/*

 * Copyright (c) 2016 DeNA Co., Ltd., Kazuho Oku

 *

 * Permission is hereby granted, free of charge, to any person obtaining a copy

 * of this software and associated documentation files (the "Software"), to

 * deal in the Software without restriction, including without limitation the

 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or

 * sell copies of the Software, and to permit persons to whom the Software is

 * furnished to do so, subject to the following conditions:

 *

 * The above copyright notice and this permission notice shall be included in

 * all copies or substantial portions of the Software.

 *

 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING

 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS

 * IN THE SOFTWARE.

 */

#ifndef picotls_h

#define picotls_h

#ifdef __cplusplus

extern "C" {

#endif

#ifdef _WINDOWS

#include "wincompat.h"

#endif

#include <assert.h>

#include <inttypes.h>

#include <string.h>

#include <sys/types.h>

#if __GNUC__ >= 3

#define PTLS_LIKELY(x) __builtin_expect(!!(x), 1)

#define PTLS_UNLIKELY(x) __builtin_expect(!!(x), 0)

#define PTLS_BUILD_ASSERT_EXPR(cond) (sizeof(char[2 * !!(!__builtin_constant_p(cond) || (cond)) - 1]) != 0)

#define PTLS_BUILD_ASSERT(cond) ((void)PTLS_BUILD_ASSERT_EXPR(cond))

#else

#define PTLS_LIKELY(x) (x)

#define PTLS_UNLIKELY(x) (x)

#define PTLS_BUILD_ASSERT(cond) 1

#endif

/* __builtin_types_compatible_p yields incorrect results when older versions of GCC is used; see #303.

 * Clang with Xcode 9.4 or prior is known to not work correctly when a pointer is const-qualified; see

 * https://github.com/h2o/quicly/pull/306#issuecomment-626037269. Older versions of clang upstream works fine, but we do not need

 * best coverage. This macro is for preventing misuse going into the master branch, having it work one of the compilers supported in

 * our CI is enough.

 */

#if ((defined(__clang__) && __clang_major__ >= 10) || __GNUC__ >= 6) && !defined(__cplusplus)

#define PTLS_ASSERT_IS_ARRAY_EXPR(a) PTLS_BUILD_ASSERT_EXPR(__builtin_types_compatible_p(__typeof__(a[0])[], __typeof__(a)))

#else

#define PTLS_ASSERT_IS_ARRAY_EXPR(a) 1

#endif

#define PTLS_ELEMENTSOF(x) (PTLS_ASSERT_IS_ARRAY_EXPR(x) * sizeof(x) / sizeof((x)[0]))

#ifdef _WINDOWS

#define PTLS_THREADLOCAL __declspec(thread)

#else

#define PTLS_THREADLOCAL __thread

#endif

#ifndef PTLS_HAVE_LOG

#ifdef _WINDOWS

#define PTLS_HAVE_LOG 0

#else

#define PTLS_HAVE_LOG 1

#endif

#endif

#ifndef PTLS_FUZZ_HANDSHAKE

#define PTLS_FUZZ_HANDSHAKE 0

#endif

#define PTLS_HELLO_RANDOM_SIZE 32

#define PTLS_AES128_KEY_SIZE 16

#define PTLS_AES256_KEY_SIZE 32

#define PTLS_AES_BLOCK_SIZE 16

#define PTLS_AES_IV_SIZE 16

#define PTLS_AESGCM_IV_SIZE 12

#define PTLS_AESGCM_TAG_SIZE 16

#define PTLS_AESGCM_CONFIDENTIALITY_LIMIT 0x2000000            /* 2^25 */

#define PTLS_AESGCM_INTEGRITY_LIMIT UINT64_C(0x40000000000000) /* 2^54 */

#define PTLS_AESCCM_CONFIDENTIALITY_LIMIT 0xB504F3             /* 2^23.5 */

#define PTLS_AESCCM_INTEGRITY_LIMIT 0xB504F3                   /* 2^23.5 */

#define PTLS_CHACHA20_KEY_SIZE 32

#define PTLS_CHACHA20_IV_SIZE 16 /* contrary to RFC 7539, follow OpenSSL way of using first 32 bits as ctr and latter 96 as IV */

#define PTLS_CHACHA20POLY1305_IV_SIZE 12

#define PTLS_CHACHA20POLY1305_TAG_SIZE 16

#define PTLS_CHACHA20POLY1305_CONFIDENTIALITY_LIMIT UINT64_MAX       /* at least 2^64 */

#define PTLS_CHACHA20POLY1305_INTEGRITY_LIMIT UINT64_C(0x1000000000) /* 2^36 */

#define PTLS_AEGIS128L_KEY_SIZE 16

#define PTLS_AEGIS128L_IV_SIZE 16

#define PTLS_AEGIS128L_TAG_SIZE 16

#define PTLS_AEGIS128L_CONFIDENTIALITY_LIMIT UINT64_MAX          /* at least 2^64 */

#define PTLS_AEGIS128L_INTEGRITY_LIMIT UINT64_C(0x1000000000000) /* 2^48 */

#define PTLS_AEGIS256_KEY_SIZE 32

#define PTLS_AEGIS256_IV_SIZE 32

#define PTLS_AEGIS256_TAG_SIZE 16

#define PTLS_AEGIS256_CONFIDENTIALITY_LIMIT UINT64_MAX          /* at least 2^64 */

#define PTLS_AEGIS256_INTEGRITY_LIMIT UINT64_C(0x1000000000000) /* 2^48 */

#define PTLS_BLOWFISH_KEY_SIZE 16

#define PTLS_BLOWFISH_BLOCK_SIZE 8

#define PTLS_QUICLB_KEY_SIZE 16 /* same as the underlying aes128ecb */

#define PTLS_QUICLB_MIN_BLOCK_SIZE 7

#define PTLS_QUICLB_MAX_BLOCK_SIZE 19 /* inclusive */

#define PTLS_QUICLB_DEFAULT_BLOCK_SIZE                                                                                             \

