1 // Copyright (c) 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "quiche/quic/core/tls_client_handshaker.h"
6
7 #include <cstring>
8 #include <string>
9
10 #include "absl/strings/str_cat.h"
11 #include "absl/strings/string_view.h"
12 #include "openssl/ssl.h"
13 #include "quiche/quic/core/crypto/quic_crypto_client_config.h"
14 #include "quiche/quic/core/crypto/quic_encrypter.h"
15 #include "quiche/quic/core/crypto/transport_parameters.h"
16 #include "quiche/quic/core/quic_session.h"
17 #include "quiche/quic/core/quic_types.h"
18 #include "quiche/quic/platform/api/quic_flags.h"
19 #include "quiche/quic/platform/api/quic_hostname_utils.h"
20 #include "quiche/common/quiche_text_utils.h"
21
22 namespace quic {
23
TlsClientHandshaker(const QuicServerId & server_id,QuicCryptoStream * stream,QuicSession * session,std::unique_ptr<ProofVerifyContext> verify_context,QuicCryptoClientConfig * crypto_config,QuicCryptoClientStream::ProofHandler * proof_handler,bool has_application_state)24 TlsClientHandshaker::TlsClientHandshaker(
25 const QuicServerId& server_id, QuicCryptoStream* stream,
26 QuicSession* session, std::unique_ptr<ProofVerifyContext> verify_context,
27 QuicCryptoClientConfig* crypto_config,
28 QuicCryptoClientStream::ProofHandler* proof_handler,
29 bool has_application_state)
30 : TlsHandshaker(stream, session),
31 session_(session),
32 server_id_(server_id),
33 proof_verifier_(crypto_config->proof_verifier()),
34 verify_context_(std::move(verify_context)),
35 proof_handler_(proof_handler),
36 session_cache_(crypto_config->session_cache()),
37 user_agent_id_(crypto_config->user_agent_id()),
38 pre_shared_key_(crypto_config->pre_shared_key()),
39 crypto_negotiated_params_(new QuicCryptoNegotiatedParameters),
40 has_application_state_(has_application_state),
41 tls_connection_(crypto_config->ssl_ctx(), this, session->GetSSLConfig()) {
42 if (crypto_config->tls_signature_algorithms().has_value()) {
43 SSL_set1_sigalgs_list(ssl(),
44 crypto_config->tls_signature_algorithms()->c_str());
45 }
46 if (crypto_config->proof_source() != nullptr) {
47 const ClientProofSource::CertAndKey* cert_and_key =
48 crypto_config->proof_source()->GetCertAndKey(server_id.host());
49 if (cert_and_key != nullptr) {
50 QUIC_DVLOG(1) << "Setting client cert and key for " << server_id.host();
51 tls_connection_.SetCertChain(cert_and_key->chain->ToCryptoBuffers().value,
52 cert_and_key->private_key.private_key());
53 }
54 }
55 }
56
~TlsClientHandshaker()57 TlsClientHandshaker::~TlsClientHandshaker() {}
58
CryptoConnect()59 bool TlsClientHandshaker::CryptoConnect() {
60 if (!pre_shared_key_.empty()) {
61 // TODO(b/154162689) add PSK support to QUIC+TLS.
62 std::string error_details =
63 "QUIC client pre-shared keys not yet supported with TLS";
64 QUIC_BUG(quic_bug_10576_1) << error_details;
65 CloseConnection(QUIC_HANDSHAKE_FAILED, error_details);
66 return false;
67 }
68
69 // Make sure we use the right TLS extension codepoint.
70 int use_legacy_extension = 0;
71 if (session()->version().UsesLegacyTlsExtension()) {
72 use_legacy_extension = 1;
73 }
74 SSL_set_quic_use_legacy_codepoint(ssl(), use_legacy_extension);
75
76 // TODO(b/193650832) Add SetFromConfig to QUIC handshakers and remove reliance
77 // on session pointer.
78 #if BORINGSSL_API_VERSION >= 16
79 // Ask BoringSSL to randomize the order of TLS extensions.
80 SSL_set_permute_extensions(ssl(), true);
81 #endif // BORINGSSL_API_VERSION
82
83 // Set the SNI to send, if any.
