1 // Copyright (c) 2017 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef QUICHE_QUIC_CORE_TLS_CLIENT_HANDSHAKER_H_ 6 #define QUICHE_QUIC_CORE_TLS_CLIENT_HANDSHAKER_H_ 7 8 #include <cstdint> 9 #include <memory> 10 #include <string> 11 12 #include "absl/strings/string_view.h" 13 #include "openssl/ssl.h" 14 #include "quiche/quic/core/crypto/quic_crypto_client_config.h" 15 #include "quiche/quic/core/crypto/tls_client_connection.h" 16 #include "quiche/quic/core/crypto/transport_parameters.h" 17 #include "quiche/quic/core/quic_crypto_client_stream.h" 18 #include "quiche/quic/core/quic_crypto_stream.h" 19 #include "quiche/quic/core/tls_handshaker.h" 20 #include "quiche/quic/platform/api/quic_export.h" 21 22 namespace quic { 23 24 // An implementation of QuicCryptoClientStream::HandshakerInterface which uses 25 // TLS 1.3 for the crypto handshake protocol. 26 class QUIC_EXPORT_PRIVATE TlsClientHandshaker 27 : public TlsHandshaker, 28 public QuicCryptoClientStream::HandshakerInterface, 29 public TlsClientConnection::Delegate { 30 public: 31 // |crypto_config| must outlive TlsClientHandshaker. 32 TlsClientHandshaker(const QuicServerId& server_id, QuicCryptoStream* stream, 33 QuicSession* session, 34 std::unique_ptr<ProofVerifyContext> verify_context, 35 QuicCryptoClientConfig* crypto_config, 36 QuicCryptoClientStream::ProofHandler* proof_handler, 37 bool has_application_state); 38 TlsClientHandshaker(const TlsClientHandshaker&) = delete; 39 TlsClientHandshaker& operator=(const TlsClientHandshaker&) = delete; 40 41 ~TlsClientHandshaker() override; 42 43 // From QuicCryptoClientStream::HandshakerInterface 44 bool CryptoConnect() override; 45 int num_sent_client_hellos() const override; 46 bool IsResumption() const override; 47 bool EarlyDataAccepted() const override; 48 ssl_early_data_reason_t EarlyDataReason() const override; 49 bool ReceivedInchoateReject() const override; 50 int num_scup_messages_received() const override; 51 std::string chlo_hash() const override; 52 bool ExportKeyingMaterial(absl::string_view label, absl::string_view context, 53 size_t result_len, std::string* result) override; 54 55 // From QuicCryptoClientStream::HandshakerInterface and TlsHandshaker 56 bool encryption_established() const override; 57 bool IsCryptoFrameExpectedForEncryptionLevel( 58 EncryptionLevel level) const override; 59 EncryptionLevel GetEncryptionLevelToSendCryptoDataOfSpace( 60 PacketNumberSpace space) const override; 61 bool one_rtt_keys_available() const override; 62 const QuicCryptoNegotiatedParameters& crypto_negotiated_params() 63 const override; 64 CryptoMessageParser* crypto_message_parser() override; 65 HandshakeState GetHandshakeState() const override; 66 size_t BufferSizeLimitForLevel(EncryptionLevel level) const override; 67 std::unique_ptr<QuicDecrypter> AdvanceKeysAndCreateCurrentOneRttDecrypter() 68 override; 69 std::unique_ptr<QuicEncrypter> CreateCurrentOneRttEncrypter() override; 70 void OnOneRttPacketAcknowledged() override; 71 void OnHandshakePacketSent() override; 72 void OnConnectionClosed(QuicErrorCode error, 73 ConnectionCloseSource source) override; 74 void OnHandshakeDoneReceived() override; 75 void OnNewTokenReceived(absl::string_view token) override; 76 void SetWriteSecret(EncryptionLevel level, const SSL_CIPHER* cipher, 77 absl::Span<const uint8_t> write_secret) override; 78 79 // Override to drop initial keys if trying to write ENCRYPTION_HANDSHAKE data. 80 void WriteMessage(EncryptionLevel level, absl::string_view data) override; 81 82 void SetServerApplicationStateForResumption( 83 std::unique_ptr<ApplicationState> application_state) override; 84 AllowEmptyAlpnForTests()85 void AllowEmptyAlpnForTests() { allow_empty_alpn_for_tests_ = true; } AllowInvalidSNIForTests()86 void AllowInvalidSNIForTests() { allow_invalid_sni_for_tests_ = true; } 87 88 // Make the SSL object from BoringSSL publicly accessible. 