    8 /* when the quiclb cipher is used, the blob passed to ptls_cipher_encrypt can be anything between the min and max above;     \

         however, 8 is the default set in `ptls_cipher_algorithm_t::block_size` */

#define PTLS_SHA256_BLOCK_SIZE 64

#define PTLS_SHA256_DIGEST_SIZE 32

#define PTLS_SHA384_BLOCK_SIZE 128

#define PTLS_SHA384_DIGEST_SIZE 48

#define PTLS_SHA512_BLOCK_SIZE 128

#define PTLS_SHA512_DIGEST_SIZE 64

#define PTLS_MAX_SECRET_SIZE 32

#define PTLS_MAX_IV_SIZE 32

#define PTLS_MAX_DIGEST_SIZE 64

/* versions */

#define PTLS_PROTOCOL_VERSION_TLS12 0x0303

#define PTLS_PROTOCOL_VERSION_TLS13 0x0304

/* cipher-suites */

#define PTLS_CIPHER_SUITE_AES_128_GCM_SHA256 0x1301

#define PTLS_CIPHER_SUITE_NAME_AES_128_GCM_SHA256 "TLS_AES_128_GCM_SHA256"

#define PTLS_CIPHER_SUITE_AES_256_GCM_SHA384 0x1302

#define PTLS_CIPHER_SUITE_NAME_AES_256_GCM_SHA384 "TLS_AES_256_GCM_SHA384"

#define PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256 0x1303

#define PTLS_CIPHER_SUITE_NAME_CHACHA20_POLY1305_SHA256 "TLS_CHACHA20_POLY1305_SHA256"

#define PTLS_CIPHER_SUITE_AEGIS256_SHA512 0x1306

#define PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA512 "TLS_AEGIS_256_SHA512"

#define PTLS_CIPHER_SUITE_AEGIS128L_SHA256 0x1307

#define PTLS_CIPHER_SUITE_NAME_AEGIS128L_SHA256 "TLS_AEGIS_128L_SHA256"

/* TLS/1.2 cipher-suites that we support (for compatibility, OpenSSL names are used) */

#define PTLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xc02b

#define PTLS_CIPHER_SUITE_NAME_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 "ECDHE-ECDSA-AES128-GCM-SHA256"

#define PTLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xc02c

#define PTLS_CIPHER_SUITE_NAME_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 "ECDHE-ECDSA-AES256-GCM-SHA384"

#define PTLS_CIPHER_SUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xc02f

#define PTLS_CIPHER_SUITE_NAME_ECDHE_RSA_WITH_AES_128_GCM_SHA256 "ECDHE-RSA-AES128-GCM-SHA256"

#define PTLS_CIPHER_SUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xc030

#define PTLS_CIPHER_SUITE_NAME_ECDHE_RSA_WITH_AES_256_GCM_SHA384 "ECDHE-RSA-AES256-GCM-SHA384"

#define PTLS_CIPHER_SUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xcca8

#define PTLS_CIPHER_SUITE_NAME_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 "ECDHE-RSA-CHACHA20-POLY1305"

#define PTLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xcca9

#define PTLS_CIPHER_SUITE_NAME_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 "ECDHE-ECDSA-CHACHA20-POLY1305"

/* negotiated_groups */

#define PTLS_GROUP_SECP256R1 23

#define PTLS_GROUP_NAME_SECP256R1 "secp256r1"

#define PTLS_GROUP_SECP384R1 24

#define PTLS_GROUP_NAME_SECP384R1 "secp384r1"

#define PTLS_GROUP_SECP521R1 25

#define PTLS_GROUP_NAME_SECP521R1 "secp521r1"

#define PTLS_GROUP_X25519 29

#define PTLS_GROUP_NAME_X25519 "x25519"

#define PTLS_GROUP_X448 30

#define PTLS_GROUP_NAME_X448 "x448"

#define PTLS_GROUP_SECP256R1MLKEM768 4587

#define PTLS_GROUP_NAME_SECP256R1MLKEM768 "SecP256r1MLKEM768"

#define PTLS_GROUP_X25519MLKEM768 4588

#define PTLS_GROUP_NAME_X25519MLKEM768 "X25519MLKEM768"

#define PTLS_GROUP_SECP384R1MLKEM1024 4589

#define PTLS_GROUP_NAME_SECP384R1MLKEM1024 "SecP384r1MLKEM1024"

#define PTLS_GROUP_MLKEM512 512

#define PTLS_GROUP_NAME_MLKEM512 "MLKEM512"

#define PTLS_GROUP_MLKEM768 513

#define PTLS_GROUP_NAME_MLKEM768 "MLKEM768"

#define PTLS_GROUP_MLKEM1024 514

#define PTLS_GROUP_NAME_MLKEM1024 "MLKEM1024"

/* signature algorithms */

#define PTLS_SIGNATURE_RSA_PKCS1_SHA1 0x0201

#define PTLS_SIGNATURE_RSA_PKCS1_SHA256 0x0401

#define PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256 0x0403

#define PTLS_SIGNATURE_ECDSA_SECP384R1_SHA384 0x0503

#define PTLS_SIGNATURE_ECDSA_SECP521R1_SHA512 0x0603

#define PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256 0x0804

#define PTLS_SIGNATURE_RSA_PSS_RSAE_SHA384 0x0805

#define PTLS_SIGNATURE_RSA_PSS_RSAE_SHA512 0x0806

#define PTLS_SIGNATURE_ED25519 0x0807

/* HPKE */

#define PTLS_HPKE_MODE_BASE 0

#define PTLS_HPKE_MODE_PSK 1

#define PTLS_HPKE_MODE_AUTH 2

#define PTLS_HPKE_MODE_AUTH_PSK 3

#define PTLS_HPKE_KEM_P256_SHA256 16

#define PTLS_HPKE_KEM_P384_SHA384 17

#define PTLS_HPKE_KEM_X25519_SHA256 32

#define PTLS_HPKE_HKDF_SHA256 1

#define PTLS_HPKE_HKDF_SHA384 2

#define PTLS_HPKE_HKDF_SHA512 3

#define PTLS_HPKE_AEAD_AES_128_GCM 1

#define PTLS_HPKE_AEAD_AES_256_GCM 2

#define PTLS_HPKE_AEAD_CHACHA20POLY1305 3

/* error classes and macros */

#define PTLS_ERROR_CLASS_SELF_ALERT 0

#define PTLS_ERROR_CLASS_PEER_ALERT 0x100

#define PTLS_ERROR_CLASS_INTERNAL 0x200

#define PTLS_ERROR_GET_CLASS(e) ((e) & ~0xff)

#define PTLS_ALERT_TO_SELF_ERROR(e) ((e) + PTLS_ERROR_CLASS_SELF_ALERT)

