1 // Copyright (c) 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "quiche/quic/core/tls_client_handshaker.h"
6
7 #include <cstring>
8 #include <string>
9
10 #include "absl/strings/str_cat.h"
11 #include "absl/strings/string_view.h"
12 #include "openssl/ssl.h"
13 #include "quiche/quic/core/crypto/quic_crypto_client_config.h"
14 #include "quiche/quic/core/crypto/quic_encrypter.h"
15 #include "quiche/quic/core/crypto/transport_parameters.h"
16 #include "quiche/quic/core/quic_session.h"
17 #include "quiche/quic/core/quic_types.h"
18 #include "quiche/quic/platform/api/quic_flags.h"
19 #include "quiche/quic/platform/api/quic_hostname_utils.h"
20 #include "quiche/common/quiche_text_utils.h"
21
22 namespace quic {
23
TlsClientHandshaker(const QuicServerId & server_id,QuicCryptoStream * stream,QuicSession * session,std::unique_ptr<ProofVerifyContext> verify_context,QuicCryptoClientConfig * crypto_config,QuicCryptoClientStream::ProofHandler * proof_handler,bool has_application_state)24 TlsClientHandshaker::TlsClientHandshaker(
25 const QuicServerId& server_id, QuicCryptoStream* stream,
26 QuicSession* session, std::unique_ptr<ProofVerifyContext> verify_context,
27 QuicCryptoClientConfig* crypto_config,
28 QuicCryptoClientStream::ProofHandler* proof_handler,
29 bool has_application_state)
30 : TlsHandshaker(stream, session),
31 session_(session),
32 server_id_(server_id),
33 proof_verifier_(crypto_config->proof_verifier()),
34 verify_context_(std::move(verify_context)),
35 proof_handler_(proof_handler),
36 session_cache_(crypto_config->session_cache()),
37 user_agent_id_(crypto_config->user_agent_id()),
38 pre_shared_key_(crypto_config->pre_shared_key()),
39 crypto_negotiated_params_(new QuicCryptoNegotiatedParameters),
40 has_application_state_(has_application_state),
41 tls_connection_(crypto_config->ssl_ctx(), this, session->GetSSLConfig()) {
42 if (crypto_config->tls_signature_algorithms().has_value()) {
43 SSL_set1_sigalgs_list(ssl(),
44 crypto_config->tls_signature_algorithms()->c_str());
45 }
46 if (crypto_config->proof_source() != nullptr) {
47 std::shared_ptr<const ClientProofSource::CertAndKey> cert_and_key =
48 crypto_config->proof_source()->GetCertAndKey(server_id.host());
49 if (cert_and_key != nullptr) {
50 QUIC_DVLOG(1) << "Setting client cert and key for " << server_id.host();
51 tls_connection_.SetCertChain(cert_and_key->chain->ToCryptoBuffers().value,
52 cert_and_key->private_key.private_key());
53 }
54 }
55 #if BORINGSSL_API_VERSION >= 22
56 if (!crypto_config->preferred_groups().empty()) {
57 SSL_set1_group_ids(ssl(), crypto_config->preferred_groups().data(),
58 crypto_config->preferred_groups().size());
59 }
60 #endif // BORINGSSL_API_VERSION
61
62 #if BORINGSSL_API_VERSION >= 27
63 // Make sure we use the right ALPS codepoint.
64 SSL_set_alps_use_new_codepoint(ssl(),
65 crypto_config->alps_use_new_codepoint());
66 #endif // BORINGSSL_API_VERSION
67 }
68
~TlsClientHandshaker()69 TlsClientHandshaker::~TlsClientHandshaker() {}
70
CryptoConnect()71 bool TlsClientHandshaker::CryptoConnect() {
72 if (!pre_shared_key_.empty()) {
73 // TODO(b/154162689) add PSK support to QUIC+TLS.
