Merge pull request #2653 from h2o/kazuho/tls13-cipher-config

add knobs to configure TLS 1.3 cipher suites
h2o · Apr 5, 2021 · 284eb98 · 284eb98
2 parents fb34a10 + c08d2ce
commit 284eb98
Show file tree

Hide file tree

Showing 23 changed files with 381 additions and 169 deletions.
diff --git a/deps/picotls/appveyor.yml b/deps/picotls/appveyor.yml
@@ -0,0 +1,25 @@
+version: build{build}
+image: Visual Studio 2017
+
+environment:
+  matrix:
+    - platform: x86
+      configuration: Debug
+      OPENSSLDIR: C:\OpenSSL-v11-Win32
+    - platform: x64
+      configuration: Debug
+      OPENSSL64DIR: C:\OpenSSL-v11-Win64
+    - platform: x86
+      configuration: Release
+      OPENSSLDIR: C:\OpenSSL-v11-Win32
+    - platform: x64
+      configuration: Release
+      OPENSSL64DIR: C:\OpenSSL-v11-Win64
+
+install:
+  - ps: git submodule --quiet update --init --recursive
+
+build:
+  parallel: true
+  project: picotlsvs\picotlsvs.sln
+
diff --git a/deps/picotls/include/picotls.h b/deps/picotls/include/picotls.h
@@ -105,15 +105,23 @@ extern "C" {
 
 /* cipher-suites */
 #define PTLS_CIPHER_SUITE_AES_128_GCM_SHA256 0x1301
+#define PTLS_CIPHER_SUITE_NAME_AES_128_GCM_SHA256 "TLS_AES_128_GCM_SHA256"
 #define PTLS_CIPHER_SUITE_AES_256_GCM_SHA384 0x1302
+#define PTLS_CIPHER_SUITE_NAME_AES_256_GCM_SHA384 "TLS_AES_256_GCM_SHA384"
 #define PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256 0x1303
+#define PTLS_CIPHER_SUITE_NAME_CHACHA20_POLY1305_SHA256 "TLS_CHACHA20_POLY1305_SHA256"
 
 /* negotiated_groups */
 #define PTLS_GROUP_SECP256R1 23
+#define PTLS_GROUP_NAME_SECP256R1 "scep256r1"
 #define PTLS_GROUP_SECP384R1 24
+#define PTLS_GROUP_NAME_SECP384R1 "secp384r1"
 #define PTLS_GROUP_SECP521R1 25
+#define PTLS_GROUP_NAME_SECP521R1 "secp521r1"
 #define PTLS_GROUP_X25519 29
+#define PTLS_GROUP_NAME_X25519 "x25519"
 #define PTLS_GROUP_X448 30
+#define PTLS_GROUP_NAME_X448 "x448"
 
 /* signature algorithms */
 #define PTLS_SIGNATURE_RSA_PKCS1_SHA1 0x0201
@@ -290,6 +298,10 @@ typedef const struct st_ptls_key_exchange_algorithm_t {
      * crypto-specific data
      */
     intptr_t data;
+    /**
+     * Description as defined in the IANA TLS registry
+     */
+    const char *name;
 } ptls_key_exchange_algorithm_t;
 
 /**
@@ -329,7 +341,7 @@ typedef struct st_ptls_aead_context_t {
     const struct st_ptls_aead_algorithm_t *algo;
     /* field above this line must not be altered by the crypto binding */
     void (*dispose_crypto)(struct st_ptls_aead_context_t *ctx);
-    void (*do_xor_iv)(struct st_ptls_aead_context_t *ctx, const void * bytes, size_t len);
+    void (*do_xor_iv)(struct st_ptls_aead_context_t *ctx, const void *bytes, size_t len);
     void (*do_encrypt_init)(struct st_ptls_aead_context_t *ctx, uint64_t seq, const void *aad, size_t aadlen);
     size_t (*do_encrypt_update)(struct st_ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen);
     size_t (*do_encrypt_final)(struct st_ptls_aead_context_t *ctx, void *output);
@@ -445,9 +457,22 @@ typedef const struct st_ptls_hash_algorithm_t {
 } ptls_hash_algorithm_t;
 
 typedef const struct st_ptls_cipher_suite_t {
+    /**
+     * ID as defined by the TLS Cipher Suites registry
+     */
     uint16_t id;
+    /**
+     * underlying AEAD algorithm
+     */
     ptls_aead_algorithm_t *aead;
+    /**
+     * underlying hash algorithm
+     */
     ptls_hash_algorithm_t *hash;
+    /**
+     * value of the "Description" field of the TLS Cipher Suites registry
+     */
+    const char *name;
 } ptls_cipher_suite_t;
 
