Land Recent QUIC Changes

net/quic/crypto/crypto_handshake.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/crypto_handshake.h"
 
 #include <ctype.h>
 
 #include "base/memory/scoped_ptr.h"
 #include "base/stl_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_split.h"
 #include "crypto/hkdf.h"
 #include "crypto/secure_hash.h"
 #include "net/base/net_util.h"
 #include "net/quic/crypto/aes_128_gcm_decrypter.h"
 #include "net/quic/crypto/aes_128_gcm_encrypter.h"
 #include "net/quic/crypto/crypto_framer.h"
 #include "net/quic/crypto/crypto_utils.h"
 #include "net/quic/crypto/curve25519_key_exchange.h"
 #include "net/quic/crypto/key_exchange.h"
 #include "net/quic/crypto/p256_key_exchange.h"
 #include "net/quic/crypto/quic_decrypter.h"
 #include "net/quic/crypto/quic_encrypter.h"
 #include "net/quic/crypto/quic_random.h"
+#include "net/quic/crypto/strike_register.h"
+#include "net/quic/quic_clock.h"
 #include "net/quic/quic_protocol.h"
 
 using base::StringPiece;
 using crypto::SecureHash;
 using std::map;
 using std::string;
 using std::vector;
 
 namespace net {
 
@@ skipping 376 matching lines @@
 const string& QuicCryptoClientConfig::CachedState::server_config()
     const {
   return server_config_;
 }
 
 const string& QuicCryptoClientConfig::CachedState::source_address_token()
     const {
   return source_address_token_;
 }
 
-const string& QuicCryptoClientConfig::CachedState::orbit() const {
-  return orbit_;
-}
-
 void QuicCryptoClientConfig::CachedState::set_source_address_token(
     StringPiece token) {
   source_address_token_ = token.as_string();
 }
 
 void QuicCryptoClientConfig::SetDefaults() {
   // Version must be 0.
   version = kVersion;
 
   // Key exchange methods.
   kexs.resize(2);
   kexs[0] = kC255;
   kexs[1] = kP256;
 
   // Authenticated encryption algorithms.
   aead.resize(1);
   aead[0] = kAESG;
 }
 
 const QuicCryptoClientConfig::CachedState* QuicCryptoClientConfig::Lookup(
-    const string& server_hostname) {
+    const string& server_hostname) const {
   map<string, CachedState*>::const_iterator it =
       cached_states_.find(server_hostname);
   if (it == cached_states_.end()) {
     return NULL;
   }
   return it->second;
 }
 
 void QuicCryptoClientConfig::FillInchoateClientHello(
     const string& server_hostname,
     const CachedState* cached,
-    CryptoHandshakeMessage* out) {
+    CryptoHandshakeMessage* out) const {
   out->set_tag(kCHLO);
 
   // Server name indication.
   // If server_hostname is not an IP address literal, it is a DNS hostname.
   IPAddressNumber ip;
   if (!server_hostname.empty() &&
       !ParseIPLiteralToNumber(server_hostname, &ip)) {
     out->SetStringPiece(kSNI, server_hostname);
   }
   out->SetValue(kVERS, version);
 
   if (cached && !cached->source_address_token().empty()) {
     out->SetStringPiece(kSRCT, cached->source_address_token());
   }
 }
 
 QuicErrorCode QuicCryptoClientConfig::FillClientHello(
     const string& server_hostname,
     QuicGuid guid,
     const CachedState* cached,
     const QuicClock* clock,
     QuicRandom* rand,
     QuicCryptoNegotiatedParameters* out_params,
     CryptoHandshakeMessage* out,
-    string* error_details) {
+    string* error_details) const {
   FillInchoateClientHello(server_hostname, cached, out);
 
   const CryptoHandshakeMessage* scfg = cached->GetServerConfig();
   if (!scfg) {
     // This should never happen as our caller should have checked
     // cached->is_complete() before calling this function.
     if (error_details) {
       *error_details = "Handshake not ready";
     }
     return QUIC_CRYPTO_INTERNAL_ERROR;
@@ skipping 51 matching lines @@
 
   StringPiece public_value;
   if (scfg->GetNthValue16(kPUBS, key_exchange_index, &public_value) !=
       QUIC_NO_ERROR) {
     if (error_details) {
       *error_details = "Missing public value";
     }
     return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
   }
 
