Implement support for draft-ietf-webpush-encryption-08

components/gcm_driver/crypto/gcm_message_cryptographer.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/gcm_driver/crypto/gcm_message_cryptographer.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <algorithm>
@@ skipping 33 matching lines @@
 // https://tools.ietf.org/html/draft-ietf-webpush-encryption-03
 // https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02
 class WebPushEncryptionDraft03
     : public GCMMessageCryptographer::EncryptionScheme {
  public:
   WebPushEncryptionDraft03() = default;
   ~WebPushEncryptionDraft03() override = default;
 
   // GCMMessageCryptographer::EncryptionScheme implementation.
   std::string DerivePseudoRandomKey(
+      const base::StringPiece& /* recipient_public_key */,
+      const base::StringPiece& /* sender_public_key */,
       const base::StringPiece& ecdh_shared_secret,
       const base::StringPiece& auth_secret) override {
     std::stringstream info_stream;
     info_stream << "Content-Encoding: auth" << '\x00';

[Peter Beverloo, 2017/05/18 17:10:21]

Updated this too per the previous CL.

 
     crypto::HKDF hkdf(ecdh_shared_secret, auth_secret, info_stream.str(),
                       32, /* key_bytes_to_generate */
                       0,  /* iv_bytes_to_generate */
                       0 /* subkey_secret_bytes_to_generate */);
 
     return hkdf.client_write_key().as_string();
   }
 
   // Creates the info parameter for an HKDF value for the given
@@ skipping 82 matching lines @@
     }
 
     record.remove_prefix(padding_length);
     return true;
   }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(WebPushEncryptionDraft03);
 };
 
+// Implementation of draft 08 of the Web Push Encryption standard:
+// https://tools.ietf.org/html/draft-ietf-webpush-encryption-08
+// https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-07
+class WebPushEncryptionDraft08
+    : public GCMMessageCryptographer::EncryptionScheme {
+ public:
+  WebPushEncryptionDraft08() = default;
+  ~WebPushEncryptionDraft08() override = default;
+
+  // GCMMessageCryptographer::EncryptionScheme implementation.
+  std::string DerivePseudoRandomKey(
+      const base::StringPiece& recipient_public_key,
+      const base::StringPiece& sender_public_key,
+      const base::StringPiece& ecdh_shared_secret,
+      const base::StringPiece& auth_secret) override {
+    std::stringstream info_stream;

[eroman, 2017/05/16 21:03:27]

same comment as on other CLs -- i don't think stringstream is the best way to do
appends.

[Peter Beverloo, 2017/05/18 17:10:21]

Done.

+    info_stream << "WebPush: info" << '\x00';
+    info_stream << recipient_public_key;
+    info_stream << sender_public_key;
+
+    const std::string info = info_stream.str();
+    DCHECK_EQ(info.size(), 144u);
+
+    crypto::HKDF hkdf(ecdh_shared_secret, auth_secret, info_stream.str(),
+                      32, /* key_bytes_to_generate */
+                      0,  /* iv_bytes_to_generate */
+                      0 /* subkey_secret_bytes_to_generate */);
+
+    return hkdf.client_write_key().as_string();
+  }
+
+  // The info string used for generating the content encryption key and the
+  // nonce was simplified in draft-ietf-webpush-encryption-08, because the
+  // public keys of both the recipient and the sender are now in the PRK.
+  std::string GenerateInfoForContentEncoding(
+      EncodingType type,
+      const base::StringPiece& /* recipient_public_key */,
+      const base::StringPiece& /* sender_public_key */) override {
+    std::stringstream info_stream;
+    info_stream << "Content-Encoding: ";
+
+    switch (type) {
+      case EncodingType::CONTENT_ENCRYPTION_KEY:
+        info_stream << "aes128gcm";
+        break;
+      case EncodingType::NONCE:
+        info_stream << "nonce";
+        break;
+    }
+
+    info_stream << '\x00';
+    return info_stream.str();
+  }
+
+  // draft-ietf-webpush-encryption-08 defines that the padding follows the
+  // plaintext of a message. A delimiter byte (0x02 for the final record) will
+  // be added, and then zero or more bytes of padding.
+  //
+  // TODO(peter): Add support for message padding if the GCMMessageCryptographer
+  // starts encrypting payloads for reasons other than testing.
+  std::string CreateRecord(const base::StringPiece& plaintext) override {
+    std::string record;
+    record.reserve(plaintext.size() + sizeof(uint8_t));
+    plaintext.AppendToString(&record);
+
+    record.append(sizeof(uint8_t), '\x02');
+    return record;
+  }
+
+  // The record padding in draft-ietf-webpush-encryption-08 is included at the
+  // end of the record. The length is not defined, but all padding bytes must be
+  // zero until the delimiter (0x02) is found.
+  bool ValidateAndRemovePadding(base::StringPiece& record) override {
+    size_t padding_length = 1;
+    for (; padding_length < record.size(); ++padding_length) {
+      size_t offset = record.size() - padding_length;
+
+      if (record[offset] == 0x02 /* padding delimiter octet */)
+        break;
+
+      if (record[offset] != 0x00 /* valid padding byte */)
+        return false;
+    }
+
+    record.remove_suffix(padding_length);

