1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_QUIC_CRYPTO_CRYPTO_PROTOCOL_H_
6 #define NET_QUIC_CRYPTO_CRYPTO_PROTOCOL_H_
10 #include "net/base/net_export.h"
11 #include "net/quic/quic_protocol.h"
13 // Version and Crypto tags are written to the wire with a big-endian
14 // representation of the name of the tag. For example
15 // the client hello tag (CHLO) will be written as the
16 // following 4 bytes: 'C' 'H' 'L' 'O'. Since it is
17 // stored in memory as a little endian uint32, we need
18 // to reverse the order of the bytes.
20 // We use a macro to ensure that no static initialisers are created. Use the
21 // MakeQuicTag function in normal code.
22 #define TAG(a, b, c, d) \
23 static_cast<QuicTag>((d << 24) + (c << 16) + (b << 8) + a)
27 typedef std::string ServerConfigID
;
29 const QuicTag kCHLO
= TAG('C', 'H', 'L', 'O'); // Client hello
30 const QuicTag kSHLO
= TAG('S', 'H', 'L', 'O'); // Server hello
31 const QuicTag kSCFG
= TAG('S', 'C', 'F', 'G'); // Server config
32 const QuicTag kREJ
= TAG('R', 'E', 'J', '\0'); // Reject
33 const QuicTag kCETV
= TAG('C', 'E', 'T', 'V'); // Client encrypted tag-value
35 const QuicTag kPRST
= TAG('P', 'R', 'S', 'T'); // Public reset
36 const QuicTag kSCUP
= TAG('S', 'C', 'U', 'P'); // Server config update.
38 // Key exchange methods
39 const QuicTag kP256
= TAG('P', '2', '5', '6'); // ECDH, Curve P-256
40 const QuicTag kC255
= TAG('C', '2', '5', '5'); // ECDH, Curve25519
43 const QuicTag kNULL
= TAG('N', 'U', 'L', 'N'); // null algorithm
44 const QuicTag kAESG
= TAG('A', 'E', 'S', 'G'); // AES128 + GCM-12
45 const QuicTag kCC12
= TAG('C', 'C', '1', '2'); // ChaCha20 + Poly1305
47 // Socket receive buffer
48 const QuicTag kSRBF
= TAG('S', 'R', 'B', 'F'); // Socket receive buffer
50 // Congestion control feedback types
51 const QuicTag kQBIC
= TAG('Q', 'B', 'I', 'C'); // TCP cubic
53 // Connection options (COPT) values
54 const QuicTag kTBBR
= TAG('T', 'B', 'B', 'R'); // Reduced Buffer Bloat TCP
55 const QuicTag kRENO
= TAG('R', 'E', 'N', 'O'); // Reno Congestion Control
56 const QuicTag kIW10
= TAG('I', 'W', '1', '0'); // Force ICWND to 10
57 const QuicTag kPACE
= TAG('P', 'A', 'C', 'E'); // Paced TCP cubic
58 const QuicTag k1CON
= TAG('1', 'C', 'O', 'N'); // Emulate a single connection
59 const QuicTag kNTLP
= TAG('N', 'T', 'L', 'P'); // No tail loss probe
60 const QuicTag kNCON
= TAG('N', 'C', 'O', 'N'); // N Connection Congestion Ctrl
61 const QuicTag kNRTO
= TAG('N', 'R', 'T', 'O'); // CWND reduction on loss
63 // Loss detection algorithm types
64 const QuicTag kNACK
= TAG('N', 'A', 'C', 'K'); // TCP style nack counting
65 const QuicTag kTIME
= TAG('T', 'I', 'M', 'E'); // Time based
67 // Optional support of truncated Connection IDs. If sent by a peer, the value
68 // is the minimum number of bytes allowed for the connection ID sent to the
70 const QuicTag kTCID
= TAG('T', 'C', 'I', 'D'); // Connection ID truncation.
73 const QuicTag kFHDR
= TAG('F', 'H', 'D', 'R'); // FEC protect headers
75 // Enable bandwidth resumption experiment.
76 const QuicTag kBWRE
= TAG('B', 'W', 'R', 'E'); // Bandwidth resumption.
78 // Proof types (i.e. certificate types)
79 // NOTE: although it would be silly to do so, specifying both kX509 and kX59R
80 // is allowed and is equivalent to specifying only kX509.
81 const QuicTag kX509
= TAG('X', '5', '0', '9'); // X.509 certificate, all key
83 const QuicTag kX59R
= TAG('X', '5', '9', 'R'); // X.509 certificate, RSA keys
85 const QuicTag kCHID
= TAG('C', 'H', 'I', 'D'); // Channel ID.
