Add ENABLE_MEDIA_ROUTER define to builds other than Android and iOS.
[chromium-blink-merge.git] / net / quic / quic_crypto_client_stream.cc
blobaa1b6ee8a05f057e46e8973c52f27308b76a8ec5
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/quic/quic_crypto_client_stream.h"
7 #include "base/metrics/histogram.h"
8 #include "base/profiler/scoped_tracker.h"
9 #include "net/quic/crypto/crypto_protocol.h"
10 #include "net/quic/crypto/crypto_utils.h"
11 #include "net/quic/crypto/null_encrypter.h"
12 #include "net/quic/quic_client_session_base.h"
13 #include "net/quic/quic_protocol.h"
14 #include "net/quic/quic_session.h"
16 using std::string;
18 namespace net {
20 QuicCryptoClientStream::ChannelIDSourceCallbackImpl::
21 ChannelIDSourceCallbackImpl(QuicCryptoClientStream* stream)
22 : stream_(stream) {}
24 QuicCryptoClientStream::ChannelIDSourceCallbackImpl::
25 ~ChannelIDSourceCallbackImpl() {}
27 void QuicCryptoClientStream::ChannelIDSourceCallbackImpl::Run(
28 scoped_ptr<ChannelIDKey>* channel_id_key) {
29 if (stream_ == nullptr) {
30 return;
33 stream_->channel_id_key_.reset(channel_id_key->release());
34 stream_->channel_id_source_callback_run_ = true;
35 stream_->channel_id_source_callback_ = nullptr;
36 stream_->DoHandshakeLoop(nullptr);
38 // The ChannelIDSource owns this object and will delete it when this method
39 // returns.
42 void QuicCryptoClientStream::ChannelIDSourceCallbackImpl::Cancel() {
43 stream_ = nullptr;
46 QuicCryptoClientStream::ProofVerifierCallbackImpl::ProofVerifierCallbackImpl(
47 QuicCryptoClientStream* stream)
48 : stream_(stream) {}
50 QuicCryptoClientStream::ProofVerifierCallbackImpl::
51 ~ProofVerifierCallbackImpl() {}
53 void QuicCryptoClientStream::ProofVerifierCallbackImpl::Run(
54 bool ok,
55 const string& error_details,
56 scoped_ptr<ProofVerifyDetails>* details) {
57 if (stream_ == nullptr) {
58 return;
61 stream_->verify_ok_ = ok;
62 stream_->verify_error_details_ = error_details;
63 stream_->verify_details_.reset(details->release());
64 stream_->proof_verify_callback_ = nullptr;
65 stream_->DoHandshakeLoop(nullptr);
67 // The ProofVerifier owns this object and will delete it when this method
68 // returns.
71 void QuicCryptoClientStream::ProofVerifierCallbackImpl::Cancel() {
72 stream_ = nullptr;
75 QuicCryptoClientStream::QuicCryptoClientStream(
76 const QuicServerId& server_id,
77 QuicClientSessionBase* session,
78 ProofVerifyContext* verify_context,
79 QuicCryptoClientConfig* crypto_config)
80 : QuicCryptoStream(session),
81 next_state_(STATE_IDLE),
82 num_client_hellos_(0),
83 crypto_config_(crypto_config),
84 server_id_(server_id),
85 generation_counter_(0),
86 channel_id_sent_(false),
87 channel_id_source_callback_run_(false),
88 channel_id_source_callback_(nullptr),
89 verify_context_(verify_context),
90 proof_verify_callback_(nullptr) {
91 DCHECK_EQ(Perspective::IS_CLIENT, session->connection()->perspective());
94 QuicCryptoClientStream::~QuicCryptoClientStream() {
95 if (channel_id_source_callback_) {
96 channel_id_source_callback_->Cancel();
98 if (proof_verify_callback_) {
99 proof_verify_callback_->Cancel();
103 void QuicCryptoClientStream::OnHandshakeMessage(
104 const CryptoHandshakeMessage& message) {
105 QuicCryptoStream::OnHandshakeMessage(message);
107 if (message.tag() == kSCUP) {
108 if (!handshake_confirmed()) {
109 CloseConnection(QUIC_CRYPTO_UPDATE_BEFORE_HANDSHAKE_COMPLETE);
110 return;
113 // |message| is an update from the server, so we treat it differently from a
114 // handshake message.
