Move cert verification from TlsClientHandshaker to TlsHandshaker

Protected by not protected.

PiperOrigin-RevId: 340749853
Change-Id: If973adbd9d4edbbf9b1d06654f9d4067adfca38f
diff --git a/quic/core/crypto/tls_client_connection.cc b/quic/core/crypto/tls_client_connection.cc
index 7908847..0591571 100644
--- a/quic/core/crypto/tls_client_connection.cc
+++ b/quic/core/crypto/tls_client_connection.cc
@@ -13,9 +13,9 @@
 // static
 bssl::UniquePtr<SSL_CTX> TlsClientConnection::CreateSslCtx(
     bool enable_early_data) {
-  bssl::UniquePtr<SSL_CTX> ssl_ctx = TlsConnection::CreateSslCtx();
+  bssl::UniquePtr<SSL_CTX> ssl_ctx =
+      TlsConnection::CreateSslCtx(SSL_VERIFY_PEER);
   // Configure certificate verification.
-  SSL_CTX_set_custom_verify(ssl_ctx.get(), SSL_VERIFY_PEER, &VerifyCallback);
   int reverify_on_resume_enabled = 1;
   SSL_CTX_set_reverify_on_resume(ssl_ctx.get(), reverify_on_resume_enabled);
 
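Review bot: The comment `// Configure certificate verification.` now sits above only the reverify-on-resume setting, since the custom verify callback itself is installed inside TlsConnection::CreateSslCtx via the SSL_VERIFY_PEER argument passed one line earlier. A reader of this file alone will look for the verification setup here and not find it. Suggest `// The verify callback is installed by TlsConnection::CreateSslCtx (SSL_VERIFY_PEER); here we additionally require re-verification on session resumption.` in its place. TlsClientConnection::CreateSslCtx continues past the end of this hunk.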
@@ -29,14 +29,6 @@
 }
 
 // static
-enum ssl_verify_result_t TlsClientConnection::VerifyCallback(
-    SSL* ssl,
-    uint8_t* out_alert) {
-  return static_cast<TlsClientConnection*>(ConnectionFromSsl(ssl))
-      ->delegate_->VerifyCert(out_alert);
-}
-
-// static
 int TlsClientConnection::NewSessionCallback(SSL* ssl, SSL_SESSION* session) {
   static_cast<TlsClientConnection*>(ConnectionFromSsl(ssl))
       ->delegate_->InsertSession(bssl::UniquePtr<SSL_SESSION>(session));
diff --git a/quic/core/crypto/tls_client_connection.h b/quic/core/crypto/tls_client_connection.h
index a7ef209..6bea641 100644
--- a/quic/core/crypto/tls_client_connection.h
+++ b/quic/core/crypto/tls_client_connection.h
@@ -20,12 +20,6 @@
     virtual ~Delegate() {}
 
    protected:
-    // Verifies the peer's certificate chain. It may use
-    // SSL_get0_peer_certificates to get the cert chain. This method returns
-    // ssl_verify_ok if the cert is valid, ssl_verify_invalid if it is invalid,
-    // or ssl_verify_retry if verification is happening asynchronously.
-    virtual enum ssl_verify_result_t VerifyCert(uint8_t* out_alert) = 0;
-
     // Called when a NewSessionTicket is received from the server.
     virtual void InsertSession(bssl::UniquePtr<SSL_SESSION> session) = 0;
 
@@ -42,10 +36,6 @@
   static bssl::UniquePtr<SSL_CTX> CreateSslCtx(bool enable_early_data);
 
  private:
-  // Registered as the callback for SSL_CTX_set_custom_verify. The
-  // implementation is delegated to Delegate::VerifyCert.
-  static enum ssl_verify_result_t VerifyCallback(SSL* ssl, uint8_t* out_alert);
-
   // Registered as the callback for SSL_CTX_sess_set_new_cb, which calls
   // Delegate::InsertSession.
   static int NewSessionCallback(SSL* ssl, SSL_SESSION* session);
diff --git a/quic/core/crypto/tls_connection.cc b/quic/core/crypto/tls_connection.cc
index 427474c..be274e2 100644
--- a/quic/core/crypto/tls_connection.cc
+++ b/quic/core/crypto/tls_connection.cc
@@ -93,12 +93,15 @@
       this);
 }
 // static
-bssl::UniquePtr<SSL_CTX> TlsConnection::CreateSslCtx() {
+bssl::UniquePtr<SSL_CTX> TlsConnection::CreateSslCtx(int cert_verify_mode) {
   CRYPTO_library_init();
   bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_with_buffers_method()));
   SSL_CTX_set_min_proto_version(ssl_ctx.get(), TLS1_3_VERSION);
   SSL_CTX_set_max_proto_version(ssl_ctx.get(), TLS1_3_VERSION);
   SSL_CTX_set_quic_method(ssl_ctx.get(), &kSslQuicMethod);
+  if (cert_verify_mode != SSL_VERIFY_NONE) {
+    SSL_CTX_set_custom_verify(ssl_ctx.get(), cert_verify_mode, &VerifyCallback);
+  }
   return ssl_ctx;
 }
 
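Review bot: The new guard `if (cert_verify_mode != SSL_VERIFY_NONE)` makes Delegate::VerifyCert unreachable for any context created with SSL_VERIFY_NONE, and nothing in the function records that consequence; the server path in tls_server_connection.cc relies on exactly this, so the intent should be stated where it is implemented. Suggest placing `// With SSL_VERIFY_NONE no verify callback is installed, so Delegate::VerifyCert is never invoked and this layer performs no certificate verification.` above the guard. The result of SSL_CTX_new is still used without a null check, but that predates this change.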
@@ -108,6 +111,12 @@
       ssl, SslIndexSingleton::GetInstance()->ssl_ex_data_index_connection()));
 }
 
+// static
+enum ssl_verify_result_t TlsConnection::VerifyCallback(SSL* ssl,
+                                                       uint8_t* out_alert) {
+  return ConnectionFromSsl(ssl)->delegate_->VerifyCert(out_alert);
+}
+
 const SSL_QUIC_METHOD TlsConnection::kSslQuicMethod{
     TlsConnection::SetReadSecretCallback, TlsConnection::SetWriteSecretCallback,
     TlsConnection::WriteMessageCallback, TlsConnection::FlushFlightCallback,
diff --git a/quic/core/crypto/tls_connection.h b/quic/core/crypto/tls_connection.h
index ef5ca58..037e4b0 100644
--- a/quic/core/crypto/tls_connection.h
+++ b/quic/core/crypto/tls_connection.h
@@ -31,6 +31,16 @@
     virtual ~Delegate() {}
 
    protected:
+    // Certificate management functions:
+
+    // Verifies the peer's certificate chain. It may use
+    // SSL_get0_peer_certificates to get the cert chain. This method returns
+    // ssl_verify_ok if the cert is valid, ssl_verify_invalid if it is invalid,
+    // or ssl_verify_retry if verification is happening asynchronously.
+    virtual enum ssl_verify_result_t VerifyCert(uint8_t* out_alert) = 0;
+
+    // QUIC-TLS interface functions:
+
     // SetWriteSecret provides the encryption secret used to encrypt messages at
     // encryption level |level|. The secret provided here is the one from the
     // TLS 1.3 key schedule (RFC 8446 section 7.1), in particular the handshake
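Review bot: The moved VerifyCert comment does not say what |out_alert| is for, and now that it is a pure virtual on the shared Delegate every subclass, including the server-side one, has to implement it even though it is only ever called when CreateSslCtx was given a mode other than SSL_VERIFY_NONE. Suggest adding `// On ssl_verify_invalid, |out_alert| may be set to the TLS alert to send to the peer.` and `// Only invoked if the SSL_CTX was created with a |cert_verify_mode| other than SSL_VERIFY_NONE; see TlsConnection::CreateSslCtx.` to the comment block. Whether the server delegate already has an implementation is not visible in this diff.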
@@ -87,7 +97,12 @@
   // Creates an SSL_CTX and configures it with the options that are appropriate
   // for both client and server. The caller is responsible for ownership of the
   // newly created struct.
-  static bssl::UniquePtr<SSL_CTX> CreateSslCtx();
+  //
+  // The provided |cert_verify_mode| is passed in as the |mode| argument for
+  // |SSL_CTX_set_verify|. See
+  // https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_VERIFY_NONE
+  // for a description of possible values.
+  static bssl::UniquePtr<SSL_CTX> CreateSslCtx(int cert_verify_mode);
 
   // From a given SSL* |ssl|, returns a pointer to the TlsConnection that it
   // belongs to. This helper method allows the callbacks set in BoringSSL to be
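Review bot: The new doc comment says |cert_verify_mode| is passed to |SSL_CTX_set_verify|, but the implementation in tls_connection.cc calls SSL_CTX_set_custom_verify with it, and skips that call entirely when the mode is SSL_VERIFY_NONE; the comment should match the code a maintainer will actually read. Suggest `// The provided |cert_verify_mode| is passed as the |mode| argument to` / `// |SSL_CTX_set_custom_verify| together with TlsConnection::VerifyCallback. If it is` / `// SSL_VERIFY_NONE, no verify callback is installed and Delegate::VerifyCert is never called.` in place of the first two lines, keeping the link to the BoringSSL documentation.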
@@ -96,6 +111,10 @@
   static TlsConnection* ConnectionFromSsl(const SSL* ssl);
 
  private:
+  // Registered as the callback for SSL_CTX_set_custom_verify. The
+  // implementation is delegated to Delegate::VerifyCert.
+  static enum ssl_verify_result_t VerifyCallback(SSL* ssl, uint8_t* out_alert);
+
   // TlsConnection implements SSL_QUIC_METHOD, which provides the interface
   // between BoringSSL's TLS stack and a QUIC implementation.
   static const SSL_QUIC_METHOD kSslQuicMethod;
diff --git a/quic/core/crypto/tls_server_connection.cc b/quic/core/crypto/tls_server_connection.cc
index 9619ee7..f47e5ad 100644
--- a/quic/core/crypto/tls_server_connection.cc
+++ b/quic/core/crypto/tls_server_connection.cc
@@ -18,7 +18,8 @@
 // static
 bssl::UniquePtr<SSL_CTX> TlsServerConnection::CreateSslCtx(
     ProofSource* proof_source) {
-  bssl::UniquePtr<SSL_CTX> ssl_ctx = TlsConnection::CreateSslCtx();
+  bssl::UniquePtr<SSL_CTX> ssl_ctx =
+      TlsConnection::CreateSslCtx(SSL_VERIFY_NONE);
   SSL_CTX_set_tlsext_servername_callback(ssl_ctx.get(),
                                          &SelectCertificateCallback);
   SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), &SelectAlpnCallback, nullptr);
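Review bot: The server now explicitly asks for SSL_VERIFY_NONE, which means TlsConnection::CreateSslCtx installs no verify callback and the server delegate's VerifyCert is never reached, but the call carries no comment explaining that this is the intended policy rather than an omission. Suggest `// SSL_VERIFY_NONE: the server does not verify peer (client) certificates, so no verify callback is installed.` above the call. TlsServerConnection::CreateSslCtx continues past the end of this hunk.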