blob: 774bb440f640bde7e2fc58efa6ddd3ef50352a2c [file] [log] [blame]
// Copyright (c) 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef QUICHE_QUIC_CORE_CRYPTO_TLS_SERVER_CONNECTION_H_
#define QUICHE_QUIC_CORE_CRYPTO_TLS_SERVER_CONNECTION_H_
#include "absl/strings/string_view.h"
#include "quic/core/crypto/proof_source.h"
#include "quic/core/crypto/tls_connection.h"
namespace quic {
// TlsServerConnection receives calls for client-specific BoringSSL callbacks
// and calls its Delegate for the implementation of those callbacks.
class QUIC_EXPORT_PRIVATE TlsServerConnection : public TlsConnection {
public:
// A TlsServerConnection::Delegate implement the server-specific methods that
// are set as callbacks for an SSL object.
class QUIC_EXPORT_PRIVATE Delegate {
public:
virtual ~Delegate() {}
protected:
// Called from BoringSSL right after SNI is extracted, which is very early
// in the handshake process.
virtual ssl_select_cert_result_t EarlySelectCertCallback(
const SSL_CLIENT_HELLO* client_hello) = 0;
// Called after the ClientHello extensions have been successfully parsed.
// Returns an SSL_TLSEXT_ERR_* value (see
// https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set_tlsext_servername_callback).
//
// On success, return SSL_TLSEXT_ERR_OK causes the server_name extension to
// be acknowledged in the ServerHello, or return SSL_TLSEXT_ERR_NOACK which
// causes it to be not acknowledged.
//
// If the function returns SSL_TLSEXT_ERR_ALERT_FATAL, then it puts in
// |*out_alert| the TLS alert value that the server will send.
//
virtual int TlsExtServernameCallback(int* out_alert) = 0;
// Selects which ALPN to use based on the list sent by the client.
virtual int SelectAlpn(const uint8_t** out,
uint8_t* out_len,
const uint8_t* in,
unsigned in_len) = 0;
// Signs |in| using the signature algorithm specified by |sig_alg| (an
// SSL_SIGN_* value). If the signing operation cannot be completed
// synchronously, ssl_private_key_retry is returned. If there is an error
// signing, or if the signature is longer than |max_out|, then
// ssl_private_key_failure is returned. Otherwise, ssl_private_key_success
// is returned with the signature put in |*out| and the length in
// |*out_len|.
virtual ssl_private_key_result_t PrivateKeySign(uint8_t* out,
size_t* out_len,
size_t max_out,
uint16_t sig_alg,
absl::string_view in) = 0;
// When PrivateKeySign returns ssl_private_key_retry, PrivateKeyComplete
// will be called after the async sign operation has completed.
// PrivateKeyComplete puts the resulting signature in |*out| and length in
// |*out_len|. If the length is greater than |max_out| or if there was an
// error in signing, then ssl_private_key_failure is returned. Otherwise,
// ssl_private_key_success is returned.
virtual ssl_private_key_result_t PrivateKeyComplete(uint8_t* out,
size_t* out_len,
size_t max_out) = 0;
// The following functions are used to implement an SSL_TICKET_AEAD_METHOD.
// See
// https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#ssl_ticket_aead_result_t
// for details on the BoringSSL API.
// SessionTicketMaxOverhead returns the maximum number of bytes of overhead
// that SessionTicketSeal may add when encrypting a session ticket.
virtual size_t SessionTicketMaxOverhead() = 0;
// SessionTicketSeal encrypts the session ticket in |in|, putting the
// resulting encrypted ticket in |out|, writing the length of the bytes
// written to |*out_len|, which is no larger than |max_out_len|. It returns
// 1 on success and 0 on error.
virtual int SessionTicketSeal(uint8_t* out,
size_t* out_len,
size_t max_out_len,
absl::string_view in) = 0;
// SessionTicketOpen is called when BoringSSL has an encrypted session
// ticket |in| and wants the ticket decrypted. This decryption operation can
// happen synchronously or asynchronously.
