1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/quic/quic_crypto_client_stream.h"
7 #include "base/metrics/histogram_macros.h"
8 #include "base/profiler/scoped_tracker.h"
9 #include "net/quic/crypto/crypto_protocol.h"
10 #include "net/quic/crypto/crypto_utils.h"
11 #include "net/quic/crypto/null_encrypter.h"
12 #include "net/quic/quic_client_session_base.h"
13 #include "net/quic/quic_flags.h"
14 #include "net/quic/quic_protocol.h"
15 #include "net/quic/quic_session.h"
21 QuicCryptoClientStream::ChannelIDSourceCallbackImpl::
22 ChannelIDSourceCallbackImpl(QuicCryptoClientStream
* stream
)
25 QuicCryptoClientStream::ChannelIDSourceCallbackImpl::
26 ~ChannelIDSourceCallbackImpl() {}
28 void QuicCryptoClientStream::ChannelIDSourceCallbackImpl::Run(
29 scoped_ptr
<ChannelIDKey
>* channel_id_key
) {
30 if (stream_
== nullptr) {
34 stream_
->channel_id_key_
.reset(channel_id_key
->release());
35 stream_
->channel_id_source_callback_run_
= true;
36 stream_
->channel_id_source_callback_
= nullptr;
37 stream_
->DoHandshakeLoop(nullptr);
39 // The ChannelIDSource owns this object and will delete it when this method
43 void QuicCryptoClientStream::ChannelIDSourceCallbackImpl::Cancel() {
47 QuicCryptoClientStream::ProofVerifierCallbackImpl::ProofVerifierCallbackImpl(
48 QuicCryptoClientStream
* stream
)
51 QuicCryptoClientStream::ProofVerifierCallbackImpl::
52 ~ProofVerifierCallbackImpl() {}
54 void QuicCryptoClientStream::ProofVerifierCallbackImpl::Run(
56 const string
& error_details
,
57 scoped_ptr
<ProofVerifyDetails
>* details
) {
58 if (stream_
== nullptr) {
62 stream_
->verify_ok_
= ok
;
63 stream_
->verify_error_details_
= error_details
;
64 stream_
->verify_details_
.reset(details
->release());
65 stream_
->proof_verify_callback_
= nullptr;
66 stream_
->DoHandshakeLoop(nullptr);
68 // The ProofVerifier owns this object and will delete it when this method
72 void QuicCryptoClientStream::ProofVerifierCallbackImpl::Cancel() {
76 QuicCryptoClientStream::QuicCryptoClientStream(
77 const QuicServerId
& server_id
,
78 QuicClientSessionBase
* session
,
79 ProofVerifyContext
* verify_context
,
80 QuicCryptoClientConfig
* crypto_config
)
81 : QuicCryptoStream(session
),
82 next_state_(STATE_IDLE
),
83 num_client_hellos_(0),
84 crypto_config_(crypto_config
),
85 server_id_(server_id
),
86 generation_counter_(0),
87 channel_id_sent_(false),
88 channel_id_source_callback_run_(false),
89 channel_id_source_callback_(nullptr),
90 verify_context_(verify_context
),
91 proof_verify_callback_(nullptr),
92 stateless_reject_received_(false) {
93 DCHECK_EQ(Perspective::IS_CLIENT
, session
->connection()->perspective());
96 QuicCryptoClientStream::~QuicCryptoClientStream() {
97 if (channel_id_source_callback_
) {
98 channel_id_source_callback_
->Cancel();
100 if (proof_verify_callback_
) {
101 proof_verify_callback_
->Cancel();
105 void QuicCryptoClientStream::OnHandshakeMessage(
106 const CryptoHandshakeMessage
& message
) {
107 QuicCryptoStream::OnHandshakeMessage(message
);
109 if (message
.tag() == kSCUP
) {
110 if (!handshake_confirmed()) {
111 CloseConnection(QUIC_CRYPTO_UPDATE_BEFORE_HANDSHAKE_COMPLETE
);
115 // |message| is an update from the server, so we treat it differently from a
116 // handshake message.
