protocol-quic 0.0.0

data/ext/ngtcp2/examples/tls_server_context_openssl.cc

@@ -0,0 +1,338 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2020 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#include "tls_server_context_openssl.h"
+
+#include <cstring>
+#include <iostream>
+#include <fstream>
+#include <limits>
+
+#include <ngtcp2/ngtcp2_crypto_openssl.h>
+
+#include <openssl/err.h>
+
+#include "server_base.h"
+#include "template.h"
+
+extern Config config;
+
+TLSServerContext::TLSServerContext() : ssl_ctx_{nullptr} {}
+
+TLSServerContext::~TLSServerContext() {
+  if (ssl_ctx_) {
+    SSL_CTX_free(ssl_ctx_);
+  }
+}
+
+SSL_CTX *TLSServerContext::get_native_handle() const { return ssl_ctx_; }
+
+namespace {
+int alpn_select_proto_h3_cb(SSL *ssl, const unsigned char **out,
+                            unsigned char *outlen, const unsigned char *in,
+                            unsigned int inlen, void *arg) {
+  auto conn_ref = static_cast<ngtcp2_crypto_conn_ref *>(SSL_get_app_data(ssl));
+  auto h = static_cast<HandlerBase *>(conn_ref->user_data);
+  const uint8_t *alpn;
+  size_t alpnlen;
+  // This should be the negotiated version, but we have not set the
+  // negotiated version when this callback is called.
+  auto version = ngtcp2_conn_get_client_chosen_version(h->conn());
+
+  switch (version) {
+  case QUIC_VER_DRAFT29:
+    alpn = H3_ALPN_DRAFT29;
+    alpnlen = str_size(H3_ALPN_DRAFT29);
+    break;
+  case QUIC_VER_DRAFT30:
+    alpn = H3_ALPN_DRAFT30;
+    alpnlen = str_size(H3_ALPN_DRAFT30);
+    break;
+  case QUIC_VER_DRAFT31:
+    alpn = H3_ALPN_DRAFT31;
+    alpnlen = str_size(H3_ALPN_DRAFT31);
+    break;
+  case QUIC_VER_DRAFT32:
+    alpn = H3_ALPN_DRAFT32;
+    alpnlen = str_size(H3_ALPN_DRAFT32);
+    break;
+  case NGTCP2_PROTO_VER_V1:
+  case NGTCP2_PROTO_VER_V2:
+    alpn = H3_ALPN_V1;
+    alpnlen = str_size(H3_ALPN_V1);
+    break;
+  default:
+    if (!config.quiet) {
+      std::cerr << "Unexpected quic protocol version: " << std::hex << "0x"
+                << version << std::dec << std::endl;
+    }
+    return SSL_TLSEXT_ERR_ALERT_FATAL;
+  }
+
+  for (auto p = in, end = in + inlen; p + alpnlen <= end; p += *p + 1) {
+    if (std::equal(alpn, alpn + alpnlen, p)) {
+      *out = p + 1;
+      *outlen = *p;
+      return SSL_TLSEXT_ERR_OK;
+    }
+  }
+
+  if (!config.quiet) {
+    std::cerr << "Client did not present ALPN " << &alpn[1] << std::endl;
+  }
+
+  return SSL_TLSEXT_ERR_ALERT_FATAL;
+}
+} // namespace
+
+namespace {
+int alpn_select_proto_hq_cb(SSL *ssl, const unsigned char **out,
+                            unsigned char *outlen, const unsigned char *in,
+                            unsigned int inlen, void *arg) {
+  auto conn_ref = static_cast<ngtcp2_crypto_conn_ref *>(SSL_get_app_data(ssl));
+  auto h = static_cast<HandlerBase *>(conn_ref->user_data);
+  const uint8_t *alpn;
+  size_t alpnlen;
+  // This should be the negotiated version, but we have not set the
+  // negotiated version when this callback is called.
