File Coverage

picotls-git/include/picotls.h

Criterion	Covered	Total	%
statement	13	13	100.0
branch	1	2	50.0
condition			n/a
subroutine			n/a
pod			n/a
total	14	15	93.3

line	stmt	bran	code
1			/*
2			* Copyright (c) 2016 DeNA Co., Ltd., Kazuho Oku
3			*
4			* Permission is hereby granted, free of charge, to any person obtaining a copy
5			* of this software and associated documentation files (the "Software"), to
6			* deal in the Software without restriction, including without limitation the
7			* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
8			* sell copies of the Software, and to permit persons to whom the Software is
9			* furnished to do so, subject to the following conditions:
10			*
11			* The above copyright notice and this permission notice shall be included in
12			* all copies or substantial portions of the Software.
13			*
14			* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15			* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16			* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17			* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18			* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
19			* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
20			* IN THE SOFTWARE.
21			*/
22			#ifndef picotls_h
23			#define picotls_h
24
25			#ifdef __cplusplus
26			extern "C" {
27			#endif
28
29			#ifdef _WINDOWS
30			#include "wincompat.h"
31			#endif
32
33			#include
34			#include
35			#include
36			#include
37
38			#if __GNUC__ >= 3
39			#define PTLS_LIKELY(x) __builtin_expect(!!(x), 1)
40			#define PTLS_UNLIKELY(x) __builtin_expect(!!(x), 0)
41			#define PTLS_BUILD_ASSERT_EXPR(cond) (sizeof(char[2 * !!(!__builtin_constant_p(cond) \|\| (cond)) - 1]) != 0)
42			#define PTLS_BUILD_ASSERT(cond) ((void)PTLS_BUILD_ASSERT_EXPR(cond))
43			#else
44			#define PTLS_LIKELY(x) (x)
45			#define PTLS_UNLIKELY(x) (x)
46			#define PTLS_BUILD_ASSERT(cond) 1
47			#endif
48
49			/* __builtin_types_compatible_p yields incorrect results when older versions of GCC is used; see #303.
50			* Clang with Xcode 9.4 or prior is known to not work correctly when a pointer is const-qualified; see
51			* https://github.com/h2o/quicly/pull/306#issuecomment-626037269. Older versions of clang upstream works fine, but we do not need
52			* best coverage. This macro is for preventing misuse going into the master branch, having it work one of the compilers supported in
53			* our CI is enough.
54			*/
55			#if ((defined(__clang__) && __clang_major__ >= 10) \|\| __GNUC__ >= 6) && !defined(__cplusplus)
56			#define PTLS_ASSERT_IS_ARRAY_EXPR(a) PTLS_BUILD_ASSERT_EXPR(__builtin_types_compatible_p(__typeof__(a[0])[], __typeof__(a)))
57			#else
58			#define PTLS_ASSERT_IS_ARRAY_EXPR(a) 1
59			#endif
60
61			#define PTLS_ELEMENTSOF(x) (PTLS_ASSERT_IS_ARRAY_EXPR(x) * sizeof(x) / sizeof((x)[0]))
62
63			#ifdef _WINDOWS
64			#define PTLS_THREADLOCAL __declspec(thread)
65			#else
66			#define PTLS_THREADLOCAL __thread
67			#endif
68
69			#ifndef PTLS_HAVE_LOG
70			#ifdef _WINDOWS
71			#define PTLS_HAVE_LOG 0
72			#else
73			#define PTLS_HAVE_LOG 1
74			#endif
75			#endif
76
77			#ifndef PTLS_FUZZ_HANDSHAKE
78			#define PTLS_FUZZ_HANDSHAKE 0
79			#endif
80
81			#define PTLS_HELLO_RANDOM_SIZE 32
82
83			#define PTLS_AES128_KEY_SIZE 16
84			#define PTLS_AES256_KEY_SIZE 32
85			#define PTLS_AES_BLOCK_SIZE 16
86			#define PTLS_AES_IV_SIZE 16
87			#define PTLS_AESGCM_IV_SIZE 12
88			#define PTLS_AESGCM_TAG_SIZE 16
89			#define PTLS_AESGCM_CONFIDENTIALITY_LIMIT 0x2000000 /* 2^25 */
90			#define PTLS_AESGCM_INTEGRITY_LIMIT UINT64_C(0x40000000000000) /* 2^54 */
91			#define PTLS_AESCCM_CONFIDENTIALITY_LIMIT 0xB504F3 /* 2^23.5 */
92			#define PTLS_AESCCM_INTEGRITY_LIMIT 0xB504F3 /* 2^23.5 */
93
94			#define PTLS_CHACHA20_KEY_SIZE 32
95			#define PTLS_CHACHA20_IV_SIZE 16 /* contrary to RFC 7539, follow OpenSSL way of using first 32 bits as ctr and latter 96 as IV */
96			#define PTLS_CHACHA20POLY1305_IV_SIZE 12
97			#define PTLS_CHACHA20POLY1305_TAG_SIZE 16
98			#define PTLS_CHACHA20POLY1305_CONFIDENTIALITY_LIMIT UINT64_MAX /* at least 2^64 */
99			#define PTLS_CHACHA20POLY1305_INTEGRITY_LIMIT UINT64_C(0x1000000000) /* 2^36 */
100
101			#define PTLS_AEGIS128L_KEY_SIZE 16
102			#define PTLS_AEGIS128L_IV_SIZE 16
103			#define PTLS_AEGIS128L_TAG_SIZE 16
104			#define PTLS_AEGIS128L_CONFIDENTIALITY_LIMIT UINT64_MAX /* at least 2^64 */
105			#define PTLS_AEGIS128L_INTEGRITY_LIMIT UINT64_C(0x1000000000000) /* 2^48 */
106
107			#define PTLS_AEGIS256_KEY_SIZE 32
108			#define PTLS_AEGIS256_IV_SIZE 32
109			#define PTLS_AEGIS256_TAG_SIZE 16
110			#define PTLS_AEGIS256_CONFIDENTIALITY_LIMIT UINT64_MAX /* at least 2^64 */
111			#define PTLS_AEGIS256_INTEGRITY_LIMIT UINT64_C(0x1000000000000) /* 2^48 */
112
113			#define PTLS_BLOWFISH_KEY_SIZE 16
114			#define PTLS_BLOWFISH_BLOCK_SIZE 8
115
116			#define PTLS_QUICLB_KEY_SIZE 16 /* same as the underlying aes128ecb */
117			#define PTLS_QUICLB_MIN_BLOCK_SIZE 7
118			#define PTLS_QUICLB_MAX_BLOCK_SIZE 19 /* inclusive */
119			#define PTLS_QUICLB_DEFAULT_BLOCK_SIZE \
120			8 /* when the quiclb cipher is used, the blob passed to ptls_cipher_encrypt can be anything between the min and max above; \
121			however, 8 is the default set in `ptls_cipher_algorithm_t::block_size` */
122
123			#define PTLS_SHA256_BLOCK_SIZE 64
124			#define PTLS_SHA256_DIGEST_SIZE 32
125
126			#define PTLS_SHA384_BLOCK_SIZE 128
127			#define PTLS_SHA384_DIGEST_SIZE 48
128
129			#define PTLS_SHA512_BLOCK_SIZE 128
130			#define PTLS_SHA512_DIGEST_SIZE 64
131
132			#define PTLS_MAX_SECRET_SIZE 32
133			#define PTLS_MAX_IV_SIZE 32
134			#define PTLS_MAX_DIGEST_SIZE 64
135
136			/* versions */
137			#define PTLS_PROTOCOL_VERSION_TLS12 0x0303
138			#define PTLS_PROTOCOL_VERSION_TLS13 0x0304
139
140			/* cipher-suites */
141			#define PTLS_CIPHER_SUITE_AES_128_GCM_SHA256 0x1301
142			#define PTLS_CIPHER_SUITE_NAME_AES_128_GCM_SHA256 "TLS_AES_128_GCM_SHA256"
143			#define PTLS_CIPHER_SUITE_AES_256_GCM_SHA384 0x1302
144			#define PTLS_CIPHER_SUITE_NAME_AES_256_GCM_SHA384 "TLS_AES_256_GCM_SHA384"
145			#define PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256 0x1303
146			#define PTLS_CIPHER_SUITE_NAME_CHACHA20_POLY1305_SHA256 "TLS_CHACHA20_POLY1305_SHA256"
147			#define PTLS_CIPHER_SUITE_AEGIS256_SHA512 0x1306
148			#define PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA512 "TLS_AEGIS_256_SHA512"
149			#define PTLS_CIPHER_SUITE_AEGIS128L_SHA256 0x1307
150			#define PTLS_CIPHER_SUITE_NAME_AEGIS128L_SHA256 "TLS_AEGIS_128L_SHA256"
151
152			/* TLS/1.2 cipher-suites that we support (for compatibility, OpenSSL names are used) */
153			#define PTLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xc02b
154			#define PTLS_CIPHER_SUITE_NAME_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 "ECDHE-ECDSA-AES128-GCM-SHA256"
155			#define PTLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xc02c
156			#define PTLS_CIPHER_SUITE_NAME_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 "ECDHE-ECDSA-AES256-GCM-SHA384"
157			#define PTLS_CIPHER_SUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xc02f
158			#define PTLS_CIPHER_SUITE_NAME_ECDHE_RSA_WITH_AES_128_GCM_SHA256 "ECDHE-RSA-AES128-GCM-SHA256"
159			#define PTLS_CIPHER_SUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xc030
160			#define PTLS_CIPHER_SUITE_NAME_ECDHE_RSA_WITH_AES_256_GCM_SHA384 "ECDHE-RSA-AES256-GCM-SHA384"
161			#define PTLS_CIPHER_SUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xcca8
162			#define PTLS_CIPHER_SUITE_NAME_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 "ECDHE-RSA-CHACHA20-POLY1305"
163			#define PTLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xcca9
164			#define PTLS_CIPHER_SUITE_NAME_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 "ECDHE-ECDSA-CHACHA20-POLY1305"
165
166			/* negotiated_groups */
167			#define PTLS_GROUP_SECP256R1 23
168			#define PTLS_GROUP_NAME_SECP256R1 "secp256r1"
169			#define PTLS_GROUP_SECP384R1 24
170			#define PTLS_GROUP_NAME_SECP384R1 "secp384r1"
171			#define PTLS_GROUP_SECP521R1 25
172			#define PTLS_GROUP_NAME_SECP521R1 "secp521r1"
173			#define PTLS_GROUP_X25519 29
174			#define PTLS_GROUP_NAME_X25519 "x25519"
175			#define PTLS_GROUP_X448 30
176			#define PTLS_GROUP_NAME_X448 "x448"
177			#define PTLS_GROUP_SECP256R1MLKEM768 4587
178			#define PTLS_GROUP_NAME_SECP256R1MLKEM768 "SecP256r1MLKEM768"
179			#define PTLS_GROUP_X25519MLKEM768 4588
180			#define PTLS_GROUP_NAME_X25519MLKEM768 "X25519MLKEM768"
181			#define PTLS_GROUP_SECP384R1MLKEM1024 4589
182			#define PTLS_GROUP_NAME_SECP384R1MLKEM1024 "SecP384r1MLKEM1024"
183			#define PTLS_GROUP_MLKEM512 512
184			#define PTLS_GROUP_NAME_MLKEM512 "MLKEM512"
185			#define PTLS_GROUP_MLKEM768 513
186			#define PTLS_GROUP_NAME_MLKEM768 "MLKEM768"
187			#define PTLS_GROUP_MLKEM1024 514
188			#define PTLS_GROUP_NAME_MLKEM1024 "MLKEM1024"
189
190			/* signature algorithms */
191			#define PTLS_SIGNATURE_RSA_PKCS1_SHA1 0x0201
192			#define PTLS_SIGNATURE_RSA_PKCS1_SHA256 0x0401
193			#define PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256 0x0403
194			#define PTLS_SIGNATURE_ECDSA_SECP384R1_SHA384 0x0503
195			#define PTLS_SIGNATURE_ECDSA_SECP521R1_SHA512 0x0603
196			#define PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256 0x0804
197			#define PTLS_SIGNATURE_RSA_PSS_RSAE_SHA384 0x0805
198			#define PTLS_SIGNATURE_RSA_PSS_RSAE_SHA512 0x0806
199			#define PTLS_SIGNATURE_ED25519 0x0807
200
201			/* HPKE */
202			#define PTLS_HPKE_MODE_BASE 0
203			#define PTLS_HPKE_MODE_PSK 1
204			#define PTLS_HPKE_MODE_AUTH 2
205			#define PTLS_HPKE_MODE_AUTH_PSK 3
206			#define PTLS_HPKE_KEM_P256_SHA256 16
207			#define PTLS_HPKE_KEM_P384_SHA384 17
208			#define PTLS_HPKE_KEM_X25519_SHA256 32
209			#define PTLS_HPKE_HKDF_SHA256 1
210			#define PTLS_HPKE_HKDF_SHA384 2
211			#define PTLS_HPKE_HKDF_SHA512 3
212			#define PTLS_HPKE_AEAD_AES_128_GCM 1
213			#define PTLS_HPKE_AEAD_AES_256_GCM 2
214			#define PTLS_HPKE_AEAD_CHACHA20POLY1305 3
215
216			/* error classes and macros */
217			#define PTLS_ERROR_CLASS_SELF_ALERT 0
218			#define PTLS_ERROR_CLASS_PEER_ALERT 0x100
219			#define PTLS_ERROR_CLASS_INTERNAL 0x200
220
