iv-org-mirror
/
litespeed-quic
mirror of https://gitea.invidious.io/iv-org/litespeed-quic.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
litespeed-quic/src/liblsquic/lsquic_handshake.c

4316 lines
138 KiB
C
Raw Blame History

/* Copyright (c) 2017 - 2021 LiteSpeed Technologies Inc. See LICENSE. */
#define _GNU_SOURCE /* for memmem */
#include <assert.h>
#include <errno.h>
#include <limits.h>
#include <time.h>
#include <string.h>
#include <sys/queue.h>
#ifndef WIN32
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>
#else
#include <malloc.h>
#endif
#include <openssl/ssl.h>
#include <openssl/crypto.h>
#include <openssl/stack.h>
#include <openssl/x509.h>
#include <openssl/rand.h>
#include <openssl/nid.h>
#include <openssl/bn.h>
#include <openssl/hkdf.h>
#include <zlib.h>
#include "lsquic.h"
#include "lsquic_types.h"
#include "lsquic_crypto.h"
#include "lsquic_str.h"
#include "lsquic_enc_sess.h"
#include "lsquic_parse.h"
#include "lsquic_crt_compress.h"
#include "lsquic_util.h"
#include "lsquic_version.h"
#include "lsquic_mm.h"
#include "lsquic_engine_public.h"
#include "lsquic_hash.h"
#include "lsquic_qtags.h"
#include "lsquic_byteswap.h"
#include "lsquic_sizes.h"
#include "lsquic_tokgen.h"
#include "lsquic_conn.h"
#include "lsquic_packet_common.h"
#include "lsquic_packet_out.h"
#include "lsquic_packet_in.h"
#include "lsquic_handshake.h"
#include "lsquic_hkdf.h"
#include "lsquic_packet_ietf.h"
#if __GNUC__
# define UNLIKELY(cond) __builtin_expect(cond, 0)
#else
# define UNLIKELY(cond) cond
#endif
#include "fiu-local.h"
#include "lsquic_ev_log.h"
#define MIN_CHLO_SIZE 1024
#define MAX_SCFG_LENGTH 512
#define MAX_SPUBS_LENGTH 32
#define LSQUIC_LOGGER_MODULE LSQLM_HANDSHAKE
#define LSQUIC_LOG_CONN_ID lsquic_conn_log_cid( \
enc_session && enc_session->es_conn ? enc_session->es_conn : \
lconn && lconn != &dummy_lsquic_conn ? lconn : \
&dummy_lsquic_conn)
#include "lsquic_logger.h"
/* enc_session may be NULL when encrypt and decrypt packet functions are
* called. This is a workaround.
*/
static struct conn_cid_elem dummy_cce;
static const struct lsquic_conn dummy_lsquic_conn = { .cn_cces = &dummy_cce, };
static const struct lsquic_conn *const lconn = &dummy_lsquic_conn;
static int s_ccrt_idx;
static const int s_log_seal_and_open;
static char s_str[0x1000];
static const unsigned char salt_Q050[] = {
0x50, 0x45, 0x74, 0xEF, 0xD0, 0x66, 0xFE, 0x2F, 0x9D, 0x94,
0x5C, 0xFC, 0xDB, 0xD3, 0xA7, 0xF0, 0xD3, 0xB5, 0x6B, 0x45,
};
enum handshake_state
{
HSK_CHLO_REJ = 0,
HSK_SHLO,
HSK_COMPLETED,
N_HSK_STATES
};
#if LSQUIC_KEEP_ENC_SESS_HISTORY
typedef unsigned char eshist_idx_t;
enum enc_sess_history_event
{
ESHE_EMPTY = '\0',
ESHE_SET_SNI = 'I',
ESHE_SET_SNO = 'O',
ESHE_SET_STK = 'K',
ESHE_SET_SCID = 'D',
ESHE_SET_PROF = 'P',
ESHE_SET_SRST = 'S',
ESHE_VSTK_OK = 'V',
ESHE_VSTK_FAILED = 'W',
ESHE_SNI_FAIL = 'J',
ESHE_HAS_SSTK = 'H',
ESHE_UNKNOWN_CONFIG = 'a',
ESHE_MISSING_SCID = 'b',
ESHE_EMPTY_CCRT = 'c',
ESHE_MISSING_SNO = 'd',
ESHE_SNO_MISMATCH = 'e',
ESHE_SNO_OK = 'f',
ESHE_MULTI2_2BITS = 'i',
ESHE_SNI_DELAYED = 'Y',
};
#endif
typedef struct hs_ctx_st
{
enum {
HSET_TCID = (1 << 0), /* tcid is set */
HSET_SMHL = (1 << 1), /* smhl is set */
HSET_SCID = (1 << 2),
HSET_IRTT = (1 << 3),
HSET_SRST = (1 << 4),
} set;
enum {
HOPT_NSTP = (1 << 0), /* NSTP option present in COPT */
HOPT_SREJ = (1 << 1), /* SREJ option present in COPT */
} opts;
uint32_t pdmd;
uint32_t aead;
uint32_t kexs;
uint32_t mids;
uint32_t scls;
uint32_t cfcw;
uint32_t sfcw;
uint32_t smids;
uint32_t scfcw;
uint32_t ssfcw;
uint32_t icsl;
uint32_t irtt;
uint64_t rcid;
uint32_t tcid;
uint32_t smhl;
uint64_t sttl;
unsigned char scid[SCID_LENGTH];
//unsigned char chlo_hash[32]; //SHA256 HASH of CHLO
unsigned char nonc[DNONC_LENGTH]; /* 4 tm, 8 orbit ---> REJ, 20 rand */
unsigned char pubs[32];
unsigned char srst[SRST_LENGTH];
uint32_t rrej;
struct lsquic_str ccs;
struct lsquic_str uaid;
struct lsquic_str sni; /* 0 rtt */
struct lsquic_str ccrt;
struct lsquic_str stk;
struct lsquic_str sno;
struct lsquic_str prof;
struct lsquic_str csct;
struct compressed_cert *ccert;
struct lsquic_str scfg_pubs; /* Need to copy PUBS, as KEXS comes after it */
} hs_ctx_t;
/* client side need to store 0rtt info per STK */
typedef struct lsquic_session_cache_info_st
{
unsigned char sscid[SCID_LENGTH];
unsigned char spubs[32]; /* server pub key for next time 0rtt */
uint32_t ver; /* one VERSION */
uint32_t aead;
uint32_t kexs;
uint32_t pdmd;
uint64_t orbt;
uint64_t expy;
int scfg_flag; /* 0, no-init, 1, no parse, 2, parsed */
struct lsquic_str sstk;
struct lsquic_str scfg;
struct lsquic_str sni_key; /* This is only used as key */
struct lsquic_hash_elem hash_el;
} lsquic_session_cache_info_t;
/* client */
typedef struct c_cert_item_st
{
struct lsquic_str* crts;
struct lsquic_str* hashs;
int count;
} c_cert_item_t;
struct lsquic_sess_resume_storage
{
uint32_t quic_version_tag;
uint32_t serializer_version;
uint32_t ver;
uint32_t aead;
uint32_t kexs;
uint32_t pdmd;
uint64_t orbt;
uint64_t expy;
uint64_t sstk_len;
uint64_t scfg_len;
uint64_t scfg_flag;
uint8_t sstk[STK_LENGTH];
uint8_t scfg[MAX_SCFG_LENGTH];
uint8_t sscid[SCID_LENGTH];
uint8_t spubs[MAX_SPUBS_LENGTH];
uint32_t cert_count;
};
/* gQUIC crypto has three crypto levels. */
enum gel { GEL_CLEAR, GEL_EARLY, GEL_FORW, N_GELS /* Angels! */ };
#define MAX(a, b) ((a) > (b) ? (a) : (b))
#define IQUIC_IV_LEN 12
#define IQUIC_HP_LEN 16
#define MAX_IV_LEN MAX(aes128_iv_len, IQUIC_IV_LEN)
struct lsquic_enc_session
{
struct lsquic_conn *es_conn;
enum handshake_state hsk_state;
enum {
ES_SERVER = 1 << 0,
ES_RECV_REJ = 1 << 1,
ES_RECV_SREJ = 1 << 2,
ES_FREE_CERT_PTR = 1 << 3,
ES_LOG_SECRETS = 1 << 4,
ES_GQUIC2 = 1 << 5,
} es_flags;
uint8_t have_key; /* 0, no 1, I, 2, D, 3, F */
uint8_t peer_have_final_key;
uint8_t server_start_use_final_key;
lsquic_cid_t cid;
unsigned char priv_key[32];
/* Have to save the initial key for diversification need */
unsigned char enc_key_i[aes128_key_len];
unsigned char dec_key_i[aes128_key_len];
#define enc_ctx_i es_aead_ctxs[GEL_EARLY][0]
#define dec_ctx_i es_aead_ctxs[GEL_EARLY][1]
#define enc_ctx_f es_aead_ctxs[GEL_FORW][0]
#define dec_ctx_f es_aead_ctxs[GEL_FORW][1]
EVP_AEAD_CTX *es_aead_ctxs[N_GELS][2];
#define enc_key_nonce_i es_ivs[GEL_EARLY][0]
#define dec_key_nonce_i es_ivs[GEL_EARLY][1]
#define enc_key_nonce_f es_ivs[GEL_FORW][0]
#define dec_key_nonce_f es_ivs[GEL_FORW][1]
unsigned char es_ivs[N_GELS][2][MAX_IV_LEN];
unsigned char es_hps[N_GELS][2][IQUIC_HP_LEN];
hs_ctx_t hs_ctx;
lsquic_session_cache_info_t *info;
c_cert_item_t *cert_item;
lsquic_server_config_t *server_config;
SSL_CTX * ssl_ctx;
struct lsquic_engine_public *enpub;
struct lsquic_str * cert_ptr; /* pointer to the leaf cert of the server, not real copy */
struct lsquic_str chlo; /* real copy of CHLO message */
struct lsquic_str sstk;
struct lsquic_str ssno;
#if LSQUIC_KEEP_ENC_SESS_HISTORY
eshist_idx_t es_hist_idx;
unsigned char es_hist_buf[1 << ESHIST_BITS];
#endif
/* The remaining fields in the struct are used for Q050+ crypto */
lsquic_packno_t es_max_packno;
};
/* server side */
typedef struct compress_cert_hash_item_st
{
struct lsquic_str* domain; /*with port, such as "xyz.com:8088" as the key */
struct lsquic_str* crts_compress_buf;
struct lsquic_hash_elem hash_el;
} compress_cert_hash_item_t;
/* server side, only one cert */
typedef struct cert_item_st
{
struct lsquic_str* crt;
struct lsquic_hash_elem hash_el;
unsigned char key[0];
} cert_item_t;
/* server */
static cert_item_t* find_cert(struct lsquic_engine_public *, const unsigned char *, size_t);
static void s_free_cert_hash_item(cert_item_t *item);
static cert_item_t* insert_cert(struct lsquic_engine_public *,
const unsigned char *key, size_t key_sz, const struct lsquic_str *crt);
#ifdef NDEBUG
static
enum hsk_failure_reason
lsquic_verify_stk (enc_session_t *,
const struct sockaddr *ip_addr, uint64_t tm, lsquic_str_t *stk);
static
#endif
void lsquic_gen_stk(lsquic_server_config_t *, const struct sockaddr *, uint64_t tm,
unsigned char stk_out[STK_LENGTH]);
/* client */
static c_cert_item_t *make_c_cert_item(struct lsquic_str **certs, int count);
static void free_c_cert_item(c_cert_item_t *item);
static int get_tag_val_u32 (unsigned char *v, int len, uint32_t *val);
static uint32_t get_tag_value_i32(unsigned char *, int);
static uint64_t get_tag_value_i64(unsigned char *, int);
static void determine_keys(struct lsquic_enc_session *enc_session);
static void put_compressed_cert (struct compressed_cert *);
#if LSQUIC_KEEP_ENC_SESS_HISTORY
static void
eshist_append (struct lsquic_enc_session *enc_session,
enum enc_sess_history_event eh_event)
{
enc_session->es_hist_buf[
ESHIST_MASK & enc_session->es_hist_idx++ ] = eh_event;
}
# define ESHIST_APPEND(sess, event) eshist_append(sess, event)
#else
# define ESHIST_APPEND(sess, event) do { } while (0)
#endif
static void
free_compressed_cert (void *parent, void *ptr, CRYPTO_EX_DATA *ad,
int index, long argl, void *argp)
{
put_compressed_cert(ptr);
}
static int
lsquic_handshake_init(int flags)
{
lsquic_crypto_init();
if (flags & LSQUIC_GLOBAL_SERVER)
{
s_ccrt_idx = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
free_compressed_cert);
if (s_ccrt_idx < 0)
return -1;
}
return lsquic_crt_init();
}
void
lsquic_cleanup_gquic_crypto (struct lsquic_engine_public *enpub)
{
struct lsquic_hash_elem *el;
if (enpub->enp_compressed_server_certs)
{
for (el = lsquic_hash_first(enpub->enp_compressed_server_certs); el;
el = lsquic_hash_next(enpub->enp_compressed_server_certs))
{
compress_cert_hash_item_t *item = lsquic_hashelem_getdata(el);
lsquic_str_delete(item->domain);
lsquic_str_delete(item->crts_compress_buf);
free(item);
}
lsquic_hash_destroy(enpub->enp_compressed_server_certs);
enpub->enp_compressed_server_certs = NULL;
}
if (enpub->enp_server_certs)
{
for (el = lsquic_hash_first(enpub->enp_server_certs); el;
el = lsquic_hash_next(enpub->enp_server_certs))
{
s_free_cert_hash_item( lsquic_hashelem_getdata(el) );
}
lsquic_hash_destroy(enpub->enp_server_certs);
enpub->enp_server_certs = NULL;
}
free(enpub->enp_server_config);
}
static void
lsquic_handshake_cleanup (void)
{
lsquic_crt_cleanup();
}
int
lsquic_init_gquic_crypto (struct lsquic_engine_public *enpub)
{
enpub->enp_server_config = calloc(1, sizeof(*enpub->enp_server_config));
if (!enpub->enp_server_config)
return -1;
enpub->enp_compressed_server_certs = lsquic_hash_create();
if (!enpub->enp_compressed_server_certs)
return -1;
enpub->enp_server_certs = lsquic_hash_create();
if (!enpub->enp_server_certs)
{
lsquic_hash_destroy(enpub->enp_compressed_server_certs);
enpub->enp_compressed_server_certs = NULL;
return -1;
}
return 0;
}
/* server */
static cert_item_t *
find_cert (struct lsquic_engine_public *enpub, const unsigned char *key,
size_t key_sz)
{
struct lsquic_hash_elem *el;
if (!enpub->enp_server_certs)
return NULL;
el = lsquic_hash_find(enpub->enp_server_certs, key, key_sz);
if (el == NULL)
return NULL;
return lsquic_hashelem_getdata(el);
}
/* client */
static c_cert_item_t *
make_c_cert_item (lsquic_str_t **certs, int count)
{
int i;
uint64_t hash;
c_cert_item_t *item = calloc(1, sizeof(*item));
item->crts = (lsquic_str_t *)malloc(count * sizeof(lsquic_str_t));
item->hashs = lsquic_str_new(NULL, 0);
item->count = count;
for (i = 0; i < count; ++i)
{
lsquic_str_copy(&item->crts[i], certs[i]);
hash = lsquic_fnv1a_64((const uint8_t *)lsquic_str_cstr(certs[i]),
lsquic_str_len(certs[i]));
lsquic_str_append(item->hashs, (char *)&hash, 8);
}
return item;
}
/* client */
static void
free_c_cert_item (c_cert_item_t *item)
{
int i;
if (item)
{
lsquic_str_delete(item->hashs);
for(i=0; i<item->count; ++i)
lsquic_str_d(&item->crts[i]);
free(item->crts);
free(item);
}
}
/* server */
static void
s_free_cert_hash_item (cert_item_t *item)
{
if (item)
{
lsquic_str_delete(item->crt);
free(item);
}
}
/* server */
static cert_item_t *
insert_cert (struct lsquic_engine_public *enpub, const unsigned char *key,
size_t key_sz, const lsquic_str_t *crt)
{
struct lsquic_hash_elem *el;
lsquic_str_t *crt_copy;
cert_item_t *item;
crt_copy = lsquic_str_new(lsquic_str_cstr(crt), lsquic_str_len(crt));
if (!crt_copy)
return NULL;
item = calloc(1, sizeof(*item) + key_sz);
if (!item)
{
lsquic_str_delete(crt_copy);
return NULL;
}
item->crt = crt_copy;
memcpy(item->key, key, key_sz);
el = lsquic_hash_insert(enpub->enp_server_certs, item->key, key_sz,
item, &item->hash_el);
if (el)
return lsquic_hashelem_getdata(el);
else
{
s_free_cert_hash_item(item);
return NULL;
}
}
enum rtt_deserialize_return_type
{
RTT_DESERIALIZE_OK = 0,
RTT_DESERIALIZE_BAD_QUIC_VER = 1,
RTT_DESERIALIZE_BAD_SERIAL_VER = 2,
RTT_DESERIALIZE_BAD_CERT_SIZE = 3,
};
#define RTT_SERIALIZER_VERSION (1 << 0)
static void
lsquic_enc_session_serialize_sess_resume(struct lsquic_sess_resume_storage *storage,
enum lsquic_version version,
const lsquic_session_cache_info_t *info,
const c_cert_item_t *cert_item)
{
uint32_t i;
uint32_t *cert_len;
uint8_t *cert_data;
/*
* assign versions
*/
storage->quic_version_tag = lsquic_ver2tag(version);
storage->serializer_version = RTT_SERIALIZER_VERSION;
/*
* server config
*/
storage->ver = info->ver;
storage->aead = info->aead;
storage->kexs = info->kexs;
storage->pdmd = info->pdmd;
storage->orbt = info->orbt;
storage->expy = info->expy;
storage->sstk_len = lsquic_str_len(&info->sstk);
storage->scfg_len = lsquic_str_len(&info->scfg);
storage->scfg_flag = info->scfg_flag;
memcpy(storage->sstk, lsquic_str_buf(&info->sstk), storage->sstk_len);
memcpy(storage->scfg, lsquic_str_buf(&info->scfg), storage->scfg_len);
memcpy(storage->sscid, &info->sscid, SCID_LENGTH);
memcpy(storage->spubs, &info->spubs, MAX_SPUBS_LENGTH);
/*
* certificate chain
*/
storage->cert_count = (uint32_t)cert_item->count;
cert_len = (uint32_t *)(storage + 1);
cert_data = (uint8_t *)(cert_len + 1);
for (i = 0; i < storage->cert_count; i++)
{
*cert_len = lsquic_str_len(&cert_item->crts[i]);
memcpy(cert_data, lsquic_str_buf(&cert_item->crts[i]), *cert_len);
cert_len = (uint32_t *)(cert_data + *cert_len);
cert_data = (uint8_t *)(cert_len + 1);
}
}
#define CHECK_SPACE(need, start, end) \
do { if ((intptr_t) (need) > ((intptr_t) (end) - (intptr_t) (start))) \
{ return RTT_DESERIALIZE_BAD_CERT_SIZE; } \
} while (0) \
static enum rtt_deserialize_return_type
lsquic_enc_session_deserialize_sess_resume(
const struct lsquic_sess_resume_storage *storage,
size_t storage_size,
const struct lsquic_engine_settings *settings,
lsquic_session_cache_info_t *info,
c_cert_item_t *cert_item)
{
enum lsquic_version ver;
uint32_t i, len;
uint64_t hash;
uint32_t *cert_len;
uint8_t *cert_data;
void *storage_end = (uint8_t *)storage + storage_size;
/*
* check versions
*/
ver = lsquic_tag2ver(storage->quic_version_tag);
if ((int)ver == -1 || !((1 << ver) & settings->es_versions))
return RTT_DESERIALIZE_BAD_QUIC_VER;
if (storage->serializer_version != RTT_SERIALIZER_VERSION)
return RTT_DESERIALIZE_BAD_SERIAL_VER;
/*
* server config
*/
info->ver = storage->ver;
info->aead = storage->aead;
info->kexs = storage->kexs;
info->pdmd = storage->pdmd;
info->orbt = storage->orbt;
info->expy = storage->expy;
info->scfg_flag = storage->scfg_flag;
lsquic_str_setto(&info->sstk, storage->sstk, storage->sstk_len);
lsquic_str_setto(&info->scfg, storage->scfg, storage->scfg_len);
memcpy(&info->sscid, storage->sscid, SCID_LENGTH);
memcpy(&info->spubs, storage->spubs, MAX_SPUBS_LENGTH);
/*
* certificate chain
*/
cert_item->count = storage->cert_count;
cert_item->crts = malloc(cert_item->count * sizeof(lsquic_str_t));
cert_item->hashs = lsquic_str_new(NULL, 0);
cert_len = (uint32_t *)(storage + 1);
for (i = 0; i < storage->cert_count; i++)
{
CHECK_SPACE(sizeof(uint32_t), cert_len, storage_end);
cert_data = (uint8_t *)(cert_len + 1);
