Add ChaCha20Poly1305Encrypter, based on

net/quic/crypto/aead_base_decrypter_nss.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/quic/crypto/aes_128_gcm_12_decrypter.h"
+#include "net/quic/crypto/aead_base_decrypter.h"
 
-#include <nss.h>
 #include <pk11pub.h>
-#include <secerr.h>
 
-#include "base/lazy_instance.h"
 #include "base/memory/scoped_ptr.h"
-#include "crypto/ghash.h"
 #include "crypto/scoped_nss_types.h"
 
-#if defined(USE_NSS)
-#include <dlfcn.h>
-#endif
-
 using base::StringPiece;
 
 namespace net {
 
-namespace {
-
-// The pkcs11t.h header in NSS versions older than 3.14 does not have the CTR
-// and GCM types, so define them here.
-#if !defined(CKM_AES_CTR)
-#define CKM_AES_CTR 0x00001086
-#define CKM_AES_GCM 0x00001087
-
-struct CK_AES_CTR_PARAMS {
-  CK_ULONG ulCounterBits;
-  CK_BYTE cb[16];
-};
-
-struct CK_GCM_PARAMS {
-  CK_BYTE_PTR pIv;
-  CK_ULONG ulIvLen;
-  CK_BYTE_PTR pAAD;
-  CK_ULONG ulAADLen;
-  CK_ULONG ulTagBits;
-};
-#endif  // CKM_AES_CTR
-
-typedef SECStatus
-(*PK11_DecryptFunction)(
-    PK11SymKey* symKey, CK_MECHANISM_TYPE mechanism, SECItem* param,
-    unsigned char* out, unsigned int* outLen, unsigned int maxLen,
-    const unsigned char* enc, unsigned encLen);
-
-// On Linux, dynamically link against the system version of libnss3.so. In
-// order to continue working on systems without up-to-date versions of NSS,
-// lookup PK11_Decrypt with dlsym.
-
-// GcmSupportChecker is a singleton which caches the results of runtime symbol
-// resolution of PK11_Decrypt.
-class GcmSupportChecker {
- public:
-  static PK11_DecryptFunction pk11_decrypt_func() {
-    return pk11_decrypt_func_;
-  }
-
-  static CK_MECHANISM_TYPE aes_key_mechanism() {
-    return aes_key_mechanism_;
-  }
-
- private:
-  friend struct base::DefaultLazyInstanceTraits<GcmSupportChecker>;
-
-  GcmSupportChecker() {
-#if !defined(USE_NSS)
-    // Using a bundled version of NSS that is guaranteed to have this symbol.
-    pk11_decrypt_func_ = PK11_Decrypt;
-#else
-    // Using system NSS libraries and PCKS #11 modules, which may not have the
-    // necessary function (PK11_Decrypt) or mechanism support (CKM_AES_GCM).
-
-    // If PK11_Decrypt() was successfully resolved, then NSS will support
-    // AES-GCM directly. This was introduced in NSS 3.15.
-    pk11_decrypt_func_ = (PK11_DecryptFunction)dlsym(RTLD_DEFAULT,
-                                                     "PK11_Decrypt");
-    if (pk11_decrypt_func_ == NULL) {
-      aes_key_mechanism_ = CKM_AES_ECB;
-    }
-#endif
-  }
-
-  // |pk11_decrypt_func_| stores the runtime symbol resolution of PK11_Decrypt.
-  static PK11_DecryptFunction pk11_decrypt_func_;
-
-  // The correct value for |aes_key_mechanism_| is CKM_AES_GCM, but because of
-  // NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=853285 (to be fixed in
-  // NSS 3.15), use CKM_AES_ECB for NSS versions older than 3.15.
-  static CK_MECHANISM_TYPE aes_key_mechanism_;
-};
-
-// static
