1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/socket/ssl_server_socket_impl.h"
6
7 #include <memory>
8 #include <utility>
9
10 #include "base/functional/bind.h"
11 #include "base/functional/callback_helpers.h"
12 #include "base/logging.h"
13 #include "base/memory/raw_ptr.h"
14 #include "base/memory/weak_ptr.h"
15 #include "base/strings/string_util.h"
16 #include "crypto/openssl_util.h"
17 #include "crypto/rsa_private_key.h"
18 #include "net/base/completion_once_callback.h"
19 #include "net/base/net_errors.h"
20 #include "net/cert/cert_verify_result.h"
21 #include "net/cert/client_cert_verifier.h"
22 #include "net/cert/x509_util.h"
23 #include "net/log/net_log_event_type.h"
24 #include "net/log/net_log_with_source.h"
25 #include "net/socket/socket_bio_adapter.h"
26 #include "net/ssl/openssl_ssl_util.h"
27 #include "net/ssl/ssl_connection_status_flags.h"
28 #include "net/ssl/ssl_info.h"
29 #include "net/ssl/ssl_private_key.h"
30 #include "net/traffic_annotation/network_traffic_annotation.h"
31 #include "third_party/abseil-cpp/absl/types/optional.h"
32 #include "third_party/boringssl/src/include/openssl/bytestring.h"
33 #include "third_party/boringssl/src/include/openssl/err.h"
34 #include "third_party/boringssl/src/include/openssl/pool.h"
35 #include "third_party/boringssl/src/include/openssl/ssl.h"
36
37 #define GotoState(s) next_handshake_state_ = s
38
39 namespace net {
40
41 namespace {
42
43 // This constant can be any non-negative/non-zero value (eg: it does not
44 // overlap with any value of the net::Error range, including net::OK).
45 const int kSSLServerSocketNoPendingResult = 1;
46
47 } // namespace
48
49 class SSLServerContextImpl::SocketImpl : public SSLServerSocket,
50 public SocketBIOAdapter::Delegate {
51 public:
52 SocketImpl(SSLServerContextImpl* context,
53 std::unique_ptr<StreamSocket> socket);
54
55 SocketImpl(const SocketImpl&) = delete;
56 SocketImpl& operator=(const SocketImpl&) = delete;
57
58 ~SocketImpl() override;
59
60 // SSLServerSocket interface.
61 int Handshake(CompletionOnceCallback callback) override;
62
63 // SSLSocket interface.
64 int ExportKeyingMaterial(base::StringPiece label,
65 bool has_context,
66 base::StringPiece context,
67 unsigned char* out,
68 unsigned int outlen) override;
69
70 // Socket interface (via StreamSocket).
71 int Read(IOBuffer* buf,
72 int buf_len,
73 CompletionOnceCallback callback) override;
74 int ReadIfReady(IOBuffer* buf,
75 int buf_len,
76 CompletionOnceCallback callback) override;
77 int CancelReadIfReady() override;
78 int Write(IOBuffer* buf,
79 int buf_len,
80 CompletionOnceCallback callback,
81 const NetworkTrafficAnnotationTag& traffic_annotation) override;
82 int SetReceiveBufferSize(int32_t size) override;
83 int SetSendBufferSize(int32_t size) override;
84
85 // StreamSocket implementation.
86 int Connect(CompletionOnceCallback callback) override;
87 void Disconnect() override;
88 bool IsConnected() const override;
89 bool IsConnectedAndIdle() const override;
90 int GetPeerAddress(IPEndPoint* address) const override;
91 int GetLocalAddress(IPEndPoint* address) const override;
92 const NetLogWithSource& NetLog() const override;
93 bool WasEverUsed() const override;
94 bool WasAlpnNegotiated() const override;
95 NextProto GetNegotiatedProtocol() const override;
96 absl::optional<base::StringPiece> GetPeerApplicationSettings() const override;
97 bool GetSSLInfo(SSLInfo* ssl_info) override;
98 int64_t GetTotalReceivedBytes() const override;
99 void ApplySocketTag(const SocketTag& tag) override;
100
101 static SocketImpl* FromSSL(SSL* ssl);
102
103 static ssl_verify_result_t CertVerifyCallback(SSL* ssl, uint8_t* out_alert);
104 ssl_verify_result_t CertVerifyCallbackImpl(uint8_t* out_alert);
105
106 static const SSL_PRIVATE_KEY_METHOD kPrivateKeyMethod;
107 static ssl_private_key_result_t PrivateKeySignCallback(SSL* ssl,
108 uint8_t* out,
109 size_t* out_len,
110 size_t max_out,
111 uint16_t algorithm,
112 const uint8_t* in,
113 size_t in_len);
114 static ssl_private_key_result_t PrivateKeyDecryptCallback(SSL* ssl,
115 uint8_t* out,
116 size_t* out_len,
117 size_t max_out,
118 const uint8_t* in,
119 size_t in_len);
120 static ssl_private_key_result_t PrivateKeyCompleteCallback(SSL* ssl,
121 uint8_t* out,
122 size_t* out_len,
123 size_t max_out);
124
125 ssl_private_key_result_t PrivateKeySignCallback(uint8_t* out,
126 size_t* out_len,
127 size_t max_out,
128 uint16_t algorithm,
129 const uint8_t* in,
130 size_t in_len);
131 ssl_private_key_result_t PrivateKeyCompleteCallback(uint8_t* out,
132 size_t* out_len,
133 size_t max_out);
134 void OnPrivateKeyComplete(Error error, const std::vector<uint8_t>& signature);
135
136 static int ALPNSelectCallback(SSL* ssl,
137 const uint8_t** out,
138 uint8_t* out_len,
139 const uint8_t* in,
140 unsigned in_len,
141 void* arg);
142
143 static ssl_select_cert_result_t SelectCertificateCallback(
144 const SSL_CLIENT_HELLO* client_hello);
145
146 // SocketBIOAdapter::Delegate implementation.
