search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
MacViews: Get c/b/ui/views/tabs to build on Mac
[chromium-blink-merge.git] / net / quic / quic_crypto_client_stream.cc
blob1c41e0a6e08ca352d3ca06dfe9098820e843997b
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/quic/quic_crypto_client_stream.h"
6
7 #include "base/metrics/histogram.h"
8 #include "net/quic/crypto/crypto_protocol.h"
9 #include "net/quic/crypto/crypto_utils.h"
10 #include "net/quic/crypto/null_encrypter.h"
11 #include "net/quic/quic_client_session_base.h"
12 #include "net/quic/quic_protocol.h"
13 #include "net/quic/quic_session.h"
14
15 namespace net {
16
17 QuicCryptoClientStream::ChannelIDSourceCallbackImpl::
18 ChannelIDSourceCallbackImpl(QuicCryptoClientStream* stream)
19 : stream_(stream) {}
20
21 QuicCryptoClientStream::ChannelIDSourceCallbackImpl::
22 ~ChannelIDSourceCallbackImpl() {}
23
24 void QuicCryptoClientStream::ChannelIDSourceCallbackImpl::Run(
25 scoped_ptr<ChannelIDKey>* channel_id_key) {
26 if (stream_ == nullptr) {
27 return;
28 }
29
30 stream_->channel_id_key_.reset(channel_id_key->release());
31 stream_->channel_id_source_callback_run_ = true;
32 stream_->channel_id_source_callback_ = nullptr;
33 stream_->DoHandshakeLoop(nullptr);
34
35 // The ChannelIDSource owns this object and will delete it when this method
36 // returns.
37 }
38
39 void QuicCryptoClientStream::ChannelIDSourceCallbackImpl::Cancel() {
40 stream_ = nullptr;
41 }
42
43 QuicCryptoClientStream::ProofVerifierCallbackImpl::ProofVerifierCallbackImpl(
44 QuicCryptoClientStream* stream)
45 : stream_(stream) {}
46
47 QuicCryptoClientStream::ProofVerifierCallbackImpl::
48 ~ProofVerifierCallbackImpl() {}
49
50 void QuicCryptoClientStream::ProofVerifierCallbackImpl::Run(
51 bool ok,
52 const string& error_details,
53 scoped_ptr<ProofVerifyDetails>* details) {
54 if (stream_ == nullptr) {
55 return;
56 }
57
58 stream_->verify_ok_ = ok;
59 stream_->verify_error_details_ = error_details;
60 stream_->verify_details_.reset(details->release());
61 stream_->proof_verify_callback_ = nullptr;
62 stream_->DoHandshakeLoop(nullptr);
63
64 // The ProofVerifier owns this object and will delete it when this method
65 // returns.
66 }
67
68 void QuicCryptoClientStream::ProofVerifierCallbackImpl::Cancel() {
69 stream_ = nullptr;
70 }
71
72 QuicCryptoClientStream::QuicCryptoClientStream(
73 const QuicServerId& server_id,
74 QuicClientSessionBase* session,
75 ProofVerifyContext* verify_context,
76 QuicCryptoClientConfig* crypto_config)
77 : QuicCryptoStream(session),
78 next_state_(STATE_IDLE),
79 num_client_hellos_(0),
80 crypto_config_(crypto_config),
81 server_id_(server_id),
82 generation_counter_(0),
83 channel_id_sent_(false),
84 channel_id_source_callback_run_(false),
85 channel_id_source_callback_(nullptr),
86 verify_context_(verify_context),
87 proof_verify_callback_(nullptr) {}
88
89 QuicCryptoClientStream::~QuicCryptoClientStream() {
90 if (channel_id_source_callback_) {
91 channel_id_source_callback_->Cancel();
92 }
93 if (proof_verify_callback_) {
94 proof_verify_callback_->Cancel();
95 }
96 }
97
98 void QuicCryptoClientStream::OnHandshakeMessage(
99 const CryptoHandshakeMessage& message) {
100 QuicCryptoStream::OnHandshakeMessage(message);
101
102 if (message.tag() == kSCUP) {
103 if (!handshake_confirmed()) {
104 CloseConnection(QUIC_CRYPTO_UPDATE_BEFORE_HANDSHAKE_COMPLETE);
105 return;
106 }
107
108 // |message| is an update from the server, so we treat it differently from a
109 // handshake message.
