search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge Chromium + Blink git repositories
[chromium-blink-merge.git] / net / quic / crypto / crypto_utils.cc
blob0916474f215719459d5f4b9dca8b59a0f6e62035
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/quic/crypto/crypto_utils.h"
6
7 #include "crypto/hkdf.h"
8 #include "net/base/net_util.h"
9 #include "net/quic/crypto/crypto_handshake.h"
10 #include "net/quic/crypto/crypto_protocol.h"
11 #include "net/quic/crypto/quic_decrypter.h"
12 #include "net/quic/crypto/quic_encrypter.h"
13 #include "net/quic/crypto/quic_random.h"
14 #include "net/quic/quic_time.h"
15 #include "url/url_canon.h"
16
17 using base::StringPiece;
18 using std::numeric_limits;
19 using std::string;
20
21 namespace net {
22
23 // static
24 void CryptoUtils::GenerateNonce(QuicWallTime now,
25 QuicRandom* random_generator,
26 StringPiece orbit,
27 string* nonce) {
28 // a 4-byte timestamp + 28 random bytes.
29 nonce->reserve(kNonceSize);
30 nonce->resize(kNonceSize);
31
32 uint32 gmt_unix_time = static_cast<uint32>(now.ToUNIXSeconds());
33 // The time in the nonce must be encoded in big-endian because the
34 // strike-register depends on the nonces being ordered by time.
35 (*nonce)[0] = static_cast<char>(gmt_unix_time >> 24);
36 (*nonce)[1] = static_cast<char>(gmt_unix_time >> 16);
37 (*nonce)[2] = static_cast<char>(gmt_unix_time >> 8);
38 (*nonce)[3] = static_cast<char>(gmt_unix_time);
39 size_t bytes_written = 4;
40
41 if (orbit.size() == 8) {
42 memcpy(&(*nonce)[bytes_written], orbit.data(), orbit.size());
43 bytes_written += orbit.size();
44 }
45
46 random_generator->RandBytes(&(*nonce)[bytes_written],
47 kNonceSize - bytes_written);
48 }
49
50 // static
51 bool CryptoUtils::IsValidSNI(StringPiece sni) {
52 // TODO(rtenneti): Support RFC2396 hostname.
53 // NOTE: Microsoft does NOT enforce this spec, so if we throw away hostnames
54 // based on the above spec, we may be losing some hostnames that windows
55 // would consider valid. By far the most common hostname character NOT
56 // accepted by the above spec is '_'.
57 url::CanonHostInfo host_info;
58 string canonicalized_host(CanonicalizeHost(sni.as_string(), &host_info));
59 return !host_info.IsIPAddress() &&
60 IsCanonicalizedHostCompliant(canonicalized_host) &&
61 sni.find_last_of('.') != string::npos;
62 }
63
64 // static
65 string CryptoUtils::NormalizeHostname(const char* hostname) {
66 url::CanonHostInfo host_info;
67 string host(CanonicalizeHost(hostname, &host_info));
68
69 // Walk backwards over the string, stopping at the first trailing dot.
70 size_t host_end = host.length();
71 while (host_end != 0 && host[host_end - 1] == '.') {
72 host_end--;
73 }
74
75 // Erase the trailing dots.
76 if (host_end != host.length()) {
77 host.erase(host_end, host.length() - host_end);
78 }
79 return host;
80 }
81
82 // static
83 bool CryptoUtils::DeriveKeys(StringPiece premaster_secret,
84 QuicTag aead,
85 StringPiece client_nonce,
86 StringPiece server_nonce,
87 const string& hkdf_input,
88 Perspective perspective,
89 CrypterPair* crypters,
90 string* subkey_secret) {
91 crypters->encrypter.reset(QuicEncrypter::Create(aead));
92 crypters->decrypter.reset(QuicDecrypter::Create(aead));
93 size_t key_bytes = crypters->encrypter->GetKeySize();
94 size_t nonce_prefix_bytes = crypters->encrypter->GetNoncePrefixSize();
95 size_t subkey_secret_bytes =
96 subkey_secret == nullptr ? 0 : premaster_secret.length();
97
98 StringPiece nonce = client_nonce;
99 string nonce_storage;
100 if (!server_nonce.empty()) {
101 nonce_storage = client_nonce.as_string() + server_nonce.as_string();
102 nonce = nonce_storage;
103 }
104
105 crypto::HKDF hkdf(premaster_secret, nonce, hkdf_input, key_bytes,
106 nonce_prefix_bytes, subkey_secret_bytes);
107 if (perspective == Perspective::IS_SERVER) {
108 if (!crypters->encrypter->SetKey(hkdf.server_write_key()) ||
109 !crypters->encrypter->SetNoncePrefix(hkdf.server_write_iv()) ||
110 !crypters->decrypter->SetKey(hkdf.client_write_key()) ||
111 !crypters->decrypter->SetNoncePrefix(hkdf.client_write_iv())) {
112 return false;
113 }
114 } else {
115 if (!crypters->encrypter->SetKey(hkdf.client_write_key()) ||
116 !crypters->encrypter->SetNoncePrefix(hkdf.client_write_iv()) ||
117 !crypters->decrypter->SetKey(hkdf.server_write_key()) ||
118 !crypters->decrypter->SetNoncePrefix(hkdf.server_write_iv())) {
119 return false;
120 }
121 }
122 if (subkey_secret != nullptr) {
123 hkdf.subkey_secret().CopyToString(subkey_secret);
124 }
125
126 return true;
127 }
128
129 // static
130 bool CryptoUtils::ExportKeyingMaterial(StringPiece subkey_secret,
131 StringPiece label,
132 StringPiece context,
133 size_t result_len,
134 string* result) {
135 for (size_t i = 0; i < label.length(); i++) {
136 if (label[i] == '\0') {
137 LOG(ERROR) << "ExportKeyingMaterial label may not contain NULs";
138 return false;
139 }
140 }
141 // Create HKDF info input: null-terminated label + length-prefixed context
142 if (context.length() >= numeric_limits<uint32>::max()) {
143 LOG(ERROR) << "Context value longer than 2^32";
144 return false;
145 }
146 uint32 context_length = static_cast<uint32>(context.length());
147 string info = label.as_string();
148 info.push_back('\0');
149 info.append(reinterpret_cast<char*>(&context_length), sizeof(context_length));
150 info.append(context.data(), context.length());
151
152 crypto::HKDF hkdf(subkey_secret,
153 StringPiece() /* no salt */,
154 info,
155 result_len,
156 0 /* no fixed IV */,
157 0 /* no subkey secret */);
158 hkdf.client_write_key().CopyToString(result);
159 return true;
160 }
161
162 } // namespace net