1 // Copyright (c) 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "quiche/quic/core/tls_server_handshaker.h"
6
7 #include <memory>
8 #include <string>
9
10 #include "absl/base/macros.h"
11 #include "absl/strings/str_cat.h"
12 #include "absl/strings/string_view.h"
13 #include "openssl/pool.h"
14 #include "openssl/ssl.h"
15 #include "quiche/quic/core/crypto/quic_crypto_server_config.h"
16 #include "quiche/quic/core/crypto/transport_parameters.h"
17 #include "quiche/quic/core/http/http_encoder.h"
18 #include "quiche/quic/core/http/http_frames.h"
19 #include "quiche/quic/core/quic_time.h"
20 #include "quiche/quic/core/quic_types.h"
21 #include "quiche/quic/platform/api/quic_flag_utils.h"
22 #include "quiche/quic/platform/api/quic_flags.h"
23 #include "quiche/quic/platform/api/quic_hostname_utils.h"
24 #include "quiche/quic/platform/api/quic_logging.h"
25 #include "quiche/quic/platform/api/quic_server_stats.h"
26
27 #define RECORD_LATENCY_IN_US(stat_name, latency, comment) \
28 do { \
29 const int64_t latency_in_us = (latency).ToMicroseconds(); \
30 QUIC_DVLOG(1) << "Recording " stat_name ": " << latency_in_us; \
31 QUIC_SERVER_HISTOGRAM_COUNTS(stat_name, latency_in_us, 1, 10000000, 50, \
32 comment); \
33 } while (0)
34
35 namespace quic {
36
37 namespace {
38
39 // Default port for HTTP/3.
40 uint16_t kDefaultPort = 443;
41
42 } // namespace
43
DefaultProofSourceHandle(TlsServerHandshaker * handshaker,ProofSource * proof_source)44 TlsServerHandshaker::DefaultProofSourceHandle::DefaultProofSourceHandle(
45 TlsServerHandshaker* handshaker, ProofSource* proof_source)
46 : handshaker_(handshaker), proof_source_(proof_source) {}
47
~DefaultProofSourceHandle()48 TlsServerHandshaker::DefaultProofSourceHandle::~DefaultProofSourceHandle() {
49 CloseHandle();
50 }
51
CloseHandle()52 void TlsServerHandshaker::DefaultProofSourceHandle::CloseHandle() {
53 QUIC_DVLOG(1) << "CloseHandle. is_signature_pending="
54 << (signature_callback_ != nullptr);
55 if (signature_callback_) {
56 signature_callback_->Cancel();
57 signature_callback_ = nullptr;
58 }
59 }
60
61 QuicAsyncStatus
SelectCertificate(const QuicSocketAddress & server_address,const QuicSocketAddress & client_address,const QuicConnectionId &,absl::string_view,const std::string & hostname,absl::string_view,const std::string &,std::optional<std::string>,const std::vector<uint8_t> &,const std::optional<std::vector<uint8_t>> &,const QuicSSLConfig &)62 TlsServerHandshaker::DefaultProofSourceHandle::SelectCertificate(
63 const QuicSocketAddress& server_address,
64 const QuicSocketAddress& client_address,
65 const QuicConnectionId& /*original_connection_id*/,
66 absl::string_view /*ssl_capabilities*/, const std::string& hostname,
67 absl::string_view /*client_hello*/, const std::string& /*alpn*/,
68 std::optional<std::string> /*alps*/,
69 const std::vector<uint8_t>& /*quic_transport_params*/,
70 const std::optional<std::vector<uint8_t>>& /*early_data_context*/,
71 const QuicSSLConfig& /*ssl_config*/) {
72 if (!handshaker_ || !proof_source_) {
73 QUIC_BUG(quic_bug_10341_1)
74 << "SelectCertificate called on a detached handle";
75 return QUIC_FAILURE;
76 }
77
78 bool cert_matched_sni;
79 quiche::QuicheReferenceCountedPointer<ProofSource::Chain> chain =
80 proof_source_->GetCertChain(server_address, client_address, hostname,
81 &cert_matched_sni);
82
83 handshaker_->OnSelectCertificateDone(
84 /*ok=*/true, /*is_sync=*/true, chain.get(),
85 /*handshake_hints=*/absl::string_view(),
86 /*ticket_encryption_key=*/absl::string_view(), cert_matched_sni,
87 QuicDelayedSSLConfig());
88 if (!handshaker_->select_cert_status().has_value()) {
89 QUIC_BUG(quic_bug_12423_1)
90 << "select_cert_status() has no value after a synchronous select cert";
91 // Return success to continue the handshake.
92 return QUIC_SUCCESS;
93 }
94 return *handshaker_->select_cert_status();
95 }
96
ComputeSignature(const QuicSocketAddress & server_address,const QuicSocketAddress & client_address,const std::string & hostname,uint16_t signature_algorithm,absl::string_view in,size_t max_signature_size)97 QuicAsyncStatus TlsServerHandshaker::DefaultProofSourceHandle::ComputeSignature(
98 const QuicSocketAddress& server_address,
99 const QuicSocketAddress& client_address, const std::string& hostname,
100 uint16_t signature_algorithm, absl::string_view in,
101 size_t max_signature_size) {
102 if (!handshaker_ || !proof_source_) {
103 QUIC_BUG(quic_bug_10341_2)
104 << "ComputeSignature called on a detached handle";
105 return QUIC_FAILURE;
106 }
107
108 if (signature_callback_) {
109 QUIC_BUG(quic_bug_10341_3) << "ComputeSignature called while pending";
110 return QUIC_FAILURE;
111 }
112
113 signature_callback_ = new DefaultSignatureCallback(this);
114 proof_source_->ComputeTlsSignature(
115 server_address, client_address, hostname, signature_algorithm, in,
116 std::unique_ptr<DefaultSignatureCallback>(signature_callback_));
117
118 if (signature_callback_) {
119 QUIC_DVLOG(1) << "ComputeTlsSignature is pending";
120 signature_callback_->set_is_sync(false);
121 return QUIC_PENDING;
122 }
123
124 bool success = handshaker_->HasValidSignature(max_signature_size);
125 QUIC_DVLOG(1) << "ComputeTlsSignature completed synchronously. success:"
126 << success;
127 // OnComputeSignatureDone should have been called by signature_callback_->Run.
128 return success ? QUIC_SUCCESS : QUIC_FAILURE;
129 }
130
DecryptCallback(TlsServerHandshaker * handshaker)131 TlsServerHandshaker::DecryptCallback::DecryptCallback(
132 TlsServerHandshaker* handshaker)
133 : handshaker_(handshaker) {}
134
Run(std::vector<uint8_t> plaintext)135 void TlsServerHandshaker::DecryptCallback::Run(std::vector<uint8_t> plaintext) {
136 if (handshaker_ == nullptr) {
137 // The callback was cancelled before we could run.
