Google Git
Sign in
pigweed / third_party / github / h2o / picotls / ee951dbcafe65a34b0c856f3a04bcce69b867b64 / . / lib / cifra.c
blob: 8bb93d18d312a8980ff5f6099eca9f0890c41986 [file] [log] [blame]
/*
* Copyright (c) 2016 DeNA Co., Ltd., Kazuho Oku
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to
* deal in the Software without restriction, including without limitation the
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
* sell copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
* IN THE SOFTWARE.
*/
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700 /* required for glibc to use getaddrinfo, etc. */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef _WINDOWS
#include "wincompat.h"
#else
#include <unistd.h>
#endif
#include "aes.h"
#include "bitops.h"
#include "drbg.h"
#include "curve25519.h"
#include "../deps/cifra/src/ext/handy.h"
#include "modes.h"
#include "poly1305.h"
#include "salsa20.h"
#include "sha2.h"
#include "picotls.h"
#include "picotls/minicrypto.h"
#ifdef _WINDOWS
#ifdef _WINDOWS_XP
/* The modern BCrypt API is only available on Windows Vista and later versions.
* If compiling on Windows XP, we need to use the olded "wincrypt" API */
#include <wincrypt.h>
static void read_entropy(uint8_t *entropy, size_t size)
{
HCRYPTPROV hCryptProv = 0;
BOOL ret = FALSE;
if (CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, 0)) {
ret = CryptGenRandom(hCryptProv, (DWORD)size, entropy);
(void)CryptReleaseContext(hCryptProv, 0);
}
if (ret == FALSE) {
perror("ptls_minicrypto_random_bytes: could not use CryptGenRandom");
abort();
}
}
#else
/* The old "Wincrypt" API requires access to default security containers.
* This can cause access control errors on some systems. We prefer
* to use the modern BCrypt API when available */
#include <bcrypt.h>
static void read_entropy(uint8_t *entropy, size_t size)
{
NTSTATUS nts = 0;
BCRYPT_ALG_HANDLE hAlgorithm = 0;
nts = BCryptOpenAlgorithmProvider(&hAlgorithm, BCRYPT_RNG_ALGORITHM, NULL, 0);
if (BCRYPT_SUCCESS(nts)) {
nts = BCryptGenRandom(hAlgorithm, (PUCHAR)entropy, (ULONG)size, 0);
(void)BCryptCloseAlgorithmProvider(hAlgorithm, 0);
}
if (!BCRYPT_SUCCESS(nts)) {
perror("ptls_minicrypto_random_bytes: could not open BCrypt RNG Algorithm");
abort();
}
}
#endif
#else
static void read_entropy(uint8_t *entropy, size_t size)
{
int fd;
if ((fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC)) == -1) {
if ((fd = open("/dev/random", O_RDONLY | O_CLOEXEC)) == -1) {
perror("ptls_minicrypto_random_bytes: could not open neither /dev/random or /dev/urandom");
abort();
}
}
while (size != 0) {
ssize_t rret;
while ((rret = read(fd, entropy, size)) == -1 && errno == EINTR)
;
if (rret < 0) {
perror("ptls_minicrypto_random_bytes");
abort();
}
entropy += rret;
size -= rret;
}
close(fd);
}
#endif
void ptls_minicrypto_random_bytes(void *buf, size_t len)
{
#ifdef _WINDOWS
static __declspec(thread) cf_hash_drbg_sha256 ctx;
#else
static __thread cf_hash_drbg_sha256 ctx;
#endif
if (cf_hash_drbg_sha256_needs_reseed(&ctx)) {
uint8_t entropy[256];
read_entropy(entropy, sizeof(entropy));
cf_hash_drbg_sha256_init(&ctx, entropy, sizeof(entropy) / 2, entropy + sizeof(entropy) / 2, sizeof(entropy) / 2, "ptls", 4);
