Land Recent QUIC Changes

net/quic/crypto/crypto_handshake.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/crypto_handshake.h"
 
 #include <ctype.h>
 
 #include "base/memory/scoped_ptr.h"
 #include "base/stl_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_split.h"
 #include "crypto/secure_hash.h"
 #include "net/base/net_util.h"
 #include "net/quic/crypto/crypto_framer.h"
 #include "net/quic/crypto/crypto_utils.h"
 #include "net/quic/crypto/curve25519_key_exchange.h"
 #include "net/quic/crypto/key_exchange.h"
 #include "net/quic/crypto/p256_key_exchange.h"
+#include "net/quic/crypto/proof_verifier.h"
 #include "net/quic/crypto/quic_decrypter.h"
 #include "net/quic/crypto/quic_encrypter.h"
 #include "net/quic/crypto/quic_random.h"
 #include "net/quic/quic_clock.h"
 #include "net/quic/quic_protocol.h"
 
 using base::StringPiece;
-using crypto::SecureHash;
 using std::map;
 using std::string;
 using std::vector;
 
 namespace net {
 
 CryptoHandshakeMessage::CryptoHandshakeMessage() : tag_(0) {}
 
 CryptoHandshakeMessage::CryptoHandshakeMessage(
     const CryptoHandshakeMessage& other)
@@ skipping 52 matching lines @@
   }
 
   // Because of the way that we keep tags in memory, we can copy the contents
   // of the vector and get the correct bytes in wire format. See
   // crypto_protocol.h. This assumes that the system is little-endian.
   SetVector(tag, tags);
 
   va_end(ap);
 }
 
-void CryptoHandshakeMessage::SetStringPiece(CryptoTag tag,
-                                            StringPiece value) {
+void CryptoHandshakeMessage::SetStringPiece(CryptoTag tag, StringPiece value) {
   tag_value_map_[tag] = value.as_string();
 }
 
 QuicErrorCode CryptoHandshakeMessage::GetTaglist(CryptoTag tag,
                                                  const CryptoTag** out_tags,
                                                  size_t* out_len) const {
   CryptoTagValueMap::const_iterator it = tag_value_map_.find(tag);
   QuicErrorCode ret = QUIC_NO_ERROR;
 
   if (it == tag_value_map_.end()) {
@@ skipping 202 matching lines @@
 }
 
 
 // static
 const char QuicCryptoConfig::kLabel[] = "QUIC key expansion";
 
 QuicCryptoConfig::QuicCryptoConfig()
     : version(0) {
 }
 
-QuicCryptoConfig::~QuicCryptoConfig() {
-}
+QuicCryptoConfig::~QuicCryptoConfig() {}
 
-
-QuicCryptoClientConfig::QuicCryptoClientConfig() {
-}
+QuicCryptoClientConfig::QuicCryptoClientConfig() {}
 
 QuicCryptoClientConfig::~QuicCryptoClientConfig() {
   STLDeleteValues(&cached_states_);
 }
 
-QuicCryptoClientConfig::CachedState::CachedState() {
-}
+QuicCryptoClientConfig::CachedState::CachedState()
+    : server_config_valid_(false) {}
 
-QuicCryptoClientConfig::CachedState::~CachedState() {
-}
+QuicCryptoClientConfig::CachedState::~CachedState() {}
 
 bool QuicCryptoClientConfig::CachedState::is_complete() const {
-  return !server_config_.empty();
+  return !server_config_.empty() && server_config_valid_;
 }
 
 const CryptoHandshakeMessage*
 QuicCryptoClientConfig::CachedState::GetServerConfig() const {
   if (server_config_.empty()) {
     return NULL;
   }
 
   if (!scfg_.get()) {
     scfg_.reset(CryptoFramer::ParseMessage(server_config_));
     DCHECK(scfg_.get());
   }
   return scfg_.get();
 }
 
 bool QuicCryptoClientConfig::CachedState::SetServerConfig(
     StringPiece scfg) {
   scfg_.reset(CryptoFramer::ParseMessage(scfg));
   if (!scfg_.get()) {
     return false;
   }
   server_config_ = scfg.as_string();
   return true;
 }
 
