search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Supervised user whitelists: Cleanup
[chromium-blink-merge.git] / net / quic / quic_crypto_client_stream.cc
blob28a6db8569195660a55a34639065e3fa56d75bc8
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/quic/quic_crypto_client_stream.h"
6
7 #include "base/metrics/histogram.h"
8 #include "base/profiler/scoped_tracker.h"
9 #include "net/quic/crypto/crypto_protocol.h"
10 #include "net/quic/crypto/crypto_utils.h"
11 #include "net/quic/crypto/null_encrypter.h"
12 #include "net/quic/quic_client_session_base.h"
13 #include "net/quic/quic_protocol.h"
14 #include "net/quic/quic_session.h"
15
16 using std::string;
17
18 namespace net {
19
20 QuicCryptoClientStream::ChannelIDSourceCallbackImpl::
21 ChannelIDSourceCallbackImpl(QuicCryptoClientStream* stream)
22 : stream_(stream) {}
23
24 QuicCryptoClientStream::ChannelIDSourceCallbackImpl::
25 ~ChannelIDSourceCallbackImpl() {}
26
27 void QuicCryptoClientStream::ChannelIDSourceCallbackImpl::Run(
28 scoped_ptr<ChannelIDKey>* channel_id_key) {
29 if (stream_ == nullptr) {
30 return;
31 }
32
33 stream_->channel_id_key_.reset(channel_id_key->release());
34 stream_->channel_id_source_callback_run_ = true;
35 stream_->channel_id_source_callback_ = nullptr;
36 stream_->DoHandshakeLoop(nullptr);
37
38 // The ChannelIDSource owns this object and will delete it when this method
39 // returns.
40 }
41
42 void QuicCryptoClientStream::ChannelIDSourceCallbackImpl::Cancel() {
43 stream_ = nullptr;
44 }
45
46 QuicCryptoClientStream::ProofVerifierCallbackImpl::ProofVerifierCallbackImpl(
47 QuicCryptoClientStream* stream)
48 : stream_(stream) {}
49
50 QuicCryptoClientStream::ProofVerifierCallbackImpl::
51 ~ProofVerifierCallbackImpl() {}
52
53 void QuicCryptoClientStream::ProofVerifierCallbackImpl::Run(
54 bool ok,
55 const string& error_details,
56 scoped_ptr<ProofVerifyDetails>* details) {
57 if (stream_ == nullptr) {
58 return;
59 }
60
61 stream_->verify_ok_ = ok;
62 stream_->verify_error_details_ = error_details;
63 stream_->verify_details_.reset(details->release());
64 stream_->proof_verify_callback_ = nullptr;
65 stream_->DoHandshakeLoop(nullptr);
66
67 // The ProofVerifier owns this object and will delete it when this method
68 // returns.
69 }
70
71 void QuicCryptoClientStream::ProofVerifierCallbackImpl::Cancel() {
72 stream_ = nullptr;
73 }
74
75 QuicCryptoClientStream::QuicCryptoClientStream(
76 const QuicServerId& server_id,
77 QuicClientSessionBase* session,
78 ProofVerifyContext* verify_context,
79 QuicCryptoClientConfig* crypto_config)
80 : QuicCryptoStream(session),
81 next_state_(STATE_IDLE),
82 num_client_hellos_(0),
83 crypto_config_(crypto_config),
84 server_id_(server_id),
85 generation_counter_(0),
86 channel_id_sent_(false),
87 channel_id_source_callback_run_(false),
88 channel_id_source_callback_(nullptr),
89 verify_context_(verify_context),
90 proof_verify_callback_(nullptr) {
91 DCHECK_EQ(Perspective::IS_CLIENT, session->connection()->perspective());
92 }
93
94 QuicCryptoClientStream::~QuicCryptoClientStream() {
95 if (channel_id_source_callback_) {
96 channel_id_source_callback_->Cancel();
97 }
98 if (proof_verify_callback_) {
99 proof_verify_callback_->Cancel();
100 }
101 }
102
103 void QuicCryptoClientStream::OnHandshakeMessage(
104 const CryptoHandshakeMessage& message) {
105 QuicCryptoStream::OnHandshakeMessage(message);
106
107 if (message.tag() == kSCUP) {
108 if (!handshake_confirmed()) {
109 CloseConnection(QUIC_CRYPTO_UPDATE_BEFORE_HANDSHAKE_COMPLETE);
110 return;
111 }
112
113 // |message| is an update from the server, so we treat it differently from a
114 // handshake message.
