| blob | b306886cf990bd216c296ba2a4135f40df75f096 |
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_
6 #define NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_
8 #include <map>
9 #include <string>
10 #include <vector>
40 // ClientHelloInfo contains information about a client hello message that is
41 // only kept for as long as it's being processed.
46 // Inputs to EvaluateClientHello.
50 // Outputs from EvaluateClientHello.
58 SourceAddressTokens source_address_tokens;
60 // Errors from EvaluateClientHello.
63 };
69 // Hook that allows application code to subscribe to primary config changes.
78 };
80 // Callback used to accept the result of the |client_hello| validation step.
83 // Opaque token that holds information about the client_hello and
84 // its validity. Can be interpreted by calling ProcessClientHello.
87 IPAddressNumber in_client_ip,
88 QuicWallTime in_now);
91 CryptoHandshakeMessage client_hello;
92 ClientHelloInfo info;
93 QuicErrorCode error_code;
96 // Populated if the CHLO STK contained a CachedNetworkParameters proto.
97 CachedNetworkParameters cached_network_params;
98 };
110 };
112 // QuicCryptoServerConfig contains the crypto configuration of a QUIC server.
113 // Unlike a client, a QUIC server can have multiple configurations active in
114 // order to support clients resuming with a previous configuration.
115 // TODO(agl): when adding configurations at runtime is added, this object will
116 // need to consider locking.
119 // ConfigOptions contains options for generating server configs.
123 // expiry_time is the time, in UNIX seconds, when the server config will
124 // expire. If unset, it defaults to the current time plus six months.
125 QuicWallTime expiry_time;
126 // channel_id_enabled controls whether the server config will indicate
127 // support for ChannelIDs.
129 // id contains the server config id for the resulting config. If empty, a
130 // random id is generated.
132 // orbit contains the kOrbitSize bytes of the orbit value for the server
133 // config. If |orbit| is empty then a random orbit is generated.
135 // p256 determines whether a P-256 public key will be included in the
136 // server config. Note that this breaks deterministic server-config
137 // generation since P-256 key generation doesn't use the QuicRandom given
138 // to DefaultConfig().
140 };
142 // |source_address_token_secret|: secret key material used for encrypting and
143 // decrypting source address tokens. It can be of any length as it is fed
144 // into a KDF before use. In tests, use TESTING.
145 // |server_nonce_entropy|: an entropy source used to generate the orbit and
146 // key for server nonces, which are always local to a given instance of a
147 // server.
152 // TESTING is a magic parameter for passing to the constructor in tests.
155 // Generates a QuicServerConfigProtobuf protobuf suitable for
156 // AddConfig and SetConfigs.
162 // AddConfig adds a QuicServerConfigProtobuf to the availible configurations.
163 // It returns the SCFG message from the config if successful. The caller
164 // takes ownership of the CryptoHandshakeMessage. |now| is used in
165 // conjunction with |protobuf->primary_time()| to determine whether the
166 // config should be made primary.
168 QuicWallTime now);
170 // AddDefaultConfig calls DefaultConfig to create a config and then calls
171 // AddConfig to add it. See the comment for |DefaultConfig| for details of
172 // the arguments.
178 // SetConfigs takes a vector of config protobufs and the current time.
179 // Configs are assumed to be uniquely identified by their server config ID.
180 // Previously unknown configs are added and possibly made the primary config
181 // depending on their |primary_time| and the value of |now|. Configs that are
182 // known, but are missing from the protobufs are deleted, unless they are
183 // currently the primary config. SetConfigs returns false if any errors were
184 // encountered and no changes to the QuicCryptoServerConfig will occur.
186 QuicWallTime now);
188 // Get the server config ids for all known configs.
191 // Checks |client_hello| for gross errors and determines whether it
192 // can be shown to be fresh (i.e. not a replay). The result of the
193 // validation step must be interpreted by calling
194 // QuicCryptoServerConfig::ProcessClientHello from the done_cb.
195 //
196 // ValidateClientHello may invoke the done_cb before unrolling the
197 // stack if it is able to assess the validity of the client_nonce
198 // without asynchronous operations.
199 //
200 // client_hello: the incoming client hello message.
201 // client_ip: the IP address of the client, which is used to generate and
202 // validate source-address tokens.
203 // clock: used to validate client nonces and ephemeral keys.
204 // done_cb: single-use callback that accepts an opaque
205 // ValidatedClientHelloMsg token that holds information about
206 // the client hello. The callback will always be called exactly
207 // once, either under the current call stack, or after the
208 // completion of an asynchronous operation.
210 IPAddressNumber client_ip,
214 // ProcessClientHello processes |client_hello| and decides whether to accept
215 // or reject the connection. If the connection is to be accepted, |out| is
216 // set to the contents of the ServerHello, |out_params| is completed and
217 // QUIC_NO_ERROR is returned. Otherwise |out| is set to be a REJ message and
218 // an error code is returned.
219 //
220 // validate_chlo_result: Output from the asynchronous call to
221 // ValidateClientHello. Contains the client hello message and
222 // information about it.
