1 /*
2 * Copyright (c) 2016 DeNA Co., Ltd., Kazuho Oku
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining a copy
5 * of this software and associated documentation files (the "Software"), to
6 * deal in the Software without restriction, including without limitation the
7 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
8 * sell copies of the Software, and to permit persons to whom the Software is
9 * furnished to do so, subject to the following conditions:
10 *
11 * The above copyright notice and this permission notice shall be included in
12 * all copies or substantial portions of the Software.
13 *
14 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
19 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
20 * IN THE SOFTWARE.
21 */
22 #ifndef picotls_h
23 #define picotls_h
24
25 #ifdef __cplusplus
26 extern "C" {
27 #endif
28
29 #ifdef _WINDOWS
30 #include "wincompat.h"
31 #endif
32
33 #include <assert.h>
34 #include <inttypes.h>
35 #include <string.h>
36 #include <sys/types.h>
37
38 #if __GNUC__ >= 3
39 #define PTLS_LIKELY(x) __builtin_expect(!!(x), 1)
40 #define PTLS_UNLIKELY(x) __builtin_expect(!!(x), 0)
41 #define PTLS_BUILD_ASSERT_EXPR(cond) (sizeof(char[2 * !!(!__builtin_constant_p(cond) || (cond)) - 1]) != 0)
42 #define PTLS_BUILD_ASSERT(cond) ((void)PTLS_BUILD_ASSERT_EXPR(cond))
43 #else
44 #define PTLS_LIKELY(x) (x)
45 #define PTLS_UNLIKELY(x) (x)
46 #define PTLS_BUILD_ASSERT(cond) 1
47 #endif
48
49 /* __builtin_types_compatible_p yields incorrect results when older versions of GCC is used; see #303.
50 * Clang with Xcode 9.4 or prior is known to not work correctly when a pointer is const-qualified; see
51 * https://github.com/h2o/quicly/pull/306#issuecomment-626037269. Older versions of clang upstream works fine, but we do not need
52 * best coverage. This macro is for preventing misuse going into the master branch, having it work one of the compilers supported in
53 * our CI is enough.
54 */
55 #if ((defined(__clang__) && __clang_major__ >= 10) || __GNUC__ >= 6) && !defined(__cplusplus)
56 #define PTLS_ASSERT_IS_ARRAY_EXPR(a) PTLS_BUILD_ASSERT_EXPR(__builtin_types_compatible_p(__typeof__(a[0])[], __typeof__(a)))
57 #else
58 #define PTLS_ASSERT_IS_ARRAY_EXPR(a) 1
59 #endif
60
61 #define PTLS_ELEMENTSOF(x) (PTLS_ASSERT_IS_ARRAY_EXPR(x) * sizeof(x) / sizeof((x)[0]))
62
63 #ifdef _WINDOWS
64 #define PTLS_THREADLOCAL __declspec(thread)
65 #else
66 #define PTLS_THREADLOCAL __thread
67 #endif
68
69 #ifndef PTLS_FUZZ_HANDSHAKE
70 #define PTLS_FUZZ_HANDSHAKE 0
71 #endif
72
73 #define PTLS_HELLO_RANDOM_SIZE 32
74
75 #define PTLS_AES128_KEY_SIZE 16
76 #define PTLS_AES256_KEY_SIZE 32
77 #define PTLS_AES_BLOCK_SIZE 16
78 #define PTLS_AES_IV_SIZE 16
79 #define PTLS_AESGCM_IV_SIZE 12
80 #define PTLS_AESGCM_TAG_SIZE 16
81 #define PTLS_AESGCM_CONFIDENTIALITY_LIMIT 0x2000000 /* 2^25 */
82 #define PTLS_AESGCM_INTEGRITY_LIMIT UINT64_C(0x40000000000000) /* 2^54 */
83 #define PTLS_AESCCM_CONFIDENTIALITY_LIMIT 0xB504F3 /* 2^23.5 */
84 #define PTLS_AESCCM_INTEGRITY_LIMIT 0xB504F3 /* 2^23.5 */
85
86 #define PTLS_CHACHA20_KEY_SIZE 32
87 #define PTLS_CHACHA20_IV_SIZE 16
88 #define PTLS_CHACHA20POLY1305_IV_SIZE 12
89 #define PTLS_CHACHA20POLY1305_TAG_SIZE 16
90 #define PTLS_CHACHA20POLY1305_CONFIDENTIALITY_LIMIT UINT64_MAX /* at least 2^64 */
91 #define PTLS_CHACHA20POLY1305_INTEGRITY_LIMIT UINT64_C(0x1000000000) /* 2^36 */
92
93 #define PTLS_BLOWFISH_KEY_SIZE 16
94 #define PTLS_BLOWFISH_BLOCK_SIZE 8
95
96 #define PTLS_SHA256_BLOCK_SIZE 64
97 #define PTLS_SHA256_DIGEST_SIZE 32
98
99 #define PTLS_SHA384_BLOCK_SIZE 128
100 #define PTLS_SHA384_DIGEST_SIZE 48
101
102 #define PTLS_MAX_SECRET_SIZE 32
103 #define PTLS_MAX_IV_SIZE 16
104 #define PTLS_MAX_DIGEST_SIZE 64
105
106 /* cipher-suites */
107 #define PTLS_CIPHER_SUITE_AES_128_GCM_SHA256 0x1301
108 #define PTLS_CIPHER_SUITE_NAME_AES_128_GCM_SHA256 "TLS_AES_128_GCM_SHA256"
109 #define PTLS_CIPHER_SUITE_AES_256_GCM_SHA384 0x1302
110 #define PTLS_CIPHER_SUITE_NAME_AES_256_GCM_SHA384 "TLS_AES_256_GCM_SHA384"
111 #define PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256 0x1303
112 #define PTLS_CIPHER_SUITE_NAME_CHACHA20_POLY1305_SHA256 "TLS_CHACHA20_POLY1305_SHA256"
113
114 /* negotiated_groups */
115 #define PTLS_GROUP_SECP256R1 23
116 #define PTLS_GROUP_NAME_SECP256R1 "scep256r1"
117 #define PTLS_GROUP_SECP384R1 24
118 #define PTLS_GROUP_NAME_SECP384R1 "secp384r1"
119 #define PTLS_GROUP_SECP521R1 25
120 #define PTLS_GROUP_NAME_SECP521R1 "secp521r1"
121 #define PTLS_GROUP_X25519 29
122 #define PTLS_GROUP_NAME_X25519 "x25519"
123 #define PTLS_GROUP_X448 30
124 #define PTLS_GROUP_NAME_X448 "x448"
125
126 /* signature algorithms */
127 #define PTLS_SIGNATURE_RSA_PKCS1_SHA1 0x0201
128 #define PTLS_SIGNATURE_RSA_PKCS1_SHA256 0x0401
129 #define PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256 0x0403
130 #define PTLS_SIGNATURE_ECDSA_SECP384R1_SHA384 0x0503
131 #define PTLS_SIGNATURE_ECDSA_SECP521R1_SHA512 0x0603
132 #define PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256 0x0804
133 #define PTLS_SIGNATURE_RSA_PSS_RSAE_SHA384 0x0805
134 #define PTLS_SIGNATURE_RSA_PSS_RSAE_SHA512 0x0806
135 #define PTLS_SIGNATURE_ED25519 0x0807
136
137 /* ESNI */
138 #define PTLS_ESNI_VERSION_DRAFT03 0xff02
139
140 #define PTLS_ESNI_RESPONSE_TYPE_ACCEPT 0
141 #define PTLS_ESNI_RESPONSE_TYPE_RETRY_REQUEST 1
142
143 /* error classes and macros */
144 #define PTLS_ERROR_CLASS_SELF_ALERT 0
145 #define PTLS_ERROR_CLASS_PEER_ALERT 0x100
146 #define PTLS_ERROR_CLASS_INTERNAL 0x200
147
148 #define PTLS_ERROR_GET_CLASS(e) ((e) & ~0xff)
149 #define PTLS_ALERT_TO_SELF_ERROR(e) ((e) + PTLS_ERROR_CLASS_SELF_ALERT)
150 #define PTLS_ALERT_TO_PEER_ERROR(e) ((e) + PTLS_ERROR_CLASS_PEER_ALERT)
151 #define PTLS_ERROR_TO_ALERT(e) ((e)&0xff)
152
153 /* the HKDF prefix */
154 #define PTLS_HKDF_EXPAND_LABEL_PREFIX "tls13 "
155
156 /* alerts */
157 #define PTLS_ALERT_LEVEL_WARNING 1
158 #define PTLS_ALERT_LEVEL_FATAL 2
