| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/quic_crypto_server_config.h" | 5 #include "net/quic/crypto/quic_crypto_server_config.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 #include <algorithm> | 8 #include <algorithm> |
| 9 | 9 |
| 10 #include "base/stl_util.h" | 10 #include "base/stl_util.h" |
| (...skipping 224 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 235 p256_public_value.size()); | 235 p256_public_value.size()); |
| 236 } | 236 } |
| 237 | 237 |
| 238 msg.set_tag(kSCFG); | 238 msg.set_tag(kSCFG); |
| 239 if (options.p256) { | 239 if (options.p256) { |
| 240 msg.SetTaglist(kKEXS, kC255, kP256, 0); | 240 msg.SetTaglist(kKEXS, kC255, kP256, 0); |
| 241 } else { | 241 } else { |
| 242 msg.SetTaglist(kKEXS, kC255, 0); | 242 msg.SetTaglist(kKEXS, kC255, 0); |
| 243 } | 243 } |
| 244 msg.SetTaglist(kAEAD, kAESG, 0); | 244 msg.SetTaglist(kAEAD, kAESG, 0); |
| 245 // TODO(rch): Remove once we remove QUIC_VERSION_12. | |
| 246 msg.SetValue(kVERS, static_cast<uint16>(0)); | |
| 247 msg.SetStringPiece(kPUBS, encoded_public_values); | 245 msg.SetStringPiece(kPUBS, encoded_public_values); |
| 248 | 246 |
| 249 if (options.expiry_time.IsZero()) { | 247 if (options.expiry_time.IsZero()) { |
| 250 const QuicWallTime now = clock->WallNow(); | 248 const QuicWallTime now = clock->WallNow(); |
| 251 const QuicWallTime expiry = now.Add(QuicTime::Delta::FromSeconds( | 249 const QuicWallTime expiry = now.Add(QuicTime::Delta::FromSeconds( |
| 252 60 * 60 * 24 * 180 /* 180 days, ~six months */)); | 250 60 * 60 * 24 * 180 /* 180 days, ~six months */)); |
| 253 const uint64 expiry_seconds = expiry.ToUNIXSeconds(); | 251 const uint64 expiry_seconds = expiry.ToUNIXSeconds(); |
| 254 msg.SetValue(kEXPY, expiry_seconds); | 252 msg.SetValue(kEXPY, expiry_seconds); |
| 255 } else { | 253 } else { |
| 256 msg.SetValue(kEXPY, options.expiry_time.ToUNIXSeconds()); | 254 msg.SetValue(kEXPY, options.expiry_time.ToUNIXSeconds()); |
| (...skipping 220 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 477 | 475 |
| 478 const CryptoHandshakeMessage& client_hello = | 476 const CryptoHandshakeMessage& client_hello = |
| 479 validate_chlo_result.client_hello; | 477 validate_chlo_result.client_hello; |
| 480 const ClientHelloInfo& info = validate_chlo_result.info; | 478 const ClientHelloInfo& info = validate_chlo_result.info; |
| 481 | 479 |
| 482 // If the client's preferred version is not the version we are currently | 480 // If the client's preferred version is not the version we are currently |
| 483 // speaking, then the client went through a version negotiation. In this | 481 // speaking, then the client went through a version negotiation. In this |
| 484 // case, we need to make sure that we actually do not support this version | 482 // case, we need to make sure that we actually do not support this version |
| 485 // and that it wasn't a downgrade attack. | 483 // and that it wasn't a downgrade attack. |
| 486 QuicTag client_version_tag; | 484 QuicTag client_version_tag; |
| 487 // TODO(rch): Make this check mandatory when we remove QUIC_VERSION_12. | 485 // TODO(rch): Make this check mandatory. |
| 488 if (client_hello.GetUint32(kVER, &client_version_tag) == QUIC_NO_ERROR) { | 486 if (client_hello.GetUint32(kVER, &client_version_tag) == QUIC_NO_ERROR) { |
| 489 QuicVersion client_version = QuicTagToQuicVersion(client_version_tag); | 487 QuicVersion client_version = QuicTagToQuicVersion(client_version_tag); |
| 490 if (client_version != version) { | 488 if (client_version != version) { |
| 491 // Just because client_version is a valid version enum doesn't mean that | 489 // Just because client_version is a valid version enum doesn't mean that |
| 492 // this server actually supports that version, so we check to see if | 490 // this server actually supports that version, so we check to see if |
| 493 // it's actually in the supported versions list. | 491 // it's actually in the supported versions list. |
| 494 for (size_t i = 0; i < supported_versions.size(); ++i) { | 492 for (size_t i = 0; i < supported_versions.size(); ++i) { |
| 495 if (client_version == supported_versions[i]) { | 493 if (client_version == supported_versions[i]) { |
| 496 *error_details = "Downgrade attack detected"; | 494 *error_details = "Downgrade attack detected"; |
| 497 return QUIC_VERSION_NEGOTIATION_MISMATCH; | 495 return QUIC_VERSION_NEGOTIATION_MISMATCH; |
| (...skipping 325 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 823 void QuicCryptoServerConfig::EvaluateClientHello( | 821 void QuicCryptoServerConfig::EvaluateClientHello( |