117 HandleServerConfigUpdateMessage(message
);
121 // Do not process handshake messages after the handshake is confirmed.
122 if (handshake_confirmed()) {
123 CloseConnection(QUIC_CRYPTO_MESSAGE_AFTER_HANDSHAKE_COMPLETE
);
127 DoHandshakeLoop(&message
);
130 void QuicCryptoClientStream::CryptoConnect() {
131 next_state_
= STATE_INITIALIZE
;
132 DoHandshakeLoop(nullptr);
135 int QuicCryptoClientStream::num_sent_client_hellos() const {
136 return num_client_hellos_
;
139 // Used in Chromium, but not in the server.
140 bool QuicCryptoClientStream::WasChannelIDSent() const {
141 return channel_id_sent_
;
144 bool QuicCryptoClientStream::WasChannelIDSourceCallbackRun() const {
145 return channel_id_source_callback_run_
;
148 void QuicCryptoClientStream::HandleServerConfigUpdateMessage(
149 const CryptoHandshakeMessage
& server_config_update
) {
150 DCHECK(server_config_update
.tag() == kSCUP
);
151 string error_details
;
152 QuicCryptoClientConfig::CachedState
* cached
=
153 crypto_config_
->LookupOrCreate(server_id_
);
154 QuicErrorCode error
= crypto_config_
->ProcessServerConfigUpdate(
155 server_config_update
,
156 session()->connection()->clock()->WallNow(),
158 &crypto_negotiated_params_
,
161 if (error
!= QUIC_NO_ERROR
) {
162 CloseConnectionWithDetails(
163 error
, "Server config update invalid: " + error_details
);
167 DCHECK(handshake_confirmed());
168 if (proof_verify_callback_
) {
169 proof_verify_callback_
->Cancel();
171 next_state_
= STATE_INITIALIZE_SCUP
;
172 DoHandshakeLoop(nullptr);
175 // kMaxClientHellos is the maximum number of times that we'll send a client
176 // hello. The value 3 accounts for:
177 // * One failure due to an incorrect or missing source-address token.
178 // * One failure due the server's certificate chain being unavailible and the
179 // server being unwilling to send it without a valid source-address token.
180 static const int kMaxClientHellos
= 3;
182 void QuicCryptoClientStream::DoHandshakeLoop(
183 const CryptoHandshakeMessage
* in
) {
184 QuicCryptoClientConfig::CachedState
* cached
=
185 crypto_config_
->LookupOrCreate(server_id_
);
187 QuicAsyncStatus rv
= QUIC_SUCCESS
;
189 CHECK_NE(STATE_NONE
, next_state_
);
190 const State state
= next_state_
;
191 next_state_
= STATE_IDLE
;
194 case STATE_INITIALIZE
:
195 DoInitialize(cached
);
197 case STATE_SEND_CHLO
:
198 DoSendCHLO(in
, cached
);
199 return; // return waiting to hear from server.
201 DoReceiveREJ(in
, cached
);
203 case STATE_VERIFY_PROOF
:
204 rv
= DoVerifyProof(cached
);
206 case STATE_VERIFY_PROOF_COMPLETE
:
207 DoVerifyProofComplete(cached
);
209 case STATE_GET_CHANNEL_ID
:
210 rv
= DoGetChannelID(cached
);
212 case STATE_GET_CHANNEL_ID_COMPLETE
:
213 DoGetChannelIDComplete();
215 case STATE_RECV_SHLO
:
216 DoReceiveSHLO(in
, cached
);
219 // This means that the peer sent us a message that we weren't expecting.
220 CloseConnection(QUIC_INVALID_CRYPTO_MESSAGE_TYPE
);
222 case STATE_INITIALIZE_SCUP
:
223 DoInitializeServerConfigUpdate(cached
);
227 return; // We are done.
229 } while (rv
!= QUIC_PENDING
&& next_state_
!= STATE_NONE
);
232 void QuicCryptoClientStream::DoInitialize(
233 QuicCryptoClientConfig::CachedState
* cached
) {
234 if (!cached
->IsEmpty() && !cached
->signature().empty() &&
235 server_id_
.is_https()) {
236 // Note that we verify the proof even if the cached proof is valid.
