/src/picotls/lib/picotls.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (c) 2016 DeNA Co., Ltd., Kazuho Oku |
3 | | * |
4 | | * Permission is hereby granted, free of charge, to any person obtaining a copy |
5 | | * of this software and associated documentation files (the "Software"), to |
6 | | * deal in the Software without restriction, including without limitation the |
7 | | * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or |
8 | | * sell copies of the Software, and to permit persons to whom the Software is |
9 | | * furnished to do so, subject to the following conditions: |
10 | | * |
11 | | * The above copyright notice and this permission notice shall be included in |
12 | | * all copies or substantial portions of the Software. |
13 | | * |
14 | | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
15 | | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
16 | | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
17 | | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
18 | | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
19 | | * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS |
20 | | * IN THE SOFTWARE. |
21 | | */ |
22 | | #ifdef _WINDOWS |
23 | | #include "wincompat.h" |
24 | | #endif |
25 | | #include <assert.h> |
26 | | #include <stdarg.h> |
27 | | #include <stddef.h> |
28 | | #include <stdio.h> |
29 | | #include <stdlib.h> |
30 | | #include <string.h> |
31 | | #ifndef _WINDOWS |
32 | | #include <errno.h> |
33 | | #include <pthread.h> |
34 | | #include <unistd.h> |
35 | | #include <arpa/inet.h> |
36 | | #include <netinet/in.h> |
37 | | #include <sys/socket.h> |
38 | | #include <sys/time.h> |
39 | | #include <sys/types.h> |
40 | | #endif |
41 | | #ifdef __linux__ |
42 | | #include <sys/syscall.h> |
43 | | #endif |
44 | | #include "picotls.h" |
45 | | #if PICOTLS_USE_DTRACE |
46 | | #include "picotls-probes.h" |
47 | | #endif |
48 | | |
49 | 97.0k | #define PTLS_MAX_PLAINTEXT_RECORD_SIZE 16384 |
50 | 12.1k | #define PTLS_MAX_ENCRYPTED_RECORD_SIZE (16384 + 256) |
51 | | |
52 | 0 | #define PTLS_RECORD_VERSION_MAJOR 3 |
53 | 0 | #define PTLS_RECORD_VERSION_MINOR 3 |
54 | | |
55 | 108k | #define PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC 20 |
56 | 12.4k | #define PTLS_CONTENT_TYPE_ALERT 21 |
57 | 261k | #define PTLS_CONTENT_TYPE_HANDSHAKE 22 |
58 | 420k | #define PTLS_CONTENT_TYPE_APPDATA 23 |
59 | | |
60 | 129 | #define PTLS_PSK_KE_MODE_PSK 0 |
61 | 129 | #define PTLS_PSK_KE_MODE_PSK_DHE 1 |
62 | | |
63 | 43.6k | #define PTLS_HANDSHAKE_HEADER_SIZE 4 |
64 | | |
65 | | #define PTLS_EXTENSION_TYPE_SERVER_NAME 0 |
66 | | #define PTLS_EXTENSION_TYPE_STATUS_REQUEST 5 |
67 | | #define PTLS_EXTENSION_TYPE_SUPPORTED_GROUPS 10 |
68 | | #define PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS 13 |
69 | | #define PTLS_EXTENSION_TYPE_ALPN 16 |
70 | | #define PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE 20 |
71 | | #define PTLS_EXTENSION_TYPE_COMPRESS_CERTIFICATE 27 |
72 | | #define PTLS_EXTENSION_TYPE_PRE_SHARED_KEY 41 |
73 | | #define PTLS_EXTENSION_TYPE_EARLY_DATA 42 |
74 | | #define PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS 43 |
75 | | #define PTLS_EXTENSION_TYPE_COOKIE 44 |
76 | | #define PTLS_EXTENSION_TYPE_PSK_KEY_EXCHANGE_MODES 45 |
77 | | #define PTLS_EXTENSION_TYPE_CERTIFICATE_AUTHORITIES 47 |
78 | | #define PTLS_EXTENSION_TYPE_KEY_SHARE 51 |
79 | | #define PTLS_EXTENSION_TYPE_TICKET_REQUEST 58 |
80 | | #define PTLS_EXTENSION_TYPE_ECH_OUTER_EXTENSIONS 0xfd00 |
81 | | #define PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO 0xfe0d |
82 | | |
83 | | #define PTLS_SERVER_NAME_TYPE_HOSTNAME 0 |
84 | | |
85 | | #define PTLS_ECH_CONFIG_VERSION 0xfe0d |
86 | 21 | #define PTLS_ECH_CLIENT_HELLO_TYPE_OUTER 0 |
87 | 0 | #define PTLS_ECH_CLIENT_HELLO_TYPE_INNER 1 |
88 | | |
89 | 0 | #define PTLS_ECH_CONFIRM_LENGTH 8 |
90 | | |
91 | | static const char ech_info_prefix[8] = "tls ech"; |
92 | | |
93 | 329 | #define PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING "TLS 1.3, server CertificateVerify" |
94 | 0 | #define PTLS_CLIENT_CERTIFICATE_VERIFY_CONTEXT_STRING "TLS 1.3, client CertificateVerify" |
95 | | #define PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE \ |
96 | | (64 + sizeof(PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING) + PTLS_MAX_DIGEST_SIZE * 2) |
97 | | |
98 | 111 | #define PTLS_EARLY_DATA_MAX_DELAY 10000 /* max. RTT (in msec) to permit early data */ |
99 | | |
100 | | #ifndef PTLS_MAX_EARLY_DATA_SKIP_SIZE |
101 | 9.90k | #define PTLS_MAX_EARLY_DATA_SKIP_SIZE 65536 |
102 | | #endif |
103 | | #if defined(PTLS_DEBUG) && PTLS_DEBUG |
104 | | #define PTLS_DEBUGF(...) fprintf(stderr, __VA_ARGS__) |
105 | | #else |
106 | | #define PTLS_DEBUGF(...) |
107 | | #endif |
108 | | |
109 | | #ifndef PTLS_MEMORY_DEBUG |
110 | 3.24M | #define PTLS_MEMORY_DEBUG 0 |
111 | | #endif |
112 | | |
113 | | #if PICOTLS_USE_DTRACE |
114 | | #define PTLS_PROBE0(LABEL, tls) \ |
115 | | do { \ |
116 | | if (PTLS_UNLIKELY(PICOTLS_##LABEL##_ENABLED())) \ |
117 | | PICOTLS_##LABEL(tls); \ |
118 | | } while (0) |
119 | | #define PTLS_PROBE(LABEL, tls, ...) \ |
120 | | do { \ |
121 | | if (PTLS_UNLIKELY(PICOTLS_##LABEL##_ENABLED())) \ |
122 | | PICOTLS_##LABEL((tls), __VA_ARGS__); \ |
123 | | } while (0) |
124 | | #else |
125 | | #define PTLS_PROBE0(LABEL, tls) |
126 | | #define PTLS_PROBE(LABEL, tls, ...) |
127 | | #endif |
128 | | |
129 | | /** |
130 | | * list of supported versions in the preferred order |
131 | | */ |
132 | | static const uint16_t supported_versions[] = {PTLS_PROTOCOL_VERSION_TLS13}; |
133 | | |
134 | | static const uint8_t hello_retry_random[PTLS_HELLO_RANDOM_SIZE] = {0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C, |
135 | | 0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, |
136 | | 0x8C, 0x5E, 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C}; |
137 | | |
138 | | struct st_ptls_traffic_protection_t { |
139 | | uint8_t secret[PTLS_MAX_DIGEST_SIZE]; |
140 | | size_t epoch; |
141 | | /* the following fields are not used if the key_change callback is set */ |
142 | | ptls_aead_context_t *aead; |
143 | | uint64_t seq; |
144 | | unsigned tls12 : 1; |
145 | | uint64_t tls12_enc_record_iv; |
146 | | }; |
147 | | |
148 | | struct st_ptls_record_message_emitter_t { |
149 | | ptls_message_emitter_t super; |
150 | | size_t rec_start; |
151 | | }; |
152 | | |
153 | | struct st_ptls_signature_algorithms_t { |
154 | | uint16_t list[16]; /* expand? */ |
155 | | size_t count; |
156 | | }; |
157 | | |
158 | | struct st_ptls_certificate_request_t { |
159 | | /** |
160 | | * context.base becomes non-NULL when a CertificateRequest is pending for processing |
161 | | */ |
162 | | ptls_iovec_t context; |
163 | | struct st_ptls_signature_algorithms_t signature_algorithms; |
164 | | }; |
165 | | |
166 | | struct st_decoded_ech_config_t { |
167 | | uint8_t id; |
168 | | ptls_hpke_kem_t *kem; |
169 | | ptls_iovec_t public_key; |
170 | | ptls_hpke_cipher_suite_t *cipher; |
171 | | uint8_t max_name_length; |
172 | | ptls_iovec_t public_name; |
173 | | ptls_iovec_t bytes; |
174 | | }; |
175 | | |
176 | | /** |
177 | | * Properties for ECH. Iff ECH is used and not rejected, `aead` is non-NULL. |
178 | | */ |
179 | | struct st_ptls_ech_t { |
180 | | uint8_t offered : 1; |
181 | | uint8_t offered_grease : 1; |
182 | | uint8_t accepted : 1; |
183 | | uint8_t config_id; |
184 | | ptls_hpke_kem_t *kem; |
185 | | ptls_hpke_cipher_suite_t *cipher; |
186 | | ptls_aead_context_t *aead; |
187 | | uint8_t inner_client_random[PTLS_HELLO_RANDOM_SIZE]; |
188 | | struct { |
189 | | ptls_iovec_t enc; |
190 | | uint8_t max_name_length; |
191 | | char *public_name; |
192 | | /** |
193 | | * retains a copy of entire ECH extension so that it can be replayed in the 2nd CH when ECH is rejected via HRR |
194 | | */ |
195 | | ptls_iovec_t first_ech; |
196 | | } client; |
197 | | }; |
198 | | |
199 | | struct st_ptls_t { |
200 | | /** |
201 | | * the context |
202 | | */ |
203 | | ptls_context_t *ctx; |
204 | | /** |
205 | | * the state |
206 | | */ |
207 | | enum en_ptls_state_t { |
208 | | PTLS_STATE_CLIENT_HANDSHAKE_START, |
209 | | PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO, |
210 | | PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO, |
211 | | PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS, |
212 | | PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE, |
213 | | PTLS_STATE_CLIENT_EXPECT_CERTIFICATE, |
214 | | PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY, |
215 | | PTLS_STATE_CLIENT_EXPECT_FINISHED, |
216 | | PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO, |
217 | | PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO, |
218 | | PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY, |
219 | | PTLS_STATE_SERVER_EXPECT_CERTIFICATE, |
220 | | PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY, |
221 | | /* ptls_send can be called if the state is below here */ |
222 | | PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA, |
223 | | PTLS_STATE_SERVER_EXPECT_FINISHED, |
224 | | PTLS_STATE_POST_HANDSHAKE_MIN, |
225 | | PTLS_STATE_CLIENT_POST_HANDSHAKE = PTLS_STATE_POST_HANDSHAKE_MIN, |
226 | | PTLS_STATE_SERVER_POST_HANDSHAKE |
227 | | } state; |
228 | | /** |
229 | | * receive buffers |
230 | | */ |
231 | | struct { |
232 | | ptls_buffer_t rec; |
233 | | ptls_buffer_t mess; |
234 | | } recvbuf; |
235 | | /** |
236 | | * key schedule |
237 | | */ |
238 | | ptls_key_schedule_t *key_schedule; |
239 | | /** |
240 | | * values used for record protection |
241 | | */ |
242 | | struct { |
243 | | struct st_ptls_traffic_protection_t dec; |
244 | | struct st_ptls_traffic_protection_t enc; |
245 | | } traffic_protection; |
246 | | /** |
247 | | * server-name passed using SNI |
248 | | */ |
249 | | char *server_name; |
250 | | /** |
251 | | * result of ALPN |
252 | | */ |
253 | | char *negotiated_protocol; |
254 | | /** |
255 | | * selected key-exchange |
256 | | */ |
257 | | ptls_key_exchange_algorithm_t *key_share; |
258 | | /** |
259 | | * selected cipher-suite |
260 | | */ |
261 | | ptls_cipher_suite_t *cipher_suite; |
262 | | /** |
263 | | * ClientHello.random that appears on the wire. When ECH is used, that of inner CH is retained separately. |
264 | | */ |
265 | | uint8_t client_random[PTLS_HELLO_RANDOM_SIZE]; |
266 | | /** |
267 | | * exporter master secret (either 0rtt or 1rtt) |
268 | | */ |
269 | | struct { |
270 | | uint8_t *early; |
271 | | uint8_t *one_rtt; |
272 | | } exporter_master_secret; |
273 | | /** |
274 | | * ECH |
275 | | */ |
276 | | struct st_ptls_ech_t ech; |
277 | | /* flags */ |
278 | | unsigned is_server : 1; |
279 | | unsigned is_psk_handshake : 1; |
280 | | unsigned send_change_cipher_spec : 1; |
281 | | unsigned needs_key_update : 1; |
282 | | unsigned key_update_send_request : 1; |
283 | | #if PTLS_HAVE_LOG |
284 | | /** |
285 | | * see ptls_log |
286 | | */ |
287 | | ptls_log_conn_state_t log_state; |
288 | | #endif |
289 | | struct { |
290 | | uint32_t active_conns; |
291 | | uint32_t generation; |
292 | | } log_sni; |
293 | | /** |
294 | | * misc. |
295 | | */ |
296 | | union { |
297 | | struct { |
298 | | ptls_iovec_t legacy_session_id; |
299 | | uint8_t legacy_session_id_buf[32]; |
300 | | ptls_key_exchange_context_t *key_share_ctx; |
301 | | unsigned offered_psk : 1; |
302 | | /** |
303 | | * if 1-RTT write key is active |
304 | | */ |
305 | | unsigned using_early_data : 1; |
306 | | struct st_ptls_certificate_request_t certificate_request; |
307 | | } client; |
308 | | struct { |
309 | | uint8_t pending_traffic_secret[PTLS_MAX_DIGEST_SIZE]; |
310 | | uint32_t early_data_skipped_bytes; /* if not UINT32_MAX, the server is skipping early data */ |
311 | | uint8_t num_tickets_to_send; |
312 | | ptls_async_job_t *async_job; |
313 | | } server; |
314 | | }; |
315 | | /** |
316 | | * certificate verify; will be used by the client and the server (if require_client_authentication is set) |
317 | | */ |
318 | | struct { |
319 | | int (*cb)(void *verify_ctx, uint16_t algo, ptls_iovec_t data, ptls_iovec_t signature); |
320 | | void *verify_ctx; |
321 | | } certificate_verify; |
322 | | /** |
323 | | * handshake traffic secret to be commisioned (an array of `uint8_t [PTLS_MAX_DIGEST_SIZE]` or NULL) |
324 | | */ |
325 | | uint8_t *pending_handshake_secret; |
326 | | /** |
327 | | * user data |
328 | | */ |
329 | | void *data_ptr; |
330 | | }; |
331 | | |
332 | | struct st_ptls_record_t { |
333 | | uint8_t type; |
334 | | uint16_t version; |
335 | | size_t length; |
336 | | const uint8_t *fragment; |
337 | | }; |
338 | | |
339 | 0 | #define MAX_UNKNOWN_EXTENSIONS 16 |
340 | | #define MAX_CERTIFICATE_TYPES 8 |
341 | | |
342 | | struct st_ptls_client_hello_t { |
343 | | uint16_t legacy_version; |
344 | | const uint8_t *random_bytes; |
345 | | ptls_iovec_t legacy_session_id; |
346 | | struct { |
347 | | const uint8_t *ids; |
348 | | size_t count; |
349 | | } compression_methods; |
350 | | uint16_t selected_version; |
351 | | ptls_iovec_t cipher_suites; |
352 | | ptls_iovec_t negotiated_groups; |
353 | | ptls_iovec_t key_shares; |
354 | | struct st_ptls_signature_algorithms_t signature_algorithms; |
355 | | ptls_iovec_t server_name; |
356 | | struct { |
357 | | ptls_iovec_t list[16]; |
358 | | size_t count; |
359 | | } alpn; |
360 | | struct { |
361 | | uint16_t list[16]; |
362 | | size_t count; |
363 | | } cert_compression_algos; |
364 | | struct { |
365 | | ptls_iovec_t all; |
366 | | ptls_iovec_t tbs; |
367 | | ptls_iovec_t ch1_hash; |
368 | | ptls_iovec_t signature; |
369 | | unsigned sent_key_share : 1; |
370 | | } cookie; |
371 | | struct { |
372 | | uint8_t list[MAX_CERTIFICATE_TYPES]; |
373 | | size_t count; |
374 | | } server_certificate_types; |
375 | | unsigned status_request : 1; |
376 | | struct { |
377 | | uint8_t new_session_count; |
378 | | uint8_t resumption_count; |
379 | | } ticket_request; |
380 | | /** |
381 | | * ECH: payload.base != NULL indicates that the extension was received |
382 | | */ |
383 | | struct { |
384 | | uint8_t type; |
385 | | uint8_t config_id; |
386 | | ptls_hpke_cipher_suite_id_t cipher_suite; |
387 | | ptls_iovec_t enc; |
388 | | ptls_iovec_t payload; |
389 | | } ech; |
390 | | struct { |
391 | | const uint8_t *hash_end; |
392 | | struct { |
393 | | ptls_client_hello_psk_identity_t list[4]; |
394 | | size_t count; |
395 | | } identities; |
396 | | unsigned ke_modes; |
397 | | unsigned early_data_indication : 1; |
398 | | unsigned is_last_extension : 1; |
399 | | } psk; |
400 | | ptls_raw_extension_t unknown_extensions[MAX_UNKNOWN_EXTENSIONS + 1]; |
401 | | size_t first_extension_at; |
402 | | }; |
403 | | |
404 | | struct st_ptls_server_hello_t { |
405 | | uint8_t random_[PTLS_HELLO_RANDOM_SIZE]; |
406 | | ptls_iovec_t legacy_session_id; |
407 | | int is_retry_request; |
408 | | union { |
409 | | ptls_iovec_t peerkey; |
410 | | struct { |
411 | | uint16_t selected_group; |
412 | | ptls_iovec_t cookie; |
413 | | const uint8_t *ech; |
414 | | } retry_request; |
415 | | }; |
416 | | }; |
417 | | |
418 | | struct st_ptls_key_schedule_t { |
419 | | unsigned generation; /* early secret (1), hanshake secret (2), master secret (3) */ |
420 | | uint8_t secret[PTLS_MAX_DIGEST_SIZE]; |
421 | | size_t num_hashes; |
422 | | struct { |
423 | | ptls_hash_algorithm_t *algo; |
424 | | ptls_hash_context_t *ctx, *ctx_outer; |
425 | | } hashes[1]; |
426 | | }; |
427 | | |
428 | | struct st_ptls_extension_decoder_t { |
429 | | uint16_t type; |
430 | | int (*cb)(ptls_t *tls, void *arg, const uint8_t *src, const uint8_t *const end); |
431 | | }; |
432 | | |
433 | | struct st_ptls_extension_bitmap_t { |
434 | | uint64_t bits; |
435 | | }; |
436 | | |
437 | | static const uint8_t zeroes_of_max_digest_size[PTLS_MAX_DIGEST_SIZE] = {0}; |
438 | | |
439 | | static ptls_aead_context_t *new_aead(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, int is_enc, const void *secret, |
440 | | ptls_iovec_t hash_value, const char *label_prefix); |
441 | | static int server_finish_handshake(ptls_t *tls, ptls_message_emitter_t *emitter, int send_cert_verify, |
442 | | struct st_ptls_signature_algorithms_t *signature_algorithms); |
443 | | |
444 | | static int is_supported_version(uint16_t v) |
445 | 40.1k | { |
446 | 40.1k | size_t i; |
447 | 40.3k | for (i = 0; i != PTLS_ELEMENTSOF(supported_versions); ++i) |
448 | 40.1k | if (supported_versions[i] == v) |
449 | 39.9k | return 1; |
450 | 159 | return 0; |
451 | 40.1k | } |
452 | | |
453 | | static int extension_bitmap_testandset(struct st_ptls_extension_bitmap_t *bitmap, int hstype, uint16_t extid) |
454 | 50.8k | { |
455 | 402k | #define HSTYPE_TO_BIT(hstype) ((uint64_t)1 << ((hstype) + 1)) /* min(hstype) is -1 (PSEUDO_HRR) */ |
456 | 356k | #define DEFINE_BIT(abbrev, hstype) static const uint64_t abbrev = HSTYPE_TO_BIT(PTLS_HANDSHAKE_TYPE_##hstype) |
457 | 50.8k | #define EXT(candext, allowed_bits) \ |
458 | 597k | do { \ |
459 | 597k | if (PTLS_UNLIKELY(extid == PTLS_EXTENSION_TYPE_##candext)) { \ |
460 | 46.1k | allowed_hs_bits = allowed_bits; \ |
461 | 46.1k | goto Found; \ |
462 | 46.1k | } \ |
463 | 597k | ext_bitmap_mask <<= 1; \ |
464 | 551k | } while (0) |
465 | | |
466 | 50.8k | DEFINE_BIT(CH, CLIENT_HELLO); |
467 | 50.8k | DEFINE_BIT(SH, SERVER_HELLO); |
468 | 50.8k | DEFINE_BIT(HRR, PSEUDO_HRR); |
469 | 50.8k | DEFINE_BIT(EE, ENCRYPTED_EXTENSIONS); |
470 | 50.8k | DEFINE_BIT(CR, CERTIFICATE_REQUEST); |
471 | 50.8k | DEFINE_BIT(CT, CERTIFICATE); |
472 | 50.8k | DEFINE_BIT(NST, NEW_SESSION_TICKET); |
473 | | |
474 | 50.8k | uint64_t allowed_hs_bits, ext_bitmap_mask = 1; |
475 | | |
476 | | /* clang-format off */ |
477 | | /* RFC 8446 section 4.2: "The table below indicates the messages where a given extension may appear... If an implementation |
478 | | * receives an extension which it recognizes and which is not specified for the message in which it appears, it MUST abort the |
479 | | * handshake with an "illegal_parameter" alert. |
480 | | * |
481 | | * +-------------------------+---------------+ |
482 | | * + Extension | Allowed | |
483 | | * +-------------------------+---------------+ */ |
484 | 50.8k | EXT( SERVER_NAME , CH + EE ); |
485 | 50.7k | EXT( STATUS_REQUEST , CH + CR + CT ); |
486 | 50.3k | EXT( SUPPORTED_GROUPS , CH + EE ); |
487 | 50.0k | EXT( SIGNATURE_ALGORITHMS , CH + CR ); |
488 | 49.6k | EXT( ALPN , CH + EE ); |
489 | 49.5k | EXT( SERVER_CERTIFICATE_TYPE , CH + EE ); |
490 | 49.3k | EXT( KEY_SHARE , CH + SH + HRR ); |
491 | 47.3k | EXT( PRE_SHARED_KEY , CH + SH ); |
492 | 46.8k | EXT( PSK_KEY_EXCHANGE_MODES , CH ); |
493 | 46.5k | EXT( EARLY_DATA , CH + EE + NST ); |
494 | 46.3k | EXT( COOKIE , CH + HRR ); |
495 | 45.0k | EXT( SUPPORTED_VERSIONS , CH + SH + HRR ); |
496 | 4.92k | EXT( COMPRESS_CERTIFICATE , CH + CR ); /* from RFC 8879 */ |
497 | 4.83k | EXT( ENCRYPTED_CLIENT_HELLO , CH + HRR + EE ); /* from draft-ietf-tls-esni-15 */ |
498 | 4.71k | EXT( ECH_OUTER_EXTENSIONS , 0 ); |
499 | | /* +-----------------------------------------+ */ |
500 | | /* clang-format on */ |
501 | | |
502 | 4.70k | return 1; |
503 | | |
504 | 46.1k | Found: |
505 | 46.1k | if ((allowed_hs_bits & HSTYPE_TO_BIT(hstype)) == 0) |
506 | 78 | return 0; |
507 | 46.1k | if ((bitmap->bits & ext_bitmap_mask) != 0) |
508 | 49 | return 0; |
509 | 46.0k | bitmap->bits |= ext_bitmap_mask; |
510 | 46.0k | return 1; |
511 | | |
512 | 46.1k | #undef HSTYPE_TO_BIT |
513 | 46.1k | #undef DEFINE_ABBREV |
514 | 46.1k | #undef EXT |
515 | 46.1k | } |
516 | | |
517 | | #ifndef ntoh16 |
518 | | static uint16_t ntoh16(const uint8_t *src) |
519 | 394k | { |
520 | 394k | return (uint16_t)src[0] << 8 | src[1]; |
521 | 394k | } |
522 | | #endif |
523 | | |
524 | | #ifndef ntoh24 |
525 | | static uint32_t ntoh24(const uint8_t *src) |
526 | 71.7k | { |
527 | 71.7k | return (uint32_t)src[0] << 16 | (uint32_t)src[1] << 8 | src[2]; |
528 | 71.7k | } |
529 | | #endif |
530 | | |
531 | | #ifndef ntoh32 |
532 | | static uint32_t ntoh32(const uint8_t *src) |
533 | 1.62k | { |
534 | 1.62k | return (uint32_t)src[0] << 24 | (uint32_t)src[1] << 16 | (uint32_t)src[2] << 8 | src[3]; |
535 | 1.62k | } |
536 | | #endif |
537 | | |
538 | | #ifndef ntoh64 |
539 | | static uint64_t ntoh64(const uint8_t *src) |
540 | 189 | { |
541 | 189 | return (uint64_t)src[0] << 56 | (uint64_t)src[1] << 48 | (uint64_t)src[2] << 40 | (uint64_t)src[3] << 32 | |
542 | 189 | (uint64_t)src[4] << 24 | (uint64_t)src[5] << 16 | (uint64_t)src[6] << 8 | src[7]; |
543 | 189 | } |
544 | | #endif |
545 | | |
546 | | static void encode64(uint8_t *dst, uint64_t v) |
547 | 0 | { |
548 | 0 | for (size_t i = 0; i < 8; ++i) |
549 | 0 | dst[i] = (uint8_t)(v >> (56 - 8 * i)); |
550 | 0 | } |
551 | | |
552 | | static char *duplicate_as_str(const void *src, size_t len) |
553 | 24 | { |
554 | 24 | char *dst; |
555 | | |
556 | 24 | if ((dst = malloc(len + 1)) == NULL) |
557 | 0 | return NULL; |
558 | 24 | memcpy(dst, src, len); |
559 | 24 | dst[len] = '\0'; |
560 | 24 | return dst; |
561 | 24 | } |
562 | | |
563 | | void ptls_buffer__release_memory(ptls_buffer_t *buf) |
564 | 260k | { |
565 | 260k | ptls_clear_memory(buf->base, buf->off); |
566 | 260k | if (buf->is_allocated) { |
567 | | #ifdef _WINDOWS |
568 | | if (buf->align_bits != 0) { |
569 | | _aligned_free(buf->base); |
570 | | } else { |
571 | | free(buf->base); |
572 | | } |
573 | | #else |
574 | 10.1k | free(buf->base); |
575 | 10.1k | #endif |
576 | 10.1k | } |
577 | 260k | } |
578 | | |
579 | | int ptls_buffer_reserve(ptls_buffer_t *buf, size_t delta) |
580 | 1.62M | { |
581 | 1.62M | return ptls_buffer_reserve_aligned(buf, delta, 0); |
582 | 1.62M | } |
583 | | |
584 | | int ptls_buffer_reserve_aligned(ptls_buffer_t *buf, size_t delta, uint8_t align_bits) |
585 | 1.62M | { |
586 | 1.62M | if (buf->base == NULL) |
587 | 0 | return PTLS_ERROR_NO_MEMORY; |
588 | | |
589 | 1.62M | if (PTLS_MEMORY_DEBUG || buf->capacity < buf->off + delta || |
590 | 1.62M | (buf->align_bits < align_bits && ((uintptr_t)buf->base & (((uintptr_t)1 << align_bits) - 1)) != 0)) { |
591 | 10.1k | void *newp; |
592 | 10.1k | size_t new_capacity = buf->capacity; |
593 | 10.1k | if (new_capacity < 1024) |
594 | 9.10k | new_capacity = 1024; |
595 | 12.3k | while (new_capacity < buf->off + delta) { |
596 | 2.20k | new_capacity *= 2; |
597 | 2.20k | } |
598 | 10.1k | if (align_bits != 0) { |
599 | | #ifdef _WINDOWS |
600 | | if ((newp = _aligned_malloc(new_capacity, (size_t)1 << align_bits)) == NULL) |
601 | | return PTLS_ERROR_NO_MEMORY; |
602 | | #else |
603 | 0 | if (posix_memalign(&newp, 1 << align_bits, new_capacity) != 0) |
604 | 0 | return PTLS_ERROR_NO_MEMORY; |
605 | 0 | #endif |
606 | 10.1k | } else { |
607 | 10.1k | if ((newp = malloc(new_capacity)) == NULL) |
608 | 0 | return PTLS_ERROR_NO_MEMORY; |
609 | 10.1k | } |
610 | 10.1k | memcpy(newp, buf->base, buf->off); |
611 | 10.1k | ptls_buffer__release_memory(buf); |
612 | 10.1k | buf->base = newp; |
613 | 10.1k | buf->capacity = new_capacity; |
614 | 10.1k | buf->is_allocated = 1; |
615 | 10.1k | buf->align_bits = align_bits; |
616 | 10.1k | } |
617 | | |
618 | 1.62M | return 0; |
619 | 1.62M | } |
620 | | |
621 | | int ptls_buffer__do_pushv(ptls_buffer_t *buf, const void *src, size_t len) |
622 | 1.62M | { |
623 | 1.62M | int ret; |
624 | | |
625 | 1.62M | if (len == 0) |
626 | 47.3k | return 0; |
627 | 1.58M | if ((ret = ptls_buffer_reserve(buf, len)) != 0) |
628 | 0 | return ret; |
629 | 1.58M | memcpy(buf->base + buf->off, src, len); |
630 | 1.58M | buf->off += len; |
631 | 1.58M | return 0; |
632 | 1.58M | } |
633 | | |
634 | | int ptls_buffer__adjust_quic_blocksize(ptls_buffer_t *buf, size_t body_size) |
635 | 0 | { |
636 | 0 | uint8_t sizebuf[PTLS_ENCODE_QUICINT_CAPACITY]; |
637 | 0 | size_t sizelen = ptls_encode_quicint(sizebuf, body_size) - sizebuf; |
638 | | |
639 | | /* adjust amount of space before body_size to `sizelen` bytes */ |
640 | 0 | if (sizelen != 1) { |
641 | 0 | int ret; |
642 | 0 | if ((ret = ptls_buffer_reserve(buf, sizelen - 1)) != 0) |
643 | 0 | return ret; |
644 | 0 | memmove(buf->base + buf->off - body_size - 1 + sizelen, buf->base + buf->off - body_size, body_size); |
645 | 0 | buf->off += sizelen - 1; |
646 | 0 | } |
647 | | |
648 | | /* write the size */ |
649 | 0 | memcpy(buf->base + buf->off - body_size - sizelen, sizebuf, sizelen); |
650 | |
|
651 | 0 | return 0; |
652 | 0 | } |
653 | | |
654 | | int ptls_buffer__adjust_asn1_blocksize(ptls_buffer_t *buf, size_t body_size) |
655 | 0 | { |
656 | 0 | fprintf(stderr, "unimplemented\n"); |
657 | 0 | abort(); |
658 | 0 | } |
659 | | |
660 | | int ptls_buffer_push_asn1_ubigint(ptls_buffer_t *buf, const void *bignum, size_t size) |
661 | 0 | { |
662 | 0 | const uint8_t *p = bignum, *const end = p + size; |
663 | 0 | int ret; |
664 | | |
665 | | /* skip zeroes */ |
666 | 0 | for (; end - p >= 1; ++p) |
667 | 0 | if (*p != 0) |
668 | 0 | break; |
669 | | |
670 | | /* emit */ |
671 | 0 | ptls_buffer_push(buf, 2); |
672 | 0 | ptls_buffer_push_asn1_block(buf, { |
673 | 0 | if (*p >= 0x80) |
674 | 0 | ptls_buffer_push(buf, 0); |
675 | 0 | if (p != end) { |
676 | 0 | ptls_buffer_pushv(buf, p, end - p); |
677 | 0 | } else { |
678 | 0 | ptls_buffer_pushv(buf, "", 1); |
679 | 0 | } |
680 | 0 | }); |
681 | 0 | ret = 0; |
682 | |
|
683 | 0 | Exit: |
684 | 0 | return ret; |
685 | 0 | } |
686 | | |
687 | | #if PTLS_FUZZ_HANDSHAKE |
688 | | |
689 | | static size_t aead_encrypt(struct st_ptls_traffic_protection_t *ctx, void *output, const void *input, size_t inlen, |
690 | | uint8_t content_type) |
691 | 927 | { |
692 | 927 | memcpy(output, input, inlen); |
693 | 927 | memcpy(output + inlen, &content_type, 1); |
694 | 927 | return inlen + 1 + 16; |
695 | 927 | } |
696 | | |
697 | | static int aead_decrypt(struct st_ptls_traffic_protection_t *ctx, void *output, size_t *outlen, const void *input, size_t inlen) |
698 | 11.6k | { |
699 | 11.6k | if (inlen < 16) { |
700 | 9.50k | return PTLS_ALERT_BAD_RECORD_MAC; |
701 | 9.50k | } |
702 | 2.14k | memcpy(output, input, inlen - 16); |
703 | 2.14k | *outlen = inlen - 16; /* removing the 16 bytes of tag */ |
704 | 2.14k | return 0; |
705 | 11.6k | } |
706 | | |
707 | | #else |
708 | | |
709 | | static void build_aad(uint8_t aad[5], size_t reclen) |
710 | | { |
711 | | aad[0] = PTLS_CONTENT_TYPE_APPDATA; |
712 | | aad[1] = PTLS_RECORD_VERSION_MAJOR; |
713 | | aad[2] = PTLS_RECORD_VERSION_MINOR; |
714 | | aad[3] = (uint8_t)(reclen >> 8); |
715 | | aad[4] = (uint8_t)reclen; |
716 | | } |
717 | | |
718 | | static size_t aead_encrypt(struct st_ptls_traffic_protection_t *ctx, void *output, const void *input, size_t inlen, |
719 | | uint8_t content_type) |
720 | | { |
721 | | ptls_iovec_t invec[2] = {ptls_iovec_init(input, inlen), ptls_iovec_init(&content_type, 1)}; |
722 | | uint8_t aad[5]; |
723 | | |
724 | | build_aad(aad, inlen + 1 + ctx->aead->algo->tag_size); |
725 | | ptls_aead_encrypt_v(ctx->aead, output, invec, PTLS_ELEMENTSOF(invec), ctx->seq++, aad, sizeof(aad)); |
726 | | |
727 | | return inlen + 1 + ctx->aead->algo->tag_size; |
728 | | } |
729 | | |
730 | | static int aead_decrypt(struct st_ptls_traffic_protection_t *ctx, void *output, size_t *outlen, const void *input, size_t inlen) |
731 | | { |
732 | | uint8_t aad[5]; |
733 | | |
734 | | build_aad(aad, inlen); |
735 | | if ((*outlen = ptls_aead_decrypt(ctx->aead, output, input, inlen, ctx->seq, aad, sizeof(aad))) == SIZE_MAX) |
736 | | return PTLS_ALERT_BAD_RECORD_MAC; |
737 | | ++ctx->seq; |
738 | | return 0; |
739 | | } |
740 | | |
741 | | #endif /* #if PTLS_FUZZ_HANDSHAKE */ |
742 | | |
743 | | static void build_tls12_aad(uint8_t *aad, uint8_t type, uint64_t seq, uint16_t length) |
744 | 0 | { |
745 | 0 | for (size_t i = 0; i < 8; ++i) |
746 | 0 | aad[i] = (uint8_t)(seq >> (56 - i * 8)); |
747 | 0 | aad[8] = type; |
748 | 0 | aad[9] = PTLS_RECORD_VERSION_MAJOR; |
749 | 0 | aad[10] = PTLS_RECORD_VERSION_MINOR; |
750 | 0 | aad[11] = length >> 8; |
751 | 0 | aad[12] = (uint8_t)length; |
752 | 0 | } |
753 | | |
754 | | #define buffer_push_record(buf, type, block) \ |
755 | 3.62k | do { \ |
756 | 3.62k | ptls_buffer_push((buf), (type), PTLS_RECORD_VERSION_MAJOR, PTLS_RECORD_VERSION_MINOR); \ |
757 | 3.62k | ptls_buffer_push_block((buf), 2, block); \ |
758 | 3.62k | } while (0) |
759 | | |
760 | | static int buffer_push_encrypted_records(ptls_buffer_t *buf, uint8_t type, const uint8_t *src, size_t len, |
761 | | struct st_ptls_traffic_protection_t *enc) |
762 | 0 | { |
763 | 0 | int ret = 0; |
764 | |
|
765 | 0 | while (len != 0) { |
766 | 0 | size_t chunk_size = len; |
767 | 0 | if (chunk_size > PTLS_MAX_PLAINTEXT_RECORD_SIZE) |
768 | 0 | chunk_size = PTLS_MAX_PLAINTEXT_RECORD_SIZE; |
769 | 0 | if (enc->tls12) { |
770 | 0 | buffer_push_record(buf, type, { |
771 | | /* reserve memory */ |
772 | 0 | if ((ret = ptls_buffer_reserve_aligned( |
773 | 0 | buf, enc->aead->algo->tls12.record_iv_size + chunk_size + enc->aead->algo->tag_size, |
774 | 0 | enc->aead->algo->align_bits)) != 0) |
775 | 0 | goto Exit; |
776 | | /* determine nonce, as well as prepending that walue as the record IV (AES-GCM) */ |
777 | 0 | uint64_t nonce; |
778 | 0 | if (enc->aead->algo->tls12.record_iv_size != 0) { |
779 | 0 | assert(enc->aead->algo->tls12.record_iv_size == 8); |
780 | 0 | nonce = enc->tls12_enc_record_iv++; |
781 | 0 | encode64(buf->base + buf->off, nonce); |
782 | 0 | buf->off += 8; |
783 | 0 | } else { |
784 | 0 | nonce = enc->seq; |
785 | 0 | } |
786 | | /* build AAD */ |
787 | 0 | uint8_t aad[PTLS_TLS12_AAD_SIZE]; |
788 | 0 | build_tls12_aad(aad, type, enc->seq, (uint16_t)chunk_size); |
789 | | /* encrypt */ |
790 | 0 | buf->off += ptls_aead_encrypt(enc->aead, buf->base + buf->off, src, chunk_size, nonce, aad, sizeof(aad)); |
791 | 0 | ++enc->seq; |
792 | 0 | }); |
793 | 0 | } else { |
794 | 0 | buffer_push_record(buf, PTLS_CONTENT_TYPE_APPDATA, { |
795 | 0 | if ((ret = ptls_buffer_reserve_aligned(buf, chunk_size + enc->aead->algo->tag_size + 1, |
796 | 0 | enc->aead->algo->align_bits)) != 0) |
797 | 0 | goto Exit; |
798 | 0 | buf->off += aead_encrypt(enc, buf->base + buf->off, src, chunk_size, type); |
799 | 0 | }); |
800 | 0 | } |
801 | 0 | src += chunk_size; |
802 | 0 | len -= chunk_size; |
803 | 0 | } |
804 | | |
805 | 0 | Exit: |
806 | 0 | return ret; |
807 | 0 | } |
808 | | |
809 | | static int buffer_encrypt_record(ptls_buffer_t *buf, size_t rec_start, struct st_ptls_traffic_protection_t *enc) |
810 | 927 | { |
811 | 927 | size_t bodylen = buf->off - rec_start - 5; |
812 | 927 | uint8_t *tmpbuf, type = buf->base[rec_start]; |
813 | 927 | int ret; |
814 | | |
815 | | /* Fast path: do in-place encryption if only one record needs to be emitted. (For simplicity, do not take this path if TLS 1.2 |
816 | | * is used, as this function will be called no more than once per connection, for encrypting an alert.) */ |
817 | 927 | if (!enc->tls12 && bodylen <= PTLS_MAX_PLAINTEXT_RECORD_SIZE) { |
818 | 927 | size_t overhead = 1 + enc->aead->algo->tag_size; |
819 | 927 | if ((ret = ptls_buffer_reserve_aligned(buf, overhead, enc->aead->algo->align_bits)) != 0) |
820 | 0 | return ret; |
821 | 927 | size_t encrypted_len = aead_encrypt(enc, buf->base + rec_start + 5, buf->base + rec_start + 5, bodylen, type); |
822 | 927 | assert(encrypted_len == bodylen + overhead); |
823 | 927 | buf->off += overhead; |
824 | 927 | buf->base[rec_start] = PTLS_CONTENT_TYPE_APPDATA; |
825 | 927 | buf->base[rec_start + 3] = (encrypted_len >> 8) & 0xff; |
826 | 927 | buf->base[rec_start + 4] = encrypted_len & 0xff; |
827 | 927 | return 0; |
828 | 927 | } |
829 | | |
830 | | /* move plaintext to temporary buffer */ |
831 | 0 | if ((tmpbuf = malloc(bodylen)) == NULL) { |
832 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
833 | 0 | goto Exit; |
834 | 0 | } |
835 | 0 | memcpy(tmpbuf, buf->base + rec_start + 5, bodylen); |
836 | 0 | ptls_clear_memory(buf->base + rec_start, bodylen + 5); |
837 | 0 | buf->off = rec_start; |
838 | | |
839 | | /* push encrypted records */ |
840 | 0 | ret = buffer_push_encrypted_records(buf, type, tmpbuf, bodylen, enc); |
841 | |
|
842 | 0 | Exit: |
843 | 0 | if (tmpbuf != NULL) { |
844 | 0 | ptls_clear_memory(tmpbuf, bodylen); |
845 | 0 | free(tmpbuf); |
846 | 0 | } |
847 | 0 | return ret; |
848 | 0 | } |
849 | | |
850 | | static int begin_record_message(ptls_message_emitter_t *_self) |
851 | 41.5k | { |
852 | 41.5k | struct st_ptls_record_message_emitter_t *self = (void *)_self; |
853 | 41.5k | int ret; |
854 | | |
855 | 41.5k | self->rec_start = self->super.buf->off; |
856 | 41.5k | ptls_buffer_push(self->super.buf, PTLS_CONTENT_TYPE_HANDSHAKE, PTLS_RECORD_VERSION_MAJOR, PTLS_RECORD_VERSION_MINOR, 0, 0); |
857 | 41.5k | ret = 0; |
858 | 41.5k | Exit: |
859 | 41.5k | return ret; |
860 | 41.5k | } |
861 | | |
862 | | static int commit_record_message(ptls_message_emitter_t *_self) |
863 | 41.5k | { |
864 | 41.5k | struct st_ptls_record_message_emitter_t *self = (void *)_self; |
865 | 41.5k | int ret; |
866 | | |
867 | 41.5k | if (self->super.enc->aead != NULL) { |
868 | 913 | ret = buffer_encrypt_record(self->super.buf, self->rec_start, self->super.enc); |
869 | 40.6k | } else { |
870 | | /* TODO allow CH,SH,HRR above 16KB */ |
871 | 40.6k | size_t sz = self->super.buf->off - self->rec_start - 5; |
872 | 40.6k | assert(sz <= PTLS_MAX_PLAINTEXT_RECORD_SIZE); |
873 | 40.6k | self->super.buf->base[self->rec_start + 3] = (uint8_t)(sz >> 8); |
874 | 40.6k | self->super.buf->base[self->rec_start + 4] = (uint8_t)(sz); |
875 | 40.6k | ret = 0; |
876 | 40.6k | } |
877 | | |
878 | 41.5k | return ret; |
879 | 41.5k | } |
880 | | |
881 | | #define buffer_push_extension(buf, type, block) \ |
882 | 0 | do { \ |
883 | 0 | ptls_buffer_push16((buf), (type)); \ |
884 | 0 | ptls_buffer_push_block((buf), 2, block); \ |
885 | 0 | } while (0); |
886 | | |
887 | | #define decode_open_extensions(src, end, hstype, exttype, block) \ |
888 | 42.7k | do { \ |
889 | 42.7k | struct st_ptls_extension_bitmap_t bitmap = {0}; \ |
890 | 42.7k | ptls_decode_open_block((src), end, 2, { \ |
891 | 42.7k | while ((src) != end) { \ |
892 | 42.7k | if ((ret = ptls_decode16((exttype), &(src), end)) != 0) \ |
893 | 42.7k | goto Exit; \ |
894 | 42.7k | if (!extension_bitmap_testandset(&bitmap, (hstype), *(exttype))) { \ |
895 | 42.7k | ret = PTLS_ALERT_ILLEGAL_PARAMETER; \ |
896 | 42.7k | goto Exit; \ |
897 | 42.7k | } \ |
898 | 42.7k | ptls_decode_open_block((src), end, 2, block); \ |
899 | 42.7k | } \ |
900 | 42.7k | }); \ |
901 | 42.7k | } while (0) |
902 | | |
903 | | #define decode_extensions(src, end, hstype, exttype, block) \ |
904 | 42.7k | do { \ |
905 | 42.7k | decode_open_extensions((src), end, hstype, exttype, block); \ |
906 | 42.7k | ptls_decode_assert_block_close((src), end); \ |
907 | 40.9k | } while (0) |
908 | | |
909 | | int ptls_decode8(uint8_t *value, const uint8_t **src, const uint8_t *end) |
910 | 44.7k | { |
911 | 44.7k | if (*src == end) |
912 | 21 | return PTLS_ALERT_DECODE_ERROR; |
913 | 44.7k | *value = *(*src)++; |
914 | 44.7k | return 0; |
915 | 44.7k | } |
916 | | |
917 | | int ptls_decode16(uint16_t *value, const uint8_t **src, const uint8_t *end) |
918 | 177k | { |
919 | 177k | if (end - *src < 2) |
920 | 152 | return PTLS_ALERT_DECODE_ERROR; |
921 | 177k | *value = ntoh16(*src); |
922 | 177k | *src += 2; |
923 | 177k | return 0; |
924 | 177k | } |
925 | | |
926 | | int ptls_decode24(uint32_t *value, const uint8_t **src, const uint8_t *end) |
927 | 0 | { |
928 | 0 | if (end - *src < 3) |
929 | 0 | return PTLS_ALERT_DECODE_ERROR; |
930 | 0 | *value = ((uint32_t)(*src)[0] << 16) | ((uint32_t)(*src)[1] << 8) | (*src)[2]; |
931 | 0 | *src += 3; |
932 | 0 | return 0; |
933 | 0 | } |
934 | | |
935 | | int ptls_decode32(uint32_t *value, const uint8_t **src, const uint8_t *end) |
936 | 1.63k | { |
937 | 1.63k | if (end - *src < 4) |
938 | 4 | return PTLS_ALERT_DECODE_ERROR; |
939 | 1.62k | *value = ntoh32(*src); |
940 | 1.62k | *src += 4; |
941 | 1.62k | return 0; |
942 | 1.63k | } |
943 | | |
944 | | int ptls_decode64(uint64_t *value, const uint8_t **src, const uint8_t *end) |
945 | 189 | { |
946 | 189 | if (end - *src < 8) |
947 | 0 | return PTLS_ALERT_DECODE_ERROR; |
948 | 189 | *value = ntoh64(*src); |
949 | 189 | *src += 8; |
950 | 189 | return 0; |
951 | 189 | } |
952 | | |
953 | | uint64_t ptls_decode_quicint(const uint8_t **src, const uint8_t *end) |
954 | 0 | { |
955 | 0 | if (PTLS_UNLIKELY(*src == end)) |
956 | 0 | return UINT64_MAX; |
957 | | |
958 | 0 | uint8_t b = *(*src)++; |
959 | |
|
960 | 0 | if (PTLS_LIKELY(b <= 0x3f)) |
961 | 0 | return b; |
962 | | |
963 | 0 | uint64_t v = b & 0x3f; |
964 | 0 | unsigned bytes_left = (1 << (b >> 6)) - 1; |
965 | 0 | if (PTLS_UNLIKELY((size_t)(end - *src) < bytes_left)) |
966 | 0 | return UINT64_MAX; |
967 | 0 | do { |
968 | 0 | v = (v << 8) | *(*src)++; |
969 | 0 | } while (--bytes_left != 0); |
970 | 0 | return v; |
971 | 0 | } |
972 | | |
973 | | static void log_secret(ptls_t *tls, const char *type, ptls_iovec_t secret) |
974 | 3.03k | { |
975 | 3.03k | char hexbuf[PTLS_MAX_DIGEST_SIZE * 2 + 1]; |
976 | | |
977 | 3.03k | PTLS_PROBE(NEW_SECRET, tls, type, ptls_hexdump(hexbuf, secret.base, secret.len)); |
978 | 3.03k | PTLS_LOG_CONN(new_secret, tls, { PTLS_LOG_ELEMENT_SAFESTR(label, type); }); |
979 | | |
980 | 3.03k | if (tls->ctx->log_event != NULL) |
981 | 0 | tls->ctx->log_event->cb(tls->ctx->log_event, tls, type, "%s", ptls_hexdump(hexbuf, secret.base, secret.len)); |
982 | 3.03k | } |
983 | | |
984 | | /** |
985 | | * This function preserves the flags and modes (e.g., `offered`, `accepted`, `cipher`), they can be used afterwards. |
986 | | */ |
987 | | static void clear_ech(struct st_ptls_ech_t *ech, int is_server) |
988 | 5.79k | { |
989 | 5.79k | if (ech->aead != NULL) { |
990 | 0 | ptls_aead_free(ech->aead); |
991 | 0 | ech->aead = NULL; |
992 | 0 | } |
993 | 5.79k | ptls_clear_memory(ech->inner_client_random, PTLS_HELLO_RANDOM_SIZE); |
994 | 5.79k | if (!is_server) { |
995 | 3.32k | free(ech->client.enc.base); |
996 | 3.32k | ech->client.enc = ptls_iovec_init(NULL, 0); |
997 | 3.32k | if (ech->client.public_name != NULL) { |
998 | 0 | free(ech->client.public_name); |
999 | 0 | ech->client.public_name = NULL; |
1000 | 0 | } |
1001 | 3.32k | free(ech->client.first_ech.base); |
1002 | 3.32k | ech->client.first_ech = ptls_iovec_init(NULL, 0); |
1003 | 3.32k | } |
1004 | 5.79k | } |
1005 | | |
1006 | | /** |
1007 | | * Decodes one ECHConfigContents (tls-esni-15 section 4). `decoded->kem` and `cipher` may be NULL even when the function returns |
1008 | | * zero, if the corresponding entries are not found. |
1009 | | */ |
1010 | | static int decode_one_ech_config(ptls_hpke_kem_t **kems, ptls_hpke_cipher_suite_t **ciphers, |
1011 | | struct st_decoded_ech_config_t *decoded, const uint8_t **src, const uint8_t *const end) |
1012 | 0 | { |
1013 | 0 | char *public_name_buf = NULL; |
1014 | 0 | int ret; |
1015 | |
|
1016 | 0 | *decoded = (struct st_decoded_ech_config_t){0}; |
1017 | |
|
1018 | 0 | if ((ret = ptls_decode8(&decoded->id, src, end)) != 0) |
1019 | 0 | goto Exit; |
1020 | 0 | uint16_t kem_id; |
1021 | 0 | if ((ret = ptls_decode16(&kem_id, src, end)) != 0) |
1022 | 0 | goto Exit; |
1023 | 0 | for (size_t i = 0; kems[i] != NULL; ++i) { |
1024 | 0 | if (kems[i]->id == kem_id) { |
1025 | 0 | decoded->kem = kems[i]; |
1026 | 0 | break; |
1027 | 0 | } |
1028 | 0 | } |
1029 | 0 | ptls_decode_open_block(*src, end, 2, { |
1030 | 0 | if (*src == end) { |
1031 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
1032 | 0 | goto Exit; |
1033 | 0 | } |
1034 | 0 | decoded->public_key = ptls_iovec_init(*src, end - *src); |
1035 | 0 | *src = end; |
1036 | 0 | }); |
1037 | 0 | ptls_decode_open_block(*src, end, 2, { |
1038 | 0 | do { |
1039 | 0 | uint16_t kdf_id; |
1040 | 0 | uint16_t aead_id; |
