| // Copyright (c) 2017 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "quiche/quic/core/tls_server_handshaker.h" |
| |
| #include <cstddef> |
| #include <cstdint> |
| #include <cstring> |
| #include <memory> |
| #include <optional> |
| #include <string> |
| #include <utility> |
| #include <vector> |
| |
| #include "absl/status/status.h" |
| #include "absl/strings/str_cat.h" |
| #include "absl/strings/string_view.h" |
| #include "absl/types/span.h" |
| #include "absl/types/variant.h" |
| #include "openssl/base.h" |
| #include "openssl/bytestring.h" |
| #include "openssl/ssl.h" |
| #include "openssl/tls1.h" |
| #include "quiche/quic/core/crypto/crypto_handshake.h" |
| #include "quiche/quic/core/crypto/crypto_message_parser.h" |
| #include "quiche/quic/core/crypto/crypto_utils.h" |
| #include "quiche/quic/core/crypto/proof_source.h" |
| #include "quiche/quic/core/crypto/proof_verifier.h" |
| #include "quiche/quic/core/crypto/quic_crypto_server_config.h" |
| #include "quiche/quic/core/crypto/quic_decrypter.h" |
| #include "quiche/quic/core/crypto/quic_encrypter.h" |
| #include "quiche/quic/core/crypto/transport_parameters.h" |
| #include "quiche/quic/core/http/http_encoder.h" |
| #include "quiche/quic/core/http/http_frames.h" |
| #include "quiche/quic/core/quic_config.h" |
| #include "quiche/quic/core/quic_connection.h" |
| #include "quiche/quic/core/quic_connection_context.h" |
| #include "quiche/quic/core/quic_connection_id.h" |
| #include "quiche/quic/core/quic_connection_stats.h" |
| #include "quiche/quic/core/quic_crypto_server_stream_base.h" |
| #include "quiche/quic/core/quic_error_codes.h" |
| #include "quiche/quic/core/quic_session.h" |
| #include "quiche/quic/core/quic_time.h" |
| #include "quiche/quic/core/quic_time_accumulator.h" |
| #include "quiche/quic/core/quic_types.h" |
| #include "quiche/quic/core/quic_versions.h" |
| #include "quiche/quic/core/tls_handshaker.h" |
| #include "quiche/quic/platform/api/quic_bug_tracker.h" |
| #include "quiche/quic/platform/api/quic_flag_utils.h" |
| #include "quiche/quic/platform/api/quic_flags.h" |
| #include "quiche/quic/platform/api/quic_hostname_utils.h" |
| #include "quiche/quic/platform/api/quic_logging.h" |
| #include "quiche/quic/platform/api/quic_server_stats.h" |
| #include "quiche/quic/platform/api/quic_socket_address.h" |
| |
| #define RECORD_LATENCY_IN_US(stat_name, latency, comment) \ |
| do { \ |
| const int64_t latency_in_us = (latency).ToMicroseconds(); \ |
| QUIC_DVLOG(1) << "Recording " stat_name ": " << latency_in_us; \ |
| QUIC_SERVER_HISTOGRAM_COUNTS(stat_name, latency_in_us, 1, 10000000, 50, \ |
| comment); \ |
| } while (0) |
| |
| namespace quic { |
| |
| namespace { |
| |
| // Default port for HTTP/3. |
| uint16_t kDefaultPort = 443; |
| |
| } // namespace |
| |
| TlsServerHandshaker::DefaultProofSourceHandle::DefaultProofSourceHandle( |
| TlsServerHandshaker* handshaker, ProofSource* proof_source) |
| : handshaker_(handshaker), proof_source_(proof_source) {} |
| |
| TlsServerHandshaker::DefaultProofSourceHandle::~DefaultProofSourceHandle() { |
| CloseHandle(); |
| } |
| |
| void TlsServerHandshaker::DefaultProofSourceHandle::CloseHandle() { |
| QUIC_DVLOG(1) << "CloseHandle. is_signature_pending=" |
| << (signature_callback_ != nullptr); |
| if (signature_callback_) { |
| signature_callback_->Cancel(); |
| signature_callback_ = nullptr; |
| } |
| } |
| |
| QuicAsyncStatus |
| TlsServerHandshaker::DefaultProofSourceHandle::SelectCertificate( |
| const QuicSocketAddress& server_address, |
| const QuicSocketAddress& client_address, |
| const QuicConnectionId& /*original_connection_id*/, |
| absl::string_view /*ssl_capabilities*/, const std::string& hostname, |
| absl::string_view /*client_hello*/, const std::string& /*alpn*/, |
| std::optional<std::string> /*alps*/, |
| const std::vector<uint8_t>& /*quic_transport_params*/, |
| const std::optional<std::vector<uint8_t>>& /*early_data_context*/, |
| const QuicSSLConfig& /*ssl_config*/) { |
| if (!handshaker_ || !proof_source_) { |
| QUIC_BUG(quic_bug_10341_1) |
| << "SelectCertificate called on a detached handle"; |
| return QUIC_FAILURE; |
| } |
| |
| bool cert_matched_sni; |
| quiche::QuicheReferenceCountedPointer<ProofSource::Chain> chain = |
| proof_source_->GetCertChain(server_address, client_address, hostname, |
| &cert_matched_sni); |
| |
| handshaker_->OnSelectCertificateDone( |
| /*ok=*/true, /*is_sync=*/true, |
| ProofSourceHandleCallback::LocalSSLConfig{chain.get(), |
| QuicDelayedSSLConfig()}, |
| /*ticket_encryption_key=*/absl::string_view(), cert_matched_sni); |
| if (!handshaker_->select_cert_status().has_value()) { |
| QUIC_BUG(quic_bug_12423_1) |
| << "select_cert_status() has no value after a synchronous select cert"; |
| // Return success to continue the handshake. |
| return QUIC_SUCCESS; |
| } |
| return *handshaker_->select_cert_status(); |
| } |
| |
| QuicAsyncStatus TlsServerHandshaker::DefaultProofSourceHandle::ComputeSignature( |
| const QuicSocketAddress& server_address, |
| const QuicSocketAddress& client_address, const std::string& hostname, |
| uint16_t signature_algorithm, absl::string_view in, |
| size_t max_signature_size) { |
| if (!handshaker_ || !proof_source_) { |
| QUIC_BUG(quic_bug_10341_2) |
| << "ComputeSignature called on a detached handle"; |
| return QUIC_FAILURE; |
| } |
| |
| if (signature_callback_) { |
| QUIC_BUG(quic_bug_10341_3) << "ComputeSignature called while pending"; |
| return QUIC_FAILURE; |
| } |
| |
| signature_callback_ = new DefaultSignatureCallback(this); |
| proof_source_->ComputeTlsSignature( |
| server_address, client_address, hostname, signature_algorithm, in, |
| std::unique_ptr<DefaultSignatureCallback>(signature_callback_)); |
| |
| if (signature_callback_) { |
| QUIC_DVLOG(1) << "ComputeTlsSignature is pending"; |
| signature_callback_->set_is_sync(false); |
| return QUIC_PENDING; |
| } |
| |
