| Index: net/quic/crypto/quic_crypto_server_config.cc
|
| diff --git a/net/quic/crypto/quic_crypto_server_config.cc b/net/quic/crypto/quic_crypto_server_config.cc
|
| index cd14bc1e173de36930fe16cb620e7d08164209b5..cd44c7e1e509b25585181c0c34ebc4c8c78b1459 100644
|
| --- a/net/quic/crypto/quic_crypto_server_config.cc
|
| +++ b/net/quic/crypto/quic_crypto_server_config.cc
|
| @@ -607,11 +607,13 @@ QuicErrorCode QuicCryptoServerConfig::ProcessClientHello(
|
| bool x509_ecdsa_supported = false;
|
| ParseProofDemand(client_hello, &x509_supported, &x509_ecdsa_supported);
|
| DCHECK(proof_source_.get());
|
| + string chlo_hash;
|
| + CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
|
| if (!crypto_proof->chain &&
|
| - !proof_source_->GetProof(server_ip, info.sni.as_string(),
|
| - primary_config->serialized, x509_ecdsa_supported,
|
| - &crypto_proof->chain, &crypto_proof->signature,
|
| - &crypto_proof->cert_sct)) {
|
| + !proof_source_->GetProof(
|
| + server_ip, info.sni.as_string(), primary_config->serialized, version,
|
| + chlo_hash, x509_ecdsa_supported, &crypto_proof->chain,
|
| + &crypto_proof->signature, &crypto_proof->cert_sct)) {
|
| return QUIC_HANDSHAKE_FAILED;
|
| }
|
|
|
| @@ -1061,10 +1063,12 @@ void QuicCryptoServerConfig::EvaluateClientHello(
|
| bool x509_ecdsa_supported = false;
|
| ParseProofDemand(client_hello, &x509_supported, &x509_ecdsa_supported);
|
| string serialized_config = primary_config->serialized;
|
| - if (!proof_source_->GetProof(server_ip, info->sni.as_string(),
|
| - serialized_config, x509_ecdsa_supported,
|
| - &crypto_proof->chain, &crypto_proof->signature,
|
| - &crypto_proof->cert_sct)) {
|
| + string chlo_hash;
|
| + CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
|
| + if (!proof_source_->GetProof(
|
| + server_ip, info->sni.as_string(), serialized_config, version,
|
| + chlo_hash, x509_ecdsa_supported, &crypto_proof->chain,
|
| + &crypto_proof->signature, &crypto_proof->cert_sct)) {
|
| found_error = true;
|
| info->reject_reasons.push_back(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE);
|
| }
|
| @@ -1090,8 +1094,8 @@ void QuicCryptoServerConfig::EvaluateClientHello(
|
| // Server nonce is optional, and used for key derivation if present.
|
| client_hello.GetStringPiece(kServerNonceTag, &info->server_nonce);
|
|
|
| - if (version > QUIC_VERSION_30) {
|
| - DVLOG(1) << "No 0-RTT replay protection in QUIC_VERSION_31 and higher.";
|
| + if (version > QUIC_VERSION_31) {
|
| + DVLOG(1) << "No 0-RTT replay protection in QUIC_VERSION_32 and higher.";
|
| // If the server nonce is empty and we're requiring handshake confirmation
|
| // for DoS reasons then we must reject the CHLO.
|
| if (FLAGS_quic_require_handshake_confirmation &&
|
| @@ -1192,9 +1196,10 @@ bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage(
|
| scoped_refptr<ProofSource::Chain> chain;
|
| string signature;
|
| string cert_sct;
|
| - if (!proof_source_->GetProof(
|
| - server_ip, params.sni, primary_config_->serialized,
|
| - params.x509_ecdsa_supported, &chain, &signature, &cert_sct)) {
|
| + if (!proof_source_->GetProof(server_ip, params.sni,
|
| + primary_config_->serialized, version,
|
| + params.client_nonce, params.x509_ecdsa_supported,
|
| + &chain, &signature, &cert_sct)) {
|
| DVLOG(1) << "Server: failed to get proof.";
|
| return false;
|
| }
|
|
|
Chromium Code Reviews
Issue 1765603002:
Add QUIC 31 in which the server's proof covers both the static server config as well as a hash of t… (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master