1041 | 0 | if ((ret = ptls_decode16(&kdf_id, src, end)) != 0) |
1042 | 0 | goto Exit; |
1043 | 0 | if ((ret = ptls_decode16(&aead_id, src, end)) != 0) |
1044 | 0 | goto Exit; |
1045 | 0 | if (decoded->cipher == NULL) { |
1046 | 0 | for (size_t i = 0; ciphers[i] != NULL; ++i) { |
1047 | 0 | if (ciphers[i]->id.kdf == kdf_id && ciphers[i]->id.aead == aead_id) { |
1048 | 0 | decoded->cipher = ciphers[i]; |
1049 | 0 | break; |
1050 | 0 | } |
1051 | 0 | } |
1052 | 0 | } |
1053 | 0 | } while (*src != end); |
1054 | 0 | }); |
1055 | 0 | if ((ret = ptls_decode8(&decoded->max_name_length, src, end)) != 0) |
1056 | 0 | goto Exit; |
1057 | | |
1058 | 0 | #define SKIP_DECODED() \ |
1059 | 0 | do { \ |
1060 | 0 | decoded->kem = NULL; \ |
1061 | 0 | decoded->cipher = NULL; \ |
1062 | 0 | } while (0) |
1063 | | |
1064 | | /* Decode public_name. The specification requires clients to ignore (upon parsing ESNIConfigList) or reject (upon handshake) |
1065 | | * public names that are not DNS names or IPv4 addresses. We ignore IPv4 and v6 addresses during parsing (IPv6 addresses never |
1066 | | * looks like DNS names), and delegate the responsibility of rejecting non-DNS names to the certificate verify callback. */ |
1067 | 0 | ptls_decode_open_block(*src, end, 1, { |
1068 | 0 | if (*src == end) { |
1069 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
1070 | 0 | goto Exit; |
1071 | 0 | } |
1072 | 0 | if ((public_name_buf = duplicate_as_str(*src, end - *src)) == NULL) { |
1073 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1074 | 0 | goto Exit; |
1075 | 0 | } |
1076 | 0 | if (ptls_server_name_is_ipaddr(public_name_buf)) { |
1077 | 0 | SKIP_DECODED(); |
1078 | 0 | } else { |
1079 | 0 | decoded->public_name = ptls_iovec_init(*src, end - *src); |
1080 | 0 | } |
1081 | 0 | *src = end; |
1082 | 0 | }); |
1083 | | |
1084 | 0 | ptls_decode_block(*src, end, 2, { |
1085 | 0 | while (*src < end) { |
1086 | 0 | uint16_t type; |
1087 | 0 | if ((ret = ptls_decode16(&type, src, end)) != 0) |
1088 | 0 | goto Exit; |
1089 | 0 | ptls_decode_open_block(*src, end, 2, { *src = end; }); |
1090 | | /* if a critital extension is found, indicate that the config cannot be used */ |
1091 | 0 | if ((type & 0x8000) != 0) |
1092 | 0 | SKIP_DECODED(); |
1093 | 0 | } |
1094 | 0 | }); |
1095 | | |
1096 | 0 | #undef SKIP_DECODED |
1097 | | |
1098 | 0 | Exit: |
1099 | 0 | free(public_name_buf); |
1100 | 0 | return ret; |
1101 | 0 | } |
1102 | | |
1103 | | static int client_decode_ech_config_list(ptls_context_t *ctx, struct st_decoded_ech_config_t *decoded, ptls_iovec_t config_list) |
1104 | 0 | { |
1105 | 0 | const uint8_t *src = config_list.base, *const end = src + config_list.len; |
1106 | 0 | int match_found = 0, ret; |
1107 | |
|
1108 | 0 | *decoded = (struct st_decoded_ech_config_t){0}; |
1109 | |
|
1110 | 0 | ptls_decode_block(src, end, 2, { |
1111 | 0 | do { |
1112 | 0 | const uint8_t *config_start = src; |
1113 | 0 | uint16_t version; |
1114 | 0 | if ((ret = ptls_decode16(&version, &src, end)) != 0) |
1115 | 0 | goto Exit; |
1116 | 0 | ptls_decode_open_block(src, end, 2, { |
1117 | | /* If the block is the one that we recognize, parse it, then adopt if if possible. Otherwise, skip. */ |
1118 | 0 | if (version == PTLS_ECH_CONFIG_VERSION) { |
1119 | 0 | struct st_decoded_ech_config_t thisconf; |
1120 | 0 | if ((ret = decode_one_ech_config(ctx->ech.client.kems, ctx->ech.client.ciphers, &thisconf, &src, end)) != 0) |
1121 | 0 | goto Exit; |
1122 | 0 | if (!match_found && thisconf.kem != NULL && thisconf.cipher != NULL) { |
1123 | 0 | *decoded = thisconf; |
1124 | 0 | decoded->bytes = ptls_iovec_init(config_start, end - config_start); |
1125 | 0 | match_found = 1; |
1126 | 0 | } |
1127 | 0 | } else { |
1128 | 0 | src = end; |
1129 | 0 | } |
1130 | 0 | }); |
1131 | 0 | } while (src != end); |
1132 | 0 | }); |
1133 | 0 | ret = 0; |
1134 | |
|
1135 | 0 | Exit: |
1136 | 0 | if (ret != 0) |
1137 | 0 | *decoded = (struct st_decoded_ech_config_t){0}; |
1138 | 0 | return ret; |
1139 | 0 | } |
1140 | | |
1141 | | static int client_setup_ech(struct st_ptls_ech_t *ech, struct st_decoded_ech_config_t *decoded, |
1142 | | void (*random_bytes)(void *, size_t)) |
1143 | 0 | { |
1144 | 0 | ptls_buffer_t infobuf; |
1145 | 0 | uint8_t infobuf_smallbuf[256]; |
1146 | 0 | int ret; |
1147 | | |
1148 | | /* setup `enc` and `aead` by running HPKE */ |
1149 | 0 | ptls_buffer_init(&infobuf, infobuf_smallbuf, sizeof(infobuf_smallbuf)); |
1150 | 0 | ptls_buffer_pushv(&infobuf, ech_info_prefix, sizeof(ech_info_prefix)); |
1151 | 0 | ptls_buffer_pushv(&infobuf, decoded->bytes.base, decoded->bytes.len); |
1152 | 0 | if ((ret = ptls_hpke_setup_base_s(decoded->kem, decoded->cipher, &ech->client.enc, &ech->aead, decoded->public_key, |
1153 | 0 | ptls_iovec_init(infobuf.base, infobuf.off))) != 0) |
1154 | 0 | goto Exit; |
1155 | | |
1156 | | /* setup the rest */ |
1157 | 0 | ech->config_id = decoded->id; |
1158 | 0 | ech->kem = decoded->kem; |
1159 | 0 | ech->cipher = decoded->cipher; |
1160 | 0 | random_bytes(ech->inner_client_random, PTLS_HELLO_RANDOM_SIZE); |
1161 | 0 | ech->client.max_name_length = decoded->max_name_length; |
1162 | 0 | if ((ech->client.public_name = duplicate_as_str(decoded->public_name.base, decoded->public_name.len)) == NULL) { |
1163 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1164 | 0 | goto Exit; |
1165 | 0 | } |
1166 | | |
1167 | 0 | Exit: |
1168 | 0 | if (ret != 0) |
1169 | 0 | clear_ech(ech, 0); |
1170 | 0 | return ret; |
1171 | 0 | } |
1172 | | |
1173 | | static void client_setup_ech_grease(struct st_ptls_ech_t *ech, void (*random_bytes)(void *, size_t), ptls_hpke_kem_t **kems, |
1174 | | ptls_hpke_cipher_suite_t **ciphers, const char *sni_name) |
1175 | 0 | { |
1176 | 0 | static const size_t x25519_key_size = 32; |
1177 | 0 | uint8_t random_secret[PTLS_AES128_KEY_SIZE + PTLS_AES_IV_SIZE]; |
1178 | | |
1179 | | /* pick up X25519, AES-128-GCM or bail out */ |
1180 | 0 | for (size_t i = 0; kems[i] != NULL; ++i) { |
1181 | 0 | if (kems[i]->id == PTLS_HPKE_KEM_X25519_SHA256) { |
1182 | 0 | ech->kem = kems[i]; |
1183 | 0 | break; |
1184 | 0 | } |
1185 | 0 | } |
1186 | 0 | for (size_t i = 0; ciphers[i] != NULL; ++i) { |
1187 | 0 | if (ciphers[i]->id.kdf == PTLS_HPKE_HKDF_SHA256 && ciphers[i]->id.aead == PTLS_HPKE_AEAD_AES_128_GCM) { |
1188 | 0 | ech->cipher = ciphers[i]; |
1189 | 0 | break; |
1190 | 0 | } |
1191 | 0 | } |
1192 | 0 | if (ech->kem == NULL || ech->cipher == NULL) |
1193 | 0 | goto Fail; |
1194 | | |
1195 | | /* aead is generated from random */ |
1196 | 0 | random_bytes(random_secret, sizeof(random_secret)); |
1197 | 0 | ech->aead = ptls_aead_new_direct(ech->cipher->aead, 1, random_secret, random_secret + PTLS_AES128_KEY_SIZE); |
1198 | | |
1199 | | /* `enc` is random bytes */ |
1200 | 0 | if ((ech->client.enc.base = malloc(x25519_key_size)) == NULL) |
1201 | 0 | goto Fail; |
1202 | 0 | ech->client.enc.len = x25519_key_size; |
1203 | 0 | random_bytes(ech->client.enc.base, ech->client.enc.len); |
1204 | | |
1205 | | /* setup the rest (inner_client_random is left zeros) */ |
1206 | 0 | random_bytes(&ech->config_id, sizeof(ech->config_id)); |
1207 | 0 | ech->client.max_name_length = 64; |
1208 | 0 | if ((ech->client.public_name = duplicate_as_str(sni_name, strlen(sni_name))) == NULL) |
1209 | 0 | goto Fail; |
1210 | | |
1211 | 0 | return; |
1212 | | |
1213 | 0 | Fail: |
1214 | 0 | clear_ech(ech, 0); |
1215 | 0 | } |
1216 | | |
1217 | 0 | #define ECH_CONFIRMATION_SERVER_HELLO "ech accept confirmation" |
1218 | 0 | #define ECH_CONFIRMATION_HRR "hrr ech accept confirmation" |
1219 | | static int ech_calc_confirmation(ptls_key_schedule_t *sched, void *dst, const uint8_t *inner_random, const char *label, |
1220 | | ptls_iovec_t message) |
1221 | 0 | { |
1222 | 0 | ptls_hash_context_t *hash = NULL; |
1223 | 0 | uint8_t secret[PTLS_MAX_DIGEST_SIZE], transcript_hash[PTLS_MAX_DIGEST_SIZE]; |
1224 | 0 | int ret; |
1225 | | |
1226 | | /* calc transcript hash using the modified ServerHello / HRR */ |
1227 | 0 | if ((hash = sched->hashes[0].ctx->clone_(sched->hashes[0].ctx)) == NULL) { |
1228 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1229 | 0 | goto Exit; |
1230 | 0 | } |
1231 | 0 | hash->update(hash, message.base, message.len); |
1232 | 0 | hash->final(hash, transcript_hash, PTLS_HASH_FINAL_MODE_FREE); |
1233 | 0 | hash = NULL; |
1234 | | |
1235 | | /* HKDF extract and expand */ |
1236 | 0 | if ((ret = ptls_hkdf_extract(sched->hashes[0].algo, secret, ptls_iovec_init(NULL, 0), |
1237 | 0 | ptls_iovec_init(inner_random, PTLS_HELLO_RANDOM_SIZE))) != 0) |
1238 | 0 | goto Exit; |
1239 | 0 | if ((ret = ptls_hkdf_expand_label(sched->hashes[0].algo, dst, 8, ptls_iovec_init(secret, sched->hashes[0].algo->digest_size), |
1240 | 0 | label, ptls_iovec_init(transcript_hash, sched->hashes[0].algo->digest_size), NULL)) != 0) |
1241 | 0 | goto Exit; |
1242 | | |
1243 | 0 | Exit: |
1244 | 0 | ptls_clear_memory(secret, sizeof(secret)); |
1245 | 0 | ptls_clear_memory(transcript_hash, sizeof(transcript_hash)); |
1246 | 0 | if (hash != NULL) |
1247 | 0 | hash->final(hash, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1248 | 0 | return ret; |
1249 | 0 | } |
1250 | | |
1251 | | static void key_schedule_free(ptls_key_schedule_t *sched) |
1252 | 2.91k | { |
1253 | 2.91k | size_t i; |
1254 | 2.91k | ptls_clear_memory(sched->secret, sizeof(sched->secret)); |
1255 | 5.82k | for (i = 0; i != sched->num_hashes; ++i) { |
1256 | 2.91k | sched->hashes[i].ctx->final(sched->hashes[i].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1257 | 2.91k | if (sched->hashes[i].ctx_outer != NULL) |
1258 | 0 | sched->hashes[i].ctx_outer->final(sched->hashes[i].ctx_outer, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1259 | 2.91k | } |
1260 | 2.91k | free(sched); |
1261 | 2.91k | } |
1262 | | |
1263 | | static ptls_key_schedule_t *key_schedule_new(ptls_cipher_suite_t *preferred, ptls_cipher_suite_t **offered, int use_outer) |
1264 | 2.91k | { |
1265 | 2.91k | #define FOREACH_HASH(block) \ |
1266 | 5.82k | do { \ |
1267 | 5.82k | ptls_cipher_suite_t *cs; \ |
1268 | 5.82k | if ((cs = preferred) != NULL) { \ |
1269 | 2.09k | block \ |
1270 | 1.39k | } \ |
1271 | 5.82k | if (offered != NULL) { \ |
1272 | 4.42k | size_t i, j; \ |
1273 | 8.84k | for (i = 0; (cs = offered[i]) != NULL; ++i) { \ |
1274 | 4.42k | if (preferred == NULL || cs->hash != preferred->hash) { \ |
1275 | 4.42k | for (j = 0; j != i; ++j) \ |
1276 | 4.42k | if (cs->hash == offered[j]->hash) \ |
1277 | 0 | break; \ |
1278 | 4.42k | if (j == i) { \ |
1279 | 6.63k | block \ |
1280 | 4.42k | } \ |
1281 | 4.42k | } \ |
1282 | 4.42k | } \ |
1283 | 4.42k | } \ |
1284 | 5.82k | } while (0) |
1285 | | |
1286 | 2.91k | ptls_key_schedule_t *sched; |
1287 | | |
1288 | 2.91k | { /* allocate */ |
1289 | 2.91k | size_t num_hashes = 0; |
1290 | 2.91k | FOREACH_HASH({ ++num_hashes; }); |
1291 | 2.91k | if ((sched = malloc(offsetof(ptls_key_schedule_t, hashes) + sizeof(sched->hashes[0]) * num_hashes)) == NULL) |
1292 | 0 | return NULL; |
1293 | 2.91k | *sched = (ptls_key_schedule_t){0}; |
1294 | 2.91k | } |
1295 | | |
1296 | | /* setup the hash algos and contexts */ |
1297 | 2.91k | FOREACH_HASH({ |
1298 | 2.91k | sched->hashes[sched->num_hashes].algo = cs->hash; |
1299 | 2.91k | if ((sched->hashes[sched->num_hashes].ctx = cs->hash->create()) == NULL) |
1300 | 2.91k | goto Fail; |
1301 | 2.91k | if (use_outer) { |
1302 | 2.91k | if ((sched->hashes[sched->num_hashes].ctx_outer = cs->hash->create()) == NULL) |
1303 | 2.91k | goto Fail; |
1304 | 2.91k | } else { |
1305 | 2.91k | sched->hashes[sched->num_hashes].ctx_outer = NULL; |
1306 | 2.91k | } |
1307 | 2.91k | ++sched->num_hashes; |
1308 | 2.91k | }); |
1309 | | |
1310 | 2.91k | return sched; |
1311 | 0 | Fail: |
1312 | 0 | key_schedule_free(sched); |
1313 | 0 | return NULL; |
1314 | | |
1315 | 2.91k | #undef FOREACH_HASH |
1316 | 2.91k | } |
1317 | | |
1318 | | static int key_schedule_extract(ptls_key_schedule_t *sched, ptls_iovec_t ikm) |
1319 | 4.40k | { |
1320 | 4.40k | int ret; |
1321 | | |
1322 | 4.40k | if (ikm.base == NULL) |
1323 | 3.02k | ikm = ptls_iovec_init(zeroes_of_max_digest_size, sched->hashes[0].algo->digest_size); |
1324 | | |
1325 | 4.40k | if (sched->generation != 0 && |
1326 | 4.40k | (ret = ptls_hkdf_expand_label(sched->hashes[0].algo, sched->secret, sched->hashes[0].algo->digest_size, |
1327 | 1.64k | ptls_iovec_init(sched->secret, sched->hashes[0].algo->digest_size), "derived", |
1328 | 1.64k | ptls_iovec_init(sched->hashes[0].algo->empty_digest, sched->hashes[0].algo->digest_size), |
1329 | 1.64k | NULL)) != 0) |
1330 | 0 | return ret; |
1331 | | |
1332 | 4.40k | ++sched->generation; |
1333 | 4.40k | ret = ptls_hkdf_extract(sched->hashes[0].algo, sched->secret, |
1334 | 4.40k | ptls_iovec_init(sched->secret, sched->hashes[0].algo->digest_size), ikm); |
1335 | 4.40k | PTLS_DEBUGF("%s: %u, %02x%02x\n", __FUNCTION__, sched->generation, (int)sched->secret[0], (int)sched->secret[1]); |
1336 | 4.40k | return ret; |
1337 | 4.40k | } |
1338 | | |
1339 | | static int key_schedule_select_cipher(ptls_key_schedule_t *sched, ptls_cipher_suite_t *cs, int reset, ptls_iovec_t reset_ikm) |
1340 | 39.1k | { |
1341 | 39.1k | size_t found_slot = SIZE_MAX, i; |
1342 | 39.1k | int ret; |
1343 | | |
1344 | 39.1k | assert(sched->generation == 1); |
1345 | | |
1346 | | /* find the one, while freeing others */ |
1347 | 78.3k | for (i = 0; i != sched->num_hashes; ++i) { |
1348 | 39.1k | if (sched->hashes[i].algo == cs->hash) { |
1349 | 39.1k | assert(found_slot == SIZE_MAX); |
1350 | 39.1k | found_slot = i; |
1351 | 39.1k | } else { |
1352 | 0 | sched->hashes[i].ctx->final(sched->hashes[i].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1353 | 0 | if (sched->hashes[i].ctx_outer != NULL) |
1354 | 0 | sched->hashes[i].ctx_outer->final(sched->hashes[i].ctx_outer, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1355 | 0 | } |
1356 | 39.1k | } |
1357 | 39.1k | if (found_slot != 0) { |
1358 | 0 | sched->hashes[0] = sched->hashes[found_slot]; |
1359 | 0 | reset = 1; |
1360 | 0 | } |
1361 | 39.1k | sched->num_hashes = 1; |
1362 | | |
1363 | | /* recalculate the hash if a different hash as been selected than the one we used for calculating the early secrets */ |
1364 | 39.1k | if (reset) { |
1365 | 0 | --sched->generation; |
1366 | 0 | memset(sched->secret, 0, sizeof(sched->secret)); |
1367 | 0 | if ((ret = key_schedule_extract(sched, reset_ikm)) != 0) |
1368 | 0 | goto Exit; |
1369 | 0 | } |
1370 | | |
1371 | 39.1k | ret = 0; |
1372 | 39.1k | Exit: |
1373 | 39.1k | return ret; |
1374 | 39.1k | } |
1375 | | |
1376 | | static void key_schedule_select_outer(ptls_key_schedule_t *sched) |
1377 | 0 | { |
1378 | | /* This function is called when receiving a cleartext message (Server Hello), after the cipher-suite is determined (and hence |
1379 | | * the hash also), if ECH was offered */ |
1380 | 0 | assert(sched->generation == 1); |
1381 | 0 | assert(sched->num_hashes == 1); |
1382 | 0 | assert(sched->hashes[0].ctx_outer != NULL); |
1383 | | |
1384 | 0 | sched->hashes[0].ctx->final(sched->hashes[0].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1385 | 0 | sched->hashes[0].ctx = sched->hashes[0].ctx_outer; |
1386 | 0 | sched->hashes[0].ctx_outer = NULL; |
1387 | 0 | } |
1388 | | |
1389 | | void ptls__key_schedule_update_hash(ptls_key_schedule_t *sched, const uint8_t *msg, size_t msglen, int use_outer) |
1390 | 82.2k | { |
1391 | 82.2k | size_t i; |
1392 | | |
1393 | 82.2k | PTLS_DEBUGF("%s:%p:len=%zu\n", __FUNCTION__, sched, msglen); |
1394 | 164k | for (i = 0; i != sched->num_hashes; ++i) { |
1395 | 82.2k | ptls_hash_context_t *ctx = use_outer ? sched->hashes[i].ctx_outer : sched->hashes[i].ctx; |
1396 | 82.2k | ctx->update(ctx, msg, msglen); |
1397 | | #if defined(PTLS_DEBUG) && PTLS_DEBUG |
1398 | | { |
1399 | | uint8_t digest[PTLS_MAX_DIGEST_SIZE]; |
1400 | | ctx->final(ctx, digest, PTLS_HASH_FINAL_MODE_SNAPSHOT); |
1401 | | PTLS_DEBUGF(" %zu: %02x%02x%02x%02x\n", i, digest[0], digest[1], digest[2], digest[3]); |
1402 | | } |
1403 | | #endif |
1404 | 82.2k | } |
1405 | 82.2k | } |
1406 | | |
1407 | | static void key_schedule_update_ch1hash_prefix(ptls_key_schedule_t *sched) |
1408 | 0 | { |
1409 | 0 | uint8_t prefix[4] = {PTLS_HANDSHAKE_TYPE_MESSAGE_HASH, 0, 0, (uint8_t)sched->hashes[0].algo->digest_size}; |
1410 | 0 | ptls__key_schedule_update_hash(sched, prefix, sizeof(prefix), 0); |
1411 | 0 | } |
1412 | | |
1413 | | static void key_schedule_extract_ch1hash(ptls_key_schedule_t *sched, uint8_t *hash) |
1414 | 0 | { |
1415 | 0 | assert(sched->hashes[0].ctx_outer == NULL); |
1416 | 0 | sched->hashes[0].ctx->final(sched->hashes[0].ctx, hash, PTLS_HASH_FINAL_MODE_RESET); |
1417 | 0 | } |
1418 | | |
1419 | | static void key_schedule_transform_post_ch1hash(ptls_key_schedule_t *sched) |
1420 | 38.2k | { |
1421 | 38.2k | size_t digest_size = sched->hashes[0].algo->digest_size; |
1422 | 38.2k | ptls_hash_context_t *hashes[3] = {sched->hashes[0].ctx, sched->hashes[0].ctx_outer, NULL}; |
1423 | 38.2k | uint8_t ch1hash[PTLS_MAX_DIGEST_SIZE]; |
1424 | 38.2k | uint8_t prefix[4] = {PTLS_HANDSHAKE_TYPE_MESSAGE_HASH, 0, 0, (uint8_t)digest_size}; |
1425 | | |
1426 | 76.4k | for (size_t i = 0; hashes[i] != NULL; ++i) { |
1427 | 38.2k | hashes[i]->final(hashes[i], ch1hash, PTLS_HASH_FINAL_MODE_RESET); |
1428 | 38.2k | hashes[i]->update(hashes[i], prefix, sizeof(prefix)); |
1429 | 38.2k | hashes[i]->update(hashes[i], ch1hash, digest_size); |
1430 | 38.2k | } |
1431 | | |
1432 | 38.2k | ptls_clear_memory(ch1hash, sizeof(ch1hash)); |
1433 | 38.2k | } |
1434 | | |
1435 | | static int derive_secret_with_hash(ptls_key_schedule_t *sched, void *secret, const char *label, const uint8_t *hash) |
1436 | 3.41k | { |
1437 | 3.41k | int ret = ptls_hkdf_expand_label(sched->hashes[0].algo, secret, sched->hashes[0].algo->digest_size, |
1438 | 3.41k | ptls_iovec_init(sched->secret, sched->hashes[0].algo->digest_size), label, |
1439 | 3.41k | ptls_iovec_init(hash, sched->hashes[0].algo->digest_size), NULL); |
1440 | 3.41k | PTLS_DEBUGF("%s: (label=%s, hash=%02x%02x) => %02x%02x\n", __FUNCTION__, label, hash[0], hash[1], ((uint8_t *)secret)[0], |
1441 | 3.41k | ((uint8_t *)secret)[1]); |
1442 | 3.41k | return ret; |
1443 | 3.41k | } |
1444 | | |
1445 | | static int derive_secret(ptls_key_schedule_t *sched, void *secret, const char *label) |
1446 | 3.40k | { |
1447 | 3.40k | uint8_t hash_value[PTLS_MAX_DIGEST_SIZE]; |
1448 | | |
1449 | 3.40k | sched->hashes[0].ctx->final(sched->hashes[0].ctx, hash_value, PTLS_HASH_FINAL_MODE_SNAPSHOT); |
1450 | 3.40k | int ret = derive_secret_with_hash(sched, secret, label, hash_value); |
1451 | 3.40k | ptls_clear_memory(hash_value, sizeof(hash_value)); |
1452 | 3.40k | return ret; |
1453 | 3.40k | } |
1454 | | |
1455 | | static int derive_secret_with_empty_digest(ptls_key_schedule_t *sched, void *secret, const char *label) |
1456 | 1 | { |
1457 | 1 | return derive_secret_with_hash(sched, secret, label, sched->hashes[0].algo->empty_digest); |
1458 | 1 | } |
1459 | | |
1460 | | static int derive_exporter_secret(ptls_t *tls, int is_early) |
1461 | 262 | { |
1462 | 262 | int ret; |
1463 | | |
1464 | 262 | if (!tls->ctx->use_exporter) |
1465 | 262 | return 0; |
1466 | | |
1467 | 0 | uint8_t **slot = is_early ? &tls->exporter_master_secret.early : &tls->exporter_master_secret.one_rtt; |
1468 | 0 | assert(*slot == NULL); |
1469 | 0 | if ((*slot = malloc(tls->key_schedule->hashes[0].algo->digest_size)) == NULL) |
1470 | 0 | return PTLS_ERROR_NO_MEMORY; |
1471 | | |
1472 | 0 | if ((ret = derive_secret(tls->key_schedule, *slot, is_early ? "e exp master" : "exp master")) != 0) |
1473 | 0 | return ret; |
1474 | | |
1475 | 0 | log_secret(tls, is_early ? "EARLY_EXPORTER_SECRET" : "EXPORTER_SECRET", |
1476 | 0 | ptls_iovec_init(*slot, tls->key_schedule->hashes[0].algo->digest_size)); |
1477 | |
|
1478 | 0 | return 0; |
1479 | 0 | } |
1480 | | |
1481 | | static void free_exporter_master_secret(ptls_t *tls, int is_early) |
1482 | 8.81k | { |
1483 | 8.81k | uint8_t *slot = is_early ? tls->exporter_master_secret.early : tls->exporter_master_secret.one_rtt; |
1484 | 8.81k | if (slot == NULL) |
1485 | 8.81k | return; |
1486 | 0 | assert(tls->key_schedule != NULL); |
1487 | 0 | ptls_clear_memory(slot, tls->key_schedule->hashes[0].algo->digest_size); |
1488 | 0 | free(slot); |
1489 | 0 | } |
1490 | | |
1491 | | static int derive_resumption_secret(ptls_key_schedule_t *sched, uint8_t *secret, ptls_iovec_t nonce) |
1492 | 113 | { |
1493 | 113 | int ret; |
1494 | | |
1495 | 113 | if ((ret = derive_secret(sched, secret, "res master")) != 0) |
1496 | 0 | goto Exit; |
1497 | 113 | if ((ret = ptls_hkdf_expand_label(sched->hashes[0].algo, secret, sched->hashes[0].algo->digest_size, |
1498 | 113 | ptls_iovec_init(secret, sched->hashes[0].algo->digest_size), "resumption", nonce, NULL)) != 0) |
1499 | 0 | goto Exit; |
1500 | | |
1501 | 113 | Exit: |
1502 | 113 | if (ret != 0) |
1503 | 0 | ptls_clear_memory(secret, sched->hashes[0].algo->digest_size); |
1504 | 113 | return ret; |
1505 | 113 | } |
1506 | | |
1507 | | static int decode_new_session_ticket(ptls_t *tls, uint32_t *lifetime, uint32_t *age_add, ptls_iovec_t *nonce, ptls_iovec_t *ticket, |
1508 | | uint32_t *max_early_data_size, const uint8_t *src, const uint8_t *const end) |
1509 | 0 | { |
1510 | 0 | uint16_t exttype; |
1511 | 0 | int ret; |
1512 | |
|
1513 | 0 | if ((ret = ptls_decode32(lifetime, &src, end)) != 0) |
1514 | 0 | goto Exit; |
1515 | 0 | if ((ret = ptls_decode32(age_add, &src, end)) != 0) |
1516 | 0 | goto Exit; |
1517 | 0 | ptls_decode_open_block(src, end, 1, { |
1518 | 0 | *nonce = ptls_iovec_init(src, end - src); |
1519 | 0 | src = end; |
1520 | 0 | }); |
1521 | 0 | ptls_decode_open_block(src, end, 2, { |
1522 | 0 | if (src == end) { |
1523 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
1524 | 0 | goto Exit; |
1525 | 0 | } |
1526 | 0 | *ticket = ptls_iovec_init(src, end - src); |
1527 | 0 | src = end; |
1528 | 0 | }); |
1529 | | |
1530 | 0 | *max_early_data_size = 0; |
1531 | 0 | decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET, &exttype, { |
1532 | 0 | if (tls->ctx->on_extension != NULL && |
1533 | 0 | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET, exttype, |
1534 | 0 | ptls_iovec_init(src, end - src)) != 0)) |
1535 | 0 | goto Exit; |
1536 | 0 | switch (exttype) { |
1537 | 0 | case PTLS_EXTENSION_TYPE_EARLY_DATA: |
1538 | 0 | if ((ret = ptls_decode32(max_early_data_size, &src, end)) != 0) |
1539 | 0 | goto Exit; |
1540 | 0 | break; |
1541 | 0 | default: |
1542 | 0 | src = end; |
1543 | 0 | break; |
1544 | 0 | } |
1545 | 0 | }); |
1546 | | |
1547 | 0 | ret = 0; |
1548 | 0 | Exit: |
1549 | 0 | return ret; |
1550 | 0 | } |
1551 | | |
1552 | | static int decode_stored_session_ticket(ptls_t *tls, ptls_key_exchange_algorithm_t **key_share, ptls_cipher_suite_t **cs, |
1553 | | ptls_iovec_t *secret, uint32_t *obfuscated_ticket_age, ptls_iovec_t *ticket, |
1554 | | uint32_t *max_early_data_size, const uint8_t *src, const uint8_t *const end) |
1555 | 0 | { |
1556 | 0 | uint16_t kxid, csid; |
1557 | 0 | uint32_t lifetime, age_add; |
1558 | 0 | uint64_t obtained_at, now; |
1559 | 0 | ptls_iovec_t nonce; |
1560 | 0 | int ret; |
1561 | | |
1562 | | /* decode */ |
1563 | 0 | if ((ret = ptls_decode64(&obtained_at, &src, end)) != 0) |
1564 | 0 | goto Exit; |
1565 | 0 | if ((ret = ptls_decode16(&kxid, &src, end)) != 0) |
1566 | 0 | goto Exit; |
1567 | 0 | if ((ret = ptls_decode16(&csid, &src, end)) != 0) |
1568 | 0 | goto Exit; |
1569 | 0 | ptls_decode_open_block(src, end, 3, { |
1570 | 0 | if ((ret = decode_new_session_ticket(tls, &lifetime, &age_add, &nonce, ticket, max_early_data_size, src, end)) != 0) |
1571 | 0 | goto Exit; |
1572 | 0 | src = end; |
1573 | 0 | }); |
1574 | 0 | ptls_decode_block(src, end, 2, { |
1575 | 0 | *secret = ptls_iovec_init(src, end - src); |
1576 | 0 | src = end; |
1577 | 0 | }); |
1578 | | |
1579 | 0 | { /* determine the key-exchange */ |
1580 | 0 | ptls_key_exchange_algorithm_t **cand; |
1581 | 0 | for (cand = tls->ctx->key_exchanges; *cand != NULL; ++cand) |
1582 | 0 | if ((*cand)->id == kxid) |
1583 | 0 | break; |
1584 | 0 | if (*cand == NULL) { |
1585 | 0 | ret = PTLS_ERROR_LIBRARY; |
1586 | 0 | goto Exit; |
1587 | 0 | } |
1588 | 0 | *key_share = *cand; |
1589 | 0 | } |
1590 | | |
1591 | 0 | { /* determine the cipher-suite */ |
1592 | 0 | ptls_cipher_suite_t **cand; |
1593 | 0 | for (cand = tls->ctx->cipher_suites; *cand != NULL; ++cand) |
1594 | 0 | if ((*cand)->id == csid) |
1595 | 0 | break; |
1596 | 0 | if (*cand == NULL) { |
1597 | 0 | ret = PTLS_ERROR_LIBRARY; |
1598 | 0 | goto Exit; |
1599 | 0 | } |
1600 | 0 | *cs = *cand; |
1601 | 0 | } |
1602 | | |
1603 | | /* calculate obfuscated_ticket_age */ |
1604 | 0 | now = tls->ctx->get_time->cb(tls->ctx->get_time); |
1605 | 0 | if (!(obtained_at <= now && now - obtained_at < 7 * 86400 * 1000)) { |
1606 | 0 | ret = PTLS_ERROR_LIBRARY; |
1607 | 0 | goto Exit; |
1608 | 0 | } |
1609 | 0 | *obfuscated_ticket_age = (uint32_t)(now - obtained_at) + age_add; |
1610 | |
|
1611 | 0 | ret = 0; |
1612 | 0 | Exit: |
1613 | 0 | return ret; |
1614 | 0 | } |
1615 | | |
1616 | | static int get_traffic_key(ptls_hash_algorithm_t *algo, void *key, size_t key_size, int is_iv, const void *secret, |
1617 | | ptls_iovec_t hash_value, const char *label_prefix) |
1618 | 6.06k | { |
1619 | 6.06k | return ptls_hkdf_expand_label(algo, key, key_size, ptls_iovec_init(secret, algo->digest_size), is_iv ? "iv" : "key", hash_value, |
1620 | 6.06k | label_prefix); |
1621 | 6.06k | } |
1622 | | |
1623 | | static int get_traffic_keys(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, void *key, void *iv, const void *secret, |
1624 | | ptls_iovec_t hash_value, const char *label_prefix) |
1625 | 3.03k | { |
1626 | 3.03k | int ret; |
1627 | | |
1628 | 3.03k | if ((ret = get_traffic_key(hash, key, aead->key_size, 0, secret, hash_value, label_prefix)) != 0 || |
1629 | 3.03k | (ret = get_traffic_key(hash, iv, aead->iv_size, 1, secret, hash_value, label_prefix)) != 0) { |
1630 | 0 | ptls_clear_memory(key, aead->key_size); |
1631 | 0 | ptls_clear_memory(iv, aead->iv_size); |
1632 | 0 | } |
1633 | | |
1634 | 3.03k | return ret; |
1635 | 3.03k | } |
1636 | | |
1637 | | static int setup_traffic_protection(ptls_t *tls, int is_enc, const char *secret_label, size_t epoch, uint64_t seq, int skip_notify) |
1638 | 3.03k | { |
1639 | 3.03k | static const char *log_labels[2][4] = { |
1640 | 3.03k | {NULL, "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0"}, |
1641 | 3.03k | {NULL, NULL, "SERVER_HANDSHAKE_TRAFFIC_SECRET", "SERVER_TRAFFIC_SECRET_0"}}; |
1642 | 3.03k | struct st_ptls_traffic_protection_t *ctx = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
1643 | | |
1644 | 3.03k | if (secret_label != NULL) { |
1645 | 3.03k | int ret; |
1646 | 3.03k | if ((ret = derive_secret(tls->key_schedule, ctx->secret, secret_label)) != 0) |
1647 | 0 | return ret; |
1648 | 3.03k | } |
1649 | | |
1650 | 3.03k | ctx->epoch = epoch; |
1651 | | |
1652 | 3.03k | log_secret(tls, log_labels[ptls_is_server(tls) == is_enc][epoch], |
1653 | 3.03k | ptls_iovec_init(ctx->secret, tls->key_schedule->hashes[0].algo->digest_size)); |
1654 | | |
1655 | | /* special path for applications having their own record layer */ |
1656 | 3.03k | if (tls->ctx->update_traffic_key != NULL) { |
1657 | 0 | if (skip_notify) |
1658 | 0 | return 0; |
1659 | 0 | return tls->ctx->update_traffic_key->cb(tls->ctx->update_traffic_key, tls, is_enc, epoch, ctx->secret); |
1660 | 0 | } |
1661 | | |
1662 | 3.03k | if (ctx->aead != NULL) |
1663 | 262 | ptls_aead_free(ctx->aead); |
1664 | 3.03k | if ((ctx->aead = ptls_aead_new(tls->cipher_suite->aead, tls->cipher_suite->hash, is_enc, ctx->secret, |
1665 | 3.03k | tls->ctx->hkdf_label_prefix__obsolete)) == NULL) |
1666 | 0 | return PTLS_ERROR_NO_MEMORY; /* TODO obtain error from ptls_aead_new */ |
1667 | 3.03k | ctx->seq = seq; |
1668 | | |
1669 | | #if defined(PTLS_DEBUG) && PTLS_DEBUG |
1670 | | { |
1671 | | uint8_t static_iv[PTLS_MAX_IV_SIZE]; |
1672 | | ptls_aead_get_iv(ctx->aead, static_iv); |
1673 | | PTLS_DEBUGF("[%s] %02x%02x,%02x%02x\n", log_labels[ptls_is_server(tls)][epoch], (unsigned)ctx->secret[0], |
1674 | | (unsigned)ctx->secret[1], static_iv[0], static_iv[1]); |
1675 | | } |
1676 | | #endif |
1677 | | |
1678 | 3.03k | return 0; |
1679 | 3.03k | } |
1680 | | |
1681 | | static int commission_handshake_secret(ptls_t *tls) |
1682 | 0 | { |
1683 | 0 | int is_enc = !ptls_is_server(tls); |
1684 | |
|
1685 | 0 | assert(tls->pending_handshake_secret != NULL); |
1686 | 0 | memcpy((is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec)->secret, tls->pending_handshake_secret, |
1687 | 0 | PTLS_MAX_DIGEST_SIZE); |
1688 | 0 | ptls_clear_memory(tls->pending_handshake_secret, PTLS_MAX_DIGEST_SIZE); |
1689 | 0 | free(tls->pending_handshake_secret); |
1690 | 0 | tls->pending_handshake_secret = NULL; |
1691 | |
|
1692 | 0 | return setup_traffic_protection(tls, is_enc, NULL, 2, 0, 1); |
1693 | 0 | } |
1694 | | |
1695 | | static void log_client_random(ptls_t *tls) |
1696 | 2.95k | { |
1697 | | #if PICOTLS_USE_DTRACE |
1698 | | char buf[sizeof(tls->client_random) * 2 + 1]; |
1699 | | #endif |
1700 | | |
1701 | 2.95k | PTLS_PROBE(CLIENT_RANDOM, tls, ptls_hexdump(buf, tls->client_random, sizeof(tls->client_random))); |
1702 | 2.95k | PTLS_LOG_CONN(client_random, tls, { PTLS_LOG_ELEMENT_HEXDUMP(bytes, tls->client_random, sizeof(tls->client_random)); }); |
1703 | 2.95k | } |
1704 | | |
1705 | | #define SESSION_IDENTIFIER_MAGIC "ptls0001" /* the number should be changed upon incompatible format change */ |
1706 | | #define SESSION_IDENTIFIER_MAGIC_SIZE (sizeof(SESSION_IDENTIFIER_MAGIC) - 1) |
1707 | | |
1708 | | static int encode_session_identifier(ptls_context_t *ctx, ptls_buffer_t *buf, uint32_t ticket_age_add, ptls_iovec_t ticket_nonce, |
1709 | | ptls_key_schedule_t *sched, const char *server_name, uint16_t key_exchange_id, uint16_t csid, |
1710 | | const char *negotiated_protocol) |
1711 | 113 | { |
1712 | 113 | int ret = 0; |
1713 | | |
1714 | 113 | ptls_buffer_push_block(buf, 2, { |
1715 | | /* format id */ |
1716 | 113 | ptls_buffer_pushv(buf, SESSION_IDENTIFIER_MAGIC, SESSION_IDENTIFIER_MAGIC_SIZE); |
1717 | | /* date */ |
1718 | 113 | ptls_buffer_push64(buf, ctx->get_time->cb(ctx->get_time)); |
1719 | | /* resumption master secret */ |
1720 | 113 | ptls_buffer_push_block(buf, 2, { |
1721 | 113 | if ((ret = ptls_buffer_reserve(buf, sched->hashes[0].algo->digest_size)) != 0) |
1722 | 113 | goto Exit; |
1723 | 113 | if ((ret = derive_resumption_secret(sched, buf->base + buf->off, ticket_nonce)) != 0) |
1724 | 113 | goto Exit; |
1725 | 113 | buf->off += sched->hashes[0].algo->digest_size; |
1726 | 113 | }); |
1727 | | /* key-exchange */ |
1728 | 113 | ptls_buffer_push16(buf, key_exchange_id); |
1729 | | /* cipher-suite */ |
1730 | 113 | ptls_buffer_push16(buf, csid); |
1731 | | /* ticket_age_add */ |
1732 | 113 | ptls_buffer_push32(buf, ticket_age_add); |
1733 | | /* session ID context */ |
1734 | 113 | ptls_buffer_push_block(buf, 2, { |
1735 | 113 | if (ctx->ticket_context.is_set) { |
1736 | 113 | ptls_buffer_pushv(buf, ctx->ticket_context.bytes, sizeof(ctx->ticket_context.bytes)); |
1737 | 113 | } else if (server_name != NULL) { |
1738 | 113 | ptls_buffer_pushv(buf, server_name, strlen(server_name)); |
1739 | 113 | } |
1740 | 113 | }); |
1741 | | /* alpn */ |
1742 | 113 | ptls_buffer_push_block(buf, 1, { |
1743 | 113 | if (negotiated_protocol != NULL) |
1744 | 113 | ptls_buffer_pushv(buf, negotiated_protocol, strlen(negotiated_protocol)); |
1745 | 113 | }); |
1746 | 113 | }); |
1747 | | |
1748 | 113 | Exit: |
1749 | 113 | return ret; |
1750 | 113 | } |
1751 | | |
1752 | | int decode_session_identifier(uint64_t *issued_at, ptls_iovec_t *psk, uint32_t *ticket_age_add, ptls_iovec_t *ticket_ctx, |
1753 | | uint16_t *key_exchange_id, uint16_t *csid, ptls_iovec_t *negotiated_protocol, const uint8_t *src, |
1754 | | const uint8_t *const end) |
1755 | 189 | { |
1756 | 189 | int ret = 0; |
1757 | | |
1758 | 189 | ptls_decode_block(src, end, 2, { |
1759 | 189 | if (end - src < SESSION_IDENTIFIER_MAGIC_SIZE || |
1760 | 189 | memcmp(src, SESSION_IDENTIFIER_MAGIC, SESSION_IDENTIFIER_MAGIC_SIZE) != 0) { |
1761 | 189 | ret = PTLS_ALERT_DECODE_ERROR; |
1762 | 189 | goto Exit; |
1763 | 189 | } |
1764 | 189 | src += SESSION_IDENTIFIER_MAGIC_SIZE; |
1765 | 189 | if ((ret = ptls_decode64(issued_at, &src, end)) != 0) |
1766 | 189 | goto Exit; |
1767 | 189 | ptls_decode_open_block(src, end, 2, { |
1768 | 189 | *psk = ptls_iovec_init(src, end - src); |
1769 | 189 | src = end; |
1770 | 189 | }); |
1771 | 189 | if ((ret = ptls_decode16(key_exchange_id, &src, end)) != 0) |
1772 | 189 | goto Exit; |
1773 | 189 | if ((ret = ptls_decode16(csid, &src, end)) != 0) |
1774 | 189 | goto Exit; |
1775 | 189 | if ((ret = ptls_decode32(ticket_age_add, &src, end)) != 0) |
1776 | 189 | goto Exit; |
1777 | 189 | ptls_decode_open_block(src, end, 2, { |
1778 | 189 | *ticket_ctx = ptls_iovec_init(src, end - src); |
1779 | 189 | src = end; |
1780 | 189 | }); |
1781 | 189 | ptls_decode_open_block(src, end, 1, { |
1782 | 189 | *negotiated_protocol = ptls_iovec_init(src, end - src); |
1783 | 189 | src = end; |
1784 | 189 | }); |
1785 | 189 | }); |
1786 | | |
1787 | 189 | Exit: |
1788 | 189 | return ret; |
1789 | 189 | } |
1790 | | |
1791 | | static size_t build_certificate_verify_signdata(uint8_t *data, ptls_key_schedule_t *sched, const char *context_string) |
1792 | 33 | { |
1793 | 33 | size_t datalen = 0; |
1794 | | |
1795 | 33 | memset(data + datalen, 32, 64); |
1796 | 33 | datalen += 64; |
1797 | 33 | memcpy(data + datalen, context_string, strlen(context_string) + 1); |
1798 | 33 | datalen += strlen(context_string) + 1; |
1799 | 33 | sched->hashes[0].ctx->final(sched->hashes[0].ctx, data + datalen, PTLS_HASH_FINAL_MODE_SNAPSHOT); |
1800 | 33 | datalen += sched->hashes[0].algo->digest_size; |
1801 | 33 | assert(datalen <= PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE); |
1802 | | |
1803 | 33 | return datalen; |
1804 | 33 | } |
1805 | | |
1806 | | static int calc_verify_data(void *output, ptls_key_schedule_t *sched, const void *secret) |
1807 | 390 | { |
1808 | 390 | ptls_hash_context_t *hmac; |
1809 | 390 | uint8_t digest[PTLS_MAX_DIGEST_SIZE]; |
1810 | 390 | int ret; |
1811 | | |
1812 | 390 | if ((ret = ptls_hkdf_expand_label(sched->hashes[0].algo, digest, sched->hashes[0].algo->digest_size, |
1813 | 390 | ptls_iovec_init(secret, sched->hashes[0].algo->digest_size), "finished", |
1814 | 390 | ptls_iovec_init(NULL, 0), NULL)) != 0) |
1815 | 0 | return ret; |
1816 | 390 | if ((hmac = ptls_hmac_create(sched->hashes[0].algo, digest, sched->hashes[0].algo->digest_size)) == NULL) { |
1817 | 0 | ptls_clear_memory(digest, sizeof(digest)); |
1818 | 0 | return PTLS_ERROR_NO_MEMORY; |
1819 | 0 | } |
1820 | | |
1821 | 390 | sched->hashes[0].ctx->final(sched->hashes[0].ctx, digest, PTLS_HASH_FINAL_MODE_SNAPSHOT); |
1822 | 390 | PTLS_DEBUGF("%s: %02x%02x,%02x%02x\n", __FUNCTION__, ((uint8_t *)secret)[0], ((uint8_t *)secret)[1], digest[0], digest[1]); |
1823 | 390 | hmac->update(hmac, digest, sched->hashes[0].algo->digest_size); |
1824 | 390 | ptls_clear_memory(digest, sizeof(digest)); |
1825 | 390 | hmac->final(hmac, output, PTLS_HASH_FINAL_MODE_FREE); |
1826 | | |
1827 | 390 | return 0; |
1828 | 390 | } |
1829 | | |
1830 | | static int verify_finished(ptls_t *tls, ptls_iovec_t message) |
1831 | 34 | { |
1832 | 34 | uint8_t verify_data[PTLS_MAX_DIGEST_SIZE]; |
1833 | 34 | int ret; |
1834 | | |
1835 | 34 | if (PTLS_HANDSHAKE_HEADER_SIZE + tls->key_schedule->hashes[0].algo->digest_size != message.len) { |
1836 | 20 | ret = PTLS_ALERT_DECODE_ERROR; |
1837 | 20 | goto Exit; |
1838 | 20 | } |
1839 | | |
1840 | 14 | if ((ret = calc_verify_data(verify_data, tls->key_schedule, tls->traffic_protection.dec.secret)) != 0) |
1841 | 0 | goto Exit; |
1842 | 14 | if (!ptls_mem_equal(message.base + PTLS_HANDSHAKE_HEADER_SIZE, verify_data, tls->key_schedule->hashes[0].algo->digest_size)) { |
1843 | 14 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
1844 | 14 | goto Exit; |
1845 | 14 | } |
1846 | | |
1847 | 34 | Exit: |
1848 | 34 | ptls_clear_memory(verify_data, sizeof(verify_data)); |
1849 | 34 | return ret; |
1850 | 14 | } |
1851 | | |
1852 | | static int send_finished(ptls_t *tls, ptls_message_emitter_t *emitter) |
1853 | 262 | { |
1854 | 262 | int ret; |
1855 | | |
1856 | 262 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_FINISHED, { |
1857 | 262 | if ((ret = ptls_buffer_reserve(emitter->buf, tls->key_schedule->hashes[0].algo->digest_size)) != 0) |
1858 | 262 | goto Exit; |
1859 | 262 | if ((ret = calc_verify_data(emitter->buf->base + emitter->buf->off, tls->key_schedule, |
1860 | 262 | tls->traffic_protection.enc.secret)) != 0) |
1861 | 262 | goto Exit; |
1862 | 262 | emitter->buf->off += tls->key_schedule->hashes[0].algo->digest_size; |
1863 | 262 | }); |
1864 | | |
1865 | 262 | Exit: |
1866 | 262 | return ret; |
1867 | 262 | } |
1868 | | |
1869 | | static int send_session_ticket(ptls_t *tls, ptls_message_emitter_t *emitter) |
1870 | 113 | { |
1871 | 113 | ptls_hash_context_t *msghash_backup = tls->key_schedule->hashes[0].ctx->clone_(tls->key_schedule->hashes[0].ctx); |
1872 | 113 | ptls_buffer_t session_id; |
1873 | 113 | char session_id_smallbuf[128]; |
1874 | 113 | uint32_t ticket_age_add; |
1875 | 113 | int ret = 0; |
1876 | | |
1877 | 113 | assert(tls->ctx->ticket_lifetime != 0); |
1878 | 113 | assert(tls->ctx->encrypt_ticket != NULL); |
1879 | | |
1880 | 113 | ptls_buffer_init(&session_id, session_id_smallbuf, sizeof(session_id_smallbuf)); |
1881 | | |
1882 | 113 | { /* calculate verify-data that will be sent by the client */ |
1883 | 113 | size_t orig_off = emitter->buf->off; |
1884 | 113 | if (tls->pending_handshake_secret != NULL && !tls->ctx->omit_end_of_early_data) { |
1885 | 0 | assert(tls->state == PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA); |
1886 | 0 | ptls_buffer_push_message_body(emitter->buf, tls->key_schedule, PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA, {}); |
1887 | 0 | emitter->buf->off = orig_off; |
1888 | 0 | } |
1889 | 113 | ptls_buffer_push_message_body(emitter->buf, tls->key_schedule, PTLS_HANDSHAKE_TYPE_FINISHED, { |
1890 | 113 | if ((ret = ptls_buffer_reserve(emitter->buf, tls->key_schedule->hashes[0].algo->digest_size)) != 0) |
1891 | 113 | goto Exit; |
1892 | 113 | if ((ret = calc_verify_data(emitter->buf->base + emitter->buf->off, tls->key_schedule, |
1893 | 113 | tls->pending_handshake_secret != NULL ? tls->pending_handshake_secret |
1894 | 113 | : tls->traffic_protection.dec.secret)) != 0) |
1895 | 113 | goto Exit; |
1896 | 113 | emitter->buf->off += tls->key_schedule->hashes[0].algo->digest_size; |
1897 | 113 | }); |
1898 | 113 | emitter->buf->off = orig_off; |
1899 | 113 | } |
1900 | | |
1901 | 0 | tls->ctx->random_bytes(&ticket_age_add, sizeof(ticket_age_add)); |
1902 | | |
1903 | | /* build the raw nsk */ |
1904 | 113 | if (tls->key_share != NULL && (ret = encode_session_identifier(tls->ctx, &session_id, ticket_age_add, ptls_iovec_init(NULL, 0), |
1905 | 113 | tls->key_schedule, tls->server_name, tls->key_share->id, |
1906 | 113 | tls->cipher_suite->id, tls->negotiated_protocol)) != 0) |
1907 | 0 | goto Exit; |
1908 | | |
1909 | | /* encrypt and send */ |
1910 | 113 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET, { |
1911 | 113 | ptls_buffer_push32(emitter->buf, tls->ctx->ticket_lifetime); |
1912 | 113 | ptls_buffer_push32(emitter->buf, ticket_age_add); |
1913 | 113 | ptls_buffer_push_block(emitter->buf, 1, {}); |
1914 | 113 | ptls_buffer_push_block(emitter->buf, 2, { |
1915 | 113 | if ((ret = tls->ctx->encrypt_ticket->cb(tls->ctx->encrypt_ticket, tls, 1, emitter->buf, |
