Landing Recent QUIC changes until 7/26/2016 13:53 UTC

net/quic/crypto/quic_crypto_server_config.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/quic_crypto_server_config.h"
 
 #include <stdlib.h>
 
 #include <algorithm>
 #include <memory>
@@ skipping 72 matching lines @@
  public:
   ValidateClientHelloHelper(ValidateClientHelloResultCallback::Result* result,
                             ValidateClientHelloResultCallback* done_cb)
       : result_(result), done_cb_(done_cb) {}
 
   ~ValidateClientHelloHelper() {
     QUIC_BUG_IF(done_cb_ != nullptr)
         << "Deleting ValidateClientHelloHelper with a pending callback.";
   }
 
-  void ValidationComplete(QuicErrorCode error_code, const char* error_details) {
+  void ValidationComplete(
+      QuicErrorCode error_code,
+      const char* error_details,
+      std::unique_ptr<ProofSource::Details> proof_source_details) {
     result_->error_code = error_code;
     result_->error_details = error_details;
-    done_cb_->Run(result_);
+    done_cb_->Run(result_, std::move(proof_source_details));
     DetachCallback();
   }
 
   void DetachCallback() {
     QUIC_BUG_IF(done_cb_ == nullptr) << "Callback already detached.";
     done_cb_ = nullptr;
   }
 
  private:
   ValidateClientHelloResultCallback::Result* result_;
   ValidateClientHelloResultCallback* done_cb_;
 
   DISALLOW_COPY_AND_ASSIGN(ValidateClientHelloHelper);
 };
 
 class VerifyNonceIsValidAndUniqueCallback
     : public StrikeRegisterClient::ResultCallback {
  public:
   VerifyNonceIsValidAndUniqueCallback(
       ValidateClientHelloResultCallback::Result* result,
+      std::unique_ptr<ProofSource::Details> proof_source_details,
       ValidateClientHelloResultCallback* done_cb)
-      : result_(result), done_cb_(done_cb) {}
+      : result_(result),
+        proof_source_details_(std::move(proof_source_details)),
+        done_cb_(done_cb) {}
 
  protected:
   void RunImpl(bool nonce_is_valid_and_unique,
                InsertStatus nonce_error) override {
     DVLOG(1) << "Using client nonce, unique: " << nonce_is_valid_and_unique
              << " nonce_error: " << nonce_error;
     if (!nonce_is_valid_and_unique) {
       HandshakeFailureReason client_nonce_error;
       switch (nonce_error) {
         case NONCE_INVALID_FAILURE:
@@ skipping 18 matching lines @@
           client_nonce_error = CLIENT_NONCE_UNKNOWN_FAILURE;
           break;
         case NONCE_OK:
         default:
           QUIC_BUG << "Unexpected client nonce error: " << nonce_error;
           client_nonce_error = CLIENT_NONCE_UNKNOWN_FAILURE;
           break;
       }
       result_->info.reject_reasons.push_back(client_nonce_error);
     }
-    done_cb_->Run(result_);
+    done_cb_->Run(result_, std::move(proof_source_details_));
   }
 
  private:
   ValidateClientHelloResultCallback::Result* result_;
+  std::unique_ptr<ProofSource::Details> proof_source_details_;
   ValidateClientHelloResultCallback* done_cb_;
 
   DISALLOW_COPY_AND_ASSIGN(VerifyNonceIsValidAndUniqueCallback);
 };
 
 // static
 const char QuicCryptoServerConfig::TESTING[] = "secret string for testing";
 
 ClientHelloInfo::ClientHelloInfo(const IPAddress& in_client_ip,
                                  QuicWallTime in_now)
@@ skipping 12 matching lines @@
     : client_hello(in_client_hello),
       info(in_client_ip, in_now),
       error_code(QUIC_NO_ERROR) {}
 
 ValidateClientHelloResultCallback::Result::~Result() {}
 
 ValidateClientHelloResultCallback::ValidateClientHelloResultCallback() {}
 
 ValidateClientHelloResultCallback::~ValidateClientHelloResultCallback() {}
 
-void ValidateClientHelloResultCallback::Run(const Result* result) {
-  RunImpl(result->client_hello, *result);
+void ValidateClientHelloResultCallback::Run(
+    const Result* result,
+    std::unique_ptr<ProofSource::Details> details) {
+  RunImpl(result->client_hello, *result, std::move(details));
   delete result;
   delete this;
 }
 
