gfe-relnote: add client address into Quic proof source/verifier interface. No behavior change as the client address remains unused in GFE. Not protected.
This is needed for Envoy as client address is need to retrieve certs in Envoy.
PiperOrigin-RevId: 309485174
Change-Id: I3962c648bf33e853205541689f6e14a0fec7fe2b
diff --git a/quic/core/crypto/crypto_server_test.cc b/quic/core/crypto/crypto_server_test.cc
index 4cf618b..ee9dc53 100644
--- a/quic/core/crypto/crypto_server_test.cc
+++ b/quic/core/crypto/crypto_server_test.cc
@@ -223,7 +223,7 @@
bool called = false;
QuicSocketAddress server_address(QuicIpAddress::Any4(), 5);
config_.ValidateClientHello(
- message, client_address_.host(), server_address,
+ message, client_address_, server_address,
supported_versions_.front().transport_version, &clock_, signed_config_,
std::make_unique<ValidateCallback>(this, true, "", &called));
EXPECT_TRUE(called);
@@ -241,7 +241,7 @@
bool* called) {
QuicSocketAddress server_address(QuicIpAddress::Any4(), 5);
config_.ValidateClientHello(
- message, client_address_.host(), server_address,
+ message, client_address_, server_address,
supported_versions_.front().transport_version, &clock_, signed_config_,
std::make_unique<ValidateCallback>(this, false, error_substr, called));
}
diff --git a/quic/core/crypto/proof_source.h b/quic/core/crypto/proof_source.h
index 9757099..c4224f4 100644
--- a/quic/core/crypto/proof_source.h
+++ b/quic/core/crypto/proof_source.h
@@ -119,6 +119,7 @@
//
// Callers should expect that |callback| might be invoked synchronously.
virtual void GetProof(const QuicSocketAddress& server_address,
+ const QuicSocketAddress& client_address,
const std::string& hostname,
const std::string& server_config,
QuicTransportVersion transport_version,
@@ -128,6 +129,7 @@
// Returns the certificate chain for |hostname| in leaf-first order.
virtual QuicReferenceCountedPointer<Chain> GetCertChain(
const QuicSocketAddress& server_address,
+ const QuicSocketAddress& client_address,
const std::string& hostname) = 0;
// Computes a signature using the private key of the certificate for
@@ -140,6 +142,7 @@
// Callers should expect that |callback| might be invoked synchronously.
virtual void ComputeTlsSignature(
const QuicSocketAddress& server_address,
+ const QuicSocketAddress& client_address,
const std::string& hostname,
uint16_t signature_algorithm,
quiche::QuicheStringPiece in,
diff --git a/quic/core/crypto/proof_source_x509.cc b/quic/core/crypto/proof_source_x509.cc
index 89c4c43..6afc65f 100644
--- a/quic/core/crypto/proof_source_x509.cc
+++ b/quic/core/crypto/proof_source_x509.cc
@@ -30,6 +30,7 @@
void ProofSourceX509::GetProof(
const QuicSocketAddress& /*server_address*/,
+ const QuicSocketAddress& /*client_address*/,
const std::string& hostname,
const std::string& server_config,
QuicTransportVersion /*transport_version*/,
@@ -62,12 +63,14 @@
QuicReferenceCountedPointer<ProofSource::Chain> ProofSourceX509::GetCertChain(
const QuicSocketAddress& /*server_address*/,
+ const QuicSocketAddress& /*client_address*/,
const std::string& hostname) {
return GetCertificate(hostname)->chain;
}
void ProofSourceX509::ComputeTlsSignature(
const QuicSocketAddress& /*server_address*/,
+ const QuicSocketAddress& /*client_address*/,
const std::string& hostname,
uint16_t signature_algorithm,
quiche::QuicheStringPiece in,
diff --git a/quic/core/crypto/proof_source_x509.h b/quic/core/crypto/proof_source_x509.h
index f9a6796..8632d4b 100644
--- a/quic/core/crypto/proof_source_x509.h
+++ b/quic/core/crypto/proof_source_x509.h
@@ -28,6 +28,7 @@
// ProofSource implementation.