-PK11_DecryptFunction GcmSupportChecker::pk11_decrypt_func_ = NULL;
-
-// static
-CK_MECHANISM_TYPE GcmSupportChecker::aes_key_mechanism_ = CKM_AES_GCM;
-
-base::LazyInstance<GcmSupportChecker>::Leaky g_gcm_support_checker =
-    LAZY_INSTANCE_INITIALIZER;
-
-const size_t kNoncePrefixSize = 4;
-const size_t kAESNonceSize = 12;
-
-// Calls PK11_Decrypt if it's available.  Otherwise, emulates CKM_AES_GCM using
-// CKM_AES_CTR and the GaloisHash class.
-SECStatus My_Decrypt(PK11SymKey* key,
-                     CK_MECHANISM_TYPE mechanism,
-                     SECItem* param,
-                     unsigned char* out,
-                     unsigned int* out_len,
-                     unsigned int max_len,
-                     const unsigned char* enc,
-                     unsigned int enc_len) {
-  // If PK11_Decrypt() was successfully resolved or if bundled version of NSS is
-  // being used, then NSS will support AES-GCM directly.
-  PK11_DecryptFunction pk11_decrypt_func =
-      GcmSupportChecker::pk11_decrypt_func();
-  if (pk11_decrypt_func != NULL) {
-    return pk11_decrypt_func(key, mechanism, param, out, out_len, max_len, enc,
-                             enc_len);
-  }
-
-  // Otherwise, the user has an older version of NSS. Regrettably, NSS 3.14.x
-  // has a bug in the AES GCM code
-  // (https://bugzilla.mozilla.org/show_bug.cgi?id=853285), as well as missing
-  // the PK11_Decrypt function
-  // (https://bugzilla.mozilla.org/show_bug.cgi?id=854063), both of which are
-  // resolved in NSS 3.15.
-
-  DCHECK_EQ(mechanism, static_cast<CK_MECHANISM_TYPE>(CKM_AES_GCM));
-  DCHECK_EQ(param->len, sizeof(CK_GCM_PARAMS));
-
-  const CK_GCM_PARAMS* gcm_params =
-      reinterpret_cast<CK_GCM_PARAMS*>(param->data);
-
-  DCHECK_EQ(gcm_params->ulTagBits,
-            static_cast<CK_ULONG>(Aes128Gcm12Decrypter::kAuthTagSize * 8));
-  if (gcm_params->ulIvLen != 12u) {
-    DVLOG(1) << "ulIvLen is not equal to 12";
-    PORT_SetError(SEC_ERROR_INPUT_LEN);
-    return SECFailure;
-  }
-
-  SECItem my_param = { siBuffer, NULL, 0 };
-
-  // Step 2. Let H = CIPH_K(128 '0' bits).
-  unsigned char ghash_key[16] = {0};
-  crypto::ScopedPK11Context ctx(PK11_CreateContextBySymKey(
-      CKM_AES_ECB, CKA_ENCRYPT, key, &my_param));
-  if (!ctx) {
-    DVLOG(1) << "PK11_CreateContextBySymKey failed";
-    return SECFailure;
-  }
-  int output_len;
-  if (PK11_CipherOp(ctx.get(), ghash_key, &output_len, sizeof(ghash_key),
-                    ghash_key, sizeof(ghash_key)) != SECSuccess) {
-    DVLOG(1) << "PK11_CipherOp failed";
-    return SECFailure;
-  }
-
-  PK11_Finalize(ctx.get());
-
-  if (output_len != sizeof(ghash_key)) {
-    DVLOG(1) << "Wrong output length";
-    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-    return SECFailure;
-  }
-
-  // Step 3. If len(IV)=96, then let J0 = IV || 31 '0' bits || 1.
-  CK_AES_CTR_PARAMS ctr_params = {0};
-  ctr_params.ulCounterBits = 32;
-  memcpy(ctr_params.cb, gcm_params->pIv, gcm_params->ulIvLen);
