Issue 2333443002: Add base::UnguessableToken

tguilbert

The CQ bit was checked by tguilbert@chromium.org to run a CQ dry run

4 years, 3 months ago (2016-09-10 09:09:52 UTC) #1

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2333443002/1

4 years, 3 months ago (2016-09-10 09:10:01 UTC) #2

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

4 years, 3 months ago (2016-09-10 10:29:54 UTC) #3

commit-bot: I haz the power

Dry run: This issue passed the CQ dry run.

4 years, 3 months ago (2016-09-10 10:29:55 UTC) #4

danakj

danakj@chromium.org changed reviewers: + danakj@chromium.org

4 years, 3 months ago (2016-09-12 20:41:56 UTC) #5

danakj

A few comments on the base impl https://codereview.chromium.org/2333443002/diff/1/base/nonce.h File base/nonce.h (right): https://codereview.chromium.org/2333443002/diff/1/base/nonce.h#newcode21 base/nonce.h:21: // PLEASE ...

4 years, 3 months ago (2016-09-12 20:41:57 UTC) #6

Fady Samuel

fsamuel@chromium.org changed reviewers: + fsamuel@chromium.org

4 years, 3 months ago (2016-09-12 20:47:47 UTC) #7

Fady Samuel

Some non-OWNER thoughts. https://codereview.chromium.org/2333443002/diff/1/base/nonce.h File base/nonce.h (right): https://codereview.chromium.org/2333443002/diff/1/base/nonce.h#newcode28 base/nonce.h:28: static Nonce Generate(); On 2016/09/12 20:41:57, ...

4 years, 3 months ago (2016-09-12 20:47:48 UTC) #8

danakj

On Mon, Sep 12, 2016 at 1:47 PM, <fsamuel@chromium.org> wrote: > Some non-OWNER thoughts. > ...

4 years, 3 months ago (2016-09-12 20:54:55 UTC) #9

tguilbert

tguilbert@chromium.org changed reviewers: + dcheng@chromium.org, jam@chromium.org

4 years, 3 months ago (2016-09-12 23:53:32 UTC) #10

tguilbert

danakj PTAL @ base/* dcheng PTAL @ mojo/common/* jam PTAL @ ipc/* Addressed comments: - ...

4 years, 3 months ago (2016-09-12 23:53:34 UTC) #11

danakj PTAL @ base/*
dcheng PTAL @ mojo/common/*
jam    PTAL @ ipc/*

Addressed comments:
- Made Nonce(uint64_t, uint64_t) private.
- Added a UT that verifies that the class is a POD according to c++11 standards
(and therefore memcpy-able). LMK if there is a better way to do this, of if this
should live in the IPC tests instead.

Thank you very much!
Thomas

https://codereview.chromium.org/2333443002/diff/1/base/nonce.h
File base/nonce.h (right):

https://codereview.chromium.org/2333443002/diff/1/base/nonce.h#newcode21
base/nonce.h:21: // PLEASE MAKE SURE YOUR USAGE OF THIS CLASS IS SECURE!
On 2016/09/12 20:41:57, danakj wrote:
> You should explain how to make sure or this comment is scary but not
actionable.

Updated.

https://codereview.chromium.org/2333443002/diff/1/base/nonce.h#newcode24
base/nonce.h:24: Nonce() : high(0), low(0){};
On 2016/09/12 20:41:57, danakj wrote:
>  = default;
> 
> move the defn to a .cc file

I have updated it to be "= default". If you have no objection, I will leave the
= default here, because moving it to the .cc file is considered to be a "user
defined" ctor, and std::is_pod<Nonce>::value would no longer be true. (Following
info I found in this post
http://stackoverflow.com/questions/4178175/what-are-aggregates-and-pods-and-h...)

https://codereview.chromium.org/2333443002/diff/1/base/nonce.h#newcode25
base/nonce.h:25: Nonce(uint64_t high, uint64_t low) : high(high), low(low){};
On 2016/09/12 20:41:57, danakj wrote:
> dittos

Done.

https://codereview.chromium.org/2333443002/diff/1/base/nonce.h#newcode28
base/nonce.h:28: static Nonce Generate();
On 2016/09/12 20:47:47, Fady Samuel wrote:
> On 2016/09/12 20:41:57, danakj wrote:
> > maybe this should go first in the class so people find and use this.
> 
> Do we want to expose manually setting the nonce to potentially something
> insecure? I'm not sure how I feel about this constructor:
> 
> Nonce(uint64_t high, uint64_t low) 

I agree with you and have changed the class to be harder to misuse.

https://codereview.chromium.org/2333443002/diff/1/base/nonce.h#newcode30
base/nonce.h:30: bool is_null() const { return high == 0 && low == 0; };
On 2016/09/12 20:41:57, danakj wrote:
> no ; after a function body

Done.

https://codereview.chromium.org/2333443002/diff/1/base/nonce.h#newcode33
base/nonce.h:33: return base::StringPrintf("(%" PRIu64 ":%" PRIu64 ")", high,
low);
On 2016/09/12 20:41:57, danakj wrote:
> move this fn defn to a .cc file

Done.

https://codereview.chromium.org/2333443002/diff/1/base/nonce.h#newcode38
base/nonce.h:38: size_t hash() const { return base::HashInts64(high, low); }
On 2016/09/12 20:41:57, danakj wrote:
> Think this should be part of the hash struct, rather than part of this class.

Done.

https://codereview.chromium.org/2333443002/diff/1/base/nonce.h#newcode41
base/nonce.h:41: return high == other.high ? low < other.low : high <
other.high;
On 2016/09/12 20:41:57, danakj wrote:
> use std::tie

Done.

https://codereview.chromium.org/2333443002/diff/1/base/nonce.h#newcode50
base/nonce.h:50: // Note: two uint64_t are used instead of uint8_t[16], in order
to have a
On 2016/09/12 20:41:57, danakj wrote:
> Two

Done.

https://codereview.chromium.org/2333443002/diff/1/base/nonce.h#newcode52
base/nonce.h:52: uint64_t high;
On 2016/09/12 20:47:47, Fady Samuel wrote:
> I'm a bit worried about exposing these because that invites the possibility of
> changing them in client code after creation.
> 
> Personally I think it might make more sense to make these private and only
> provide readonly accessors?
> 
> I'm not sure how we'd expose this to serialization code though. We could
either
> make serialization code a friend (layering violation) or continue to expose
> Nonce(uint64_t high, uint64_t low). WDYT?

I agree with you. I wasn't sure in which ways one could misuse this class, but
moving the Nonce(uint64_t, uint64_t) to private forces users to be very
deliberate about their usage of the class.

I have added a Deserialize() function that I know I will use when converting
back from JNI (where sending two longs is simpler than checking the size of byte
arrays). Otherwise, the class is a POD class (and I have added unit test that
checks that std::is_pod<Nonce>::value is true, thanks to the info found
here:http://stackoverflow.com/questions/4178175/what-are-aggregates-and-pods-and-how-why-are-they-special/7189821#7189821).
The UT makes sure it safe to simply memcpy the class for deserialization.

https://codereview.chromium.org/2333443002/diff/1/base/nonce.h#newcode59
base/nonce.h:59: // Specialize default hash for use in std::unordered_map.
On 2016/09/12 20:41:57, danakj wrote:
> You can provider a struct to do the hash if you like, but it should not be in
> std::. https://google.github.io/styleguide/cppguide.html#std_hash

Done. TY!

https://codereview.chromium.org/2333443002/diff/1/base/nonce_unittest.cc
File base/nonce_unittest.cc (right):

https://codereview.chromium.org/2333443002/diff/1/base/nonce_unittest.cc#newc...
base/nonce_unittest.cc:19: EXPECT_TRUE(nonce == nonce);
On 2016/09/12 20:41:57, danakj wrote:
> can you compare 2 different Nonces with the same internal values instead of
> comparing to *this

Done.

https://codereview.chromium.org/2333443002/diff/20001/base/nonce.h
File base/nonce.h (right):

https://codereview.chromium.org/2333443002/diff/20001/base/nonce.h#newcode50
base/nonce.h:50: return high_ == other.high_ && low_ == other.low_;
@security reviewers
Does this need to be changed to be constant time?
Ex:
uint64_t temp = high_ ^ other.high_;
temp |= low_ ^ other.low_;
return temp == 0;

(Similar to 
https://cs.chromium.org/chromium/src/crypto/secure_util.h?type=cs&q=secure+me...)

tguilbert

danakj PTAL @ base/* dcheng PTAL @ mojo/common/* jam PTAL @ ipc/* Addressed comments: - ...

4 years, 3 months ago (2016-09-12 23:53:35 UTC) #12

tguilbert

The CQ bit was checked by tguilbert@chromium.org to run a CQ dry run

4 years, 3 months ago (2016-09-12 23:53:51 UTC) #13

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2333443002/20001

4 years, 3 months ago (2016-09-12 23:54:13 UTC) #14

Fady Samuel

I love this change, making Nonce::Deserialize explicit! LGTM! Thanks!

4 years, 3 months ago (2016-09-12 23:58:06 UTC) #15

dcheng

Btw, should we pass by Nonce by value or by const ref? Seems small enough ...

4 years, 3 months ago (2016-09-13 01:33:29 UTC) #16

tguilbert

I also think that by value should be fine. Side question: Should the memory backing ...

4 years, 3 months ago (2016-09-13 01:50:12 UTC) #17

jam

jam@chromium.org changed reviewers: + tsepez@chromium.org - jam@chromium.org

4 years, 3 months ago (2016-09-13 17:43:45 UTC) #18

Fady Samuel

https://codereview.chromium.org/2333443002/diff/60001/mojo/common/common_custom_types.mojom File mojo/common/common_custom_types.mojom (right): https://codereview.chromium.org/2333443002/diff/60001/mojo/common/common_custom_types.mojom#newcode17 mojo/common/common_custom_types.mojom:17: struct Nonce; Sorry just noticed. Could we please make ...

4 years, 3 months ago (2016-09-13 17:45:00 UTC) #20

Tom Sepez

https://codereview.chromium.org/2333443002/diff/60001/base/nonce.h File base/nonce.h (right): https://codereview.chromium.org/2333443002/diff/60001/base/nonce.h#newcode34 base/nonce.h:34: // Creates a null Nonce. Actually, wouldn't this create ...

4 years, 3 months ago (2016-09-13 18:20:41 UTC) #21

tguilbert

Updated. PTAL! TY. https://codereview.chromium.org/2333443002/diff/60001/base/nonce.h File base/nonce.h (right): https://codereview.chromium.org/2333443002/diff/60001/base/nonce.h#newcode34 base/nonce.h:34: // Creates a null Nonce. On ...

4 years, 3 months ago (2016-09-13 20:20:19 UTC) #22

Avi (use Gerrit)

avi@chromium.org changed reviewers: + avi@chromium.org

4 years, 3 months ago (2016-09-13 20:28:37 UTC) #23

Avi (use Gerrit)

https://codereview.chromium.org/2333443002/diff/100001/base/nonce.cc File base/nonce.cc (right): https://codereview.chromium.org/2333443002/diff/100001/base/nonce.cc#newcode24 base/nonce.cc:24: base::RandBytes(&nonce, sizeof(nonce)); This potentially could scribble across padding. Along ...

4 years, 3 months ago (2016-09-13 20:28:38 UTC) #24

Fady Samuel

https://codereview.chromium.org/2333443002/diff/60001/mojo/common/common_custom_types.mojom File mojo/common/common_custom_types.mojom (right): https://codereview.chromium.org/2333443002/diff/60001/mojo/common/common_custom_types.mojom#newcode17 mojo/common/common_custom_types.mojom:17: struct Nonce; On 2016/09/13 20:20:19, ThomasGuilbert wrote: > On ...