1916 | 113 | ptls_iovec_init(session_id.base, session_id.off))) != 0) |
1917 | 113 | goto Exit; |
1918 | 113 | }); |
1919 | 113 | ptls_buffer_push_block(emitter->buf, 2, { |
1920 | 113 | if (tls->ctx->max_early_data_size != 0) |
1921 | 113 | buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_EARLY_DATA, |
1922 | 113 | { ptls_buffer_push32(emitter->buf, tls->ctx->max_early_data_size); }); |
1923 | 113 | }); |
1924 | 113 | }); |
1925 | | |
1926 | 113 | Exit: |
1927 | 113 | ptls_buffer_dispose(&session_id); |
1928 | | |
1929 | | /* restore handshake state */ |
1930 | 113 | tls->key_schedule->hashes[0].ctx->final(tls->key_schedule->hashes[0].ctx, NULL, PTLS_HASH_FINAL_MODE_FREE); |
1931 | 113 | tls->key_schedule->hashes[0].ctx = msghash_backup; |
1932 | | |
1933 | 113 | return ret; |
1934 | 113 | } |
1935 | | |
1936 | | static int push_change_cipher_spec(ptls_t *tls, ptls_message_emitter_t *emitter) |
1937 | 276 | { |
1938 | 276 | int ret; |
1939 | | |
1940 | | /* check if we are requested to (or still need to) */ |
1941 | 276 | if (!tls->send_change_cipher_spec) { |
1942 | 201 | ret = 0; |
1943 | 201 | goto Exit; |
1944 | 201 | } |
1945 | | |
1946 | | /* CCS is a record, can only be sent when using a record-based protocol. */ |
1947 | 75 | if (emitter->begin_message != begin_record_message) { |
1948 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
1949 | 0 | goto Exit; |
1950 | 0 | } |
1951 | | |
1952 | | /* emit CCS */ |
1953 | 75 | buffer_push_record(emitter->buf, PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, { ptls_buffer_push(emitter->buf, 1); }); |
1954 | | |
1955 | 75 | tls->send_change_cipher_spec = 0; |
1956 | 75 | ret = 0; |
1957 | 276 | Exit: |
1958 | 276 | return ret; |
1959 | 75 | } |
1960 | | |
1961 | | static int push_additional_extensions(ptls_handshake_properties_t *properties, ptls_buffer_t *sendbuf) |
1962 | 40.5k | { |
1963 | 40.5k | int ret; |
1964 | | |
1965 | 40.5k | if (properties != NULL && properties->additional_extensions != NULL) { |
1966 | 0 | ptls_raw_extension_t *ext; |
1967 | 0 | for (ext = properties->additional_extensions; ext->type != UINT16_MAX; ++ext) { |
1968 | 0 | buffer_push_extension(sendbuf, ext->type, { ptls_buffer_pushv(sendbuf, ext->data.base, ext->data.len); }); |
1969 | 0 | } |
1970 | 0 | } |
1971 | 40.5k | ret = 0; |
1972 | 40.5k | Exit: |
1973 | 40.5k | return ret; |
1974 | 40.5k | } |
1975 | | |
1976 | | static int push_signature_algorithms(ptls_verify_certificate_t *vc, ptls_buffer_t *sendbuf) |
1977 | 40.2k | { |
1978 | | /* The list sent when verify callback is not registered */ |
1979 | 40.2k | static const uint16_t default_algos[] = {PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256, PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256, |
1980 | 40.2k | PTLS_SIGNATURE_RSA_PKCS1_SHA256, PTLS_SIGNATURE_RSA_PKCS1_SHA1, UINT16_MAX}; |
1981 | 40.2k | int ret; |
1982 | | |
1983 | 40.2k | ptls_buffer_push_block(sendbuf, 2, { |
1984 | 40.2k | for (const uint16_t *p = vc != NULL ? vc->algos : default_algos; *p != UINT16_MAX; ++p) |
1985 | 40.2k | ptls_buffer_push16(sendbuf, *p); |
1986 | 40.2k | }); |
1987 | | |
1988 | 40.2k | ret = 0; |
1989 | 40.2k | Exit: |
1990 | 40.2k | return ret; |
1991 | 40.2k | } |
1992 | | |
1993 | | static int decode_signature_algorithms(struct st_ptls_signature_algorithms_t *sa, const uint8_t **src, const uint8_t *end) |
1994 | 409 | { |
1995 | 409 | int ret; |
1996 | | |
1997 | 409 | ptls_decode_block(*src, end, 2, { |
1998 | 409 | do { |
1999 | 409 | uint16_t id; |
2000 | 409 | if ((ret = ptls_decode16(&id, src, end)) != 0) |
2001 | 409 | goto Exit; |
2002 | 409 | if (sa->count < PTLS_ELEMENTSOF(sa->list)) |
2003 | 409 | sa->list[sa->count++] = id; |
2004 | 409 | } while (*src != end); |
2005 | 409 | }); |
2006 | | |
2007 | 306 | ret = 0; |
2008 | 409 | Exit: |
2009 | 409 | return ret; |
2010 | 306 | } |
2011 | | |
2012 | | /** |
2013 | | * @param hash optional argument for restricting the underlying hash algorithm |
2014 | | */ |
2015 | | static int select_cipher(ptls_cipher_suite_t **selected, ptls_cipher_suite_t **candidates, const uint8_t *src, |
2016 | | const uint8_t *const end, int server_preference, int server_chacha_priority, ptls_hash_algorithm_t *hash) |
2017 | 758 | { |
2018 | 758 | size_t found_index = SIZE_MAX; |
2019 | 758 | int ret; |
2020 | | |
2021 | 1.81k | while (src != end) { |
2022 | 1.78k | uint16_t id; |
2023 | 1.78k | if ((ret = ptls_decode16(&id, &src, end)) != 0) |
2024 | 0 | goto Exit; |
2025 | 4.39k | for (size_t i = 0; candidates[i] != NULL; ++i) { |
2026 | 3.33k | if (candidates[i]->id == id && (hash == NULL || candidates[i]->hash == hash)) { |
2027 | 723 | if (server_preference && !(server_chacha_priority && id == PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256)) { |
2028 | | /* preserve smallest matching index, and proceed to the next input */ |
2029 | 0 | if (i < found_index) { |
2030 | 0 | found_index = i; |
2031 | 0 | break; |
2032 | 0 | } |
2033 | 723 | } else { |
2034 | | /* return the pointer matching to the first input that can be used */ |
2035 | 723 | *selected = candidates[i]; |
2036 | 723 | goto Exit; |
2037 | 723 | } |
2038 | 723 | } |
2039 | 3.33k | } |
2040 | | /* first position of the server list matched (server_preference) */ |
2041 | 1.06k | if (found_index == 0) |
2042 | 0 | break; |
2043 | | /* server preference is overridden only if the first entry of client-provided list is chachapoly */ |
2044 | 1.06k | server_chacha_priority = 0; |
2045 | 1.06k | } |
2046 | 35 | if (found_index != SIZE_MAX) { |
2047 | 0 | *selected = candidates[found_index]; |
2048 | 0 | ret = 0; |
2049 | 35 | } else { |
2050 | 35 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
2051 | 35 | } |
2052 | | |
2053 | 758 | Exit: |
2054 | 758 | return ret; |
2055 | 35 | } |
2056 | | |
2057 | | static int push_key_share_entry(ptls_buffer_t *buf, uint16_t group, ptls_iovec_t pubkey) |
2058 | 40.2k | { |
2059 | 40.2k | int ret; |
2060 | | |
2061 | 40.2k | ptls_buffer_push16(buf, group); |
2062 | 40.2k | ptls_buffer_push_block(buf, 2, { ptls_buffer_pushv(buf, pubkey.base, pubkey.len); }); |
2063 | 40.2k | ret = 0; |
2064 | 40.2k | Exit: |
2065 | 40.2k | return ret; |
2066 | 40.2k | } |
2067 | | |
2068 | | static int decode_key_share_entry(uint16_t *group, ptls_iovec_t *key_exchange, const uint8_t **src, const uint8_t *const end) |
2069 | 2.68k | { |
2070 | 2.68k | int ret; |
2071 | | |
2072 | 2.68k | if ((ret = ptls_decode16(group, src, end)) != 0) |
2073 | 7 | goto Exit; |
2074 | 2.68k | ptls_decode_open_block(*src, end, 2, { |
2075 | 2.68k | *key_exchange = ptls_iovec_init(*src, end - *src); |
2076 | 2.68k | *src = end; |
2077 | 2.68k | }); |
2078 | | |
2079 | 2.68k | Exit: |
2080 | 2.68k | return ret; |
2081 | 2.68k | } |
2082 | | |
2083 | | static int select_key_share(ptls_key_exchange_algorithm_t **selected, ptls_iovec_t *peer_key, |
2084 | | ptls_key_exchange_algorithm_t **candidates, const uint8_t **src, const uint8_t *const end, |
2085 | | int expect_one) |
2086 | 567 | { |
2087 | 567 | int ret; |
2088 | | |
2089 | 567 | *selected = NULL; |
2090 | | |
2091 | 567 | if (expect_one && *src == end) { |
2092 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2093 | 0 | goto Exit; |
2094 | 0 | } |
2095 | | |
2096 | 2.03k | while (*src != end) { |
2097 | 1.51k | uint16_t group; |
2098 | 1.51k | ptls_iovec_t key; |
2099 | 1.51k | if ((ret = decode_key_share_entry(&group, &key, src, end)) != 0) |
2100 | 45 | goto Exit; |
2101 | 1.47k | ptls_key_exchange_algorithm_t **c = candidates; |
2102 | 2.94k | for (; *c != NULL; ++c) { |
2103 | 1.47k | if (*selected == NULL && (*c)->id == group) { |
2104 | 290 | *selected = *c; |
2105 | 290 | *peer_key = key; |
2106 | 290 | } |
2107 | 1.47k | } |
2108 | 1.47k | if (expect_one) { |
2109 | 0 | ret = *selected != NULL ? 0 : PTLS_ALERT_ILLEGAL_PARAMETER; |
2110 | 0 | goto Exit; |
2111 | 0 | } |
2112 | 1.47k | } |
2113 | | |
2114 | 522 | ret = 0; |
2115 | | |
2116 | 567 | Exit: |
2117 | 567 | return ret; |
2118 | 522 | } |
2119 | | |
2120 | | static int emit_server_name_extension(ptls_buffer_t *buf, const char *server_name) |
2121 | 0 | { |
2122 | 0 | int ret; |
2123 | |
|
2124 | 0 | ptls_buffer_push_block(buf, 2, { |
2125 | 0 | ptls_buffer_push(buf, PTLS_SERVER_NAME_TYPE_HOSTNAME); |
2126 | 0 | ptls_buffer_push_block(buf, 2, { ptls_buffer_pushv(buf, server_name, strlen(server_name)); }); |
2127 | 0 | }); |
2128 | | |
2129 | 0 | ret = 0; |
2130 | 0 | Exit: |
2131 | 0 | return ret; |
2132 | 0 | } |
2133 | | |
2134 | | /** |
2135 | | * Within the outer ECH extension, returns the number of bytes that preceeds the AEAD-encrypted payload. |
2136 | | */ |
2137 | | static inline size_t outer_ech_header_size(size_t enc_size) |
2138 | 0 | { |
2139 | 0 | return 10 + enc_size; |
2140 | 0 | } |
2141 | | |
2142 | | /** |
2143 | | * Flag to indicate which of ClientHelloInner, EncodedClientHelloInner, ClientHelloOuter is to be generated. When ECH is inactive, |
2144 | | * only ClientHelloInner is used. |
2145 | | */ |
2146 | | enum encode_ch_mode { ENCODE_CH_MODE_INNER, ENCODE_CH_MODE_ENCODED_INNER, ENCODE_CH_MODE_OUTER }; |
2147 | | |
2148 | | static int encode_client_hello(ptls_context_t *ctx, ptls_buffer_t *sendbuf, enum encode_ch_mode mode, int is_second_flight, |
2149 | | ptls_handshake_properties_t *properties, const void *client_random, |
2150 | | ptls_key_exchange_context_t *key_share_ctx, const char *sni_name, ptls_iovec_t legacy_session_id, |
2151 | | struct st_ptls_ech_t *ech, size_t *ech_size_offset, ptls_iovec_t ech_replay, ptls_iovec_t psk_secret, |
2152 | | ptls_iovec_t psk_identity, uint32_t obfuscated_ticket_age, size_t psk_binder_size, |
2153 | | ptls_iovec_t *cookie, int using_early_data) |
2154 | 40.2k | { |
2155 | 40.2k | int ret; |
2156 | | |
2157 | 40.2k | assert(mode == ENCODE_CH_MODE_INNER || ech != NULL); |
2158 | | |
2159 | 40.2k | ptls_buffer_push_message_body(sendbuf, NULL, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, { |
2160 | | /* legacy_version */ |
2161 | 40.2k | ptls_buffer_push16(sendbuf, 0x0303); |
2162 | | /* random_bytes */ |
2163 | 40.2k | ptls_buffer_pushv(sendbuf, client_random, PTLS_HELLO_RANDOM_SIZE); |
2164 | | /* lecagy_session_id */ |
2165 | 40.2k | ptls_buffer_push_block(sendbuf, 1, { |
2166 | 40.2k | if (mode != ENCODE_CH_MODE_ENCODED_INNER) |
2167 | 40.2k | ptls_buffer_pushv(sendbuf, legacy_session_id.base, legacy_session_id.len); |
2168 | 40.2k | }); |
2169 | | /* cipher_suites */ |
2170 | 40.2k | ptls_buffer_push_block(sendbuf, 2, { |
2171 | 40.2k | ptls_cipher_suite_t **cs = ctx->cipher_suites; |
2172 | 40.2k | for (; *cs != NULL; ++cs) |
2173 | 40.2k | ptls_buffer_push16(sendbuf, (*cs)->id); |
2174 | 40.2k | }); |
2175 | | /* legacy_compression_methods */ |
2176 | 40.2k | ptls_buffer_push_block(sendbuf, 1, { ptls_buffer_push(sendbuf, 0); }); |
2177 | | /* extensions */ |
2178 | 40.2k | ptls_buffer_push_block(sendbuf, 2, { |
2179 | 40.2k | if (mode == ENCODE_CH_MODE_OUTER) { |
2180 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, { |
2181 | 40.2k | size_t ext_payload_from = sendbuf->off; |
2182 | 40.2k | ptls_buffer_push(sendbuf, PTLS_ECH_CLIENT_HELLO_TYPE_OUTER); |
2183 | 40.2k | ptls_buffer_push16(sendbuf, ech->cipher->id.kdf); |
2184 | 40.2k | ptls_buffer_push16(sendbuf, ech->cipher->id.aead); |
2185 | 40.2k | ptls_buffer_push(sendbuf, ech->config_id); |
2186 | 40.2k | ptls_buffer_push_block(sendbuf, 2, { |
2187 | 40.2k | if (!is_second_flight) |
2188 | 40.2k | ptls_buffer_pushv(sendbuf, ech->client.enc.base, ech->client.enc.len); |
2189 | 40.2k | }); |
2190 | 40.2k | ptls_buffer_push_block(sendbuf, 2, { |
2191 | 40.2k | assert(sendbuf->off - ext_payload_from == |
2192 | 40.2k | outer_ech_header_size(is_second_flight ? 0 : ech->client.enc.len)); |
2193 | 40.2k | if ((ret = ptls_buffer_reserve(sendbuf, *ech_size_offset)) != 0) |
2194 | 40.2k | goto Exit; |
2195 | 40.2k | memset(sendbuf->base + sendbuf->off, 0, *ech_size_offset); |
2196 | 40.2k | sendbuf->off += *ech_size_offset; |
2197 | 40.2k | *ech_size_offset = sendbuf->off - *ech_size_offset; |
2198 | 40.2k | }); |
2199 | 40.2k | }); |
2200 | 40.2k | } else if (ech->aead != NULL) { |
2201 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, |
2202 | 40.2k | { ptls_buffer_push(sendbuf, PTLS_ECH_CLIENT_HELLO_TYPE_INNER); }); |
2203 | 40.2k | } else if (ech_replay.base != NULL) { |
2204 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, |
2205 | 40.2k | { ptls_buffer_pushv(sendbuf, ech_replay.base, ech_replay.len); }); |
2206 | 40.2k | } |
2207 | 40.2k | if (mode == ENCODE_CH_MODE_ENCODED_INNER) { |
2208 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ECH_OUTER_EXTENSIONS, { |
2209 | 40.2k | ptls_buffer_push_block(sendbuf, 1, { ptls_buffer_push16(sendbuf, PTLS_EXTENSION_TYPE_KEY_SHARE); }); |
2210 | 40.2k | }); |
2211 | 40.2k | } else { |
2212 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_KEY_SHARE, { |
2213 | 40.2k | ptls_buffer_push_block(sendbuf, 2, { |
2214 | 40.2k | if (key_share_ctx != NULL && |
2215 | 40.2k | (ret = push_key_share_entry(sendbuf, key_share_ctx->algo->id, key_share_ctx->pubkey)) != 0) |
2216 | 40.2k | goto Exit; |
2217 | 40.2k | }); |
2218 | 40.2k | }); |
2219 | 40.2k | } |
2220 | 40.2k | if (sni_name != NULL) { |
2221 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_NAME, { |
2222 | 40.2k | if ((ret = emit_server_name_extension(sendbuf, sni_name)) != 0) |
2223 | 40.2k | goto Exit; |
2224 | 40.2k | }); |
2225 | 40.2k | } |
2226 | 40.2k | if (properties != NULL && properties->client.negotiated_protocols.count != 0) { |
2227 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ALPN, { |
2228 | 40.2k | ptls_buffer_push_block(sendbuf, 2, { |
2229 | 40.2k | size_t i; |
2230 | 40.2k | for (i = 0; i != properties->client.negotiated_protocols.count; ++i) { |
2231 | 40.2k | ptls_buffer_push_block(sendbuf, 1, { |
2232 | 40.2k | ptls_iovec_t p = properties->client.negotiated_protocols.list[i]; |
2233 | 40.2k | ptls_buffer_pushv(sendbuf, p.base, p.len); |
2234 | 40.2k | }); |
2235 | 40.2k | } |
2236 | 40.2k | }); |
2237 | 40.2k | }); |
2238 | 40.2k | } |
2239 | 40.2k | if (ctx->decompress_certificate != NULL) { |
2240 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_COMPRESS_CERTIFICATE, { |
2241 | 40.2k | ptls_buffer_push_block(sendbuf, 1, { |
2242 | 40.2k | const uint16_t *algo = ctx->decompress_certificate->supported_algorithms; |
2243 | 40.2k | assert(*algo != UINT16_MAX); |
2244 | 40.2k | for (; *algo != UINT16_MAX; ++algo) |
2245 | 40.2k | ptls_buffer_push16(sendbuf, *algo); |
2246 | 40.2k | }); |
2247 | 40.2k | }); |
2248 | 40.2k | } |
2249 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS, { |
2250 | 40.2k | ptls_buffer_push_block(sendbuf, 1, { |
2251 | 40.2k | size_t i; |
2252 | 40.2k | for (i = 0; i != PTLS_ELEMENTSOF(supported_versions); ++i) |
2253 | 40.2k | ptls_buffer_push16(sendbuf, supported_versions[i]); |
2254 | 40.2k | }); |
2255 | 40.2k | }); |
2256 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS, { |
2257 | 40.2k | if ((ret = push_signature_algorithms(ctx->verify_certificate, sendbuf)) != 0) |
2258 | 40.2k | goto Exit; |
2259 | 40.2k | }); |
2260 | 40.2k | if (ctx->key_exchanges != NULL) { |
2261 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SUPPORTED_GROUPS, { |
2262 | 40.2k | ptls_key_exchange_algorithm_t **algo = ctx->key_exchanges; |
2263 | 40.2k | ptls_buffer_push_block(sendbuf, 2, { |
2264 | 40.2k | for (; *algo != NULL; ++algo) |
2265 | 40.2k | ptls_buffer_push16(sendbuf, (*algo)->id); |
2266 | 40.2k | }); |
2267 | 40.2k | }); |
2268 | 40.2k | } |
2269 | 40.2k | if (cookie != NULL && cookie->base != NULL) { |
2270 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_COOKIE, { |
2271 | 40.2k | ptls_buffer_push_block(sendbuf, 2, { ptls_buffer_pushv(sendbuf, cookie->base, cookie->len); }); |
2272 | 40.2k | }); |
2273 | 40.2k | } |
2274 | 40.2k | if (ctx->use_raw_public_keys) { |
2275 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE, { |
2276 | 40.2k | ptls_buffer_push_block(sendbuf, 1, { ptls_buffer_push(sendbuf, PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY); }); |
2277 | 40.2k | }); |
2278 | 40.2k | } |
2279 | 40.2k | if (ctx->save_ticket != NULL && |
2280 | 40.2k | (ctx->ticket_requests.client.new_session_count != 0 || ctx->ticket_requests.client.resumption_count != 0)) { |
2281 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_TICKET_REQUEST, { |
2282 | 40.2k | ptls_buffer_push(sendbuf, ctx->ticket_requests.client.new_session_count, |
2283 | 40.2k | ctx->ticket_requests.client.resumption_count); |
2284 | 40.2k | }); |
2285 | 40.2k | } |
2286 | 40.2k | if ((ret = push_additional_extensions(properties, sendbuf)) != 0) |
2287 | 40.2k | goto Exit; |
2288 | 40.2k | if (ctx->save_ticket != NULL || psk_secret.base != NULL) { |
2289 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_PSK_KEY_EXCHANGE_MODES, { |
2290 | 40.2k | ptls_buffer_push_block(sendbuf, 1, { |
2291 | 40.2k | if (!ctx->require_dhe_on_psk) |
2292 | 40.2k | ptls_buffer_push(sendbuf, PTLS_PSK_KE_MODE_PSK); |
2293 | 40.2k | ptls_buffer_push(sendbuf, PTLS_PSK_KE_MODE_PSK_DHE); |
2294 | 40.2k | }); |
2295 | 40.2k | }); |
2296 | 40.2k | } |
2297 | 40.2k | if (psk_secret.base != NULL) { |
2298 | 40.2k | if (using_early_data && !is_second_flight) |
2299 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_EARLY_DATA, {}); |
2300 | | /* pre-shared key "MUST be the last extension in the ClientHello" (draft-17 section 4.2.6) */ |
2301 | 40.2k | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_PRE_SHARED_KEY, { |
2302 | 40.2k | ptls_buffer_push_block(sendbuf, 2, { |
2303 | 40.2k | ptls_buffer_push_block(sendbuf, 2, { |
2304 | 40.2k | if (mode == ENCODE_CH_MODE_OUTER) { |
2305 | 40.2k | if ((ret = ptls_buffer_reserve(sendbuf, psk_identity.len)) != 0) |
2306 | 40.2k | goto Exit; |
2307 | 40.2k | ctx->random_bytes(sendbuf->base + sendbuf->off, psk_identity.len); |
2308 | 40.2k | sendbuf->off += psk_identity.len; |
2309 | 40.2k | } else { |
2310 | 40.2k | ptls_buffer_pushv(sendbuf, psk_identity.base, psk_identity.len); |
2311 | 40.2k | } |
2312 | 40.2k | }); |
2313 | 40.2k | uint32_t age; |
2314 | 40.2k | if (mode == ENCODE_CH_MODE_OUTER) { |
2315 | 40.2k | ctx->random_bytes(&age, sizeof(age)); |
2316 | 40.2k | } else { |
2317 | 40.2k | age = obfuscated_ticket_age; |
2318 | 40.2k | } |
2319 | 40.2k | ptls_buffer_push32(sendbuf, age); |
2320 | 40.2k | }); |
2321 | | /* allocate space for PSK binder. The space is filled initially filled by a random value (meeting the |
2322 | | * requirement of ClientHelloOuter), and later gets filled with the correct binder value if necessary. */ |
2323 | 40.2k | ptls_buffer_push_block(sendbuf, 2, { |
2324 | 40.2k | ptls_buffer_push_block(sendbuf, 1, { |
2325 | 40.2k | if ((ret = ptls_buffer_reserve(sendbuf, psk_binder_size)) != 0) |
2326 | 40.2k | goto Exit; |
2327 | 40.2k | ctx->random_bytes(sendbuf->base + sendbuf->off, psk_binder_size); |
2328 | 40.2k | sendbuf->off += psk_binder_size; |
2329 | 40.2k | }); |
2330 | 40.2k | }); |
2331 | 40.2k | }); |
2332 | 40.2k | } |
2333 | 40.2k | }); |
2334 | 40.2k | }); |
2335 | | |
2336 | 40.2k | Exit: |
2337 | 40.2k | return ret; |
2338 | 40.2k | } |
2339 | | |
2340 | | static int send_client_hello(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_handshake_properties_t *properties, |
2341 | | ptls_iovec_t *cookie) |
2342 | 40.2k | { |
2343 | 40.2k | struct { |
2344 | 40.2k | ptls_iovec_t secret; |
2345 | 40.2k | ptls_iovec_t identity; |
2346 | 40.2k | const char *label; |
2347 | 40.2k | } psk = {{NULL}}; |
2348 | 40.2k | uint32_t obfuscated_ticket_age = 0; |
2349 | 40.2k | const char *sni_name = NULL; |
2350 | 40.2k | size_t mess_start, msghash_off; |
2351 | 40.2k | uint8_t binder_key[PTLS_MAX_DIGEST_SIZE]; |
2352 | 40.2k | ptls_buffer_t encoded_ch_inner; |
2353 | 40.2k | int ret, is_second_flight = tls->key_schedule != NULL; |
2354 | | |
2355 | 40.2k | ptls_buffer_init(&encoded_ch_inner, "", 0); |
2356 | | |
2357 | 40.2k | if (tls->server_name != NULL && !ptls_server_name_is_ipaddr(tls->server_name)) |
2358 | 0 | sni_name = tls->server_name; |
2359 | | |
2360 | | /* try to use ECH (ignore broken ECHConfigList; it is delivered insecurely) */ |
2361 | 40.2k | if (properties != NULL) { |
2362 | 40.2k | if (!is_second_flight && sni_name != NULL && tls->ctx->ech.client.ciphers != NULL) { |
2363 | 0 | if (properties->client.ech.configs.len != 0) { |
2364 | 0 | struct st_decoded_ech_config_t decoded; |
2365 | 0 | client_decode_ech_config_list(tls->ctx, &decoded, properties->client.ech.configs); |
2366 | 0 | if (decoded.kem != NULL && decoded.cipher != NULL) { |
2367 | 0 | if ((ret = client_setup_ech(&tls->ech, &decoded, tls->ctx->random_bytes)) != 0) |
2368 | 0 | goto Exit; |
2369 | 0 | } |
2370 | 0 | } else { |
2371 | | /* zero-length config indicates ECH greasing */ |
2372 | 0 | client_setup_ech_grease(&tls->ech, tls->ctx->random_bytes, tls->ctx->ech.client.kems, tls->ctx->ech.client.ciphers, |
2373 | 0 | sni_name); |
2374 | 0 | } |
2375 | 0 | } |
2376 | 40.2k | } |
2377 | | |
2378 | | /* use external PSK if provided */ |
2379 | 40.2k | if (tls->ctx->pre_shared_key.identity.base != NULL) { |
2380 | 0 | if (!is_second_flight) { |
2381 | 0 | tls->client.offered_psk = 1; |
2382 | 0 | for (size_t i = 0; tls->ctx->cipher_suites[i] != NULL; ++i) { |
2383 | 0 | if (tls->ctx->cipher_suites[i]->hash == tls->ctx->pre_shared_key.hash) { |
2384 | 0 | tls->cipher_suite = tls->ctx->cipher_suites[i]; |
2385 | 0 | break; |
2386 | 0 | } |
2387 | 0 | } |
2388 | 0 | assert(tls->cipher_suite != NULL && "no compatible cipher-suite provided that matches psk.hash"); |
2389 | 0 | if (properties != NULL && properties->client.max_early_data_size != NULL) { |
2390 | 0 | tls->client.using_early_data = 1; |
2391 | 0 | *properties->client.max_early_data_size = SIZE_MAX; |
2392 | 0 | } |
2393 | 0 | } else { |
2394 | 0 | assert(tls->cipher_suite != NULL && tls->cipher_suite->hash == tls->ctx->pre_shared_key.hash); |
2395 | 0 | } |
2396 | 0 | psk.secret = tls->ctx->pre_shared_key.secret; |
2397 | 0 | psk.identity = tls->ctx->pre_shared_key.identity; |
2398 | 0 | psk.label = "ext binder"; |
2399 | 0 | } |
2400 | | |
2401 | | /* try to setup resumption-related data, unless external PSK is used */ |
2402 | 40.2k | if (psk.secret.base == NULL && properties != NULL && properties->client.session_ticket.base != NULL && |
2403 | 40.2k | tls->ctx->key_exchanges != NULL) { |
2404 | 0 | ptls_key_exchange_algorithm_t *key_share = NULL; |
2405 | 0 | ptls_cipher_suite_t *cipher_suite = NULL; |
2406 | 0 | uint32_t max_early_data_size; |
2407 | 0 | if (decode_stored_session_ticket(tls, &key_share, &cipher_suite, &psk.secret, &obfuscated_ticket_age, &psk.identity, |
2408 | 0 | &max_early_data_size, properties->client.session_ticket.base, |
2409 | 0 | properties->client.session_ticket.base + properties->client.session_ticket.len) == 0) { |
2410 | 0 | psk.label = "res binder"; |
2411 | 0 | tls->client.offered_psk = 1; |
2412 | | /* key-share selected by HRR should not be overridden */ |
2413 | 0 | if (tls->key_share == NULL) |
2414 | 0 | tls->key_share = key_share; |
2415 | 0 | tls->cipher_suite = cipher_suite; |
2416 | 0 | if (!is_second_flight && max_early_data_size != 0 && properties->client.max_early_data_size != NULL) { |
2417 | 0 | tls->client.using_early_data = 1; |
2418 | 0 | *properties->client.max_early_data_size = max_early_data_size; |
2419 | 0 | } |
2420 | 0 | } else { |
2421 | 0 | psk.secret = ptls_iovec_init(NULL, 0); |
2422 | 0 | } |
2423 | 0 | } |
2424 | | |
2425 | | /* send 0-RTT related signals back to the client */ |
2426 | 40.2k | if (properties != NULL) { |
2427 | 40.2k | if (tls->client.using_early_data) { |
2428 | 0 | properties->client.early_data_acceptance = PTLS_EARLY_DATA_ACCEPTANCE_UNKNOWN; |
2429 | 40.2k | } else { |
2430 | 40.2k | if (properties->client.max_early_data_size != NULL) |
2431 | 0 | *properties->client.max_early_data_size = 0; |
2432 | 40.2k | properties->client.early_data_acceptance = PTLS_EARLY_DATA_REJECTED; |
2433 | 40.2k | } |
2434 | 40.2k | } |
2435 | | |
2436 | | /* use the default key share if still not undetermined */ |
2437 | 40.2k | if (tls->key_share == NULL && tls->ctx->key_exchanges != NULL && |
2438 | 40.2k | !(properties != NULL && properties->client.negotiate_before_key_exchange)) |
2439 | 2.21k | tls->key_share = tls->ctx->key_exchanges[0]; |
2440 | | |
2441 | | /* instantiate key share context */ |
2442 | 40.2k | assert(tls->client.key_share_ctx == NULL); |
2443 | 40.2k | if (tls->key_share != NULL) { |
2444 | 40.2k | if ((ret = tls->key_share->create(tls->key_share, &tls->client.key_share_ctx)) != 0) |
2445 | 0 | goto Exit; |
2446 | 40.2k | } |
2447 | | |
2448 | | /* initialize key schedule */ |
2449 | 40.2k | if (!is_second_flight) { |
2450 | 2.21k | if ((tls->key_schedule = key_schedule_new(tls->cipher_suite, tls->ctx->cipher_suites, tls->ech.aead != NULL)) == NULL) { |
2451 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
2452 | 0 | goto Exit; |
2453 | 0 | } |
2454 | 2.21k | if ((ret = key_schedule_extract(tls->key_schedule, psk.secret)) != 0) |
2455 | 0 | goto Exit; |
2456 | 2.21k | } |
2457 | | |
2458 | | /* start generating CH */ |
2459 | 40.2k | if ((ret = emitter->begin_message(emitter)) != 0) |
2460 | 0 | goto Exit; |
2461 | 40.2k | mess_start = msghash_off = emitter->buf->off; |
2462 | | |
2463 | | /* generate true (inner) CH */ |
2464 | 40.2k | if ((ret = encode_client_hello(tls->ctx, emitter->buf, ENCODE_CH_MODE_INNER, is_second_flight, properties, |
2465 | 40.2k | tls->ech.aead != NULL ? tls->ech.inner_client_random : tls->client_random, |
2466 | 40.2k | tls->client.key_share_ctx, sni_name, tls->client.legacy_session_id, &tls->ech, NULL, |
2467 | 40.2k | tls->ech.client.first_ech, psk.secret, psk.identity, obfuscated_ticket_age, |
2468 | 40.2k | tls->key_schedule->hashes[0].algo->digest_size, cookie, tls->client.using_early_data)) != 0) |
2469 | 0 | goto Exit; |
2470 | | |
2471 | | /* update the message hash, filling in the PSK binder HMAC if necessary */ |
2472 | 40.2k | if (psk.secret.base != NULL) { |
2473 | 0 | size_t psk_binder_off = emitter->buf->off - (3 + tls->key_schedule->hashes[0].algo->digest_size); |
2474 | 0 | if ((ret = derive_secret_with_empty_digest(tls->key_schedule, binder_key, psk.label)) != 0) |
2475 | 0 | goto Exit; |
2476 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, emitter->buf->base + msghash_off, psk_binder_off - msghash_off, 0); |
2477 | 0 | msghash_off = psk_binder_off; |
2478 | 0 | if ((ret = calc_verify_data(emitter->buf->base + psk_binder_off + 3, tls->key_schedule, binder_key)) != 0) |
2479 | 0 | goto Exit; |
2480 | 0 | } |
2481 | 40.2k | ptls__key_schedule_update_hash(tls->key_schedule, emitter->buf->base + msghash_off, emitter->buf->off - msghash_off, 0); |
2482 | | |
2483 | | /* ECH */ |
2484 | 40.2k | if (tls->ech.aead != NULL) { |
2485 | | /* build EncodedCHInner */ |
2486 | 0 | if ((ret = encode_client_hello(tls->ctx, &encoded_ch_inner, ENCODE_CH_MODE_ENCODED_INNER, is_second_flight, properties, |
2487 | 0 | tls->ech.inner_client_random, tls->client.key_share_ctx, sni_name, |
2488 | 0 | tls->client.legacy_session_id, &tls->ech, NULL, ptls_iovec_init(NULL, 0), psk.secret, |
2489 | 0 | psk.identity, obfuscated_ticket_age, tls->key_schedule->hashes[0].algo->digest_size, cookie, |
2490 | 0 | tls->client.using_early_data)) != 0) |
2491 | 0 | goto Exit; |
2492 | 0 | if (psk.secret.base != NULL) |
2493 | 0 | memcpy(encoded_ch_inner.base + encoded_ch_inner.off - tls->key_schedule->hashes[0].algo->digest_size, |
2494 | 0 | emitter->buf->base + emitter->buf->off - tls->key_schedule->hashes[0].algo->digest_size, |
2495 | 0 | tls->key_schedule->hashes[0].algo->digest_size); |
2496 | 0 | { /* pad EncodedCHInner (following draft-ietf-tls-esni-15 6.1.3) */ |
2497 | 0 | size_t padding_len; |
2498 | 0 | if (sni_name != NULL) { |
2499 | 0 | padding_len = strlen(sni_name); |
2500 | 0 | if (padding_len < tls->ech.client.max_name_length) |
2501 | 0 | padding_len = tls->ech.client.max_name_length; |
2502 | 0 | } else { |
2503 | 0 | padding_len = tls->ech.client.max_name_length + 9; |
2504 | 0 | } |
2505 | 0 | size_t final_len = encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE + padding_len; |
2506 | 0 | final_len = (final_len + 31) / 32 * 32; |
2507 | 0 | padding_len = final_len - (encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE); |
2508 | 0 | if (padding_len != 0) { |
2509 | 0 | if ((ret = ptls_buffer_reserve(&encoded_ch_inner, padding_len)) != 0) |
2510 | 0 | goto Exit; |
2511 | 0 | memset(encoded_ch_inner.base + encoded_ch_inner.off, 0, padding_len); |
2512 | 0 | encoded_ch_inner.off += padding_len; |
2513 | 0 | } |
2514 | 0 | } |
2515 | | /* flush CHInner, build CHOuterAAD */ |
2516 | 0 | emitter->buf->off = mess_start; |
2517 | 0 | size_t ech_payload_size = encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE + tls->ech.aead->algo->tag_size, |
2518 | 0 | ech_size_offset = ech_payload_size; |
2519 | 0 | if ((ret = encode_client_hello(tls->ctx, emitter->buf, ENCODE_CH_MODE_OUTER, is_second_flight, properties, |
2520 | 0 | tls->client_random, tls->client.key_share_ctx, tls->ech.client.public_name, |
2521 | 0 | tls->client.legacy_session_id, &tls->ech, &ech_size_offset, ptls_iovec_init(NULL, 0), |
2522 | 0 | psk.secret, psk.identity, obfuscated_ticket_age, |
2523 | 0 | tls->key_schedule->hashes[0].algo->digest_size, cookie, tls->client.using_early_data)) != 0) |
2524 | 0 | goto Exit; |
2525 | | /* overwrite ECH payload */ |
2526 | 0 | ptls_aead_encrypt(tls->ech.aead, emitter->buf->base + ech_size_offset, encoded_ch_inner.base + PTLS_HANDSHAKE_HEADER_SIZE, |
2527 | 0 | encoded_ch_inner.off - PTLS_HANDSHAKE_HEADER_SIZE, is_second_flight, |
2528 | 0 | emitter->buf->base + mess_start + PTLS_HANDSHAKE_HEADER_SIZE, |
2529 | 0 | emitter->buf->off - (mess_start + PTLS_HANDSHAKE_HEADER_SIZE)); |
2530 | | /* keep the copy of the 1st ECH extension so that we can send it again in 2nd CH in response to rejection with HRR */ |
2531 | 0 | if (!is_second_flight) { |
2532 | 0 | size_t len = outer_ech_header_size(tls->ech.client.enc.len) + ech_payload_size; |
2533 | 0 | if ((tls->ech.client.first_ech.base = malloc(len)) == NULL) { |
2534 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
2535 | 0 | goto Exit; |
2536 | 0 | } |
2537 | 0 | memcpy(tls->ech.client.first_ech.base, |
2538 | 0 | emitter->buf->base + ech_size_offset - outer_ech_header_size(tls->ech.client.enc.len), len); |
2539 | 0 | tls->ech.client.first_ech.len = len; |
2540 | 0 | if (properties->client.ech.configs.len != 0) { |
2541 | 0 | tls->ech.offered = 1; |
2542 | 0 | } else { |
2543 | 0 | tls->ech.offered_grease = 1; |
2544 | 0 | } |
2545 | 0 | } |
2546 | | /* update hash */ |
2547 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, emitter->buf->base + mess_start, emitter->buf->off - mess_start, 1); |
2548 | 0 | } |
2549 | | |
2550 | | /* commit CH to the record layer */ |
2551 | 40.2k | if ((ret = emitter->commit_message(emitter)) != 0) |
2552 | 0 | goto Exit; |
2553 | | |
2554 | 40.2k | if (tls->client.using_early_data) { |
2555 | 0 | assert(!is_second_flight); |
2556 | 0 | if ((ret = setup_traffic_protection(tls, 1, "c e traffic", 1, 0, 0)) != 0) |
2557 | 0 | goto Exit; |
2558 | 0 | if ((ret = push_change_cipher_spec(tls, emitter)) != 0) |
2559 | 0 | goto Exit; |
2560 | 0 | } |
2561 | 40.2k | if (psk.secret.base != NULL && !is_second_flight) { |
2562 | 0 | if ((ret = derive_exporter_secret(tls, 1)) != 0) |
2563 | 0 | goto Exit; |
2564 | 0 | } |
2565 | 40.2k | tls->state = cookie == NULL ? PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO : PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO; |
2566 | 40.2k | ret = PTLS_ERROR_IN_PROGRESS; |
2567 | | |
2568 | 40.2k | Exit: |
2569 | 40.2k | ptls_buffer_dispose(&encoded_ch_inner); |
2570 | 40.2k | ptls_clear_memory(binder_key, sizeof(binder_key)); |
2571 | 40.2k | return ret; |
2572 | 40.2k | } |
2573 | | |
2574 | | ptls_cipher_suite_t *ptls_find_cipher_suite(ptls_cipher_suite_t **cipher_suites, uint16_t id) |
2575 | 39.6k | { |
2576 | 39.6k | ptls_cipher_suite_t **cs; |
2577 | 39.6k | if (cipher_suites == NULL) |
2578 | 0 | return NULL; |
2579 | 39.7k | for (cs = cipher_suites; *cs != NULL && (*cs)->id != id; ++cs) |
2580 | 54 | ; |
2581 | 39.6k | return *cs; |
2582 | 39.6k | } |
2583 | | |
2584 | | static int decode_server_hello(ptls_t *tls, struct st_ptls_server_hello_t *sh, const uint8_t *src, const uint8_t *const end) |
2585 | 39.8k | { |
2586 | 39.8k | int ret; |
2587 | | |
2588 | 39.8k | *sh = (struct st_ptls_server_hello_t){{0}}; |
2589 | | |
2590 | | /* ignore legacy-version */ |
2591 | 39.8k | if (end - src < 2) { |
2592 | 8 | ret = PTLS_ALERT_DECODE_ERROR; |
2593 | 8 | goto Exit; |
2594 | 8 | } |
2595 | 39.8k | src += 2; |
2596 | | |
2597 | | /* random */ |
2598 | 39.8k | if (end - src < PTLS_HELLO_RANDOM_SIZE) { |
2599 | 10 | ret = PTLS_ALERT_DECODE_ERROR; |
2600 | 10 | goto Exit; |
2601 | 10 | } |
2602 | 39.8k | sh->is_retry_request = memcmp(src, hello_retry_random, PTLS_HELLO_RANDOM_SIZE) == 0; |
2603 | 39.8k | src += PTLS_HELLO_RANDOM_SIZE; |
2604 | | |
2605 | | /* legacy_session_id */ |
2606 | 39.8k | ptls_decode_open_block(src, end, 1, { |
2607 | 39.8k | if (end - src > 32) { |
2608 | 39.8k | ret = PTLS_ALERT_DECODE_ERROR; |
2609 | 39.8k | goto Exit; |
2610 | 39.8k | } |
2611 | 39.8k | sh->legacy_session_id = ptls_iovec_init(src, end - src); |
2612 | 39.8k | src = end; |
2613 | 39.8k | }); |
2614 | | |
2615 | 39.6k | { /* select cipher_suite */ |
2616 | 39.6k | uint16_t csid; |
2617 | 39.6k | if ((ret = ptls_decode16(&csid, &src, end)) != 0) |
2618 | 4 | goto Exit; |
2619 | 39.6k | if ((tls->cipher_suite = ptls_find_cipher_suite(tls->ctx->cipher_suites, csid)) == NULL) { |
2620 | 54 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2621 | 54 | goto Exit; |
2622 | 54 | } |
2623 | 39.6k | } |
2624 | | |
2625 | 39.6k | { /* legacy_compression_method */ |
2626 | 39.6k | uint8_t method; |
2627 | 39.6k | if ((ret = ptls_decode8(&method, &src, end)) != 0) |
2628 | 6 | goto Exit; |
2629 | 39.6k | if (method != 0) { |
2630 | 10 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2631 | 10 | goto Exit; |
2632 | 10 | } |
2633 | 39.6k | } |
2634 | | |
2635 | 39.5k | if (sh->is_retry_request) |
2636 | 38.1k | sh->retry_request.selected_group = UINT16_MAX; |
2637 | | |
2638 | 39.5k | uint16_t exttype, found_version = UINT16_MAX, selected_psk_identity = UINT16_MAX; |
2639 | 39.5k | decode_extensions(src, end, sh->is_retry_request ? PTLS_HANDSHAKE_TYPE_PSEUDO_HRR : PTLS_HANDSHAKE_TYPE_SERVER_HELLO, &exttype, |
2640 | 39.5k | { |
2641 | 39.5k | if (tls->ctx->on_extension != NULL && |
2642 | 39.5k | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_SERVER_HELLO, |
2643 | 39.5k | exttype, ptls_iovec_init(src, end - src)) != 0)) |
2644 | 39.5k | goto Exit; |
2645 | 39.5k | switch (exttype) { |
2646 | 39.5k | case PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS: |
2647 | 39.5k | if ((ret = ptls_decode16(&found_version, &src, end)) != 0) |
2648 | 39.5k | goto Exit; |
2649 | 39.5k | break; |
2650 | 39.5k | case PTLS_EXTENSION_TYPE_KEY_SHARE: |
2651 | 39.5k | if (tls->ctx->key_exchanges == NULL) { |
2652 | 39.5k | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
2653 | 39.5k | goto Exit; |
2654 | 39.5k | } |
2655 | 39.5k | if (sh->is_retry_request) { |
2656 | 39.5k | if ((ret = ptls_decode16(&sh->retry_request.selected_group, &src, end)) != 0) |
2657 | 39.5k | goto Exit; |
2658 | 39.5k | } else { |
2659 | 39.5k | uint16_t group; |
2660 | 39.5k | if ((ret = decode_key_share_entry(&group, &sh->peerkey, &src, end)) != 0) |
2661 | 39.5k | goto Exit; |
2662 | 39.5k | if (src != end) { |
2663 | 39.5k | ret = PTLS_ALERT_DECODE_ERROR; |
2664 | 39.5k | goto Exit; |
2665 | 39.5k | } |
2666 | 39.5k | if (tls->key_share == NULL || tls->key_share->id != group) { |
2667 | 39.5k | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2668 | 39.5k | goto Exit; |
2669 | 39.5k | } |
2670 | 39.5k | } |
2671 | 39.5k | break; |
2672 | 39.5k | case PTLS_EXTENSION_TYPE_COOKIE: |
2673 | 39.5k | assert(sh->is_retry_request); |
2674 | 39.5k | ptls_decode_block(src, end, 2, { |
2675 | 39.5k | if (src == end) { |
2676 | 39.5k | ret = PTLS_ALERT_DECODE_ERROR; |
2677 | 39.5k | goto Exit; |
2678 | 39.5k | } |
2679 | 39.5k | sh->retry_request.cookie = ptls_iovec_init(src, end - src); |
2680 | 39.5k | src = end; |
2681 | 39.5k | }); |
2682 | 39.5k | break; |
2683 | 39.5k | case PTLS_EXTENSION_TYPE_PRE_SHARED_KEY: |
2684 | 39.5k | assert(!sh->is_retry_request); |
2685 | 39.5k | if ((ret = ptls_decode16(&selected_psk_identity, &src, end)) != 0) |
2686 | 39.5k | goto Exit; |
2687 | 39.5k | break; |
2688 | 39.5k | case PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO: |
2689 | 39.5k | assert(sh->is_retry_request); |
2690 | 39.5k | if (!(tls->ech.offered || tls->ech.offered_grease)) { |
2691 | 39.5k | ret = PTLS_ALERT_UNSUPPORTED_EXTENSION; |
2692 | 39.5k | goto Exit; |
2693 | 39.5k | } |
2694 | 39.5k | if (end - src != PTLS_ECH_CONFIRM_LENGTH) { |
2695 | 39.5k | ret = PTLS_ALERT_DECODE_ERROR; |
2696 | 39.5k | goto Exit; |
2697 | 39.5k | } |
2698 | 39.5k | sh->retry_request.ech = src; |
2699 | 39.5k | src = end; |
2700 | 39.5k | break; |
2701 | 39.5k | default: |
2702 | 39.5k | src = end; |
2703 | 39.5k | break; |
2704 | 39.5k | } |
2705 | 39.5k | }); |
2706 | | |
2707 | 39.2k | if (!is_supported_version(found_version)) { |
2708 | 56 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2709 | 56 | goto Exit; |
2710 | 56 | } |
2711 | 39.1k | if (!sh->is_retry_request) { |
2712 | 1.14k | if (selected_psk_identity != UINT16_MAX) { |
2713 | 25 | if (!tls->client.offered_psk) { |
2714 | 25 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2715 | 25 | goto Exit; |
2716 | 25 | } |
2717 | 0 | if (selected_psk_identity != 0) { |
2718 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2719 | 0 | goto Exit; |
2720 | 0 | } |
2721 | 0 | tls->is_psk_handshake = 1; |
2722 | 0 | } |
2723 | 1.12k | if (sh->peerkey.base == NULL && !tls->is_psk_handshake) { |
2724 | 6 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2725 | 6 | goto Exit; |
2726 | 6 | } |
2727 | 1.12k | } |
2728 | | |
2729 | 39.1k | ret = 0; |
2730 | 39.8k | Exit: |
2731 | 39.8k | return ret; |
2732 | 39.1k | } |
2733 | | |
2734 | | static int handle_hello_retry_request(ptls_t *tls, ptls_message_emitter_t *emitter, struct st_ptls_server_hello_t *sh, |
2735 | | ptls_iovec_t message, ptls_handshake_properties_t *properties) |
2736 | 38.0k | { |
2737 | 38.0k | int ret; |
2738 | | |
2739 | 38.0k | if (tls->client.key_share_ctx != NULL) { |
2740 | 38.0k | tls->client.key_share_ctx->on_exchange(&tls->client.key_share_ctx, 1, NULL, ptls_iovec_init(NULL, 0)); |
2741 | 38.0k | tls->client.key_share_ctx = NULL; |
2742 | 38.0k | } |
2743 | 38.0k | if (tls->client.using_early_data) { |
2744 | | /* release traffic encryption key so that 2nd CH goes out in cleartext, but keep the epoch at 1 since we've already |
2745 | | * called derive-secret */ |
2746 | 0 | if (tls->ctx->update_traffic_key == NULL) { |
2747 | 0 | assert(tls->traffic_protection.enc.aead != NULL); |
2748 | 0 | ptls_aead_free(tls->traffic_protection.enc.aead); |
2749 | 0 | tls->traffic_protection.enc.aead = NULL; |
2750 | 0 | } |
2751 | 0 | tls->client.using_early_data = 0; |
2752 | 0 | } |
2753 | | |
2754 | 38.0k | if (sh->retry_request.selected_group != UINT16_MAX) { |
2755 | | /* we offer the first key_exchanges[0] as KEY_SHARE unless client.negotiate_before_key_exchange is set */ |
2756 | 258 | ptls_key_exchange_algorithm_t **cand; |
2757 | 286 | for (cand = tls->ctx->key_exchanges; *cand != NULL; ++cand) |
2758 | 258 | if ((*cand)->id == sh->retry_request.selected_group) |
2759 | 230 | break; |
2760 | 258 | if (*cand == NULL) { |
