Google Git
Sign in
android / platform / external / chromium_org / 8bcbed8 / . / net / quic / crypto / crypto_handshake.h
blob: 1a344f6323cfe2749882c6c4c807af7c9d8b366f [file] [log] [blame]
// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_
#define NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_
#include <map>
#include <string>
#include <vector>
#include "base/memory/scoped_ptr.h"
#include "base/strings/string_piece.h"
#include "net/base/net_export.h"
#include "net/cert/cert_verify_result.h"
#include "net/cert/x509_certificate.h"
#include "net/quic/crypto/crypto_protocol.h"
#include "net/quic/crypto/proof_verifier.h"
#include "net/quic/quic_protocol.h"
namespace net {
class ChannelIDSigner;
class CommonCertSets;
class KeyExchange;
class ProofVerifier;
class QuicDecrypter;
class QuicEncrypter;
class QuicRandom;
// An intermediate format of a handshake message that's convenient for a
// CryptoFramer to serialize from or parse into.
class NET_EXPORT_PRIVATE CryptoHandshakeMessage {
public:
CryptoHandshakeMessage();
CryptoHandshakeMessage(const CryptoHandshakeMessage& other);
~CryptoHandshakeMessage();
CryptoHandshakeMessage& operator=(const CryptoHandshakeMessage& other);
// Clears state.
void Clear();
// GetSerialized returns the serialized form of this message and caches the
// result. Subsequently altering the message does not invalidate the cache.
const QuicData& GetSerialized() const;
// MarkDirty invalidates the cache created by |GetSerialized|.
void MarkDirty();
// SetValue sets an element with the given tag to the raw, memory contents of
// |v|.
template<class T> void SetValue(QuicTag tag, const T& v) {
tag_value_map_[tag] =
std::string(reinterpret_cast<const char*>(&v), sizeof(v));
}
// SetVector sets an element with the given tag to the raw contents of an
// array of elements in |v|.
template<class T> void SetVector(QuicTag tag, const std::vector<T>& v) {
if (v.empty()) {
tag_value_map_[tag] = std::string();
} else {
tag_value_map_[tag] = std::string(reinterpret_cast<const char*>(&v[0]),
v.size() * sizeof(T));
}
}
// Returns the message tag.
QuicTag tag() const { return tag_; }
// Sets the message tag.
void set_tag(QuicTag tag) { tag_ = tag; }
const QuicTagValueMap& tag_value_map() const { return tag_value_map_; }
// SetTaglist sets an element with the given tag to contain a list of tags,
// passed as varargs. The argument list must be terminated with a 0 element.
void SetTaglist(QuicTag tag, ...);
void SetStringPiece(QuicTag tag, base::StringPiece value);
// Erase removes a tag/value, if present, from the message.
void Erase(QuicTag tag);
// GetTaglist finds an element with the given tag containing zero or more
// tags. If such a tag doesn't exist, it returns false. Otherwise it sets
// |out_tags| and |out_len| to point to the array of tags and returns true.
// The array points into the CryptoHandshakeMessage and is valid only for as
// long as the CryptoHandshakeMessage exists and is not modified.
QuicErrorCode GetTaglist(QuicTag tag, const QuicTag** out_tags,
size_t* out_len) const;
bool GetStringPiece(QuicTag tag, base::StringPiece* out) const;
// GetNthValue24 interprets the value with the given tag to be a series of
// 24-bit, length prefixed values and it returns the subvalue with the given
// index.
QuicErrorCode GetNthValue24(QuicTag tag,
unsigned index,
base::StringPiece* out) const;
QuicErrorCode GetUint16(QuicTag tag, uint16* out) const;
QuicErrorCode GetUint32(QuicTag tag, uint32* out) const;
QuicErrorCode GetUint64(QuicTag tag, uint64* out) const;
// size returns 4 (message tag) + 2 (uint16, number of entries) +
// (4 (tag) + 4 (end offset))*tag_value_map_.size() + ∑ value sizes.
size_t size() const;
// set_minimum_size sets the minimum number of bytes that the message should
// consume. The CryptoFramer will add a PAD tag as needed when serializing in
// order to ensure this. Setting a value of 0 disables padding.
//
// Padding is useful in order to ensure that messages are a minimum size. A
// QUIC server can require a minimum size in order to reduce the
// amplification factor of any mirror DoS attack.
void set_minimum_size(size_t min_bytes);
size_t minimum_size() const;
// DebugString returns a multi-line, string representation of the message
// suitable for including in debug output.
std::string DebugString() const;
private:
// GetPOD is a utility function for extracting a plain-old-data value. If
// |tag| exists in the message, and has a value of exactly |len| bytes then
// it copies |len| bytes of data into |out|. Otherwise |len| bytes at |out|
// are zeroed out.
//
// If used to copy integers then this assumes that the machine is
// little-endian.
