QUIC Crypto - return the reasons for reject message. Reject reason

net/quic/crypto/quic_crypto_server_config.h

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_
 #define NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_
 
 #include <map>
 #include <string>
 #include <vector>
@@ skipping 22 matching lines @@
 class QuicServerConfigProtobuf;
 class StrikeRegister;
 class StrikeRegisterClient;
 
 struct ClientHelloInfo;
 
 namespace test {
 class QuicCryptoServerConfigPeer;
 }  // namespace test
 
+enum HandshakeFailureReason {
+  // Failure reasons from strike register.
+  // TODO(rtenneti): Implement capturing of error from strike register.

[wtc, 2014/06/19 00:13:25]

I think line 44 should be deleted (seems very similar to line 48), and line 45
should be moved right after line 48.

[ramant (doing other things), 2014/06/19 01:57:35]

Done.

+  HANDSHAKE_OK = 0,
+
+  // Failure reasons for an invalid client nonce.
+  CLIENT_NONCE_UNKNOWN_FAILURE = 100,
+  CLIENT_NONCE_INVALID_FAILURE,

[wtc, 2014/06/19 00:13:25]

It seems that we should have a CLIENT_NONCE_NOT_UNIQUE_FAILURE

[ramant (doing other things), 2014/06/19 01:57:35]

Will add it in the next CL when we verify client_nonce via strike register
(after making changes in the internal source
tree).

+
+  // Failure reasons for an invalid server nonce.
+  SERVER_NONCE_INVALID_FAILURE = 200,
+  SERVER_NONCE_DECRYPTION_FAILURE,
+  SERVER_NONCE_NOT_UNIQUE_FAILURE,
+
+  // Failure reasons for an invalid server config.
+  SERVER_CONFIG_INCHOATE_HELLO_FAILURE = 300,
+  SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE,
+
+  // Failure reasons for an invalid source adddress token.
+  SOURCE_ADDRESS_TOKEN_INVALID_FAILURE = 400,
+  SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE,
+  SOURCE_ADDRESS_TOKEN_PARSE_FAILURE,
+  SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE,
+  SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE,
+  SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE,

[wtc, 2014/06/19 00:13:25]

Nit: these enum values should be documented with one-sentence comments.

[ramant (doing other things), 2014/06/19 01:57:35]

Will do in the next CL (will add the comments in the internal source tree).

+};
+
 // Hook that allows application code to subscribe to primary config changes.
 class PrimaryConfigChangedCallback {
  public:
   PrimaryConfigChangedCallback();
   virtual ~PrimaryConfigChangedCallback();
   virtual void Run(const std::string& scid) = 0;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(PrimaryConfigChangedCallback);
 };
@@ skipping 325 matching lines @@
   // Config. On error, ParseConfigProtobuf returns NULL.
   scoped_refptr<Config> ParseConfigProtobuf(QuicServerConfigProtobuf* protobuf);
 
   // NewSourceAddressToken returns a fresh source address token for the given
   // IP address.
   std::string NewSourceAddressToken(const Config& config,
                                     const IPEndPoint& ip,
                                     QuicRandom* rand,
                                     QuicWallTime now) const;
 
-  // ValidateSourceAddressToken returns true if the source address token in
-  // |token| is a valid and timely token for the IP address |ip| given that the
-  // current time is |now|.
-  bool ValidateSourceAddressToken(const Config& config,
-                                  base::StringPiece token,
-                                  const IPEndPoint& ip,
-                                  QuicWallTime now) const;
+  // ValidateSourceAddressToken returns HANDSHAKE_OK if the source address token
+  // in |token| is a valid and timely token for the IP address |ip| given that
+  // the current time is |now|. Otherwise it returns the reason for failure.
+  HandshakeFailureReason ValidateSourceAddressToken(const Config& config,
+                                                    base::StringPiece token,
+                                                    const IPEndPoint& ip,
+                                                    QuicWallTime now) const;
 
   // NewServerNonce generates and encrypts a random nonce.
   std::string NewServerNonce(QuicRandom* rand, QuicWallTime now) const;
 
   // ValidateServerNonce decrypts |token| and verifies that it hasn't been
   // previously used and is recent enough that it is plausible that it was part
   // of a very recently provided rejection ("recent" will be on the order of
-  // 10-30 seconds). If so, it records that it has been used and returns true.
-  // Otherwise it returns false.
-  bool ValidateServerNonce(base::StringPiece echoed_server_nonce,
-                           QuicWallTime now) const;
+  // 10-30 seconds). If so, it records that it has been used and returns
+  // HANDSHAKE_OK. Otherwise it returns the reason for failure.
+  HandshakeFailureReason ValidateServerNonce(
+      base::StringPiece echoed_server_nonce,
+      QuicWallTime now) const;
 
   // replay_protection_ controls whether the server enforces that handshakes
   // aren't replays.
   bool replay_protection_;
 
   // configs_ satisfies the following invariants:
   //   1) configs_.empty() <-> primary_config_ == NULL
   //   2) primary_config_ != NULL -> primary_config_->is_primary
   //   3) ∀ c∈configs_, c->is_primary <-> c == primary_config_
   mutable base::Lock configs_lock_;
@@ skipping 52 matching lines @@
   uint32 source_address_token_lifetime_secs_;
   uint32 server_nonce_strike_register_max_entries_;
   uint32 server_nonce_strike_register_window_secs_;
 
   DISALLOW_COPY_AND_ASSIGN(QuicCryptoServerConfig);
 };
 
 }  // namespace net
 
 #endif  // NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_