OpenSSL/NSS implementation of ProofVerfifier.

net/quic/quic_crypto_client_stream.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/quic_crypto_client_stream.h"
 
+#include "net/base/completion_callback.h"
+#include "net/base/net_errors.h"
 #include "net/quic/crypto/crypto_protocol.h"
 #include "net/quic/crypto/crypto_utils.h"
 #include "net/quic/crypto/null_encrypter.h"
 #include "net/quic/crypto/proof_verifier.h"
 #include "net/quic/quic_protocol.h"
 #include "net/quic/quic_session.h"
 
 namespace net {
 
 QuicCryptoClientStream::QuicCryptoClientStream(
     const string& server_hostname,
     QuicSession* session,
     QuicCryptoClientConfig* crypto_config)
     : QuicCryptoStream(session),
+      weak_factory_(this),
       next_state_(STATE_IDLE),
       num_client_hellos_(0),
       crypto_config_(crypto_config),
       server_hostname_(server_hostname) {
 }
 
 QuicCryptoClientStream::~QuicCryptoClientStream() {
 }
 
 void QuicCryptoClientStream::OnHandshakeMessage(
     const CryptoHandshakeMessage& message) {
-  DoHandshakeLoop(&message);
+  DoHandshakeLoop(&message, OK);
 }
 
 bool QuicCryptoClientStream::CryptoConnect() {
   next_state_ = STATE_SEND_CHLO;
-  DoHandshakeLoop(NULL);
+  DoHandshakeLoop(NULL, OK);
   return true;
 }
 
 int QuicCryptoClientStream::num_sent_client_hellos() const {
   return num_client_hellos_;
 }
 
 // kMaxClientHellos is the maximum number of times that we'll send a client
 // hello. The value 3 accounts for:
 //   * One failure due to an incorrect or missing source-address token.
 //   * One failure due the server's certificate chain being unavailible and the
 //     server being unwilling to send it without a valid source-address token.
 static const int kMaxClientHellos = 3;
 
 void QuicCryptoClientStream::DoHandshakeLoop(
-    const CryptoHandshakeMessage* in) {
+    const CryptoHandshakeMessage* in,
+    int result) {
   CryptoHandshakeMessage out;
   QuicErrorCode error;
   string error_details;
   QuicCryptoClientConfig::CachedState* cached =
       crypto_config_->LookupOrCreate(server_hostname_);
 
   if (in != NULL) {
     DVLOG(1) << "Client received: " << in->DebugString();
   }
 
@@ skipping 68 matching lines @@
           return;
         }
         error = crypto_config_->ProcessRejection(
             cached, *in, session()->connection()->clock()->WallNow(),
             &crypto_negotiated_params_, &error_details);
         if (error != QUIC_NO_ERROR) {
           CloseConnectionWithDetails(error, error_details);
           return;
         }
         if (!cached->proof_valid()) {
-          const ProofVerifier* verifier = crypto_config_->proof_verifier();
-          if (!verifier) {
-            // If no verifier is set then we don't check the certificates.
-            cached->SetProofValid();
-          } else if (!cached->signature().empty()) {
-            // TODO(rtenneti): In Chromium, we will need to make VerifyProof()
-            // asynchronous.
-            if (!verifier->VerifyProof(server_hostname_,
-                                       cached->server_config(),
-                                       cached->certs(),
-                                       cached->signature(),
-                                       &error_details)) {
-              CloseConnectionWithDetails(QUIC_PROOF_INVALID,
-                                         "Proof invalid: " + error_details);
-              return;
-            }
-            cached->SetProofValid();
+          ProofVerifier* verifier = session()->proof_verifier();
+          if (verifier && !cached->signature().empty()) {
+            next_state_ = STATE_VERIFY_PROOF;
+            continue;
           }
         }
+        // If proof is valid or if there is no verifier is set or if
+        // cached->signature is empty then we don't check the certificates.

[agl, 2013/07/02 15:20:08]

We can receive multiple REJ in a handshake. At the moment, if a REJ comes in
with no signature then we'll go to STATE_VERIFY_PROOF_COMPLETED and end up
calling cached->SetProofValid. i.e. sending no certificates would be accepted by
this code.