115 HandleServerConfigUpdateMessage(message);
116 return;
117 }
118
119 // Do not process handshake messages after the handshake is confirmed.
120 if (handshake_confirmed()) {
121 CloseConnection(QUIC_CRYPTO_MESSAGE_AFTER_HANDSHAKE_COMPLETE);
122 return;
123 }
124
125 DoHandshakeLoop(&message);
126 }
127
128 void QuicCryptoClientStream::CryptoConnect() {
129 next_state_ = STATE_INITIALIZE;
130 DoHandshakeLoop(nullptr);
131 }
132
133 int QuicCryptoClientStream::num_sent_client_hellos() const {
134 return num_client_hellos_;
135 }
136
137 // Used in Chromium, but not in the server.
138 bool QuicCryptoClientStream::WasChannelIDSent() const {
139 return channel_id_sent_;
140 }
141
142 bool QuicCryptoClientStream::WasChannelIDSourceCallbackRun() const {
143 return channel_id_source_callback_run_;
144 }
145
146 void QuicCryptoClientStream::HandleServerConfigUpdateMessage(
147 const CryptoHandshakeMessage& server_config_update) {
148 DCHECK(server_config_update.tag() == kSCUP);
149 string error_details;
150 QuicCryptoClientConfig::CachedState* cached =
151 crypto_config_->LookupOrCreate(server_id_);
152 QuicErrorCode error = crypto_config_->ProcessServerConfigUpdate(
153 server_config_update,
154 session()->connection()->clock()->WallNow(),
155 cached,
156 &crypto_negotiated_params_,
157 &error_details);
158
159 if (error != QUIC_NO_ERROR) {
160 CloseConnectionWithDetails(
161 error, "Server config update invalid: " + error_details);
162 return;
163 }
164
165 DCHECK(handshake_confirmed());
166 if (proof_verify_callback_) {
167 proof_verify_callback_->Cancel();
168 }
169 next_state_ = STATE_INITIALIZE_SCUP;
170 DoHandshakeLoop(nullptr);
171 }
172
173 // kMaxClientHellos is the maximum number of times that we'll send a client
174 // hello. The value 3 accounts for:
175 // * One failure due to an incorrect or missing source-address token.
176 // * One failure due the server's certificate chain being unavailible and the
177 // server being unwilling to send it without a valid source-address token.
178 static const int kMaxClientHellos = 3;
179
180 void QuicCryptoClientStream::DoHandshakeLoop(
181 const CryptoHandshakeMessage* in) {
182 QuicCryptoClientConfig::CachedState* cached =
183 crypto_config_->LookupOrCreate(server_id_);
184
185 QuicAsyncStatus rv = QUIC_SUCCESS;
186 do {
187 CHECK_NE(STATE_NONE, next_state_);
188 const State state = next_state_;
189 next_state_ = STATE_IDLE;
190 rv = QUIC_SUCCESS;
191 switch (state) {
192 case STATE_INITIALIZE:
193 DoInitialize(cached);
194 break;
195 case STATE_SEND_CHLO:
196 DoSendCHLO(in, cached);
197 return; // return waiting to hear from server.
198 case STATE_RECV_REJ:
199 DoReceiveREJ(in, cached);
200 break;
201 case STATE_VERIFY_PROOF:
202 rv = DoVerifyProof(cached);
203 break;
204 case STATE_VERIFY_PROOF_COMPLETE:
205 DoVerifyProofComplete(cached);
206 break;
207 case STATE_GET_CHANNEL_ID:
208 rv = DoGetChannelID(cached);
209 break;
210 case STATE_GET_CHANNEL_ID_COMPLETE:
211 DoGetChannelIDComplete();
212 break;
213 case STATE_RECV_SHLO:
214 DoReceiveSHLO(in, cached);
215 break;
216 case STATE_IDLE:
217 // This means that the peer sent us a message that we weren't expecting.