| bool success = handshaker_->HasValidSignature(max_signature_size); |
| QUIC_DVLOG(1) << "ComputeTlsSignature completed synchronously. success:" |
| << success; |
| // OnComputeSignatureDone should have been called by signature_callback_->Run. |
| return success ? QUIC_SUCCESS : QUIC_FAILURE; |
| } |
| |
| TlsServerHandshaker::DecryptCallback::DecryptCallback( |
| TlsServerHandshaker* handshaker) |
| : handshaker_(handshaker) {} |
| |
| void TlsServerHandshaker::DecryptCallback::Run(std::vector<uint8_t> plaintext) { |
| if (handshaker_ == nullptr) { |
| // The callback was cancelled before we could run. |
| return; |
| } |
| |
| TlsServerHandshaker* handshaker = handshaker_; |
| handshaker_ = nullptr; |
| |
| handshaker->decrypted_session_ticket_ = std::move(plaintext); |
| const bool is_async = |
| (handshaker->expected_ssl_error() == SSL_ERROR_PENDING_TICKET); |
| |
| std::optional<QuicConnectionContextSwitcher> context_switcher; |
| |
| if (is_async) { |
| context_switcher.emplace(handshaker->connection_context()); |
| } |
| QUIC_TRACESTRING( |
| absl::StrCat("TLS ticket decryption done. len(decrypted_ticket):", |
| handshaker->decrypted_session_ticket_.size())); |
| |
| // DecryptCallback::Run could be called synchronously. When that happens, we |
| // are currently in the middle of a call to AdvanceHandshake. |
| // (AdvanceHandshake called SSL_do_handshake, which through some layers |
| // called SessionTicketOpen, which called TicketCrypter::Decrypt, which |
| // synchronously called this function.) In that case, the handshake will |
| // continue to be processed when this function returns. |
| // |
| // When this callback is called asynchronously (i.e. the ticket decryption |
| // is pending), TlsServerHandshaker is not actively processing handshake |
| // messages. We need to have it resume processing handshake messages by |
| // calling AdvanceHandshake. |
| if (is_async) { |
| handshaker->AdvanceHandshakeFromCallback(); |
| } |
| |
| handshaker->ticket_decryption_callback_ = nullptr; |
| } |
| |
| void TlsServerHandshaker::DecryptCallback::Cancel() { |
| QUICHE_DCHECK(handshaker_); |
| handshaker_ = nullptr; |
| } |
| |
| TlsServerHandshaker::TlsServerHandshaker( |
| QuicSession* session, const QuicCryptoServerConfig* crypto_config) |
| : TlsHandshaker(this, session), |
| QuicCryptoServerStreamBase(session), |
| proof_source_(crypto_config->proof_source()), |
| pre_shared_key_(crypto_config->pre_shared_key()), |
| crypto_negotiated_params_(new QuicCryptoNegotiatedParameters), |
| tls_connection_(crypto_config->ssl_ctx(), this, session->GetSSLConfig()), |
| crypto_config_(crypto_config) { |
| QUIC_DVLOG(1) << "TlsServerHandshaker: client_cert_mode initial value: " |
| << client_cert_mode(); |
| |
| QUICHE_DCHECK_EQ(PROTOCOL_TLS1_3, |
| session->connection()->version().handshake_protocol); |
| |
| // Configure the SSL to be a server. |
| SSL_set_accept_state(ssl()); |
| |
| // Make sure we use the right TLS extension codepoint. |
| int use_legacy_extension = 0; |
| if (session->version().UsesLegacyTlsExtension()) { |
| use_legacy_extension = 1; |
| } |
| SSL_set_quic_use_legacy_codepoint(ssl(), use_legacy_extension); |
| |
| if (session->connection()->context()->tracer) { |
| tls_connection_.EnableInfoCallback(); |
| } |
| #if BORINGSSL_API_VERSION >= 22 |
| if (!crypto_config->preferred_groups().empty()) { |
| SSL_set1_group_ids(ssl(), crypto_config->preferred_groups().data(), |
| crypto_config->preferred_groups().size()); |
| } |
| #endif // BORINGSSL_API_VERSION |
| } |
| |
| TlsServerHandshaker::~TlsServerHandshaker() { CancelOutstandingCallbacks(); } |
| |
| void TlsServerHandshaker::CancelOutstandingCallbacks() { |
| if (proof_source_handle_) { |
| proof_source_handle_->CloseHandle(); |
| } |
| if (ticket_decryption_callback_) { |
| ticket_decryption_callback_->Cancel(); |
| ticket_decryption_callback_ = nullptr; |
| } |
| } |
| |
| void TlsServerHandshaker::InfoCallback(int type, int value) { |
| QuicConnectionTracer* tracer = |
| session()->connection()->context()->tracer.get(); |
| |
| if (tracer == nullptr) { |
| return; |
| } |
| |
| if (type & SSL_CB_LOOP) { |
| tracer->PrintString( |
| absl::StrCat("SSL:ACCEPT_LOOP:", SSL_state_string_long(ssl()))); |
| } else if (type & SSL_CB_ALERT) { |
| const char* prefix = |
| (type & SSL_CB_READ) ? "SSL:READ_ALERT:" : "SSL:WRITE_ALERT:"; |
| tracer->PrintString(absl::StrCat(prefix, SSL_alert_type_string_long(value), |
| ":", SSL_alert_desc_string_long(value))); |
| } else if (type & SSL_CB_EXIT) { |
| const char* prefix = |
| (value == 1) ? "SSL:ACCEPT_EXIT_OK:" : "SSL:ACCEPT_EXIT_FAIL:"; |
| tracer->PrintString(absl::StrCat(prefix, SSL_state_string_long(ssl()))); |
| } else if (type & SSL_CB_HANDSHAKE_START) { |
| tracer->PrintString( |
| absl::StrCat("SSL:HANDSHAKE_START:", SSL_state_string_long(ssl()))); |
| } else if (type & SSL_CB_HANDSHAKE_DONE) { |
| tracer->PrintString( |
| absl::StrCat("SSL:HANDSHAKE_DONE:", SSL_state_string_long(ssl()))); |
| } else { |
| QUIC_DLOG(INFO) << "Unknown event type " << type << ": " |
| << SSL_state_string_long(ssl()); |
| tracer->PrintString( |
| absl::StrCat("SSL:unknown:", value, ":", SSL_state_string_long(ssl()))); |
| } |
| } |
| |
| std::unique_ptr<ProofSourceHandle> |
| TlsServerHandshaker::MaybeCreateProofSourceHandle() { |
| return std::make_unique<DefaultProofSourceHandle>(this, proof_source_); |
| } |
| |
| bool TlsServerHandshaker::GetBase64SHA256ClientChannelID( |
| std::string* /*output*/) const { |
| // Channel ID is not supported when TLS is used in QUIC. |
| return false; |
| } |
| |
| void TlsServerHandshaker::SendServerConfigUpdate( |
| const CachedNetworkParameters* /*cached_network_params*/) { |
| // SCUP messages aren't supported when using the TLS handshake. |
| } |
| |
| bool TlsServerHandshaker::DisableResumption() { |
| if (!can_disable_resumption_ || !session()->connection()->connected()) { |
