| OLD | NEW |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/quic_crypto_server_config.h" | 5 #include "net/quic/crypto/quic_crypto_server_config.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 #include <algorithm> | 8 #include <algorithm> |
| 9 | 9 |
| 10 #include "base/stl_util.h" | 10 #include "base/stl_util.h" |
| (...skipping 585 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 596 *error_details = validate_chlo_result.error_details; | 596 *error_details = validate_chlo_result.error_details; |
| 597 return validate_chlo_result.error_code; | 597 return validate_chlo_result.error_code; |
| 598 } | 598 } |
| 599 | 599 |
| 600 out->Clear(); | 600 out->Clear(); |
| 601 | 601 |
| 602 if (!info.valid_source_address_token || | 602 if (!info.valid_source_address_token || |
| 603 !info.client_nonce_well_formed || | 603 !info.client_nonce_well_formed || |
| 604 !info.unique || | 604 !info.unique || |
| 605 !requested_config.get()) { | 605 !requested_config.get()) { |
| 606 BuildRejection(*primary_config, client_hello, info, rand, out); | 606 BuildRejection(*primary_config, client_hello, info, rand, params, out); |
| 607 return QUIC_NO_ERROR; | 607 return QUIC_NO_ERROR; |
| 608 } | 608 } |
| 609 | 609 |
| 610 const QuicTag* their_aeads; | 610 const QuicTag* their_aeads; |
| 611 const QuicTag* their_key_exchanges; | 611 const QuicTag* their_key_exchanges; |
| 612 size_t num_their_aeads, num_their_key_exchanges; | 612 size_t num_their_aeads, num_their_key_exchanges; |
| 613 if (client_hello.GetTaglist(kAEAD, &their_aeads, | 613 if (client_hello.GetTaglist(kAEAD, &their_aeads, |
| 614 &num_their_aeads) != QUIC_NO_ERROR || | 614 &num_their_aeads) != QUIC_NO_ERROR || |
| 615 client_hello.GetTaglist(kKEXS, &their_key_exchanges, | 615 client_hello.GetTaglist(kKEXS, &their_key_exchanges, |
| 616 &num_their_key_exchanges) != QUIC_NO_ERROR || | 616 &num_their_key_exchanges) != QUIC_NO_ERROR || |
| (...skipping 415 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1032 strike_register_client = strike_register_client_.get(); | 1032 strike_register_client = strike_register_client_.get(); |
| 1033 } | 1033 } |
| 1034 | 1034 |
| 1035 strike_register_client->VerifyNonceIsValidAndUnique( | 1035 strike_register_client->VerifyNonceIsValidAndUnique( |
| 1036 info->client_nonce, | 1036 info->client_nonce, |
| 1037 info->now, | 1037 info->now, |
| 1038 new VerifyNonceIsValidAndUniqueCallback(client_hello_state, done_cb)); | 1038 new VerifyNonceIsValidAndUniqueCallback(client_hello_state, done_cb)); |
| 1039 helper.StartedAsyncCallback(); | 1039 helper.StartedAsyncCallback(); |
| 1040 } | 1040 } |
| 1041 | 1041 |
| 1042 bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage( |
| 1043 const IPEndPoint& client_ip, |
| 1044 const QuicClock* clock, |
| 1045 QuicRandom* rand, |
| 1046 const QuicCryptoNegotiatedParameters& params, |
| 1047 CryptoHandshakeMessage* out) const { |
| 1048 base::AutoLock locked(configs_lock_); |
| 1049 out->set_tag(kSCUP); |
| 1050 out->SetStringPiece(kSCFG, primary_config_->serialized); |
| 1051 out->SetStringPiece(kSourceAddressTokenTag, |
| 1052 NewSourceAddressToken(*primary_config_, |