159
160 #define PTLS_ALERT_CLOSE_NOTIFY 0
161 #define PTLS_ALERT_UNEXPECTED_MESSAGE 10
162 #define PTLS_ALERT_BAD_RECORD_MAC 20
163 #define PTLS_ALERT_HANDSHAKE_FAILURE 40
164 #define PTLS_ALERT_BAD_CERTIFICATE 42
165 #define PTLS_ALERT_UNSUPPORTED_CERTIFICATE 43
166 #define PTLS_ALERT_CERTIFICATE_REVOKED 44
167 #define PTLS_ALERT_CERTIFICATE_EXPIRED 45
168 #define PTLS_ALERT_CERTIFICATE_UNKNOWN 46
169 #define PTLS_ALERT_ILLEGAL_PARAMETER 47
170 #define PTLS_ALERT_UNKNOWN_CA 48
171 #define PTLS_ALERT_ACCESS_DENIED 49
172 #define PTLS_ALERT_DECODE_ERROR 50
173 #define PTLS_ALERT_DECRYPT_ERROR 51
174 #define PTLS_ALERT_PROTOCOL_VERSION 70
175 #define PTLS_ALERT_INTERNAL_ERROR 80
176 #define PTLS_ALERT_USER_CANCELED 90
177 #define PTLS_ALERT_MISSING_EXTENSION 109
178 #define PTLS_ALERT_UNRECOGNIZED_NAME 112
179 #define PTLS_ALERT_CERTIFICATE_REQUIRED 116
180 #define PTLS_ALERT_NO_APPLICATION_PROTOCOL 120
181
182 /* internal errors */
183 #define PTLS_ERROR_NO_MEMORY (PTLS_ERROR_CLASS_INTERNAL + 1)
184 #define PTLS_ERROR_IN_PROGRESS (PTLS_ERROR_CLASS_INTERNAL + 2)
185 #define PTLS_ERROR_LIBRARY (PTLS_ERROR_CLASS_INTERNAL + 3)
186 #define PTLS_ERROR_INCOMPATIBLE_KEY (PTLS_ERROR_CLASS_INTERNAL + 4)
187 #define PTLS_ERROR_SESSION_NOT_FOUND (PTLS_ERROR_CLASS_INTERNAL + 5)
188 #define PTLS_ERROR_STATELESS_RETRY (PTLS_ERROR_CLASS_INTERNAL + 6)
189 #define PTLS_ERROR_NOT_AVAILABLE (PTLS_ERROR_CLASS_INTERNAL + 7)
190 #define PTLS_ERROR_COMPRESSION_FAILURE (PTLS_ERROR_CLASS_INTERNAL + 8)
191 #define PTLS_ERROR_ESNI_RETRY (PTLS_ERROR_CLASS_INTERNAL + 8)
192 #define PTLS_ERROR_REJECT_EARLY_DATA (PTLS_ERROR_CLASS_INTERNAL + 9)
193 #define PTLS_ERROR_DELEGATE (PTLS_ERROR_CLASS_INTERNAL + 10)
194
195 #define PTLS_ERROR_INCORRECT_BASE64 (PTLS_ERROR_CLASS_INTERNAL + 50)
196 #define PTLS_ERROR_PEM_LABEL_NOT_FOUND (PTLS_ERROR_CLASS_INTERNAL + 51)
197 #define PTLS_ERROR_BER_INCORRECT_ENCODING (PTLS_ERROR_CLASS_INTERNAL + 52)
198 #define PTLS_ERROR_BER_MALFORMED_TYPE (PTLS_ERROR_CLASS_INTERNAL + 53)
199 #define PTLS_ERROR_BER_MALFORMED_LENGTH (PTLS_ERROR_CLASS_INTERNAL + 54)
200 #define PTLS_ERROR_BER_EXCESSIVE_LENGTH (PTLS_ERROR_CLASS_INTERNAL + 55)
201 #define PTLS_ERROR_BER_ELEMENT_TOO_SHORT (PTLS_ERROR_CLASS_INTERNAL + 56)
202 #define PTLS_ERROR_BER_UNEXPECTED_EOC (PTLS_ERROR_CLASS_INTERNAL + 57)
203 #define PTLS_ERROR_DER_INDEFINITE_LENGTH (PTLS_ERROR_CLASS_INTERNAL + 58)
204 #define PTLS_ERROR_INCORRECT_ASN1_SYNTAX (PTLS_ERROR_CLASS_INTERNAL + 59)
205 #define PTLS_ERROR_INCORRECT_PEM_KEY_VERSION (PTLS_ERROR_CLASS_INTERNAL + 60)
206 #define PTLS_ERROR_INCORRECT_PEM_ECDSA_KEY_VERSION (PTLS_ERROR_CLASS_INTERNAL + 61)
207 #define PTLS_ERROR_INCORRECT_PEM_ECDSA_CURVE (PTLS_ERROR_CLASS_INTERNAL + 62)
208 #define PTLS_ERROR_INCORRECT_PEM_ECDSA_KEYSIZE (PTLS_ERROR_CLASS_INTERNAL + 63)
209 #define PTLS_ERROR_INCORRECT_ASN1_ECDSA_KEY_SYNTAX (PTLS_ERROR_CLASS_INTERNAL + 64)
210
211 #define PTLS_HANDSHAKE_TYPE_CLIENT_HELLO 1
212 #define PTLS_HANDSHAKE_TYPE_SERVER_HELLO 2
213 #define PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET 4
214 #define PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA 5
215 #define PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS 8
216 #define PTLS_HANDSHAKE_TYPE_CERTIFICATE 11
217 #define PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST 13
218 #define PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY 15
219 #define PTLS_HANDSHAKE_TYPE_FINISHED 20
220 #define PTLS_HANDSHAKE_TYPE_KEY_UPDATE 24
221 #define PTLS_HANDSHAKE_TYPE_COMPRESSED_CERTIFICATE 25
222 #define PTLS_HANDSHAKE_TYPE_MESSAGE_HASH 254
223
224 #define PTLS_CERTIFICATE_TYPE_X509 0
225 #define PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY 2
226
227 #define PTLS_ZERO_DIGEST_SHA256 \
228 { \
229 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, \
230 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 \
231 }
232
233 #define PTLS_ZERO_DIGEST_SHA384 \
234 { \
235 0x38, 0xb0, 0x60, 0xa7, 0x51, 0xac, 0x96, 0x38, 0x4c, 0xd9, 0x32, 0x7e, 0xb1, 0xb1, 0xe3, 0x6a, 0x21, 0xfd, 0xb7, 0x11, \
236 0x14, 0xbe, 0x07, 0x43, 0x4c, 0x0c, 0xc7, 0xbf, 0x63, 0xf6, 0xe1, 0xda, 0x27, 0x4e, 0xde, 0xbf, 0xe7, 0x6f, 0x65, \
237 0xfb, 0xd5, 0x1a, 0xd2, 0xf1, 0x48, 0x98, 0xb9, 0x5b \
238 }
239
240 typedef struct st_ptls_t ptls_t;
241 typedef struct st_ptls_context_t ptls_context_t;
242 typedef struct st_ptls_key_schedule_t ptls_key_schedule_t;
243
244 /**
245 * represents a sequence of octets
246 */
247 typedef struct st_ptls_iovec_t {
248 uint8_t *base;
249 size_t len;
250 } ptls_iovec_t;
251
252 /**
253 * used for storing output
254 */
255 typedef struct st_ptls_buffer_t {
256 uint8_t *base;
257 size_t capacity;
258 size_t off;
259 int is_allocated;
260 } ptls_buffer_t;
261
262 /**
263 * key exchange context built by ptls_key_exchange_algorithm::create.
264 */
265 typedef struct st_ptls_key_exchange_context_t {
266 /**
267 * the underlying algorithm
268 */
269 const struct st_ptls_key_exchange_algorithm_t *algo;
270 /**
271 * the public key
272 */
273 ptls_iovec_t pubkey;
274 /**
275 * If `release` is set, the callee frees resources allocated to the context and set *keyex to NULL
276 */
277 int (*on_exchange)(struct st_ptls_key_exchange_context_t **keyex, int release, ptls_iovec_t *secret, ptls_iovec_t peerkey);
278 } ptls_key_exchange_context_t;
279
280 /**
281 * A key exchange algorithm.
282 */
283 typedef const struct st_ptls_key_exchange_algorithm_t {
284 /**
285 * ID defined by the TLS specification
286 */
287 uint16_t id;
288 /**
289 * creates a context for asynchronous key exchange. The function is called when ClientHello is generated. The on_exchange
290 * callback of the created context is called when the client receives ServerHello.
291 */
292 int (*create)(const struct st_ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **ctx);
293 /**
294 * implements synchronous key exchange. Called when receiving a ServerHello.
