[NOT FOR REVIEW] Ensure contributory behaviour for Web Push encryption.

components/gcm_driver/crypto/gcm_message_cryptographer.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/gcm_driver/crypto/gcm_message_cryptographer.h"
 
 #include <algorithm>
+#include <sstream>
 
 #include "base/big_endian.h"
 #include "base/logging.h"
 #include "crypto/hkdf.h"
 
 namespace gcm {
 namespace {
 
 // Size, in bytes, of the nonce for a record. This must be at least the size
 // of a uint64_t, which is used to indicate the record sequence number.
 const uint64_t kNonceSize = 12;
 
 // The default record size as defined by draft-thomson-http-encryption-01.
 const size_t kDefaultRecordSize = 4096;
 
 // Key size, in bytes, of a valid AEAD_AES_128_GCM key.
 const size_t kContentEncryptionKeySize = 16;
 
+// The label of the curve used by Web Push encryption, as mandated by the
+// draft-ietf-webpush-encryption-01 draft.
+const char kP256Label[] = "P-256";
+
 }  // namespace
 
 const size_t GCMMessageCryptographer::kAuthenticationTagBytes = 16;
 const size_t GCMMessageCryptographer::kSaltSize = 16;
 
-GCMMessageCryptographer::GCMMessageCryptographer() {}
+template <typename I> std::string n2hexstr(I w, size_t hex_len = sizeof(I)<<1) {
+    static const char* digits = "0123456789abcdef";
+    std::string rc(hex_len,'0');
+    for (size_t i=0, j=(hex_len-1)*4 ; i<hex_len; ++i,j-=4)
+        rc[i] = digits[(w>>j) & 0x0f];
+    return rc;
+}
+
+GCMMessageCryptographer::GCMMessageCryptographer(
+    const base::StringPiece& local_public_key,
+    const base::StringPiece& peer_public_key) {
+  std::stringstream context_stream;
+  context_stream << '\0' << kP256Label << '\0';
+  context_stream << '\0' << (char)local_public_key.size() << local_public_key;
+  context_stream << '\0' << (char)peer_public_key.size() << peer_public_key;
+
+  // TODO: \0 + size is necessary because the length must be written as a two-
+  // byte integer in big endian byte order.
+
+  // TODO: Without (char) the size is written as two ascii literals: '6' '5',
+  // rather than the binary representation of 0x41.
+
+  nonce_info_ =
+      "Content-Encoding: nonce" + context_stream.str();
+  content_encryption_key_info_ =
+      "Content-Encoding: aesgcm128" + context_stream.str();
+}
 
 GCMMessageCryptographer::~GCMMessageCryptographer() {}
 
 bool GCMMessageCryptographer::Encrypt(const base::StringPiece& plaintext,
                                       const base::StringPiece& key,
                                       const base::StringPiece& salt,
                                       size_t* record_size,
                                       std::string* ciphertext) const {
   DCHECK(ciphertext);
   DCHECK(record_size);
@@ skipping 28 matching lines @@
 }
 
 bool GCMMessageCryptographer::Decrypt(
     const base::StringPiece& ciphertext,
     const base::StringPiece& key,
     const base::StringPiece& salt,
     size_t record_size,
     std::string* plaintext) const {
   DCHECK(plaintext);
 
-  if (salt.size() != kSaltSize || record_size <= 1)
+  if (salt.size() != kSaltSize || record_size <= 1) {
+    LOG(INFO) << "--1";
     return false;
+  }
 
   // The |ciphertext| must be at least kAuthenticationTagBytes + 1 bytes, which
   // would be used for an empty message. Per
   // https://tools.ietf.org/html/draft-thomson-webpush-encryption-01#section-3,
   // the |record_size| parameter must be large enough to use only one record.
   if (ciphertext.size() < kAuthenticationTagBytes + 1 ||
       ciphertext.size() >= record_size + kAuthenticationTagBytes + 1) {
+    LOG(INFO) << "--2";
     return false;
   }
 
   std::string content_encryption_key = DeriveContentEncryptionKey(key, salt);
   std::string nonce = DeriveNonce(key, salt);
 
   std::string decrypted_record;
   if (!EncryptDecryptRecordInternal(DECRYPT, ciphertext, content_encryption_key,
                                     nonce, &decrypted_record)) {
+    LOG(INFO) << "--3";
     return false;
   }
 
   DCHECK(!decrypted_record.empty());
 
   // Records can contain between 0 and 255 octets of padding, indicated by the
   // first octet of the decrypted message. Padding bytes that are not set to
   // zero are considered a fatal decryption failure as well. Since AES-GCM
   // includes an authentication check, neither verification nor removing the
   // padding have to be done in constant time.
   size_t padding_length = static_cast<size_t>(decrypted_record[0]);
-  if (padding_length >= decrypted_record.size())
+  if (padding_length >= decrypted_record.size()) {
+    LOG(INFO) << "--4";
     return false;
+  }
 
   for (size_t i = 1; i <= padding_length; ++i) {
-    if (decrypted_record[i] != 0)
+    if (decrypted_record[i] != 0) {
+      LOG(INFO) << "--5";
       return false;
+    }
   }
 
   base::StringPiece decoded_record_string_piece(decrypted_record);
   decoded_record_string_piece.remove_prefix(1 + padding_length);
   decoded_record_string_piece.CopyToString(plaintext);
 
   return true;
 }
 
 std::string GCMMessageCryptographer::DeriveContentEncryptionKey(
     const base::StringPiece& key,
     const base::StringPiece& salt) const {
   crypto::HKDF hkdf(key, salt,
-                    "Content-Encoding: aesgcm128",
+                    content_encryption_key_info_,
                     kContentEncryptionKeySize,
                     0,  /* iv_bytes_to_generate */
                     0   /* subkey_secret_bytes_to_generate */);
 
   return hkdf.client_write_key().as_string();
 }
 
 std::string GCMMessageCryptographer::DeriveNonce(
     const base::StringPiece& key,
     const base::StringPiece& salt) const {
   crypto::HKDF hkdf(key, salt,
-                    "Content-Encoding: nonce",
+                    nonce_info_,
                     kNonceSize,
                     0,  /* iv_bytes_to_generate */
                     0   /* subkey_secret_bytes_to_generate */);
 
   // draft-thomson-http-encryption-01 defines that the result should be XOR'ed
   // with the record's sequence number, but because Web Push encryption is
   // limited to a single record we do not have to do that.
 
   return hkdf.client_write_key().as_string();
 }
 
 }  // namespace gcm