| Index: net/quic/core/crypto/quic_crypto_server_config.cc
|
| diff --git a/net/quic/core/crypto/quic_crypto_server_config.cc b/net/quic/core/crypto/quic_crypto_server_config.cc
|
| index dcc925f3920ca14b2a86b635bc7779a2df15a265..e70c4f2b5ff46d0aaace8e0c5c66fa4afe877c7c 100644
|
| --- a/net/quic/core/crypto/quic_crypto_server_config.cc
|
| +++ b/net/quic/core/crypto/quic_crypto_server_config.cc
|
| @@ -500,7 +500,7 @@ void QuicCryptoServerConfig::ValidateClientHello(
|
| const IPAddress& server_ip,
|
| QuicVersion version,
|
| const QuicClock* clock,
|
| - scoped_refptr<QuicCryptoProof> crypto_proof,
|
| + scoped_refptr<QuicSignedServerConfig> signed_config,
|
| std::unique_ptr<ValidateClientHelloResultCallback> done_cb) const {
|
| const QuicWallTime now(clock->WallNow());
|
|
|
| @@ -530,16 +530,16 @@ void QuicCryptoServerConfig::ValidateClientHello(
|
|
|
| requested_config = GetConfigWithScid(requested_scid);
|
| primary_config = primary_config_;
|
| - crypto_proof->config = primary_config_;
|
| + signed_config->config = primary_config_;
|
| }
|
|
|
| if (result->error_code == QUIC_NO_ERROR) {
|
| // QUIC requires a new proof for each CHLO so clear any existing proof.
|
| - crypto_proof->chain = nullptr;
|
| - crypto_proof->signature = "";
|
| - crypto_proof->cert_sct = "";
|
| + signed_config->chain = nullptr;
|
| + signed_config->signature = "";
|
| + signed_config->cert_sct = "";
|
| EvaluateClientHello(server_ip, version, requested_config, primary_config,
|
| - crypto_proof, result, std::move(done_cb));
|
| + signed_config, result, std::move(done_cb));
|
| } else {
|
| done_cb->Run(result, /* details = */ nullptr);
|
| }
|
| @@ -597,7 +597,7 @@ class QuicCryptoServerConfig::ProcessClientHelloCallback
|
| QuicRandom* rand,
|
| QuicCompressedCertsCache* compressed_certs_cache,
|
| scoped_refptr<QuicCryptoNegotiatedParameters> params,
|
| - scoped_refptr<QuicCryptoProof> crypto_proof,
|
| + scoped_refptr<QuicSignedServerConfig> signed_config,
|
| QuicByteCount total_framing_overhead,
|
| QuicByteCount chlo_packet_size,
|
| const scoped_refptr<QuicCryptoServerConfig::Config>& requested_config,
|
| @@ -616,7 +616,7 @@ class QuicCryptoServerConfig::ProcessClientHelloCallback
|
| rand_(rand),
|
| compressed_certs_cache_(compressed_certs_cache),
|
| params_(params),
|
| - crypto_proof_(crypto_proof),
|
| + signed_config_(signed_config),
|
| total_framing_overhead_(total_framing_overhead),
|
| chlo_packet_size_(chlo_packet_size),
|
| requested_config_(requested_config),
|
| @@ -625,19 +625,18 @@ class QuicCryptoServerConfig::ProcessClientHelloCallback
|
|
|
| void Run(bool ok,
|
| const scoped_refptr<ProofSource::Chain>& chain,
|
| - const string& signature,
|
| - const string& leaf_cert_sct,
|
| + const QuicCryptoProof& proof,
|
| std::unique_ptr<ProofSource::Details> details) override {
|
| if (ok) {
|
| - crypto_proof_->chain = chain;
|
| - crypto_proof_->signature = signature;
|
| - crypto_proof_->cert_sct = leaf_cert_sct;
|
| + signed_config_->chain = chain;
|
| + signed_config_->signature = proof.signature;
|
| + signed_config_->cert_sct = proof.leaf_cert_scts;
|
| }
|
| config_->ProcessClientHelloAfterGetProof(
|
| !ok, std::move(details), *validate_chlo_result_, reject_only_,
|
| connection_id_, client_address_, version_, supported_versions_,
|
