Land Recent QUIC Changes

net/quic/crypto/crypto_handshake.h

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_
 #define NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_
 
 #include <map>
 #include <string>
 #include <vector>
 
 #include "base/memory/scoped_ptr.h"
 #include "base/strings/string_piece.h"
+#include "base/synchronization/lock.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_export.h"
 #include "net/quic/crypto/crypto_protocol.h"
 #include "net/quic/quic_time.h"
 
 namespace net {
 
 class KeyExchange;
 class QuicClock;
 class QuicDecrypter;
 class QuicEncrypter;
 class QuicRandom;
 class QuicServerConfigProtobuf;
+class StrikeRegister;
 
 namespace test {
 class QuicCryptoServerConfigPeer;
 }  // namespace test
 
 // An intermediate format of a handshake message that's convenient for a
 // CryptoFramer to serialize from or parse into.
 class NET_EXPORT_PRIVATE CryptoHandshakeMessage {
  public:
   CryptoHandshakeMessage();
@@ skipping 177 matching lines @@
   QuicCryptoNegotiatedParameters();
   ~QuicCryptoNegotiatedParameters();
 
   uint16 version;
   CryptoTag key_exchange;
   CryptoTag aead;
   std::string premaster_secret;
   scoped_ptr<QuicEncrypter> encrypter;
   scoped_ptr<QuicDecrypter> decrypter;
   std::string server_config_id;
+  std::string server_nonce;
 };
 
 // QuicCryptoConfig contains common configuration between clients and servers.
 class NET_EXPORT_PRIVATE QuicCryptoConfig {
  public:
   QuicCryptoConfig();
   ~QuicCryptoConfig();
 
   // Protocol version
   uint16 version;
   // Key exchange methods. The following two members' values correspond by
   // index.
   CryptoTagVector kexs;
   // Authenticated encryption with associated data (AEAD) algorithms.
   CryptoTagVector aead;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(QuicCryptoConfig);
 };
 
 // QuicCryptoClientConfig contains crypto-related configuration settings for a
-// client.
+// client. Note that this object isn't thread-safe. It's designed to be used on
+// a single thread at a time.
 class NET_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
  public:
   // A CachedState contains the information that the client needs in order to
   // perform a 0-RTT handshake with a server. This information can be reused
   // over several connections to the same server.
   class CachedState {
    public:
     CachedState();
     ~CachedState();
 
     // is_complete returns true if this object contains enough information to
     // perform a handshake with the server.
     bool is_complete() const;
 
     // GetServerConfig returns the parsed contents of |server_config|, or NULL
     // if |server_config| is empty. The return value is owned by this object
     // and is destroyed when this object is.
     const CryptoHandshakeMessage* GetServerConfig() const;
 
     // SetServerConfig checks that |scfg| parses correctly and stores it in
     // |server_config|. It returns true if the parsing succeeds and false
     // otherwise.
     bool SetServerConfig(base::StringPiece scfg);
 
     const std::string& server_config() const;
     const std::string& source_address_token() const;
-    const std::string& orbit() const;
 
     void set_source_address_token(base::StringPiece token);
 
    private:
     std::string server_config_id_;  // An opaque id from the server.
     std::string server_config_;  // A serialized handshake message.
     std::string source_address_token_;  // An opaque proof of IP ownership.
-    std::string orbit_;  // An opaque server-id used in nonce generation.
 
     // scfg contains the cached, parsed value of |server_config|.
     mutable scoped_ptr<CryptoHandshakeMessage> scfg_;
   };
 
   QuicCryptoClientConfig();
   ~QuicCryptoClientConfig();
 
   // Sets the members to reasonable, default values.
   void SetDefaults();
 
   // Lookup returns a CachedState for the given hostname, or NULL if no
   // information is known.
-  const CachedState* Lookup(const std::string& server_hostname);
+  const CachedState* Lookup(const std::string& server_hostname) const;
 
