Refactor TlsHandshaker classes

QuicCryptoClientConfig and QuicCryptoServerConfig each own an SSL_CTX,
which is currently created by TlsHandshaker. Those crypto config classes
can't take a dependency on TlsHandshaker (because TlsHandshaker depends on those
classes, so that would be a dependency in the other direction), resulting in the SSL_CTX
being passed into the crypto config constructors. The SSL_CTX shouldn't be
exposed like this, as it's essentially an implementation detail of the
crypto handshake.

This CL splits TlsHandshaker in two. TlsConnection (and its subclasses) are
in quic/core/crypto, and handle the callbacks from BoringSSL. In turn, it
passes the implementation of those callbacks to a delegate. TlsHandshaker
implements this delegate and owns the TlsConnection.

gfe-relnote: refactor TLS handshake classes in QUIC; not flag protected
PiperOrigin-RevId: 253140899
Change-Id: Ie907a7f61798c29a385be15ea0f53403b86508ab
diff --git a/quic/core/crypto/tls_client_connection.h b/quic/core/crypto/tls_client_connection.h
new file mode 100644
index 0000000..c741389
--- /dev/null
+++ b/quic/core/crypto/tls_client_connection.h
@@ -0,0 +1,51 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_CRYPTO_TLS_CLIENT_CONNECTION_H_
+#define QUICHE_QUIC_CORE_CRYPTO_TLS_CLIENT_CONNECTION_H_
+
+#include "net/third_party/quiche/src/quic/core/crypto/tls_connection.h"
+
+namespace quic {
+
+// TlsClientConnection receives calls for client-specific BoringSSL callbacks
+// and calls its Delegate for the implementation of those callbacks.
+class TlsClientConnection : public TlsConnection {
+ public:
+  // A TlsClientConnection::Delegate implements the client-specific methods that
+  // are set as callbacks for an SSL object.
+  class Delegate {
+   public:
+    virtual ~Delegate() {}
+
+   protected:
+    // Verifies the peer's certificate chain. It may use
+    // SSL_get0_peer_certificates to get the cert chain. This method returns
+    // ssl_verify_ok if the cert is valid, ssl_verify_invalid if it is invalid,
+    // or ssl_verify_retry if verification is happening asynchronously.
+    virtual enum ssl_verify_result_t VerifyCert(uint8_t* out_alert) = 0;
+
+    // Provides the delegate for callbacks that are shared between client and
+    // server.
+    virtual TlsConnection::Delegate* ConnectionDelegate() = 0;
+
+    friend class TlsClientConnection;
+  };
+
+  TlsClientConnection(SSL_CTX* ssl_ctx, Delegate* delegate);
+
+  // Creates and configures an SSL_CTX that is appropriate for clients to use.
+  static bssl::UniquePtr<SSL_CTX> CreateSslCtx();
+
+ private:
+  // Registered as the callback for SSL_CTX_set_custom_verify. The
+  // implementation is delegated to Delegate::VerifyCert.
+  static enum ssl_verify_result_t VerifyCallback(SSL* ssl, uint8_t* out_alert);
+
+  Delegate* delegate_;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_CRYPTO_TLS_CLIENT_CONNECTION_H_
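Review bot: The ownership and lifetime of `delegate_` are undocumented in the new header, and since VerifyCallback forwards certificate verification to it, a delegate destroyed before the connection would turn the verify path into a use-after-free; the member and the constructor should carry `// Not owned; the Delegate must outlive this TlsClientConnection.`. The `out_alert` parameter of VerifyCert is also undocumented, and the comment should state that, per BoringSSL's custom-verify contract, an implementation returning ssl_verify_invalid sets `*out_alert` to the alert to send, and that an implementation returning ssl_verify_ok is the only check between an unverified peer certificate and a completed handshake, so chain and hostname validation belong there. The header uses `uint8_t`, `SSL`, `SSL_CTX` and `bssl::UniquePtr` but includes only tls_connection.h; adding `<cstdint>` and the BoringSSL ssl.h header that declares these would make it self-contained instead of relying on a transitive include. Minor: `virtual ~Delegate() {}` can be `virtual ~Delegate() = default;`.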