#define PTLS_ALERT_TO_PEER_ERROR(e) ((e) + PTLS_ERROR_CLASS_PEER_ALERT)

#define PTLS_ERROR_TO_ALERT(e) ((e) & 0xff)

/* the HKDF prefix */

#define PTLS_HKDF_EXPAND_LABEL_PREFIX "tls13 "

/* alerts */

#define PTLS_ALERT_LEVEL_WARNING 1

#define PTLS_ALERT_LEVEL_FATAL 2

#define PTLS_ALERT_CLOSE_NOTIFY 0

#define PTLS_ALERT_UNEXPECTED_MESSAGE 10

#define PTLS_ALERT_BAD_RECORD_MAC 20

#define PTLS_ALERT_HANDSHAKE_FAILURE 40

#define PTLS_ALERT_BAD_CERTIFICATE 42

#define PTLS_ALERT_UNSUPPORTED_CERTIFICATE 43

#define PTLS_ALERT_CERTIFICATE_REVOKED 44

#define PTLS_ALERT_CERTIFICATE_EXPIRED 45

#define PTLS_ALERT_CERTIFICATE_UNKNOWN 46

#define PTLS_ALERT_ILLEGAL_PARAMETER 47

#define PTLS_ALERT_UNKNOWN_CA 48

#define PTLS_ALERT_ACCESS_DENIED 49

#define PTLS_ALERT_DECODE_ERROR 50

#define PTLS_ALERT_DECRYPT_ERROR 51

#define PTLS_ALERT_PROTOCOL_VERSION 70

#define PTLS_ALERT_INTERNAL_ERROR 80

#define PTLS_ALERT_USER_CANCELED 90

#define PTLS_ALERT_MISSING_EXTENSION 109

#define PTLS_ALERT_UNSUPPORTED_EXTENSION 110

#define PTLS_ALERT_UNRECOGNIZED_NAME 112

#define PTLS_ALERT_UNKNOWN_PSK_IDENTITY 115

#define PTLS_ALERT_CERTIFICATE_REQUIRED 116

#define PTLS_ALERT_NO_APPLICATION_PROTOCOL 120

#define PTLS_ALERT_ECH_REQUIRED 121

/* TLS 1.2 */

#define PTLS_TLS12_MASTER_SECRET_SIZE 48

#define PTLS_TLS12_AAD_SIZE 13

#define PTLS_TLS12_AESGCM_FIXED_IV_SIZE 4

#define PTLS_TLS12_AESGCM_RECORD_IV_SIZE 8

#define PTLS_TLS12_CHACHAPOLY_FIXED_IV_SIZE 12

#define PTLS_TLS12_CHACHAPOLY_RECORD_IV_SIZE 0

/* internal errors */

#define PTLS_ERROR_NO_MEMORY (PTLS_ERROR_CLASS_INTERNAL + 1)

#define PTLS_ERROR_IN_PROGRESS (PTLS_ERROR_CLASS_INTERNAL + 2)

#define PTLS_ERROR_LIBRARY (PTLS_ERROR_CLASS_INTERNAL + 3)

#define PTLS_ERROR_INCOMPATIBLE_KEY (PTLS_ERROR_CLASS_INTERNAL + 4)

#define PTLS_ERROR_SESSION_NOT_FOUND (PTLS_ERROR_CLASS_INTERNAL + 5)

#define PTLS_ERROR_STATELESS_RETRY (PTLS_ERROR_CLASS_INTERNAL + 6)

#define PTLS_ERROR_NOT_AVAILABLE (PTLS_ERROR_CLASS_INTERNAL + 7)

#define PTLS_ERROR_COMPRESSION_FAILURE (PTLS_ERROR_CLASS_INTERNAL + 8)

#define PTLS_ERROR_REJECT_EARLY_DATA (PTLS_ERROR_CLASS_INTERNAL + 9)

#define PTLS_ERROR_DELEGATE (PTLS_ERROR_CLASS_INTERNAL + 10)

#define PTLS_ERROR_ASYNC_OPERATION (PTLS_ERROR_CLASS_INTERNAL + 11)

#define PTLS_ERROR_BLOCK_OVERFLOW (PTLS_ERROR_CLASS_INTERNAL + 12)

#define PTLS_ERROR_INCORRECT_BASE64 (PTLS_ERROR_CLASS_INTERNAL + 50)

#define PTLS_ERROR_PEM_LABEL_NOT_FOUND (PTLS_ERROR_CLASS_INTERNAL + 51)

#define PTLS_ERROR_BER_INCORRECT_ENCODING (PTLS_ERROR_CLASS_INTERNAL + 52)

#define PTLS_ERROR_BER_MALFORMED_TYPE (PTLS_ERROR_CLASS_INTERNAL + 53)

#define PTLS_ERROR_BER_MALFORMED_LENGTH (PTLS_ERROR_CLASS_INTERNAL + 54)

#define PTLS_ERROR_BER_EXCESSIVE_LENGTH (PTLS_ERROR_CLASS_INTERNAL + 55)

#define PTLS_ERROR_BER_ELEMENT_TOO_SHORT (PTLS_ERROR_CLASS_INTERNAL + 56)

#define PTLS_ERROR_BER_UNEXPECTED_EOC (PTLS_ERROR_CLASS_INTERNAL + 57)

#define PTLS_ERROR_DER_INDEFINITE_LENGTH (PTLS_ERROR_CLASS_INTERNAL + 58)

#define PTLS_ERROR_INCORRECT_ASN1_SYNTAX (PTLS_ERROR_CLASS_INTERNAL + 59)

#define PTLS_ERROR_INCORRECT_PEM_KEY_VERSION (PTLS_ERROR_CLASS_INTERNAL + 60)

#define PTLS_ERROR_INCORRECT_PEM_ECDSA_KEY_VERSION (PTLS_ERROR_CLASS_INTERNAL + 61)

#define PTLS_ERROR_INCORRECT_PEM_ECDSA_CURVE (PTLS_ERROR_CLASS_INTERNAL + 62)

#define PTLS_ERROR_INCORRECT_PEM_ECDSA_KEYSIZE (PTLS_ERROR_CLASS_INTERNAL + 63)

#define PTLS_ERROR_INCORRECT_ASN1_ECDSA_KEY_SYNTAX (PTLS_ERROR_CLASS_INTERNAL + 64)

