This change introduces a way to tie source address token keys to specific QUIC server configs

net/quic/crypto/quic_crypto_server_config.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/quic_crypto_server_config.h"
 
 #include <stdlib.h>
 #include <algorithm>
 
 #include "base/stl_util.h"
@@ skipping 28 matching lines @@
 
 using base::StringPiece;
 using crypto::SecureHash;
 using std::map;
 using std::sort;
 using std::string;
 using std::vector;
 
 namespace net {
 
+namespace {
+
+string ComputeSourceAddressTokenKey(StringPiece source_address_token_secret) {

[wtc, 2014/04/07 18:38:24]

Nit: "Derive" is the usual verb for this operation.

[ramant (doing other things), 2014/04/21 22:39:29]

Done.

+  crypto::HKDF hkdf(source_address_token_secret,
+                    StringPiece() /* no salt */,
+                    "QUIC source address token key",
+                    CryptoSecretBoxer::GetKeySize(),
+                    0 /* no fixed IV needed */);
+  return hkdf.server_write_key().as_string();
+}
+
+}  // namespace
+
 // ClientHelloInfo contains information about a client hello message that is
 // only kept for as long as it's being processed.
 struct ClientHelloInfo {
   ClientHelloInfo(const IPEndPoint& in_client_ip, QuicWallTime in_now)
       : client_ip(in_client_ip),
         now(in_now),
         valid_source_address_token(false),
         client_nonce_well_formed(false),
         unique(false) {}
 
@@ skipping 117 matching lines @@
       primary_config_(NULL),
       next_config_promotion_time_(QuicWallTime::Zero()),
       server_nonce_strike_register_lock_(),
       strike_register_no_startup_period_(false),
       strike_register_max_entries_(1 << 10),
       strike_register_window_secs_(600),
       source_address_token_future_secs_(3600),
       source_address_token_lifetime_secs_(86400),
       server_nonce_strike_register_max_entries_(1 << 10),
       server_nonce_strike_register_window_secs_(120) {
-  crypto::HKDF hkdf(source_address_token_secret, StringPiece() /* no salt */,
-                    "QUIC source address token key",
-                    CryptoSecretBoxer::GetKeySize(),
-                    0 /* no fixed IV needed */);
-  source_address_token_boxer_.SetKey(hkdf.server_write_key());
+  default_source_address_token_boxer_.SetKey(
+      ComputeSourceAddressTokenKey(source_address_token_secret));
 
   // Generate a random key and orbit for server nonces.
   rand->RandBytes(server_nonce_orbit_, sizeof(server_nonce_orbit_));
   const size_t key_size = server_nonce_boxer_.GetKeySize();
   scoped_ptr<uint8[]> key_bytes(new uint8[key_size]);
   rand->RandBytes(key_bytes.get(), key_size);
 
   server_nonce_boxer_.SetKey(
       StringPiece(reinterpret_cast<char*>(key_bytes.get()), key_size));
 }
@@ skipping 178 matching lines @@
   } else {
     VLOG(1) << "Updating configs:";
 
     base::AutoLock locked(configs_lock_);
     ConfigMap new_configs;
 
     for (vector<scoped_refptr<Config> >::const_iterator i =
              parsed_configs.begin();
          i != parsed_configs.end(); ++i) {
       scoped_refptr<Config> config = *i;
+
       ConfigMap::iterator it = configs_.find(config->id);
       if (it != configs_.end()) {
         VLOG(1)
             << "Keeping scid: " << base::HexEncode(
                 config->id.data(), config->id.size())
             << " orbit: " << base::HexEncode(
                 reinterpret_cast<const char *>(config->orbit), kOrbitSize)
             << " new primary_time " << config->primary_time.ToUNIXSeconds()
             << " old primary_time " << it->second->primary_time.ToUNIXSeconds()
             << " new priority " << config->priority
@@ skipping 34 matching lines @@
     const CryptoHandshakeMessage& client_hello,
     IPEndPoint client_ip,
     const QuicClock* clock,
     ValidateClientHelloResultCallback* done_cb) const {
   const QuicWallTime now(clock->WallNow());
 
   ValidateClientHelloResultCallback::Result* result =
       new ValidateClientHelloResultCallback::Result(
           client_hello, client_ip, now);
 