 QuicCryptoServerConfig::ConfigOptions::ConfigOptions()
     : expiry_time(QuicWallTime::Zero()),
       channel_id_enabled(false),
       token_binding_enabled(false),
       p256(false) {}
 
@@ skipping 326 matching lines @@
     if (FLAGS_quic_refresh_proof && version > QUIC_VERSION_30) {
       // QUIC v31 and above require a new proof for each CHLO so clear the
       // existing proof, if any.
       crypto_proof->chain = nullptr;
       crypto_proof->signature = "";
       crypto_proof->cert_sct = "";
     }
     EvaluateClientHello(server_ip, version, primary_orbit, requested_config,
                         primary_config, crypto_proof, result, done_cb);
   } else {
-    done_cb->Run(result);
+    done_cb->Run(result, nullptr /* proof_source_details */);
   }
 }
 
 QuicErrorCode QuicCryptoServerConfig::ProcessClientHello(
     const ValidateClientHelloResultCallback::Result& validate_chlo_result,
     bool reject_only,
     QuicConnectionId connection_id,
     const IPAddress& server_ip,
     const IPEndPoint& client_address,
     QuicVersion version,
@@ skipping 449 matching lines @@
         primary_orbit_(primary_orbit),
         requested_config_(std::move(requested_config)),
         primary_config_(std::move(primary_config)),
         crypto_proof_(crypto_proof),
         client_hello_state_(client_hello_state),
         done_cb_(done_cb) {}
 
   void Run(bool ok,
            const scoped_refptr<ProofSource::Chain>& chain,
            const string& signature,
-           const string& leaf_cert_sct) override {
+           const string& leaf_cert_sct,
+           std::unique_ptr<ProofSource::Details> details) override {
     if (ok) {
       crypto_proof_->chain = chain;
       crypto_proof_->signature = signature;
       crypto_proof_->cert_sct = leaf_cert_sct;
     }
     config_.EvaluateClientHelloAfterGetProof(
         found_error_, server_ip_, version_, primary_orbit_, requested_config_,
-        primary_config_, crypto_proof_, !ok, client_hello_state_, done_cb_);
+        primary_config_, crypto_proof_, std::move(details), !ok,
+        client_hello_state_, done_cb_);
   }
 
  private:
   const QuicCryptoServerConfig& config_;
   const bool found_error_;
   const IPAddress& server_ip_;
   const QuicVersion version_;
   const uint8_t* primary_orbit_;
   const scoped_refptr<QuicCryptoServerConfig::Config> requested_config_;
   const scoped_refptr<QuicCryptoServerConfig::Config> primary_config_;
@@ skipping 11 matching lines @@
     QuicCryptoProof* crypto_proof,
     ValidateClientHelloResultCallback::Result* client_hello_state,
     ValidateClientHelloResultCallback* done_cb) const {
   ValidateClientHelloHelper helper(client_hello_state, done_cb);
 
   const CryptoHandshakeMessage& client_hello = client_hello_state->client_hello;
   ClientHelloInfo* info = &(client_hello_state->info);
 
   if (client_hello.size() < kClientHelloMinimumSize) {
     helper.ValidationComplete(QUIC_CRYPTO_INVALID_VALUE_LENGTH,
-                              "Client hello too small");
+                              "Client hello too small", nullptr);
     return;
   }
 
   if (client_hello.GetStringPiece(kSNI, &info->sni) &&
       !CryptoUtils::IsValidSNI(info->sni)) {
     helper.ValidationComplete(QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER,
-                              "Invalid SNI name");
+                              "Invalid SNI name", nullptr);
     return;
   }
 
   client_hello.GetStringPiece(kUAID, &info->user_agent_id);
 
   HandshakeFailureReason source_address_token_error = MAX_FAILURE_REASON;
   StringPiece srct;
   if (client_hello.GetStringPiece(kSourceAddressTokenTag, &srct)) {
     Config& config = requested_config ? *requested_config : *primary_config;
     source_address_token_error =
@@ skipping 11 matching lines @@
   }
 
   if (!requested_config.get()) {
     StringPiece requested_scid;
     if (client_hello.GetStringPiece(kSCID, &requested_scid)) {
       info->reject_reasons.push_back(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE);
     } else {
       info->reject_reasons.push_back(SERVER_CONFIG_INCHOATE_HELLO_FAILURE);
     }
     // No server config with the requested ID.
-    helper.ValidationComplete(QUIC_NO_ERROR, "");
+    helper.ValidationComplete(QUIC_NO_ERROR, "", nullptr);
     return;
   }
 
