OLD | NEW |
| (Empty) |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include <pk11pub.h> | |
6 | |
7 #include <memory> | |
8 | |
9 #include "crypto/scoped_nss_types.h" | |
10 #include "net/quic/crypto/aead_base_encrypter.h" | |
11 #include "net/quic/quic_flags.h" | |
12 #include "net/quic/quic_utils.h" | |
13 | |
14 using base::StringPiece; | |
15 | |
16 namespace net { | |
17 | |
18 namespace { | |
19 | |
20 // The maximum size in bytes of the nonce, including 8 bytes of sequence number. | |
21 // ChaCha20 uses only the 8 byte sequence number and AES-GCM uses 12 bytes. | |
22 const size_t kMaxNonceSize = 12; | |
23 | |
24 } // namespace | |
25 | |
26 AeadBaseEncrypter::AeadBaseEncrypter(CK_MECHANISM_TYPE aead_mechanism, | |
27 size_t key_size, | |
28 size_t auth_tag_size, | |
29 size_t nonce_prefix_size) | |
30 : aead_mechanism_(aead_mechanism), | |
31 key_size_(key_size), | |
32 auth_tag_size_(auth_tag_size), | |
33 nonce_prefix_size_(nonce_prefix_size) { | |
34 DCHECK_LE(key_size_, sizeof(key_)); | |
35 DCHECK_LE(nonce_prefix_size_, sizeof(nonce_prefix_)); | |
36 DCHECK_GE(kMaxNonceSize, nonce_prefix_size_); | |
37 } | |
38 | |
39 AeadBaseEncrypter::~AeadBaseEncrypter() {} | |
40 | |
41 bool AeadBaseEncrypter::SetKey(StringPiece key) { | |
42 DCHECK_EQ(key.size(), key_size_); | |
43 if (key.size() != key_size_) { | |
44 return false; | |
45 } | |
46 memcpy(key_, key.data(), key.size()); | |
47 return true; | |
48 } | |
49 | |
50 bool AeadBaseEncrypter::SetNoncePrefix(StringPiece nonce_prefix) { | |
51 DCHECK_EQ(nonce_prefix.size(), nonce_prefix_size_); | |
52 if (nonce_prefix.size() != nonce_prefix_size_) { | |
53 return false; | |
54 } | |
55 memcpy(nonce_prefix_, nonce_prefix.data(), nonce_prefix.size()); | |
56 return true; | |
57 } | |
58 | |
59 bool AeadBaseEncrypter::Encrypt(StringPiece nonce, | |
60 StringPiece associated_data, | |
61 StringPiece plaintext, | |
62 unsigned char* output) { | |
63 if (nonce.size() != nonce_prefix_size_ + sizeof(QuicPacketNumber)) { | |
64 return false; | |
65 } | |
66 | |
67 size_t ciphertext_size = GetCiphertextSize(plaintext.length()); | |
68 | |
69 // Import key_ into NSS. | |
70 SECItem key_item; | |
71 key_item.type = siBuffer; | |
72 key_item.data = key_; | |
73 key_item.len = key_size_; | |
74 PK11SlotInfo* slot = PK11_GetInternalSlot(); | |
75 | |
76 // The exact value of the |origin| argument doesn't matter to NSS as long as | |
77 // it's not PK11_OriginFortezzaHack, so we pass PK11_OriginUnwrap as a | |
78 // placeholder. | |
79 crypto::ScopedPK11SymKey aead_key( | |
80 PK11_ImportSymKey(slot, aead_mechanism_, PK11_OriginUnwrap, CKA_ENCRYPT, | |
81 &key_item, nullptr)); | |
82 PK11_FreeSlot(slot); | |
83 slot = nullptr; | |
84 if (!aead_key) { | |
85 DVLOG(1) << "PK11_ImportSymKey failed"; | |
86 return false; | |
87 } | |
88 | |
89 AeadParams aead_params = {0}; | |
90 FillAeadParams(nonce, associated_data, auth_tag_size_, &aead_params); | |
91 | |
92 SECItem param; | |
93 param.type = siBuffer; | |
94 param.data = reinterpret_cast<unsigned char*>(&aead_params.data); | |