237 // This allows us to respond to CA trust changes or certificate
238 // expiration because it may have been a while since we last verified
240 DCHECK(crypto_config_
->proof_verifier());
241 // If the cached state needs to be verified, do it now.
242 next_state_
= STATE_VERIFY_PROOF
;
244 next_state_
= STATE_GET_CHANNEL_ID
;
248 void QuicCryptoClientStream::DoSendCHLO(
249 const CryptoHandshakeMessage
* in
,
250 QuicCryptoClientConfig::CachedState
* cached
) {
251 if (stateless_reject_received_
) {
252 // If we've gotten to this point, we've sent at least one hello
253 // and received a stateless reject in response. We cannot
254 // continue to send hellos because the server has abandoned state
255 // for this connection. Abandon further handshakes.
256 next_state_
= STATE_NONE
;
257 if (session()->connection()->connected()) {
258 session()->connection()->CloseConnection(
259 QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT
, false);
264 // Send the client hello in plaintext.
265 session()->connection()->SetDefaultEncryptionLevel(ENCRYPTION_NONE
);
266 if (num_client_hellos_
> kMaxClientHellos
) {
267 CloseConnection(QUIC_CRYPTO_TOO_MANY_REJECTS
);
270 num_client_hellos_
++;
272 CryptoHandshakeMessage out
;
273 DCHECK(session() != nullptr);
274 DCHECK(session()->config() != nullptr);
275 // Send all the options, regardless of whether we're sending an
276 // inchoate or subsequent hello.
277 session()->config()->ToHandshakeMessage(&out
);
278 if (!cached
->IsComplete(session()->connection()->clock()->WallNow())) {
279 crypto_config_
->FillInchoateClientHello(
281 session()->connection()->supported_versions().front(),
282 cached
, &crypto_negotiated_params_
, &out
);
283 // Pad the inchoate client hello to fill up a packet.
284 const QuicByteCount kFramingOverhead
= 50; // A rough estimate.
285 const QuicByteCount max_packet_size
=
286 session()->connection()->max_packet_length();
287 if (max_packet_size
<= kFramingOverhead
) {
288 DLOG(DFATAL
) << "max_packet_length (" << max_packet_size
289 << ") has no room for framing overhead.";
290 CloseConnection(QUIC_INTERNAL_ERROR
);
293 if (kClientHelloMinimumSize
> max_packet_size
- kFramingOverhead
) {
294 DLOG(DFATAL
) << "Client hello won't fit in a single packet.";
295 CloseConnection(QUIC_INTERNAL_ERROR
);
298 out
.set_minimum_size(
299 static_cast<size_t>(max_packet_size
- kFramingOverhead
));
300 next_state_
= STATE_RECV_REJ
;
301 SendHandshakeMessage(out
);
305 // If the server nonce is empty, copy over the server nonce from a previous
306 // SREJ, if there is one.
307 if (FLAGS_enable_quic_stateless_reject_support
&&
308 crypto_negotiated_params_
.server_nonce
.empty() &&
309 cached
->has_server_nonce()) {
310 crypto_negotiated_params_
.server_nonce
= cached
->GetNextServerNonce();
311 DCHECK(!crypto_negotiated_params_
.server_nonce
.empty());
314 string error_details
;
315 QuicErrorCode error
= crypto_config_
->FillClientHello(
317 session()->connection()->connection_id(),
318 session()->connection()->supported_versions().front(),
320 session()->connection()->clock()->WallNow(),
321 session()->connection()->random_generator(),
322 channel_id_key_
.get(),
323 &crypto_negotiated_params_
,
327 if (error
!= QUIC_NO_ERROR
) {
328 // Flush the cached config so that, if it's bad, the server has a
329 // chance to send us another in the future.
