1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef QUICHE_QUIC_CORE_CRYPTO_CRYPTO_PROTOCOL_H_ 6 #define QUICHE_QUIC_CORE_CRYPTO_CRYPTO_PROTOCOL_H_ 7 8 #include <cstddef> 9 #include <string> 10 11 #include "quiche/quic/core/quic_tag.h" 12 13 // Version and Crypto tags are written to the wire with a big-endian 14 // representation of the name of the tag. For example 15 // the client hello tag (CHLO) will be written as the 16 // following 4 bytes: 'C' 'H' 'L' 'O'. Since it is 17 // stored in memory as a little endian uint32_t, we need 18 // to reverse the order of the bytes. 19 // 20 // We use a macro to ensure that no static initialisers are created. Use the 21 // MakeQuicTag function in normal code. 22 #define TAG(a, b, c, d) \ 23 static_cast<QuicTag>((d << 24) + (c << 16) + (b << 8) + a) 24 25 namespace quic { 26 27 using ServerConfigID = std::string; 28 29 // The following tags have been deprecated and should not be reused: 30 // "1CON", "BBQ4", "NCON", "RCID", "SREJ", "TBKP", "TB10", "SCLS", "SMHL", 31 // "QNZR", "B2HI", "H2PR", "FIFO", "LIFO", "RRWS", "QNSP", "B2CL", "CHSP", 32 // "BPTE", "ACKD", "AKD2", "AKD4", "MAD1", "MAD4", "MAD5", "ACD0", "ACKQ", 33 // "TLPR", "CCS\0", "PDP4", "NCHP", "NBPE", "2RTO", "3RTO", "4RTO", "6RTO", 34 // "PDP1", "PDP2", "PDP3", "PDP5" "QLVE" 35 36 // clang-format off 37 const QuicTag kCHLO = TAG('C', 'H', 'L', 'O'); // Client hello 38 const QuicTag kSHLO = TAG('S', 'H', 'L', 'O'); // Server hello 39 const QuicTag kSCFG = TAG('S', 'C', 'F', 'G'); // Server config 40 const QuicTag kREJ = TAG('R', 'E', 'J', '\0'); // Reject 41 const QuicTag kCETV = TAG('C', 'E', 'T', 'V'); // Client encrypted tag-value 42 // pairs 43 const QuicTag kPRST = TAG('P', 'R', 'S', 'T'); // Public reset 44 const QuicTag kSCUP = TAG('S', 'C', 'U', 'P'); // Server config update 45 const QuicTag kALPN = TAG('A', 'L', 'P', 'N'); // Application-layer protocol 46 47 // Key exchange methods 48 const QuicTag kP256 = TAG('P', '2', '5', '6'); // ECDH, Curve P-256 49 const QuicTag kC255 = TAG('C', '2', '5', '5'); // ECDH, Curve25519 50 51 // AEAD algorithms 52 const QuicTag kAESG = TAG('A', 'E', 'S', 'G'); // AES128 + GCM-12 53 const QuicTag kCC20 = TAG('C', 'C', '2', '0'); // ChaCha20 + Poly1305 RFC7539 54 55 // Congestion control feedback types 56 const QuicTag kQBIC = TAG('Q', 'B', 'I', 'C'); // TCP cubic 57 58 // Connection options (COPT) values 59 const QuicTag kAFCW = TAG('A', 'F', 'C', 'W'); // Auto-tune flow control 60 // receive windows. 61 const QuicTag kIFW5 = TAG('I', 'F', 'W', '5'); // Set initial size 62 // of stream flow control 63 // receive window to 64 // 32KB. (2^5 KB). 65 const QuicTag kIFW6 = TAG('I', 'F', 'W', '6'); // Set initial size 66 // of stream flow control 67 // receive window to 68 // 64KB. (2^6 KB). 69 const QuicTag kIFW7 = TAG('I', 'F', 'W', '7'); // Set initial size 70 // of stream flow control 71 // receive window to 72 // 128KB. (2^7 KB). 73 const QuicTag kIFW8 = TAG('I', 'F', 'W', '8'); // Set initial size 74 // of stream flow control 75 // receive window to 76 // 256KB. (2^8 KB). 77 const QuicTag kIFW9 = TAG('I', 'F', 'W', '9'); // Set initial size 78 // of stream flow control 79 // receive window to 80 // 512KB. (2^9 KB). 