-  ctr_params.cb[12] = 0;
-  ctr_params.cb[13] = 0;
-  ctr_params.cb[14] = 0;
-  ctr_params.cb[15] = 1;
-
-  my_param.type = siBuffer;
-  my_param.data = reinterpret_cast<unsigned char*>(&ctr_params);
-  my_param.len = sizeof(ctr_params);
-
-  ctx.reset(PK11_CreateContextBySymKey(CKM_AES_CTR, CKA_ENCRYPT, key,
-                                       &my_param));
-  if (!ctx) {
-    DVLOG(1) << "PK11_CreateContextBySymKey failed";
-    return SECFailure;
-  }
-
-  // Step 6. Calculate the encryption mask of GCTR_K(J0, ...).
-  unsigned char tag_mask[16] = {0};
-  if (PK11_CipherOp(ctx.get(), tag_mask, &output_len, sizeof(tag_mask),
-                    tag_mask, sizeof(tag_mask)) != SECSuccess) {
-    DVLOG(1) << "PK11_CipherOp failed";
-    return SECFailure;
-  }
-  if (output_len != sizeof(tag_mask)) {
-    DVLOG(1) << "Wrong output length";
-    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-    return SECFailure;
-  }
-
-  if (enc_len < Aes128Gcm12Decrypter::kAuthTagSize) {
-    PORT_SetError(SEC_ERROR_INPUT_LEN);
-    return SECFailure;
-  }
-
-  // The const_cast for |enc| can be removed if system NSS libraries are
-  // NSS 3.14.1 or later (NSS bug
-  // https://bugzilla.mozilla.org/show_bug.cgi?id=808218).
-  if (PK11_CipherOp(ctx.get(), out, &output_len, max_len,
-          const_cast<unsigned char*>(enc),
-          enc_len - Aes128Gcm12Decrypter::kAuthTagSize) != SECSuccess) {
-    DVLOG(1) << "PK11_CipherOp failed";
-    return SECFailure;
-  }
-
-  PK11_Finalize(ctx.get());
-
-  if (static_cast<unsigned int>(output_len) !=
-      enc_len - Aes128Gcm12Decrypter::kAuthTagSize) {
-    DVLOG(1) << "Wrong output length";
-    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-    return SECFailure;
-  }
-
-  crypto::GaloisHash ghash(ghash_key);
-  ghash.UpdateAdditional(gcm_params->pAAD, gcm_params->ulAADLen);
-  ghash.UpdateCiphertext(enc, output_len);
-  unsigned char auth_tag[Aes128Gcm12Decrypter::kAuthTagSize];
-  ghash.Finish(auth_tag, Aes128Gcm12Decrypter::kAuthTagSize);
-  for (unsigned int i = 0; i < Aes128Gcm12Decrypter::kAuthTagSize; i++) {
-    auth_tag[i] ^= tag_mask[i];
-  }
-
-  if (NSS_SecureMemcmp(auth_tag, enc + output_len,
-                       Aes128Gcm12Decrypter::kAuthTagSize) != 0) {
-    PORT_SetError(SEC_ERROR_BAD_DATA);
-    return SECFailure;
-  }
-
-  *out_len = output_len;
-  return SECSuccess;
+AeadBaseDecrypter::AeadBaseDecrypter(CK_MECHANISM_TYPE aead_mechanism,
+                                     PK11_DecryptFunction pk11_decrypt,
+                                     size_t key_size,
+                                     size_t auth_tag_size,
+                                     size_t nonce_prefix_size)
+    : aead_mechanism_(aead_mechanism),
+      pk11_decrypt_(pk11_decrypt),
+      key_size_(key_size),
+      auth_tag_size_(auth_tag_size),
+      nonce_prefix_size_(nonce_prefix_size) {
+  DCHECK_LE(key_size_, sizeof(key_));
+  DCHECK_LE(nonce_prefix_size_, sizeof(nonce_prefix_));
 }
 