84 SSL_set_connect_state(ssl());
85 if (QUIC_DLOG_INFO_IS_ON() &&
86 !QuicHostnameUtils::IsValidSNI(server_id_.host())) {
87 QUIC_DLOG(INFO) << "Client configured with invalid hostname \""
88 << server_id_.host() << "\", not sending as SNI";
89 }
90 if (!server_id_.host().empty() &&
91 (QuicHostnameUtils::IsValidSNI(server_id_.host()) ||
92 allow_invalid_sni_for_tests_) &&
93 SSL_set_tlsext_host_name(ssl(), server_id_.host().c_str()) != 1) {
94 return false;
95 }
96
97 if (!SetAlpn()) {
98 CloseConnection(QUIC_HANDSHAKE_FAILED, "Client failed to set ALPN");
99 return false;
100 }
101
102 // Set the Transport Parameters to send in the ClientHello
103 if (!SetTransportParameters()) {
104 CloseConnection(QUIC_HANDSHAKE_FAILED,
105 "Client failed to set Transport Parameters");
106 return false;
107 }
108
109 // Set a session to resume, if there is one.
110 if (session_cache_) {
111 cached_state_ = session_cache_->Lookup(
112 server_id_, session()->GetClock()->WallNow(), SSL_get_SSL_CTX(ssl()));
113 }
114 if (cached_state_) {
115 SSL_set_session(ssl(), cached_state_->tls_session.get());
116 if (!cached_state_->token.empty()) {
117 session()->SetSourceAddressTokenToSend(cached_state_->token);
118 }
119 }
120
121 SSL_set_enable_ech_grease(ssl(),
122 tls_connection_.ssl_config().ech_grease_enabled);
123 if (!tls_connection_.ssl_config().ech_config_list.empty() &&
124 !SSL_set1_ech_config_list(
125 ssl(),
126 reinterpret_cast<const uint8_t*>(
127 tls_connection_.ssl_config().ech_config_list.data()),
128 tls_connection_.ssl_config().ech_config_list.size())) {
129 CloseConnection(QUIC_HANDSHAKE_FAILED,
130 "Client failed to set ECHConfigList");
131 return false;
132 }
133
134 // Start the handshake.
135 AdvanceHandshake();
136 return session()->connection()->connected();
137 }
138
PrepareZeroRttConfig(QuicResumptionState * cached_state)139 bool TlsClientHandshaker::PrepareZeroRttConfig(
140 QuicResumptionState* cached_state) {
141 std::string error_details;
142 if (!cached_state->transport_params ||
143 handshaker_delegate()->ProcessTransportParameters(
144 *(cached_state->transport_params),
145 /*is_resumption = */ true, &error_details) != QUIC_NO_ERROR) {
146 QUIC_BUG(quic_bug_10576_2)
147 << "Unable to parse cached transport parameters.";
148 CloseConnection(QUIC_HANDSHAKE_FAILED,
149 "Client failed to parse cached Transport Parameters.");
150 return false;
151 }
152
153 session()->connection()->OnTransportParametersResumed(
154 *(cached_state->transport_params));
155 session()->OnConfigNegotiated();
156
157 if (has_application_state_) {
158 if (!cached_state->application_state ||
159 !session()->ResumeApplicationState(
160 cached_state->application_state.get())) {
161 QUIC_BUG(quic_bug_10576_3) << "Unable to parse cached application state.";
162 CloseConnection(QUIC_HANDSHAKE_FAILED,
163 "Client failed to parse cached application state.");
164 return false;
165 }
166 }
167 return true;
168 }
169
IsValidAlpn(const std::string & alpn_string)170 static bool IsValidAlpn(const std::string& alpn_string) {
171 return alpn_string.length() <= std::numeric_limits<uint8_t>::max();
172 }
173
SetAlpn()174 bool TlsClientHandshaker::SetAlpn() {
175 std::vector<std::string> alpns = session()->GetAlpnsToOffer();
176 if (alpns.empty()) {
177 if (allow_empty_alpn_for_tests_) {
178 return true;
179 }
180
181 QUIC_BUG(quic_bug_10576_4) << "ALPN missing";
182 return false;
183 }
184 if (!std::all_of(alpns.begin(), alpns.end(), IsValidAlpn)) {
185 QUIC_BUG(quic_bug_10576_5) << "ALPN too long";
186 return false;
187 }
188
189 // SSL_set_alpn_protos expects a sequence of one-byte-length-prefixed
190 // strings.
