1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #ifdef UNSAFE_BUFFERS_BUILD
6 // TODO(crbug.com/40284755): Remove this and spanify to fix the errors.
7 #pragma allow_unsafe_buffers
8 #endif
9
10 #include "net/socket/ssl_server_socket_impl.h"
11
12 #include <memory>
13 #include <optional>
14 #include <string_view>
15 #include <utility>
16
17 #include "base/functional/bind.h"
18 #include "base/functional/callback_helpers.h"
19 #include "base/logging.h"
20 #include "base/memory/raw_ptr.h"
21 #include "base/memory/weak_ptr.h"
22 #include "base/strings/string_util.h"
23 #include "crypto/openssl_util.h"
24 #include "crypto/rsa_private_key.h"
25 #include "net/base/completion_once_callback.h"
26 #include "net/base/net_errors.h"
27 #include "net/cert/cert_verify_result.h"
28 #include "net/cert/client_cert_verifier.h"
29 #include "net/cert/x509_util.h"
30 #include "net/log/net_log_event_type.h"
31 #include "net/log/net_log_with_source.h"
32 #include "net/socket/socket_bio_adapter.h"
33 #include "net/ssl/openssl_ssl_util.h"
34 #include "net/ssl/ssl_connection_status_flags.h"
35 #include "net/ssl/ssl_info.h"
36 #include "net/ssl/ssl_private_key.h"
37 #include "net/traffic_annotation/network_traffic_annotation.h"
38 #include "third_party/boringssl/src/include/openssl/bytestring.h"
39 #include "third_party/boringssl/src/include/openssl/err.h"
40 #include "third_party/boringssl/src/include/openssl/pool.h"
41 #include "third_party/boringssl/src/include/openssl/ssl.h"
42
43 #define GotoState(s) next_handshake_state_ = s
44
45 namespace net {
46
47 namespace {
48
49 // This constant can be any non-negative/non-zero value (eg: it does not
50 // overlap with any value of the net::Error range, including net::OK).
51 const int kSSLServerSocketNoPendingResult = 1;
52
53 } // namespace
54
55 class SSLServerContextImpl::SocketImpl : public SSLServerSocket,
56 public SocketBIOAdapter::Delegate {
57 public:
58 SocketImpl(SSLServerContextImpl* context,
59 std::unique_ptr<StreamSocket> socket);
60
61 SocketImpl(const SocketImpl&) = delete;
62 SocketImpl& operator=(const SocketImpl&) = delete;
63
64 ~SocketImpl() override;
65
66 // SSLServerSocket interface.
67 int Handshake(CompletionOnceCallback callback) override;
68
69 // SSLSocket interface.
70 int ExportKeyingMaterial(std::string_view label,
71 std::optional<base::span<const uint8_t>> context,
72 base::span<uint8_t> out) override;
73
74 // Socket interface (via StreamSocket).
75 int Read(IOBuffer* buf,
76 int buf_len,
77 CompletionOnceCallback callback) override;
78 int ReadIfReady(IOBuffer* buf,
79 int buf_len,
80 CompletionOnceCallback callback) override;
81 int CancelReadIfReady() override;
82 int Write(IOBuffer* buf,
83 int buf_len,
84 CompletionOnceCallback callback,
85 const NetworkTrafficAnnotationTag& traffic_annotation) override;
86 int SetReceiveBufferSize(int32_t size) override;
87 int SetSendBufferSize(int32_t size) override;
88
89 // StreamSocket implementation.
90 int Connect(CompletionOnceCallback callback) override;
91 void Disconnect() override;
92 bool IsConnected() const override;
93 bool IsConnectedAndIdle() const override;
94 int GetPeerAddress(IPEndPoint* address) const override;
95 int GetLocalAddress(IPEndPoint* address) const override;
96 const NetLogWithSource& NetLog() const override;
97 bool WasEverUsed() const override;
98 NextProto GetNegotiatedProtocol() const override;
99 std::optional<std::string_view> GetPeerApplicationSettings() const override;
100 bool GetSSLInfo(SSLInfo* ssl_info) override;
101 int64_t GetTotalReceivedBytes() const override;
102 void ApplySocketTag(const SocketTag& tag) override;
103
104 static SocketImpl* FromSSL(SSL* ssl);
105
106 static ssl_verify_result_t CertVerifyCallback(SSL* ssl, uint8_t* out_alert);
107 ssl_verify_result_t CertVerifyCallbackImpl(uint8_t* out_alert);
108
109 static const SSL_PRIVATE_KEY_METHOD kPrivateKeyMethod;
110 static ssl_private_key_result_t PrivateKeySignCallback(SSL* ssl,
111 uint8_t* out,
112 size_t* out_len,
113 size_t max_out,
114 uint16_t algorithm,
115 const uint8_t* in,
116 size_t in_len);
117 static ssl_private_key_result_t PrivateKeyDecryptCallback(SSL* ssl,
118 uint8_t* out,
119 size_t* out_len,
120 size_t max_out,
121 const uint8_t* in,
122 size_t in_len);
123 static ssl_private_key_result_t PrivateKeyCompleteCallback(SSL* ssl,
124 uint8_t* out,
125 size_t* out_len,
126 size_t max_out);
127
128 ssl_private_key_result_t PrivateKeySignCallback(uint8_t* out,
129 size_t* out_len,
130 size_t max_out,
131 uint16_t algorithm,
132 const uint8_t* in,
133 size_t in_len);
134 ssl_private_key_result_t PrivateKeyCompleteCallback(uint8_t* out,
135 size_t* out_len,
136 size_t max_out);
137 void OnPrivateKeyComplete(Error error, const std::vector<uint8_t>& signature);
138
139 static int ALPNSelectCallback(SSL* ssl,
140 const uint8_t** out,
141 uint8_t* out_len,
142 const uint8_t* in,
143 unsigned in_len,
144 void* arg);
145
146 static ssl_select_cert_result_t SelectCertificateCallback(
147 const SSL_CLIENT_HELLO* client_hello);
148
149 // SocketBIOAdapter::Delegate implementation.
