OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/quic/core/crypto/quic_crypto_server_config.h" | 5 #include "net/quic/core/crypto/quic_crypto_server_config.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 | 8 |
9 #include <algorithm> | 9 #include <algorithm> |
10 #include <memory> | 10 #include <memory> |
(...skipping 726 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
737 | 737 |
738 if (!ClientDemandsX509Proof(client_hello)) { | 738 if (!ClientDemandsX509Proof(client_hello)) { |
739 helper.Fail(QUIC_UNSUPPORTED_PROOF_DEMAND, "Missing or invalid PDMD"); | 739 helper.Fail(QUIC_UNSUPPORTED_PROOF_DEMAND, "Missing or invalid PDMD"); |
740 return; | 740 return; |
741 } | 741 } |
742 DCHECK(proof_source_.get()); | 742 DCHECK(proof_source_.get()); |
743 string chlo_hash; | 743 string chlo_hash; |
744 CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash); | 744 CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash); |
745 // No need to get a new proof if one was already generated. | 745 // No need to get a new proof if one was already generated. |
746 if (!crypto_proof->chain) { | 746 if (!crypto_proof->chain) { |
| 747 const QuicTag* tag_ptr; |
| 748 size_t num_tags; |
| 749 QuicTagVector connection_options; |
| 750 if (client_hello.GetTaglist(kCOPT, &tag_ptr, &num_tags) == QUIC_NO_ERROR) { |
| 751 connection_options.assign(tag_ptr, tag_ptr + num_tags); |
| 752 } |
747 if (FLAGS_enable_async_get_proof) { | 753 if (FLAGS_enable_async_get_proof) { |
748 std::unique_ptr<ProcessClientHelloCallback> cb( | 754 std::unique_ptr<ProcessClientHelloCallback> cb( |
749 new ProcessClientHelloCallback( | 755 new ProcessClientHelloCallback( |
750 this, validate_chlo_result, reject_only, connection_id, | 756 this, validate_chlo_result, reject_only, connection_id, |
751 client_address, version, supported_versions, | 757 client_address, version, supported_versions, |
752 use_stateless_rejects, server_designated_connection_id, clock, | 758 use_stateless_rejects, server_designated_connection_id, clock, |
753 rand, compressed_certs_cache, params, crypto_proof, | 759 rand, compressed_certs_cache, params, crypto_proof, |
754 total_framing_overhead, chlo_packet_size, requested_config, | 760 total_framing_overhead, chlo_packet_size, requested_config, |
755 primary_config, std::move(done_cb))); | 761 primary_config, std::move(done_cb))); |
756 proof_source_->GetProof(server_ip, info.sni.as_string(), | 762 proof_source_->GetProof(server_ip, info.sni.as_string(), |
757 primary_config->serialized, version, chlo_hash, | 763 primary_config->serialized, version, chlo_hash, |
758 std::move(cb)); | 764 connection_options, std::move(cb)); |
759 helper.DetachCallback(); | 765 helper.DetachCallback(); |
760 return; | 766 return; |
761 } | 767 } |
762 | 768 |
763 if (!proof_source_->GetProof(server_ip, info.sni.as_string(), | 769 if (!proof_source_->GetProof( |
764 primary_config->serialized, version, chlo_hash, | 770 server_ip, info.sni.as_string(), primary_config->serialized, |
765 &crypto_proof->chain, &crypto_proof->signature, | 771 version, chlo_hash, connection_options, &crypto_proof->chain, |
766 &crypto_proof->cert_sct)) { | 772 &crypto_proof->signature, &crypto_proof->cert_sct)) { |
767 helper.Fail(QUIC_HANDSHAKE_FAILED, "Missing or invalid crypto proof."); | 773 helper.Fail(QUIC_HANDSHAKE_FAILED, "Missing or invalid crypto proof."); |
768 return; | 774 return; |
769 } | 775 } |
770 } | 776 } |
771 | 777 |
772 helper.DetachCallback(); | 778 helper.DetachCallback(); |
773 ProcessClientHelloAfterGetProof( | 779 ProcessClientHelloAfterGetProof( |
774 /* found_error = */ false, *validate_chlo_result, reject_only, | 780 /* found_error = */ false, *validate_chlo_result, reject_only, |
775 connection_id, client_address, version, supported_versions, | 781 connection_id, client_address, version, supported_versions, |
776 use_stateless_rejects, server_designated_connection_id, clock, rand, | 782 use_stateless_rejects, server_designated_connection_id, clock, rand, |
(...skipping 530 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1307 // No valid source address token. | 1313 // No valid source address token. |
