1 // Copyright (c) 2017 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef QUICHE_QUIC_CORE_TLS_CLIENT_HANDSHAKER_H_ 6 #define QUICHE_QUIC_CORE_TLS_CLIENT_HANDSHAKER_H_ 7 8 #include <cstdint> 9 #include <memory> 10 #include <string> 11 12 #include "absl/strings/string_view.h" 13 #include "openssl/ssl.h" 14 #include "quiche/quic/core/crypto/quic_crypto_client_config.h" 15 #include "quiche/quic/core/crypto/tls_client_connection.h" 16 #include "quiche/quic/core/crypto/transport_parameters.h" 17 #include "quiche/quic/core/quic_crypto_client_stream.h" 18 #include "quiche/quic/core/quic_crypto_stream.h" 19 #include "quiche/quic/core/tls_handshaker.h" 20 #include "quiche/quic/platform/api/quic_export.h" 21 22 namespace quic { 23 24 // An implementation of QuicCryptoClientStream::HandshakerInterface which uses 25 // TLS 1.3 for the crypto handshake protocol. 26 class QUICHE_EXPORT TlsClientHandshaker 27 : public TlsHandshaker, 28 public QuicCryptoClientStream::HandshakerInterface, 29 public TlsClientConnection::Delegate { 30 public: 31 // |crypto_config| must outlive TlsClientHandshaker. 32 TlsClientHandshaker(const QuicServerId& server_id, QuicCryptoStream* stream, 33 QuicSession* session, 34 std::unique_ptr<ProofVerifyContext> verify_context, 35 QuicCryptoClientConfig* crypto_config, 36 QuicCryptoClientStream::ProofHandler* proof_handler, 37 bool has_application_state); 38 TlsClientHandshaker(const TlsClientHandshaker&) = delete; 39 TlsClientHandshaker& operator=(const TlsClientHandshaker&) = delete; 40 41 ~TlsClientHandshaker() override; 42 43 // From QuicCryptoClientStream::HandshakerInterface 44 bool CryptoConnect() override; 45 int num_sent_client_hellos() const override; 46 bool ResumptionAttempted() const override; 47 bool IsResumption() const override; 48 bool EarlyDataAccepted() const override; 49 ssl_early_data_reason_t EarlyDataReason() const override; 50 bool ReceivedInchoateReject() const override; 51 int num_scup_messages_received() const override; 52 std::string chlo_hash() const override; 53 bool ExportKeyingMaterial(absl::string_view label, absl::string_view context, 54 size_t result_len, std::string* result) override; 55 56 // From QuicCryptoClientStream::HandshakerInterface and TlsHandshaker 57 bool encryption_established() const override; 58 bool IsCryptoFrameExpectedForEncryptionLevel( 59 EncryptionLevel level) const override; 60 EncryptionLevel GetEncryptionLevelToSendCryptoDataOfSpace( 61 PacketNumberSpace space) const override; 62 bool one_rtt_keys_available() const override; 63 const QuicCryptoNegotiatedParameters& crypto_negotiated_params() 64 const override; 65 CryptoMessageParser* crypto_message_parser() override; 66 HandshakeState GetHandshakeState() const override; 67 size_t BufferSizeLimitForLevel(EncryptionLevel level) const override; 68 std::unique_ptr<QuicDecrypter> AdvanceKeysAndCreateCurrentOneRttDecrypter() 69 override; 70 std::unique_ptr<QuicEncrypter> CreateCurrentOneRttEncrypter() override; 71 void OnOneRttPacketAcknowledged() override; 72 void OnHandshakePacketSent() override; 73 void OnConnectionClosed(QuicErrorCode error, 74 ConnectionCloseSource source) override; 75 void OnHandshakeDoneReceived() override; 76 void OnNewTokenReceived(absl::string_view token) override; 77 void SetWriteSecret(EncryptionLevel level, const SSL_CIPHER* cipher, 78 absl::Span<const uint8_t> write_secret) override; 79 80 // Override to drop initial keys if trying to write ENCRYPTION_HANDSHAKE data. 81 void WriteMessage(EncryptionLevel level, absl::string_view data) override; 82 83 void SetServerApplicationStateForResumption( 84 std::unique_ptr<ApplicationState> application_state) override; 85 AllowEmptyAlpnForTests()86 void AllowEmptyAlpnForTests() { allow_empty_alpn_for_tests_ = true; } AllowInvalidSNIForTests()87 void AllowInvalidSNIForTests() { allow_invalid_sni_for_tests_ = true; } 88 89 // Make the SSL object from BoringSSL publicly accessible. 