1 // Copyright (c) 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "quiche/quic/core/tls_server_handshaker.h"
6
7 #include <cstddef>
8 #include <cstdint>
9 #include <cstring>
10 #include <memory>
11 #include <optional>
12 #include <string>
13 #include <utility>
14 #include <vector>
15
16 #include "absl/status/status.h"
17 #include "absl/strings/str_cat.h"
18 #include "absl/strings/string_view.h"
19 #include "absl/types/span.h"
20 #include "absl/types/variant.h"
21 #include "openssl/base.h"
22 #include "openssl/bytestring.h"
23 #include "openssl/ssl.h"
24 #include "openssl/tls1.h"
25 #include "quiche/quic/core/crypto/crypto_handshake.h"
26 #include "quiche/quic/core/crypto/crypto_message_parser.h"
27 #include "quiche/quic/core/crypto/crypto_utils.h"
28 #include "quiche/quic/core/crypto/proof_source.h"
29 #include "quiche/quic/core/crypto/proof_verifier.h"
30 #include "quiche/quic/core/crypto/quic_crypto_server_config.h"
31 #include "quiche/quic/core/crypto/quic_decrypter.h"
32 #include "quiche/quic/core/crypto/quic_encrypter.h"
33 #include "quiche/quic/core/crypto/transport_parameters.h"
34 #include "quiche/quic/core/http/http_encoder.h"
35 #include "quiche/quic/core/http/http_frames.h"
36 #include "quiche/quic/core/quic_config.h"
37 #include "quiche/quic/core/quic_connection.h"
38 #include "quiche/quic/core/quic_connection_context.h"
39 #include "quiche/quic/core/quic_connection_id.h"
40 #include "quiche/quic/core/quic_connection_stats.h"
41 #include "quiche/quic/core/quic_crypto_server_stream_base.h"
42 #include "quiche/quic/core/quic_error_codes.h"
43 #include "quiche/quic/core/quic_session.h"
44 #include "quiche/quic/core/quic_time.h"
45 #include "quiche/quic/core/quic_time_accumulator.h"
46 #include "quiche/quic/core/quic_types.h"
47 #include "quiche/quic/core/quic_versions.h"
48 #include "quiche/quic/core/tls_handshaker.h"
49 #include "quiche/quic/platform/api/quic_bug_tracker.h"
50 #include "quiche/quic/platform/api/quic_flag_utils.h"
51 #include "quiche/quic/platform/api/quic_flags.h"
52 #include "quiche/quic/platform/api/quic_hostname_utils.h"
53 #include "quiche/quic/platform/api/quic_logging.h"
54 #include "quiche/quic/platform/api/quic_server_stats.h"
55 #include "quiche/quic/platform/api/quic_socket_address.h"
56
57 #define RECORD_LATENCY_IN_US(stat_name, latency, comment) \
58 do { \
59 const int64_t latency_in_us = (latency).ToMicroseconds(); \
60 QUIC_DVLOG(1) << "Recording " stat_name ": " << latency_in_us; \
61 QUIC_SERVER_HISTOGRAM_COUNTS(stat_name, latency_in_us, 1, 10000000, 50, \
62 comment); \
63 } while (0)
64
65 namespace quic {
66
67 namespace {
68
69 // Default port for HTTP/3.
70 uint16_t kDefaultPort = 443;
71
72 } // namespace
73
DefaultProofSourceHandle(TlsServerHandshaker * handshaker,ProofSource * proof_source)74 TlsServerHandshaker::DefaultProofSourceHandle::DefaultProofSourceHandle(
75 TlsServerHandshaker* handshaker, ProofSource* proof_source)
76 : handshaker_(handshaker), proof_source_(proof_source) {}
77
~DefaultProofSourceHandle()78 TlsServerHandshaker::DefaultProofSourceHandle::~DefaultProofSourceHandle() {
79 CloseHandle();
80 }
81
CloseHandle()82 void TlsServerHandshaker::DefaultProofSourceHandle::CloseHandle() {
83 QUIC_DVLOG(1) << "CloseHandle. is_signature_pending="
84 << (signature_callback_ != nullptr);
85 if (signature_callback_) {
86 signature_callback_->Cancel();
87 signature_callback_ = nullptr;
88 }
89 }
90
91 QuicAsyncStatus
SelectCertificate(const QuicSocketAddress & server_address,const QuicSocketAddress & client_address,const QuicConnectionId &,absl::string_view,const std::string & hostname,absl::string_view,const std::string &,std::optional<std::string>,const std::vector<uint8_t> &,const std::optional<std::vector<uint8_t>> &,const QuicSSLConfig &)92 TlsServerHandshaker::DefaultProofSourceHandle::SelectCertificate(
93 const QuicSocketAddress& server_address,
94 const QuicSocketAddress& client_address,
95 const QuicConnectionId& /*original_connection_id*/,
96 absl::string_view /*ssl_capabilities*/, const std::string& hostname,
97 absl::string_view /*client_hello*/, const std::string& /*alpn*/,
98 std::optional<std::string> /*alps*/,
99 const std::vector<uint8_t>& /*quic_transport_params*/,
100 const std::optional<std::vector<uint8_t>>& /*early_data_context*/,
101 const QuicSSLConfig& /*ssl_config*/) {
102 if (!handshaker_ || !proof_source_) {
103 QUIC_BUG(quic_bug_10341_1)
104 << "SelectCertificate called on a detached handle";
105 return QUIC_FAILURE;
106 }
107
108 bool cert_matched_sni;
109 quiche::QuicheReferenceCountedPointer<ProofSource::Chain> chain =
110 proof_source_->GetCertChain(server_address, client_address, hostname,
111 &cert_matched_sni);
112
113 handshaker_->OnSelectCertificateDone(
114 /*ok=*/true, /*is_sync=*/true,
115 ProofSourceHandleCallback::LocalSSLConfig{chain.get(),
116 QuicDelayedSSLConfig()},
117 /*ticket_encryption_key=*/absl::string_view(), cert_matched_sni);
118 if (!handshaker_->select_cert_status().has_value()) {
119 QUIC_BUG(quic_bug_12423_1)
120 << "select_cert_status() has no value after a synchronous select cert";
121 // Return success to continue the handshake.
122 return QUIC_SUCCESS;
123 }
124 return *handshaker_->select_cert_status();
125 }
126
ComputeSignature(const QuicSocketAddress & server_address,const QuicSocketAddress & client_address,const std::string & hostname,uint16_t signature_algorithm,absl::string_view in,size_t max_signature_size)127 QuicAsyncStatus TlsServerHandshaker::DefaultProofSourceHandle::ComputeSignature(
128 const QuicSocketAddress& server_address,
129 const QuicSocketAddress& client_address, const std::string& hostname,
130 uint16_t signature_algorithm, absl::string_view in,
131 size_t max_signature_size) {
132 if (!handshaker_ || !proof_source_) {
133 QUIC_BUG(quic_bug_10341_2)
134 << "ComputeSignature called on a detached handle";
135 return QUIC_FAILURE;
136 }
137
138 if (signature_callback_) {
139 QUIC_BUG(quic_bug_10341_3) << "ComputeSignature called while pending";
140 return QUIC_FAILURE;
141 }
142
143 signature_callback_ = new DefaultSignatureCallback(this);
144 proof_source_->ComputeTlsSignature(
145 server_address, client_address, hostname, signature_algorithm, in,
146 std::unique_ptr<DefaultSignatureCallback>(signature_callback_));
147
148 if (signature_callback_) {
149 QUIC_DVLOG(1) << "ComputeTlsSignature is pending";
150 signature_callback_->set_is_sync(false);
151 return QUIC_PENDING;
152 }
153
154 bool success = handshaker_->HasValidSignature(max_signature_size);
155 QUIC_DVLOG(1) << "ComputeTlsSignature completed synchronously. success:"
156 << success;
157 // OnComputeSignatureDone should have been called by signature_callback_->Run.