memcpy(&len, cert_len, sizeof(len));
CHECK_SPACE(len, cert_data, storage_end);
lsquic_str_prealloc(&cert_item->crts[i], len);
lsquic_str_setlen(&cert_item->crts[i], len);
memcpy(lsquic_str_buf(&cert_item->crts[i]), cert_data, len);
hash = lsquic_fnv1a_64((const uint8_t *)cert_data, len);
lsquic_str_append(cert_item->hashs, (char *)&hash, 8);
cert_len = (uint32_t *)(cert_data + len);
}
return RTT_DESERIALIZE_OK;
}
#define KEY_LABEL "quic key"
#define KEY_LABEL_SZ (sizeof(KEY_LABEL) - 1)
#define IV_LABEL "quic iv"
#define IV_LABEL_SZ (sizeof(IV_LABEL) - 1)
#define PN_LABEL "quic hp"
#define PN_LABEL_SZ (sizeof(PN_LABEL) - 1)
static int
gquic2_init_crypto_ctx (struct lsquic_enc_session *enc_session,
unsigned idx, const unsigned char *secret, size_t secret_sz)
{
const EVP_MD *const md = EVP_sha256();
const EVP_AEAD *const aead = EVP_aead_aes_128_gcm();
unsigned char key[aes128_key_len];
char hexbuf[sizeof(key) * 2 + 1];
lsquic_qhkdf_expand(md, secret, secret_sz, KEY_LABEL, KEY_LABEL_SZ,
key, sizeof(key));
if (enc_session->es_flags & ES_LOG_SECRETS)
LSQ_DEBUG("handshake key idx %u: %s", idx,
HEXSTR(key, sizeof(key), hexbuf));
lsquic_qhkdf_expand(md, secret, secret_sz, IV_LABEL, IV_LABEL_SZ,
enc_session->es_ivs[GEL_CLEAR][idx], IQUIC_IV_LEN);
lsquic_qhkdf_expand(md, secret, secret_sz, PN_LABEL, PN_LABEL_SZ,
enc_session->es_hps[GEL_CLEAR][idx], IQUIC_HP_LEN);
assert(!enc_session->es_aead_ctxs[GEL_CLEAR][idx]);
enc_session->es_aead_ctxs[GEL_CLEAR][idx]
= malloc(sizeof(*enc_session->es_aead_ctxs[GEL_CLEAR][idx]));
if (!enc_session->es_aead_ctxs[GEL_CLEAR][idx])
return -1;
if (!EVP_AEAD_CTX_init(enc_session->es_aead_ctxs[GEL_CLEAR][idx], aead,
key, sizeof(key), IQUIC_TAG_LEN, NULL))
{
free(enc_session->es_aead_ctxs[GEL_CLEAR][idx]);
enc_session->es_aead_ctxs[GEL_CLEAR][idx] = NULL;
return -1;
}
return 0;
}
static void
log_crypto_ctx (const struct lsquic_enc_session *enc_session,
enum enc_level enc_level, int idx)
{
char hexbuf[EVP_MAX_MD_SIZE * 2 + 1];
LSQ_DEBUG("%s keys for level %s", lsquic_enclev2str[enc_level],
idx == 0 ? "encrypt" : "decrypt");
LSQ_DEBUG("iv: %s",
HEXSTR(enc_session->es_ivs[enc_level][idx], IQUIC_IV_LEN, hexbuf));
LSQ_DEBUG("hp: %s",
HEXSTR(enc_session->es_hps[enc_level][idx], IQUIC_HP_LEN, hexbuf));
}
static int
gquic2_setup_handshake_keys (struct lsquic_enc_session *enc_session)
{
const unsigned char *const cid_buf = enc_session->es_conn->cn_cid.idbuf;
const size_t cid_buf_sz = enc_session->es_conn->cn_cid.len;
size_t hsk_secret_sz;
int i, idx;
const EVP_MD *const md = EVP_sha256();
const char *const labels[] = { CLIENT_LABEL, SERVER_LABEL, };
const size_t label_sizes[] = { CLIENT_LABEL_SZ, SERVER_LABEL_SZ, };
const unsigned dirs[2] = {
(enc_session->es_flags & ES_SERVER),
!(enc_session->es_flags & ES_SERVER),
};
unsigned char hsk_secret[EVP_MAX_MD_SIZE];
unsigned char secret[SHA256_DIGEST_LENGTH];
if (!HKDF_extract(hsk_secret, &hsk_secret_sz, md, cid_buf, cid_buf_sz,
salt_Q050, sizeof(salt_Q050)))
{
LSQ_WARN("HKDF extract failed");
return -1;
}
for (i = 0; i < 2; ++i)
{
idx = dirs[i];
lsquic_qhkdf_expand(md, hsk_secret, hsk_secret_sz, labels[idx],
label_sizes[idx], secret, sizeof(secret));
/*
LSQ_DEBUG("`%s' handshake secret: %s",
HEXSTR(secret, sizeof(secret), hexbuf));
*/
if (0 != gquic2_init_crypto_ctx(enc_session, i,
secret, sizeof(secret)))
goto err;
if (enc_session->es_flags & ES_LOG_SECRETS)
log_crypto_ctx(enc_session, ENC_LEV_CLEAR, i);
}
return 0;
err:
return -1;
}
static void
maybe_log_secrets (struct lsquic_enc_session *enc_session)
{
const char *log;
log = getenv("LSQUIC_LOG_SECRETS");
if (log)
{
if (atoi(log))
enc_session->es_flags |= ES_LOG_SECRETS;
LSQ_DEBUG("will %slog secrets",
enc_session->es_flags & ES_LOG_SECRETS ? "" : "not ");
}
}
static enc_session_t *
lsquic_enc_session_create_client (struct lsquic_conn *lconn, const char *domain,
lsquic_cid_t cid, struct lsquic_engine_public *enpub,
const unsigned char *sess_resume, size_t sess_resume_len)
{
lsquic_session_cache_info_t *info;
struct lsquic_enc_session *enc_session;
c_cert_item_t *item;
const struct lsquic_sess_resume_storage *sess_resume_storage;
if (!domain)
{
errno = EINVAL;
return NULL;
}
enc_session = calloc(1, sizeof(*enc_session));
if (!enc_session)
return NULL;
/* have to allocate every time */
info = calloc(1, sizeof(*info));
if (!info)
{
free(enc_session);
return NULL;
}
if (sess_resume && sess_resume_len > sizeof(struct lsquic_sess_resume_storage))
{
item = calloc(1, sizeof(*item));
if (!item)
{
free(enc_session);
free(info);
return NULL;
}
sess_resume_storage = (const struct lsquic_sess_resume_storage *)sess_resume;
switch (lsquic_enc_session_deserialize_sess_resume(sess_resume_storage,
sess_resume_len,
&enpub->enp_settings,
info, item))
{
case RTT_DESERIALIZE_BAD_QUIC_VER:
LSQ_ERROR("provided sess_resume has unsupported QUIC version");
free(item);
break;
case RTT_DESERIALIZE_BAD_SERIAL_VER:
LSQ_ERROR("provided sess_resume has bad serializer version");
free(item);
break;
case RTT_DESERIALIZE_BAD_CERT_SIZE:
LSQ_ERROR("provided sess_resume has bad cert size");
free(item);
break;
case RTT_DESERIALIZE_OK:
memcpy(enc_session->hs_ctx.pubs, info->spubs, 32);
enc_session->cert_item = item;
break;
}
}
enc_session->es_conn = lconn;
enc_session->enpub = enpub;
enc_session->cid = cid;
enc_session->info = info;
/* FIXME: allocation may fail */
lsquic_str_append(&enc_session->hs_ctx.sni, domain, strlen(domain));
maybe_log_secrets(enc_session);
if (lconn->cn_version >= LSQVER_050)
{
enc_session->es_flags |= ES_GQUIC2;
gquic2_setup_handshake_keys(enc_session);
}
return enc_session;
}
/* Server side: Session_cache_entry can be saved for 0rtt */
static enc_session_t *
lsquic_enc_session_create_server (struct lsquic_conn *lconn, lsquic_cid_t cid,
struct lsquic_engine_public *enpub)
{
fiu_return_on("handshake/new_enc_session", NULL);
struct lsquic_enc_session *enc_session;
enc_session = calloc(1, sizeof(*enc_session));
if (!enc_session)
return NULL;
enc_session->es_conn = lconn;
enc_session->enpub = enpub;
enc_session->cid = cid;
enc_session->es_flags |= ES_SERVER;
maybe_log_secrets(enc_session);
if (lconn->cn_version >= LSQVER_050)
{
enc_session->es_flags |= ES_GQUIC2;
gquic2_setup_handshake_keys(enc_session);
}
return enc_session;
}
static void
lsquic_enc_session_reset_cid (enc_session_t *enc_session_p,
const lsquic_cid_t *new_cid)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
LSQ_INFOC("changing CID to %"CID_FMT, CID_BITS(new_cid));
enc_session->cid = *new_cid;
}
static void
put_compressed_cert (struct compressed_cert *ccert)
{
if (ccert)
{
assert(ccert->refcnt > 0);
--ccert->refcnt;
if (0 == ccert->refcnt)
free(ccert);
}
}
static struct compressed_cert *
new_compressed_cert (const unsigned char *buf, size_t len)
{
struct compressed_cert *ccert;
ccert = malloc(sizeof(*ccert) + len);
if (ccert)
{
ccert->refcnt = 1;
ccert->len = len;
memcpy(ccert->buf, buf, len);
}
return ccert;
}
static void
lsquic_enc_session_destroy (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
enum gel gel;
unsigned i;
if (!enc_session)
return ;
hs_ctx_t *hs_ctx = &enc_session->hs_ctx;
lsquic_str_d(&hs_ctx->sni);
lsquic_str_d(&hs_ctx->ccs);
lsquic_str_d(&hs_ctx->ccrt);
lsquic_str_d(&hs_ctx->stk);
lsquic_str_d(&hs_ctx->sno);
lsquic_str_d(&hs_ctx->prof);
lsquic_str_d(&hs_ctx->csct);
put_compressed_cert(hs_ctx->ccert);
hs_ctx->ccert = NULL;
lsquic_str_d(&hs_ctx->uaid);
lsquic_str_d(&hs_ctx->scfg_pubs);
lsquic_str_d(&enc_session->chlo);
lsquic_str_d(&enc_session->sstk);
lsquic_str_d(&enc_session->ssno);
for (gel = 0; gel < N_GELS; ++gel)
for (i = 0; i < 2; ++i)
if (enc_session->es_aead_ctxs[gel][i])
{
EVP_AEAD_CTX_cleanup(enc_session->es_aead_ctxs[gel][i]);
free(enc_session->es_aead_ctxs[gel][i]);
}
memset(enc_session->es_aead_ctxs, 0, sizeof(enc_session->es_aead_ctxs));
if (enc_session->info)
{
lsquic_str_d(&enc_session->info->sstk);
lsquic_str_d(&enc_session->info->scfg);
lsquic_str_d(&enc_session->info->sni_key);
free(enc_session->info);
}
if (enc_session->cert_item)
{
free_c_cert_item(enc_session->cert_item);
enc_session->cert_item = NULL;
}
if ((enc_session->es_flags & ES_FREE_CERT_PTR) && enc_session->cert_ptr)
lsquic_str_delete(enc_session->cert_ptr);
free(enc_session);
}
static int get_hs_state(struct lsquic_enc_session *enc_session)
{
return enc_session->hsk_state;
}
/* make sure have more room for encrypt */
static int
lsquic_enc_session_is_hsk_done (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
return (get_hs_state(enc_session) == HSK_COMPLETED);
}
static void
process_copt (struct lsquic_enc_session *enc_session, const uint32_t *const opts,
unsigned n_opts)
{
unsigned i;
for (i = 0; i < n_opts; ++i)
switch (opts[i])
{
case QTAG_NSTP:
enc_session->hs_ctx.opts |= HOPT_NSTP;
break;
case QTAG_SREJ:
enc_session->hs_ctx.opts |= HOPT_SREJ;
break;
}
}
static int parse_hs_data (struct lsquic_enc_session *enc_session, uint32_t tag,
unsigned char *val, int len, uint32_t head_tag)
{
hs_ctx_t * hs_ctx = &enc_session->hs_ctx;
int is_client = (head_tag != QTAG_CHLO);
switch(tag)
{
case QTAG_PDMD:
hs_ctx->pdmd = get_tag_value_i32(val, len);
break;
case QTAG_MIDS:
if (0 != get_tag_val_u32(val, len,
(is_client ? &hs_ctx->mids : &hs_ctx->smids)))
return -1;
break;
case QTAG_SCLS:
hs_ctx->scls = get_tag_value_i32(val, len);
break;
case QTAG_CFCW:
if (0 != get_tag_val_u32(val, len, (is_client ? &hs_ctx->cfcw : &hs_ctx->scfcw)))
return -1;
break;
case QTAG_SFCW:
if (0 != get_tag_val_u32(val, len, (is_client ? &hs_ctx->sfcw : &hs_ctx->ssfcw)))
return -1;
break;
case QTAG_ICSL:
hs_ctx->icsl = get_tag_value_i32(val, len);
break;
case QTAG_IRTT:
if (0 != get_tag_val_u32(val, len, &hs_ctx->irtt))
return -1;
hs_ctx->set |= HSET_IRTT;
break;
case QTAG_COPT:
if (0 == len % sizeof(uint32_t))
process_copt(enc_session, (uint32_t *) val, len / sizeof(uint32_t));
/* else ignore, following the reference implementation */
break;
case QTAG_SNI:
lsquic_str_setto(&hs_ctx->sni, val, len);
ESHIST_APPEND(enc_session, ESHE_SET_SNI);
break;
case QTAG_CCS:
lsquic_str_setto(&hs_ctx->ccs, val, len);
break;
case QTAG_CCRT:
lsquic_str_setto(&hs_ctx->ccrt, val, len);
break;
case QTAG_CRT:
put_compressed_cert(hs_ctx->ccert);
hs_ctx->ccert = new_compressed_cert(val, len);
break;
case QTAG_PUBS:
if (head_tag == QTAG_SCFG)
lsquic_str_setto(&hs_ctx->scfg_pubs, val, len);
else if (len == 32)
memcpy(hs_ctx->pubs, val, len);
break;
case QTAG_RCID:
hs_ctx->rcid = get_tag_value_i64(val, len);
break;
case QTAG_UAID:
lsquic_str_setto(&hs_ctx->uaid, val, len);
break;
case QTAG_SMHL:
if (0 != get_tag_val_u32(val, len, &hs_ctx->smhl))
return -1;
hs_ctx->set |= HSET_SMHL;
break;
case QTAG_TCID:
if (0 != get_tag_val_u32(val, len, &hs_ctx->tcid))
return -1;
hs_ctx->set |= HSET_TCID;
break;
case QTAG_EXPY:
enc_session->info->expy = get_tag_value_i64(val, len);
break;
case QTAG_ORBT:
enc_session->info->orbt = get_tag_value_i64(val, len);
break;
case QTAG_SNO:
if (is_client)
{
lsquic_str_setto(&enc_session->ssno, val, len);
}
else
{
/* Server side save a copy of SNO just for verify */
lsquic_str_setto(&hs_ctx->sno, val, len);
}
ESHIST_APPEND(enc_session, ESHE_SET_SNO);
break;
case QTAG_STK:
if (is_client)
{
lsquic_str_setto(&enc_session->info->sstk, val, len);
}
else
{
/* Server need to save a copy to verify */
lsquic_str_setto(&hs_ctx->stk, val, len);
}
ESHIST_APPEND(enc_session, ESHE_SET_STK);
break;
case QTAG_SCID:
if (len != SCID_LENGTH)
return -1;
if (is_client)
{
memcpy(enc_session->info->sscid, val, len);
}
else
{
memcpy(hs_ctx->scid, val, len);
hs_ctx->set |= HSET_SCID;
}
ESHIST_APPEND(enc_session, ESHE_SET_SCID);
break;
case QTAG_AEAD:
if (is_client)
enc_session->info->aead = get_tag_value_i32(val, len);
else
hs_ctx->aead = get_tag_value_i32(val, len);
break;
case QTAG_KEXS:
if (is_client)
{
if (head_tag == QTAG_SCFG && 0 == len % 4)
{
const unsigned char *p, *end;
unsigned pub_idx, idx;
#ifdef WIN32
pub_idx = 0;
#endif
for (p = val; p < val + len; p += 4)
if (0 == memcmp(p, "C255", 4))
{
memcpy(&enc_session->info->kexs, p, 4);
pub_idx = (p - val) / 4;
LSQ_DEBUG("Parsing SCFG: supported KEXS C255 at "
"index %u", pub_idx);
break;
}
if (p >= val + len)
{
LSQ_INFO("supported KEXS not found, trouble ahead");
break;
}
if (lsquic_str_len(&hs_ctx->scfg_pubs) > 0)
{
p = (const unsigned char *)
lsquic_str_cstr(&hs_ctx->scfg_pubs);
end = p + lsquic_str_len(&hs_ctx->scfg_pubs);
for (idx = 0; p < end; ++idx)
{
uint32_t sz = 0;
if (p + 3 > end)
break;
sz |= *p++;
sz |= *p++ << 8;
sz |= *p++ << 16;
if (p + sz > end)
break;
if (idx == pub_idx)
{
if (sz == 32)
{
memcpy(hs_ctx->pubs, p, 32);
memcpy(enc_session->info->spubs, p, 32);
}
break;
}
p += sz;
}
}
else
LSQ_INFO("No PUBS from SCFG to parse");
}
}
else
hs_ctx->kexs = get_tag_value_i32(val, len);
break;
case QTAG_NONC:
if (len != sizeof(hs_ctx->nonc))
return -1;
memcpy(hs_ctx->nonc, val, len);
break;
case QTAG_SCFG:
if (is_client)
{
lsquic_str_setto(&enc_session->info->scfg, val, len);
enc_session->info->scfg_flag = 1;
}
else
LSQ_INFO("unexpected SCFG");
break;
case QTAG_PROF:
lsquic_str_setto(&hs_ctx->prof, val, len);
ESHIST_APPEND(enc_session, ESHE_SET_PROF);
break;
case QTAG_STTL:
hs_ctx->sttl = get_tag_value_i64(val, len);
break;
case QTAG_SRST:
if (enc_session->es_flags & ES_SERVER)
break;
if (len != sizeof(hs_ctx->srst))
{
LSQ_INFO("Unexpected size of SRST: %u instead of %zu bytes",
len, sizeof(hs_ctx->srst));
return -1;
}
memcpy(hs_ctx->srst, val, len);
hs_ctx->set |= HSET_SRST;
ESHIST_APPEND(enc_session, ESHE_SET_SRST);
break;
default:
LSQ_DEBUG("Ignored tag '%.*s'", 4, (char *)&tag);
break;
}
return 0;
}
/* only for the hs stream-frame data, NOT with the packet header or frame header*/
static enum handshake_error parse_hs (struct lsquic_enc_session *enc_session,
const unsigned char *buf, int buf_len,
uint32_t *head_tag)
{
uint16_t i;
const unsigned char *p = buf;
const unsigned char *pend = buf + buf_len;
unsigned char *data;
uint32_t len = 0, offset = 0;
uint16_t num;
uint32_t tag;
if (buf_len < 6)
return DATA_FORMAT_ERROR;
memcpy(&tag, p, 4);
p += 4;
if (enc_session->es_flags & ES_SERVER)
{ /* Server only expects to receive CHLO messages from the client */
if (tag != QTAG_CHLO)
return DATA_FORMAT_ERROR;
}
else
{
if (tag != QTAG_SREJ && tag != QTAG_REJ && tag != QTAG_SHLO &&
tag != QTAG_SCFG)
return DATA_FORMAT_ERROR;
}
*head_tag = tag;
memcpy((char *)&num, p, 2);
p += 2 + 2; /* the 2 bytes padding 0x0000 need to be bypassed */
if (num < 1)
return DATA_FORMAT_ERROR;
data = (uint8_t *)(buf + 4 * 2 * (1 + num));
if ((const char *)data > (const char *)pend)
{
LSQ_DEBUG("parse_hs tag '%.*s' error: data not enough", 4, (char *)head_tag);
return DATA_NOT_ENOUGH;
}
/* check last offset */
memcpy((char *)&len, data - 4, 4);
if ((const char *)data + len > (const char *)pend)
{
LSQ_DEBUG("parse_hs tag '%.*s' error: data not enough!!!", 4, (char *)head_tag);
return DATA_NOT_ENOUGH;
}
for (i=0; i<num; ++i)
{
memcpy((char *)&tag, p, 4);
p += 4;
memcpy((char *)&len, p, 4);
len -= offset;
p += 4;
if ((const char *)data + offset + len > (const char *)pend)
return DATA_FORMAT_ERROR;
if (0 != parse_hs_data(enc_session, tag, data + offset, len,
*head_tag))
return DATA_FORMAT_ERROR;
offset += len;
}
LSQ_DEBUG("parse_hs tag '%.*s' no error.", 4, (char *)head_tag);
return DATA_NO_ERROR;
}
static uint32_t get_tag_value_i32(unsigned char *val, int len)
{
uint32_t v;
if (len < 4)
return 0;
memcpy(&v, val, 4);
return v;
}
static uint64_t get_tag_value_i64(unsigned char *val, int len)
{
uint64_t v;
if (len < 8)
return 0;
memcpy(&v, val, 8);
return v;
}
static int
get_tag_val_u32 (unsigned char *v, int len, uint32_t *val)
{
if (len != 4)
return -1;
memcpy(val, v, 4);
return 0;
}
/* From "QUIC Crypto" for easy reference:
*
* A handshake message consists of:
* - The tag of the message.