+  auto version = ngtcp2_conn_get_client_chosen_version(h->conn());
+
+  switch (version) {
+  case QUIC_VER_DRAFT29:
+    alpn = HQ_ALPN_DRAFT29;
+    alpnlen = str_size(HQ_ALPN_DRAFT29);
+    break;
+  case QUIC_VER_DRAFT30:
+    alpn = HQ_ALPN_DRAFT30;
+    alpnlen = str_size(HQ_ALPN_DRAFT30);
+    break;
+  case QUIC_VER_DRAFT31:
+    alpn = HQ_ALPN_DRAFT31;
+    alpnlen = str_size(HQ_ALPN_DRAFT31);
+    break;
+  case QUIC_VER_DRAFT32:
+    alpn = HQ_ALPN_DRAFT32;
+    alpnlen = str_size(HQ_ALPN_DRAFT32);
+    break;
+  case NGTCP2_PROTO_VER_V1:
+  case NGTCP2_PROTO_VER_V2:
+    alpn = HQ_ALPN_V1;
+    alpnlen = str_size(HQ_ALPN_V1);
+    break;
+  default:
+    if (!config.quiet) {
+      std::cerr << "Unexpected quic protocol version: " << std::hex << "0x"
+                << version << std::dec << std::endl;
+    }
+    return SSL_TLSEXT_ERR_ALERT_FATAL;
+  }
+
+  for (auto p = in, end = in + inlen; p + alpnlen <= end; p += *p + 1) {
+    if (std::equal(alpn, alpn + alpnlen, p)) {
+      *out = p + 1;
+      *outlen = *p;
+      return SSL_TLSEXT_ERR_OK;
+    }
+  }
+
+  if (!config.quiet) {
+    std::cerr << "Client did not present ALPN " << &alpn[1] << std::endl;
+  }
+
+  return SSL_TLSEXT_ERR_ALERT_FATAL;
+}
+} // namespace
+
+namespace {
+int verify_cb(int preverify_ok, X509_STORE_CTX *ctx) {
+  // We don't verify the client certificate.  Just request it for the
+  // testing purpose.
+  return 1;
+}
+} // namespace
+
+namespace {
+int gen_ticket_cb(SSL *ssl, void *arg) {
+  auto conn_ref = static_cast<ngtcp2_crypto_conn_ref *>(SSL_get_app_data(ssl));
+  auto h = static_cast<HandlerBase *>(conn_ref->user_data);
+  auto ver = htonl(ngtcp2_conn_get_negotiated_version(h->conn()));
+
+  if (!SSL_SESSION_set1_ticket_appdata(SSL_get0_session(ssl), &ver,
+                                       sizeof(ver))) {
+    return 0;
+  }
+
+  return 1;
+}
+} // namespace
+
+namespace {
+SSL_TICKET_RETURN decrypt_ticket_cb(SSL *ssl, SSL_SESSION *session,
+                                    const unsigned char *keyname,
+                                    size_t keynamelen, SSL_TICKET_STATUS status,
+                                    void *arg) {
+  switch (status) {
+  case SSL_TICKET_EMPTY:
+  case SSL_TICKET_NO_DECRYPT:
+    return SSL_TICKET_RETURN_IGNORE_RENEW;
+  }
+
+  uint8_t *pver;
+  uint32_t ver;
+  size_t verlen;
+
+  if (!SSL_SESSION_get0_ticket_appdata(
+          session, reinterpret_cast<void **>(&pver), &verlen) ||
+      verlen != sizeof(ver)) {
+    switch (status) {
+    case SSL_TICKET_SUCCESS:
+      return SSL_TICKET_RETURN_IGNORE;
+    case SSL_TICKET_SUCCESS_RENEW:
+    default:
+      return SSL_TICKET_RETURN_IGNORE_RENEW;
+    }
+  }
+
+  memcpy(&ver, pver, sizeof(ver));
+
+  auto conn_ref = static_cast<ngtcp2_crypto_conn_ref *>(SSL_get_app_data(ssl));
+  auto h = static_cast<HandlerBase *>(conn_ref->user_data);
+
+  if (ngtcp2_conn_get_client_chosen_version(h->conn()) != ntohl(ver)) {
+    switch (status) {
+    case SSL_TICKET_SUCCESS:
+      return SSL_TICKET_RETURN_IGNORE;
+    case SSL_TICKET_SUCCESS_RENEW:
+    default:
+      return SSL_TICKET_RETURN_IGNORE_RENEW;
+    }
+  }
+
+  switch (status) {
+  case SSL_TICKET_SUCCESS:
+    return SSL_TICKET_RETURN_USE;
+  case SSL_TICKET_SUCCESS_RENEW:
+  default:
+    return SSL_TICKET_RETURN_USE_RENEW;
+  }
+}
+} // namespace
+
+int TLSServerContext::init(const char *private_key_file, const char *cert_file,
+                           AppProtocol app_proto) {
+  constexpr static unsigned char sid_ctx[] = "ngtcp2 server";
+
+  ssl_ctx_ = SSL_CTX_new(TLS_server_method());
+  if (!ssl_ctx_) {
+    std::cerr << "SSSL_CTX_new: " << ERR_error_string(ERR_get_error(), nullptr)
+              << std::endl;
+    return -1;
+  }
+
+  if (ngtcp2_crypto_openssl_configure_server_context(ssl_ctx_) != 0) {
+    std::cerr << "ngtcp2_crypto_openssl_configure_server_context failed"
+              << std::endl;
+    return -1;
+  }
+
+  SSL_CTX_set_max_early_data(ssl_ctx_, UINT32_MAX);
+
+  constexpr auto ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+                            SSL_OP_SINGLE_ECDH_USE |
+                            SSL_OP_CIPHER_SERVER_PREFERENCE |
+                            SSL_OP_NO_ANTI_REPLAY;
+
+  SSL_CTX_set_options(ssl_ctx_, ssl_opts);
+
+  if (SSL_CTX_set_ciphersuites(ssl_ctx_, config.ciphers) != 1) {
+    std::cerr << "SSL_CTX_set_ciphersuites: "
+              << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
+    return -1;
+  }
+
+  if (SSL_CTX_set1_groups_list(ssl_ctx_, config.groups) != 1) {
+    std::cerr << "SSL_CTX_set1_groups_list failed" << std::endl;
+    return -1;
+  }
+
+  SSL_CTX_set_mode(ssl_ctx_, SSL_MODE_RELEASE_BUFFERS);
+
+  switch (app_proto) {
+  case AppProtocol::H3:
+    SSL_CTX_set_alpn_select_cb(ssl_ctx_, alpn_select_proto_h3_cb, nullptr);
+    break;
+  case AppProtocol::HQ:
+    SSL_CTX_set_alpn_select_cb(ssl_ctx_, alpn_select_proto_hq_cb, nullptr);
+    break;
+  }
+
+  SSL_CTX_set_default_verify_paths(ssl_ctx_);
+
+  if (SSL_CTX_use_PrivateKey_file(ssl_ctx_, private_key_file,
+                                  SSL_FILETYPE_PEM) != 1) {
+    std::cerr << "SSL_CTX_use_PrivateKey_file: "
+              << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
+    return -1;
+  }
+
+  if (SSL_CTX_use_certificate_chain_file(ssl_ctx_, cert_file) != 1) {
+    std::cerr << "SSL_CTX_use_certificate_chain_file: "
+              << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
+    return -1;
+  }
+
+  if (SSL_CTX_check_private_key(ssl_ctx_) != 1) {
+    std::cerr << "SSL_CTX_check_private_key: "
+              << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
+    return -1;
+  }
+
+  SSL_CTX_set_session_id_context(ssl_ctx_, sid_ctx, sizeof(sid_ctx) - 1);
+
+  if (config.verify_client) {
+    SSL_CTX_set_verify(ssl_ctx_,
+                       SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
+                           SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+                       verify_cb);
+  }
+
+  SSL_CTX_set_session_ticket_cb(ssl_ctx_, gen_ticket_cb, decrypt_ticket_cb,
+                                nullptr);