147 void OnReadReady() override;
148 void OnWriteReady() override;
149
150 private:
151 enum State {
152 STATE_NONE,
153 STATE_HANDSHAKE,
154 };
155
156 void OnHandshakeIOComplete(int result);
157
158 int DoPayloadRead(IOBuffer* buf, int buf_len);
159 int DoPayloadWrite();
160
161 int DoHandshakeLoop(int last_io_result);
162 int DoHandshake();
163 void DoHandshakeCallback(int result);
164 void DoReadCallback(int result);
165 void DoWriteCallback(int result);
166
167 int Init();
168 void ExtractClientCert();
169
170 raw_ptr<SSLServerContextImpl> context_;
171
172 NetLogWithSource net_log_;
173
174 CompletionOnceCallback user_handshake_callback_;
175 CompletionOnceCallback user_read_callback_;
176 CompletionOnceCallback user_write_callback_;
177
178 // SSLPrivateKey signature.
179 int signature_result_;
180 std::vector<uint8_t> signature_;
181
182 // Used by Read function.
183 scoped_refptr<IOBuffer> user_read_buf_;
184 int user_read_buf_len_ = 0;
185
186 // Used by Write function.
187 scoped_refptr<IOBuffer> user_write_buf_;
188 int user_write_buf_len_ = 0;
189
190 // OpenSSL stuff
191 bssl::UniquePtr<SSL> ssl_;
192
193 // Whether we received any data in early data.
194 bool early_data_received_ = false;
195
196 // StreamSocket for sending and receiving data.
197 std::unique_ptr<StreamSocket> transport_socket_;
198 std::unique_ptr<SocketBIOAdapter> transport_adapter_;
199
200 // Certificate for the client.
201 scoped_refptr<X509Certificate> client_cert_;
202
203 State next_handshake_state_ = STATE_NONE;
204 bool completed_handshake_ = false;
205
206 NextProto negotiated_protocol_ = kProtoUnknown;
207
208 base::WeakPtrFactory<SocketImpl> weak_factory_{this};
209 };
210
SocketImpl(SSLServerContextImpl * context,std::unique_ptr<StreamSocket> transport_socket)211 SSLServerContextImpl::SocketImpl::SocketImpl(
212 SSLServerContextImpl* context,
213 std::unique_ptr<StreamSocket> transport_socket)
214 : context_(context),
215 signature_result_(kSSLServerSocketNoPendingResult),
216 transport_socket_(std::move(transport_socket)) {}
217
~SocketImpl()218 SSLServerContextImpl::SocketImpl::~SocketImpl() {
219 if (ssl_) {
220 // Calling SSL_shutdown prevents the session from being marked as
221 // unresumable.
222 SSL_shutdown(ssl_.get());
223 ssl_.reset();
224 }
225 }
226
227 // static
228 const SSL_PRIVATE_KEY_METHOD
229 SSLServerContextImpl::SocketImpl::kPrivateKeyMethod = {
230 &SSLServerContextImpl::SocketImpl::PrivateKeySignCallback,
231 &SSLServerContextImpl::SocketImpl::PrivateKeyDecryptCallback,
232 &SSLServerContextImpl::SocketImpl::PrivateKeyCompleteCallback,
233 };
234
235 // static
236 ssl_private_key_result_t
PrivateKeySignCallback(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out,uint16_t algorithm,const uint8_t * in,size_t in_len)237 SSLServerContextImpl::SocketImpl::PrivateKeySignCallback(SSL* ssl,
238 uint8_t* out,
239 size_t* out_len,
240 size_t max_out,
241 uint16_t algorithm,
242 const uint8_t* in,
243 size_t in_len) {
244 return FromSSL(ssl)->PrivateKeySignCallback(out, out_len, max_out, algorithm,
245 in, in_len);
246 }
247
248 // static
249 ssl_private_key_result_t
PrivateKeyDecryptCallback(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out,const uint8_t * in,size_t in_len)250 SSLServerContextImpl::SocketImpl::PrivateKeyDecryptCallback(SSL* ssl,
251 uint8_t* out,
252 size_t* out_len,
253 size_t max_out,
254 const uint8_t* in,
255 size_t in_len) {
256 // Decrypt is not supported.
