL_PARAMETER; \ |
899 | 43.2k | goto Exit; \ |
900 | 43.2k | } \ |
901 | 43.2k | ptls_decode_open_block((src), end, 2, block); \ |
902 | 43.2k | } \ |
903 | 43.2k | }); \ |
904 | 43.2k | } while (0) |
905 | | |
906 | | #define decode_extensions(src, end, hstype, exttype, block) \ |
907 | 43.2k | do { \ |
908 | 43.2k | decode_open_extensions((src), end, hstype, exttype, block); \ |
909 | 43.2k | ptls_decode_assert_block_close((src), end); \ |
910 | 42.3k | } while (0) |
911 | | |
912 | | int ptls_decode8(uint8_t *value, const uint8_t **src, const uint8_t *end) |
913 | 42.0k | { |
914 | 42.0k | if (*src == end) |
915 | 5 | return PTLS_ALERT_DECODE_ERROR; |
916 | 42.0k | *value = *(*src)++; |
917 | 42.0k | return 0; |
918 | 42.0k | } |
919 | | |
920 | | int ptls_decode16(uint16_t *value, const uint8_t **src, const uint8_t *end) |
921 | 137k | { |
922 | 137k | if (end - *src < 2) |
923 | 44 | return PTLS_ALERT_DECODE_ERROR; |
924 | 137k | *value = ntoh16(*src); |
925 | 137k | *src += 2; |
926 | 137k | return 0; |
927 | 137k | } |
928 | | |
929 | | int ptls_decode24(uint32_t *value, const uint8_t **src, const uint8_t *end) |
930 | 0 | { |
931 | 0 | if (end - *src < 3) |
932 | 0 | return PTLS_ALERT_DECODE_ERROR; |
933 | 0 | *value = ((uint32_t)(*src)[0] << 16) | ((uint32_t)(*src)[1] << 8) | (*src)[2]; |
934 | 0 | *src += 3; |
935 | 0 | return 0; |
936 | 0 | } |
937 | | |
938 | | int ptls_decode32(uint32_t *value, const uint8_t **src, const uint8_t *end) |
939 | 0 | { |
940 | 0 | if (end - *src < 4) |
941 | 0 | return PTLS_ALERT_DECODE_ERROR; |
942 | 0 | *value = ntoh32(*src); |
943 | 0 | *src += 4; |
944 | 0 | return 0; |
945 | 0 | } |
946 | | |
947 | | int ptls_decode64(uint64_t *value, const uint8_t **src, const uint8_t *end) |
948 | 0 | { |
949 | 0 | if (end - *src < 8) |
950 | 0 | return PTLS_ALERT_DECODE_ERROR; |
951 | 0 | *value = ntoh64(*src); |
952 | 0 | *src += 8; |
953 | 0 | return 0; |
954 | 0 | } |
955 | | |
956 | | uint64_t ptls_decode_quicint(const uint8_t **src, const uint8_t *end) |
957 | 0 | { |
958 | 0 | if (PTLS_UNLIKELY(*src == end)) |
959 | 0 | return UINT64_MAX; |
960 | | |
961 | 0 | uint8_t b = *(*src)++; |
962 | |
|
963 | 0 | if (PTLS_LIKELY(b <= 0x3f)) |
964 | 0 | return b; |
965 | | |
966 | 0 | uint64_t v = b & 0x3f; |
967 | 0 | unsigned bytes_left = (1 << (b >> 6)) - 1; |
968 | 0 | if (PTLS_UNLIKELY((size_t)(end - *src) < bytes_left)) |
969 | 0 | return UINT64_MAX; |
970 | 0 | do { |
971 | 0 | v = (v << 8) | *(*src)++; |
972 | 0 | } while (--bytes_left != 0); |
973 | 0 | return v; |
974 | 0 | } |
975 | | |
976 | | static void log_secret(ptls_t *tls, const char *type, ptls_iovec_t secret) |
977 | 2.02k | { |
978 | 2.02k | char hexbuf[PTLS_MAX_DIGEST_SIZE * 2 + 1]; |
979 | | |
980 | 2.02k | PTLS_PROBE(NEW_SECRET, tls, type, ptls_hexdump(hexbuf, secret.base, secret.len)); |
981 | 2.02k | PTLS_LOG_CONN(new_secret, tls, { PTLS_LOG_ELEMENT_SAFESTR(label, type); }); |
982 | | |
983 | 2.02k | if (tls->ctx->log_event != NULL) |
984 | 0 | tls->ctx->log_event->cb(tls->ctx->log_event, tls, type, "%s", ptls_hexdump(hexbuf, secret.base, secret.len)); |
985 | 2.02k | } |
986 | | |
987 | | /** |
988 | | * This function preserves the flags and modes (e.g., `offered`, `accepted`, `cipher`), they can be used afterwards. |
989 | | */ |
990 | | static void clear_ech(struct st_ptls_ech_t *ech, int is_server) |
991 | 3.10k | { |
992 | 3.10k | if (ech->aead != NULL) { |
993 | 0 | ptls_aead_free(ech->aead); |
994 | 0 | ech->aead = NULL; |
995 | 0 | } |
996 | 3.10k | ptls_clear_memory(ech->inner_client_random, PTLS_HELLO_RANDOM_SIZE); |
997 | 3.10k | if (!is_server) { |
998 | 3.10k | free(ech->client.enc.base); |
999 | 3.10k | ech->client.enc = ptls_iovec_init(NULL, 0); |
1000 | 3.10k | if (ech->client.public_name != NULL) { |
1001 | 0 | free(ech->client.public_name); |
1002 | 0 | ech->client.public_name = NULL; |
1003 | 0 | } |
1004 | 3.10k | free(ech->client.first_ech.base); |
1005 | 3.10k | ech->client.first_ech = ptls_iovec_init(NULL, 0); |
1006 | 3.10k | } |
1007 | 3.10k | } |
1008 | | |
1009 | | /** |
1010 | | * Decodes one ECHConfigContents (tls-esni-15 section 4). `decoded->kem` and `cipher` may be NULL even when the function returns |
1011 | | * zero, if the corresponding entries are not found. |
1012 | | */ |
1013 | | static int decode_one_ech_config(ptls_hpke_kem_t **kems, ptls_hpke_cipher_suite_t **ciphers, |
1014 | | struct st_decoded_ech_config_t *decoded, const uint8_t **src, const uint8_t *const end) |
1015 | 0 | { |
1016 | 0 | char *public_name_buf = NULL; |
1017 | 0 | int ret; |
1018 | |
|
1019 | 0 | *decoded = (struct st_decoded_ech_config_t){0}; |
1020 | |
|
1021 | 0 | if ((ret = ptls_decode8(&decoded->id, src, end)) != 0) |
1022 | 0 | goto Exit; |
1023 | 0 | uint16_t kem_id; |
1024 | 0 | if ((ret = ptls_decode16(&kem_id, src, end)) != 0) |
1025 | 0 | goto Exit; |
1026 | 0 | for (size_t i = 0; kems[i] != NULL; ++i) { |
1027 | 0 | if (kems[i]->id == kem_id) { |
1028 | 0 | decoded->kem = kems[i]; |
1029 | 0 | break; |
1030 | 0 | } |
1031 | 0 | } |
1032 | 0 | ptls_decode_open_block(*src, end, 2, { |
1033 | 0 | if (*src == end) { |
1034 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
1035 | 0 | goto Exit; |
1036 | 0 | } |
1037 | 0 | decoded->public_key = ptls_iovec_init(*src, end - *src); |
1038 | 0 | *src = end; |
1039 | 0 | }); |
1040 | 0 | ptls_decode_open_block(*src, end, 2, { |
1041 | 0 | do { |
1042 | 0 | uint16_t kdf_id; |
1043 | 0 | uint16_t aead_id; |
1044 | 0 | if ((ret = ptls_decode16(&kdf_id, src, end)) != 0) |
1045 | 0 | goto Exit; |
1046 | 0 | if ((ret = ptls_decode16(&aead_id, src, end)) != 0) |
1047 | 0 | goto Exit; |
1048 | 0 | if (decoded->cipher == NULL) { |
1049 | 0 | for (size_t i = 0; ciphers[i] != NULL; ++i) { |
1050 | 0 | if (ciphers[i]->id.kdf == kdf_id && ciphers[i]->id.aead == aead_id) { |
1051 | 0 | decoded->cipher = ciphers[i]; |
1052 | 0 | break; |
1053 | 0 | } |
1054 | 0 | } |
1055 | 0 | } |
1056 | 0 | } while (*src != end); |
1057 | 0 | }); |
1058 | 0 | if ((ret = ptls_decode8(&decoded->max_name_length, src, end)) != 0) |
1059 | 0 | goto Exit; |
1060 | | |
1061 | 0 | #define SKIP_DECODED() \ |
1062 | 0 | do { \ |
1063 | 0 | decoded->kem = NULL; \ |
1064 | 0 | decoded->cipher = NULL; \ |
1065 | 0 | } while (0) |
1066 | | |
1067 | | /* Decode public_name. The specification requires clients to ignore (upon parsing ESNIConfigList) or reject (upon handshake) |
1068 | | * public names that are not DNS names or IPv4 addresses. We ignore IPv4 and v6 addresses during parsing (IPv6 addresses never |
1069 | | * looks like DNS names), and delegate the responsibility of rejecting non-DNS names to the certificate verify callback. */ |
1070 | 0 | ptls_decode_open_block(*src, end, 1, { |
1071 | 0 | if (*src == end) { |
1072 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
1073 | 0 | goto Exit; |
1074 | 0 | } |
1075 | 0 | if ((public_name_buf = duplicate_as_str(*src, end - *src)) == NULL) { |
1076 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1077 | 0 | goto Exit; |
1078 | 0 | } |
1079 | 0 | if (ptls_server_name_is_ipaddr(public_name_buf)) { |
1080 | 0 | SKIP_DECODED(); |
1081 | 0 | } else { |
1082 | 0 | decoded->public_name = ptls_iovec_init(*src, end - *src); |
1083 | 0 | } |
1084 | 0 | *src = end; |
1085 | 0 | }); |
1086 | | |
1087 | 0 | ptls_decode_block(*src, end, 2, { |
1088 | 0 | while (*src < end) { |
1089 | 0 | uint16_t type; |
1090 | 0 | if ((ret = ptls_decode16(&type, src, end)) != 0) |
1091 | 0 | goto Exit; |
1092 | 0 | ptls_decode_open_block(*src, end, 2, { *src = end; }); |
1093 | | /* if a critital extension is found, indicate that the config cannot be used */ |
1094 | 0 | if ((type & 0x8000) != 0) |
1095 | 0 | SKIP_DECODED(); |
1096 | 0 | } |
1097 | 0 | }); |
1098 | | |
1099 | 0 | #undef SKIP_DECODED |
1100 | | |
1101 | 0 | Exit: |
1102 | 0 | free(public_name_buf); |
1103 | 0 | return ret; |
1104 | 0 | } |
1105 | | |
1106 | | static int client_decode_ech_config_list(ptls_context_t *ctx, struct st_decoded_ech_config_t *decoded, ptls_iovec_t config_list) |
1107 | 0 | { |
1108 | 0 | const uint8_t *src = config_list.base, *const end = src + config_list.len; |
1109 | 0 | int match_found = 0, ret; |
1110 | |
|
1111 | 0 | *decoded = (struct st_decoded_ech_config_t){0}; |
1112 | |
|
1113 | 0 | ptls_decode_block(src, end, 2, { |
1114 | 0 | do { |
1115 | 0 | const uint8_t *config_start = src; |
1116 | 0 | uint16_t version; |
1117 | 0 | if ((ret = ptls_decode16(&version, &src, end)) != 0) |
1118 | 0 | goto Exit; |
1119 | 0 | ptls_decode_open_block(src, end, 2, { |
1120 | | /* If the block is the one that we recognize, parse it, then adopt if if possible. Otherwise, skip. */ |
1121 | 0 | if (version == PTLS_ECH_CONFIG_VERSION) { |
1122 | 0 | struct st_decoded_ech_config_t thisconf; |
1123 | 0 | if ((ret = decode_one_ech_config(ctx->ech.client.kems, ctx->ech.client.ciphers, &thisconf, &src, end)) != 0) |
1124 | 0 | goto Exit; |
1125 | 0 | if (!match_found && thisconf.kem != NULL && thisconf.cipher != NULL) { |
1126 | 0 | *decoded = thisconf; |
1127 | 0 | decoded->bytes = ptls_iovec_init(config_start, end - config_start); |
1128 | 0 | match_found = 1; |
1129 | 0 | } |
1130 | 0 | } else { |
1131 | 0 | src = end; |
1132 | 0 | } |
1133 | 0 | }); |
1134 | 0 | } while (src != end); |
1135 | 0 | }); |
1136 | 0 | ret = 0; |
1137 | |
|
1138 | 0 | Exit: |
1139 | 0 | if (ret != 0) |
1140 | 0 | *decoded = (struct st_decoded_ech_config_t){0}; |
1141 | 0 | return ret; |
1142 | 0 | } |
1143 | | |
1144 | | static int client_setup_ech(struct st_ptls_ech_t *ech, struct st_decoded_ech_config_t *decoded, |
1145 | | void (*random_bytes)(void *, size_t)) |
1146 | 0 | { |
1147 | 0 | ptls_buffer_t infobuf; |
1148 | 0 | uint8_t infobuf_smallbuf[256]; |
1149 | 0 | int ret; |
1150 | | |
1151 | | /* setup `enc` and `aead` by running HPKE */ |
1152 | 0 | ptls_buffer_init(&infobuf, infobuf_smallbuf, sizeof(infobuf_smallbuf)); |
1153 | 0 | ptls_buffer_pushv(&infobuf, ech_info_prefix, sizeof(ech_info_prefix)); |
1154 | 0 | ptls_buffer_pushv(&infobuf, decoded->bytes.base, decoded->bytes.len); |
1155 | 0 | if ((ret = ptls_hpke_setup_base_s(decoded->kem, decoded->cipher, &ech->client.enc, &ech->aead, decoded->public_key, |
1156 | 0 | ptls_iovec_init(infobuf.base, infobuf.off))) != 0) |
1157 | 0 | goto Exit; |
1158 | | |
1159 | | /* setup the rest */ |
1160 | 0 | ech->config_id = decoded->id; |
1161 | 0 | ech->kem = decoded->kem; |
1162 | 0 | ech->cipher = decoded->cipher; |
1163 | 0 | random_bytes(ech->inner_client_random, PTLS_HELLO_RANDOM_SIZE); |
1164 | 0 | ech->client.max_name_length = decoded->max_name_length; |
1165 | 0 | if ((ech->client.public_name = duplicate_as_str(decoded->public_name.base, decoded->public_name.len)) == NULL) { |
1166 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1167 | 0 | goto Exit; |
1168 | 0 | } |
1169 | | |
1170 | 0 | Exit: |
1171 | 0 | if (ret != 0) |
1172 | 0 | clear_ech(ech, 0); |
1173 | 0 | return ret; |
1174 | 0 | } |
1175 | | |
1176 | | static void client_setup_ech_grease(struct st_ptls_ech_t *ech, void (*random_bytes)(void *, size_t), ptls_hpke_kem_t **kems, |
1177 | | ptls_hpke_cipher_suite_t **ciphers, const char *sni_name) |
1178 | 0 | { |
1179 | 0 | static const size_t x25519_key_size = 32; |
1180 | 0 | uint8_t random_secret[PTLS_AES128_KEY_SIZE + PTLS_AES_IV_SIZE]; |
1181 | | |
1182 | | /* pick up X25519, AES-128-GCM or bail out */ |
1183 | 0 | for (size_t i = 0; kems[i] != NULL; ++i) { |
1184 | 0 | if (kems[i]->id == PTLS_HPKE_KEM_X25519_SHA256) { |
1185 | 0 | ech->kem = kems[i]; |
1186 | 0 | break; |
1187 | 0 | } |
1188 | 0 | } |
1189 | 0 | for (size_t i = 0; ciphers[i] != NULL; ++i) { |
1190 | 0 | if (ciphers[i]->id.kdf == PTLS_HPKE_HKDF_SHA256 && ciphers[i]->id.aead == PTLS_HPKE_AEAD_AES_128_GCM) { |
1191 | 0 | ech->cipher = ciphers[i]; |
1192 | 0 | break; |
1193 | 0 | } |
1194 | 0 | } |
1195 | 0 | if (ech->kem == NULL || ech->cipher == NULL) |
1196 | 0 | goto Fail; |
1197 | | |
1198 | | /* aead is generated from random */ |
1199 | 0 | random_bytes(random_secret, sizeof(random_secret)); |
1200 | 0 | ech->aead = ptls_aead_new_direct(ech->cipher->aead, 1, random_secret, random_secret + PTLS_AES128_KEY_SIZE); |
1201 | | |
1202 | | /* `enc` is random bytes */ |
1203 | 0 | if ((ech->client.enc.base = malloc(x25519_key_size)) == NULL) |
1204 | 0 | goto Fail; |
1205 | 0 | ech->client.enc.len = x25519_key_size; |
1206 | 0 | random_bytes(ech->client.enc.base, ech->client.enc.len); |
1207 | | |
1208 | | /* setup the rest (inner_client_random is left zeros) */ |
1209 | 0 | random_bytes(&ech->config_id, sizeof(ech->config_id)); |
1210 | 0 | ech->client.max_name_length = 64; |
1211 | 0 | if ((ech->client.public_name = duplicate_as_str(sni_name, strlen(sni_name))) == NULL) |
1212 | 0 | goto Fail; |
1213 | | |
1214 | 0 | return; |
1215 | | |
1216 | 0 | Fail: |
1217 | 0 | clear_ech(ech, 0); |
1218 | 0 | } |
1219 | | |
1220 | 0 | #define ECH_CONFIRMATION_SERVER_HELLO "ech accept confirmation" |
1221 | 0 | #define ECH_CONFIRMATION_HRR "hrr ech accept confirmation" |
1222 | | static int ech_calc_confirmation(ptls_key_schedule_t *sched, void *dst, const uint8_t *inner_random, const char *label, |
1223 | | ptls_iovec_t message) |
1224 | 0 | { |
1225 | 0 | ptls_hash_context_t *hash = NULL; |
1226 | 0 | uint8_t secret[PTLS_MAX_DIGEST_SIZE], transcript_hash[PTLS_MAX_DIGEST_SIZE]; |
1227 | 0 | int ret; |
1228 | | |
1229 | | /* calc transcript hash using the modified ServerHello / HRR */ |
1230 | 0 | if ((hash = sched->hashes[0].ctx->clone_(sched->hashes[0].ctx)) == NULL) { |
1231 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1232 | 0 | goto Exit; |
1233 | 0 | } |
1234 | 0 | hash->update(hash, message.base, message.len); |
1235 | 0 | hash->final(hash, transcript_hash, PTLS_HASH_FINAL_MODE_FREE); |
1236 | 0 | hash = NULL; |
1237 | | |
1238 | | /* HKDF extract and expand */ |
1239 | 0 | if ((ret = ptls_hkdf_extract(sched->hashes[0].algo, secret, ptls_iovec_init(NULL, 0), |
1240 | 0 | ptls_iovec_init(inner_random, PTLS_HELLO_RANDOM_SIZE))) != 0) |
1241 | 0 | goto Exit; |
1242 | 0 | if ((ret = ptls_hkdf_expand_label(sched->hashes[0].algo, dst, 8, ptls_iovec_init(secret, sched->hashes[0].algo->digest_size), |
1243 | 0 | label, ptls_iovec_init(transcript_hash, sched->hashes[0].algo->digest_size), NULL)) != 0) |
1244 | 0 | goto Exit; |
1245 | | |
1246 | 0 | Exit: |
1247 | 0 | ptls_clear_memory(secret, sizeof(secret)); |
1248 | 0 | ptls_clear_memory(transcript_hash, sizeof(transcript_hash)); |
1249 | 0 | if (hash != NULL) |
1250 | 0 | hash->final(hash, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1251 | 0 | return ret; |
1252 | 0 | } |
1253 | | |
1254 | | static void key_schedule_free(ptls_key_schedule_t *sched) |
1255 | 2.09k | { |
1256 | 2.09k | size_t i; |
1257 | 2.09k | ptls_clear_memory(sched->secret, sizeof(sched->secret)); |
1258 | 4.18k | for (i = 0; i != sched->num_hashes; ++i) { |
1259 | 2.09k | sched->hashes[i].ctx->final(sched->hashes[i].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1260 | 2.09k | if (sched->hashes[i].ctx_outer != NULL) |
1261 | 0 | sched->hashes[i].ctx_outer->final(sched->hashes[i].ctx_outer, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1262 | 2.09k | } |
1263 | 2.09k | free(sched); |
1264 | 2.09k | } |
1265 | | |
1266 | | static ptls_key_schedule_t *key_schedule_new(ptls_cipher_suite_t *preferred, ptls_cipher_suite_t **offered, int use_outer) |
1267 | 2.09k | { |
1268 | 2.09k | #define FOREACH_HASH(block) \ |
1269 | 4.18k | do { \ |
1270 | 4.18k | ptls_cipher_suite_t *cs; \ |
1271 | 4.18k | if ((cs = preferred) != NULL) { \ |
1272 | 0 | block \ |
1273 | 0 | } \ |
1274 | 4.18k | if (offered != NULL) { \ |
1275 | 4.18k | size_t i, j; \ |
1276 | 8.37k | for (i = 0; (cs = offered[i]) != NULL; ++i) { \ |
1277 | 4.18k | if (preferred == NULL || cs->hash != preferred->hash) { \ |
1278 | 4.18k | for (j = 0; j != i; ++j) \ |
1279 | 4.18k | if (cs->hash == offered[j]->hash) \ |
1280 | 0 | break; \ |
1281 | 4.18k | if (j == i) { \ |
1282 | 6.28k | block \ |
1283 | 4.18k | } \ |
1284 | 4.18k | } \ |
1285 | 4.18k | } \ |
1286 | 4.18k | } \ |
1287 | 4.18k | } while (0) |
1288 | | |
1289 | 2.09k | ptls_key_schedule_t *sched; |
1290 | | |
1291 | 2.09k | { /* allocate */ |
1292 | 2.09k | size_t num_hashes = 0; |
1293 | 2.09k | FOREACH_HASH({ ++num_hashes; }); |
1294 | 2.09k | if ((sched = malloc(offsetof(ptls_key_schedule_t, hashes) + sizeof(sched->hashes[0]) * num_hashes)) == NULL) |
1295 | 0 | return NULL; |
1296 | 2.09k | *sched = (ptls_key_schedule_t){0}; |
1297 | 2.09k | } |
1298 | | |
1299 | | /* setup the hash algos and contexts */ |
1300 | 2.09k | FOREACH_HASH({ |
1301 | 2.09k | sched->hashes[sched->num_hashes].algo = cs->hash; |
1302 | 2.09k | if ((sched->hashes[sched->num_hashes].ctx = cs->hash->create()) == NULL) |
1303 | 2.09k | goto Fail; |
1304 | 2.09k | if (use_outer) { |
1305 | 2.09k | if ((sched->hashes[sched->num_hashes].ctx_outer = cs->hash->create()) == NULL) |
1306 | 2.09k | goto Fail; |
1307 | 2.09k | } else { |
1308 | 2.09k | sched->hashes[sched->num_hashes].ctx_outer = NULL; |
1309 | 2.09k | } |
1310 | 2.09k | ++sched->num_hashes; |
1311 | 2.09k | }); |
1312 | | |
1313 | 2.09k | return sched; |
1314 | 0 | Fail: |
1315 | 0 | key_schedule_free(sched); |
1316 | 0 | return NULL; |
1317 | | |
1318 | 2.09k | #undef FOREACH_HASH |
1319 | 2.09k | } |
1320 | | |
1321 | | static int key_schedule_extract(ptls_key_schedule_t *sched, ptls_iovec_t ikm) |
1322 | 3.10k | { |
1323 | 3.10k | int ret; |
1324 | | |
1325 | 3.10k | if (ikm.base == NULL) |
1326 | 2.09k | ikm = ptls_iovec_init(zeroes_of_max_digest_size, sched->hashes[0].algo->digest_size); |
1327 | | |
1328 | 3.10k | if (sched->generation != 0 && |
1329 | 3.10k | (ret = ptls_hkdf_expand_label(sched->hashes[0].algo, sched->secret, sched->hashes[0].algo->digest_size, |
1330 | 1.01k | ptls_iovec_init(sched->secret, sched->hashes[0].algo->digest_size), "derived", |
1331 | 1.01k | ptls_iovec_init(sched->hashes[0].algo->empty_digest, sched->hashes[0].algo->digest_size), |
1332 | 1.01k | NULL)) != 0) |
1333 | 0 | return ret; |
1334 | | |
1335 | 3.10k | ++sched->generation; |
1336 | 3.10k | ret = ptls_hkdf_extract(sched->hashes[0].algo, sched->secret, |
1337 | 3.10k | ptls_iovec_init(sched->secret, sched->hashes[0].algo->digest_size), ikm); |
1338 | 3.10k | PTLS_DEBUGF("%s: %u, %02x%02x\n", __FUNCTION__, sched->generation, (int)sched->secret[0], (int)sched->secret[1]); |
1339 | 3.10k | return ret; |
1340 | 3.10k | } |
1341 | | |
1342 | | static int key_schedule_select_cipher(ptls_key_schedule_t *sched, ptls_cipher_suite_t *cs, int reset, ptls_iovec_t reset_ikm) |
1343 | 41.6k | { |
1344 | 41.6k | size_t found_slot = SIZE_MAX, i; |
1345 | 41.6k | int ret; |
1346 | | |
1347 | 41.6k | assert(sched->generation == 1); |
1348 | | |
1349 | | /* find the one, while freeing others */ |
1350 | 83.2k | for (i = 0; i != sched->num_hashes; ++i) { |
1351 | 41.6k | if (sched->hashes[i].algo == cs->hash) { |
1352 | 41.6k | assert(found_slot == SIZE_MAX); |
1353 | 41.6k | found_slot = i; |
1354 | 41.6k | } else { |
1355 | 0 | sched->hashes[i].ctx->final(sched->hashes[i].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1356 | 0 | if (sched->hashes[i].ctx_outer != NULL) |
1357 | 0 | sched->hashes[i].ctx_outer->final(sched->hashes[i].ctx_outer, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1358 | 0 | } |
1359 | 41.6k | } |
1360 | 41.6k | if (found_slot != 0) { |
1361 | 0 | sched->hashes[0] = sched->hashes[found_slot]; |
1362 | 0 | reset = 1; |
1363 | 0 | } |
1364 | 41.6k | sched->num_hashes = 1; |
1365 | | |
1366 | | /* recalculate the hash if a different hash as been selected than the one we used for calculating the early secrets */ |
1367 | 41.6k | if (reset) { |
1368 | 0 | --sched->generation; |
1369 | 0 | memset(sched->secret, 0, sizeof(sched->secret)); |
1370 | 0 | if ((ret = key_schedule_extract(sched, reset_ikm)) != 0) |
1371 | 0 | goto Exit; |
1372 | 0 | } |
1373 | | |
1374 | 41.6k | ret = 0; |
1375 | 41.6k | Exit: |
1376 | 41.6k | return ret; |
1377 | 41.6k | } |
1378 | | |
1379 | | static void key_schedule_select_outer(ptls_key_schedule_t *sched) |
1380 | 0 | { |
1381 | | /* This function is called when receiving a cleartext message (Server Hello), after the cipher-suite is determined (and hence |
1382 | | * the hash also), if ECH was offered */ |
1383 | 0 | assert(sched->generation == 1); |
1384 | 0 | assert(sched->num_hashes == 1); |
1385 | 0 | assert(sched->hashes[0].ctx_outer != NULL); |
1386 | | |
1387 | 0 | sched->hashes[0].ctx->final(sched->hashes[0].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1388 | 0 | sched->hashes[0].ctx = sched->hashes[0].ctx_outer; |
1389 | 0 | sched->hashes[0].ctx_outer = NULL; |
1390 | 0 | } |
1391 | | |
1392 | | void ptls__key_schedule_update_hash(ptls_key_schedule_t *sched, const uint8_t *msg, size_t msglen, int use_outer) |
1393 | 85.0k | { |
1394 | 85.0k | size_t i; |
1395 | | |
1396 | 85.0k | PTLS_DEBUGF("%s:%p:len=%zu\n", __FUNCTION__, sched, msglen); |
1397 | 170k | for (i = 0; i != sched->num_hashes; ++i) { |
1398 | 85.0k | ptls_hash_context_t *ctx = use_outer ? sched->hashes[i].ctx_outer : sched->hashes[i].ctx; |
1399 | 85.0k | ctx->update(ctx, msg, msglen); |
1400 | | #if defined(PTLS_DEBUG) && PTLS_DEBUG |
1401 | | { |
1402 | | uint8_t digest[PTLS_MAX_DIGEST_SIZE]; |
1403 | | ctx->final(ctx, digest, PTLS_HASH_FINAL_MODE_SNAPSHOT); |
1404 | | PTLS_DEBUGF(" %zu: %02x%02x%02x%02x\n", i, digest[0], digest[1], digest[2], digest[3]); |
1405 | | } |
1406 | | #endif |
1407 | 85.0k | } |
1408 | 85.0k | } |
1409 | | |
1410 | | static void key_schedule_update_ch1hash_prefix(ptls_key_schedule_t *sched) |
1411 | 0 | { |
1412 | 0 | uint8_t prefix[4] = {PTLS_HANDSHAKE_TYPE_MESSAGE_HASH, 0, 0, (uint8_t)sched->hashes[0].algo->digest_size}; |
1413 | 0 | ptls__key_schedule_update_hash(sched, prefix, sizeof(prefix), 0); |
1414 | 0 | } |
1415 | | |
1416 | | static void key_schedule_extract_ch1hash(ptls_key_schedule_t *sched, uint8_t *hash) |
1417 | 0 | { |
1418 | 0 | assert(sched->hashes[0].ctx_outer == NULL); |
1419 | 0 | sched->hashes[0].ctx->final(sched->hashes[0].ctx, hash, PTLS_HASH_FINAL_MODE_RESET); |
1420 | 0 | } |
1421 | | |
1422 | | static void key_schedule_transform_post_ch1hash(ptls_key_schedule_t *sched) |
1423 | 40.6k | { |
1424 | 40.6k | size_t digest_size = sched->hashes[0].algo->digest_size; |
1425 | 40.6k | ptls_hash_context_t *hashes[3] = {sched->hashes[0].ctx, sched->hashes[0].ctx_outer, NULL}; |
1426 | 40.6k | uint8_t ch1hash[PTLS_MAX_DIGEST_SIZE]; |
1427 | 40.6k | uint8_t prefix[4] = {PTLS_HANDSHAKE_TYPE_MESSAGE_HASH, 0, 0, (uint8_t)digest_size}; |
1428 | | |
1429 | 81.2k | for (size_t i = 0; hashes[i] != NULL; ++i) { |
1430 | 40.6k | hashes[i]->final(hashes[i], ch1hash, PTLS_HASH_FINAL_MODE_RESET); |
1431 | 40.6k | hashes[i]->update(hashes[i], prefix, sizeof(prefix)); |
1432 | 40.6k | hashes[i]->update(hashes[i], ch1hash, digest_size); |
1433 | 40.6k | } |
1434 | | |
1435 | 40.6k | ptls_clear_memory(ch1hash, sizeof(ch1hash)); |
1436 | 40.6k | } |
1437 | | |
1438 | | static int derive_secret_with_hash(ptls_key_schedule_t *sched, void *secret, const char *label, const uint8_t *hash) |
1439 | 2.02k | { |
1440 | 2.02k | int ret = ptls_hkdf_expand_label(sched->hashes[0].algo, secret, sched->hashes[0].algo->digest_size, |
1441 | 2.02k | ptls_iovec_init(sched->secret, sched->hashes[0].algo->digest_size), label, |
1442 | 2.02k | ptls_iovec_init(hash, sched->hashes[0].algo->digest_size), NULL); |
1443 | 2.02k | PTLS_DEBUGF("%s: (label=%s, hash=%02x%02x) => %02x%02x\n", __FUNCTION__, label, hash[0], hash[1], ((uint8_t *)secret)[0], |
1444 | 2.02k | ((uint8_t *)secret)[1]); |
1445 | 2.02k | return ret; |
1446 | 2.02k | } |
1447 | | |
1448 | | static int derive_secret(ptls_key_schedule_t *sched, void *secret, const char *label) |
1449 | 2.02k | { |
1450 | 2.02k | uint8_t hash_value[PTLS_MAX_DIGEST_SIZE]; |
1451 | | |
1452 | 2.02k | sched->hashes[0].ctx->final(sched->hashes[0].ctx, hash_value, PTLS_HASH_FINAL_MODE_SNAPSHOT); |
1453 | 2.02k | int ret = derive_secret_with_hash(sched, secret, label, hash_value); |
1454 | 2.02k | ptls_clear_memory(hash_value, sizeof(hash_value)); |
1455 | 2.02k | return ret; |
1456 | 2.02k | } |
1457 | | |
1458 | | static int derive_secret_with_empty_digest(ptls_key_schedule_t *sched, void *secret, const char *label) |
1459 | 0 | { |
1460 | 0 | return derive_secret_with_hash(sched, secret, label, sched->hashes[0].algo->empty_digest); |
1461 | 0 | } |
1462 | | |
1463 | | static int derive_exporter_secret(ptls_t *tls, int is_early) |
1464 | 0 | { |
1465 | 0 | int ret; |
1466 | |
|
1467 | 0 | if (!tls->ctx->use_exporter) |
1468 | 0 | return 0; |
1469 | | |
1470 | 0 | uint8_t **slot = is_early ? &tls->exporter_master_secret.early : &tls->exporter_master_secret.one_rtt; |
1471 | 0 | assert(*slot == NULL); |
1472 | 0 | if ((*slot = malloc(tls->key_schedule->hashes[0].algo->digest_size)) == NULL) |
1473 | 0 | return PTLS_ERROR_NO_MEMORY; |
1474 | | |
1475 | 0 | if ((ret = derive_secret(tls->key_schedule, *slot, is_early ? "e exp master" : "exp master")) != 0) |
1476 | 0 | return ret; |
1477 | | |
1478 | 0 | log_secret(tls, is_early ? "EARLY_EXPORTER_SECRET" : "EXPORTER_SECRET", |
1479 | 0 | ptls_iovec_init(*slot, tls->key_schedule->hashes[0].algo->digest_size)); |
1480 | |
|
1481 | 0 | return 0; |
1482 | 0 | } |
1483 | | |
1484 | | static void free_exporter_master_secret(ptls_t *tls, int is_early) |
1485 | 4.18k | { |
1486 | 4.18k | uint8_t *slot = is_early ? tls->exporter_master_secret.early : tls->exporter_master_secret.one_rtt; |
1487 | 4.18k | if (slot == NULL) |
1488 | 4.18k | return; |
1489 | 0 | assert(tls->key_schedule != NULL); |
1490 | 0 | ptls_clear_memory(slot, tls->key_schedule->hashes[0].algo->digest_size); |
1491 | 0 | free(slot); |
1492 | 0 | } |
1493 | | |
1494 | | static int derive_resumption_secret(ptls_key_schedule_t *sched, uint8_t *secret, ptls_iovec_t nonce) |
1495 | 0 | { |
1496 | 0 | int ret; |
1497 | |
|
1498 | 0 | if ((ret = derive_secret(sched, secret, "res master")) != 0) |
1499 | 0 | goto Exit; |
1500 | 0 | if ((ret = ptls_hkdf_expand_label(sched->hashes[0].algo, secret, sched->hashes[0].algo->digest_size, |
1501 | 0 | ptls_iovec_init(secret, sched->hashes[0].algo->digest_size), "resumption", nonce, NULL)) != 0) |
1502 | 0 | goto Exit; |
1503 | | |
1504 | 0 | Exit: |
1505 | 0 | if (ret != 0) |
1506 | 0 | ptls_clear_memory(secret, sched->hashes[0].algo->digest_size); |
1507 | 0 | return ret; |
1508 | 0 | } |
1509 | | |
1510 | | static int decode_new_session_ticket(ptls_t *tls, uint32_t *lifetime, uint32_t *age_add, ptls_iovec_t *nonce, ptls_iovec_t *ticket, |
1511 | | uint32_t *max_early_data_size, const uint8_t *src, const uint8_t *const end) |
1512 | 0 | { |
1513 | 0 | uint16_t exttype; |
1514 | 0 | int ret; |
1515 | |
|
1516 | 0 | if ((ret = ptls_decode32(lifetime, &src, end)) != 0) |
1517 | 0 | goto Exit; |
1518 | 0 | if ((ret = ptls_decode32(age_add, &src, end)) != 0) |
1519 | 0 | goto Exit; |
1520 | 0 | ptls_decode_open_block(src, end, 1, { |
1521 | 0 | *nonce = ptls_iovec_init(src, end - src); |
1522 | 0 | src = end; |
1523 | 0 | }); |
1524 | 0 | ptls_decode_open_block(src, end, 2, { |
1525 | 0 | if (src == end) { |
1526 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
1527 | 0 | goto Exit; |
1528 | 0 | } |
1529 | 0 | *ticket = ptls_iovec_init(src, end - src); |
1530 | 0 | src = end; |
1531 | 0 | }); |
1532 | | |
1533 | 0 | *max_early_data_size = 0; |
1534 | 0 | decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET, &exttype, { |
1535 | 0 | if (tls->ctx->on_extension != NULL && |
1536 | 0 | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET, exttype, |
1537 | 0 | ptls_iovec_init(src, end - src)) != 0)) |
1538 | 0 | goto Exit; |
1539 | 0 | switch (exttype) { |
1540 | 0 | case PTLS_EXTENSION_TYPE_EARLY_DATA: |
1541 | 0 | if ((ret = ptls_decode32(max_early_data_size, &src, end)) != 0) |
1542 | 0 | goto Exit; |
1543 | 0 | break; |
1544 | 0 | default: |
1545 | 0 | src = end; |
1546 | 0 | break; |
1547 | 0 | } |
1548 | 0 | }); |
1549 | | |
1550 | 0 | ret = 0; |
1551 | 0 | Exit: |
1552 | 0 | return ret; |
1553 | 0 | } |
1554 | | |
1555 | | static int decode_stored_session_ticket(ptls_t *tls, ptls_key_exchange_algorithm_t **key_share, ptls_cipher_suite_t **cs, |
1556 | | ptls_iovec_t *secret, uint32_t *obfuscated_ticket_age, ptls_iovec_t *ticket, |
1557 | | uint32_t *max_early_data_size, const uint8_t *src, const uint8_t *const end) |
1558 | 0 | { |
1559 | 0 | uint16_t kxid, csid; |
1560 | 0 | uint32_t lifetime, age_add; |
1561 | 0 | uint64_t obtained_at, now; |
1562 | 0 | ptls_iovec_t nonce; |
1563 | 0 | int ret; |
1564 | | |
1565 | | /* decode */ |
1566 | 0 | if ((ret = ptls_decode64(&obtained_at, &src, end)) != 0) |
1567 | 0 | goto Exit; |
1568 | 0 | if ((ret = ptls_decode16(&kxid, &src, end)) != 0) |
1569 | 0 | goto Exit; |
1570 | 0 | if ((ret = ptls_decode16(&csid, &src, end)) != 0) |
1571 | 0 | goto Exit; |
1572 | 0 | ptls_decode_open_block(src, end, 3, { |
1573 | 0 | if ((ret = decode_new_session_ticket(tls, &lifetime, &age_add, &nonce, ticket, max_early_data_size, src, end)) != 0) |
1574 | 0 | goto Exit; |
1575 | 0 | src = end; |
1576 | 0 | }); |
1577 | 0 | ptls_decode_block(src, end, 2, { |
1578 | 0 | *secret = ptls_iovec_init(src, end - src); |
1579 | 0 | src = end; |
1580 | 0 | }); |
1581 | | |
1582 | 0 | { /* determine the key-exchange */ |
1583 | 0 | ptls_key_exchange_algorithm_t **cand; |
1584 | 0 | for (cand = tls->ctx->key_exchanges; *cand != NULL; ++cand) |
1585 | 0 | if ((*cand)->id == kxid) |
1586 | 0 | break; |
1587 | 0 | if (*cand == NULL) { |
1588 | 0 | ret = PTLS_ERROR_LIBRARY; |
1589 | 0 | goto Exit; |
1590 | 0 | } |
1591 | 0 | *key_share = *cand; |
1592 | 0 | } |
1593 | | |
1594 | 0 | { /* determine the cipher-suite */ |
1595 | 0 | ptls_cipher_suite_t **cand; |
1596 | 0 | for (cand = tls->ctx->cipher_suites; *cand != NULL; ++cand) |
1597 | 0 | if ((*cand)->id == csid) |
1598 | 0 | break; |
1599 | 0 | if (*cand == NULL) { |
1600 | 0 | ret = PTLS_ERROR_LIBRARY; |
1601 | 0 | goto Exit; |
1602 | 0 | } |
1603 | 0 | *cs = *cand; |
1604 | 0 | } |
1605 | | |
1606 | | /* calculate obfuscated_ticket_age */ |
1607 | 0 | now = tls->ctx->get_time->cb(tls->ctx->get_time); |
1608 | 0 | if (!(obtained_at <= now && now - obtained_at < 7 * 86400 * 1000)) { |
1609 | 0 | ret = PTLS_ERROR_LIBRARY; |
1610 | 0 | goto Exit; |
1611 | 0 | } |
1612 | 0 | *obfuscated_ticket_age = (uint32_t)(now - obtained_at) + age_add; |
1613 | |
|
1614 | 0 | ret = 0; |
1615 | 0 | Exit: |
1616 | 0 | return ret; |
1617 | 0 | } |
1618 | | |
1619 | | static int get_traffic_key(ptls_hash_algorithm_t *algo, void *key, size_t key_size, int is_iv, const void *secret, |
1620 | | ptls_iovec_t hash_value, const char *label_prefix) |
1621 | 4.04k | { |
1622 | 4.04k | return ptls_hkdf_expand_label(algo, key, key_size, ptls_iovec_init(secret, algo->digest_size), is_iv ? "iv" : "key", hash_value, |
1623 | 4.04k | label_prefix); |
1624 | 4.04k | } |
1625 | | |
1626 | | static int get_traffic_keys(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, void *key, void *iv, const void *secret, |
1627 | | ptls_iovec_t hash_value, const char *label_prefix) |
1628 | 2.02k | { |
1629 | 2.02k | int ret; |
1630 | | |
1631 | 2.02k | if ((ret = get_traffic_key(hash, key, aead->key_size, 0, secret, hash_value, label_prefix)) != 0 || |
1632 | 2.02k | (ret = get_traffic_key(hash, iv, aead->iv_size, 1, secret, hash_value, label_prefix)) != 0) { |
1633 | 0 | ptls_clear_memory(key, aead->key_size); |
1634 | 0 | ptls_clear_memory(iv, aead->iv_size); |
1635 | 0 | } |
1636 | | |
1637 | 2.02k | return ret; |
1638 | 2.02k | } |
1639 | | |
1640 | | static int setup_traffic_protection(ptls_t *tls, int is_enc, const char *secret_label, size_t epoch, uint64_t seq, int skip_notify) |
1641 | 2.02k | { |
1642 | 2.02k | static const char *log_labels[2][4] = { |
1643 | 2.02k | {NULL, "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0"}, |
1644 | 2.02k | {NULL, NULL, "SERVER_HANDSHAKE_TRAFFIC_SECRET", "SERVER_TRAFFIC_SECRET_0"}}; |
1645 | 2.02k | struct st_ptls_traffic_protection_t *ctx = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
1646 | | |
1647 | 2.02k | if (secret_label != NULL) { |
1648 | 2.02k | int ret; |
1649 | 2.02k | if ((ret = derive_secret(tls->key_schedule, ctx->secret, secret_label)) != 0) |
1650 | 0 | return ret; |
1651 | 2.02k | } |
1652 | | |
1653 | 2.02k | ctx->epoch = epoch; |
1654 | | |
1655 | 2.02k | log_secret(tls, log_labels[ptls_is_server(tls) == is_enc][epoch], |
1656 | 2.02k | ptls_iovec_init(ctx->secret, tls->key_schedule->hashes[0].algo->digest_size)); |
1657 | | |
1658 | | /* special path for applications having their own record layer */ |
1659 | 2.02k | if (tls->ctx->update_traffic_key != NULL) { |
1660 | 0 | if (skip_notify) |
1661 | 0 | return 0; |
1662 | 0 | return tls->ctx->update_traffic_key->cb(tls->ctx->update_traffic_key, tls, is_enc, epoch, ctx->secret); |
1663 | 0 | } |
1664 | | |
1665 | 2.02k | if (ctx->aead != NULL) |
1666 | 0 | ptls_aead_free(ctx->aead); |
1667 | 2.02k | if ((ctx->aead = ptls_aead_new(tls->cipher_suite->aead, tls->cipher_suite->hash, is_enc, ctx->secret, |
1668 | 2.02k | tls->ctx->hkdf_label_prefix__obsolete)) == NULL) |
1669 | 0 | return PTLS_ERROR_NO_MEMORY; /* TODO obtain error from ptls_aead_new */ |
1670 | 2.02k | ctx->seq = seq; |
1671 | | |
1672 | | #if defined(PTLS_DEBUG) && PTLS_DEBUG |
1673 | | { |
1674 | | uint8_t static_iv[PTLS_MAX_IV_SIZE]; |
1675 | | ptls_aead_get_iv(ctx->aead, static_iv); |
1676 | | PTLS_DEBUGF("[%s] %02x%02x,%02x%02x\n", log_labels[ptls_is_server(tls)][epoch], (unsigned)ctx->secret[0], |
1677 | | (unsigned)ctx->secret[1], static_iv[0], static_iv[1]); |
1678 | | } |
1679 | | #endif |
1680 | | |
1681 | 2.02k | return 0; |
1682 | 2.02k | } |
1683 | | |
1684 | | static int commission_handshake_secret(ptls_t *tls) |
1685 | 0 | { |
1686 | 0 | int is_enc = !ptls_is_server(tls); |
1687 | |
|
1688 | 0 | assert(tls->pending_handshake_secret != NULL); |
1689 | 0 | memcpy((is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec)->secret, tls->pending_handshake_secret, |
1690 | 0 | PTLS_MAX_DIGEST_SIZE); |
1691 | 0 | ptls_clear_memory(tls->pending_handshake_secret, PTLS_MAX_DIGEST_SIZE); |
1692 | 0 | free(tls->pending_handshake_secret); |
1693 | 0 | tls->pending_handshake_secret = NULL; |
1694 | |
|
1695 | 0 | return setup_traffic_protection(tls, is_enc, NULL, 2, 0, 1); |
1696 | 0 | } |
1697 | | |
1698 | | static void log_client_random(ptls_t *tls) |
1699 | 2.09k | { |
1700 | | #if PICOTLS_USE_DTRACE |
1701 | | char buf[sizeof(tls->client_random) * 2 + 1]; |
1702 | | #endif |
1703 | | |
1704 | 2.09k | PTLS_PROBE(CLIENT_RANDOM, tls, ptls_hexdump(buf, tls->client_random, sizeof(tls->client_random))); |
1705 | 2.09k | PTLS_LOG_CONN(client_random, tls, { PTLS_LOG_ELEMENT_HEXDUMP(bytes, tls->client_random, sizeof(tls->client_random)); }); |
1706 | 2.09k | } |
1707 | | |
1708 | | #define SESSION_IDENTIFIER_MAGIC "ptls0001" /* the number should be changed upon incompatible format change */ |
1709 | | #define SESSION_IDENTIFIER_MAGIC_SIZE (sizeof(SESSION_IDENTIFIER_MAGIC) - 1) |