| return false; |
| } |
| tls_connection_.DisableTicketSupport(); |
| return true; |
| } |
| |
| bool TlsServerHandshaker::IsZeroRtt() const { |
| return SSL_early_data_accepted(ssl()); |
| } |
| |
| bool TlsServerHandshaker::IsResumption() const { |
| return SSL_session_reused(ssl()); |
| } |
| |
| bool TlsServerHandshaker::ResumptionAttempted() const { |
| return ticket_received_; |
| } |
| |
| bool TlsServerHandshaker::EarlyDataAttempted() const { |
| QUIC_BUG_IF(quic_tls_early_data_attempted_too_early, |
| !select_cert_status_.has_value()) |
| << "EarlyDataAttempted must be called after EarlySelectCertCallback is " |
| "started"; |
| return early_data_attempted_; |
| } |
| |
| int TlsServerHandshaker::NumServerConfigUpdateMessagesSent() const { |
| // SCUP messages aren't supported when using the TLS handshake. |
| return 0; |
| } |
| |
| const CachedNetworkParameters* |
| TlsServerHandshaker::PreviousCachedNetworkParams() const { |
| return last_received_cached_network_params_.get(); |
| } |
| |
| void TlsServerHandshaker::SetPreviousCachedNetworkParams( |
| CachedNetworkParameters cached_network_params) { |
| last_received_cached_network_params_ = |
| std::make_unique<CachedNetworkParameters>(cached_network_params); |
| } |
| |
| void TlsServerHandshaker::OnPacketDecrypted(EncryptionLevel level) { |
| if (level == ENCRYPTION_HANDSHAKE && state_ < HANDSHAKE_PROCESSED) { |
| state_ = HANDSHAKE_PROCESSED; |
| handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_INITIAL); |
| handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_INITIAL); |
| } |
| } |
| |
| void TlsServerHandshaker::OnHandshakeDoneReceived() { QUICHE_DCHECK(false); } |
| |
| void TlsServerHandshaker::OnNewTokenReceived(absl::string_view /*token*/) { |
| QUICHE_DCHECK(false); |
| } |
| |
| std::string TlsServerHandshaker::GetAddressToken( |
| const CachedNetworkParameters* cached_network_params) const { |
| SourceAddressTokens empty_previous_tokens; |
| const QuicConnection* connection = session()->connection(); |
| return crypto_config_->NewSourceAddressToken( |
| crypto_config_->source_address_token_boxer(), empty_previous_tokens, |
| connection->effective_peer_address().host(), |
| connection->random_generator(), connection->clock()->WallNow(), |
| cached_network_params); |
| } |
| |
| bool TlsServerHandshaker::ValidateAddressToken(absl::string_view token) const { |
| SourceAddressTokens tokens; |
| HandshakeFailureReason reason = crypto_config_->ParseSourceAddressToken( |
| crypto_config_->source_address_token_boxer(), token, tokens); |
| if (reason != HANDSHAKE_OK) { |
| QUIC_DLOG(WARNING) << "Failed to parse source address token: " |
| << CryptoUtils::HandshakeFailureReasonToString(reason); |
| return false; |
| } |
| auto cached_network_params = std::make_unique<CachedNetworkParameters>(); |
| reason = crypto_config_->ValidateSourceAddressTokens( |
| tokens, session()->connection()->effective_peer_address().host(), |
| session()->connection()->clock()->WallNow(), cached_network_params.get()); |
| if (reason != HANDSHAKE_OK) { |
| QUIC_DLOG(WARNING) << "Failed to validate source address token: " |
| << CryptoUtils::HandshakeFailureReasonToString(reason); |
| return false; |
| } |
| |
| last_received_cached_network_params_ = std::move(cached_network_params); |
| return true; |
| } |
| |
| bool TlsServerHandshaker::ShouldSendExpectCTHeader() const { return false; } |
| |
| bool TlsServerHandshaker::DidCertMatchSni() const { return cert_matched_sni_; } |
| |
| const ProofSource::Details* TlsServerHandshaker::ProofSourceDetails() const { |
| return proof_source_details_.get(); |
| } |
| |
| bool TlsServerHandshaker::ExportKeyingMaterial(absl::string_view label, |
| absl::string_view context, |
| size_t result_len, |
| std::string* result) { |
| return ExportKeyingMaterialForLabel(label, context, result_len, result); |
| } |
| |
| void TlsServerHandshaker::OnConnectionClosed(QuicErrorCode error, |
| ConnectionCloseSource source) { |
| TlsHandshaker::OnConnectionClosed(error, source); |
| } |
| |
| ssl_early_data_reason_t TlsServerHandshaker::EarlyDataReason() const { |
| return TlsHandshaker::EarlyDataReason(); |
| } |
| |
| bool TlsServerHandshaker::encryption_established() const { |
| return encryption_established_; |
| } |
| |
| bool TlsServerHandshaker::one_rtt_keys_available() const { |
| return state_ == HANDSHAKE_CONFIRMED; |
| } |
| |
| const QuicCryptoNegotiatedParameters& |
| TlsServerHandshaker::crypto_negotiated_params() const { |
| return *crypto_negotiated_params_; |
| } |
| |
| CryptoMessageParser* TlsServerHandshaker::crypto_message_parser() { |
| return TlsHandshaker::crypto_message_parser(); |
| } |
| |
| HandshakeState TlsServerHandshaker::GetHandshakeState() const { return state_; } |
| |
| void TlsServerHandshaker::SetServerApplicationStateForResumption( |
| std::unique_ptr<ApplicationState> state) { |
| application_state_ = std::move(state); |
| } |
| |
| size_t TlsServerHandshaker::BufferSizeLimitForLevel( |
| EncryptionLevel level) const { |
| return TlsHandshaker::BufferSizeLimitForLevel(level); |
| } |
| |
| std::unique_ptr<QuicDecrypter> |
| TlsServerHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter() { |
| return TlsHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter(); |
| } |
| |
| std::unique_ptr<QuicEncrypter> |
| TlsServerHandshaker::CreateCurrentOneRttEncrypter() { |
| return TlsHandshaker::CreateCurrentOneRttEncrypter(); |
| } |
| |
| void TlsServerHandshaker::OverrideQuicConfigDefaults(QuicConfig* /*config*/) {} |
| |
| void TlsServerHandshaker::AdvanceHandshakeFromCallback() { |
| QuicConnection::ScopedPacketFlusher flusher(session()->connection()); |
| |
| AdvanceHandshake(); |
| if (!is_connection_closed()) { |
| handshaker_delegate()->OnHandshakeCallbackDone(); |
| } |
| } |
| |
| bool TlsServerHandshaker::ProcessTransportParameters( |
