| // Copyright (c) 2017 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "net/third_party/quiche/src/quic/core/tls_server_handshaker.h" |
| |
| #include <memory> |
| #include <string> |
| |
| #include "third_party/boringssl/src/include/openssl/pool.h" |
| #include "third_party/boringssl/src/include/openssl/ssl.h" |
| #include "net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h" |
| #include "net/third_party/quiche/src/quic/core/crypto/transport_parameters.h" |
| #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h" |
| #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h" |
| |
| namespace quic { |
| |
| TlsServerHandshaker::SignatureCallback::SignatureCallback( |
| TlsServerHandshaker* handshaker) |
| : handshaker_(handshaker) {} |
| |
| void TlsServerHandshaker::SignatureCallback::Run(bool ok, |
| std::string signature) { |
| if (handshaker_ == nullptr) { |
| return; |
| } |
| if (ok) { |
| handshaker_->cert_verify_sig_ = std::move(signature); |
| } |
| State last_state = handshaker_->state_; |
| handshaker_->state_ = STATE_SIGNATURE_COMPLETE; |
| handshaker_->signature_callback_ = nullptr; |
| if (last_state == STATE_SIGNATURE_PENDING) { |
| handshaker_->AdvanceHandshake(); |
| } |
| } |
| |
| void TlsServerHandshaker::SignatureCallback::Cancel() { |
| handshaker_ = nullptr; |
| } |
| |
| const SSL_PRIVATE_KEY_METHOD TlsServerHandshaker::kPrivateKeyMethod{ |
| &TlsServerHandshaker::PrivateKeySign, |
| nullptr, // decrypt |
| &TlsServerHandshaker::PrivateKeyComplete, |
| }; |
| |
| // static |
| bssl::UniquePtr<SSL_CTX> TlsServerHandshaker::CreateSslCtx() { |
| bssl::UniquePtr<SSL_CTX> ssl_ctx = TlsHandshaker::CreateSslCtx(); |
| SSL_CTX_set_tlsext_servername_callback( |
| ssl_ctx.get(), TlsServerHandshaker::SelectCertificateCallback); |
| SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), |
| TlsServerHandshaker::SelectAlpnCallback, nullptr); |
| return ssl_ctx; |
| } |
| |
| TlsServerHandshaker::TlsServerHandshaker(QuicCryptoStream* stream, |
| QuicSession* session, |
| SSL_CTX* ssl_ctx, |
| ProofSource* proof_source) |
| : TlsHandshaker(stream, session, ssl_ctx), |
| proof_source_(proof_source), |
| crypto_negotiated_params_(new QuicCryptoNegotiatedParameters) { |
| DCHECK_EQ(PROTOCOL_TLS1_3, |
| session->connection()->version().handshake_protocol); |
| CrypterPair crypters; |
| CryptoUtils::CreateTlsInitialCrypters( |
| Perspective::IS_SERVER, session->connection()->transport_version(), |
| session->connection_id(), &crypters); |
| session->connection()->SetEncrypter(ENCRYPTION_INITIAL, |
| std::move(crypters.encrypter)); |
| session->connection()->InstallDecrypter(ENCRYPTION_INITIAL, |
| std::move(crypters.decrypter)); |
| |
| // Configure the SSL to be a server. |
| SSL_set_accept_state(ssl()); |
| |
| if (!SetTransportParameters()) { |
| CloseConnection(QUIC_HANDSHAKE_FAILED, |
| "Failed to set Transport Parameters"); |
| } |
| } |
| |
| TlsServerHandshaker::~TlsServerHandshaker() { |
| CancelOutstandingCallbacks(); |
| } |
| |
| void TlsServerHandshaker::CancelOutstandingCallbacks() { |
| if (signature_callback_) { |
| signature_callback_->Cancel(); |
| signature_callback_ = nullptr; |
| } |
| } |
| |
| bool TlsServerHandshaker::GetBase64SHA256ClientChannelID( |
| std::string* output) const { |
| // Channel ID is not supported when TLS is used in QUIC. |
