Landing Recent QUIC changes until 7/18/2016 11:21:53 UTC

net/quic/crypto/quic_crypto_server_config.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/quic_crypto_server_config.h"
 
 #include <stdlib.h>
 
 #include <algorithm>
 #include <memory>
@@ skipping 79 matching lines @@
         << "Deleting ValidateClientHelloHelper with a pending callback.";
   }
 
   void ValidationComplete(QuicErrorCode error_code, const char* error_details) {
     result_->error_code = error_code;
     result_->error_details = error_details;
     done_cb_->Run(result_);
     DetachCallback();
   }
 
-  void StartedAsyncCallback() { DetachCallback(); }
-
- private:
   void DetachCallback() {
     QUIC_BUG_IF(done_cb_ == nullptr) << "Callback already detached.";
     done_cb_ = nullptr;
   }
 
+ private:
   ValidateClientHelloResultCallback::Result* result_;
   ValidateClientHelloResultCallback* done_cb_;
 
   DISALLOW_COPY_AND_ASSIGN(ValidateClientHelloHelper);
 };
 
 class VerifyNonceIsValidAndUniqueCallback
     : public StrikeRegisterClient::ResultCallback {
  public:
   VerifyNonceIsValidAndUniqueCallback(
@@ skipping 865 matching lines @@
            << QuicUtils::HexEncode(
                   reinterpret_cast<const char*>(primary_config_->orbit),
                   kOrbitSize)
            << " scid: " << QuicUtils::HexEncode(primary_config_->id);
   next_config_promotion_time_ = QuicWallTime::Zero();
   if (primary_config_changed_cb_.get() != nullptr) {
     primary_config_changed_cb_->Run(primary_config_->id);
   }
 }
 
+class EvaluateClientHelloCallback : public ProofSource::Callback {
+ public:
+  EvaluateClientHelloCallback(
+      const QuicCryptoServerConfig& config,
+      bool found_error,
+      const IPAddress& server_ip,
+      QuicVersion version,
+      const uint8_t* primary_orbit,
+      scoped_refptr<QuicCryptoServerConfig::Config> requested_config,
+      scoped_refptr<QuicCryptoServerConfig::Config> primary_config,
+      QuicCryptoProof* crypto_proof,
+      ValidateClientHelloResultCallback::Result* client_hello_state,
+      ValidateClientHelloResultCallback* done_cb)
+      : config_(config),
+        found_error_(found_error),
+        server_ip_(server_ip),
+        version_(version),
+        primary_orbit_(primary_orbit),
+        requested_config_(std::move(requested_config)),
+        primary_config_(std::move(primary_config)),
+        crypto_proof_(crypto_proof),
+        client_hello_state_(client_hello_state),
+        done_cb_(done_cb) {}
+
+  void Run(bool ok,
+           const scoped_refptr<ProofSource::Chain>& chain,
+           const string& signature,
+           const string& leaf_cert_sct) override {
+    if (ok) {
+      crypto_proof_->chain = chain;
+      crypto_proof_->signature = signature;
+      crypto_proof_->cert_sct = leaf_cert_sct;
+    }
+    config_.EvaluateClientHelloAfterGetProof(
+        found_error_, server_ip_, version_, primary_orbit_, requested_config_,
+        primary_config_, crypto_proof_, !ok, client_hello_state_, done_cb_);
+  }
+
+ private:
+  const QuicCryptoServerConfig& config_;
+  const bool found_error_;
+  const IPAddress& server_ip_;
+  const QuicVersion version_;
+  const uint8_t* primary_orbit_;
+  const scoped_refptr<QuicCryptoServerConfig::Config> requested_config_;
+  const scoped_refptr<QuicCryptoServerConfig::Config> primary_config_;
+  QuicCryptoProof* crypto_proof_;
+  ValidateClientHelloResultCallback::Result* client_hello_state_;
+  ValidateClientHelloResultCallback* done_cb_;
+};
+
 void QuicCryptoServerConfig::EvaluateClientHello(
     const IPAddress& server_ip,
     QuicVersion version,
     const uint8_t* primary_orbit,
     scoped_refptr<Config> requested_config,
     scoped_refptr<Config> primary_config,
     QuicCryptoProof* crypto_proof,
     ValidateClientHelloResultCallback::Result* client_hello_state,
     ValidateClientHelloResultCallback* done_cb) const {
   ValidateClientHelloHelper helper(client_hello_state, done_cb);
@@ skipping 53 matching lines @@
     return;
   }
 
   bool found_error = false;
   if (source_address_token_error != HANDSHAKE_OK) {
     info->reject_reasons.push_back(source_address_token_error);
     // No valid source address token.
     found_error = true;
   }
 
