OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/quic/quic_crypto_client_stream.h" | 5 #include "net/quic/quic_crypto_client_stream.h" |
6 | 6 |
7 #include "net/base/completion_callback.h" | |
8 #include "net/base/net_errors.h" | |
7 #include "net/quic/crypto/crypto_protocol.h" | 9 #include "net/quic/crypto/crypto_protocol.h" |
8 #include "net/quic/crypto/crypto_utils.h" | 10 #include "net/quic/crypto/crypto_utils.h" |
9 #include "net/quic/crypto/null_encrypter.h" | 11 #include "net/quic/crypto/null_encrypter.h" |
10 #include "net/quic/crypto/proof_verifier.h" | 12 #include "net/quic/crypto/proof_verifier.h" |
11 #include "net/quic/quic_protocol.h" | 13 #include "net/quic/quic_protocol.h" |
12 #include "net/quic/quic_session.h" | 14 #include "net/quic/quic_session.h" |
13 | 15 |
14 namespace net { | 16 namespace net { |
15 | 17 |
16 QuicCryptoClientStream::QuicCryptoClientStream( | 18 QuicCryptoClientStream::QuicCryptoClientStream( |
17 const string& server_hostname, | 19 const string& server_hostname, |
18 QuicSession* session, | 20 QuicSession* session, |
19 QuicCryptoClientConfig* crypto_config) | 21 QuicCryptoClientConfig* crypto_config) |
20 : QuicCryptoStream(session), | 22 : QuicCryptoStream(session), |
23 weak_factory_(this), | |
21 next_state_(STATE_IDLE), | 24 next_state_(STATE_IDLE), |
22 num_client_hellos_(0), | 25 num_client_hellos_(0), |
23 crypto_config_(crypto_config), | 26 crypto_config_(crypto_config), |
24 server_hostname_(server_hostname) { | 27 server_hostname_(server_hostname) { |
25 } | 28 } |
26 | 29 |
27 QuicCryptoClientStream::~QuicCryptoClientStream() { | 30 QuicCryptoClientStream::~QuicCryptoClientStream() { |
28 } | 31 } |
29 | 32 |
30 void QuicCryptoClientStream::OnHandshakeMessage( | 33 void QuicCryptoClientStream::OnHandshakeMessage( |
31 const CryptoHandshakeMessage& message) { | 34 const CryptoHandshakeMessage& message) { |
32 DoHandshakeLoop(&message); | 35 DoHandshakeLoop(&message, OK); |
33 } | 36 } |
34 | 37 |
35 bool QuicCryptoClientStream::CryptoConnect() { | 38 bool QuicCryptoClientStream::CryptoConnect() { |
36 next_state_ = STATE_SEND_CHLO; | 39 next_state_ = STATE_SEND_CHLO; |
37 DoHandshakeLoop(NULL); | 40 DoHandshakeLoop(NULL, OK); |
38 return true; | 41 return true; |
39 } | 42 } |
40 | 43 |
41 int QuicCryptoClientStream::num_sent_client_hellos() const { | 44 int QuicCryptoClientStream::num_sent_client_hellos() const { |
42 return num_client_hellos_; | 45 return num_client_hellos_; |
43 } | 46 } |
44 | 47 |
45 // kMaxClientHellos is the maximum number of times that we'll send a client | 48 // kMaxClientHellos is the maximum number of times that we'll send a client |
46 // hello. The value 3 accounts for: | 49 // hello. The value 3 accounts for: |
47 // * One failure due to an incorrect or missing source-address token. | 50 // * One failure due to an incorrect or missing source-address token. |
48 // * One failure due the server's certificate chain being unavailible and the | 51 // * One failure due the server's certificate chain being unavailible and the |
49 // server being unwilling to send it without a valid source-address token. | 52 // server being unwilling to send it without a valid source-address token. |
50 static const int kMaxClientHellos = 3; | 53 static const int kMaxClientHellos = 3; |
51 | 54 |
52 void QuicCryptoClientStream::DoHandshakeLoop( | 55 void QuicCryptoClientStream::DoHandshakeLoop( |
53 const CryptoHandshakeMessage* in) { | 56 const CryptoHandshakeMessage* in, |
57 int result) { | |
54 CryptoHandshakeMessage out; | 58 CryptoHandshakeMessage out; |
55 QuicErrorCode error; | 59 QuicErrorCode error; |
56 string error_details; | 60 string error_details; |
57 QuicCryptoClientConfig::CachedState* cached = | 61 QuicCryptoClientConfig::CachedState* cached = |
58 crypto_config_->LookupOrCreate(server_hostname_); | 62 crypto_config_->LookupOrCreate(server_hostname_); |
59 | 63 |
60 if (in != NULL) { | 64 if (in != NULL) { |
61 DVLOG(1) << "Client received: " << in->DebugString(); | 65 DVLOG(1) << "Client received: " << in->DebugString(); |
62 } | 66 } |
63 | 67 |
(...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
132 return; | 136 return; |
133 } | 137 } |
134 error = crypto_config_->ProcessRejection( | 138 error = crypto_config_->ProcessRejection( |
135 cached, *in, session()->connection()->clock()->WallNow(), | 139 cached, *in, session()->connection()->clock()->WallNow(), |