150 void OnReadReady() override;
151 void OnWriteReady() override;
152
153 private:
154 enum State {
155 STATE_NONE,
156 STATE_HANDSHAKE,
157 };
158
159 void OnHandshakeIOComplete(int result);
160
161 [[nodiscard]] int DoPayloadRead(IOBuffer* buf, int buf_len);
162 [[nodiscard]] int DoPayloadWrite();
163
164 [[nodiscard]] int DoHandshakeLoop(int last_io_result);
165 [[nodiscard]] int DoHandshake();
166 void DoHandshakeCallback(int result);
167 void DoReadCallback(int result);
168 void DoWriteCallback(int result);
169
170 [[nodiscard]] int Init();
171 void ExtractClientCert();
172
173 raw_ptr<SSLServerContextImpl> context_;
174
175 NetLogWithSource net_log_;
176
177 CompletionOnceCallback user_handshake_callback_;
178 CompletionOnceCallback user_read_callback_;
179 CompletionOnceCallback user_write_callback_;
180
181 // SSLPrivateKey signature.
182 int signature_result_;
183 std::vector<uint8_t> signature_;
184
185 // Used by Read function.
186 scoped_refptr<IOBuffer> user_read_buf_;
187 int user_read_buf_len_ = 0;
188
189 // Used by Write function.
190 scoped_refptr<IOBuffer> user_write_buf_;
191 int user_write_buf_len_ = 0;
192
193 // OpenSSL stuff
194 bssl::UniquePtr<SSL> ssl_;
195
196 // Whether we received any data in early data.
197 bool early_data_received_ = false;
198
199 // StreamSocket for sending and receiving data.
200 std::unique_ptr<StreamSocket> transport_socket_;
201 std::unique_ptr<SocketBIOAdapter> transport_adapter_;
202
203 // Certificate for the client.
204 scoped_refptr<X509Certificate> client_cert_;
205
206 State next_handshake_state_ = STATE_NONE;
207 bool completed_handshake_ = false;
208
209 NextProto negotiated_protocol_ = kProtoUnknown;
210
211 base::WeakPtrFactory<SocketImpl> weak_factory_{this};
212 };
213
SocketImpl(SSLServerContextImpl * context,std::unique_ptr<StreamSocket> transport_socket)214 SSLServerContextImpl::SocketImpl::SocketImpl(
215 SSLServerContextImpl* context,
216 std::unique_ptr<StreamSocket> transport_socket)
217 : context_(context),
218 signature_result_(kSSLServerSocketNoPendingResult),
219 transport_socket_(std::move(transport_socket)) {}
220
~SocketImpl()221 SSLServerContextImpl::SocketImpl::~SocketImpl() {
222 if (ssl_) {
223 // Calling SSL_shutdown prevents the session from being marked as
224 // unresumable.
225 SSL_shutdown(ssl_.get());
226 ssl_.reset();
227 }
228 }
229
230 // static
231 const SSL_PRIVATE_KEY_METHOD
232 SSLServerContextImpl::SocketImpl::kPrivateKeyMethod = {
233 &SSLServerContextImpl::SocketImpl::PrivateKeySignCallback,
234 &SSLServerContextImpl::SocketImpl::PrivateKeyDecryptCallback,
235 &SSLServerContextImpl::SocketImpl::PrivateKeyCompleteCallback,
236 };
237
238 // static
239 ssl_private_key_result_t
PrivateKeySignCallback(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out,uint16_t algorithm,const uint8_t * in,size_t in_len)240 SSLServerContextImpl::SocketImpl::PrivateKeySignCallback(SSL* ssl,
241 uint8_t* out,
242 size_t* out_len,
243 size_t max_out,
244 uint16_t algorithm,
245 const uint8_t* in,
246 size_t in_len) {
247 return FromSSL(ssl)->PrivateKeySignCallback(out, out_len, max_out, algorithm,
248 in, in_len);
249 }
250
251 // static
252 ssl_private_key_result_t
PrivateKeyDecryptCallback(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out,const uint8_t * in,size_t in_len)253 SSLServerContextImpl::SocketImpl::PrivateKeyDecryptCallback(SSL* ssl,
254 uint8_t* out,
255 size_t* out_len,
256 size_t max_out,
257 const uint8_t* in,
258 size_t in_len) {
259 // Decrypt is not supported.
