| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/crypto_server_config.h" | 5 #include "net/quic/crypto/crypto_server_config.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 #include <algorithm> | 8 #include <algorithm> |
| 9 | 9 |
| 10 #include "base/stl_util.h" | 10 #include "base/stl_util.h" |
| 11 #include "base/strings/string_number_conversions.h" | 11 #include "base/strings/string_number_conversions.h" |
| 12 #include "crypto/hkdf.h" | 12 #include "crypto/hkdf.h" |
| 13 #include "crypto/secure_hash.h" | 13 #include "crypto/secure_hash.h" |
| 14 #include "net/base/net_util.h" |
| 14 #include "net/quic/crypto/aes_128_gcm_12_decrypter.h" | 15 #include "net/quic/crypto/aes_128_gcm_12_decrypter.h" |
| 15 #include "net/quic/crypto/aes_128_gcm_12_encrypter.h" | 16 #include "net/quic/crypto/aes_128_gcm_12_encrypter.h" |
| 16 #include "net/quic/crypto/cert_compressor.h" | 17 #include "net/quic/crypto/cert_compressor.h" |
| 17 #include "net/quic/crypto/channel_id.h" | 18 #include "net/quic/crypto/channel_id.h" |
| 18 #include "net/quic/crypto/crypto_framer.h" | 19 #include "net/quic/crypto/crypto_framer.h" |
| 19 #include "net/quic/crypto/crypto_server_config_protobuf.h" | 20 #include "net/quic/crypto/crypto_server_config_protobuf.h" |
| 20 #include "net/quic/crypto/crypto_utils.h" | 21 #include "net/quic/crypto/crypto_utils.h" |
| 21 #include "net/quic/crypto/curve25519_key_exchange.h" | 22 #include "net/quic/crypto/curve25519_key_exchange.h" |
| 22 #include "net/quic/crypto/ephemeral_key_source.h" | 23 #include "net/quic/crypto/ephemeral_key_source.h" |
| 23 #include "net/quic/crypto/key_exchange.h" | 24 #include "net/quic/crypto/key_exchange.h" |
| (...skipping 25 matching lines...) Expand all Loading... |
| 49 | 50 |
| 50 QuicCryptoServerConfig::QuicCryptoServerConfig( | 51 QuicCryptoServerConfig::QuicCryptoServerConfig( |
| 51 StringPiece source_address_token_secret, | 52 StringPiece source_address_token_secret, |
| 52 QuicRandom* rand) | 53 QuicRandom* rand) |
| 53 : replay_protection_(true), | 54 : replay_protection_(true), |
| 54 configs_lock_(), | 55 configs_lock_(), |
| 55 primary_config_(NULL), | 56 primary_config_(NULL), |
| 56 next_config_promotion_time_(QuicWallTime::Zero()), | 57 next_config_promotion_time_(QuicWallTime::Zero()), |
| 57 strike_register_lock_(), | 58 strike_register_lock_(), |
| 58 server_nonce_strike_register_lock_(), | 59 server_nonce_strike_register_lock_(), |
| 60 strike_register_no_startup_period_(false), |
| 59 strike_register_max_entries_(1 << 10), | 61 strike_register_max_entries_(1 << 10), |
| 60 strike_register_window_secs_(600), | 62 strike_register_window_secs_(600), |
| 61 source_address_token_future_secs_(3600), | 63 source_address_token_future_secs_(3600), |
| 62 source_address_token_lifetime_secs_(86400), | 64 source_address_token_lifetime_secs_(86400), |
| 63 server_nonce_strike_register_max_entries_(1 << 10), | 65 server_nonce_strike_register_max_entries_(1 << 10), |
| 64 server_nonce_strike_register_window_secs_(120) { | 66 server_nonce_strike_register_window_secs_(120) { |
| 65 crypto::HKDF hkdf(source_address_token_secret, StringPiece() /* no salt */, | 67 crypto::HKDF hkdf(source_address_token_secret, StringPiece() /* no salt */, |
| 66 "QUIC source address token key", | 68 "QUIC source address token key", |
| 67 CryptoSecretBoxer::GetKeySize(), | 69 CryptoSecretBoxer::GetKeySize(), |
| 68 0 /* no fixed IV needed */); | 70 0 /* no fixed IV needed */); |
| (...skipping 560 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 629 info->client_nonce_well_formed = true; | 631 info->client_nonce_well_formed = true; |
