Landing Recent QUIC changes until Mon Nov 14 04:43:50 2016 +0000

net/quic/core/crypto/quic_crypto_server_config.h

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_
 #define NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_
 
 #include <stddef.h>
 #include <stdint.h>
 
@@ skipping 23 matching lines @@
 
 class CryptoHandshakeMessage;
 class EphemeralKeySource;
 class KeyExchange;
 class ProofSource;
 class QuicClock;
 class QuicDecrypter;
 class QuicEncrypter;
 class QuicRandom;
 class QuicServerConfigProtobuf;
-class StrikeRegister;
-class StrikeRegisterClient;
-struct QuicCryptoProof;
+struct QuicSignedServerConfig;
 
 // ClientHelloInfo contains information about a client hello message that is
 // only kept for as long as it's being processed.
 struct ClientHelloInfo {
   ClientHelloInfo(const IPAddress& in_client_ip, QuicWallTime in_now);
   ClientHelloInfo(const ClientHelloInfo& other);
   ~ClientHelloInfo();
 
   // Inputs to EvaluateClientHello.
   const IPAddress client_ip;
@@ skipping 217 matching lines @@
   //     ValidatedClientHelloMsg token that holds information about
   //     the client hello.  The callback will always be called exactly
   //     once, either under the current call stack, or after the
   //     completion of an asynchronous operation.
   void ValidateClientHello(
       const CryptoHandshakeMessage& client_hello,
       const IPAddress& client_ip,
       const IPAddress& server_ip,
       QuicVersion version,
       const QuicClock* clock,
-      scoped_refptr<QuicCryptoProof> crypto_proof,
+      scoped_refptr<QuicSignedServerConfig> crypto_proof,
       std::unique_ptr<ValidateClientHelloResultCallback> done_cb) const;
 
   // ProcessClientHello processes |client_hello| and decides whether to accept
   // or reject the connection. If the connection is to be accepted, |done_cb| is
   // invoked with the contents of the ServerHello and QUIC_NO_ERROR. Otherwise
   // |done_cb| is called with a REJ or SREJ message and QUIC_NO_ERROR.
   //
   // validate_chlo_result: Output from the asynchronous call to
   //     ValidateClientHello.  Contains the client hello message and
   //     information about it.
@@ skipping 26 matching lines @@
       const IPAddress& server_ip,
       const IPEndPoint& client_address,
       QuicVersion version,
       const QuicVersionVector& supported_versions,
       bool use_stateless_rejects,
       QuicConnectionId server_designated_connection_id,
       const QuicClock* clock,
       QuicRandom* rand,
       QuicCompressedCertsCache* compressed_certs_cache,
       scoped_refptr<QuicCryptoNegotiatedParameters> params,
-      scoped_refptr<QuicCryptoProof> crypto_proof,
+      scoped_refptr<QuicSignedServerConfig> crypto_proof,
       QuicByteCount total_framing_overhead,
       QuicByteCount chlo_packet_size,
       std::unique_ptr<ProcessClientHelloResultCallback> done_cb) const;
 
   // BuildServerConfigUpdateMessage sets |out| to be a SCUP message containing
   // the current primary config, an up to date source-address token, and cert
   // chain and proof in the case of secure QUIC. Returns true if successfully
   // filled |out|.
   //
   // |cached_network_params| is optional, and can be nullptr.
@@ skipping 36 matching lines @@
       const CachedNetworkParameters* cached_network_params,
       const QuicTagVector& connection_options,
       std::unique_ptr<BuildServerConfigUpdateMessageResultCallback> cb) const;
 
   // SetEphemeralKeySource installs an object that can cache ephemeral keys for
   // a short period of time. This object takes ownership of
   // |ephemeral_key_source|. If not set then ephemeral keys will be generated
   // per-connection.
   void SetEphemeralKeySource(EphemeralKeySource* ephemeral_key_source);
 
