quic/core/tls_handshaker.h - quiche - Git at Google

 // Copyright (c) 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef QUICHE_QUIC_CORE_TLS_HANDSHAKER_H_
 #define QUICHE_QUIC_CORE_TLS_HANDSHAKER_H_

 #include "absl/strings/string_view.h"
 #include "third_party/boringssl/src/include/openssl/base.h"
 #include "third_party/boringssl/src/include/openssl/ssl.h"
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_handshake.h"
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_message_parser.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_decrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/tls_connection.h"
 #include "net/third_party/quiche/src/quic/core/quic_session.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"

 namespace quic {

 class QuicCryptoStream;

 // Base class for TlsClientHandshaker and TlsServerHandshaker. TlsHandshaker
 // provides functionality common to both the client and server, such as moving
 // messages between the TLS stack and the QUIC crypto stream, and handling
 // derivation of secrets.
 class QUIC_EXPORT_PRIVATE TlsHandshaker : public TlsConnection::Delegate,
                                           public CryptoMessageParser {
  public:
   // TlsHandshaker does not take ownership of any of its arguments; they must
   // outlive the TlsHandshaker.
   TlsHandshaker(QuicCryptoStream* stream, QuicSession* session);
   TlsHandshaker(const TlsHandshaker&) = delete;
   TlsHandshaker& operator=(const TlsHandshaker&) = delete;

   ~TlsHandshaker() override;

   // From CryptoMessageParser
   bool ProcessInput(absl::string_view input, EncryptionLevel level) override;
   size_t InputBytesRemaining() const override { return 0; }
   QuicErrorCode error() const override { return parser_error_; }
   const std::string& error_detail() const override {
     return parser_error_detail_;
   }

   // The following methods provide implementations to subclasses of
   // TlsHandshaker which use them to implement methods of QuicCryptoStream.
   CryptoMessageParser* crypto_message_parser() { return this; }
   size_t BufferSizeLimitForLevel(EncryptionLevel level) const;
   ssl_early_data_reason_t EarlyDataReason() const;
   std::unique_ptr<QuicDecrypter> AdvanceKeysAndCreateCurrentOneRttDecrypter();
   std::unique_ptr<QuicEncrypter> CreateCurrentOneRttEncrypter();
   virtual HandshakeState GetHandshakeState() const = 0;

  protected:
   // Called when a new message is received on the crypto stream and is available
   // for the TLS stack to read.
   void AdvanceHandshake();

   void CloseConnection(QuicErrorCode error, const std::string& reason_phrase);

   void OnConnectionClosed(QuicErrorCode error, ConnectionCloseSource source);

   bool is_connection_closed() const { return is_connection_closed_; }

   // Called when |SSL_do_handshake| returns 1, indicating that the handshake has
   // finished. Note that due to 0-RTT, the handshake may "finish" twice;
   // |SSL_in_early_data| can be used to determine whether the handshake is truly
   // done.
   virtual void FinishHandshake() = 0;

   // Called when a handshake message is received after the handshake is
   // complete.
   virtual void ProcessPostHandshakeMessage() = 0;

   // Called when an unexpected error code is received from |SSL_get_error|. If a
   // subclass can expect more than just a single error (as provided by
   // |set_expected_ssl_error|), it can override this method to handle that case.
   virtual bool ShouldCloseConnectionOnUnexpectedError(int ssl_error);

   void set_expected_ssl_error(int ssl_error) {
     expected_ssl_error_ = ssl_error;
   }
   int expected_ssl_error() const { return expected_ssl_error_; }

   // Returns the PRF used by the cipher suite negotiated in the TLS handshake.
   const EVP_MD* Prf(const SSL_CIPHER* cipher);

   virtual const TlsConnection* tls_connection() const = 0;

   SSL* ssl() const { return tls_connection()->ssl(); }

   QuicCryptoStream* stream() { return stream_; }
   HandshakerDelegateInterface* handshaker_delegate() {
     return handshaker_delegate_;
   }

   // SetWriteSecret provides the encryption secret used to encrypt messages at
   // encryption level |level|. The secret provided here is the one from the TLS
   // 1.3 key schedule (RFC 8446 section 7.1), in particular the handshake
   // traffic secrets and application traffic secrets. The provided write secret
   // must be used with the provided cipher suite |cipher|.
   void SetWriteSecret(EncryptionLevel level,
                       const SSL_CIPHER* cipher,
                       const std::vector<uint8_t>& write_secret) override;

