| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/crypto_server_config.h" | 5 #include "net/quic/crypto/crypto_server_config.h" |
| 6 | 6 |
| 7 #include "base/stl_util.h" | 7 #include "base/stl_util.h" |
| 8 #include "crypto/hkdf.h" | 8 #include "crypto/hkdf.h" |
| 9 #include "crypto/secure_hash.h" | 9 #include "crypto/secure_hash.h" |
| 10 #include "net/quic/crypto/aes_128_gcm_decrypter.h" | 10 #include "net/quic/crypto/aes_128_gcm_decrypter.h" |
| 11 #include "net/quic/crypto/aes_128_gcm_encrypter.h" | 11 #include "net/quic/crypto/aes_128_gcm_encrypter.h" |
| 12 #include "net/quic/crypto/cert_compressor.h" | |
| 13 #include "net/quic/crypto/crypto_framer.h" | 12 #include "net/quic/crypto/crypto_framer.h" |
| 14 #include "net/quic/crypto/crypto_server_config_protobuf.h" | 13 #include "net/quic/crypto/crypto_server_config_protobuf.h" |
| 15 #include "net/quic/crypto/crypto_utils.h" | 14 #include "net/quic/crypto/crypto_utils.h" |
| 16 #include "net/quic/crypto/curve25519_key_exchange.h" | 15 #include "net/quic/crypto/curve25519_key_exchange.h" |
| 17 #include "net/quic/crypto/key_exchange.h" | 16 #include "net/quic/crypto/key_exchange.h" |
| 18 #include "net/quic/crypto/p256_key_exchange.h" | 17 #include "net/quic/crypto/p256_key_exchange.h" |
| 19 #include "net/quic/crypto/proof_source.h" | 18 #include "net/quic/crypto/proof_source.h" |
| 20 #include "net/quic/crypto/quic_decrypter.h" | 19 #include "net/quic/crypto/quic_decrypter.h" |
| 21 #include "net/quic/crypto/quic_encrypter.h" | 20 #include "net/quic/crypto/quic_encrypter.h" |
| 22 #include "net/quic/crypto/quic_random.h" | 21 #include "net/quic/crypto/quic_random.h" |
| 23 #include "net/quic/crypto/source_address_token.h" | 22 #include "net/quic/crypto/source_address_token.h" |
| 24 #include "net/quic/crypto/strike_register.h" | 23 #include "net/quic/crypto/strike_register.h" |
| 25 #include "net/quic/quic_clock.h" | 24 #include "net/quic/quic_clock.h" |
| 26 #include "net/quic/quic_protocol.h" | 25 #include "net/quic/quic_protocol.h" |
| 27 #include "net/quic/quic_utils.h" | |
| 28 | 26 |
| 29 using base::StringPiece; | 27 using base::StringPiece; |
| 30 using crypto::SecureHash; | 28 using crypto::SecureHash; |
| 31 using std::map; | 29 using std::map; |
| 32 using std::string; | 30 using std::string; |
| 33 using std::vector; | 31 using std::vector; |
| 34 | 32 |
| 35 namespace net { | 33 namespace net { |
| 36 | 34 |
| 37 // static | 35 // static |
| (...skipping 322 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 360 StringPiece(reinterpret_cast<const char*>(config->orbit), | 358 StringPiece(reinterpret_cast<const char*>(config->orbit), |
| 361 sizeof(config->orbit)), | 359 sizeof(config->orbit)), |
| 362 ¶ms->server_nonce); | 360 ¶ms->server_nonce); |
| 363 } | 361 } |
| 364 out->SetStringPiece(kNONC, params->server_nonce); | 362 out->SetStringPiece(kNONC, params->server_nonce); |
| 365 | 363 |
| 366 // The client may have requested a certificate chain. | 364 // The client may have requested a certificate chain. |
| 367 const CryptoTag* their_proof_demands; | 365 const CryptoTag* their_proof_demands; |
| 368 size_t num_their_proof_demands; | 366 size_t num_their_proof_demands; |
| 369 | 367 |
| 370 if (proof_source_.get() != NULL && | 368 if (valid_source_address_token && |
| 369 proof_source_.get() != NULL && |
| 371 !sni.empty() && | 370 !sni.empty() && |
| 372 client_hello.GetTaglist(kPDMD, &their_proof_demands, | 371 client_hello.GetTaglist(kPDMD, &their_proof_demands, |
| 373 &num_their_proof_demands) == QUIC_NO_ERROR) { | 372 &num_their_proof_demands) == QUIC_NO_ERROR) { |
| 374 for (size_t i = 0; i < num_their_proof_demands; i++) { | 373 for (size_t i = 0; i < num_their_proof_demands; i++) { |