| const SSL_CLIENT_HELLO* client_hello, std::string* error_details) { |
| TransportParameters client_params; |
| const uint8_t* client_params_bytes; |
| size_t params_bytes_len; |
| |
| // Make sure we use the right TLS extension codepoint. |
| uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters_standard; |
| if (session()->version().UsesLegacyTlsExtension()) { |
| extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy; |
| } |
| // When using early select cert callback, SSL_get_peer_quic_transport_params |
| // can not be used to retrieve the client's transport parameters, but we can |
| // use SSL_early_callback_ctx_extension_get to do that. |
| if (!SSL_early_callback_ctx_extension_get(client_hello, extension_type, |
| &client_params_bytes, |
| ¶ms_bytes_len)) { |
| params_bytes_len = 0; |
| } |
| |
| if (params_bytes_len == 0) { |
| *error_details = "Client's transport parameters are missing"; |
| return false; |
| } |
| std::string parse_error_details; |
| if (!ParseTransportParameters(session()->connection()->version(), |
| Perspective::IS_CLIENT, client_params_bytes, |
| params_bytes_len, &client_params, |
| &parse_error_details)) { |
| QUICHE_DCHECK(!parse_error_details.empty()); |
| *error_details = |
| "Unable to parse client's transport parameters: " + parse_error_details; |
| return false; |
| } |
| |
| // Notify QuicConnectionDebugVisitor. |
| session()->connection()->OnTransportParametersReceived(client_params); |
| |
| if (client_params.legacy_version_information.has_value() && |
| CryptoUtils::ValidateClientHelloVersion( |
| client_params.legacy_version_information->version, |
| session()->connection()->version(), session()->supported_versions(), |
| error_details) != QUIC_NO_ERROR) { |
| return false; |
| } |
| |
| if (client_params.version_information.has_value() && |
| !CryptoUtils::ValidateChosenVersion( |
| client_params.version_information->chosen_version, |
| session()->version(), error_details)) { |
| QUICHE_DCHECK(!error_details->empty()); |
| return false; |
| } |
| |
| if (handshaker_delegate()->ProcessTransportParameters( |
| client_params, /* is_resumption = */ false, error_details) != |
| QUIC_NO_ERROR) { |
| return false; |
| } |
| |
| ProcessAdditionalTransportParameters(client_params); |
| |
| return true; |
| } |
| |
| TlsServerHandshaker::SetTransportParametersResult |
| TlsServerHandshaker::SetTransportParameters() { |
| SetTransportParametersResult result; |
| QUICHE_DCHECK(!result.success); |
| |
| server_params_.perspective = Perspective::IS_SERVER; |
| server_params_.legacy_version_information = |
| TransportParameters::LegacyVersionInformation(); |
| server_params_.legacy_version_information->supported_versions = |
| CreateQuicVersionLabelVector(session()->supported_versions()); |
| server_params_.legacy_version_information->version = |
| CreateQuicVersionLabel(session()->connection()->version()); |
| server_params_.version_information = |
| TransportParameters::VersionInformation(); |
| server_params_.version_information->chosen_version = |
| CreateQuicVersionLabel(session()->version()); |
| server_params_.version_information->other_versions = |
| CreateQuicVersionLabelVector(session()->supported_versions()); |
| |
| if (!handshaker_delegate()->FillTransportParameters(&server_params_)) { |
| return result; |
| } |
| |
| // Notify QuicConnectionDebugVisitor. |
| session()->connection()->OnTransportParametersSent(server_params_); |
| |
| { // Ensure |server_params_bytes| is not accessed out of the scope. |
| std::vector<uint8_t> server_params_bytes; |
| if (!SerializeTransportParameters(server_params_, &server_params_bytes) || |
| SSL_set_quic_transport_params(ssl(), server_params_bytes.data(), |
| server_params_bytes.size()) != 1) { |
| return result; |
| } |
| result.quic_transport_params = std::move(server_params_bytes); |
| } |
| |
| if (application_state_) { |
| std::vector<uint8_t> early_data_context; |
| if (!SerializeTransportParametersForTicket( |
| server_params_, *application_state_, &early_data_context)) { |
| QUIC_BUG(quic_bug_10341_4) |
| << "Failed to serialize Transport Parameters for ticket."; |
| result.early_data_context = std::vector<uint8_t>(); |
| return result; |
| } |
| SSL_set_quic_early_data_context(ssl(), early_data_context.data(), |
| early_data_context.size()); |
| result.early_data_context = std::move(early_data_context); |
| application_state_.reset(nullptr); |
| } |
| result.success = true; |
| return result; |
| } |
| |
| bool TlsServerHandshaker::TransportParametersMatch( |
| absl::Span<const uint8_t> serialized_params) const { |
| TransportParameters params; |
| std::string error_details; |
| |
| bool parse_ok = ParseTransportParameters( |
| session()->version(), Perspective::IS_SERVER, serialized_params.data(), |
| serialized_params.size(), ¶ms, &error_details); |
| |
| if (!parse_ok) { |
| return false; |
| } |
| |
| DegreaseTransportParameters(params); |
| |
| return params == server_params_; |
| } |
| |
| void TlsServerHandshaker::SetWriteSecret( |
| EncryptionLevel level, const SSL_CIPHER* cipher, |
| absl::Span<const uint8_t> write_secret) { |
| if (is_connection_closed()) { |
| return; |
| } |
| if (level == ENCRYPTION_FORWARD_SECURE) { |
| encryption_established_ = true; |
| // Fill crypto_negotiated_params_: |
| const SSL_CIPHER* ssl_cipher = SSL_get_current_cipher(ssl()); |
| if (ssl_cipher) { |
| crypto_negotiated_params_->cipher_suite = |
| SSL_CIPHER_get_protocol_id(ssl_cipher); |
| } |
| crypto_negotiated_params_->key_exchange_group = SSL_get_curve_id(ssl()); |
| crypto_negotiated_params_->encrypted_client_hello = SSL_ech_accepted(ssl()); |
| } |
| TlsHandshaker::SetWriteSecret(level, cipher, write_secret); |
| } |
| |
| std::string TlsServerHandshaker::GetAcceptChValueForHostname( |
| const std::string& /*hostname*/) const { |
| return {}; |
| } |
| |
| bool TlsServerHandshaker::UseAlpsNewCodepoint() const { |
