1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef NET_QUIC_CRYPTO_CRYPTO_PROTOCOL_H_ 6#define NET_QUIC_CRYPTO_CRYPTO_PROTOCOL_H_ 7 8#include <string> 9 10#include "net/base/net_export.h" 11#include "net/quic/quic_protocol.h" 12 13// Version and Crypto tags are written to the wire with a big-endian 14// representation of the name of the tag. For example 15// the client hello tag (CHLO) will be written as the 16// following 4 bytes: 'C' 'H' 'L' 'O'. Since it is 17// stored in memory as a little endian uint32, we need 18// to reverse the order of the bytes. 19// 20// We use a macro to ensure that no static initialisers are created. Use the 21// MakeQuicTag function in normal code. 22#define TAG(a, b, c, d) \ 23 static_cast<QuicTag>((d << 24) + (c << 16) + (b << 8) + a) 24 25namespace net { 26 27typedef std::string ServerConfigID; 28 29const QuicTag kCHLO = TAG('C', 'H', 'L', 'O'); // Client hello 30const QuicTag kSHLO = TAG('S', 'H', 'L', 'O'); // Server hello 31const QuicTag kSCFG = TAG('S', 'C', 'F', 'G'); // Server config 32const QuicTag kREJ = TAG('R', 'E', 'J', '\0'); // Reject 33const QuicTag kCETV = TAG('C', 'E', 'T', 'V'); // Client encrypted tag-value 34 // pairs 35const QuicTag kPRST = TAG('P', 'R', 'S', 'T'); // Public reset 36const QuicTag kSCUP = TAG('S', 'C', 'U', 'P'); // Server config update. 37 38// Key exchange methods 39const QuicTag kP256 = TAG('P', '2', '5', '6'); // ECDH, Curve P-256 40const QuicTag kC255 = TAG('C', '2', '5', '5'); // ECDH, Curve25519 41 42// AEAD algorithms 43const QuicTag kNULL = TAG('N', 'U', 'L', 'N'); // null algorithm 44const QuicTag kAESG = TAG('A', 'E', 'S', 'G'); // AES128 + GCM-12 45const QuicTag kCC12 = TAG('C', 'C', '1', '2'); // ChaCha20 + Poly1305 46 47// Socket receive buffer 48const QuicTag kSRBF = TAG('S', 'R', 'B', 'F'); // Socket receive buffer 49 50// Congestion control feedback types 51const QuicTag kQBIC = TAG('Q', 'B', 'I', 'C'); // TCP cubic 52 53// Connection options (COPT) values 54const QuicTag kTBBR = TAG('T', 'B', 'B', 'R'); // Reduced Buffer Bloat TCP 55const QuicTag kRENO = TAG('R', 'E', 'N', 'O'); // Reno Congestion Control 56const QuicTag kIW10 = TAG('I', 'W', '1', '0'); // Force ICWND to 10 57const QuicTag kPACE = TAG('P', 'A', 'C', 'E'); // Paced TCP cubic 58 59// Loss detection algorithm types 60const QuicTag kNACK = TAG('N', 'A', 'C', 'K'); // TCP style nack counting 61const QuicTag kTIME = TAG('T', 'I', 'M', 'E'); // Time based 62 63// FEC options 64const QuicTag kFHDR = TAG('F', 'H', 'D', 'R'); // FEC protect headers 65 66// Proof types (i.e. certificate types) 67// NOTE: although it would be silly to do so, specifying both kX509 and kX59R 68// is allowed and is equivalent to specifying only kX509. 69const QuicTag kX509 = TAG('X', '5', '0', '9'); // X.509 certificate, all key 70 // types 71const QuicTag kX59R = TAG('X', '5', '9', 'R'); // X.509 certificate, RSA keys 72 // only 73const QuicTag kCHID = TAG('C', 'H', 'I', 'D'); // Channel ID. 74 75// Client hello tags 76const QuicTag kVER = TAG('V', 'E', 'R', '\0'); // Version (new) 77const QuicTag kNONC = TAG('N', 'O', 'N', 'C'); // The client's nonce 78const QuicTag kKEXS = TAG('K', 'E', 'X', 'S'); // Key exchange methods 79const QuicTag kAEAD = TAG('A', 'E', 'A', 'D'); // Authenticated 80 // encryption algorithms 81const QuicTag kCGST = TAG('C', 'G', 'S', 'T'); // Congestion control 82 // feedback types 83const QuicTag kCOPT = TAG('C', 'O', 'P', 'T'); // Connection options 84// kLOSS was 'L', 'O', 'S', 'S', but was changed from a tag vector to a tag. 85const QuicTag kLOSS = TAG('L', 'O', 'S', 'A'); // Loss detection algorithms 86const QuicTag kICSL = TAG('I', 'C', 'S', 'L'); // Idle connection state 87 // lifetime 88const QuicTag kKATO = TAG('K', 'A', 'T', 'O'); // Keepalive timeout 89const QuicTag kMSPC = TAG('M', 'S', 'P', 'C'); // Max streams per connection. 90const QuicTag kIRTT = TAG('I', 'R', 'T', 'T'); // Estimated initial RTT in us. 91const QuicTag kSWND = TAG('S', 'W', 'N', 'D'); // Server's Initial congestion 92 // window. 