-}  // namespace
+AeadBaseDecrypter::~AeadBaseDecrypter() {}
 
-Aes128Gcm12Decrypter::Aes128Gcm12Decrypter() {
-  ignore_result(g_gcm_support_checker.Get());
-}
-
-Aes128Gcm12Decrypter::~Aes128Gcm12Decrypter() {}
-
-// static
-bool Aes128Gcm12Decrypter::IsSupported() {
-  // NSS 3.15 supports CKM_AES_GCM directly.
-  // NSS 3.14 supports CKM_AES_CTR, which can be used to emulate CKM_AES_GCM.
-  // Versions earlier than NSS 3.14 are not supported.
-  return NSS_VersionCheck("3.14") != PR_FALSE;
-}
-
-bool Aes128Gcm12Decrypter::SetKey(StringPiece key) {
-  DCHECK_EQ(key.size(), sizeof(key_));
-  if (key.size() != sizeof(key_)) {
+bool AeadBaseDecrypter::SetKey(StringPiece key) {
+  DCHECK_EQ(key.size(), key_size_);
+  if (key.size() != key_size_) {
     return false;
   }
   memcpy(key_, key.data(), key.size());
   return true;
 }
 
-bool Aes128Gcm12Decrypter::SetNoncePrefix(StringPiece nonce_prefix) {
-  DCHECK_EQ(nonce_prefix.size(), kNoncePrefixSize);
-  if (nonce_prefix.size() != kNoncePrefixSize) {
+bool AeadBaseDecrypter::SetNoncePrefix(StringPiece nonce_prefix) {
+  DCHECK_EQ(nonce_prefix.size(), nonce_prefix_size_);
+  if (nonce_prefix.size() != nonce_prefix_size_) {
     return false;
   }
-  COMPILE_ASSERT(sizeof(nonce_prefix_) == kNoncePrefixSize, bad_nonce_length);
   memcpy(nonce_prefix_, nonce_prefix.data(), nonce_prefix.size());
   return true;
 }
 
-bool Aes128Gcm12Decrypter::Decrypt(StringPiece nonce,
-                                   StringPiece associated_data,
-                                   StringPiece ciphertext,
-                                   uint8* output,
-                                   size_t* output_length) {
-  if (ciphertext.length() < kAuthTagSize ||
-      nonce.size() != kNoncePrefixSize + sizeof(QuicPacketSequenceNumber)) {
+bool AeadBaseDecrypter::Decrypt(StringPiece nonce,
+                                StringPiece associated_data,
+                                StringPiece ciphertext,
+                                uint8* output,
+                                size_t* output_length) {
+  if (ciphertext.length() < auth_tag_size_ ||
+      nonce.size() != nonce_prefix_size_ + sizeof(QuicPacketSequenceNumber)) {
     return false;
   }
   // NSS 3.14.x incorrectly requires an output buffer at least as long as
   // the ciphertext (NSS bug
   // https://bugzilla.mozilla.org/show_bug.cgi?id= 853674). Fortunately
   // QuicDecrypter::Decrypt() specifies that |output| must be as long as
   // |ciphertext| on entry.
-  size_t plaintext_size = ciphertext.length() - kAuthTagSize;
+  size_t plaintext_size = ciphertext.length() - auth_tag_size_;
 
   // Import key_ into NSS.
   SECItem key_item;
   key_item.type = siBuffer;
   key_item.data = key_;
-  key_item.len = sizeof(key_);
+  key_item.len = key_size_;
   PK11SlotInfo* slot = PK11_GetInternalSlot();
+
+  // TODO(wtc): For an AES-GCM key, the correct value for |key_mechanism| is
+  // CKM_AES_GCM, but because of NSS bug
+  // https://bugzilla.mozilla.org/show_bug.cgi?id=853285, use CKM_AES_ECB as a
+  // workaround. Remove this when we require NSS 3.15.
+  CK_MECHANISM_TYPE key_mechanism = aead_mechanism_;
+  if (key_mechanism == CKM_AES_GCM) {
+    key_mechanism = CKM_AES_ECB;
+  }

[wtc, 2014/03/11 04:02:02]

I just wanted to point out that the AEAD base class still has this tiny bit of
GCM-specific code. It is possible to move this back to the Aes128Gcm12Decrypter
subclass, at the cost of adding another argument to the AEAD base class
constructor.

+
   // The exact value of the |origin| argument doesn't matter to NSS as long as
   // it's not PK11_OriginFortezzaHack, so pass PK11_OriginUnwrap as a
   // placeholder.
-  crypto::ScopedPK11SymKey aes_key(PK11_ImportSymKey(
-      slot, GcmSupportChecker::aes_key_mechanism(), PK11_OriginUnwrap,
-      CKA_DECRYPT, &key_item, NULL));
+  crypto::ScopedPK11SymKey aead_key(PK11_ImportSymKey(
+      slot, key_mechanism, PK11_OriginUnwrap, CKA_DECRYPT, &key_item, NULL));
   PK11_FreeSlot(slot);
   slot = NULL;
-  if (!aes_key) {
+  if (!aead_key) {
     DVLOG(1) << "PK11_ImportSymKey failed";
     return false;
   }
 
