| // Copyright (c) 2017 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "net/third_party/quiche/src/quic/core/tls_handshaker.h" |
| |
| #include "third_party/boringssl/src/include/openssl/crypto.h" |
| #include "third_party/boringssl/src/include/openssl/ssl.h" |
| #include "net/third_party/quiche/src/quic/core/quic_crypto_stream.h" |
| #include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h" |
| #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h" |
| #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h" |
| #include "net/third_party/quiche/src/quic/platform/api/quic_singleton.h" |
| |
| namespace quic { |
| |
| namespace { |
| |
| class SslIndexSingleton { |
| public: |
| static SslIndexSingleton* GetInstance() { |
| return QuicSingleton<SslIndexSingleton>::get(); |
| } |
| |
| int HandshakerIndex() const { return ssl_ex_data_index_handshaker_; } |
| |
| private: |
| SslIndexSingleton() { |
| CRYPTO_library_init(); |
| ssl_ex_data_index_handshaker_ = |
| SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr); |
| CHECK_LE(0, ssl_ex_data_index_handshaker_); |
| } |
| |
| SslIndexSingleton(const SslIndexSingleton&) = delete; |
| SslIndexSingleton& operator=(const SslIndexSingleton&) = delete; |
| |
| friend QuicSingletonFriend<SslIndexSingleton>; |
| |
| int ssl_ex_data_index_handshaker_; |
| }; |
| |
| } // namespace |
| |
| TlsHandshaker::TlsHandshaker(QuicCryptoStream* stream, |
| QuicSession* session, |
| SSL_CTX* ssl_ctx) |
| : stream_(stream), session_(session) { |
| ssl_.reset(SSL_new(ssl_ctx)); |
| SSL_set_ex_data(ssl(), SslIndexSingleton::GetInstance()->HandshakerIndex(), |
| this); |
| } |
| |
| TlsHandshaker::~TlsHandshaker() {} |
| |
| bool TlsHandshaker::ProcessInput(QuicStringPiece input, EncryptionLevel level) { |
| if (parser_error_ != QUIC_NO_ERROR) { |
| return false; |
| } |
| // TODO(nharper): Call SSL_quic_read_level(ssl()) and check whether the |
| // encryption level BoringSSL expects matches the encryption level that we |
| // just received input at. If they mismatch, should ProcessInput return true |
| // or false? If data is for a future encryption level, it should be queued for |
| // later? |
| if (SSL_provide_quic_data(ssl(), BoringEncryptionLevel(level), |
| reinterpret_cast<const uint8_t*>(input.data()), |
| input.size()) != 1) { |
| // SSL_provide_quic_data can fail for 3 reasons: |
| // - API misuse (calling it before SSL_set_custom_quic_method, which we |
| // call in the TlsHandshaker c'tor) |
| // - Memory exhaustion when appending data to its buffer |
| // - Data provided at the wrong encryption level |
| // |
| // Of these, the only sensible error to handle is data provided at the wrong |
| // encryption level. |
| // |
| // Note: the error provided below has a good-sounding enum value, although |
| // it doesn't match the description as it's a QUIC Crypto specific error. |
| parser_error_ = QUIC_INVALID_CRYPTO_MESSAGE_TYPE; |
| parser_error_detail_ = "TLS stack failed to receive data"; |
| return false; |
| } |
| AdvanceHandshake(); |
| return true; |
| } |
| |
| // static |
| bssl::UniquePtr<SSL_CTX> TlsHandshaker::CreateSslCtx() { |
| CRYPTO_library_init(); |
| bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_with_buffers_method())); |
| SSL_CTX_set_min_proto_version(ssl_ctx.get(), TLS1_3_VERSION); |
| SSL_CTX_set_max_proto_version(ssl_ctx.get(), TLS1_3_VERSION); |
| SSL_CTX_set_quic_method(ssl_ctx.get(), &kSslQuicMethod); |
| return ssl_ctx; |
| } |
| |
| // static |
| TlsHandshaker* TlsHandshaker::HandshakerFromSsl(const SSL* ssl) { |
| return reinterpret_cast<TlsHandshaker*>(SSL_get_ex_data( |
| ssl, SslIndexSingleton::GetInstance()->HandshakerIndex())); |
| } |
| |
| // static |
| EncryptionLevel TlsHandshaker::QuicEncryptionLevel( |
| enum ssl_encryption_level_t level) { |
| switch (level) { |
| case ssl_encryption_initial: |
| return ENCRYPTION_NONE; |
| case ssl_encryption_early_data: |
| case ssl_encryption_handshake: |
| return ENCRYPTION_ZERO_RTT; |
| case ssl_encryption_application: |
| return ENCRYPTION_FORWARD_SECURE; |
| } |
| } |
| |
| // static |
| enum ssl_encryption_level_t TlsHandshaker::BoringEncryptionLevel( |
| EncryptionLevel level) { |
| switch (level) { |
| case ENCRYPTION_NONE: |
| return ssl_encryption_initial; |
| case ENCRYPTION_ZERO_RTT: |
| return ssl_encryption_handshake; |
| case ENCRYPTION_FORWARD_SECURE: |
| return ssl_encryption_application; |
| default: |
| QUIC_BUG << "Invalid encryption level " << level; |
