| blob | 8aa4527bd735f9f5dc6e7383939677d5462a32cd |
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_QUIC_CRYPTO_QUIC_CRYPTO_CLIENT_CONFIG_H_
6 #define NET_QUIC_CRYPTO_QUIC_CRYPTO_CLIENT_CONFIG_H_
8 #include <map>
9 #include <string>
10 #include <vector>
28 // QuicCryptoClientConfig contains crypto-related configuration settings for a
29 // client. Note that this object isn't thread-safe. It's designed to be used on
30 // a single thread at a time.
33 // A CachedState contains the information that the client needs in order to
34 // perform a 0-RTT handshake with a server. This information can be reused
35 // over several connections to the same server.
41 // IsComplete returns true if this object contains enough information to
42 // perform a handshake with the server. |now| is used to judge whether any
43 // cached server config has expired.
46 // IsEmpty returns true if |server_config_| is empty.
49 // GetServerConfig returns the parsed contents of |server_config|, or NULL
50 // if |server_config| is empty. The return value is owned by this object
51 // and is destroyed when this object is.
54 // SetServerConfig checks that |server_config| parses correctly and stores
55 // it in |server_config_|. |now| is used to judge whether |server_config|
56 // has expired.
58 QuicWallTime now,
61 // InvalidateServerConfig clears the cached server config (if any).
64 // SetProof stores a certificate chain and signature.
68 // Clears all the data.
71 // Clears the certificate chain and signature and invalidates the proof.
74 // SetProofValid records that the certificate chain and signature have been
75 // validated and that it's safe to assume that the server is legitimate.
76 // (Note: this does not check the chain or signature.)
79 // If the server config or the proof has changed then it needs to be
80 // revalidated. Helper function to keep server_config_valid_ and
81 // generation_counter_ in sync.
94 // SetProofVerifyDetails takes ownership of |details|.
97 // Copy the |server_config_|, |source_address_token_|, |certs_| and
98 // |server_config_sig_| from the |other|. The remaining fields,
99 // |generation_counter_|, |proof_verify_details_|, and |scfg_| remain
100 // unchanged.
103 // Initializes this cached state based on the arguments provided.
104 // Returns false if there is a problem parsing the server config.
109 QuicWallTime now);
115 // order.
118 // signed and |certs_| has been
119 // validated.
120 // Generation counter associated with the |server_config_|, |certs_| and
121 // |server_config_sig_| combination. It is incremented whenever we set
122 // server_config_valid_ to false.
123 uint64 generation_counter_;
127 // scfg contains the cached, parsed value of |server_config|.
131 };
136 // Sets the members to reasonable, default values.
139 // LookupOrCreate returns a CachedState for the given |server_id|. If no such
140 // CachedState currently exists, it will be created and cached.
143 // Delete all CachedState objects from cached_states_.
146 // FillInchoateClientHello sets |out| to be a CHLO message that elicits a
147 // source-address token or SCFG from a server. If |cached| is non-NULL, the
148 // source-address token will be taken from it. |out_params| is used in order
149 // to store the cached certs that were sent as hints to the server in
150 // |out_params->cached_certs|. |preferred_version| is the version of the
151 // QUIC protocol that this client chose to use initially. This allows the
152 // server to detect downgrade attacks.
159 // FillClientHello sets |out| to be a CHLO message based on the configuration
160 // of this object. This object must have cached enough information about
161 // the server's hostname in order to perform a handshake. This can be checked
162 // with the |IsComplete| member of |CachedState|.
163 //
164 // |now| and |rand| are used to generate the nonce and |out_params| is
165 // filled with the results of the handshake that the server is expected to
166 // accept. |preferred_version| is the version of the QUIC protocol that this
167 // client chose to use initially. This allows the server to detect downgrade
168 // attacks.
169 //
170 // If |channel_id_key| is not null, it is used to sign a secret value derived
171 // from the client and server's keys, and the Channel ID public key and the
172 // signature are placed in the CETV value of the CHLO.
174 QuicConnectionId connection_id,
177 QuicWallTime now,
184 // ProcessRejection processes a REJ message from a server and updates the
185 // cached information about that server. After this, |IsComplete| may return
186 // true for that server's CachedState. If the rejection message contains
187 // state about a future handshake (i.e. an nonce value from the server), then
188 // it will be saved in |out_params|. |now| is used to judge whether the
189 // server config in the rejection message has expired.
191 QuicWallTime now,
196 // ProcessServerHello processes the message in |server_hello|, updates the
197 // cached information about that server, writes the negotiated parameters to
198 // |out_params| and returns QUIC_NO_ERROR. If |server_hello| is unacceptable
199 // then it puts an error message in |error_details| and returns an error
200 // code. |negotiated_versions| contains the list of version, if any, that were
201 // present in a version negotiation packet previously recevied from the
202 // server. The contents of this list will be compared against the list of
203 // versions provided in the VER tag of the server hello.
205 QuicConnectionId connection_id,
213 // SetProofVerifier takes ownership of a |ProofVerifier| that clients are
214 // free to use in order to verify certificate chains from servers. If a
215 // ProofVerifier is set then the client will request a certificate chain from
216 // the server.
221 // SetChannelIDSource sets a ChannelIDSource that will be called, when the
222 // server supports channel IDs, to obtain a channel ID for signing a message
223 // proving possession of the channel ID. This object takes ownership of
224 // |source|.
227 // Initialize the CachedState from |canonical_crypto_config| for the
228 // |canonical_server_id| as the initial CachedState for |server_id|. We will
229 // copy config data only if |canonical_crypto_config| has valid proof.
234 // Adds |suffix| as a domain suffix for which the server's crypto config
235 // is expected to be shared among servers with the domain suffix. If a server
236 // matches this suffix, then the server config from another server with the
237 // suffix will be used to initialize the cached state for this server.
240 // Prefers AES-GCM (kAESG) over other AEAD algorithms. Call this method if
241 // the CPU has hardware acceleration for AES-GCM. This method can only be
242 // called after SetDefaults().
245 // Disables the use of ECDSA for proof verification.
246 // Call this method on platforms that do not support ECDSA.
247 // TODO(rch): remove this method when we drop support for Windows XP.
250 // Saves the |user_agent_id| that will be passed in QUIC's CHLO message.
253 }
258 // If the suffix of the hostname in |server_id| is in |canoncial_suffixes_|,
259 // then populate |cached| with the canonical cached state from
260 // |canonical_server_map_| for that suffix.
264 // cached_states_ maps from the server_id to the cached information about
265 // that server.
266 CachedStateMap cached_states_;
268 // Contains a map of servers which could share the same server config. Map
269 // from a canonical host suffix/port/scheme to a representative server with
270 // the canonical suffix, which has a plausible set of initial certificates
271 // (or at least server public key).
274 // Contains list of suffixes (for exmaple ".c.youtube.com",
275 // ".googlevideo.com") of canoncial hostnames.
281 // True if ECDSA should be disabled.
284 // The |user_agent_id_| passed in QUIC's CHLO message.
288 };