221			#define PTLS_ERROR_GET_CLASS(e) ((e) & ~0xff)
222			#define PTLS_ALERT_TO_SELF_ERROR(e) ((e) + PTLS_ERROR_CLASS_SELF_ALERT)
223			#define PTLS_ALERT_TO_PEER_ERROR(e) ((e) + PTLS_ERROR_CLASS_PEER_ALERT)
224			#define PTLS_ERROR_TO_ALERT(e) ((e) & 0xff)
225
226			/* the HKDF prefix */
227			#define PTLS_HKDF_EXPAND_LABEL_PREFIX "tls13 "
228
229			/* alerts */
230			#define PTLS_ALERT_LEVEL_WARNING 1
231			#define PTLS_ALERT_LEVEL_FATAL 2
232
233			#define PTLS_ALERT_CLOSE_NOTIFY 0
234			#define PTLS_ALERT_UNEXPECTED_MESSAGE 10
235			#define PTLS_ALERT_BAD_RECORD_MAC 20
236			#define PTLS_ALERT_HANDSHAKE_FAILURE 40
237			#define PTLS_ALERT_BAD_CERTIFICATE 42
238			#define PTLS_ALERT_UNSUPPORTED_CERTIFICATE 43
239			#define PTLS_ALERT_CERTIFICATE_REVOKED 44
240			#define PTLS_ALERT_CERTIFICATE_EXPIRED 45
241			#define PTLS_ALERT_CERTIFICATE_UNKNOWN 46
242			#define PTLS_ALERT_ILLEGAL_PARAMETER 47
243			#define PTLS_ALERT_UNKNOWN_CA 48
244			#define PTLS_ALERT_ACCESS_DENIED 49
245			#define PTLS_ALERT_DECODE_ERROR 50
246			#define PTLS_ALERT_DECRYPT_ERROR 51
247			#define PTLS_ALERT_PROTOCOL_VERSION 70
248			#define PTLS_ALERT_INTERNAL_ERROR 80
249			#define PTLS_ALERT_USER_CANCELED 90
250			#define PTLS_ALERT_MISSING_EXTENSION 109
251			#define PTLS_ALERT_UNSUPPORTED_EXTENSION 110
252			#define PTLS_ALERT_UNRECOGNIZED_NAME 112
253			#define PTLS_ALERT_UNKNOWN_PSK_IDENTITY 115
254			#define PTLS_ALERT_CERTIFICATE_REQUIRED 116
255			#define PTLS_ALERT_NO_APPLICATION_PROTOCOL 120
256			#define PTLS_ALERT_ECH_REQUIRED 121
257
258			/* TLS 1.2 */
259			#define PTLS_TLS12_MASTER_SECRET_SIZE 48
260			#define PTLS_TLS12_AAD_SIZE 13
261			#define PTLS_TLS12_AESGCM_FIXED_IV_SIZE 4
262			#define PTLS_TLS12_AESGCM_RECORD_IV_SIZE 8
263			#define PTLS_TLS12_CHACHAPOLY_FIXED_IV_SIZE 12
264			#define PTLS_TLS12_CHACHAPOLY_RECORD_IV_SIZE 0
265
266			/* internal errors */
267			#define PTLS_ERROR_NO_MEMORY (PTLS_ERROR_CLASS_INTERNAL + 1)
268			#define PTLS_ERROR_IN_PROGRESS (PTLS_ERROR_CLASS_INTERNAL + 2)
269			#define PTLS_ERROR_LIBRARY (PTLS_ERROR_CLASS_INTERNAL + 3)
270			#define PTLS_ERROR_INCOMPATIBLE_KEY (PTLS_ERROR_CLASS_INTERNAL + 4)
271			#define PTLS_ERROR_SESSION_NOT_FOUND (PTLS_ERROR_CLASS_INTERNAL + 5)
272			#define PTLS_ERROR_STATELESS_RETRY (PTLS_ERROR_CLASS_INTERNAL + 6)
273			#define PTLS_ERROR_NOT_AVAILABLE (PTLS_ERROR_CLASS_INTERNAL + 7)
274			#define PTLS_ERROR_COMPRESSION_FAILURE (PTLS_ERROR_CLASS_INTERNAL + 8)
275			#define PTLS_ERROR_REJECT_EARLY_DATA (PTLS_ERROR_CLASS_INTERNAL + 9)
276			#define PTLS_ERROR_DELEGATE (PTLS_ERROR_CLASS_INTERNAL + 10)
277			#define PTLS_ERROR_ASYNC_OPERATION (PTLS_ERROR_CLASS_INTERNAL + 11)
278			#define PTLS_ERROR_BLOCK_OVERFLOW (PTLS_ERROR_CLASS_INTERNAL + 12)
279
280			#define PTLS_ERROR_INCORRECT_BASE64 (PTLS_ERROR_CLASS_INTERNAL + 50)
281			#define PTLS_ERROR_PEM_LABEL_NOT_FOUND (PTLS_ERROR_CLASS_INTERNAL + 51)
282			#define PTLS_ERROR_BER_INCORRECT_ENCODING (PTLS_ERROR_CLASS_INTERNAL + 52)
283			#define PTLS_ERROR_BER_MALFORMED_TYPE (PTLS_ERROR_CLASS_INTERNAL + 53)
284			#define PTLS_ERROR_BER_MALFORMED_LENGTH (PTLS_ERROR_CLASS_INTERNAL + 54)
285			#define PTLS_ERROR_BER_EXCESSIVE_LENGTH (PTLS_ERROR_CLASS_INTERNAL + 55)
286			#define PTLS_ERROR_BER_ELEMENT_TOO_SHORT (PTLS_ERROR_CLASS_INTERNAL + 56)
287			#define PTLS_ERROR_BER_UNEXPECTED_EOC (PTLS_ERROR_CLASS_INTERNAL + 57)
288			#define PTLS_ERROR_DER_INDEFINITE_LENGTH (PTLS_ERROR_CLASS_INTERNAL + 58)
289			#define PTLS_ERROR_INCORRECT_ASN1_SYNTAX (PTLS_ERROR_CLASS_INTERNAL + 59)
290			#define PTLS_ERROR_INCORRECT_PEM_KEY_VERSION (PTLS_ERROR_CLASS_INTERNAL + 60)
291			#define PTLS_ERROR_INCORRECT_PEM_ECDSA_KEY_VERSION (PTLS_ERROR_CLASS_INTERNAL + 61)
292			#define PTLS_ERROR_INCORRECT_PEM_ECDSA_CURVE (PTLS_ERROR_CLASS_INTERNAL + 62)
293			#define PTLS_ERROR_INCORRECT_PEM_ECDSA_KEYSIZE (PTLS_ERROR_CLASS_INTERNAL + 63)
294			#define PTLS_ERROR_INCORRECT_ASN1_ECDSA_KEY_SYNTAX (PTLS_ERROR_CLASS_INTERNAL + 64)
295
296			#define PTLS_HANDSHAKE_TYPE_CLIENT_HELLO 1
297			#define PTLS_HANDSHAKE_TYPE_SERVER_HELLO 2
298			#define PTLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET 4
299			#define PTLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA 5
300			#define PTLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS 8
301			#define PTLS_HANDSHAKE_TYPE_CERTIFICATE 11
302			#define PTLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST 13
303			#define PTLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY 15
304			#define PTLS_HANDSHAKE_TYPE_FINISHED 20
305			#define PTLS_HANDSHAKE_TYPE_KEY_UPDATE 24
306			#define PTLS_HANDSHAKE_TYPE_COMPRESSED_CERTIFICATE 25
307			#define PTLS_HANDSHAKE_TYPE_MESSAGE_HASH 254
308			#define PTLS_HANDSHAKE_TYPE_PSEUDO_HRR -1
309
310			#define PTLS_CERTIFICATE_TYPE_X509 0
311			#define PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY 2
312
313			#define PTLS_ZERO_DIGEST_SHA256 \
314			{0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, \
315			0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}
316
317			#define PTLS_ZERO_DIGEST_SHA384 \
318			{0x38, 0xb0, 0x60, 0xa7, 0x51, 0xac, 0x96, 0x38, 0x4c, 0xd9, 0x32, 0x7e, 0xb1, 0xb1, 0xe3, 0x6a, \
319			0x21, 0xfd, 0xb7, 0x11, 0x14, 0xbe, 0x07, 0x43, 0x4c, 0x0c, 0xc7, 0xbf, 0x63, 0xf6, 0xe1, 0xda, \
320			0x27, 0x4e, 0xde, 0xbf, 0xe7, 0x6f, 0x65, 0xfb, 0xd5, 0x1a, 0xd2, 0xf1, 0x48, 0x98, 0xb9, 0x5b}
321
322			#define PTLS_ZERO_DIGEST_SHA512 \
323			{0xcf, 0x83, 0xe1, 0x35, 0x7e, 0xef, 0xb8, 0xbd, 0xf1, 0x54, 0x28, 0x50, 0xd6, 0x6d, 0x80, 0x07, \
324			0xd6, 0x20, 0xe4, 0x05, 0x0b, 0x57, 0x15, 0xdc, 0x83, 0xf4, 0xa9, 0x21, 0xd3, 0x6c, 0xe9, 0xce, \
325			0x47, 0xd0, 0xd1, 0x3c, 0x5d, 0x85, 0xf2, 0xb0, 0xff, 0x83, 0x18, 0xd2, 0x87, 0x7e, 0xec, 0x2f, \
326			0x63, 0xb9, 0x31, 0xbd, 0x47, 0x41, 0x7a, 0x81, 0xa5, 0x38, 0x32, 0x7a, 0xf9, 0x27, 0xda, 0x3e}
327
328			#define PTLS_TO__STR(n) #n
329			#define PTLS_TO_STR(n) PTLS_TO__STR(n)
330
331			/**
332			* default maximum of tickets to send (see ptls_context_t::ticket_requests.server.max_count)
333			*/
334			#define PTLS_DEFAULT_MAX_TICKETS_TO_SERVE 4
335
336			typedef struct st_ptls_t ptls_t;
337			typedef struct st_ptls_context_t ptls_context_t;
338			typedef struct st_ptls_key_schedule_t ptls_key_schedule_t;
339
340			/**
341			* represents a sequence of octets
342			*/
343			typedef struct st_ptls_iovec_t {
344			uint8_t *base;
345			size_t len;
346			} ptls_iovec_t;
347
348			/**
349			* used for storing output
350			*/
351			typedef struct st_ptls_buffer_t {
352			uint8_t *base;
353			size_t capacity;
354			size_t off;
355			uint8_t is_allocated; /* boolean */
356			uint8_t align_bits; /* if particular alignment is required, set to log2(alignment); otherwize zero */
357			} ptls_buffer_t;
358
359			/**
360			* key exchange context built by ptls_key_exchange_algorithm::create.
361			*/
362			typedef struct st_ptls_key_exchange_context_t {
363			/**
364			* the underlying algorithm
365			*/
366			const struct st_ptls_key_exchange_algorithm_t *algo;
367			/**
368			* public key of this context
369			*/
370			ptls_iovec_t pubkey;
371			/**
372			* This function can be used for deriving a shared secret or for destroying the context.
373			* When `secret` is non-NULL, this callback derives the shared secret using the private key of the context and the peer key
374			* being given, and sets the value in `secret`. The memory pointed to by `secret->base` must be freed by the caller by calling
375			* `free`. When `release` is set, the callee frees resources allocated to the context and set *keyex to NULL. Upon failure
376			* (i.e., when an PTLS error code is returned), `pubkey` and `secret` either remain unchanged or are zero-cleared.
377			*/
378			int (on_exchange)(struct st_ptls_key_exchange_context_t keyex, int release, ptls_iovec_t secret, ptls_iovec_t peerkey);
379			} ptls_key_exchange_context_t;
380
381			/**
382			* A key exchange algorithm.
383			*/
384			typedef const struct st_ptls_key_exchange_algorithm_t {
385			/**
386			* ID defined by the TLS specification
387			*/
388			uint16_t id;
389			/**
390			* Creates a context for asynchronous key exchange. The function is called when ClientHello is generated. The on_exchange
391			* callback of the created context is called when the client receives ServerHello.
392			*/
393			int (create)(const struct st_ptls_key_exchange_algorithm_t algo, ptls_key_exchange_context_t **ctx);
394			/**
395			* Implements synchronous key exchange. Called when ServerHello is generated.
396			* Given a public key provided by the peer (`peerkey`), this callback generates an ephemeral private and public key, and returns
397			* the public key (`pubkey`) and a secret (`secret`) derived from the peerkey and private key.
398			* Upon failure (i.e., when an PTLS error code is returned), `pubkey` and `secret` either remain unchanged or are
399			* zero-cleared.
400			*/
401			int (exchange)(const struct st_ptls_key_exchange_algorithm_t algo, ptls_iovec_t pubkey, ptls_iovec_t secret,
402			ptls_iovec_t peerkey);
403			/**
404			* crypto-specific data
405			*/
406			intptr_t data;
407			/**
408			* Description as defined in the IANA TLS registry
409			*/
410			const char *name;
411			} ptls_key_exchange_algorithm_t;
412
413			/**
414			* context of a symmetric cipher
415			*/
416			typedef struct st_ptls_cipher_context_t {
417			const struct st_ptls_cipher_algorithm_t *algo;
418			/* field above this line must not be altered by the crypto binding */
419			void (do_dispose)(struct st_ptls_cipher_context_t ctx);
420			void (do_init)(struct st_ptls_cipher_context_t ctx, const void *iv);
421			void (do_transform)(struct st_ptls_cipher_context_t ctx, void output, const void input, size_t len);
422			} ptls_cipher_context_t;
423
424			/**
425			* a symmetric cipher
426			*/
427			typedef const struct st_ptls_cipher_algorithm_t {
428			const char *name;
429			size_t key_size;
430			size_t block_size;
431			size_t iv_size;
432			size_t context_size;
433			int (setup_crypto)(ptls_cipher_context_t ctx, int is_enc, const void *key);
434			} ptls_cipher_algorithm_t;
435
436			/**
437			* This object specifies symmetric cipher to be calculated alongside the AEAD encryption.