#define PTLS_HANDSHAKE_TYPE_CLIENT_HELLO 1

#define PTLS_HANDSHAKE_TYPE_SERVER_HELLO 2

#define PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET 4

#define PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA 5

#define PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS 8

#define PTLS_HANDSHAKE_TYPE_CERTIFICATE 11

#define PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST 13

#define PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY 15

#define PTLS_HANDSHAKE_TYPE_FINISHED 20

#define PTLS_HANDSHAKE_TYPE_KEY_UPDATE 24

#define PTLS_HANDSHAKE_TYPE_COMPRESSED_CERTIFICATE 25

#define PTLS_HANDSHAKE_TYPE_MESSAGE_HASH 254

#define PTLS_HANDSHAKE_TYPE_PSEUDO_HRR -1

#define PTLS_CERTIFICATE_TYPE_X509 0

#define PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY 2

#define PTLS_ZERO_DIGEST_SHA256                                                                                                    \

    {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24,                               \

     0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}

#define PTLS_ZERO_DIGEST_SHA384                                                                                                    \

    {0x38, 0xb0, 0x60, 0xa7, 0x51, 0xac, 0x96, 0x38, 0x4c, 0xd9, 0x32, 0x7e, 0xb1, 0xb1, 0xe3, 0x6a,                               \

     0x21, 0xfd, 0xb7, 0x11, 0x14, 0xbe, 0x07, 0x43, 0x4c, 0x0c, 0xc7, 0xbf, 0x63, 0xf6, 0xe1, 0xda,                               \

     0x27, 0x4e, 0xde, 0xbf, 0xe7, 0x6f, 0x65, 0xfb, 0xd5, 0x1a, 0xd2, 0xf1, 0x48, 0x98, 0xb9, 0x5b}

#define PTLS_ZERO_DIGEST_SHA512                                                                                                    \

    {0xcf, 0x83, 0xe1, 0x35, 0x7e, 0xef, 0xb8, 0xbd, 0xf1, 0x54, 0x28, 0x50, 0xd6, 0x6d, 0x80, 0x07,                               \

     0xd6, 0x20, 0xe4, 0x05, 0x0b, 0x57, 0x15, 0xdc, 0x83, 0xf4, 0xa9, 0x21, 0xd3, 0x6c, 0xe9, 0xce,                               \

     0x47, 0xd0, 0xd1, 0x3c, 0x5d, 0x85, 0xf2, 0xb0, 0xff, 0x83, 0x18, 0xd2, 0x87, 0x7e, 0xec, 0x2f,                               \

     0x63, 0xb9, 0x31, 0xbd, 0x47, 0x41, 0x7a, 0x81, 0xa5, 0x38, 0x32, 0x7a, 0xf9, 0x27, 0xda, 0x3e}

#define PTLS_TO__STR(n) #n

#define PTLS_TO_STR(n) PTLS_TO__STR(n)

/**

 * default maximum of tickets to send (see ptls_context_t::ticket_requests.server.max_count)

 */

#define PTLS_DEFAULT_MAX_TICKETS_TO_SERVE 4

typedef struct st_ptls_t ptls_t;

typedef struct st_ptls_context_t ptls_context_t;

typedef struct st_ptls_key_schedule_t ptls_key_schedule_t;

/**

 * represents a sequence of octets

 */

typedef struct st_ptls_iovec_t {

    uint8_t *base;

    size_t len;

} ptls_iovec_t;

/**

 * used for storing output

 */

typedef struct st_ptls_buffer_t {

    uint8_t *base;

    size_t capacity;

    size_t off;

    uint8_t is_allocated; /* boolean */

    uint8_t align_bits;   /* if particular alignment is required, set to log2(alignment); otherwize zero */

} ptls_buffer_t;

/**

 * key exchange context built by ptls_key_exchange_algorithm::create.

 */

typedef struct st_ptls_key_exchange_context_t {

    /**

     * the underlying algorithm

     */

    const struct st_ptls_key_exchange_algorithm_t *algo;

    /**

     * public key of this context

     */

    ptls_iovec_t pubkey;

    /**

     * This function can be used for deriving a shared secret or for destroying the context.

     * When `secret` is non-NULL, this callback derives the shared secret using the private key of the context and the peer key

     * being given, and sets the value in `secret`. The memory pointed to by `secret->base` must be freed by the caller by calling

     * `free`. When `release` is set, the callee frees resources allocated to the context and set *keyex to NULL. Upon failure

     * (i.e., when an PTLS error code is returned), `*pubkey` and `*secret` either remain unchanged or are zero-cleared.

     */

    int (*on_exchange)(struct st_ptls_key_exchange_context_t **keyex, int release, ptls_iovec_t *secret, ptls_iovec_t peerkey);

} ptls_key_exchange_context_t;

/**

 * A key exchange algorithm.

 */

typedef const struct st_ptls_key_exchange_algorithm_t {

    /**

     * ID defined by the TLS specification

     */

    uint16_t id;

    /**

     * Creates a context for asynchronous key exchange. The function is called when ClientHello is generated. The on_exchange

     * callback of the created context is called when the client receives ServerHello.

     */

    int (*create)(const struct st_ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **ctx);

    /**

     * Implements synchronous key exchange. Called when ServerHello is generated.

     * Given a public key provided by the peer (`peerkey`), this callback generates an ephemeral private and public key, and returns

     * the public key (`pubkey`) and a secret (`secret`) derived from the peerkey and private key.

     * Upon failure (i.e., when an PTLS error code is returned), `*pubkey` and `*secret` either remain unchanged or are

     * zero-cleared.

     */

    int (*exchange)(const struct st_ptls_key_exchange_algorithm_t *algo, ptls_iovec_t *pubkey, ptls_iovec_t *secret,

                    ptls_iovec_t peerkey);

    /**

     * crypto-specific data

     */

    intptr_t data;

    /**

     * Description as defined in the IANA TLS registry

     */

    const char *name;

} ptls_key_exchange_algorithm_t;

/**

 * context of a symmetric cipher

 */

typedef struct st_ptls_cipher_context_t {

    const struct st_ptls_cipher_algorithm_t *algo;

    /* field above this line must not be altered by the crypto binding */

    void (*do_dispose)(struct st_ptls_cipher_context_t *ctx);

    void (*do_init)(struct st_ptls_cipher_context_t *ctx, const void *iv);

    void (*do_transform)(struct st_ptls_cipher_context_t *ctx, void *output, const void *input, size_t len);

} ptls_cipher_context_t;

/**

 * a symmetric cipher

 */

typedef const struct st_ptls_cipher_algorithm_t {

    const char *name;

    size_t key_size;

    size_t block_size;

    size_t iv_size;

    size_t context_size;

    int (*setup_crypto)(ptls_cipher_context_t *ctx, int is_enc, const void *key);

} ptls_cipher_algorithm_t;

/**

 * This object specifies symmetric cipher to be calculated alongside the AEAD encryption.

