OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "components/gcm_driver/crypto/gcm_message_cryptographer.h" | 5 #include "components/gcm_driver/crypto/gcm_message_cryptographer.h" |
6 | 6 |
7 #include <stddef.h> | 7 #include <stddef.h> |
8 #include <stdint.h> | 8 #include <stdint.h> |
9 | 9 |
10 #include <algorithm> | 10 #include <algorithm> |
11 #include <sstream> | 11 #include <sstream> |
12 | 12 |
13 #include "base/logging.h" | 13 #include "base/logging.h" |
14 #include "base/numerics/safe_math.h" | 14 #include "base/numerics/safe_math.h" |
15 #include "base/strings/string_util.h" | 15 #include "base/strings/string_util.h" |
16 #include "base/sys_byteorder.h" | 16 #include "base/sys_byteorder.h" |
17 #include "crypto/hkdf.h" | 17 #include "crypto/hkdf.h" |
18 #include "third_party/boringssl/src/include/openssl/aead.h" | 18 #include "third_party/boringssl/src/include/openssl/aead.h" |
19 | 19 |
20 namespace gcm { | 20 namespace gcm { |
21 namespace { | 21 namespace { |
22 | 22 |
23 // Size, in bytes, of the nonce for a record. This must be at least the size | 23 // Size, in bytes, of the nonce for a record. This must be at least the size |
24 // of a uint64_t, which is used to indicate the record sequence number. | 24 // of a uint64_t, which is used to indicate the record sequence number. |
25 const uint64_t kNonceSize = 12; | 25 const uint64_t kNonceSize = 12; |
26 | 26 |
27 // The default record size as defined by draft-thomson-http-encryption. | 27 // The default record size as defined by httpbis-encryption-encoding-06. |
28 const size_t kDefaultRecordSize = 4096; | 28 const size_t kDefaultRecordSize = 4096; |
29 | 29 |
30 // Key size, in bytes, of a valid AEAD_AES_128_GCM key. | 30 // Key size, in bytes, of a valid AEAD_AES_128_GCM key. |
31 const size_t kContentEncryptionKeySize = 16; | 31 const size_t kContentEncryptionKeySize = 16; |
32 | 32 |
33 // The BoringSSL functions used to seal (encrypt) and open (decrypt) a payload | 33 // The BoringSSL functions used to seal (encrypt) and open (decrypt) a payload |
34 // follow the same prototype, declared as follows. | 34 // follow the same prototype, declared as follows. |
35 using EVP_AEAD_CTX_TransformFunction = | 35 using EVP_AEAD_CTX_TransformFunction = |
36 int(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, | 36 int(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, |
37 size_t max_out_len, const uint8_t *nonce, size_t nonce_len, | 37 size_t max_out_len, const uint8_t *nonce, size_t nonce_len, |
38 const uint8_t *in, size_t in_len, const uint8_t *ad, size_t ad_len); | 38 const uint8_t *in, size_t in_len, const uint8_t *ad, size_t ad_len); |
39 | 39 |
40 // Creates the info parameter for an HKDF value for the given |content_encoding| | 40 // Creates the info parameter for an HKDF value for the given |content_encoding| |
41 // in accordance with draft-thomson-http-encryption. | 41 // in accordance with draft-thomson-http-encryption. |
42 // | 42 // |
43 // cek_info = "Content-Encoding: aesgcm" || 0x00 || context | 43 // cek_info = "Content-Encoding: aesgcm" || 0x00 || context |
44 // nonce_info = "Content-Encoding: nonce" || 0x00 || context | 44 // nonce_info = "Content-Encoding: nonce" || 0x00 || context |
45 // | 45 // |
46 // context = label || 0x00 || | 46 // context = "P-256" || 0x00 || |
47 // length(recipient_public) || recipient_public || | 47 // length(recipient_public) || recipient_public || |
48 // length(sender_public) || sender_public | 48 // length(sender_public) || sender_public |
49 // | 49 // |
50 // The length of the public keys must be written as a two octet unsigned integer | 50 // The length of the public keys must be written as a two octet unsigned integer |
51 // in network byte order (big endian). | 51 // in network byte order (big endian). |
52 std::string InfoForContentEncoding( | 52 std::string InfoForContentEncoding( |
53 const char* content_encoding, | 53 const char* content_encoding, |
54 GCMMessageCryptographer::Label label, | |
55 const base::StringPiece& recipient_public_key, | 54 const base::StringPiece& recipient_public_key, |
56 const base::StringPiece& sender_public_key) { | 55 const base::StringPiece& sender_public_key) { |
57 DCHECK(GCMMessageCryptographer::Label::P256 == label); | |
58 DCHECK_EQ(recipient_public_key.size(), 65u); | 56 DCHECK_EQ(recipient_public_key.size(), 65u); |
59 DCHECK_EQ(sender_public_key.size(), 65u); | 57 DCHECK_EQ(sender_public_key.size(), 65u); |
60 | 58 |
61 std::stringstream info_stream; | 59 std::stringstream info_stream; |
62 info_stream << "Content-Encoding: " << content_encoding << '\x00'; | 60 info_stream << "Content-Encoding: " << content_encoding << '\x00'; |
63 | 61 info_stream << "P-256" << '\x00'; |
64 switch (label) { | |
65 case GCMMessageCryptographer::Label::P256: | |
66 info_stream << "P-256" << '\x00'; | |
67 break; | |
68 } | |
69 | 62 |
70 uint16_t local_len = | 63 uint16_t local_len = |
71 base::HostToNet16(static_cast<uint16_t>(recipient_public_key.size())); | 64 base::HostToNet16(static_cast<uint16_t>(recipient_public_key.size())); |
72 info_stream.write(reinterpret_cast<char*>(&local_len), sizeof(local_len)); | 65 info_stream.write(reinterpret_cast<char*>(&local_len), sizeof(local_len)); |
73 info_stream << recipient_public_key; | 66 info_stream << recipient_public_key; |
74 | 67 |
75 uint16_t peer_len = | 68 uint16_t peer_len = |
76 base::HostToNet16(static_cast<uint16_t>(sender_public_key.size())); | 69 base::HostToNet16(static_cast<uint16_t>(sender_public_key.size())); |
77 info_stream.write(reinterpret_cast<char*>(&peer_len), sizeof(peer_len)); | 70 info_stream.write(reinterpret_cast<char*>(&peer_len), sizeof(peer_len)); |
78 info_stream << sender_public_key; | 71 info_stream << sender_public_key; |
79 | 72 |
80 return info_stream.str(); | 73 return info_stream.str(); |
81 } | 74 } |
82 | 75 |
83 } // namespace | 76 } // namespace |
84 | 77 |
85 const size_t GCMMessageCryptographer::kAuthenticationTagBytes = 16; | 78 const size_t GCMMessageCryptographer::kAuthenticationTagBytes = 16; |
86 const size_t GCMMessageCryptographer::kSaltSize = 16; | 79 const size_t GCMMessageCryptographer::kSaltSize = 16; |
87 | 80 |
88 GCMMessageCryptographer::GCMMessageCryptographer( | 81 GCMMessageCryptographer::GCMMessageCryptographer( |
89 Label label, | |
90 const base::StringPiece& recipient_public_key, | 82 const base::StringPiece& recipient_public_key, |
91 const base::StringPiece& sender_public_key, | 83 const base::StringPiece& sender_public_key, |
92 const std::string& auth_secret) | 84 const std::string& auth_secret) |
93 : content_encryption_key_info_( | 85 : content_encryption_key_info_( |
94 InfoForContentEncoding("aesgcm", label, recipient_public_key, | 86 InfoForContentEncoding("aesgcm", recipient_public_key, |
95 sender_public_key)), | 87 sender_public_key)), |
96 nonce_info_( | 88 nonce_info_( |
97 InfoForContentEncoding("nonce", label, recipient_public_key, | 89 InfoForContentEncoding("nonce", recipient_public_key, |
98 sender_public_key)), | 90 sender_public_key)), |
99 auth_secret_(auth_secret) { | 91 auth_secret_(auth_secret) { |
100 } | 92 } |
101 | 93 |
102 GCMMessageCryptographer::~GCMMessageCryptographer() {} | 94 GCMMessageCryptographer::~GCMMessageCryptographer() {} |
103 | 95 |
104 bool GCMMessageCryptographer::Encrypt(const base::StringPiece& plaintext, | 96 bool GCMMessageCryptographer::Encrypt(const base::StringPiece& plaintext, |
105 const base::StringPiece& ikm, | 97 const base::StringPiece& ikm, |
106 const base::StringPiece& salt, | 98 const base::StringPiece& salt, |
107 size_t* record_size, | 99 size_t* record_size, |
(...skipping 190 matching lines...)
298 0 /* subkey_secret_bytes_to_generate */); | 290 0 /* subkey_secret_bytes_to_generate */); |
299 | 291 |
300 // draft-thomson-http-encryption defines that the result should be XOR'ed with | 292 // draft-thomson-http-encryption defines that the result should be XOR'ed with |
301 // the record's sequence number, however, Web Push encryption is limited to a | 293 // the record's sequence number, however, Web Push encryption is limited to a |
302 // single record per draft-ietf-webpush-encryption. | 294 // single record per draft-ietf-webpush-encryption. |
303 | 295 |
304 return hkdf.client_write_key().as_string(); | 296 return hkdf.client_write_key().as_string(); |
305 } | 297 } |
306 | 298 |
307 } // namespace gcm | 299 } // namespace gcm |
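Review bot: With the label argument gone, the only input validation left in InfoForContentEncoding (new lines 56-57) is the pair of `DCHECK_EQ(..., 65u)` size checks, which are normally compiled out of release builds. A key of any other length would then be folded into the HKDF info string unchecked, and `static_cast<uint16_t>` would silently truncate a length above 65535. The sender's public key presumably comes from the incoming message, and the callers are not visible on this page, so confirm that they reject anything that is not a 65-byte uncompressed P-256 point before a GCMMessageCryptographer is constructed. At minimum I would document the precondition above the function, e.g. `// Both keys must already be validated as 65-byte uncompressed P-256 points; the DCHECKs below are debug-only.` Separately, the comments at new lines 41 and 292 still cite draft-thomson-http-encryption while new line 27 now cites httpbis-encryption-encoding-06, so the references should be made to agree.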