330 cached
->InvalidateServerConfig();
331 CloseConnectionWithDetails(error
, error_details
);
334 channel_id_sent_
= (channel_id_key_
.get() != nullptr);
335 if (cached
->proof_verify_details()) {
336 client_session()->OnProofVerifyDetailsAvailable(
337 *cached
->proof_verify_details());
339 next_state_
= STATE_RECV_SHLO
;
340 SendHandshakeMessage(out
);
341 // Be prepared to decrypt with the new server write key.
342 session()->connection()->SetAlternativeDecrypter(
343 crypto_negotiated_params_
.initial_crypters
.decrypter
.release(),
345 true /* latch once used */);
346 // Send subsequent packets under encryption on the assumption that the
347 // server will accept the handshake.
348 session()->connection()->SetEncrypter(
350 crypto_negotiated_params_
.initial_crypters
.encrypter
.release());
351 session()->connection()->SetDefaultEncryptionLevel(
353 if (!encryption_established_
) {
354 encryption_established_
= true;
355 session()->OnCryptoHandshakeEvent(
356 QuicSession::ENCRYPTION_FIRST_ESTABLISHED
);
358 session()->OnCryptoHandshakeEvent(
359 QuicSession::ENCRYPTION_REESTABLISHED
);
363 void QuicCryptoClientStream::DoReceiveREJ(
364 const CryptoHandshakeMessage
* in
,
365 QuicCryptoClientConfig::CachedState
* cached
) {
366 // TODO(rtenneti): Remove ScopedTracker below once crbug.com/422516 is fixed.
367 tracked_objects::ScopedTracker
tracking_profile(
368 FROM_HERE_WITH_EXPLICIT_FUNCTION(
369 "422516 QuicCryptoClientStream::DoReceiveREJ"));
371 // We sent a dummy CHLO because we didn't have enough information to
372 // perform a handshake, or we sent a full hello that the server
373 // rejected. Here we hope to have a REJ that contains the information
375 if ((in
->tag() != kREJ
) && (in
->tag() != kSREJ
)) {
376 next_state_
= STATE_NONE
;
377 CloseConnectionWithDetails(QUIC_INVALID_CRYPTO_MESSAGE_TYPE
,
381 stateless_reject_received_
= in
->tag() == kSREJ
;
382 string error_details
;
383 QuicErrorCode error
= crypto_config_
->ProcessRejection(
384 *in
, session()->connection()->clock()->WallNow(), cached
,
385 server_id_
.is_https(), &crypto_negotiated_params_
, &error_details
);
387 if (error
!= QUIC_NO_ERROR
) {
388 next_state_
= STATE_NONE
;
389 CloseConnectionWithDetails(error
, error_details
);
392 if (!cached
->proof_valid()) {
393 if (!server_id_
.is_https()) {
394 // We don't check the certificates for insecure QUIC connections.
395 SetCachedProofValid(cached
);
396 } else if (!cached
->signature().empty()) {
397 // Note that we only verify the proof if the cached proof is not
398 // valid. If the cached proof is valid here, someone else must have
399 // just added the server config to the cache and verified the proof,
400 // so we can assume no CA trust changes or certificate expiration
401 // has happened since then.
402 next_state_
= STATE_VERIFY_PROOF
;
406 next_state_
= STATE_GET_CHANNEL_ID
;
409 QuicAsyncStatus
QuicCryptoClientStream::DoVerifyProof(
410 QuicCryptoClientConfig::CachedState
* cached
) {
411 ProofVerifier
* verifier
= crypto_config_
->proof_verifier();
413 next_state_
= STATE_VERIFY_PROOF_COMPLETE
;
414 generation_counter_
= cached
->generation_counter();
416 ProofVerifierCallbackImpl
* proof_verify_callback
=
417 new ProofVerifierCallbackImpl(this);
421 QuicAsyncStatus status
= verifier
->VerifyProof(
423 cached
->server_config(),
426 verify_context_
.get(),
427 &verify_error_details_
,
429 proof_verify_callback
);
433 proof_verify_callback_
= proof_verify_callback
;
434 DVLOG(1) << "Doing VerifyProof";
437 delete proof_verify_callback
;
440 delete proof_verify_callback
;
447 void QuicCryptoClientStream::DoVerifyProofComplete(
448 QuicCryptoClientConfig::CachedState
* cached
) {
450 next_state_
= STATE_NONE
;
451 if (verify_details_
.get()) {
452 client_session()->OnProofVerifyDetailsAvailable(*verify_details_
);
454 UMA_HISTOGRAM_BOOLEAN("Net.QuicVerifyProofFailed.HandshakeConfirmed",
455 handshake_confirmed());
456 CloseConnectionWithDetails(
457 QUIC_PROOF_INVALID
, "Proof invalid: " + verify_error_details_
);
461 // Check if generation_counter has changed between STATE_VERIFY_PROOF and
462 // STATE_VERIFY_PROOF_COMPLETE state changes.