* - A uint16 containing the number of tag-value pairs.
* - Two bytes of padding which should be zero when sent but ignored when
* received.
* - A series of uint32 tags and uint32 end offsets, one for each
* tag-value pair. The tags must be strictly monotonically
* increasing, and the end-offsets must be monotonic non-decreasing.
* The end offset gives the offset, from the start of the value
* data, to a byte one beyond the end of the data for that tag.
* (Thus the end offset of the last tag contains the length of the
* value data).
* - The value data, concatenated without padding.
*/
struct table_entry { uint32_t tag, off; };
struct message_writer
{
unsigned char *mw_p;
struct table_entry mw_first_dummy_entry;
struct table_entry *mw_entry,
*mw_prev_entry,
*mw_end;
};
/* MW_ family of macros is used to write entries to handshake message
* (MW stands for "message writer").
*/
#define MW_BEGIN(mw, msg_tag, n_entries, data_ptr) do { \
uint32_t t_ = msg_tag; \
uint16_t n_ = n_entries; \
memcpy(data_ptr, &t_, 4); \
memcpy(data_ptr + 4, &n_, 2); \
memset(data_ptr + 4 + 2, 0, 2); \
(mw)->mw_entry = (void *) (data_ptr + 8); \
(mw)->mw_p = data_ptr + 8 + \
(n_entries) * sizeof((mw)->mw_entry[0]); \
(mw)->mw_first_dummy_entry.tag = 0; \
(mw)->mw_first_dummy_entry.off = 0; \
(mw)->mw_prev_entry = &(mw)->mw_first_dummy_entry; \
(mw)->mw_end = (void *) (mw)->mw_p; \
} while (0)
#ifndef NDEBUG
# define MW_END(mw) do { \
assert((mw)->mw_entry == (mw)->mw_end); \
} while (0)
#else
# define MW_END(mw)
#endif
#define MW_P(mw) ((mw)->mw_p)
#define MW_ADVANCE_P(mw, n) do { \
MW_P(mw) += (n); \
} while (0)
#define MW_WRITE_TABLE_ENTRY(mw, tag_, sz) do { \
assert((mw)->mw_prev_entry->tag < (tag_)); \
assert((mw)->mw_entry < (mw)->mw_end); \
(mw)->mw_entry->tag = (tag_); \
(mw)->mw_entry->off = (mw)->mw_prev_entry->off + (sz); \
(mw)->mw_prev_entry = (mw)->mw_entry; \
++(mw)->mw_entry; \
} while (0)
#define MW_WRITE_BUFFER(mw, tag, buf, sz) do { \
MW_WRITE_TABLE_ENTRY(mw, tag, sz); \
memcpy(MW_P(mw), buf, sz); \
MW_ADVANCE_P(mw, sz); \
} while (0)
#define MW_WRITE_LS_STR(mw, tag, s) \
MW_WRITE_BUFFER(mw, tag, lsquic_str_buf(s), lsquic_str_len(s))
#define MW_WRITE_UINT32(mw, tag, val) do { \
uint32_t v_ = (val); \
MW_WRITE_BUFFER(mw, tag, &v_, sizeof(v_)); \
} while (0)
#define MW_WRITE_UINT64(mw, tag, val) do { \
uint64_t v_ = (val); \
MW_WRITE_BUFFER(mw, tag, &v_, sizeof(v_)); \
} while (0)
/* MSG_LEN_ family of macros calculates buffer size required for a
* handshake message.
*/
#define MSG_LEN_INIT(len) do { \
len = 4 /* Tag */ + 2 /* # tags */ + 2 /* Two zero bytes */; \
} while (0)
#define MSG_LEN_ADD(len, payload_sz) do { \
len += 4 + 4 + (payload_sz); \
} while (0)
#define MSG_LEN_VAL(len) (+(len))
static int
lsquic_enc_session_gen_chlo (enc_session_t *enc_session_p,
enum lsquic_version version, uint8_t *buf, size_t *len)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
int include_pad;
const lsquic_str_t *const ccs = lsquic_get_common_certs_hash();
const struct lsquic_engine_settings *const settings =
&enc_session->enpub->enp_settings;
c_cert_item_t *const cert_item = enc_session->cert_item;
unsigned char pub_key[32];
size_t ua_len;
uint32_t opts[1]; /* Only NSTP is supported for now */
unsigned n_opts, msg_len, n_tags, pad_size;
struct message_writer mw;
/* Before we do anything else, sanity check: */
if (*len < MIN_CHLO_SIZE)
return -1;
n_opts = 0;
/* CHLO is not regenerated during version negotiation. Hence we always
* include this option to cover the case when Q044 or Q046 gets negotiated
* down.
*/
if (settings->es_support_nstp)
opts[ n_opts++ ] = QTAG_NSTP;
/* Count tags and calculate required buffer size: */
MSG_LEN_INIT(msg_len); n_tags = 0;
MSG_LEN_ADD(msg_len, 4); ++n_tags; /* PDMD */
MSG_LEN_ADD(msg_len, 4); ++n_tags; /* AEAD */
MSG_LEN_ADD(msg_len, 4); ++n_tags; /* VER */
MSG_LEN_ADD(msg_len, 4); ++n_tags; /* MIDS */
MSG_LEN_ADD(msg_len, 4); ++n_tags; /* SCLS */
MSG_LEN_ADD(msg_len, 4); ++n_tags; /* CFCW */
MSG_LEN_ADD(msg_len, 4); ++n_tags; /* SFCW */
MSG_LEN_ADD(msg_len, 4); ++n_tags; /* ICSL */
MSG_LEN_ADD(msg_len, 4); ++n_tags; /* SMHL */
MSG_LEN_ADD(msg_len, 4); ++n_tags; /* KEXS */
MSG_LEN_ADD(msg_len, 0); ++n_tags; /* CSCT */
if (n_opts > 0)
{
MSG_LEN_ADD(msg_len, sizeof(opts[0]) * n_opts);
++n_tags; /* COPT */
}
if (settings->es_ua)
{
ua_len = strlen(settings->es_ua);
if (ua_len > 0)
{
MSG_LEN_ADD(msg_len, ua_len); ++n_tags; /* UAID */
}
}
else
ua_len = 0;
if (settings->es_support_tcid0)
{
MSG_LEN_ADD(msg_len, 4); ++n_tags; /* TCID */
}
MSG_LEN_ADD(msg_len, lsquic_str_len(&enc_session->hs_ctx.sni));
++n_tags; /* SNI */
MSG_LEN_ADD(msg_len, lsquic_str_len(ccs)); ++n_tags; /* CCS */
if (cert_item)
{
enc_session->cert_ptr = &cert_item->crts[0];
MSG_LEN_ADD(msg_len, lsquic_str_len(cert_item->hashs));
++n_tags; /* CCRT */
MSG_LEN_ADD(msg_len, 8); ++n_tags; /* XLCT */
}
MSG_LEN_ADD(msg_len, lsquic_str_len(&enc_session->ssno));
++n_tags; /* SNO */
MSG_LEN_ADD(msg_len, lsquic_str_len(&enc_session->info->sstk));
++n_tags; /* STK */
if (lsquic_str_len(&enc_session->info->scfg) > 0)
{
MSG_LEN_ADD(msg_len, sizeof(enc_session->info->sscid));
++n_tags; /* SCID */
if (enc_session->cert_ptr)
{
MSG_LEN_ADD(msg_len, sizeof(pub_key));
++n_tags; /* PUBS */
MSG_LEN_ADD(msg_len, sizeof(enc_session->hs_ctx.nonc));
++n_tags; /* NONC */
RAND_bytes(enc_session->priv_key, 32);
lsquic_c255_get_pub_key(enc_session->priv_key, pub_key);
lsquic_gen_nonce_c(enc_session->hs_ctx.nonc, enc_session->info->orbt);
}
}
include_pad = MSG_LEN_VAL(msg_len) < MIN_CHLO_SIZE;
if (include_pad)
{
if (MSG_LEN_VAL(msg_len) + sizeof(struct table_entry) < MIN_CHLO_SIZE)
pad_size = MIN_CHLO_SIZE - MSG_LEN_VAL(msg_len) -
sizeof(struct table_entry);
else
pad_size = 0;
MSG_LEN_ADD(msg_len, pad_size); ++n_tags; /* PAD */
}
#ifdef WIN32
else
pad_size = 0;
#endif
/* Check that we have enough room in the output buffer: */
if (MSG_LEN_VAL(msg_len) > *len)
return -1;
/* Write CHLO: */
MW_BEGIN(&mw, QTAG_CHLO, n_tags, buf);
if (include_pad)
{
memset(MW_P(&mw), '-', pad_size);
MW_WRITE_TABLE_ENTRY(&mw, QTAG_PAD, pad_size);
MW_ADVANCE_P(&mw, pad_size);
}
MW_WRITE_LS_STR(&mw, QTAG_SNI, &enc_session->hs_ctx.sni);
MW_WRITE_LS_STR(&mw, QTAG_STK, &enc_session->info->sstk);
MW_WRITE_LS_STR(&mw, QTAG_SNO, &enc_session->ssno);
MW_WRITE_UINT32(&mw, QTAG_VER, lsquic_ver2tag(version));
MW_WRITE_LS_STR(&mw, QTAG_CCS, ccs);
if (lsquic_str_len(&enc_session->info->scfg) > 0 && enc_session->cert_ptr)
MW_WRITE_BUFFER(&mw, QTAG_NONC, enc_session->hs_ctx.nonc,
sizeof(enc_session->hs_ctx.nonc));
MW_WRITE_UINT32(&mw, QTAG_AEAD, settings->es_aead);
if (ua_len)
MW_WRITE_BUFFER(&mw, QTAG_UAID, settings->es_ua, ua_len);
if (lsquic_str_len(&enc_session->info->scfg) > 0)
MW_WRITE_BUFFER(&mw, QTAG_SCID, enc_session->info->sscid,
sizeof(enc_session->info->sscid));
if (settings->es_support_tcid0)
MW_WRITE_UINT32(&mw, QTAG_TCID, 0);
MW_WRITE_UINT32(&mw, QTAG_PDMD, settings->es_pdmd);
MW_WRITE_UINT32(&mw, QTAG_SMHL, 1);
MW_WRITE_UINT32(&mw, QTAG_ICSL, settings->es_idle_conn_to / 1000000);
if (lsquic_str_len(&enc_session->info->scfg) > 0 && enc_session->cert_ptr)
MW_WRITE_BUFFER(&mw, QTAG_PUBS, pub_key, sizeof(pub_key));
MW_WRITE_UINT32(&mw, QTAG_MIDS, settings->es_max_streams_in);
MW_WRITE_UINT32(&mw, QTAG_SCLS, settings->es_silent_close);
MW_WRITE_UINT32(&mw, QTAG_KEXS, settings->es_kexs);
if (cert_item)
MW_WRITE_BUFFER(&mw, QTAG_XLCT, lsquic_str_buf(cert_item->hashs), 8);
/* CSCT is empty on purpose (retained from original code) */
MW_WRITE_TABLE_ENTRY(&mw, QTAG_CSCT, 0);
if (n_opts > 0)
MW_WRITE_BUFFER(&mw, QTAG_COPT, opts, n_opts * sizeof(opts[0]));
if (cert_item)
MW_WRITE_LS_STR(&mw, QTAG_CCRT, cert_item->hashs);
MW_WRITE_UINT32(&mw, QTAG_CFCW, settings->es_cfcw);
MW_WRITE_UINT32(&mw, QTAG_SFCW, settings->es_sfcw);
MW_END(&mw);
assert(buf + *len >= MW_P(&mw));
*len = MW_P(&mw) - buf;
lsquic_str_setto(&enc_session->chlo, buf, *len);
if (lsquic_str_len(&enc_session->info->scfg) > 0 && enc_session->cert_ptr)
{
enc_session->have_key = 0;
assert(lsquic_str_len(enc_session->cert_ptr) > 0);
determine_keys(enc_session);
enc_session->have_key = 1;
}
LSQ_DEBUG("lsquic_enc_session_gen_chlo called, return 0, buf_len %zd.", *len);
return 0;
}
static enum handshake_error
determine_rtts (struct lsquic_enc_session *enc_session,
const struct sockaddr *ip_addr, time_t t)
{
hs_ctx_t *const hs_ctx = &enc_session->hs_ctx;
enum hsk_failure_reason hfr;
if (!(hs_ctx->set & HSET_SCID))
{
hs_ctx->rrej = HFR_CONFIG_INCHOATE_HELLO;
ESHIST_APPEND(enc_session, ESHE_MISSING_SCID);
goto fail_1rtt;
}
hfr = lsquic_verify_stk(enc_session, ip_addr, t, &hs_ctx->stk);
if (hfr != HFR_HANDSHAKE_OK)
{
hs_ctx->rrej = hfr;
ESHIST_APPEND(enc_session, ESHE_VSTK_FAILED);
goto fail_1rtt;
}
else
ESHIST_APPEND(enc_session, ESHE_VSTK_OK);
if (memcmp(enc_session->server_config->lsc_scfg->info.sscid, hs_ctx->scid, 16) != 0)
{
hs_ctx->rrej = HFR_CONFIG_UNKNOWN_CONFIG;
ESHIST_APPEND(enc_session, ESHE_UNKNOWN_CONFIG);
goto fail_1rtt;
}
if (!(lsquic_str_len(&hs_ctx->ccrt) > 0))
{
/* We provide incorrect RREJ here because there is not one that fits
* this case. We can tell them apart: one comes in SREJ, the other
* in REJ.