   if (!client_hello.GetStringPiece(kNONC, &info->client_nonce)) {
     info->reject_reasons.push_back(SERVER_CONFIG_INCHOATE_HELLO_FAILURE);
     // Report no client nonce as INCHOATE_HELLO_FAILURE.
-    helper.ValidationComplete(QUIC_NO_ERROR, "");
+    helper.ValidationComplete(QUIC_NO_ERROR, "", nullptr);
     return;
   }
 
   bool found_error = false;
   if (source_address_token_error != HANDSHAKE_OK) {
     info->reject_reasons.push_back(source_address_token_error);
     // No valid source address token.
     found_error = true;
   }
 
@@ skipping 27 matching lines @@
 
   // No need to get a new proof if one was already generated.
   if (need_proof &&
       !proof_source_->GetProof(
           server_ip, info->sni.as_string(), serialized_config, version,
           chlo_hash, x509_ecdsa_supported, &crypto_proof->chain,
           &crypto_proof->signature, &crypto_proof->cert_sct)) {
     get_proof_failed = true;
   }
 
+  // Details are null because the synchronous version of GetProof does not
+  // return any stats.  Eventually the synchronous codepath will be eliminated.
   EvaluateClientHelloAfterGetProof(
       found_error, server_ip, version, primary_orbit, requested_config,
-      primary_config, crypto_proof, get_proof_failed, client_hello_state,
-      done_cb);
+      primary_config, crypto_proof, nullptr /* proof_source_details */,
+      get_proof_failed, client_hello_state, done_cb);
   helper.DetachCallback();
 }
 
 void QuicCryptoServerConfig::EvaluateClientHelloAfterGetProof(
     bool found_error,
     const IPAddress& server_ip,
     QuicVersion version,
     const uint8_t* primary_orbit,
     scoped_refptr<Config> requested_config,
     scoped_refptr<Config> primary_config,
     QuicCryptoProof* crypto_proof,
+    std::unique_ptr<ProofSource::Details> proof_source_details,
     bool get_proof_failed,
     ValidateClientHelloResultCallback::Result* client_hello_state,
     ValidateClientHelloResultCallback* done_cb) const {
   ValidateClientHelloHelper helper(client_hello_state, done_cb);
   const CryptoHandshakeMessage& client_hello = client_hello_state->client_hello;
   ClientHelloInfo* info = &(client_hello_state->info);
 
   if (get_proof_failed) {
     found_error = true;
     info->reject_reasons.push_back(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE);
@@ skipping 16 matching lines @@
   client_hello.GetStringPiece(kServerNonceTag, &info->server_nonce);
 
   if (version > QUIC_VERSION_32) {
     DVLOG(1) << "No 0-RTT replay protection in QUIC_VERSION_33 and higher.";
     // If the server nonce is empty and we're requiring handshake confirmation
     // for DoS reasons then we must reject the CHLO.
     if (FLAGS_quic_require_handshake_confirmation &&
         info->server_nonce.empty()) {
       info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE);
     }
-    helper.ValidationComplete(QUIC_NO_ERROR, "");
+    helper.ValidationComplete(QUIC_NO_ERROR, "",
+                              std::move(proof_source_details));
     return;
   }
 
   if (!replay_protection_) {
     DVLOG(1) << "No replay protection.";
-    helper.ValidationComplete(QUIC_NO_ERROR, "");
+    helper.ValidationComplete(QUIC_NO_ERROR, "",
+                              std::move(proof_source_details));
     return;
   }
 
   if (!info->server_nonce.empty()) {
     // If the server nonce is present, use it to establish uniqueness.
     HandshakeFailureReason server_nonce_error =
         ValidateServerNonce(info->server_nonce, info->now);
     bool is_unique = server_nonce_error == HANDSHAKE_OK;
     if (!is_unique) {
       info->reject_reasons.push_back(server_nonce_error);
     }
     DVLOG(1) << "Using server nonce, unique: " << is_unique;
-    helper.ValidationComplete(QUIC_NO_ERROR, "");
+    helper.ValidationComplete(QUIC_NO_ERROR, "",
+                              std::move(proof_source_details));
     return;
   }
   // If we hit this block, the server nonce was empty.  If we're requiring
   // handshake confirmation for DoS reasons and there's no server nonce present,
   // reject the CHLO.
-  if (FLAGS_quic_require_handshake_confirmation) {
+  if (FLAGS_quic_require_handshake_confirmation ||
+      FLAGS_quic_require_handshake_confirmation_pre33) {
     info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE);
-    helper.ValidationComplete(QUIC_NO_ERROR, "");
+    helper.ValidationComplete(QUIC_NO_ERROR, "",
+                              std::move(proof_source_details));
     return;
   }
 
