Chromium Code Reviews Chromium Code Reviews
Issue 213473003:
This change introduces a way to tie source address token keys to specific QUIC server configs (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: net/quic/crypto/crypto_secret_boxer.cc |
| diff --git a/net/quic/crypto/crypto_secret_boxer.cc b/net/quic/crypto/crypto_secret_boxer.cc |
| index 73562c638bcc9df84d6167f6612356c238663bda..365b5d376e6595a30f53032e8469c49d0530dfc7 100644 |
| --- a/net/quic/crypto/crypto_secret_boxer.cc |
| +++ b/net/quic/crypto/crypto_secret_boxer.cc |
| @@ -5,9 +5,7 @@ |
| #include "net/quic/crypto/crypto_secret_boxer.h" |
| #include "base/logging.h" |
| -#include "base/memory/scoped_ptr.h" |
| -#include "crypto/secure_hash.h" |
| -#include "crypto/sha2.h" |
| +#include "net/quic/crypto/crypto_protocol.h" |
| #include "net/quic/crypto/quic_random.h" |
| using base::StringPiece; |
| @@ -19,21 +17,48 @@ namespace net { |
| static const size_t kKeySize = 16; |
| // kBoxNonceSize contains the number of bytes of nonce that we use in each box. |
| -static const size_t kBoxNonceSize = 16; |
| +// TODO(rtenneti): Add support for kBoxNonceSize to be 16 bytes. |
| +// |
| +// From agl@: |
| +// 96-bit nonces are on the edge. An attacker who can collect 2^41 |
| +// source-address tokens has a 1% chance of finding a duplicate. |
| +// |
| +// The "average" DDoS is now 32.4M PPS. That's 2^25 source-address tokens |
| +// per second. So one day of that DDoS botnot would reach the 1% mark. |
| +// |
| +// It's not terrible, but it's not a "forget about it" margin. |
| +static const size_t kBoxNonceSize = 12; |
| + |
| +CryptoSecretBoxer::CryptoSecretBoxer() |
| + : encrypter_(QuicEncrypter::Create(kAESG)), |
| + decrypter_(QuicDecrypter::Create(kAESG)) { |
| +} |
| + |
| +CryptoSecretBoxer::~CryptoSecretBoxer() {} |
| // static |
| size_t CryptoSecretBoxer::GetKeySize() { return kKeySize; } |
| -void CryptoSecretBoxer::SetKey(StringPiece key) { |
| +bool CryptoSecretBoxer::SetKey(StringPiece key) { |
| DCHECK_EQ(static_cast<size_t>(kKeySize), key.size()); |
|
wtc
2014/04/28 18:44:58
Please remove the static_cast. kKeySize is already
ramant (doing other things)
2014/04/29 00:31:18
Done.
|
| - key_ = key.as_string(); |
| + string key_string = key.as_string(); |
|
wtc
2014/04/28 18:44:58
It is not necessary to convert |key| to a string.
ramant (doing other things)
2014/04/29 00:31:18
Done.
|
| + if (!encrypter_->SetKey(key_string)) { |
| + DLOG(DFATAL) << "CryptoSecretBoxer's encrypter_->SetKey failed."; |
| + return false; |
| + } |
| + if (!decrypter_->SetKey(key_string)) { |
| + DLOG(DFATAL) << "CryptoSecretBoxer's decrypter_->SetKey failed."; |
| + return false; |
| + } |
| + return true; |
| } |
| -// TODO(rtenneti): Delete sha256 based code. Use Aes128Gcm12Encrypter to Box the |
| -// plaintext. This is temporary solution for tests to pass. |
| string CryptoSecretBoxer::Box(QuicRandom* rand, StringPiece plaintext) const { |
| + DCHECK_EQ(kKeySize, encrypter_->GetKeySize()); |
|
wtc
2014/04/28 18:44:58
I think this DCHECK can be deleted. Alternatively,
ramant (doing other things)
2014/04/29 00:31:18
Done.