 * QUIC stacks can use this object to apply QUIC header protection and AEAD encryption in one shot.

 */

typedef struct st_ptls_aead_supplementary_encryption_t {

    /**

     * Cipher context to be used.

     */

    ptls_cipher_context_t *ctx;

    /**

     * Input to the cipher.

     * This field may point to the output of AEAD encryption, in which case the input will be read after AEAD encryption is

     * complete.

     */

    const void *input;

    /**

     * Output.

     */

    uint8_t output[16];

} ptls_aead_supplementary_encryption_t;

/**

 * AEAD context.

 * AEAD implementations are allowed to stuff data at the end of the struct; see `ptls_aead_algorithm_t::setup_crypto`.

 * Ciphers for TLS over TCP MUST implement `do_encrypt`, `do_encrypt_v`, `do_decrypt`.

 * `do_encrypt_init`, `~update`, `~final` are obsolete, and therefore may not be available.

 */

typedef struct st_ptls_aead_context_t {

    /**

     * Points to the algorithm. This field is governed by picotls core; backends must not alter.

     */

    const struct st_ptls_aead_algorithm_t *algo;

    /**

     * Mandatory callback that disposes of all the backend-specific data.

     */

    void (*dispose_crypto)(struct st_ptls_aead_context_t *ctx);

    /**

     * Mandatory callback that returns the static IV. The size of IV is available as `ptls_aead_algorithm_t::iv_size`.

     */

    void (*do_get_iv)(struct st_ptls_aead_context_t *ctx, void *iv);

    /**

     * Mandatory callback that sets the static IV. The size of IV is available as `ptls_aead_algorithm_t::iv_size`.

     */

    void (*do_set_iv)(struct st_ptls_aead_context_t *ctx, const void *iv);

    /**

     * Deprecated.

     */

    void (*do_encrypt_init)(struct st_ptls_aead_context_t *ctx, uint64_t seq, const void *aad, size_t aadlen);

    /**

     * Deprecated.

     */

    size_t (*do_encrypt_update)(struct st_ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen);

    /**

     * Deprecated.

     */

    size_t (*do_encrypt_final)(struct st_ptls_aead_context_t *ctx, void *output);

    /**

     * Mandatory callback that does "one-shot" encryption of an AEAD block.

     * When `supp` is set to non-NULL, the callback must also encrypt the supplementary block.

     * Backends may set this field to `ptls_aead__do_encrypt` that calls `do_encrypt_v` and `ptls_cipher_*` functions for handling

     * the supplimentary block.

     */

    void (*do_encrypt)(struct st_ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen, uint64_t seq,

                       const void *aad, size_t aadlen, ptls_aead_supplementary_encryption_t *supp);

    /**

     * Variant of `do_encrypt` that gathers input from multiple blocks. Support for this callback is also mandatory.

     * Legacy backends may set this field to `ptls_aead__do_encrypt_v` that calls `do_encrypt_init`, `do_encrypt_update`,

     * `do_encrypt_final`.

     */

    void (*do_encrypt_v)(struct st_ptls_aead_context_t *ctx, void *output, ptls_iovec_t *input, size_t incnt, uint64_t seq,

                         const void *aad, size_t aadlen);

    /**

     * Mandatory callback for decrypting an AEAD block.

     * If successful, returns the amount of cleartext bytes being written to output. Otherwise, returns SIZE_MAX.

     */

    size_t (*do_decrypt)(struct st_ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen, uint64_t seq,

                         const void *aad, size_t aadlen);

} ptls_aead_context_t;

/**

 * An AEAD cipher.

 */

typedef const struct st_ptls_aead_algorithm_t {

    /**

     * name (following the convention of `openssl ciphers -v ALL`)

     */

    const char *name;

    /**

     * confidentiality_limit (max records / packets sent before re-key)

     */

    const uint64_t confidentiality_limit;

    /**

     * integrity_limit (max decryption failure records / packets before re-key)

     */

    const uint64_t integrity_limit;

    /**

     * the underlying key stream

     */

    ptls_cipher_algorithm_t *ctr_cipher;

    /**

     * the underlying ecb cipher (might not be available)

     */

    ptls_cipher_algorithm_t *ecb_cipher;

    /**

     * key size

     */

    size_t key_size;

    /**

     * size of the IV

     */

    size_t iv_size;

    /**

     * size of the tag

     */

    size_t tag_size;

    /**

     * TLS/1.2 Security Parameters (AEAD without support for TLS 1.2 must set both values to 0)

     */

    struct {

        size_t fixed_iv_size;

        size_t record_iv_size;

    } tls12;

    /**

     * if encrypted bytes are going to be written using non-temporal store instructions (i.e., skip cache)

     */

    unsigned non_temporal : 1;

    /**

     * log2(alignment) being required

     */

    uint8_t align_bits;

    /**

     * size of memory allocated for `ptls_aead_context_t`

     */

    size_t context_size;

    /**

     * Backend callback called to setup `ptls_aead_context_t`.

     * Backends are allowed to stuff arbitrary data at the end of `ptls_aead_context_t`; actual size of the memory chunk being

     * allocated is that specified by `ptls_aead_algorithm_t::context_size`. When the `setup_crypto` callback is called, all the

     * fields outside of `ptls_aead_context_t` will be in undefined state; it is the responsibility of the callback to initialize

     * them, as well as the callbacks of `ptls_aead_context_t` that the backend supports.

     * A non-zero return value indicates failure, in which case the error will propagate as `ptls_aead_new` returning NULL.

     */

    int (*setup_crypto)(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv);

} ptls_aead_algorithm_t;

/**

 *

 */

typedef enum en_ptls_hash_final_mode_t {

    /**

     * obtains the digest and frees the context

     */

    PTLS_HASH_FINAL_MODE_FREE = 0,

    /**

     * obtains the digest and reset the context to initial state

     */

    PTLS_HASH_FINAL_MODE_RESET = 1,

    /**

     * obtains the digest while leaving the context as-is

     */

    PTLS_HASH_FINAL_MODE_SNAPSHOT = 2

} ptls_hash_final_mode_t;

/**

 * A hash context.

