Home | History | Annotate | Download | only in crypto
      1 // Copyright 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef NET_QUIC_CRYPTO_QUIC_CRYPTO_CLIENT_CONFIG_H_
      6 #define NET_QUIC_CRYPTO_QUIC_CRYPTO_CLIENT_CONFIG_H_
      7 
      8 #include <map>
      9 #include <string>
     10 #include <vector>
     11 
     12 #include "base/memory/scoped_ptr.h"
     13 #include "base/strings/string_piece.h"
     14 #include "net/base/net_export.h"
     15 #include "net/quic/crypto/crypto_handshake.h"
     16 #include "net/quic/quic_protocol.h"
     17 #include "net/quic/quic_server_id.h"
     18 
     19 namespace net {
     20 
     21 class ChannelIDKey;
     22 class ChannelIDSource;
     23 class CryptoHandshakeMessage;
     24 class ProofVerifier;
     25 class ProofVerifyDetails;
     26 class QuicRandom;
     27 
     28 // QuicCryptoClientConfig contains crypto-related configuration settings for a
     29 // client. Note that this object isn't thread-safe. It's designed to be used on
     30 // a single thread at a time.
     31 class NET_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
     32  public:
     33   // A CachedState contains the information that the client needs in order to
     34   // perform a 0-RTT handshake with a server. This information can be reused
     35   // over several connections to the same server.
     36   class NET_EXPORT_PRIVATE CachedState {
     37    public:
     38     CachedState();
     39     ~CachedState();
     40 
     41     // IsComplete returns true if this object contains enough information to
     42     // perform a handshake with the server. |now| is used to judge whether any
     43     // cached server config has expired.
     44     bool IsComplete(QuicWallTime now) const;
     45 
     46     // IsEmpty returns true if |server_config_| is empty.
     47     bool IsEmpty() const;
     48 
     49     // GetServerConfig returns the parsed contents of |server_config|, or NULL
     50     // if |server_config| is empty. The return value is owned by this object
     51     // and is destroyed when this object is.
     52     const CryptoHandshakeMessage* GetServerConfig() const;
     53 
     54     // SetServerConfig checks that |server_config| parses correctly and stores
     55     // it in |server_config_|. |now| is used to judge whether |server_config|
     56     // has expired.
     57     QuicErrorCode SetServerConfig(base::StringPiece server_config,
     58                                   QuicWallTime now,
     59                                   std::string* error_details);
     60 
     61     // InvalidateServerConfig clears the cached server config (if any).
     62     void InvalidateServerConfig();
     63 
     64     // SetProof stores a certificate chain and signature.
     65     void SetProof(const std::vector<std::string>& certs,
     66                   base::StringPiece signature);
     67 
     68     // Clears all the data.
     69     void Clear();
     70 
     71     // Clears the certificate chain and signature and invalidates the proof.
     72     void ClearProof();
     73 
     74     // SetProofValid records that the certificate chain and signature have been
     75     // validated and that it's safe to assume that the server is legitimate.
     76     // (Note: this does not check the chain or signature.)
     77     void SetProofValid();
     78 
     79     // If the server config or the proof has changed then it needs to be
     80     // revalidated. Helper function to keep server_config_valid_ and
     81     // generation_counter_ in sync.
     82     void SetProofInvalid();
     83 
     84     const std::string& server_config() const;
     85     const std::string& source_address_token() const;
     86     const std::vector<std::string>& certs() const;
     87     const std::string& signature() const;
     88     bool proof_valid() const;
     89     uint64 generation_counter() const;
     90     const ProofVerifyDetails* proof_verify_details() const;
     91 
     92     void set_source_address_token(base::StringPiece token);
     93 
     94     // SetProofVerifyDetails takes ownership of |details|.
     95     void SetProofVerifyDetails(ProofVerifyDetails* details);
     96 
     97     // Copy the |server_config_|, |source_address_token_|, |certs_| and
     98     // |server_config_sig_| from the |other|.  The remaining fields,
     99     // |generation_counter_|, |proof_verify_details_|, and |scfg_| remain
    100     // unchanged.
    101     void InitializeFrom(const CachedState& other);
    102 
    103     // Initializes this cached state based on the arguments provided.
    104     // Returns false if there is a problem parsing the server config.
    105     bool Initialize(base::StringPiece server_config,
    106                     base::StringPiece source_address_token,
    107                     const std::vector<std::string>& certs,
    108                     base::StringPiece signature,
    109                     QuicWallTime now);
    110 
    111    private:
    112     std::string server_config_;         // A serialized handshake message.
