QUIC: support diversified keys with version 33.
Before we can disable strike registers we have to deal with the fact that two
different QUIC servers may then encrypt different messages under the same key.
Since the nonce is a counter, that would be fatal.
With this change we allow servers to include a nonce in the public header of
packets.
This is complicated, somewhat, by the fact that version negotiation doesn't
easily bubble up to the crypto layer: a client that supports version 33 might
be called upon to process a packet encrypted with this new scheme, or a packet
encrypted with the old scheme if speaking to an older server. Thus the
decryptors can handle either scheme and will latch to one or the other after
processing their first packet.
Since we have run out of flags in the public header, the two bits currently
assigned to indicate the length of the connection ID are split. Bit three
remains as an indication of the connection ID length, which can now only be
zero or eight bytes. Bit two is repurposed to indicate the presence of a
32-byte nonce that is inserted before the packet number.
In order to accomodate older clients that will be setting bit two to indicate
an eight-byte connection ID we exploit the fact that nonces can only be sent
from server to client. Thus server framers ignore bit two, for now, when
parsing.
Merge internal change: 119745591
Review URL: https://codereview.chromium.org/1904213002
Cr-Commit-Position: refs/heads/master@{#389665}
43 files changed