81 const QuicTag kIFWA = TAG('I', 'F', 'W', 'a'); // Set initial size 82 // of stream flow control 83 // receive window to 84 // 1MB. (2^0xa KB). 85 const QuicTag kTBBR = TAG('T', 'B', 'B', 'R'); // Reduced Buffer Bloat TCP 86 const QuicTag k1RTT = TAG('1', 'R', 'T', 'T'); // STARTUP in BBR for 1 RTT 87 const QuicTag k2RTT = TAG('2', 'R', 'T', 'T'); // STARTUP in BBR for 2 RTTs 88 const QuicTag kLRTT = TAG('L', 'R', 'T', 'T'); // Exit STARTUP in BBR on loss 89 const QuicTag kBBS1 = TAG('B', 'B', 'S', '1'); // DEPRECATED 90 const QuicTag kBBS2 = TAG('B', 'B', 'S', '2'); // More aggressive packet 91 // conservation in BBR STARTUP 92 const QuicTag kBBS3 = TAG('B', 'B', 'S', '3'); // Slowstart packet 93 // conservation in BBR STARTUP 94 const QuicTag kBBS4 = TAG('B', 'B', 'S', '4'); // DEPRECATED 95 const QuicTag kBBS5 = TAG('B', 'B', 'S', '5'); // DEPRECATED 96 const QuicTag kBBRR = TAG('B', 'B', 'R', 'R'); // Rate-based recovery in BBR 97 const QuicTag kBBR1 = TAG('B', 'B', 'R', '1'); // DEPRECATED 98 const QuicTag kBBR2 = TAG('B', 'B', 'R', '2'); // DEPRECATED 99 const QuicTag kBBR3 = TAG('B', 'B', 'R', '3'); // Fully drain the queue once 100 // per cycle 101 const QuicTag kBBR4 = TAG('B', 'B', 'R', '4'); // 20 RTT ack aggregation 102 const QuicTag kBBR5 = TAG('B', 'B', 'R', '5'); // 40 RTT ack aggregation 103 const QuicTag kBBR9 = TAG('B', 'B', 'R', '9'); // DEPRECATED 104 const QuicTag kBBRA = TAG('B', 'B', 'R', 'A'); // Starts a new ack aggregation 105 // epoch if a full round has 106 // passed 107 const QuicTag kBBRB = TAG('B', 'B', 'R', 'B'); // Use send rate in BBR's 108 // MaxAckHeightTracker 109 const QuicTag kBBRS = TAG('B', 'B', 'R', 'S'); // DEPRECATED 110 const QuicTag kBBQ1 = TAG('B', 'B', 'Q', '1'); // DEPRECATED 111 const QuicTag kBBQ2 = TAG('B', 'B', 'Q', '2'); // BBRv2 with 2.885 STARTUP and 112 // DRAIN CWND gain. 113 const QuicTag kBBQ3 = TAG('B', 'B', 'Q', '3'); // BBR with ack aggregation 114 // compensation in STARTUP. 115 const QuicTag kBBQ5 = TAG('B', 'B', 'Q', '5'); // Expire ack aggregation upon 116 // bandwidth increase in 117 // STARTUP. 118 const QuicTag kBBQ6 = TAG('B', 'B', 'Q', '6'); // Reduce STARTUP gain to 25% 119 // more than BW increase. 120 const QuicTag kBBQ7 = TAG('B', 'B', 'Q', '7'); // Reduce bw_lo by 121 // bytes_lost/min_rtt. 122 const QuicTag kBBQ8 = TAG('B', 'B', 'Q', '8'); // Reduce bw_lo by 123 // bw_lo * bytes_lost/inflight 124 const QuicTag kBBQ9 = TAG('B', 'B', 'Q', '9'); // Reduce bw_lo by 125 // bw_lo * bytes_lost/cwnd 126 const QuicTag kBBQ0 = TAG('B', 'B', 'Q', '0'); // Increase bytes_acked in 127 // PROBE_UP when app limited. 128 const QuicTag kBBPD = TAG('B', 'B', 'P', 'D'); // Use 0.91 PROBE_DOWN gain. 129 const QuicTag kBBHI = TAG('B', 'B', 'H', 'I'); // Increase inflight_hi in 130 // PROBE_UP if ever inflight_hi 131 // limited in round 132 const QuicTag kRENO = TAG('R', 'E', 'N', 'O'); // Reno Congestion Control 133 const QuicTag kTPCC = TAG('P', 'C', 'C', '\0'); // Performance-Oriented 134 // Congestion Control 135 const QuicTag kBYTE = TAG('B', 'Y', 'T', 'E'); // TCP cubic or reno in bytes 136 const QuicTag kIW03 = TAG('I', 'W', '0', '3'); // Force