| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/core/crypto/quic_crypto_server_config.h" | 5 #include "net/quic/core/crypto/quic_crypto_server_config.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 #include <memory> | 10 #include <memory> |
| (...skipping 680 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 691 CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash); | 691 CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash); |
| 692 | 692 |
| 693 // No need to get a new proof if one was already generated. | 693 // No need to get a new proof if one was already generated. |
| 694 if (!signed_config->chain) { | 694 if (!signed_config->chain) { |
| 695 const QuicTag* tag_ptr; | 695 const QuicTag* tag_ptr; |
| 696 size_t num_tags; | 696 size_t num_tags; |
| 697 QuicTagVector connection_options; | 697 QuicTagVector connection_options; |
| 698 if (client_hello.GetTaglist(kCOPT, &tag_ptr, &num_tags) == QUIC_NO_ERROR) { | 698 if (client_hello.GetTaglist(kCOPT, &tag_ptr, &num_tags) == QUIC_NO_ERROR) { |
| 699 connection_options.assign(tag_ptr, tag_ptr + num_tags); | 699 connection_options.assign(tag_ptr, tag_ptr + num_tags); |
| 700 } | 700 } |
| 701 if (FLAGS_quic_reloadable_flag_enable_async_get_proof) { | 701 std::unique_ptr<ProcessClientHelloCallback> cb( |
| 702 std::unique_ptr<ProcessClientHelloCallback> cb( | 702 new ProcessClientHelloCallback( |
| 703 new ProcessClientHelloCallback( | 703 this, validate_chlo_result, reject_only, connection_id, |
| 704 this, validate_chlo_result, reject_only, connection_id, | 704 client_address, version, supported_versions, use_stateless_rejects, |
| 705 client_address, version, supported_versions, | 705 server_designated_connection_id, clock, rand, |
| 706 use_stateless_rejects, server_designated_connection_id, clock, | 706 compressed_certs_cache, params, signed_config, |
| 707 rand, compressed_certs_cache, params, signed_config, | 707 total_framing_overhead, chlo_packet_size, requested_config, |
| 708 total_framing_overhead, chlo_packet_size, requested_config, | 708 primary_config, std::move(done_cb))); |
| 709 primary_config, std::move(done_cb))); | 709 proof_source_->GetProof(server_address, info.sni.as_string(), |
| 710 proof_source_->GetProof(server_address, info.sni.as_string(), | 710 primary_config->serialized, version, chlo_hash, |
| 711 primary_config->serialized, version, chlo_hash, | 711 connection_options, std::move(cb)); |
| 712 connection_options, std::move(cb)); | 712 helper.DetachCallback(); |
| 713 helper.DetachCallback(); | 713 return; |
| 714 return; | |
| 715 } | |
| 716 | |
| 717 QuicCryptoProof proof; | |
| 718 if (!proof_source_->GetProof(server_address, info.sni.as_string(), | |
| 719 primary_config->serialized, version, chlo_hash, | |
| 720 connection_options, &signed_config->chain, | |
| 721 &proof)) { | |
| 722 helper.Fail(QUIC_HANDSHAKE_FAILED, "Missing or invalid crypto proof."); | |
| 723 return; | |
| 724 } | |
| 725 signed_config->proof = proof; | |
| 726 } | 714 } |
| 727 | 715 |
| 728 helper.DetachCallback(); | 716 helper.DetachCallback(); |
| 729 ProcessClientHelloAfterGetProof( | 717 ProcessClientHelloAfterGetProof( |
| 730 /* found_error = */ false, /* proof_source_details = */ nullptr, | 718 /* found_error = */ false, /* proof_source_details = */ nullptr, |
| 731 *validate_chlo_result, reject_only, connection_id, client_address, | 719 *validate_chlo_result, reject_only, connection_id, client_address, |
| 732 version, supported_versions, use_stateless_rejects, | 720 version, supported_versions, use_stateless_rejects, |
| 733 server_designated_connection_id, clock, rand, compressed_certs_cache, | 721 server_designated_connection_id, clock, rand, compressed_certs_cache, |
| 734 params, signed_config, total_framing_overhead, chlo_packet_size, | 722 params, signed_config, total_framing_overhead, chlo_packet_size, |
| 735 requested_config, primary_config, std::move(done_cb)); | 723 requested_config, primary_config, std::move(done_cb)); |
| (...skipping 532 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1268 string chlo_hash; | 1256 string chlo_hash; |
| 1269 CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash); | 1257 CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash); |
| 1270 bool need_proof = true; | 1258 bool need_proof = true; |
| 1271 need_proof = !signed_config->chain; | 1259 need_proof = !signed_config->chain; |
