Update to draft-ietf-httpbis-unprompted-auth-07 Draft 07 renamed Signature auth to Concealed auth, and changed a few constants. This CL reflects that change in the codebase. Not flag protected because this code is not used in production. PiperOrigin-RevId: 645053135
diff --git a/quiche/quic/masque/masque_client_bin.cc b/quiche/quic/masque/masque_client_bin.cc index ac350b5..442ce58 100644 --- a/quiche/quic/masque/masque_client_bin.cc +++ b/quiche/quic/masque/masque_client_bin.cc
@@ -63,8 +63,8 @@ "For example: \"name1:value1;name2:value2\"."); DEFINE_QUICHE_COMMAND_LINE_FLAG( - std::string, signature_auth, "", - "Enables HTTP Signature Authentication. Pass in the string \"new\" to " + std::string, concealed_auth, "", + "Enables HTTP Concealed Authentication. Pass in the string \"new\" to " "generate new keys. Otherwise, pass in the key ID in ASCII followed by a " "colon and the 32-byte private key as hex. For example: \"kid:0123...f\"."); @@ -255,49 +255,49 @@ std::vector<std::string> urls = quiche::QuicheParseCommandLineFlags(usage, argc, argv); - std::string signature_auth_param = - quiche::GetQuicheCommandLineFlag(FLAGS_signature_auth); - std::string signature_auth_key_id; - std::string signature_auth_private_key; - std::string signature_auth_public_key; - if (!signature_auth_param.empty()) { + std::string concealed_auth_param = + quiche::GetQuicheCommandLineFlag(FLAGS_concealed_auth); + std::string concealed_auth_key_id; + std::string concealed_auth_private_key; + std::string concealed_auth_public_key; + if (!concealed_auth_param.empty()) { static constexpr size_t kEd25519Rfc8032PrivateKeySize = 32; uint8_t public_key[ED25519_PUBLIC_KEY_LEN]; uint8_t private_key[ED25519_PRIVATE_KEY_LEN]; - const bool is_new_key_pair = signature_auth_param == "new"; + const bool is_new_key_pair = concealed_auth_param == "new"; if (is_new_key_pair) { ED25519_keypair(public_key, private_key); - QUIC_LOG(INFO) << "Generated new Signature Authentication key pair"; + QUIC_LOG(INFO) << "Generated new Concealed Authentication key pair"; } else { - std::vector<absl::string_view> signature_auth_param_split = - absl::StrSplit(signature_auth_param, absl::MaxSplits(':', 1)); + std::vector<absl::string_view> concealed_auth_param_split = + absl::StrSplit(concealed_auth_param, absl::MaxSplits(':', 1)); std::string private_key_seed; - if (signature_auth_param_split.size() != 2) { + if (concealed_auth_param_split.size() != 2) { QUIC_LOG(ERROR) - << "Signature authentication parameter is missing a colon"; + << "Concealed authentication parameter is missing a colon"; return 1; } - signature_auth_key_id = signature_auth_param_split[0]; - if (signature_auth_key_id.empty()) { - QUIC_LOG(ERROR) << "Signature authentication key ID cannot be empty"; + concealed_auth_key_id = concealed_auth_param_split[0]; + if (concealed_auth_key_id.empty()) { + QUIC_LOG(ERROR) << "Concealed authentication key ID cannot be empty"; return 1; } - if (!absl::HexStringToBytes(signature_auth_param_split[1], + if (!absl::HexStringToBytes(concealed_auth_param_split[1], &private_key_seed)) { - QUIC_LOG(ERROR) << "Signature authentication key hex value is invalid"; + QUIC_LOG(ERROR) << "Concealed authentication key hex value is invalid"; return 1; } if (private_key_seed.size() != kEd25519Rfc8032PrivateKeySize) { QUIC_LOG(ERROR) - << "Invalid signature authentication private key length " + << "Invalid Concealed authentication private key length " << private_key_seed.size(); return 1; } ED25519_keypair_from_seed( public_key, private_key, reinterpret_cast<uint8_t*>(private_key_seed.data())); - QUIC_LOG(INFO) << "Loaded Signature Authentication key pair"; + QUIC_LOG(INFO) << "Loaded Concealed Authentication key pair"; } // Note that Ed25519 private keys are 32 bytes long per RFC 8032. However, // to reduce CPU costs, BoringSSL represents private keys in memory as the @@ -307,7 +307,7 @@ // RFC 8032 private key