115 HandleServerConfigUpdateMessage(message);
116 return;
119 // Do not process handshake messages after the handshake is confirmed.
120 if (handshake_confirmed()) {
121 CloseConnection(QUIC_CRYPTO_MESSAGE_AFTER_HANDSHAKE_COMPLETE);
122 return;
125 DoHandshakeLoop(&message);
128 void QuicCryptoClientStream::CryptoConnect() {
129 next_state_ = STATE_INITIALIZE;
130 DoHandshakeLoop(nullptr);
133 int QuicCryptoClientStream::num_sent_client_hellos() const {
134 return num_client_hellos_;
137 // Used in Chromium, but not in the server.
138 bool QuicCryptoClientStream::WasChannelIDSent() const {
139 return channel_id_sent_;
142 bool QuicCryptoClientStream::WasChannelIDSourceCallbackRun() const {
143 return channel_id_source_callback_run_;
146 void QuicCryptoClientStream::HandleServerConfigUpdateMessage(
147 const CryptoHandshakeMessage& server_config_update) {
148 DCHECK(server_config_update.tag() == kSCUP);
149 string error_details;
150 QuicCryptoClientConfig::CachedState* cached =
151 crypto_config_->LookupOrCreate(server_id_);
152 QuicErrorCode error = crypto_config_->ProcessServerConfigUpdate(
153 server_config_update,
154 session()->connection()->clock()->WallNow(),
155 cached,
156 &crypto_negotiated_params_,
157 &error_details);
159 if (error != QUIC_NO_ERROR) {
160 CloseConnectionWithDetails(
161 error, "Server config update invalid: " + error_details);
162 return;
165 DCHECK(handshake_confirmed());
166 if (proof_verify_callback_) {
167 proof_verify_callback_->Cancel();
169 next_state_ = STATE_INITIALIZE_SCUP;
170 DoHandshakeLoop(nullptr);
173 // kMaxClientHellos is the maximum number of times that we'll send a client
174 // hello. The value 3 accounts for:
175 // * One failure due to an incorrect or missing source-address token.
176 // * One failure due the server's certificate chain being unavailible and the
177 // server being unwilling to send it without a valid source-address token.
178 static const int kMaxClientHellos = 3;
180 void QuicCryptoClientStream::DoHandshakeLoop(
181 const CryptoHandshakeMessage* in) {
182 QuicCryptoClientConfig::CachedState* cached =
183 crypto_config_->LookupOrCreate(server_id_);
185 QuicAsyncStatus rv = QUIC_SUCCESS;
186 do {
187 CHECK_NE(STATE_NONE, next_state_);
188 const State state = next_state_;
189 next_state_ = STATE_IDLE;
190 rv = QUIC_SUCCESS;
191 switch (state) {
192 case STATE_INITIALIZE:
193 DoInitialize(cached);
194 break;
195 case STATE_SEND_CHLO:
196 DoSendCHLO(in, cached);
197 return; // return waiting to hear from server.
198 case STATE_RECV_REJ:
199 DoReceiveREJ(in, cached);
200 break;
201 case STATE_VERIFY_PROOF:
202 rv = DoVerifyProof(cached);
203 break;
204 case STATE_VERIFY_PROOF_COMPLETE:
205 DoVerifyProofComplete(cached);
206 break;
207 case STATE_GET_CHANNEL_ID:
208 rv = DoGetChannelID(cached);
209 break;
210 case STATE_GET_CHANNEL_ID_COMPLETE:
211 DoGetChannelIDComplete();
212 break;
213 case STATE_RECV_SHLO:
214 DoReceiveSHLO(in, cached);
215 break;
216 case STATE_IDLE:
217 // This means that the peer sent us a message that we weren't expecting.
218 CloseConnection(QUIC_INVALID_CRYPTO_MESSAGE_TYPE);
219 return;
220 case STATE_INITIALIZE_SCUP:
221 DoInitializeServerConfigUpdate(cached);
222 break;
223 case STATE_NONE:
224 NOTREACHED();
225 return; // We are done.
