1 // Copyright (c) 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "quiche/quic/core/tls_client_handshaker.h"
6
7 #include <cstring>
8 #include <string>
9
10 #include "absl/strings/str_cat.h"
11 #include "absl/strings/string_view.h"
12 #include "openssl/ssl.h"
13 #include "quiche/quic/core/crypto/quic_crypto_client_config.h"
14 #include "quiche/quic/core/crypto/quic_encrypter.h"
15 #include "quiche/quic/core/crypto/transport_parameters.h"
16 #include "quiche/quic/core/quic_session.h"
17 #include "quiche/quic/core/quic_types.h"
18 #include "quiche/quic/platform/api/quic_flags.h"
19 #include "quiche/quic/platform/api/quic_hostname_utils.h"
20 #include "quiche/common/quiche_text_utils.h"
21
22 namespace quic {
23
TlsClientHandshaker(const QuicServerId & server_id,QuicCryptoStream * stream,QuicSession * session,std::unique_ptr<ProofVerifyContext> verify_context,QuicCryptoClientConfig * crypto_config,QuicCryptoClientStream::ProofHandler * proof_handler,bool has_application_state)24 TlsClientHandshaker::TlsClientHandshaker(
25 const QuicServerId& server_id, QuicCryptoStream* stream,
26 QuicSession* session, std::unique_ptr<ProofVerifyContext> verify_context,
27 QuicCryptoClientConfig* crypto_config,
28 QuicCryptoClientStream::ProofHandler* proof_handler,
29 bool has_application_state)
30 : TlsHandshaker(stream, session),
31 session_(session),
32 server_id_(server_id),
33 proof_verifier_(crypto_config->proof_verifier()),
34 verify_context_(std::move(verify_context)),
35 proof_handler_(proof_handler),
36 session_cache_(crypto_config->session_cache()),
37 user_agent_id_(crypto_config->user_agent_id()),
38 pre_shared_key_(crypto_config->pre_shared_key()),
39 crypto_negotiated_params_(new QuicCryptoNegotiatedParameters),
40 has_application_state_(has_application_state),
41 tls_connection_(crypto_config->ssl_ctx(), this, session->GetSSLConfig()) {
42 if (crypto_config->tls_signature_algorithms().has_value()) {
43 SSL_set1_sigalgs_list(ssl(),
44 crypto_config->tls_signature_algorithms()->c_str());
45 }
46 if (crypto_config->proof_source() != nullptr) {
47 const ClientProofSource::CertAndKey* cert_and_key =
48 crypto_config->proof_source()->GetCertAndKey(server_id.host());
49 if (cert_and_key != nullptr) {
50 QUIC_DVLOG(1) << "Setting client cert and key for " << server_id.host();
51 tls_connection_.SetCertChain(cert_and_key->chain->ToCryptoBuffers().value,
52 cert_and_key->private_key.private_key());
53 }
54 }
55 #if BORINGSSL_API_VERSION >= 22
56 if (!crypto_config->preferred_groups().empty()) {
57 SSL_set1_group_ids(ssl(), crypto_config->preferred_groups().data(),
58 crypto_config->preferred_groups().size());
59 }
60 #endif // BORINGSSL_API_VERSION
61 }
62
~TlsClientHandshaker()63 TlsClientHandshaker::~TlsClientHandshaker() {}
64
CryptoConnect()65 bool TlsClientHandshaker::CryptoConnect() {
66 if (!pre_shared_key_.empty()) {
67 // TODO(b/154162689) add PSK support to QUIC+TLS.
68 std::string error_details =
69 "QUIC client pre-shared keys not yet supported with TLS";
70 QUIC_BUG(quic_bug_10576_1) << error_details;
71 CloseConnection(QUIC_HANDSHAKE_FAILED, error_details);
72 return false;
73 }
74
75 // Make sure we use the right TLS extension codepoint.
76 int use_legacy_extension = 0;
77 if (session()->version().UsesLegacyTlsExtension()) {
78 use_legacy_extension = 1;
79 }
80 SSL_set_quic_use_legacy_codepoint(ssl(), use_legacy_extension);
81
82 // TODO(b/193650832) Add SetFromConfig to QUIC handshakers and remove reliance
83 // on session pointer.
84 #if BORINGSSL_API_VERSION >= 16
85 // Ask BoringSSL to randomize the order of TLS extensions.