}
cf_hash_drbg_sha256_gen(&ctx, buf, len);
}
#define X25519_KEY_SIZE 32
struct st_x25519_key_exchange_t {
ptls_key_exchange_context_t super;
uint8_t priv[X25519_KEY_SIZE];
uint8_t pub[X25519_KEY_SIZE];
};
static void x25519_create_keypair(uint8_t *priv, uint8_t *pub)
{
ptls_minicrypto_random_bytes(priv, X25519_KEY_SIZE);
cf_curve25519_mul_base(pub, priv);
}
static int x25519_derive_secret(ptls_iovec_t *secret, const uint8_t *clientpriv, const uint8_t *clientpub,
const uint8_t *serverpriv, const uint8_t *serverpub)
{
if ((secret->base = malloc(X25519_KEY_SIZE)) == NULL)
return PTLS_ERROR_NO_MEMORY;
cf_curve25519_mul(secret->base, clientpriv != NULL ? clientpriv : serverpriv, clientpriv != NULL ? serverpub : clientpub);
secret->len = X25519_KEY_SIZE;
return 0;
}
static int x25519_on_exchange(ptls_key_exchange_context_t **_ctx, int release, ptls_iovec_t *secret, ptls_iovec_t peerkey)
{
struct st_x25519_key_exchange_t *ctx = (struct st_x25519_key_exchange_t *)*_ctx;
int ret;
if (secret == NULL) {
ret = 0;
goto Exit;
}
if (peerkey.len != X25519_KEY_SIZE) {
ret = PTLS_ALERT_DECRYPT_ERROR;
goto Exit;
}
ret = x25519_derive_secret(secret, ctx->priv, ctx->pub, NULL, peerkey.base);
Exit:
if (release) {
ptls_clear_memory(ctx->priv, sizeof(ctx->priv));
free(ctx);
*_ctx = NULL;
}
return ret;
}
static int x25519_create_key_exchange(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **_ctx)
{
struct st_x25519_key_exchange_t *ctx;
if ((ctx = (struct st_x25519_key_exchange_t *)malloc(sizeof(*ctx))) == NULL)
return PTLS_ERROR_NO_MEMORY;
ctx->super = (ptls_key_exchange_context_t){algo, ptls_iovec_init(ctx->pub, sizeof(ctx->pub)), x25519_on_exchange};
x25519_create_keypair(ctx->priv, ctx->pub);
*_ctx = &ctx->super;
return 0;
}
static int x25519_key_exchange(ptls_key_exchange_algorithm_t *algo, ptls_iovec_t *pubkey, ptls_iovec_t *secret,
ptls_iovec_t peerkey)
{
uint8_t priv[X25519_KEY_SIZE], *pub = NULL;
int ret;
if (peerkey.len != X25519_KEY_SIZE) {
ret = PTLS_ALERT_DECRYPT_ERROR;
goto Exit;
}
if ((pub = malloc(X25519_KEY_SIZE)) == NULL) {
ret = PTLS_ERROR_NO_MEMORY;
goto Exit;
}
x25519_create_keypair(priv, pub);
if ((ret = x25519_derive_secret(secret, NULL, peerkey.base, priv, pub)) != 0)
goto Exit;
*pubkey = ptls_iovec_init(pub, X25519_KEY_SIZE);
ret = 0;
Exit:
ptls_clear_memory(priv, sizeof(priv));
if (pub != NULL && ret != 0)
ptls_clear_memory(pub, X25519_KEY_SIZE);
return ret;
}
struct aesecb_context_t {
ptls_cipher_context_t super;
cf_aes_context aes;
};
static void aesecb_dispose(ptls_cipher_context_t *_ctx)
{
struct aesecb_context_t *ctx = (struct aesecb_context_t *)_ctx;
ptls_clear_memory(ctx, sizeof(*ctx));
}
static void aesecb_encrypt(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t len)
{
struct aesecb_context_t *ctx = (struct aesecb_context_t *)_ctx;
assert(len % AES_BLOCKSZ == 0);
cf_aes_encrypt(&ctx->aes, input, output);
}
static void aesecb_decrypt(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t len)
{
struct aesecb_context_t *ctx = (struct aesecb_context_t *)_ctx;
assert(len % AES_BLOCKSZ == 0);
cf_aes_decrypt(&ctx->aes, input, output);
}