227 } while (rv != QUIC_PENDING && next_state_ != STATE_NONE);
230 void QuicCryptoClientStream::DoInitialize(
231 QuicCryptoClientConfig::CachedState* cached) {
232 if (!cached->IsEmpty() && !cached->signature().empty() &&
233 server_id_.is_https()) {
234 // Note that we verify the proof even if the cached proof is valid.
235 // This allows us to respond to CA trust changes or certificate
236 // expiration because it may have been a while since we last verified
237 // the proof.
238 DCHECK(crypto_config_->proof_verifier());
239 // If the cached state needs to be verified, do it now.
240 next_state_ = STATE_VERIFY_PROOF;
241 } else {
242 next_state_ = STATE_GET_CHANNEL_ID;
246 void QuicCryptoClientStream::DoSendCHLO(
247 const CryptoHandshakeMessage* in,
248 QuicCryptoClientConfig::CachedState* cached) {
249 // TODO(rtenneti): Remove ScopedTracker below once crbug.com/422516 is fixed.
250 tracked_objects::ScopedTracker tracking_profile1(
251 FROM_HERE_WITH_EXPLICIT_FUNCTION(
252 "422516 QuicCryptoClientStream::DoSendCHLO1"));
254 // Send the client hello in plaintext.
255 session()->connection()->SetDefaultEncryptionLevel(ENCRYPTION_NONE);
256 if (num_client_hellos_ > kMaxClientHellos) {
257 CloseConnection(QUIC_CRYPTO_TOO_MANY_REJECTS);
258 return;
260 num_client_hellos_++;
262 CryptoHandshakeMessage out;
263 if (!cached->IsComplete(session()->connection()->clock()->WallNow())) {
264 crypto_config_->FillInchoateClientHello(
265 server_id_,
266 session()->connection()->supported_versions().front(),
267 cached, &crypto_negotiated_params_, &out);
268 // Pad the inchoate client hello to fill up a packet.
269 const QuicByteCount kFramingOverhead = 50; // A rough estimate.
270 const QuicByteCount max_packet_size =
271 session()->connection()->max_packet_length();
272 if (max_packet_size <= kFramingOverhead) {
273 DLOG(DFATAL) << "max_packet_length (" << max_packet_size
274 << ") has no room for framing overhead.";
275 CloseConnection(QUIC_INTERNAL_ERROR);
276 return;
278 if (kClientHelloMinimumSize > max_packet_size - kFramingOverhead) {
279 DLOG(DFATAL) << "Client hello won't fit in a single packet.";
280 CloseConnection(QUIC_INTERNAL_ERROR);
281 return;
283 out.set_minimum_size(
284 static_cast<size_t>(max_packet_size - kFramingOverhead));
285 next_state_ = STATE_RECV_REJ;
286 SendHandshakeMessage(out);
287 return;
290 session()->config()->ToHandshakeMessage(&out);
291 string error_details;
292 QuicErrorCode error = crypto_config_->FillClientHello(
293 server_id_,
294 session()->connection()->connection_id(),
295 session()->connection()->supported_versions().front(),
296 cached,
297 session()->connection()->clock()->WallNow(),
298 session()->connection()->random_generator(),
299 channel_id_key_.get(),
300 &crypto_negotiated_params_,
301 &out,
302 &error_details);
304 // TODO(rtenneti): Remove ScopedTracker below once crbug.com/422516 is fixed.
305 tracked_objects::ScopedTracker tracking_profile2(
306 FROM_HERE_WITH_EXPLICIT_FUNCTION(
307 "422516 QuicCryptoClientStream::DoSendCHLO2"));
309 if (error != QUIC_NO_ERROR) {
310 // Flush the cached config so that, if it's bad, the server has a
311 // chance to send us another in the future.
312 cached->InvalidateServerConfig();
313 CloseConnectionWithDetails(error, error_details);
314 return;
316 channel_id_sent_ = (channel_id_key_.get() != nullptr);
317 if (cached->proof_verify_details()) {
318 client_session()->OnProofVerifyDetailsAvailable(
319 *cached->proof_verify_details());
321 next_state_ = STATE_RECV_SHLO;
322 SendHandshakeMessage(out);
323 // Be prepared to decrypt with the new server write key.