136 &crypto_negotiated_params_, &error_details); | 140 &crypto_negotiated_params_, &error_details); |
137 if (error != QUIC_NO_ERROR) { | 141 if (error != QUIC_NO_ERROR) { |
138 CloseConnectionWithDetails(error, error_details); | 142 CloseConnectionWithDetails(error, error_details); |
139 return; | 143 return; |
140 } | 144 } |
141 if (!cached->proof_valid()) { | 145 if (!cached->proof_valid()) { |
142 const ProofVerifier* verifier = crypto_config_->proof_verifier(); | 146 ProofVerifier* verifier = crypto_config_->proof_verifier(); |
143 if (!verifier) { | 147 if (verifier && !cached->signature().empty()) { |
144 // If no verifier is set then we don't check the certificates. | 148 next_state_ = STATE_PROOF_VERIFY; |
145 cached->SetProofValid(); | 149 continue; |
146 } else if (!cached->signature().empty()) { | |
147 // TODO(rtenneti): In Chromium, we will need to make VerifyProof() | |
148 // asynchronous. | |
149 if (!verifier->VerifyProof(server_hostname_, | |
150 cached->server_config(), | |
151 cached->certs(), | |
152 cached->signature(), | |
153 &error_details)) { | |
154 CloseConnectionWithDetails(QUIC_PROOF_INVALID, | |
155 "Proof invalid: " + error_details); | |
156 return; | |
157 } | |
158 cached->SetProofValid(); | |
159 } | 150 } |
160 } | 151 } |
152 next_state_ = STATE_PROOF_VERIFICATION_COMPLETED; | |
153 break; | |
154 case STATE_PROOF_VERIFY: { | |
155 ProofVerifier* verifier = crypto_config_->proof_verifier(); | |
156 result = verifier->VerifyProof( | |
157 server_hostname_, | |
158 cached->server_config(), | |
159 cached->certs(), | |
160 cached->signature(), | |
161 base::Bind(&QuicCryptoClientStream::VerifyProofCompleted, | |
162 weak_factory_.GetWeakPtr())); | |
163 if (result == ERR_IO_PENDING) { | |
164 DVLOG(1) << "Doing VerifyProof"; | |
165 return; | |
166 } | |
167 next_state_ = STATE_PROOF_VERIFICATION_COMPLETED; | |
agl
2013/07/01 16:23:18
This needs to be STATE_PROOF_VERIFY I think, and t
ramant (doing other things)
2013/07/02 14:19:50
Implemented generation_counter.
Didn't change the
| |
168 break; | |
169 } | |
170 case STATE_PROOF_VERIFICATION_COMPLETED: | |
171 if (result != OK) { | |
172 error_details = crypto_config_->proof_verifier()->error_details(); | |
173 CloseConnectionWithDetails(QUIC_PROOF_INVALID, | |
174 "Proof invalid: " + error_details); | |
175 return; | |
176 } | |
177 cached->SetProofValid(); | |
161 // Send the subsequent client hello in plaintext. | 178 // Send the subsequent client hello in plaintext. |
162 session()->connection()->SetDefaultEncryptionLevel( | 179 session()->connection()->SetDefaultEncryptionLevel(ENCRYPTION_NONE); |
163 ENCRYPTION_NONE); | |
164 next_state_ = STATE_SEND_CHLO; | 180 next_state_ = STATE_SEND_CHLO; |
165 break; | 181 break; |
166 case STATE_RECV_SHLO: { | 182 case STATE_RECV_SHLO: { |
167 // We sent a CHLO that we expected to be accepted and now we're hoping | 183 // We sent a CHLO that we expected to be accepted and now we're hoping |
168 // for a SHLO from the server to confirm that. | 184 // for a SHLO from the server to confirm that. |
169 if (in->tag() == kREJ) { | 185 if (in->tag() == kREJ) { |
170 // alternative_decrypter will be NULL if the original alternative | 186 // alternative_decrypter will be NULL if the original alternative |
171 // decrypter latched and became the primary decrypter. That happens | 187 // decrypter latched and became the primary decrypter. That happens |
172 // if we received a message encrypted with the INITIAL key. | 188 // if we received a message encrypted with the INITIAL key. |
173 if (session()->connection()->alternative_decrypter() == NULL) { | 189 if (session()->connection()->alternative_decrypter() == NULL) { |
(...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
225 return; | 241 return; |
226 } | 242 } |
227 case STATE_IDLE: | 243 case STATE_IDLE: |
228 // This means that the peer sent us a message that we weren't expecting. | 244 // This means that the peer sent us a message that we weren't expecting. |
229 CloseConnection(QUIC_INVALID_CRYPTO_MESSAGE_TYPE); | 245 CloseConnection(QUIC_INVALID_CRYPTO_MESSAGE_TYPE); |
230 return; | 246 return; |
231 } | 247 } |
232 } | 248 } |
233 } | 249 } |
234 | 250 |
251 void QuicCryptoClientStream::VerifyProofCompleted(int result) { | |
252 DVLOG(1) << "VerifyProof completed: " << result; | |
253 DoHandshakeLoop(NULL, result); | |
254 } | |
255 | |
235 } // namespace net | 256 } // namespace net |
OLD | NEW |