110 HandleServerConfigUpdateMessage(message);
111 return;
112 }
113
114 // Do not process handshake messages after the handshake is confirmed.
115 if (handshake_confirmed()) {
116 CloseConnection(QUIC_CRYPTO_MESSAGE_AFTER_HANDSHAKE_COMPLETE);
117 return;
118 }
119
120 DoHandshakeLoop(&message);
121 }
122
123 bool QuicCryptoClientStream::CryptoConnect() {
124 next_state_ = STATE_INITIALIZE;
125 DoHandshakeLoop(nullptr);
126 return true;
127 }
128
129 int QuicCryptoClientStream::num_sent_client_hellos() const {
130 return num_client_hellos_;
131 }
132
133 bool QuicCryptoClientStream::WasChannelIDSent() const {
134 return channel_id_sent_;
135 }
136
137 bool QuicCryptoClientStream::WasChannelIDSourceCallbackRun() const {
138 return channel_id_source_callback_run_;
139 }
140
141 void QuicCryptoClientStream::HandleServerConfigUpdateMessage(
142 const CryptoHandshakeMessage& server_config_update) {
143 DCHECK(server_config_update.tag() == kSCUP);
144 string error_details;
145 QuicCryptoClientConfig::CachedState* cached =
146 crypto_config_->LookupOrCreate(server_id_);
147 QuicErrorCode error = crypto_config_->ProcessServerConfigUpdate(
148 server_config_update,
149 session()->connection()->clock()->WallNow(),
150 cached,
151 &crypto_negotiated_params_,
152 &error_details);
153
154 if (error != QUIC_NO_ERROR) {
155 CloseConnectionWithDetails(
156 error, "Server config update invalid: " + error_details);
157 return;
158 }
159
160 DCHECK(handshake_confirmed());
161 if (proof_verify_callback_) {
162 proof_verify_callback_->Cancel();
163 }
164 next_state_ = STATE_INITIALIZE_SCUP;
165 DoHandshakeLoop(nullptr);
166 }
167
168 // kMaxClientHellos is the maximum number of times that we'll send a client
169 // hello. The value 3 accounts for:
170 // * One failure due to an incorrect or missing source-address token.
171 // * One failure due the server's certificate chain being unavailible and the
172 // server being unwilling to send it without a valid source-address token.
173 static const int kMaxClientHellos = 3;
174
175 void QuicCryptoClientStream::DoHandshakeLoop(
176 const CryptoHandshakeMessage* in) {
177 QuicCryptoClientConfig::CachedState* cached =
178 crypto_config_->LookupOrCreate(server_id_);
179
180 QuicAsyncStatus rv = QUIC_SUCCESS;
181 do {
182 CHECK_NE(STATE_NONE, next_state_);
183 const State state = next_state_;
184 next_state_ = STATE_IDLE;
185 rv = QUIC_SUCCESS;
186 switch (state) {
187 case STATE_INITIALIZE:
188 DoInitialize(cached);
189 break;
190 case STATE_SEND_CHLO:
191 DoSendCHLO(in, cached);
192 return;
193 case STATE_RECV_REJ:
194 DoReceiveREJ(in, cached);
195 break;
196 case STATE_VERIFY_PROOF:
197 rv = DoVerifyProof(cached);
198 break;
199 case STATE_VERIFY_PROOF_COMPLETE:
200 DoVerifyProofComplete(cached);
201 break;
202 case STATE_GET_CHANNEL_ID:
203 rv = DoGetChannelID(cached);
204 break;
205 case STATE_GET_CHANNEL_ID_COMPLETE:
206 DoGetChannelIDComplete();
207 break;
208 case STATE_RECV_SHLO:
209 DoReceiveSHLO(in, cached);
210 break;
211 case STATE_IDLE:
212 // This means that the peer sent us a message that we weren't expecting.