-const string& QuicCryptoClientConfig::CachedState::server_config()
-    const {
+void QuicCryptoClientConfig::CachedState::SetProof(
+    const vector<StringPiece>& certs, StringPiece signature) {
+  bool has_changed = signature != server_config_sig_;
+
+  if (certs.size() != certs_.size()) {
+    has_changed = true;
+  }
+  if (!has_changed) {
+    for (size_t i = 0; i < certs_.size(); i++) {
+      if (certs[i] != certs_[i]) {
+        has_changed = true;
+        break;
+      }
+    }
+  }
+
+  if (!has_changed) {
+    return;
+  }
+
+  // If the proof has changed then it needs to be revalidated.
+  server_config_valid_ = false;
+  certs_.clear();
+  for (vector<StringPiece>::const_iterator i = certs.begin();
+       i != certs.end(); ++i) {
+    certs_.push_back(i->as_string());
+  }
+  server_config_sig_ = signature.as_string();
+}
+
+void QuicCryptoClientConfig::CachedState::SetProofValid() {
+  server_config_valid_ = true;
+}
+
+const string&
+QuicCryptoClientConfig::CachedState::server_config() const {
   return server_config_;
 }
 
-const string& QuicCryptoClientConfig::CachedState::source_address_token()
-    const {
+const string&
+QuicCryptoClientConfig::CachedState::source_address_token() const {
   return source_address_token_;
 }
 
+const vector<string>& QuicCryptoClientConfig::CachedState::certs() const {
+  return certs_;
+}
+
+const string& QuicCryptoClientConfig::CachedState::signature() const {
+  return server_config_sig_;
+}
+
+bool QuicCryptoClientConfig::CachedState::proof_valid() const {
+  return server_config_valid_;
+}
+
 void QuicCryptoClientConfig::CachedState::set_source_address_token(
     StringPiece token) {
   source_address_token_ = token.as_string();
 }
 
 void QuicCryptoClientConfig::SetDefaults() {
   // Version must be 0.
   version = QuicCryptoConfig::CONFIG_VERSION;
 
   // Key exchange methods.
   kexs.resize(2);
   kexs[0] = kC255;
   kexs[1] = kP256;
 
   // Authenticated encryption algorithms.
   aead.resize(1);
   aead[0] = kAESG;
 }
 
-const QuicCryptoClientConfig::CachedState* QuicCryptoClientConfig::Lookup(
-    const string& server_hostname) const {
+QuicCryptoClientConfig::CachedState* QuicCryptoClientConfig::LookupOrCreate(
+    const string& server_hostname) {
   map<string, CachedState*>::const_iterator it =
       cached_states_.find(server_hostname);
-  if (it == cached_states_.end()) {
-    return NULL;
+  if (it != cached_states_.end()) {
+    return it->second;
   }
-  return it->second;
+
+  CachedState* cached = new CachedState;
+  cached_states_.insert(make_pair(server_hostname, cached));
+  return cached;
 }
 
 void QuicCryptoClientConfig::FillInchoateClientHello(
     const string& server_hostname,
     const CachedState* cached,
     CryptoHandshakeMessage* out) const {
   out->set_tag(kCHLO);
 
   // Server name indication.
   // If server_hostname is not an IP address literal, it is a DNS hostname.
   IPAddressNumber ip;
   if (!server_hostname.empty() &&
       !ParseIPLiteralToNumber(server_hostname, &ip)) {
     out->SetStringPiece(kSNI, server_hostname);
   }
   out->SetValue(kVERS, version);
 
-  if (cached && !cached->source_address_token().empty()) {
+  if (!cached->source_address_token().empty()) {
     out->SetStringPiece(kSRCT, cached->source_address_token());
   }
 
   out->SetTaglist(kPDMD, kX509, 0);
 }
 
 QuicErrorCode QuicCryptoClientConfig::FillClientHello(
     const string& server_hostname,
     QuicGuid guid,
     const CachedState* cached,
@@ skipping 51 matching lines @@
                                   &out_params->key_exchange,
                                   &key_exchange_index)) {
     *error_details = "Unsupported AEAD or KEXS";
     return QUIC_CRYPTO_NO_SUPPORT;
   }
   out->SetTaglist(kAEAD, out_params->aead, 0);
   out->SetTaglist(kKEXS, out_params->key_exchange, 0);
 
   StringPiece public_value;
   if (scfg->GetNthValue16(kPUBS, key_exchange_index, &public_value) !=
-      QUIC_NO_ERROR) {
+          QUIC_NO_ERROR) {
     *error_details = "Missing public value";
     return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
   }
 