257 return ssl_private_key_failure;
258 }
259
260 // static
261 ssl_private_key_result_t
PrivateKeyCompleteCallback(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out)262 SSLServerContextImpl::SocketImpl::PrivateKeyCompleteCallback(SSL* ssl,
263 uint8_t* out,
264 size_t* out_len,
265 size_t max_out) {
266 return FromSSL(ssl)->PrivateKeyCompleteCallback(out, out_len, max_out);
267 }
268
269 ssl_private_key_result_t
PrivateKeySignCallback(uint8_t * out,size_t * out_len,size_t max_out,uint16_t algorithm,const uint8_t * in,size_t in_len)270 SSLServerContextImpl::SocketImpl::PrivateKeySignCallback(uint8_t* out,
271 size_t* out_len,
272 size_t max_out,
273 uint16_t algorithm,
274 const uint8_t* in,
275 size_t in_len) {
276 DCHECK(context_);
277 DCHECK(context_->private_key_);
278 signature_result_ = ERR_IO_PENDING;
279 context_->private_key_->Sign(
280 algorithm, base::make_span(in, in_len),
281 base::BindOnce(&SSLServerContextImpl::SocketImpl::OnPrivateKeyComplete,
282 weak_factory_.GetWeakPtr()));
283 return ssl_private_key_retry;
284 }
285
286 ssl_private_key_result_t
PrivateKeyCompleteCallback(uint8_t * out,size_t * out_len,size_t max_out)287 SSLServerContextImpl::SocketImpl::PrivateKeyCompleteCallback(uint8_t* out,
288 size_t* out_len,
289 size_t max_out) {
290 if (signature_result_ == ERR_IO_PENDING)
291 return ssl_private_key_retry;
292 if (signature_result_ != OK) {
293 OpenSSLPutNetError(FROM_HERE, signature_result_);
294 return ssl_private_key_failure;
295 }
296 if (signature_.size() > max_out) {
297 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
298 return ssl_private_key_failure;
299 }
300 memcpy(out, signature_.data(), signature_.size());
301 *out_len = signature_.size();
302 signature_.clear();
303 return ssl_private_key_success;
304 }
305
OnPrivateKeyComplete(Error error,const std::vector<uint8_t> & signature)306 void SSLServerContextImpl::SocketImpl::OnPrivateKeyComplete(
307 Error error,
308 const std::vector<uint8_t>& signature) {
309 DCHECK_EQ(ERR_IO_PENDING, signature_result_);
310 DCHECK(signature_.empty());
311
312 signature_result_ = error;
313 if (signature_result_ == OK)
314 signature_ = signature;
315 DoHandshakeLoop(ERR_IO_PENDING);
316 }
317
318 // static
ALPNSelectCallback(SSL * ssl,const uint8_t ** out,uint8_t * out_len,const uint8_t * in,unsigned in_len,void * arg)319 int SSLServerContextImpl::SocketImpl::ALPNSelectCallback(SSL* ssl,
320 const uint8_t** out,
321 uint8_t* out_len,
322 const uint8_t* in,
323 unsigned in_len,
324 void* arg) {
325 SSLServerContextImpl::SocketImpl* socket = FromSSL(ssl);
326
327 // Iterate over the server protocols in preference order.
328 for (NextProto server_proto :
329 socket->context_->ssl_server_config_.alpn_protos) {
330 const char* server_proto_str = NextProtoToString(server_proto);
331
332 // See if the client advertised the corresponding protocol.
333 CBS cbs;
334 CBS_init(&cbs, in, in_len);
335 while (CBS_len(&cbs) != 0) {
336 CBS client_proto;
337 if (!CBS_get_u8_length_prefixed(&cbs, &client_proto)) {
338 return SSL_TLSEXT_ERR_NOACK;
339 }
340 if (base::StringPiece(
341 reinterpret_cast<const char*>(CBS_data(&client_proto)),
342 CBS_len(&client_proto)) == server_proto_str) {
343 *out = CBS_data(&client_proto);
344 *out_len = CBS_len(&client_proto);
345
346 const auto& application_settings =
347 socket->context_->ssl_server_config_.application_settings;
348 auto it = application_settings.find(server_proto);
349 if (it != application_settings.end()) {
350 const std::vector<uint8_t>& data = it->second;
351 SSL_add_application_settings(ssl, CBS_data(&client_proto),
352 CBS_len(&client_proto), data.data(),
353 data.size());
354 }
355 return SSL_TLSEXT_ERR_OK;
356 }
357 }
358 }
359 return SSL_TLSEXT_ERR_NOACK;
360 }
361
362 ssl_select_cert_result_t
SelectCertificateCallback(const SSL_CLIENT_HELLO * client_hello)363 SSLServerContextImpl::SocketImpl::SelectCertificateCallback(
364 const SSL_CLIENT_HELLO* client_hello) {
365 SSLServerContextImpl::SocketImpl* socket = FromSSL(client_hello->ssl);
366 const SSLServerConfig& config = socket->context_->ssl_server_config_;
367 if (!config.client_hello_callback_for_testing.is_null() &&
368 !config.client_hello_callback_for_testing.Run(client_hello)) {
369 return ssl_select_cert_error;
370 }
371 return ssl_select_cert_success;
372 }
373
Handshake(CompletionOnceCallback callback)374 int SSLServerContextImpl::SocketImpl::Handshake(
375 CompletionOnceCallback callback) {
376 net_log_.BeginEvent(NetLogEventType::SSL_SERVER_HANDSHAKE);
377
378 // Set up new ssl object.
379 int rv = Init();
380 if (rv != OK) {
381 LOG(ERROR) << "Failed to initialize OpenSSL: rv=" << rv;
382 net_log_.EndEventWithNetErrorCode(NetLogEventType::SSL_SERVER_HANDSHAKE,
383 rv);
384 return rv;
385 }
386
387 // Set SSL to server mode. Handshake happens in the loop below.
