1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef QUICHE_QUIC_CORE_CRYPTO_CRYPTO_HANDSHAKE_H_ 6 #define QUICHE_QUIC_CORE_CRYPTO_CRYPTO_HANDSHAKE_H_ 7 8 #include <memory> 9 #include <string> 10 #include <vector> 11 12 #include "quiche/quic/core/quic_packets.h" 13 #include "quiche/quic/platform/api/quic_export.h" 14 15 namespace quic { 16 17 class SynchronousKeyExchange; 18 class QuicDecrypter; 19 class QuicEncrypter; 20 21 // HandshakeFailureReason enum values are uploaded to UMA, they cannot be 22 // changed. 23 enum HandshakeFailureReason { 24 HANDSHAKE_OK = 0, 25 26 // Failure reasons for an invalid client nonce in CHLO. 27 // 28 // The default error value for nonce verification failures from strike 29 // register (covers old strike registers and unknown failures). 30 CLIENT_NONCE_UNKNOWN_FAILURE = 1, 31 // Client nonce had incorrect length. 32 CLIENT_NONCE_INVALID_FAILURE = 2, 33 // Client nonce is not unique. 34 CLIENT_NONCE_NOT_UNIQUE_FAILURE = 3, 35 // Client orbit is invalid or incorrect. 36 CLIENT_NONCE_INVALID_ORBIT_FAILURE = 4, 37 // Client nonce's timestamp is not in the strike register's valid time range. 38 CLIENT_NONCE_INVALID_TIME_FAILURE = 5, 39 // Strike register's RPC call timed out, client nonce couldn't be verified. 40 CLIENT_NONCE_STRIKE_REGISTER_TIMEOUT = 6, 41 // Strike register is down, client nonce couldn't be verified. 42 CLIENT_NONCE_STRIKE_REGISTER_FAILURE = 7, 43 44 // Failure reasons for an invalid server nonce in CHLO. 45 // 46 // Unbox of server nonce failed. 47 SERVER_NONCE_DECRYPTION_FAILURE = 8, 48 // Decrypted server nonce had incorrect length. 49 SERVER_NONCE_INVALID_FAILURE = 9, 50 // Server nonce is not unique. 51 SERVER_NONCE_NOT_UNIQUE_FAILURE = 10, 52 // Server nonce's timestamp is not in the strike register's valid time range. 53 SERVER_NONCE_INVALID_TIME_FAILURE = 11, 54 // The server requires handshake confirmation. 55 SERVER_NONCE_REQUIRED_FAILURE = 20, 56 57 // Failure reasons for an invalid server config in CHLO. 58 // 59 // Missing Server config id (kSCID) tag. 60 SERVER_CONFIG_INCHOATE_HELLO_FAILURE = 12, 61 // Couldn't find the Server config id (kSCID). 62 SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE = 13, 63 64 // Failure reasons for an invalid source-address token. 65 // 66 // Missing Source-address token (kSourceAddressTokenTag) tag. 67 SOURCE_ADDRESS_TOKEN_INVALID_FAILURE = 14, 68 // Unbox of Source-address token failed. 69 SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE = 15, 70 // Couldn't parse the unbox'ed Source-address token. 71 SOURCE_ADDRESS_TOKEN_PARSE_FAILURE = 16, 72 // Source-address token is for a different IP address. 73 SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE = 17, 74 // The source-address token has a timestamp in the future. 75 SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE = 18, 76 // The source-address token has expired. 77 SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE = 19, 78 79 // The expected leaf certificate hash could not be validated. 80 INVALID_EXPECTED_LEAF_CERTIFICATE = 21, 81 82 MAX_FAILURE_REASON = 22, 83 }; 84 85 // These errors will be packed into an uint32_t and we don't want to set the 86 // most significant bit, which may be misinterpreted as the sign bit. 87 static_assert(MAX_FAILURE_REASON <= 32, "failure reason out of sync"); 88 89 // A CrypterPair contains the encrypter and decrypter for an encryption level. 90 struct QUIC_EXPORT_PRIVATE CrypterPair { 91 CrypterPair(); 92 CrypterPair(CrypterPair&&) = default; 93 ~CrypterPair(); 94 95 std::unique_ptr<QuicEncrypter> encrypter; 96 std::unique_ptr<QuicDecrypter> decrypter; 97 }; 98 99 // Parameters negotiated by the crypto handshake. 100 struct QUIC_EXPORT_PRIVATE QuicCryptoNegotiatedParameters 101 : public quiche::QuicheReferenceCounted { 102 // Initializes the members to 0 or empty values. 