ICWND to 3 137 const QuicTag kIW10 = TAG('I', 'W', '1', '0'); // Force ICWND to 10 138 const QuicTag kIW20 = TAG('I', 'W', '2', '0'); // Force ICWND to 20 139 const QuicTag kIW50 = TAG('I', 'W', '5', '0'); // Force ICWND to 50 140 const QuicTag kB2ON = TAG('B', '2', 'O', 'N'); // Enable BBRv2 141 const QuicTag kB2NA = TAG('B', '2', 'N', 'A'); // For BBRv2, do not add ack 142 // height to queueing threshold 143 const QuicTag kB2NE = TAG('B', '2', 'N', 'E'); // For BBRv2, always exit 144 // STARTUP on loss, even if 145 // bandwidth growth exceeds 146 // threshold. 147 const QuicTag kB2RP = TAG('B', '2', 'R', 'P'); // For BBRv2, run PROBE_RTT on 148 // the regular schedule 149 const QuicTag kB2LO = TAG('B', '2', 'L', 'O'); // Ignore inflight_lo in BBR2 150 const QuicTag kB2HR = TAG('B', '2', 'H', 'R'); // 15% inflight_hi headroom. 151 const QuicTag kB2SL = TAG('B', '2', 'S', 'L'); // When exiting STARTUP due to 152 // loss, set inflight_hi to the 153 // max of bdp and max bytes 154 // delivered in round. 155 const QuicTag kB2H2 = TAG('B', '2', 'H', '2'); // When exiting PROBE_UP due to 156 // loss, set inflight_hi to the 157 // max of inflight@send and max 158 // bytes delivered in round. 159 const QuicTag kB2RC = TAG('B', '2', 'R', 'C'); // Disable Reno-coexistence for 160 // BBR2. 161 const QuicTag kBSAO = TAG('B', 'S', 'A', 'O'); // Avoid Overestimation in 162 // Bandwidth Sampler with ack 163 // aggregation 164 const QuicTag kB2DL = TAG('B', '2', 'D', 'L'); // Increase inflight_hi based 165 // on delievered, not inflight. 166 const QuicTag kB201 = TAG('B', '2', '0', '1'); // DEPRECATED 167 const QuicTag kB202 = TAG('B', '2', '0', '2'); // Do not exit PROBE_UP if 168 // inflight dips below 1.25*BW. 169 const QuicTag kB203 = TAG('B', '2', '0', '3'); // Ignore inflight_hi until 170 // PROBE_UP is exited. 171 const QuicTag kB204 = TAG('B', '2', '0', '4'); // Reduce extra acked when 172 // MaxBW incrases. 173 const QuicTag kB205 = TAG('B', '2', '0', '5'); // Add extra acked to CWND in 174 // STARTUP. 175 const QuicTag kB206 = TAG('B', '2', '0', '6'); // Exit STARTUP after 2 losses. 176 const QuicTag kB207 = TAG('B', '2', '0', '7'); // Exit STARTUP on persistent 177 // queue 178 const QuicTag kBB2U = TAG('B', 'B', '2', 'U'); // Exit PROBE_UP on 179 // min_bytes_in_flight for two 180 // rounds in a row. 181 const QuicTag kBB2S = TAG('B', 'B', '2', 'S'); // Exit STARTUP on 182 // min_bytes_in_flight for two 183 // rounds in a row. 184 const QuicTag kNTLP = TAG('N', 'T', 'L', 'P'); // No tail loss probe 185 const QuicTag k1TLP = TAG('1', 'T', 'L', 'P'); // 1 tail loss probe 186 const QuicTag k1RTO = TAG('1', 'R', 'T', 'O'); // Send 1 packet upon RTO 187 const QuicTag kNRTO = TAG('N', 'R', 'T', 'O'); // CWND reduction on loss 188 const QuicTag kTIME = TAG('T', 'I', 'M', 'E'); // Time based loss detection 189 const QuicTag kATIM = TAG('A', 'T', 'I', 'M'); // Adaptive time loss detection 190 const QuicTag kMIN1 = TAG('M', 'I', 'N', '1'); // Min CWND of 1 packet 191 const QuicTag kMIN4 = TAG('M', 'I', 'N', '4'); // Min CWND of 4 packets, 192 // with a min rate of 1 BDP. 193 const QuicTag kMAD0 = TAG('M', 'A', 'D', '0'); // Ignore ack