QUIC: support diversified keys with version 33.

QUIC: support diversified keys with version 33.

Before we can disable strike registers we have to deal with the fact that two
different QUIC servers may then encrypt different messages under the same key.
Since the nonce is a counter, that would be fatal.

With this change we allow servers to include a nonce in the public header of
packets.

This is complicated, somewhat, by the fact that version negotiation doesn't
easily bubble up to the crypto layer: a client that supports version 33 might
be called upon to process a packet encrypted with this new scheme, or a packet
encrypted with the old scheme if speaking to an older server. Thus the
decryptors can handle either scheme and will latch to one or the other after
processing their first packet.

Since we have run out of flags in the public header, the two bits currently
assigned to indicate the length of the connection ID are split. Bit three
remains as an indication of the connection ID length, which can now only be
zero or eight bytes. Bit two is repurposed to indicate the presence of a
32-byte nonce that is inserted before the packet number.

In order to accomodate older clients that will be setting bit two to indicate
an eight-byte connection ID we exploit the fact that nonces can only be sent
from server to client. Thus server framers ignore bit two, for now, when
parsing.

Merge internal change: 119745591

Committed: https://crrev.com/012834cfe167e8b18c5ab4cac40ac42c39ca769f
Cr-Commit-Position: refs/heads/master@{#389665}

[Ryan Hamilton, 2016-04-21 21:28:30]

rch@chromium.org changed reviewers:
+ rtenneti@chromium.org

[Ryan Hamilton, 2016-04-21 21:28:31]

I did this out-of-band because it was tricky

[ramant (doing other things), 2016-04-21 21:41:29]

lgtm

[Ryan Hamilton, 2016-04-25 20:59:32]

The CQ bit was checked by rch@chromium.org

[Ryan Hamilton, 2016-04-25 20:59:32]

The patchset sent to the CQ was uploaded after l-g-t-m from
rtenneti@chromium.org
Link to the patchset: https://codereview.chromium.org/1904213002/#ps60001
(title: "Rebase")

[commit-bot: I haz the power, 2016-04-25 21:00:11]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1904213002/60001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1904213002/60001

[commit-bot: I haz the power, 2016-04-25 21:05:19]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-04-25 21:05:20]

Try jobs failed on following builders:
  ios_rel_device_gn on tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios_rel_device_gn...)
  ios_rel_device_ninja on tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios_rel_device_ni...)

[Ryan Hamilton, 2016-04-26 00:07:04]

The CQ bit was checked by rch@chromium.org

[Ryan Hamilton, 2016-04-26 00:07:05]

The patchset sent to the CQ was uploaded after l-g-t-m from
rtenneti@chromium.org
Link to the patchset: https://codereview.chromium.org/1904213002/#ps80001
(title: "Rebase")

[commit-bot: I haz the power, 2016-04-26 00:07:46]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1904213002/80001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1904213002/80001

[commit-bot: I haz the power, 2016-04-26 02:06:50]

Committed patchset #5 (id:80001)

[commit-bot: I haz the power, 2016-04-26 02:08:17]

Description was changed from

==========
QUIC: support diversified keys with version 33.

Before we can disable strike registers we have to deal with the fact that two
different QUIC servers may then encrypt different messages under the same key.
Since the nonce is a counter, that would be fatal.

With this change we allow servers to include a nonce in the public header of
packets.

This is complicated, somewhat, by the fact that version negotiation doesn't
easily bubble up to the crypto layer: a client that supports version 33 might
be called upon to process a packet encrypted with this new scheme, or a packet
encrypted with the old scheme if speaking to an older server. Thus the
decryptors can handle either scheme and will latch to one or the other after
processing their first packet.

Since we have run out of flags in the public header, the two bits currently
assigned to indicate the length of the connection ID are split. Bit three
remains as an indication of the connection ID length, which can now only be
zero or eight bytes. Bit two is repurposed to indicate the presence of a
32-byte nonce that is inserted before the packet number.

In order to accomodate older clients that will be setting bit two to indicate
an eight-byte connection ID we exploit the fact that nonces can only be sent
from server to client. Thus server framers ignore bit two, for now, when
parsing.

Merge internal change: 119745591
==========

to

==========
QUIC: support diversified keys with version 33.

Before we can disable strike registers we have to deal with the fact that two
different QUIC servers may then encrypt different messages under the same key.
Since the nonce is a counter, that would be fatal.

With this change we allow servers to include a nonce in the public header of
packets.

This is complicated, somewhat, by the fact that version negotiation doesn't
easily bubble up to the crypto layer: a client that supports version 33 might
be called upon to process a packet encrypted with this new scheme, or a packet
encrypted with the old scheme if speaking to an older server. Thus the
decryptors can handle either scheme and will latch to one or the other after
processing their first packet.

Since we have run out of flags in the public header, the two bits currently
assigned to indicate the length of the connection ID are split. Bit three
remains as an indication of the connection ID length, which can now only be
zero or eight bytes. Bit two is repurposed to indicate the presence of a
32-byte nonce that is inserted before the packet number.

In order to accomodate older clients that will be setting bit two to indicate
an eight-byte connection ID we exploit the fact that nonces can only be sent
from server to client. Thus server framers ignore bit two, for now, when
parsing.

Merge internal change: 119745591

Committed: https://crrev.com/012834cfe167e8b18c5ab4cac40ac42c39ca769f
Cr-Commit-Position: refs/heads/master@{#389665}
==========

[commit-bot: I haz the power, 2016-04-26 02:08:18]

Patchset 5 (id:??) landed as
https://crrev.com/012834cfe167e8b18c5ab4cac40ac42c39ca769f
Cr-Commit-Position: refs/heads/master@{#389665}