Move Window's specific logic for disabling ECDSA from QuicCryptoyclientConfig

to QuicStreamFactory. Review URL: https://codereview.chromium.org/209413005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@260295 0039d316-1c4b-4281-b951-d872f2087c98

Move Window's specific logic for disabling ECDSA from QuicCryptoyclientConfig
to QuicStreamFactory. Review URL: https://codereview.chromium.org/209413005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@260295 0039d316-1c4b-4281-b951-d872f2087c98
3c6f8817 · rch@chromium.org · d377e991 · 3c6f8817 · 3c6f8817 · 3c6f8817
Commit 3c6f8817 authored Mar 28, 2014 by rch@chromium.org
4 changed files
--- a/net/quic/crypto/quic_crypto_client_config.cc
+++ b/net/quic/crypto/quic_crypto_client_config.cc
@@ -20,10 +20,6 @@
 #include "net/quic/quic_session_key.h"
 #include "net/quic/quic_utils.h"
-#if defined(OS_WIN)
-#include "base/win/windows_version.h"
-#endif
 using base::StringPiece;
 using std::find;
 using std::make_pair;
@@ -33,7 +29,8 @@ using std::vector;
 namespace net {
-QuicCryptoClientConfig::QuicCryptoClientConfig() {}
+QuicCryptoClientConfig::QuicCryptoClientConfig()
+    : disable_ecdsa_(false) {}
 QuicCryptoClientConfig::~QuicCryptoClientConfig() {
  STLDeleteValues(&cached_states_);
@@ -258,6 +255,8 @@ void QuicCryptoClientConfig::SetDefaults() {
    aead.push_back(kCC12);
  }
  aead.push_back(kAESG);
+  disable_ecdsa_ = false;
 }
 QuicCryptoClientConfig::CachedState* QuicCryptoClientConfig::LookupOrCreate(
@@ -294,14 +293,7 @@ void QuicCryptoClientConfig::FillInchoateClientHello(
  }
  if (server_key.is_https()) {
-    // Don't request ECDSA proofs on platforms that do not support ECDSA
+    if (disable_ecdsa_) {
-    // certificates.
-    bool disableECDSA = false;
-#if defined(OS_WIN)
-    if (base::win::GetVersion() < base::win::VERSION_VISTA)
-      disableECDSA = true;
-#endif
-    if (disableECDSA) {
      out->SetTaglist(kPDMD, kX59R, 0);
    } else {
      out->SetTaglist(kPDMD, kX509, 0);
@@ -707,6 +699,10 @@ void QuicCryptoClientConfig::PreferAesGcm() {
  }
 }
+void QuicCryptoClientConfig::DisableEcdsa() {
+  disable_ecdsa_ = true;
+}
 void QuicCryptoClientConfig::PopulateFromCanonicalConfig(
    const QuicSessionKey& server_key,
    CachedState* server_state) {

--- a/net/quic/crypto/quic_crypto_client_config.h
+++ b/net/quic/crypto/quic_crypto_client_config.h
@@ -229,6 +229,11 @@ class NET_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
  // called after SetDefaults().
  void PreferAesGcm();
+  // Disables the use of ECDSA for proof verification.
+  // Call this method on platforms that do not support ECDSA.
+  // TODO(rch): remove this method when we drop support for Windows XP.
+  void DisableEcdsa();
 private:
  typedef std::map<QuicSessionKey, CachedState*> CachedStateMap;
@@ -255,6 +260,9 @@ class NET_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
  scoped_ptr<ProofVerifier> proof_verifier_;
  scoped_ptr<ChannelIDSigner> channel_id_signer_;
+  // True if ECDSA should be disabled.
+  bool disable_ecdsa_;
  DISALLOW_COPY_AND_ASSIGN(QuicCryptoClientConfig);
 };

--- a/net/quic/crypto/quic_crypto_client_config_test.cc
+++ b/net/quic/crypto/quic_crypto_client_config_test.cc
@@ -74,6 +74,35 @@ TEST(QuicCryptoClientConfigTest, PreferAesGcm) {
  EXPECT_EQ(kAESG, config.aead[0]);
 }
+TEST(QuicCryptoClientConfigTest, InchoateChloSecure) {
+  QuicCryptoClientConfig::CachedState state;
+  QuicCryptoClientConfig config;
+  QuicCryptoNegotiatedParameters params;
+  CryptoHandshakeMessage msg;
+  QuicSessionKey server_key("www.google.com", 443, true, kPrivacyModeDisabled);
+  config.FillInchoateClientHello(server_key, QuicVersionMax(), &state,
+                                 &params, &msg);
+  QuicTag pdmd;
+  EXPECT_EQ(QUIC_NO_ERROR, msg.GetUint32(kPDMD, &pdmd));
+  EXPECT_EQ(kX509, pdmd);
+}
+TEST(QuicCryptoClientConfigTest, InchoateChloSecureNoEcdsa) {
+  QuicCryptoClientConfig::CachedState state;
+  QuicCryptoClientConfig config;
+  config.DisableEcdsa();
+  QuicCryptoNegotiatedParameters params;
+  CryptoHandshakeMessage msg;
+  QuicSessionKey server_key("www.google.com", 443, true, kPrivacyModeDisabled);
+  config.FillInchoateClientHello(server_key, QuicVersionMax(), &state,
+                                 &params, &msg);
+  QuicTag pdmd;
+  EXPECT_EQ(QUIC_NO_ERROR, msg.GetUint32(kPDMD, &pdmd));
+  EXPECT_EQ(kX59R, pdmd);
+}
 TEST(QuicCryptoClientConfigTest, ProcessServerDowngradeAttack) {
  QuicVersionVector supported_versions = QuicSupportedVersions();
  if (supported_versions.size() == 1) {

--- a/net/quic/quic_stream_factory.cc
+++ b/net/quic/quic_stream_factory.cc
@@ -35,6 +35,10 @@
 #include "net/quic/quic_session_key.h"
 #include "net/socket/client_socket_factory.h"
+#if defined(OS_WIN)
+#include "base/win/windows_version.h"
+#endif
 using std::string;
 using std::vector;
@@ -56,6 +60,15 @@ void HistogramCreateSessionFailure(enum CreateSessionFailure error) {
                            CREATION_ERROR_MAX);
 }
+bool IsEcdsaSupported() {
+#if defined(OS_WIN)
+  if (base::win::GetVersion() < base::win::VERSION_VISTA)
+    return false;
+#endif
+  return true;
+}
 }  // namespace
 QuicStreamFactory::IpAliasKey::IpAliasKey() {}
@@ -397,9 +410,10 @@ QuicStreamFactory::QuicStreamFactory(
  crypto_config_.AddCanonicalSuffix(".googlevideo.com");
  crypto_config_.SetProofVerifier(new ProofVerifierChromium(cert_verifier));
  base::CPU cpu;
-  if (cpu.has_aesni() && cpu.has_avx()) {
+  if (cpu.has_aesni() && cpu.has_avx())
    crypto_config_.PreferAesGcm();
-  }
+  if (!IsEcdsaSupported())
+    crypto_config_.DisableEcdsa();
 }
 QuicStreamFactory::~QuicStreamFactory() {