295 */
296 int (*exchange)(const struct st_ptls_key_exchange_algorithm_t *algo, ptls_iovec_t *pubkey, ptls_iovec_t *secret,
297 ptls_iovec_t peerkey);
298 /**
299 * crypto-specific data
300 */
301 intptr_t data;
302 /**
303 * Description as defined in the IANA TLS registry
304 */
305 const char *name;
306 } ptls_key_exchange_algorithm_t;
307
308 /**
309 * context of a symmetric cipher
310 */
311 typedef struct st_ptls_cipher_context_t {
312 const struct st_ptls_cipher_algorithm_t *algo;
313 /* field above this line must not be altered by the crypto binding */
314 void (*do_dispose)(struct st_ptls_cipher_context_t *ctx);
315 void (*do_init)(struct st_ptls_cipher_context_t *ctx, const void *iv);
316 void (*do_transform)(struct st_ptls_cipher_context_t *ctx, void *output, const void *input, size_t len);
317 } ptls_cipher_context_t;
318
319 /**
320 * a symmetric cipher
321 */
322 typedef const struct st_ptls_cipher_algorithm_t {
323 const char *name;
324 size_t key_size;
325 size_t block_size;
326 size_t iv_size;
327 size_t context_size;
328 int (*setup_crypto)(ptls_cipher_context_t *ctx, int is_enc, const void *key);
329 } ptls_cipher_algorithm_t;
330
331 typedef struct st_ptls_aead_supplementary_encryption_t {
332 ptls_cipher_context_t *ctx;
333 const void *input;
334 uint8_t output[16];
335 } ptls_aead_supplementary_encryption_t;
336
337 /**
338 * AEAD context. AEAD implementations are allowed to stuff data at the end of the struct. The size of the memory allocated for the
339 * struct is governed by ptls_aead_algorithm_t::context_size.
340 */
341 typedef struct st_ptls_aead_context_t {
342 const struct st_ptls_aead_algorithm_t *algo;
343 /* field above this line must not be altered by the crypto binding */
344 void (*dispose_crypto)(struct st_ptls_aead_context_t *ctx);
345 void (*do_xor_iv)(struct st_ptls_aead_context_t *ctx, const void *bytes, size_t len);
346 void (*do_encrypt_init)(struct st_ptls_aead_context_t *ctx, uint64_t seq, const void *aad, size_t aadlen);
347 size_t (*do_encrypt_update)(struct st_ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen);
348 size_t (*do_encrypt_final)(struct st_ptls_aead_context_t *ctx, void *output);
349 void (*do_encrypt)(struct st_ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen, uint64_t seq,
350 const void *aad, size_t aadlen, ptls_aead_supplementary_encryption_t *supp);
351 size_t (*do_decrypt)(struct st_ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen, uint64_t seq,
352 const void *aad, size_t aadlen);
353 } ptls_aead_context_t;
354
355 /**
356 * An AEAD cipher.
357 */
358 typedef const struct st_ptls_aead_algorithm_t {
359 /**
360 * name (following the convention of `openssl ciphers -v ALL`)
361 */
362 const char *name;
363 /**
364 * confidentiality_limit (max records / packets sent before re-key)
365 */
366 const uint64_t confidentiality_limit;
367 /**
368 * integrity_limit (max decryption failure records / packets before re-key)
369 */
370 const uint64_t integrity_limit;
371 /**
372 * the underlying key stream
373 */
374 ptls_cipher_algorithm_t *ctr_cipher;
375 /**
376 * the underlying ecb cipher (might not be available)
377 */
378 ptls_cipher_algorithm_t *ecb_cipher;
379 /**
380 * key size
381 */
382 size_t key_size;
383 /**
384 * size of the IV
385 */
386 size_t iv_size;
387 /**
388 * size of the tag
389 */
390 size_t tag_size;
391 /**
392 * size of memory allocated for ptls_aead_context_t. AEAD implementations can set this value to something greater than
393 * sizeof(ptls_aead_context_t) and stuff additional data at the bottom of the struct.
394 */
395 size_t context_size;
396 /**
397 * callback that sets up the crypto
398 */
399 int (*setup_crypto)(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv);
400 } ptls_aead_algorithm_t;
401
402 /**
403 *
404 */
405 typedef enum en_ptls_hash_final_mode_t {
406 /**
407 * obtains the digest and frees the context
408 */
409 PTLS_HASH_FINAL_MODE_FREE = 0,
410 /**
411 * obtains the digest and reset the context to initial state
412 */
413 PTLS_HASH_FINAL_MODE_RESET = 1,
414 /**
415 * obtains the digest while leaving the context as-is
416 */
417 PTLS_HASH_FINAL_MODE_SNAPSHOT = 2
418 } ptls_hash_final_mode_t;
419
420 /**
421 * A hash context.
422 */
423 typedef struct st_ptls_hash_context_t {
424 /**
425 * feeds additional data into the hash context
426 */
427 void (*update)(struct st_ptls_hash_context_t *ctx, const void *src, size_t len);
428 /**
429 * returns the digest and performs necessary operation specified by mode
430 */
431 void (*final)(struct st_ptls_hash_context_t *ctx, void *md, ptls_hash_final_mode_t mode);
432 /**
433 * creates a copy of the hash context
434 */
435 struct st_ptls_hash_context_t *(*clone_)(struct st_ptls_hash_context_t *src);
436 } ptls_hash_context_t;
437
438 /**
439 * A hash algorithm and its properties.
440 */
441 typedef const struct st_ptls_hash_algorithm_t {
442 /**
443 * block size
444 */
445 size_t block_size;
446 /**
447 * digest size
448 */
449 size_t digest_size;
450 /**
451 * constructor that creates the hash context
452 */
453 ptls_hash_context_t *(*create)(void);
454 /**
455 * digest of zero-length octets
456 */
457 uint8_t empty_digest[PTLS_MAX_DIGEST_SIZE];
458 } ptls_hash_algorithm_t;
459
460 typedef const struct st_ptls_cipher_suite_t {
461 /**
462 * ID as defined by the TLS Cipher Suites registry
463 */
464 uint16_t id;
465 /**
466 * underlying AEAD algorithm
467 */
468 ptls_aead_algorithm_t *aead;
469 /**
470 * underlying hash algorithm
471 */
472 ptls_hash_algorithm_t *hash;
473 /**
474 * value of the "Description" field of the TLS Cipher Suites registry
475 */
476 const char *name;
477 } ptls_cipher_suite_t;
478
479 struct st_ptls_traffic_protection_t;
480
481 typedef struct st_ptls_message_emitter_t {
482 ptls_buffer_t *buf;
483 struct st_ptls_traffic_protection_t *enc;
484 size_t record_header_length;
485 int (*begin_message)(struct st_ptls_message_emitter_t *self);
486 int (*commit_message)(struct st_ptls_message_emitter_t *self);
487 } ptls_message_emitter_t;
488
489 /**
490 * holds ESNIKeys and the private key (instantiated by ptls_esni_parse, freed using ptls_esni_dispose)
491 */
492 typedef struct st_ptls_esni_context_t {
493 ptls_key_exchange_context_t **key_exchanges;
494 struct {
495 ptls_cipher_suite_t *cipher_suite;
496 uint8_t record_digest[PTLS_MAX_DIGEST_SIZE];
497 } * cipher_suites;
498 uint16_t padded_length;
499 uint64_t not_before;
500 uint64_t not_after;
501 uint16_t version;
502 } ptls_esni_context_t;
503
504 /**
505 * holds the ESNI secret, as exchanged during the handshake
506 */
507
508 #define PTLS_ESNI_NONCE_SIZE 16
509
510 typedef struct st_ptls_esni_secret_t {
511 ptls_iovec_t secret;
512 uint8_t nonce[PTLS_ESNI_NONCE_SIZE];
513 uint8_t esni_contents_hash[PTLS_MAX_DIGEST_SIZE];
514 struct {
515 ptls_key_exchange_algorithm_t *key_share;
516 ptls_cipher_suite_t *cipher;
517 ptls_iovec_t pubkey;
518 uint8_t record_digest[PTLS_MAX_DIGEST_SIZE];
519 uint16_t padded_length;
520 } client;
521 uint16_t version;
522 } ptls_esni_secret_t;
523
524 #define PTLS_CALLBACK_TYPE0(ret, name) \
525 typedef struct st_ptls_##name##_t { \
526 ret (*cb)(struct st_ptls_##name##_t * self); \
527 } ptls_##name##_t
528
529 #define PTLS_CALLBACK_TYPE(ret, name, ...) \
530 typedef struct st_ptls_##name##_t { \
531 ret (*cb)(struct st_ptls_##name##_t * self, __VA_ARGS__); \
532 } ptls_##name##_t
533
534 /**
535 * arguments passsed to the on_client_hello callback
536 */
537 typedef struct st_ptls_on_client_hello_parameters_t {
538 /**
539 * SNI value received from the client. The value is {NULL, 0} if the extension was absent.
540 */
541 ptls_iovec_t server_name;
542 /**
543 * Raw value of the client_hello message.
544 */
545 ptls_iovec_t raw_message;
546 /**
547 *
548 */
549 struct {
550 ptls_iovec_t *list;
551 size_t count;
552 } negotiated_protocols;
553 struct {
554 const uint16_t *list;
555 size_t count;
556 } signature_algorithms;
557 struct {
558 const uint16_t *list;
559 size_t count;
560 } certificate_compression_algorithms;
561 struct {
562 const uint16_t *list;
563 size_t count;
564 } cipher_suites;
565 struct {
566 const uint8_t *list;
567 size_t count;
568 } server_certificate_types;
569 /**
570 * if ESNI was used
571 */
572 unsigned esni : 1;
573 /**
574 * set to 1 if ClientHello is too old (or too new) to be handled by picotls
575 */
576 unsigned incompatible_version : 1;
577 } ptls_on_client_hello_parameters_t;
578
579 /**
580 * returns current time in milliseconds (ptls_get_time can be used to return the physical time)
581 */
582 PTLS_CALLBACK_TYPE0(uint64_t, get_time);
583 /**
584 * after receiving ClientHello, the core calls the optional callback to give a chance to the swap the context depending on the input
585 * values. The callback is required to call `ptls_set_server_name` if an SNI extension needs to be sent to the client.
