day 3

Author: kazuho

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "deps/picotest"]
+	path = deps/picotest
+	url = https://github.com/h2o/picotest.git

deps/picotest

@@ -22,6 +22,10 @@
 #ifndef picotls_h
 #define picotls_h
 
+#include <inttypes.h>
+
+#define PTLS_MAX_DIGEST_SIZE 64
+
 /* cipher-suites */
 #define PTLS_CIPHER_SUITE_AES_128_GCM_SHA256 0x1301
 #define PTLS_CIPHER_SUITE_AES_256_GCM_SHA384 0x1302
@@ -47,22 +51,71 @@
 
 typedef struct st_ptls_t ptls_t;
 
+typedef struct st_ptls_iovec_t {
+    uint8_t *base;
+    size_t len;
+} ptls_iovec_t;
+
+typedef struct st_ptls_crypto_t ptls_crypto_t;
+
 typedef struct st_ptls_context_t {
+    ptls_crypto_t *crypto;
     struct {
-        int (*server_name)(ptls_t *tls, X509 **cert, STACK_OF(X509) * *extra_certs);
+        int (*server_name)(ptls_t *tls, ptls_iovec_t **certs, size_t *num_certs, void **signer);
     } callbacks;
 } ptls_context_t;
 
+typedef struct st_ptls_key_exchange_algorithm_t {
+    uint16_t id;
+    int (*key_exchange)(ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey);
+} ptls_key_exchange_algorithm_t;
+
 typedef struct st_ptls_aead_context_t {
+    void (*destroy)(struct st_ptls_aead_context_t *ctx);
+    size_t (*transform)(struct st_ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen);
+    uint64_t nonce;
+} ptls_aead_context_t;
+
+typedef struct st_ptls_aead_algorithm_t {
+    size_t key_size;
+    size_t block_size;
+    ptls_aead_context_t *(*create)(const uint8_t *key);
+} ptls_aead_algorithm_t;
+
+typedef enum en_ptls_hash_final_mode_t {
+    PTLS_HASH_FINAL_MODE_FREE = 0,
+    PTLS_HASH_FINAL_MODE_RESET = 1,
+    PTLS_HASH_FINAL_MODE_SNAPSHOT = 2
+} ptls_hash_final_mode_t;
+
+typedef struct st_ptls_hash_context_t {
+    void (*update)(struct st_ptls_hash_context_t *ctx, const void *src, size_t len);
+    void (* final)(struct st_ptls_hash_context_t *ctx, void *md, ptls_hash_final_mode_t mode);
+} ptls_hash_context_t;
+
+typedef struct st_ptls_hash_algorithm_t {
+    size_t block_size;
+    size_t digest_size;
+    ptls_hash_context_t *(*create)(void);
+} ptls_hash_algorithm_t;
+
+typedef struct st_ptls_cipher_suite_t {
+    uint16_t id;
+    ptls_aead_algorithm_t *aead;
+    ptls_hash_algorithm_t *hash;
+} ptls_cipher_suite_t;
+
+typedef struct st_ptls_crypto_t {
+    void (*random_bytes)(void *buf, size_t len);
     /**
-     *
+     * list of supported key-exchange algorithms terminated by .id == UINT16_MAX
      */
-    uint64_t nonce;
+    ptls_key_exchange_algorithm_t *key_exchanges;
     /**
-     * callback used to encrypt a record
+     * list of supported cipher-suites terminated by .id == UINT16_MAX
      */
-    size_t (*transform)(struct st_ptls_aead_context_t *ctx, uint8_t *output, const uint8_t *input, size_t inlen);
-} ptls_aead_context_t;
+    ptls_cipher_suite_t *cipher_suites;
+} ptls_crypto_t;
 