delay 194 const QuicTag kMAD2 = TAG('M', 'A', 'D', '2'); // No min TLP 195 const QuicTag kMAD3 = TAG('M', 'A', 'D', '3'); // No min RTO 196 const QuicTag k1ACK = TAG('1', 'A', 'C', 'K'); // 1 fast ack for reordering 197 const QuicTag kAKD3 = TAG('A', 'K', 'D', '3'); // Ack decimation style acking 198 // with 1/8 RTT acks. 199 const QuicTag kAKDU = TAG('A', 'K', 'D', 'U'); // Unlimited number of packets 200 // received before acking 201 const QuicTag kAFFE = TAG('A', 'F', 'F', 'E'); // Enable client receiving 202 // AckFrequencyFrame. 203 const QuicTag kAFF1 = TAG('A', 'F', 'F', '1'); // Use SRTT in building 204 // AckFrequencyFrame. 205 const QuicTag kAFF2 = TAG('A', 'F', 'F', '2'); // Send AckFrequencyFrame upon 206 // handshake completion. 207 const QuicTag kSSLR = TAG('S', 'S', 'L', 'R'); // Slow Start Large Reduction. 208 const QuicTag kNPRR = TAG('N', 'P', 'R', 'R'); // Pace at unity instead of PRR 209 const QuicTag k5RTO = TAG('5', 'R', 'T', 'O'); // Close connection on 5 RTOs 210 const QuicTag kCBHD = TAG('C', 'B', 'H', 'D'); // Client only blackhole 211 // detection. 212 const QuicTag kNBHD = TAG('N', 'B', 'H', 'D'); // No blackhole detection. 213 const QuicTag kCONH = TAG('C', 'O', 'N', 'H'); // Conservative Handshake 214 // Retransmissions. 215 const QuicTag kLFAK = TAG('L', 'F', 'A', 'K'); // Don't invoke FACK on the 216 // first ack. 217 const QuicTag kSTMP = TAG('S', 'T', 'M', 'P'); // DEPRECATED 218 const QuicTag kEACK = TAG('E', 'A', 'C', 'K'); // Bundle ack-eliciting frame 219 // with an ACK after PTO/RTO 220 221 const QuicTag kILD0 = TAG('I', 'L', 'D', '0'); // IETF style loss detection 222 // (default with 1/8 RTT time 223 // threshold) 224 const QuicTag kILD1 = TAG('I', 'L', 'D', '1'); // IETF style loss detection 225 // with 1/4 RTT time threshold 226 const QuicTag kILD2 = TAG('I', 'L', 'D', '2'); // IETF style loss detection 227 // with adaptive packet 228 // threshold 229 const QuicTag kILD3 = TAG('I', 'L', 'D', '3'); // IETF style loss detection 230 // with 1/4 RTT time threshold 231 // and adaptive packet 232 // threshold 233 const QuicTag kILD4 = TAG('I', 'L', 'D', '4'); // IETF style loss detection 234 // with both adaptive time 235 // threshold (default 1/4 RTT) 236 // and adaptive packet 237 // threshold 238 const QuicTag kRUNT = TAG('R', 'U', 'N', 'T'); // No packet threshold loss 239 // detection for "runt" packet. 240 const QuicTag kNSTP = TAG('N', 'S', 'T', 'P'); // No stop waiting frames. 241 const QuicTag kNRTT = TAG('N', 'R', 'T', 'T'); // Ignore initial RTT 242 243 const QuicTag k1PTO = TAG('1', 'P', 'T', 'O'); // Send 1 packet upon PTO. 244 const QuicTag k2PTO = TAG('2', 'P', 'T', 'O'); // Send 2 packets upon PTO. 245 246 const QuicTag k6PTO = TAG('6', 'P', 'T', 'O'); // Closes connection on 6 247 // consecutive PTOs. 248 const QuicTag k7PTO = TAG('7', 'P', 'T', 'O'); // Closes connection on 7 249 // consecutive PTOs. 250 const QuicTag k8PTO = TAG('8', 'P', 'T', 'O'); // Closes connection on 8 251 // consecutive PTOs. 252 const QuicTag kPTOS = TAG('P', 'T', 'O', 'S'); // Skip packet number before 253 // sending the last PTO. 254 const QuicTag kPTOA = TAG('P', 'T', 'O', 'A'); // Do not add max ack delay 255 // when computing PTO timeout 256 // if an immediate ACK is 257 // expected. 