74 std::string error_details =
75 "QUIC client pre-shared keys not yet supported with TLS";
76 QUIC_BUG(quic_bug_10576_1) << error_details;
77 CloseConnection(QUIC_HANDSHAKE_FAILED, error_details);
78 return false;
79 }
80
81 // Make sure we use the right TLS extension codepoint.
82 int use_legacy_extension = 0;
83 if (session()->version().UsesLegacyTlsExtension()) {
84 use_legacy_extension = 1;
85 }
86 SSL_set_quic_use_legacy_codepoint(ssl(), use_legacy_extension);
87
88 // TODO(b/193650832) Add SetFromConfig to QUIC handshakers and remove reliance
89 // on session pointer.
90 #if BORINGSSL_API_VERSION >= 16
91 // Ask BoringSSL to randomize the order of TLS extensions.
92 SSL_set_permute_extensions(ssl(), true);
93 #endif // BORINGSSL_API_VERSION
94
95 // Set the SNI to send, if any.
96 SSL_set_connect_state(ssl());
97 if (QUIC_DLOG_INFO_IS_ON() &&
98 !QuicHostnameUtils::IsValidSNI(server_id_.host())) {
99 QUIC_DLOG(INFO) << "Client configured with invalid hostname \""
100 << server_id_.host() << "\", not sending as SNI";
101 }
102 if (!server_id_.host().empty() &&
103 (QuicHostnameUtils::IsValidSNI(server_id_.host()) ||
104 allow_invalid_sni_for_tests_) &&
105 SSL_set_tlsext_host_name(ssl(), server_id_.host().c_str()) != 1) {
106 return false;
107 }
108
109 if (!SetAlpn()) {
110 CloseConnection(QUIC_HANDSHAKE_FAILED, "Client failed to set ALPN");
111 return false;
112 }
113
114 // Set the Transport Parameters to send in the ClientHello
115 if (!SetTransportParameters()) {
116 CloseConnection(QUIC_HANDSHAKE_FAILED,
117 "Client failed to set Transport Parameters");
118 return false;
119 }
120
121 // Set a session to resume, if there is one.
122 if (session_cache_) {
123 cached_state_ = session_cache_->Lookup(
124 server_id_, session()->GetClock()->WallNow(), SSL_get_SSL_CTX(ssl()));
125 }
126 if (cached_state_) {
127 SSL_set_session(ssl(), cached_state_->tls_session.get());
128 if (!cached_state_->token.empty()) {
129 session()->SetSourceAddressTokenToSend(cached_state_->token);
130 }
131 }
132
133 SSL_set_enable_ech_grease(ssl(),
134 tls_connection_.ssl_config().ech_grease_enabled);
135 if (!tls_connection_.ssl_config().ech_config_list.empty() &&
136 !SSL_set1_ech_config_list(
137 ssl(),
138 reinterpret_cast<const uint8_t*>(
139 tls_connection_.ssl_config().ech_config_list.data()),
140 tls_connection_.ssl_config().ech_config_list.size())) {
141 CloseConnection(QUIC_HANDSHAKE_FAILED,
142 "Client failed to set ECHConfigList");
143 return false;
144 }
145
146 // Start the handshake.