static int aesecb_setup_crypto(ptls_cipher_context_t *_ctx, int is_enc, const void *key, size_t key_size)
{
struct aesecb_context_t *ctx = (struct aesecb_context_t *)_ctx;
ctx->super.do_dispose = aesecb_dispose;
ctx->super.do_init = NULL;
ctx->super.do_transform = is_enc ? aesecb_encrypt : aesecb_decrypt;
cf_aes_init(&ctx->aes, key, key_size);
return 0;
}
static int aes128ecb_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key)
{
return aesecb_setup_crypto(ctx, is_enc, key, PTLS_AES128_KEY_SIZE);
}
static int aes256ecb_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key)
{
return aesecb_setup_crypto(ctx, is_enc, key, PTLS_AES256_KEY_SIZE);
}
struct aesctr_context_t {
ptls_cipher_context_t super;
cf_aes_context aes;
cf_ctr ctr;
};
static void aesctr_dispose(ptls_cipher_context_t *_ctx)
{
struct aesctr_context_t *ctx = (struct aesctr_context_t *)_ctx;
ptls_clear_memory(ctx, sizeof(*ctx));
}
static void aesctr_init(ptls_cipher_context_t *_ctx, const void *iv)
{
struct aesctr_context_t *ctx = (struct aesctr_context_t *)_ctx;
cf_ctr_init(&ctx->ctr, &cf_aes, &ctx->aes, iv);
}
static void aesctr_transform(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t len)
{
struct aesctr_context_t *ctx = (struct aesctr_context_t *)_ctx;
cf_ctr_cipher(&ctx->ctr, input, output, len);
}
static int aesctr_setup_crypto(ptls_cipher_context_t *_ctx, int is_enc, const void *key, size_t key_size)
{
struct aesctr_context_t *ctx = (struct aesctr_context_t *)_ctx;
ctx->super.do_dispose = aesctr_dispose;
ctx->super.do_init = aesctr_init;
ctx->super.do_transform = aesctr_transform;
cf_aes_init(&ctx->aes, key, key_size);
return 0;
}
static int aes128ctr_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key)
{
return aesctr_setup_crypto(ctx, is_enc, key, PTLS_AES128_KEY_SIZE);
}
static int aes256ctr_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key)
{
return aesctr_setup_crypto(ctx, is_enc, key, PTLS_AES256_KEY_SIZE);
}
struct aesgcm_context_t {
ptls_aead_context_t super;
cf_aes_context aes;
cf_gcm_ctx gcm;
};
static void aesgcm_dispose_crypto(ptls_aead_context_t *_ctx)
{
struct aesgcm_context_t *ctx = (struct aesgcm_context_t *)_ctx;
/* clear all memory except super */
ptls_clear_memory((uint8_t *)ctx + sizeof(ctx->super), sizeof(*ctx) - sizeof(ctx->super));
}
static void aesgcm_encrypt_init(ptls_aead_context_t *_ctx, const void *iv, const void *aad, size_t aadlen)
{
struct aesgcm_context_t *ctx = (struct aesgcm_context_t *)_ctx;
cf_gcm_encrypt_init(&cf_aes, &ctx->aes, &ctx->gcm, aad, aadlen, iv, PTLS_AESGCM_IV_SIZE);
}
static size_t aesgcm_encrypt_update(ptls_aead_context_t *_ctx, void *output, const void *input, size_t inlen)
{
struct aesgcm_context_t *ctx = (struct aesgcm_context_t *)_ctx;
cf_gcm_encrypt_update(&ctx->gcm, input, inlen, output);
return inlen;
}
static size_t aesgcm_encrypt_final(ptls_aead_context_t *_ctx, void *output)
{
struct aesgcm_context_t *ctx = (struct aesgcm_context_t *)_ctx;
cf_gcm_encrypt_final(&ctx->gcm, output, PTLS_AESGCM_TAG_SIZE);
return PTLS_AESGCM_TAG_SIZE;
}
static size_t aesgcm_decrypt(ptls_aead_context_t *_ctx, void *output, const void *input, size_t inlen, const void *iv,
const void *aad, size_t aadlen)
