Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1938)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/quic/crypto/quic_crypto_server_config.h

Issue 213473003: This change introduces a way to tie source address token keys to specific QUIC server configs (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Merge internal change: 65382861 Created 6 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/quic/crypto/crypto_secret_boxer.cc ('K') | « net/quic/crypto/crypto_server_config_protobuf.h ('k') | net/quic/crypto/quic_crypto_server_config.cc » ('j') | net/quic/crypto/quic_crypto_server_config.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/quic/crypto/quic_crypto_server_config.h
diff --git a/net/quic/crypto/quic_crypto_server_config.h b/net/quic/crypto/quic_crypto_server_config.h
index 5ece45d5ed71753abfa8fa918a95adeecf858c0d..f64859d8ccb5f75619b5f52dfa0487ba69e0347f 100644
--- a/net/quic/crypto/quic_crypto_server_config.h
+++ b/net/quic/crypto/quic_crypto_server_config.h
@@ -323,6 +323,17 @@ class NET_EXPORT_PRIVATE QuicCryptoServerConfig {
// Smaller numbers mean higher priority.
uint64 priority;
+ // source_address_token_boxer_ is used to protect the
+ // source-address tokens that are given to clients.
+ // Points to either source_address_token_boxer_storage or the
+ // default boxer provided by QuicCryptoServerConfig.
+ const CryptoSecretBoxer* source_address_token_boxer;
+
+ // Holds the override source_address_token_boxer instance if the
+ // Config is not using the default source address token boxer
+ // instance provided by QuicCryptoServerConfig.
+ scoped_ptr<CryptoSecretBoxer> source_address_token_boxer_storage;
+
private:
friend class base::RefCounted<Config>;
virtual ~Config();
@@ -332,6 +343,10 @@ class NET_EXPORT_PRIVATE QuicCryptoServerConfig {
typedef std::map<ServerConfigID, scoped_refptr<Config> > ConfigMap;
+ // Get a ref to the config with a given server config id.
+ scoped_refptr<Config> GetConfigWithScid(
+ base::StringPiece requested_scid) const;
+
// ConfigPrimaryTimeLessThan returns true if a->primary_time <
// b->primary_time.
static bool ConfigPrimaryTimeLessThan(const scoped_refptr<Config>& a,
@@ -346,12 +361,13 @@ class NET_EXPORT_PRIVATE QuicCryptoServerConfig {
// written to |info|.
void EvaluateClientHello(
const uint8* primary_orbit,
+ scoped_refptr<Config> requested_config,
ValidateClientHelloResultCallback::Result* client_hello_state,
ValidateClientHelloResultCallback* done_cb) const;
// BuildRejection sets |out| to be a REJ message in reply to |client_hello|.
void BuildRejection(
- const scoped_refptr<Config>& config,
+ const Config& config,
const CryptoHandshakeMessage& client_hello,
const ClientHelloInfo& info,
QuicRandom* rand,
@@ -364,16 +380,20 @@ class NET_EXPORT_PRIVATE QuicCryptoServerConfig {
// NewSourceAddressToken returns a fresh source address token for the given
// IP address.
- std::string NewSourceAddressToken(const IPEndPoint& ip,
- QuicRandom* rand,
- QuicWallTime now) const;
+ std::string NewSourceAddressToken(
+ const QuicCryptoServerConfig::Config& config,
+ const IPEndPoint& ip,
+ QuicRandom* rand,
+ QuicWallTime now) const;
// ValidateSourceAddressToken returns true if the source address token in
// |token| is a valid and timely token for the IP address |ip| given that the
// current time is |now|.
- bool ValidateSourceAddressToken(base::StringPiece token,
- const IPEndPoint& ip,
- QuicWallTime now) const;
+ bool ValidateSourceAddressToken(
+ const QuicCryptoServerConfig::Config& config,
wtc 2014/04/22 19:12:10 Change QuicCryptoServerConfig::Config to Config on
ramant (doing other things) 2014/04/25 23:40:58 Done.
+ base::StringPiece token,
+ const IPEndPoint& ip,
+ QuicWallTime now) const;
// NewServerNonce generates and encrypts a random nonce.
std::string NewServerNonce(QuicRandom* rand, QuicWallTime now) const;
@@ -413,9 +433,10 @@ class NET_EXPORT_PRIVATE QuicCryptoServerConfig {
// observed client nonces in order to prevent replay attacks.
mutable scoped_ptr<StrikeRegisterClient> strike_register_client_;
- // source_address_token_boxer_ is used to protect the source-address tokens
- // that are given to clients.
- CryptoSecretBoxer source_address_token_boxer_;
+ // Default source_address_token_boxer_ used to protect the
+ // source-address tokens that are given to clients. Individual
+ // configs may use boxers with alternate secrets.
+ CryptoSecretBoxer default_source_address_token_boxer_;
// server_nonce_boxer_ is used to encrypt and validate suggested server
// nonces.
« net/quic/crypto/crypto_secret_boxer.cc ('K') | « net/quic/crypto/crypto_server_config_protobuf.h ('k') | net/quic/crypto/quic_crypto_server_config.cc » ('j') | net/quic/crypto/quic_crypto_server_config.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698