| use_stateless_rejects_, server_designated_connection_id_, clock_, rand_,
|
| - compressed_certs_cache_, params_, crypto_proof_,
|
| + compressed_certs_cache_, params_, signed_config_,
|
| total_framing_overhead_, chlo_packet_size_, requested_config_,
|
| primary_config_, std::move(done_cb_));
|
| }
|
| @@ -657,7 +656,7 @@ class QuicCryptoServerConfig::ProcessClientHelloCallback
|
| QuicRandom* const rand_;
|
| QuicCompressedCertsCache* compressed_certs_cache_;
|
| scoped_refptr<QuicCryptoNegotiatedParameters> params_;
|
| - scoped_refptr<QuicCryptoProof> crypto_proof_;
|
| + scoped_refptr<QuicSignedServerConfig> signed_config_;
|
| const QuicByteCount total_framing_overhead_;
|
| const QuicByteCount chlo_packet_size_;
|
| const scoped_refptr<QuicCryptoServerConfig::Config> requested_config_;
|
| @@ -680,7 +679,7 @@ void QuicCryptoServerConfig::ProcessClientHello(
|
| QuicRandom* rand,
|
| QuicCompressedCertsCache* compressed_certs_cache,
|
| scoped_refptr<QuicCryptoNegotiatedParameters> params,
|
| - scoped_refptr<QuicCryptoProof> crypto_proof,
|
| + scoped_refptr<QuicSignedServerConfig> signed_config,
|
| QuicByteCount total_framing_overhead,
|
| QuicByteCount chlo_packet_size,
|
| std::unique_ptr<ProcessClientHelloResultCallback> done_cb) const {
|
| @@ -722,7 +721,7 @@ void QuicCryptoServerConfig::ProcessClientHello(
|
|
|
| // Use the config that the client requested in order to do key-agreement.
|
| // Otherwise give it a copy of |primary_config_| to use.
|
| - primary_config = crypto_proof->config;
|
| + primary_config = signed_config->config;
|
| requested_config = GetConfigWithScid(requested_scid);
|
| }
|
| }
|
| @@ -746,7 +745,7 @@ void QuicCryptoServerConfig::ProcessClientHello(
|
| CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
|
|
|
| // No need to get a new proof if one was already generated.
|
| - if (!crypto_proof->chain) {
|
| + if (!signed_config->chain) {
|
| const QuicTag* tag_ptr;
|
| size_t num_tags;
|
| QuicTagVector connection_options;
|
| @@ -759,7 +758,7 @@ void QuicCryptoServerConfig::ProcessClientHello(
|
| this, validate_chlo_result, reject_only, connection_id,
|
| client_address, version, supported_versions,
|
| use_stateless_rejects, server_designated_connection_id, clock,
|
| - rand, compressed_certs_cache, params, crypto_proof,
|
| + rand, compressed_certs_cache, params, signed_config,
|
| total_framing_overhead, chlo_packet_size, requested_config,
|
| primary_config, std::move(done_cb)));
|
| proof_source_->GetProof(server_ip, info.sni.as_string(),
|
| @@ -769,13 +768,16 @@ void QuicCryptoServerConfig::ProcessClientHello(
|
| return;
|
| }
|
|
|
| - if (!proof_source_->GetProof(
|
| - server_ip, info.sni.as_string(), primary_config->serialized,
|
| - version, chlo_hash, connection_options, &crypto_proof->chain,
|
| - &crypto_proof->signature, &crypto_proof->cert_sct)) {
|
| + QuicCryptoProof proof;
|
| + if (!proof_source_->GetProof(server_ip, info.sni.as_string(),
|
| + primary_config->serialized, version, chlo_hash,
|
| + connection_options, &signed_config->chain,
|
| + &proof)) {
|
| helper.Fail(QUIC_HANDSHAKE_FAILED, "Missing or invalid crypto proof.");
|
| return;
|
| }
|
| + signed_config->signature = proof.signature;
|
| + signed_config->cert_sct = proof.leaf_cert_scts;
|
| }
|
|
|
| helper.DetachCallback();
|
