net/quic/crypto/aead_base_decrypter_nss.cc - Issue 189893002: Add ChaCha20Poly1305Encrypter, based on

Unified Diff: net/quic/crypto/aead_base_decrypter_nss.cc

Issue 189893002: Add ChaCha20Poly1305Encrypter, based on (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/

Patch Set: Move GCM-specific code back to the Aes128Gcm12En/Decrypter classes Created 6 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« net/quic/crypto/aead_base_decrypter.h ('K') | « net/quic/crypto/aead_base_decrypter.h ('k') | net/quic/crypto/aead_base_decrypter_openssl.cc » ('j') | net/quic/crypto/aead_base_encrypter.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: net/quic/crypto/aead_base_decrypter_nss.cc

===================================================================

--- net/quic/crypto/aead_base_decrypter_nss.cc (revision 255481)

+++ net/quic/crypto/aead_base_decrypter_nss.cc (working copy)

@@ -2,294 +2,58 @@

// Use of this source code is governed by a BSD-style license that can be

// found in the LICENSE file.

-#include "net/quic/crypto/aes_128_gcm_12_decrypter.h"

+#include "net/quic/crypto/aead_base_decrypter.h"

-#include <nss.h>

#include <pk11pub.h>

-#include <secerr.h>

-#include "base/lazy_instance.h"

#include "base/memory/scoped_ptr.h"

-#include "crypto/ghash.h"

#include "crypto/scoped_nss_types.h"

-#if defined(USE_NSS)

-#include <dlfcn.h>

-#endif

using base::StringPiece;

namespace net {

-namespace {

-// The pkcs11t.h header in NSS versions older than 3.14 does not have the CTR

-// and GCM types, so define them here.

-#if !defined(CKM_AES_CTR)

-#define CKM_AES_CTR 0x00001086

-#define CKM_AES_GCM 0x00001087

-struct CK_AES_CTR_PARAMS {

- CK_ULONG ulCounterBits;

- CK_BYTE cb[16];

-};

-struct CK_GCM_PARAMS {

- CK_BYTE_PTR pIv;

- CK_ULONG ulIvLen;

- CK_BYTE_PTR pAAD;

- CK_ULONG ulAADLen;

- CK_ULONG ulTagBits;

-};

-#endif // CKM_AES_CTR

-typedef SECStatus

-(*PK11_DecryptFunction)(

- PK11SymKey* symKey, CK_MECHANISM_TYPE mechanism, SECItem* param,

- unsigned char* out, unsigned int* outLen, unsigned int maxLen,

- const unsigned char* enc, unsigned encLen);

-// On Linux, dynamically link against the system version of libnss3.so. In

-// order to continue working on systems without up-to-date versions of NSS,

-// lookup PK11_Decrypt with dlsym.

-// GcmSupportChecker is a singleton which caches the results of runtime symbol

-// resolution of PK11_Decrypt.

-class GcmSupportChecker {

- public:

- static PK11_DecryptFunction pk11_decrypt_func() {

- return pk11_decrypt_func_;

- }

- static CK_MECHANISM_TYPE aes_key_mechanism() {

- return aes_key_mechanism_;

- }

- private:

- friend struct base::DefaultLazyInstanceTraits<GcmSupportChecker>;

- GcmSupportChecker() {

-#if !defined(USE_NSS)

- // Using a bundled version of NSS that is guaranteed to have this symbol.

- pk11_decrypt_func_ = PK11_Decrypt;

-#else

- // Using system NSS libraries and PCKS #11 modules, which may not have the

- // necessary function (PK11_Decrypt) or mechanism support (CKM_AES_GCM).

- // If PK11_Decrypt() was successfully resolved, then NSS will support

- // AES-GCM directly. This was introduced in NSS 3.15.

- pk11_decrypt_func_ = (PK11_DecryptFunction)dlsym(RTLD_DEFAULT,

- "PK11_Decrypt");

- if (pk11_decrypt_func_ == NULL) {

- aes_key_mechanism_ = CKM_AES_ECB;

- }

-#endif

- }

- // |pk11_decrypt_func_| stores the runtime symbol resolution of PK11_Decrypt.

