      1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_
      6 #define NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_
      7 
      8 #include <string>
      9 #include <vector>
     10 
     11 #include "base/memory/scoped_ptr.h"
     12 #include "net/base/net_export.h"
     13 #include "net/quic/quic_protocol.h"
     14 
     15 namespace net {
     16 
     17 class CommonCertSets;
     18 class KeyExchange;
     19 class QuicDecrypter;
     20 class QuicEncrypter;
     21 
     22 // HandshakeFailureReason is HANDSHAKE_OK or one of the failure reasons grouped
     23 // below (client nonce, server nonce, server config, source-address token).
        //
        // The enum values are uploaded to UMA, so they cannot be changed: never
        // renumber or reuse an assigned value, and give a new reason a fresh value
        // placed before MAX_FAILURE_REASON. The COMPILE_ASSERT that follows this enum
        // caps MAX_FAILURE_REASON at 32.
     24 enum HandshakeFailureReason {
     25   HANDSHAKE_OK = 0,
     26 
     27   // Failure reasons for an invalid client nonce in CHLO.
          // NOTE(review): the uniqueness and time-range checks on nonces look like the
          // handshake's replay defence -- confirm against the strike-register code.
     28   //
     29   // The default error value for nonce verification failures from strike
     30   // register (covers old strike registers and unknown failures).
     31   CLIENT_NONCE_UNKNOWN_FAILURE = 1,
     32   // Client nonce had incorrect length.
     33   CLIENT_NONCE_INVALID_FAILURE = 2,
     34   // Client nonce is not unique.
     35   CLIENT_NONCE_NOT_UNIQUE_FAILURE = 3,
     36   // Client orbit is invalid or incorrect.
     37   CLIENT_NONCE_INVALID_ORBIT_FAILURE = 4,
     38   // Client nonce's timestamp is not in the strike register's valid time range.
     39   CLIENT_NONCE_INVALID_TIME_FAILURE = 5,
     40   // Strike register's RPC call timed out, client nonce couldn't be verified.
     41   CLIENT_NONCE_STRIKE_REGISTER_TIMEOUT = 6,
     42   // Strike register is down, client nonce couldn't be verified.
     43   CLIENT_NONCE_STRIKE_REGISTER_FAILURE = 7,
          // NOTE(review): reasons 6 and 7 mean the nonce could not be checked at all.
          // They are listed as failures here, but whether every caller rejects the
          // handshake on them is decided outside this header -- confirm.
     44 
     45   // Failure reasons for an invalid server nonce in CHLO.
     46   //
     47   // Unbox of server nonce failed.
     48   SERVER_NONCE_DECRYPTION_FAILURE = 8,
     49   // Decrypted server nonce had incorrect length.
     50   SERVER_NONCE_INVALID_FAILURE = 9,
     51   // Server nonce is not unique.
     52   SERVER_NONCE_NOT_UNIQUE_FAILURE = 10,
     53   // Server nonce's timestamp is not in the strike register's valid time range.
     54   SERVER_NONCE_INVALID_TIME_FAILURE = 11,
     55 
     56   // Failure reasons for an invalid server config in CHLO.
     57   //
     58   // Missing Server config id (kSCID) tag.
     59   SERVER_CONFIG_INCHOATE_HELLO_FAILURE = 12,
     60   // Couldn't find the Server config id (kSCID).
     61   SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE = 13,
     62 
     63   // Failure reasons for an invalid source-address token.
     64   //
     65   // Missing Source-address token (kSourceAddressTokenTag) tag.
     66   SOURCE_ADDRESS_TOKEN_INVALID_FAILURE = 14,
     67   // Unbox of Source-address token failed.
     68   SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE = 15,
     69   // Couldn't parse the unbox'ed Source-address token.
     70   SOURCE_ADDRESS_TOKEN_PARSE_FAILURE = 16,
     71   // Source-address token is for a different IP address.
     72   SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE = 17,
     73   // The source-address token has a timestamp in the future.
     74   SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE = 18,
     75   // The source-address token has expired.
     76   SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE = 19,
     77 
          // One past the last assigned reason (20 here, implied by the preceding
          // enumerator). Used as the bound in the COMPILE_ASSERT after this enum.
     78   MAX_FAILURE_REASON,
     79 };
     80 
     81 // These errors will be packed into a uint32 and we don't want to set the most
     82 // significant bit, which may be misinterpreted as the sign bit.
        //
        // NOTE(review): the bound permits a largest reason value of 31. That keeps bit
        // 31 clear only if the packing code maps reason r to a bit below 31 (for
        // example bit r - 1). The packing is not in this header -- confirm there
        // before adding reasons.
     83 COMPILE_ASSERT(MAX_FAILURE_REASON <= 32, failure_reason_out_of_sync);
     84 
     85 // A CrypterPair contains the encrypter and decrypter for an encryption level.
        // Both are held in scoped_ptr, so the pair owns them and destroying the pair
        // releases them. The constructor and destructor are only declared here.
