Land the proto for leak detection.

Also the CL lands the feature in the password manager.

Bug: 986298
Change-Id: I8b7e38d5ec177edd9565d6207644edad99c34677
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1713192
Commit-Queue: Vasilii Sukhanov <vasilii@chromium.org>
Reviewed-by: Ioana Pandele <ioanap@chromium.org>
Cr-Commit-Position: refs/heads/master@{#680404}

components/password_manager/core/browser/BUILD.gn

@@ -255,7 +255,10 @@ jumbo_static_library("browser") {
       "http_credentials_cleaner.cc",
       "http_credentials_cleaner.h",
     ]
-    deps += [ "//components/safe_browsing/common:safe_browsing_prefs" ]
+    deps += [
+      "//components/password_manager/core/browser/leak_detection:leak_detection",
+      "//components/safe_browsing/common:safe_browsing_prefs",
+    ]
   }
 
   if (is_posix && !is_mac && !is_ios) {

components/password_manager/core/browser/leak_detection/BUILD.gn

+# Copyright 2019 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+import("//build/config/jumbo.gni")
+import("//third_party/libprotobuf-mutator/fuzzable_proto_library.gni")
+
+fuzzable_proto_library("proto") {
+  sources = [
+    "leak_detection_api.proto",
+  ]
+}
+
+jumbo_source_set("leak_detection") {
+  deps = [
+    ":proto",
+  ]
+}

components/password_manager/core/browser/leak_detection/leak_detection_api.proto

+syntax = "proto3";
+
+package leak_detection;
+
+option optimize_for = LITE_RUNTIME;
+
+// See internal/identity/passwords/leak/check/v1/service.proto for the server
+// side definition.
+service PasswordsLeakCheckService {
+  // Enables clients to privately check whether given username-password pairs
+  // are part of a leak that we collected.
+  //
+  // The protocol used here requires the client to request buckets of known
+  // leaks identified by a username-hash prefix (username_hash_prefix).
+  // In response, the server returns all the leaks (hashed username-password
+  // pairs) of the requested buckets (leak_match).
+  //
+  // In order to not leak the database of hashed username-password pairs
+  // to the client, we added the blinders protocol (go/blinders) into the mix.
+  // This allows the server to only return an encrypted version of the hashes
+  // to the clients (encrypted_leak_hash). The clients will not know the key
+  // with which the server encrypted the hashes.
+  // In order for the client to figure out if their credentials actually got
+  // leaked, they need to encrypt their username-password pair hashes with their
+  // own secret key and send the encrypted result to the server
+  // (encrypted_lookup_hash).
+  // The server will then reencrypt encrypted_lookup_hash with their own secret
+  // key and return that in the result (reencrypted_lookup_hash).
+  // The client will then reverse their own encryption on
+  // reencrypted_lookup_hash and look up if the result is in the list of
+  // returned leaks (leak_match). If so, the client has identified a leak.
+  rpc LookupLeaks(LookupLeaksRequest) returns (LookupLeaksResponse) {}
+}
+
+message LookupLeaksRequest {
+  // The prefix of the username hash (algorithm: SHA-256;
+  // string encoding: UTF8).
+  //
+  // The underlying username is expected to be canonicalized by lower-casing
+  // and stripping a mail-address host in case the username is a mail address.
+  //
+  // Only a most significant bit prefix with the length of
+  // username_hash_prefix_length bits is to be set, the rest needs to be filled
+  // with 0.
+  //
+  // The client can request all known leaks for a given username bucket.
+  // This specifies the requested username buckets. All returned
+  // `leak_match` values will belong to one of the requested username
+  // buckets.
+  repeated bytes username_hash_prefix = 1;
+
+  // The length of the username hash prefix in bits.
+  // We only allow 24 bits at the moment.
+  //
+  // Note: the prefix length is limited in order to:
+  // - Protect client against too low anonymity (upper limit)
+  // - Protect server against full database download (lower limit)
+  uint32 username_hash_prefix_length = 2;
+
+  // The full hash of username and password which was encrypted using a
+  // commutative cipher.
+  //
+  // The underlying username is expected to be canonicalized the same as
+  // described for username_hash_prefix.
+  //
+  // The key should be randomly generated by the client. It can choose a new one
+  // per request, or even per hash. The server can't decrypt this and
+  // won't know the difference.
+  repeated bytes encrypted_lookup_hash = 3;
+}
+
+message LookupLeaksResponse {
+  // The leaks that match the requested `username_hash_prefix`.
+  // This list is sorted by `encrypted_leak_hash` in order to enable binary
+  // search for matches.
+  repeated LeakMatch leak_match = 1;
+
+  // The reencrypted `encrypted_lookup_hash` from the request. In order for the
+  // clients to check for matches, it needs the server to reencrypt the
+  // `encrypted_lookup_hash` that they sent. The client can then reverse their
+  // own encryption and check `leak_match` for the resulting values.
+  repeated ReencryptedLookupHash reencrypted_lookup_hash = 2;
+
+  message LeakMatch {
+    // The requested username_hash_prefix that the leak matches belong to.
+    bytes username_hash_prefix = 2;
+
+    // The full hash of username and password that was discovered in a leak
+    // which was encrypted using a commutative cipher with a private key picked
+    // by the server.
+    // The hashing algorithm and cipher used are the same as defined in the
+    // request.
+    // Note: There are no guarantees that the server key stays the same between
+    // subsequent requests.
+    repeated bytes encrypted_leak_hash = 1;
+  }
+
+  message ReencryptedLookupHash {
+    // The same as `encrypted_lookup_hash` from the request. This can be used by
+    // the client to link the reencrypted hash to the originally requested
+    // one.
+    bytes encrypted_lookup_hash = 1;
+    // The `encrypted_lookup_hash` reencrypted with the server's  private key
+    // (the same key that is used for encrypting `encrypted_leak_hash`).
+    // This enables the client to reverse their own encryption, giving the
+    // client a server-side only encrypted leak entry which it can use to check
+    // if `leak_match` contains it.
+    bytes reencrypted_lookup_hash = 2;
+  }
+}

