| Index: net/quic/crypto/crypto_handshake.h
|
| diff --git a/net/quic/crypto/crypto_handshake.h b/net/quic/crypto/crypto_handshake.h
|
| index c597b7432f47a2d59af1a8a594961cb3495dbf35..0be50d0129811470b6d0b925cdac2141214d4936 100644
|
| --- a/net/quic/crypto/crypto_handshake.h
|
| +++ b/net/quic/crypto/crypto_handshake.h
|
| @@ -11,8 +11,6 @@
|
|
|
| #include "base/memory/scoped_ptr.h"
|
| #include "base/strings/string_piece.h"
|
| -#include "base/synchronization/lock.h"
|
| -#include "net/base/ip_endpoint.h"
|
| #include "net/base/net_export.h"
|
| #include "net/quic/crypto/crypto_protocol.h"
|
| #include "net/quic/quic_time.h"
|
| @@ -24,12 +22,6 @@ class QuicClock;
|
| class QuicDecrypter;
|
| class QuicEncrypter;
|
| class QuicRandom;
|
| -class QuicServerConfigProtobuf;
|
| -class StrikeRegister;
|
| -
|
| -namespace test {
|
| -class QuicCryptoServerConfigPeer;
|
| -} // namespace test
|
|
|
| // An intermediate format of a handshake message that's convenient for a
|
| // CryptoFramer to serialize from or parse into.
|
| @@ -126,90 +118,6 @@ class NET_EXPORT_PRIVATE CryptoHandshakeMessage {
|
| mutable scoped_ptr<QuicData> serialized_;
|
| };
|
|
|
| -// TODO(rch): sync with server more rationally
|
| -class NET_EXPORT_PRIVATE QuicServerConfigProtobuf {
|
| - public:
|
| - class NET_EXPORT_PRIVATE PrivateKey {
|
| - public:
|
| - CryptoTag tag() const {
|
| - return tag_;
|
| - }
|
| - void set_tag(CryptoTag tag) {
|
| - tag_ = tag;
|
| - }
|
| - std::string private_key() const {
|
| - return private_key_;
|
| - }
|
| - void set_private_key(std::string key) {
|
| - private_key_ = key;
|
| - }
|
| -
|
| - private:
|
| - CryptoTag tag_;
|
| - std::string private_key_;
|
| - };
|
| -
|
| - QuicServerConfigProtobuf();
|
| - ~QuicServerConfigProtobuf();
|
| -
|
| - size_t key_size() const {
|
| - return keys_.size();
|
| - }
|
| -
|
| - const PrivateKey& key(size_t i) const {
|
| - DCHECK_GT(keys_.size(), i);
|
| - return *keys_[i];
|
| - }
|
| -
|
| - std::string config() const {
|
| - return config_;
|
| - }
|
| -
|
| - void set_config(base::StringPiece config) {
|
| - config_ = config.as_string();
|
| - }
|
| -
|
| - QuicServerConfigProtobuf::PrivateKey* add_key() {
|
| - keys_.push_back(new PrivateKey);
|
| - return keys_.back();
|
| - }
|
| -
|
| - private:
|
| - std::vector<PrivateKey*> keys_;
|
| - std::string config_;
|
| -};
|
| -
|
| -// TODO(rtenneti): sync with server more rationally.
|
| -class NET_EXPORT_PRIVATE SourceAddressToken {
|
| - public:
|
| - SourceAddressToken();
|
| - ~SourceAddressToken();
|
| -
|
| - std::string SerializeAsString() const;
|
| -
|
| - bool ParseFromArray(unsigned char* plaintext, size_t plaintext_length);
|
| -
|
| - std::string ip() const {
|
| - return ip_;
|
| - }
|
| -
|
| - int64 timestamp() const {
|
| - return timestamp_;
|
| - }
|
| -
|
| - void set_ip(base::StringPiece ip) {
|
| - ip_ = ip.as_string();
|
| - }
|
| -
|
| - void set_timestamp(int64 timestamp) {
|
| - timestamp_ = timestamp;
|
| - }
|
| -
|
| - private:
|
| - std::string ip_;
|
| - int64 timestamp_;
|
| -};
|
| -
|
| // Parameters negotiated by the crypto handshake.
|
| struct NET_EXPORT_PRIVATE QuicCryptoNegotiatedParameters {
|
| // Initializes the members to 0 or empty values.
|
| @@ -229,6 +137,16 @@ struct NET_EXPORT_PRIVATE QuicCryptoNegotiatedParameters {
|
| // QuicCryptoConfig contains common configuration between clients and servers.
|
| class NET_EXPORT_PRIVATE QuicCryptoConfig {
|
| public:
|
| + enum {
|
| + // CONFIG_VERSION is the one (and, for the moment, only) version number that
|
| + // we implement.
|
| + CONFIG_VERSION = 0,
|
| + };
|
| +
|
| + // kLabel is constant that is used in key derivation to tie the resulting key
|
| + // to this protocol.
|
| + static const char kLabel[];
|
| +
|
| QuicCryptoConfig();
|
| ~QuicCryptoConfig();
|
|
|
| @@ -344,128 +262,6 @@ class NET_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
|
| std::map<std::string, CachedState*> cached_states_;
|
| };
|
|
|
| -// QuicCryptoServerConfig contains the crypto configuration of a QUIC server.
|
| -// Unlike a client, a QUIC server can have multiple configurations active in
|
| -// order to support clients resuming with a previous configuration.
|
| -// TODO(agl): when adding configurations at runtime is added, this object will
|
| -// need to consider locking.