-  // Install an externally created StrikeRegisterClient for use to
-  // interact with the strike register.  This object takes ownership
-  // of the |strike_register_client|.
-  void SetStrikeRegisterClient(StrikeRegisterClient* strike_register_client);
-
   // set_replay_protection controls whether replay protection is enabled. If
   // replay protection is disabled then no strike registers are needed and
   // frontends can share an orbit value without a shared strike-register.
   // However, an attacker can duplicate a handshake and cause a client's
   // request to be processed twice.
   void set_replay_protection(bool on);
 
   // set_chlo_multiplier specifies the multiple of the CHLO message size
   // that a REJ message must stay under when the client doesn't present a
   // valid source-address token.
   void set_chlo_multiplier(size_t multiplier);
 
-  // set_strike_register_no_startup_period configures the strike register to
-  // not have a startup period.
-  void set_strike_register_no_startup_period();
-
-  // set_strike_register_max_entries sets the maximum number of entries that
-  // the internal strike register will hold. If the strike register fills up
-  // then the oldest entries (by the client's clock) will be dropped.
-  void set_strike_register_max_entries(uint32_t max_entries);
-
-  // set_strike_register_window_secs sets the number of seconds around the
-  // current time that the strike register will attempt to be authoritative
-  // for. Setting a larger value allows for greater client clock-skew, but
-  // means that the quiescent startup period must be longer.
-  void set_strike_register_window_secs(uint32_t window_secs);
-
   // set_source_address_token_future_secs sets the number of seconds into the
   // future that source-address tokens will be accepted from. Since
   // source-address tokens are authenticated, this should only happen if
   // another, valid server has clock-skew.
   void set_source_address_token_future_secs(uint32_t future_secs);
 
   // set_source_address_token_lifetime_secs sets the number of seconds that a
   // source-address token will be valid for.
   void set_source_address_token_lifetime_secs(uint32_t lifetime_secs);
 
-  // set_server_nonce_strike_register_max_entries sets the number of entries in
-  // the server-nonce strike-register. This is used to record that server nonce
-  // values have been used. If the number of entries is too small then clients
-  // which are depending on server nonces may fail to handshake because their
-  // nonce has expired in the amount of time it took to go from the server to
-  // the client and back.
-  void set_server_nonce_strike_register_max_entries(uint32_t max_entries);
-
-  // set_server_nonce_strike_register_window_secs sets the number of seconds
-  // around the current time that the server-nonce strike-register will accept
-  // nonces from. Setting a larger value allows for clients to delay follow-up
-  // client hellos for longer and still use server nonces as proofs of
-  // uniqueness.
-  void set_server_nonce_strike_register_window_secs(uint32_t window_secs);
-
   // set_enable_serving_sct enables or disables serving signed cert timestamp
   // (RFC6962) in server hello.
   void set_enable_serving_sct(bool enable_serving_sct);
 
   // Set and take ownership of the callback to invoke on primary config changes.
   void AcquirePrimaryConfigChangedCb(
       std::unique_ptr<PrimaryConfigChangedCallback> cb);
 
   // Returns the number of configs this object owns.
   int NumberOfConfigs() const;
 
   // Callers retain the ownership of |rejection_observer| which must outlive the
   // config.
   void set_rejection_observer(RejectionObserver* rejection_observer) {
     rejection_observer_ = rejection_observer;
   }
 
  private:
   friend class test::QuicCryptoServerConfigPeer;
-  friend struct QuicCryptoProof;
+  friend struct QuicSignedServerConfig;
 
   // Config represents a server config: a collection of preferences and
   // Diffie-Hellman public values.
   class NET_EXPORT_PRIVATE Config : public QuicCryptoConfig,
                                     public base::RefCounted<Config> {
    public:
     Config();
 
     // TODO(rtenneti): since this is a class, we should probably do
     // getters/setters here.
@@ skipping 70 matching lines @@
   void SelectNewPrimaryConfig(QuicWallTime now) const;
 