218 CloseConnection(QUIC_INVALID_CRYPTO_MESSAGE_TYPE);
219 return;
220 case STATE_INITIALIZE_SCUP:
221 DoInitializeServerConfigUpdate(cached);
222 break;
223 case STATE_NONE:
224 NOTREACHED();
225 return; // We are done.
226 }
227 } while (rv != QUIC_PENDING && next_state_ != STATE_NONE);
228 }
229
230 void QuicCryptoClientStream::DoInitialize(
231 QuicCryptoClientConfig::CachedState* cached) {
232 if (!cached->IsEmpty() && !cached->signature().empty() &&
233 server_id_.is_https()) {
234 // Note that we verify the proof even if the cached proof is valid.
235 // This allows us to respond to CA trust changes or certificate
236 // expiration because it may have been a while since we last verified
237 // the proof.
238 DCHECK(crypto_config_->proof_verifier());
239 // If the cached state needs to be verified, do it now.
240 next_state_ = STATE_VERIFY_PROOF;
241 } else {
242 next_state_ = STATE_GET_CHANNEL_ID;
243 }
244 }
245
246 void QuicCryptoClientStream::DoSendCHLO(
247 const CryptoHandshakeMessage* in,
248 QuicCryptoClientConfig::CachedState* cached) {
249 // Send the client hello in plaintext.
250 session()->connection()->SetDefaultEncryptionLevel(ENCRYPTION_NONE);
251 if (num_client_hellos_ > kMaxClientHellos) {
252 CloseConnection(QUIC_CRYPTO_TOO_MANY_REJECTS);
253 return;
254 }
255 num_client_hellos_++;
256
257 CryptoHandshakeMessage out;
258 if (!cached->IsComplete(session()->connection()->clock()->WallNow())) {
259 crypto_config_->FillInchoateClientHello(
260 server_id_,
261 session()->connection()->supported_versions().front(),
262 cached, &crypto_negotiated_params_, &out);
263 // Pad the inchoate client hello to fill up a packet.
264 const QuicByteCount kFramingOverhead = 50; // A rough estimate.
265 const QuicByteCount max_packet_size =
266 session()->connection()->max_packet_length();
267 if (max_packet_size <= kFramingOverhead) {
268 DLOG(DFATAL) << "max_packet_length (" << max_packet_size
269 << ") has no room for framing overhead.";
270 CloseConnection(QUIC_INTERNAL_ERROR);
271 return;
272 }
273 if (kClientHelloMinimumSize > max_packet_size - kFramingOverhead) {
274 DLOG(DFATAL) << "Client hello won't fit in a single packet.";
275 CloseConnection(QUIC_INTERNAL_ERROR);
276 return;
277 }
278 out.set_minimum_size(
279 static_cast<size_t>(max_packet_size - kFramingOverhead));
280 next_state_ = STATE_RECV_REJ;
281 SendHandshakeMessage(out);
282 return;
283 }
284
285 session()->config()->ToHandshakeMessage(&out);
286 string error_details;
287 QuicErrorCode error = crypto_config_->FillClientHello(
288 server_id_,
289 session()->connection()->connection_id(),
290 session()->connection()->supported_versions().front(),
291 cached,
292 session()->connection()->clock()->WallNow(),
293 session()->connection()->random_generator(),
294 channel_id_key_.get(),
295 &crypto_negotiated_params_,
296 &out,
297 &error_details);
298
299 if (error != QUIC_NO_ERROR) {
300 // Flush the cached config so that, if it's bad, the server has a
301 // chance to send us another in the future.
302 cached->InvalidateServerConfig();
303 CloseConnectionWithDetails(error, error_details);
304 return;
305 }
306 channel_id_sent_ = (channel_id_key_.get() != nullptr);
307 if (cached->proof_verify_details()) {
308 client_session()->OnProofVerifyDetailsAvailable(
309 *cached->proof_verify_details());
310 }
311 next_state_ = STATE_RECV_SHLO;
312 SendHandshakeMessage(out);
313 // Be prepared to decrypt with the new server write key.