4 years, 3 months ago (2016-09-13 20:28:44 UTC) #25

tguilbert

https://codereview.chromium.org/2333443002/diff/60001/mojo/common/common_custom_types.mojom File mojo/common/common_custom_types.mojom (right): https://codereview.chromium.org/2333443002/diff/60001/mojo/common/common_custom_types.mojom#newcode17 mojo/common/common_custom_types.mojom:17: struct Nonce; On 2016/09/13 20:28:44, Fady Samuel wrote: > ...

4 years, 3 months ago (2016-09-13 21:11:45 UTC) #26

tguilbert

The CQ bit was checked by tguilbert@chromium.org to run a CQ dry run

4 years, 3 months ago (2016-09-13 21:12:30 UTC) #27

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2333443002/120001

4 years, 3 months ago (2016-09-13 21:13:16 UTC) #28

Tom Sepez

LGTM otherwise. https://codereview.chromium.org/2333443002/diff/60001/base/nonce.h File base/nonce.h (right): https://codereview.chromium.org/2333443002/diff/60001/base/nonce.h#newcode34 base/nonce.h:34: // Creates a null Nonce. On 2016/09/13 ...

4 years, 3 months ago (2016-09-13 21:29:39 UTC) #29

Tom Sepez

(The reason I suggest this is that uninitialized values look very much like random values, ...

4 years, 3 months ago (2016-09-13 22:11:04 UTC) #30

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

4 years, 3 months ago (2016-09-13 22:40:15 UTC) #31

commit-bot: I haz the power

Dry run: This issue passed the CQ dry run.

4 years, 3 months ago (2016-09-13 22:40:16 UTC) #32

tguilbert

On 2016/09/13 22:11:04, Tom Sepez wrote: > (The reason I suggest this is that uninitialized ...

4 years, 3 months ago (2016-09-13 22:55:39 UTC) #33

danakj

On Mon, Sep 12, 2016 at 6:33 PM, <dcheng@chromium.org> wrote: > Btw, should we pass ...

4 years, 3 months ago (2016-09-13 23:06:15 UTC) #35

dcheng

Mostly just nits. https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h File base/nonce.h (right): https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h#newcode17 base/nonce.h:17: // An Nonce is a cryptographically ...

4 years, 3 months ago (2016-09-13 23:19:06 UTC) #37

Ken Rockot(use gerrit already)

rockot@chromium.org changed reviewers: + rockot@chromium.org

4 years, 3 months ago (2016-09-13 23:21:12 UTC) #38

Ken Rockot(use gerrit already)

A few drive-by comments. We also use random 128-bit tokens inside the Mojo system layer, ...

4 years, 3 months ago (2016-09-13 23:21:13 UTC) #39

DaleCurtis

https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h File base/nonce.h (right): https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h#newcode71 base/nonce.h:71: // If base::Nonce is no longer 128 bits, the ...

4 years, 3 months ago (2016-09-13 23:39:48 UTC) #40

tguilbert

On 2016/09/13 23:21:13, Ken Rockot wrote: > A few drive-by comments. > > We also ...

4 years, 3 months ago (2016-09-13 23:42:35 UTC) #41

sandersd (OOO until July 31)

sandersd@chromium.org changed reviewers: + sandersd@chromium.org

4 years, 3 months ago (2016-09-13 23:51:52 UTC) #42

sandersd (OOO until July 31)

https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h File base/nonce.h (right): https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h#newcode28 base/nonce.h:28: static Nonce Generate(); On 2016/09/13 23:21:13, Ken Rockot wrote: ...

4 years, 3 months ago (2016-09-13 23:51:53 UTC) #43

danakj

On Tue, Sep 13, 2016 at 4:42 PM, <tguilbert@chromium.org> wrote: > On 2016/09/13 23:21:13, Ken ...

4 years, 3 months ago (2016-09-13 23:52:52 UTC) #44

On Tue, Sep 13, 2016 at 4:42 PM, <tguilbert@chromium.org> wrote:

> On 2016/09/13 23:21:13, Ken Rockot wrote:
> > A few drive-by comments.
> >
> > We also use random 128-bit tokens inside the Mojo system layer, and we
> could
> > probably de-dupe some code by reusing this now.
> >
> > https://codereview.chromium.org/2333443002/diff/140001/base/nonce.cc
> > File base/nonce.cc (right):
> >
> > https://codereview.chromium.org/2333443002/diff/140001/
> base/nonce.cc#newcode21
> > base/nonce.cc:21: // Static
> > nit: lowercase
> >
> > https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h
> > File base/nonce.h (right):
> >
> > https://codereview.chromium.org/2333443002/diff/140001/
> base/nonce.h#newcode28
> > base/nonce.h:28: static Nonce Generate();
> > Why Generate? Why can't the default constructor just do what most
> consumers
> will
> > want it to do? We could add a special constructor for creating an empty
> Nonce
> > (e.g. over nullptr_t or something)?
> >
> > https://codereview.chromium.org/2333443002/diff/140001/
> base/nonce.h#newcode34
> > base/nonce.h:34: // Creates a 0 initiliazed Nonce.
> > nit: initialized (typo)
>
> My reasoning for Generate() was that it differentiates between intentional
> use
> and accidental use. This forces any future user of the class to be
> deliberate,
> and (hopefully) think about the way they are using the Nonce. Also, I
> wanted to
> avoid stray 'Nonce nonce;' from being used, and thought that the zeroed-out
> Nonce would alert the developer that they may have made a mistake.
>
> sandersd@ also mentioned to me offline that the Nonce() should be the
> generated
> Nonce, and I can see why that makes sense.
>
> Does anyone else want to weigh in on the matter?
>

It's not POD then anymore right? Does that matter?

-- 
You received this message because you are subscribed to the Google Groups
"Chromium-reviews" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to chromium-reviews+unsubscribe@chromium.org.

tguilbert

On 2016/09/13 23:51:53, sandersd wrote: > https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h > File base/nonce.h (right): > > https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h#newcode28 > ...

4 years, 3 months ago (2016-09-14 00:00:43 UTC) #45

tguilbert

On 2016/09/13 23:52:52, danakj wrote: > On Tue, Sep 13, 2016 at 4:42 PM, <mailto:tguilbert@chromium.org> ...

4 years, 3 months ago (2016-09-14 00:03:27 UTC) #46

On 2016/09/13 23:52:52, danakj wrote:
> On Tue, Sep 13, 2016 at 4:42 PM, <mailto:tguilbert@chromium.org> wrote:
> 
> > On 2016/09/13 23:21:13, Ken Rockot wrote:
> > > A few drive-by comments.
> > >
> > > We also use random 128-bit tokens inside the Mojo system layer, and we
> > could
> > > probably de-dupe some code by reusing this now.
> > >
> > > https://codereview.chromium.org/2333443002/diff/140001/base/nonce.cc
> > > File base/nonce.cc (right):
> > >
> > > https://codereview.chromium.org/2333443002/diff/140001/
> > base/nonce.cc#newcode21
> > > base/nonce.cc:21: // Static
> > > nit: lowercase
> > >
> > > https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h
> > > File base/nonce.h (right):
> > >
> > > https://codereview.chromium.org/2333443002/diff/140001/
> > base/nonce.h#newcode28
> > > base/nonce.h:28: static Nonce Generate();
> > > Why Generate? Why can't the default constructor just do what most
> > consumers
> > will
> > > want it to do? We could add a special constructor for creating an empty
> > Nonce
> > > (e.g. over nullptr_t or something)?
> > >
> > > https://codereview.chromium.org/2333443002/diff/140001/
> > base/nonce.h#newcode34
> > > base/nonce.h:34: // Creates a 0 initiliazed Nonce.
> > > nit: initialized (typo)
> >
> > My reasoning for Generate() was that it differentiates between intentional
> > use
> > and accidental use. This forces any future user of the class to be
> > deliberate,
> > and (hopefully) think about the way they are using the Nonce. Also, I
> > wanted to
> > avoid stray 'Nonce nonce;' from being used, and thought that the zeroed-out
> > Nonce would alert the developer that they may have made a mistake.
> >
> > sandersd@ also mentioned to me offline that the Nonce() should be the
> > generated
> > Nonce, and I can see why that makes sense.
> >
> > Does anyone else want to weigh in on the matter?
> >
> 
> It's not POD then anymore right? Does that matter?
> 
> -- 
> You received this message because you are subscribed to the Google Groups
> "Chromium-reviews" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email
> to mailto:chromium-reviews+unsubscribe@chromium.org.

It is no longer POD from a standards point of view, but I don't think it matters
anymore. It was important when I was memcpy-ing the bytes directly rather than
going through the Deserialize(uint64_t, uint64_t).

danakj

On Tue, Sep 13, 2016 at 5:00 PM, <tguilbert@chromium.org> wrote: > On 2016/09/13 23:51:53, sandersd ...

4 years, 3 months ago (2016-09-14 00:05:48 UTC) #47

tguilbert

On 2016/09/14 00:05:48, danakj wrote: > On Tue, Sep 13, 2016 at 5:00 PM, <mailto:tguilbert@chromium.org> ...

4 years, 3 months ago (2016-09-14 00:57:08 UTC) #48

On 2016/09/14 00:05:48, danakj wrote:
> On Tue, Sep 13, 2016 at 5:00 PM, <mailto:tguilbert@chromium.org> wrote:
> 
> > On 2016/09/13 23:51:53, sandersd wrote:
> > > https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h
> > > File base/nonce.h (right):
> > >
> > > https://codereview.chromium.org/2333443002/diff/140001/
> > base/nonce.h#newcode28
> > > base/nonce.h:28: static Nonce Generate();
> > > On 2016/09/13 23:21:13, Ken Rockot wrote:
> > > > Why Generate? Why can't the default constructor just do what most
> > consumers
> > > will
> > > > want it to do? We could add a special constructor for creating an empty
> > Nonce
> > > > (e.g. over nullptr_t or something)?
> > >
> > > I do like the clarity of explicitly calling Generate(). A different
> > option
> > would
> > > be to make the constructor protected. Both solutions are fine by me.
> >
> > When making the constructor protected, I encountered some problems with
> > some
> > Mojo generated code.
> >
> > Come to think of it, there might be some Mojo related technical reasons as
> > to
> > why we would want the default to be 0 initialized (although I didn't look
> > too
> > deeply into any workarounds/implications of the NonceDataView).
> >
> 
> I think I prefer a default public constructor which sets to 0. Having
> uninitialized states is useful, the alternative would force people to put
> it into a base::Optional or std::unique_ptr instead.
> 
> 
> >
> > https://codereview.chromium.org/2333443002/
> >
> 
> -- 
> You received this message because you are subscribed to the Google Groups
> "Chromium-reviews" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email
> to mailto:chromium-reviews+unsubscribe@chromium.org.

After talking with sandersd@ offline, he brought up the very valid point that,
if the default constructor sets everything as 0, and we use Nonces as security
primitives, it allows a developer to accidentally used the zero-ed Nonce
everywhere.
Another way of saying this is that
Nonce() -> random-bits and explicit Nonce::Empty()  : misuse is annoying to
debug.
Nonce() -> zeros-out and explicit Nonce::Generate() : misuse is a security hole.

Which means that I will change the Nonce() to generate random data, and add an
explicit Nonce::Empty();

There is somewhat of a problem with StructTraits and the random Nonce().
StructTraits generates a NonceDataView which uses the default constructor to
create a local variable, and then passes that value by reference to the read
function. This means that, anytime a StructTrait is used, the NonceDataView
would create a Nonce() with new random data, and then overwrite that data.

I will start a thread with the Mojo team and ask if there is a way to avoid
using the default constructor in generated code.

In the meantime, in order not to not have StructTraits generate random bits
every time a Nonce is sent over mojo, I will write a TypeConverter instead, but
I might not have time by EOD.

dcheng

On 2016/09/14 00:57:08, ThomasGuilbert wrote: > On 2016/09/14 00:05:48, danakj wrote: > > On Tue, ...

