Landing Recent QUIC changes until 5:30 PM, Feb 3, 2017 UTC-5

net/quic/core/crypto/quic_crypto_server_config.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/core/crypto/quic_crypto_server_config.h"
 
 #include <stdlib.h>
 
 #include <algorithm>
 #include <memory>
 
 #include "base/macros.h"
 #include "crypto/hkdf.h"
-#include "crypto/secure_hash.h"
 #include "net/quic/core/crypto/aes_128_gcm_12_decrypter.h"
 #include "net/quic/core/crypto/aes_128_gcm_12_encrypter.h"
 #include "net/quic/core/crypto/cert_compressor.h"
 #include "net/quic/core/crypto/chacha20_poly1305_encrypter.h"
 #include "net/quic/core/crypto/channel_id.h"
 #include "net/quic/core/crypto/crypto_framer.h"
 #include "net/quic/core/crypto/crypto_handshake_message.h"
 #include "net/quic/core/crypto/crypto_server_config_protobuf.h"
 #include "net/quic/core/crypto/crypto_utils.h"
 #include "net/quic/core/crypto/curve25519_key_exchange.h"
 #include "net/quic/core/crypto/ephemeral_key_source.h"
 #include "net/quic/core/crypto/key_exchange.h"
 #include "net/quic/core/crypto/p256_key_exchange.h"
 #include "net/quic/core/crypto/proof_source.h"
 #include "net/quic/core/crypto/quic_decrypter.h"
 #include "net/quic/core/crypto/quic_encrypter.h"
 #include "net/quic/core/crypto/quic_random.h"
 #include "net/quic/core/proto/source_address_token.pb.h"
 #include "net/quic/core/quic_flags.h"
 #include "net/quic/core/quic_packets.h"
 #include "net/quic/core/quic_socket_address_coder.h"
 #include "net/quic/core/quic_utils.h"
 #include "net/quic/platform/api/quic_bug_tracker.h"
 #include "net/quic/platform/api/quic_clock.h"
 #include "net/quic/platform/api/quic_logging.h"
 #include "net/quic/platform/api/quic_reference_counted.h"
 #include "net/quic/platform/api/quic_text_utils.h"
 #include "net/quic/platform/api/quic_url_utils.h"
+#include "third_party/boringssl/src/include/openssl/sha.h"
 
 using base::StringPiece;
 using std::string;
 
 namespace net {
 
 namespace {
 
 // kMultiplier is the multiple of the CHLO message size that a REJ message
 // must stay under when the client doesn't present a valid source-address
 // token. This is used to protect QUIC from amplification attacks.
 // TODO(rch): Reduce this to 2 again once b/25933682 is fixed.
 const size_t kMultiplier = 3;
 
 const int kMaxTokenAddresses = 4;
 
 string DeriveSourceAddressTokenKey(StringPiece source_address_token_secret) {
   crypto::HKDF hkdf(source_address_token_secret, StringPiece() /* no salt */,
                     "QUIC source address token key",
                     CryptoSecretBoxer::GetKeySize(), 0 /* no fixed IV needed */,
                     0 /* no subkey secret */);
   return hkdf.server_write_key().as_string();
 }
 
 }  // namespace
 
-using crypto::SecureHash;
-
 class ValidateClientHelloHelper {
  public:
   // Note: stores a pointer to a unique_ptr, and std::moves the unique_ptr when
   // ValidationComplete is called.
   ValidateClientHelloHelper(
       QuicReferenceCountedPointer<ValidateClientHelloResultCallback::Result>
           result,
       std::unique_ptr<ValidateClientHelloResultCallback>* done_cb)
       : result_(std::move(result)), done_cb_(done_cb) {}
 