138 return;
139 }
140
141 TlsServerHandshaker* handshaker = handshaker_;
142 handshaker_ = nullptr;
143
144 handshaker->decrypted_session_ticket_ = std::move(plaintext);
145 const bool is_async =
146 (handshaker->expected_ssl_error() == SSL_ERROR_PENDING_TICKET);
147
148 std::optional<QuicConnectionContextSwitcher> context_switcher;
149
150 if (is_async) {
151 context_switcher.emplace(handshaker->connection_context());
152 }
153 QUIC_TRACESTRING(
154 absl::StrCat("TLS ticket decryption done. len(decrypted_ticket):",
155 handshaker->decrypted_session_ticket_.size()));
156
157 // DecryptCallback::Run could be called synchronously. When that happens, we
158 // are currently in the middle of a call to AdvanceHandshake.
159 // (AdvanceHandshake called SSL_do_handshake, which through some layers
160 // called SessionTicketOpen, which called TicketCrypter::Decrypt, which
161 // synchronously called this function.) In that case, the handshake will
162 // continue to be processed when this function returns.
163 //
164 // When this callback is called asynchronously (i.e. the ticket decryption
165 // is pending), TlsServerHandshaker is not actively processing handshake
166 // messages. We need to have it resume processing handshake messages by
167 // calling AdvanceHandshake.
168 if (is_async) {
169 handshaker->AdvanceHandshakeFromCallback();
170 }
171
172 handshaker->ticket_decryption_callback_ = nullptr;
173 }
174
Cancel()175 void TlsServerHandshaker::DecryptCallback::Cancel() {
176 QUICHE_DCHECK(handshaker_);
177 handshaker_ = nullptr;
178 }
179
TlsServerHandshaker(QuicSession * session,const QuicCryptoServerConfig * crypto_config)180 TlsServerHandshaker::TlsServerHandshaker(
181 QuicSession* session, const QuicCryptoServerConfig* crypto_config)
182 : TlsHandshaker(this, session),
183 QuicCryptoServerStreamBase(session),
184 proof_source_(crypto_config->proof_source()),
185 pre_shared_key_(crypto_config->pre_shared_key()),
186 crypto_negotiated_params_(new QuicCryptoNegotiatedParameters),
187 tls_connection_(crypto_config->ssl_ctx(), this, session->GetSSLConfig()),
188 crypto_config_(crypto_config) {
189 QUIC_DVLOG(1) << "TlsServerHandshaker: client_cert_mode initial value: "
190 << client_cert_mode();
191
192 QUICHE_DCHECK_EQ(PROTOCOL_TLS1_3,
193 session->connection()->version().handshake_protocol);
194
195 // Configure the SSL to be a server.
196 SSL_set_accept_state(ssl());
197
198 // Make sure we use the right TLS extension codepoint.
199 int use_legacy_extension = 0;
200 if (session->version().UsesLegacyTlsExtension()) {
201 use_legacy_extension = 1;
202 }
203 SSL_set_quic_use_legacy_codepoint(ssl(), use_legacy_extension);
204
205 if (session->connection()->context()->tracer) {
206 tls_connection_.EnableInfoCallback();
207 }
208 #if BORINGSSL_API_VERSION >= 22
209 if (!crypto_config->preferred_groups().empty()) {
210 SSL_set1_group_ids(ssl(), crypto_config->preferred_groups().data(),
211 crypto_config->preferred_groups().size());
212 }
213 #endif // BORINGSSL_API_VERSION
214 }
215
~TlsServerHandshaker()216 TlsServerHandshaker::~TlsServerHandshaker() { CancelOutstandingCallbacks(); }
217
CancelOutstandingCallbacks()218 void TlsServerHandshaker::CancelOutstandingCallbacks() {
219 if (proof_source_handle_) {
220 proof_source_handle_->CloseHandle();
221 }
222 if (ticket_decryption_callback_) {
223 ticket_decryption_callback_->Cancel();
224 ticket_decryption_callback_ = nullptr;
225 }
226 }
227
InfoCallback(int type,int value)228 void TlsServerHandshaker::InfoCallback(int type, int value) {
229 QuicConnectionTracer* tracer =
230 session()->connection()->context()->tracer.get();
231
232 if (tracer == nullptr) {
233 return;
234 }
235
236 if (type & SSL_CB_LOOP) {
237 tracer->PrintString(
238 absl::StrCat("SSL:ACCEPT_LOOP:", SSL_state_string_long(ssl())));
239 } else if (type & SSL_CB_ALERT) {
240 const char* prefix =
241 (type & SSL_CB_READ) ? "SSL:READ_ALERT:" : "SSL:WRITE_ALERT:";
242 tracer->PrintString(absl::StrCat(prefix, SSL_alert_type_string_long(value),
243 ":", SSL_alert_desc_string_long(value)));
244 } else if (type & SSL_CB_EXIT) {
245 const char* prefix =
246 (value == 1) ? "SSL:ACCEPT_EXIT_OK:" : "SSL:ACCEPT_EXIT_FAIL:";
247 tracer->PrintString(absl::StrCat(prefix, SSL_state_string_long(ssl())));
248 } else if (type & SSL_CB_HANDSHAKE_START) {
249 tracer->PrintString(
250 absl::StrCat("SSL:HANDSHAKE_START:", SSL_state_string_long(ssl())));
251 } else if (type & SSL_CB_HANDSHAKE_DONE) {
252 tracer->PrintString(
253 absl::StrCat("SSL:HANDSHAKE_DONE:", SSL_state_string_long(ssl())));
254 } else {
255 QUIC_DLOG(INFO) << "Unknown event type " << type << ": "
256 << SSL_state_string_long(ssl());
257 tracer->PrintString(
258 absl::StrCat("SSL:unknown:", value, ":", SSL_state_string_long(ssl())));
259 }
260 }
261
262 std::unique_ptr<ProofSourceHandle>
MaybeCreateProofSourceHandle()263 TlsServerHandshaker::MaybeCreateProofSourceHandle() {
264 return std::make_unique<DefaultProofSourceHandle>(this, proof_source_);
265 }
266
GetBase64SHA256ClientChannelID(std::string *) const267 bool TlsServerHandshaker::GetBase64SHA256ClientChannelID(
268 std::string* /*output*/) const {
269 // Channel ID is not supported when TLS is used in QUIC.
270 return false;
271 }
272
SendServerConfigUpdate(const CachedNetworkParameters *)273 void TlsServerHandshaker::SendServerConfigUpdate(
274 const CachedNetworkParameters* /*cached_network_params*/) {
275 // SCUP messages aren't supported when using the TLS handshake.
276 }
277
DisableResumption()278 bool TlsServerHandshaker::DisableResumption() {
279 if (!can_disable_resumption_ || !session()->connection()->connected()) {
280 return false;
281 }
282 tls_connection_.DisableTicketSupport();
283 return true;
284 }
285
IsZeroRtt() const286 bool TlsServerHandshaker::IsZeroRtt() const {
287 return SSL_early_data_accepted(ssl());
288 }
289
IsResumption() const290 bool TlsServerHandshaker::IsResumption() const {
291 return SSL_session_reused(ssl());
292 }
293
ResumptionAttempted() const294 bool TlsServerHandshaker::ResumptionAttempted() const {
295 return ticket_received_;
296 }
297
EarlyDataAttempted() const298 bool TlsServerHandshaker::EarlyDataAttempted() const {
299 QUIC_BUG_IF(quic_tls_early_data_attempted_too_early,
300 !select_cert_status_.has_value())
301 << "EarlyDataAttempted must be called after EarlySelectCertCallback is "
302 "started";
303 return early_data_attempted_;
304 }
305
NumServerConfigUpdateMessagesSent() const306 int TlsServerHandshaker::NumServerConfigUpdateMessagesSent() const {
307 // SCUP messages aren't supported when using the TLS handshake.
