1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_QUIC_CRYPTO_QUIC_CRYPTO_CLIENT_CONFIG_H_ 6 #define NET_QUIC_CRYPTO_QUIC_CRYPTO_CLIENT_CONFIG_H_ 7 8 #include <map> 9 #include <string> 10 #include <vector> 11 12 #include "base/memory/scoped_ptr.h" 13 #include "base/strings/string_piece.h" 14 #include "net/base/net_export.h" 15 #include "net/quic/crypto/crypto_handshake.h" 16 #include "net/quic/quic_protocol.h" 17 #include "net/quic/quic_server_id.h" 18 19 namespace net { 20 21 class ChannelIDKey; 22 class ChannelIDSource; 23 class CryptoHandshakeMessage; 24 class ProofVerifier; 25 class ProofVerifyDetails; 26 class QuicRandom; 27 28 // QuicCryptoClientConfig contains crypto-related configuration settings for a 29 // client. Note that this object isn't thread-safe. It's designed to be used on 30 // a single thread at a time. 31 class NET_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig { 32 public: 33 // A CachedState contains the information that the client needs in order to 34 // perform a 0-RTT handshake with a server. This information can be reused 35 // over several connections to the same server. 36 class NET_EXPORT_PRIVATE CachedState { 37 public: 38 CachedState(); 39 ~CachedState(); 40 41 // IsComplete returns true if this object contains enough information to 42 // perform a handshake with the server. |now| is used to judge whether any 43 // cached server config has expired. 44 bool IsComplete(QuicWallTime now) const; 45 46 // IsEmpty returns true if |server_config_| is empty. 47 bool IsEmpty() const; 48 49 // GetServerConfig returns the parsed contents of |server_config|, or NULL 50 // if |server_config| is empty. The return value is owned by this object 51 // and is destroyed when this object is. 52 const CryptoHandshakeMessage* GetServerConfig() const; 53 54 // SetServerConfig checks that |server_config| parses correctly and stores 55 // it in |server_config_|. |now| is used to judge whether |server_config| 56 // has expired. 57 QuicErrorCode SetServerConfig(base::StringPiece server_config, 58 QuicWallTime now, 59 std::string* error_details); 60 61 // InvalidateServerConfig clears the cached server config (if any). 62 void InvalidateServerConfig(); 63 64 // SetProof stores a certificate chain and signature. 65 void SetProof(const std::vector<std::string>& certs, 66 base::StringPiece signature); 67 68 // Clears all the data. 69 void Clear(); 70 71 // Clears the certificate chain and signature and invalidates the proof. 72 void ClearProof(); 73 74 // SetProofValid records that the certificate chain and signature have been 75 // validated and that it's safe to assume that the server is legitimate. 76 // (Note: this does not check the chain or signature.) 77 void SetProofValid(); 78 79 // If the server config or the proof has changed then it needs to be 80 // revalidated. Helper function to keep server_config_valid_ and 81 // generation_counter_ in sync. 82 void SetProofInvalid(); 83 84 const std::string& server_config() const; 85 const std::string& source_address_token() const; 86 const std::vector<std::string>& certs() const; 87 const std::string& signature() const; 88 bool proof_valid() const; 89 uint64 generation_counter() const; 90 const ProofVerifyDetails* proof_verify_details() const; 91 92 void set_source_address_token(base::StringPiece token); 93 94 // SetProofVerifyDetails takes ownership of |details|. 95 void SetProofVerifyDetails(ProofVerifyDetails* details); 96 97 // Copy the |server_config_|, |source_address_token_|, |certs_| and 98 // |server_config_sig_| from the |other|. The remaining fields, 99 // |generation_counter_|, |proof_verify_details_|, and |scfg_| remain 100 // unchanged. 101 void InitializeFrom(const CachedState& other); 102 103 // Initializes this cached state based on the arguments provided. 104 // Returns false if there is a problem parsing the server config. 105 bool Initialize(base::StringPiece server_config, 106 base::StringPiece source_address_token, 107 const std::vector<std::string>& certs, 108 base::StringPiece signature, 109 QuicWallTime now); 110 111 private: 112 std::string server_config_; // A serialized handshake message. 113 std::string source_address_token_; // An opaque proof of IP ownership. 