| if (!select_cert_status_.has_value()) { |
| QUIC_BUG(quic_tls_check_alps_new_codepoint_too_early) |
| << "UseAlpsNewCodepoint must be called after " |
| "EarlySelectCertCallback is started"; |
| return false; |
| } |
| |
| return alps_new_codepoint_received_; |
| } |
| |
| void TlsServerHandshaker::FinishHandshake() { |
| QUICHE_DCHECK(!SSL_in_early_data(ssl())); |
| |
| if (!valid_alpn_received_) { |
| QUIC_DLOG(ERROR) |
| << "Server: handshake finished without receiving a known ALPN"; |
| // TODO(b/130164908) this should send no_application_protocol |
| // instead of QUIC_HANDSHAKE_FAILED. |
| CloseConnection(QUIC_HANDSHAKE_FAILED, |
| "Server did not receive a known ALPN"); |
| return; |
| } |
| |
| ssl_early_data_reason_t reason_code = EarlyDataReason(); |
| QUIC_DLOG(INFO) << "Server: handshake finished. Early data reason " |
| << reason_code << " (" |
| << CryptoUtils::EarlyDataReasonToString(reason_code) << ")"; |
| state_ = HANDSHAKE_CONFIRMED; |
| |
| handshaker_delegate()->OnTlsHandshakeComplete(); |
| handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_HANDSHAKE); |
| handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_HANDSHAKE); |
| // ENCRYPTION_ZERO_RTT decryption key is not discarded here as "Servers MAY |
| // temporarily retain 0-RTT keys to allow decrypting reordered packets |
| // without requiring their contents to be retransmitted with 1-RTT keys." |
| // It is expected that QuicConnection will discard the key at an |
| // appropriate time. |
| } |
| |
| QuicAsyncStatus TlsServerHandshaker::VerifyCertChain( |
| const std::vector<std::string>& /*certs*/, std::string* /*error_details*/, |
| std::unique_ptr<ProofVerifyDetails>* /*details*/, uint8_t* /*out_alert*/, |
| std::unique_ptr<ProofVerifierCallback> /*callback*/) { |
| QUIC_DVLOG(1) << "VerifyCertChain returning success"; |
| |
| // No real verification here. A subclass can override this function to verify |
| // the client cert if needed. |
| return QUIC_SUCCESS; |
| } |
| |
| void TlsServerHandshaker::OnProofVerifyDetailsAvailable( |
| const ProofVerifyDetails& /*verify_details*/) {} |
| |
| ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign( |
| uint8_t* out, size_t* out_len, size_t max_out, uint16_t sig_alg, |
| absl::string_view in) { |
| QUICHE_DCHECK_EQ(expected_ssl_error(), SSL_ERROR_WANT_READ); |
| |
| QuicAsyncStatus status = proof_source_handle_->ComputeSignature( |
| session()->connection()->self_address(), |
| session()->connection()->peer_address(), crypto_negotiated_params_->sni, |
| sig_alg, in, max_out); |
| if (status == QUIC_PENDING) { |
| set_expected_ssl_error(SSL_ERROR_WANT_PRIVATE_KEY_OPERATION); |
| if (async_op_timer_.has_value()) { |
| QUIC_CODE_COUNT( |
| quic_tls_server_computing_signature_while_another_op_pending); |
| } |
| async_op_timer_ = QuicTimeAccumulator(); |
| async_op_timer_->Start(now()); |
| } |
| return PrivateKeyComplete(out, out_len, max_out); |
| } |
| |
| ssl_private_key_result_t TlsServerHandshaker::PrivateKeyComplete( |
| uint8_t* out, size_t* out_len, size_t max_out) { |
| if (expected_ssl_error() == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) { |
| return ssl_private_key_retry; |
| } |
| |
| const bool success = HasValidSignature(max_out); |
| QuicConnectionStats::TlsServerOperationStats compute_signature_stats; |
| compute_signature_stats.success = success; |
| if (async_op_timer_.has_value()) { |
| async_op_timer_->Stop(now()); |
| compute_signature_stats.async_latency = |
| async_op_timer_->GetTotalElapsedTime(); |
| async_op_timer_.reset(); |
| RECORD_LATENCY_IN_US("tls_server_async_compute_signature_latency_us", |
| compute_signature_stats.async_latency, |
| "Async compute signature latency in microseconds"); |
| } |
| connection_stats().tls_server_compute_signature_stats = |
| std::move(compute_signature_stats); |
| |
| if (!success) { |
| return ssl_private_key_failure; |
| } |
| *out_len = cert_verify_sig_.size(); |
| memcpy(out, cert_verify_sig_.data(), *out_len); |
| cert_verify_sig_.clear(); |
| cert_verify_sig_.shrink_to_fit(); |
| return ssl_private_key_success; |
| } |
| |
| void TlsServerHandshaker::OnComputeSignatureDone( |
| bool ok, bool is_sync, std::string signature, |
| std::unique_ptr<ProofSource::Details> details) { |
| QUIC_DVLOG(1) << "OnComputeSignatureDone. ok:" << ok |
| << ", is_sync:" << is_sync |
| << ", len(signature):" << signature.size(); |
| std::optional<QuicConnectionContextSwitcher> context_switcher; |
| |
| if (!is_sync) { |
| context_switcher.emplace(connection_context()); |
| } |
| |
| QUIC_TRACESTRING(absl::StrCat("TLS compute signature done. ok:", ok, |
| ", len(signature):", signature.size())); |
| |
| if (ok) { |
| cert_verify_sig_ = std::move(signature); |
| proof_source_details_ = std::move(details); |
| } |
| const int last_expected_ssl_error = expected_ssl_error(); |
| set_expected_ssl_error(SSL_ERROR_WANT_READ); |
| if (!is_sync) { |
| QUICHE_DCHECK_EQ(last_expected_ssl_error, |
| SSL_ERROR_WANT_PRIVATE_KEY_OPERATION); |
| AdvanceHandshakeFromCallback(); |
| } |
| } |
| |
| bool TlsServerHandshaker::HasValidSignature(size_t max_signature_size) const { |
| return !cert_verify_sig_.empty() && |
| cert_verify_sig_.size() <= max_signature_size; |
| } |
| |
| size_t TlsServerHandshaker::SessionTicketMaxOverhead() { |
| QUICHE_DCHECK(proof_source_->GetTicketCrypter()); |
| return proof_source_->GetTicketCrypter()->MaxOverhead(); |
| } |
| |
| int TlsServerHandshaker::SessionTicketSeal(uint8_t* out, size_t* out_len, |
| size_t max_out_len, |
| absl::string_view in) { |
| QUICHE_DCHECK(proof_source_->GetTicketCrypter()); |
| std::vector<uint8_t> ticket = |
| proof_source_->GetTicketCrypter()->Encrypt(in, ticket_encryption_key_); |
| if (GetQuicReloadableFlag( |
| quic_send_placeholder_ticket_when_encrypt_ticket_fails) && |
| ticket.empty()) { |
| QUIC_CODE_COUNT(quic_tls_server_handshaker_send_placeholder_ticket); |