158 return success ? QUIC_SUCCESS : QUIC_FAILURE;
159 }
160
DecryptCallback(TlsServerHandshaker * handshaker)161 TlsServerHandshaker::DecryptCallback::DecryptCallback(
162 TlsServerHandshaker* handshaker)
163 : handshaker_(handshaker) {}
164
Run(std::vector<uint8_t> plaintext)165 void TlsServerHandshaker::DecryptCallback::Run(std::vector<uint8_t> plaintext) {
166 if (handshaker_ == nullptr) {
167 // The callback was cancelled before we could run.
168 return;
169 }
170
171 TlsServerHandshaker* handshaker = handshaker_;
172 handshaker_ = nullptr;
173
174 handshaker->decrypted_session_ticket_ = std::move(plaintext);
175 const bool is_async =
176 (handshaker->expected_ssl_error() == SSL_ERROR_PENDING_TICKET);
177
178 std::optional<QuicConnectionContextSwitcher> context_switcher;
179
180 if (is_async) {
181 context_switcher.emplace(handshaker->connection_context());
182 }
183 QUIC_TRACESTRING(
184 absl::StrCat("TLS ticket decryption done. len(decrypted_ticket):",
185 handshaker->decrypted_session_ticket_.size()));
186
187 // DecryptCallback::Run could be called synchronously. When that happens, we
188 // are currently in the middle of a call to AdvanceHandshake.
189 // (AdvanceHandshake called SSL_do_handshake, which through some layers
190 // called SessionTicketOpen, which called TicketCrypter::Decrypt, which
191 // synchronously called this function.) In that case, the handshake will
192 // continue to be processed when this function returns.
193 //
194 // When this callback is called asynchronously (i.e. the ticket decryption
195 // is pending), TlsServerHandshaker is not actively processing handshake
196 // messages. We need to have it resume processing handshake messages by
197 // calling AdvanceHandshake.
198 if (is_async) {
199 handshaker->AdvanceHandshakeFromCallback();
200 }
201
202 handshaker->ticket_decryption_callback_ = nullptr;
203 }
204
Cancel()205 void TlsServerHandshaker::DecryptCallback::Cancel() {
206 QUICHE_DCHECK(handshaker_);
207 handshaker_ = nullptr;
208 }
209
TlsServerHandshaker(QuicSession * session,const QuicCryptoServerConfig * crypto_config)210 TlsServerHandshaker::TlsServerHandshaker(
211 QuicSession* session, const QuicCryptoServerConfig* crypto_config)
212 : TlsHandshaker(this, session),
213 QuicCryptoServerStreamBase(session),
214 proof_source_(crypto_config->proof_source()),
215 pre_shared_key_(crypto_config->pre_shared_key()),
216 crypto_negotiated_params_(new QuicCryptoNegotiatedParameters),
217 tls_connection_(crypto_config->ssl_ctx(), this, session->GetSSLConfig()),
218 crypto_config_(crypto_config) {
219 QUIC_DVLOG(1) << "TlsServerHandshaker: client_cert_mode initial value: "
220 << client_cert_mode();
221
222 QUICHE_DCHECK_EQ(PROTOCOL_TLS1_3,
223 session->connection()->version().handshake_protocol);
224
225 // Configure the SSL to be a server.
226 SSL_set_accept_state(ssl());
227
228 // Make sure we use the right TLS extension codepoint.
229 int use_legacy_extension = 0;
230 if (session->version().UsesLegacyTlsExtension()) {
231 use_legacy_extension = 1;
232 }
233 SSL_set_quic_use_legacy_codepoint(ssl(), use_legacy_extension);
234
235 if (session->connection()->context()->tracer) {
236 tls_connection_.EnableInfoCallback();
237 }
238 #if BORINGSSL_API_VERSION >= 22
239 if (!crypto_config->preferred_groups().empty()) {
240 SSL_set1_group_ids(ssl(), crypto_config->preferred_groups().data(),
241 crypto_config->preferred_groups().size());
242 }
243 #endif // BORINGSSL_API_VERSION
244 }
245
~TlsServerHandshaker()246 TlsServerHandshaker::~TlsServerHandshaker() { CancelOutstandingCallbacks(); }
247
CancelOutstandingCallbacks()248 void TlsServerHandshaker::CancelOutstandingCallbacks() {
249 if (proof_source_handle_) {
250 proof_source_handle_->CloseHandle();
251 }
252 if (ticket_decryption_callback_) {
253 ticket_decryption_callback_->Cancel();
254 ticket_decryption_callback_ = nullptr;
255 }
256 }
257
InfoCallback(int type,int value)258 void TlsServerHandshaker::InfoCallback(int type, int value) {
259 QuicConnectionTracer* tracer =
260 session()->connection()->context()->tracer.get();
261
262 if (tracer == nullptr) {
263 return;
264 }
265
266 if (type & SSL_CB_LOOP) {
267 tracer->PrintString(
268 absl::StrCat("SSL:ACCEPT_LOOP:", SSL_state_string_long(ssl())));
269 } else if (type & SSL_CB_ALERT) {
270 const char* prefix =
271 (type & SSL_CB_READ) ? "SSL:READ_ALERT:" : "SSL:WRITE_ALERT:";
272 tracer->PrintString(absl::StrCat(prefix, SSL_alert_type_string_long(value),
273 ":", SSL_alert_desc_string_long(value)));
274 } else if (type & SSL_CB_EXIT) {
275 const char* prefix =
276 (value == 1) ? "SSL:ACCEPT_EXIT_OK:" : "SSL:ACCEPT_EXIT_FAIL:";
277 tracer->PrintString(absl::StrCat(prefix, SSL_state_string_long(ssl())));
278 } else if (type & SSL_CB_HANDSHAKE_START) {
279 tracer->PrintString(
280 absl::StrCat("SSL:HANDSHAKE_START:", SSL_state_string_long(ssl())));
281 } else if (type & SSL_CB_HANDSHAKE_DONE) {
282 tracer->PrintString(
283 absl::StrCat("SSL:HANDSHAKE_DONE:", SSL_state_string_long(ssl())));
284 } else {
285 QUIC_DLOG(INFO) << "Unknown event type " << type << ": "
286 << SSL_state_string_long(ssl());
287 tracer->PrintString(
288 absl::StrCat("SSL:unknown:", value, ":", SSL_state_string_long(ssl())));
289 }
290 }
291
292 std::unique_ptr<ProofSourceHandle>
MaybeCreateProofSourceHandle()293 TlsServerHandshaker::MaybeCreateProofSourceHandle() {
294 return std::make_unique<DefaultProofSourceHandle>(this, proof_source_);
295 }
296
GetBase64SHA256ClientChannelID(std::string *) const297 bool TlsServerHandshaker::GetBase64SHA256ClientChannelID(
298 std::string* /*output*/) const {
299 // Channel ID is not supported when TLS is used in QUIC.
300 return false;
301 }
302
SendServerConfigUpdate(const CachedNetworkParameters *)303 void TlsServerHandshaker::SendServerConfigUpdate(
304 const CachedNetworkParameters* /*cached_network_params*/) {
305 // SCUP messages aren't supported when using the TLS handshake.