191 uint8_t alpn[1024];
192 QuicDataWriter alpn_writer(sizeof(alpn), reinterpret_cast<char*>(alpn));
193 bool success = true;
194 for (const std::string& alpn_string : alpns) {
195 success = success && alpn_writer.WriteUInt8(alpn_string.size()) &&
196 alpn_writer.WriteStringPiece(alpn_string);
197 }
198 success =
199 success && (SSL_set_alpn_protos(ssl(), alpn, alpn_writer.length()) == 0);
200 if (!success) {
201 QUIC_BUG(quic_bug_10576_6)
202 << "Failed to set ALPN: "
203 << quiche::QuicheTextUtils::HexDump(
204 absl::string_view(alpn_writer.data(), alpn_writer.length()));
205 return false;
206 }
207
208 // Enable ALPS only for versions that use HTTP/3 frames.
209 for (const std::string& alpn_string : alpns) {
210 for (const ParsedQuicVersion& version : session()->supported_versions()) {
211 if (!version.UsesHttp3() || AlpnForVersion(version) != alpn_string) {
212 continue;
213 }
214 if (SSL_add_application_settings(
215 ssl(), reinterpret_cast<const uint8_t*>(alpn_string.data()),
216 alpn_string.size(), nullptr, /* settings_len = */ 0) != 1) {
217 QUIC_BUG(quic_bug_10576_7) << "Failed to enable ALPS.";
218 return false;
219 }
220 break;
221 }
222 }
223
224 QUIC_DLOG(INFO) << "Client using ALPN: '" << alpns[0] << "'";
225 return true;
226 }
227
SetTransportParameters()228 bool TlsClientHandshaker::SetTransportParameters() {
229 TransportParameters params;
230 params.perspective = Perspective::IS_CLIENT;
231 params.legacy_version_information =
232 TransportParameters::LegacyVersionInformation();
233 params.legacy_version_information.value().version =
234 CreateQuicVersionLabel(session()->supported_versions().front());
235 params.version_information = TransportParameters::VersionInformation();
236 const QuicVersionLabel version = CreateQuicVersionLabel(session()->version());
237 params.version_information.value().chosen_version = version;
238 params.version_information.value().other_versions.push_back(version);
239
240 if (!handshaker_delegate()->FillTransportParameters(¶ms)) {
241 return false;
242 }
243
244 // Notify QuicConnectionDebugVisitor.
245 session()->connection()->OnTransportParametersSent(params);
246
247 std::vector<uint8_t> param_bytes;
248 return SerializeTransportParameters(params, ¶m_bytes) &&
249 SSL_set_quic_transport_params(ssl(), param_bytes.data(),
250 param_bytes.size()) == 1;
251 }
252
ProcessTransportParameters(std::string * error_details)253 bool TlsClientHandshaker::ProcessTransportParameters(
254 std::string* error_details) {
255 received_transport_params_ = std::make_unique<TransportParameters>();
256 const uint8_t* param_bytes;
257 size_t param_bytes_len;
258 SSL_get_peer_quic_transport_params(ssl(), ¶m_bytes, ¶m_bytes_len);
259 if (param_bytes_len == 0) {
260 *error_details = "Server's transport parameters are missing";
261 return false;
262 }
263 std::string parse_error_details;
264 if (!ParseTransportParameters(
265 session()->connection()->version(), Perspective::IS_SERVER,
266 param_bytes, param_bytes_len, received_transport_params_.get(),
267 &parse_error_details)) {
268 QUICHE_DCHECK(!parse_error_details.empty());
269 *error_details =
270 "Unable to parse server's transport parameters: " + parse_error_details;
271 return false;
272 }
273
274 // Notify QuicConnectionDebugVisitor.