| const absl::string_view kTicketFailurePlaceholder = "TICKET FAILURE"; |
| const absl::string_view kTicketWithSizeLimit = |
| kTicketFailurePlaceholder.substr(0, max_out_len); |
| ticket.assign(kTicketWithSizeLimit.begin(), kTicketWithSizeLimit.end()); |
| } |
| if (max_out_len < ticket.size()) { |
| QUIC_BUG(quic_bug_12423_2) |
| << "TicketCrypter returned " << ticket.size() |
| << " bytes of ciphertext, which is larger than its max overhead of " |
| << max_out_len; |
| return 0; // failure |
| } |
| *out_len = ticket.size(); |
| memcpy(out, ticket.data(), ticket.size()); |
| QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_sealed); |
| return 1; // success |
| } |
| |
| ssl_ticket_aead_result_t TlsServerHandshaker::SessionTicketOpen( |
| uint8_t* out, size_t* out_len, size_t max_out_len, absl::string_view in) { |
| QUICHE_DCHECK(proof_source_->GetTicketCrypter()); |
| |
| if (ignore_ticket_open_) { |
| // SetIgnoreTicketOpen has been called. Typically this means the caller is |
| // using handshake hints and expect the hints to contain ticket decryption |
| // results. |
| QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_ignored_1); |
| return ssl_ticket_aead_ignore_ticket; |
| } |
| |
| if (!ticket_decryption_callback_) { |
| ticket_decryption_callback_ = std::make_shared<DecryptCallback>(this); |
| proof_source_->GetTicketCrypter()->Decrypt(in, ticket_decryption_callback_); |
| |
| // Decrypt can run the callback synchronously. In that case, the callback |
| // will clear the ticket_decryption_callback_ pointer, and instead of |
| // returning ssl_ticket_aead_retry, we should continue processing to |
| // return the decrypted ticket. |
| // |
| // If the callback is not run synchronously, return ssl_ticket_aead_retry |
| // and when the callback is complete this function will be run again to |
| // return the result. |
| if (ticket_decryption_callback_) { |
| QUICHE_DCHECK(!ticket_decryption_callback_->IsDone()); |
| set_expected_ssl_error(SSL_ERROR_PENDING_TICKET); |
| if (async_op_timer_.has_value()) { |
| QUIC_CODE_COUNT( |
| quic_tls_server_decrypting_ticket_while_another_op_pending); |
| } |
| async_op_timer_ = QuicTimeAccumulator(); |
| async_op_timer_->Start(now()); |
| } |
| } |
| |
| // If the async ticket decryption is pending, either started by this |
| // SessionTicketOpen call or one that happened earlier, return |
| // ssl_ticket_aead_retry. |
| if (ticket_decryption_callback_ && !ticket_decryption_callback_->IsDone()) { |
| return ssl_ticket_aead_retry; |
| } |
| |
| ssl_ticket_aead_result_t result = |
| FinalizeSessionTicketOpen(out, out_len, max_out_len); |
| |
| QuicConnectionStats::TlsServerOperationStats decrypt_ticket_stats; |
| decrypt_ticket_stats.success = (result == ssl_ticket_aead_success); |
| if (async_op_timer_.has_value()) { |
| async_op_timer_->Stop(now()); |
| decrypt_ticket_stats.async_latency = async_op_timer_->GetTotalElapsedTime(); |
| async_op_timer_.reset(); |
| RECORD_LATENCY_IN_US("tls_server_async_decrypt_ticket_latency_us", |
| decrypt_ticket_stats.async_latency, |
| "Async decrypt ticket latency in microseconds"); |
| } |
| connection_stats().tls_server_decrypt_ticket_stats = |
| std::move(decrypt_ticket_stats); |
| |
| return result; |
| } |
| |
| ssl_ticket_aead_result_t TlsServerHandshaker::FinalizeSessionTicketOpen( |
| uint8_t* out, size_t* out_len, size_t max_out_len) { |
| ticket_decryption_callback_ = nullptr; |
| set_expected_ssl_error(SSL_ERROR_WANT_READ); |
| if (decrypted_session_ticket_.empty()) { |
| QUIC_DLOG(ERROR) << "Session ticket decryption failed; ignoring ticket"; |
| // Ticket decryption failed. Ignore the ticket. |
| QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_ignored_2); |
| return ssl_ticket_aead_ignore_ticket; |
| } |
| if (max_out_len < decrypted_session_ticket_.size()) { |
| return ssl_ticket_aead_error; |
| } |
| memcpy(out, decrypted_session_ticket_.data(), |
| decrypted_session_ticket_.size()); |
| *out_len = decrypted_session_ticket_.size(); |
| |
| QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_opened); |
| return ssl_ticket_aead_success; |
| } |
| |
| ssl_select_cert_result_t TlsServerHandshaker::EarlySelectCertCallback( |
| const SSL_CLIENT_HELLO* client_hello) { |
| // EarlySelectCertCallback can be called twice from BoringSSL: If the first |
| // call returns ssl_select_cert_retry, when cert selection completes, |
| // SSL_do_handshake will call it again. |
| |
| if (select_cert_status_.has_value()) { |
| // This is the second call, return the result directly. |
| QUIC_DVLOG(1) << "EarlySelectCertCallback called to continue handshake, " |
| "returning directly. success:" |
| << (*select_cert_status_ == QUIC_SUCCESS); |
| return (*select_cert_status_ == QUIC_SUCCESS) ? ssl_select_cert_success |
| : ssl_select_cert_error; |
| } |
| |
| // This is the first call. |
| select_cert_status_ = QUIC_PENDING; |
| proof_source_handle_ = MaybeCreateProofSourceHandle(); |
| |
| if (!pre_shared_key_.empty()) { |
| // TODO(b/154162689) add PSK support to QUIC+TLS. |
| QUIC_BUG(quic_bug_10341_6) |
| << "QUIC server pre-shared keys not yet supported with TLS"; |
| return ssl_select_cert_error; |
| } |
| |
| { |
| const uint8_t* unused_extension_bytes; |
| size_t unused_extension_len; |
| ticket_received_ = SSL_early_callback_ctx_extension_get( |
| client_hello, TLSEXT_TYPE_pre_shared_key, &unused_extension_bytes, |
| &unused_extension_len); |
| |
| early_data_attempted_ = SSL_early_callback_ctx_extension_get( |
| client_hello, TLSEXT_TYPE_early_data, &unused_extension_bytes, |
| &unused_extension_len); |
| |
| #if BORINGSSL_API_VERSION >= 27 |
| if (GetQuicReloadableFlag(quic_gfe_allow_alps_new_codepoint)) { |
| QUIC_RELOADABLE_FLAG_COUNT(quic_gfe_allow_alps_new_codepoint); |
| |
| alps_new_codepoint_received_ = SSL_early_callback_ctx_extension_get( |
| client_hello, TLSEXT_TYPE_application_settings, |