306 }
307
DisableResumption()308 bool TlsServerHandshaker::DisableResumption() {
309 if (!can_disable_resumption_ || !session()->connection()->connected()) {
310 return false;
311 }
312 tls_connection_.DisableTicketSupport();
313 return true;
314 }
315
IsZeroRtt() const316 bool TlsServerHandshaker::IsZeroRtt() const {
317 return SSL_early_data_accepted(ssl());
318 }
319
IsResumption() const320 bool TlsServerHandshaker::IsResumption() const {
321 return SSL_session_reused(ssl());
322 }
323
ResumptionAttempted() const324 bool TlsServerHandshaker::ResumptionAttempted() const {
325 return ticket_received_;
326 }
327
EarlyDataAttempted() const328 bool TlsServerHandshaker::EarlyDataAttempted() const {
329 QUIC_BUG_IF(quic_tls_early_data_attempted_too_early,
330 !select_cert_status_.has_value())
331 << "EarlyDataAttempted must be called after EarlySelectCertCallback is "
332 "started";
333 return early_data_attempted_;
334 }
335
NumServerConfigUpdateMessagesSent() const336 int TlsServerHandshaker::NumServerConfigUpdateMessagesSent() const {
337 // SCUP messages aren't supported when using the TLS handshake.
338 return 0;
339 }
340
341 const CachedNetworkParameters*
PreviousCachedNetworkParams() const342 TlsServerHandshaker::PreviousCachedNetworkParams() const {
343 return last_received_cached_network_params_.get();
344 }
345
SetPreviousCachedNetworkParams(CachedNetworkParameters cached_network_params)346 void TlsServerHandshaker::SetPreviousCachedNetworkParams(
347 CachedNetworkParameters cached_network_params) {
348 last_received_cached_network_params_ =
349 std::make_unique<CachedNetworkParameters>(cached_network_params);
350 }
351
OnPacketDecrypted(EncryptionLevel level)352 void TlsServerHandshaker::OnPacketDecrypted(EncryptionLevel level) {
353 if (level == ENCRYPTION_HANDSHAKE && state_ < HANDSHAKE_PROCESSED) {
354 state_ = HANDSHAKE_PROCESSED;
355 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_INITIAL);
356 handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_INITIAL);
357 }
358 }
359
OnHandshakeDoneReceived()360 void TlsServerHandshaker::OnHandshakeDoneReceived() { QUICHE_DCHECK(false); }
361
OnNewTokenReceived(absl::string_view)362 void TlsServerHandshaker::OnNewTokenReceived(absl::string_view /*token*/) {
363 QUICHE_DCHECK(false);
364 }
365
GetAddressToken(const CachedNetworkParameters * cached_network_params) const366 std::string TlsServerHandshaker::GetAddressToken(
367 const CachedNetworkParameters* cached_network_params) const {
368 SourceAddressTokens empty_previous_tokens;
369 const QuicConnection* connection = session()->connection();
370 return crypto_config_->NewSourceAddressToken(
371 crypto_config_->source_address_token_boxer(), empty_previous_tokens,
372 connection->effective_peer_address().host(),
373 connection->random_generator(), connection->clock()->WallNow(),
374 cached_network_params);
375 }
376
ValidateAddressToken(absl::string_view token) const377 bool TlsServerHandshaker::ValidateAddressToken(absl::string_view token) const {
378 SourceAddressTokens tokens;
379 HandshakeFailureReason reason = crypto_config_->ParseSourceAddressToken(
380 crypto_config_->source_address_token_boxer(), token, tokens);
381 if (reason != HANDSHAKE_OK) {
382 QUIC_DLOG(WARNING) << "Failed to parse source address token: "
383 << CryptoUtils::HandshakeFailureReasonToString(reason);
384 return false;
385 }
386 auto cached_network_params = std::make_unique<CachedNetworkParameters>();
387 reason = crypto_config_->ValidateSourceAddressTokens(
388 tokens, session()->connection()->effective_peer_address().host(),
389 session()->connection()->clock()->WallNow(), cached_network_params.get());
390 if (reason != HANDSHAKE_OK) {
391 QUIC_DLOG(WARNING) << "Failed to validate source address token: "
392 << CryptoUtils::HandshakeFailureReasonToString(reason);
393 return false;
394 }
395
396 last_received_cached_network_params_ = std::move(cached_network_params);
397 return true;
398 }
399
ShouldSendExpectCTHeader() const400 bool TlsServerHandshaker::ShouldSendExpectCTHeader() const { return false; }
401
DidCertMatchSni() const402 bool TlsServerHandshaker::DidCertMatchSni() const { return cert_matched_sni_; }
403
ProofSourceDetails() const404 const ProofSource::Details* TlsServerHandshaker::ProofSourceDetails() const {
405 return proof_source_details_.get();
406 }
407
ExportKeyingMaterial(absl::string_view label,absl::string_view context,size_t result_len,std::string * result)408 bool TlsServerHandshaker::ExportKeyingMaterial(absl::string_view label,
409 absl::string_view context,
410 size_t result_len,
411 std::string* result) {
412 return ExportKeyingMaterialForLabel(label, context, result_len, result);
413 }
414
OnConnectionClosed(QuicErrorCode error,ConnectionCloseSource source)415 void TlsServerHandshaker::OnConnectionClosed(QuicErrorCode error,
416 ConnectionCloseSource source) {
417 TlsHandshaker::OnConnectionClosed(error, source);
418 }
419
EarlyDataReason() const420 ssl_early_data_reason_t TlsServerHandshaker::EarlyDataReason() const {
421 return TlsHandshaker::EarlyDataReason();
422 }
423
encryption_established() const424 bool TlsServerHandshaker::encryption_established() const {
425 return encryption_established_;
426 }
427
one_rtt_keys_available() const428 bool TlsServerHandshaker::one_rtt_keys_available() const {
429 return state_ == HANDSHAKE_CONFIRMED;
430 }
431
432 const QuicCryptoNegotiatedParameters&
crypto_negotiated_params() const433 TlsServerHandshaker::crypto_negotiated_params() const {
434 return *crypto_negotiated_params_;
435 }
436
crypto_message_parser()437 CryptoMessageParser* TlsServerHandshaker::crypto_message_parser() {
438 return TlsHandshaker::crypto_message_parser();
439 }
440
GetHandshakeState() const441 HandshakeState TlsServerHandshaker::GetHandshakeState() const { return state_; }
442
SetServerApplicationStateForResumption(std::unique_ptr<ApplicationState> state)443 void TlsServerHandshaker::SetServerApplicationStateForResumption(
444 std::unique_ptr<ApplicationState> state) {
445 application_state_ = std::move(state);
446 }
447
BufferSizeLimitForLevel(EncryptionLevel level) const448 size_t TlsServerHandshaker::BufferSizeLimitForLevel(
449 EncryptionLevel level) const {
450 return TlsHandshaker::BufferSizeLimitForLevel(level);
451 }
452
453 std::unique_ptr<QuicDecrypter>
AdvanceKeysAndCreateCurrentOneRttDecrypter()454 TlsServerHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter() {
455 return TlsHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter();
456 }
457
458 std::unique_ptr<QuicEncrypter>
CreateCurrentOneRttEncrypter()459 TlsServerHandshaker::CreateCurrentOneRttEncrypter() {
460 return TlsHandshaker::CreateCurrentOneRttEncrypter();
461 }
462
OverrideQuicConfigDefaults(QuicConfig *)463 void TlsServerHandshaker::OverrideQuicConfigDefaults(QuicConfig* /*config*/) {}
464
AdvanceHandshakeFromCallback()465 void TlsServerHandshaker::AdvanceHandshakeFromCallback() {
466 QuicConnection::ScopedPacketFlusher flusher(session()->connection());
467
468 AdvanceHandshake();
469 if (!is_connection_closed()) {
470 handshaker_delegate()->OnHandshakeCallbackDone();
471 }
472 }
473
ProcessTransportParameters(const SSL_CLIENT_HELLO * client_hello,std::string * error_details)474 bool TlsServerHandshaker::ProcessTransportParameters(
475 const SSL_CLIENT_HELLO* client_hello, std::string* error_details) {
476 TransportParameters client_params;
477 const uint8_t* client_params_bytes;
478 size_t params_bytes_len;
479
480 // Make sure we use the right TLS extension codepoint.