| return false; |
| } |
| |
| void TlsServerHandshaker::SendServerConfigUpdate( |
| const CachedNetworkParameters* cached_network_params) { |
| // SCUP messages aren't supported when using the TLS handshake. |
| } |
| |
| uint8_t TlsServerHandshaker::NumHandshakeMessages() const { |
| // TODO(nharper): Return a sensible value here. |
| return 0; |
| } |
| |
| uint8_t TlsServerHandshaker::NumHandshakeMessagesWithServerNonces() const { |
| // TODO(nharper): Return a sensible value here. |
| return 0; |
| } |
| |
| int TlsServerHandshaker::NumServerConfigUpdateMessagesSent() const { |
| // SCUP messages aren't supported when using the TLS handshake. |
| return 0; |
| } |
| |
| const CachedNetworkParameters* |
| TlsServerHandshaker::PreviousCachedNetworkParams() const { |
| return nullptr; |
| } |
| |
| bool TlsServerHandshaker::ZeroRttAttempted() const { |
| // TODO(nharper): Support 0-RTT with TLS 1.3 in QUIC. |
| return false; |
| } |
| |
| void TlsServerHandshaker::SetPreviousCachedNetworkParams( |
| CachedNetworkParameters cached_network_params) {} |
| |
| bool TlsServerHandshaker::ShouldSendExpectCTHeader() const { |
| return false; |
| } |
| |
| bool TlsServerHandshaker::encryption_established() const { |
| return encryption_established_; |
| } |
| |
| bool TlsServerHandshaker::handshake_confirmed() const { |
| return handshake_confirmed_; |
| } |
| |
| const QuicCryptoNegotiatedParameters& |
| TlsServerHandshaker::crypto_negotiated_params() const { |
| return *crypto_negotiated_params_; |
| } |
| |
| CryptoMessageParser* TlsServerHandshaker::crypto_message_parser() { |
| return TlsHandshaker::crypto_message_parser(); |
| } |
| |
| void TlsServerHandshaker::AdvanceHandshake() { |
| if (state_ == STATE_CONNECTION_CLOSED) { |
| QUIC_LOG(INFO) << "TlsServerHandshaker received handshake message after " |
| "connection was closed"; |
| return; |
| } |
| if (state_ == STATE_HANDSHAKE_COMPLETE) { |
| // TODO(nharper): Handle post-handshake messages. |
| return; |
| } |
| |
| int rv = SSL_do_handshake(ssl()); |
| if (rv == 1) { |
| FinishHandshake(); |
| return; |
| } |
| |
| int ssl_error = SSL_get_error(ssl(), rv); |
| bool should_close = true; |
| switch (state_) { |
| case STATE_LISTENING: |
| case STATE_SIGNATURE_COMPLETE: |
| should_close = ssl_error != SSL_ERROR_WANT_READ; |
| break; |
| case STATE_SIGNATURE_PENDING: |
| should_close = ssl_error != SSL_ERROR_WANT_PRIVATE_KEY_OPERATION; |
| break; |
| default: |
| should_close = true; |
| } |
| if (should_close && state_ != STATE_CONNECTION_CLOSED) { |
| QUIC_LOG(WARNING) << "SSL_do_handshake failed; SSL_get_error returns " |
| << ssl_error << ", state_ = " << state_; |
| ERR_print_errors_fp(stderr); |
| CloseConnection(QUIC_HANDSHAKE_FAILED, "TLS handshake failed"); |
| } |
| } |
| |
| void TlsServerHandshaker::CloseConnection(QuicErrorCode error, |
| const std::string& reason_phrase) { |
| state_ = STATE_CONNECTION_CLOSED; |
| stream()->CloseConnectionWithDetails(error, reason_phrase); |
| } |
| |
| bool TlsServerHandshaker::ProcessTransportParameters( |
| std::string* error_details) { |
| TransportParameters client_params; |
| const uint8_t* client_params_bytes; |
| size_t params_bytes_len; |
| SSL_get_peer_quic_transport_params(ssl(), &client_params_bytes, |
| ¶ms_bytes_len); |
| if (params_bytes_len == 0 || |
| !ParseTransportParameters(client_params_bytes, params_bytes_len, |
