OLD | NEW |
---|---|
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/quic/crypto/quic_crypto_server_config.h" | 5 #include "net/quic/crypto/quic_crypto_server_config.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 #include <algorithm> | 8 #include <algorithm> |
9 | 9 |
10 #include "base/stl_util.h" | 10 #include "base/stl_util.h" |
(...skipping 1157 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1168 const size_t kREJOverheadBytes = 166; | 1168 const size_t kREJOverheadBytes = 166; |
1169 // kMultiplier is the multiple of the CHLO message size that a REJ message | 1169 // kMultiplier is the multiple of the CHLO message size that a REJ message |
1170 // must stay under when the client doesn't present a valid source-address | 1170 // must stay under when the client doesn't present a valid source-address |
1171 // token. | 1171 // token. |
1172 const size_t kMultiplier = 2; | 1172 const size_t kMultiplier = 2; |
1173 // max_unverified_size is the number of bytes that the certificate chain | 1173 // max_unverified_size is the number of bytes that the certificate chain |
1174 // and signature can consume before we will demand a valid source-address | 1174 // and signature can consume before we will demand a valid source-address |
1175 // token. | 1175 // token. |
1176 const size_t max_unverified_size = | 1176 const size_t max_unverified_size = |
1177 client_hello.size() * kMultiplier - kREJOverheadBytes; | 1177 client_hello.size() * kMultiplier - kREJOverheadBytes; |
1178 COMPILE_ASSERT(kClientHelloMinimumSize * kMultiplier >= kREJOverheadBytes, | 1178 static_assert(kClientHelloMinimumSize * kMultiplier >= kREJOverheadBytes, |
1179 overhead_calculation_may_underflow); | 1179 "overhead calculation may underflow"); |
Deprecated (see juliatuttle)
2015/01/05 22:22:39
Technically I think that's overflow?
Mostyn Bramley-Moore
2015/01/06 00:07:07
Done.
| |
1180 if (info.valid_source_address_token || | 1180 if (info.valid_source_address_token || |
1181 signature.size() + compressed.size() < max_unverified_size) { | 1181 signature.size() + compressed.size() < max_unverified_size) { |
1182 out->SetStringPiece(kCertificateTag, compressed); | 1182 out->SetStringPiece(kCertificateTag, compressed); |
1183 out->SetStringPiece(kPROF, signature); | 1183 out->SetStringPiece(kPROF, signature); |
1184 } | 1184 } |
1185 } | 1185 } |
1186 | 1186 |
1187 scoped_refptr<QuicCryptoServerConfig::Config> | 1187 scoped_refptr<QuicCryptoServerConfig::Config> |
1188 QuicCryptoServerConfig::ParseConfigProtobuf( | 1188 QuicCryptoServerConfig::ParseConfigProtobuf( |
1189 QuicServerConfigProtobuf* protobuf) { | 1189 QuicServerConfigProtobuf* protobuf) { |
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1244 if (!msg->GetStringPiece(kORBT, &orbit)) { | 1244 if (!msg->GetStringPiece(kORBT, &orbit)) { |
1245 LOG(WARNING) << "Server config message is missing ORBT"; | 1245 LOG(WARNING) << "Server config message is missing ORBT"; |
1246 return nullptr; | 1246 return nullptr; |
1247 } | 1247 } |
1248 | 1248 |
1249 if (orbit.size() != kOrbitSize) { | 1249 if (orbit.size() != kOrbitSize) { |
1250 LOG(WARNING) << "Orbit value in server config is the wrong length." | 1250 LOG(WARNING) << "Orbit value in server config is the wrong length." |
1251 " Got " << orbit.size() << " want " << kOrbitSize; | 1251 " Got " << orbit.size() << " want " << kOrbitSize; |
1252 return nullptr; | 1252 return nullptr; |
1253 } | 1253 } |
1254 COMPILE_ASSERT(sizeof(config->orbit) == kOrbitSize, orbit_incorrect_size); | 1254 static_assert(sizeof(config->orbit) == kOrbitSize, |
1255 "orbit has incorrect size"); | |
1255 memcpy(config->orbit, orbit.data(), sizeof(config->orbit)); | 1256 memcpy(config->orbit, orbit.data(), sizeof(config->orbit)); |
1256 | 1257 |
1257 { | 1258 { |
1258 StrikeRegisterClient* strike_register_client; | 1259 StrikeRegisterClient* strike_register_client; |
1259 { | 1260 { |
1260 base::AutoLock locked(strike_register_client_lock_); | 1261 base::AutoLock locked(strike_register_client_lock_); |
1261 strike_register_client = strike_register_client_.get(); | 1262 strike_register_client = strike_register_client_.get(); |
1262 } | 1263 } |
1263 | 1264 |
1264 if (strike_register_client != nullptr && | 1265 if (strike_register_client != nullptr && |
(...skipping 343 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1608 // kServerNoncePlaintextSize is the number of bytes in an unencrypted server | 1609 // kServerNoncePlaintextSize is the number of bytes in an unencrypted server |
1609 // nonce. | 1610 // nonce. |
1610 static const size_t kServerNoncePlaintextSize = | 1611 static const size_t kServerNoncePlaintextSize = |