147 AdvanceHandshake();
148 return session()->connection()->connected();
149 }
150
PrepareZeroRttConfig(QuicResumptionState * cached_state)151 bool TlsClientHandshaker::PrepareZeroRttConfig(
152 QuicResumptionState* cached_state) {
153 std::string error_details;
154 if (!cached_state->transport_params ||
155 handshaker_delegate()->ProcessTransportParameters(
156 *(cached_state->transport_params),
157 /*is_resumption = */ true, &error_details) != QUIC_NO_ERROR) {
158 QUIC_BUG(quic_bug_10576_2)
159 << "Unable to parse cached transport parameters.";
160 CloseConnection(QUIC_HANDSHAKE_FAILED,
161 "Client failed to parse cached Transport Parameters.");
162 return false;
163 }
164
165 session()->connection()->OnTransportParametersResumed(
166 *(cached_state->transport_params));
167 session()->OnConfigNegotiated();
168
169 if (has_application_state_) {
170 if (!cached_state->application_state ||
171 !session()->ResumeApplicationState(
172 cached_state->application_state.get())) {
173 QUIC_BUG(quic_bug_10576_3) << "Unable to parse cached application state.";
174 CloseConnection(QUIC_HANDSHAKE_FAILED,
175 "Client failed to parse cached application state.");
176 return false;
177 }
178 }
179 return true;
180 }
181
IsValidAlpn(const std::string & alpn_string)182 static bool IsValidAlpn(const std::string& alpn_string) {
183 return alpn_string.length() <= std::numeric_limits<uint8_t>::max();
184 }
185
SetAlpn()186 bool TlsClientHandshaker::SetAlpn() {
187 std::vector<std::string> alpns = session()->GetAlpnsToOffer();
188 if (alpns.empty()) {
189 if (allow_empty_alpn_for_tests_) {
190 return true;
191 }
192
193 QUIC_BUG(quic_bug_10576_4) << "ALPN missing";
194 return false;
195 }
196 if (!std::all_of(alpns.begin(), alpns.end(), IsValidAlpn)) {
197 QUIC_BUG(quic_bug_10576_5) << "ALPN too long";
198 return false;
199 }
200
201 // SSL_set_alpn_protos expects a sequence of one-byte-length-prefixed
202 // strings.
203 uint8_t alpn[1024];
204 QuicDataWriter alpn_writer(sizeof(alpn), reinterpret_cast<char*>(alpn));
205 bool success = true;
206 for (const std::string& alpn_string : alpns) {
207 success = success && alpn_writer.WriteUInt8(alpn_string.size()) &&
208 alpn_writer.WriteStringPiece(alpn_string);
209 }
210 success =
211 success && (SSL_set_alpn_protos(ssl(), alpn, alpn_writer.length()) == 0);
212 if (!success) {
213 QUIC_BUG(quic_bug_10576_6)
214 << "Failed to set ALPN: "
215 << quiche::QuicheTextUtils::HexDump(
216 absl::string_view(alpn_writer.data(), alpn_writer.length()));
217 return false;
218 }
219
220 // Enable ALPS only for versions that use HTTP/3 frames.
221 for (const std::string& alpn_string : alpns) {
222 for (const ParsedQuicVersion& version : session()->supported_versions()) {
223 if (!version.UsesHttp3() || AlpnForVersion(version) != alpn_string) {
224 continue;
225 }
226 if (SSL_add_application_settings(
227 ssl(), reinterpret_cast<const uint8_t*>(alpn_string.data()),
228 alpn_string.size(), nullptr, /* settings_len = */ 0) != 1) {
229 QUIC_BUG(quic_bug_10576_7) << "Failed to enable ALPS.";
230 return false;
231 }
232 break;
233 }
234 }
235
236 QUIC_DLOG(INFO) << "Client using ALPN: '" << alpns[0] << "'";
237 return true;
238 }
239
SetTransportParameters()240 bool TlsClientHandshaker::SetTransportParameters() {
241 TransportParameters params;
242 params.perspective = Perspective::IS_CLIENT;
243 params.legacy_version_information =
244 TransportParameters::LegacyVersionInformation();
245 params.legacy_version_information->version =
246 CreateQuicVersionLabel(session()->supported_versions().front());
247 params.version_information = TransportParameters::VersionInformation();
248 const QuicVersionLabel version = CreateQuicVersionLabel(session()->version());
249 params.version_information->chosen_version = version;
250 params.version_information->other_versions.push_back(version);
251
252 if (!handshaker_delegate()->FillTransportParameters(¶ms)) {
253 return false;
254 }
255
256 // Notify QuicConnectionDebugVisitor.
