net: make QUIC ProofVerifier more generic.

net/quic/quic_crypto_client_stream.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/quic_crypto_client_stream.h"
 
 #include "net/base/completion_callback.h"
 #include "net/base/net_errors.h"
 #include "net/quic/crypto/crypto_protocol.h"
 #include "net/quic/crypto/crypto_utils.h"
 #include "net/quic/crypto/null_encrypter.h"
 #include "net/quic/crypto/proof_verifier.h"
+#include "net/quic/crypto/proof_verifier_chromium.h"
 #include "net/quic/quic_protocol.h"
 #include "net/quic/quic_session.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_info.h"
 
 namespace net {
 
+// ProofVerifierCallbackClientStream is passed as the callback method to
+// VerifyProof. The ProofVerifier calls this class with the result of proof
+// verification when verification is performed asynchronously.
+class ProofVerifierCallbackClientStream : public ProofVerifierCallback {

[Ryan Hamilton, 2013/07/23 18:40:50]

This code can land in google3, right?  (It will just never be used because the
google3 verifier will never return PENDING)

[agl, 2013/07/23 21:04:57]

Right.

+ public:
+  explicit ProofVerifierCallbackClientStream(QuicCryptoClientStream* stream)
+      : stream_(stream) {}
+
+  // ProofVerifierCallback interface.
+  virtual void Run(bool ok,
+                   string* error_details,
+                   ProofVerifyDetails* details) OVERRIDE {
+    if (stream_ == NULL) {
+      delete details;
+      return;
+    }
+
+    stream_->verify_ok_ = ok;
+    stream_->verify_error_details_ = *error_details;
+    stream_->verify_details_.reset(details);
+    stream_->proof_verify_callback_ = NULL;
+    stream_->DoHandshakeLoop(NULL);
+
+    // The ProofVerifier owns this object and will delete it when this method
+    // returns.
+  }
+
+  // Cancel causes any future callbacks to be ignored. It must be called on the
+  // same thread as the callback will be made on.
+  void Cancel() {
+    stream_ = NULL;
+  }
+
+ private:
+  QuicCryptoClientStream* stream_;
+};
+
 QuicCryptoClientStream::QuicCryptoClientStream(
     const string& server_hostname,
     QuicSession* session,
     QuicCryptoClientConfig* crypto_config)
     : QuicCryptoStream(session),
-      weak_factory_(this),
       next_state_(STATE_IDLE),
       num_client_hellos_(0),
       crypto_config_(crypto_config),
       server_hostname_(server_hostname),
-      generation_counter_(0) {
+      generation_counter_(0),
+      proof_verify_callback_(NULL) {
 }
 
 QuicCryptoClientStream::~QuicCryptoClientStream() {
+  if (proof_verify_callback_) {
+    proof_verify_callback_->Cancel();
+  }
 }
 
 void QuicCryptoClientStream::OnHandshakeMessage(
     const CryptoHandshakeMessage& message) {
-  DoHandshakeLoop(&message, OK);
+  DoHandshakeLoop(&message);
 }
 
 bool QuicCryptoClientStream::CryptoConnect() {
   next_state_ = STATE_SEND_CHLO;
-  DoHandshakeLoop(NULL, OK);
+  DoHandshakeLoop(NULL);
   return true;
 }
 
 int QuicCryptoClientStream::num_sent_client_hellos() const {
   return num_client_hellos_;
 }
 
 bool QuicCryptoClientStream::GetSSLInfo(SSLInfo* ssl_info) {
   ssl_info->Reset();
   QuicCryptoClientConfig::CachedState* cached =
       crypto_config_->LookupOrCreate(server_hostname_);
   DCHECK(cached);
   if (!cached) {
     return false;
   }
   const CertVerifyResult* cert_verify_result =
-      cached->cert_verify_result();
+      &(reinterpret_cast<const ProofVerifyDetailsChromium*>(
+            cached->proof_verify_details()))->cert_verify_result;
 
   ssl_info->cert_status = cert_verify_result->cert_status;
   ssl_info->cert = cert_verify_result->verified_cert;
 
   // TODO(rtenneti): Figure out what to set for the following.
   // Temporarily hard coded cipher_suite as 0xc031 to represent
   // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (from
   // net/ssl/ssl_cipher_suite_names.cc) and encryption as 256.
   int cipher_suite = 0xc02f;
   int ssl_connection_status = 0;
@@ skipping 17 matching lines @@
 }
 