86 SSL_set_permute_extensions(ssl(), true);
87 #endif // BORINGSSL_API_VERSION
88
89 // Set the SNI to send, if any.
90 SSL_set_connect_state(ssl());
91 if (QUIC_DLOG_INFO_IS_ON() &&
92 !QuicHostnameUtils::IsValidSNI(server_id_.host())) {
93 QUIC_DLOG(INFO) << "Client configured with invalid hostname \""
94 << server_id_.host() << "\", not sending as SNI";
95 }
96 if (!server_id_.host().empty() &&
97 (QuicHostnameUtils::IsValidSNI(server_id_.host()) ||
98 allow_invalid_sni_for_tests_) &&
99 SSL_set_tlsext_host_name(ssl(), server_id_.host().c_str()) != 1) {
100 return false;
101 }
102
103 if (!SetAlpn()) {
104 CloseConnection(QUIC_HANDSHAKE_FAILED, "Client failed to set ALPN");
105 return false;
106 }
107
108 // Set the Transport Parameters to send in the ClientHello
109 if (!SetTransportParameters()) {
110 CloseConnection(QUIC_HANDSHAKE_FAILED,
111 "Client failed to set Transport Parameters");
112 return false;
113 }
114
115 // Set a session to resume, if there is one.
116 if (session_cache_) {
117 cached_state_ = session_cache_->Lookup(
118 server_id_, session()->GetClock()->WallNow(), SSL_get_SSL_CTX(ssl()));
119 }
120 if (cached_state_) {
121 SSL_set_session(ssl(), cached_state_->tls_session.get());
122 if (!cached_state_->token.empty()) {
123 session()->SetSourceAddressTokenToSend(cached_state_->token);
124 }
125 }
126
127 SSL_set_enable_ech_grease(ssl(),
128 tls_connection_.ssl_config().ech_grease_enabled);
129 if (!tls_connection_.ssl_config().ech_config_list.empty() &&
130 !SSL_set1_ech_config_list(
131 ssl(),
132 reinterpret_cast<const uint8_t*>(
133 tls_connection_.ssl_config().ech_config_list.data()),
134 tls_connection_.ssl_config().ech_config_list.size())) {
135 CloseConnection(QUIC_HANDSHAKE_FAILED,
136 "Client failed to set ECHConfigList");
137 return false;
138 }
139
140 // Start the handshake.
141 AdvanceHandshake();
142 return session()->connection()->connected();
143 }
144
PrepareZeroRttConfig(QuicResumptionState * cached_state)145 bool TlsClientHandshaker::PrepareZeroRttConfig(
146 QuicResumptionState* cached_state) {
147 std::string error_details;
148 if (!cached_state->transport_params ||
149 handshaker_delegate()->ProcessTransportParameters(
150 *(cached_state->transport_params),
151 /*is_resumption = */ true, &error_details) != QUIC_NO_ERROR) {
152 QUIC_BUG(quic_bug_10576_2)
153 << "Unable to parse cached transport parameters.";
154 CloseConnection(QUIC_HANDSHAKE_FAILED,
155 "Client failed to parse cached Transport Parameters.");
156 return false;
157 }
158
159 session()->connection()->OnTransportParametersResumed(
160 *(cached_state->transport_params));
161 session()->OnConfigNegotiated();
162
163 if (has_application_state_) {
164 if (!cached_state->application_state ||
165 !session()->ResumeApplicationState(
166 cached_state->application_state.get())) {
167 QUIC_BUG(quic_bug_10576_3) << "Unable to parse cached application state.";
168 CloseConnection(QUIC_HANDSHAKE_FAILED,
169 "Client failed to parse cached application state.");
170 return false;
171 }
172 }
173 return true;
174 }
175
IsValidAlpn(const std::string & alpn_string)176 static bool IsValidAlpn(const std::string& alpn_string) {
177 return alpn_string.length() <= std::numeric_limits<uint8_t>::max();
178 }
179
SetAlpn()180 bool TlsClientHandshaker::SetAlpn() {
181 std::vector<std::string> alpns = session()->GetAlpnsToOffer();
182 if (alpns.empty()) {
183 if (allow_empty_alpn_for_tests_) {
184 return true;
185 }
186
187 QUIC_BUG(quic_bug_10576_4) << "ALPN missing";
188 return false;
189 }
190 if (!std::all_of(alpns.begin(), alpns.end(), IsValidAlpn)) {
191 QUIC_BUG(quic_bug_10576_5) << "ALPN too long";
192 return false;
193 }
194
195 // SSL_set_alpn_protos expects a sequence of one-byte-length-prefixed
196 // strings.