314 session()->connection()->SetAlternativeDecrypter(
315 crypto_negotiated_params_.initial_crypters.decrypter.release(),
316 ENCRYPTION_INITIAL,
317 true /* latch once used */);
318 // Send subsequent packets under encryption on the assumption that the
319 // server will accept the handshake.
320 session()->connection()->SetEncrypter(
321 ENCRYPTION_INITIAL,
322 crypto_negotiated_params_.initial_crypters.encrypter.release());
323 session()->connection()->SetDefaultEncryptionLevel(
324 ENCRYPTION_INITIAL);
325 if (!encryption_established_) {
326 encryption_established_ = true;
327 session()->OnCryptoHandshakeEvent(
328 QuicSession::ENCRYPTION_FIRST_ESTABLISHED);
329 } else {
330 session()->OnCryptoHandshakeEvent(
331 QuicSession::ENCRYPTION_REESTABLISHED);
332 }
333 }
334
335 void QuicCryptoClientStream::DoReceiveREJ(
336 const CryptoHandshakeMessage* in,
337 QuicCryptoClientConfig::CachedState* cached) {
338 // TODO(rtenneti): Remove ScopedTracker below once crbug.com/422516 is fixed.
339 tracked_objects::ScopedTracker tracking_profile(
340 FROM_HERE_WITH_EXPLICIT_FUNCTION(
341 "422516 QuicCryptoClientStream::DoReceiveREJ"));
342
343 // We sent a dummy CHLO because we didn't have enough information to
344 // perform a handshake, or we sent a full hello that the server
345 // rejected. Here we hope to have a REJ that contains the information
346 // that we need.
347 if (in->tag() != kREJ) {
348 next_state_ = STATE_NONE;
349 CloseConnectionWithDetails(QUIC_INVALID_CRYPTO_MESSAGE_TYPE,
350 "Expected REJ");
351 return;
352 }
353 string error_details;
354 QuicErrorCode error = crypto_config_->ProcessRejection(
355 *in, session()->connection()->clock()->WallNow(), cached,
356 server_id_.is_https(), &crypto_negotiated_params_, &error_details);
357 if (error != QUIC_NO_ERROR) {
358 next_state_ = STATE_NONE;
359 CloseConnectionWithDetails(error, error_details);
360 return;
361 }
362 if (!cached->proof_valid()) {
363 if (!server_id_.is_https()) {
364 // We don't check the certificates for insecure QUIC connections.
365 SetCachedProofValid(cached);
366 } else if (!cached->signature().empty()) {
367 // Note that we only verify the proof if the cached proof is not
368 // valid. If the cached proof is valid here, someone else must have
369 // just added the server config to the cache and verified the proof,
370 // so we can assume no CA trust changes or certificate expiration
371 // has happened since then.
372 next_state_ = STATE_VERIFY_PROOF;
373 return;
374 }
375 }
376 next_state_ = STATE_GET_CHANNEL_ID;
377 }
378
379 QuicAsyncStatus QuicCryptoClientStream::DoVerifyProof(
380 QuicCryptoClientConfig::CachedState* cached) {
381 ProofVerifier* verifier = crypto_config_->proof_verifier();
382 DCHECK(verifier);
383 next_state_ = STATE_VERIFY_PROOF_COMPLETE;
384 generation_counter_ = cached->generation_counter();
385
386 ProofVerifierCallbackImpl* proof_verify_callback =
387 new ProofVerifierCallbackImpl(this);
388
389 verify_ok_ = false;
390
391 QuicAsyncStatus status = verifier->VerifyProof(
392 server_id_.host(),
393 cached->server_config(),
394 cached->certs(),
395 cached->signature(),
396 verify_context_.get(),
397 &verify_error_details_,
398 &verify_details_,
399 proof_verify_callback);
400
401 switch (status) {
402 case QUIC_PENDING:
403 proof_verify_callback_ = proof_verify_callback;
404 DVLOG(1) << "Doing VerifyProof";
405 break;
406 case QUIC_FAILURE:
407 delete proof_verify_callback;
408 break;
409 case QUIC_SUCCESS:
410 delete proof_verify_callback;
411 verify_ok_ = true;
412 break;
413 }
414 return status;
415 }
416
417 void QuicCryptoClientStream::DoVerifyProofComplete(
418 QuicCryptoClientConfig::CachedState* cached) {
419 if (!verify_ok_) {
420 next_state_ = STATE_NONE;
421 if (verify_details_.get()) {
422 client_session()->OnProofVerifyDetailsAvailable(*verify_details_);
423 }
424 UMA_HISTOGRAM_BOOLEAN("Net.QuicVerifyProofFailed.HandshakeConfirmed",
425 handshake_confirmed());
426 CloseConnectionWithDetails(
427 QUIC_PROOF_INVALID, "Proof invalid: " + verify_error_details_);
428 return;
429 }
430
431 // Check if generation_counter has changed between STATE_VERIFY_PROOF and
432 // STATE_VERIFY_PROOF_COMPLETE state changes.
