| Index: net/quic/crypto/quic_crypto_client_config.cc
|
| diff --git a/net/quic/crypto/quic_crypto_client_config.cc b/net/quic/crypto/quic_crypto_client_config.cc
|
| index 9347493082d6e52d06e467d7dc8e3cfff2dad391..17e6f36939cf099e918f1cec3e5f4ab60d0ade40 100644
|
| --- a/net/quic/crypto/quic_crypto_client_config.cc
|
| +++ b/net/quic/crypto/quic_crypto_client_config.cc
|
| @@ -28,18 +28,19 @@ using std::vector;
|
|
|
| namespace net {
|
|
|
| -QuicCryptoClientConfig::QuicCryptoClientConfig()
|
| - : disable_ecdsa_(false) {}
|
| +QuicCryptoClientConfig::QuicCryptoClientConfig() : disable_ecdsa_(false) {
|
| +}
|
|
|
| QuicCryptoClientConfig::~QuicCryptoClientConfig() {
|
| STLDeleteValues(&cached_states_);
|
| }
|
|
|
| QuicCryptoClientConfig::CachedState::CachedState()
|
| - : server_config_valid_(false),
|
| - generation_counter_(0) {}
|
| + : server_config_valid_(false), generation_counter_(0) {
|
| +}
|
|
|
| -QuicCryptoClientConfig::CachedState::~CachedState() {}
|
| +QuicCryptoClientConfig::CachedState::~CachedState() {
|
| +}
|
|
|
| bool QuicCryptoClientConfig::CachedState::IsComplete(QuicWallTime now) const {
|
| if (server_config_.empty() || !server_config_valid_) {
|
| @@ -80,7 +81,9 @@ QuicCryptoClientConfig::CachedState::GetServerConfig() const {
|
| }
|
|
|
| QuicErrorCode QuicCryptoClientConfig::CachedState::SetServerConfig(
|
| - StringPiece server_config, QuicWallTime now, string* error_details) {
|
| + StringPiece server_config,
|
| + QuicWallTime now,
|
| + string* error_details) {
|
| const bool matches_existing = server_config == server_config_;
|
|
|
| // Even if the new server config matches the existing one, we still wish to
|
| @@ -188,8 +191,7 @@ bool QuicCryptoClientConfig::CachedState::Initialize(
|
| }
|
|
|
| string error_details;
|
| - QuicErrorCode error = SetServerConfig(server_config, now,
|
| - &error_details);
|
| + QuicErrorCode error = SetServerConfig(server_config, now, &error_details);
|
| if (error != QUIC_NO_ERROR) {
|
| DVLOG(1) << "SetServerConfig failed with " << error_details;
|
| return false;
|
| @@ -205,8 +207,8 @@ const string& QuicCryptoClientConfig::CachedState::server_config() const {
|
| return server_config_;
|
| }
|
|
|
| -const string&
|
| -QuicCryptoClientConfig::CachedState::source_address_token() const {
|
| +const string& QuicCryptoClientConfig::CachedState::source_address_token()
|
| + const {
|
| return source_address_token_;
|
| }
|
|
|
| @@ -284,7 +286,8 @@ QuicCryptoClientConfig::CachedState* QuicCryptoClientConfig::LookupOrCreate(
|
|
|
| void QuicCryptoClientConfig::ClearCachedStates() {
|
| for (CachedStateMap::const_iterator it = cached_states_.begin();
|
| - it != cached_states_.end(); ++it) {
|
| + it != cached_states_.end();
|
| + ++it) {
|
| it->second->Clear();
|
| }
|
| }
|
| @@ -330,8 +333,8 @@ void QuicCryptoClientConfig::FillInchoateClientHello(
|
| if (!certs.empty()) {
|
| vector<uint64> hashes;
|
| hashes.reserve(certs.size());
|
| - for (vector<string>::const_iterator i = certs.begin();
|
| - i != certs.end(); ++i) {
|
| + for (vector<string>::const_iterator i = certs.begin(); i != certs.end();
|
| + ++i) {
|
| hashes.push_back(QuicUtils::FNV1a_64_Hash(i->data(), i->size()));
|
| }
|
| out->SetVector(kCCRT, hashes);
|
| @@ -351,8 +354,8 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
|
| string* error_details) const {
|
| DCHECK(error_details != NULL);
|
|
|
| - FillInchoateClientHello(server_id, preferred_version, cached,
|
| - out_params, out);
|
| + FillInchoateClientHello(
|
| + server_id, preferred_version, cached, out_params, out);
|
|
|
| // Set initial receive window for flow control.
