Refactor Tls(Client|Server)Connection::CreateSslCtx.

TlsClientConnection::CreateSslCtx always sets up a cert verify callback, and TlsServerConnection::CreateSslCtx never does. Previously this setup was done in TlsConnection::CreateSslCtx (the base class); this CL moves it into the child classes.

To support client cert at server, we will set up the verify callback for the per-connection SSL object, instead of the global SSL_CTX object.

PiperOrigin-RevId: 401042521
diff --git a/quic/core/crypto/tls_client_connection.cc b/quic/core/crypto/tls_client_connection.cc
index dd53ee7..bfd20b2 100644
--- a/quic/core/crypto/tls_client_connection.cc
+++ b/quic/core/crypto/tls_client_connection.cc
@@ -17,9 +17,9 @@
 // static
 bssl::UniquePtr<SSL_CTX> TlsClientConnection::CreateSslCtx(
     bool enable_early_data) {
-  bssl::UniquePtr<SSL_CTX> ssl_ctx =
-      TlsConnection::CreateSslCtx(SSL_VERIFY_PEER);
+  bssl::UniquePtr<SSL_CTX> ssl_ctx = TlsConnection::CreateSslCtx();
   // Configure certificate verification.
+  SSL_CTX_set_custom_verify(ssl_ctx.get(), SSL_VERIFY_PEER, &VerifyCallback);
   int reverify_on_resume_enabled = 1;
   SSL_CTX_set_reverify_on_resume(ssl_ctx.get(), reverify_on_resume_enabled);
 
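Review bot: The comment above the new `SSL_CTX_set_custom_verify` call no longer says what is being configured now that the verify mode is chosen here rather than passed to the base class; since this is the only place the client's peer verification is enabled, the comment should make the invariant explicit, e.g. `// Always verify the server certificate: VerifyCallback delegates to Delegate::VerifyCert and cannot be disabled at the SSL_CTX level.` The `SSL_VERIFY_PEER` choice is equivalent to the old call, so no behaviour change is implied, but a reader of this file alone cannot see that the base class now installs no verifier at all. The body of `TlsClientConnection::CreateSslCtx` continues past the end of this hunk.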
diff --git a/quic/core/crypto/tls_connection.cc b/quic/core/crypto/tls_connection.cc
index f822d96..fa9be97 100644
--- a/quic/core/crypto/tls_connection.cc
+++ b/quic/core/crypto/tls_connection.cc
@@ -121,15 +121,12 @@
 }
 
 // static
-bssl::UniquePtr<SSL_CTX> TlsConnection::CreateSslCtx(int cert_verify_mode) {
+bssl::UniquePtr<SSL_CTX> TlsConnection::CreateSslCtx() {
   CRYPTO_library_init();
   bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_with_buffers_method()));
   SSL_CTX_set_min_proto_version(ssl_ctx.get(), TLS1_3_VERSION);
   SSL_CTX_set_max_proto_version(ssl_ctx.get(), TLS1_3_VERSION);
   SSL_CTX_set_quic_method(ssl_ctx.get(), &kSslQuicMethod);
-  if (cert_verify_mode != SSL_VERIFY_NONE) {
-    SSL_CTX_set_custom_verify(ssl_ctx.get(), cert_verify_mode, &VerifyCallback);
-  }
   return ssl_ctx;
 }
 
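Review bot: After the removal of the `cert_verify_mode` branch, the `SSL_CTX` returned by `TlsConnection::CreateSslCtx()` has no certificate verification configured, and nothing in this function records that the caller is now responsible for installing one; a comment before `return ssl_ctx;` such as `// No peer verification is configured here; the subclass (or the per-connection SSL object) must install a verify callback.` would keep the invariant visible where the context is built. Separately, `SSL_CTX_new` at the top of the function is still used without a null check before `SSL_CTX_set_min_proto_version`, which this change does not address; if allocation failure is meant to be fatal, an explicit `QUICHE_CHECK`-style assertion or early return would make that intent clear rather than relying on a null dereference.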
diff --git a/quic/core/crypto/tls_connection.h b/quic/core/crypto/tls_connection.h
index f59eaa1..c8d377e 100644
--- a/quic/core/crypto/tls_connection.h
+++ b/quic/core/crypto/tls_connection.h
@@ -108,12 +108,7 @@
   // Creates an SSL_CTX and configures it with the options that are appropriate
   // for both client and server. The caller is responsible for ownership of the
   // newly created struct.
-  //
-  // The provided |cert_verify_mode| is passed in as the |mode| argument for
-  // |SSL_CTX_set_verify|. See
-  // https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_VERIFY_NONE
-  // for a description of possible values.
-  static bssl::UniquePtr<SSL_CTX> CreateSslCtx(int cert_verify_mode);
+  static bssl::UniquePtr<SSL_CTX> CreateSslCtx();
 
   // From a given SSL* |ssl|, returns a pointer to the TlsConnection that it
   // belongs to. This helper method allows the callbacks set in BoringSSL to be
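Review bot: The surviving doc comment on `CreateSslCtx()` still says only that the context is configured with options "appropriate for both client and server", but after dropping the `cert_verify_mode` parameter the most important thing a caller needs to know is that the context comes back with no verify callback. Consider appending a sentence like `// No certificate verification is configured; TlsClientConnection and TlsServerConnection decide whether and how peer certificates are verified.` so the header, not just the .cc file, documents the new contract.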
@@ -121,11 +116,11 @@
   // callback.
   static TlsConnection* ConnectionFromSsl(const SSL* ssl);
 
- private:
-  // Registered as the callback for SSL_CTX_set_custom_verify. The
+  // Registered as the callback for SSL(_CTX)_set_custom_verify. The
   // implementation is delegated to Delegate::VerifyCert.
   static enum ssl_verify_result_t VerifyCallback(SSL* ssl, uint8_t* out_alert);
 
+ private:
   // TlsConnection implements SSL_QUIC_METHOD, which provides the interface
   // between BoringSSL's TLS stack and a QUIC implementation.
   static const SSL_QUIC_METHOD kSslQuicMethod;
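Review bot: Moving `private:` below `VerifyCallback` gives the callback whatever access specifier governs `ConnectionFromSsl` above it, which is outside this hunk; if that section is `public:`, the callback becomes callable from anywhere rather than only from the subclasses that need to pass it to `SSL_set_custom_verify`, and a dedicated `protected:` immediately before the comment would be the narrower choice. The reworded comment `SSL(_CTX)_set_custom_verify` is also harder to read than naming both APIs; `// Registered as the callback for SSL_CTX_set_custom_verify or SSL_set_custom_verify. The` is clearer and still fits the existing wrap.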
diff --git a/quic/core/crypto/tls_server_connection.cc b/quic/core/crypto/tls_server_connection.cc
index 2042c15..0da9bbc 100644
--- a/quic/core/crypto/tls_server_connection.cc
+++ b/quic/core/crypto/tls_server_connection.cc
@@ -23,8 +23,12 @@
 // static
 bssl::UniquePtr<SSL_CTX> TlsServerConnection::CreateSslCtx(
     ProofSource* proof_source) {
-  bssl::UniquePtr<SSL_CTX> ssl_ctx =
-      TlsConnection::CreateSslCtx(SSL_VERIFY_NONE);
+  bssl::UniquePtr<SSL_CTX> ssl_ctx = TlsConnection::CreateSslCtx();
+
+  // Server does not request/verify client certs by default. Individual server
+  // connections may call SSL_set_custom_verify on their SSL object to request
+  // client certs.
+
   SSL_CTX_set_tlsext_servername_callback(ssl_ctx.get(),
                                          &TlsExtServernameCallback);
   SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), &SelectAlpnCallback, nullptr);
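Review bot: The new comment says the server does not request client certs "by default", but this function has no non-default path, so the comment should state the concrete invariant instead: the `SSL_CTX` is left at BoringSSL's default verify mode (`SSL_VERIFY_NONE`), and a connection that wants client certs must install `VerifyCallback` itself via `SSL_set_custom_verify`. It would also help to note that on the server side `SSL_VERIFY_PEER` alone only requests a certificate, so a connection that must have one needs to combine it with `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` — otherwise a client that sends no certificate still completes the handshake. The comment is also set off by blank lines on both sides at the middle of the function; placing it directly after the `ssl_ctx` assignment with no surrounding blank lines reads more naturally.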