586 */
587 PTLS_CALLBACK_TYPE(int, on_client_hello, ptls_t *tls, ptls_on_client_hello_parameters_t *params);
588 /**
589 * callback to generate the certificate message. `ptls_context::certificates` are set when the callback is set to NULL.
590 */
591 PTLS_CALLBACK_TYPE(int, emit_certificate, ptls_t *tls, ptls_message_emitter_t *emitter, ptls_key_schedule_t *key_sched,
592 ptls_iovec_t context, int push_status_request, const uint16_t *compress_algos, size_t num_compress_algos);
593 /**
594 * when gerenating CertificateVerify, the core calls the callback to sign the handshake context using the certificate.
595 */
596 PTLS_CALLBACK_TYPE(int, sign_certificate, ptls_t *tls, uint16_t *selected_algorithm, ptls_buffer_t *output, ptls_iovec_t input,
597 const uint16_t *algorithms, size_t num_algorithms);
598 /**
599 * after receiving Certificate, the core calls the callback to verify the certificate chain and to obtain a pointer to a
600 * callback that should be used for verifying CertificateVerify. If an error occurs between a successful return from this
601 * callback to the invocation of the verify_sign callback, verify_sign is called with both data and sign set to an empty buffer.
602 * The implementor of the callback should use that as the opportunity to free any temporary data allocated for the verify_sign
603 * callback.
604 */
605 typedef struct st_ptls_verify_certificate_t {
606 int (*cb)(struct st_ptls_verify_certificate_t *self, ptls_t *tls,
607 int (**verify_sign)(void *verify_ctx, uint16_t algo, ptls_iovec_t data, ptls_iovec_t sign), void **verify_data,
608 ptls_iovec_t *certs, size_t num_certs);
609 /**
610 * list of signature algorithms being supported, terminated by UINT16_MAX
611 */
612 const uint16_t *algos;
613 } ptls_verify_certificate_t;
614 /**
615 * Encrypt-and-signs (or verify-and-decrypts) a ticket (server-only).
616 * When used for encryption (i.e., is_encrypt being set), the function should return 0 if successful, or else a non-zero value.
617 * When used for decryption, the function should return 0 (successful), PTLS_ERROR_REJECT_EARLY_DATA (successful, but 0-RTT is
618 * forbidden), or any other value to indicate failure.
619 */
620 PTLS_CALLBACK_TYPE(int, encrypt_ticket, ptls_t *tls, int is_encrypt, ptls_buffer_t *dst, ptls_iovec_t src);
621 /**
622 * saves a ticket (client-only)
623 */
624 PTLS_CALLBACK_TYPE(int, save_ticket, ptls_t *tls, ptls_iovec_t input);
625 /**
626 * event logging (incl. secret logging)
627 */
628 typedef struct st_ptls_log_event_t {
629 void (*cb)(struct st_ptls_log_event_t *self, ptls_t *tls, const char *type, const char *fmt, ...)
630 __attribute__((format(printf, 4, 5)));
631 } ptls_log_event_t;
632 /**
633 * reference counting
634 */
635 PTLS_CALLBACK_TYPE(void, update_open_count, ssize_t delta);
636 /**
637 * applications that have their own record layer can set this function to derive their own traffic keys from the traffic secret.
638 * The cipher-suite that is being associated to the connection can be obtained by calling the ptls_get_cipher function.
639 */
640 PTLS_CALLBACK_TYPE(int, update_traffic_key, ptls_t *tls, int is_enc, size_t epoch, const void *secret);
641 /**
642 * callback for every extension detected during decoding
643 */
644 PTLS_CALLBACK_TYPE(int, on_extension, ptls_t *tls, uint8_t hstype, uint16_t exttype, ptls_iovec_t extdata);
645 /**
646 *
647 */
648 typedef struct st_ptls_decompress_certificate_t {
649 /**
650 * list of supported algorithms terminated by UINT16_MAX
651 */
652 const uint16_t *supported_algorithms;
653 /**
654 * callback that decompresses the message
655 */
656 int (*cb)(struct st_ptls_decompress_certificate_t *self, ptls_t *tls, uint16_t algorithm, ptls_iovec_t output,
657 ptls_iovec_t input);
658 } ptls_decompress_certificate_t;
659 /**
660 * provides access to the ESNI shared secret (Zx). API is subject to change.
661 */
662 PTLS_CALLBACK_TYPE(int, update_esni_key, ptls_t *tls, ptls_iovec_t secret, ptls_hash_algorithm_t *hash,
663 const void *hashed_esni_contents);
664
665 /**
666 * the configuration
667 */
668 struct st_ptls_context_t {
669 /**
670 * PRNG to be used
671 */
672 void (*random_bytes)(void *buf, size_t len);
673 /**
674 *
675 */
676 ptls_get_time_t *get_time;
677 /**
678 * list of supported key-exchange algorithms terminated by NULL
679 */
680 ptls_key_exchange_algorithm_t **key_exchanges;
681 /**
682 * list of supported cipher-suites terminated by NULL
683 */
684 ptls_cipher_suite_t **cipher_suites;
685 /**
686 * list of certificates
687 */
688 struct {
689 ptls_iovec_t *list;
690 size_t count;
691 } certificates;
692 /**
693 * list of ESNI data terminated by NULL
694 */
695 ptls_esni_context_t **esni;
696 /**
697 *
698 */
699 ptls_on_client_hello_t *on_client_hello;
700 /**
701 *
702 */
703 ptls_emit_certificate_t *emit_certificate;
704 /**
705 *
706 */
707 ptls_sign_certificate_t *sign_certificate;
708 /**
709 *
710 */
711 ptls_verify_certificate_t *verify_certificate;
712 /**
713 * lifetime of a session ticket (server-only)
714 */
715 uint32_t ticket_lifetime;
716 /**
717 * maximum permitted size of early data (server-only)
718 */
719 uint32_t max_early_data_size;
720 /**
721 * maximum size of the message buffer (default: 0 = unlimited = 3 + 2^24 bytes)
722 */
723 size_t max_buffer_size;
724 /**
725 * the field is obsolete; should be set to NULL for QUIC draft-17. Note also that even though everybody did, it was incorrect
726 * to set the value to "quic " in the earlier versions of the draft.
727 */
728 const char *hkdf_label_prefix__obsolete;
729 /**
730 * if set, psk handshakes use (ec)dhe
731 */
732 unsigned require_dhe_on_psk : 1;
733 /**
734 * if exporter master secrets should be recorded
735 */
736 unsigned use_exporter : 1;
737 /**
738 * if ChangeCipherSpec record should be sent during handshake. If the client sends CCS, the server sends one in response
739 * regardless of the value of this flag. See RFC 8446 Appendix D.3.
740 */
741 unsigned send_change_cipher_spec : 1;
742 /**
743 * if set, the server requests client certificates
744 * to authenticate the client.
745 */
746 unsigned require_client_authentication : 1;
747 /**
748 * if set, EOED will not be emitted or accepted
749 */
750 unsigned omit_end_of_early_data : 1;
751 /**
752 * This option turns on support for Raw Public Keys (RFC 7250).
753 *
754 * When running as a client, this option instructs the client to request the server to send raw public keys in place of X.509
755 * certificate chain. The client should set its `certificate_verify` callback to one that is capable of validating the raw
756 * public key that will be sent by the server.
757 *
758 * When running as a server, this option instructs the server to only handle clients requesting the use of raw public keys. If
759 * the client does not, the handshake is rejected. Note however that the rejection happens only after the `on_client_hello`
760 * callback is being called. Therefore, applications can support both X.509 and raw public keys by swapping `ptls_context_t` to
761 * the correct one when that callback is being called (like handling swapping the contexts based on the value of SNI).