4 years, 3 months ago (2016-09-14 01:01:25 UTC) #49

On 2016/09/14 00:57:08, ThomasGuilbert wrote:
> On 2016/09/14 00:05:48, danakj wrote:
> > On Tue, Sep 13, 2016 at 5:00 PM, <mailto:tguilbert@chromium.org> wrote:
> > 
> > > On 2016/09/13 23:51:53, sandersd wrote:
> > > > https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h
> > > > File base/nonce.h (right):
> > > >
> > > > https://codereview.chromium.org/2333443002/diff/140001/
> > > base/nonce.h#newcode28
> > > > base/nonce.h:28: static Nonce Generate();
> > > > On 2016/09/13 23:21:13, Ken Rockot wrote:
> > > > > Why Generate? Why can't the default constructor just do what most
> > > consumers
> > > > will
> > > > > want it to do? We could add a special constructor for creating an
empty
> > > Nonce
> > > > > (e.g. over nullptr_t or something)?
> > > >
> > > > I do like the clarity of explicitly calling Generate(). A different
> > > option
> > > would
> > > > be to make the constructor protected. Both solutions are fine by me.
> > >
> > > When making the constructor protected, I encountered some problems with
> > > some
> > > Mojo generated code.
> > >
> > > Come to think of it, there might be some Mojo related technical reasons as
> > > to
> > > why we would want the default to be 0 initialized (although I didn't look
> > > too
> > > deeply into any workarounds/implications of the NonceDataView).
> > >
> > 
> > I think I prefer a default public constructor which sets to 0. Having
> > uninitialized states is useful, the alternative would force people to put
> > it into a base::Optional or std::unique_ptr instead.
> > 
> > 
> > >
> > > https://codereview.chromium.org/2333443002/
> > >
> > 
> > -- 
> > You received this message because you are subscribed to the Google Groups
> > "Chromium-reviews" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> email
> > to mailto:chromium-reviews+unsubscribe@chromium.org.
> 
> After talking with sandersd@ offline, he brought up the very valid point that,
> if the default constructor sets everything as 0, and we use Nonces as security
> primitives, it allows a developer to accidentally used the zero-ed Nonce
> everywhere.
> Another way of saying this is that
> Nonce() -> random-bits and explicit Nonce::Empty()  : misuse is annoying to
> debug.
> Nonce() -> zeros-out and explicit Nonce::Generate() : misuse is a security
hole.
> 
> Which means that I will change the Nonce() to generate random data, and add an
> explicit Nonce::Empty();
> 
> 
> There is somewhat of a problem with StructTraits and the random Nonce().
> StructTraits generates a NonceDataView which uses the default constructor to
> create a local variable, and then passes that value by reference to the read
> function. This means that, anytime a StructTrait is used, the NonceDataView
> would create a Nonce() with new random data, and then overwrite that data.
> 
> I will start a thread with the Mojo team and ask if there is a way to avoid
> using the default constructor in generated code.
> 
> In the meantime, in order not to not have StructTraits generate random bits
> every time a Nonce is sent over mojo, I will write a TypeConverter instead,
but
> I might not have time by EOD.

TypeConverter is deprecated and something we're actively (or at least, we should
be =P) trying to remove.

danakj

On Tue, Sep 13, 2016 at 5:57 PM, <tguilbert@chromium.org> wrote: > On 2016/09/14 00:05:48, danakj ...

4 years, 3 months ago (2016-09-14 01:08:28 UTC) #50

On Tue, Sep 13, 2016 at 5:57 PM, <tguilbert@chromium.org> wrote:

> On 2016/09/14 00:05:48, danakj wrote:
>
> > On Tue, Sep 13, 2016 at 5:00 PM, <mailto:tguilbert@chromium.org> wrote:
> >
> > > On 2016/09/13 23:51:53, sandersd wrote:
> > > > https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h
> > > > File base/nonce.h (right):
> > > >
> > > > https://codereview.chromium.org/2333443002/diff/140001/
> > > base/nonce.h#newcode28
> > > > base/nonce.h:28: static Nonce Generate();
> > > > On 2016/09/13 23:21:13, Ken Rockot wrote:
> > > > > Why Generate? Why can't the default constructor just do what most
> > > consumers
> > > > will
> > > > > want it to do? We could add a special constructor for creating an
> empty
> > > Nonce
> > > > > (e.g. over nullptr_t or something)?
> > > >
> > > > I do like the clarity of explicitly calling Generate(). A different
> > > option
> > > would
> > > > be to make the constructor protected. Both solutions are fine by me.
> > >
> > > When making the constructor protected, I encountered some problems with
> > > some
> > > Mojo generated code.
> > >
> > > Come to think of it, there might be some Mojo related technical
> reasons as
> > > to
> > > why we would want the default to be 0 initialized (although I didn't
> look
> > > too
> > > deeply into any workarounds/implications of the NonceDataView).
> > >
> >
> > I think I prefer a default public constructor which sets to 0. Having
> > uninitialized states is useful, the alternative would force people to put
> > it into a base::Optional or std::unique_ptr instead.
> >
> >
> > >
> > > https://codereview.chromium.org/2333443002/
> > >
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Chromium-reviews" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> email
> > to mailto:chromium-reviews+unsubscribe@chromium.org.
>
> After talking with sandersd@ offline, he brought up the very valid point
> that,
> if the default constructor sets everything as 0, and we use Nonces as
> security
> primitives, it allows a developer to accidentally used the zero-ed Nonce
> everywhere.
>

Can we just DCHECK that the nonce is not empty when sending it over IPC?


> Another way of saying this is that
> Nonce() -> random-bits and explicit Nonce::Empty() : misuse is annoying to
> debug.
> Nonce() -> zeros-out and explicit Nonce::Generate() : misuse is a security
> hole.
>
> Which means that I will change the Nonce() to generate random data, and
> add an
> explicit Nonce::Empty();
>
>
> There is somewhat of a problem with StructTraits and the random Nonce().
> StructTraits generates a NonceDataView which uses the default constructor
> to
> create a local variable, and then passes that value by reference to the
> read
> function. This means that, anytime a StructTrait is used, the NonceDataView
> would create a Nonce() with new random data, and then overwrite that data.
>
> I will start a thread with the Mojo team and ask if there is a way to avoid
> using the default constructor in generated code.
>
> In the meantime, in order not to not have StructTraits generate random bits
> every time a Nonce is sent over mojo, I will write a TypeConverter
> instead, but
> I might not have time by EOD.
>
> https://codereview.chromium.org/2333443002/
>

-- 
You received this message because you are subscribed to the Google Groups
"Chromium-reviews" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to chromium-reviews+unsubscribe@chromium.org.

tguilbert

@dcheng Oops, yep, no TypeConverter :P CHECKs/DCHECKS seem like the way to go :) I ...

4 years, 3 months ago (2016-09-14 22:40:48 UTC) #51

@dcheng Oops, yep, no TypeConverter :P

CHECKs/DCHECKS seem like the way to go :)

I have added a CHECK to:
- ParamTraits<base::Nonce>::Write()
- Nonce::Deserialize()
- NonceHash::operator()

And a DCHECK to Nonce::high()/Nonce::low() (although I am less sure about the
usefulness of these two)

I do realize that the CHECK in Deserialize will be hit right before
ParamTraits<>::Read() or StructTraits<>::Read() would return false. I however
like the idea of having the DCHECK in Deserialize, to cover the deserialization
on Android, after the high/low bits have been send through AIDL.

Does anybody have another suggested way of adding CHECKs? I.e. not having the
CHECK in deserialize and instead letting IPC/Mojo handle the invalid empty
nonce?

I also updated the == operator to use the same logic that is in SecureMemEqual.

Thanks!
Thomas

https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h
File base/nonce.h (right):

https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h#newcode17
base/nonce.h:17: // An Nonce is a cryptographically strong, randomly generated,
unguessable 128
On 2016/09/13 23:19:05, dcheng wrote:
> A Nonce is an unguessable 128-bit token generated from a cryptographically
> strong random source. Nonce should be used when <insert scenarios here>.

Done. However, I don't know what all useful scenarios for Nonces are. I know
they can be used in some authentication schemes, but I think adding further uses
might be out of scope for the comments of this header file.

https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h#newcode20
base/nonce.h:20: // TO CREATE NEW NONCES, ONLY USE GENERATE()!
On 2016/09/13 23:19:05, dcheng wrote:
> Suggested wording:
> 
> Use Generate() for creating new unguessable nonces. Deserialize() is a helper
> intended only for implementing IPC deserialization.
> 
> (I think we don't need to repeat the bit about cryptographically strong
random,
> since it's such a long phrase =)

TY for the better wording! Done.

https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h#newcode26
base/nonce.h:26: // Generates a unique, strongly random, unguessable nonce.
On 2016/09/13 23:19:05, dcheng wrote:
> Ditto: "Create an unguessable and unique nonce."

Done.

https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h#newcode28
base/nonce.h:28: static Nonce Generate();
On 2016/09/13 23:51:53, sandersd wrote:
> On 2016/09/13 23:21:13, Ken Rockot wrote:
> > Why Generate? Why can't the default constructor just do what most consumers
> will
> > want it to do? We could add a special constructor for creating an empty
Nonce
> > (e.g. over nullptr_t or something)?
> 
> I do like the clarity of explicitly calling Generate(). A different option
would
> be to make the constructor protected. Both solutions are fine by me.

As per the discussions floating around, I have maintained the Generate()
function (in order to not generate random bits when simply reserving memory on
the stack, if it's about to be overwritten immediately after, like in some Mojo
generated code).

I have added DCHECKs and CHECKs in various places to palliate the security
missuses that would come from forgetting to Generate() Nonce.

More on this in the main discussion.

https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h#newcode34
base/nonce.h:34: // Creates a 0 initiliazed Nonce.
On 2016/09/13 23:19:05, dcheng wrote:
> Nit: Create a zero-initialized Nonce (so it doesn't look like an O)

Done.

https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h#newcode71
base/nonce.h:71: // If base::Nonce is no longer 128 bits, the IPC serialization
logic and Mojo
On 2016/09/13 23:39:48, DaleCurtis wrote:
> Drive-by: Worth moving to C++ file to avoid all includes from running
> static_assert? I.e. in c++ it'll only run once, versus once for each include.

Done.

https://codereview.chromium.org/2333443002/diff/140001/mojo/common/common_cus...
File mojo/common/common_custom_types.typemap (right):

https://codereview.chromium.org/2333443002/diff/140001/mojo/common/common_cus...
mojo/common/common_custom_types.typemap:29:
"mojo.common.mojom.Nonce=base::Nonce",
On 2016/09/13 23:19:06, dcheng wrote:
> If we expect people to pass Nonce by value (and it sounds like we do?), then
> this should be annotated with [copyable_pass_by_value]

From danakj@'s comment earlier in the thread, I think the preferred way is via
const ref.

https://codereview.chromium.org/2333443002/diff/140001/mojo/common/common_cus...
File mojo/common/common_custom_types_struct_traits.h (right):

https://codereview.chromium.org/2333443002/diff/140001/mojo/common/common_cus...
mojo/common/common_custom_types_struct_traits.h:31: static void
SetToNull(base::Nonce* out) { *out = base::Nonce(); }
On 2016/09/13 23:19:06, dcheng wrote:
> Do we actually need to support nullability? I'd suggest only adding this when
> there's a clear need.

Done.

danakj

On Wed, Sep 14, 2016 at 3:40 PM, <tguilbert@chromium.org> wrote: > @dcheng Oops, yep, no ...