1308 found_error = true; | 1314 found_error = true; |
1309 } | 1315 } |
1310 | 1316 |
1311 bool get_proof_failed = false; | 1317 bool get_proof_failed = false; |
1312 string serialized_config = primary_config->serialized; | 1318 string serialized_config = primary_config->serialized; |
1313 string chlo_hash; | 1319 string chlo_hash; |
1314 CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash); | 1320 CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash); |
1315 bool need_proof = true; | 1321 bool need_proof = true; |
1316 need_proof = !crypto_proof->chain; | 1322 need_proof = !crypto_proof->chain; |
| 1323 const QuicTag* tag_ptr; |
| 1324 size_t num_tags; |
| 1325 QuicTagVector connection_options; |
| 1326 if (client_hello.GetTaglist(kCOPT, &tag_ptr, &num_tags) == QUIC_NO_ERROR) { |
| 1327 connection_options.assign(tag_ptr, tag_ptr + num_tags); |
| 1328 } |
1317 if (FLAGS_enable_async_get_proof) { | 1329 if (FLAGS_enable_async_get_proof) { |
1318 if (need_proof) { | 1330 if (need_proof) { |
1319 // Make an async call to GetProof and setup the callback to trampoline | 1331 // Make an async call to GetProof and setup the callback to trampoline |
1320 // back into EvaluateClientHelloAfterGetProof | 1332 // back into EvaluateClientHelloAfterGetProof |
1321 std::unique_ptr<EvaluateClientHelloCallback> cb( | 1333 std::unique_ptr<EvaluateClientHelloCallback> cb( |
1322 new EvaluateClientHelloCallback( | 1334 new EvaluateClientHelloCallback( |
1323 *this, found_error, server_ip, version, requested_config, | 1335 *this, found_error, server_ip, version, requested_config, |
1324 primary_config, crypto_proof, client_hello_state, | 1336 primary_config, crypto_proof, client_hello_state, |
1325 std::move(done_cb))); | 1337 std::move(done_cb))); |
1326 proof_source_->GetProof(server_ip, info->sni.as_string(), | 1338 proof_source_->GetProof(server_ip, info->sni.as_string(), |
1327 serialized_config, version, chlo_hash, | 1339 serialized_config, version, chlo_hash, |
1328 std::move(cb)); | 1340 connection_options, std::move(cb)); |
1329 helper.DetachCallback(); | 1341 helper.DetachCallback(); |
1330 return; | 1342 return; |
1331 } | 1343 } |
1332 } | 1344 } |
1333 | 1345 |
1334 // No need to get a new proof if one was already generated. | 1346 // No need to get a new proof if one was already generated. |
1335 if (need_proof && | 1347 if (need_proof && |
1336 !proof_source_->GetProof(server_ip, info->sni.as_string(), | 1348 !proof_source_->GetProof( |
1337 serialized_config, version, chlo_hash, | 1349 server_ip, info->sni.as_string(), serialized_config, version, |
1338 &crypto_proof->chain, &crypto_proof->signature, | 1350 chlo_hash, connection_options, &crypto_proof->chain, |
1339 &crypto_proof->cert_sct)) { | 1351 &crypto_proof->signature, &crypto_proof->cert_sct)) { |
1340 get_proof_failed = true; | 1352 get_proof_failed = true; |
1341 } | 1353 } |
1342 | 1354 |
1343 // Details are null because the synchronous version of GetProof does not | 1355 // Details are null because the synchronous version of GetProof does not |
1344 // return any stats. Eventually the synchronous codepath will be eliminated. | 1356 // return any stats. Eventually the synchronous codepath will be eliminated. |
1345 EvaluateClientHelloAfterGetProof( | 1357 EvaluateClientHelloAfterGetProof( |
1346 found_error, server_ip, version, requested_config, primary_config, | 1358 found_error, server_ip, version, requested_config, primary_config, |
1347 crypto_proof, nullptr /* proof_source_details */, get_proof_failed, | 1359 crypto_proof, nullptr /* proof_source_details */, get_proof_failed, |
1348 client_hello_state, std::move(done_cb)); | 1360 client_hello_state, std::move(done_cb)); |
1349 helper.DetachCallback(); | 1361 helper.DetachCallback(); |
(...skipping 116 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1466 QuicVersion version, | 1478 QuicVersion version, |
1467 StringPiece chlo_hash, | 1479 StringPiece chlo_hash, |
1468 const SourceAddressTokens& previous_source_address_tokens, | 1480 const SourceAddressTokens& previous_source_address_tokens, |
1469 const IPAddress& server_ip, | 1481 const IPAddress& server_ip, |