     86 struct NET_EXPORT_PRIVATE CrypterPair {
     87   CrypterPair();
     88   ~CrypterPair();
          // NOTE(review): nothing in this header shows when either pointer is
          // populated, so users presumably have to handle the unset case -- confirm.
     89   scoped_ptr<QuicEncrypter> encrypter;
     90   scoped_ptr<QuicDecrypter> decrypter;
     91 };
     92 
     93 // Parameters negotiated by the crypto handshake.
        //
        // The struct carries key material (the premaster secrets and subkey_secret)
        // alongside non-secret negotiation state, so treat an instance as sensitive.
     94 struct NET_EXPORT_PRIVATE QuicCryptoNegotiatedParameters {
     95   // Initializes the members to 0 or empty values.
     96   QuicCryptoNegotiatedParameters();
     97   ~QuicCryptoNegotiatedParameters();
     98 
          // Tags for the key exchange method and the AEAD algorithm (presumably
          // values from QuicCryptoConfig::kexs and QuicCryptoConfig::aead -- confirm).
     99   QuicTag key_exchange;
    100   QuicTag aead;
          // NOTE(review): the three secrets below are held in plain std::string.
          // Nothing in this header shows them being wiped before their memory is
          // released, and copying the strings duplicates the secret -- check the
          // destructor definition and the callers.
    101   std::string initial_premaster_secret;
    102   std::string forward_secure_premaster_secret;
    103   // subkey_secret is used as the PRK input to the HKDF used for key extraction.
    104   std::string subkey_secret;
          // Encrypter/decrypter pairs for the initial and the forward-secure
          // encryption levels; each pair owns its crypters.
    105   CrypterPair initial_crypters;
    106   CrypterPair forward_secure_crypters;
    107   // Normalized SNI: converted to lower case and trailing '.' removed.
    108   std::string sni;
    109   std::string client_nonce;
    110   std::string server_nonce;
    111   // hkdf_input_suffix contains the HKDF input following the label: the
    112   // ConnectionId, client hello and server config. This is only populated in the
    113   // client because only the client needs to derive the forward secure keys at a
    114   // later time from the initial keys.
    115   std::string hkdf_input_suffix;
    116   // cached_certs contains the cached certificates that a client used when
    117   // sending a client hello.
    118   std::vector<std::string> cached_certs;
    119   // client_key_exchange is used by clients to store the ephemeral KeyExchange
    120   // for the connection.
          // Owned by this struct (scoped_ptr).
    121   scoped_ptr<KeyExchange> client_key_exchange;
    122   // channel_id is set by servers to a ChannelID key when the client correctly
    123   // proves possession of the corresponding private key. It consists of 32
    124   // bytes of x coordinate, followed by 32 bytes of y coordinate. Both values
    125   // are big-endian and the pair is a P-256 public key.
          // A populated value is therefore 64 bytes; the constructor comment above
          // says members start empty.
    126   std::string channel_id;
    127 
    128   // Used when generating proof signature when sending server config updates.
    129   bool x509_ecdsa_supported;
    130 
    131   // Used to generate cert chain when sending server config updates.
    132   std::string client_common_set_hashes;
    133   std::string client_cached_cert_hashes;
    134 };
    135 
    136 // QuicCryptoConfig contains common configuration between clients and servers.
        // All data members are public. Copying is disabled by
        // DISALLOW_COPY_AND_ASSIGN.
    137 class NET_EXPORT_PRIVATE QuicCryptoConfig {
    138  public:
          // The three labels below are only declared here; their string values are
          // defined elsewhere. Each key derivation has its own label.
          //
    139   // kInitialLabel is a constant that is used when deriving the initial
    140   // (non-forward secure) keys for the connection in order to tie the resulting
    141   // key to this protocol.
    142   static const char kInitialLabel[];
    143 
    144   // kCETVLabel is a constant that is used when deriving the keys for the
    145   // encrypted tag/value block in the client hello.
    146   static const char kCETVLabel[];
    147 
    148   // kForwardSecureLabel is a constant that is used when deriving the forward
    149   // secure keys for the connection in order to tie the resulting key to this
    150   // protocol.
    151   static const char kForwardSecureLabel[];
    152 
    153   QuicCryptoConfig();
    154   ~QuicCryptoConfig();
    155 
    156   // Key exchange methods. The following two members' values correspond by
    157   // index.
    158   QuicTagVector kexs;
    159   // Authenticated encryption with associated data (AEAD) algorithms.
    160   QuicTagVector aead;
    161 
          // NOTE(review): raw pointer, so the type expresses neither ownership nor
          // lifetime. Presumably not owned by this object and required to outlive
          // it -- confirm against the constructor and the code that sets it.
    162   const CommonCertSets* common_cert_sets;
    163 
    164  private:
    165   DISALLOW_COPY_AND_ASSIGN(QuicCryptoConfig);
    166 };
    167 
    168 }  // namespace net
    169 
    170 #endif  // NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_
    171