197 uint8_t alpn[1024];
198 QuicDataWriter alpn_writer(sizeof(alpn), reinterpret_cast<char*>(alpn));
199 bool success = true;
200 for (const std::string& alpn_string : alpns) {
201 success = success && alpn_writer.WriteUInt8(alpn_string.size()) &&
202 alpn_writer.WriteStringPiece(alpn_string);
203 }
204 success =
205 success && (SSL_set_alpn_protos(ssl(), alpn, alpn_writer.length()) == 0);
206 if (!success) {
207 QUIC_BUG(quic_bug_10576_6)
208 << "Failed to set ALPN: "
209 << quiche::QuicheTextUtils::HexDump(
210 absl::string_view(alpn_writer.data(), alpn_writer.length()));
211 return false;
212 }
213
214 // Enable ALPS only for versions that use HTTP/3 frames.
215 for (const std::string& alpn_string : alpns) {
216 for (const ParsedQuicVersion& version : session()->supported_versions()) {
217 if (!version.UsesHttp3() || AlpnForVersion(version) != alpn_string) {
218 continue;
219 }
220 if (SSL_add_application_settings(
221 ssl(), reinterpret_cast<const uint8_t*>(alpn_string.data()),
222 alpn_string.size(), nullptr, /* settings_len = */ 0) != 1) {
223 QUIC_BUG(quic_bug_10576_7) << "Failed to enable ALPS.";
224 return false;
225 }
226 break;
227 }
228 }
229
230 QUIC_DLOG(INFO) << "Client using ALPN: '" << alpns[0] << "'";
231 return true;
232 }
233
SetTransportParameters()234 bool TlsClientHandshaker::SetTransportParameters() {
235 TransportParameters params;
236 params.perspective = Perspective::IS_CLIENT;
237 params.legacy_version_information =
238 TransportParameters::LegacyVersionInformation();
239 params.legacy_version_information->version =
240 CreateQuicVersionLabel(session()->supported_versions().front());
241 params.version_information = TransportParameters::VersionInformation();
242 const QuicVersionLabel version = CreateQuicVersionLabel(session()->version());
243 params.version_information->chosen_version = version;
244 params.version_information->other_versions.push_back(version);
245
246 if (!handshaker_delegate()->FillTransportParameters(¶ms)) {
247 return false;
248 }
249
250 // Notify QuicConnectionDebugVisitor.
251 session()->connection()->OnTransportParametersSent(params);
252
253 std::vector<uint8_t> param_bytes;
254 return SerializeTransportParameters(params, ¶m_bytes) &&
255 SSL_set_quic_transport_params(ssl(), param_bytes.data(),
256 param_bytes.size()) == 1;
257 }
258
ProcessTransportParameters(std::string * error_details)259 bool TlsClientHandshaker::ProcessTransportParameters(
260 std::string* error_details) {
261 received_transport_params_ = std::make_unique<TransportParameters>();
262 const uint8_t* param_bytes;
263 size_t param_bytes_len;
264 SSL_get_peer_quic_transport_params(ssl(), ¶m_bytes, ¶m_bytes_len);
265 if (param_bytes_len == 0) {
266 *error_details = "Server's transport parameters are missing";
267 return false;
268 }
269 std::string parse_error_details;
270 if (!ParseTransportParameters(
271 session()->connection()->version(), Perspective::IS_SERVER,
272 param_bytes, param_bytes_len, received_transport_params_.get(),
273 &parse_error_details)) {
274 QUICHE_DCHECK(!parse_error_details.empty());
275 *error_details =
276 "Unable to parse server's transport parameters: " + parse_error_details;
277 return false;
278 }
279
280 // Notify QuicConnectionDebugVisitor.
