Google Git
Sign in
boringssl/boringssl.git/54304734eb43c3897d08c30b72d8665cab027965^!/./include
commit
54304734eb43c3897d08c30b72d8665cab027965
[log]
author
Steven Valdez <svaldez@chromium.org>
Mon May 04 11:56:12 2020 -0400
committer
CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Tue May 05 18:37:58 2020 +0000
tree
4fe947650ae36901a02b128aa23784f125d98777
parent
802523aa5f7b216d559ff8287e12d47b12b51df5 [diff]
Use token hash to encode private metadata for Trust Token Experiment V1.

Bug: 328
Change-Id: Iaf3ff1bbe2f21c622b974081281848c60a01f142
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/40764
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

diff --git a/include/openssl/trust_token.h b/include/openssl/trust_token.h
index 4945172..a73a868 100644
--- a/include/openssl/trust_token.h
+++ b/include/openssl/trust_token.h

@@ -230,15 +230,13 @@
 // buffer and must call |OPENSSL_free| when done. It returns one on success or
 // zero on error.
 //
-// The caller must keep track of all values of |*out_token| and
-// |*out_client_data| and seen globally before returning the SRR to the client.
-// If either value has been repeated, the caller must discard the SRR and report
-// an error to the caller. Returning an SRR with replayed values allows an
-// attacker to double-spend tokens and query private metadata bits in SRRs.
+// The caller must keep track of all values of |*out_token| seen globally before
+// returning the SRR to the client. If the value has been reused, the caller
+// must discard the SRR and report an error to the caller. Returning an SRR with
+// replayed values allows an attacker to double-spend tokens.
 //
-// TODO(svaldez): The private metadata bit should not be leaked on replay. This
-// means callers cannot use eventual consistency to trade off double-spending
-// and distributed system performance. See https://crbug.com/boringssl/328.
+// The private metadata construction in |TRUST_TOKEN_experiment_v0| does not
+// keep the value secret and should not be used when secrecy is required.
 OPENSSL_EXPORT int TRUST_TOKEN_ISSUER_redeem(
     const TRUST_TOKEN_ISSUER *ctx, uint8_t **out, size_t *out_len,
     TRUST_TOKEN **out_token, uint8_t **out_client_data,
@@ -247,12 +245,14 @@
 
 // TRUST_TOKEN_decode_private_metadata decodes |encrypted_bit| using the
 // private metadata key specified by a |key| buffer of length |key_len| and the
-// client data specified by a |client_data| buffer of length |client_data_len|.
-// |*out_value is set to the decrypted value, either zero or one. It returns one
-// on success and zero on error.
+// nonce by a |nonce| buffer of length |nonce_len|. The nonce in
+// |TRUST_TOKEN_experiment_v0| is the client-data field of the SRR. The nonce in
+// |TRUST_TOKEN_experiment_v1| is the token-hash field of the SRR. |*out_value|
+// is set to the decrypted value, either zero or one. It returns one on success
+// and zero on error.
 OPENSSL_EXPORT int TRUST_TOKEN_decode_private_metadata(
     const TRUST_TOKEN_METHOD *method, uint8_t *out_value, const uint8_t *key,
-    size_t key_len, const uint8_t *client_data, size_t client_data_len,
+    size_t key_len, const uint8_t *nonce, size_t nonce_len,
     uint8_t encrypted_bit);