433 if (generation_counter_ != cached->generation_counter()) {
434 next_state_ = STATE_VERIFY_PROOF;
435 } else {
436 SetCachedProofValid(cached);
437 cached->SetProofVerifyDetails(verify_details_.release());
438 if (!handshake_confirmed()) {
439 next_state_ = STATE_GET_CHANNEL_ID;
440 } else {
441 next_state_ = STATE_NONE;
442 }
443 }
444 }
445
446 QuicAsyncStatus QuicCryptoClientStream::DoGetChannelID(
447 QuicCryptoClientConfig::CachedState* cached) {
448 next_state_ = STATE_GET_CHANNEL_ID_COMPLETE;
449 channel_id_key_.reset();
450 if (!RequiresChannelID(cached)) {
451 next_state_ = STATE_SEND_CHLO;
452 return QUIC_SUCCESS;
453 }
454
455 ChannelIDSourceCallbackImpl* channel_id_source_callback =
456 new ChannelIDSourceCallbackImpl(this);
457 QuicAsyncStatus status =
458 crypto_config_->channel_id_source()->GetChannelIDKey(
459 server_id_.host(), &channel_id_key_,
460 channel_id_source_callback);
461
462 switch (status) {
463 case QUIC_PENDING:
464 channel_id_source_callback_ = channel_id_source_callback;
465 DVLOG(1) << "Looking up channel ID";
466 break;
467 case QUIC_FAILURE:
468 next_state_ = STATE_NONE;
469 delete channel_id_source_callback;
470 CloseConnectionWithDetails(QUIC_INVALID_CHANNEL_ID_SIGNATURE,
471 "Channel ID lookup failed");
472 break;
473 case QUIC_SUCCESS:
474 delete channel_id_source_callback;
475 break;
476 }
477 return status;
478 }
479
480 void QuicCryptoClientStream::DoGetChannelIDComplete() {
481 if (!channel_id_key_.get()) {
482 next_state_ = STATE_NONE;
483 CloseConnectionWithDetails(QUIC_INVALID_CHANNEL_ID_SIGNATURE,
484 "Channel ID lookup failed");
485 return;
486 }
487 next_state_ = STATE_SEND_CHLO;
488 }
489
490 void QuicCryptoClientStream::DoReceiveSHLO(
491 const CryptoHandshakeMessage* in,
492 QuicCryptoClientConfig::CachedState* cached) {
493 next_state_ = STATE_NONE;
494 // We sent a CHLO that we expected to be accepted and now we're hoping
495 // for a SHLO from the server to confirm that.
496 if (in->tag() == kREJ) {
497 // alternative_decrypter will be nullptr if the original alternative
498 // decrypter latched and became the primary decrypter. That happens
499 // if we received a message encrypted with the INITIAL key.
500 if (session()->connection()->alternative_decrypter() == nullptr) {
501 // The rejection was sent encrypted!
502 CloseConnectionWithDetails(QUIC_CRYPTO_ENCRYPTION_LEVEL_INCORRECT,
503 "encrypted REJ message");
504 return;
505 }
506 next_state_ = STATE_RECV_REJ;
507 return;
508 }
509
510 if (in->tag() != kSHLO) {
511 CloseConnectionWithDetails(QUIC_INVALID_CRYPTO_MESSAGE_TYPE,
512 "Expected SHLO or REJ");
513 return;
514 }
515
516 // alternative_decrypter will be nullptr if the original alternative
517 // decrypter latched and became the primary decrypter. That happens
518 // if we received a message encrypted with the INITIAL key.