@@ skipping 176 matching lines @@
 
   if (!options.token_binding_params.empty()) {
     msg.SetVector(kTBKP, options.token_binding_params);
   }
 
   if (options.id.empty()) {
     // We need to ensure that the SCID changes whenever the server config does
     // thus we make it a hash of the rest of the server config.
     std::unique_ptr<QuicData> serialized(
         CryptoFramer::ConstructHandshakeMessage(msg));
-    std::unique_ptr<SecureHash> hash(SecureHash::Create(SecureHash::SHA256));
-    hash->Update(serialized->data(), serialized->length());
 
-    char scid_bytes[16];
-    hash->Finish(scid_bytes, sizeof(scid_bytes));
-    msg.SetStringPiece(kSCID, StringPiece(scid_bytes, sizeof(scid_bytes)));
+    uint8_t scid_bytes[SHA256_DIGEST_LENGTH];
+    SHA256(reinterpret_cast<const uint8_t*>(serialized->data()),
+           serialized->length(), scid_bytes);
+    // The SCID is a truncated SHA-256 digest.
+    static_assert(16 <= SHA256_DIGEST_LENGTH, "SCID length too high.");
+    msg.SetStringPiece(
+        kSCID, StringPiece(reinterpret_cast<const char*>(scid_bytes), 16));
   } else {
     msg.SetStringPiece(kSCID, options.id);
   }
   // Don't put new tags below this point. The SCID generation should hash over
   // everything but itself and so extra tags should be added prior to the
   // preceding if block.
 
   std::unique_ptr<QuicData> serialized(
       CryptoFramer::ConstructHandshakeMessage(msg));
 
@@ skipping 408 matching lines @@
   CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
 
   // No need to get a new proof if one was already generated.
   if (!signed_config->chain) {
     const QuicTag* tag_ptr;
     size_t num_tags;
     QuicTagVector connection_options;
     if (client_hello.GetTaglist(kCOPT, &tag_ptr, &num_tags) == QUIC_NO_ERROR) {
       connection_options.assign(tag_ptr, tag_ptr + num_tags);
     }
-    if (FLAGS_quic_reloadable_flag_enable_async_get_proof) {
-      std::unique_ptr<ProcessClientHelloCallback> cb(
-          new ProcessClientHelloCallback(
-              this, validate_chlo_result, reject_only, connection_id,
-              client_address, version, supported_versions,
-              use_stateless_rejects, server_designated_connection_id, clock,
-              rand, compressed_certs_cache, params, signed_config,
-              total_framing_overhead, chlo_packet_size, requested_config,
-              primary_config, std::move(done_cb)));
-      proof_source_->GetProof(server_address, info.sni.as_string(),
-                              primary_config->serialized, version, chlo_hash,
-                              connection_options, std::move(cb));
-      helper.DetachCallback();
-      return;
-    }
-
-    QuicCryptoProof proof;
-    if (!proof_source_->GetProof(server_address, info.sni.as_string(),
-                                 primary_config->serialized, version, chlo_hash,
-                                 connection_options, &signed_config->chain,
-                                 &proof)) {
-      helper.Fail(QUIC_HANDSHAKE_FAILED, "Missing or invalid crypto proof.");
-      return;
-    }
-    signed_config->proof = proof;
+    std::unique_ptr<ProcessClientHelloCallback> cb(
+        new ProcessClientHelloCallback(
+            this, validate_chlo_result, reject_only, connection_id,
+            client_address, version, supported_versions, use_stateless_rejects,
+            server_designated_connection_id, clock, rand,
+            compressed_certs_cache, params, signed_config,
+            total_framing_overhead, chlo_packet_size, requested_config,
+            primary_config, std::move(done_cb)));
+    proof_source_->GetProof(server_address, info.sni.as_string(),
+                            primary_config->serialized, version, chlo_hash,
+                            connection_options, std::move(cb));
+    helper.DetachCallback();
+    return;
   }
 