275 session()->connection()->OnTransportParametersReceived(
276 *received_transport_params_);
277
278 if (received_transport_params_->legacy_version_information.has_value()) {
279 if (received_transport_params_->legacy_version_information.value()
280 .version !=
281 CreateQuicVersionLabel(session()->connection()->version())) {
282 *error_details = "Version mismatch detected";
283 return false;
284 }
285 if (CryptoUtils::ValidateServerHelloVersions(
286 received_transport_params_->legacy_version_information.value()
287 .supported_versions,
288 session()->connection()->server_supported_versions(),
289 error_details) != QUIC_NO_ERROR) {
290 QUICHE_DCHECK(!error_details->empty());
291 return false;
292 }
293 }
294 if (received_transport_params_->version_information.has_value()) {
295 if (!CryptoUtils::ValidateChosenVersion(
296 received_transport_params_->version_information.value()
297 .chosen_version,
298 session()->version(), error_details)) {
299 QUICHE_DCHECK(!error_details->empty());
300 return false;
301 }
302 if (!CryptoUtils::CryptoUtils::ValidateServerVersions(
303 received_transport_params_->version_information.value()
304 .other_versions,
305 session()->version(),
306 session()->client_original_supported_versions(), error_details)) {
307 QUICHE_DCHECK(!error_details->empty());
308 return false;
309 }
310 }
311
312 if (handshaker_delegate()->ProcessTransportParameters(
313 *received_transport_params_, /* is_resumption = */ false,
314 error_details) != QUIC_NO_ERROR) {
315 QUICHE_DCHECK(!error_details->empty());
316 return false;
317 }
318
319 session()->OnConfigNegotiated();
320 if (is_connection_closed()) {
321 *error_details =
322 "Session closed the connection when parsing negotiated config.";
323 return false;
324 }
325 return true;
326 }
327
num_sent_client_hellos() const328 int TlsClientHandshaker::num_sent_client_hellos() const { return 0; }
329
IsResumption() const330 bool TlsClientHandshaker::IsResumption() const {
331 QUIC_BUG_IF(quic_bug_12736_1, !one_rtt_keys_available());
332 return SSL_session_reused(ssl()) == 1;
333 }
334
EarlyDataAccepted() const335 bool TlsClientHandshaker::EarlyDataAccepted() const {
336 QUIC_BUG_IF(quic_bug_12736_2, !one_rtt_keys_available());
337 return SSL_early_data_accepted(ssl()) == 1;
338 }
339
EarlyDataReason() const340 ssl_early_data_reason_t TlsClientHandshaker::EarlyDataReason() const {
341 return TlsHandshaker::EarlyDataReason();
342 }
343
ReceivedInchoateReject() const344 bool TlsClientHandshaker::ReceivedInchoateReject() const {
345 QUIC_BUG_IF(quic_bug_12736_3, !one_rtt_keys_available());
346 // REJ messages are a QUIC crypto feature, so TLS always returns false.
347 return false;
348 }
349
num_scup_messages_received() const350 int TlsClientHandshaker::num_scup_messages_received() const {
351 // SCUP messages aren't sent or received when using the TLS handshake.
352 return 0;
353 }
354
chlo_hash() const355 std::string TlsClientHandshaker::chlo_hash() const { return ""; }
356
ExportKeyingMaterial(absl::string_view label,absl::string_view context,size_t result_len,std::string * result)357 bool TlsClientHandshaker::ExportKeyingMaterial(absl::string_view label,
358 absl::string_view context,
359 size_t result_len,
360 std::string* result) {
361 return ExportKeyingMaterialForLabel(label, context, result_len, result);
362 }
363
encryption_established() const364 bool TlsClientHandshaker::encryption_established() const {
365 return encryption_established_;
366 }
367
IsCryptoFrameExpectedForEncryptionLevel(EncryptionLevel level) const368 bool TlsClientHandshaker::IsCryptoFrameExpectedForEncryptionLevel(
369 EncryptionLevel level) const {
370 return level != ENCRYPTION_ZERO_RTT;
371 }
372
GetEncryptionLevelToSendCryptoDataOfSpace(PacketNumberSpace space) const373 EncryptionLevel TlsClientHandshaker::GetEncryptionLevelToSendCryptoDataOfSpace(