438			* QUIC stacks can use this object to apply QUIC header protection and AEAD encryption in one shot.
439			*/
440			typedef struct st_ptls_aead_supplementary_encryption_t {
441			/**
442			* Cipher context to be used.
443			*/
444			ptls_cipher_context_t *ctx;
445			/**
446			* Input to the cipher.
447			* This field may point to the output of AEAD encryption, in which case the input will be read after AEAD encryption is
448			* complete.
449			*/
450			const void *input;
451			/**
452			* Output.
453			*/
454			uint8_t output[16];
455			} ptls_aead_supplementary_encryption_t;
456
457			/**
458			* AEAD context.
459			* AEAD implementations are allowed to stuff data at the end of the struct; see `ptls_aead_algorithm_t::setup_crypto`.
460			* Ciphers for TLS over TCP MUST implement `do_encrypt`, `do_encrypt_v`, `do_decrypt`.
461			* `do_encrypt_init`, `~update`, `~final` are obsolete, and therefore may not be available.
462			*/
463			typedef struct st_ptls_aead_context_t {
464			/**
465			* Points to the algorithm. This field is governed by picotls core; backends must not alter.
466			*/
467			const struct st_ptls_aead_algorithm_t *algo;
468			/**
469			* Mandatory callback that disposes of all the backend-specific data.
470			*/
471			void (dispose_crypto)(struct st_ptls_aead_context_t ctx);
472			/**
473			* Mandatory callback that returns the static IV. The size of IV is available as `ptls_aead_algorithm_t::iv_size`.
474			*/
475			void (do_get_iv)(struct st_ptls_aead_context_t ctx, void *iv);
476			/**
477			* Mandatory callback that sets the static IV. The size of IV is available as `ptls_aead_algorithm_t::iv_size`.
478			*/
479			void (do_set_iv)(struct st_ptls_aead_context_t ctx, const void *iv);
480			/**
481			* Deprecated.
482			*/
483			void (do_encrypt_init)(struct st_ptls_aead_context_t ctx, uint64_t seq, const void *aad, size_t aadlen);
484			/**
485			* Deprecated.
486			*/
487			size_t (do_encrypt_update)(struct st_ptls_aead_context_t ctx, void output, const void input, size_t inlen);
488			/**
489			* Deprecated.
490			*/
491			size_t (do_encrypt_final)(struct st_ptls_aead_context_t ctx, void *output);
492			/**
493			* Mandatory callback that does "one-shot" encryption of an AEAD block.
494			* When `supp` is set to non-NULL, the callback must also encrypt the supplementary block.
495			* Backends may set this field to `ptls_aead__do_encrypt` that calls `do_encrypt_v` and `ptls_cipher_*` functions for handling
496			* the supplimentary block.
497			*/
498			void (do_encrypt)(struct st_ptls_aead_context_t ctx, void output, const void input, size_t inlen, uint64_t seq,
499			const void aad, size_t aadlen, ptls_aead_supplementary_encryption_t supp);
500			/**
501			* Variant of `do_encrypt` that gathers input from multiple blocks. Support for this callback is also mandatory.
502			* Legacy backends may set this field to `ptls_aead__do_encrypt_v` that calls `do_encrypt_init`, `do_encrypt_update`,
503			* `do_encrypt_final`.
504			*/
505			void (do_encrypt_v)(struct st_ptls_aead_context_t ctx, void output, ptls_iovec_t input, size_t incnt, uint64_t seq,
506			const void *aad, size_t aadlen);
507			/**
508			* Mandatory callback for decrypting an AEAD block.
509			* If successful, returns the amount of cleartext bytes being written to output. Otherwise, returns SIZE_MAX.
510			*/
511			size_t (do_decrypt)(struct st_ptls_aead_context_t ctx, void output, const void input, size_t inlen, uint64_t seq,
512			const void *aad, size_t aadlen);
513			} ptls_aead_context_t;
514
515			/**
516			* An AEAD cipher.
517			*/
518			typedef const struct st_ptls_aead_algorithm_t {
519			/**
520			* name (following the convention of `openssl ciphers -v ALL`)
521			*/
522			const char *name;
523			/**
524			* confidentiality_limit (max records / packets sent before re-key)
525			*/
526			const uint64_t confidentiality_limit;
527			/**
528			* integrity_limit (max decryption failure records / packets before re-key)
529			*/
530			const uint64_t integrity_limit;
531			/**
532			* the underlying key stream
533			*/
534			ptls_cipher_algorithm_t *ctr_cipher;
535			/**
536			* the underlying ecb cipher (might not be available)
537			*/
538			ptls_cipher_algorithm_t *ecb_cipher;
539			/**
540			* key size
541			*/
542			size_t key_size;
543			/**
544			* size of the IV
545			*/
546			size_t iv_size;
547			/**
548			* size of the tag
549			*/
550			size_t tag_size;
551			/**
552			* TLS/1.2 Security Parameters (AEAD without support for TLS 1.2 must set both values to 0)
553			*/
554			struct {
555			size_t fixed_iv_size;
556			size_t record_iv_size;
557			} tls12;
558			/**
559			* if encrypted bytes are going to be written using non-temporal store instructions (i.e., skip cache)
560			*/
561			unsigned non_temporal : 1;
562			/**
563			* log2(alignment) being required
564			*/
565			uint8_t align_bits;
566			/**
567			* size of memory allocated for `ptls_aead_context_t`
568			*/
569			size_t context_size;
570			/**
571			* Backend callback called to setup `ptls_aead_context_t`.
572			* Backends are allowed to stuff arbitrary data at the end of `ptls_aead_context_t`; actual size of the memory chunk being
573			* allocated is that specified by `ptls_aead_algorithm_t::context_size`. When the `setup_crypto` callback is called, all the
574			* fields outside of `ptls_aead_context_t` will be in undefined state; it is the responsibility of the callback to initialize
575			* them, as well as the callbacks of `ptls_aead_context_t` that the backend supports.
576			* A non-zero return value indicates failure, in which case the error will propagate as `ptls_aead_new` returning NULL.
577			*/
578			int (setup_crypto)(ptls_aead_context_t ctx, int is_enc, const void key, const void iv);
579			} ptls_aead_algorithm_t;
580
581			/**
582			*
583			*/
584			typedef enum en_ptls_hash_final_mode_t {
585			/**
586			* obtains the digest and frees the context
587			*/
588			PTLS_HASH_FINAL_MODE_FREE = 0,
589			/**
590			* obtains the digest and reset the context to initial state
591			*/
592			PTLS_HASH_FINAL_MODE_RESET = 1,
593			/**
594			* obtains the digest while leaving the context as-is
595			*/
596			PTLS_HASH_FINAL_MODE_SNAPSHOT = 2
597			} ptls_hash_final_mode_t;
598
599			/**
600			* A hash context.
601			*/
602			typedef struct st_ptls_hash_context_t {
603			/**
604			* feeds additional data into the hash context
605			*/
606			void (update)(struct st_ptls_hash_context_t ctx, const void *src, size_t len);
607			/**
608			* returns the digest and performs necessary operation specified by mode
609			*/
610			void (final)(struct st_ptls_hash_context_t ctx, void *md, ptls_hash_final_mode_t mode);
611			/**
612			* creates a copy of the hash context
613			*/
614			struct st_ptls_hash_context_t (clone_)(struct st_ptls_hash_context_t *src);
615			} ptls_hash_context_t;
616
617			/**
618			* A hash algorithm and its properties.
619			*/
620			typedef const struct st_ptls_hash_algorithm_t {
621			/**
622			* name of the hash algorithm
623			*/
624			const char *name;
625			/**
626			* block size
627			*/
628			size_t block_size;
629			/**
630			* digest size
631			*/
632			size_t digest_size;
633			/**
634			* constructor that creates the hash context
635			*/
636			ptls_hash_context_t (create)(void);
637			/**
638			* digest of zero-length octets
639			*/
640			uint8_t empty_digest[PTLS_MAX_DIGEST_SIZE];
641			} ptls_hash_algorithm_t;
642
643			typedef const struct st_ptls_cipher_suite_t {
644			/**
645			* ID as defined by the TLS Cipher Suites registry
646			*/
647			uint16_t id;
648			/**
649			* underlying AEAD algorithm
650			*/
651			ptls_aead_algorithm_t *aead;
652			/**
653			* underlying hash algorithm
654			*/
655			ptls_hash_algorithm_t *hash;
656			/**
657			* value of the "Description" field of the TLS Cipher Suites registry
658			*/
659			const char *name;
660			} ptls_cipher_suite_t;
661
662			struct st_ptls_traffic_protection_t;
663
664			typedef struct st_ptls_message_emitter_t {
665			ptls_buffer_t *buf;
666			struct st_ptls_traffic_protection_t *enc;
667			size_t record_header_length;
668			int (begin_message)(struct st_ptls_message_emitter_t self);
669			int (commit_message)(struct st_ptls_message_emitter_t self);
670			} ptls_message_emitter_t;
671
672			/**
673			* HPKE KEM
674			*/
675			typedef const struct st_ptls_hpke_kem_t {
676			uint16_t id;
677			ptls_key_exchange_algorithm_t *keyex;
678			ptls_hash_algorithm_t *hash;
679			} ptls_hpke_kem_t;
680
681			typedef struct st_ptls_hpke_cipher_suite_id_t {
682			uint16_t kdf;
683			uint16_t aead;
684			} ptls_hpke_cipher_suite_id_t;
685
686			typedef const struct st_ptls_hpke_cipher_suite_t {
687			ptls_hpke_cipher_suite_id_t id;
688			const char name; / in form of "/" using the sames specified in IANA HPKE registry */
689			ptls_hash_algorithm_t *hash;
690			ptls_aead_algorithm_t *aead;
691			} ptls_hpke_cipher_suite_t;
692
693			#define PTLS_CALLBACK_TYPE0(ret, name) \
694			typedef struct st_ptls_##name##_t { \
695			ret (cb)(struct st_ptls_##name##_t self); \
696			} ptls_##name##_t
697
698			#define PTLS_CALLBACK_TYPE(ret, name, ...) \
699			typedef struct st_ptls_##name##_t { \
700			ret (cb)(struct st_ptls_##name##_t self, __VA_ARGS__); \
701			} ptls_##name##_t
702
703			typedef struct st_ptls_client_hello_psk_identity_t {
704			ptls_iovec_t identity;
705			uint32_t obfuscated_ticket_age;
706			ptls_iovec_t binder;
707			} ptls_client_hello_psk_identity_t;
708
709			/**
710			* arguments passsed to the on_client_hello callback
711			*/
712			typedef struct st_ptls_on_client_hello_parameters_t {
713			/**
714			* SNI value received from the client. The value is {NULL, 0} if the extension was absent.
715			*/
716			ptls_iovec_t server_name;
717			/**
718			* Raw value of the client_hello message.
719			*/
720			ptls_iovec_t raw_message;
721			/**
722			* points to the cipher-suites section of the raw_message (see above)
723			*/
724			ptls_iovec_t cipher_suites;
725			/**
726			*
727			*/
728			struct {
729			ptls_iovec_t *list;
730			size_t count;
731			} negotiated_protocols;
732			struct {
733			const uint16_t *list;
734			size_t count;
735			} signature_algorithms;
736			struct {
737			const uint16_t *list;
738			size_t count;
739			} certificate_compression_algorithms;
740			struct {
741			const uint8_t *list;
742			size_t count;
743			} server_certificate_types;
744			struct {
745			const ptls_client_hello_psk_identity_t *list;
746			size_t count;
747			} psk_identities;
748			/**
749			* set to 1 if ClientHello is too old (or too new) to be handled by picotls
750			*/
751			unsigned incompatible_version : 1;
752			} ptls_on_client_hello_parameters_t;
753
754			/**
755			* returns current time in milliseconds (ptls_get_time can be used to return the physical time)
756			*/
757			PTLS_CALLBACK_TYPE0(uint64_t, get_time);
758			/**
759			* after receiving ClientHello, the core calls the optional callback to give a chance to the swap the context depending on the input
760			* values. The callback is required to call `ptls_set_server_name` if an SNI extension needs to be sent to the client.
761			*/
762			PTLS_CALLBACK_TYPE(int, on_client_hello, ptls_t tls, ptls_on_client_hello_parameters_t params);
763			/**
764			* callback to generate the certificate message. `ptls_context::certificates` are set when the callback is set to NULL.
765			*/
766			PTLS_CALLBACK_TYPE(int, emit_certificate, ptls_t tls, ptls_message_emitter_t emitter, ptls_key_schedule_t *key_sched,
767			ptls_iovec_t context, int push_status_request, const uint16_t *compress_algos, size_t num_compress_algos);
768			/**
769			* An object that represents an asynchronous task (e.g., RSA signature generation).
770			* When `ptls_handshake` returns `PTLS_ERROR_ASYNC_OPERATION`, it has an associated task in flight. The user should obtain the
771			* reference to the associated task by calling `ptls_get_async_job`, then either wait for the file descriptor obtained from
772			* the `get_fd` callback to become readable, or set a completion callback via `set_completion_callback` and wait for its
773			* invocation. Once notified, the user should invoke `ptls_handshake` again.
