Landing Recent QUIC changes until 2016-07-02 02:45 UTC

net/quic/crypto/quic_crypto_server_config.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/quic_crypto_server_config.h"
 
 #include <stdlib.h>
 
 #include <algorithm>
 #include <memory>
@@ skipping 586 matching lines @@
   if (validate_chlo_result.error_code != QUIC_NO_ERROR) {
     *error_details = validate_chlo_result.error_details;
     return validate_chlo_result.error_code;
   }
 
   out->Clear();
 
   bool x509_supported = false;
   bool x509_ecdsa_supported = false;
   ParseProofDemand(client_hello, &x509_supported, &x509_ecdsa_supported);
+  if (!x509_supported && FLAGS_quic_require_x509) {
+    *error_details = "Missing or invalid PDMD";
+    return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
+  }
   DCHECK(proof_source_.get());
   string chlo_hash;
   CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
   if (!crypto_proof->chain &&
       !proof_source_->GetProof(
           server_ip, info.sni.as_string(), primary_config->serialized, version,
           chlo_hash, x509_ecdsa_supported, &crypto_proof->chain,
           &crypto_proof->signature, &crypto_proof->cert_sct)) {
     return QUIC_HANDSHAKE_FAILED;
   }
@@ skipping 539 matching lines @@
     StringPiece chlo_hash,
     const SourceAddressTokens& previous_source_address_tokens,
     const IPAddress& server_ip,
     const IPAddress& client_ip,
     const QuicClock* clock,
     QuicRandom* rand,
     QuicCompressedCertsCache* compressed_certs_cache,
     const QuicCryptoNegotiatedParameters& params,
     const CachedNetworkParameters* cached_network_params,
     CryptoHandshakeMessage* out) const {
-  base::AutoLock locked(configs_lock_);
+  string serialized;
+  string source_address_token;
+  const CommonCertSets* common_cert_sets;
+  {
+    base::AutoLock locked(configs_lock_);
+    serialized = primary_config_->serialized;
+    common_cert_sets = primary_config_->common_cert_sets;
+    source_address_token = NewSourceAddressToken(
+        *primary_config_, previous_source_address_tokens, client_ip, rand,
+        clock->WallNow(), cached_network_params);
+  }
+
   out->set_tag(kSCUP);
-  out->SetStringPiece(kSCFG, primary_config_->serialized);
-  out->SetStringPiece(
-      kSourceAddressTokenTag,
-      NewSourceAddressToken(*primary_config_.get(),
-                            previous_source_address_tokens, client_ip, rand,
-                            clock->WallNow(), cached_network_params));
+  out->SetStringPiece(kSCFG, serialized);
+  out->SetStringPiece(kSourceAddressTokenTag, source_address_token);
 
   scoped_refptr<ProofSource::Chain> chain;
   string signature;
   string cert_sct;
   if (FLAGS_quic_use_hash_in_scup) {
-    if (!proof_source_->GetProof(server_ip, params.sni,
-                                 primary_config_->serialized, version,
+    if (!proof_source_->GetProof(server_ip, params.sni, serialized, version,
                                  chlo_hash, params.x509_ecdsa_supported, &chain,
                                  &signature, &cert_sct)) {
       DVLOG(1) << "Server: failed to get proof.";
       return false;
     }
   } else {
     if (!proof_source_->GetProof(
-            server_ip, params.sni, primary_config_->serialized, version,
-            params.client_nonce, params.x509_ecdsa_supported, &chain,
-            &signature, &cert_sct)) {
+            server_ip, params.sni, serialized, version, params.client_nonce,
+            params.x509_ecdsa_supported, &chain, &signature, &cert_sct)) {
       DVLOG(1) << "Server: failed to get proof.";
       return false;
     }
   }
 
   const string compressed = CompressChain(
       compressed_certs_cache, chain, params.client_common_set_hashes,
-      params.client_cached_cert_hashes, primary_config_->common_cert_sets);
+      params.client_cached_cert_hashes, common_cert_sets);
 
   out->SetStringPiece(kCertificateTag, compressed);
   out->SetStringPiece(kPROF, signature);
   if (params.sct_supported_by_client && version > QUIC_VERSION_29 &&
       enable_serving_sct_) {
     if (cert_sct.empty()) {
       DLOG(WARNING) << "SCT is expected but it is empty.";
     } else {
       out->SetStringPiece(kCertificateSCTTag, cert_sct);
     }
@@ skipping 33 matching lines @@
   }
 
   // Send client the reject reason for debugging purposes.
   DCHECK_LT(0u, info.reject_reasons.size());
   out->SetVector(kRREJ, info.reject_reasons);
 
   // The client may have requested a certificate chain.
   bool x509_supported = false;
   ParseProofDemand(client_hello, &x509_supported,
                    &params->x509_ecdsa_supported);
-  if (!x509_supported) {
+  if (!x509_supported && FLAGS_quic_require_x509) {
+    QUIC_BUG << "x509 certificates not supported in proof demand";
     return;
   }
 
   StringPiece client_common_set_hashes;
   if (client_hello.GetStringPiece(kCCS, &client_common_set_hashes)) {
     params->client_common_set_hashes = client_common_set_hashes.as_string();
   }
 
   StringPiece client_cached_cert_hashes;
   if (client_hello.GetStringPiece(kCCRT, &client_cached_cert_hashes)) {
@@ skipping 563 matching lines @@
       priority(0),
       source_address_token_boxer(nullptr) {}
 
 QuicCryptoServerConfig::Config::~Config() {
   STLDeleteElements(&key_exchanges);
 }
 
 QuicCryptoProof::QuicCryptoProof() {}
 QuicCryptoProof::~QuicCryptoProof() {}
 }  // namespace net