   helper.DetachCallback();
   ProcessClientHelloAfterGetProof(
       /* found_error = */ false, /* proof_source_details = */ nullptr,
       *validate_chlo_result, reject_only, connection_id, client_address,
       version, supported_versions, use_stateless_rejects,
       server_designated_connection_id, clock, rand, compressed_certs_cache,
       params, signed_config, total_framing_overhead, chlo_packet_size,
       requested_config, primary_config, std::move(done_cb));
@@ skipping 164 matching lines @@
                                  CryptoUtils::Diversification::Never(),
                                  &crypters, nullptr /* subkey secret */)) {
       helper.Fail(QUIC_CRYPTO_SYMMETRIC_KEY_SETUP_FAILED,
                   "Symmetric key setup failed");
       return;
     }
 
     char plaintext[kMaxPacketSize];
     size_t plaintext_length = 0;
     const bool success = crypters.decrypter->DecryptPacket(
-        QUIC_VERSION_35, kDefaultPathId, 0 /* packet number */,
+        QUIC_VERSION_35, 0 /* packet number */,
         StringPiece() /* associated data */, cetv_ciphertext, plaintext,
         &plaintext_length, kMaxPacketSize);
     if (!success) {
       helper.Fail(QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER,
                   "CETV decryption failure");
       return;
     }
     std::unique_ptr<CryptoHandshakeMessage> cetv(
         CryptoFramer::ParseMessage(StringPiece(plaintext, plaintext_length)));
     if (!cetv.get()) {
@@ skipping 347 matching lines @@
   string chlo_hash;
   CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
   bool need_proof = true;
   need_proof = !signed_config->chain;
   const QuicTag* tag_ptr;
   size_t num_tags;
   QuicTagVector connection_options;
   if (client_hello.GetTaglist(kCOPT, &tag_ptr, &num_tags) == QUIC_NO_ERROR) {
     connection_options.assign(tag_ptr, tag_ptr + num_tags);
   }
-  if (FLAGS_quic_reloadable_flag_enable_async_get_proof) {
-    if (need_proof) {
-      // Make an async call to GetProof and setup the callback to trampoline
-      // back into EvaluateClientHelloAfterGetProof
-      std::unique_ptr<EvaluateClientHelloCallback> cb(
-          new EvaluateClientHelloCallback(
-              *this, found_error, server_address.host(), version,
-              requested_config, primary_config, signed_config,
-              client_hello_state, std::move(done_cb)));
-      proof_source_->GetProof(server_address, info->sni.as_string(),
-                              serialized_config, version, chlo_hash,
-                              connection_options, std::move(cb));
-      helper.DetachCallback();
-      return;
-    }
-  }
 
-  // No need to get a new proof if one was already generated.
   if (need_proof) {
-    QuicCryptoProof proof;
-
-    if (proof_source_->GetProof(
-            server_address, info->sni.as_string(), serialized_config, version,
-            chlo_hash, connection_options, &signed_config->chain, &proof)) {
-      signed_config->proof = proof;
-    } else {
-      get_proof_failed = true;
-    }
+    // Make an async call to GetProof and setup the callback to trampoline
+    // back into EvaluateClientHelloAfterGetProof
+    std::unique_ptr<EvaluateClientHelloCallback> cb(
+        new EvaluateClientHelloCallback(
+            *this, found_error, server_address.host(), version,
+            requested_config, primary_config, signed_config, client_hello_state,
+            std::move(done_cb)));
+    proof_source_->GetProof(server_address, info->sni.as_string(),
+                            serialized_config, version, chlo_hash,
+                            connection_options, std::move(cb));
+    helper.DetachCallback();
+    return;
   }
 
   // Details are null because the synchronous version of GetProof does not
   // return any stats.  Eventually the synchronous codepath will be eliminated.
   EvaluateClientHelloAfterGetProof(
       found_error, server_address.host(), version, requested_config,
       primary_config, signed_config, nullptr /* proof_source_details */,
       get_proof_failed, client_hello_state, std::move(done_cb));
   helper.DetachCallback();
 }
@@ skipping 38 matching lines @@
   QUIC_DVLOG(1) << "No 0-RTT replay protection in QUIC_VERSION_33 and higher.";
   // If the server nonce is empty and we're requiring handshake confirmation
   // for DoS reasons then we must reject the CHLO.
   if (FLAGS_quic_reloadable_flag_quic_require_handshake_confirmation &&
       info->server_nonce.empty()) {
     info->reject_reasons.push_back(SERVER_NONCE_REQUIRED_FAILURE);
   }
   helper.ValidationComplete(QUIC_NO_ERROR, "", std::move(proof_source_details));
 }
 