4 years, 3 months ago (2016-09-14 23:00:29 UTC) #52

On Wed, Sep 14, 2016 at 3:40 PM, <tguilbert@chromium.org> wrote:

> @dcheng Oops, yep, no TypeConverter :P
>
> CHECKs/DCHECKS seem like the way to go :)
>

Thanks!


>
> I have added a CHECK to:
> - ParamTraits<base::Nonce>::Write()
>
- Nonce::Deserialize()
> - NonceHash::operator()
>

Why CHECK and not DCHECK? Use CHECK to track down a bug, or prevent a
security problem. I don't see either here.


>
> And a DCHECK to Nonce::high()/Nonce::low() (although I am less sure about
> the
> usefulness of these two)
>

Ya I don't think these are needed, feels overly paranoid. They may get in
the way of tests also.


>
> I do realize that the CHECK in Deserialize will be hit right before
> ParamTraits<>::Read() or StructTraits<>::Read() would return false. I
> however
> like the idea of having the DCHECK in Deserialize, to cover the
> deserialization
> on Android, after the high/low bits have been send through AIDL.
>
> Does anybody have another suggested way of adding CHECKs? I.e. not having
> the
> CHECK in deserialize and instead letting IPC/Mojo handle the invalid empty
> nonce?
>

Return false seems like enough? We don't want a compromised renderer to
crash the browser, we want the message to be rejected so we kill the
renderer.


>
> I also updated the == operator to use the same logic that is in
> SecureMemEqual.
>
> Thanks!
> Thomas
>
>
> https://codereview.chromium.org/2333443002/diff/140001/base/nonce.h
> File base/nonce.h (right):
>
> https://codereview.chromium.org/2333443002/diff/140001/
> base/nonce.h#newcode17
> base/nonce.h:17: // An Nonce is a cryptographically strong, randomly
> generated, unguessable 128
> On 2016/09/13 23:19:05, dcheng wrote:
> > A Nonce is an unguessable 128-bit token generated from a
> cryptographically
> > strong random source. Nonce should be used when <insert scenarios
> here>.
>
> Done. However, I don't know what all useful scenarios for Nonces are. I
> know they can be used in some authentication schemes, but I think adding
> further uses might be out of scope for the comments of this header file.
>
> https://codereview.chromium.org/2333443002/diff/140001/
> base/nonce.h#newcode20
> base/nonce.h:20: // TO CREATE NEW NONCES, ONLY USE GENERATE()!
> On 2016/09/13 23:19:05, dcheng wrote:
> > Suggested wording:
> >
> > Use Generate() for creating new unguessable nonces. Deserialize() is a
> helper
> > intended only for implementing IPC deserialization.
> >
> > (I think we don't need to repeat the bit about cryptographically
> strong random,
> > since it's such a long phrase =)
>
> TY for the better wording! Done.
>
> https://codereview.chromium.org/2333443002/diff/140001/
> base/nonce.h#newcode26
> base/nonce.h:26: // Generates a unique, strongly random, unguessable
> nonce.
> On 2016/09/13 23:19:05, dcheng wrote:
> > Ditto: "Create an unguessable and unique nonce."
>
> Done.
>
> https://codereview.chromium.org/2333443002/diff/140001/
> base/nonce.h#newcode28
> base/nonce.h:28: static Nonce Generate();
> On 2016/09/13 23:51:53, sandersd wrote:
> > On 2016/09/13 23:21:13, Ken Rockot wrote:
> > > Why Generate? Why can't the default constructor just do what most
> consumers
> > will
> > > want it to do? We could add a special constructor for creating an
> empty Nonce
> > > (e.g. over nullptr_t or something)?
> >
> > I do like the clarity of explicitly calling Generate(). A different
> option would
> > be to make the constructor protected. Both solutions are fine by me.
>
> As per the discussions floating around, I have maintained the Generate()
> function (in order to not generate random bits when simply reserving
> memory on the stack, if it's about to be overwritten immediately after,
> like in some Mojo generated code).
>
> I have added DCHECKs and CHECKs in various places to palliate the
> security missuses that would come from forgetting to Generate() Nonce.
>
> More on this in the main discussion.
>
> https://codereview.chromium.org/2333443002/diff/140001/
> base/nonce.h#newcode34
> base/nonce.h:34: // Creates a 0 initiliazed Nonce.
> On 2016/09/13 23:19:05, dcheng wrote:
> > Nit: Create a zero-initialized Nonce (so it doesn't look like an O)
>
> Done.
>
> https://codereview.chromium.org/2333443002/diff/140001/
> base/nonce.h#newcode71
> base/nonce.h:71: // If base::Nonce is no longer 128 bits, the IPC
> serialization logic and Mojo
> On 2016/09/13 23:39:48, DaleCurtis wrote:
> > Drive-by: Worth moving to C++ file to avoid all includes from running
> > static_assert? I.e. in c++ it'll only run once, versus once for each
> include.
>
> Done.
>
> https://codereview.chromium.org/2333443002/diff/140001/
> mojo/common/common_custom_types.typemap
> File mojo/common/common_custom_types.typemap (right):
>
> https://codereview.chromium.org/2333443002/diff/140001/
> mojo/common/common_custom_types.typemap#newcode29
> mojo/common/common_custom_types.typemap:29:
> "mojo.common.mojom.Nonce=base::Nonce",
> On 2016/09/13 23:19:06, dcheng wrote:
> > If we expect people to pass Nonce by value (and it sounds like we
> do?), then
> > this should be annotated with [copyable_pass_by_value]
>
> From danakj@'s comment earlier in the thread, I think the preferred way
> is via const ref.
>
> https://codereview.chromium.org/2333443002/diff/140001/
> mojo/common/common_custom_types_struct_traits.h
> File mojo/common/common_custom_types_struct_traits.h (right):
>
> https://codereview.chromium.org/2333443002/diff/140001/
> mojo/common/common_custom_types_struct_traits.h#newcode31
> mojo/common/common_custom_types_struct_traits.h:31: static void
> SetToNull(base::Nonce* out) { *out = base::Nonce(); }
> On 2016/09/13 23:19:06, dcheng wrote:
> > Do we actually need to support nullability? I'd suggest only adding
> this when
> > there's a clear need.
>
> Done.
>
> https://codereview.chromium.org/2333443002/
>

-- 
You received this message because you are subscribed to the Google Groups
"Chromium-reviews" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to chromium-reviews+unsubscribe@chromium.org.

sandersd (OOO until July 31)

> And a DCHECK to Nonce::high()/Nonce::low() (although I am less sure about the > usefulness ...

4 years, 3 months ago (2016-09-14 23:02:05 UTC) #53

danakj

On Wed, Sep 14, 2016 at 4:02 PM, <sandersd@chromium.org> wrote: > > And a DCHECK ...

4 years, 3 months ago (2016-09-14 23:11:23 UTC) #54

On Wed, Sep 14, 2016 at 4:02 PM, <sandersd@chromium.org> wrote:

> > And a DCHECK to Nonce::high()/Nonce::low() (although I am less sure
> about the
> > usefulness of these two)
>
> I'd actually like to advocate removing these methods, in favor of either
> friend
> classes or a Serialize() method with out parameters. Just to make it clear
> that
> accessing these internals should not be taken lightly. Whatever you
> choose, they
> should have checks, as should the comparison operators.
>
> In the same vein, I don't think is_empty() should be exposed. At the very
> least
> it should be renamed to is_initialized(), but if that feature exists I
> would
> also expect operator bool() to be implemented.
>

What happens when you write a test with a SurfaceId which is composed of
some things with a Nonce, and you want to test that first some SurfaceId is
not initialized, then you do some steps, and you see the SurfaceId be
populated with a value from the renderer? Being able to see that a Nonce
has not been set seems extremely relevant for tests, or we'll have to
litter the code with bool has_set_nonce_ which isn't particularly useful?

I'm not a security engineer so maybe I'm being super naive, but I feel like
uses of the class (ie Serialization/Deserialization) should be made secure
but being overly paranoid inside the type itself feels wrong.


>
> ToString() should have a special case for printing uninitialized Nonces,
> but I
> don't think it should CHECK(), since I imagine that the main use of
> ToString()
> will in fact be CHECK()-style messages.
>
> > I do realize that the CHECK in Deserialize will be hit right before
> > ParamTraits<>::Read() or StructTraits<>::Read() would return false. I
> however
> > like the idea of having the DCHECK in Deserialize, to cover the
> deserialization
> > on Android, after the high/low bits have been send through AIDL.
> >
> > Does anybody have another suggested way of adding CHECKs? I.e. not
> having the
> > CHECK in deserialize and instead letting IPC/Mojo handle the invalid
> empty
> > nonce?
>
> I would recommend having the check in both places for now. Then the Mojo
> code
> will be correct and other theoretical Nonce clients at least won't be able
> to
> get it wrong.
>
> https://codereview.chromium.org/2333443002/
>

-- 
You received this message because you are subscribed to the Google Groups
"Chromium-reviews" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to chromium-reviews+unsubscribe@chromium.org.

sandersd (OOO until July 31)

> What happens when you write a test with a SurfaceId which is composed of ...

4 years, 3 months ago (2016-09-14 23:30:09 UTC) #55

danakj

On Wed, Sep 14, 2016 at 4:30 PM, <sandersd@chromium.org> wrote: > > What happens when ...

4 years, 3 months ago (2016-09-14 23:59:45 UTC) #56

On Wed, Sep 14, 2016 at 4:30 PM, <sandersd@chromium.org> wrote:

> > What happens when you write a test with a SurfaceId which is composed of
> > some things with a Nonce, and you want to test that first some SurfaceId
> is
> > not initialized, then you do some steps, and you see the SurfaceId be
> > populated with a value from the renderer? Being able to see that a Nonce
> > has not been set seems extremely relevant for tests, or we'll have to
> > litter the code with bool has_set_nonce_ which isn't particularly useful?
> >
> > I'm not a security engineer so maybe I'm being super naive, but I feel
> like
> > uses of the class (ie Serialization/Deserialization) should be made
> secure
> > but being overly paranoid inside the type itself feels wrong.
>
> It is true that I may be overly paranoid. That said, for this specific
> case, I
> would advocate base::Optional<base::Nonce>. Given that that exists and
> quite
> clear in meaning, I would not want base::Nonce itself to gain similar
> features.
>

I guess my thought is that Nonce is not going to always (often?) be used on
its own, it is part of some id like SurfaceId. In these cases, we (chromium
in general? c++ developers?) like to make objects that are
default-initialized to empty, so I feel like a majority of uses of Nonce
will end up being wrapped in Optional (including inside of types that we
serialize like SurfaceId). So then the serializer will have to check that
the Nonce exists, instead of checking that it is null. So we gain little
there.

There are other cases like gpu::Mailbox where the Nonce kinda lives on its
own, but it's still a member of gpu::Mailbox, which we for sure create as
empty sometimes, example:
https://cs.chromium.org/chromium/src/cc/resources/texture_mailbox.h?rcl=0&l=42
. So we'd have to use Optional again which means IPCing a mailbox needs to
check if the Nonce exists again.. idk, I just feel like we're going to make
more work for ourselves by ending up with Optional around every Nonce.

>
> https://codereview.chromium.org/2333443002/
>

-- 
You received this message because you are subscribed to the Google Groups
"Chromium-reviews" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to chromium-reviews+unsubscribe@chromium.org.

Ken Rockot(use gerrit already)

On Sep 14, 2016 4:51 PM, <danakj@chromium.org> wrote: > > On Wed, Sep 14, 2016 ...