774			* Async jobs typically provide support for only one of the two methods.
775			*/
776			typedef struct st_ptls_async_job_t {
777			void (destroy_)(struct st_ptls_async_job_t self);
778			/**
779			* optional callback returning a file descriptor that becomes readable when the job is complete
780			*/
781			int (get_fd)(struct st_ptls_async_job_t self);
782			/**
783			* optional callback for setting a completion callback
784			*/
785			void (set_completion_callback)(struct st_ptls_async_job_t self, void (cb)(void ), void *cbdata);
786			} ptls_async_job_t;
787			/**
788			* When gerenating CertificateVerify, the core calls the callback to sign the handshake context using the certificate. This callback
789			* supports asynchronous mode; see `ptls_openssl_sign_certificate_t` for more information.
790			*/
791			PTLS_CALLBACK_TYPE(int, sign_certificate, ptls_t tls, ptls_async_job_t async, uint16_t selected_algorithm,
792			ptls_buffer_t output, ptls_iovec_t input, const uint16_t algorithms, size_t num_algorithms);
793			/**
794			* after receiving Certificate, the core calls the callback to verify the certificate chain and to obtain a pointer to a
795			* callback that should be used for verifying CertificateVerify. If an error occurs between a successful return from this
796			* callback to the invocation of the verify_sign callback, verify_sign is called with both data and sign set to an empty buffer.
797			* The implementor of the callback should use that as the opportunity to free any temporary data allocated for the verify_sign
798			* callback.
799			* The name of the server to be verified, if any, is provided explicitly as `server_name`. When ECH is offered by the client but
800			* the was rejected by the server, this value can be different from that being sent via `ptls_get_server_name`.
801			*/
802			typedef struct st_ptls_verify_certificate_t {
803			int (cb)(struct st_ptls_verify_certificate_t self, ptls_t tls, const char server_name,
804			int (*verify_sign)(void verify_ctx, uint16_t algo, ptls_iovec_t data, ptls_iovec_t sign), void **verify_data,
805			ptls_iovec_t *certs, size_t num_certs);
806			/**
807			* list of signature algorithms being supported, terminated by UINT16_MAX
808			*/
809			const uint16_t *algos;
810			} ptls_verify_certificate_t;
811			/**
812			* Encrypt-and-signs (or verify-and-decrypts) a ticket (server-only).
813			* When used for encryption (i.e., is_encrypt being set), the function should return 0 if successful, or else a non-zero value.
814			* When used for decryption, the function should return 0 (successful), PTLS_ERROR_REJECT_EARLY_DATA (successful, but 0-RTT is
815			* forbidden), or any other value to indicate failure.
816			*/
817			PTLS_CALLBACK_TYPE(int, encrypt_ticket, ptls_t tls, int is_encrypt, ptls_buffer_t dst, ptls_iovec_t src);
818			/**
819			* saves a ticket (client-only)
820			*/
821			PTLS_CALLBACK_TYPE(int, save_ticket, ptls_t *tls, ptls_iovec_t input);
822			/**
823			* event logging (incl. secret logging)
824			*/
825			typedef struct st_ptls_log_event_t {
826			void (cb)(struct st_ptls_log_event_t self, ptls_t tls, const char type, const char *fmt, ...)
827			__attribute__((format(printf, 4, 5)));
828			} ptls_log_event_t;
829			/**
830			* reference counting
831			*/
832			PTLS_CALLBACK_TYPE(void, update_open_count, ssize_t delta);
833			/**
834			* applications that have their own record layer can set this function to derive their own traffic keys from the traffic secret.
835			* The cipher-suite that is being associated to the connection can be obtained by calling the ptls_get_cipher function.
836			*/
837			PTLS_CALLBACK_TYPE(int, update_traffic_key, ptls_t tls, int is_enc, size_t epoch, const void secret);
838			/**
839			* callback for every extension detected during decoding
840			*/
841			PTLS_CALLBACK_TYPE(int, on_extension, ptls_t *tls, uint8_t hstype, uint16_t exttype, ptls_iovec_t extdata);
842			/**
843			*
844			*/
845			typedef struct st_ptls_decompress_certificate_t {
846			/**
847			* list of supported algorithms terminated by UINT16_MAX
848			*/
849			const uint16_t *supported_algorithms;
850			/**
851			* callback that decompresses the message
852			*/
853			int (cb)(struct st_ptls_decompress_certificate_t self, ptls_t *tls, uint16_t algorithm, ptls_iovec_t output,
854			ptls_iovec_t input);
855			} ptls_decompress_certificate_t;
856			/**
857			* ECH: creates the AEAD context to be used for "Open"-ing inner CH. Given `config_id`, the callback looks up the ECH config and the
858			* corresponding private key, invokes `ptls_hpke_setup_base_r` with provided `cipher`, `enc`, and `info_prefix` (which will be
859			* "tls ech" \|\| 00).
860			*/
861			PTLS_CALLBACK_TYPE(ptls_aead_context_t , ech_create_opener, ptls_hpke_kem_t kem, ptls_hpke_cipher_suite_t cipher, ptls_t tls,
862			uint8_t config_id, ptls_hpke_cipher_suite_id_t cipher_id, ptls_iovec_t enc, ptls_iovec_t info_prefix);
863
864			/**
865			* the configuration
866			*/
867			struct st_ptls_context_t {
868			/**
869			* PRNG to be used
870			*/
871			void (random_bytes)(void buf, size_t len);
872			/**
873			*
874			*/
875			ptls_get_time_t *get_time;
876			/**
877			* list of supported key-exchange algorithms terminated by NULL
878			*/
879			ptls_key_exchange_algorithm_t **key_exchanges;
880			/**
881			* list of supported cipher-suites terminated by NULL
882			*/
883			ptls_cipher_suite_t **cipher_suites;
884			/**
885			* list of certificates
886			*/
887			struct {
888			ptls_iovec_t *list;
889			size_t count;
890			} certificates;
891			/**
892			* External pre-shared key used for mutual authentication. Unless when using PSK, all the fields must be set to NULL / 0.
893			*/
894			struct {
895			ptls_iovec_t identity;
896			ptls_iovec_t secret;
897			/**
898			* (mandatory) hash algorithm associated to the PSK; cipher-suites not sharing the same `ptls_hash_algorithm_t` will be
899			* ignored
900			*/
901			ptls_hash_algorithm_t *hash;
902			} pre_shared_key;
903			/**
904			* ECH
905			*/
906			struct {
907			struct {
908			/**
909			* list of HPKE symmetric cipher-suites (set to NULL to disable ECH altogether)
910			*/
911			ptls_hpke_cipher_suite_t **ciphers;
912			/**
913			* KEMs being supported
914			*/
915			ptls_hpke_kem_t **kems;
916			} client;
917			struct {
918			/**
919			* callback that does ECDH key exchange and returns the AEAD context
920			*/
921			ptls_ech_create_opener_t *create_opener;
922			/**
923			* ECHConfigList to be sent to the client when there is mismatch (or when the client sends a grease)
924			*/
925			ptls_iovec_t retry_configs;
926			} server;
927			} ech;
928			/**
929			*
930			*/
931			ptls_on_client_hello_t *on_client_hello;
932			/**
933			*
934			*/
935			ptls_emit_certificate_t *emit_certificate;
936			/**
937			*
938			*/
939			ptls_sign_certificate_t *sign_certificate;
940			/**
941			*
942			*/
943			ptls_verify_certificate_t *verify_certificate;
944			/**
945			* lifetime of a session ticket (server-only)
946			*/
947			uint32_t ticket_lifetime;
948			/**
949			* maximum permitted size of early data (server-only)
950			*/
951			uint32_t max_early_data_size;
952			/**
953			* maximum size of the message buffer (default: 0 = unlimited = 3 + 2^24 bytes)
954			*/
955			size_t max_buffer_size;
956			/**
957			* this field is obsolete and ignored
958			*/
959			const char *hkdf_label_prefix__obsolete;
960			/**
961			* if set, psk handshakes use (ec)dhe
962			*/
963			unsigned require_dhe_on_psk : 1;
964			/**
965			* if exporter master secrets should be recorded
966			*/
967			unsigned use_exporter : 1;
968			/**
969			* if ChangeCipherSpec record should be sent during handshake. If the client sends CCS, the server sends one in response
970			* regardless of the value of this flag. See RFC 8446 Appendix D.3.
971			*/
972			unsigned send_change_cipher_spec : 1;
973			/**
974			* if set, the server requests client certificates to authenticate the client
975			*/
976			unsigned require_client_authentication : 1;
977			/**
978			* if set, EOED will not be emitted or accepted
979			*/
980			unsigned omit_end_of_early_data : 1;
981			/**
982			* This option turns on support for Raw Public Keys (RFC 7250).
983			*
984			* When running as a client, this option instructs the client to request the server to send raw public keys in place of X.509
985			* certificate chain. The client should set its `certificate_verify` callback to one that is capable of validating the raw
986			* public key that will be sent by the server.
987			*
988			* When running as a server, this option instructs the server to only handle clients requesting the use of raw public keys. If
989			* the client does not, the handshake is rejected. Note however that the rejection happens only after the `on_client_hello`
990			* callback is being called. Therefore, applications can support both X.509 and raw public keys by swapping `ptls_context_t` to
991			* the correct one when that callback is being called (like handling swapping the contexts based on the value of SNI).
992			*/
993			unsigned use_raw_public_keys : 1;
994			/**
995			* boolean indicating if the cipher-suite should be chosen based on server's preference
996			*/
997			unsigned server_cipher_preference : 1;
998			/**
999			* boolean indicating if ChaCha20-Poly1305 should be reprioritized to the top of the server cipher list if a ChaCha20-Poly1305
1000			* cipher is at the top of the client cipher list
1001			*/
1002			unsigned server_cipher_chacha_priority : 1;
1003			/**
1004			*
1005			*/
1006			ptls_encrypt_ticket_t *encrypt_ticket;
1007			/**
1008			*
1009			*/
1010			ptls_save_ticket_t *save_ticket;
1011			/**
1012			*
1013			*/
1014			ptls_log_event_t *log_event;
1015			/**
1016			*
1017			*/
1018			ptls_update_open_count_t *update_open_count;
1019			/**
1020			*
1021			*/
1022			ptls_update_traffic_key_t *update_traffic_key;
1023			/**
1024			*
1025			*/
1026			ptls_decompress_certificate_t *decompress_certificate;
1027			/**
1028			*
1029			*/
1030			ptls_on_extension_t *on_extension;
1031			/**
1032			* (optional) list of supported tls12 cipher-suites terminated by NULL
1033			*/
1034			ptls_cipher_suite_t **tls12_cipher_suites;
1035			/**
1036			* (optional) session ID Context to segment resumption
1037			*/
1038			struct {
1039			uint8_t bytes[PTLS_SHA256_DIGEST_SIZE];
1040			unsigned is_set : 1;
1041			} ticket_context;
1042			/**
1043			* (optional) list of CAs advertised to clients as supported in the CertificateRequest message; each item must be DNs in DER
1044			* format. The values are sent to the client only when `ptls_context_t::require_client_authentication` is set to true.
1045			*/
1046			struct {
1047			const ptls_iovec_t *list;
1048			size_t count;
1049			} client_ca_names;
1050			/**
1051			* (optional)
1052			*/
1053			struct {
1054			/**
1055			* if set to non-zero and if the save_ticket callback is provided, a ticket_request extension containing the specified
1056			* values is sent
1057			*/
1058			struct {
1059			uint8_t new_session_count;
1060			uint8_t resumption_count;
1061			} client;
1062			/**
1063			* if set to non-zero, the maximum number of tickets being sent is capped to the specifed value; if set to zero, the maximum
1064			* adopted is PTLS_DEFAULT_MAX_TICKETS_TO_SERVE.
1065			*/
1066			struct {
1067			uint8_t max_count;
1068			} server;
1069			} ticket_requests;
1070			};
1071
1072			typedef struct st_ptls_raw_extension_t {
1073			uint16_t type;
1074			ptls_iovec_t data;
1075			} ptls_raw_extension_t;
1076
1077			typedef enum en_ptls_early_data_acceptance_t {
1078			PTLS_EARLY_DATA_ACCEPTANCE_UNKNOWN = 0,
1079			PTLS_EARLY_DATA_REJECTED,
1080			PTLS_EARLY_DATA_ACCEPTED
1081			} ptls_early_data_acceptance_t;
1082
1083			/**
1084			* optional arguments to client-driven handshake
1085			*/
1086			#ifdef _WINDOWS
1087			/* suppress warning C4201: nonstandard extension used: nameless struct/union */
1088			#pragma warning(push)
1089			#pragma warning(disable : 4201)
1090			#endif
1091			typedef struct st_ptls_handshake_properties_t {
1092			union {
1093			struct {
1094			/**
1095			* list of protocols offered through ALPN
1096			*/
1097			struct {
1098			const ptls_iovec_t *list;
1099			size_t count;
1100			} negotiated_protocols;
1101			/**
1102			* session ticket sent to the application via save_ticket callback
1103			*/
1104			ptls_iovec_t session_ticket;
1105			/**
1106			* pointer to store the maximum size of early-data that can be sent immediately. If set to non-NULL, the first call to
1107			* ptls_handshake (or ptls_handle_message) will set `*max_early_data` to the value obtained from the session ticket, or
1108			* to zero if early-data cannot be sent. If NULL, early data will not be used.
1109			*/
1110			size_t *max_early_data_size;
1111			/**
1112			* If early-data has been accepted by peer, or if the state is still unknown. The state changes anytime after handshake
1113			* keys become available. Applications can peek the tri-state variable every time it calls `ptls_hanshake` or
1114			* `ptls_handle_message` to determine the result at the earliest moment. This is an output parameter.