| @@ -784,7 +786,7 @@ void QuicCryptoServerConfig::ProcessClientHello(
|
| *validate_chlo_result, reject_only, connection_id, client_address,
|
| version, supported_versions, use_stateless_rejects,
|
| server_designated_connection_id, clock, rand, compressed_certs_cache,
|
| - params, crypto_proof, total_framing_overhead, chlo_packet_size,
|
| + params, signed_config, total_framing_overhead, chlo_packet_size,
|
| requested_config, primary_config, std::move(done_cb));
|
| }
|
|
|
| @@ -803,7 +805,7 @@ void QuicCryptoServerConfig::ProcessClientHelloAfterGetProof(
|
| QuicRandom* rand,
|
| QuicCompressedCertsCache* compressed_certs_cache,
|
| scoped_refptr<QuicCryptoNegotiatedParameters> params,
|
| - scoped_refptr<QuicCryptoProof> crypto_proof,
|
| + scoped_refptr<QuicSignedServerConfig> signed_config,
|
| QuicByteCount total_framing_overhead,
|
| QuicByteCount chlo_packet_size,
|
| const scoped_refptr<Config>& requested_config,
|
| @@ -833,7 +835,7 @@ void QuicCryptoServerConfig::ProcessClientHelloAfterGetProof(
|
| BuildRejection(version, clock->WallNow(), *primary_config, client_hello,
|
| info, validate_chlo_result.cached_network_params,
|
| use_stateless_rejects, server_designated_connection_id, rand,
|
| - compressed_certs_cache, params, *crypto_proof,
|
| + compressed_certs_cache, params, *signed_config,
|
| total_framing_overhead, chlo_packet_size, out.get());
|
| if (FLAGS_quic_export_rej_for_all_rejects &&
|
| rejection_observer_ != nullptr) {
|
| @@ -926,11 +928,11 @@ void QuicCryptoServerConfig::ProcessClientHelloAfterGetProof(
|
| client_hello_serialized.length());
|
| hkdf_suffix.append(requested_config->serialized);
|
| DCHECK(proof_source_.get());
|
| - if (crypto_proof->chain->certs.empty()) {
|
| + if (signed_config->chain->certs.empty()) {
|
| helper.Fail(QUIC_CRYPTO_INTERNAL_ERROR, "Failed to get certs");
|
| return;
|
| }
|
| - hkdf_suffix.append(crypto_proof->chain->certs.at(0));
|
| + hkdf_suffix.append(signed_config->chain->certs.at(0));
|
|
|
| StringPiece cetv_ciphertext;
|
| if (requested_config->channel_id_enabled &&
|
| @@ -1208,7 +1210,7 @@ class QuicCryptoServerConfig::EvaluateClientHelloCallback
|
| QuicVersion version,
|
| scoped_refptr<QuicCryptoServerConfig::Config> requested_config,
|
| scoped_refptr<QuicCryptoServerConfig::Config> primary_config,
|
| - scoped_refptr<QuicCryptoProof> crypto_proof,
|
| + scoped_refptr<QuicSignedServerConfig> signed_config,
|
| scoped_refptr<ValidateClientHelloResultCallback::Result>
|
| client_hello_state,
|
| std::unique_ptr<ValidateClientHelloResultCallback> done_cb)
|
| @@ -1218,23 +1220,22 @@ class QuicCryptoServerConfig::EvaluateClientHelloCallback
|
| version_(version),
|
| requested_config_(std::move(requested_config)),
|
| primary_config_(std::move(primary_config)),
|
| - crypto_proof_(crypto_proof),
|
| + signed_config_(signed_config),
|
| client_hello_state_(std::move(client_hello_state)),
|
| done_cb_(std::move(done_cb)) {}
|
|
|
| void Run(bool ok,
|
| const scoped_refptr<ProofSource::Chain>& chain,
|
| - const string& signature,
|
| - const string& leaf_cert_sct,
|
| + const QuicCryptoProof& proof,
|
| std::unique_ptr<ProofSource::Details> details) override {
|
| if (ok) {
|
| - crypto_proof_->chain = chain;
|
| - crypto_proof_->signature = signature;
|
| - crypto_proof_->cert_sct = leaf_cert_sct;