void GetProof(const QuicSocketAddress& server_address,
+ const QuicSocketAddress& client_address,
const std::string& hostname,
const std::string& server_config,
QuicTransportVersion transport_version,
@@ -35,9 +36,11 @@
std::unique_ptr<Callback> callback) override;
QuicReferenceCountedPointer<Chain> GetCertChain(
const QuicSocketAddress& server_address,
+ const QuicSocketAddress& client_address,
const std::string& hostname) override;
void ComputeTlsSignature(
const QuicSocketAddress& server_address,
+ const QuicSocketAddress& client_address,
const std::string& hostname,
uint16_t signature_algorithm,
quiche::QuicheStringPiece in,
diff --git a/quic/core/crypto/proof_source_x509_test.cc b/quic/core/crypto/proof_source_x509_test.cc
index f4c9146..23311d0 100644
--- a/quic/core/crypto/proof_source_x509_test.cc
+++ b/quic/core/crypto/proof_source_x509_test.cc
@@ -72,26 +72,38 @@
std::move(*wildcard_key_)));
// Default certificate.
- EXPECT_EQ(
- proof_source->GetCertChain(QuicSocketAddress(), "unknown.test")->certs[0],
- kTestCertificate);
+ EXPECT_EQ(proof_source
+ ->GetCertChain(QuicSocketAddress(), QuicSocketAddress(),
+ "unknown.test")
+ ->certs[0],
+ kTestCertificate);
// mail.example.org is explicitly a SubjectAltName in kTestCertificate.
- EXPECT_EQ(proof_source->GetCertChain(QuicSocketAddress(), "mail.example.org")
+ EXPECT_EQ(proof_source
+ ->GetCertChain(QuicSocketAddress(), QuicSocketAddress(),
+ "mail.example.org")
->certs[0],
kTestCertificate);
// www.foo.test is in kWildcardCertificate.
- EXPECT_EQ(
- proof_source->GetCertChain(QuicSocketAddress(), "www.foo.test")->certs[0],
- kWildcardCertificate);
- // *.wildcard.test is in kWildcardCertificate.
- EXPECT_EQ(proof_source->GetCertChain(QuicSocketAddress(), "www.wildcard.test")
+ EXPECT_EQ(proof_source
+ ->GetCertChain(QuicSocketAddress(), QuicSocketAddress(),
+ "www.foo.test")
->certs[0],
kWildcardCertificate);
- EXPECT_EQ(proof_source->GetCertChain(QuicSocketAddress(), "etc.wildcard.test")
+ // *.wildcard.test is in kWildcardCertificate.
+ EXPECT_EQ(proof_source
+ ->GetCertChain(QuicSocketAddress(), QuicSocketAddress(),
+ "www.wildcard.test")
+ ->certs[0],
+ kWildcardCertificate);
+ EXPECT_EQ(proof_source
+ ->GetCertChain(QuicSocketAddress(), QuicSocketAddress(),
+ "etc.wildcard.test")
->certs[0],
kWildcardCertificate);
// wildcard.test itself is not in kWildcardCertificate.