1115			*/
1116			ptls_early_data_acceptance_t early_data_acceptance;
1117			/**
1118			* negotiate the key exchange method before sending key_share
1119			*/
1120			unsigned negotiate_before_key_exchange : 1;
1121			/**
1122			* ECH
1123			*/
1124			struct {
1125			/**
1126			* Config offered by server e.g., by HTTPS RR. If config.base is non-NULL but config.len is zero, a grease ECH will
1127			* be sent, assuming that X25519-SHA256 KEM and SHA256-AES-128-GCM HPKE cipher is available.
1128			*/
1129			ptls_iovec_t configs;
1130			/**
1131			* slot to save the config obtained from server on mismatch; user must free the returned blob by calling `free`
1132			*/
1133			ptls_iovec_t *retry_configs;
1134			} ech;
1135			} client;
1136			struct {
1137			/**
1138			* psk binder being selected (len is set to zero if none)
1139			*/
1140			struct {
1141			uint8_t base[PTLS_MAX_DIGEST_SIZE];
1142			size_t len;
1143			} selected_psk_binder;
1144			/**
1145			* parameters related to use of the Cookie extension
1146			*/
1147			struct {
1148			/**
1149			* HMAC key to protect the integrity of the cookie. The key should be as long as the digest size of the first
1150			* ciphersuite specified in ptls_context_t (i.e. the hash algorithm of the best ciphersuite that can be chosen).
1151			*/
1152			const void *key;
1153			/**
1154			* additional data to be used for verifying the cookie
1155			*/
1156			ptls_iovec_t additional_data;
1157			} cookie;
1158			/**
1159			* if HRR should always be sent
1160			*/
1161			unsigned enforce_retry : 1;
1162			/**
1163			* if retry should be stateless (cookie.key MUST be set when this option is used)
1164			*/
1165			unsigned retry_uses_cookie : 1;
1166			} server;
1167			};
1168			/**
1169			* an optional list of additional extensions to send either in CH or EE, terminated by type == UINT16_MAX
1170			*/
1171			ptls_raw_extension_t *additional_extensions;
1172			/**
1173			* an optional callback that returns a boolean value indicating if a particular extension should be collected
1174			*/
1175			int (collect_extension)(ptls_t tls, struct st_ptls_handshake_properties_t *properties, uint16_t type);
1176			/**
1177			* an optional callback that reports the extensions being collected
1178			*/
1179			int (collected_extensions)(ptls_t tls, struct st_ptls_handshake_properties_t properties, ptls_raw_extension_t extensions);
1180			} ptls_handshake_properties_t;
1181			#ifdef _WINDOWS
1182			#pragma warning(pop)
1183			#endif
1184			#ifdef _WINDOWS
1185			/* suppress warning C4293: >> shift count negative or too big */
1186			#pragma warning(disable : 4293)
1187			#endif
1188			/**
1189			* builds a new ptls_iovec_t instance using the supplied parameters
1190			*/
1191			static ptls_iovec_t ptls_iovec_init(const void *p, size_t len);
1192			/**
1193			* initializes a buffer, setting the default destination to the small buffer provided as the argument.
1194			*/
1195			static void ptls_buffer_init(ptls_buffer_t buf, void smallbuf, size_t smallbuf_size);
1196			/**
1197			* disposes a buffer, freeing resources allocated by the buffer itself (if any)
1198			*/
1199			static void ptls_buffer_dispose(ptls_buffer_t *buf);
1200			/**
1201			* internal
1202			*/
1203			void ptls_buffer__release_memory(ptls_buffer_t *buf);
1204			/**
1205			* reserves space for additional amount of memory
1206			*/
1207			int ptls_buffer_reserve(ptls_buffer_t *buf, size_t delta);
1208			/**
1209			* reserves space for additional amount of memory, requiring `buf->base` to follow specified alignment
1210			*/
1211			int ptls_buffer_reserve_aligned(ptls_buffer_t *buf, size_t delta, uint8_t align_bits);
1212			/**
1213			* internal
1214			*/
1215			int ptls_buffer__do_pushv(ptls_buffer_t buf, const void src, size_t len);
1216			/**
1217			* internal
1218			*/
1219			int ptls_buffer__adjust_quic_blocksize(ptls_buffer_t *buf, size_t body_size);
1220			/**
1221			* internal
1222			*/
1223			int ptls_buffer__adjust_asn1_blocksize(ptls_buffer_t *buf, size_t body_size);
1224			/**
1225			* pushes an unsigned bigint
1226			*/
1227			int ptls_buffer_push_asn1_ubigint(ptls_buffer_t buf, const void bignum, size_t size);
1228			/**
1229			* encodes a quic varint (maximum length is PTLS_ENCODE_QUICINT_CAPACITY)
1230			*/
1231			static uint8_t ptls_encode_quicint(uint8_t p, uint64_t v);
1232			#define PTLS_ENCODE_QUICINT_CAPACITY 8
1233
1234			#define PTLS_QUICINT_MAX 4611686018427387903 // (1 << 62) - 1
1235			#define PTLS_QUICINT_LONGEST_STR "4611686018427387903"
1236
1237			#define ptls_buffer_pushv(buf, src, len) \
1238			do { \
1239			if ((ret = ptls_buffer__do_pushv((buf), (src), (len))) != 0) \
1240			goto Exit; \
1241			} while (0)
1242
1243			#define ptls_buffer_push(buf, ...) \
1244			do { \
1245			if ((ret = ptls_buffer__do_pushv((buf), (uint8_t[]){__VA_ARGS__}, sizeof((uint8_t[]){__VA_ARGS__}))) != 0) \
1246			goto Exit; \
1247			} while (0)
1248
1249			#define ptls_buffer_push16(buf, v) \
1250			do { \
1251			uint16_t _v = (v); \
1252			ptls_buffer_push(buf, (uint8_t)(_v >> 8), (uint8_t)_v); \
1253			} while (0)
1254
1255			#define ptls_buffer_push24(buf, v) \
1256			do { \
1257			uint32_t _v = (v); \
1258			ptls_buffer_push(buf, (uint8_t)(_v >> 16), (uint8_t)(_v >> 8), (uint8_t)_v); \
1259			} while (0)
1260
1261			#define ptls_buffer_push32(buf, v) \
1262			do { \
1263			uint32_t _v = (v); \
1264			ptls_buffer_push(buf, (uint8_t)(_v >> 24), (uint8_t)(_v >> 16), (uint8_t)(_v >> 8), (uint8_t)_v); \
1265			} while (0)
1266
1267			#define ptls_buffer_push64(buf, v) \
1268			do { \
1269			uint64_t _v = (v); \
1270			ptls_buffer_push(buf, (uint8_t)(_v >> 56), (uint8_t)(_v >> 48), (uint8_t)(_v >> 40), (uint8_t)(_v >> 32), \
1271			(uint8_t)(_v >> 24), (uint8_t)(_v >> 16), (uint8_t)(_v >> 8), (uint8_t)_v); \
1272			} while (0)
1273
1274			#define ptls_buffer_push_quicint(buf, v) \
1275			do { \
1276			if ((ret = ptls_buffer_reserve((buf), PTLS_ENCODE_QUICINT_CAPACITY)) != 0) \
1277			goto Exit; \
1278			uint8_t *d = ptls_encode_quicint((buf)->base + (buf)->off, (v)); \
1279			(buf)->off = d - (buf)->base; \
1280			} while (0)
1281
1282			#define ptls_buffer_push_block(buf, _capacity, block) \
1283			do { \
1284			size_t capacity = (_capacity); \
1285			ptls_buffer_pushv((buf), (uint8_t *)"\0\0\0\0\0\0\0", capacity != -1 ? capacity : 1); \
1286			size_t body_start = (buf)->off; \
1287			do { \
1288			block \
1289			} while (0); \
1290			size_t body_size = (buf)->off - body_start; \
1291			if (capacity != -1) { \
1292			if (capacity < sizeof(size_t) && body_size >= (size_t)1 << (capacity * 8)) { \
1293			ret = PTLS_ERROR_BLOCK_OVERFLOW; \
1294			goto Exit; \
1295			} \
1296			for (; capacity != 0; --capacity) \
1297			(buf)->base[body_start - capacity] = (uint8_t)(body_size >> (8 * (capacity - 1))); \
1298			} else { \
1299			if ((ret = ptls_buffer__adjust_quic_blocksize((buf), body_size)) != 0) \
1300			goto Exit; \
1301			} \
1302			} while (0)
1303
1304			#define ptls_buffer_push_asn1_block(buf, block) \
1305			do { \
1306			ptls_buffer_push((buf), 0xff); /* dummy */ \
1307			size_t body_start = (buf)->off; \
1308			do { \
1309			block \
1310			} while (0); \
1311			size_t body_size = (buf)->off - body_start; \
1312			if (body_size < 128) { \
1313			(buf)->base[body_start - 1] = (uint8_t)body_size; \
1314			} else { \
1315			if ((ret = ptls_buffer__adjust_asn1_blocksize((buf), body_size)) != 0) \
1316			goto Exit; \
1317			} \
1318			} while (0)
1319
1320			#define ptls_buffer_push_asn1_sequence(buf, block) \
1321			do { \
1322			ptls_buffer_push((buf), 0x30); \
1323			ptls_buffer_push_asn1_block((buf), block); \
1324			} while (0)
1325
1326			#define ptls_buffer_push_message_body(buf, key_sched, type, block) \
1327			do { \
1328			ptls_buffer_t *_buf = (buf); \
1329			ptls_key_schedule_t *_key_sched = (key_sched); \
1330			size_t mess_start = _buf->off; \
1331			ptls_buffer_push(_buf, (type)); \
1332			ptls_buffer_push_block(_buf, 3, block); \
1333			if (_key_sched != NULL) \
1334			ptls__key_schedule_update_hash(_key_sched, _buf->base + mess_start, _buf->off - mess_start, 0); \
1335			} while (0)
1336
1337			#define ptls_push_message(emitter, key_sched, type, block) \
1338			do { \
1339			ptls_message_emitter_t *_emitter = (emitter); \
1340			if ((ret = _emitter->begin_message(_emitter)) != 0) \
1341			goto Exit; \
1342			ptls_buffer_push_message_body(_emitter->buf, (key_sched), (type), block); \
1343			if ((ret = _emitter->commit_message(_emitter)) != 0) \
1344			goto Exit; \
1345			} while (0)
1346
1347			int ptls_decode8(uint8_t value, const uint8_t src, const uint8_t end);
1348			int ptls_decode16(uint16_t value, const uint8_t src, const uint8_t end);
1349			int ptls_decode24(uint32_t value, const uint8_t src, const uint8_t end);
1350			int ptls_decode32(uint32_t value, const uint8_t src, const uint8_t end);
1351			int ptls_decode64(uint64_t value, const uint8_t src, const uint8_t end);
1352			uint64_t ptls_decode_quicint(const uint8_t *src, const uint8_t end);
1353
1354			#define ptls_decode_open_block(src, end, capacity, block) \
1355			do { \
1356			size_t _capacity = (capacity); \
1357			size_t _block_size; \
1358			if (_capacity == -1) { \
1359			uint64_t _block_size64; \
1360			const uint8_t *_src = (src); \
1361			if ((_block_size64 = ptls_decode_quicint(&_src, end)) == UINT64_MAX \|\| \
1362			(sizeof(size_t) < 8 && (_block_size64 >> (8 * sizeof(size_t))) != 0)) { \
1363			ret = PTLS_ALERT_DECODE_ERROR; \
1364			goto Exit; \
1365			} \
1366			(src) = _src; \
1367			_block_size = (size_t)_block_size64; \
1368			} else { \
1369			if (_capacity > (size_t)(end - (src))) { \
1370			ret = PTLS_ALERT_DECODE_ERROR; \
1371			goto Exit; \
1372			} \
1373			_block_size = 0; \
1374			do { \
1375			_block_size = _block_size << 8 \| *(src)++; \
1376			} while (--_capacity != 0); \
1377			} \
1378			if (_block_size > (size_t)(end - (src))) { \
1379			ret = PTLS_ALERT_DECODE_ERROR; \
1380			goto Exit; \
1381			} \
1382			do { \
1383			const uint8_t *const end = (src) + _block_size; \
1384			do { \
1385			block \
1386			} while (0); \
1387			if ((src) != end) { \
1388			ret = PTLS_ALERT_DECODE_ERROR; \
1389			goto Exit; \
1390			} \
1391			} while (0); \
1392			} while (0)
1393
1394			#define ptls_decode_assert_block_close(src, end) \
1395			do { \
1396			if ((src) != end) { \
1397			ret = PTLS_ALERT_DECODE_ERROR; \
1398			goto Exit; \
1399			} \
1400			} while (0);
1401
1402			#define ptls_decode_block(src, end, capacity, block) \
1403			do { \
1404			ptls_decode_open_block((src), end, capacity, block); \
1405			ptls_decode_assert_block_close((src), end); \
1406			} while (0)
1407
1408			#if PTLS_HAVE_LOG
1409			#define PTLS_LOG__DO_LOG(module, name, conn_state, get_sni, get_sni_arg, add_time, block) \
1410			do { \
1411			int ptlslog_include_appdata = 0; \
1412			do { \
1413			ptls_log__do_write_start(&logpoint, (add_time)); \
1414			do { \
1415			block \
1416			} while (0); \
1417			ptlslog_include_appdata = \
1418			ptls_log__do_write_end(&logpoint, (conn_state), (get_sni), (get_sni_arg), ptlslog_include_appdata); \
1419			} while (PTLS_UNLIKELY(ptlslog_include_appdata)); \
1420			} while (0)
1421			#else