+  StringPiece orbit;
+  if (!scfg->GetStringPiece(kORBT, &orbit) ||
+      orbit.size() != kOrbitSize) {
+    if (error_details) {
+      *error_details = "SCFG missing OBIT";
+    }
+    return QUIC_CRYPTO_MESSAGE_PARAMETER_NOT_FOUND;
+  }
+
   string nonce;
-  CryptoUtils::GenerateNonce(clock, rand, cached->orbit(), &nonce);
+  CryptoUtils::GenerateNonce(clock->NowAsDeltaSinceUnixEpoch(), rand, orbit,
+                             &nonce);
   out->SetStringPiece(kNONC, nonce);
 
   scoped_ptr<KeyExchange> key_exchange;
   switch (out_params->key_exchange) {
   case kC255:
     key_exchange.reset(Curve25519KeyExchange::New(
           Curve25519KeyExchange::NewPrivateKey(rand)));
     break;
   case kP256:
     key_exchange.reset(P256KeyExchange::New(
@@ skipping 25 matching lines @@
   hkdf_input.append(cached->server_config());
 
   CryptoUtils::DeriveKeys(out_params, nonce, hkdf_input, CryptoUtils::CLIENT);
 
   return QUIC_NO_ERROR;
 }
 
 QuicErrorCode QuicCryptoClientConfig::ProcessRejection(
     const string& server_hostname,
     const CryptoHandshakeMessage& rej,
+    QuicCryptoNegotiatedParameters* out_params,
     string* error_details) {
   CachedState* cached;
 
   map<string, CachedState*>::const_iterator it =
       cached_states_.find(server_hostname);
   if (it == cached_states_.end()) {
     cached = new CachedState;
     cached_states_[server_hostname] = cached;
   } else {
     cached = it->second;
@@ skipping 12 matching lines @@
       *error_details = "Invalid SCFG";
     }
     return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
   }
 
   StringPiece token;
   if (rej.GetStringPiece(kSRCT, &token)) {
     cached->set_source_address_token(token);
   }
 
+  StringPiece nonce;
+  if (rej.GetStringPiece(kNONC, &nonce) &&
+      nonce.size() == kNonceSize) {
+    out_params->server_nonce = nonce.as_string();
+  }
+
   return QUIC_NO_ERROR;
 }
 
 QuicErrorCode QuicCryptoClientConfig::ProcessServerHello(
     const CryptoHandshakeMessage& server_hello,
     const string& nonce,
     QuicCryptoNegotiatedParameters* out_params,
     string* error_details) {
   if (server_hello.tag() != kSHLO) {
     *error_details = "Bad tag";
@@ skipping 15 matching lines @@
     // AES-GCM is used to encrypt and authenticate source address tokens. The
     // full, 96-bit nonce is used but we must ensure that an attacker cannot
     // obtain two source address tokens with the same nonce. This occurs with
     // probability 0.5 after 2**48 values. We assume that obtaining 2**48
     // source address tokens is not possible: at a rate of 10M packets per
     // second, it would still take the attacker a year to obtain the needed
     // number of packets.
     //
     // TODO(agl): switch to an encrypter with a larger nonce space (i.e.
     // Salsa20+Poly1305).
-    : source_address_token_encrypter_(new Aes128GcmEncrypter),
+    : strike_register_lock_(),
+      source_address_token_encrypter_(new Aes128GcmEncrypter),
       source_address_token_decrypter_(new Aes128GcmDecrypter) {
   crypto::HKDF hkdf(source_address_token_secret, StringPiece()  /* no salt */,
                     "QUIC source address token key",
                     source_address_token_encrypter_->GetKeySize(),
                     0 /* no fixed IV needed */);
   source_address_token_encrypter_->SetKey(hkdf.server_write_key());
   source_address_token_decrypter_->SetKey(hkdf.server_write_key());
 }
 
 QuicCryptoServerConfig::~QuicCryptoServerConfig() {
   STLDeleteValues(&configs_);
 }
 