281 session()->connection()->OnTransportParametersReceived(
282 *received_transport_params_);
283
284 if (received_transport_params_->legacy_version_information.has_value()) {
285 if (received_transport_params_->legacy_version_information->version !=
286 CreateQuicVersionLabel(session()->connection()->version())) {
287 *error_details = "Version mismatch detected";
288 return false;
289 }
290 if (CryptoUtils::ValidateServerHelloVersions(
291 received_transport_params_->legacy_version_information
292 ->supported_versions,
293 session()->connection()->server_supported_versions(),
294 error_details) != QUIC_NO_ERROR) {
295 QUICHE_DCHECK(!error_details->empty());
296 return false;
297 }
298 }
299 if (received_transport_params_->version_information.has_value()) {
300 if (!CryptoUtils::ValidateChosenVersion(
301 received_transport_params_->version_information->chosen_version,
302 session()->version(), error_details)) {
303 QUICHE_DCHECK(!error_details->empty());
304 return false;
305 }
306 if (!CryptoUtils::CryptoUtils::ValidateServerVersions(
307 received_transport_params_->version_information->other_versions,
308 session()->version(),
309 session()->client_original_supported_versions(), error_details)) {
310 QUICHE_DCHECK(!error_details->empty());
311 return false;
312 }
313 }
314
315 if (handshaker_delegate()->ProcessTransportParameters(
316 *received_transport_params_, /* is_resumption = */ false,
317 error_details) != QUIC_NO_ERROR) {
318 QUICHE_DCHECK(!error_details->empty());
319 return false;
320 }
321
322 session()->OnConfigNegotiated();
323 if (is_connection_closed()) {
324 *error_details =
325 "Session closed the connection when parsing negotiated config.";
326 return false;
327 }
328 return true;
329 }
330
num_sent_client_hellos() const331 int TlsClientHandshaker::num_sent_client_hellos() const { return 0; }
332
ResumptionAttempted() const333 bool TlsClientHandshaker::ResumptionAttempted() const {
334 QUIC_BUG_IF(quic_tls_client_resumption_attempted, !encryption_established_);
335 return cached_state_ != nullptr;
336 }
337
IsResumption() const338 bool TlsClientHandshaker::IsResumption() const {
339 QUIC_BUG_IF(quic_bug_12736_1, !one_rtt_keys_available());
340 return SSL_session_reused(ssl()) == 1;
341 }
342
EarlyDataAccepted() const343 bool TlsClientHandshaker::EarlyDataAccepted() const {
344 QUIC_BUG_IF(quic_bug_12736_2, !one_rtt_keys_available());
345 return SSL_early_data_accepted(ssl()) == 1;
346 }
347
EarlyDataReason() const348 ssl_early_data_reason_t TlsClientHandshaker::EarlyDataReason() const {
349 return TlsHandshaker::EarlyDataReason();
350 }
351
ReceivedInchoateReject() const352 bool TlsClientHandshaker::ReceivedInchoateReject() const {
353 QUIC_BUG_IF(quic_bug_12736_3, !one_rtt_keys_available());
354 // REJ messages are a QUIC crypto feature, so TLS always returns false.
355 return false;
356 }
357
num_scup_messages_received() const358 int TlsClientHandshaker::num_scup_messages_received() const {
359 // SCUP messages aren't sent or received when using the TLS handshake.
360 return 0;
361 }
362
chlo_hash() const363 std::string TlsClientHandshaker::chlo_hash() const { return ""; }
364
ExportKeyingMaterial(absl::string_view label,absl::string_view context,size_t result_len,std::string * result)365 bool TlsClientHandshaker::ExportKeyingMaterial(absl::string_view label,
366 absl::string_view context,
367 size_t result_len,
368 std::string* result) {
369 return ExportKeyingMaterialForLabel(label, context, result_len, result);
370 }
371
encryption_established() const372 bool TlsClientHandshaker::encryption_established() const {
373 return encryption_established_;
374 }
375
IsCryptoFrameExpectedForEncryptionLevel(EncryptionLevel level) const376 bool TlsClientHandshaker::IsCryptoFrameExpectedForEncryptionLevel(
377 EncryptionLevel level) const {
378 return level != ENCRYPTION_ZERO_RTT;
379 }
380