258 const QuicTag kPEB1 = TAG('P', 'E', 'B', '1'); // Start exponential backoff 259 // since 1st PTO. 260 const QuicTag kPEB2 = TAG('P', 'E', 'B', '2'); // Start exponential backoff 261 // since 2nd PTO. 262 const QuicTag kPVS1 = TAG('P', 'V', 'S', '1'); // Use 2 * rttvar when 263 // calculating PTO timeout. 264 const QuicTag kPAG1 = TAG('P', 'A', 'G', '1'); // Make 1st PTO more aggressive 265 const QuicTag kPAG2 = TAG('P', 'A', 'G', '2'); // Make first 2 PTOs more 266 // aggressive 267 const QuicTag kPSDA = TAG('P', 'S', 'D', 'A'); // Use standard deviation when 268 // calculating PTO timeout. 269 const QuicTag kPLE1 = TAG('P', 'L', 'E', '1'); // Arm the 1st PTO with 270 // earliest in flight sent time 271 // and at least 0.5*srtt from 272 // last sent packet. 273 const QuicTag kPLE2 = TAG('P', 'L', 'E', '2'); // Arm the 1st PTO with 274 // earliest in flight sent time 275 // and at least 1.5*srtt from 276 // last sent packet. 277 const QuicTag kAPTO = TAG('A', 'P', 'T', 'O'); // Use 1.5 * initial RTT before 278 // any RTT sample is available. 279 280 const QuicTag kELDT = TAG('E', 'L', 'D', 'T'); // Enable Loss Detection Tuning 281 282 // TODO(haoyuewang) Remove RVCM option once 283 // --quic_remove_connection_migration_connection_option_v2 is deprecated. 284 const QuicTag kRVCM = TAG('R', 'V', 'C', 'M'); // Validate the new address 285 // upon client address change. 286 287 const QuicTag kSPAD = TAG('S', 'P', 'A', 'D'); // Use server preferred address 288 const QuicTag kSPA2 = TAG('S', 'P', 'A', '2'); // Start validating server 289 // preferred address once it is 290 // received. Send all coalesced 291 // packets to both addresses. 292 293 // Optional support of truncated Connection IDs. If sent by a peer, the value 294 // is the minimum number of bytes allowed for the connection ID sent to the 295 // peer. 296 const QuicTag kTCID = TAG('T', 'C', 'I', 'D'); // Connection ID truncation. 297 298 // Multipath option. 299 const QuicTag kMPTH = TAG('M', 'P', 'T', 'H'); // Enable multipath. 300 301 const QuicTag kNCMR = TAG('N', 'C', 'M', 'R'); // Do not attempt connection 302 // migration. 303 304 // Allows disabling defer_send_in_response_to_packets in QuicConnection. 305 const QuicTag kDFER = TAG('D', 'F', 'E', 'R'); // Do not defer sending. 306 307 // Disable Pacing offload option. 308 const QuicTag kNPCO = TAG('N', 'P', 'C', 'O'); // No pacing offload. 309 310 // Enable bandwidth resumption experiment. 311 const QuicTag kBWRE = TAG('B', 'W', 'R', 'E'); // Bandwidth resumption. 312 const QuicTag kBWMX = TAG('B', 'W', 'M', 'X'); // Max bandwidth resumption. 313 const QuicTag kBWID = TAG('B', 'W', 'I', 'D'); // Send bandwidth when idle. 314 const QuicTag kBWI1 = TAG('B', 'W', 'I', '1'); // Resume bandwidth experiment 1 315 const QuicTag kBWRS = TAG('B', 'W', 'R', 'S'); // Server bandwidth resumption. 316 const QuicTag kBWS2 = TAG('B', 'W', 'S', '2'); // Server bw resumption v2. 317 const QuicTag kBWS3 = TAG('B', 'W', 'S', '3'); // QUIC Initial CWND - Control. 318 const QuicTag kBWS4 = TAG('B', 'W', 'S', '4'); // QUIC Initial CWND - Enabled. 