| 1272 const QuicTag* tag_ptr; | 1260 const QuicTag* tag_ptr; |
| 1273 size_t num_tags; | 1261 size_t num_tags; |
| 1274 QuicTagVector connection_options; | 1262 QuicTagVector connection_options; |
| 1275 if (client_hello.GetTaglist(kCOPT, &tag_ptr, &num_tags) == QUIC_NO_ERROR) { | 1263 if (client_hello.GetTaglist(kCOPT, &tag_ptr, &num_tags) == QUIC_NO_ERROR) { |
| 1276 connection_options.assign(tag_ptr, tag_ptr + num_tags); | 1264 connection_options.assign(tag_ptr, tag_ptr + num_tags); |
| 1277 } | 1265 } |
| 1278 if (FLAGS_quic_reloadable_flag_enable_async_get_proof) { | |
| 1279 if (need_proof) { | |
| 1280 // Make an async call to GetProof and setup the callback to trampoline | |
| 1281 // back into EvaluateClientHelloAfterGetProof | |
| 1282 std::unique_ptr<EvaluateClientHelloCallback> cb( | |
| 1283 new EvaluateClientHelloCallback( | |
| 1284 *this, found_error, server_address.host(), version, | |
| 1285 requested_config, primary_config, signed_config, | |
| 1286 client_hello_state, std::move(done_cb))); | |
| 1287 proof_source_->GetProof(server_address, info->sni.as_string(), | |
| 1288 serialized_config, version, chlo_hash, | |
| 1289 connection_options, std::move(cb)); | |
| 1290 helper.DetachCallback(); | |
| 1291 return; | |
| 1292 } | |
| 1293 } | |
| 1294 | 1266 |
| 1295 // No need to get a new proof if one was already generated. | |
| 1296 if (need_proof) { | 1267 if (need_proof) { |
| 1297 QuicCryptoProof proof; | 1268 // Make an async call to GetProof and setup the callback to trampoline |
| 1298 | 1269 // back into EvaluateClientHelloAfterGetProof |
| 1299 if (proof_source_->GetProof( | 1270 std::unique_ptr<EvaluateClientHelloCallback> cb( |
| 1300 server_address, info->sni.as_string(), serialized_config, version, | 1271 new EvaluateClientHelloCallback( |
| 1301 chlo_hash, connection_options, &signed_config->chain, &proof)) { | 1272 *this, found_error, server_address.host(), version, |
| 1302 signed_config->proof = proof; | 1273 requested_config, primary_config, signed_config, client_hello_state, |
| 1303 } else { | 1274 std::move(done_cb))); |
| 1304 get_proof_failed = true; | 1275 proof_source_->GetProof(server_address, info->sni.as_string(), |
| 1305 } | 1276 serialized_config, version, chlo_hash, |
| 1277 connection_options, std::move(cb)); |
| 1278 helper.DetachCallback(); |
| 1279 return; |
| 1306 } | 1280 } |
| 1307 | 1281 |
| 1308 // Details are null because the synchronous version of GetProof does not | 1282 // Details are null because the synchronous version of GetProof does not |
| 1309 // return any stats. Eventually the synchronous codepath will be eliminated. | 1283 // return any stats. Eventually the synchronous codepath will be eliminated. |
| 1310 EvaluateClientHelloAfterGetProof( | 1284 EvaluateClientHelloAfterGetProof( |
| 1311 found_error, server_address.host(), version, requested_config, | 1285 found_error, server_address.host(), version, requested_config, |
| 1312 primary_config, signed_config, nullptr /* proof_source_details */, | 1286 primary_config, signed_config, nullptr /* proof_source_details */, |
| 1313 get_proof_failed, client_hello_state, std::move(done_cb)); | 1287 get_proof_failed, client_hello_state, std::move(done_cb)); |
| 1314 helper.DetachCallback(); | 1288 helper.DetachCallback(); |
| 1315 } | 1289 } |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1354 QUIC_DVLOG(1) << "No 0-RTT replay protection in QUIC_VERSION_33 and higher."; | 1328 QUIC_DVLOG(1) << "No 0-RTT replay protection in QUIC_VERSION_33 and higher."; |
| 1355 // If the server nonce is empty and we're requiring handshake confirmation | 1329 // If the server nonce is empty and we're requiring handshake confirmation |
| 1356 // for DoS reasons then we must reject the CHLO. | 1330 // for DoS reasons then we must reject the CHLO. |
| 1357 if (FLAGS_quic_reloadable_flag_quic_require_handshake_confirmation && | 1331 if (FLAGS_quic_reloadable_flag_quic_require_handshake_confirmation && |
| 1358 info->server_nonce.empty()) { | 1332 info->server_nonce.empty()) { |
| 1359 info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE); | 1333 info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE); |
| 1360 } | 1334 } |
| 1361 helper.ValidationComplete(QUIC_NO_ERROR, "", std::move(proof_source_details)); | 1335 helper.ValidationComplete(QUIC_NO_ERROR, "", std::move(proof_source_details)); |
| 1362 } | 1336 } |
| 1363 | 1337 |