 struct st_ptls_traffic_protection_t;
@@ -735,6 +760,10 @@ struct st_ptls_context_t {
      * the correct one when that callback is being called (like handling swapping the contexts based on the value of SNI).
      */
     unsigned use_raw_public_keys : 1;
+    /**
+     * boolean indicating if the cipher-suite should be chosen based on server's preference
+     */
+    unsigned server_cipher_preference : 1;
     /**
      *
      */

diff --git a/deps/picotls/include/picotls/asn1.h b/deps/picotls/include/picotls/asn1.h
@@ -1,38 +1,38 @@
 /*
-* Copyright (c) 2017 Christian Huitema <huitema@huitema.net>
-*
-* Permission to use, copy, modify, and distribute this software for any
-* purpose with or without fee is hereby granted, provided that the above
-* copyright notice and this permission notice appear in all copies.
-*
-* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-*/
+ * Copyright (c) 2017 Christian Huitema <huitema@huitema.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
 
 #ifndef PTLS_ASN1_H
 #define PTLS_ASN1_H
 
 // #include "picotls/minicrypto.h"
 
 /*
-* The ASN.1 functions take a "log context" parameter of type ptls_minicrypto_log_ctx_t.
-*
-* The log function in that code can be instantiated for example as:
-*
-* void log_printf(void * ctx, const char * format, ...)
-* {
-*     va_list argptr;
-*     va_start(argptr, format);
-*     vfprintf(stderr, format, argptr);
-* }
-*
-* Using definitions from <stdio.h> and <stdarg.h>
-*/
+ * The ASN.1 functions take a "log context" parameter of type ptls_minicrypto_log_ctx_t.
+ *
+ * The log function in that code can be instantiated for example as:
+ *
+ * void log_printf(void * ctx, const char * format, ...)
+ * {
+ *     va_list argptr;
+ *     va_start(argptr, format);
+ *     vfprintf(stderr, format, argptr);
+ * }
+ *
+ * Using definitions from <stdio.h> and <stdarg.h>
+ */
 
 typedef struct st_ptls_minicrypto_log_ctx_t {
     void *ctx;

diff --git a/deps/picotls/include/picotls/pembase64.h b/deps/picotls/include/picotls/pembase64.h
@@ -1,25 +1,25 @@
 /*
-* Copyright (c) 2017 Christian Huitema <huitema@huitema.net>
-*
-* Permission to use, copy, modify, and distribute this software for any
-* purpose with or without fee is hereby granted, provided that the above
-* copyright notice and this permission notice appear in all copies.
-*
-* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-*/
+ * Copyright (c) 2017 Christian Huitema <huitema@huitema.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
 
 #ifndef PTLS_PEMBASE64_H
 #define PTLS_PEMBASE64_H
 
 /*
-* Base64 functions used in encoding and decoding of PEM files
-*/
+ * Base64 functions used in encoding and decoding of PEM files
+ */
 