 /**
  *
@@ -88,5 +141,23 @@ int ptls_decrypt(ptls_t *tls, const void *encrypted, size_t *enclen, void *dst,
  *
  */
 int ptls_enrypt(ptls_t *tls, const void *src, size_t *srclen, void *encrypted, size_t *enclen);
+/**
+ *
+ */
+ptls_hash_context_t *ptls_hmac_create(ptls_hash_algorithm_t *algo, const void *key, size_t key_size);
+/**
+ *
+ */
+void ptls_hkdf_extract(ptls_hash_algorithm_t *hash, void *output, ptls_iovec_t salt, ptls_iovec_t ikm);
+/**
+ *
+ */
+void ptls_hkdf_expand(ptls_hash_algorithm_t *hash, void *output, size_t outlen, ptls_iovec_t prk, ptls_iovec_t info);
+/**
+ * clears memory
+ */
+extern void (*volatile ptls_clear_memory)(void *p, size_t len);
+
+extern ptls_crypto_t ptls_crypto_openssl;
 
 #endif

include/picotls.h

@@ -0,0 +1,230 @@
+/*
+ * Copyright (c) 2016 DeNA Co., Ltd., Kazuho Oku
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+#include <assert.h>
+#include <stdlib.h>
+#include <openssl/bn.h>
+#include <openssl/ec.h>
+#include <openssl/ecdh.h>
+#include <openssl/err.h>
+#include <openssl/crypto.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include "picotls.h"
+
+static void random_bytes(void *buf, size_t len)
+{
+    RAND_bytes(buf, (int)len);
+}
+
+static EC_KEY *ecdh_gerenate_key(EC_GROUP *group)
+{
+    EC_KEY *key;
+
+    if ((key = EC_KEY_new()) == NULL)
+        return NULL;
+    if (!EC_KEY_set_group(key, group) || !EC_KEY_generate_key(key)) {
+        EC_KEY_free(key);
+        return NULL;
+    }
+
+    return key;
+}
+
+static EC_POINT *x9_62_decode_point(EC_GROUP *group, ptls_iovec_t vec, BN_CTX *bn_ctx)
+{
+    EC_POINT *point = NULL;
+
+    if ((point = EC_POINT_new(group)) == NULL)
+        return NULL;
+    if (!EC_POINT_oct2point(group, point, vec.base, vec.len, bn_ctx)) {
+        EC_POINT_free(point);
+        return NULL;
+    }
+
+    return point;
+}
+
+static ptls_iovec_t x9_62_encode_point(EC_GROUP *group, const EC_POINT *point, BN_CTX *bn_ctx)
+{
+    ptls_iovec_t vec;
+
+    if ((vec.len = EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, NULL, 0, bn_ctx)) == 0)
+        return (ptls_iovec_t){NULL};
+    if ((vec.base = malloc(vec.len)) == NULL)
+        return (ptls_iovec_t){NULL};
+    if (EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, vec.base, vec.len, bn_ctx) != vec.len) {
+        free(vec.base);
+        return (ptls_iovec_t){NULL};
+    }
+
+    return vec;
+}
+
+static int x9_62_key_exchange(EC_GROUP *group, ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey, BN_CTX *bn_ctx)
+{
+    EC_POINT *peer_point = NULL;
+    EC_KEY *privkey = NULL;
+    int ret;
+
+    *pubkey = (ptls_iovec_t){NULL};
+    *secret = (ptls_iovec_t){NULL};
+
+    /* decode peer key */
+    if ((peer_point = x9_62_decode_point(group, peerkey, bn_ctx)) == NULL) {
+        ret = PTLS_ALERT_DECODE_ERROR;
+        goto Exit;
+    }
+
+    /* create private key */
+    if ((privkey = ecdh_gerenate_key(group)) == NULL) {
+        ret = PTLS_ERROR_NO_MEMORY;
+        goto Exit;
+    }
+
+    /* encode public key */
+    if ((*pubkey = x9_62_encode_point(group, EC_KEY_get0_public_key(privkey), bn_ctx)).base == NULL) {
+        ret = PTLS_ERROR_NO_MEMORY;
+        goto Exit;
+    }
+
+    /* calc secret */
+    secret->len = (EC_GROUP_get_degree(group) + 7) / 8;
