1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/quic/crypto/quic_crypto_server_config.h" | 5 #include "net/quic/crypto/quic_crypto_server_config.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 #include <algorithm> | 8 #include <algorithm> |
9 | 9 |
10 #include "base/stl_util.h" | 10 #include "base/stl_util.h" |
510 if (result->error_code == QUIC_NO_ERROR) { | 510 if (result->error_code == QUIC_NO_ERROR) { |
511 EvaluateClientHello(primary_orbit, requested_config, result, done_cb); | 511 EvaluateClientHello(primary_orbit, requested_config, result, done_cb); |
512 } else { | 512 } else { |
513 done_cb->Run(result); | 513 done_cb->Run(result); |
514 } | 514 } |
515 } | 515 } |
516 | 516 |
517 QuicErrorCode QuicCryptoServerConfig::ProcessClientHello( | 517 QuicErrorCode QuicCryptoServerConfig::ProcessClientHello( |
518 const ValidateClientHelloResultCallback::Result& validate_chlo_result, | 518 const ValidateClientHelloResultCallback::Result& validate_chlo_result, |
519 QuicConnectionId connection_id, | 519 QuicConnectionId connection_id, |
520 IPEndPoint client_address, | 520 const IPEndPoint& server_ip, |
| 521 const IPEndPoint& client_address, |
521 QuicVersion version, | 522 QuicVersion version, |
522 const QuicVersionVector& supported_versions, | 523 const QuicVersionVector& supported_versions, |
523 const QuicClock* clock, | 524 const QuicClock* clock, |
524 QuicRandom* rand, | 525 QuicRandom* rand, |
525 QuicCryptoNegotiatedParameters *params, | 526 QuicCryptoNegotiatedParameters* params, |
526 CryptoHandshakeMessage* out, | 527 CryptoHandshakeMessage* out, |
527 string* error_details) const { | 528 string* error_details) const { |
528 DCHECK(error_details); | 529 DCHECK(error_details); |
529 | 530 |
530 const CryptoHandshakeMessage& client_hello = | 531 const CryptoHandshakeMessage& client_hello = |
531 validate_chlo_result.client_hello; | 532 validate_chlo_result.client_hello; |
532 const ClientHelloInfo& info = validate_chlo_result.info; | 533 const ClientHelloInfo& info = validate_chlo_result.info; |
533 | 534 |
534 // If the client's preferred version is not the version we are currently | 535 // If the client's preferred version is not the version we are currently |
535 // speaking, then the client went through a version negotiation. In this | 536 // speaking, then the client went through a version negotiation. In this |
586 *error_details = validate_chlo_result.error_details; | 587 *error_details = validate_chlo_result.error_details; |
587 return validate_chlo_result.error_code; | 588 return validate_chlo_result.error_code; |
588 } | 589 } |
589 | 590 |
590 out->Clear(); | 591 out->Clear(); |
591 | 592 |
592 if (!info.valid_source_address_token || | 593 if (!info.valid_source_address_token || |
593 !info.client_nonce_well_formed || | 594 !info.client_nonce_well_formed || |
594 !info.unique || | 595 !info.unique || |
595 !requested_config.get()) { | 596 !requested_config.get()) { |
596 BuildRejection(*primary_config.get(), client_hello, info, | 597 BuildRejection(server_ip, *primary_config.get(), client_hello, info, |
597 validate_chlo_result.cached_network_params, rand, params, | 598 validate_chlo_result.cached_network_params, rand, params, |
598 out); | 599 out); |
599 return QUIC_NO_ERROR; | 600 return QUIC_NO_ERROR; |
600 } | 601 } |
601 | 602 |
602 const QuicTag* their_aeads; | 603 const QuicTag* their_aeads; |
603 const QuicTag* their_key_exchanges; | 604 const QuicTag* their_key_exchanges; |
604 size_t num_their_aeads, num_their_key_exchanges; | 605 size_t num_their_aeads, num_their_key_exchanges; |
605 if (client_hello.GetTaglist(kAEAD, &their_aeads, | 606 if (client_hello.GetTaglist(kAEAD, &their_aeads, |
606 &num_their_aeads) != QUIC_NO_ERROR || | 607 &num_their_aeads) != QUIC_NO_ERROR || |
1027 } | 1028 } |
1028 | 1029 |
1029 strike_register_client->VerifyNonceIsValidAndUnique( | 1030 strike_register_client->VerifyNonceIsValidAndUnique( |
1030 info->client_nonce, | 1031 info->client_nonce, |
1031 info->now, | 1032 info->now, |
1032 new VerifyNonceIsValidAndUniqueCallback(client_hello_state, done_cb)); | 1033 new VerifyNonceIsValidAndUniqueCallback(client_hello_state, done_cb)); |
1033 helper.StartedAsyncCallback(); | 1034 helper.StartedAsyncCallback(); |
1034 } | 1035 } |
1035 | 1036 |
1036 bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage( | 1037 bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage( |
| 1038 const IPEndPoint& server_ip, |
1037 const IPEndPoint& client_ip, | 1039 const IPEndPoint& client_ip, |
1038 const QuicClock* clock, | 1040 const QuicClock* clock, |
1039 QuicRandom* rand, | 1041 QuicRandom* rand, |
1040 const QuicCryptoNegotiatedParameters& params, | 1042 const QuicCryptoNegotiatedParameters& params, |
1041 const CachedNetworkParameters* cached_network_params, | 1043 const CachedNetworkParameters* cached_network_params, |
1042 CryptoHandshakeMessage* out) const { | 1044 CryptoHandshakeMessage* out) const { |
1043 base::AutoLock locked(configs_lock_); | 1045 base::AutoLock locked(configs_lock_); |
1044 out->set_tag(kSCUP); | 1046 out->set_tag(kSCUP); |
1045 out->SetStringPiece(kSCFG, primary_config_->serialized); | 1047 out->SetStringPiece(kSCFG, primary_config_->serialized); |
1046 out->SetStringPiece(kSourceAddressTokenTag, | 1048 out->SetStringPiece(kSourceAddressTokenTag, |
1047 NewSourceAddressToken(*primary_config_.get(), | 1049 NewSourceAddressToken(*primary_config_.get(), |
1048 client_ip, | 1050 client_ip, |
1049 rand, | 1051 rand, |
1050 clock->WallNow(), | 1052 clock->WallNow(), |
1051 cached_network_params)); | 1053 cached_network_params)); |
1052 | 1054 |
1053 if (proof_source_ == nullptr) { | 1055 if (proof_source_ == nullptr) { |
1054 // Insecure QUIC, can send SCFG without proof. | 1056 // Insecure QUIC, can send SCFG without proof. |
1055 return true; | 1057 return true; |
1056 } | 1058 } |
1057 | 1059 |
1058 const vector<string>* certs; | 1060 const vector<string>* certs; |
1059 string signature; | 1061 string signature; |
1060 if (!proof_source_->GetProof(params.sni, primary_config_->serialized, | 1062 if (!proof_source_->GetProof( |
1061 params.x509_ecdsa_supported, &certs, | 1063 server_ip, params.sni, primary_config_->serialized, |
1062 &signature)) { | 1064 params.x509_ecdsa_supported, &certs, &signature)) { |
1063 DVLOG(1) << "Server: failed to get proof."; | 1065 DVLOG(1) << "Server: failed to get proof."; |
1064 return false; | 1066 return false; |
1065 } | 1067 } |
1066 | 1068 |
1067 const string compressed = CertCompressor::CompressChain( | 1069 const string compressed = CertCompressor::CompressChain( |
1068 *certs, params.client_common_set_hashes, params.client_cached_cert_hashes, | 1070 *certs, params.client_common_set_hashes, params.client_cached_cert_hashes, |
1069 primary_config_->common_cert_sets); | 1071 primary_config_->common_cert_sets); |
1070 | 1072 |
1071 out->SetStringPiece(kCertificateTag, compressed); | 1073 out->SetStringPiece(kCertificateTag, compressed); |
1072 out->SetStringPiece(kPROF, signature); | 1074 out->SetStringPiece(kPROF, signature); |
1073 return true; | 1075 return true; |
1074 } | 1076 } |
1075 | 1077 |
1076 void QuicCryptoServerConfig::BuildRejection( | 1078 void QuicCryptoServerConfig::BuildRejection( |
| 1079 const IPEndPoint& server_ip, |
1077 const Config& config, | 1080 const Config& config, |
1078 const CryptoHandshakeMessage& client_hello, | 1081 const CryptoHandshakeMessage& client_hello, |
1079 const ClientHelloInfo& info, | 1082 const ClientHelloInfo& info, |
1080 const CachedNetworkParameters& cached_network_params, | 1083 const CachedNetworkParameters& cached_network_params, |
1081 QuicRandom* rand, | 1084 QuicRandom* rand, |
1082 QuicCryptoNegotiatedParameters *params, | 1085 QuicCryptoNegotiatedParameters* params, |
1083 CryptoHandshakeMessage* out) const { | 1086 CryptoHandshakeMessage* out) const { |
1084 out->set_tag(kREJ); | 1087 out->set_tag(kREJ); |
1085 out->SetStringPiece(kSCFG, config.serialized); | 1088 out->SetStringPiece(kSCFG, config.serialized); |
1086 out->SetStringPiece(kSourceAddressTokenTag, | 1089 out->SetStringPiece(kSourceAddressTokenTag, |
1087 NewSourceAddressToken( | 1090 NewSourceAddressToken( |
1088 config, | 1091 config, |
1089 info.client_ip, | 1092 info.client_ip, |
1090 rand, | 1093 rand, |
1091 info.now, | 1094 info.now, |
1092 &cached_network_params)); | 1095 &cached_network_params)); |
1123 break; | 1126 break; |
1124 } | 1127 } |
1125 } | 1128 } |
1126 | 1129 |
1127 if (!x509_supported) { | 1130 if (!x509_supported) { |
1128 return; | 1131 return; |
1129 } | 1132 } |
1130 | 1133 |
1131 const vector<string>* certs; | 1134 const vector<string>* certs; |
1132 string signature; | 1135 string signature; |
1133 if (!proof_source_->GetProof(info.sni.as_string(), config.serialized, | 1136 if (!proof_source_->GetProof(server_ip, info.sni.as_string(), |
1134 params->x509_ecdsa_supported, &certs, | 1137 config.serialized, params->x509_ecdsa_supported, |
1135 &signature)) { | 1138 &certs, &signature)) { |
1136 return; | 1139 return; |
1137 } | 1140 } |
1138 | 1141 |
1139 StringPiece client_common_set_hashes; | 1142 StringPiece client_common_set_hashes; |
1140 if (client_hello.GetStringPiece(kCCS, &client_common_set_hashes)) { | 1143 if (client_hello.GetStringPiece(kCCS, &client_common_set_hashes)) { |
1141 params->client_common_set_hashes = client_common_set_hashes.as_string(); | 1144 params->client_common_set_hashes = client_common_set_hashes.as_string(); |
1142 } | 1145 } |
1143 | 1146 |
1144 StringPiece client_cached_cert_hashes; | 1147 StringPiece client_cached_cert_hashes; |
1145 if (client_hello.GetStringPiece(kCCRT, &client_cached_cert_hashes)) { | 1148 if (client_hello.GetStringPiece(kCCRT, &client_cached_cert_hashes)) { |
1566 QuicCryptoServerConfig::Config::Config() | 1569 QuicCryptoServerConfig::Config::Config() |
1567 : channel_id_enabled(false), | 1570 : channel_id_enabled(false), |
1568 is_primary(false), | 1571 is_primary(false), |
1569 primary_time(QuicWallTime::Zero()), | 1572 primary_time(QuicWallTime::Zero()), |
1570 priority(0), | 1573 priority(0), |
1571 source_address_token_boxer(nullptr) {} | 1574 source_address_token_boxer(nullptr) {} |
1572 | 1575 |
1573 QuicCryptoServerConfig::Config::~Config() { STLDeleteElements(&key_exchanges); } | 1576 QuicCryptoServerConfig::Config::~Config() { STLDeleteElements(&key_exchanges); } |
1574 | 1577 |
1575 } // namespace net | 1578 } // namespace net |
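Review bot: The new `server_ip` parameter threaded into ProcessClientHello, BuildServerConfigUpdateMessage and BuildRejection (new-side lines 521, 1038 and 1079) is forwarded straight to `proof_source_->GetProof()` with no comment saying what it denotes, and the header that declares it is not in this view, so a reader cannot tell whether it is the local address the connection was accepted on or something derived from the peer. Because the ProofSource presumably uses it to pick which certificate chain and signing key are presented, its provenance is the thing a maintainer needs to know; I would put on each of the three declarations `// |server_ip| is the local address this connection arrived on; it is passed to the ProofSource to select the proof and is never taken from the client hello.` after confirming that wording against the callers. A smaller consistency point: BuildServerConfigUpdateMessage guards its GetProof() call with `proof_source_ == nullptr` (new line 1055), while the GetProof() call visible in BuildRejection (new line 1136) has no such guard in view; the thirty elided lines before it may well hold one, so this is only worth a glance. BuildRejection's body continues past the last line shown for it.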