762 */
763 unsigned use_raw_public_keys : 1;
764 /**
765 * boolean indicating if the cipher-suite should be chosen based on server's preference
766 */
767 unsigned server_cipher_preference : 1;
768 /**
769 *
770 */
771 ptls_encrypt_ticket_t *encrypt_ticket;
772 /**
773 *
774 */
775 ptls_save_ticket_t *save_ticket;
776 /**
777 *
778 */
779 ptls_log_event_t *log_event;
780 /**
781 *
782 */
783 ptls_update_open_count_t *update_open_count;
784 /**
785 *
786 */
787 ptls_update_traffic_key_t *update_traffic_key;
788 /**
789 *
790 */
791 ptls_decompress_certificate_t *decompress_certificate;
792 /**
793 *
794 */
795 ptls_update_esni_key_t *update_esni_key;
796 /**
797 *
798 */
799 ptls_on_extension_t *on_extension;
800 };
801
802 typedef struct st_ptls_raw_extension_t {
803 uint16_t type;
804 ptls_iovec_t data;
805 } ptls_raw_extension_t;
806
807 typedef enum en_ptls_early_data_acceptance_t {
808 PTLS_EARLY_DATA_ACCEPTANCE_UNKNOWN = 0,
809 PTLS_EARLY_DATA_REJECTED,
810 PTLS_EARLY_DATA_ACCEPTED
811 } ptls_early_data_acceptance_t;
812
813 /**
814 * optional arguments to client-driven handshake
815 */
816 #ifdef _WINDOWS
817 /* suppress warning C4201: nonstandard extension used: nameless struct/union */
818 #pragma warning(push)
819 #pragma warning(disable : 4201)
820 #endif
821 typedef struct st_ptls_handshake_properties_t {
822 union {
823 struct {
824 /**
825 * list of protocols offered through ALPN
826 */
827 struct {
828 const ptls_iovec_t *list;
829 size_t count;
830 } negotiated_protocols;
831 /**
832 * session ticket sent to the application via save_ticket callback
833 */
834 ptls_iovec_t session_ticket;
835 /**
836 * pointer to store the maximum size of early-data that can be sent immediately. If set to non-NULL, the first call to
837 * ptls_handshake (or ptls_handle_message) will set `*max_early_data` to the value obtained from the session ticket, or
838 * to zero if early-data cannot be sent. If NULL, early data will not be used.
839 */
840 size_t *max_early_data_size;
841 /**
842 * If early-data has been accepted by peer, or if the state is still unknown. The state changes anytime after handshake
843 * keys become available. Applications can peek the tri-state variable every time it calls `ptls_hanshake` or
844 * `ptls_handle_message` to determine the result at the earliest moment. This is an output parameter.
845 */
846 ptls_early_data_acceptance_t early_data_acceptance;
847 /**
848 * negotiate the key exchange method before sending key_share
849 */
850 unsigned negotiate_before_key_exchange : 1;
851 /**
852 * ESNIKeys (the value of the TXT record, after being base64-"decoded")
853 */
854 ptls_iovec_t esni_keys;
855 } client;
856 struct {
857 /**
858 * psk binder being selected (len is set to zero if none)
859 */
860 struct {
861 uint8_t base[PTLS_MAX_DIGEST_SIZE];
862 size_t len;
863 } selected_psk_binder;
864 /**
865 * parameters related to use of the Cookie extension
866 */
867 struct {
868 /**
869 * HMAC key to protect the integrity of the cookie. The key should be as long as the digest size of the first
870 * ciphersuite specified in ptls_context_t (i.e. the hash algorithm of the best ciphersuite that can be chosen).
871 */
872 const void *key;
873 /**
874 * additional data to be used for verifying the cookie
875 */
876 ptls_iovec_t additional_data;
877 } cookie;
878 /**
879 * if HRR should always be sent
880 */
881 unsigned enforce_retry : 1;
882 /**
883 * if retry should be stateless (cookie.key MUST be set when this option is used)
884 */
885 unsigned retry_uses_cookie : 1;
886 } server;
887 };
888 /**
889 * an optional list of additional extensions to send either in CH or EE, terminated by type == UINT16_MAX
890 */
891 ptls_raw_extension_t *additional_extensions;
892 /**
893 * an optional callback that returns a boolean value indicating if a particular extension should be collected
894 */
895 int (*collect_extension)(ptls_t *tls, struct st_ptls_handshake_properties_t *properties, uint16_t type);
896 /**
897 * an optional callback that reports the extensions being collected
898 */
899 int (*collected_extensions)(ptls_t *tls, struct st_ptls_handshake_properties_t *properties, ptls_raw_extension_t *extensions);
900 } ptls_handshake_properties_t;
901 #ifdef _WINDOWS
902 #pragma warning(pop)
903 #endif
904 #ifdef _WINDOWS
905 /* suppress warning C4293: >> shift count negative or too big */
906 #pragma warning(disable : 4293)
907 #endif
908 /**
909 * builds a new ptls_iovec_t instance using the supplied parameters
910 */
911 static ptls_iovec_t ptls_iovec_init(const void *p, size_t len);
912 /**
913 * initializes a buffer, setting the default destination to the small buffer provided as the argument.
914 */
915 static void ptls_buffer_init(ptls_buffer_t *buf, void *smallbuf, size_t smallbuf_size);
916 /**
917 * disposes a buffer, freeing resources allocated by the buffer itself (if any)
918 */
919 static void ptls_buffer_dispose(ptls_buffer_t *buf);
920 /**
921 * internal
922 */
923 void ptls_buffer__release_memory(ptls_buffer_t *buf);
924 /**
925 * reserves space for additional amount of memory
926 */
927 int ptls_buffer_reserve(ptls_buffer_t *buf, size_t delta);
928 /**
929 * internal
930 */
931 int ptls_buffer__do_pushv(ptls_buffer_t *buf, const void *src, size_t len);
932 /**
933 * internal
934 */
935 int ptls_buffer__adjust_quic_blocksize(ptls_buffer_t *buf, size_t body_size);
936 /**
937 * internal
938 */
939 int ptls_buffer__adjust_asn1_blocksize(ptls_buffer_t *buf, size_t body_size);
940 /**
941 * pushes an unsigned bigint
942 */
943 int ptls_buffer_push_asn1_ubigint(ptls_buffer_t *buf, const void *bignum, size_t size);
944 /**
945 * encodes a quic varint (maximum length is PTLS_ENCODE_QUICINT_CAPACITY)
946 */
947 static uint8_t *ptls_encode_quicint(uint8_t *p, uint64_t v);
948 #define PTLS_ENCODE_QUICINT_CAPACITY 8
949
950 #define PTLS_QUICINT_MAX 4611686018427387903 // (1 << 62) - 1
951 #define PTLS_QUICINT_LONGEST_STR "4611686018427387903"
952
953 #define ptls_buffer_pushv(buf, src, len) \
954 do { \
955 if ((ret = ptls_buffer__do_pushv((buf), (src), (len))) != 0) \
956 goto Exit; \
957 } while (0)
958
959 #define ptls_buffer_push(buf, ...) \
960 do { \
961 if ((ret = ptls_buffer__do_pushv((buf), (uint8_t[]){__VA_ARGS__}, sizeof((uint8_t[]){__VA_ARGS__}))) != 0) \
962 goto Exit; \
963 } while (0)
964
965 #define ptls_buffer_push16(buf, v) \
966 do { \
967 uint16_t _v = (v); \
968 ptls_buffer_push(buf, (uint8_t)(_v >> 8), (uint8_t)_v); \
969 } while (0)
970
971 #define ptls_buffer_push24(buf, v) \
972 do { \
973 uint32_t _v = (v); \
974 ptls_buffer_push(buf, (uint8_t)(_v >> 16), (uint8_t)(_v >> 8), (uint8_t)_v); \
975 } while (0)
976
977 #define ptls_buffer_push32(buf, v) \
978 do { \
979 uint32_t _v = (v); \
980 ptls_buffer_push(buf, (uint8_t)(_v >> 24), (uint8_t)(_v >> 16), (uint8_t)(_v >> 8), (uint8_t)_v); \
981 } while (0)
982
983 #define ptls_buffer_push64(buf, v) \
984 do { \
985 uint64_t _v = (v); \
986 ptls_buffer_push(buf, (uint8_t)(_v >> 56), (uint8_t)(_v >> 48), (uint8_t)(_v >> 40), (uint8_t)(_v >> 32), \
987 (uint8_t)(_v >> 24), (uint8_t)(_v >> 16), (uint8_t)(_v >> 8), (uint8_t)_v); \
988 } while (0)
989
990 #define ptls_buffer_push_quicint(buf, v) \
991 do { \
992 if ((ret = ptls_buffer_reserve((buf), PTLS_ENCODE_QUICINT_CAPACITY)) != 0) \
993 goto Exit; \
994 uint8_t *d = ptls_encode_quicint((buf)->base + (buf)->off, (v)); \
995 (buf)->off = d - (buf)->base; \
996 } while (0)
997
998 #define ptls_buffer_push_block(buf, _capacity, block) \
999 do { \
1000 size_t capacity = (_capacity); \
1001 ptls_buffer_pushv((buf), (uint8_t *)"\0\0\0\0\0\0\0", capacity != -1 ? capacity : 1); \
1002 size_t body_start = (buf)->off; \
1003 do { \
1004 block \
1005 } while (0); \
1006 size_t body_size = (buf)->off - body_start; \
1007 if (capacity != -1) { \
1008 for (; capacity != 0; --capacity) \
1009 (buf)->base[body_start - capacity] = (uint8_t)(body_size >> (8 * (capacity - 1))); \
1010 } else { \
1011 if ((ret = ptls_buffer__adjust_quic_blocksize((buf), body_size)) != 0) \
1012 goto Exit; \
1013 } \
1014 } while (0)
1015
1016 #define ptls_buffer_push_asn1_block(buf, block) \