 */

typedef struct st_ptls_hash_context_t {

    /**

     * feeds additional data into the hash context

     */

    void (*update)(struct st_ptls_hash_context_t *ctx, const void *src, size_t len);

    /**

     * returns the digest and performs necessary operation specified by mode

     */

    void (*final)(struct st_ptls_hash_context_t *ctx, void *md, ptls_hash_final_mode_t mode);

    /**

     * creates a copy of the hash context

     */

    struct st_ptls_hash_context_t *(*clone_)(struct st_ptls_hash_context_t *src);

} ptls_hash_context_t;

/**

 * A hash algorithm and its properties.

 */

typedef const struct st_ptls_hash_algorithm_t {

    /**

     * name of the hash algorithm

     */

    const char *name;

    /**

     * block size

     */

    size_t block_size;

    /**

     * digest size

     */

    size_t digest_size;

    /**

     * constructor that creates the hash context

     */

    ptls_hash_context_t *(*create)(void);

    /**

     * digest of zero-length octets

     */

    uint8_t empty_digest[PTLS_MAX_DIGEST_SIZE];

} ptls_hash_algorithm_t;

typedef const struct st_ptls_cipher_suite_t {

    /**

     * ID as defined by the TLS Cipher Suites registry

     */

    uint16_t id;

    /**

     * underlying AEAD algorithm

     */

    ptls_aead_algorithm_t *aead;

    /**

     * underlying hash algorithm

     */

    ptls_hash_algorithm_t *hash;

    /**

     * value of the "Description" field of the TLS Cipher Suites registry

     */

    const char *name;

} ptls_cipher_suite_t;

struct st_ptls_traffic_protection_t;

typedef struct st_ptls_message_emitter_t {

    ptls_buffer_t *buf;

    struct st_ptls_traffic_protection_t *enc;

    size_t record_header_length;

    int (*begin_message)(struct st_ptls_message_emitter_t *self);

    int (*commit_message)(struct st_ptls_message_emitter_t *self);

} ptls_message_emitter_t;

/**

 * HPKE KEM

 */

typedef const struct st_ptls_hpke_kem_t {

    uint16_t id;

    ptls_key_exchange_algorithm_t *keyex;

    ptls_hash_algorithm_t *hash;

} ptls_hpke_kem_t;

typedef struct st_ptls_hpke_cipher_suite_id_t {

    uint16_t kdf;

    uint16_t aead;

} ptls_hpke_cipher_suite_id_t;

typedef const struct st_ptls_hpke_cipher_suite_t {

    ptls_hpke_cipher_suite_id_t id;

    const char *name; /* in form of "<kdf>/<aead>" using the sames specified in IANA HPKE registry */

    ptls_hash_algorithm_t *hash;

    ptls_aead_algorithm_t *aead;

} ptls_hpke_cipher_suite_t;

#define PTLS_CALLBACK_TYPE0(ret, name)                                                                                             \

    typedef struct st_ptls_##name##_t {                                                                                            \

        ret (*cb)(struct st_ptls_##name##_t * self);                                                                               \

    } ptls_##name##_t

#define PTLS_CALLBACK_TYPE(ret, name, ...)                                                                                         \

    typedef struct st_ptls_##name##_t {                                                                                            \

        ret (*cb)(struct st_ptls_##name##_t * self, __VA_ARGS__);                                                                  \

    } ptls_##name##_t

typedef struct st_ptls_client_hello_psk_identity_t {

    ptls_iovec_t identity;

    uint32_t obfuscated_ticket_age;

    ptls_iovec_t binder;

} ptls_client_hello_psk_identity_t;

/**

 * arguments passsed to the on_client_hello callback

 */

typedef struct st_ptls_on_client_hello_parameters_t {

    /**

     * SNI value received from the client. The value is {NULL, 0} if the extension was absent.

     */

    ptls_iovec_t server_name;

    /**

     * Raw value of the client_hello message.

     */

    ptls_iovec_t raw_message;

    /**

     * points to the cipher-suites section of the raw_message (see above)

     */

    ptls_iovec_t cipher_suites;

    /**

     *

     */

    struct {

        ptls_iovec_t *list;

        size_t count;

    } negotiated_protocols;

    struct {

        const uint16_t *list;

        size_t count;

    } signature_algorithms;

    struct {

        const uint16_t *list;

        size_t count;

    } certificate_compression_algorithms;

    struct {

        const uint8_t *list;

        size_t count;

    } server_certificate_types;

    struct {

        const ptls_client_hello_psk_identity_t *list;

        size_t count;

    } psk_identities;

    /**

     * set to 1 if ClientHello is too old (or too new) to be handled by picotls

     */

    unsigned incompatible_version : 1;

} ptls_on_client_hello_parameters_t;

/**

 * returns current time in milliseconds (ptls_get_time can be used to return the physical time)

 */

PTLS_CALLBACK_TYPE0(uint64_t, get_time);

/**

 * after receiving ClientHello, the core calls the optional callback to give a chance to the swap the context depending on the input

 * values. The callback is required to call `ptls_set_server_name` if an SNI extension needs to be sent to the client.

 */

PTLS_CALLBACK_TYPE(int, on_client_hello, ptls_t *tls, ptls_on_client_hello_parameters_t *params);

/**

 * callback to generate the certificate message. `ptls_context::certificates` are set when the callback is set to NULL.

 */

PTLS_CALLBACK_TYPE(int, emit_certificate, ptls_t *tls, ptls_message_emitter_t *emitter, ptls_key_schedule_t *key_sched,

                   ptls_iovec_t context, int push_status_request, const uint16_t *compress_algos, size_t num_compress_algos);

/**

 * An object that represents an asynchronous task (e.g., RSA signature generation).

 * When `ptls_handshake` returns `PTLS_ERROR_ASYNC_OPERATION`, it has an associated task in flight. The user should obtain the

 * reference to the associated task by calling `ptls_get_async_job`, then either wait for the file descriptor obtained from

 * the `get_fd` callback to become readable, or set a completion callback via `set_completion_callback` and wait for its

 * invocation. Once notified, the user should invoke `ptls_handshake` again.

 * Async jobs typically provide support for only one of the two methods.