114 std::vector<std::string> certs_; // A list of certificates in leaf-first 115 // order. 116 std::string server_config_sig_; // A signature of |server_config_|. 117 bool server_config_valid_; // True if |server_config_| is correctly 118 // signed and |certs_| has been 119 // validated. 120 // Generation counter associated with the |server_config_|, |certs_| and 121 // |server_config_sig_| combination. It is incremented whenever we set 122 // server_config_valid_ to false. 123 uint64 generation_counter_; 124 125 scoped_ptr<ProofVerifyDetails> proof_verify_details_; 126 127 // scfg contains the cached, parsed value of |server_config|. 128 mutable scoped_ptr<CryptoHandshakeMessage> scfg_; 129 130 DISALLOW_COPY_AND_ASSIGN(CachedState); 131 }; 132 133 QuicCryptoClientConfig(); 134 ~QuicCryptoClientConfig(); 135 136 // Sets the members to reasonable, default values. 137 void SetDefaults(); 138 139 // LookupOrCreate returns a CachedState for the given |server_id|. If no such 140 // CachedState currently exists, it will be created and cached. 141 CachedState* LookupOrCreate(const QuicServerId& server_id); 142 143 // Delete all CachedState objects from cached_states_. 144 void ClearCachedStates(); 145 146 // FillInchoateClientHello sets |out| to be a CHLO message that elicits a 147 // source-address token or SCFG from a server. If |cached| is non-NULL, the 148 // source-address token will be taken from it. |out_params| is used in order 149 // to store the cached certs that were sent as hints to the server in 150 // |out_params->cached_certs|. |preferred_version| is the version of the 151 // QUIC protocol that this client chose to use initially. This allows the 152 // server to detect downgrade attacks. 153 void FillInchoateClientHello(const QuicServerId& server_id, 154 const QuicVersion preferred_version, 155 const CachedState* cached, 156 QuicCryptoNegotiatedParameters* out_params, 157 CryptoHandshakeMessage* out) const; 158 159 // FillClientHello sets |out| to be a CHLO message based on the configuration 160 // of this object. This object must have cached enough information about 161 // the server's hostname in order to perform a handshake. This can be checked 162 // with the |IsComplete| member of |CachedState|. 163 // 164 // |now| and |rand| are used to generate the nonce and |out_params| is 165 // filled with the results of the handshake that the server is expected to 166 // accept. |preferred_version| is the version of the QUIC protocol that this 167 // client chose to use initially. This allows the server to detect downgrade 168 // attacks. 169 // 170 // If |channel_id_key| is not null, it is used to sign a secret value derived 171 // from the client and server's keys, and the Channel ID public key and the 172 // signature are placed in the CETV value of the CHLO. 173 QuicErrorCode FillClientHello(const QuicServerId& server_id, 174 QuicConnectionId connection_id, 175 const QuicVersion preferred_version, 176 const CachedState* cached, 177 QuicWallTime now, 178 QuicRandom* rand, 179 const ChannelIDKey* channel_id_key, 180 QuicCryptoNegotiatedParameters* out_params, 181 CryptoHandshakeMessage* out, 182 std::string* error_details) const; 183 184 // ProcessRejection processes a REJ message from a server and updates the 185 // cached information about that server. After this, |IsComplete| may return 186 // true for that server's CachedState. If the rejection message contains 187 // state about a future handshake (i.e. an nonce value from the server), then 188 // it will be saved in |out_params|. |now| is used to judge whether the 189 // server config in the rejection message has expired. 190 QuicErrorCode ProcessRejection(const CryptoHandshakeMessage& rej, 191 QuicWallTime now, 192 CachedState* cached, 193 QuicCryptoNegotiatedParameters* out_params, 194 std::string* error_details); 195 196 // ProcessServerHello processes the message in |server_hello|, updates the 197 // cached information about that server, writes the negotiated parameters to 198 // |out_params| and returns QUIC_NO_ERROR. If |server_hello| is unacceptable 199 // then it puts an error message in |error_details| and returns an error 200 // code. |negotiated_versions| contains the list of version, if any, that were 201 // present in a version negotiation packet previously recevied from the 202 // server. The contents of this list will be compared against the list of 203 // versions provided in the VER tag of the server hello. 