| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/quic_crypto_server_config.h" | 5 #include "net/quic/crypto/quic_crypto_server_config.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 #include <algorithm> | 8 #include <algorithm> |
| 9 | 9 |
| 10 #include "base/stl_util.h" | 10 #include "base/stl_util.h" |
| (...skipping 499 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 510 if (result->error_code == QUIC_NO_ERROR) { | 510 if (result->error_code == QUIC_NO_ERROR) { |
| 511 EvaluateClientHello(primary_orbit, requested_config, result, done_cb); | 511 EvaluateClientHello(primary_orbit, requested_config, result, done_cb); |
| 512 } else { | 512 } else { |
| 513 done_cb->Run(result); | 513 done_cb->Run(result); |
| 514 } | 514 } |
| 515 } | 515 } |
| 516 | 516 |
| 517 QuicErrorCode QuicCryptoServerConfig::ProcessClientHello( | 517 QuicErrorCode QuicCryptoServerConfig::ProcessClientHello( |
| 518 const ValidateClientHelloResultCallback::Result& validate_chlo_result, | 518 const ValidateClientHelloResultCallback::Result& validate_chlo_result, |
| 519 QuicConnectionId connection_id, | 519 QuicConnectionId connection_id, |
| 520 IPEndPoint client_address, | 520 const IPEndPoint& server_ip, |
| 521 const IPEndPoint& client_address, |
| 521 QuicVersion version, | 522 QuicVersion version, |
| 522 const QuicVersionVector& supported_versions, | 523 const QuicVersionVector& supported_versions, |
| 523 const QuicClock* clock, | 524 const QuicClock* clock, |
| 524 QuicRandom* rand, | 525 QuicRandom* rand, |
| 525 QuicCryptoNegotiatedParameters *params, | 526 QuicCryptoNegotiatedParameters* params, |
| 526 CryptoHandshakeMessage* out, | 527 CryptoHandshakeMessage* out, |
| 527 string* error_details) const { | 528 string* error_details) const { |
| 528 DCHECK(error_details); | 529 DCHECK(error_details); |
| 529 | 530 |
| 530 const CryptoHandshakeMessage& client_hello = | 531 const CryptoHandshakeMessage& client_hello = |
| 531 validate_chlo_result.client_hello; | 532 validate_chlo_result.client_hello; |
| 532 const ClientHelloInfo& info = validate_chlo_result.info; | 533 const ClientHelloInfo& info = validate_chlo_result.info; |
| 533 | 534 |
| 534 // If the client's preferred version is not the version we are currently | 535 // If the client's preferred version is not the version we are currently |
| 535 // speaking, then the client went through a version negotiation. In this | 536 // speaking, then the client went through a version negotiation. In this |
| (...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 586 *error_details = validate_chlo_result.error_details; | 587 *error_details = validate_chlo_result.error_details; |
| 587 return validate_chlo_result.error_code; | 588 return validate_chlo_result.error_code; |
| 588 } | 589 } |
| 589 | 590 |
| 590 out->Clear(); | 591 out->Clear(); |
| 591 | 592 |
| 592 if (!info.valid_source_address_token || | 593 if (!info.valid_source_address_token || |
| 593 !info.client_nonce_well_formed || | 594 !info.client_nonce_well_formed || |
| 594 !info.unique || | 595 !info.unique || |
| 595 !requested_config.get()) { | 596 !requested_config.get()) { |
| 596 BuildRejection(*primary_config.get(), client_hello, info, | 597 BuildRejection(server_ip, *primary_config.get(), client_hello, info, |
| 597 validate_chlo_result.cached_network_params, rand, params, | 598 validate_chlo_result.cached_network_params, rand, params, |
| 598 out); | 599 out); |
| 599 return QUIC_NO_ERROR; | 600 return QUIC_NO_ERROR; |
| 600 } | 601 } |
| 601 | 602 |
| 602 const QuicTag* their_aeads; | 603 const QuicTag* their_aeads; |
| 603 const QuicTag* their_key_exchanges; | 604 const QuicTag* their_key_exchanges; |