324 session()->connection()->SetAlternativeDecrypter(
325 crypto_negotiated_params_.initial_crypters.decrypter.release(),
326 ENCRYPTION_INITIAL,
327 true /* latch once used */);
328 // Send subsequent packets under encryption on the assumption that the
329 // server will accept the handshake.
330 session()->connection()->SetEncrypter(
331 ENCRYPTION_INITIAL,
332 crypto_negotiated_params_.initial_crypters.encrypter.release());
333 session()->connection()->SetDefaultEncryptionLevel(
334 ENCRYPTION_INITIAL);
335 if (!encryption_established_) {
336 encryption_established_ = true;
337 session()->OnCryptoHandshakeEvent(
338 QuicSession::ENCRYPTION_FIRST_ESTABLISHED);
339 } else {
340 session()->OnCryptoHandshakeEvent(
341 QuicSession::ENCRYPTION_REESTABLISHED);
345 void QuicCryptoClientStream::DoReceiveREJ(
346 const CryptoHandshakeMessage* in,
347 QuicCryptoClientConfig::CachedState* cached) {
348 // TODO(rtenneti): Remove ScopedTracker below once crbug.com/422516 is fixed.
349 tracked_objects::ScopedTracker tracking_profile(
350 FROM_HERE_WITH_EXPLICIT_FUNCTION(
351 "422516 QuicCryptoClientStream::DoReceiveREJ"));
353 // We sent a dummy CHLO because we didn't have enough information to
354 // perform a handshake, or we sent a full hello that the server
355 // rejected. Here we hope to have a REJ that contains the information
356 // that we need.
357 if (in->tag() != kREJ) {
358 next_state_ = STATE_NONE;
359 CloseConnectionWithDetails(QUIC_INVALID_CRYPTO_MESSAGE_TYPE,
360 "Expected REJ");
361 return;
363 string error_details;
364 QuicErrorCode error = crypto_config_->ProcessRejection(
365 *in, session()->connection()->clock()->WallNow(), cached,
366 server_id_.is_https(), &crypto_negotiated_params_, &error_details);
367 if (error != QUIC_NO_ERROR) {
368 next_state_ = STATE_NONE;
369 CloseConnectionWithDetails(error, error_details);
370 return;
372 if (!cached->proof_valid()) {
373 if (!server_id_.is_https()) {
374 // We don't check the certificates for insecure QUIC connections.
375 SetCachedProofValid(cached);
376 } else if (!cached->signature().empty()) {
377 // Note that we only verify the proof if the cached proof is not
378 // valid. If the cached proof is valid here, someone else must have
379 // just added the server config to the cache and verified the proof,
380 // so we can assume no CA trust changes or certificate expiration
381 // has happened since then.
382 next_state_ = STATE_VERIFY_PROOF;
383 return;
386 next_state_ = STATE_GET_CHANNEL_ID;
389 QuicAsyncStatus QuicCryptoClientStream::DoVerifyProof(
390 QuicCryptoClientConfig::CachedState* cached) {
391 ProofVerifier* verifier = crypto_config_->proof_verifier();
392 DCHECK(verifier);
393 next_state_ = STATE_VERIFY_PROOF_COMPLETE;
394 generation_counter_ = cached->generation_counter();
396 ProofVerifierCallbackImpl* proof_verify_callback =
397 new ProofVerifierCallbackImpl(this);
399 verify_ok_ = false;
401 QuicAsyncStatus status = verifier->VerifyProof(
402 server_id_.host(),
403 cached->server_config(),
404 cached->certs(),
405 cached->signature(),
406 verify_context_.get(),
407 &verify_error_details_,
408 &verify_details_,
409 proof_verify_callback);
411 switch (status) {
412 case QUIC_PENDING:
413 proof_verify_callback_ = proof_verify_callback;
414 DVLOG(1) << "Doing VerifyProof";
415 break;
416 case QUIC_FAILURE:
417 delete proof_verify_callback;
418 break;
419 case QUIC_SUCCESS:
420 delete proof_verify_callback;
421 verify_ok_ = true;
422 break;
424 return status;
427 void QuicCryptoClientStream::DoVerifyProofComplete(
428 QuicCryptoClientConfig::CachedState* cached) {
429 if (!verify_ok_) {
430 next_state_ = STATE_NONE;
431 if (verify_details_.get()) {
432 client_session()->OnProofVerifyDetailsAvailable(*verify_details_);
434 UMA_HISTOGRAM_BOOLEAN("Net.QuicVerifyProofFailed.HandshakeConfirmed",
435 handshake_confirmed());
436 CloseConnectionWithDetails(
437 QUIC_PROOF_INVALID, "Proof invalid: " + verify_error_details_);
438 return;
441 // Check if generation_counter has changed between STATE_VERIFY_PROOF and
442 // STATE_VERIFY_PROOF_COMPLETE state changes.
