Refactor TlsHandshaker classes
QuicCryptoClientConfig and QuicCryptoServerConfig each own an SSL_CTX,
which is currently created by TlsHandshaker. Those crypto config classes
can't take a dependency on TlsHandshaker (because TlsHandshaker depends on
classes have a dependency in the other direction), resulting in the SSL_CTX
being passed into the crypto config constructors. The SSL_CTX shouldn't be
exposed like this, as it's essentially an implementation detail of the
crypto handshake.
This CL splits TlsHandshaker in two. TlsConnection (and its subclasses) are
in quic/core/crypto, and handle the callbacks from BoringSSL. In turn, it
passes the implementation of those callbacks to a delegate. TlsHandshaker
implements this delegate and owns the TlsConnection.
gfe-relnote: refactor TLS handshake classes in QUIC; not flag protected
PiperOrigin-RevId: 253140899
Change-Id: Ie907a7f61798c29a385be15ea0f53403b86508ab
diff --git a/quic/core/tls_server_handshaker.cc b/quic/core/tls_server_handshaker.cc
index ca56e4d..fdda21f 100644
--- a/quic/core/tls_server_handshaker.cc
+++ b/quic/core/tls_server_handshaker.cc
@@ -40,20 +40,9 @@
handshaker_ = nullptr;
}
-const SSL_PRIVATE_KEY_METHOD TlsServerHandshaker::kPrivateKeyMethod{
- &TlsServerHandshaker::PrivateKeySign,
- nullptr, // decrypt
- &TlsServerHandshaker::PrivateKeyComplete,
-};
-
// static
bssl::UniquePtr<SSL_CTX> TlsServerHandshaker::CreateSslCtx() {
- bssl::UniquePtr<SSL_CTX> ssl_ctx = TlsHandshaker::CreateSslCtx();
- SSL_CTX_set_tlsext_servername_callback(
- ssl_ctx.get(), TlsServerHandshaker::SelectCertificateCallback);
- SSL_CTX_set_alpn_select_cb(ssl_ctx.get(),
- TlsServerHandshaker::SelectAlpnCallback, nullptr);
- return ssl_ctx;
+ return TlsServerConnection::CreateSslCtx();
}
TlsServerHandshaker::TlsServerHandshaker(QuicCryptoStream* stream,
@@ -62,7 +51,8 @@
ProofSource* proof_source)
: TlsHandshaker(stream, session, ssl_ctx),
proof_source_(proof_source),
- crypto_negotiated_params_(new QuicCryptoNegotiatedParameters) {
+ crypto_negotiated_params_(new QuicCryptoNegotiatedParameters),
+ tls_connection_(ssl_ctx, this) {
DCHECK_EQ(PROTOCOL_TLS1_3,
session->connection()->version().handshake_protocol);
CrypterPair crypters;
@@ -264,25 +254,6 @@
handshake_confirmed_ = true;
}
-// static
-TlsServerHandshaker* TlsServerHandshaker::HandshakerFromSsl(SSL* ssl) {
- return static_cast<TlsServerHandshaker*>(
- TlsHandshaker::HandshakerFromSsl(ssl));
-}
-
-// static
-ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign(SSL* ssl,
- uint8_t* out,
- size_t* out_len,
- size_t max_out,
- uint16_t sig_alg,
- const uint8_t* in,
- size_t in_len) {
- return HandshakerFromSsl(ssl)->PrivateKeySign(
- out, out_len, max_out, sig_alg,
- QuicStringPiece(reinterpret_cast<const char*>(in), in_len));
-}
-
ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign(
uint8_t* out,
size_t* out_len,
@@ -300,15 +271,6 @@
return ssl_private_key_retry;
}
-// static
-ssl_private_key_result_t TlsServerHandshaker::PrivateKeyComplete(
- SSL* ssl,
- uint8_t* out,
- size_t* out_len,
- size_t max_out) {
- return HandshakerFromSsl(ssl)->PrivateKeyComplete(out, out_len, max_out);
-}
-
ssl_private_key_result_t TlsServerHandshaker::PrivateKeyComplete(
uint8_t* out,
size_t* out_len,
@@ -326,13 +288,6 @@
return ssl_private_key_success;
}
-// static
-int TlsServerHandshaker::SelectCertificateCallback(SSL* ssl,
- int* out_alert,
- void* arg) {
- return HandshakerFromSsl(ssl)->SelectCertificate(out_alert);
-}
-
int TlsServerHandshaker::SelectCertificate(int* out_alert) {
const char* hostname = SSL_get_servername(ssl(), TLSEXT_NAMETYPE_host_name);
if (hostname) {
@@ -357,8 +312,7 @@
chain->certs[i].length(), nullptr);
}
- SSL_set_chain_and_key(ssl(), certs.data(), certs.size(), nullptr,
- &kPrivateKeyMethod);
+ tls_connection_.SetCertChain(certs);
for (size_t i = 0; i < certs.size(); i++) {
CRYPTO_BUFFER_free(certs[i]);
@@ -375,16 +329,6 @@
return SSL_TLSEXT_ERR_OK;
}
-// static
-int TlsServerHandshaker::SelectAlpnCallback(SSL* ssl,
- const uint8_t** out,
- uint8_t* out_len,
- const uint8_t* in,
- unsigned in_len,
- void* arg) {
- return HandshakerFromSsl(ssl)->SelectAlpn(out, out_len, in, in_len);
-}
-
int TlsServerHandshaker::SelectAlpn(const uint8_t** out,
uint8_t* out_len,
const uint8_t* in,