| 604 size_t num_their_aeads, num_their_key_exchanges; | 605 size_t num_their_aeads, num_their_key_exchanges; |
| 605 if (client_hello.GetTaglist(kAEAD, &their_aeads, | 606 if (client_hello.GetTaglist(kAEAD, &their_aeads, |
| 606 &num_their_aeads) != QUIC_NO_ERROR || | 607 &num_their_aeads) != QUIC_NO_ERROR || |
| (...skipping 420 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1027 } | 1028 } |
| 1028 | 1029 |
| 1029 strike_register_client->VerifyNonceIsValidAndUnique( | 1030 strike_register_client->VerifyNonceIsValidAndUnique( |
| 1030 info->client_nonce, | 1031 info->client_nonce, |
| 1031 info->now, | 1032 info->now, |
| 1032 new VerifyNonceIsValidAndUniqueCallback(client_hello_state, done_cb)); | 1033 new VerifyNonceIsValidAndUniqueCallback(client_hello_state, done_cb)); |
| 1033 helper.StartedAsyncCallback(); | 1034 helper.StartedAsyncCallback(); |
| 1034 } | 1035 } |
| 1035 | 1036 |
| 1036 bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage( | 1037 bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage( |
| 1038 const IPEndPoint& server_ip, |
| 1037 const IPEndPoint& client_ip, | 1039 const IPEndPoint& client_ip, |
| 1038 const QuicClock* clock, | 1040 const QuicClock* clock, |
| 1039 QuicRandom* rand, | 1041 QuicRandom* rand, |
| 1040 const QuicCryptoNegotiatedParameters& params, | 1042 const QuicCryptoNegotiatedParameters& params, |
| 1041 const CachedNetworkParameters* cached_network_params, | 1043 const CachedNetworkParameters* cached_network_params, |
| 1042 CryptoHandshakeMessage* out) const { | 1044 CryptoHandshakeMessage* out) const { |
| 1043 base::AutoLock locked(configs_lock_); | 1045 base::AutoLock locked(configs_lock_); |
| 1044 out->set_tag(kSCUP); | 1046 out->set_tag(kSCUP); |
| 1045 out->SetStringPiece(kSCFG, primary_config_->serialized); | 1047 out->SetStringPiece(kSCFG, primary_config_->serialized); |
| 1046 out->SetStringPiece(kSourceAddressTokenTag, | 1048 out->SetStringPiece(kSourceAddressTokenTag, |
| 1047 NewSourceAddressToken(*primary_config_.get(), | 1049 NewSourceAddressToken(*primary_config_.get(), |
| 1048 client_ip, | 1050 client_ip, |
| 1049 rand, | 1051 rand, |
| 1050 clock->WallNow(), | 1052 clock->WallNow(), |
| 1051 cached_network_params)); | 1053 cached_network_params)); |
| 1052 | 1054 |
| 1053 if (proof_source_ == nullptr) { | 1055 if (proof_source_ == nullptr) { |
| 1054 // Insecure QUIC, can send SCFG without proof. | 1056 // Insecure QUIC, can send SCFG without proof. |
| 1055 return true; | 1057 return true; |
| 1056 } | 1058 } |
| 1057 | 1059 |
| 1058 const vector<string>* certs; | 1060 const vector<string>* certs; |
| 1059 string signature; | 1061 string signature; |
| 1060 if (!proof_source_->GetProof(params.sni, primary_config_->serialized, | 1062 if (!proof_source_->GetProof( |
| 1061 params.x509_ecdsa_supported, &certs, | 1063 server_ip, params.sni, primary_config_->serialized, |
| 1062 &signature)) { | 1064 params.x509_ecdsa_supported, &certs, &signature)) { |
| 1063 DVLOG(1) << "Server: failed to get proof."; | 1065 DVLOG(1) << "Server: failed to get proof."; |
| 1064 return false; | 1066 return false; |
| 1065 } | 1067 } |
| 1066 | 1068 |
| 1067 const string compressed = CertCompressor::CompressChain( | 1069 const string compressed = CertCompressor::CompressChain( |
| 1068 *certs, params.client_common_set_hashes, params.client_cached_cert_hashes, | 1070 *certs, params.client_common_set_hashes, params.client_cached_cert_hashes, |
| 1069 primary_config_->common_cert_sets); | 1071 primary_config_->common_cert_sets); |
| 1070 | 1072 |
| 1071 out->SetStringPiece(kCertificateTag, compressed); | 1073 out->SetStringPiece(kCertificateTag, compressed); |
| 1072 out->SetStringPiece(kPROF, signature); | 1074 out->SetStringPiece(kPROF, signature); |