- EXPECT_EQ(proof_source->GetCertChain(QuicSocketAddress(), "wildcard.test")
+ EXPECT_EQ(proof_source
+ ->GetCertChain(QuicSocketAddress(), QuicSocketAddress(),
+ "wildcard.test")
->certs[0],
kTestCertificate);
}
@@ -114,9 +126,9 @@
ProofSourceX509::Create(test_chain_, std::move(*test_key_));
ASSERT_TRUE(proof_source != nullptr);
- proof_source->ComputeTlsSignature(QuicSocketAddress(), "example.com",
- SSL_SIGN_RSA_PSS_RSAE_SHA256, "Test data",
- std::make_unique<Callback>());
+ proof_source->ComputeTlsSignature(QuicSocketAddress(), QuicSocketAddress(),
+ "example.com", SSL_SIGN_RSA_PSS_RSAE_SHA256,
+ "Test data", std::make_unique<Callback>());
}
} // namespace
diff --git a/quic/core/crypto/quic_crypto_server_config.cc b/quic/core/crypto/quic_crypto_server_config.cc
index 36372ac..9cb089b 100644
--- a/quic/core/crypto/quic_crypto_server_config.cc
+++ b/quic/core/crypto/quic_crypto_server_config.cc
@@ -46,6 +46,7 @@
#include "net/third_party/quiche/src/quic/platform/api/quic_hostname_utils.h"
#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
#include "net/third_party/quiche/src/quic/platform/api/quic_reference_counted.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_socket_address.h"
#include "net/third_party/quiche/src/common/platform/api/quiche_string_piece.h"
#include "net/third_party/quiche/src/common/platform/api/quiche_text_utils.h"
@@ -524,7 +525,7 @@
void QuicCryptoServerConfig::ValidateClientHello(
const CryptoHandshakeMessage& client_hello,
- const QuicIpAddress& client_ip,
+ const QuicSocketAddress& client_address,
const QuicSocketAddress& server_address,
QuicTransportVersion version,
const QuicClock* clock,
@@ -533,8 +534,8 @@
const QuicWallTime now(clock->WallNow());
QuicReferenceCountedPointer<ValidateClientHelloResultCallback::Result> result(
- new ValidateClientHelloResultCallback::Result(client_hello, client_ip,
- now));
+ new ValidateClientHelloResultCallback::Result(
+ client_hello, client_address.host(), now));
quiche::QuicheStringPiece requested_scid;
client_hello.GetStringPiece(kSCID, &requested_scid);
@@ -551,8 +552,8 @@
signed_config->chain = nullptr;
signed_config->proof.signature = "";
signed_config->proof.leaf_cert_scts = "";
- EvaluateClientHello(server_address, version, configs, result,
- std::move(done_cb));
+ EvaluateClientHello(server_address, client_address, version, configs,
+ result, std::move(done_cb));
} else {
done_cb->Run(result, /* details = */ nullptr);
}
@@ -717,8 +718,9 @@
this, std::move(context), configs);
DCHECK(proof_source_.get());
- proof_source_->GetProof(server_address, sni, configs.primary->serialized,
- transport_version, chlo_hash, std::move(cb));
+ proof_source_->GetProof(server_address, client_address, sni,
+ configs.primary->serialized, transport_version,
+ chlo_hash, std::move(cb));
return;
}
@@ -1016,10 +1018,12 @@
const std::string sni(context->info().sni);
const QuicTransportVersion transport_version = context->transport_version();
+ const QuicSocketAddress& client_address = context->client_address();
auto cb = std::make_unique<SendRejectWithFallbackConfigCallback>(
this, std::move(context), fallback_config);
- proof_source_->GetProof(server_address, sni, fallback_config->serialized,
- transport_version, chlo_hash, std::move(cb));
+ proof_source_->GetProof(server_address, client_address, sni,
+ fallback_config->serialized, transport_version,
+ chlo_hash, std::move(cb));
}
void QuicCryptoServerConfig::SendRejectWithFallbackConfigAfterGetProof(
@@ -1196,6 +1200,7 @@
void QuicCryptoServerConfig::EvaluateClientHello(
const QuicSocketAddress& server_address,
+ const QuicSocketAddress& client_address,
QuicTransportVersion /*version*/,
const Configs& configs,
QuicReferenceCountedPointer<ValidateClientHelloResultCallback::Result>
@@ -1270,7 +1275,8 @@
}
QuicReferenceCountedPointer<ProofSource::Chain> chain =
- proof_source_->GetCertChain(server_address, std::string(info->sni));
+ proof_source_->GetCertChain(server_address, client_address,
+ std::string(info->sni));
if (!chain) {
info->reject_reasons.push_back(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE);
} else if (!ValidateExpectedLeafCertificate(client_hello, chain->certs)) {
@@ -1303,7 +1309,7 @@
quiche::QuicheStringPiece chlo_hash,
const SourceAddressTokens& previous_source_address_tokens,
const QuicSocketAddress& server_address,
- const QuicIpAddress& client_ip,
+ const QuicSocketAddress& client_address,
const QuicClock* clock,
QuicRandom* rand,
QuicCompressedCertsCache* compressed_certs_cache,
@@ -1318,8 +1324,8 @@
serialized = primary_config_->serialized;
common_cert_sets = primary_config_->common_cert_sets;
source_address_token = NewSourceAddressToken(
- *primary_config_, previous_source_address_tokens, client_ip, rand,
- clock->WallNow(), cached_network_params);
+ *primary_config_, previous_source_address_tokens, client_address.host(),
+ rand, clock->WallNow(), cached_network_params);
}
CryptoHandshakeMessage message;
@@ -1332,8 +1338,9 @@
this, compressed_certs_cache, common_cert_sets, params,
std::move(message), std::move(cb));
- proof_source_->GetProof(server_address, params.sni, serialized, version,
- chlo_hash, std::move(proof_source_cb));
+ proof_source_->GetProof(server_address, client_address, params.sni,
+ serialized, version, chlo_hash,
+ std::move(proof_source_cb));
}
QuicCryptoServerConfig::BuildServerConfigUpdateMessageProofSourceCallback::
diff --git a/quic/core/crypto/quic_crypto_server_config.h b/quic/core/crypto/quic_crypto_server_config.h
index 4fab2cd..9f2db60 100644
--- a/quic/core/crypto/quic_crypto_server_config.h
+++ b/quic/core/crypto/quic_crypto_server_config.h
@@ -294,7 +294,7 @@
// completion of an asynchronous operation.