+  StringPiece requested_scid;
+  client_hello.GetStringPiece(kSCID, &requested_scid);
+
   uint8 primary_orbit[kOrbitSize];
+  scoped_refptr<Config> requested_config;
   {
     base::AutoLock locked(configs_lock_);
 
     if (!primary_config_.get()) {
       result->error_code = QUIC_CRYPTO_INTERNAL_ERROR;
       result->error_details = "No configurations loaded";
     } else {
       if (!next_config_promotion_time_.IsZero() &&
           next_config_promotion_time_.IsAfter(now)) {
         SelectNewPrimaryConfig(now);
         DCHECK(primary_config_);
         DCHECK(configs_.find(primary_config_->id)->second == primary_config_);
       }
 
       memcpy(primary_orbit, primary_config_->orbit, sizeof(primary_orbit));
     }
+
+    requested_config = GetConfigWithScid(requested_scid);
   }
 
   if (result->error_code == QUIC_NO_ERROR) {
-    EvaluateClientHello(primary_orbit, result, done_cb);
+    EvaluateClientHello(primary_orbit, requested_config, result, done_cb);
   } else {
     done_cb->Run(result);
   }
 }
 
 QuicErrorCode QuicCryptoServerConfig::ProcessClientHello(
     const ValidateClientHelloResultCallback::Result& validate_chlo_result,
     QuicConnectionId connection_id,
     IPEndPoint client_address,
     QuicVersion version,
@@ skipping 48 matching lines @@
 
     if (!next_config_promotion_time_.IsZero() &&
         next_config_promotion_time_.IsAfter(now)) {
       SelectNewPrimaryConfig(now);
       DCHECK(primary_config_);
       DCHECK(configs_.find(primary_config_->id)->second == primary_config_);
     }
 
     primary_config = primary_config_;
 
-    if (!requested_scid.empty()) {
-      ConfigMap::const_iterator it = configs_.find(requested_scid.as_string());
-      if (it != configs_.end()) {
-        // We'll use the config that the client requested in order to do
-        // key-agreement. Otherwise we'll give it a copy of |primary_config_|
-        // to use.
-        requested_config = it->second;
-      }
-    }
+    requested_config = GetConfigWithScid(requested_scid);
   }
 
   if (validate_chlo_result.error_code != QUIC_NO_ERROR) {
     *error_details = validate_chlo_result.error_details;
     return validate_chlo_result.error_code;
   }
 
   out->Clear();
 
   if (!info.valid_source_address_token ||
@@ skipping 160 matching lines @@
   }
 
   out->set_tag(kSHLO);
   QuicTagVector supported_version_tags;
   for (size_t i = 0; i < supported_versions.size(); ++i) {
     supported_version_tags.push_back
         (QuicVersionToQuicTag(supported_versions[i]));
   }
   out->SetVector(kVER, supported_version_tags);
   out->SetStringPiece(kSourceAddressTokenTag,
-                      NewSourceAddressToken(client_address, rand, info.now));
+                      NewSourceAddressToken(
+                          requested_config.get(),
+                          client_address, rand,
+                          info.now));
   QuicSocketAddressCoder address_coder(client_address);
   out->SetStringPiece(kCADR, address_coder.Encode());
   out->SetStringPiece(kPUBS, forward_secure_public_value);
 
   // Set initial receive window for flow control.
   out->SetValue(kIFCW, initial_flow_control_window_bytes);
 
   return QUIC_NO_ERROR;
 }
 
+scoped_refptr<QuicCryptoServerConfig::Config>
+QuicCryptoServerConfig::GetConfigWithScid(StringPiece requested_scid) const {
+  // In Chromium, we will dead lock if the lock is held by the current thread.
+  // Chromium doesn't have AssertReaderHeld API call.
+  // configs_lock_.AssertReaderHeld();
+
+  if (!requested_scid.empty()) {
+    ConfigMap::const_iterator it = configs_.find(requested_scid.as_string());
+    if (it != configs_.end()) {
+      // We'll use the config that the client requested in order to do
+      // key-agreement. Otherwise we'll give it a copy of |primary_config_|
+      // to use.

[wtc, 2014/04/07 18:38:24]

The comment "Otherwise we'll give it a copy of |primary_config_| to use.", or
perhaps this whole paragraph, should be moved back to the call site at line 549
(or a little earlier, at line 547). The reference to |primary_config_| only
makes sense there.

[ramant (doing other things), 2014/04/21 22:39:29]

Please take a look at the new comments.

Done.

