1 // Copyright (c) 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "quiche/quic/core/tls_server_handshaker.h"
6
7 #include <memory>
8 #include <string>
9
10 #include "absl/base/macros.h"
11 #include "absl/strings/str_cat.h"
12 #include "absl/strings/string_view.h"
13 #include "openssl/pool.h"
14 #include "openssl/ssl.h"
15 #include "quiche/quic/core/crypto/quic_crypto_server_config.h"
16 #include "quiche/quic/core/crypto/transport_parameters.h"
17 #include "quiche/quic/core/http/http_encoder.h"
18 #include "quiche/quic/core/http/http_frames.h"
19 #include "quiche/quic/core/quic_time.h"
20 #include "quiche/quic/core/quic_types.h"
21 #include "quiche/quic/platform/api/quic_flag_utils.h"
22 #include "quiche/quic/platform/api/quic_flags.h"
23 #include "quiche/quic/platform/api/quic_hostname_utils.h"
24 #include "quiche/quic/platform/api/quic_logging.h"
25 #include "quiche/quic/platform/api/quic_server_stats.h"
26
27 #define RECORD_LATENCY_IN_US(stat_name, latency, comment) \
28 do { \
29 const int64_t latency_in_us = (latency).ToMicroseconds(); \
30 QUIC_DVLOG(1) << "Recording " stat_name ": " << latency_in_us; \
31 QUIC_SERVER_HISTOGRAM_COUNTS(stat_name, latency_in_us, 1, 10000000, 50, \
32 comment); \
33 } while (0)
34
35 namespace quic {
36
37 namespace {
38
39 // Default port for HTTP/3.
40 uint16_t kDefaultPort = 443;
41
42 } // namespace
43
DefaultProofSourceHandle(TlsServerHandshaker * handshaker,ProofSource * proof_source)44 TlsServerHandshaker::DefaultProofSourceHandle::DefaultProofSourceHandle(
45 TlsServerHandshaker* handshaker, ProofSource* proof_source)
46 : handshaker_(handshaker), proof_source_(proof_source) {}
47
~DefaultProofSourceHandle()48 TlsServerHandshaker::DefaultProofSourceHandle::~DefaultProofSourceHandle() {
49 CloseHandle();
50 }
51
CloseHandle()52 void TlsServerHandshaker::DefaultProofSourceHandle::CloseHandle() {
53 QUIC_DVLOG(1) << "CloseHandle. is_signature_pending="
54 << (signature_callback_ != nullptr);
55 if (signature_callback_) {
56 signature_callback_->Cancel();
57 signature_callback_ = nullptr;
58 }
59 }
60
61 QuicAsyncStatus
SelectCertificate(const QuicSocketAddress & server_address,const QuicSocketAddress & client_address,const QuicConnectionId &,absl::string_view,const std::string & hostname,absl::string_view,const std::string &,absl::optional<std::string>,const std::vector<uint8_t> &,const absl::optional<std::vector<uint8_t>> &,const QuicSSLConfig &)62 TlsServerHandshaker::DefaultProofSourceHandle::SelectCertificate(
63 const QuicSocketAddress& server_address,
64 const QuicSocketAddress& client_address,
65 const QuicConnectionId& /*original_connection_id*/,
66 absl::string_view /*ssl_capabilities*/, const std::string& hostname,
67 absl::string_view /*client_hello*/, const std::string& /*alpn*/,
68 absl::optional<std::string> /*alps*/,
69 const std::vector<uint8_t>& /*quic_transport_params*/,
70 const absl::optional<std::vector<uint8_t>>& /*early_data_context*/,
71 const QuicSSLConfig& /*ssl_config*/) {
72 if (!handshaker_ || !proof_source_) {
73 QUIC_BUG(quic_bug_10341_1)
74 << "SelectCertificate called on a detached handle";
75 return QUIC_FAILURE;
76 }
77
78 bool cert_matched_sni;
79 quiche::QuicheReferenceCountedPointer<ProofSource::Chain> chain =
80 proof_source_->GetCertChain(server_address, client_address, hostname,
81 &cert_matched_sni);
82
83 handshaker_->OnSelectCertificateDone(
84 /*ok=*/true, /*is_sync=*/true, chain.get(),
85 /*handshake_hints=*/absl::string_view(),
86 /*ticket_encryption_key=*/absl::string_view(), cert_matched_sni,
87 QuicDelayedSSLConfig());
88 if (!handshaker_->select_cert_status().has_value()) {
89 QUIC_BUG(quic_bug_12423_1)
90 << "select_cert_status() has no value after a synchronous select cert";
91 // Return success to continue the handshake.
92 return QUIC_SUCCESS;
93 }
94 return handshaker_->select_cert_status().value();
95 }
96
ComputeSignature(const QuicSocketAddress & server_address,const QuicSocketAddress & client_address,const std::string & hostname,uint16_t signature_algorithm,absl::string_view in,size_t max_signature_size)97 QuicAsyncStatus TlsServerHandshaker::DefaultProofSourceHandle::ComputeSignature(
98 const QuicSocketAddress& server_address,
99 const QuicSocketAddress& client_address, const std::string& hostname,
100 uint16_t signature_algorithm, absl::string_view in,
101 size_t max_signature_size) {
102 if (!handshaker_ || !proof_source_) {
103 QUIC_BUG(quic_bug_10341_2)
104 << "ComputeSignature called on a detached handle";
105 return QUIC_FAILURE;
106 }
107
108 if (signature_callback_) {
109 QUIC_BUG(quic_bug_10341_3) << "ComputeSignature called while pending";
110 return QUIC_FAILURE;
111 }
112
113 signature_callback_ = new DefaultSignatureCallback(this);
114 proof_source_->ComputeTlsSignature(
115 server_address, client_address, hostname, signature_algorithm, in,
116 std::unique_ptr<DefaultSignatureCallback>(signature_callback_));
117
118 if (signature_callback_) {
119 QUIC_DVLOG(1) << "ComputeTlsSignature is pending";
120 signature_callback_->set_is_sync(false);
121 return QUIC_PENDING;
122 }
123
124 bool success = handshaker_->HasValidSignature(max_signature_size);
125 QUIC_DVLOG(1) << "ComputeTlsSignature completed synchronously. success:"
126 << success;
127 // OnComputeSignatureDone should have been called by signature_callback_->Run.
128 return success ? QUIC_SUCCESS : QUIC_FAILURE;
129 }
130
DecryptCallback(TlsServerHandshaker * handshaker)131 TlsServerHandshaker::DecryptCallback::DecryptCallback(
132 TlsServerHandshaker* handshaker)
133 : handshaker_(handshaker) {}
134
Run(std::vector<uint8_t> plaintext)135 void TlsServerHandshaker::DecryptCallback::Run(std::vector<uint8_t> plaintext) {
136 if (handshaker_ == nullptr) {
137 // The callback was cancelled before we could run.