-bool QuicCryptoServerConfig::BuildServerConfigUpdateMessage(
-    QuicVersion version,
-    StringPiece chlo_hash,
-    const SourceAddressTokens& previous_source_address_tokens,
-    const QuicSocketAddress& server_address,
-    const QuicIpAddress& client_ip,
-    const QuicClock* clock,
-    QuicRandom* rand,
-    QuicCompressedCertsCache* compressed_certs_cache,
-    const QuicCryptoNegotiatedParameters& params,
-    const CachedNetworkParameters* cached_network_params,
-    const QuicTagVector& connection_options,
-    CryptoHandshakeMessage* out) const {
-  string serialized;
-  string source_address_token;
-  QuicWallTime expiry_time = QuicWallTime::Zero();
-  const CommonCertSets* common_cert_sets;
-  {
-    QuicReaderMutexLock locked(&configs_lock_);
-    serialized = primary_config_->serialized;
-    common_cert_sets = primary_config_->common_cert_sets;
-    expiry_time = primary_config_->expiry_time;
-    source_address_token = NewSourceAddressToken(
-        *primary_config_, previous_source_address_tokens, client_ip, rand,
-        clock->WallNow(), cached_network_params);
-  }
-
-  out->set_tag(kSCUP);
-  out->SetStringPiece(kSCFG, serialized);
-  out->SetStringPiece(kSourceAddressTokenTag, source_address_token);
-  out->SetValue(kSTTL,
-                expiry_time.AbsoluteDifference(clock->WallNow()).ToSeconds());
-
-  QuicReferenceCountedPointer<ProofSource::Chain> chain;
-  QuicCryptoProof proof;
-  if (!proof_source_->GetProof(server_address, params.sni, serialized, version,
-                               chlo_hash, connection_options, &chain, &proof)) {
-    QUIC_DVLOG(1) << "Server: failed to get proof.";
-    return false;
-  }
-
-  const string compressed = CompressChain(
-      compressed_certs_cache, chain, params.client_common_set_hashes,
-      params.client_cached_cert_hashes, common_cert_sets);
-
-  out->SetStringPiece(kCertificateTag, compressed);
-  out->SetStringPiece(kPROF, proof.signature);
-  if (params.sct_supported_by_client && enable_serving_sct_) {
-    if (proof.leaf_cert_scts.empty()) {
-      QUIC_LOG_EVERY_N_SEC(WARNING, 60)
-          << "SCT is expected but it is empty.  sni: " << params.sni
-          << " server_address: " << server_address.ToString();
-    } else {
-      out->SetStringPiece(kCertificateSCTTag, proof.leaf_cert_scts);
-    }
-  }
-  return true;
-}
-
 void QuicCryptoServerConfig::BuildServerConfigUpdateMessage(
     QuicVersion version,
     StringPiece chlo_hash,
     const SourceAddressTokens& previous_source_address_tokens,
     const QuicSocketAddress& server_address,
     const QuicIpAddress& client_ip,
     const QuicClock* clock,
     QuicRandom* rand,
     QuicCompressedCertsCache* compressed_certs_cache,
     const QuicCryptoNegotiatedParameters& params,
@@ skipping 603 matching lines @@
       expiry_time(QuicWallTime::Zero()),
       priority(0),
       source_address_token_boxer(nullptr) {}
 
 QuicCryptoServerConfig::Config::~Config() {}
 
 QuicSignedServerConfig::QuicSignedServerConfig() {}
 QuicSignedServerConfig::~QuicSignedServerConfig() {}
 
 }  // namespace net