GetEncryptionLevelToSendCryptoDataOfSpace(PacketNumberSpace space) const381 EncryptionLevel TlsClientHandshaker::GetEncryptionLevelToSendCryptoDataOfSpace(
382 PacketNumberSpace space) const {
383 switch (space) {
384 case INITIAL_DATA:
385 return ENCRYPTION_INITIAL;
386 case HANDSHAKE_DATA:
387 return ENCRYPTION_HANDSHAKE;
388 default:
389 QUICHE_DCHECK(false);
390 return NUM_ENCRYPTION_LEVELS;
391 }
392 }
393
one_rtt_keys_available() const394 bool TlsClientHandshaker::one_rtt_keys_available() const {
395 return state_ >= HANDSHAKE_COMPLETE;
396 }
397
398 const QuicCryptoNegotiatedParameters&
crypto_negotiated_params() const399 TlsClientHandshaker::crypto_negotiated_params() const {
400 return *crypto_negotiated_params_;
401 }
402
crypto_message_parser()403 CryptoMessageParser* TlsClientHandshaker::crypto_message_parser() {
404 return TlsHandshaker::crypto_message_parser();
405 }
406
GetHandshakeState() const407 HandshakeState TlsClientHandshaker::GetHandshakeState() const { return state_; }
408
BufferSizeLimitForLevel(EncryptionLevel level) const409 size_t TlsClientHandshaker::BufferSizeLimitForLevel(
410 EncryptionLevel level) const {
411 return TlsHandshaker::BufferSizeLimitForLevel(level);
412 }
413
414 std::unique_ptr<QuicDecrypter>
AdvanceKeysAndCreateCurrentOneRttDecrypter()415 TlsClientHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter() {
416 return TlsHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter();
417 }
418
419 std::unique_ptr<QuicEncrypter>
CreateCurrentOneRttEncrypter()420 TlsClientHandshaker::CreateCurrentOneRttEncrypter() {
421 return TlsHandshaker::CreateCurrentOneRttEncrypter();
422 }
423
OnOneRttPacketAcknowledged()424 void TlsClientHandshaker::OnOneRttPacketAcknowledged() {
425 OnHandshakeConfirmed();
426 }
427
OnHandshakePacketSent()428 void TlsClientHandshaker::OnHandshakePacketSent() {
429 if (initial_keys_dropped_) {
430 return;
431 }
432 initial_keys_dropped_ = true;
433 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_INITIAL);
434 handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_INITIAL);
435 }
436
OnConnectionClosed(QuicErrorCode error,ConnectionCloseSource source)437 void TlsClientHandshaker::OnConnectionClosed(QuicErrorCode error,
438 ConnectionCloseSource source) {
439 TlsHandshaker::OnConnectionClosed(error, source);
440 }
441
OnHandshakeDoneReceived()442 void TlsClientHandshaker::OnHandshakeDoneReceived() {
443 if (!one_rtt_keys_available()) {
444 CloseConnection(QUIC_HANDSHAKE_FAILED,
445 "Unexpected handshake done received");
446 return;
447 }
448 OnHandshakeConfirmed();
449 }
450
OnNewTokenReceived(absl::string_view token)451 void TlsClientHandshaker::OnNewTokenReceived(absl::string_view token) {
452 if (token.empty()) {
453 return;
454 }
455 if (session_cache_ != nullptr) {
456 session_cache_->OnNewTokenReceived(server_id_, token);
457 }
458 }
459
SetWriteSecret(EncryptionLevel level,const SSL_CIPHER * cipher,absl::Span<const uint8_t> write_secret)460 void TlsClientHandshaker::SetWriteSecret(
461 EncryptionLevel level, const SSL_CIPHER* cipher,
462 absl::Span<const uint8_t> write_secret) {
463 if (is_connection_closed()) {
464 return;
465 }
466 if (level == ENCRYPTION_FORWARD_SECURE || level == ENCRYPTION_ZERO_RTT) {
467 encryption_established_ = true;
468 }
469 TlsHandshaker::SetWriteSecret(level, cipher, write_secret);
470 if (level == ENCRYPTION_FORWARD_SECURE) {
471 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_ZERO_RTT);
472 }
473 }
474
OnHandshakeConfirmed()475 void TlsClientHandshaker::OnHandshakeConfirmed() {
476 QUICHE_DCHECK(one_rtt_keys_available());
477 if (state_ >= HANDSHAKE_CONFIRMED) {
478 return;
479 }
480 state_ = HANDSHAKE_CONFIRMED;
481 handshaker_delegate()->OnTlsHandshakeConfirmed();
482 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_HANDSHAKE);
483 handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_HANDSHAKE);
484 }
485