{
struct aesgcm_context_t *ctx = (struct aesgcm_context_t *)_ctx;
if (inlen < PTLS_AESGCM_TAG_SIZE)
return SIZE_MAX;
size_t tag_offset = inlen - PTLS_AESGCM_TAG_SIZE;
if (cf_gcm_decrypt(&cf_aes, &ctx->aes, input, tag_offset, aad, aadlen, iv, PTLS_AESGCM_IV_SIZE, (uint8_t *)input + tag_offset,
PTLS_AESGCM_TAG_SIZE, output) != 0)
return SIZE_MAX;
return tag_offset;
}
static int aead_aesgcm_setup_crypto(ptls_aead_context_t *_ctx, int is_enc, const void *key, size_t key_size)
{
struct aesgcm_context_t *ctx = (struct aesgcm_context_t *)_ctx;
ctx->super.dispose_crypto = aesgcm_dispose_crypto;
if (is_enc) {
ctx->super.do_encrypt_init = aesgcm_encrypt_init;
ctx->super.do_encrypt_update = aesgcm_encrypt_update;
ctx->super.do_encrypt_final = aesgcm_encrypt_final;
ctx->super.do_decrypt = NULL;
} else {
ctx->super.do_encrypt_init = NULL;
ctx->super.do_encrypt_update = NULL;
ctx->super.do_encrypt_final = NULL;
ctx->super.do_decrypt = aesgcm_decrypt;
}
cf_aes_init(&ctx->aes, key, key_size);
return 0;
}
static int aead_aes128gcm_setup_crypto(ptls_aead_context_t *ctx, int is_enc, const void *key)
{
return aead_aesgcm_setup_crypto(ctx, is_enc, key, PTLS_AES128_KEY_SIZE);
}
static int aead_aes256gcm_setup_crypto(ptls_aead_context_t *ctx, int is_enc, const void *key)
{
return aead_aesgcm_setup_crypto(ctx, is_enc, key, PTLS_AES256_KEY_SIZE);
}
struct chacha20_context_t {
ptls_cipher_context_t super;
cf_chacha20_ctx chacha;
uint8_t key[PTLS_CHACHA20_KEY_SIZE];
};
static void chacha20_dispose(ptls_cipher_context_t *_ctx)
{
struct chacha20_context_t *ctx = (struct chacha20_context_t *)_ctx;
ptls_clear_memory(ctx, sizeof(*ctx));
}
static void chacha20_init(ptls_cipher_context_t *_ctx, const void *iv)
{
struct chacha20_context_t *ctx = (struct chacha20_context_t *)_ctx;
ctx->chacha.nblock = 0;
ctx->chacha.ncounter = 0;
memcpy(ctx->chacha.nonce, iv, sizeof ctx->chacha.nonce);
}
static void chacha20_transform(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t len)
{
struct chacha20_context_t *ctx = (struct chacha20_context_t *)_ctx;
cf_chacha20_cipher(&ctx->chacha, input, output, len);
}
static int chacha20_setup_crypto(ptls_cipher_context_t *_ctx, int is_enc, const void *key)
{
struct chacha20_context_t *ctx = (struct chacha20_context_t *)_ctx;
ctx->super.do_dispose = chacha20_dispose;
ctx->super.do_init = chacha20_init;
ctx->super.do_transform = chacha20_transform;
cf_chacha20_init(&ctx->chacha, key, PTLS_CHACHA20_KEY_SIZE, (const uint8_t *)"01234567" /* not used */);
return 0;
}
struct chacha20poly1305_context_t {
ptls_aead_context_t super;
uint8_t key[PTLS_CHACHA20_KEY_SIZE];
cf_chacha20_ctx chacha;
cf_poly1305 poly;
size_t aadlen;
size_t textlen;
};
static void chacha20poly1305_dispose_crypto(ptls_aead_context_t *_ctx)
{
struct chacha20poly1305_context_t *ctx = (struct chacha20poly1305_context_t *)_ctx;
/* clear all memory except super */
ptls_clear_memory(&ctx->key, sizeof(*ctx) - offsetof(struct chacha20poly1305_context_t, key));
}
static const uint8_t zeros64[64] = {0};
static void chacha20poly1305_encrypt_pad(cf_poly1305 *poly, size_t n)
{
if (n % 16 != 0)
cf_poly1305_update(poly, zeros64, 16 - (n % 16));
}