223 // connection_id: the ConnectionId for the connection, which is used in key
224 // derivation.
225 // server_ip: the IP address and port of the server. The IP address may be
226 // used for certificate selection.
227 // client_address: the IP address and port of the client. The IP address is
228 // used to generate and validate source-address tokens.
229 // version: version of the QUIC protocol in use for this connection
230 // supported_versions: versions of the QUIC protocol that this server
231 // supports.
232 // initial_flow_control_window: size of initial flow control window this
233 // server uses for new streams.
234 // clock: used to validate client nonces and ephemeral keys.
235 // rand: an entropy source
236 // params: the state of the handshake. This may be updated with a server
237 // nonce when we send a rejection. After a successful handshake, this will
238 // contain the state of the connection.
239 // out: the resulting handshake message (either REJ or SHLO)
240 // error_details: used to store a string describing any error.
243 QuicConnectionId connection_id,
246 QuicVersion version,
254 // BuildServerConfigUpdateMessage sets |out| to be a SCUP message containing
255 // the current primary config, an up to date source-address token, and cert
256 // chain and proof in the case of secure QUIC. Returns true if successfully
257 // filled |out|.
258 //
259 // |cached_network_params| is optional, and can be nullptr.
270 // SetProofSource installs |proof_source| as the ProofSource for handshakes.
271 // This object takes ownership of |proof_source|.
274 // SetEphemeralKeySource installs an object that can cache ephemeral keys for
275 // a short period of time. This object takes ownership of
276 // |ephemeral_key_source|. If not set then ephemeral keys will be generated
277 // per-connection.
280 // Install an externall created StrikeRegisterClient for use to
281 // interact with the strike register. This object takes ownership
282 // of the |strike_register_client|.
285 // set_replay_protection controls whether replay protection is enabled. If
286 // replay protection is disabled then no strike registers are needed and
287 // frontends can share an orbit value without a shared strike-register.
288 // However, an attacker can duplicate a handshake and cause a client's
289 // request to be processed twice.
292 // set_strike_register_no_startup_period configures the strike register to
293 // not have a startup period.
296 // set_strike_register_max_entries sets the maximum number of entries that
297 // the internal strike register will hold. If the strike register fills up
298 // then the oldest entries (by the client's clock) will be dropped.
301 // set_strike_register_window_secs sets the number of seconds around the
302 // current time that the strike register will attempt to be authoritative
303 // for. Setting a larger value allows for greater client clock-skew, but
304 // means that the quiescent startup period must be longer.
307 // set_source_address_token_future_secs sets the number of seconds into the
308 // future that source-address tokens will be accepted from. Since
309 // source-address tokens are authenticated, this should only happen if
310 // another, valid server has clock-skew.
313 // set_source_address_token_lifetime_secs sets the number of seconds that a
314 // source-address token will be valid for.
317 // set_server_nonce_strike_register_max_entries sets the number of entries in
318 // the server-nonce strike-register. This is used to record that server nonce
319 // values have been used. If the number of entries is too small then clients
320 // which are depending on server nonces may fail to handshake because their
321 // nonce has expired in the amount of time it took to go from the server to
322 // the client and back.
325 // set_server_nonce_strike_register_window_secs sets the number of seconds
326 // around the current time that the server-nonce strike-register will accept
327 // nonces from. Setting a larger value allows for clients to delay follow-up
328 // client hellos for longer and still use server nonces as proofs of
329 // uniqueness.
332 // Set and take ownership of the callback to invoke on primary config changes.
335 // Returns true if this config has a |proof_source_|.
338 // Returns the number of configs this object owns.
344 // Config represents a server config: a collection of preferences and
345 // Diffie-Hellman public values.
351 // TODO(rtenneti): since this is a class, we should probably do
352 // getters/setters here.
353 // |serialized| contains the bytes of this server config, suitable for
354 // sending on the wire.
356 // id contains the SCID of this server config.
358 // orbit contains the orbit value for this config: an opaque identifier
359 // used to identify clusters of server frontends.
362 // key_exchanges contains key exchange objects with the private keys
363 // already loaded. The values correspond, one-to-one, with the tags in
364 // |kexs| from the parent class.
367 // tag_value_map contains the raw key/value pairs for the config.
368 QuicTagValueMap tag_value_map;
370 // channel_id_enabled is true if the config in |serialized| specifies that
371 // ChannelIDs are supported.
374 // is_primary is true if this config is the one that we'll give out to
375 // clients as the current one.
378 // primary_time contains the timestamp when this config should become the
379 // primary config. A value of QuicWallTime::Zero() means that this config
380 // will not be promoted at a specific time.
381 QuicWallTime primary_time;
383 // Secondary sort key for use when selecting primary configs and
384 // there are multiple configs with the same primary time.
385 // Smaller numbers mean higher priority.
386 uint64 priority;
388 // source_address_token_boxer_ is used to protect the
389 // source-address tokens that are given to clients.
390 // Points to either source_address_token_boxer_storage or the
391 // default boxer provided by QuicCryptoServerConfig.
394 // Holds the override source_address_token_boxer instance if the
395 // Config is not using the default source address token boxer
396 // instance provided by QuicCryptoServerConfig.
