base/nonce.cc - Issue 2333443002: Add base::UnguessableToken

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: base/nonce.cc

Issue 2333443002: Add base::UnguessableToken (Closed)

Patch Set: Addressed comments. Added CHECKs, const time ==. Created 4 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright 2016 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "base/nonce.h"

	6

	7 #include "base/format_macros.h"

	8 #include "base/rand_util.h"

	9 #include "base/strings/stringprintf.h"

	10

	11 namespace base {

	12

	13 // If base::Nonce is no longer 128 bits, the IPC serialization logic and Mojo

	14 // StructTraits should be updated to match the size of the struct.

	15 static_assert(sizeof(Nonce) == 2 * sizeof(uint64_t),

	16 "base::Nonce should be of size 2 * sizeof(uint64_t).");

	17

	18 Nonce::Nonce() : high_(0), low_(0) {}

	19

	20 Nonce::Nonce(uint64_t high, uint64_t low) : high_(high), low_(low) {}

	21

	22 std::string Nonce::ToString() const {

	23 return base::StringPrintf("(%" PRIu64 ":%" PRIu64 ")", high_, low_);

	24 }

	25

	26 // static

	27 Nonce Nonce::Generate() {

	28 Nonce nonce;

	29 // Use base::RandBytes instead of crypto::RandBytes, because crypto calls the

	30 // base version directly, and to prevent the dependency from base/ to crypto/.

	31 base::RandBytes(&nonce, sizeof(nonce));

	32 return nonce;

	33 }

	34

	35 // static

	36 Nonce Nonce::Deserialize(uint64_t high, uint64_t low) {

	37 // Make sure we are not trying to deserialize an empty nonce.

	38 // Sending an empty nonce accross processes likely means that
	watk 2016/09/15 18:46:10 across across tguilbert 2016/09/15 22:57:39 Done. Show quoted text On 2016/09/15 18:46:10, watk wrote: > across Done.
	39 // Nonce::Generate() was never called, which points to a security hole.

	40 CHECK((high \| low));
	danakj 2016/09/15 18:06:36 DCHECK? DCHECK? tguilbert 2016/09/15 22:57:39 I think this CHECK is important. There is no case Show quoted text On 2016/09/15 18:06:36, danakj wrote: > DCHECK? I think this CHECK is important. There is no case where deserializing a zeroed out NonceToken is a valid scenario. The IPC ParamTraits and Mojo StructTraits are now checking to see if high/low are both 0, and return false instead of calling Deserialize, which means we shouldn't run into this CHECK. If someone planned on creating an intentional empty NonceToken, NonceToken() is the way to go.
	41 return Nonce(high, low);

	42 }

	43

	44 } // namespace base

OLD	NEW

« base/nonce.h ('K') | « base/nonce.h ('k') | base/nonce_unittest.cc » ('j') | no next file with comments »