319 const QuicTag kBWS5 = TAG('B', 'W', 'S', '5'); // QUIC Initial CWND up and down 320 const QuicTag kBWS6 = TAG('B', 'W', 'S', '6'); // QUIC Initial CWND - Enabled 321 // with 0.5 * default 322 // multiplier. 323 const QuicTag kBWP0 = TAG('B', 'W', 'P', '0'); // QUIC Initial CWND - SPDY 324 // priority 0. 325 const QuicTag kBWP1 = TAG('B', 'W', 'P', '1'); // QUIC Initial CWND - SPDY 326 // priorities 0 and 1. 327 const QuicTag kBWP2 = TAG('B', 'W', 'P', '2'); // QUIC Initial CWND - SPDY 328 // priorities 0, 1 and 2. 329 const QuicTag kBWP3 = TAG('B', 'W', 'P', '3'); // QUIC Initial CWND - SPDY 330 // priorities 0, 1, 2 and 3. 331 const QuicTag kBWP4 = TAG('B', 'W', 'P', '4'); // QUIC Initial CWND - SPDY 332 // priorities >= 0, 1, 2, 3 and 333 // 4. 334 const QuicTag kBWG4 = TAG('B', 'W', 'G', '4'); // QUIC Initial CWND - 335 // Bandwidth model 1. 336 const QuicTag kBWG7 = TAG('B', 'W', 'G', '7'); // QUIC Initial CWND - 337 // Bandwidth model 2. 338 const QuicTag kBWG8 = TAG('B', 'W', 'G', '8'); // QUIC Initial CWND - 339 // Bandwidth model 3. 340 const QuicTag kBWS7 = TAG('B', 'W', 'S', '7'); // QUIC Initial CWND - Enabled 341 // with 0.75 * default 342 // multiplier. 343 const QuicTag kBWM3 = TAG('B', 'W', 'M', '3'); // Consider overshooting if 344 // bytes lost after bandwidth 345 // resumption * 3 > IW. 346 const QuicTag kBWM4 = TAG('B', 'W', 'M', '4'); // Consider overshooting if 347 // bytes lost after bandwidth 348 // resumption * 4 > IW. 349 const QuicTag kICW1 = TAG('I', 'C', 'W', '1'); // Max initial congestion window 350 // 100. 351 const QuicTag kDTOS = TAG('D', 'T', 'O', 'S'); // Enable overshooting 352 // detection. 353 354 const QuicTag kFIDT = TAG('F', 'I', 'D', 'T'); // Extend idle timer by PTO 355 // instead of the whole idle 356 // timeout. 357 358 const QuicTag k3AFF = TAG('3', 'A', 'F', 'F'); // 3 anti amplification factor. 359 const QuicTag k10AF = TAG('1', '0', 'A', 'F'); // 10 anti amplification factor. 360 361 // Enable path MTU discovery experiment. 362 const QuicTag kMTUH = TAG('M', 'T', 'U', 'H'); // High-target MTU discovery. 363 const QuicTag kMTUL = TAG('M', 'T', 'U', 'L'); // Low-target MTU discovery. 364 365 const QuicTag kNSLC = TAG('N', 'S', 'L', 'C'); // Always send connection close 366 // for idle timeout. 367 368 // Proof types (i.e. certificate types) 369 // NOTE: although it would be silly to do so, specifying both kX509 and kX59R 370 // is allowed and is equivalent to specifying only kX509. 371 const QuicTag kX509 = TAG('X', '5', '0', '9'); // X.509 certificate, all key 372 // types 373 const QuicTag kX59R = TAG('X', '5', '9', 'R'); // X.509 certificate, RSA keys 374 // only 375 const QuicTag kCHID = TAG('C', 'H', 'I', 'D'); // Channel ID. 376 377 // Client hello tags 378 const QuicTag kVER = TAG('V', 'E', 'R', '\0'); // Version 379 const QuicTag kNONC = TAG('N', 'O', 'N', 'C'); // The client's nonce 380 const QuicTag kNONP = TAG('N', 'O', 'N', 'P'); // The client's proof nonce 381 const QuicTag kKEXS = TAG('K', 'E', 'X', 'S'); // Key exchange methods 382 const QuicTag kAEAD = TAG('A', 'E', 'A', 'D'); // Authenticated 383 // encryption algorithms 384 const QuicTag kCOPT = TAG('C', 'O', 'P', 'T'); // Connection options 385 const QuicTag kCLOP = TAG('C', 'L', 'O', 'P'); // Client connection options 386 const QuicTag kICSL = TAG('I', 'C', 'S', 'L'); // Idle network timeout 387 const QuicTag kMIBS = TAG('M', 'I', 'D', 'S'); // Max incoming bidi streams 388 const QuicTag kMIUS = TAG('M', 'I', 'U', 'S'); // Max incoming unidi streams 389 const QuicTag kADE = TAG('A', 'D', 'E', 0); // Ack Delay Exponent (IETF 390 // QUIC ACK Frame Only). 