1422			#define PTLS_LOG__DO_LOG(module, name, conn_state, get_sni, get_sni_arg, add_time, block) /* don't generate code */
1423			#endif
1424
1425			#define PTLS_LOG_DEFINE_POINT(_module, _name, _var) \
1426			static struct st_ptls_log_point_t _var = {.name = PTLS_TO_STR(_module) ":" PTLS_TO_STR(_name)}
1427
1428			#define PTLS_LOG(module, name, block) \
1429			do { \
1430			PTLS_LOG_DEFINE_POINT(module, name, logpoint); \
1431			if (PTLS_LIKELY(ptls_log_point_maybe_active(&logpoint) == 0)) \
1432			break; \
1433			PTLS_LOG__DO_LOG(module, name, NULL, NULL, NULL, 1, {block}); \
1434			} while (0)
1435
1436			#define PTLS_LOG_CONN(name, tls, block) \
1437			do { \
1438			PTLS_LOG_DEFINE_POINT(picotls, name, logpoint); \
1439			uint32_t active = ptls_log_point_maybe_active(&logpoint); \
1440			if (PTLS_LIKELY(active == 0)) \
1441			break; \
1442			ptls_t *_tls = (tls); \
1443			ptls_log_conn_state_t *conn_state = ptls_get_log_state(_tls); \
1444			active &= ptls_log_conn_maybe_active(conn_state, (const char ()(void *))ptls_get_server_name, _tls); \
1445			if (PTLS_LIKELY(active == 0)) \
1446			break; \
1447			PTLS_LOG__DO_LOG(picotls, name, conn_state, (const char ()(void *))ptls_get_server_name, _tls, 1, { \
1448			PTLS_LOG_ELEMENT_PTR(tls, _tls); \
1449			do { \
1450			block \
1451			} while (0); \
1452			}); \
1453			} while (0)
1454
1455			#define PTLS_LOG__ELEMENT_PREFIX_CORE(lit) ",\"" lit "\":"
1456			#define PTLS_LOG__ELEMENT_PREFIX(lit) PTLS_LOG__ELEMENT_PREFIX_CORE(lit), sizeof(PTLS_LOG__ELEMENT_PREFIX_CORE(lit)) - 1
1457			#define PTLS_LOG_ELEMENT_SAFESTR(name, value) \
1458			do { \
1459			const char *value_ = (value); \
1460			ptls_log__do_push_element_safestr(PTLS_LOG__ELEMENT_PREFIX(PTLS_TO_STR(name)), (value_), strlen(value_)); \
1461			} while (0)
1462			#define PTLS_LOG_ELEMENT_UNSAFESTR(name, value, value_len) \
1463			ptls_log__do_push_element_unsafestr(PTLS_LOG__ELEMENT_PREFIX(PTLS_TO_STR(name)), (value), (value_len))
1464			#define PTLS_LOG_ELEMENT_HEXDUMP(name, value, value_len) \
1465			ptls_log__do_push_element_hexdump(PTLS_LOG__ELEMENT_PREFIX(PTLS_TO_STR(name)), (value), (value_len))
1466			#define PTLS_LOG_ELEMENT_PTR(name, value) PTLS_LOG_ELEMENT_UNSIGNED(name, (uint64_t)(value))
1467			#define PTLS_LOG_ELEMENT_SIGNED(name, value) \
1468			do { \
1469			if (sizeof(value) <= sizeof(int32_t)) { \
1470			ptls_log__do_push_element_signed32(PTLS_LOG__ELEMENT_PREFIX(PTLS_TO_STR(name)), (value)); \
1471			} else { \
1472			ptls_log__do_push_element_signed64(PTLS_LOG__ELEMENT_PREFIX(PTLS_TO_STR(name)), (value)); \
1473			} \
1474			} while (0)
1475			#define PTLS_LOG__DO_ELEMENT_UNSIGNED(lit, value) \
1476			do { \
1477			if (sizeof(value) <= sizeof(uint32_t)) { \
1478			ptls_log__do_push_element_unsigned32(PTLS_LOG__ELEMENT_PREFIX(lit), (value)); \
1479			} else { \
1480			ptls_log__do_push_element_unsigned64(PTLS_LOG__ELEMENT_PREFIX(lit), (value)); \
1481			} \
1482			} while (0)
1483			#define PTLS_LOG_ELEMENT_UNSIGNED(name, value) PTLS_LOG__DO_ELEMENT_UNSIGNED(PTLS_TO_STR(name), (value))
1484			#define PTLS_LOG_ELEMENT_BOOL(name, value) ptls_log__do_push_element_bool(PTLS_LOG__ELEMENT_PREFIX(PTLS_TO_STR(name)), (value))
1485			#define PTLS_LOG_APPDATA_ELEMENT_UNSAFESTR(name, value, value_len) \
1486			do { \
1487			if (ptlslog_include_appdata) \
1488			PTLS_LOG_ELEMENT_UNSAFESTR(name, value, value_len); \
1489			PTLS_LOG__DO_ELEMENT_UNSIGNED(PTLS_TO_STR(name) "_len", value_len); \
1490			} while (0)
1491			#define PTLS_LOG_APPDATA_ELEMENT_HEXDUMP(name, value, value_len) \
1492			do { \
1493			if (ptlslog_include_appdata) \
1494			PTLS_LOG_ELEMENT_HEXDUMP(name, value, value_len); \
1495			PTLS_LOG__DO_ELEMENT_UNSIGNED(PTLS_TO_STR(name) "_len", value_len); \
1496			} while (0)
1497
1498			/**
1499			* retains a list of connections that are bound to the object
1500			*/
1501			struct st_ptls_log_state_t {
1502			/**
1503			* bit array of connections (1 is active)
1504			*/
1505			uint32_t active_conns;
1506			/**
1507			* generation counter used for staleness check; see `ptls_log._generation`
1508			*/
1509			uint64_t generation;
1510			};
1511
1512			/**
1513			* represents a log point identified by name (`module:type`)
1514			*/
1515			struct st_ptls_log_point_t {
1516			const char *name;
1517			struct st_ptls_log_state_t state;
1518			};
1519
1520			/**
1521			* represents a logging state of each connection
1522			*/
1523			typedef struct st_ptls_log_conn_state_t {
1524			/**
1525			* random value between 0 (inclusive) and 1 (non-inclusive) used to determine the ratio of sampling-based logging; see
1526			* `ptls_add_fd'`. To disable logging entirely, use `ptls_log.dummy_conn_state`, or set the value exactly to 1.
1527			*/
1528			float random_;
1529			/**
1530			* represents the peer address using ipv6; ipv4 addresses are stored using the mapped form (::ffff:192.0.2.1)
1531			*/
1532			uint8_t address[16];
1533			struct st_ptls_log_state_t state;
1534			} ptls_log_conn_state_t;
1535
1536			/**
1537			* see `ptls_get_log_state`
1538			*/
1539			extern PTLS_THREADLOCAL ptls_log_conn_state_t *ptls_log_conn_state_override;
1540
1541			/**
1542			* global variables exposed
1543			*/
1544			extern struct st_ptls_log_t {
1545			/**
1546			* if application-data (e.g., payload) should be emitted as well
1547			*/
1548			volatile unsigned may_include_appdata : 1;
1549			/**
1550			* endpoints that want to disable logging entirely can provide this value to the loggers
1551			*/
1552			ptls_log_conn_state_t dummy_conn_state;
1553			/**
1554			* generation counter that is incremented whenever the state of loggers change; see `st_ptls_log_state_t::generation`
1555			*/
1556			volatile uint64_t _generation;
1557			} ptls_log;
1558
1559			/**
1560			* initializes a ptls_log_conn_state_t
1561			*/
1562			void ptls_log_init_conn_state(ptls_log_conn_state_t state, void (random_bytes)(void *, size_t));
1563			/**
1564			* forces recalculation of the log state (should be called when SNI is determined)
1565			*/
1566			static void ptls_log_recalc_conn_state(ptls_log_conn_state_t *state);
1567			/**
1568			* returns a bitmap indicating the loggers active for given log point
1569			*/
1570			static uint32_t ptls_log_point_maybe_active(struct st_ptls_log_point_t *point);
1571			/**
1572			* returns a bitmap indicating the loggers active for given connection
1573			*/
1574			static uint32_t ptls_log_conn_maybe_active(ptls_log_conn_state_t conn, const char (get_sni)(void ), void *get_sni_arg);
1575
1576			/**
1577			* Returns the number of log events that were unable to be emitted.
1578			*/
1579			size_t ptls_log_num_lost(void);
1580			/**
1581			* Registers an fd to the logger. A registered fd is automatically closed and removed when it is closed by the peer.
1582			* @param sample_ratio sampling ratio between 0 and 1
1583			* @param points list of points to log, in the form of p1\0p2\0\0 (i.e., concatenated list of C strings with an empty string
1584			* marking the end). An empty list means attach to all.
1585			* @param snis list of SNIs to log, using the same form as points
1586			* @param addresses list of IPv4/v6 addresses to log, using the same form as points
1587			*/
1588			int ptls_log_add_fd(int fd, float sample_ratio, const char points, const char snis, const char *addresses, int appdata);
1589
1590			void ptls_log__recalc_point(int caller_locked, struct st_ptls_log_point_t *point);
1591			void ptls_log__recalc_conn(int caller_locked, struct st_ptls_log_conn_state_t conn, const char (get_sni)(void ),
1592			void *get_sni_arg);
1593			void ptls_log__do_push_element_safestr(const char prefix, size_t prefix_len, const char s, size_t l);
1594			void ptls_log__do_push_element_unsafestr(const char prefix, size_t prefix_len, const char s, size_t l);
1595			void ptls_log__do_push_element_hexdump(const char prefix, size_t prefix_len, const void s, size_t l);
1596			void ptls_log__do_push_element_signed32(const char *prefix, size_t prefix_len, int32_t v);
1597			void ptls_log__do_push_element_signed64(const char *prefix, size_t prefix_len, int64_t v);
1598			void ptls_log__do_push_element_unsigned32(const char *prefix, size_t prefix_len, uint32_t v);
1599			void ptls_log__do_push_element_unsigned64(const char *prefix, size_t prefix_len, uint64_t v);
1600			void ptls_log__do_push_element_bool(const char *prefix, size_t prefix_len, int v);
1601			void ptls_log__do_push_appdata_element_unsafestr(int includes_appdata, const char prefix, size_t prefix_len, const char s,
1602			size_t l);
1603			void ptls_log__do_push_appdata_element_hexdump(int includes_appdata, const char prefix, size_t prefix_len, const void s,
1604			size_t l);
1605			void ptls_log__do_write_start(struct st_ptls_log_point_t *point, int add_time);
1606			int ptls_log__do_write_end(struct st_ptls_log_point_t point, struct st_ptls_log_conn_state_t conn, const char (get_sni)(void *),
1607			void *get_sni_arg, int includes_appdata);
1608
1609			/**
1610			* create a client object to handle new TLS connection
1611			*/
1612			ptls_t ptls_client_new(ptls_context_t ctx);
1613			/**
1614			* create a server object to handle new TLS connection
1615			*/
1616			ptls_t ptls_server_new(ptls_context_t ctx);
1617			/**
1618			* creates an object handle new TLS connection
1619			*/
1620			static ptls_t ptls_new(ptls_context_t ctx, int is_server);
1621			/**
1622			* creates TLS 1.2 record layer for post-handshake communication
1623			*/
1624			int ptls_build_tls12_export_params(ptls_context_t ctx, ptls_buffer_t output, int is_server, int session_reused,
1625			ptls_cipher_suite_t cipher, const void master_secret, const void *hello_randoms,
1626			uint64_t next_send_record_iv, const char *server_name, ptls_iovec_t negotiated_protocol);
1627			/**
1628			* store the parameters of a post-handshake TLS connection so that it can be reconstructed later
1629			*/
1630			int ptls_export(ptls_t tls, ptls_buffer_t output);
1631			/**
1632			* create a post-handshake TLS connection object using given parameters
1633			*/
1634			int ptls_import(ptls_context_t ctx, ptls_t *tls, ptls_iovec_t params);
1635			/**
1636			* releases all resources associated to the object
1637			*/
1638			void ptls_free(ptls_t *tls);
1639			/**
1640			* returns address of the crypto callbacks that the connection is using
1641			*/
1642			ptls_context_t ptls_get_context(ptls_t tls);
1643			/**
1644			* updates the context of a connection. Can be called from `on_client_hello` callback.
1645			*/
1646			void ptls_set_context(ptls_t tls, ptls_context_t ctx);
1647			/**
1648			* get the signature context
1649			*/
1650			ptls_async_job_t ptls_get_async_job(ptls_t tls);
1651			/**
1652			* returns the client-random
1653			*/
1654			ptls_iovec_t ptls_get_client_random(ptls_t *tls);
1655			/**
1656			* returns the cipher-suite being used
1657			*/
1658			ptls_cipher_suite_t ptls_get_cipher(ptls_t tls);
1659			/**
1660			* returns a supported cipher-suite given an id
1661			*/
1662			ptls_cipher_suite_t ptls_find_cipher_suite(ptls_cipher_suite_t *cipher_suites, uint16_t id);
1663			/**
1664			* Returns protocol version (e.g., 0x0303 for TLS 1.2, 0x0304 for TLS 1.3). The result may be unstable prior to handshake
1665			* completion.