|
| + signed_config_->chain = chain;
|
| + signed_config_->signature = proof.signature;
|
| + signed_config_->cert_sct = proof.leaf_cert_scts;
|
| }
|
| config_.EvaluateClientHelloAfterGetProof(
|
| found_error_, server_ip_, version_, requested_config_, primary_config_,
|
| - crypto_proof_, std::move(details), !ok, client_hello_state_,
|
| + signed_config_, std::move(details), !ok, client_hello_state_,
|
| std::move(done_cb_));
|
| }
|
|
|
| @@ -1245,7 +1246,7 @@ class QuicCryptoServerConfig::EvaluateClientHelloCallback
|
| const QuicVersion version_;
|
| const scoped_refptr<QuicCryptoServerConfig::Config> requested_config_;
|
| const scoped_refptr<QuicCryptoServerConfig::Config> primary_config_;
|
| - scoped_refptr<QuicCryptoProof> crypto_proof_;
|
| + scoped_refptr<QuicSignedServerConfig> signed_config_;
|
| scoped_refptr<ValidateClientHelloResultCallback::Result> client_hello_state_;
|
| std::unique_ptr<ValidateClientHelloResultCallback> done_cb_;
|
| };
|
| @@ -1255,7 +1256,7 @@ void QuicCryptoServerConfig::EvaluateClientHello(
|
| QuicVersion version,
|
| scoped_refptr<Config> requested_config,
|
| scoped_refptr<Config> primary_config,
|
| - scoped_refptr<QuicCryptoProof> crypto_proof,
|
| + scoped_refptr<QuicSignedServerConfig> signed_config,
|
| scoped_refptr<ValidateClientHelloResultCallback::Result> client_hello_state,
|
| std::unique_ptr<ValidateClientHelloResultCallback> done_cb) const {
|
| ValidateClientHelloHelper helper(client_hello_state, &done_cb);
|
| @@ -1327,7 +1328,7 @@ void QuicCryptoServerConfig::EvaluateClientHello(
|
| string chlo_hash;
|
| CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
|
| bool need_proof = true;
|
| - need_proof = !crypto_proof->chain;
|
| + need_proof = !signed_config->chain;
|
| const QuicTag* tag_ptr;
|
| size_t num_tags;
|
| QuicTagVector connection_options;
|
| @@ -1341,7 +1342,7 @@ void QuicCryptoServerConfig::EvaluateClientHello(
|
| std::unique_ptr<EvaluateClientHelloCallback> cb(
|
| new EvaluateClientHelloCallback(
|
| *this, found_error, server_ip, version, requested_config,
|
| - primary_config, crypto_proof, client_hello_state,
|
| + primary_config, signed_config, client_hello_state,
|
| std::move(done_cb)));
|
| proof_source_->GetProof(server_ip, info->sni.as_string(),
|
| serialized_config, version, chlo_hash,
|
| @@ -1352,19 +1353,24 @@ void QuicCryptoServerConfig::EvaluateClientHello(
|
| }
|
|
|
| // No need to get a new proof if one was already generated.
|
| - if (need_proof &&
|
| - !proof_source_->GetProof(
|
| - server_ip, info->sni.as_string(), serialized_config, version,
|
| - chlo_hash, connection_options, &crypto_proof->chain,
|
| - &crypto_proof->signature, &crypto_proof->cert_sct)) {
|
| - get_proof_failed = true;
|
| + if (need_proof) {
|
| + QuicCryptoProof proof;
|
| +
|
| + if (proof_source_->GetProof(
|
| + server_ip, info->sni.as_string(), serialized_config, version,
|
| + chlo_hash, connection_options, &signed_config->chain, &proof)) {
|
| + signed_config->signature = proof.signature;
|
| + signed_config->cert_sct = proof.leaf_cert_scts;
|
| + } else {
|
| + get_proof_failed = true;
|
| + }
|
| }
|
|
|
| // Details are null because the synchronous version of GetProof does not
|
| // return any stats. Eventually the synchronous codepath will be eliminated.