|
| -class NET_EXPORT_PRIVATE QuicCryptoServerConfig {
|
| - public:
|
| - // |source_address_token_secret|: secret key material used for encrypting and
|
| - // decrypting source address tokens. It can be of any length as it is fed
|
| - // into a KDF before use. In tests, use TESTING.
|
| - explicit QuicCryptoServerConfig(
|
| - base::StringPiece source_address_token_secret);
|
| - ~QuicCryptoServerConfig();
|
| -
|
| - // TESTING is a magic parameter for passing to the constructor in tests.
|
| - static const char TESTING[];
|
| -
|
| - // DefaultConfig generates a QuicServerConfigProtobuf protobuf suitable
|
| - // for using in tests. |extra_tags| contains additional key/value pairs that
|
| - // will be inserted into the config.
|
| - static QuicServerConfigProtobuf* DefaultConfig(
|
| - QuicRandom* rand,
|
| - const QuicClock* clock,
|
| - const CryptoHandshakeMessage& extra_tags);
|
| -
|
| - // AddConfig adds a QuicServerConfigProtobuf to the availible configurations.
|
| - // It returns the SCFG message from the config if successful. The caller
|
| - // takes ownership of the CryptoHandshakeMessage.
|
| - CryptoHandshakeMessage* AddConfig(QuicServerConfigProtobuf* protobuf);
|
| -
|
| - // AddDefaultConfig creates a config and then calls AddConfig to
|
| - // add it. Any tags in |extra_tags| will be copied into the config.
|
| - CryptoHandshakeMessage* AddDefaultConfig(
|
| - QuicRandom* rand,
|
| - const QuicClock* clock,
|
| - const CryptoHandshakeMessage& extra_tags);
|
| -
|
| - // ProcessClientHello processes |client_hello| and decides whether to accept
|
| - // or reject the connection. If the connection is to be accepted, |out| is
|
| - // set to the contents of the ServerHello, |out_params| is completed and
|
| - // QUIC_NO_ERROR is returned. Otherwise |out| is set to be a REJ message and
|
| - // an error code is returned.
|
| - //
|
| - // client_hello: the incoming client hello message.
|
| - // guid: the GUID for the connection, which is used in key derivation.
|
| - // client_ip: the IP address of the client, which is used to generate and
|
| - // validate source-address tokens.
|
| - // now_since_epoch: the current time, as a delta since the unix epoch,
|
| - // which is used to validate client nonces.
|
| - // rand: an entropy source
|
| - // params: the state of the handshake. This may be updated with a server
|
| - // nonce when we send a rejection. After a successful handshake, this will
|
| - // contain the state of the connection.
|
| - // out: the resulting handshake message (either REJ or SHLO)
|
| - // error_details: used to store a string describing any error.
|
| - QuicErrorCode ProcessClientHello(const CryptoHandshakeMessage& client_hello,
|
| - QuicGuid guid,
|
| - const IPEndPoint& client_ip,
|
| - QuicTime::Delta now_since_epoch,
|
| - QuicRandom* rand,
|
| - QuicCryptoNegotiatedParameters* params,
|
| - CryptoHandshakeMessage* out,
|
| - std::string* error_details) const;
|
| -
|
| - private:
|
| - friend class test::QuicCryptoServerConfigPeer;
|
| -
|
| - // Config represents a server config: a collection of preferences and
|
| - // Diffie-Hellman public values.
|
| - struct Config : public QuicCryptoConfig {
|
| - Config();
|
| - ~Config();
|
| -
|
| - // serialized contains the bytes of this server config, suitable for sending
|
| - // on the wire.
|
| - std::string serialized;
|
| - // id contains the SCID of this server config.
|
| - std::string id;
|
| - // orbit contains the orbit value for this config: an opaque identifier
|
| - // used to identify clusters of server frontends.
|
| - unsigned char orbit[kOrbitSize];
|
| -
|
| - // key_exchanges contains key exchange objects with the private keys
|
| - // already loaded. The values correspond, one-to-one, with the tags in
|
| - // |kexs| from the parent class.
|
| - std::vector<KeyExchange*> key_exchanges;
|
| -
|
| - // tag_value_map contains the raw key/value pairs for the config.
|
| - CryptoTagValueMap tag_value_map;
|
| -
|
| - private:
|
| - DISALLOW_COPY_AND_ASSIGN(Config);
|
| - };
|
| -
|
| - // NewSourceAddressToken returns a fresh source address token for the given
|
| - // IP address.
|
| - std::string NewSourceAddressToken(const IPEndPoint& ip,
|
| - QuicRandom* rand,
|
| - QuicTime::Delta now_since_epoch) const;
|
| -
|
| - // ValidateSourceAddressToken returns true if the source address token in
|
| - // |token| is a valid and timely token for the IP address |ip| given that the
|
| - // current time is |now|.
|
| - bool ValidateSourceAddressToken(base::StringPiece token,
|
| - const IPEndPoint& ip,
|
| - QuicTime::Delta now_since_epoch) const;
|
| -
|
| - std::map<ServerConfigID, Config*> configs_;
|
| -
|
| - ServerConfigID active_config_;
|
| -
|
| - mutable base::Lock strike_register_lock_;
|
| - // strike_register_ contains a data structure that keeps track of previously
|
| - // observed client nonces in order to prevent replay attacks.
|
| - mutable scoped_ptr<StrikeRegister> strike_register_;
|
| -
|
| - // These members are used to encrypt and decrypt the source address tokens
|
| - // that we receive from and send to clients.
|
| - scoped_ptr<QuicEncrypter> source_address_token_encrypter_;
|
| - scoped_ptr<QuicDecrypter> source_address_token_decrypter_;
|
| -};
|
| -
|
| } // namespace net
|
|
|
| #endif // NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_
|
|
|
Chromium Code Reviews