308 return 0;
309 }
310
311 const CachedNetworkParameters*
PreviousCachedNetworkParams() const312 TlsServerHandshaker::PreviousCachedNetworkParams() const {
313 return last_received_cached_network_params_.get();
314 }
315
SetPreviousCachedNetworkParams(CachedNetworkParameters cached_network_params)316 void TlsServerHandshaker::SetPreviousCachedNetworkParams(
317 CachedNetworkParameters cached_network_params) {
318 last_received_cached_network_params_ =
319 std::make_unique<CachedNetworkParameters>(cached_network_params);
320 }
321
OnPacketDecrypted(EncryptionLevel level)322 void TlsServerHandshaker::OnPacketDecrypted(EncryptionLevel level) {
323 if (level == ENCRYPTION_HANDSHAKE && state_ < HANDSHAKE_PROCESSED) {
324 state_ = HANDSHAKE_PROCESSED;
325 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_INITIAL);
326 handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_INITIAL);
327 }
328 }
329
OnHandshakeDoneReceived()330 void TlsServerHandshaker::OnHandshakeDoneReceived() { QUICHE_DCHECK(false); }
331
OnNewTokenReceived(absl::string_view)332 void TlsServerHandshaker::OnNewTokenReceived(absl::string_view /*token*/) {
333 QUICHE_DCHECK(false);
334 }
335
GetAddressToken(const CachedNetworkParameters * cached_network_params) const336 std::string TlsServerHandshaker::GetAddressToken(
337 const CachedNetworkParameters* cached_network_params) const {
338 SourceAddressTokens empty_previous_tokens;
339 const QuicConnection* connection = session()->connection();
340 return crypto_config_->NewSourceAddressToken(
341 crypto_config_->source_address_token_boxer(), empty_previous_tokens,
342 connection->effective_peer_address().host(),
343 connection->random_generator(), connection->clock()->WallNow(),
344 cached_network_params);
345 }
346
ValidateAddressToken(absl::string_view token) const347 bool TlsServerHandshaker::ValidateAddressToken(absl::string_view token) const {
348 SourceAddressTokens tokens;
349 HandshakeFailureReason reason = crypto_config_->ParseSourceAddressToken(
350 crypto_config_->source_address_token_boxer(), token, tokens);
351 if (reason != HANDSHAKE_OK) {
352 QUIC_DLOG(WARNING) << "Failed to parse source address token: "
353 << CryptoUtils::HandshakeFailureReasonToString(reason);
354 return false;
355 }
356 auto cached_network_params = std::make_unique<CachedNetworkParameters>();
357 reason = crypto_config_->ValidateSourceAddressTokens(
358 tokens, session()->connection()->effective_peer_address().host(),
359 session()->connection()->clock()->WallNow(), cached_network_params.get());
360 if (reason != HANDSHAKE_OK) {
361 QUIC_DLOG(WARNING) << "Failed to validate source address token: "
362 << CryptoUtils::HandshakeFailureReasonToString(reason);
363 return false;
364 }
365
366 last_received_cached_network_params_ = std::move(cached_network_params);
367 return true;
368 }
369
ShouldSendExpectCTHeader() const370 bool TlsServerHandshaker::ShouldSendExpectCTHeader() const { return false; }
371
DidCertMatchSni() const372 bool TlsServerHandshaker::DidCertMatchSni() const { return cert_matched_sni_; }
373
ProofSourceDetails() const374 const ProofSource::Details* TlsServerHandshaker::ProofSourceDetails() const {
375 return proof_source_details_.get();
376 }
377
ExportKeyingMaterial(absl::string_view label,absl::string_view context,size_t result_len,std::string * result)378 bool TlsServerHandshaker::ExportKeyingMaterial(absl::string_view label,
379 absl::string_view context,
380 size_t result_len,
381 std::string* result) {
382 return ExportKeyingMaterialForLabel(label, context, result_len, result);
383 }
384
OnConnectionClosed(QuicErrorCode error,ConnectionCloseSource source)385 void TlsServerHandshaker::OnConnectionClosed(QuicErrorCode error,
386 ConnectionCloseSource source) {
387 TlsHandshaker::OnConnectionClosed(error, source);
388 }
389
EarlyDataReason() const390 ssl_early_data_reason_t TlsServerHandshaker::EarlyDataReason() const {
391 return TlsHandshaker::EarlyDataReason();
392 }
393
encryption_established() const394 bool TlsServerHandshaker::encryption_established() const {
395 return encryption_established_;
396 }
397
one_rtt_keys_available() const398 bool TlsServerHandshaker::one_rtt_keys_available() const {
399 return state_ == HANDSHAKE_CONFIRMED;
400 }
401
402 const QuicCryptoNegotiatedParameters&
crypto_negotiated_params() const403 TlsServerHandshaker::crypto_negotiated_params() const {
404 return *crypto_negotiated_params_;
405 }
406
crypto_message_parser()407 CryptoMessageParser* TlsServerHandshaker::crypto_message_parser() {
408 return TlsHandshaker::crypto_message_parser();
409 }
410
GetHandshakeState() const411 HandshakeState TlsServerHandshaker::GetHandshakeState() const { return state_; }
412
SetServerApplicationStateForResumption(std::unique_ptr<ApplicationState> state)413 void TlsServerHandshaker::SetServerApplicationStateForResumption(
414 std::unique_ptr<ApplicationState> state) {
415 application_state_ = std::move(state);
416 }
417
BufferSizeLimitForLevel(EncryptionLevel level) const418 size_t TlsServerHandshaker::BufferSizeLimitForLevel(
419 EncryptionLevel level) const {
420 return TlsHandshaker::BufferSizeLimitForLevel(level);
421 }
422
423 std::unique_ptr<QuicDecrypter>
AdvanceKeysAndCreateCurrentOneRttDecrypter()424 TlsServerHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter() {
425 return TlsHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter();
426 }
427
428 std::unique_ptr<QuicEncrypter>
CreateCurrentOneRttEncrypter()429 TlsServerHandshaker::CreateCurrentOneRttEncrypter() {
430 return TlsHandshaker::CreateCurrentOneRttEncrypter();
431 }
432
OverrideQuicConfigDefaults(QuicConfig *)433 void TlsServerHandshaker::OverrideQuicConfigDefaults(QuicConfig* /*config*/) {}
434
AdvanceHandshakeFromCallback()435 void TlsServerHandshaker::AdvanceHandshakeFromCallback() {
436 QuicConnection::ScopedPacketFlusher flusher(session()->connection());
437
438 AdvanceHandshake();
439 if (!is_connection_closed()) {
440 handshaker_delegate()->OnHandshakeCallbackDone();
441 }
442 }
443
ProcessTransportParameters(const SSL_CLIENT_HELLO * client_hello,std::string * error_details)444 bool TlsServerHandshaker::ProcessTransportParameters(
445 const SSL_CLIENT_HELLO* client_hello, std::string* error_details) {
446 TransportParameters client_params;
447 const uint8_t* client_params_bytes;
448 size_t params_bytes_len;
449
450 // Make sure we use the right TLS extension codepoint.