93const QuicTag kSNI = TAG('S', 'N', 'I', '\0'); // Server name 94 // indication 95const QuicTag kPUBS = TAG('P', 'U', 'B', 'S'); // Public key values 96const QuicTag kSCID = TAG('S', 'C', 'I', 'D'); // Server config id 97const QuicTag kORBT = TAG('O', 'B', 'I', 'T'); // Server orbit. 98const QuicTag kPDMD = TAG('P', 'D', 'M', 'D'); // Proof demand. 99const QuicTag kPROF = TAG('P', 'R', 'O', 'F'); // Proof (signature). 100const QuicTag kCCS = TAG('C', 'C', 'S', 0); // Common certificate set 101const QuicTag kCCRT = TAG('C', 'C', 'R', 'T'); // Cached certificate 102const QuicTag kEXPY = TAG('E', 'X', 'P', 'Y'); // Expiry 103// TODO(rjshade): Remove kIFCW when removing QUIC_VERSION_19. 104const QuicTag kIFCW = TAG('I', 'F', 'C', 'W'); // Initial flow control receive 105 // window. 106const QuicTag kSFCW = TAG('S', 'F', 'C', 'W'); // Initial stream flow control 107 // receive window. 108const QuicTag kCFCW = TAG('C', 'F', 'C', 'W'); // Initial session/connection 109 // flow control receive window. 110const QuicTag kUAID = TAG('U', 'A', 'I', 'D'); // Client's User Agent ID. 111 112// Rejection tags 113const QuicTag kRREJ = TAG('R', 'R', 'E', 'J'); // Reasons for server sending 114 // rejection message tag. 115 116// Server hello tags 117const QuicTag kCADR = TAG('C', 'A', 'D', 'R'); // Client IP address and port 118 119// CETV tags 120const QuicTag kCIDK = TAG('C', 'I', 'D', 'K'); // ChannelID key 121const QuicTag kCIDS = TAG('C', 'I', 'D', 'S'); // ChannelID signature 122 123// Public reset tags 124const QuicTag kRNON = TAG('R', 'N', 'O', 'N'); // Public reset nonce proof 125const QuicTag kRSEQ = TAG('R', 'S', 'E', 'Q'); // Rejected sequence number 126 127// Universal tags 128const QuicTag kPAD = TAG('P', 'A', 'D', '\0'); // Padding 129 130// These tags have a special form so that they appear either at the beginning 131// or the end of a handshake message. Since handshake messages are sorted by 132// tag value, the tags with 0 at the end will sort first and those with 255 at 133// the end will sort last. 134// 135// The certificate chain should have a tag that will cause it to be sorted at 136// the end of any handshake messages because it's likely to be large and the 137// client might be able to get everything that it needs from the small values at 138// the beginning. 139// 140// Likewise tags with random values should be towards the beginning of the 141// message because the server mightn't hold state for a rejected client hello 142// and therefore the client may have issues reassembling the rejection message 143// in the event that it sent two client hellos. 144const QuicTag kServerNonceTag = 145 TAG('S', 'N', 'O', 0); // The server's nonce 146const QuicTag kSourceAddressTokenTag = 147 TAG('S', 'T', 'K', 0); // Source-address token 148const QuicTag kCertificateTag = 149 TAG('C', 'R', 'T', 255); // Certificate chain 150 151#undef TAG 152 153const size_t kMaxEntries = 128; // Max number of entries in a message. 154 155const size_t kNonceSize = 32; // Size in bytes of the connection nonce. 156 157const size_t kOrbitSize = 8; // Number of bytes in an orbit value. 158 159// kProofSignatureLabel is prepended to server configs before signing to avoid 160// any cross-protocol attacks on the signature. 161const char kProofSignatureLabel[] = "QUIC server config signature"; 162 163// kClientHelloMinimumSize is the minimum size of a client hello. Client hellos 164// will have PAD tags added in order to ensure this minimum is met and client 165// hellos smaller than this will be an error. This minimum size reduces the 166// amplification factor of any mirror DoS attack. 167// 168// A client may pad an inchoate client hello to a size larger than 169// kClientHelloMinimumSize to make it more likely to receive a complete 170// rejection message. 171const size_t kClientHelloMinimumSize = 1024; 172 173} // namespace net 174 175#endif // NET_QUIC_CRYPTO_CRYPTO_PROTOCOL_H_ 176