481 uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters_standard;
482 if (session()->version().UsesLegacyTlsExtension()) {
483 extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;
484 }
485 // When using early select cert callback, SSL_get_peer_quic_transport_params
486 // can not be used to retrieve the client's transport parameters, but we can
487 // use SSL_early_callback_ctx_extension_get to do that.
488 if (!SSL_early_callback_ctx_extension_get(client_hello, extension_type,
489 &client_params_bytes,
490 ¶ms_bytes_len)) {
491 params_bytes_len = 0;
492 }
493
494 if (params_bytes_len == 0) {
495 *error_details = "Client's transport parameters are missing";
496 return false;
497 }
498 std::string parse_error_details;
499 if (!ParseTransportParameters(session()->connection()->version(),
500 Perspective::IS_CLIENT, client_params_bytes,
501 params_bytes_len, &client_params,
502 &parse_error_details)) {
503 QUICHE_DCHECK(!parse_error_details.empty());
504 *error_details =
505 "Unable to parse client's transport parameters: " + parse_error_details;
506 return false;
507 }
508
509 // Notify QuicConnectionDebugVisitor.
510 session()->connection()->OnTransportParametersReceived(client_params);
511
512 if (client_params.legacy_version_information.has_value() &&
513 CryptoUtils::ValidateClientHelloVersion(
514 client_params.legacy_version_information->version,
515 session()->connection()->version(), session()->supported_versions(),
516 error_details) != QUIC_NO_ERROR) {
517 return false;
518 }
519
520 if (client_params.version_information.has_value() &&
521 !CryptoUtils::ValidateChosenVersion(
522 client_params.version_information->chosen_version,
523 session()->version(), error_details)) {
524 QUICHE_DCHECK(!error_details->empty());
525 return false;
526 }
527
528 if (handshaker_delegate()->ProcessTransportParameters(
529 client_params, /* is_resumption = */ false, error_details) !=
530 QUIC_NO_ERROR) {
531 return false;
532 }
533
534 if (!ProcessAdditionalTransportParameters(client_params)) {
535 *error_details = "Failed to process additional transport parameters";
536 return false;
537 }
538
539 return true;
540 }
541
542 TlsServerHandshaker::SetTransportParametersResult
SetTransportParameters()543 TlsServerHandshaker::SetTransportParameters() {
544 SetTransportParametersResult result;
545 QUICHE_DCHECK(!result.success);
546
547 server_params_.perspective = Perspective::IS_SERVER;
548 server_params_.legacy_version_information =
549 TransportParameters::LegacyVersionInformation();
550 server_params_.legacy_version_information->supported_versions =
551 CreateQuicVersionLabelVector(session()->supported_versions());
552 server_params_.legacy_version_information->version =
553 CreateQuicVersionLabel(session()->connection()->version());
554 server_params_.version_information =
555 TransportParameters::VersionInformation();
556 server_params_.version_information->chosen_version =
557 CreateQuicVersionLabel(session()->version());
558 server_params_.version_information->other_versions =
559 CreateQuicVersionLabelVector(session()->supported_versions());
560
561 if (!handshaker_delegate()->FillTransportParameters(&server_params_)) {
562 return result;
563 }
564
565 // Notify QuicConnectionDebugVisitor.
566 session()->connection()->OnTransportParametersSent(server_params_);
567
568 { // Ensure |server_params_bytes| is not accessed out of the scope.
569 std::vector<uint8_t> server_params_bytes;
570 if (!SerializeTransportParameters(server_params_, &server_params_bytes) ||
571 SSL_set_quic_transport_params(ssl(), server_params_bytes.data(),
572 server_params_bytes.size()) != 1) {
573 return result;
574 }
575 result.quic_transport_params = std::move(server_params_bytes);
576 }
577
578 if (application_state_) {
579 std::vector<uint8_t> early_data_context;
580 if (!SerializeTransportParametersForTicket(
581 server_params_, *application_state_, &early_data_context)) {
582 QUIC_BUG(quic_bug_10341_4)
583 << "Failed to serialize Transport Parameters for ticket.";
584 result.early_data_context = std::vector<uint8_t>();
585 return result;
586 }
587 SSL_set_quic_early_data_context(ssl(), early_data_context.data(),
588 early_data_context.size());
589 result.early_data_context = std::move(early_data_context);
590 application_state_.reset(nullptr);
591 }
592 result.success = true;
593 return result;
594 }
595
TransportParametersMatch(absl::Span<const uint8_t> serialized_params) const596 bool TlsServerHandshaker::TransportParametersMatch(
597 absl::Span<const uint8_t> serialized_params) const {
598 TransportParameters params;
599 std::string error_details;
600
601 bool parse_ok = ParseTransportParameters(
602 session()->version(), Perspective::IS_SERVER, serialized_params.data(),
603 serialized_params.size(), ¶ms, &error_details);
604
605 if (!parse_ok) {
606 return false;
607 }
608
609 DegreaseTransportParameters(params);
610
611 return params == server_params_;
612 }
613
SetWriteSecret(EncryptionLevel level,const SSL_CIPHER * cipher,absl::Span<const uint8_t> write_secret)614 void TlsServerHandshaker::SetWriteSecret(
615 EncryptionLevel level, const SSL_CIPHER* cipher,
616 absl::Span<const uint8_t> write_secret) {
617 if (is_connection_closed()) {
618 return;
619 }
620 if (level == ENCRYPTION_FORWARD_SECURE) {
621 encryption_established_ = true;
622 // Fill crypto_negotiated_params_:
623 const SSL_CIPHER* ssl_cipher = SSL_get_current_cipher(ssl());
624 if (ssl_cipher) {
625 crypto_negotiated_params_->cipher_suite =
626 SSL_CIPHER_get_protocol_id(ssl_cipher);
627 }
628 crypto_negotiated_params_->key_exchange_group = SSL_get_curve_id(ssl());
629 crypto_negotiated_params_->encrypted_client_hello = SSL_ech_accepted(ssl());
630 }
631 TlsHandshaker::SetWriteSecret(level, cipher, write_secret);
632 }
633
GetAcceptChValueForHostname(const std::string &) const634 std::string TlsServerHandshaker::GetAcceptChValueForHostname(
635 const std::string& /*hostname*/) const {
636 return {};
637 }
638
UseAlpsNewCodepoint() const639 bool TlsServerHandshaker::UseAlpsNewCodepoint() const {
640 if (!select_cert_status_.has_value()) {
641 QUIC_BUG(quic_tls_check_alps_new_codepoint_too_early)
642 << "UseAlpsNewCodepoint must be called after "
643 "EarlySelectCertCallback is started";
644 return false;
645 }
646
647 return alps_new_codepoint_received_;
648 }
649
FinishHandshake()650 void TlsServerHandshaker::FinishHandshake() {
651 QUICHE_DCHECK(!SSL_in_early_data(ssl()));
652
653 if (!valid_alpn_received_) {
654 QUIC_DLOG(ERROR)
655 << "Server: handshake finished without receiving a known ALPN";
656 // TODO(b/130164908) this should send no_application_protocol
657 // instead of QUIC_HANDSHAKE_FAILED.