 */

typedef struct st_ptls_async_job_t {

    void (*destroy_)(struct st_ptls_async_job_t *self);

    /**

     * optional callback returning a file descriptor that becomes readable when the job is complete

     */

    int (*get_fd)(struct st_ptls_async_job_t *self);

    /**

     * optional callback for setting a completion callback

     */

    void (*set_completion_callback)(struct st_ptls_async_job_t *self, void (*cb)(void *), void *cbdata);

} ptls_async_job_t;

/**

 * When gerenating CertificateVerify, the core calls the callback to sign the handshake context using the certificate. This callback

 * supports asynchronous mode; see `ptls_openssl_sign_certificate_t` for more information.

 */

PTLS_CALLBACK_TYPE(int, sign_certificate, ptls_t *tls, ptls_async_job_t **async, uint16_t *selected_algorithm,

                   ptls_buffer_t *output, ptls_iovec_t input, const uint16_t *algorithms, size_t num_algorithms);

/**

 * after receiving Certificate, the core calls the callback to verify the certificate chain and to obtain a pointer to a

 * callback that should be used for verifying CertificateVerify. If an error occurs between a successful return from this

 * callback to the invocation of the verify_sign callback, verify_sign is called with both data and sign set to an empty buffer.

 * The implementor of the callback should use that as the opportunity to free any temporary data allocated for the verify_sign

 * callback.

 * The name of the server to be verified, if any, is provided explicitly as `server_name`. When ECH is offered by the client but

 * the was rejected by the server, this value can be different from that being sent via `ptls_get_server_name`.

 */

typedef struct st_ptls_verify_certificate_t {

    int (*cb)(struct st_ptls_verify_certificate_t *self, ptls_t *tls, const char *server_name,

              int (**verify_sign)(void *verify_ctx, uint16_t algo, ptls_iovec_t data, ptls_iovec_t sign), void **verify_data,

              ptls_iovec_t *certs, size_t num_certs);

    /**

     * list of signature algorithms being supported, terminated by UINT16_MAX

     */

    const uint16_t *algos;

} ptls_verify_certificate_t;

/**

 * Encrypt-and-signs (or verify-and-decrypts) a ticket (server-only).

 * When used for encryption (i.e., is_encrypt being set), the function should return 0 if successful, or else a non-zero value.

 * When used for decryption, the function should return 0 (successful), PTLS_ERROR_REJECT_EARLY_DATA (successful, but 0-RTT is

 * forbidden), or any other value to indicate failure.

 */

PTLS_CALLBACK_TYPE(int, encrypt_ticket, ptls_t *tls, int is_encrypt, ptls_buffer_t *dst, ptls_iovec_t src);

/**

 * saves a ticket (client-only)

 */

PTLS_CALLBACK_TYPE(int, save_ticket, ptls_t *tls, ptls_iovec_t input);

/**

 * event logging (incl. secret logging)

 */

typedef struct st_ptls_log_event_t {

    void (*cb)(struct st_ptls_log_event_t *self, ptls_t *tls, const char *type, const char *fmt, ...)

        __attribute__((format(printf, 4, 5)));

} ptls_log_event_t;

/**

 * reference counting

 */

PTLS_CALLBACK_TYPE(void, update_open_count, ssize_t delta);

/**

 * applications that have their own record layer can set this function to derive their own traffic keys from the traffic secret.

 * The cipher-suite that is being associated to the connection can be obtained by calling the ptls_get_cipher function.

 */

PTLS_CALLBACK_TYPE(int, update_traffic_key, ptls_t *tls, int is_enc, size_t epoch, const void *secret);

/**

 * callback for every extension detected during decoding

 */

PTLS_CALLBACK_TYPE(int, on_extension, ptls_t *tls, uint8_t hstype, uint16_t exttype, ptls_iovec_t extdata);

/**

 *

 */

typedef struct st_ptls_decompress_certificate_t {

    /**

     * list of supported algorithms terminated by UINT16_MAX

     */

    const uint16_t *supported_algorithms;

    /**

     * callback that decompresses the message

     */

    int (*cb)(struct st_ptls_decompress_certificate_t *self, ptls_t *tls, uint16_t algorithm, ptls_iovec_t output,

              ptls_iovec_t input);

} ptls_decompress_certificate_t;

/**

 * ECH: creates the AEAD context to be used for "Open"-ing inner CH. Given `config_id`, the callback looks up the ECH config and the

 * corresponding private key, invokes `ptls_hpke_setup_base_r` with provided `cipher`, `enc`, and `info_prefix` (which will be

 * "tls ech" || 00).

 */

PTLS_CALLBACK_TYPE(ptls_aead_context_t *, ech_create_opener, ptls_hpke_kem_t **kem, ptls_hpke_cipher_suite_t **cipher, ptls_t *tls,

                   uint8_t config_id, ptls_hpke_cipher_suite_id_t cipher_id, ptls_iovec_t enc, ptls_iovec_t info_prefix);

/**

 * the configuration

 */

struct st_ptls_context_t {

    /**

     * PRNG to be used

     */

    void (*random_bytes)(void *buf, size_t len);

    /**

     *

     */

    ptls_get_time_t *get_time;

    /**

     * list of supported key-exchange algorithms terminated by NULL

     */

    ptls_key_exchange_algorithm_t **key_exchanges;

    /**

     * list of supported cipher-suites terminated by NULL

     */

    ptls_cipher_suite_t **cipher_suites;

    /**

     * list of certificates

     */

    struct {

        ptls_iovec_t *list;

        size_t count;

    } certificates;

    /**

     * External pre-shared key used for mutual authentication. Unless when using PSK, all the fields must be set to NULL / 0.

