quic/core/tls_handshaker.cc - quiche - Git at Google

 // Copyright (c) 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "net/third_party/quiche/src/quic/core/tls_handshaker.h"

 #include "absl/strings/string_view.h"
 #include "third_party/boringssl/src/include/openssl/crypto.h"
 #include "third_party/boringssl/src/include/openssl/ssl.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_stream.h"
 #include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/common/platform/api/quiche_arraysize.h"
 #include "net/third_party/quiche/src/common/platform/api/quiche_str_cat.h"

 namespace quic {

 TlsHandshaker::TlsHandshaker(QuicCryptoStream* stream, QuicSession* session)
     : stream_(stream), handshaker_delegate_(session) {}

 TlsHandshaker::~TlsHandshaker() {}

 bool TlsHandshaker::ProcessInput(absl::string_view input,
                                  EncryptionLevel level) {
   if (parser_error_ != QUIC_NO_ERROR) {
     return false;
   }
   // TODO(nharper): Call SSL_quic_read_level(ssl()) and check whether the
   // encryption level BoringSSL expects matches the encryption level that we
   // just received input at. If they mismatch, should ProcessInput return true
   // or false? If data is for a future encryption level, it should be queued for
   // later?
   if (SSL_provide_quic_data(ssl(), TlsConnection::BoringEncryptionLevel(level),
                             reinterpret_cast<const uint8_t*>(input.data()),
                             input.size()) != 1) {
     // SSL_provide_quic_data can fail for 3 reasons:
     // - API misuse (calling it before SSL_set_custom_quic_method, which we
     //   call in the TlsHandshaker c'tor)
     // - Memory exhaustion when appending data to its buffer
     // - Data provided at the wrong encryption level
     //
     // Of these, the only sensible error to handle is data provided at the wrong
     // encryption level.
     //
     // Note: the error provided below has a good-sounding enum value, although
     // it doesn't match the description as it's a QUIC Crypto specific error.
     parser_error_ = QUIC_INVALID_CRYPTO_MESSAGE_TYPE;
     parser_error_detail_ = "TLS stack failed to receive data";
     return false;
   }
   AdvanceHandshake();
   return true;
 }

 size_t TlsHandshaker::BufferSizeLimitForLevel(EncryptionLevel level) const {
   return SSL_quic_max_handshake_flight_len(
       ssl(), TlsConnection::BoringEncryptionLevel(level));
 }

 ssl_early_data_reason_t TlsHandshaker::EarlyDataReason() const {
   return SSL_get_early_data_reason(ssl());
 }

 const EVP_MD* TlsHandshaker::Prf(const SSL_CIPHER* cipher) {
   return EVP_get_digestbynid(SSL_CIPHER_get_prf_nid(cipher));
 }

 void TlsHandshaker::SetWriteSecret(EncryptionLevel level,
                                    const SSL_CIPHER* cipher,
                                    const std::vector<uint8_t>& write_secret) {
   QUIC_DVLOG(1) << "SetWriteSecret level=" << level;
   std::unique_ptr<QuicEncrypter> encrypter =
       QuicEncrypter::CreateFromCipherSuite(SSL_CIPHER_get_id(cipher));
   const EVP_MD* prf = Prf(cipher);
   CryptoUtils::SetKeyAndIV(prf, write_secret, encrypter.get());
   std::vector<uint8_t> header_protection_key =
       CryptoUtils::GenerateHeaderProtectionKey(prf, write_secret,
                                                encrypter->GetKeySize());
   encrypter->SetHeaderProtectionKey(
       absl::string_view(reinterpret_cast<char*>(header_protection_key.data()),
                         header_protection_key.size()));
   if (level == ENCRYPTION_FORWARD_SECURE) {
     DCHECK(latest_write_secret_.empty());
     latest_write_secret_ = write_secret;
     one_rtt_write_header_protection_key_ = header_protection_key;
   }
   handshaker_delegate_->OnNewEncryptionKeyAvailable(level,
                                                     std::move(encrypter));
 }

