Landing Recent QUIC changes until Sat Aug 13 04:32:36 2016 UTC-0

net/quic/core/crypto/quic_crypto_server_config.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/core/crypto/quic_crypto_server_config.h"
 
 #include <stdlib.h>
 
 #include <algorithm>
 #include <memory>
@@ skipping 601 matching lines @@
 
   if (validate_chlo_result.error_code != QUIC_NO_ERROR) {
     *error_details = validate_chlo_result.error_details;
     return validate_chlo_result.error_code;
   }
 
   out->Clear();
 
   if (!ClientDemandsX509Proof(client_hello) && FLAGS_quic_require_x509) {
     *error_details = "Missing or invalid PDMD";
-    return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
+    return QUIC_UNSUPPORTED_PROOF_DEMAND;
   }
   DCHECK(proof_source_.get());
   string chlo_hash;
   CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
   // No need to get a new proof if one was already generated.
   if (!crypto_proof->chain &&
       !proof_source_->GetProof(server_ip, info.sni.as_string(),
                                primary_config->serialized, version, chlo_hash,
                                &crypto_proof->chain, &crypto_proof->signature,
                                &crypto_proof->cert_sct)) {
@@ skipping 876 matching lines @@
       chlo_multiplier_ * (chlo_packet_size - total_framing_overhead) -
       kREJOverheadBytes;
   const size_t max_unverified_size = FLAGS_quic_use_chlo_packet_size
                                          ? new_max_unverified_size
                                          : old_max_unverified_size;
   static_assert(kClientHelloMinimumSize * kMultiplier >= kREJOverheadBytes,
                 "overhead calculation may underflow");
   bool should_return_sct =
       params->sct_supported_by_client && enable_serving_sct_;
   const size_t sct_size = should_return_sct ? crypto_proof.cert_sct.size() : 0;
-  if (info.valid_source_address_token ||
-      crypto_proof.signature.size() + compressed.size() + sct_size <
-          max_unverified_size) {
+  const size_t total_size =
+      crypto_proof.signature.size() + compressed.size() + sct_size;
+  if (info.valid_source_address_token || total_size < max_unverified_size) {
     out->SetStringPiece(kCertificateTag, compressed);
     out->SetStringPiece(kPROF, crypto_proof.signature);
     if (should_return_sct) {
       if (crypto_proof.cert_sct.empty()) {
         DLOG(WARNING) << "SCT is expected but it is empty.";
       } else {
         out->SetStringPiece(kCertificateSCTTag, crypto_proof.cert_sct);
       }
     }
+  } else {
+    if (FLAGS_quic_use_chlo_packet_size) {
+      DLOG(WARNING) << "Sending inchoate REJ for hostname: " << info.sni
+                    << " signature: " << crypto_proof.signature.size()
+                    << " cert: " << compressed.size() << " sct:" << sct_size
+                    << " total: " << total_size
+                    << " max: " << max_unverified_size;
+    }
   }
 }
 
 string QuicCryptoServerConfig::CompressChain(
     QuicCompressedCertsCache* compressed_certs_cache,
     const scoped_refptr<ProofSource::Chain>& chain,
     const string& client_common_set_hashes,
     const string& client_cached_cert_hashes,
     const CommonCertSets* common_sets) {
   // Check whether the compressed certs is available in the cache.
@@ skipping 508 matching lines @@
       priority(0),
       source_address_token_boxer(nullptr) {}
 
 QuicCryptoServerConfig::Config::~Config() {
   base::STLDeleteElements(&key_exchanges);
 }
 
 QuicCryptoProof::QuicCryptoProof() {}
 QuicCryptoProof::~QuicCryptoProof() {}
 }  // namespace net