658 CloseConnection(QUIC_HANDSHAKE_FAILED,
659 "Server did not receive a known ALPN");
660 return;
661 }
662
663 ssl_early_data_reason_t reason_code = EarlyDataReason();
664 QUIC_DLOG(INFO) << "Server: handshake finished. Early data reason "
665 << reason_code << " ("
666 << CryptoUtils::EarlyDataReasonToString(reason_code) << ")";
667 state_ = HANDSHAKE_CONFIRMED;
668
669 handshaker_delegate()->OnTlsHandshakeComplete();
670 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_HANDSHAKE);
671 handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_HANDSHAKE);
672 // ENCRYPTION_ZERO_RTT decryption key is not discarded here as "Servers MAY
673 // temporarily retain 0-RTT keys to allow decrypting reordered packets
674 // without requiring their contents to be retransmitted with 1-RTT keys."
675 // It is expected that QuicConnection will discard the key at an
676 // appropriate time.
677 }
678
VerifyCertChain(const std::vector<std::string> &,std::string *,std::unique_ptr<ProofVerifyDetails> *,uint8_t *,std::unique_ptr<ProofVerifierCallback>)679 QuicAsyncStatus TlsServerHandshaker::VerifyCertChain(
680 const std::vector<std::string>& /*certs*/, std::string* /*error_details*/,
681 std::unique_ptr<ProofVerifyDetails>* /*details*/, uint8_t* /*out_alert*/,
682 std::unique_ptr<ProofVerifierCallback> /*callback*/) {
683 QUIC_DVLOG(1) << "VerifyCertChain returning success";
684
685 // No real verification here. A subclass can override this function to verify
686 // the client cert if needed.
687 return QUIC_SUCCESS;
688 }
689
OnProofVerifyDetailsAvailable(const ProofVerifyDetails &)690 void TlsServerHandshaker::OnProofVerifyDetailsAvailable(
691 const ProofVerifyDetails& /*verify_details*/) {}
692
PrivateKeySign(uint8_t * out,size_t * out_len,size_t max_out,uint16_t sig_alg,absl::string_view in)693 ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign(
694 uint8_t* out, size_t* out_len, size_t max_out, uint16_t sig_alg,
695 absl::string_view in) {
696 QUICHE_DCHECK_EQ(expected_ssl_error(), SSL_ERROR_WANT_READ);
697
698 QuicAsyncStatus status = proof_source_handle_->ComputeSignature(
699 session()->connection()->self_address(),
700 session()->connection()->peer_address(), crypto_negotiated_params_->sni,
701 sig_alg, in, max_out);
702 if (status == QUIC_PENDING) {
703 set_expected_ssl_error(SSL_ERROR_WANT_PRIVATE_KEY_OPERATION);
704 if (async_op_timer_.has_value()) {
705 QUIC_CODE_COUNT(
706 quic_tls_server_computing_signature_while_another_op_pending);
707 }
708 async_op_timer_ = QuicTimeAccumulator();
709 async_op_timer_->Start(now());
710 }
711 return PrivateKeyComplete(out, out_len, max_out);
712 }
713
PrivateKeyComplete(uint8_t * out,size_t * out_len,size_t max_out)714 ssl_private_key_result_t TlsServerHandshaker::PrivateKeyComplete(
715 uint8_t* out, size_t* out_len, size_t max_out) {
716 if (expected_ssl_error() == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
717 return ssl_private_key_retry;
718 }
719
720 const bool success = HasValidSignature(max_out);
721 QuicConnectionStats::TlsServerOperationStats compute_signature_stats;
722 compute_signature_stats.success = success;
723 if (async_op_timer_.has_value()) {
724 async_op_timer_->Stop(now());
725 compute_signature_stats.async_latency =
726 async_op_timer_->GetTotalElapsedTime();
727 async_op_timer_.reset();
728 RECORD_LATENCY_IN_US("tls_server_async_compute_signature_latency_us",
729 compute_signature_stats.async_latency,
730 "Async compute signature latency in microseconds");
731 }
732 connection_stats().tls_server_compute_signature_stats =
733 std::move(compute_signature_stats);
734
735 if (!success) {
736 return ssl_private_key_failure;
737 }
738 *out_len = cert_verify_sig_.size();
739 memcpy(out, cert_verify_sig_.data(), *out_len);
740 cert_verify_sig_.clear();
741 cert_verify_sig_.shrink_to_fit();
742 return ssl_private_key_success;
743 }
744
OnComputeSignatureDone(bool ok,bool is_sync,std::string signature,std::unique_ptr<ProofSource::Details> details)745 void TlsServerHandshaker::OnComputeSignatureDone(
746 bool ok, bool is_sync, std::string signature,
747 std::unique_ptr<ProofSource::Details> details) {
748 QUIC_DVLOG(1) << "OnComputeSignatureDone. ok:" << ok
749 << ", is_sync:" << is_sync
750 << ", len(signature):" << signature.size();
751 std::optional<QuicConnectionContextSwitcher> context_switcher;
752
753 if (!is_sync) {
754 context_switcher.emplace(connection_context());
755 }
756
757 QUIC_TRACESTRING(absl::StrCat("TLS compute signature done. ok:", ok,
758 ", len(signature):", signature.size()));
759
760 if (ok) {
761 cert_verify_sig_ = std::move(signature);
762 proof_source_details_ = std::move(details);
763 }
764 const int last_expected_ssl_error = expected_ssl_error();
765 set_expected_ssl_error(SSL_ERROR_WANT_READ);
766 if (!is_sync) {
767 QUICHE_DCHECK_EQ(last_expected_ssl_error,
768 SSL_ERROR_WANT_PRIVATE_KEY_OPERATION);
769 AdvanceHandshakeFromCallback();
770 }
771 }
772
HasValidSignature(size_t max_signature_size) const773 bool TlsServerHandshaker::HasValidSignature(size_t max_signature_size) const {
774 return !cert_verify_sig_.empty() &&
775 cert_verify_sig_.size() <= max_signature_size;
776 }
777
SessionTicketMaxOverhead()778 size_t TlsServerHandshaker::SessionTicketMaxOverhead() {
779 QUICHE_DCHECK(proof_source_->GetTicketCrypter());
780 return proof_source_->GetTicketCrypter()->MaxOverhead();
781 }
782
SessionTicketSeal(uint8_t * out,size_t * out_len,size_t max_out_len,absl::string_view in)783 int TlsServerHandshaker::SessionTicketSeal(uint8_t* out, size_t* out_len,
784 size_t max_out_len,
785 absl::string_view in) {
786 QUICHE_DCHECK(proof_source_->GetTicketCrypter());
787 std::vector<uint8_t> ticket =
788 proof_source_->GetTicketCrypter()->Encrypt(in, ticket_encryption_key_);
789 if (GetQuicReloadableFlag(
790 quic_send_placeholder_ticket_when_encrypt_ticket_fails) &&
791 ticket.empty()) {
792 QUIC_CODE_COUNT(quic_tls_server_handshaker_send_placeholder_ticket);
793 const absl::string_view kTicketFailurePlaceholder = "TICKET FAILURE";
794 const absl::string_view kTicketWithSizeLimit =
795 kTicketFailurePlaceholder.substr(0, max_out_len);
796 ticket.assign(kTicketWithSizeLimit.begin(), kTicketWithSizeLimit.end());
797 }
798 if (max_out_len < ticket.size()) {
799 QUIC_BUG(quic_bug_12423_2)
800 << "TicketCrypter returned " << ticket.size()
801 << " bytes of ciphertext, which is larger than its max overhead of "
802 << max_out_len;
803 return 0; // failure
804 }
805 *out_len = ticket.size();
806 memcpy(out, ticket.data(), ticket.size());
807 QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_sealed);
808 return 1; // success
809 }
810
SessionTicketOpen(uint8_t * out,size_t * out_len,size_t max_out_len,absl::string_view in)811 ssl_ticket_aead_result_t TlsServerHandshaker::SessionTicketOpen(
812 uint8_t* out, size_t* out_len, size_t max_out_len, absl::string_view in) {
813 QUICHE_DCHECK(proof_source_->GetTicketCrypter());
814
815 if (ignore_ticket_open_) {
816 // SetIgnoreTicketOpen has been called. Typically this means the caller is
817 // using handshake hints and expect the hints to contain ticket decryption
818 // results.