2761 | 28 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2762 | 28 | goto Exit; |
2763 | 28 | } |
2764 | 230 | tls->key_share = *cand; |
2765 | 37.7k | } else if (tls->key_share != NULL) { |
2766 | | /* retain the key-share using in first CH, if server does not specify one */ |
2767 | 37.7k | } else { |
2768 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2769 | 0 | goto Exit; |
2770 | 0 | } |
2771 | | |
2772 | 38.0k | ret = send_client_hello(tls, emitter, properties, &sh->retry_request.cookie); |
2773 | | |
2774 | 38.0k | Exit: |
2775 | 38.0k | return ret; |
2776 | 38.0k | } |
2777 | | |
2778 | | static int client_ech_select_hello(ptls_t *tls, ptls_iovec_t message, size_t confirm_hash_off, const char *label) |
2779 | 0 | { |
2780 | 0 | uint8_t confirm_hash_delivered[PTLS_ECH_CONFIRM_LENGTH], confirm_hash_expected[PTLS_ECH_CONFIRM_LENGTH]; |
2781 | 0 | int ret = 0; |
2782 | | |
2783 | | /* Determine if ECH has been accepted by checking the confirmation hash. `confirm_hash_off` set to zero indicates that HRR was |
2784 | | * received wo. ECH extension, which is an indication that ECH was rejected. */ |
2785 | 0 | if (confirm_hash_off != 0) { |
2786 | 0 | memcpy(confirm_hash_delivered, message.base + confirm_hash_off, sizeof(confirm_hash_delivered)); |
2787 | 0 | memset(message.base + confirm_hash_off, 0, sizeof(confirm_hash_delivered)); |
2788 | 0 | if ((ret = ech_calc_confirmation(tls->key_schedule, confirm_hash_expected, tls->ech.inner_client_random, label, message)) != |
2789 | 0 | 0) |
2790 | 0 | goto Exit; |
2791 | 0 | tls->ech.accepted = ptls_mem_equal(confirm_hash_delivered, confirm_hash_expected, sizeof(confirm_hash_delivered)); |
2792 | 0 | memcpy(message.base + confirm_hash_off, confirm_hash_delivered, sizeof(confirm_hash_delivered)); |
2793 | 0 | if (tls->ech.accepted) |
2794 | 0 | goto Exit; |
2795 | 0 | } |
2796 | | |
2797 | | /* dispose ECH AEAD state to indicate rejection, adopting outer CH for the rest of the handshake */ |
2798 | 0 | ptls_aead_free(tls->ech.aead); |
2799 | 0 | tls->ech.aead = NULL; |
2800 | 0 | key_schedule_select_outer(tls->key_schedule); |
2801 | |
|
2802 | 0 | Exit: |
2803 | 0 | PTLS_PROBE(ECH_SELECTION, tls, !!tls->ech.accepted); |
2804 | 0 | PTLS_LOG_CONN(ech_selection, tls, { PTLS_LOG_ELEMENT_BOOL(is_ech, tls->ech.accepted); }); |
2805 | 0 | ptls_clear_memory(confirm_hash_expected, sizeof(confirm_hash_expected)); |
2806 | 0 | return ret; |
2807 | 0 | } |
2808 | | |
2809 | | static int client_handle_hello(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, |
2810 | | ptls_handshake_properties_t *properties) |
2811 | 39.8k | { |
2812 | 39.8k | struct st_ptls_server_hello_t sh; |
2813 | 39.8k | ptls_iovec_t ecdh_secret = {NULL}; |
2814 | 39.8k | int ret; |
2815 | | |
2816 | 39.8k | if ((ret = decode_server_hello(tls, &sh, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len)) != 0) |
2817 | 673 | goto Exit; |
2818 | 39.1k | if (!(sh.legacy_session_id.len == tls->client.legacy_session_id.len && |
2819 | 39.1k | ptls_mem_equal(sh.legacy_session_id.base, tls->client.legacy_session_id.base, tls->client.legacy_session_id.len))) { |
2820 | 3 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2821 | 3 | goto Exit; |
2822 | 3 | } |
2823 | | |
2824 | 39.1k | if (sh.is_retry_request) { |
2825 | 38.0k | if ((ret = key_schedule_select_cipher(tls->key_schedule, tls->cipher_suite, 0, tls->ctx->pre_shared_key.secret)) != 0) |
2826 | 0 | goto Exit; |
2827 | 38.0k | key_schedule_transform_post_ch1hash(tls->key_schedule); |
2828 | 38.0k | if (tls->ech.aead != NULL) { |
2829 | 0 | size_t confirm_hash_off = 0; |
2830 | 0 | if (tls->ech.offered) { |
2831 | 0 | if (sh.retry_request.ech != NULL) |
2832 | 0 | confirm_hash_off = sh.retry_request.ech - message.base; |
2833 | 0 | } else { |
2834 | 0 | assert(tls->ech.offered_grease); |
2835 | 0 | } |
2836 | 0 | if ((ret = client_ech_select_hello(tls, message, confirm_hash_off, ECH_CONFIRMATION_HRR)) != 0) |
2837 | 0 | goto Exit; |
2838 | 0 | } |
2839 | 38.0k | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
2840 | 38.0k | return handle_hello_retry_request(tls, emitter, &sh, message, properties); |
2841 | 38.0k | } |
2842 | | |
2843 | 1.11k | if ((ret = key_schedule_select_cipher(tls->key_schedule, tls->cipher_suite, tls->client.offered_psk && !tls->is_psk_handshake, |
2844 | 1.11k | ptls_iovec_init(NULL, 0))) != 0) |
2845 | 0 | goto Exit; |
2846 | | |
2847 | | /* check if ECH is accepted */ |
2848 | 1.11k | if (tls->ech.aead != NULL) { |
2849 | 0 | size_t confirm_hash_off = 0; |
2850 | 0 | if (tls->ech.offered) { |
2851 | 0 | confirm_hash_off = |
2852 | 0 | PTLS_HANDSHAKE_HEADER_SIZE + 2 /* legacy_version */ + PTLS_HELLO_RANDOM_SIZE - PTLS_ECH_CONFIRM_LENGTH; |
2853 | 0 | } else { |
2854 | 0 | assert(tls->ech.offered_grease); |
2855 | 0 | } |
2856 | 0 | if ((ret = client_ech_select_hello(tls, message, confirm_hash_off, ECH_CONFIRMATION_SERVER_HELLO)) != 0) |
2857 | 0 | goto Exit; |
2858 | 0 | } |
2859 | | |
2860 | | /* clear sensitive and space-consuming ECH state, now that are done with handling sending and decoding Hellos */ |
2861 | 1.11k | clear_ech(&tls->ech, 0); |
2862 | 1.11k | if (tls->key_schedule->hashes[0].ctx_outer != NULL) { |
2863 | 0 | tls->key_schedule->hashes[0].ctx_outer->final(tls->key_schedule->hashes[0].ctx_outer, NULL, PTLS_HASH_FINAL_MODE_FREE); |
2864 | 0 | tls->key_schedule->hashes[0].ctx_outer = NULL; |
2865 | 0 | } |
2866 | | |
2867 | | /* if the client offered external PSK but the server did not use that, we call it a handshake failure */ |
2868 | 1.11k | if (tls->ctx->pre_shared_key.identity.base != NULL && !tls->is_psk_handshake) { |
2869 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
2870 | 0 | goto Exit; |
2871 | 0 | } |
2872 | | |
2873 | 1.11k | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
2874 | | |
2875 | 1.11k | if (sh.peerkey.base != NULL) { |
2876 | 1.11k | if ((ret = tls->client.key_share_ctx->on_exchange(&tls->client.key_share_ctx, 1, &ecdh_secret, sh.peerkey)) != 0) { |
2877 | 2 | assert(ecdh_secret.base == NULL); |
2878 | 2 | goto Exit; |
2879 | 2 | } |
2880 | 1.11k | } |
2881 | | |
2882 | 1.11k | if ((ret = key_schedule_extract(tls->key_schedule, ecdh_secret)) != 0) |
2883 | 0 | goto Exit; |
2884 | 1.11k | if ((ret = setup_traffic_protection(tls, 0, "s hs traffic", 2, 0, 0)) != 0) |
2885 | 0 | goto Exit; |
2886 | 1.11k | if (tls->client.using_early_data) { |
2887 | 0 | if ((tls->pending_handshake_secret = malloc(PTLS_MAX_DIGEST_SIZE)) == NULL) { |
2888 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
2889 | 0 | goto Exit; |
2890 | 0 | } |
2891 | 0 | if ((ret = derive_secret(tls->key_schedule, tls->pending_handshake_secret, "c hs traffic")) != 0) |
2892 | 0 | goto Exit; |
2893 | 0 | if (tls->ctx->update_traffic_key != NULL && |
2894 | 0 | (ret = tls->ctx->update_traffic_key->cb(tls->ctx->update_traffic_key, tls, 1, 2, tls->pending_handshake_secret)) != 0) |
2895 | 0 | goto Exit; |
2896 | 1.11k | } else { |
2897 | 1.11k | if ((ret = setup_traffic_protection(tls, 1, "c hs traffic", 2, 0, 0)) != 0) |
2898 | 0 | goto Exit; |
2899 | 1.11k | } |
2900 | | |
2901 | 1.11k | tls->state = PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS; |
2902 | 1.11k | ret = PTLS_ERROR_IN_PROGRESS; |
2903 | | |
2904 | 1.78k | Exit: |
2905 | 1.78k | if (ecdh_secret.base != NULL) { |
2906 | 1.11k | ptls_clear_memory(ecdh_secret.base, ecdh_secret.len); |
2907 | 1.11k | free(ecdh_secret.base); |
2908 | 1.11k | } |
2909 | 1.78k | return ret; |
2910 | 1.11k | } |
2911 | | |
2912 | | static int should_collect_unknown_extension(ptls_t *tls, ptls_handshake_properties_t *properties, uint16_t type) |
2913 | 1.40k | { |
2914 | 1.40k | return properties != NULL && properties->collect_extension != NULL && properties->collect_extension(tls, properties, type); |
2915 | 1.40k | } |
2916 | | |
2917 | | static int collect_unknown_extension(ptls_t *tls, uint16_t type, const uint8_t *src, const uint8_t *const end, |
2918 | | ptls_raw_extension_t *slots) |
2919 | 0 | { |
2920 | 0 | size_t i; |
2921 | 0 | for (i = 0; slots[i].type != UINT16_MAX; ++i) { |
2922 | 0 | assert(i < MAX_UNKNOWN_EXTENSIONS); |
2923 | 0 | if (slots[i].type == type) |
2924 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
2925 | 0 | } |
2926 | 0 | if (i < MAX_UNKNOWN_EXTENSIONS) { |
2927 | 0 | slots[i].type = type; |
2928 | 0 | slots[i].data = ptls_iovec_init(src, end - src); |
2929 | 0 | slots[i + 1].type = UINT16_MAX; |
2930 | 0 | } |
2931 | 0 | return 0; |
2932 | 0 | } |
2933 | | |
2934 | | static int report_unknown_extensions(ptls_t *tls, ptls_handshake_properties_t *properties, ptls_raw_extension_t *slots) |
2935 | 1.13k | { |
2936 | 1.13k | if (properties != NULL && properties->collect_extension != NULL) { |
2937 | 0 | assert(properties->collected_extensions != NULL); |
2938 | 0 | return properties->collected_extensions(tls, properties, slots); |
2939 | 1.13k | } else { |
2940 | 1.13k | return 0; |
2941 | 1.13k | } |
2942 | 1.13k | } |
2943 | | |
2944 | | static int client_handle_encrypted_extensions(ptls_t *tls, ptls_iovec_t message, ptls_handshake_properties_t *properties) |
2945 | 1.02k | { |
2946 | 1.02k | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
2947 | 1.02k | uint16_t type; |
2948 | 1.02k | static const ptls_raw_extension_t no_unknown_extensions = {UINT16_MAX}; |
2949 | 1.02k | ptls_raw_extension_t *unknown_extensions = (ptls_raw_extension_t *)&no_unknown_extensions; |
2950 | 1.02k | int ret, skip_early_data = 1; |
2951 | 1.02k | uint8_t server_offered_cert_type = PTLS_CERTIFICATE_TYPE_X509; |
2952 | | |
2953 | 1.02k | decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS, &type, { |
2954 | 1.02k | if (tls->ctx->on_extension != NULL && |
2955 | 1.02k | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS, type, |
2956 | 1.02k | ptls_iovec_init(src, end - src)) != 0)) |
2957 | 1.02k | goto Exit; |
2958 | 1.02k | switch (type) { |
2959 | 1.02k | case PTLS_EXTENSION_TYPE_SERVER_NAME: |
2960 | 1.02k | if (src != end) { |
2961 | 1.02k | ret = PTLS_ALERT_DECODE_ERROR; |
2962 | 1.02k | goto Exit; |
2963 | 1.02k | } |
2964 | 1.02k | if (!(tls->server_name != NULL && !ptls_server_name_is_ipaddr(tls->server_name))) { |
2965 | 1.02k | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2966 | 1.02k | goto Exit; |
2967 | 1.02k | } |
2968 | 1.02k | break; |
2969 | 1.02k | case PTLS_EXTENSION_TYPE_ALPN: |
2970 | 1.02k | ptls_decode_block(src, end, 2, { |
2971 | 1.02k | ptls_decode_open_block(src, end, 1, { |
2972 | 1.02k | if (src == end) { |
2973 | 1.02k | ret = PTLS_ALERT_DECODE_ERROR; |
2974 | 1.02k | goto Exit; |
2975 | 1.02k | } |
2976 | 1.02k | if ((ret = ptls_set_negotiated_protocol(tls, (const char *)src, end - src)) != 0) |
2977 | 1.02k | goto Exit; |
2978 | 1.02k | src = end; |
2979 | 1.02k | }); |
2980 | 1.02k | if (src != end) { |
2981 | 1.02k | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
2982 | 1.02k | goto Exit; |
2983 | 1.02k | } |
2984 | 1.02k | }); |
2985 | 1.02k | break; |
2986 | 1.02k | case PTLS_EXTENSION_TYPE_EARLY_DATA: |
2987 | 1.02k | if (!tls->client.using_early_data) { |
2988 | 1.02k | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
2989 | 1.02k | goto Exit; |
2990 | 1.02k | } |
2991 | 1.02k | skip_early_data = 0; |
2992 | 1.02k | break; |
2993 | 1.02k | case PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE: |
2994 | 1.02k | if (end - src != 1) { |
2995 | 1.02k | ret = PTLS_ALERT_DECODE_ERROR; |
2996 | 1.02k | goto Exit; |
2997 | 1.02k | } |
2998 | 1.02k | server_offered_cert_type = *src; |
2999 | 1.02k | src = end; |
3000 | 1.02k | break; |
3001 | 1.02k | case PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO: { |
3002 | | /* accept retry_configs only if we offered ECH but rejected */ |
3003 | 1.02k | if (!((tls->ech.offered || tls->ech.offered_grease) && !ptls_is_ech_handshake(tls, NULL, NULL, NULL))) { |
3004 | 1.02k | ret = PTLS_ALERT_UNSUPPORTED_EXTENSION; |
3005 | 1.02k | goto Exit; |
3006 | 1.02k | } |
3007 | | /* parse retry_config, and if it is applicable, provide that to the application */ |
3008 | 1.02k | struct st_decoded_ech_config_t decoded; |
3009 | 1.02k | if ((ret = client_decode_ech_config_list(tls->ctx, &decoded, ptls_iovec_init(src, end - src))) != 0) |
3010 | 1.02k | goto Exit; |
3011 | 1.02k | if (decoded.kem != NULL && decoded.cipher != NULL && properties != NULL && |
3012 | 1.02k | properties->client.ech.retry_configs != NULL) { |
3013 | 1.02k | if ((properties->client.ech.retry_configs->base = malloc(end - src)) == NULL) { |
3014 | 1.02k | ret = PTLS_ERROR_NO_MEMORY; |
3015 | 1.02k | goto Exit; |
3016 | 1.02k | } |
3017 | 1.02k | memcpy(properties->client.ech.retry_configs->base, src, end - src); |
3018 | 1.02k | properties->client.ech.retry_configs->len = end - src; |
3019 | 1.02k | } |
3020 | 1.02k | src = end; |
3021 | 1.02k | } break; |
3022 | 1.02k | default: |
3023 | 1.02k | if (should_collect_unknown_extension(tls, properties, type)) { |
3024 | 1.02k | if (unknown_extensions == &no_unknown_extensions) { |
3025 | 1.02k | if ((unknown_extensions = malloc(sizeof(*unknown_extensions) * (MAX_UNKNOWN_EXTENSIONS + 1))) == NULL) { |
3026 | 1.02k | ret = PTLS_ERROR_NO_MEMORY; |
3027 | 1.02k | goto Exit; |
3028 | 1.02k | } |
3029 | 1.02k | unknown_extensions[0].type = UINT16_MAX; |
3030 | 1.02k | } |
3031 | 1.02k | if ((ret = collect_unknown_extension(tls, type, src, end, unknown_extensions)) != 0) |
3032 | 1.02k | goto Exit; |
3033 | 1.02k | } |
3034 | 1.02k | break; |
3035 | 1.02k | } |
3036 | 1.02k | src = end; |
3037 | 1.02k | }); |
3038 | | |
3039 | 738 | if (server_offered_cert_type != |
3040 | 738 | (tls->ctx->use_raw_public_keys ? PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY : PTLS_CERTIFICATE_TYPE_X509)) { |
3041 | 11 | ret = PTLS_ALERT_UNSUPPORTED_CERTIFICATE; |
3042 | 11 | goto Exit; |
3043 | 11 | } |
3044 | | |
3045 | 727 | if (tls->client.using_early_data) { |
3046 | 0 | if (skip_early_data) |
3047 | 0 | tls->client.using_early_data = 0; |
3048 | 0 | if (properties != NULL) |
3049 | 0 | properties->client.early_data_acceptance = skip_early_data ? PTLS_EARLY_DATA_REJECTED : PTLS_EARLY_DATA_ACCEPTED; |
3050 | 0 | } |
3051 | 727 | if ((ret = report_unknown_extensions(tls, properties, unknown_extensions)) != 0) |
3052 | 0 | goto Exit; |
3053 | | |
3054 | 727 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3055 | 727 | tls->state = |
3056 | 727 | tls->is_psk_handshake ? PTLS_STATE_CLIENT_EXPECT_FINISHED : PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE; |
3057 | 727 | ret = PTLS_ERROR_IN_PROGRESS; |
3058 | | |
3059 | 1.02k | Exit: |
3060 | 1.02k | if (unknown_extensions != &no_unknown_extensions) |
3061 | 0 | free(unknown_extensions); |
3062 | 1.02k | return ret; |
3063 | 727 | } |
3064 | | |
3065 | | static int decode_certificate_request(ptls_t *tls, struct st_ptls_certificate_request_t *cr, const uint8_t *src, |
3066 | | const uint8_t *const end) |
3067 | 284 | { |
3068 | 284 | int ret; |
3069 | 284 | uint16_t exttype = 0; |
3070 | | |
3071 | | /* certificate request context */ |
3072 | 284 | ptls_decode_open_block(src, end, 1, { |
3073 | 284 | size_t len = end - src; |
3074 | 284 | if (len > 255) { |
3075 | 284 | ret = PTLS_ALERT_DECODE_ERROR; |
3076 | 284 | goto Exit; |
3077 | 284 | } |
3078 | 284 | if ((cr->context.base = malloc(len != 0 ? len : 1)) == NULL) { |
3079 | 284 | ret = PTLS_ERROR_NO_MEMORY; |
3080 | 284 | goto Exit; |
3081 | 284 | } |
3082 | 284 | cr->context.len = len; |
3083 | 284 | memcpy(cr->context.base, src, len); |
3084 | 284 | src = end; |
3085 | 284 | }); |
3086 | | |
3087 | | /* decode extensions */ |
3088 | 280 | decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST, &exttype, { |
3089 | 280 | if (tls->ctx->on_extension != NULL && |
3090 | 280 | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST, exttype, |
3091 | 280 | ptls_iovec_init(src, end - src)) != 0)) |
3092 | 280 | goto Exit; |
3093 | 280 | switch (exttype) { |
3094 | 280 | case PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS: |
3095 | 280 | if ((ret = decode_signature_algorithms(&cr->signature_algorithms, &src, end)) != 0) |
3096 | 280 | goto Exit; |
3097 | 280 | break; |
3098 | 280 | } |
3099 | 280 | src = end; |
3100 | 280 | }); |
3101 | | |
3102 | 16 | if (cr->signature_algorithms.count == 0) { |
3103 | 6 | ret = PTLS_ALERT_MISSING_EXTENSION; |
3104 | 6 | goto Exit; |
3105 | 6 | } |
3106 | | |
3107 | 10 | ret = 0; |
3108 | 284 | Exit: |
3109 | 284 | return ret; |
3110 | 10 | } |
3111 | | |
3112 | | int ptls_build_certificate_message(ptls_buffer_t *buf, ptls_iovec_t context, ptls_iovec_t *certificates, size_t num_certificates, |
3113 | | ptls_iovec_t ocsp_status) |
3114 | 262 | { |
3115 | 262 | int ret; |
3116 | | |
3117 | 262 | ptls_buffer_push_block(buf, 1, { ptls_buffer_pushv(buf, context.base, context.len); }); |
3118 | 262 | ptls_buffer_push_block(buf, 3, { |
3119 | 262 | size_t i; |
3120 | 262 | for (i = 0; i != num_certificates; ++i) { |
3121 | 262 | ptls_buffer_push_block(buf, 3, { ptls_buffer_pushv(buf, certificates[i].base, certificates[i].len); }); |
3122 | 262 | ptls_buffer_push_block(buf, 2, { |
3123 | 262 | if (i == 0 && ocsp_status.len != 0) { |
3124 | 262 | buffer_push_extension(buf, PTLS_EXTENSION_TYPE_STATUS_REQUEST, { |
3125 | 262 | ptls_buffer_push(buf, 1); /* status_type == ocsp */ |
3126 | 262 | ptls_buffer_push_block(buf, 3, { ptls_buffer_pushv(buf, ocsp_status.base, ocsp_status.len); }); |
3127 | 262 | }); |
3128 | 262 | } |
3129 | 262 | }); |
3130 | 262 | } |
3131 | 262 | }); |
3132 | | |
3133 | 262 | ret = 0; |
3134 | 262 | Exit: |
3135 | 262 | return ret; |
3136 | 262 | } |
3137 | | |
3138 | | static int default_emit_certificate_cb(ptls_emit_certificate_t *_self, ptls_t *tls, ptls_message_emitter_t *emitter, |
3139 | | ptls_key_schedule_t *key_sched, ptls_iovec_t context, int push_status_request, |
3140 | | const uint16_t *compress_algos, size_t num_compress_algos) |
3141 | 262 | { |
3142 | 262 | int ret; |
3143 | | |
3144 | 262 | ptls_push_message(emitter, key_sched, PTLS_HANDSHAKE_TYPE_CERTIFICATE, { |
3145 | 262 | if ((ret = ptls_build_certificate_message(emitter->buf, context, tls->ctx->certificates.list, tls->ctx->certificates.count, |
3146 | 262 | ptls_iovec_init(NULL, 0))) != 0) |
3147 | 262 | goto Exit; |
3148 | 262 | }); |
3149 | | |
3150 | 262 | ret = 0; |
3151 | 262 | Exit: |
3152 | 262 | return ret; |
3153 | 262 | } |
3154 | | |
3155 | | static int send_certificate(ptls_t *tls, ptls_message_emitter_t *emitter, |
3156 | | struct st_ptls_signature_algorithms_t *signature_algorithms, ptls_iovec_t context, |
3157 | | int push_status_request, const uint16_t *compress_algos, size_t num_compress_algos) |
3158 | 276 | { |
3159 | 276 | int ret; |
3160 | | |
3161 | 276 | if (signature_algorithms->count == 0) { |
3162 | 14 | ret = PTLS_ALERT_MISSING_EXTENSION; |
3163 | 14 | goto Exit; |
3164 | 14 | } |
3165 | | |
3166 | 262 | { /* send Certificate (or the equivalent) */ |
3167 | 262 | static ptls_emit_certificate_t default_emit_certificate = {default_emit_certificate_cb}; |
3168 | 262 | ptls_emit_certificate_t *emit_certificate = |
3169 | 262 | tls->ctx->emit_certificate != NULL ? tls->ctx->emit_certificate : &default_emit_certificate; |
3170 | 262 | Redo: |
3171 | 262 | if ((ret = emit_certificate->cb(emit_certificate, tls, emitter, tls->key_schedule, context, push_status_request, |
3172 | 262 | compress_algos, num_compress_algos)) != 0) { |
3173 | 0 | if (ret == PTLS_ERROR_DELEGATE) { |
3174 | 0 | assert(emit_certificate != &default_emit_certificate); |
3175 | 0 | emit_certificate = &default_emit_certificate; |
3176 | 0 | goto Redo; |
3177 | 0 | } |
3178 | 0 | goto Exit; |
3179 | 0 | } |
3180 | 262 | } |
3181 | | |
3182 | 276 | Exit: |
3183 | 276 | return ret; |
3184 | 262 | } |
3185 | | |
3186 | | static int send_certificate_verify(ptls_t *tls, ptls_message_emitter_t *emitter, |
3187 | | struct st_ptls_signature_algorithms_t *signature_algorithms, const char *context_string) |
3188 | 262 | { |
3189 | 262 | size_t start_off = emitter->buf->off; |
3190 | 262 | int ret; |
3191 | | |
3192 | 262 | if (tls->ctx->sign_certificate == NULL) |
3193 | 262 | return 0; |
3194 | | /* build and send CertificateVerify */ |
3195 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY, { |
3196 | 0 | ptls_buffer_t *sendbuf = emitter->buf; |
3197 | 0 | size_t algo_off = sendbuf->off; |
3198 | 0 | ptls_buffer_push16(sendbuf, 0); /* filled in later */ |
3199 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
3200 | 0 | uint16_t algo; |
3201 | 0 | uint8_t data[PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE]; |
3202 | 0 | size_t datalen = build_certificate_verify_signdata(data, tls->key_schedule, context_string); |
3203 | 0 | if ((ret = tls->ctx->sign_certificate->cb( |
3204 | 0 | tls->ctx->sign_certificate, tls, tls->is_server ? &tls->server.async_job : NULL, &algo, sendbuf, |
3205 | 0 | ptls_iovec_init(data, datalen), signature_algorithms != NULL ? signature_algorithms->list : NULL, |
3206 | 0 | signature_algorithms != NULL ? signature_algorithms->count : 0)) != 0) { |
3207 | 0 | if (ret == PTLS_ERROR_ASYNC_OPERATION) { |
3208 | 0 | assert(tls->is_server || !"async operation only supported on the server-side"); |
3209 | 0 | assert(tls->server.async_job != NULL); |
3210 | | /* Reset the output to the end of the previous handshake message. CertificateVerify will be rebuilt when the |
3211 | | * async operation completes. */ |
3212 | 0 | emitter->buf->off = start_off; |
3213 | 0 | } else { |
3214 | 0 | assert(tls->server.async_job == NULL); |
3215 | 0 | } |
3216 | 0 | goto Exit; |
3217 | 0 | } |
3218 | 0 | assert(tls->server.async_job == NULL); |
3219 | 0 | sendbuf->base[algo_off] = (uint8_t)(algo >> 8); |
3220 | 0 | sendbuf->base[algo_off + 1] = (uint8_t)algo; |
3221 | 0 | }); |
3222 | 0 | }); |
3223 | 0 | Exit: |
3224 | 0 | return ret; |
3225 | 0 | } |
3226 | | |
3227 | | static int client_handle_certificate_request(ptls_t *tls, ptls_iovec_t message, ptls_handshake_properties_t *properties) |
3228 | 284 | { |
3229 | 284 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
3230 | 284 | int ret = 0; |
3231 | | |
3232 | 284 | assert(!tls->is_psk_handshake && "state machine asserts that this message is never delivered when PSK is used"); |
3233 | | |
3234 | 284 | if ((ret = decode_certificate_request(tls, &tls->client.certificate_request, src, end)) != 0) |
3235 | 274 | return ret; |
3236 | | |
3237 | | /* This field SHALL be zero length unless used for the post-handshake authentication exchanges (section 4.3.2) */ |
3238 | 10 | if (tls->client.certificate_request.context.len != 0) |
3239 | 3 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
3240 | | |
3241 | 7 | tls->state = PTLS_STATE_CLIENT_EXPECT_CERTIFICATE; |
3242 | 7 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3243 | | |
3244 | 7 | return PTLS_ERROR_IN_PROGRESS; |
3245 | 10 | } |
3246 | | |
3247 | | static int handle_certificate(ptls_t *tls, const uint8_t *src, const uint8_t *end, int *got_certs) |
3248 | 390 | { |
3249 | 390 | ptls_iovec_t certs[16]; |
3250 | 390 | size_t num_certs = 0; |
3251 | 390 | int ret = 0; |
3252 | | |
3253 | | /* certificate request context */ |
3254 | 390 | ptls_decode_open_block(src, end, 1, { |
3255 | 390 | if (src != end) { |
3256 | 390 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3257 | 390 | goto Exit; |
3258 | 390 | } |
3259 | 390 | }); |
3260 | | /* certificate_list */ |
3261 | 368 | ptls_decode_block(src, end, 3, { |
3262 | 368 | while (src != end) { |
3263 | 368 | ptls_decode_open_block(src, end, 3, { |
3264 | 368 | if (num_certs < PTLS_ELEMENTSOF(certs)) |
3265 | 368 | certs[num_certs++] = ptls_iovec_init(src, end - src); |
3266 | 368 | src = end; |
3267 | 368 | }); |
3268 | 368 | uint16_t type; |
3269 | 368 | decode_open_extensions(src, end, PTLS_HANDSHAKE_TYPE_CERTIFICATE, &type, { |
3270 | 368 | if (tls->ctx->on_extension != NULL && |
3271 | 368 | (ret = tls->ctx->on_extension->cb(tls->ctx->on_extension, tls, PTLS_HANDSHAKE_TYPE_CERTIFICATE, type, |
3272 | 368 | ptls_iovec_init(src, end - src)) != 0)) |
3273 | 368 | goto Exit; |
3274 | 368 | src = end; |
3275 | 368 | }); |
3276 | 368 | } |
3277 | 368 | }); |
3278 | | |
3279 | 87 | if (tls->ctx->verify_certificate != NULL) { |
3280 | 0 | const char *server_name = NULL; |
3281 | 0 | if (!ptls_is_server(tls)) { |
3282 | 0 | if (tls->ech.offered && !ptls_is_ech_handshake(tls, NULL, NULL, NULL)) { |
3283 | 0 | server_name = tls->ech.client.public_name; |
3284 | 0 | } else { |
3285 | 0 | server_name = tls->server_name; |
3286 | 0 | } |
3287 | 0 | } |
3288 | 0 | if ((ret = tls->ctx->verify_certificate->cb(tls->ctx->verify_certificate, tls, server_name, &tls->certificate_verify.cb, |
3289 | 0 | &tls->certificate_verify.verify_ctx, certs, num_certs)) != 0) |
3290 | 0 | goto Exit; |
3291 | 0 | } |
3292 | | |
3293 | 87 | *got_certs = num_certs != 0; |
3294 | | |
3295 | 390 | Exit: |
3296 | 390 | return ret; |
3297 | 87 | } |
3298 | | |
3299 | | static int client_do_handle_certificate(ptls_t *tls, const uint8_t *src, const uint8_t *end) |
3300 | 390 | { |
3301 | 390 | int got_certs, ret; |
3302 | | |
3303 | 390 | if ((ret = handle_certificate(tls, src, end, &got_certs)) != 0) |
3304 | 303 | return ret; |
3305 | 87 | if (!got_certs) |
3306 | 1 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
3307 | | |
3308 | 86 | return 0; |
3309 | 87 | } |
3310 | | |
3311 | | static int client_handle_certificate(ptls_t *tls, ptls_iovec_t message) |
3312 | 390 | { |
3313 | 390 | int ret; |
3314 | | |
3315 | 390 | if ((ret = client_do_handle_certificate(tls, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len)) != 0) |
3316 | 304 | return ret; |
3317 | | |
3318 | 86 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3319 | | |
3320 | 86 | tls->state = PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY; |
3321 | 86 | return PTLS_ERROR_IN_PROGRESS; |
3322 | 390 | } |
3323 | | |
3324 | | static int client_handle_compressed_certificate(ptls_t *tls, ptls_iovec_t message) |
3325 | 2 | { |
3326 | 2 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
3327 | 2 | uint16_t algo; |
3328 | 2 | uint32_t uncompressed_size; |
3329 | 2 | uint8_t *uncompressed = NULL; |
3330 | 2 | int ret; |
3331 | | |
3332 | 2 | if (tls->ctx->decompress_certificate == NULL) { |
3333 | 2 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
3334 | 2 | goto Exit; |
3335 | 2 | } |
3336 | | |
3337 | | /* decode */ |
3338 | 0 | if ((ret = ptls_decode16(&algo, &src, end)) != 0) |
3339 | 0 | goto Exit; |
3340 | 0 | if ((ret = ptls_decode24(&uncompressed_size, &src, end)) != 0) |
3341 | 0 | goto Exit; |
3342 | 0 | if (uncompressed_size > 65536) { /* TODO find a sensible number */ |
3343 | 0 | ret = PTLS_ALERT_BAD_CERTIFICATE; |
3344 | 0 | goto Exit; |
3345 | 0 | } |
3346 | 0 | if ((uncompressed = malloc(uncompressed_size)) == NULL) { |
3347 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
3348 | 0 | goto Exit; |
3349 | 0 | } |
3350 | 0 | ptls_decode_block(src, end, 3, { |
3351 | 0 | if ((ret = tls->ctx->decompress_certificate->cb(tls->ctx->decompress_certificate, tls, algo, |
3352 | 0 | ptls_iovec_init(uncompressed, uncompressed_size), |
3353 | 0 | ptls_iovec_init(src, end - src))) != 0) |
3354 | 0 | goto Exit; |
3355 | 0 | src = end; |
3356 | 0 | }); |
3357 | | |
3358 | | /* handle */ |
3359 | 0 | if ((ret = client_do_handle_certificate(tls, uncompressed, uncompressed + uncompressed_size)) != 0) |
3360 | 0 | goto Exit; |
3361 | | |
3362 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3363 | 0 | tls->state = PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY; |
3364 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
3365 | |
|
3366 | 2 | Exit: |
3367 | 2 | free(uncompressed); |
3368 | 2 | return ret; |
3369 | 0 | } |
3370 | | |
3371 | | static int server_handle_certificate(ptls_t *tls, ptls_iovec_t message) |
3372 | 0 | { |
3373 | 0 | int got_certs, ret; |
3374 | |
|
3375 | 0 | if ((ret = handle_certificate(tls, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len, &got_certs)) != 0) |
3376 | 0 | return ret; |
3377 | | |
3378 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3379 | |
|
3380 | 0 | if (got_certs) { |
3381 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY; |
3382 | 0 | } else { |
3383 | | /* Client did not provide certificate, and the verifier says we can fail open. Therefore, the next message is Finished. */ |
3384 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
3385 | 0 | } |
3386 | |
|
3387 | 0 | return PTLS_ERROR_IN_PROGRESS; |
3388 | 0 | } |
3389 | | |
3390 | | static int handle_certificate_verify(ptls_t *tls, ptls_iovec_t message, const char *context_string) |
3391 | 67 | { |
3392 | 67 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
3393 | 67 | uint16_t algo; |
3394 | 67 | ptls_iovec_t signature; |
3395 | 67 | uint8_t signdata[PTLS_MAX_CERTIFICATE_VERIFY_SIGNDATA_SIZE]; |
3396 | 67 | size_t signdata_size; |
3397 | 67 | int ret; |
3398 | | |
3399 | | /* decode */ |
3400 | 67 | if ((ret = ptls_decode16(&algo, &src, end)) != 0) |
3401 | 1 | goto Exit; |
3402 | 66 | ptls_decode_block(src, end, 2, { |
3403 | 66 | signature = ptls_iovec_init(src, end - src); |
3404 | 66 | src = end; |
3405 | 66 | }); |
3406 | | |
3407 | 33 | signdata_size = build_certificate_verify_signdata(signdata, tls->key_schedule, context_string); |
3408 | 33 | if (tls->certificate_verify.cb != NULL) { |
3409 | 0 | ret = tls->certificate_verify.cb(tls->certificate_verify.verify_ctx, algo, ptls_iovec_init(signdata, signdata_size), |
3410 | 0 | signature); |
3411 | 33 | } else { |
3412 | 33 | ret = 0; |
3413 | 33 | } |
3414 | 33 | ptls_clear_memory(signdata, signdata_size); |
3415 | 33 | tls->certificate_verify.cb = NULL; |
3416 | 33 | if (ret != 0) { |
3417 | 0 | goto Exit; |
3418 | 0 | } |
3419 | | |
3420 | 33 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3421 | | |
3422 | 67 | Exit: |
3423 | 67 | return ret; |
3424 | 33 | } |
3425 | | |
3426 | | static int client_handle_certificate_verify(ptls_t *tls, ptls_iovec_t message) |
3427 | 67 | { |
3428 | 67 | int ret = handle_certificate_verify(tls, message, PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING); |
3429 | | |
3430 | 67 | if (ret == 0) { |
3431 | 33 | tls->state = PTLS_STATE_CLIENT_EXPECT_FINISHED; |
3432 | 33 | ret = PTLS_ERROR_IN_PROGRESS; |
3433 | 33 | } |
3434 | | |
3435 | 67 | return ret; |
3436 | 67 | } |
3437 | | |
3438 | | static int server_handle_certificate_verify(ptls_t *tls, ptls_iovec_t message) |
3439 | 0 | { |
3440 | 0 | int ret = handle_certificate_verify(tls, message, PTLS_CLIENT_CERTIFICATE_VERIFY_CONTEXT_STRING); |
3441 | |
|
3442 | 0 | if (ret == 0) { |
3443 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
3444 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
3445 | 0 | } |
3446 | |
|
3447 | 0 | return ret; |
3448 | 0 | } |
3449 | | |
3450 | | static int client_handle_finished(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message) |
3451 | 18 | { |
3452 | 18 | uint8_t send_secret[PTLS_MAX_DIGEST_SIZE]; |
3453 | 18 | int alert_ech_required = tls->ech.offered && !ptls_is_ech_handshake(tls, NULL, NULL, NULL), ret; |
3454 | | |
3455 | 18 | if ((ret = verify_finished(tls, message)) != 0) |
3456 | 18 | goto Exit; |
3457 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
3458 | | |
3459 | | /* update traffic keys by using messages upto ServerFinished, but commission them after sending ClientFinished */ |
3460 | 0 | if ((ret = key_schedule_extract(tls->key_schedule, ptls_iovec_init(NULL, 0))) != 0) |
3461 | 0 | goto Exit; |
3462 | 0 | if ((ret = setup_traffic_protection(tls, 0, "s ap traffic", 3, 0, 0)) != 0) |
3463 | 0 | goto Exit; |
3464 | 0 | if ((ret = derive_secret(tls->key_schedule, send_secret, "c ap traffic")) != 0) |
3465 | 0 | goto Exit; |
3466 | 0 | if ((ret = derive_exporter_secret(tls, 0)) != 0) |
3467 | 0 | goto Exit; |
3468 | | |
3469 | | /* if sending early data, emit EOED and commision the client handshake traffic secret */ |
3470 | 0 | if (tls->pending_handshake_secret != NULL) { |
3471 | 0 | assert(tls->traffic_protection.enc.aead != NULL || tls->ctx->update_traffic_key != NULL); |
3472 | 0 | if (tls->client.using_early_data && !tls->ctx->omit_end_of_early_data) |
3473 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA, {}); |
3474 | 0 | tls->client.using_early_data = 0; |
3475 | 0 | if ((ret = commission_handshake_secret(tls)) != 0) |
3476 | 0 | goto Exit; |
3477 | 0 | } |
3478 | | |
3479 | 0 | if ((ret = push_change_cipher_spec(tls, emitter)) != 0) |
3480 | 0 | goto Exit; |
3481 | | |
3482 | 0 | if (!alert_ech_required && tls->client.certificate_request.context.base != NULL) { |
3483 | 0 | if ((ret = send_certificate(tls, emitter, &tls->client.certificate_request.signature_algorithms, |
3484 | 0 | tls->client.certificate_request.context, 0, NULL, 0)) == 0) |
3485 | 0 | ret = send_certificate_verify(tls, emitter, &tls->client.certificate_request.signature_algorithms, |
3486 | 0 | PTLS_CLIENT_CERTIFICATE_VERIFY_CONTEXT_STRING); |
3487 | 0 | free(tls->client.certificate_request.context.base); |
3488 | 0 | tls->client.certificate_request.context = ptls_iovec_init(NULL, 0); |
3489 | 0 | if (ret != 0) |
3490 | 0 | goto Exit; |
3491 | 0 | } |
3492 | | |
3493 | 0 | ret = send_finished(tls, emitter); |
3494 | |
|
3495 | 0 | memcpy(tls->traffic_protection.enc.secret, send_secret, sizeof(send_secret)); |
3496 | 0 | if ((ret = setup_traffic_protection(tls, 1, NULL, 3, 0, 0)) != 0) |
3497 | 0 | goto Exit; |
3498 | | |
3499 | 0 | tls->state = PTLS_STATE_CLIENT_POST_HANDSHAKE; |
3500 | | |
3501 | | /* if ECH was rejected, close the connection with ECH_REQUIRED alert after verifying messages up to Finished */ |
3502 | 0 | if (alert_ech_required) |
3503 | 0 | ret = PTLS_ALERT_ECH_REQUIRED; |
3504 | |
|
3505 | 18 | Exit: |
3506 | 18 | ptls_clear_memory(send_secret, sizeof(send_secret)); |
3507 | 18 | return ret; |
3508 | 0 | } |
3509 | | |
3510 | | static int client_handle_new_session_ticket(ptls_t *tls, ptls_iovec_t message) |
3511 | 0 | { |
3512 | 0 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
3513 | 0 | ptls_iovec_t ticket_nonce; |
3514 | 0 | int ret; |
3515 | |
|
3516 | 0 | { /* verify the format */ |
3517 | 0 | uint32_t ticket_lifetime, ticket_age_add, max_early_data_size; |
3518 | 0 | ptls_iovec_t ticket; |
3519 | 0 | if ((ret = decode_new_session_ticket(tls, &ticket_lifetime, &ticket_age_add, &ticket_nonce, &ticket, &max_early_data_size, |
3520 | 0 | src, end)) != 0) |
3521 | 0 | return ret; |
3522 | 0 | } |
3523 | | |
3524 | | /* do nothing if use of session ticket is disabled */ |
3525 | 0 | if (tls->ctx->save_ticket == NULL) |
3526 | 0 | return 0; |
3527 | | |
3528 | | /* save the extension, along with the key of myself */ |
3529 | 0 | ptls_buffer_t ticket_buf; |
3530 | 0 | ptls_buffer_init(&ticket_buf, "", 0); |
3531 | 0 | ptls_buffer_push64(&ticket_buf, tls->ctx->get_time->cb(tls->ctx->get_time)); |
3532 | 0 | ptls_buffer_push16(&ticket_buf, tls->key_share->id); |
3533 | 0 | ptls_buffer_push16(&ticket_buf, tls->cipher_suite->id); |
3534 | 0 | ptls_buffer_push_block(&ticket_buf, 3, { ptls_buffer_pushv(&ticket_buf, src, end - src); }); |
3535 | 0 | ptls_buffer_push_block(&ticket_buf, 2, { |
3536 | 0 | if ((ret = ptls_buffer_reserve(&ticket_buf, tls->key_schedule->hashes[0].algo->digest_size)) != 0) |
3537 | 0 | goto Exit; |
3538 | 0 | if ((ret = derive_resumption_secret(tls->key_schedule, ticket_buf.base + ticket_buf.off, ticket_nonce)) != 0) |
3539 | 0 | goto Exit; |
3540 | 0 | ticket_buf.off += tls->key_schedule->hashes[0].algo->digest_size; |
3541 | 0 | }); |
3542 | | |
3543 | 0 | if ((ret = tls->ctx->save_ticket->cb(tls->ctx->save_ticket, tls, ptls_iovec_init(ticket_buf.base, ticket_buf.off))) != 0) |
3544 | 0 | goto Exit; |
3545 | | |
3546 | 0 | ret = 0; |
3547 | 0 | Exit: |
3548 | 0 | ptls_buffer_dispose(&ticket_buf); |
3549 | 0 | return ret; |
3550 | 0 | } |
3551 | | |
3552 | | static int client_hello_decode_server_name(ptls_iovec_t *name, const uint8_t **src, const uint8_t *const end) |
3553 | 122 | { |
3554 | 122 | int ret = 0; |
3555 | | |
3556 | 122 | ptls_decode_open_block(*src, end, 2, { |
3557 | 122 | do { |
3558 | 122 | uint8_t type; |
3559 | 122 | if ((ret = ptls_decode8(&type, src, end)) != 0) |
3560 | 122 | goto Exit; |
3561 | 122 | ptls_decode_open_block(*src, end, 2, { |
3562 | 122 | switch (type) { |
3563 | 122 | case PTLS_SERVER_NAME_TYPE_HOSTNAME: |
3564 | 122 | if (memchr(*src, '\0', end - *src) != 0) { |
3565 | 122 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3566 | 122 | goto Exit; |
3567 | 122 | } |
3568 | 122 | *name = ptls_iovec_init(*src, end - *src); |
3569 | 122 | break; |
3570 | 122 | default: |
3571 | 122 | break; |
3572 | 122 | } |
3573 | 122 | *src = end; |
3574 | 122 | }); |
3575 | 122 | } while (*src != end); |
3576 | 122 | }); |
3577 | | |
3578 | 122 | Exit: |
3579 | 122 | return ret; |
3580 | 122 | } |
3581 | | |
3582 | | static int select_negotiated_group(ptls_key_exchange_algorithm_t **selected, ptls_key_exchange_algorithm_t **candidates, |
3583 | | const uint8_t *src, const uint8_t *const end) |
3584 | 220 | { |
3585 | 220 | int ret; |
3586 | | |
3587 | 220 | ptls_decode_block(src, end, 2, { |
3588 | 220 | while (src != end) { |
3589 | 220 | uint16_t group; |
3590 | 220 | if ((ret = ptls_decode16(&group, &src, end)) != 0) |
3591 | 220 | goto Exit; |
3592 | 220 | ptls_key_exchange_algorithm_t **c = candidates; |
3593 | 220 | for (; *c != NULL; ++c) { |
3594 | 220 | if ((*c)->id == group) { |
3595 | 220 | *selected = *c; |
3596 | 220 | return 0; |
3597 | 220 | } |
3598 | 220 | } |
3599 | 220 | } |
3600 | 220 | }); |
3601 | | |
3602 | 18 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
3603 | | |
3604 | 59 | Exit: |
3605 | 59 | return ret; |
3606 | 18 | } |
3607 | | |
3608 | | static int decode_client_hello(ptls_context_t *ctx, struct st_ptls_client_hello_t *ch, const uint8_t *src, const uint8_t *const end, |
3609 | | ptls_handshake_properties_t *properties, ptls_t *tls_cbarg) |
3610 | 1.97k | { |
3611 | 1.97k | const uint8_t *start = src; |
3612 | 1.97k | uint16_t exttype = 0; |
3613 | 1.97k | int ret; |
3614 | | |
3615 | | /* decode protocol version (do not bare to decode something older than TLS 1.0) */ |
3616 | 1.97k | if ((ret = ptls_decode16(&ch->legacy_version, &src, end)) != 0) |
3617 | 6 | goto Exit; |
3618 | 1.97k | if (ch->legacy_version < 0x0301) { |
3619 | 13 | ret = PTLS_ALERT_PROTOCOL_VERSION; |
3620 | 13 | goto Exit; |
3621 | 13 | } |
3622 | | |
3623 | | /* skip random */ |
3624 | 1.95k | if (end - src < PTLS_HELLO_RANDOM_SIZE) { |
3625 | 25 | ret = PTLS_ALERT_DECODE_ERROR; |
3626 | 25 | goto Exit; |
3627 | 25 | } |
3628 | 1.93k | ch->random_bytes = src; |
3629 | 1.93k | src += PTLS_HELLO_RANDOM_SIZE; |
3630 | | |
3631 | | /* skip legacy_session_id */ |
3632 | 1.93k | ptls_decode_open_block(src, end, 1, { |
3633 | 1.93k | if (end - src > 32) { |
3634 | 1.93k | ret = PTLS_ALERT_DECODE_ERROR; |
3635 | 1.93k | goto Exit; |
3636 | 1.93k | } |
3637 | 1.93k | ch->legacy_session_id = ptls_iovec_init(src, end - src); |
3638 | 1.93k | src = end; |
3639 | 1.93k | }); |
3640 | | |
3641 | | /* decode and select from ciphersuites */ |
3642 | 1.91k | ptls_decode_open_block(src, end, 2, { |
3643 | 1.91k | if ((end - src) % 2 != 0) { |
3644 | 1.91k | ret = PTLS_ALERT_DECODE_ERROR; |
3645 | 1.91k | goto Exit; |
3646 | 1.91k | } |
3647 | 1.91k | ch->cipher_suites = ptls_iovec_init(src, end - src); |
3648 | 1.91k | src = end; |
3649 | 1.91k | }); |
3650 | | |
3651 | | /* decode legacy_compression_methods */ |
3652 | 1.87k | ptls_decode_open_block(src, end, 1, { |
3653 | 1.87k | if (src == end) { |
3654 | 1.87k | ret = PTLS_ALERT_DECODE_ERROR; |
3655 | 1.87k | goto Exit; |
3656 | 1.87k | } |
3657 | 1.87k | ch->compression_methods.ids = src; |