   // EvaluateClientHello checks |client_hello| for gross errors and determines
   // whether it can be shown to be fresh (i.e. not a replay). The results are
   // written to |info|.
   void EvaluateClientHello(
       const IPAddress& server_ip,
       QuicVersion version,
       scoped_refptr<Config> requested_config,
       scoped_refptr<Config> primary_config,
-      scoped_refptr<QuicCryptoProof> crypto_proof,
+      scoped_refptr<QuicSignedServerConfig> crypto_proof,
       scoped_refptr<ValidateClientHelloResultCallback::Result>
           client_hello_state,
       std::unique_ptr<ValidateClientHelloResultCallback> done_cb) const;
 
   // Callback class for bridging between EvaluateClientHello and
   // EvaluateClientHelloAfterGetProof.
   class EvaluateClientHelloCallback;
   friend class EvaluateClientHelloCallback;
 
   // Continuation of EvaluateClientHello after the call to
   // ProofSource::GetProof.  |found_error| indicates whether an error was
   // detected in EvaluateClientHello, and |get_proof_failed| indicates whether
   // GetProof failed.  If GetProof was not run, then |get_proof_failed| will be
   // set to false.
   void EvaluateClientHelloAfterGetProof(
       bool found_error,
       const IPAddress& server_ip,
       QuicVersion version,
       scoped_refptr<Config> requested_config,
       scoped_refptr<Config> primary_config,
-      scoped_refptr<QuicCryptoProof> crypto_proof,
+      scoped_refptr<QuicSignedServerConfig> crypto_proof,
       std::unique_ptr<ProofSource::Details> proof_source_details,
       bool get_proof_failed,
       scoped_refptr<ValidateClientHelloResultCallback::Result>
           client_hello_state,
       std::unique_ptr<ValidateClientHelloResultCallback> done_cb) const;
 
   // Callback class for bridging between ProcessClientHello and
   // ProcessClientHelloAfterGetProof.
   class ProcessClientHelloCallback;
   friend class ProcessClientHelloCallback;
 
   // Portion of ProcessClientHello which executes after GetProof.
   void ProcessClientHelloAfterGetProof(
       bool found_error,
       std::unique_ptr<ProofSource::Details> proof_source_details,
       const ValidateClientHelloResultCallback::Result& validate_chlo_result,
       bool reject_only,
       QuicConnectionId connection_id,
       const IPEndPoint& client_address,
       QuicVersion version,
       const QuicVersionVector& supported_versions,
       bool use_stateless_rejects,
       QuicConnectionId server_designated_connection_id,
       const QuicClock* clock,
       QuicRandom* rand,
       QuicCompressedCertsCache* compressed_certs_cache,
       scoped_refptr<QuicCryptoNegotiatedParameters> params,
-      scoped_refptr<QuicCryptoProof> crypto_proof,
+      scoped_refptr<QuicSignedServerConfig> crypto_proof,
       QuicByteCount total_framing_overhead,
       QuicByteCount chlo_packet_size,
       const scoped_refptr<Config>& requested_config,
       const scoped_refptr<Config>& primary_config,
       std::unique_ptr<ProcessClientHelloResultCallback> done_cb) const;
 
   // BuildRejection sets |out| to be a REJ message in reply to |client_hello|.
   void BuildRejection(QuicVersion version,
                       QuicWallTime now,
                       const Config& config,
                       const CryptoHandshakeMessage& client_hello,
                       const ClientHelloInfo& info,
                       const CachedNetworkParameters& cached_network_params,
                       bool use_stateless_rejects,
                       QuicConnectionId server_designated_connection_id,
                       QuicRandom* rand,
                       QuicCompressedCertsCache* compressed_certs_cache,
                       scoped_refptr<QuicCryptoNegotiatedParameters> params,
-                      const QuicCryptoProof& crypto_proof,
+                      const QuicSignedServerConfig& crypto_proof,
                       QuicByteCount total_framing_overhead,
                       QuicByteCount chlo_packet_size,
                       CryptoHandshakeMessage* out) const;
 
