Add base::UnguessableToken

base/nonce_token.h

Index: base/nonce_token.h
diff --git a/base/nonce_token.h b/base/nonce_token.h
new file mode 100644
index 0000000000000000000000000000000000000000..47fbf6adbf75714d7efdb18834a35958e38e615d
--- /dev/null
+++ b/base/nonce_token.h
@@ -0,0 +1,98 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef BASE_NONCE_TOKEN_H_
+#define BASE_NONCE_TOKEN_H_
+
+#include <stdint.h>
+#include <string.h>
+#include <tuple>
+
+#include "base/base_export.h"
+#include "base/hash.h"
+#include "base/logging.h"
+
+namespace base {
+
+struct NonceTokenHash;
+
+// A NonceToken is an unguessable 128-bit token generated from a
+// cryptographically strong random source.
+//
+// NonceToken should be used when a sensitive ID needs to be unguessable, and is
+// shared across processes. It can be used as part of a larger aggregate type,
+// or as an ID in and of itself.
+//
+// Use Create() for creating new unguessable nonce tokens.
+//
+// NOTE: A NonceToken is not semantically a "cryptographic nonce", since we
+// consider a zeroed out NonceToken to be a legal value. It is however illegal
+// to send empty NonceTokens across processes.
+class BASE_EXPORT NonceToken {
+ public:
+  // Create an unguessable and unique NonceToken.
+  static NonceToken Create();
+
+  // Return a NonceToken built from the high/low bytes provided.
+  // It should only be used in deserialization scenarios.
+  //
+  // NOTE: If |high| and |low| are both 0, the NonceToken we are trying to
+  // deserialize was never initialized, which is a security issue.
+  // If there is a way to securely and gracefully fail the deserialization,
+  // inputs should be checked using IsZeroData() before calling Deserialize().
+  // See ParamTraits<base::NonceToken>::Read(), or NonceToken's
+  // StructTraits::Read() for examples of securely failing a deserialization.
+  static NonceToken Deserialize(uint64_t high, uint64_t low);
+
+  // Helper function to check if the high/low bits passed are zeroed out.
+  static inline bool IsZeroData(uint64_t high, uint64_t low) {

[danakj, 2016/09/16 01:21:55]

I think this should not be part of this api, here's my thoughts:

If you need a check that is constant-time because you're worried an attacker may
use the timing of the result (they'd have to do this in a tight loop or where
they have control of the system right before and after the check I guess
right?), you can do this check by doing == NonceToken() already, so it's
redundant with that.

The deserialization code is going to be running after performing a whole lot of
other process/thread/something hopping. So I don't see how timing attacks are
relevant there and they can just check (high&&low), which really doesn't need a
helper. But please let me know if that isn't the case.

TBH I'm not sure where you're worried about timing attacks for is_empty() either
and I would just write it the most naive way.

I can kinda see an argument for operator==, this is something that is more
likely to appear in code outside of IPC, and could be used to fish for a
matching NonceToken with brute force.

is_empty() doesn't satisfy those concerns tho, right?

[tguilbert, 2016/09/16 22:16:40]

I was not concerned about timing attacks with this function. I used it a
syntactic sugar (that also brought attention to the importance of validating the
data) in the IPC and Mojo deserialization code.

Now that there is no CHECK in deserialize (and therefore no need to pre-validate
the data), I can construct the UnguessableToken, and then check for is_empty()
(and return false if there is an issue).

I updated the comments above deserialize to mention that the empty case should
be handled.

+    return !(high | low);
+  }
+
+  // Creates an empty NonceToken. Assign to it with Create() before using it.
+  NonceToken() = default;
+
+  // Return |high_| and |low_| as out parameters.
+  // NOTE: Serializing an empty NonceToken is an illegal operation.
+  void Serialize(uint64_t* high_out, uint64_t* low_out) const;
+
+  bool is_empty() const { return IsZeroData(high_, low_); }
+
+  std::string ToString() const;
+
+  explicit operator bool() const { return !is_empty(); }
+
+  bool operator<(const NonceToken& other) const {
+    return std::tie(high_, low_) < std::tie(other.high_, other.low_);
+  }
+
+  bool operator==(const NonceToken& other) const {
+    // Based on crypto::SecureMemEqual().
+    // See crypto::SecureMemEqual()'s comments for more context.

[danakj, 2016/09/16 01:21:55]

Thanks for this pointer.

+    return ((high_ ^ other.high_) | (low_ ^ other.low_)) == 0;
+  }
+
+  bool operator!=(const NonceToken& other) const { return !(*this == other); }
+
+ private:
+  friend struct NonceTokenHash;
+  NonceToken(uint64_t high, uint64_t low);
+
+  // Note: Two uint64_t are used instead of uint8_t[16], in order to have a
+  // simpler ToString() and is_empty().
+  uint64_t high_ = 0;
+  uint64_t low_ = 0;
+};
+
+// For use in std::unordered_map.
+struct NonceTokenHash {
+  size_t operator()(const base::NonceToken& nonce) const {
+    DCHECK(nonce);
+    return base::HashInts64(nonce.high_, nonce.low_);
+  }
+};
+
+}  // namespace base
+
+#endif  // BASE_NONCE_TOKEN_H_