3658 | 1.87k | ch->compression_methods.count = end - src; |
3659 | 1.87k | src = end; |
3660 | 1.87k | }); |
3661 | | |
3662 | | /* In TLS versions 1.2 and earlier CH might not have an extensions block (or they might, see what OpenSSL 1.0.0 sends); so bail |
3663 | | * out if that is the case after parsing the main variables. Zero is returned as it is a valid ClientHello. However |
3664 | | * `ptls_t::selected_version` remains zero indicating that no compatible version were found. */ |
3665 | 1.85k | if (src == end) { |
3666 | 12 | ret = 0; |
3667 | 12 | goto Exit; |
3668 | 12 | } |
3669 | | |
3670 | | /* decode extensions */ |
3671 | 1.84k | ch->first_extension_at = src - start + 2; |
3672 | 1.84k | decode_extensions(src, end, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, &exttype, { |
3673 | 1.84k | ch->psk.is_last_extension = 0; |
3674 | 1.84k | if (ctx->on_extension != NULL && tls_cbarg != NULL && |
3675 | 1.84k | (ret = ctx->on_extension->cb(ctx->on_extension, tls_cbarg, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, exttype, |
3676 | 1.84k | ptls_iovec_init(src, end - src)) != 0)) |
3677 | 1.84k | goto Exit; |
3678 | 1.84k | switch (exttype) { |
3679 | 1.84k | case PTLS_EXTENSION_TYPE_SERVER_NAME: |
3680 | 1.84k | if ((ret = client_hello_decode_server_name(&ch->server_name, &src, end)) != 0) |
3681 | 1.84k | goto Exit; |
3682 | 1.84k | if (src != end) { |
3683 | 1.84k | ret = PTLS_ALERT_DECODE_ERROR; |
3684 | 1.84k | goto Exit; |
3685 | 1.84k | } |
3686 | 1.84k | break; |
3687 | 1.84k | case PTLS_EXTENSION_TYPE_ALPN: |
3688 | 1.84k | ptls_decode_block(src, end, 2, { |
3689 | 1.84k | do { |
3690 | 1.84k | ptls_decode_open_block(src, end, 1, { |
3691 | | /* rfc7301 3.1: empty strings MUST NOT be included */ |
3692 | 1.84k | if (src == end) { |
3693 | 1.84k | ret = PTLS_ALERT_DECODE_ERROR; |
3694 | 1.84k | goto Exit; |
3695 | 1.84k | } |
3696 | 1.84k | if (ch->alpn.count < PTLS_ELEMENTSOF(ch->alpn.list)) |
3697 | 1.84k | ch->alpn.list[ch->alpn.count++] = ptls_iovec_init(src, end - src); |
3698 | 1.84k | src = end; |
3699 | 1.84k | }); |
3700 | 1.84k | } while (src != end); |
3701 | 1.84k | }); |
3702 | 1.84k | break; |
3703 | 1.84k | case PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE: |
3704 | 1.84k | ptls_decode_block(src, end, 1, { |
3705 | 1.84k | size_t list_size = end - src; |
3706 | | |
3707 | | /* RFC7250 4.1: No empty list, no list with single x509 element */ |
3708 | 1.84k | if (list_size == 0 || (list_size == 1 && *src == PTLS_CERTIFICATE_TYPE_X509)) { |
3709 | 1.84k | ret = PTLS_ALERT_DECODE_ERROR; |
3710 | 1.84k | goto Exit; |
3711 | 1.84k | } |
3712 | | |
3713 | 1.84k | do { |
3714 | 1.84k | if (ch->server_certificate_types.count < PTLS_ELEMENTSOF(ch->server_certificate_types.list)) |
3715 | 1.84k | ch->server_certificate_types.list[ch->server_certificate_types.count++] = *src; |
3716 | 1.84k | src++; |
3717 | 1.84k | } while (src != end); |
3718 | 1.84k | }); |
3719 | 1.84k | break; |
3720 | 1.84k | case PTLS_EXTENSION_TYPE_COMPRESS_CERTIFICATE: |
3721 | 1.84k | ptls_decode_block(src, end, 1, { |
3722 | 1.84k | do { |
3723 | 1.84k | uint16_t id; |
3724 | 1.84k | if ((ret = ptls_decode16(&id, &src, end)) != 0) |
3725 | 1.84k | goto Exit; |
3726 | 1.84k | if (ch->cert_compression_algos.count < PTLS_ELEMENTSOF(ch->cert_compression_algos.list)) |
3727 | 1.84k | ch->cert_compression_algos.list[ch->cert_compression_algos.count++] = id; |
3728 | 1.84k | } while (src != end); |
3729 | 1.84k | }); |
3730 | 1.84k | break; |
3731 | 1.84k | case PTLS_EXTENSION_TYPE_SUPPORTED_GROUPS: |
3732 | 1.84k | ch->negotiated_groups = ptls_iovec_init(src, end - src); |
3733 | 1.84k | break; |
3734 | 1.84k | case PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS: |
3735 | 1.84k | if ((ret = decode_signature_algorithms(&ch->signature_algorithms, &src, end)) != 0) |
3736 | 1.84k | goto Exit; |
3737 | 1.84k | break; |
3738 | 1.84k | case PTLS_EXTENSION_TYPE_KEY_SHARE: |
3739 | 1.84k | ch->key_shares = ptls_iovec_init(src, end - src); |
3740 | 1.84k | break; |
3741 | 1.84k | case PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS: |
3742 | 1.84k | ptls_decode_block(src, end, 1, { |
3743 | 1.84k | size_t selected_index = PTLS_ELEMENTSOF(supported_versions); |
3744 | 1.84k | do { |
3745 | 1.84k | size_t i; |
3746 | 1.84k | uint16_t v; |
3747 | 1.84k | if ((ret = ptls_decode16(&v, &src, end)) != 0) |
3748 | 1.84k | goto Exit; |
3749 | 1.84k | for (i = 0; i != selected_index; ++i) { |
3750 | 1.84k | if (supported_versions[i] == v) { |
3751 | 1.84k | selected_index = i; |
3752 | 1.84k | break; |
3753 | 1.84k | } |
3754 | 1.84k | } |
3755 | 1.84k | } while (src != end); |
3756 | 1.84k | if (selected_index != PTLS_ELEMENTSOF(supported_versions)) |
3757 | 1.84k | ch->selected_version = supported_versions[selected_index]; |
3758 | 1.84k | }); |
3759 | 1.84k | break; |
3760 | 1.84k | case PTLS_EXTENSION_TYPE_COOKIE: |
3761 | 1.84k | if (properties == NULL || properties->server.cookie.key == NULL) { |
3762 | 1.84k | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3763 | 1.84k | goto Exit; |
3764 | 1.84k | } |
3765 | 1.84k | ch->cookie.all = ptls_iovec_init(src, end - src); |
3766 | 1.84k | ptls_decode_block(src, end, 2, { |
3767 | 1.84k | ch->cookie.tbs.base = (void *)src; |
3768 | 1.84k | ptls_decode_open_block(src, end, 2, { |
3769 | 1.84k | ptls_decode_open_block(src, end, 1, { |
3770 | 1.84k | ch->cookie.ch1_hash = ptls_iovec_init(src, end - src); |
3771 | 1.84k | src = end; |
3772 | 1.84k | }); |
3773 | 1.84k | uint8_t sent_key_share; |
3774 | 1.84k | if ((ret = ptls_decode8(&sent_key_share, &src, end)) != 0) |
3775 | 1.84k | goto Exit; |
3776 | 1.84k | switch (sent_key_share) { |
3777 | 1.84k | case 0: |
3778 | 1.84k | assert(!ch->cookie.sent_key_share); |
3779 | 1.84k | break; |
3780 | 1.84k | case 1: |
3781 | 1.84k | ch->cookie.sent_key_share = 1; |
3782 | 1.84k | break; |
3783 | 1.84k | default: |
3784 | 1.84k | ret = PTLS_ALERT_DECODE_ERROR; |
3785 | 1.84k | goto Exit; |
3786 | 1.84k | } |
3787 | 1.84k | }); |
3788 | 1.84k | ch->cookie.tbs.len = src - ch->cookie.tbs.base; |
3789 | 1.84k | ptls_decode_block(src, end, 1, { |
3790 | 1.84k | ch->cookie.signature = ptls_iovec_init(src, end - src); |
3791 | 1.84k | src = end; |
3792 | 1.84k | }); |
3793 | 1.84k | }); |
3794 | 1.84k | break; |
3795 | 1.84k | case PTLS_EXTENSION_TYPE_PRE_SHARED_KEY: { |
3796 | 1.84k | size_t num_identities = 0; |
3797 | 1.84k | ptls_decode_open_block(src, end, 2, { |
3798 | 1.84k | do { |
3799 | 1.84k | ptls_client_hello_psk_identity_t psk = {{NULL}}; |
3800 | 1.84k | ptls_decode_open_block(src, end, 2, { |
3801 | 1.84k | if (end - src < 1) { |
3802 | 1.84k | ret = PTLS_ALERT_DECODE_ERROR; |
3803 | 1.84k | goto Exit; |
3804 | 1.84k | } |
3805 | 1.84k | psk.identity = ptls_iovec_init(src, end - src); |
3806 | 1.84k | src = end; |
3807 | 1.84k | }); |
3808 | 1.84k | if ((ret = ptls_decode32(&psk.obfuscated_ticket_age, &src, end)) != 0) |
3809 | 1.84k | goto Exit; |
3810 | 1.84k | if (ch->psk.identities.count < PTLS_ELEMENTSOF(ch->psk.identities.list)) |
3811 | 1.84k | ch->psk.identities.list[ch->psk.identities.count++] = psk; |
3812 | 1.84k | ++num_identities; |
3813 | 1.84k | } while (src != end); |
3814 | 1.84k | }); |
3815 | 1.84k | ch->psk.hash_end = src; |
3816 | 1.84k | ptls_decode_block(src, end, 2, { |
3817 | 1.84k | size_t num_binders = 0; |
3818 | 1.84k | do { |
3819 | 1.84k | ptls_decode_open_block(src, end, 1, { |
3820 | 1.84k | if (num_binders < ch->psk.identities.count) |
3821 | 1.84k | ch->psk.identities.list[num_binders].binder = ptls_iovec_init(src, end - src); |
3822 | 1.84k | src = end; |
3823 | 1.84k | }); |
3824 | 1.84k | ++num_binders; |
3825 | 1.84k | } while (src != end); |
3826 | 1.84k | if (num_identities != num_binders) { |
3827 | 1.84k | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3828 | 1.84k | goto Exit; |
3829 | 1.84k | } |
3830 | 1.84k | }); |
3831 | 1.84k | ch->psk.is_last_extension = 1; |
3832 | 1.84k | } break; |
3833 | 1.84k | case PTLS_EXTENSION_TYPE_PSK_KEY_EXCHANGE_MODES: |
3834 | 1.84k | ptls_decode_block(src, end, 1, { |
3835 | 1.84k | do { |
3836 | 1.84k | uint8_t mode; |
3837 | 1.84k | if ((ret = ptls_decode8(&mode, &src, end)) != 0) |
3838 | 1.84k | goto Exit; |
3839 | 1.84k | if (mode < sizeof(ch->psk.ke_modes) * 8) |
3840 | 1.84k | ch->psk.ke_modes |= 1u << mode; |
3841 | 1.84k | } while (src != end); |
3842 | 1.84k | }); |
3843 | 1.84k | break; |
3844 | 1.84k | case PTLS_EXTENSION_TYPE_EARLY_DATA: |
3845 | 1.84k | ch->psk.early_data_indication = 1; |
3846 | 1.84k | break; |
3847 | 1.84k | case PTLS_EXTENSION_TYPE_STATUS_REQUEST: |
3848 | 1.84k | ch->status_request = 1; |
3849 | 1.84k | break; |
3850 | 1.84k | case PTLS_EXTENSION_TYPE_TICKET_REQUEST: |
3851 | 1.84k | if (end - src != 2) { |
3852 | 1.84k | ret = PTLS_ALERT_DECODE_ERROR; |
3853 | 1.84k | goto Exit; |
3854 | 1.84k | } |
3855 | 1.84k | ch->ticket_request.new_session_count = *src++; |
3856 | 1.84k | ch->ticket_request.resumption_count = *src++; |
3857 | 1.84k | break; |
3858 | 1.84k | case PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO: |
3859 | 1.84k | if ((ret = ptls_decode8(&ch->ech.type, &src, end)) != 0) |
3860 | 1.84k | goto Exit; |
3861 | 1.84k | switch (ch->ech.type) { |
3862 | 1.84k | case PTLS_ECH_CLIENT_HELLO_TYPE_OUTER: |
3863 | 1.84k | if ((ret = ptls_decode16(&ch->ech.cipher_suite.kdf, &src, end)) != 0 || |
3864 | 1.84k | (ret = ptls_decode16(&ch->ech.cipher_suite.aead, &src, end)) != 0) |
3865 | 1.84k | goto Exit; |
3866 | 1.84k | if ((ret = ptls_decode8(&ch->ech.config_id, &src, end)) != 0) |
3867 | 1.84k | goto Exit; |
3868 | 1.84k | ptls_decode_open_block(src, end, 2, { |
3869 | 1.84k | ch->ech.enc = ptls_iovec_init(src, end - src); |
3870 | 1.84k | src = end; |
3871 | 1.84k | }); |
3872 | 1.84k | ptls_decode_open_block(src, end, 2, { |
3873 | 1.84k | if (src == end) { |
3874 | 1.84k | ret = PTLS_ALERT_DECODE_ERROR; |
3875 | 1.84k | goto Exit; |
3876 | 1.84k | } |
3877 | 1.84k | ch->ech.payload = ptls_iovec_init(src, end - src); |
3878 | 1.84k | src = end; |
3879 | 1.84k | }); |
3880 | 1.84k | break; |
3881 | 1.84k | case PTLS_ECH_CLIENT_HELLO_TYPE_INNER: |
3882 | 1.84k | if (src != end) { |
3883 | 1.84k | ret = PTLS_ALERT_DECODE_ERROR; |
3884 | 1.84k | goto Exit; |
3885 | 1.84k | } |
3886 | 1.84k | ch->ech.payload = ptls_iovec_init("", 0); /* non-zero base indicates that the extension was received */ |
3887 | 1.84k | break; |
3888 | 1.84k | default: |
3889 | 1.84k | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3890 | 1.84k | goto Exit; |
3891 | 1.84k | } |
3892 | 1.84k | src = end; |
3893 | 1.84k | break; |
3894 | 1.84k | default: |
3895 | 1.84k | if (tls_cbarg != NULL && should_collect_unknown_extension(tls_cbarg, properties, exttype)) { |
3896 | 1.84k | if ((ret = collect_unknown_extension(tls_cbarg, exttype, src, end, ch->unknown_extensions)) != 0) |
3897 | 1.84k | goto Exit; |
3898 | 1.84k | } |
3899 | 1.84k | break; |
3900 | 1.84k | } |
3901 | 1.84k | src = end; |
3902 | 1.84k | }); |
3903 | | |
3904 | 909 | ret = 0; |
3905 | 1.97k | Exit: |
3906 | 1.97k | return ret; |
3907 | 909 | } |
3908 | | |
3909 | | static int rebuild_ch_inner_extensions(ptls_buffer_t *buf, const uint8_t **src, const uint8_t *const end, const uint8_t *outer_ext, |
3910 | | const uint8_t *outer_ext_end) |
3911 | 0 | { |
3912 | 0 | int ret; |
3913 | |
|
3914 | 0 | ptls_buffer_push_block(buf, 2, { |
3915 | 0 | ptls_decode_open_block(*src, end, 2, { |
3916 | 0 | while (*src != end) { |
3917 | 0 | uint16_t exttype; |
3918 | 0 | if ((ret = ptls_decode16(&exttype, src, end)) != 0) |
3919 | 0 | goto Exit; |
3920 | 0 | ptls_decode_open_block(*src, end, 2, { |
3921 | 0 | if (exttype == PTLS_EXTENSION_TYPE_ECH_OUTER_EXTENSIONS) { |
3922 | 0 | ptls_decode_open_block(*src, end, 1, { |
3923 | 0 | do { |
3924 | 0 | uint16_t reftype; |
3925 | 0 | uint16_t outertype; |
3926 | 0 | uint16_t outersize; |
3927 | 0 | if ((ret = ptls_decode16(&reftype, src, end)) != 0) |
3928 | 0 | goto Exit; |
3929 | 0 | if (reftype == PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO) { |
3930 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3931 | 0 | goto Exit; |
3932 | 0 | } |
3933 | 0 | while (1) { |
3934 | 0 | if (ptls_decode16(&outertype, &outer_ext, outer_ext_end) != 0 || |
3935 | 0 | ptls_decode16(&outersize, &outer_ext, outer_ext_end) != 0) { |
3936 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3937 | 0 | goto Exit; |
3938 | 0 | } |
3939 | 0 | assert(outer_ext_end - outer_ext >= outersize); |
3940 | 0 | if (outertype == reftype) |
3941 | 0 | break; |
3942 | 0 | outer_ext += outersize; |
3943 | 0 | } |
3944 | 0 | buffer_push_extension(buf, reftype, { |
3945 | 0 | ptls_buffer_pushv(buf, outer_ext, outersize); |
3946 | 0 | outer_ext += outersize; |
3947 | 0 | }); |
3948 | 0 | } while (*src != end); |
3949 | 0 | }); |
3950 | 0 | } else { |
3951 | 0 | buffer_push_extension(buf, exttype, { |
3952 | 0 | ptls_buffer_pushv(buf, *src, end - *src); |
3953 | 0 | *src = end; |
3954 | 0 | }); |
3955 | 0 | } |
3956 | 0 | }); |
3957 | 0 | } |
3958 | 0 | }); |
3959 | 0 | }); |
3960 | | |
3961 | 0 | Exit: |
3962 | 0 | return ret; |
3963 | 0 | } |
3964 | | |
3965 | | static int rebuild_ch_inner(ptls_buffer_t *buf, const uint8_t *src, const uint8_t *const end, |
3966 | | struct st_ptls_client_hello_t *outer_ch, const uint8_t *outer_ext, const uint8_t *outer_ext_end) |
3967 | 0 | { |
3968 | 0 | #define COPY_BLOCK(capacity) \ |
3969 | 0 | do { \ |
3970 | 0 | ptls_decode_open_block(src, end, (capacity), { \ |
3971 | 0 | ptls_buffer_push_block(buf, (capacity), { ptls_buffer_pushv(buf, src, end - src); }); \ |
3972 | 0 | src = end; \ |
3973 | 0 | }); \ |
3974 | 0 | } while (0) |
3975 | |
|
3976 | 0 | int ret; |
3977 | |
|
3978 | 0 | ptls_buffer_push_message_body(buf, NULL, PTLS_HANDSHAKE_TYPE_CLIENT_HELLO, { |
3979 | 0 | { /* legacy_version */ |
3980 | 0 | uint16_t legacy_version; |
3981 | 0 | if ((ret = ptls_decode16(&legacy_version, &src, end)) != 0) |
3982 | 0 | goto Exit; |
3983 | 0 | ptls_buffer_push16(buf, legacy_version); |
3984 | 0 | } |
3985 | | |
3986 | | /* hello random */ |
3987 | 0 | if (end - src < PTLS_HELLO_RANDOM_SIZE) { |
3988 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
3989 | 0 | goto Exit; |
3990 | 0 | } |
3991 | 0 | ptls_buffer_pushv(buf, src, PTLS_HELLO_RANDOM_SIZE); |
3992 | 0 | src += PTLS_HELLO_RANDOM_SIZE; |
3993 | |
|
3994 | 0 | ptls_decode_open_block(src, end, 1, { |
3995 | 0 | if (src != end) { |
3996 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
3997 | 0 | goto Exit; |
3998 | 0 | } |
3999 | 0 | }); |
4000 | 0 | ptls_buffer_push_block(buf, 1, |
4001 | 0 | { ptls_buffer_pushv(buf, outer_ch->legacy_session_id.base, outer_ch->legacy_session_id.len); }); |
4002 | | |
4003 | | /* cipher-suites and legacy-compression-methods */ |
4004 | 0 | COPY_BLOCK(2); |
4005 | 0 | COPY_BLOCK(1); |
4006 | | |
4007 | | /* extensions */ |
4008 | 0 | if ((ret = rebuild_ch_inner_extensions(buf, &src, end, outer_ext, outer_ext_end)) != 0) |
4009 | 0 | goto Exit; |
4010 | 0 | }); |
4011 | | |
4012 | | /* padding must be all zero */ |
4013 | 0 | for (; src != end; ++src) { |
4014 | 0 | if (*src != '\0') { |
4015 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
4016 | 0 | goto Exit; |
4017 | 0 | } |
4018 | 0 | } |
4019 | | |
4020 | 0 | Exit: |
4021 | 0 | return ret; |
4022 | |
|
4023 | 0 | #undef COPY_BLOCK |
4024 | 0 | } |
4025 | | |
4026 | | /* Wrapper function for invoking the on_client_hello callback, taking an exhaustive list of parameters as arguments. The intention |
4027 | | * is to not miss setting them as we add new parameters to the struct. */ |
4028 | | static inline int call_on_client_hello_cb(ptls_t *tls, ptls_iovec_t server_name, ptls_iovec_t raw_message, |
4029 | | ptls_iovec_t cipher_suites, ptls_iovec_t *alpns, size_t num_alpns, |
4030 | | const uint16_t *sig_algos, size_t num_sig_algos, const uint16_t *cert_comp_algos, |
4031 | | size_t num_cert_comp_algos, const uint8_t *server_cert_types, |
4032 | | size_t num_server_cert_types, const ptls_client_hello_psk_identity_t *psk_identities, |
4033 | | size_t num_psk_identities, int incompatible_version) |
4034 | 847 | { |
4035 | 847 | if (tls->ctx->on_client_hello == NULL) |
4036 | 847 | return 0; |
4037 | | |
4038 | 0 | ptls_on_client_hello_parameters_t params = {server_name, |
4039 | 0 | raw_message, |
4040 | 0 | cipher_suites, |
4041 | 0 | {alpns, num_alpns}, |
4042 | 0 | {sig_algos, num_sig_algos}, |
4043 | 0 | {cert_comp_algos, num_cert_comp_algos}, |
4044 | 0 | {server_cert_types, num_server_cert_types}, |
4045 | 0 | {psk_identities, num_psk_identities}, |
4046 | 0 | incompatible_version}; |
4047 | 0 | return tls->ctx->on_client_hello->cb(tls->ctx->on_client_hello, tls, ¶ms); |
4048 | 847 | } |
4049 | | |
4050 | | static int check_client_hello_constraints(ptls_context_t *ctx, struct st_ptls_client_hello_t *ch, const void *prev_random, |
4051 | | int ech_is_inner_ch, ptls_iovec_t raw_message, ptls_t *tls_cbarg) |
4052 | 921 | { |
4053 | 921 | int is_second_flight = prev_random != 0; |
4054 | | |
4055 | | /* The following check is necessary so that we would be able to track the connection in SSLKEYLOGFILE, even though it might not |
4056 | | * be for the safety of the protocol. */ |
4057 | 921 | if (is_second_flight && !ptls_mem_equal(ch->random_bytes, prev_random, PTLS_HELLO_RANDOM_SIZE)) |
4058 | 17 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
4059 | | |
4060 | | /* bail out if CH cannot be handled as TLS 1.3 */ |
4061 | 904 | if (!is_supported_version(ch->selected_version)) { |
4062 | | /* ECH: server MUST abort with an "illegal_parameter" alert if the client offers TLS 1.2 or below (draft-15 7.1) */ |
4063 | 103 | if (ech_is_inner_ch) |
4064 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4065 | | /* fail with PROTOCOL_VERSION alert, after providing the applications the raw CH and SNI to help them fallback */ |
4066 | 103 | if (!is_second_flight) { |
4067 | 102 | int ret; |
4068 | 102 | if ((ret = call_on_client_hello_cb(tls_cbarg, ch->server_name, raw_message, ch->cipher_suites, ch->alpn.list, |
4069 | 102 | ch->alpn.count, NULL, 0, NULL, 0, NULL, 0, NULL, 0, 1)) != 0) |
4070 | 0 | return ret; |
4071 | 102 | } |
4072 | 103 | return PTLS_ALERT_PROTOCOL_VERSION; |
4073 | 103 | } |
4074 | | |
4075 | | /* Check TLS 1.3-specific constraints. Hereafter, we might exit without calling on_client_hello. That's fine because this CH is |
4076 | | * ought to be rejected. */ |
4077 | 801 | if (ch->legacy_version <= 0x0300) { |
4078 | | /* RFC 8446 Appendix D.5: any endpoint receiving a Hello message with legacy_version set to 0x0300 MUST abort the handshake |
4079 | | * with a "protocol_version" alert. */ |
4080 | 0 | return PTLS_ALERT_PROTOCOL_VERSION; |
4081 | 0 | } |
4082 | 801 | if (!(ch->compression_methods.count == 1 && ch->compression_methods.ids[0] == 0)) |
4083 | 24 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4084 | | /* pre-shared key */ |
4085 | 777 | if (ch->psk.hash_end != NULL) { |
4086 | | /* PSK must be the last extension */ |
4087 | 218 | if (!ch->psk.is_last_extension) |
4088 | 1 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4089 | 559 | } else { |
4090 | 559 | if (ch->psk.early_data_indication) |
4091 | 2 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4092 | 559 | } |
4093 | | |
4094 | 774 | if (ech_is_inner_ch && ch->ech.payload.base == NULL) |
4095 | 0 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4096 | 774 | if (ch->ech.payload.base != NULL && |
4097 | 774 | ch->ech.type != (ech_is_inner_ch ? PTLS_ECH_CLIENT_HELLO_TYPE_INNER : PTLS_ECH_CLIENT_HELLO_TYPE_OUTER)) |
4098 | 1 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
4099 | | |
4100 | 773 | return 0; |
4101 | 774 | } |
4102 | | |
4103 | | static int vec_is_string(ptls_iovec_t x, const char *y) |
4104 | 0 | { |
4105 | 0 | return strncmp((const char *)x.base, y, x.len) == 0 && y[x.len] == '\0'; |
4106 | 0 | } |
4107 | | |
4108 | | /** |
4109 | | * Looks for a PSK identity that can be used, and if found, updates the handshake state and returns the necessary variables. If |
4110 | | * `ptls_context_t::pre_shared_key` is set, only tries handshake using those keys provided. Otherwise, tries resumption. |
4111 | | */ |
4112 | | static int try_psk_handshake(ptls_t *tls, size_t *psk_index, int *accept_early_data, struct st_ptls_client_hello_t *ch, |
4113 | | ptls_iovec_t ch_trunc, int is_second_flight) |
4114 | 125 | { |
4115 | 125 | ptls_buffer_t decbuf; |
4116 | 125 | ptls_iovec_t secret, ticket_ctx, ticket_negotiated_protocol; |
4117 | 125 | uint64_t issue_at, now = tls->ctx->get_time->cb(tls->ctx->get_time); |
4118 | 125 | uint32_t age_add; |
4119 | 125 | uint16_t ticket_key_exchange_id, ticket_csid; |
4120 | 125 | uint8_t binder_key[PTLS_MAX_DIGEST_SIZE]; |
4121 | 125 | int ret; |
4122 | | |
4123 | 125 | ptls_buffer_init(&decbuf, "", 0); |
4124 | | |
4125 | 313 | for (*psk_index = 0; *psk_index < ch->psk.identities.count; ++*psk_index) { |
4126 | 189 | ptls_client_hello_psk_identity_t *identity = ch->psk.identities.list + *psk_index; |
4127 | | |
4128 | | /* negotiate using fixed pre-shared key */ |
4129 | 189 | if (tls->ctx->pre_shared_key.identity.base != NULL) { |
4130 | 0 | if (identity->identity.len == tls->ctx->pre_shared_key.identity.len && |
4131 | 0 | memcmp(identity->identity.base, tls->ctx->pre_shared_key.identity.base, identity->identity.len) == 0) { |
4132 | 0 | *accept_early_data = ch->psk.early_data_indication && *psk_index == 0; |
4133 | 0 | tls->key_share = NULL; |
4134 | 0 | secret = tls->ctx->pre_shared_key.secret; |
4135 | 0 | goto Found; |
4136 | 0 | } |
4137 | 0 | continue; |
4138 | 0 | } |
4139 | | |
4140 | | /* decrypt ticket and decode */ |
4141 | 189 | if (tls->ctx->encrypt_ticket == NULL || tls->ctx->key_exchanges == NULL) |
4142 | 0 | continue; |
4143 | 189 | int can_accept_early_data = *psk_index == 0; |
4144 | 189 | decbuf.off = 0; |
4145 | 189 | switch (tls->ctx->encrypt_ticket->cb(tls->ctx->encrypt_ticket, tls, 0, &decbuf, identity->identity)) { |
4146 | 189 | case 0: /* decrypted */ |
4147 | 189 | break; |
4148 | 0 | case PTLS_ERROR_REJECT_EARLY_DATA: /* decrypted, but early data is rejected */ |
4149 | 0 | can_accept_early_data = 0; |
4150 | 0 | break; |
4151 | 0 | default: /* decryption failure */ |
4152 | 0 | continue; |
4153 | 189 | } |
4154 | 189 | if (decode_session_identifier(&issue_at, &secret, &age_add, &ticket_ctx, &ticket_key_exchange_id, &ticket_csid, |
4155 | 189 | &ticket_negotiated_protocol, decbuf.base, decbuf.base + decbuf.off) != 0) |
4156 | 0 | continue; |
4157 | | /* check age */ |
4158 | 189 | if (now < issue_at) |
4159 | 0 | continue; |
4160 | 189 | if (now - issue_at > (uint64_t)tls->ctx->ticket_lifetime * 1000) |
4161 | 0 | continue; |
4162 | 189 | *accept_early_data = 0; |
4163 | 189 | if (ch->psk.early_data_indication && can_accept_early_data) { |
4164 | | /* accept early-data if abs(diff) between the reported age and the actual age is within += 10 seconds */ |
4165 | 111 | int64_t delta = (now - issue_at) - (identity->obfuscated_ticket_age - age_add); |
4166 | 111 | if (delta < 0) |
4167 | 0 | delta = -delta; |
4168 | 111 | if (tls->ctx->max_early_data_size != 0 && delta <= PTLS_EARLY_DATA_MAX_DELAY) |
4169 | 0 | *accept_early_data = 1; |
4170 | 111 | } |
4171 | | /* check ticket context */ |
4172 | 189 | if (tls->ctx->ticket_context.is_set) { |
4173 | 0 | if (!(ticket_ctx.len == sizeof(tls->ctx->ticket_context.bytes) && |
4174 | 0 | memcmp(ticket_ctx.base, tls->ctx->ticket_context.bytes, ticket_ctx.len) == 0)) |
4175 | 0 | continue; |
4176 | 189 | } else { |
4177 | | /* check server-name */ |
4178 | 189 | if (ticket_ctx.len != 0) { |
4179 | 0 | if (tls->server_name == NULL) |
4180 | 0 | continue; |
4181 | 0 | if (!vec_is_string(ticket_ctx, tls->server_name)) |
4182 | 0 | continue; |
4183 | 189 | } else { |
4184 | 189 | if (tls->server_name != NULL) |
4185 | 0 | continue; |
4186 | 189 | } |
4187 | 189 | } |
4188 | 189 | { /* check key-exchange */ |
4189 | 189 | ptls_key_exchange_algorithm_t **a; |
4190 | 189 | for (a = tls->ctx->key_exchanges; *a != NULL && (*a)->id != ticket_key_exchange_id; ++a) |
4191 | 0 | ; |
4192 | 189 | if (*a == NULL) |
4193 | 0 | continue; |
4194 | 189 | tls->key_share = *a; |
4195 | 189 | } |
4196 | | /* check cipher-suite */ |
4197 | 189 | if (ticket_csid != tls->cipher_suite->id) |
4198 | 86 | continue; |
4199 | | /* check negotiated-protocol */ |
4200 | 103 | if (ticket_negotiated_protocol.len != 0) { |
4201 | 0 | if (tls->negotiated_protocol == NULL) |
4202 | 0 | continue; |
4203 | 0 | if (!vec_is_string(ticket_negotiated_protocol, tls->negotiated_protocol)) |
4204 | 0 | continue; |
4205 | 0 | } |
4206 | | /* check the length of the decrypted psk and the PSK binder */ |
4207 | 103 | if (secret.len != tls->key_schedule->hashes[0].algo->digest_size) |
4208 | 0 | continue; |
4209 | 103 | if (ch->psk.identities.list[*psk_index].binder.len != tls->key_schedule->hashes[0].algo->digest_size) |
4210 | 102 | continue; |
4211 | | |
4212 | | /* found */ |
4213 | 1 | goto Found; |
4214 | 103 | } |
4215 | | |
4216 | | /* not found */ |
4217 | 124 | *psk_index = SIZE_MAX; |
4218 | 124 | *accept_early_data = 0; |
4219 | 124 | tls->key_share = NULL; |
4220 | 124 | ret = 0; |
4221 | 124 | goto Exit; |
4222 | | |
4223 | 1 | Found: |
4224 | 1 | if (!is_second_flight && (ret = key_schedule_extract(tls->key_schedule, secret)) != 0) |
4225 | 0 | goto Exit; |
4226 | 1 | if ((ret = derive_secret_with_empty_digest(tls->key_schedule, binder_key, |
4227 | 1 | tls->ctx->pre_shared_key.secret.base != NULL ? "ext binder" : "res binder")) != 0) |
4228 | 0 | goto Exit; |
4229 | 1 | ptls__key_schedule_update_hash(tls->key_schedule, ch_trunc.base, ch_trunc.len, 0); |
4230 | 1 | if ((ret = calc_verify_data(binder_key /* to conserve space, reuse binder_key for storing verify_data */, tls->key_schedule, |
4231 | 1 | binder_key)) != 0) |
4232 | 0 | goto Exit; |
4233 | 1 | if (!ptls_mem_equal(ch->psk.identities.list[*psk_index].binder.base, binder_key, |
4234 | 1 | tls->key_schedule->hashes[0].algo->digest_size)) { |
4235 | 1 | ret = PTLS_ALERT_DECRYPT_ERROR; |
4236 | 1 | goto Exit; |
4237 | 1 | } |
4238 | 0 | ret = 0; |
4239 | |
|
4240 | 125 | Exit: |
4241 | 125 | ptls_buffer_dispose(&decbuf); |
4242 | 125 | ptls_clear_memory(binder_key, sizeof(binder_key)); |
4243 | 125 | return ret; |
4244 | 0 | } |
4245 | | |
4246 | | static int calc_cookie_signature(ptls_t *tls, ptls_handshake_properties_t *properties, |
4247 | | ptls_key_exchange_algorithm_t *negotiated_group, ptls_iovec_t tbs, uint8_t *sig) |
4248 | 0 | { |
4249 | 0 | ptls_hash_algorithm_t *algo = tls->ctx->cipher_suites[0]->hash; |
4250 | 0 | ptls_hash_context_t *hctx; |
4251 | |
|
4252 | 0 | if ((hctx = ptls_hmac_create(algo, properties->server.cookie.key, algo->digest_size)) == NULL) |
4253 | 0 | return PTLS_ERROR_NO_MEMORY; |
4254 | | |
4255 | 0 | #define UPDATE_BLOCK(p, _len) \ |
4256 | 0 | do { \ |
4257 | 0 | size_t len = (_len); \ |
4258 | 0 | assert(len < UINT8_MAX); \ |
4259 | 0 | uint8_t len8 = (uint8_t)len; \ |
4260 | 0 | hctx->update(hctx, &len8, 1); \ |
4261 | 0 | hctx->update(hctx, (p), len); \ |
4262 | 0 | } while (0) |
4263 | 0 | #define UPDATE16(_v) \ |
4264 | 0 | do { \ |
4265 | 0 | uint16_t v = (_v); \ |
4266 | 0 | uint8_t b[2] = {v >> 8, v & 0xff}; \ |
4267 | 0 | hctx->update(hctx, b, 2); \ |
4268 | 0 | } while (0) |
4269 | | |
4270 | 0 | UPDATE_BLOCK(tls->client_random, sizeof(tls->client_random)); |
4271 | 0 | UPDATE_BLOCK(tls->server_name, tls->server_name != NULL ? strlen(tls->server_name) : 0); |
4272 | 0 | UPDATE16(tls->cipher_suite->id); |
4273 | 0 | UPDATE16(negotiated_group != NULL ? negotiated_group->id : 0); |
4274 | 0 | UPDATE_BLOCK(properties->server.cookie.additional_data.base, properties->server.cookie.additional_data.len); |
4275 | | |
4276 | 0 | UPDATE_BLOCK(tbs.base, tbs.len); |
4277 | | |
4278 | 0 | #undef UPDATE_BLOCK |
4279 | 0 | #undef UPDATE16 |
4280 | | |
4281 | 0 | hctx->final(hctx, sig, PTLS_HASH_FINAL_MODE_FREE); |
4282 | 0 | return 0; |
4283 | 0 | } |
4284 | | |
4285 | | static int certificate_type_exists(uint8_t *list, size_t count, uint8_t desired_type) |
4286 | 745 | { |
4287 | | /* empty type list means that we default to x509 */ |
4288 | 745 | if (desired_type == PTLS_CERTIFICATE_TYPE_X509 && count == 0) |
4289 | 716 | return 1; |
4290 | 90 | for (size_t i = 0; i < count; i++) { |
4291 | 77 | if (list[i] == desired_type) |
4292 | 16 | return 1; |
4293 | 77 | } |
4294 | 13 | return 0; |
4295 | 29 | } |
4296 | | |
4297 | | static int server_handle_hello(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, |
4298 | | ptls_handshake_properties_t *properties) |
4299 | 1.97k | { |
4300 | 1.97k | #define EMIT_SERVER_HELLO(sched, fill_rand, extensions, post_action) \ |
4301 | 1.97k | do { \ |
4302 | 437 | size_t sh_start_off; \ |
4303 | 437 | ptls_push_message(emitter, NULL, PTLS_HANDSHAKE_TYPE_SERVER_HELLO, { \ |
4304 | 437 | sh_start_off = emitter->buf->off - PTLS_HANDSHAKE_HEADER_SIZE; \ |
4305 | 437 | ptls_buffer_push16(emitter->buf, 0x0303 /* legacy version */); \ |
4306 | 437 | if ((ret = ptls_buffer_reserve(emitter->buf, PTLS_HELLO_RANDOM_SIZE)) != 0) \ |
4307 | 437 | goto Exit; \ |
4308 | 437 | do { \ |
4309 | 437 | fill_rand \ |
4310 | 437 | } while (0); \ |
4311 | 437 | emitter->buf->off += PTLS_HELLO_RANDOM_SIZE; \ |
4312 | 437 | ptls_buffer_push_block(emitter->buf, 1, \ |
4313 | 437 | { ptls_buffer_pushv(emitter->buf, ch->legacy_session_id.base, ch->legacy_session_id.len); }); \ |
4314 | 437 | ptls_buffer_push16(emitter->buf, tls->cipher_suite->id); \ |
4315 | 437 | ptls_buffer_push(emitter->buf, 0); \ |
4316 | 437 | ptls_buffer_push_block(emitter->buf, 2, { \ |
4317 | 437 | buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_SUPPORTED_VERSIONS, \ |
4318 | 437 | { ptls_buffer_push16(emitter->buf, ch->selected_version); }); \ |
4319 | 437 | do { \ |
4320 | 437 | extensions \ |
4321 | 437 | } while (0); \ |
4322 | 437 | }); \ |
4323 | 437 | }); \ |
4324 | 437 | do { \ |
4325 | 874 | post_action \ |
4326 | 437 | } while (0); \ |
4327 | 437 | ptls__key_schedule_update_hash((sched), emitter->buf->base + sh_start_off, emitter->buf->off - sh_start_off, 0); \ |
4328 | 437 | } while (0) |
4329 | | |
4330 | 1.97k | #define EMIT_HELLO_RETRY_REQUEST(sched, negotiated_group, additional_extensions, post_action) \ |
4331 | 1.97k | EMIT_SERVER_HELLO((sched), { memcpy(emitter->buf->base + emitter->buf->off, hello_retry_random, PTLS_HELLO_RANDOM_SIZE); }, \ |
4332 | 161 | { \ |
4333 | 161 | ptls_key_exchange_algorithm_t *_negotiated_group = (negotiated_group); \ |
4334 | 161 | if (_negotiated_group != NULL) { \ |
4335 | 161 | buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_KEY_SHARE, \ |
4336 | 161 | { ptls_buffer_push16(emitter->buf, _negotiated_group->id); }); \ |
4337 | 161 | } \ |
4338 | 161 | do { \ |
4339 | 161 | additional_extensions \ |
4340 | 161 | } while (0); \ |
4341 | 161 | }, \ |
4342 | 161 | post_action) |
4343 | 1.97k | struct st_ptls_client_hello_t *ch; |
4344 | 1.97k | struct { |
4345 | 1.97k | ptls_key_exchange_algorithm_t *algorithm; |
4346 | 1.97k | ptls_iovec_t peer_key; |
4347 | 1.97k | } key_share = {NULL}; |
4348 | 1.97k | struct { |
4349 | 1.97k | uint8_t *encoded_ch_inner; |
4350 | 1.97k | uint8_t *ch_outer_aad; |
4351 | 1.97k | ptls_buffer_t ch_inner; |
4352 | 1.97k | } ech = {NULL}; |
4353 | 1.97k | enum { HANDSHAKE_MODE_FULL, HANDSHAKE_MODE_PSK, HANDSHAKE_MODE_PSK_DHE } mode; |
4354 | 1.97k | size_t psk_index = SIZE_MAX; |
4355 | 1.97k | ptls_iovec_t pubkey = {0}, ecdh_secret = {0}; |
4356 | 1.97k | int accept_early_data = 0, is_second_flight = tls->state == PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO, ret; |
4357 | | |
4358 | 1.97k | ptls_buffer_init(&ech.ch_inner, "", 0); |
4359 | | |
4360 | 1.97k | if ((ch = malloc(sizeof(*ch))) == NULL) { |
4361 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
4362 | 0 | goto Exit; |
4363 | 0 | } |
4364 | | |
4365 | 1.97k | *ch = (struct st_ptls_client_hello_t){.unknown_extensions = {{UINT16_MAX}}}; |
4366 | | |
4367 | | /* decode ClientHello */ |
4368 | 1.97k | if ((ret = decode_client_hello(tls->ctx, ch, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.base + message.len, properties, |
4369 | 1.97k | tls)) != 0) |
4370 | 1.05k | goto Exit; |
4371 | 921 | if ((ret = check_client_hello_constraints(tls->ctx, ch, is_second_flight ? tls->client_random : NULL, 0, message, tls)) != 0) |
4372 | 148 | goto Exit; |
4373 | 773 | if (!is_second_flight) { |
4374 | 745 | memcpy(tls->client_random, ch->random_bytes, PTLS_HELLO_RANDOM_SIZE); |
4375 | 745 | log_client_random(tls); |
4376 | 745 | } else { |
4377 | | /* consistency check for ECH extension in response to HRR */ |
4378 | 28 | if (tls->ech.aead != NULL) { |
4379 | 0 | if (ch->ech.payload.base == NULL) { |
4380 | 0 | ret = PTLS_ALERT_MISSING_EXTENSION; |
4381 | 0 | goto Exit; |
4382 | 0 | } |
4383 | 0 | if (!(ch->ech.config_id == tls->ech.config_id && ch->ech.cipher_suite.kdf == tls->ech.cipher->id.kdf && |
4384 | 0 | ch->ech.cipher_suite.aead == tls->ech.cipher->id.aead && ch->ech.enc.len == 0)) { |
4385 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
4386 | 0 | goto Exit; |
4387 | 0 | } |
4388 | 0 | } |
4389 | 28 | } |
4390 | | |
4391 | | /* ECH */ |
4392 | 773 | if (ch->ech.payload.base != NULL) { |
4393 | 10 | if (ch->ech.type != PTLS_ECH_CLIENT_HELLO_TYPE_OUTER) { |
4394 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
4395 | 0 | goto Exit; |
4396 | 0 | } |
4397 | 10 | if (!is_second_flight) |
4398 | 8 | tls->ech.offered = 1; |
4399 | | /* obtain AEAD context for opening inner CH */ |
4400 | 10 | if (!is_second_flight && ch->ech.payload.base != NULL && tls->ctx->ech.server.create_opener != NULL) { |
4401 | 0 | if ((tls->ech.aead = tls->ctx->ech.server.create_opener->cb( |
4402 | 0 | tls->ctx->ech.server.create_opener, &tls->ech.kem, &tls->ech.cipher, tls, ch->ech.config_id, |
4403 | 0 | ch->ech.cipher_suite, ch->ech.enc, ptls_iovec_init(ech_info_prefix, sizeof(ech_info_prefix)))) != NULL) |
4404 | 0 | tls->ech.config_id = ch->ech.config_id; |
4405 | 0 | } |
4406 | 10 | if (!is_second_flight) { |
4407 | 8 | PTLS_PROBE(ECH_SELECTION, tls, tls->ech.aead != NULL); |
4408 | 8 | PTLS_LOG_CONN(ech_selection, tls, { PTLS_LOG_ELEMENT_BOOL(is_ech, tls->ech.aead != NULL); }); |
4409 | 8 | } |
4410 | 10 | if (tls->ech.aead != NULL) { |
4411 | | /* now that AEAD context is available, create AAD and decrypt inner CH */ |
4412 | 0 | if ((ech.encoded_ch_inner = malloc(ch->ech.payload.len - tls->ech.aead->algo->tag_size)) == NULL || |
4413 | 0 | (ech.ch_outer_aad = malloc(message.len - PTLS_HANDSHAKE_HEADER_SIZE)) == NULL) { |
4414 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
4415 | 0 | goto Exit; |
4416 | 0 | } |
4417 | 0 | memcpy(ech.ch_outer_aad, message.base + PTLS_HANDSHAKE_HEADER_SIZE, message.len - PTLS_HANDSHAKE_HEADER_SIZE); |
4418 | 0 | memset(ech.ch_outer_aad + (ch->ech.payload.base - (message.base + PTLS_HANDSHAKE_HEADER_SIZE)), 0, ch->ech.payload.len); |
4419 | 0 | if (ptls_aead_decrypt(tls->ech.aead, ech.encoded_ch_inner, ch->ech.payload.base, ch->ech.payload.len, is_second_flight, |
4420 | 0 | ech.ch_outer_aad, message.len - PTLS_HANDSHAKE_HEADER_SIZE) != SIZE_MAX) { |
4421 | 0 | tls->ech.accepted = 1; |
4422 | | /* successfully decrypted EncodedCHInner, build CHInner */ |
4423 | 0 | if ((ret = rebuild_ch_inner(&ech.ch_inner, ech.encoded_ch_inner, |
4424 | 0 | ech.encoded_ch_inner + ch->ech.payload.len - tls->ech.aead->algo->tag_size, ch, |
4425 | 0 | message.base + PTLS_HANDSHAKE_HEADER_SIZE + ch->first_extension_at, |
4426 | 0 | message.base + message.len)) != 0) |
4427 | 0 | goto Exit; |
4428 | | /* treat inner ch as the message being received, re-decode it */ |
4429 | 0 | message = ptls_iovec_init(ech.ch_inner.base, ech.ch_inner.off); |
4430 | 0 | *ch = (struct st_ptls_client_hello_t){.unknown_extensions = {{UINT16_MAX}}}; |
4431 | 0 | if ((ret = decode_client_hello(tls->ctx, ch, ech.ch_inner.base + PTLS_HANDSHAKE_HEADER_SIZE, |
4432 | 0 | ech.ch_inner.base + ech.ch_inner.off, properties, tls)) != 0) |
4433 | 0 | goto Exit; |
4434 | 0 | if ((ret = check_client_hello_constraints(tls->ctx, ch, is_second_flight ? tls->ech.inner_client_random : NULL, 1, |
4435 | 0 | message, tls)) != 0) |
4436 | 0 | goto Exit; |
4437 | 0 | if (!is_second_flight) |
4438 | 0 | memcpy(tls->ech.inner_client_random, ch->random_bytes, PTLS_HELLO_RANDOM_SIZE); |
4439 | 0 | } else if (is_second_flight) { |
4440 | | /* decryption failure of inner CH in 2nd CH is fatal */ |
4441 | 0 | ret = PTLS_ALERT_DECRYPT_ERROR; |
4442 | 0 | goto Exit; |
4443 | 0 | } else { |
4444 | | /* decryption failure of 1st CH indicates key mismatch; dispose of AEAD context to indicate adoption of outerCH */ |
4445 | 0 | ptls_aead_free(tls->ech.aead); |
4446 | 0 | tls->ech.aead = NULL; |
4447 | 0 | } |
4448 | 0 | } |
4449 | 763 | } else if (tls->ech.offered) { |
4450 | 1 | assert(is_second_flight); |
4451 | 1 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
4452 | 1 | goto Exit; |
4453 | 1 | } |
4454 | | |
4455 | 772 | if (tls->ctx->require_dhe_on_psk) |
4456 | 0 | ch->psk.ke_modes &= ~(1u << PTLS_PSK_KE_MODE_PSK); |
4457 | | |
4458 | | /* handle client_random, legacy_session_id, SNI, ESNI */ |
4459 | 772 | if (!is_second_flight) { |
4460 | 745 | if (ch->legacy_session_id.len != 0) |
4461 | 201 | tls->send_change_cipher_spec = 1; |
4462 | 745 | ptls_iovec_t server_name = {NULL}; |
4463 | 745 | if (ch->server_name.base != NULL) |
4464 | 3 | server_name = ch->server_name; |
4465 | 745 | if ((ret = call_on_client_hello_cb(tls, server_name, message, ch->cipher_suites, ch->alpn.list, ch->alpn.count, |
4466 | 745 | ch->signature_algorithms.list, ch->signature_algorithms.count, |
4467 | 745 | ch->cert_compression_algos.list, ch->cert_compression_algos.count, |
4468 | 745 | ch->server_certificate_types.list, ch->server_certificate_types.count, |
4469 | 745 | ch->psk.identities.list, ch->psk.identities.count, 0)) != 0) |
4470 | 0 | goto Exit; |
4471 | 745 | if (!certificate_type_exists(ch->server_certificate_types.list, ch->server_certificate_types.count, |
4472 | 745 | tls->ctx->use_raw_public_keys ? PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY |
4473 | 745 | : PTLS_CERTIFICATE_TYPE_X509)) { |
4474 | 13 | ret = PTLS_ALERT_UNSUPPORTED_CERTIFICATE; |
4475 | 13 | goto Exit; |
4476 | 13 | } |
4477 | 745 | } else { |
4478 | 27 | if (ch->psk.early_data_indication) { |
4479 | 1 | ret = PTLS_ALERT_DECODE_ERROR; |
4480 | 1 | goto Exit; |
4481 | 1 | } |
4482 | | /* We compare SNI only when the value is saved by the on_client_hello callback. This should be OK because we are |
4483 | | * ignoring the value unless the callback saves the server-name. */ |
4484 | 26 | if (tls->server_name != NULL) { |
4485 | 0 | size_t l = strlen(tls->server_name); |
4486 | 0 | if (!(ch->server_name.len == l && memcmp(ch->server_name.base, tls->server_name, l) == 0)) { |
4487 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
4488 | 0 | goto Exit; |
4489 | 0 | } |
4490 | 0 | } |
4491 | 26 | } |
4492 | | |
4493 | 758 | { /* select (or check) cipher-suite, create key_schedule */ |
4494 | 758 | ptls_cipher_suite_t *cs; |
4495 | 758 | if ((ret = select_cipher(&cs, tls->ctx->cipher_suites, ch->cipher_suites.base, |
4496 | 758 | ch->cipher_suites.base + ch->cipher_suites.len, tls->ctx->server_cipher_preference, |
4497 | 758 | tls->ctx->server_cipher_chacha_priority, tls->ctx->pre_shared_key.hash)) != 0) |
4498 | 35 | goto Exit; |
4499 | 723 | if (!is_second_flight) { |
4500 | 698 | tls->cipher_suite = cs; |
4501 | 698 | if ((tls->key_schedule = key_schedule_new(cs, NULL, 0)) == NULL) { |
4502 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
4503 | 0 | goto Exit; |