374 PacketNumberSpace space) const {
375 switch (space) {
376 case INITIAL_DATA:
377 return ENCRYPTION_INITIAL;
378 case HANDSHAKE_DATA:
379 return ENCRYPTION_HANDSHAKE;
380 default:
381 QUICHE_DCHECK(false);
382 return NUM_ENCRYPTION_LEVELS;
383 }
384 }
385
one_rtt_keys_available() const386 bool TlsClientHandshaker::one_rtt_keys_available() const {
387 return state_ >= HANDSHAKE_COMPLETE;
388 }
389
390 const QuicCryptoNegotiatedParameters&
crypto_negotiated_params() const391 TlsClientHandshaker::crypto_negotiated_params() const {
392 return *crypto_negotiated_params_;
393 }
394
crypto_message_parser()395 CryptoMessageParser* TlsClientHandshaker::crypto_message_parser() {
396 return TlsHandshaker::crypto_message_parser();
397 }
398
GetHandshakeState() const399 HandshakeState TlsClientHandshaker::GetHandshakeState() const { return state_; }
400
BufferSizeLimitForLevel(EncryptionLevel level) const401 size_t TlsClientHandshaker::BufferSizeLimitForLevel(
402 EncryptionLevel level) const {
403 return TlsHandshaker::BufferSizeLimitForLevel(level);
404 }
405
406 std::unique_ptr<QuicDecrypter>
AdvanceKeysAndCreateCurrentOneRttDecrypter()407 TlsClientHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter() {
408 return TlsHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter();
409 }
410
411 std::unique_ptr<QuicEncrypter>
CreateCurrentOneRttEncrypter()412 TlsClientHandshaker::CreateCurrentOneRttEncrypter() {
413 return TlsHandshaker::CreateCurrentOneRttEncrypter();
414 }
415
OnOneRttPacketAcknowledged()416 void TlsClientHandshaker::OnOneRttPacketAcknowledged() {
417 OnHandshakeConfirmed();
418 }
419
OnHandshakePacketSent()420 void TlsClientHandshaker::OnHandshakePacketSent() {
421 if (initial_keys_dropped_) {
422 return;
423 }
424 initial_keys_dropped_ = true;
425 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_INITIAL);
426 handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_INITIAL);
427 }
428
OnConnectionClosed(QuicErrorCode error,ConnectionCloseSource source)429 void TlsClientHandshaker::OnConnectionClosed(QuicErrorCode error,
430 ConnectionCloseSource source) {
431 TlsHandshaker::OnConnectionClosed(error, source);
432 }
433
OnHandshakeDoneReceived()434 void TlsClientHandshaker::OnHandshakeDoneReceived() {
435 if (!one_rtt_keys_available()) {
436 CloseConnection(QUIC_HANDSHAKE_FAILED,
437 "Unexpected handshake done received");
438 return;
439 }
440 OnHandshakeConfirmed();
441 }
442
OnNewTokenReceived(absl::string_view token)443 void TlsClientHandshaker::OnNewTokenReceived(absl::string_view token) {
444 if (token.empty()) {
445 return;
446 }
447 if (session_cache_ != nullptr) {
448 session_cache_->OnNewTokenReceived(server_id_, token);
449 }
450 }
451
SetWriteSecret(EncryptionLevel level,const SSL_CIPHER * cipher,absl::Span<const uint8_t> write_secret)452 void TlsClientHandshaker::SetWriteSecret(
453 EncryptionLevel level, const SSL_CIPHER* cipher,
454 absl::Span<const uint8_t> write_secret) {
455 if (is_connection_closed()) {
456 return;
457 }
458 if (level == ENCRYPTION_FORWARD_SECURE || level == ENCRYPTION_ZERO_RTT) {
459 encryption_established_ = true;
460 }
461 TlsHandshaker::SetWriteSecret(level, cipher, write_secret);
462 if (level == ENCRYPTION_FORWARD_SECURE) {
463 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_ZERO_RTT);
464 }
465 }
466
OnHandshakeConfirmed()467 void TlsClientHandshaker::OnHandshakeConfirmed() {
468 QUICHE_DCHECK(one_rtt_keys_available());
469 if (state_ >= HANDSHAKE_CONFIRMED) {
470 return;
471 }
472 state_ = HANDSHAKE_CONFIRMED;
473 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_HANDSHAKE);
474 handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_HANDSHAKE);
475 }
476
VerifyCertChain(const std::vector<std::string> & certs,std::string * error_details,std::unique_ptr<ProofVerifyDetails> * details,uint8_t * out_alert,std::unique_ptr<ProofVerifierCallback> callback)477 QuicAsyncStatus TlsClientHandshaker::VerifyCertChain(