213 CloseConnection(QUIC_INVALID_CRYPTO_MESSAGE_TYPE);
214 return;
215 case STATE_INITIALIZE_SCUP:
216 DoInitializeServerConfigUpdate(cached);
217 break;
218 case STATE_NONE:
219 NOTREACHED();
220 return; // We are done.
221 }
222 } while (rv != QUIC_PENDING && next_state_ != STATE_NONE);
223 }
224
225 void QuicCryptoClientStream::DoInitialize(
226 QuicCryptoClientConfig::CachedState* cached) {
227 if (!cached->IsEmpty() && !cached->signature().empty() &&
228 server_id_.is_https()) {
229 // Note that we verify the proof even if the cached proof is valid.
230 // This allows us to respond to CA trust changes or certificate
231 // expiration because it may have been a while since we last verified
232 // the proof.
233 DCHECK(crypto_config_->proof_verifier());
234 // If the cached state needs to be verified, do it now.
235 next_state_ = STATE_VERIFY_PROOF;
236 } else {
237 next_state_ = STATE_GET_CHANNEL_ID;
238 }
239 }
240
241 void QuicCryptoClientStream::DoSendCHLO(
242 const CryptoHandshakeMessage* in,
243 QuicCryptoClientConfig::CachedState* cached) {
244 // Send the client hello in plaintext.
245 session()->connection()->SetDefaultEncryptionLevel(ENCRYPTION_NONE);
246 if (num_client_hellos_ > kMaxClientHellos) {
247 CloseConnection(QUIC_CRYPTO_TOO_MANY_REJECTS);
248 return;
249 }
250 num_client_hellos_++;
251
252 CryptoHandshakeMessage out;
253 if (!cached->IsComplete(session()->connection()->clock()->WallNow())) {
254 crypto_config_->FillInchoateClientHello(
255 server_id_,
256 session()->connection()->supported_versions().front(),
257 cached, &crypto_negotiated_params_, &out);
258 // Pad the inchoate client hello to fill up a packet.
259 const size_t kFramingOverhead = 50; // A rough estimate.
260 const size_t max_packet_size =
261 session()->connection()->max_packet_length();
262 if (max_packet_size <= kFramingOverhead) {
263 DLOG(DFATAL) << "max_packet_length (" << max_packet_size
264 << ") has no room for framing overhead.";
265 CloseConnection(QUIC_INTERNAL_ERROR);
266 return;
267 }
268 if (kClientHelloMinimumSize > max_packet_size - kFramingOverhead) {
269 DLOG(DFATAL) << "Client hello won't fit in a single packet.";
270 CloseConnection(QUIC_INTERNAL_ERROR);
271 return;
272 }
273 out.set_minimum_size(max_packet_size - kFramingOverhead);
274 next_state_ = STATE_RECV_REJ;
275 SendHandshakeMessage(out);
276 return;
277 }
278
279 session()->config()->ToHandshakeMessage(&out);
280 string error_details;
281 QuicErrorCode error = crypto_config_->FillClientHello(
282 server_id_,
283 session()->connection()->connection_id(),
284 session()->connection()->supported_versions().front(),
285 cached,
286 session()->connection()->clock()->WallNow(),
287 session()->connection()->random_generator(),
288 channel_id_key_.get(),
289 &crypto_negotiated_params_,
290 &out,
291 &error_details);
292 if (error != QUIC_NO_ERROR) {
293 // Flush the cached config so that, if it's bad, the server has a
294 // chance to send us another in the future.
295 cached->InvalidateServerConfig();
296 CloseConnectionWithDetails(error, error_details);
297 return;
298 }
299 channel_id_sent_ = (channel_id_key_.get() != nullptr);
300 if (cached->proof_verify_details()) {
301 client_session()->OnProofVerifyDetailsAvailable(
302 *cached->proof_verify_details());
303 }
304 next_state_ = STATE_RECV_SHLO;
305 SendHandshakeMessage(out);
306 // Be prepared to decrypt with the new server write key.
