This change introduces a way to tie source address token keys to specific QUIC server configs

net/quic/crypto/crypto_secret_boxer.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/crypto_secret_boxer.h"
 
 #include "base/logging.h"
-#include "base/memory/scoped_ptr.h"
-#include "crypto/secure_hash.h"
-#include "crypto/sha2.h"
+#include "net/quic/crypto/crypto_protocol.h"
 #include "net/quic/crypto/quic_random.h"
 
 using base::StringPiece;
 using std::string;
 
 namespace net {
 
 // Defined kKeySize for GetKeySize() and SetKey().
 static const size_t kKeySize = 16;
 
 // kBoxNonceSize contains the number of bytes of nonce that we use in each box.
-static const size_t kBoxNonceSize = 16;
+// TODO(rtenneti): Add support for kBoxNonceSize to be 16 bytes.
+//
+// From agl@:
+//   96-bit nonces are on the edge. An attacker who can collect 2^41
+//   source-address tokens has a 1% chance of finding a duplicate.
+//
+//   The "average" DDoS is now 32.4M PPS. That's 2^25 source-address tokens
+//   per second. So one day of that DDoS botnot would reach the 1% mark.
+//
+//   It's not terrible, but it's not a "forget about it" margin.
+static const size_t kBoxNonceSize = 12;
+
+CryptoSecretBoxer::CryptoSecretBoxer()
+    : encrypter_(QuicEncrypter::Create(kAESG)),
+      decrypter_(QuicDecrypter::Create(kAESG)) {
+}
+
+CryptoSecretBoxer::~CryptoSecretBoxer() {}
 
 // static
 size_t CryptoSecretBoxer::GetKeySize() { return kKeySize; }
 
-void CryptoSecretBoxer::SetKey(StringPiece key) {
+bool CryptoSecretBoxer::SetKey(StringPiece key) {
   DCHECK_EQ(static_cast<size_t>(kKeySize), key.size());

[wtc, 2014/04/28 18:44:58]

Please remove the static_cast. kKeySize is already defined as a size_t.

[ramant (doing other things), 2014/04/29 00:31:18]

Done.

-  key_ = key.as_string();
+  string key_string = key.as_string();

[wtc, 2014/04/28 18:44:58]

It is not necessary to convert |key| to a string. encrypter_->SetKey() and
decrypter_->SetKey() both take a StringPiece, so we can just pass |key| to them.

[ramant (doing other things), 2014/04/29 00:31:18]

Done.

+  if (!encrypter_->SetKey(key_string)) {
+    DLOG(DFATAL) << "CryptoSecretBoxer's encrypter_->SetKey failed.";
+    return false;
+  }
+  if (!decrypter_->SetKey(key_string)) {
+    DLOG(DFATAL) << "CryptoSecretBoxer's decrypter_->SetKey failed.";
+    return false;
+  }
+  return true;
 }
 
-// TODO(rtenneti): Delete sha256 based code. Use Aes128Gcm12Encrypter to Box the
-// plaintext. This is temporary solution for tests to pass.
 string CryptoSecretBoxer::Box(QuicRandom* rand, StringPiece plaintext) const {
+  DCHECK_EQ(kKeySize, encrypter_->GetKeySize());

[wtc, 2014/04/28 18:44:58]

I think this DCHECK can be deleted. Alternatively, it should be moved to the
SetKey method, where we call encrypter_->SetKey. But encrypter_->SetKey will
check the key size, which is why I think this DCHECK can be removed.

[ramant (doing other things), 2014/04/29 00:31:18]

Done.

Deleted the DECHEK_EQ. 

Wanted to make sure SetKey was called before calling Box.

+  size_t ciphertext_size = encrypter_->GetCiphertextSize(plaintext.length());
+
   string ret;
-  const size_t len = kBoxNonceSize + plaintext.size() + crypto::kSHA256Length;
+  const size_t len = kBoxNonceSize + ciphertext_size;
   ret.resize(len);
   char* data = &ret[0];
 
   // Generate nonce.
   rand->RandBytes(data, kBoxNonceSize);
   memcpy(data + kBoxNonceSize, plaintext.data(), plaintext.size());
 
-  // Compute sha256 for nonce + plaintext.
-  scoped_ptr<crypto::SecureHash> sha256(crypto::SecureHash::Create(
-      crypto::SecureHash::SHA256));
-  sha256->Update(data, kBoxNonceSize + plaintext.size());
-  sha256->Finish(data + kBoxNonceSize + plaintext.size(),
-                 crypto::kSHA256Length);
+  if (!encrypter_->Encrypt(StringPiece(data, kBoxNonceSize), StringPiece(),
+                           plaintext, reinterpret_cast<unsigned char*>(
+                                          data + kBoxNonceSize))) {
+    DLOG(DFATAL) << "CryptoSecretBoxer's Encrypt failed.";
+    return string();
+  }
 
   return ret;
 }
 
-// TODO(rtenneti): Delete sha256 based code. Use Aes128Gcm12Decrypter to Unbox
-// the plaintext. This is temporary solution for tests to pass.
 bool CryptoSecretBoxer::Unbox(StringPiece ciphertext,
                               string* out_storage,
                               StringPiece* out) const {
-  if (ciphertext.size() < kBoxNonceSize + crypto::kSHA256Length) {
+  if (ciphertext.size() < kBoxNonceSize) {
     return false;
   }
 
-  const size_t plaintext_len =
-      ciphertext.size() - kBoxNonceSize - crypto::kSHA256Length;
-  out_storage->resize(plaintext_len);
+  char nonce[kBoxNonceSize];
+  memcpy(nonce, ciphertext.data(), kBoxNonceSize);
+  ciphertext.remove_prefix(kBoxNonceSize);
+
+  size_t len = ciphertext.size();
+  out_storage->resize(len);
   char* data = const_cast<char*>(out_storage->data());
 
-  // Copy plaintext from ciphertext.
-  if (plaintext_len != 0) {
-    memcpy(data, ciphertext.data() + kBoxNonceSize, plaintext_len);
-  }
-
-  // Compute sha256 for nonce + plaintext.
-  scoped_ptr<crypto::SecureHash> sha256(crypto::SecureHash::Create(
-      crypto::SecureHash::SHA256));
-  sha256->Update(ciphertext.data(), ciphertext.size() - crypto::kSHA256Length);
-  char sha256_bytes[crypto::kSHA256Length];
-  sha256->Finish(sha256_bytes, sizeof(sha256_bytes));
-
-  // Verify sha256.
-  if (0 != memcmp(ciphertext.data() + ciphertext.size() - crypto::kSHA256Length,
-                  sha256_bytes, crypto::kSHA256Length)) {
+  if (!decrypter_->Decrypt(StringPiece(nonce, kBoxNonceSize), StringPiece(),
+                           ciphertext, reinterpret_cast<unsigned char*>(data),
+                           &len)) {
     return false;
   }
 
-  out->set(data, plaintext_len);
+  out->set(data, len);
   return true;
 }
 
 }  // namespace net