   // SetReadSecret is similar to SetWriteSecret, except that it is used for
   // decrypting messages. SetReadSecret at a particular level is always called
   // after SetWriteSecret for that level, except for ENCRYPTION_ZERO_RTT, where
   // the EncryptionLevel for SetWriteSecret is ENCRYPTION_FORWARD_SECURE.
   bool SetReadSecret(EncryptionLevel level,
                      const SSL_CIPHER* cipher,
                      const std::vector<uint8_t>& read_secret) override;

   // WriteMessage is called when there is |data| from the TLS stack ready for
   // the QUIC stack to write in a crypto frame. The data must be transmitted at
   // encryption level |level|.
   void WriteMessage(EncryptionLevel level, absl::string_view data) override;

   // FlushFlight is called to signal that the current flight of
   // messages have all been written (via calls to WriteMessage) and can be
   // flushed to the underlying transport.
   void FlushFlight() override;

   // SendAlert causes this TlsHandshaker to close the QUIC connection with an
   // error code corresponding to the TLS alert description |desc|.
   void SendAlert(EncryptionLevel level, uint8_t desc) override;

  private:
   int expected_ssl_error_ = SSL_ERROR_WANT_READ;
   bool is_connection_closed_ = false;

   QuicCryptoStream* stream_;
   HandshakerDelegateInterface* handshaker_delegate_;

   QuicErrorCode parser_error_ = QUIC_NO_ERROR;
   std::string parser_error_detail_;

   // The most recently derived 1-RTT read and write secrets, which are updated
   // on each key update.
   std::vector<uint8_t> latest_read_secret_;
   std::vector<uint8_t> latest_write_secret_;
   // 1-RTT header protection keys, which are not changed during key update.
   std::vector<uint8_t> one_rtt_read_header_protection_key_;
   std::vector<uint8_t> one_rtt_write_header_protection_key_;
 };

 }  // namespace quic

 #endif  // QUICHE_QUIC_CORE_TLS_HANDSHAKER_H_
	// Copyright (c) 2017 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef QUICHE_QUIC_CORE_TLS_HANDSHAKER_H_
	#define QUICHE_QUIC_CORE_TLS_HANDSHAKER_H_

	#include "absl/strings/string_view.h"
	#include "third_party/boringssl/src/include/openssl/base.h"
	#include "third_party/boringssl/src/include/openssl/ssl.h"
	#include "net/third_party/quiche/src/quic/core/crypto/crypto_handshake.h"
	#include "net/third_party/quiche/src/quic/core/crypto/crypto_message_parser.h"
	#include "net/third_party/quiche/src/quic/core/crypto/quic_decrypter.h"
	#include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
	#include "net/third_party/quiche/src/quic/core/crypto/tls_connection.h"
	#include "net/third_party/quiche/src/quic/core/quic_session.h"
	#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"

	namespace quic {

	class QuicCryptoStream;

	// Base class for TlsClientHandshaker and TlsServerHandshaker. TlsHandshaker
	// provides functionality common to both the client and server, such as moving
	// messages between the TLS stack and the QUIC crypto stream, and handling
	// derivation of secrets.
	class QUIC_EXPORT_PRIVATE TlsHandshaker : public TlsConnection::Delegate,
	public CryptoMessageParser {
	public:
	// TlsHandshaker does not take ownership of any of its arguments; they must
	// outlive the TlsHandshaker.
	TlsHandshaker(QuicCryptoStream* stream, QuicSession* session);
	TlsHandshaker(const TlsHandshaker&) = delete;
	TlsHandshaker& operator=(const TlsHandshaker&) = delete;

	~TlsHandshaker() override;

	// From CryptoMessageParser
	bool ProcessInput(absl::string_view input, EncryptionLevel level) override;
	size_t InputBytesRemaining() const override { return 0; }
	QuicErrorCode error() const override { return parser_error_; }
	const std::string& error_detail() const override {
	return parser_error_detail_;
	}

