Remove support for esni draft-02

getdnsapi · Jul 3, 2019 · d720821 · d720821
1 parent a1119d9
commit d720821
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 35 deletions.
diff --git a/include/picotls.h b/include/picotls.h
@@ -84,7 +84,6 @@ extern "C" {
 #define PTLS_SIGNATURE_RSA_PSS_RSAE_SHA512 0x0806
 
 /* ESNI */
-#define PTLS_ESNI_VERSION_DRAFT02 0xff01
 #define PTLS_ESNI_VERSION_DRAFT03 0xff02
 
 #define PTLS_ESNI_RESPONSE_TYPE_ACCEPT 0

diff --git a/lib/picotls.c b/lib/picotls.c
@@ -1578,7 +1578,7 @@ static int parse_esni_keys(ptls_context_t *ctx, uint16_t *esni_version, ptls_key
     /* version */
     if ((ret = ptls_decode16(&version, &src, end)) != 0)
         goto Exit;
-    if (version != PTLS_ESNI_VERSION_DRAFT02 && version != PTLS_ESNI_VERSION_DRAFT03) {
+    if (version != PTLS_ESNI_VERSION_DRAFT03) {
         ret = PTLS_ALERT_DECODE_ERROR;
         goto Exit;
     }
@@ -1606,19 +1606,19 @@ static int parse_esni_keys(ptls_context_t *ctx, uint16_t *esni_version, ptls_key
     }
     *esni_version = version;
     /* published sni */
-    if (version != PTLS_ESNI_VERSION_DRAFT02) {
-        ptls_decode_open_block(src, end, 2, {
-            size_t len = end - src;
-            *published_sni = malloc(len + 1);
-            if (*published_sni == NULL) {
-                ret = PTLS_ERROR_NO_MEMORY;
-                goto Exit;
-            }
+    ptls_decode_open_block(src, end, 2, {
+        size_t len = end - src;
+        *published_sni = malloc(len + 1);
+        if (*published_sni == NULL) {
+            ret = PTLS_ERROR_NO_MEMORY;
+            goto Exit;
+        }
+        if (len > 0) {
             memcpy(*published_sni, src, len);
-            (*published_sni)[len] = 0;
-            src = end;
-        });
-    }
+        }
+        (*published_sni)[len] = 0;
+        src = end;
+    });
     /* key-shares */
     ptls_decode_open_block(src, end, 2, {
         if ((ret = select_key_share(selected_key_share, peer_key, ctx->key_exchanges, &src, end, 0)) != 0)
@@ -2346,13 +2346,7 @@ static int client_handle_encrypted_extensions(ptls_t *tls, ptls_iovec_t message,
             }
             break;
         case PTLS_EXTENSION_TYPE_ENCRYPTED_SERVER_NAME:
-            if (tls->esni != NULL && tls->esni->version == PTLS_ESNI_VERSION_DRAFT02) {
-                if (end - src != PTLS_ESNI_NONCE_SIZE) {
-                    ret = PTLS_ALERT_ILLEGAL_PARAMETER;
-                    goto Exit;
-                }
-                esni_nonce = src;
-            } else if (*src == PTLS_ESNI_RESPONSE_TYPE_ACCEPT) {
+            if (*src == PTLS_ESNI_RESPONSE_TYPE_ACCEPT) {
                 if (end - src != PTLS_ESNI_NONCE_SIZE + 1) {
                     ret = PTLS_ALERT_ILLEGAL_PARAMETER;
                     goto Exit;
@@ -3832,10 +3826,8 @@ static int server_handle_hello(ptls_t *tls, ptls_message_emitter_t *emitter, ptl
                 /* the extension is sent even if the application does not handle server name, because otherwise the handshake
                  * would fail (FIXME ch.esni.nonce will be zero on HRR) */
                 buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_ENCRYPTED_SERVER_NAME, {
-                    if (tls->esni->version != PTLS_ESNI_VERSION_DRAFT02) {
-                        uint8_t response_type = PTLS_ESNI_RESPONSE_TYPE_ACCEPT;
-                        ptls_buffer_pushv(sendbuf, &response_type, 1);
-                    }
+                    uint8_t response_type = PTLS_ESNI_RESPONSE_TYPE_ACCEPT;
+                    ptls_buffer_pushv(sendbuf, &response_type, 1);
                     ptls_buffer_pushv(sendbuf, tls->esni->nonce, PTLS_ESNI_NONCE_SIZE);
                 });
                 free_esni_secret(&tls->esni, 1);
@@ -5126,10 +5118,9 @@ int ptls_esni_init_context(ptls_context_t *ctx, ptls_esni_context_t *esni, ptls_
         goto Exit;
     }
     src += 4;
-    /* Skip published SNI field if version 03 or later */
-    if (esni->version != PTLS_ESNI_VERSION_DRAFT02) {
-        ptls_decode_open_block(src, end, 2, { src = end; });
-    }
+    /* Published SNI field */
+    ptls_decode_open_block(src, end, 2, { src = end; });
+
     /* Process the list of KeyShareEntries, verify for each of them that the ciphersuite is supported. */
     ptls_decode_open_block(src, end, 2, {
         do {
@@ -5224,7 +5215,7 @@ void ptls_esni_dispose_context(ptls_esni_context_t *esni)
 /**
  * Obtain the ESNI secrets negotiated during the handshake.
  */
-struct st_ptls_esni_secret_t * ptls_get_esni_secret(ptls_t * ctx)
+struct st_ptls_esni_secret_t *ptls_get_esni_secret(ptls_t *ctx)
 {
     return ctx->esni;
 }