138 return;
139 }
140
141 TlsServerHandshaker* handshaker = handshaker_;
142 handshaker_ = nullptr;
143
144 handshaker->decrypted_session_ticket_ = std::move(plaintext);
145 const bool is_async =
146 (handshaker->expected_ssl_error() == SSL_ERROR_PENDING_TICKET);
147
148 absl::optional<QuicConnectionContextSwitcher> context_switcher;
149
150 if (is_async) {
151 context_switcher.emplace(handshaker->connection_context());
152 }
153 QUIC_TRACESTRING(
154 absl::StrCat("TLS ticket decryption done. len(decrypted_ticket):",
155 handshaker->decrypted_session_ticket_.size()));
156
157 // DecryptCallback::Run could be called synchronously. When that happens, we
158 // are currently in the middle of a call to AdvanceHandshake.
159 // (AdvanceHandshake called SSL_do_handshake, which through some layers
160 // called SessionTicketOpen, which called TicketCrypter::Decrypt, which
161 // synchronously called this function.) In that case, the handshake will
162 // continue to be processed when this function returns.
163 //
164 // When this callback is called asynchronously (i.e. the ticket decryption
165 // is pending), TlsServerHandshaker is not actively processing handshake
166 // messages. We need to have it resume processing handshake messages by
167 // calling AdvanceHandshake.
168 if (is_async) {
169 handshaker->AdvanceHandshakeFromCallback();
170 }
171
172 handshaker->ticket_decryption_callback_ = nullptr;
173 }
174
Cancel()175 void TlsServerHandshaker::DecryptCallback::Cancel() {
176 QUICHE_DCHECK(handshaker_);
177 handshaker_ = nullptr;
178 }
179
TlsServerHandshaker(QuicSession * session,const QuicCryptoServerConfig * crypto_config)180 TlsServerHandshaker::TlsServerHandshaker(
181 QuicSession* session, const QuicCryptoServerConfig* crypto_config)
182 : TlsHandshaker(this, session),
183 QuicCryptoServerStreamBase(session),
184 proof_source_(crypto_config->proof_source()),
185 pre_shared_key_(crypto_config->pre_shared_key()),
186 crypto_negotiated_params_(new QuicCryptoNegotiatedParameters),
187 tls_connection_(crypto_config->ssl_ctx(), this, session->GetSSLConfig()),
188 crypto_config_(crypto_config) {
189 QUIC_DVLOG(1) << "TlsServerHandshaker: client_cert_mode initial value: "
190 << client_cert_mode();
191
192 QUICHE_DCHECK_EQ(PROTOCOL_TLS1_3,
193 session->connection()->version().handshake_protocol);
194
195 // Configure the SSL to be a server.
196 SSL_set_accept_state(ssl());
197
198 // Make sure we use the right TLS extension codepoint.
199 int use_legacy_extension = 0;
200 if (session->version().UsesLegacyTlsExtension()) {
201 use_legacy_extension = 1;
202 }
203 SSL_set_quic_use_legacy_codepoint(ssl(), use_legacy_extension);
204
205 if (session->connection()->context()->tracer) {
206 tls_connection_.EnableInfoCallback();
207 }
208 }
209
~TlsServerHandshaker()210 TlsServerHandshaker::~TlsServerHandshaker() { CancelOutstandingCallbacks(); }
211
CancelOutstandingCallbacks()212 void TlsServerHandshaker::CancelOutstandingCallbacks() {
213 if (proof_source_handle_) {
214 proof_source_handle_->CloseHandle();
215 }
216 if (ticket_decryption_callback_) {
217 ticket_decryption_callback_->Cancel();
218 ticket_decryption_callback_ = nullptr;
219 }
220 }
221
InfoCallback(int type,int value)222 void TlsServerHandshaker::InfoCallback(int type, int value) {
223 QuicConnectionTracer* tracer =
224 session()->connection()->context()->tracer.get();
225
226 if (tracer == nullptr) {
227 return;
228 }
229
230 if (type & SSL_CB_LOOP) {
231 tracer->PrintString(
232 absl::StrCat("SSL:ACCEPT_LOOP:", SSL_state_string_long(ssl())));
233 } else if (type & SSL_CB_ALERT) {
234 const char* prefix =
235 (type & SSL_CB_READ) ? "SSL:READ_ALERT:" : "SSL:WRITE_ALERT:";
236 tracer->PrintString(absl::StrCat(prefix, SSL_alert_type_string_long(value),
237 ":", SSL_alert_desc_string_long(value)));
238 } else if (type & SSL_CB_EXIT) {
239 const char* prefix =
240 (value == 1) ? "SSL:ACCEPT_EXIT_OK:" : "SSL:ACCEPT_EXIT_FAIL:";
241 tracer->PrintString(absl::StrCat(prefix, SSL_state_string_long(ssl())));
242 } else if (type & SSL_CB_HANDSHAKE_START) {
243 tracer->PrintString(
244 absl::StrCat("SSL:HANDSHAKE_START:", SSL_state_string_long(ssl())));
245 } else if (type & SSL_CB_HANDSHAKE_DONE) {
246 tracer->PrintString(
247 absl::StrCat("SSL:HANDSHAKE_DONE:", SSL_state_string_long(ssl())));
248 } else {
249 QUIC_DLOG(INFO) << "Unknown event type " << type << ": "
250 << SSL_state_string_long(ssl());
251 tracer->PrintString(
252 absl::StrCat("SSL:unknown:", value, ":", SSL_state_string_long(ssl())));
253 }
254 }
255
256 std::unique_ptr<ProofSourceHandle>
MaybeCreateProofSourceHandle()257 TlsServerHandshaker::MaybeCreateProofSourceHandle() {
258 return std::make_unique<DefaultProofSourceHandle>(this, proof_source_);
259 }
260
GetBase64SHA256ClientChannelID(std::string *) const261 bool TlsServerHandshaker::GetBase64SHA256ClientChannelID(
262 std::string* /*output*/) const {
263 // Channel ID is not supported when TLS is used in QUIC.
264 return false;
265 }
266
SendServerConfigUpdate(const CachedNetworkParameters *)267 void TlsServerHandshaker::SendServerConfigUpdate(
268 const CachedNetworkParameters* /*cached_network_params*/) {
269 // SCUP messages aren't supported when using the TLS handshake.
270 }
271
DisableResumption()272 bool TlsServerHandshaker::DisableResumption() {
273 if (!can_disable_resumption_ || !session()->connection()->connected()) {
274 return false;
275 }
276 tls_connection_.DisableTicketSupport();
277 return true;
278 }
279
IsZeroRtt() const280 bool TlsServerHandshaker::IsZeroRtt() const {
281 return SSL_early_data_accepted(ssl());
282 }
283
IsResumption() const284 bool TlsServerHandshaker::IsResumption() const {
285 return SSL_session_reused(ssl());
286 }
287
ResumptionAttempted() const288 bool TlsServerHandshaker::ResumptionAttempted() const {
289 return ticket_received_;
290 }
291
EarlyDataAttempted() const292 bool TlsServerHandshaker::EarlyDataAttempted() const {
293 QUIC_BUG_IF(quic_tls_early_data_attempted_too_early,
294 !select_cert_status_.has_value())
295 << "EarlyDataAttempted must be called after EarlySelectCertCallback is "
296 "started";
297 return early_data_attempted_;
298 }
299
NumServerConfigUpdateMessagesSent() const300 int TlsServerHandshaker::NumServerConfigUpdateMessagesSent() const {
301 // SCUP messages aren't supported when using the TLS handshake.