| 1073 return true; | 1075 return true; |
| 1074 } | 1076 } |
| 1075 | 1077 |
| 1076 void QuicCryptoServerConfig::BuildRejection( | 1078 void QuicCryptoServerConfig::BuildRejection( |
| 1079 const IPEndPoint& server_ip, |
| 1077 const Config& config, | 1080 const Config& config, |
| 1078 const CryptoHandshakeMessage& client_hello, | 1081 const CryptoHandshakeMessage& client_hello, |
| 1079 const ClientHelloInfo& info, | 1082 const ClientHelloInfo& info, |
| 1080 const CachedNetworkParameters& cached_network_params, | 1083 const CachedNetworkParameters& cached_network_params, |
| 1081 QuicRandom* rand, | 1084 QuicRandom* rand, |
| 1082 QuicCryptoNegotiatedParameters *params, | 1085 QuicCryptoNegotiatedParameters* params, |
| 1083 CryptoHandshakeMessage* out) const { | 1086 CryptoHandshakeMessage* out) const { |
| 1084 out->set_tag(kREJ); | 1087 out->set_tag(kREJ); |
| 1085 out->SetStringPiece(kSCFG, config.serialized); | 1088 out->SetStringPiece(kSCFG, config.serialized); |
| 1086 out->SetStringPiece(kSourceAddressTokenTag, | 1089 out->SetStringPiece(kSourceAddressTokenTag, |
| 1087 NewSourceAddressToken( | 1090 NewSourceAddressToken( |
| 1088 config, | 1091 config, |
| 1089 info.client_ip, | 1092 info.client_ip, |
| 1090 rand, | 1093 rand, |
| 1091 info.now, | 1094 info.now, |
| 1092 &cached_network_params)); | 1095 &cached_network_params)); |
| (...skipping 30 matching lines...) Expand all Loading... |
| 1123 break; | 1126 break; |
| 1124 } | 1127 } |
| 1125 } | 1128 } |
| 1126 | 1129 |
| 1127 if (!x509_supported) { | 1130 if (!x509_supported) { |
| 1128 return; | 1131 return; |
| 1129 } | 1132 } |
| 1130 | 1133 |
| 1131 const vector<string>* certs; | 1134 const vector<string>* certs; |
| 1132 string signature; | 1135 string signature; |
| 1133 if (!proof_source_->GetProof(info.sni.as_string(), config.serialized, | 1136 if (!proof_source_->GetProof(server_ip, info.sni.as_string(), |
| 1134 params->x509_ecdsa_supported, &certs, | 1137 config.serialized, params->x509_ecdsa_supported, |
| 1135 &signature)) { | 1138 &certs, &signature)) { |
| 1136 return; | 1139 return; |
| 1137 } | 1140 } |
| 1138 | 1141 |
| 1139 StringPiece client_common_set_hashes; | 1142 StringPiece client_common_set_hashes; |
| 1140 if (client_hello.GetStringPiece(kCCS, &client_common_set_hashes)) { | 1143 if (client_hello.GetStringPiece(kCCS, &client_common_set_hashes)) { |
| 1141 params->client_common_set_hashes = client_common_set_hashes.as_string(); | 1144 params->client_common_set_hashes = client_common_set_hashes.as_string(); |
| 1142 } | 1145 } |
| 1143 | 1146 |
| 1144 StringPiece client_cached_cert_hashes; | 1147 StringPiece client_cached_cert_hashes; |
| 1145 if (client_hello.GetStringPiece(kCCRT, &client_cached_cert_hashes)) { | 1148 if (client_hello.GetStringPiece(kCCRT, &client_cached_cert_hashes)) { |
| (...skipping 420 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1566 QuicCryptoServerConfig::Config::Config() | 1569 QuicCryptoServerConfig::Config::Config() |
| 1567 : channel_id_enabled(false), | 1570 : channel_id_enabled(false), |
| 1568 is_primary(false), | 1571 is_primary(false), |
| 1569 primary_time(QuicWallTime::Zero()), | 1572 primary_time(QuicWallTime::Zero()), |
| 1570 priority(0), | 1573 priority(0), |
| 1571 source_address_token_boxer(nullptr) {} | 1574 source_address_token_boxer(nullptr) {} |
| 1572 | 1575 |
| 1573 QuicCryptoServerConfig::Config::~Config() { STLDeleteElements(&key_exchanges); } | 1576 QuicCryptoServerConfig::Config::~Config() { STLDeleteElements(&key_exchanges); } |
| 1574 | 1577 |
| 1575 } // namespace net | 1578 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 816543004:
Update from https://crrev.com/308996 (Closed)
Base URL: git@github.com:domokit/mojo.git@master