1470 const IPAddress& client_ip, | 1482 const IPAddress& client_ip, |
1471 const QuicClock* clock, | 1483 const QuicClock* clock, |
1472 QuicRandom* rand, | 1484 QuicRandom* rand, |
1473 QuicCompressedCertsCache* compressed_certs_cache, | 1485 QuicCompressedCertsCache* compressed_certs_cache, |
1474 const QuicCryptoNegotiatedParameters& params, | 1486 const QuicCryptoNegotiatedParameters& params, |
1475 const CachedNetworkParameters* cached_network_params, | 1487 const CachedNetworkParameters* cached_network_params, |
| 1488 const QuicTagVector& connection_options, |
1476 CryptoHandshakeMessage* out) const { | 1489 CryptoHandshakeMessage* out) const { |
1477 string serialized; | 1490 string serialized; |
1478 string source_address_token; | 1491 string source_address_token; |
1479 QuicWallTime expiry_time = QuicWallTime::Zero(); | 1492 QuicWallTime expiry_time = QuicWallTime::Zero(); |
1480 const CommonCertSets* common_cert_sets; | 1493 const CommonCertSets* common_cert_sets; |
1481 { | 1494 { |
1482 base::AutoLock locked(configs_lock_); | 1495 base::AutoLock locked(configs_lock_); |
1483 serialized = primary_config_->serialized; | 1496 serialized = primary_config_->serialized; |
1484 common_cert_sets = primary_config_->common_cert_sets; | 1497 common_cert_sets = primary_config_->common_cert_sets; |
1485 expiry_time = primary_config_->expiry_time; | 1498 expiry_time = primary_config_->expiry_time; |
1486 source_address_token = NewSourceAddressToken( | 1499 source_address_token = NewSourceAddressToken( |
1487 *primary_config_, previous_source_address_tokens, client_ip, rand, | 1500 *primary_config_, previous_source_address_tokens, client_ip, rand, |
1488 clock->WallNow(), cached_network_params); | 1501 clock->WallNow(), cached_network_params); |
1489 } | 1502 } |
1490 | 1503 |
1491 out->set_tag(kSCUP); | 1504 out->set_tag(kSCUP); |
1492 out->SetStringPiece(kSCFG, serialized); | 1505 out->SetStringPiece(kSCFG, serialized); |
1493 out->SetStringPiece(kSourceAddressTokenTag, source_address_token); | 1506 out->SetStringPiece(kSourceAddressTokenTag, source_address_token); |
1494 out->SetValue(kSTTL, | 1507 out->SetValue(kSTTL, |
1495 expiry_time.AbsoluteDifference(clock->WallNow()).ToSeconds()); | 1508 expiry_time.AbsoluteDifference(clock->WallNow()).ToSeconds()); |
1496 | 1509 |
1497 scoped_refptr<ProofSource::Chain> chain; | 1510 scoped_refptr<ProofSource::Chain> chain; |
1498 string signature; | 1511 string signature; |
1499 string cert_sct; | 1512 string cert_sct; |
1500 if (!proof_source_->GetProof(server_ip, params.sni, serialized, version, | 1513 if (!proof_source_->GetProof(server_ip, params.sni, serialized, version, |
1501 chlo_hash, &chain, &signature, &cert_sct)) { | 1514 chlo_hash, connection_options, &chain, |
| 1515 &signature, &cert_sct)) { |
1502 DVLOG(1) << "Server: failed to get proof."; | 1516 DVLOG(1) << "Server: failed to get proof."; |
1503 return false; | 1517 return false; |
1504 } | 1518 } |
1505 | 1519 |
1506 const string compressed = CompressChain( | 1520 const string compressed = CompressChain( |
1507 compressed_certs_cache, chain, params.client_common_set_hashes, | 1521 compressed_certs_cache, chain, params.client_common_set_hashes, |
1508 params.client_cached_cert_hashes, common_cert_sets); | 1522 params.client_cached_cert_hashes, common_cert_sets); |
1509 | 1523 |
1510 out->SetStringPiece(kCertificateTag, compressed); | 1524 out->SetStringPiece(kCertificateTag, compressed); |
1511 out->SetStringPiece(kPROF, signature); | 1525 out->SetStringPiece(kPROF, signature); |
(...skipping 12 matching lines...) Expand all Loading... |
1524 QuicVersion version, | 1538 QuicVersion version, |
1525 StringPiece chlo_hash, | 1539 StringPiece chlo_hash, |
1526 const SourceAddressTokens& previous_source_address_tokens, | 1540 const SourceAddressTokens& previous_source_address_tokens, |
1527 const IPAddress& server_ip, | 1541 const IPAddress& server_ip, |
1528 const IPAddress& client_ip, | 1542 const IPAddress& client_ip, |
1529 const QuicClock* clock, | 1543 const QuicClock* clock, |
1530 QuicRandom* rand, | 1544 QuicRandom* rand, |