4504 | 0 | } |
4505 | 698 | } else { |
4506 | 25 | if (tls->cipher_suite != cs) { |
4507 | 1 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
4508 | 1 | goto Exit; |
4509 | 1 | } |
4510 | 25 | } |
4511 | 723 | } |
4512 | | |
4513 | | /* select key_share */ |
4514 | 722 | if (key_share.algorithm == NULL && ch->key_shares.base != NULL && tls->ctx->key_exchanges != NULL) { |
4515 | 595 | const uint8_t *src = ch->key_shares.base, *const end = src + ch->key_shares.len; |
4516 | 595 | ptls_decode_block(src, end, 2, { |
4517 | 595 | if ((ret = select_key_share(&key_share.algorithm, &key_share.peer_key, tls->ctx->key_exchanges, &src, end, 0)) != 0) |
4518 | 595 | goto Exit; |
4519 | 595 | }); |
4520 | 595 | } |
4521 | | |
4522 | 637 | if (!is_second_flight) { |
4523 | 613 | if (ch->cookie.all.len != 0 && key_share.algorithm != NULL) { |
4524 | |
|
4525 | 0 | { /* use cookie to check the integrity of the handshake, and update the context */ |
4526 | 0 | uint8_t sig[PTLS_MAX_DIGEST_SIZE]; |
4527 | 0 | size_t sigsize = tls->ctx->cipher_suites[0]->hash->digest_size; |
4528 | 0 | if ((ret = calc_cookie_signature(tls, properties, key_share.algorithm, ch->cookie.tbs, sig)) != 0) |
4529 | 0 | goto Exit; |
4530 | 0 | if (!(ch->cookie.signature.len == sigsize && ptls_mem_equal(ch->cookie.signature.base, sig, sigsize))) { |
4531 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
4532 | 0 | goto Exit; |
4533 | 0 | } |
4534 | 0 | } |
4535 | | /* integrity check passed; update states */ |
4536 | 0 | key_schedule_update_ch1hash_prefix(tls->key_schedule); |
4537 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, ch->cookie.ch1_hash.base, ch->cookie.ch1_hash.len, 0); |
4538 | 0 | key_schedule_extract(tls->key_schedule, |
4539 | 0 | tls->ctx->pre_shared_key.secret /* this argument will be a zero-length vector unless external PSK |
4540 | 0 | is used, and that's fine; we never resume when sending HRR */); |
4541 | | /* ... reusing sendbuf to rebuild HRR for hash calculation */ |
4542 | 0 | size_t hrr_start = emitter->buf->off; |
4543 | 0 | EMIT_HELLO_RETRY_REQUEST(tls->key_schedule, ch->cookie.sent_key_share ? key_share.algorithm : NULL, |
4544 | 0 | { |
4545 | 0 | buffer_push_extension(emitter->buf, PTLS_EXTENSION_TYPE_COOKIE, { |
4546 | 0 | ptls_buffer_pushv(emitter->buf, ch->cookie.all.base, ch->cookie.all.len); |
4547 | 0 | }); |
4548 | 0 | }, |
4549 | 0 | {}); |
4550 | 0 | emitter->buf->off = hrr_start; |
4551 | 0 | is_second_flight = 1; |
4552 | |
|
4553 | 613 | } else if (ch->key_shares.base != NULL && tls->ctx->key_exchanges != NULL && |
4554 | 613 | (key_share.algorithm == NULL || (properties != NULL && properties->server.enforce_retry))) { |
4555 | | /* send HelloRetryRequest, when trying to negotiate the key share but enforced by config or upon key-share mismatch */ |
4556 | 225 | if (ch->negotiated_groups.base == NULL) { |
4557 | 5 | ret = PTLS_ALERT_MISSING_EXTENSION; |
4558 | 5 | goto Exit; |
4559 | 5 | } |
4560 | 220 | ptls_key_exchange_algorithm_t *negotiated_group; |
4561 | 220 | if ((ret = select_negotiated_group(&negotiated_group, tls->ctx->key_exchanges, ch->negotiated_groups.base, |
4562 | 220 | ch->negotiated_groups.base + ch->negotiated_groups.len)) != 0) |
4563 | 59 | goto Exit; |
4564 | 161 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
4565 | 161 | assert(tls->key_schedule->generation == 0); |
4566 | | |
4567 | | /* Either send a stateless retry (w. cookies) or a stateful one. When sending the latter, run the state machine. At the |
4568 | | * moment, stateless retry is disabled when ECH is used (do we need to support it?). */ |
4569 | 161 | int retry_uses_cookie = |
4570 | 161 | properties != NULL && properties->server.retry_uses_cookie && !ptls_is_ech_handshake(tls, NULL, NULL, NULL); |
4571 | 161 | if (!retry_uses_cookie) { |
4572 | 161 | key_schedule_transform_post_ch1hash(tls->key_schedule); |
4573 | 161 | key_schedule_extract(tls->key_schedule, tls->ctx->pre_shared_key.secret /* see comment above */); |
4574 | 161 | } |
4575 | 161 | size_t ech_confirm_off = 0; |
4576 | 161 | EMIT_HELLO_RETRY_REQUEST( |
4577 | 161 | tls->key_schedule, key_share.algorithm != NULL ? NULL : negotiated_group, |
4578 | 161 | { |
4579 | 161 | ptls_buffer_t *sendbuf = emitter->buf; |
4580 | 161 | if (ptls_is_ech_handshake(tls, NULL, NULL, NULL)) { |
4581 | 161 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, { |
4582 | 161 | if ((ret = ptls_buffer_reserve(sendbuf, PTLS_ECH_CONFIRM_LENGTH)) != 0) |
4583 | 161 | goto Exit; |
4584 | 161 | memset(sendbuf->base + sendbuf->off, 0, PTLS_ECH_CONFIRM_LENGTH); |
4585 | 161 | ech_confirm_off = sendbuf->off; |
4586 | 161 | sendbuf->off += PTLS_ECH_CONFIRM_LENGTH; |
4587 | 161 | }); |
4588 | 161 | } |
4589 | 161 | if (retry_uses_cookie) { |
4590 | 161 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_COOKIE, { |
4591 | 161 | ptls_buffer_push_block(sendbuf, 2, { |
4592 | | /* push to-be-signed data */ |
4593 | 161 | size_t tbs_start = sendbuf->off; |
4594 | 161 | ptls_buffer_push_block(sendbuf, 2, { |
4595 | | /* first block of the cookie data is the hash(ch1) */ |
4596 | 161 | ptls_buffer_push_block(sendbuf, 1, { |
4597 | 161 | size_t sz = tls->cipher_suite->hash->digest_size; |
4598 | 161 | if ((ret = ptls_buffer_reserve(sendbuf, sz)) != 0) |
4599 | 161 | goto Exit; |
4600 | 161 | key_schedule_extract_ch1hash(tls->key_schedule, sendbuf->base + sendbuf->off); |
4601 | 161 | sendbuf->off += sz; |
4602 | 161 | }); |
4603 | | /* second is if we have sent key_share extension */ |
4604 | 161 | ptls_buffer_push(sendbuf, key_share.algorithm == NULL); |
4605 | | /* we can add more data here */ |
4606 | 161 | }); |
4607 | 161 | size_t tbs_len = sendbuf->off - tbs_start; |
4608 | | /* push the signature */ |
4609 | 161 | ptls_buffer_push_block(sendbuf, 1, { |
4610 | 161 | size_t sz = tls->ctx->cipher_suites[0]->hash->digest_size; |
4611 | 161 | if ((ret = ptls_buffer_reserve(sendbuf, sz)) != 0) |
4612 | 161 | goto Exit; |
4613 | 161 | if ((ret = calc_cookie_signature(tls, properties, negotiated_group, |
4614 | 161 | ptls_iovec_init(sendbuf->base + tbs_start, tbs_len), |
4615 | 161 | sendbuf->base + sendbuf->off)) != 0) |
4616 | 161 | goto Exit; |
4617 | 161 | sendbuf->off += sz; |
4618 | 161 | }); |
4619 | 161 | }); |
4620 | 161 | }); |
4621 | 161 | } |
4622 | 161 | }, |
4623 | 161 | { |
4624 | 161 | if (ech_confirm_off != 0 && |
4625 | 161 | (ret = ech_calc_confirmation( |
4626 | 161 | tls->key_schedule, emitter->buf->base + ech_confirm_off, tls->ech.inner_client_random, |
4627 | 161 | ECH_CONFIRMATION_HRR, |
4628 | 161 | ptls_iovec_init(emitter->buf->base + sh_start_off, emitter->buf->off - sh_start_off))) != 0) |
4629 | 161 | goto Exit; |
4630 | 161 | }); |
4631 | 161 | if (retry_uses_cookie) { |
4632 | 0 | if ((ret = push_change_cipher_spec(tls, emitter)) != 0) |
4633 | 0 | goto Exit; |
4634 | 0 | ret = PTLS_ERROR_STATELESS_RETRY; |
4635 | 161 | } else { |
4636 | 161 | tls->state = PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO; |
4637 | 161 | if (ch->psk.early_data_indication) |
4638 | 82 | tls->server.early_data_skipped_bytes = 0; |
4639 | 161 | ret = PTLS_ERROR_IN_PROGRESS; |
4640 | 161 | } |
4641 | 161 | goto Exit; |
4642 | 161 | } |
4643 | 613 | } |
4644 | | |
4645 | | /* handle unknown extensions */ |
4646 | 412 | if ((ret = report_unknown_extensions(tls, properties, ch->unknown_extensions)) != 0) |
4647 | 0 | goto Exit; |
4648 | | |
4649 | | /* try psk handshake */ |
4650 | 412 | if (ch->psk.hash_end != 0 && (ch->psk.ke_modes & ((1u << PTLS_PSK_KE_MODE_PSK) | (1u << PTLS_PSK_KE_MODE_PSK_DHE))) != 0 && |
4651 | 412 | !tls->ctx->require_client_authentication && |
4652 | 412 | ((!is_second_flight && tls->ctx->encrypt_ticket != NULL) || tls->ctx->pre_shared_key.identity.base != NULL)) { |
4653 | 125 | if ((ret = try_psk_handshake(tls, &psk_index, &accept_early_data, ch, |
4654 | 125 | ptls_iovec_init(message.base, ch->psk.hash_end - message.base), is_second_flight)) != 0) { |
4655 | 1 | goto Exit; |
4656 | 1 | } |
4657 | 125 | } |
4658 | | |
4659 | | /* If the server was setup to use an external PSK but failed to agree, abort the handshake. Because external PSK is a form of |
4660 | | * mutual authentication, it makes sense to abort (at least as the default). */ |
4661 | 411 | if (tls->ctx->pre_shared_key.identity.base != NULL && psk_index == SIZE_MAX) { |
4662 | 0 | ret = PTLS_ALERT_UNKNOWN_PSK_IDENTITY; |
4663 | 0 | goto Exit; |
4664 | 0 | } |
4665 | | |
4666 | | /* If client authentication is enabled, we always force a full handshake. |
4667 | | * TODO: Check for `post_handshake_auth` extension and if that is present, do not force full handshake! |
4668 | | * Remove also the check `!require_client_authentication` above. |
4669 | | * |
4670 | | * adjust key_schedule, determine handshake mode |
4671 | | */ |
4672 | 411 | if (psk_index == SIZE_MAX || tls->ctx->require_client_authentication) { |
4673 | 411 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
4674 | 411 | if (!is_second_flight) { |
4675 | 387 | assert(tls->key_schedule->generation == 0); |
4676 | 387 | key_schedule_extract(tls->key_schedule, ptls_iovec_init(NULL, 0)); |
4677 | 387 | } |
4678 | 411 | mode = HANDSHAKE_MODE_FULL; |
4679 | 411 | if (properties != NULL) |
4680 | 411 | properties->server.selected_psk_binder.len = 0; |
4681 | 411 | } else { |
4682 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, ch->psk.hash_end, message.base + message.len - ch->psk.hash_end, 0); |
4683 | 0 | if ((ch->psk.ke_modes & (1u << PTLS_PSK_KE_MODE_PSK)) != 0) { |
4684 | 0 | mode = HANDSHAKE_MODE_PSK; |
4685 | 0 | } else { |
4686 | 0 | assert((ch->psk.ke_modes & (1u << PTLS_PSK_KE_MODE_PSK_DHE)) != 0); |
4687 | 0 | mode = HANDSHAKE_MODE_PSK_DHE; |
4688 | 0 | } |
4689 | 0 | tls->is_psk_handshake = 1; |
4690 | 0 | if (properties != NULL) { |
4691 | 0 | ptls_iovec_t *selected = &ch->psk.identities.list[psk_index].binder; |
4692 | 0 | memcpy(properties->server.selected_psk_binder.base, selected->base, selected->len); |
4693 | 0 | properties->server.selected_psk_binder.len = selected->len; |
4694 | 0 | } |
4695 | 0 | } |
4696 | | |
4697 | | /* determine number of tickets to send */ |
4698 | 411 | if (ch->psk.ke_modes != 0 && tls->ctx->ticket_lifetime != 0) { |
4699 | 195 | if (ch->ticket_request.new_session_count != 0) { |
4700 | 28 | tls->server.num_tickets_to_send = |
4701 | 28 | tls->is_psk_handshake ? ch->ticket_request.resumption_count : ch->ticket_request.new_session_count; |
4702 | 167 | } else { |
4703 | 167 | tls->server.num_tickets_to_send = 1; |
4704 | 167 | } |
4705 | 195 | uint8_t max_tickets = tls->ctx->ticket_requests.server.max_count; |
4706 | 195 | if (max_tickets == 0) |
4707 | 195 | max_tickets = PTLS_DEFAULT_MAX_TICKETS_TO_SERVE; |
4708 | 195 | if (tls->server.num_tickets_to_send > max_tickets) |
4709 | 23 | tls->server.num_tickets_to_send = max_tickets; |
4710 | 216 | } else { |
4711 | 216 | tls->server.num_tickets_to_send = 0; |
4712 | 216 | } |
4713 | | |
4714 | 411 | if (accept_early_data && tls->ctx->max_early_data_size != 0 && psk_index == 0) { |
4715 | 0 | if ((tls->pending_handshake_secret = malloc(PTLS_MAX_DIGEST_SIZE)) == NULL) { |
4716 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
4717 | 0 | goto Exit; |
4718 | 0 | } |
4719 | 0 | if ((ret = derive_exporter_secret(tls, 1)) != 0) |
4720 | 0 | goto Exit; |
4721 | 0 | if ((ret = setup_traffic_protection(tls, 0, "c e traffic", 1, 0, 0)) != 0) |
4722 | 0 | goto Exit; |
4723 | 0 | } |
4724 | | |
4725 | | /* run key-exchange, to obtain pubkey and secret */ |
4726 | 411 | if (mode != HANDSHAKE_MODE_PSK) { |
4727 | 411 | if (key_share.algorithm == NULL) { |
4728 | 129 | ret = ch->key_shares.base != NULL ? PTLS_ALERT_HANDSHAKE_FAILURE : PTLS_ALERT_MISSING_EXTENSION; |
4729 | 129 | goto Exit; |
4730 | 129 | } |
4731 | 282 | if ((ret = key_share.algorithm->exchange(key_share.algorithm, &pubkey, &ecdh_secret, key_share.peer_key)) != 0) { |
4732 | 6 | assert(pubkey.base == NULL); |
4733 | 6 | assert(ecdh_secret.base == NULL); |
4734 | 6 | goto Exit; |
4735 | 6 | } |
4736 | 276 | tls->key_share = key_share.algorithm; |
4737 | 276 | } |
4738 | | |
4739 | 276 | { /* send ServerHello */ |
4740 | 276 | size_t ech_confirm_off = 0; |
4741 | 276 | EMIT_SERVER_HELLO( |
4742 | 276 | tls->key_schedule, |
4743 | 276 | { |
4744 | 276 | tls->ctx->random_bytes(emitter->buf->base + emitter->buf->off, PTLS_HELLO_RANDOM_SIZE); |
4745 | | /* when accepting CHInner, last 8 byte of SH.random is zero for the handshake transcript */ |
4746 | 276 | if (ptls_is_ech_handshake(tls, NULL, NULL, NULL)) { |
4747 | 276 | ech_confirm_off = emitter->buf->off + PTLS_HELLO_RANDOM_SIZE - PTLS_ECH_CONFIRM_LENGTH; |
4748 | 276 | memset(emitter->buf->base + ech_confirm_off, 0, PTLS_ECH_CONFIRM_LENGTH); |
4749 | 276 | } |
4750 | 276 | }, |
4751 | 276 | { |
4752 | 276 | ptls_buffer_t *sendbuf = emitter->buf; |
4753 | 276 | if (mode != HANDSHAKE_MODE_PSK) { |
4754 | 276 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_KEY_SHARE, { |
4755 | 276 | ptls_buffer_push16(sendbuf, key_share.algorithm->id); |
4756 | 276 | ptls_buffer_push_block(sendbuf, 2, { ptls_buffer_pushv(sendbuf, pubkey.base, pubkey.len); }); |
4757 | 276 | }); |
4758 | 276 | } |
4759 | 276 | if (mode != HANDSHAKE_MODE_FULL) { |
4760 | 276 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_PRE_SHARED_KEY, |
4761 | 276 | { ptls_buffer_push16(sendbuf, (uint16_t)psk_index); }); |
4762 | 276 | } |
4763 | 276 | }, |
4764 | 276 | { |
4765 | 276 | if (ech_confirm_off != 0 && |
4766 | 276 | (ret = ech_calc_confirmation( |
4767 | 276 | tls->key_schedule, emitter->buf->base + ech_confirm_off, tls->ech.inner_client_random, |
4768 | 276 | ECH_CONFIRMATION_SERVER_HELLO, |
4769 | 276 | ptls_iovec_init(emitter->buf->base + sh_start_off, emitter->buf->off - sh_start_off))) != 0) |
4770 | 276 | goto Exit; |
4771 | 276 | }); |
4772 | 276 | } |
4773 | | |
4774 | | /* processing of ECH is complete; dispose state */ |
4775 | 276 | clear_ech(&tls->ech, 1); |
4776 | | |
4777 | 276 | if ((ret = push_change_cipher_spec(tls, emitter)) != 0) |
4778 | 0 | goto Exit; |
4779 | | |
4780 | | /* create protection contexts for the handshake */ |
4781 | 276 | assert(tls->key_schedule->generation == 1); |
4782 | 276 | key_schedule_extract(tls->key_schedule, ecdh_secret); |
4783 | 276 | if ((ret = setup_traffic_protection(tls, 1, "s hs traffic", 2, 0, 0)) != 0) |
4784 | 0 | goto Exit; |
4785 | 276 | if (tls->pending_handshake_secret != NULL) { |
4786 | 0 | if ((ret = derive_secret(tls->key_schedule, tls->pending_handshake_secret, "c hs traffic")) != 0) |
4787 | 0 | goto Exit; |
4788 | 0 | if (tls->ctx->update_traffic_key != NULL && |
4789 | 0 | (ret = tls->ctx->update_traffic_key->cb(tls->ctx->update_traffic_key, tls, 0, 2, tls->pending_handshake_secret)) != 0) |
4790 | 0 | goto Exit; |
4791 | 276 | } else { |
4792 | 276 | if ((ret = setup_traffic_protection(tls, 0, "c hs traffic", 2, 0, 0)) != 0) |
4793 | 0 | goto Exit; |
4794 | 276 | if (ch->psk.early_data_indication) |
4795 | 61 | tls->server.early_data_skipped_bytes = 0; |
4796 | 276 | } |
4797 | | |
4798 | | /* send EncryptedExtensions */ |
4799 | 276 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS, { |
4800 | 276 | ptls_buffer_t *sendbuf = emitter->buf; |
4801 | 276 | ptls_buffer_push_block(sendbuf, 2, { |
4802 | 276 | if (tls->server_name != NULL) { |
4803 | | /* In this event, the server SHALL include an extension of type "server_name" in the (extended) server hello. |
4804 | | * The "extension_data" field of this extension SHALL be empty. (RFC 6066 section 3) */ |
4805 | 276 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_NAME, {}); |
4806 | 276 | } |
4807 | 276 | if (tls->ctx->use_raw_public_keys) { |
4808 | 276 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE, |
4809 | 276 | { ptls_buffer_push(sendbuf, PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY); }); |
4810 | 276 | } |
4811 | 276 | if (tls->negotiated_protocol != NULL) { |
4812 | 276 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ALPN, { |
4813 | 276 | ptls_buffer_push_block(sendbuf, 2, { |
4814 | 276 | ptls_buffer_push_block(sendbuf, 1, { |
4815 | 276 | ptls_buffer_pushv(sendbuf, tls->negotiated_protocol, strlen(tls->negotiated_protocol)); |
4816 | 276 | }); |
4817 | 276 | }); |
4818 | 276 | }); |
4819 | 276 | } |
4820 | 276 | if (tls->pending_handshake_secret != NULL) |
4821 | 276 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_EARLY_DATA, {}); |
4822 | | /* send ECH retry_configs, if ECH was offered by rejected, even though we (the server) could have accepted ECH */ |
4823 | 276 | if (tls->ech.offered && !ptls_is_ech_handshake(tls, NULL, NULL, NULL) && tls->ctx->ech.server.create_opener != NULL && |
4824 | 276 | tls->ctx->ech.server.retry_configs.len != 0) |
4825 | 276 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_CLIENT_HELLO, { |
4826 | 276 | ptls_buffer_pushv(sendbuf, tls->ctx->ech.server.retry_configs.base, tls->ctx->ech.server.retry_configs.len); |
4827 | 276 | }); |
4828 | 276 | if (ch->ticket_request.new_session_count != 0 && tls->server.num_tickets_to_send != 0) |
4829 | 276 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_TICKET_REQUEST, |
4830 | 276 | { ptls_buffer_push(sendbuf, tls->server.num_tickets_to_send); }); |
4831 | 276 | if ((ret = push_additional_extensions(properties, sendbuf)) != 0) |
4832 | 276 | goto Exit; |
4833 | 276 | }); |
4834 | 276 | }); |
4835 | | |
4836 | 276 | if (mode == HANDSHAKE_MODE_FULL) { |
4837 | | /* send certificate request if client authentication is activated */ |
4838 | 276 | if (tls->ctx->require_client_authentication) { |
4839 | 0 | ptls_push_message(emitter, tls->key_schedule, PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST, { |
4840 | 0 | ptls_buffer_t *sendbuf = emitter->buf; |
4841 | | /* certificate_request_context: this field SHALL be zero length, unless the certificate request is used for post- |
4842 | | * handshake authentication. */ |
4843 | 0 | ptls_buffer_push(sendbuf, 0); |
4844 | | /* extensions */ |
4845 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4846 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SIGNATURE_ALGORITHMS, { |
4847 | 0 | if ((ret = push_signature_algorithms(tls->ctx->verify_certificate, sendbuf)) != 0) |
4848 | 0 | goto Exit; |
4849 | 0 | }); |
4850 | | /* certificate authorities entension */ |
4851 | 0 | if (tls->ctx->client_ca_names.count > 0) { |
4852 | 0 | buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_CERTIFICATE_AUTHORITIES, { |
4853 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4854 | 0 | for (size_t i = 0; i != tls->ctx->client_ca_names.count; ++i) { |
4855 | 0 | ptls_buffer_push_block(sendbuf, 2, { |
4856 | 0 | ptls_iovec_t name = tls->ctx->client_ca_names.list[i]; |
4857 | 0 | ptls_buffer_pushv(sendbuf, name.base, name.len); |
4858 | 0 | }); |
4859 | 0 | } |
4860 | 0 | }); |
4861 | 0 | }); |
4862 | 0 | } |
4863 | 0 | }); |
4864 | 0 | }); |
4865 | | |
4866 | 0 | if (ret != 0) { |
4867 | 0 | goto Exit; |
4868 | 0 | } |
4869 | 0 | } |
4870 | | |
4871 | | /* send certificate */ |
4872 | 276 | if ((ret = send_certificate(tls, emitter, &ch->signature_algorithms, ptls_iovec_init(NULL, 0), ch->status_request, |
4873 | 276 | ch->cert_compression_algos.list, ch->cert_compression_algos.count)) != 0) |
4874 | 14 | goto Exit; |
4875 | | /* send certificateverify, finished, and complete the handshake */ |
4876 | 262 | if ((ret = server_finish_handshake(tls, emitter, 1, &ch->signature_algorithms)) != 0) |
4877 | 0 | goto Exit; |
4878 | 262 | } else { |
4879 | | /* send finished, and complete the handshake */ |
4880 | 0 | if ((ret = server_finish_handshake(tls, emitter, 0, NULL)) != 0) |
4881 | 0 | goto Exit; |
4882 | 0 | } |
4883 | | |
4884 | 1.97k | Exit: |
4885 | 1.97k | free(pubkey.base); |
4886 | 1.97k | if (ecdh_secret.base != NULL) { |
4887 | 276 | ptls_clear_memory(ecdh_secret.base, ecdh_secret.len); |
4888 | 276 | free(ecdh_secret.base); |
4889 | 276 | } |
4890 | 1.97k | free(ech.encoded_ch_inner); |
4891 | 1.97k | free(ech.ch_outer_aad); |
4892 | 1.97k | ptls_buffer_dispose(&ech.ch_inner); |
4893 | 1.97k | free(ch); |
4894 | 1.97k | return ret; |
4895 | | |
4896 | 276 | #undef EMIT_SERVER_HELLO |
4897 | 276 | #undef EMIT_HELLO_RETRY_REQUEST |
4898 | 276 | } |
4899 | | |
4900 | | static int server_finish_handshake(ptls_t *tls, ptls_message_emitter_t *emitter, int send_cert_verify, |
4901 | | struct st_ptls_signature_algorithms_t *signature_algorithms) |
4902 | 262 | { |
4903 | 262 | int ret; |
4904 | | |
4905 | 262 | if (send_cert_verify) { |
4906 | 262 | if ((ret = send_certificate_verify(tls, emitter, signature_algorithms, PTLS_SERVER_CERTIFICATE_VERIFY_CONTEXT_STRING)) != |
4907 | 262 | 0) { |
4908 | 0 | if (ret == PTLS_ERROR_ASYNC_OPERATION) { |
4909 | 0 | tls->state = PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY; |
4910 | 0 | } |
4911 | 0 | goto Exit; |
4912 | 0 | } |
4913 | 262 | } |
4914 | | |
4915 | 262 | if ((ret = send_finished(tls, emitter)) != 0) |
4916 | 0 | goto Exit; |
4917 | | |
4918 | 262 | assert(tls->key_schedule->generation == 2); |
4919 | 262 | if ((ret = key_schedule_extract(tls->key_schedule, ptls_iovec_init(NULL, 0))) != 0) |
4920 | 0 | goto Exit; |
4921 | 262 | if ((ret = setup_traffic_protection(tls, 1, "s ap traffic", 3, 0, 0)) != 0) |
4922 | 0 | goto Exit; |
4923 | 262 | if ((ret = derive_secret(tls->key_schedule, tls->server.pending_traffic_secret, "c ap traffic")) != 0) |
4924 | 0 | goto Exit; |
4925 | 262 | if ((ret = derive_exporter_secret(tls, 0)) != 0) |
4926 | 0 | goto Exit; |
4927 | | |
4928 | 262 | if (tls->pending_handshake_secret != NULL) { |
4929 | 0 | if (tls->ctx->omit_end_of_early_data) { |
4930 | 0 | if ((ret = commission_handshake_secret(tls)) != 0) |
4931 | 0 | goto Exit; |
4932 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
4933 | 0 | } else { |
4934 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA; |
4935 | 0 | } |
4936 | 262 | } else if (tls->ctx->require_client_authentication) { |
4937 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_CERTIFICATE; |
4938 | 262 | } else { |
4939 | 262 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
4940 | 262 | } |
4941 | | |
4942 | | /* send session ticket if necessary */ |
4943 | 262 | if (tls->server.num_tickets_to_send != 0) { |
4944 | 75 | assert(tls->ctx->ticket_lifetime != 0); |
4945 | 188 | for (uint8_t i = 0; i < tls->server.num_tickets_to_send; ++i) |
4946 | 113 | if ((ret = send_session_ticket(tls, emitter)) != 0) |
4947 | 0 | goto Exit; |
4948 | 75 | } |
4949 | | |
4950 | 262 | if (tls->ctx->require_client_authentication) { |
4951 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
4952 | 262 | } else { |
4953 | 262 | ret = 0; |
4954 | 262 | } |
4955 | | |
4956 | 262 | Exit: |
4957 | 262 | return ret; |
4958 | 262 | } |
4959 | | |
4960 | | static int server_handle_end_of_early_data(ptls_t *tls, ptls_iovec_t message) |
4961 | 0 | { |
4962 | 0 | int ret; |
4963 | |
|
4964 | 0 | if ((ret = commission_handshake_secret(tls)) != 0) |
4965 | 0 | goto Exit; |
4966 | | |
4967 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
4968 | 0 | tls->state = PTLS_STATE_SERVER_EXPECT_FINISHED; |
4969 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
4970 | |
|
4971 | 0 | Exit: |
4972 | 0 | return ret; |
4973 | 0 | } |
4974 | | |
4975 | | static int server_handle_finished(ptls_t *tls, ptls_iovec_t message) |
4976 | 16 | { |
4977 | 16 | int ret; |
4978 | | |
4979 | 16 | if ((ret = verify_finished(tls, message)) != 0) |
4980 | 16 | return ret; |
4981 | | |
4982 | 0 | memcpy(tls->traffic_protection.dec.secret, tls->server.pending_traffic_secret, sizeof(tls->server.pending_traffic_secret)); |
4983 | 0 | ptls_clear_memory(tls->server.pending_traffic_secret, sizeof(tls->server.pending_traffic_secret)); |
4984 | 0 | if ((ret = setup_traffic_protection(tls, 0, NULL, 3, 0, 0)) != 0) |
4985 | 0 | return ret; |
4986 | | |
4987 | 0 | ptls__key_schedule_update_hash(tls->key_schedule, message.base, message.len, 0); |
4988 | |
|
4989 | 0 | tls->state = PTLS_STATE_SERVER_POST_HANDSHAKE; |
4990 | 0 | return 0; |
4991 | 0 | } |
4992 | | |
4993 | | static int update_traffic_key(ptls_t *tls, int is_enc) |
4994 | 0 | { |
4995 | 0 | struct st_ptls_traffic_protection_t *tp = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
4996 | 0 | uint8_t secret[PTLS_MAX_DIGEST_SIZE]; |
4997 | 0 | int ret; |
4998 | |
|
4999 | 0 | ptls_hash_algorithm_t *hash = tls->key_schedule->hashes[0].algo; |
5000 | 0 | if ((ret = ptls_hkdf_expand_label(hash, secret, hash->digest_size, ptls_iovec_init(tp->secret, hash->digest_size), |
5001 | 0 | "traffic upd", ptls_iovec_init(NULL, 0), NULL)) != 0) |
5002 | 0 | goto Exit; |
5003 | 0 | memcpy(tp->secret, secret, sizeof(secret)); |
5004 | 0 | ret = setup_traffic_protection(tls, is_enc, NULL, 3, 0, 1); |
5005 | |
|
5006 | 0 | Exit: |
5007 | 0 | ptls_clear_memory(secret, sizeof(secret)); |
5008 | 0 | return ret; |
5009 | 0 | } |
5010 | | |
5011 | | static int handle_key_update(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message) |
5012 | 0 | { |
5013 | 0 | const uint8_t *src = message.base + PTLS_HANDSHAKE_HEADER_SIZE, *const end = message.base + message.len; |
5014 | 0 | int ret; |
5015 | | |
5016 | | /* validate */ |
5017 | 0 | if (end - src != 1 || *src > 1) |
5018 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5019 | | |
5020 | | /* update receive key */ |
5021 | 0 | if ((ret = update_traffic_key(tls, 0)) != 0) |
5022 | 0 | return ret; |
5023 | | |
5024 | 0 | if (*src) { |
5025 | 0 | if (tls->ctx->update_traffic_key != NULL) |
5026 | 0 | return PTLS_ALERT_UNEXPECTED_MESSAGE; |
5027 | 0 | tls->needs_key_update = 1; |
5028 | 0 | } |
5029 | | |
5030 | 0 | return 0; |
5031 | 0 | } |
5032 | | |
5033 | | static int parse_record_header(struct st_ptls_record_t *rec, const uint8_t *src) |
5034 | 108k | { |
5035 | 108k | rec->type = src[0]; |
5036 | 108k | rec->version = ntoh16(src + 1); |
5037 | 108k | rec->length = ntoh16(src + 3); |
5038 | | |
5039 | 108k | if (rec->length > |
5040 | 108k | (size_t)(rec->type == PTLS_CONTENT_TYPE_APPDATA ? PTLS_MAX_ENCRYPTED_RECORD_SIZE : PTLS_MAX_PLAINTEXT_RECORD_SIZE)) |
5041 | 9 | return PTLS_ALERT_DECODE_ERROR; |
5042 | | |
5043 | 108k | return 0; |
5044 | 108k | } |
5045 | | |
5046 | | static int parse_record(ptls_t *tls, struct st_ptls_record_t *rec, const uint8_t *src, size_t *len) |
5047 | 108k | { |
5048 | 108k | int ret; |
5049 | | |
5050 | 108k | assert(*len != 0); |
5051 | | |
5052 | | /* Check if the first byte is something that we can handle, otherwise do not bother parsing / buffering the entire record as it |
5053 | | * is obviously broken. SSL 2.0 handshakes fall into this path as well. */ |
5054 | 108k | if (tls->recvbuf.rec.base == NULL) { |
5055 | 108k | uint8_t type = src[0]; |
5056 | 108k | switch (type) { |
5057 | 645 | case PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC: |
5058 | 747 | case PTLS_CONTENT_TYPE_ALERT: |
5059 | 96.0k | case PTLS_CONTENT_TYPE_HANDSHAKE: |
5060 | 108k | case PTLS_CONTENT_TYPE_APPDATA: |
5061 | 108k | break; |
5062 | 115 | default: |
5063 | 115 | return PTLS_ALERT_DECODE_ERROR; |
5064 | 108k | } |
5065 | 108k | } |
5066 | | |
5067 | 108k | if (tls->recvbuf.rec.base == NULL && *len >= 5) { |
5068 | | /* fast path */ |
5069 | 108k | if ((ret = parse_record_header(rec, src)) != 0) |
5070 | 9 | return ret; |
5071 | 108k | if (5 + rec->length <= *len) { |
5072 | 107k | rec->fragment = src + 5; |
5073 | 107k | *len = rec->length + 5; |
5074 | 107k | return 0; |
5075 | 107k | } |
5076 | 108k | } |
5077 | | |
5078 | | /* slow path */ |
5079 | 254 | const uint8_t *const end = src + *len; |
5080 | 254 | *rec = (struct st_ptls_record_t){0}; |
5081 | | |
5082 | 254 | if (tls->recvbuf.rec.base == NULL) { |
5083 | 254 | ptls_buffer_init(&tls->recvbuf.rec, "", 0); |
5084 | 254 | if ((ret = ptls_buffer_reserve(&tls->recvbuf.rec, 5)) != 0) |
5085 | 0 | return ret; |
5086 | 254 | } |
5087 | | |
5088 | | /* fill and parse the header */ |
5089 | 1.28k | while (tls->recvbuf.rec.off < 5) { |
5090 | 1.09k | if (src == end) |
5091 | 66 | return PTLS_ERROR_IN_PROGRESS; |
5092 | 1.03k | tls->recvbuf.rec.base[tls->recvbuf.rec.off++] = *src++; |
5093 | 1.03k | } |
5094 | 188 | if ((ret = parse_record_header(rec, tls->recvbuf.rec.base)) != 0) |
5095 | 0 | return ret; |
5096 | | |
5097 | | /* fill the fragment */ |
5098 | 188 | size_t addlen = rec->length + 5 - tls->recvbuf.rec.off; |
5099 | 188 | if (addlen != 0) { |
5100 | 188 | if ((ret = ptls_buffer_reserve(&tls->recvbuf.rec, addlen)) != 0) |
5101 | 0 | return ret; |
5102 | 188 | if (addlen > (size_t)(end - src)) |
5103 | 188 | addlen = end - src; |
5104 | 188 | if (addlen != 0) { |
5105 | 75 | memcpy(tls->recvbuf.rec.base + tls->recvbuf.rec.off, src, addlen); |
5106 | 75 | tls->recvbuf.rec.off += addlen; |
5107 | 75 | src += addlen; |
5108 | 75 | } |
5109 | 188 | } |
5110 | | |
5111 | | /* set rec->fragment if a complete record has been parsed */ |
5112 | 188 | if (tls->recvbuf.rec.off == rec->length + 5) { |
5113 | 0 | rec->fragment = tls->recvbuf.rec.base + 5; |
5114 | 0 | ret = 0; |
5115 | 188 | } else { |
5116 | 188 | ret = PTLS_ERROR_IN_PROGRESS; |
5117 | 188 | } |
5118 | | |
5119 | 188 | *len -= end - src; |
5120 | 188 | return ret; |
5121 | 188 | } |
5122 | | |
5123 | | static void update_open_count(ptls_context_t *ctx, ssize_t delta) |
5124 | 8.81k | { |
5125 | 8.81k | if (ctx->update_open_count != NULL) |
5126 | 0 | ctx->update_open_count->cb(ctx->update_open_count, delta); |
5127 | 8.81k | } |
5128 | | |
5129 | | static ptls_t *new_instance(ptls_context_t *ctx, int is_server) |
5130 | 4.40k | { |
5131 | 4.40k | ptls_t *tls; |
5132 | | |
5133 | | /* check consistency of `ptls_context_t` before instantiating a connection object */ |
5134 | 4.40k | assert(ctx->get_time != NULL && "please set ctx->get_time to `&ptls_get_time`; see #92"); |
5135 | 4.40k | if (ctx->pre_shared_key.identity.base != NULL) { |
5136 | 0 | assert(ctx->pre_shared_key.identity.len != 0 && ctx->pre_shared_key.secret.base != NULL && |
5137 | 0 | ctx->pre_shared_key.secret.len != 0 && ctx->pre_shared_key.hash != NULL && |
5138 | 0 | "`ptls_context_t::pre_shared_key` in incosistent state"); |
5139 | 4.40k | } else { |
5140 | 4.40k | assert(ctx->pre_shared_key.identity.len == 0 && ctx->pre_shared_key.secret.base == NULL && |
5141 | 4.40k | ctx->pre_shared_key.secret.len == 0 && ctx->pre_shared_key.hash == NULL && |
5142 | 4.40k | "`ptls_context_t::pre_shared_key` in inconsitent state"); |
5143 | 4.40k | } |
5144 | | |
5145 | 4.40k | if ((tls = malloc(sizeof(*tls))) == NULL) |
5146 | 0 | return NULL; |
5147 | | |
5148 | 4.40k | update_open_count(ctx, 1); |
5149 | 4.40k | *tls = (ptls_t){ctx}; |
5150 | 4.40k | tls->is_server = is_server; |
5151 | 4.40k | tls->send_change_cipher_spec = ctx->send_change_cipher_spec; |
5152 | | |
5153 | 4.40k | #if PTLS_HAVE_LOG |
5154 | 4.40k | if (ptls_log_conn_state_override != NULL) { |
5155 | 0 | tls->log_state = *ptls_log_conn_state_override; |
5156 | 4.40k | } else { |
5157 | 4.40k | ptls_log_init_conn_state(&tls->log_state, ctx->random_bytes); |
5158 | 4.40k | } |
5159 | 4.40k | #endif |
5160 | | |
5161 | 4.40k | return tls; |
5162 | 4.40k | } |
5163 | | |
5164 | | ptls_t *ptls_client_new(ptls_context_t *ctx) |
5165 | 2.21k | { |
5166 | 2.21k | ptls_t *tls = new_instance(ctx, 0); |
5167 | 2.21k | tls->state = PTLS_STATE_CLIENT_HANDSHAKE_START; |
5168 | 2.21k | tls->ctx->random_bytes(tls->client_random, sizeof(tls->client_random)); |
5169 | 2.21k | log_client_random(tls); |
5170 | 2.21k | if (tls->send_change_cipher_spec) { |
5171 | 0 | tls->client.legacy_session_id = |
5172 | 0 | ptls_iovec_init(tls->client.legacy_session_id_buf, sizeof(tls->client.legacy_session_id_buf)); |
5173 | 0 | tls->ctx->random_bytes(tls->client.legacy_session_id.base, tls->client.legacy_session_id.len); |
5174 | 0 | } |
5175 | | |
5176 | 2.21k | PTLS_PROBE(NEW, tls, 0); |
5177 | 2.21k | PTLS_LOG_CONN(new, tls, { PTLS_LOG_ELEMENT_BOOL(is_server, 0); }); |
5178 | 0 | return tls; |
5179 | 2.21k | } |
5180 | | |
5181 | | ptls_t *ptls_server_new(ptls_context_t *ctx) |
5182 | 2.19k | { |
5183 | 2.19k | ptls_t *tls = new_instance(ctx, 1); |
5184 | 2.19k | tls->state = PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO; |
5185 | 2.19k | tls->server.early_data_skipped_bytes = UINT32_MAX; |
5186 | | |
5187 | 2.19k | PTLS_PROBE(NEW, tls, 1); |
5188 | 2.19k | PTLS_LOG_CONN(new, tls, { PTLS_LOG_ELEMENT_BOOL(is_server, 1); }); |
5189 | 0 | return tls; |
5190 | 2.19k | } |
5191 | | |
5192 | | #define export_tls_params(output, is_server, session_reused, protocol_version, cipher, client_random, server_name, \ |
5193 | | negotiated_protocol, ver_block) \ |
5194 | 0 | do { \ |
5195 | 0 | const char *_server_name = (server_name); \ |
5196 | 0 | ptls_iovec_t _negotiated_protocol = (negotiated_protocol); \ |
5197 | 0 | ptls_buffer_push_block((output), 2, { \ |
5198 | 0 | ptls_buffer_push((output), (is_server)); \ |
5199 | 0 | ptls_buffer_push((output), (session_reused)); \ |
5200 | 0 | ptls_buffer_push16((output), (protocol_version)); \ |
5201 | 0 | ptls_buffer_push16((output), (cipher)->id); \ |
5202 | 0 | ptls_buffer_pushv((output), (client_random), PTLS_HELLO_RANDOM_SIZE); \ |
5203 | 0 | ptls_buffer_push_block((output), 2, { \ |
5204 | 0 | size_t len = _server_name != NULL ? strlen(_server_name) : 0; \ |
5205 | 0 | ptls_buffer_pushv((output), _server_name, len); \ |
5206 | 0 | }); \ |
5207 | 0 | ptls_buffer_push_block((output), 2, \ |
5208 | 0 | { ptls_buffer_pushv((output), _negotiated_protocol.base, _negotiated_protocol.len); }); \ |
5209 | 0 | ptls_buffer_push_block((output), 2, {ver_block}); /* version-specific block */ \ |
5210 | 0 | ptls_buffer_push_block((output), 2, {}); /* for future extensions */ \ |
5211 | 0 | }); \ |
5212 | 0 | } while (0) |
5213 | | |
5214 | | static int export_tls12_params(ptls_buffer_t *output, int is_server, int session_reused, ptls_cipher_suite_t *cipher, |
5215 | | const void *client_random, const char *server_name, ptls_iovec_t negotiated_protocol, |
5216 | | const void *enc_key, const void *enc_iv, uint64_t enc_seq, uint64_t enc_record_iv, |
5217 | | const void *dec_key, const void *dec_iv, uint64_t dec_seq) |
5218 | 0 | { |
5219 | 0 | int ret; |
5220 | |
|
5221 | 0 | export_tls_params(output, is_server, session_reused, PTLS_PROTOCOL_VERSION_TLS12, cipher, client_random, server_name, |
5222 | 0 | negotiated_protocol, { |
5223 | 0 | ptls_buffer_pushv(output, enc_key, cipher->aead->key_size); |
5224 | 0 | ptls_buffer_pushv(output, enc_iv, cipher->aead->tls12.fixed_iv_size); |
5225 | 0 | ptls_buffer_push64(output, enc_seq); |
5226 | 0 | if (cipher->aead->tls12.record_iv_size != 0) |
5227 | 0 | ptls_buffer_push64(output, enc_record_iv); |
5228 | 0 | ptls_buffer_pushv(output, dec_key, cipher->aead->key_size); |
5229 | 0 | ptls_buffer_pushv(output, dec_iv, cipher->aead->tls12.fixed_iv_size); |
5230 | 0 | ptls_buffer_push64(output, dec_seq); |
5231 | 0 | }); |
5232 | 0 | ret = 0; |
5233 | |
|
5234 | 0 | Exit: |
5235 | 0 | return ret; |
5236 | 0 | } |
5237 | | |
5238 | | int ptls_build_tls12_export_params(ptls_context_t *ctx, ptls_buffer_t *output, int is_server, int session_reused, |
5239 | | ptls_cipher_suite_t *cipher, const void *master_secret, const void *hello_randoms, |
5240 | | uint64_t next_send_record_iv, const char *server_name, ptls_iovec_t negotiated_protocol) |
5241 | 0 | { |
5242 | 0 | assert(cipher->aead->tls12.fixed_iv_size + cipher->aead->tls12.record_iv_size != 0 || !"given cipher-suite supports TLS/1.2"); |
5243 | | |
5244 | 0 | uint8_t key_block[(PTLS_MAX_SECRET_SIZE + PTLS_MAX_IV_SIZE) * 2]; |
5245 | 0 | size_t key_block_len = (cipher->aead->key_size + cipher->aead->tls12.fixed_iv_size) * 2; |
5246 | 0 | int ret; |
5247 | |
|
5248 | 0 | assert(key_block_len <= sizeof(key_block)); |
5249 | | |
5250 | | /* generate key block */ |
5251 | 0 | if ((ret = |
5252 | 0 | ptls_tls12_phash(cipher->hash, key_block, key_block_len, ptls_iovec_init(master_secret, PTLS_TLS12_MASTER_SECRET_SIZE), |
5253 | 0 | "key expansion", ptls_iovec_init(hello_randoms, PTLS_HELLO_RANDOM_SIZE * 2))) != 0) |
5254 | 0 | goto Exit; |
5255 | | |
5256 | | /* determine key locations */ |
5257 | 0 | struct { |
5258 | 0 | const void *key; |
5259 | 0 | const void *iv; |
5260 | 0 | } client_secret, server_secret, *enc_secret = is_server ? &server_secret : &client_secret, |
5261 | 0 | *dec_secret = is_server ? &client_secret : &server_secret; |
5262 | 0 | client_secret.key = key_block; |
5263 | 0 | server_secret.key = key_block + cipher->aead->key_size; |
5264 | 0 | client_secret.iv = key_block + cipher->aead->key_size * 2; |
5265 | 0 | server_secret.iv = key_block + cipher->aead->key_size * 2 + cipher->aead->tls12.fixed_iv_size; |
5266 | | |
5267 | | /* Serialize prams. Sequence number of the first application record is 1, because Finished is the only message sent after |
5268 | | * ChangeCipherSpec. */ |
5269 | 0 | ret = export_tls12_params(output, is_server, session_reused, cipher, (uint8_t *)hello_randoms + PTLS_HELLO_RANDOM_SIZE, |
5270 | 0 | server_name, negotiated_protocol, enc_secret->key, enc_secret->iv, 1, next_send_record_iv, |
5271 | 0 | dec_secret->key, dec_secret->iv, 1); |
5272 | |
|
5273 | 0 | Exit: |
5274 | 0 | ptls_clear_memory(key_block, sizeof(key_block)); |
5275 | 0 | return ret; |
5276 | 0 | } |
5277 | | |
5278 | | int ptls_export(ptls_t *tls, ptls_buffer_t *output) |
5279 | 0 | { |
5280 | 0 | ptls_iovec_t negotiated_protocol = |
5281 | 0 | ptls_iovec_init(tls->negotiated_protocol, tls->negotiated_protocol != NULL ? strlen(tls->negotiated_protocol) : 0); |
5282 | 0 | int ret; |
5283 | |
|
5284 | 0 | if (tls->state != PTLS_STATE_SERVER_POST_HANDSHAKE) { |
5285 | 0 | ret = PTLS_ERROR_LIBRARY; |
5286 | 0 | goto Exit; |
5287 | 0 | } |
5288 | | |
5289 | 0 | if (ptls_get_protocol_version(tls) == PTLS_PROTOCOL_VERSION_TLS13) { |
5290 | 0 | export_tls_params(output, tls->is_server, tls->is_psk_handshake, PTLS_PROTOCOL_VERSION_TLS13, tls->cipher_suite, |
5291 | 0 | tls->client_random, tls->server_name, negotiated_protocol, { |
5292 | 0 | ptls_buffer_pushv(output, tls->traffic_protection.enc.secret, tls->cipher_suite->hash->digest_size); |
5293 | 0 | ptls_buffer_push64(output, tls->traffic_protection.enc.seq); |
5294 | 0 | ptls_buffer_pushv(output, tls->traffic_protection.dec.secret, tls->cipher_suite->hash->digest_size); |
5295 | 0 | ptls_buffer_push64(output, tls->traffic_protection.dec.seq); |
5296 | 0 | }); |
5297 | 0 | ret = 0; |
5298 | 0 | } else { |
5299 | 0 | if ((ret = export_tls12_params(output, tls->is_server, tls->is_psk_handshake, tls->cipher_suite, tls->client_random, |
5300 | 0 | tls->server_name, negotiated_protocol, tls->traffic_protection.enc.secret, |
5301 | 0 | tls->traffic_protection.enc.secret + PTLS_MAX_SECRET_SIZE, tls->traffic_protection.enc.seq, |
5302 | 0 | tls->traffic_protection.enc.tls12_enc_record_iv, tls->traffic_protection.dec.secret, |
5303 | 0 | tls->traffic_protection.dec.secret + PTLS_MAX_SECRET_SIZE, |
5304 | 0 | tls->traffic_protection.dec.seq)) != 0) |
5305 | 0 | goto Exit; |
5306 | 0 | } |
5307 | | |
5308 | 0 | Exit: |
5309 | 0 | return ret; |
5310 | 0 | } |
5311 | | |
5312 | | static int import_tls12_traffic_protection(ptls_t *tls, int is_enc, const uint8_t **src, const uint8_t *const end) |
5313 | 0 | { |
5314 | 0 | struct st_ptls_traffic_protection_t *tp = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
5315 | |
|
5316 | 0 | if ((size_t)(end - *src) < tls->cipher_suite->aead->key_size + tls->cipher_suite->aead->tls12.fixed_iv_size + sizeof(uint64_t)) |
5317 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5318 | | |
5319 | | /* set properties */ |
5320 | 0 | memcpy(tp->secret, *src, tls->cipher_suite->aead->key_size); |
5321 | 0 | *src += tls->cipher_suite->aead->key_size; |