| 1053 client_ip, |
| 1054 rand, |
| 1055 clock->WallNow())); |
| 1056 |
| 1057 if (proof_source_ == NULL) { |
| 1058 // Insecure QUIC, can send SCFG without proof. |
| 1059 return true; |
| 1060 } |
| 1061 |
| 1062 const vector<string>* certs; |
| 1063 string signature; |
| 1064 if (!proof_source_->GetProof(params.sni, primary_config_->serialized, |
| 1065 params.x509_ecdsa_supported, &certs, |
| 1066 &signature)) { |
| 1067 DVLOG(1) << "Server: failed to get proof."; |
| 1068 return false; |
| 1069 } |
| 1070 |
| 1071 const string compressed = CertCompressor::CompressChain( |
| 1072 *certs, params.client_common_set_hashes, params.client_cached_cert_hashes, |
| 1073 primary_config_->common_cert_sets); |
| 1074 |
| 1075 out->SetStringPiece(kCertificateTag, compressed); |
| 1076 out->SetStringPiece(kPROF, signature); |
| 1077 return true; |
| 1078 } |
| 1079 |
| 1042 void QuicCryptoServerConfig::BuildRejection( | 1080 void QuicCryptoServerConfig::BuildRejection( |
| 1043 const Config& config, | 1081 const Config& config, |
| 1044 const CryptoHandshakeMessage& client_hello, | 1082 const CryptoHandshakeMessage& client_hello, |
| 1045 const ClientHelloInfo& info, | 1083 const ClientHelloInfo& info, |
| 1046 QuicRandom* rand, | 1084 QuicRandom* rand, |
| 1085 QuicCryptoNegotiatedParameters *params, |
| 1047 CryptoHandshakeMessage* out) const { | 1086 CryptoHandshakeMessage* out) const { |
| 1048 out->set_tag(kREJ); | 1087 out->set_tag(kREJ); |
| 1049 out->SetStringPiece(kSCFG, config.serialized); | 1088 out->SetStringPiece(kSCFG, config.serialized); |
| 1050 out->SetStringPiece(kSourceAddressTokenTag, | 1089 out->SetStringPiece(kSourceAddressTokenTag, |
| 1051 NewSourceAddressToken( | 1090 NewSourceAddressToken( |
| 1052 config, | 1091 config, |
| 1053 info.client_ip, | 1092 info.client_ip, |
| 1054 rand, | 1093 rand, |
| 1055 info.now)); | 1094 info.now)); |
| 1056 if (replay_protection_) { | 1095 if (replay_protection_) { |
| (...skipping 10 matching lines...) Expand all Loading... |
| 1067 const QuicTag* their_proof_demands; | 1106 const QuicTag* their_proof_demands; |
| 1068 size_t num_their_proof_demands; | 1107 size_t num_their_proof_demands; |
| 1069 | 1108 |
| 1070 if (proof_source_.get() == NULL || | 1109 if (proof_source_.get() == NULL || |
| 1071 client_hello.GetTaglist(kPDMD, &their_proof_demands, | 1110 client_hello.GetTaglist(kPDMD, &their_proof_demands, |
| 1072 &num_their_proof_demands) != | 1111 &num_their_proof_demands) != |
| 1073 QUIC_NO_ERROR) { | 1112 QUIC_NO_ERROR) { |
| 1074 return; | 1113 return; |
| 1075 } | 1114 } |
| 1076 | 1115 |
| 1077 bool x509_supported = false, x509_ecdsa_supported = false; | 1116 bool x509_supported = false; |
| 1078 for (size_t i = 0; i < num_their_proof_demands; i++) { | 1117 for (size_t i = 0; i < num_their_proof_demands; i++) { |
| 1079 switch (their_proof_demands[i]) { | 1118 switch (their_proof_demands[i]) { |
| 1080 case kX509: | 1119 case kX509: |
| 1081 x509_supported = true; | 1120 x509_supported = true; |
| 1082 x509_ecdsa_supported = true; | 1121 params->x509_ecdsa_supported = true; |
| 1083 break; | 1122 break; |