819 QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_ignored_1);
820 return ssl_ticket_aead_ignore_ticket;
821 }
822
823 if (!ticket_decryption_callback_) {
824 ticket_decryption_callback_ = std::make_shared<DecryptCallback>(this);
825 proof_source_->GetTicketCrypter()->Decrypt(in, ticket_decryption_callback_);
826
827 // Decrypt can run the callback synchronously. In that case, the callback
828 // will clear the ticket_decryption_callback_ pointer, and instead of
829 // returning ssl_ticket_aead_retry, we should continue processing to
830 // return the decrypted ticket.
831 //
832 // If the callback is not run synchronously, return ssl_ticket_aead_retry
833 // and when the callback is complete this function will be run again to
834 // return the result.
835 if (ticket_decryption_callback_) {
836 QUICHE_DCHECK(!ticket_decryption_callback_->IsDone());
837 set_expected_ssl_error(SSL_ERROR_PENDING_TICKET);
838 if (async_op_timer_.has_value()) {
839 QUIC_CODE_COUNT(
840 quic_tls_server_decrypting_ticket_while_another_op_pending);
841 }
842 async_op_timer_ = QuicTimeAccumulator();
843 async_op_timer_->Start(now());
844 }
845 }
846
847 // If the async ticket decryption is pending, either started by this
848 // SessionTicketOpen call or one that happened earlier, return
849 // ssl_ticket_aead_retry.
850 if (ticket_decryption_callback_ && !ticket_decryption_callback_->IsDone()) {
851 return ssl_ticket_aead_retry;
852 }
853
854 ssl_ticket_aead_result_t result =
855 FinalizeSessionTicketOpen(out, out_len, max_out_len);
856
857 QuicConnectionStats::TlsServerOperationStats decrypt_ticket_stats;
858 decrypt_ticket_stats.success = (result == ssl_ticket_aead_success);
859 if (async_op_timer_.has_value()) {
860 async_op_timer_->Stop(now());
861 decrypt_ticket_stats.async_latency = async_op_timer_->GetTotalElapsedTime();
862 async_op_timer_.reset();
863 RECORD_LATENCY_IN_US("tls_server_async_decrypt_ticket_latency_us",
864 decrypt_ticket_stats.async_latency,
865 "Async decrypt ticket latency in microseconds");
866 }
867 connection_stats().tls_server_decrypt_ticket_stats =
868 std::move(decrypt_ticket_stats);
869
870 return result;
871 }
872
FinalizeSessionTicketOpen(uint8_t * out,size_t * out_len,size_t max_out_len)873 ssl_ticket_aead_result_t TlsServerHandshaker::FinalizeSessionTicketOpen(
874 uint8_t* out, size_t* out_len, size_t max_out_len) {
875 ticket_decryption_callback_ = nullptr;
876 set_expected_ssl_error(SSL_ERROR_WANT_READ);
877 if (decrypted_session_ticket_.empty()) {
878 QUIC_DLOG(ERROR) << "Session ticket decryption failed; ignoring ticket";
879 // Ticket decryption failed. Ignore the ticket.
880 QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_ignored_2);
881 return ssl_ticket_aead_ignore_ticket;
882 }
883 if (max_out_len < decrypted_session_ticket_.size()) {
884 return ssl_ticket_aead_error;
885 }
886 memcpy(out, decrypted_session_ticket_.data(),
887 decrypted_session_ticket_.size());
888 *out_len = decrypted_session_ticket_.size();
889
890 QUIC_CODE_COUNT(quic_tls_server_handshaker_tickets_opened);
891 return ssl_ticket_aead_success;
892 }
893
EarlySelectCertCallback(const SSL_CLIENT_HELLO * client_hello)894 ssl_select_cert_result_t TlsServerHandshaker::EarlySelectCertCallback(
895 const SSL_CLIENT_HELLO* client_hello) {
896 // EarlySelectCertCallback can be called twice from BoringSSL: If the first
897 // call returns ssl_select_cert_retry, when cert selection completes,
898 // SSL_do_handshake will call it again.
899
900 if (select_cert_status_.has_value()) {
901 // This is the second call, return the result directly.
902 QUIC_DVLOG(1) << "EarlySelectCertCallback called to continue handshake, "
903 "returning directly. success:"
904 << (*select_cert_status_ == QUIC_SUCCESS);
905 return (*select_cert_status_ == QUIC_SUCCESS) ? ssl_select_cert_success
906 : ssl_select_cert_error;
907 }
908
909 // This is the first call.
910 select_cert_status_ = QUIC_PENDING;
911 proof_source_handle_ = MaybeCreateProofSourceHandle();
912
913 if (!pre_shared_key_.empty()) {
914 // TODO(b/154162689) add PSK support to QUIC+TLS.
915 QUIC_BUG(quic_bug_10341_6)
916 << "QUIC server pre-shared keys not yet supported with TLS";
917 return ssl_select_cert_error;
918 }
919
920 {
921 const uint8_t* unused_extension_bytes;
922 size_t unused_extension_len;
923 ticket_received_ = SSL_early_callback_ctx_extension_get(
924 client_hello, TLSEXT_TYPE_pre_shared_key, &unused_extension_bytes,
925 &unused_extension_len);
926
927 early_data_attempted_ = SSL_early_callback_ctx_extension_get(
928 client_hello, TLSEXT_TYPE_early_data, &unused_extension_bytes,
929 &unused_extension_len);
930
931 int use_alps_new_codepoint = 0;
932
933 #if BORINGSSL_API_VERSION >= 27
934 if (GetQuicReloadableFlag(quic_gfe_allow_alps_new_codepoint)) {
935 QUIC_RELOADABLE_FLAG_COUNT(quic_gfe_allow_alps_new_codepoint);
936
937 alps_new_codepoint_received_ = SSL_early_callback_ctx_extension_get(
938 client_hello, TLSEXT_TYPE_application_settings,
939 &unused_extension_bytes, &unused_extension_len);
940 // Make sure we use the right ALPS codepoint.
941 if (alps_new_codepoint_received_) {
942 QUIC_CODE_COUNT(quic_gfe_alps_use_new_codepoint);
943 use_alps_new_codepoint = 1;
944 }
945 QUIC_DLOG(INFO) << "ALPS use new codepoint: " << use_alps_new_codepoint;
946 SSL_set_alps_use_new_codepoint(ssl(), use_alps_new_codepoint);
947 }
948 #endif // BORINGSSL_API_VERSION
949
950 if (use_alps_new_codepoint == 0) {
951 QUIC_CODE_COUNT(quic_gfe_alps_use_old_codepoint);
952 }
953 }
954
955 // This callback is called very early by Boring SSL, most of the SSL_get_foo
956 // function do not work at this point, but SSL_get_servername does.