| Perspective::IS_CLIENT, &client_params)) { |
| *error_details = "Unable to parse Transport Parameters"; |
| return false; |
| } |
| |
| // When interoperating with non-Google implementations that do not send |
| // the version extension, set it to what we expect. |
| if (client_params.version == 0) { |
| client_params.version = |
| CreateQuicVersionLabel(session()->connection()->version()); |
| } |
| |
| if (CryptoUtils::ValidateClientHelloVersion( |
| client_params.version, session()->connection()->version(), |
| session()->supported_versions(), error_details) != QUIC_NO_ERROR || |
| session()->config()->ProcessTransportParameters( |
| client_params, CLIENT, error_details) != QUIC_NO_ERROR) { |
| return false; |
| } |
| |
| session()->OnConfigNegotiated(); |
| return true; |
| } |
| |
| bool TlsServerHandshaker::SetTransportParameters() { |
| TransportParameters server_params; |
| server_params.perspective = Perspective::IS_SERVER; |
| server_params.supported_versions = |
| CreateQuicVersionLabelVector(session()->supported_versions()); |
| server_params.version = |
| CreateQuicVersionLabel(session()->connection()->version()); |
| |
| if (!session()->config()->FillTransportParameters(&server_params)) { |
| return false; |
| } |
| |
| // TODO(nharper): Provide an actual value for the stateless reset token. |
| server_params.stateless_reset_token.resize(16); |
| std::vector<uint8_t> server_params_bytes; |
| if (!SerializeTransportParameters(server_params, &server_params_bytes) || |
| SSL_set_quic_transport_params(ssl(), server_params_bytes.data(), |
| server_params_bytes.size()) != 1) { |
| return false; |
| } |
| return true; |
| } |
| |
| void TlsServerHandshaker::FinishHandshake() { |
| QUIC_LOG(INFO) << "Server: handshake finished"; |
| state_ = STATE_HANDSHAKE_COMPLETE; |
| |
| session()->connection()->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE); |
| session()->NeuterUnencryptedData(); |
| encryption_established_ = true; |
| handshake_confirmed_ = true; |
| } |
| |
| // static |
| TlsServerHandshaker* TlsServerHandshaker::HandshakerFromSsl(SSL* ssl) { |
| return static_cast<TlsServerHandshaker*>( |
| TlsHandshaker::HandshakerFromSsl(ssl)); |
| } |
| |
| // static |
| ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign(SSL* ssl, |
| uint8_t* out, |
| size_t* out_len, |
| size_t max_out, |
| uint16_t sig_alg, |
| const uint8_t* in, |
| size_t in_len) { |
| return HandshakerFromSsl(ssl)->PrivateKeySign( |
| out, out_len, max_out, sig_alg, |
| QuicStringPiece(reinterpret_cast<const char*>(in), in_len)); |
| } |
| |
| ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign( |
| uint8_t* out, |
| size_t* out_len, |
| size_t max_out, |
| uint16_t sig_alg, |
| QuicStringPiece in) { |
| signature_callback_ = new SignatureCallback(this); |
| proof_source_->ComputeTlsSignature( |
| session()->connection()->self_address(), hostname_, sig_alg, in, |
| std::unique_ptr<SignatureCallback>(signature_callback_)); |
| if (state_ == STATE_SIGNATURE_COMPLETE) { |
| return PrivateKeyComplete(out, out_len, max_out); |
| } |
| state_ = STATE_SIGNATURE_PENDING; |
| return ssl_private_key_retry; |
| } |
| |
| // static |
| ssl_private_key_result_t TlsServerHandshaker::PrivateKeyComplete( |
| SSL* ssl, |
| uint8_t* out, |
| size_t* out_len, |
| size_t max_out) { |