   // CompressChain compresses the certificates in |chain->certs| and returns a
   // compressed representation. |common_sets| contains the common certificate
   // sets known locally and |client_common_set_hashes| contains the hashes of
   // the common sets known to the peer. |client_cached_cert_hashes| contains
   // 64-bit, FNV-1a hashes of certificates that the peer already possesses.
   static std::string CompressChain(
@@ skipping 51 matching lines @@
   // Returns HANDSHAKE_OK if the source address token in |token| is a timely
   // token given that the current time is |now|. Otherwise it returns the
   // reason for failure.
   HandshakeFailureReason ValidateSourceAddressTokenTimestamp(
       const SourceAddressToken& token,
       QuicWallTime now) const;
 
   // NewServerNonce generates and encrypts a random nonce.
   std::string NewServerNonce(QuicRandom* rand, QuicWallTime now) const;
 
-  // ValidateServerNonce decrypts |token| and verifies that it hasn't been
-  // previously used and is recent enough that it is plausible that it was part
-  // of a very recently provided rejection ("recent" will be on the order of
-  // 10-30 seconds). If so, it records that it has been used and returns
-  // HANDSHAKE_OK. Otherwise it returns the reason for failure.
-  HandshakeFailureReason ValidateServerNonce(
-      base::StringPiece echoed_server_nonce,
-      QuicWallTime now) const;
-
   // ValidateExpectedLeafCertificate checks the |client_hello| to see if it has
   // an XLCT tag, and if so, verifies that its value matches the hash of the
   // server's leaf certificate. The certs field of |crypto_proof| is used to
   // compare against the XLCT value.  This method returns true if the XLCT tag
   // is not present, or if the XLCT tag is present and valid. It returns false
   // otherwise.
   bool ValidateExpectedLeafCertificate(
       const CryptoHandshakeMessage& client_hello,
-      const QuicCryptoProof& crypto_proof) const;
+      const QuicSignedServerConfig& crypto_proof) const;
 
   // Returns true if the PDMD field from the client hello demands an X509
   // certificate.
   bool ClientDemandsX509Proof(const CryptoHandshakeMessage& client_hello) const;
 
   // Callback to receive the results of ProofSource::GetProof.  Note: this
   // callback has no cancellation support, since the lifetime of the ProofSource
   // is controlled by this object via unique ownership.  If that ownership
   // stricture changes, this decision may need to be revisited.
   class BuildServerConfigUpdateMessageProofSourceCallback
       : public ProofSource::Callback {
    public:
     BuildServerConfigUpdateMessageProofSourceCallback(
         const BuildServerConfigUpdateMessageProofSourceCallback&) = delete;
     ~BuildServerConfigUpdateMessageProofSourceCallback() override;
     void operator=(const BuildServerConfigUpdateMessageProofSourceCallback&) =
         delete;
     BuildServerConfigUpdateMessageProofSourceCallback(
         const QuicCryptoServerConfig* config,
         QuicVersion version,
         QuicCompressedCertsCache* compressed_certs_cache,
         const CommonCertSets* common_cert_sets,
         const QuicCryptoNegotiatedParameters& params,
         CryptoHandshakeMessage message,
         std::unique_ptr<BuildServerConfigUpdateMessageResultCallback> cb);
 
     void Run(bool ok,
              const scoped_refptr<ProofSource::Chain>& chain,
-             const std::string& signature,
-             const std::string& leaf_cert_sct,
+             const QuicCryptoProof& proof,
              std::unique_ptr<ProofSource::Details> details) override;
 
    private:
     const QuicCryptoServerConfig* config_;
     const QuicVersion version_;
     QuicCompressedCertsCache* compressed_certs_cache_;
     const CommonCertSets* common_cert_sets_;
     const std::string client_common_set_hashes_;
     const std::string client_cached_cert_hashes_;
     const bool sct_supported_by_client_;
@@ skipping 38 matching lines @@
   ConfigMap configs_;
   // primary_config_ points to a Config (which is also in |configs_|) which is
   // the primary config - i.e. the one that we'll give out to new clients.
   mutable scoped_refptr<Config> primary_config_;
   // next_config_promotion_time_ contains the nearest, future time when an
   // active config will be promoted to primary.
   mutable QuicWallTime next_config_promotion_time_;
   // Callback to invoke when the primary config changes.
   std::unique_ptr<PrimaryConfigChangedCallback> primary_config_changed_cb_;
 