260 return ssl_private_key_failure;
261 }
262
263 // static
264 ssl_private_key_result_t
PrivateKeyCompleteCallback(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out)265 SSLServerContextImpl::SocketImpl::PrivateKeyCompleteCallback(SSL* ssl,
266 uint8_t* out,
267 size_t* out_len,
268 size_t max_out) {
269 return FromSSL(ssl)->PrivateKeyCompleteCallback(out, out_len, max_out);
270 }
271
272 ssl_private_key_result_t
PrivateKeySignCallback(uint8_t * out,size_t * out_len,size_t max_out,uint16_t algorithm,const uint8_t * in,size_t in_len)273 SSLServerContextImpl::SocketImpl::PrivateKeySignCallback(uint8_t* out,
274 size_t* out_len,
275 size_t max_out,
276 uint16_t algorithm,
277 const uint8_t* in,
278 size_t in_len) {
279 DCHECK(context_);
280 DCHECK(context_->private_key_);
281 signature_result_ = ERR_IO_PENDING;
282 context_->private_key_->Sign(
283 algorithm, base::span(in, in_len),
284 base::BindOnce(&SSLServerContextImpl::SocketImpl::OnPrivateKeyComplete,
285 weak_factory_.GetWeakPtr()));
286 return ssl_private_key_retry;
287 }
288
289 ssl_private_key_result_t
PrivateKeyCompleteCallback(uint8_t * out,size_t * out_len,size_t max_out)290 SSLServerContextImpl::SocketImpl::PrivateKeyCompleteCallback(uint8_t* out,
291 size_t* out_len,
292 size_t max_out) {
293 if (signature_result_ == ERR_IO_PENDING)
294 return ssl_private_key_retry;
295 if (signature_result_ != OK) {
296 OpenSSLPutNetError(FROM_HERE, signature_result_);
297 return ssl_private_key_failure;
298 }
299 if (signature_.size() > max_out) {
300 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
301 return ssl_private_key_failure;
302 }
303 memcpy(out, signature_.data(), signature_.size());
304 *out_len = signature_.size();
305 signature_.clear();
306 return ssl_private_key_success;
307 }
308
OnPrivateKeyComplete(Error error,const std::vector<uint8_t> & signature)309 void SSLServerContextImpl::SocketImpl::OnPrivateKeyComplete(
310 Error error,
311 const std::vector<uint8_t>& signature) {
312 DCHECK_EQ(ERR_IO_PENDING, signature_result_);
313 DCHECK(signature_.empty());
314
315 signature_result_ = error;
316 if (signature_result_ == OK)
317 signature_ = signature;
318 OnHandshakeIOComplete(ERR_IO_PENDING);
319 }
320
321 // static
ALPNSelectCallback(SSL * ssl,const uint8_t ** out,uint8_t * out_len,const uint8_t * in,unsigned in_len,void * arg)322 int SSLServerContextImpl::SocketImpl::ALPNSelectCallback(SSL* ssl,
323 const uint8_t** out,
324 uint8_t* out_len,
325 const uint8_t* in,
326 unsigned in_len,
327 void* arg) {
328 SSLServerContextImpl::SocketImpl* socket = FromSSL(ssl);
329
330 // Iterate over the server protocols in preference order.
331 for (NextProto server_proto :
332 socket->context_->ssl_server_config_.alpn_protos) {
333 const char* server_proto_str = NextProtoToString(server_proto);
334
335 // See if the client advertised the corresponding protocol.
336 CBS cbs;
337 CBS_init(&cbs, in, in_len);
338 while (CBS_len(&cbs) != 0) {
339 CBS client_proto;
340 if (!CBS_get_u8_length_prefixed(&cbs, &client_proto)) {
341 return SSL_TLSEXT_ERR_NOACK;
342 }
343 if (std::string_view(
344 reinterpret_cast<const char*>(CBS_data(&client_proto)),
345 CBS_len(&client_proto)) == server_proto_str) {
346 *out = CBS_data(&client_proto);
347 *out_len = CBS_len(&client_proto);
348
349 const auto& application_settings =
350 socket->context_->ssl_server_config_.application_settings;
351 auto it = application_settings.find(server_proto);
352 if (it != application_settings.end()) {
353 const std::vector<uint8_t>& data = it->second;
354 SSL_add_application_settings(ssl, CBS_data(&client_proto),
355 CBS_len(&client_proto), data.data(),
356 data.size());
357 }
358 return SSL_TLSEXT_ERR_OK;
359 }
360 }
361 }
362 return SSL_TLSEXT_ERR_NOACK;
363 }
364
365 ssl_select_cert_result_t
SelectCertificateCallback(const SSL_CLIENT_HELLO * client_hello)366 SSLServerContextImpl::SocketImpl::SelectCertificateCallback(
367 const SSL_CLIENT_HELLO* client_hello) {
368 SSLServerContextImpl::SocketImpl* socket = FromSSL(client_hello->ssl);
369 const SSLServerConfig& config = socket->context_->ssl_server_config_;
370 if (!config.client_hello_callback_for_testing.is_null() &&
371 !config.client_hello_callback_for_testing.Run(client_hello)) {
372 return ssl_select_cert_error;
373 }
374 return ssl_select_cert_success;
375 }
376
Handshake(CompletionOnceCallback callback)377 int SSLServerContextImpl::SocketImpl::Handshake(
378 CompletionOnceCallback callback) {
379 net_log_.BeginEvent(NetLogEventType::SSL_SERVER_HANDSHAKE);
380
381 // Set up new ssl object.
382 int rv = Init();
383 if (rv != OK) {
384 LOG(ERROR) << "Failed to initialize OpenSSL: rv=" << rv;
385 net_log_.EndEventWithNetErrorCode(NetLogEventType::SSL_SERVER_HANDSHAKE,
386 rv);
387 return rv;
388 }
389
390 // Set SSL to server mode. Handshake happens in the loop below.