1017 do { \
1018 ptls_buffer_push((buf), 0xff); /* dummy */ \
1019 size_t body_start = (buf)->off; \
1020 do { \
1021 block \
1022 } while (0); \
1023 size_t body_size = (buf)->off - body_start; \
1024 if (body_size < 128) { \
1025 (buf)->base[body_start - 1] = (uint8_t)body_size; \
1026 } else { \
1027 if ((ret = ptls_buffer__adjust_asn1_blocksize((buf), body_size)) != 0) \
1028 goto Exit; \
1029 } \
1030 } while (0)
1031
1032 #define ptls_buffer_push_asn1_sequence(buf, block) \
1033 do { \
1034 ptls_buffer_push((buf), 0x30); \
1035 ptls_buffer_push_asn1_block((buf), block); \
1036 } while (0)
1037
1038 #define ptls_buffer_push_message_body(buf, key_sched, type, block) \
1039 do { \
1040 ptls_buffer_t *_buf = (buf); \
1041 ptls_key_schedule_t *_key_sched = (key_sched); \
1042 size_t mess_start = _buf->off; \
1043 ptls_buffer_push(_buf, (type)); \
1044 ptls_buffer_push_block(_buf, 3, block); \
1045 if (_key_sched != NULL) \
1046 ptls__key_schedule_update_hash(_key_sched, _buf->base + mess_start, _buf->off - mess_start); \
1047 } while (0)
1048
1049 #define ptls_push_message(emitter, key_sched, type, block) \
1050 do { \
1051 ptls_message_emitter_t *_emitter = (emitter); \
1052 if ((ret = _emitter->begin_message(_emitter)) != 0) \
1053 goto Exit; \
1054 ptls_buffer_push_message_body(_emitter->buf, (key_sched), (type), block); \
1055 if ((ret = _emitter->commit_message(_emitter)) != 0) \
1056 goto Exit; \
1057 } while (0)
1058
1059 int ptls_decode16(uint16_t *value, const uint8_t **src, const uint8_t *end);
1060 int ptls_decode24(uint32_t *value, const uint8_t **src, const uint8_t *end);
1061 int ptls_decode32(uint32_t *value, const uint8_t **src, const uint8_t *end);
1062 int ptls_decode64(uint64_t *value, const uint8_t **src, const uint8_t *end);
1063 uint64_t ptls_decode_quicint(const uint8_t **src, const uint8_t *end);
1064
1065 #define ptls_decode_open_block(src, end, capacity, block) \
1066 do { \
1067 size_t _capacity = (capacity); \
1068 size_t _block_size; \
1069 if (_capacity == -1) { \
1070 uint64_t _block_size64; \
1071 const uint8_t *_src = (src); \
1072 if ((_block_size64 = ptls_decode_quicint(&_src, end)) == UINT64_MAX || \
1073 (sizeof(size_t) < 8 && (_block_size64 >> (8 * sizeof(size_t))) != 0)) { \
1074 ret = PTLS_ALERT_DECODE_ERROR; \
1075 goto Exit; \
1076 } \
1077 (src) = _src; \
1078 _block_size = (size_t)_block_size64; \
1079 } else { \
1080 if (_capacity > (size_t)(end - (src))) { \
1081 ret = PTLS_ALERT_DECODE_ERROR; \
1082 goto Exit; \
1083 } \
1084 _block_size = 0; \
1085 do { \
1086 _block_size = _block_size << 8 | *(src)++; \
1087 } while (--_capacity != 0); \
1088 } \
1089 if (_block_size > (size_t)(end - (src))) { \
1090 ret = PTLS_ALERT_DECODE_ERROR; \
1091 goto Exit; \
1092 } \
1093 do { \
1094 const uint8_t *const end = (src) + _block_size; \
1095 do { \
1096 block \
1097 } while (0); \
1098 if ((src) != end) { \
1099 ret = PTLS_ALERT_DECODE_ERROR; \
1100 goto Exit; \
1101 } \
1102 } while (0); \
1103 } while (0)
1104
1105 #define ptls_decode_assert_block_close(src, end) \
1106 do { \
1107 if ((src) != end) { \
1108 ret = PTLS_ALERT_DECODE_ERROR; \
1109 goto Exit; \
1110 } \
1111 } while (0);
1112
1113 #define ptls_decode_block(src, end, capacity, block) \
1114 do { \
1115 ptls_decode_open_block((src), end, capacity, block); \
1116 ptls_decode_assert_block_close((src), end); \
1117 } while (0)
1118
1119 /**
1120 * create a client object to handle new TLS connection
1121 */
1122 ptls_t *ptls_client_new(ptls_context_t *ctx);
1123 /**
1124 * create a server object to handle new TLS connection
1125 */
1126 ptls_t *ptls_server_new(ptls_context_t *ctx);
1127 /**
1128 * creates a object handle new TLS connection
1129 */
1130 static ptls_t *ptls_new(ptls_context_t *ctx, int is_server);
1131 /**
1132 * releases all resources associated to the object
1133 */
1134 void ptls_free(ptls_t *tls);
1135 /**
1136 * returns address of the crypto callbacks that the connection is using
1137 */
1138 ptls_context_t *ptls_get_context(ptls_t *tls);
1139 /**
1140 * updates the context of a connection. Can be called from `on_client_hello` callback.
1141 */
1142 void ptls_set_context(ptls_t *tls, ptls_context_t *ctx);
1143 /**
1144 * returns the client-random
1145 */
1146 ptls_iovec_t ptls_get_client_random(ptls_t *tls);
1147 /**
1148 * returns the cipher-suite being used
1149 */
1150 ptls_cipher_suite_t *ptls_get_cipher(ptls_t *tls);
1151 /**
1152 * returns the server-name (NULL if SNI is not used or failed to negotiate)
1153 */
1154 const char *ptls_get_server_name(ptls_t *tls);
1155 /**
1156 * sets the server-name associated to the TLS connection. If server_name_len is zero, then strlen(server_name) is called to
1157 * determine the length of the name.
1158 * On the client-side, the value is used for certificate validation. The value will be also sent as an SNI extension, if it looks
1159 * like a DNS name.
1160 * On the server-side, it can be called from on_client_hello to indicate the acceptance of the SNI extension to the client.
1161 */
1162 int ptls_set_server_name(ptls_t *tls, const char *server_name, size_t server_name_len);
1163 /**
1164 * returns the negotiated protocol (or NULL)
1165 */
1166 const char *ptls_get_negotiated_protocol(ptls_t *tls);
1167 /**
1168 * sets the negotiated protocol. If protocol_len is zero, strlen(protocol) is called to determine the length of the protocol name.
1169 */
1170 int ptls_set_negotiated_protocol(ptls_t *tls, const char *protocol, size_t protocol_len);
1171 /**
1172 * returns if the handshake has been completed
1173 */
1174 int ptls_handshake_is_complete(ptls_t *tls);
1175 /**
1176 * returns if a PSK (or PSK-DHE) handshake was performed
1177 */
1178 int ptls_is_psk_handshake(ptls_t *tls);
1179 /**
1180 * returns a pointer to user data pointer (client is reponsible for freeing the associated data prior to calling ptls_free)
1181 */
1182 void **ptls_get_data_ptr(ptls_t *tls);
1183 /**
1184 *
1185 */
1186 int ptls_skip_tracing(ptls_t *tls);
1187 /**
1188 *
1189 */
1190 void ptls_set_skip_tracing(ptls_t *tls, int skip_tracing);
1191 /**
1192 * proceeds with the handshake, optionally taking some input from peer. The function returns zero in case the handshake completed
1193 * successfully. PTLS_ERROR_IN_PROGRESS is returned in case the handshake is incomplete. Otherwise, an error value is returned. The
1194 * contents of sendbuf should be sent to the client, regardless of whether if an error is returned. inlen is an argument used for
1195 * both input and output. As an input, the arguments takes the size of the data available as input. Upon return the value is updated
1196 * to the number of bytes consumed by the handshake. In case the returned value is PTLS_ERROR_IN_PROGRESS there is a guarantee that
1197 * all the input are consumed (i.e. the value of inlen does not change).
1198 */
1199 int ptls_handshake(ptls_t *tls, ptls_buffer_t *sendbuf, const void *input, size_t *inlen, ptls_handshake_properties_t *args);
1200 /**
1201 * decrypts the first record within given buffer
1202 */
1203 int ptls_receive(ptls_t *tls, ptls_buffer_t *plaintextbuf, const void *input, size_t *len);
1204 /**
1205 * encrypts given buffer into multiple TLS records
1206 */
1207 int ptls_send(ptls_t *tls, ptls_buffer_t *sendbuf, const void *input, size_t inlen);
1208 /**
1209 * updates the send traffic key (as well as asks the peer to update)
1210 */
1211 int ptls_update_key(ptls_t *tls, int request_update);
1212 /**
1213 * Returns if the context is a server context.
1214 */
1215 int ptls_is_server(ptls_t *tls);
1216 /**
1217 * returns per-record overhead
1218 */
1219 size_t ptls_get_record_overhead(ptls_t *tls);
1220 /**
1221 * sends an alert
1222 */
1223 int ptls_send_alert(ptls_t *tls, ptls_buffer_t *sendbuf, uint8_t level, uint8_t description);
1224 /**
1225 *
1226 */
1227 int ptls_export_secret(ptls_t *tls, void *output, size_t outlen, const char *label, ptls_iovec_t context_value, int is_early);
1228 /**
1229 * build the body of a Certificate message. Can be called with tls set to NULL in order to create a precompressed message.