302 return 0;
303 }
304
305 const CachedNetworkParameters*
PreviousCachedNetworkParams() const306 TlsServerHandshaker::PreviousCachedNetworkParams() const {
307 return last_received_cached_network_params_.get();
308 }
309
SetPreviousCachedNetworkParams(CachedNetworkParameters cached_network_params)310 void TlsServerHandshaker::SetPreviousCachedNetworkParams(
311 CachedNetworkParameters cached_network_params) {
312 last_received_cached_network_params_ =
313 std::make_unique<CachedNetworkParameters>(cached_network_params);
314 }
315
OnPacketDecrypted(EncryptionLevel level)316 void TlsServerHandshaker::OnPacketDecrypted(EncryptionLevel level) {
317 if (level == ENCRYPTION_HANDSHAKE && state_ < HANDSHAKE_PROCESSED) {
318 state_ = HANDSHAKE_PROCESSED;
319 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_INITIAL);
320 handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_INITIAL);
321 }
322 }
323
OnHandshakeDoneReceived()324 void TlsServerHandshaker::OnHandshakeDoneReceived() { QUICHE_DCHECK(false); }
325
OnNewTokenReceived(absl::string_view)326 void TlsServerHandshaker::OnNewTokenReceived(absl::string_view /*token*/) {
327 QUICHE_DCHECK(false);
328 }
329
GetAddressToken(const CachedNetworkParameters * cached_network_params) const330 std::string TlsServerHandshaker::GetAddressToken(
331 const CachedNetworkParameters* cached_network_params) const {
332 SourceAddressTokens empty_previous_tokens;
333 const QuicConnection* connection = session()->connection();
334 return crypto_config_->NewSourceAddressToken(
335 crypto_config_->source_address_token_boxer(), empty_previous_tokens,
336 connection->effective_peer_address().host(),
337 connection->random_generator(), connection->clock()->WallNow(),
338 cached_network_params);
339 }
340
ValidateAddressToken(absl::string_view token) const341 bool TlsServerHandshaker::ValidateAddressToken(absl::string_view token) const {
342 SourceAddressTokens tokens;
343 HandshakeFailureReason reason = crypto_config_->ParseSourceAddressToken(
344 crypto_config_->source_address_token_boxer(), token, tokens);
345 if (reason != HANDSHAKE_OK) {
346 QUIC_DLOG(WARNING) << "Failed to parse source address token: "
347 << CryptoUtils::HandshakeFailureReasonToString(reason);
348 return false;
349 }
350 auto cached_network_params = std::make_unique<CachedNetworkParameters>();
351 reason = crypto_config_->ValidateSourceAddressTokens(
352 tokens, session()->connection()->effective_peer_address().host(),
353 session()->connection()->clock()->WallNow(), cached_network_params.get());
354 if (reason != HANDSHAKE_OK) {
355 QUIC_DLOG(WARNING) << "Failed to validate source address token: "
356 << CryptoUtils::HandshakeFailureReasonToString(reason);
357 return false;
358 }
359
360 last_received_cached_network_params_ = std::move(cached_network_params);
361 return true;
362 }
363
ShouldSendExpectCTHeader() const364 bool TlsServerHandshaker::ShouldSendExpectCTHeader() const { return false; }
365
DidCertMatchSni() const366 bool TlsServerHandshaker::DidCertMatchSni() const { return cert_matched_sni_; }
367
ProofSourceDetails() const368 const ProofSource::Details* TlsServerHandshaker::ProofSourceDetails() const {
369 return proof_source_details_.get();
370 }
371
ExportKeyingMaterial(absl::string_view label,absl::string_view context,size_t result_len,std::string * result)372 bool TlsServerHandshaker::ExportKeyingMaterial(absl::string_view label,
373 absl::string_view context,
374 size_t result_len,
375 std::string* result) {
376 return ExportKeyingMaterialForLabel(label, context, result_len, result);
377 }
378
OnConnectionClosed(QuicErrorCode error,ConnectionCloseSource source)379 void TlsServerHandshaker::OnConnectionClosed(QuicErrorCode error,
380 ConnectionCloseSource source) {
381 TlsHandshaker::OnConnectionClosed(error, source);
382 }
383
EarlyDataReason() const384 ssl_early_data_reason_t TlsServerHandshaker::EarlyDataReason() const {
385 return TlsHandshaker::EarlyDataReason();
386 }
387
encryption_established() const388 bool TlsServerHandshaker::encryption_established() const {
389 return encryption_established_;
390 }
391
one_rtt_keys_available() const392 bool TlsServerHandshaker::one_rtt_keys_available() const {
393 return state_ == HANDSHAKE_CONFIRMED;
394 }
395
396 const QuicCryptoNegotiatedParameters&
crypto_negotiated_params() const397 TlsServerHandshaker::crypto_negotiated_params() const {
398 return *crypto_negotiated_params_;
399 }
400
crypto_message_parser()401 CryptoMessageParser* TlsServerHandshaker::crypto_message_parser() {
402 return TlsHandshaker::crypto_message_parser();
403 }
404
GetHandshakeState() const405 HandshakeState TlsServerHandshaker::GetHandshakeState() const { return state_; }
406
SetServerApplicationStateForResumption(std::unique_ptr<ApplicationState> state)407 void TlsServerHandshaker::SetServerApplicationStateForResumption(
408 std::unique_ptr<ApplicationState> state) {
409 application_state_ = std::move(state);
410 }
411
BufferSizeLimitForLevel(EncryptionLevel level) const412 size_t TlsServerHandshaker::BufferSizeLimitForLevel(
413 EncryptionLevel level) const {
414 return TlsHandshaker::BufferSizeLimitForLevel(level);
415 }
416
417 std::unique_ptr<QuicDecrypter>
AdvanceKeysAndCreateCurrentOneRttDecrypter()418 TlsServerHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter() {
419 return TlsHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter();
420 }
421
422 std::unique_ptr<QuicEncrypter>
CreateCurrentOneRttEncrypter()423 TlsServerHandshaker::CreateCurrentOneRttEncrypter() {
424 return TlsHandshaker::CreateCurrentOneRttEncrypter();
425 }
426
OverrideQuicConfigDefaults(QuicConfig *)427 void TlsServerHandshaker::OverrideQuicConfigDefaults(QuicConfig* /*config*/) {}
428
AdvanceHandshakeFromCallback()429 void TlsServerHandshaker::AdvanceHandshakeFromCallback() {
430 QuicConnection::ScopedPacketFlusher flusher(session()->connection());
431
432 AdvanceHandshake();
433 if (!is_connection_closed()) {
434 handshaker_delegate()->OnHandshakeCallbackDone();
435 }
436 }
437
ProcessTransportParameters(const SSL_CLIENT_HELLO * client_hello,std::string * error_details)438 bool TlsServerHandshaker::ProcessTransportParameters(
439 const SSL_CLIENT_HELLO* client_hello, std::string* error_details) {
440 TransportParameters client_params;
441 const uint8_t* client_params_bytes;
442 size_t params_bytes_len;
443
444 // Make sure we use the right TLS extension codepoint.