+      return scoped_refptr<Config>(it->second);
+    }
+  }
+
+  return scoped_refptr<Config>();
+}
+
 // ConfigPrimaryTimeLessThan is a comparator that implements "less than" for
 // Config's based on their primary_time.
 // static
 bool QuicCryptoServerConfig::ConfigPrimaryTimeLessThan(
     const scoped_refptr<Config>& a,
     const scoped_refptr<Config>& b) {
   if (a->primary_time.IsBefore(b->primary_time) ||
       b->primary_time.IsBefore(a->primary_time)) {
     // Primary times differ.
     return a->primary_time.IsBefore(b->primary_time);
@@ skipping 74 matching lines @@
   // and highest priority candidate primary.
   scoped_refptr<Config> new_primary(best_candidate);
   if (primary_config_.get()) {
     primary_config_->is_primary = false;
   }
   primary_config_ = new_primary;
   new_primary->is_primary = true;
   DVLOG(1) << "New primary config.  orbit: "
            << base::HexEncode(
                reinterpret_cast<const char*>(primary_config_->orbit),
-               kOrbitSize);
+               kOrbitSize)
+           << " scid: " << base::HexEncode(primary_config_->id.data(),
+                                           primary_config_->id.size());
   next_config_promotion_time_ = QuicWallTime::Zero();
   if (primary_config_changed_cb_.get() != NULL) {
     primary_config_changed_cb_->Run(primary_config_->id);
   }
 }
 
 void QuicCryptoServerConfig::EvaluateClientHello(
     const uint8* primary_orbit,
+    scoped_refptr<Config> requested_config,
     ValidateClientHelloResultCallback::Result* client_hello_state,
     ValidateClientHelloResultCallback* done_cb) const {
   ValidateClientHelloHelper helper(client_hello_state, done_cb);
 
   const CryptoHandshakeMessage& client_hello =
       client_hello_state->client_hello;
   ClientHelloInfo* info = &(client_hello_state->info);
 
   if (client_hello.size() < kClientHelloMinimumSize) {
     helper.ValidationComplete(QUIC_CRYPTO_INVALID_VALUE_LENGTH,
                               "Client hello too small");
     return;
   }
 
   if (client_hello.GetStringPiece(kSNI, &info->sni) &&
       !CryptoUtils::IsValidSNI(info->sni)) {
     helper.ValidationComplete(QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER,
                               "Invalid SNI name");
     return;
   }
 
   StringPiece srct;
-  if (client_hello.GetStringPiece(kSourceAddressTokenTag, &srct) &&
-      ValidateSourceAddressToken(srct, info->client_ip, info->now)) {
+  if (requested_config.get() != NULL &&

[wtc, 2014/04/07 18:38:24]

Why do we want to allow requested_config to be NULL? It may be better for the
caller to ensure that requested_config is not NULL.

[ramant (doing other things), 2014/04/21 22:39:29]

Will make this change in internal source code.

+      client_hello.GetStringPiece(kSourceAddressTokenTag, &srct) &&
+      ValidateSourceAddressToken(requested_config.get(),
+                                 srct,
+                                 info->client_ip,
+                                 info->now)) {
     info->valid_source_address_token = true;
   } else {
     // No valid source address token.

[wtc, 2014/04/07 18:38:24]

With the new code, this comment is no longer accurate. Now it should say
something like "No server config with the requested ID, or no valid source
address token".

[ramant (doing other things), 2014/04/21 22:39:29]

Done.

     helper.ValidationComplete(QUIC_NO_ERROR, "");
     return;
   }
 
   if (client_hello.GetStringPiece(kNONC, &info->client_nonce) &&
       info->client_nonce.size() == kNonceSize) {
     info->client_nonce_well_formed = true;
   } else {
     // Invalid client nonce.
     DVLOG(1) << "Invalid client nonce.";
@@ skipping 44 matching lines @@
 
 void QuicCryptoServerConfig::BuildRejection(
     const scoped_refptr<Config>& config,
     const CryptoHandshakeMessage& client_hello,
     const ClientHelloInfo& info,
     QuicRandom* rand,
     CryptoHandshakeMessage* out) const {
   out->set_tag(kREJ);
   out->SetStringPiece(kSCFG, config->serialized);
   out->SetStringPiece(kSourceAddressTokenTag,
-                      NewSourceAddressToken(info.client_ip, rand, info.now));
+                      NewSourceAddressToken(
+                          config,
+                          info.client_ip,
+                          rand,
+                          info.now));
   if (replay_protection_) {
     out->SetStringPiece(kServerNonceTag, NewServerNonce(rand, info.now));
   }
 