     */

    struct {

        ptls_iovec_t identity;

        ptls_iovec_t secret;

        /**

         * (mandatory) hash algorithm associated to the PSK; cipher-suites not sharing the same `ptls_hash_algorithm_t` will be

         * ignored

         */

        ptls_hash_algorithm_t *hash;

    } pre_shared_key;

    /**

     * ECH

     */

    struct {

        struct {

            /**

             * list of HPKE symmetric cipher-suites (set to NULL to disable ECH altogether)

             */

            ptls_hpke_cipher_suite_t **ciphers;

            /**

             * KEMs being supported

             */

            ptls_hpke_kem_t **kems;

        } client;

        struct {

            /**

             * callback that does ECDH key exchange and returns the AEAD context

             */

            ptls_ech_create_opener_t *create_opener;

            /**

             * ECHConfigList to be sent to the client when there is mismatch (or when the client sends a grease)

             */

            ptls_iovec_t retry_configs;

        } server;

    } ech;

    /**

     *

     */

    ptls_on_client_hello_t *on_client_hello;

    /**

     *

     */

    ptls_emit_certificate_t *emit_certificate;

    /**

     *

     */

    ptls_sign_certificate_t *sign_certificate;

    /**

     *

     */

    ptls_verify_certificate_t *verify_certificate;

    /**

     * lifetime of a session ticket (server-only)

     */

    uint32_t ticket_lifetime;

    /**

     * maximum permitted size of early data (server-only)

     */

    uint32_t max_early_data_size;

    /**

     * maximum size of the message buffer (default: 0 = unlimited = 3 + 2^24 bytes)

     */

    size_t max_buffer_size;

    /**

     * this field is obsolete and ignored

     */

    const char *hkdf_label_prefix__obsolete;

    /**

     * if set, psk handshakes use (ec)dhe

     */

    unsigned require_dhe_on_psk : 1;

    /**

     * if exporter master secrets should be recorded

     */

    unsigned use_exporter : 1;

    /**

     * if ChangeCipherSpec record should be sent during handshake. If the client sends CCS, the server sends one in response

     * regardless of the value of this flag. See RFC 8446 Appendix D.3.

     */

    unsigned send_change_cipher_spec : 1;

    /**

     * if set, the server requests client certificates to authenticate the client

     */

    unsigned require_client_authentication : 1;

    /**

     * if set, EOED will not be emitted or accepted

     */

    unsigned omit_end_of_early_data : 1;

    /**

     * This option turns on support for Raw Public Keys (RFC 7250).

     *

     * When running as a client, this option instructs the client to request the server to send raw public keys in place of X.509

     * certificate chain. The client should set its `certificate_verify` callback to one that is capable of validating the raw

     * public key that will be sent by the server.

     *

     * When running as a server, this option instructs the server to only handle clients requesting the use of raw public keys. If

     * the client does not, the handshake is rejected. Note however that the rejection happens only after the `on_client_hello`

     * callback is being called. Therefore, applications can support both X.509 and raw public keys by swapping `ptls_context_t` to

     * the correct one when that callback is being called (like handling swapping the contexts based on the value of SNI).

     */

    unsigned use_raw_public_keys : 1;

    /**

     * boolean indicating if the cipher-suite should be chosen based on server's preference

     */

    unsigned server_cipher_preference : 1;

    /**

     * boolean indicating if ChaCha20-Poly1305 should be reprioritized to the top of the server cipher list if a ChaCha20-Poly1305

     * cipher is at the top of the client cipher list

     */

    unsigned server_cipher_chacha_priority : 1;

    /**

     *

     */

    ptls_encrypt_ticket_t *encrypt_ticket;

    /**

     *

     */

    ptls_save_ticket_t *save_ticket;

    /**

     *

     */

    ptls_log_event_t *log_event;

    /**

     *

     */

    ptls_update_open_count_t *update_open_count;

    /**

     *

     */

    ptls_update_traffic_key_t *update_traffic_key;

    /**

     *

     */

    ptls_decompress_certificate_t *decompress_certificate;

    /**

     *

     */

    ptls_on_extension_t *on_extension;

    /**

     * (optional) list of supported tls12 cipher-suites terminated by NULL

     */

    ptls_cipher_suite_t **tls12_cipher_suites;

    /**

     * (optional) session ID Context to segment resumption

     */

    struct {

        uint8_t bytes[PTLS_SHA256_DIGEST_SIZE];

        unsigned is_set : 1;

    } ticket_context;

    /**

     * (optional) list of CAs advertised to clients as supported in the CertificateRequest message; each item must be DNs in DER

     * format. The values are sent to the client only when `ptls_context_t::require_client_authentication` is set to true.

     */

    struct {

        const ptls_iovec_t *list;

        size_t count;

    } client_ca_names;

    /**

     * (optional)

     */

    struct {

        /**

         * if set to non-zero and if the save_ticket callback is provided, a ticket_request extension containing the specified

         * values is sent

         */

        struct {

            uint8_t new_session_count;

            uint8_t resumption_count;

        } client;

        /**

         * if set to non-zero, the maximum number of tickets being sent is capped to the specifed value; if set to zero, the maximum

         * adopted is PTLS_DEFAULT_MAX_TICKETS_TO_SERVE.

         */

        struct {

            uint8_t max_count;

        } server;

    } ticket_requests;

};

typedef struct st_ptls_raw_extension_t {

    uint16_t type;

    ptls_iovec_t data;

} ptls_raw_extension_t;

typedef enum en_ptls_early_data_acceptance_t {

    PTLS_EARLY_DATA_ACCEPTANCE_UNKNOWN = 0,

    PTLS_EARLY_DATA_REJECTED,

    PTLS_EARLY_DATA_ACCEPTED

} ptls_early_data_acceptance_t;

/**

 * optional arguments to client-driven handshake

 */

#ifdef _WINDOWS

/* suppress warning C4201: nonstandard extension used: nameless struct/union */

#pragma warning(push)

#pragma warning(disable : 4201)

#endif

typedef struct st_ptls_handshake_properties_t {

    union {

        struct {

            /**

             * list of protocols offered through ALPN

             */

            struct {

                const ptls_iovec_t *list;

                size_t count;

            } negotiated_protocols;

            /**

             * session ticket sent to the application via save_ticket callback

             */

            ptls_iovec_t session_ticket;

            /**

             * pointer to store the maximum size of early-data that can be sent immediately. If set to non-NULL, the first call to

             * ptls_handshake (or ptls_handle_message) will set `*max_early_data` to the value obtained from the session ticket, or

             * to zero if early-data cannot be sent. If NULL, early data will not be used.

             */

            size_t *max_early_data_size;

            /**

             * If early-data has been accepted by peer, or if the state is still unknown. The state changes anytime after handshake

             * keys become available. Applications can peek the tri-state variable every time it calls `ptls_hanshake` or

             * `ptls_handle_message` to determine the result at the earliest moment. This is an output parameter.

             */

            ptls_early_data_acceptance_t early_data_acceptance;

            /**

             * negotiate the key exchange method before sending key_share

             */

            unsigned negotiate_before_key_exchange : 1;

            /**

             * ECH