because BoringSSL does not provide a supported way // to access it. This is required to allow us to print the private key in a // format that can be passed back in to BoringSSL from the command-line. See - // curve25519.h for details. The rest of our signature authentication code + // curve25519.h for details. The rest of our concealed authentication code // uses the BoringSSL representation without relying on this implementation // detail. static_assert(kEd25519Rfc8032PrivateKeySize <= @@ -318,7 +318,7 @@ std::string public_key_hexstr = absl::BytesToHexString(absl::string_view( reinterpret_cast<char*>(public_key), ED25519_PUBLIC_KEY_LEN)); if (is_new_key_pair) { - std::cout << "Generated new Signature Authentication key pair." + std::cout << "Generated new Concealed Authentication key pair." << std::endl; std::cout << "Private key: " << private_key_hexstr << std::endl; std::cout << "Public key: " << public_key_hexstr << std::endl; @@ -326,9 +326,9 @@ } QUIC_LOG(INFO) << "Private key: " << private_key_hexstr; QUIC_LOG(INFO) << "Public key: " << public_key_hexstr; - signature_auth_private_key = std::string( + concealed_auth_private_key = std::string( reinterpret_cast<char*>(private_key), ED25519_PRIVATE_KEY_LEN); - signature_auth_public_key = std::string(reinterpret_cast<char*>(public_key), + concealed_auth_public_key = std::string(reinterpret_cast<char*>(public_key), ED25519_PUBLIC_KEY_LEN); } @@ -430,10 +430,10 @@ masque_client->masque_client_session()->set_additional_headers( quiche::GetQuicheCommandLineFlag(FLAGS_proxy_headers)); - if (!signature_auth_param.empty()) { - masque_client->masque_client_session()->EnableSignatureAuth( - signature_auth_key_id, signature_auth_private_key, - signature_auth_public_key); + if (!concealed_auth_param.empty()) { + masque_client->masque_client_session()->EnableConcealedAuth( + concealed_auth_key_id, concealed_auth_private_key, + concealed_auth_public_key); } masque_clients.push_back(std::move(masque_client)); }
diff --git a/quiche/quic/masque/masque_client_session.cc b/quiche/quic/masque/masque_client_session.cc index 989f217..686c6d8 100644 --- a/quiche/quic/masque/masque_client_session.cc +++ b/quiche/quic/masque/masque_client_session.cc
@@ -721,7 +721,7 @@ fake_addresses_.erase(fake_address.ToPackedString()); } -void MasqueClientSession::EnableSignatureAuth(absl::string_view key_id, +void MasqueClientSession::EnableConcealedAuth(absl::string_view key_id, absl::string_view private_key, absl::string_view public_key) { QUICHE_CHECK(!key_id.empty()); @@ -729,9 +729,9 @@ static_cast<size_t>(ED25519_PRIVATE_KEY_LEN)); QUICHE_CHECK_EQ(public_key.size(), static_cast<size_t>(ED25519_PUBLIC_KEY_LEN)); - signature_auth_key_id_ = key_id; - signature_auth_private_key_ = private_key; - signature_auth_public_key_ = public_key; + concealed_auth_key_id_ = key_id; + concealed_auth_private_key_ = private_key; + concealed_auth_public_key_ = public_key; } QuicSpdyClientStream* MasqueClientSession::SendGetRequest( @@ -775,9 +775,9 @@ QUIC_DVLOG(1) << "Closing stream " << stream->id(); } -std::optional<std::string> MasqueClientSession::ComputeSignatureAuthHeader( +std::optional<std::string> MasqueClientSession::ComputeConcealedAuthHeader( const QuicUrl& url) { - if (signature_auth_private_key_.empty()) { + if (concealed_auth_private_key_.empty()) { return std::nullopt; } std::string scheme = url.scheme(); @@ -785,27 +785,27 @@ uint16_t port = url.port(); std::string realm = ""; std::string key_exporter_output; - std::string key_exporter_context = ComputeSignatureAuthContext( - kEd25519SignatureScheme, signature_auth_key_id_, - signature_auth_public_key_, scheme, host, port, realm); + std::string key_exporter_context = ComputeConcealedAuthContext( + kEd25519SignatureScheme, concealed_auth_key_id_, + concealed_auth_public_key_, scheme, host, port, realm); QUIC_DVLOG(1) << "key_exporter_context: " << absl::WebSafeBase64Escape(key_exporter_context); QUICHE_DCHECK(!key_exporter_context.empty()); if (!GetMutableCryptoStream()->ExportKeyingMaterial( - kSignatureAuthLabel, key_exporter_context, kSignatureAuthExporterSize, + kConcealedAuthLabel, key_exporter_context, kConcealedAuthExporterSize, &key_exporter_output)) { - QUIC_LOG(FATAL) << "Signature auth TLS exporter failed"; + QUIC_LOG(FATAL) << "Concealed auth TLS exporter failed"; return std::nullopt; } - QUICHE_CHECK_EQ(key_exporter_output.size(), kSignatureAuthExporterSize); + QUICHE_CHECK_EQ(key_exporter_output.size(), kConcealedAuthExporterSize); std::string signature_input = - key_exporter_output.substr(0, kSignatureAuthSignatureInputSize); + key_exporter_output.substr(0, kConcealedAuthSignatureInputSize); QUIC_DVLOG(1) << "signature_input: " << absl::WebSafeBase64Escape(signature_input); std::string verification = key_exporter_output.substr( - kSignatureAuthSignatureInputSize, kSignatureAuthVerificationSize); + kConcealedAuthSignatureInputSize, kConcealedAuthVerificationSize); std::string data_covered_by_signature = - SignatureAuthDataCoveredBySignature(signature_input); + ConcealedAuthDataCoveredBySignature(signature_input); QUIC_DVLOG(1) << "data_covered_by_signature: " << absl::WebSafeBase64Escape(data_covered_by_signature); uint8_t signature[ED25519_SIGNATURE_LEN]; @@ -814,13 +814,13 @@ reinterpret_cast<const uint8_t*>(data_covered_by_signature.data()), data_covered_by_signature.size(), reinterpret_cast<const uint8_t*>( - signature_auth_private_key_.data())) != 1) { - QUIC_LOG(FATAL) << "Signature auth signature failed"; + concealed_auth_private_key_.data())) != 1) { + QUIC_LOG(FATAL) << "Concealed auth signature failed"; return std::nullopt; } return absl::StrCat( - "Signature k=", absl::WebSafeBase64Escape(signature_auth_key_id_), - ", a=", absl::WebSafeBase64Escape(signature_auth_public_key_), ", p=", + "Concealed k=", absl::WebSafeBase64Escape(concealed_auth_key_id_), + ", a=", absl::WebSafeBase64Escape(concealed_auth_public_key_), ", p=", absl::WebSafeBase64Escape(absl::string_view( reinterpret_cast<const char*>(signature), sizeof(signature))), ", s=", kEd25519SignatureScheme, @@ -829,10 +829,10 @@ void MasqueClientSession::AddAdditionalHeaders(spdy::Http2HeaderBlock& headers, const QuicUrl& url) { - std::optional<std::string> signature_auth_header = - ComputeSignatureAuthHeader(url); - if (signature_auth_header.has_value()) { - headers["authorization"] = *signature_auth_header; + std::optional<std::string> concealed_auth_header = + ComputeConcealedAuthHeader(url); + if (concealed_auth_header.has_value()) { + headers["authorization"] = *concealed_auth_header; } if (additional_headers_.empty()) { return;
diff --git a/quiche/quic/masque/masque_client_session.h b/quiche/quic/masque/masque_client_session.h index 50617d6..173af35 100644 --- a/quiche/quic/masque/masque_client_session.h +++ b/quiche/quic/masque/masque_client_session.h
@@ -182,10 +182,10 @@ // QuicSpdyStream::Visitor void OnClose(QuicSpdyStream* stream) override; - // Set the signature auth key ID and private key. key_id MUST be non-empty, + // Set the concealed auth key ID and private key. key_id MUST be non-empty, // private_key MUST be ED25519_PRIVATE_KEY_LEN bytes long and public_key MUST // be ED25519_PUBLIC_KEY_LEN bytes long. - void EnableSignatureAuth(absl::string_view key_id, + void EnableConcealedAuth(absl::string_view key_id, absl::string_view private_key, absl::string_view public_key); @@ -328,16 +328,16 @@ const ConnectEthernetClientState* GetOrCreateConnectEthernetClientState( EncapsulatedEthernetSession* encapsulated_ethernet_session); - std::optional<std::string> ComputeSignatureAuthHeader(const QuicUrl& url); + std::optional<std::string> ComputeConcealedAuthHeader(const QuicUrl& url); void AddAdditionalHeaders(spdy::Http2HeaderBlock& headers, const QuicUrl& url); MasqueMode masque_mode_; std::string uri_template_; std::string additional_headers_; - std::string signature_auth_key_id_; - std::string signature_auth_private_key_; - std::string signature_auth_public_key_; + std::string concealed_auth_key_id_; + std::string concealed_auth_private_key_; + std::string concealed_auth_public_key_; std::list<ConnectUdpClientState> connect_udp_client_states_; std::list<ConnectIpClientState> connect_ip_client_states_; std::list<ConnectEthernetClientState> connect_ethernet_client_states_;