388 SSL_set_accept_state(ssl_.get());
389
390 GotoState(STATE_HANDSHAKE);
391 rv = DoHandshakeLoop(OK);
392 if (rv == ERR_IO_PENDING) {
393 user_handshake_callback_ = std::move(callback);
394 } else {
395 net_log_.EndEventWithNetErrorCode(NetLogEventType::SSL_SERVER_HANDSHAKE,
396 rv);
397 }
398
399 return rv > OK ? OK : rv;
400 }
401
ExportKeyingMaterial(base::StringPiece label,bool has_context,base::StringPiece context,unsigned char * out,unsigned int outlen)402 int SSLServerContextImpl::SocketImpl::ExportKeyingMaterial(
403 base::StringPiece label,
404 bool has_context,
405 base::StringPiece context,
406 unsigned char* out,
407 unsigned int outlen) {
408 if (!IsConnected())
409 return ERR_SOCKET_NOT_CONNECTED;
410
411 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
412
413 int rv = SSL_export_keying_material(
414 ssl_.get(), out, outlen, label.data(), label.size(),
415 reinterpret_cast<const unsigned char*>(context.data()), context.length(),
416 context.length() > 0);
417
418 if (rv != 1) {
419 int ssl_error = SSL_get_error(ssl_.get(), rv);
420 LOG(ERROR) << "Failed to export keying material;"
421 << " returned " << rv << ", SSL error code " << ssl_error;
422 return MapOpenSSLError(ssl_error, err_tracer);
423 }
424 return OK;
425 }
426
Read(IOBuffer * buf,int buf_len,CompletionOnceCallback callback)427 int SSLServerContextImpl::SocketImpl::Read(IOBuffer* buf,
428 int buf_len,
429 CompletionOnceCallback callback) {
430 int rv = ReadIfReady(buf, buf_len, std::move(callback));
431 if (rv == ERR_IO_PENDING) {
432 user_read_buf_ = buf;
433 user_read_buf_len_ = buf_len;
434 }
435 return rv;
436 }
437
ReadIfReady(IOBuffer * buf,int buf_len,CompletionOnceCallback callback)438 int SSLServerContextImpl::SocketImpl::ReadIfReady(
439 IOBuffer* buf,
440 int buf_len,
441 CompletionOnceCallback callback) {
442 DCHECK(user_read_callback_.is_null());
443 DCHECK(user_handshake_callback_.is_null());
444 DCHECK(!user_read_buf_);
445 DCHECK(!callback.is_null());
446 DCHECK(completed_handshake_);
447
448 int rv = DoPayloadRead(buf, buf_len);
449
450 if (rv == ERR_IO_PENDING) {
451 user_read_callback_ = std::move(callback);
452 }
453
454 return rv;
455 }
456
CancelReadIfReady()457 int SSLServerContextImpl::SocketImpl::CancelReadIfReady() {
458 DCHECK(user_read_callback_);
459 DCHECK(!user_read_buf_);
460
461 // Cancel |user_read_callback_|, because caller does not expect the callback
462 // to be invoked after they have canceled the ReadIfReady.
463 //
464 // We do not pass the signal on to |stream_socket_| or |transport_adapter_|.
465 // When it completes, it will signal OnReadReady(), which will notice there is
466 // no read operation to progress and skip it. Unlike with SSLClientSocket,
467 // SSL and transport reads are more aligned, but this avoids making
468 // assumptions or breaking the SocketBIOAdapter's state.
469 user_read_callback_.Reset();
470 return OK;
471 }
472
Write(IOBuffer * buf,int buf_len,CompletionOnceCallback callback,const NetworkTrafficAnnotationTag & traffic_annotation)473 int SSLServerContextImpl::SocketImpl::Write(
474 IOBuffer* buf,
475 int buf_len,
476 CompletionOnceCallback callback,
477 const NetworkTrafficAnnotationTag& traffic_annotation) {
478 DCHECK(user_write_callback_.is_null());
479 DCHECK(!user_write_buf_);
480 DCHECK(!callback.is_null());
481
482 user_write_buf_ = buf;
483 user_write_buf_len_ = buf_len;
484
485 int rv = DoPayloadWrite();
486
487 if (rv == ERR_IO_PENDING) {
488 user_write_callback_ = std::move(callback);
489 } else {
490 user_write_buf_ = nullptr;
491 user_write_buf_len_ = 0;
492 }
493 return rv;
494 }
495
SetReceiveBufferSize(int32_t size)496 int SSLServerContextImpl::SocketImpl::SetReceiveBufferSize(int32_t size) {
497 return transport_socket_->SetReceiveBufferSize(size);
498 }
499
SetSendBufferSize(int32_t size)500 int SSLServerContextImpl::SocketImpl::SetSendBufferSize(int32_t size) {
501 return transport_socket_->SetSendBufferSize(size);
502 }
503
Connect(CompletionOnceCallback callback)504 int SSLServerContextImpl::SocketImpl::Connect(CompletionOnceCallback callback) {
505 NOTIMPLEMENTED();
506 return ERR_NOT_IMPLEMENTED;
507 }
508
Disconnect()509 void SSLServerContextImpl::SocketImpl::Disconnect() {
510 transport_socket_->Disconnect();
511 }
512
IsConnected() const513 bool SSLServerContextImpl::SocketImpl::IsConnected() const {
514 // TODO(wtc): Find out if we should check transport_socket_->IsConnected()
515 // as well.