4 years, 3 months ago (2016-09-15 00:03:46 UTC) #57

On Sep 14, 2016 4:51 PM, <danakj@chromium.org> wrote:
>
> On Wed, Sep 14, 2016 at 4:30 PM, <sandersd@chromium.org> wrote:
>>
>> > What happens when you write a test with a SurfaceId which is composed
of
>> > some things with a Nonce, and you want to test that first some
SurfaceId is
>> > not initialized, then you do some steps, and you see the SurfaceId be
>> > populated with a value from the renderer? Being able to see that a
Nonce
>> > has not been set seems extremely relevant for tests, or we'll have to
>> > litter the code with bool has_set_nonce_ which isn't particularly
useful?
>> >
>> > I'm not a security engineer so maybe I'm being super naive, but I feel
like
>> > uses of the class (ie Serialization/Deserialization) should be made
secure
>> > but being overly paranoid inside the type itself feels wrong.
>>
>> It is true that I may be overly paranoid. That said, for this specific
case, I
>> would advocate base::Optional<base::Nonce>. Given that that exists and
quite
>> clear in meaning, I would not want base::Nonce itself to gain similar
features.
>
>
> I guess my thought is that Nonce is not going to always (often?) be used
on its own, it is part of some id like SurfaceId. In these cases, we
(chromium in general? c++ developers?) like to make objects that are
default-initialized to empty, so I feel like a majority of uses of Nonce
will end up being wrapped in Optional (including inside of types that we
serialize like SurfaceId). So then the serializer will have to check that
the Nonce exists, instead of checking that it is null. So we gain little
there.
>
> There are other cases like gpu::Mailbox where the Nonce kinda lives on
its own, but it's still a member of gpu::Mailbox, which we for sure create
as empty sometimes, example:
https://cs.chromium.org/chromium/src/cc/resources/texture_mailbox.h?rcl=0&l=42
. So we'd have to use Optional again which means IPCing a mailbox needs to
check if the Nonce exists again.. idk, I just feel like we're going to make
more work for ourselves by ending up with Optional around every Nonce.
>
>>
>>
>> https://codereview.chromium.org/2333443002/
>
>

FWIW, I agree with danakj here. Nonce shouldn't try to stop people from
using an empty value.

-- 
You received this message because you are subscribed to the Google Groups
"Chromium-reviews" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to chromium-reviews+unsubscribe@chromium.org.

Tom Sepez

Ok, sounds like it's more trouble than its worth. Still LGTM.

4 years, 3 months ago (2016-09-15 16:55:08 UTC) #58

danakj

https://codereview.chromium.org/2333443002/diff/160001/base/nonce.cc File base/nonce.cc (right): https://codereview.chromium.org/2333443002/diff/160001/base/nonce.cc#newcode40 base/nonce.cc:40: CHECK((high | low)); DCHECK? https://codereview.chromium.org/2333443002/diff/160001/base/nonce.h File base/nonce.h (right): https://codereview.chromium.org/2333443002/diff/160001/base/nonce.h#newcode43 ...

4 years, 3 months ago (2016-09-15 18:06:37 UTC) #59

watk

https://codereview.chromium.org/2333443002/diff/160001/base/nonce.cc File base/nonce.cc (right): https://codereview.chromium.org/2333443002/diff/160001/base/nonce.cc#newcode38 base/nonce.cc:38: // Sending an empty nonce accross processes likely means ...

4 years, 3 months ago (2016-09-15 18:46:10 UTC) #61

sandersd (OOO until July 31)

https://codereview.chromium.org/2333443002/diff/160001/base/nonce.h File base/nonce.h (right): https://codereview.chromium.org/2333443002/diff/160001/base/nonce.h#newcode59 base/nonce.h:59: // Constant time comparison check. On 2016/09/15 18:06:37, danakj ...

4 years, 3 months ago (2016-09-15 18:52:26 UTC) #62

Tom Sepez

https://codereview.chromium.org/2333443002/diff/160001/base/nonce.h File base/nonce.h (right): https://codereview.chromium.org/2333443002/diff/160001/base/nonce.h#newcode59 base/nonce.h:59: // Constant time comparison check. On 2016/09/15 18:06:37, danakj ...

4 years, 3 months ago (2016-09-15 19:43:36 UTC) #63

danakj

On Thu, Sep 15, 2016 at 12:43 PM, <tsepez@chromium.org> wrote: > > https://codereview.chromium.org/2333443002/diff/160001/base/nonce.h > File ...

4 years, 3 months ago (2016-09-15 21:09:32 UTC) #64

tguilbert

The CQ bit was checked by tguilbert@chromium.org to run a CQ dry run

4 years, 3 months ago (2016-09-15 21:11:45 UTC) #65

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2333443002/180001

4 years, 3 months ago (2016-09-15 21:12:39 UTC) #66

dcheng

On 2016/09/15 21:09:32, danakj wrote: > On Thu, Sep 15, 2016 at 12:43 PM, <mailto:tsepez@chromium.org> ...

4 years, 3 months ago (2016-09-15 21:14:57 UTC) #67

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

4 years, 3 months ago (2016-09-15 21:17:28 UTC) #68

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: android_arm64_dbg_recipe on master.tryserver.chromium.android (JOB_FAILED, https://build.chromium.org/p/tryserver.chromium.android/builders/android_arm64_dbg_recipe/builds/129589) android_clang_dbg_recipe on ...

4 years, 3 months ago (2016-09-15 21:17:30 UTC) #69

tguilbert

On 2016/09/15 21:14:57, dcheng wrote: > On 2016/09/15 21:09:32, danakj wrote: > > On Thu, ...

4 years, 3 months ago (2016-09-15 21:59:11 UTC) #70

tguilbert

The CQ bit was checked by tguilbert@chromium.org to run a CQ dry run

4 years, 3 months ago (2016-09-15 22:03:51 UTC) #71

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2333443002/200001

4 years, 3 months ago (2016-09-15 22:04:24 UTC) #72

tguilbert

After some thought, I have renamed base::Nonce to base::NonceToken. I think this clears some of ...

4 years, 3 months ago (2016-09-15 22:57:40 UTC) #73

After some thought, I have renamed base::Nonce to base::NonceToken.

I think this clears some of the issues that come with the intrinsic meaning
behind a "Nonce". From what I understand, a cryptographic nonce should
"uncompromisingly never ever" be equal to 0. Providing a "base::Nonce", which
could also technically be used in authentication scenarios, means that we have
to guarantee that it cannot be misused.

Writing a "NonceToken" instead allows us to be more flexible with its meaning an
its usage. The only use we have for base::NonceToken right now is make certain
IDs unguessable. It makes it clearer that the class is a use of nonce, and not a
nonce in and of itself.

This means that is is OK to have an empty NonceToken, and to compare and assign
them.

This also however means that, since NonceToken is supposed to identify some
sensitive unguessable resource, it is never OK to send an empty NonceToken
accross processes. There are therefore CHECKs in both the serialization and the
deserialization code.

In the case where a NonceToken may be empty and needs to be sent across
processes, using base::Optional will make it explicitly clear that the "null"
scenario is acceptable and should be separately handled.

Thoughts?

Thanks,
Thomas

https://codereview.chromium.org/2333443002/diff/160001/base/nonce.cc
File base/nonce.cc (right):

https://codereview.chromium.org/2333443002/diff/160001/base/nonce.cc#newcode38
base/nonce.cc:38: // Sending an empty nonce accross processes likely means that
On 2016/09/15 18:46:10, watk wrote:
> across

Done.

https://codereview.chromium.org/2333443002/diff/160001/base/nonce.cc#newcode40
base/nonce.cc:40: CHECK((high | low));
On 2016/09/15 18:06:36, danakj wrote:
> DCHECK?

I think this CHECK is important. There is no case where deserializing a zeroed
out NonceToken is a valid scenario. The IPC ParamTraits and Mojo StructTraits
are now checking to see if high/low are both 0, and return false instead of
calling Deserialize, which means we shouldn't run into this CHECK.

If someone planned on creating an intentional empty NonceToken, NonceToken() is
the way to go.

https://codereview.chromium.org/2333443002/diff/160001/base/nonce.h
File base/nonce.h (right):

https://codereview.chromium.org/2333443002/diff/160001/base/nonce.h#newcode43
base/nonce.h:43: DCHECK(!is_empty());
On 2016/09/15 18:06:37, danakj wrote:
> I don't think you need to DCHECK these.

Removed in newest iteration.

https://codereview.chromium.org/2333443002/diff/160001/base/nonce.h#newcode59
base/nonce.h:59: // Constant time comparison check.
On 2016/09/15 19:43:36, Tom Sepez wrote:
> On 2016/09/15 18:06:37, danakj wrote:
> > I don't know what you mean by constant time. Comparing 2 things is always
> > constant time. Do you have data to support this being faster than just
writing
> > high == high && low == low? This looks like trying to write compilers to me.
> 
> https://en.wikipedia.org/wiki/Timing_attack.  Extremly unlikely since we are
not
> going byte by byte, but you never know.

Removed the comment. Leaving the equality check as is unless someone else has
any other comments.

https://codereview.chromium.org/2333443002/diff/160001/base/nonce.h#newcode63
base/nonce.h:63: bool operator!=(const Nonce& other) const { return
!operator==(other); }
On 2016/09/15 18:06:37, danakj wrote:
> nit: normally written !(*this == other)

Done.

https://codereview.chromium.org/2333443002/diff/160001/base/nonce.h#newcode69
base/nonce.h:69: // simpler ToString() and is_null().
On 2016/09/15 18:46:10, watk wrote:
> drive by: s/is_null/is_empty

Done.

https://codereview.chromium.org/2333443002/diff/160001/base/nonce.h#newcode70
base/nonce.h:70: uint64_t high_;
On 2016/09/15 18:06:37, danakj wrote:
> can you  "= 0" here and just "=default" the constructor definition?

Done.

https://codereview.chromium.org/2333443002/diff/160001/base/nonce.h#newcode77
base/nonce.h:77: CHECK(!nonce.is_empty());
On 2016/09/15 18:06:36, danakj wrote:
> DCHECK?
> 
> Also, you need to include base/logging.h to use this.

Done.

tguilbert

Description was changed from ========== Add base::Nonce cc::SurfaceId, gpu::Mailbox and ScopedSurfaceRequestManager (currently blocked on this ...

4 years, 3 months ago (2016-09-15 23:07:32 UTC) #74

danakj

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc File base/nonce_token.cc (right): https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc#newcode15 base/nonce_token.cc:15: static_assert(sizeof(NonceToken) == 2 * sizeof(uint64_t), Can you put this ...

4 years, 3 months ago (2016-09-15 23:35:16 UTC) #75

tguilbert

PTAL. https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc File base/nonce_token.cc (right): https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc#newcode15 base/nonce_token.cc:15: static_assert(sizeof(NonceToken) == 2 * sizeof(uint64_t), On 2016/09/15 23:35:15, ...

4 years, 3 months ago (2016-09-16 01:03:02 UTC) #76

PTAL.

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc
File base/nonce_token.cc (right):

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc#ne...
base/nonce_token.cc:15: static_assert(sizeof(NonceToken) == 2 *
sizeof(uint64_t),
On 2016/09/15 23:35:15, danakj wrote:
> Can you put this assert at the site(s) of the code that would need to be
updated
> instead?

Done.

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc#ne...
base/nonce_token.cc:35: CHECK(!is_empty());
On 2016/09/15 23:35:16, danakj wrote:
> Why not DCHECK?

Empty NonceTokens can be copied and assigned normally within a process. If
Serialize is called, it is only for the IPC/Mojo/AIDL case. If a process tries
to serialize an empty NonceToken, it means the resource that is meant to be
protected by the unguessability of the NonceToken is not actually being
protected. I think this is a security issue, and that CHECK should therefore be
used here.

WDYT?

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc#ne...
base/nonce_token.cc:44: CHECK(!NonceToken::IsZeroData(high, low));
On 2016/09/15 23:35:16, danakj wrote:
> I don't think CHECK is appropriate here, it means a misbehaving renderer can
> crash the whole browser. When deserializing, if the message is invalid we
should
> just fail to deserialize it and destroy the misbehaving process.