diff --git a/quiche/quic/masque/masque_server_backend.cc b/quiche/quic/masque/masque_server_backend.cc index 66ca13c..97a58e6 100644 --- a/quiche/quic/masque/masque_server_backend.cc +++ b/quiche/quic/masque/masque_server_backend.cc
@@ -64,7 +64,7 @@ protocol_pair->second != "connect-ip" && protocol_pair->second != "connect-ethernet")) { // This is not a MASQUE request. - if (!signature_auth_on_all_requests_) { + if (!concealed_auth_on_all_requests_) { return false; } } @@ -177,12 +177,12 @@ return address; } -void MasqueServerBackend::SetSignatureAuth(absl::string_view signature_auth) { - signature_auth_credentials_.clear(); - if (signature_auth.empty()) { +void MasqueServerBackend::SetConcealedAuth(absl::string_view concealed_auth) { + concealed_auth_credentials_.clear(); + if (concealed_auth.empty()) { return; } - for (absl::string_view sp : absl::StrSplit(signature_auth, ';')) { + for (absl::string_view sp : absl::StrSplit(concealed_auth, ';')) { quiche::QuicheTextUtils::RemoveLeadingAndTrailingWhitespace(&sp); if (sp.empty()) { continue; @@ -191,26 +191,26 @@ absl::StrSplit(sp, absl::MaxSplits(':', 1)); quiche::QuicheTextUtils::RemoveLeadingAndTrailingWhitespace(&kv[0]); quiche::QuicheTextUtils::RemoveLeadingAndTrailingWhitespace(&kv[1]); - SignatureAuthCredential credential; + ConcealedAuthCredential credential; credential.key_id = std::string(kv[0]); std::string public_key; if (!absl::HexStringToBytes(kv[1], &public_key)) { - QUIC_LOG(FATAL) << "Invalid signature auth public key hex " << kv[1]; + QUIC_LOG(FATAL) << "Invalid concealed auth public key hex " << kv[1]; } if (public_key.size() != sizeof(credential.public_key)) { - QUIC_LOG(FATAL) << "Invalid signature auth public key length " + QUIC_LOG(FATAL) << "Invalid concealed auth public key length " << public_key.size(); } memcpy(credential.public_key, public_key.data(), sizeof(credential.public_key)); - signature_auth_credentials_.push_back(credential); + concealed_auth_credentials_.push_back(credential); } } -bool MasqueServerBackend::GetSignatureAuthKeyForId( +bool MasqueServerBackend::GetConcealedAuthKeyForId( absl::string_view key_id, uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN]) const { - for (const auto& credential : signature_auth_credentials_) { + for (const auto& credential : concealed_auth_credentials_) { if (credential.key_id == key_id) { memcpy(out_public_key, credential.public_key, sizeof(credential.public_key));
diff --git a/quiche/quic/masque/masque_server_backend.h b/quiche/quic/masque/masque_server_backend.h index 7a938fe..48f40cd 100644 --- a/quiche/quic/masque/masque_server_backend.h +++ b/quiche/quic/masque/masque_server_backend.h
@@ -70,27 +70,27 @@ // Pass in a list of key identifiers and hex-encoded public keys, separated // with colons and semicolons. For example: "kid1:0123...f;kid2:0123...f". - void SetSignatureAuth(absl::string_view signature_auth); + void SetConcealedAuth(absl::string_view concealed_auth); - // Returns whether any signature auth credentials are configured. - bool IsSignatureAuthEnabled() const { - return !signature_auth_credentials_.empty(); + // Returns whether any concealed auth credentials are configured. + bool IsConcealedAuthEnabled() const { + return !concealed_auth_credentials_.empty(); } // If the key ID is known, copies the corresponding public key to // out_public_key and returns true. Otherwise returns false. - bool GetSignatureAuthKeyForId( + bool GetConcealedAuthKeyForId( absl::string_view