net/quic/crypto/crypto_handshake.h

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_
   6 #define NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_
   7
   8 #include <string>
   9 #include <vector>
  10
  11 #include "base/memory/scoped_ptr.h"
  12 #include "net/base/net_export.h"
  13 #include "net/quic/quic_protocol.h"
  14
  15 namespace net {
  16
  17 class CommonCertSets;
  18 class KeyExchange;
  19 class QuicDecrypter;
  20 class QuicEncrypter;
  21
  22 // HandshakeFailureReason enum values are uploaded to UMA, they cannot be
  23 // changed.
  24 enum HandshakeFailureReason {
  25   HANDSHAKE_OK = 0,
  26
  27   // Failure reasons for an invalid client nonce in CHLO.
  28   //
  29   // The default error value for nonce verification failures from strike
  30   // register (covers old strike registers and unknown failures).
  31   CLIENT_NONCE_UNKNOWN_FAILURE = 1,
  32   // Client nonce had incorrect length.
  33   CLIENT_NONCE_INVALID_FAILURE = 2,
  34   // Client nonce is not unique.
  35   CLIENT_NONCE_NOT_UNIQUE_FAILURE = 3,
  36   // Client orbit is invalid or incorrect.
  37   CLIENT_NONCE_INVALID_ORBIT_FAILURE = 4,
  38   // Client nonce's timestamp is not in the strike register's valid time range.
  39   CLIENT_NONCE_INVALID_TIME_FAILURE = 5,
  40   // Strike register's RPC call timed out, client nonce couldn't be verified.
  41   CLIENT_NONCE_STRIKE_REGISTER_TIMEOUT = 6,
  42   // Strike register is down, client nonce couldn't be verified.
  43   CLIENT_NONCE_STRIKE_REGISTER_FAILURE = 7,
  44
  45   // Failure reasons for an invalid server nonce in CHLO.
  46   //
  47   // Unbox of server nonce failed.
  48   SERVER_NONCE_DECRYPTION_FAILURE = 8,
  49   // Decrypted server nonce had incorrect length.
  50   SERVER_NONCE_INVALID_FAILURE = 9,
  51   // Server nonce is not unique.
  52   SERVER_NONCE_NOT_UNIQUE_FAILURE = 10,
  53   // Server nonce's timestamp is not in the strike register's valid time range.
  54   SERVER_NONCE_INVALID_TIME_FAILURE = 11,
  55   // The server requires handshake confirmation.
  56   SERVER_NONCE_REQUIRED_FAILURE = 20,
  57
  58   // Failure reasons for an invalid server config in CHLO.
  59   //
  60   // Missing Server config id (kSCID) tag.
  61   SERVER_CONFIG_INCHOATE_HELLO_FAILURE = 12,
  62   // Couldn't find the Server config id (kSCID).
  63   SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE = 13,
  64
  65   // Failure reasons for an invalid source-address token.
  66   //
  67   // Missing Source-address token (kSourceAddressTokenTag) tag.
  68   SOURCE_ADDRESS_TOKEN_INVALID_FAILURE = 14,
  69   // Unbox of Source-address token failed.
  70   SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE = 15,
  71   // Couldn't parse the unbox'ed Source-address token.
  72   SOURCE_ADDRESS_TOKEN_PARSE_FAILURE = 16,
  73   // Source-address token is for a different IP address.
  74   SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE = 17,
  75   // The source-address token has a timestamp in the future.
  76   SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE = 18,
  77   // The source-address token has expired.
  78   SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE = 19,
  79
  80   MAX_FAILURE_REASON = 21,
  81 };
  82
  83 // These errors will be packed into an uint32 and we don't want to set the most
  84 // significant bit, which may be misinterpreted as the sign bit.
  85 static_assert(MAX_FAILURE_REASON <= 32, "failure reason out of sync");
  86
  87 // A CrypterPair contains the encrypter and decrypter for an encryption level.
  88 struct NET_EXPORT_PRIVATE CrypterPair {
  89   CrypterPair();
  90   ~CrypterPair();
  91   scoped_ptr<QuicEncrypter> encrypter;
  92   scoped_ptr<QuicDecrypter> decrypter;
  93 };
  94
  95 // Parameters negotiated by the crypto handshake.
  96 struct NET_EXPORT_PRIVATE QuicCryptoNegotiatedParameters {
  97   // Initializes the members to 0 or empty values.
  98   QuicCryptoNegotiatedParameters();
  99   ~QuicCryptoNegotiatedParameters();
 100
 101   QuicTag key_exchange;
 102   QuicTag aead;
 103   std::string initial_premaster_secret;
 104   std::string forward_secure_premaster_secret;
 105   // subkey_secret is used as the PRK input to the HKDF used for key extraction.
 106   std::string subkey_secret;
 107   CrypterPair initial_crypters;
 108   CrypterPair forward_secure_crypters;
 109   // Normalized SNI: converted to lower case and trailing '.' removed.
 110   std::string sni;
 111   std::string client_nonce;
 112   std::string server_nonce;
 113   // hkdf_input_suffix contains the HKDF input following the label: the
 114   // ConnectionId, client hello and server config. This is only populated in the
 115   // client because only the client needs to derive the forward secure keys at a
 116   // later time from the initial keys.
 117   std::string hkdf_input_suffix;
 118   // cached_certs contains the cached certificates that a client used when
 119   // sending a client hello.
 120   std::vector<std::string> cached_certs;
 121   // client_key_exchange is used by clients to store the ephemeral KeyExchange
 122   // for the connection.
 123   scoped_ptr<KeyExchange> client_key_exchange;
 124   // channel_id is set by servers to a ChannelID key when the client correctly
 125   // proves possession of the corresponding private key. It consists of 32
 126   // bytes of x coordinate, followed by 32 bytes of y coordinate. Both values
 127   // are big-endian and the pair is a P-256 public key.
 128   std::string channel_id;
 129
 130   // Used when generating proof signature when sending server config updates.
 131   bool x509_ecdsa_supported;
 132
 133   // Used to generate cert chain when sending server config updates.
 134   std::string client_common_set_hashes;
 135   std::string client_cached_cert_hashes;
 136 };
 137
 138 // QuicCryptoConfig contains common configuration between clients and servers.
 139 class NET_EXPORT_PRIVATE QuicCryptoConfig {
 140  public:
 141   // kInitialLabel is a constant that is used when deriving the initial
 142   // (non-forward secure) keys for the connection in order to tie the resulting
 143   // key to this protocol.
 144   static const char kInitialLabel[];
 145
 146   // kCETVLabel is a constant that is used when deriving the keys for the
 147   // encrypted tag/value block in the client hello.
 148   static const char kCETVLabel[];
 149
 150   // kForwardSecureLabel is a constant that is used when deriving the forward
 151   // secure keys for the connection in order to tie the resulting key to this
 152   // protocol.
 153   static const char kForwardSecureLabel[];
 154
 155   QuicCryptoConfig();
 156   ~QuicCryptoConfig();
 157
 158   // Key exchange methods. The following two members' values correspond by
 159   // index.
 160   QuicTagVector kexs;
 161   // Authenticated encryption with associated data (AEAD) algorithms.
 162   QuicTagVector aead;
 163
 164   const CommonCertSets* common_cert_sets;
 165
 166  private:
 167   DISALLOW_COPY_AND_ASSIGN(QuicCryptoConfig);
 168 };
 169
 170 }  // namespace net
 171
 172 #endif  // NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_