The IPC and the Mojo deserialization code use NonceToken::IsZeroData() to make
sure the given bits are not equal to zero before calling deserialize. If
high/low are both equal to 0 in the IPC and the Mojo case,
StructTraits::Read()/ParamTraits::Read() return false, and never calls
Deserialize.

In Mojo's case, this prompts the browser process to kill the misbehaving
renderer.(https://groups.google.com/a/chromium.org/d/msg/chromium-mojo/_Dn9YV9ghxs/S2tZ0mnwBAAJ)

In IPC's case, I do not have a clear cut comment to link to, (but I assume it is
the same).
@tsepez: Is returning false from ParamTraits::Read() sufficient?

I added a comment to Deserialize() in the .h saying that IsZeroData() should be
used to validate the data in cases where we can gracefully fail the
deserialization.

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.h
File base/nonce_token.h (right):

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.h#new...
base/nonce_token.h:35: // USE ONLY THIS FUNCTION TO GENERATE NEW NONCES.
On 2016/09/15 23:35:16, danakj wrote:
> I'd prefer less capslock in comments. The comment above already calls out this
> method as the place to call too. I think you can drop this whole capslock
part.

Done.

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.h#new...
base/nonce_token.h:39: // NOTE: The NonceToken still needs to be initialized via
Create().
On 2016/09/15 23:35:16, danakj wrote:
> How about // Creates an empty NonceToken. Assign to it with Create() before
> using it.

Nicely worded, thank you! Done.

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.h#new...
base/nonce_token.h:51: static NonceToken Deserialize(uint64_t high, uint64_t
low);
On 2016/09/15 23:35:16, danakj wrote:
> It's easier to read if the static methods are grouped, can you put this with
> Create()

Done.

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.h#new...
base/nonce_token.h:54: static inline bool IsZeroData(uint64_t high, uint64_t
low) {
On 2016/09/15 23:35:16, danakj wrote:
> Can be private? Why isn't it used for is_empty() as well?

I am using it in the IPC and Mojo deserialization code before actually calling
NonceToken::Deserialize, and therefore it can't be private.

And yes, I updated it to be used in is_empty(). (This was Leftover from a local
commit I had where I renamed is_empty() to is_initialized())

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.h#new...
base/nonce_token.h:69: return !((high_ ^ other.high_) | (low_ ^ other.low_));
On 2016/09/15 23:35:16, danakj wrote:
> Either just do high_==other.high_ && low==other.low_ or explain this with a
> comment (in a widely understandable way).

I think SecureMemEqual's comments give good context, so I added a  pointer to
those comments.

danakj

Thanks, few more comments. https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc File base/nonce_token.cc (right): https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc#newcode35 base/nonce_token.cc:35: CHECK(!is_empty()); On 2016/09/16 01:03:01, ThomasGuilbert ...

4 years, 3 months ago (2016-09-16 01:21:55 UTC) #77

Thanks, few more comments.

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc
File base/nonce_token.cc (right):

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc#ne...
base/nonce_token.cc:35: CHECK(!is_empty());
On 2016/09/16 01:03:01, ThomasGuilbert wrote:
> On 2016/09/15 23:35:16, danakj wrote:
> > Why not DCHECK?
> 
> Empty NonceTokens can be copied and assigned normally within a process. If
> Serialize is called, it is only for the IPC/Mojo/AIDL case. If a process tries
> to serialize an empty NonceToken, it means the resource that is meant to be
> protected by the unguessability of the NonceToken is not actually being
> protected. I think this is a security issue, and that CHECK should therefore
be
> used here.
> 
> WDYT?

You're right it's a security issue but you can't trust an untrusted process to
do anything right anyway, so I think using CHECK here is misleading. The
validation should happen at the time of deserialization, which happens in a
trusted place.

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc#ne...
base/nonce_token.cc:44: CHECK(!NonceToken::IsZeroData(high, low));
On 2016/09/16 01:03:01, ThomasGuilbert wrote:
> On 2016/09/15 23:35:16, danakj wrote:
> > I don't think CHECK is appropriate here, it means a misbehaving renderer can
> > crash the whole browser. When deserializing, if the message is invalid we
> should
> > just fail to deserialize it and destroy the misbehaving process.
> 
> The IPC and the Mojo deserialization code use NonceToken::IsZeroData() to make
> sure the given bits are not equal to zero before calling deserialize. If
> high/low are both equal to 0 in the IPC and the Mojo case,
> StructTraits::Read()/ParamTraits::Read() return false, and never calls
> Deserialize.
> 
> In Mojo's case, this prompts the browser process to kill the misbehaving
>
renderer.(https://groups.google.com/a/chromium.org/d/msg/chromium-mojo/_Dn9YV9ghxs/S2tZ0mnwBAAJ)
> 
> In IPC's case, I do not have a clear cut comment to link to, (but I assume it
is
> the same).
> @tsepez: Is returning false from ParamTraits::Read() sufficient?
> 
> 
> I added a comment to Deserialize() in the .h saying that IsZeroData() should
be
> used to validate the data in cases where we can gracefully fail the
> deserialization.

That sounds good, but then I don't think you need this CHECK. You can DCHECK to
verify that this does indeed not happen, but please don't overuse CHECK.
https://chromium.googlesource.com/chromium/src/+/master/styleguide/c++/c++.md...

https://codereview.chromium.org/2333443002/diff/240001/base/nonce_token.h
File base/nonce_token.h (right):

https://codereview.chromium.org/2333443002/diff/240001/base/nonce_token.h#new...
base/nonce_token.h:49: static inline bool IsZeroData(uint64_t high, uint64_t
low) {
I think this should not be part of this api, here's my thoughts:

If you need a check that is constant-time because you're worried an attacker may
use the timing of the result (they'd have to do this in a tight loop or where
they have control of the system right before and after the check I guess
right?), you can do this check by doing == NonceToken() already, so it's
redundant with that.

The deserialization code is going to be running after performing a whole lot of
other process/thread/something hopping. So I don't see how timing attacks are
relevant there and they can just check (high&&low), which really doesn't need a
helper. But please let me know if that isn't the case.

TBH I'm not sure where you're worried about timing attacks for is_empty() either
and I would just write it the most naive way.

I can kinda see an argument for operator==, this is something that is more
likely to appear in code outside of IPC, and could be used to fish for a
matching NonceToken with brute force.

is_empty() doesn't satisfy those concerns tho, right?

https://codereview.chromium.org/2333443002/diff/240001/base/nonce_token.h#new...
base/nonce_token.h:72: // See crypto::SecureMemEqual()'s comments for more
context.
Thanks for this pointer.

Tom Sepez

Deserialization should just return false on error, the browser then invokes its bad message path ...

4 years, 3 months ago (2016-09-16 16:02:59 UTC) #78

Tom Sepez

On 2016/09/16 16:02:59, Tom Sepez wrote: > Deserialization should just return false on error, the ...

4 years, 3 months ago (2016-09-16 16:05:41 UTC) #79

Tom Sepez

On 2016/09/16 16:05:41, Tom Sepez wrote: > On 2016/09/16 16:02:59, Tom Sepez wrote: > > ...

4 years, 3 months ago (2016-09-16 16:07:18 UTC) #80

danakj

On Fri, Sep 16, 2016 at 9:02 AM, <tsepez@chromium.org> wrote: > Deserialization should just return ...

4 years, 3 months ago (2016-09-16 17:54:19 UTC) #81

Fady Samuel

+1 to UnguessableToken! On 2016/09/16 17:54:19, danakj wrote: > On Fri, Sep 16, 2016 at ...

4 years, 3 months ago (2016-09-16 17:56:24 UTC) #82

tguilbert

On 2016/09/16 17:56:24, Fady Samuel wrote: > +1 to UnguessableToken! > > On 2016/09/16 17:54:19, ...

4 years, 3 months ago (2016-09-16 18:50:16 UTC) #83

tguilbert

Description was changed from ========== Add base::NonceToken cc::SurfaceId, gpu::Mailbox and ScopedSurfaceRequestManager need an unguessable identifier. ...

4 years, 3 months ago (2016-09-16 21:46:27 UTC) #84

Description was changed from

==========
Add base::NonceToken

cc::SurfaceId, gpu::Mailbox and ScopedSurfaceRequestManager need an 
unguessable identifier. Security recommends using 128 bits to make sure
an ID is unguessable. However, there is no conveniently serializable
way to represent 128 bits.

This change introduces base::NonceToken, a 128 bit class with a
cryptographically strong Create() function. NonceTokens can be used by
themselves, or as part of an aggregate ID.

An empty NonceToken is a valid value. This means the NonceToken is not
in and of itself a cryptographic nonce. It is however illegal to send
empty NonceToken across processes (because the resource that is
supposed to be protected by the token would now be guessable).

This change also introduces the appropriate code to send NonceTokens
over IPC and Mojo. Trying to serialize/deserialize an empty NonceToken
will result in CHECKs and failures. base::Optional should be used in
cases where it may be valid to return no token.

TEST=Added unittests. Also tested in a prototype that uses IPC and Mojo.
BUG=643857
==========

to

==========
Add base::UnguessableToken

cc::SurfaceId, gpu::Mailbox and ScopedSurfaceRequestManager need an 
unguessable identifier. Security recommends using 128 bits to make sure
an ID is unguessable. However, there is no conveniently serializable
way to represent 128 bits.

This change introduces base::UnguessableToken, a 128 bit class with a
cryptographically strong Create() function. UnguessableToken can be
used by themselves, or as part of an aggregate ID.

An empty UnguessableToken is a valid value. It is however illegal to
send empty UnguessableToken across processes (because the resource that
is supposed to be protected by the token would now be guessable).
Sending empty tokens across processes is a security issue, and should
be handled as such.

This change also introduces the appropriate code to send tokens
over IPC and Mojo. base::Optional should be used in cases where it may
be valid to send no token (rather than sending an empty token).

TEST=Added unittests. Also tested in a prototype that uses IPC and Mojo.
BUG=643857
==========

tguilbert

The CQ bit was checked by tguilbert@chromium.org to run a CQ dry run

4 years, 3 months ago (2016-09-16 21:51:12 UTC) #85

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2333443002/260001

4 years, 3 months ago (2016-09-16 21:51:40 UTC) #86

sandersd (OOO until July 31)

https://codereview.chromium.org/2333443002/diff/260001/base/unguessable_token.cc File base/unguessable_token.cc (right): https://codereview.chromium.org/2333443002/diff/260001/base/unguessable_token.cc#newcode17 base/unguessable_token.cc:17: return base::StringPrintf("(%" PRIu64 ":%" PRIu64 ")", high_, low_); I ...

4 years, 3 months ago (2016-09-16 22:13:55 UTC) #88

tguilbert

After a few offline discussions, I have changed all CHECKs to DCHECKs. Following comments and ...

4 years, 3 months ago (2016-09-16 22:16:40 UTC) #89

After a few offline discussions, I have changed all CHECKs to DCHECKs.

Following comments and discussion, I have updated the name to UnguessableToken
(which has gone full circle, because it was the original name I had before
changing it to Nonce :P)

PTAL. Thank you everyone for the comments and discussion!

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc
File base/nonce_token.cc (right):

https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc#ne...
base/nonce_token.cc:35: CHECK(!is_empty());
On 2016/09/16 01:21:55, danakj wrote:
> On 2016/09/16 01:03:01, ThomasGuilbert wrote:
> > On 2016/09/15 23:35:16, danakj wrote:
> > > Why not DCHECK?
> > 
> > Empty NonceTokens can be copied and assigned normally within a process. If
> > Serialize is called, it is only for the IPC/Mojo/AIDL case. If a process
tries
> > to serialize an empty NonceToken, it means the resource that is meant to be
> > protected by the unguessability of the NonceToken is not actually being
> > protected. I think this is a security issue, and that CHECK should therefore
> be
> > used here.
> > 
> > WDYT?
> 
> You're right it's a security issue but you can't trust an untrusted process to
> do anything right anyway, so I think using CHECK here is misleading. The
> validation should happen at the time of deserialization, which happens in a
> trusted place.