445 uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters_standard;
446 if (session()->version().UsesLegacyTlsExtension()) {
447 extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;
448 }
449 // When using early select cert callback, SSL_get_peer_quic_transport_params
450 // can not be used to retrieve the client's transport parameters, but we can
451 // use SSL_early_callback_ctx_extension_get to do that.
452 if (!SSL_early_callback_ctx_extension_get(client_hello, extension_type,
453 &client_params_bytes,
454 ¶ms_bytes_len)) {
455 params_bytes_len = 0;
456 }
457
458 if (params_bytes_len == 0) {
459 *error_details = "Client's transport parameters are missing";
460 return false;
461 }
462 std::string parse_error_details;
463 if (!ParseTransportParameters(session()->connection()->version(),
464 Perspective::IS_CLIENT, client_params_bytes,
465 params_bytes_len, &client_params,
466 &parse_error_details)) {
467 QUICHE_DCHECK(!parse_error_details.empty());
468 *error_details =
469 "Unable to parse client's transport parameters: " + parse_error_details;
470 return false;
471 }
472
473 // Notify QuicConnectionDebugVisitor.
474 session()->connection()->OnTransportParametersReceived(client_params);
475
476 if (client_params.legacy_version_information.has_value() &&
477 CryptoUtils::ValidateClientHelloVersion(
478 client_params.legacy_version_information.value().version,
479 session()->connection()->version(), session()->supported_versions(),
480 error_details) != QUIC_NO_ERROR) {
481 return false;
482 }
483
484 if (client_params.version_information.has_value() &&
485 !CryptoUtils::ValidateChosenVersion(
486 client_params.version_information.value().chosen_version,
487 session()->version(), error_details)) {
488 QUICHE_DCHECK(!error_details->empty());
489 return false;
490 }
491
492 if (handshaker_delegate()->ProcessTransportParameters(
493 client_params, /* is_resumption = */ false, error_details) !=
494 QUIC_NO_ERROR) {
495 return false;
496 }
497
498 ProcessAdditionalTransportParameters(client_params);
499
500 return true;
501 }
502
503 TlsServerHandshaker::SetTransportParametersResult
SetTransportParameters()504 TlsServerHandshaker::SetTransportParameters() {
505 SetTransportParametersResult result;
506 QUICHE_DCHECK(!result.success);
507
508 server_params_.perspective = Perspective::IS_SERVER;
509 server_params_.legacy_version_information =
510 TransportParameters::LegacyVersionInformation();
511 server_params_.legacy_version_information.value().supported_versions =
512 CreateQuicVersionLabelVector(session()->supported_versions());
513 server_params_.legacy_version_information.value().version =
514 CreateQuicVersionLabel(session()->connection()->version());
515 server_params_.version_information =
516 TransportParameters::VersionInformation();
517 server_params_.version_information.value().chosen_version =
518 CreateQuicVersionLabel(session()->version());
519 server_params_.version_information.value().other_versions =
520 CreateQuicVersionLabelVector(session()->supported_versions());
521
522 if (!handshaker_delegate()->FillTransportParameters(&server_params_)) {
523 return result;
524 }
525
526 // Notify QuicConnectionDebugVisitor.
527 session()->connection()->OnTransportParametersSent(server_params_);
528
529 { // Ensure |server_params_bytes| is not accessed out of the scope.
530 std::vector<uint8_t> server_params_bytes;
531 if (!SerializeTransportParameters(server_params_, &server_params_bytes) ||
532 SSL_set_quic_transport_params(ssl(), server_params_bytes.data(),
533 server_params_bytes.size()) != 1) {
534 return result;
535 }
536 result.quic_transport_params = std::move(server_params_bytes);
537 }
538
539 if (application_state_) {
540 std::vector<uint8_t> early_data_context;
541 if (!SerializeTransportParametersForTicket(
542 server_params_, *application_state_, &early_data_context)) {
543 QUIC_BUG(quic_bug_10341_4)
544 << "Failed to serialize Transport Parameters for ticket.";
545 result.early_data_context = std::vector<uint8_t>();
546 return result;
547 }
548 SSL_set_quic_early_data_context(ssl(), early_data_context.data(),
549 early_data_context.size());
550 result.early_data_context = std::move(early_data_context);
551 application_state_.reset(nullptr);
552 }
553 result.success = true;
554 return result;
555 }
556
TransportParametersMatch(absl::Span<const uint8_t> serialized_params) const557 bool TlsServerHandshaker::TransportParametersMatch(
558 absl::Span<const uint8_t> serialized_params) const {
559 TransportParameters params;
560 std::string error_details;
561
562 bool parse_ok = ParseTransportParameters(
563 session()->version(), Perspective::IS_SERVER, serialized_params.data(),
564 serialized_params.size(), ¶ms, &error_details);
565
566 if (!parse_ok) {
567 return false;
568 }
569
570 DegreaseTransportParameters(params);
571
572 return params == server_params_;
573 }
574
SetWriteSecret(EncryptionLevel level,const SSL_CIPHER * cipher,absl::Span<const uint8_t> write_secret)575 void TlsServerHandshaker::SetWriteSecret(
576 EncryptionLevel level, const SSL_CIPHER* cipher,
577 absl::Span<const uint8_t> write_secret) {
578 if (is_connection_closed()) {
579 return;
580 }
581 if (level == ENCRYPTION_FORWARD_SECURE) {
582 encryption_established_ = true;
583 // Fill crypto_negotiated_params_:
584 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
585 if (cipher) {
586 crypto_negotiated_params_->cipher_suite =
587 SSL_CIPHER_get_protocol_id(cipher);
588 }
589 crypto_negotiated_params_->key_exchange_group = SSL_get_curve_id(ssl());
590 crypto_negotiated_params_->encrypted_client_hello = SSL_ech_accepted(ssl());
591 }
592 TlsHandshaker::SetWriteSecret(level, cipher, write_secret);
593 }
594
GetAcceptChValueForHostname(const std::string &) const595 std::string TlsServerHandshaker::GetAcceptChValueForHostname(
596 const std::string& /*hostname*/) const {
597 return {};
598 }
599
FinishHandshake()600 void TlsServerHandshaker::FinishHandshake() {
601 QUICHE_DCHECK(!SSL_in_early_data(ssl()));
602
603 if (!valid_alpn_received_) {
604 QUIC_DLOG(ERROR)
605 << "Server: handshake finished without receiving a known ALPN";
606 // TODO(b/130164908) this should send no_application_protocol
607 // instead of QUIC_HANDSHAKE_FAILED.