| return HandshakerFromSsl(ssl)->PrivateKeyComplete(out, out_len, max_out); |
| } |
| |
| ssl_private_key_result_t TlsServerHandshaker::PrivateKeyComplete( |
| uint8_t* out, |
| size_t* out_len, |
| size_t max_out) { |
| if (state_ == STATE_SIGNATURE_PENDING) { |
| return ssl_private_key_retry; |
| } |
| if (cert_verify_sig_.size() > max_out || cert_verify_sig_.empty()) { |
| return ssl_private_key_failure; |
| } |
| *out_len = cert_verify_sig_.size(); |
| memcpy(out, cert_verify_sig_.data(), *out_len); |
| cert_verify_sig_.clear(); |
| cert_verify_sig_.shrink_to_fit(); |
| return ssl_private_key_success; |
| } |
| |
| // static |
| int TlsServerHandshaker::SelectCertificateCallback(SSL* ssl, |
| int* out_alert, |
| void* arg) { |
| return HandshakerFromSsl(ssl)->SelectCertificate(out_alert); |
| } |
| |
| int TlsServerHandshaker::SelectCertificate(int* out_alert) { |
| const char* hostname = SSL_get_servername(ssl(), TLSEXT_NAMETYPE_host_name); |
| if (hostname) { |
| hostname_ = hostname; |
| } else { |
| QUIC_LOG(INFO) << "No hostname indicated in SNI"; |
| } |
| |
| QuicReferenceCountedPointer<ProofSource::Chain> chain = |
| proof_source_->GetCertChain(session()->connection()->self_address(), |
| hostname_); |
| if (chain->certs.empty()) { |
| QUIC_LOG(ERROR) << "No certs provided for host '" << hostname_ << "'"; |
| return SSL_TLSEXT_ERR_ALERT_FATAL; |
| } |
| |
| std::vector<CRYPTO_BUFFER*> certs; |
| certs.resize(chain->certs.size()); |
| for (size_t i = 0; i < certs.size(); i++) { |
| certs[i] = CRYPTO_BUFFER_new( |
| reinterpret_cast<const uint8_t*>(chain->certs[i].data()), |
| chain->certs[i].length(), nullptr); |
| } |
| |
| SSL_set_chain_and_key(ssl(), certs.data(), certs.size(), nullptr, |
| &kPrivateKeyMethod); |
| |
| for (size_t i = 0; i < certs.size(); i++) { |
| CRYPTO_BUFFER_free(certs[i]); |
| } |
| |
| std::string error_details; |
| if (!ProcessTransportParameters(&error_details)) { |
| CloseConnection(QUIC_HANDSHAKE_FAILED, error_details); |
| *out_alert = SSL_AD_INTERNAL_ERROR; |
| return SSL_TLSEXT_ERR_ALERT_FATAL; |
| } |
| |
| QUIC_LOG(INFO) << "Set " << chain->certs.size() << " certs for server"; |
| return SSL_TLSEXT_ERR_OK; |
| } |
| |
| // static |
| int TlsServerHandshaker::SelectAlpnCallback(SSL* ssl, |
| const uint8_t** out, |
| uint8_t* out_len, |
| const uint8_t* in, |
| unsigned in_len, |
| void* arg) { |
| return HandshakerFromSsl(ssl)->SelectAlpn(out, out_len, in, in_len); |
| } |
| |
| int TlsServerHandshaker::SelectAlpn(const uint8_t** out, |
| uint8_t* out_len, |
| const uint8_t* in, |
| unsigned in_len) { |
| // |in| contains a sequence of 1-byte-length-prefixed values. |
| // We currently simply return the first provided ALPN value. |
| // TODO(b/130164908) Act on ALPN. |
| if (in_len == 0) { |
| *out_len = 0; |
| *out = nullptr; |
| QUIC_DLOG(INFO) << "No ALPN provided"; |
| return SSL_TLSEXT_ERR_OK; |
| } |
| const uint8_t first_alpn_length = in[0]; |
| if (static_cast<unsigned>(first_alpn_length) > in_len - 1) { |
| QUIC_LOG(ERROR) << "Failed to parse ALPN"; |
| return SSL_TLSEXT_ERR_ALERT_FATAL; |
| } |
| *out_len = first_alpn_length; |
| *out = in + 1; |
| QUIC_DLOG(INFO) << "Server selecting ALPN '" |
| << QuicStringPiece(reinterpret_cast<const char*>(*out), |
| *out_len) |
| << "'"; |
| return SSL_TLSEXT_ERR_OK; |
| } |
| |
| } // namespace quic |