478 const std::vector<std::string>& certs, std::string* error_details,
479 std::unique_ptr<ProofVerifyDetails>* details, uint8_t* out_alert,
480 std::unique_ptr<ProofVerifierCallback> callback) {
481 const uint8_t* ocsp_response_raw;
482 size_t ocsp_response_len;
483 SSL_get0_ocsp_response(ssl(), &ocsp_response_raw, &ocsp_response_len);
484 std::string ocsp_response(reinterpret_cast<const char*>(ocsp_response_raw),
485 ocsp_response_len);
486 const uint8_t* sct_list_raw;
487 size_t sct_list_len;
488 SSL_get0_signed_cert_timestamp_list(ssl(), &sct_list_raw, &sct_list_len);
489 std::string sct_list(reinterpret_cast<const char*>(sct_list_raw),
490 sct_list_len);
491
492 return proof_verifier_->VerifyCertChain(
493 server_id_.host(), server_id_.port(), certs, ocsp_response, sct_list,
494 verify_context_.get(), error_details, details, out_alert,
495 std::move(callback));
496 }
497
OnProofVerifyDetailsAvailable(const ProofVerifyDetails & verify_details)498 void TlsClientHandshaker::OnProofVerifyDetailsAvailable(
499 const ProofVerifyDetails& verify_details) {
500 proof_handler_->OnProofVerifyDetailsAvailable(verify_details);
501 }
502
FinishHandshake()503 void TlsClientHandshaker::FinishHandshake() {
504 FillNegotiatedParams();
505
506 QUICHE_CHECK(!SSL_in_early_data(ssl()));
507
508 QUIC_LOG(INFO) << "Client: handshake finished";
509
510 std::string error_details;
511 if (!ProcessTransportParameters(&error_details)) {
512 QUICHE_DCHECK(!error_details.empty());
513 CloseConnection(QUIC_HANDSHAKE_FAILED, error_details);
514 return;
515 }
516
517 const uint8_t* alpn_data = nullptr;
518 unsigned alpn_length = 0;
519 SSL_get0_alpn_selected(ssl(), &alpn_data, &alpn_length);
520
521 if (alpn_length == 0) {
522 QUIC_DLOG(ERROR) << "Client: server did not select ALPN";
523 // TODO(b/130164908) this should send no_application_protocol
524 // instead of QUIC_HANDSHAKE_FAILED.
525 CloseConnection(QUIC_HANDSHAKE_FAILED, "Server did not select ALPN");
526 return;
527 }
528
529 std::string received_alpn_string(reinterpret_cast<const char*>(alpn_data),
530 alpn_length);
531 std::vector<std::string> offered_alpns = session()->GetAlpnsToOffer();
532 if (std::find(offered_alpns.begin(), offered_alpns.end(),
533 received_alpn_string) == offered_alpns.end()) {
534 QUIC_LOG(ERROR) << "Client: received mismatched ALPN '"
535 << received_alpn_string;
536 // TODO(b/130164908) this should send no_application_protocol
537 // instead of QUIC_HANDSHAKE_FAILED.
538 CloseConnection(QUIC_HANDSHAKE_FAILED, "Client received mismatched ALPN");
539 return;
540 }
541 session()->OnAlpnSelected(received_alpn_string);
542 QUIC_DLOG(INFO) << "Client: server selected ALPN: '" << received_alpn_string
543 << "'";
544
545 // Parse ALPS extension.
546 const uint8_t* alps_data;
547 size_t alps_length;
548 SSL_get0_peer_application_settings(ssl(), &alps_data, &alps_length);
549 if (alps_length > 0) {
550 auto error = session()->OnAlpsData(alps_data, alps_length);
551 if (error) {
552 // Calling CloseConnection() is safe even in case OnAlpsData() has
553 // already closed the connection.
554 CloseConnection(
555 QUIC_HANDSHAKE_FAILED,
556 absl::StrCat("Error processing ALPS data: ", error.value()));
557 return;
558 }
559 }
560
561 state_ = HANDSHAKE_COMPLETE;
562 handshaker_delegate()->OnTlsHandshakeComplete();
563 }
564
OnEnterEarlyData()565 void TlsClientHandshaker::OnEnterEarlyData() {
566 QUICHE_DCHECK(SSL_in_early_data(ssl()));
567
568 // TODO(wub): It might be unnecessary to FillNegotiatedParams() at this time,
569 // because we fill it again when handshake completes.
570 FillNegotiatedParams();
571
572 // If we're attempting a 0-RTT handshake, then we need to let the transport
573 // and application know what state to apply to early data.