static void chacha20poly1305_finalize(struct chacha20poly1305_context_t *ctx, uint8_t *tag)
{
uint8_t lenbuf[16];
chacha20poly1305_encrypt_pad(&ctx->poly, ctx->textlen);
write64_le(ctx->aadlen, lenbuf);
write64_le(ctx->textlen, lenbuf + 8);
cf_poly1305_update(&ctx->poly, lenbuf, sizeof(lenbuf));
cf_poly1305_finish(&ctx->poly, tag);
}
static void chacha20poly1305_init(ptls_aead_context_t *_ctx, const void *iv, const void *aad, size_t aadlen)
{
struct chacha20poly1305_context_t *ctx = (struct chacha20poly1305_context_t *)_ctx;
uint8_t tmpbuf[64];
/* init chacha */
memset(tmpbuf, 0, 16 - PTLS_CHACHA20POLY1305_IV_SIZE);
memcpy(tmpbuf + 16 - PTLS_CHACHA20POLY1305_IV_SIZE, iv, PTLS_CHACHA20POLY1305_IV_SIZE);
cf_chacha20_init_custom(&ctx->chacha, ctx->key, sizeof(ctx->key), tmpbuf, 4);
/* init poly1305 (by using first 16 bytes of the key stream of the first block) */
cf_chacha20_cipher(&ctx->chacha, zeros64, tmpbuf, 64);
cf_poly1305_init(&ctx->poly, tmpbuf, tmpbuf + 16);
ptls_clear_memory(tmpbuf, sizeof(tmpbuf));
/* aad */
if (aadlen != 0) {
cf_poly1305_update(&ctx->poly, aad, aadlen);
chacha20poly1305_encrypt_pad(&ctx->poly, aadlen);
}
ctx->aadlen = aadlen;
ctx->textlen = 0;
}
static size_t chacha20poly1305_encrypt_update(ptls_aead_context_t *_ctx, void *output, const void *input, size_t inlen)
{
struct chacha20poly1305_context_t *ctx = (struct chacha20poly1305_context_t *)_ctx;
cf_chacha20_cipher(&ctx->chacha, input, output, inlen);
cf_poly1305_update(&ctx->poly, output, inlen);
ctx->textlen += inlen;
return inlen;
}
static size_t chacha20poly1305_encrypt_final(ptls_aead_context_t *_ctx, void *output)
{
struct chacha20poly1305_context_t *ctx = (struct chacha20poly1305_context_t *)_ctx;
chacha20poly1305_finalize(ctx, output);
ptls_clear_memory(&ctx->chacha, sizeof(ctx->chacha));
return PTLS_CHACHA20POLY1305_TAG_SIZE;
}
static size_t chacha20poly1305_decrypt(ptls_aead_context_t *_ctx, void *output, const void *input, size_t inlen, const void *iv,
const void *aad, size_t aadlen)
{
struct chacha20poly1305_context_t *ctx = (struct chacha20poly1305_context_t *)_ctx;
uint8_t tag[PTLS_CHACHA20POLY1305_TAG_SIZE];
size_t ret;
if (inlen < sizeof(tag))
return SIZE_MAX;
chacha20poly1305_init(&ctx->super, iv, aad, aadlen);
cf_poly1305_update(&ctx->poly, input, inlen - sizeof(tag));
ctx->textlen = inlen - sizeof(tag);
chacha20poly1305_finalize(ctx, tag);
if (mem_eq(tag, (const uint8_t *)input + inlen - sizeof(tag), sizeof(tag))) {
cf_chacha20_cipher(&ctx->chacha, input, output, inlen - sizeof(tag));
ret = inlen - sizeof(tag);
} else {
ret = SIZE_MAX;
}
ptls_clear_memory(tag, sizeof(tag));
ptls_clear_memory(&ctx->poly, sizeof(ctx->poly));
return ret;
}
static int aead_chacha20poly1305_setup_crypto(ptls_aead_context_t *_ctx, int is_enc, const void *key)
{
struct chacha20poly1305_context_t *ctx = (struct chacha20poly1305_context_t *)_ctx;
ctx->super.dispose_crypto = chacha20poly1305_dispose_crypto;
if (is_enc) {
ctx->super.do_encrypt_init = chacha20poly1305_init;
ctx->super.do_encrypt_update = chacha20poly1305_encrypt_update;
ctx->super.do_encrypt_final = chacha20poly1305_encrypt_final;
ctx->super.do_decrypt = NULL;
} else {