void ValidateClientHello(
const CryptoHandshakeMessage& client_hello,
- const QuicIpAddress& client_ip,
+ const QuicSocketAddress& client_address,
const QuicSocketAddress& server_address,
QuicTransportVersion version,
const QuicClock* clock,
@@ -360,7 +360,7 @@
quiche::QuicheStringPiece chlo_hash,
const SourceAddressTokens& previous_source_address_tokens,
const QuicSocketAddress& server_address,
- const QuicIpAddress& client_ip,
+ const QuicSocketAddress& client_address,
const QuicClock* clock,
QuicRandom* rand,
QuicCompressedCertsCache* compressed_certs_cache,
@@ -553,6 +553,7 @@
// are written to |client_hello_state->info|.
void EvaluateClientHello(
const QuicSocketAddress& server_address,
+ const QuicSocketAddress& client_address,
QuicTransportVersion version,
const Configs& configs,
QuicReferenceCountedPointer<ValidateClientHelloResultCallback::Result>
diff --git a/quic/core/crypto/quic_crypto_server_config_test.cc b/quic/core/crypto/quic_crypto_server_config_test.cc
index 8dd1108..6f0c047 100644
--- a/quic/core/crypto/quic_crypto_server_config_test.cc
+++ b/quic/core/crypto/quic_crypto_server_config_test.cc
@@ -481,7 +481,7 @@
test_peer_.SelectNewPrimaryConfig(1000);
test_peer_.CheckConfigs({{"a", true}, {"b", false}});
CryptoHandshakeMessage client_hello;
- QuicIpAddress client_ip;
+ QuicSocketAddress client_address;
QuicSocketAddress server_address;
QuicTransportVersion transport_version = QUIC_VERSION_UNSUPPORTED;
for (const ParsedQuicVersion& version : AllSupportedVersions()) {
@@ -497,7 +497,7 @@
std::unique_ptr<ValidateClientHelloResultCallback> done_cb(
new ValidateCallback);
clock.AdvanceTime(QuicTime::Delta::FromSeconds(1100));
- config_.ValidateClientHello(client_hello, client_ip, server_address,
+ config_.ValidateClientHello(client_hello, client_address, server_address,
transport_version, &clock, signed_config,
std::move(done_cb));
test_peer_.CheckConfigs({{"a", false}, {"b", true}});
diff --git a/quic/core/quic_crypto_client_handshaker_test.cc b/quic/core/quic_crypto_client_handshaker_test.cc
index a74d7e7..e3d12fa 100644
--- a/quic/core/quic_crypto_client_handshaker_test.cc
+++ b/quic/core/quic_crypto_client_handshaker_test.cc
@@ -69,13 +69,14 @@
// ProofSource override.