- static PK11_DecryptFunction pk11_decrypt_func_;

- // The correct value for |aes_key_mechanism_| is CKM_AES_GCM, but because of

- // NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=853285 (to be fixed in

- // NSS 3.15), use CKM_AES_ECB for NSS versions older than 3.15.

- static CK_MECHANISM_TYPE aes_key_mechanism_;

-};

-// static

-PK11_DecryptFunction GcmSupportChecker::pk11_decrypt_func_ = NULL;

-// static

-CK_MECHANISM_TYPE GcmSupportChecker::aes_key_mechanism_ = CKM_AES_GCM;

-base::LazyInstance<GcmSupportChecker>::Leaky g_gcm_support_checker =

- LAZY_INSTANCE_INITIALIZER;

-const size_t kNoncePrefixSize = 4;

-const size_t kAESNonceSize = 12;

-// Calls PK11_Decrypt if it's available. Otherwise, emulates CKM_AES_GCM using

-// CKM_AES_CTR and the GaloisHash class.

-SECStatus My_Decrypt(PK11SymKey* key,

- CK_MECHANISM_TYPE mechanism,

- SECItem* param,

- unsigned char* out,

- unsigned int* out_len,

- unsigned int max_len,

- const unsigned char* enc,

- unsigned int enc_len) {

- // If PK11_Decrypt() was successfully resolved or if bundled version of NSS is

- // being used, then NSS will support AES-GCM directly.

- PK11_DecryptFunction pk11_decrypt_func =

- GcmSupportChecker::pk11_decrypt_func();

- if (pk11_decrypt_func != NULL) {

- return pk11_decrypt_func(key, mechanism, param, out, out_len, max_len, enc,

- enc_len);

- }

- // Otherwise, the user has an older version of NSS. Regrettably, NSS 3.14.x

- // has a bug in the AES GCM code

- // (https://bugzilla.mozilla.org/show_bug.cgi?id=853285), as well as missing

- // the PK11_Decrypt function

- // (https://bugzilla.mozilla.org/show_bug.cgi?id=854063), both of which are

- // resolved in NSS 3.15.

- DCHECK_EQ(mechanism, static_cast<CK_MECHANISM_TYPE>(CKM_AES_GCM));

- DCHECK_EQ(param->len, sizeof(CK_GCM_PARAMS));

- const CK_GCM_PARAMS* gcm_params =

- reinterpret_cast<CK_GCM_PARAMS*>(param->data);

- DCHECK_EQ(gcm_params->ulTagBits,

- static_cast<CK_ULONG>(Aes128Gcm12Decrypter::kAuthTagSize * 8));

- if (gcm_params->ulIvLen != 12u) {

- DVLOG(1) << "ulIvLen is not equal to 12";

- PORT_SetError(SEC_ERROR_INPUT_LEN);

- return SECFailure;

- }

- SECItem my_param = { siBuffer, NULL, 0 };

- // Step 2. Let H = CIPH_K(128 '0' bits).

- unsigned char ghash_key[16] = {0};

- crypto::ScopedPK11Context ctx(PK11_CreateContextBySymKey(

- CKM_AES_ECB, CKA_ENCRYPT, key, &my_param));

- if (!ctx) {

- DVLOG(1) << "PK11_CreateContextBySymKey failed";

- return SECFailure;

- }

- int output_len;

- if (PK11_CipherOp(ctx.get(), ghash_key, &output_len, sizeof(ghash_key),

- ghash_key, sizeof(ghash_key)) != SECSuccess) {

- DVLOG(1) << "PK11_CipherOp failed";

- return SECFailure;

- }

- PK11_Finalize(ctx.get());

- if (output_len != sizeof(ghash_key)) {

- DVLOG(1) << "Wrong output length";

- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);

- return SECFailure;

- }

- // Step 3. If len(IV)=96, then let J0 = IV || 31 '0' bits || 1.