1611 4 /* timestamp */ + 20 /* random bytes */; | 1612 4 /* timestamp */ + 20 /* random bytes */; |
1612 | 1613 |
1613 string QuicCryptoServerConfig::NewServerNonce(QuicRandom* rand, | 1614 string QuicCryptoServerConfig::NewServerNonce(QuicRandom* rand, |
1614 QuicWallTime now) const { | 1615 QuicWallTime now) const { |
1615 const uint32 timestamp = static_cast<uint32>(now.ToUNIXSeconds()); | 1616 const uint32 timestamp = static_cast<uint32>(now.ToUNIXSeconds()); |
1616 | 1617 |
1617 uint8 server_nonce[kServerNoncePlaintextSize]; | 1618 uint8 server_nonce[kServerNoncePlaintextSize]; |
1618 COMPILE_ASSERT(sizeof(server_nonce) > sizeof(timestamp), nonce_too_small); | 1619 static_assert(sizeof(server_nonce) > sizeof(timestamp), "nonce too small"); |
1619 server_nonce[0] = static_cast<uint8>(timestamp >> 24); | 1620 server_nonce[0] = static_cast<uint8>(timestamp >> 24); |
1620 server_nonce[1] = static_cast<uint8>(timestamp >> 16); | 1621 server_nonce[1] = static_cast<uint8>(timestamp >> 16); |
1621 server_nonce[2] = static_cast<uint8>(timestamp >> 8); | 1622 server_nonce[2] = static_cast<uint8>(timestamp >> 8); |
1622 server_nonce[3] = static_cast<uint8>(timestamp); | 1623 server_nonce[3] = static_cast<uint8>(timestamp); |
1623 rand->RandBytes(&server_nonce[sizeof(timestamp)], | 1624 rand->RandBytes(&server_nonce[sizeof(timestamp)], |
1624 sizeof(server_nonce) - sizeof(timestamp)); | 1625 sizeof(server_nonce) - sizeof(timestamp)); |
1625 | 1626 |
1626 return server_nonce_boxer_.Box( | 1627 return server_nonce_boxer_.Box( |
1627 rand, | 1628 rand, |
1628 StringPiece(reinterpret_cast<char*>(server_nonce), sizeof(server_nonce))); | 1629 StringPiece(reinterpret_cast<char*>(server_nonce), sizeof(server_nonce))); |
(...skipping 16 matching lines...) Expand all Loading... | |
1645 // This should never happen because the value decrypted correctly. | 1646 // This should never happen because the value decrypted correctly. |
1646 LOG(DFATAL) << "Seemingly valid server nonce had incorrect length."; | 1647 LOG(DFATAL) << "Seemingly valid server nonce had incorrect length."; |
1647 return SERVER_NONCE_INVALID_FAILURE; | 1648 return SERVER_NONCE_INVALID_FAILURE; |
1648 } | 1649 } |
1649 | 1650 |
1650 uint8 server_nonce[32]; | 1651 uint8 server_nonce[32]; |
1651 memcpy(server_nonce, plaintext.data(), 4); | 1652 memcpy(server_nonce, plaintext.data(), 4); |
1652 memcpy(server_nonce + 4, server_nonce_orbit_, sizeof(server_nonce_orbit_)); | 1653 memcpy(server_nonce + 4, server_nonce_orbit_, sizeof(server_nonce_orbit_)); |
1653 memcpy(server_nonce + 4 + sizeof(server_nonce_orbit_), plaintext.data() + 4, | 1654 memcpy(server_nonce + 4 + sizeof(server_nonce_orbit_), plaintext.data() + 4, |
1654 20); | 1655 20); |
1655 COMPILE_ASSERT(4 + sizeof(server_nonce_orbit_) + 20 == sizeof(server_nonce), | 1656 static_assert(4 + sizeof(server_nonce_orbit_) + 20 == sizeof(server_nonce), |
1656 bad_nonce_buffer_length); | 1657 "bad nonce buffer length"); |
1657 | 1658 |
1658 InsertStatus nonce_error; | 1659 InsertStatus nonce_error; |
1659 { | 1660 { |
1660 base::AutoLock auto_lock(server_nonce_strike_register_lock_); | 1661 base::AutoLock auto_lock(server_nonce_strike_register_lock_); |
1661 if (server_nonce_strike_register_.get() == nullptr) { | 1662 if (server_nonce_strike_register_.get() == nullptr) { |
1662 server_nonce_strike_register_.reset(new StrikeRegister( | 1663 server_nonce_strike_register_.reset(new StrikeRegister( |
1663 server_nonce_strike_register_max_entries_, | 1664 server_nonce_strike_register_max_entries_, |
1664 static_cast<uint32>(now.ToUNIXSeconds()), | 1665 static_cast<uint32>(now.ToUNIXSeconds()), |
1665 server_nonce_strike_register_window_secs_, server_nonce_orbit_, | 1666 server_nonce_strike_register_window_secs_, server_nonce_orbit_, |
1666 StrikeRegister::NO_STARTUP_PERIOD_NEEDED)); | 1667 StrikeRegister::NO_STARTUP_PERIOD_NEEDED)); |
(...skipping 24 matching lines...) Expand all Loading... | |
1691 QuicCryptoServerConfig::Config::Config() | 1692 QuicCryptoServerConfig::Config::Config() |
1692 : channel_id_enabled(false), | 1693 : channel_id_enabled(false), |
1693 is_primary(false), | 1694 is_primary(false), |
1694 primary_time(QuicWallTime::Zero()), | 1695 primary_time(QuicWallTime::Zero()), |
1695 priority(0), | 1696 priority(0), |
1696 source_address_token_boxer(nullptr) {} | 1697 source_address_token_boxer(nullptr) {} |
1697 | 1698 |
1698 QuicCryptoServerConfig::Config::~Config() { STLDeleteElements(&key_exchanges); } | 1699 QuicCryptoServerConfig::Config::~Config() { STLDeleteElements(&key_exchanges); } |
1699 | 1700 |
1700 } // namespace net | 1701 } // namespace net |
OLD | NEW |