void GetProof(const QuicSocketAddress& server_address,
+ const QuicSocketAddress& client_address,
const std::string& hostname,
const std::string& /*server_config*/,
QuicTransportVersion /*transport_version*/,
quiche::QuicheStringPiece /*chlo_hash*/,
std::unique_ptr<Callback> callback) override {
QuicReferenceCountedPointer<ProofSource::Chain> chain =
- GetCertChain(server_address, hostname);
+ GetCertChain(server_address, client_address, hostname);
QuicCryptoProof proof;
proof.signature = "Dummy signature";
proof.leaf_cert_scts = "Dummy timestamp";
@@ -84,6 +85,7 @@
QuicReferenceCountedPointer<Chain> GetCertChain(
const QuicSocketAddress& /*server_address*/,
+ const QuicSocketAddress& /*client_address*/,
const std::string& /*hostname*/) override {
std::vector<std::string> certs;
certs.push_back("Dummy cert");
@@ -93,6 +95,7 @@
void ComputeTlsSignature(
const QuicSocketAddress& /*server_address*/,
+ const QuicSocketAddress& /*client_address*/,
const std::string& /*hostname*/,
uint16_t /*signature_algorit*/,
quiche::QuicheStringPiece /*in*/,
diff --git a/quic/core/quic_crypto_client_stream_test.cc b/quic/core/quic_crypto_client_stream_test.cc
index d300127..6542382 100644
--- a/quic/core/quic_crypto_client_stream_test.cc
+++ b/quic/core/quic_crypto_client_stream_test.cc
@@ -285,7 +285,7 @@
crypto_config.BuildServerConfigUpdateMessage(
session_->transport_version(), stream()->chlo_hash(), tokens,
QuicSocketAddress(QuicIpAddress::Loopback6(), 1234),
- QuicIpAddress::Loopback6(), connection_->clock(),
+ QuicSocketAddress(QuicIpAddress::Loopback6(), 4321), connection_->clock(),
QuicRandom::GetInstance(), &cache, stream()->crypto_negotiated_params(),
&network_params,
std::unique_ptr<BuildServerConfigUpdateMessageResultCallback>(
diff --git a/quic/core/quic_crypto_server_stream.cc b/quic/core/quic_crypto_server_stream.cc
index c651351..66f8229 100644
--- a/quic/core/quic_crypto_server_stream.cc
+++ b/quic/core/quic_crypto_server_stream.cc
@@ -129,9 +129,9 @@
DCHECK(process_client_hello_cb_ == nullptr);
validate_client_hello_cb_ = cb.get();
crypto_config_->ValidateClientHello(
- message, GetClientAddress().host(),
- session()->connection()->self_address(), transport_version(),
- session()->connection()->clock(), signed_config_, std::move(cb));
+ message, GetClientAddress(), session()->connection()->self_address(),
+ transport_version(), session()->connection()->clock(), signed_config_,
+ std::move(cb));
}
void QuicCryptoServerStream::FinishProcessingHandshakeMessage(
@@ -245,7 +245,7 @@
crypto_config_->BuildServerConfigUpdateMessage(
session()->transport_version(), chlo_hash_,
previous_source_address_tokens_, session()->connection()->self_address(),
- GetClientAddress().host(), session()->connection()->clock(),
+ GetClientAddress(), session()->connection()->clock(),
session()->connection()->random_generator(), compressed_certs_cache_,
*crypto_negotiated_params_, cached_network_params, std::move(cb));
}
diff --git a/quic/core/tls_server_handshaker.cc b/quic/core/tls_server_handshaker.cc
index 249973c..baecf70 100644
--- a/quic/core/tls_server_handshaker.cc
+++ b/quic/core/tls_server_handshaker.cc
@@ -378,7 +378,8 @@
quiche::QuicheStringPiece in) {
signature_callback_ = new SignatureCallback(this);
proof_source_->ComputeTlsSignature(
- session()->connection()->self_address(), hostname_, sig_alg, in,
+ session()->connection()->self_address(),
+ session()->connection()->peer_address(), hostname_, sig_alg, in,
std::unique_ptr<SignatureCallback>(signature_callback_));
if (state_ == STATE_SIGNATURE_COMPLETE) {
return PrivateKeyComplete(out, out_len, max_out);
@@ -480,6 +481,7 @@
QuicReferenceCountedPointer<ProofSource::Chain> chain =
proof_source_->GetCertChain(session()->connection()->self_address(),
+ session()->connection()->peer_address(),
hostname_);
if (chain->certs.empty()) {
QUIC_LOG(ERROR) << "No certs provided for host '" << hostname_ << "'";