1710 | | |
1711 | | static int encode_session_identifier(ptls_context_t *ctx, ptls_buffer_t *buf, uint32_t ticket_age_add, ptls_iovec_t ticket_nonce, |
1712 | | ptls_key_schedule_t *sched, const char *server_name, uint16_t key_exchange_id, uint16_t csid, |
1713 | | const char *negotiated_protocol) |
1714 | 0 | { |
1715 | 0 | int ret = 0; |
1716 | |
|
1717 | 0 | ptls_buffer_push_block(buf, 2, { |
1718 | | /* format id */ |
1719 | 0 | ptls_buffer_pushv(buf, SESSION_IDENTIFIER_MAGIC, SESSION_IDENTIFIER_MAGIC_SIZE); |
1720 | | /* date */ |
1721 | 0 | ptls_buffer_push64(buf, ctx->get_time->cb(ctx->get_time)); |
1722 | | /* resumption master secret */ |
1723 | 0 | ptls_buffer_push_block(buf, 2, { |
1724 | 0 | if ((ret = ptls_buffer_reserve(buf, sched->hashes[0].algo->digest_size)) != 0) |
1725 | 0 | goto Exit; |
1726 | 0 | if ((ret = derive_resumption_secret(sched, buf->base + buf->off, ticket_nonce)) != 0) |
1727 | 0 | goto Exit; |
1728 | 0 | buf->off += sched->hashes[0].algo->digest_size; |
1729 | 0 | }); |
1730 | | /* key-exchange */ |
1731 | 0 | ptls_buffer_push16(buf, key_exchange_id); |
1732 | | /* cipher-suite */ |
1733 | 0 | ptls_buffer_push16(buf, csid); |
1734 | | /* ticket_age_add */ |
1735 | 0 | ptls_buffer_push32(buf, ticket_age_add); |
1736 | | /* session ID context */ |
1737 | 0 | ptls_buffer_push_block(buf, 2, { |
1738 | 0 | if (ctx->ticket_context.is_set) { |
1739 | 0 | ptls_buffer_pushv(buf, ctx->ticket_context.bytes, sizeof(ctx->ticket_context.bytes)); |
1740 | 0 | } else if (server_name != NULL) { |
1741 | 0 | ptls_buffer_pushv(buf, server_name, strlen(server_name)); |
1742 | 0 | } |
1743 | 0 | }); |
1744 | | /* alpn */ |
1745 | 0 | ptls_buffer_push_block(buf, 1, { |
1746 | 0 | if (negotiated_protocol != NULL) |
1747 | 0 | ptls_buffer_pushv(buf, negotiated_protocol, strlen(negotiated_protocol)); |
1748 | 0 | }); |
1749 | 0 | }); |
1750 | | |
1751 | 0 | Exit: |
1752 | 0 | return ret; |
1753 | 0 | } |
1754 | | |
1755 | | int decode_session_identifier(uint64_t *issued_at, ptls_iovec_t *psk, uint32_t *ticket_age_add, ptls_iovec_t *ticket_ctx, |
1756 | | uint16_t *key_exchange_id, uint16_t *csid, ptls_iovec_t *negotiated_protocol, const uint8_t *src, |
1757 | | const uint8_t *const end) |
1758 | 0 | { |
1759 | 0 | int ret = 0; |
1760 | |
|
1761 | 0 | ptls_decode_block(src, end, 2, { |
1762 | 0 | if (end - src < SESSION_IDENTIFIER_MAGIC_SIZE || |
1763 | 0 | memcmp(src, SESSION_IDENTIFIER_MAGIC, SESSION_IDENTIFIER_MAGIC_SIZE) != 0) { |
1764 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
1765 | 0 | goto Exit; |
1766 | 0 | } |
1767 | 0 | src += SESSION_IDENTIFIER_MAGIC_SIZE; |
1768 | 0 | if ((ret = ptls_decode64(issued_at, &src, end)) != 0) |
1769 | 0 | goto Exit; |
1770 | 0 | ptls_decode_open_block(src, end, 2, { |
1771 | 0 | *psk = ptls_iovec_init(src, end - src); |
1772 | 0 | src = end; |
1773 | 0 | }); |
1774 | 0 | if ((ret = ptls_decode16(key_exchange_id, &src, end)) != 0) |
1775 | 0 | goto Exit; |
1776 | 0 | if ((ret = ptls_decode16(csid, &src, end)) != 0) |
1777 | 0 | goto Exit; |
1778 | 0 | if ((ret = ptls_decode32(ticket_age_add, &src, end)) != 0) |
1779 | 0 | goto Exit; |
1780 | 0 | ptls_decode_open_block(src, end, 2, { |
1781 | 0 | *ticket_ctx = ptls_iovec_init(src, end - src); |
1782 | 0 | src = end; |
1783 | 0 | }); |
1784 | 0 | ptls_decode_open_block(src, end, 1, { |
1785 | 0 | *negotiated_protocol = ptls_iovec_init(src, end - src); |
1786 | 0 | src = end; |
1787 | 0 | }); |
1788 | 0 | }); |
1789 | | |
1790 | 0 | Exit: |
1791 | 0 | return ret; |
1792 | 0 | } |
1793 | | |
1794 | | static size_t build_certificate_verify_signdata(uint8_t *data, ptls_key_schedule_t *sched, const char *context_string) |
1795 | 30 | { |
1796 | 30 | size_t datalen = 0; |
1797 | | |
1798 | 30 | memset(data + datalen, 32, 64); |
1799 | 30 | datalen += 64; |
1800 | 30 | memcpy(data + datalen, context_string, strlen(context_string) + 1); |
1801 | 30 | datalen += strlen(context_string) + 1; |
1802 | 30 | sched->hashes[0].ctx->final(sched->hashes[0].ctx, data + datalen, PTLS_HASH_FINAL_MODE_SNAPSHOT); |
1803 | 30 | datalen += sched->hashes[0].algo->digest_size; |
1804 | 30 | assert(datalen <= PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE); |
1805 | | |
1806 | 30 | return datalen; |
1807 | 30 | } |
1808 | | |
1809 | | static int calc_verify_data(void *output, ptls_key_schedule_t *sched, const void *secret) |
1810 | 11 | { |
1811 | 11 | ptls_hash_context_t *hmac; |
1812 | 11 | uint8_t digest[PTLS_MAX_DIGEST_SIZE]; |
1813 | 11 | int ret; |
1814 | | |
1815 | 11 | if ((ret = ptls_hkdf_expand_label(sched->hashes[0].algo, digest, sched->hashes[0].algo->digest_size, |
1816 | 11 | ptls_iovec_init(secret, sched->hashes[0].algo->digest_size), "finished", |
1817 | 11 | ptls_iovec_init(NULL, 0), NULL)) != 0) |
1818 | 0 | return ret; |
1819 | 11 | if ((hmac = ptls_hmac_create(sched->hashes[0].algo, digest, sched->hashes[0].algo->digest_size)) == NULL) { |
1820 | 0 | ptls_clear_memory(digest, sizeof(digest)); |
1821 | 0 | return PTLS_ERROR_NO_MEMORY; |
1822 | 0 | } |
1823 | | |
1824 | 11 | sched->hashes[0].ctx->final(sched->hashes[0].ctx, digest, PTLS_HASH_FINAL_MODE_SNAPSHOT); |
1825 | 11 | PTLS_DEBUGF("%s: %02x%02x,%02x%02x\n", __FUNCTION__, ((uint8_t *)secret)[0], ((uint8_t *)secret)[1], digest[0], digest[1]); |
1826 | 11 | hmac->update(hmac, digest, sched->hashes[0].algo->digest_size); |
1827 | 11 | ptls_clear_memory(digest, sizeof(digest)); |
1828 | 11 | hmac->final(hmac, output, PTLS_HASH_FINAL_MODE_FREE); |
1829 | | |
1830 | 11 | return 0; |
1831 | 11 | } |
1832 | | |
1833 | | static int verify_finished(ptls_t *tls, ptls_iovec_t message) |
1834 | 17 | { |
1835 | 17 | uint8_t verify_data[PTLS_MAX_DIGEST_SIZE]; |
1836 | 17 | int ret; |
1837 | | |
1838 | 17 | if (PTLS_HANDSHAKE_HEADER_SIZE + tls->key_schedule->hashes[0].algo->digest_size != message.len) { |
1839 | 6 | ret = PTLS_ALERT_DECODE_ERROR; |
1840 | 6 | goto Exit; |
1841 | 6 | } |
1842 | | |
1843 | 11 | if ((ret = calc_verify_data(verify_data, tls->key_schedule, tls->traffic_protection.dec.secret)) != 0) |
1844 | 0 | goto Exit; |
1845 | 11 | if (!ptls_mem_equal(message.base + PTLS_HANDSHAKE_HEADER_SIZE, verify_data, tls->key_schedule->hashes[0].algo->digest_size)) { |
1846 | 11 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
1847 | 11 | goto Exit; |
1848 | 11 | } |
1849 | | |
1850 | 17 | Exit: |
1851 | 17 | ptls_clear_memory(verify_data, sizeof(verify_data)); |
1852 | 17 | return ret; |
1853 | 11 | } |
1854 | | |
1855 | | static int send_finished(ptls_t *tls, ptls_message_emitter_t *emitter) |
1856 | 0 | { |
1857 | 0 | int ret; |
1858 | |
|
1859 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_FINISHED, { |
1860 | 0 | if ((ret = ptls_buffer_reserve(emitter->buf, tls->key_schedule->hashes[0].algo->digest_size)) != 0) |
1861 | 0 | goto Exit; |
1862 | 0 | if ((ret = calc_verify_data(emitter->buf->base + emitter->buf->off, tls->key_schedule, |
1863 | 0 | tls->traffic_protection.enc.secret)) != 0) |
1864 | 0 | goto Exit; |
1865 | 0 | emitter->buf->off += tls->key_schedule->hashes[0].algo->digest_size; |
1866 | 0 | }); |
1867 | | |
1868 | 0 | Exit: |
1869 | 0 | return ret; |
1870 | 0 | } |
1871 | | |
1872 | | static int send_session_ticket(ptls_t *tls, ptls_message_emitter_t *emitter) |
1873 | 0 | { |
1874 | 0 | ptls_hash_context_t *msghash_backup = tls->key_schedule->hashes[0].ctx->clone_(tls->key_schedule->hashes[0].ctx); |
1875 | 0 | ptls_buffer_t session_id; |
1876 | 0 | char session_id_smallbuf[128]; |
1877 | 0 | uint32_t ticket_age_add; |
1878 | 0 | int ret = 0; |
1879 | |
|
1880 | 0 | assert(tls->ctx->ticket_lifetime != 0); |
1881 | 0 | assert(tls->ctx->encrypt_ticket != NULL); |
1882 | | |
1883 | 0 | ptls_buffer_init(&session_id, session_id_smallbuf, sizeof(session_id_smallbuf)); |
1884 | |
|
1885 | 0 | { /* calculate verify-data that will be sent by the client */ |
1886 | 0 | size_t orig_off = emitter->buf->off; |
1887 | 0 | if (tls->pending_handshake_secret != NULL && !tls->ctx->omit_end_of_early_data) { |
1888 | 0 | assert(tls->state == PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA); |
1889 | 0 | ptls_buffer_push_message_body(emitter->buf, tls->key_schedule, PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA, {}); |
1890 | 0 | emitter->buf->off = orig_off; |
1891 | 0 | } |
1892 | 0 | ptls_buffer_push_message_body(emitter->buf, tls->key_schedule, PTLS_HANDSHAKE_TYPE_FINISHED, { |
1893 | 0 | if ((ret = ptls_buffer_reserve(emitter->buf, tls->key_schedule->hashes[0].algo->digest_size)) != 0) |
1894 | 0 | goto Exit; |
1895 | 0 | if ((ret = calc_verify_data(emitter->buf->base + emitter->buf->off, tls->key_schedule, |
1896 | 0 | tls->pending_handshake_secret != NULL ? tls->pending_handshake_secret |
1897 | 0 | : tls->traffic_protection.dec.secret)) != 0) |
1898 | 0 | goto Exit; |
1899 | 0 | emitter->buf->off += tls->key_schedule->hashes[0].algo->digest_size; |
1900 | 0 | }); |
1901 | 0 | emitter->buf->off = orig_off; |
1902 | 0 | } |
1903 | | |
1904 | 0 | tls->ctx->random_bytes(&ticket_age_add, sizeof(ticket_age_add)); |
1905 | | |
1906 | | /* build the raw nsk */ |
1907 | 0 | if (tls->key_share != NULL && (ret = encode_session_identifier(tls->ctx, &session_id, ticket_age_add, ptls_iovec_init(NULL, 0), |
1908 | 0 | tls->key_schedule, tls->server_name, tls->key_share->id, |
1909 | 0 | tls->cipher_suite->id, tls->negotiated_protocol)) != 0) |
1910 | 0 | goto Exit; |
1911 | | |
1912 | | /* encrypt and send */ |
1913 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET, { |
1914 | 0 | ptls_buffer_push32(emitter->buf, tls->ctx->ticket_lifetime); |
1915 | 0 | ptls_buffer_push32(emitter->buf, ticket_age_add); |
1916 | 0 | ptls_buffer_push_block(emitter->buf, 1, {}); |
1917 | 0 | ptls_buffer_push_block(emitter->buf, 2, { |
1918 | 0 | if ((ret = tls->ctx->encrypt_ticket->cb(tls->ctx->encrypt_ticket, tls, 1, emitter->buf, |
1919 | 0 | ptls_iovec_init(session_id.base, session_id.off))) != 0) |
1920 | 0 | goto Exit; |
1921 | 0 | }); |
1922 | 0 | ptls_buffer_push_block(emitter->buf, 2, { |
1923 | 0 | if (tls->ctx->max_early_data_size != 0) |
1924 | 0 | buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_EARLY_DATA, |
1925 | 0 | { ptls_buffer_push32(emitter->buf, tls->ctx->max_early_data_size); }); |
1926 | 0 | }); |
1927 | 0 | }); |
1928 | | |
1929 | 0 | Exit: |
1930 | 0 | ptls_buffer_dispose(&session_id); |
1931 | | |
1932 | | /* restore handshake state */ |
1933 | 0 | tls->key_schedule->hashes[0].ctx->final(tls->key_schedule->hashes[0].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1934 | 0 | tls->key_schedule->hashes[0].ctx = msghash_backup; |
1935 | |
|
1936 | 0 | return ret; |
1937 | 0 | } |
1938 | | |
1939 | | static int push_change_cipher_spec(ptls_t *tls, ptls_message_emitter_t *emitter) |
1940 | 0 | { |
1941 | 0 | int ret; |
1942 | | |
1943 | | /* check if we are requested to (or still need to) */ |
1944 | 0 | if (!tls->send_change_cipher_spec) { |
1945 | 0 | ret = 0; |
1946 | 0 | goto Exit; |
1947 | 0 | } |
1948 | | |
1949 | | /* CCS is a record, can only be sent when using a record-based protocol. */ |
1950 | 0 | if (emitter->begin_message != begin_record_message) { |
1951 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
1952 | 0 | goto Exit; |
1953 | 0 | } |
1954 | | |
1955 | | /* emit CCS */ |
1956 | 0 | buffer_push_record(emitter->buf, PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, { ptls_buffer_push(emitter->buf, 1); }); |
1957 | | |
1958 | 0 | tls->send_change_cipher_spec = 0; |
1959 | 0 | ret = 0; |
1960 | 0 | Exit: |
1961 | 0 | return ret; |
1962 | 0 | } |
1963 | | |
1964 | | static int push_additional_extensions(ptls_handshake_properties_t *properties, ptls_buffer_t *sendbuf) |
1965 | 42.6k | { |
1966 | 42.6k | int ret; |
1967 | | |
1968 | 42.6k | if (properties != NULL && properties->additional_extensions != NULL) { |
1969 | 0 | ptls_raw_extension_t *ext; |
1970 | 0 | for (ext = properties->additional_extensions; ext->type != UINT16_MAX; ++ext) { |
1971 | 0 | buffer_push_extension(sendbuf, ext->type, { ptls_buffer_pushv(sendbuf, ext->data.base, ext->data.len); }); |
1972 | 0 | } |
1973 | 0 | } |
1974 | 42.6k | ret = 0; |
1975 | 42.6k | Exit: |
1976 | 42.6k | return ret; |
1977 | 42.6k | } |
1978 | | |
1979 | | static int push_signature_algorithms(ptls_verify_certificate_t *vc, ptls_buffer_t *sendbuf) |
1980 | 42.6k | { |
1981 | | /* The list sent when verify callback is not registered */ |
1982 | 42.6k | static const uint16_t default_algos[] = {PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256, PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256, |
1983 | 42.6k | PTLS_SIGNATURE_RSA_PKCS1_SHA256, PTLS_SIGNATURE_RSA_PKCS1_SHA1, UINT16_MAX}; |
1984 | 42.6k | int ret; |
1985 | | |
1986 | 42.6k | ptls_buffer_push_block(sendbuf, 2, { |
1987 | 42.6k | for (const uint16_t *p = vc != NULL ? vc->algos : default_algos; *p != UINT16_MAX; ++p) |
1988 | 42.6k | ptls_buffer_push16(sendbuf, *p); |
1989 | 42.6k | }); |
1990 | | |
1991 | 42.6k | ret = 0; |
1992 | 42.6k | Exit: |
1993 | 42.6k | return ret; |
1994 | 42.6k | } |
1995 | | |
1996 | | static int decode_signature_algorithms(struct st_ptls_signature_algorithms_t *sa, const uint8_t **src, const uint8_t *end) |
1997 | 61 | { |
1998 | 61 | int ret; |
1999 | | |
2000 | 61 | ptls_decode_block(*src, end, 2, { |
2001 | 61 | do { |
2002 | 61 | uint16_t id; |
2003 | 61 | if ((ret = ptls_decode16(&id, src, end)) != 0) |
2004 | 61 | goto Exit; |
2005 | 61 | if (sa->count < PTLS_ELEMENTSOF(sa->list)) |
2006 | 61 | sa->list[sa->count++] = id; |
2007 | 61 | } while (*src != end); |
2008 | 61 | }); |
2009 | | |
2010 | 13 | ret = 0; |
2011 | 61 | Exit: |
2012 | 61 | return ret; |
2013 | 13 | } |
2014 | | |
2015 | | /** |
2016 | | * @param hash optional argument for restricting the underlying hash algorithm |
2017 | | */ |
2018 | | static int select_cipher(ptls_cipher_suite_t **selected, ptls_cipher_suite_t **candidates, const uint8_t *src, |
2019 | | const uint8_t *const end, int server_preference, int server_chacha_priority, ptls_hash_algorithm_t *hash) |
2020 | 0 | { |
2021 | 0 | size_t found_index = SIZE_MAX; |
2022 | 0 | int ret; |
2023 | |
|
2024 | 0 | while (src != end) { |
2025 | 0 | uint16_t id; |
2026 | 0 | if ((ret = ptls_decode16(&id, &src, end)) != 0) |
2027 | 0 | goto Exit; |
2028 | 0 | for (size_t i = 0; candidates[i] != NULL; ++i) { |
2029 | 0 | if (candidates[i]->id == id && (hash == NULL || candidates[i]->hash == hash)) { |
2030 | 0 | if (server_preference && !(server_chacha_priority && id == PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256)) { |
2031 | | /* preserve smallest matching index, and proceed to the next input */ |
2032 | 0 | if (i < found_index) { |
2033 | 0 | found_index = i; |
2034 | 0 | break; |
2035 | 0 | } |
2036 | 0 | } else { |
2037 | | /* return the pointer matching to the first input that can be used */ |
2038 | 0 | *selected = candidates[i]; |
2039 | 0 | goto Exit; |
2040 | 0 | } |
2041 | 0 | } |
2042 | 0 | } |
2043 | | /* first position of the server list matched (server_preference) */ |
2044 | 0 | if (found_index == 0) |
2045 | 0 | break; |
2046 | | /* server preference is overridden only if the first entry of client-provided list is chachapoly */ |
2047 | 0 | server_chacha_priority = 0; |
2048 | 0 | } |
2049 | 0 | if (found_index != SIZE_MAX) { |
2050 | 0 | *selected = candidates[found_index]; |
2051 | 0 | ret = 0; |
2052 | 0 | } else { |
2053 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
2054 | 0 | } |
2055 | |
|
2056 | 0 | Exit: |
2057 | 0 | return ret; |
2058 | 0 | } |
2059 | | |
2060 | | static int push_key_share_entry(ptls_buffer_t *buf, uint16_t group, ptls_iovec_t pubkey) |
2061 | 42.6k | { |
2062 | 42.6k | int ret; |
2063 | | |
2064 | 42.6k | ptls_buffer_push16(buf, group); |
2065 | 42.6k | ptls_buffer_push_block(buf, 2, { ptls_buffer_pushv(buf, pubkey.base, pubkey.len); }); |
2066 | 42.6k | ret = 0; |
2067 | 42.6k | Exit: |
2068 | 42.6k | return ret; |
2069 | 42.6k | } |
2070 | | |
2071 | | static int decode_key_share_entry(uint16_t *group, ptls_iovec_t *key_exchange, const uint8_t **src, const uint8_t *const end) |
2072 | 1.07k | { |
2073 | 1.07k | int ret; |
2074 | | |
2075 | 1.07k | if ((ret = ptls_decode16(group, src, end)) != 0) |
2076 | 1 | goto Exit; |
2077 | 1.07k | ptls_decode_open_block(*src, end, 2, { |
2078 | 1.07k | *key_exchange = ptls_iovec_init(*src, end - *src); |
2079 | 1.07k | *src = end; |
2080 | 1.07k | }); |
2081 | | |
2082 | 1.07k | Exit: |
2083 | 1.07k | return ret; |
2084 | 1.07k | } |
2085 | | |
2086 | | static int select_key_share(ptls_key_exchange_algorithm_t **selected, ptls_iovec_t *peer_key, |
2087 | | ptls_key_exchange_algorithm_t **candidates, const uint8_t **src, const uint8_t *const end, |
2088 | | int expect_one) |
2089 | 0 | { |
2090 | 0 | int ret; |
2091 | |
|
2092 | 0 | *selected = NULL; |
2093 | |
|
2094 | 0 | if (expect_one && *src == end) { |
2095 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2096 | 0 | goto Exit; |
2097 | 0 | } |
2098 | | |
2099 | 0 | while (*src != end) { |
2100 | 0 | uint16_t group; |
2101 | 0 | ptls_iovec_t key; |
2102 | 0 | if ((ret = decode_key_share_entry(&group, &key, src, end)) != 0) |
2103 | 0 | goto Exit; |
2104 | 0 | ptls_key_exchange_algorithm_t **c = candidates; |
2105 | 0 | for (; *c != NULL; ++c) { |
2106 | 0 | if (*selected == NULL && (*c)->id == group) { |
2107 | 0 | *selected = *c; |
2108 | 0 | *peer_key = key; |
2109 | 0 | } |
2110 | 0 | } |
2111 | 0 | if (expect_one) { |
2112 | 0 | ret = *selected != NULL ? 0 : PTLS_ALERT_ILLEGAL_PARAMETER; |
2113 | 0 | goto Exit; |
2114 | 0 | } |
2115 | 0 | } |
2116 | | |
2117 | 0 | ret = 0; |
2118 | |
|
2119 | 0 | Exit: |
2120 | 0 | return ret; |
2121 | 0 | } |
2122 | | |
2123 | | static int emit_server_name_extension(ptls_buffer_t *buf, const char *server_name) |
2124 | 0 | { |
2125 | 0 | int ret; |
2126 | |
|
2127 | 0 | ptls_buffer_push_block(buf, 2, { |
2128 | 0 | ptls_buffer_push(buf, PTLS_SERVER_NAME_TYPE_HOSTNAME); |
2129 | 0 | ptls_buffer_push_block(buf, 2, { ptls_buffer_pushv(buf, server_name, strlen(server_name)); }); |
2130 | 0 | }); |
2131 | | |
2132 | 0 | ret = 0; |
2133 | 0 | Exit: |
2134 | 0 | return ret; |
2135 | 0 | } |
2136 | | |
2137 | | /** |
2138 | | * Within the outer ECH extension, returns the number of bytes that preceeds the AEAD-encrypted payload. |
2139 | | */ |
2140 | | static inline size_t outer_ech_header_size(size_t enc_size) |
2141 | 0 | { |
2142 | 0 | return 10 + enc_size; |
2143 | 0 | } |
2144 | | |
2145 | | /** |
2146 | | * Flag to indicate which of ClientHelloInner, EncodedClientHelloInner, ClientHelloOuter is to be generated. When ECH is inactive, |
2147 | | * only ClientHelloInner is used. |
2148 | | */ |
2149 | | enum encode_ch_mode { ENCODE_CH_MODE_INNER, ENCODE_CH_MODE_ENCODED_INNER, ENCODE_CH_MODE_OUTER }; |
2150 | | |
2151 | | static int encode_client_hello(ptls_context_t *ctx, ptls_buffer_t *sendbuf, enum encode_ch_mode mode, int is_second_flight, |
2152 | | ptls_handshake_properties_t *properties, const void *client_random, |
2153 | | ptls_key_exchange_context_t *key_share_ctx, const char *sni_name, ptls_iovec_t legacy_session_id, |
2154 | | struct st_ptls_ech_t *ech, size_t *ech_size_offset, ptls_iovec_t ech_replay, ptls_iovec_t psk_secret, |
2155 | | ptls_iovec_t psk_identity, uint32_t obfuscated_ticket_age, size_t psk_binder_size, |
2156 | | ptls_iovec_t *cookie, int using_early_data) |
2157 | 42.6k | { |
2158 | 42.6k | int ret; |
2159 | | |
2160 | 42.6k | assert(mode == ENCODE_CH_MODE_INNER || ech != NULL); |
2161 | | |
2162 | 42.6k | ptls_buffer_push_message_body(sendbuf, NULL, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, { |
2163 | | /* legacy_version */ |
2164 | 42.6k | ptls_buffer_push16(sendbuf, 0x0303); |
2165 | | /* random_bytes */ |
2166 | 42.6k | ptls_buffer_pushv(sendbuf, client_random, PTLS_HELLO_RANDOM_SIZE); |
2167 | | /* lecagy_session_id */ |
2168 | 42.6k | ptls_buffer_push_block(sendbuf, 1, { |
2169 | 42.6k | if (mode != ENCODE_CH_MODE_ENCODED_INNER) |
2170 | 42.6k | ptls_buffer_pushv(sendbuf, legacy_session_id.base, legacy_session_id.len); |
2171 | 42.6k | }); |
2172 | | /* cipher_suites */ |
2173 | 42.6k | ptls_buffer_push_block(sendbuf, 2, { |
2174 | 42.6k | ptls_cipher_suite_t **cs = ctx->cipher_suites; |
2175 | 42.6k | for (; *cs != NULL; ++cs) |
2176 | 42.6k | ptls_buffer_push16(sendbuf, (*cs)->id); |
2177 | 42.6k | }); |
2178 | | /* legacy_compression_methods */ |
2179 | 42.6k | ptls_buffer_push_block(sendbuf, 1, { ptls_buffer_push(sendbuf, 0); }); |
2180 | | /* extensions */ |
2181 | 42.6k | ptls_buffer_push_block(sendbuf, 2, { |
2182 | 42.6k | if (mode == ENCODE_CH_MODE_OUTER) { |
2183 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, { |
2184 | 42.6k | size_t ext_payload_from = sendbuf->off; |
2185 | 42.6k | ptls_buffer_push(sendbuf, PTLS_ECH_CLIENT_HELLO_TYPE_OUTER); |
2186 | 42.6k | ptls_buffer_push16(sendbuf, ech->cipher->id.kdf); |
2187 | 42.6k | ptls_buffer_push16(sendbuf, ech->cipher->id.aead); |
2188 | 42.6k | ptls_buffer_push(sendbuf, ech->config_id); |
2189 | 42.6k | ptls_buffer_push_block(sendbuf, 2, { |
2190 | 42.6k | if (!is_second_flight) |
2191 | 42.6k | ptls_buffer_pushv(sendbuf, ech->client.enc.base, ech->client.enc.len); |
2192 | 42.6k | }); |
2193 | 42.6k | ptls_buffer_push_block(sendbuf, 2, { |
2194 | 42.6k | assert(sendbuf->off - ext_payload_from == |
2195 | 42.6k | outer_ech_header_size(is_second_flight ? 0 : ech->client.enc.len)); |
2196 | 42.6k | if ((ret = ptls_buffer_reserve(sendbuf, *ech_size_offset)) != 0) |
2197 | 42.6k | goto Exit; |
2198 | 42.6k | memset(sendbuf->base + sendbuf->off, 0, *ech_size_offset); |
2199 | 42.6k | sendbuf->off += *ech_size_offset; |
2200 | 42.6k | *ech_size_offset = sendbuf->off - *ech_size_offset; |
2201 | 42.6k | }); |
2202 | 42.6k | }); |
2203 | 42.6k | } else if (ech->aead != NULL) { |
2204 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, |
2205 | 42.6k | { ptls_buffer_push(sendbuf, PTLS_ECH_CLIENT_HELLO_TYPE_INNER); }); |
2206 | 42.6k | } else if (ech_replay.base != NULL) { |
2207 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, |
2208 | 42.6k | { ptls_buffer_pushv(sendbuf, ech_replay.base, ech_replay.len); }); |
2209 | 42.6k | } |
2210 | 42.6k | if (mode == ENCODE_CH_MODE_ENCODED_INNER) { |
2211 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ECH_OUTER_EXTENSIONS, { |
2212 | 42.6k | ptls_buffer_push_block(sendbuf, 1, { ptls_buffer_push16(sendbuf, PTLS_EXTENSION_TYPE_KEY_SHARE); }); |
2213 | 42.6k | }); |
2214 | 42.6k | } else { |
2215 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_KEY_SHARE, { |
2216 | 42.6k | ptls_buffer_push_block(sendbuf, 2, { |
2217 | 42.6k | if (key_share_ctx != NULL && |
2218 | 42.6k | (ret = push_key_share_entry(sendbuf, key_share_ctx->algo->id, key_share_ctx->pubkey)) != 0) |
2219 | 42.6k | goto Exit; |
2220 | 42.6k | }); |
2221 | 42.6k | }); |
2222 | 42.6k | } |
2223 | 42.6k | if (sni_name != NULL) { |
2224 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_NAME, { |
2225 | 42.6k | if ((ret = emit_server_name_extension(sendbuf, sni_name)) != 0) |
2226 | 42.6k | goto Exit; |
2227 | 42.6k | }); |
2228 | 42.6k | } |
2229 | 42.6k | if (properties != NULL && properties->client.negotiated_protocols.count != 0) { |
2230 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ALPN, { |
2231 | 42.6k | ptls_buffer_push_block(sendbuf, 2, { |
2232 | 42.6k | size_t i; |
2233 | 42.6k | for (i = 0; i != properties->client.negotiated_protocols.count; ++i) { |
2234 | 42.6k | ptls_buffer_push_block(sendbuf, 1, { |
2235 | 42.6k | ptls_iovec_t p = properties->client.negotiated_protocols.list[i]; |
2236 | 42.6k | ptls_buffer_pushv(sendbuf, p.base, p.len); |
2237 | 42.6k | }); |
2238 | 42.6k | } |
2239 | 42.6k | }); |
2240 | 42.6k | }); |
2241 | 42.6k | } |
2242 | 42.6k | if (ctx->decompress_certificate != NULL) { |
2243 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_COMPRESS_CERTIFICATE, { |
2244 | 42.6k | ptls_buffer_push_block(sendbuf, 1, { |
2245 | 42.6k | const uint16_t *algo = ctx->decompress_certificate->supported_algorithms; |
2246 | 42.6k | assert(*algo != UINT16_MAX); |
2247 | 42.6k | for (; *algo != UINT16_MAX; ++algo) |
2248 | 42.6k | ptls_buffer_push16(sendbuf, *algo); |
2249 | 42.6k | }); |
2250 | 42.6k | }); |
2251 | 42.6k | } |
2252 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS, { |
2253 | 42.6k | ptls_buffer_push_block(sendbuf, 1, { |
2254 | 42.6k | size_t i; |
2255 | 42.6k | for (i = 0; i != PTLS_ELEMENTSOF(supported_versions); ++i) |
2256 | 42.6k | ptls_buffer_push16(sendbuf, supported_versions[i]); |
2257 | 42.6k | }); |
2258 | 42.6k | }); |
2259 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS, { |
2260 | 42.6k | if ((ret = push_signature_algorithms(ctx->verify_certificate, sendbuf)) != 0) |
2261 | 42.6k | goto Exit; |
2262 | 42.6k | }); |
2263 | 42.6k | if (ctx->key_exchanges != NULL) { |
2264 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SUPPORTED_GROUPS, { |
2265 | 42.6k | ptls_key_exchange_algorithm_t **algo = ctx->key_exchanges; |
2266 | 42.6k | ptls_buffer_push_block(sendbuf, 2, { |
2267 | 42.6k | for (; *algo != NULL; ++algo) |
2268 | 42.6k | ptls_buffer_push16(sendbuf, (*algo)->id); |
2269 | 42.6k | }); |
2270 | 42.6k | }); |
2271 | 42.6k | } |
2272 | 42.6k | if (cookie != NULL && cookie->base != NULL) { |
2273 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_COOKIE, { |
2274 | 42.6k | ptls_buffer_push_block(sendbuf, 2, { ptls_buffer_pushv(sendbuf, cookie->base, cookie->len); }); |
2275 | 42.6k | }); |
2276 | 42.6k | } |
2277 | 42.6k | if (ctx->use_raw_public_keys) { |
2278 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE, { |
2279 | 42.6k | ptls_buffer_push_block(sendbuf, 1, { ptls_buffer_push(sendbuf, PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY); }); |
2280 | 42.6k | }); |
2281 | 42.6k | } |
2282 | 42.6k | if (ctx->save_ticket != NULL && |
2283 | 42.6k | (ctx->ticket_requests.client.new_session_count != 0 || ctx->ticket_requests.client.resumption_count != 0)) { |
2284 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_TICKET_REQUEST, { |
2285 | 42.6k | ptls_buffer_push(sendbuf, ctx->ticket_requests.client.new_session_count, |
2286 | 42.6k | ctx->ticket_requests.client.resumption_count); |
2287 | 42.6k | }); |
2288 | 42.6k | } |
2289 | 42.6k | if ((ret = push_additional_extensions(properties, sendbuf)) != 0) |
2290 | 42.6k | goto Exit; |
2291 | 42.6k | if (ctx->save_ticket != NULL || psk_secret.base != NULL) { |
2292 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_PSK_KEY_EXCHANGE_MODES, { |
2293 | 42.6k | ptls_buffer_push_block(sendbuf, 1, { |
2294 | 42.6k | if (!ctx->require_dhe_on_psk) |
2295 | 42.6k | ptls_buffer_push(sendbuf, PTLS_PSK_KE_MODE_PSK); |
2296 | 42.6k | ptls_buffer_push(sendbuf, PTLS_PSK_KE_MODE_PSK_DHE); |
2297 | 42.6k | }); |
2298 | 42.6k | }); |
2299 | 42.6k | } |
2300 | 42.6k | if (psk_secret.base != NULL) { |
2301 | 42.6k | if (using_early_data && !is_second_flight) |
2302 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_EARLY_DATA, {}); |
2303 | | /* pre-shared key "MUST be the last extension in the ClientHello" (draft-17 section 4.2.6) */ |
2304 | 42.6k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_PRE_SHARED_KEY, { |
2305 | 42.6k | ptls_buffer_push_block(sendbuf, 2, { |
2306 | 42.6k | ptls_buffer_push_block(sendbuf, 2, { |
2307 | 42.6k | if (mode == ENCODE_CH_MODE_OUTER) { |
2308 | 42.6k | if ((ret = ptls_buffer_reserve(sendbuf, psk_identity.len)) != 0) |
2309 | 42.6k | goto Exit; |
2310 | 42.6k | ctx->random_bytes(sendbuf->base + sendbuf->off, psk_identity.len); |
2311 | 42.6k | sendbuf->off += psk_identity.len; |
2312 | 42.6k | } else { |
2313 | 42.6k | ptls_buffer_pushv(sendbuf, psk_identity.base, psk_identity.len); |
2314 | 42.6k | } |
2315 | 42.6k | }); |
2316 | 42.6k | uint32_t age; |
2317 | 42.6k | if (mode == ENCODE_CH_MODE_OUTER) { |
2318 | 42.6k | ctx->random_bytes(&age, sizeof(age)); |
2319 | 42.6k | } else { |
2320 | 42.6k | age = obfuscated_ticket_age; |
2321 | 42.6k | } |
2322 | 42.6k | ptls_buffer_push32(sendbuf, age); |
2323 | 42.6k | }); |
2324 | | /* allocate space for PSK binder. The space is filled initially filled by a random value (meeting the |
2325 | | * requirement of ClientHelloOuter), and later gets filled with the correct binder value if necessary. */ |
2326 | 42.6k | ptls_buffer_push_block(sendbuf, 2, { |
2327 | 42.6k | ptls_buffer_push_block(sendbuf, 1, { |
2328 | 42.6k | if ((ret = ptls_buffer_reserve(sendbuf, psk_binder_size)) != 0) |
2329 | 42.6k | goto Exit; |
2330 | 42.6k | ctx->random_bytes(sendbuf->base + sendbuf->off, psk_binder_size); |
2331 | 42.6k | sendbuf->off += psk_binder_size; |
2332 | 42.6k | }); |
2333 | 42.6k | }); |
2334 | 42.6k | }); |
2335 | 42.6k | } |
2336 | 42.6k | }); |
2337 | 42.6k | }); |
2338 | | |
2339 | 42.6k | Exit: |
2340 | 42.6k | return ret; |
2341 | 42.6k | } |
2342 | | |
2343 | | static int send_client_hello(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_handshake_properties_t *properties, |
2344 | | ptls_iovec_t *cookie) |
2345 | 42.6k | { |
2346 | 42.6k | struct { |
2347 | 42.6k | ptls_iovec_t secret; |
2348 | 42.6k | ptls_iovec_t identity; |
2349 | 42.6k | const char *label; |
2350 | 42.6k | } psk = {{NULL}}; |
2351 | 42.6k | uint32_t obfuscated_ticket_age = 0; |
2352 | 42.6k | const char *sni_name = NULL; |
2353 | 42.6k | size_t mess_start, msghash_off; |
2354 | 42.6k | uint8_t binder_key[PTLS_MAX_DIGEST_SIZE]; |
2355 | 42.6k | ptls_buffer_t encoded_ch_inner; |
2356 | 42.6k | int ret, is_second_flight = tls->key_schedule != NULL; |
2357 | | |
2358 | 42.6k | ptls_buffer_init(&encoded_ch_inner, "", 0); |
2359 | | |
2360 | 42.6k | if (tls->server_name != NULL && !ptls_server_name_is_ipaddr(tls->server_name)) |
2361 | 0 | sni_name = tls->server_name; |
2362 | | |
2363 | | /* try to use ECH (ignore broken ECHConfigList; it is delivered insecurely) */ |
2364 | 42.6k | if (properties != NULL) { |
2365 | 42.6k | if (!is_second_flight && sni_name != NULL && tls->ctx->ech.client.ciphers != NULL) { |
2366 | 0 | if (properties->client.ech.configs.len != 0) { |
2367 | 0 | struct st_decoded_ech_config_t decoded; |
2368 | 0 | client_decode_ech_config_list(tls->ctx, &decoded, properties->client.ech.configs); |
2369 | 0 | if (decoded.kem != NULL && decoded.cipher != NULL) { |
2370 | 0 | if ((ret = client_setup_ech(&tls->ech, &decoded, tls->ctx->random_bytes)) != 0) |
2371 | 0 | goto Exit; |
2372 | 0 | } |
2373 | 0 | } else { |
2374 | | /* zero-length config indicates ECH greasing */ |
2375 | 0 | client_setup_ech_grease(&tls->ech, tls->ctx->random_bytes, tls->ctx->ech.client.kems, tls->ctx->ech.client.ciphers, |
2376 | 0 | sni_name); |
2377 | 0 | } |
2378 | 0 | } |
2379 | 42.6k | } |
2380 | | |
2381 | | /* use external PSK if provided */ |
2382 | 42.6k | if (tls->ctx->pre_shared_key.identity.base != NULL) { |
2383 | 0 | if (!is_second_flight) { |
2384 | 0 | tls->client.offered_psk = 1; |
2385 | 0 | for (size_t i = 0; tls->ctx->cipher_suites[i] != NULL; ++i) { |
2386 | 0 | if (tls->ctx->cipher_suites[i]->hash == tls->ctx->pre_shared_key.hash) { |
2387 | 0 | tls->cipher_suite = tls->ctx->cipher_suites[i]; |
2388 | 0 | break; |
2389 | 0 | } |
2390 | 0 | } |
2391 | 0 | assert(tls->cipher_suite != NULL && "no compatible cipher-suite provided that matches psk.hash"); |
2392 | 0 | if (properties != NULL && properties->client.max_early_data_size != NULL) { |
2393 | 0 | tls->client.using_early_data = 1; |
2394 | 0 | *properties->client.max_early_data_size = SIZE_MAX; |
2395 | 0 | } |
2396 | 0 | } else { |
2397 | 0 | assert(tls->cipher_suite != NULL && tls->cipher_suite->hash == tls->ctx->pre_shared_key.hash); |
2398 | 0 | } |
2399 | 0 | psk.secret = tls->ctx->pre_shared_key.secret; |
2400 | 0 | psk.identity = tls->ctx->pre_shared_key.identity; |
2401 | 0 | psk.label = "ext binder"; |
2402 | 0 | } |
2403 | | |
2404 | | /* try to setup resumption-related data, unless external PSK is used */ |
2405 | 42.6k | if (psk.secret.base == NULL && properties != NULL && properties->client.session_ticket.base != NULL && |
2406 | 42.6k | tls->ctx->key_exchanges != NULL) { |
2407 | 0 | ptls_key_exchange_algorithm_t *key_share = NULL; |
2408 | 0 | ptls_cipher_suite_t *cipher_suite = NULL; |
2409 | 0 | uint32_t max_early_data_size; |
2410 | 0 | if (decode_stored_session_ticket(tls, &key_share, &cipher_suite, &psk.secret, &obfuscated_ticket_age, &psk.identity, |
2411 | 0 | &max_early_data_size, properties->client.session_ticket.base, |
2412 | 0 | properties->client.session_ticket.base + properties->client.session_ticket.len) == 0) { |
2413 | 0 | psk.label = "res binder"; |
2414 | 0 | tls->client.offered_psk = 1; |
2415 | | /* key-share selected by HRR should not be overridden */ |
2416 | 0 | if (tls->key_share == NULL) |
2417 | 0 | tls->key_share = key_share; |
2418 | 0 | tls->cipher_suite = cipher_suite; |
2419 | 0 | if (!is_second_flight && max_early_data_size != 0 && properties->client.max_early_data_size != NULL) { |
2420 | 0 | tls->client.using_early_data = 1; |
2421 | 0 | *properties->client.max_early_data_size = max_early_data_size; |
2422 | 0 | } |
2423 | 0 | } else { |
2424 | 0 | psk.secret = ptls_iovec_init(NULL, 0); |
2425 | 0 | } |
2426 | 0 | } |
2427 | | |
2428 | | /* send 0-RTT related signals back to the client */ |
2429 | 42.6k | if (properties != NULL) { |
2430 | 42.6k | if (tls->client.using_early_data) { |
2431 | 0 | properties->client.early_data_acceptance = PTLS_EARLY_DATA_ACCEPTANCE_UNKNOWN; |
2432 | 42.6k | } else { |
2433 | 42.6k | if (properties->client.max_early_data_size != NULL) |
2434 | 0 | *properties->client.max_early_data_size = 0; |
2435 | 42.6k | properties->client.early_data_acceptance = PTLS_EARLY_DATA_REJECTED; |
2436 | 42.6k | } |
2437 | 42.6k | } |
2438 | | |
2439 | | /* use the default key share if still not undetermined */ |
2440 | 42.6k | if (tls->key_share == NULL && tls->ctx->key_exchanges != NULL && |
2441 | 42.6k | !(properties != NULL && properties->client.negotiate_before_key_exchange)) |
2442 | 2.09k | tls->key_share = tls->ctx->key_exchanges[0]; |
2443 | | |
2444 | | /* instantiate key share context */ |
2445 | 42.6k | assert(tls->client.key_share_ctx == NULL); |
2446 | 42.6k | if (tls->key_share != NULL) { |
2447 | 42.6k | if ((ret = tls->key_share->create(tls->key_share, &tls->client.key_share_ctx)) != 0) |
2448 | 0 | goto Exit; |
2449 | 42.6k | } |
2450 | | |
2451 | | /* initialize key schedule */ |
2452 | 42.6k | if (!is_second_flight) { |
2453 | 2.09k | if ((tls->key_schedule = key_schedule_new(tls->cipher_suite, tls->ctx->cipher_suites, tls->ech.aead != NULL)) == NULL) { |
2454 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
2455 | 0 | goto Exit; |
2456 | 0 | } |
2457 | 2.09k | if ((ret = key_schedule_extract(tls->key_schedule, psk.secret)) != 0) |
2458 | 0 | goto Exit; |
2459 | 2.09k | } |
2460 | | |
2461 | | /* start generating CH */ |
2462 | 42.6k | if ((ret = emitter->begin_message(emitter)) != 0) |
2463 | 0 | goto Exit; |
2464 | 42.6k | mess_start = msghash_off = emitter->buf->off; |
2465 | | |
2466 | | /* generate true (inner) CH */ |