391 SSL_set_accept_state(ssl_.get());
392
393 GotoState(STATE_HANDSHAKE);
394 rv = DoHandshakeLoop(OK);
395 if (rv == ERR_IO_PENDING) {
396 user_handshake_callback_ = std::move(callback);
397 } else {
398 net_log_.EndEventWithNetErrorCode(NetLogEventType::SSL_SERVER_HANDSHAKE,
399 rv);
400 }
401
402 return rv > OK ? OK : rv;
403 }
404
ExportKeyingMaterial(std::string_view label,std::optional<base::span<const uint8_t>> context,base::span<uint8_t> out)405 int SSLServerContextImpl::SocketImpl::ExportKeyingMaterial(
406 std::string_view label,
407 std::optional<base::span<const uint8_t>> context,
408 base::span<uint8_t> out) {
409 DCHECK(base::IsStringASCII(label));
410 if (!IsConnected())
411 return ERR_SOCKET_NOT_CONNECTED;
412
413 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
414
415 int rv = SSL_export_keying_material(
416 ssl_.get(), out.data(), out.size(), label.data(), label.size(),
417 context.has_value() ? context->data() : nullptr,
418 context.has_value() ? context->size() : 0, context.has_value());
419
420 if (rv != 1) {
421 int ssl_error = SSL_get_error(ssl_.get(), rv);
422 LOG(ERROR) << "Failed to export keying material;"
423 << " returned " << rv << ", SSL error code " << ssl_error;
424 return MapOpenSSLError(ssl_error, err_tracer);
425 }
426 return OK;
427 }
428
Read(IOBuffer * buf,int buf_len,CompletionOnceCallback callback)429 int SSLServerContextImpl::SocketImpl::Read(IOBuffer* buf,
430 int buf_len,
431 CompletionOnceCallback callback) {
432 int rv = ReadIfReady(buf, buf_len, std::move(callback));
433 if (rv == ERR_IO_PENDING) {
434 user_read_buf_ = buf;
435 user_read_buf_len_ = buf_len;
436 }
437 return rv;
438 }
439
ReadIfReady(IOBuffer * buf,int buf_len,CompletionOnceCallback callback)440 int SSLServerContextImpl::SocketImpl::ReadIfReady(
441 IOBuffer* buf,
442 int buf_len,
443 CompletionOnceCallback callback) {
444 DCHECK(user_read_callback_.is_null());
445 DCHECK(user_handshake_callback_.is_null());
446 DCHECK(!user_read_buf_);
447 DCHECK(!callback.is_null());
448 DCHECK(completed_handshake_);
449
450 int rv = DoPayloadRead(buf, buf_len);
451
452 if (rv == ERR_IO_PENDING) {
453 user_read_callback_ = std::move(callback);
454 }
455
456 return rv;
457 }
458
CancelReadIfReady()459 int SSLServerContextImpl::SocketImpl::CancelReadIfReady() {
460 DCHECK(user_read_callback_);
461 DCHECK(!user_read_buf_);
462
463 // Cancel |user_read_callback_|, because caller does not expect the callback
464 // to be invoked after they have canceled the ReadIfReady.
465 //
466 // We do not pass the signal on to |stream_socket_| or |transport_adapter_|.
467 // When it completes, it will signal OnReadReady(), which will notice there is
468 // no read operation to progress and skip it. Unlike with SSLClientSocket,
469 // SSL and transport reads are more aligned, but this avoids making
470 // assumptions or breaking the SocketBIOAdapter's state.
471 user_read_callback_.Reset();
472 return OK;
473 }
474
Write(IOBuffer * buf,int buf_len,CompletionOnceCallback callback,const NetworkTrafficAnnotationTag & traffic_annotation)475 int SSLServerContextImpl::SocketImpl::Write(
476 IOBuffer* buf,
477 int buf_len,
478 CompletionOnceCallback callback,
479 const NetworkTrafficAnnotationTag& traffic_annotation) {
480 DCHECK(user_write_callback_.is_null());
481 DCHECK(!user_write_buf_);
482 DCHECK(!callback.is_null());
483
484 user_write_buf_ = buf;
485 user_write_buf_len_ = buf_len;
486
487 int rv = DoPayloadWrite();
488
489 if (rv == ERR_IO_PENDING) {
490 user_write_callback_ = std::move(callback);
491 } else {
492 user_write_buf_ = nullptr;
493 user_write_buf_len_ = 0;
494 }
495 return rv;
496 }
497
SetReceiveBufferSize(int32_t size)498 int SSLServerContextImpl::SocketImpl::SetReceiveBufferSize(int32_t size) {
499 return transport_socket_->SetReceiveBufferSize(size);
500 }
501
SetSendBufferSize(int32_t size)502 int SSLServerContextImpl::SocketImpl::SetSendBufferSize(int32_t size) {
503 return transport_socket_->SetSendBufferSize(size);
504 }
505
Connect(CompletionOnceCallback callback)506 int SSLServerContextImpl::SocketImpl::Connect(CompletionOnceCallback callback) {
507 NOTIMPLEMENTED();
508 return ERR_NOT_IMPLEMENTED;
509 }
510
Disconnect()511 void SSLServerContextImpl::SocketImpl::Disconnect() {
512 transport_socket_->Disconnect();
513 }
514
IsConnected() const515 bool SSLServerContextImpl::SocketImpl::IsConnected() const {
516 // TODO(wtc): Find out if we should check transport_socket_->IsConnected()
517 // as well.