+
+  return 0;
+}
+
+extern std::ofstream keylog_file;
+
+namespace {
+void keylog_callback(const SSL *ssl, const char *line) {
+  keylog_file.write(line, strlen(line));
+  keylog_file.put('\n');
+  keylog_file.flush();
+}
+} // namespace
+
+void TLSServerContext::enable_keylog() {
+  SSL_CTX_set_keylog_callback(ssl_ctx_, keylog_callback);
+}

data/ext/ngtcp2/examples/tls_server_context_openssl.h

@@ -0,0 +1,54 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2020 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#ifndef TLS_SERVER_CONTEXT_OPENSSL_H
+#define TLS_SERVER_CONTEXT_OPENSSL_H
+
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif // HAVE_CONFIG_H
+
+#include <openssl/ssl.h>
+
+#include "shared.h"
+
+using namespace ngtcp2;
+
+class TLSServerContext {
+public:
+  TLSServerContext();
+  ~TLSServerContext();
+
+  int init(const char *private_key_file, const char *cert_file,
+           AppProtocol app_proto);
+
+  SSL_CTX *get_native_handle() const;
+
+  void enable_keylog();
+
+private:
+  SSL_CTX *ssl_ctx_;
+};
+
+#endif // TLS_SERVER_CONTEXT_OPENSSL_H

data/ext/ngtcp2/examples/tls_server_context_picotls.cc

@@ -0,0 +1,321 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2022 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#include "tls_server_context_picotls.h"
+
+#include <iostream>
+#include <memory>
+
+#include <ngtcp2/ngtcp2_crypto_picotls.h>
+
+#include <openssl/pem.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#  include <openssl/core_names.h>
+#endif // OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+#include "server_base.h"
+#include "tls_shared_picotls.h"
+#include "template.h"
+
+extern Config config;
+
+namespace {
+int on_client_hello_cb(ptls_on_client_hello_t *self, ptls_t *ptls,
+                       ptls_on_client_hello_parameters_t *params) {
+  auto &negprotos = params->negotiated_protocols;
+
+  for (size_t i = 0; i < negprotos.count; ++i) {
+    auto &proto = negprotos.list[i];
+    if (H3_ALPN_V1[0] == proto.len &&
+        memcmp(&H3_ALPN_V1[1], proto.base, proto.len) == 0) {
+      if (ptls_set_negotiated_protocol(
+              ptls, reinterpret_cast<char *>(proto.base), proto.len) != 0) {
+        return -1;
+      }
+
+      return 0;
+    }
+  }
+
+  return PTLS_ALERT_NO_APPLICATION_PROTOCOL;
+}
+
+ptls_on_client_hello_t on_client_hello = {on_client_hello_cb};
+} // namespace
+
+namespace {
+auto ticket_hmac = EVP_sha256();
+
+template <size_t N> void random_bytes(std::array<uint8_t, N> &dest) {
+  ptls_openssl_random_bytes(dest.data(), dest.size());
+}
+
+const std::array<uint8_t, 16> &get_ticket_key_name() {
+  static std::array<uint8_t, 16> key_name;
+  random_bytes(key_name);
+  return key_name;
+}
+
+const std::array<uint8_t, 32> &get_ticket_key() {
+  static std::array<uint8_t, 32> key;
+  random_bytes(key);
+  return key;
+}
+
+const std::array<uint8_t, 32> &get_ticket_hmac_key() {
+  static std::array<uint8_t, 32> hmac_key;
+  random_bytes(hmac_key);
+  return hmac_key;
+}
+} // namespace
+
+namespace {