89 using TlsHandshaker::ssl; 90 91 protected: tls_connection()92 const TlsConnection* tls_connection() const override { 93 return &tls_connection_; 94 } 95 96 void FinishHandshake() override; 97 void OnEnterEarlyData() override; 98 void FillNegotiatedParams(); 99 void ProcessPostHandshakeMessage() override; 100 bool ShouldCloseConnectionOnUnexpectedError(int ssl_error) override; 101 QuicAsyncStatus VerifyCertChain( 102 const std::vector<std::string>& certs, std::string* error_details, 103 std::unique_ptr<ProofVerifyDetails>* details, uint8_t* out_alert, 104 std::unique_ptr<ProofVerifierCallback> callback) override; 105 void OnProofVerifyDetailsAvailable( 106 const ProofVerifyDetails& verify_details) override; 107 108 // TlsClientConnection::Delegate implementation: ConnectionDelegate()109 TlsConnection::Delegate* ConnectionDelegate() override { return this; } 110 111 private: 112 bool SetAlpn(); 113 bool SetTransportParameters(); 114 bool ProcessTransportParameters(std::string* error_details); 115 void HandleZeroRttReject(); 116 117 // Called when server completes handshake (i.e., either handshake done is 118 // received or 1-RTT packet gets acknowledged). 119 void OnHandshakeConfirmed(); 120 121 void InsertSession(bssl::UniquePtr<SSL_SESSION> session) override; 122 123 bool PrepareZeroRttConfig(QuicResumptionState* cached_state); 124 session()125 QuicSession* session() { return session_; } 126 QuicSession* session_; 127 128 QuicServerId server_id_; 129 130 // Objects used for verifying the server's certificate chain. 131 // |proof_verifier_| is owned by the caller of TlsHandshaker's constructor. 132 ProofVerifier* proof_verifier_; 133 std::unique_ptr<ProofVerifyContext> verify_context_; 134 135 // Unowned pointer to the proof handler which has the 136 // OnProofVerifyDetailsAvailable callback to use for notifying the result of 137 // certificate verification. 138 QuicCryptoClientStream::ProofHandler* proof_handler_; 139 140 // Used for session resumption. |session_cache_| is owned by the 141 // QuicCryptoClientConfig passed into TlsClientHandshaker's constructor. 142 SessionCache* session_cache_; 143 144 std::string user_agent_id_; 145 146 // Pre-shared key used during the handshake. 147 std::string pre_shared_key_; 148 149 HandshakeState state_ = HANDSHAKE_START; 150 bool encryption_established_ = false; 151 bool initial_keys_dropped_ = false; 152 quiche::QuicheReferenceCountedPointer<QuicCryptoNegotiatedParameters> 153 crypto_negotiated_params_; 154 155 bool allow_empty_alpn_for_tests_ = false; 156 bool allow_invalid_sni_for_tests_ = false; 157 158 const bool has_application_state_; 159 // Contains the state for performing a resumption, if one is attempted. This 160 // will always be non-null if a 0-RTT resumption is attempted. 161 std::unique_ptr<QuicResumptionState> cached_state_; 162 163 TlsClientConnection tls_connection_; 164 165 // If |has_application_state_|, stores the tls session tickets before 166 // application state is received. The latest one is put in the front. 167 bssl::UniquePtr<SSL_SESSION> cached_tls_sessions_[2] = {}; 168 169 std::unique_ptr<TransportParameters> received_transport_params_ = nullptr; 170 std::unique_ptr<ApplicationState> received_application_state_ = nullptr; 171 }; 172 173 } // namespace quic 174 175 #endif // QUICHE_QUIC_CORE_TLS_CLIENT_HANDSHAKER_H_ 176