957 const char* hostname = SSL_get_servername(ssl(), TLSEXT_NAMETYPE_host_name);
958 if (hostname) {
959 crypto_negotiated_params_->sni =
960 QuicHostnameUtils::NormalizeHostname(hostname);
961 if (!ValidateHostname(hostname)) {
962 return ssl_select_cert_error;
963 }
964 if (hostname != crypto_negotiated_params_->sni) {
965 QUIC_CODE_COUNT(quic_tls_server_hostname_diff);
966 QUIC_LOG_EVERY_N_SEC(WARNING, 300)
967 << "Raw and normalized hostnames differ, but both are valid SNIs. "
968 "raw hostname:"
969 << hostname << ", normalized:" << crypto_negotiated_params_->sni;
970 } else {
971 QUIC_CODE_COUNT(quic_tls_server_hostname_same);
972 }
973 } else {
974 QUIC_LOG(INFO) << "No hostname indicated in SNI";
975 }
976
977 std::string error_details;
978 if (!ProcessTransportParameters(client_hello, &error_details)) {
979 CloseConnection(QUIC_HANDSHAKE_FAILED, error_details);
980 return ssl_select_cert_error;
981 }
982 OverrideQuicConfigDefaults(session()->config());
983 session()->OnConfigNegotiated();
984
985 auto set_transport_params_result = SetTransportParameters();
986 if (!set_transport_params_result.success) {
987 QUIC_LOG(ERROR) << "Failed to set transport parameters";
988 return ssl_select_cert_error;
989 }
990
991 bssl::UniquePtr<uint8_t> ssl_capabilities;
992 size_t ssl_capabilities_len = 0;
993 absl::string_view ssl_capabilities_view;
994
995 if (CryptoUtils::GetSSLCapabilities(ssl(), &ssl_capabilities,
996 &ssl_capabilities_len)) {
997 ssl_capabilities_view =
998 absl::string_view(reinterpret_cast<const char*>(ssl_capabilities.get()),
999 ssl_capabilities_len);
1000 }
1001
1002 // Enable ALPS for the session's ALPN.
1003 SetApplicationSettingsResult alps_result =
1004 SetApplicationSettings(AlpnForVersion(session()->version()));
1005 if (!alps_result.success) {
1006 return ssl_select_cert_error;
1007 }
1008
1009 if (!session()->connection()->connected()) {
1010 select_cert_status_ = QUIC_FAILURE;
1011 return ssl_select_cert_error;
1012 }
1013
1014 can_disable_resumption_ = false;
1015 const QuicAsyncStatus status = proof_source_handle_->SelectCertificate(
1016 session()->connection()->self_address().Normalized(),
1017 session()->connection()->peer_address().Normalized(),
1018 session()->connection()->GetOriginalDestinationConnectionId(),
1019 ssl_capabilities_view, crypto_negotiated_params_->sni,
1020 absl::string_view(
1021 reinterpret_cast<const char*>(client_hello->client_hello),
1022 client_hello->client_hello_len),
1023 AlpnForVersion(session()->version()), std::move(alps_result.alps_buffer),
1024 set_transport_params_result.quic_transport_params,
1025 set_transport_params_result.early_data_context,
1026 tls_connection_.ssl_config());
1027
1028 QUICHE_DCHECK_EQ(status, *select_cert_status());
1029
1030 if (status == QUIC_PENDING) {
1031 set_expected_ssl_error(SSL_ERROR_PENDING_CERTIFICATE);
1032 if (async_op_timer_.has_value()) {
1033 QUIC_CODE_COUNT(quic_tls_server_selecting_cert_while_another_op_pending);
1034 }
1035 async_op_timer_ = QuicTimeAccumulator();
1036 async_op_timer_->Start(now());
1037 return ssl_select_cert_retry;
1038 }
1039
1040 if (status == QUIC_FAILURE) {
1041 return ssl_select_cert_error;
1042 }
1043
1044 return ssl_select_cert_success;
1045 }
1046
OnSelectCertificateDone(bool ok,bool is_sync,SSLConfig ssl_config,absl::string_view ticket_encryption_key,bool cert_matched_sni)1047 void TlsServerHandshaker::OnSelectCertificateDone(
1048 bool ok, bool is_sync, SSLConfig ssl_config,
1049 absl::string_view ticket_encryption_key, bool cert_matched_sni) {
1050 QUIC_DVLOG(1) << "OnSelectCertificateDone. ok:" << ok
1051 << ", is_sync:" << is_sync << ", len(ticket_encryption_key):"
1052 << ticket_encryption_key.size();
1053 std::optional<QuicConnectionContextSwitcher> context_switcher;
1054 if (!is_sync) {
1055 context_switcher.emplace(connection_context());
1056 }
1057
1058 QUIC_TRACESTRING(absl::StrCat(
1059 "TLS select certificate done: ok:", ok,
1060 ", len(ticket_encryption_key):", ticket_encryption_key.size()));
1061
1062 ticket_encryption_key_ = std::string(ticket_encryption_key);
1063 select_cert_status_ = QUIC_FAILURE;
1064 cert_matched_sni_ = cert_matched_sni;
1065
1066 // Extract the delayed SSL config from either LocalSSLConfig or
1067 // HintsSSLConfig.
1068 const QuicDelayedSSLConfig& delayed_ssl_config = absl::visit(
1069 [](const auto& config) { return config.delayed_ssl_config; }, ssl_config);
1070
1071 if (delayed_ssl_config.quic_transport_parameters.has_value()) {
1072 // In case of any error the SSL object is still valid. Handshaker may need
1073 // to call ComputeSignature but otherwise can proceed.
