| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/quic_crypto_server_config.h" | 5 #include "net/quic/crypto/quic_crypto_server_config.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 | 10 |
| (...skipping 589 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 600 *error_details = validate_chlo_result.error_details; | 600 *error_details = validate_chlo_result.error_details; |
| 601 return validate_chlo_result.error_code; | 601 return validate_chlo_result.error_code; |
| 602 } | 602 } |
| 603 | 603 |
| 604 out->Clear(); | 604 out->Clear(); |
| 605 | 605 |
| 606 bool x509_supported = false; | 606 bool x509_supported = false; |
| 607 bool x509_ecdsa_supported = false; | 607 bool x509_ecdsa_supported = false; |
| 608 ParseProofDemand(client_hello, &x509_supported, &x509_ecdsa_supported); | 608 ParseProofDemand(client_hello, &x509_supported, &x509_ecdsa_supported); |
| 609 DCHECK(proof_source_.get()); | 609 DCHECK(proof_source_.get()); |
| 610 string chlo_hash; |
| 611 CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash); |
| 610 if (!crypto_proof->chain && | 612 if (!crypto_proof->chain && |
| 611 !proof_source_->GetProof(server_ip, info.sni.as_string(), | 613 !proof_source_->GetProof( |
| 612 primary_config->serialized, x509_ecdsa_supported, | 614 server_ip, info.sni.as_string(), primary_config->serialized, version, |
| 613 &crypto_proof->chain, &crypto_proof->signature, | 615 chlo_hash, x509_ecdsa_supported, &crypto_proof->chain, |
| 614 &crypto_proof->cert_sct)) { | 616 &crypto_proof->signature, &crypto_proof->cert_sct)) { |
| 615 return QUIC_HANDSHAKE_FAILED; | 617 return QUIC_HANDSHAKE_FAILED; |
| 616 } | 618 } |
| 617 | 619 |
| 618 if (version > QUIC_VERSION_29) { | 620 if (version > QUIC_VERSION_29) { |
| 619 StringPiece cert_sct; | 621 StringPiece cert_sct; |
| 620 if (client_hello.GetStringPiece(kCertificateSCTTag, &cert_sct) && | 622 if (client_hello.GetStringPiece(kCertificateSCTTag, &cert_sct) && |
| 621 cert_sct.empty()) { | 623 cert_sct.empty()) { |
| 622 params->sct_supported_by_client = true; | 624 params->sct_supported_by_client = true; |
| 623 } | 625 } |
| 624 } | 626 } |
| (...skipping 429 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1054 return; | 1056 return; |
| 1055 } | 1057 } |
| 1056 found_error = true; | 1058 found_error = true; |
| 1057 } | 1059 } |
| 1058 | 1060 |
| 1059 if (version > QUIC_VERSION_25) { | 1061 if (version > QUIC_VERSION_25) { |
| 1060 bool x509_supported = false; | 1062 bool x509_supported = false; |
| 1061 bool x509_ecdsa_supported = false; | 1063 bool x509_ecdsa_supported = false; |
| 1062 ParseProofDemand(client_hello, &x509_supported, &x509_ecdsa_supported); | 1064 ParseProofDemand(client_hello, &x509_supported, &x509_ecdsa_supported); |
| 1063 string serialized_config = primary_config->serialized; | 1065 string serialized_config = primary_config->serialized; |
| 1064 if (!proof_source_->GetProof(server_ip, info->sni.as_string(), | 1066 string chlo_hash; |
| 1065 serialized_config, x509_ecdsa_supported, | 1067 CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash); |
| 1066 &crypto_proof->chain, &crypto_proof->signature, | 1068 if (!proof_source_->GetProof( |
| 1067 &crypto_proof->cert_sct)) { | 1069 server_ip, info->sni.as_string(), serialized_config, version, |
| 1070 chlo_hash, x509_ecdsa_supported, &crypto_proof->chain, |
| 1071 &crypto_proof->signature, &crypto_proof->cert_sct)) { |
| 1068 found_error = true; | 1072 found_error = true; |
| 1069 info->reject_reasons.push_back(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE); | 1073 info->reject_reasons.push_back(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE); |
| 1070 } | 1074 } |
| 1071 | 1075 |
| 1072 if (!ValidateExpectedLeafCertificate(client_hello, *crypto_proof)) { | 1076 if (!ValidateExpectedLeafCertificate(client_hello, *crypto_proof)) { |
| 1073 found_error = true; | 1077 found_error = true; |
| 1074 info->reject_reasons.push_back(INVALID_EXPECTED_LEAF_CERTIFICATE); | 1078 info->reject_reasons.push_back(INVALID_EXPECTED_LEAF_CERTIFICATE); |
| 1075 } | 1079 } |
| 1076 } | 1080 } |
| 1077 | 1081 |
| 1078 if (!client_hello.GetStringPiece(kNONC, &info->client_nonce) || | 1082 if (!client_hello.GetStringPiece(kNONC, &info->client_nonce) || |
| 1079 info->client_nonce.size() != kNonceSize) { | 1083 info->client_nonce.size() != kNonceSize) { |
| 1080 info->reject_reasons.push_back(CLIENT_NONCE_INVALID_FAILURE); | 1084 info->reject_reasons.push_back(CLIENT_NONCE_INVALID_FAILURE); |
| 1081 // Invalid client nonce. | 1085 // Invalid client nonce. |
| 1082 DVLOG(1) << "Invalid client nonce."; | 1086 DVLOG(1) << "Invalid client nonce."; |