	// The following methods provide implementations to subclasses of
	// TlsHandshaker which use them to implement methods of QuicCryptoStream.
	CryptoMessageParser* crypto_message_parser() { return this; }
	size_t BufferSizeLimitForLevel(EncryptionLevel level) const;
	ssl_early_data_reason_t EarlyDataReason() const;
	std::unique_ptr<QuicDecrypter> AdvanceKeysAndCreateCurrentOneRttDecrypter();
	std::unique_ptr<QuicEncrypter> CreateCurrentOneRttEncrypter();
	virtual HandshakeState GetHandshakeState() const = 0;

	protected:
	// Called when a new message is received on the crypto stream and is available
	// for the TLS stack to read.
	void AdvanceHandshake();

	void CloseConnection(QuicErrorCode error, const std::string& reason_phrase);

	void OnConnectionClosed(QuicErrorCode error, ConnectionCloseSource source);

	bool is_connection_closed() const { return is_connection_closed_; }

	// Called when \|SSL_do_handshake\| returns 1, indicating that the handshake has
	// finished. Note that due to 0-RTT, the handshake may "finish" twice;
	// \|SSL_in_early_data\| can be used to determine whether the handshake is truly
	// done.
	virtual void FinishHandshake() = 0;

	// Called when a handshake message is received after the handshake is
	// complete.
	virtual void ProcessPostHandshakeMessage() = 0;

	// Called when an unexpected error code is received from \|SSL_get_error\|. If a
	// subclass can expect more than just a single error (as provided by
	// \|set_expected_ssl_error\|), it can override this method to handle that case.
	virtual bool ShouldCloseConnectionOnUnexpectedError(int ssl_error);

	void set_expected_ssl_error(int ssl_error) {
	expected_ssl_error_ = ssl_error;
	}
	int expected_ssl_error() const { return expected_ssl_error_; }

	// Returns the PRF used by the cipher suite negotiated in the TLS handshake.
	const EVP_MD* Prf(const SSL_CIPHER* cipher);

	virtual const TlsConnection* tls_connection() const = 0;

	SSL* ssl() const { return tls_connection()->ssl(); }

	QuicCryptoStream* stream() { return stream_; }
	HandshakerDelegateInterface* handshaker_delegate() {
	return handshaker_delegate_;
	}

	// SetWriteSecret provides the encryption secret used to encrypt messages at
	// encryption level \|level\|. The secret provided here is the one from the TLS
	// 1.3 key schedule (RFC 8446 section 7.1), in particular the handshake
	// traffic secrets and application traffic secrets. The provided write secret
	// must be used with the provided cipher suite \|cipher\|.
	void SetWriteSecret(EncryptionLevel level,
	const SSL_CIPHER* cipher,
	const std::vector<uint8_t>& write_secret) override;

	// SetReadSecret is similar to SetWriteSecret, except that it is used for
	// decrypting messages. SetReadSecret at a particular level is always called
	// after SetWriteSecret for that level, except for ENCRYPTION_ZERO_RTT, where
	// the EncryptionLevel for SetWriteSecret is ENCRYPTION_FORWARD_SECURE.
	bool SetReadSecret(EncryptionLevel level,
	const SSL_CIPHER* cipher,
	const std::vector<uint8_t>& read_secret) override;

	// WriteMessage is called when there is \|data\| from the TLS stack ready for
	// the QUIC stack to write in a crypto frame. The data must be transmitted at
	// encryption level \|level\|.
	void WriteMessage(EncryptionLevel level, absl::string_view data) override;

	// FlushFlight is called to signal that the current flight of
	// messages have all been written (via calls to WriteMessage) and can be
	// flushed to the underlying transport.
	void FlushFlight() override;

	// SendAlert causes this TlsHandshaker to close the QUIC connection with an
	// error code corresponding to the TLS alert description \|desc\|.
	void SendAlert(EncryptionLevel level, uint8_t desc) override;

	private:
	int expected_ssl_error_ = SSL_ERROR_WANT_READ;
	bool is_connection_closed_ = false;

	QuicCryptoStream* stream_;
	HandshakerDelegateInterface* handshaker_delegate_;

	QuicErrorCode parser_error_ = QUIC_NO_ERROR;
	std::string parser_error_detail_;

	// The most recently derived 1-RTT read and write secrets, which are updated
	// on each key update.
	std::vector<uint8_t> latest_read_secret_;
	std::vector<uint8_t> latest_write_secret_;
	// 1-RTT header protection keys, which are not changed during key update.
	std::vector<uint8_t> one_rtt_read_header_protection_key_;
	std::vector<uint8_t> one_rtt_write_header_protection_key_;
	};

	} // namespace quic

	#endif // QUICHE_QUIC_CORE_TLS_HANDSHAKER_H_