Ah, I understand the point you are making.

My concern however was more along the lines of the Browser --> Renderer path.
If, due to some edge case, some ID that is meant to be unguessable is never
initialized in the Browser process, then the serialization is the only place
where we can perform validations in a trusted place. If an empty ID is
mistakenly sent by the browser to a valid Renderer, I feel like this will be
hard to debug without a stack trace that shows the browser is the culprit
(because, any valid Renderer that deserializes the 0 token that the browser sent
would then be killed, from what I understand).

That being said, it is a DCHECK now.

https://codereview.chromium.org/2333443002/diff/240001/base/nonce_token.h
File base/nonce_token.h (right):

https://codereview.chromium.org/2333443002/diff/240001/base/nonce_token.h#new...
base/nonce_token.h:49: static inline bool IsZeroData(uint64_t high, uint64_t
low) {
On 2016/09/16 01:21:55, danakj wrote:
> I think this should not be part of this api, here's my thoughts:
> 
> If you need a check that is constant-time because you're worried an attacker
may
> use the timing of the result (they'd have to do this in a tight loop or where
> they have control of the system right before and after the check I guess
> right?), you can do this check by doing == NonceToken() already, so it's
> redundant with that.
> 
> The deserialization code is going to be running after performing a whole lot
of
> other process/thread/something hopping. So I don't see how timing attacks are
> relevant there and they can just check (high&&low), which really doesn't need
a
> helper. But please let me know if that isn't the case.
> 
> TBH I'm not sure where you're worried about timing attacks for is_empty()
either
> and I would just write it the most naive way.
> 
> I can kinda see an argument for operator==, this is something that is more
> likely to appear in code outside of IPC, and could be used to fish for a
> matching NonceToken with brute force.
> 
> is_empty() doesn't satisfy those concerns tho, right?

I was not concerned about timing attacks with this function. I used it a
syntactic sugar (that also brought attention to the importance of validating the
data) in the IPC and Mojo deserialization code.

Now that there is no CHECK in deserialize (and therefore no need to pre-validate
the data), I can construct the UnguessableToken, and then check for is_empty()
(and return false if there is an issue).

I updated the comments above deserialize to mention that the empty case should
be handled.

danakj

LGTM too thanks for all the iterations https://codereview.chromium.org/2333443002/diff/260001/base/unguessable_token_unittest.cc File base/unguessable_token_unittest.cc (right): https://codereview.chromium.org/2333443002/diff/260001/base/unguessable_token_unittest.cc#newcode74 base/unguessable_token_unittest.cc:74: TestSmallerThanOperator(UnguessableToken::Deserialize(0, 1), ...

4 years, 3 months ago (2016-09-16 22:18:32 UTC) #90

danakj

On 2016/09/16 22:16:40, ThomasGuilbert wrote: > After a few offline discussions, I have changed all ...

4 years, 3 months ago (2016-09-16 22:20:24 UTC) #91

On 2016/09/16 22:16:40, ThomasGuilbert wrote:
> After a few offline discussions, I have changed all CHECKs to DCHECKs.
> 
> Following comments and discussion, I have updated the name to UnguessableToken
> (which has gone full circle, because it was the original name I had before
> changing it to Nonce :P)
> 
> PTAL. Thank you everyone for the comments and discussion!
> 
> https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc
> File base/nonce_token.cc (right):
> 
>
https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc#ne...
> base/nonce_token.cc:35: CHECK(!is_empty());
> On 2016/09/16 01:21:55, danakj wrote:
> > On 2016/09/16 01:03:01, ThomasGuilbert wrote:
> > > On 2016/09/15 23:35:16, danakj wrote:
> > > > Why not DCHECK?
> > > 
> > > Empty NonceTokens can be copied and assigned normally within a process. If
> > > Serialize is called, it is only for the IPC/Mojo/AIDL case. If a process
> tries
> > > to serialize an empty NonceToken, it means the resource that is meant to
be
> > > protected by the unguessability of the NonceToken is not actually being
> > > protected. I think this is a security issue, and that CHECK should
therefore
> > be
> > > used here.
> > > 
> > > WDYT?
> > 
> > You're right it's a security issue but you can't trust an untrusted process
to
> > do anything right anyway, so I think using CHECK here is misleading. The
> > validation should happen at the time of deserialization, which happens in a
> > trusted place.
> 
> Ah, I understand the point you are making.
> 
> My concern however was more along the lines of the Browser --> Renderer path.
> If, due to some edge case, some ID that is meant to be unguessable is never
> initialized in the Browser process, then the serialization is the only place
> where we can perform validations in a trusted place. If an empty ID is
> mistakenly sent by the browser to a valid Renderer, I feel like this will be
> hard to debug without a stack trace that shows the browser is the culprit
> (because, any valid Renderer that deserializes the 0 token that the browser
sent
> would then be killed, from what I understand).
> 
> That being said, it is a DCHECK now.
> 
> https://codereview.chromium.org/2333443002/diff/240001/base/nonce_token.h
> File base/nonce_token.h (right):
> 
>
https://codereview.chromium.org/2333443002/diff/240001/base/nonce_token.h#new...
> base/nonce_token.h:49: static inline bool IsZeroData(uint64_t high, uint64_t
> low) {
> On 2016/09/16 01:21:55, danakj wrote:
> > I think this should not be part of this api, here's my thoughts:
> > 
> > If you need a check that is constant-time because you're worried an attacker
> may
> > use the timing of the result (they'd have to do this in a tight loop or
where
> > they have control of the system right before and after the check I guess
> > right?), you can do this check by doing == NonceToken() already, so it's
> > redundant with that.
> > 
> > The deserialization code is going to be running after performing a whole lot
> of
> > other process/thread/something hopping. So I don't see how timing attacks
are
> > relevant there and they can just check (high&&low), which really doesn't
need
> a
> > helper. But please let me know if that isn't the case.
> > 
> > TBH I'm not sure where you're worried about timing attacks for is_empty()
> either
> > and I would just write it the most naive way.
> > 
> > I can kinda see an argument for operator==, this is something that is more
> > likely to appear in code outside of IPC, and could be used to fish for a
> > matching NonceToken with brute force.
> > 
> > is_empty() doesn't satisfy those concerns tho, right?
> 
> I was not concerned about timing attacks with this function. I used it a
> syntactic sugar (that also brought attention to the importance of validating
the
> data) in the IPC and Mojo deserialization code.
> 
> Now that there is no CHECK in deserialize (and therefore no need to
pre-validate
> the data), I can construct the UnguessableToken, and then check for is_empty()
> (and return false if there is an issue).

I don't agree with this really. The serialization code should check that high
and low are non-zero before calling Deserialize. Don't write code that can
DCHECK, they are for verifying that we didn't write code that can do it.

> I updated the comments above deserialize to mention that the empty case should
> be handled.

danakj

https://codereview.chromium.org/2333443002/diff/260001/base/unguessable_token.h File base/unguessable_token.h (right): https://codereview.chromium.org/2333443002/diff/260001/base/unguessable_token.h#newcode64 base/unguessable_token.h:64: // Based on crypto::SecureMemEqual(). On 2016/09/16 22:13:55, sandersd wrote: ...

4 years, 3 months ago (2016-09-16 22:21:35 UTC) #92

tguilbert

https://codereview.chromium.org/2333443002/diff/260001/base/unguessable_token.cc File base/unguessable_token.cc (right): https://codereview.chromium.org/2333443002/diff/260001/base/unguessable_token.cc#newcode17 base/unguessable_token.cc:17: return base::StringPrintf("(%" PRIu64 ":%" PRIu64 ")", high_, low_); On ...

4 years, 3 months ago (2016-09-16 22:48:15 UTC) #93

tguilbert

On 2016/09/16 22:20:24, danakj wrote: > On 2016/09/16 22:16:40, ThomasGuilbert wrote: > > After a ...

4 years, 3 months ago (2016-09-16 22:49:36 UTC) #94

On 2016/09/16 22:20:24, danakj wrote:
> On 2016/09/16 22:16:40, ThomasGuilbert wrote:
> > After a few offline discussions, I have changed all CHECKs to DCHECKs.
> > 
> > Following comments and discussion, I have updated the name to
UnguessableToken
> > (which has gone full circle, because it was the original name I had before
> > changing it to Nonce :P)
> > 
> > PTAL. Thank you everyone for the comments and discussion!
> > 
> > https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc
> > File base/nonce_token.cc (right):
> > 
> >
>
https://codereview.chromium.org/2333443002/diff/220001/base/nonce_token.cc#ne...
> > base/nonce_token.cc:35: CHECK(!is_empty());
> > On 2016/09/16 01:21:55, danakj wrote:
> > > On 2016/09/16 01:03:01, ThomasGuilbert wrote:
> > > > On 2016/09/15 23:35:16, danakj wrote:
> > > > > Why not DCHECK?
> > > > 
> > > > Empty NonceTokens can be copied and assigned normally within a process.
If
> > > > Serialize is called, it is only for the IPC/Mojo/AIDL case. If a process
> > tries
> > > > to serialize an empty NonceToken, it means the resource that is meant to
> be
> > > > protected by the unguessability of the NonceToken is not actually being
> > > > protected. I think this is a security issue, and that CHECK should
> therefore
> > > be
> > > > used here.
> > > > 
> > > > WDYT?
> > > 
> > > You're right it's a security issue but you can't trust an untrusted
process
> to
> > > do anything right anyway, so I think using CHECK here is misleading. The
> > > validation should happen at the time of deserialization, which happens in
a
> > > trusted place.
> > 
> > Ah, I understand the point you are making.
> > 
> > My concern however was more along the lines of the Browser --> Renderer
path.
> > If, due to some edge case, some ID that is meant to be unguessable is never
> > initialized in the Browser process, then the serialization is the only place
> > where we can perform validations in a trusted place. If an empty ID is
> > mistakenly sent by the browser to a valid Renderer, I feel like this will be
> > hard to debug without a stack trace that shows the browser is the culprit
> > (because, any valid Renderer that deserializes the 0 token that the browser
> sent
> > would then be killed, from what I understand).
> > 
> > That being said, it is a DCHECK now.
> > 
> > https://codereview.chromium.org/2333443002/diff/240001/base/nonce_token.h
> > File base/nonce_token.h (right):
> > 
> >
>
https://codereview.chromium.org/2333443002/diff/240001/base/nonce_token.h#new...
> > base/nonce_token.h:49: static inline bool IsZeroData(uint64_t high, uint64_t
> > low) {
> > On 2016/09/16 01:21:55, danakj wrote:
> > > I think this should not be part of this api, here's my thoughts:
> > > 
> > > If you need a check that is constant-time because you're worried an
attacker
> > may
> > > use the timing of the result (they'd have to do this in a tight loop or
> where
> > > they have control of the system right before and after the check I guess
> > > right?), you can do this check by doing == NonceToken() already, so it's
> > > redundant with that.
> > > 
> > > The deserialization code is going to be running after performing a whole
lot
> > of
> > > other process/thread/something hopping. So I don't see how timing attacks
> are
> > > relevant there and they can just check (high&&low), which really doesn't
> need
> > a
> > > helper. But please let me know if that isn't the case.
> > > 
> > > TBH I'm not sure where you're worried about timing attacks for is_empty()
> > either
> > > and I would just write it the most naive way.
> > > 
> > > I can kinda see an argument for operator==, this is something that is more
> > > likely to appear in code outside of IPC, and could be used to fish for a
> > > matching NonceToken with brute force.
> > > 
> > > is_empty() doesn't satisfy those concerns tho, right?
> > 
> > I was not concerned about timing attacks with this function. I used it a
> > syntactic sugar (that also brought attention to the importance of validating
> the
> > data) in the IPC and Mojo deserialization code.
> > 
> > Now that there is no CHECK in deserialize (and therefore no need to
> pre-validate
> > the data), I can construct the UnguessableToken, and then check for
is_empty()
> > (and return false if there is an issue).
> 
> I don't agree with this really. The serialization code should check that high
> and low are non-zero before calling Deserialize. Don't write code that can
> DCHECK, they are for verifying that we didn't write code that can do it.
> 
> > I updated the comments above deserialize to mention that the empty case
should
> > be handled.

