Chromium Code Reviews Chromium Code Reviews
Issue 17385010:
OpenSSL/NSS implementation of ProofVerfifier. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/crypto_handshake.h" | 5 #include "net/quic/crypto/crypto_handshake.h" |
| 6 | 6 |
| 7 #include <ctype.h> | 7 #include <ctype.h> |
| 8 | 8 |
| 9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
| 10 #include "base/stl_util.h" | 10 #include "base/stl_util.h" |
| (...skipping 339 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 350 | 350 |
| 351 QuicCryptoConfig::~QuicCryptoConfig() {} | 351 QuicCryptoConfig::~QuicCryptoConfig() {} |
| 352 | 352 |
| 353 QuicCryptoClientConfig::QuicCryptoClientConfig() {} | 353 QuicCryptoClientConfig::QuicCryptoClientConfig() {} |
| 354 | 354 |
| 355 QuicCryptoClientConfig::~QuicCryptoClientConfig() { | 355 QuicCryptoClientConfig::~QuicCryptoClientConfig() { |
| 356 STLDeleteValues(&cached_states_); | 356 STLDeleteValues(&cached_states_); |
| 357 } | 357 } |
| 358 | 358 |
| 359 QuicCryptoClientConfig::CachedState::CachedState() | 359 QuicCryptoClientConfig::CachedState::CachedState() |
| 360 : server_config_valid_(false) {} | 360 : server_config_valid_(false), |
| 361 generation_counter_(0) {} | |
| 361 | 362 |
| 362 QuicCryptoClientConfig::CachedState::~CachedState() {} | 363 QuicCryptoClientConfig::CachedState::~CachedState() {} |
| 363 | 364 |
| 364 bool QuicCryptoClientConfig::CachedState::IsComplete(QuicWallTime now) const { | 365 bool QuicCryptoClientConfig::CachedState::IsComplete(QuicWallTime now) const { |
| 365 if (server_config_.empty() || !server_config_valid_) { | 366 if (server_config_.empty() || !server_config_valid_) { |
| 366 return false; | 367 return false; |
| 367 } | 368 } |
| 368 | 369 |
| 369 const CryptoHandshakeMessage* scfg = GetServerConfig(); | 370 const CryptoHandshakeMessage* scfg = GetServerConfig(); |
| 370 if (!scfg) { | 371 if (!scfg) { |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 423 } | 424 } |
| 424 | 425 |
| 425 if (now.ToUNIXSeconds() >= expiry_seconds) { | 426 if (now.ToUNIXSeconds() >= expiry_seconds) { |
| 426 *error_details = "SCFG has expired"; | 427 *error_details = "SCFG has expired"; |
| 427 return QUIC_CRYPTO_SERVER_CONFIG_EXPIRED; | 428 return QUIC_CRYPTO_SERVER_CONFIG_EXPIRED; |
| 428 } | 429 } |
| 429 | 430 |
| 430 if (!matches_existing) { | 431 if (!matches_existing) { |
| 431 server_config_ = server_config.as_string(); | 432 server_config_ = server_config.as_string(); |
| 432 server_config_valid_ = false; | 433 server_config_valid_ = false; |
| 434 ++generation_counter_; | |
| 433 scfg_.reset(new_scfg_storage.release()); | 435 scfg_.reset(new_scfg_storage.release()); |
| 434 } | 436 } |
| 435 return QUIC_NO_ERROR; | 437 return QUIC_NO_ERROR; |
| 436 } | 438 } |
| 437 | 439 |
| 438 void QuicCryptoClientConfig::CachedState::InvalidateServerConfig() { | 440 void QuicCryptoClientConfig::CachedState::InvalidateServerConfig() { |
| 439 server_config_.clear(); | 441 server_config_.clear(); |
| 440 scfg_.reset(); | 442 scfg_.reset(); |
| 441 server_config_valid_ = false; | 443 server_config_valid_ = false; |
| 444 ++generation_counter_; | |
| 442 } | 445 } |
| 443 | 446 |
| 444 void QuicCryptoClientConfig::CachedState::SetProof(const vector<string>& certs, | 447 void QuicCryptoClientConfig::CachedState::SetProof(const vector<string>& certs, |
| 445 StringPiece signature) { | 448 StringPiece signature) { |
| 446 bool has_changed = | 449 bool has_changed = |
| 447 signature != server_config_sig_ || certs_.size() != certs.size(); | 450 signature != server_config_sig_ || certs_.size() != certs.size(); |
| 448 | 451 |
| 449 if (!has_changed) { | 452 if (!has_changed) { |
| 450 for (size_t i = 0; i < certs_.size(); i++) { | 453 for (size_t i = 0; i < certs_.size(); i++) { |
| 451 if (certs_[i] != certs[i]) { | 454 if (certs_[i] != certs[i]) { |
| 452 has_changed = true; | 455 has_changed = true; |
| 453 break; | 456 break; |
| 454 } | 457 } |
| 455 } | 458 } |
| 456 } | 459 } |
| 457 | 460 |
| 458 if (!has_changed) { | 461 if (!has_changed) { |
| 459 return; | 462 return; |
| 460 } | 463 } |
| 461 | 464 |
| 462 // If the proof has changed then it needs to be revalidated. | 465 // If the proof has changed then it needs to be revalidated. |
| 463 server_config_valid_ = false; | 466 server_config_valid_ = false; |
| 467 ++generation_counter_; | |
|
wtc
2013/07/03 00:20:26
It may be a good idea to create a function, say Se
ramant (doing other things)
2013/07/03 05:46:34
Done.