    113     std::string source_address_token_;  // An opaque proof of IP ownership.
    114     std::vector<std::string> certs_;    // A list of certificates in leaf-first
    115                                         // order.
    116     std::string server_config_sig_;     // A signature of |server_config_|.
    117     bool server_config_valid_;          // True if |server_config_| is correctly
    118                                         // signed and |certs_| has been
    119                                         // validated.
    120     // Generation counter associated with the |server_config_|, |certs_| and
    121     // |server_config_sig_| combination. It is incremented whenever we set
    122     // server_config_valid_ to false.
    123     uint64 generation_counter_;
    124 
    125     scoped_ptr<ProofVerifyDetails> proof_verify_details_;
    126 
    127     // scfg contains the cached, parsed value of |server_config|.
    128     mutable scoped_ptr<CryptoHandshakeMessage> scfg_;
    129 
    130     DISALLOW_COPY_AND_ASSIGN(CachedState);
    131   };
    132 
    133   QuicCryptoClientConfig();
    134   ~QuicCryptoClientConfig();
    135 
    136   // Sets the members to reasonable, default values.
    137   void SetDefaults();
    138 
    139   // LookupOrCreate returns a CachedState for the given |server_id|. If no such
    140   // CachedState currently exists, it will be created and cached.
    141   CachedState* LookupOrCreate(const QuicServerId& server_id);
    142 
    143   // Delete all CachedState objects from cached_states_.
    144   void ClearCachedStates();
    145 
    146   // FillInchoateClientHello sets |out| to be a CHLO message that elicits a
    147   // source-address token or SCFG from a server. If |cached| is non-NULL, the
    148   // source-address token will be taken from it. |out_params| is used in order
    149   // to store the cached certs that were sent as hints to the server in
    150   // |out_params->cached_certs|. |preferred_version| is the version of the
    151   // QUIC protocol that this client chose to use initially. This allows the
    152   // server to detect downgrade attacks.
    153   void FillInchoateClientHello(const QuicServerId& server_id,
    154                                const QuicVersion preferred_version,
    155                                const CachedState* cached,
    156                                QuicCryptoNegotiatedParameters* out_params,
    157                                CryptoHandshakeMessage* out) const;
    158 
    159   // FillClientHello sets |out| to be a CHLO message based on the configuration
    160   // of this object. This object must have cached enough information about
    161   // the server's hostname in order to perform a handshake. This can be checked
    162   // with the |IsComplete| member of |CachedState|.
    163   //
    164   // |now| and |rand| are used to generate the nonce and |out_params| is
    165   // filled with the results of the handshake that the server is expected to
    166   // accept. |preferred_version| is the version of the QUIC protocol that this
    167   // client chose to use initially. This allows the server to detect downgrade
    168   // attacks.
    169   //
    170   // If |channel_id_key| is not null, it is used to sign a secret value derived
    171   // from the client and server's keys, and the Channel ID public key and the
    172   // signature are placed in the CETV value of the CHLO.
    173   QuicErrorCode FillClientHello(const QuicServerId& server_id,
    174                                 QuicConnectionId connection_id,
    175                                 const QuicVersion preferred_version,
    176                                 const CachedState* cached,
    177                                 QuicWallTime now,
    178                                 QuicRandom* rand,
    179                                 const ChannelIDKey* channel_id_key,
    180                                 QuicCryptoNegotiatedParameters* out_params,
    181                                 CryptoHandshakeMessage* out,
    182                                 std::string* error_details) const;
    183 
    184   // ProcessRejection processes a REJ message from a server and updates the
    185   // cached information about that server. After this, |IsComplete| may return
    186   // true for that server's CachedState. If the rejection message contains
    187   // state about a future handshake (i.e. an nonce value from the server), then
    188   // it will be saved in |out_params|. |now| is used to judge whether the
    189   // server config in the rejection message has expired.
    190   QuicErrorCode ProcessRejection(const CryptoHandshakeMessage& rej,
    191                                  QuicWallTime now,
    192                                  CachedState* cached,
    193                                  QuicCryptoNegotiatedParameters* out_params,
    194                                  std::string* error_details);
    195 
    196   // ProcessServerHello processes the message in |server_hello|, updates the
    197   // cached information about that server, writes the negotiated parameters to
    198   // |out_params| and returns QUIC_NO_ERROR. If |server_hello| is unacceptable
    199   // then it puts an error message in |error_details| and returns an error
    200   // code. |negotiated_versions| contains the list of version, if any, that were
    201   // present in a version negotiation packet previously recevied from the
    202   // server. The contents of this list will be compared against the list of
    203   // versions provided in the VER tag of the server hello.