QuicErrorCode GetPOD(QuicTag tag, void* out, size_t len) const;
std::string DebugStringInternal(size_t indent) const;
QuicTag tag_;
QuicTagValueMap tag_value_map_;
size_t minimum_size_;
// The serialized form of the handshake message. This member is constructed
// lasily.
mutable scoped_ptr<QuicData> serialized_;
};
// A CrypterPair contains the encrypter and decrypter for an encryption level.
struct NET_EXPORT_PRIVATE CrypterPair {
CrypterPair();
~CrypterPair();
scoped_ptr<QuicEncrypter> encrypter;
scoped_ptr<QuicDecrypter> decrypter;
};
// Parameters negotiated by the crypto handshake.
struct NET_EXPORT_PRIVATE QuicCryptoNegotiatedParameters {
// Initializes the members to 0 or empty values.
QuicCryptoNegotiatedParameters();
~QuicCryptoNegotiatedParameters();
QuicTag key_exchange;
QuicTag aead;
std::string initial_premaster_secret;
std::string forward_secure_premaster_secret;
CrypterPair initial_crypters;
CrypterPair forward_secure_crypters;
// Normalized SNI: converted to lower case and trailing '.' removed.
std::string sni;
std::string client_nonce;
std::string server_nonce;
// hkdf_input_suffix contains the HKDF input following the label: the GUID,
// client hello and server config. This is only populated in the client
// because only the client needs to derive the forward secure keys at a later
// time from the initial keys.
std::string hkdf_input_suffix;
// cached_certs contains the cached certificates that a client used when
// sending a client hello.
std::vector<std::string> cached_certs;
// client_key_exchange is used by clients to store the ephemeral KeyExchange
// for the connection.
scoped_ptr<KeyExchange> client_key_exchange;
// channel_id is set by servers to a ChannelID key when the client correctly
// proves possession of the corresponding private key. It consists of 32
// bytes of x coordinate, followed by 32 bytes of y coordinate. Both values
// are big-endian and the pair is a P-256 public key.
std::string channel_id;
};
// QuicCryptoConfig contains common configuration between clients and servers.
class NET_EXPORT_PRIVATE QuicCryptoConfig {
public:
enum {
// CONFIG_VERSION is the one (and, for the moment, only) version number that
// we implement.
CONFIG_VERSION = 0,
};
// kInitialLabel is a constant that is used when deriving the initial
// (non-forward secure) keys for the connection in order to tie the resulting
// key to this protocol.
static const char kInitialLabel[];
// kCETVLabel is a constant that is used when deriving the keys for the
// encrypted tag/value block in the client hello.
static const char kCETVLabel[];
// kForwardSecureLabel is a constant that is used when deriving the forward
// secure keys for the connection in order to tie the resulting key to this
// protocol.
static const char kForwardSecureLabel[];
QuicCryptoConfig();
~QuicCryptoConfig();
// Protocol version
uint16 version;
// Key exchange methods. The following two members' values correspond by
// index.
QuicTagVector kexs;
// Authenticated encryption with associated data (AEAD) algorithms.
QuicTagVector aead;
const CommonCertSets* common_cert_sets;
private:
DISALLOW_COPY_AND_ASSIGN(QuicCryptoConfig);
};
// QuicCryptoClientConfig contains crypto-related configuration settings for a
// client. Note that this object isn't thread-safe. It's designed to be used on
// a single thread at a time.
class NET_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
public:
// A CachedState contains the information that the client needs in order to
// perform a 0-RTT handshake with a server. This information can be reused
// over several connections to the same server.
class NET_EXPORT_PRIVATE CachedState {
public:
CachedState();
~CachedState();
// IsComplete returns true if this object contains enough information to
// perform a handshake with the server. |now| is used to judge whether any
// cached server config has expired.
bool IsComplete(QuicWallTime now) const;
// GetServerConfig returns the parsed contents of |server_config|, or NULL
// if |server_config| is empty. The return value is owned by this object
// and is destroyed when this object is.
const CryptoHandshakeMessage* GetServerConfig() const;
// SetServerConfig checks that |server_config| parses correctly and stores
// it in |server_config_|. |now| is used to judge whether |server_config|
// has expired.
QuicErrorCode SetServerConfig(base::StringPiece server_config,
QuicWallTime now,
std::string* error_details);
// InvalidateServerConfig clears the cached server config (if any).
void InvalidateServerConfig();
// SetProof stores a certificate chain and signature.
void SetProof(const std::vector<std::string>& certs,
base::StringPiece signature);
// Clears the certificate chain and signature and invalidates the proof.
void ClearProof();
// SetProofValid records that the certificate chain and signature have been
// validated and that it's safe to assume that the server is legitimate.