451 uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters_standard;
452 if (session()->version().UsesLegacyTlsExtension()) {
453 extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;
454 }
455 // When using early select cert callback, SSL_get_peer_quic_transport_params
456 // can not be used to retrieve the client's transport parameters, but we can
457 // use SSL_early_callback_ctx_extension_get to do that.
458 if (!SSL_early_callback_ctx_extension_get(client_hello, extension_type,
459 &client_params_bytes,
460 ¶ms_bytes_len)) {
461 params_bytes_len = 0;
462 }
463
464 if (params_bytes_len == 0) {
465 *error_details = "Client's transport parameters are missing";
466 return false;
467 }
468 std::string parse_error_details;
469 if (!ParseTransportParameters(session()->connection()->version(),
470 Perspective::IS_CLIENT, client_params_bytes,
471 params_bytes_len, &client_params,
472 &parse_error_details)) {
473 QUICHE_DCHECK(!parse_error_details.empty());
474 *error_details =
475 "Unable to parse client's transport parameters: " + parse_error_details;
476 return false;
477 }
478
479 // Notify QuicConnectionDebugVisitor.
480 session()->connection()->OnTransportParametersReceived(client_params);
481
482 if (client_params.legacy_version_information.has_value() &&
483 CryptoUtils::ValidateClientHelloVersion(
484 client_params.legacy_version_information->version,
485 session()->connection()->version(), session()->supported_versions(),
486 error_details) != QUIC_NO_ERROR) {
487 return false;
488 }
489
490 if (client_params.version_information.has_value() &&
491 !CryptoUtils::ValidateChosenVersion(
492 client_params.version_information->chosen_version,
493 session()->version(), error_details)) {
494 QUICHE_DCHECK(!error_details->empty());
495 return false;
496 }
497
498 if (handshaker_delegate()->ProcessTransportParameters(
499 client_params, /* is_resumption = */ false, error_details) !=
500 QUIC_NO_ERROR) {
501 return false;
502 }
503
504 ProcessAdditionalTransportParameters(client_params);
505
506 return true;
507 }
508
509 TlsServerHandshaker::SetTransportParametersResult
SetTransportParameters()510 TlsServerHandshaker::SetTransportParameters() {
511 SetTransportParametersResult result;
512 QUICHE_DCHECK(!result.success);
513
514 server_params_.perspective = Perspective::IS_SERVER;
515 server_params_.legacy_version_information =
516 TransportParameters::LegacyVersionInformation();
517 server_params_.legacy_version_information->supported_versions =
518 CreateQuicVersionLabelVector(session()->supported_versions());
519 server_params_.legacy_version_information->version =
520 CreateQuicVersionLabel(session()->connection()->version());
521 server_params_.version_information =
522 TransportParameters::VersionInformation();
523 server_params_.version_information->chosen_version =
524 CreateQuicVersionLabel(session()->version());
525 server_params_.version_information->other_versions =
526 CreateQuicVersionLabelVector(session()->supported_versions());
527
528 if (!handshaker_delegate()->FillTransportParameters(&server_params_)) {
529 return result;
530 }
531
532 // Notify QuicConnectionDebugVisitor.
533 session()->connection()->OnTransportParametersSent(server_params_);
534
535 { // Ensure |server_params_bytes| is not accessed out of the scope.
536 std::vector<uint8_t> server_params_bytes;
537 if (!SerializeTransportParameters(server_params_, &server_params_bytes) ||
538 SSL_set_quic_transport_params(ssl(), server_params_bytes.data(),
539 server_params_bytes.size()) != 1) {
540 return result;
541 }
542 result.quic_transport_params = std::move(server_params_bytes);
543 }
544
545 if (application_state_) {
546 std::vector<uint8_t> early_data_context;
547 if (!SerializeTransportParametersForTicket(
548 server_params_, *application_state_, &early_data_context)) {
549 QUIC_BUG(quic_bug_10341_4)
550 << "Failed to serialize Transport Parameters for ticket.";
551 result.early_data_context = std::vector<uint8_t>();
552 return result;
553 }
554 SSL_set_quic_early_data_context(ssl(), early_data_context.data(),
555 early_data_context.size());
556 result.early_data_context = std::move(early_data_context);
557 application_state_.reset(nullptr);
558 }
559 result.success = true;
560 return result;
561 }
562
TransportParametersMatch(absl::Span<const uint8_t> serialized_params) const563 bool TlsServerHandshaker::TransportParametersMatch(
564 absl::Span<const uint8_t> serialized_params) const {
565 TransportParameters params;
566 std::string error_details;
567
568 bool parse_ok = ParseTransportParameters(
569 session()->version(), Perspective::IS_SERVER, serialized_params.data(),
570 serialized_params.size(), ¶ms, &error_details);
571
572 if (!parse_ok) {
573 return false;
574 }
575
576 DegreaseTransportParameters(params);
577
578 return params == server_params_;
579 }
580
SetWriteSecret(EncryptionLevel level,const SSL_CIPHER * cipher,absl::Span<const uint8_t> write_secret)581 void TlsServerHandshaker::SetWriteSecret(
582 EncryptionLevel level, const SSL_CIPHER* cipher,
583 absl::Span<const uint8_t> write_secret) {
584 if (is_connection_closed()) {
585 return;
586 }
587 if (level == ENCRYPTION_FORWARD_SECURE) {
588 encryption_established_ = true;
589 // Fill crypto_negotiated_params_:
590 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
591 if (cipher) {
592 crypto_negotiated_params_->cipher_suite =
593 SSL_CIPHER_get_protocol_id(cipher);
594 }
595 crypto_negotiated_params_->key_exchange_group = SSL_get_curve_id(ssl());
596 crypto_negotiated_params_->encrypted_client_hello = SSL_ech_accepted(ssl());
597 }
598 TlsHandshaker::SetWriteSecret(level, cipher, write_secret);
599 }
600
GetAcceptChValueForHostname(const std::string &) const601 std::string TlsServerHandshaker::GetAcceptChValueForHostname(
602 const std::string& /*hostname*/) const {
603 return {};
604 }
605
FinishHandshake()606 void TlsServerHandshaker::FinishHandshake() {
607 QUICHE_DCHECK(!SSL_in_early_data(ssl()));
608
609 if (!valid_alpn_received_) {
610 QUIC_DLOG(ERROR)
611 << "Server: handshake finished without receiving a known ALPN";
612 // TODO(b/130164908) this should send no_application_protocol
613 // instead of QUIC_HANDSHAKE_FAILED.