+  bool get_proof_failed = false;
   if (version > QUIC_VERSION_25) {
     bool x509_supported = false;
     bool x509_ecdsa_supported = false;
     ParseProofDemand(client_hello, &x509_supported, &x509_ecdsa_supported);
     string serialized_config = primary_config->serialized;
     string chlo_hash;
     CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
     bool need_proof = true;
     if (FLAGS_quic_refresh_proof) {
       need_proof = !crypto_proof->chain;
     }
+    if (FLAGS_enable_async_get_proof) {
+      if (need_proof) {
+        // Make an async call to GetProof and setup the callback to trampoline
+        // back into EvaluateClientHelloAfterGetProof
+        std::unique_ptr<EvaluateClientHelloCallback> cb(
+            new EvaluateClientHelloCallback(
+                *this, found_error, server_ip, version, primary_orbit,
+                requested_config, primary_config, crypto_proof,
+                client_hello_state, done_cb));
+        proof_source_->GetProof(server_ip, info->sni.as_string(),
+                                serialized_config, version, chlo_hash,
+                                x509_ecdsa_supported, std::move(cb));
+        helper.DetachCallback();
+        return;
+      }
+    }
+
     // No need to get a new proof if one was already generated.
     if (need_proof &&
         !proof_source_->GetProof(
             server_ip, info->sni.as_string(), serialized_config, version,
             chlo_hash, x509_ecdsa_supported, &crypto_proof->chain,
             &crypto_proof->signature, &crypto_proof->cert_sct)) {
-      found_error = true;
-      info->reject_reasons.push_back(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE);
+      get_proof_failed = true;
     }
+  }
 
+  EvaluateClientHelloAfterGetProof(
+      found_error, server_ip, version, primary_orbit, requested_config,
+      primary_config, crypto_proof, get_proof_failed, client_hello_state,
+      done_cb);
+  helper.DetachCallback();
+}
+
+void QuicCryptoServerConfig::EvaluateClientHelloAfterGetProof(
+    bool found_error,
+    const IPAddress& server_ip,
+    QuicVersion version,
+    const uint8_t* primary_orbit,
+    scoped_refptr<Config> requested_config,
+    scoped_refptr<Config> primary_config,
+    QuicCryptoProof* crypto_proof,
+    bool get_proof_failed,
+    ValidateClientHelloResultCallback::Result* client_hello_state,
+    ValidateClientHelloResultCallback* done_cb) const {
+  ValidateClientHelloHelper helper(client_hello_state, done_cb);
+  const CryptoHandshakeMessage& client_hello = client_hello_state->client_hello;
+  ClientHelloInfo* info = &(client_hello_state->info);
+
+  if (get_proof_failed) {
+    found_error = true;
+    info->reject_reasons.push_back(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE);
+  }
+
+  if (version > QUIC_VERSION_25) {
     if (!ValidateExpectedLeafCertificate(client_hello, *crypto_proof)) {
       found_error = true;
       info->reject_reasons.push_back(INVALID_EXPECTED_LEAF_CERTIFICATE);
     }
   }
 
   if (info->client_nonce.size() != kNonceSize) {
     info->reject_reasons.push_back(CLIENT_NONCE_INVALID_FAILURE);
     // Invalid client nonce.
     LOG(ERROR) << "Invalid client nonce: " << client_hello.DebugString();
@@ skipping 62 matching lines @@
     // Since neither are present, reject the handshake which will send a
     // server nonce to the client.
     info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE);
     helper.ValidationComplete(QUIC_NO_ERROR, "");
     return;
   }
 