257 session()->connection()->OnTransportParametersSent(params);
258
259 std::vector<uint8_t> param_bytes;
260 return SerializeTransportParameters(params, ¶m_bytes) &&
261 SSL_set_quic_transport_params(ssl(), param_bytes.data(),
262 param_bytes.size()) == 1;
263 }
264
ProcessTransportParameters(std::string * error_details)265 bool TlsClientHandshaker::ProcessTransportParameters(
266 std::string* error_details) {
267 received_transport_params_ = std::make_unique<TransportParameters>();
268 const uint8_t* param_bytes;
269 size_t param_bytes_len;
270 SSL_get_peer_quic_transport_params(ssl(), ¶m_bytes, ¶m_bytes_len);
271 if (param_bytes_len == 0) {
272 *error_details = "Server's transport parameters are missing";
273 return false;
274 }
275 std::string parse_error_details;
276 if (!ParseTransportParameters(
277 session()->connection()->version(), Perspective::IS_SERVER,
278 param_bytes, param_bytes_len, received_transport_params_.get(),
279 &parse_error_details)) {
280 QUICHE_DCHECK(!parse_error_details.empty());
281 *error_details =
282 "Unable to parse server's transport parameters: " + parse_error_details;
283 return false;
284 }
285
286 // Notify QuicConnectionDebugVisitor.
287 session()->connection()->OnTransportParametersReceived(
288 *received_transport_params_);
289
290 if (received_transport_params_->legacy_version_information.has_value()) {
291 if (received_transport_params_->legacy_version_information->version !=
292 CreateQuicVersionLabel(session()->connection()->version())) {
293 *error_details = "Version mismatch detected";
294 return false;
295 }
296 if (CryptoUtils::ValidateServerHelloVersions(
297 received_transport_params_->legacy_version_information
298 ->supported_versions,
299 session()->connection()->server_supported_versions(),
300 error_details) != QUIC_NO_ERROR) {
301 QUICHE_DCHECK(!error_details->empty());
302 return false;
303 }
304 }
305 if (received_transport_params_->version_information.has_value()) {
306 if (!CryptoUtils::ValidateChosenVersion(
307 received_transport_params_->version_information->chosen_version,
308 session()->version(), error_details)) {
309 QUICHE_DCHECK(!error_details->empty());
310 return false;
311 }
312 if (!CryptoUtils::CryptoUtils::ValidateServerVersions(
313 received_transport_params_->version_information->other_versions,
314 session()->version(),
315 session()->client_original_supported_versions(), error_details)) {
316 QUICHE_DCHECK(!error_details->empty());
317 return false;
318 }
319 }
320
321 if (handshaker_delegate()->ProcessTransportParameters(
322 *received_transport_params_, /* is_resumption = */ false,
323 error_details) != QUIC_NO_ERROR) {
324 QUICHE_DCHECK(!error_details->empty());
325 return false;
326 }
327
328 session()->OnConfigNegotiated();
329 if (is_connection_closed()) {
330 *error_details =
331 "Session closed the connection when parsing negotiated config.";
332 return false;
333 }
334 return true;
335 }
336
num_sent_client_hellos() const337 int TlsClientHandshaker::num_sent_client_hellos() const { return 0; }
338
ResumptionAttempted() const339 bool TlsClientHandshaker::ResumptionAttempted() const {
340 QUIC_BUG_IF(quic_tls_client_resumption_attempted, !encryption_established_);
341 return cached_state_ != nullptr;
342 }
343
IsResumption() const344 bool TlsClientHandshaker::IsResumption() const {
345 QUIC_BUG_IF(quic_bug_12736_1, !one_rtt_keys_available());
346 return SSL_session_reused(ssl()) == 1;
347 }
348
EarlyDataAccepted() const349 bool TlsClientHandshaker::EarlyDataAccepted() const {
350 QUIC_BUG_IF(quic_bug_12736_2, !one_rtt_keys_available());
351 return SSL_early_data_accepted(ssl()) == 1;
352 }
353
EarlyDataReason() const354 ssl_early_data_reason_t TlsClientHandshaker::EarlyDataReason() const {
355 return TlsHandshaker::EarlyDataReason();
356 }
357
ReceivedInchoateReject() const358 bool TlsClientHandshaker::ReceivedInchoateReject() const {
359 QUIC_BUG_IF(quic_bug_12736_3, !one_rtt_keys_available());
360 // REJ messages are a QUIC crypto feature, so TLS always returns false.
