QUIC: support diversified keys with version 33.

net/quic/crypto/crypto_utils.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/crypto_utils.h"
 
 #include <memory>
 
 #include "crypto/hkdf.h"
 #include "crypto/secure_hash.h"
 #include "net/base/url_util.h"
 #include "net/quic/crypto/crypto_handshake.h"
 #include "net/quic/crypto/crypto_protocol.h"
 #include "net/quic/crypto/quic_decrypter.h"
 #include "net/quic/crypto/quic_encrypter.h"
 #include "net/quic/crypto/quic_random.h"
+#include "net/quic/quic_bug_tracker.h"
 #include "net/quic/quic_time.h"
 #include "net/quic/quic_utils.h"
 #include "url/url_canon.h"
 
 using base::StringPiece;
 using std::numeric_limits;
 using std::string;
 
 namespace net {
 
@@ skipping 56 matching lines @@
   return host;
 }
 
 // static
 bool CryptoUtils::DeriveKeys(StringPiece premaster_secret,
                              QuicTag aead,
                              StringPiece client_nonce,
                              StringPiece server_nonce,
                              const string& hkdf_input,
                              Perspective perspective,
+                             Diversification diversification,
                              CrypterPair* crypters,
                              string* subkey_secret) {
   crypters->encrypter.reset(QuicEncrypter::Create(aead));
   crypters->decrypter.reset(QuicDecrypter::Create(aead));
   size_t key_bytes = crypters->encrypter->GetKeySize();
   size_t nonce_prefix_bytes = crypters->encrypter->GetNoncePrefixSize();
   size_t subkey_secret_bytes =
       subkey_secret == nullptr ? 0 : premaster_secret.length();
 
   StringPiece nonce = client_nonce;
   string nonce_storage;
   if (!server_nonce.empty()) {
     nonce_storage = client_nonce.as_string() + server_nonce.as_string();
     nonce = nonce_storage;
   }
 
   crypto::HKDF hkdf(premaster_secret, nonce, hkdf_input, key_bytes,
                     nonce_prefix_bytes, subkey_secret_bytes);
-  if (perspective == Perspective::IS_SERVER) {
-    if (!crypters->encrypter->SetKey(hkdf.server_write_key()) ||
-        !crypters->encrypter->SetNoncePrefix(hkdf.server_write_iv()) ||
-        !crypters->decrypter->SetKey(hkdf.client_write_key()) ||
-        !crypters->decrypter->SetNoncePrefix(hkdf.client_write_iv())) {
-      return false;
+
+  // Key derivation depends on the key diversification method being employed.
+  // both the client and the server support never doing key diversification.
+  // The server also supports immediate diversification, and the client
+  // supports pending diversification.
+  switch (diversification.mode()) {
+    case Diversification::NEVER: {
+      if (perspective == Perspective::IS_SERVER) {
+        if (!crypters->encrypter->SetKey(hkdf.server_write_key()) ||
+            !crypters->encrypter->SetNoncePrefix(hkdf.server_write_iv()) ||
+            !crypters->decrypter->SetKey(hkdf.client_write_key()) ||
+            !crypters->decrypter->SetNoncePrefix(hkdf.client_write_iv())) {
+          return false;
+        }
+      } else {
+        if (!crypters->encrypter->SetKey(hkdf.client_write_key()) ||
+            !crypters->encrypter->SetNoncePrefix(hkdf.client_write_iv()) ||
+            !crypters->decrypter->SetKey(hkdf.server_write_key()) ||
+            !crypters->decrypter->SetNoncePrefix(hkdf.server_write_iv())) {
+          return false;
+        }
+      }
+      break;
     }
-  } else {
-    if (!crypters->encrypter->SetKey(hkdf.client_write_key()) ||
-        !crypters->encrypter->SetNoncePrefix(hkdf.client_write_iv()) ||
-        !crypters->decrypter->SetKey(hkdf.server_write_key()) ||
-        !crypters->decrypter->SetNoncePrefix(hkdf.server_write_iv())) {
-      return false;
+    case Diversification::PENDING: {
+      if (perspective == Perspective::IS_SERVER) {
+        QUIC_BUG << "Pending diversification is only for clients.";
+        return false;
+      }
+
+      if (!crypters->encrypter->SetKey(hkdf.client_write_key()) ||
+          !crypters->encrypter->SetNoncePrefix(hkdf.client_write_iv()) ||
+          !crypters->decrypter->SetPreliminaryKey(hkdf.server_write_key()) ||
+          !crypters->decrypter->SetNoncePrefix(hkdf.server_write_iv())) {
+        return false;
+      }
+      break;
     }
+    case Diversification::NOW: {
+      if (perspective == Perspective::IS_CLIENT) {
+        QUIC_BUG << "Immediate diversification is only for servers.";
+        return false;
+      }
+
+      string key, nonce_prefix;
+      QuicDecrypter::DiversifyPreliminaryKey(
+          hkdf.server_write_key(), hkdf.server_write_iv(),
+          *diversification.nonce(), key_bytes, nonce_prefix_bytes, &key,
+          &nonce_prefix);
+      if (!crypters->decrypter->SetKey(hkdf.client_write_key()) ||
+          !crypters->decrypter->SetNoncePrefix(hkdf.client_write_iv()) ||
+          !crypters->encrypter->SetKey(key) ||
+          !crypters->encrypter->SetNoncePrefix(nonce_prefix)) {
+        return false;
+      }
+      break;
+    }
+    default:
+      DCHECK(false);
   }
+
   if (subkey_secret != nullptr) {
     hkdf.subkey_secret().CopyToString(subkey_secret);
   }
 
   return true;
 }
 
 // static
 bool CryptoUtils::ExportKeyingMaterial(StringPiece subkey_secret,
                                        StringPiece label,
@@ skipping 147 matching lines @@
   const QuicData& serialized = message.GetSerialized();
   std::unique_ptr<crypto::SecureHash> hash(
       crypto::SecureHash::Create(crypto::SecureHash::SHA256));
   hash->Update(serialized.data(), serialized.length());
   uint8_t digest[32];
   hash->Finish(digest, sizeof(digest));
   output->assign(reinterpret_cast<const char*>(&digest), sizeof(digest));
 }
 
 }  // namespace net