90 using TlsHandshaker::ssl; 91 92 protected: tls_connection()93 const TlsConnection* tls_connection() const override { 94 return &tls_connection_; 95 } 96 97 void FinishHandshake() override; 98 void OnEnterEarlyData() override; 99 void FillNegotiatedParams(); 100 void ProcessPostHandshakeMessage() override; 101 bool ShouldCloseConnectionOnUnexpectedError(int ssl_error) override; 102 QuicAsyncStatus VerifyCertChain( 103 const std::vector<std::string>& certs, std::string* error_details, 104 std::unique_ptr<ProofVerifyDetails>* details, uint8_t* out_alert, 105 std::unique_ptr<ProofVerifierCallback> callback) override; 106 void OnProofVerifyDetailsAvailable( 107 const ProofVerifyDetails& verify_details) override; 108 109 // TlsClientConnection::Delegate implementation: ConnectionDelegate()110 TlsConnection::Delegate* ConnectionDelegate() override { return this; } 111 112 private: 113 bool SetAlpn(); 114 bool SetTransportParameters(); 115 bool ProcessTransportParameters(std::string* error_details); 116 void HandleZeroRttReject(); 117 118 // Called when server completes handshake (i.e., either handshake done is 119 // received or 1-RTT packet gets acknowledged). 120 void OnHandshakeConfirmed(); 121 122 void InsertSession(bssl::UniquePtr<SSL_SESSION> session) override; 123 124 bool PrepareZeroRttConfig(QuicResumptionState* cached_state); 125 session()126 QuicSession* session() { return session_; } 127 QuicSession* session_; 128 129 QuicServerId server_id_; 130 131 // Objects used for verifying the server's certificate chain. 132 // |proof_verifier_| is owned by the caller of TlsHandshaker's constructor. 133 ProofVerifier* proof_verifier_; 134 std::unique_ptr<ProofVerifyContext> verify_context_; 135 136 // Unowned pointer to the proof handler which has the 137 // OnProofVerifyDetailsAvailable callback to use for notifying the result of 138 // certificate verification. 139 QuicCryptoClientStream::ProofHandler* proof_handler_; 140 141 // Used for session resumption. |session_cache_| is owned by the 142 // QuicCryptoClientConfig passed into TlsClientHandshaker's constructor. 143 SessionCache* session_cache_; 144 145 std::string user_agent_id_; 146 147 // Pre-shared key used during the handshake. 148 std::string pre_shared_key_; 149 150 HandshakeState state_ = HANDSHAKE_START; 151 bool encryption_established_ = false; 152 bool initial_keys_dropped_ = false; 153 quiche::QuicheReferenceCountedPointer<QuicCryptoNegotiatedParameters> 154 crypto_negotiated_params_; 155 156 bool allow_empty_alpn_for_tests_ = false; 157 bool allow_invalid_sni_for_tests_ = false; 158 159 const bool has_application_state_; 160 // Contains the state for performing a resumption, if one is attempted. This 161 // will always be non-null if a 0-RTT resumption is attempted. 162 std::unique_ptr<QuicResumptionState> cached_state_; 163 164 TlsClientConnection tls_connection_; 165 166 // If |has_application_state_|, stores the tls session tickets before 167 // application state is received. The latest one is put in the front. 168 bssl::UniquePtr<SSL_SESSION> cached_tls_sessions_[2] = {}; 169 170 std::unique_ptr<TransportParameters> received_transport_params_ = nullptr; 171 std::unique_ptr<ApplicationState> received_application_state_ = nullptr; 172 }; 173 174 } // namespace quic 175 176 #endif // QUICHE_QUIC_CORE_TLS_CLIENT_HANDSHAKER_H_ 177