391 const QuicTag kIRTT = TAG('I', 'R', 'T', 'T'); // Estimated initial RTT in us. 392 const QuicTag kTRTT = TAG('T', 'R', 'T', 'T'); // If server receives an rtt 393 // from an address token, set 394 // it as the initial rtt. 395 const QuicTag kSNI = TAG('S', 'N', 'I', '\0'); // Server name 396 // indication 397 const QuicTag kPUBS = TAG('P', 'U', 'B', 'S'); // Public key values 398 const QuicTag kSCID = TAG('S', 'C', 'I', 'D'); // Server config id 399 const QuicTag kORBT = TAG('O', 'B', 'I', 'T'); // Server orbit. 400 const QuicTag kPDMD = TAG('P', 'D', 'M', 'D'); // Proof demand. 401 const QuicTag kPROF = TAG('P', 'R', 'O', 'F'); // Proof (signature). 402 const QuicTag kCCRT = TAG('C', 'C', 'R', 'T'); // Cached certificate 403 const QuicTag kEXPY = TAG('E', 'X', 'P', 'Y'); // Expiry 404 const QuicTag kSTTL = TAG('S', 'T', 'T', 'L'); // Server Config TTL 405 const QuicTag kSFCW = TAG('S', 'F', 'C', 'W'); // Initial stream flow control 406 // receive window. 407 const QuicTag kCFCW = TAG('C', 'F', 'C', 'W'); // Initial session/connection 408 // flow control receive window. 409 const QuicTag kUAID = TAG('U', 'A', 'I', 'D'); // Client's User Agent ID. 410 const QuicTag kXLCT = TAG('X', 'L', 'C', 'T'); // Expected leaf certificate. 411 412 const QuicTag kQNZ2 = TAG('Q', 'N', 'Z', '2'); // Turn off QUIC crypto 0-RTT. 413 414 const QuicTag kMAD = TAG('M', 'A', 'D', 0); // Max Ack Delay (IETF QUIC) 415 416 const QuicTag kIGNP = TAG('I', 'G', 'N', 'P'); // Do not use PING only packet 417 // for RTT measure or 418 // congestion control. 419 420 const QuicTag kSRWP = TAG('S', 'R', 'W', 'P'); // Enable retransmittable on 421 // wire PING (ROWP) on the 422 // server side. 423 const QuicTag kROWF = TAG('R', 'O', 'W', 'F'); // Send first 1-RTT packet on 424 // ROWP timeout. 425 const QuicTag kROWR = TAG('R', 'O', 'W', 'R'); // Send random bytes on ROWP 426 // timeout. 427 // Selective Resumption variants. 428 const QuicTag kGSR0 = TAG('G', 'S', 'R', '0'); 429 const QuicTag kGSR1 = TAG('G', 'S', 'R', '1'); 430 const QuicTag kGSR2 = TAG('G', 'S', 'R', '2'); 431 const QuicTag kGSR3 = TAG('G', 'S', 'R', '3'); 432 433 const QuicTag kNRES = TAG('N', 'R', 'E', 'S'); // No resumption 434 435 const QuicTag kINVC = TAG('I', 'N', 'V', 'C'); // Send connection close for 436 // INVALID_VERSION 437 438 const QuicTag kMPQC = TAG('M', 'P', 'Q', 'C'); // Multi-port QUIC connection 439 440 // Client Hints triggers. 