key_id, uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN]) const; - // Enable signature auth on all requests (e.g., GET) instead of just MASQUE. - void SetSignatureAuthOnAllRequests(bool signature_auth_on_all_requests) { - signature_auth_on_all_requests_ = signature_auth_on_all_requests; + // Enable concealed auth on all requests (e.g., GET) instead of just MASQUE. + void SetConcealedAuthOnAllRequests(bool concealed_auth_on_all_requests) { + concealed_auth_on_all_requests_ = concealed_auth_on_all_requests; } - // Whether signature auth is enabled on all requests (e.g., GET). - bool IsSignatureAuthOnAllRequests() const { - return signature_auth_on_all_requests_; + // Whether concealed auth is enabled on all requests (e.g., GET). + bool IsConcealedAuthOnAllRequests() const { + return concealed_auth_on_all_requests_; } private: @@ -110,12 +110,12 @@ QuicConnectionIdHash> backend_client_states_; uint8_t connect_ip_next_client_ip_[4]; - struct QUIC_NO_EXPORT SignatureAuthCredential { + struct QUIC_NO_EXPORT ConcealedAuthCredential { std::string key_id; uint8_t public_key[ED25519_PUBLIC_KEY_LEN]; }; - std::list<SignatureAuthCredential> signature_auth_credentials_; - bool signature_auth_on_all_requests_ = false; + std::list<ConcealedAuthCredential> concealed_auth_credentials_; + bool concealed_auth_on_all_requests_ = false; }; } // namespace quic
diff --git a/quiche/quic/masque/masque_server_bin.cc b/quiche/quic/masque/masque_server_bin.cc index 51f5b40..7a99bdb 100644 --- a/quiche/quic/masque/masque_server_bin.cc +++ b/quiche/quic/masque/masque_server_bin.cc
@@ -40,15 +40,15 @@ "Allows setting MASQUE mode, currently only valid value is \"open\"."); DEFINE_QUICHE_COMMAND_LINE_FLAG( - std::string, signature_auth, "", - "Require HTTP Signature Authentication. Pass in a list of key identifiers " + std::string, concealed_auth, "", + "Require HTTP Concealed Authentication. Pass in a list of key identifiers " "and hex-encoded public keys. " "Separated with colons and semicolons. " "For example: \"kid1:0123...f;kid2:0123...f\"."); DEFINE_QUICHE_COMMAND_LINE_FLAG( - bool, signature_auth_on_all_requests, false, - "If set to true, enable signature auth on all requests (such as GET) " + bool, concealed_auth_on_all_requests, false, + "If set to true, enable concealed auth on all requests (such as GET) " "instead of just MASQUE."); int main(int argc, char* argv[]) { @@ -72,10 +72,10 @@ masque_mode, quiche::GetQuicheCommandLineFlag(FLAGS_server_authority), quiche::GetQuicheCommandLineFlag(FLAGS_cache_dir)); - backend->SetSignatureAuth( - quiche::GetQuicheCommandLineFlag(FLAGS_signature_auth)); - backend->SetSignatureAuthOnAllRequests( - quiche::GetQuicheCommandLineFlag(FLAGS_signature_auth_on_all_requests)); + backend->SetConcealedAuth( + quiche::GetQuicheCommandLineFlag(FLAGS_concealed_auth)); + backend->SetConcealedAuthOnAllRequests( + quiche::GetQuicheCommandLineFlag(FLAGS_concealed_auth_on_all_requests)); auto server = std::make_unique<quic::MasqueServer>(masque_mode, backend.get());
diff --git a/quiche/quic/masque/masque_server_session.cc b/quiche/quic/masque/masque_server_session.cc index a413f58..9e91483 100644 --- a/quiche/quic/masque/masque_server_session.cc +++ b/quiche/quic/masque/masque_server_session.cc
@@ -188,19 +188,19 @@ } std::unique_ptr<QuicBackendResponse> -MasqueServerSession::MaybeCheckSignatureAuth( +MasqueServerSession::MaybeCheckConcealedAuth( const spdy::Http2HeaderBlock& request_headers, absl::string_view authority, absl::string_view scheme, QuicSimpleServerBackend::RequestHandler* request_handler) { // TODO(dschinazi) Add command-line flag that makes this implementation // probe-resistant by returning the usual failure instead of 401. - constexpr absl::string_view kSignatureAuthStatus = "401"; - if (!masque_server_backend_->IsSignatureAuthEnabled()) { + constexpr absl::string_view kConcealedAuthStatus = "401"; + if (!masque_server_backend_->IsConcealedAuthEnabled()) { return nullptr; } auto authorization_pair = request_headers.find("authorization"); if (authorization_pair == request_headers.end()) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Missing authorization header"); } absl::string_view credentials = authorization_pair->second; @@ -208,12 +208,12 @@ std::vector<absl::string_view> v = absl::StrSplit(credentials, absl::MaxSplits(' ', 1)); if (v.size() != 2) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Authorization header missing space"); } absl::string_view auth_scheme = v[0]; - if (auth_scheme != "Signature") { - return CreateBackendErrorResponse(kSignatureAuthStatus, + if (auth_scheme != "Concealed") { + return CreateBackendErrorResponse(kConcealedAuthStatus, "Unexpected auth scheme"); } absl::string_view auth_parameters = v[1]; @@ -242,58 +242,58 @@ switch (param_name[0]) { case 'k': { if (key_id.has_value()) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Duplicate k"); } if (!absl::WebSafeBase64Unescape(param_value, &decoded_param)) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Failed to base64 decode k"); } key_id = decoded_param; } break; case 'a': { if (header_public_key.has_value()) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Duplicate a"); } if (!absl::WebSafeBase64Unescape(param_value, &decoded_param)) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Failed to base64 decode a"); } header_public_key = decoded_param; } break; case 'p': { if (proof.has_value()) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Duplicate p"); } if (!absl::WebSafeBase64Unescape(param_value, &decoded_param)) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Failed to base64 decode p"); } proof = decoded_param; } break; case 's': { if (signature_scheme.has_value()) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Duplicate s"); } int signature_scheme_int = 0; if (!absl::SimpleAtoi(param_value, &signature_scheme_int) || signature_scheme_int < 0 || signature_scheme_int > std::numeric_limits<uint16_t>::max()) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Failed to parse s"); } signature_scheme = static_cast<uint16_t>(signature_scheme_int); } break; case 'v': { if (verification.has_value()) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Duplicate v"); } if (!absl::WebSafeBase64Unescape(param_value, &decoded_param)) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Failed to base64 decode v"); } verification = decoded_param; @@ -301,40 +301,40 @@ } } if (!key_id.has_value()) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Missing k auth parameter"); } if (!header_public_key.has_value()) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Missing a auth parameter"); } if (!proof.has_value()) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Missing p auth parameter"); } if (!signature_scheme.has_value()) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Missing s auth parameter"); } if (!verification.has_value()) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Missing v auth parameter"); } uint8_t config_public_key[ED25519_PUBLIC_KEY_LEN]; - if (!masque_server_backend_->GetSignatureAuthKeyForId(*key_id, + if (!masque_server_backend_->GetConcealedAuthKeyForId(*key_id, config_public_key)) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Unexpected key id"); } if (*header_public_key != std::string(reinterpret_cast<const char*>(config_public_key), sizeof(config_public_key))) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Unexpected public key in header"); } std::string realm = ""; QuicUrl url(absl::StrCat(scheme, "://", authority, "/")); - std::optional<std::string> key_exporter_context = ComputeSignatureAuthContext( + std::optional<std::string> key_exporter_context = ComputeConcealedAuthContext( kEd25519SignatureScheme, *key_id, *header_public_key, scheme, url.host(), url.port(), realm); if (!key_exporter_context.has_value()) { @@ -346,20 +346,20 @@ QUICHE_DCHECK(!key_exporter_context->empty()); std::string key_exporter_output; if (!GetMutableCryptoStream()->ExportKeyingMaterial( - kSignatureAuthLabel, *key_exporter_context, - kSignatureAuthExporterSize, &key_exporter_output)) { + kConcealedAuthLabel, *key_exporter_context, + kConcealedAuthExporterSize, &key_exporter_output)) { return CreateBackendErrorResponse("500", "Key exporter failed"); } - QUICHE_CHECK_EQ(key_exporter_output.size(), kSignatureAuthExporterSize); + QUICHE_CHECK_EQ(key_exporter_output.size(), kConcealedAuthExporterSize); std::string signature_input = - key_exporter_output.substr(0, kSignatureAuthSignatureInputSize); + key_exporter_output.substr(0, kConcealedAuthSignatureInputSize); QUIC_DVLOG(1) << "signature_input: " << absl::WebSafeBase64Escape(signature_input); std::string expected_verification = key_exporter_output.substr( - kSignatureAuthSignatureInputSize, kSignatureAuthVerificationSize); + kConcealedAuthSignatureInputSize, kConcealedAuthVerificationSize); if (verification != expected_verification) { return CreateBackendErrorResponse( - kSignatureAuthStatus, + kConcealedAuthStatus, absl::StrCat("Unexpected verification, expected ", absl::WebSafeBase64Escape(expected_verification), " but got ", absl::WebSafeBase64Escape(*verification), @@ -367,15 +367,15 @@ absl::WebSafeBase64Escape(*key_exporter_context))); } std::string data_covered_by_signature = - SignatureAuthDataCoveredBySignature(signature_input); + ConcealedAuthDataCoveredBySignature(signature_input); QUIC_DVLOG(1) << "data_covered_by_signature: " << absl::WebSafeBase64Escape(data_covered_by_signature); if (*signature_scheme != kEd25519SignatureScheme) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Unexpected signature scheme"); } if (proof->size() != ED25519_SIGNATURE_LEN) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Unexpected proof length"); } if (ED25519_verify( @@ -383,7 +383,7 @@ data_covered_by_signature.size(), reinterpret_cast<const uint8_t*>(proof->data()), config_public_key) != 1) { - return CreateBackendErrorResponse(kSignatureAuthStatus, + return CreateBackendErrorResponse(kConcealedAuthStatus, "Signature failed to validate"); } QUIC_LOG(INFO) << "Successfully validated signature auth for stream ID " @@ -411,11 +411,11 @@ if (scheme.empty()) { return CreateBackendErrorResponse("400", "Empty scheme"); } - // Signature authentication. - auto signature_auth_reply = MaybeCheckSignatureAuth( + // Concealed authentication. + auto concealed_auth_reply = MaybeCheckConcealedAuth( request_headers, authority, scheme, request_handler); - if (signature_auth_reply) { - return signature_auth_reply; + if (concealed_auth_reply) { + return concealed_auth_reply; } // Path. auto path_pair = request_headers.find(":path"); @@ -437,7 +437,7 @@ absl::string_view method = method_pair->second; if (method != "CONNECT") { QUIC_DLOG(ERROR) << "MASQUE request with bad method \"" << method << "\""; - if (masque_server_backend_->IsSignatureAuthOnAllRequests()) { + if (masque_server_backend_->IsConcealedAuthOnAllRequests()) { return nullptr; } else { return CreateBackendErrorResponse("400", "Bad method"); @@ -447,7 +447,7 @@ auto protocol_pair = request_headers.find(":protocol"); if (protocol_pair == request_headers.end()) { QUIC_DLOG(ERROR) << "MASQUE request is missing :protocol"; - if (masque_server_backend_->IsSignatureAuthOnAllRequests()) { + if (masque_server_backend_->IsConcealedAuthOnAllRequests()) { return nullptr; } else { return CreateBackendErrorResponse("400", "Missing :protocol"); @@ -458,7 +458,7 @@ protocol != "connect-ethernet") { QUIC_DLOG(ERROR) << "MASQUE request with bad protocol \"" << protocol << "\""; - if (masque_server_backend_->IsSignatureAuthOnAllRequests()) { + if (masque_server_backend_->IsConcealedAuthOnAllRequests()) { return nullptr; } else { return CreateBackendErrorResponse("400", "Bad protocol");
