| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/core/crypto/quic_crypto_server_config.h" | 5 #include "net/quic/core/crypto/quic_crypto_server_config.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 #include <memory> | 10 #include <memory> |
| 633 return QUIC_HANDSHAKE_FAILED; | 633 return QUIC_HANDSHAKE_FAILED; |
| 634 } | 634 } |
| 635 | 635 |
| 636 StringPiece cert_sct; | 636 StringPiece cert_sct; |
| 637 if (client_hello.GetStringPiece(kCertificateSCTTag, &cert_sct) && | 637 if (client_hello.GetStringPiece(kCertificateSCTTag, &cert_sct) && |
| 638 cert_sct.empty()) { | 638 cert_sct.empty()) { |
| 639 params->sct_supported_by_client = true; | 639 params->sct_supported_by_client = true; |
| 640 } | 640 } |
| 641 | 641 |
| 642 if (!info.reject_reasons.empty() || !requested_config.get()) { | 642 if (!info.reject_reasons.empty() || !requested_config.get()) { |
| 643 BuildRejection(version, *primary_config, client_hello, info, | 643 BuildRejection(version, clock->WallNow(), *primary_config, client_hello, |
| 644 validate_chlo_result.cached_network_params, | 644 info, validate_chlo_result.cached_network_params, |
| 645 use_stateless_rejects, server_designated_connection_id, rand, | 645 use_stateless_rejects, server_designated_connection_id, rand, |
| 646 compressed_certs_cache, params, *crypto_proof, | 646 compressed_certs_cache, params, *crypto_proof, |
| 647 total_framing_overhead, chlo_packet_size, out); | 647 total_framing_overhead, chlo_packet_size, out); |
| 648 return QUIC_NO_ERROR; | 648 return QUIC_NO_ERROR; |
| 649 } | 649 } |
| 650 | 650 |
| 651 if (reject_only) { | 651 if (reject_only) { |
| 652 return QUIC_NO_ERROR; | 652 return QUIC_NO_ERROR; |
| 653 } | 653 } |
| 654 | 654 |
| 1278 const IPAddress& server_ip, | 1278 const IPAddress& server_ip, |
| 1279 const IPAddress& client_ip, | 1279 const IPAddress& client_ip, |
| 1280 const QuicClock* clock, | 1280 const QuicClock* clock, |
| 1281 QuicRandom* rand, | 1281 QuicRandom* rand, |
| 1282 QuicCompressedCertsCache* compressed_certs_cache, | 1282 QuicCompressedCertsCache* compressed_certs_cache, |
| 1283 const QuicCryptoNegotiatedParameters& params, | 1283 const QuicCryptoNegotiatedParameters& params, |
| 1284 const CachedNetworkParameters* cached_network_params, | 1284 const CachedNetworkParameters* cached_network_params, |
| 1285 CryptoHandshakeMessage* out) const { | 1285 CryptoHandshakeMessage* out) const { |
| 1286 string serialized; | 1286 string serialized; |
| 1287 string source_address_token; | 1287 string source_address_token; |
| 1288 QuicWallTime expiry_time = QuicWallTime::Zero(); |
| 1288 const CommonCertSets* common_cert_sets; | 1289 const CommonCertSets* common_cert_sets; |
| 1289 { | 1290 { |
| 1290 base::AutoLock locked(configs_lock_); | 1291 base::AutoLock locked(configs_lock_); |
| 1291 serialized = primary_config_->serialized; | 1292 serialized = primary_config_->serialized; |
| 1292 common_cert_sets = primary_config_->common_cert_sets; | 1293 common_cert_sets = primary_config_->common_cert_sets; |
| 1294 expiry_time = primary_config_->expiry_time; |
| 1293 source_address_token = NewSourceAddressToken( | 1295 source_address_token = NewSourceAddressToken( |
| 1294 *primary_config_, previous_source_address_tokens, client_ip, rand, | 1296 *primary_config_, previous_source_address_tokens, client_ip, rand, |
| 1295 clock->WallNow(), cached_network_params); | 1297 clock->WallNow(), cached_network_params); |
| 1296 } | 1298 } |
| 1297 | 1299 |
| 1298 out->set_tag(kSCUP); | 1300 out->set_tag(kSCUP); |
| 1299 out->SetStringPiece(kSCFG, serialized); | 1301 out->SetStringPiece(kSCFG, serialized); |
| 1300 out->SetStringPiece(kSourceAddressTokenTag, source_address_token); | 1302 out->SetStringPiece(kSourceAddressTokenTag, source_address_token); |
| 1303 if (FLAGS_quic_send_scfg_ttl) { |
| 1304 out->SetValue(kSTTL, |
| 1305 expiry_time.AbsoluteDifference(clock->WallNow()).ToSeconds()); |
| 1306 } |
| 1301 | 1307 |
| 1302 scoped_refptr<ProofSource::Chain> chain; | 1308 scoped_refptr<ProofSource::Chain> chain; |
| 1303 string signature; | 1309 string signature; |
| 1304 string cert_sct; | 1310 string cert_sct; |
| 1305 if (!proof_source_->GetProof(server_ip, params.sni, serialized, version, | 1311 if (!proof_source_->GetProof(server_ip, params.sni, serialized, version, |
| 1306 chlo_hash, &chain, &signature, &cert_sct)) { | 1312 chlo_hash, &chain, &signature, &cert_sct)) { |
| 1307 DVLOG(1) << "Server: failed to get proof."; | 1313 DVLOG(1) << "Server: failed to get proof."; |
| 1308 return false; | 1314 return false; |
| 1309 } | 1315 } |
| 1310 | 1316 |
| 1428 } else { | 1434 } else { |
| 1429 message.SetStringPiece(kCertificateSCTTag, leaf_cert_sct); | 1435 message.SetStringPiece(kCertificateSCTTag, leaf_cert_sct); |
| 1430 } | 1436 } |
| 1431 } | 1437 } |
| 1432 | 1438 |
| 1433 cb->Run(true, message); | 1439 cb->Run(true, message); |
| 1434 } | 1440 } |
| 1435 | 1441 |
| 1436 void QuicCryptoServerConfig::BuildRejection( | 1442 void QuicCryptoServerConfig::BuildRejection( |
| 1437 QuicVersion version, | 1443 QuicVersion version, |
| 1444 QuicWallTime now, |
| 1438 const Config& config, | 1445 const Config& config, |
| 1439 const CryptoHandshakeMessage& client_hello, | 1446 const CryptoHandshakeMessage& client_hello, |
| 1440 const ClientHelloInfo& info, | 1447 const ClientHelloInfo& info, |
| 1441 const CachedNetworkParameters& cached_network_params, | 1448 const CachedNetworkParameters& cached_network_params, |
| 1442 bool use_stateless_rejects, | 1449 bool use_stateless_rejects, |
| 1443 QuicConnectionId server_designated_connection_id, | 1450 QuicConnectionId server_designated_connection_id, |
| 1444 QuicRandom* rand, | 1451 QuicRandom* rand, |
| 1445 QuicCompressedCertsCache* compressed_certs_cache, | 1452 QuicCompressedCertsCache* compressed_certs_cache, |
| 1446 QuicCryptoNegotiatedParameters* params, | 1453 QuicCryptoNegotiatedParameters* params, |
| 1447 const QuicCryptoProof& crypto_proof, | 1454 const QuicCryptoProof& crypto_proof, |
| 1448 QuicByteCount total_framing_overhead, | 1455 QuicByteCount total_framing_overhead, |
| 1449 QuicByteCount chlo_packet_size, | 1456 QuicByteCount chlo_packet_size, |
| 1450 CryptoHandshakeMessage* out) const { | 1457 CryptoHandshakeMessage* out) const { |
| 1451 if (FLAGS_enable_quic_stateless_reject_support && use_stateless_rejects) { | 1458 if (FLAGS_enable_quic_stateless_reject_support && use_stateless_rejects) { |
| 1452 DVLOG(1) << "QUIC Crypto server config returning stateless reject " | 1459 DVLOG(1) << "QUIC Crypto server config returning stateless reject " |
| 1453 << "with server-designated connection ID " | 1460 << "with server-designated connection ID " |
| 1454 << server_designated_connection_id; | 1461 << server_designated_connection_id; |
| 1455 out->set_tag(kSREJ); | 1462 out->set_tag(kSREJ); |
| 1456 out->SetValue(kRCID, server_designated_connection_id); | 1463 out->SetValue(kRCID, server_designated_connection_id); |
| 1457 } else { | 1464 } else { |
| 1458 out->set_tag(kREJ); | 1465 out->set_tag(kREJ); |
| 1459 } | 1466 } |
| 1460 out->SetStringPiece(kSCFG, config.serialized); | 1467 out->SetStringPiece(kSCFG, config.serialized); |
| 1461 out->SetStringPiece( | 1468 out->SetStringPiece( |
| 1462 kSourceAddressTokenTag, | 1469 kSourceAddressTokenTag, |
| 1463 NewSourceAddressToken(config, info.source_address_tokens, info.client_ip, | 1470 NewSourceAddressToken(config, info.source_address_tokens, info.client_ip, |
| 1464 rand, info.now, &cached_network_params)); | 1471 rand, info.now, &cached_network_params)); |
| 1472 if (FLAGS_quic_send_scfg_ttl) { |
| 1473 out->SetValue(kSTTL, |
| 1474 config.expiry_time.AbsoluteDifference(now).ToSeconds()); |
| 1475 } |
| 1465 if (replay_protection_) { | 1476 if (replay_protection_) { |
| 1466 out->SetStringPiece(kServerNonceTag, NewServerNonce(rand, info.now)); | 1477 out->SetStringPiece(kServerNonceTag, NewServerNonce(rand, info.now)); |
| 1467 } | 1478 } |
| 1468 | 1479 |
| 1469 // Send client the reject reason for debugging purposes. | 1480 // Send client the reject reason for debugging purposes. |
| 1470 DCHECK_LT(0u, info.reject_reasons.size()); | 1481 DCHECK_LT(0u, info.reject_reasons.size()); |
| 1471 out->SetVector(kRREJ, info.reject_reasons); | 1482 out->SetVector(kRREJ, info.reject_reasons); |
| 1472 | 1483 |
| 1473 // The client may have requested a certificate chain. | 1484 // The client may have requested a certificate chain. |
| 1474 if (!ClientDemandsX509Proof(client_hello)) { | 1485 if (!ClientDemandsX509Proof(client_hello)) { |
| 1719 for (const KeyExchange* key_exchange : config->key_exchanges) { | 1730 for (const KeyExchange* key_exchange : config->key_exchanges) { |
| 1720 if (key_exchange->tag() == tag) { | 1731 if (key_exchange->tag() == tag) { |
| 1721 LOG(WARNING) << "Duplicate key exchange in config: " << tag; | 1732 LOG(WARNING) << "Duplicate key exchange in config: " << tag; |
| 1722 return nullptr; | 1733 return nullptr; |
| 1723 } | 1734 } |
| 1724 } | 1735 } |
| 1725 | 1736 |
| 1726 config->key_exchanges.push_back(ka.release()); | 1737 config->key_exchanges.push_back(ka.release()); |
| 1727 } | 1738 } |
| 1728 | 1739 |
| 1740 if (FLAGS_quic_send_scfg_ttl) { |
| 1741 uint64_t expiry_seconds; |
| 1742 if (msg->GetUint64(kEXPY, &expiry_seconds) != QUIC_NO_ERROR) { |
| 1743 LOG(WARNING) << "Server config message is missing EXPY"; |
| 1744 return nullptr; |
| 1745 } |
| 1746 config->expiry_time = QuicWallTime::FromUNIXSeconds(expiry_seconds); |
| 1747 } |
| 1748 |
| 1729 return config; | 1749 return config; |
| 1730 } | 1750 } |
| 1731 | 1751 |
| 1732 void QuicCryptoServerConfig::SetEphemeralKeySource( | 1752 void QuicCryptoServerConfig::SetEphemeralKeySource( |
| 1733 EphemeralKeySource* ephemeral_key_source) { | 1753 EphemeralKeySource* ephemeral_key_source) { |
| 1734 ephemeral_key_source_.reset(ephemeral_key_source); | 1754 ephemeral_key_source_.reset(ephemeral_key_source); |
| 1735 } | 1755 } |
| 1736 | 1756 |
| 1737 void QuicCryptoServerConfig::SetStrikeRegisterClient( | 1757 void QuicCryptoServerConfig::SetStrikeRegisterClient( |
| 1738 StrikeRegisterClient* strike_register_client) { | 1758 StrikeRegisterClient* strike_register_client) { |
| 2036 return true; | 2056 return true; |
| 2037 } | 2057 } |
| 2038 } | 2058 } |
| 2039 return false; | 2059 return false; |
| 2040 } | 2060 } |
| 2041 | 2061 |
| 2042 QuicCryptoServerConfig::Config::Config() | 2062 QuicCryptoServerConfig::Config::Config() |
| 2043 : channel_id_enabled(false), | 2063 : channel_id_enabled(false), |
| 2044 is_primary(false), | 2064 is_primary(false), |
| 2045 primary_time(QuicWallTime::Zero()), | 2065 primary_time(QuicWallTime::Zero()), |
| 2066 expiry_time(QuicWallTime::Zero()), |
| 2046 priority(0), | 2067 priority(0), |
| 2047 source_address_token_boxer(nullptr) {} | 2068 source_address_token_boxer(nullptr) {} |
| 2048 | 2069 |
| 2049 QuicCryptoServerConfig::Config::~Config() { | 2070 QuicCryptoServerConfig::Config::~Config() { |
| 2050 base::STLDeleteElements(&key_exchanges); | 2071 base::STLDeleteElements(&key_exchanges); |
| 2051 } | 2072 } |
| 2052 | 2073 |
| 2053 QuicCryptoProof::QuicCryptoProof() {} | 2074 QuicCryptoProof::QuicCryptoProof() {} |
| 2054 QuicCryptoProof::~QuicCryptoProof() {} | 2075 QuicCryptoProof::~QuicCryptoProof() {} |
| 2055 } // namespace net | 2076 } // namespace net |
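Review bot: The new STTL value in BuildRejection (new line 1474) is computed with `config.expiry_time.AbsoluteDifference(now)`, which is unsigned-in-spirit: once a config is past its expiry the server advertises a positive TTL equal to how long ago it expired instead of 0, so a client would be told to keep caching a config the server itself considers stale. The same pattern is in BuildServerConfigUpdateMessage (new line 1305), and there `expiry_time` can also still be `QuicWallTime::Zero()` for a config loaded without EXPY, which would yield a TTL of roughly "seconds since the epoch". I would clamp in both places, e.g. `out->SetValue(kSTTL, now.IsBefore(config.expiry_time) ? config.expiry_time.AbsoluteDifference(now).ToSeconds() : 0);` (assuming QuicWallTime exposes an ordering predicate such as IsBefore/IsAfter — verify the exact name), and in ParseConfigProtobuf consider rejecting or at least logging an EXPY that is already in the past when the config is loaded. BuildRejection's body continues beyond the hunk, so I could not confirm no later code re-derives the TTL.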