Home | History | Annotate | Download | only in crypto 
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef NET_QUIC_CRYPTO_CRYPTO_PROTOCOL_H_
      6 #define NET_QUIC_CRYPTO_CRYPTO_PROTOCOL_H_
      7 
      8 #include <map>
      9 #include <string>
     10 #include <vector>
     11 
     12 #include "net/base/net_export.h"
     13 #include "net/quic/quic_protocol.h"
     14 
     15 // Version and Crypto tags are written to the wire with a big-endian
     16 // representation of the name of the tag.  For example
     17 // the client hello tag (CHLO) will be written as the
     18 // following 4 bytes: 'C' 'H' 'L' 'O'.  Since it is
     19 // stored in memory as a little endian uint32, we need
     20 // to reverse the order of the bytes.
     21 //
     22 // We use a macro to ensure that no static initialisers are created. Use the
     23 // MakeQuicTag function in normal code.
     24 #define TAG(a, b, c, d) ((d << 24) + (c << 16) + (b << 8) + a)
     25 
     26 namespace net {
     27 
     28 typedef std::string ServerConfigID;
     29 typedef std::map<QuicTag, std::string> QuicTagValueMap;
     30 
     31 const QuicTag kCHLO = TAG('C', 'H', 'L', 'O');  // Client hello
     32 const QuicTag kSHLO = TAG('S', 'H', 'L', 'O');  // Server hello
     33 const QuicTag kSCFG = TAG('S', 'C', 'F', 'G');  // Server config
     34 const QuicTag kREJ  = TAG('R', 'E', 'J', '\0'); // Reject
     35 const QuicTag kCETV = TAG('C', 'E', 'T', 'V');  // Client encrypted tag-value
     36                                                 // pairs
     37 
     38 // Key exchange methods
     39 const QuicTag kP256 = TAG('P', '2', '5', '6');  // ECDH, Curve P-256
     40 const QuicTag kC255 = TAG('C', '2', '5', '5');  // ECDH, Curve25519
     41 
     42 // AEAD algorithms
     43 const QuicTag kNULL = TAG('N', 'U', 'L', 'N');  // null algorithm
     44 const QuicTag kAESG = TAG('A', 'E', 'S', 'G');  // AES128 + GCM-12
     45 
     46 // Congestion control feedback types
     47 const QuicTag kQBIC = TAG('Q', 'B', 'I', 'C');  // TCP cubic
     48 const QuicTag kPACE = TAG('P', 'A', 'C', 'E');  // Paced TCP cubic
     49 const QuicTag kINAR = TAG('I', 'N', 'A', 'R');  // Inter arrival
     50 
     51 // Proof types (i.e. certificate types)
     52 // NOTE: although it would be silly to do so, specifying both kX509 and kX59R
     53 // is allowed and is equivalent to specifying only kX509.
     54 const QuicTag kX509 = TAG('X', '5', '0', '9');  // X.509 certificate, all key
     55                                                 // types
     56 const QuicTag kX59R = TAG('X', '5', '9', 'R');  // X.509 certificate, RSA keys
     57                                                 // only
     58 const QuicTag kCHID = TAG('C', 'H', 'I', 'D');  // Channel ID.
     59 
     60 // Client hello tags
     61 // TODO(rch): Remove once we remove QUIC_VERSION_12.
     62 const QuicTag kVERS = TAG('V', 'E', 'R', 'S');  // Version (obsolete)
     63 const QuicTag kVER  = TAG('V', 'E', 'R', '\0'); // Version (new)
     64 const QuicTag kNONC = TAG('N', 'O', 'N', 'C');  // The client's nonce
     65 const QuicTag kKEXS = TAG('K', 'E', 'X', 'S');  // Key exchange methods
     66 const QuicTag kAEAD = TAG('A', 'E', 'A', 'D');  // Authenticated
     67                                                 // encryption algorithms
     68 const QuicTag kCGST = TAG('C', 'G', 'S', 'T');  // Congestion control
     69                                                 // feedback types
     70 const QuicTag kICSL = TAG('I', 'C', 'S', 'L');  // Idle connection state
     71                                                 // lifetime
     72 const QuicTag kKATO = TAG('K', 'A', 'T', 'O');  // Keepalive timeout
     73 const QuicTag kMSPC = TAG('M', 'S', 'P', 'C');  // Max streams per connection.
