Encrypted SNI

CMakeLists.txt

@@ -35,7 +35,9 @@ IF (OPENSSL_FOUND AND NOT (OPENSSL_VERSION VERSION_LESS "1.0.1"))
     INCLUDE_DIRECTORIES(${OPENSSL_INCLUDE_DIR})
     ADD_LIBRARY(picotls-openssl lib/openssl.c)
     ADD_EXECUTABLE(cli t/cli.c lib/pembase64.c)
-    TARGET_LINK_LIBRARIES(cli picotls-openssl picotls-core ${OPENSSL_LIBRARIES} ${CMAKE_DL_LIBS})
+    TARGET_LINK_LIBRARIES(cli picotls-openssl picotls-core ${OPENSSL_LIBRARIES} resolv ${CMAKE_DL_LIBS})
+    ADD_EXECUTABLE(picotls-esni src/esni.c)
+    TARGET_LINK_LIBRARIES(picotls-esni picotls-openssl picotls-core ${OPENSSL_LIBRARIES} ${CMAKE_DL_LIBS})
     ADD_EXECUTABLE(test-openssl.t ${MINICRYPTO_LIBRARY_FILES} lib/cifra.c lib/uecc.c lib/asn1.c lib/pembase64.c deps/picotest/picotest.c t/picotls.c t/openssl.c)
     SET_TARGET_PROPERTIES(test-openssl.t PROPERTIES COMPILE_FLAGS "-DPTLS_MEMORY_DEBUG=1")
     TARGET_LINK_LIBRARIES(test-openssl.t ${OPENSSL_LIBRARIES} ${CMAKE_DL_LIBS})
@@ -46,6 +48,8 @@ ENDIF ()
 
 ADD_CUSTOM_TARGET(check prove --exec '' -v ${CMAKE_CURRENT_BINARY_DIR}/*.t WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR} DEPENDS ${TEST_EXES})
 
-IF ("${CMAKE_SYSTEM_NAME}" MATCHES "SunOS")
+IF (CMAKE_SYSTEM_NAME STREQUAL "Linux")
+     SET(CMAKE_C_FLAGS "-D_GNU_SOURCE ${CMAKE_C_FLAGS}")
+ELSEIF ("${CMAKE_SYSTEM_NAME}" MATCHES "SunOS")
     TARGET_LINK_LIBRARIES(cli "socket" "nsl")
 ENDIF ()

include/picotls.h

@@ -170,11 +170,15 @@ typedef struct st_ptls_buffer_t {
  * key exchange context built by ptls_key_exchange_algorithm::create.
  */
 typedef struct st_ptls_key_exchange_context_t {
+    const struct st_ptls_key_exchange_algorithm_t *algo;
     /**
-     * called once per created context. Callee must free resources allocated to the context and set *keyex to NULL. Secret and
-     * peerkey will be NULL in case the exchange never happened.
+     * If `release` is set, the callee frees resources allocated to the context and set *keyex to NULL
      */
-    int (*on_exchange)(struct st_ptls_key_exchange_context_t **keyex, ptls_iovec_t *secret, ptls_iovec_t peerkey);
+    int (*on_exchange)(struct st_ptls_key_exchange_context_t **keyex, int release, ptls_iovec_t *secret, ptls_iovec_t peerkey);
+    /**
+     * optional callback to serialize the private key
+     */
+    int (*save)(struct st_ptls_key_exchange_context_t *keyex, ptls_buffer_t *outbuf);
 } ptls_key_exchange_context_t;
 
 /**
@@ -189,11 +193,21 @@ typedef const struct st_ptls_key_exchange_algorithm_t {
      * creates a context for asynchronous key exchange. The function is called when ClientHello is generated. The on_exchange
      * callback of the created context is called when the client receives ServerHello.
      */
-    int (*create)(ptls_key_exchange_context_t **ctx, ptls_iovec_t *pubkey);
+    int (*create)(const struct st_ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **ctx, ptls_iovec_t *pubkey);
     /**
      * implements synchronous key exchange. Called when receiving a ServerHello.
      */
-    int (*exchange)(ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey);
+    int (*exchange)(const struct st_ptls_key_exchange_algorithm_t *algo, ptls_iovec_t *pubkey, ptls_iovec_t *secret,
+                    ptls_iovec_t peerkey);
+    /**
+     * optional callback for loading a serialized private key
+     */
+    int (*load)(const struct st_ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **ctx, ptls_iovec_t pubkey,
+                ptls_iovec_t privkey);
+    /**
+     * crypto-specific data
+     */
+    intptr_t data;
 } ptls_key_exchange_algorithm_t;
 
 /**
@@ -333,6 +347,20 @@ typedef const struct st_ptls_cipher_suite_t {
     ptls_hash_algorithm_t *hash;
 } ptls_cipher_suite_t;
 