ctx->super.do_encrypt_init = NULL;
ctx->super.do_encrypt_update = NULL;
ctx->super.do_encrypt_final = NULL;
ctx->super.do_decrypt = chacha20poly1305_decrypt;
}
memcpy(ctx->key, key, sizeof(ctx->key));
return 0;
}
ptls_define_hash(sha256, cf_sha256_context, cf_sha256_init, cf_sha256_update, cf_sha256_digest_final);
ptls_define_hash(sha384, cf_sha512_context, cf_sha384_init, cf_sha384_update, cf_sha384_digest_final);
ptls_key_exchange_algorithm_t ptls_minicrypto_x25519 = {PTLS_GROUP_X25519, x25519_create_key_exchange, x25519_key_exchange};
ptls_cipher_algorithm_t ptls_minicrypto_aes128ecb = {
"AES128-ECB", PTLS_AES128_KEY_SIZE, PTLS_AES_BLOCK_SIZE, 0 /* iv size */, sizeof(struct aesecb_context_t),
aes128ecb_setup_crypto};
ptls_cipher_algorithm_t ptls_minicrypto_aes128ctr = {
"AES128-CTR", PTLS_AES128_KEY_SIZE, 1 /* block size */, PTLS_AES_IV_SIZE, sizeof(struct aesctr_context_t),
aes128ctr_setup_crypto};
ptls_aead_algorithm_t ptls_minicrypto_aes128gcm = {
"AES128-GCM", &ptls_minicrypto_aes128ctr, &ptls_minicrypto_aes128ecb, PTLS_AES128_KEY_SIZE,
PTLS_AESGCM_IV_SIZE, PTLS_AESGCM_TAG_SIZE, sizeof(struct aesgcm_context_t), aead_aes128gcm_setup_crypto};
ptls_cipher_algorithm_t ptls_minicrypto_aes256ecb = {
"AES128-ECB", PTLS_AES256_KEY_SIZE, PTLS_AES_BLOCK_SIZE, 0 /* iv size */, sizeof(struct aesecb_context_t),
aes256ecb_setup_crypto};
ptls_cipher_algorithm_t ptls_minicrypto_aes256ctr = {
"AES256-CTR", PTLS_AES256_KEY_SIZE, 1 /* block size */, PTLS_AES_IV_SIZE, sizeof(struct aesctr_context_t),
aes256ctr_setup_crypto};
ptls_aead_algorithm_t ptls_minicrypto_aes256gcm = {
"AES256-GCM", &ptls_minicrypto_aes256ctr, &ptls_minicrypto_aes256ecb, PTLS_AES256_KEY_SIZE,
PTLS_AESGCM_IV_SIZE, PTLS_AESGCM_TAG_SIZE, sizeof(struct aesgcm_context_t), aead_aes256gcm_setup_crypto};
ptls_hash_algorithm_t ptls_minicrypto_sha256 = {PTLS_SHA256_BLOCK_SIZE, PTLS_SHA256_DIGEST_SIZE, sha256_create,
PTLS_ZERO_DIGEST_SHA256};
ptls_hash_algorithm_t ptls_minicrypto_sha384 = {PTLS_SHA384_BLOCK_SIZE, PTLS_SHA384_DIGEST_SIZE, sha384_create,
PTLS_ZERO_DIGEST_SHA384};
ptls_cipher_algorithm_t ptls_minicrypto_chacha20 = {
"CHACHA20", PTLS_CHACHA20_KEY_SIZE, 1 /* block size */, PTLS_CHACHA20_IV_SIZE, sizeof(struct chacha20_context_t),
chacha20_setup_crypto};
ptls_aead_algorithm_t ptls_minicrypto_chacha20poly1305 = {"CHACHA20-POLY1305",
&ptls_minicrypto_chacha20,
NULL,
PTLS_CHACHA20_KEY_SIZE,
PTLS_CHACHA20POLY1305_IV_SIZE,
PTLS_CHACHA20POLY1305_TAG_SIZE,
sizeof(struct chacha20poly1305_context_t),
aead_chacha20poly1305_setup_crypto};
ptls_cipher_suite_t ptls_minicrypto_aes128gcmsha256 = {PTLS_CIPHER_SUITE_AES_128_GCM_SHA256, &ptls_minicrypto_aes128gcm,
&ptls_minicrypto_sha256};
ptls_cipher_suite_t ptls_minicrypto_aes256gcmsha384 = {PTLS_CIPHER_SUITE_AES_256_GCM_SHA384, &ptls_minicrypto_aes256gcm,
&ptls_minicrypto_sha384};
ptls_cipher_suite_t ptls_minicrypto_chacha20poly1305sha256 = {PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256,
&ptls_minicrypto_chacha20poly1305, &ptls_minicrypto_sha256};
ptls_cipher_suite_t *ptls_minicrypto_cipher_suites[] = {&ptls_minicrypto_aes256gcmsha384, &ptls_minicrypto_aes128gcmsha256,
&ptls_minicrypto_chacha20poly1305sha256, NULL};