   strike_register_client->VerifyNonceIsValidAndUnique(
       info->client_nonce, info->now,
       new VerifyNonceIsValidAndUniqueCallback(client_hello_state, done_cb));
-  helper.StartedAsyncCallback();
+  helper.DetachCallback();
 }
 
 bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage(
     QuicVersion version,
     StringPiece chlo_hash,
     const SourceAddressTokens& previous_source_address_tokens,
     const IPAddress& server_ip,
     const IPAddress& client_ip,
     const QuicClock* clock,
     QuicRandom* rand,
@@ skipping 13 matching lines @@
         clock->WallNow(), cached_network_params);
   }
 
   out->set_tag(kSCUP);
   out->SetStringPiece(kSCFG, serialized);
   out->SetStringPiece(kSourceAddressTokenTag, source_address_token);
 
   scoped_refptr<ProofSource::Chain> chain;
   string signature;
   string cert_sct;
-  if (FLAGS_quic_use_hash_in_scup) {
-    if (!proof_source_->GetProof(server_ip, params.sni, serialized, version,
-                                 chlo_hash, params.x509_ecdsa_supported, &chain,
-                                 &signature, &cert_sct)) {
-      DVLOG(1) << "Server: failed to get proof.";
-      return false;
-    }
-  } else {
-    if (!proof_source_->GetProof(
-            server_ip, params.sni, serialized, version, params.client_nonce,
-            params.x509_ecdsa_supported, &chain, &signature, &cert_sct)) {
-      DVLOG(1) << "Server: failed to get proof.";
-      return false;
-    }
+  if (!proof_source_->GetProof(server_ip, params.sni, serialized, version,
+                               chlo_hash, params.x509_ecdsa_supported, &chain,
+                               &signature, &cert_sct)) {
+    DVLOG(1) << "Server: failed to get proof.";
+    return false;
   }
 
   const string compressed = CompressChain(
       compressed_certs_cache, chain, params.client_common_set_hashes,
       params.client_cached_cert_hashes, common_cert_sets);
 
   out->SetStringPiece(kCertificateTag, compressed);
   out->SetStringPiece(kPROF, signature);
   if (params.sct_supported_by_client && version > QUIC_VERSION_29 &&
       enable_serving_sct_) {
@@ skipping 33 matching lines @@
   CryptoHandshakeMessage message;
   message.set_tag(kSCUP);
   message.SetStringPiece(kSCFG, serialized);
   message.SetStringPiece(kSourceAddressTokenTag, source_address_token);
 
   std::unique_ptr<BuildServerConfigUpdateMessageProofSourceCallback>
       proof_source_cb(new BuildServerConfigUpdateMessageProofSourceCallback(
           this, version, compressed_certs_cache, common_cert_sets, params,
           std::move(message), std::move(cb)));
 
-  if (FLAGS_quic_use_hash_in_scup) {
-    proof_source_->GetProof(server_ip, params.sni, serialized, version,
-                            chlo_hash, params.x509_ecdsa_supported,
-                            std::move(proof_source_cb));
-  } else {
-    proof_source_->GetProof(server_ip, params.sni, serialized, version,
-                            params.client_nonce, params.x509_ecdsa_supported,
-                            std::move(proof_source_cb));
-  }
+  proof_source_->GetProof(server_ip, params.sni, serialized, version, chlo_hash,
+                          params.x509_ecdsa_supported,
+                          std::move(proof_source_cb));
 }
 
 QuicCryptoServerConfig::BuildServerConfigUpdateMessageProofSourceCallback::
     ~BuildServerConfigUpdateMessageProofSourceCallback() {}
 
 QuicCryptoServerConfig::BuildServerConfigUpdateMessageProofSourceCallback::
     BuildServerConfigUpdateMessageProofSourceCallback(
         const QuicCryptoServerConfig* config,
         QuicVersion version,
         QuicCompressedCertsCache* compressed_certs_cache,
@@ skipping 676 matching lines @@
       priority(0),
       source_address_token_boxer(nullptr) {}
 
 QuicCryptoServerConfig::Config::~Config() {
   STLDeleteElements(&key_exchanges);
 }
 
 QuicCryptoProof::QuicCryptoProof() {}
 QuicCryptoProof::~QuicCryptoProof() {}
 }  // namespace net