519 if (session()->connection()->alternative_decrypter() != nullptr) {
520 // The server hello was sent without encryption.
521 CloseConnectionWithDetails(QUIC_CRYPTO_ENCRYPTION_LEVEL_INCORRECT,
522 "unencrypted SHLO message");
523 return;
524 }
525
526 string error_details;
527 QuicErrorCode error = crypto_config_->ProcessServerHello(
528 *in, session()->connection()->connection_id(),
529 session()->connection()->server_supported_versions(),
530 cached, &crypto_negotiated_params_, &error_details);
531
532 if (error != QUIC_NO_ERROR) {
533 CloseConnectionWithDetails(error, "Server hello invalid: " + error_details);
534 return;
535 }
536 error = session()->config()->ProcessPeerHello(*in, SERVER, &error_details);
537 if (error != QUIC_NO_ERROR) {
538 CloseConnectionWithDetails(error, "Server hello invalid: " + error_details);
539 return;
540 }
541 session()->OnConfigNegotiated();
542
543 CrypterPair* crypters = &crypto_negotiated_params_.forward_secure_crypters;
544 // TODO(agl): we don't currently latch this decrypter because the idea
545 // has been floated that the server shouldn't send packets encrypted
546 // with the FORWARD_SECURE key until it receives a FORWARD_SECURE
547 // packet from the client.
548 session()->connection()->SetAlternativeDecrypter(
549 crypters->decrypter.release(), ENCRYPTION_FORWARD_SECURE,
550 false /* don't latch */);
551 session()->connection()->SetEncrypter(
552 ENCRYPTION_FORWARD_SECURE, crypters->encrypter.release());
553 session()->connection()->SetDefaultEncryptionLevel(
554 ENCRYPTION_FORWARD_SECURE);
555
556 handshake_confirmed_ = true;
557 session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
558 session()->connection()->OnHandshakeComplete();
559 }
560
561 void QuicCryptoClientStream::DoInitializeServerConfigUpdate(
562 QuicCryptoClientConfig::CachedState* cached) {
563 bool update_ignored = false;
564 if (!server_id_.is_https()) {
565 // We don't check the certificates for insecure QUIC connections.
566 SetCachedProofValid(cached);
567 next_state_ = STATE_NONE;
568 } else if (!cached->IsEmpty() && !cached->signature().empty()) {
569 // Note that we verify the proof even if the cached proof is valid.
570 DCHECK(crypto_config_->proof_verifier());
571 next_state_ = STATE_VERIFY_PROOF;
572 } else {
573 update_ignored = true;
574 next_state_ = STATE_NONE;
575 }
576 UMA_HISTOGRAM_COUNTS("Net.QuicNumServerConfig.UpdateMessagesIgnored",
577 update_ignored);
578 }
579
580 void QuicCryptoClientStream::SetCachedProofValid(
581 QuicCryptoClientConfig::CachedState* cached) {
582 cached->SetProofValid();
583 client_session()->OnProofValid(*cached);
584 }
585
586 bool QuicCryptoClientStream::RequiresChannelID(
587 QuicCryptoClientConfig::CachedState* cached) {
588 if (!server_id_.is_https() ||
589 server_id_.privacy_mode() == PRIVACY_MODE_ENABLED ||
590 !crypto_config_->channel_id_source()) {
591 return false;
592 }
593 const CryptoHandshakeMessage* scfg = cached->GetServerConfig();
594 if (!scfg) { // scfg may be null then we send an inchoate CHLO.
595 return false;
596 }
597 const QuicTag* their_proof_demands;
598 size_t num_their_proof_demands;
599 if (scfg->GetTaglist(kPDMD, &their_proof_demands,
600 &num_their_proof_demands) != QUIC_NO_ERROR) {
601 return false;
602 }
603 for (size_t i = 0; i < num_their_proof_demands; i++) {
604 if (their_proof_demands[i] == kCHID) {
605 return true;
606 }
607 }
608 return false;
609 }
610
611 QuicClientSessionBase* QuicCryptoClientStream::client_session() {
612 return reinterpret_cast<QuicClientSessionBase*>(session());
613 }
614
615 } // namespace net