516 return completed_handshake_;
517 }
518
IsConnectedAndIdle() const519 bool SSLServerContextImpl::SocketImpl::IsConnectedAndIdle() const {
520 return completed_handshake_ && transport_socket_->IsConnectedAndIdle();
521 }
522
GetPeerAddress(IPEndPoint * address) const523 int SSLServerContextImpl::SocketImpl::GetPeerAddress(
524 IPEndPoint* address) const {
525 if (!IsConnected())
526 return ERR_SOCKET_NOT_CONNECTED;
527 return transport_socket_->GetPeerAddress(address);
528 }
529
GetLocalAddress(IPEndPoint * address) const530 int SSLServerContextImpl::SocketImpl::GetLocalAddress(
531 IPEndPoint* address) const {
532 if (!IsConnected())
533 return ERR_SOCKET_NOT_CONNECTED;
534 return transport_socket_->GetLocalAddress(address);
535 }
536
NetLog() const537 const NetLogWithSource& SSLServerContextImpl::SocketImpl::NetLog() const {
538 return net_log_;
539 }
540
WasEverUsed() const541 bool SSLServerContextImpl::SocketImpl::WasEverUsed() const {
542 return transport_socket_->WasEverUsed();
543 }
544
WasAlpnNegotiated() const545 bool SSLServerContextImpl::SocketImpl::WasAlpnNegotiated() const {
546 return negotiated_protocol_ != kProtoUnknown;
547 }
548
GetNegotiatedProtocol() const549 NextProto SSLServerContextImpl::SocketImpl::GetNegotiatedProtocol() const {
550 return negotiated_protocol_;
551 }
552
553 absl::optional<base::StringPiece>
GetPeerApplicationSettings() const554 SSLServerContextImpl::SocketImpl::GetPeerApplicationSettings() const {
555 if (!SSL_has_application_settings(ssl_.get())) {
556 return absl::nullopt;
557 }
558
559 const uint8_t* out_data;
560 size_t out_len;
561 SSL_get0_peer_application_settings(ssl_.get(), &out_data, &out_len);
562 return base::StringPiece{reinterpret_cast<const char*>(out_data), out_len};
563 }
564
GetSSLInfo(SSLInfo * ssl_info)565 bool SSLServerContextImpl::SocketImpl::GetSSLInfo(SSLInfo* ssl_info) {
566 ssl_info->Reset();
567 if (!completed_handshake_)
568 return false;
569
570 ssl_info->cert = client_cert_;
571
572 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_.get());
573 CHECK(cipher);
574
575 SSLConnectionStatusSetCipherSuite(SSL_CIPHER_get_protocol_id(cipher),
576 &ssl_info->connection_status);
577 SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_.get()),
578 &ssl_info->connection_status);
579
580 ssl_info->early_data_received = early_data_received_;
581 ssl_info->encrypted_client_hello = SSL_ech_accepted(ssl_.get());
582 ssl_info->handshake_type = SSL_session_reused(ssl_.get())
583 ? SSLInfo::HANDSHAKE_RESUME
584 : SSLInfo::HANDSHAKE_FULL;
585
586 return true;
587 }
588
GetTotalReceivedBytes() const589 int64_t SSLServerContextImpl::SocketImpl::GetTotalReceivedBytes() const {
590 return transport_socket_->GetTotalReceivedBytes();
591 }
592
ApplySocketTag(const SocketTag & tag)593 void SSLServerContextImpl::SocketImpl::ApplySocketTag(const SocketTag& tag) {
594 NOTIMPLEMENTED();
595 }
596
OnReadReady()597 void SSLServerContextImpl::SocketImpl::OnReadReady() {
598 if (next_handshake_state_ == STATE_HANDSHAKE) {
599 // In handshake phase. The parameter to OnHandshakeIOComplete is unused.
600 OnHandshakeIOComplete(OK);
601 return;
602 }
603
604 // BoringSSL does not support renegotiation as a server, so the only other
605 // operation blocked on Read is DoPayloadRead.
606 if (!user_read_buf_) {
607 if (!user_read_callback_.is_null()) {
608 DoReadCallback(OK);
609 }
610 return;
611 }
612
613 int rv = DoPayloadRead(user_read_buf_.get(), user_read_buf_len_);
614 if (rv != ERR_IO_PENDING)
615 DoReadCallback(rv);
616 }
617
OnWriteReady()618 void SSLServerContextImpl::SocketImpl::OnWriteReady() {
619 if (next_handshake_state_ == STATE_HANDSHAKE) {
620 // In handshake phase. The parameter to OnHandshakeIOComplete is unused.
621 OnHandshakeIOComplete(OK);
622 return;
623 }
624
625 // BoringSSL does not support renegotiation as a server, so the only other
626 // operation blocked on Read is DoPayloadWrite.
627 if (!user_write_buf_)
628 return;
629
630 int rv = DoPayloadWrite();
631 if (rv != ERR_IO_PENDING)
632 DoWriteCallback(rv);
633 }
634
OnHandshakeIOComplete(int result)635 void SSLServerContextImpl::SocketImpl::OnHandshakeIOComplete(int result) {
636 int rv = DoHandshakeLoop(result);
637 if (rv == ERR_IO_PENDING)
638 return;
639
640 net_log_.EndEventWithNetErrorCode(NetLogEventType::SSL_SERVER_HANDSHAKE, rv);
641 if (!user_handshake_callback_.is_null())
642 DoHandshakeCallback(rv);
643 }
644
DoPayloadRead(IOBuffer * buf,int buf_len)645 int SSLServerContextImpl::SocketImpl::DoPayloadRead(IOBuffer* buf,
646 int buf_len) {
647 DCHECK(completed_handshake_);
648 DCHECK_EQ(STATE_NONE, next_handshake_state_);
649 DCHECK(buf);
650 DCHECK_GT(buf_len, 0);
651
652 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
653 int rv = SSL_read(ssl_.get(), buf->data(), buf_len);
654 if (rv >= 0) {
655 if (SSL_in_early_data(ssl_.get()))
656 early_data_received_ = true;
657 return rv;
658 }
659 int ssl_error = SSL_get_error(ssl_.get(), rv);
660 OpenSSLErrorInfo error_info;
661 int net_error =
662 MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
663 if (net_error != ERR_IO_PENDING) {
664 NetLogOpenSSLError(net_log_, NetLogEventType::SSL_READ_ERROR, net_error,
665 ssl_error, error_info);
666 }
667 return net_error;
668 }
669
DoPayloadWrite()670 int SSLServerContextImpl::SocketImpl::DoPayloadWrite() {
671 DCHECK(completed_handshake_);
672 DCHECK_EQ(STATE_NONE, next_handshake_state_);
673 DCHECK(user_write_buf_);
674
675 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
676 int rv = SSL_write(ssl_.get(), user_write_buf_->data(), user_write_buf_len_);
677 if (rv >= 0)
678 return rv;
679 int ssl_error = SSL_get_error(ssl_.get(), rv);
680 OpenSSLErrorInfo error_info;
681 int net_error =
682 MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
683 if (net_error != ERR_IO_PENDING) {
684 NetLogOpenSSLError(net_log_, NetLogEventType::SSL_WRITE_ERROR, net_error,
685 ssl_error, error_info);
686 }
687 return net_error;
688 }
689
DoHandshakeLoop(int last_io_result)690 int SSLServerContextImpl::SocketImpl::DoHandshakeLoop(int last_io_result) {
691 int rv = last_io_result;
692 do {
693 // Default to STATE_NONE for next state.
