Add a ServerProofVerifier and ClientCertMode to QuicCryptoServerConfig.

These two parameters allow configuration of server endpoints that request (or
require) client certificates.

This CL adds the settings, but the implementation is left to a future change.

See go/quic-tls-client-certificates for details.

gfe-relnote: no behavior change (new settings are not used in gfe)
PiperOrigin-RevId: 291452792
Change-Id: Ia2a6299d51bec8446043ac859087882c5cac3b88
diff --git a/quic/core/crypto/quic_crypto_server_config.cc b/quic/core/crypto/quic_crypto_server_config.cc
index 9c40d8f..8ab550c 100644
--- a/quic/core/crypto/quic_crypto_server_config.cc
+++ b/quic/core/crypto/quic_crypto_server_config.cc
@@ -24,10 +24,12 @@
 #include "net/third_party/quiche/src/quic/core/crypto/key_exchange.h"
 #include "net/third_party/quiche/src/quic/core/crypto/p256_key_exchange.h"
 #include "net/third_party/quiche/src/quic/core/crypto/proof_source.h"
+#include "net/third_party/quiche/src/quic/core/crypto/proof_verifier.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_decrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_hkdf.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
+#include "net/third_party/quiche/src/quic/core/crypto/server_proof_verifier.h"
 #include "net/third_party/quiche/src/quic/core/crypto/tls_server_connection.h"
 #include "net/third_party/quiche/src/quic/core/proto/crypto_server_config_proto.h"
 #include "net/third_party/quiche/src/quic/core/proto/source_address_token_proto.h"
@@ -238,6 +240,7 @@
       primary_config_(nullptr),
       next_config_promotion_time_(QuicWallTime::Zero()),
       proof_source_(std::move(proof_source)),
+      client_cert_mode_(ClientCertMode::kNone),
       key_exchange_source_(std::move(key_exchange_source)),
       ssl_ctx_(TlsServerConnection::CreateSslCtx()),
       source_address_token_future_secs_(3600),
@@ -1732,6 +1735,23 @@
   return proof_source_.get();
 }
 
+ServerProofVerifier* QuicCryptoServerConfig::proof_verifier() const {
+  return proof_verifier_.get();
+}
+
+void QuicCryptoServerConfig::set_proof_verifier(
+    std::unique_ptr<ServerProofVerifier> proof_verifier) {
+  proof_verifier_ = std::move(proof_verifier);
+}
+
+ClientCertMode QuicCryptoServerConfig::client_cert_mode() const {
+  return client_cert_mode_;
+}
+
+void QuicCryptoServerConfig::set_client_cert_mode(ClientCertMode mode) {
+  client_cert_mode_ = mode;
+}
+
 SSL_CTX* QuicCryptoServerConfig::ssl_ctx() const {
   return ssl_ctx_.get();
 }
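Review bot: Nothing in `set_client_cert_mode` or `set_proof_verifier` ties the two settings together, so a config can be switched to a mode other than `ClientCertMode::kNone` while `proof_verifier()` still returns nullptr. The code that consumes these settings is deferred to a later change and is not visible here; when it lands it should fail closed in that state, rejecting the handshake rather than accepting a client certificate that nothing verified. Recording the contract now would help, e.g. `// A mode other than kNone requires a non-null proof_verifier(); set the verifier first.` above `set_client_cert_mode`. Both setters also write their member with no locking visible in this hunk, so presumably they are meant to be called before the config is shared with connections; that is worth stating too.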
diff --git a/quic/core/crypto/quic_crypto_server_config.h b/quic/core/crypto/quic_crypto_server_config.h
index 20aaa6f..4a8cb73 100644
--- a/quic/core/crypto/quic_crypto_server_config.h
+++ b/quic/core/crypto/quic_crypto_server_config.h
@@ -19,8 +19,10 @@
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_secret_boxer.h"
 #include "net/third_party/quiche/src/quic/core/crypto/key_exchange.h"
 #include "net/third_party/quiche/src/quic/core/crypto/proof_source.h"
+#include "net/third_party/quiche/src/quic/core/crypto/proof_verifier.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_compressed_certs_cache.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_crypto_proof.h"
+#include "net/third_party/quiche/src/quic/core/crypto/server_proof_verifier.h"
 #include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
 #include "net/third_party/quiche/src/quic/core/proto/source_address_token_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_time.h"
@@ -422,6 +424,11 @@
   }
 
   ProofSource* proof_source() const;
+  ServerProofVerifier* proof_verifier() const;
+  void set_proof_verifier(std::unique_ptr<ServerProofVerifier> proof_verifier);
+
+  ClientCertMode client_cert_mode() const;
+  void set_client_cert_mode(ClientCertMode client_cert_mode);
 
   SSL_CTX* ssl_ctx() const;
 
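Review bot: The four new accessors are declared without comments, and the ownership and null contract cannot be read off the signatures. `proof_verifier()` returns a non-owning pointer that is nullptr until `set_proof_verifier()` has been called, and the setter takes ownership and destroys any verifier set earlier, so a pointer obtained from the getter before that call dangles. I would add `// Returns the verifier for client certificates, or nullptr if none has been set. The config keeps ownership.` above the getter and a matching line on the setter. The parameter of `set_client_cert_mode` is named `client_cert_mode` here but `mode` in the .cc definition; one name for both keeps declaration and definition consistent.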
@@ -908,6 +915,8 @@
   // proof_source_ contains an object that can provide certificate chains and
   // signatures.
   std::unique_ptr<ProofSource> proof_source_;
+  std::unique_ptr<ServerProofVerifier> proof_verifier_;
+  ClientCertMode client_cert_mode_;
 
   // key_exchange_source_ contains an object that can provide key exchange
   // objects.
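Review bot: `proof_verifier_` and `client_cert_mode_` are added without comments, while `proof_source_` directly above and `key_exchange_source_` below each carry one. Something like `// proof_verifier_ verifies client certificates when client_cert_mode_ is not kNone; may be null.` would match the neighbours (the exact semantics should be confirmed against the design doc, since the implementation is not in this change). `client_cert_mode_` also has no default member initializer and relies on the constructor init list shown earlier in this diff; `ClientCertMode client_cert_mode_ = ClientCertMode::kNone;` would keep it from being read uninitialized if another constructor is added. The class body continues outside this hunk, so other constructors may already exist.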