- CK_AES_CTR_PARAMS ctr_params = {0};

- ctr_params.ulCounterBits = 32;

- memcpy(ctr_params.cb, gcm_params->pIv, gcm_params->ulIvLen);

- ctr_params.cb[12] = 0;

- ctr_params.cb[13] = 0;

- ctr_params.cb[14] = 0;

- ctr_params.cb[15] = 1;

- my_param.type = siBuffer;

- my_param.data = reinterpret_cast<unsigned char*>(&ctr_params);

- my_param.len = sizeof(ctr_params);

- ctx.reset(PK11_CreateContextBySymKey(CKM_AES_CTR, CKA_ENCRYPT, key,

- &my_param));

- if (!ctx) {

- DVLOG(1) << "PK11_CreateContextBySymKey failed";

- return SECFailure;

- }

- // Step 6. Calculate the encryption mask of GCTR_K(J0, ...).

- unsigned char tag_mask[16] = {0};

- if (PK11_CipherOp(ctx.get(), tag_mask, &output_len, sizeof(tag_mask),

- tag_mask, sizeof(tag_mask)) != SECSuccess) {

- DVLOG(1) << "PK11_CipherOp failed";

- return SECFailure;

- }

- if (output_len != sizeof(tag_mask)) {

- DVLOG(1) << "Wrong output length";

- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);

- return SECFailure;

- }

- if (enc_len < Aes128Gcm12Decrypter::kAuthTagSize) {

- PORT_SetError(SEC_ERROR_INPUT_LEN);

- return SECFailure;

- }

- // The const_cast for |enc| can be removed if system NSS libraries are

- // NSS 3.14.1 or later (NSS bug

- // https://bugzilla.mozilla.org/show_bug.cgi?id=808218).

- if (PK11_CipherOp(ctx.get(), out, &output_len, max_len,

- const_cast<unsigned char*>(enc),

- enc_len - Aes128Gcm12Decrypter::kAuthTagSize) != SECSuccess) {

- DVLOG(1) << "PK11_CipherOp failed";

- return SECFailure;

- }

- PK11_Finalize(ctx.get());

- if (static_cast<unsigned int>(output_len) !=

- enc_len - Aes128Gcm12Decrypter::kAuthTagSize) {

- DVLOG(1) << "Wrong output length";

- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);

- return SECFailure;

- }

- crypto::GaloisHash ghash(ghash_key);

- ghash.UpdateAdditional(gcm_params->pAAD, gcm_params->ulAADLen);

- ghash.UpdateCiphertext(enc, output_len);

- unsigned char auth_tag[Aes128Gcm12Decrypter::kAuthTagSize];

- ghash.Finish(auth_tag, Aes128Gcm12Decrypter::kAuthTagSize);

- for (unsigned int i = 0; i < Aes128Gcm12Decrypter::kAuthTagSize; i++) {

- auth_tag[i] ^= tag_mask[i];

- }

- if (NSS_SecureMemcmp(auth_tag, enc + output_len,

- Aes128Gcm12Decrypter::kAuthTagSize) != 0) {

- PORT_SetError(SEC_ERROR_BAD_DATA);

- return SECFailure;

- }

- *out_len = output_len;

- return SECSuccess;

+AeadBaseDecrypter::AeadBaseDecrypter(CK_MECHANISM_TYPE aead_mechanism,

+ PK11_DecryptFunction pk11_decrypt,

+ size_t key_size,

+ size_t auth_tag_size,

+ size_t nonce_prefix_size)

+ : aead_mechanism_(aead_mechanism),

+ pk11_decrypt_(pk11_decrypt),

+ key_size_(key_size),

+ auth_tag_size_(auth_tag_size),

+ nonce_prefix_size_(nonce_prefix_size) {

+ DCHECK_LE(key_size_, sizeof(key_));

+ DCHECK_LE(nonce_prefix_size_, sizeof(nonce_prefix_));

}

-} // namespace

+AeadBaseDecrypter::~AeadBaseDecrypter() {}

-Aes128Gcm12Decrypter::Aes128Gcm12Decrypter() {

- ignore_result(g_gcm_support_checker.Get());

-Aes128Gcm12Decrypter::~Aes128Gcm12Decrypter() {}

-// static

-bool Aes128Gcm12Decrypter::IsSupported() {

- // NSS 3.15 supports CKM_AES_GCM directly.

