Call ProofHandler::OnProofVerifyDetailsAvailable in TLS handshake in QUIC gfe-relnote: Notify QuicCryptoClientStream::ProofHandler when VerifyCertChain completes, protected by quic_supports_tls_handshake PiperOrigin-RevId: 272701332 Change-Id: Ie96d15a99421e43226feefb6e5889056868a1746
diff --git a/quic/core/quic_crypto_client_stream.cc b/quic/core/quic_crypto_client_stream.cc
index a05caee..097fc9b 100644
--- a/quic/core/quic_crypto_client_stream.cc
+++ b/quic/core/quic_crypto_client_stream.cc
@@ -44,7 +44,7 @@
 case PROTOCOL_TLS1_3:
 handshaker_ = std::make_unique<TlsClientHandshaker>(
 this, session, server_id, crypto_config->proof_verifier(),
- crypto_config->ssl_ctx(), std::move(verify_context),
+ crypto_config->ssl_ctx(), std::move(verify_context), proof_handler,
 crypto_config->user_agent_id());
 break;
 case PROTOCOL_UNSUPPORTED:
diff --git a/quic/core/quic_crypto_client_stream_test.cc b/quic/core/quic_crypto_client_stream_test.cc
index 9969baf..5b49fad 100644
--- a/quic/core/quic_crypto_client_stream_test.cc
+++ b/quic/core/quic_crypto_client_stream_test.cc
@@ -95,10 +95,11 @@
 TEST_F(QuicCryptoClientStreamTest, ConnectedAfterTlsHandshake) {
 SetQuicReloadableFlag(quic_supports_tls_handshake, true);
 supported_versions_.clear();
- for (QuicTransportVersion transport_version :
- AllSupportedTransportVersions()) {
- supported_versions_.push_back(
- ParsedQuicVersion(PROTOCOL_TLS1_3, transport_version));
+ for (ParsedQuicVersion version : AllSupportedVersions()) {
+ if (version.handshake_protocol != PROTOCOL_TLS1_3) {
+ continue;
+ }
+ supported_versions_.push_back(version);
 }
 CreateConnection();
 CompleteCryptoHandshake();
@@ -107,6 +108,29 @@
 EXPECT_TRUE(stream()->handshake_confirmed());
 }
+TEST_F(QuicCryptoClientStreamTest,
+ ProofVerifyDetailsAvailableAfterTlsHandshake) {
+ SetQuicReloadableFlag(quic_supports_tls_handshake, true);
+ supported_versions_.clear();
+ for (ParsedQuicVersion version : AllSupportedVersions()) {
+ if (version.handshake_protocol != PROTOCOL_TLS1_3) {
+ continue;
+ }
+ supported_versions_.push_back(version);
+ }
+ CreateConnection();
+
+ EXPECT_CALL(*session_, OnProofVerifyDetailsAvailable(testing::_));
+ stream()->CryptoConnect();
+ QuicConfig config;
+ crypto_test_utils::HandshakeWithFakeServer(
+ &config, &server_helper_, &alarm_factory_, connection_, stream(),
+ AlpnForVersion(connection_->version()));
+ EXPECT_EQ(PROTOCOL_TLS1_3, stream()->handshake_protocol());
+ EXPECT_TRUE(stream()->encryption_established());
+ EXPECT_TRUE(stream()->handshake_confirmed());
+}
+
 TEST_F(QuicCryptoClientStreamTest, MessageAfterHandshake) {
 CompleteCryptoHandshake();
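Review bot: The loop that narrows supported_versions_ to PROTOCOL_TLS1_3 versions is now duplicated verbatim between ConnectedAfterTlsHandshake and the new ProofVerifyDetailsAvailableAfterTlsHandshake; a fixture helper such as `void UseOnlyTlsVersions() { supported_versions_.clear(); for (ParsedQuicVersion version : AllSupportedVersions()) { if (version.handshake_protocol == PROTOCOL_TLS1_3) supported_versions_.push_back(version); } }` would keep both tests in step when the version list changes. The new expectation `EXPECT_CALL(*session_, OnProofVerifyDetailsAvailable(testing::_))` accepts any details object, so it checks only that the callback fires, not that the session is told the result the fake server's verifier actually produced; if that ProofVerifyDetails is recognisable from the test utilities, matching on it would make the test sharper, though I cannot tell from here whether such a matcher is available. The new test also drives CryptoConnect() and HandshakeWithFakeServer() by hand instead of calling CompleteCryptoHandshake() like its neighbour, presumably so the expectation can be installed before the handshake starts; a one-line comment to that effect, `// Expectation must precede CryptoConnect(); CompleteCryptoHandshake() would start it first.`, would stop a later cleanup from folding the two back together.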
diff --git a/quic/core/tls_client_handshaker.cc b/quic/core/tls_client_handshaker.cc
index bb45602..88fea66 100644
--- a/quic/core/tls_client_handshaker.cc
+++ b/quic/core/tls_client_handshaker.cc
@@ -33,6 +33,8 @@
 parent_->verify_result_ = ok ? ssl_verify_ok : ssl_verify_invalid;
 parent_->state_ = STATE_HANDSHAKE_RUNNING;
 parent_->proof_verify_callback_ = nullptr;
+ parent_->proof_handler_->OnProofVerifyDetailsAvailable(
+ *parent_->verify_details_);
 parent_->AdvanceHandshake();
 }
@@ -47,11 +49,13 @@
 ProofVerifier* proof_verifier,
 SSL_CTX* ssl_ctx,
 std::unique_ptr<ProofVerifyContext> verify_context,
+ QuicCryptoClientStream::ProofHandler* proof_handler,
 const std::string& user_agent_id)
 : TlsHandshaker(stream, session, ssl_ctx),
 server_id_(server_id),
 proof_verifier_(proof_verifier),
 verify_context_(std::move(verify_context)),
+ proof_handler_(proof_handler),
 user_agent_id_(user_agent_id),
 crypto_negotiated_params_(new QuicCryptoNegotiatedParameters),
 tls_connection_(ssl_ctx, this) {}
@@ -366,6 +370,7 @@
 std::unique_ptr<ProofVerifierCallback>(proof_verify_callback));
 switch (verify_result) {
 case QUIC_SUCCESS:
+ proof_handler_->OnProofVerifyDetailsAvailable(*verify_details_);
 return ssl_verify_ok;
 case QUIC_PENDING:
 proof_verify_callback_ = proof_verify_callback;
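Review bot: `*parent_->verify_details_` is dereferenced unconditionally in the first hunk, including when `ok` is false, and nothing visible here guarantees that the verifier populated `verify_details_` on a failed or cancelled verification, so a null dereference is possible on that path; the same unguarded `*verify_details_` appears in the QUIC_SUCCESS case of the third hunk. A guard such as `if (parent_->verify_details_ != nullptr) { parent_->proof_handler_->OnProofVerifyDetailsAvailable(*parent_->verify_details_); }` (and the equivalent in the synchronous case) keeps the notification while tolerating an absent details object; the legacy QUIC crypto client handshaker guards this call the same way, if I recall correctly. The two paths also differ in policy as far as the hunks show: the asynchronous callback notifies the handler whether or not verification succeeded, while the synchronous path notifies only on QUIC_SUCCESS, so a synchronously failed verification surfaces no details to the session — worth aligning, or documenting next to proof_handler_ in the header. The callback's signature and the enclosing function of the third hunk lie outside the hunks.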
diff --git a/quic/core/tls_client_handshaker.h b/quic/core/tls_client_handshaker.h
index f3e90ce..4672821 100644
--- a/quic/core/tls_client_handshaker.h
+++ b/quic/core/tls_client_handshaker.h
@@ -30,6 +30,7 @@
 ProofVerifier* proof_verifier,
 SSL_CTX* ssl_ctx,
 std::unique_ptr<ProofVerifyContext> verify_context,
+ QuicCryptoClientStream::ProofHandler* proof_handler,
 const std::string& user_agent_id);
 TlsClientHandshaker(const TlsClientHandshaker&) = delete;
 TlsClientHandshaker& operator=(const TlsClientHandshaker&) = delete;
@@ -109,6 +110,10 @@
 // constructor.
 ProofVerifier* proof_verifier_;
 std::unique_ptr<ProofVerifyContext> verify_context_;
+ // Unowned pointer to the proof handler which has the
+ // OnProofVerifyDetailsAvailable callback to use for notifying the result of
+ // certificate verification.
+ QuicCryptoClientStream::ProofHandler* proof_handler_;
 std::string user_agent_id_;
diff --git a/quic/core/tls_handshaker_test.cc b/quic/core/tls_handshaker_test.cc
index 168dc55..1d34321 100644
--- a/quic/core/tls_handshaker_test.cc
+++ b/quic/core/tls_handshaker_test.cc
@@ -210,6 +210,15 @@
 std::vector<std::pair<std::string, EncryptionLevel>> pending_writes_;
 };
+class MockProofHandler : public QuicCryptoClientStream::ProofHandler {
+ public:
+ MockProofHandler() = default;
+ ~MockProofHandler() override {}
+
+ MOCK_METHOD1(OnProofValid, void(const QuicCryptoClientConfig::CachedState&));
+ MOCK_METHOD1(OnProofVerifyDetailsAvailable, void(const ProofVerifyDetails&));
+};
+
 class TestQuicCryptoClientStream : public TestQuicCryptoStream {
 public:
 explicit TestQuicCryptoClientStream(QuicSession* session)
@@ -223,12 +232,14 @@
 proof_verifier_.get(),
 ssl_ctx_.get(),
 crypto_test_utils::ProofVerifyContextForTesting(),
+ &proof_handler_,
 "quic-tester")) {}
 ~TestQuicCryptoClientStream() override = default;
 TlsHandshaker* handshaker() const override { return handshaker_.get(); }
 TlsClientHandshaker* client_handshaker() const { return handshaker_.get(); }
+ const MockProofHandler& proof_handler() { return proof_handler_; }
 bool CryptoConnect() { return handshaker_->CryptoConnect(); }
@@ -238,6 +249,7 @@
 private:
 std::unique_ptr<FakeProofVerifier> proof_verifier_;
+ MockProofHandler proof_handler_;
 bssl::UniquePtr<SSL_CTX> ssl_ctx_;
 std::unique_ptr<TlsClientHandshaker> handshaker_;
 };
@@ -341,6 +353,7 @@
 OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED));
 EXPECT_CALL(server_session_,
 OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED));
+ EXPECT_CALL(client_stream_->proof_handler(), OnProofVerifyDetailsAvailable);
 client_stream_->CryptoConnect();
 ExchangeHandshakeMessages(client_stream_, server_stream_);
@@ -401,6 +414,8 @@
 FakeProofVerifier* proof_verifier = client_stream_->GetFakeProofVerifier();
 proof_verifier->Activate();
+ EXPECT_CALL(client_stream_->proof_handler(), OnProofVerifyDetailsAvailable);
+
 // Start handshake.
 client_stream_->CryptoConnect();
 ExchangeHandshakeMessages(client_stream_, server_stream_);
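Review bot: `const MockProofHandler& proof_handler() { return proof_handler_; }` in the second hunk returns a const reference from a non-const member function; it should read `const MockProofHandler& proof_handler() const { return proof_handler_; }`, matching the `client_handshaker()` accessor beside it. As far as I can tell, EXPECT_CALL on that const reference only compiles in the argument-less form used in the fourth and fifth hunks, so a later test that wants to match the ProofVerifyDetails argument will need a non-const accessor; a short comment on the accessor saying so would save that discovery. In the first hunk `~MockProofHandler() override {}` reads better as `~MockProofHandler() override = default;`, consistent with the defaulted constructor directly above it.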