   // The client may have requested a certificate chain.
   const QuicTag* their_proof_demands;
   size_t num_their_proof_demands;
 
   if (proof_source_.get() == NULL ||
       client_hello.GetTaglist(kPDMD, &their_proof_demands,
@@ skipping 69 matching lines @@
 
   if (msg->tag() != kSCFG) {
     LOG(WARNING) << "Server config message has tag " << msg->tag()
                  << " expected " << kSCFG;
     return NULL;
   }
 
   scoped_refptr<Config> config(new Config);
   config->serialized = protobuf->config();
 
+  if (!protobuf->has_source_address_token_secret_override()) {
+    // Use the default boxer.
+    config->source_address_token_boxer = &default_source_address_token_boxer_;
+  } else {
+    // Create override boxer instance.
+    CryptoSecretBoxer* boxer = new CryptoSecretBoxer;
+    boxer->SetKey(ComputeSourceAddressTokenKey(
+        protobuf->source_address_token_secret_override()));
+    config->source_address_token_boxer_storage.reset(boxer);
+    config->source_address_token_boxer = boxer;
+  }
+
   if (protobuf->has_primary_time()) {
     config->primary_time =
         QuicWallTime::FromUNIXSeconds(protobuf->primary_time());
   }
 
   config->priority = protobuf->priority();
 
   StringPiece scid;
   if (!msg->GetStringPiece(kSCID, &scid)) {
     LOG(WARNING) << "Server config message is missing SCID";
@@ skipping 11 matching lines @@
 
   const QuicTag* kexs_tags;
   size_t kexs_len;
   if (msg->GetTaglist(kKEXS, &kexs_tags, &kexs_len) != QUIC_NO_ERROR) {
     LOG(WARNING) << "Server config message is missing KEXS";
     return NULL;
   }
 
   StringPiece orbit;
   if (!msg->GetStringPiece(kORBT, &orbit)) {
-    LOG(WARNING) << "Server config message is missing OBIT";
+    LOG(WARNING) << "Server config message is missing ORBT";
     return NULL;
   }
 
   if (orbit.size() != kOrbitSize) {
     LOG(WARNING) << "Orbit value in server config is the wrong length."
                     " Got " << orbit.size() << " want " << kOrbitSize;
     return NULL;
   }
   COMPILE_ASSERT(sizeof(config->orbit) == kOrbitSize, orbit_incorrect_size);
   memcpy(config->orbit, orbit.data(), sizeof(config->orbit));
@@ skipping 153 matching lines @@
   server_nonce_strike_register_window_secs_ = window_secs;
 }
 
 void QuicCryptoServerConfig::AcquirePrimaryConfigChangedCb(
     PrimaryConfigChangedCallback* cb) {
   base::AutoLock locked(configs_lock_);
   primary_config_changed_cb_.reset(cb);
 }
 
 string QuicCryptoServerConfig::NewSourceAddressToken(
+    const QuicCryptoServerConfig::Config* config,
     const IPEndPoint& ip,
     QuicRandom* rand,
     QuicWallTime now) const {
   SourceAddressToken source_address_token;
   source_address_token.set_ip(IPAddressToPackedString(ip.address()));
   source_address_token.set_timestamp(now.ToUNIXSeconds());
 
-  return source_address_token_boxer_.Box(
+  return config->source_address_token_boxer->Box(
       rand, source_address_token.SerializeAsString());
 }
 
 bool QuicCryptoServerConfig::ValidateSourceAddressToken(
+    const QuicCryptoServerConfig::Config* config,
     StringPiece token,
     const IPEndPoint& ip,
     QuicWallTime now) const {
   string storage;
   StringPiece plaintext;
-  if (!source_address_token_boxer_.Unbox(token, &storage, &plaintext)) {
+  if (!config->source_address_token_boxer->Unbox(token, &storage, &plaintext)) {
     return false;
   }
 
   SourceAddressToken source_address_token;
   if (!source_address_token.ParseFromArray(plaintext.data(),
                                            plaintext.size())) {
     return false;
   }
 
   if (source_address_token.ip() != IPAddressToPackedString(ip.address())) {
@@ skipping 81 matching lines @@
         server_nonce, static_cast<uint32>(now.ToUNIXSeconds()));
   }
 
   return is_unique;
 }
 
 QuicCryptoServerConfig::Config::Config()
     : channel_id_enabled(false),
       is_primary(false),
       primary_time(QuicWallTime::Zero()),
-      priority(0) {}
+      priority(0),
+      source_address_token_boxer(NULL) {}
 
 QuicCryptoServerConfig::Config::~Config() { STLDeleteElements(&key_exchanges); }
 
 }  // namespace net