608 CloseConnection(QUIC_HANDSHAKE_FAILED,
609 "Server did not receive a known ALPN");
610 return;
611 }
612
613 ssl_early_data_reason_t reason_code = EarlyDataReason();
614 QUIC_DLOG(INFO) << "Server: handshake finished. Early data reason "
615 << reason_code << " ("
616 << CryptoUtils::EarlyDataReasonToString(reason_code) << ")";
617 state_ = HANDSHAKE_CONFIRMED;
618
619 handshaker_delegate()->OnTlsHandshakeComplete();
620 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_HANDSHAKE);
621 handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_HANDSHAKE);
622 // ENCRYPTION_ZERO_RTT decryption key is not discarded here as "Servers MAY
623 // temporarily retain 0-RTT keys to allow decrypting reordered packets
624 // without requiring their contents to be retransmitted with 1-RTT keys."
625 // It is expected that QuicConnection will discard the key at an
626 // appropriate time.
627 }
628
VerifyCertChain(const std::vector<std::string> &,std::string *,std::unique_ptr<ProofVerifyDetails> *,uint8_t *,std::unique_ptr<ProofVerifierCallback>)629 QuicAsyncStatus TlsServerHandshaker::VerifyCertChain(
630 const std::vector<std::string>& /*certs*/, std::string* /*error_details*/,
631 std::unique_ptr<ProofVerifyDetails>* /*details*/, uint8_t* /*out_alert*/,
632 std::unique_ptr<ProofVerifierCallback> /*callback*/) {
633 QUIC_DVLOG(1) << "VerifyCertChain returning success";
634
635 // No real verification here. A subclass can override this function to verify
636 // the client cert if needed.
637 return QUIC_SUCCESS;
638 }
639
OnProofVerifyDetailsAvailable(const ProofVerifyDetails &)640 void TlsServerHandshaker::OnProofVerifyDetailsAvailable(
641 const ProofVerifyDetails& /*verify_details*/) {}
642
PrivateKeySign(uint8_t * out,size_t * out_len,size_t max_out,uint16_t sig_alg,absl::string_view in)643 ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign(
644 uint8_t* out, size_t* out_len, size_t max_out, uint16_t sig_alg,
645 absl::string_view in) {
646 QUICHE_DCHECK_EQ(expected_ssl_error(), SSL_ERROR_WANT_READ);
647
648 QuicAsyncStatus status = proof_source_handle_->ComputeSignature(
649 session()->connection()->self_address(),
650 session()->connection()->peer_address(), crypto_negotiated_params_->sni,
651 sig_alg, in, max_out);
652 if (status == QUIC_PENDING) {
653 set_expected_ssl_error(SSL_ERROR_WANT_PRIVATE_KEY_OPERATION);
654 if (async_op_timer_.has_value()) {
655 QUIC_CODE_COUNT(
656 quic_tls_server_computing_signature_while_another_op_pending);
657 }
658 async_op_timer_ = QuicTimeAccumulator();
659 async_op_timer_->Start(now());
660 }
661 return PrivateKeyComplete(out, out_len, max_out);
662 }
663
PrivateKeyComplete(uint8_t * out,size_t * out_len,size_t max_out)664 ssl_private_key_result_t TlsServerHandshaker::PrivateKeyComplete(
665 uint8_t* out, size_t* out_len, size_t max_out) {
666 if (expected_ssl_error() == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
667 return ssl_private_key_retry;
668 }
669
670 const bool success = HasValidSignature(max_out);
671 QuicConnectionStats::TlsServerOperationStats compute_signature_stats;
672 compute_signature_stats.success = success;
673 if (async_op_timer_.has_value()) {
674 async_op_timer_->Stop(now());
675 compute_signature_stats.async_latency =
676 async_op_timer_->GetTotalElapsedTime();
677 async_op_timer_.reset();
678 RECORD_LATENCY_IN_US("tls_server_async_compute_signature_latency_us",
679 compute_signature_stats.async_latency,
680 "Async compute signature latency in microseconds");
681 }
682 connection_stats().tls_server_compute_signature_stats =
683 std::move(compute_signature_stats);
684
685 if (!success) {
686 return ssl_private_key_failure;
687 }
688 *out_len = cert_verify_sig_.size();
689 memcpy(out, cert_verify_sig_.data(), *out_len);
690 cert_verify_sig_.clear();
691 cert_verify_sig_.shrink_to_fit();
692 return ssl_private_key_success;
693 }
694
OnComputeSignatureDone(bool ok,bool is_sync,std::string signature,std::unique_ptr<ProofSource::Details> details)695 void TlsServerHandshaker::OnComputeSignatureDone(
696 bool ok, bool is_sync, std::string signature,
697 std::unique_ptr<ProofSource::Details> details) {
698 QUIC_DVLOG(1) << "OnComputeSignatureDone. ok:" << ok
699 << ", is_sync:" << is_sync
700 << ", len(signature):" << signature.size();
701 absl::optional<QuicConnectionContextSwitcher> context_switcher;
702
703 if (!is_sync) {
704 context_switcher.emplace(connection_context());
705 }
706
707 QUIC_TRACESTRING(absl::StrCat("TLS compute signature done. ok:", ok,
708 ", len(signature):", signature.size()));
709
710 if (ok) {
711 cert_verify_sig_ = std::move(signature);
712 proof_source_details_ = std::move(details);
713 }
714 const int last_expected_ssl_error = expected_ssl_error();
715 set_expected_ssl_error(SSL_ERROR_WANT_READ);
716 if (!is_sync) {
717 QUICHE_DCHECK_EQ(last_expected_ssl_error,
718 SSL_ERROR_WANT_PRIVATE_KEY_OPERATION);
719 AdvanceHandshakeFromCallback();
720 }
721 }
722
HasValidSignature(size_t max_signature_size) const723 bool TlsServerHandshaker::HasValidSignature(size_t max_signature_size) const {
724 return !cert_verify_sig_.empty() &&
725 cert_verify_sig_.size() <= max_signature_size;
726 }
727
SessionTicketMaxOverhead()728 size_t TlsServerHandshaker::SessionTicketMaxOverhead() {
729 QUICHE_DCHECK(proof_source_->GetTicketCrypter());
730 return proof_source_->GetTicketCrypter()->MaxOverhead();
731 }
732
SessionTicketSeal(uint8_t * out,size_t * out_len,size_t max_out_len,absl::string_view in)733 int TlsServerHandshaker::SessionTicketSeal(uint8_t* out, size_t* out_len,
734 size_t max_out_len,
735 absl::string_view in) {
736 QUICHE_DCHECK(proof_source_->GetTicketCrypter());
737 std::vector<uint8_t> ticket =
738 proof_source_->GetTicketCrypter()->Encrypt(in, ticket_encryption_key_);
739 if (GetQuicReloadableFlag(
740 quic_send_placeholder_ticket_when_encrypt_ticket_fails) &&
741 ticket.empty()) {
742 QUIC_CODE_COUNT(quic_tls_server_handshaker_send_placeholder_ticket);
743 const absl::string_view kTicketFailurePlaceholder = "TICKET FAILURE";
744 const absl::string_view kTicketWithSizeLimit =
745 kTicketFailurePlaceholder.substr(0, max_out_len);
746 ticket.assign(kTicketWithSizeLimit.begin(), kTicketWithSizeLimit.end());
747 }
748 if (max_out_len < ticket.size()) {
749 QUIC_BUG(quic_bug_12423_2)
750 << "TicketCrypter returned " << ticket.size()
751 << " bytes of ciphertext, which is larger than its max overhead of "
752 << max_out_len;
753 return 0; // failure
754 }
755 *out_len = ticket.size();
756 memcpy(out, ticket.data(), ticket.size());
757 QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_sealed);
758 return 1; // success
759 }
760
SessionTicketOpen(uint8_t * out,size_t * out_len,size_t max_out_len,absl::string_view in)761 ssl_ticket_aead_result_t TlsServerHandshaker::SessionTicketOpen(
762 uint8_t* out, size_t* out_len, size_t max_out_len, absl::string_view in) {
763 QUICHE_DCHECK(proof_source_->GetTicketCrypter());
764
765 if (ignore_ticket_open_) {
766 // SetIgnoreTicketOpen has been called. Typically this means the caller is
767 // using handshake hints and expect the hints to contain ticket decryption
768 // results.