441 const QuicTag kGWCH = TAG('G', 'W', 'C', 'H'); 442 const QuicTag kYTCH = TAG('Y', 'T', 'C', 'H'); 443 const QuicTag kACH0 = TAG('A', 'C', 'H', '0'); 444 445 // Rejection tags 446 const QuicTag kRREJ = TAG('R', 'R', 'E', 'J'); // Reasons for server sending 447 448 // Server hello tags 449 const QuicTag kCADR = TAG('C', 'A', 'D', 'R'); // Client IP address and port 450 const QuicTag kASAD = TAG('A', 'S', 'A', 'D'); // Alternate Server IP address 451 // and port. 452 const QuicTag kSRST = TAG('S', 'R', 'S', 'T'); // Stateless reset token used 453 // in IETF public reset packet 454 455 // CETV tags 456 const QuicTag kCIDK = TAG('C', 'I', 'D', 'K'); // ChannelID key 457 const QuicTag kCIDS = TAG('C', 'I', 'D', 'S'); // ChannelID signature 458 459 // Public reset tags 460 const QuicTag kRNON = TAG('R', 'N', 'O', 'N'); // Public reset nonce proof 461 const QuicTag kRSEQ = TAG('R', 'S', 'E', 'Q'); // Rejected packet number 462 463 // Universal tags 464 const QuicTag kPAD = TAG('P', 'A', 'D', '\0'); // Padding 465 466 // Stats collection tags 467 const QuicTag kEPID = TAG('E', 'P', 'I', 'D'); // Endpoint identifier. 468 469 // clang-format on 470 471 // These tags have a special form so that they appear either at the beginning 472 // or the end of a handshake message. Since handshake messages are sorted by 473 // tag value, the tags with 0 at the end will sort first and those with 255 at 474 // the end will sort last. 475 // 476 // The certificate chain should have a tag that will cause it to be sorted at 477 // the end of any handshake messages because it's likely to be large and the 478 // client might be able to get everything that it needs from the small values at 479 // the beginning. 480 // 481 // Likewise tags with random values should be towards the beginning of the 482 // message because the server mightn't hold state for a rejected client hello 483 // and therefore the client may have issues reassembling the rejection message 484 // in the event that it sent two client hellos. 485 const QuicTag kServerNonceTag = TAG('S', 'N', 'O', 0); // The server's nonce 486 const QuicTag kSourceAddressTokenTag = 487 TAG('S', 'T', 'K', 0); // Source-address token 488 const QuicTag kCertificateTag = TAG('C', 'R', 'T', 255); // Certificate chain 489 const QuicTag kCertificateSCTTag = 490 TAG('C', 'S', 'C', 'T'); // Signed cert timestamp (RFC6962) of leaf cert. 491 492 #undef TAG 493 494 const size_t kMaxEntries = 128; // Max number of entries in a message. 495 496 const size_t kNonceSize = 32; // Size in bytes of the connection nonce. 497 498 const size_t kOrbitSize = 8; // Number of bytes in an orbit value. 499 500 // kProofSignatureLabel is prepended to the CHLO hash and server configs before 501 // signing to avoid any cross-protocol attacks on the signature. 502 const char kProofSignatureLabel[] = "QUIC CHLO and server config signature"; 503 504 // kClientHelloMinimumSize is the minimum size of a client hello. Client hellos 505 // will have PAD tags added in order to ensure this minimum is met and client 506 // hellos smaller than this will be an error. This minimum size reduces the 507 // amplification factor of any mirror DoS attack. 508 // 509 // A client may pad an inchoate client hello to a size larger than 510 // kClientHelloMinimumSize to make it more likely to receive a complete 511 // rejection message. 512 const size_t kClientHelloMinimumSize = 1024; 513 514 } // namespace quic 515 516 #endif // QUICHE_QUIC_CORE_CRYPTO_CRYPTO_PROTOCOL_H_ 517