-  // Protects access to the pointer held by strike_register_client_.
-  mutable base::Lock strike_register_client_lock_;
-  // strike_register_ contains a data structure that keeps track of previously
-  // observed client nonces in order to prevent replay attacks.
-  mutable std::unique_ptr<StrikeRegisterClient> strike_register_client_;
-
   // Used to protect the source-address tokens that are given to clients.
   CryptoSecretBoxer source_address_token_boxer_;
 
   // server_nonce_boxer_ is used to encrypt and validate suggested server
   // nonces.
   CryptoSecretBoxer server_nonce_boxer_;
 
   // server_nonce_orbit_ contains the random, per-server orbit values that this
   // server will use to generate server nonces (the moral equivalent of a SYN
   // cookies).
   uint8_t server_nonce_orbit_[8];
 
-  mutable base::Lock server_nonce_strike_register_lock_;
-  // server_nonce_strike_register_ contains a data structure that keeps track of
-  // previously observed server nonces from this server, in order to prevent
-  // replay attacks.
-  mutable std::unique_ptr<StrikeRegister> server_nonce_strike_register_;
-
   // proof_source_ contains an object that can provide certificate chains and
   // signatures.
   std::unique_ptr<ProofSource> proof_source_;
 
   // ephemeral_key_source_ contains an object that caches ephemeral keys for a
   // short period of time.
   std::unique_ptr<EphemeralKeySource> ephemeral_key_source_;
 
   // These fields store configuration values. See the comments for their
   // respective setter functions.
-  bool strike_register_no_startup_period_;
-  uint32_t strike_register_max_entries_;
-  uint32_t strike_register_window_secs_;
   uint32_t source_address_token_future_secs_;
   uint32_t source_address_token_lifetime_secs_;
-  uint32_t server_nonce_strike_register_max_entries_;
-  uint32_t server_nonce_strike_register_window_secs_;
 
   // Enable serving SCT or not.
   bool enable_serving_sct_;
 
   // Does not own this observer.
   RejectionObserver* rejection_observer_;
 
   DISALLOW_COPY_AND_ASSIGN(QuicCryptoServerConfig);
 };
 
-struct NET_EXPORT_PRIVATE QuicCryptoProof
-    : public base::RefCounted<QuicCryptoProof> {
-  QuicCryptoProof();
+struct NET_EXPORT_PRIVATE QuicSignedServerConfig
+    : public base::RefCounted<QuicSignedServerConfig> {
+  QuicSignedServerConfig();
 
+  // TODO(eranm): Have a QuicCryptoProof field instead of signature, cert_sct.
   std::string signature;
   scoped_refptr<ProofSource::Chain> chain;
   std::string cert_sct;
   // The server config that is used for this proof (and the rest of the
   // request).
   scoped_refptr<QuicCryptoServerConfig::Config> config;
   std::string primary_scid;
+  // Indication whether the Expect-CT header should be sent on the session
+  // this proof relates to (for background, see
+  // https://www.ietf.org/id/draft-stark-expect-ct-00.txt).
+  // NOTE: This field is intentionally independent from the |cert_sct| one
+  // and can be true even if |cert_sct| is empty.
+  // The goal of the Expect-CT header is uncover cases where valid SCTs are
+  // expected to be served, but aren't.
+  bool send_expect_ct_header;
 
  private:
-  friend class base::RefCounted<QuicCryptoProof>;
-  virtual ~QuicCryptoProof();
+  friend class base::RefCounted<QuicSignedServerConfig>;
+  virtual ~QuicSignedServerConfig();
 };
 
 }  // namespace net
 
 #endif  // NET_QUIC_CRYPTO_QUIC_CRYPTO_SERVER_CONFIG_H_