| 375 if (their_proof_demands[i] != kX509) { | 374 if (their_proof_demands[i] != kX509) { |
| 376 continue; | 375 continue; |
| 377 } | 376 } |
| 378 | 377 |
| 378 // TODO(agl): in the future we will hopefully have a cached-info like |
| 379 // mechanism where we can omit certificates that the client already has. |
| 380 // In that case, the certificate chain may be small enough to include |
| 381 // without a source-address token. But, for now, we always send the full |
| 382 // chain and we always need a valid source-address token. |
| 383 |
| 379 const vector<string>* certs; | 384 const vector<string>* certs; |
| 380 string signature; | 385 string signature; |
| 381 if (!proof_source_->GetProof(sni.as_string(), config->serialized, | 386 if (!proof_source_->GetProof(sni.as_string(), config->serialized, |
| 382 &certs, &signature)) { | 387 &certs, &signature)) { |
| 383 break; | 388 break; |
| 384 } | 389 } |
| 385 | 390 |
| 386 StringPiece their_common_set_hashes; | 391 // TODO(agl): compress and omit certificates where possible based on |
| 387 StringPiece their_cached_cert_hashes; | 392 // the client's cached certificates. |
| 388 client_hello.GetStringPiece(kCCS, &their_common_set_hashes); | 393 size_t cert_bytes = 0; |
| 389 client_hello.GetStringPiece(kCCRT, &their_cached_cert_hashes); | 394 for (vector<string>::const_iterator i = certs->begin(); |
| 395 i != certs->end(); ++i) { |
| 396 cert_bytes += i->size(); |
| 397 } |
| 398 // There's a three byte length-prefix for each certificate. |
| 399 cert_bytes += certs->size()*3; |
| 400 scoped_ptr<char[]> buf(new char[cert_bytes]); |
| 390 | 401 |
| 391 const string compressed = CertCompressor::CompressChain( | 402 size_t j = 0; |
| 392 *certs, their_common_set_hashes, their_cached_cert_hashes, | 403 for (vector<string>::const_iterator i = certs->begin(); |
| 393 config->common_cert_set_.get()); | 404 i != certs->end(); ++i) { |
| 405 size_t len = i->size(); |
| 406 buf[j++] = len; |
| 407 buf[j++] = len >> 8; |
| 408 buf[j++] = len >> 16; |
| 409 memcpy(&buf[j], i->data(), i->size()); |
| 410 j += i->size(); |
| 411 } |
| 394 | 412 |
| 395 // kMaxUnverifiedSize is the number of bytes that the certificate chain | 413 DCHECK_EQ(j, cert_bytes); |
| 396 // and signature can consume before we will demand a valid | 414 |
| 397 // source-address token. | 415 out->SetStringPiece(kCERT, StringPiece(buf.get(), cert_bytes)); |
| 398 static const size_t kMaxUnverifiedSize = 400; | 416 out->SetStringPiece(kPROF, signature); |
| 399 if (valid_source_address_token || | |
| 400 signature.size() + compressed.size() < kMaxUnverifiedSize) { | |
| 401 out->SetStringPiece(kCERT, compressed); | |
| 402 out->SetStringPiece(kPROF, signature); | |
| 403 } | |
| 404 break; | 417 break; |
| 405 } | 418 } |
| 406 } | 419 } |
| 407 | 420 |
| 408 return QUIC_NO_ERROR; | 421 return QUIC_NO_ERROR; |
| 409 } | 422 } |
| 410 | 423 |
| 411 const CryptoTag* their_aeads; | 424 const CryptoTag* their_aeads; |
| 412 const CryptoTag* their_key_exchanges; | 425 const CryptoTag* their_key_exchanges; |
| 413 size_t num_their_aeads, num_their_key_exchanges; | 426 size_t num_their_aeads, num_their_key_exchanges; |
| (...skipping 150 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 564 } | 577 } |
| 565 | 578 |
| 566 QuicCryptoServerConfig::Config::Config() { | 579 QuicCryptoServerConfig::Config::Config() { |
| 567 } | 580 } |
| 568 | 581 |
| 569 QuicCryptoServerConfig::Config::~Config() { | 582 QuicCryptoServerConfig::Config::~Config() { |
| 570 STLDeleteElements(&key_exchanges); | 583 STLDeleteElements(&key_exchanges); |
| 571 } | 584 } |
| 572 | 585 |
| 573 } // namespace net | 586 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 15018013:
Revert 198736 "Land Recent QUIC changes" (Closed)
Base URL: svn://svn.chromium.org/chrome/