+int ticket_key_cb(unsigned char *key_name, unsigned char *iv,
+                  EVP_CIPHER_CTX *ctx,
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+                  EVP_MAC_CTX *hctx,
+#else  // OPENSSL_VERSION_NUMBER < 0x30000000L
+                  HMAC_CTX *hctx,
+#endif // OPENSSL_VERSION_NUMBER < 0x30000000L
+                  int enc) {
+  static const auto &static_key_name = get_ticket_key_name();
+  static const auto &static_key = get_ticket_key();
+  static const auto &static_hmac_key = get_ticket_hmac_key();
+
+  if (enc) {
+    ptls_openssl_random_bytes(iv, EVP_MAX_IV_LENGTH);
+
+    memcpy(key_name, static_key_name.data(), static_key_name.size());
+
+    EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), nullptr, static_key.data(), iv);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+    std::array<OSSL_PARAM, 3> params{
+        OSSL_PARAM_construct_octet_string(
+            OSSL_MAC_PARAM_KEY, const_cast<uint8_t *>(static_hmac_key.data()),
+            static_hmac_key.size()),
+        OSSL_PARAM_construct_utf8_string(
+            OSSL_MAC_PARAM_DIGEST,
+            const_cast<char *>(EVP_MD_get0_name(ticket_hmac)), 0),
+        OSSL_PARAM_construct_end(),
+    };
+    if (!EVP_MAC_CTX_set_params(hctx, params.data())) {
+      /* TODO Which value should we return on error? */
+      return 0;
+    }
+#else  // OPENSSL_VERSION_NUMBER < 0x30000000L
+    HMAC_Init_ex(hctx, static_hmac_key.data(), static_hmac_key.size(),
+                 ticket_hmac, nullptr);
+#endif // OPENSSL_VERSION_NUMBER < 0x30000000L
+
+    return 1;
+  }
+
+  if (memcmp(key_name, static_key_name.data(), static_key_name.size()) != 0) {
+    return 0;
+  }
+
+  EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), nullptr, static_key.data(), iv);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+  std::array<OSSL_PARAM, 3> params{
+      OSSL_PARAM_construct_octet_string(
+          OSSL_MAC_PARAM_KEY, const_cast<uint8_t *>(static_hmac_key.data()),
+          static_hmac_key.size()),
+      OSSL_PARAM_construct_utf8_string(
+          OSSL_MAC_PARAM_DIGEST,
+          const_cast<char *>(EVP_MD_get0_name(ticket_hmac)), 0),
+      OSSL_PARAM_construct_end(),
+  };
+  if (!EVP_MAC_CTX_set_params(hctx, params.data())) {
+    /* TODO Which value should we return on error? */
+    return 0;
+  }
+#else  // OPENSSL_VERSION_NUMBER < 0x30000000L
+  HMAC_Init_ex(hctx, static_hmac_key.data(), static_hmac_key.size(),
+               ticket_hmac, nullptr);
+#endif // OPENSSL_VERSION_NUMBER < 0x30000000L
+
+  return 1;
+}
+} // namespace
+
+namespace {
+int encrypt_ticket_cb(ptls_encrypt_ticket_t *encrypt_ticket, ptls_t *ptls,
+                      int is_encrypt, ptls_buffer_t *dst, ptls_iovec_t src) {
+  int rv;
+  auto conn_ref =
+      static_cast<ngtcp2_crypto_conn_ref *>(*ptls_get_data_ptr(ptls));
+  auto conn = conn_ref->get_conn(conn_ref);
+  uint32_t ver;
+
+  if (is_encrypt) {
+    ver = htonl(ngtcp2_conn_get_negotiated_version(conn));
+    // TODO Replace std::make_unique with
+    // std::make_unique_for_overwrite when it is available.
