Land Recent QUIC Changes

net/quic/crypto/crypto_handshake.h

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_
 #define NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_
 
 #include <map>
 #include <string>
 #include <vector>
 
 #include "base/memory/scoped_ptr.h"
 #include "base/strings/string_piece.h"
-#include "base/synchronization/lock.h"
-#include "net/base/ip_endpoint.h"
 #include "net/base/net_export.h"
 #include "net/quic/crypto/crypto_protocol.h"
 #include "net/quic/quic_time.h"
 
 namespace net {
 
 class KeyExchange;
 class QuicClock;
 class QuicDecrypter;
 class QuicEncrypter;
 class QuicRandom;
-class QuicServerConfigProtobuf;
-class StrikeRegister;
-
-namespace test {
-class QuicCryptoServerConfigPeer;
-}  // namespace test
 
 // An intermediate format of a handshake message that's convenient for a
 // CryptoFramer to serialize from or parse into.
 class NET_EXPORT_PRIVATE CryptoHandshakeMessage {
  public:
   CryptoHandshakeMessage();
   CryptoHandshakeMessage(const CryptoHandshakeMessage& other);
   ~CryptoHandshakeMessage();
 
   CryptoHandshakeMessage& operator=(const CryptoHandshakeMessage& other);
@@ skipping 76 matching lines @@
   std::string DebugStringInternal(size_t indent) const;
 
   CryptoTag tag_;
   CryptoTagValueMap tag_value_map_;
 
   // The serialized form of the handshake message. This member is constructed
   // lasily.
   mutable scoped_ptr<QuicData> serialized_;
 };
 
-// TODO(rch): sync with server more rationally
-class NET_EXPORT_PRIVATE QuicServerConfigProtobuf {
- public:
-  class NET_EXPORT_PRIVATE PrivateKey {
-   public:
-    CryptoTag tag() const {
-      return tag_;
-    }
-    void set_tag(CryptoTag tag) {
-      tag_ = tag;
-    }
-    std::string private_key() const {
-      return private_key_;
-    }
-    void set_private_key(std::string key) {
-      private_key_ = key;
-    }
-
-   private:
-    CryptoTag tag_;
-    std::string private_key_;
-  };
-
-  QuicServerConfigProtobuf();
-  ~QuicServerConfigProtobuf();
-
-  size_t key_size() const {
-    return keys_.size();
-  }
-
-  const PrivateKey& key(size_t i) const {
-    DCHECK_GT(keys_.size(), i);
-    return *keys_[i];
-  }
-
-  std::string config() const {
-    return config_;
-  }
-
-  void set_config(base::StringPiece config) {
-    config_ = config.as_string();
-  }
-
-  QuicServerConfigProtobuf::PrivateKey* add_key() {
-    keys_.push_back(new PrivateKey);
-    return keys_.back();
-  }
-
- private:
-  std::vector<PrivateKey*> keys_;
-  std::string config_;
-};
-
-// TODO(rtenneti): sync with server more rationally.
-class NET_EXPORT_PRIVATE SourceAddressToken {
- public:
-  SourceAddressToken();
-  ~SourceAddressToken();
-
-  std::string SerializeAsString() const;
-
-  bool ParseFromArray(unsigned char* plaintext, size_t plaintext_length);
-
-  std::string ip() const {
-    return ip_;
-  }
-
-  int64 timestamp() const {
-    return timestamp_;
-  }
-
-  void set_ip(base::StringPiece ip) {
-    ip_ = ip.as_string();
-  }
-
-  void set_timestamp(int64 timestamp) {
-    timestamp_ = timestamp;
-  }
-
- private:
-  std::string ip_;
-  int64 timestamp_;
-};
-
 // Parameters negotiated by the crypto handshake.
 struct NET_EXPORT_PRIVATE QuicCryptoNegotiatedParameters {
   // Initializes the members to 0 or empty values.
   QuicCryptoNegotiatedParameters();
   ~QuicCryptoNegotiatedParameters();
 
   uint16 version;
   CryptoTag key_exchange;
   CryptoTag aead;
   std::string premaster_secret;
   scoped_ptr<QuicEncrypter> encrypter;
   scoped_ptr<QuicDecrypter> decrypter;
   std::string server_config_id;
   std::string server_nonce;
 };
 
 // QuicCryptoConfig contains common configuration between clients and servers.
 class NET_EXPORT_PRIVATE QuicCryptoConfig {
  public:
+  enum {
+    // CONFIG_VERSION is the one (and, for the moment, only) version number that
+    // we implement.
+     CONFIG_VERSION = 0,
+  };
+
+  // kLabel is constant that is used in key derivation to tie the resulting key
+  // to this protocol.
+  static const char kLabel[];
+
   QuicCryptoConfig();
   ~QuicCryptoConfig();
 
   // Protocol version
   uint16 version;
   // Key exchange methods. The following two members' values correspond by
   // index.
   CryptoTagVector kexs;
   // Authenticated encryption with associated data (AEAD) algorithms.
   CryptoTagVector aead;
@@ skipping 95 matching lines @@
                                    const std::string& nonce,
                                    QuicCryptoNegotiatedParameters* out_params,
                                    std::string* error_details);
 
  private:
   // cached_states_ maps from the server hostname to the cached information
   // about that server.
   std::map<std::string, CachedState*> cached_states_;
 };
 