614 CloseConnection(QUIC_HANDSHAKE_FAILED,
615 "Server did not receive a known ALPN");
616 return;
617 }
618
619 ssl_early_data_reason_t reason_code = EarlyDataReason();
620 QUIC_DLOG(INFO) << "Server: handshake finished. Early data reason "
621 << reason_code << " ("
622 << CryptoUtils::EarlyDataReasonToString(reason_code) << ")";
623 state_ = HANDSHAKE_CONFIRMED;
624
625 handshaker_delegate()->OnTlsHandshakeComplete();
626 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_HANDSHAKE);
627 handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_HANDSHAKE);
628 // ENCRYPTION_ZERO_RTT decryption key is not discarded here as "Servers MAY
629 // temporarily retain 0-RTT keys to allow decrypting reordered packets
630 // without requiring their contents to be retransmitted with 1-RTT keys."
631 // It is expected that QuicConnection will discard the key at an
632 // appropriate time.
633 }
634
VerifyCertChain(const std::vector<std::string> &,std::string *,std::unique_ptr<ProofVerifyDetails> *,uint8_t *,std::unique_ptr<ProofVerifierCallback>)635 QuicAsyncStatus TlsServerHandshaker::VerifyCertChain(
636 const std::vector<std::string>& /*certs*/, std::string* /*error_details*/,
637 std::unique_ptr<ProofVerifyDetails>* /*details*/, uint8_t* /*out_alert*/,
638 std::unique_ptr<ProofVerifierCallback> /*callback*/) {
639 QUIC_DVLOG(1) << "VerifyCertChain returning success";
640
641 // No real verification here. A subclass can override this function to verify
642 // the client cert if needed.
643 return QUIC_SUCCESS;
644 }
645
OnProofVerifyDetailsAvailable(const ProofVerifyDetails &)646 void TlsServerHandshaker::OnProofVerifyDetailsAvailable(
647 const ProofVerifyDetails& /*verify_details*/) {}
648
PrivateKeySign(uint8_t * out,size_t * out_len,size_t max_out,uint16_t sig_alg,absl::string_view in)649 ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign(
650 uint8_t* out, size_t* out_len, size_t max_out, uint16_t sig_alg,
651 absl::string_view in) {
652 QUICHE_DCHECK_EQ(expected_ssl_error(), SSL_ERROR_WANT_READ);
653
654 QuicAsyncStatus status = proof_source_handle_->ComputeSignature(
655 session()->connection()->self_address(),
656 session()->connection()->peer_address(), crypto_negotiated_params_->sni,
657 sig_alg, in, max_out);
658 if (status == QUIC_PENDING) {
659 set_expected_ssl_error(SSL_ERROR_WANT_PRIVATE_KEY_OPERATION);
660 if (async_op_timer_.has_value()) {
661 QUIC_CODE_COUNT(
662 quic_tls_server_computing_signature_while_another_op_pending);
663 }
664 async_op_timer_ = QuicTimeAccumulator();
665 async_op_timer_->Start(now());
666 }
667 return PrivateKeyComplete(out, out_len, max_out);
668 }
669
PrivateKeyComplete(uint8_t * out,size_t * out_len,size_t max_out)670 ssl_private_key_result_t TlsServerHandshaker::PrivateKeyComplete(
671 uint8_t* out, size_t* out_len, size_t max_out) {
672 if (expected_ssl_error() == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
673 return ssl_private_key_retry;
674 }
675
676 const bool success = HasValidSignature(max_out);
677 QuicConnectionStats::TlsServerOperationStats compute_signature_stats;
678 compute_signature_stats.success = success;
679 if (async_op_timer_.has_value()) {
680 async_op_timer_->Stop(now());
681 compute_signature_stats.async_latency =
682 async_op_timer_->GetTotalElapsedTime();
683 async_op_timer_.reset();
684 RECORD_LATENCY_IN_US("tls_server_async_compute_signature_latency_us",
685 compute_signature_stats.async_latency,
686 "Async compute signature latency in microseconds");
687 }
688 connection_stats().tls_server_compute_signature_stats =
689 std::move(compute_signature_stats);
690
691 if (!success) {
692 return ssl_private_key_failure;
693 }
694 *out_len = cert_verify_sig_.size();
695 memcpy(out, cert_verify_sig_.data(), *out_len);
696 cert_verify_sig_.clear();
697 cert_verify_sig_.shrink_to_fit();
698 return ssl_private_key_success;
699 }
700
OnComputeSignatureDone(bool ok,bool is_sync,std::string signature,std::unique_ptr<ProofSource::Details> details)701 void TlsServerHandshaker::OnComputeSignatureDone(
702 bool ok, bool is_sync, std::string signature,
703 std::unique_ptr<ProofSource::Details> details) {
704 QUIC_DVLOG(1) << "OnComputeSignatureDone. ok:" << ok
705 << ", is_sync:" << is_sync
706 << ", len(signature):" << signature.size();
707 std::optional<QuicConnectionContextSwitcher> context_switcher;
708
709 if (!is_sync) {
710 context_switcher.emplace(connection_context());
711 }
712
713 QUIC_TRACESTRING(absl::StrCat("TLS compute signature done. ok:", ok,
714 ", len(signature):", signature.size()));
715
716 if (ok) {
717 cert_verify_sig_ = std::move(signature);
718 proof_source_details_ = std::move(details);
719 }
720 const int last_expected_ssl_error = expected_ssl_error();
721 set_expected_ssl_error(SSL_ERROR_WANT_READ);
722 if (!is_sync) {
723 QUICHE_DCHECK_EQ(last_expected_ssl_error,
724 SSL_ERROR_WANT_PRIVATE_KEY_OPERATION);
725 AdvanceHandshakeFromCallback();
726 }
727 }
728
HasValidSignature(size_t max_signature_size) const729 bool TlsServerHandshaker::HasValidSignature(size_t max_signature_size) const {
730 return !cert_verify_sig_.empty() &&
731 cert_verify_sig_.size() <= max_signature_size;
732 }
733
SessionTicketMaxOverhead()734 size_t TlsServerHandshaker::SessionTicketMaxOverhead() {
735 QUICHE_DCHECK(proof_source_->GetTicketCrypter());
736 return proof_source_->GetTicketCrypter()->MaxOverhead();
737 }
738
SessionTicketSeal(uint8_t * out,size_t * out_len,size_t max_out_len,absl::string_view in)739 int TlsServerHandshaker::SessionTicketSeal(uint8_t* out, size_t* out_len,
740 size_t max_out_len,
741 absl::string_view in) {
742 QUICHE_DCHECK(proof_source_->GetTicketCrypter());
743 std::vector<uint8_t> ticket =
744 proof_source_->GetTicketCrypter()->Encrypt(in, ticket_encryption_key_);
745 if (GetQuicReloadableFlag(
746 quic_send_placeholder_ticket_when_encrypt_ticket_fails) &&
747 ticket.empty()) {
748 QUIC_CODE_COUNT(quic_tls_server_handshaker_send_placeholder_ticket);
749 const absl::string_view kTicketFailurePlaceholder = "TICKET FAILURE";
750 const absl::string_view kTicketWithSizeLimit =
751 kTicketFailurePlaceholder.substr(0, max_out_len);
752 ticket.assign(kTicketWithSizeLimit.begin(), kTicketWithSizeLimit.end());
753 }
754 if (max_out_len < ticket.size()) {
755 QUIC_BUG(quic_bug_12423_2)
756 << "TicketCrypter returned " << ticket.size()
757 << " bytes of ciphertext, which is larger than its max overhead of "
758 << max_out_len;
759 return 0; // failure
760 }
761 *out_len = ticket.size();
762 memcpy(out, ticket.data(), ticket.size());
763 QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_sealed);
764 return 1; // success
765 }
766
SessionTicketOpen(uint8_t * out,size_t * out_len,size_t max_out_len,absl::string_view in)767 ssl_ticket_aead_result_t TlsServerHandshaker::SessionTicketOpen(
768 uint8_t* out, size_t* out_len, size_t max_out_len, absl::string_view in) {
769 QUICHE_DCHECK(proof_source_->GetTicketCrypter());
770
771 if (ignore_ticket_open_) {
772 // SetIgnoreTicketOpen has been called. Typically this means the caller is
773 // using handshake hints and expect the hints to contain ticket decryption
774 // results.