 // static
-QuicServerConfigProtobuf* QuicCryptoServerConfig::ConfigForTesting(
+QuicServerConfigProtobuf* QuicCryptoServerConfig::DefaultConfig(
     QuicRandom* rand,
     const QuicClock* clock,
     const CryptoHandshakeMessage& extra_tags)  {
   CryptoHandshakeMessage msg;
 
   const string curve25519_private_key =
       Curve25519KeyExchange::NewPrivateKey(rand);
   scoped_ptr<Curve25519KeyExchange> curve25519(
       Curve25519KeyExchange::New(curve25519_private_key));
   StringPiece curve25519_public_value = curve25519->public_value();
@@ skipping 20 matching lines @@
   msg.SetTaglist(kAEAD, kAESG, 0);
   msg.SetValue(kVERS, static_cast<uint16>(0));
   msg.SetStringPiece(kPUBS, encoded_public_values);
   msg.Insert(extra_tags.tag_value_map().begin(),
              extra_tags.tag_value_map().end());
 
   char scid_bytes[16];
   rand->RandBytes(scid_bytes, sizeof(scid_bytes));
   msg.SetStringPiece(kSCID, StringPiece(scid_bytes, sizeof(scid_bytes)));
 
+  char orbit_bytes[kOrbitSize];
+  rand->RandBytes(orbit_bytes, sizeof(orbit_bytes));
+  msg.SetStringPiece(kORBT, StringPiece(orbit_bytes, sizeof(orbit_bytes)));
+
   scoped_ptr<QuicData> serialized(
       CryptoFramer::ConstructHandshakeMessage(msg));
 
   scoped_ptr<QuicServerConfigProtobuf> config(new QuicServerConfigProtobuf);
   config->set_config(serialized->AsStringPiece());
   QuicServerConfigProtobuf::PrivateKey* curve25519_key = config->add_key();
   curve25519_key->set_tag(kC255);
   curve25519_key->set_private_key(curve25519_private_key);
   QuicServerConfigProtobuf::PrivateKey* p256_key = config->add_key();
   p256_key->set_tag(kP256);
@@ skipping 36 matching lines @@
   }
   config->aead = vector<CryptoTag>(aead_tags, aead_tags + aead_len);
 
   const CryptoTag* kexs_tags;
   size_t kexs_len;
   if (msg->GetTaglist(kKEXS, &kexs_tags, &kexs_len) != QUIC_NO_ERROR) {
     LOG(WARNING) << "Server config message is missing KEXS";
     return NULL;
   }
 
+  StringPiece orbit;
+  if (!msg->GetStringPiece(kORBT, &orbit)) {
+    LOG(WARNING) << "Server config message is missing OBIT";
+    return NULL;
+  }
+
+  if (orbit.size() != kOrbitSize) {
+    LOG(WARNING) << "Orbit value in server config is the wrong length."
+                    " Got " << orbit.size() << " want " << kOrbitSize;
+    return NULL;
+  }
+  COMPILE_ASSERT(sizeof(config->orbit) == kOrbitSize, orbit_incorrect_size);
+  memcpy(config->orbit, orbit.data(), sizeof(config->orbit));
+
   if (kexs_len != protobuf->key_size()) {
     LOG(WARNING) << "Server config has "
                  << kexs_len
                  << " key exchange methods configured, but "
                  << protobuf->key_size()
                  << " private keys";
     return NULL;
   }
 
   for (size_t i = 0; i < kexs_len; i++) {
@@ skipping 68 matching lines @@
   char id_bytes[16];
   sha256->Finish(id_bytes, sizeof(id_bytes));
   const string id(id_bytes, sizeof(id_bytes));
 
   configs_[id] = config.release();
   active_config_ = id;
 
   return msg.release();
 }
 
-CryptoHandshakeMessage* QuicCryptoServerConfig::AddTestingConfig(
+CryptoHandshakeMessage* QuicCryptoServerConfig::AddDefaultConfig(
     QuicRandom* rand,
     const QuicClock* clock,
     const CryptoHandshakeMessage& extra_tags) {
-  scoped_ptr<QuicServerConfigProtobuf> config(ConfigForTesting(
+  scoped_ptr<QuicServerConfigProtobuf> config(DefaultConfig(
       rand, clock, extra_tags));
   return AddConfig(config.get());
 }
 