*/
hs_ctx->rrej = HFR_CONFIG_INCHOATE_HELLO;
ESHIST_APPEND(enc_session, ESHE_EMPTY_CCRT);
goto fail_1rtt;
}
if (lsquic_str_len(&enc_session->ssno) > 0)
{
if (lsquic_str_len(&hs_ctx->sno) == 0)
{
hs_ctx->rrej = HFR_SERVER_NONCE_REQUIRED;
ESHIST_APPEND(enc_session, ESHE_MISSING_SNO);
goto fail_1rtt;
}
else if (lsquic_str_bcmp(&enc_session->ssno, &hs_ctx->sno) != 0)
{
hs_ctx->rrej = HFR_SERVER_NONCE_INVALID;
ESHIST_APPEND(enc_session, ESHE_SNO_MISMATCH);
goto fail_1rtt;
}
else
ESHIST_APPEND(enc_session, ESHE_SNO_OK);
}
enc_session->hsk_state = HSK_SHLO;
memcpy(enc_session->priv_key, enc_session->server_config->lsc_scfg->info.priv_key, 32);
return HS_SHLO;
fail_1rtt:
enc_session->hsk_state = HSK_CHLO_REJ;
return HS_1RTT;
}
static int
config_has_correct_size (const struct lsquic_enc_session *enc_session,
const void *data, unsigned shm_len)
{
/* EVP_AEAD_CTX from boringssl after-18d9f28f0df9f95570. */
struct new_evp_aead_ctx_st {
void *ptr1; /* aead */
void *ptr2; /* aead_state */
uint8_t tag_len;
};
/* This is how SHM would like in 5.2.1 builds 7 and 8: */
struct old_scfg_info
{
unsigned char sscid[SCID_LENGTH];
unsigned char priv_key[32];
unsigned char skt_key[16];
uint32_t aead;
uint32_t kexs;
uint32_t pdmd;
uint64_t orbt;
uint64_t expy;
struct new_evp_aead_ctx_st ctx;
short scfg_len;
};
const SCFG_t *const modern_config = data;
const struct old_scfg_info *const old_info = data;
size_t expected_size;
expected_size = modern_config->info.scfg_len + sizeof(*modern_config);
if (expected_size == shm_len)
return 1;
if (old_info->scfg_len + sizeof(*old_info) == shm_len)
{
LSQ_WARN("Generating new server config");
return 0;
}
LSQ_ERROR("Server config has size %u -- expected %zd", shm_len,
expected_size);
return 0;
}
static lsquic_server_config_t *
get_valid_scfg (const struct lsquic_enc_session *enc_session,
const struct lsquic_engine_public *enpub)
{
#define SERVER_SCFG_KEY "SERVER_SCFG"
#define SERVER_SCFG_KEY_SIZE (sizeof(SERVER_SCFG_KEY) - 1)
const struct lsquic_engine_settings *const settings = &enpub->enp_settings;
const struct lsquic_shared_hash_if *const shi = enpub->enp_shi;
void *const shi_ctx = enpub->enp_shi_ctx;
uint8_t spubs[35] = {0x20, 0, 0, };/* need to init first 3 bytes */
time_t t = time(NULL);
unsigned int real_len;
SCFG_info_t *temp_scfg;
SCFG_t *tmp_scfg_copy = NULL;
void *scfg_ptr;
int ret;
unsigned msg_len, server_config_sz;
struct message_writer mw;
if (enc_session->enpub->enp_server_config->lsc_scfg && (enc_session->enpub->enp_server_config->lsc_scfg->info.expy > (uint64_t)t))
return enc_session->enpub->enp_server_config;
ret = shi->shi_lookup(shi_ctx, SERVER_SCFG_KEY, SERVER_SCFG_KEY_SIZE,
&scfg_ptr, &real_len);
if (ret == 1)
{
if (config_has_correct_size(enc_session, scfg_ptr, real_len) &&
(enc_session->enpub->enp_server_config->lsc_scfg = scfg_ptr,
enc_session->enpub->enp_server_config->lsc_scfg->info.expy > (uint64_t)t))
{
/* Why need to init here, because this memory may be read from SHM,
* the struct is ready but AEAD_CTX is not ready.
**/
EVP_AEAD_CTX_init(&enc_session->enpub->enp_server_config->lsc_stk_ctx, EVP_aead_aes_128_gcm(),
enc_session->enpub->enp_server_config->lsc_scfg->info.skt_key, 16, 12, NULL);
return enc_session->enpub->enp_server_config;
}
else
{
shi->shi_delete(shi_ctx, SERVER_SCFG_KEY, SERVER_SCFG_KEY_SIZE);
}
}
MSG_LEN_INIT(msg_len);
MSG_LEN_ADD(msg_len, sizeof(temp_scfg->sscid));
MSG_LEN_ADD(msg_len, sizeof(spubs));
MSG_LEN_ADD(msg_len, enpub->enp_ver_tags_len);
MSG_LEN_ADD(msg_len, sizeof(temp_scfg->aead));
MSG_LEN_ADD(msg_len, sizeof(temp_scfg->kexs));
MSG_LEN_ADD(msg_len, sizeof(temp_scfg->pdmd));
MSG_LEN_ADD(msg_len, sizeof(temp_scfg->orbt));
MSG_LEN_ADD(msg_len, sizeof(temp_scfg->expy));
server_config_sz = sizeof(*enc_session->enpub->enp_server_config->lsc_scfg) + MSG_LEN_VAL(msg_len);
enc_session->enpub->enp_server_config->lsc_scfg = malloc(server_config_sz);
if (!enc_session->enpub->enp_server_config->lsc_scfg)
return NULL;
temp_scfg = &enc_session->enpub->enp_server_config->lsc_scfg->info;
RAND_bytes(temp_scfg->skt_key, sizeof(temp_scfg->skt_key));
RAND_bytes(temp_scfg->sscid, sizeof(temp_scfg->sscid));
RAND_bytes(temp_scfg->priv_key, sizeof(temp_scfg->priv_key));
lsquic_c255_get_pub_key(temp_scfg->priv_key, spubs + 3);
temp_scfg->aead = settings->es_aead;
temp_scfg->kexs = settings->es_kexs;
temp_scfg->pdmd = settings->es_pdmd;
temp_scfg->orbt = 0;
temp_scfg->expy = t + settings->es_sttl;
MW_BEGIN(&mw, QTAG_SCFG, 8, enc_session->enpub->enp_server_config->lsc_scfg->scfg);
MW_WRITE_BUFFER(&mw, QTAG_VER, enpub->enp_ver_tags_buf,
enpub->enp_ver_tags_len);
MW_WRITE_UINT32(&mw, QTAG_AEAD, temp_scfg->aead);
MW_WRITE_BUFFER(&mw, QTAG_SCID, temp_scfg->sscid, sizeof(temp_scfg->sscid));
MW_WRITE_UINT32(&mw, QTAG_PDMD, temp_scfg->pdmd);
MW_WRITE_BUFFER(&mw, QTAG_PUBS, spubs, sizeof(spubs));
MW_WRITE_UINT32(&mw, QTAG_KEXS, temp_scfg->kexs);
MW_WRITE_UINT64(&mw, QTAG_ORBT, temp_scfg->orbt);
MW_WRITE_UINT64(&mw, QTAG_EXPY, temp_scfg->expy);
MW_END(&mw);
assert(MW_P(&mw) == enc_session->enpub->enp_server_config->lsc_scfg->scfg + MSG_LEN_VAL(msg_len));
temp_scfg->scfg_len = MSG_LEN_VAL(msg_len);
LSQ_DEBUG("%s called, return len %d.", __func__, temp_scfg->scfg_len);
// /* TODO: will shi_delete call free to release the buffer? */
// shi->shi_delete(shi_ctx, SERVER_SCFG_KEY, SERVER_SCFG_KEY_SIZE);
void *scfg_key = strdup(SERVER_SCFG_KEY);
shi->shi_insert(shi_ctx, scfg_key, SERVER_SCFG_KEY_SIZE,
enc_session->enpub->enp_server_config->lsc_scfg, server_config_sz, t + settings->es_sttl);
ret = shi->shi_lookup(shi_ctx, scfg_key, SERVER_SCFG_KEY_SIZE,
&scfg_ptr, &real_len);
if (ret == 1)
{
tmp_scfg_copy = scfg_ptr;
if (tmp_scfg_copy != enc_session->enpub->enp_server_config->lsc_scfg)
{
free(enc_session->enpub->enp_server_config->lsc_scfg);
enc_session->enpub->enp_server_config->lsc_scfg = tmp_scfg_copy;
}
}
else
{
/* Since internal error occured, but I have to use a SCFG, log it*/
LSQ_DEBUG("get_valid_scfg got an shi internal error.\n");
}
ret = EVP_AEAD_CTX_init(&enc_session->enpub->enp_server_config->lsc_stk_ctx, EVP_aead_aes_128_gcm(),
enc_session->enpub->enp_server_config->lsc_scfg->info.skt_key,
sizeof(enc_session->enpub->enp_server_config->lsc_scfg->info.skt_key), 12, NULL);
LSQ_DEBUG("get_valid_scfg::EVP_AEAD_CTX_init return %d.", ret);
return enc_session->enpub->enp_server_config;
}
static int
generate_crt (struct lsquic_enc_session *enc_session)
{
int i, n, len, crt_num, rv = -1;
lsquic_str_t **crts;
unsigned char *out;
X509* crt;
STACK_OF(X509) *pXchain;
SSL_CTX *const ctx = enc_session->ssl_ctx;
hs_ctx_t *const hs_ctx = &enc_session->hs_ctx;
struct compressed_cert *ccert;
SSL_CTX_get0_chain_certs(ctx, &pXchain);
n = sk_X509_num(pXchain);
crt_num = n + 1;
crts = calloc(crt_num, sizeof(crts[0]));
if (!crts)
return -1;
crts[0] = lsquic_str_new(lsquic_str_cstr(enc_session->cert_ptr),
lsquic_str_len(enc_session->cert_ptr));
if (!crts[0])
goto cleanup;
for (i = 1; i < crt_num; i++)
{
crt = sk_X509_value(pXchain, i - 1);
out = NULL;
len = i2d_X509(crt, &out);
if (len < 0)
goto cleanup;
crts[i] = lsquic_str_new((const char *) out, len);
OPENSSL_free(out);
}
ccert = lsquic_compress_certs(crts, crt_num, &hs_ctx->ccs, &hs_ctx->ccrt);
if (!ccert)
goto cleanup;
if (SSL_CTX_set_ex_data(ctx, s_ccrt_idx, ccert))
++ccert->refcnt;
else
{
free(ccert);
ccert = NULL;
goto cleanup;
}
++ccert->refcnt;
hs_ctx->ccert = ccert;
/* We got here, set rv to 0: success */
rv = 0;
cleanup:
for (i = 0; i < crt_num; ++i)
if (crts[i])
lsquic_str_delete(crts[i]);
free(crts);
return rv;
}
/* rtt == 1 case */
static int
gen_rej1_data (struct lsquic_enc_session *enc_session, uint8_t *data,
size_t max_len, const struct sockaddr *ip, time_t t)
{
#ifndef WIN32
# define ERR(e_) do { return (e_); } while (0)
#else
# define ERR(e_) do { len = (e_); goto end; } while (0)
#endif
int len;
EVP_PKEY * rsa_priv_key;
SSL_CTX *ctx = enc_session->ssl_ctx;
hs_ctx_t *const hs_ctx = &enc_session->hs_ctx;
int scfg_len = enc_session->server_config->lsc_scfg->info.scfg_len;
uint8_t *scfg_data = enc_session->server_config->lsc_scfg->scfg;
size_t msg_len;
struct message_writer mw;
uint64_t sttl;
rsa_priv_key = SSL_CTX_get0_privatekey(ctx);
if (!rsa_priv_key)
return -1;
size_t prof_len = (size_t) EVP_PKEY_size(rsa_priv_key);
#ifndef WIN32
char prof_buf[prof_len];
#else
char *prof_buf = _malloca(prof_len);
if (!prof_buf)
return -1;
#endif
if (hs_ctx->ccert)
{
put_compressed_cert(hs_ctx->ccert);
hs_ctx->ccert = NULL;
}
hs_ctx->ccert = SSL_CTX_get_ex_data(ctx, s_ccrt_idx);
if (hs_ctx->ccert)
{
++hs_ctx->ccert->refcnt;
LSQ_DEBUG("use cached compressed cert");
}
else if (0 == generate_crt(enc_session))
LSQ_DEBUG("generated compressed cert");
else
{
LSQ_INFO("cannot could not generate compressed cert for");
ERR(-1);
}
LSQ_DEBUG("gQUIC rej1 data");
LSQ_DEBUG("gQUIC NOT enabled");
const int s = lsquic_gen_prof((const uint8_t *)lsquic_str_cstr(&enc_session->chlo),
(size_t)lsquic_str_len(&enc_session->chlo),
scfg_data, scfg_len,
rsa_priv_key, (uint8_t *)prof_buf, &prof_len);
if (s != 0)
{
LSQ_INFO("could not generate server proof, code %d", s);
ERR(-1);
}
lsquic_str_setto(&hs_ctx->prof, prof_buf, prof_len);
if (!hs_ctx->rrej)
{
LSQ_WARN("REJ: RREJ is not set, use default");
hs_ctx->rrej = HFR_CLIENT_NONCE_UNKNOWN;
}
MSG_LEN_INIT(msg_len);
MSG_LEN_ADD(msg_len, sizeof(hs_ctx->rrej));
MSG_LEN_ADD(msg_len, scfg_len);
MSG_LEN_ADD(msg_len, STK_LENGTH);
MSG_LEN_ADD(msg_len, SNO_LENGTH);
MSG_LEN_ADD(msg_len, sizeof(sttl));
MSG_LEN_ADD(msg_len, lsquic_str_len(&hs_ctx->prof));
if (hs_ctx->ccert)
MSG_LEN_ADD(msg_len, hs_ctx->ccert->len);
if (MSG_LEN_VAL(msg_len) > max_len)
ERR(-1);
memcpy(enc_session->priv_key, enc_session->server_config->lsc_scfg->info.priv_key, 32);
if (lsquic_str_len(&enc_session->sstk) != STK_LENGTH)
{
lsquic_str_d(&enc_session->sstk);
lsquic_str_prealloc(&enc_session->sstk, STK_LENGTH);
lsquic_str_setlen(&enc_session->sstk, STK_LENGTH);
}
lsquic_gen_stk(enc_session->server_config, ip, t,
(unsigned char *) lsquic_str_buf(&enc_session->sstk));
if (lsquic_str_len(&enc_session->ssno) != SNO_LENGTH)
{
lsquic_str_d(&enc_session->ssno);
lsquic_str_prealloc(&enc_session->ssno, SNO_LENGTH);
lsquic_str_setlen(&enc_session->ssno, SNO_LENGTH);
}
RAND_bytes((uint8_t *) lsquic_str_buf(&enc_session->ssno), SNO_LENGTH);
sttl = enc_session->enpub->enp_server_config->lsc_scfg->info.expy
- (uint64_t) time(NULL);
MW_BEGIN(&mw, QTAG_REJ, 7, data);
MW_WRITE_LS_STR(&mw, QTAG_STK, &enc_session->sstk);
MW_WRITE_LS_STR(&mw, QTAG_SNO, &enc_session->ssno);
MW_WRITE_LS_STR(&mw, QTAG_PROF, &hs_ctx->prof);
MW_WRITE_BUFFER(&mw, QTAG_SCFG, scfg_data, scfg_len);
MW_WRITE_BUFFER(&mw, QTAG_RREJ, &hs_ctx->rrej, sizeof(hs_ctx->rrej));
MW_WRITE_BUFFER(&mw, QTAG_STTL, &sttl, sizeof(sttl));
if (hs_ctx->ccert)
MW_WRITE_BUFFER(&mw, QTAG_CRT, hs_ctx->ccert->buf, hs_ctx->ccert->len);
MW_END(&mw);
assert(data + max_len >= MW_P(&mw));
len = MW_P(&mw) - data;
LSQ_DEBUG("gen_rej1_data called, return len %d.", len);
#ifdef WIN32
end:
_freea(prof_buf);
#endif
return len;
#undef ERR
}
/* rtt == 0 case */
static int
gen_shlo_data (uint8_t *buf, size_t buf_len, struct lsquic_enc_session *enc_session,
enum lsquic_version version, const struct sockaddr *ip,
time_t t, uint8_t *nonce)
{
char pub_key[32];
const struct lsquic_engine_settings *const settings =
&enc_session->enpub->enp_settings;
struct message_writer mw;
int len;
const int include_reset_token = version >= LSQVER_046;
size_t msg_len;
MSG_LEN_INIT(msg_len);
MSG_LEN_ADD(msg_len, enc_session->enpub->enp_ver_tags_len);
MSG_LEN_ADD(msg_len, sizeof(pub_key));
MSG_LEN_ADD(msg_len, 4); /* MIDS */
MSG_LEN_ADD(msg_len, 4); /* CFCW */
MSG_LEN_ADD(msg_len, 4); /* SFCW */
MSG_LEN_ADD(msg_len, 4); /* ICSL */
MSG_LEN_ADD(msg_len, 4); /* SMHL */
MSG_LEN_ADD(msg_len, lsquic_str_len(&enc_session->sstk));
MSG_LEN_ADD(msg_len, lsquic_str_len(&enc_session->ssno));
if (include_reset_token)
MSG_LEN_ADD(msg_len, SRST_LENGTH);
if (MSG_LEN_VAL(msg_len) > buf_len)
return -1;
RAND_bytes(nonce, 32);
RAND_bytes(enc_session->priv_key, 32);
lsquic_c255_get_pub_key(enc_session->priv_key, (unsigned char *)pub_key);
if (lsquic_str_len(&enc_session->sstk) != STK_LENGTH)
{
lsquic_str_d(&enc_session->sstk);
lsquic_str_prealloc(&enc_session->sstk, STK_LENGTH);
lsquic_str_setlen(&enc_session->sstk, STK_LENGTH);
}
lsquic_gen_stk(enc_session->server_config, ip, t,
(unsigned char *) lsquic_str_buf(&enc_session->sstk));
if (lsquic_str_len(&enc_session->ssno) != SNO_LENGTH)
{
lsquic_str_d(&enc_session->ssno);
lsquic_str_prealloc(&enc_session->ssno, SNO_LENGTH);
lsquic_str_setlen(&enc_session->ssno, SNO_LENGTH);
}
RAND_bytes((uint8_t *) lsquic_str_buf(&enc_session->ssno), SNO_LENGTH);
MW_BEGIN(&mw, QTAG_SHLO, 9 + include_reset_token, buf);
MW_WRITE_LS_STR(&mw, QTAG_STK, &enc_session->sstk);
MW_WRITE_LS_STR(&mw, QTAG_SNO, &enc_session->ssno);
MW_WRITE_BUFFER(&mw, QTAG_VER, enc_session->enpub->enp_ver_tags_buf,
enc_session->enpub->enp_ver_tags_len);
MW_WRITE_UINT32(&mw, QTAG_SMHL, 1);
MW_WRITE_UINT32(&mw, QTAG_ICSL, settings->es_idle_conn_to / 1000000);
MW_WRITE_BUFFER(&mw, QTAG_PUBS, pub_key, sizeof(pub_key));
MW_WRITE_UINT32(&mw, QTAG_MIDS, settings->es_max_streams_in);
if (include_reset_token)
{
MW_WRITE_TABLE_ENTRY(&mw, QTAG_SRST, SRST_LENGTH);
lsquic_tg_generate_sreset(enc_session->enpub->enp_tokgen,
&enc_session->cid, MW_P(&mw));
MW_ADVANCE_P(&mw, SRST_LENGTH);
}
MW_WRITE_UINT32(&mw, QTAG_CFCW, settings->es_cfcw);
MW_WRITE_UINT32(&mw, QTAG_SFCW, settings->es_sfcw);
MW_END(&mw);
assert(buf + buf_len >= MW_P(&mw));
len = MW_P(&mw) - buf;
LSQ_DEBUG("gen_shlo_data called, return len %d.", len);
return len;
}
/* Generate key based on issuer and serial number. The key has the following
* structure:
*
* size_t length of issuer. This field is required to prevent
* the chance (however remote) that concatenation of
* the next two fields is ambiguous.