518 return completed_handshake_;
519 }
520
IsConnectedAndIdle() const521 bool SSLServerContextImpl::SocketImpl::IsConnectedAndIdle() const {
522 return completed_handshake_ && transport_socket_->IsConnectedAndIdle();
523 }
524
GetPeerAddress(IPEndPoint * address) const525 int SSLServerContextImpl::SocketImpl::GetPeerAddress(
526 IPEndPoint* address) const {
527 if (!IsConnected())
528 return ERR_SOCKET_NOT_CONNECTED;
529 return transport_socket_->GetPeerAddress(address);
530 }
531
GetLocalAddress(IPEndPoint * address) const532 int SSLServerContextImpl::SocketImpl::GetLocalAddress(
533 IPEndPoint* address) const {
534 if (!IsConnected())
535 return ERR_SOCKET_NOT_CONNECTED;
536 return transport_socket_->GetLocalAddress(address);
537 }
538
NetLog() const539 const NetLogWithSource& SSLServerContextImpl::SocketImpl::NetLog() const {
540 return net_log_;
541 }
542
WasEverUsed() const543 bool SSLServerContextImpl::SocketImpl::WasEverUsed() const {
544 return transport_socket_->WasEverUsed();
545 }
546
GetNegotiatedProtocol() const547 NextProto SSLServerContextImpl::SocketImpl::GetNegotiatedProtocol() const {
548 return negotiated_protocol_;
549 }
550
551 std::optional<std::string_view>
GetPeerApplicationSettings() const552 SSLServerContextImpl::SocketImpl::GetPeerApplicationSettings() const {
553 if (!SSL_has_application_settings(ssl_.get())) {
554 return std::nullopt;
555 }
556
557 const uint8_t* out_data;
558 size_t out_len;
559 SSL_get0_peer_application_settings(ssl_.get(), &out_data, &out_len);
560 return std::string_view{reinterpret_cast<const char*>(out_data), out_len};
561 }
562
GetSSLInfo(SSLInfo * ssl_info)563 bool SSLServerContextImpl::SocketImpl::GetSSLInfo(SSLInfo* ssl_info) {
564 *ssl_info = SSLInfo();
565 if (!completed_handshake_)
566 return false;
567
568 ssl_info->cert = client_cert_;
569
570 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_.get());
571 CHECK(cipher);
572
573 SSLConnectionStatusSetCipherSuite(SSL_CIPHER_get_protocol_id(cipher),
574 &ssl_info->connection_status);
575 SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_.get()),
576 &ssl_info->connection_status);
577
578 ssl_info->early_data_received = early_data_received_;
579 ssl_info->encrypted_client_hello = SSL_ech_accepted(ssl_.get());
580 ssl_info->handshake_type = SSL_session_reused(ssl_.get())
581 ? SSLInfo::HANDSHAKE_RESUME
582 : SSLInfo::HANDSHAKE_FULL;
583 ssl_info->peer_signature_algorithm =
584 SSL_get_peer_signature_algorithm(ssl_.get());
585
586 return true;
587 }
588
GetTotalReceivedBytes() const589 int64_t SSLServerContextImpl::SocketImpl::GetTotalReceivedBytes() const {
590 return transport_socket_->GetTotalReceivedBytes();
591 }
592
ApplySocketTag(const SocketTag & tag)593 void SSLServerContextImpl::SocketImpl::ApplySocketTag(const SocketTag& tag) {
594 NOTIMPLEMENTED();
595 }
596
OnReadReady()597 void SSLServerContextImpl::SocketImpl::OnReadReady() {
598 if (next_handshake_state_ == STATE_HANDSHAKE) {
599 // In handshake phase. The parameter to OnHandshakeIOComplete is unused.
600 OnHandshakeIOComplete(OK);
601 return;
602 }
603
604 // BoringSSL does not support renegotiation as a server, so the only other
605 // operation blocked on Read is DoPayloadRead.
606 if (!user_read_buf_) {
607 if (!user_read_callback_.is_null()) {
608 DoReadCallback(OK);
609 }
610 return;
611 }
612
613 int rv = DoPayloadRead(user_read_buf_.get(), user_read_buf_len_);
614 if (rv != ERR_IO_PENDING)
615 DoReadCallback(rv);
616 }
617
OnWriteReady()618 void SSLServerContextImpl::SocketImpl::OnWriteReady() {
619 if (next_handshake_state_ == STATE_HANDSHAKE) {
620 // In handshake phase. The parameter to OnHandshakeIOComplete is unused.
621 OnHandshakeIOComplete(OK);
622 return;
623 }
624
625 // BoringSSL does not support renegotiation as a server, so the only other
626 // operation blocked on Read is DoPayloadWrite.
627 if (!user_write_buf_)
628 return;
629
630 int rv = DoPayloadWrite();
631 if (rv != ERR_IO_PENDING)
632 DoWriteCallback(rv);
633 }
634
OnHandshakeIOComplete(int result)635 void SSLServerContextImpl::SocketImpl::OnHandshakeIOComplete(int result) {
636 int rv = DoHandshakeLoop(result);
637 if (rv == ERR_IO_PENDING)
638 return;
639
640 net_log_.EndEventWithNetErrorCode(NetLogEventType::SSL_SERVER_HANDSHAKE, rv);
641 if (!user_handshake_callback_.is_null())
642 DoHandshakeCallback(rv);
643 }
644
DoPayloadRead(IOBuffer * buf,int buf_len)645 int SSLServerContextImpl::SocketImpl::DoPayloadRead(IOBuffer* buf,
646 int buf_len) {
647 DCHECK(completed_handshake_);
648 DCHECK_EQ(STATE_NONE, next_handshake_state_);
649 DCHECK(buf);
650 DCHECK_GT(buf_len, 0);
651
652 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
653 int rv = SSL_read(ssl_.get(), buf->data(), buf_len);
654 if (rv >= 0) {
655 if (SSL_in_early_data(ssl_.get()))
656 early_data_received_ = true;
657 return rv;
658 }
659 int ssl_error = SSL_get_error(ssl_.get(), rv);
660 OpenSSLErrorInfo error_info;
661 int net_error =
662 MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
663 if (net_error != ERR_IO_PENDING) {
664 NetLogOpenSSLError(net_log_, NetLogEventType::SSL_READ_ERROR, net_error,
665 ssl_error, error_info);
666 }
667 return net_error;
668 }
669
DoPayloadWrite()670 int SSLServerContextImpl::SocketImpl::DoPayloadWrite() {
671 DCHECK(completed_handshake_);
672 DCHECK_EQ(STATE_NONE, next_handshake_state_);
673 DCHECK(user_write_buf_);
674
675 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
676 int rv = SSL_write(ssl_.get(), user_write_buf_->data(), user_write_buf_len_);
677 if (rv >= 0)
678 return rv;
679 int ssl_error = SSL_get_error(ssl_.get(), rv);
680 OpenSSLErrorInfo error_info;
681 int net_error =
682 MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
683 if (net_error != ERR_IO_PENDING) {
684 NetLogOpenSSLError(net_log_, NetLogEventType::SSL_WRITE_ERROR, net_error,
685 ssl_error, error_info);
686 }
687 return net_error;
688 }
689
DoHandshakeLoop(int last_io_result)690 int SSLServerContextImpl::SocketImpl::DoHandshakeLoop(int last_io_result) {
691 int rv = last_io_result;
692 do {
693 // Default to STATE_NONE for next state.
694 // (This is a quirk carried over from the windows
695 // implementation. It makes reading the logs a bit harder.)