|
| out->SetValue(kIFCW, initial_flow_control_window_bytes);
|
| @@ -375,10 +378,10 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
|
| const QuicTag* their_aeads;
|
| const QuicTag* their_key_exchanges;
|
| size_t num_their_aeads, num_their_key_exchanges;
|
| - if (scfg->GetTaglist(kAEAD, &their_aeads,
|
| - &num_their_aeads) != QUIC_NO_ERROR ||
|
| - scfg->GetTaglist(kKEXS, &their_key_exchanges,
|
| - &num_their_key_exchanges) != QUIC_NO_ERROR) {
|
| + if (scfg->GetTaglist(kAEAD, &their_aeads, &num_their_aeads) !=
|
| + QUIC_NO_ERROR ||
|
| + scfg->GetTaglist(kKEXS, &their_key_exchanges, &num_their_key_exchanges) !=
|
| + QUIC_NO_ERROR) {
|
| *error_details = "Missing AEAD or KEXS";
|
| return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
|
| }
|
| @@ -389,13 +392,18 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
|
| // Key exchange: the client does more work than the server, so favor the
|
| // client's preference.
|
| size_t key_exchange_index;
|
| - if (!QuicUtils::FindMutualTag(
|
| - aead, their_aeads, num_their_aeads, QuicUtils::LOCAL_PRIORITY,
|
| - &out_params->aead, NULL) ||
|
| - !QuicUtils::FindMutualTag(
|
| - kexs, their_key_exchanges, num_their_key_exchanges,
|
| - QuicUtils::LOCAL_PRIORITY, &out_params->key_exchange,
|
| - &key_exchange_index)) {
|
| + if (!QuicUtils::FindMutualTag(aead,
|
| + their_aeads,
|
| + num_their_aeads,
|
| + QuicUtils::LOCAL_PRIORITY,
|
| + &out_params->aead,
|
| + NULL) ||
|
| + !QuicUtils::FindMutualTag(kexs,
|
| + their_key_exchanges,
|
| + num_their_key_exchanges,
|
| + QuicUtils::LOCAL_PRIORITY,
|
| + &out_params->key_exchange,
|
| + &key_exchange_index)) {
|
| *error_details = "Unsupported AEAD or KEXS";
|
| return QUIC_CRYPTO_NO_SUPPORT;
|
| }
|
| @@ -404,7 +412,7 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
|
|
|
| StringPiece public_value;
|
| if (scfg->GetNthValue24(kPUBS, key_exchange_index, &public_value) !=
|
| - QUIC_NO_ERROR) {
|
| + QUIC_NO_ERROR) {
|
| *error_details = "Missing public value";
|
| return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
|
| }
|
| @@ -427,8 +435,8 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
|
| Curve25519KeyExchange::NewPrivateKey(rand)));
|
| break;
|
| case kP256:
|
| - out_params->client_key_exchange.reset(P256KeyExchange::New(
|
| - P256KeyExchange::NewPrivateKey()));
|
| + out_params->client_key_exchange.reset(
|
| + P256KeyExchange::New(P256KeyExchange::NewPrivateKey()));
|
| break;
|
| default:
|
| DCHECK(false);
|
| @@ -447,7 +455,8 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
|
| if (channel_id_signer_.get()) {
|
| const QuicTag* their_proof_demands;
|
| size_t num_their_proof_demands;
|
| - if (scfg->GetTaglist(kPDMD, &their_proof_demands,
|
| + if (scfg->GetTaglist(kPDMD,
|
| + &their_proof_demands,
|
| &num_their_proof_demands) == QUIC_NO_ERROR) {
|
| for (size_t i = 0; i < num_their_proof_demands; i++) {
|
| if (their_proof_demands[i] == kCHID) {
|
| @@ -479,8 +488,8 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
|
| hkdf_input.append(cached->server_config());
|
|
|
| string key, signature;
|
| - if (!channel_id_signer_->Sign(server_id.host(), hkdf_input,
|
| - &key, &signature)) {
|
| + if (!channel_id_signer_->Sign(
|
| + server_id.host(), hkdf_input, &key, &signature)) {
|
| *error_details = "Channel ID signature failed";
|
| return QUIC_INVALID_CHANNEL_ID_SIGNATURE;
|
| }
|
| @@ -490,18 +499,21 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
|
|
|
| CrypterPair crypters;
|
| if (!CryptoUtils::DeriveKeys(out_params->initial_premaster_secret,
|
| - out_params->aead, out_params->client_nonce,
|
| - out_params->server_nonce, hkdf_input,
|
| - CryptoUtils::CLIENT, &crypters)) {
|
| + out_params->aead,
|
| + out_params->client_nonce,
|
| + out_params->server_nonce,
|
| + hkdf_input,
|
| + CryptoUtils::CLIENT,
|
| + &crypters)) {
|
| *error_details = "Symmetric key setup failed";
|
| return QUIC_CRYPTO_SYMMETRIC_KEY_SETUP_FAILED;
|
| }
|
|
|
| const QuicData& cetv_plaintext = cetv.GetSerialized();
|
| - scoped_ptr<QuicData> cetv_ciphertext(crypters.encrypter->EncryptPacket(
|
| - 0 /* sequence number */,
|
| - StringPiece() /* associated data */,