diff --git a/src/esni.c b/src/esni.c
@@ -50,10 +50,12 @@ static int emit_esni(ptls_key_exchange_context_t **key_exchanges, ptls_cipher_su
 
     ptls_buffer_init(&buf, "", 0);
 
-    ptls_buffer_push16(&buf, (published_sni == NULL) ? PTLS_ESNI_VERSION_DRAFT02 : PTLS_ESNI_VERSION_DRAFT03);
+    ptls_buffer_push16(&buf, PTLS_ESNI_VERSION_DRAFT03);
     ptls_buffer_push(&buf, 0, 0, 0, 0); /* checksum, filled later */
     if (published_sni != NULL) {
         ptls_buffer_push_block(&buf, 2, { ptls_buffer_pushv(&buf, published_sni, strlen(published_sni)); });
+    } else {
+        ptls_buffer_push16(&buf, 0);
     }
     ptls_buffer_push_block(&buf, 2, {
         size_t i;

diff --git a/t/test.h b/t/test.h
@@ -53,10 +53,12 @@
 
 /* secp256r1 key that lasts until 2028 */
 #define ESNIKEYS                                                                                                                   \
-    "\xff\x01\xba\xd5\xad\xa2\x00\x45\x00\x17\x00\x41\x04\x3e\xee\xf7\x10\xe3\x75\x07\xa8\xfb\x3e\xfc\x62\x50\x24\x95\xa0\x61\x6e" \
-    "\xff\x6b\x63\x0f\xa3\xfd\xcc\x33\x36\xd0\xb1\x2d\x55\xba\xb0\x06\xbd\xb4\x29\x82\xc6\xd9\xee\x66\x84\xa9\x63\x94\x44\xbe\x04" \
-    "\xe7\xee\xcf\xab\xc2\xc9\xdd\x40\xe6\xc8\x89\x88\xed\x94\x86\x00\x04\x13\x01\x13\x03\x01\x04\x00\x00\x00\x00\x5c\x13\x5e\xd2" \
-    "\x00\x00\x00\x00\x6e\xdf\x61\xd1\x00\x00"
+    "\xff\x02\xcf\x27\xde\x17\x00\x0b\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f\x6d\x00\x45"                                         \
+    "\x00\x17\x00\x41\x04\x3e\xee\xf7\x10\xe3\x75\x07\xa8\xfb\x3e\xfc\x62\x50\x24\x95\xa0"                                         \
+    "\x61\x6e\xff\x6b\x63\x0f\xa3\xfd\xcc\x33\x36\xd0\xb1\x2d\x55\xba\xb0\x06\xbd\xb4\x29"                                         \
+    "\x82\xc6\xd9\xee\x66\x84\xa9\x63\x94\x44\xbe\x04\xe7\xee\xcf\xab\xc2\xc9\xdd\x40\xe6"                                         \
+    "\xc8\x89\x88\xed\x94\x86\x00\x02\x13\x01\x01\x04\x00\x00\x00\x00\x5d\x1c\xc0\x63\x00"                                         \
+    "\x00\x4e\x94\xee\x6b\xc0\x62\x00\x00"
 #define ESNI_SECP256R1KEY                                                                                                          \
     "-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBBw==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE "                         \
     "KEY-----\nMHcCAQEEIGrRVTfTXuOVewLt/g+Ugvg9XW/g4lGXrkZ8fdYaYuJCoAoGCCqGSM49\nAwEHoUQDQgAEPu73EON1B6j7PvxiUCSVoGFu/"            \