769 QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_ignored_1);
770 return ssl_ticket_aead_ignore_ticket;
771 }
772
773 if (!ticket_decryption_callback_) {
774 ticket_decryption_callback_ = std::make_shared<DecryptCallback>(this);
775 proof_source_->GetTicketCrypter()->Decrypt(in, ticket_decryption_callback_);
776
777 // Decrypt can run the callback synchronously. In that case, the callback
778 // will clear the ticket_decryption_callback_ pointer, and instead of
779 // returning ssl_ticket_aead_retry, we should continue processing to
780 // return the decrypted ticket.
781 //
782 // If the callback is not run synchronously, return ssl_ticket_aead_retry
783 // and when the callback is complete this function will be run again to
784 // return the result.
785 if (ticket_decryption_callback_) {
786 QUICHE_DCHECK(!ticket_decryption_callback_->IsDone());
787 set_expected_ssl_error(SSL_ERROR_PENDING_TICKET);
788 if (async_op_timer_.has_value()) {
789 QUIC_CODE_COUNT(
790 quic_tls_server_decrypting_ticket_while_another_op_pending);
791 }
792 async_op_timer_ = QuicTimeAccumulator();
793 async_op_timer_->Start(now());
794 }
795 }
796
797 // If the async ticket decryption is pending, either started by this
798 // SessionTicketOpen call or one that happened earlier, return
799 // ssl_ticket_aead_retry.
800 if (ticket_decryption_callback_ && !ticket_decryption_callback_->IsDone()) {
801 return ssl_ticket_aead_retry;
802 }
803
804 ssl_ticket_aead_result_t result =
805 FinalizeSessionTicketOpen(out, out_len, max_out_len);
806
807 QuicConnectionStats::TlsServerOperationStats decrypt_ticket_stats;
808 decrypt_ticket_stats.success = (result == ssl_ticket_aead_success);
809 if (async_op_timer_.has_value()) {
810 async_op_timer_->Stop(now());
811 decrypt_ticket_stats.async_latency = async_op_timer_->GetTotalElapsedTime();
812 async_op_timer_.reset();
813 RECORD_LATENCY_IN_US("tls_server_async_decrypt_ticket_latency_us",
814 decrypt_ticket_stats.async_latency,
815 "Async decrypt ticket latency in microseconds");
816 }
817 connection_stats().tls_server_decrypt_ticket_stats =
818 std::move(decrypt_ticket_stats);
819
820 return result;
821 }
822
FinalizeSessionTicketOpen(uint8_t * out,size_t * out_len,size_t max_out_len)823 ssl_ticket_aead_result_t TlsServerHandshaker::FinalizeSessionTicketOpen(
824 uint8_t* out, size_t* out_len, size_t max_out_len) {
825 ticket_decryption_callback_ = nullptr;
826 set_expected_ssl_error(SSL_ERROR_WANT_READ);
827 if (decrypted_session_ticket_.empty()) {
828 QUIC_DLOG(ERROR) << "Session ticket decryption failed; ignoring ticket";
829 // Ticket decryption failed. Ignore the ticket.
830 QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_ignored_2);
831 return ssl_ticket_aead_ignore_ticket;
832 }
833 if (max_out_len < decrypted_session_ticket_.size()) {
834 return ssl_ticket_aead_error;
835 }
836 memcpy(out, decrypted_session_ticket_.data(),
837 decrypted_session_ticket_.size());
838 *out_len = decrypted_session_ticket_.size();
839
840 QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_opened);
841 return ssl_ticket_aead_success;
842 }
843
EarlySelectCertCallback(const SSL_CLIENT_HELLO * client_hello)844 ssl_select_cert_result_t TlsServerHandshaker::EarlySelectCertCallback(
845 const SSL_CLIENT_HELLO* client_hello) {
846 // EarlySelectCertCallback can be called twice from BoringSSL: If the first
847 // call returns ssl_select_cert_retry, when cert selection completes,
848 // SSL_do_handshake will call it again.
849
850 if (select_cert_status_.has_value()) {
851 // This is the second call, return the result directly.
852 QUIC_DVLOG(1) << "EarlySelectCertCallback called to continue handshake, "
853 "returning directly. success:"
854 << (select_cert_status_.value() == QUIC_SUCCESS);
855 return (select_cert_status_.value() == QUIC_SUCCESS)
856 ? ssl_select_cert_success
857 : ssl_select_cert_error;
858 }
859
860 // This is the first call.
861 select_cert_status_ = QUIC_PENDING;
862 proof_source_handle_ = MaybeCreateProofSourceHandle();
863
864 if (!pre_shared_key_.empty()) {
865 // TODO(b/154162689) add PSK support to QUIC+TLS.
866 QUIC_BUG(quic_bug_10341_6)
867 << "QUIC server pre-shared keys not yet supported with TLS";
868 return ssl_select_cert_error;
869 }
870
871 {
872 const uint8_t* unused_extension_bytes;
873 size_t unused_extension_len;
874 ticket_received_ = SSL_early_callback_ctx_extension_get(
875 client_hello, TLSEXT_TYPE_pre_shared_key, &unused_extension_bytes,
876 &unused_extension_len);
877
878 early_data_attempted_ = SSL_early_callback_ctx_extension_get(
879 client_hello, TLSEXT_TYPE_early_data, &unused_extension_bytes,
880 &unused_extension_len);
881 }
882
883 // This callback is called very early by Boring SSL, most of the SSL_get_foo
884 // function do not work at this point, but SSL_get_servername does.