574 PrepareZeroRttConfig(cached_state_.get());
575 }
576
FillNegotiatedParams()577 void TlsClientHandshaker::FillNegotiatedParams() {
578 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
579 if (cipher) {
580 crypto_negotiated_params_->cipher_suite =
581 SSL_CIPHER_get_protocol_id(cipher);
582 }
583 crypto_negotiated_params_->key_exchange_group = SSL_get_curve_id(ssl());
584 crypto_negotiated_params_->peer_signature_algorithm =
585 SSL_get_peer_signature_algorithm(ssl());
586 crypto_negotiated_params_->encrypted_client_hello = SSL_ech_accepted(ssl());
587 }
588
ProcessPostHandshakeMessage()589 void TlsClientHandshaker::ProcessPostHandshakeMessage() {
590 int rv = SSL_process_quic_post_handshake(ssl());
591 if (rv != 1) {
592 CloseConnection(QUIC_HANDSHAKE_FAILED, "Unexpected post-handshake data");
593 }
594 }
595
ShouldCloseConnectionOnUnexpectedError(int ssl_error)596 bool TlsClientHandshaker::ShouldCloseConnectionOnUnexpectedError(
597 int ssl_error) {
598 if (ssl_error != SSL_ERROR_EARLY_DATA_REJECTED) {
599 return true;
600 }
601 HandleZeroRttReject();
602 return false;
603 }
604
HandleZeroRttReject()605 void TlsClientHandshaker::HandleZeroRttReject() {
606 QUIC_LOG(INFO) << "0-RTT handshake attempted but was rejected by the server";
607 QUICHE_DCHECK(session_cache_);
608 // Disable encrytion to block outgoing data until 1-RTT keys are available.
609 encryption_established_ = false;
610 handshaker_delegate()->OnZeroRttRejected(EarlyDataReason());
611 SSL_reset_early_data_reject(ssl());
612 session_cache_->ClearEarlyData(server_id_);
613 AdvanceHandshake();
614 }
615
InsertSession(bssl::UniquePtr<SSL_SESSION> session)616 void TlsClientHandshaker::InsertSession(bssl::UniquePtr<SSL_SESSION> session) {
617 if (!received_transport_params_) {
618 QUIC_BUG(quic_bug_10576_8) << "Transport parameters isn't received";
619 return;
620 }
621 if (session_cache_ == nullptr) {
622 QUIC_DVLOG(1) << "No session cache, not inserting a session";
623 return;
624 }
625 if (has_application_state_ && !received_application_state_) {
626 // Application state is not received yet. cache the sessions.
627 if (cached_tls_sessions_[0] != nullptr) {
628 cached_tls_sessions_[1] = std::move(cached_tls_sessions_[0]);
629 }
630 cached_tls_sessions_[0] = std::move(session);
631 return;
632 }
633 session_cache_->Insert(server_id_, std::move(session),
634 *received_transport_params_,
635 received_application_state_.get());
636 }
637
WriteMessage(EncryptionLevel level,absl::string_view data)638 void TlsClientHandshaker::WriteMessage(EncryptionLevel level,
639 absl::string_view data) {
640 if (level == ENCRYPTION_HANDSHAKE && state_ < HANDSHAKE_PROCESSED) {
641 state_ = HANDSHAKE_PROCESSED;
642 }
643 TlsHandshaker::WriteMessage(level, data);
644 }
645
SetServerApplicationStateForResumption(std::unique_ptr<ApplicationState> application_state)646 void TlsClientHandshaker::SetServerApplicationStateForResumption(
647 std::unique_ptr<ApplicationState> application_state) {
648 QUICHE_DCHECK(one_rtt_keys_available());
649 received_application_state_ = std::move(application_state);
650 // At least one tls session is cached before application state is received. So
651 // insert now.
652 if (session_cache_ != nullptr && cached_tls_sessions_[0] != nullptr) {
653 if (cached_tls_sessions_[1] != nullptr) {
654 // Insert the older session first.
655 session_cache_->Insert(server_id_, std::move(cached_tls_sessions_[1]),
656 *received_transport_params_,
657 received_application_state_.get());
658 }
659 session_cache_->Insert(server_id_, std::move(cached_tls_sessions_[0]),
660 *received_transport_params_,
661 received_application_state_.get());
662 }
663 }
664
665 } // namespace quic
666