694 // (This is a quirk carried over from the windows
695 // implementation. It makes reading the logs a bit harder.)
696 // State handlers can and often do call GotoState just
697 // to stay in the current state.
698 State state = next_handshake_state_;
699 GotoState(STATE_NONE);
700 switch (state) {
701 case STATE_HANDSHAKE:
702 rv = DoHandshake();
703 break;
704 case STATE_NONE:
705 default:
706 rv = ERR_UNEXPECTED;
707 LOG(DFATAL) << "unexpected state " << state;
708 break;
709 }
710 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE);
711 return rv;
712 }
713
DoHandshake()714 int SSLServerContextImpl::SocketImpl::DoHandshake() {
715 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
716 int net_error = OK;
717 int rv = SSL_do_handshake(ssl_.get());
718 if (rv == 1) {
719 const STACK_OF(CRYPTO_BUFFER)* certs =
720 SSL_get0_peer_certificates(ssl_.get());
721 if (certs) {
722 client_cert_ = x509_util::CreateX509CertificateFromBuffers(certs);
723 if (!client_cert_)
724 return ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT;
725 }
726
727 const uint8_t* alpn_proto = nullptr;
728 unsigned alpn_len = 0;
729 SSL_get0_alpn_selected(ssl_.get(), &alpn_proto, &alpn_len);
730 if (alpn_len > 0) {
731 base::StringPiece proto(reinterpret_cast<const char*>(alpn_proto),
732 alpn_len);
733 negotiated_protocol_ = NextProtoFromString(proto);
734 }
735
736 if (context_->ssl_server_config_.alert_after_handshake_for_testing) {
737 SSL_send_fatal_alert(ssl_.get(),
738 context_->ssl_server_config_
739 .alert_after_handshake_for_testing.value());
740 return ERR_FAILED;
741 }
742
743 completed_handshake_ = true;
744 } else {
745 int ssl_error = SSL_get_error(ssl_.get(), rv);
746
747 if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
748 DCHECK(context_->private_key_);
749 GotoState(STATE_HANDSHAKE);
750 return ERR_IO_PENDING;
751 }
752
753 OpenSSLErrorInfo error_info;
754 net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
755
756 // SSL_R_CERTIFICATE_VERIFY_FAILED's mapping is different between client and
757 // server.
758 if (ERR_GET_LIB(error_info.error_code) == ERR_LIB_SSL &&
759 ERR_GET_REASON(error_info.error_code) ==
760 SSL_R_CERTIFICATE_VERIFY_FAILED) {
761 net_error = ERR_BAD_SSL_CLIENT_AUTH_CERT;
762 }
763
764 // If not done, stay in this state
765 if (net_error == ERR_IO_PENDING) {
766 GotoState(STATE_HANDSHAKE);
767 } else {
768 LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code "
769 << ssl_error << ", net_error " << net_error;
770 NetLogOpenSSLError(net_log_, NetLogEventType::SSL_HANDSHAKE_ERROR,
771 net_error, ssl_error, error_info);
772 }
773 }
774 return net_error;
775 }
776
DoHandshakeCallback(int rv)777 void SSLServerContextImpl::SocketImpl::DoHandshakeCallback(int rv) {
778 DCHECK_NE(rv, ERR_IO_PENDING);
779 std::move(user_handshake_callback_).Run(rv > OK ? OK : rv);
780 }
781
DoReadCallback(int rv)782 void SSLServerContextImpl::SocketImpl::DoReadCallback(int rv) {
783 DCHECK(rv != ERR_IO_PENDING);
784 DCHECK(!user_read_callback_.is_null());
785
786 user_read_buf_ = nullptr;
787 user_read_buf_len_ = 0;
788 std::move(user_read_callback_).Run(rv);
789 }
790
DoWriteCallback(int rv)791 void SSLServerContextImpl::SocketImpl::DoWriteCallback(int rv) {
792 DCHECK(rv != ERR_IO_PENDING);
793 DCHECK(!user_write_callback_.is_null());
794
795 user_write_buf_ = nullptr;
796 user_write_buf_len_ = 0;
797 std::move(user_write_callback_).Run(rv);
798 }
799
Init()800 int SSLServerContextImpl::SocketImpl::Init() {
801 static const int kBufferSize = 17 * 1024;
802
803 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
804
805 ssl_.reset(SSL_new(context_->ssl_ctx_.get()));
806 if (!ssl_ || !SSL_set_app_data(ssl_.get(), this)) {
807 return ERR_UNEXPECTED;
808 }
809
810 SSL_set_shed_handshake_config(ssl_.get(), 1);
811
812 // Set certificate and private key.
813 if (context_->pkey_) {
814 DCHECK(context_->cert_->cert_buffer());
815 if (!SetSSLChainAndKey(ssl_.get(), context_->cert_.get(),
816 context_->pkey_.get(), nullptr)) {
817 return ERR_UNEXPECTED;
818 }
819 } else {
820 DCHECK(context_->private_key_);
821 if (!SetSSLChainAndKey(ssl_.get(), context_->cert_.get(), nullptr,
822 &kPrivateKeyMethod)) {
823 return ERR_UNEXPECTED;
824 }
825 std::vector<uint16_t> preferences =
826 context_->private_key_->GetAlgorithmPreferences();
827 SSL_set_signing_algorithm_prefs(ssl_.get(), preferences.data(),
828 preferences.size());
829 }
830
831 if (context_->ssl_server_config_.signature_algorithm_for_testing
832 .has_value()) {
833 uint16_t id = *context_->ssl_server_config_.signature_algorithm_for_testing;
834 CHECK(SSL_set_signing_algorithm_prefs(ssl_.get(), &id, 1));
835 }
836
837 const std::vector<int>& curves =
838 context_->ssl_server_config_.curves_for_testing;
839 if (!curves.empty()) {
840 CHECK(SSL_set1_curves(ssl_.get(), curves.data(), curves.size()));
841 }
842
843 transport_adapter_ = std::make_unique<SocketBIOAdapter>(
844 transport_socket_.get(), kBufferSize, kBufferSize, this);