- // NSS 3.14 supports CKM_AES_CTR, which can be used to emulate CKM_AES_GCM.

- // Versions earlier than NSS 3.14 are not supported.

- return NSS_VersionCheck("3.14") != PR_FALSE;

-bool Aes128Gcm12Decrypter::SetKey(StringPiece key) {

- DCHECK_EQ(key.size(), sizeof(key_));

- if (key.size() != sizeof(key_)) {

+bool AeadBaseDecrypter::SetKey(StringPiece key) {

+ DCHECK_EQ(key.size(), key_size_);

+ if (key.size() != key_size_) {

return false;

}

memcpy(key_, key.data(), key.size());

return true;

}

-bool Aes128Gcm12Decrypter::SetNoncePrefix(StringPiece nonce_prefix) {

- DCHECK_EQ(nonce_prefix.size(), kNoncePrefixSize);

- if (nonce_prefix.size() != kNoncePrefixSize) {

+bool AeadBaseDecrypter::SetNoncePrefix(StringPiece nonce_prefix) {

+ DCHECK_EQ(nonce_prefix.size(), nonce_prefix_size_);

+ if (nonce_prefix.size() != nonce_prefix_size_) {

return false;

}

- COMPILE_ASSERT(sizeof(nonce_prefix_) == kNoncePrefixSize, bad_nonce_length);

memcpy(nonce_prefix_, nonce_prefix.data(), nonce_prefix.size());

return true;

}

-bool Aes128Gcm12Decrypter::Decrypt(StringPiece nonce,

- StringPiece associated_data,

- StringPiece ciphertext,

- uint8* output,

- size_t* output_length) {

- if (ciphertext.length() < kAuthTagSize ||

- nonce.size() != kNoncePrefixSize + sizeof(QuicPacketSequenceNumber)) {

+bool AeadBaseDecrypter::Decrypt(StringPiece nonce,

+ StringPiece associated_data,

+ StringPiece ciphertext,

+ uint8* output,

+ size_t* output_length) {

+ if (ciphertext.length() < auth_tag_size_ ||

+ nonce.size() != nonce_prefix_size_ + sizeof(QuicPacketSequenceNumber)) {

return false;

}

// NSS 3.14.x incorrectly requires an output buffer at least as long as

@@ -297,46 +61,49 @@

// https://bugzilla.mozilla.org/show_bug.cgi?id= 853674). Fortunately

// QuicDecrypter::Decrypt() specifies that |output| must be as long as

// |ciphertext| on entry.

- size_t plaintext_size = ciphertext.length() - kAuthTagSize;

+ size_t plaintext_size = ciphertext.length() - auth_tag_size_;

// Import key_ into NSS.

SECItem key_item;

key_item.type = siBuffer;

key_item.data = key_;

- key_item.len = sizeof(key_);

+ key_item.len = key_size_;

PK11SlotInfo* slot = PK11_GetInternalSlot();

+ // TODO(wtc): For an AES-GCM key, the correct value for |key_mechanism| is

+ // CKM_AES_GCM, but because of NSS bug

+ // https://bugzilla.mozilla.org/show_bug.cgi?id=853285, use CKM_AES_ECB as a

+ // workaround. Remove this when we require NSS 3.15.

+ CK_MECHANISM_TYPE key_mechanism = aead_mechanism_;

+ if (key_mechanism == CKM_AES_GCM) {

+ key_mechanism = CKM_AES_ECB;

+ }

wtc 2014/03/11 04:02:02 I just wanted to point out that the AEAD base clas

// The exact value of the |origin| argument doesn't matter to NSS as long as

// it's not PK11_OriginFortezzaHack, so pass PK11_OriginUnwrap as a

// placeholder.