696 // State handlers can and often do call GotoState just
697 // to stay in the current state.
698 State state = next_handshake_state_;
699 GotoState(STATE_NONE);
700 switch (state) {
701 case STATE_HANDSHAKE:
702 rv = DoHandshake();
703 break;
704 case STATE_NONE:
705 default:
706 rv = ERR_UNEXPECTED;
707 LOG(DFATAL) << "unexpected state " << state;
708 break;
709 }
710 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE);
711 return rv;
712 }
713
DoHandshake()714 int SSLServerContextImpl::SocketImpl::DoHandshake() {
715 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
716 int net_error = OK;
717 int rv = SSL_do_handshake(ssl_.get());
718 if (rv == 1) {
719 const STACK_OF(CRYPTO_BUFFER)* certs =
720 SSL_get0_peer_certificates(ssl_.get());
721 if (certs) {
722 client_cert_ = x509_util::CreateX509CertificateFromBuffers(certs);
723 if (!client_cert_)
724 return ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT;
725 }
726
727 const uint8_t* alpn_proto = nullptr;
728 unsigned alpn_len = 0;
729 SSL_get0_alpn_selected(ssl_.get(), &alpn_proto, &alpn_len);
730 if (alpn_len > 0) {
731 std::string_view proto(reinterpret_cast<const char*>(alpn_proto),
732 alpn_len);
733 negotiated_protocol_ = NextProtoFromString(proto);
734 }
735
736 if (context_->ssl_server_config_.alert_after_handshake_for_testing) {
737 SSL_send_fatal_alert(ssl_.get(),
738 context_->ssl_server_config_
739 .alert_after_handshake_for_testing.value());
740 return ERR_FAILED;
741 }
742
743 completed_handshake_ = true;
744 } else {
745 int ssl_error = SSL_get_error(ssl_.get(), rv);
746
747 if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
748 DCHECK(context_->private_key_);
749 GotoState(STATE_HANDSHAKE);
750 return ERR_IO_PENDING;
751 }
752
753 OpenSSLErrorInfo error_info;
754 net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
755
756 // SSL_R_CERTIFICATE_VERIFY_FAILED's mapping is different between client and
757 // server.
758 if (ERR_GET_LIB(error_info.error_code) == ERR_LIB_SSL &&
759 ERR_GET_REASON(error_info.error_code) ==
760 SSL_R_CERTIFICATE_VERIFY_FAILED) {
761 net_error = ERR_BAD_SSL_CLIENT_AUTH_CERT;
762 }
763
764 // If not done, stay in this state
765 if (net_error == ERR_IO_PENDING) {
766 GotoState(STATE_HANDSHAKE);
767 } else {
768 LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code "
769 << ssl_error << ", net_error " << net_error;
770 NetLogOpenSSLError(net_log_, NetLogEventType::SSL_HANDSHAKE_ERROR,
771 net_error, ssl_error, error_info);
772 }
773 }
774 return net_error;
775 }
776
DoHandshakeCallback(int rv)777 void SSLServerContextImpl::SocketImpl::DoHandshakeCallback(int rv) {
778 DCHECK_NE(rv, ERR_IO_PENDING);
779 std::move(user_handshake_callback_).Run(rv > OK ? OK : rv);
780 }
781
DoReadCallback(int rv)782 void SSLServerContextImpl::SocketImpl::DoReadCallback(int rv) {
783 DCHECK(rv != ERR_IO_PENDING);
784 DCHECK(!user_read_callback_.is_null());
785
786 user_read_buf_ = nullptr;
787 user_read_buf_len_ = 0;
788 std::move(user_read_callback_).Run(rv);
789 }
790
DoWriteCallback(int rv)791 void SSLServerContextImpl::SocketImpl::DoWriteCallback(int rv) {
792 DCHECK(rv != ERR_IO_PENDING);
793 DCHECK(!user_write_callback_.is_null());
794
795 user_write_buf_ = nullptr;
796 user_write_buf_len_ = 0;
797 std::move(user_write_callback_).Run(rv);
798 }
799
Init()800 int SSLServerContextImpl::SocketImpl::Init() {
801 static const int kBufferSize = 17 * 1024;
802
803 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
804
805 ssl_.reset(SSL_new(context_->ssl_ctx_.get()));
806 if (!ssl_ || !SSL_set_app_data(ssl_.get(), this)) {
807 return ERR_UNEXPECTED;
808 }
809
810 SSL_set_shed_handshake_config(ssl_.get(), 1);
811
812 // Set certificate and private key.
813 if (context_->pkey_) {
814 DCHECK(context_->cert_->cert_buffer());
815 if (!SetSSLChainAndKey(ssl_.get(), context_->cert_.get(),
816 context_->pkey_.get(), nullptr)) {
817 return ERR_UNEXPECTED;
818 }
819 } else {
820 DCHECK(context_->private_key_);
821 if (!SetSSLChainAndKey(ssl_.get(), context_->cert_.get(), nullptr,
822 &kPrivateKeyMethod)) {
823 return ERR_UNEXPECTED;
824 }
825 std::vector<uint16_t> preferences =
826 context_->private_key_->GetAlgorithmPreferences();
827 SSL_set_signing_algorithm_prefs(ssl_.get(), preferences.data(),
828 preferences.size());
829 }
830
831 if (context_->ssl_server_config_.signature_algorithm_for_testing
832 .has_value()) {
833 uint16_t id = *context_->ssl_server_config_.signature_algorithm_for_testing;
834 CHECK(SSL_set_signing_algorithm_prefs(ssl_.get(), &id, 1));
835 }
836
837 const std::vector<int>& curves =
838 context_->ssl_server_config_.curves_for_testing;
839 if (!curves.empty()) {
840 CHECK(SSL_set1_curves(ssl_.get(), curves.data(), curves.size()));
841 }
842
843 transport_adapter_ = std::make_unique<SocketBIOAdapter>(
844 transport_socket_.get(), kBufferSize, kBufferSize, this);
