Add ChaCha20Poly1305Encrypter, based on

net/quic/crypto/aes_128_gcm_12_encrypter_nss.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/aes_128_gcm_12_encrypter.h"
 
-#include <nss.h>
 #include <pk11pub.h>
 #include <secerr.h>
 
 #include "base/lazy_instance.h"
-#include "base/memory/scoped_ptr.h"
 #include "crypto/ghash.h"
 #include "crypto/scoped_nss_types.h"
 
 #if defined(USE_NSS)
 #include <dlfcn.h>
 #endif
 
 using base::StringPiece;
 
 namespace net {
 
 namespace {
 
-// The pkcs11t.h header in NSS versions older than 3.14 does not have the CTR
-// and GCM types, so define them here.
-#if !defined(CKM_AES_CTR)
-#define CKM_AES_CTR 0x00001086
-#define CKM_AES_GCM 0x00001087
-
-struct CK_AES_CTR_PARAMS {
-  CK_ULONG ulCounterBits;
-  CK_BYTE cb[16];
-};
-
-struct CK_GCM_PARAMS {
-  CK_BYTE_PTR pIv;
-  CK_ULONG ulIvLen;
-  CK_BYTE_PTR pAAD;
-  CK_ULONG ulAADLen;
-  CK_ULONG ulTagBits;
-};
-#endif  // CKM_AES_CTR
-
-typedef SECStatus
-(*PK11_EncryptFunction)(
-    PK11SymKey* symKey, CK_MECHANISM_TYPE mechanism, SECItem* param,
-    unsigned char* out, unsigned int* outLen, unsigned int maxLen,
-    const unsigned char* data, unsigned int dataLen);
+const size_t kKeySize = 16;
+const size_t kNoncePrefixSize = 4;
 
 // On Linux, dynamically link against the system version of libnss3.so. In
 // order to continue working on systems without up-to-date versions of NSS,
 // lookup PK11_Encrypt with dlsym.
 
 // GcmSupportChecker is a singleton which caches the results of runtime symbol
 // resolution of PK11_Encrypt.
 class GcmSupportChecker {
  public:
   static PK11_EncryptFunction pk11_encrypt_func() {
     return pk11_encrypt_func_;
   }
 
-  static CK_MECHANISM_TYPE aes_key_mechanism() {
-    return aes_key_mechanism_;
-  }
-
  private:
   friend struct base::DefaultLazyInstanceTraits<GcmSupportChecker>;
 
   GcmSupportChecker() {
 #if !defined(USE_NSS)
     // Using a bundled version of NSS that is guaranteed to have this symbol.
     pk11_encrypt_func_ = PK11_Encrypt;
 #else
     // Using system NSS libraries and PCKS #11 modules, which may not have the
     // necessary function (PK11_Encrypt) or mechanism support (CKM_AES_GCM).
 
     // If PK11_Encrypt() was successfully resolved, then NSS will support
     // AES-GCM directly. This was introduced in NSS 3.15.
     pk11_encrypt_func_ = (PK11_EncryptFunction)dlsym(RTLD_DEFAULT,
                                                      "PK11_Encrypt");
-    if (pk11_encrypt_func_ == NULL) {
-      aes_key_mechanism_ = CKM_AES_ECB;
-    }
 #endif
   }
 
   // |pk11_encrypt_func_| stores the runtime symbol resolution of PK11_Encrypt.
   static PK11_EncryptFunction pk11_encrypt_func_;
-
-  // The correct value for |aes_key_mechanism_| is CKM_AES_GCM, but because of
-  // NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=853285 (to be fixed in
-  // NSS 3.15), use CKM_AES_ECB for NSS versions older than 3.15.
-  static CK_MECHANISM_TYPE aes_key_mechanism_;
 };
 
 // static
 PK11_EncryptFunction GcmSupportChecker::pk11_encrypt_func_ = NULL;
 
-// static
-CK_MECHANISM_TYPE GcmSupportChecker::aes_key_mechanism_ = CKM_AES_GCM;
-
 base::LazyInstance<GcmSupportChecker>::Leaky g_gcm_support_checker =
     LAZY_INSTANCE_INITIALIZER;
 