 QuicErrorCode QuicCryptoServerConfig::ProcessClientHello(
     const CryptoHandshakeMessage& client_hello,
     QuicGuid guid,
     const IPEndPoint& client_ip,
     QuicTime::Delta now_since_unix_epoch,
     QuicRandom* rand,
+    QuicCryptoNegotiatedParameters *params,
     CryptoHandshakeMessage* out,
-    QuicCryptoNegotiatedParameters *out_params,
-    string* error_details) {
+    string* error_details) const {
   CHECK(!configs_.empty());
   // FIXME(agl): we should use the client's SCID, not just the active config.
-  const Config* config(configs_[active_config_]);
+  map<ServerConfigID, Config*>::const_iterator it =
+      configs_.find(active_config_);
+  if (it == configs_.end()) {
+    *error_details = "No valid server config loaded";
+    return QUIC_CRYPTO_INTERNAL_ERROR;
+  }
+  const Config* const config(it->second);
 
   bool valid_source_address_token = false;
   StringPiece srct;
   if (client_hello.GetStringPiece(kSRCT, &srct) &&
       ValidateSourceAddressToken(srct, client_ip, now_since_unix_epoch)) {
     valid_source_address_token = true;
   }
 
   const string fresh_source_address_token =
       NewSourceAddressToken(client_ip, rand, now_since_unix_epoch);
 
+  // If we previously sent a REJ to this client then we may have stored a
+  // server nonce in |params|. In which case, we know that the connection
+  // is unique because the server nonce will be mixed into the key generation.
+  bool unique_by_server_nonce = !params->server_nonce.empty();
+  // If we can't ensure uniqueness by a server nonce, then we will try and use
+  // the strike register.
+  bool unique_by_strike_register = false;
+
+  StringPiece client_nonce;
+  bool client_nonce_well_formed = false;
+  if (client_hello.GetStringPiece(kNONC, &client_nonce) &&
+      client_nonce.size() == kNonceSize) {
+    client_nonce_well_formed = true;
+    if (!unique_by_server_nonce) {
+      base::AutoLock auto_lock(strike_register_lock_);
+
+      if (strike_register_.get() == NULL) {
+        strike_register_.reset(new StrikeRegister(
+              // TODO(agl): these magic numbers should come from config.
+              1024 /* max entries */,
+              static_cast<uint32>(now_since_unix_epoch.ToSeconds()),
+              600 /* window secs */, config->orbit));
+      }
+      unique_by_strike_register = strike_register_->Insert(
+          reinterpret_cast<const uint8*>(client_nonce.data()),
+          static_cast<uint32>(now_since_unix_epoch.ToSeconds()));
+    }
+  }
+
   StringPiece scid;
   if (!client_hello.GetStringPiece(kSCID, &scid) ||
       scid.as_string() != config->id ||
-      !valid_source_address_token) {
+      !valid_source_address_token ||
+      !client_nonce_well_formed ||
+      (!unique_by_strike_register &&
+       !unique_by_server_nonce)) {
     // If the client didn't provide a server config ID, or gave the wrong one,
     // then the handshake cannot possibly complete. We reject the handshake and
     // give the client enough information to do better next time.
     out->Clear();
     out->set_tag(kREJ);
     out->SetStringPiece(kSCFG, config->serialized);
     out->SetStringPiece(kSRCT, fresh_source_address_token);
+    if (params->server_nonce.empty()) {
+      CryptoUtils::GenerateNonce(
+          now_since_unix_epoch, rand,
+          StringPiece(reinterpret_cast<const char*>(config->orbit),
+                      sizeof(config->orbit)),
+          &params->server_nonce);
+    }
+    out->SetStringPiece(kNONC, params->server_nonce);
     return QUIC_NO_ERROR;
   }
 
   const CryptoTag* their_aeads;
   const CryptoTag* their_key_exchanges;
   size_t num_their_aeads, num_their_key_exchanges;
   if (client_hello.GetTaglist(kAEAD, &their_aeads,
                               &num_their_aeads) != QUIC_NO_ERROR ||
       client_hello.GetTaglist(kKEXS, &their_key_exchanges,
                               &num_their_key_exchanges) != QUIC_NO_ERROR ||
       num_their_aeads != 1 ||
       num_their_key_exchanges != 1) {
     if (error_details) {
       *error_details = "Missing or invalid AEAD or KEXS";
     }
     return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
   }
 