1666			*/
1667			uint16_t ptls_get_protocol_version(ptls_t *tls);
1668			/**
1669			* Returns current state of traffic keys. The cipher-suite being used, as well as the length of the traffic keys, can be obtained
1670			* via `ptls_get_cipher`.
1671			* TODO: Even in case of offloading just the TX side, there should be API for handling key updates, sending Close aleart.
1672			*/
1673			int ptls_get_traffic_keys(ptls_t tls, int is_enc, uint8_t key, uint8_t iv, uint64_t seq);
1674			/**
1675			* returns the server-name (NULL if SNI is not used or failed to negotiate)
1676			*/
1677			const char ptls_get_server_name(ptls_t tls);
1678			/**
1679			* sets the server-name associated to the TLS connection. If server_name_len is zero, then strlen(server_name) is called to
1680			* determine the length of the name.
1681			* On the client-side, the value is used for certificate validation. The value will be also sent as an SNI extension, if it looks
1682			* like a DNS name.
1683			* On the server-side, it can be called from on_client_hello to indicate the acceptance of the SNI extension to the client.
1684			*/
1685			int ptls_set_server_name(ptls_t tls, const char server_name, size_t server_name_len);
1686			/**
1687			* returns the negotiated protocol (or NULL)
1688			*/
1689			const char ptls_get_negotiated_protocol(ptls_t tls);
1690			/**
1691			* sets the negotiated protocol. If protocol_len is zero, strlen(protocol) is called to determine the length of the protocol name.
1692			*/
1693			int ptls_set_negotiated_protocol(ptls_t tls, const char protocol, size_t protocol_len);
1694			/**
1695			* returns if the handshake has been completed
1696			*/
1697			int ptls_handshake_is_complete(ptls_t *tls);
1698			/**
1699			* returns if a PSK (or PSK-DHE) handshake was performed
1700			*/
1701			int ptls_is_psk_handshake(ptls_t *tls);
1702			/**
1703			* return if a ECH handshake was performed, as well as optionally the kem and cipher-suite being used
1704			* FIXME: this function always return false when the TLS session is exported and imported
1705			*/
1706			int ptls_is_ech_handshake(ptls_t tls, uint8_t config_id, ptls_hpke_kem_t kem, ptls_hpke_cipher_suite_t cipher);
1707			/**
1708			* returns a pointer to user data pointer (client is reponsible for freeing the associated data prior to calling ptls_free)
1709			*/
1710			void *ptls_get_data_ptr(ptls_t tls);
1711			/**
1712			* Returns `ptls_log_conn_state_t` of `ptls_t`. By default, the state is initialized by calling `ptls_log_init_conn_state`, but the
1713			* behavior can be overidden by setting `ptls_log_conn_state_override`.
1714			* This value can be changed by setting `ptls_log_random_override` or by calling `ptls_set_log_random`.
1715			*/
1716			ptls_log_conn_state_t ptls_get_log_state(ptls_t tls);
1717			/**
1718			* proceeds with the handshake, optionally taking some input from peer. The function returns zero in case the handshake completed
1719			* successfully. PTLS_ERROR_IN_PROGRESS is returned in case the handshake is incomplete. Otherwise, an error value is returned. The
1720			* contents of sendbuf should be sent to the client, regardless of whether if an error is returned. inlen is an argument used for
1721			* both input and output. As an input, the arguments takes the size of the data available as input. Upon return the value is updated
1722			* to the number of bytes consumed by the handshake. In case the returned value is PTLS_ERROR_IN_PROGRESS there is a guarantee that
1723			* all the input are consumed (i.e. the value of inlen does not change).
1724			*/
1725			int ptls_handshake(ptls_t tls, ptls_buffer_t sendbuf, const void input, size_t inlen, ptls_handshake_properties_t *args);
1726			/**
1727			* decrypts the first record within given buffer
1728			*/
1729			int ptls_receive(ptls_t tls, ptls_buffer_t plaintextbuf, const void input, size_t len);
1730			/**
1731			* encrypts given buffer into multiple TLS records
1732			*/
1733			int ptls_send(ptls_t tls, ptls_buffer_t sendbuf, const void *input, size_t inlen);
1734			/**
1735			* updates the send traffic key (as well as asks the peer to update)
1736			*/
1737			int ptls_update_key(ptls_t *tls, int request_update);
1738			/**
1739			* Returns if the context is a server context.
1740			*/
1741			int ptls_is_server(ptls_t *tls);
1742			/**
1743			* returns per-record overhead
1744			*/
1745			size_t ptls_get_record_overhead(ptls_t *tls);
1746			/**
1747			* sends an alert
1748			*/
1749			int ptls_send_alert(ptls_t tls, ptls_buffer_t sendbuf, uint8_t level, uint8_t description);
1750			/**
1751			*
1752			*/
1753			int ptls_export_secret(ptls_t tls, void output, size_t outlen, const char *label, ptls_iovec_t context_value, int is_early);
1754			/**
1755			* build the body of a Certificate message. Can be called with tls set to NULL in order to create a precompressed message.
1756			*/
1757			int ptls_build_certificate_message(ptls_buffer_t buf, ptls_iovec_t request_context, ptls_iovec_t certificates,
1758			size_t num_certificates, ptls_iovec_t ocsp_status);
1759			/**
1760			*
1761			*/
1762			int ptls_calc_hash(ptls_hash_algorithm_t algo, void output, const void *src, size_t len);
1763			/**
1764			*
1765			*/
1766			ptls_hash_context_t ptls_hmac_create(ptls_hash_algorithm_t algo, const void *key, size_t key_size);
1767			/**
1768			*
1769			*/
1770			int ptls_hkdf_extract(ptls_hash_algorithm_t hash, void output, ptls_iovec_t salt, ptls_iovec_t ikm);
1771			/**
1772			*
1773			*/
1774			int ptls_hkdf_expand(ptls_hash_algorithm_t hash, void output, size_t outlen, ptls_iovec_t prk, ptls_iovec_t info);
1775			/**
1776			*
1777			*/
1778			int ptls_hkdf_expand_label(ptls_hash_algorithm_t algo, void output, size_t outlen, ptls_iovec_t secret, const char *label,
1779			ptls_iovec_t hash_value, const char *label_prefix);
1780			/**
1781			* The expansion function of TLS 1.2 defined in RFC 5426 section 5. When `label` is NULL, acts as P_, or if non-NULL, as PRF.
1782			*/
1783			int ptls_tls12_phash(ptls_hash_algorithm_t algo, void output, size_t outlen, ptls_iovec_t secret, const char *label,
1784			ptls_iovec_t seed);
1785			/**
1786			* instantiates a symmetric cipher
1787			*/
1788			ptls_cipher_context_t ptls_cipher_new(ptls_cipher_algorithm_t algo, int is_enc, const void *key);
1789			/**
1790			* destroys a symmetric cipher
1791			*/
1792			void ptls_cipher_free(ptls_cipher_context_t *ctx);
1793			/**
1794			* initializes the IV; this function must be called prior to calling ptls_cipher_encrypt
1795			*/
1796			static void ptls_cipher_init(ptls_cipher_context_t ctx, const void iv);
1797			/**
1798			* Encrypts given text. The function must be used in a way that the output length would be equal to the input length. For example,
1799			* when using a block cipher in ECB mode, `len` must be a multiple of the block size when using a block cipher. The length can be
1800			* of any value when using a stream cipher or a block cipher in CTR mode.
1801			*/
1802			static void ptls_cipher_encrypt(ptls_cipher_context_t ctx, void output, const void *input, size_t len);
1803			/**
1804			* instantiates an AEAD cipher given a secret, which is expanded using hkdf to a set of key and iv
1805			* @param aead
1806			* @param hash
1807			* @param is_enc 1 if creating a context for encryption, 0 if creating a context for decryption
1808			* @param secret the secret. The size must be the digest length of the hash algorithm
1809			* @return pointer to an AEAD context if successful, otherwise NULL
1810			*/
1811			ptls_aead_context_t ptls_aead_new(ptls_aead_algorithm_t aead, ptls_hash_algorithm_t hash, int is_enc, const void secret,
1812			const char *label_prefix);
1813			/**
1814			* instantiates an AEAD cipher given key and iv
1815			* @param aead
1816			* @param is_enc 1 if creating a context for encryption, 0 if creating a context for decryption
1817			* @return pointer to an AEAD context if successful, otherwise NULL
1818			*/
1819			ptls_aead_context_t ptls_aead_new_direct(ptls_aead_algorithm_t aead, int is_enc, const void key, const void iv);
1820			/**
1821			* destroys an AEAD cipher context
1822			*/
1823			void ptls_aead_free(ptls_aead_context_t *ctx);
1824			/**
1825			* Permutes the static IV by applying given bytes using bit-wise XOR. This API can be used for supplying nonces longer than 64-
1826			* bits.
1827			*/
1828			void ptls_aead_xor_iv(ptls_aead_context_t ctx, const void bytes, size_t len);
1829			static void ptls_aead_get_iv(ptls_aead_context_t ctx, void iv);
1830			static void ptls_aead_set_iv(ptls_aead_context_t ctx, const void iv);
1831			/**
1832			* Encrypts one AEAD block, given input and output vectors.
1833			*/
1834			static size_t ptls_aead_encrypt(ptls_aead_context_t ctx, void output, const void *input, size_t inlen, uint64_t seq,
1835			const void *aad, size_t aadlen);
1836			/**
1837			* Encrypts one AEAD block, as well as one block of ECB (for QUIC / DTLS packet number encryption). Depending on the AEAD engine
1838			* being used, the two operations might run simultaneously.
1839			*/
1840			static void ptls_aead_encrypt_s(ptls_aead_context_t ctx, void output, const void *input, size_t inlen, uint64_t seq,
1841			const void aad, size_t aadlen, ptls_aead_supplementary_encryption_t supp);
1842			/**
1843			* Encrypts one AEAD block, given a vector of vectors.
1844			*/
1845			static void ptls_aead_encrypt_v(ptls_aead_context_t ctx, void output, ptls_iovec_t *input, size_t incnt, uint64_t seq,
1846			const void *aad, size_t aadlen);
1847			/**
1848			* Obsolete; new applications should use one of: `ptls_aead_encrypt`, `ptls_aead_encrypt_s`, `ptls_aead_encrypt_v`.
1849			*/
1850			static void ptls_aead_encrypt_init(ptls_aead_context_t ctx, uint64_t seq, const void aad, size_t aadlen);
1851			/**
1852			* Obsolete; see `ptls_aead_encrypt_init`.
1853			*/
1854			static size_t ptls_aead_encrypt_update(ptls_aead_context_t ctx, void output, const void *input, size_t inlen);
1855			/**
1856			* Obsolete; see `ptls_aead_encrypt_init`.
1857			*/
1858			static size_t ptls_aead_encrypt_final(ptls_aead_context_t ctx, void output);
1859			/**
1860			* decrypts an AEAD record
1861			* @return number of bytes emitted to output if successful, or SIZE_MAX if the input is invalid (e.g. broken MAC)
1862			*/
1863			static size_t ptls_aead_decrypt(ptls_aead_context_t ctx, void output, const void *input, size_t inlen, uint64_t seq,
1864			const void *aad, size_t aadlen);
1865			/**
1866			* Return the current read epoch (i.e., that of the message being received or to be)
1867			*/
1868			size_t ptls_get_read_epoch(ptls_t *tls);
1869			/**
1870			* Runs the handshake by dealing directly with handshake messages. Callers MUST delay supplying input to this function until the
1871			* epoch of the input becomes equal to the value returned by `ptls_get_read_epoch()`.
1872			* @param tls the TLS context
1873			* @param sendbuf buffer to which the output will be written
1874			* @param epoch_offsets start and end offset of the messages in each epoch. For example, when the server emits ServerHello between
1875			* offset 0 and 38, the following handshake messages between offset 39 and 348, and a post-handshake message
1876			* between 349 and 451, epoch_offsets will be {0,39,39,349,452} and the length of the sendbuf will be 452.
1877			* This argument is an I/O argument. Applications can either reset sendbuf to empty and epoch_offsets and to
1878			* all zero every time they invoke the function, or retain the values until the handshake completes so that
1879			* data will be appended to sendbuf and epoch_offsets will be adjusted.
1880			* @param in_epoch epoch of the input
1881			* @param input input bytes (must be NULL when starting the handshake on the client side)
1882			* @param inlen length of the input
1883			* @param properties properties specific to the running handshake
1884			* @return same as `ptls_handshake`
1885			*/
1886			int ptls_handle_message(ptls_t tls, ptls_buffer_t sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input,
1887			size_t inlen, ptls_handshake_properties_t *properties);
1888			int ptls_client_handle_message(ptls_t tls, ptls_buffer_t sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input,
1889			size_t inlen, ptls_handshake_properties_t *properties);
1890			int ptls_server_handle_message(ptls_t tls, ptls_buffer_t sendbuf, size_t epoch_offsets[5], size_t in_epoch, const void *input,
1891			size_t inlen, ptls_handshake_properties_t *properties);
1892			/**
1893			* internal
1894			*/
1895			void ptls_aead__build_iv(ptls_aead_algorithm_t algo, uint8_t iv, const uint8_t *static_iv, uint64_t seq);
1896			/**
1897			*
1898			*/
1899			static void ptls_aead__do_encrypt(ptls_aead_context_t ctx, void output, const void *input, size_t inlen, uint64_t seq,
1900			const void aad, size_t aadlen, ptls_aead_supplementary_encryption_t supp);
1901			/**
1902			*
1903			*/
1904			static void ptls_aead__do_encrypt_v(ptls_aead_context_t ctx, void _output, ptls_iovec_t *input, size_t incnt, uint64_t seq,
1905			const void *aad, size_t aadlen);
1906			/**
1907			* internal
1908			*/
1909			void ptls__key_schedule_update_hash(ptls_key_schedule_t sched, const uint8_t msg, size_t msglen, int use_outer);
1910			/**
1911			* clears memory
1912			*/
1913			extern void (volatile ptls_clear_memory)(void p, size_t len);
1914			/**
1915			* constant-time memcmp
1916			*/
1917			extern int (volatile ptls_mem_equal)(const void x, const void *y, size_t len);
1918			/**
1919			* checks if a server name is an IP address.