   // FillInchoateClientHello sets |out| to be a CHLO message that elicits a
   // source-address token or SCFG from a server. If |cached| is non-NULL, the
   // source-address token will be taken from it.
   void FillInchoateClientHello(const std::string& server_hostname,
                                const CachedState* cached,
-                               CryptoHandshakeMessage* out);
+                               CryptoHandshakeMessage* out) const;
 
   // FillClientHello sets |out| to be a CHLO message based on the configuration
   // of this object. This object must have cached enough information about
   // |server_hostname| in order to perform a handshake. This can be checked
   // with the |is_complete| member of |CachedState|.
   //
   // |clock| and |rand| are used to generate the nonce and |out_params| is
   // filled with the results of the handshake that the server is expected to
   // accept.
   QuicErrorCode FillClientHello(const std::string& server_hostname,
                                 QuicGuid guid,
                                 const CachedState* cached,
                                 const QuicClock* clock,
                                 QuicRandom* rand,
                                 QuicCryptoNegotiatedParameters* out_params,
                                 CryptoHandshakeMessage* out,
-                                std::string* error_details);
+                                std::string* error_details) const;
 
   // ProcessRejection processes a REJ message from a server and updates the
   // cached information about that server. After this, |is_complete| may return
-  // true for that server's CachedState.
+  // true for that server's CachedState. If the rejection message contains
+  // state about a future handshake (i.e. an nonce value from the server), then
+  // it will be saved in |out_params|.
   QuicErrorCode ProcessRejection(const std::string& server_hostname,
                                  const CryptoHandshakeMessage& rej,
+                                 QuicCryptoNegotiatedParameters* out_params,
                                  std::string* error_details);
 
   // ProcessServerHello processes the message in |server_hello|, writes the
   // negotiated parameters to |out_params| and returns QUIC_NO_ERROR. If
   // |server_hello| is unacceptable then it puts an error message in
   // |error_details| and returns an error code.
   QuicErrorCode ProcessServerHello(const CryptoHandshakeMessage& server_hello,
                                    const std::string& nonce,
                                    QuicCryptoNegotiatedParameters* out_params,
                                    std::string* error_details);
 
  private:
   // cached_states_ maps from the server hostname to the cached information
   // about that server.
   std::map<std::string, CachedState*> cached_states_;
 };
 
 // QuicCryptoServerConfig contains the crypto configuration of a QUIC server.
 // Unlike a client, a QUIC server can have multiple configurations active in
 // order to support clients resuming with a previous configuration.
 // TODO(agl): when adding configurations at runtime is added, this object will
 // need to consider locking.
 class NET_EXPORT_PRIVATE QuicCryptoServerConfig {
  public:
   // |source_address_token_secret|: secret key material used for encrypting and
   //     decrypting source address tokens. It can be of any length as it is fed
-  //     into a KDF before use.
+  //     into a KDF before use. In tests, use TESTING.
   explicit QuicCryptoServerConfig(
       base::StringPiece source_address_token_secret);
   ~QuicCryptoServerConfig();
 
   // TESTING is a magic parameter for passing to the constructor in tests.
   static const char TESTING[];
 
-  // ConfigForTesting generates a QuicServerConfigProtobuf protobuf suitable
+  // DefaultConfig generates a QuicServerConfigProtobuf protobuf suitable
   // for using in tests. |extra_tags| contains additional key/value pairs that
   // will be inserted into the config.
-  static QuicServerConfigProtobuf* ConfigForTesting(
+  static QuicServerConfigProtobuf* DefaultConfig(
       QuicRandom* rand,
       const QuicClock* clock,
       const CryptoHandshakeMessage& extra_tags);
 
   // AddConfig adds a QuicServerConfigProtobuf to the availible configurations.
   // It returns the SCFG message from the config if successful. The caller
   // takes ownership of the CryptoHandshakeMessage.
   CryptoHandshakeMessage* AddConfig(QuicServerConfigProtobuf* protobuf);
 