845 BIO* transport_bio = transport_adapter_->bio();
846
847 BIO_up_ref(transport_bio); // SSL_set0_rbio takes ownership.
848 SSL_set0_rbio(ssl_.get(), transport_bio);
849
850 BIO_up_ref(transport_bio); // SSL_set0_wbio takes ownership.
851 SSL_set0_wbio(ssl_.get(), transport_bio);
852
853 return OK;
854 }
855
FromSSL(SSL * ssl)856 SSLServerContextImpl::SocketImpl* SSLServerContextImpl::SocketImpl::FromSSL(
857 SSL* ssl) {
858 SocketImpl* socket = reinterpret_cast<SocketImpl*>(SSL_get_app_data(ssl));
859 DCHECK(socket);
860 return socket;
861 }
862
863 // static
CertVerifyCallback(SSL * ssl,uint8_t * out_alert)864 ssl_verify_result_t SSLServerContextImpl::SocketImpl::CertVerifyCallback(
865 SSL* ssl,
866 uint8_t* out_alert) {
867 return FromSSL(ssl)->CertVerifyCallbackImpl(out_alert);
868 }
869
CertVerifyCallbackImpl(uint8_t * out_alert)870 ssl_verify_result_t SSLServerContextImpl::SocketImpl::CertVerifyCallbackImpl(
871 uint8_t* out_alert) {
872 ClientCertVerifier* verifier =
873 context_->ssl_server_config_.client_cert_verifier;
874 // If a verifier was not supplied, all certificates are accepted.
875 if (!verifier)
876 return ssl_verify_ok;
877
878 scoped_refptr<X509Certificate> client_cert =
879 x509_util::CreateX509CertificateFromBuffers(
880 SSL_get0_peer_certificates(ssl_.get()));
881 if (!client_cert) {
882 *out_alert = SSL_AD_BAD_CERTIFICATE;
883 return ssl_verify_invalid;
884 }
885
886 // TODO(davidben): Support asynchronous verifiers. http://crbug.com/347402
887 std::unique_ptr<ClientCertVerifier::Request> ignore_async;
888 int res = verifier->Verify(client_cert.get(), CompletionOnceCallback(),
889 &ignore_async);
890 DCHECK_NE(res, ERR_IO_PENDING);
891
892 if (res != OK) {
893 // TODO(davidben): Map from certificate verification failure to alert.
894 *out_alert = SSL_AD_CERTIFICATE_UNKNOWN;
895 return ssl_verify_invalid;
896 }
897 return ssl_verify_ok;
898 }
899
CreateSSLServerContext(X509Certificate * certificate,EVP_PKEY * pkey,const SSLServerConfig & ssl_server_config)900 std::unique_ptr<SSLServerContext> CreateSSLServerContext(
901 X509Certificate* certificate,
902 EVP_PKEY* pkey,
903 const SSLServerConfig& ssl_server_config) {
904 return std::make_unique<SSLServerContextImpl>(certificate, pkey,
905 ssl_server_config);
906 }
907
CreateSSLServerContext(X509Certificate * certificate,const crypto::RSAPrivateKey & key,const SSLServerConfig & ssl_server_config)908 std::unique_ptr<SSLServerContext> CreateSSLServerContext(
909 X509Certificate* certificate,
910 const crypto::RSAPrivateKey& key,
911 const SSLServerConfig& ssl_server_config) {
912 return std::make_unique<SSLServerContextImpl>(certificate, key.key(),
913 ssl_server_config);
914 }
915
CreateSSLServerContext(X509Certificate * certificate,scoped_refptr<SSLPrivateKey> key,const SSLServerConfig & ssl_config)916 std::unique_ptr<SSLServerContext> CreateSSLServerContext(
917 X509Certificate* certificate,
918 scoped_refptr<SSLPrivateKey> key,
919 const SSLServerConfig& ssl_config) {
920 return std::make_unique<SSLServerContextImpl>(certificate, key, ssl_config);
921 }
922
SSLServerContextImpl(X509Certificate * certificate,scoped_refptr<net::SSLPrivateKey> key,const SSLServerConfig & ssl_server_config)923 SSLServerContextImpl::SSLServerContextImpl(
924 X509Certificate* certificate,
925 scoped_refptr<net::SSLPrivateKey> key,
926 const SSLServerConfig& ssl_server_config)
927 : ssl_server_config_(ssl_server_config),
928 cert_(certificate),
929 private_key_(key) {
930 CHECK(private_key_);
931 Init();
932 }
933
SSLServerContextImpl(X509Certificate * certificate,EVP_PKEY * pkey,const SSLServerConfig & ssl_server_config)934 SSLServerContextImpl::SSLServerContextImpl(
935 X509Certificate* certificate,
936 EVP_PKEY* pkey,
937 const SSLServerConfig& ssl_server_config)
938 : ssl_server_config_(ssl_server_config), cert_(certificate) {
939 CHECK(pkey);
940 pkey_ = bssl::UpRef(pkey);
941 Init();
942 }
943
Init()944 void SSLServerContextImpl::Init() {
945 ssl_ctx_.reset(SSL_CTX_new(TLS_with_buffers_method()));
946 SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_SERVER);
947 uint8_t session_ctx_id = 0;
948 SSL_CTX_set_session_id_context(ssl_ctx_.get(), &session_ctx_id,
949 sizeof(session_ctx_id));
950 // Deduplicate all certificates minted from the SSL_CTX in memory.