307 session()->connection()->SetAlternativeDecrypter(
308 crypto_negotiated_params_.initial_crypters.decrypter.release(),
309 ENCRYPTION_INITIAL,
310 true /* latch once used */);
311 // Send subsequent packets under encryption on the assumption that the
312 // server will accept the handshake.
313 session()->connection()->SetEncrypter(
314 ENCRYPTION_INITIAL,
315 crypto_negotiated_params_.initial_crypters.encrypter.release());
316 session()->connection()->SetDefaultEncryptionLevel(
317 ENCRYPTION_INITIAL);
318 if (!encryption_established_) {
319 encryption_established_ = true;
320 session()->OnCryptoHandshakeEvent(
321 QuicSession::ENCRYPTION_FIRST_ESTABLISHED);
322 } else {
323 session()->OnCryptoHandshakeEvent(
324 QuicSession::ENCRYPTION_REESTABLISHED);
325 }
326 }
327
328 void QuicCryptoClientStream::DoReceiveREJ(
329 const CryptoHandshakeMessage* in,
330 QuicCryptoClientConfig::CachedState* cached) {
331 // We sent a dummy CHLO because we didn't have enough information to
332 // perform a handshake, or we sent a full hello that the server
333 // rejected. Here we hope to have a REJ that contains the information
334 // that we need.
335 if (in->tag() != kREJ) {
336 next_state_ = STATE_NONE;
337 CloseConnectionWithDetails(QUIC_INVALID_CRYPTO_MESSAGE_TYPE,
338 "Expected REJ");
339 return;
340 }
341 string error_details;
342 QuicErrorCode error = crypto_config_->ProcessRejection(
343 *in, session()->connection()->clock()->WallNow(), cached,
344 server_id_.is_https(), &crypto_negotiated_params_, &error_details);
345 if (error != QUIC_NO_ERROR) {
346 next_state_ = STATE_NONE;
347 CloseConnectionWithDetails(error, error_details);
348 return;
349 }
350 if (!cached->proof_valid()) {
351 if (!server_id_.is_https()) {
352 // We don't check the certificates for insecure QUIC connections.
353 SetCachedProofValid(cached);
354 } else if (!cached->signature().empty()) {
355 // Note that we only verify the proof if the cached proof is not
356 // valid. If the cached proof is valid here, someone else must have
357 // just added the server config to the cache and verified the proof,
358 // so we can assume no CA trust changes or certificate expiration
359 // has happened since then.
360 next_state_ = STATE_VERIFY_PROOF;
361 return;
362 }
363 }
364 next_state_ = STATE_GET_CHANNEL_ID;
365 }
366
367 QuicAsyncStatus QuicCryptoClientStream::DoVerifyProof(
368 QuicCryptoClientConfig::CachedState* cached) {
369 ProofVerifier* verifier = crypto_config_->proof_verifier();
370 DCHECK(verifier);
371 next_state_ = STATE_VERIFY_PROOF_COMPLETE;
372 generation_counter_ = cached->generation_counter();
373
374 ProofVerifierCallbackImpl* proof_verify_callback =
375 new ProofVerifierCallbackImpl(this);
376
377 verify_ok_ = false;
378
379 QuicAsyncStatus status = verifier->VerifyProof(
380 server_id_.host(),
381 cached->server_config(),
382 cached->certs(),
383 cached->signature(),
384 verify_context_.get(),
385 &verify_error_details_,
386 &verify_details_,
387 proof_verify_callback);
388
389 switch (status) {
390 case QUIC_PENDING:
391 proof_verify_callback_ = proof_verify_callback;
392 DVLOG(1) << "Doing VerifyProof";
393 break;
394 case QUIC_FAILURE:
395 delete proof_verify_callback;
396 break;
397 case QUIC_SUCCESS:
398 delete proof_verify_callback;
399 verify_ok_ = true;
400 break;
401 }
402 return status;
403 }
404
405 void QuicCryptoClientStream::DoVerifyProofComplete(
406 QuicCryptoClientConfig::CachedState* cached) {
407 if (!verify_ok_) {
408 next_state_ = STATE_NONE;
409 client_session()->OnProofVerifyDetailsAvailable(*verify_details_);
410 UMA_HISTOGRAM_BOOLEAN("Net.QuicVerifyProofFailed.HandshakeConfirmed",
411 handshake_confirmed());
412 CloseConnectionWithDetails(
413 QUIC_PROOF_INVALID, "Proof invalid: " + verify_error_details_);
414 return;
415 }
416
417 // Check if generation_counter has changed between STATE_VERIFY_PROOF and
418 // STATE_VERIFY_PROOF_COMPLETE state changes.