775 QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_ignored_1);
776 return ssl_ticket_aead_ignore_ticket;
777 }
778
779 if (!ticket_decryption_callback_) {
780 ticket_decryption_callback_ = std::make_shared<DecryptCallback>(this);
781 proof_source_->GetTicketCrypter()->Decrypt(in, ticket_decryption_callback_);
782
783 // Decrypt can run the callback synchronously. In that case, the callback
784 // will clear the ticket_decryption_callback_ pointer, and instead of
785 // returning ssl_ticket_aead_retry, we should continue processing to
786 // return the decrypted ticket.
787 //
788 // If the callback is not run synchronously, return ssl_ticket_aead_retry
789 // and when the callback is complete this function will be run again to
790 // return the result.
791 if (ticket_decryption_callback_) {
792 QUICHE_DCHECK(!ticket_decryption_callback_->IsDone());
793 set_expected_ssl_error(SSL_ERROR_PENDING_TICKET);
794 if (async_op_timer_.has_value()) {
795 QUIC_CODE_COUNT(
796 quic_tls_server_decrypting_ticket_while_another_op_pending);
797 }
798 async_op_timer_ = QuicTimeAccumulator();
799 async_op_timer_->Start(now());
800 }
801 }
802
803 // If the async ticket decryption is pending, either started by this
804 // SessionTicketOpen call or one that happened earlier, return
805 // ssl_ticket_aead_retry.
806 if (ticket_decryption_callback_ && !ticket_decryption_callback_->IsDone()) {
807 return ssl_ticket_aead_retry;
808 }
809
810 ssl_ticket_aead_result_t result =
811 FinalizeSessionTicketOpen(out, out_len, max_out_len);
812
813 QuicConnectionStats::TlsServerOperationStats decrypt_ticket_stats;
814 decrypt_ticket_stats.success = (result == ssl_ticket_aead_success);
815 if (async_op_timer_.has_value()) {
816 async_op_timer_->Stop(now());
817 decrypt_ticket_stats.async_latency = async_op_timer_->GetTotalElapsedTime();
818 async_op_timer_.reset();
819 RECORD_LATENCY_IN_US("tls_server_async_decrypt_ticket_latency_us",
820 decrypt_ticket_stats.async_latency,
821 "Async decrypt ticket latency in microseconds");
822 }
823 connection_stats().tls_server_decrypt_ticket_stats =
824 std::move(decrypt_ticket_stats);
825
826 return result;
827 }
828
FinalizeSessionTicketOpen(uint8_t * out,size_t * out_len,size_t max_out_len)829 ssl_ticket_aead_result_t TlsServerHandshaker::FinalizeSessionTicketOpen(
830 uint8_t* out, size_t* out_len, size_t max_out_len) {
831 ticket_decryption_callback_ = nullptr;
832 set_expected_ssl_error(SSL_ERROR_WANT_READ);
833 if (decrypted_session_ticket_.empty()) {
834 QUIC_DLOG(ERROR) << "Session ticket decryption failed; ignoring ticket";
835 // Ticket decryption failed. Ignore the ticket.
836 QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_ignored_2);
837 return ssl_ticket_aead_ignore_ticket;
838 }
839 if (max_out_len < decrypted_session_ticket_.size()) {
840 return ssl_ticket_aead_error;
841 }
842 memcpy(out, decrypted_session_ticket_.data(),
843 decrypted_session_ticket_.size());
844 *out_len = decrypted_session_ticket_.size();
845
846 QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_opened);
847 return ssl_ticket_aead_success;
848 }
849
EarlySelectCertCallback(const SSL_CLIENT_HELLO * client_hello)850 ssl_select_cert_result_t TlsServerHandshaker::EarlySelectCertCallback(
851 const SSL_CLIENT_HELLO* client_hello) {
852 // EarlySelectCertCallback can be called twice from BoringSSL: If the first
853 // call returns ssl_select_cert_retry, when cert selection completes,
854 // SSL_do_handshake will call it again.
855
856 if (select_cert_status_.has_value()) {
857 // This is the second call, return the result directly.
858 QUIC_DVLOG(1) << "EarlySelectCertCallback called to continue handshake, "
859 "returning directly. success:"
860 << (*select_cert_status_ == QUIC_SUCCESS);
861 return (*select_cert_status_ == QUIC_SUCCESS) ? ssl_select_cert_success
862 : ssl_select_cert_error;
863 }
864
865 // This is the first call.
866 select_cert_status_ = QUIC_PENDING;
867 proof_source_handle_ = MaybeCreateProofSourceHandle();
868
869 if (!pre_shared_key_.empty()) {
870 // TODO(b/154162689) add PSK support to QUIC+TLS.
871 QUIC_BUG(quic_bug_10341_6)
872 << "QUIC server pre-shared keys not yet supported with TLS";
873 return ssl_select_cert_error;
874 }
875
876 {
877 const uint8_t* unused_extension_bytes;
878 size_t unused_extension_len;
879 ticket_received_ = SSL_early_callback_ctx_extension_get(
880 client_hello, TLSEXT_TYPE_pre_shared_key, &unused_extension_bytes,
881 &unused_extension_len);
882
883 early_data_attempted_ = SSL_early_callback_ctx_extension_get(
884 client_hello, TLSEXT_TYPE_early_data, &unused_extension_bytes,
885 &unused_extension_len);
886 }
887
888 // This callback is called very early by Boring SSL, most of the SSL_get_foo
889 // function do not work at this point, but SSL_get_servername does.