-const size_t kKeySize = 16;
-const size_t kNoncePrefixSize = 4;
-const size_t kAESNonceSize = 12;
-
 // Calls PK11_Encrypt if it's available.  Otherwise, emulates CKM_AES_GCM using
 // CKM_AES_CTR and the GaloisHash class.
 SECStatus My_Encrypt(PK11SymKey* key,
                      CK_MECHANISM_TYPE mechanism,
                      SECItem* param,
                      unsigned char* out,
                      unsigned int* out_len,
                      unsigned int max_len,
                      const unsigned char* data,
                      unsigned int data_len) {
@@ skipping 122 matching lines @@
   for (unsigned int i = 0; i < Aes128Gcm12Encrypter::kAuthTagSize; i++) {
     out[output_len + i] ^= tag_mask[i];
   }
 
   *out_len = output_len + Aes128Gcm12Encrypter::kAuthTagSize;
   return SECSuccess;
 }
 
 }  // namespace
 
-Aes128Gcm12Encrypter::Aes128Gcm12Encrypter() {
+Aes128Gcm12Encrypter::Aes128Gcm12Encrypter()
+    : AeadBaseEncrypter(CKM_AES_GCM, My_Encrypt, kKeySize, kAuthTagSize,
+                        kNoncePrefixSize) {
+  COMPILE_ASSERT(kKeySize <= kMaxKeySize, key_size_too_big);
+  COMPILE_ASSERT(kNoncePrefixSize <= kMaxNoncePrefixSize,
+                 nonce_prefix_size_too_big);
   ignore_result(g_gcm_support_checker.Get());
 }
 