443 if (generation_counter_ != cached->generation_counter()) {
444 next_state_ = STATE_VERIFY_PROOF;
445 } else {
446 SetCachedProofValid(cached);
447 cached->SetProofVerifyDetails(verify_details_.release());
448 if (!handshake_confirmed()) {
449 next_state_ = STATE_GET_CHANNEL_ID;
450 } else {
451 next_state_ = STATE_NONE;
456 QuicAsyncStatus QuicCryptoClientStream::DoGetChannelID(
457 QuicCryptoClientConfig::CachedState* cached) {
458 next_state_ = STATE_GET_CHANNEL_ID_COMPLETE;
459 channel_id_key_.reset();
460 if (!RequiresChannelID(cached)) {
461 next_state_ = STATE_SEND_CHLO;
462 return QUIC_SUCCESS;
465 ChannelIDSourceCallbackImpl* channel_id_source_callback =
466 new ChannelIDSourceCallbackImpl(this);
467 QuicAsyncStatus status =
468 crypto_config_->channel_id_source()->GetChannelIDKey(
469 server_id_.host(), &channel_id_key_,
470 channel_id_source_callback);
472 switch (status) {
473 case QUIC_PENDING:
474 channel_id_source_callback_ = channel_id_source_callback;
475 DVLOG(1) << "Looking up channel ID";
476 break;
477 case QUIC_FAILURE:
478 next_state_ = STATE_NONE;
479 delete channel_id_source_callback;
480 CloseConnectionWithDetails(QUIC_INVALID_CHANNEL_ID_SIGNATURE,
481 "Channel ID lookup failed");
482 break;
483 case QUIC_SUCCESS:
484 delete channel_id_source_callback;
485 break;
487 return status;
490 void QuicCryptoClientStream::DoGetChannelIDComplete() {
491 if (!channel_id_key_.get()) {
492 next_state_ = STATE_NONE;
493 CloseConnectionWithDetails(QUIC_INVALID_CHANNEL_ID_SIGNATURE,
494 "Channel ID lookup failed");
495 return;
497 next_state_ = STATE_SEND_CHLO;
500 void QuicCryptoClientStream::DoReceiveSHLO(
501 const CryptoHandshakeMessage* in,
502 QuicCryptoClientConfig::CachedState* cached) {
503 // TODO(rtenneti): Remove ScopedTracker below once crbug.com/422516 is fixed.
504 tracked_objects::ScopedTracker tracking_profile(
505 FROM_HERE_WITH_EXPLICIT_FUNCTION(
506 "422516 QuicCryptoClientStream::DoReceiveSHLO"));
508 next_state_ = STATE_NONE;
509 // We sent a CHLO that we expected to be accepted and now we're hoping
510 // for a SHLO from the server to confirm that.
511 if (in->tag() == kREJ) {
512 // alternative_decrypter will be nullptr if the original alternative
513 // decrypter latched and became the primary decrypter. That happens
514 // if we received a message encrypted with the INITIAL key.
515 if (session()->connection()->alternative_decrypter() == nullptr) {
516 // The rejection was sent encrypted!
517 CloseConnectionWithDetails(QUIC_CRYPTO_ENCRYPTION_LEVEL_INCORRECT,
518 "encrypted REJ message");
519 return;
521 next_state_ = STATE_RECV_REJ;
522 return;
525 if (in->tag() != kSHLO) {
526 CloseConnectionWithDetails(QUIC_INVALID_CRYPTO_MESSAGE_TYPE,
527 "Expected SHLO or REJ");
528 return;
531 // alternative_decrypter will be nullptr if the original alternative
532 // decrypter latched and became the primary decrypter. That happens
533 // if we received a message encrypted with the INITIAL key.