// (Note: this does not check the chain or signature.)
void SetProofValid();
// If the server config or the proof has changed then it needs to be
// revalidated. Helper function to keep server_config_valid_ and
// generation_counter_ in sync.
void SetProofInvalid();
const std::string& server_config() const;
const std::string& source_address_token() const;
const std::vector<std::string>& certs() const;
const std::string& signature() const;
bool proof_valid() const;
uint64 generation_counter() const;
const ProofVerifyDetails* proof_verify_details() const;
void set_source_address_token(base::StringPiece token);
// SetProofVerifyDetails takes ownership of |details|.
void SetProofVerifyDetails(ProofVerifyDetails* details);
// Copy the |server_config_|, |source_address_token_|, |certs_| and
// |server_config_sig_| from the |other|. The remaining fields,
// |generation_counter_|, |proof_verify_details_|, and |scfg_| remain
// unchanged.
void InitializeFrom(const CachedState& other);
private:
std::string server_config_id_; // An opaque id from the server.
std::string server_config_; // A serialized handshake message.
std::string source_address_token_; // An opaque proof of IP ownership.
std::vector<std::string> certs_; // A list of certificates in leaf-first
// order.
std::string server_config_sig_; // A signature of |server_config_|.
bool server_config_valid_; // True if |server_config_| is correctly
// signed and |certs_| has been
// validated.
// Generation counter associated with the |server_config_|, |certs_| and
// |server_config_sig_| combination. It is incremented whenever we set
// server_config_valid_ to false.
uint64 generation_counter_;
scoped_ptr<ProofVerifyDetails> proof_verify_details_;
// scfg contains the cached, parsed value of |server_config|.
mutable scoped_ptr<CryptoHandshakeMessage> scfg_;
DISALLOW_COPY_AND_ASSIGN(CachedState);
};
QuicCryptoClientConfig();
~QuicCryptoClientConfig();
// Sets the members to reasonable, default values.
void SetDefaults();
// LookupOrCreate returns a CachedState for the given hostname. If no such
// CachedState currently exists, it will be created and cached.
CachedState* LookupOrCreate(const std::string& server_hostname);
// FillInchoateClientHello sets |out| to be a CHLO message that elicits a
// source-address token or SCFG from a server. If |cached| is non-NULL, the
// source-address token will be taken from it. |out_params| is used in order
// to store the cached certs that were sent as hints to the server in
// |out_params->cached_certs|.
void FillInchoateClientHello(const std::string& server_hostname,
const CachedState* cached,
QuicCryptoNegotiatedParameters* out_params,
CryptoHandshakeMessage* out) const;
// FillClientHello sets |out| to be a CHLO message based on the configuration
// of this object. This object must have cached enough information about
// |server_hostname| in order to perform a handshake. This can be checked
// with the |IsComplete| member of |CachedState|.
//
// |clock| and |rand| are used to generate the nonce and |out_params| is
// filled with the results of the handshake that the server is expected to
// accept.
QuicErrorCode FillClientHello(const std::string& server_hostname,
QuicGuid guid,
const CachedState* cached,
QuicWallTime now,
QuicRandom* rand,
QuicCryptoNegotiatedParameters* out_params,
CryptoHandshakeMessage* out,
std::string* error_details) const;
// ProcessRejection processes a REJ message from a server and updates the
// cached information about that server. After this, |IsComplete| may return
// true for that server's CachedState. If the rejection message contains
// state about a future handshake (i.e. an nonce value from the server), then
// it will be saved in |out_params|. |now| is used to judge whether the
// server config in the rejection message has expired.
QuicErrorCode ProcessRejection(const CryptoHandshakeMessage& rej,
QuicWallTime now,
CachedState* cached,
QuicCryptoNegotiatedParameters* out_params,
std::string* error_details);
// ProcessServerHello processes the message in |server_hello|, updates the
// cached information about that server, writes the negotiated parameters to
// |out_params| and returns QUIC_NO_ERROR. If |server_hello| is unacceptable
// then it puts an error message in |error_details| and returns an error
// code.
QuicErrorCode ProcessServerHello(const CryptoHandshakeMessage& server_hello,
QuicGuid guid,
CachedState* cached,
QuicCryptoNegotiatedParameters* out_params,
std::string* error_details);
ProofVerifier* proof_verifier() const;
// SetProofVerifier takes ownership of a |ProofVerifier| that clients are
// free to use in order to verify certificate chains from servers. If a
// ProofVerifier is set then the client will request a certificate chain from
// the server.
void SetProofVerifier(ProofVerifier* verifier);
ChannelIDSigner* channel_id_signer() const;
// SetChannelIDSigner sets a ChannelIDSigner that will be called when the
// server supports channel IDs to sign a message proving possession of the
// given ChannelID. This object takes ownership of |signer|.
void SetChannelIDSigner(ChannelIDSigner* signer);
// Initialize the CachedState from |canonical_crypto_config| for the
// |canonical_server_hostname| as the initial CachedState for
// |server_hostname|.
void InitializeFrom(const std::string& server_hostname,
const std::string& canonical_server_hostname,
QuicCryptoClientConfig* canonical_crypto_config);
private:
// cached_states_ maps from the server hostname to the cached information
// about that server.
std::map<std::string, CachedState*> cached_states_;
scoped_ptr<ProofVerifier> proof_verifier_;
scoped_ptr<ChannelIDSigner> channel_id_signer_;
DISALLOW_COPY_AND_ASSIGN(QuicCryptoClientConfig);
};
} // namespace net
#endif // NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_