885 const char* hostname = SSL_get_servername(ssl(), TLSEXT_NAMETYPE_host_name);
886 if (hostname) {
887 crypto_negotiated_params_->sni =
888 QuicHostnameUtils::NormalizeHostname(hostname);
889 if (!ValidateHostname(hostname)) {
890 return ssl_select_cert_error;
891 }
892 if (hostname != crypto_negotiated_params_->sni) {
893 QUIC_CODE_COUNT(quic_tls_server_hostname_diff);
894 QUIC_LOG_EVERY_N_SEC(WARNING, 300)
895 << "Raw and normalized hostnames differ, but both are valid SNIs. "
896 "raw hostname:"
897 << hostname << ", normalized:" << crypto_negotiated_params_->sni;
898 } else {
899 QUIC_CODE_COUNT(quic_tls_server_hostname_same);
900 }
901 } else {
902 QUIC_LOG(INFO) << "No hostname indicated in SNI";
903 }
904
905 std::string error_details;
906 if (!ProcessTransportParameters(client_hello, &error_details)) {
907 CloseConnection(QUIC_HANDSHAKE_FAILED, error_details);
908 return ssl_select_cert_error;
909 }
910 OverrideQuicConfigDefaults(session()->config());
911 session()->OnConfigNegotiated();
912
913 auto set_transport_params_result = SetTransportParameters();
914 if (!set_transport_params_result.success) {
915 QUIC_LOG(ERROR) << "Failed to set transport parameters";
916 return ssl_select_cert_error;
917 }
918
919 bssl::UniquePtr<uint8_t> ssl_capabilities;
920 size_t ssl_capabilities_len = 0;
921 absl::string_view ssl_capabilities_view;
922
923 if (CryptoUtils::GetSSLCapabilities(ssl(), &ssl_capabilities,
924 &ssl_capabilities_len)) {
925 ssl_capabilities_view =
926 absl::string_view(reinterpret_cast<const char*>(ssl_capabilities.get()),
927 ssl_capabilities_len);
928 }
929
930 // Enable ALPS for the session's ALPN.
931 SetApplicationSettingsResult alps_result =
932 SetApplicationSettings(AlpnForVersion(session()->version()));
933 if (!alps_result.success) {
934 return ssl_select_cert_error;
935 }
936
937 if (!session()->connection()->connected()) {
938 select_cert_status_ = QUIC_FAILURE;
939 return ssl_select_cert_error;
940 }
941
942 can_disable_resumption_ = false;
943 const QuicAsyncStatus status = proof_source_handle_->SelectCertificate(
944 session()->connection()->self_address().Normalized(),
945 session()->connection()->peer_address().Normalized(),
946 session()->connection()->GetOriginalDestinationConnectionId(),
947 ssl_capabilities_view, crypto_negotiated_params_->sni,
948 absl::string_view(
949 reinterpret_cast<const char*>(client_hello->client_hello),
950 client_hello->client_hello_len),
951 AlpnForVersion(session()->version()), std::move(alps_result.alps_buffer),
952 set_transport_params_result.quic_transport_params,
953 set_transport_params_result.early_data_context,
954 tls_connection_.ssl_config());
955
956 QUICHE_DCHECK_EQ(status, select_cert_status().value());
957
958 if (status == QUIC_PENDING) {
959 set_expected_ssl_error(SSL_ERROR_PENDING_CERTIFICATE);
960 if (async_op_timer_.has_value()) {
961 QUIC_CODE_COUNT(quic_tls_server_selecting_cert_while_another_op_pending);
962 }
963 async_op_timer_ = QuicTimeAccumulator();
964 async_op_timer_->Start(now());
965 return ssl_select_cert_retry;
966 }
967
968 if (status == QUIC_FAILURE) {
969 return ssl_select_cert_error;
970 }
971
972 return ssl_select_cert_success;
973 }
974
OnSelectCertificateDone(bool ok,bool is_sync,const ProofSource::Chain * chain,absl::string_view handshake_hints,absl::string_view ticket_encryption_key,bool cert_matched_sni,QuicDelayedSSLConfig delayed_ssl_config)975 void TlsServerHandshaker::OnSelectCertificateDone(
976 bool ok, bool is_sync, const ProofSource::Chain* chain,
977 absl::string_view handshake_hints, absl::string_view ticket_encryption_key,
978 bool cert_matched_sni, QuicDelayedSSLConfig delayed_ssl_config) {
979 QUIC_DVLOG(1) << "OnSelectCertificateDone. ok:" << ok
980 << ", is_sync:" << is_sync
981 << ", len(handshake_hints):" << handshake_hints.size()
982 << ", len(ticket_encryption_key):"
983 << ticket_encryption_key.size();
984 absl::optional<QuicConnectionContextSwitcher> context_switcher;
985 if (!is_sync) {
986 context_switcher.emplace(connection_context());
987 }
988
989 QUIC_TRACESTRING(absl::StrCat(
990 "TLS select certificate done: ok:", ok,
991 ", certs_found:", (chain != nullptr && !chain->certs.empty()),
992 ", len(handshake_hints):", handshake_hints.size(),
993 ", len(ticket_encryption_key):", ticket_encryption_key.size()));
994
995 ticket_encryption_key_ = std::string(ticket_encryption_key);
996 select_cert_status_ = QUIC_FAILURE;
997 cert_matched_sni_ = cert_matched_sni;
998
999 if (delayed_ssl_config.quic_transport_parameters.has_value()) {
1000 // In case of any error the SSL object is still valid. Handshaker may need
1001 // to call ComputeSignature but otherwise can proceed.
1002 if (TransportParametersMatch(
1003 absl::MakeSpan(*delayed_ssl_config.quic_transport_parameters))) {
1004 if (SSL_set_quic_transport_params(
1005 ssl(), delayed_ssl_config.quic_transport_parameters->data(),
1006 delayed_ssl_config.quic_transport_parameters->size()) != 1) {
1007 QUIC_DVLOG(1) << "SSL_set_quic_transport_params override failed";
1008 }
1009 } else {
1010 QUIC_DVLOG(1)
1011 << "QUIC transport parameters mismatch with ProofSourceHandle";
1012 }
1013 }
1014
1015 if (delayed_ssl_config.client_cert_mode.has_value()) {
1016 tls_connection_.SetClientCertMode(*delayed_ssl_config.client_cert_mode);
1017 QUIC_DVLOG(1) << "client_cert_mode after cert selection: "
1018 << client_cert_mode();
1019 }
1020
1021 if (ok) {
1022 if (chain && !chain->certs.empty()) {
1023 tls_connection_.SetCertChain(chain->ToCryptoBuffers().value);
1024 if (!handshake_hints.empty() &&
1025 !SSL_set_handshake_hints(
1026 ssl(), reinterpret_cast<const uint8_t*>(handshake_hints.data()),
1027 handshake_hints.size())) {
1028 // If |SSL_set_handshake_hints| fails, the ssl() object will remain
1029 // intact, it is as if we didn't call it. The handshaker will
1030 // continue to compute signature/decrypt ticket as normal.