- crypto::ScopedPK11SymKey aes_key(PK11_ImportSymKey(

- slot, GcmSupportChecker::aes_key_mechanism(), PK11_OriginUnwrap,

- CKA_DECRYPT, &key_item, NULL));

+ crypto::ScopedPK11SymKey aead_key(PK11_ImportSymKey(

+ slot, key_mechanism, PK11_OriginUnwrap, CKA_DECRYPT, &key_item, NULL));

PK11_FreeSlot(slot);

slot = NULL;

- if (!aes_key) {

+ if (!aead_key) {

DVLOG(1) << "PK11_ImportSymKey failed";

return false;

}

- CK_GCM_PARAMS gcm_params = {0};

- gcm_params.pIv =

- reinterpret_cast<CK_BYTE*>(const_cast<char*>(nonce.data()));

- gcm_params.ulIvLen = nonce.size();

- gcm_params.pAAD =

- reinterpret_cast<CK_BYTE*>(const_cast<char*>(associated_data.data()));

- gcm_params.ulAADLen = associated_data.size();

- gcm_params.ulTagBits = kAuthTagSize * 8;

+ AeadParams aead_params = {0};

+ FillAeadParams(nonce, associated_data, auth_tag_size_, &aead_params);

SECItem param;

param.type = siBuffer;

- param.data = reinterpret_cast<unsigned char*>(&gcm_params);

- param.len = sizeof(gcm_params);

+ param.data = reinterpret_cast<unsigned char*>(&aead_params.data);

+ param.len = aead_params.len;

unsigned int output_len;

- if (My_Decrypt(aes_key.get(), CKM_AES_GCM, &param,

- output, &output_len, ciphertext.length(),

- reinterpret_cast<const unsigned char*>(ciphertext.data()),

- ciphertext.length()) != SECSuccess) {

+ if (pk11_decrypt_(aead_key.get(), aead_mechanism_, &param,

+ output, &output_len, ciphertext.length(),

+ reinterpret_cast<const unsigned char*>(ciphertext.data()),

+ ciphertext.length()) != SECSuccess) {

return false;

}

@@ -348,21 +115,22 @@

return true;

}

-QuicData* Aes128Gcm12Decrypter::DecryptPacket(

+QuicData* AeadBaseDecrypter::DecryptPacket(

QuicPacketSequenceNumber sequence_number,

StringPiece associated_data,

StringPiece ciphertext) {

- if (ciphertext.length() < kAuthTagSize) {

+ if (ciphertext.length() < auth_tag_size_) {

return NULL;

}

size_t plaintext_size;

scoped_ptr<char[]> plaintext(new char[ciphertext.length()]);

- uint8 nonce[kNoncePrefixSize + sizeof(sequence_number)];

- COMPILE_ASSERT(sizeof(nonce) == kAESNonceSize, bad_sequence_number_size);

- memcpy(nonce, nonce_prefix_, kNoncePrefixSize);

- memcpy(nonce + kNoncePrefixSize, &sequence_number, sizeof(sequence_number));

- if (!Decrypt(StringPiece(reinterpret_cast<char*>(nonce), sizeof(nonce)),

+ uint8 nonce[sizeof(nonce_prefix_) + sizeof(sequence_number)];

+ const size_t nonce_size = nonce_prefix_size_ + sizeof(sequence_number);

+ DCHECK_LE(nonce_size, sizeof(nonce));

+ memcpy(nonce, nonce_prefix_, nonce_prefix_size_);

+ memcpy(nonce + nonce_prefix_size_, &sequence_number, sizeof(sequence_number));

+ if (!Decrypt(StringPiece(reinterpret_cast<char*>(nonce), nonce_size),

associated_data, ciphertext,

reinterpret_cast<uint8*>(plaintext.get()),

&plaintext_size)) {

@@ -371,13 +139,16 @@

return new QuicData(plaintext.release(), plaintext_size, true);

}

-StringPiece Aes128Gcm12Decrypter::GetKey() const {

- return StringPiece(reinterpret_cast<const char*>(key_), sizeof(key_));

+StringPiece AeadBaseDecrypter::GetKey() const {

+ return StringPiece(reinterpret_cast<const char*>(key_), key_size_);

}

-StringPiece Aes128Gcm12Decrypter::GetNoncePrefix() const {

+StringPiece AeadBaseDecrypter::GetNoncePrefix() const {

+ if (nonce_prefix_size_ == 0) {

+ return StringPiece();

+ }

return StringPiece(reinterpret_cast<const char*>(nonce_prefix_),

- kNoncePrefixSize);

+ nonce_prefix_size_);

}

} // namespace net