Land Recent QUIC changes

net/quic/quic_crypto_client_stream.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/quic_crypto_client_stream.h"
 
 #include "net/quic/crypto/crypto_protocol.h"
 #include "net/quic/crypto/crypto_utils.h"
 #include "net/quic/crypto/null_encrypter.h"
 #include "net/quic/crypto/proof_verifier.h"
@@ skipping 22 matching lines @@
     const CryptoHandshakeMessage& message) {
   DoHandshakeLoop(&message);
 }
 
 bool QuicCryptoClientStream::CryptoConnect() {
   next_state_ = STATE_SEND_CHLO;
   DoHandshakeLoop(NULL);
   return true;
 }
 
-const QuicNegotiatedParameters&
-QuicCryptoClientStream::negotiated_params() const {
-  return negotiated_params_;
-}
-
-const QuicCryptoNegotiatedParameters&
-QuicCryptoClientStream::crypto_negotiated_params() const {
-  return crypto_negotiated_params_;
-}
-
 int QuicCryptoClientStream::num_sent_client_hellos() const {
   return num_client_hellos_;
 }
 
 // kMaxClientHellos is the maximum number of times that we'll send a client
 // hello. The value 3 accounts for:
 //   * One failure due to an incorrect or missing source-address token.
 //   * One failure due the server's certificate chain being unavailible and the
 //     server being unwilling to send it without a valid source-address token.
 static const int kMaxClientHellos = 3;
@@ skipping 28 matching lines @@
           DLOG(INFO) << "Client Sending: " << out.DebugString();
           SendHandshakeMessage(out);
           return;
         }
         const CryptoHandshakeMessage* scfg = cached->GetServerConfig();
         config_.ToHandshakeMessage(&out);
         error = crypto_config_->FillClientHello(
             server_hostname_,
             session()->connection()->guid(),
             cached,
-            session()->connection()->clock(),
+            session()->connection()->clock()->WallNow(),
             session()->connection()->random_generator(),
             &crypto_negotiated_params_,
             &out,
             &error_details);
         if (error != QUIC_NO_ERROR) {
           CloseConnectionWithDetails(error, error_details);
           return;
         }
         error = config_.ProcessFinalPeerHandshake(
             *scfg, CryptoUtils::PEER_PRIORITY, &negotiated_params_,
             &error_details);
         if (error != QUIC_NO_ERROR) {
           CloseConnectionWithDetails(error, error_details);
           return;
         }
         next_state_ = STATE_RECV_SHLO;
         DLOG(INFO) << "Client Sending: " << out.DebugString();
         SendHandshakeMessage(out);
         // Be prepared to decrypt with the new server write key.
         session()->connection()->SetAlternativeDecrypter(
-            crypto_negotiated_params_.decrypter.release(),
+            crypto_negotiated_params_.initial_crypters.decrypter.release(),
             true /* latch once used */);
         // Send subsequent packets under encryption on the assumption that the
         // server will accept the handshake.
         session()->connection()->SetEncrypter(
             ENCRYPTION_INITIAL,
-            crypto_negotiated_params_.encrypter.release());
+            crypto_negotiated_params_.initial_crypters.encrypter.release());
         session()->connection()->SetDefaultEncryptionLevel(
             ENCRYPTION_INITIAL);
         if (!encryption_established_) {
-          session()->OnCryptoHandshakeEvent(
-              QuicSession::ENCRYPTION_FIRST_ESTABLISHED);
-          encryption_established_ = true;
+          // TODO(agl): the following, commented code should live here and not
+          // down when the handshake is confirmed. However, it causes
+          // EndToEndTest.LargePost to be flaky (b/8074678), seemingly because
+          // the packets dropped when the client hello is dropped cause the
+          // congestion control to be too conservative and the server times
+          // out.
+          //   session()->OnCryptoHandshakeEvent(
+          //       QuicSession::ENCRYPTION_FIRST_ESTABLISHED);
+          //   encryption_established_ = true;
         } else {