VerifyCertChain(const std::vector<std::string> & certs,std::string * error_details,std::unique_ptr<ProofVerifyDetails> * details,uint8_t * out_alert,std::unique_ptr<ProofVerifierCallback> callback)486 QuicAsyncStatus TlsClientHandshaker::VerifyCertChain(
487 const std::vector<std::string>& certs, std::string* error_details,
488 std::unique_ptr<ProofVerifyDetails>* details, uint8_t* out_alert,
489 std::unique_ptr<ProofVerifierCallback> callback) {
490 const uint8_t* ocsp_response_raw;
491 size_t ocsp_response_len;
492 SSL_get0_ocsp_response(ssl(), &ocsp_response_raw, &ocsp_response_len);
493 std::string ocsp_response(reinterpret_cast<const char*>(ocsp_response_raw),
494 ocsp_response_len);
495 const uint8_t* sct_list_raw;
496 size_t sct_list_len;
497 SSL_get0_signed_cert_timestamp_list(ssl(), &sct_list_raw, &sct_list_len);
498 std::string sct_list(reinterpret_cast<const char*>(sct_list_raw),
499 sct_list_len);
500
501 return proof_verifier_->VerifyCertChain(
502 server_id_.host(), server_id_.port(), certs, ocsp_response, sct_list,
503 verify_context_.get(), error_details, details, out_alert,
504 std::move(callback));
505 }
506
OnProofVerifyDetailsAvailable(const ProofVerifyDetails & verify_details)507 void TlsClientHandshaker::OnProofVerifyDetailsAvailable(
508 const ProofVerifyDetails& verify_details) {
509 proof_handler_->OnProofVerifyDetailsAvailable(verify_details);
510 }
511
FinishHandshake()512 void TlsClientHandshaker::FinishHandshake() {
513 FillNegotiatedParams();
514
515 QUICHE_CHECK(!SSL_in_early_data(ssl()));
516
517 QUIC_LOG(INFO) << "Client: handshake finished";
518
519 std::string error_details;
520 if (!ProcessTransportParameters(&error_details)) {
521 QUICHE_DCHECK(!error_details.empty());
522 CloseConnection(QUIC_HANDSHAKE_FAILED, error_details);
523 return;
524 }
525
526 const uint8_t* alpn_data = nullptr;
527 unsigned alpn_length = 0;
528 SSL_get0_alpn_selected(ssl(), &alpn_data, &alpn_length);
529
530 if (alpn_length == 0) {
531 QUIC_DLOG(ERROR) << "Client: server did not select ALPN";
532 // TODO(b/130164908) this should send no_application_protocol
533 // instead of QUIC_HANDSHAKE_FAILED.
534 CloseConnection(QUIC_HANDSHAKE_FAILED, "Server did not select ALPN");
535 return;
536 }
537
538 std::string received_alpn_string(reinterpret_cast<const char*>(alpn_data),
539 alpn_length);
540 std::vector<std::string> offered_alpns = session()->GetAlpnsToOffer();
541 if (std::find(offered_alpns.begin(), offered_alpns.end(),
542 received_alpn_string) == offered_alpns.end()) {
543 QUIC_LOG(ERROR) << "Client: received mismatched ALPN '"
544 << received_alpn_string;
545 // TODO(b/130164908) this should send no_application_protocol
546 // instead of QUIC_HANDSHAKE_FAILED.
547 CloseConnection(QUIC_HANDSHAKE_FAILED, "Client received mismatched ALPN");
548 return;
549 }
550 session()->OnAlpnSelected(received_alpn_string);
551 QUIC_DLOG(INFO) << "Client: server selected ALPN: '" << received_alpn_string
552 << "'";
553
554 // Parse ALPS extension.
555 const uint8_t* alps_data;
556 size_t alps_length;
557 SSL_get0_peer_application_settings(ssl(), &alps_data, &alps_length);
558 if (alps_length > 0) {
559 auto error = session()->OnAlpsData(alps_data, alps_length);
560 if (error.has_value()) {
561 // Calling CloseConnection() is safe even in case OnAlpsData() has
562 // already closed the connection.
563 CloseConnection(QUIC_HANDSHAKE_FAILED,
564 absl::StrCat("Error processing ALPS data: ", *error));
565 return;
566 }
567 }
568
569 state_ = HANDSHAKE_COMPLETE;
570 handshaker_delegate()->OnTlsHandshakeComplete();
571 }
572
OnEnterEarlyData()573 void TlsClientHandshaker::OnEnterEarlyData() {
574 QUICHE_DCHECK(SSL_in_early_data(ssl()));
575
576 // TODO(wub): It might be unnecessary to FillNegotiatedParams() at this time,
577 // because we fill it again when handshake completes.
578 FillNegotiatedParams();
579
580 // If we're attempting a 0-RTT handshake, then we need to let the transport
581 // and application know what state to apply to early data.