     74 const QuicTag kIRTT = TAG('I', 'R', 'T', 'T');  // Estimated initial RTT in us.
     75 const QuicTag kSWND = TAG('S', 'W', 'N', 'D');  // Server's Initial congestion
     76                                                 // window.
     77 const QuicTag kSNI  = TAG('S', 'N', 'I', '\0'); // Server name
     78                                                 // indication
     79 const QuicTag kPUBS = TAG('P', 'U', 'B', 'S');  // Public key values
     80 const QuicTag kSCID = TAG('S', 'C', 'I', 'D');  // Server config id
     81 const QuicTag kORBT = TAG('O', 'B', 'I', 'T');  // Server orbit.
     82 const QuicTag kPDMD = TAG('P', 'D', 'M', 'D');  // Proof demand.
     83 const QuicTag kPROF = TAG('P', 'R', 'O', 'F');  // Proof (signature).
     84 const QuicTag kCCS  = TAG('C', 'C', 'S', 0);    // Common certificate set
     85 const QuicTag kCCRT = TAG('C', 'C', 'R', 'T');  // Cached certificate
     86 const QuicTag kEXPY = TAG('E', 'X', 'P', 'Y');  // Expiry
     87 
     88 // CETV tags
     89 const QuicTag kCIDK = TAG('C', 'I', 'D', 'K');  // ChannelID key
     90 const QuicTag kCIDS = TAG('C', 'I', 'D', 'S');  // ChannelID signature
     91 
     92 // Universal tags
     93 const QuicTag kPAD  = TAG('P', 'A', 'D', '\0'); // Padding
     94 
     95 // These tags have a special form so that they appear either at the beginning
     96 // or the end of a handshake message. Since handshake messages are sorted by
     97 // tag value, the tags with 0 at the end will sort first and those with 255 at
     98 // the end will sort last.
     99 //
    100 // The certificate chain should have a tag that will cause it to be sorted at
    101 // the end of any handshake messages because it's likely to be large and the
    102 // client might be able to get everything that it needs from the small values at
    103 // the beginning.
    104 //
    105 // Likewise tags with random values should be towards the beginning of the
    106 // message because the server mightn't hold state for a rejected client hello
    107 // and therefore the client may have issues reassembling the rejection message
    108 // in the event that it sent two client hellos.
    109 const QuicTag kServerNonceTag =
    110     TAG('S', 'N', 'O', 0);  // The server's nonce
    111 const QuicTag kSourceAddressTokenTag =
    112     TAG('S', 'T', 'K', 0);  // Source-address token
    113 const QuicTag kCertificateTag =
    114     TAG('C', 'R', 'T', 255);  // Certificate chain
    115 
    116 #undef TAG
    117 
    118 const size_t kMaxEntries = 128;  // Max number of entries in a message.
    119 
    120 const size_t kNonceSize = 32;  // Size in bytes of the connection nonce.
    121 
    122 const size_t kOrbitSize = 8;  // Number of bytes in an orbit value.
    123 
    124 // kProofSignatureLabel is prepended to server configs before signing to avoid
    125 // any cross-protocol attacks on the signature.
    126 const char kProofSignatureLabel[] = "QUIC server config signature";
    127 
    128 // kClientHelloMinimumSize is the minimum size of a client hello. Client hellos
    129 // will have PAD tags added in order to ensure this minimum is met and client
    130 // hellos smaller than this will be an error. This minimum size reduces the
    131 // amplification factor of any mirror DoS attack.
    132 //
    133 // A client may pad an inchoate client hello to a size larger than
    134 // kClientHelloMinimumSize to make it more likely to receive a complete
    135 // rejection message.
    136 const size_t kClientHelloMinimumSize = 1024;
    137 
    138 // kClientHelloMinimumSizeOld is the previous value of kClientHelloMinimumSize.
    139 // To support old clients, the server only enforces this size.
    140 // TODO(wtc): Replace it with kClientHelloMinimumSize when we drop support for
    141 // QUIC_VERSION_12 clients.
    142 const size_t kClientHelloMinimumSizeOld = 512;
    143 
    144 }  // namespace net
    145 
    146 #endif  // NET_QUIC_CRYPTO_CRYPTO_PROTOCOL_H_
    147