diff --git a/quiche/quic/masque/masque_server_session.h b/quiche/quic/masque/masque_server_session.h index c7659f2..6b6a796 100644 --- a/quiche/quic/masque/masque_server_session.h +++ b/quiche/quic/masque/masque_server_session.h
@@ -82,7 +82,7 @@ QuicSocketEventMask events); bool HandleConnectEthernetSocketEvent(QuicUdpSocketFd fd, QuicSocketEventMask events); - std::unique_ptr<QuicBackendResponse> MaybeCheckSignatureAuth( + std::unique_ptr<QuicBackendResponse> MaybeCheckConcealedAuth( const spdy::Http2HeaderBlock& request_headers, absl::string_view authority, absl::string_view scheme, QuicSimpleServerBackend::RequestHandler* request_handler);
diff --git a/quiche/quic/masque/masque_utils.cc b/quiche/quic/masque/masque_utils.cc index 999fc75..0bfd5d1 100644 --- a/quiche/quic/masque/masque_utils.cc +++ b/quiche/quic/masque/masque_utils.cc
@@ -214,13 +214,13 @@ } #endif // defined(__linux__) -std::string ComputeSignatureAuthContext(uint16_t signature_scheme, +std::string ComputeConcealedAuthContext(uint16_t signature_scheme, absl::string_view key_id, absl::string_view public_key, absl::string_view scheme, absl::string_view host, uint16_t port, absl::string_view realm) { - QUIC_DVLOG(2) << "ComputeSignatureAuthContext: key_id=\"" << key_id + QUIC_DVLOG(2) << "ComputeConcealedAuthContext: key_id=\"" << key_id << "\" public_key=" << absl::WebSafeBase64Escape(public_key) << " scheme=\"" << scheme << "\" host=\"" << host << "\" port=" << port << " realm=\"" << realm << "\""; @@ -240,14 +240,14 @@ !writer.WriteStringPieceVarInt62(scheme) || !writer.WriteStringPieceVarInt62(host) || !writer.WriteUInt16(port) || !writer.WriteStringPieceVarInt62(realm) || writer.remaining() != 0) { - QUIC_LOG(FATAL) << "ComputeSignatureAuthContext failed"; + QUIC_LOG(FATAL) << "ComputeConcealedAuthContext failed"; } return key_exporter_context; } -std::string SignatureAuthDataCoveredBySignature( +std::string ConcealedAuthDataCoveredBySignature( absl::string_view signature_input) { - return absl::StrCat(std::string(64, 0x20), "HTTP Signature Authentication", + return absl::StrCat(std::string(64, 0x20), "HTTP Concealed Authentication", std::string(1, 0x00), signature_input); }
diff --git a/quiche/quic/masque/masque_utils.h b/quiche/quic/masque/masque_utils.h index 4cf1189..09705d5 100644 --- a/quiche/quic/masque/masque_utils.h +++ b/quiche/quic/masque/masque_utils.h
@@ -54,23 +54,23 @@ // Create a TAP interface. Requires root. int CreateTapInterface(); -inline constexpr size_t kSignatureAuthSignatureInputSize = 32; -inline constexpr size_t kSignatureAuthVerificationSize = 16; -inline constexpr size_t kSignatureAuthExporterSize = - kSignatureAuthSignatureInputSize + kSignatureAuthVerificationSize; +inline constexpr size_t kConcealedAuthSignatureInputSize = 32; +inline constexpr size_t kConcealedAuthVerificationSize = 16; +inline constexpr size_t kConcealedAuthExporterSize = + kConcealedAuthSignatureInputSize + kConcealedAuthVerificationSize; inline constexpr uint16_t kEd25519SignatureScheme = 0x0807; -inline constexpr absl::string_view kSignatureAuthLabel = - "EXPORTER-HTTP-Signature-Authentication"; +inline constexpr absl::string_view kConcealedAuthLabel = + "EXPORTER-HTTP-Concealed-Authentication"; // Returns the signature auth TLS key exporter context. -QUIC_NO_EXPORT std::string ComputeSignatureAuthContext( +QUIC_NO_EXPORT std::string ComputeConcealedAuthContext( uint16_t signature_scheme, absl::string_view key_id, absl::string_view public_key, absl::string_view scheme, absl::string_view host, uint16_t port, absl::string_view realm); // Returns the data covered by signature auth signatures, computed by // concatenating a fixed prefix from the specification and the signature input. -QUIC_NO_EXPORT std::string SignatureAuthDataCoveredBySignature( +QUIC_NO_EXPORT std::string ConcealedAuthDataCoveredBySignature( absl::string_view signature_input); } // namespace quic