103 QuicCryptoNegotiatedParameters(); 104 105 QuicTag key_exchange; 106 QuicTag aead; 107 std::string initial_premaster_secret; 108 std::string forward_secure_premaster_secret; 109 // initial_subkey_secret is used as the PRK input to the HKDF used when 110 // performing key extraction that needs to happen before forward-secure keys 111 // are available. 112 std::string initial_subkey_secret; 113 // subkey_secret is used as the PRK input to the HKDF used for key extraction. 114 std::string subkey_secret; 115 CrypterPair initial_crypters; 116 CrypterPair forward_secure_crypters; 117 // Normalized SNI: converted to lower case and trailing '.' removed. 118 std::string sni; 119 std::string client_nonce; 120 std::string server_nonce; 121 // hkdf_input_suffix contains the HKDF input following the label: the 122 // ConnectionId, client hello and server config. This is only populated in the 123 // client because only the client needs to derive the forward secure keys at a 124 // later time from the initial keys. 125 std::string hkdf_input_suffix; 126 // cached_certs contains the cached certificates that a client used when 127 // sending a client hello. 128 std::vector<std::string> cached_certs; 129 // client_key_exchange is used by clients to store the ephemeral KeyExchange 130 // for the connection. 131 std::unique_ptr<SynchronousKeyExchange> client_key_exchange; 132 // channel_id is set by servers to a ChannelID key when the client correctly 133 // proves possession of the corresponding private key. It consists of 32 134 // bytes of x coordinate, followed by 32 bytes of y coordinate. Both values 135 // are big-endian and the pair is a P-256 public key. 136 std::string channel_id; 137 QuicTag token_binding_key_param; 138 139 // Used when generating proof signature when sending server config updates. 140 141 // Used to generate cert chain when sending server config updates. 142 std::string client_cached_cert_hashes; 143 144 // Default to false; set to true if the client indicates that it supports sct 145 // by sending CSCT tag with an empty value in client hello. 146 bool sct_supported_by_client; 147 148 // Parameters only populated for TLS handshakes. These will be 0 for 149 // connections not using TLS, or if the TLS handshake is not finished yet. 150 uint16_t cipher_suite = 0; 151 uint16_t key_exchange_group = 0; 152 uint16_t peer_signature_algorithm = 0; 153 bool encrypted_client_hello = false; 154 155 protected: 156 ~QuicCryptoNegotiatedParameters() override; 157 }; 158 159 // QuicCryptoConfig contains common configuration between clients and servers. 160 class QUIC_EXPORT_PRIVATE QuicCryptoConfig { 161 public: 162 // kInitialLabel is a constant that is used when deriving the initial 163 // (non-forward secure) keys for the connection in order to tie the resulting 164 // key to this protocol. 165 static const char kInitialLabel[]; 166 167 // kCETVLabel is a constant that is used when deriving the keys for the 168 // encrypted tag/value block in the client hello. 169 static const char kCETVLabel[]; 170 171 // kForwardSecureLabel is a constant that is used when deriving the forward 172 // secure keys for the connection in order to tie the resulting key to this 173 // protocol. 174 static const char kForwardSecureLabel[]; 175 176 QuicCryptoConfig(); 177 QuicCryptoConfig(const QuicCryptoConfig&) = delete; 178 QuicCryptoConfig& operator=(const QuicCryptoConfig&) = delete; 179 ~QuicCryptoConfig(); 180 181 // Key exchange methods. The following two members' values correspond by 182 // index. 183 QuicTagVector kexs; 184 // Authenticated encryption with associated data (AEAD) algorithms. 185 QuicTagVector aead; 186 }; 187 188 } // namespace quic 189 190 #endif // QUICHE_QUIC_CORE_CRYPTO_CRYPTO_HANDSHAKE_H_ 191