//
// If the decrypted ticket is not available at the time of the function
// call, this function returns ssl_ticket_aead_retry. If this function
// returns ssl_ticket_aead_retry, then SSL_do_handshake will return
// SSL_ERROR_PENDING_TICKET. Once the pending ticket decryption has
// completed, SSL_do_handshake needs to be called again.
//
// When this function is called and the decrypted ticket is available
// (either the ticket was decrypted synchronously, or an asynchronous
// operation has completed and SSL_do_handshake has been called again), the
// decrypted ticket is put in |out|, and the length of that output is
// written to |*out_len|, not to exceed |max_out_len|, and
// ssl_ticket_aead_success is returned. If the ticket cannot be decrypted
// and should be ignored, this function returns
// ssl_ticket_aead_ignore_ticket and a full handshake will be performed
// instead. If a fatal error occurs, ssl_ticket_aead_error can be returned
// which will terminate the handshake.
virtual enum ssl_ticket_aead_result_t SessionTicketOpen(
uint8_t* out,
size_t* out_len,
size_t max_out_len,
absl::string_view in) = 0;
// Provides the delegate for callbacks that are shared between client and
// server.
virtual TlsConnection::Delegate* ConnectionDelegate() = 0;
friend class TlsServerConnection;
};
TlsServerConnection(SSL_CTX* ssl_ctx, Delegate* delegate);
// Creates and configures an SSL_CTX that is appropriate for servers to use.
static bssl::UniquePtr<SSL_CTX> CreateSslCtx(ProofSource* proof_source);
void SetCertChain(const std::vector<CRYPTO_BUFFER*>& cert_chain);
private:
// Specialization of TlsConnection::ConnectionFromSsl.
static TlsServerConnection* ConnectionFromSsl(SSL* ssl);
static ssl_select_cert_result_t EarlySelectCertCallback(
const SSL_CLIENT_HELLO* client_hello);
// These functions are registered as callbacks in BoringSSL and delegate their
// implementation to the matching methods in Delegate above.
static int TlsExtServernameCallback(SSL* ssl, int* out_alert, void* arg);
static int SelectAlpnCallback(SSL* ssl,
const uint8_t** out,
uint8_t* out_len,
const uint8_t* in,
unsigned in_len,
void* arg);
// |kPrivateKeyMethod| is a vtable pointing to PrivateKeySign and
// PrivateKeyComplete used by the TLS stack to compute the signature for the
// CertificateVerify message (using the server's private key).
static const SSL_PRIVATE_KEY_METHOD kPrivateKeyMethod;
// The following functions make up the contents of |kPrivateKeyMethod|.
static ssl_private_key_result_t PrivateKeySign(SSL* ssl,
uint8_t* out,
size_t* out_len,
size_t max_out,
uint16_t sig_alg,
const uint8_t* in,
size_t in_len);
static ssl_private_key_result_t PrivateKeyComplete(SSL* ssl,
uint8_t* out,
size_t* out_len,
size_t max_out);
// Implementation of SSL_TICKET_AEAD_METHOD which delegates to corresponding
// methods in TlsServerConnection::Delegate (a.k.a. TlsServerHandshaker).
static const SSL_TICKET_AEAD_METHOD kSessionTicketMethod;
// The following functions make up the contents of |kSessionTicketMethod|.
static size_t SessionTicketMaxOverhead(SSL* ssl);
static int SessionTicketSeal(SSL* ssl,
uint8_t* out,
size_t* out_len,
size_t max_out_len,
const uint8_t* in,
size_t in_len);
static enum ssl_ticket_aead_result_t SessionTicketOpen(SSL* ssl,
uint8_t* out,
size_t* out_len,
size_t max_out_len,
const uint8_t* in,
size_t in_len);
Delegate* delegate_;
};
} // namespace quic
#endif // QUICHE_QUIC_CORE_CRYPTO_TLS_SERVER_CONNECTION_H_