1920			*/
1921			int ptls_server_name_is_ipaddr(const char *name);
1922			/**
1923			* encodes one ECH Config
1924			*/
1925			int ptls_ech_encode_config(ptls_buffer_t buf, uint8_t config_id, ptls_hpke_kem_t kem, ptls_iovec_t public_key,
1926			ptls_hpke_cipher_suite_t *ciphers, uint8_t max_name_length, const char public_name);
1927			/**
1928			* loads a certificate chain to ptls_context_t::certificates. `certificate.list` and each element of the list is allocated by
1929			* malloc. It is the responsibility of the user to free them when discarding the TLS context.
1930			*/
1931			int ptls_load_certificates(ptls_context_t ctx, char const cert_pem_file);
1932			/**
1933			* SetupBaseS function of RFC 9180. Given `kem`, `algo`, `info`, and receiver's public key, returns an ephemeral public key and an
1934			* AEAD context used for encrypting data.
1935			*/
1936			int ptls_hpke_setup_base_s(ptls_hpke_kem_t kem, ptls_hpke_cipher_suite_t cipher, ptls_iovec_t pk_s, ptls_aead_context_t *ctx,
1937			ptls_iovec_t pk_r, ptls_iovec_t info);
1938			/**
1939			* SetupBaseR function of RFC 9180. Given `kem`, `algo`, `info`, receiver's private key (`keyex`), and the esnder's public key,
1940			* returns the AEAD context to be used for decrypting data.
1941			*/
1942			int ptls_hpke_setup_base_r(ptls_hpke_kem_t kem, ptls_hpke_cipher_suite_t cipher, ptls_key_exchange_context_t *keyex,
1943			ptls_aead_context_t **ctx, ptls_iovec_t pk_s, ptls_iovec_t info);
1944			/**
1945			*
1946			*/
1947			char ptls_hexdump(char dst, const void *src, size_t len);
1948			/**
1949			* Builds a JSON-safe string without double quotes. Supplied buffer MUST be at least 6x + 1 bytes larger than the input.
1950			*/
1951			char ptls_jsonescape(char buf, const char *s, size_t len);
1952			/**
1953			* Builds a v4-mapped address (i.e., ::ffff:192.0.2.1). The v4 address must be in big-endian.
1954			*/
1955			void ptls_build_v4_mapped_v6_address(void v6, const void v4);
1956
1957			/**
1958			* the default get_time callback
1959			*/
1960			extern ptls_get_time_t ptls_get_time;
1961			/**
1962			* default hash clone function that calls memcpy
1963			*/
1964			static void ptls_hash_clone_memcpy(void dst, const void src, size_t size);
1965
1966			/* inline functions */
1967
1968			inline uint32_t ptls_log_point_maybe_active(struct st_ptls_log_point_t *point)
1969			{
1970			#if PTLS_HAVE_LOG
1971			if (PTLS_UNLIKELY(point->state.generation != ptls_log._generation))
1972			ptls_log__recalc_point(0, point);
1973			return point->state.active_conns;
1974			#else
1975			return 0;
1976			#endif
1977			}
1978
1979			inline void ptls_log_recalc_conn_state(ptls_log_conn_state_t *state)
1980			{
1981			state->state.generation = 0;
1982			}
1983
1984			inline uint32_t ptls_log_conn_maybe_active(ptls_log_conn_state_t conn, const char (get_sni)(void ), void *get_sni_arg)
1985			{
1986			#if PTLS_HAVE_LOG
1987			if (PTLS_UNLIKELY(conn->state.generation != ptls_log._generation))
1988			ptls_log__recalc_conn(0, conn, get_sni, get_sni_arg);
1989			return conn->state.active_conns;
1990			#else
1991			return 0;
1992			#endif
1993			}
1994
1995	59		inline ptls_t ptls_new(ptls_context_t ctx, int is_server)
1996			{
1997	59	50	return is_server ? ptls_server_new(ctx) : ptls_client_new(ctx);
1998			}
1999
2000			inline ptls_iovec_t ptls_iovec_init(const void *p, size_t len)
2001			{
2002			/* avoid the "return (ptls_iovec_t){(uint8_t *)p, len};" construct because it requires C99
2003			* and triggers a warning "C4204: nonstandard extension used: non-constant aggregate initializer"
2004			* in Visual Studio */
2005			ptls_iovec_t r;
2006			r.base = (uint8_t *)p;
2007			r.len = len;
2008			return r;
2009			}
2010
2011	871		inline void ptls_buffer_init(ptls_buffer_t buf, void smallbuf, size_t smallbuf_size)
2012			{
2013			assert(smallbuf != NULL);
2014	871		buf->base = (uint8_t *)smallbuf;
2015	871		buf->off = 0;
2016	871		buf->capacity = smallbuf_size;
2017	871		buf->is_allocated = 0;
2018	871		buf->align_bits = 0;
2019	871		}
2020
2021	1392		inline void ptls_buffer_dispose(ptls_buffer_t *buf)
2022			{
2023	1392		ptls_buffer__release_memory(buf);
2024	1392		*buf = (ptls_buffer_t){NULL, 0, 0, 0, 0};
2025	1392		}
2026
2027			inline uint8_t ptls_encode_quicint(uint8_t p, uint64_t v)
2028			{
2029			if (PTLS_UNLIKELY(v > 63)) {
2030			if (PTLS_UNLIKELY(v > 16383)) {
2031			unsigned sb;
2032			if (PTLS_UNLIKELY(v > 1073741823)) {
2033			assert(v <= 4611686018427387903);
2034			*p++ = 0xc0 \| (uint8_t)(v >> 56);
2035			sb = 6 * 8;
2036			} else {
2037			*p++ = 0x80 \| (uint8_t)(v >> 24);
2038			sb = 2 * 8;
2039			}
2040			do {
2041			*p++ = (uint8_t)(v >> sb);
2042			} while ((sb -= 8) != 0);
2043			} else {
2044			*p++ = 0x40 \| (uint8_t)((uint16_t)v >> 8);
2045			}
2046			}
2047			*p++ = (uint8_t)v;
2048			return p;
2049			}
2050
2051			inline void ptls_cipher_init(ptls_cipher_context_t ctx, const void iv)
2052			{
2053			ctx->do_init(ctx, iv);
2054			}
2055
2056			inline void ptls_cipher_encrypt(ptls_cipher_context_t ctx, void output, const void *input, size_t len)
2057			{
2058			ctx->do_transform(ctx, output, input, len);
2059			}
2060
2061			inline void ptls_aead_get_iv(ptls_aead_context_t ctx, void iv)
2062			{
2063			ctx->do_get_iv(ctx, iv);
2064			}
2065
2066			inline void ptls_aead_set_iv(ptls_aead_context_t ctx, const void iv)
2067			{
2068			ctx->do_set_iv(ctx, iv);
2069			}
2070
2071			inline size_t ptls_aead_encrypt(ptls_aead_context_t ctx, void output, const void *input, size_t inlen, uint64_t seq,
2072			const void *aad, size_t aadlen)
2073			{
2074			ctx->do_encrypt(ctx, output, input, inlen, seq, aad, aadlen, NULL);
2075			return inlen + ctx->algo->tag_size;
2076			}
2077
2078			inline void ptls_aead_encrypt_s(ptls_aead_context_t ctx, void output, const void *input, size_t inlen, uint64_t seq,
2079			const void aad, size_t aadlen, ptls_aead_supplementary_encryption_t supp)
2080			{
2081			ctx->do_encrypt(ctx, output, input, inlen, seq, aad, aadlen, supp);
2082			}
2083
2084			inline void ptls_aead_encrypt_v(ptls_aead_context_t ctx, void output, ptls_iovec_t *input, size_t incnt, uint64_t seq,
2085			const void *aad, size_t aadlen)
2086			{
2087			ctx->do_encrypt_v(ctx, output, input, incnt, seq, aad, aadlen);
2088			}
2089
2090			inline void ptls_aead_encrypt_init(ptls_aead_context_t ctx, uint64_t seq, const void aad, size_t aadlen)
2091			{
2092			ctx->do_encrypt_init(ctx, seq, aad, aadlen);
2093			}
2094
2095			inline size_t ptls_aead_encrypt_update(ptls_aead_context_t ctx, void output, const void *input, size_t inlen)
2096			{
2097			return ctx->do_encrypt_update(ctx, output, input, inlen);
2098			}
2099
2100			inline size_t ptls_aead_encrypt_final(ptls_aead_context_t ctx, void output)
2101			{
2102			return ctx->do_encrypt_final(ctx, output);
2103			}
2104
2105			inline void ptls_aead__do_encrypt(ptls_aead_context_t ctx, void output, const void *input, size_t inlen, uint64_t seq,
2106			const void aad, size_t aadlen, ptls_aead_supplementary_encryption_t supp)
2107			{
2108			ptls_iovec_t invec = ptls_iovec_init(input, inlen);
2109			ctx->do_encrypt_v(ctx, output, &invec, 1, seq, aad, aadlen);
2110
2111			if (supp != NULL) {
2112			ptls_cipher_init(supp->ctx, supp->input);
2113			memset(supp->output, 0, sizeof(supp->output));
2114			ptls_cipher_encrypt(supp->ctx, supp->output, supp->output, sizeof(supp->output));
2115			}
2116			}
2117
2118			inline void ptls_aead__do_encrypt_v(ptls_aead_context_t ctx, void _output, ptls_iovec_t *input, size_t incnt, uint64_t seq,
2119			const void *aad, size_t aadlen)
2120			{
2121			uint8_t output = (uint8_t )_output;
2122
2123			ctx->do_encrypt_init(ctx, seq, aad, aadlen);
2124			for (size_t i = 0; i < incnt; ++i)
2125			output += ctx->do_encrypt_update(ctx, output, input[i].base, input[i].len);
2126			ctx->do_encrypt_final(ctx, output);
2127			}
2128
2129			inline size_t ptls_aead_decrypt(ptls_aead_context_t ctx, void output, const void *input, size_t inlen, uint64_t seq,
2130			const void *aad, size_t aadlen)
2131			{
2132			return ctx->do_decrypt(ctx, output, input, inlen, seq, aad, aadlen);
2133			}
2134
2135			inline void ptls_hash_clone_memcpy(void dst, const void src, size_t size)
2136			{
2137			memcpy(dst, src, size);
2138			}
2139
2140			#define ptls_define_hash(name, ctx_type, init_func, update_func, final_func) \
2141			ptls_define_hash6(name, ctx_type, init_func, update_func, final_func, ptls_hash_clone_memcpy)
2142			#define ptls_define_hash6(name, ctx_type, init_func, update_func, final_func, clone_func) \
2143			\
2144			struct name##_context_t { \
2145			ptls_hash_context_t super; \
2146			ctx_type ctx; \
2147			}; \
2148			\
2149			static void name##_update(ptls_hash_context_t _ctx, const void src, size_t len) \
2150			{ \
2151			struct name##_context_t ctx = (struct name##_context_t )_ctx; \
2152			update_func(&ctx->ctx, src, len); \
2153			} \
2154			\
2155			static void name##_final(ptls_hash_context_t _ctx, void md, ptls_hash_final_mode_t mode) \
2156			{ \
2157			struct name##_context_t ctx = (struct name##_context_t )_ctx; \
2158			if (mode == PTLS_HASH_FINAL_MODE_SNAPSHOT) { \
2159			ctx_type copy = ctx->ctx; \
2160			final_func(©, md); \
2161			ptls_clear_memory(©, sizeof(copy)); \
2162			return; \
2163			} \
2164			if (md != NULL) \
2165			final_func(&ctx->ctx, md); \
2166			switch (mode) { \
2167			case PTLS_HASH_FINAL_MODE_FREE: \
2168			ptls_clear_memory(&ctx->ctx, sizeof(ctx->ctx)); \
2169			free(ctx); \
2170			break; \
2171			case PTLS_HASH_FINAL_MODE_RESET: \
2172			init_func(&ctx->ctx); \
2173			break; \
2174			default: \
2175			assert(!"FIXME"); \
2176			break; \
2177			} \
2178			} \
2179			\
2180			static ptls_hash_context_t name##_clone(ptls_hash_context_t _src) \
2181			{ \
2182			struct name##_context_t dst, src = (struct name##_context_t *)_src; \
2183			if ((dst = malloc(sizeof(*dst))) == NULL) \
2184			return NULL; \
2185			dst->super = src->super; \
2186			clone_func(&dst->ctx, &src->ctx, sizeof(dst->ctx)); \
2187			return &dst->super; \
2188			} \
2189			\
2190			static ptls_hash_context_t *name##_create(void) \
2191			{ \
2192			struct name##_context_t *ctx; \
2193			if ((ctx = malloc(sizeof(*ctx))) == NULL) \
2194			return NULL; \
2195			ctx->super = (ptls_hash_context_t){name##_update, name##_final, name##_clone}; \
2196			init_func(&ctx->ctx); \
2197			return &ctx->super; \
2198			}
2199
2200			#ifdef __cplusplus
2201			}
2202			#endif
2203
2204			#endif