+    if ((secret->base = malloc(secret->len)) == NULL) {
+        ret = PTLS_ERROR_NO_MEMORY;
+        goto Exit;
+    }
+
+    /* ecdh! */
+    if (ECDH_compute_key(secret->base, secret->len, peer_point, privkey, NULL) <= 0) {
+        ret = PTLS_ALERT_HANDSHAKE_FAILURE; /* ??? */
+        goto Exit;
+    }
+
+    ret = 0;
+
+Exit:
+    if (peer_point != NULL)
+        EC_POINT_free(peer_point);
+    if (privkey != NULL)
+        EC_KEY_free(privkey);
+    if (ret != 0) {
+        free(pubkey->base);
+        *pubkey = (ptls_iovec_t){NULL};
+        free(secret->base);
+        *secret = (ptls_iovec_t){NULL};
+    }
+    return ret;
+}
+
+static int secp_key_exchange(int nid, ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey)
+{
+    EC_GROUP *group = NULL;
+    BN_CTX *bn_ctx = NULL;
+    int ret;
+
+    if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) {
+        ret = PTLS_ERROR_LIBRARY;
+        goto Exit;
+    }
+    if ((bn_ctx = BN_CTX_new()) != NULL) {
+        ret = PTLS_ERROR_NO_MEMORY;
+        goto Exit;
+    }
+
+    ret = x9_62_key_exchange(group, pubkey, secret, peerkey, bn_ctx);
+
+Exit:
+    if (bn_ctx != NULL)
+        BN_CTX_free(bn_ctx);
+    if (group != NULL)
+        EC_GROUP_free(group);
+    return ret;
+}
+
+static int secp256r1_key_exchange(ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey)
+{
+    return secp_key_exchange(NID_X9_62_prime256v1, pubkey, secret, peerkey);
+}
+
+static ptls_aead_context_t *aead_aes128gcm_create(const uint8_t *key)
+{
+    return NULL;
+}
+
+struct sha256_context_t {
+    ptls_hash_context_t super;
+    SHA256_CTX ctx;
+};
+
+static void sha256_update(ptls_hash_context_t *_ctx, const void *src, size_t len)
+{
+    struct sha256_context_t *ctx = (struct sha256_context_t *)_ctx;
+
+    SHA256_Update(&ctx->ctx, src, len);
+}
+
+static void sha256_final(ptls_hash_context_t *_ctx, void *md, ptls_hash_final_mode_t mode)
+{
+    struct sha256_context_t *ctx = (struct sha256_context_t *)_ctx;
+
+    if (mode == PTLS_HASH_FINAL_MODE_SNAPSHOT) {
+        SHA256_CTX copy = ctx->ctx;
+        SHA256_Final(md, &copy);
+        ptls_clear_memory(&copy, sizeof(copy));
+        return;
+    }
+
+    if (md != NULL)
+        SHA256_Final(md, &ctx->ctx);
+
+    switch (mode) {
+    case PTLS_HASH_FINAL_MODE_FREE:
+        ptls_clear_memory(&ctx->ctx, sizeof(ctx->ctx));
+        free(ctx);
+        break;
+    case PTLS_HASH_FINAL_MODE_RESET:
+        SHA256_Init(&ctx->ctx);
+        break;
+    default:
+        assert(!"FIXME");
+        break;
+    }
+}
+
+static ptls_hash_context_t *sha256_create(void)
+{
+    struct sha256_context_t *ctx;
+
+    if ((ctx = malloc(sizeof(*ctx))) == NULL)
+        return NULL;
+    ctx->super = (ptls_hash_context_t){sha256_update, sha256_final};
+    SHA256_Init(&ctx->ctx);
+    return &ctx->super;
+}
+
+static ptls_key_exchange_algorithm_t key_exchanges[] = {{PTLS_GROUP_SECP256R1, secp256r1_key_exchange}, {UINT16_MAX}};
+static ptls_aead_algorithm_t aes128gcm = {16, 16, aead_aes128gcm_create};
+static ptls_hash_algorithm_t sha256 = {64, 32, sha256_create};
+static ptls_cipher_suite_t cipher_suites[] = {{PTLS_CIPHER_SUITE_AES_128_GCM_SHA256, &aes128gcm, &sha256}, {UINT16_MAX}};
+
+ptls_crypto_t ptls_crypto_openssl = {random_bytes, key_exchanges, cipher_suites};