Add a mechanism to scramble Mojo message IDs.

mojo/public/tools/bindings/mojom_bindings_generator.py

Index: mojo/public/tools/bindings/mojom_bindings_generator.py
diff --git a/mojo/public/tools/bindings/mojom_bindings_generator.py b/mojo/public/tools/bindings/mojom_bindings_generator.py
index a9650d77640776f4fa9e0814236fee5b22a7e98b..69190f4f477001fbbdd146c8d90535d1c2bb3253 100755
--- a/mojo/public/tools/bindings/mojom_bindings_generator.py
+++ b/mojo/public/tools/bindings/mojom_bindings_generator.py
@@ -7,11 +7,13 @@
 
 
 import argparse
+import hashlib
 import imp
 import json
 import os
 import pprint
 import re
+import struct
 import sys
 
 # Disable lint check for finding modules:
@@ -100,6 +102,38 @@ def FindImportFile(rel_dir, file_name, search_rel_dirs):
                       rel_dir.source_root)
 
 
+def ScrambleMethodOrdinals(interfaces, seed):
+  already_generated = set()
+  for interface in interfaces:
+    i = 0
+    already_generated.clear()
+    for method in interface.methods:
+      while True:
+        i = i + 1
+        if i == 1000000:
+          raise Exception("Could not generate %d method ordinals for %s" %
+              (len(interface.methods), interface.name))
+        # Generate a scrambled method.ordinal value. The algorithm doesn't have
+        # to be very strong, cryptographically. It just needs to be non-trivial
+        # to guess the results without the secret seed, in order to make it
+        # harder for a compromised renderer process to send fake Mojo messages.

[yzshen1, 2017/04/20 17:21:49]

Nit: please remove "renderer". There are many kinds of processes and this is not
a problem specific to renderers.

[nigeltao1, 2017/04/20 23:39:13]

Done.

+        s = hashlib.sha256(seed)

[yzshen1, 2017/04/20 17:21:49]

Nit: please use a more descriptive variable name than "s".

[nigeltao1, 2017/04/20 23:39:13]

Done.

+        s.update(interface.name)
+        s.update(str(i))
+        # Take the first 4 bytes as a little-endian uint32.
+        ordinal = struct.unpack('<L', s.digest()[:4])[0]
+        # Trim to 31 bits, so it always fits into a Java (signed) int.
+        ordinal = ordinal & 0x7fffffff
+        if ordinal in already_generated:
+          continue
+        already_generated.add(ordinal)
+        method.ordinal = ordinal
+        method.ordinal_comment = (
+            'The %s value is based on sha256(seed + "%s%d").' %
+            (ordinal, interface.name, i))
+        break
+
+
 class MojomProcessor(object):
   """Parses mojom files and creates ASTs for them.
 
@@ -154,6 +188,9 @@ class MojomProcessor(object):
 
     module = translate.OrderedModule(tree, name, imports)
 
+    if args.scrambled_message_id_seed:
+      ScrambleMethodOrdinals(module.interfaces, args.scrambled_message_id_seed)
+
     # Set the path as relative to the source root.
     module.path = rel_filename.relative_path()
 
@@ -319,6 +356,9 @@ def main():
   generate_parser.add_argument(
       "--depfile_target", type=str,
       help="The target name to use in the depfile.")
+  generate_parser.add_argument(
+      "--scrambled_message_id_seed", type=str,

[M-A Ruel, 2017/04/20 08:31:45]

type=str is the default, so not needed.

Technically speaking, this is a salt, not a seed, so please rename.
https://en.wikipedia.org/wiki/Salt_(cryptography)

[nigeltao1, 2017/04/20 23:39:13]

There's other unnecessary uses of "type=str" in this file, so I'll clean this
all up in a follow-up CL.
Done.

+      help="If non-empty, the seed for generating scrambled message IDs.")
   generate_parser.set_defaults(func=_Generate)
 
   precompile_parser = subparsers.add_parser("precompile",