Refactor TlsHandshaker classes

QuicCryptoClientConfig and QuicCryptoServerConfig each own an SSL_CTX,
which is currently created by TlsHandshaker. Those crypto config classes
can't take a dependency on TlsHandshaker (because TlsHandshaker depends on
classes that have a dependency in the other direction), resulting in the SSL_CTX
being passed into the crypto config constructors. The SSL_CTX shouldn't be
exposed like this, as it's essentially an implementation detail of the
crypto handshake.

This CL splits TlsHandshaker in two. TlsConnection (and its subclasses) are
in quic/core/crypto, and handle the callbacks from BoringSSL. In turn, it
passes the implementation of those callbacks to a delegate. TlsHandshaker
implements this delegate and owns the TlsConnection.

gfe-relnote: refactor TLS handshake classes in QUIC; not flag protected
PiperOrigin-RevId: 253140899
Change-Id: Ie907a7f61798c29a385be15ea0f53403b86508ab
diff --git a/quic/core/crypto/tls_client_connection.cc b/quic/core/crypto/tls_client_connection.cc
new file mode 100644
index 0000000..f28af66
--- /dev/null
+++ b/quic/core/crypto/tls_client_connection.cc
@@ -0,0 +1,33 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/crypto/tls_client_connection.h"
+
+namespace quic {
+
+TlsClientConnection::TlsClientConnection(SSL_CTX* ssl_ctx, Delegate* delegate)
+    : TlsConnection(ssl_ctx, delegate->ConnectionDelegate()),
+      delegate_(delegate) {}
+
+// static
+bssl::UniquePtr<SSL_CTX> TlsClientConnection::CreateSslCtx() {
+  bssl::UniquePtr<SSL_CTX> ssl_ctx = TlsConnection::CreateSslCtx();
+  // Configure certificate verification.
+  // TODO(nharper): This only verifies certs on initial connection, not on
+  // resumption. Chromium has this callback be a no-op and verifies the
+  // certificate after the connection is complete. We need to re-verify on
+  // resumption in case of expiration or revocation/distrust.
+  SSL_CTX_set_custom_verify(ssl_ctx.get(), SSL_VERIFY_PEER, &VerifyCallback);
+  return ssl_ctx;
+}
+
+// static
+enum ssl_verify_result_t TlsClientConnection::VerifyCallback(
+    SSL* ssl,
+    uint8_t* out_alert) {
+  return static_cast<TlsClientConnection*>(ConnectionFromSsl(ssl))
+      ->delegate_->VerifyCert(out_alert);
+}
+
+}  // namespace quic
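Review bot: the `static_cast<TlsClientConnection*>(ConnectionFromSsl(ssl))` in VerifyCallback is only sound because VerifyCallback is installed exclusively by TlsClientConnection::CreateSslCtx, so every SSL that reaches it was created from a client context; please state that invariant in a comment next to the cast (or in the header), since nothing in this file enforces it and a future caller wiring the callback onto another SSL_CTX would get an invalid downcast with no diagnostic. On the TODO above `SSL_CTX_set_custom_verify`: the note that certificates are verified only on the initial connection and not on resumption is a security-relevant gap (an expired or revoked/distrusted certificate keeps being accepted for as long as the session is resumable), so it is worth tracking in a bug and referencing it from the TODO rather than leaving it as an untracked comment.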