1531 QuicCompressedCertsCache* compressed_certs_cache, | 1545 QuicCompressedCertsCache* compressed_certs_cache, |
1532 const QuicCryptoNegotiatedParameters& params, | 1546 const QuicCryptoNegotiatedParameters& params, |
1533 const CachedNetworkParameters* cached_network_params, | 1547 const CachedNetworkParameters* cached_network_params, |
| 1548 const QuicTagVector& connection_options, |
1534 std::unique_ptr<BuildServerConfigUpdateMessageResultCallback> cb) const { | 1549 std::unique_ptr<BuildServerConfigUpdateMessageResultCallback> cb) const { |
1535 string serialized; | 1550 string serialized; |
1536 string source_address_token; | 1551 string source_address_token; |
1537 const CommonCertSets* common_cert_sets; | 1552 const CommonCertSets* common_cert_sets; |
1538 { | 1553 { |
1539 base::AutoLock locked(configs_lock_); | 1554 base::AutoLock locked(configs_lock_); |
1540 serialized = primary_config_->serialized; | 1555 serialized = primary_config_->serialized; |
1541 common_cert_sets = primary_config_->common_cert_sets; | 1556 common_cert_sets = primary_config_->common_cert_sets; |
1542 source_address_token = NewSourceAddressToken( | 1557 source_address_token = NewSourceAddressToken( |
1543 *primary_config_, previous_source_address_tokens, client_ip, rand, | 1558 *primary_config_, previous_source_address_tokens, client_ip, rand, |
1544 clock->WallNow(), cached_network_params); | 1559 clock->WallNow(), cached_network_params); |
1545 } | 1560 } |
1546 | 1561 |
1547 CryptoHandshakeMessage message; | 1562 CryptoHandshakeMessage message; |
1548 message.set_tag(kSCUP); | 1563 message.set_tag(kSCUP); |
1549 message.SetStringPiece(kSCFG, serialized); | 1564 message.SetStringPiece(kSCFG, serialized); |
1550 message.SetStringPiece(kSourceAddressTokenTag, source_address_token); | 1565 message.SetStringPiece(kSourceAddressTokenTag, source_address_token); |
1551 | 1566 |
1552 std::unique_ptr<BuildServerConfigUpdateMessageProofSourceCallback> | 1567 std::unique_ptr<BuildServerConfigUpdateMessageProofSourceCallback> |
1553 proof_source_cb(new BuildServerConfigUpdateMessageProofSourceCallback( | 1568 proof_source_cb(new BuildServerConfigUpdateMessageProofSourceCallback( |
1554 this, version, compressed_certs_cache, common_cert_sets, params, | 1569 this, version, compressed_certs_cache, common_cert_sets, params, |
1555 std::move(message), std::move(cb))); | 1570 std::move(message), std::move(cb))); |
1556 | 1571 |
1557 proof_source_->GetProof(server_ip, params.sni, serialized, version, chlo_hash, | 1572 proof_source_->GetProof(server_ip, params.sni, serialized, version, chlo_hash, |
1558 std::move(proof_source_cb)); | 1573 connection_options, std::move(proof_source_cb)); |
1559 } | 1574 } |
1560 | 1575 |
1561 QuicCryptoServerConfig::BuildServerConfigUpdateMessageProofSourceCallback:: | 1576 QuicCryptoServerConfig::BuildServerConfigUpdateMessageProofSourceCallback:: |
1562 ~BuildServerConfigUpdateMessageProofSourceCallback() {} | 1577 ~BuildServerConfigUpdateMessageProofSourceCallback() {} |
1563 | 1578 |
1564 QuicCryptoServerConfig::BuildServerConfigUpdateMessageProofSourceCallback:: | 1579 QuicCryptoServerConfig::BuildServerConfigUpdateMessageProofSourceCallback:: |
1565 BuildServerConfigUpdateMessageProofSourceCallback( | 1580 BuildServerConfigUpdateMessageProofSourceCallback( |
1566 const QuicCryptoServerConfig* config, | 1581 const QuicCryptoServerConfig* config, |
1567 QuicVersion version, | 1582 QuicVersion version, |
1568 QuicCompressedCertsCache* compressed_certs_cache, | 1583 QuicCompressedCertsCache* compressed_certs_cache, |
(...skipping 676 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2245 priority(0), | 2260 priority(0), |
2246 source_address_token_boxer(nullptr) {} | 2261 source_address_token_boxer(nullptr) {} |
2247 | 2262 |
2248 QuicCryptoServerConfig::Config::~Config() { | 2263 QuicCryptoServerConfig::Config::~Config() { |
2249 } | 2264 } |
2250 | 2265 |
2251 QuicCryptoProof::QuicCryptoProof() {} | 2266 QuicCryptoProof::QuicCryptoProof() {} |
2252 QuicCryptoProof::~QuicCryptoProof() {} | 2267 QuicCryptoProof::~QuicCryptoProof() {} |
2253 | 2268 |
2254 } // namespace net | 2269 } // namespace net |
OLD | NEW |