2467 | 42.6k | if ((ret = encode_client_hello(tls->ctx, emitter->buf, ENCODE_CH_MODE_INNER, is_second_flight, properties, |
2468 | 42.6k | tls->ech.aead != NULL ? tls->ech.inner_client_random : tls->client_random, |
2469 | 42.6k | tls->client.key_share_ctx, sni_name, tls->client.legacy_session_id, &tls->ech, NULL, |
2470 | 42.6k | tls->ech.client.first_ech, psk.secret, psk.identity, obfuscated_ticket_age, |
2471 | 42.6k | tls->key_schedule->hashes[0].algo->digest_size, cookie, tls->client.using_early_data)) != 0) |
2472 | 0 | goto Exit; |
2473 | | |
2474 | | /* update the message hash, filling in the PSK binder HMAC if necessary */ |
2475 | 42.6k | if (psk.secret.base != NULL) { |
2476 | 0 | size_t psk_binder_off = emitter->buf->off - (3 + tls->key_schedule->hashes[0].algo->digest_size); |
2477 | 0 | if ((ret = derive_secret_with_empty_digest(tls->key_schedule, binder_key, psk.label)) != 0) |
2478 | 0 | goto Exit; |
2479 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, emitter->buf->base + msghash_off, psk_binder_off - msghash_off, 0); |
2480 | 0 | msghash_off = psk_binder_off; |
2481 | 0 | if ((ret = calc_verify_data(emitter->buf->base + psk_binder_off + 3, tls->key_schedule, binder_key)) != 0) |
2482 | 0 | goto Exit; |
2483 | 0 | } |
2484 | 42.6k | ptls__key_schedule_update_hash(tls->key_schedule, emitter->buf->base + msghash_off, emitter->buf->off - msghash_off, 0); |
2485 | | |
2486 | | /* ECH */ |
2487 | 42.6k | if (tls->ech.aead != NULL) { |
2488 | | /* build EncodedCHInner */ |
2489 | 0 | if ((ret = encode_client_hello(tls->ctx, &encoded_ch_inner, ENCODE_CH_MODE_ENCODED_INNER, is_second_flight, properties, |
2490 | 0 | tls->ech.inner_client_random, tls->client.key_share_ctx, sni_name, |
2491 | 0 | tls->client.legacy_session_id, &tls->ech, NULL, ptls_iovec_init(NULL, 0), psk.secret, |
2492 | 0 | psk.identity, obfuscated_ticket_age, tls->key_schedule->hashes[0].algo->digest_size, cookie, |
2493 | 0 | tls->client.using_early_data)) != 0) |
2494 | 0 | goto Exit; |
2495 | 0 | if (psk.secret.base != NULL) |
2496 | 0 | memcpy(encoded_ch_inner.base + encoded_ch_inner.off - tls->key_schedule->hashes[0].algo->digest_size, |
2497 | 0 | emitter->buf->base + emitter->buf->off - tls->key_schedule->hashes[0].algo->digest_size, |
2498 | 0 | tls->key_schedule->hashes[0].algo->digest_size); |
2499 | 0 | { /* pad EncodedCHInner (following draft-ietf-tls-esni-15 6.1.3) */ |
2500 | 0 | size_t padding_len; |
2501 | 0 | if (sni_name != NULL) { |
2502 | 0 | padding_len = strlen(sni_name); |
2503 | 0 | if (padding_len < tls->ech.client.max_name_length) |
2504 | 0 | padding_len = tls->ech.client.max_name_length; |
2505 | 0 | } else { |
2506 | 0 | padding_len = tls->ech.client.max_name_length + 9; |
2507 | 0 | } |
2508 | 0 | size_t final_len = encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE + padding_len; |
2509 | 0 | final_len = (final_len + 31) / 32 * 32; |
2510 | 0 | padding_len = final_len - (encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE); |
2511 | 0 | if (padding_len != 0) { |
2512 | 0 | if ((ret = ptls_buffer_reserve(&encoded_ch_inner, padding_len)) != 0) |
2513 | 0 | goto Exit; |
2514 | 0 | memset(encoded_ch_inner.base + encoded_ch_inner.off, 0, padding_len); |
2515 | 0 | encoded_ch_inner.off += padding_len; |
2516 | 0 | } |
2517 | 0 | } |
2518 | | /* flush CHInner, build CHOuterAAD */ |
2519 | 0 | emitter->buf->off = mess_start; |
2520 | 0 | size_t ech_payload_size = encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE + tls->ech.aead->algo->tag_size, |
2521 | 0 | ech_size_offset = ech_payload_size; |
2522 | 0 | if ((ret = encode_client_hello(tls->ctx, emitter->buf, ENCODE_CH_MODE_OUTER, is_second_flight, properties, |
2523 | 0 | tls->client_random, tls->client.key_share_ctx, tls->ech.client.public_name, |
2524 | 0 | tls->client.legacy_session_id, &tls->ech, &ech_size_offset, ptls_iovec_init(NULL, 0), |
2525 | 0 | psk.secret, psk.identity, obfuscated_ticket_age, |
2526 | 0 | tls->key_schedule->hashes[0].algo->digest_size, cookie, tls->client.using_early_data)) != 0) |
2527 | 0 | goto Exit; |
2528 | | /* overwrite ECH payload */ |
2529 | 0 | ptls_aead_encrypt(tls->ech.aead, emitter->buf->base + ech_size_offset, encoded_ch_inner.base + PTLS_HANDSHAKE_HEADER_SIZE, |
2530 | 0 | encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE, is_second_flight, |
2531 | 0 | emitter->buf->base + mess_start + PTLS_HANDSHAKE_HEADER_SIZE, |
2532 | 0 | emitter->buf->off - (mess_start + PTLS_HANDSHAKE_HEADER_SIZE)); |
2533 | | /* keep the copy of the 1st ECH extension so that we can send it again in 2nd CH in response to rejection with HRR */ |
2534 | 0 | if (!is_second_flight) { |
2535 | 0 | size_t len = outer_ech_header_size(tls->ech.client.enc.len) + ech_payload_size; |
2536 | 0 | if ((tls->ech.client.first_ech.base = malloc(len)) == NULL) { |
2537 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
2538 | 0 | goto Exit; |
2539 | 0 | } |
2540 | 0 | memcpy(tls->ech.client.first_ech.base, |
2541 | 0 | emitter->buf->base + ech_size_offset - outer_ech_header_size(tls->ech.client.enc.len), len); |
2542 | 0 | tls->ech.client.first_ech.len = len; |
2543 | 0 | if (properties->client.ech.configs.len != 0) { |
2544 | 0 | tls->ech.offered = 1; |
2545 | 0 | } else { |
2546 | 0 | tls->ech.offered_grease = 1; |
2547 | 0 | } |
2548 | 0 | } |
2549 | | /* update hash */ |
2550 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, emitter->buf->base + mess_start, emitter->buf->off - mess_start, 1); |
2551 | 0 | } |
2552 | | |
2553 | | /* commit CH to the record layer */ |
2554 | 42.6k | if ((ret = emitter->commit_message(emitter)) != 0) |
2555 | 0 | goto Exit; |
2556 | | |
2557 | 42.6k | if (tls->client.using_early_data) { |
2558 | 0 | assert(!is_second_flight); |
2559 | 0 | if ((ret = setup_traffic_protection(tls, 1, "c e traffic", 1, 0, 0)) != 0) |
2560 | 0 | goto Exit; |
2561 | 0 | if ((ret = push_change_cipher_spec(tls, emitter)) != 0) |
2562 | 0 | goto Exit; |
2563 | 0 | } |
2564 | 42.6k | if (psk.secret.base != NULL && !is_second_flight) { |
2565 | 0 | if ((ret = derive_exporter_secret(tls, 1)) != 0) |
2566 | 0 | goto Exit; |
2567 | 0 | } |
2568 | 42.6k | tls->state = cookie == NULL ? PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO : PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO; |
2569 | 42.6k | ret = PTLS_ERROR_IN_PROGRESS; |
2570 | | |
2571 | 42.6k | Exit: |
2572 | 42.6k | ptls_buffer_dispose(&encoded_ch_inner); |
2573 | 42.6k | ptls_clear_memory(binder_key, sizeof(binder_key)); |
2574 | 42.6k | return ret; |
2575 | 42.6k | } |
2576 | | |
2577 | | ptls_cipher_suite_t *ptls_find_cipher_suite(ptls_cipher_suite_t **cipher_suites, uint16_t id) |
2578 | 42.1k | { |
2579 | 42.1k | ptls_cipher_suite_t **cs; |
2580 | 42.1k | if (cipher_suites == NULL) |
2581 | 0 | return NULL; |
2582 | 42.1k | for (cs = cipher_suites; *cs != NULL && (*cs)->id != id; ++cs) |
2583 | 52 | ; |
2584 | 42.1k | return *cs; |
2585 | 42.1k | } |
2586 | | |
2587 | | static int decode_server_hello(ptls_t *tls, struct st_ptls_server_hello_t *sh, const uint8_t *src, const uint8_t *const end) |
2588 | 42.2k | { |
2589 | 42.2k | int ret; |
2590 | | |
2591 | 42.2k | *sh = (struct st_ptls_server_hello_t){{0}}; |
2592 | | |
2593 | | /* ignore legacy-version */ |
2594 | 42.2k | if (end - src < 2) { |
2595 | 6 | ret = PTLS_ALERT_DECODE_ERROR; |
2596 | 6 | goto Exit; |
2597 | 6 | } |
2598 | 42.2k | src += 2; |
2599 | | |
2600 | | /* random */ |
2601 | 42.2k | if (end - src < PTLS_HELLO_RANDOM_SIZE) { |
2602 | 11 | ret = PTLS_ALERT_DECODE_ERROR; |
2603 | 11 | goto Exit; |
2604 | 11 | } |
2605 | 42.2k | sh->is_retry_request = memcmp(src, hello_retry_random, PTLS_HELLO_RANDOM_SIZE) == 0; |
2606 | 42.2k | src += PTLS_HELLO_RANDOM_SIZE; |
2607 | | |
2608 | | /* legacy_session_id */ |
2609 | 42.2k | ptls_decode_open_block(src, end, 1, { |
2610 | 42.2k | if (end - src > 32) { |
2611 | 42.2k | ret = PTLS_ALERT_DECODE_ERROR; |
2612 | 42.2k | goto Exit; |
2613 | 42.2k | } |
2614 | 42.2k | sh->legacy_session_id = ptls_iovec_init(src, end - src); |
2615 | 42.2k | src = end; |
2616 | 42.2k | }); |
2617 | | |
2618 | 42.1k | { /* select cipher_suite */ |
2619 | 42.1k | uint16_t csid; |
2620 | 42.1k | if ((ret = ptls_decode16(&csid, &src, end)) != 0) |
2621 | 2 | goto Exit; |
2622 | 42.1k | if ((tls->cipher_suite = ptls_find_cipher_suite(tls->ctx->cipher_suites, csid)) == NULL) { |
2623 | 52 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2624 | 52 | goto Exit; |
2625 | 52 | } |
2626 | 42.1k | } |
2627 | | |
2628 | 42.0k | { /* legacy_compression_method */ |
2629 | 42.0k | uint8_t method; |
2630 | 42.0k | if ((ret = ptls_decode8(&method, &src, end)) != 0) |
2631 | 5 | goto Exit; |
2632 | 42.0k | if (method != 0) { |
2633 | 8 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2634 | 8 | goto Exit; |
2635 | 8 | } |
2636 | 42.0k | } |
2637 | | |
2638 | 42.0k | if (sh->is_retry_request) |
2639 | 40.7k | sh->retry_request.selected_group = UINT16_MAX; |
2640 | | |
2641 | 42.0k | uint16_t exttype, found_version = UINT16_MAX, selected_psk_identity = UINT16_MAX; |
2642 | 42.0k | decode_extensions(src, end, sh->is_retry_request ? PTLS_HANDSHAKE_TYPE_PSEUDO_HRR : PTLS_HANDSHAKE_TYPE_SERVER_HELLO, &exttype, |
2643 | 42.0k | { |
2644 | 42.0k | if (tls->ctx->on_extension != NULL && |
2645 | 42.0k | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_SERVER_HELLO, |
2646 | 42.0k | exttype, ptls_iovec_init(src, end - src)) != 0)) |
2647 | 42.0k | goto Exit; |
2648 | 42.0k | switch (exttype) { |
2649 | 42.0k | case PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS: |
2650 | 42.0k | if ((ret = ptls_decode16(&found_version, &src, end)) != 0) |
2651 | 42.0k | goto Exit; |
2652 | 42.0k | break; |
2653 | 42.0k | case PTLS_EXTENSION_TYPE_KEY_SHARE: |
2654 | 42.0k | if (tls->ctx->key_exchanges == NULL) { |
2655 | 42.0k | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
2656 | 42.0k | goto Exit; |
2657 | 42.0k | } |
2658 | 42.0k | if (sh->is_retry_request) { |
2659 | 42.0k | if ((ret = ptls_decode16(&sh->retry_request.selected_group, &src, end)) != 0) |
2660 | 42.0k | goto Exit; |
2661 | 42.0k | } else { |
2662 | 42.0k | uint16_t group; |
2663 | 42.0k | if ((ret = decode_key_share_entry(&group, &sh->peerkey, &src, end)) != 0) |
2664 | 42.0k | goto Exit; |
2665 | 42.0k | if (src != end) { |
2666 | 42.0k | ret = PTLS_ALERT_DECODE_ERROR; |
2667 | 42.0k | goto Exit; |
2668 | 42.0k | } |
2669 | 42.0k | if (tls->key_share == NULL || tls->key_share->id != group) { |
2670 | 42.0k | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2671 | 42.0k | goto Exit; |
2672 | 42.0k | } |
2673 | 42.0k | } |
2674 | 42.0k | break; |
2675 | 42.0k | case PTLS_EXTENSION_TYPE_COOKIE: |
2676 | 42.0k | assert(sh->is_retry_request); |
2677 | 42.0k | ptls_decode_block(src, end, 2, { |
2678 | 42.0k | if (src == end) { |
2679 | 42.0k | ret = PTLS_ALERT_DECODE_ERROR; |
2680 | 42.0k | goto Exit; |
2681 | 42.0k | } |
2682 | 42.0k | sh->retry_request.cookie = ptls_iovec_init(src, end - src); |
2683 | 42.0k | src = end; |
2684 | 42.0k | }); |
2685 | 42.0k | break; |
2686 | 42.0k | case PTLS_EXTENSION_TYPE_PRE_SHARED_KEY: |
2687 | 42.0k | assert(!sh->is_retry_request); |
2688 | 42.0k | if ((ret = ptls_decode16(&selected_psk_identity, &src, end)) != 0) |
2689 | 42.0k | goto Exit; |
2690 | 42.0k | break; |
2691 | 42.0k | case PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO: |
2692 | 42.0k | assert(sh->is_retry_request); |
2693 | 42.0k | if (!(tls->ech.offered || tls->ech.offered_grease)) { |
2694 | 42.0k | ret = PTLS_ALERT_UNSUPPORTED_EXTENSION; |
2695 | 42.0k | goto Exit; |
2696 | 42.0k | } |
2697 | 42.0k | if (end - src != PTLS_ECH_CONFIRM_LENGTH) { |
2698 | 42.0k | ret = PTLS_ALERT_DECODE_ERROR; |
2699 | 42.0k | goto Exit; |
2700 | 42.0k | } |
2701 | 42.0k | sh->retry_request.ech = src; |
2702 | 42.0k | src = end; |
2703 | 42.0k | break; |
2704 | 42.0k | default: |
2705 | 42.0k | src = end; |
2706 | 42.0k | break; |
2707 | 42.0k | } |
2708 | 42.0k | }); |
2709 | | |
2710 | 41.7k | if (!is_supported_version(found_version)) { |
2711 | 50 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2712 | 50 | goto Exit; |
2713 | 50 | } |
2714 | 41.6k | if (!sh->is_retry_request) { |
2715 | 1.04k | if (selected_psk_identity != UINT16_MAX) { |
2716 | 26 | if (!tls->client.offered_psk) { |
2717 | 26 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2718 | 26 | goto Exit; |
2719 | 26 | } |
2720 | 0 | if (selected_psk_identity != 0) { |
2721 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2722 | 0 | goto Exit; |
2723 | 0 | } |
2724 | 0 | tls->is_psk_handshake = 1; |
2725 | 0 | } |
2726 | 1.01k | if (sh->peerkey.base == NULL && !tls->is_psk_handshake) { |
2727 | 4 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2728 | 4 | goto Exit; |
2729 | 4 | } |
2730 | 1.01k | } |
2731 | | |
2732 | 41.6k | ret = 0; |
2733 | 42.2k | Exit: |
2734 | 42.2k | return ret; |
2735 | 41.6k | } |
2736 | | |
2737 | | static int handle_hello_retry_request(ptls_t *tls, ptls_message_emitter_t *emitter, struct st_ptls_server_hello_t *sh, |
2738 | | ptls_iovec_t message, ptls_handshake_properties_t *properties) |
2739 | 40.6k | { |
2740 | 40.6k | int ret; |
2741 | | |
2742 | 40.6k | if (tls->client.key_share_ctx != NULL) { |
2743 | 40.6k | tls->client.key_share_ctx->on_exchange(&tls->client.key_share_ctx, 1, NULL, ptls_iovec_init(NULL, 0)); |
2744 | 40.6k | tls->client.key_share_ctx = NULL; |
2745 | 40.6k | } |
2746 | 40.6k | if (tls->client.using_early_data) { |
2747 | | /* release traffic encryption key so that 2nd CH goes out in cleartext, but keep the epoch at 1 since we've already |
2748 | | * called derive-secret */ |
2749 | 0 | if (tls->ctx->update_traffic_key == NULL) { |
2750 | 0 | assert(tls->traffic_protection.enc.aead != NULL); |
2751 | 0 | ptls_aead_free(tls->traffic_protection.enc.aead); |
2752 | 0 | tls->traffic_protection.enc.aead = NULL; |
2753 | 0 | } |
2754 | 0 | tls->client.using_early_data = 0; |
2755 | 0 | } |
2756 | | |
2757 | 40.6k | if (sh->retry_request.selected_group != UINT16_MAX) { |
2758 | | /* we offer the first key_exchanges[0] as KEY_SHARE unless client.negotiate_before_key_exchange is set */ |
2759 | 305 | ptls_key_exchange_algorithm_t **cand; |
2760 | 334 | for (cand = tls->ctx->key_exchanges; *cand != NULL; ++cand) |
2761 | 305 | if ((*cand)->id == sh->retry_request.selected_group) |
2762 | 276 | break; |
2763 | 305 | if (*cand == NULL) { |
2764 | 29 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2765 | 29 | goto Exit; |
2766 | 29 | } |
2767 | 276 | tls->key_share = *cand; |
2768 | 40.3k | } else if (tls->key_share != NULL) { |
2769 | | /* retain the key-share using in first CH, if server does not specify one */ |
2770 | 40.3k | } else { |
2771 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2772 | 0 | goto Exit; |
2773 | 0 | } |
2774 | | |
2775 | 40.5k | ret = send_client_hello(tls, emitter, properties, &sh->retry_request.cookie); |
2776 | | |
2777 | 40.6k | Exit: |
2778 | 40.6k | return ret; |
2779 | 40.5k | } |
2780 | | |
2781 | | static int client_ech_select_hello(ptls_t *tls, ptls_iovec_t message, size_t confirm_hash_off, const char *label) |
2782 | 0 | { |
2783 | 0 | uint8_t confirm_hash_delivered[PTLS_ECH_CONFIRM_LENGTH], confirm_hash_expected[PTLS_ECH_CONFIRM_LENGTH]; |
2784 | 0 | int ret = 0; |
2785 | | |
2786 | | /* Determine if ECH has been accepted by checking the confirmation hash. `confirm_hash_off` set to zero indicates that HRR was |
2787 | | * received wo. ECH extension, which is an indication that ECH was rejected. */ |
2788 | 0 | if (confirm_hash_off != 0) { |
2789 | 0 | memcpy(confirm_hash_delivered, message.base + confirm_hash_off, sizeof(confirm_hash_delivered)); |
2790 | 0 | memset(message.base + confirm_hash_off, 0, sizeof(confirm_hash_delivered)); |
2791 | 0 | if ((ret = ech_calc_confirmation(tls->key_schedule, confirm_hash_expected, tls->ech.inner_client_random, label, message)) != |
2792 | 0 | 0) |
2793 | 0 | goto Exit; |
2794 | 0 | tls->ech.accepted = ptls_mem_equal(confirm_hash_delivered, confirm_hash_expected, sizeof(confirm_hash_delivered)); |
2795 | 0 | memcpy(message.base + confirm_hash_off, confirm_hash_delivered, sizeof(confirm_hash_delivered)); |
2796 | 0 | if (tls->ech.accepted) |
2797 | 0 | goto Exit; |
2798 | 0 | } |
2799 | | |
2800 | | /* dispose ECH AEAD state to indicate rejection, adopting outer CH for the rest of the handshake */ |
2801 | 0 | ptls_aead_free(tls->ech.aead); |
2802 | 0 | tls->ech.aead = NULL; |
2803 | 0 | key_schedule_select_outer(tls->key_schedule); |
2804 | |
|
2805 | 0 | Exit: |
2806 | 0 | PTLS_PROBE(ECH_SELECTION, tls, !!tls->ech.accepted); |
2807 | 0 | PTLS_LOG_CONN(ech_selection, tls, { PTLS_LOG_ELEMENT_BOOL(is_ech, tls->ech.accepted); }); |
2808 | 0 | ptls_clear_memory(confirm_hash_expected, sizeof(confirm_hash_expected)); |
2809 | 0 | return ret; |
2810 | 0 | } |
2811 | | |
2812 | | static int client_handle_hello(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, |
2813 | | ptls_handshake_properties_t *properties) |
2814 | 42.2k | { |
2815 | 42.2k | struct st_ptls_server_hello_t sh; |
2816 | 42.2k | ptls_iovec_t ecdh_secret = {NULL}; |
2817 | 42.2k | int ret; |
2818 | | |
2819 | 42.2k | if ((ret = decode_server_hello(tls, &sh, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len)) != 0) |
2820 | 641 | goto Exit; |
2821 | 41.6k | if (!(sh.legacy_session_id.len == tls->client.legacy_session_id.len && |
2822 | 41.6k | ptls_mem_equal(sh.legacy_session_id.base, tls->client.legacy_session_id.base, tls->client.legacy_session_id.len))) { |
2823 | 5 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2824 | 5 | goto Exit; |
2825 | 5 | } |
2826 | | |
2827 | 41.6k | if (sh.is_retry_request) { |
2828 | 40.6k | if ((ret = key_schedule_select_cipher(tls->key_schedule, tls->cipher_suite, 0, tls->ctx->pre_shared_key.secret)) != 0) |
2829 | 0 | goto Exit; |
2830 | 40.6k | key_schedule_transform_post_ch1hash(tls->key_schedule); |
2831 | 40.6k | if (tls->ech.aead != NULL) { |
2832 | 0 | size_t confirm_hash_off = 0; |
2833 | 0 | if (tls->ech.offered) { |
2834 | 0 | if (sh.retry_request.ech != NULL) |
2835 | 0 | confirm_hash_off = sh.retry_request.ech - message.base; |
2836 | 0 | } else { |
2837 | 0 | assert(tls->ech.offered_grease); |
2838 | 0 | } |
2839 | 0 | if ((ret = client_ech_select_hello(tls, message, confirm_hash_off, ECH_CONFIRMATION_HRR)) != 0) |
2840 | 0 | goto Exit; |
2841 | 0 | } |
2842 | 40.6k | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
2843 | 40.6k | return handle_hello_retry_request(tls, emitter, &sh, message, properties); |
2844 | 40.6k | } |
2845 | | |
2846 | 1.01k | if ((ret = key_schedule_select_cipher(tls->key_schedule, tls->cipher_suite, tls->client.offered_psk && !tls->is_psk_handshake, |
2847 | 1.01k | ptls_iovec_init(NULL, 0))) != 0) |
2848 | 0 | goto Exit; |
2849 | | |
2850 | | /* check if ECH is accepted */ |
2851 | 1.01k | if (tls->ech.aead != NULL) { |
2852 | 0 | size_t confirm_hash_off = 0; |
2853 | 0 | if (tls->ech.offered) { |
2854 | 0 | confirm_hash_off = |
2855 | 0 | PTLS_HANDSHAKE_HEADER_SIZE + 2 /* legacy_version */ + PTLS_HELLO_RANDOM_SIZE - PTLS_ECH_CONFIRM_LENGTH; |
2856 | 0 | } else { |
2857 | 0 | assert(tls->ech.offered_grease); |
2858 | 0 | } |
2859 | 0 | if ((ret = client_ech_select_hello(tls, message, confirm_hash_off, ECH_CONFIRMATION_SERVER_HELLO)) != 0) |
2860 | 0 | goto Exit; |
2861 | 0 | } |
2862 | | |
2863 | | /* clear sensitive and space-consuming ECH state, now that are done with handling sending and decoding Hellos */ |
2864 | 1.01k | clear_ech(&tls->ech, 0); |
2865 | 1.01k | if (tls->key_schedule->hashes[0].ctx_outer != NULL) { |
2866 | 0 | tls->key_schedule->hashes[0].ctx_outer->final(tls->key_schedule->hashes[0].ctx_outer, NULL, PTLS_HASH_FINAL_MODE_FREE); |
2867 | 0 | tls->key_schedule->hashes[0].ctx_outer = NULL; |
2868 | 0 | } |
2869 | | |
2870 | | /* if the client offered external PSK but the server did not use that, we call it a handshake failure */ |
2871 | 1.01k | if (tls->ctx->pre_shared_key.identity.base != NULL && !tls->is_psk_handshake) { |
2872 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
2873 | 0 | goto Exit; |
2874 | 0 | } |
2875 | | |
2876 | 1.01k | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
2877 | | |
2878 | 1.01k | if (sh.peerkey.base != NULL) { |
2879 | 1.01k | if ((ret = tls->client.key_share_ctx->on_exchange(&tls->client.key_share_ctx, 1, &ecdh_secret, sh.peerkey)) != 0) { |
2880 | 2 | assert(ecdh_secret.base == NULL); |
2881 | 2 | goto Exit; |
2882 | 2 | } |
2883 | 1.01k | } |
2884 | | |
2885 | 1.01k | if ((ret = key_schedule_extract(tls->key_schedule, ecdh_secret)) != 0) |
2886 | 0 | goto Exit; |
2887 | 1.01k | if ((ret = setup_traffic_protection(tls, 0, "s hs traffic", 2, 0, 0)) != 0) |
2888 | 0 | goto Exit; |
2889 | 1.01k | if (tls->client.using_early_data) { |
2890 | 0 | if ((tls->pending_handshake_secret = malloc(PTLS_MAX_DIGEST_SIZE)) == NULL) { |
2891 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
2892 | 0 | goto Exit; |
2893 | 0 | } |
2894 | 0 | if ((ret = derive_secret(tls->key_schedule, tls->pending_handshake_secret, "c hs traffic")) != 0) |
2895 | 0 | goto Exit; |
2896 | 0 | if (tls->ctx->update_traffic_key != NULL && |
2897 | 0 | (ret = tls->ctx->update_traffic_key->cb(tls->ctx->update_traffic_key, tls, 1, 2, tls->pending_handshake_secret)) != 0) |
2898 | 0 | goto Exit; |
2899 | 1.01k | } else { |
2900 | 1.01k | if ((ret = setup_traffic_protection(tls, 1, "c hs traffic", 2, 0, 0)) != 0) |
2901 | 0 | goto Exit; |
2902 | 1.01k | } |
2903 | | |
2904 | 1.01k | tls->state = PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS; |
2905 | 1.01k | ret = PTLS_ERROR_IN_PROGRESS; |
2906 | | |
2907 | 1.65k | Exit: |
2908 | 1.65k | if (ecdh_secret.base != NULL) { |
2909 | 1.01k | ptls_clear_memory(ecdh_secret.base, ecdh_secret.len); |
2910 | 1.01k | free(ecdh_secret.base); |
2911 | 1.01k | } |
2912 | 1.65k | return ret; |
2913 | 1.01k | } |
2914 | | |
2915 | | static int should_collect_unknown_extension(ptls_t *tls, ptls_handshake_properties_t *properties, uint16_t type) |
2916 | 382 | { |
2917 | 382 | return properties != NULL && properties->collect_extension != NULL && properties->collect_extension(tls, properties, type); |
2918 | 382 | } |
2919 | | |
2920 | | static int collect_unknown_extension(ptls_t *tls, uint16_t type, const uint8_t *src, const uint8_t *const end, |
2921 | | ptls_raw_extension_t *slots) |
2922 | 0 | { |
2923 | 0 | size_t i; |
2924 | 0 | for (i = 0; slots[i].type != UINT16_MAX; ++i) { |
2925 | 0 | assert(i < MAX_UNKNOWN_EXTENSIONS); |
2926 | 0 | if (slots[i].type == type) |
2927 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
2928 | 0 | } |
2929 | 0 | if (i < MAX_UNKNOWN_EXTENSIONS) { |
2930 | 0 | slots[i].type = type; |
2931 | 0 | slots[i].data = ptls_iovec_init(src, end - src); |
2932 | 0 | slots[i + 1].type = UINT16_MAX; |
2933 | 0 | } |
2934 | 0 | return 0; |
2935 | 0 | } |
2936 | | |
2937 | | static int report_unknown_extensions(ptls_t *tls, ptls_handshake_properties_t *properties, ptls_raw_extension_t *slots) |
2938 | 658 | { |
2939 | 658 | if (properties != NULL && properties->collect_extension != NULL) { |
2940 | 0 | assert(properties->collected_extensions != NULL); |
2941 | 0 | return properties->collected_extensions(tls, properties, slots); |
2942 | 658 | } else { |
2943 | 658 | return 0; |
2944 | 658 | } |
2945 | 658 | } |
2946 | | |
2947 | | static int client_handle_encrypted_extensions(ptls_t *tls, ptls_iovec_t message, ptls_handshake_properties_t *properties) |
2948 | 938 | { |
2949 | 938 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
2950 | 938 | uint16_t type; |
2951 | 938 | static const ptls_raw_extension_t no_unknown_extensions = {UINT16_MAX}; |
2952 | 938 | ptls_raw_extension_t *unknown_extensions = (ptls_raw_extension_t *)&no_unknown_extensions; |
2953 | 938 | int ret, skip_early_data = 1; |
2954 | 938 | uint8_t server_offered_cert_type = PTLS_CERTIFICATE_TYPE_X509; |
2955 | | |
2956 | 938 | decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS, &type, { |
2957 | 938 | if (tls->ctx->on_extension != NULL && |
2958 | 938 | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS, type, |
2959 | 938 | ptls_iovec_init(src, end - src)) != 0)) |
2960 | 938 | goto Exit; |
2961 | 938 | switch (type) { |
2962 | 938 | case PTLS_EXTENSION_TYPE_SERVER_NAME: |
2963 | 938 | if (src != end) { |
2964 | 938 | ret = PTLS_ALERT_DECODE_ERROR; |
2965 | 938 | goto Exit; |
2966 | 938 | } |
2967 | 938 | if (!(tls->server_name != NULL && !ptls_server_name_is_ipaddr(tls->server_name))) { |
2968 | 938 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2969 | 938 | goto Exit; |
2970 | 938 | } |
2971 | 938 | break; |
2972 | 938 | case PTLS_EXTENSION_TYPE_ALPN: |
2973 | 938 | ptls_decode_block(src, end, 2, { |
2974 | 938 | ptls_decode_open_block(src, end, 1, { |
2975 | 938 | if (src == end) { |
2976 | 938 | ret = PTLS_ALERT_DECODE_ERROR; |
2977 | 938 | goto Exit; |
2978 | 938 | } |
2979 | 938 | if ((ret = ptls_set_negotiated_protocol(tls, (const char *)src, end - src)) != 0) |
2980 | 938 | goto Exit; |
2981 | 938 | src = end; |
2982 | 938 | }); |
2983 | 938 | if (src != end) { |
2984 | 938 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
2985 | 938 | goto Exit; |
2986 | 938 | } |
2987 | 938 | }); |
2988 | 938 | break; |
2989 | 938 | case PTLS_EXTENSION_TYPE_EARLY_DATA: |
2990 | 938 | if (!tls->client.using_early_data) { |
2991 | 938 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2992 | 938 | goto Exit; |
2993 | 938 | } |
2994 | 938 | skip_early_data = 0; |
2995 | 938 | break; |
2996 | 938 | case PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE: |
2997 | 938 | if (end - src != 1) { |
2998 | 938 | ret = PTLS_ALERT_DECODE_ERROR; |
2999 | 938 | goto Exit; |
3000 | 938 | } |
3001 | 938 | server_offered_cert_type = *src; |
3002 | 938 | src = end; |
3003 | 938 | break; |
3004 | 938 | case PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO: { |
3005 | | /* accept retry_configs only if we offered ECH but rejected */ |
3006 | 938 | if (!((tls->ech.offered || tls->ech.offered_grease) && !ptls_is_ech_handshake(tls, NULL, NULL, NULL))) { |
3007 | 938 | ret = PTLS_ALERT_UNSUPPORTED_EXTENSION; |
3008 | 938 | goto Exit; |
3009 | 938 | } |
3010 | | /* parse retry_config, and if it is applicable, provide that to the application */ |
3011 | 938 | struct st_decoded_ech_config_t decoded; |
3012 | 938 | if ((ret = client_decode_ech_config_list(tls->ctx, &decoded, ptls_iovec_init(src, end - src))) != 0) |
3013 | 938 | goto Exit; |
3014 | 938 | if (decoded.kem != NULL && decoded.cipher != NULL && properties != NULL && |
3015 | 938 | properties->client.ech.retry_configs != NULL) { |
3016 | 938 | if ((properties->client.ech.retry_configs->base = malloc(end - src)) == NULL) { |
3017 | 938 | ret = PTLS_ERROR_NO_MEMORY; |
3018 | 938 | goto Exit; |
3019 | 938 | } |
3020 | 938 | memcpy(properties->client.ech.retry_configs->base, src, end - src); |
3021 | 938 | properties->client.ech.retry_configs->len = end - src; |
3022 | 938 | } |
3023 | 938 | src = end; |
3024 | 938 | } break; |
3025 | 938 | default: |
3026 | 938 | if (should_collect_unknown_extension(tls, properties, type)) { |
3027 | 938 | if (unknown_extensions == &no_unknown_extensions) { |
3028 | 938 | if ((unknown_extensions = malloc(sizeof(*unknown_extensions) * (MAX_UNKNOWN_EXTENSIONS + 1))) == NULL) { |
3029 | 938 | ret = PTLS_ERROR_NO_MEMORY; |
3030 | 938 | goto Exit; |
3031 | 938 | } |
3032 | 938 | unknown_extensions[0].type = UINT16_MAX; |
3033 | 938 | } |
3034 | 938 | if ((ret = collect_unknown_extension(tls, type, src, end, unknown_extensions)) != 0) |
3035 | 938 | goto Exit; |
3036 | 938 | } |
3037 | 938 | break; |
3038 | 938 | } |
3039 | 938 | src = end; |
3040 | 938 | }); |
3041 | | |
3042 | 669 | if (server_offered_cert_type != |
3043 | 669 | (tls->ctx->use_raw_public_keys ? PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY : PTLS_CERTIFICATE_TYPE_X509)) { |
3044 | 11 | ret = PTLS_ALERT_UNSUPPORTED_CERTIFICATE; |
3045 | 11 | goto Exit; |
3046 | 11 | } |
3047 | | |
3048 | 658 | if (tls->client.using_early_data) { |
3049 | 0 | if (skip_early_data) |
3050 | 0 | tls->client.using_early_data = 0; |
3051 | 0 | if (properties != NULL) |
3052 | 0 | properties->client.early_data_acceptance = skip_early_data ? PTLS_EARLY_DATA_REJECTED : PTLS_EARLY_DATA_ACCEPTED; |
3053 | 0 | } |
3054 | 658 | if ((ret = report_unknown_extensions(tls, properties, unknown_extensions)) != 0) |
3055 | 0 | goto Exit; |
3056 | | |
3057 | 658 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3058 | 658 | tls->state = |
3059 | 658 | tls->is_psk_handshake ? PTLS_STATE_CLIENT_EXPECT_FINISHED : PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE; |
3060 | 658 | ret = PTLS_ERROR_IN_PROGRESS; |
3061 | | |
3062 | 938 | Exit: |
3063 | 938 | if (unknown_extensions != &no_unknown_extensions) |
3064 | 0 | free(unknown_extensions); |
3065 | 938 | return ret; |
3066 | 658 | } |
3067 | | |
3068 | | static int decode_certificate_request(ptls_t *tls, struct st_ptls_certificate_request_t *cr, const uint8_t *src, |
3069 | | const uint8_t *const end) |
3070 | 256 | { |
3071 | 256 | int ret; |
3072 | 256 | uint16_t exttype = 0; |
3073 | | |
3074 | | /* certificate request context */ |
3075 | 256 | ptls_decode_open_block(src, end, 1, { |
3076 | 256 | size_t len = end - src; |
3077 | 256 | if (len > 255) { |
3078 | 256 | ret = PTLS_ALERT_DECODE_ERROR; |
3079 | 256 | goto Exit; |
3080 | 256 | } |
3081 | 256 | if ((cr->context.base = malloc(len != 0 ? len : 1)) == NULL) { |
3082 | 256 | ret = PTLS_ERROR_NO_MEMORY; |
3083 | 256 | goto Exit; |
3084 | 256 | } |
3085 | 256 | cr->context.len = len; |
3086 | 256 | memcpy(cr->context.base, src, len); |
3087 | 256 | src = end; |
3088 | 256 | }); |
3089 | | |
3090 | | /* decode extensions */ |
3091 | 253 | decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST, &exttype, { |
3092 | 253 | if (tls->ctx->on_extension != NULL && |
3093 | 253 | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST, exttype, |
3094 | 253 | ptls_iovec_init(src, end - src)) != 0)) |
3095 | 253 | goto Exit; |
3096 | 253 | switch (exttype) { |
3097 | 253 | case PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS: |
3098 | 253 | if ((ret = decode_signature_algorithms(&cr->signature_algorithms, &src, end)) != 0) |
3099 | 253 | goto Exit; |
3100 | 253 | break; |
3101 | 253 | } |
3102 | 253 | src = end; |
3103 | 253 | }); |
3104 | | |
3105 | 12 | if (cr->signature_algorithms.count == 0) { |
3106 | 3 | ret = PTLS_ALERT_MISSING_EXTENSION; |
3107 | 3 | goto Exit; |
3108 | 3 | } |
3109 | | |
3110 | 9 | ret = 0; |
3111 | 256 | Exit: |
3112 | 256 | return ret; |
3113 | 9 | } |
3114 | | |
3115 | | int ptls_build_certificate_message(ptls_buffer_t *buf, ptls_iovec_t context, ptls_iovec_t *certificates, size_t num_certificates, |
3116 | | ptls_iovec_t ocsp_status) |
3117 | 0 | { |
3118 | 0 | int ret; |
3119 | |
|
3120 | 0 | ptls_buffer_push_block(buf, 1, { ptls_buffer_pushv(buf, context.base, context.len); }); |
3121 | 0 | ptls_buffer_push_block(buf, 3, { |
3122 | 0 | size_t i; |
3123 | 0 | for (i = 0; i != num_certificates; ++i) { |
3124 | 0 | ptls_buffer_push_block(buf, 3, { ptls_buffer_pushv(buf, certificates[i].base, certificates[i].len); }); |
3125 | 0 | ptls_buffer_push_block(buf, 2, { |
3126 | 0 | if (i == 0 && ocsp_status.len != 0) { |
3127 | 0 | buffer_push_extension(buf, PTLS_EXTENSION_TYPE_STATUS_REQUEST, { |
3128 | 0 | ptls_buffer_push(buf, 1); /* status_type == ocsp */ |
3129 | 0 | ptls_buffer_push_block(buf, 3, { ptls_buffer_pushv(buf, ocsp_status.base, ocsp_status.len); }); |
3130 | 0 | }); |
3131 | 0 | } |
3132 | 0 | }); |
3133 | 0 | } |
3134 | 0 | }); |
3135 | | |
3136 | 0 | ret = 0; |
3137 | 0 | Exit: |
3138 | 0 | return ret; |
3139 | 0 | } |
3140 | | |
3141 | | static int default_emit_certificate_cb(ptls_emit_certificate_t *_self, ptls_t *tls, ptls_message_emitter_t *emitter, |
3142 | | ptls_key_schedule_t *key_sched, ptls_iovec_t context, int push_status_request, |
3143 | | const uint16_t *compress_algos, size_t num_compress_algos) |
3144 | 0 | { |
3145 | 0 | int ret; |
3146 | |
|
3147 | 0 | ptls_push_message(emitter, key_sched, PTLS_HANDSHAKE_TYPE_CERTIFICATE, { |
3148 | 0 | if ((ret = ptls_build_certificate_message(emitter->buf, context, tls->ctx->certificates.list, tls->ctx->certificates.count, |
3149 | 0 | ptls_iovec_init(NULL, 0))) != 0) |
3150 | 0 | goto Exit; |
3151 | 0 | }); |
3152 | | |
3153 | 0 | ret = 0; |
3154 | 0 | Exit: |
3155 | 0 | return ret; |
3156 | 0 | } |
3157 | | |
3158 | | static int send_certificate(ptls_t *tls, ptls_message_emitter_t *emitter, |
3159 | | struct st_ptls_signature_algorithms_t *signature_algorithms, ptls_iovec_t context, |
3160 | | int push_status_request, const uint16_t *compress_algos, size_t num_compress_algos) |
3161 | 0 | { |
3162 | 0 | int ret; |
3163 | |
|
3164 | 0 | if (signature_algorithms->count == 0) { |
3165 | 0 | ret = PTLS_ALERT_MISSING_EXTENSION; |
3166 | 0 | goto Exit; |
3167 | 0 | } |
3168 | | |
3169 | 0 | { /* send Certificate (or the equivalent) */ |
3170 | 0 | static ptls_emit_certificate_t default_emit_certificate = {default_emit_certificate_cb}; |
3171 | 0 | ptls_emit_certificate_t *emit_certificate = |
3172 | 0 | tls->ctx->emit_certificate != NULL ? tls->ctx->emit_certificate : &default_emit_certificate; |
3173 | 0 | Redo: |
3174 | 0 | if ((ret = emit_certificate->cb(emit_certificate, tls, emitter, tls->key_schedule, context, push_status_request, |
3175 | 0 | compress_algos, num_compress_algos)) != 0) { |
3176 | 0 | if (ret == PTLS_ERROR_DELEGATE) { |
3177 | 0 | assert(emit_certificate != &default_emit_certificate); |
3178 | 0 | emit_certificate = &default_emit_certificate; |
3179 | 0 | goto Redo; |
3180 | 0 | } |
3181 | 0 | goto Exit; |
3182 | 0 | } |
3183 | 0 | } |
3184 | | |
3185 | 0 | Exit: |
3186 | 0 | return ret; |
3187 | 0 | } |
3188 | | |
3189 | | static int send_certificate_verify(ptls_t *tls, ptls_message_emitter_t *emitter, |
3190 | | struct st_ptls_signature_algorithms_t *signature_algorithms, const char *context_string) |
3191 | 0 | { |
3192 | 0 | size_t start_off = emitter->buf->off; |
3193 | 0 | int ret; |
3194 | |
|
3195 | 0 | if (tls->ctx->sign_certificate == NULL) |
3196 | 0 | return 0; |
3197 | | /* build and send CertificateVerify */ |
3198 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY, { |
3199 | 0 | ptls_buffer_t *sendbuf = emitter->buf; |
3200 | 0 | size_t algo_off = sendbuf->off; |
3201 | 0 | ptls_buffer_push16(sendbuf, 0); /* filled in later */ |
3202 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
3203 | 0 | uint16_t algo; |
3204 | 0 | uint8_t data[PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE]; |
3205 | 0 | size_t datalen = build_certificate_verify_signdata(data, tls->key_schedule, context_string); |
3206 | 0 | if ((ret = tls->ctx->sign_certificate->cb( |
3207 | 0 | tls->ctx->sign_certificate, tls, tls->is_server ? &tls->server.async_job : NULL, &algo, sendbuf, |
3208 | 0 | ptls_iovec_init(data, datalen), signature_algorithms != NULL ? signature_algorithms->list : NULL, |
3209 | 0 | signature_algorithms != NULL ? signature_algorithms->count : 0)) == PTLS_ERROR_ASYNC_OPERATION) { |