| 1084 case kX59R: | 1123 case kX59R: |
| 1085 x509_supported = true; | 1124 x509_supported = true; |
| 1086 break; | 1125 break; |
| 1087 } | 1126 } |
| 1088 } | 1127 } |
| 1089 | 1128 |
| 1090 if (!x509_supported) { | 1129 if (!x509_supported) { |
| 1091 return; | 1130 return; |
| 1092 } | 1131 } |
| 1093 | 1132 |
| 1094 const vector<string>* certs; | 1133 const vector<string>* certs; |
| 1095 string signature; | 1134 string signature; |
| 1096 if (!proof_source_->GetProof(info.sni.as_string(), config.serialized, | 1135 if (!proof_source_->GetProof(info.sni.as_string(), config.serialized, |
| 1097 x509_ecdsa_supported, &certs, &signature)) { | 1136 params->x509_ecdsa_supported, &certs, |
| 1137 &signature)) { |
| 1098 return; | 1138 return; |
| 1099 } | 1139 } |
| 1100 | 1140 |
| 1101 StringPiece their_common_set_hashes; | 1141 client_hello.GetStringPiece(kCCS, &(params->client_common_set_hashes)); |
| 1102 StringPiece their_cached_cert_hashes; | 1142 client_hello.GetStringPiece(kCCRT, &(params->client_cached_cert_hashes)); |
| 1103 client_hello.GetStringPiece(kCCS, &their_common_set_hashes); | |
| 1104 client_hello.GetStringPiece(kCCRT, &their_cached_cert_hashes); | |
| 1105 | 1143 |
| 1106 const string compressed = CertCompressor::CompressChain( | 1144 const string compressed = CertCompressor::CompressChain( |
| 1107 *certs, their_common_set_hashes, their_cached_cert_hashes, | 1145 *certs, params->client_common_set_hashes, |
| 1108 config.common_cert_sets); | 1146 params->client_cached_cert_hashes, config.common_cert_sets); |
| 1109 | 1147 |
| 1110 // kREJOverheadBytes is a very rough estimate of how much of a REJ | 1148 // kREJOverheadBytes is a very rough estimate of how much of a REJ |
| 1111 // message is taken up by things other than the certificates. | 1149 // message is taken up by things other than the certificates. |
| 1112 // STK: 56 bytes | 1150 // STK: 56 bytes |
| 1113 // SNO: 56 bytes | 1151 // SNO: 56 bytes |
| 1114 // SCFG | 1152 // SCFG |
| 1115 // SCID: 16 bytes | 1153 // SCID: 16 bytes |
| 1116 // PUBS: 38 bytes | 1154 // PUBS: 38 bytes |
| 1117 const size_t kREJOverheadBytes = 166; | 1155 const size_t kREJOverheadBytes = 166; |
| 1118 // kMultiplier is the multiple of the CHLO message size that a REJ message | 1156 // kMultiplier is the multiple of the CHLO message size that a REJ message |
| (...skipping 390 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1509 QuicCryptoServerConfig::Config::Config() | 1547 QuicCryptoServerConfig::Config::Config() |
| 1510 : channel_id_enabled(false), | 1548 : channel_id_enabled(false), |
| 1511 is_primary(false), | 1549 is_primary(false), |
| 1512 primary_time(QuicWallTime::Zero()), | 1550 primary_time(QuicWallTime::Zero()), |
| 1513 priority(0), | 1551 priority(0), |
| 1514 source_address_token_boxer(NULL) {} | 1552 source_address_token_boxer(NULL) {} |
| 1515 | 1553 |
| 1516 QuicCryptoServerConfig::Config::~Config() { STLDeleteElements(&key_exchanges); } | 1554 QuicCryptoServerConfig::Config::~Config() { STLDeleteElements(&key_exchanges); } |
| 1517 | 1555 |
| 1518 } // namespace net | 1556 } // namespace net |
| OLD | NEW |