| 1364 bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage( | |
| 1365 QuicVersion version, | |
| 1366 StringPiece chlo_hash, | |
| 1367 const SourceAddressTokens& previous_source_address_tokens, | |
| 1368 const QuicSocketAddress& server_address, | |
| 1369 const QuicIpAddress& client_ip, | |
| 1370 const QuicClock* clock, | |
| 1371 QuicRandom* rand, | |
| 1372 QuicCompressedCertsCache* compressed_certs_cache, | |
| 1373 const QuicCryptoNegotiatedParameters& params, | |
| 1374 const CachedNetworkParameters* cached_network_params, | |
| 1375 const QuicTagVector& connection_options, | |
| 1376 CryptoHandshakeMessage* out) const { | |
| 1377 string serialized; | |
| 1378 string source_address_token; | |
| 1379 QuicWallTime expiry_time = QuicWallTime::Zero(); | |
| 1380 const CommonCertSets* common_cert_sets; | |
| 1381 { | |
| 1382 QuicReaderMutexLock locked(&configs_lock_); | |
| 1383 serialized = primary_config_->serialized; | |
| 1384 common_cert_sets = primary_config_->common_cert_sets; | |
| 1385 expiry_time = primary_config_->expiry_time; | |
| 1386 source_address_token = NewSourceAddressToken( | |
| 1387 *primary_config_, previous_source_address_tokens, client_ip, rand, | |
| 1388 clock->WallNow(), cached_network_params); | |
| 1389 } | |
| 1390 | |
| 1391 out->set_tag(kSCUP); | |
| 1392 out->SetStringPiece(kSCFG, serialized); | |
| 1393 out->SetStringPiece(kSourceAddressTokenTag, source_address_token); | |
| 1394 out->SetValue(kSTTL, | |
| 1395 expiry_time.AbsoluteDifference(clock->WallNow()).ToSeconds()); | |
| 1396 | |
| 1397 QuicReferenceCountedPointer<ProofSource::Chain> chain; | |
| 1398 QuicCryptoProof proof; | |
| 1399 if (!proof_source_->GetProof(server_address, params.sni, serialized, version, | |
| 1400 chlo_hash, connection_options, &chain, &proof)) { | |
| 1401 QUIC_DVLOG(1) << "Server: failed to get proof."; | |
| 1402 return false; | |
| 1403 } | |
| 1404 | |
| 1405 const string compressed = CompressChain( | |
| 1406 compressed_certs_cache, chain, params.client_common_set_hashes, | |
| 1407 params.client_cached_cert_hashes, common_cert_sets); | |
| 1408 | |
| 1409 out->SetStringPiece(kCertificateTag, compressed); | |
| 1410 out->SetStringPiece(kPROF, proof.signature); | |
| 1411 if (params.sct_supported_by_client && enable_serving_sct_) { | |
| 1412 if (proof.leaf_cert_scts.empty()) { | |
| 1413 QUIC_LOG_EVERY_N_SEC(WARNING, 60) | |
| 1414 << "SCT is expected but it is empty. sni: " << params.sni | |
| 1415 << " server_address: " << server_address.ToString(); | |
| 1416 } else { | |
| 1417 out->SetStringPiece(kCertificateSCTTag, proof.leaf_cert_scts); | |
| 1418 } | |
| 1419 } | |
| 1420 return true; | |
| 1421 } | |
| 1422 | |
| 1423 void QuicCryptoServerConfig::BuildServerConfigUpdateMessage( | 1338 void QuicCryptoServerConfig::BuildServerConfigUpdateMessage( |
| 1424 QuicVersion version, | 1339 QuicVersion version, |
| 1425 StringPiece chlo_hash, | 1340 StringPiece chlo_hash, |
| 1426 const SourceAddressTokens& previous_source_address_tokens, | 1341 const SourceAddressTokens& previous_source_address_tokens, |
| 1427 const QuicSocketAddress& server_address, | 1342 const QuicSocketAddress& server_address, |
| 1428 const QuicIpAddress& client_ip, | 1343 const QuicIpAddress& client_ip, |
| 1429 const QuicClock* clock, | 1344 const QuicClock* clock, |
| 1430 QuicRandom* rand, | 1345 QuicRandom* rand, |
| 1431 QuicCompressedCertsCache* compressed_certs_cache, | 1346 QuicCompressedCertsCache* compressed_certs_cache, |
| 1432 const QuicCryptoNegotiatedParameters& params, | 1347 const QuicCryptoNegotiatedParameters& params, |
| (...skipping 603 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2036 expiry_time(QuicWallTime::Zero()), | 1951 expiry_time(QuicWallTime::Zero()), |
| 2037 priority(0), | 1952 priority(0), |
| 2038 source_address_token_boxer(nullptr) {} | 1953 source_address_token_boxer(nullptr) {} |
| 2039 | 1954 |
| 2040 QuicCryptoServerConfig::Config::~Config() {} | 1955 QuicCryptoServerConfig::Config::~Config() {} |
| 2041 | 1956 |
| 2042 QuicSignedServerConfig::QuicSignedServerConfig() {} | 1957 QuicSignedServerConfig::QuicSignedServerConfig() {} |
| 2043 QuicSignedServerConfig::~QuicSignedServerConfig() {} | 1958 QuicSignedServerConfig::~QuicSignedServerConfig() {} |
| 2044 | 1959 |
| 2045 } // namespace net | 1960 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2679783003:
Deprecate FLAGS_quic_reloadable_flag_enable_async_get_proof (Closed)