3210 | 0 | assert(tls->is_server || !"async operation only supported on the server-side"); |
3211 | 0 | assert(tls->server.async_job != NULL); |
3212 | | /* Reset the output to the end of the previous handshake message. CertificateVerify will be rebuilt when the async |
3213 | | * operation completes. */ |
3214 | 0 | emitter->buf->off = start_off; |
3215 | 0 | goto Exit; |
3216 | 0 | } |
3217 | 0 | assert(!tls->is_server || tls->server.async_job == NULL); |
3218 | 0 | if (ret != 0) |
3219 | 0 | goto Exit; |
3220 | 0 | sendbuf->base[algo_off] = (uint8_t)(algo >> 8); |
3221 | 0 | sendbuf->base[algo_off + 1] = (uint8_t)algo; |
3222 | 0 | }); |
3223 | 0 | }); |
3224 | 0 | Exit: |
3225 | 0 | return ret; |
3226 | 0 | } |
3227 | | |
3228 | | static int client_handle_certificate_request(ptls_t *tls, ptls_iovec_t message, ptls_handshake_properties_t *properties) |
3229 | 256 | { |
3230 | 256 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
3231 | 256 | int ret = 0; |
3232 | | |
3233 | 256 | assert(!tls->is_psk_handshake && "state machine asserts that this message is never delivered when PSK is used"); |
3234 | | |
3235 | 256 | if ((ret = decode_certificate_request(tls, &tls->client.certificate_request, src, end)) != 0) |
3236 | 247 | return ret; |
3237 | | |
3238 | | /* This field SHALL be zero length unless used for the post-handshake authentication exchanges (section 4.3.2) */ |
3239 | 9 | if (tls->client.certificate_request.context.len != 0) |
3240 | 2 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
3241 | | |
3242 | 7 | tls->state = PTLS_STATE_CLIENT_EXPECT_CERTIFICATE; |
3243 | 7 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3244 | | |
3245 | 7 | return PTLS_ERROR_IN_PROGRESS; |
3246 | 9 | } |
3247 | | |
3248 | | static int handle_certificate(ptls_t *tls, const uint8_t *src, const uint8_t *end, int *got_certs) |
3249 | 361 | { |
3250 | 361 | ptls_iovec_t certs[16]; |
3251 | 361 | size_t num_certs = 0; |
3252 | 361 | int ret = 0; |
3253 | | |
3254 | | /* certificate request context */ |
3255 | 361 | ptls_decode_open_block(src, end, 1, { |
3256 | 361 | if (src != end) { |
3257 | 361 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3258 | 361 | goto Exit; |
3259 | 361 | } |
3260 | 361 | }); |
3261 | | /* certificate_list */ |
3262 | 339 | ptls_decode_block(src, end, 3, { |
3263 | 339 | while (src != end) { |
3264 | 339 | ptls_decode_open_block(src, end, 3, { |
3265 | 339 | if (num_certs < PTLS_ELEMENTSOF(certs)) |
3266 | 339 | certs[num_certs++] = ptls_iovec_init(src, end - src); |
3267 | 339 | src = end; |
3268 | 339 | }); |
3269 | 339 | uint16_t type; |
3270 | 339 | decode_open_extensions(src, end, PTLS_HANDSHAKE_TYPE_CERTIFICATE, &type, { |
3271 | 339 | if (tls->ctx->on_extension != NULL && |
3272 | 339 | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_CERTIFICATE, type, |
3273 | 339 | ptls_iovec_init(src, end - src)) != 0)) |
3274 | 339 | goto Exit; |
3275 | 339 | src = end; |
3276 | 339 | }); |
3277 | 339 | } |
3278 | 339 | }); |
3279 | | |
3280 | 79 | if (tls->ctx->verify_certificate != NULL) { |
3281 | 0 | const char *server_name = NULL; |
3282 | 0 | if (!ptls_is_server(tls)) { |
3283 | 0 | if (tls->ech.offered && !ptls_is_ech_handshake(tls, NULL, NULL, NULL)) { |
3284 | 0 | server_name = tls->ech.client.public_name; |
3285 | 0 | } else { |
3286 | 0 | server_name = tls->server_name; |
3287 | 0 | } |
3288 | 0 | } |
3289 | 0 | if ((ret = tls->ctx->verify_certificate->cb(tls->ctx->verify_certificate, tls, server_name, &tls->certificate_verify.cb, |
3290 | 0 | &tls->certificate_verify.verify_ctx, certs, num_certs)) != 0) |
3291 | 0 | goto Exit; |
3292 | 0 | } |
3293 | | |
3294 | 79 | *got_certs = num_certs != 0; |
3295 | | |
3296 | 361 | Exit: |
3297 | 361 | return ret; |
3298 | 79 | } |
3299 | | |
3300 | | static int client_do_handle_certificate(ptls_t *tls, const uint8_t *src, const uint8_t *end) |
3301 | 361 | { |
3302 | 361 | int got_certs, ret; |
3303 | | |
3304 | 361 | if ((ret = handle_certificate(tls, src, end, &got_certs)) != 0) |
3305 | 282 | return ret; |
3306 | 79 | if (!got_certs) |
3307 | 1 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
3308 | | |
3309 | 78 | return 0; |
3310 | 79 | } |
3311 | | |
3312 | | static int client_handle_certificate(ptls_t *tls, ptls_iovec_t message) |
3313 | 361 | { |
3314 | 361 | int ret; |
3315 | | |
3316 | 361 | if ((ret = client_do_handle_certificate(tls, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len)) != 0) |
3317 | 283 | return ret; |
3318 | | |
3319 | 78 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3320 | | |
3321 | 78 | tls->state = PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY; |
3322 | 78 | return PTLS_ERROR_IN_PROGRESS; |
3323 | 361 | } |
3324 | | |
3325 | | static int client_handle_compressed_certificate(ptls_t *tls, ptls_iovec_t message) |
3326 | 2 | { |
3327 | 2 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
3328 | 2 | uint16_t algo; |
3329 | 2 | uint32_t uncompressed_size; |
3330 | 2 | uint8_t *uncompressed = NULL; |
3331 | 2 | int ret; |
3332 | | |
3333 | 2 | if (tls->ctx->decompress_certificate == NULL) { |
3334 | 2 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
3335 | 2 | goto Exit; |
3336 | 2 | } |
3337 | | |
3338 | | /* decode */ |
3339 | 0 | if ((ret = ptls_decode16(&algo, &src, end)) != 0) |
3340 | 0 | goto Exit; |
3341 | 0 | if ((ret = ptls_decode24(&uncompressed_size, &src, end)) != 0) |
3342 | 0 | goto Exit; |
3343 | 0 | if (uncompressed_size > 65536) { /* TODO find a sensible number */ |
3344 | 0 | ret = PTLS_ALERT_BAD_CERTIFICATE; |
3345 | 0 | goto Exit; |
3346 | 0 | } |
3347 | 0 | if ((uncompressed = malloc(uncompressed_size)) == NULL) { |
3348 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
3349 | 0 | goto Exit; |
3350 | 0 | } |
3351 | 0 | ptls_decode_block(src, end, 3, { |
3352 | 0 | if ((ret = tls->ctx->decompress_certificate->cb(tls->ctx->decompress_certificate, tls, algo, |
3353 | 0 | ptls_iovec_init(uncompressed, uncompressed_size), |
3354 | 0 | ptls_iovec_init(src, end - src))) != 0) |
3355 | 0 | goto Exit; |
3356 | 0 | src = end; |
3357 | 0 | }); |
3358 | | |
3359 | | /* handle */ |
3360 | 0 | if ((ret = client_do_handle_certificate(tls, uncompressed, uncompressed + uncompressed_size)) != 0) |
3361 | 0 | goto Exit; |
3362 | | |
3363 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3364 | 0 | tls->state = PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY; |
3365 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
3366 | |
|
3367 | 2 | Exit: |
3368 | 2 | free(uncompressed); |
3369 | 2 | return ret; |
3370 | 0 | } |
3371 | | |
3372 | | static int server_handle_certificate(ptls_t *tls, ptls_iovec_t message) |
3373 | 0 | { |
3374 | 0 | int got_certs, ret; |
3375 | |
|
3376 | 0 | if ((ret = handle_certificate(tls, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len, &got_certs)) != 0) |
3377 | 0 | return ret; |
3378 | | |
3379 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3380 | |
|
3381 | 0 | if (got_certs) { |
3382 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY; |
3383 | 0 | } else { |
3384 | | /* Client did not provide certificate, and the verifier says we can fail open. Therefore, the next message is Finished. */ |
3385 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
3386 | 0 | } |
3387 | |
|
3388 | 0 | return PTLS_ERROR_IN_PROGRESS; |
3389 | 0 | } |
3390 | | |
3391 | | static int handle_certificate_verify(ptls_t *tls, ptls_iovec_t message, const char *context_string) |
3392 | 63 | { |
3393 | 63 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
3394 | 63 | uint16_t algo; |
3395 | 63 | ptls_iovec_t signature; |
3396 | 63 | uint8_t signdata[PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE]; |
3397 | 63 | size_t signdata_size; |
3398 | 63 | int ret; |
3399 | | |
3400 | | /* decode */ |
3401 | 63 | if ((ret = ptls_decode16(&algo, &src, end)) != 0) |
3402 | 3 | goto Exit; |
3403 | 60 | ptls_decode_block(src, end, 2, { |
3404 | 60 | signature = ptls_iovec_init(src, end - src); |
3405 | 60 | src = end; |
3406 | 60 | }); |
3407 | | |
3408 | 30 | signdata_size = build_certificate_verify_signdata(signdata, tls->key_schedule, context_string); |
3409 | 30 | if (tls->certificate_verify.cb != NULL) { |
3410 | 0 | ret = tls->certificate_verify.cb(tls->certificate_verify.verify_ctx, algo, ptls_iovec_init(signdata, signdata_size), |
3411 | 0 | signature); |
3412 | 30 | } else { |
3413 | 30 | ret = 0; |
3414 | 30 | } |
3415 | 30 | ptls_clear_memory(signdata, signdata_size); |
3416 | 30 | tls->certificate_verify.cb = NULL; |
3417 | 30 | if (ret != 0) { |
3418 | 0 | goto Exit; |
3419 | 0 | } |
3420 | | |
3421 | 30 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3422 | | |
3423 | 63 | Exit: |
3424 | 63 | return ret; |
3425 | 30 | } |
3426 | | |
3427 | | static int client_handle_certificate_verify(ptls_t *tls, ptls_iovec_t message) |
3428 | 63 | { |
3429 | 63 | int ret = handle_certificate_verify(tls, message, PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING); |
3430 | | |
3431 | 63 | if (ret == 0) { |
3432 | 30 | tls->state = PTLS_STATE_CLIENT_EXPECT_FINISHED; |
3433 | 30 | ret = PTLS_ERROR_IN_PROGRESS; |
3434 | 30 | } |
3435 | | |
3436 | 63 | return ret; |
3437 | 63 | } |
3438 | | |
3439 | | static int server_handle_certificate_verify(ptls_t *tls, ptls_iovec_t message) |
3440 | 0 | { |
3441 | 0 | int ret = handle_certificate_verify(tls, message, PTLS_CLIENT_CERTIFICATE_VERIFY_CONTEXT_STRING); |
3442 | |
|
3443 | 0 | if (ret == 0) { |
3444 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
3445 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
3446 | 0 | } |
3447 | |
|
3448 | 0 | return ret; |
3449 | 0 | } |
3450 | | |
3451 | | static int client_handle_finished(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message) |
3452 | 17 | { |
3453 | 17 | uint8_t send_secret[PTLS_MAX_DIGEST_SIZE]; |
3454 | 17 | int alert_ech_required = tls->ech.offered && !ptls_is_ech_handshake(tls, NULL, NULL, NULL), ret; |
3455 | | |
3456 | 17 | if ((ret = verify_finished(tls, message)) != 0) |
3457 | 17 | goto Exit; |
3458 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3459 | | |
3460 | | /* update traffic keys by using messages upto ServerFinished, but commission them after sending ClientFinished */ |
3461 | 0 | if ((ret = key_schedule_extract(tls->key_schedule, ptls_iovec_init(NULL, 0))) != 0) |
3462 | 0 | goto Exit; |
3463 | 0 | if ((ret = setup_traffic_protection(tls, 0, "s ap traffic", 3, 0, 0)) != 0) |
3464 | 0 | goto Exit; |
3465 | 0 | if ((ret = derive_secret(tls->key_schedule, send_secret, "c ap traffic")) != 0) |
3466 | 0 | goto Exit; |
3467 | 0 | if ((ret = derive_exporter_secret(tls, 0)) != 0) |
3468 | 0 | goto Exit; |
3469 | | |
3470 | | /* if sending early data, emit EOED and commision the client handshake traffic secret */ |
3471 | 0 | if (tls->pending_handshake_secret != NULL) { |
3472 | 0 | assert(tls->traffic_protection.enc.aead != NULL || tls->ctx->update_traffic_key != NULL); |
3473 | 0 | if (tls->client.using_early_data && !tls->ctx->omit_end_of_early_data) |
3474 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA, {}); |
3475 | 0 | tls->client.using_early_data = 0; |
3476 | 0 | if ((ret = commission_handshake_secret(tls)) != 0) |
3477 | 0 | goto Exit; |
3478 | 0 | } |
3479 | | |
3480 | 0 | if ((ret = push_change_cipher_spec(tls, emitter)) != 0) |
3481 | 0 | goto Exit; |
3482 | | |
3483 | 0 | if (!alert_ech_required && tls->client.certificate_request.context.base != NULL) { |
3484 | 0 | if ((ret = send_certificate(tls, emitter, &tls->client.certificate_request.signature_algorithms, |
3485 | 0 | tls->client.certificate_request.context, 0, NULL, 0)) == 0) |
3486 | 0 | ret = send_certificate_verify(tls, emitter, &tls->client.certificate_request.signature_algorithms, |
3487 | 0 | PTLS_CLIENT_CERTIFICATE_VERIFY_CONTEXT_STRING); |
3488 | 0 | free(tls->client.certificate_request.context.base); |
3489 | 0 | tls->client.certificate_request.context = ptls_iovec_init(NULL, 0); |
3490 | 0 | if (ret != 0) |
3491 | 0 | goto Exit; |
3492 | 0 | } |
3493 | | |
3494 | 0 | ret = send_finished(tls, emitter); |
3495 | |
|
3496 | 0 | memcpy(tls->traffic_protection.enc.secret, send_secret, sizeof(send_secret)); |
3497 | 0 | if ((ret = setup_traffic_protection(tls, 1, NULL, 3, 0, 0)) != 0) |
3498 | 0 | goto Exit; |
3499 | | |
3500 | 0 | tls->state = PTLS_STATE_CLIENT_POST_HANDSHAKE; |
3501 | | |
3502 | | /* if ECH was rejected, close the connection with ECH_REQUIRED alert after verifying messages up to Finished */ |
3503 | 0 | if (alert_ech_required) |
3504 | 0 | ret = PTLS_ALERT_ECH_REQUIRED; |
3505 | |
|
3506 | 17 | Exit: |
3507 | 17 | ptls_clear_memory(send_secret, sizeof(send_secret)); |
3508 | 17 | return ret; |
3509 | 0 | } |
3510 | | |
3511 | | static int client_handle_new_session_ticket(ptls_t *tls, ptls_iovec_t message) |
3512 | 0 | { |
3513 | 0 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
3514 | 0 | ptls_iovec_t ticket_nonce; |
3515 | 0 | int ret; |
3516 | |
|
3517 | 0 | { /* verify the format */ |
3518 | 0 | uint32_t ticket_lifetime, ticket_age_add, max_early_data_size; |
3519 | 0 | ptls_iovec_t ticket; |
3520 | 0 | if ((ret = decode_new_session_ticket(tls, &ticket_lifetime, &ticket_age_add, &ticket_nonce, &ticket, &max_early_data_size, |
3521 | 0 | src, end)) != 0) |
3522 | 0 | return ret; |
3523 | 0 | } |
3524 | | |
3525 | | /* do nothing if use of session ticket is disabled */ |
3526 | 0 | if (tls->ctx->save_ticket == NULL) |
3527 | 0 | return 0; |
3528 | | |
3529 | | /* save the extension, along with the key of myself */ |
3530 | 0 | ptls_buffer_t ticket_buf; |
3531 | 0 | ptls_buffer_init(&ticket_buf, "", 0); |
3532 | 0 | ptls_buffer_push64(&ticket_buf, tls->ctx->get_time->cb(tls->ctx->get_time)); |
3533 | 0 | ptls_buffer_push16(&ticket_buf, tls->key_share->id); |
3534 | 0 | ptls_buffer_push16(&ticket_buf, tls->cipher_suite->id); |
3535 | 0 | ptls_buffer_push_block(&ticket_buf, 3, { ptls_buffer_pushv(&ticket_buf, src, end - src); }); |
3536 | 0 | ptls_buffer_push_block(&ticket_buf, 2, { |
3537 | 0 | if ((ret = ptls_buffer_reserve(&ticket_buf, tls->key_schedule->hashes[0].algo->digest_size)) != 0) |
3538 | 0 | goto Exit; |
3539 | 0 | if ((ret = derive_resumption_secret(tls->key_schedule, ticket_buf.base + ticket_buf.off, ticket_nonce)) != 0) |
3540 | 0 | goto Exit; |
3541 | 0 | ticket_buf.off += tls->key_schedule->hashes[0].algo->digest_size; |
3542 | 0 | }); |
3543 | | |
3544 | 0 | if ((ret = tls->ctx->save_ticket->cb(tls->ctx->save_ticket, tls, ptls_iovec_init(ticket_buf.base, ticket_buf.off))) != 0) |
3545 | 0 | goto Exit; |
3546 | | |
3547 | 0 | ret = 0; |
3548 | 0 | Exit: |
3549 | 0 | ptls_buffer_dispose(&ticket_buf); |
3550 | 0 | return ret; |
3551 | 0 | } |
3552 | | |
3553 | | static int client_hello_decode_server_name(ptls_iovec_t *name, const uint8_t **src, const uint8_t *const end) |
3554 | 0 | { |
3555 | 0 | int ret = 0; |
3556 | |
|
3557 | 0 | ptls_decode_open_block(*src, end, 2, { |
3558 | 0 | do { |
3559 | 0 | uint8_t type; |
3560 | 0 | if ((ret = ptls_decode8(&type, src, end)) != 0) |
3561 | 0 | goto Exit; |
3562 | 0 | ptls_decode_open_block(*src, end, 2, { |
3563 | 0 | switch (type) { |
3564 | 0 | case PTLS_SERVER_NAME_TYPE_HOSTNAME: |
3565 | 0 | if (memchr(*src, '\0', end - *src) != 0) { |
3566 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3567 | 0 | goto Exit; |
3568 | 0 | } |
3569 | 0 | *name = ptls_iovec_init(*src, end - *src); |
3570 | 0 | break; |
3571 | 0 | default: |
3572 | 0 | break; |
3573 | 0 | } |
3574 | 0 | *src = end; |
3575 | 0 | }); |
3576 | 0 | } while (*src != end); |
3577 | 0 | }); |
3578 | | |
3579 | 0 | Exit: |
3580 | 0 | return ret; |
3581 | 0 | } |
3582 | | |
3583 | | static int select_negotiated_group(ptls_key_exchange_algorithm_t **selected, ptls_key_exchange_algorithm_t **candidates, |
3584 | | const uint8_t *src, const uint8_t *const end) |
3585 | 0 | { |
3586 | 0 | int ret; |
3587 | |
|
3588 | 0 | ptls_decode_block(src, end, 2, { |
3589 | 0 | while (src != end) { |
3590 | 0 | uint16_t group; |
3591 | 0 | if ((ret = ptls_decode16(&group, &src, end)) != 0) |
3592 | 0 | goto Exit; |
3593 | 0 | ptls_key_exchange_algorithm_t **c = candidates; |
3594 | 0 | for (; *c != NULL; ++c) { |
3595 | 0 | if ((*c)->id == group) { |
3596 | 0 | *selected = *c; |
3597 | 0 | return 0; |
3598 | 0 | } |
3599 | 0 | } |
3600 | 0 | } |
3601 | 0 | }); |
3602 | | |
3603 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
3604 | |
|
3605 | 0 | Exit: |
3606 | 0 | return ret; |
3607 | 0 | } |
3608 | | |
3609 | | static int decode_client_hello(ptls_context_t *ctx, struct st_ptls_client_hello_t *ch, const uint8_t *src, const uint8_t *const end, |
3610 | | ptls_handshake_properties_t *properties, ptls_t *tls_cbarg) |
3611 | 0 | { |
3612 | 0 | const uint8_t *start = src; |
3613 | 0 | uint16_t exttype = 0; |
3614 | 0 | int ret; |
3615 | | |
3616 | | /* decode protocol version (do not bare to decode something older than TLS 1.0) */ |
3617 | 0 | if ((ret = ptls_decode16(&ch->legacy_version, &src, end)) != 0) |
3618 | 0 | goto Exit; |
3619 | 0 | if (ch->legacy_version < 0x0301) { |
3620 | 0 | ret = PTLS_ALERT_PROTOCOL_VERSION; |
3621 | 0 | goto Exit; |
3622 | 0 | } |
3623 | | |
3624 | | /* skip random */ |
3625 | 0 | if (end - src < PTLS_HELLO_RANDOM_SIZE) { |
3626 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3627 | 0 | goto Exit; |
3628 | 0 | } |
3629 | 0 | ch->random_bytes = src; |
3630 | 0 | src += PTLS_HELLO_RANDOM_SIZE; |
3631 | | |
3632 | | /* skip legacy_session_id */ |
3633 | 0 | ptls_decode_open_block(src, end, 1, { |
3634 | 0 | if (end - src > 32) { |
3635 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3636 | 0 | goto Exit; |
3637 | 0 | } |
3638 | 0 | ch->legacy_session_id = ptls_iovec_init(src, end - src); |
3639 | 0 | src = end; |
3640 | 0 | }); |
3641 | | |
3642 | | /* decode and select from ciphersuites */ |
3643 | 0 | ptls_decode_open_block(src, end, 2, { |
3644 | 0 | if ((end - src) % 2 != 0) { |
3645 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3646 | 0 | goto Exit; |
3647 | 0 | } |
3648 | 0 | ch->cipher_suites = ptls_iovec_init(src, end - src); |
3649 | 0 | src = end; |
3650 | 0 | }); |
3651 | | |
3652 | | /* decode legacy_compression_methods */ |
3653 | 0 | ptls_decode_open_block(src, end, 1, { |
3654 | 0 | if (src == end) { |
3655 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3656 | 0 | goto Exit; |
3657 | 0 | } |
3658 | 0 | ch->compression_methods.ids = src; |
3659 | 0 | ch->compression_methods.count = end - src; |
3660 | 0 | src = end; |
3661 | 0 | }); |
3662 | | |
3663 | | /* In TLS versions 1.2 and earlier CH might not have an extensions block (or they might, see what OpenSSL 1.0.0 sends); so bail |
3664 | | * out if that is the case after parsing the main variables. Zero is returned as it is a valid ClientHello. However |
3665 | | * `ptls_t::selected_version` remains zero indicating that no compatible version were found. */ |
3666 | 0 | if (src == end) { |
3667 | 0 | ret = 0; |
3668 | 0 | goto Exit; |
3669 | 0 | } |
3670 | | |
3671 | | /* decode extensions */ |
3672 | 0 | ch->first_extension_at = src - start + 2; |
3673 | 0 | decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, &exttype, { |
3674 | 0 | ch->psk.is_last_extension = 0; |
3675 | 0 | if (ctx->on_extension != NULL && tls_cbarg != NULL && |
3676 | 0 | (ret = ctx->on_extension->cb(ctx->on_extension, tls_cbarg, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, exttype, |
3677 | 0 | ptls_iovec_init(src, end - src)) != 0)) |
3678 | 0 | goto Exit; |
3679 | 0 | switch (exttype) { |
3680 | 0 | case PTLS_EXTENSION_TYPE_SERVER_NAME: |
3681 | 0 | if ((ret = client_hello_decode_server_name(&ch->server_name, &src, end)) != 0) |
3682 | 0 | goto Exit; |
3683 | 0 | if (src != end) { |
3684 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3685 | 0 | goto Exit; |
3686 | 0 | } |
3687 | 0 | break; |
3688 | 0 | case PTLS_EXTENSION_TYPE_ALPN: |
3689 | 0 | ptls_decode_block(src, end, 2, { |
3690 | 0 | do { |
3691 | 0 | ptls_decode_open_block(src, end, 1, { |
3692 | | /* rfc7301 3.1: empty strings MUST NOT be included */ |
3693 | 0 | if (src == end) { |
3694 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3695 | 0 | goto Exit; |
3696 | 0 | } |
3697 | 0 | if (ch->alpn.count < PTLS_ELEMENTSOF(ch->alpn.list)) |
3698 | 0 | ch->alpn.list[ch->alpn.count++] = ptls_iovec_init(src, end - src); |
3699 | 0 | src = end; |
3700 | 0 | }); |
3701 | 0 | } while (src != end); |
3702 | 0 | }); |
3703 | 0 | break; |
3704 | 0 | case PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE: |
3705 | 0 | ptls_decode_block(src, end, 1, { |
3706 | 0 | size_t list_size = end - src; |
3707 | | |
3708 | | /* RFC7250 4.1: No empty list, no list with single x509 element */ |
3709 | 0 | if (list_size == 0 || (list_size == 1 && *src == PTLS_CERTIFICATE_TYPE_X509)) { |
3710 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3711 | 0 | goto Exit; |
3712 | 0 | } |
3713 | |
|
3714 | 0 | do { |
3715 | 0 | if (ch->server_certificate_types.count < PTLS_ELEMENTSOF(ch->server_certificate_types.list)) |
3716 | 0 | ch->server_certificate_types.list[ch->server_certificate_types.count++] = *src; |
3717 | 0 | src++; |
3718 | 0 | } while (src != end); |
3719 | 0 | }); |
3720 | 0 | break; |
3721 | 0 | case PTLS_EXTENSION_TYPE_COMPRESS_CERTIFICATE: |
3722 | 0 | ptls_decode_block(src, end, 1, { |
3723 | 0 | do { |
3724 | 0 | uint16_t id; |
3725 | 0 | if ((ret = ptls_decode16(&id, &src, end)) != 0) |
3726 | 0 | goto Exit; |
3727 | 0 | if (ch->cert_compression_algos.count < PTLS_ELEMENTSOF(ch->cert_compression_algos.list)) |
3728 | 0 | ch->cert_compression_algos.list[ch->cert_compression_algos.count++] = id; |
3729 | 0 | } while (src != end); |
3730 | 0 | }); |
3731 | 0 | break; |
3732 | 0 | case PTLS_EXTENSION_TYPE_SUPPORTED_GROUPS: |
3733 | 0 | ch->negotiated_groups = ptls_iovec_init(src, end - src); |
3734 | 0 | break; |
3735 | 0 | case PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS: |
3736 | 0 | if ((ret = decode_signature_algorithms(&ch->signature_algorithms, &src, end)) != 0) |
3737 | 0 | goto Exit; |
3738 | 0 | break; |
3739 | 0 | case PTLS_EXTENSION_TYPE_KEY_SHARE: |
3740 | 0 | ch->key_shares = ptls_iovec_init(src, end - src); |
3741 | 0 | break; |
3742 | 0 | case PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS: |
3743 | 0 | ptls_decode_block(src, end, 1, { |
3744 | 0 | size_t selected_index = PTLS_ELEMENTSOF(supported_versions); |
3745 | 0 | do { |
3746 | 0 | size_t i; |
3747 | 0 | uint16_t v; |
3748 | 0 | if ((ret = ptls_decode16(&v, &src, end)) != 0) |
3749 | 0 | goto Exit; |
3750 | 0 | for (i = 0; i != selected_index; ++i) { |
3751 | 0 | if (supported_versions[i] == v) { |
3752 | 0 | selected_index = i; |
3753 | 0 | break; |
3754 | 0 | } |
3755 | 0 | } |
3756 | 0 | } while (src != end); |
3757 | 0 | if (selected_index != PTLS_ELEMENTSOF(supported_versions)) |
3758 | 0 | ch->selected_version = supported_versions[selected_index]; |
3759 | 0 | }); |
3760 | 0 | break; |
3761 | 0 | case PTLS_EXTENSION_TYPE_COOKIE: |
3762 | 0 | if (properties == NULL || properties->server.cookie.key == NULL) { |
3763 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3764 | 0 | goto Exit; |
3765 | 0 | } |
3766 | 0 | ch->cookie.all = ptls_iovec_init(src, end - src); |
3767 | 0 | ptls_decode_block(src, end, 2, { |
3768 | 0 | ch->cookie.tbs.base = (void *)src; |
3769 | 0 | ptls_decode_open_block(src, end, 2, { |
3770 | 0 | ptls_decode_open_block(src, end, 1, { |
3771 | 0 | ch->cookie.ch1_hash = ptls_iovec_init(src, end - src); |
3772 | 0 | src = end; |
3773 | 0 | }); |
3774 | 0 | uint8_t sent_key_share; |
3775 | 0 | if ((ret = ptls_decode8(&sent_key_share, &src, end)) != 0) |
3776 | 0 | goto Exit; |
3777 | 0 | switch (sent_key_share) { |
3778 | 0 | case 0: |
3779 | 0 | assert(!ch->cookie.sent_key_share); |
3780 | 0 | break; |
3781 | 0 | case 1: |
3782 | 0 | ch->cookie.sent_key_share = 1; |
3783 | 0 | break; |
3784 | 0 | default: |
3785 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3786 | 0 | goto Exit; |
3787 | 0 | } |
3788 | 0 | }); |
3789 | 0 | ch->cookie.tbs.len = src - ch->cookie.tbs.base; |
3790 | 0 | ptls_decode_block(src, end, 1, { |
3791 | 0 | ch->cookie.signature = ptls_iovec_init(src, end - src); |
3792 | 0 | src = end; |
3793 | 0 | }); |
3794 | 0 | }); |
3795 | 0 | break; |
3796 | 0 | case PTLS_EXTENSION_TYPE_PRE_SHARED_KEY: { |
3797 | 0 | size_t num_identities = 0; |
3798 | 0 | ptls_decode_open_block(src, end, 2, { |
3799 | 0 | do { |
3800 | 0 | ptls_client_hello_psk_identity_t psk = {{NULL}}; |
3801 | 0 | ptls_decode_open_block(src, end, 2, { |
3802 | 0 | if (end - src < 1) { |
3803 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3804 | 0 | goto Exit; |
3805 | 0 | } |
3806 | 0 | psk.identity = ptls_iovec_init(src, end - src); |
3807 | 0 | src = end; |
3808 | 0 | }); |
3809 | 0 | if ((ret = ptls_decode32(&psk.obfuscated_ticket_age, &src, end)) != 0) |
3810 | 0 | goto Exit; |
3811 | 0 | if (ch->psk.identities.count < PTLS_ELEMENTSOF(ch->psk.identities.list)) |
3812 | 0 | ch->psk.identities.list[ch->psk.identities.count++] = psk; |
3813 | 0 | ++num_identities; |
3814 | 0 | } while (src != end); |
3815 | 0 | }); |
3816 | 0 | ch->psk.hash_end = src; |
3817 | 0 | ptls_decode_block(src, end, 2, { |
3818 | 0 | size_t num_binders = 0; |
3819 | 0 | do { |
3820 | 0 | ptls_decode_open_block(src, end, 1, { |
3821 | 0 | if (num_binders < ch->psk.identities.count) |
3822 | 0 | ch->psk.identities.list[num_binders].binder = ptls_iovec_init(src, end - src); |
3823 | 0 | src = end; |
3824 | 0 | }); |
3825 | 0 | ++num_binders; |
3826 | 0 | } while (src != end); |
3827 | 0 | if (num_identities != num_binders) { |
3828 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3829 | 0 | goto Exit; |
3830 | 0 | } |
3831 | 0 | }); |
3832 | 0 | ch->psk.is_last_extension = 1; |
3833 | 0 | } break; |
3834 | 0 | case PTLS_EXTENSION_TYPE_PSK_KEY_EXCHANGE_MODES: |
3835 | 0 | ptls_decode_block(src, end, 1, { |
3836 | 0 | do { |
3837 | 0 | uint8_t mode; |
3838 | 0 | if ((ret = ptls_decode8(&mode, &src, end)) != 0) |
3839 | 0 | goto Exit; |
3840 | 0 | if (mode < sizeof(ch->psk.ke_modes) * 8) |
3841 | 0 | ch->psk.ke_modes |= 1u << mode; |
3842 | 0 | } while (src != end); |
3843 | 0 | }); |
3844 | 0 | break; |
3845 | 0 | case PTLS_EXTENSION_TYPE_EARLY_DATA: |
3846 | 0 | ch->psk.early_data_indication = 1; |
3847 | 0 | break; |
3848 | 0 | case PTLS_EXTENSION_TYPE_STATUS_REQUEST: |
3849 | 0 | ch->status_request = 1; |
3850 | 0 | break; |
3851 | 0 | case PTLS_EXTENSION_TYPE_TICKET_REQUEST: |
3852 | 0 | if (end - src != 2) { |
3853 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3854 | 0 | goto Exit; |
3855 | 0 | } |
3856 | 0 | ch->ticket_request.new_session_count = *src++; |
3857 | 0 | ch->ticket_request.resumption_count = *src++; |
3858 | 0 | break; |
3859 | 0 | case PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO: |
3860 | 0 | if ((ret = ptls_decode8(&ch->ech.type, &src, end)) != 0) |
3861 | 0 | goto Exit; |
3862 | 0 | switch (ch->ech.type) { |
3863 | 0 | case PTLS_ECH_CLIENT_HELLO_TYPE_OUTER: |
3864 | 0 | if ((ret = ptls_decode16(&ch->ech.cipher_suite.kdf, &src, end)) != 0 || |
3865 | 0 | (ret = ptls_decode16(&ch->ech.cipher_suite.aead, &src, end)) != 0) |
3866 | 0 | goto Exit; |
3867 | 0 | if ((ret = ptls_decode8(&ch->ech.config_id, &src, end)) != 0) |
3868 | 0 | goto Exit; |
3869 | 0 | ptls_decode_open_block(src, end, 2, { |
3870 | 0 | ch->ech.enc = ptls_iovec_init(src, end - src); |
3871 | 0 | src = end; |
3872 | 0 | }); |
3873 | 0 | ptls_decode_open_block(src, end, 2, { |
3874 | 0 | if (src == end) { |
3875 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3876 | 0 | goto Exit; |
3877 | 0 | } |
3878 | 0 | ch->ech.payload = ptls_iovec_init(src, end - src); |
3879 | 0 | src = end; |
3880 | 0 | }); |
3881 | 0 | break; |
3882 | 0 | case PTLS_ECH_CLIENT_HELLO_TYPE_INNER: |
3883 | 0 | if (src != end) { |
3884 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3885 | 0 | goto Exit; |
3886 | 0 | } |
3887 | 0 | ch->ech.payload = ptls_iovec_init("", 0); /* non-zero base indicates that the extension was received */ |
3888 | 0 | break; |
3889 | 0 | default: |
3890 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3891 | 0 | goto Exit; |
3892 | 0 | } |
3893 | 0 | src = end; |
3894 | 0 | break; |
3895 | 0 | default: |
3896 | 0 | if (tls_cbarg != NULL && should_collect_unknown_extension(tls_cbarg, properties, exttype)) { |
3897 | 0 | if ((ret = collect_unknown_extension(tls_cbarg, exttype, src, end, ch->unknown_extensions)) != 0) |
3898 | 0 | goto Exit; |
3899 | 0 | } |
3900 | 0 | break; |
3901 | 0 | } |
3902 | 0 | src = end; |
3903 | 0 | }); |
3904 | | |
3905 | 0 | ret = 0; |
3906 | 0 | Exit: |
3907 | 0 | return ret; |
3908 | 0 | } |
3909 | | |
3910 | | static int rebuild_ch_inner_extensions(ptls_buffer_t *buf, const uint8_t **src, const uint8_t *const end, const uint8_t *outer_ext, |
3911 | | const uint8_t *outer_ext_end) |
3912 | 0 | { |
3913 | 0 | int ret; |
3914 | |
|
3915 | 0 | ptls_buffer_push_block(buf, 2, { |
3916 | 0 | ptls_decode_open_block(*src, end, 2, { |
3917 | 0 | while (*src != end) { |
3918 | 0 | uint16_t exttype; |
3919 | 0 | if ((ret = ptls_decode16(&exttype, src, end)) != 0) |
3920 | 0 | goto Exit; |
3921 | 0 | ptls_decode_open_block(*src, end, 2, { |
3922 | 0 | if (exttype == PTLS_EXTENSION_TYPE_ECH_OUTER_EXTENSIONS) { |
3923 | 0 | ptls_decode_open_block(*src, end, 1, { |
3924 | 0 | do { |
3925 | 0 | uint16_t reftype; |
3926 | 0 | uint16_t outertype; |
3927 | 0 | uint16_t outersize; |
3928 | 0 | if ((ret = ptls_decode16(&reftype, src, end)) != 0) |
3929 | 0 | goto Exit; |
3930 | 0 | if (reftype == PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO) { |
3931 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3932 | 0 | goto Exit; |
3933 | 0 | } |
3934 | 0 | while (1) { |
3935 | 0 | if (ptls_decode16(&outertype, &outer_ext, outer_ext_end) != 0 || |
3936 | 0 | ptls_decode16(&outersize, &outer_ext, outer_ext_end) != 0) { |
3937 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3938 | 0 | goto Exit; |
3939 | 0 | } |
3940 | 0 | assert(outer_ext_end - outer_ext >= outersize); |
3941 | 0 | if (outertype == reftype) |
3942 | 0 | break; |
3943 | 0 | outer_ext += outersize; |
3944 | 0 | } |
3945 | 0 | buffer_push_extension(buf, reftype, { |
3946 | 0 | ptls_buffer_pushv(buf, outer_ext, outersize); |
3947 | 0 | outer_ext += outersize; |
3948 | 0 | }); |
3949 | 0 | } while (*src != end); |
3950 | 0 | }); |
3951 | 0 | } else { |
3952 | 0 | buffer_push_extension(buf, exttype, { |
3953 | 0 | ptls_buffer_pushv(buf, *src, end - *src); |
3954 | 0 | *src = end; |
3955 | 0 | }); |
3956 | 0 | } |
3957 | 0 | }); |
3958 | 0 | } |
3959 | 0 | }); |
3960 | 0 | }); |
3961 | | |
3962 | 0 | Exit: |
3963 | 0 | return ret; |
3964 | 0 | } |
3965 | | |
3966 | | static int rebuild_ch_inner(ptls_buffer_t *buf, const uint8_t *src, const uint8_t *const end, |
3967 | | struct st_ptls_client_hello_t *outer_ch, const uint8_t *outer_ext, const uint8_t *outer_ext_end) |
3968 | 0 | { |
3969 | 0 | #define COPY_BLOCK(capacity) \ |
3970 | 0 | do { \ |
3971 | 0 | ptls_decode_open_block(src, end, (capacity), { \ |
3972 | 0 | ptls_buffer_push_block(buf, (capacity), { ptls_buffer_pushv(buf, src, end - src); }); \ |
3973 | 0 | src = end; \ |
3974 | 0 | }); \ |
3975 | 0 | } while (0) |
3976 | |
|
3977 | 0 | int ret; |
3978 | |
|
3979 | 0 | ptls_buffer_push_message_body(buf, NULL, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, { |
3980 | 0 | { /* legacy_version */ |
3981 | 0 | uint16_t legacy_version; |
3982 | 0 | if ((ret = ptls_decode16(&legacy_version, &src, end)) != 0) |
3983 | 0 | goto Exit; |
3984 | 0 | ptls_buffer_push16(buf, legacy_version); |
3985 | 0 | } |
3986 | | |
3987 | | /* hello random */ |
3988 | 0 | if (end - src < PTLS_HELLO_RANDOM_SIZE) { |
3989 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3990 | 0 | goto Exit; |
3991 | 0 | } |
3992 | 0 | ptls_buffer_pushv(buf, src, PTLS_HELLO_RANDOM_SIZE); |
3993 | 0 | src += PTLS_HELLO_RANDOM_SIZE; |
3994 | |
|
3995 | 0 | ptls_decode_open_block(src, end, 1, { |
3996 | 0 | if (src != end) { |
3997 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3998 | 0 | goto Exit; |
3999 | 0 | } |
4000 | 0 | }); |
4001 | 0 | ptls_buffer_push_block(buf, 1, |
4002 | 0 | { ptls_buffer_pushv(buf, outer_ch->legacy_session_id.base, outer_ch->legacy_session_id.len); }); |
4003 | | |
4004 | | /* cipher-suites and legacy-compression-methods */ |
4005 | 0 | COPY_BLOCK(2); |
4006 | 0 | COPY_BLOCK(1); |
4007 | | |
4008 | | /* extensions */ |
4009 | 0 | if ((ret = rebuild_ch_inner_extensions(buf, &src, end, outer_ext, outer_ext_end)) != 0) |
4010 | 0 | goto Exit; |
4011 | 0 | }); |
4012 | | |
4013 | | /* padding must be all zero */ |
4014 | 0 | for (; src != end; ++src) { |
4015 | 0 | if (*src != '\0') { |
4016 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
4017 | 0 | goto Exit; |
4018 | 0 | } |
4019 | 0 | } |
4020 | | |
4021 | 0 | Exit: |
4022 | 0 | return ret; |
4023 | |
|
4024 | 0 | #undef COPY_BLOCK |
4025 | 0 | } |
4026 | | |
4027 | | /* Wrapper function for invoking the on_client_hello callback, taking an exhaustive list of parameters as arguments. The intention |
4028 | | * is to not miss setting them as we add new parameters to the struct. */ |
4029 | | static inline int call_on_client_hello_cb(ptls_t *tls, ptls_iovec_t server_name, ptls_iovec_t raw_message, |
4030 | | ptls_iovec_t cipher_suites, ptls_iovec_t *alpns, size_t num_alpns, |
4031 | | const uint16_t *sig_algos, size_t num_sig_algos, const uint16_t *cert_comp_algos, |
4032 | | size_t num_cert_comp_algos, const uint8_t *server_cert_types, |
4033 | | size_t num_server_cert_types, const ptls_client_hello_psk_identity_t *psk_identities, |
4034 | | size_t num_psk_identities, int incompatible_version) |
4035 | 0 | { |
4036 | 0 | if (tls->ctx->on_client_hello == NULL) |
4037 | 0 | return 0; |
4038 | | |
4039 | 0 | ptls_on_client_hello_parameters_t params = {server_name, |
4040 | 0 | raw_message, |
4041 | 0 | cipher_suites, |
4042 | 0 | {alpns, num_alpns}, |
4043 | 0 | {sig_algos, num_sig_algos}, |
4044 | 0 | {cert_comp_algos, num_cert_comp_algos}, |
4045 | 0 | {server_cert_types, num_server_cert_types}, |
4046 | 0 | {psk_identities, num_psk_identities}, |
4047 | 0 | incompatible_version}; |
4048 | 0 | return tls->ctx->on_client_hello->cb(tls->ctx->on_client_hello, tls, ¶ms); |
4049 | 0 | } |
4050 | | |
4051 | | static int check_client_hello_constraints(ptls_context_t *ctx, struct st_ptls_client_hello_t *ch, const void *prev_random, |
4052 | | int ech_is_inner_ch, ptls_iovec_t raw_message, ptls_t *tls_cbarg) |
4053 | 0 | { |
4054 | 0 | int is_second_flight = prev_random != 0; |
4055 | | |
4056 | | /* The following check is necessary so that we would be able to track the connection in SSLKEYLOGFILE, even though it might not |
4057 | | * be for the safety of the protocol. */ |
4058 | 0 | if (is_second_flight && !ptls_mem_equal(ch->random_bytes, prev_random, PTLS_HELLO_RANDOM_SIZE)) |
4059 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
4060 | | |
4061 | | /* bail out if CH cannot be handled as TLS 1.3 */ |