 Aes128Gcm12Encrypter::~Aes128Gcm12Encrypter() {}
 
-bool Aes128Gcm12Encrypter::SetKey(StringPiece key) {
-  DCHECK_EQ(key.size(), sizeof(key_));
-  if (key.size() != sizeof(key_)) {
-    return false;
-  }
-  memcpy(key_, key.data(), key.size());
-  return true;
-}
-
-bool Aes128Gcm12Encrypter::SetNoncePrefix(StringPiece nonce_prefix) {
-  DCHECK_EQ(nonce_prefix.size(), kNoncePrefixSize);
-  if (nonce_prefix.size() != kNoncePrefixSize) {
-    return false;
-  }
-  COMPILE_ASSERT(sizeof(nonce_prefix_) == kNoncePrefixSize, bad_nonce_length);
-  memcpy(nonce_prefix_, nonce_prefix.data(), nonce_prefix.size());
-  return true;
-}
-
-bool Aes128Gcm12Encrypter::Encrypt(StringPiece nonce,
-                                   StringPiece associated_data,
-                                   StringPiece plaintext,
-                                   unsigned char* output) {
-  if (nonce.size() != kNoncePrefixSize + sizeof(QuicPacketSequenceNumber)) {
-    return false;
-  }
-
-  size_t ciphertext_size = GetCiphertextSize(plaintext.length());
-
-  // Import key_ into NSS.
-  SECItem key_item;
-  key_item.type = siBuffer;
-  key_item.data = key_;
-  key_item.len = sizeof(key_);
-  PK11SlotInfo* slot = PK11_GetInternalSlot();
-  // The exact value of the |origin| argument doesn't matter to NSS as long as
-  // it's not PK11_OriginFortezzaHack, so we pass PK11_OriginUnwrap as a
-  // placeholder.
-  crypto::ScopedPK11SymKey aes_key(PK11_ImportSymKey(
-      slot, GcmSupportChecker::aes_key_mechanism(), PK11_OriginUnwrap,
-      CKA_ENCRYPT, &key_item, NULL));
-  PK11_FreeSlot(slot);
-  slot = NULL;
-  if (!aes_key) {
-    DVLOG(1) << "PK11_ImportSymKey failed";
-    return false;
-  }
-
-  CK_GCM_PARAMS gcm_params = {0};
-  gcm_params.pIv =
+void Aes128Gcm12Encrypter::FillAeadParams(StringPiece nonce,
+                                          StringPiece associated_data,
+                                          size_t auth_tag_size,
+                                          AeadParams* aead_params) const {
+  aead_params->len = sizeof(aead_params->data.gcm_params);
+  CK_GCM_PARAMS* gcm_params = &aead_params->data.gcm_params;
+  gcm_params->pIv =
       reinterpret_cast<CK_BYTE*>(const_cast<char*>(nonce.data()));
-  gcm_params.ulIvLen = nonce.size();
-  gcm_params.pAAD =
+  gcm_params->ulIvLen = nonce.size();
+  gcm_params->pAAD =
       reinterpret_cast<CK_BYTE*>(const_cast<char*>(associated_data.data()));
-  gcm_params.ulAADLen = associated_data.size();
-  gcm_params.ulTagBits = kAuthTagSize * 8;
-
-  SECItem param;
-  param.type = siBuffer;
-  param.data = reinterpret_cast<unsigned char*>(&gcm_params);
-  param.len = sizeof(gcm_params);
-
-  unsigned int output_len;
-  if (My_Encrypt(aes_key.get(), CKM_AES_GCM, &param,
-                 output, &output_len, ciphertext_size,
-                 reinterpret_cast<const unsigned char*>(plaintext.data()),
-                 plaintext.size()) != SECSuccess) {
-    DVLOG(1) << "My_Encrypt failed";
-    return false;
-  }
-
-  if (output_len != ciphertext_size) {
-    DVLOG(1) << "Wrong output length";
-    return false;
-  }
-
-  return true;
-}
-
-QuicData* Aes128Gcm12Encrypter::EncryptPacket(
-    QuicPacketSequenceNumber sequence_number,
-    StringPiece associated_data,
-    StringPiece plaintext) {
-  size_t ciphertext_size = GetCiphertextSize(plaintext.length());
-  scoped_ptr<char[]> ciphertext(new char[ciphertext_size]);
-
-  // TODO(ianswett): Introduce a check to ensure that we don't encrypt with the
-  // same sequence number twice.
-  uint8 nonce[kNoncePrefixSize + sizeof(sequence_number)];
-  COMPILE_ASSERT(sizeof(nonce) == kAESNonceSize, bad_sequence_number_size);
-  memcpy(nonce, nonce_prefix_, kNoncePrefixSize);
-  memcpy(nonce + kNoncePrefixSize, &sequence_number, sizeof(sequence_number));
-  if (!Encrypt(StringPiece(reinterpret_cast<char*>(nonce), sizeof(nonce)),
-               associated_data, plaintext,
-               reinterpret_cast<unsigned char*>(ciphertext.get()))) {
-    return NULL;
-  }
-
-  return new QuicData(ciphertext.release(), ciphertext_size, true);
-}
-
-size_t Aes128Gcm12Encrypter::GetKeySize() const { return kKeySize; }
-
-size_t Aes128Gcm12Encrypter::GetNoncePrefixSize() const {
-  return kNoncePrefixSize;
-}
-
-size_t Aes128Gcm12Encrypter::GetMaxPlaintextSize(size_t ciphertext_size) const {
-  return ciphertext_size - kAuthTagSize;
-}
-
-// An AEAD_AES_128_GCM_12 ciphertext is exactly 12 bytes longer than its
-// corresponding plaintext.
-size_t Aes128Gcm12Encrypter::GetCiphertextSize(size_t plaintext_size) const {
-  return plaintext_size + kAuthTagSize;
-}
-
-StringPiece Aes128Gcm12Encrypter::GetKey() const {
-  return StringPiece(reinterpret_cast<const char*>(key_), sizeof(key_));
-}
-
-StringPiece Aes128Gcm12Encrypter::GetNoncePrefix() const {
-  return StringPiece(reinterpret_cast<const char*>(nonce_prefix_),
-                     kNoncePrefixSize);
+  gcm_params->ulAADLen = associated_data.size();
+  gcm_params->ulTagBits = auth_tag_size * 8;
 }
 
 }  // namespace net