Deleted the DECHEK_EQ.
Wanted to make sur
|
| + size_t ciphertext_size = encrypter_->GetCiphertextSize(plaintext.length()); |
| + |
| string ret; |
| - const size_t len = kBoxNonceSize + plaintext.size() + crypto::kSHA256Length; |
| + const size_t len = kBoxNonceSize + ciphertext_size; |
| ret.resize(len); |
| char* data = &ret[0]; |
| @@ -41,49 +66,38 @@ string CryptoSecretBoxer::Box(QuicRandom* rand, StringPiece plaintext) const { |
| rand->RandBytes(data, kBoxNonceSize); |
| memcpy(data + kBoxNonceSize, plaintext.data(), plaintext.size()); |
| - // Compute sha256 for nonce + plaintext. |
| - scoped_ptr<crypto::SecureHash> sha256(crypto::SecureHash::Create( |
| - crypto::SecureHash::SHA256)); |
| - sha256->Update(data, kBoxNonceSize + plaintext.size()); |
| - sha256->Finish(data + kBoxNonceSize + plaintext.size(), |
| - crypto::kSHA256Length); |
| + if (!encrypter_->Encrypt(StringPiece(data, kBoxNonceSize), StringPiece(), |
| + plaintext, reinterpret_cast<unsigned char*>( |
| + data + kBoxNonceSize))) { |
| + DLOG(DFATAL) << "CryptoSecretBoxer's Encrypt failed."; |
| + return string(); |
| + } |
| return ret; |
| } |
| -// TODO(rtenneti): Delete sha256 based code. Use Aes128Gcm12Decrypter to Unbox |
| -// the plaintext. This is temporary solution for tests to pass. |
| bool CryptoSecretBoxer::Unbox(StringPiece ciphertext, |
| string* out_storage, |
| StringPiece* out) const { |
| - if (ciphertext.size() < kBoxNonceSize + crypto::kSHA256Length) { |
| + if (ciphertext.size() < kBoxNonceSize) { |
| return false; |
| } |
| - const size_t plaintext_len = |
| - ciphertext.size() - kBoxNonceSize - crypto::kSHA256Length; |
| - out_storage->resize(plaintext_len); |
| - char* data = const_cast<char*>(out_storage->data()); |
| - |
| - // Copy plaintext from ciphertext. |
| - if (plaintext_len != 0) { |
| - memcpy(data, ciphertext.data() + kBoxNonceSize, plaintext_len); |
| - } |
| + char nonce[kBoxNonceSize]; |
| + memcpy(nonce, ciphertext.data(), kBoxNonceSize); |
| + ciphertext.remove_prefix(kBoxNonceSize); |
| - // Compute sha256 for nonce + plaintext. |
| - scoped_ptr<crypto::SecureHash> sha256(crypto::SecureHash::Create( |
| - crypto::SecureHash::SHA256)); |
| - sha256->Update(ciphertext.data(), ciphertext.size() - crypto::kSHA256Length); |
| - char sha256_bytes[crypto::kSHA256Length]; |
| - sha256->Finish(sha256_bytes, sizeof(sha256_bytes)); |
| + size_t len = ciphertext.size(); |
| + out_storage->resize(len); |
| + char* data = const_cast<char*>(out_storage->data()); |
| - // Verify sha256. |
| - if (0 != memcmp(ciphertext.data() + ciphertext.size() - crypto::kSHA256Length, |
| - sha256_bytes, crypto::kSHA256Length)) { |
| + if (!decrypter_->Decrypt(StringPiece(nonce, kBoxNonceSize), StringPiece(), |
| + ciphertext, reinterpret_cast<unsigned char*>(data), |
| + &len)) { |
| return false; |
| } |
| - out->set(data, plaintext_len); |
| + out->set(data, len); |
| return true; |
| } |