361 return false;
362 }
363
num_scup_messages_received() const364 int TlsClientHandshaker::num_scup_messages_received() const {
365 // SCUP messages aren't sent or received when using the TLS handshake.
366 return 0;
367 }
368
chlo_hash() const369 std::string TlsClientHandshaker::chlo_hash() const { return ""; }
370
ExportKeyingMaterial(absl::string_view label,absl::string_view context,size_t result_len,std::string * result)371 bool TlsClientHandshaker::ExportKeyingMaterial(absl::string_view label,
372 absl::string_view context,
373 size_t result_len,
374 std::string* result) {
375 return ExportKeyingMaterialForLabel(label, context, result_len, result);
376 }
377
encryption_established() const378 bool TlsClientHandshaker::encryption_established() const {
379 return encryption_established_;
380 }
381
IsCryptoFrameExpectedForEncryptionLevel(EncryptionLevel level) const382 bool TlsClientHandshaker::IsCryptoFrameExpectedForEncryptionLevel(
383 EncryptionLevel level) const {
384 return level != ENCRYPTION_ZERO_RTT;
385 }
386
GetEncryptionLevelToSendCryptoDataOfSpace(PacketNumberSpace space) const387 EncryptionLevel TlsClientHandshaker::GetEncryptionLevelToSendCryptoDataOfSpace(
388 PacketNumberSpace space) const {
389 switch (space) {
390 case INITIAL_DATA:
391 return ENCRYPTION_INITIAL;
392 case HANDSHAKE_DATA:
393 return ENCRYPTION_HANDSHAKE;
394 default:
395 QUICHE_DCHECK(false);
396 return NUM_ENCRYPTION_LEVELS;
397 }
398 }
399
one_rtt_keys_available() const400 bool TlsClientHandshaker::one_rtt_keys_available() const {
401 return state_ >= HANDSHAKE_COMPLETE;
402 }
403
404 const QuicCryptoNegotiatedParameters&
crypto_negotiated_params() const405 TlsClientHandshaker::crypto_negotiated_params() const {
406 return *crypto_negotiated_params_;
407 }
408
crypto_message_parser()409 CryptoMessageParser* TlsClientHandshaker::crypto_message_parser() {
410 return TlsHandshaker::crypto_message_parser();
411 }
412
GetHandshakeState() const413 HandshakeState TlsClientHandshaker::GetHandshakeState() const { return state_; }
414
BufferSizeLimitForLevel(EncryptionLevel level) const415 size_t TlsClientHandshaker::BufferSizeLimitForLevel(
416 EncryptionLevel level) const {
417 return TlsHandshaker::BufferSizeLimitForLevel(level);
418 }
419
420 std::unique_ptr<QuicDecrypter>
AdvanceKeysAndCreateCurrentOneRttDecrypter()421 TlsClientHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter() {
422 return TlsHandshaker::AdvanceKeysAndCreateCurrentOneRttDecrypter();
423 }
424
425 std::unique_ptr<QuicEncrypter>
CreateCurrentOneRttEncrypter()426 TlsClientHandshaker::CreateCurrentOneRttEncrypter() {
427 return TlsHandshaker::CreateCurrentOneRttEncrypter();
428 }
429
OnOneRttPacketAcknowledged()430 void TlsClientHandshaker::OnOneRttPacketAcknowledged() {
431 OnHandshakeConfirmed();
432 }
433
OnHandshakePacketSent()434 void TlsClientHandshaker::OnHandshakePacketSent() {
435 if (initial_keys_dropped_) {
436 return;
437 }
438 initial_keys_dropped_ = true;