           session()->OnCryptoHandshakeEvent(
               QuicSession::ENCRYPTION_REESTABLISHED);
         }
         return;
       }
       case STATE_RECV_REJ:
         // We sent a dummy CHLO because we didn't have enough information to
         // perform a handshake, or we sent a full hello that the server
         // rejected. Here we hope to have a REJ that contains the information
@@ skipping 28 matching lines @@
               return;
             }
             cached->SetProofValid();
           }
         }
         // Send the subsequent client hello in plaintext.
         session()->connection()->SetDefaultEncryptionLevel(
             ENCRYPTION_NONE);
         next_state_ = STATE_SEND_CHLO;
         break;
-      case STATE_RECV_SHLO:
+      case STATE_RECV_SHLO: {
         // We sent a CHLO that we expected to be accepted and now we're hoping
         // for a SHLO from the server to confirm that.
         if (in->tag() == kREJ) {
+          // alternative_decrypter will be NULL if the original alternative
+          // decrypter latched and became the primary decrypter. That happens
+          // if we received a message encrypted with the INITIAL key.
+          if (session()->connection()->alternative_decrypter() == NULL) {
+            // The rejection was sent encrypted!
+            CloseConnectionWithDetails(QUIC_CRYPTO_ENCRYPTION_LEVEL_INCORRECT,
+                                       "encrypted REJ message");
+            return;
+          }
           next_state_ = STATE_RECV_REJ;
           break;
         }
         if (in->tag() != kSHLO) {
           CloseConnectionWithDetails(QUIC_INVALID_CRYPTO_MESSAGE_TYPE,
                                      "Expected SHLO or REJ");
           return;
         }
-        // TODO(agl): enable this once the tests are corrected to permit it.
-        // DCHECK(session()->connection()->alternative_decrypter() == NULL);
+        // alternative_decrypter will be NULL if the original alternative
+        // decrypter latched and became the primary decrypter. That happens
+        // if we received a message encrypted with the INITIAL key.
+        if (session()->connection()->alternative_decrypter() != NULL) {
+          // The server hello was sent without encryption.
+          CloseConnectionWithDetails(QUIC_CRYPTO_ENCRYPTION_LEVEL_INCORRECT,
+                                     "unencrypted SHLO message");
+          return;
+        }
+        error = crypto_config_->ProcessServerHello(
+            *in, session()->connection()->guid(), &crypto_negotiated_params_,
+            &error_details);
+        if (error != QUIC_NO_ERROR) {
+          CloseConnectionWithDetails(
+              error, "Server hello invalid: " + error_details);
+          return;
+        }
+        CrypterPair* crypters =
+            &crypto_negotiated_params_.forward_secure_crypters;
+        // TODO(agl): we don't currently latch this decrypter because the idea
+        // has been floated that the server shouldn't send packets encrypted
+        // with the FORWARD_SECURE key until it receives a FORWARD_SECURE
+        // packet from the client.
+        session()->connection()->SetAlternativeDecrypter(
+            crypters->decrypter.release(), false /* don't latch */);
+        session()->connection()->SetEncrypter(
+            ENCRYPTION_FORWARD_SECURE, crypters->encrypter.release());
+        session()->connection()->SetDefaultEncryptionLevel(
+            ENCRYPTION_FORWARD_SECURE);
+
+        // TODO(agl): this code shouldn't be here. See the TODO further up
+        // about it.
+        session()->OnCryptoHandshakeEvent(
+            QuicSession::ENCRYPTION_FIRST_ESTABLISHED);
+        encryption_established_ = true;
+
         handshake_confirmed_ = true;
         session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
         return;
+      }
       case STATE_IDLE:
         // This means that the peer sent us a message that we weren't expecting.
         CloseConnection(QUIC_INVALID_CRYPTO_MESSAGE_TYPE);
         return;
     }
   }
 }
 
 }  // namespace net