| Index: net/quic/crypto/quic_crypto_client_config.cc
|
| diff --git a/net/quic/crypto/quic_crypto_client_config.cc b/net/quic/crypto/quic_crypto_client_config.cc
|
| index bb71fcc5803a1d1eaaa966096032595eebbe191d..0467ff55f0a3f08bde6abcd08e2f343baf755ed6 100644
|
| --- a/net/quic/crypto/quic_crypto_client_config.cc
|
| +++ b/net/quic/crypto/quic_crypto_client_config.cc
|
| @@ -191,9 +191,10 @@ void QuicCryptoClientConfig::CachedState::InvalidateServerConfig() {
|
|
|
| void QuicCryptoClientConfig::CachedState::SetProof(const vector<string>& certs,
|
| StringPiece cert_sct,
|
| + StringPiece chlo_hash,
|
| StringPiece signature) {
|
| - bool has_changed =
|
| - signature != server_config_sig_ || certs_.size() != certs.size();
|
| + bool has_changed = signature != server_config_sig_ ||
|
| + chlo_hash != chlo_hash_ || certs_.size() != certs.size();
|
|
|
| if (!has_changed) {
|
| for (size_t i = 0; i < certs_.size(); i++) {
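Review bot: The new `chlo_hash != chlo_hash_` term in `has_changed` has no comment explaining why a proof with identical certs and signature must still be invalidated when only the CHLO hash differs. If the intent is that the server's signature is bound to the client hello it answers (inferred from the name; the verifier is not in this diff), say so above the expression, e.g. `// The proof is bound to the CHLO it answers; a different hash means it must be re-verified.` SetProof's body continues past the end of this hunk.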
|
| @@ -212,6 +213,7 @@ void QuicCryptoClientConfig::CachedState::SetProof(const vector<string>& certs,
|
| SetProofInvalid();
|
| certs_ = certs;
|
| cert_sct_ = cert_sct.as_string();
|
| + chlo_hash_ = chlo_hash.as_string();
|
| server_config_sig_ = signature.as_string();
|
| }
|
|
|
| @@ -220,6 +222,7 @@ void QuicCryptoClientConfig::CachedState::Clear() {
|
| source_address_token_.clear();
|
| certs_.clear();
|
| cert_sct_.clear();
|
| + chlo_hash_.clear();
|
| server_config_sig_.clear();
|
| server_config_valid_ = false;
|
| proof_verify_details_.reset();
|
| @@ -233,6 +236,7 @@ void QuicCryptoClientConfig::CachedState::ClearProof() {
|
| SetProofInvalid();
|
| certs_.clear();
|
| cert_sct_.clear();
|
| + chlo_hash_.clear();
|
| server_config_sig_.clear();
|
| }
|
|
|
| @@ -250,6 +254,7 @@ bool QuicCryptoClientConfig::CachedState::Initialize(
|
| StringPiece source_address_token,
|
| const vector<string>& certs,
|
| const string& cert_sct,
|
| + StringPiece chlo_hash,
|
| StringPiece signature,
|
| QuicWallTime now) {
|
| DCHECK(server_config_.empty());
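Review bot: `chlo_hash` and `signature` are now adjacent `StringPiece` parameters in Initialize, and SetProof in the first hunk takes three in a row (`cert_sct`, `chlo_hash`, `signature`), so a call site that transposes them compiles without a diagnostic. Both values end up in the cached proof state, so a swap would presumably surface only when the proof is next compared or verified. A unit test that calls Initialize and SetProof with distinct values and asserts on the `chlo_hash()` and `signature()` accessors would pin the order. Most of Initialize's body lies outside this hunk.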
|
| @@ -267,6 +272,7 @@ bool QuicCryptoClientConfig::CachedState::Initialize(
|
| return false;
|
| }
|
|
|
| + chlo_hash.CopyToString(&chlo_hash_);
|
| signature.CopyToString(&server_config_sig_);
|
| source_address_token.CopyToString(&source_address_token_);
|
| certs_ = certs;
|
| @@ -291,6 +297,10 @@ const string& QuicCryptoClientConfig::CachedState::cert_sct() const {
|
| return cert_sct_;
|
| }
|
|
|
| +const string& QuicCryptoClientConfig::CachedState::chlo_hash() const {
|
| + return chlo_hash_;
|
| +}
|
| +
|
| const string& QuicCryptoClientConfig::CachedState::signature() const {
|
| return server_config_sig_;
|
| }
|
| @@ -330,6 +340,7 @@ void QuicCryptoClientConfig::CachedState::InitializeFrom(
|
| source_address_token_ = other.source_address_token_;
|
| certs_ = other.certs_;
|
| cert_sct_ = other.cert_sct_;
|
| + chlo_hash_ = other.chlo_hash_;
|
| server_config_sig_ = other.server_config_sig_;
|
| server_config_valid_ = other.server_config_valid_;
|
| server_designated_connection_ids_ = other.server_designated_connection_ids_;
|
| @@ -709,7 +720,8 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
|
| QuicErrorCode QuicCryptoClientConfig::CacheNewServerConfig(
|
| const CryptoHandshakeMessage& message,
|
| QuicWallTime now,
|
| - const QuicVersion version,
|
| + QuicVersion version,
|
| + StringPiece chlo_hash,
|
| const vector<string>& cached_certs,
|
| CachedState* cached,
|
| string* error_details) {
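Review bot: CacheNewServerConfig drops the top-level `const` from `version` here, while ProcessRejection and ProcessServerConfigUpdate later in this diff keep `const QuicVersion version` right next to the same new `chlo_hash` parameter. The three definitions should use one form; for a by-value parameter, plain `QuicVersion version` is enough in all of them.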
|
| @@ -751,7 +763,7 @@ QuicErrorCode QuicCryptoClientConfig::CacheNewServerConfig(
|
| if (version > QUIC_VERSION_29) {
|
| message.GetStringPiece(kCertificateSCTTag, &cert_sct);
|
| }
|
| - cached->SetProof(certs, cert_sct, proof);
|
| + cached->SetProof(certs, cert_sct, chlo_hash, proof);
|
| } else {
|
| // Secure QUIC: clear existing proof as we have been sent a new SCFG
|
| // without matching proof/certs.
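Review bot: `chlo_hash` is forwarded to SetProof for every `version`, whereas `cert_sct` just above is read only when `version > QUIC_VERSION_29`. Since SetProof now treats a differing `chlo_hash` as a changed proof, a caller that passes a per-connection hash on a version whose proof does not cover the CHLO would invalidate an otherwise unchanged proof on each rejection. The diff does not show which versions sign over the CHLO hash or what callers pass for the others. If an empty hash is the contract there, state it at this call, e.g. `// chlo_hash is empty for versions whose proof does not cover the CHLO.` The enclosing function starts and ends outside this hunk.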
|
| @@ -775,6 +787,7 @@ QuicErrorCode QuicCryptoClientConfig::ProcessRejection(
|
| const CryptoHandshakeMessage& rej,
|
| QuicWallTime now,
|
| const QuicVersion version,
|
| + StringPiece chlo_hash,
|
| CachedState* cached,
|
| QuicCryptoNegotiatedParameters* out_params,
|
| string* error_details) {
|
| @@ -785,8 +798,9 @@ QuicErrorCode QuicCryptoClientConfig::ProcessRejection(
|
| return QUIC_CRYPTO_INTERNAL_ERROR;
|
| }
|
|
|
| - QuicErrorCode error = CacheNewServerConfig(
|
| - rej, now, version, out_params->cached_certs, cached, error_details);
|
| + QuicErrorCode error =
|
| + CacheNewServerConfig(rej, now, version, chlo_hash,
|
| + out_params->cached_certs, cached, error_details);
|
| if (error != QUIC_NO_ERROR) {
|
| return error;
|
| }
|
| @@ -879,6 +893,7 @@ QuicErrorCode QuicCryptoClientConfig::ProcessServerConfigUpdate(
|
| const CryptoHandshakeMessage& server_config_update,
|
| QuicWallTime now,
|
| const QuicVersion version,
|
| + StringPiece chlo_hash,
|
| CachedState* cached,
|
| QuicCryptoNegotiatedParameters* out_params,
|
| string* error_details) {
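Review bot: ProcessServerConfigUpdate gains `chlo_hash` without a comment saying which client hello the hash must come from. A server config update is handled separately from a rejection, so the caller has to know whether to supply the hash of the connection's most recent CHLO or something else. The header may document this, but it is not visible here. A one-line comment on the parameter, such as `// Hash of the CHLO that the update's proof is expected to cover.`, would make the contract explicit.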
|
| @@ -888,7 +903,7 @@ QuicErrorCode QuicCryptoClientConfig::ProcessServerConfigUpdate(
|
| *error_details = "ServerConfigUpdate must have kSCUP tag.";
|
| return QUIC_INVALID_CRYPTO_MESSAGE_TYPE;
|
| }
|
| - return CacheNewServerConfig(server_config_update, now, version,
|
| + return CacheNewServerConfig(server_config_update, now, version, chlo_hash,
|
| out_params->cached_certs, cached, error_details);
|
| }
|
|
|
|
|