405 };
409 // Get a ref to the config with a given server config id.
413 // ConfigPrimaryTimeLessThan returns true if a->primary_time <
414 // b->primary_time.
418 // SelectNewPrimaryConfig reevaluates the primary config based on the
419 // "primary_time" deadlines contained in each.
422 // EvaluateClientHello checks |client_hello| for gross errors and determines
423 // whether it can be shown to be fresh (i.e. not a replay). The results are
424 // written to |info|.
431 // BuildRejection sets |out| to be a REJ message in reply to |client_hello|.
441 // ParseConfigProtobuf parses the given config protobuf and returns a
442 // scoped_refptr<Config> if successful. The caller adopts the reference to the
443 // Config. On error, ParseConfigProtobuf returns nullptr.
446 // NewSourceAddressToken returns a fresh source address token for the given
447 // IP address. |cached_network_params| is optional, and can be nullptr.
453 QuicWallTime now,
456 // ParseSourceAddressToken parses the source address tokens contained in
457 // the encrypted |token|, and populates |tokens| with the parsed tokens.
458 // Returns HANDSHAKE_OK if |token| could be parsed, or the reason for the
459 // failure.
465 // ValidateSourceAddressToken returns HANDSHAKE_OK if the source address
466 // tokens in |tokens| contain a valid and timely token for the IP address
467 // |ip| given that the current time is |now|. Otherwise it returns the
468 // reason for failure. |cached_network_params| is populated if the valid
469 // token contains a CachedNetworkParameters proto.
470 // TODO(rch): remove this method when we remove:
471 // FLAGS_quic_use_multiple_address_in_source_tokens.
476 QuicWallTime now,
479 // ValidateSourceAddressTokens returns HANDSHAKE_OK if the source address
480 // tokens in |tokens| contain a valid and timely token for the IP address
481 // |ip| given that the current time is |now|. Otherwise it returns the
482 // reason for failure. |cached_network_params| is populated if the valid
483 // token contains a CachedNetworkParameters proto.
487 QuicWallTime now,
490 // ValidateSingleSourceAddressToken returns HANDSHAKE_OK if the source
491 // address token in |token| is a timely token for the IP address |ip|
492 // given that the current time is |now|. Otherwise it returns the reason
493 // for failure.
499 // Returns HANDSHAKE_OK if the source address token in |token| is a timely
500 // token given that the current time is |now|. Otherwise it returns the
501 // reason for failure.
506 // NewServerNonce generates and encrypts a random nonce.
509 // ValidateServerNonce decrypts |token| and verifies that it hasn't been
510 // previously used and is recent enough that it is plausible that it was part
511 // of a very recently provided rejection ("recent" will be on the order of
512 // 10-30 seconds). If so, it records that it has been used and returns
513 // HANDSHAKE_OK. Otherwise it returns the reason for failure.
518 // replay_protection_ controls whether the server enforces that handshakes
519 // aren't replays.
522 // configs_ satisfies the following invariants:
523 // 1) configs_.empty() <-> primary_config_ == nullptr
524 // 2) primary_config_ != nullptr -> primary_config_->is_primary
525 // 3) ∀ c∈configs_, c->is_primary <-> c == primary_config_
527 // configs_ contains all active server configs. It's expected that there are
528 // about half-a-dozen configs active at any one time.
529 ConfigMap configs_;
530 // primary_config_ points to a Config (which is also in |configs_|) which is
531 // the primary config - i.e. the one that we'll give out to new clients.
533 // next_config_promotion_time_ contains the nearest, future time when an
534 // active config will be promoted to primary.
536 // Callback to invoke when the primary config changes.
539 // Protects access to the pointer held by strike_register_client_.
541 // strike_register_ contains a data structure that keeps track of previously
542 // observed client nonces in order to prevent replay attacks.
545 // Default source_address_token_boxer_ used to protect the
546 // source-address tokens that are given to clients. Individual
547 // configs may use boxers with alternate secrets.
548 CryptoSecretBoxer default_source_address_token_boxer_;
550 // server_nonce_boxer_ is used to encrypt and validate suggested server
551 // nonces.
552 CryptoSecretBoxer server_nonce_boxer_;
554 // server_nonce_orbit_ contains the random, per-server orbit values that this
555 // server will use to generate server nonces (the moral equivalent of a SYN
556 // cookies).
560 // server_nonce_strike_register_ contains a data structure that keeps track of
561 // previously observed server nonces from this server, in order to prevent
562 // replay attacks.
565 // proof_source_ contains an object that can provide certificate chains and
566 // signatures.
569 // ephemeral_key_source_ contains an object that caches ephemeral keys for a
570 // short period of time.
573 // These fields store configuration values. See the comments for their
574 // respective setter functions.
576 uint32 strike_register_max_entries_;
577 uint32 strike_register_window_secs_;
578 uint32 source_address_token_future_secs_;
579 uint32 source_address_token_lifetime_secs_;
580 uint32 server_nonce_strike_register_max_entries_;
581 uint32 server_nonce_strike_register_window_secs_;
584 };