* uint8_t[] DER-encoded issuer
* uint8_t[] Serial number represented as sequence of bytes output
* by BN_bn2bin
*
* Return size of the key or zero on error.
*/
static size_t
gen_iasn_key (X509 *cert, unsigned char *const out, size_t const sz)
{
const unsigned char *name_bytes;
size_t name_sz;
X509_NAME *name;
ASN1_INTEGER *sernum;
BIGNUM *bn;
unsigned bn_sz;
name = X509_get_issuer_name(cert);
if (!name)
return 0;
if (!X509_NAME_get0_der(name, &name_bytes, &name_sz))
return 0;
sernum = X509_get_serialNumber(cert);
if (!sernum)
return 0;
bn = ASN1_INTEGER_to_BN(sernum, NULL);
if (!bn)
return 0;
bn_sz = BN_num_bytes(bn);
if (sizeof(size_t) + name_sz + bn_sz > sz)
{
BN_free(bn);
return 0;
}
memcpy(out, &name_sz, sizeof(name_sz));
memcpy(out + sizeof(name_sz), name_bytes, name_sz);
BN_bn2bin(bn, out + sizeof(name_sz) + name_sz);
BN_free(bn);
return sizeof(name_sz) + name_sz + bn_sz;
}
static enum {
GET_SNI_OK,
GET_SNI_ERR,
}
get_sni_SSL_CTX(struct lsquic_enc_session *enc_session, lsquic_lookup_cert_f cb,
void *cb_ctx, const struct sockaddr *local)
{
X509 *crt = NULL;
unsigned char *out;
int len;
lsquic_str_t crtstr;
cert_item_t *item;
struct ssl_ctx_st *ssl_ctx;
size_t key_sz;
unsigned char key[0x400];
if (!enc_session->ssl_ctx)
{
if (!cb)
return GET_SNI_ERR;
ssl_ctx = cb(cb_ctx, local, lsquic_str_cstr(&enc_session->hs_ctx.sni));
if (ssl_ctx == NULL)
return GET_SNI_ERR;
enc_session->ssl_ctx = ssl_ctx;
}
if (enc_session->cert_ptr == NULL)
{
crt = SSL_CTX_get0_certificate(enc_session->ssl_ctx);
if (!crt)
return GET_SNI_ERR;
key_sz = gen_iasn_key(crt, key, sizeof(key));
if (key_sz)
{
item = find_cert(enc_session->enpub, key, key_sz);
if (item)
LSQ_DEBUG("found cert in cache");
else
{
out = NULL;
len = i2d_X509(crt, &out);
if (len < 0)
return GET_SNI_ERR;
lsquic_str_set(&crtstr, (char *) out, len);
item = insert_cert(enc_session->enpub, key, key_sz, &crtstr);
if (item)
{
OPENSSL_free(out);
LSQ_DEBUG("inserted cert into cache");
}
else
{
LSQ_DEBUG("cert insertion failed, keep own copy");
goto copy;
}
}
enc_session->cert_ptr = item->crt;
}
else
{
LSQ_INFO("cannot generate cert cache key, make copy");
out = NULL;
len = i2d_X509(crt, &out);
if (len < 0)
return GET_SNI_ERR;
copy: enc_session->cert_ptr = lsquic_str_new((char *) out, len);
OPENSSL_free(out);
if (!enc_session->cert_ptr)
return GET_SNI_ERR;
enc_session->es_flags |= ES_FREE_CERT_PTR;
}
}
return GET_SNI_OK;
}
/***
* Comments: data and len are the frame(s) parsed data, no packet header.
* return rtt number:
* 1 for rej1 and 0 for shlo
* DATA_NOT_ENOUGH(-2) for not enough data,
* DATA_FORMAT_ERROR(-1) all other errors
* HS_DELAYED handshake delayed
*/
static enum handshake_error
handle_chlo_frames_data(const uint8_t *data, int len,
struct lsquic_enc_session *enc_session,
lsquic_lookup_cert_f cb, void *cb_ctx,
const struct sockaddr *local,
const struct lsquic_shared_hash_if *shi,
void *shi_ctx, const struct sockaddr *ip, time_t t)
{
/* start to parse it */
// struct lsquic_enc_session *enc_session = retrive_enc_session(cid);
uint32_t head_tag;
enum handshake_error rtt;
int ret;
LSQ_DEBUG("handle_chlo_frames_data called.");
ret = parse_hs(enc_session, data, len, &head_tag);
if (ret)
{
LSQ_DEBUG("handle_chlo_frames_data parse_hs error,s o quit.");
return ret;
}
if (head_tag != QTAG_CHLO)
{
LSQ_DEBUG("handle_chlo_frames_data got data format error 1.");
return DATA_FORMAT_ERROR;
}
rtt = determine_rtts(enc_session, ip, t);
ESHIST_APPEND(enc_session, ESHE_MULTI2_2BITS + rtt);
lsquic_str_setto(&enc_session->chlo, (const char *)data, len);
switch (get_sni_SSL_CTX(enc_session, cb, cb_ctx, local))
{
case GET_SNI_ERR:
ESHIST_APPEND(enc_session, ESHE_SNI_FAIL);
LSQ_DEBUG("handle_chlo_frames_data got data format error 2.");
return DATA_FORMAT_ERROR;
default:
break;
}
LSQ_DEBUG("handle_chlo_frames_data return %d.", rtt);
return rtt;
}
static int handle_chlo_reply_verify_prof(struct lsquic_enc_session *enc_session,
lsquic_str_t **out_certs,
size_t *out_certs_count,
lsquic_str_t *cached_certs,
int cached_certs_count)
{
const unsigned char *dummy = (unsigned char *) "";
const unsigned char *const in = enc_session->hs_ctx.ccert
? enc_session->hs_ctx.ccert->buf : dummy;
const unsigned char *const in_end = enc_session->hs_ctx.ccert
? in + enc_session->hs_ctx.ccert->len : 0;
EVP_PKEY *pub_key;
int ret;
size_t i;
X509 *cert, *server_cert;
STACK_OF(X509) *chain = NULL;
ret = lsquic_decompress_certs(in, in_end,cached_certs, cached_certs_count,
out_certs, out_certs_count);
if (ret)
return ret;
server_cert = lsquic_bio_to_crt((const char *)lsquic_str_cstr(out_certs[0]),
lsquic_str_len(out_certs[0]), 0);
pub_key = X509_get_pubkey(server_cert);
ret = lsquic_verify_prof((const uint8_t *)lsquic_str_cstr(&enc_session->chlo),
(size_t)lsquic_str_len(&enc_session->chlo),
&enc_session->info->scfg,
pub_key,
(const uint8_t *)lsquic_str_cstr(&enc_session->hs_ctx.prof),
lsquic_str_len(&enc_session->hs_ctx.prof));
EVP_PKEY_free(pub_key);
if (ret != 0)
{
LSQ_DEBUG("cannot verify server proof");
goto cleanup;
}
if (enc_session->enpub->enp_verify_cert)
{
chain = sk_X509_new_null();
sk_X509_push(chain, server_cert);
for (i = 1; i < *out_certs_count; ++i)
{
cert = lsquic_bio_to_crt((const char *)lsquic_str_cstr(out_certs[i]),
lsquic_str_len(out_certs[i]), 0);
if (cert)
sk_X509_push(chain, cert);
else
{
LSQ_WARN("cannot push certificate to stack");
ret = -1;
goto cleanup;
}
}
ret = enc_session->enpub->enp_verify_cert(
enc_session->enpub->enp_verify_ctx, chain);
LSQ_INFO("server certificate verification %ssuccessful",
ret == 0 ? "" : "not ");
}
EV_LOG_CHECK_CERTS(&enc_session->cid, (const lsquic_str_t **)out_certs, *out_certs_count);
cleanup:
if (chain)
sk_X509_free(chain);
X509_free(server_cert);
return ret;
}
static void
setup_aead_ctx (const struct lsquic_enc_session *enc_session,
EVP_AEAD_CTX **ctx, unsigned char key[], int key_len,
unsigned char *key_copy)
{
const EVP_AEAD *aead_ = EVP_aead_aes_128_gcm();
const int auth_tag_size = enc_session->es_flags & ES_GQUIC2
? IQUIC_TAG_LEN : GQUIC_PACKET_HASH_SZ;
if (*ctx)
{
EVP_AEAD_CTX_cleanup(*ctx);
}
else
*ctx = (EVP_AEAD_CTX *)malloc(sizeof(EVP_AEAD_CTX));
EVP_AEAD_CTX_init(*ctx, aead_, key, key_len, auth_tag_size, NULL);
if (key_copy)
memcpy(key_copy, key, key_len);
}
static int
determine_diversification_key (enc_session_t *enc_session_p,
uint8_t *diversification_nonce)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
const int is_client = !(enc_session->es_flags & ES_SERVER);
EVP_AEAD_CTX **ctx_s_key;
unsigned char *key_i, *iv;
const size_t iv_len = enc_session->es_flags & ES_GQUIC2
? IQUIC_IV_LEN : aes128_iv_len;
uint8_t ikm[aes128_key_len + MAX_IV_LEN];
char str_buf[DNONC_LENGTH * 2 + 1];
if (is_client)
{
ctx_s_key = &enc_session->dec_ctx_i;
key_i = enc_session->dec_key_i;
iv = enc_session->dec_key_nonce_i;
}
else
{
ctx_s_key = &enc_session->enc_ctx_i;
key_i = enc_session->enc_key_i;
iv = enc_session->enc_key_nonce_i;
}
memcpy(ikm, key_i, aes128_key_len);
memcpy(ikm + aes128_key_len, iv, iv_len);
lsquic_export_key_material(ikm, aes128_key_len + iv_len,
diversification_nonce, DNONC_LENGTH,
(const unsigned char *) "QUIC key diversification", 24,
0, NULL, aes128_key_len, key_i, 0, NULL,
iv_len, iv, NULL, NULL, NULL);
setup_aead_ctx(enc_session, ctx_s_key, key_i, aes128_key_len, NULL);
if (enc_session->es_flags & ES_LOG_SECRETS)
{
LSQ_DEBUG("determine_diversification_keys nonce: %s",
HEXSTR(diversification_nonce, DNONC_LENGTH, str_buf));
LSQ_DEBUG("determine_diversification_keys diversification key: %s",
HEXSTR(key_i, aes128_key_len, str_buf));
LSQ_DEBUG("determine_diversification_keys diversification iv: %s",
HEXSTR(iv, iv_len, str_buf));
}
return 0;
}
/* After CHLO msg generatered, call it to determine_keys */
static void
determine_keys (struct lsquic_enc_session *enc_session)
{
lsquic_str_t *chlo = &enc_session->chlo;
const int is_client = !(enc_session->es_flags & ES_SERVER);
uint8_t shared_key_c[32];
const size_t iv_len = enc_session->es_flags & ES_GQUIC2
? IQUIC_IV_LEN : aes128_iv_len;
unsigned char *nonce_c;
unsigned char *hkdf_input, *hkdf_input_p;
unsigned char c_key[aes128_key_len];
unsigned char s_key[aes128_key_len];
unsigned char *c_key_bin = NULL;
unsigned char *s_key_bin = NULL;
unsigned char *c_iv;
unsigned char *s_iv;
uint8_t *c_hp, *s_hp;
size_t nonce_len, hkdf_input_len;
unsigned char sub_key[32];
EVP_AEAD_CTX **ctx_c_key, **ctx_s_key;
char key_flag;
char str_buf[512];
hkdf_input_len = (enc_session->have_key == 0 ? 18 + 1 : 33 + 1)
+ enc_session->cid.len
+ lsquic_str_len(chlo)
+ (is_client
? lsquic_str_len(&enc_session->info->scfg)
: (size_t) enc_session->server_config->lsc_scfg->info.scfg_len)
+ lsquic_str_len(enc_session->cert_ptr);
hkdf_input = malloc(hkdf_input_len);
if (UNLIKELY(!hkdf_input))
{
LSQ_WARN("cannot allocate memory for hkdf_input");
return;
}
hkdf_input_p = hkdf_input;
if (enc_session->have_key == 0)
{
memcpy(hkdf_input_p, "QUIC key expansion\0", 18 + 1); /* Add a 0x00 */
hkdf_input_p += 18 + 1;
key_flag = 'I';
}
else
{
memcpy(hkdf_input_p, "QUIC forward secure key expansion\0", 33 + 1); /* Add a 0x00 */
hkdf_input_p += 33 + 1;
key_flag = 'F';
}
lsquic_c255_gen_share_key(enc_session->priv_key,
enc_session->hs_ctx.pubs,
(unsigned char *)shared_key_c);
if (is_client)
{
if (enc_session->have_key == 0)
{
ctx_c_key = &enc_session->enc_ctx_i;
ctx_s_key = &enc_session->dec_ctx_i;
c_iv = (unsigned char *) enc_session->enc_key_nonce_i;
s_iv = (unsigned char *) enc_session->dec_key_nonce_i;
c_key_bin = enc_session->enc_key_i;
s_key_bin = enc_session->dec_key_i;
c_hp = enc_session->es_flags & ES_GQUIC2
? enc_session->es_hps[GEL_EARLY][0] : NULL;
s_hp = enc_session->es_flags & ES_GQUIC2
? enc_session->es_hps[GEL_EARLY][1] : NULL;
}
else
{
ctx_c_key = &enc_session->enc_ctx_f;
ctx_s_key = &enc_session->dec_ctx_f;
c_iv = (unsigned char *) enc_session->enc_key_nonce_f;
s_iv = (unsigned char *) enc_session->dec_key_nonce_f;
c_hp = enc_session->es_flags & ES_GQUIC2
? enc_session->es_hps[GEL_FORW][0] : NULL;
s_hp = enc_session->es_flags & ES_GQUIC2
? enc_session->es_hps[GEL_FORW][1] : NULL;
}
}
else
{
if (enc_session->have_key == 0)
{
ctx_c_key = &enc_session->dec_ctx_i;
ctx_s_key = &enc_session->enc_ctx_i;
c_iv = (unsigned char *) enc_session->dec_key_nonce_i;
s_iv = (unsigned char *) enc_session->enc_key_nonce_i;
c_key_bin = enc_session->dec_key_i;
s_key_bin = enc_session->enc_key_i;
c_hp = enc_session->es_flags & ES_GQUIC2
? enc_session->es_hps[GEL_EARLY][1] : NULL;
s_hp = enc_session->es_flags & ES_GQUIC2
? enc_session->es_hps[GEL_EARLY][0] : NULL;
}
else
{
ctx_c_key = &enc_session->dec_ctx_f;
ctx_s_key = &enc_session->enc_ctx_f;
c_iv = (unsigned char *) enc_session->dec_key_nonce_f;
s_iv = (unsigned char *) enc_session->enc_key_nonce_f;
c_hp = enc_session->es_flags & ES_GQUIC2
? enc_session->es_hps[GEL_FORW][1] : NULL;
s_hp = enc_session->es_flags & ES_GQUIC2
? enc_session->es_hps[GEL_FORW][0] : NULL;
}
}
LSQ_DEBUG("export_key_material lsquic_c255_gen_share_key %s",
lsquic_get_bin_str(shared_key_c, 32, 512));
memcpy(hkdf_input_p, enc_session->cid.idbuf, enc_session->cid.len);
hkdf_input_p += enc_session->cid.len;
memcpy(hkdf_input_p, lsquic_str_cstr(chlo), lsquic_str_len(chlo)); /* CHLO msg */
hkdf_input_p += lsquic_str_len(chlo);
if (is_client)
{
memcpy(hkdf_input_p, lsquic_str_cstr(&enc_session->info->scfg),
lsquic_str_len(&enc_session->info->scfg)); /* scfg msg */
hkdf_input_p += lsquic_str_len(&enc_session->info->scfg);
}
else
{
memcpy(hkdf_input_p,
(const char *) enc_session->server_config->lsc_scfg->scfg,
enc_session->server_config->lsc_scfg->info.scfg_len);
hkdf_input_p += enc_session->server_config->lsc_scfg->info.scfg_len;
}