204 QuicErrorCode ProcessServerHello(const CryptoHandshakeMessage& server_hello, 205 QuicConnectionId connection_id, 206 const QuicVersionVector& negotiated_versions, 207 CachedState* cached, 208 QuicCryptoNegotiatedParameters* out_params, 209 std::string* error_details); 210 211 ProofVerifier* proof_verifier() const; 212 213 // SetProofVerifier takes ownership of a |ProofVerifier| that clients are 214 // free to use in order to verify certificate chains from servers. If a 215 // ProofVerifier is set then the client will request a certificate chain from 216 // the server. 217 void SetProofVerifier(ProofVerifier* verifier); 218 219 ChannelIDSource* channel_id_source() const; 220 221 // SetChannelIDSource sets a ChannelIDSource that will be called, when the 222 // server supports channel IDs, to obtain a channel ID for signing a message 223 // proving possession of the channel ID. This object takes ownership of 224 // |source|. 225 void SetChannelIDSource(ChannelIDSource* source); 226 227 // Initialize the CachedState from |canonical_crypto_config| for the 228 // |canonical_server_id| as the initial CachedState for |server_id|. We will 229 // copy config data only if |canonical_crypto_config| has valid proof. 230 void InitializeFrom(const QuicServerId& server_id, 231 const QuicServerId& canonical_server_id, 232 QuicCryptoClientConfig* canonical_crypto_config); 233 234 // Adds |suffix| as a domain suffix for which the server's crypto config 235 // is expected to be shared among servers with the domain suffix. If a server 236 // matches this suffix, then the server config from another server with the 237 // suffix will be used to initialize the cached state for this server. 238 void AddCanonicalSuffix(const std::string& suffix); 239 240 // Prefers AES-GCM (kAESG) over other AEAD algorithms. Call this method if 241 // the CPU has hardware acceleration for AES-GCM. This method can only be 242 // called after SetDefaults(). 243 void PreferAesGcm(); 244 245 // Disables the use of ECDSA for proof verification. 246 // Call this method on platforms that do not support ECDSA. 247 // TODO(rch): remove this method when we drop support for Windows XP. 248 void DisableEcdsa(); 249 250 // Saves the |user_agent_id| that will be passed in QUIC's CHLO message. set_user_agent_id(const std::string & user_agent_id)251 void set_user_agent_id(const std::string& user_agent_id) { 252 user_agent_id_ = user_agent_id; 253 } 254 255 private: 256 typedef std::map<QuicServerId, CachedState*> CachedStateMap; 257 258 // If the suffix of the hostname in |server_id| is in |canoncial_suffixes_|, 259 // then populate |cached| with the canonical cached state from 260 // |canonical_server_map_| for that suffix. 261 void PopulateFromCanonicalConfig(const QuicServerId& server_id, 262 CachedState* cached); 263 264 // cached_states_ maps from the server_id to the cached information about 265 // that server. 266 CachedStateMap cached_states_; 267 268 // Contains a map of servers which could share the same server config. Map 269 // from a canonical host suffix/port/scheme to a representative server with 270 // the canonical suffix, which has a plausible set of initial certificates 271 // (or at least server public key). 272 std::map<QuicServerId, QuicServerId> canonical_server_map_; 273 274 // Contains list of suffixes (for exmaple ".c.youtube.com", 275 // ".googlevideo.com") of canoncial hostnames. 276 std::vector<std::string> canoncial_suffixes_; 277 278 scoped_ptr<ProofVerifier> proof_verifier_; 279 scoped_ptr<ChannelIDSource> channel_id_source_; 280 281 // True if ECDSA should be disabled. 282 bool disable_ecdsa_; 283 284 // The |user_agent_id_| passed in QUIC's CHLO message. 285 std::string user_agent_id_; 286 287 DISALLOW_COPY_AND_ASSIGN(QuicCryptoClientConfig); 288 }; 289 290 } // namespace net 291 292 #endif // NET_QUIC_CRYPTO_QUIC_CRYPTO_CLIENT_CONFIG_H_ 293