1074 if (TransportParametersMatch(
1075 absl::MakeSpan(*delayed_ssl_config.quic_transport_parameters))) {
1076 if (SSL_set_quic_transport_params(
1077 ssl(), delayed_ssl_config.quic_transport_parameters->data(),
1078 delayed_ssl_config.quic_transport_parameters->size()) != 1) {
1079 QUIC_DVLOG(1) << "SSL_set_quic_transport_params override failed";
1080 }
1081 } else {
1082 QUIC_DVLOG(1)
1083 << "QUIC transport parameters mismatch with ProofSourceHandle";
1084 }
1085 }
1086
1087 if (delayed_ssl_config.client_cert_mode.has_value()) {
1088 tls_connection_.SetClientCertMode(*delayed_ssl_config.client_cert_mode);
1089 QUIC_DVLOG(1) << "client_cert_mode after cert selection: "
1090 << client_cert_mode();
1091 }
1092
1093 if (ok) {
1094 if (auto* local_config = absl::get_if<LocalSSLConfig>(&ssl_config);
1095 local_config != nullptr) {
1096 if (local_config->chain && !local_config->chain->certs.empty()) {
1097 tls_connection_.SetCertChain(
1098 local_config->chain->ToCryptoBuffers().value);
1099 select_cert_status_ = QUIC_SUCCESS;
1100 } else {
1101 QUIC_DLOG(ERROR) << "No certs provided for host '"
1102 << crypto_negotiated_params_->sni
1103 << "', server_address:"
1104 << session()->connection()->self_address()
1105 << ", client_address:"
1106 << session()->connection()->peer_address();
1107 }
1108 } else if (auto* hints_config = absl::get_if<HintsSSLConfig>(&ssl_config);
1109 hints_config != nullptr) {
1110 if (hints_config->configure_ssl) {
1111 if (const absl::Status status = tls_connection_.ConfigureSSL(
1112 std::move(hints_config->configure_ssl));
1113 !status.ok()) {
1114 QUIC_CODE_COUNT(quic_tls_server_set_handshake_hints_failed);
1115 QUIC_DVLOG(1) << "SSL_set_handshake_hints failed: " << status;
1116 }
1117 select_cert_status_ = QUIC_SUCCESS;
1118 }
1119 } else {
1120 QUIC_DLOG(FATAL) << "Neither branch hit";
1121 }
1122 }
1123
1124 QuicConnectionStats::TlsServerOperationStats select_cert_stats;
1125 select_cert_stats.success = (select_cert_status_ == QUIC_SUCCESS);
1126 QUICHE_DCHECK_NE(is_sync, async_op_timer_.has_value());
1127 if (async_op_timer_.has_value()) {
1128 async_op_timer_->Stop(now());
1129 select_cert_stats.async_latency = async_op_timer_->GetTotalElapsedTime();
1130 async_op_timer_.reset();
1131 RECORD_LATENCY_IN_US("tls_server_async_select_cert_latency_us",
1132 select_cert_stats.async_latency,
1133 "Async select cert latency in microseconds");
1134 }
1135 connection_stats().tls_server_select_cert_stats =
1136 std::move(select_cert_stats);
1137
1138 const int last_expected_ssl_error = expected_ssl_error();
1139 set_expected_ssl_error(SSL_ERROR_WANT_READ);
1140 if (!is_sync) {
1141 QUICHE_DCHECK_EQ(last_expected_ssl_error, SSL_ERROR_PENDING_CERTIFICATE);
1142 AdvanceHandshakeFromCallback();
1143 }
1144 }
1145
WillNotCallComputeSignature() const1146 bool TlsServerHandshaker::WillNotCallComputeSignature() const {
1147 return SSL_can_release_private_key(ssl());
1148 }
1149
ValidateHostname(const std::string & hostname) const1150 bool TlsServerHandshaker::ValidateHostname(const std::string& hostname) const {
1151 if (!QuicHostnameUtils::IsValidSNI(hostname)) {
1152 // TODO(b/151676147): Include this error string in the CONNECTION_CLOSE
1153 // frame.
1154 QUIC_DLOG(ERROR) << "Invalid SNI provided: \"" << hostname << "\"";
1155 return false;
1156 }
1157 return true;
1158 }
1159
TlsExtServernameCallback(int *)1160 int TlsServerHandshaker::TlsExtServernameCallback(int* /*out_alert*/) {
1161 // SSL_TLSEXT_ERR_OK causes the server_name extension to be acked in
1162 // ServerHello.
1163 return SSL_TLSEXT_ERR_OK;
1164 }
1165
SelectAlpn(const uint8_t ** out,uint8_t * out_len,const uint8_t * in,unsigned in_len)1166 int TlsServerHandshaker::SelectAlpn(const uint8_t** out, uint8_t* out_len,
1167 const uint8_t* in, unsigned in_len) {
1168 // |in| contains a sequence of 1-byte-length-prefixed values.
1169 *out_len = 0;
1170 *out = nullptr;
1171 if (in_len == 0) {
1172 QUIC_DLOG(ERROR) << "No ALPN provided by client";
1173 return SSL_TLSEXT_ERR_NOACK;
1174 }
1175
1176 CBS all_alpns;
1177 CBS_init(&all_alpns, in, in_len);
1178
1179 std::vector<absl::string_view> alpns;
1180 while (CBS_len(&all_alpns) > 0) {
1181 CBS alpn;
1182 if (!CBS_get_u8_length_prefixed(&all_alpns, &alpn)) {
1183 QUIC_DLOG(ERROR) << "Failed to parse ALPN length";
1184 return SSL_TLSEXT_ERR_NOACK;
1185 }
1186
1187 const size_t alpn_length = CBS_len(&alpn);
1188 if (alpn_length == 0) {
1189 QUIC_DLOG(ERROR) << "Received invalid zero-length ALPN";
1190 return SSL_TLSEXT_ERR_NOACK;
1191 }
1192
1193 alpns.emplace_back(reinterpret_cast<const char*>(CBS_data(&alpn)),
1194 alpn_length);
1195 }
1196
1197 // TODO(wub): Remove QuicSession::SelectAlpn. QuicSessions should know the
1198 // ALPN on construction.
1199 auto selected_alpn = session()->SelectAlpn(alpns);
1200 if (selected_alpn == alpns.end()) {
1201 QUIC_DLOG(ERROR) << "No known ALPN provided by client";
1202 return SSL_TLSEXT_ERR_NOACK;
1203 }
1204
1205 session()->OnAlpnSelected(*selected_alpn);
1206 valid_alpn_received_ = true;
1207 *out_len = selected_alpn->size();
1208 *out = reinterpret_cast<const uint8_t*>(selected_alpn->data());
1209 return SSL_TLSEXT_ERR_OK;
1210 }
1211
1212 TlsServerHandshaker::SetApplicationSettingsResult
SetApplicationSettings(absl::string_view alpn)1213 TlsServerHandshaker::SetApplicationSettings(absl::string_view alpn) {
1214 TlsServerHandshaker::SetApplicationSettingsResult result;
1215
1216 const std::string& hostname = crypto_negotiated_params_->sni;
1217 std::string accept_ch_value = GetAcceptChValueForHostname(hostname);
1218 std::string origin = absl::StrCat("https://", hostname);
1219 uint16_t port = session()->self_address().port();
1220 if (port != kDefaultPort) {
1221 // This should be rare in production, but useful for test servers.
1222 QUIC_CODE_COUNT(quic_server_alps_non_default_port);
1223 absl::StrAppend(&origin, ":", port);
1224 }
1225
1226 if (!accept_ch_value.empty()) {
1227 AcceptChFrame frame{{{std::move(origin), std::move(accept_ch_value)}}};
1228 result.alps_buffer = HttpEncoder::SerializeAcceptChFrame(frame);
1229 }
1230
1231 const std::string& alps = result.alps_buffer;
1232 if (SSL_add_application_settings(
1233 ssl(), reinterpret_cast<const uint8_t*>(alpn.data()), alpn.size(),
1234 reinterpret_cast<const uint8_t*>(alps.data()), alps.size()) != 1) {
1235 QUIC_DLOG(ERROR) << "Failed to enable ALPS";
1236 result.success = false;
1237 } else {
1238 result.success = true;
1239 }
1240 return result;
1241 }
1242
GetSsl() const1243 SSL* TlsServerHandshaker::GetSsl() const { return ssl(); }
1244
IsCryptoFrameExpectedForEncryptionLevel(EncryptionLevel level) const1245 bool TlsServerHandshaker::IsCryptoFrameExpectedForEncryptionLevel(
1246 EncryptionLevel level) const {
1247 return level != ENCRYPTION_ZERO_RTT;
1248 }
1249
GetEncryptionLevelToSendCryptoDataOfSpace(PacketNumberSpace space) const1250 EncryptionLevel TlsServerHandshaker::GetEncryptionLevelToSendCryptoDataOfSpace(
1251 PacketNumberSpace space) const {
1252 switch (space) {
1253 case INITIAL_DATA:
1254 return ENCRYPTION_INITIAL;
1255 case HANDSHAKE_DATA:
1256 return ENCRYPTION_HANDSHAKE;
1257 case APPLICATION_DATA:
1258 return ENCRYPTION_FORWARD_SECURE;
1259 default:
1260 QUICHE_DCHECK(false);
1261 return NUM_ENCRYPTION_LEVELS;
1262 }
1263 }
1264
1265 } // namespace quic
1266