memcpy(hkdf_input_p, lsquic_str_cstr(enc_session->cert_ptr),
lsquic_str_len(enc_session->cert_ptr));
assert(hkdf_input + hkdf_input_len
== hkdf_input_p + lsquic_str_len(enc_session->cert_ptr));
LSQ_DEBUG("export_key_material hkdf_input %s",
HEXSTR(hkdf_input, hkdf_input_len, str_buf));
/* then need to use the salts and the shared_key_* to get the real aead key */
nonce_len = sizeof(enc_session->hs_ctx.nonc)
+ lsquic_str_len(&enc_session->ssno);
nonce_c = malloc(nonce_len);
if (UNLIKELY(!nonce_c))
{
LSQ_WARN("cannot allocate memory for nonce_c");
free(hkdf_input);
return;
}
memcpy(nonce_c, enc_session->hs_ctx.nonc, sizeof(enc_session->hs_ctx.nonc));
memcpy(nonce_c + sizeof(enc_session->hs_ctx.nonc),
lsquic_str_cstr(&enc_session->ssno),
lsquic_str_len(&enc_session->ssno));
LSQ_DEBUG("export_key_material nonce %s",
HEXSTR(nonce_c, nonce_len, str_buf));
lsquic_export_key_material(shared_key_c, 32,
nonce_c, nonce_len,
hkdf_input, hkdf_input_len,
aes128_key_len, c_key,
aes128_key_len, s_key,
iv_len, c_iv,
iv_len, s_iv,
sub_key,
c_hp, s_hp
);
setup_aead_ctx(enc_session, ctx_c_key, c_key, aes128_key_len, c_key_bin);
setup_aead_ctx(enc_session, ctx_s_key, s_key, aes128_key_len, s_key_bin);
free(nonce_c);
free(hkdf_input);
if (enc_session->es_flags & ES_LOG_SECRETS)
{
LSQ_DEBUG("***export_key_material '%c' c_key: %s", key_flag,
HEXSTR(c_key, aes128_key_len, str_buf));
LSQ_DEBUG("***export_key_material '%c' s_key: %s", key_flag,
HEXSTR(s_key, aes128_key_len, str_buf));
LSQ_DEBUG("***export_key_material '%c' c_iv: %s", key_flag,
HEXSTR(c_iv, iv_len, str_buf));
LSQ_DEBUG("***export_key_material '%c' s_iv: %s", key_flag,
HEXSTR(s_iv, iv_len, str_buf));
LSQ_DEBUG("***export_key_material '%c' subkey: %s", key_flag,
HEXSTR(sub_key, 32, str_buf));
if (c_hp)
LSQ_DEBUG("***export_key_material '%c' c_hp: %s", key_flag,
HEXSTR(c_hp, IQUIC_HP_LEN, str_buf));
if (s_hp)
LSQ_DEBUG("***export_key_material '%c' s_hp: %s", key_flag,
HEXSTR(s_hp, IQUIC_HP_LEN, str_buf));
}
}
/* 0 Match */
static int cached_certs_match(c_cert_item_t *item,
lsquic_str_t **certs, int count)
{
int i;
if (!item || item->count != count)
return -1;
for (i=0; i<count; ++i)
{
if (lsquic_str_bcmp(certs[i], &item->crts[i]) != 0)
return -1;
}
return 0;
}
static const char *
he2str (enum handshake_error he)
{
switch (he)
{
case DATA_NOT_ENOUGH: return "DATA_NOT_ENOUGH";
case HS_ERROR: return "HS_ERROR";
case HS_SHLO: return "HS_SHLO";
case HS_1RTT: return "HS_1RTT";
case HS_SREJ: return "HS_SREJ";
default:
assert(0); return "<unknown enum value>";
}
}
/* NOT packet, just the frames-data */
/* return rtt number:
* 0 OK
* DATA_NOT_ENOUGH(-2) for not enough data,
* DATA_FORMAT_ERROR(-1) all other errors
*/
static int
lsquic_enc_session_handle_chlo_reply (enc_session_t *enc_session_p,
const uint8_t *data, int len)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
uint32_t head_tag;
int ret, got_srej;
lsquic_session_cache_info_t *info = enc_session->info;
c_cert_item_t *cert_item = enc_session->cert_item;
/* FIXME get the number first */
lsquic_str_t **out_certs = NULL;
size_t out_certs_count = 0, i;
ret = parse_hs(enc_session, data, len, &head_tag);
if (ret)
goto end;
got_srej = head_tag == QTAG_SREJ;
switch (head_tag)
{
case QTAG_SREJ:
if (enc_session->es_flags & ES_RECV_SREJ)
{
LSQ_DEBUG("received second SREJ: handshake failed");
ret = -1;
goto end;
}
enc_session->es_flags |= ES_RECV_SREJ;
/* fall-through */
case QTAG_REJ:
enc_session->hsk_state = HSK_CHLO_REJ;
enc_session->es_flags |= ES_RECV_REJ;
break;
case QTAG_SHLO:
enc_session->hsk_state = HSK_COMPLETED;
EV_LOG_HSK_COMPLETED(&enc_session->cid);
if (!(enc_session->es_flags & ES_RECV_REJ))
EV_LOG_SESSION_RESUMPTION(&enc_session->cid);
break;
default:
ret = 1; /* XXX Why 1? */
goto end;
}
if (info->scfg_flag == 1)
{
ret = parse_hs(enc_session, (uint8_t *)lsquic_str_cstr(&info->scfg),
lsquic_str_len(&info->scfg), &head_tag);
/* After handled, set the length to 0 to avoid do it again*/
enc_session->info->scfg_flag = 2;
if (ret)
goto end;
if (got_srej)
{
if (lsquic_str_len(&enc_session->info->sstk))
ret = HS_SREJ;
else
{
LSQ_DEBUG("expected STK in SREJ message from the server");
ret = -1;
}
goto end;
}
if (enc_session->hs_ctx.ccert)
{
out_certs_count = lsquic_get_certs_count(enc_session->hs_ctx.ccert);
if (out_certs_count > 0)
{
out_certs = malloc(out_certs_count * sizeof(lsquic_str_t *));
if (!out_certs)
{
ret = -1;
goto end;
}
for (i=0; i<out_certs_count; ++i)
out_certs[i] = lsquic_str_new(NULL, 0);
ret = handle_chlo_reply_verify_prof(enc_session, out_certs,
&out_certs_count,
(cert_item ? cert_item->crts : NULL),
(cert_item ? cert_item->count : 0));
if (ret == 0)
{
if (out_certs_count > 0)
{
if (cached_certs_match(cert_item, out_certs,
out_certs_count) != 0)
{
cert_item = make_c_cert_item(out_certs,
out_certs_count);
enc_session->cert_item = cert_item;
enc_session->cert_ptr = &cert_item->crts[0];
}
}
}
for (i=0; i<out_certs_count; ++i)
lsquic_str_delete(out_certs[i]);
free(out_certs);
if (ret)
goto end;
}
}
}
if (enc_session->hsk_state == HSK_COMPLETED)
{
determine_keys(enc_session);
enc_session->have_key = 3;
}
end:
LSQ_DEBUG("lsquic_enc_session_handle_chlo_reply called, buf in %d, return %d.", len, ret);
EV_LOG_CONN_EVENT(&enc_session->cid, "%s returning %s", __func__,
he2str(ret));
return ret;
}
/** stk = 16 bytes IP ( V4 is 4 bytes, will add 12 byes 0 )
* + 8 bytes time
* + 36 bytes random bytes (24 bytes can be reserved for other using)
* then stk first 48 byte will be encrypted with AES128-GCM
* when encrypting, the salt is the last 12 bytes
*/
#ifdef NDEBUG
static
#endif
void
lsquic_gen_stk (lsquic_server_config_t *server_config, const struct sockaddr *ip_addr,
uint64_t tm, unsigned char stk_out[STK_LENGTH])
{
unsigned char stk[STK_LENGTH + 16];
size_t out_len = STK_LENGTH + 16;
memset(stk, 0 , 24);
if (AF_INET == ip_addr->sa_family)
memcpy(stk, &((struct sockaddr_in *)ip_addr)->sin_addr.s_addr, 4);
else
memcpy(stk, &((struct sockaddr_in6 *)ip_addr)->sin6_addr, 16);
memcpy(stk + 16, &tm, 8);
RAND_bytes(stk + 24, STK_LENGTH - 24 - 12);
RAND_bytes(stk_out + STK_LENGTH - 12, 12);
lsquic_aes_aead_enc(&server_config->lsc_stk_ctx, NULL, 0, stk_out + STK_LENGTH - 12, 12, stk,
STK_LENGTH - 12 - 12, stk_out, &out_len);
}
/* server using */
#ifdef NDEBUG
static
#endif
enum hsk_failure_reason
lsquic_verify_stk0 (const struct lsquic_enc_session *enc_session,
lsquic_server_config_t *server_config,
const struct sockaddr *ip_addr, uint64_t tm, lsquic_str_t *stk,
unsigned secs_since_stk_generated)
{
uint64_t tm0, exp;
unsigned char *const stks = (unsigned char *) lsquic_str_buf(stk);
unsigned char stk_out[STK_LENGTH];
size_t out_len = STK_LENGTH;
if (lsquic_str_len(stk) < STK_LENGTH)
return HFR_SRC_ADDR_TOKEN_INVALID;
int ret = lsquic_aes_aead_dec(&server_config->lsc_stk_ctx, NULL, 0,
stks + STK_LENGTH - 12, 12, stks,
STK_LENGTH - 12, stk_out, &out_len);
if (ret != 0)
{
LSQ_DEBUG("***lsquic_verify_stk decrypted failed.");
return HFR_SRC_ADDR_TOKEN_DECRYPTION;
}
if (AF_INET == ip_addr->sa_family)
{
if (memcmp(stk_out, &((struct sockaddr_in *)ip_addr)->sin_addr.s_addr, 4) != 0)
{
LSQ_DEBUG("***lsquic_verify_stk for ipv4 failed.");
return HFR_SRC_ADDR_TOKEN_DIFFERENT_IP_ADDRESS;
}
}
else
{
if (memcmp(stk_out, &((struct sockaddr_in6 *)ip_addr)->sin6_addr, 16) != 0)
{
LSQ_DEBUG("***lsquic_verify_stk for ipv6 failed.");
return HFR_SRC_ADDR_TOKEN_DIFFERENT_IP_ADDRESS;
}
}
memcpy((void *)&tm0, stk_out + 16, 8);
if (tm < tm0)
{
LSQ_DEBUG("***lsquic_verify_stk timestamp is in the future.");
return HFR_SRC_ADDR_TOKEN_CLOCK_SKEW;
}
if (secs_since_stk_generated)
exp = tm0 + secs_since_stk_generated;
else
exp = server_config->lsc_scfg->info.expy;
if (tm > server_config->lsc_scfg->info.expy /* XXX this check does not seem needed */ ||
tm0 > exp)
{
LSQ_DEBUG("***lsquic_verify_stk stk expired");
return HFR_SRC_ADDR_TOKEN_EXPIRED;
}
LSQ_DEBUG("***lsquic_verify_stk pass.");
return HFR_HANDSHAKE_OK;
}
/* 0, verified, other fail */
#ifdef NDEBUG
static
#endif
enum hsk_failure_reason
lsquic_verify_stk (enc_session_t *enc_session_p,
const struct sockaddr *ip_addr, uint64_t tm, lsquic_str_t *stk)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
if (lsquic_str_len(&enc_session->sstk) > 0)
{
ESHIST_APPEND(enc_session, ESHE_HAS_SSTK);
if (0 == lsquic_str_bcmp(&enc_session->sstk, &enc_session->hs_ctx.stk))
return HFR_HANDSHAKE_OK;
else
return HFR_SRC_ADDR_TOKEN_INVALID;
}
else
return lsquic_verify_stk0(enc_session, enc_session->server_config,
ip_addr, tm, stk, 0);
}
static uint64_t combine_path_id_pack_num(uint8_t path_id, uint64_t pack_num)
{
uint64_t v = ((uint64_t)path_id << 56) | pack_num;
return v;
}
# define IS_SERVER(session) ((session)->es_flags & ES_SERVER)
static int
verify_packet_hash (const struct lsquic_enc_session *enc_session,
enum lsquic_version version, const unsigned char *buf, size_t *header_len,
size_t data_len, unsigned char *buf_out, size_t max_out_len,
size_t *out_len)
{
uint8_t md[HS_PKT_HASH_LENGTH];
uint128 hash;
int ret;
if (data_len < HS_PKT_HASH_LENGTH)
return -1;
if (!enc_session || (IS_SERVER(enc_session)))
hash = lsquic_fnv1a_128_3(buf, *header_len,
buf + *header_len + HS_PKT_HASH_LENGTH,
data_len - HS_PKT_HASH_LENGTH,
(unsigned char *) "Client", 6);
else
hash = lsquic_fnv1a_128_3(buf, *header_len,
buf + *header_len + HS_PKT_HASH_LENGTH,
data_len - HS_PKT_HASH_LENGTH,
(unsigned char *) "Server", 6);
lsquic_serialize_fnv128_short(hash, md);
ret = memcmp(md, buf + *header_len, HS_PKT_HASH_LENGTH);
if(ret == 0)
{
*header_len += HS_PKT_HASH_LENGTH;
*out_len = data_len - HS_PKT_HASH_LENGTH;
if (max_out_len < *header_len + *out_len)
return -1;
memcpy(buf_out, buf, *header_len + *out_len);
return 0;
}
else
return -1;
}
static enum enc_level
decrypt_packet (struct lsquic_enc_session *enc_session, uint8_t path_id,
uint64_t pack_num, unsigned char *buf, size_t *header_len,
size_t data_len, unsigned char *buf_out, size_t max_out_len,
size_t *out_len)
{
int ret;
/* Comment: 12 = sizeof(dec_key_iv] 4 + sizeof(pack_num) 8 */
uint8_t nonce[12];
uint64_t path_id_packet_number;
EVP_AEAD_CTX *key = NULL;
int try_times = 0;
enum enc_level enc_level;
path_id_packet_number = combine_path_id_pack_num(path_id, pack_num);
memcpy(buf_out, buf, *header_len);
do
{
if (enc_session->have_key == 3 && try_times == 0)
{
key = enc_session->dec_ctx_f;
memcpy(nonce, enc_session->dec_key_nonce_f, 4);
LSQ_DEBUG("decrypt_packet using 'F' key...");
enc_level = ENC_LEV_FORW;
}
else
{
key = enc_session->dec_ctx_i;
memcpy(nonce, enc_session->dec_key_nonce_i, 4);
LSQ_DEBUG("decrypt_packet using 'I' key...");
enc_level = ENC_LEV_INIT;
}
memcpy(nonce + 4, &path_id_packet_number,
sizeof(path_id_packet_number));
*out_len = data_len;
ret = lsquic_aes_aead_dec(key,
buf, *header_len,
nonce, 12,
buf + *header_len, data_len,
buf_out + *header_len, out_len);
if (ret != 0)
++try_times;
else
{
if (enc_session->peer_have_final_key == 0 &&
enc_session->have_key == 3 &&
try_times == 0)
{
LSQ_DEBUG("!!!decrypt_packet find peer have final key.");
enc_session->peer_have_final_key = 1;
EV_LOG_CONN_EVENT(&enc_session->cid, "settled on private key "
"'%c' after %d tries (packet number %"PRIu64")",
key == enc_session->dec_ctx_f ? 'F' : 'I',
try_times, pack_num);
}
break;
}
}
while (try_times < 2);
LSQ_DEBUG("***decrypt_packet %s.", (ret == 0 ? "succeed" : "failed"));
return ret == 0 ? enc_level : (enum enc_level) -1;
}
static int
lsquic_enc_session_have_key_gt_one (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
return enc_session && enc_session->have_key > 1;
}
/* The size of `buf' is *header_len plus data_len. The two parts of the
* buffer correspond to the header and the payload of incoming QUIC packet.