   size_t key_exchange_index;
   if (!CryptoUtils::FindMutualTag(config->aead,
                                   their_aeads, num_their_aeads,
                                   CryptoUtils::LOCAL_PRIORITY,
-                                  &out_params->aead,
+                                  &params->aead,
                                   NULL) ||
       !CryptoUtils::FindMutualTag(config->kexs,
                                   their_key_exchanges, num_their_key_exchanges,
                                   CryptoUtils::LOCAL_PRIORITY,
-                                  &out_params->key_exchange,
+                                  &params->key_exchange,
                                   &key_exchange_index)) {
     if (error_details) {
       *error_details = "Unsupported AEAD or KEXS";
     }
     return QUIC_CRYPTO_NO_SUPPORT;
   }
 
   StringPiece public_value;
   if (!client_hello.GetStringPiece(kPUBS, &public_value)) {
     if (error_details) {
       *error_details = "Missing public value";
     }
     return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
   }
 
   if (!config->key_exchanges[key_exchange_index]->CalculateSharedKey(
-           public_value, &out_params->premaster_secret)) {
+           public_value, &params->premaster_secret)) {
     if (error_details) {
       *error_details = "Invalid public value";
     }
     return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
   }
 
-  out_params->server_config_id = scid.as_string();
-
-  StringPiece client_nonce;
-  if (!client_hello.GetStringPiece(kNONC, &client_nonce)) {
-    if (error_details) {
-      *error_details = "Invalid nonce";
-    }
-    return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
-  }
+  params->server_config_id = scid.as_string();
 
   string hkdf_input(kLabel, arraysize(kLabel));
   hkdf_input.append(reinterpret_cast<char*>(&guid), sizeof(guid));
 
   const QuicData& client_hello_serialized = client_hello.GetSerialized();
   hkdf_input.append(client_hello_serialized.data(),
                     client_hello_serialized.length());
   hkdf_input.append(config->serialized);
 
-  CryptoUtils::DeriveKeys(out_params, client_nonce, hkdf_input,
+  CryptoUtils::DeriveKeys(params, client_nonce, hkdf_input,
                           CryptoUtils::SERVER);
 
   out->set_tag(kSHLO);
   out->SetStringPiece(kSRCT, fresh_source_address_token);
   return QUIC_NO_ERROR;
 }
 
 string QuicCryptoServerConfig::NewSourceAddressToken(
     const IPEndPoint& ip,
     QuicRandom* rand,
-    QuicTime::Delta now_since_epoch) {
+    QuicTime::Delta now_since_epoch) const {
   SourceAddressToken source_address_token;
   source_address_token.set_ip(ip.ToString());
   source_address_token.set_timestamp(now_since_epoch.ToSeconds());
 
   string plaintext = source_address_token.SerializeAsString();
   char nonce[12];
   DCHECK_EQ(sizeof(nonce),
       source_address_token_encrypter_->GetNoncePrefixSize() +
       sizeof(QuicPacketSequenceNumber));
   rand->RandBytes(nonce, sizeof(nonce));
@@ skipping 10 matching lines @@
     DCHECK(false);
     return string();
   }
 
   return result;
 }
 
 bool QuicCryptoServerConfig::ValidateSourceAddressToken(
     StringPiece token,
     const IPEndPoint& ip,
-    QuicTime::Delta now_since_epoch) {
+    QuicTime::Delta now_since_epoch) const {
   char nonce[12];
   DCHECK_EQ(sizeof(nonce),
       source_address_token_encrypter_->GetNoncePrefixSize() +
       sizeof(QuicPacketSequenceNumber));
 
   if (token.size() <= sizeof(nonce)) {
     return false;
   }
   memcpy(&nonce, token.data(), sizeof(nonce));
   token.remove_prefix(sizeof(nonce));
@@ skipping 45 matching lines @@
 }
 
 QuicCryptoServerConfig::Config::Config() {
 }
 
 QuicCryptoServerConfig::Config::~Config() {
   STLDeleteElements(&key_exchanges);
 }
 
 }  // namespace net