|
| - cetv_plaintext.AsStringPiece()));
|
| + scoped_ptr<QuicData> cetv_ciphertext(
|
| + crypters.encrypter->EncryptPacket(0 /* sequence number */,
|
| + StringPiece() /* associated data */,
|
| + cetv_plaintext.AsStringPiece()));
|
| if (!cetv_ciphertext.get()) {
|
| *error_details = "Packet encryption failed";
|
| return QUIC_ENCRYPTION_FAILURE;
|
| @@ -527,10 +539,13 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
|
| hkdf_input.append(QuicCryptoConfig::kInitialLabel, label_len);
|
| hkdf_input.append(out_params->hkdf_input_suffix);
|
|
|
| - if (!CryptoUtils::DeriveKeys(
|
| - out_params->initial_premaster_secret, out_params->aead,
|
| - out_params->client_nonce, out_params->server_nonce, hkdf_input,
|
| - CryptoUtils::CLIENT, &out_params->initial_crypters)) {
|
| + if (!CryptoUtils::DeriveKeys(out_params->initial_premaster_secret,
|
| + out_params->aead,
|
| + out_params->client_nonce,
|
| + out_params->server_nonce,
|
| + hkdf_input,
|
| + CryptoUtils::CLIENT,
|
| + &out_params->initial_crypters)) {
|
| *error_details = "Symmetric key setup failed";
|
| return QUIC_CRYPTO_SYMMETRIC_KEY_SETUP_FAILED;
|
| }
|
| @@ -577,8 +592,8 @@ QuicErrorCode QuicCryptoClientConfig::ProcessRejection(
|
| bool has_cert = rej.GetStringPiece(kCertificateTag, &cert_bytes);
|
| if (has_proof && has_cert) {
|
| vector<string> certs;
|
| - if (!CertCompressor::DecompressChain(cert_bytes, out_params->cached_certs,
|
| - common_cert_sets, &certs)) {
|
| + if (!CertCompressor::DecompressChain(
|
| + cert_bytes, out_params->cached_certs, common_cert_sets, &certs)) {
|
| *error_details = "Certificate data invalid";
|
| return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
|
| }
|
| @@ -617,7 +632,8 @@ QuicErrorCode QuicCryptoClientConfig::ProcessServerHello(
|
| const QuicTag* supported_version_tags;
|
| size_t num_supported_versions;
|
|
|
| - if (server_hello.GetTaglist(kVER, &supported_version_tags,
|
| + if (server_hello.GetTaglist(kVER,
|
| + &supported_version_tags,
|
| &num_supported_versions) != QUIC_NO_ERROR) {
|
| *error_details = "server hello missing version list";
|
| return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
|
| @@ -626,11 +642,11 @@ QuicErrorCode QuicCryptoClientConfig::ProcessServerHello(
|
| bool mismatch = num_supported_versions != negotiated_versions.size();
|
| for (size_t i = 0; i < num_supported_versions && !mismatch; ++i) {
|
| mismatch = QuicTagToQuicVersion(supported_version_tags[i]) !=
|
| - negotiated_versions[i];
|
| + negotiated_versions[i];
|
| }
|
| // The server sent a list of supported versions, and the connection
|
| // reports that there was a version negotiation during the handshake.
|
| - // Ensure that these two lists are identical.
|
| + // Ensure that these two lists are identical.
|
| if (mismatch) {
|
| *error_details = "Downgrade attack detected";
|
| return QUIC_VERSION_NEGOTIATION_MISMATCH;
|
| @@ -664,10 +680,13 @@ QuicErrorCode QuicCryptoClientConfig::ProcessServerHello(
|
| hkdf_input.append(QuicCryptoConfig::kForwardSecureLabel, label_len);
|
| hkdf_input.append(out_params->hkdf_input_suffix);
|
|
|
| - if (!CryptoUtils::DeriveKeys(
|
| - out_params->forward_secure_premaster_secret, out_params->aead,
|
| - out_params->client_nonce, out_params->server_nonce, hkdf_input,
|
| - CryptoUtils::CLIENT, &out_params->forward_secure_crypters)) {
|
| + if (!CryptoUtils::DeriveKeys(out_params->forward_secure_premaster_secret,
|
| + out_params->aead,
|
| + out_params->client_nonce,
|
| + out_params->server_nonce,
|
| + hkdf_input,
|
| + CryptoUtils::CLIENT,
|
| + &out_params->forward_secure_crypters)) {
|
| *error_details = "Symmetric key setup failed";
|
| return QUIC_CRYPTO_SYMMETRIC_KEY_SETUP_FAILED;
|
| }
|
| @@ -737,7 +756,8 @@ void QuicCryptoClientConfig::PopulateFromCanonicalConfig(
|
| if (i == canoncial_suffixes_.size())
|
| return;
|
|
|
| - QuicServerId suffix_server_id(canoncial_suffixes_[i], server_id.port(),
|
| + QuicServerId suffix_server_id(canoncial_suffixes_[i],
|
| + server_id.port(),
|
| server_id.is_https(),
|
| server_id.privacy_mode());
|
| if (!ContainsKey(canonical_server_map_, suffix_server_id)) {
|
|
|
Chromium Code Reviews