5322 | 0 | memcpy(tp->secret + PTLS_MAX_SECRET_SIZE, *src, tls->cipher_suite->aead->tls12.fixed_iv_size); |
5323 | 0 | *src += tls->cipher_suite->aead->tls12.fixed_iv_size; |
5324 | 0 | if (ptls_decode64(&tp->seq, src, end) != 0) |
5325 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5326 | 0 | if (is_enc && tls->cipher_suite->aead->tls12.record_iv_size != 0) { |
5327 | 0 | if (ptls_decode64(&tp->tls12_enc_record_iv, src, end) != 0) |
5328 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5329 | 0 | } |
5330 | 0 | tp->tls12 = 1; |
5331 | | |
5332 | | /* instantiate aead */ |
5333 | 0 | if ((tp->aead = ptls_aead_new_direct(tls->cipher_suite->aead, is_enc, tp->secret, tp->secret + PTLS_MAX_SECRET_SIZE)) == NULL) |
5334 | 0 | return PTLS_ERROR_NO_MEMORY; |
5335 | | |
5336 | 0 | return 0; |
5337 | 0 | } |
5338 | | |
5339 | | static int import_tls13_traffic_protection(ptls_t *tls, int is_enc, const uint8_t **src, const uint8_t *const end) |
5340 | 0 | { |
5341 | 0 | struct st_ptls_traffic_protection_t *tp = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
5342 | | |
5343 | | /* set properties */ |
5344 | 0 | memcpy(tp->secret, *src, tls->cipher_suite->hash->digest_size); |
5345 | 0 | *src += tls->cipher_suite->hash->digest_size; |
5346 | 0 | if (ptls_decode64(&tp->seq, src, end) != 0) |
5347 | 0 | return PTLS_ALERT_DECODE_ERROR; |
5348 | | |
5349 | 0 | if (setup_traffic_protection(tls, is_enc, NULL, 3, tp->seq, 0) != 0) |
5350 | 0 | return PTLS_ERROR_INCOMPATIBLE_KEY; |
5351 | | |
5352 | 0 | return 0; |
5353 | 0 | } |
5354 | | |
5355 | | int ptls_import(ptls_context_t *ctx, ptls_t **tls, ptls_iovec_t params) |
5356 | 0 | { |
5357 | 0 | const uint8_t *src = params.base, *const end = src + params.len; |
5358 | 0 | uint16_t protocol_version, csid; |
5359 | 0 | int ret; |
5360 | |
|
5361 | 0 | *tls = NULL; |
5362 | | |
5363 | | /* TODO handle flags like psk_handshake, ech_handshake as we add support for TLS/1.3 import */ |
5364 | 0 | ptls_decode_block(src, end, 2, { |
5365 | | /* instantiate, based on the is_server flag */ |
5366 | 0 | if (end - src < 2) { |
5367 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
5368 | 0 | goto Exit; |
5369 | 0 | } |
5370 | 0 | if ((*tls = new_instance(ctx, *src++)) == NULL) { |
5371 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
5372 | 0 | goto Exit; |
5373 | 0 | } |
5374 | 0 | (*tls)->is_psk_handshake = *src++; |
5375 | | /* determine protocol version and cipher suite */ |
5376 | 0 | if ((ret = ptls_decode16(&protocol_version, &src, end)) != 0) |
5377 | 0 | goto Exit; |
5378 | 0 | if ((ret = ptls_decode16(&csid, &src, end)) != 0) |
5379 | 0 | goto Exit; |
5380 | | /* other version-independent stuff */ |
5381 | 0 | if (end - src < PTLS_HELLO_RANDOM_SIZE) { |
5382 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
5383 | 0 | goto Exit; |
5384 | 0 | } |
5385 | 0 | memcpy((*tls)->client_random, src, PTLS_HELLO_RANDOM_SIZE); |
5386 | 0 | src += PTLS_HELLO_RANDOM_SIZE; |
5387 | 0 | ptls_decode_open_block(src, end, 2, { |
5388 | 0 | if (src != end) { |
5389 | 0 | if ((ret = ptls_set_server_name(*tls, (const char *)src, end - src)) != 0) |
5390 | 0 | goto Exit; |
5391 | 0 | src = end; |
5392 | 0 | } |
5393 | 0 | }); |
5394 | 0 | ptls_decode_open_block(src, end, 2, { |
5395 | 0 | if (src != end) { |
5396 | 0 | if ((ret = ptls_set_negotiated_protocol(*tls, (const char *)src, end - src)) != 0) |
5397 | 0 | goto Exit; |
5398 | 0 | src = end; |
5399 | 0 | } |
5400 | 0 | }); |
5401 | | /* version-dependent stuff */ |
5402 | 0 | ptls_decode_open_block(src, end, 2, { |
5403 | 0 | switch (protocol_version) { |
5404 | 0 | case PTLS_PROTOCOL_VERSION_TLS12: |
5405 | 0 | (*tls)->cipher_suite = ptls_find_cipher_suite(ctx->tls12_cipher_suites, csid); |
5406 | 0 | if ((*tls)->cipher_suite == NULL) { |
5407 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
5408 | 0 | goto Exit; |
5409 | 0 | } |
5410 | | /* setup AEAD keys */ |
5411 | 0 | if ((ret = import_tls12_traffic_protection(*tls, 1, &src, end)) != 0) |
5412 | 0 | goto Exit; |
5413 | 0 | if ((ret = import_tls12_traffic_protection(*tls, 0, &src, end)) != 0) |
5414 | 0 | goto Exit; |
5415 | 0 | break; |
5416 | 0 | case PTLS_PROTOCOL_VERSION_TLS13: |
5417 | 0 | (*tls)->cipher_suite = ptls_find_cipher_suite(ctx->cipher_suites, csid); |
5418 | 0 | if ((*tls)->cipher_suite == NULL) { |
5419 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
5420 | 0 | goto Exit; |
5421 | 0 | } |
5422 | | /* setup AEAD keys */ |
5423 | 0 | if (((*tls)->key_schedule = key_schedule_new((*tls)->cipher_suite, NULL, (*tls)->ech.aead != NULL)) == NULL) { |
5424 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
5425 | 0 | goto Exit; |
5426 | 0 | } |
5427 | 0 | if ((ret = import_tls13_traffic_protection(*tls, 1, &src, end)) != 0) |
5428 | 0 | goto Exit; |
5429 | 0 | if ((ret = import_tls13_traffic_protection(*tls, 0, &src, end)) != 0) |
5430 | 0 | goto Exit; |
5431 | 0 | break; |
5432 | 0 | default: |
5433 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
5434 | 0 | goto Exit; |
5435 | 0 | } |
5436 | 0 | }); |
5437 | | /* extensions */ |
5438 | 0 | ptls_decode_open_block(src, end, 2, { |
5439 | 0 | src = end; /* unused */ |
5440 | 0 | }); |
5441 | 0 | }); |
5442 | | |
5443 | 0 | (*tls)->state = ptls_is_server(*tls) ? PTLS_STATE_SERVER_POST_HANDSHAKE : PTLS_STATE_CLIENT_POST_HANDSHAKE; |
5444 | |
|
5445 | 0 | Exit: |
5446 | 0 | if (ret != 0) { |
5447 | 0 | if (*tls != NULL) { |
5448 | 0 | ptls_free(*tls); |
5449 | 0 | *tls = NULL; |
5450 | 0 | } |
5451 | 0 | } |
5452 | 0 | return ret; |
5453 | 0 | } |
5454 | | |
5455 | | void ptls_free(ptls_t *tls) |
5456 | 4.40k | { |
5457 | 4.40k | PTLS_PROBE0(FREE, tls); |
5458 | 4.40k | PTLS_LOG_CONN(free, tls, {}); |
5459 | | |
5460 | 0 | ptls_buffer_dispose(&tls->recvbuf.rec); |
5461 | 4.40k | ptls_buffer_dispose(&tls->recvbuf.mess); |
5462 | 4.40k | free_exporter_master_secret(tls, 1); |
5463 | 4.40k | free_exporter_master_secret(tls, 0); |
5464 | 4.40k | if (tls->key_schedule != NULL) |
5465 | 2.91k | key_schedule_free(tls->key_schedule); |
5466 | 4.40k | if (tls->traffic_protection.dec.aead != NULL) |
5467 | 1.38k | ptls_aead_free(tls->traffic_protection.dec.aead); |
5468 | 4.40k | if (tls->traffic_protection.enc.aead != NULL) |
5469 | 1.38k | ptls_aead_free(tls->traffic_protection.enc.aead); |
5470 | 4.40k | free(tls->server_name); |
5471 | 4.40k | free(tls->negotiated_protocol); |
5472 | 4.40k | clear_ech(&tls->ech, tls->is_server); |
5473 | 4.40k | if (tls->is_server) { |
5474 | 2.19k | if (tls->server.async_job != NULL) |
5475 | 0 | tls->server.async_job->destroy_(tls->server.async_job); |
5476 | 2.21k | } else { |
5477 | 2.21k | if (tls->client.key_share_ctx != NULL) |
5478 | 1.07k | tls->client.key_share_ctx->on_exchange(&tls->client.key_share_ctx, 1, NULL, ptls_iovec_init(NULL, 0)); |
5479 | 2.21k | if (tls->client.certificate_request.context.base != NULL) |
5480 | 280 | free(tls->client.certificate_request.context.base); |
5481 | 2.21k | } |
5482 | 4.40k | if (tls->certificate_verify.cb != NULL) |
5483 | 0 | tls->certificate_verify.cb(tls->certificate_verify.verify_ctx, 0, ptls_iovec_init(NULL, 0), ptls_iovec_init(NULL, 0)); |
5484 | 4.40k | if (tls->pending_handshake_secret != NULL) { |
5485 | 0 | ptls_clear_memory(tls->pending_handshake_secret, PTLS_MAX_DIGEST_SIZE); |
5486 | 0 | free(tls->pending_handshake_secret); |
5487 | 0 | } |
5488 | 4.40k | update_open_count(tls->ctx, -1); |
5489 | 4.40k | ptls_clear_memory(tls, sizeof(*tls)); |
5490 | 4.40k | free(tls); |
5491 | 4.40k | } |
5492 | | |
5493 | | ptls_context_t *ptls_get_context(ptls_t *tls) |
5494 | 0 | { |
5495 | 0 | return tls->ctx; |
5496 | 0 | } |
5497 | | |
5498 | | void ptls_set_context(ptls_t *tls, ptls_context_t *ctx) |
5499 | 0 | { |
5500 | 0 | update_open_count(ctx, 1); |
5501 | 0 | update_open_count(tls->ctx, -1); |
5502 | 0 | tls->ctx = ctx; |
5503 | 0 | } |
5504 | | |
5505 | | ptls_async_job_t *ptls_get_async_job(ptls_t *tls) |
5506 | 0 | { |
5507 | 0 | return tls->server.async_job; |
5508 | 0 | } |
5509 | | |
5510 | | ptls_iovec_t ptls_get_client_random(ptls_t *tls) |
5511 | 0 | { |
5512 | 0 | return ptls_iovec_init(tls->client_random, PTLS_HELLO_RANDOM_SIZE); |
5513 | 0 | } |
5514 | | |
5515 | | ptls_cipher_suite_t *ptls_get_cipher(ptls_t *tls) |
5516 | 0 | { |
5517 | 0 | return tls->cipher_suite; |
5518 | 0 | } |
5519 | | |
5520 | | uint16_t ptls_get_protocol_version(ptls_t *tls) |
5521 | 0 | { |
5522 | 0 | if (tls->traffic_protection.enc.tls12) |
5523 | 0 | return PTLS_PROTOCOL_VERSION_TLS12; |
5524 | | |
5525 | 0 | return PTLS_PROTOCOL_VERSION_TLS13; |
5526 | 0 | } |
5527 | | |
5528 | | int ptls_get_traffic_keys(ptls_t *tls, int is_enc, uint8_t *key, uint8_t *iv, uint64_t *seq) |
5529 | 0 | { |
5530 | 0 | struct st_ptls_traffic_protection_t *ctx = is_enc ? &tls->traffic_protection.enc : &tls->traffic_protection.dec; |
5531 | 0 | int ret; |
5532 | |
|
5533 | 0 | if ((ret = get_traffic_keys(tls->cipher_suite->aead, tls->cipher_suite->hash, key, iv, ctx->secret, ptls_iovec_init(NULL, 0), |
5534 | 0 | NULL)) != 0) |
5535 | 0 | return ret; |
5536 | 0 | *seq = ctx->seq; |
5537 | 0 | return 0; |
5538 | 0 | } |
5539 | | |
5540 | | const char *ptls_get_server_name(ptls_t *tls) |
5541 | 0 | { |
5542 | 0 | return tls->server_name; |
5543 | 0 | } |
5544 | | |
5545 | | int ptls_set_server_name(ptls_t *tls, const char *server_name, size_t server_name_len) |
5546 | 0 | { |
5547 | 0 | char *duped = NULL; |
5548 | |
|
5549 | 0 | if (server_name != NULL && |
5550 | 0 | (duped = duplicate_as_str(server_name, server_name_len != 0 ? server_name_len : strlen(server_name))) == NULL) |
5551 | 0 | return PTLS_ERROR_NO_MEMORY; |
5552 | | |
5553 | 0 | free(tls->server_name); |
5554 | 0 | tls->server_name = duped; |
5555 | |
|
5556 | 0 | return 0; |
5557 | 0 | } |
5558 | | |
5559 | | const char *ptls_get_negotiated_protocol(ptls_t *tls) |
5560 | 0 | { |
5561 | 0 | return tls->negotiated_protocol; |
5562 | 0 | } |
5563 | | |
5564 | | int ptls_set_negotiated_protocol(ptls_t *tls, const char *protocol, size_t protocol_len) |
5565 | 24 | { |
5566 | 24 | char *duped = NULL; |
5567 | | |
5568 | 24 | if (protocol != NULL && (duped = duplicate_as_str(protocol, protocol_len != 0 ? protocol_len : strlen(protocol))) == NULL) |
5569 | 0 | return PTLS_ERROR_NO_MEMORY; |
5570 | | |
5571 | 24 | free(tls->negotiated_protocol); |
5572 | 24 | tls->negotiated_protocol = duped; |
5573 | | |
5574 | 24 | return 0; |
5575 | 24 | } |
5576 | | |
5577 | | int ptls_handshake_is_complete(ptls_t *tls) |
5578 | 0 | { |
5579 | 0 | return tls->state >= PTLS_STATE_POST_HANDSHAKE_MIN; |
5580 | 0 | } |
5581 | | |
5582 | | int ptls_is_psk_handshake(ptls_t *tls) |
5583 | 0 | { |
5584 | 0 | return tls->is_psk_handshake; |
5585 | 0 | } |
5586 | | |
5587 | | int ptls_is_ech_handshake(ptls_t *tls, uint8_t *config_id, ptls_hpke_kem_t **kem, ptls_hpke_cipher_suite_t **cipher) |
5588 | 438 | { |
5589 | 438 | if (tls->ech.accepted) { |
5590 | 0 | if (config_id != NULL) |
5591 | 0 | *config_id = tls->ech.config_id; |
5592 | 0 | if (kem != NULL) |
5593 | 0 | *kem = tls->ech.kem; |
5594 | 0 | if (cipher != NULL) |
5595 | 0 | *cipher = tls->ech.cipher; |
5596 | 0 | return 1; |
5597 | 0 | } |
5598 | 438 | return 0; |
5599 | 438 | } |
5600 | | |
5601 | | void **ptls_get_data_ptr(ptls_t *tls) |
5602 | 0 | { |
5603 | 0 | return &tls->data_ptr; |
5604 | 0 | } |
5605 | | |
5606 | | ptls_log_conn_state_t *ptls_get_log_state(ptls_t *tls) |
5607 | 0 | { |
5608 | 0 | #if PTLS_HAVE_LOG |
5609 | 0 | return &tls->log_state; |
5610 | | #else |
5611 | | return &ptls_log.dummy_conn_state; |
5612 | | #endif |
5613 | 0 | } |
5614 | | |
5615 | | static int handle_client_handshake_message(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, int is_end_of_record, |
5616 | | ptls_handshake_properties_t *properties) |
5617 | 41.6k | { |
5618 | 41.6k | uint8_t type = message.base[0]; |
5619 | 41.6k | int ret; |
5620 | | |
5621 | 41.6k | switch (tls->state) { |
5622 | 1.97k | case PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO: |
5623 | 39.8k | case PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO: |
5624 | 39.8k | if (type == PTLS_HANDSHAKE_TYPE_SERVER_HELLO && is_end_of_record) { |
5625 | 39.8k | ret = client_handle_hello(tls, emitter, message, properties); |
5626 | 39.8k | } else { |
5627 | 41 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5628 | 41 | } |
5629 | 39.8k | break; |
5630 | 1.03k | case PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS: |
5631 | 1.03k | if (type == PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS) { |
5632 | 1.02k | ret = client_handle_encrypted_extensions(tls, message, properties); |
5633 | 1.02k | } else { |
5634 | 12 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5635 | 12 | } |
5636 | 1.03k | break; |
5637 | 675 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE: |
5638 | 675 | if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { |
5639 | 284 | ret = client_handle_certificate_request(tls, message, properties); |
5640 | 284 | break; |
5641 | 284 | } |
5642 | | /* fall through */ |
5643 | 394 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE: |
5644 | 394 | switch (type) { |
5645 | 390 | case PTLS_HANDSHAKE_TYPE_CERTIFICATE: |
5646 | 390 | ret = client_handle_certificate(tls, message); |
5647 | 390 | break; |
5648 | 2 | case PTLS_HANDSHAKE_TYPE_COMPRESSED_CERTIFICATE: |
5649 | 2 | ret = client_handle_compressed_certificate(tls, message); |
5650 | 2 | break; |
5651 | 2 | default: |
5652 | 2 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5653 | 2 | break; |
5654 | 394 | } |
5655 | 394 | break; |
5656 | 394 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY: |
5657 | 78 | if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { |
5658 | 67 | ret = client_handle_certificate_verify(tls, message); |
5659 | 67 | } else { |
5660 | 11 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5661 | 11 | } |
5662 | 78 | break; |
5663 | 30 | case PTLS_STATE_CLIENT_EXPECT_FINISHED: |
5664 | 30 | if (type == PTLS_HANDSHAKE_TYPE_FINISHED && is_end_of_record) { |
5665 | 18 | ret = client_handle_finished(tls, emitter, message); |
5666 | 18 | } else { |
5667 | 12 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5668 | 12 | } |
5669 | 30 | break; |
5670 | 0 | case PTLS_STATE_CLIENT_POST_HANDSHAKE: |
5671 | 0 | switch (type) { |
5672 | 0 | case PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET: |
5673 | 0 | ret = client_handle_new_session_ticket(tls, message); |
5674 | 0 | break; |
5675 | 0 | case PTLS_HANDSHAKE_TYPE_KEY_UPDATE: |
5676 | 0 | ret = handle_key_update(tls, emitter, message); |
5677 | 0 | break; |
5678 | 0 | default: |
5679 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5680 | 0 | break; |
5681 | 0 | } |
5682 | 0 | break; |
5683 | 0 | default: |
5684 | 0 | assert(!"unexpected state"); |
5685 | 0 | ret = PTLS_ALERT_INTERNAL_ERROR; |
5686 | 0 | break; |
5687 | 41.6k | } |
5688 | | |
5689 | 41.6k | PTLS_PROBE(RECEIVE_MESSAGE, tls, message.base[0], message.base + PTLS_HANDSHAKE_HEADER_SIZE, |
5690 | 41.6k | message.len - PTLS_HANDSHAKE_HEADER_SIZE, ret); |
5691 | 41.6k | PTLS_LOG_CONN(receive_message, tls, { |
5692 | 41.6k | PTLS_LOG_ELEMENT_UNSIGNED(message, message.base[0]); |
5693 | 41.6k | PTLS_LOG_ELEMENT_UNSIGNED(len, message.len - PTLS_HANDSHAKE_HEADER_SIZE); |
5694 | 41.6k | PTLS_LOG_ELEMENT_SIGNED(result, ret); |
5695 | 41.6k | }); |
5696 | | |
5697 | 0 | return ret; |
5698 | 41.6k | } |
5699 | | |
5700 | | static int handle_server_handshake_message(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, int is_end_of_record, |
5701 | | ptls_handshake_properties_t *properties) |
5702 | 2.06k | { |
5703 | 2.06k | uint8_t type = message.base[0]; |
5704 | 2.06k | int ret; |
5705 | | |
5706 | 2.06k | switch (tls->state) { |
5707 | 1.94k | case PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO: |
5708 | 2.02k | case PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO: |
5709 | 2.02k | if (type == PTLS_HANDSHAKE_TYPE_CLIENT_HELLO && is_end_of_record) { |
5710 | 1.97k | ret = server_handle_hello(tls, emitter, message, properties); |
5711 | 1.97k | } else { |
5712 | 44 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
5713 | 44 | } |
5714 | 2.02k | break; |
5715 | 0 | case PTLS_STATE_SERVER_EXPECT_CERTIFICATE: |
5716 | 0 | if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE) { |
5717 | 0 | ret = server_handle_certificate(tls, message); |
5718 | 0 | } else { |
5719 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5720 | 0 | } |
5721 | 0 | break; |
5722 | 0 | case PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY: |
5723 | 0 | if (type == PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY) { |
5724 | 0 | ret = server_handle_certificate_verify(tls, message); |
5725 | 0 | } else { |
5726 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5727 | 0 | } |
5728 | 0 | break; |
5729 | 0 | case PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA: |
5730 | 0 | assert(!tls->ctx->omit_end_of_early_data); |
5731 | 0 | if (type == PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA) { |
5732 | 0 | ret = server_handle_end_of_early_data(tls, message); |
5733 | 0 | } else { |
5734 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5735 | 0 | } |
5736 | 0 | break; |
5737 | 41 | case PTLS_STATE_SERVER_EXPECT_FINISHED: |
5738 | 41 | if (type == PTLS_HANDSHAKE_TYPE_FINISHED && is_end_of_record) { |
5739 | 16 | ret = server_handle_finished(tls, message); |
5740 | 25 | } else { |
5741 | 25 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
5742 | 25 | } |
5743 | 41 | break; |
5744 | 0 | case PTLS_STATE_SERVER_POST_HANDSHAKE: |
5745 | 0 | switch (type) { |
5746 | 0 | case PTLS_HANDSHAKE_TYPE_KEY_UPDATE: |
5747 | 0 | ret = handle_key_update(tls, emitter, message); |
5748 | 0 | break; |
5749 | 0 | default: |
5750 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5751 | 0 | break; |
5752 | 0 | } |
5753 | 0 | break; |
5754 | 0 | default: |
5755 | 0 | assert(!"unexpected state"); |
5756 | 0 | ret = PTLS_ALERT_INTERNAL_ERROR; |
5757 | 0 | break; |
5758 | 2.06k | } |
5759 | | |
5760 | 2.06k | PTLS_PROBE(RECEIVE_MESSAGE, tls, message.base[0], message.base + PTLS_HANDSHAKE_HEADER_SIZE, |
5761 | 2.06k | message.len - PTLS_HANDSHAKE_HEADER_SIZE, ret); |
5762 | 2.06k | PTLS_LOG_CONN(receive_message, tls, { |
5763 | 2.06k | PTLS_LOG_ELEMENT_UNSIGNED(message, message.base[0]); |
5764 | 2.06k | PTLS_LOG_ELEMENT_UNSIGNED(len, message.len - PTLS_HANDSHAKE_HEADER_SIZE); |
5765 | 2.06k | PTLS_LOG_ELEMENT_SIGNED(result, ret); |
5766 | 2.06k | }); |
5767 | | |
5768 | 0 | return ret; |
5769 | 2.06k | } |
5770 | | |
5771 | | static int handle_alert(ptls_t *tls, const uint8_t *src, size_t len) |
5772 | 80 | { |
5773 | 80 | if (len != 2) |
5774 | 35 | return PTLS_ALERT_DECODE_ERROR; |
5775 | | |
5776 | 45 | uint8_t desc = src[1]; |
5777 | | |
5778 | | /* all fatal alerts and USER_CANCELLED warning tears down the connection immediately, regardless of the transmitted level */ |
5779 | 45 | return PTLS_ALERT_TO_PEER_ERROR(desc); |
5780 | 80 | } |
5781 | | |
5782 | | static int message_buffer_is_overflow(ptls_context_t *ctx, size_t size) |
5783 | 57.2k | { |
5784 | 57.2k | if (ctx->max_buffer_size == 0) |
5785 | 57.2k | return 0; |
5786 | 0 | if (size <= ctx->max_buffer_size) |
5787 | 0 | return 0; |
5788 | 0 | return 1; |
5789 | 0 | } |
5790 | | |
5791 | | static int handle_handshake_record(ptls_t *tls, |
5792 | | int (*cb)(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_iovec_t message, |
5793 | | int is_end_of_record, ptls_handshake_properties_t *properties), |
5794 | | ptls_message_emitter_t *emitter, struct st_ptls_record_t *rec, |
5795 | | ptls_handshake_properties_t *properties) |
5796 | 97.1k | { |
5797 | 97.1k | int ret; |
5798 | | |
5799 | | /* handshake */ |
5800 | 97.1k | if (rec->type != PTLS_CONTENT_TYPE_HANDSHAKE) |
5801 | 15 | return PTLS_ALERT_DECODE_ERROR; |
5802 | | |
5803 | | /* flatten the unhandled messages */ |
5804 | 97.1k | const uint8_t *src, *src_end; |
5805 | 97.1k | if (tls->recvbuf.mess.base == NULL) { |
5806 | 68.6k | src = rec->fragment; |
5807 | 68.6k | src_end = src + rec->length; |
5808 | 68.6k | } else { |
5809 | 28.5k | if (message_buffer_is_overflow(tls->ctx, tls->recvbuf.mess.off + rec->length)) |
5810 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5811 | 28.5k | if ((ret = ptls_buffer_reserve(&tls->recvbuf.mess, rec->length)) != 0) |
5812 | 0 | return ret; |
5813 | 28.5k | memcpy(tls->recvbuf.mess.base + tls->recvbuf.mess.off, rec->fragment, rec->length); |
5814 | 28.5k | tls->recvbuf.mess.off += rec->length; |
5815 | 28.5k | src = tls->recvbuf.mess.base; |
5816 | 28.5k | src_end = src + tls->recvbuf.mess.off; |
5817 | 28.5k | } |
5818 | | |
5819 | | /* handle the messages */ |
5820 | 97.1k | ret = PTLS_ERROR_IN_PROGRESS; |
5821 | 137k | while (src_end - src >= 4) { |
5822 | 71.7k | size_t mess_len = 4 + ntoh24(src + 1); |
5823 | 71.7k | if (src_end - src < (int)mess_len) |
5824 | 27.9k | break; |
5825 | 43.7k | ret = cb(tls, emitter, ptls_iovec_init(src, mess_len), src_end - src == mess_len, properties); |
5826 | 43.7k | switch (ret) { |
5827 | 262 | case 0: |
5828 | 262 | case PTLS_ERROR_ASYNC_OPERATION: |
5829 | 40.4k | case PTLS_ERROR_IN_PROGRESS: |
5830 | 40.4k | break; |
5831 | 3.35k | default: |
5832 | 3.35k | ptls_buffer_dispose(&tls->recvbuf.mess); |
5833 | 3.35k | return ret; |
5834 | 43.7k | } |
5835 | 40.4k | src += mess_len; |
5836 | 40.4k | } |
5837 | | |
5838 | | /* keep last partial message in buffer */ |
5839 | 93.7k | if (src != src_end) { |
5840 | 28.7k | size_t new_size = src_end - src; |
5841 | 28.7k | if (message_buffer_is_overflow(tls->ctx, new_size)) |
5842 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5843 | 28.7k | if (tls->recvbuf.mess.base == NULL) { |
5844 | 1.26k | ptls_buffer_init(&tls->recvbuf.mess, "", 0); |
5845 | 1.26k | if ((ret = ptls_buffer_reserve(&tls->recvbuf.mess, new_size)) != 0) |
5846 | 0 | return ret; |
5847 | 1.26k | memcpy(tls->recvbuf.mess.base, src, new_size); |
5848 | 27.4k | } else { |
5849 | 27.4k | memmove(tls->recvbuf.mess.base, src, new_size); |
5850 | 27.4k | } |
5851 | 28.7k | tls->recvbuf.mess.off = new_size; |
5852 | 28.7k | ret = PTLS_ERROR_IN_PROGRESS; |
5853 | 65.0k | } else { |
5854 | 65.0k | ptls_buffer_dispose(&tls->recvbuf.mess); |
5855 | 65.0k | } |
5856 | | |
5857 | 93.7k | return ret; |
5858 | 93.7k | } |
5859 | | |
5860 | | static int handle_input(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_buffer_t *decryptbuf, const void *input, size_t *inlen, |
5861 | | ptls_handshake_properties_t *properties) |
5862 | 108k | { |
5863 | 108k | struct st_ptls_record_t rec; |
5864 | 108k | int ret; |
5865 | | |
5866 | | /* extract the record */ |
5867 | 108k | if ((ret = parse_record(tls, &rec, input, inlen)) != 0) |
5868 | 378 | return ret; |
5869 | 107k | assert(rec.fragment != NULL); |
5870 | | |
5871 | | /* decrypt the record */ |
5872 | 107k | if (rec.type == PTLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { |
5873 | 623 | if (tls->state < PTLS_STATE_POST_HANDSHAKE_MIN) { |
5874 | 623 | if (!(rec.length == 1 && rec.fragment[0] == 0x01)) |
5875 | 47 | return PTLS_ALERT_ILLEGAL_PARAMETER; |
5876 | 623 | } else { |
5877 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5878 | 0 | } |
5879 | 576 | ret = PTLS_ERROR_IN_PROGRESS; |
5880 | 576 | goto NextRecord; |
5881 | 623 | } |
5882 | 107k | if (tls->traffic_protection.dec.aead != NULL && rec.type != PTLS_CONTENT_TYPE_ALERT) { |
5883 | 11.6k | size_t decrypted_length; |
5884 | 11.6k | if (rec.type != PTLS_CONTENT_TYPE_APPDATA) |
5885 | 7 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5886 | 11.6k | if ((ret = ptls_buffer_reserve(decryptbuf, 5 + rec.length)) != 0) |
5887 | 0 | return ret; |
5888 | 11.6k | if ((ret = aead_decrypt(&tls->traffic_protection.dec, decryptbuf->base + decryptbuf->off, &decrypted_length, rec.fragment, |
5889 | 11.6k | rec.length)) != 0) { |
5890 | 9.50k | if (tls->is_server && tls->server.early_data_skipped_bytes != UINT32_MAX) |
5891 | 9.48k | goto ServerSkipEarlyData; |
5892 | 15 | return ret; |
5893 | 9.50k | } |
5894 | 2.14k | rec.length = decrypted_length; |
5895 | 2.14k | rec.fragment = decryptbuf->base + decryptbuf->off; |
5896 | | /* skip padding */ |
5897 | 11.0k | for (; rec.length != 0; --rec.length) |
5898 | 11.0k | if (rec.fragment[rec.length - 1] != 0) |
5899 | 2.11k | break; |
5900 | 2.14k | if (rec.length == 0) |
5901 | 31 | return PTLS_ALERT_UNEXPECTED_MESSAGE; |
5902 | 2.11k | rec.type = rec.fragment[--rec.length]; |
5903 | 95.5k | } else if (rec.type == PTLS_CONTENT_TYPE_APPDATA && tls->is_server && tls->server.early_data_skipped_bytes != UINT32_MAX) { |
5904 | 420 | goto ServerSkipEarlyData; |
5905 | 420 | } |
5906 | | |
5907 | 97.2k | if (tls->recvbuf.mess.base != NULL || rec.type == PTLS_CONTENT_TYPE_HANDSHAKE) { |
5908 | | /* handshake record */ |
5909 | 97.1k | ret = handle_handshake_record(tls, tls->is_server ? handle_server_handshake_message : handle_client_handshake_message, |
5910 | 97.1k | emitter, &rec, properties); |
5911 | 97.1k | } else { |
5912 | | /* handling of an alert or an application record */ |
5913 | 144 | switch (rec.type) { |
5914 | 12 | case PTLS_CONTENT_TYPE_APPDATA: |
5915 | 12 | if (tls->state >= PTLS_STATE_POST_HANDSHAKE_MIN) { |
5916 | 0 | decryptbuf->off += rec.length; |
5917 | 0 | ret = 0; |
5918 | 12 | } else if (tls->state == PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA) { |
5919 | 0 | if (tls->traffic_protection.dec.aead != NULL) |
5920 | 0 | decryptbuf->off += rec.length; |
5921 | 0 | ret = 0; |
5922 | 12 | } else { |
5923 | 12 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5924 | 12 | } |
5925 | 12 | break; |
5926 | 80 | case PTLS_CONTENT_TYPE_ALERT: |
5927 | 80 | ret = handle_alert(tls, rec.fragment, rec.length); |
5928 | 80 | break; |
5929 | 52 | default: |
5930 | 52 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
5931 | 52 | break; |
5932 | 144 | } |
5933 | 144 | } |
5934 | | |
5935 | 107k | NextRecord: |
5936 | 107k | ptls_buffer_dispose(&tls->recvbuf.rec); |
5937 | 107k | return ret; |
5938 | | |
5939 | 9.90k | ServerSkipEarlyData: |
5940 | 9.90k | tls->server.early_data_skipped_bytes += (uint32_t)rec.length; |
5941 | 9.90k | if (tls->server.early_data_skipped_bytes > PTLS_MAX_EARLY_DATA_SKIP_SIZE) |
5942 | 2 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
5943 | 9.90k | ret = PTLS_ERROR_IN_PROGRESS; |
5944 | 9.90k | goto NextRecord; |
5945 | 9.90k | } |
5946 | | |
5947 | | static int handle_input_tls12(ptls_t *tls, ptls_buffer_t *decryptbuf, const void *input, size_t *inlen) |
5948 | 0 | { |
5949 | 0 | struct st_ptls_record_t rec; |
5950 | 0 | int ret; |
5951 | | |
5952 | | /* extract the record, or bail out */ |
5953 | 0 | if ((ret = parse_record(tls, &rec, input, inlen)) != 0) |
5954 | 0 | return ret; |
5955 | 0 | assert(rec.fragment != NULL); |
5956 | | |
5957 | 0 | const uint8_t *src = rec.fragment, *end = src + rec.length; |
5958 | 0 | uint64_t nonce; |
5959 | 0 | uint8_t aad[PTLS_TLS12_AAD_SIZE]; |
5960 | | |
5961 | | /* determine the nonce */ |
5962 | 0 | if (tls->traffic_protection.dec.aead->algo->tls12.record_iv_size != 0) { |
5963 | 0 | assert(tls->traffic_protection.dec.aead->algo->tls12.record_iv_size == 8); |
5964 | 0 | if ((ret = ptls_decode64(&nonce, &src, end)) != 0) |
5965 | 0 | goto Exit; |
5966 | 0 | } else { |
5967 | 0 | nonce = tls->traffic_protection.dec.seq; |
5968 | 0 | } |
5969 | | |
5970 | | /* determine cleartext length */ |
5971 | 0 | size_t textlen = end - src; |
5972 | 0 | if (textlen < tls->traffic_protection.dec.aead->algo->tag_size) { |
5973 | 0 | ret = PTLS_ALERT_BAD_RECORD_MAC; |
5974 | 0 | goto Exit; |
5975 | 0 | } |
5976 | 0 | textlen -= tls->traffic_protection.dec.aead->algo->tag_size; |
5977 | | |
5978 | | /* build aad */ |
5979 | 0 | build_tls12_aad(aad, rec.type, tls->traffic_protection.dec.seq, (uint16_t)textlen); |
5980 | | |
5981 | | /* decrypt input to decryptbuf */ |
5982 | 0 | if ((ret = ptls_buffer_reserve(decryptbuf, textlen)) != 0) |
5983 | 0 | goto Exit; |
5984 | 0 | if (ptls_aead_decrypt(tls->traffic_protection.dec.aead, decryptbuf->base + decryptbuf->off, src, end - src, nonce, aad, |
5985 | 0 | sizeof(aad)) != textlen) { |
5986 | 0 | ret = PTLS_ALERT_BAD_RECORD_MAC; |
5987 | 0 | goto Exit; |
5988 | 0 | } |
5989 | 0 | ++tls->traffic_protection.dec.seq; |
5990 | | |
5991 | | /* record-type specific action */ |
5992 | 0 | switch (rec.type) { |
5993 | 0 | case PTLS_CONTENT_TYPE_APPDATA: |
5994 | | /* if application data, retain the bytes being decrypted */ |
5995 | 0 | decryptbuf->off += textlen; |
5996 | 0 | break; |
5997 | 0 | case PTLS_CONTENT_TYPE_ALERT: |
5998 | | /* submit alert without adjusting decryptbuf, so that the decrypted data would be dropped after handling the alert */ |
5999 | 0 | ret = handle_alert(tls, decryptbuf->base + decryptbuf->off, textlen); |
6000 | 0 | break; |
6001 | 0 | default: |
6002 | 0 | ret = PTLS_ALERT_UNEXPECTED_MESSAGE; |
6003 | 0 | break; |
6004 | 0 | } |
6005 | | |
6006 | 0 | Exit: |
6007 | 0 | ptls_buffer_dispose(&tls->recvbuf.rec); |
6008 | 0 | ptls_clear_memory(aad, sizeof(aad)); |
6009 | 0 | return 0; |
6010 | 0 | } |
6011 | | |
6012 | | static void init_record_message_emitter(ptls_t *tls, struct st_ptls_record_message_emitter_t *emitter, ptls_buffer_t *sendbuf) |
6013 | 6.62k | { |
6014 | 6.62k | *emitter = (struct st_ptls_record_message_emitter_t){ |
6015 | 6.62k | {sendbuf, &tls->traffic_protection.enc, 5, begin_record_message, commit_record_message}}; |
6016 | 6.62k | } |
6017 | | |
6018 | | int ptls_handshake(ptls_t *tls, ptls_buffer_t *_sendbuf, const void *input, size_t *inlen, ptls_handshake_properties_t *properties) |
6019 | 6.62k | { |
6020 | 6.62k | struct st_ptls_record_message_emitter_t emitter; |
6021 | 6.62k | int ret; |
6022 | | |
6023 | 6.62k | assert(tls->state < PTLS_STATE_POST_HANDSHAKE_MIN); |
6024 | | |
6025 | 6.62k | init_record_message_emitter(tls, &emitter, _sendbuf); |
6026 | 6.62k | size_t sendbuf_orig_off = emitter.super.buf->off; |
6027 | | |
6028 | | /* special handlings */ |
6029 | 6.62k | switch (tls->state) { |
6030 | 2.21k | case PTLS_STATE_CLIENT_HANDSHAKE_START: { |
6031 | 2.21k | assert(input == NULL || *inlen == 0); |
6032 | 2.21k | return send_client_hello(tls, &emitter.super, properties, NULL); |
6033 | 2.21k | } |
6034 | 0 | case PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY: |
6035 | 0 | return server_finish_handshake(tls, &emitter.super, 1, NULL); |
6036 | 4.40k | default: |
6037 | 4.40k | break; |
6038 | 6.62k | } |
6039 | | |
6040 | 4.40k | const uint8_t *src = input, *const src_end = src + *inlen; |
6041 | 4.40k | ptls_buffer_t decryptbuf; |
6042 | | |
6043 | 4.40k | ptls_buffer_init(&decryptbuf, "", 0); |
6044 | | |
6045 | | /* perform handhake until completion or until all the input has been swallowed */ |
6046 | 4.40k | ret = PTLS_ERROR_IN_PROGRESS; |
6047 | 102k | while (ret == PTLS_ERROR_IN_PROGRESS && src != src_end) { |
6048 | 97.8k | size_t consumed = src_end - src; |
6049 | 97.8k | ret = handle_input(tls, &emitter.super, &decryptbuf, src, &consumed, properties); |
6050 | 97.8k | src += consumed; |
6051 | 97.8k | assert(decryptbuf.off == 0); |
6052 | 97.8k | } |
6053 | | |
6054 | 4.40k | ptls_buffer_dispose(&decryptbuf); |
6055 | | |
6056 | 4.40k | switch (ret) { |
6057 | 262 | case 0: |
6058 | 829 | case PTLS_ERROR_IN_PROGRESS: |
6059 | 829 | case PTLS_ERROR_STATELESS_RETRY: |
6060 | 829 | case PTLS_ERROR_ASYNC_OPERATION: |
6061 | 829 | break; |
6062 | 3.58k | default: |
6063 | | /* Flush handshake messages that have been written partially. ECH_REQUIRED sticks out because it is a message sent |
6064 | | * post-handshake compared to other alerts that are generating *during* the handshake. */ |
6065 | 3.58k | if (ret != PTLS_ALERT_ECH_REQUIRED) { |
6066 | 3.58k | ptls_clear_memory(emitter.super.buf->base + sendbuf_orig_off, emitter.super.buf->off - sendbuf_orig_off); |
6067 | 3.58k | emitter.super.buf->off = sendbuf_orig_off; |
6068 | 3.58k | } |
6069 | | /* send alert immediately */ |
6070 | 3.58k | if (PTLS_ERROR_GET_CLASS(ret) != PTLS_ERROR_CLASS_PEER_ALERT) |
6071 | 3.54k | if (ptls_send_alert(tls, emitter.super.buf, PTLS_ALERT_LEVEL_FATAL, |
6072 | 3.54k | PTLS_ERROR_GET_CLASS(ret) == PTLS_ERROR_CLASS_SELF_ALERT ? ret : PTLS_ALERT_INTERNAL_ERROR) != 0) |
6073 | 0 | emitter.super.buf->off = sendbuf_orig_off; |
6074 | 3.58k | break; |
6075 | 4.40k | } |
6076 | | |
6077 | 4.40k | *inlen -= src_end - src; |
6078 | 4.40k | return ret; |
6079 | 4.40k | } |
6080 | | |
6081 | | int ptls_receive(ptls_t *tls, ptls_buffer_t *decryptbuf, const void *_input, size_t *inlen) |
6082 | 234 | { |
6083 | 234 | const uint8_t *input = (const uint8_t *)_input, *const end = input + *inlen; |
6084 | 234 | size_t decryptbuf_orig_size = decryptbuf->off; |
6085 | 234 | int ret = 0; |
6086 | | |
6087 | 234 | assert(tls->state >= PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA); |
6088 | | |
6089 | | /* loop until we decrypt some application data (or an error) */ |
6090 | 10.6k | while (ret == 0 && input != end && decryptbuf_orig_size == decryptbuf->off) { |
6091 | 10.3k | size_t consumed = end - input; |
6092 | 10.3k | if (tls->traffic_protection.dec.tls12) { |
6093 | 0 | ret = handle_input_tls12(tls, decryptbuf, input, &consumed); |
6094 | 10.3k | } else { |
6095 | 10.3k | ret = handle_input(tls, NULL, decryptbuf, input, &consumed, NULL); |
6096 | 10.3k | } |
6097 | 10.3k | input += consumed; |
6098 | | |
6099 | 10.3k | switch (ret) { |
6100 | 0 | case 0: |
6101 | 0 | break; |
6102 | 10.2k | case PTLS_ERROR_IN_PROGRESS: |
6103 | 10.2k | ret = 0; |
6104 | 10.2k | break; |
6105 | 0 | case PTLS_ERROR_CLASS_PEER_ALERT + PTLS_ALERT_CLOSE_NOTIFY: |
6106 | | /* TODO send close alert */ |
6107 | 0 | break; |
6108 | 163 | default: |
6109 | 163 | if (PTLS_ERROR_GET_CLASS(ret) == PTLS_ERROR_CLASS_SELF_ALERT) { |
6110 | | /* TODO send alert */ |
6111 | 150 | } |
6112 | 163 | break; |
6113 | 10.3k | } |
6114 | 10.3k | } |
6115 | | |
6116 | 234 | *inlen -= end - input; |
6117 | | |
6118 | 234 | return ret; |
6119 | 234 | } |
6120 | | |
6121 | | static int update_send_key(ptls_t *tls, ptls_buffer_t *_sendbuf, int request_update) |
6122 | 0 | { |
6123 | 0 | struct st_ptls_record_message_emitter_t emitter; |
6124 | 0 | int ret; |
6125 | |
|
6126 | 0 | init_record_message_emitter(tls, &emitter, _sendbuf); |
6127 | 0 | size_t sendbuf_orig_off = emitter.super.buf->off; |
6128 | |
|
6129 | 0 | ptls_push_message(&emitter.super, NULL, PTLS_HANDSHAKE_TYPE_KEY_UPDATE, |
6130 | 0 | { ptls_buffer_push(emitter.super.buf, !!request_update); }); |
6131 | 0 | if ((ret = update_traffic_key(tls, 1)) != 0) |
6132 | 0 | goto Exit; |
6133 | 0 | ret = 0; |
6134 | |
|
6135 | 0 | Exit: |
6136 | 0 | if (ret != 0) |
6137 | 0 | emitter.super.buf->off = sendbuf_orig_off; |
6138 | 0 | return ret; |
6139 | 0 | } |
6140 | | |
6141 | | int ptls_send(ptls_t *tls, ptls_buffer_t *sendbuf, const void *input, size_t inlen) |
6142 | 0 | { |
6143 | 0 | assert(tls->traffic_protection.enc.aead != NULL); |
6144 | | |
6145 | | /* "For AES-GCM, up to 2^24.5 full-size records (about 24 million) may be encrypted on a given connection while keeping a |
6146 | | * safety margin of approximately 2^-57 for Authenticated Encryption (AE) security." (RFC 8446 section 5.5). |
6147 | | * |
6148 | | * Key updates do not happen with tls 1.2, check `key_schedule` to see if we are using tls/1.3 |
6149 | | */ |
6150 | 0 | if (tls->traffic_protection.enc.seq >= 16777216 && tls->key_schedule != NULL) |
6151 | 0 | tls->needs_key_update = 1; |
6152 | |
|
6153 | 0 | if (tls->needs_key_update) { |
6154 | 0 | int ret; |
6155 | 0 | if ((ret = update_send_key(tls, sendbuf, tls->key_update_send_request)) != 0) |
6156 | 0 | return ret; |
6157 | 0 | tls->needs_key_update = 0; |
6158 | 0 | tls->key_update_send_request = 0; |
6159 | 0 | } |
6160 | | |
6161 | 0 | return buffer_push_encrypted_records(sendbuf, PTLS_CONTENT_TYPE_APPDATA, input, inlen, &tls->traffic_protection.enc); |
6162 | 0 | } |
6163 | | |
6164 | | int ptls_update_key(ptls_t *tls, int request_update) |
6165 | 0 | { |
6166 | 0 | assert(tls->ctx->update_traffic_key == NULL); |
6167 | 0 | tls->needs_key_update = 1; |
6168 | 0 | tls->key_update_send_request = request_update; |
6169 | 0 | return 0; |
6170 | 0 | } |
6171 | | |
6172 | | size_t ptls_get_record_overhead(ptls_t *tls) |
6173 | 0 | { |
6174 | 0 | ptls_aead_algorithm_t *algo = tls->traffic_protection.enc.aead->algo; |
6175 | |
|
6176 | 0 | if (tls->traffic_protection.enc.tls12) { |
6177 | 0 | return 5 + algo->tls12.record_iv_size + algo->tag_size; |
6178 | 0 | } else { |
6179 | 0 | return 6 + algo->tag_size; |
6180 | 0 | } |
6181 | 0 | } |
6182 | | |
6183 | | int ptls_send_alert(ptls_t *tls, ptls_buffer_t *sendbuf, uint8_t level, uint8_t description) |
6184 | 3.54k | { |
6185 | 3.54k | size_t rec_start = sendbuf->off; |
6186 | 3.54k | int ret = 0; |
6187 | | |
6188 | 3.54k | buffer_push_record(sendbuf, PTLS_CONTENT_TYPE_ALERT, { ptls_buffer_push(sendbuf, level, description); }); |
6189 | | /* encrypt the alert if we have the encryption keys, unless when it is the early data key */ |
6190 | 3.54k | if (tls->traffic_protection.enc.aead != NULL && !(tls->state <= PTLS_STATE_CLIENT_EXPECT_FINISHED)) { |
6191 | 14 | if ((ret = buffer_encrypt_record(sendbuf, rec_start, &tls->traffic_protection.enc)) != 0) |
6192 | 0 | goto Exit; |
6193 | 14 | } |
6194 | | |
6195 | 3.54k | Exit: |
6196 | 3.54k | return ret; |
6197 | 3.54k | } |
6198 | | |
6199 | | int ptls_export_secret(ptls_t *tls, void *output, size_t outlen, const char *label, ptls_iovec_t context_value, int is_early) |
6200 | 0 | { |
6201 | 0 | ptls_hash_algorithm_t *algo = tls->key_schedule->hashes[0].algo; |
6202 | 0 | uint8_t *master_secret = is_early ? tls->exporter_master_secret.early : tls->exporter_master_secret.one_rtt, |
6203 | 0 | derived_secret[PTLS_MAX_DIGEST_SIZE], context_value_hash[PTLS_MAX_DIGEST_SIZE]; |
6204 | 0 | int ret; |
6205 | |
|
6206 | 0 | if (master_secret == NULL) { |
6207 | 0 | if (is_early) { |
6208 | 0 | switch (tls->state) { |
6209 | 0 | case PTLS_STATE_CLIENT_HANDSHAKE_START: |
6210 | 0 | case PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO: |
6211 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
6212 | 0 | break; |
6213 | 0 | default: |
6214 | 0 | ret = PTLS_ERROR_NOT_AVAILABLE; |
6215 | 0 | break; |
6216 | 0 | } |
6217 | 0 | } else { |
6218 | 0 | ret = PTLS_ERROR_IN_PROGRESS; |
6219 | 0 | } |
6220 | 0 | return ret; |
6221 | 0 | } |
6222 | | |
6223 | 0 | if ((ret = ptls_calc_hash(algo, context_value_hash, context_value.base, context_value.len)) != 0) |
6224 | 0 | return ret; |
6225 | | |
6226 | 0 | if ((ret = ptls_hkdf_expand_label(algo, derived_secret, algo->digest_size, ptls_iovec_init(master_secret, algo->digest_size), |
6227 | 0 | label, ptls_iovec_init(algo->empty_digest, algo->digest_size), NULL)) != 0) |
6228 | 0 | goto Exit; |
6229 | 0 | ret = ptls_hkdf_expand_label(algo, output, outlen, ptls_iovec_init(derived_secret, algo->digest_size), "exporter", |
6230 | 0 | ptls_iovec_init(context_value_hash, algo->digest_size), NULL); |
6231 | |
|
6232 | 0 | Exit: |
6233 | 0 | ptls_clear_memory(derived_secret, sizeof(derived_secret)); |
6234 | 0 | ptls_clear_memory(context_value_hash, sizeof(context_value_hash)); |
6235 | 0 | return ret; |
6236 | 0 | } |
6237 | | |
6238 | | struct st_picotls_hmac_context_t { |
6239 | | ptls_hash_context_t super; |
6240 | | ptls_hash_algorithm_t *algo; |
6241 | | ptls_hash_context_t *hash; |
6242 | | uint8_t key[1]; |
6243 | | }; |
6244 | | |
6245 | | static void hmac_update(ptls_hash_context_t *_ctx, const void *src, size_t len) |
6246 | 28.0k | { |