 // kMaxClientHellos is the maximum number of times that we'll send a client
 // hello. The value 3 accounts for:
 //   * One failure due to an incorrect or missing source-address token.
 //   * One failure due the server's certificate chain being unavailible and the
 //     server being unwilling to send it without a valid source-address token.
 static const int kMaxClientHellos = 3;
 
 void QuicCryptoClientStream::DoHandshakeLoop(
-    const CryptoHandshakeMessage* in,
-    int result) {
+    const CryptoHandshakeMessage* in) {
   CryptoHandshakeMessage out;
   QuicErrorCode error;
   string error_details;
   QuicCryptoClientConfig::CachedState* cached =
       crypto_config_->LookupOrCreate(server_hostname_);
 
   if (in != NULL) {
     DVLOG(1) << "Client received: " << in->DebugString();
   }
 
   for (;;) {
     const State state = next_state_;
     next_state_ = STATE_IDLE;
     switch (state) {
       case STATE_SEND_CHLO: {
-        DCHECK_EQ(OK, result);
         // Send the client hello in plaintext.
         session()->connection()->SetDefaultEncryptionLevel(ENCRYPTION_NONE);
         if (num_client_hellos_ > kMaxClientHellos) {
           CloseConnection(QUIC_CRYPTO_TOO_MANY_REJECTS);
           return;
         }
         num_client_hellos_++;
 
         if (!cached->IsComplete(session()->connection()->clock()->WallNow())) {
           crypto_config_->FillInchoateClientHello(
@@ skipping 38 matching lines @@
           encryption_established_ = true;
           session()->OnCryptoHandshakeEvent(
               QuicSession::ENCRYPTION_FIRST_ESTABLISHED);
         } else {
           session()->OnCryptoHandshakeEvent(
               QuicSession::ENCRYPTION_REESTABLISHED);
         }
         return;
       }
       case STATE_RECV_REJ:
-        DCHECK_EQ(OK, result);
         // We sent a dummy CHLO because we didn't have enough information to
         // perform a handshake, or we sent a full hello that the server
         // rejected. Here we hope to have a REJ that contains the information
         // that we need.
         if (in->tag() != kREJ) {
           CloseConnectionWithDetails(QUIC_INVALID_CRYPTO_MESSAGE_TYPE,
                                      "Expected REJ");
           return;
         }
         error = crypto_config_->ProcessRejection(
@@ skipping 13 matching lines @@
             break;
           }
         }
         next_state_ = STATE_SEND_CHLO;
         break;
       case STATE_VERIFY_PROOF: {
         ProofVerifier* verifier = crypto_config_->proof_verifier();
         DCHECK(verifier);
         next_state_ = STATE_VERIFY_PROOF_COMPLETE;
         generation_counter_ = cached->generation_counter();
-        result = verifier->VerifyProof(
+
+        ProofVerifierCallbackClientStream* proof_verify_callback = new
+          ProofVerifierCallbackClientStream(this);
+
+        verify_ok_ = false;
+
+        ProofVerifier::Status status = verifier->VerifyProof(
             server_hostname_,
             cached->server_config(),
             cached->certs(),
             cached->signature(),
-            &error_details_,
-            &cert_verify_result_,
-            base::Bind(&QuicCryptoClientStream::OnVerifyProofComplete,
-                       weak_factory_.GetWeakPtr()));
-        if (result == ERR_IO_PENDING) {
-          DVLOG(1) << "Doing VerifyProof";
-          return;
+            &error_details,
+            &verify_details_,
+            proof_verify_callback);
+
+        switch (status) {
+          case ProofVerifier::PENDING:
+            proof_verify_callback_ = proof_verify_callback;
+            DVLOG(1) << "Doing VerifyProof";
+            return;
+          case ProofVerifier::ERROR:
+            CloseConnectionWithDetails(
+                QUIC_PROOF_INVALID, "Proof invalid: " + error_details);
+            return;
+          case ProofVerifier::OK:
+            verify_ok_ = true;
+            break;
         }
         break;
       }
       case STATE_VERIFY_PROOF_COMPLETE:
-        if (result != OK) {
+        if (!verify_ok_) {
             CloseConnectionWithDetails(
-                QUIC_PROOF_INVALID, "Proof invalid: " + error_details_);
+                QUIC_PROOF_INVALID, "Proof invalid: " + verify_error_details_);
             return;
         }
         // Check if generation_counter has changed between STATE_VERIFY_PROOF
         // and STATE_VERIFY_PROOF_COMPLETE state changes.
         if (generation_counter_ != cached->generation_counter()) {
           next_state_ = STATE_VERIFY_PROOF;
         } else {
           cached->SetProofValid();
-          cached->SetCertVerifyResult(cert_verify_result_);
+          cached->SetProofVerifyDetails(verify_details_.release());
           next_state_ = STATE_SEND_CHLO;
         }
         break;
       case STATE_RECV_SHLO: {
         // We sent a CHLO that we expected to be accepted and now we're hoping
         // for a SHLO from the server to confirm that.
         if (in->tag() == kREJ) {
           // alternative_decrypter will be NULL if the original alternative
           // decrypter latched and became the primary decrypter. That happens
           // if we received a message encrypted with the INITIAL key.
@@ skipping 52 matching lines @@
         return;
       }
       case STATE_IDLE:
         // This means that the peer sent us a message that we weren't expecting.
         CloseConnection(QUIC_INVALID_CRYPTO_MESSAGE_TYPE);
         return;
     }
   }
 }
 
-void QuicCryptoClientStream::OnVerifyProofComplete(int result) {
-  DCHECK_EQ(STATE_VERIFY_PROOF_COMPLETE, next_state_);
-  DVLOG(1) << "VerifyProof completed: " << result;
-  DoHandshakeLoop(NULL, result);
-}
-
 }  // namespace net