Add QUIC 31 in which the server's proof covers both the static server config as well as a hash of t…

net/quic/crypto/quic_crypto_client_config.h

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_QUIC_CRYPTO_QUIC_CRYPTO_CLIENT_CONFIG_H_
 #define NET_QUIC_CRYPTO_QUIC_CRYPTO_CLIENT_CONFIG_H_
 
 #include <stdint.h>
 
 #include <map>
@@ skipping 68 matching lines @@
     ServerConfigState SetServerConfig(base::StringPiece server_config,
                                       QuicWallTime now,
                                       std::string* error_details);
 
     // InvalidateServerConfig clears the cached server config (if any).
     void InvalidateServerConfig();
 
     // SetProof stores a certificate chain and signature.
     void SetProof(const std::vector<std::string>& certs,
                   base::StringPiece cert_sct,
+                  base::StringPiece chlo_hash,
                   base::StringPiece signature);
 
     // Clears all the data.
     void Clear();
 
     // Clears the certificate chain and signature and invalidates the proof.
     void ClearProof();
 
     // SetProofValid records that the certificate chain and signature have been
     // validated and that it's safe to assume that the server is legitimate.
     // (Note: this does not check the chain or signature.)
     void SetProofValid();
 
     // If the server config or the proof has changed then it needs to be
     // revalidated. Helper function to keep server_config_valid_ and
     // generation_counter_ in sync.
     void SetProofInvalid();
 
     const std::string& server_config() const;
     const std::string& source_address_token() const;
     const std::vector<std::string>& certs() const;
     const std::string& cert_sct() const;
+    const std::string& chlo_hash() const;
     const std::string& signature() const;
     bool proof_valid() const;
     uint64_t generation_counter() const;
     const ProofVerifyDetails* proof_verify_details() const;
 
     void set_source_address_token(base::StringPiece token);
 
     void set_cert_sct(base::StringPiece cert_sct);
 
     // Adds the connection ID to the queue of server-designated connection-ids.
@@ skipping 30 matching lines @@
     // |generation_counter_|, |proof_verify_details_|, and |scfg_| remain
     // unchanged.
     void InitializeFrom(const CachedState& other);
 
     // Initializes this cached state based on the arguments provided.
     // Returns false if there is a problem parsing the server config.
     bool Initialize(base::StringPiece server_config,
                     base::StringPiece source_address_token,
                     const std::vector<std::string>& certs,
                     const std::string& cert_sct,
+                    base::StringPiece chlo_hash,
                     base::StringPiece signature,
                     QuicWallTime now);
 
    private:
     std::string server_config_;         // A serialized handshake message.
     std::string source_address_token_;  // An opaque proof of IP ownership.
     std::vector<std::string> certs_;    // A list of certificates in leaf-first
                                         // order.
     std::string cert_sct_;              // Signed timestamp of the leaf cert.
+    std::string chlo_hash_;             // Hash of the CHLO message.
     std::string server_config_sig_;     // A signature of |server_config_|.
     bool server_config_valid_;          // True if |server_config_| is correctly
                                         // signed and |certs_| has been
                                         // validated.
     // Generation counter associated with the |server_config_|, |certs_| and
     // |server_config_sig_| combination. It is incremented whenever we set
     // server_config_valid_ to false.
     uint64_t generation_counter_;
 
     scoped_ptr<ProofVerifyDetails> proof_verify_details_;
@@ skipping 61 matching lines @@
 
   // ProcessRejection processes a REJ message from a server and updates the
   // cached information about that server. After this, |IsComplete| may return
   // true for that server's CachedState. If the rejection message contains state
   // about a future handshake (i.e. an nonce value from the server), then it
   // will be saved in |out_params|. |now| is used to judge whether the server
   // config in the rejection message has expired.
   QuicErrorCode ProcessRejection(const CryptoHandshakeMessage& rej,
                                  QuicWallTime now,
                                  QuicVersion version,
+                                 base::StringPiece chlo_hash,
                                  CachedState* cached,
                                  QuicCryptoNegotiatedParameters* out_params,
                                  std::string* error_details);
 
   // ProcessServerHello processes the message in |server_hello|, updates the
   // cached information about that server, writes the negotiated parameters to
   // |out_params| and returns QUIC_NO_ERROR. If |server_hello| is unacceptable
   // then it puts an error message in |error_details| and returns an error
   // code. |version| is the QUIC version for the current connection.
   // |negotiated_versions| contains the list of version, if any, that were
@@ skipping 10 matching lines @@
 
   // Processes the message in |server_update|, updating the cached source
   // address token, and server config.
   // If |server_update| is invalid then |error_details| will contain an error
   // message, and an error code will be returned. If all has gone well
   // QUIC_NO_ERROR is returned.
   QuicErrorCode ProcessServerConfigUpdate(
       const CryptoHandshakeMessage& server_update,
       QuicWallTime now,
       const QuicVersion version,
+      base::StringPiece chlo_hash,
       CachedState* cached,
       QuicCryptoNegotiatedParameters* out_params,
       std::string* error_details);
 
   ProofVerifier* proof_verifier() const;
 
   ChannelIDSource* channel_id_source() const;
 
   // SetChannelIDSource sets a ChannelIDSource that will be called, when the
   // server supports channel IDs, to obtain a channel ID for signing a message
@@ skipping 36 matching lines @@
   void SetDefaults();
 
   // CacheNewServerConfig checks for SCFG, STK, PROF, and CRT tags in |message|,
   // verifies them, and stores them in the cached state if they validate.
   // This is used on receipt of a REJ from a server, or when a server sends
   // updated server config during a connection.
   QuicErrorCode CacheNewServerConfig(
       const CryptoHandshakeMessage& message,
       QuicWallTime now,
       const QuicVersion version,
+      base::StringPiece chlo_hash,
       const std::vector<std::string>& cached_certs,
       CachedState* cached,
       std::string* error_details);
 
   // If the suffix of the hostname in |server_id| is in |canonical_suffixes_|,
   // then populate |cached| with the canonical cached state from
   // |canonical_server_map_| for that suffix. Returns true if |cached| is
   // initialized with canonical cached state.
   bool PopulateFromCanonicalConfig(const QuicServerId& server_id,
                                    CachedState* cached);
@@ skipping 20 matching lines @@
 
   // The |user_agent_id_| passed in QUIC's CHLO message.
   std::string user_agent_id_;
 
   DISALLOW_COPY_AND_ASSIGN(QuicCryptoClientConfig);
 };
 
 }  // namespace net
 
 #endif  // NET_QUIC_CRYPTO_QUIC_CRYPTO_CLIENT_CONFIG_H_