 bool TlsHandshaker::SetReadSecret(EncryptionLevel level,
                                   const SSL_CIPHER* cipher,
                                   const std::vector<uint8_t>& read_secret) {
   QUIC_DVLOG(1) << "SetReadSecret level=" << level;
   std::unique_ptr<QuicDecrypter> decrypter =
       QuicDecrypter::CreateFromCipherSuite(SSL_CIPHER_get_id(cipher));
   const EVP_MD* prf = Prf(cipher);
   CryptoUtils::SetKeyAndIV(prf, read_secret, decrypter.get());
   std::vector<uint8_t> header_protection_key =
       CryptoUtils::GenerateHeaderProtectionKey(prf, read_secret,
                                                decrypter->GetKeySize());
   decrypter->SetHeaderProtectionKey(
       absl::string_view(reinterpret_cast<char*>(header_protection_key.data()),
                         header_protection_key.size()));
   if (level == ENCRYPTION_FORWARD_SECURE) {
     DCHECK(latest_read_secret_.empty());
     latest_read_secret_ = read_secret;
     one_rtt_read_header_protection_key_ = header_protection_key;
   }
   return handshaker_delegate_->OnNewDecryptionKeyAvailable(
       level, std::move(decrypter),
       /*set_alternative_decrypter=*/false,
       /*latch_once_used=*/false);
 }

 std::unique_ptr<QuicDecrypter>
 TlsHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter() {
   if (latest_read_secret_.empty() || latest_write_secret_.empty() ||
       one_rtt_read_header_protection_key_.empty() ||
       one_rtt_write_header_protection_key_.empty()) {
     std::string error_details = "1-RTT secret(s) not set yet.";
     QUIC_BUG << error_details;
     CloseConnection(QUIC_INTERNAL_ERROR, error_details);
     return nullptr;
   }
   const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
   const EVP_MD* prf = Prf(cipher);
   latest_read_secret_ =
       CryptoUtils::GenerateNextKeyPhaseSecret(prf, latest_read_secret_);
   latest_write_secret_ =
       CryptoUtils::GenerateNextKeyPhaseSecret(prf, latest_write_secret_);

   std::unique_ptr<QuicDecrypter> decrypter =
       QuicDecrypter::CreateFromCipherSuite(SSL_CIPHER_get_id(cipher));
   CryptoUtils::SetKeyAndIV(prf, latest_read_secret_, decrypter.get());
   decrypter->SetHeaderProtectionKey(absl::string_view(
       reinterpret_cast<char*>(one_rtt_read_header_protection_key_.data()),
       one_rtt_read_header_protection_key_.size()));

   return decrypter;
 }

 std::unique_ptr<QuicEncrypter> TlsHandshaker::CreateCurrentOneRttEncrypter() {
   if (latest_write_secret_.empty() ||
       one_rtt_write_header_protection_key_.empty()) {
     std::string error_details = "1-RTT write secret not set yet.";
     QUIC_BUG << error_details;
     CloseConnection(QUIC_INTERNAL_ERROR, error_details);
     return nullptr;
   }
   const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
   std::unique_ptr<QuicEncrypter> encrypter =
       QuicEncrypter::CreateFromCipherSuite(SSL_CIPHER_get_id(cipher));
   CryptoUtils::SetKeyAndIV(Prf(cipher), latest_write_secret_, encrypter.get());
   encrypter->SetHeaderProtectionKey(absl::string_view(
       reinterpret_cast<char*>(one_rtt_write_header_protection_key_.data()),
       one_rtt_write_header_protection_key_.size()));
   return encrypter;
 }

 void TlsHandshaker::WriteMessage(EncryptionLevel level,
                                  absl::string_view data) {
   stream_->WriteCryptoData(level, data);
 }

 void TlsHandshaker::FlushFlight() {}

 void TlsHandshaker::SendAlert(EncryptionLevel level, uint8_t desc) {
   // TODO(b/151676147): Alerts should be sent on the wire as a varint QUIC error
   // code computed to be 0x100 | desc (draft-ietf-quic-tls-27, section 4.9).
   // This puts it in the range reserved for CRYPTO_ERROR
   // (draft-ietf-quic-transport-27, section 20). However, according to
   // quic_error_codes.h, this QUIC implementation only sends 1-byte error codes
   // right now.
   std::string error_details = quiche::QuicheStrCat(
       "TLS handshake failure (", EncryptionLevelToString(level), ") ",
       static_cast<int>(desc), ": ", SSL_alert_desc_string_long(desc));
   QUIC_DLOG(ERROR) << error_details;
   CloseConnection(QUIC_HANDSHAKE_FAILED, error_details);
 }

 }  // namespace quic
	// Copyright (c) 2017 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "net/third_party/quiche/src/quic/core/tls_handshaker.h"