419 if (generation_counter_ != cached->generation_counter()) {
420 next_state_ = STATE_VERIFY_PROOF;
421 } else {
422 SetCachedProofValid(cached);
423 cached->SetProofVerifyDetails(verify_details_.release());
424 if (!handshake_confirmed()) {
425 next_state_ = STATE_GET_CHANNEL_ID;
426 } else {
427 next_state_ = STATE_NONE;
428 }
429 }
430 }
431
432 QuicAsyncStatus QuicCryptoClientStream::DoGetChannelID(
433 QuicCryptoClientConfig::CachedState* cached) {
434 next_state_ = STATE_GET_CHANNEL_ID_COMPLETE;
435 channel_id_key_.reset();
436 if (!RequiresChannelID(cached)) {
437 next_state_ = STATE_SEND_CHLO;
438 return QUIC_SUCCESS;
439 }
440
441 ChannelIDSourceCallbackImpl* channel_id_source_callback =
442 new ChannelIDSourceCallbackImpl(this);
443 QuicAsyncStatus status =
444 crypto_config_->channel_id_source()->GetChannelIDKey(
445 server_id_.host(), &channel_id_key_,
446 channel_id_source_callback);
447
448 switch (status) {
449 case QUIC_PENDING:
450 channel_id_source_callback_ = channel_id_source_callback;
451 DVLOG(1) << "Looking up channel ID";
452 break;
453 case QUIC_FAILURE:
454 next_state_ = STATE_NONE;
455 delete channel_id_source_callback;
456 CloseConnectionWithDetails(QUIC_INVALID_CHANNEL_ID_SIGNATURE,
457 "Channel ID lookup failed");
458 break;
459 case QUIC_SUCCESS:
460 delete channel_id_source_callback;
461 break;
462 }
463 return status;
464 }
465
466 void QuicCryptoClientStream::DoGetChannelIDComplete() {
467 if (!channel_id_key_.get()) {
468 next_state_ = STATE_NONE;
469 CloseConnectionWithDetails(QUIC_INVALID_CHANNEL_ID_SIGNATURE,
470 "Channel ID lookup failed");
471 return;
472 }
473 next_state_ = STATE_SEND_CHLO;
474 }
475
476 void QuicCryptoClientStream::DoReceiveSHLO(
477 const CryptoHandshakeMessage* in,
478 QuicCryptoClientConfig::CachedState* cached) {
479 next_state_ = STATE_NONE;
480 // We sent a CHLO that we expected to be accepted and now we're hoping
481 // for a SHLO from the server to confirm that.
482 if (in->tag() == kREJ) {
483 // alternative_decrypter will be nullptr if the original alternative
484 // decrypter latched and became the primary decrypter. That happens
485 // if we received a message encrypted with the INITIAL key.
486 if (session()->connection()->alternative_decrypter() == nullptr) {
487 // The rejection was sent encrypted!
488 CloseConnectionWithDetails(QUIC_CRYPTO_ENCRYPTION_LEVEL_INCORRECT,
489 "encrypted REJ message");
490 return;
491 }
492 next_state_ = STATE_RECV_REJ;
493 return;
494 }
495
496 if (in->tag() != kSHLO) {
497 CloseConnectionWithDetails(QUIC_INVALID_CRYPTO_MESSAGE_TYPE,
498 "Expected SHLO or REJ");
499 return;
500 }
501
502 // alternative_decrypter will be nullptr if the original alternative
503 // decrypter latched and became the primary decrypter. That happens
504 // if we received a message encrypted with the INITIAL key.
505 if (session()->connection()->alternative_decrypter() != nullptr) {
506 // The server hello was sent without encryption.