1230 */
1231 int ptls_build_certificate_message(ptls_buffer_t *buf, ptls_iovec_t request_context, ptls_iovec_t *certificates,
1232 size_t num_certificates, ptls_iovec_t ocsp_status);
1233 /**
1234 *
1235 */
1236 int ptls_calc_hash(ptls_hash_algorithm_t *algo, void *output, const void *src, size_t len);
1237 /**
1238 *
1239 */
1240 ptls_hash_context_t *ptls_hmac_create(ptls_hash_algorithm_t *algo, const void *key, size_t key_size);
1241 /**
1242 *
1243 */
1244 int ptls_hkdf_extract(ptls_hash_algorithm_t *hash, void *output, ptls_iovec_t salt, ptls_iovec_t ikm);
1245 /**
1246 *
1247 */
1248 int ptls_hkdf_expand(ptls_hash_algorithm_t *hash, void *output, size_t outlen, ptls_iovec_t prk, ptls_iovec_t info);
1249 /**
1250 *
1251 */
1252 int ptls_hkdf_expand_label(ptls_hash_algorithm_t *algo, void *output, size_t outlen, ptls_iovec_t secret, const char *label,
1253 ptls_iovec_t hash_value, const char *label_prefix);
1254 /**
1255 * instantiates a symmetric cipher
1256 */
1257 ptls_cipher_context_t *ptls_cipher_new(ptls_cipher_algorithm_t *algo, int is_enc, const void *key);
1258 /**
1259 * destroys a symmetric cipher
1260 */
1261 void ptls_cipher_free(ptls_cipher_context_t *ctx);
1262 /**
1263 * initializes the IV; this function must be called prior to calling ptls_cipher_encrypt
1264 */
1265 static void ptls_cipher_init(ptls_cipher_context_t *ctx, const void *iv);
1266 /**
1267 * Encrypts given text. The function must be used in a way that the output length would be equal to the input length. For example,
1268 * when using a block cipher in ECB mode, `len` must be a multiple of the block size when using a block cipher. The length can be
1269 * of any value when using a stream cipher or a block cipher in CTR mode.
1270 */
1271 static void ptls_cipher_encrypt(ptls_cipher_context_t *ctx, void *output, const void *input, size_t len);
1272 /**
1273 * instantiates an AEAD cipher given a secret, which is expanded using hkdf to a set of key and iv
1274 * @param aead
1275 * @param hash
1276 * @param is_enc 1 if creating a context for encryption, 0 if creating a context for decryption
1277 * @param secret the secret. The size must be the digest length of the hash algorithm
1278 * @return pointer to an AEAD context if successful, otherwise NULL
1279 */
1280 ptls_aead_context_t *ptls_aead_new(ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, int is_enc, const void *secret,
1281 const char *label_prefix);
1282 /**
1283 * instantiates an AEAD cipher given key and iv
1284 * @param aead
1285 * @param is_enc 1 if creating a context for encryption, 0 if creating a context for decryption
1286 * @return pointer to an AEAD context if successful, otherwise NULL
1287 */
1288 ptls_aead_context_t *ptls_aead_new_direct(ptls_aead_algorithm_t *aead, int is_enc, const void *key, const void *iv);
1289 /**
1290 * destroys an AEAD cipher context
1291 */
1292 void ptls_aead_free(ptls_aead_context_t *ctx);
1293 /**
1294 * Permutes the static IV by applying given bytes using bit-wise XOR. This API can be used for supplying nonces longer than 64-
1295 * bits.
1296 */
1297 static void ptls_aead_xor_iv(ptls_aead_context_t *ctx, const void *bytes, size_t len);
1298 /**
1299 *
1300 */
1301 static size_t ptls_aead_encrypt(ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen, uint64_t seq,
1302 const void *aad, size_t aadlen);
1303 static void ptls_aead_encrypt_s(ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen, uint64_t seq,
1304 const void *aad, size_t aadlen, ptls_aead_supplementary_encryption_t *supp);
1305 /**
1306 * initializes the internal state of the encryptor
1307 */
1308 static void ptls_aead_encrypt_init(ptls_aead_context_t *ctx, uint64_t seq, const void *aad, size_t aadlen);
1309 /**
1310 * encrypts the input and updates the GCM state
1311 * @return number of bytes emitted to output
1312 */
1313 static size_t ptls_aead_encrypt_update(ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen);
1314 /**
1315 * emits buffered data (if any) and the GCM tag
1316 * @return number of bytes emitted to output
1317 */
1318 static size_t ptls_aead_encrypt_final(ptls_aead_context_t *ctx, void *output);
1319 /**
1320 * decrypts an AEAD record
1321 * @return number of bytes emitted to output if successful, or SIZE_MAX if the input is invalid (e.g. broken MAC)
1322 */
1323 static size_t ptls_aead_decrypt(ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen, uint64_t seq,
1324 const void *aad, size_t aadlen);
1325 /**
1326 * Return the current read epoch.
1327 */
1328 size_t ptls_get_read_epoch(ptls_t *tls);
1329 /**
1330 * Runs the handshake by dealing directly with handshake messages. Callers MUST delay supplying input to this function until the
1331 * epoch of the input becomes equal to the value returned by `ptls_get_read_epoch()`.
1332 * @param tls the TLS context
1333 * @param sendbuf buffer to which the output will be written
1334 * @param epoch_offsets start and end offset of the messages in each epoch. For example, when the server emits ServerHello between
1335 * offset 0 and 38, the following handshake messages between offset 39 and 348, and a post-handshake message
1336 * between 349 and 451, epoch_offsets will be {0,39,39,349,452} and the length of the sendbuf will be 452.
1337 * This argument is an I/O argument. Applications can either reset sendbuf to empty and epoch_offsets and to
1338 * all zero every time they invoke the function, or retain the values until the handshake completes so that
1339 * data will be appended to sendbuf and epoch_offsets will be adjusted.
1340 * @param in_epoch epoch of the input
1341 * @param input input bytes (must be NULL when starting the handshake on the client side)
1342 * @param inlen length of the input
1343 * @param properties properties specific to the running handshake
1344 * @return same as `ptls_handshake`
1345 */
1346 int ptls_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input,
1347 size_t inlen, ptls_handshake_properties_t *properties);
1348 int ptls_client_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input,
1349 size_t inlen, ptls_handshake_properties_t *properties);
1350 int ptls_server_handle_message(ptls_t *tls, ptls_buffer_t *sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input,
1351 size_t inlen, ptls_handshake_properties_t *properties);
1352 /**
1353 * internal
1354 */
1355 void ptls_aead__build_iv(ptls_aead_algorithm_t *algo, uint8_t *iv, const uint8_t *static_iv, uint64_t seq);
1356 /**
1357 *
1358 */
1359 static void ptls_aead__do_encrypt(ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen, uint64_t seq,
1360 const void *aad, size_t aadlen, ptls_aead_supplementary_encryption_t *supp);
1361 /**
1362 * internal
1363 */
1364 void ptls__key_schedule_update_hash(ptls_key_schedule_t *sched, const uint8_t *msg, size_t msglen);
1365 /**
1366 * clears memory
1367 */
1368 extern void (*volatile ptls_clear_memory)(void *p, size_t len);
1369 /**
1370 * constant-time memcmp
1371 */
1372 extern int (*volatile ptls_mem_equal)(const void *x, const void *y, size_t len);
1373 /**
1374 *
1375 */
1376 static ptls_iovec_t ptls_iovec_init(const void *p, size_t len);
1377 /**
1378 * checks if a server name is an IP address.
1379 */
1380 int ptls_server_name_is_ipaddr(const char *name);
1381 /**
1382 * loads a certificate chain to ptls_context_t::certificates. `certificate.list` and each element of the list is allocated by
1383 * malloc. It is the responsibility of the user to free them when discarding the TLS context.
1384 */
1385 int ptls_load_certificates(ptls_context_t *ctx, char const *cert_pem_file);
1386 /**
1387 *
1388 */
1389 int ptls_esni_init_context(ptls_context_t *ctx, ptls_esni_context_t *esni, ptls_iovec_t esni_keys,
1390 ptls_key_exchange_context_t **key_exchanges);
1391 /**
1392 *
1393 */
1394 void ptls_esni_dispose_context(ptls_esni_context_t *esni);
1395 /**
1396 * Obtain the ESNI secrets negotiated during the handshake.