*/
static enum enc_level
lsquic_enc_session_decrypt (struct lsquic_enc_session *enc_session,
enum lsquic_version version,
uint8_t path_id, uint64_t pack_num,
unsigned char *buf, size_t *header_len, size_t data_len,
unsigned char *diversification_nonce,
unsigned char *buf_out, size_t max_out_len, size_t *out_len)
{
/* Client: got SHLO which should have diversification_nonce */
if (diversification_nonce && enc_session && enc_session->have_key == 1)
{
determine_diversification_key(enc_session, diversification_nonce);
enc_session->have_key = 2;
}
if (lsquic_enc_session_have_key_gt_one(enc_session))
return decrypt_packet(enc_session, path_id, pack_num, buf,
header_len, data_len, buf_out, max_out_len, out_len);
else if (0 == verify_packet_hash(enc_session, version, buf, header_len,
data_len, buf_out, max_out_len, out_len))
return ENC_LEV_CLEAR;
else
return -1;
}
static enum dec_packin
gquic_decrypt_packet (enc_session_t *enc_session_p,
struct lsquic_engine_public *enpub,
const struct lsquic_conn *lconn,
struct lsquic_packet_in *packet_in)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
size_t header_len, data_len;
enum enc_level enc_level;
size_t out_len = 0;
unsigned char *copy = lsquic_mm_get_packet_in_buf(&enpub->enp_mm, 1370);
if (!copy)
{
LSQ_WARN("cannot allocate memory to copy incoming packet data");
return DECPI_NOMEM;
}
assert(packet_in->pi_data);
header_len = packet_in->pi_header_sz;
data_len = packet_in->pi_data_sz - packet_in->pi_header_sz;
enc_level = lsquic_enc_session_decrypt(enc_session,
lconn->cn_version, 0,
packet_in->pi_packno, packet_in->pi_data,
&header_len, data_len,
lsquic_packet_in_nonce(packet_in),
copy, 1370, &out_len);
if ((enum enc_level) -1 == enc_level)
{
lsquic_mm_put_packet_in_buf(&enpub->enp_mm, copy, 1370);
EV_LOG_CONN_EVENT(&lconn->cn_cid, "could not decrypt packet %"PRIu64,
packet_in->pi_packno);
return DECPI_BADCRYPT;
}
assert(header_len + out_len <= 1370);
if (packet_in->pi_flags & PI_OWN_DATA)
lsquic_mm_put_packet_in_buf(&enpub->enp_mm, packet_in->pi_data, 1370);
packet_in->pi_data = copy;
packet_in->pi_flags |= PI_OWN_DATA | PI_DECRYPTED
| (enc_level << PIBIT_ENC_LEV_SHIFT);
packet_in->pi_header_sz = header_len;
packet_in->pi_data_sz = out_len + header_len;
EV_LOG_CONN_EVENT(&lconn->cn_cid, "decrypted packet %"PRIu64,
packet_in->pi_packno);
return DECPI_OK;
}
static enum enc_level
gquic_encrypt_buf (struct lsquic_enc_session *enc_session,
enum lsquic_version version,
uint8_t path_id, uint64_t pack_num,
const unsigned char *header, size_t header_len,
const unsigned char *data, size_t data_len,
unsigned char *buf_out, size_t max_out_len, size_t *out_len,
int is_hello)
{
uint8_t md[HS_PKT_HASH_LENGTH];
uint128 hash;
int ret;
enum enc_level enc_level;
int is_chlo = (is_hello && ((IS_SERVER(enc_session)) == 0));
int is_shlo = (is_hello && (IS_SERVER(enc_session)));
/* Comment: 12 = sizeof(dec_key_iv] 4 + sizeof(pack_num) 8 */
uint8_t nonce[12];
uint64_t path_id_packet_number;
EVP_AEAD_CTX *key;
if (enc_session)
LSQ_DEBUG("%s: hsk_state: %d", __func__, enc_session->hsk_state);
else
LSQ_DEBUG("%s: enc_session is not set", __func__);
if (!enc_session || enc_session->have_key == 0 || is_chlo)
{
*out_len = header_len + data_len + HS_PKT_HASH_LENGTH;
if (max_out_len < *out_len)
return -1;
if (!enc_session || (IS_SERVER(enc_session)))
hash = lsquic_fnv1a_128_3(header, header_len, data, data_len,
(unsigned char *) "Server", 6);
else
hash = lsquic_fnv1a_128_3(header, header_len, data, data_len,
(unsigned char *) "Client", 6);
lsquic_serialize_fnv128_short(hash, md);
memcpy(buf_out, header, header_len);
memcpy(buf_out + header_len, md, HS_PKT_HASH_LENGTH);
memcpy(buf_out + header_len + HS_PKT_HASH_LENGTH, data, data_len);
return ENC_LEV_CLEAR;
}
else
{
if (enc_session->have_key != 3 || is_shlo ||
((IS_SERVER(enc_session)) &&
enc_session->server_start_use_final_key == 0))
{
LSQ_DEBUG("lsquic_enc_session_encrypt using 'I' key...");
key = enc_session->enc_ctx_i;
memcpy(nonce, enc_session->enc_key_nonce_i, 4);
if (is_shlo && enc_session->have_key == 3)
{
enc_session->server_start_use_final_key = 1;
}
enc_level = ENC_LEV_INIT;
}
else
{
LSQ_DEBUG("lsquic_enc_session_encrypt using 'F' key...");
key = enc_session->enc_ctx_f;
memcpy(nonce, enc_session->enc_key_nonce_f, 4);
enc_level = ENC_LEV_FORW;
}
path_id_packet_number = combine_path_id_pack_num(path_id, pack_num);
memcpy(nonce + 4, &path_id_packet_number,
sizeof(path_id_packet_number));
memcpy(buf_out, header, header_len);
*out_len = max_out_len - header_len;
ret = lsquic_aes_aead_enc(key, header, header_len, nonce, 12, data,
data_len, buf_out + header_len, out_len);
if (ret == 0)
{
*out_len += header_len;
return enc_level;
}
else
return -1;
}
}
/* server */
/* out_len should have init value as the max length of out */
/* return -1 error, 0, SHLO, 1, RTT1, 2, RTT2, DELAYED */
static enum handshake_error
lsquic_enc_session_handle_chlo(enc_session_t *enc_session_p,
enum lsquic_version version,
const uint8_t *in, int in_len, time_t t,
const struct sockaddr *peer,
const struct sockaddr *local,
uint8_t *out, size_t *out_len,
uint8_t nonce[DNONC_LENGTH], int *nonce_set)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
enum handshake_error rtt;
int len;
lsquic_server_config_t *server_config;
const struct lsquic_engine_public *const enpub = enc_session->enpub;
const struct lsquic_shared_hash_if *const shi = enpub->enp_shi;
void *const shi_ctx = enpub->enp_shi_ctx;
server_config = get_valid_scfg(enc_session, enpub);
if (!server_config)
return HS_ERROR;
assert(server_config->lsc_scfg);
enc_session->server_config = server_config;
*nonce_set = 0;
rtt = handle_chlo_frames_data(in, in_len, enc_session,
enpub->enp_lookup_cert, enpub->enp_cert_lu_ctx,
local, shi, shi_ctx, peer, t);
if (rtt == HS_1RTT)
{
LSQ_DEBUG("lsquic_enc_session_handle_chlo call gen_rej1_data");
len = gen_rej1_data(enc_session, out, *out_len, peer, t);
if (len < 0)
{
rtt = HS_ERROR;
goto end;
}
*out_len = len;
}
else if (rtt == HS_SHLO)
{
enc_session->have_key = 0;
determine_keys(enc_session);
enc_session->have_key = 1;
if (lsquic_str_len(&enc_session->hs_ctx.stk) > 0)
{
shi->shi_delete(shi_ctx, lsquic_str_cstr(&enc_session->hs_ctx.stk),
lsquic_str_len(&enc_session->hs_ctx.stk));
}
LSQ_DEBUG("lsquic_enc_session_handle_chlo call gen_shlo_data");
len = gen_shlo_data(out, *out_len, enc_session, version, peer,
t, nonce);
if (len < 0)
{
rtt = HS_ERROR;
goto end;
}
*out_len = len;
*nonce_set = 1;
determine_diversification_key(enc_session, nonce);
enc_session->have_key = 2;
determine_keys(enc_session);
enc_session->have_key = 3;
enc_session->hsk_state = HSK_COMPLETED;
LSQ_DEBUG("lsquic_enc_session_handle_chlo have_key 3 hsk_state HSK_COMPLETED.");
}
end:
EV_LOG_CONN_EVENT(&enc_session->cid, "%s returning %s", __func__,
he2str(rtt));
return rtt;
}
static int
lsquic_enc_session_get_peer_option (enc_session_t *enc_session_p,
uint32_t tag)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
switch (tag)
{
case QTAG_NSTP:
return !!(enc_session->hs_ctx.opts & HOPT_NSTP);
case QTAG_SREJ:
return !!(enc_session->hs_ctx.opts & HOPT_SREJ);
default:
assert(0);
return 0;
}
}
/* Query a several parameters sent by the peer that are required by
* connection.
*/
static int
lsquic_enc_session_get_peer_setting (enc_session_t *enc_session_p,
uint32_t tag, uint32_t *val)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
switch (tag)
{
case QTAG_TCID:
if (enc_session->hs_ctx.set & HSET_TCID)
{
*val = enc_session->hs_ctx.tcid;
return 0;
}
else
return -1;
case QTAG_SMHL:
if (enc_session->hs_ctx.set & HSET_SMHL)
{
*val = enc_session->hs_ctx.smhl;
return 0;
}
else
return -1;
case QTAG_IRTT:
if (enc_session->hs_ctx.set & HSET_IRTT)
{
*val = enc_session->hs_ctx.irtt;
return 0;
}
else
return -1;
}
/* XXX For the following values, there is no record which were present
* in CHLO or SHLO and which were not. Assume that zero means that
* they weren't present.
*/
if (IS_SERVER(enc_session))
switch (tag)
{
case QTAG_CFCW:
if (enc_session->hs_ctx.scfcw)
{
*val = enc_session->hs_ctx.scfcw;
return 0;
}
else
return -1;
case QTAG_SFCW:
if (enc_session->hs_ctx.ssfcw)
{
*val = enc_session->hs_ctx.ssfcw;
return 0;
}
else
return -1;
case QTAG_MIDS:
if (enc_session->hs_ctx.smids)
{
*val = enc_session->hs_ctx.smids;
return 0;
}
else
return -1;
default:
return -1;
}
else
switch (tag)
{
case QTAG_CFCW:
if (enc_session->hs_ctx.cfcw)
{
*val = enc_session->hs_ctx.cfcw;
return 0;
}
else
return -1;
case QTAG_SFCW:
if (enc_session->hs_ctx.sfcw)
{
*val = enc_session->hs_ctx.sfcw;
return 0;
}
else
return -1;
case QTAG_MIDS:
if (enc_session->hs_ctx.mids)
{
*val = enc_session->hs_ctx.mids;
return 0;
}
else
return -1;
default:
return -1;
}
}
static const char *
lsquic_enc_session_cipher (enc_session_t *enc_session_p)
{
return LN_aes_128_gcm; /* TODO: get this string from enc_session */
}
static int
lsquic_enc_session_keysize (enc_session_t *enc_session_p)
{
return 128 /* bits */ / 8; /* TODO: get this info from enc_session */
}
static int
lsquic_enc_session_alg_keysize (enc_session_t *enc_session_p)
{
return 16; /* TODO: get this info from enc_session */
}
#if LSQUIC_KEEP_ENC_SESS_HISTORY
static void
lsquic_get_enc_hist (enc_session_t *enc_session_p,
char buf[(1 << ESHIST_BITS) + 1])
{
struct lsquic_enc_session *const enc_session = enc_session_p;
const unsigned hist_idx = ESHIST_MASK & enc_session->es_hist_idx;
if (enc_session->es_hist_buf[hist_idx] == ESHE_EMPTY)
memcpy(buf, enc_session->es_hist_buf, hist_idx + 1);
else
{
memcpy(buf, enc_session->es_hist_buf + hist_idx, sizeof(enc_session->es_hist_buf) - hist_idx);
memcpy(buf + hist_idx, enc_session->es_hist_buf, hist_idx);
buf[(1 << ESHIST_BITS)] = '\0';
}
}
#endif
static const char *
lsquic_enc_session_get_ua (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
if (enc_session && lsquic_str_len(&enc_session->hs_ctx.uaid) > 0)
return lsquic_str_buf(&enc_session->hs_ctx.uaid);
else
return NULL;
}
static const char *
lsquic_enc_session_get_sni (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
return lsquic_str_cstr(&enc_session->hs_ctx.sni);
}
#ifndef NDEBUG
static uint8_t
lsquic_enc_session_have_key (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
return enc_session->have_key;
}
static void
lsquic_enc_session_set_have_key (enc_session_t *enc_session_p, uint8_t val)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
enc_session->have_key = val;
}
static const unsigned char *
lsquic_enc_session_get_enc_key_i (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
return enc_session->enc_key_i;
}
static const unsigned char *
lsquic_enc_session_get_dec_key_i (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
return enc_session->dec_key_i;
}
static const unsigned char *
lsquic_enc_session_get_enc_key_nonce_i (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
return enc_session->enc_key_nonce_i;
}
static const unsigned char *
lsquic_enc_session_get_dec_key_nonce_i (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
return enc_session->dec_key_nonce_i;
}
static const unsigned char *
lsquic_enc_session_get_enc_key_nonce_f (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
return enc_session->enc_key_nonce_f;
}
static const unsigned char *
lsquic_enc_session_get_dec_key_nonce_f (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
return enc_session->dec_key_nonce_f;
}
#endif /* not defined NDEBUG */
static size_t
lsquic_enc_session_mem_used (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
size_t size;
size = sizeof(*enc_session);
size += lsquic_str_len(&enc_session->chlo);
size += lsquic_str_len(&enc_session->sstk);
size += lsquic_str_len(&enc_session->ssno);
size += lsquic_str_len(&enc_session->hs_ctx.ccs);
size += lsquic_str_len(&enc_session->hs_ctx.uaid);
size += lsquic_str_len(&enc_session->hs_ctx.sni);
size += lsquic_str_len(&enc_session->hs_ctx.ccrt);
size += lsquic_str_len(&enc_session->hs_ctx.stk);
size += lsquic_str_len(&enc_session->hs_ctx.sno);
size += lsquic_str_len(&enc_session->hs_ctx.prof);
size += lsquic_str_len(&enc_session->hs_ctx.csct);
if (enc_session->hs_ctx.ccert)
size += enc_session->hs_ctx.ccert->len
+ sizeof(*enc_session->hs_ctx.ccert);
if (enc_session->info)
{
size += sizeof(*enc_session->info);
size += lsquic_str_len(&enc_session->info->sstk);
size += lsquic_str_len(&enc_session->info->scfg);
size += lsquic_str_len(&enc_session->info->sni_key);
}
/* TODO: calculate memory taken up by SSL stuff */
return size;
}
static int
lsquic_enc_session_verify_reset_token (enc_session_t *enc_session_p,
const unsigned char *buf, size_t bufsz)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
if (bufsz == SRST_LENGTH
&& 0 == (enc_session->es_flags & ES_SERVER)
&& (enc_session->hs_ctx.set & HSET_SRST)
&& 0 == memcmp(buf, enc_session->hs_ctx.srst, SRST_LENGTH))
return 0;
else
return -1;
}
static int
lsquic_enc_session_did_sess_resume_succeed (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
return !(enc_session->es_flags & ES_RECV_REJ);
}
static int
lsquic_enc_session_is_sess_resume_enabled (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
return enc_session->info && enc_session->cert_item;
}
static ssize_t
gquic_really_encrypt_packet (struct lsquic_enc_session *enc_session,
const struct lsquic_conn *lconn, struct lsquic_packet_out *packet_out,
unsigned char *buf, size_t bufsz)
{
int header_sz, is_hello_packet;
enum enc_level enc_level;
size_t packet_sz;
unsigned char header_buf[GQUIC_MAX_PUBHDR_SZ];
header_sz = lconn->cn_pf->pf_gen_reg_pkt_header(lconn, packet_out,
header_buf, sizeof(header_buf), NULL, NULL);
if (header_sz < 0)
return -1;
is_hello_packet = !!(packet_out->po_flags & PO_HELLO);
enc_level = gquic_encrypt_buf(enc_session, lconn->cn_version, 0,
packet_out->po_packno, header_buf, header_sz,
packet_out->po_data, packet_out->po_data_sz,
buf, bufsz, &packet_sz, is_hello_packet);
if ((int) enc_level >= 0)
{
LSQ_DEBUG("encrypted packet %"PRIu64"; plaintext is %zu bytes, "
"ciphertext is %zd bytes",
packet_out->po_packno,
lconn->cn_pf->pf_packout_size(lconn, packet_out) +
packet_out->po_data_sz,
packet_sz);
lsquic_packet_out_set_enc_level(packet_out, enc_level);
return packet_sz;
}
else
return -1;
}
static STACK_OF(X509) *
lsquic_enc_session_get_server_cert_chain (enc_session_t *enc_session_p)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
const struct c_cert_item_st *item;
STACK_OF(X509) *chain;
X509 *cert;
int i;
if (enc_session->es_flags & ES_SERVER)
return NULL;
item = enc_session->cert_item;
if (!item)
{
LSQ_WARN("could not find certificates for `%.*s'",
(int) lsquic_str_len(&enc_session->hs_ctx.sni),
lsquic_str_cstr(&enc_session->hs_ctx.sni));
return NULL;
}
chain = sk_X509_new_null();
for (i = 0; i < item->count; ++i)
{
cert = lsquic_bio_to_crt(lsquic_str_cstr(&item->crts[i]),
lsquic_str_len(&item->crts[i]), 0);
if (cert)
sk_X509_push(chain, cert);
else
{
sk_X509_free(chain);
return NULL;
}
}
return chain;
}
static void
maybe_dispatch_sess_resume (enc_session_t *enc_session_p,
void (*cb)(struct lsquic_conn *, const unsigned char *, size_t))
{
struct lsquic_enc_session *const enc_session = enc_session_p;
struct lsquic_conn *const lconn = enc_session->es_conn;
void *buf;
size_t sz;
int i;
if (!(enc_session->info && enc_session->cert_item && cb))
{
LSQ_DEBUG("no session resumption information or callback is not set");
return;
}
for (sz = 0, i = 0; i < enc_session->cert_item->count; ++i)
{
sz += sizeof(uint32_t);
sz += lsquic_str_len(&enc_session->cert_item->crts[i]);
}
sz += sizeof(struct lsquic_sess_resume_storage);
buf = malloc(sz);
if (!buf)
{
LSQ_WARN("malloc failed: cannot allocate %zu bytes for session "
"resumption", sz);
return;
}
lsquic_enc_session_serialize_sess_resume(
(struct lsquic_sess_resume_storage *) buf, lconn->cn_version,
enc_session->info, enc_session->cert_item);
cb(lconn, buf, sz);
free(buf);
}
static enum enc_packout
gquic_encrypt_packet (enc_session_t *enc_session_p,
const struct lsquic_engine_public *enpub,
struct lsquic_conn *lconn, struct lsquic_packet_out *packet_out)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