439 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_INITIAL);
440 handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_INITIAL);
441 }
442
OnConnectionClosed(QuicErrorCode error,ConnectionCloseSource source)443 void TlsClientHandshaker::OnConnectionClosed(QuicErrorCode error,
444 ConnectionCloseSource source) {
445 TlsHandshaker::OnConnectionClosed(error, source);
446 }
447
OnHandshakeDoneReceived()448 void TlsClientHandshaker::OnHandshakeDoneReceived() {
449 if (!one_rtt_keys_available()) {
450 CloseConnection(QUIC_HANDSHAKE_FAILED,
451 "Unexpected handshake done received");
452 return;
453 }
454 OnHandshakeConfirmed();
455 }
456
OnNewTokenReceived(absl::string_view token)457 void TlsClientHandshaker::OnNewTokenReceived(absl::string_view token) {
458 if (token.empty()) {
459 return;
460 }
461 if (session_cache_ != nullptr) {
462 session_cache_->OnNewTokenReceived(server_id_, token);
463 }
464 }
465
SetWriteSecret(EncryptionLevel level,const SSL_CIPHER * cipher,absl::Span<const uint8_t> write_secret)466 void TlsClientHandshaker::SetWriteSecret(
467 EncryptionLevel level, const SSL_CIPHER* cipher,
468 absl::Span<const uint8_t> write_secret) {
469 if (is_connection_closed()) {
470 return;
471 }
472 if (level == ENCRYPTION_FORWARD_SECURE || level == ENCRYPTION_ZERO_RTT) {
473 encryption_established_ = true;
474 }
475 TlsHandshaker::SetWriteSecret(level, cipher, write_secret);
476 if (level == ENCRYPTION_FORWARD_SECURE) {
477 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_ZERO_RTT);
478 }
479 }
480
OnHandshakeConfirmed()481 void TlsClientHandshaker::OnHandshakeConfirmed() {
482 QUICHE_DCHECK(one_rtt_keys_available());
483 if (state_ >= HANDSHAKE_CONFIRMED) {
484 return;
485 }
486 state_ = HANDSHAKE_CONFIRMED;
487 handshaker_delegate()->OnTlsHandshakeConfirmed();
488 handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_HANDSHAKE);
489 handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_HANDSHAKE);
490 }
491
VerifyCertChain(const std::vector<std::string> & certs,std::string * error_details,std::unique_ptr<ProofVerifyDetails> * details,uint8_t * out_alert,std::unique_ptr<ProofVerifierCallback> callback)492 QuicAsyncStatus TlsClientHandshaker::VerifyCertChain(
493 const std::vector<std::string>& certs, std::string* error_details,
494 std::unique_ptr<ProofVerifyDetails>* details, uint8_t* out_alert,
495 std::unique_ptr<ProofVerifierCallback> callback) {
496 const uint8_t* ocsp_response_raw;
497 size_t ocsp_response_len;
498 SSL_get0_ocsp_response(ssl(), &ocsp_response_raw, &ocsp_response_len);
499 std::string ocsp_response(reinterpret_cast<const char*>(ocsp_response_raw),
500 ocsp_response_len);
501 const uint8_t* sct_list_raw;
502 size_t sct_list_len;
503 SSL_get0_signed_cert_timestamp_list(ssl(), &sct_list_raw, &sct_list_len);
504 std::string sct_list(reinterpret_cast<const char*>(sct_list_raw),
505 sct_list_len);
506
507 return proof_verifier_->VerifyCertChain(
508 server_id_.host(), server_id_.port(), certs, ocsp_response, sct_list,