890 const char* hostname = SSL_get_servername(ssl(), TLSEXT_NAMETYPE_host_name);
891 if (hostname) {
892 crypto_negotiated_params_->sni =
893 QuicHostnameUtils::NormalizeHostname(hostname);
894 if (!ValidateHostname(hostname)) {
895 return ssl_select_cert_error;
896 }
897 if (hostname != crypto_negotiated_params_->sni) {
898 QUIC_CODE_COUNT(quic_tls_server_hostname_diff);
899 QUIC_LOG_EVERY_N_SEC(WARNING, 300)
900 << "Raw and normalized hostnames differ, but both are valid SNIs. "
901 "raw hostname:"
902 << hostname << ", normalized:" << crypto_negotiated_params_->sni;
903 } else {
904 QUIC_CODE_COUNT(quic_tls_server_hostname_same);
905 }
906 } else {
907 QUIC_LOG(INFO) << "No hostname indicated in SNI";
908 }
909
910 std::string error_details;
911 if (!ProcessTransportParameters(client_hello, &error_details)) {
912 CloseConnection(QUIC_HANDSHAKE_FAILED, error_details);
913 return ssl_select_cert_error;
914 }
915 OverrideQuicConfigDefaults(session()->config());
916 session()->OnConfigNegotiated();
917
918 auto set_transport_params_result = SetTransportParameters();
919 if (!set_transport_params_result.success) {
920 QUIC_LOG(ERROR) << "Failed to set transport parameters";
921 return ssl_select_cert_error;
922 }
923
924 bssl::UniquePtr<uint8_t> ssl_capabilities;
925 size_t ssl_capabilities_len = 0;
926 absl::string_view ssl_capabilities_view;
927
928 if (CryptoUtils::GetSSLCapabilities(ssl(), &ssl_capabilities,
929 &ssl_capabilities_len)) {
930 ssl_capabilities_view =
931 absl::string_view(reinterpret_cast<const char*>(ssl_capabilities.get()),
932 ssl_capabilities_len);
933 }
934
935 // Enable ALPS for the session's ALPN.
936 SetApplicationSettingsResult alps_result =
937 SetApplicationSettings(AlpnForVersion(session()->version()));
938 if (!alps_result.success) {
939 return ssl_select_cert_error;
940 }
941
942 if (!session()->connection()->connected()) {
943 select_cert_status_ = QUIC_FAILURE;
944 return ssl_select_cert_error;
945 }
946
947 can_disable_resumption_ = false;
948 const QuicAsyncStatus status = proof_source_handle_->SelectCertificate(
949 session()->connection()->self_address().Normalized(),
950 session()->connection()->peer_address().Normalized(),
951 session()->connection()->GetOriginalDestinationConnectionId(),
952 ssl_capabilities_view, crypto_negotiated_params_->sni,
953 absl::string_view(
954 reinterpret_cast<const char*>(client_hello->client_hello),
955 client_hello->client_hello_len),
956 AlpnForVersion(session()->version()), std::move(alps_result.alps_buffer),
957 set_transport_params_result.quic_transport_params,
958 set_transport_params_result.early_data_context,
959 tls_connection_.ssl_config());
960
961 QUICHE_DCHECK_EQ(status, *select_cert_status());
962
963 if (status == QUIC_PENDING) {
964 set_expected_ssl_error(SSL_ERROR_PENDING_CERTIFICATE);
965 if (async_op_timer_.has_value()) {
966 QUIC_CODE_COUNT(quic_tls_server_selecting_cert_while_another_op_pending);
967 }
968 async_op_timer_ = QuicTimeAccumulator();
969 async_op_timer_->Start(now());
970 return ssl_select_cert_retry;
971 }
972
973 if (status == QUIC_FAILURE) {
974 return ssl_select_cert_error;
975 }
976
977 return ssl_select_cert_success;
978 }
979
OnSelectCertificateDone(bool ok,bool is_sync,const ProofSource::Chain * chain,absl::string_view handshake_hints,absl::string_view ticket_encryption_key,bool cert_matched_sni,QuicDelayedSSLConfig delayed_ssl_config)980 void TlsServerHandshaker::OnSelectCertificateDone(
981 bool ok, bool is_sync, const ProofSource::Chain* chain,
982 absl::string_view handshake_hints, absl::string_view ticket_encryption_key,
983 bool cert_matched_sni, QuicDelayedSSLConfig delayed_ssl_config) {
984 QUIC_DVLOG(1) << "OnSelectCertificateDone. ok:" << ok
985 << ", is_sync:" << is_sync
986 << ", len(handshake_hints):" << handshake_hints.size()
987 << ", len(ticket_encryption_key):"
988 << ticket_encryption_key.size();
989 std::optional<QuicConnectionContextSwitcher> context_switcher;
990 if (!is_sync) {
991 context_switcher.emplace(connection_context());
992 }
993
994 QUIC_TRACESTRING(absl::StrCat(
995 "TLS select certificate done: ok:", ok,
996 ", certs_found:", (chain != nullptr && !chain->certs.empty()),
997 ", len(handshake_hints):", handshake_hints.size(),
998 ", len(ticket_encryption_key):", ticket_encryption_key.size()));
999
1000 ticket_encryption_key_ = std::string(ticket_encryption_key);
1001 select_cert_status_ = QUIC_FAILURE;
1002 cert_matched_sni_ = cert_matched_sni;
1003
1004 if (delayed_ssl_config.quic_transport_parameters.has_value()) {
1005 // In case of any error the SSL object is still valid. Handshaker may need
1006 // to call ComputeSignature but otherwise can proceed.
1007 if (TransportParametersMatch(
1008 absl::MakeSpan(*delayed_ssl_config.quic_transport_parameters))) {
1009 if (SSL_set_quic_transport_params(
1010 ssl(), delayed_ssl_config.quic_transport_parameters->data(),
1011 delayed_ssl_config.quic_transport_parameters->size()) != 1) {
1012 QUIC_DVLOG(1) << "SSL_set_quic_transport_params override failed";
1013 }
1014 } else {
1015 QUIC_DVLOG(1)
1016 << "QUIC transport parameters mismatch with ProofSourceHandle";
1017 }
1018 }
1019
1020 if (delayed_ssl_config.client_cert_mode.has_value()) {
1021 tls_connection_.SetClientCertMode(*delayed_ssl_config.client_cert_mode);
1022 QUIC_DVLOG(1) << "client_cert_mode after cert selection: "
1023 << client_cert_mode();
1024 }
1025
1026 if (ok) {
1027 if (chain && !chain->certs.empty()) {
1028 tls_connection_.SetCertChain(chain->ToCryptoBuffers().value);
1029 if (!handshake_hints.empty() &&
1030 !SSL_set_handshake_hints(
1031 ssl(), reinterpret_cast<const uint8_t*>(handshake_hints.data()),
1032 handshake_hints.size())) {
1033 // If |SSL_set_handshake_hints| fails, the ssl() object will remain
1034 // intact, it is as if we didn't call it. The handshaker will
1035 // continue to compute signature/decrypt ticket as normal.