| |
| 464 certs_ = certs; | 468 certs_ = certs; |
| 465 server_config_sig_ = signature.as_string(); | 469 server_config_sig_ = signature.as_string(); |
| 466 } | 470 } |
| 467 | 471 |
| 468 void QuicCryptoClientConfig::CachedState::SetProofValid() { | 472 void QuicCryptoClientConfig::CachedState::SetProofValid() { |
| 469 server_config_valid_ = true; | 473 server_config_valid_ = true; |
| 470 } | 474 } |
| 471 | 475 |
| 472 const string& QuicCryptoClientConfig::CachedState::server_config() const { | 476 const string& QuicCryptoClientConfig::CachedState::server_config() const { |
| 473 return server_config_; | 477 return server_config_; |
| 474 } | 478 } |
| 475 | 479 |
| 476 const string& | 480 const string& |
| 477 QuicCryptoClientConfig::CachedState::source_address_token() const { | 481 QuicCryptoClientConfig::CachedState::source_address_token() const { |
| 478 return source_address_token_; | 482 return source_address_token_; |
| 479 } | 483 } |
| 480 | 484 |
| 481 const vector<string>& QuicCryptoClientConfig::CachedState::certs() const { | 485 const vector<string>& QuicCryptoClientConfig::CachedState::certs() const { |
| 482 return certs_; | 486 return certs_; |
| 483 } | 487 } |
| 484 | 488 |
| 485 const string& QuicCryptoClientConfig::CachedState::signature() const { | 489 const string& QuicCryptoClientConfig::CachedState::signature() const { |
| 486 return server_config_sig_; | 490 return server_config_sig_; |
| 487 } | 491 } |
| 488 | 492 |
| 489 bool QuicCryptoClientConfig::CachedState::proof_valid() const { | 493 bool QuicCryptoClientConfig::CachedState::proof_valid() const { |
| 490 return server_config_valid_; | 494 return server_config_valid_; |
| 491 } | 495 } |
| 492 | 496 |
| 497 uint64 QuicCryptoClientConfig::CachedState::generation_counter() const { | |
| 498 return generation_counter_; | |
| 499 } | |
| 500 | |
| 493 void QuicCryptoClientConfig::CachedState::set_source_address_token( | 501 void QuicCryptoClientConfig::CachedState::set_source_address_token( |
| 494 StringPiece token) { | 502 StringPiece token) { |
| 495 source_address_token_ = token.as_string(); | 503 source_address_token_ = token.as_string(); |
| 496 } | 504 } |
| 497 | 505 |
| 498 void QuicCryptoClientConfig::SetDefaults() { | 506 void QuicCryptoClientConfig::SetDefaults() { |
| 499 // Version must be 0. | 507 // Version must be 0. |
| 500 // TODO(agl): this version stuff is obsolete now. | 508 // TODO(agl): this version stuff is obsolete now. |
| 501 version = QuicCryptoConfig::CONFIG_VERSION; | 509 version = QuicCryptoConfig::CONFIG_VERSION; |
| 502 | 510 |
| (...skipping 326 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 829 hkdf_input.append(out_params->hkdf_input_suffix); | 837 hkdf_input.append(out_params->hkdf_input_suffix); |
| 830 | 838 |
| 831 CryptoUtils::DeriveKeys( | 839 CryptoUtils::DeriveKeys( |
| 832 out_params->forward_secure_premaster_secret, out_params->aead, | 840 out_params->forward_secure_premaster_secret, out_params->aead, |
| 833 out_params->client_nonce, out_params->server_nonce, hkdf_input, | 841 out_params->client_nonce, out_params->server_nonce, hkdf_input, |
| 834 CryptoUtils::CLIENT, &out_params->forward_secure_crypters); | 842 CryptoUtils::CLIENT, &out_params->forward_secure_crypters); |
| 835 | 843 |
| 836 return QUIC_NO_ERROR; | 844 return QUIC_NO_ERROR; |
| 837 } | 845 } |
| 838 | 846 |
| 839 const ProofVerifier* QuicCryptoClientConfig::proof_verifier() const { | 847 ProofVerifier* QuicCryptoClientConfig::proof_verifier() const { |
| 840 return proof_verifier_.get(); | 848 return proof_verifier_.get(); |
| 841 } | 849 } |
| 842 | 850 |
| 843 void QuicCryptoClientConfig::SetProofVerifier(ProofVerifier* verifier) { | 851 void QuicCryptoClientConfig::SetProofVerifier(ProofVerifier* verifier) { |
| 844 proof_verifier_.reset(verifier); | 852 proof_verifier_.reset(verifier); |
| 845 } | 853 } |
| 846 | 854 |
| 847 ChannelIDSigner* QuicCryptoClientConfig::channel_id_signer() const { | 855 ChannelIDSigner* QuicCryptoClientConfig::channel_id_signer() const { |
| 848 return channel_id_signer_.get(); | 856 return channel_id_signer_.get(); |
| 849 } | 857 } |
| 850 | 858 |
| 851 void QuicCryptoClientConfig::SetChannelIDSigner(ChannelIDSigner* signer) { | 859 void QuicCryptoClientConfig::SetChannelIDSigner(ChannelIDSigner* signer) { |
| 852 channel_id_signer_.reset(signer); | 860 channel_id_signer_.reset(signer); |
| 853 } | 861 } |
| 854 | 862 |
| 855 } // namespace net | 863 } // namespace net |
| OLD | NEW |