4062 | 0 | if (!is_supported_version(ch->selected_version)) { |
4063 | | /* ECH: server MUST abort with an "illegal_parameter" alert if the client offers TLS 1.2 or below (draft-15 7.1) */ |
4064 | 0 | if (ech_is_inner_ch) |
4065 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4066 | | /* fail with PROTOCOL_VERSION alert, after providing the applications the raw CH and SNI to help them fallback */ |
4067 | 0 | if (!is_second_flight) { |
4068 | 0 | int ret; |
4069 | 0 | if ((ret = call_on_client_hello_cb(tls_cbarg, ch->server_name, raw_message, ch->cipher_suites, ch->alpn.list, |
4070 | 0 | ch->alpn.count, NULL, 0, NULL, 0, NULL, 0, NULL, 0, 1)) != 0) |
4071 | 0 | return ret; |
4072 | 0 | } |
4073 | 0 | return PTLS_ALERT_PROTOCOL_VERSION; |
4074 | 0 | } |
4075 | | |
4076 | | /* Check TLS 1.3-specific constraints. Hereafter, we might exit without calling on_client_hello. That's fine because this CH is |
4077 | | * ought to be rejected. */ |
4078 | 0 | if (ch->legacy_version <= 0x0300) { |
4079 | | /* RFC 8446 Appendix D.5: any endpoint receiving a Hello message with legacy_version set to 0x0300 MUST abort the handshake |
4080 | | * with a "protocol_version" alert. */ |
4081 | 0 | return PTLS_ALERT_PROTOCOL_VERSION; |
4082 | 0 | } |
4083 | 0 | if (!(ch->compression_methods.count == 1 && ch->compression_methods.ids[0] == 0)) |
4084 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4085 | | /* pre-shared key */ |
4086 | 0 | if (ch->psk.hash_end != NULL) { |
4087 | | /* PSK must be the last extension */ |
4088 | 0 | if (!ch->psk.is_last_extension) |
4089 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4090 | 0 | } else { |
4091 | 0 | if (ch->psk.early_data_indication) |
4092 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4093 | 0 | } |
4094 | | |
4095 | 0 | if (ech_is_inner_ch && ch->ech.payload.base == NULL) |
4096 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4097 | 0 | if (ch->ech.payload.base != NULL && |
4098 | 0 | ch->ech.type != (ech_is_inner_ch ? PTLS_ECH_CLIENT_HELLO_TYPE_INNER : PTLS_ECH_CLIENT_HELLO_TYPE_OUTER)) |
4099 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4100 | | |
4101 | 0 | return 0; |
4102 | 0 | } |
4103 | | |
4104 | | static int vec_is_string(ptls_iovec_t x, const char *y) |
4105 | 0 | { |
4106 | 0 | return strncmp((const char *)x.base, y, x.len) == 0 && y[x.len] == '\0'; |
4107 | 0 | } |
4108 | | |
4109 | | /** |
4110 | | * Looks for a PSK identity that can be used, and if found, updates the handshake state and returns the necessary variables. If |
4111 | | * `ptls_context_t::pre_shared_key` is set, only tries handshake using those keys provided. Otherwise, tries resumption. |
4112 | | */ |
4113 | | static int try_psk_handshake(ptls_t *tls, size_t *psk_index, int *accept_early_data, struct st_ptls_client_hello_t *ch, |
4114 | | ptls_iovec_t ch_trunc, int is_second_flight) |
4115 | 0 | { |
4116 | 0 | ptls_buffer_t decbuf; |
4117 | 0 | ptls_iovec_t secret, ticket_ctx, ticket_negotiated_protocol; |
4118 | 0 | uint64_t issue_at, now = tls->ctx->get_time->cb(tls->ctx->get_time); |
4119 | 0 | uint32_t age_add; |
4120 | 0 | uint16_t ticket_key_exchange_id, ticket_csid; |
4121 | 0 | uint8_t binder_key[PTLS_MAX_DIGEST_SIZE]; |
4122 | 0 | int ret; |
4123 | |
|
4124 | 0 | ptls_buffer_init(&decbuf, "", 0); |
4125 | |
|
4126 | 0 | for (*psk_index = 0; *psk_index < ch->psk.identities.count; ++*psk_index) { |
4127 | 0 | ptls_client_hello_psk_identity_t *identity = ch->psk.identities.list + *psk_index; |
4128 | | |
4129 | | /* negotiate using fixed pre-shared key */ |
4130 | 0 | if (tls->ctx->pre_shared_key.identity.base != NULL) { |
4131 | 0 | if (identity->identity.len == tls->ctx->pre_shared_key.identity.len && |
4132 | 0 | memcmp(identity->identity.base, tls->ctx->pre_shared_key.identity.base, identity->identity.len) == 0) { |
4133 | 0 | *accept_early_data = ch->psk.early_data_indication && *psk_index == 0; |
4134 | 0 | tls->key_share = NULL; |
4135 | 0 | secret = tls->ctx->pre_shared_key.secret; |
4136 | 0 | goto Found; |
4137 | 0 | } |
4138 | 0 | continue; |
4139 | 0 | } |
4140 | | |
4141 | | /* decrypt ticket and decode */ |
4142 | 0 | if (tls->ctx->encrypt_ticket == NULL || tls->ctx->key_exchanges == NULL) |
4143 | 0 | continue; |
4144 | 0 | int can_accept_early_data = *psk_index == 0; |
4145 | 0 | decbuf.off = 0; |
4146 | 0 | switch (tls->ctx->encrypt_ticket->cb(tls->ctx->encrypt_ticket, tls, 0, &decbuf, identity->identity)) { |
4147 | 0 | case 0: /* decrypted */ |
4148 | 0 | break; |
4149 | 0 | case PTLS_ERROR_REJECT_EARLY_DATA: /* decrypted, but early data is rejected */ |
4150 | 0 | can_accept_early_data = 0; |
4151 | 0 | break; |
4152 | 0 | default: /* decryption failure */ |
4153 | 0 | continue; |
4154 | 0 | } |
4155 | 0 | if (decode_session_identifier(&issue_at, &secret, &age_add, &ticket_ctx, &ticket_key_exchange_id, &ticket_csid, |
4156 | 0 | &ticket_negotiated_protocol, decbuf.base, decbuf.base + decbuf.off) != 0) |
4157 | 0 | continue; |
4158 | | /* check age */ |
4159 | 0 | if (now < issue_at) |
4160 | 0 | continue; |
4161 | 0 | if (now - issue_at > (uint64_t)tls->ctx->ticket_lifetime * 1000) |
4162 | 0 | continue; |
4163 | 0 | *accept_early_data = 0; |
4164 | 0 | if (ch->psk.early_data_indication && can_accept_early_data) { |
4165 | | /* accept early-data if abs(diff) between the reported age and the actual age is within += 10 seconds */ |
4166 | 0 | int64_t delta = (now - issue_at) - (identity->obfuscated_ticket_age - age_add); |
4167 | 0 | if (delta < 0) |
4168 | 0 | delta = -delta; |
4169 | 0 | if (tls->ctx->max_early_data_size != 0 && delta <= PTLS_EARLY_DATA_MAX_DELAY) |
4170 | 0 | *accept_early_data = 1; |
4171 | 0 | } |
4172 | | /* check ticket context */ |
4173 | 0 | if (tls->ctx->ticket_context.is_set) { |
4174 | 0 | if (!(ticket_ctx.len == sizeof(tls->ctx->ticket_context.bytes) && |
4175 | 0 | memcmp(ticket_ctx.base, tls->ctx->ticket_context.bytes, ticket_ctx.len) == 0)) |
4176 | 0 | continue; |
4177 | 0 | } else { |
4178 | | /* check server-name */ |
4179 | 0 | if (ticket_ctx.len != 0) { |
4180 | 0 | if (tls->server_name == NULL) |
4181 | 0 | continue; |
4182 | 0 | if (!vec_is_string(ticket_ctx, tls->server_name)) |
4183 | 0 | continue; |
4184 | 0 | } else { |
4185 | 0 | if (tls->server_name != NULL) |
4186 | 0 | continue; |
4187 | 0 | } |
4188 | 0 | } |
4189 | 0 | { /* check key-exchange */ |
4190 | 0 | ptls_key_exchange_algorithm_t **a; |
4191 | 0 | for (a = tls->ctx->key_exchanges; *a != NULL && (*a)->id != ticket_key_exchange_id; ++a) |
4192 | 0 | ; |
4193 | 0 | if (*a == NULL) |
4194 | 0 | continue; |
4195 | 0 | tls->key_share = *a; |
4196 | 0 | } |
4197 | | /* check cipher-suite */ |
4198 | 0 | if (ticket_csid != tls->cipher_suite->id) |
4199 | 0 | continue; |
4200 | | /* check negotiated-protocol */ |
4201 | 0 | if (ticket_negotiated_protocol.len != 0) { |
4202 | 0 | if (tls->negotiated_protocol == NULL) |
4203 | 0 | continue; |
4204 | 0 | if (!vec_is_string(ticket_negotiated_protocol, tls->negotiated_protocol)) |
4205 | 0 | continue; |
4206 | 0 | } |
4207 | | /* check the length of the decrypted psk and the PSK binder */ |
4208 | 0 | if (secret.len != tls->key_schedule->hashes[0].algo->digest_size) |
4209 | 0 | continue; |
4210 | 0 | if (ch->psk.identities.list[*psk_index].binder.len != tls->key_schedule->hashes[0].algo->digest_size) |
4211 | 0 | continue; |
4212 | | |
4213 | | /* found */ |
4214 | 0 | goto Found; |
4215 | 0 | } |
4216 | | |
4217 | | /* not found */ |
4218 | 0 | *psk_index = SIZE_MAX; |
4219 | 0 | *accept_early_data = 0; |
4220 | 0 | tls->key_share = NULL; |
4221 | 0 | ret = 0; |
4222 | 0 | goto Exit; |
4223 | | |
4224 | 0 | Found: |
4225 | 0 | if (!is_second_flight && (ret = key_schedule_extract(tls->key_schedule, secret)) != 0) |
4226 | 0 | goto Exit; |
4227 | 0 | if ((ret = derive_secret_with_empty_digest(tls->key_schedule, binder_key, |
4228 | 0 | tls->ctx->pre_shared_key.secret.base != NULL ? "ext binder" : "res binder")) != 0) |
4229 | 0 | goto Exit; |
4230 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, ch_trunc.base, ch_trunc.len, 0); |
4231 | 0 | if ((ret = calc_verify_data(binder_key /* to conserve space, reuse binder_key for storing verify_data */, tls->key_schedule, |
4232 | 0 | binder_key)) != 0) |
4233 | 0 | goto Exit; |
4234 | 0 | if (!ptls_mem_equal(ch->psk.identities.list[*psk_index].binder.base, binder_key, |
4235 | 0 | tls->key_schedule->hashes[0].algo->digest_size)) { |
4236 | 0 | ret = PTLS_ALERT_DECRYPT_ERROR; |
4237 | 0 | goto Exit; |
4238 | 0 | } |
4239 | 0 | ret = 0; |
4240 | |
|
4241 | 0 | Exit: |
4242 | 0 | ptls_buffer_dispose(&decbuf); |
4243 | 0 | ptls_clear_memory(binder_key, sizeof(binder_key)); |
4244 | 0 | return ret; |
4245 | 0 | } |
4246 | | |
4247 | | static int calc_cookie_signature(ptls_t *tls, ptls_handshake_properties_t *properties, |
4248 | | ptls_key_exchange_algorithm_t *negotiated_group, ptls_iovec_t tbs, uint8_t *sig) |
4249 | 0 | { |
4250 | 0 | ptls_hash_algorithm_t *algo = tls->ctx->cipher_suites[0]->hash; |
4251 | 0 | ptls_hash_context_t *hctx; |
4252 | |
|
4253 | 0 | if ((hctx = ptls_hmac_create(algo, properties->server.cookie.key, algo->digest_size)) == NULL) |
4254 | 0 | return PTLS_ERROR_NO_MEMORY; |
4255 | | |
4256 | 0 | #define UPDATE_BLOCK(p, _len) \ |
4257 | 0 | do { \ |
4258 | 0 | size_t len = (_len); \ |
4259 | 0 | assert(len < UINT8_MAX); \ |
4260 | 0 | uint8_t len8 = (uint8_t)len; \ |
4261 | 0 | hctx->update(hctx, &len8, 1); \ |
4262 | 0 | hctx->update(hctx, (p), len); \ |
4263 | 0 | } while (0) |
4264 | 0 | #define UPDATE16(_v) \ |
4265 | 0 | do { \ |
4266 | 0 | uint16_t v = (_v); \ |
4267 | 0 | uint8_t b[2] = {v >> 8, v & 0xff}; \ |
4268 | 0 | hctx->update(hctx, b, 2); \ |
4269 | 0 | } while (0) |
4270 | | |
4271 | 0 | UPDATE_BLOCK(tls->client_random, sizeof(tls->client_random)); |
4272 | 0 | UPDATE_BLOCK(tls->server_name, tls->server_name != NULL ? strlen(tls->server_name) : 0); |
4273 | 0 | UPDATE16(tls->cipher_suite->id); |
4274 | 0 | UPDATE16(negotiated_group != NULL ? negotiated_group->id : 0); |
4275 | 0 | UPDATE_BLOCK(properties->server.cookie.additional_data.base, properties->server.cookie.additional_data.len); |
4276 | | |
4277 | 0 | UPDATE_BLOCK(tbs.base, tbs.len); |
4278 | | |
4279 | 0 | #undef UPDATE_BLOCK |
4280 | 0 | #undef UPDATE16 |
4281 | | |
4282 | 0 | hctx->final(hctx, sig, PTLS_HASH_FINAL_MODE_FREE); |
4283 | 0 | return 0; |
4284 | 0 | } |
4285 | | |
4286 | | static int certificate_type_exists(uint8_t *list, size_t count, uint8_t desired_type) |
4287 | 0 | { |
4288 | | /* empty type list means that we default to x509 */ |
4289 | 0 | if (desired_type == PTLS_CERTIFICATE_TYPE_X509 && count == 0) |
4290 | 0 | return 1; |
4291 | 0 | for (size_t i = 0; i < count; i++) { |
4292 | 0 | if (list[i] == desired_type) |
4293 | 0 | return 1; |
4294 | 0 | } |
4295 | 0 | return 0; |
4296 | 0 | } |
4297 | | |
4298 | | static int server_handle_hello(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, |
4299 | | ptls_handshake_properties_t *properties) |
4300 | 0 | { |
4301 | 0 | #define EMIT_SERVER_HELLO(sched, fill_rand, extensions, post_action) \ |
4302 | 0 | do { \ |
4303 | 0 | size_t sh_start_off; \ |
4304 | 0 | ptls_push_message(emitter, NULL, PTLS_HANDSHAKE_TYPE_SERVER_HELLO, { \ |
4305 | 0 | sh_start_off = emitter->buf->off - PTLS_HANDSHAKE_HEADER_SIZE; \ |
4306 | 0 | ptls_buffer_push16(emitter->buf, 0x0303 /* legacy version */); \ |
4307 | 0 | if ((ret = ptls_buffer_reserve(emitter->buf, PTLS_HELLO_RANDOM_SIZE)) != 0) \ |
4308 | 0 | goto Exit; \ |
4309 | 0 | do { \ |
4310 | 0 | fill_rand \ |
4311 | 0 | } while (0); \ |
4312 | 0 | emitter->buf->off += PTLS_HELLO_RANDOM_SIZE; \ |
4313 | 0 | ptls_buffer_push_block(emitter->buf, 1, \ |
4314 | 0 | { ptls_buffer_pushv(emitter->buf, ch->legacy_session_id.base, ch->legacy_session_id.len); }); \ |
4315 | 0 | ptls_buffer_push16(emitter->buf, tls->cipher_suite->id); \ |
4316 | 0 | ptls_buffer_push(emitter->buf, 0); \ |
4317 | 0 | ptls_buffer_push_block(emitter->buf, 2, { \ |
4318 | 0 | buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS, \ |
4319 | 0 | { ptls_buffer_push16(emitter->buf, ch->selected_version); }); \ |
4320 | 0 | do { \ |
4321 | 0 | extensions \ |
4322 | 0 | } while (0); \ |
4323 | 0 | }); \ |
4324 | 0 | }); \ |
4325 | 0 | do { \ |
4326 | 0 | post_action \ |
4327 | 0 | } while (0); \ |
4328 | 0 | ptls__key_schedule_update_hash((sched), emitter->buf->base + sh_start_off, emitter->buf->off - sh_start_off, 0); \ |
4329 | 0 | } while (0) |
4330 | |
|
4331 | 0 | #define EMIT_HELLO_RETRY_REQUEST(sched, negotiated_group, additional_extensions, post_action) \ |
4332 | 0 | EMIT_SERVER_HELLO((sched), { memcpy(emitter->buf->base + emitter->buf->off, hello_retry_random, PTLS_HELLO_RANDOM_SIZE); }, \ |
4333 | 0 | { \ |
4334 | 0 | ptls_key_exchange_algorithm_t *_negotiated_group = (negotiated_group); \ |
4335 | 0 | if (_negotiated_group != NULL) { \ |
4336 | 0 | buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_KEY_SHARE, \ |
4337 | 0 | { ptls_buffer_push16(emitter->buf, _negotiated_group->id); }); \ |
4338 | 0 | } \ |
4339 | 0 | do { \ |
4340 | 0 | additional_extensions \ |
4341 | 0 | } while (0); \ |
4342 | 0 | }, \ |
4343 | 0 | post_action) |
4344 | 0 | struct st_ptls_client_hello_t *ch; |
4345 | 0 | struct { |
4346 | 0 | ptls_key_exchange_algorithm_t *algorithm; |
4347 | 0 | ptls_iovec_t peer_key; |
4348 | 0 | } key_share = {NULL}; |
4349 | 0 | struct { |
4350 | 0 | uint8_t *encoded_ch_inner; |
4351 | 0 | uint8_t *ch_outer_aad; |
4352 | 0 | ptls_buffer_t ch_inner; |
4353 | 0 | } ech = {NULL}; |
4354 | 0 | enum { HANDSHAKE_MODE_FULL, HANDSHAKE_MODE_PSK, HANDSHAKE_MODE_PSK_DHE } mode; |
4355 | 0 | size_t psk_index = SIZE_MAX; |
4356 | 0 | ptls_iovec_t pubkey = {0}, ecdh_secret = {0}; |
4357 | 0 | int accept_early_data = 0, is_second_flight = tls->state == PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO, ret; |
4358 | |
|
4359 | 0 | ptls_buffer_init(&ech.ch_inner, "", 0); |
4360 | |
|
4361 | 0 | if ((ch = malloc(sizeof(*ch))) == NULL) { |
4362 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
4363 | 0 | goto Exit; |
4364 | 0 | } |
4365 | | |
4366 | 0 | *ch = (struct st_ptls_client_hello_t){.unknown_extensions = {{UINT16_MAX}}}; |
4367 | | |
4368 | | /* decode ClientHello */ |
4369 | 0 | if ((ret = decode_client_hello(tls->ctx, ch, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len, properties, |
4370 | 0 | tls)) != 0) |
4371 | 0 | goto Exit; |
4372 | 0 | if ((ret = check_client_hello_constraints(tls->ctx, ch, is_second_flight ? tls->client_random : NULL, 0, message, tls)) != 0) |
4373 | 0 | goto Exit; |
4374 | 0 | if (!is_second_flight) { |
4375 | 0 | memcpy(tls->client_random, ch->random_bytes, PTLS_HELLO_RANDOM_SIZE); |
4376 | 0 | log_client_random(tls); |
4377 | 0 | } else { |
4378 | | /* consistency check for ECH extension in response to HRR */ |
4379 | 0 | if (tls->ech.aead != NULL) { |
4380 | 0 | if (ch->ech.payload.base == NULL) { |
4381 | 0 | ret = PTLS_ALERT_MISSING_EXTENSION; |
4382 | 0 | goto Exit; |
4383 | 0 | } |
4384 | 0 | if (!(ch->ech.config_id == tls->ech.config_id && ch->ech.cipher_suite.kdf == tls->ech.cipher->id.kdf && |
4385 | 0 | ch->ech.cipher_suite.aead == tls->ech.cipher->id.aead && ch->ech.enc.len == 0)) { |
4386 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
4387 | 0 | goto Exit; |
4388 | 0 | } |
4389 | 0 | } |
4390 | 0 | } |
4391 | | |
4392 | | /* ECH */ |
4393 | 0 | if (ch->ech.payload.base != NULL) { |
4394 | 0 | if (ch->ech.type != PTLS_ECH_CLIENT_HELLO_TYPE_OUTER) { |
4395 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
4396 | 0 | goto Exit; |
4397 | 0 | } |
4398 | 0 | if (!is_second_flight) |
4399 | 0 | tls->ech.offered = 1; |
4400 | | /* obtain AEAD context for opening inner CH */ |
4401 | 0 | if (!is_second_flight && ch->ech.payload.base != NULL && tls->ctx->ech.server.create_opener != NULL) { |
4402 | 0 | if ((tls->ech.aead = tls->ctx->ech.server.create_opener->cb( |
4403 | 0 | tls->ctx->ech.server.create_opener, &tls->ech.kem, &tls->ech.cipher, tls, ch->ech.config_id, |
4404 | 0 | ch->ech.cipher_suite, ch->ech.enc, ptls_iovec_init(ech_info_prefix, sizeof(ech_info_prefix)))) != NULL) |
4405 | 0 | tls->ech.config_id = ch->ech.config_id; |
4406 | 0 | } |
4407 | 0 | if (!is_second_flight) { |
4408 | 0 | PTLS_PROBE(ECH_SELECTION, tls, tls->ech.aead != NULL); |
4409 | 0 | PTLS_LOG_CONN(ech_selection, tls, { PTLS_LOG_ELEMENT_BOOL(is_ech, tls->ech.aead != NULL); }); |
4410 | 0 | } |
4411 | 0 | if (tls->ech.aead != NULL) { |
4412 | | /* now that AEAD context is available, create AAD and decrypt inner CH */ |
4413 | 0 | if ((ech.encoded_ch_inner = malloc(ch->ech.payload.len - tls->ech.aead->algo->tag_size)) == NULL || |
4414 | 0 | (ech.ch_outer_aad = malloc(message.len - PTLS_HANDSHAKE_HEADER_SIZE)) == NULL) { |
4415 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
4416 | 0 | goto Exit; |
4417 | 0 | } |
4418 | 0 | memcpy(ech.ch_outer_aad, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.len - PTLS_HANDSHAKE_HEADER_SIZE); |
4419 | 0 | memset(ech.ch_outer_aad + (ch->ech.payload.base - (message.base + PTLS_HANDSHAKE_HEADER_SIZE)), 0, ch->ech.payload.len); |
4420 | 0 | if (ptls_aead_decrypt(tls->ech.aead, ech.encoded_ch_inner, ch->ech.payload.base, ch->ech.payload.len, is_second_flight, |
4421 | 0 | ech.ch_outer_aad, message.len - PTLS_HANDSHAKE_HEADER_SIZE) != SIZE_MAX) { |
4422 | 0 | tls->ech.accepted = 1; |
4423 | | /* successfully decrypted EncodedCHInner, build CHInner */ |
4424 | 0 | if ((ret = rebuild_ch_inner(&ech.ch_inner, ech.encoded_ch_inner, |
4425 | 0 | ech.encoded_ch_inner + ch->ech.payload.len - tls->ech.aead->algo->tag_size, ch, |
4426 | 0 | message.base + PTLS_HANDSHAKE_HEADER_SIZE + ch->first_extension_at, |
4427 | 0 | message.base + message.len)) != 0) |
4428 | 0 | goto Exit; |
4429 | | /* treat inner ch as the message being received, re-decode it */ |
4430 | 0 | message = ptls_iovec_init(ech.ch_inner.base, ech.ch_inner.off); |
4431 | 0 | *ch = (struct st_ptls_client_hello_t){.unknown_extensions = {{UINT16_MAX}}}; |
4432 | 0 | if ((ret = decode_client_hello(tls->ctx, ch, ech.ch_inner.base + PTLS_HANDSHAKE_HEADER_SIZE, |
4433 | 0 | ech.ch_inner.base + ech.ch_inner.off, properties, tls)) != 0) |
4434 | 0 | goto Exit; |
4435 | 0 | if ((ret = check_client_hello_constraints(tls->ctx, ch, is_second_flight ? tls->ech.inner_client_random : NULL, 1, |
4436 | 0 | message, tls)) != 0) |
4437 | 0 | goto Exit; |
4438 | 0 | if (!is_second_flight) |
4439 | 0 | memcpy(tls->ech.inner_client_random, ch->random_bytes, PTLS_HELLO_RANDOM_SIZE); |
4440 | 0 | } else if (is_second_flight) { |
4441 | | /* decryption failure of inner CH in 2nd CH is fatal */ |
4442 | 0 | ret = PTLS_ALERT_DECRYPT_ERROR; |
4443 | 0 | goto Exit; |
4444 | 0 | } else { |
4445 | | /* decryption failure of 1st CH indicates key mismatch; dispose of AEAD context to indicate adoption of outerCH */ |
4446 | 0 | ptls_aead_free(tls->ech.aead); |
4447 | 0 | tls->ech.aead = NULL; |
4448 | 0 | } |
4449 | 0 | } |
4450 | 0 | } else if (tls->ech.offered) { |
4451 | 0 | assert(is_second_flight); |
4452 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
4453 | 0 | goto Exit; |
4454 | 0 | } |
4455 | | |
4456 | 0 | if (tls->ctx->require_dhe_on_psk) |
4457 | 0 | ch->psk.ke_modes &= ~(1u << PTLS_PSK_KE_MODE_PSK); |
4458 | | |
4459 | | /* handle client_random, legacy_session_id, SNI, ESNI */ |
4460 | 0 | if (!is_second_flight) { |
4461 | 0 | if (ch->legacy_session_id.len != 0) |
4462 | 0 | tls->send_change_cipher_spec = 1; |
4463 | 0 | ptls_iovec_t server_name = {NULL}; |
4464 | 0 | if (ch->server_name.base != NULL) |
4465 | 0 | server_name = ch->server_name; |
4466 | 0 | if ((ret = call_on_client_hello_cb(tls, server_name, message, ch->cipher_suites, ch->alpn.list, ch->alpn.count, |
4467 | 0 | ch->signature_algorithms.list, ch->signature_algorithms.count, |
4468 | 0 | ch->cert_compression_algos.list, ch->cert_compression_algos.count, |
4469 | 0 | ch->server_certificate_types.list, ch->server_certificate_types.count, |
4470 | 0 | ch->psk.identities.list, ch->psk.identities.count, 0)) != 0) |
4471 | 0 | goto Exit; |
4472 | 0 | if (!certificate_type_exists(ch->server_certificate_types.list, ch->server_certificate_types.count, |
4473 | 0 | tls->ctx->use_raw_public_keys ? PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY |
4474 | 0 | : PTLS_CERTIFICATE_TYPE_X509)) { |
4475 | 0 | ret = PTLS_ALERT_UNSUPPORTED_CERTIFICATE; |
4476 | 0 | goto Exit; |
4477 | 0 | } |
4478 | 0 | } else { |
4479 | 0 | if (ch->psk.early_data_indication) { |
4480 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
4481 | 0 | goto Exit; |
4482 | 0 | } |
4483 | | /* We compare SNI only when the value is saved by the on_client_hello callback. This should be OK because we are |
4484 | | * ignoring the value unless the callback saves the server-name. */ |
4485 | 0 | if (tls->server_name != NULL) { |
4486 | 0 | size_t l = strlen(tls->server_name); |
4487 | 0 | if (!(ch->server_name.len == l && memcmp(ch->server_name.base, tls->server_name, l) == 0)) { |
4488 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
4489 | 0 | goto Exit; |
4490 | 0 | } |
4491 | 0 | } |
4492 | 0 | } |
4493 | | |
4494 | 0 | { /* select (or check) cipher-suite, create key_schedule */ |
4495 | 0 | ptls_cipher_suite_t *cs; |
4496 | 0 | if ((ret = select_cipher(&cs, tls->ctx->cipher_suites, ch->cipher_suites.base, |
4497 | 0 | ch->cipher_suites.base + ch->cipher_suites.len, tls->ctx->server_cipher_preference, |
4498 | 0 | tls->ctx->server_cipher_chacha_priority, tls->ctx->pre_shared_key.hash)) != 0) |
4499 | 0 | goto Exit; |
4500 | 0 | if (!is_second_flight) { |
4501 | 0 | tls->cipher_suite = cs; |
4502 | 0 | if ((tls->key_schedule = key_schedule_new(cs, NULL, 0)) == NULL) { |
4503 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
4504 | 0 | goto Exit; |
4505 | 0 | } |
4506 | 0 | } else { |
4507 | 0 | if (tls->cipher_suite != cs) { |
4508 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
4509 | 0 | goto Exit; |
4510 | 0 | } |
4511 | 0 | } |
4512 | 0 | } |
4513 | | |
4514 | | /* select key_share */ |
4515 | 0 | if (key_share.algorithm == NULL && ch->key_shares.base != NULL && tls->ctx->key_exchanges != NULL) { |
4516 | 0 | const uint8_t *src = ch->key_shares.base, *const end = src + ch->key_shares.len; |
4517 | 0 | ptls_decode_block(src, end, 2, { |
4518 | 0 | if ((ret = select_key_share(&key_share.algorithm, &key_share.peer_key, tls->ctx->key_exchanges, &src, end, 0)) != 0) |
4519 | 0 | goto Exit; |
4520 | 0 | }); |
4521 | 0 | } |
4522 | | |
4523 | 0 | if (!is_second_flight) { |
4524 | 0 | if (ch->cookie.all.len != 0 && key_share.algorithm != NULL) { |
4525 | |
|
4526 | 0 | { /* use cookie to check the integrity of the handshake, and update the context */ |
4527 | 0 | uint8_t sig[PTLS_MAX_DIGEST_SIZE]; |
4528 | 0 | size_t sigsize = tls->ctx->cipher_suites[0]->hash->digest_size; |
4529 | 0 | if ((ret = calc_cookie_signature(tls, properties, key_share.algorithm, ch->cookie.tbs, sig)) != 0) |
4530 | 0 | goto Exit; |
4531 | 0 | if (!(ch->cookie.signature.len == sigsize && ptls_mem_equal(ch->cookie.signature.base, sig, sigsize))) { |
4532 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
4533 | 0 | goto Exit; |
4534 | 0 | } |
4535 | 0 | } |
4536 | | /* integrity check passed; update states */ |
4537 | 0 | key_schedule_update_ch1hash_prefix(tls->key_schedule); |
4538 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, ch->cookie.ch1_hash.base, ch->cookie.ch1_hash.len, 0); |
4539 | 0 | key_schedule_extract(tls->key_schedule, |
4540 | 0 | tls->ctx->pre_shared_key.secret /* this argument will be a zero-length vector unless external PSK |
4541 | 0 | is used, and that's fine; we never resume when sending HRR */); |
4542 | | /* ... reusing sendbuf to rebuild HRR for hash calculation */ |
4543 | 0 | size_t hrr_start = emitter->buf->off; |
4544 | 0 | EMIT_HELLO_RETRY_REQUEST(tls->key_schedule, ch->cookie.sent_key_share ? key_share.algorithm : NULL, |
4545 | 0 | { |
4546 | 0 | buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_COOKIE, { |
4547 | 0 | ptls_buffer_pushv(emitter->buf, ch->cookie.all.base, ch->cookie.all.len); |
4548 | 0 | }); |
4549 | 0 | }, |
4550 | 0 | {}); |
4551 | 0 | emitter->buf->off = hrr_start; |
4552 | 0 | is_second_flight = 1; |
4553 | |
|
4554 | 0 | } else if (ch->key_shares.base != NULL && tls->ctx->key_exchanges != NULL && |
4555 | 0 | (key_share.algorithm == NULL || (properties != NULL && properties->server.enforce_retry))) { |
4556 | | /* send HelloRetryRequest, when trying to negotiate the key share but enforced by config or upon key-share mismatch */ |
4557 | 0 | if (ch->negotiated_groups.base == NULL) { |
4558 | 0 | ret = PTLS_ALERT_MISSING_EXTENSION; |
4559 | 0 | goto Exit; |
4560 | 0 | } |
4561 | 0 | ptls_key_exchange_algorithm_t *negotiated_group; |
4562 | 0 | if ((ret = select_negotiated_group(&negotiated_group, tls->ctx->key_exchanges, ch->negotiated_groups.base, |
4563 | 0 | ch->negotiated_groups.base + ch->negotiated_groups.len)) != 0) |
4564 | 0 | goto Exit; |
4565 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
4566 | 0 | assert(tls->key_schedule->generation == 0); |
4567 | | |
4568 | | /* Either send a stateless retry (w. cookies) or a stateful one. When sending the latter, run the state machine. At the |
4569 | | * moment, stateless retry is disabled when ECH is used (do we need to support it?). */ |
4570 | 0 | int retry_uses_cookie = |
4571 | 0 | properties != NULL && properties->server.retry_uses_cookie && !ptls_is_ech_handshake(tls, NULL, NULL, NULL); |
4572 | 0 | if (!retry_uses_cookie) { |
4573 | 0 | key_schedule_transform_post_ch1hash(tls->key_schedule); |
4574 | 0 | key_schedule_extract(tls->key_schedule, tls->ctx->pre_shared_key.secret /* see comment above */); |
4575 | 0 | } |
4576 | 0 | size_t ech_confirm_off = 0; |
4577 | 0 | EMIT_HELLO_RETRY_REQUEST( |
4578 | 0 | tls->key_schedule, key_share.algorithm != NULL ? NULL : negotiated_group, |
4579 | 0 | { |
4580 | 0 | ptls_buffer_t *sendbuf = emitter->buf; |
4581 | 0 | if (ptls_is_ech_handshake(tls, NULL, NULL, NULL)) { |
4582 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, { |
4583 | 0 | if ((ret = ptls_buffer_reserve(sendbuf, PTLS_ECH_CONFIRM_LENGTH)) != 0) |
4584 | 0 | goto Exit; |
4585 | 0 | memset(sendbuf->base + sendbuf->off, 0, PTLS_ECH_CONFIRM_LENGTH); |
4586 | 0 | ech_confirm_off = sendbuf->off; |
4587 | 0 | sendbuf->off += PTLS_ECH_CONFIRM_LENGTH; |
4588 | 0 | }); |
4589 | 0 | } |
4590 | 0 | if (retry_uses_cookie) { |
4591 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_COOKIE, { |
4592 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4593 | | /* push to-be-signed data */ |
4594 | 0 | size_t tbs_start = sendbuf->off; |
4595 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4596 | | /* first block of the cookie data is the hash(ch1) */ |
4597 | 0 | ptls_buffer_push_block(sendbuf, 1, { |
4598 | 0 | size_t sz = tls->cipher_suite->hash->digest_size; |
4599 | 0 | if ((ret = ptls_buffer_reserve(sendbuf, sz)) != 0) |
4600 | 0 | goto Exit; |
4601 | 0 | key_schedule_extract_ch1hash(tls->key_schedule, sendbuf->base + sendbuf->off); |
4602 | 0 | sendbuf->off += sz; |
4603 | 0 | }); |
4604 | | /* second is if we have sent key_share extension */ |
4605 | 0 | ptls_buffer_push(sendbuf, key_share.algorithm == NULL); |
4606 | | /* we can add more data here */ |
4607 | 0 | }); |
4608 | 0 | size_t tbs_len = sendbuf->off - tbs_start; |
4609 | | /* push the signature */ |
4610 | 0 | ptls_buffer_push_block(sendbuf, 1, { |
4611 | 0 | size_t sz = tls->ctx->cipher_suites[0]->hash->digest_size; |
4612 | 0 | if ((ret = ptls_buffer_reserve(sendbuf, sz)) != 0) |
4613 | 0 | goto Exit; |
4614 | 0 | if ((ret = calc_cookie_signature(tls, properties, negotiated_group, |
4615 | 0 | ptls_iovec_init(sendbuf->base + tbs_start, tbs_len), |
4616 | 0 | sendbuf->base + sendbuf->off)) != 0) |
4617 | 0 | goto Exit; |
4618 | 0 | sendbuf->off += sz; |
4619 | 0 | }); |
4620 | 0 | }); |
4621 | 0 | }); |
4622 | 0 | } |
4623 | 0 | }, |
4624 | 0 | { |
4625 | 0 | if (ech_confirm_off != 0 && |
4626 | 0 | (ret = ech_calc_confirmation( |
4627 | 0 | tls->key_schedule, emitter->buf->base + ech_confirm_off, tls->ech.inner_client_random, |
4628 | 0 | ECH_CONFIRMATION_HRR, |
4629 | 0 | ptls_iovec_init(emitter->buf->base + sh_start_off, emitter->buf->off - sh_start_off))) != 0) |
4630 | 0 | goto Exit; |
4631 | 0 | }); |
4632 | 0 | if (retry_uses_cookie) { |
4633 | 0 | if ((ret = push_change_cipher_spec(tls, emitter)) != 0) |
4634 | 0 | goto Exit; |
4635 | 0 | ret = PTLS_ERROR_STATELESS_RETRY; |
4636 | 0 | } else { |
4637 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO; |
4638 | 0 | if (ch->psk.early_data_indication) |
4639 | 0 | tls->server.early_data_skipped_bytes = 0; |
4640 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
4641 | 0 | } |
4642 | 0 | goto Exit; |
4643 | 0 | } |
4644 | 0 | } |
4645 | | |
4646 | | /* handle unknown extensions */ |
4647 | 0 | if ((ret = report_unknown_extensions(tls, properties, ch->unknown_extensions)) != 0) |
4648 | 0 | goto Exit; |
4649 | | |
4650 | | /* try psk handshake */ |
4651 | 0 | if (ch->psk.hash_end != 0 && (ch->psk.ke_modes & ((1u << PTLS_PSK_KE_MODE_PSK) | (1u << PTLS_PSK_KE_MODE_PSK_DHE))) != 0 && |
4652 | 0 | !tls->ctx->require_client_authentication && |
4653 | 0 | ((!is_second_flight && tls->ctx->encrypt_ticket != NULL) || tls->ctx->pre_shared_key.identity.base != NULL)) { |
4654 | 0 | if ((ret = try_psk_handshake(tls, &psk_index, &accept_early_data, ch, |
4655 | 0 | ptls_iovec_init(message.base, ch->psk.hash_end - message.base), is_second_flight)) != 0) { |
4656 | 0 | goto Exit; |
4657 | 0 | } |
4658 | 0 | } |
4659 | | |
4660 | | /* If the server was setup to use an external PSK but failed to agree, abort the handshake. Because external PSK is a form of |
4661 | | * mutual authentication, it makes sense to abort (at least as the default). */ |
4662 | 0 | if (tls->ctx->pre_shared_key.identity.base != NULL && psk_index == SIZE_MAX) { |
4663 | 0 | ret = PTLS_ALERT_UNKNOWN_PSK_IDENTITY; |
4664 | 0 | goto Exit; |
4665 | 0 | } |
4666 | | |
4667 | | /* If client authentication is enabled, we always force a full handshake. |
4668 | | * TODO: Check for `post_handshake_auth` extension and if that is present, do not force full handshake! |
4669 | | * Remove also the check `!require_client_authentication` above. |
4670 | | * |
4671 | | * adjust key_schedule, determine handshake mode |
4672 | | */ |
4673 | 0 | if (psk_index == SIZE_MAX || tls->ctx->require_client_authentication) { |
4674 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
4675 | 0 | if (!is_second_flight) { |
4676 | 0 | assert(tls->key_schedule->generation == 0); |
4677 | 0 | key_schedule_extract(tls->key_schedule, ptls_iovec_init(NULL, 0)); |
4678 | 0 | } |
4679 | 0 | mode = HANDSHAKE_MODE_FULL; |
4680 | 0 | if (properties != NULL) |
4681 | 0 | properties->server.selected_psk_binder.len = 0; |
4682 | 0 | } else { |
4683 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, ch->psk.hash_end, message.base + message.len - ch->psk.hash_end, 0); |
4684 | 0 | if ((ch->psk.ke_modes & (1u << PTLS_PSK_KE_MODE_PSK)) != 0) { |
4685 | 0 | mode = HANDSHAKE_MODE_PSK; |
4686 | 0 | } else { |
4687 | 0 | assert((ch->psk.ke_modes & (1u << PTLS_PSK_KE_MODE_PSK_DHE)) != 0); |
4688 | 0 | mode = HANDSHAKE_MODE_PSK_DHE; |
4689 | 0 | } |
4690 | 0 | tls->is_psk_handshake = 1; |
4691 | 0 | if (properties != NULL) { |
4692 | 0 | ptls_iovec_t *selected = &ch->psk.identities.list[psk_index].binder; |
4693 | 0 | memcpy(properties->server.selected_psk_binder.base, selected->base, selected->len); |
4694 | 0 | properties->server.selected_psk_binder.len = selected->len; |
4695 | 0 | } |
4696 | 0 | } |
4697 | | |
4698 | | /* determine number of tickets to send */ |
4699 | 0 | if (ch->psk.ke_modes != 0 && tls->ctx->ticket_lifetime != 0) { |
4700 | 0 | if (ch->ticket_request.new_session_count != 0) { |
4701 | 0 | tls->server.num_tickets_to_send = |
4702 | 0 | tls->is_psk_handshake ? ch->ticket_request.resumption_count : ch->ticket_request.new_session_count; |
4703 | 0 | } else { |
4704 | 0 | tls->server.num_tickets_to_send = 1; |
4705 | 0 | } |
4706 | 0 | uint8_t max_tickets = tls->ctx->ticket_requests.server.max_count; |
4707 | 0 | if (max_tickets == 0) |
4708 | 0 | max_tickets = PTLS_DEFAULT_MAX_TICKETS_TO_SERVE; |
4709 | 0 | if (tls->server.num_tickets_to_send > max_tickets) |
4710 | 0 | tls->server.num_tickets_to_send = max_tickets; |
4711 | 0 | } else { |
4712 | 0 | tls->server.num_tickets_to_send = 0; |
4713 | 0 | } |
4714 | |
|
4715 | 0 | if (accept_early_data && tls->ctx->max_early_data_size != 0 && psk_index == 0) { |
4716 | 0 | if ((tls->pending_handshake_secret = malloc(PTLS_MAX_DIGEST_SIZE)) == NULL) { |
4717 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
4718 | 0 | goto Exit; |
4719 | 0 | } |
4720 | 0 | if ((ret = derive_exporter_secret(tls, 1)) != 0) |
4721 | 0 | goto Exit; |
4722 | 0 | if ((ret = setup_traffic_protection(tls, 0, "c e traffic", 1, 0, 0)) != 0) |
4723 | 0 | goto Exit; |
4724 | 0 | } |
4725 | | |
4726 | | /* run key-exchange, to obtain pubkey and secret */ |
4727 | 0 | if (mode != HANDSHAKE_MODE_PSK) { |
4728 | 0 | if (key_share.algorithm == NULL) { |
4729 | 0 | ret = ch->key_shares.base != NULL ? PTLS_ALERT_HANDSHAKE_FAILURE : PTLS_ALERT_MISSING_EXTENSION; |
4730 | 0 | goto Exit; |
4731 | 0 | } |
4732 | 0 | if ((ret = key_share.algorithm->exchange(key_share.algorithm, &pubkey, &ecdh_secret, key_share.peer_key)) != 0) { |
4733 | 0 | assert(pubkey.base == NULL); |
4734 | 0 | assert(ecdh_secret.base == NULL); |
4735 | 0 | goto Exit; |
4736 | 0 | } |
4737 | 0 | tls->key_share = key_share.algorithm; |
4738 | 0 | } |
4739 | | |
4740 | 0 | { /* send ServerHello */ |
4741 | 0 | size_t ech_confirm_off = 0; |
4742 | 0 | EMIT_SERVER_HELLO( |
4743 | 0 | tls->key_schedule, |
4744 | 0 | { |
4745 | 0 | tls->ctx->random_bytes(emitter->buf->base + emitter->buf->off, PTLS_HELLO_RANDOM_SIZE); |
4746 | | /* when accepting CHInner, last 8 byte of SH.random is zero for the handshake transcript */ |
4747 | 0 | if (ptls_is_ech_handshake(tls, NULL, NULL, NULL)) { |
4748 | 0 | ech_confirm_off = emitter->buf->off + PTLS_HELLO_RANDOM_SIZE - PTLS_ECH_CONFIRM_LENGTH; |
4749 | 0 | memset(emitter->buf->base + ech_confirm_off, 0, PTLS_ECH_CONFIRM_LENGTH); |
4750 | 0 | } |
4751 | 0 | }, |
4752 | 0 | { |
4753 | 0 | ptls_buffer_t *sendbuf = emitter->buf; |
4754 | 0 | if (mode != HANDSHAKE_MODE_PSK) { |
4755 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_KEY_SHARE, { |
4756 | 0 | ptls_buffer_push16(sendbuf, key_share.algorithm->id); |
4757 | 0 | ptls_buffer_push_block(sendbuf, 2, { ptls_buffer_pushv(sendbuf, pubkey.base, pubkey.len); }); |
4758 | 0 | }); |
4759 | 0 | } |
4760 | 0 | if (mode != HANDSHAKE_MODE_FULL) { |
4761 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_PRE_SHARED_KEY, |
4762 | 0 | { ptls_buffer_push16(sendbuf, (uint16_t)psk_index); }); |
4763 | 0 | } |
4764 | 0 | }, |
4765 | 0 | { |
4766 | 0 | if (ech_confirm_off != 0 && |
4767 | 0 | (ret = ech_calc_confirmation( |
4768 | 0 | tls->key_schedule, emitter->buf->base + ech_confirm_off, tls->ech.inner_client_random, |