534 if (session()->connection()->alternative_decrypter() != nullptr) {
535 // The server hello was sent without encryption.
536 CloseConnectionWithDetails(QUIC_CRYPTO_ENCRYPTION_LEVEL_INCORRECT,
537 "unencrypted SHLO message");
538 return;
541 string error_details;
542 QuicErrorCode error = crypto_config_->ProcessServerHello(
543 *in, session()->connection()->connection_id(),
544 session()->connection()->server_supported_versions(),
545 cached, &crypto_negotiated_params_, &error_details);
547 if (error != QUIC_NO_ERROR) {
548 CloseConnectionWithDetails(error, "Server hello invalid: " + error_details);
549 return;
551 error = session()->config()->ProcessPeerHello(*in, SERVER, &error_details);
552 if (error != QUIC_NO_ERROR) {
553 CloseConnectionWithDetails(error, "Server hello invalid: " + error_details);
554 return;
556 session()->OnConfigNegotiated();
558 CrypterPair* crypters = &crypto_negotiated_params_.forward_secure_crypters;
559 // TODO(agl): we don't currently latch this decrypter because the idea
560 // has been floated that the server shouldn't send packets encrypted
561 // with the FORWARD_SECURE key until it receives a FORWARD_SECURE
562 // packet from the client.
563 session()->connection()->SetAlternativeDecrypter(
564 crypters->decrypter.release(), ENCRYPTION_FORWARD_SECURE,
565 false /* don't latch */);
566 session()->connection()->SetEncrypter(
567 ENCRYPTION_FORWARD_SECURE, crypters->encrypter.release());
568 session()->connection()->SetDefaultEncryptionLevel(
569 ENCRYPTION_FORWARD_SECURE);
571 handshake_confirmed_ = true;
572 session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
573 session()->connection()->OnHandshakeComplete();
576 void QuicCryptoClientStream::DoInitializeServerConfigUpdate(
577 QuicCryptoClientConfig::CachedState* cached) {
578 bool update_ignored = false;
579 if (!server_id_.is_https()) {
580 // We don't check the certificates for insecure QUIC connections.
581 SetCachedProofValid(cached);
582 next_state_ = STATE_NONE;
583 } else if (!cached->IsEmpty() && !cached->signature().empty()) {
584 // Note that we verify the proof even if the cached proof is valid.
585 DCHECK(crypto_config_->proof_verifier());
586 next_state_ = STATE_VERIFY_PROOF;
587 } else {
588 update_ignored = true;
589 next_state_ = STATE_NONE;
591 UMA_HISTOGRAM_COUNTS("Net.QuicNumServerConfig.UpdateMessagesIgnored",
592 update_ignored);
595 void QuicCryptoClientStream::SetCachedProofValid(
596 QuicCryptoClientConfig::CachedState* cached) {
597 cached->SetProofValid();
598 client_session()->OnProofValid(*cached);
601 bool QuicCryptoClientStream::RequiresChannelID(
602 QuicCryptoClientConfig::CachedState* cached) {
603 if (!server_id_.is_https() ||
604 server_id_.privacy_mode() == PRIVACY_MODE_ENABLED ||
605 !crypto_config_->channel_id_source()) {
606 return false;
608 const CryptoHandshakeMessage* scfg = cached->GetServerConfig();
609 if (!scfg) { // scfg may be null then we send an inchoate CHLO.
610 return false;
612 const QuicTag* their_proof_demands;
613 size_t num_their_proof_demands;
614 if (scfg->GetTaglist(kPDMD, &their_proof_demands,
615 &num_their_proof_demands) != QUIC_NO_ERROR) {
616 return false;
618 for (size_t i = 0; i < num_their_proof_demands; i++) {
619 if (their_proof_demands[i] == kCHID) {
620 return true;
623 return false;
626 QuicClientSessionBase* QuicCryptoClientStream::client_session() {
627 return reinterpret_cast<QuicClientSessionBase*>(session());
630 } // namespace net