88 const QuicTag kVER
= TAG('V', 'E', 'R', '\0'); // Version (new)
89 const QuicTag kNONC
= TAG('N', 'O', 'N', 'C'); // The client's nonce
90 const QuicTag kKEXS
= TAG('K', 'E', 'X', 'S'); // Key exchange methods
91 const QuicTag kAEAD
= TAG('A', 'E', 'A', 'D'); // Authenticated
92 // encryption algorithms
93 const QuicTag kCGST
= TAG('C', 'G', 'S', 'T'); // Congestion control
95 const QuicTag kCOPT
= TAG('C', 'O', 'P', 'T'); // Connection options
96 const QuicTag kICSL
= TAG('I', 'C', 'S', 'L'); // Idle connection state
98 const QuicTag kSCLS
= TAG('S', 'C', 'L', 'S'); // Silently close on timeout
99 const QuicTag kMSPC
= TAG('M', 'S', 'P', 'C'); // Max streams per connection.
100 const QuicTag kIRTT
= TAG('I', 'R', 'T', 'T'); // Estimated initial RTT in us.
101 const QuicTag kSWND
= TAG('S', 'W', 'N', 'D'); // Server's Initial congestion
103 const QuicTag kSNI
= TAG('S', 'N', 'I', '\0'); // Server name
105 const QuicTag kPUBS
= TAG('P', 'U', 'B', 'S'); // Public key values
106 const QuicTag kSCID
= TAG('S', 'C', 'I', 'D'); // Server config id
107 const QuicTag kORBT
= TAG('O', 'B', 'I', 'T'); // Server orbit.
108 const QuicTag kPDMD
= TAG('P', 'D', 'M', 'D'); // Proof demand.
109 const QuicTag kPROF
= TAG('P', 'R', 'O', 'F'); // Proof (signature).
110 const QuicTag kCCS
= TAG('C', 'C', 'S', 0); // Common certificate set
111 const QuicTag kCCRT
= TAG('C', 'C', 'R', 'T'); // Cached certificate
112 const QuicTag kEXPY
= TAG('E', 'X', 'P', 'Y'); // Expiry
113 const QuicTag kSFCW
= TAG('S', 'F', 'C', 'W'); // Initial stream flow control
115 const QuicTag kCFCW
= TAG('C', 'F', 'C', 'W'); // Initial session/connection
116 // flow control receive window.
117 const QuicTag kUAID
= TAG('U', 'A', 'I', 'D'); // Client's User Agent ID.
120 const QuicTag kRREJ
= TAG('R', 'R', 'E', 'J'); // Reasons for server sending
121 // rejection message tag.
124 const QuicTag kCADR
= TAG('C', 'A', 'D', 'R'); // Client IP address and port
127 const QuicTag kCIDK
= TAG('C', 'I', 'D', 'K'); // ChannelID key
128 const QuicTag kCIDS
= TAG('C', 'I', 'D', 'S'); // ChannelID signature
131 const QuicTag kRNON
= TAG('R', 'N', 'O', 'N'); // Public reset nonce proof
132 const QuicTag kRSEQ
= TAG('R', 'S', 'E', 'Q'); // Rejected sequence number
135 const QuicTag kPAD
= TAG('P', 'A', 'D', '\0'); // Padding
137 // These tags have a special form so that they appear either at the beginning
138 // or the end of a handshake message. Since handshake messages are sorted by
139 // tag value, the tags with 0 at the end will sort first and those with 255 at
140 // the end will sort last.
142 // The certificate chain should have a tag that will cause it to be sorted at
143 // the end of any handshake messages because it's likely to be large and the
144 // client might be able to get everything that it needs from the small values at
147 // Likewise tags with random values should be towards the beginning of the
148 // message because the server mightn't hold state for a rejected client hello
149 // and therefore the client may have issues reassembling the rejection message
150 // in the event that it sent two client hellos.
151 const QuicTag kServerNonceTag
=
152 TAG('S', 'N', 'O', 0); // The server's nonce
153 const QuicTag kSourceAddressTokenTag
=
154 TAG('S', 'T', 'K', 0); // Source-address token
155 const QuicTag kCertificateTag
=
156 TAG('C', 'R', 'T', 255); // Certificate chain
160 const size_t kMaxEntries
= 128; // Max number of entries in a message.
162 const size_t kNonceSize
= 32; // Size in bytes of the connection nonce.
164 const size_t kOrbitSize
= 8; // Number of bytes in an orbit value.
166 // kProofSignatureLabel is prepended to server configs before signing to avoid
167 // any cross-protocol attacks on the signature.
168 const char kProofSignatureLabel
[] = "QUIC server config signature";
170 // kClientHelloMinimumSize is the minimum size of a client hello. Client hellos
171 // will have PAD tags added in order to ensure this minimum is met and client
172 // hellos smaller than this will be an error. This minimum size reduces the
173 // amplification factor of any mirror DoS attack.
175 // A client may pad an inchoate client hello to a size larger than
176 // kClientHelloMinimumSize to make it more likely to receive a complete
177 // rejection message.
178 const size_t kClientHelloMinimumSize
= 1024;
182 #endif // NET_QUIC_CRYPTO_CRYPTO_PROTOCOL_H_