845 BIO* transport_bio = transport_adapter_->bio();
846
847 BIO_up_ref(transport_bio); // SSL_set0_rbio takes ownership.
848 SSL_set0_rbio(ssl_.get(), transport_bio);
849
850 BIO_up_ref(transport_bio); // SSL_set0_wbio takes ownership.
851 SSL_set0_wbio(ssl_.get(), transport_bio);
852
853 return OK;
854 }
855
FromSSL(SSL * ssl)856 SSLServerContextImpl::SocketImpl* SSLServerContextImpl::SocketImpl::FromSSL(
857 SSL* ssl) {
858 SocketImpl* socket = reinterpret_cast<SocketImpl*>(SSL_get_app_data(ssl));
859 DCHECK(socket);
860 return socket;
861 }
862
863 // static
CertVerifyCallback(SSL * ssl,uint8_t * out_alert)864 ssl_verify_result_t SSLServerContextImpl::SocketImpl::CertVerifyCallback(
865 SSL* ssl,
866 uint8_t* out_alert) {
867 return FromSSL(ssl)->CertVerifyCallbackImpl(out_alert);
868 }
869
CertVerifyCallbackImpl(uint8_t * out_alert)870 ssl_verify_result_t SSLServerContextImpl::SocketImpl::CertVerifyCallbackImpl(
871 uint8_t* out_alert) {
872 ClientCertVerifier* verifier =
873 context_->ssl_server_config_.client_cert_verifier;
874 // If a verifier was not supplied, all certificates are accepted.
875 if (!verifier)
876 return ssl_verify_ok;
877
878 scoped_refptr<X509Certificate> client_cert =
879 x509_util::CreateX509CertificateFromBuffers(
880 SSL_get0_peer_certificates(ssl_.get()));
881 if (!client_cert) {
882 *out_alert = SSL_AD_BAD_CERTIFICATE;
883 return ssl_verify_invalid;
884 }
885
886 // TODO(davidben): Support asynchronous verifiers. http://crbug.com/347402
887 std::unique_ptr<ClientCertVerifier::Request> ignore_async;
888 int res = verifier->Verify(client_cert.get(), CompletionOnceCallback(),
889 &ignore_async);
890 DCHECK_NE(res, ERR_IO_PENDING);
891
892 if (res != OK) {
893 // TODO(davidben): Map from certificate verification failure to alert.
894 *out_alert = SSL_AD_CERTIFICATE_UNKNOWN;
895 return ssl_verify_invalid;
896 }
897 return ssl_verify_ok;
898 }
899
CreateSSLServerContext(X509Certificate * certificate,EVP_PKEY * pkey,const SSLServerConfig & ssl_server_config)900 std::unique_ptr<SSLServerContext> CreateSSLServerContext(
901 X509Certificate* certificate,
902 EVP_PKEY* pkey,
903 const SSLServerConfig& ssl_server_config) {
904 return std::make_unique<SSLServerContextImpl>(certificate, pkey,
905 ssl_server_config);
906 }
907
CreateSSLServerContext(X509Certificate * certificate,const crypto::RSAPrivateKey & key,const SSLServerConfig & ssl_server_config)908 std::unique_ptr<SSLServerContext> CreateSSLServerContext(
909 X509Certificate* certificate,
910 const crypto::RSAPrivateKey& key,
911 const SSLServerConfig& ssl_server_config) {
912 return std::make_unique<SSLServerContextImpl>(certificate, key.key(),
913 ssl_server_config);
914 }
915
CreateSSLServerContext(X509Certificate * certificate,scoped_refptr<SSLPrivateKey> key,const SSLServerConfig & ssl_config)916 std::unique_ptr<SSLServerContext> CreateSSLServerContext(
917 X509Certificate* certificate,
918 scoped_refptr<SSLPrivateKey> key,
919 const SSLServerConfig& ssl_config) {
920 return std::make_unique<SSLServerContextImpl>(certificate, key, ssl_config);
921 }
922
SSLServerContextImpl(X509Certificate * certificate,scoped_refptr<net::SSLPrivateKey> key,const SSLServerConfig & ssl_server_config)923 SSLServerContextImpl::SSLServerContextImpl(
924 X509Certificate* certificate,
925 scoped_refptr<net::SSLPrivateKey> key,
926 const SSLServerConfig& ssl_server_config)
927 : ssl_server_config_(ssl_server_config),
928 cert_(certificate),
929 private_key_(key) {
930 CHECK(private_key_);
931 Init();
932 }
933
SSLServerContextImpl(X509Certificate * certificate,EVP_PKEY * pkey,const SSLServerConfig & ssl_server_config)934 SSLServerContextImpl::SSLServerContextImpl(
935 X509Certificate* certificate,
936 EVP_PKEY* pkey,
937 const SSLServerConfig& ssl_server_config)
938 : ssl_server_config_(ssl_server_config), cert_(certificate) {
939 CHECK(pkey);
940 pkey_ = bssl::UpRef(pkey);
941 Init();
942 }
943
Init()944 void SSLServerContextImpl::Init() {
945 crypto::EnsureOpenSSLInit();
946 ssl_ctx_.reset(SSL_CTX_new(TLS_with_buffers_method()));
947 SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_SERVER);
948 uint8_t session_ctx_id = 0;
949 SSL_CTX_set_session_id_context(ssl_ctx_.get(), &session_ctx_id,
950 sizeof(session_ctx_id));
951 // Deduplicate all certificates minted from the SSL_CTX in memory.
