This change introduces a way to tie source address token keys to specific QUIC server configs

net/quic/crypto/crypto_secret_boxer.cc

Index: net/quic/crypto/crypto_secret_boxer.cc
diff --git a/net/quic/crypto/crypto_secret_boxer.cc b/net/quic/crypto/crypto_secret_boxer.cc
index 73562c638bcc9df84d6167f6612356c238663bda..caecca4bf6acd2be3bef1aa848fd6e68c3a9f202 100644
--- a/net/quic/crypto/crypto_secret_boxer.cc
+++ b/net/quic/crypto/crypto_secret_boxer.cc
@@ -6,8 +6,6 @@
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
-#include "crypto/secure_hash.h"
-#include "crypto/sha2.h"
 #include "net/quic/crypto/quic_random.h"
 
 using base::StringPiece;
@@ -19,21 +17,42 @@ namespace net {
 static const size_t kKeySize = 16;
 
 // kBoxNonceSize contains the number of bytes of nonce that we use in each box.
-static const size_t kBoxNonceSize = 16;
+// TODO(rtenneti): Add support for kBoxNonceSize to be 16 bytes.
+//
+// From agl@:
+//   96-bit nonces are on the edge. An attacker who can collect 2^41
+//   source-address tokens has a 1% chance of finding a duplicate.
+//
+//   The "average" DDoS is now 32.4M PPS. That's 2^25 source-address tokens
+//   per second. So one day of that DDoS botnot would reach the 1% mark.
+//
+//   It's not terrible, but it's not a "forget about it" margin.
+static const size_t kBoxNonceSize = 12;
 
 // static
 size_t CryptoSecretBoxer::GetKeySize() { return kKeySize; }

[wtc, 2014/04/22 19:12:10]

Please move the definition of this static method after the constructor and
destructor.

[ramant (doing other things), 2014/04/25 23:40:58]

Done.

 
+CryptoSecretBoxer::CryptoSecretBoxer()
+    : encrypter_(QuicEncrypter::Create(kAESG)),
+      decrypter_(QuicDecrypter::Create(kAESG)) {
+}
+
+CryptoSecretBoxer::~CryptoSecretBoxer() {}
+
 void CryptoSecretBoxer::SetKey(StringPiece key) {
   DCHECK_EQ(static_cast<size_t>(kKeySize), key.size());
   key_ = key.as_string();
 }
 
-// TODO(rtenneti): Delete sha256 based code. Use Aes128Gcm12Encrypter to Box the
-// plaintext. This is temporary solution for tests to pass.
 string CryptoSecretBoxer::Box(QuicRandom* rand, StringPiece plaintext) const {
+  if (!encrypter_->SetKey(key_)) {
+    DLOG(DFATAL) << "CryptoSecretBoxer's SetKey failed.";
+    return string();
+  }

[wtc, 2014/04/22 19:12:10]

Lines 48-51 should be deleted. Then, change SetKey to simply call
encrypter_->SetKey(key) and decrypter_->SetKey(key), and remove the key_ data
member.

We may need to change the SetKey method to return bool so that it can report
encrypter_->SetKey() or decrypter_->SetKey() failure.

[ramant (doing other things), 2014/04/25 23:40:58]

Done.

+  size_t ciphertext_size = encrypter_->GetCiphertextSize(plaintext.length());
+
   string ret;
-  const size_t len = kBoxNonceSize + plaintext.size() + crypto::kSHA256Length;
+  const size_t len = kBoxNonceSize + ciphertext_size;
   ret.resize(len);
   char* data = &ret[0];
 
@@ -41,49 +60,39 @@ string CryptoSecretBoxer::Box(QuicRandom* rand, StringPiece plaintext) const {
   rand->RandBytes(data, kBoxNonceSize);
   memcpy(data + kBoxNonceSize, plaintext.data(), plaintext.size());
 
-  // Compute sha256 for nonce + plaintext.
-  scoped_ptr<crypto::SecureHash> sha256(crypto::SecureHash::Create(
-      crypto::SecureHash::SHA256));
-  sha256->Update(data, kBoxNonceSize + plaintext.size());
-  sha256->Finish(data + kBoxNonceSize + plaintext.size(),
-                 crypto::kSHA256Length);
+  if (!encrypter_->Encrypt(StringPiece(data, kBoxNonceSize), StringPiece(),
+                           plaintext, reinterpret_cast<unsigned char*>(
+                                          data + kBoxNonceSize))) {
+    DLOG(DFATAL) << "CryptoSecretBoxer's Encrypt failed.";
+    return string();
+  }
 
   return ret;
 }
 
-// TODO(rtenneti): Delete sha256 based code. Use Aes128Gcm12Decrypter to Unbox
-// the plaintext. This is temporary solution for tests to pass.
 bool CryptoSecretBoxer::Unbox(StringPiece ciphertext,
                               string* out_storage,
                               StringPiece* out) const {
-  if (ciphertext.size() < kBoxNonceSize + crypto::kSHA256Length) {
+  if (ciphertext.size() < kBoxNonceSize) {
     return false;
   }
 
-  const size_t plaintext_len =
-      ciphertext.size() - kBoxNonceSize - crypto::kSHA256Length;
-  out_storage->resize(plaintext_len);
-  char* data = const_cast<char*>(out_storage->data());
+  char nonce[kBoxNonceSize];
+  memcpy(nonce, ciphertext.data(), kBoxNonceSize);
+  ciphertext.remove_prefix(kBoxNonceSize);
 
-  // Copy plaintext from ciphertext.
-  if (plaintext_len != 0) {
-    memcpy(data, ciphertext.data() + kBoxNonceSize, plaintext_len);
-  }
-
-  // Compute sha256 for nonce + plaintext.
-  scoped_ptr<crypto::SecureHash> sha256(crypto::SecureHash::Create(
-      crypto::SecureHash::SHA256));
-  sha256->Update(ciphertext.data(), ciphertext.size() - crypto::kSHA256Length);
-  char sha256_bytes[crypto::kSHA256Length];
-  sha256->Finish(sha256_bytes, sizeof(sha256_bytes));
+  size_t len = ciphertext.size();
+  out_storage->resize(len);
+  char* data = const_cast<char*>(out_storage->data());
 
-  // Verify sha256.
-  if (0 != memcmp(ciphertext.data() + ciphertext.size() - crypto::kSHA256Length,
-                  sha256_bytes, crypto::kSHA256Length)) {
+  decrypter_->SetKey(key_);

[wtc, 2014/04/22 19:12:10]

As noted above, remove this line. decrypter_->SetKey() should be done in the
SetKey method.

[ramant (doing other things), 2014/04/25 23:40:58]

Done.

+  if (!decrypter_->Decrypt(StringPiece(nonce, kBoxNonceSize), StringPiece(),
+                           ciphertext, reinterpret_cast<unsigned char*>(data),
+                           &len)) {
     return false;
   }
 
-  out->set(data, plaintext_len);
+  out->set(data, len);
   return true;
 }