| 1083 if (FLAGS_use_early_return_when_verifying_chlo) { | 1087 if (FLAGS_use_early_return_when_verifying_chlo) { |
| 1084 helper.ValidationComplete(QUIC_NO_ERROR, ""); | 1088 helper.ValidationComplete(QUIC_NO_ERROR, ""); |
| 1085 return; | 1089 return; |
| 1086 } | 1090 } |
| 1087 found_error = true; | 1091 found_error = true; |
| 1088 } | 1092 } |
| 1089 | 1093 |
| 1090 // Server nonce is optional, and used for key derivation if present. | 1094 // Server nonce is optional, and used for key derivation if present. |
| 1091 client_hello.GetStringPiece(kServerNonceTag, &info->server_nonce); | 1095 client_hello.GetStringPiece(kServerNonceTag, &info->server_nonce); |
| 1092 | 1096 |
| 1093 if (version > QUIC_VERSION_30) { | 1097 if (version > QUIC_VERSION_31) { |
| 1094 DVLOG(1) << "No 0-RTT replay protection in QUIC_VERSION_31 and higher."; | 1098 DVLOG(1) << "No 0-RTT replay protection in QUIC_VERSION_32 and higher."; |
| 1095 // If the server nonce is empty and we're requiring handshake confirmation | 1099 // If the server nonce is empty and we're requiring handshake confirmation |
| 1096 // for DoS reasons then we must reject the CHLO. | 1100 // for DoS reasons then we must reject the CHLO. |
| 1097 if (FLAGS_quic_require_handshake_confirmation && | 1101 if (FLAGS_quic_require_handshake_confirmation && |
| 1098 info->server_nonce.empty()) { | 1102 info->server_nonce.empty()) { |
| 1099 info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE); | 1103 info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE); |
| 1100 } | 1104 } |
| 1101 helper.ValidationComplete(QUIC_NO_ERROR, ""); | 1105 helper.ValidationComplete(QUIC_NO_ERROR, ""); |
| 1102 return; | 1106 return; |
| 1103 } | 1107 } |
| 1104 | 1108 |
| (...skipping 80 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1185 out->SetStringPiece(kSCFG, primary_config_->serialized); | 1189 out->SetStringPiece(kSCFG, primary_config_->serialized); |
| 1186 out->SetStringPiece( | 1190 out->SetStringPiece( |
| 1187 kSourceAddressTokenTag, | 1191 kSourceAddressTokenTag, |
| 1188 NewSourceAddressToken(*primary_config_.get(), | 1192 NewSourceAddressToken(*primary_config_.get(), |
| 1189 previous_source_address_tokens, client_ip, rand, | 1193 previous_source_address_tokens, client_ip, rand, |
| 1190 clock->WallNow(), cached_network_params)); | 1194 clock->WallNow(), cached_network_params)); |
| 1191 | 1195 |
| 1192 scoped_refptr<ProofSource::Chain> chain; | 1196 scoped_refptr<ProofSource::Chain> chain; |
| 1193 string signature; | 1197 string signature; |
| 1194 string cert_sct; | 1198 string cert_sct; |
| 1195 if (!proof_source_->GetProof( | 1199 if (!proof_source_->GetProof(server_ip, params.sni, |
| 1196 server_ip, params.sni, primary_config_->serialized, | 1200 primary_config_->serialized, version, |
| 1197 params.x509_ecdsa_supported, &chain, &signature, &cert_sct)) { | 1201 params.client_nonce, params.x509_ecdsa_supported, |
| 1202 &chain, &signature, &cert_sct)) { |
| 1198 DVLOG(1) << "Server: failed to get proof."; | 1203 DVLOG(1) << "Server: failed to get proof."; |
| 1199 return false; | 1204 return false; |
| 1200 } | 1205 } |
| 1201 | 1206 |
| 1202 const string compressed = CertCompressor::CompressChain( | 1207 const string compressed = CertCompressor::CompressChain( |
| 1203 chain->certs, params.client_common_set_hashes, | 1208 chain->certs, params.client_common_set_hashes, |
| 1204 params.client_cached_cert_hashes, primary_config_->common_cert_sets); | 1209 params.client_cached_cert_hashes, primary_config_->common_cert_sets); |
| 1205 | 1210 |
| 1206 out->SetStringPiece(kCertificateTag, compressed); | 1211 out->SetStringPiece(kCertificateTag, compressed); |
| 1207 out->SetStringPiece(kPROF, signature); | 1212 out->SetStringPiece(kPROF, signature); |
| (...skipping 598 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1806 priority(0), | 1811 priority(0), |
| 1807 source_address_token_boxer(nullptr) {} | 1812 source_address_token_boxer(nullptr) {} |
| 1808 | 1813 |
| 1809 QuicCryptoServerConfig::Config::~Config() { | 1814 QuicCryptoServerConfig::Config::~Config() { |
| 1810 STLDeleteElements(&key_exchanges); | 1815 STLDeleteElements(&key_exchanges); |
| 1811 } | 1816 } |
| 1812 | 1817 |
| 1813 QuicCryptoProof::QuicCryptoProof() {} | 1818 QuicCryptoProof::QuicCryptoProof() {} |
| 1814 QuicCryptoProof::~QuicCryptoProof() {} | 1819 QuicCryptoProof::~QuicCryptoProof() {} |
| 1815 } // namespace net | 1820 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1753933002:
Add QUIC 31 in which the server's proof covers both the static server config as well as a hash of t… (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@115244730