463 if (generation_counter_
!= cached
->generation_counter()) {
464 next_state_
= STATE_VERIFY_PROOF
;
466 SetCachedProofValid(cached
);
467 cached
->SetProofVerifyDetails(verify_details_
.release());
468 if (!handshake_confirmed()) {
469 next_state_
= STATE_GET_CHANNEL_ID
;
471 next_state_
= STATE_NONE
;
476 QuicAsyncStatus
QuicCryptoClientStream::DoGetChannelID(
477 QuicCryptoClientConfig::CachedState
* cached
) {
478 next_state_
= STATE_GET_CHANNEL_ID_COMPLETE
;
479 channel_id_key_
.reset();
480 if (!RequiresChannelID(cached
)) {
481 next_state_
= STATE_SEND_CHLO
;
485 ChannelIDSourceCallbackImpl
* channel_id_source_callback
=
486 new ChannelIDSourceCallbackImpl(this);
487 QuicAsyncStatus status
=
488 crypto_config_
->channel_id_source()->GetChannelIDKey(
489 server_id_
.host(), &channel_id_key_
,
490 channel_id_source_callback
);
494 channel_id_source_callback_
= channel_id_source_callback
;
495 DVLOG(1) << "Looking up channel ID";
498 next_state_
= STATE_NONE
;
499 delete channel_id_source_callback
;
500 CloseConnectionWithDetails(QUIC_INVALID_CHANNEL_ID_SIGNATURE
,
501 "Channel ID lookup failed");
504 delete channel_id_source_callback
;
510 void QuicCryptoClientStream::DoGetChannelIDComplete() {
511 if (!channel_id_key_
.get()) {
512 next_state_
= STATE_NONE
;
513 CloseConnectionWithDetails(QUIC_INVALID_CHANNEL_ID_SIGNATURE
,
514 "Channel ID lookup failed");
517 next_state_
= STATE_SEND_CHLO
;
520 void QuicCryptoClientStream::DoReceiveSHLO(
521 const CryptoHandshakeMessage
* in
,
522 QuicCryptoClientConfig::CachedState
* cached
) {
523 next_state_
= STATE_NONE
;
524 // We sent a CHLO that we expected to be accepted and now we're
525 // hoping for a SHLO from the server to confirm that. First check
526 // to see whether the response was a reject, and if so, move on to
527 // the reject-processing state.
528 if ((in
->tag() == kREJ
) || (in
->tag() == kSREJ
)) {
529 // alternative_decrypter will be nullptr if the original alternative
530 // decrypter latched and became the primary decrypter. That happens
531 // if we received a message encrypted with the INITIAL key.
532 if (session()->connection()->alternative_decrypter() == nullptr) {
533 // The rejection was sent encrypted!
534 CloseConnectionWithDetails(QUIC_CRYPTO_ENCRYPTION_LEVEL_INCORRECT
,
535 "encrypted REJ message");
538 next_state_
= STATE_RECV_REJ
;
542 if (in
->tag() != kSHLO
) {
543 CloseConnectionWithDetails(QUIC_INVALID_CRYPTO_MESSAGE_TYPE
,
544 "Expected SHLO or REJ");
548 // alternative_decrypter will be nullptr if the original alternative
549 // decrypter latched and became the primary decrypter. That happens
550 // if we received a message encrypted with the INITIAL key.