	#include "absl/strings/string_view.h"
	#include "third_party/boringssl/src/include/openssl/crypto.h"
	#include "third_party/boringssl/src/include/openssl/ssl.h"
	#include "net/third_party/quiche/src/quic/core/quic_crypto_stream.h"
	#include "net/third_party/quiche/src/quic/core/tls_client_handshaker.h"
	#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
	#include "net/third_party/quiche/src/common/platform/api/quiche_arraysize.h"
	#include "net/third_party/quiche/src/common/platform/api/quiche_str_cat.h"

	namespace quic {

	TlsHandshaker::TlsHandshaker(QuicCryptoStream* stream, QuicSession* session)
	: stream_(stream), handshaker_delegate_(session) {}

	TlsHandshaker::~TlsHandshaker() {}

	bool TlsHandshaker::ProcessInput(absl::string_view input,
	EncryptionLevel level) {
	if (parser_error_ != QUIC_NO_ERROR) {
	return false;
	}
	// TODO(nharper): Call SSL_quic_read_level(ssl()) and check whether the
	// encryption level BoringSSL expects matches the encryption level that we
	// just received input at. If they mismatch, should ProcessInput return true
	// or false? If data is for a future encryption level, it should be queued for
	// later?
	if (SSL_provide_quic_data(ssl(), TlsConnection::BoringEncryptionLevel(level),
	reinterpret_cast<const uint8_t*>(input.data()),
	input.size()) != 1) {
	// SSL_provide_quic_data can fail for 3 reasons:
	// - API misuse (calling it before SSL_set_custom_quic_method, which we
	// call in the TlsHandshaker c'tor)
	// - Memory exhaustion when appending data to its buffer
	// - Data provided at the wrong encryption level
	//
	// Of these, the only sensible error to handle is data provided at the wrong
	// encryption level.
	//
	// Note: the error provided below has a good-sounding enum value, although
	// it doesn't match the description as it's a QUIC Crypto specific error.
	parser_error_ = QUIC_INVALID_CRYPTO_MESSAGE_TYPE;
	parser_error_detail_ = "TLS stack failed to receive data";
	return false;
	}
	AdvanceHandshake();
	return true;
	}

	size_t TlsHandshaker::BufferSizeLimitForLevel(EncryptionLevel level) const {
	return SSL_quic_max_handshake_flight_len(
	ssl(), TlsConnection::BoringEncryptionLevel(level));
	}

	ssl_early_data_reason_t TlsHandshaker::EarlyDataReason() const {
	return SSL_get_early_data_reason(ssl());
	}

	const EVP_MD* TlsHandshaker::Prf(const SSL_CIPHER* cipher) {
	return EVP_get_digestbynid(SSL_CIPHER_get_prf_nid(cipher));
	}

	void TlsHandshaker::SetWriteSecret(EncryptionLevel level,
	const SSL_CIPHER* cipher,
	const std::vector<uint8_t>& write_secret) {
	QUIC_DVLOG(1) << "SetWriteSecret level=" << level;
	std::unique_ptr<QuicEncrypter> encrypter =
	QuicEncrypter::CreateFromCipherSuite(SSL_CIPHER_get_id(cipher));
	const EVP_MD* prf = Prf(cipher);
	CryptoUtils::SetKeyAndIV(prf, write_secret, encrypter.get());
	std::vector<uint8_t> header_protection_key =
	CryptoUtils::GenerateHeaderProtectionKey(prf, write_secret,
	encrypter->GetKeySize());
	encrypter->SetHeaderProtectionKey(
	absl::string_view(reinterpret_cast<char*>(header_protection_key.data()),
	header_protection_key.size()));
	if (level == ENCRYPTION_FORWARD_SECURE) {
	DCHECK(latest_write_secret_.empty());
	latest_write_secret_ = write_secret;
	one_rtt_write_header_protection_key_ = header_protection_key;
	}
	handshaker_delegate_->OnNewEncryptionKeyAvailable(level,
	std::move(encrypter));
	}