4769 | 0 | ECH_CONFIRMATION_SERVER_HELLO, |
4770 | 0 | ptls_iovec_init(emitter->buf->base + sh_start_off, emitter->buf->off - sh_start_off))) != 0) |
4771 | 0 | goto Exit; |
4772 | 0 | }); |
4773 | 0 | } |
4774 | | |
4775 | | /* processing of ECH is complete; dispose state */ |
4776 | 0 | clear_ech(&tls->ech, 1); |
4777 | |
|
4778 | 0 | if ((ret = push_change_cipher_spec(tls, emitter)) != 0) |
4779 | 0 | goto Exit; |
4780 | | |
4781 | | /* create protection contexts for the handshake */ |
4782 | 0 | assert(tls->key_schedule->generation == 1); |
4783 | 0 | key_schedule_extract(tls->key_schedule, ecdh_secret); |
4784 | 0 | if ((ret = setup_traffic_protection(tls, 1, "s hs traffic", 2, 0, 0)) != 0) |
4785 | 0 | goto Exit; |
4786 | 0 | if (tls->pending_handshake_secret != NULL) { |
4787 | 0 | if ((ret = derive_secret(tls->key_schedule, tls->pending_handshake_secret, "c hs traffic")) != 0) |
4788 | 0 | goto Exit; |
4789 | 0 | if (tls->ctx->update_traffic_key != NULL && |
4790 | 0 | (ret = tls->ctx->update_traffic_key->cb(tls->ctx->update_traffic_key, tls, 0, 2, tls->pending_handshake_secret)) != 0) |
4791 | 0 | goto Exit; |
4792 | 0 | } else { |
4793 | 0 | if ((ret = setup_traffic_protection(tls, 0, "c hs traffic", 2, 0, 0)) != 0) |
4794 | 0 | goto Exit; |
4795 | 0 | if (ch->psk.early_data_indication) |
4796 | 0 | tls->server.early_data_skipped_bytes = 0; |
4797 | 0 | } |
4798 | | |
4799 | | /* send EncryptedExtensions */ |
4800 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS, { |
4801 | 0 | ptls_buffer_t *sendbuf = emitter->buf; |
4802 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4803 | 0 | if (tls->server_name != NULL) { |
4804 | | /* In this event, the server SHALL include an extension of type "server_name" in the (extended) server hello. |
4805 | | * The "extension_data" field of this extension SHALL be empty. (RFC 6066 section 3) */ |
4806 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_NAME, {}); |
4807 | 0 | } |
4808 | 0 | if (tls->ctx->use_raw_public_keys) { |
4809 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE, |
4810 | 0 | { ptls_buffer_push(sendbuf, PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY); }); |
4811 | 0 | } |
4812 | 0 | if (tls->negotiated_protocol != NULL) { |
4813 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ALPN, { |
4814 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4815 | 0 | ptls_buffer_push_block(sendbuf, 1, { |
4816 | 0 | ptls_buffer_pushv(sendbuf, tls->negotiated_protocol, strlen(tls->negotiated_protocol)); |
4817 | 0 | }); |
4818 | 0 | }); |
4819 | 0 | }); |
4820 | 0 | } |
4821 | 0 | if (tls->pending_handshake_secret != NULL) |
4822 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_EARLY_DATA, {}); |
4823 | | /* send ECH retry_configs, if ECH was offered by rejected, even though we (the server) could have accepted ECH */ |
4824 | 0 | if (tls->ech.offered && !ptls_is_ech_handshake(tls, NULL, NULL, NULL) && tls->ctx->ech.server.create_opener != NULL && |
4825 | 0 | tls->ctx->ech.server.retry_configs.len != 0) |
4826 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, { |
4827 | 0 | ptls_buffer_pushv(sendbuf, tls->ctx->ech.server.retry_configs.base, tls->ctx->ech.server.retry_configs.len); |
4828 | 0 | }); |
4829 | 0 | if (ch->ticket_request.new_session_count != 0 && tls->server.num_tickets_to_send != 0) |
4830 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_TICKET_REQUEST, |
4831 | 0 | { ptls_buffer_push(sendbuf, tls->server.num_tickets_to_send); }); |
4832 | 0 | if ((ret = push_additional_extensions(properties, sendbuf)) != 0) |
4833 | 0 | goto Exit; |
4834 | 0 | }); |
4835 | 0 | }); |
4836 | | |
4837 | 0 | if (mode == HANDSHAKE_MODE_FULL) { |
4838 | | /* send certificate request if client authentication is activated */ |
4839 | 0 | if (tls->ctx->require_client_authentication) { |
4840 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST, { |
4841 | 0 | ptls_buffer_t *sendbuf = emitter->buf; |
4842 | | /* certificate_request_context: this field SHALL be zero length, unless the certificate request is used for post- |
4843 | | * handshake authentication. */ |
4844 | 0 | ptls_buffer_push(sendbuf, 0); |
4845 | | /* extensions */ |
4846 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4847 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS, { |
4848 | 0 | if ((ret = push_signature_algorithms(tls->ctx->verify_certificate, sendbuf)) != 0) |
4849 | 0 | goto Exit; |
4850 | 0 | }); |
4851 | | /* certificate authorities entension */ |
4852 | 0 | if (tls->ctx->client_ca_names.count > 0) { |
4853 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_CERTIFICATE_AUTHORITIES, { |
4854 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4855 | 0 | for (size_t i = 0; i != tls->ctx->client_ca_names.count; ++i) { |
4856 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4857 | 0 | ptls_iovec_t name = tls->ctx->client_ca_names.list[i]; |
4858 | 0 | ptls_buffer_pushv(sendbuf, name.base, name.len); |
4859 | 0 | }); |
4860 | 0 | } |
4861 | 0 | }); |
4862 | 0 | }); |
4863 | 0 | } |
4864 | 0 | }); |
4865 | 0 | }); |
4866 | | |
4867 | 0 | if (ret != 0) { |
4868 | 0 | goto Exit; |
4869 | 0 | } |
4870 | 0 | } |
4871 | | |
4872 | | /* send certificate */ |
4873 | 0 | if ((ret = send_certificate(tls, emitter, &ch->signature_algorithms, ptls_iovec_init(NULL, 0), ch->status_request, |
4874 | 0 | ch->cert_compression_algos.list, ch->cert_compression_algos.count)) != 0) |
4875 | 0 | goto Exit; |
4876 | | /* send certificateverify, finished, and complete the handshake */ |
4877 | 0 | if ((ret = server_finish_handshake(tls, emitter, 1, &ch->signature_algorithms)) != 0) |
4878 | 0 | goto Exit; |
4879 | 0 | } else { |
4880 | | /* send finished, and complete the handshake */ |
4881 | 0 | if ((ret = server_finish_handshake(tls, emitter, 0, NULL)) != 0) |
4882 | 0 | goto Exit; |
4883 | 0 | } |
4884 | | |
4885 | 0 | Exit: |
4886 | 0 | free(pubkey.base); |
4887 | 0 | if (ecdh_secret.base != NULL) { |
4888 | 0 | ptls_clear_memory(ecdh_secret.base, ecdh_secret.len); |
4889 | 0 | free(ecdh_secret.base); |
4890 | 0 | } |
4891 | 0 | free(ech.encoded_ch_inner); |
4892 | 0 | free(ech.ch_outer_aad); |
4893 | 0 | ptls_buffer_dispose(&ech.ch_inner); |
4894 | 0 | free(ch); |
4895 | 0 | return ret; |
4896 | |
|
4897 | 0 | #undef EMIT_SERVER_HELLO |
4898 | 0 | #undef EMIT_HELLO_RETRY_REQUEST |
4899 | 0 | } |
4900 | | |
4901 | | static int server_finish_handshake(ptls_t *tls, ptls_message_emitter_t *emitter, int send_cert_verify, |
4902 | | struct st_ptls_signature_algorithms_t *signature_algorithms) |
4903 | 0 | { |
4904 | 0 | int ret; |
4905 | |
|
4906 | 0 | if (send_cert_verify) { |
4907 | 0 | if ((ret = send_certificate_verify(tls, emitter, signature_algorithms, PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING)) != |
4908 | 0 | 0) { |
4909 | 0 | if (ret == PTLS_ERROR_ASYNC_OPERATION) { |
4910 | 0 | tls->state = PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY; |
4911 | 0 | } |
4912 | 0 | goto Exit; |
4913 | 0 | } |
4914 | 0 | } |
4915 | | |
4916 | 0 | if ((ret = send_finished(tls, emitter)) != 0) |
4917 | 0 | goto Exit; |
4918 | | |
4919 | 0 | assert(tls->key_schedule->generation == 2); |
4920 | 0 | if ((ret = key_schedule_extract(tls->key_schedule, ptls_iovec_init(NULL, 0))) != 0) |
4921 | 0 | goto Exit; |
4922 | 0 | if ((ret = setup_traffic_protection(tls, 1, "s ap traffic", 3, 0, 0)) != 0) |
4923 | 0 | goto Exit; |
4924 | 0 | if ((ret = derive_secret(tls->key_schedule, tls->server.pending_traffic_secret, "c ap traffic")) != 0) |
4925 | 0 | goto Exit; |
4926 | 0 | if ((ret = derive_exporter_secret(tls, 0)) != 0) |
4927 | 0 | goto Exit; |
4928 | | |
4929 | 0 | if (tls->pending_handshake_secret != NULL) { |
4930 | 0 | if (tls->ctx->omit_end_of_early_data) { |
4931 | 0 | if ((ret = commission_handshake_secret(tls)) != 0) |
4932 | 0 | goto Exit; |
4933 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
4934 | 0 | } else { |
4935 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA; |
4936 | 0 | } |
4937 | 0 | } else if (tls->ctx->require_client_authentication) { |
4938 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_CERTIFICATE; |
4939 | 0 | } else { |
4940 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
4941 | 0 | } |
4942 | | |
4943 | | /* send session ticket if necessary */ |
4944 | 0 | if (tls->server.num_tickets_to_send != 0) { |
4945 | 0 | assert(tls->ctx->ticket_lifetime != 0); |
4946 | 0 | for (uint8_t i = 0; i < tls->server.num_tickets_to_send; ++i) |
4947 | 0 | if ((ret = send_session_ticket(tls, emitter)) != 0) |
4948 | 0 | goto Exit; |
4949 | 0 | } |
4950 | | |
4951 | 0 | if (tls->ctx->require_client_authentication) { |
4952 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
4953 | 0 | } else { |
4954 | 0 | ret = 0; |
4955 | 0 | } |
4956 | |
|
4957 | 0 | Exit: |
4958 | 0 | return ret; |
4959 | 0 | } |
4960 | | |
4961 | | static int server_handle_end_of_early_data(ptls_t *tls, ptls_iovec_t message) |
4962 | 0 | { |
4963 | 0 | int ret; |
4964 | |
|
4965 | 0 | if ((ret = commission_handshake_secret(tls)) != 0) |
4966 | 0 | goto Exit; |
4967 | | |
4968 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
4969 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
4970 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
4971 | |
|
4972 | 0 | Exit: |
4973 | 0 | return ret; |
4974 | 0 | } |
4975 | | |
4976 | | static int server_handle_finished(ptls_t *tls, ptls_iovec_t message) |
4977 | 0 | { |
4978 | 0 | int ret; |
4979 | |
|
4980 | 0 | if ((ret = verify_finished(tls, message)) != 0) |
4981 | 0 | return ret; |
4982 | | |
4983 | 0 | memcpy(tls->traffic_protection.dec.secret, tls->server.pending_traffic_secret, sizeof(tls->server.pending_traffic_secret)); |
4984 | 0 | ptls_clear_memory(tls->server.pending_traffic_secret, sizeof(tls->server.pending_traffic_secret)); |
4985 | 0 | if ((ret = setup_traffic_protection(tls, 0, NULL, 3, 0, 0)) != 0) |
4986 | 0 | return ret; |
4987 | | |
4988 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
4989 | |
|
4990 | 0 | tls->state = PTLS_STATE_SERVER_POST_HANDSHAKE; |
4991 | 0 | return 0; |
4992 | 0 | } |
4993 | | |
4994 | | static int update_traffic_key(ptls_t *tls, int is_enc) |
4995 | 0 | { |
4996 | 0 | struct st_ptls_traffic_protection_t *tp = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
4997 | 0 | uint8_t secret[PTLS_MAX_DIGEST_SIZE]; |
4998 | 0 | int ret; |
4999 | |
|
5000 | 0 | ptls_hash_algorithm_t *hash = tls->key_schedule->hashes[0].algo; |
5001 | 0 | if ((ret = ptls_hkdf_expand_label(hash, secret, hash->digest_size, ptls_iovec_init(tp->secret, hash->digest_size), |
5002 | 0 | "traffic upd", ptls_iovec_init(NULL, 0), NULL)) != 0) |
5003 | 0 | goto Exit; |
5004 | 0 | memcpy(tp->secret, secret, sizeof(secret)); |
5005 | 0 | ret = setup_traffic_protection(tls, is_enc, NULL, 3, 0, 1); |
5006 | |
|
5007 | 0 | Exit: |
5008 | 0 | ptls_clear_memory(secret, sizeof(secret)); |
5009 | 0 | return ret; |
5010 | 0 | } |
5011 | | |
5012 | | static int handle_key_update(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message) |
5013 | 0 | { |
5014 | 0 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
5015 | 0 | int ret; |
5016 | | |
5017 | | /* validate */ |
5018 | 0 | if (end - src != 1 || *src > 1) |
5019 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5020 | | |
5021 | | /* update receive key */ |
5022 | 0 | if ((ret = update_traffic_key(tls, 0)) != 0) |
5023 | 0 | return ret; |
5024 | | |
5025 | 0 | if (*src) { |
5026 | 0 | if (tls->ctx->update_traffic_key != NULL) |
5027 | 0 | return PTLS_ALERT_UNEXPECTED_MESSAGE; |
5028 | 0 | tls->needs_key_update = 1; |
5029 | 0 | } |
5030 | | |
5031 | 0 | return 0; |
5032 | 0 | } |
5033 | | |
5034 | | static int parse_record_header(struct st_ptls_record_t *rec, const uint8_t *src) |
5035 | 72.1k | { |
5036 | 72.1k | rec->type = src[0]; |
5037 | 72.1k | rec->version = ntoh16(src + 1); |
5038 | 72.1k | rec->length = ntoh16(src + 3); |
5039 | | |
5040 | 72.1k | if (rec->length > |
5041 | 72.1k | (size_t)(rec->type == PTLS_CONTENT_TYPE_APPDATA ? PTLS_MAX_ENCRYPTED_RECORD_SIZE : PTLS_MAX_PLAINTEXT_RECORD_SIZE)) |
5042 | 7 | return PTLS_ALERT_DECODE_ERROR; |
5043 | | |
5044 | 72.1k | return 0; |
5045 | 72.1k | } |
5046 | | |
5047 | | static int parse_record(ptls_t *tls, struct st_ptls_record_t *rec, const uint8_t *src, size_t *len) |
5048 | 72.1k | { |
5049 | 72.1k | int ret; |
5050 | | |
5051 | 72.1k | assert(*len != 0); |
5052 | | |
5053 | | /* Check if the first byte is something that we can handle, otherwise do not bother parsing / buffering the entire record as it |
5054 | | * is obviously broken. SSL 2.0 handshakes fall into this path as well. */ |
5055 | 72.1k | if (tls->recvbuf.rec.base == NULL) { |
5056 | 72.1k | uint8_t type = src[0]; |
5057 | 72.1k | switch (type) { |
5058 | 224 | case PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC: |
5059 | 267 | case PTLS_CONTENT_TYPE_ALERT: |
5060 | 70.9k | case PTLS_CONTENT_TYPE_HANDSHAKE: |
5061 | 72.1k | case PTLS_CONTENT_TYPE_APPDATA: |
5062 | 72.1k | break; |
5063 | 54 | default: |
5064 | 54 | return PTLS_ALERT_DECODE_ERROR; |
5065 | 72.1k | } |
5066 | 72.1k | } |
5067 | | |
5068 | 72.1k | if (tls->recvbuf.rec.base == NULL && *len >= 5) { |
5069 | | /* fast path */ |
5070 | 72.0k | if ((ret = parse_record_header(rec, src)) != 0) |
5071 | 7 | return ret; |
5072 | 72.0k | if (5 + rec->length <= *len) { |
5073 | 71.9k | rec->fragment = src + 5; |
5074 | 71.9k | *len = rec->length + 5; |
5075 | 71.9k | return 0; |
5076 | 71.9k | } |
5077 | 72.0k | } |
5078 | | |
5079 | | /* slow path */ |
5080 | 128 | const uint8_t *const end = src + *len; |
5081 | 128 | *rec = (struct st_ptls_record_t){0}; |
5082 | | |
5083 | 128 | if (tls->recvbuf.rec.base == NULL) { |
5084 | 128 | ptls_buffer_init(&tls->recvbuf.rec, "", 0); |
5085 | 128 | if ((ret = ptls_buffer_reserve(&tls->recvbuf.rec, 5)) != 0) |
5086 | 0 | return ret; |
5087 | 128 | } |
5088 | | |
5089 | | /* fill and parse the header */ |
5090 | 676 | while (tls->recvbuf.rec.off < 5) { |
5091 | 575 | if (src == end) |
5092 | 27 | return PTLS_ERROR_IN_PROGRESS; |
5093 | 548 | tls->recvbuf.rec.base[tls->recvbuf.rec.off++] = *src++; |
5094 | 548 | } |
5095 | 101 | if ((ret = parse_record_header(rec, tls->recvbuf.rec.base)) != 0) |
5096 | 0 | return ret; |
5097 | | |
5098 | | /* fill the fragment */ |
5099 | 101 | size_t addlen = rec->length + 5 - tls->recvbuf.rec.off; |
5100 | 101 | if (addlen != 0) { |
5101 | 101 | if ((ret = ptls_buffer_reserve(&tls->recvbuf.rec, addlen)) != 0) |
5102 | 0 | return ret; |
5103 | 101 | if (addlen > (size_t)(end - src)) |
5104 | 101 | addlen = end - src; |
5105 | 101 | if (addlen != 0) { |
5106 | 38 | memcpy(tls->recvbuf.rec.base + tls->recvbuf.rec.off, src, addlen); |
5107 | 38 | tls->recvbuf.rec.off += addlen; |
5108 | 38 | src += addlen; |
5109 | 38 | } |
5110 | 101 | } |
5111 | | |
5112 | | /* set rec->fragment if a complete record has been parsed */ |
5113 | 101 | if (tls->recvbuf.rec.off == rec->length + 5) { |
5114 | 0 | rec->fragment = tls->recvbuf.rec.base + 5; |
5115 | 0 | ret = 0; |
5116 | 101 | } else { |
5117 | 101 | ret = PTLS_ERROR_IN_PROGRESS; |
5118 | 101 | } |
5119 | | |
5120 | 101 | *len -= end - src; |
5121 | 101 | return ret; |
5122 | 101 | } |
5123 | | |
5124 | | static void update_open_count(ptls_context_t *ctx, ssize_t delta) |
5125 | 4.18k | { |
5126 | 4.18k | if (ctx->update_open_count != NULL) |
5127 | 0 | ctx->update_open_count->cb(ctx->update_open_count, delta); |
5128 | 4.18k | } |
5129 | | |
5130 | | static ptls_t *new_instance(ptls_context_t *ctx, int is_server) |
5131 | 2.09k | { |
5132 | 2.09k | ptls_t *tls; |
5133 | | |
5134 | | /* check consistency of `ptls_context_t` before instantiating a connection object */ |
5135 | 2.09k | assert(ctx->get_time != NULL && "please set ctx->get_time to `&ptls_get_time`; see #92"); |
5136 | 2.09k | if (ctx->pre_shared_key.identity.base != NULL) { |
5137 | 0 | assert(ctx->pre_shared_key.identity.len != 0 && ctx->pre_shared_key.secret.base != NULL && |
5138 | 0 | ctx->pre_shared_key.secret.len != 0 && ctx->pre_shared_key.hash != NULL && |
5139 | 0 | "`ptls_context_t::pre_shared_key` in incosistent state"); |
5140 | 2.09k | } else { |
5141 | 2.09k | assert(ctx->pre_shared_key.identity.len == 0 && ctx->pre_shared_key.secret.base == NULL && |
5142 | 2.09k | ctx->pre_shared_key.secret.len == 0 && ctx->pre_shared_key.hash == NULL && |
5143 | 2.09k | "`ptls_context_t::pre_shared_key` in inconsitent state"); |
5144 | 2.09k | } |
5145 | | |
5146 | 2.09k | if ((tls = malloc(sizeof(*tls))) == NULL) |
5147 | 0 | return NULL; |
5148 | | |
5149 | 2.09k | update_open_count(ctx, 1); |
5150 | 2.09k | *tls = (ptls_t){ctx}; |
5151 | 2.09k | tls->is_server = is_server; |
5152 | 2.09k | tls->send_change_cipher_spec = ctx->send_change_cipher_spec; |
5153 | | |
5154 | 2.09k | #if PTLS_HAVE_LOG |
5155 | 2.09k | if (ptls_log_conn_state_override != NULL) { |
5156 | 0 | tls->log_state = *ptls_log_conn_state_override; |
5157 | 2.09k | } else { |
5158 | 2.09k | ptls_log_init_conn_state(&tls->log_state, ctx->random_bytes); |
5159 | 2.09k | } |
5160 | 2.09k | #endif |
5161 | | |
5162 | 2.09k | return tls; |
5163 | 2.09k | } |
5164 | | |
5165 | | ptls_t *ptls_client_new(ptls_context_t *ctx) |
5166 | 2.09k | { |
5167 | 2.09k | ptls_t *tls = new_instance(ctx, 0); |
5168 | 2.09k | tls->state = PTLS_STATE_CLIENT_HANDSHAKE_START; |
5169 | 2.09k | tls->ctx->random_bytes(tls->client_random, sizeof(tls->client_random)); |
5170 | 2.09k | log_client_random(tls); |
5171 | 2.09k | if (tls->send_change_cipher_spec) { |
5172 | 0 | tls->client.legacy_session_id = |
5173 | 0 | ptls_iovec_init(tls->client.legacy_session_id_buf, sizeof(tls->client.legacy_session_id_buf)); |
5174 | 0 | tls->ctx->random_bytes(tls->client.legacy_session_id.base, tls->client.legacy_session_id.len); |
5175 | 0 | } |
5176 | | |
5177 | 2.09k | PTLS_PROBE(NEW, tls, 0); |
5178 | 2.09k | PTLS_LOG_CONN(new, tls, { PTLS_LOG_ELEMENT_BOOL(is_server, 0); }); |
5179 | 0 | return tls; |
5180 | 2.09k | } |
5181 | | |
5182 | | ptls_t *ptls_server_new(ptls_context_t *ctx) |
5183 | 0 | { |
5184 | 0 | ptls_t *tls = new_instance(ctx, 1); |
5185 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO; |
5186 | 0 | tls->server.early_data_skipped_bytes = UINT32_MAX; |
5187 | |
|
5188 | 0 | PTLS_PROBE(NEW, tls, 1); |
5189 | 0 | PTLS_LOG_CONN(new, tls, { PTLS_LOG_ELEMENT_BOOL(is_server, 1); }); |
5190 | 0 | return tls; |
5191 | 0 | } |
5192 | | |
5193 | | #define export_tls_params(output, is_server, session_reused, protocol_version, cipher, client_random, server_name, \ |
5194 | | negotiated_protocol, ver_block) \ |
5195 | 0 | do { \ |
5196 | 0 | const char *_server_name = (server_name); \ |
5197 | 0 | ptls_iovec_t _negotiated_protocol = (negotiated_protocol); \ |
5198 | 0 | ptls_buffer_push_block((output), 2, { \ |
5199 | 0 | ptls_buffer_push((output), (is_server)); \ |
5200 | 0 | ptls_buffer_push((output), (session_reused)); \ |
5201 | 0 | ptls_buffer_push16((output), (protocol_version)); \ |
5202 | 0 | ptls_buffer_push16((output), (cipher)->id); \ |
5203 | 0 | ptls_buffer_pushv((output), (client_random), PTLS_HELLO_RANDOM_SIZE); \ |
5204 | 0 | ptls_buffer_push_block((output), 2, { \ |
5205 | 0 | size_t len = _server_name != NULL ? strlen(_server_name) : 0; \ |
5206 | 0 | ptls_buffer_pushv((output), _server_name, len); \ |
5207 | 0 | }); \ |
5208 | 0 | ptls_buffer_push_block((output), 2, \ |
5209 | 0 | { ptls_buffer_pushv((output), _negotiated_protocol.base, _negotiated_protocol.len); }); \ |
5210 | 0 | ptls_buffer_push_block((output), 2, {ver_block}); /* version-specific block */ \ |
5211 | 0 | ptls_buffer_push_block((output), 2, {}); /* for future extensions */ \ |
5212 | 0 | }); \ |
5213 | 0 | } while (0) |
5214 | | |
5215 | | static int export_tls12_params(ptls_buffer_t *output, int is_server, int session_reused, ptls_cipher_suite_t *cipher, |
5216 | | const void *client_random, const char *server_name, ptls_iovec_t negotiated_protocol, |
5217 | | const void *enc_key, const void *enc_iv, uint64_t enc_seq, uint64_t enc_record_iv, |
5218 | | const void *dec_key, const void *dec_iv, uint64_t dec_seq) |
5219 | 0 | { |
5220 | 0 | int ret; |
5221 | |
|
5222 | 0 | export_tls_params(output, is_server, session_reused, PTLS_PROTOCOL_VERSION_TLS12, cipher, client_random, server_name, |
5223 | 0 | negotiated_protocol, { |
5224 | 0 | ptls_buffer_pushv(output, enc_key, cipher->aead->key_size); |
5225 | 0 | ptls_buffer_pushv(output, enc_iv, cipher->aead->tls12.fixed_iv_size); |
5226 | 0 | ptls_buffer_push64(output, enc_seq); |
5227 | 0 | if (cipher->aead->tls12.record_iv_size != 0) |
5228 | 0 | ptls_buffer_push64(output, enc_record_iv); |
5229 | 0 | ptls_buffer_pushv(output, dec_key, cipher->aead->key_size); |
5230 | 0 | ptls_buffer_pushv(output, dec_iv, cipher->aead->tls12.fixed_iv_size); |
5231 | 0 | ptls_buffer_push64(output, dec_seq); |
5232 | 0 | }); |
5233 | 0 | ret = 0; |
5234 | |
|
5235 | 0 | Exit: |
5236 | 0 | return ret; |
5237 | 0 | } |
5238 | | |
5239 | | int ptls_build_tls12_export_params(ptls_context_t *ctx, ptls_buffer_t *output, int is_server, int session_reused, |
5240 | | ptls_cipher_suite_t *cipher, const void *master_secret, const void *hello_randoms, |
5241 | | uint64_t next_send_record_iv, const char *server_name, ptls_iovec_t negotiated_protocol) |
5242 | 0 | { |
5243 | 0 | assert(cipher->aead->tls12.fixed_iv_size + cipher->aead->tls12.record_iv_size != 0 || !"given cipher-suite supports TLS/1.2"); |
5244 | | |
5245 | 0 | uint8_t key_block[(PTLS_MAX_SECRET_SIZE + PTLS_MAX_IV_SIZE) * 2]; |
5246 | 0 | size_t key_block_len = (cipher->aead->key_size + cipher->aead->tls12.fixed_iv_size) * 2; |
5247 | 0 | int ret; |
5248 | |
|
5249 | 0 | assert(key_block_len <= sizeof(key_block)); |
5250 | | |
5251 | | /* generate key block */ |
5252 | 0 | if ((ret = |
5253 | 0 | ptls_tls12_phash(cipher->hash, key_block, key_block_len, ptls_iovec_init(master_secret, PTLS_TLS12_MASTER_SECRET_SIZE), |
5254 | 0 | "key expansion", ptls_iovec_init(hello_randoms, PTLS_HELLO_RANDOM_SIZE * 2))) != 0) |
5255 | 0 | goto Exit; |
5256 | | |
5257 | | /* determine key locations */ |
5258 | 0 | struct { |
5259 | 0 | const void *key; |
5260 | 0 | const void *iv; |
5261 | 0 | } client_secret, server_secret, *enc_secret = is_server ? &server_secret : &client_secret, |
5262 | 0 | *dec_secret = is_server ? &client_secret : &server_secret; |
5263 | 0 | client_secret.key = key_block; |
5264 | 0 | server_secret.key = key_block + cipher->aead->key_size; |
5265 | 0 | client_secret.iv = key_block + cipher->aead->key_size * 2; |
5266 | 0 | server_secret.iv = key_block + cipher->aead->key_size * 2 + cipher->aead->tls12.fixed_iv_size; |
5267 | | |
5268 | | /* Serialize prams. Sequence number of the first application record is 1, because Finished is the only message sent after |
5269 | | * ChangeCipherSpec. */ |
5270 | 0 | ret = export_tls12_params(output, is_server, session_reused, cipher, (uint8_t *)hello_randoms + PTLS_HELLO_RANDOM_SIZE, |
5271 | 0 | server_name, negotiated_protocol, enc_secret->key, enc_secret->iv, 1, next_send_record_iv, |
5272 | 0 | dec_secret->key, dec_secret->iv, 1); |
5273 | |
|
5274 | 0 | Exit: |
5275 | 0 | ptls_clear_memory(key_block, sizeof(key_block)); |
5276 | 0 | return ret; |
5277 | 0 | } |
5278 | | |
5279 | | int ptls_export(ptls_t *tls, ptls_buffer_t *output) |
5280 | 0 | { |
5281 | 0 | ptls_iovec_t negotiated_protocol = |
5282 | 0 | ptls_iovec_init(tls->negotiated_protocol, tls->negotiated_protocol != NULL ? strlen(tls->negotiated_protocol) : 0); |
5283 | 0 | int ret; |
5284 | |
|
5285 | 0 | if (tls->state != PTLS_STATE_SERVER_POST_HANDSHAKE) { |
5286 | 0 | ret = PTLS_ERROR_LIBRARY; |
5287 | 0 | goto Exit; |
5288 | 0 | } |
5289 | | |
5290 | 0 | if (ptls_get_protocol_version(tls) == PTLS_PROTOCOL_VERSION_TLS13) { |
5291 | 0 | export_tls_params(output, tls->is_server, tls->is_psk_handshake, PTLS_PROTOCOL_VERSION_TLS13, tls->cipher_suite, |
5292 | 0 | tls->client_random, tls->server_name, negotiated_protocol, { |
5293 | 0 | ptls_buffer_pushv(output, tls->traffic_protection.enc.secret, tls->cipher_suite->hash->digest_size); |
5294 | 0 | ptls_buffer_push64(output, tls->traffic_protection.enc.seq); |
5295 | 0 | ptls_buffer_pushv(output, tls->traffic_protection.dec.secret, tls->cipher_suite->hash->digest_size); |
5296 | 0 | ptls_buffer_push64(output, tls->traffic_protection.dec.seq); |
5297 | 0 | }); |
5298 | 0 | ret = 0; |
5299 | 0 | } else { |
5300 | 0 | if ((ret = export_tls12_params(output, tls->is_server, tls->is_psk_handshake, tls->cipher_suite, tls->client_random, |
5301 | 0 | tls->server_name, negotiated_protocol, tls->traffic_protection.enc.secret, |
5302 | 0 | tls->traffic_protection.enc.secret + PTLS_MAX_SECRET_SIZE, tls->traffic_protection.enc.seq, |
5303 | 0 | tls->traffic_protection.enc.tls12_enc_record_iv, tls->traffic_protection.dec.secret, |
5304 | 0 | tls->traffic_protection.dec.secret + PTLS_MAX_SECRET_SIZE, |
5305 | 0 | tls->traffic_protection.dec.seq)) != 0) |
5306 | 0 | goto Exit; |
5307 | 0 | } |
5308 | | |
5309 | 0 | Exit: |
5310 | 0 | return ret; |
5311 | 0 | } |
5312 | | |
5313 | | static int import_tls12_traffic_protection(ptls_t *tls, int is_enc, const uint8_t **src, const uint8_t *const end) |
5314 | 0 | { |
5315 | 0 | struct st_ptls_traffic_protection_t *tp = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
5316 | |
|
5317 | 0 | if ((size_t)(end - *src) < tls->cipher_suite->aead->key_size + tls->cipher_suite->aead->tls12.fixed_iv_size + sizeof(uint64_t)) |
5318 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5319 | | |
5320 | | /* set properties */ |
5321 | 0 | memcpy(tp->secret, *src, tls->cipher_suite->aead->key_size); |
5322 | 0 | *src += tls->cipher_suite->aead->key_size; |
5323 | 0 | memcpy(tp->secret + PTLS_MAX_SECRET_SIZE, *src, tls->cipher_suite->aead->tls12.fixed_iv_size); |
5324 | 0 | *src += tls->cipher_suite->aead->tls12.fixed_iv_size; |
5325 | 0 | if (ptls_decode64(&tp->seq, src, end) != 0) |
5326 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5327 | 0 | if (is_enc && tls->cipher_suite->aead->tls12.record_iv_size != 0) { |
5328 | 0 | if (ptls_decode64(&tp->tls12_enc_record_iv, src, end) != 0) |
5329 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5330 | 0 | } |
5331 | 0 | tp->tls12 = 1; |
5332 | | |
5333 | | /* instantiate aead */ |
5334 | 0 | if ((tp->aead = ptls_aead_new_direct(tls->cipher_suite->aead, is_enc, tp->secret, tp->secret + PTLS_MAX_SECRET_SIZE)) == NULL) |
5335 | 0 | return PTLS_ERROR_NO_MEMORY; |
5336 | | |
5337 | 0 | return 0; |
5338 | 0 | } |
5339 | | |
5340 | | static int import_tls13_traffic_protection(ptls_t *tls, int is_enc, const uint8_t **src, const uint8_t *const end) |
5341 | 0 | { |
5342 | 0 | struct st_ptls_traffic_protection_t *tp = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
5343 | | |
5344 | | /* set properties */ |
5345 | 0 | memcpy(tp->secret, *src, tls->cipher_suite->hash->digest_size); |
5346 | 0 | *src += tls->cipher_suite->hash->digest_size; |
5347 | 0 | if (ptls_decode64(&tp->seq, src, end) != 0) |
5348 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5349 | | |
5350 | 0 | if (setup_traffic_protection(tls, is_enc, NULL, 3, tp->seq, 0) != 0) |
5351 | 0 | return PTLS_ERROR_INCOMPATIBLE_KEY; |
5352 | | |
5353 | 0 | return 0; |
5354 | 0 | } |
5355 | | |
5356 | | int ptls_import(ptls_context_t *ctx, ptls_t **tls, ptls_iovec_t params) |
5357 | 0 | { |
5358 | 0 | const uint8_t *src = params.base, *const end = src + params.len; |
5359 | 0 | uint16_t protocol_version, csid; |
5360 | 0 | int ret; |
5361 | |
|
5362 | 0 | *tls = NULL; |
5363 | | |
5364 | | /* TODO handle flags like psk_handshake, ech_handshake as we add support for TLS/1.3 import */ |
5365 | 0 | ptls_decode_block(src, end, 2, { |
5366 | | /* instantiate, based on the is_server flag */ |
5367 | 0 | if (end - src < 2) { |
5368 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
5369 | 0 | goto Exit; |
5370 | 0 | } |
5371 | 0 | if ((*tls = new_instance(ctx, *src++)) == NULL) { |
5372 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
5373 | 0 | goto Exit; |
5374 | 0 | } |
5375 | 0 | (*tls)->is_psk_handshake = *src++; |
5376 | | /* determine protocol version and cipher suite */ |
5377 | 0 | if ((ret = ptls_decode16(&protocol_version, &src, end)) != 0) |
5378 | 0 | goto Exit; |
5379 | 0 | if ((ret = ptls_decode16(&csid, &src, end)) != 0) |
5380 | 0 | goto Exit; |
5381 | | /* other version-independent stuff */ |
5382 | 0 | if (end - src < PTLS_HELLO_RANDOM_SIZE) { |
5383 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
5384 | 0 | goto Exit; |
5385 | 0 | } |
5386 | 0 | memcpy((*tls)->client_random, src, PTLS_HELLO_RANDOM_SIZE); |
5387 | 0 | src += PTLS_HELLO_RANDOM_SIZE; |
5388 | 0 | ptls_decode_open_block(src, end, 2, { |
5389 | 0 | if (src != end) { |
5390 | 0 | if ((ret = ptls_set_server_name(*tls, (const char *)src, end - src)) != 0) |
5391 | 0 | goto Exit; |
5392 | 0 | src = end; |
5393 | 0 | } |
5394 | 0 | }); |
5395 | 0 | ptls_decode_open_block(src, end, 2, { |
5396 | 0 | if (src != end) { |
5397 | 0 | if ((ret = ptls_set_negotiated_protocol(*tls, (const char *)src, end - src)) != 0) |
5398 | 0 | goto Exit; |
5399 | 0 | src = end; |
5400 | 0 | } |
5401 | 0 | }); |
5402 | | /* version-dependent stuff */ |
5403 | 0 | ptls_decode_open_block(src, end, 2, { |
5404 | 0 | switch (protocol_version) { |
5405 | 0 | case PTLS_PROTOCOL_VERSION_TLS12: |
5406 | 0 | (*tls)->cipher_suite = ptls_find_cipher_suite(ctx->tls12_cipher_suites, csid); |
5407 | 0 | if ((*tls)->cipher_suite == NULL) { |
5408 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
5409 | 0 | goto Exit; |
5410 | 0 | } |
5411 | | /* setup AEAD keys */ |
5412 | 0 | if ((ret = import_tls12_traffic_protection(*tls, 1, &src, end)) != 0) |
5413 | 0 | goto Exit; |
5414 | 0 | if ((ret = import_tls12_traffic_protection(*tls, 0, &src, end)) != 0) |
5415 | 0 | goto Exit; |
5416 | 0 | break; |
5417 | 0 | case PTLS_PROTOCOL_VERSION_TLS13: |
5418 | 0 | (*tls)->cipher_suite = ptls_find_cipher_suite(ctx->cipher_suites, csid); |
5419 | 0 | if ((*tls)->cipher_suite == NULL) { |
5420 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
5421 | 0 | goto Exit; |
5422 | 0 | } |
5423 | | /* setup AEAD keys */ |
5424 | 0 | if (((*tls)->key_schedule = key_schedule_new((*tls)->cipher_suite, NULL, (*tls)->ech.aead != NULL)) == NULL) { |
5425 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
5426 | 0 | goto Exit; |
5427 | 0 | } |
5428 | 0 | if ((ret = import_tls13_traffic_protection(*tls, 1, &src, end)) != 0) |
5429 | 0 | goto Exit; |
5430 | 0 | if ((ret = import_tls13_traffic_protection(*tls, 0, &src, end)) != 0) |
5431 | 0 | goto Exit; |
5432 | 0 | break; |
5433 | 0 | default: |
5434 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
5435 | 0 | goto Exit; |
5436 | 0 | } |
5437 | 0 | }); |
5438 | | /* extensions */ |
5439 | 0 | ptls_decode_open_block(src, end, 2, { |
5440 | 0 | src = end; /* unused */ |
5441 | 0 | }); |
5442 | 0 | }); |
5443 | | |
5444 | 0 | (*tls)->state = ptls_is_server(*tls) ? PTLS_STATE_SERVER_POST_HANDSHAKE : PTLS_STATE_CLIENT_POST_HANDSHAKE; |
5445 | |
|
5446 | 0 | Exit: |
5447 | 0 | if (ret != 0) { |
5448 | 0 | if (*tls != NULL) { |
5449 | 0 | ptls_free(*tls); |
5450 | 0 | *tls = NULL; |
5451 | 0 | } |
5452 | 0 | } |
5453 | 0 | return ret; |
5454 | 0 | } |
5455 | | |
5456 | | void ptls_free(ptls_t *tls) |
5457 | 2.09k | { |
5458 | 2.09k | PTLS_PROBE0(FREE, tls); |
5459 | 2.09k | PTLS_LOG_CONN(free, tls, {}); |
5460 | | |
5461 | 0 | ptls_buffer_dispose(&tls->recvbuf.rec); |
5462 | 2.09k | ptls_buffer_dispose(&tls->recvbuf.mess); |
5463 | 2.09k | free_exporter_master_secret(tls, 1); |
5464 | 2.09k | free_exporter_master_secret(tls, 0); |
5465 | 2.09k | if (tls->key_schedule != NULL) |
5466 | 2.09k | key_schedule_free(tls->key_schedule); |
5467 | 2.09k | if (tls->traffic_protection.dec.aead != NULL) |
5468 | 1.01k | ptls_aead_free(tls->traffic_protection.dec.aead); |
5469 | 2.09k | if (tls->traffic_protection.enc.aead != NULL) |
5470 | 1.01k | ptls_aead_free(tls->traffic_protection.enc.aead); |
5471 | 2.09k | free(tls->server_name); |
5472 | 2.09k | free(tls->negotiated_protocol); |
5473 | 2.09k | clear_ech(&tls->ech, tls->is_server); |
5474 | 2.09k | if (tls->is_server) { |
5475 | 0 | if (tls->server.async_job != NULL) |
5476 | 0 | tls->server.async_job->destroy_(tls->server.async_job); |
5477 | 2.09k | } else { |
5478 | 2.09k | if (tls->client.key_share_ctx != NULL) |
5479 | 1.05k | tls->client.key_share_ctx->on_exchange(&tls->client.key_share_ctx, 1, NULL, ptls_iovec_init(NULL, 0)); |
5480 | 2.09k | if (tls->client.certificate_request.context.base != NULL) |
5481 | 253 | free(tls->client.certificate_request.context.base); |
5482 | 2.09k | } |
5483 | 2.09k | if (tls->certificate_verify.cb != NULL) |
5484 | 0 | tls->certificate_verify.cb(tls->certificate_verify.verify_ctx, 0, ptls_iovec_init(NULL, 0), ptls_iovec_init(NULL, 0)); |
5485 | 2.09k | if (tls->pending_handshake_secret != NULL) { |
5486 | 0 | ptls_clear_memory(tls->pending_handshake_secret, PTLS_MAX_DIGEST_SIZE); |
5487 | 0 | free(tls->pending_handshake_secret); |
5488 | 0 | } |
5489 | 2.09k | update_open_count(tls->ctx, -1); |
5490 | 2.09k | ptls_clear_memory(tls, sizeof(*tls)); |
5491 | 2.09k | free(tls); |
5492 | 2.09k | } |
5493 | | |
5494 | | ptls_context_t *ptls_get_context(ptls_t *tls) |
5495 | 0 | { |
5496 | 0 | return tls->ctx; |
5497 | 0 | } |
5498 | | |
5499 | | void ptls_set_context(ptls_t *tls, ptls_context_t *ctx) |
5500 | 0 | { |
5501 | 0 | update_open_count(ctx, 1); |
5502 | 0 | update_open_count(tls->ctx, -1); |
5503 | 0 | tls->ctx = ctx; |
5504 | 0 | } |
5505 | | |
5506 | | ptls_async_job_t *ptls_get_async_job(ptls_t *tls) |
5507 | 0 | { |
5508 | 0 | return tls->server.async_job; |
5509 | 0 | } |
5510 | | |
5511 | | ptls_iovec_t ptls_get_client_random(ptls_t *tls) |
5512 | 0 | { |
5513 | 0 | return ptls_iovec_init(tls->client_random, PTLS_HELLO_RANDOM_SIZE); |
5514 | 0 | } |
5515 | | |
5516 | | ptls_cipher_suite_t *ptls_get_cipher(ptls_t *tls) |
5517 | 0 | { |
5518 | 0 | return tls->cipher_suite; |
5519 | 0 | } |
5520 | | |
5521 | | uint16_t ptls_get_protocol_version(ptls_t *tls) |
5522 | 0 | { |
5523 | 0 | if (tls->traffic_protection.enc.tls12) |
5524 | 0 | return PTLS_PROTOCOL_VERSION_TLS12; |
5525 | | |
5526 | 0 | return PTLS_PROTOCOL_VERSION_TLS13; |
5527 | 0 | } |
5528 | | |
5529 | | int ptls_get_traffic_keys(ptls_t *tls, int is_enc, uint8_t *key, uint8_t *iv, uint64_t *seq) |
5530 | 0 | { |
5531 | 0 | struct st_ptls_traffic_protection_t *ctx = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
5532 | 0 | int ret; |
5533 | |
|
5534 | 0 | if ((ret = get_traffic_keys(tls->cipher_suite->aead, tls->cipher_suite->hash, key, iv, ctx->secret, ptls_iovec_init(NULL, 0), |
5535 | 0 | NULL)) != 0) |
5536 | 0 | return ret; |
5537 | 0 | *seq = ctx->seq; |
5538 | 0 | return 0; |
5539 | 0 | } |
5540 | | |
5541 | | const char *ptls_get_server_name(ptls_t *tls) |
5542 | 0 | { |
5543 | 0 | return tls->server_name; |
5544 | 0 | } |
5545 | | |
5546 | | int ptls_set_server_name(ptls_t *tls, const char *server_name, size_t server_name_len) |
