| Index: net/quic/core/crypto/quic_crypto_server_config.cc
|
| diff --git a/net/quic/core/crypto/quic_crypto_server_config.cc b/net/quic/core/crypto/quic_crypto_server_config.cc
|
| index e2272475fbb0b83345e607536af1f69d1bac5ed4..a3093a5019b322b2900fe9a3cfbb8d66c5004738 100644
|
| --- a/net/quic/core/crypto/quic_crypto_server_config.cc
|
| +++ b/net/quic/core/crypto/quic_crypto_server_config.cc
|
| @@ -998,15 +998,10 @@ void QuicCryptoServerConfig::ProcessClientHelloAfterGetProof(
|
| hkdf_input.append(QuicCryptoConfig::kInitialLabel, label_len);
|
| hkdf_input.append(hkdf_suffix);
|
|
|
| + rand->RandBytes(out_diversification_nonce->data(),
|
| + out_diversification_nonce->size());
|
| CryptoUtils::Diversification diversification =
|
| - CryptoUtils::Diversification::Never();
|
| - if (version > QUIC_VERSION_32) {
|
| - rand->RandBytes(out_diversification_nonce->data(),
|
| - out_diversification_nonce->size());
|
| - diversification =
|
| - CryptoUtils::Diversification::Now(out_diversification_nonce.get());
|
| - }
|
| -
|
| + CryptoUtils::Diversification::Now(out_diversification_nonce.get());
|
| if (!CryptoUtils::DeriveKeys(params->initial_premaster_secret, params->aead,
|
| info.client_nonce, info.server_nonce, hkdf_input,
|
| Perspective::IS_SERVER, diversification,
|
| @@ -1390,12 +1385,10 @@ void QuicCryptoServerConfig::EvaluateClientHelloAfterGetProof(
|
| ClientHelloInfo* info = &(client_hello_state->info);
|
|
|
| if (get_proof_failed) {
|
| - found_error = true;
|
| info->reject_reasons.push_back(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE);
|
| }
|
|
|
| if (!ValidateExpectedLeafCertificate(client_hello, *signed_config)) {
|
| - found_error = true;
|
| info->reject_reasons.push_back(INVALID_EXPECTED_LEAF_CERTIFICATE);
|
| }
|
|
|
| @@ -1404,87 +1397,18 @@ void QuicCryptoServerConfig::EvaluateClientHelloAfterGetProof(
|
| // Invalid client nonce.
|
| LOG(ERROR) << "Invalid client nonce: " << client_hello.DebugString();
|
| DVLOG(1) << "Invalid client nonce.";
|
| - found_error = true;
|
| }
|
|
|
| // Server nonce is optional, and used for key derivation if present.
|
| client_hello.GetStringPiece(kServerNonceTag, &info->server_nonce);
|
|
|
| - if (version > QUIC_VERSION_32) {
|
| - DVLOG(1) << "No 0-RTT replay protection in QUIC_VERSION_33 and higher.";
|
| - // If the server nonce is empty and we're requiring handshake confirmation
|
| - // for DoS reasons then we must reject the CHLO.
|
| - if (FLAGS_quic_require_handshake_confirmation &&
|
| - info->server_nonce.empty()) {
|
| - info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE);
|
| - }
|
| - helper.ValidationComplete(QUIC_NO_ERROR, "",
|
| - std::move(proof_source_details));
|
| - return;
|
| - }
|
| -
|
| - if (!replay_protection_) {
|
| - DVLOG(1) << "No replay protection.";
|
| - helper.ValidationComplete(QUIC_NO_ERROR, "",
|
| - std::move(proof_source_details));
|
| - return;
|
| - }
|
| -
|
| - if (!info->server_nonce.empty()) {
|
| - // If the server nonce is present, use it to establish uniqueness.
|
| - HandshakeFailureReason server_nonce_error =
|
| - ValidateServerNonce(info->server_nonce, info->now);
|
| - bool is_unique = server_nonce_error == HANDSHAKE_OK;
|
| - if (!is_unique) {
|
| - info->reject_reasons.push_back(server_nonce_error);
|
| - }
|
| - DVLOG(1) << "Using server nonce, unique: " << is_unique;
|
| - helper.ValidationComplete(QUIC_NO_ERROR, "",
|
| - std::move(proof_source_details));
|
| - return;
|
| - }
|
| - // If we hit this block, the server nonce was empty. If we're requiring
|
| - // handshake confirmation for DoS reasons and there's no server nonce present,
|
| - // reject the CHLO.
|
| - if (FLAGS_quic_require_handshake_confirmation ||
|
| - FLAGS_quic_require_handshake_confirmation_pre33) {
|
| + DVLOG(1) << "No 0-RTT replay protection in QUIC_VERSION_33 and higher.";
|
| + // If the server nonce is empty and we're requiring handshake confirmation
|
| + // for DoS reasons then we must reject the CHLO.
|
| + if (FLAGS_quic_require_handshake_confirmation && info->server_nonce.empty()) {
|
| info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE);
|
| - helper.ValidationComplete(QUIC_NO_ERROR, "",
|
| - std::move(proof_source_details));
|
| - return;
|
| - }
|
| -
|
| - // We want to contact strike register only if there are no errors because it
|
| - // is a RPC call and is expensive.
|
| - if (found_error) {
|
| - helper.ValidationComplete(QUIC_NO_ERROR, "",
|
| - std::move(proof_source_details));
|
| - return;
|
| - }
|
| -
|
| - // Use the client nonce to establish uniqueness.
|
| - StrikeRegisterClient* strike_register_client;
|
| - {
|
| - base::AutoLock locked(strike_register_client_lock_);
|
| - strike_register_client = strike_register_client_.get();
|
| }
|
| -
|
| - if (!strike_register_client) {
|
| - // Either a valid server nonces or a strike register is required.
|
| - // Since neither are present, reject the handshake which will send a
|
| - // server nonce to the client.
|
| - info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE);
|
| - helper.ValidationComplete(QUIC_NO_ERROR, "",
|
| - std::move(proof_source_details));
|
| - return;
|
| - }
|
| -
|
| - strike_register_client->VerifyNonceIsValidAndUnique(
|
| - info->client_nonce, info->now,
|
| - new VerifyNonceIsValidAndUniqueCallback(client_hello_state,
|
| - std::move(proof_source_details),
|
| - std::move(done_cb)));
|
| - helper.DetachCallback();
|
| + helper.ValidationComplete(QUIC_NO_ERROR, "", std::move(proof_source_details));
|
| }
|
|
|
| bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage(
|
|
|
Chromium Code Reviews
Issue 2515613002:
deprecate FLAGS_quic_disable_pre_34 (Closed)