551 if (session()->connection()->alternative_decrypter() != nullptr) {
552 // The server hello was sent without encryption.
553 CloseConnectionWithDetails(QUIC_CRYPTO_ENCRYPTION_LEVEL_INCORRECT
,
554 "unencrypted SHLO message");
558 string error_details
;
559 QuicErrorCode error
= crypto_config_
->ProcessServerHello(
560 *in
, session()->connection()->connection_id(),
561 session()->connection()->server_supported_versions(),
562 cached
, &crypto_negotiated_params_
, &error_details
);
564 if (error
!= QUIC_NO_ERROR
) {
565 CloseConnectionWithDetails(error
, "Server hello invalid: " + error_details
);
568 error
= session()->config()->ProcessPeerHello(*in
, SERVER
, &error_details
);
569 if (error
!= QUIC_NO_ERROR
) {
570 CloseConnectionWithDetails(error
, "Server hello invalid: " + error_details
);
573 session()->OnConfigNegotiated();
575 CrypterPair
* crypters
= &crypto_negotiated_params_
.forward_secure_crypters
;
576 // TODO(agl): we don't currently latch this decrypter because the idea
577 // has been floated that the server shouldn't send packets encrypted
578 // with the FORWARD_SECURE key until it receives a FORWARD_SECURE
579 // packet from the client.
580 session()->connection()->SetAlternativeDecrypter(
581 crypters
->decrypter
.release(), ENCRYPTION_FORWARD_SECURE
,
582 false /* don't latch */);
583 session()->connection()->SetEncrypter(
584 ENCRYPTION_FORWARD_SECURE
, crypters
->encrypter
.release());
585 session()->connection()->SetDefaultEncryptionLevel(
586 ENCRYPTION_FORWARD_SECURE
);
588 handshake_confirmed_
= true;
589 session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED
);
590 session()->connection()->OnHandshakeComplete();
593 void QuicCryptoClientStream::DoInitializeServerConfigUpdate(
594 QuicCryptoClientConfig::CachedState
* cached
) {
595 bool update_ignored
= false;
596 if (!server_id_
.is_https()) {
597 // We don't check the certificates for insecure QUIC connections.
598 SetCachedProofValid(cached
);
599 next_state_
= STATE_NONE
;
600 } else if (!cached
->IsEmpty() && !cached
->signature().empty()) {
601 // Note that we verify the proof even if the cached proof is valid.
602 DCHECK(crypto_config_
->proof_verifier());
603 next_state_
= STATE_VERIFY_PROOF
;
605 update_ignored
= true;
606 next_state_
= STATE_NONE
;
608 UMA_HISTOGRAM_COUNTS("Net.QuicNumServerConfig.UpdateMessagesIgnored",
612 void QuicCryptoClientStream::SetCachedProofValid(
613 QuicCryptoClientConfig::CachedState
* cached
) {
614 cached
->SetProofValid();
615 client_session()->OnProofValid(*cached
);
618 bool QuicCryptoClientStream::RequiresChannelID(
619 QuicCryptoClientConfig::CachedState
* cached
) {
620 if (!server_id_
.is_https() ||
621 server_id_
.privacy_mode() == PRIVACY_MODE_ENABLED
||
622 !crypto_config_
->channel_id_source()) {
625 const CryptoHandshakeMessage
* scfg
= cached
->GetServerConfig();
626 if (!scfg
) { // scfg may be null then we send an inchoate CHLO.
629 const QuicTag
* their_proof_demands
;
630 size_t num_their_proof_demands
;
631 if (scfg
->GetTaglist(kPDMD
, &their_proof_demands
,
632 &num_their_proof_demands
) != QUIC_NO_ERROR
) {
635 for (size_t i
= 0; i
< num_their_proof_demands
; i
++) {
636 if (their_proof_demands
[i
] == kCHID
) {
643 QuicClientSessionBase
* QuicCryptoClientStream::client_session() {
644 return reinterpret_cast<QuicClientSessionBase
*>(session());