| return ssl_encryption_initial; |
| } |
| } |
| |
| const EVP_MD* TlsHandshaker::Prf() { |
| return EVP_get_digestbynid( |
| SSL_CIPHER_get_prf_nid(SSL_get_pending_cipher(ssl()))); |
| } |
| |
| std::unique_ptr<QuicEncrypter> TlsHandshaker::CreateEncrypter( |
| const std::vector<uint8_t>& pp_secret) { |
| std::unique_ptr<QuicEncrypter> encrypter = |
| QuicEncrypter::CreateFromCipherSuite( |
| SSL_CIPHER_get_id(SSL_get_pending_cipher(ssl()))); |
| CryptoUtils::SetKeyAndIV(Prf(), pp_secret, encrypter.get()); |
| return encrypter; |
| } |
| |
| std::unique_ptr<QuicDecrypter> TlsHandshaker::CreateDecrypter( |
| const std::vector<uint8_t>& pp_secret) { |
| std::unique_ptr<QuicDecrypter> decrypter = |
| QuicDecrypter::CreateFromCipherSuite( |
| SSL_CIPHER_get_id(SSL_get_pending_cipher(ssl()))); |
| CryptoUtils::SetKeyAndIV(Prf(), pp_secret, decrypter.get()); |
| return decrypter; |
| } |
| |
| const SSL_QUIC_METHOD TlsHandshaker::kSslQuicMethod{ |
| TlsHandshaker::SetEncryptionSecretCallback, |
| TlsHandshaker::WriteMessageCallback, TlsHandshaker::FlushFlightCallback, |
| TlsHandshaker::SendAlertCallback}; |
| |
| // static |
| int TlsHandshaker::SetEncryptionSecretCallback( |
| SSL* ssl, |
| enum ssl_encryption_level_t level, |
| const uint8_t* read_key, |
| const uint8_t* write_key, |
| size_t secret_len) { |
| // TODO(nharper): replace these vectors and memcpys with spans (which |
| // unfortunately doesn't yet exist in quic/platform/api). |
| std::vector<uint8_t> read_secret(secret_len), write_secret(secret_len); |
| memcpy(read_secret.data(), read_key, secret_len); |
| memcpy(write_secret.data(), write_key, secret_len); |
| HandshakerFromSsl(ssl)->SetEncryptionSecret(QuicEncryptionLevel(level), |
| read_secret, write_secret); |
| return 1; |
| } |
| |
| // static |
| int TlsHandshaker::WriteMessageCallback(SSL* ssl, |
| enum ssl_encryption_level_t level, |
| const uint8_t* data, |
| size_t len) { |
| HandshakerFromSsl(ssl)->WriteMessage( |
| QuicEncryptionLevel(level), |
| QuicStringPiece(reinterpret_cast<const char*>(data), len)); |
| return 1; |
| } |
| |
| // static |
| int TlsHandshaker::FlushFlightCallback(SSL* ssl) { |
| HandshakerFromSsl(ssl)->FlushFlight(); |
| return 1; |
| } |
| |
| // static |
| int TlsHandshaker::SendAlertCallback(SSL* ssl, |
| enum ssl_encryption_level_t level, |
| uint8_t desc) { |
| HandshakerFromSsl(ssl)->SendAlert(QuicEncryptionLevel(level), desc); |
| return 1; |
| } |
| |
| void TlsHandshaker::SetEncryptionSecret( |
| EncryptionLevel level, |
| const std::vector<uint8_t>& read_secret, |
| const std::vector<uint8_t>& write_secret) { |
| std::unique_ptr<QuicEncrypter> encrypter = CreateEncrypter(write_secret); |
| session()->connection()->SetEncrypter(level, std::move(encrypter)); |
| if (level != ENCRYPTION_FORWARD_SECURE) { |
| std::unique_ptr<QuicDecrypter> decrypter = CreateDecrypter(read_secret); |
| session()->connection()->SetDecrypter(level, std::move(decrypter)); |
| } else { |
| // When forward-secure read keys are available, they get set as the |
| // alternative decrypter instead of the primary decrypter. One reason for |
| // this is that after the forward secure keys become available, the server |
| // still has crypto handshake messages to read at the handshake encryption |
| // level, meaning that both the ENCRYPTION_ZERO_RTT and |
| // ENCRYPTION_FORWARD_SECURE decrypters need to be available. (Tests also |
| // assume that an alternative decrypter gets set, so at some point we need |
| // to call SetAlternativeDecrypter.) |
| std::unique_ptr<QuicDecrypter> decrypter = CreateDecrypter(read_secret); |
| session()->connection()->SetAlternativeDecrypter( |
| level, std::move(decrypter), /*latch_once_used*/ true); |
| } |
| } |
| |
| void TlsHandshaker::WriteMessage(EncryptionLevel level, QuicStringPiece data) { |
| stream_->WriteCryptoData(level, data); |
| } |
| |
| void TlsHandshaker::FlushFlight() {} |
| |
| void TlsHandshaker::SendAlert(EncryptionLevel level, uint8_t desc) { |
| // TODO(nharper): Alerts should be sent on the wire as a 16-bit QUIC error |
| // code computed to be 0x100 | desc (draft-ietf-quic-tls-14, section 4.8). |
| // This puts it in the range reserved for CRYPTO_ERROR |
| // (draft-ietf-quic-transport-14, section 11.3). However, according to |
| // quic_error_codes.h, this QUIC implementation only sends 1-byte error codes |
| // right now. |
| CloseConnection(QUIC_HANDSHAKE_FAILED, "TLS handshake failure"); |
| } |
| |
| } // namespace quic |