   // We want to contact strike register only if there are no errors because it
   // is a RPC call and is expensive.
   if (found_error) {
-    helper.ValidationComplete(QUIC_NO_ERROR, "");
+    helper.ValidationComplete(QUIC_NO_ERROR, "",
+                              std::move(proof_source_details));
     return;
   }
 
   // Use the client nonce to establish uniqueness.
   StrikeRegisterClient* strike_register_client;
   {
     base::AutoLock locked(strike_register_client_lock_);
     strike_register_client = strike_register_client_.get();
   }
 
   if (!strike_register_client) {
     // Either a valid server nonces or a strike register is required.
     // Since neither are present, reject the handshake which will send a
     // server nonce to the client.
     info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE);
-    helper.ValidationComplete(QUIC_NO_ERROR, "");
+    helper.ValidationComplete(QUIC_NO_ERROR, "",
+                              std::move(proof_source_details));
     return;
   }
 
   strike_register_client->VerifyNonceIsValidAndUnique(
       info->client_nonce, info->now,
-      new VerifyNonceIsValidAndUniqueCallback(client_hello_state, done_cb));
+      new VerifyNonceIsValidAndUniqueCallback(
+          client_hello_state, std::move(proof_source_details), done_cb));
   helper.DetachCallback();
 }
 
 bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage(
     QuicVersion version,
     StringPiece chlo_hash,
     const SourceAddressTokens& previous_source_address_tokens,
     const IPAddress& server_ip,
     const IPAddress& client_ip,
     const QuicClock* clock,
@@ skipping 102 matching lines @@
       client_common_set_hashes_(params.client_common_set_hashes),
       client_cached_cert_hashes_(params.client_cached_cert_hashes),
       sct_supported_by_client_(params.sct_supported_by_client),
       message_(std::move(message)),
       cb_(std::move(cb)) {}
 
 void QuicCryptoServerConfig::BuildServerConfigUpdateMessageProofSourceCallback::
     Run(bool ok,
         const scoped_refptr<ProofSource::Chain>& chain,
         const string& signature,
-        const string& leaf_cert_sct) {
+        const string& leaf_cert_sct,
+        std::unique_ptr<ProofSource::Details> details) {
   config_->FinishBuildServerConfigUpdateMessage(
       version_, compressed_certs_cache_, common_cert_sets_,
       client_common_set_hashes_, client_cached_cert_hashes_,
       sct_supported_by_client_, ok, chain, signature, leaf_cert_sct,
-      std::move(message_), std::move(cb_));
+      std::move(details), std::move(message_), std::move(cb_));
 }
 
 void QuicCryptoServerConfig::FinishBuildServerConfigUpdateMessage(
     QuicVersion version,
     QuicCompressedCertsCache* compressed_certs_cache,
     const CommonCertSets* common_cert_sets,
     const string& client_common_set_hashes,
     const string& client_cached_cert_hashes,
     bool sct_supported_by_client,
     bool ok,
     const scoped_refptr<ProofSource::Chain>& chain,
     const string& signature,
     const string& leaf_cert_sct,
+    std::unique_ptr<ProofSource::Details> details,
     CryptoHandshakeMessage message,
     std::unique_ptr<BuildServerConfigUpdateMessageResultCallback> cb) const {
   if (!ok) {
     cb->Run(false, message);
     return;
   }
 
   const string compressed =
       CompressChain(compressed_certs_cache, chain, client_common_set_hashes,
                     client_cached_cert_hashes, common_cert_sets);
@@ skipping 628 matching lines @@
       priority(0),
       source_address_token_boxer(nullptr) {}
 
 QuicCryptoServerConfig::Config::~Config() {
   STLDeleteElements(&key_exchanges);
 }
 
 QuicCryptoProof::QuicCryptoProof() {}
 QuicCryptoProof::~QuicCryptoProof() {}
 }  // namespace net