5547 | 0 | { |
5548 | 0 | char *duped = NULL; |
5549 | |
|
5550 | 0 | if (server_name != NULL && |
5551 | 0 | (duped = duplicate_as_str(server_name, server_name_len != 0 ? server_name_len : strlen(server_name))) == NULL) |
5552 | 0 | return PTLS_ERROR_NO_MEMORY; |
5553 | | |
5554 | 0 | free(tls->server_name); |
5555 | 0 | tls->server_name = duped; |
5556 | |
|
5557 | 0 | return 0; |
5558 | 0 | } |
5559 | | |
5560 | | const char *ptls_get_negotiated_protocol(ptls_t *tls) |
5561 | 0 | { |
5562 | 0 | return tls->negotiated_protocol; |
5563 | 0 | } |
5564 | | |
5565 | | int ptls_set_negotiated_protocol(ptls_t *tls, const char *protocol, size_t protocol_len) |
5566 | 20 | { |
5567 | 20 | char *duped = NULL; |
5568 | | |
5569 | 20 | if (protocol != NULL && (duped = duplicate_as_str(protocol, protocol_len != 0 ? protocol_len : strlen(protocol))) == NULL) |
5570 | 0 | return PTLS_ERROR_NO_MEMORY; |
5571 | | |
5572 | 20 | free(tls->negotiated_protocol); |
5573 | 20 | tls->negotiated_protocol = duped; |
5574 | | |
5575 | 20 | return 0; |
5576 | 20 | } |
5577 | | |
5578 | | int ptls_handshake_is_complete(ptls_t *tls) |
5579 | 0 | { |
5580 | 0 | return tls->state >= PTLS_STATE_POST_HANDSHAKE_MIN; |
5581 | 0 | } |
5582 | | |
5583 | | int ptls_is_psk_handshake(ptls_t *tls) |
5584 | 0 | { |
5585 | 0 | return tls->is_psk_handshake; |
5586 | 0 | } |
5587 | | |
5588 | | int ptls_is_ech_handshake(ptls_t *tls, uint8_t *config_id, ptls_hpke_kem_t **kem, ptls_hpke_cipher_suite_t **cipher) |
5589 | 0 | { |
5590 | 0 | if (tls->ech.accepted) { |
5591 | 0 | if (config_id != NULL) |
5592 | 0 | *config_id = tls->ech.config_id; |
5593 | 0 | if (kem != NULL) |
5594 | 0 | *kem = tls->ech.kem; |
5595 | 0 | if (cipher != NULL) |
5596 | 0 | *cipher = tls->ech.cipher; |
5597 | 0 | return 1; |
5598 | 0 | } |
5599 | 0 | return 0; |
5600 | 0 | } |
5601 | | |
5602 | | void **ptls_get_data_ptr(ptls_t *tls) |
5603 | 0 | { |
5604 | 0 | return &tls->data_ptr; |
5605 | 0 | } |
5606 | | |
5607 | | ptls_log_conn_state_t *ptls_get_log_state(ptls_t *tls) |
5608 | 0 | { |
5609 | 0 | #if PTLS_HAVE_LOG |
5610 | 0 | return &tls->log_state; |
5611 | | #else |
5612 | | return &ptls_log.dummy_conn_state; |
5613 | | #endif |
5614 | 0 | } |
5615 | | |
5616 | | static int handle_client_handshake_message(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, int is_end_of_record, |
5617 | | ptls_handshake_properties_t *properties) |
5618 | 43.9k | { |
5619 | 43.9k | uint8_t type = message.base[0]; |
5620 | 43.9k | int ret; |
5621 | | |
5622 | 43.9k | switch (tls->state) { |
5623 | 1.83k | case PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO: |
5624 | 42.3k | case PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO: |
5625 | 42.3k | if (type == PTLS_HANDSHAKE_TYPE_SERVER_HELLO && is_end_of_record) { |
5626 | 42.2k | ret = client_handle_hello(tls, emitter, message, properties); |
5627 | 42.2k | } else { |
5628 | 42 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5629 | 42 | } |
5630 | 42.3k | break; |
5631 | 952 | case PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS: |
5632 | 952 | if (type == PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS) { |
5633 | 938 | ret = client_handle_encrypted_extensions(tls, message, properties); |
5634 | 938 | } else { |
5635 | 14 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5636 | 14 | } |
5637 | 952 | break; |
5638 | 618 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE: |
5639 | 618 | if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { |
5640 | 256 | ret = client_handle_certificate_request(tls, message, properties); |
5641 | 256 | break; |
5642 | 256 | } |
5643 | | /* fall through */ |
5644 | 365 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE: |
5645 | 365 | switch (type) { |
5646 | 361 | case PTLS_HANDSHAKE_TYPE_CERTIFICATE: |
5647 | 361 | ret = client_handle_certificate(tls, message); |
5648 | 361 | break; |
5649 | 2 | case PTLS_HANDSHAKE_TYPE_COMPRESSED_CERTIFICATE: |
5650 | 2 | ret = client_handle_compressed_certificate(tls, message); |
5651 | 2 | break; |
5652 | 2 | default: |
5653 | 2 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5654 | 2 | break; |
5655 | 365 | } |
5656 | 365 | break; |
5657 | 365 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY: |
5658 | 73 | if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { |
5659 | 63 | ret = client_handle_certificate_verify(tls, message); |
5660 | 63 | } else { |
5661 | 10 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5662 | 10 | } |
5663 | 73 | break; |
5664 | 26 | case PTLS_STATE_CLIENT_EXPECT_FINISHED: |
5665 | 26 | if (type == PTLS_HANDSHAKE_TYPE_FINISHED && is_end_of_record) { |
5666 | 17 | ret = client_handle_finished(tls, emitter, message); |
5667 | 17 | } else { |
5668 | 9 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5669 | 9 | } |
5670 | 26 | break; |
5671 | 0 | case PTLS_STATE_CLIENT_POST_HANDSHAKE: |
5672 | 0 | switch (type) { |
5673 | 0 | case PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET: |
5674 | 0 | ret = client_handle_new_session_ticket(tls, message); |
5675 | 0 | break; |
5676 | 0 | case PTLS_HANDSHAKE_TYPE_KEY_UPDATE: |
5677 | 0 | ret = handle_key_update(tls, emitter, message); |
5678 | 0 | break; |
5679 | 0 | default: |
5680 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5681 | 0 | break; |
5682 | 0 | } |
5683 | 0 | break; |
5684 | 0 | default: |
5685 | 0 | assert(!"unexpected state"); |
5686 | 0 | ret = PTLS_ALERT_INTERNAL_ERROR; |
5687 | 0 | break; |
5688 | 43.9k | } |
5689 | | |
5690 | 43.9k | PTLS_PROBE(RECEIVE_MESSAGE, tls, message.base[0], message.base + PTLS_HANDSHAKE_HEADER_SIZE, |
5691 | 43.9k | message.len - PTLS_HANDSHAKE_HEADER_SIZE, ret); |
5692 | 43.9k | PTLS_LOG_CONN(receive_message, tls, { |
5693 | 43.9k | PTLS_LOG_ELEMENT_UNSIGNED(message, message.base[0]); |
5694 | 43.9k | PTLS_LOG_ELEMENT_UNSIGNED(len, message.len - PTLS_HANDSHAKE_HEADER_SIZE); |
5695 | 43.9k | PTLS_LOG_ELEMENT_SIGNED(result, ret); |
5696 | 43.9k | }); |
5697 | | |
5698 | 0 | return ret; |
5699 | 43.9k | } |
5700 | | |
5701 | | static int handle_server_handshake_message(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, int is_end_of_record, |
5702 | | ptls_handshake_properties_t *properties) |
5703 | 0 | { |
5704 | 0 | uint8_t type = message.base[0]; |
5705 | 0 | int ret; |
5706 | |
|
5707 | 0 | switch (tls->state) { |
5708 | 0 | case PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO: |
5709 | 0 | case PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO: |
5710 | 0 | if (type == PTLS_HANDSHAKE_TYPE_CLIENT_HELLO && is_end_of_record) { |
5711 | 0 | ret = server_handle_hello(tls, emitter, message, properties); |
5712 | 0 | } else { |
5713 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
5714 | 0 | } |
5715 | 0 | break; |
5716 | 0 | case PTLS_STATE_SERVER_EXPECT_CERTIFICATE: |
5717 | 0 | if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE) { |
5718 | 0 | ret = server_handle_certificate(tls, message); |
5719 | 0 | } else { |
5720 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5721 | 0 | } |
5722 | 0 | break; |
5723 | 0 | case PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY: |
5724 | 0 | if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { |
5725 | 0 | ret = server_handle_certificate_verify(tls, message); |
5726 | 0 | } else { |
5727 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5728 | 0 | } |
5729 | 0 | break; |
5730 | 0 | case PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA: |
5731 | 0 | assert(!tls->ctx->omit_end_of_early_data); |
5732 | 0 | if (type == PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA) { |
5733 | 0 | ret = server_handle_end_of_early_data(tls, message); |
5734 | 0 | } else { |
5735 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5736 | 0 | } |
5737 | 0 | break; |
5738 | 0 | case PTLS_STATE_SERVER_EXPECT_FINISHED: |
5739 | 0 | if (type == PTLS_HANDSHAKE_TYPE_FINISHED && is_end_of_record) { |
5740 | 0 | ret = server_handle_finished(tls, message); |
5741 | 0 | } else { |
5742 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
5743 | 0 | } |
5744 | 0 | break; |
5745 | 0 | case PTLS_STATE_SERVER_POST_HANDSHAKE: |
5746 | 0 | switch (type) { |
5747 | 0 | case PTLS_HANDSHAKE_TYPE_KEY_UPDATE: |
5748 | 0 | ret = handle_key_update(tls, emitter, message); |
5749 | 0 | break; |
5750 | 0 | default: |
5751 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5752 | 0 | break; |
5753 | 0 | } |
5754 | 0 | break; |
5755 | 0 | default: |
5756 | 0 | assert(!"unexpected state"); |
5757 | 0 | ret = PTLS_ALERT_INTERNAL_ERROR; |
5758 | 0 | break; |
5759 | 0 | } |
5760 | | |
5761 | 0 | PTLS_PROBE(RECEIVE_MESSAGE, tls, message.base[0], message.base + PTLS_HANDSHAKE_HEADER_SIZE, |
5762 | 0 | message.len - PTLS_HANDSHAKE_HEADER_SIZE, ret); |
5763 | 0 | PTLS_LOG_CONN(receive_message, tls, { |
5764 | 0 | PTLS_LOG_ELEMENT_UNSIGNED(message, message.base[0]); |
5765 | 0 | PTLS_LOG_ELEMENT_UNSIGNED(len, message.len - PTLS_HANDSHAKE_HEADER_SIZE); |
5766 | 0 | PTLS_LOG_ELEMENT_SIGNED(result, ret); |
5767 | 0 | }); |
5768 | | |
5769 | 0 | return ret; |
5770 | 0 | } |
5771 | | |
5772 | | static int handle_alert(ptls_t *tls, const uint8_t *src, size_t len) |
5773 | 32 | { |
5774 | 32 | if (len != 2) |
5775 | 17 | return PTLS_ALERT_DECODE_ERROR; |
5776 | | |
5777 | 15 | uint8_t desc = src[1]; |
5778 | | |
5779 | | /* all fatal alerts and USER_CANCELLED warning tears down the connection immediately, regardless of the transmitted level */ |
5780 | 15 | return PTLS_ALERT_TO_PEER_ERROR(desc); |
5781 | 32 | } |
5782 | | |
5783 | | static int message_buffer_is_overflow(ptls_context_t *ctx, size_t size) |
5784 | 53.3k | { |
5785 | 53.3k | if (ctx->max_buffer_size == 0) |
5786 | 53.3k | return 0; |
5787 | 0 | if (size <= ctx->max_buffer_size) |
5788 | 0 | return 0; |
5789 | 0 | return 1; |
5790 | 0 | } |
5791 | | |
5792 | | static int handle_handshake_record(ptls_t *tls, |
5793 | | int (*cb)(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, |
5794 | | int is_end_of_record, ptls_handshake_properties_t *properties), |
5795 | | ptls_message_emitter_t *emitter, struct st_ptls_record_t *rec, |
5796 | | ptls_handshake_properties_t *properties) |
5797 | 71.6k | { |
5798 | 71.6k | int ret; |
5799 | | |
5800 | | /* handshake */ |
5801 | 71.6k | if (rec->type != PTLS_CONTENT_TYPE_HANDSHAKE) |
5802 | 5 | return PTLS_ALERT_DECODE_ERROR; |
5803 | | |
5804 | | /* flatten the unhandled messages */ |
5805 | 71.6k | const uint8_t *src, *src_end; |
5806 | 71.6k | if (tls->recvbuf.mess.base == NULL) { |
5807 | 45.0k | src = rec->fragment; |
5808 | 45.0k | src_end = src + rec->length; |
5809 | 45.0k | } else { |
5810 | 26.6k | if (message_buffer_is_overflow(tls->ctx, tls->recvbuf.mess.off + rec->length)) |
5811 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5812 | 26.6k | if ((ret = ptls_buffer_reserve(&tls->recvbuf.mess, rec->length)) != 0) |
5813 | 0 | return ret; |
5814 | 26.6k | memcpy(tls->recvbuf.mess.base + tls->recvbuf.mess.off, rec->fragment, rec->length); |
5815 | 26.6k | tls->recvbuf.mess.off += rec->length; |
5816 | 26.6k | src = tls->recvbuf.mess.base; |
5817 | 26.6k | src_end = src + tls->recvbuf.mess.off; |
5818 | 26.6k | } |
5819 | | |
5820 | | /* handle the messages */ |
5821 | 71.6k | ret = PTLS_ERROR_IN_PROGRESS; |
5822 | 114k | while (src_end - src >= 4) { |
5823 | 70.3k | size_t mess_len = 4 + ntoh24(src + 1); |
5824 | 70.3k | if (src_end - src < (int)mess_len) |
5825 | 26.4k | break; |
5826 | 43.9k | ret = cb(tls, emitter, ptls_iovec_init(src, mess_len), src_end - src == mess_len, properties); |
5827 | 43.9k | switch (ret) { |
5828 | 0 | case 0: |
5829 | 0 | case PTLS_ERROR_ASYNC_OPERATION: |
5830 | 42.3k | case PTLS_ERROR_IN_PROGRESS: |
5831 | 42.3k | break; |
5832 | 1.61k | default: |
5833 | 1.61k | ptls_buffer_dispose(&tls->recvbuf.mess); |
5834 | 1.61k | return ret; |
5835 | 43.9k | } |
5836 | 42.3k | src += mess_len; |
5837 | 42.3k | } |
5838 | | |
5839 | | /* keep last partial message in buffer */ |
5840 | 70.0k | if (src != src_end) { |
5841 | 26.7k | size_t new_size = src_end - src; |
5842 | 26.7k | if (message_buffer_is_overflow(tls->ctx, new_size)) |
5843 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5844 | 26.7k | if (tls->recvbuf.mess.base == NULL) { |
5845 | 1.19k | ptls_buffer_init(&tls->recvbuf.mess, "", 0); |
5846 | 1.19k | if ((ret = ptls_buffer_reserve(&tls->recvbuf.mess, new_size)) != 0) |
5847 | 0 | return ret; |
5848 | 1.19k | memcpy(tls->recvbuf.mess.base, src, new_size); |
5849 | 25.5k | } else { |
5850 | 25.5k | memmove(tls->recvbuf.mess.base, src, new_size); |
5851 | 25.5k | } |
5852 | 26.7k | tls->recvbuf.mess.off = new_size; |
5853 | 26.7k | ret = PTLS_ERROR_IN_PROGRESS; |
5854 | 43.3k | } else { |
5855 | 43.3k | ptls_buffer_dispose(&tls->recvbuf.mess); |
5856 | 43.3k | } |
5857 | | |
5858 | 70.0k | return ret; |
5859 | 70.0k | } |
5860 | | |
5861 | | static int handle_input(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_buffer_t *decryptbuf, const void *input, size_t *inlen, |
5862 | | ptls_handshake_properties_t *properties) |
5863 | 72.1k | { |
5864 | 72.1k | struct st_ptls_record_t rec; |
5865 | 72.1k | int ret; |
5866 | | |
5867 | | /* extract the record */ |
5868 | 72.1k | if ((ret = parse_record(tls, &rec, input, inlen)) != 0) |
5869 | 189 | return ret; |
5870 | 71.9k | assert(rec.fragment != NULL); |
5871 | | |
5872 | | /* decrypt the record */ |
5873 | 71.9k | if (rec.type == PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { |
5874 | 218 | if (tls->state < PTLS_STATE_POST_HANDSHAKE_MIN) { |
5875 | 218 | if (!(rec.length == 1 && rec.fragment[0] == 0x01)) |
5876 | 24 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
5877 | 218 | } else { |
5878 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5879 | 0 | } |
5880 | 194 | ret = PTLS_ERROR_IN_PROGRESS; |
5881 | 194 | goto NextRecord; |
5882 | 218 | } |
5883 | 71.7k | if (tls->traffic_protection.dec.aead != NULL && rec.type != PTLS_CONTENT_TYPE_ALERT) { |
5884 | 1.14k | size_t decrypted_length; |
5885 | 1.14k | if (rec.type != PTLS_CONTENT_TYPE_APPDATA) |
5886 | 1 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5887 | 1.14k | if ((ret = ptls_buffer_reserve(decryptbuf, 5 + rec.length)) != 0) |
5888 | 0 | return ret; |
5889 | 1.14k | if ((ret = aead_decrypt(&tls->traffic_protection.dec, decryptbuf->base + decryptbuf->off, &decrypted_length, rec.fragment, |
5890 | 1.14k | rec.length)) != 0) { |
5891 | 5 | if (tls->is_server && tls->server.early_data_skipped_bytes != UINT32_MAX) |
5892 | 0 | goto ServerSkipEarlyData; |
5893 | 5 | return ret; |
5894 | 5 | } |
5895 | 1.13k | rec.length = decrypted_length; |
5896 | 1.13k | rec.fragment = decryptbuf->base + decryptbuf->off; |
5897 | | /* skip padding */ |
5898 | 1.91k | for (; rec.length != 0; --rec.length) |
5899 | 1.90k | if (rec.fragment[rec.length - 1] != 0) |
5900 | 1.12k | break; |
5901 | 1.13k | if (rec.length == 0) |
5902 | 13 | return PTLS_ALERT_UNEXPECTED_MESSAGE; |
5903 | 1.12k | rec.type = rec.fragment[--rec.length]; |
5904 | 70.6k | } else if (rec.type == PTLS_CONTENT_TYPE_APPDATA && tls->is_server && tls->server.early_data_skipped_bytes != UINT32_MAX) { |
5905 | 0 | goto ServerSkipEarlyData; |
5906 | 0 | } |
5907 | | |
5908 | 71.7k | if (tls->recvbuf.mess.base != NULL || rec.type == PTLS_CONTENT_TYPE_HANDSHAKE) { |
5909 | | /* handshake record */ |
5910 | 71.6k | ret = handle_handshake_record(tls, tls->is_server ? handle_server_handshake_message : handle_client_handshake_message, |
5911 | 71.6k | emitter, &rec, properties); |
5912 | 71.6k | } else { |
5913 | | /* handling of an alert or an application record */ |
5914 | 52 | switch (rec.type) { |
5915 | 6 | case PTLS_CONTENT_TYPE_APPDATA: |
5916 | 6 | if (tls->state >= PTLS_STATE_POST_HANDSHAKE_MIN) { |
5917 | 0 | decryptbuf->off += rec.length; |
5918 | 0 | ret = 0; |
5919 | 6 | } else if (tls->state == PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA) { |
5920 | 0 | if (tls->traffic_protection.dec.aead != NULL) |
5921 | 0 | decryptbuf->off += rec.length; |
5922 | 0 | ret = 0; |
5923 | 6 | } else { |
5924 | 6 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5925 | 6 | } |
5926 | 6 | break; |
5927 | 32 | case PTLS_CONTENT_TYPE_ALERT: |
5928 | 32 | ret = handle_alert(tls, rec.fragment, rec.length); |
5929 | 32 | break; |
5930 | 14 | default: |
5931 | 14 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5932 | 14 | break; |
5933 | 52 | } |
5934 | 52 | } |
5935 | | |
5936 | 71.9k | NextRecord: |
5937 | 71.9k | ptls_buffer_dispose(&tls->recvbuf.rec); |
5938 | 71.9k | return ret; |
5939 | | |
5940 | 0 | ServerSkipEarlyData: |
5941 | 0 | tls->server.early_data_skipped_bytes += (uint32_t)rec.length; |
5942 | 0 | if (tls->server.early_data_skipped_bytes > PTLS_MAX_EARLY_DATA_SKIP_SIZE) |
5943 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5944 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
5945 | 0 | goto NextRecord; |
5946 | 0 | } |
5947 | | |
5948 | | static int handle_input_tls12(ptls_t *tls, ptls_buffer_t *decryptbuf, const void *input, size_t *inlen) |
5949 | 0 | { |
5950 | 0 | struct st_ptls_record_t rec; |
5951 | 0 | int ret; |
5952 | | |
5953 | | /* extract the record, or bail out */ |
5954 | 0 | if ((ret = parse_record(tls, &rec, input, inlen)) != 0) |
5955 | 0 | return ret; |
5956 | 0 | assert(rec.fragment != NULL); |
5957 | | |
5958 | 0 | const uint8_t *src = rec.fragment, *end = src + rec.length; |
5959 | 0 | uint64_t nonce; |
5960 | 0 | uint8_t aad[PTLS_TLS12_AAD_SIZE]; |
5961 | | |
5962 | | /* determine the nonce */ |
5963 | 0 | if (tls->traffic_protection.dec.aead->algo->tls12.record_iv_size != 0) { |
5964 | 0 | assert(tls->traffic_protection.dec.aead->algo->tls12.record_iv_size == 8); |
5965 | 0 | if ((ret = ptls_decode64(&nonce, &src, end)) != 0) |
5966 | 0 | goto Exit; |
5967 | 0 | } else { |
5968 | 0 | nonce = tls->traffic_protection.dec.seq; |
5969 | 0 | } |
5970 | | |
5971 | | /* determine cleartext length */ |
5972 | 0 | size_t textlen = end - src; |
5973 | 0 | if (textlen < tls->traffic_protection.dec.aead->algo->tag_size) { |
5974 | 0 | ret = PTLS_ALERT_BAD_RECORD_MAC; |
5975 | 0 | goto Exit; |
5976 | 0 | } |
5977 | 0 | textlen -= tls->traffic_protection.dec.aead->algo->tag_size; |
5978 | | |
5979 | | /* build aad */ |
5980 | 0 | build_tls12_aad(aad, rec.type, tls->traffic_protection.dec.seq, (uint16_t)textlen); |
5981 | | |
5982 | | /* decrypt input to decryptbuf */ |
5983 | 0 | if ((ret = ptls_buffer_reserve(decryptbuf, textlen)) != 0) |
5984 | 0 | goto Exit; |
5985 | 0 | if (ptls_aead_decrypt(tls->traffic_protection.dec.aead, decryptbuf->base + decryptbuf->off, src, end - src, nonce, aad, |
5986 | 0 | sizeof(aad)) != textlen) { |
5987 | 0 | ret = PTLS_ALERT_BAD_RECORD_MAC; |
5988 | 0 | goto Exit; |
5989 | 0 | } |
5990 | 0 | ++tls->traffic_protection.dec.seq; |
5991 | | |
5992 | | /* record-type specific action */ |
5993 | 0 | switch (rec.type) { |
5994 | 0 | case PTLS_CONTENT_TYPE_APPDATA: |
5995 | | /* if application data, retain the bytes being decrypted */ |
5996 | 0 | decryptbuf->off += textlen; |
5997 | 0 | break; |
5998 | 0 | case PTLS_CONTENT_TYPE_ALERT: |
5999 | | /* submit alert without adjusting decryptbuf, so that the decrypted data would be dropped after handling the alert */ |
6000 | 0 | ret = handle_alert(tls, decryptbuf->base + decryptbuf->off, textlen); |
6001 | 0 | break; |
6002 | 0 | default: |
6003 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
6004 | 0 | break; |
6005 | 0 | } |
6006 | | |
6007 | 0 | Exit: |
6008 | 0 | ptls_buffer_dispose(&tls->recvbuf.rec); |
6009 | 0 | ptls_clear_memory(aad, sizeof(aad)); |
6010 | 0 | return 0; |
6011 | 0 | } |
6012 | | |
6013 | | static void init_record_message_emitter(ptls_t *tls, struct st_ptls_record_message_emitter_t *emitter, ptls_buffer_t *sendbuf) |
6014 | 4.18k | { |
6015 | 4.18k | *emitter = (struct st_ptls_record_message_emitter_t){ |
6016 | 4.18k | {sendbuf, &tls->traffic_protection.enc, 5, begin_record_message, commit_record_message}}; |
6017 | 4.18k | } |
6018 | | |
6019 | | int ptls_handshake(ptls_t *tls, ptls_buffer_t *_sendbuf, const void *input, size_t *inlen, ptls_handshake_properties_t *properties) |
6020 | 4.18k | { |
6021 | 4.18k | struct st_ptls_record_message_emitter_t emitter; |
6022 | 4.18k | int ret; |
6023 | | |
6024 | 4.18k | assert(tls->state < PTLS_STATE_POST_HANDSHAKE_MIN); |
6025 | | |
6026 | 4.18k | init_record_message_emitter(tls, &emitter, _sendbuf); |
6027 | 4.18k | size_t sendbuf_orig_off = emitter.super.buf->off; |
6028 | | |
6029 | | /* special handlings */ |
6030 | 4.18k | switch (tls->state) { |
6031 | 2.09k | case PTLS_STATE_CLIENT_HANDSHAKE_START: { |
6032 | 2.09k | assert(input == NULL || *inlen == 0); |
6033 | 2.09k | return send_client_hello(tls, &emitter.super, properties, NULL); |
6034 | 2.09k | } |
6035 | 0 | case PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY: |
6036 | 0 | return server_finish_handshake(tls, &emitter.super, 1, NULL); |
6037 | 2.09k | default: |
6038 | 2.09k | break; |
6039 | 4.18k | } |
6040 | | |
6041 | 2.09k | const uint8_t *src = input, *const src_end = src + *inlen; |
6042 | 2.09k | ptls_buffer_t decryptbuf; |
6043 | | |
6044 | 2.09k | ptls_buffer_init(&decryptbuf, "", 0); |
6045 | | |
6046 | | /* perform handhake until completion or until all the input has been swallowed */ |
6047 | 2.09k | ret = PTLS_ERROR_IN_PROGRESS; |
6048 | 74.2k | while (ret == PTLS_ERROR_IN_PROGRESS && src != src_end) { |
6049 | 72.1k | size_t consumed = src_end - src; |
6050 | 72.1k | ret = handle_input(tls, &emitter.super, &decryptbuf, src, &consumed, properties); |
6051 | 72.1k | src += consumed; |
6052 | 72.1k | assert(decryptbuf.off == 0); |
6053 | 72.1k | } |
6054 | | |
6055 | 2.09k | ptls_buffer_dispose(&decryptbuf); |
6056 | | |
6057 | 2.09k | switch (ret) { |
6058 | 0 | case 0: |
6059 | 315 | case PTLS_ERROR_IN_PROGRESS: |
6060 | 315 | case PTLS_ERROR_STATELESS_RETRY: |
6061 | 315 | case PTLS_ERROR_ASYNC_OPERATION: |
6062 | 315 | break; |
6063 | 1.77k | default: |
6064 | | /* Flush handshake messages that have been written partially. ECH_REQUIRED sticks out because it is a message sent |
6065 | | * post-handshake compared to other alerts that are generating *during* the handshake. */ |
6066 | 1.77k | if (ret != PTLS_ALERT_ECH_REQUIRED) { |
6067 | 1.77k | ptls_clear_memory(emitter.super.buf->base + sendbuf_orig_off, emitter.super.buf->off - sendbuf_orig_off); |
6068 | 1.77k | emitter.super.buf->off = sendbuf_orig_off; |
6069 | 1.77k | } |
6070 | | /* send alert immediately */ |
6071 | 1.77k | if (PTLS_ERROR_GET_CLASS(ret) != PTLS_ERROR_CLASS_PEER_ALERT) |
6072 | 1.76k | if (ptls_send_alert(tls, emitter.super.buf, PTLS_ALERT_LEVEL_FATAL, |
6073 | 1.76k | PTLS_ERROR_GET_CLASS(ret) == PTLS_ERROR_CLASS_SELF_ALERT ? ret : PTLS_ALERT_INTERNAL_ERROR) != 0) |
6074 | 0 | emitter.super.buf->off = sendbuf_orig_off; |
6075 | 1.77k | break; |
6076 | 2.09k | } |
6077 | | |
6078 | 2.09k | *inlen -= src_end - src; |
6079 | 2.09k | return ret; |
6080 | 2.09k | } |
6081 | | |
6082 | | int ptls_receive(ptls_t *tls, ptls_buffer_t *decryptbuf, const void *_input, size_t *inlen) |
6083 | 0 | { |
6084 | 0 | const uint8_t *input = (const uint8_t *)_input, *const end = input + *inlen; |
6085 | 0 | size_t decryptbuf_orig_size = decryptbuf->off; |
6086 | 0 | int ret = 0; |
6087 | |
|
6088 | 0 | assert(tls->state >= PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA); |
6089 | | |
6090 | | /* loop until we decrypt some application data (or an error) */ |
6091 | 0 | while (ret == 0 && input != end && decryptbuf_orig_size == decryptbuf->off) { |
6092 | 0 | size_t consumed = end - input; |
6093 | 0 | if (tls->traffic_protection.dec.tls12) { |
6094 | 0 | ret = handle_input_tls12(tls, decryptbuf, input, &consumed); |
6095 | 0 | } else { |
6096 | 0 | ret = handle_input(tls, NULL, decryptbuf, input, &consumed, NULL); |
6097 | 0 | } |
6098 | 0 | input += consumed; |
6099 | |
|
6100 | 0 | switch (ret) { |
6101 | 0 | case 0: |
6102 | 0 | break; |
6103 | 0 | case PTLS_ERROR_IN_PROGRESS: |
6104 | 0 | ret = 0; |
6105 | 0 | break; |
6106 | 0 | case PTLS_ERROR_CLASS_PEER_ALERT + PTLS_ALERT_CLOSE_NOTIFY: |
6107 | | /* TODO send close alert */ |
6108 | 0 | break; |
6109 | 0 | default: |
6110 | 0 | if (PTLS_ERROR_GET_CLASS(ret) == PTLS_ERROR_CLASS_SELF_ALERT) { |
6111 | | /* TODO send alert */ |
6112 | 0 | } |
6113 | 0 | break; |
6114 | 0 | } |
6115 | 0 | } |
6116 | | |
6117 | 0 | *inlen -= end - input; |
6118 | |
|
6119 | 0 | return ret; |
6120 | 0 | } |
6121 | | |
6122 | | static int update_send_key(ptls_t *tls, ptls_buffer_t *_sendbuf, int request_update) |
6123 | 0 | { |
6124 | 0 | struct st_ptls_record_message_emitter_t emitter; |
6125 | 0 | int ret; |
6126 | |
|
6127 | 0 | init_record_message_emitter(tls, &emitter, _sendbuf); |
6128 | 0 | size_t sendbuf_orig_off = emitter.super.buf->off; |
6129 | |
|
6130 | 0 | ptls_push_message(&emitter.super, NULL, PTLS_HANDSHAKE_TYPE_KEY_UPDATE, |
6131 | 0 | { ptls_buffer_push(emitter.super.buf, !!request_update); }); |
6132 | 0 | if ((ret = update_traffic_key(tls, 1)) != 0) |
6133 | 0 | goto Exit; |
6134 | 0 | ret = 0; |
6135 | |
|
6136 | 0 | Exit: |
6137 | 0 | if (ret != 0) |
6138 | 0 | emitter.super.buf->off = sendbuf_orig_off; |
6139 | 0 | return ret; |
6140 | 0 | } |
6141 | | |
6142 | | int ptls_send(ptls_t *tls, ptls_buffer_t *sendbuf, const void *input, size_t inlen) |
6143 | 0 | { |
6144 | 0 | assert(tls->traffic_protection.enc.aead != NULL); |
6145 | | |
6146 | | /* "For AES-GCM, up to 2^24.5 full-size records (about 24 million) may be encrypted on a given connection while keeping a |
6147 | | * safety margin of approximately 2^-57 for Authenticated Encryption (AE) security." (RFC 8446 section 5.5). |
6148 | | * |
6149 | | * Key updates do not happen with tls 1.2, check `key_schedule` to see if we are using tls/1.3 |
6150 | | */ |
6151 | 0 | if (tls->traffic_protection.enc.seq >= 16777216 && tls->key_schedule != NULL) |
6152 | 0 | tls->needs_key_update = 1; |
6153 | |
|
6154 | 0 | if (tls->needs_key_update) { |
6155 | 0 | int ret; |
6156 | 0 | if ((ret = update_send_key(tls, sendbuf, tls->key_update_send_request)) != 0) |
6157 | 0 | return ret; |
6158 | 0 | tls->needs_key_update = 0; |
6159 | 0 | tls->key_update_send_request = 0; |
6160 | 0 | } |
6161 | | |
6162 | 0 | return buffer_push_encrypted_records(sendbuf, PTLS_CONTENT_TYPE_APPDATA, input, inlen, &tls->traffic_protection.enc); |
6163 | 0 | } |
6164 | | |
6165 | | int ptls_update_key(ptls_t *tls, int request_update) |
6166 | 0 | { |
6167 | 0 | assert(tls->ctx->update_traffic_key == NULL); |
6168 | 0 | tls->needs_key_update = 1; |
6169 | 0 | tls->key_update_send_request = request_update; |
6170 | 0 | return 0; |
6171 | 0 | } |
6172 | | |
6173 | | size_t ptls_get_record_overhead(ptls_t *tls) |
6174 | 0 | { |
6175 | 0 | ptls_aead_algorithm_t *algo = tls->traffic_protection.enc.aead->algo; |
6176 | |
|
6177 | 0 | if (tls->traffic_protection.enc.tls12) { |
6178 | 0 | return 5 + algo->tls12.record_iv_size + algo->tag_size; |
6179 | 0 | } else { |
6180 | 0 | return 6 + algo->tag_size; |
6181 | 0 | } |
6182 | 0 | } |
6183 | | |
6184 | | int ptls_send_alert(ptls_t *tls, ptls_buffer_t *sendbuf, uint8_t level, uint8_t description) |
6185 | 1.76k | { |
6186 | 1.76k | size_t rec_start = sendbuf->off; |
6187 | 1.76k | int ret = 0; |
6188 | | |
6189 | 1.76k | buffer_push_record(sendbuf, PTLS_CONTENT_TYPE_ALERT, { ptls_buffer_push(sendbuf, level, description); }); |
6190 | | /* encrypt the alert if we have the encryption keys, unless when it is the early data key */ |
6191 | 1.76k | if (tls->traffic_protection.enc.aead != NULL && !(tls->state <= PTLS_STATE_CLIENT_EXPECT_FINISHED)) { |
6192 | 0 | if ((ret = buffer_encrypt_record(sendbuf, rec_start, &tls->traffic_protection.enc)) != 0) |
6193 | 0 | goto Exit; |
6194 | 0 | } |
6195 | | |
6196 | 1.76k | Exit: |
6197 | 1.76k | return ret; |
6198 | 1.76k | } |
6199 | | |
6200 | | int ptls_export_secret(ptls_t *tls, void *output, size_t outlen, const char *label, ptls_iovec_t context_value, int is_early) |
6201 | 0 | { |
6202 | 0 | ptls_hash_algorithm_t *algo = tls->key_schedule->hashes[0].algo; |
6203 | 0 | uint8_t *master_secret = is_early ? tls->exporter_master_secret.early : tls->exporter_master_secret.one_rtt, |
6204 | 0 | derived_secret[PTLS_MAX_DIGEST_SIZE], context_value_hash[PTLS_MAX_DIGEST_SIZE]; |
6205 | 0 | int ret; |
6206 | |
|
6207 | 0 | if (master_secret == NULL) { |
6208 | 0 | if (is_early) { |
6209 | 0 | switch (tls->state) { |
6210 | 0 | case PTLS_STATE_CLIENT_HANDSHAKE_START: |
6211 | 0 | case PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO: |
6212 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
6213 | 0 | break; |
6214 | 0 | default: |
6215 | 0 | ret = PTLS_ERROR_NOT_AVAILABLE; |
6216 | 0 | break; |
6217 | 0 | } |
6218 | 0 | } else { |
6219 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
6220 | 0 | } |
6221 | 0 | return ret; |
6222 | 0 | } |
6223 | | |
6224 | 0 | if ((ret = ptls_calc_hash(algo, context_value_hash, context_value.base, context_value.len)) != 0) |
6225 | 0 | return ret; |
6226 | | |
6227 | 0 | if ((ret = ptls_hkdf_expand_label(algo, derived_secret, algo->digest_size, ptls_iovec_init(master_secret, algo->digest_size), |
6228 | 0 | label, ptls_iovec_init(algo->empty_digest, algo->digest_size), NULL)) != 0) |
6229 | 0 | goto Exit; |
6230 | 0 | ret = ptls_hkdf_expand_label(algo, output, outlen, ptls_iovec_init(derived_secret, algo->digest_size), "exporter", |
6231 | 0 | ptls_iovec_init(context_value_hash, algo->digest_size), NULL); |
6232 | |
|
6233 | 0 | Exit: |
6234 | 0 | ptls_clear_memory(derived_secret, sizeof(derived_secret)); |
6235 | 0 | ptls_clear_memory(context_value_hash, sizeof(context_value_hash)); |
6236 | 0 | return ret; |
6237 | 0 | } |
6238 | | |
6239 | | struct st_picotls_hmac_context_t { |
6240 | | ptls_hash_context_t super; |
6241 | | ptls_hash_algorithm_t *algo; |
6242 | | ptls_hash_context_t *hash; |
6243 | | uint8_t key[1]; |
6244 | | }; |
6245 | | |
6246 | | static void hmac_update(ptls_hash_context_t *_ctx, const void *src, size_t len) |
6247 | 17.2k | { |
6248 | 17.2k | struct st_picotls_hmac_context_t *ctx = (struct st_picotls_hmac_context_t *)_ctx; |
6249 | 17.2k | ctx->hash->update(ctx->hash, src, len); |
6250 | 17.2k | } |
6251 | | |
6252 | | static void hmac_apply_key(struct st_picotls_hmac_context_t *ctx, uint8_t pad) |
6253 | 27.4k | { |
6254 | 27.4k | size_t i; |
6255 | | |
6256 | 1.78M | for (i = 0; i != ctx->algo->block_size; ++i) |
6257 | 1.75M | ctx->key[i] ^= pad; |
6258 | 27.4k | ctx->hash->update(ctx->hash, ctx->key, ctx->algo->block_size); |
6259 | 1.78M | for (i = 0; i != ctx->algo->block_size; ++i) |
6260 | 1.75M | ctx->key[i] ^= pad; |
6261 | 27.4k | } |
6262 | | |
6263 | | static void hmac_final(ptls_hash_context_t *_ctx, void *md, ptls_hash_final_mode_t mode) |
6264 | 17.2k | { |
6265 | 17.2k | struct st_picotls_hmac_context_t *ctx = (struct st_picotls_hmac_context_t *)_ctx; |
6266 | | |
6267 | 17.2k | assert(mode != PTLS_HASH_FINAL_MODE_SNAPSHOT || !"not supported"); |
6268 | | |
6269 | 17.2k | if (md != NULL) { |
6270 | 10.1k | ctx->hash->final(ctx->hash, md, PTLS_HASH_FINAL_MODE_RESET); |
6271 | 10.1k | hmac_apply_key(ctx, 0x5c); |
6272 | 10.1k | ctx->hash->update(ctx->hash, md, ctx->algo->digest_size); |
6273 | 10.1k | } |
6274 | 17.2k | ctx->hash->final(ctx->hash, md, mode); |
6275 | | |
6276 | 17.2k | switch (mode) { |
6277 | 10.1k | case PTLS_HASH_FINAL_MODE_FREE: |
6278 | 10.1k | ptls_clear_memory(ctx->key, ctx->algo->block_size); |
6279 | 10.1k | free(ctx); |
6280 | 10.1k | break; |
6281 | 7.08k | case PTLS_HASH_FINAL_MODE_RESET: |
6282 | 7.08k | hmac_apply_key(ctx, 0x36); |
6283 | 7.08k | break; |
6284 | 0 | default: |
6285 | 0 | assert(!"FIXME"); |
6286 | 0 | break; |
6287 | 17.2k | } |
6288 | 17.2k | } |
6289 | | |
6290 | | int ptls_calc_hash(ptls_hash_algorithm_t *algo, void *output, const void *src, size_t len) |
6291 | 0 | { |
6292 | 0 | ptls_hash_context_t *ctx; |
6293 | |
|
6294 | 0 | if ((ctx = algo->create()) == NULL) |
6295 | 0 | return PTLS_ERROR_NO_MEMORY; |
6296 | 0 | ctx->update(ctx, src, len); |
6297 | 0 | ctx->final(ctx, output, PTLS_HASH_FINAL_MODE_FREE); |
6298 | 0 | return 0; |
6299 | 0 | } |
6300 | | |
6301 | | ptls_hash_context_t *ptls_hmac_create(ptls_hash_algorithm_t *algo, const void *key, size_t key_size) |
6302 | 10.1k | { |
6303 | 10.1k | struct st_picotls_hmac_context_t *ctx; |
6304 | | |
6305 | 10.1k | assert(key_size <= algo->block_size); |
6306 | | |
6307 | 10.1k | if ((ctx = malloc(offsetof(struct st_picotls_hmac_context_t, key) + algo->block_size)) == NULL) |
6308 | 0 | return NULL; |
6309 | | |
6310 | 10.1k | *ctx = (struct st_picotls_hmac_context_t){{hmac_update, hmac_final}, algo}; |
6311 | 10.1k | if ((ctx->hash = algo->create()) == NULL) { |
6312 | 0 | free(ctx); |
6313 | 0 | return NULL; |
6314 | 0 | } |
6315 | 10.1k | memset(ctx->key, 0, algo->block_size); |
6316 | 10.1k | memcpy(ctx->key, key, key_size); |
6317 | | |
6318 | 10.1k | hmac_apply_key(ctx, 0x36); |
6319 | | |
6320 | 10.1k | return &ctx->super; |
6321 | 10.1k | } |
6322 | | |
6323 | | int ptls_hkdf_extract(ptls_hash_algorithm_t *algo, void *output, ptls_iovec_t salt, ptls_iovec_t ikm) |
6324 | 3.10k | { |
6325 | 3.10k | ptls_hash_context_t *hash; |
6326 | | |
6327 | 3.10k | if (salt.len == 0) |
6328 | 0 | salt = ptls_iovec_init(zeroes_of_max_digest_size, algo->digest_size); |
6329 | | |
6330 | 3.10k | if ((hash = ptls_hmac_create(algo, salt.base, salt.len)) == NULL) |
6331 | 0 | return PTLS_ERROR_NO_MEMORY; |
6332 | 3.10k | hash->update(hash, ikm.base, ikm.len); |
6333 | 3.10k | hash->final(hash, output, PTLS_HASH_FINAL_MODE_FREE); |
6334 | 3.10k | return 0; |
6335 | 3.10k | } |
6336 | | |
6337 | | int ptls_hkdf_expand(ptls_hash_algorithm_t *algo, void *output, size_t outlen, ptls_iovec_t prk, ptls_iovec_t info) |
6338 | 7.08k | { |
6339 | 7.08k | ptls_hash_context_t *hmac = NULL; |
6340 | 7.08k | size_t i; |
6341 | 7.08k | uint8_t digest[PTLS_MAX_DIGEST_SIZE]; |
6342 | | |
6343 | 14.1k | for (i = 0; (i * algo->digest_size) < outlen; ++i) { |
6344 | 7.08k | if (hmac == NULL) { |
6345 | 7.08k | if ((hmac = ptls_hmac_create(algo, prk.base, prk.len)) == NULL) |
6346 | 0 | return PTLS_ERROR_NO_MEMORY; |
6347 | 7.08k | } else { |
6348 | 0 | hmac->update(hmac, digest, algo->digest_size); |
6349 | 0 | } |
6350 | 7.08k | hmac->update(hmac, info.base, info.len); |
6351 | 7.08k | uint8_t gen = (uint8_t)(i + 1); |
6352 | 7.08k | hmac->update(hmac, &gen, 1); |
6353 | 7.08k | hmac->final(hmac, digest, 1); |
6354 | | |
6355 | 7.08k | size_t off_start = i * algo->digest_size, off_end = off_start + algo->digest_size; |
6356 | 7.08k | if (off_end > outlen) |
6357 | 4.04k | off_end = outlen; |
6358 | 7.08k | memcpy((uint8_t *)output + off_start, digest, off_end - off_start); |
6359 | 7.08k | } |
6360 | | |
6361 | 7.08k | if (hmac != NULL) |
6362 | 7.08k | hmac->final(hmac, NULL, PTLS_HASH_FINAL_MODE_FREE); |
6363 | | |
6364 | 7.08k | ptls_clear_memory(digest, algo->digest_size); |
6365 | | |
6366 | 7.08k | return 0; |