ssize_t enc_sz;
size_t bufsz;
unsigned char *buf;
int ipv6;
assert(!enc_session || lconn == enc_session->es_conn);
bufsz = lconn->cn_pf->pf_packout_size(lconn, packet_out);
if (bufsz > USHRT_MAX)
return ENCPA_BADCRYPT; /* To cause connection to close */
ipv6 = NP_IS_IPv6(packet_out->po_path);
buf = enpub->enp_pmi->pmi_allocate(enpub->enp_pmi_ctx,
packet_out->po_path->np_peer_ctx, lconn->cn_conn_ctx,
bufsz, ipv6);
if (!buf)
{
LSQ_DEBUG("could not allocate memory for outgoing packet of size %zd",
bufsz);
return ENCPA_NOMEM;
}
enc_sz = gquic_really_encrypt_packet(enc_session,
lconn, packet_out, buf, bufsz);
if (enc_sz < 0)
{
enpub->enp_pmi->pmi_return(enpub->enp_pmi_ctx,
packet_out->po_path->np_peer_ctx, buf, ipv6);
return ENCPA_BADCRYPT;
}
packet_out->po_enc_data = buf;
packet_out->po_enc_data_sz = enc_sz;
packet_out->po_sent_sz = enc_sz;
packet_out->po_flags &= ~PO_IPv6;
packet_out->po_flags |= PO_ENCRYPTED|PO_SENT_SZ|(ipv6 << POIPv6_SHIFT);
packet_out->po_dcid_len = GQUIC_CID_LEN;
return ENCPA_OK;
}
static void
gquic_esf_set_conn (enc_session_t *enc_session_p, struct lsquic_conn *lconn)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
enc_session->es_conn = lconn;
LSQ_DEBUG("updated conn reference");
}
#ifdef NDEBUG
const
#endif
struct enc_session_funcs_common lsquic_enc_session_common_gquic_1 =
{
.esf_global_init = lsquic_handshake_init,
.esf_global_cleanup = lsquic_handshake_cleanup,
.esf_cipher = lsquic_enc_session_cipher,
.esf_keysize = lsquic_enc_session_keysize,
.esf_alg_keysize = lsquic_enc_session_alg_keysize,
.esf_get_sni = lsquic_enc_session_get_sni,
.esf_encrypt_packet = gquic_encrypt_packet,
.esf_decrypt_packet = gquic_decrypt_packet,
.esf_tag_len = GQUIC_PACKET_HASH_SZ,
.esf_get_server_cert_chain = lsquic_enc_session_get_server_cert_chain,
.esf_verify_reset_token = lsquic_enc_session_verify_reset_token,
.esf_did_sess_resume_succeed = lsquic_enc_session_did_sess_resume_succeed,
.esf_is_sess_resume_enabled = lsquic_enc_session_is_sess_resume_enabled,
.esf_set_conn = gquic_esf_set_conn,
};
static void
gquic2_gen_hp_mask (struct lsquic_enc_session *enc_session,
const unsigned char hp[IQUIC_HP_LEN],
const unsigned char *sample, unsigned char mask[EVP_MAX_BLOCK_LENGTH])
{
const EVP_CIPHER *const cipher = EVP_aes_128_ecb();
EVP_CIPHER_CTX hp_ctx;
int out_len;
EVP_CIPHER_CTX_init(&hp_ctx);
if (EVP_EncryptInit_ex(&hp_ctx, cipher, NULL, hp, 0)
&& EVP_EncryptUpdate(&hp_ctx, mask, &out_len, sample, 16))
{
assert(out_len >= 5);
}
else
{
LSQ_WARN("cannot generate hp mask, error code: %"PRIu32,
ERR_get_error());
enc_session->es_conn->cn_if->ci_internal_error(enc_session->es_conn,
"cannot generate hp mask, error code: %"PRIu32, ERR_get_error());
}
(void) EVP_CIPHER_CTX_cleanup(&hp_ctx);
if (0)
{
char hp_str[IQUIC_HP_LEN * 2 + 1], sample_str[16 * 2 + 1];
LSQ_DEBUG("generated hp mask using hp %s and sample %s",
HEXSTR(hp, IQUIC_HP_LEN, hp_str),
HEXSTR(sample, 16, sample_str));
}
}
static void
gquic2_apply_hp (struct lsquic_enc_session *enc_session,
enum gel gel, unsigned char *dst, unsigned packno_off,
unsigned sample_off, unsigned packno_len)
{
unsigned char mask[EVP_MAX_BLOCK_LENGTH];
char mask_str[5 * 2 + 1];
gquic2_gen_hp_mask(enc_session, enc_session->es_hps[gel][0],
dst + sample_off, mask);
LSQ_DEBUG("apply header protection using mask %s",
HEXSTR(mask, 5, mask_str));
dst[0] ^= (0xF | (((dst[0] & 0x80) == 0) << 4)) & mask[0];
switch (packno_len)
{
case 4:
dst[packno_off + 3] ^= mask[4];
/* fall-through */
case 3:
dst[packno_off + 2] ^= mask[3];
/* fall-through */
case 2:
dst[packno_off + 1] ^= mask[2];
/* fall-through */
default:
dst[packno_off + 0] ^= mask[1];
}
}
static const enum gel hety2gel[] =
{
[HETY_NOT_SET] = GEL_FORW,
[HETY_VERNEG] = 0,
[HETY_INITIAL] = GEL_CLEAR,
[HETY_RETRY] = 0,
[HETY_HANDSHAKE] = GEL_CLEAR,
[HETY_0RTT] = GEL_EARLY,
};
static const char *const gel2str[] =
{
[GEL_CLEAR] = "clear",
[GEL_EARLY] = "early",
[GEL_FORW] = "forw-secure",
};
static const enum enc_level gel2el[] =
{
[GEL_CLEAR] = ENC_LEV_CLEAR,
[GEL_EARLY] = ENC_LEV_EARLY,
[GEL_FORW] = ENC_LEV_FORW,
};
static enum enc_packout
gquic2_esf_encrypt_packet (enc_session_t *enc_session_p,
const struct lsquic_engine_public *enpub, struct lsquic_conn *lconn_UNUSED,
struct lsquic_packet_out *packet_out)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
struct lsquic_conn *const lconn = enc_session->es_conn;
EVP_AEAD_CTX *aead_ctx;
unsigned char *dst;
enum gel gel;
unsigned char nonce_buf[ IQUIC_IV_LEN + 8 ];
unsigned char *nonce, *begin_xor;
lsquic_packno_t packno;
size_t out_sz, dst_sz;
int header_sz;
int ipv6;
unsigned packno_off, packno_len, sample_off, divers_nonce_len;
char errbuf[ERR_ERROR_STRING_BUF_LEN];
gel = hety2gel[ packet_out->po_header_type ];
aead_ctx = enc_session->es_aead_ctxs[gel][0];
if (UNLIKELY(!aead_ctx))
{
LSQ_WARN("encrypt crypto context at level %s not initialized",
gel2str[gel]);
return ENCPA_BADCRYPT;
}
if (packet_out->po_data_sz < 3)
{
/* [draft-ietf-quic-tls-20] Section 5.4.2 */
enum packno_bits bits = lsquic_packet_out_packno_bits(packet_out);
/* XXX same packet rules as in IETF QUIC? */
unsigned len = iquic_packno_bits2len(bits);
if (packet_out->po_data_sz + len < 4)
{
len = 4 - packet_out->po_data_sz - len;
memset(packet_out->po_data + packet_out->po_data_sz, 0, len);
packet_out->po_data_sz += len;
packet_out->po_frame_types |= QUIC_FTBIT_PADDING;
LSQ_DEBUG("padded packet %"PRIu64" with %u bytes of PADDING",
packet_out->po_packno, len);
}
}
dst_sz = lconn->cn_pf->pf_packout_size(lconn, packet_out);
ipv6 = NP_IS_IPv6(packet_out->po_path);
dst = enpub->enp_pmi->pmi_allocate(enpub->enp_pmi_ctx,
packet_out->po_path->np_peer_ctx, lconn->cn_conn_ctx,
dst_sz, ipv6);
if (!dst)
{
LSQ_DEBUG("could not allocate memory for outgoing packet of size %zd",
dst_sz);
return ENCPA_NOMEM;
}
/* Align nonce so we can perform XOR safely in one shot: */
begin_xor = nonce_buf + sizeof(nonce_buf) - 8;
begin_xor = (unsigned char *) ((uintptr_t) begin_xor & ~0x7);
nonce = begin_xor - IQUIC_IV_LEN + 8;
memcpy(nonce, enc_session->es_ivs[gel][0], IQUIC_IV_LEN);
packno = packet_out->po_packno;
#if __BYTE_ORDER == __LITTLE_ENDIAN
packno = bswap_64(packno);
#endif
*((uint64_t *) begin_xor) ^= packno;
header_sz = lconn->cn_pf->pf_gen_reg_pkt_header(lconn, packet_out, dst,
dst_sz, &packno_off, &packno_len);
if (header_sz < 0)
goto err;
if (s_log_seal_and_open)
{
LSQ_DEBUG("seal: iv (%u bytes): %s", IQUIC_IV_LEN,
HEXSTR(nonce, IQUIC_IV_LEN, s_str));
LSQ_DEBUG("seal: ad (%u bytes): %s", header_sz,
HEXSTR(dst, header_sz, s_str));
LSQ_DEBUG("seal: in (%hu bytes): %s", packet_out->po_data_sz,
HEXSTR(packet_out->po_data, packet_out->po_data_sz, s_str));
}
if (!EVP_AEAD_CTX_seal(aead_ctx, dst + header_sz, &out_sz,
dst_sz - header_sz, nonce, IQUIC_IV_LEN,
packet_out->po_data, packet_out->po_data_sz, dst, header_sz))
{
LSQ_WARN("cannot seal packet #%"PRIu64": %s", packet_out->po_packno,
ERR_error_string(ERR_get_error(), errbuf));
goto err;
}
assert(out_sz == dst_sz - header_sz);
if (!packet_out->po_nonce)
divers_nonce_len = 0;
else
{
assert(enc_session->es_flags & ES_SERVER);
assert(gel == GEL_EARLY);
divers_nonce_len = DNONC_LENGTH;
}
sample_off = packno_off + divers_nonce_len + 4;
assert(sample_off + IQUIC_TAG_LEN <= dst_sz);
gquic2_apply_hp(enc_session, gel, dst, packno_off, sample_off, packno_len);
packet_out->po_enc_data = dst;
packet_out->po_enc_data_sz = dst_sz;
packet_out->po_sent_sz = dst_sz;
packet_out->po_flags &= ~PO_IPv6;
packet_out->po_flags |= PO_ENCRYPTED|PO_SENT_SZ|(ipv6 << POIPv6_SHIFT);
lsquic_packet_out_set_enc_level(packet_out, gel2el[gel]);
return ENCPA_OK;
err:
enpub->enp_pmi->pmi_return(enpub->enp_pmi_ctx,
packet_out->po_path->np_peer_ctx, dst, ipv6);
return ENCPA_BADCRYPT;
}
/* XXX this is an exact copy, can reuse */
static lsquic_packno_t
decode_packno (lsquic_packno_t max_packno, lsquic_packno_t packno,
unsigned shift)
{
lsquic_packno_t candidates[3], epoch_delta;
int64_t diffs[3];
unsigned min;;
epoch_delta = 1ULL << shift;
candidates[1] = (max_packno & ~(epoch_delta - 1)) + packno;
candidates[0] = candidates[1] - epoch_delta;
candidates[2] = candidates[1] + epoch_delta;
diffs[0] = llabs((int64_t) candidates[0] - (int64_t) max_packno);
diffs[1] = llabs((int64_t) candidates[1] - (int64_t) max_packno);
diffs[2] = llabs((int64_t) candidates[2] - (int64_t) max_packno);
min = diffs[1] < diffs[0];
if (diffs[2] < diffs[min])
min = 2;
return candidates[min];
}
static lsquic_packno_t
gquic2_strip_hp (struct lsquic_enc_session *enc_session,
enum gel gel, const unsigned char *iv, unsigned char *dst,
unsigned packno_off, unsigned *packno_len)
{
lsquic_packno_t packno;
unsigned shift;
unsigned char mask[EVP_MAX_BLOCK_LENGTH];
char mask_str[5 * 2 + 1];
gquic2_gen_hp_mask(enc_session, enc_session->es_hps[gel][1], iv, mask);
LSQ_DEBUG("strip header protection using mask %s",
HEXSTR(mask, 5, mask_str));
dst[0] ^= (0xF | (((dst[0] & 0x80) == 0) << 4)) & mask[0];
packno = 0;
shift = 0;
*packno_len = 1 + (dst[0] & 3);
switch (*packno_len)
{
case 4:
dst[packno_off + 3] ^= mask[4];
packno |= dst[packno_off + 3];
shift += 8;
/* fall-through */
case 3:
dst[packno_off + 2] ^= mask[3];
packno |= (unsigned) dst[packno_off + 2] << shift;
shift += 8;
/* fall-through */
case 2:
dst[packno_off + 1] ^= mask[2];
packno |= (unsigned) dst[packno_off + 1] << shift;
shift += 8;
/* fall-through */
default:
dst[packno_off + 0] ^= mask[1];
packno |= (unsigned) dst[packno_off + 0] << shift;
shift += 8;
}
return decode_packno(enc_session->es_max_packno, packno, shift);
}
static enum dec_packin
gquic2_esf_decrypt_packet (enc_session_t *enc_session_p,
struct lsquic_engine_public *enpub, const struct lsquic_conn *lconn,
struct lsquic_packet_in *packet_in)
{
struct lsquic_enc_session *const enc_session = enc_session_p;
unsigned char *dst;
unsigned char nonce_buf[ IQUIC_IV_LEN + 8 ];
unsigned char *nonce, *begin_xor;
unsigned sample_off, packno_len, divers_nonce_len;
enum gel gel;
lsquic_packno_t packno;
size_t out_sz;
enum dec_packin dec_packin;
const size_t dst_sz = packet_in->pi_data_sz;
char errbuf[ERR_ERROR_STRING_BUF_LEN];
dst = lsquic_mm_get_packet_in_buf(&enpub->enp_mm, dst_sz);
if (!dst)
{
LSQ_WARN("cannot allocate memory to copy incoming packet data");
dec_packin = DECPI_NOMEM;
goto err;
}
if (!(HETY_0RTT == packet_in->pi_header_type
&& !(enc_session->es_flags & ES_SERVER)))
divers_nonce_len = 0;
else
divers_nonce_len = DNONC_LENGTH;
gel = hety2gel[packet_in->pi_header_type];
if (UNLIKELY(!enc_session->es_aead_ctxs[gel][1]))
{
LSQ_INFO("decrypt crypto context at level %s not initialized",
gel2str[gel]);
dec_packin = DECPI_BADCRYPT;
goto err;
}
/* Decrypt packet number. After this operation, packet_in is adjusted:
* the packet number becomes part of the header.
*/
sample_off = packet_in->pi_header_sz + divers_nonce_len + 4;
if (sample_off + IQUIC_TAG_LEN > packet_in->pi_data_sz)
{
LSQ_INFO("packet data is too short: %hu bytes",
packet_in->pi_data_sz);
dec_packin = DECPI_TOO_SHORT;
goto err;
}
memcpy(dst, packet_in->pi_data, sample_off);
packet_in->pi_packno =
packno = gquic2_strip_hp(enc_session, gel,
packet_in->pi_data + sample_off,
dst, packet_in->pi_header_sz, &packno_len);
packet_in->pi_header_sz += packno_len;
if (UNLIKELY(divers_nonce_len))
{
if (enc_session->have_key == 1)
{
determine_diversification_key(enc_session,
dst + packet_in->pi_header_sz);
enc_session->have_key = 2;
}
packet_in->pi_header_sz += divers_nonce_len;
}
/* Align nonce so we can perform XOR safely in one shot: */
begin_xor = nonce_buf + sizeof(nonce_buf) - 8;
begin_xor = (unsigned char *) ((uintptr_t) begin_xor & ~0x7);
nonce = begin_xor - IQUIC_IV_LEN + 8;
memcpy(nonce, enc_session->es_ivs[gel][1], IQUIC_IV_LEN);
#if __BYTE_ORDER == __LITTLE_ENDIAN
packno = bswap_64(packno);
#endif
*((uint64_t *) begin_xor) ^= packno;
if (s_log_seal_and_open)
{
LSQ_DEBUG("open: iv (%u bytes): %s", IQUIC_IV_LEN,
HEXSTR(nonce, IQUIC_IV_LEN, s_str));
LSQ_DEBUG("open: ad (%u bytes): %s", packet_in->pi_header_sz,
HEXSTR(dst, packet_in->pi_header_sz, s_str));
LSQ_DEBUG("open: in (%u bytes): %s",
packet_in->pi_data_sz - packet_in->pi_header_sz,
HEXSTR(packet_in->pi_data + packet_in->pi_header_sz,
packet_in->pi_data_sz - packet_in->pi_header_sz, s_str));
}
if (!EVP_AEAD_CTX_open(enc_session->es_aead_ctxs[gel][1],
dst + packet_in->pi_header_sz, &out_sz,
dst_sz - packet_in->pi_header_sz, nonce, IQUIC_IV_LEN,
packet_in->pi_data + packet_in->pi_header_sz,
packet_in->pi_data_sz - packet_in->pi_header_sz,
dst, packet_in->pi_header_sz))
{
LSQ_INFO("cannot open packet #%"PRIu64": %s", packet_in->pi_packno,
ERR_error_string(ERR_get_error(), errbuf));
dec_packin = DECPI_BADCRYPT;
goto err;
}
/* Bits 2 and 3 are not set and don't need to be checked in gQUIC */
packet_in->pi_data_sz = packet_in->pi_header_sz + out_sz;
if (packet_in->pi_flags & PI_OWN_DATA)
lsquic_mm_put_packet_in_buf(&enpub->enp_mm, packet_in->pi_data,
packet_in->pi_data_sz);
packet_in->pi_data = dst;
packet_in->pi_flags |= PI_OWN_DATA | PI_DECRYPTED
| (gel2el[gel] << PIBIT_ENC_LEV_SHIFT);
EV_LOG_CONN_EVENT(LSQUIC_LOG_CONN_ID, "decrypted packet %"PRIu64,
packet_in->pi_packno);
if (packet_in->pi_packno > enc_session->es_max_packno)
enc_session->es_max_packno = packet_in->pi_packno;
return DECPI_OK;
err:
if (dst)
lsquic_mm_put_packet_in_buf(&enpub->enp_mm, dst, dst_sz);
EV_LOG_CONN_EVENT(LSQUIC_LOG_CONN_ID, "could not decrypt packet (type %s, "
"number %"PRIu64")", lsquic_hety2str[packet_in->pi_header_type],
packet_in->pi_packno);
return dec_packin;
}
#ifdef NDEBUG
const
#endif
/* Q050 and later */
struct enc_session_funcs_common lsquic_enc_session_common_gquic_2 =
{
.esf_get_sni = lsquic_enc_session_get_sni,
.esf_global_init = lsquic_handshake_init,
.esf_global_cleanup = lsquic_handshake_cleanup,
.esf_cipher = lsquic_enc_session_cipher,
.esf_keysize = lsquic_enc_session_keysize,
.esf_alg_keysize = lsquic_enc_session_alg_keysize,
.esf_get_server_cert_chain = lsquic_enc_session_get_server_cert_chain,
.esf_verify_reset_token = lsquic_enc_session_verify_reset_token,
.esf_did_sess_resume_succeed = lsquic_enc_session_did_sess_resume_succeed,
.esf_is_sess_resume_enabled = lsquic_enc_session_is_sess_resume_enabled,
.esf_set_conn = gquic_esf_set_conn,
/* These are different from gquic_1: */
.esf_encrypt_packet = gquic2_esf_encrypt_packet,
.esf_decrypt_packet = gquic2_esf_decrypt_packet,
.esf_tag_len = IQUIC_TAG_LEN,
};
#ifdef NDEBUG
const
#endif
struct enc_session_funcs_gquic lsquic_enc_session_gquic_gquic_1 =
{
#if LSQUIC_KEEP_ENC_SESS_HISTORY
.esf_get_hist = lsquic_get_enc_hist,
#endif
.esf_destroy = lsquic_enc_session_destroy,
.esf_is_hsk_done = lsquic_enc_session_is_hsk_done,
.esf_get_peer_setting = lsquic_enc_session_get_peer_setting,
.esf_get_peer_option = lsquic_enc_session_get_peer_option,
.esf_create_server = lsquic_enc_session_create_server,
.esf_handle_chlo = lsquic_enc_session_handle_chlo,
.esf_get_ua = lsquic_enc_session_get_ua,
.esf_have_key_gt_one = lsquic_enc_session_have_key_gt_one,
#ifndef NDEBUG
.esf_determine_diversification_key = determine_diversification_key,
.esf_have_key = lsquic_enc_session_have_key,
.esf_set_have_key = lsquic_enc_session_set_have_key,
.esf_get_enc_key_i = lsquic_enc_session_get_enc_key_i,
.esf_get_dec_key_i = lsquic_enc_session_get_dec_key_i,
.esf_get_enc_key_nonce_i = lsquic_enc_session_get_enc_key_nonce_i,
.esf_get_dec_key_nonce_i = lsquic_enc_session_get_dec_key_nonce_i,
.esf_get_enc_key_nonce_f = lsquic_enc_session_get_enc_key_nonce_f,
.esf_get_dec_key_nonce_f = lsquic_enc_session_get_dec_key_nonce_f,
#endif /* !defined(NDEBUG) */
.esf_create_client = lsquic_enc_session_create_client,
.esf_gen_chlo = lsquic_enc_session_gen_chlo,
.esf_handle_chlo_reply = lsquic_enc_session_handle_chlo_reply,
.esf_mem_used = lsquic_enc_session_mem_used,
.esf_maybe_dispatch_sess_resume = maybe_dispatch_sess_resume,
.esf_reset_cid = lsquic_enc_session_reset_cid,
};
typedef char reset_token_lengths_match[
SRST_LENGTH == IQUIC_SRESET_TOKEN_SZ ? 1 : -1];
Reference in New Issue View Git Blame Copy Permalink