1036 QUIC_CODE_COUNT(quic_tls_server_set_handshake_hints_failed);
1037 QUIC_DVLOG(1) << "SSL_set_handshake_hints failed";
1038 }
1039 select_cert_status_ = QUIC_SUCCESS;
1040 } else {
1041 QUIC_DLOG(ERROR) << "No certs provided for host '"
1042 << crypto_negotiated_params_->sni << "', server_address:"
1043 << session()->connection()->self_address()
1044 << ", client_address:"
1045 << session()->connection()->peer_address();
1046 }
1047 }
1048
1049 QuicConnectionStats::TlsServerOperationStats select_cert_stats;
1050 select_cert_stats.success = (select_cert_status_ == QUIC_SUCCESS);
1051 QUICHE_DCHECK_NE(is_sync, async_op_timer_.has_value());
1052 if (async_op_timer_.has_value()) {
1053 async_op_timer_->Stop(now());
1054 select_cert_stats.async_latency = async_op_timer_->GetTotalElapsedTime();
1055 async_op_timer_.reset();
1056 RECORD_LATENCY_IN_US("tls_server_async_select_cert_latency_us",
1057 select_cert_stats.async_latency,
1058 "Async select cert latency in microseconds");
1059 }
1060 connection_stats().tls_server_select_cert_stats =
1061 std::move(select_cert_stats);
1062
1063 const int last_expected_ssl_error = expected_ssl_error();
1064 set_expected_ssl_error(SSL_ERROR_WANT_READ);
1065 if (!is_sync) {
1066 QUICHE_DCHECK_EQ(last_expected_ssl_error, SSL_ERROR_PENDING_CERTIFICATE);
1067 AdvanceHandshakeFromCallback();
1068 }
1069 }
1070
WillNotCallComputeSignature() const1071 bool TlsServerHandshaker::WillNotCallComputeSignature() const {
1072 return SSL_can_release_private_key(ssl());
1073 }
1074
ValidateHostname(const std::string & hostname) const1075 bool TlsServerHandshaker::ValidateHostname(const std::string& hostname) const {
1076 if (!QuicHostnameUtils::IsValidSNI(hostname)) {
1077 // TODO(b/151676147): Include this error string in the CONNECTION_CLOSE
1078 // frame.
1079 QUIC_DLOG(ERROR) << "Invalid SNI provided: \"" << hostname << "\"";
1080 return false;
1081 }
1082 return true;
1083 }
1084
TlsExtServernameCallback(int *)1085 int TlsServerHandshaker::TlsExtServernameCallback(int* /*out_alert*/) {
1086 // SSL_TLSEXT_ERR_OK causes the server_name extension to be acked in
1087 // ServerHello.
1088 return SSL_TLSEXT_ERR_OK;
1089 }
1090
SelectAlpn(const uint8_t ** out,uint8_t * out_len,const uint8_t * in,unsigned in_len)1091 int TlsServerHandshaker::SelectAlpn(const uint8_t** out, uint8_t* out_len,
1092 const uint8_t* in, unsigned in_len) {
1093 // |in| contains a sequence of 1-byte-length-prefixed values.
1094 *out_len = 0;
1095 *out = nullptr;
1096 if (in_len == 0) {
1097 QUIC_DLOG(ERROR) << "No ALPN provided by client";
1098 return SSL_TLSEXT_ERR_NOACK;
1099 }
1100
1101 CBS all_alpns;
1102 CBS_init(&all_alpns, in, in_len);
1103
1104 std::vector<absl::string_view> alpns;
1105 while (CBS_len(&all_alpns) > 0) {
1106 CBS alpn;
1107 if (!CBS_get_u8_length_prefixed(&all_alpns, &alpn)) {
1108 QUIC_DLOG(ERROR) << "Failed to parse ALPN length";
1109 return SSL_TLSEXT_ERR_NOACK;
1110 }
1111
1112 const size_t alpn_length = CBS_len(&alpn);
1113 if (alpn_length == 0) {
1114 QUIC_DLOG(ERROR) << "Received invalid zero-length ALPN";
1115 return SSL_TLSEXT_ERR_NOACK;
1116 }
1117
1118 alpns.emplace_back(reinterpret_cast<const char*>(CBS_data(&alpn)),
1119 alpn_length);
1120 }
1121
1122 // TODO(wub): Remove QuicSession::SelectAlpn. QuicSessions should know the
1123 // ALPN on construction.
1124 auto selected_alpn = session()->SelectAlpn(alpns);
1125 if (selected_alpn == alpns.end()) {
1126 QUIC_DLOG(ERROR) << "No known ALPN provided by client";
1127 return SSL_TLSEXT_ERR_NOACK;
1128 }
1129
1130 session()->OnAlpnSelected(*selected_alpn);
1131 valid_alpn_received_ = true;
1132 *out_len = selected_alpn->size();
1133 *out = reinterpret_cast<const uint8_t*>(selected_alpn->data());
1134 return SSL_TLSEXT_ERR_OK;
1135 }
1136
1137 TlsServerHandshaker::SetApplicationSettingsResult
SetApplicationSettings(absl::string_view alpn)1138 TlsServerHandshaker::SetApplicationSettings(absl::string_view alpn) {
1139 TlsServerHandshaker::SetApplicationSettingsResult result;
1140
1141 const std::string& hostname = crypto_negotiated_params_->sni;
1142 std::string accept_ch_value = GetAcceptChValueForHostname(hostname);
1143 std::string origin = absl::StrCat("https://", hostname);
1144 uint16_t port = session()->self_address().port();
1145 if (port != kDefaultPort) {
1146 // This should be rare in production, but useful for test servers.
1147 QUIC_CODE_COUNT(quic_server_alps_non_default_port);
1148 absl::StrAppend(&origin, ":", port);
1149 }
1150
1151 if (!accept_ch_value.empty()) {
1152 AcceptChFrame frame{{{std::move(origin), std::move(accept_ch_value)}}};
1153 result.alps_buffer = HttpEncoder::SerializeAcceptChFrame(frame);
1154 }
1155
1156 const std::string& alps = result.alps_buffer;
1157 if (SSL_add_application_settings(
1158 ssl(), reinterpret_cast<const uint8_t*>(alpn.data()), alpn.size(),
1159 reinterpret_cast<const uint8_t*>(alps.data()), alps.size()) != 1) {
1160 QUIC_DLOG(ERROR) << "Failed to enable ALPS";
1161 result.success = false;
1162 } else {
1163 result.success = true;
1164 }
1165 return result;
1166 }
1167
GetSsl() const1168 SSL* TlsServerHandshaker::GetSsl() const { return ssl(); }
1169
IsCryptoFrameExpectedForEncryptionLevel(EncryptionLevel level) const1170 bool TlsServerHandshaker::IsCryptoFrameExpectedForEncryptionLevel(
1171 EncryptionLevel level) const {
1172 return level != ENCRYPTION_ZERO_RTT;
1173 }
1174
GetEncryptionLevelToSendCryptoDataOfSpace(PacketNumberSpace space) const1175 EncryptionLevel TlsServerHandshaker::GetEncryptionLevelToSendCryptoDataOfSpace(
1176 PacketNumberSpace space) const {
1177 switch (space) {
1178 case INITIAL_DATA:
1179 return ENCRYPTION_INITIAL;
1180 case HANDSHAKE_DATA:
1181 return ENCRYPTION_HANDSHAKE;
1182 case APPLICATION_DATA:
1183 return ENCRYPTION_FORWARD_SECURE;
1184 default:
1185 QUICHE_DCHECK(false);
1186 return NUM_ENCRYPTION_LEVELS;
1187 }
1188 }
1189
1190 } // namespace quic
1191