6367 | 7.08k | } |
6368 | | |
6369 | | int ptls_hkdf_expand_label(ptls_hash_algorithm_t *algo, void *output, size_t outlen, ptls_iovec_t secret, const char *label, |
6370 | | ptls_iovec_t hash_value, const char *label_prefix) |
6371 | 7.08k | { |
6372 | 7.08k | ptls_buffer_t hkdf_label; |
6373 | 7.08k | uint8_t hkdf_label_buf[80]; |
6374 | 7.08k | int ret; |
6375 | | |
6376 | 7.08k | ptls_buffer_init(&hkdf_label, hkdf_label_buf, sizeof(hkdf_label_buf)); |
6377 | | |
6378 | 7.08k | ptls_buffer_push16(&hkdf_label, (uint16_t)outlen); |
6379 | 7.08k | ptls_buffer_push_block(&hkdf_label, 1, { |
6380 | 7.08k | if (label_prefix == NULL) |
6381 | 7.08k | label_prefix = PTLS_HKDF_EXPAND_LABEL_PREFIX; |
6382 | 7.08k | ptls_buffer_pushv(&hkdf_label, label_prefix, strlen(label_prefix)); |
6383 | 7.08k | ptls_buffer_pushv(&hkdf_label, label, strlen(label)); |
6384 | 7.08k | }); |
6385 | 7.08k | ptls_buffer_push_block(&hkdf_label, 1, { ptls_buffer_pushv(&hkdf_label, hash_value.base, hash_value.len); }); |
6386 | | |
6387 | 7.08k | ret = ptls_hkdf_expand(algo, output, outlen, secret, ptls_iovec_init(hkdf_label.base, hkdf_label.off)); |
6388 | | |
6389 | 7.08k | Exit: |
6390 | 7.08k | ptls_buffer_dispose(&hkdf_label); |
6391 | 7.08k | return ret; |
6392 | 7.08k | } |
6393 | | |
6394 | | int ptls_tls12_phash(ptls_hash_algorithm_t *algo, void *output, size_t outlen, ptls_iovec_t secret, const char *label, |
6395 | | ptls_iovec_t seed) |
6396 | 0 | { |
6397 | 0 | ptls_hash_context_t *hmac; |
6398 | 0 | uint8_t An[PTLS_MAX_DIGEST_SIZE]; |
6399 | 0 | size_t output_off = 0; |
6400 | |
|
6401 | 0 | if ((hmac = ptls_hmac_create(algo, secret.base, secret.len)) == NULL) |
6402 | 0 | return PTLS_ERROR_NO_MEMORY; |
6403 | | |
6404 | | /* A(1) = HMAC_hash(secret, label + seed) */ |
6405 | 0 | if (label != NULL) |
6406 | 0 | hmac->update(hmac, label, strlen(label)); |
6407 | 0 | hmac->update(hmac, seed.base, seed.len); |
6408 | 0 | hmac->final(hmac, An, PTLS_HASH_FINAL_MODE_RESET); |
6409 | |
|
6410 | 0 | while (1) { |
6411 | | /* output += HMAC_hash(secret, A(i) + label + seed) */ |
6412 | 0 | hmac->update(hmac, An, algo->digest_size); |
6413 | 0 | if (label != NULL) |
6414 | 0 | hmac->update(hmac, label, strlen(label)); |
6415 | 0 | hmac->update(hmac, seed.base, seed.len); |
6416 | 0 | if (outlen - output_off <= algo->digest_size) { |
6417 | | /* digest of last chunk is at first written to An then the necessary bytes are copied to output */ |
6418 | 0 | hmac->final(hmac, An, PTLS_HASH_FINAL_MODE_FREE); |
6419 | 0 | memcpy((uint8_t *)output + output_off, An, outlen - output_off); |
6420 | 0 | break; |
6421 | 0 | } |
6422 | 0 | hmac->final(hmac, (uint8_t *)output + output_off, PTLS_HASH_FINAL_MODE_RESET); |
6423 | 0 | output_off += algo->digest_size; |
6424 | | |
6425 | | /* A(i) = HMAC_hash(secret, A(i-1)) */ |
6426 | 0 | hmac->update(hmac, An, algo->digest_size); |
6427 | 0 | hmac->final(hmac, An, PTLS_HASH_FINAL_MODE_RESET); |
6428 | 0 | } |
6429 | |
|
6430 | 0 | ptls_clear_memory(An, algo->digest_size); |
6431 | |
|
6432 | 0 | return 0; |
6433 | 0 | } |
6434 | | |
6435 | | ptls_cipher_context_t *ptls_cipher_new(ptls_cipher_algorithm_t *algo, int is_enc, const void *key) |
6436 | 0 | { |
6437 | 0 | ptls_cipher_context_t *ctx; |
6438 | |
|
6439 | 0 | if ((ctx = (ptls_cipher_context_t *)malloc(algo->context_size)) == NULL) |
6440 | 0 | return NULL; |
6441 | 0 | *ctx = (ptls_cipher_context_t){algo}; |
6442 | 0 | if (algo->setup_crypto(ctx, is_enc, key) != 0) { |
6443 | 0 | free(ctx); |
6444 | 0 | ctx = NULL; |
6445 | 0 | } |
6446 | 0 | return ctx; |
6447 | 0 | } |
6448 | | |
6449 | | void ptls_cipher_free(ptls_cipher_context_t *ctx) |
6450 | 0 | { |
6451 | 0 | ctx->do_dispose(ctx); |
6452 | 0 | free(ctx); |
6453 | 0 | } |
6454 | | |
6455 | | ptls_aead_context_t *new_aead(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, int is_enc, const void *secret, |
6456 | | ptls_iovec_t hash_value, const char *label_prefix) |
6457 | 2.02k | { |
6458 | 2.02k | ptls_aead_context_t *ctx = NULL; |
6459 | 2.02k | struct { |
6460 | 2.02k | uint8_t key[PTLS_MAX_SECRET_SIZE]; |
6461 | 2.02k | uint8_t iv[PTLS_MAX_IV_SIZE]; |
6462 | 2.02k | } key_iv; |
6463 | 2.02k | int ret; |
6464 | | |
6465 | 2.02k | if ((ret = get_traffic_keys(aead, hash, key_iv.key, key_iv.iv, secret, hash_value, label_prefix)) != 0) |
6466 | 0 | goto Exit; |
6467 | 2.02k | ctx = ptls_aead_new_direct(aead, is_enc, key_iv.key, key_iv.iv); |
6468 | 2.02k | Exit: |
6469 | 2.02k | ptls_clear_memory(&key_iv, sizeof(key_iv)); |
6470 | 2.02k | return ctx; |
6471 | 2.02k | } |
6472 | | |
6473 | | ptls_aead_context_t *ptls_aead_new(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, int is_enc, const void *secret, |
6474 | | const char *label_prefix) |
6475 | 2.02k | { |
6476 | 2.02k | return new_aead(aead, hash, is_enc, secret, ptls_iovec_init(NULL, 0), label_prefix); |
6477 | 2.02k | } |
6478 | | |
6479 | | ptls_aead_context_t *ptls_aead_new_direct(ptls_aead_algorithm_t *aead, int is_enc, const void *key, const void *iv) |
6480 | 2.02k | { |
6481 | 2.02k | ptls_aead_context_t *ctx; |
6482 | | |
6483 | 2.02k | if ((ctx = (ptls_aead_context_t *)malloc(aead->context_size)) == NULL) |
6484 | 0 | return NULL; |
6485 | | |
6486 | 2.02k | *ctx = (ptls_aead_context_t){aead}; |
6487 | | |
6488 | 2.02k | if (aead->setup_crypto(ctx, is_enc, key, iv) != 0) { |
6489 | 0 | free(ctx); |
6490 | 0 | return NULL; |
6491 | 0 | } |
6492 | | |
6493 | 2.02k | return ctx; |
6494 | 2.02k | } |
6495 | | |
6496 | | void ptls_aead_free(ptls_aead_context_t *ctx) |
6497 | 2.02k | { |
6498 | 2.02k | ctx->dispose_crypto(ctx); |
6499 | 2.02k | free(ctx); |
6500 | 2.02k | } |
6501 | | |
6502 | | void ptls_aead_xor_iv(ptls_aead_context_t *ctx, const void *_bytes, size_t len) |
6503 | 0 | { |
6504 | 0 | const uint8_t *bytes = _bytes; |
6505 | 0 | uint8_t iv[PTLS_MAX_IV_SIZE]; |
6506 | |
|
6507 | 0 | ptls_aead_get_iv(ctx, iv); |
6508 | 0 | for (size_t i = 0; i < len; ++i) |
6509 | 0 | iv[i] ^= bytes[i]; |
6510 | 0 | ptls_aead_set_iv(ctx, iv); |
6511 | 0 | } |
6512 | | |
6513 | | void ptls_aead__build_iv(ptls_aead_algorithm_t *algo, uint8_t *iv, const uint8_t *static_iv, uint64_t seq) |
6514 | 0 | { |
6515 | 0 | size_t iv_size = algo->iv_size, i; |
6516 | 0 | const uint8_t *s = static_iv; |
6517 | 0 | uint8_t *d = iv; |
6518 | | |
6519 | | /* build iv */ |
6520 | 0 | for (i = iv_size - 8; i != 0; --i) |
6521 | 0 | *d++ = *s++; |
6522 | 0 | i = 64; |
6523 | 0 | do { |
6524 | 0 | i -= 8; |
6525 | 0 | *d++ = *s++ ^ (uint8_t)(seq >> i); |
6526 | 0 | } while (i != 0); |
6527 | 0 | } |
6528 | | |
6529 | | static void clear_memory(void *p, size_t len) |
6530 | 313k | { |
6531 | 313k | if (len != 0) |
6532 | 140k | memset(p, 0, len); |
6533 | 313k | } |
6534 | | |
6535 | | void (*volatile ptls_clear_memory)(void *p, size_t len) = clear_memory; |
6536 | | |
6537 | | static int mem_equal(const void *_x, const void *_y, size_t len) |
6538 | 41.6k | { |
6539 | 41.6k | const volatile uint8_t *x = _x, *y = _y; |
6540 | 41.6k | uint8_t t = 0; |
6541 | | |
6542 | 41.9k | for (; len != 0; --len) |
6543 | 352 | t |= *x++ ^ *y++; |
6544 | | |
6545 | 41.6k | return t == 0; |
6546 | 41.6k | } |
6547 | | |
6548 | | int (*volatile ptls_mem_equal)(const void *x, const void *y, size_t len) = mem_equal; |
6549 | | |
6550 | | static uint64_t get_time(ptls_get_time_t *self) |
6551 | 0 | { |
6552 | 0 | struct timeval tv; |
6553 | 0 | gettimeofday(&tv, NULL); |
6554 | 0 | return (uint64_t)tv.tv_sec * 1000 + tv.tv_usec / 1000; |
6555 | 0 | } |
6556 | | |
6557 | | ptls_get_time_t ptls_get_time = {get_time}; |
6558 | | |
6559 | | int ptls_is_server(ptls_t *tls) |
6560 | 2.02k | { |
6561 | 2.02k | return tls->is_server; |
6562 | 2.02k | } |
6563 | | |
6564 | | struct st_ptls_raw_message_emitter_t { |
6565 | | ptls_message_emitter_t super; |
6566 | | size_t start_off; |
6567 | | size_t *epoch_offsets; |
6568 | | }; |
6569 | | |
6570 | | static int begin_raw_message(ptls_message_emitter_t *_self) |
6571 | 0 | { |
6572 | 0 | struct st_ptls_raw_message_emitter_t *self = (void *)_self; |
6573 | |
|
6574 | 0 | self->start_off = self->super.buf->off; |
6575 | 0 | return 0; |
6576 | 0 | } |
6577 | | |
6578 | | static int commit_raw_message(ptls_message_emitter_t *_self) |
6579 | 0 | { |
6580 | 0 | struct st_ptls_raw_message_emitter_t *self = (void *)_self; |
6581 | 0 | size_t epoch; |
6582 | | |
6583 | | /* epoch is the key epoch, with the only exception being 2nd CH generated after 0-RTT key */ |
6584 | 0 | epoch = self->super.enc->epoch; |
6585 | 0 | if (epoch == 1 && self->super.buf->base[self->start_off] == PTLS_HANDSHAKE_TYPE_CLIENT_HELLO) |
6586 | 0 | epoch = 0; |
6587 | |
|
6588 | 0 | for (++epoch; epoch < 5; ++epoch) { |
6589 | 0 | assert(self->epoch_offsets[epoch] == self->start_off); |
6590 | 0 | self->epoch_offsets[epoch] = self->super.buf->off; |
6591 | 0 | } |
6592 | | |
6593 | 0 | self->start_off = SIZE_MAX; |
6594 | |
|
6595 | 0 | return 0; |
6596 | 0 | } |
6597 | | |
6598 | | size_t ptls_get_read_epoch(ptls_t *tls) |
6599 | 0 | { |
6600 | 0 | switch (tls->state) { |
6601 | 0 | case PTLS_STATE_CLIENT_HANDSHAKE_START: |
6602 | 0 | case PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO: |
6603 | 0 | case PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO: |
6604 | 0 | case PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO: |
6605 | 0 | case PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO: |
6606 | 0 | return 0; /* plaintext */ |
6607 | 0 | case PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA: |
6608 | 0 | assert(!tls->ctx->omit_end_of_early_data); |
6609 | 0 | return 1; /* 0-rtt */ |
6610 | 0 | case PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS: |
6611 | 0 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE: |
6612 | 0 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE: |
6613 | 0 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY: |
6614 | 0 | case PTLS_STATE_CLIENT_EXPECT_FINISHED: |
6615 | 0 | case PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY: |
6616 | 0 | case PTLS_STATE_SERVER_EXPECT_CERTIFICATE: |
6617 | 0 | case PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY: |
6618 | 0 | case PTLS_STATE_SERVER_EXPECT_FINISHED: |
6619 | 0 | return 2; /* handshake */ |
6620 | 0 | case PTLS_STATE_CLIENT_POST_HANDSHAKE: |
6621 | 0 | case PTLS_STATE_SERVER_POST_HANDSHAKE: |
6622 | 0 | return 3; /* 1-rtt */ |
6623 | 0 | default: |
6624 | 0 | assert(!"invalid state"); |
6625 | 0 | return SIZE_MAX; |
6626 | 0 | } |
6627 | 0 | } |
6628 | | |
6629 | | int ptls_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input, |
6630 | | size_t inlen, ptls_handshake_properties_t *properties) |
6631 | 0 | { |
6632 | 0 | return tls->is_server ? ptls_server_handle_message(tls, sendbuf, epoch_offsets, in_epoch, input, inlen, properties) |
6633 | 0 | : ptls_client_handle_message(tls, sendbuf, epoch_offsets, in_epoch, input, inlen, properties); |
6634 | 0 | } |
6635 | | |
6636 | | int ptls_client_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input, |
6637 | | size_t inlen, ptls_handshake_properties_t *properties) |
6638 | 0 | { |
6639 | 0 | assert(!tls->is_server); |
6640 | | |
6641 | 0 | struct st_ptls_raw_message_emitter_t emitter = { |
6642 | 0 | {sendbuf, &tls->traffic_protection.enc, 0, begin_raw_message, commit_raw_message}, SIZE_MAX, epoch_offsets}; |
6643 | 0 | struct st_ptls_record_t rec = {PTLS_CONTENT_TYPE_HANDSHAKE, 0, inlen, input}; |
6644 | |
|
6645 | 0 | if (input == NULL) |
6646 | 0 | return send_client_hello(tls, &emitter.super, properties, NULL); |
6647 | | |
6648 | 0 | if (ptls_get_read_epoch(tls) != in_epoch) |
6649 | 0 | return PTLS_ALERT_UNEXPECTED_MESSAGE; |
6650 | | |
6651 | 0 | return handle_handshake_record(tls, handle_client_handshake_message, &emitter.super, &rec, properties); |
6652 | 0 | } |
6653 | | |
6654 | | int ptls_server_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input, |
6655 | | size_t inlen, ptls_handshake_properties_t *properties) |
6656 | 0 | { |
6657 | 0 | assert(tls->is_server); |
6658 | | |
6659 | 0 | struct st_ptls_raw_message_emitter_t emitter = { |
6660 | 0 | {sendbuf, &tls->traffic_protection.enc, 0, begin_raw_message, commit_raw_message}, SIZE_MAX, epoch_offsets}; |
6661 | 0 | struct st_ptls_record_t rec = {PTLS_CONTENT_TYPE_HANDSHAKE, 0, inlen, input}; |
6662 | |
|
6663 | 0 | if (tls->state == PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY) { |
6664 | 0 | assert(input == NULL || inlen == 0); |
6665 | 0 | return server_finish_handshake(tls, &emitter.super, 1, NULL); |
6666 | 0 | } |
6667 | | |
6668 | 0 | assert(input != NULL); |
6669 | | |
6670 | 0 | if (ptls_get_read_epoch(tls) != in_epoch) |
6671 | 0 | return PTLS_ALERT_UNEXPECTED_MESSAGE; |
6672 | | |
6673 | 0 | return handle_handshake_record(tls, handle_server_handshake_message, &emitter.super, &rec, properties); |
6674 | 0 | } |
6675 | | |
6676 | | /** |
6677 | | * checks if given name looks like an IP address |
6678 | | */ |
6679 | | int ptls_server_name_is_ipaddr(const char *name) |
6680 | 0 | { |
6681 | 0 | #ifdef AF_INET |
6682 | 0 | struct sockaddr_in sin; |
6683 | 0 | if (inet_pton(AF_INET, name, &sin) == 1) |
6684 | 0 | return 1; |
6685 | 0 | #endif |
6686 | 0 | #ifdef AF_INET6 |
6687 | 0 | struct sockaddr_in6 sin6; |
6688 | 0 | if (inet_pton(AF_INET6, name, &sin6) == 1) |
6689 | 0 | return 1; |
6690 | 0 | #endif |
6691 | 0 | return 0; |
6692 | 0 | } |
6693 | | |
6694 | | int ptls_ech_encode_config(ptls_buffer_t *buf, uint8_t config_id, ptls_hpke_kem_t *kem, ptls_iovec_t public_key, |
6695 | | ptls_hpke_cipher_suite_t **ciphers, uint8_t max_name_length, const char *public_name) |
6696 | 0 | { |
6697 | 0 | int ret; |
6698 | |
|
6699 | 0 | ptls_buffer_push16(buf, PTLS_ECH_CONFIG_VERSION); |
6700 | 0 | ptls_buffer_push_block(buf, 2, { |
6701 | 0 | ptls_buffer_push(buf, config_id); |
6702 | 0 | ptls_buffer_push16(buf, kem->id); |
6703 | 0 | ptls_buffer_push_block(buf, 2, { ptls_buffer_pushv(buf, public_key.base, public_key.len); }); |
6704 | 0 | ptls_buffer_push_block(buf, 2, { |
6705 | 0 | for (size_t i = 0; ciphers[i] != NULL; ++i) { |
6706 | 0 | ptls_buffer_push16(buf, ciphers[i]->id.kdf); |
6707 | 0 | ptls_buffer_push16(buf, ciphers[i]->id.aead); |
6708 | 0 | } |
6709 | 0 | }); |
6710 | 0 | ptls_buffer_push(buf, max_name_length); |
6711 | 0 | ptls_buffer_push_block(buf, 1, { ptls_buffer_pushv(buf, public_name, strlen(public_name)); }); |
6712 | 0 | ptls_buffer_push_block(buf, 2, {/* extensions */}); |
6713 | 0 | }); |
6714 | | |
6715 | 0 | Exit: |
6716 | 0 | return ret; |
6717 | 0 | } |
6718 | | |
6719 | | static char *byte_to_hex(char *dst, uint8_t v) |
6720 | 0 | { |
6721 | 0 | *dst++ = "0123456789abcdef"[v >> 4]; |
6722 | 0 | *dst++ = "0123456789abcdef"[v & 0xf]; |
6723 | 0 | return dst; |
6724 | 0 | } |
6725 | | |
6726 | | char *ptls_hexdump(char *dst, const void *_src, size_t len) |
6727 | 0 | { |
6728 | 0 | char *buf = dst; |
6729 | 0 | const uint8_t *src = _src; |
6730 | |
|
6731 | 0 | for (size_t i = 0; i != len; ++i) |
6732 | 0 | dst = byte_to_hex(dst, src[i]); |
6733 | 0 | *dst = '\0'; |
6734 | 0 | return buf; |
6735 | 0 | } |
6736 | | |
6737 | | char *ptls_jsonescape(char *buf, const char *unsafe_str, size_t len) |
6738 | 0 | { |
6739 | 0 | char *dst = buf; |
6740 | 0 | const uint8_t *src = (const uint8_t *)unsafe_str, *end = src + len; |
6741 | |
|
6742 | 0 | for (; src != end; ++src) { |
6743 | 0 | switch (*src) { |
6744 | 0 | #define MAP(ch, escaped) \ |
6745 | 0 | case ch: \ |
6746 | 0 | memcpy(dst, (escaped), sizeof(escaped) - 1); \ |
6747 | 0 | dst += sizeof(escaped) - 1; \ |
6748 | 0 | break |
6749 | 0 | MAP('"', "\\\""); |
6750 | 0 | MAP('\\', "\\\\"); |
6751 | 0 | MAP('/', "\\/"); |
6752 | 0 | MAP('\b', "\\b"); |
6753 | 0 | MAP('\f', "\\f"); |
6754 | 0 | MAP('\n', "\\n"); |
6755 | 0 | MAP('\r', "\\r"); |
6756 | 0 | MAP('\t', "\\t"); |
6757 | 0 | #undef MAP |
6758 | 0 | default: |
6759 | 0 | if (*src < 0x20 || *src == 0x7f) { |
6760 | 0 | *dst++ = '\\'; |
6761 | 0 | *dst++ = 'u'; |
6762 | 0 | *dst++ = '0'; |
6763 | 0 | *dst++ = '0'; |
6764 | 0 | dst = byte_to_hex(dst, *src); |
6765 | 0 | } else { |
6766 | 0 | *dst++ = *src; |
6767 | 0 | } |
6768 | 0 | break; |
6769 | 0 | } |
6770 | 0 | } |
6771 | 0 | *dst = '\0'; |
6772 | |
|
6773 | 0 | return dst; |
6774 | 0 | } |
6775 | | |
6776 | | void ptls_build_v4_mapped_v6_address(struct in6_addr *v6, const struct in_addr *v4) |
6777 | 0 | { |
6778 | 0 | *v6 = (struct in6_addr){.s6_addr[10] = 0xff, .s6_addr[11] = 0xff}; |
6779 | 0 | memcpy(&v6->s6_addr[12], &v4->s_addr, 4); |
6780 | 0 | } |
6781 | | |
6782 | | struct st_ptls_log_t ptls_log = { |
6783 | | .dummy_conn_state = {.random_ = 1 /* never log */}, |
6784 | | ._generation = 1, /* starts from 1 so that recalc can be forced by setting to zero (i.e., the initial) */ |
6785 | | }; |
6786 | | PTLS_THREADLOCAL ptls_log_conn_state_t *ptls_log_conn_state_override = NULL; |
6787 | | |
6788 | | #if PTLS_HAVE_LOG |
6789 | | |
6790 | | static struct { |
6791 | | /** |
6792 | | * list of connections; the slot is connected if points != NULL |
6793 | | */ |
6794 | | struct { |
6795 | | /** |
6796 | | * file descriptor |
6797 | | */ |
6798 | | int fd; |
6799 | | /** |
6800 | | * see `ptls_log_add_fd` |
6801 | | */ |
6802 | | char *points; |
6803 | | /** |
6804 | | * |
6805 | | */ |
6806 | | char *snis; |
6807 | | /** |
6808 | | * list of addresses terminated by ip6addr_any |
6809 | | */ |
6810 | | struct in6_addr *addresses; |
6811 | | /** |
6812 | | * |
6813 | | */ |
6814 | | float sample_ratio; |
6815 | | /** |
6816 | | * |
6817 | | */ |
6818 | | unsigned appdata : 1; |
6819 | | } conns[sizeof(((struct st_ptls_log_state_t *)NULL)->active_conns) * 8]; |
6820 | | /** |
6821 | | * counts the number of writes that failed |
6822 | | */ |
6823 | | size_t num_lost; |
6824 | | /** |
6825 | | * anchor of the single-linked list of log points; the tail refers to itself (i.e., point->next == point) |
6826 | | */ |
6827 | | struct st_ptls_log_point_t *points; |
6828 | | /** |
6829 | | * |
6830 | | */ |
6831 | | pthread_mutex_t mutex; |
6832 | | } logctx = {.mutex = PTHREAD_MUTEX_INITIALIZER}; |
6833 | | |
6834 | | static PTLS_THREADLOCAL struct { |
6835 | | ptls_buffer_t buf; /* buf.base == NULL upon failre */ |
6836 | | char smallbuf[128]; |
6837 | | struct { |
6838 | | char buf[sizeof(",\"tid\":-9223372036854775808")]; |
6839 | | size_t len; |
6840 | | } tid; |
6841 | | } logbuf; |
6842 | | |
6843 | | static void close_log_fd(size_t slot) |
6844 | 0 | { |
6845 | 0 | assert(logctx.conns[slot].fd >= 0 && logctx.conns[slot].points != NULL); |
6846 | | |
6847 | 0 | close(logctx.conns[slot].fd); |
6848 | | |
6849 | | /* clear the connection information */ |
6850 | 0 | logctx.conns[slot].fd = -1; |
6851 | 0 | logctx.conns[slot].sample_ratio = 0; |
6852 | 0 | free(logctx.conns[slot].points); |
6853 | 0 | logctx.conns[slot].points = NULL; |
6854 | 0 | free(logctx.conns[slot].snis); |
6855 | 0 | logctx.conns[slot].snis = NULL; |
6856 | 0 | free(logctx.conns[slot].addresses); |
6857 | 0 | logctx.conns[slot].addresses = NULL; |
6858 | 0 | logctx.conns[slot].appdata = 0; |
6859 | 0 | ++ptls_log._generation; |
6860 | 0 | } |
6861 | | |
6862 | | static char *duplicate_stringlist(const char *input) |
6863 | 0 | { |
6864 | 0 | if (input == NULL) |
6865 | 0 | return strdup(""); |
6866 | | |
6867 | 0 | char *result; |
6868 | 0 | const char *in_tail; |
6869 | |
|
6870 | 0 | for (in_tail = input; in_tail[0] != '\0'; in_tail += strlen(in_tail) + 1) |
6871 | 0 | ; |
6872 | 0 | ++in_tail; |
6873 | 0 | if ((result = malloc(in_tail - input)) == NULL) |
6874 | 0 | return NULL; |
6875 | 0 | memcpy(result, input, in_tail - input); |
6876 | 0 | return result; |
6877 | 0 | } |
6878 | | |
6879 | | static int is_in_stringlist(const char *list, const char *search_for) |
6880 | 0 | { |
6881 | 0 | if (list[0] == '\0') |
6882 | 0 | return 1; |
6883 | | |
6884 | 0 | if (search_for == NULL) |
6885 | 0 | return 0; |
6886 | | |
6887 | 0 | for (const char *element = list; element[0] != '\0'; element += strlen(element) + 1) |
6888 | 0 | if (strcmp(element, search_for) == 0) |
6889 | 0 | return 1; |
6890 | 0 | return 0; |
6891 | 0 | } |
6892 | | |
6893 | | static int is_in_addresslist(const struct in6_addr *list, const struct in6_addr *search_for) |
6894 | 0 | { |
6895 | 0 | #define IS_EQUAL(x, y) (memcmp((x), (y), sizeof(struct in6_addr)) == 0) |
6896 | |
|
6897 | 0 | if (IS_EQUAL(&list[0], &in6addr_any)) |
6898 | 0 | return 1; |
6899 | | |
6900 | 0 | if (IS_EQUAL(search_for, &in6addr_any)) |
6901 | 0 | return 0; |
6902 | | |
6903 | 0 | for (const struct in6_addr *element = list; !IS_EQUAL(element, &in6addr_any); ++element) |
6904 | 0 | if (IS_EQUAL(element, search_for)) |
6905 | 0 | return 1; |
6906 | 0 | return 0; |
6907 | |
|
6908 | 0 | #undef IS_EQUAL |
6909 | 0 | } |
6910 | | |
6911 | | void ptls_log__recalc_point(int caller_locked, struct st_ptls_log_point_t *point) |
6912 | 5 | { |
6913 | 5 | if (!caller_locked) |
6914 | 5 | pthread_mutex_lock(&logctx.mutex); |
6915 | | |
6916 | 5 | if (point->state.generation != ptls_log._generation) { |
6917 | | /* update active bitmap */ |
6918 | 5 | uint32_t new_active = 0; |
6919 | 165 | for (size_t slot = 0; slot < PTLS_ELEMENTSOF(logctx.conns); ++slot) |
6920 | 160 | if (logctx.conns[slot].points != NULL && is_in_stringlist(logctx.conns[slot].points, point->name)) |
6921 | 0 | new_active |= (uint32_t)1 << slot; |
6922 | 5 | point->state.active_conns = new_active; |
6923 | 5 | point->state.generation = ptls_log._generation; |
6924 | 5 | } |
6925 | | |
6926 | 5 | if (!caller_locked) |
6927 | 5 | pthread_mutex_unlock(&logctx.mutex); |
6928 | 5 | } |
6929 | | |
6930 | | void ptls_log__recalc_conn(int caller_locked, struct st_ptls_log_conn_state_t *conn, const char *(*get_sni)(void *), |
6931 | | void *get_sni_arg) |
6932 | 0 | { |
6933 | 0 | if (!caller_locked) |
6934 | 0 | pthread_mutex_lock(&logctx.mutex); |
6935 | |
|
6936 | 0 | if (conn->state.generation != ptls_log._generation) { |
6937 | | /* update active bitmap */ |
6938 | 0 | uint32_t new_active = 0; |
6939 | 0 | const char *sni = get_sni != NULL ? get_sni(get_sni_arg) : NULL; |
6940 | 0 | for (size_t slot = 0; slot < PTLS_ELEMENTSOF(logctx.conns); ++slot) { |
6941 | 0 | if (logctx.conns[slot].points != NULL && conn->random_ < logctx.conns[slot].sample_ratio && |
6942 | 0 | is_in_stringlist(logctx.conns[slot].snis, sni) && is_in_addresslist(logctx.conns[slot].addresses, &conn->address)) { |
6943 | 0 | new_active |= (uint32_t)1 << slot; |
6944 | 0 | } |
6945 | 0 | } |
6946 | 0 | conn->state.active_conns = new_active; |
6947 | 0 | conn->state.generation = ptls_log._generation; |
6948 | 0 | } |
6949 | |
|
6950 | 0 | if (!caller_locked) |
6951 | 0 | pthread_mutex_unlock(&logctx.mutex); |
6952 | 0 | } |
6953 | | |
6954 | | static int expand_logbuf_or_invalidate(const char *prefix, size_t prefix_len, size_t capacity) |
6955 | 0 | { |
6956 | 0 | if (logbuf.buf.base == NULL) |
6957 | 0 | return 0; |
6958 | | |
6959 | 0 | if (ptls_buffer_reserve(&logbuf.buf, prefix_len + capacity) != 0) { |
6960 | 0 | ptls_buffer_dispose(&logbuf.buf); |
6961 | 0 | assert(logbuf.buf.base == NULL); |
6962 | 0 | return 0; |
6963 | 0 | } |
6964 | | |
6965 | 0 | memcpy(logbuf.buf.base + logbuf.buf.off, prefix, prefix_len); |
6966 | 0 | logbuf.buf.off += prefix_len; |
6967 | |
|
6968 | 0 | return 1; |
6969 | 0 | } |
6970 | | |
6971 | | __attribute__((format(printf, 4, 5))) static void pushf_logbuf_or_invalidate(const char *prefix, size_t prefix_len, size_t capacity, |
6972 | | const char *fmt, ...) |
6973 | 0 | { |
6974 | 0 | if (!expand_logbuf_or_invalidate(prefix, prefix_len, capacity)) |
6975 | 0 | return; |
6976 | | |
6977 | 0 | va_list args; |
6978 | 0 | va_start(args, fmt); |
6979 | 0 | int l = vsnprintf((char *)logbuf.buf.base + logbuf.buf.off, logbuf.buf.capacity - logbuf.buf.off, fmt, args); |
6980 | 0 | va_end(args); |
6981 | |
|
6982 | 0 | assert(l < logbuf.buf.capacity - logbuf.buf.off && "insufficent capacity"); |
6983 | 0 | logbuf.buf.off += l; |
6984 | 0 | } |
6985 | | |
6986 | | void ptls_log__do_push_element_safestr(const char *prefix, size_t prefix_len, const char *s, size_t l) |
6987 | 0 | { |
6988 | 0 | if (expand_logbuf_or_invalidate(prefix, prefix_len, l + 2)) { |
6989 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
6990 | 0 | memcpy(logbuf.buf.base + logbuf.buf.off, s, l); |
6991 | 0 | logbuf.buf.off += l; |
6992 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
6993 | 0 | } |
6994 | 0 | } |
6995 | | |
6996 | | void ptls_log__do_push_element_unsafestr(const char *prefix, size_t prefix_len, const char *s, size_t l) |
6997 | 0 | { |
6998 | 0 | if (expand_logbuf_or_invalidate(prefix, prefix_len, l * (sizeof("\\uXXXX") - 1) + 2)) { |
6999 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
7000 | 0 | logbuf.buf.off = (uint8_t *)ptls_jsonescape((char *)logbuf.buf.base + logbuf.buf.off, s, l) - logbuf.buf.base; |
7001 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
7002 | 0 | } |
7003 | 0 | } |
7004 | | |
7005 | | void ptls_log__do_push_element_hexdump(const char *prefix, size_t prefix_len, const void *s, size_t l) |
7006 | 0 | { |
7007 | 0 | if (expand_logbuf_or_invalidate(prefix, prefix_len, l * 2 + 2)) { |
7008 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
7009 | 0 | ptls_hexdump((char *)logbuf.buf.base + logbuf.buf.off, s, l); |
7010 | 0 | logbuf.buf.off += l * 2; |
7011 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
7012 | 0 | } |
7013 | 0 | } |
7014 | | |
7015 | | void ptls_log__do_push_element_signed32(const char *prefix, size_t prefix_len, int32_t v) |
7016 | 0 | { |
7017 | 0 | pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("-2147483648"), "%" PRId32, v); |
7018 | 0 | } |
7019 | | |
7020 | | void ptls_log__do_push_element_signed64(const char *prefix, size_t prefix_len, int64_t v) |
7021 | 0 | { |
7022 | 0 | pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("-9223372036854775808"), "%" PRId64, v); |
7023 | 0 | } |
7024 | | |
7025 | | void ptls_log__do_push_element_unsigned32(const char *prefix, size_t prefix_len, uint32_t v) |
7026 | 0 | { |
7027 | 0 | pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("4294967295"), "%" PRIu32, v); |
7028 | 0 | } |
7029 | | |
7030 | | void ptls_log__do_push_element_unsigned64(const char *prefix, size_t prefix_len, uint64_t v) |
7031 | 0 | { |
7032 | 0 | pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("18446744073709551615"), "%" PRIu64, v); |
7033 | 0 | } |
7034 | | |
7035 | | void ptls_log__do_push_element_bool(const char *prefix, size_t prefix_len, int v) |
7036 | 0 | { |
7037 | 0 | if (expand_logbuf_or_invalidate(prefix, prefix_len, 5)) { |
7038 | 0 | if (v) { |
7039 | 0 | memcpy(logbuf.buf.base + logbuf.buf.off, "true", 4); |
7040 | 0 | logbuf.buf.off += 4; |
7041 | 0 | } else { |
7042 | 0 | memcpy(logbuf.buf.base + logbuf.buf.off, "false", 5); |
7043 | 0 | logbuf.buf.off += 5; |
7044 | 0 | } |
7045 | 0 | } |
7046 | 0 | } |
7047 | | |
7048 | | void ptls_log__do_write_start(struct st_ptls_log_point_t *point, int add_time) |
7049 | 0 | { |
7050 | 0 | assert(logbuf.buf.base == NULL); |
7051 | 0 | ptls_buffer_init(&logbuf.buf, logbuf.smallbuf, sizeof(logbuf.smallbuf)); |
7052 | | |
7053 | | /* add module and type name */ |
7054 | 0 | const char *colon_at = strchr(point->name, ':'); |
7055 | 0 | int written = snprintf((char *)logbuf.buf.base, logbuf.buf.capacity, "{\"module\":\"%.*s\",\"type\":\"%s\"", |
7056 | 0 | (int)(colon_at - point->name), point->name, colon_at + 1); |
7057 | | |
7058 | | /* obtain and stringify thread id once */ |
7059 | 0 | if (logbuf.tid.len == 0) { |
7060 | 0 | #if defined(__linux__) |
7061 | 0 | logbuf.tid.len = sprintf(logbuf.tid.buf, ",\"tid\":%" PRId64, (int64_t)syscall(SYS_gettid)); |
7062 | | #elif defined(__APPLE__) |
7063 | | uint64_t t = 0; |
7064 | | #if MAC_OS_X_VERSION_MAX_ALLOWED < 1060 || defined(__POWERPC__) |
7065 | | t = pthread_mach_thread_np(pthread_self()); |
7066 | | #else |
7067 | | (void)pthread_threadid_np(NULL, &t); |
7068 | | #endif |
7069 | | logbuf.tid.len = sprintf(logbuf.tid.buf, ",\"tid\":%" PRIu64, t); |
7070 | | #else |
7071 | | /* other platforms: skip emitting tid, by keeping logbuf.tid.len == 0 */ |
7072 | | #endif |
7073 | 0 | } |
7074 | | /* append tid */ |
7075 | 0 | assert(written > 0 && written + logbuf.tid.len < logbuf.buf.capacity); |
7076 | 0 | memcpy((char *)logbuf.buf.base + written, logbuf.tid.buf, logbuf.tid.len + 1); |
7077 | 0 | written += logbuf.tid.len; |
7078 | | |
7079 | | /* append time if requested */ |
7080 | 0 | if (add_time) { |
7081 | 0 | struct timeval tv; |
7082 | 0 | gettimeofday(&tv, NULL); |
7083 | 0 | written += snprintf((char *)logbuf.buf.base + written, logbuf.buf.capacity - written, ",\"time\":%" PRIu64, |
7084 | 0 | (uint64_t)tv.tv_sec * 1000 + tv.tv_usec / 1000); |
7085 | 0 | } |
7086 | 0 | assert(written > 0 && written < logbuf.buf.capacity && "caller MUST provide smallbuf suffient to emit the prefix"); |
7087 | | |
7088 | 0 | logbuf.buf.off = (size_t)written; |
7089 | 0 | } |
7090 | | |
7091 | | int ptls_log__do_write_end(struct st_ptls_log_point_t *point, struct st_ptls_log_conn_state_t *conn, const char *(*get_sni)(void *), |
7092 | | void *get_sni_arg, int includes_appdata) |
7093 | 0 | { |
7094 | 0 | if (!expand_logbuf_or_invalidate("}\n", 2, 0)) |
7095 | 0 | return 0; |
7096 | | |
7097 | 0 | int needs_appdata = 0; |
7098 | |
|
7099 | 0 | pthread_mutex_lock(&logctx.mutex); |
7100 | | |
7101 | | /* calc the active conn bits, updating stale information if necessary */ |
7102 | 0 | if (point->state.generation != ptls_log._generation) |
7103 | 0 | ptls_log__recalc_point(1, point); |
7104 | 0 | uint32_t active = point->state.active_conns; |
7105 | 0 | if (conn != NULL && conn->state.generation != ptls_log._generation) { |
7106 | 0 | ptls_log__recalc_conn(1, conn, get_sni, get_sni_arg); |
7107 | 0 | active &= conn->state.active_conns; |
7108 | 0 | } |
7109 | | |
7110 | | /* iterate through the active connctions */ |
7111 | 0 | for (size_t slot = 0; active != 0; ++slot, active >>= 1) { |
7112 | 0 | if ((active & 1) == 0) |
7113 | 0 | continue; |
7114 | | |
7115 | 0 | assert(logctx.conns[slot].points != NULL); |
7116 | | |
7117 | 0 | if (logctx.conns[slot].appdata != includes_appdata) { |
7118 | 0 | if (!includes_appdata && ptls_log.may_include_appdata) |
7119 | 0 | needs_appdata = 1; |
7120 | 0 | continue; |
7121 | 0 | } |
7122 | | |
7123 | | /* write */ |
7124 | 0 | ssize_t wret; |
7125 | 0 | while ((wret = write(logctx.conns[slot].fd, logbuf.buf.base, logbuf.buf.off)) == -1 && errno == EINTR) |
7126 | 0 | ; |
7127 | 0 | if (wret == logbuf.buf.off) { |
7128 | | /* success */ |
7129 | 0 | } else if (wret > 0 || (wret == -1 && (errno == EAGAIN || errno == EWOULDBLOCK))) { |
7130 | | /* partial write or buffer full */ |
7131 | 0 | ++logctx.num_lost; |
7132 | 0 | } else { |
7133 | | /* write error; close and unregister the connection */ |
7134 | 0 | close_log_fd(slot); |
7135 | 0 | } |
7136 | 0 | } |
7137 | | |
7138 | 0 | pthread_mutex_unlock(&logctx.mutex); |
7139 | |
|
7140 | 0 | if (includes_appdata) |
7141 | 0 | assert(!needs_appdata); |
7142 | | |
7143 | 0 | ptls_buffer_dispose(&logbuf.buf); |
7144 | 0 | assert(logbuf.buf.base == NULL); |
7145 | 0 | return needs_appdata; |
7146 | 0 | } |
7147 | | |
7148 | | #endif |
7149 | | |
7150 | | void ptls_log_init_conn_state(ptls_log_conn_state_t *state, void (*random_bytes)(void *, size_t)) |
7151 | 2.09k | { |
7152 | 2.09k | uint32_t r; |
7153 | 2.09k | random_bytes(&r, sizeof(r)); |
7154 | | |
7155 | 2.09k | *state = (ptls_log_conn_state_t){ |
7156 | 2.09k | .random_ = (float)r / ((uint64_t)UINT32_MAX + 1), /* [0..1), so that any(r) < sample_ratio where sample_ratio is [0..1] */ |
7157 | 2.09k | .address = in6addr_any, |
7158 | 2.09k | }; |
7159 | 2.09k | } |
7160 | | |
7161 | | size_t ptls_log_num_lost(void) |
7162 | 0 | { |
7163 | 0 | #if PTLS_HAVE_LOG |
7164 | 0 | return logctx.num_lost; |
7165 | | #else |
7166 | | return 0; |
7167 | | #endif |
7168 | 0 | } |
7169 | | |
7170 | | int ptls_log_add_fd(int fd, float sample_ratio, const char *_points, const char *_snis, const char *_addresses, int appdata) |
7171 | 0 | { |
7172 | 0 | #if PTLS_HAVE_LOG |
7173 | |
|
7174 | 0 | char *points = NULL, *snis = NULL; |
7175 | 0 | struct in6_addr *addresses = NULL; |
7176 | 0 | int ret; |
7177 | |
|
7178 | 0 | pthread_mutex_lock(&logctx.mutex); |
7179 | |
|
7180 | 0 | if ((points = duplicate_stringlist(_points)) == NULL) { |
7181 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
7182 | 0 | goto Exit; |
7183 | 0 | } |
7184 | 0 | if ((snis = duplicate_stringlist(_snis)) == NULL) { |
7185 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
7186 | 0 | goto Exit; |
7187 | 0 | } |
7188 | 0 | { |
7189 | 0 | size_t num_addresses = 0; |
7190 | 0 | for (const char *input = _addresses; input != NULL && *input != '\0'; input += strlen(input) + 1) |
7191 | 0 | ++num_addresses; |
7192 | 0 | if ((addresses = malloc(sizeof(*addresses) * (num_addresses + 1))) == NULL) { |
7193 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
7194 | 0 | goto Exit; |
7195 | 0 | } |
7196 | 0 | size_t index = 0; |
7197 | 0 | for (const char *input = _addresses; input != NULL && *input != '\0'; input += strlen(input) + 1) { |
7198 | | /* note: for consistency to the handling of points, erroneous input is ignored. V4 addresses will use the mapped form |
7199 | | * (::ffff:192.0.2.1) */ |
7200 | 0 | if (!inet_pton(AF_INET6, input, &addresses[index])) { |
7201 | 0 | struct in_addr v4; |
7202 | 0 | if (!inet_pton(AF_INET, input, &v4)) |
7203 | 0 | continue; |
7204 | 0 | ptls_build_v4_mapped_v6_address(&addresses[index], &v4); |
7205 | 0 | } |
7206 | 0 | if (memcmp(&addresses[index], &in6addr_any, sizeof(struct in6_addr)) == 0) |
7207 | 0 | continue; |
7208 | 0 | ++index; |
7209 | 0 | } |
7210 | 0 | addresses[index] = in6addr_any; |
7211 | 0 | } |
7212 | | |
7213 | | /* find slot, or return if not available */ |
7214 | 0 | size_t slot_index; |
7215 | 0 | for (slot_index = 0; slot_index < PTLS_ELEMENTSOF(logctx.conns); ++slot_index) |
7216 | 0 | if (logctx.conns[slot_index].points == NULL) |
7217 | 0 | break; |
7218 | 0 | if (slot_index == PTLS_ELEMENTSOF(logctx.conns)) { |
7219 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
7220 | 0 | goto Exit; |
7221 | 0 | } |
7222 | | |
7223 | | /* setup the slot */ |
7224 | 0 | logctx.conns[slot_index].fd = fd; |
7225 | 0 | logctx.conns[slot_index].points = points; |
7226 | 0 | logctx.conns[slot_index].snis = snis; |
7227 | 0 | logctx.conns[slot_index].addresses = addresses; |
7228 | 0 | logctx.conns[slot_index].sample_ratio = sample_ratio; |
7229 | 0 | logctx.conns[slot_index].appdata = appdata; |
7230 | 0 | ++ptls_log._generation; |
7231 | |
|
7232 | 0 | ret = 0; /* success */ |
7233 | |
|
7234 | 0 | Exit: |
7235 | 0 | pthread_mutex_unlock(&logctx.mutex); |
7236 | 0 | if (ret != 0) { |
7237 | 0 | free(points); |
7238 | 0 | free(snis); |
7239 | 0 | free(addresses); |
7240 | 0 | } |
7241 | 0 | return ret; |
7242 | |
|
7243 | | #else |
7244 | | return PTLS_ERROR_NOT_AVAILABLE; |
7245 | | #endif |
7246 | 0 | } |