| 630 if (replay_protection_) { | 632 if (replay_protection_) { |
| 631 base::AutoLock auto_lock(strike_register_lock_); | 633 base::AutoLock auto_lock(strike_register_lock_); |
| 632 | 634 |
| 633 if (strike_register_.get() == NULL) { | 635 if (strike_register_.get() == NULL) { |
| 634 strike_register_.reset(new StrikeRegister( | 636 strike_register_.reset(new StrikeRegister( |
| 635 strike_register_max_entries_, | 637 strike_register_max_entries_, |
| 636 static_cast<uint32>(info->now.ToUNIXSeconds()), | 638 static_cast<uint32>(info->now.ToUNIXSeconds()), |
| 637 strike_register_window_secs_, | 639 strike_register_window_secs_, |
| 638 orbit, | 640 orbit, |
| 641 strike_register_no_startup_period_ ? |
| 642 StrikeRegister::NO_STARTUP_PERIOD_NEEDED : |
| 639 StrikeRegister::DENY_REQUESTS_AT_STARTUP)); | 643 StrikeRegister::DENY_REQUESTS_AT_STARTUP)); |
| 640 } | 644 } |
| 641 | 645 |
| 642 unique_by_strike_register = strike_register_->Insert( | 646 unique_by_strike_register = strike_register_->Insert( |
| 643 reinterpret_cast<const uint8*>(info->client_nonce.data()), | 647 reinterpret_cast<const uint8*>(info->client_nonce.data()), |
| 644 static_cast<uint32>(info->now.ToUNIXSeconds())); | 648 static_cast<uint32>(info->now.ToUNIXSeconds())); |
| 645 } | 649 } |
| 646 } | 650 } |
| 647 | 651 |
| 648 client_hello.GetStringPiece(kServerNonceTag, &info->server_nonce); | 652 client_hello.GetStringPiece(kServerNonceTag, &info->server_nonce); |
| (...skipping 252 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 901 | 905 |
| 902 void QuicCryptoServerConfig::SetEphemeralKeySource( | 906 void QuicCryptoServerConfig::SetEphemeralKeySource( |
| 903 EphemeralKeySource* ephemeral_key_source) { | 907 EphemeralKeySource* ephemeral_key_source) { |
| 904 ephemeral_key_source_.reset(ephemeral_key_source); | 908 ephemeral_key_source_.reset(ephemeral_key_source); |
| 905 } | 909 } |
| 906 | 910 |
| 907 void QuicCryptoServerConfig::set_replay_protection(bool on) { | 911 void QuicCryptoServerConfig::set_replay_protection(bool on) { |
| 908 replay_protection_ = on; | 912 replay_protection_ = on; |
| 909 } | 913 } |
| 910 | 914 |
| 915 void QuicCryptoServerConfig::set_strike_register_no_startup_period() { |
| 916 base::AutoLock auto_lock(strike_register_lock_); |
| 917 DCHECK(!strike_register_.get()); |
| 918 strike_register_no_startup_period_ = true; |
| 919 } |
| 920 |
| 911 void QuicCryptoServerConfig::set_strike_register_max_entries( | 921 void QuicCryptoServerConfig::set_strike_register_max_entries( |
| 912 uint32 max_entries) { | 922 uint32 max_entries) { |
| 913 base::AutoLock locker(strike_register_lock_); | 923 base::AutoLock locker(strike_register_lock_); |
| 914 DCHECK(!strike_register_.get()); | 924 DCHECK(!strike_register_.get()); |
| 915 strike_register_max_entries_ = max_entries; | 925 strike_register_max_entries_ = max_entries; |
| 916 } | 926 } |
| 917 | 927 |
| 918 void QuicCryptoServerConfig::set_strike_register_window_secs( | 928 void QuicCryptoServerConfig::set_strike_register_window_secs( |
| 919 uint32 window_secs) { | 929 uint32 window_secs) { |
| 920 base::AutoLock locker(strike_register_lock_); | 930 base::AutoLock locker(strike_register_lock_); |
| (...skipping 21 matching lines...) Expand all Loading... |
| 942 uint32 window_secs) { | 952 uint32 window_secs) { |
| 943 DCHECK(!server_nonce_strike_register_.get()); | 953 DCHECK(!server_nonce_strike_register_.get()); |
| 944 server_nonce_strike_register_window_secs_ = window_secs; | 954 server_nonce_strike_register_window_secs_ = window_secs; |