6247 | 28.0k | struct st_picotls_hmac_context_t *ctx = (struct st_picotls_hmac_context_t *)_ctx; |
6248 | 28.0k | ctx->hash->update(ctx->hash, src, len); |
6249 | 28.0k | } |
6250 | | |
6251 | | static void hmac_apply_key(struct st_picotls_hmac_context_t *ctx, uint8_t pad) |
6252 | 44.4k | { |
6253 | 44.4k | size_t i; |
6254 | | |
6255 | 3.51M | for (i = 0; i != ctx->algo->block_size; ++i) |
6256 | 3.46M | ctx->key[i] ^= pad; |
6257 | 44.4k | ctx->hash->update(ctx->hash, ctx->key, ctx->algo->block_size); |
6258 | 3.51M | for (i = 0; i != ctx->algo->block_size; ++i) |
6259 | 3.46M | ctx->key[i] ^= pad; |
6260 | 44.4k | } |
6261 | | |
6262 | | static void hmac_final(ptls_hash_context_t *_ctx, void *md, ptls_hash_final_mode_t mode) |
6263 | 28.0k | { |
6264 | 28.0k | struct st_picotls_hmac_context_t *ctx = (struct st_picotls_hmac_context_t *)_ctx; |
6265 | | |
6266 | 28.0k | assert(mode != PTLS_HASH_FINAL_MODE_SNAPSHOT || !"not supported"); |
6267 | | |
6268 | 28.0k | if (md != NULL) { |
6269 | 16.4k | ctx->hash->final(ctx->hash, md, PTLS_HASH_FINAL_MODE_RESET); |
6270 | 16.4k | hmac_apply_key(ctx, 0x5c); |
6271 | 16.4k | ctx->hash->update(ctx->hash, md, ctx->algo->digest_size); |
6272 | 16.4k | } |
6273 | 28.0k | ctx->hash->final(ctx->hash, md, mode); |
6274 | | |
6275 | 28.0k | switch (mode) { |
6276 | 16.4k | case PTLS_HASH_FINAL_MODE_FREE: |
6277 | 16.4k | ptls_clear_memory(ctx->key, ctx->algo->block_size); |
6278 | 16.4k | free(ctx); |
6279 | 16.4k | break; |
6280 | 11.6k | case PTLS_HASH_FINAL_MODE_RESET: |
6281 | 11.6k | hmac_apply_key(ctx, 0x36); |
6282 | 11.6k | break; |
6283 | 0 | default: |
6284 | 0 | assert(!"FIXME"); |
6285 | 0 | break; |
6286 | 28.0k | } |
6287 | 28.0k | } |
6288 | | |
6289 | | int ptls_calc_hash(ptls_hash_algorithm_t *algo, void *output, const void *src, size_t len) |
6290 | 0 | { |
6291 | 0 | ptls_hash_context_t *ctx; |
6292 | |
|
6293 | 0 | if ((ctx = algo->create()) == NULL) |
6294 | 0 | return PTLS_ERROR_NO_MEMORY; |
6295 | 0 | ctx->update(ctx, src, len); |
6296 | 0 | ctx->final(ctx, output, PTLS_HASH_FINAL_MODE_FREE); |
6297 | 0 | return 0; |
6298 | 0 | } |
6299 | | |
6300 | | ptls_hash_context_t *ptls_hmac_create(ptls_hash_algorithm_t *algo, const void *key, size_t key_size) |
6301 | 16.4k | { |
6302 | 16.4k | struct st_picotls_hmac_context_t *ctx; |
6303 | | |
6304 | 16.4k | assert(key_size <= algo->block_size); |
6305 | | |
6306 | 16.4k | if ((ctx = malloc(offsetof(struct st_picotls_hmac_context_t, key) + algo->block_size)) == NULL) |
6307 | 0 | return NULL; |
6308 | | |
6309 | 16.4k | *ctx = (struct st_picotls_hmac_context_t){{hmac_update, hmac_final}, algo}; |
6310 | 16.4k | if ((ctx->hash = algo->create()) == NULL) { |
6311 | 0 | free(ctx); |
6312 | 0 | return NULL; |
6313 | 0 | } |
6314 | 16.4k | memset(ctx->key, 0, algo->block_size); |
6315 | 16.4k | memcpy(ctx->key, key, key_size); |
6316 | | |
6317 | 16.4k | hmac_apply_key(ctx, 0x36); |
6318 | | |
6319 | 16.4k | return &ctx->super; |
6320 | 16.4k | } |
6321 | | |
6322 | | int ptls_hkdf_extract(ptls_hash_algorithm_t *algo, void *output, ptls_iovec_t salt, ptls_iovec_t ikm) |
6323 | 4.40k | { |
6324 | 4.40k | ptls_hash_context_t *hash; |
6325 | | |
6326 | 4.40k | if (salt.len == 0) |
6327 | 0 | salt = ptls_iovec_init(zeroes_of_max_digest_size, algo->digest_size); |
6328 | | |
6329 | 4.40k | if ((hash = ptls_hmac_create(algo, salt.base, salt.len)) == NULL) |
6330 | 0 | return PTLS_ERROR_NO_MEMORY; |
6331 | 4.40k | hash->update(hash, ikm.base, ikm.len); |
6332 | 4.40k | hash->final(hash, output, PTLS_HASH_FINAL_MODE_FREE); |
6333 | 4.40k | return 0; |
6334 | 4.40k | } |
6335 | | |
6336 | | int ptls_hkdf_expand(ptls_hash_algorithm_t *algo, void *output, size_t outlen, ptls_iovec_t prk, ptls_iovec_t info) |
6337 | 11.6k | { |
6338 | 11.6k | ptls_hash_context_t *hmac = NULL; |
6339 | 11.6k | size_t i; |
6340 | 11.6k | uint8_t digest[PTLS_MAX_DIGEST_SIZE]; |
6341 | | |
6342 | 23.2k | for (i = 0; (i * algo->digest_size) < outlen; ++i) { |
6343 | 11.6k | if (hmac == NULL) { |
6344 | 11.6k | if ((hmac = ptls_hmac_create(algo, prk.base, prk.len)) == NULL) |
6345 | 0 | return PTLS_ERROR_NO_MEMORY; |
6346 | 11.6k | } else { |
6347 | 0 | hmac->update(hmac, digest, algo->digest_size); |
6348 | 0 | } |
6349 | 11.6k | hmac->update(hmac, info.base, info.len); |
6350 | 11.6k | uint8_t gen = (uint8_t)(i + 1); |
6351 | 11.6k | hmac->update(hmac, &gen, 1); |
6352 | 11.6k | hmac->final(hmac, digest, 1); |
6353 | | |
6354 | 11.6k | size_t off_start = i * algo->digest_size, off_end = off_start + algo->digest_size; |
6355 | 11.6k | if (off_end > outlen) |
6356 | 6.06k | off_end = outlen; |
6357 | 11.6k | memcpy((uint8_t *)output + off_start, digest, off_end - off_start); |
6358 | 11.6k | } |
6359 | | |
6360 | 11.6k | if (hmac != NULL) |
6361 | 11.6k | hmac->final(hmac, NULL, PTLS_HASH_FINAL_MODE_FREE); |
6362 | | |
6363 | 11.6k | ptls_clear_memory(digest, algo->digest_size); |
6364 | | |
6365 | 11.6k | return 0; |
6366 | 11.6k | } |
6367 | | |
6368 | | int ptls_hkdf_expand_label(ptls_hash_algorithm_t *algo, void *output, size_t outlen, ptls_iovec_t secret, const char *label, |
6369 | | ptls_iovec_t hash_value, const char *label_prefix) |
6370 | 11.6k | { |
6371 | 11.6k | ptls_buffer_t hkdf_label; |
6372 | 11.6k | uint8_t hkdf_label_buf[80]; |
6373 | 11.6k | int ret; |
6374 | | |
6375 | 11.6k | ptls_buffer_init(&hkdf_label, hkdf_label_buf, sizeof(hkdf_label_buf)); |
6376 | | |
6377 | 11.6k | ptls_buffer_push16(&hkdf_label, (uint16_t)outlen); |
6378 | 11.6k | ptls_buffer_push_block(&hkdf_label, 1, { |
6379 | 11.6k | if (label_prefix == NULL) |
6380 | 11.6k | label_prefix = PTLS_HKDF_EXPAND_LABEL_PREFIX; |
6381 | 11.6k | ptls_buffer_pushv(&hkdf_label, label_prefix, strlen(label_prefix)); |
6382 | 11.6k | ptls_buffer_pushv(&hkdf_label, label, strlen(label)); |
6383 | 11.6k | }); |
6384 | 11.6k | ptls_buffer_push_block(&hkdf_label, 1, { ptls_buffer_pushv(&hkdf_label, hash_value.base, hash_value.len); }); |
6385 | | |
6386 | 11.6k | ret = ptls_hkdf_expand(algo, output, outlen, secret, ptls_iovec_init(hkdf_label.base, hkdf_label.off)); |
6387 | | |
6388 | 11.6k | Exit: |
6389 | 11.6k | ptls_buffer_dispose(&hkdf_label); |
6390 | 11.6k | return ret; |
6391 | 11.6k | } |
6392 | | |
6393 | | int ptls_tls12_phash(ptls_hash_algorithm_t *algo, void *output, size_t outlen, ptls_iovec_t secret, const char *label, |
6394 | | ptls_iovec_t seed) |
6395 | 0 | { |
6396 | 0 | ptls_hash_context_t *hmac; |
6397 | 0 | uint8_t An[PTLS_MAX_DIGEST_SIZE]; |
6398 | 0 | size_t output_off = 0; |
6399 | |
|
6400 | 0 | if ((hmac = ptls_hmac_create(algo, secret.base, secret.len)) == NULL) |
6401 | 0 | return PTLS_ERROR_NO_MEMORY; |
6402 | | |
6403 | | /* A(1) = HMAC_hash(secret, label + seed) */ |
6404 | 0 | if (label != NULL) |
6405 | 0 | hmac->update(hmac, label, strlen(label)); |
6406 | 0 | hmac->update(hmac, seed.base, seed.len); |
6407 | 0 | hmac->final(hmac, An, PTLS_HASH_FINAL_MODE_RESET); |
6408 | |
|
6409 | 0 | while (1) { |
6410 | | /* output += HMAC_hash(secret, A(i) + label + seed) */ |
6411 | 0 | hmac->update(hmac, An, algo->digest_size); |
6412 | 0 | if (label != NULL) |
6413 | 0 | hmac->update(hmac, label, strlen(label)); |
6414 | 0 | hmac->update(hmac, seed.base, seed.len); |
6415 | 0 | if (outlen - output_off <= algo->digest_size) { |
6416 | | /* digest of last chunk is at first written to An then the necessary bytes are copied to output */ |
6417 | 0 | hmac->final(hmac, An, PTLS_HASH_FINAL_MODE_FREE); |
6418 | 0 | memcpy((uint8_t *)output + output_off, An, outlen - output_off); |
6419 | 0 | break; |
6420 | 0 | } |
6421 | 0 | hmac->final(hmac, (uint8_t *)output + output_off, PTLS_HASH_FINAL_MODE_RESET); |
6422 | 0 | output_off += algo->digest_size; |
6423 | | |
6424 | | /* A(i) = HMAC_hash(secret, A(i-1)) */ |
6425 | 0 | hmac->update(hmac, An, algo->digest_size); |
6426 | 0 | hmac->final(hmac, An, PTLS_HASH_FINAL_MODE_RESET); |
6427 | 0 | } |
6428 | |
|
6429 | 0 | ptls_clear_memory(An, algo->digest_size); |
6430 | |
|
6431 | 0 | return 0; |
6432 | 0 | } |
6433 | | |
6434 | | ptls_cipher_context_t *ptls_cipher_new(ptls_cipher_algorithm_t *algo, int is_enc, const void *key) |
6435 | 0 | { |
6436 | 0 | ptls_cipher_context_t *ctx; |
6437 | |
|
6438 | 0 | if ((ctx = (ptls_cipher_context_t *)malloc(algo->context_size)) == NULL) |
6439 | 0 | return NULL; |
6440 | 0 | *ctx = (ptls_cipher_context_t){algo}; |
6441 | 0 | if (algo->setup_crypto(ctx, is_enc, key) != 0) { |
6442 | 0 | free(ctx); |
6443 | 0 | ctx = NULL; |
6444 | 0 | } |
6445 | 0 | return ctx; |
6446 | 0 | } |
6447 | | |
6448 | | void ptls_cipher_free(ptls_cipher_context_t *ctx) |
6449 | 0 | { |
6450 | 0 | ctx->do_dispose(ctx); |
6451 | 0 | free(ctx); |
6452 | 0 | } |
6453 | | |
6454 | | ptls_aead_context_t *new_aead(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, int is_enc, const void *secret, |
6455 | | ptls_iovec_t hash_value, const char *label_prefix) |
6456 | 3.03k | { |
6457 | 3.03k | ptls_aead_context_t *ctx = NULL; |
6458 | 3.03k | struct { |
6459 | 3.03k | uint8_t key[PTLS_MAX_SECRET_SIZE]; |
6460 | 3.03k | uint8_t iv[PTLS_MAX_IV_SIZE]; |
6461 | 3.03k | } key_iv; |
6462 | 3.03k | int ret; |
6463 | | |
6464 | 3.03k | if ((ret = get_traffic_keys(aead, hash, key_iv.key, key_iv.iv, secret, hash_value, label_prefix)) != 0) |
6465 | 0 | goto Exit; |
6466 | 3.03k | ctx = ptls_aead_new_direct(aead, is_enc, key_iv.key, key_iv.iv); |
6467 | 3.03k | Exit: |
6468 | 3.03k | ptls_clear_memory(&key_iv, sizeof(key_iv)); |
6469 | 3.03k | return ctx; |
6470 | 3.03k | } |
6471 | | |
6472 | | ptls_aead_context_t *ptls_aead_new(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, int is_enc, const void *secret, |
6473 | | const char *label_prefix) |
6474 | 3.03k | { |
6475 | 3.03k | return new_aead(aead, hash, is_enc, secret, ptls_iovec_init(NULL, 0), label_prefix); |
6476 | 3.03k | } |
6477 | | |
6478 | | ptls_aead_context_t *ptls_aead_new_direct(ptls_aead_algorithm_t *aead, int is_enc, const void *key, const void *iv) |
6479 | 3.03k | { |
6480 | 3.03k | ptls_aead_context_t *ctx; |
6481 | | |
6482 | 3.03k | if ((ctx = (ptls_aead_context_t *)malloc(aead->context_size)) == NULL) |
6483 | 0 | return NULL; |
6484 | | |
6485 | 3.03k | *ctx = (ptls_aead_context_t){aead}; |
6486 | | |
6487 | 3.03k | if (aead->setup_crypto(ctx, is_enc, key, iv) != 0) { |
6488 | 0 | free(ctx); |
6489 | 0 | return NULL; |
6490 | 0 | } |
6491 | | |
6492 | 3.03k | return ctx; |
6493 | 3.03k | } |
6494 | | |
6495 | | void ptls_aead_free(ptls_aead_context_t *ctx) |
6496 | 3.03k | { |
6497 | 3.03k | ctx->dispose_crypto(ctx); |
6498 | 3.03k | free(ctx); |
6499 | 3.03k | } |
6500 | | |
6501 | | void ptls_aead_xor_iv(ptls_aead_context_t *ctx, const void *_bytes, size_t len) |
6502 | 0 | { |
6503 | 0 | const uint8_t *bytes = _bytes; |
6504 | 0 | uint8_t iv[PTLS_MAX_IV_SIZE]; |
6505 | |
|
6506 | 0 | ptls_aead_get_iv(ctx, iv); |
6507 | 0 | for (size_t i = 0; i < len; ++i) |
6508 | 0 | iv[i] ^= bytes[i]; |
6509 | 0 | ptls_aead_set_iv(ctx, iv); |
6510 | 0 | } |
6511 | | |
6512 | | void ptls_aead__build_iv(ptls_aead_algorithm_t *algo, uint8_t *iv, const uint8_t *static_iv, uint64_t seq) |
6513 | 0 | { |
6514 | 0 | size_t iv_size = algo->iv_size, i; |
6515 | 0 | const uint8_t *s = static_iv; |
6516 | 0 | uint8_t *d = iv; |
6517 | | |
6518 | | /* build iv */ |
6519 | 0 | for (i = iv_size - 8; i != 0; --i) |
6520 | 0 | *d++ = *s++; |
6521 | 0 | i = 64; |
6522 | 0 | do { |
6523 | 0 | i -= 8; |
6524 | 0 | *d++ = *s++ ^ (uint8_t)(seq >> i); |
6525 | 0 | } while (i != 0); |
6526 | 0 | } |
6527 | | |
6528 | | static void clear_memory(void *p, size_t len) |
6529 | 415k | { |
6530 | 415k | if (len != 0) |
6531 | 172k | memset(p, 0, len); |
6532 | 415k | } |
6533 | | |
6534 | | void (*volatile ptls_clear_memory)(void *p, size_t len) = clear_memory; |
6535 | | |
6536 | | static int mem_equal(const void *_x, const void *_y, size_t len) |
6537 | 39.2k | { |
6538 | 39.2k | const volatile uint8_t *x = _x, *y = _y; |
6539 | 39.2k | uint8_t t = 0; |
6540 | | |
6541 | 41.1k | for (; len != 0; --len) |
6542 | 1.96k | t |= *x++ ^ *y++; |
6543 | | |
6544 | 39.2k | return t == 0; |
6545 | 39.2k | } |
6546 | | |
6547 | | int (*volatile ptls_mem_equal)(const void *x, const void *y, size_t len) = mem_equal; |
6548 | | |
6549 | | static uint64_t get_time(ptls_get_time_t *self) |
6550 | 238 | { |
6551 | 238 | struct timeval tv; |
6552 | 238 | gettimeofday(&tv, NULL); |
6553 | 238 | return (uint64_t)tv.tv_sec * 1000 + tv.tv_usec / 1000; |
6554 | 238 | } |
6555 | | |
6556 | | ptls_get_time_t ptls_get_time = {get_time}; |
6557 | | |
6558 | | int ptls_is_server(ptls_t *tls) |
6559 | 3.03k | { |
6560 | 3.03k | return tls->is_server; |
6561 | 3.03k | } |
6562 | | |
6563 | | struct st_ptls_raw_message_emitter_t { |
6564 | | ptls_message_emitter_t super; |
6565 | | size_t start_off; |
6566 | | size_t *epoch_offsets; |
6567 | | }; |
6568 | | |
6569 | | static int begin_raw_message(ptls_message_emitter_t *_self) |
6570 | 0 | { |
6571 | 0 | struct st_ptls_raw_message_emitter_t *self = (void *)_self; |
6572 | |
|
6573 | 0 | self->start_off = self->super.buf->off; |
6574 | 0 | return 0; |
6575 | 0 | } |
6576 | | |
6577 | | static int commit_raw_message(ptls_message_emitter_t *_self) |
6578 | 0 | { |
6579 | 0 | struct st_ptls_raw_message_emitter_t *self = (void *)_self; |
6580 | 0 | size_t epoch; |
6581 | | |
6582 | | /* epoch is the key epoch, with the only exception being 2nd CH generated after 0-RTT key */ |
6583 | 0 | epoch = self->super.enc->epoch; |
6584 | 0 | if (epoch == 1 && self->super.buf->base[self->start_off] == PTLS_HANDSHAKE_TYPE_CLIENT_HELLO) |
6585 | 0 | epoch = 0; |
6586 | |
|
6587 | 0 | for (++epoch; epoch < 5; ++epoch) { |
6588 | 0 | assert(self->epoch_offsets[epoch] == self->start_off); |
6589 | 0 | self->epoch_offsets[epoch] = self->super.buf->off; |
6590 | 0 | } |
6591 | | |
6592 | 0 | self->start_off = SIZE_MAX; |
6593 | |
|
6594 | 0 | return 0; |
6595 | 0 | } |
6596 | | |
6597 | | size_t ptls_get_read_epoch(ptls_t *tls) |
6598 | 0 | { |
6599 | 0 | switch (tls->state) { |
6600 | 0 | case PTLS_STATE_CLIENT_HANDSHAKE_START: |
6601 | 0 | case PTLS_STATE_CLIENT_EXPECT_SERVER_HELLO: |
6602 | 0 | case PTLS_STATE_CLIENT_EXPECT_SECOND_SERVER_HELLO: |
6603 | 0 | case PTLS_STATE_SERVER_EXPECT_CLIENT_HELLO: |
6604 | 0 | case PTLS_STATE_SERVER_EXPECT_SECOND_CLIENT_HELLO: |
6605 | 0 | return 0; /* plaintext */ |
6606 | 0 | case PTLS_STATE_SERVER_EXPECT_END_OF_EARLY_DATA: |
6607 | 0 | assert(!tls->ctx->omit_end_of_early_data); |
6608 | 0 | return 1; /* 0-rtt */ |
6609 | 0 | case PTLS_STATE_CLIENT_EXPECT_ENCRYPTED_EXTENSIONS: |
6610 | 0 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE: |
6611 | 0 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE: |
6612 | 0 | case PTLS_STATE_CLIENT_EXPECT_CERTIFICATE_VERIFY: |
6613 | 0 | case PTLS_STATE_CLIENT_EXPECT_FINISHED: |
6614 | 0 | case PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY: |
6615 | 0 | case PTLS_STATE_SERVER_EXPECT_CERTIFICATE: |
6616 | 0 | case PTLS_STATE_SERVER_EXPECT_CERTIFICATE_VERIFY: |
6617 | 0 | case PTLS_STATE_SERVER_EXPECT_FINISHED: |
6618 | 0 | return 2; /* handshake */ |
6619 | 0 | case PTLS_STATE_CLIENT_POST_HANDSHAKE: |
6620 | 0 | case PTLS_STATE_SERVER_POST_HANDSHAKE: |
6621 | 0 | return 3; /* 1-rtt */ |
6622 | 0 | default: |
6623 | 0 | assert(!"invalid state"); |
6624 | 0 | return SIZE_MAX; |
6625 | 0 | } |
6626 | 0 | } |
6627 | | |
6628 | | int ptls_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input, |
6629 | | size_t inlen, ptls_handshake_properties_t *properties) |
6630 | 0 | { |
6631 | 0 | return tls->is_server ? ptls_server_handle_message(tls, sendbuf, epoch_offsets, in_epoch, input, inlen, properties) |
6632 | 0 | : ptls_client_handle_message(tls, sendbuf, epoch_offsets, in_epoch, input, inlen, properties); |
6633 | 0 | } |
6634 | | |
6635 | | int ptls_client_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input, |
6636 | | size_t inlen, ptls_handshake_properties_t *properties) |
6637 | 0 | { |
6638 | 0 | assert(!tls->is_server); |
6639 | | |
6640 | 0 | struct st_ptls_raw_message_emitter_t emitter = { |
6641 | 0 | {sendbuf, &tls->traffic_protection.enc, 0, begin_raw_message, commit_raw_message}, SIZE_MAX, epoch_offsets}; |
6642 | 0 | struct st_ptls_record_t rec = {PTLS_CONTENT_TYPE_HANDSHAKE, 0, inlen, input}; |
6643 | |
|
6644 | 0 | if (input == NULL) |
6645 | 0 | return send_client_hello(tls, &emitter.super, properties, NULL); |
6646 | | |
6647 | 0 | if (ptls_get_read_epoch(tls) != in_epoch) |
6648 | 0 | return PTLS_ALERT_UNEXPECTED_MESSAGE; |
6649 | | |
6650 | 0 | return handle_handshake_record(tls, handle_client_handshake_message, &emitter.super, &rec, properties); |
6651 | 0 | } |
6652 | | |
6653 | | int ptls_server_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input, |
6654 | | size_t inlen, ptls_handshake_properties_t *properties) |
6655 | 0 | { |
6656 | 0 | assert(tls->is_server); |
6657 | | |
6658 | 0 | struct st_ptls_raw_message_emitter_t emitter = { |
6659 | 0 | {sendbuf, &tls->traffic_protection.enc, 0, begin_raw_message, commit_raw_message}, SIZE_MAX, epoch_offsets}; |
6660 | 0 | struct st_ptls_record_t rec = {PTLS_CONTENT_TYPE_HANDSHAKE, 0, inlen, input}; |
6661 | |
|
6662 | 0 | if (tls->state == PTLS_STATE_SERVER_GENERATING_CERTIFICATE_VERIFY) { |
6663 | 0 | assert(input == NULL || inlen == 0); |
6664 | 0 | return server_finish_handshake(tls, &emitter.super, 1, NULL); |
6665 | 0 | } |
6666 | | |
6667 | 0 | assert(input != NULL); |
6668 | | |
6669 | 0 | if (ptls_get_read_epoch(tls) != in_epoch) |
6670 | 0 | return PTLS_ALERT_UNEXPECTED_MESSAGE; |
6671 | | |
6672 | 0 | return handle_handshake_record(tls, handle_server_handshake_message, &emitter.super, &rec, properties); |
6673 | 0 | } |
6674 | | |
6675 | | /** |
6676 | | * checks if given name looks like an IP address |
6677 | | */ |
6678 | | int ptls_server_name_is_ipaddr(const char *name) |
6679 | 0 | { |
6680 | 0 | #ifdef AF_INET |
6681 | 0 | struct sockaddr_in sin; |
6682 | 0 | if (inet_pton(AF_INET, name, &sin) == 1) |
6683 | 0 | return 1; |
6684 | 0 | #endif |
6685 | 0 | #ifdef AF_INET6 |
6686 | 0 | struct sockaddr_in6 sin6; |
6687 | 0 | if (inet_pton(AF_INET6, name, &sin6) == 1) |
6688 | 0 | return 1; |
6689 | 0 | #endif |
6690 | 0 | return 0; |
6691 | 0 | } |
6692 | | |
6693 | | int ptls_ech_encode_config(ptls_buffer_t *buf, uint8_t config_id, ptls_hpke_kem_t *kem, ptls_iovec_t public_key, |
6694 | | ptls_hpke_cipher_suite_t **ciphers, uint8_t max_name_length, const char *public_name) |
6695 | 0 | { |
6696 | 0 | int ret; |
6697 | |
|
6698 | 0 | ptls_buffer_push16(buf, PTLS_ECH_CONFIG_VERSION); |
6699 | 0 | ptls_buffer_push_block(buf, 2, { |
6700 | 0 | ptls_buffer_push(buf, config_id); |
6701 | 0 | ptls_buffer_push16(buf, kem->id); |
6702 | 0 | ptls_buffer_push_block(buf, 2, { ptls_buffer_pushv(buf, public_key.base, public_key.len); }); |
6703 | 0 | ptls_buffer_push_block(buf, 2, { |
6704 | 0 | for (size_t i = 0; ciphers[i] != NULL; ++i) { |
6705 | 0 | ptls_buffer_push16(buf, ciphers[i]->id.kdf); |
6706 | 0 | ptls_buffer_push16(buf, ciphers[i]->id.aead); |
6707 | 0 | } |
6708 | 0 | }); |
6709 | 0 | ptls_buffer_push(buf, max_name_length); |
6710 | 0 | ptls_buffer_push_block(buf, 1, { ptls_buffer_pushv(buf, public_name, strlen(public_name)); }); |
6711 | 0 | ptls_buffer_push_block(buf, 2, {/* extensions */}); |
6712 | 0 | }); |
6713 | | |
6714 | 0 | Exit: |
6715 | 0 | return ret; |
6716 | 0 | } |
6717 | | |
6718 | | static char *byte_to_hex(char *dst, uint8_t v) |
6719 | 0 | { |
6720 | 0 | *dst++ = "0123456789abcdef"[v >> 4]; |
6721 | 0 | *dst++ = "0123456789abcdef"[v & 0xf]; |
6722 | 0 | return dst; |
6723 | 0 | } |
6724 | | |
6725 | | char *ptls_hexdump(char *dst, const void *_src, size_t len) |
6726 | 0 | { |
6727 | 0 | char *buf = dst; |
6728 | 0 | const uint8_t *src = _src; |
6729 | |
|
6730 | 0 | for (size_t i = 0; i != len; ++i) |
6731 | 0 | dst = byte_to_hex(dst, src[i]); |
6732 | 0 | *dst = '\0'; |
6733 | 0 | return buf; |
6734 | 0 | } |
6735 | | |
6736 | | char *ptls_jsonescape(char *buf, const char *unsafe_str, size_t len) |
6737 | 0 | { |
6738 | 0 | char *dst = buf; |
6739 | 0 | const uint8_t *src = (const uint8_t *)unsafe_str, *end = src + len; |
6740 | |
|
6741 | 0 | for (; src != end; ++src) { |
6742 | 0 | switch (*src) { |
6743 | 0 | #define MAP(ch, escaped) \ |
6744 | 0 | case ch: \ |
6745 | 0 | memcpy(dst, (escaped), sizeof(escaped) - 1); \ |
6746 | 0 | dst += sizeof(escaped) - 1; \ |
6747 | 0 | break |
6748 | 0 | MAP('"', "\\\""); |
6749 | 0 | MAP('\\', "\\\\"); |
6750 | 0 | MAP('/', "\\/"); |
6751 | 0 | MAP('\b', "\\b"); |
6752 | 0 | MAP('\f', "\\f"); |
6753 | 0 | MAP('\n', "\\n"); |
6754 | 0 | MAP('\r', "\\r"); |
6755 | 0 | MAP('\t', "\\t"); |
6756 | 0 | #undef MAP |
6757 | 0 | default: |
6758 | 0 | if (*src < 0x20 || *src == 0x7f) { |
6759 | 0 | *dst++ = '\\'; |
6760 | 0 | *dst++ = 'u'; |
6761 | 0 | *dst++ = '0'; |
6762 | 0 | *dst++ = '0'; |
6763 | 0 | dst = byte_to_hex(dst, *src); |
6764 | 0 | } else { |
6765 | 0 | *dst++ = *src; |
6766 | 0 | } |
6767 | 0 | break; |
6768 | 0 | } |
6769 | 0 | } |
6770 | 0 | *dst = '\0'; |
6771 | |
|
6772 | 0 | return dst; |
6773 | 0 | } |
6774 | | |
6775 | | void ptls_build_v4_mapped_v6_address(struct in6_addr *v6, const struct in_addr *v4) |
6776 | 0 | { |
6777 | 0 | *v6 = (struct in6_addr){.s6_addr[10] = 0xff, .s6_addr[11] = 0xff}; |
6778 | 0 | memcpy(&v6->s6_addr[12], &v4->s_addr, 4); |
6779 | 0 | } |
6780 | | |
6781 | | struct st_ptls_log_t ptls_log = { |
6782 | | .dummy_conn_state = {.random_ = 1 /* never log */}, |
6783 | | ._generation = 1, /* starts from 1 so that recalc can be forced by setting to zero (i.e., the initial) */ |
6784 | | }; |
6785 | | PTLS_THREADLOCAL ptls_log_conn_state_t *ptls_log_conn_state_override = NULL; |
6786 | | |
6787 | | #if PTLS_HAVE_LOG |
6788 | | |
6789 | | static struct { |
6790 | | /** |
6791 | | * list of connections; the slot is connected if points != NULL |
6792 | | */ |
6793 | | struct { |
6794 | | /** |
6795 | | * file descriptor |
6796 | | */ |
6797 | | int fd; |
6798 | | /** |
6799 | | * see `ptls_log_add_fd` |
6800 | | */ |
6801 | | char *points; |
6802 | | /** |
6803 | | * |
6804 | | */ |
6805 | | char *snis; |
6806 | | /** |
6807 | | * list of addresses terminated by ip6addr_any |
6808 | | */ |
6809 | | struct in6_addr *addresses; |
6810 | | /** |
6811 | | * |
6812 | | */ |
6813 | | float sample_ratio; |
6814 | | /** |
6815 | | * |
6816 | | */ |
6817 | | unsigned appdata : 1; |
6818 | | } conns[sizeof(((struct st_ptls_log_state_t *)NULL)->active_conns) * 8]; |
6819 | | /** |
6820 | | * counts the number of writes that failed |
6821 | | */ |
6822 | | size_t num_lost; |
6823 | | /** |
6824 | | * anchor of the single-linked list of log points; the tail refers to itself (i.e., point->next == point) |
6825 | | */ |
6826 | | struct st_ptls_log_point_t *points; |
6827 | | /** |
6828 | | * |
6829 | | */ |
6830 | | pthread_mutex_t mutex; |
6831 | | } logctx = {.mutex = PTHREAD_MUTEX_INITIALIZER}; |
6832 | | |
6833 | | static PTLS_THREADLOCAL struct { |
6834 | | ptls_buffer_t buf; /* buf.base == NULL upon failre */ |
6835 | | char smallbuf[128]; |
6836 | | struct { |
6837 | | char buf[sizeof(",\"tid\":-9223372036854775808")]; |
6838 | | size_t len; |
6839 | | } tid; |
6840 | | } logbuf; |
6841 | | |
6842 | | static void close_log_fd(size_t slot) |
6843 | 0 | { |
6844 | 0 | assert(logctx.conns[slot].fd >= 0 && logctx.conns[slot].points != NULL); |
6845 | | |
6846 | 0 | close(logctx.conns[slot].fd); |
6847 | | |
6848 | | /* clear the connection information */ |
6849 | 0 | logctx.conns[slot].fd = -1; |
6850 | 0 | logctx.conns[slot].sample_ratio = 0; |
6851 | 0 | free(logctx.conns[slot].points); |
6852 | 0 | logctx.conns[slot].points = NULL; |
6853 | 0 | free(logctx.conns[slot].snis); |
6854 | 0 | logctx.conns[slot].snis = NULL; |
6855 | 0 | free(logctx.conns[slot].addresses); |
6856 | 0 | logctx.conns[slot].addresses = NULL; |
6857 | 0 | logctx.conns[slot].appdata = 0; |
6858 | 0 | ++ptls_log._generation; |
6859 | 0 | } |
6860 | | |
6861 | | static char *duplicate_stringlist(const char *input) |
6862 | 0 | { |
6863 | 0 | if (input == NULL) |
6864 | 0 | return strdup(""); |
6865 | | |
6866 | 0 | char *result; |
6867 | 0 | const char *in_tail; |
6868 | |
|
6869 | 0 | for (in_tail = input; in_tail[0] != '\0'; in_tail += strlen(in_tail) + 1) |
6870 | 0 | ; |
6871 | 0 | ++in_tail; |
6872 | 0 | if ((result = malloc(in_tail - input)) == NULL) |
6873 | 0 | return NULL; |
6874 | 0 | memcpy(result, input, in_tail - input); |
6875 | 0 | return result; |
6876 | 0 | } |
6877 | | |
6878 | | static int is_in_stringlist(const char *list, const char *search_for) |
6879 | 0 | { |
6880 | 0 | if (list[0] == '\0') |
6881 | 0 | return 1; |
6882 | | |
6883 | 0 | if (search_for == NULL) |
6884 | 0 | return 0; |
6885 | | |
6886 | 0 | for (const char *element = list; element[0] != '\0'; element += strlen(element) + 1) |
6887 | 0 | if (strcmp(element, search_for) == 0) |
6888 | 0 | return 1; |
6889 | 0 | return 0; |
6890 | 0 | } |
6891 | | |
6892 | | static int is_in_addresslist(const struct in6_addr *list, const struct in6_addr *search_for) |
6893 | 0 | { |
6894 | 0 | #define IS_EQUAL(x, y) (memcmp((x), (y), sizeof(struct in6_addr)) == 0) |
6895 | |
|
6896 | 0 | if (IS_EQUAL(&list[0], &in6addr_any)) |
6897 | 0 | return 1; |
6898 | | |
6899 | 0 | if (IS_EQUAL(search_for, &in6addr_any)) |
6900 | 0 | return 0; |
6901 | | |
6902 | 0 | for (const struct in6_addr *element = list; !IS_EQUAL(element, &in6addr_any); ++element) |
6903 | 0 | if (IS_EQUAL(element, search_for)) |
6904 | 0 | return 1; |
6905 | 0 | return 0; |
6906 | |
|
6907 | 0 | #undef IS_EQUAL |
6908 | 0 | } |
6909 | | |
6910 | | void ptls_log__recalc_point(int caller_locked, struct st_ptls_log_point_t *point) |
6911 | 11 | { |
6912 | 11 | if (!caller_locked) |
6913 | 11 | pthread_mutex_lock(&logctx.mutex); |
6914 | | |
6915 | 11 | if (point->state.generation != ptls_log._generation) { |
6916 | | /* update active bitmap */ |
6917 | 11 | uint32_t new_active = 0; |
6918 | 363 | for (size_t slot = 0; slot < PTLS_ELEMENTSOF(logctx.conns); ++slot) |
6919 | 352 | if (logctx.conns[slot].points != NULL && is_in_stringlist(logctx.conns[slot].points, point->name)) |
6920 | 0 | new_active |= (uint32_t)1 << slot; |
6921 | 11 | point->state.active_conns = new_active; |
6922 | 11 | point->state.generation = ptls_log._generation; |
6923 | 11 | } |
6924 | | |
6925 | 11 | if (!caller_locked) |
6926 | 11 | pthread_mutex_unlock(&logctx.mutex); |
6927 | 11 | } |
6928 | | |
6929 | | void ptls_log__recalc_conn(int caller_locked, struct st_ptls_log_conn_state_t *conn, const char *(*get_sni)(void *), |
6930 | | void *get_sni_arg) |
6931 | 0 | { |
6932 | 0 | if (!caller_locked) |
6933 | 0 | pthread_mutex_lock(&logctx.mutex); |
6934 | |
|
6935 | 0 | if (conn->state.generation != ptls_log._generation) { |
6936 | | /* update active bitmap */ |
6937 | 0 | uint32_t new_active = 0; |
6938 | 0 | const char *sni = get_sni != NULL ? get_sni(get_sni_arg) : NULL; |
6939 | 0 | for (size_t slot = 0; slot < PTLS_ELEMENTSOF(logctx.conns); ++slot) { |
6940 | 0 | if (logctx.conns[slot].points != NULL && conn->random_ < logctx.conns[slot].sample_ratio && |
6941 | 0 | is_in_stringlist(logctx.conns[slot].snis, sni) && is_in_addresslist(logctx.conns[slot].addresses, &conn->address)) { |
6942 | 0 | new_active |= (uint32_t)1 << slot; |
6943 | 0 | } |
6944 | 0 | } |
6945 | 0 | conn->state.active_conns = new_active; |
6946 | 0 | conn->state.generation = ptls_log._generation; |
6947 | 0 | } |
6948 | |
|
6949 | 0 | if (!caller_locked) |
6950 | 0 | pthread_mutex_unlock(&logctx.mutex); |
6951 | 0 | } |
6952 | | |
6953 | | static int expand_logbuf_or_invalidate(const char *prefix, size_t prefix_len, size_t capacity) |
6954 | 0 | { |
6955 | 0 | if (logbuf.buf.base == NULL) |
6956 | 0 | return 0; |
6957 | | |
6958 | 0 | if (ptls_buffer_reserve(&logbuf.buf, prefix_len + capacity) != 0) { |
6959 | 0 | ptls_buffer_dispose(&logbuf.buf); |
6960 | 0 | assert(logbuf.buf.base == NULL); |
6961 | 0 | return 0; |
6962 | 0 | } |
6963 | | |
6964 | 0 | memcpy(logbuf.buf.base + logbuf.buf.off, prefix, prefix_len); |
6965 | 0 | logbuf.buf.off += prefix_len; |
6966 | |
|
6967 | 0 | return 1; |
6968 | 0 | } |
6969 | | |
6970 | | __attribute__((format(printf, 4, 5))) static void pushf_logbuf_or_invalidate(const char *prefix, size_t prefix_len, size_t capacity, |
6971 | | const char *fmt, ...) |
6972 | 0 | { |
6973 | 0 | if (!expand_logbuf_or_invalidate(prefix, prefix_len, capacity)) |
6974 | 0 | return; |
6975 | | |
6976 | 0 | va_list args; |
6977 | 0 | va_start(args, fmt); |
6978 | 0 | int l = vsnprintf((char *)logbuf.buf.base + logbuf.buf.off, logbuf.buf.capacity - logbuf.buf.off, fmt, args); |
6979 | 0 | va_end(args); |
6980 | |
|
6981 | 0 | assert(l < logbuf.buf.capacity - logbuf.buf.off && "insufficent capacity"); |
6982 | 0 | logbuf.buf.off += l; |
6983 | 0 | } |
6984 | | |
6985 | | void ptls_log__do_push_element_safestr(const char *prefix, size_t prefix_len, const char *s, size_t l) |
6986 | 0 | { |
6987 | 0 | if (expand_logbuf_or_invalidate(prefix, prefix_len, l + 2)) { |
6988 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
6989 | 0 | memcpy(logbuf.buf.base + logbuf.buf.off, s, l); |
6990 | 0 | logbuf.buf.off += l; |
6991 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
6992 | 0 | } |
6993 | 0 | } |
6994 | | |
6995 | | void ptls_log__do_push_element_unsafestr(const char *prefix, size_t prefix_len, const char *s, size_t l) |
6996 | 0 | { |
6997 | 0 | if (expand_logbuf_or_invalidate(prefix, prefix_len, l * (sizeof("\\uXXXX") - 1) + 2)) { |
6998 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
6999 | 0 | logbuf.buf.off = (uint8_t *)ptls_jsonescape((char *)logbuf.buf.base + logbuf.buf.off, s, l) - logbuf.buf.base; |
7000 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
7001 | 0 | } |
7002 | 0 | } |
7003 | | |
7004 | | void ptls_log__do_push_element_hexdump(const char *prefix, size_t prefix_len, const void *s, size_t l) |
7005 | 0 | { |
7006 | 0 | if (expand_logbuf_or_invalidate(prefix, prefix_len, l * 2 + 2)) { |
7007 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
7008 | 0 | ptls_hexdump((char *)logbuf.buf.base + logbuf.buf.off, s, l); |
7009 | 0 | logbuf.buf.off += l * 2; |
7010 | 0 | logbuf.buf.base[logbuf.buf.off++] = '"'; |
7011 | 0 | } |
7012 | 0 | } |
7013 | | |
7014 | | void ptls_log__do_push_element_signed32(const char *prefix, size_t prefix_len, int32_t v) |
7015 | 0 | { |
7016 | 0 | pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("-2147483648"), "%" PRId32, v); |
7017 | 0 | } |
7018 | | |
7019 | | void ptls_log__do_push_element_signed64(const char *prefix, size_t prefix_len, int64_t v) |
7020 | 0 | { |
7021 | 0 | pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("-9223372036854775808"), "%" PRId64, v); |
7022 | 0 | } |
7023 | | |
7024 | | void ptls_log__do_push_element_unsigned32(const char *prefix, size_t prefix_len, uint32_t v) |
7025 | 0 | { |
7026 | 0 | pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("4294967295"), "%" PRIu32, v); |
7027 | 0 | } |
7028 | | |
7029 | | void ptls_log__do_push_element_unsigned64(const char *prefix, size_t prefix_len, uint64_t v) |
7030 | 0 | { |
7031 | 0 | pushf_logbuf_or_invalidate(prefix, prefix_len, sizeof("18446744073709551615"), "%" PRIu64, v); |
7032 | 0 | } |
7033 | | |
7034 | | void ptls_log__do_push_element_bool(const char *prefix, size_t prefix_len, int v) |
7035 | 0 | { |
7036 | 0 | if (expand_logbuf_or_invalidate(prefix, prefix_len, 5)) { |
7037 | 0 | if (v) { |
7038 | 0 | memcpy(logbuf.buf.base + logbuf.buf.off, "true", 4); |
7039 | 0 | logbuf.buf.off += 4; |
7040 | 0 | } else { |
7041 | 0 | memcpy(logbuf.buf.base + logbuf.buf.off, "false", 5); |
7042 | 0 | logbuf.buf.off += 5; |
7043 | 0 | } |
7044 | 0 | } |
7045 | 0 | } |
7046 | | |
7047 | | void ptls_log__do_write_start(struct st_ptls_log_point_t *point, int add_time) |
7048 | 0 | { |
7049 | 0 | assert(logbuf.buf.base == NULL); |
7050 | 0 | ptls_buffer_init(&logbuf.buf, logbuf.smallbuf, sizeof(logbuf.smallbuf)); |
7051 | | |
7052 | | /* add module and type name */ |
7053 | 0 | const char *colon_at = strchr(point->name, ':'); |
7054 | 0 | int written = snprintf((char *)logbuf.buf.base, logbuf.buf.capacity, "{\"module\":\"%.*s\",\"type\":\"%s\"", |
7055 | 0 | (int)(colon_at - point->name), point->name, colon_at + 1); |
7056 | | |
7057 | | /* obtain and stringify thread id once */ |
7058 | 0 | if (logbuf.tid.len == 0) { |
7059 | 0 | #if defined(__linux__) |
7060 | 0 | logbuf.tid.len = sprintf(logbuf.tid.buf, ",\"tid\":%" PRId64, (int64_t)syscall(SYS_gettid)); |
7061 | | #elif defined(__APPLE__) |
7062 | | uint64_t t = 0; |
7063 | | (void)pthread_threadid_np(NULL, &t); |
7064 | | logbuf.tid.len = sprintf(logbuf.tid.buf, ",\"tid\":%" PRIu64, t); |
7065 | | #else |
7066 | | /* other platforms: skip emitting tid, by keeping logbuf.tid.len == 0 */ |
7067 | | #endif |
7068 | 0 | } |
7069 | | /* append tid */ |
7070 | 0 | assert(written > 0 && written + logbuf.tid.len < logbuf.buf.capacity); |
7071 | 0 | memcpy((char *)logbuf.buf.base + written, logbuf.tid.buf, logbuf.tid.len + 1); |
7072 | 0 | written += logbuf.tid.len; |
7073 | | |
7074 | | /* append time if requested */ |
7075 | 0 | if (add_time) { |
7076 | 0 | struct timeval tv; |
7077 | 0 | gettimeofday(&tv, NULL); |
7078 | 0 | written += snprintf((char *)logbuf.buf.base + written, logbuf.buf.capacity - written, ",\"time\":%" PRIu64, |
7079 | 0 | (uint64_t)tv.tv_sec * 1000 + tv.tv_usec / 1000); |
7080 | 0 | } |
7081 | 0 | assert(written > 0 && written < logbuf.buf.capacity && "caller MUST provide smallbuf suffient to emit the prefix"); |
7082 | | |
7083 | 0 | logbuf.buf.off = (size_t)written; |
7084 | 0 | } |
7085 | | |
7086 | | int ptls_log__do_write_end(struct st_ptls_log_point_t *point, struct st_ptls_log_conn_state_t *conn, const char *(*get_sni)(void *), |
7087 | | void *get_sni_arg, int includes_appdata) |
7088 | 0 | { |
7089 | 0 | if (!expand_logbuf_or_invalidate("}\n", 2, 0)) |
7090 | 0 | return 0; |
7091 | | |
7092 | 0 | int needs_appdata = 0; |
7093 | |
|
7094 | 0 | pthread_mutex_lock(&logctx.mutex); |
7095 | | |
7096 | | /* calc the active conn bits, updating stale information if necessary */ |
7097 | 0 | if (point->state.generation != ptls_log._generation) |
7098 | 0 | ptls_log__recalc_point(1, point); |
7099 | 0 | uint32_t active = point->state.active_conns; |
7100 | 0 | if (conn != NULL && conn->state.generation != ptls_log._generation) { |
7101 | 0 | ptls_log__recalc_conn(1, conn, get_sni, get_sni_arg); |
7102 | 0 | active &= conn->state.active_conns; |
7103 | 0 | } |
7104 | | |
7105 | | /* iterate through the active connctions */ |
7106 | 0 | for (size_t slot = 0; active != 0; ++slot, active >>= 1) { |
7107 | 0 | if ((active & 1) == 0) |
7108 | 0 | continue; |
7109 | | |
7110 | 0 | assert(logctx.conns[slot].points != NULL); |
7111 | | |
7112 | 0 | if (logctx.conns[slot].appdata != includes_appdata) { |
7113 | 0 | if (!includes_appdata && ptls_log.may_include_appdata) |
7114 | 0 | needs_appdata = 1; |
7115 | 0 | continue; |
7116 | 0 | } |
7117 | | |
7118 | | /* write */ |
7119 | 0 | ssize_t wret; |
7120 | 0 | while ((wret = write(logctx.conns[slot].fd, logbuf.buf.base, logbuf.buf.off)) == -1 && errno == EINTR) |
7121 | 0 | ; |
7122 | 0 | if (wret == logbuf.buf.off) { |
7123 | | /* success */ |
7124 | 0 | } else if (wret > 0 || (wret == -1 && (errno == EAGAIN || errno == EWOULDBLOCK))) { |
7125 | | /* partial write or buffer full */ |
7126 | 0 | ++logctx.num_lost; |
7127 | 0 | } else { |
7128 | | /* write error; close and unregister the connection */ |
7129 | 0 | close_log_fd(slot); |
7130 | 0 | } |
7131 | 0 | } |
7132 | | |
7133 | 0 | pthread_mutex_unlock(&logctx.mutex); |
7134 | |
|
7135 | 0 | if (includes_appdata) |
7136 | 0 | assert(!needs_appdata); |
7137 | | |
7138 | 0 | ptls_buffer_dispose(&logbuf.buf); |
7139 | 0 | assert(logbuf.buf.base == NULL); |
7140 | 0 | return needs_appdata; |
7141 | 0 | } |
7142 | | |
7143 | | #endif |
7144 | | |
7145 | | void ptls_log_init_conn_state(ptls_log_conn_state_t *state, void (*random_bytes)(void *, size_t)) |
7146 | 4.40k | { |
7147 | 4.40k | uint32_t r; |
7148 | 4.40k | random_bytes(&r, sizeof(r)); |
7149 | | |
7150 | 4.40k | *state = (ptls_log_conn_state_t){ |
7151 | 4.40k | .random_ = (float)r / ((uint64_t)UINT32_MAX + 1), /* [0..1), so that any(r) < sample_ratio where sample_ratio is [0..1] */ |
7152 | 4.40k | .address = in6addr_any, |
7153 | 4.40k | }; |
7154 | 4.40k | } |
7155 | | |
7156 | | size_t ptls_log_num_lost(void) |
7157 | 0 | { |
7158 | 0 | #if PTLS_HAVE_LOG |
7159 | 0 | return logctx.num_lost; |
7160 | | #else |
7161 | | return 0; |
7162 | | #endif |
7163 | 0 | } |
7164 | | |
7165 | | int ptls_log_add_fd(int fd, float sample_ratio, const char *_points, const char *_snis, const char *_addresses, int appdata) |
7166 | 0 | { |
7167 | 0 | #if PTLS_HAVE_LOG |
7168 | |
|
7169 | 0 | char *points = NULL, *snis = NULL; |
7170 | 0 | struct in6_addr *addresses = NULL; |
7171 | 0 | int ret; |
7172 | |
|
7173 | 0 | pthread_mutex_lock(&logctx.mutex); |
7174 | |
|
7175 | 0 | if ((points = duplicate_stringlist(_points)) == NULL) { |
7176 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
7177 | 0 | goto Exit; |
7178 | 0 | } |
7179 | 0 | if ((snis = duplicate_stringlist(_snis)) == NULL) { |
7180 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
7181 | 0 | goto Exit; |
7182 | 0 | } |
7183 | 0 | { |
7184 | 0 | size_t num_addresses = 0; |
7185 | 0 | for (const char *input = _addresses; input != NULL && *input != '\0'; input += strlen(input) + 1) |
7186 | 0 | ++num_addresses; |
7187 | 0 | if ((addresses = malloc(sizeof(*addresses) * (num_addresses + 1))) == NULL) { |
7188 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
7189 | 0 | goto Exit; |
7190 | 0 | } |
7191 | 0 | size_t index = 0; |
7192 | 0 | for (const char *input = _addresses; input != NULL && *input != '\0'; input += strlen(input) + 1) { |
7193 | | /* note: for consistency to the handling of points, erroneous input is ignored. V4 addresses will use the mapped form |
7194 | | * (::ffff:192.0.2.1) */ |
7195 | 0 | if (!inet_pton(AF_INET6, input, &addresses[index])) { |
7196 | 0 | struct in_addr v4; |
7197 | 0 | if (!inet_pton(AF_INET, input, &v4)) |
7198 | 0 | continue; |
7199 | 0 | ptls_build_v4_mapped_v6_address(&addresses[index], &v4); |
7200 | 0 | } |
7201 | 0 | if (memcmp(&addresses[index], &in6addr_any, sizeof(struct in6_addr)) == 0) |
7202 | 0 | continue; |
7203 | 0 | ++index; |
7204 | 0 | } |
7205 | 0 | addresses[index] = in6addr_any; |
7206 | 0 | } |
7207 | | |
7208 | | /* find slot, or return if not available */ |
7209 | 0 | size_t slot_index; |
7210 | 0 | for (slot_index = 0; slot_index < PTLS_ELEMENTSOF(logctx.conns); ++slot_index) |
7211 | 0 | if (logctx.conns[slot_index].points == NULL) |
7212 | 0 | break; |
7213 | 0 | if (slot_index == PTLS_ELEMENTSOF(logctx.conns)) { |
7214 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
7215 | 0 | goto Exit; |
7216 | 0 | } |
7217 | | |
7218 | | /* setup the slot */ |
7219 | 0 | logctx.conns[slot_index].fd = fd; |
7220 | 0 | logctx.conns[slot_index].points = points; |
7221 | 0 | logctx.conns[slot_index].snis = snis; |
7222 | 0 | logctx.conns[slot_index].addresses = addresses; |
7223 | 0 | logctx.conns[slot_index].sample_ratio = sample_ratio; |
7224 | 0 | logctx.conns[slot_index].appdata = appdata; |
7225 | 0 | ++ptls_log._generation; |
7226 | |
|
7227 | 0 | ret = 0; /* success */ |
7228 | |
|
7229 | 0 | Exit: |
7230 | 0 | pthread_mutex_unlock(&logctx.mutex); |
7231 | 0 | if (ret != 0) { |
7232 | 0 | free(points); |
7233 | 0 | free(snis); |
7234 | 0 | free(addresses); |
7235 | 0 | } |
7236 | 0 | return ret; |
7237 | |
|
7238 | | #else |
7239 | | return PTLS_ERROR_NOT_AVAILABLE; |
7240 | | #endif |
7241 | 0 | } |