    204   QuicErrorCode ProcessServerHello(const CryptoHandshakeMessage& server_hello,
    205                                    QuicConnectionId connection_id,
    206                                    const QuicVersionVector& negotiated_versions,
    207                                    CachedState* cached,
    208                                    QuicCryptoNegotiatedParameters* out_params,
    209                                    std::string* error_details);
    210 
    211   ProofVerifier* proof_verifier() const;
    212 
    213   // SetProofVerifier takes ownership of a |ProofVerifier| that clients are
    214   // free to use in order to verify certificate chains from servers. If a
    215   // ProofVerifier is set then the client will request a certificate chain from
    216   // the server.
    217   void SetProofVerifier(ProofVerifier* verifier);
    218 
    219   ChannelIDSource* channel_id_source() const;
    220 
    221   // SetChannelIDSource sets a ChannelIDSource that will be called, when the
    222   // server supports channel IDs, to obtain a channel ID for signing a message
    223   // proving possession of the channel ID. This object takes ownership of
    224   // |source|.
    225   void SetChannelIDSource(ChannelIDSource* source);
    226 
    227   // Initialize the CachedState from |canonical_crypto_config| for the
    228   // |canonical_server_id| as the initial CachedState for |server_id|. We will
    229   // copy config data only if |canonical_crypto_config| has valid proof.
    230   void InitializeFrom(const QuicServerId& server_id,
    231                       const QuicServerId& canonical_server_id,
    232                       QuicCryptoClientConfig* canonical_crypto_config);
    233 
    234   // Adds |suffix| as a domain suffix for which the server's crypto config
    235   // is expected to be shared among servers with the domain suffix. If a server
    236   // matches this suffix, then the server config from another server with the
    237   // suffix will be used to initialize the cached state for this server.
    238   void AddCanonicalSuffix(const std::string& suffix);
    239 
    240   // Prefers AES-GCM (kAESG) over other AEAD algorithms. Call this method if
    241   // the CPU has hardware acceleration for AES-GCM. This method can only be
    242   // called after SetDefaults().
    243   void PreferAesGcm();
    244 
    245   // Disables the use of ECDSA for proof verification.
    246   // Call this method on platforms that do not support ECDSA.
    247   // TODO(rch): remove this method when we drop support for Windows XP.
    248   void DisableEcdsa();
    249 
    250   // Saves the |user_agent_id| that will be passed in QUIC's CHLO message.
    251   void set_user_agent_id(const std::string& user_agent_id) {
    252     user_agent_id_ = user_agent_id;
    253   }
    254 
    255  private:
    256   typedef std::map<QuicServerId, CachedState*> CachedStateMap;
    257 
    258   // If the suffix of the hostname in |server_id| is in |canoncial_suffixes_|,
    259   // then populate |cached| with the canonical cached state from
    260   // |canonical_server_map_| for that suffix.
    261   void PopulateFromCanonicalConfig(const QuicServerId& server_id,
    262                                    CachedState* cached);
    263 
    264   // cached_states_ maps from the server_id to the cached information about
    265   // that server.
    266   CachedStateMap cached_states_;
    267 
    268   // Contains a map of servers which could share the same server config. Map
    269   // from a canonical host suffix/port/scheme to a representative server with
    270   // the canonical suffix, which has a plausible set of initial certificates
    271   // (or at least server public key).
    272   std::map<QuicServerId, QuicServerId> canonical_server_map_;
    273 
    274   // Contains list of suffixes (for exmaple ".c.youtube.com",
    275   // ".googlevideo.com") of canoncial hostnames.
    276   std::vector<std::string> canoncial_suffixes_;
    277 
    278   scoped_ptr<ProofVerifier> proof_verifier_;
    279   scoped_ptr<ChannelIDSource> channel_id_source_;
    280 
    281   // True if ECDSA should be disabled.
    282   bool disable_ecdsa_;
    283 
    284   // The |user_agent_id_| passed in QUIC's CHLO message.
    285   std::string user_agent_id_;
    286 
    287   DISALLOW_COPY_AND_ASSIGN(QuicCryptoClientConfig);
    288 };
    289 
    290 }  // namespace net
    291 
    292 #endif  // NET_QUIC_CRYPTO_QUIC_CRYPTO_CLIENT_CONFIG_H_
    293