509 verify_context_.get(), error_details, details, out_alert,
510 std::move(callback));
511 }
512
OnProofVerifyDetailsAvailable(const ProofVerifyDetails & verify_details)513 void TlsClientHandshaker::OnProofVerifyDetailsAvailable(
514 const ProofVerifyDetails& verify_details) {
515 proof_handler_->OnProofVerifyDetailsAvailable(verify_details);
516 }
517
FinishHandshake()518 void TlsClientHandshaker::FinishHandshake() {
519 FillNegotiatedParams();
520
521 QUICHE_CHECK(!SSL_in_early_data(ssl()));
522
523 QUIC_LOG(INFO) << "Client: handshake finished";
524
525 std::string error_details;
526 if (!ProcessTransportParameters(&error_details)) {
527 QUICHE_DCHECK(!error_details.empty());
528 CloseConnection(QUIC_HANDSHAKE_FAILED, error_details);
529 return;
530 }
531
532 const uint8_t* alpn_data = nullptr;
533 unsigned alpn_length = 0;
534 SSL_get0_alpn_selected(ssl(), &alpn_data, &alpn_length);
535
536 if (alpn_length == 0) {
537 QUIC_DLOG(ERROR) << "Client: server did not select ALPN";
538 // TODO(b/130164908) this should send no_application_protocol
539 // instead of QUIC_HANDSHAKE_FAILED.
540 CloseConnection(QUIC_HANDSHAKE_FAILED, "Server did not select ALPN");
541 return;
542 }
543
544 std::string received_alpn_string(reinterpret_cast<const char*>(alpn_data),
545 alpn_length);
546 std::vector<std::string> offered_alpns = session()->GetAlpnsToOffer();
547 if (std::find(offered_alpns.begin(), offered_alpns.end(),
548 received_alpn_string) == offered_alpns.end()) {
549 QUIC_LOG(ERROR) << "Client: received mismatched ALPN '"
550 << received_alpn_string;
551 // TODO(b/130164908) this should send no_application_protocol
552 // instead of QUIC_HANDSHAKE_FAILED.
553 CloseConnection(QUIC_HANDSHAKE_FAILED, "Client received mismatched ALPN");
554 return;
555 }
556 session()->OnAlpnSelected(received_alpn_string);
557 QUIC_DLOG(INFO) << "Client: server selected ALPN: '" << received_alpn_string
558 << "'";
559
560 // Parse ALPS extension.
561 const uint8_t* alps_data;
562 size_t alps_length;
563 SSL_get0_peer_application_settings(ssl(), &alps_data, &alps_length);
564 if (alps_length > 0) {
565 auto error = session()->OnAlpsData(alps_data, alps_length);
566 if (error.has_value()) {
567 // Calling CloseConnection() is safe even in case OnAlpsData() has
568 // already closed the connection.
569 CloseConnection(QUIC_HANDSHAKE_FAILED,
570 absl::StrCat("Error processing ALPS data: ", *error));
571 return;
572 }
573 }
574
575 state_ = HANDSHAKE_COMPLETE;
576 handshaker_delegate()->OnTlsHandshakeComplete();
577 }
578
OnEnterEarlyData()579 void TlsClientHandshaker::OnEnterEarlyData() {
580 QUICHE_DCHECK(SSL_in_early_data(ssl()));
581
582 // TODO(wub): It might be unnecessary to FillNegotiatedParams() at this time,
583 // because we fill it again when handshake completes.
584 FillNegotiatedParams();
585
586 // If we're attempting a 0-RTT handshake, then we need to let the transport
587 // and application know what state to apply to early data.