952 SSL_CTX_set0_buffer_pool(ssl_ctx_.get(), x509_util::GetBufferPool());
953
954 int verify_mode = 0;
955 switch (ssl_server_config_.client_cert_type) {
956 case SSLServerConfig::ClientCertType::REQUIRE_CLIENT_CERT:
957 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
958 [[fallthrough]];
959 case SSLServerConfig::ClientCertType::OPTIONAL_CLIENT_CERT:
960 verify_mode |= SSL_VERIFY_PEER;
961 SSL_CTX_set_custom_verify(ssl_ctx_.get(), verify_mode,
962 SocketImpl::CertVerifyCallback);
963 break;
964 case SSLServerConfig::ClientCertType::NO_CLIENT_CERT:
965 break;
966 }
967
968 SSL_CTX_set_early_data_enabled(ssl_ctx_.get(),
969 ssl_server_config_.early_data_enabled);
970 // TLS versions before TLS 1.2 are no longer supported.
971 CHECK_LE(TLS1_2_VERSION, ssl_server_config_.version_min);
972 CHECK_LE(TLS1_2_VERSION, ssl_server_config_.version_max);
973 CHECK(SSL_CTX_set_min_proto_version(ssl_ctx_.get(),
974 ssl_server_config_.version_min));
975 CHECK(SSL_CTX_set_max_proto_version(ssl_ctx_.get(),
976 ssl_server_config_.version_max));
977
978 // OpenSSL defaults some options to on, others to off. To avoid ambiguity,
979 // set everything we care about to an absolute value.
980 SslSetClearMask options;
981 options.ConfigureFlag(SSL_OP_NO_COMPRESSION, true);
982
983 SSL_CTX_set_options(ssl_ctx_.get(), options.set_mask);
984 SSL_CTX_clear_options(ssl_ctx_.get(), options.clear_mask);
985
986 // Same as above, this time for the SSL mode.
987 SslSetClearMask mode;
988
989 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true);
990
991 SSL_CTX_set_mode(ssl_ctx_.get(), mode.set_mask);
992 SSL_CTX_clear_mode(ssl_ctx_.get(), mode.clear_mask);
993
994 if (ssl_server_config_.cipher_suite_for_testing.has_value()) {
995 const SSL_CIPHER* cipher =
996 SSL_get_cipher_by_value(*ssl_server_config_.cipher_suite_for_testing);
997 CHECK(cipher);
998 CHECK(SSL_CTX_set_strict_cipher_list(ssl_ctx_.get(),
999 SSL_CIPHER_get_name(cipher)));
1000 } else {
1001 // Use BoringSSL defaults, but disable 3DES and HMAC-SHA1 ciphers in ECDSA.
1002 // These are the remaining CBC-mode ECDSA ciphers.
1003 std::string command("ALL:!aPSK:!ECDSA+SHA1:!3DES");
1004
1005 // SSLPrivateKey only supports ECDHE-based ciphers because it lacks decrypt.
1006 if (ssl_server_config_.require_ecdhe || (!pkey_ && private_key_))
1007 command.append(":!kRSA");
1008
1009 // Remove any disabled ciphers.
1010 for (uint16_t id : ssl_server_config_.disabled_cipher_suites) {
1011 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id);
1012 if (cipher) {
1013 command.append(":!");
1014 command.append(SSL_CIPHER_get_name(cipher));
1015 }
1016 }
1017
1018 CHECK(SSL_CTX_set_strict_cipher_list(ssl_ctx_.get(), command.c_str()));
1019 }
1020
1021 if (ssl_server_config_.client_cert_type !=
1022 SSLServerConfig::ClientCertType::NO_CLIENT_CERT &&
1023 !ssl_server_config_.cert_authorities.empty()) {
1024 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> stack(sk_CRYPTO_BUFFER_new_null());
1025 for (const auto& authority : ssl_server_config_.cert_authorities) {
1026 sk_CRYPTO_BUFFER_push(stack.get(),
1027 x509_util::CreateCryptoBuffer(authority).release());
1028 }
1029 SSL_CTX_set0_client_CAs(ssl_ctx_.get(), stack.release());
1030 }
1031
1032 SSL_CTX_set_alpn_select_cb(ssl_ctx_.get(), &SocketImpl::ALPNSelectCallback,
1033 nullptr);
1034
1035 if (!ssl_server_config_.ocsp_response.empty()) {
1036 SSL_CTX_set_ocsp_response(ssl_ctx_.get(),
1037 ssl_server_config_.ocsp_response.data(),
1038 ssl_server_config_.ocsp_response.size());
1039 }
1040
1041 if (!ssl_server_config_.signed_cert_timestamp_list.empty()) {
1042 SSL_CTX_set_signed_cert_timestamp_list(
1043 ssl_ctx_.get(), ssl_server_config_.signed_cert_timestamp_list.data(),
1044 ssl_server_config_.signed_cert_timestamp_list.size());
1045 }
1046
1047 if (ssl_server_config_.ech_keys) {
1048 CHECK(SSL_CTX_set1_ech_keys(ssl_ctx_.get(),
1049 ssl_server_config_.ech_keys.get()));
1050 }
1051
1052 SSL_CTX_set_select_certificate_cb(ssl_ctx_.get(),
1053 &SocketImpl::SelectCertificateCallback);
1054 }
1055
1056 SSLServerContextImpl::~SSLServerContextImpl() = default;
1057
CreateSSLServerSocket(std::unique_ptr<StreamSocket> socket)1058 std::unique_ptr<SSLServerSocket> SSLServerContextImpl::CreateSSLServerSocket(
1059 std::unique_ptr<StreamSocket> socket) {
1060 return std::make_unique<SocketImpl>(this, std::move(socket));
1061 }
1062
1063 } // namespace net
1064