| &unused_extension_bytes, &unused_extension_len); |
| // Make sure we use the right ALPS codepoint. |
| int use_alps_new_codepoint = 0; |
| if (alps_new_codepoint_received_) { |
| QUIC_CODE_COUNT(quic_gfe_alps_use_new_codepoint); |
| use_alps_new_codepoint = 1; |
| } |
| QUIC_DLOG(INFO) << "ALPS use new codepoint: " << use_alps_new_codepoint; |
| SSL_set_alps_use_new_codepoint(ssl(), use_alps_new_codepoint); |
| } |
| #endif // BORINGSSL_API_VERSION |
| } |
| |
| // This callback is called very early by Boring SSL, most of the SSL_get_foo |
| // function do not work at this point, but SSL_get_servername does. |
| const char* hostname = SSL_get_servername(ssl(), TLSEXT_NAMETYPE_host_name); |
| if (hostname) { |
| crypto_negotiated_params_->sni = |
| QuicHostnameUtils::NormalizeHostname(hostname); |
| if (!ValidateHostname(hostname)) { |
| return ssl_select_cert_error; |
| } |
| if (hostname != crypto_negotiated_params_->sni) { |
| QUIC_CODE_COUNT(quic_tls_server_hostname_diff); |
| QUIC_LOG_EVERY_N_SEC(WARNING, 300) |
| << "Raw and normalized hostnames differ, but both are valid SNIs. " |
| "raw hostname:" |
| << hostname << ", normalized:" << crypto_negotiated_params_->sni; |
| } else { |
| QUIC_CODE_COUNT(quic_tls_server_hostname_same); |
| } |
| } else { |
| QUIC_LOG(INFO) << "No hostname indicated in SNI"; |
| } |
| |
| std::string error_details; |
| if (!ProcessTransportParameters(client_hello, &error_details)) { |
| CloseConnection(QUIC_HANDSHAKE_FAILED, error_details); |
| return ssl_select_cert_error; |
| } |
| OverrideQuicConfigDefaults(session()->config()); |
| session()->OnConfigNegotiated(); |
| |
| auto set_transport_params_result = SetTransportParameters(); |
| if (!set_transport_params_result.success) { |
| QUIC_LOG(ERROR) << "Failed to set transport parameters"; |
| return ssl_select_cert_error; |
| } |
| |
| bssl::UniquePtr<uint8_t> ssl_capabilities; |
| size_t ssl_capabilities_len = 0; |
| absl::string_view ssl_capabilities_view; |
| |
| if (CryptoUtils::GetSSLCapabilities(ssl(), &ssl_capabilities, |
| &ssl_capabilities_len)) { |
| ssl_capabilities_view = |
| absl::string_view(reinterpret_cast<const char*>(ssl_capabilities.get()), |
| ssl_capabilities_len); |
| } |
| |
| // Enable ALPS for the session's ALPN. |
| SetApplicationSettingsResult alps_result = |
| SetApplicationSettings(AlpnForVersion(session()->version())); |
| if (!alps_result.success) { |
| return ssl_select_cert_error; |
| } |
| |
| if (!session()->connection()->connected()) { |
| select_cert_status_ = QUIC_FAILURE; |
| return ssl_select_cert_error; |
| } |
| |
| can_disable_resumption_ = false; |
| const QuicAsyncStatus status = proof_source_handle_->SelectCertificate( |
| session()->connection()->self_address().Normalized(), |
| session()->connection()->peer_address().Normalized(), |
| session()->connection()->GetOriginalDestinationConnectionId(), |
| ssl_capabilities_view, crypto_negotiated_params_->sni, |
| absl::string_view( |
| reinterpret_cast<const char*>(client_hello->client_hello), |
| client_hello->client_hello_len), |
| AlpnForVersion(session()->version()), std::move(alps_result.alps_buffer), |
| set_transport_params_result.quic_transport_params, |
| set_transport_params_result.early_data_context, |
| tls_connection_.ssl_config()); |
| |
| QUICHE_DCHECK_EQ(status, *select_cert_status()); |
| |
| if (status == QUIC_PENDING) { |
| set_expected_ssl_error(SSL_ERROR_PENDING_CERTIFICATE); |
| if (async_op_timer_.has_value()) { |
| QUIC_CODE_COUNT(quic_tls_server_selecting_cert_while_another_op_pending); |
| } |
| async_op_timer_ = QuicTimeAccumulator(); |
| async_op_timer_->Start(now()); |
| return ssl_select_cert_retry; |
| } |
| |
| if (status == QUIC_FAILURE) { |
| return ssl_select_cert_error; |
| } |
| |
| return ssl_select_cert_success; |
| } |
| |
| void TlsServerHandshaker::OnSelectCertificateDone( |
| bool ok, bool is_sync, SSLConfig ssl_config, |
| absl::string_view ticket_encryption_key, bool cert_matched_sni) { |
| QUIC_DVLOG(1) << "OnSelectCertificateDone. ok:" << ok |
| << ", is_sync:" << is_sync << ", len(ticket_encryption_key):" |
| << ticket_encryption_key.size(); |
| std::optional<QuicConnectionContextSwitcher> context_switcher; |
| if (!is_sync) { |
| context_switcher.emplace(connection_context()); |
| } |
| |
| QUIC_TRACESTRING(absl::StrCat( |
| "TLS select certificate done: ok:", ok, |
| ", len(ticket_encryption_key):", ticket_encryption_key.size())); |
| |
| ticket_encryption_key_ = std::string(ticket_encryption_key); |
| select_cert_status_ = QUIC_FAILURE; |
| cert_matched_sni_ = cert_matched_sni; |
| |
| // Extract the delayed SSL config from either LocalSSLConfig or |
| // HintsSSLConfig. |
| const QuicDelayedSSLConfig& delayed_ssl_config = absl::visit( |
| [](const auto& config) { return config.delayed_ssl_config; }, ssl_config); |
| |
| if (delayed_ssl_config.quic_transport_parameters.has_value()) { |
| // In case of any error the SSL object is still valid. Handshaker may need |
| // to call ComputeSignature but otherwise can proceed. |
| if (TransportParametersMatch( |
| absl::MakeSpan(*delayed_ssl_config.quic_transport_parameters))) { |
| if (SSL_set_quic_transport_params( |
| ssl(), delayed_ssl_config.quic_transport_parameters->data(), |
| delayed_ssl_config.quic_transport_parameters->size()) != 1) { |
| QUIC_DVLOG(1) << "SSL_set_quic_transport_params override failed"; |
| } |
| } else { |
| QUIC_DVLOG(1) |
| << "QUIC transport parameters mismatch with ProofSourceHandle"; |
| } |
| } |
| |
| if (delayed_ssl_config.client_cert_mode.has_value()) { |
| tls_connection_.SetClientCertMode(*delayed_ssl_config.client_cert_mode); |
| QUIC_DVLOG(1) << "client_cert_mode after cert selection: " |
| << client_cert_mode(); |
| } |
| |
| if (ok) { |
| if (auto* local_config = absl::get_if<LocalSSLConfig>(&ssl_config); |
| local_config != nullptr) { |
