Roll src/third_party/boringssl/src d7421ebf6..3ac32b1ed

components/certificate_reporting/error_reporter.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/certificate_reporting/error_reporter.h"
 
 #include <set>
 
 #include "base/logging.h"
 #include "components/certificate_reporting/encrypted_cert_logger.pb.h"
@@ skipping 16 matching lines @@
 static const uint8 kServerPublicKey[] = {
     0x51, 0xcc, 0x52, 0x67, 0x42, 0x47, 0x3b, 0x10, 0xe8, 0x63, 0x18,
     0x3c, 0x61, 0xa7, 0x96, 0x76, 0x86, 0x91, 0x40, 0x71, 0x39, 0x5f,
     0x31, 0x1a, 0x39, 0x5b, 0x76, 0xb1, 0x6b, 0x3d, 0x6a, 0x2b};
 static const uint32 kServerPublicKeyVersion = 1;
 
 #if defined(USE_OPENSSL)
 
 static const char kHkdfLabel[] = "certificate report";
 
-std::string GetHkdfSubkeySecret(size_t subkey_length,
-                                const uint8* private_key,
-                                const uint8* public_key) {
+bool GetHkdfSubkeySecret(size_t subkey_length,
+                         const uint8* private_key,
+                         const uint8* public_key,
+                         std::string* secret) {
   uint8 shared_secret[crypto::curve25519::kBytes];
-  crypto::curve25519::ScalarMult(private_key, public_key, shared_secret);
+  if (!crypto::curve25519::ScalarMult(private_key, public_key, shared_secret))
+    return false;
 
   // By mistake, the HKDF label here ends up with an extra null byte on
   // the end, due to using sizeof(kHkdfLabel) in the StringPiece
   // constructor instead of strlen(kHkdfLabel). Ideally this code should
   // be just passing kHkdfLabel directly into the HKDF constructor.
   //
   // TODO(estark): fix this in coordination with the server-side code --
   // perhaps by rolling the public key version forward and using the
   // version to decide whether to use the extra-null-byte version of the
   // label. https://crbug.com/517746
   crypto::HKDF hkdf(base::StringPiece(reinterpret_cast<char*>(shared_secret),
                                       sizeof(shared_secret)),
                     "" /* salt */,
                     base::StringPiece(kHkdfLabel, sizeof(kHkdfLabel)),
                     0 /* key bytes */, 0 /* iv bytes */, subkey_length);
 
-  return hkdf.subkey_secret().as_string();
+  *secret = hkdf.subkey_secret().as_string();
+  return true;
 }
 
 bool EncryptSerializedReport(const uint8* server_public_key,
                              uint32 server_public_key_version,
                              const std::string& report,
                              EncryptedCertLoggerRequest* encrypted_report) {
   // Generate an ephemeral key pair to generate a shared secret.
   uint8 public_key[crypto::curve25519::kBytes];
   uint8 private_key[crypto::curve25519::kScalarBytes];
 
   crypto::RandBytes(private_key, sizeof(private_key));
   crypto::curve25519::ScalarBaseMult(private_key, public_key);
 
   crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256);
-  const std::string key =
-      GetHkdfSubkeySecret(aead.KeyLength(), private_key,
-                          reinterpret_cast<const uint8*>(server_public_key));
+  const std::string key;
+  if (!GetHkdfSubkeySecret(aead.KeyLength(), private_key,
+                           reinterpret_cast<const uint8*>(server_public_key),
+                           &key)) {
+    return false;

[estark, 2015/11/19 00:25:18]

nit: add a LOG(ERROR) here?

[davidben, 2015/11/19 00:41:36]

Done.

+  }
   aead.Init(&key);
 
   // Use an all-zero nonce because the key is random per-message.
   std::string nonce(aead.NonceLength(), '\0');
 
   std::string ciphertext;
   if (!aead.Seal(report, nonce, std::string(), &ciphertext)) {
     LOG(ERROR) << "Error sealing certificate report.";
     return false;
   }
@@ skipping 64 matching lines @@
 #endif
 }
 
 // Used only by tests.
 #if defined(USE_OPENSSL)
 bool ErrorReporter::DecryptErrorReport(
     const uint8 server_private_key[32],
     const EncryptedCertLoggerRequest& encrypted_report,
     std::string* decrypted_serialized_report) {
   crypto::Aead aead(crypto::Aead::AES_128_CTR_HMAC_SHA256);
-  const std::string key =
-      GetHkdfSubkeySecret(aead.KeyLength(), server_private_key,
-                          reinterpret_cast<const uint8*>(
-                              encrypted_report.client_public_key().data()));
+  const std::string key;
+  if (!GetHkdfSubkeySecret(aead.KeyLength(), server_private_key,
+                           reinterpret_cast<const uint8*>(
+                               encrypted_report.client_public_key().data()),
+                           &key)) {
+    return false;

[estark, 2015/11/19 00:25:18]

same nit here

[davidben, 2015/11/19 00:41:37]

Done.

+  }
   aead.Init(&key);
 
   // Use an all-zero nonce because the key is random per-message.
   std::string nonce(aead.NonceLength(), 0);
 
   return aead.Open(encrypted_report.encrypted_report(), nonce, std::string(),
                    decrypted_serialized_report);
 }
 #endif
 
 }  // namespace certificate_reporting