 #define PTLS_BASE64_DECODE_DONE 0
 #define PTLS_BASE64_DECODE_IN_PROGRESS 1

diff --git a/deps/picotls/lib/cifra/aes128.c b/deps/picotls/lib/cifra/aes128.c
@@ -57,5 +57,7 @@ ptls_aead_algorithm_t ptls_minicrypto_aes128gcm = {"AES128-GCM",
                                                    PTLS_AESGCM_TAG_SIZE,
                                                    sizeof(struct aesgcm_context_t),
                                                    aead_aes128gcm_setup_crypto};
-ptls_cipher_suite_t ptls_minicrypto_aes128gcmsha256 = {PTLS_CIPHER_SUITE_AES_128_GCM_SHA256, &ptls_minicrypto_aes128gcm,
-                                                       &ptls_minicrypto_sha256};
+ptls_cipher_suite_t ptls_minicrypto_aes128gcmsha256 = {.id = PTLS_CIPHER_SUITE_AES_128_GCM_SHA256,
+                                                       .name = PTLS_CIPHER_SUITE_NAME_AES_128_GCM_SHA256,
+                                                       .aead = &ptls_minicrypto_aes128gcm,
+                                                       .hash = &ptls_minicrypto_sha256};
diff --git a/deps/picotls/lib/cifra/aes256.c b/deps/picotls/lib/cifra/aes256.c
@@ -57,5 +57,7 @@ ptls_aead_algorithm_t ptls_minicrypto_aes256gcm = {"AES256-GCM",
                                                    PTLS_AESGCM_TAG_SIZE,
                                                    sizeof(struct aesgcm_context_t),
                                                    aead_aes256gcm_setup_crypto};
-ptls_cipher_suite_t ptls_minicrypto_aes256gcmsha384 = {PTLS_CIPHER_SUITE_AES_256_GCM_SHA384, &ptls_minicrypto_aes256gcm,
-                                                       &ptls_minicrypto_sha384};
+ptls_cipher_suite_t ptls_minicrypto_aes256gcmsha384 = {.id = PTLS_CIPHER_SUITE_AES_256_GCM_SHA384,
+                                                       .name = PTLS_CIPHER_SUITE_NAME_AES_256_GCM_SHA384,
+                                                       .aead = &ptls_minicrypto_aes256gcm,
+                                                       .hash = &ptls_minicrypto_sha384};
diff --git a/deps/picotls/lib/cifra/chacha20.c b/deps/picotls/lib/cifra/chacha20.c
@@ -225,5 +225,7 @@ ptls_aead_algorithm_t ptls_minicrypto_chacha20poly1305 = {"CHACHA20-POLY1305",
                                                           PTLS_CHACHA20POLY1305_TAG_SIZE,
                                                           sizeof(struct chacha20poly1305_context_t),
                                                           aead_chacha20poly1305_setup_crypto};
-ptls_cipher_suite_t ptls_minicrypto_chacha20poly1305sha256 = {PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256,
-                                                              &ptls_minicrypto_chacha20poly1305, &ptls_minicrypto_sha256};
+ptls_cipher_suite_t ptls_minicrypto_chacha20poly1305sha256 = {.id = PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256,
+                                                              .name = PTLS_CIPHER_SUITE_NAME_CHACHA20_POLY1305_SHA256,
+                                                              .aead = &ptls_minicrypto_chacha20poly1305,
+                                                              .hash = &ptls_minicrypto_sha256};
diff --git a/deps/picotls/lib/cifra/random.c b/deps/picotls/lib/cifra/random.c
@@ -37,8 +37,8 @@
 #include <stdio.h>
 #ifdef _WINDOWS
 #ifdef _WINDOWS_XP
- /* The modern BCrypt API is only available on Windows Vista and later versions.
-  * If compiling on Windows XP, we need to use the olded "wincrypt" API */
+/* The modern BCrypt API is only available on Windows Vista and later versions.
+ * If compiling on Windows XP, we need to use the olded "wincrypt" API */
 #include <wincrypt.h>
 
 static void read_entropy(uint8_t *entropy, size_t size)
@@ -57,13 +57,13 @@ static void read_entropy(uint8_t *entropy, size_t size)
     }
 }
 #else
- /* The old "Wincrypt" API requires access to default security containers.
-  * This can cause access control errors on some systems. We prefer
-  * to use the modern BCrypt API when available */
+/* The old "Wincrypt" API requires access to default security containers.
+ * This can cause access control errors on some systems. We prefer
+ * to use the modern BCrypt API when available */
 #include <bcrypt.h>
 
- static void read_entropy(uint8_t *entropy, size_t size)
- {
+static void read_entropy(uint8_t *entropy, size_t size)
+{
     NTSTATUS nts = 0;
     BCRYPT_ALG_HANDLE hAlgorithm = 0;
 

diff --git a/deps/picotls/lib/cifra/x25519.c b/deps/picotls/lib/cifra/x25519.c
@@ -116,4 +116,5 @@ static int x25519_key_exchange(ptls_key_exchange_algorithm_t *algo, ptls_iovec_t
     return ret;
 }
 
-ptls_key_exchange_algorithm_t ptls_minicrypto_x25519 = {PTLS_GROUP_X25519, x25519_create_key_exchange, x25519_key_exchange};
+ptls_key_exchange_algorithm_t ptls_minicrypto_x25519 = {
+    .id = PTLS_GROUP_X25519, .name = PTLS_GROUP_NAME_X25519, .create = x25519_create_key_exchange, .exchange = x25519_key_exchange};
diff --git a/deps/picotls/lib/minicrypto-pem.c b/deps/picotls/lib/minicrypto-pem.c
@@ -105,13 +105,13 @@ size_t ptls_minicrypto_asn1_decode_private_key(ptls_asn1_pkcs8_private_key_t *pk
             byte_index += oid_length;
         }
     }
-  
+
     if (*decode_error == 0) {
         /* get parameters, ANY */
         if (log_ctx != NULL) {
             log_ctx->fn(log_ctx->ctx, "      Parameters:\n");
         }
-      
+
         if (last_byte1 <= byte_index) {
             pkey->parameters_index = 0;
             pkey->parameters_length = 0;