588 PrepareZeroRttConfig(cached_state_.get());
589 }
590
FillNegotiatedParams()591 void TlsClientHandshaker::FillNegotiatedParams() {
592 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
593 if (cipher) {
594 crypto_negotiated_params_->cipher_suite =
595 SSL_CIPHER_get_protocol_id(cipher);
596 }
597 crypto_negotiated_params_->key_exchange_group = SSL_get_curve_id(ssl());
598 crypto_negotiated_params_->peer_signature_algorithm =
599 SSL_get_peer_signature_algorithm(ssl());
600 crypto_negotiated_params_->encrypted_client_hello = SSL_ech_accepted(ssl());
601 }
602
ProcessPostHandshakeMessage()603 void TlsClientHandshaker::ProcessPostHandshakeMessage() {
604 int rv = SSL_process_quic_post_handshake(ssl());
605 if (rv != 1) {
606 CloseConnection(QUIC_HANDSHAKE_FAILED, "Unexpected post-handshake data");
607 }
608 }
609
ShouldCloseConnectionOnUnexpectedError(int ssl_error)610 bool TlsClientHandshaker::ShouldCloseConnectionOnUnexpectedError(
611 int ssl_error) {
612 if (ssl_error != SSL_ERROR_EARLY_DATA_REJECTED) {
613 return true;
614 }
615 HandleZeroRttReject();
616 return false;
617 }
618
HandleZeroRttReject()619 void TlsClientHandshaker::HandleZeroRttReject() {
620 QUIC_LOG(INFO) << "0-RTT handshake attempted but was rejected by the server";
621 QUICHE_DCHECK(session_cache_);
622 // Disable encrytion to block outgoing data until 1-RTT keys are available.
623 encryption_established_ = false;
624 handshaker_delegate()->OnZeroRttRejected(EarlyDataReason());
625 SSL_reset_early_data_reject(ssl());
626 session_cache_->ClearEarlyData(server_id_);
627 AdvanceHandshake();
628 }
629
InsertSession(bssl::UniquePtr<SSL_SESSION> session)630 void TlsClientHandshaker::InsertSession(bssl::UniquePtr<SSL_SESSION> session) {
631 if (!received_transport_params_) {
632 QUIC_BUG(quic_bug_10576_8) << "Transport parameters isn't received";
633 return;
634 }
635 if (session_cache_ == nullptr) {
636 QUIC_DVLOG(1) << "No session cache, not inserting a session";
637 return;
638 }
639 if (has_application_state_ && !received_application_state_) {
640 // Application state is not received yet. cache the sessions.
641 if (cached_tls_sessions_[0] != nullptr) {
642 cached_tls_sessions_[1] = std::move(cached_tls_sessions_[0]);
643 }
644 cached_tls_sessions_[0] = std::move(session);
645 return;
646 }
647 session_cache_->Insert(server_id_, std::move(session),
648 *received_transport_params_,
649 received_application_state_.get());
650 }
651
WriteMessage(EncryptionLevel level,absl::string_view data)652 void TlsClientHandshaker::WriteMessage(EncryptionLevel level,
653 absl::string_view data) {
654 if (level == ENCRYPTION_HANDSHAKE && state_ < HANDSHAKE_PROCESSED) {
655 state_ = HANDSHAKE_PROCESSED;
656 }
657 TlsHandshaker::WriteMessage(level, data);
658 }
659
SetServerApplicationStateForResumption(std::unique_ptr<ApplicationState> application_state)660 void TlsClientHandshaker::SetServerApplicationStateForResumption(
661 std::unique_ptr<ApplicationState> application_state) {
662 QUICHE_DCHECK(one_rtt_keys_available());
663 received_application_state_ = std::move(application_state);
664 // At least one tls session is cached before application state is received. So
665 // insert now.
666 if (session_cache_ != nullptr && cached_tls_sessions_[0] != nullptr) {
667 if (cached_tls_sessions_[1] != nullptr) {
668 // Insert the older session first.
669 session_cache_->Insert(server_id_, std::move(cached_tls_sessions_[1]),
670 *received_transport_params_,
671 received_application_state_.get());
672 }
673 session_cache_->Insert(server_id_, std::move(cached_tls_sessions_[0]),
674 *received_transport_params_,
675 received_application_state_.get());
676 }
677 }
678
679 } // namespace quic
680