507 CloseConnectionWithDetails(QUIC_CRYPTO_ENCRYPTION_LEVEL_INCORRECT,
508 "unencrypted SHLO message");
509 return;
510 }
511
512 string error_details;
513 QuicErrorCode error = crypto_config_->ProcessServerHello(
514 *in, session()->connection()->connection_id(),
515 session()->connection()->server_supported_versions(),
516 cached, &crypto_negotiated_params_, &error_details);
517
518 if (error != QUIC_NO_ERROR) {
519 CloseConnectionWithDetails(error, "Server hello invalid: " + error_details);
520 return;
521 }
522 error = session()->config()->ProcessPeerHello(*in, SERVER, &error_details);
523 if (error != QUIC_NO_ERROR) {
524 CloseConnectionWithDetails(error, "Server hello invalid: " + error_details);
525 return;
526 }
527 session()->OnConfigNegotiated();
528
529 CrypterPair* crypters = &crypto_negotiated_params_.forward_secure_crypters;
530 // TODO(agl): we don't currently latch this decrypter because the idea
531 // has been floated that the server shouldn't send packets encrypted
532 // with the FORWARD_SECURE key until it receives a FORWARD_SECURE
533 // packet from the client.
534 session()->connection()->SetAlternativeDecrypter(
535 crypters->decrypter.release(), ENCRYPTION_FORWARD_SECURE,
536 false /* don't latch */);
537 session()->connection()->SetEncrypter(
538 ENCRYPTION_FORWARD_SECURE, crypters->encrypter.release());
539 session()->connection()->SetDefaultEncryptionLevel(
540 ENCRYPTION_FORWARD_SECURE);
541
542 handshake_confirmed_ = true;
543 session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
544 session()->connection()->OnHandshakeComplete();
545 }
546
547 void QuicCryptoClientStream::DoInitializeServerConfigUpdate(
548 QuicCryptoClientConfig::CachedState* cached) {
549 bool update_ignored = false;
550 if (!server_id_.is_https()) {
551 // We don't check the certificates for insecure QUIC connections.
552 SetCachedProofValid(cached);
553 next_state_ = STATE_NONE;
554 } else if (!cached->IsEmpty() && !cached->signature().empty()) {
555 // Note that we verify the proof even if the cached proof is valid.
556 DCHECK(crypto_config_->proof_verifier());
557 next_state_ = STATE_VERIFY_PROOF;
558 } else {
559 update_ignored = true;
560 next_state_ = STATE_NONE;
561 }
562 UMA_HISTOGRAM_COUNTS("Net.QuicNumServerConfig.UpdateMessagesIgnored",
563 update_ignored);
564 }
565
566 void QuicCryptoClientStream::SetCachedProofValid(
567 QuicCryptoClientConfig::CachedState* cached) {
568 cached->SetProofValid();
569 client_session()->OnProofValid(*cached);
570 }
571
572 bool QuicCryptoClientStream::RequiresChannelID(
573 QuicCryptoClientConfig::CachedState* cached) {
574 if (!server_id_.is_https() ||
575 server_id_.privacy_mode() == PRIVACY_MODE_ENABLED ||
576 !crypto_config_->channel_id_source()) {
577 return false;
578 }
579 const CryptoHandshakeMessage* scfg = cached->GetServerConfig();
580 if (!scfg) { // scfg may be null when we send an inchoate CHLO.
581 return false;
582 }
583 const QuicTag* their_proof_demands;
584 size_t num_their_proof_demands;
585 if (scfg->GetTaglist(kPDMD, &their_proof_demands,
586 &num_their_proof_demands) != QUIC_NO_ERROR) {
587 return false;
588 }
589 for (size_t i = 0; i < num_their_proof_demands; i++) {
590 if (their_proof_demands[i] == kCHID) {
591 return true;
592 }
593 }
594 return false;
595 }
596
597 QuicClientSessionBase* QuicCryptoClientStream::client_session() {
598 return reinterpret_cast<QuicClientSessionBase*>(session());
599 }
600
601 } // namespace net