| 824 const uint8* primary_orbit, | 822 const uint8* primary_orbit, |
| 825 ValidateClientHelloResultCallback::Result* client_hello_state, | 823 ValidateClientHelloResultCallback::Result* client_hello_state, |
| 826 ValidateClientHelloResultCallback* done_cb) const { | 824 ValidateClientHelloResultCallback* done_cb) const { |
| 827 ValidateClientHelloHelper helper(client_hello_state, done_cb); | 825 ValidateClientHelloHelper helper(client_hello_state, done_cb); |
| 828 | 826 |
| 829 const CryptoHandshakeMessage& client_hello = | 827 const CryptoHandshakeMessage& client_hello = |
| 830 client_hello_state->client_hello; | 828 client_hello_state->client_hello; |
| 831 ClientHelloInfo* info = &(client_hello_state->info); | 829 ClientHelloInfo* info = &(client_hello_state->info); |
| 832 | 830 |
| 833 if (client_hello.size() < kClientHelloMinimumSizeOld) { | 831 if (client_hello.size() < kClientHelloMinimumSize) { |
| 834 helper.ValidationComplete(QUIC_CRYPTO_INVALID_VALUE_LENGTH, | 832 helper.ValidationComplete(QUIC_CRYPTO_INVALID_VALUE_LENGTH, |
| 835 "Client hello too small"); | 833 "Client hello too small"); |
| 836 return; | 834 return; |
| 837 } | 835 } |
| 838 | 836 |
| 839 if (client_hello.GetStringPiece(kSNI, &info->sni) && | 837 if (client_hello.GetStringPiece(kSNI, &info->sni) && |
| 840 !CryptoUtils::IsValidSNI(info->sni)) { | 838 !CryptoUtils::IsValidSNI(info->sni)) { |
| 841 helper.ValidationComplete(QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER, | 839 helper.ValidationComplete(QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER, |
| 842 "Invalid SNI name"); | 840 "Invalid SNI name"); |
| 843 return; | 841 return; |
| (...skipping 128 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 972 const size_t kREJOverheadBytes = 166; | 970 const size_t kREJOverheadBytes = 166; |
| 973 // kMultiplier is the multiple of the CHLO message size that a REJ message | 971 // kMultiplier is the multiple of the CHLO message size that a REJ message |
| 974 // must stay under when the client doesn't present a valid source-address | 972 // must stay under when the client doesn't present a valid source-address |
| 975 // token. | 973 // token. |
| 976 const size_t kMultiplier = 2; | 974 const size_t kMultiplier = 2; |
| 977 // max_unverified_size is the number of bytes that the certificate chain | 975 // max_unverified_size is the number of bytes that the certificate chain |
| 978 // and signature can consume before we will demand a valid source-address | 976 // and signature can consume before we will demand a valid source-address |
| 979 // token. | 977 // token. |
| 980 const size_t max_unverified_size = | 978 const size_t max_unverified_size = |
| 981 client_hello.size() * kMultiplier - kREJOverheadBytes; | 979 client_hello.size() * kMultiplier - kREJOverheadBytes; |
| 982 COMPILE_ASSERT(kClientHelloMinimumSizeOld * kMultiplier >= kREJOverheadBytes, | 980 COMPILE_ASSERT(kClientHelloMinimumSize * kMultiplier >= kREJOverheadBytes, |
| 983 overhead_calculation_may_underflow); | 981 overhead_calculation_may_underflow); |
| 984 if (info.valid_source_address_token || | 982 if (info.valid_source_address_token || |
| 985 signature.size() + compressed.size() < max_unverified_size) { | 983 signature.size() + compressed.size() < max_unverified_size) { |
| 986 out->SetStringPiece(kCertificateTag, compressed); | 984 out->SetStringPiece(kCertificateTag, compressed); |
| 987 out->SetStringPiece(kPROF, signature); | 985 out->SetStringPiece(kPROF, signature); |
| 988 } | 986 } |
| 989 } | 987 } |
| 990 | 988 |
| 991 scoped_refptr<QuicCryptoServerConfig::Config> | 989 scoped_refptr<QuicCryptoServerConfig::Config> |
| 992 QuicCryptoServerConfig::ParseConfigProtobuf( | 990 QuicCryptoServerConfig::ParseConfigProtobuf( |
| (...skipping 332 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1325 | 1323 |
| 1326 QuicCryptoServerConfig::Config::Config() | 1324 QuicCryptoServerConfig::Config::Config() |
| 1327 : channel_id_enabled(false), | 1325 : channel_id_enabled(false), |
| 1328 is_primary(false), | 1326 is_primary(false), |
| 1329 primary_time(QuicWallTime::Zero()), | 1327 primary_time(QuicWallTime::Zero()), |
| 1330 priority(0) {} | 1328 priority(0) {} |
| 1331 | 1329 |
| 1332 QuicCryptoServerConfig::Config::~Config() { STLDeleteElements(&key_exchanges); } | 1330 QuicCryptoServerConfig::Config::~Config() { STLDeleteElements(&key_exchanges); } |
| 1333 | 1331 |
| 1334 } // namespace net | 1332 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 185203003:
Killing off QUICv12, including cleaning out all of the code for handling (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src