Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(238)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/quic/crypto/quic_crypto_server_config.cc

Issue 2126053003: Require support for X509 certificates in QUIC CHLO PDMDs. Protected by --quic_require_x509 (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@126432842
Patch Set: Created 4 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/quic/crypto/crypto_server_test.cc ('k') | net/quic/quic_flags.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/quic/crypto/quic_crypto_server_config.h" 5 #include "net/quic/crypto/quic_crypto_server_config.h"
6 6
7 #include <stdlib.h> 7 #include <stdlib.h>
8 8
9 #include <algorithm> 9 #include <algorithm>
10 #include <memory> 10 #include <memory>
(...skipping 586 matching lines...) Expand 10 before | Expand all | Expand 10 after
597 if (validate_chlo_result.error_code != QUIC_NO_ERROR) { 597 if (validate_chlo_result.error_code != QUIC_NO_ERROR) {
598 *error_details = validate_chlo_result.error_details; 598 *error_details = validate_chlo_result.error_details;
599 return validate_chlo_result.error_code; 599 return validate_chlo_result.error_code;
600 } 600 }
601 601
602 out->Clear(); 602 out->Clear();
603 603
604 bool x509_supported = false; 604 bool x509_supported = false;
605 bool x509_ecdsa_supported = false; 605 bool x509_ecdsa_supported = false;
606 ParseProofDemand(client_hello, &x509_supported, &x509_ecdsa_supported); 606 ParseProofDemand(client_hello, &x509_supported, &x509_ecdsa_supported);
607 if (!x509_supported && FLAGS_quic_require_x509) {
608 *error_details = "Missing or invalid PDMD";
609 return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
610 }
607 DCHECK(proof_source_.get()); 611 DCHECK(proof_source_.get());
608 string chlo_hash; 612 string chlo_hash;
609 CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash); 613 CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
610 if (!crypto_proof->chain && 614 if (!crypto_proof->chain &&
611 !proof_source_->GetProof( 615 !proof_source_->GetProof(
612 server_ip, info.sni.as_string(), primary_config->serialized, version, 616 server_ip, info.sni.as_string(), primary_config->serialized, version,
613 chlo_hash, x509_ecdsa_supported, &crypto_proof->chain, 617 chlo_hash, x509_ecdsa_supported, &crypto_proof->chain,
614 &crypto_proof->signature, &crypto_proof->cert_sct)) { 618 &crypto_proof->signature, &crypto_proof->cert_sct)) {
615 return QUIC_HANDSHAKE_FAILED; 619 return QUIC_HANDSHAKE_FAILED;
616 } 620 }
(...skipping 630 matching lines...) Expand 10 before | Expand all | Expand 10 after
1247 } 1251 }
1248 1252
1249 // Send client the reject reason for debugging purposes. 1253 // Send client the reject reason for debugging purposes.
1250 DCHECK_LT(0u, info.reject_reasons.size()); 1254 DCHECK_LT(0u, info.reject_reasons.size());
1251 out->SetVector(kRREJ, info.reject_reasons); 1255 out->SetVector(kRREJ, info.reject_reasons);
1252 1256
1253 // The client may have requested a certificate chain. 1257 // The client may have requested a certificate chain.
1254 bool x509_supported = false; 1258 bool x509_supported = false;
1255 ParseProofDemand(client_hello, &x509_supported, 1259 ParseProofDemand(client_hello, &x509_supported,
1256 &params->x509_ecdsa_supported); 1260 &params->x509_ecdsa_supported);
1257 if (!x509_supported) { 1261 if (!x509_supported && FLAGS_quic_require_x509) {
1262 QUIC_BUG << "x509 certificates not supported in proof demand";
1258 return; 1263 return;
1259 } 1264 }
1260 1265
1261 StringPiece client_common_set_hashes; 1266 StringPiece client_common_set_hashes;
1262 if (client_hello.GetStringPiece(kCCS, &client_common_set_hashes)) { 1267 if (client_hello.GetStringPiece(kCCS, &client_common_set_hashes)) {
1263 params->client_common_set_hashes = client_common_set_hashes.as_string(); 1268 params->client_common_set_hashes = client_common_set_hashes.as_string();
1264 } 1269 }
1265 1270
1266 StringPiece client_cached_cert_hashes; 1271 StringPiece client_cached_cert_hashes;
1267 if (client_hello.GetStringPiece(kCCRT, &client_cached_cert_hashes)) { 1272 if (client_hello.GetStringPiece(kCCRT, &client_cached_cert_hashes)) {
(...skipping 563 matching lines...) Expand 10 before | Expand all | Expand 10 after
1831 priority(0), 1836 priority(0),
1832 source_address_token_boxer(nullptr) {} 1837 source_address_token_boxer(nullptr) {}
1833 1838
1834 QuicCryptoServerConfig::Config::~Config() { 1839 QuicCryptoServerConfig::Config::~Config() {
1835 STLDeleteElements(&key_exchanges); 1840 STLDeleteElements(&key_exchanges);
1836 } 1841 }
1837 1842
1838 QuicCryptoProof::QuicCryptoProof() {} 1843 QuicCryptoProof::QuicCryptoProof() {}
1839 QuicCryptoProof::~QuicCryptoProof() {} 1844 QuicCryptoProof::~QuicCryptoProof() {}
1840 } // namespace net 1845 } // namespace net
OLDNEW
« no previous file with comments | « net/quic/crypto/crypto_server_test.cc ('k') | net/quic/quic_flags.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698