95 param.len = aead_params.len; | |
96 | |
97 if (plaintext.size() > kMaxPacketSize) { | |
98 DLOG(FATAL) << "Plaintext too large"; | |
99 return false; | |
100 } | |
101 // NSS doesn't support inplace encryption, so copy plaintext to a temporary | |
102 // buffer. | |
103 unsigned char temp_plaintext[kMaxPacketSize]; | |
104 memcpy(temp_plaintext, plaintext.data(), plaintext.size()); | |
105 | |
106 unsigned int output_len; | |
107 if (PK11_Encrypt(aead_key.get(), aead_mechanism_, ¶m, output, &output_len, | |
108 ciphertext_size, temp_plaintext, | |
109 plaintext.size()) != SECSuccess) { | |
110 DVLOG(1) << "PK11_Encrypt failed"; | |
111 return false; | |
112 } | |
113 | |
114 if (output_len != ciphertext_size) { | |
115 DVLOG(1) << "Wrong output length"; | |
116 return false; | |
117 } | |
118 | |
119 return true; | |
120 } | |
121 | |
122 bool AeadBaseEncrypter::EncryptPacket(QuicPathId path_id, | |
123 QuicPacketNumber packet_number, | |
124 StringPiece associated_data, | |
125 StringPiece plaintext, | |
126 char* output, | |
127 size_t* output_length, | |
128 size_t max_output_length) { | |
129 size_t ciphertext_size = GetCiphertextSize(plaintext.length()); | |
130 if (max_output_length < ciphertext_size) { | |
131 return false; | |
132 } | |
133 // TODO(ianswett): Introduce a check to ensure that we don't encrypt with the | |
134 // same packet number twice. | |
135 const size_t nonce_size = nonce_prefix_size_ + sizeof(packet_number); | |
136 ALIGNAS(4) char nonce_buffer[kMaxNonceSize]; | |
137 memcpy(nonce_buffer, nonce_prefix_, nonce_prefix_size_); | |
138 uint64_t path_id_packet_number = | |
139 QuicUtils::PackPathIdAndPacketNumber(path_id, packet_number); | |
140 memcpy(nonce_buffer + nonce_prefix_size_, &path_id_packet_number, | |
141 sizeof(path_id_packet_number)); | |
142 if (!Encrypt(StringPiece(nonce_buffer, nonce_size), associated_data, | |
143 plaintext, reinterpret_cast<unsigned char*>(output))) { | |
144 return false; | |
145 } | |
146 *output_length = ciphertext_size; | |
147 return true; | |
148 } | |
149 | |
150 size_t AeadBaseEncrypter::GetKeySize() const { | |
151 return key_size_; | |
152 } | |
153 | |
154 size_t AeadBaseEncrypter::GetNoncePrefixSize() const { | |
155 return nonce_prefix_size_; | |
156 } | |
157 | |
158 size_t AeadBaseEncrypter::GetMaxPlaintextSize(size_t ciphertext_size) const { | |
159 return ciphertext_size - auth_tag_size_; | |
160 } | |
161 | |
162 size_t AeadBaseEncrypter::GetCiphertextSize(size_t plaintext_size) const { | |
163 return plaintext_size + auth_tag_size_; | |
164 } | |
165 | |
166 StringPiece AeadBaseEncrypter::GetKey() const { | |
167 return StringPiece(reinterpret_cast<const char*>(key_), key_size_); | |
168 } | |
169 | |
170 StringPiece AeadBaseEncrypter::GetNoncePrefix() const { | |
171 if (nonce_prefix_size_ == 0) { | |
172 return StringPiece(); | |
173 } | |
174 return StringPiece(reinterpret_cast<const char*>(nonce_prefix_), | |
175 nonce_prefix_size_); | |
176 } | |
177 | |
178 } // namespace net | |
OLD | NEW |