| 945 } | 955 } |
| 946 | 956 |
| 947 string QuicCryptoServerConfig::NewSourceAddressToken( | 957 string QuicCryptoServerConfig::NewSourceAddressToken( |
| 948 const IPEndPoint& ip, | 958 const IPEndPoint& ip, |
| 949 QuicRandom* rand, | 959 QuicRandom* rand, |
| 950 QuicWallTime now) const { | 960 QuicWallTime now) const { |
| 951 SourceAddressToken source_address_token; | 961 SourceAddressToken source_address_token; |
| 952 source_address_token.set_ip(ip.ToString()); | 962 source_address_token.set_ip(IPAddressToPackedString(ip.address())); |
| 953 source_address_token.set_timestamp(now.ToUNIXSeconds()); | 963 source_address_token.set_timestamp(now.ToUNIXSeconds()); |
| 954 | 964 |
| 955 return source_address_token_boxer_.Box( | 965 return source_address_token_boxer_.Box( |
| 956 rand, source_address_token.SerializeAsString()); | 966 rand, source_address_token.SerializeAsString()); |
| 957 } | 967 } |
| 958 | 968 |
| 959 bool QuicCryptoServerConfig::ValidateSourceAddressToken( | 969 bool QuicCryptoServerConfig::ValidateSourceAddressToken( |
| 960 StringPiece token, | 970 StringPiece token, |
| 961 const IPEndPoint& ip, | 971 const IPEndPoint& ip, |
| 962 QuicWallTime now) const { | 972 QuicWallTime now) const { |
| 963 string storage; | 973 string storage; |
| 964 StringPiece plaintext; | 974 StringPiece plaintext; |
| 965 if (!source_address_token_boxer_.Unbox(token, &storage, &plaintext)) { | 975 if (!source_address_token_boxer_.Unbox(token, &storage, &plaintext)) { |
| 966 return false; | 976 return false; |
| 967 } | 977 } |
| 968 | 978 |
| 969 SourceAddressToken source_address_token; | 979 SourceAddressToken source_address_token; |
| 970 if (!source_address_token.ParseFromArray(plaintext.data(), | 980 if (!source_address_token.ParseFromArray(plaintext.data(), |
| 971 plaintext.size())) { | 981 plaintext.size())) { |
| 972 return false; | 982 return false; |
| 973 } | 983 } |
| 974 | 984 |
| 975 if (source_address_token.ip() != ip.ToString()) { | 985 if (source_address_token.ip() != IPAddressToPackedString(ip.address())) { |
| 976 // It's for a different IP address. | 986 // It's for a different IP address. |
| 977 return false; | 987 return false; |
| 978 } | 988 } |
| 979 | 989 |
| 980 const QuicWallTime timestamp( | 990 const QuicWallTime timestamp( |
| 981 QuicWallTime::FromUNIXSeconds(source_address_token.timestamp())); | 991 QuicWallTime::FromUNIXSeconds(source_address_token.timestamp())); |
| 982 const QuicTime::Delta delta(now.AbsoluteDifference(timestamp)); | 992 const QuicTime::Delta delta(now.AbsoluteDifference(timestamp)); |
| 983 | 993 |
| 984 if (now.IsBefore(timestamp) && | 994 if (now.IsBefore(timestamp) && |
| 985 delta.ToSeconds() > source_address_token_future_secs_) { | 995 delta.ToSeconds() > source_address_token_future_secs_) { |
| (...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1061 } | 1071 } |
| 1062 | 1072 |
| 1063 QuicCryptoServerConfig::Config::Config() | 1073 QuicCryptoServerConfig::Config::Config() |
| 1064 : channel_id_enabled(false), | 1074 : channel_id_enabled(false), |
| 1065 is_primary(false), | 1075 is_primary(false), |
| 1066 primary_time(QuicWallTime::Zero()) {} | 1076 primary_time(QuicWallTime::Zero()) {} |
| 1067 | 1077 |
| 1068 QuicCryptoServerConfig::Config::~Config() { STLDeleteElements(&key_exchanges); } | 1078 QuicCryptoServerConfig::Config::~Config() { STLDeleteElements(&key_exchanges); } |
| 1069 | 1079 |
| 1070 } // namespace net | 1080 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 23464033:
Land Recent QUIC changes. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src