components/password_manager/core/common/password_manager_features.cc

@@ -30,10 +30,19 @@ const base::Feature kFillOnAccountSelect = {"fill-on-account-select",
 const base::Feature kFillOnAccountSelectHttp = {
     "FillOnAccountSelectHttp", base::FEATURE_DISABLED_BY_DEFAULT};
 
+// Forces password generation to ask user to update the password instead of
+// overwriting silently.
+const base::Feature kGenerationNoOverwrites = {
+    "GenerationNoOverwrites", base::FEATURE_DISABLED_BY_DEFAULT};
+
 // Integration with Google's Password Manager for signed-in and sync users.
 const base::Feature kGooglePasswordManager = {
     "google-password-manager", base::FEATURE_DISABLED_BY_DEFAULT};
 
+// Analyses the credentials submitted by user for leak detection.
+const base::Feature kLeakDetection = {"PasswordLeakDetection",
+                                      base::FEATURE_DISABLED_BY_DEFAULT};
+
 // Controls whether to offer manual password generation in the accessory sheet
 // on Android.
 const base::Feature kManualPasswordGenerationAndroid{
@@ -77,10 +86,9 @@ const base::Feature kPasswordManagerOnboardingAndroid = {
 const base::Feature kRecoverPasswordsForSyncUsers = {
     "RecoverPasswordsForSyncUsers", base::FEATURE_ENABLED_BY_DEFAULT};
 
-// Forces password generation to ask user to update the password instead of
-// overwriting silently.
-const base::Feature kGenerationNoOverwrites = {
-    "GenerationNoOverwrites", base::FEATURE_DISABLED_BY_DEFAULT};
+// Enables the touch to fill feature for Android.
+const base::Feature kTouchToFillAndroid = {"TouchToFillAndroid",
+                                           base::FEATURE_DISABLED_BY_DEFAULT};
 
 // Enables support of filling and saving on username first flow.
 const base::Feature kUsernameFirstFlow = {"UsernameFirstFlow",

components/password_manager/core/common/password_manager_features.h

@@ -21,7 +21,9 @@ extern const base::Feature kEditPasswordsInDesktopSettings;
 extern const base::Feature kDeleteCorruptedPasswords;
 extern const base::Feature kFillOnAccountSelect;
 extern const base::Feature kFillOnAccountSelectHttp;
+extern const base::Feature kGenerationNoOverwrites;
 extern const base::Feature kGooglePasswordManager;
+extern const base::Feature kLeakDetection;
 extern const base::Feature kManualPasswordGenerationAndroid;
 extern const base::Feature kMigrateLinuxToLoginDB;
 extern const base::Feature kNewPasswordFormParsing;
@@ -31,7 +33,7 @@ extern const base::Feature kPasswordEditingAndroid;
 extern const base::Feature kPasswordImport;
 extern const base::Feature kPasswordManagerOnboardingAndroid;
 extern const base::Feature kRecoverPasswordsForSyncUsers;
-extern const base::Feature kGenerationNoOverwrites;
+extern const base::Feature kTouchToFillAndroid;
 extern const base::Feature kUsernameFirstFlow;
 
 // Field trial and corresponding parameters.