|
| EvaluateClientHelloAfterGetProof(
|
| found_error, server_ip, version, requested_config, primary_config,
|
| - crypto_proof, nullptr /* proof_source_details */, get_proof_failed,
|
| + signed_config, nullptr /* proof_source_details */, get_proof_failed,
|
| client_hello_state, std::move(done_cb));
|
| helper.DetachCallback();
|
| }
|
| @@ -1375,7 +1381,7 @@ void QuicCryptoServerConfig::EvaluateClientHelloAfterGetProof(
|
| QuicVersion version,
|
| scoped_refptr<Config> requested_config,
|
| scoped_refptr<Config> primary_config,
|
| - scoped_refptr<QuicCryptoProof> crypto_proof,
|
| + scoped_refptr<QuicSignedServerConfig> signed_config,
|
| std::unique_ptr<ProofSource::Details> proof_source_details,
|
| bool get_proof_failed,
|
| scoped_refptr<ValidateClientHelloResultCallback::Result> client_hello_state,
|
| @@ -1389,7 +1395,7 @@ void QuicCryptoServerConfig::EvaluateClientHelloAfterGetProof(
|
| info->reject_reasons.push_back(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE);
|
| }
|
|
|
| - if (!ValidateExpectedLeafCertificate(client_hello, *crypto_proof)) {
|
| + if (!ValidateExpectedLeafCertificate(client_hello, *signed_config)) {
|
| found_error = true;
|
| info->reject_reasons.push_back(INVALID_EXPECTED_LEAF_CERTIFICATE);
|
| }
|
| @@ -1516,11 +1522,9 @@ bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage(
|
| expiry_time.AbsoluteDifference(clock->WallNow()).ToSeconds());
|
|
|
| scoped_refptr<ProofSource::Chain> chain;
|
| - string signature;
|
| - string cert_sct;
|
| + QuicCryptoProof proof;
|
| if (!proof_source_->GetProof(server_ip, params.sni, serialized, version,
|
| - chlo_hash, connection_options, &chain,
|
| - &signature, &cert_sct)) {
|
| + chlo_hash, connection_options, &chain, &proof)) {
|
| DVLOG(1) << "Server: failed to get proof.";
|
| return false;
|
| }
|
| @@ -1530,13 +1534,13 @@ bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage(
|
| params.client_cached_cert_hashes, common_cert_sets);
|
|
|
| out->SetStringPiece(kCertificateTag, compressed);
|
| - out->SetStringPiece(kPROF, signature);
|
| + out->SetStringPiece(kPROF, proof.signature);
|
| if (params.sct_supported_by_client && enable_serving_sct_) {
|
| - if (cert_sct.empty()) {
|
| + if (proof.leaf_cert_scts.empty()) {
|
| DLOG(WARNING) << "SCT is expected but it is empty. sni: " << params.sni
|
| << " server_ip: " << server_ip.ToString();
|
| } else {
|
| - out->SetStringPiece(kCertificateSCTTag, cert_sct);
|
| + out->SetStringPiece(kCertificateSCTTag, proof.leaf_cert_scts);
|
| }
|
| }
|
| return true;
|
| @@ -1612,14 +1616,14 @@ QuicCryptoServerConfig::BuildServerConfigUpdateMessageProofSourceCallback::
|
| void QuicCryptoServerConfig::BuildServerConfigUpdateMessageProofSourceCallback::
|
| Run(bool ok,
|
| const scoped_refptr<ProofSource::Chain>& chain,
|
| - const string& signature,
|
| - const string& leaf_cert_sct,
|
| + const QuicCryptoProof& proof,
|
| std::unique_ptr<ProofSource::Details> details) {
|
| config_->FinishBuildServerConfigUpdateMessage(
|
| version_, compressed_certs_cache_, common_cert_sets_,
|
| client_common_set_hashes_, client_cached_cert_hashes_,
|
| - sct_supported_by_client_, ok, chain, signature, leaf_cert_sct,
|
| - std::move(details), std::move(message_), std::move(cb_));
|
| + sct_supported_by_client_, ok, chain, proof.signature,
|
| + proof.leaf_cert_scts, std::move(details), std::move(message_),
|
| + std::move(cb_));
|
| }
|
|
|
| void QuicCryptoServerConfig::FinishBuildServerConfigUpdateMessage(
|