-  CK_GCM_PARAMS gcm_params = {0};
-  gcm_params.pIv =
-      reinterpret_cast<CK_BYTE*>(const_cast<char*>(nonce.data()));
-  gcm_params.ulIvLen = nonce.size();
-  gcm_params.pAAD =
-      reinterpret_cast<CK_BYTE*>(const_cast<char*>(associated_data.data()));
-  gcm_params.ulAADLen = associated_data.size();
-  gcm_params.ulTagBits = kAuthTagSize * 8;
+  AeadParams aead_params = {0};
+  FillAeadParams(nonce, associated_data, auth_tag_size_, &aead_params);
 
   SECItem param;
   param.type = siBuffer;
-  param.data = reinterpret_cast<unsigned char*>(&gcm_params);
-  param.len = sizeof(gcm_params);
+  param.data = reinterpret_cast<unsigned char*>(&aead_params.data);
+  param.len = aead_params.len;
 
   unsigned int output_len;
-  if (My_Decrypt(aes_key.get(), CKM_AES_GCM, &param,
-                 output, &output_len, ciphertext.length(),
-                 reinterpret_cast<const unsigned char*>(ciphertext.data()),
-                 ciphertext.length()) != SECSuccess) {
+  if (pk11_decrypt_(aead_key.get(), aead_mechanism_, &param,
+                    output, &output_len, ciphertext.length(),
+                    reinterpret_cast<const unsigned char*>(ciphertext.data()),
+                    ciphertext.length()) != SECSuccess) {
     return false;
   }
 
   if (output_len != plaintext_size) {
     DVLOG(1) << "Wrong output length";
     return false;
   }
   *output_length = output_len;
   return true;
 }
 
-QuicData* Aes128Gcm12Decrypter::DecryptPacket(
+QuicData* AeadBaseDecrypter::DecryptPacket(
     QuicPacketSequenceNumber sequence_number,
     StringPiece associated_data,
     StringPiece ciphertext) {
-  if (ciphertext.length() < kAuthTagSize) {
+  if (ciphertext.length() < auth_tag_size_) {
     return NULL;
   }
   size_t plaintext_size;
   scoped_ptr<char[]> plaintext(new char[ciphertext.length()]);
 
-  uint8 nonce[kNoncePrefixSize + sizeof(sequence_number)];
-  COMPILE_ASSERT(sizeof(nonce) == kAESNonceSize, bad_sequence_number_size);
-  memcpy(nonce, nonce_prefix_, kNoncePrefixSize);
-  memcpy(nonce + kNoncePrefixSize, &sequence_number, sizeof(sequence_number));
-  if (!Decrypt(StringPiece(reinterpret_cast<char*>(nonce), sizeof(nonce)),
+  uint8 nonce[sizeof(nonce_prefix_) + sizeof(sequence_number)];
+  const size_t nonce_size = nonce_prefix_size_ + sizeof(sequence_number);
+  DCHECK_LE(nonce_size, sizeof(nonce));
+  memcpy(nonce, nonce_prefix_, nonce_prefix_size_);
+  memcpy(nonce + nonce_prefix_size_, &sequence_number, sizeof(sequence_number));
+  if (!Decrypt(StringPiece(reinterpret_cast<char*>(nonce), nonce_size),
                associated_data, ciphertext,
                reinterpret_cast<uint8*>(plaintext.get()),
                &plaintext_size)) {
     return NULL;
   }
   return new QuicData(plaintext.release(), plaintext_size, true);
 }
 
-StringPiece Aes128Gcm12Decrypter::GetKey() const {
-  return StringPiece(reinterpret_cast<const char*>(key_), sizeof(key_));
+StringPiece AeadBaseDecrypter::GetKey() const {
+  return StringPiece(reinterpret_cast<const char*>(key_), key_size_);
 }
 
-StringPiece Aes128Gcm12Decrypter::GetNoncePrefix() const {
+StringPiece AeadBaseDecrypter::GetNoncePrefix() const {
+  if (nonce_prefix_size_ == 0) {
+    return StringPiece();
+  }
   return StringPiece(reinterpret_cast<const char*>(nonce_prefix_),
-                     kNoncePrefixSize);
+                     nonce_prefix_size_);
 }
 
 }  // namespace net