1031 QUIC_CODE_COUNT(quic_tls_server_set_handshake_hints_failed);
1032 QUIC_DVLOG(1) << "SSL_set_handshake_hints failed";
1033 }
1034 select_cert_status_ = QUIC_SUCCESS;
1035 } else {
1036 QUIC_DLOG(ERROR) << "No certs provided for host '"
1037 << crypto_negotiated_params_->sni << "', server_address:"
1038 << session()->connection()->self_address()
1039 << ", client_address:"
1040 << session()->connection()->peer_address();
1041 }
1042 }
1043
1044 QuicConnectionStats::TlsServerOperationStats select_cert_stats;
1045 select_cert_stats.success = (select_cert_status_ == QUIC_SUCCESS);
1046 QUICHE_DCHECK_NE(is_sync, async_op_timer_.has_value());
1047 if (async_op_timer_.has_value()) {
1048 async_op_timer_->Stop(now());
1049 select_cert_stats.async_latency = async_op_timer_->GetTotalElapsedTime();
1050 async_op_timer_.reset();
1051 RECORD_LATENCY_IN_US("tls_server_async_select_cert_latency_us",
1052 select_cert_stats.async_latency,
1053 "Async select cert latency in microseconds");
1054 }
1055 connection_stats().tls_server_select_cert_stats =
1056 std::move(select_cert_stats);
1057
1058 const int last_expected_ssl_error = expected_ssl_error();
1059 set_expected_ssl_error(SSL_ERROR_WANT_READ);
1060 if (!is_sync) {
1061 QUICHE_DCHECK_EQ(last_expected_ssl_error, SSL_ERROR_PENDING_CERTIFICATE);
1062 AdvanceHandshakeFromCallback();
1063 }
1064 }
1065
WillNotCallComputeSignature() const1066 bool TlsServerHandshaker::WillNotCallComputeSignature() const {
1067 return SSL_can_release_private_key(ssl());
1068 }
1069
ValidateHostname(const std::string & hostname) const1070 bool TlsServerHandshaker::ValidateHostname(const std::string& hostname) const {
1071 if (!QuicHostnameUtils::IsValidSNI(hostname)) {
1072 // TODO(b/151676147): Include this error string in the CONNECTION_CLOSE
1073 // frame.
1074 QUIC_DLOG(ERROR) << "Invalid SNI provided: \"" << hostname << "\"";
1075 return false;
1076 }
1077 return true;
1078 }
1079
TlsExtServernameCallback(int *)1080 int TlsServerHandshaker::TlsExtServernameCallback(int* /*out_alert*/) {
1081 // SSL_TLSEXT_ERR_OK causes the server_name extension to be acked in
1082 // ServerHello.
1083 return SSL_TLSEXT_ERR_OK;
1084 }
1085
SelectAlpn(const uint8_t ** out,uint8_t * out_len,const uint8_t * in,unsigned in_len)1086 int TlsServerHandshaker::SelectAlpn(const uint8_t** out, uint8_t* out_len,
1087 const uint8_t* in, unsigned in_len) {
1088 // |in| contains a sequence of 1-byte-length-prefixed values.
1089 *out_len = 0;
1090 *out = nullptr;
1091 if (in_len == 0) {
1092 QUIC_DLOG(ERROR) << "No ALPN provided by client";
1093 return SSL_TLSEXT_ERR_NOACK;
1094 }
1095
1096 CBS all_alpns;
1097 CBS_init(&all_alpns, in, in_len);
1098
1099 std::vector<absl::string_view> alpns;
1100 while (CBS_len(&all_alpns) > 0) {
1101 CBS alpn;
1102 if (!CBS_get_u8_length_prefixed(&all_alpns, &alpn)) {
1103 QUIC_DLOG(ERROR) << "Failed to parse ALPN length";
1104 return SSL_TLSEXT_ERR_NOACK;
1105 }
1106
1107 const size_t alpn_length = CBS_len(&alpn);
1108 if (alpn_length == 0) {
1109 QUIC_DLOG(ERROR) << "Received invalid zero-length ALPN";
1110 return SSL_TLSEXT_ERR_NOACK;
1111 }
1112
1113 alpns.emplace_back(reinterpret_cast<const char*>(CBS_data(&alpn)),
1114 alpn_length);
1115 }
1116
1117 // TODO(wub): Remove QuicSession::SelectAlpn. QuicSessions should know the
1118 // ALPN on construction.
1119 auto selected_alpn = session()->SelectAlpn(alpns);
1120 if (selected_alpn == alpns.end()) {
1121 QUIC_DLOG(ERROR) << "No known ALPN provided by client";
1122 return SSL_TLSEXT_ERR_NOACK;
1123 }
1124
1125 session()->OnAlpnSelected(*selected_alpn);
1126 valid_alpn_received_ = true;
1127 *out_len = selected_alpn->size();
1128 *out = reinterpret_cast<const uint8_t*>(selected_alpn->data());
1129 return SSL_TLSEXT_ERR_OK;
1130 }
1131
1132 TlsServerHandshaker::SetApplicationSettingsResult
SetApplicationSettings(absl::string_view alpn)1133 TlsServerHandshaker::SetApplicationSettings(absl::string_view alpn) {
1134 TlsServerHandshaker::SetApplicationSettingsResult result;
1135
1136 const std::string& hostname = crypto_negotiated_params_->sni;
1137 std::string accept_ch_value = GetAcceptChValueForHostname(hostname);
1138 std::string origin = absl::StrCat("https://", hostname);
1139 uint16_t port = session()->self_address().port();
1140 if (port != kDefaultPort) {
1141 // This should be rare in production, but useful for test servers.
1142 QUIC_CODE_COUNT(quic_server_alps_non_default_port);
1143 absl::StrAppend(&origin, ":", port);
1144 }
1145
1146 if (!accept_ch_value.empty()) {
1147 AcceptChFrame frame{{{std::move(origin), std::move(accept_ch_value)}}};
1148 result.alps_buffer = HttpEncoder::SerializeAcceptChFrame(frame);
1149 }
1150
1151 const std::string& alps = result.alps_buffer;
1152 if (SSL_add_application_settings(
1153 ssl(), reinterpret_cast<const uint8_t*>(alpn.data()), alpn.size(),
1154 reinterpret_cast<const uint8_t*>(alps.data()), alps.size()) != 1) {
1155 QUIC_DLOG(ERROR) << "Failed to enable ALPS";
1156 result.success = false;
1157 } else {
1158 result.success = true;
1159 }
1160 return result;
1161 }
1162
GetSsl() const1163 SSL* TlsServerHandshaker::GetSsl() const { return ssl(); }
1164
IsCryptoFrameExpectedForEncryptionLevel(EncryptionLevel level) const1165 bool TlsServerHandshaker::IsCryptoFrameExpectedForEncryptionLevel(
1166 EncryptionLevel level) const {
1167 return level != ENCRYPTION_ZERO_RTT;
1168 }
1169
GetEncryptionLevelToSendCryptoDataOfSpace(PacketNumberSpace space) const1170 EncryptionLevel TlsServerHandshaker::GetEncryptionLevelToSendCryptoDataOfSpace(
1171 PacketNumberSpace space) const {
1172 switch (space) {
1173 case INITIAL_DATA:
1174 return ENCRYPTION_INITIAL;
1175 case HANDSHAKE_DATA:
1176 return ENCRYPTION_HANDSHAKE;
1177 case APPLICATION_DATA:
1178 return ENCRYPTION_FORWARD_SECURE;
1179 default:
1180 QUICHE_DCHECK(false);
1181 return NUM_ENCRYPTION_LEVELS;
1182 }
1183 }
1184
1185 } // namespace quic
1186