+    auto buf = std::make_unique<uint8_t[]>(src.len + sizeof(ver));
+    auto p = std::copy_n(src.base, src.len, buf.get());
+    p = std::copy_n(reinterpret_cast<uint8_t *>(&ver), sizeof(ver), p);
+
+    src.base = buf.get();
+    src.len = p - buf.get();
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+    rv = ptls_openssl_encrypt_ticket_evp(dst, src, ticket_key_cb);
+#else  // OPENSSL_VERSION_NUMBER < 0x30000000L
+    rv = ptls_openssl_encrypt_ticket(dst, src, ticket_key_cb);
+#endif // OPENSSL_VERSION_NUMBER < 0x30000000L
+    if (rv != 0) {
+      return -1;
+    }
+
+    return 0;
+  }
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+  rv = ptls_openssl_decrypt_ticket_evp(dst, src, ticket_key_cb);
+#else  // OPENSSL_VERSION_NUMBER < 0x30000000L
+  rv = ptls_openssl_decrypt_ticket(dst, src, ticket_key_cb);
+#endif // OPENSSL_VERSION_NUMBER < 0x30000000L
+  if (rv != 0) {
+    return -1;
+  }
+
+  if (dst->off < sizeof(ver)) {
+    return -1;
+  }
+
+  memcpy(&ver, dst->base + dst->off - sizeof(ver), sizeof(ver));
+
+  if (ngtcp2_conn_get_client_chosen_version(conn) != ntohl(ver)) {
+    return -1;
+  }
+
+  dst->off -= sizeof(ver);
+
+  return 0;
+}
+
+ptls_encrypt_ticket_t encrypt_ticket = {encrypt_ticket_cb};
+} // namespace
+
+namespace {
+ptls_key_exchange_algorithm_t *key_exchanges[] = {
+    &ptls_openssl_x25519,
+    &ptls_openssl_secp256r1,
+    &ptls_openssl_secp384r1,
+    &ptls_openssl_secp521r1,
+    nullptr,
+};
+} // namespace
+
+namespace {
+ptls_cipher_suite_t *cipher_suites[] = {
+    &ptls_openssl_aes128gcmsha256,
+    &ptls_openssl_aes256gcmsha384,
+    &ptls_openssl_chacha20poly1305sha256,
+    nullptr,
+};
+} // namespace
+
+TLSServerContext::TLSServerContext()
+    : ctx_{
+          .random_bytes = ptls_openssl_random_bytes,
+          .get_time = &ptls_get_time,
+          .key_exchanges = key_exchanges,
+          .cipher_suites = cipher_suites,
+          .on_client_hello =  &on_client_hello,
+          .ticket_lifetime = 86400,
+          .require_dhe_on_psk = 1,
+          .server_cipher_preference = 1,
+          .encrypt_ticket = &encrypt_ticket,
+      },
+      sign_cert_{}
+{}
+
+TLSServerContext::~TLSServerContext() {
+  if (sign_cert_.key) {
+    ptls_openssl_dispose_sign_certificate(&sign_cert_);
+  }
+
+  for (size_t i = 0; i < ctx_.certificates.count; ++i) {
+    free(ctx_.certificates.list[i].base);
+  }
+  free(ctx_.certificates.list);
+}
+
+ptls_context_t *TLSServerContext::get_native_handle() { return &ctx_; }
+
+int TLSServerContext::init(const char *private_key_file, const char *cert_file,
+                           AppProtocol app_proto) {
+  if (ngtcp2_crypto_picotls_configure_server_context(&ctx_) != 0) {
+    std::cerr << "ngtcp2_crypto_picotls_configure_server_context failed"
+              << std::endl;
+    return -1;
+  }
+
+  if (ptls_load_certificates(&ctx_, cert_file) != 0) {
+    std::cerr << "ptls_load_certificates failed" << std::endl;
+    return -1;
+  }
+
+  if (load_private_key(private_key_file) != 0) {
+    return -1;
+  }
+
+  if (config.verify_client) {
+    ctx_.require_client_authentication = 1;
+  }
+
+  return 0;
+}
+
+int TLSServerContext::load_private_key(const char *private_key_file) {
+  auto fp = fopen(private_key_file, "rb");
+  if (fp == nullptr) {
+    std::cerr << "Could not open private key file " << private_key_file << ": "
+              << strerror(errno) << std::endl;
+    return -1;
+  }
+
+  auto fp_d = defer(fclose, fp);
+
+  auto pkey = PEM_read_PrivateKey(fp, nullptr, nullptr, nullptr);
+  if (pkey == nullptr) {
+    std::cerr << "Could not read private key file " << private_key_file
+              << std::endl;
+    return -1;
+  }
+
+  auto pkey_d = defer(EVP_PKEY_free, pkey);
+
+  if (ptls_openssl_init_sign_certificate(&sign_cert_, pkey) != 0) {
+    std::cerr << "ptls_openssl_init_sign_certificate failed" << std::endl;
+    return -1;
+  }
+
+  ctx_.sign_certificate = &sign_cert_.super;
+
+  return 0;
+}
+
+void TLSServerContext::enable_keylog() { ctx_.log_event = &log_event; }