951 SSL_CTX_set0_buffer_pool(ssl_ctx_.get(), x509_util::GetBufferPool());
952
953 int verify_mode = 0;
954 switch (ssl_server_config_.client_cert_type) {
955 case SSLServerConfig::ClientCertType::REQUIRE_CLIENT_CERT:
956 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
957 [[fallthrough]];
958 case SSLServerConfig::ClientCertType::OPTIONAL_CLIENT_CERT:
959 verify_mode |= SSL_VERIFY_PEER;
960 SSL_CTX_set_custom_verify(ssl_ctx_.get(), verify_mode,
961 SocketImpl::CertVerifyCallback);
962 break;
963 case SSLServerConfig::ClientCertType::NO_CLIENT_CERT:
964 break;
965 }
966
967 SSL_CTX_set_early_data_enabled(ssl_ctx_.get(),
968 ssl_server_config_.early_data_enabled);
969 // TLS versions before TLS 1.2 are no longer supported.
970 CHECK_LE(TLS1_2_VERSION, ssl_server_config_.version_min);
971 CHECK_LE(TLS1_2_VERSION, ssl_server_config_.version_max);
972 CHECK(SSL_CTX_set_min_proto_version(ssl_ctx_.get(),
973 ssl_server_config_.version_min));
974 CHECK(SSL_CTX_set_max_proto_version(ssl_ctx_.get(),
975 ssl_server_config_.version_max));
976
977 // OpenSSL defaults some options to on, others to off. To avoid ambiguity,
978 // set everything we care about to an absolute value.
979 SslSetClearMask options;
980 options.ConfigureFlag(SSL_OP_NO_COMPRESSION, true);
981
982 SSL_CTX_set_options(ssl_ctx_.get(), options.set_mask);
983 SSL_CTX_clear_options(ssl_ctx_.get(), options.clear_mask);
984
985 // Same as above, this time for the SSL mode.
986 SslSetClearMask mode;
987
988 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true);
989
990 SSL_CTX_set_mode(ssl_ctx_.get(), mode.set_mask);
991 SSL_CTX_clear_mode(ssl_ctx_.get(), mode.clear_mask);
992
993 if (ssl_server_config_.cipher_suite_for_testing.has_value()) {
994 const SSL_CIPHER* cipher =
995 SSL_get_cipher_by_value(*ssl_server_config_.cipher_suite_for_testing);
996 CHECK(cipher);
997 CHECK(SSL_CTX_set_strict_cipher_list(ssl_ctx_.get(),
998 SSL_CIPHER_get_name(cipher)));
999 } else {
1000 // Use BoringSSL defaults, but disable 3DES and HMAC-SHA1 ciphers in ECDSA.
1001 // These are the remaining CBC-mode ECDSA ciphers.
1002 std::string command("ALL:!aPSK:!ECDSA+SHA1:!3DES");
1003
1004 // SSLPrivateKey only supports ECDHE-based ciphers because it lacks decrypt.
1005 if (ssl_server_config_.require_ecdhe || (!pkey_ && private_key_))
1006 command.append(":!kRSA");
1007
1008 // Remove any disabled ciphers.
1009 for (uint16_t id : ssl_server_config_.disabled_cipher_suites) {
1010 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id);
1011 if (cipher) {
1012 command.append(":!");
1013 command.append(SSL_CIPHER_get_name(cipher));
1014 }
1015 }
1016
1017 CHECK(SSL_CTX_set_strict_cipher_list(ssl_ctx_.get(), command.c_str()));
1018 }
1019
1020 if (ssl_server_config_.client_cert_type !=
1021 SSLServerConfig::ClientCertType::NO_CLIENT_CERT) {
1022 if (!ssl_server_config_.cert_authorities.empty()) {
1023 bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> stack(
1024 sk_CRYPTO_BUFFER_new_null());
1025 for (const auto& authority : ssl_server_config_.cert_authorities) {
1026 sk_CRYPTO_BUFFER_push(
1027 stack.get(), x509_util::CreateCryptoBuffer(authority).release());
1028 }
1029 SSL_CTX_set0_client_CAs(ssl_ctx_.get(), stack.release());
1030 }
1031
1032 if (!ssl_server_config_.client_cert_signature_algorithms.empty()) {
1033 CHECK(SSL_CTX_set_verify_algorithm_prefs(
1034 ssl_ctx_.get(),
1035 ssl_server_config_.client_cert_signature_algorithms.data(),
1036 ssl_server_config_.client_cert_signature_algorithms.size()));
1037 }
1038 }
1039
1040 SSL_CTX_set_alpn_select_cb(ssl_ctx_.get(), &SocketImpl::ALPNSelectCallback,
1041 nullptr);
1042
1043 if (!ssl_server_config_.ocsp_response.empty()) {
1044 SSL_CTX_set_ocsp_response(ssl_ctx_.get(),
1045 ssl_server_config_.ocsp_response.data(),
1046 ssl_server_config_.ocsp_response.size());
1047 }
1048
1049 if (!ssl_server_config_.signed_cert_timestamp_list.empty()) {
1050 SSL_CTX_set_signed_cert_timestamp_list(
1051 ssl_ctx_.get(), ssl_server_config_.signed_cert_timestamp_list.data(),
1052 ssl_server_config_.signed_cert_timestamp_list.size());
1053 }
1054
1055 if (ssl_server_config_.ech_keys) {
1056 CHECK(SSL_CTX_set1_ech_keys(ssl_ctx_.get(),
1057 ssl_server_config_.ech_keys.get()));
1058 }
1059
1060 SSL_CTX_set_select_certificate_cb(ssl_ctx_.get(),
1061 &SocketImpl::SelectCertificateCallback);
1062 }
1063
1064 SSLServerContextImpl::~SSLServerContextImpl() = default;
1065
CreateSSLServerSocket(std::unique_ptr<StreamSocket> socket)1066 std::unique_ptr<SSLServerSocket> SSLServerContextImpl::CreateSSLServerSocket(
1067 std::unique_ptr<StreamSocket> socket) {
1068 return std::make_unique<SocketImpl>(this, std::move(socket));
1069 }
1070
1071 } // namespace net
1072