+/**
+ * holds ESNIKeys and the private key (instantiated by ptlts_esni_parse, freed using ptls_esni_dispose)
+ */
+typedef struct st_ptls_esni_t {
+    ptls_key_exchange_context_t **key_exchanges;
+    struct {
+        ptls_cipher_suite_t *cipher_suite;
+        uint8_t record_digest[PTLS_MAX_DIGEST_SIZE];
+    } * cipher_suites;
+    uint16_t padded_length;
+    uint64_t not_before;
+    uint64_t not_after;
+} ptls_esni_t;
+
 #define PTLS_CALLBACK_TYPE0(ret, name)                                                                                             \
     typedef struct st_ptls_##name##_t {                                                                                            \
         ret (*cb)(struct st_ptls_##name##_t * self);                                                                               \
@@ -421,6 +449,10 @@ struct st_ptls_context_t {
         ptls_iovec_t *list;
         size_t count;
     } certificates;
+    /**
+     * list of ESNI data terminated by NULL
+     */
+    ptls_esni_t **esni;
     /**
      *
      */
@@ -515,6 +547,10 @@ typedef struct st_ptls_handshake_properties_t {
              * pointer to store the maximum size of early-data that can be sent immediately (if NULL, early data is not used)
              */
             size_t *max_early_data_size;
+            /**
+             * ESNIKeys (the value of the TXT record, after being base64-"decoded")
+             */
+            ptls_iovec_t esni_keys;
             /**
              *
              */
@@ -554,6 +590,10 @@ typedef struct st_ptls_handshake_properties_t {
              * if retry should be stateless (cookie.key MUST be set when this option is used)
              */
             unsigned retry_uses_cookie : 1;
+            /**
+             * if esni was used
+             */
+            unsigned esni : 1;
         } server;
     };
     /**
@@ -980,6 +1020,9 @@ int ptls_load_certificates(ptls_context_t *ctx, char const *cert_pem_file);
 
 extern ptls_get_time_t ptls_get_time;
 
+void ptls_esni_dispose(ptls_esni_t *esni);
+int ptls_esni_parse(ptls_context_t *ctx, ptls_esni_t *esni, ptls_iovec_t *esnikeys, const uint8_t *src, const uint8_t *end);
+
 #define ptls_define_hash(name, ctx_type, init_func, update_func, final_func)                                                       \
                                                                                                                                    \
     struct name##_context_t {                                                                                                      \

lib/cifra.c

@@ -128,13 +128,11 @@ static int x25519_derive_secret(ptls_iovec_t *secret, const uint8_t *clientpriv,
     return 0;
 }
 
-static int x25519_on_exchange(ptls_key_exchange_context_t **_ctx, ptls_iovec_t *secret, ptls_iovec_t peerkey)
+static int x25519_on_exchange(ptls_key_exchange_context_t **_ctx, int release, ptls_iovec_t *secret, ptls_iovec_t peerkey)
 {
     struct st_x25519_key_exchange_t *ctx = (struct st_x25519_key_exchange_t *)*_ctx;
     int ret;
 
-    *_ctx = NULL;
-
     if (secret == NULL) {
         ret = 0;
         goto Exit;
@@ -147,26 +145,30 @@ static int x25519_on_exchange(ptls_key_exchange_context_t **_ctx, ptls_iovec_t *
     ret = x25519_derive_secret(secret, ctx->priv, ctx->pub, NULL, peerkey.base);
 
 Exit:
-    ptls_clear_memory(ctx->priv, sizeof(ctx->priv));
-    free(ctx);
+    if (release) {
+        ptls_clear_memory(ctx->priv, sizeof(ctx->priv));
+        free(ctx);
+        *_ctx = NULL;
+    }
     return ret;
 }
 
-static int x25519_create_key_exchange(ptls_key_exchange_context_t **_ctx, ptls_iovec_t *pubkey)
+static int x25519_create_key_exchange(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **_ctx, ptls_iovec_t *pubkey)
 {
     struct st_x25519_key_exchange_t *ctx;
 
     if ((ctx = (struct st_x25519_key_exchange_t *)malloc(sizeof(*ctx))) == NULL)
         return PTLS_ERROR_NO_MEMORY;
-    ctx->super = (ptls_key_exchange_context_t){x25519_on_exchange};
+    ctx->super = (ptls_key_exchange_context_t){algo, x25519_on_exchange};
     x25519_create_keypair(ctx->priv, ctx->pub);
 
     *_ctx = &ctx->super;
     *pubkey = ptls_iovec_init(ctx->pub, sizeof(ctx->pub));
     return 0;
 }
 
-static int x25519_key_exchange(ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey)
+static int x25519_key_exchange(ptls_key_exchange_algorithm_t *algo, ptls_iovec_t *pubkey, ptls_iovec_t *secret,
+                               ptls_iovec_t peerkey)
 {
     uint8_t priv[X25519_KEY_SIZE], *pub = NULL;
     int ret;