-  // AddTestingConfig creates a test config and then calls AddConfig to add it.
-  // Any tags in |extra_tags| will be copied into the config.
-  CryptoHandshakeMessage* AddTestingConfig(
+  // AddDefaultConfig creates a config and then calls AddConfig to
+  // add it. Any tags in |extra_tags| will be copied into the config.
+  CryptoHandshakeMessage* AddDefaultConfig(
       QuicRandom* rand,
       const QuicClock* clock,
       const CryptoHandshakeMessage& extra_tags);
 
   // ProcessClientHello processes |client_hello| and decides whether to accept
   // or reject the connection. If the connection is to be accepted, |out| is
   // set to the contents of the ServerHello, |out_params| is completed and
   // QUIC_NO_ERROR is returned. Otherwise |out| is set to be a REJ message and
   // an error code is returned.
   //
   // client_hello: the incoming client hello message.
   // guid: the GUID for the connection, which is used in key derivation.
   // client_ip: the IP address of the client, which is used to generate and
   //     validate source-address tokens.
   // now_since_epoch: the current time, as a delta since the unix epoch,
   //     which is used to validate client nonces.
   // rand: an entropy source
+  // params: the state of the handshake. This may be updated with a server
+  //     nonce when we send a rejection. After a successful handshake, this will
+  //     contain the state of the connection.
   // out: the resulting handshake message (either REJ or SHLO)
-  // out_params: the state of the handshake
   // error_details: used to store a string describing any error.
   QuicErrorCode ProcessClientHello(const CryptoHandshakeMessage& client_hello,
                                    QuicGuid guid,
                                    const IPEndPoint& client_ip,
                                    QuicTime::Delta now_since_epoch,
                                    QuicRandom* rand,
+                                   QuicCryptoNegotiatedParameters* params,
                                    CryptoHandshakeMessage* out,
-                                   QuicCryptoNegotiatedParameters* out_params,
-                                   std::string* error_details);
+                                   std::string* error_details) const;
 
  private:
   friend class test::QuicCryptoServerConfigPeer;
 
   // Config represents a server config: a collection of preferences and
   // Diffie-Hellman public values.
   struct Config : public QuicCryptoConfig {
     Config();
     ~Config();
 
     // serialized contains the bytes of this server config, suitable for sending
     // on the wire.
     std::string serialized;
     // id contains the SCID of this server config.
     std::string id;
+    // orbit contains the orbit value for this config: an opaque identifier
+    // used to identify clusters of server frontends.
+    unsigned char orbit[kOrbitSize];
 
     // key_exchanges contains key exchange objects with the private keys
     // already loaded. The values correspond, one-to-one, with the tags in
     // |kexs| from the parent class.
     std::vector<KeyExchange*> key_exchanges;
 
     // tag_value_map contains the raw key/value pairs for the config.
     CryptoTagValueMap tag_value_map;
 
    private:
     DISALLOW_COPY_AND_ASSIGN(Config);
   };
 
   // NewSourceAddressToken returns a fresh source address token for the given
   // IP address.
   std::string NewSourceAddressToken(const IPEndPoint& ip,
                                     QuicRandom* rand,
-                                    QuicTime::Delta now_since_epoch);
+                                    QuicTime::Delta now_since_epoch) const;
 
   // ValidateSourceAddressToken returns true if the source address token in
   // |token| is a valid and timely token for the IP address |ip| given that the
   // current time is |now|.
   bool ValidateSourceAddressToken(base::StringPiece token,
                                   const IPEndPoint& ip,
-                                  QuicTime::Delta now_since_epoch);
+                                  QuicTime::Delta now_since_epoch) const;
 
   std::map<ServerConfigID, Config*> configs_;
 
   ServerConfigID active_config_;
 
+  mutable base::Lock strike_register_lock_;
+  // strike_register_ contains a data structure that keeps track of previously
+  // observed client nonces in order to prevent replay attacks.
+  mutable scoped_ptr<StrikeRegister> strike_register_;
+
   // These members are used to encrypt and decrypt the source address tokens
   // that we receive from and send to clients.
   scoped_ptr<QuicEncrypter> source_address_token_encrypter_;
   scoped_ptr<QuicDecrypter> source_address_token_decrypter_;
 };
 
 }  // namespace net
 
 #endif  // NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_