You are right. I explicitly check for the high == 0 && low == 0 now.

danakj

Thanks! LGTM https://codereview.chromium.org/2333443002/diff/280001/ipc/ipc_message_utils.cc File ipc/ipc_message_utils.cc (right): https://codereview.chromium.org/2333443002/diff/280001/ipc/ipc_message_utils.cc#newcode1033 ipc/ipc_message_utils.cc:1033: return false; please "git cl format" there's ...

4 years, 3 months ago (2016-09-16 22:52:46 UTC) #95

dcheng

https://codereview.chromium.org/2333443002/diff/280001/mojo/common/common_custom_types_struct_traits.h File mojo/common/common_custom_types_struct_traits.h (right): https://codereview.chromium.org/2333443002/diff/280001/mojo/common/common_custom_types_struct_traits.h#newcode38 mojo/common/common_custom_types_struct_traits.h:38: token.Serialize(&high, &low); So, for Reasons (tm), each getter here ...

4 years, 3 months ago (2016-09-16 23:01:36 UTC) #97

danakj

https://codereview.chromium.org/2333443002/diff/280001/mojo/common/common_custom_types_struct_traits.h File mojo/common/common_custom_types_struct_traits.h (right): https://codereview.chromium.org/2333443002/diff/280001/mojo/common/common_custom_types_struct_traits.h#newcode38 mojo/common/common_custom_types_struct_traits.h:38: token.Serialize(&high, &low); On 2016/09/16 23:01:35, dcheng wrote: > So, ...

4 years, 3 months ago (2016-09-16 23:26:51 UTC) #98

tguilbert

On 2016/09/16 23:26:51, danakj wrote: > https://codereview.chromium.org/2333443002/diff/280001/mojo/common/common_custom_types_struct_traits.h > File mojo/common/common_custom_types_struct_traits.h (right): > > https://codereview.chromium.org/2333443002/diff/280001/mojo/common/common_custom_types_struct_traits.h#newcode38 > ...

4 years, 3 months ago (2016-09-17 00:10:16 UTC) #99

Fady Samuel

On 2016/09/17 00:10:16, ThomasGuilbert wrote: > On 2016/09/16 23:26:51, danakj wrote: > > > https://codereview.chromium.org/2333443002/diff/280001/mojo/common/common_custom_types_struct_traits.h ...

4 years, 3 months ago (2016-09-17 00:21:38 UTC) #100

dcheng

LGTM with comments addressed. https://codereview.chromium.org/2333443002/diff/320001/base/unguessable_token.cc File base/unguessable_token.cc (right): https://codereview.chromium.org/2333443002/diff/320001/base/unguessable_token.cc#newcode30 base/unguessable_token.cc:30: // Serializing an empty UnguessableToken ...

4 years, 3 months ago (2016-09-17 00:22:20 UTC) #101

tguilbert

Done. Thank you so much everyone for your comments and for the discussion! I am ...

4 years, 3 months ago (2016-09-17 00:49:49 UTC) #102

tguilbert

The patchset sent to the CQ was uploaded after l-g-t-m from fsamuel@chromium.org, avi@chromium.org, tsepez@chromium.org, sandersd@chromium.org, ...

4 years, 3 months ago (2016-09-17 00:50:08 UTC) #104

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2333443002/340001

4 years, 3 months ago (2016-09-17 00:50:44 UTC) #105

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

4 years, 3 months ago (2016-09-17 00:59:34 UTC) #106

commit-bot: I haz the power

Try jobs failed on following builders: chromium_presubmit on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presubmit/builds/261627)

4 years, 3 months ago (2016-09-17 00:59:36 UTC) #107

tguilbert

@rockot Can you OWNERS review mojo/* ? These two files do not have an OWNERS ...

4 years, 3 months ago (2016-09-17 01:12:37 UTC) #108

Ken Rockot(use gerrit already)

Woops, sorry. LGTM On Sep 16, 2016 6:12 PM, <tguilbert@chromium.org> wrote: > @rockot Can you ...

4 years, 3 months ago (2016-09-17 01:43:12 UTC) #109

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2333443002/340001

4 years, 3 months ago (2016-09-17 01:50:42 UTC) #112

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

4 years, 3 months ago (2016-09-17 03:18:08 UTC) #113

commit-bot: I haz the power

Try jobs failed on following builders: win_clang on master.tryserver.chromium.win (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.win/builders/win_clang/builds/87640)

4 years, 3 months ago (2016-09-17 03:18:10 UTC) #114

tguilbert

The patchset sent to the CQ was uploaded after l-g-t-m from rockot@chromium.org, avi@chromium.org, sandersd@chromium.org, dcheng@chromium.org, ...

4 years, 3 months ago (2016-09-19 17:51:02 UTC) #116

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2333443002/360001

4 years, 3 months ago (2016-09-19 17:51:20 UTC) #117

tguilbert

The patchset sent to the CQ was uploaded after l-g-t-m from rockot@chromium.org, avi@chromium.org, sandersd@chromium.org, dcheng@chromium.org, ...

4 years, 3 months ago (2016-09-19 18:32:56 UTC) #120

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2333443002/380001

4 years, 3 months ago (2016-09-19 18:33:22 UTC) #121

commit-bot: I haz the power

Description was changed from ========== Add base::UnguessableToken cc::SurfaceId, gpu::Mailbox and ScopedSurfaceRequestManager need an unguessable identifier. ...

4 years, 3 months ago (2016-09-19 21:11:44 UTC) #122

Message was sent while issue was closed.

Description was changed from

==========
Add base::UnguessableToken

cc::SurfaceId, gpu::Mailbox and ScopedSurfaceRequestManager need an 
unguessable identifier. Security recommends using 128 bits to make sure
an ID is unguessable. However, there is no conveniently serializable
way to represent 128 bits.

This change introduces base::UnguessableToken, a 128 bit class with a
cryptographically strong Create() function. UnguessableToken can be
used by themselves, or as part of an aggregate ID.

An empty UnguessableToken is a valid value. It is however illegal to
send empty UnguessableToken across processes (because the resource that
is supposed to be protected by the token would now be guessable).
Sending empty tokens across processes is a security issue, and should
be handled as such.

This change also introduces the appropriate code to send tokens
over IPC and Mojo. base::Optional should be used in cases where it may
be valid to send no token (rather than sending an empty token).

TEST=Added unittests. Also tested in a prototype that uses IPC and Mojo.
BUG=643857
==========

to

==========
Add base::UnguessableToken

cc::SurfaceId, gpu::Mailbox and ScopedSurfaceRequestManager need an 
unguessable identifier. Security recommends using 128 bits to make sure
an ID is unguessable. However, there is no conveniently serializable
way to represent 128 bits.

This change introduces base::UnguessableToken, a 128 bit class with a
cryptographically strong Create() function. UnguessableToken can be
used by themselves, or as part of an aggregate ID.

An empty UnguessableToken is a valid value. It is however illegal to
send empty UnguessableToken across processes (because the resource that
is supposed to be protected by the token would now be guessable).
Sending empty tokens across processes is a security issue, and should
be handled as such.

This change also introduces the appropriate code to send tokens
over IPC and Mojo. base::Optional should be used in cases where it may
be valid to send no token (rather than sending an empty token).

TEST=Added unittests. Also tested in a prototype that uses IPC and Mojo.
BUG=643857
==========

commit-bot: I haz the power

Description was changed from ========== Add base::UnguessableToken cc::SurfaceId, gpu::Mailbox and ScopedSurfaceRequestManager need an unguessable identifier. ...

4 years, 3 months ago (2016-09-19 21:13:40 UTC) #124

Message was sent while issue was closed.

Description was changed from

==========
Add base::UnguessableToken

cc::SurfaceId, gpu::Mailbox and ScopedSurfaceRequestManager need an 
unguessable identifier. Security recommends using 128 bits to make sure
an ID is unguessable. However, there is no conveniently serializable
way to represent 128 bits.

This change introduces base::UnguessableToken, a 128 bit class with a
cryptographically strong Create() function. UnguessableToken can be
used by themselves, or as part of an aggregate ID.

An empty UnguessableToken is a valid value. It is however illegal to
send empty UnguessableToken across processes (because the resource that
is supposed to be protected by the token would now be guessable).
Sending empty tokens across processes is a security issue, and should
be handled as such.

This change also introduces the appropriate code to send tokens
over IPC and Mojo. base::Optional should be used in cases where it may
be valid to send no token (rather than sending an empty token).

TEST=Added unittests. Also tested in a prototype that uses IPC and Mojo.
BUG=643857
==========

to

==========
Add base::UnguessableToken

cc::SurfaceId, gpu::Mailbox and ScopedSurfaceRequestManager need an
unguessable identifier. Security recommends using 128 bits to make sure
an ID is unguessable. However, there is no conveniently serializable
way to represent 128 bits.

This change introduces base::UnguessableToken, a 128 bit class with a
cryptographically strong Create() function. UnguessableToken can be
used by themselves, or as part of an aggregate ID.

An empty UnguessableToken is a valid value. It is however illegal to
send empty UnguessableToken across processes (because the resource that
is supposed to be protected by the token would now be guessable).
Sending empty tokens across processes is a security issue, and should
be handled as such.

This change also introduces the appropriate code to send tokens
over IPC and Mojo. base::Optional should be used in cases where it may
be valid to send no token (rather than sending an empty token).

TEST=Added unittests. Also tested in a prototype that uses IPC and Mojo.
BUG=643857

Committed: https://crrev.com/4a5ac609f7ea52f2eb69fe871ba6b00c463b9b25
Cr-Commit-Position: refs/heads/master@{#419550}
==========

commit-bot: I haz the power

4 years, 3 months ago (2016-09-19 21:13:43 UTC) #125

Message was sent while issue was closed.

Patchset 20 (id:??) landed as
https://crrev.com/4a5ac609f7ea52f2eb69fe871ba6b00c463b9b25
Cr-Commit-Position: refs/heads/master@{#419550}

Issue 2333443002: Add base::UnguessableToken (Closed)

Description

Patch Set 1 #

Patch Set 2 : Addressed comments. #

Patch Set 3 : Changed std::is_pod<Nonce> from UT to static_assert #

Patch Set 4 : Addressing comments. #

Patch Set 5 : Added struct traits. Changed IPC serialization. #

Patch Set 6 : Fixed a UT #

Patch Set 7 : Fixed typos. int64_t --> uint64_t #

Patch Set 8 : Removed '= default' constructor. #

Patch Set 9 : Addressed comments. Added CHECKs, const time ==. #

Patch Set 10 : Rename to NonceToken. Addressed comments. #

Patch Set 11 : Rebase #

Patch Set 12 : NonceTokenHash CHECK --> DCHECK #

Patch Set 13 : Adressed comments #

Patch Set 14 : Name change. CHECK --> DCHECK #

Patch Set 15 : Addressed comments. #

Patch Set 16 : cl format #

Patch Set 17 : Serialize --> Serialization getters #

Patch Set 18 : Addressed last comments. #

Patch Set 19 : Fixed typemap linking issue. #

Patch Set 20 : Removed MOJO_COMMON_EXPORT #

Messages