| OLD | NEW |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_ | 5 #ifndef NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_ |
| 6 #define NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_ | 6 #define NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_ |
| 7 | 7 |
| 8 #include <map> | 8 #include <map> |
| 9 #include <string> | 9 #include <string> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 22 matching lines...) |
| 33 class QuicServerConfigProtobuf; | 33 class QuicServerConfigProtobuf; |
| 34 class StrikeRegister; | 34 class StrikeRegister; |
| 35 class StrikeRegisterClient; | 35 class StrikeRegisterClient; |
| 36 | 36 |
| 37 struct ClientHelloInfo; | 37 struct ClientHelloInfo; |
| 38 | 38 |
| 39 namespace test { | 39 namespace test { |
| 40 class QuicCryptoServerConfigPeer; | 40 class QuicCryptoServerConfigPeer; |
| 41 } // namespace test | 41 } // namespace test |
| 42 | 42 |
| 43 enum HandshakeFailureReason { |
| 44 HANDSHAKE_OK = 0, |
| 45 |
| 46 // Failure reasons for an invalid client nonce. |
| 47 // TODO(rtenneti): Implement capturing of error from strike register. |
| 48 CLIENT_NONCE_UNKNOWN_FAILURE = 100, |
| 49 CLIENT_NONCE_INVALID_FAILURE, |
| 50 |
| 51 // Failure reasons for an invalid server nonce. |
| 52 SERVER_NONCE_INVALID_FAILURE = 200, |
| 53 SERVER_NONCE_DECRYPTION_FAILURE, |
| 54 SERVER_NONCE_NOT_UNIQUE_FAILURE, |
| 55 |
| 56 // Failure reasons for an invalid server config. |
| 57 SERVER_CONFIG_INCHOATE_HELLO_FAILURE = 300, |
| 58 SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE, |
| 59 |
| 60 // Failure reasons for an invalid source adddress token. |
| 61 SOURCE_ADDRESS_TOKEN_INVALID_FAILURE = 400, |
| 62 SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE, |
| 63 SOURCE_ADDRESS_TOKEN_PARSE_FAILURE, |
| 64 SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE, |
| 65 SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE, |
| 66 SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE, |
| 67 }; |
| 68 |
| 43 // Hook that allows application code to subscribe to primary config changes. | 69 // Hook that allows application code to subscribe to primary config changes. |
| 44 class PrimaryConfigChangedCallback { | 70 class PrimaryConfigChangedCallback { |
| 45 public: | 71 public: |
| 46 PrimaryConfigChangedCallback(); | 72 PrimaryConfigChangedCallback(); |
| 47 virtual ~PrimaryConfigChangedCallback(); | 73 virtual ~PrimaryConfigChangedCallback(); |
| 48 virtual void Run(const std::string& scid) = 0; | 74 virtual void Run(const std::string& scid) = 0; |
| 49 | 75 |
| 50 private: | 76 private: |
| 51 DISALLOW_COPY_AND_ASSIGN(PrimaryConfigChangedCallback); | 77 DISALLOW_COPY_AND_ASSIGN(PrimaryConfigChangedCallback); |
| 52 }; | 78 }; |
| (...skipping 325 matching lines...) |
| 378 // Config. On error, ParseConfigProtobuf returns NULL. | 404 // Config. On error, ParseConfigProtobuf returns NULL. |
| 379 scoped_refptr<Config> ParseConfigProtobuf(QuicServerConfigProtobuf* protobuf); | 405 scoped_refptr<Config> ParseConfigProtobuf(QuicServerConfigProtobuf* protobuf); |
| 380 | 406 |
| 381 // NewSourceAddressToken returns a fresh source address token for the given | 407 // NewSourceAddressToken returns a fresh source address token for the given |
| 382 // IP address. | 408 // IP address. |
| 383 std::string NewSourceAddressToken(const Config& config, | 409 std::string NewSourceAddressToken(const Config& config, |
| 384 const IPEndPoint& ip, | 410 const IPEndPoint& ip, |
| 385 QuicRandom* rand, | 411 QuicRandom* rand, |
| 386 QuicWallTime now) const; | 412 QuicWallTime now) const; |
| 387 | 413 |
| 388 // ValidateSourceAddressToken returns true if the source address token in | 414 // ValidateSourceAddressToken returns HANDSHAKE_OK if the source address token |
| 389 // |token| is a valid and timely token for the IP address |ip| given that the | 415 // in |token| is a valid and timely token for the IP address |ip| given that |
| 390 // current time is |now|. | 416 // the current time is |now|. Otherwise it returns the reason for failure. |
| 391 bool ValidateSourceAddressToken(const Config& config, | 417 HandshakeFailureReason ValidateSourceAddressToken(const Config& config, |
| 392 base::StringPiece token, | 418 base::StringPiece token, |
| 393 const IPEndPoint& ip, | 419 const IPEndPoint& ip, |
| 394 QuicWallTime now) const; | 420 QuicWallTime now) const; |
| 395 | 421 |
| 396 // NewServerNonce generates and encrypts a random nonce. | 422 // NewServerNonce generates and encrypts a random nonce. |
| 397 std::string NewServerNonce(QuicRandom* rand, QuicWallTime now) const; | 423 std::string NewServerNonce(QuicRandom* rand, QuicWallTime now) const; |
| 398 | 424 |
| 399 // ValidateServerNonce decrypts |token| and verifies that it hasn't been | 425 // ValidateServerNonce decrypts |token| and verifies that it hasn't been |
| 400 // previously used and is recent enough that it is plausible that it was part | 426 // previously used and is recent enough that it is plausible that it was part |
| 401 // of a very recently provided rejection ("recent" will be on the order of | 427 // of a very recently provided rejection ("recent" will be on the order of |
| 402 // 10-30 seconds). If so, it records that it has been used and returns true. | 428 // 10-30 seconds). If so, it records that it has been used and returns |
| 403 // Otherwise it returns false. | 429 // HANDSHAKE_OK. Otherwise it returns the reason for failure. |
| 404 bool ValidateServerNonce(base::StringPiece echoed_server_nonce, | 430 HandshakeFailureReason ValidateServerNonce( |
| 405 QuicWallTime now) const; | 431 base::StringPiece echoed_server_nonce, |
| 432 QuicWallTime now) const; |
| 406 | 433 |
| 407 // replay_protection_ controls whether the server enforces that handshakes | 434 // replay_protection_ controls whether the server enforces that handshakes |
| 408 // aren't replays. | 435 // aren't replays. |
| 409 bool replay_protection_; | 436 bool replay_protection_; |
| 410 | 437 |
| 411 // configs_ satisfies the following invariants: | 438 // configs_ satisfies the following invariants: |
| 412 // 1) configs_.empty() <-> primary_config_ == NULL | 439 // 1) configs_.empty() <-> primary_config_ == NULL |
| 413 // 2) primary_config_ != NULL -> primary_config_->is_primary | 440 // 2) primary_config_ != NULL -> primary_config_->is_primary |
| 414 // 3) ∀ c∈configs_, c->is_primary <-> c == primary_config_ | 441 // 3) ∀ c∈configs_, c->is_primary <-> c == primary_config_ |
| 415 mutable base::Lock configs_lock_; | 442 mutable base::Lock configs_lock_; |
| (...skipping 52 matching lines...) |
| 468 uint32 source_address_token_lifetime_secs_; | 495 uint32 source_address_token_lifetime_secs_; |
| 469 uint32 server_nonce_strike_register_max_entries_; | 496 uint32 server_nonce_strike_register_max_entries_; |
| 470 uint32 server_nonce_strike_register_window_secs_; | 497 uint32 server_nonce_strike_register_window_secs_; |
| 471 | 498 |
| 472 DISALLOW_COPY_AND_ASSIGN(QuicCryptoServerConfig); | 499 DISALLOW_COPY_AND_ASSIGN(QuicCryptoServerConfig); |
| 473 }; | 500 }; |
| 474 | 501 |
| 475 } // namespace net | 502 } // namespace net |
| 476 | 503 |
| 477 #endif // NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_ | 504 #endif // NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_ |
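Review bot: Changing `ValidateSourceAddressToken` and `ValidateServerNonce` from `bool` to `HandshakeFailureReason` inverts their truthiness, because `HANDSHAKE_OK = 0` and an unscoped enum converts implicitly to `bool`. A caller left as `if (!ValidateServerNonce(...))` still compiles, but now treats a valid nonce as a failure and every failure code as success. The call sites are not on this page, so each one should be confirmed to compare explicitly with `== HANDSHAKE_OK`; a missed caller would silently accept a bad source address token or a replayed server nonce. A comment on the enum such as `// HANDSHAKE_OK is 0: never test a HandshakeFailureReason as a boolean.` would make the contract visible in the header. The new comment at new line 60 also has a typo, `adddress`.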