582 PrepareZeroRttConfig(cached_state_.get());
583 }
584
FillNegotiatedParams()585 void TlsClientHandshaker::FillNegotiatedParams() {
586 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
587 if (cipher) {
588 crypto_negotiated_params_->cipher_suite =
589 SSL_CIPHER_get_protocol_id(cipher);
590 }
591 crypto_negotiated_params_->key_exchange_group = SSL_get_curve_id(ssl());
592 crypto_negotiated_params_->peer_signature_algorithm =
593 SSL_get_peer_signature_algorithm(ssl());
594 crypto_negotiated_params_->encrypted_client_hello = SSL_ech_accepted(ssl());
595 }
596
ProcessPostHandshakeMessage()597 void TlsClientHandshaker::ProcessPostHandshakeMessage() {
598 int rv = SSL_process_quic_post_handshake(ssl());
599 if (rv != 1) {
600 CloseConnection(QUIC_HANDSHAKE_FAILED, "Unexpected post-handshake data");
601 }
602 }
603
ShouldCloseConnectionOnUnexpectedError(int ssl_error)604 bool TlsClientHandshaker::ShouldCloseConnectionOnUnexpectedError(
605 int ssl_error) {
606 if (ssl_error != SSL_ERROR_EARLY_DATA_REJECTED) {
607 return true;
608 }
609 HandleZeroRttReject();
610 return false;
611 }
612
HandleZeroRttReject()613 void TlsClientHandshaker::HandleZeroRttReject() {
614 QUIC_LOG(INFO) << "0-RTT handshake attempted but was rejected by the server";
615 QUICHE_DCHECK(session_cache_);
616 // Disable encrytion to block outgoing data until 1-RTT keys are available.
617 encryption_established_ = false;
618 handshaker_delegate()->OnZeroRttRejected(EarlyDataReason());
619 SSL_reset_early_data_reject(ssl());
620 session_cache_->ClearEarlyData(server_id_);
621 AdvanceHandshake();
622 }
623
InsertSession(bssl::UniquePtr<SSL_SESSION> session)624 void TlsClientHandshaker::InsertSession(bssl::UniquePtr<SSL_SESSION> session) {
625 if (!received_transport_params_) {
626 QUIC_BUG(quic_bug_10576_8) << "Transport parameters isn't received";
627 return;
628 }
629 if (session_cache_ == nullptr) {
630 QUIC_DVLOG(1) << "No session cache, not inserting a session";
631 return;
632 }
633 if (has_application_state_ && !received_application_state_) {
634 // Application state is not received yet. cache the sessions.
635 if (cached_tls_sessions_[0] != nullptr) {
636 cached_tls_sessions_[1] = std::move(cached_tls_sessions_[0]);
637 }
638 cached_tls_sessions_[0] = std::move(session);
639 return;
640 }
641 session_cache_->Insert(server_id_, std::move(session),
642 *received_transport_params_,
643 received_application_state_.get());
644 }
645
WriteMessage(EncryptionLevel level,absl::string_view data)646 void TlsClientHandshaker::WriteMessage(EncryptionLevel level,
647 absl::string_view data) {
648 if (level == ENCRYPTION_HANDSHAKE && state_ < HANDSHAKE_PROCESSED) {
649 state_ = HANDSHAKE_PROCESSED;
650 }
651 TlsHandshaker::WriteMessage(level, data);
652 }
653
SetServerApplicationStateForResumption(std::unique_ptr<ApplicationState> application_state)654 void TlsClientHandshaker::SetServerApplicationStateForResumption(
655 std::unique_ptr<ApplicationState> application_state) {
656 QUICHE_DCHECK(one_rtt_keys_available());
657 received_application_state_ = std::move(application_state);
658 // At least one tls session is cached before application state is received. So
659 // insert now.
660 if (session_cache_ != nullptr && cached_tls_sessions_[0] != nullptr) {
661 if (cached_tls_sessions_[1] != nullptr) {
662 // Insert the older session first.
663 session_cache_->Insert(server_id_, std::move(cached_tls_sessions_[1]),
664 *received_transport_params_,
665 received_application_state_.get());
666 }
667 session_cache_->Insert(server_id_, std::move(cached_tls_sessions_[0]),
668 *received_transport_params_,
669 received_application_state_.get());
670 }
671 }
672
673 } // namespace quic
674