[ramant (doing other things), 2013/07/02 19:45:51]

Reorganized the code. Could you take another look.

+        result = OK;
+        next_state_ = STATE_VERIFY_PROOF_COMPLETED;
+        break;
+      case STATE_VERIFY_PROOF: {
+        // We will verify proof if there is a verifier.
+        ProofVerifier* verifier = session()->proof_verifier();
+        DCHECK_EQ(verifier->generation_counter(), 0u);

[agl, 2013/07/02 15:20:08]

Why should the generation counter always be zero? We might end up verifying
several proofs.

[ramant (doing other things), 2013/07/02 19:45:51]

Done.

+        DCHECK_GT(cached->generation_counter(), 0u);
+        result = verifier->VerifyProof(
+            server_hostname_,
+            cached->server_config(),
+            cached->certs(),
+            cached->signature(),
+            cached->generation_counter(),
+            base::Bind(&QuicCryptoClientStream::OnVerifyProofComplete,
+                       weak_factory_.GetWeakPtr()));
+        if (result == ERR_IO_PENDING) {
+          DVLOG(1) << "Doing VerifyProof";
+          return;
+        }
+        next_state_ = STATE_VERIFY_PROOF_COMPLETED;
+        break;
+      }
+      case STATE_VERIFY_PROOF_COMPLETED: {
+        if (!cached->proof_valid()) {
+          ProofVerifier* verifier = session()->proof_verifier();
+          if (result != OK) {
+            CloseConnectionWithDetails(QUIC_PROOF_INVALID,
+                "Proof invalid: " + verifier->error_details());
+            return;
+          }
+          // Check if generation_counter has changed between STATE_VERIFY_PROOF
+          // and STATE_VERIFY_PROOF_COMPLETED state changes.
+          if (verifier && verifier->generation_counter() > 0 &&
+              verifier->generation_counter() != cached->generation_counter()) {
+            CloseConnectionWithDetails(QUIC_PROOF_INVALID,

[agl, 2013/07/02 15:20:08]

The generation counter changing isn't an error. We should just loop back to
STATE_VERIFY_PROOF.

[ramant (doing other things), 2013/07/02 19:45:51]

Done.

+                "Proof invalid: server certs have changed");
+            return;
+          }
+          cached->SetProofValid();
+        }
         // Send the subsequent client hello in plaintext.
-        session()->connection()->SetDefaultEncryptionLevel(
-            ENCRYPTION_NONE);
+        session()->connection()->SetDefaultEncryptionLevel(ENCRYPTION_NONE);
         next_state_ = STATE_SEND_CHLO;
         break;
+      }
       case STATE_RECV_SHLO: {
         // We sent a CHLO that we expected to be accepted and now we're hoping
         // for a SHLO from the server to confirm that.
         if (in->tag() == kREJ) {
           // alternative_decrypter will be NULL if the original alternative
           // decrypter latched and became the primary decrypter. That happens
           // if we received a message encrypted with the INITIAL key.
           if (session()->connection()->alternative_decrypter() == NULL) {
             // The rejection was sent encrypted!
             CloseConnectionWithDetails(QUIC_CRYPTO_ENCRYPTION_LEVEL_INCORRECT,
@@ skipping 49 matching lines @@
         return;
       }
       case STATE_IDLE:
         // This means that the peer sent us a message that we weren't expecting.
         CloseConnection(QUIC_INVALID_CRYPTO_MESSAGE_TYPE);
         return;
     }
   }
 }
 
+void QuicCryptoClientStream::OnVerifyProofComplete(int result) {
+  DVLOG(1) << "VerifyProof completed: " << result;

[agl, 2013/07/02 15:20:08]

Is it ensured that this callback is always made on the same thread? If so, could
you comment that?

[ramant (doing other things), 2013/07/02 19:45:51]

Added the comment to VerifyProof.

Done.

+  next_state_ = STATE_VERIFY_PROOF_COMPLETED;
+  DoHandshakeLoop(NULL, result);
+}
+
 }  // namespace net