| if (local_config->chain && !local_config->chain->certs.empty()) { |
| tls_connection_.SetCertChain( |
| local_config->chain->ToCryptoBuffers().value); |
| select_cert_status_ = QUIC_SUCCESS; |
| } else { |
| QUIC_DLOG(ERROR) << "No certs provided for host '" |
| << crypto_negotiated_params_->sni |
| << "', server_address:" |
| << session()->connection()->self_address() |
| << ", client_address:" |
| << session()->connection()->peer_address(); |
| } |
| } else if (auto* hints_config = absl::get_if<HintsSSLConfig>(&ssl_config); |
| hints_config != nullptr) { |
| if (hints_config->configure_ssl) { |
| if (const absl::Status status = tls_connection_.ConfigureSSL( |
| std::move(hints_config->configure_ssl)); |
| !status.ok()) { |
| QUIC_CODE_COUNT(quic_tls_server_set_handshake_hints_failed); |
| QUIC_DVLOG(1) << "SSL_set_handshake_hints failed: " << status; |
| } |
| select_cert_status_ = QUIC_SUCCESS; |
| } |
| } else { |
| QUIC_DLOG(FATAL) << "Neither branch hit"; |
| } |
| } |
| |
| QuicConnectionStats::TlsServerOperationStats select_cert_stats; |
| select_cert_stats.success = (select_cert_status_ == QUIC_SUCCESS); |
| QUICHE_DCHECK_NE(is_sync, async_op_timer_.has_value()); |
| if (async_op_timer_.has_value()) { |
| async_op_timer_->Stop(now()); |
| select_cert_stats.async_latency = async_op_timer_->GetTotalElapsedTime(); |
| async_op_timer_.reset(); |
| RECORD_LATENCY_IN_US("tls_server_async_select_cert_latency_us", |
| select_cert_stats.async_latency, |
| "Async select cert latency in microseconds"); |
| } |
| connection_stats().tls_server_select_cert_stats = |
| std::move(select_cert_stats); |
| |
| const int last_expected_ssl_error = expected_ssl_error(); |
| set_expected_ssl_error(SSL_ERROR_WANT_READ); |
| if (!is_sync) { |
| QUICHE_DCHECK_EQ(last_expected_ssl_error, SSL_ERROR_PENDING_CERTIFICATE); |
| AdvanceHandshakeFromCallback(); |
| } |
| } |
| |
| bool TlsServerHandshaker::WillNotCallComputeSignature() const { |
| return SSL_can_release_private_key(ssl()); |
| } |
| |
| bool TlsServerHandshaker::ValidateHostname(const std::string& hostname) const { |
| if (!QuicHostnameUtils::IsValidSNI(hostname)) { |
| // TODO(b/151676147): Include this error string in the CONNECTION_CLOSE |
| // frame. |
| QUIC_DLOG(ERROR) << "Invalid SNI provided: \"" << hostname << "\""; |
| return false; |
| } |
| return true; |
| } |
| |
| int TlsServerHandshaker::TlsExtServernameCallback(int* /*out_alert*/) { |
| // SSL_TLSEXT_ERR_OK causes the server_name extension to be acked in |
| // ServerHello. |
| return SSL_TLSEXT_ERR_OK; |
| } |
| |
| int TlsServerHandshaker::SelectAlpn(const uint8_t** out, uint8_t* out_len, |
| const uint8_t* in, unsigned in_len) { |
| // |in| contains a sequence of 1-byte-length-prefixed values. |
| *out_len = 0; |
| *out = nullptr; |
| if (in_len == 0) { |
| QUIC_DLOG(ERROR) << "No ALPN provided by client"; |
| return SSL_TLSEXT_ERR_NOACK; |
| } |
| |
| CBS all_alpns; |
| CBS_init(&all_alpns, in, in_len); |
| |
| std::vector<absl::string_view> alpns; |
| while (CBS_len(&all_alpns) > 0) { |
| CBS alpn; |
| if (!CBS_get_u8_length_prefixed(&all_alpns, &alpn)) { |
| QUIC_DLOG(ERROR) << "Failed to parse ALPN length"; |
| return SSL_TLSEXT_ERR_NOACK; |
| } |
| |
| const size_t alpn_length = CBS_len(&alpn); |
| if (alpn_length == 0) { |
| QUIC_DLOG(ERROR) << "Received invalid zero-length ALPN"; |
| return SSL_TLSEXT_ERR_NOACK; |
| } |
| |
| alpns.emplace_back(reinterpret_cast<const char*>(CBS_data(&alpn)), |
| alpn_length); |
| } |
| |
| // TODO(wub): Remove QuicSession::SelectAlpn. QuicSessions should know the |
| // ALPN on construction. |
| auto selected_alpn = session()->SelectAlpn(alpns); |
| if (selected_alpn == alpns.end()) { |
| QUIC_DLOG(ERROR) << "No known ALPN provided by client"; |
| return SSL_TLSEXT_ERR_NOACK; |
| } |
| |
| session()->OnAlpnSelected(*selected_alpn); |
| valid_alpn_received_ = true; |
| *out_len = selected_alpn->size(); |
| *out = reinterpret_cast<const uint8_t*>(selected_alpn->data()); |
| return SSL_TLSEXT_ERR_OK; |
| } |
| |
| TlsServerHandshaker::SetApplicationSettingsResult |
| TlsServerHandshaker::SetApplicationSettings(absl::string_view alpn) { |
| TlsServerHandshaker::SetApplicationSettingsResult result; |
| |
| const std::string& hostname = crypto_negotiated_params_->sni; |
| std::string accept_ch_value = GetAcceptChValueForHostname(hostname); |
| std::string origin = absl::StrCat("https://", hostname); |
| uint16_t port = session()->self_address().port(); |
| if (port != kDefaultPort) { |
| // This should be rare in production, but useful for test servers. |
| QUIC_CODE_COUNT(quic_server_alps_non_default_port); |
| absl::StrAppend(&origin, ":", port); |
| } |
| |
| if (!accept_ch_value.empty()) { |
| AcceptChFrame frame{{{std::move(origin), std::move(accept_ch_value)}}}; |
| result.alps_buffer = HttpEncoder::SerializeAcceptChFrame(frame); |
| } |
| |
| const std::string& alps = result.alps_buffer; |
| if (SSL_add_application_settings( |
| ssl(), reinterpret_cast<const uint8_t*>(alpn.data()), alpn.size(), |
| reinterpret_cast<const uint8_t*>(alps.data()), alps.size()) != 1) { |
| QUIC_DLOG(ERROR) << "Failed to enable ALPS"; |
| result.success = false; |
| } else { |
| result.success = true; |
| } |
| return result; |
| } |
| |
| SSL* TlsServerHandshaker::GetSsl() const { return ssl(); } |
| |
| bool TlsServerHandshaker::IsCryptoFrameExpectedForEncryptionLevel( |
| EncryptionLevel level) const { |
| return level != ENCRYPTION_ZERO_RTT; |
| } |
| |
| EncryptionLevel TlsServerHandshaker::GetEncryptionLevelToSendCryptoDataOfSpace( |
| PacketNumberSpace space) const { |
| switch (space) { |
| case INITIAL_DATA: |
| return ENCRYPTION_INITIAL; |
| case HANDSHAKE_DATA: |
| return ENCRYPTION_HANDSHAKE; |
| case APPLICATION_DATA: |
| return ENCRYPTION_FORWARD_SECURE; |
| default: |
| QUICHE_DCHECK(false); |
| return NUM_ENCRYPTION_LEVELS; |
| } |
| } |
| |
| } // namespace quic |