   StringPiece orbit;
-  if (!scfg->GetStringPiece(kORBT, &orbit) ||
-      orbit.size() != kOrbitSize) {
+  if (!scfg->GetStringPiece(kORBT, &orbit) || orbit.size() != kOrbitSize) {
     *error_details = "SCFG missing OBIT";
     return QUIC_CRYPTO_MESSAGE_PARAMETER_NOT_FOUND;
   }
 
   string nonce;
   CryptoUtils::GenerateNonce(clock->NowAsDeltaSinceUnixEpoch(), rand, orbit,
                              &nonce);
   out->SetStringPiece(kNONC, nonce);
 
   scoped_ptr<KeyExchange> key_exchange;
@@ skipping 27 matching lines @@
   hkdf_input.append(client_hello_serialized.data(),
                    client_hello_serialized.length());
   hkdf_input.append(cached->server_config());
 
   CryptoUtils::DeriveKeys(out_params, nonce, hkdf_input, CryptoUtils::CLIENT);
 
   return QUIC_NO_ERROR;
 }
 
 QuicErrorCode QuicCryptoClientConfig::ProcessRejection(
-    const string& server_hostname,
+    CachedState* cached,
     const CryptoHandshakeMessage& rej,
     QuicCryptoNegotiatedParameters* out_params,
     string* error_details) {
   DCHECK(error_details != NULL);
 
-  CachedState* cached;
-  map<string, CachedState*>::const_iterator it =
-      cached_states_.find(server_hostname);
-  if (it == cached_states_.end()) {
-    cached = new CachedState;
-    cached_states_[server_hostname] = cached;
-  } else {
-    cached = it->second;
-  }
-
   StringPiece scfg;
   if (!rej.GetStringPiece(kSCFG, &scfg)) {
     *error_details = "Missing SCFG";
     return QUIC_CRYPTO_MESSAGE_PARAMETER_NOT_FOUND;
   }
 
   if (!cached->SetServerConfig(scfg)) {
     *error_details = "Invalid SCFG";
     return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
   }
 
   StringPiece token;
   if (rej.GetStringPiece(kSRCT, &token)) {
     cached->set_source_address_token(token);
   }
 
   StringPiece nonce;
   if (rej.GetStringPiece(kNONC, &nonce) &&
       nonce.size() == kNonceSize) {
     out_params->server_nonce = nonce.as_string();
   }
 
+  StringPiece proof, cert_bytes;
+  if (rej.GetStringPiece(kPROF, &proof) &&
+      rej.GetStringPiece(kCERT, &cert_bytes)) {
+    vector<StringPiece> certs;
+    while (!cert_bytes.empty()) {
+      if (cert_bytes.size() < 3) {
+        *error_details = "Certificate length truncated";
+        return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
+      }
+      size_t len = static_cast<size_t>(cert_bytes[0]) |
+                   static_cast<size_t>(cert_bytes[1]) << 8 |
+                   static_cast<size_t>(cert_bytes[2]) << 16;
+      if (len == 0) {
+        *error_details = "Zero length certificate";
+        return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
+      }
+      cert_bytes.remove_prefix(3);
+      if (cert_bytes.size() < len) {
+        *error_details = "Certificate truncated";
+        return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
+      }
+      certs.push_back(StringPiece(cert_bytes.data(), len));
+      cert_bytes.remove_prefix(len);
+    }
+
+    cached->SetProof(certs, proof);
+  }
+
   return QUIC_NO_ERROR;
 }
 
 QuicErrorCode QuicCryptoClientConfig::ProcessServerHello(
     const CryptoHandshakeMessage& server_hello,
     const string& nonce,
     QuicCryptoNegotiatedParameters* out_params,
     string* error_details) {
   DCHECK(error_details != NULL);
 
   if (server_hello.tag() != kSHLO) {
     *error_details = "Bad tag";
     return QUIC_INVALID_CRYPTO_MESSAGE_TYPE;
   }
 
   // TODO(agl):
   //   learn about updated SCFGs.
   //   read ephemeral public value for forward-secret keys.
 
   return QUIC_NO_ERROR;
 }
 
+const ProofVerifier* QuicCryptoClientConfig::proof_verifier() const {
+  return proof_verifier_.get();
+}
+
+void QuicCryptoClientConfig::SetProofVerifier(ProofVerifier* verifier) {
+  proof_verifier_.reset(verifier);
+}
+
 }  // namespace net