src/net/quic/crypto/crypto_utils.cc

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/quic/crypto/crypto_utils.h"
   6
   7 #include "crypto/hkdf.h"
   8 #include "net/base/net_util.h"
   9 #include "net/quic/crypto/crypto_handshake.h"
  10 #include "net/quic/crypto/crypto_protocol.h"
  11 #include "net/quic/crypto/quic_decrypter.h"
  12 #include "net/quic/crypto/quic_encrypter.h"
  13 #include "net/quic/crypto/quic_random.h"
  14 #include "net/quic/quic_time.h"
  15 #include "url/url_canon.h"
  16
  17 using base::StringPiece;
  18 using std::numeric_limits;
  19 using std::string;
  20
  21 namespace net {
  22
  23 // static
  24 void CryptoUtils::GenerateNonce(QuicWallTime now,
  25                                 QuicRandom* random_generator,
  26                                 StringPiece orbit,
  27                                 string* nonce) {
  28   // a 4-byte timestamp + 28 random bytes.
  29   nonce->reserve(kNonceSize);
  30   nonce->resize(kNonceSize);
  31   uint32 gmt_unix_time = now.ToUNIXSeconds();
  32   // The time in the nonce must be encoded in big-endian because the
  33   // strike-register depends on the nonces being ordered by time.
  34   (*nonce)[0] = static_cast<char>(gmt_unix_time >> 24);
  35   (*nonce)[1] = static_cast<char>(gmt_unix_time >> 16);
  36   (*nonce)[2] = static_cast<char>(gmt_unix_time >> 8);
  37   (*nonce)[3] = static_cast<char>(gmt_unix_time);
  38
  39   size_t bytes_written = sizeof(gmt_unix_time);
  40   if (orbit.size() == 8) {
  41     memcpy(&(*nonce)[bytes_written], orbit.data(), orbit.size());
  42     bytes_written += orbit.size();
  43   }
  44   random_generator->RandBytes(&(*nonce)[bytes_written],
  45                               kNonceSize - bytes_written);
  46 }
  47
  48 // static
  49 bool CryptoUtils::IsValidSNI(StringPiece sni) {
  50   // TODO(rtenneti): Support RFC2396 hostname.
  51   // NOTE: Microsoft does NOT enforce this spec, so if we throw away hostnames
  52   // based on the above spec, we may be losing some hostnames that windows
  53   // would consider valid. By far the most common hostname character NOT
  54   // accepted by the above spec is '_'.
  55   url::CanonHostInfo host_info;
  56   string canonicalized_host(CanonicalizeHost(sni.as_string(), &host_info));
  57   return !host_info.IsIPAddress() &&
  58       IsCanonicalizedHostCompliant(canonicalized_host, std::string()) &&
  59       sni.find_last_of('.') != string::npos;
  60 }
  61
  62 // static
  63 string CryptoUtils::NormalizeHostname(const char* hostname) {
  64   url::CanonHostInfo host_info;
  65   string host(CanonicalizeHost(hostname, &host_info));
  66
  67   // Walk backwards over the string, stopping at the first trailing dot.
  68   size_t host_end = host.length();
  69   while (host_end != 0 && host[host_end - 1] == '.') {
  70     host_end--;
  71   }
  72
  73   // Erase the trailing dots.
  74   if (host_end != host.length()) {
  75     host.erase(host_end, host.length() - host_end);
  76   }
  77   return host;
  78 }
  79
  80 // static
  81 bool CryptoUtils::DeriveKeys(StringPiece premaster_secret,
  82                              QuicTag aead,
  83                              StringPiece client_nonce,
  84                              StringPiece server_nonce,
  85                              const string& hkdf_input,
  86                              Perspective perspective,
  87                              CrypterPair* crypters,
  88                              string* subkey_secret) {
  89   crypters->encrypter.reset(QuicEncrypter::Create(aead));
  90   crypters->decrypter.reset(QuicDecrypter::Create(aead));
  91   size_t key_bytes = crypters->encrypter->GetKeySize();
  92   size_t nonce_prefix_bytes = crypters->encrypter->GetNoncePrefixSize();
  93   size_t subkey_secret_bytes =
  94       subkey_secret == NULL ? 0 : premaster_secret.length();
  95
  96   StringPiece nonce = client_nonce;
  97   string nonce_storage;
  98   if (!server_nonce.empty()) {
  99     nonce_storage = client_nonce.as_string() + server_nonce.as_string();
 100     nonce = nonce_storage;
 101   }
 102
 103   crypto::HKDF hkdf(premaster_secret, nonce, hkdf_input, key_bytes,
 104                     nonce_prefix_bytes, subkey_secret_bytes);
 105   if (perspective == SERVER) {
 106     if (!crypters->encrypter->SetKey(hkdf.server_write_key()) ||
 107         !crypters->encrypter->SetNoncePrefix(hkdf.server_write_iv()) ||
 108         !crypters->decrypter->SetKey(hkdf.client_write_key()) ||
 109         !crypters->decrypter->SetNoncePrefix(hkdf.client_write_iv())) {
 110       return false;
 111     }
 112   } else {
 113     if (!crypters->encrypter->SetKey(hkdf.client_write_key()) ||
 114         !crypters->encrypter->SetNoncePrefix(hkdf.client_write_iv()) ||
 115         !crypters->decrypter->SetKey(hkdf.server_write_key()) ||
 116         !crypters->decrypter->SetNoncePrefix(hkdf.server_write_iv())) {
 117       return false;
 118     }
 119   }
 120   if (subkey_secret != NULL) {
 121     hkdf.subkey_secret().CopyToString(subkey_secret);
 122   }
 123
 124   return true;
 125 }
 126
 127 // static
 128 bool CryptoUtils::ExportKeyingMaterial(StringPiece subkey_secret,
 129                                        StringPiece label,
 130                                        StringPiece context,
 131                                        size_t result_len,
 132                                        string* result) {
 133   for (size_t i = 0; i < label.length(); i++) {
 134     if (label[i] == '\0') {
 135       LOG(ERROR) << "ExportKeyingMaterial label may not contain NULs";
 136       return false;
 137     }
 138   }
 139   // Create HKDF info input: null-terminated label + length-prefixed context
 140   if (context.length() >= numeric_limits<uint32>::max()) {
 141     LOG(ERROR) << "Context value longer than 2^32";
 142     return false;
 143   }
 144   uint32 context_length = static_cast<uint32>(context.length());
 145   string info = label.as_string();
 146   info.push_back('\0');
 147   info.append(reinterpret_cast<char*>(&context_length), sizeof(context_length));
 148   info.append(context.data(), context.length());
 149
 150   crypto::HKDF hkdf(subkey_secret,
 151                     StringPiece() /* no salt */,
 152                     info,
 153                     result_len,
 154                     0 /* no fixed IV */,
 155                     0 /* no subkey secret */);
 156   hkdf.client_write_key().CopyToString(result);
 157   return true;
 158 }
 159
 160 }  // namespace net