| @@ -1670,7 +1674,7 @@ void QuicCryptoServerConfig::BuildRejection(
|
| QuicRandom* rand,
|
| QuicCompressedCertsCache* compressed_certs_cache,
|
| scoped_refptr<QuicCryptoNegotiatedParameters> params,
|
| - const QuicCryptoProof& crypto_proof,
|
| + const QuicSignedServerConfig& signed_config,
|
| QuicByteCount total_framing_overhead,
|
| QuicByteCount chlo_packet_size,
|
| CryptoHandshakeMessage* out) const {
|
| @@ -1714,7 +1718,7 @@ void QuicCryptoServerConfig::BuildRejection(
|
| }
|
|
|
| const string compressed =
|
| - CompressChain(compressed_certs_cache, crypto_proof.chain,
|
| + CompressChain(compressed_certs_cache, signed_config.chain,
|
| params->client_common_set_hashes,
|
| params->client_cached_cert_hashes, config.common_cert_sets);
|
|
|
| @@ -1737,22 +1741,22 @@ void QuicCryptoServerConfig::BuildRejection(
|
| "overhead calculation may underflow");
|
| bool should_return_sct =
|
| params->sct_supported_by_client && enable_serving_sct_;
|
| - const size_t sct_size = should_return_sct ? crypto_proof.cert_sct.size() : 0;
|
| + const size_t sct_size = should_return_sct ? signed_config.cert_sct.size() : 0;
|
| const size_t total_size =
|
| - crypto_proof.signature.size() + compressed.size() + sct_size;
|
| + signed_config.signature.size() + compressed.size() + sct_size;
|
| if (info.valid_source_address_token || total_size < max_unverified_size) {
|
| out->SetStringPiece(kCertificateTag, compressed);
|
| - out->SetStringPiece(kPROF, crypto_proof.signature);
|
| + out->SetStringPiece(kPROF, signed_config.signature);
|
| if (should_return_sct) {
|
| - if (crypto_proof.cert_sct.empty()) {
|
| + if (signed_config.cert_sct.empty()) {
|
| DLOG(WARNING) << "SCT is expected but it is empty.";
|
| } else {
|
| - out->SetStringPiece(kCertificateSCTTag, crypto_proof.cert_sct);
|
| + out->SetStringPiece(kCertificateSCTTag, signed_config.cert_sct);
|
| }
|
| }
|
| } else {
|
| DLOG(WARNING) << "Sending inchoate REJ for hostname: " << info.sni
|
| - << " signature: " << crypto_proof.signature.size()
|
| + << " signature: " << signed_config.signature.size()
|
| << " cert: " << compressed.size() << " sct:" << sct_size
|
| << " total: " << total_size
|
| << " max: " << max_unverified_size;
|
| @@ -2234,8 +2238,8 @@ HandshakeFailureReason QuicCryptoServerConfig::ValidateServerNonce(
|
|
|
| bool QuicCryptoServerConfig::ValidateExpectedLeafCertificate(
|
| const CryptoHandshakeMessage& client_hello,
|
| - const QuicCryptoProof& crypto_proof) const {
|
| - if (crypto_proof.chain->certs.empty()) {
|
| + const QuicSignedServerConfig& signed_config) const {
|
| + if (signed_config.chain->certs.empty()) {
|
| return false;
|
| }
|
|
|
| @@ -2243,7 +2247,7 @@ bool QuicCryptoServerConfig::ValidateExpectedLeafCertificate(
|
| if (client_hello.GetUint64(kXLCT, &hash_from_client) != QUIC_NO_ERROR) {
|
| return false;
|
| }
|
| - return CryptoUtils::ComputeLeafCertHash(crypto_proof.chain->certs.at(0)) ==
|
| + return CryptoUtils::ComputeLeafCertHash(signed_config.chain->certs.at(0)) ==
|
| hash_from_client;
|
| }
|
|
|
| @@ -2277,7 +2281,7 @@ QuicCryptoServerConfig::Config::Config()
|
| QuicCryptoServerConfig::Config::~Config() {
|
| }
|
|
|
| -QuicCryptoProof::QuicCryptoProof() {}
|
| -QuicCryptoProof::~QuicCryptoProof() {}
|
| +QuicSignedServerConfig::QuicSignedServerConfig() {}
|
| +QuicSignedServerConfig::~QuicSignedServerConfig() {}
|
|
|
| } // namespace net
|
|
|
Chromium Code Reviews
Issue 2511643002:
Refactoring output of ProofSource::GetProof (no functional changes). (Closed)