1397 */
1398 ptls_esni_secret_t *ptls_get_esni_secret(ptls_t *ctx);
1399 /**
1400 *
1401 */
1402 char *ptls_hexdump(char *dst, const void *src, size_t len);
1403 /**
1404 * the default get_time callback
1405 */
1406 extern ptls_get_time_t ptls_get_time;
1407 #if PICOTLS_USE_DTRACE
1408 /**
1409 *
1410 */
1411 extern PTLS_THREADLOCAL unsigned ptls_default_skip_tracing;
1412 #else
1413 #define ptls_default_skip_tracing 0
1414 #endif
1415
1416 /* inline functions */
1417
ptls_new(ptls_context_t * ctx,int is_server)1418 inline ptls_t *ptls_new(ptls_context_t *ctx, int is_server)
1419 {
1420 return is_server ? ptls_server_new(ctx) : ptls_client_new(ctx);
1421 }
1422
ptls_iovec_init(const void * p,size_t len)1423 inline ptls_iovec_t ptls_iovec_init(const void *p, size_t len)
1424 {
1425 /* avoid the "return (ptls_iovec_t){(uint8_t *)p, len};" construct because it requires C99
1426 * and triggers a warning "C4204: nonstandard extension used: non-constant aggregate initializer"
1427 * in Visual Studio */
1428 ptls_iovec_t r;
1429 r.base = (uint8_t *)p;
1430 r.len = len;
1431 return r;
1432 }
1433
ptls_buffer_init(ptls_buffer_t * buf,void * smallbuf,size_t smallbuf_size)1434 inline void ptls_buffer_init(ptls_buffer_t *buf, void *smallbuf, size_t smallbuf_size)
1435 {
1436 assert(smallbuf != NULL);
1437 buf->base = (uint8_t *)smallbuf;
1438 buf->off = 0;
1439 buf->capacity = smallbuf_size;
1440 buf->is_allocated = 0;
1441 }
1442
ptls_buffer_dispose(ptls_buffer_t * buf)1443 inline void ptls_buffer_dispose(ptls_buffer_t *buf)
1444 {
1445 ptls_buffer__release_memory(buf);
1446 *buf = (ptls_buffer_t){NULL};
1447 }
1448
ptls_encode_quicint(uint8_t * p,uint64_t v)1449 inline uint8_t *ptls_encode_quicint(uint8_t *p, uint64_t v)
1450 {
1451 if (PTLS_UNLIKELY(v > 63)) {
1452 if (PTLS_UNLIKELY(v > 16383)) {
1453 unsigned sb;
1454 if (PTLS_UNLIKELY(v > 1073741823)) {
1455 assert(v <= 4611686018427387903);
1456 *p++ = 0xc0 | (uint8_t)(v >> 56);
1457 sb = 6 * 8;
1458 } else {
1459 *p++ = 0x80 | (uint8_t)(v >> 24);
1460 sb = 2 * 8;
1461 }
1462 do {
1463 *p++ = (uint8_t)(v >> sb);
1464 } while ((sb -= 8) != 0);
1465 } else {
1466 *p++ = 0x40 | (uint8_t)((uint16_t)v >> 8);
1467 }
1468 }
1469 *p++ = (uint8_t)v;
1470 return p;
1471 }
1472
ptls_cipher_init(ptls_cipher_context_t * ctx,const void * iv)1473 inline void ptls_cipher_init(ptls_cipher_context_t *ctx, const void *iv)
1474 {
1475 ctx->do_init(ctx, iv);
1476 }
1477
ptls_cipher_encrypt(ptls_cipher_context_t * ctx,void * output,const void * input,size_t len)1478 inline void ptls_cipher_encrypt(ptls_cipher_context_t *ctx, void *output, const void *input, size_t len)
1479 {
1480 ctx->do_transform(ctx, output, input, len);
1481 }
1482
ptls_aead_xor_iv(ptls_aead_context_t * ctx,const void * bytes,size_t len)1483 inline void ptls_aead_xor_iv(ptls_aead_context_t *ctx, const void *bytes, size_t len)
1484 {
1485 ctx->do_xor_iv(ctx, bytes, len);
1486 }
1487
ptls_aead_encrypt(ptls_aead_context_t * ctx,void * output,const void * input,size_t inlen,uint64_t seq,const void * aad,size_t aadlen)1488 inline size_t ptls_aead_encrypt(ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen, uint64_t seq,
1489 const void *aad, size_t aadlen)
1490 {
1491 ctx->do_encrypt(ctx, output, input, inlen, seq, aad, aadlen, NULL);
1492 return inlen + ctx->algo->tag_size;
1493 }
1494
ptls_aead_encrypt_s(ptls_aead_context_t * ctx,void * output,const void * input,size_t inlen,uint64_t seq,const void * aad,size_t aadlen,ptls_aead_supplementary_encryption_t * supp)1495 inline void ptls_aead_encrypt_s(ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen, uint64_t seq,
1496 const void *aad, size_t aadlen, ptls_aead_supplementary_encryption_t *supp)
1497 {
1498 ctx->do_encrypt(ctx, output, input, inlen, seq, aad, aadlen, supp);
1499 }
1500
ptls_aead_encrypt_init(ptls_aead_context_t * ctx,uint64_t seq,const void * aad,size_t aadlen)1501 inline void ptls_aead_encrypt_init(ptls_aead_context_t *ctx, uint64_t seq, const void *aad, size_t aadlen)
1502 {
1503 ctx->do_encrypt_init(ctx, seq, aad, aadlen);
1504 }
1505
ptls_aead_encrypt_update(ptls_aead_context_t * ctx,void * output,const void * input,size_t inlen)1506 inline size_t ptls_aead_encrypt_update(ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen)
1507 {
1508 return ctx->do_encrypt_update(ctx, output, input, inlen);
1509 }
1510
ptls_aead_encrypt_final(ptls_aead_context_t * ctx,void * output)1511 inline size_t ptls_aead_encrypt_final(ptls_aead_context_t *ctx, void *output)
1512 {
1513 return ctx->do_encrypt_final(ctx, output);
1514 }
1515
ptls_aead__do_encrypt(ptls_aead_context_t * ctx,void * output,const void * input,size_t inlen,uint64_t seq,const void * aad,size_t aadlen,ptls_aead_supplementary_encryption_t * supp)1516 inline void ptls_aead__do_encrypt(ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen, uint64_t seq,
1517 const void *aad, size_t aadlen, ptls_aead_supplementary_encryption_t *supp)
1518 {
1519 ctx->do_encrypt_init(ctx, seq, aad, aadlen);
1520 ctx->do_encrypt_update(ctx, output, input, inlen);
1521 ctx->do_encrypt_final(ctx, (uint8_t *)output + inlen);
1522
1523 if (supp != NULL) {
1524 ptls_cipher_init(supp->ctx, supp->input);
1525 memset(supp->output, 0, sizeof(supp->output));
1526 ptls_cipher_encrypt(supp->ctx, supp->output, supp->output, sizeof(supp->output));
1527 }
1528 }
1529
ptls_aead_decrypt(ptls_aead_context_t * ctx,void * output,const void * input,size_t inlen,uint64_t seq,const void * aad,size_t aadlen)1530 inline size_t ptls_aead_decrypt(ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen, uint64_t seq,
1531 const void *aad, size_t aadlen)
1532 {
1533 return ctx->do_decrypt(ctx, output, input, inlen, seq, aad, aadlen);
1534 }
1535
1536 #define ptls_define_hash(name, ctx_type, init_func, update_func, final_func) \
1537 \
1538 struct name##_context_t { \
1539 ptls_hash_context_t super; \
1540 ctx_type ctx; \
1541 }; \
1542 \
1543 static void name##_update(ptls_hash_context_t *_ctx, const void *src, size_t len) \
1544 { \
1545 struct name##_context_t *ctx = (struct name##_context_t *)_ctx; \
1546 update_func(&ctx->ctx, src, len); \
1547 } \
1548 \
1549 static void name##_final(ptls_hash_context_t *_ctx, void *md, ptls_hash_final_mode_t mode) \
1550 { \
1551 struct name##_context_t *ctx = (struct name##_context_t *)_ctx; \
1552 if (mode == PTLS_HASH_FINAL_MODE_SNAPSHOT) { \
1553 ctx_type copy = ctx->ctx; \
1554 final_func(©, md); \
1555 ptls_clear_memory(©, sizeof(copy)); \
1556 return; \
1557 } \
1558 if (md != NULL) \
1559 final_func(&ctx->ctx, md); \
1560 switch (mode) { \
1561 case PTLS_HASH_FINAL_MODE_FREE: \
1562 ptls_clear_memory(&ctx->ctx, sizeof(ctx->ctx)); \
1563 free(ctx); \
1564 break; \
1565 case PTLS_HASH_FINAL_MODE_RESET: \
1566 init_func(&ctx->ctx); \
1567 break; \
1568 default: \
1569 assert(!"FIXME"); \
1570 break; \
1571 } \
1572 } \
1573 \
1574 static ptls_hash_context_t *name##_clone(ptls_hash_context_t *_src) \
1575 { \
1576 struct name##_context_t *dst, *src = (struct name##_context_t *)_src; \
1577 if ((dst = malloc(sizeof(*dst))) == NULL) \
1578 return NULL; \
1579 *dst = *src; \
1580 return &dst->super; \
1581 } \
1582 \
1583 static ptls_hash_context_t *name##_create(void) \
1584 { \
1585 struct name##_context_t *ctx; \
1586 if ((ctx = malloc(sizeof(*ctx))) == NULL) \
1587 return NULL; \
1588 ctx->super = (ptls_hash_context_t){name##_update, name##_final, name##_clone}; \
1589 init_func(&ctx->ctx); \
1590 return &ctx->super; \
1591 }
1592
1593 #ifdef __cplusplus
1594 }
1595 #endif
1596
1597 #endif
1598