	bool TlsHandshaker::SetReadSecret(EncryptionLevel level,
	const SSL_CIPHER* cipher,
	const std::vector<uint8_t>& read_secret) {
	QUIC_DVLOG(1) << "SetReadSecret level=" << level;
	std::unique_ptr<QuicDecrypter> decrypter =
	QuicDecrypter::CreateFromCipherSuite(SSL_CIPHER_get_id(cipher));
	const EVP_MD* prf = Prf(cipher);
	CryptoUtils::SetKeyAndIV(prf, read_secret, decrypter.get());
	std::vector<uint8_t> header_protection_key =
	CryptoUtils::GenerateHeaderProtectionKey(prf, read_secret,
	decrypter->GetKeySize());
	decrypter->SetHeaderProtectionKey(
	absl::string_view(reinterpret_cast<char*>(header_protection_key.data()),
	header_protection_key.size()));
	if (level == ENCRYPTION_FORWARD_SECURE) {
	DCHECK(latest_read_secret_.empty());
	latest_read_secret_ = read_secret;
	one_rtt_read_header_protection_key_ = header_protection_key;
	}
	return handshaker_delegate_->OnNewDecryptionKeyAvailable(
	level, std::move(decrypter),
	/set_alternative_decrypter=/false,
	/latch_once_used=/false);
	}

	std::unique_ptr<QuicDecrypter>
	TlsHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter() {
	if (latest_read_secret_.empty() \|\| latest_write_secret_.empty() \|\|
	one_rtt_read_header_protection_key_.empty() \|\|
	one_rtt_write_header_protection_key_.empty()) {
	std::string error_details = "1-RTT secret(s) not set yet.";
	QUIC_BUG << error_details;
	CloseConnection(QUIC_INTERNAL_ERROR, error_details);
	return nullptr;
	}
	const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
	const EVP_MD* prf = Prf(cipher);
	latest_read_secret_ =
	CryptoUtils::GenerateNextKeyPhaseSecret(prf, latest_read_secret_);
	latest_write_secret_ =
	CryptoUtils::GenerateNextKeyPhaseSecret(prf, latest_write_secret_);

	std::unique_ptr<QuicDecrypter> decrypter =
	QuicDecrypter::CreateFromCipherSuite(SSL_CIPHER_get_id(cipher));
	CryptoUtils::SetKeyAndIV(prf, latest_read_secret_, decrypter.get());
	decrypter->SetHeaderProtectionKey(absl::string_view(
	reinterpret_cast<char*>(one_rtt_read_header_protection_key_.data()),
	one_rtt_read_header_protection_key_.size()));

	return decrypter;
	}

	std::unique_ptr<QuicEncrypter> TlsHandshaker::CreateCurrentOneRttEncrypter() {
	if (latest_write_secret_.empty() \|\|
	one_rtt_write_header_protection_key_.empty()) {
	std::string error_details = "1-RTT write secret not set yet.";
	QUIC_BUG << error_details;
	CloseConnection(QUIC_INTERNAL_ERROR, error_details);
	return nullptr;
	}
	const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
	std::unique_ptr<QuicEncrypter> encrypter =
	QuicEncrypter::CreateFromCipherSuite(SSL_CIPHER_get_id(cipher));
	CryptoUtils::SetKeyAndIV(Prf(cipher), latest_write_secret_, encrypter.get());
	encrypter->SetHeaderProtectionKey(absl::string_view(
	reinterpret_cast<char*>(one_rtt_write_header_protection_key_.data()),
	one_rtt_write_header_protection_key_.size()));
	return encrypter;
	}

	void TlsHandshaker::WriteMessage(EncryptionLevel level,
	absl::string_view data) {
	stream_->WriteCryptoData(level, data);
	}

	void TlsHandshaker::FlushFlight() {}

	void TlsHandshaker::SendAlert(EncryptionLevel level, uint8_t desc) {
	// TODO(b/151676147): Alerts should be sent on the wire as a varint QUIC error
	// code computed to be 0x100 \| desc (draft-ietf-quic-tls-27, section 4.9).
	// This puts it in the range reserved for CRYPTO_ERROR
	// (draft-ietf-quic-transport-27, section 20). However, according to
	// quic_error_codes.h, this QUIC implementation only sends 1-byte error codes
	// right now.
	std::string error_details = quiche::QuicheStrCat(
	"TLS handshake failure (", EncryptionLevelToString(level), ") ",
	static_cast<int>(desc), ": ", SSL_alert_desc_string_long(desc));
	QUIC_DLOG(ERROR) << error_details;
	CloseConnection(QUIC_HANDSHAKE_FAILED, error_details);
	}

	} // namespace quic