-// QuicCryptoServerConfig contains the crypto configuration of a QUIC server.
-// Unlike a client, a QUIC server can have multiple configurations active in
-// order to support clients resuming with a previous configuration.
-// TODO(agl): when adding configurations at runtime is added, this object will
-// need to consider locking.
-class NET_EXPORT_PRIVATE QuicCryptoServerConfig {
- public:
-  // |source_address_token_secret|: secret key material used for encrypting and
-  //     decrypting source address tokens. It can be of any length as it is fed
-  //     into a KDF before use. In tests, use TESTING.
-  explicit QuicCryptoServerConfig(
-      base::StringPiece source_address_token_secret);
-  ~QuicCryptoServerConfig();
-
-  // TESTING is a magic parameter for passing to the constructor in tests.
-  static const char TESTING[];
-
-  // DefaultConfig generates a QuicServerConfigProtobuf protobuf suitable
-  // for using in tests. |extra_tags| contains additional key/value pairs that
-  // will be inserted into the config.
-  static QuicServerConfigProtobuf* DefaultConfig(
-      QuicRandom* rand,
-      const QuicClock* clock,
-      const CryptoHandshakeMessage& extra_tags);
-
-  // AddConfig adds a QuicServerConfigProtobuf to the availible configurations.
-  // It returns the SCFG message from the config if successful. The caller
-  // takes ownership of the CryptoHandshakeMessage.
-  CryptoHandshakeMessage* AddConfig(QuicServerConfigProtobuf* protobuf);
-
-  // AddDefaultConfig creates a config and then calls AddConfig to
-  // add it. Any tags in |extra_tags| will be copied into the config.
-  CryptoHandshakeMessage* AddDefaultConfig(
-      QuicRandom* rand,
-      const QuicClock* clock,
-      const CryptoHandshakeMessage& extra_tags);
-
-  // ProcessClientHello processes |client_hello| and decides whether to accept
-  // or reject the connection. If the connection is to be accepted, |out| is
-  // set to the contents of the ServerHello, |out_params| is completed and
-  // QUIC_NO_ERROR is returned. Otherwise |out| is set to be a REJ message and
-  // an error code is returned.
-  //
-  // client_hello: the incoming client hello message.
-  // guid: the GUID for the connection, which is used in key derivation.
-  // client_ip: the IP address of the client, which is used to generate and
-  //     validate source-address tokens.
-  // now_since_epoch: the current time, as a delta since the unix epoch,
-  //     which is used to validate client nonces.
-  // rand: an entropy source
-  // params: the state of the handshake. This may be updated with a server
-  //     nonce when we send a rejection. After a successful handshake, this will
-  //     contain the state of the connection.
-  // out: the resulting handshake message (either REJ or SHLO)
-  // error_details: used to store a string describing any error.
-  QuicErrorCode ProcessClientHello(const CryptoHandshakeMessage& client_hello,
-                                   QuicGuid guid,
-                                   const IPEndPoint& client_ip,
-                                   QuicTime::Delta now_since_epoch,
-                                   QuicRandom* rand,
-                                   QuicCryptoNegotiatedParameters* params,
-                                   CryptoHandshakeMessage* out,
-                                   std::string* error_details) const;
-
- private:
-  friend class test::QuicCryptoServerConfigPeer;
-
-  // Config represents a server config: a collection of preferences and
-  // Diffie-Hellman public values.
-  struct Config : public QuicCryptoConfig {
-    Config();
-    ~Config();
-
-    // serialized contains the bytes of this server config, suitable for sending
-    // on the wire.
-    std::string serialized;
-    // id contains the SCID of this server config.
-    std::string id;
-    // orbit contains the orbit value for this config: an opaque identifier
-    // used to identify clusters of server frontends.
-    unsigned char orbit[kOrbitSize];
-
-    // key_exchanges contains key exchange objects with the private keys
-    // already loaded. The values correspond, one-to-one, with the tags in
-    // |kexs| from the parent class.
-    std::vector<KeyExchange*> key_exchanges;
-
-    // tag_value_map contains the raw key/value pairs for the config.
-    CryptoTagValueMap tag_value_map;
-
-   private:
-    DISALLOW_COPY_AND_ASSIGN(Config);
-  };
-
-  // NewSourceAddressToken returns a fresh source address token for the given
-  // IP address.
-  std::string NewSourceAddressToken(const IPEndPoint& ip,
-                                    QuicRandom* rand,
-                                    QuicTime::Delta now_since_epoch) const;
-
-  // ValidateSourceAddressToken returns true if the source address token in
-  // |token| is a valid and timely token for the IP address |ip| given that the
-  // current time is |now|.
-  bool ValidateSourceAddressToken(base::StringPiece token,
-                                  const IPEndPoint& ip,
-                                  QuicTime::Delta now_since_epoch) const;
-
-  std::map<ServerConfigID, Config*> configs_;
-
-  ServerConfigID active_config_;
-
-  mutable base::Lock strike_register_lock_;
-  // strike_register_ contains a data structure that keeps track of previously
-  // observed client nonces in order to prevent replay attacks.
-  mutable scoped_ptr<StrikeRegister> strike_register_;
-
-  // These members are used to encrypt and decrypt the source address tokens
-  // that we receive from and send to clients.
-  scoped_ptr<QuicEncrypter> source_address_token_encrypter_;
-  scoped_ptr<QuicDecrypter> source_address_token_decrypter_;
-};
-
 }  // namespace net
 
 #endif  // NET_QUIC_CRYPTO_CRYPTO_HANDSHAKE_H_