[eroman, 2017/05/16 21:03:27]

Is this correct in the case where we don't loop?

i.e. if record.size() <= 1, we will remove 1 byte from record, without actually
having checked its value.

Maybe it would be clearer to structure it so the stripping is only done after
finding 0x02, and falling-through outside the loop returns false.

[Peter Beverloo, 2017/05/18 17:10:21]

I added a DCHECK to verify that record.size() >= 1, since the ciphertext length
validation covers that. To make sure we cover the record.size() == 1 case I've
changed the "<" on line 236 to "<=".

+    return true;
+  }
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(WebPushEncryptionDraft08);
+};
+
 }  // namespace
 
 const size_t GCMMessageCryptographer::kAuthenticationTagBytes = 16;
 const size_t GCMMessageCryptographer::kSaltSize = 16;
 
 GCMMessageCryptographer::GCMMessageCryptographer(Version version) {
   switch (version) {
     case Version::DRAFT_03:
       encryption_scheme_ = base::MakeUnique<WebPushEncryptionDraft03>();
       return;
+    case Version::DRAFT_08:
+      encryption_scheme_ = base::MakeUnique<WebPushEncryptionDraft08>();
+      return;
   }
 
   NOTREACHED();
 }
 
 GCMMessageCryptographer::~GCMMessageCryptographer() = default;
 
 bool GCMMessageCryptographer::Encrypt(
     const base::StringPiece& recipient_public_key,
     const base::StringPiece& sender_public_key,
     const base::StringPiece& ecdh_shared_secret,
     const base::StringPiece& auth_secret,
     const base::StringPiece& salt,
     const base::StringPiece& plaintext,
     size_t* record_size,
     std::string* ciphertext) const {
   DCHECK_EQ(recipient_public_key.size(), 65u);
   DCHECK_EQ(sender_public_key.size(), 65u);
   DCHECK_EQ(ecdh_shared_secret.size(), 32u);
   DCHECK_EQ(auth_secret.size(), 16u);
   DCHECK_EQ(salt.size(), 16u);
   DCHECK(record_size);
   DCHECK(ciphertext);
 
   std::string prk = encryption_scheme_->DerivePseudoRandomKey(
-      ecdh_shared_secret, auth_secret);
+      recipient_public_key, sender_public_key, ecdh_shared_secret, auth_secret);
 
   std::string content_encryption_key = DeriveContentEncryptionKey(
       recipient_public_key, sender_public_key, prk, salt);
   std::string nonce =
       DeriveNonce(recipient_public_key, sender_public_key, prk, salt);
 
   std::string record = encryption_scheme_->CreateRecord(plaintext);
   std::string encrypted_record;
 
   if (!TransformRecord(Direction::ENCRYPT, record, content_encryption_key,
@@ skipping 22 matching lines @@
   DCHECK_EQ(sender_public_key.size(), 65u);
   DCHECK_EQ(ecdh_shared_secret.size(), 32u);
   DCHECK_EQ(auth_secret.size(), 16u);
   DCHECK_EQ(salt.size(), 16u);
   DCHECK(plaintext);
 
   if (record_size <= 1)
     return false;
 
   std::string prk = encryption_scheme_->DerivePseudoRandomKey(
-      ecdh_shared_secret, auth_secret);
+      recipient_public_key, sender_public_key, ecdh_shared_secret, auth_secret);
 
   std::string content_encryption_key = DeriveContentEncryptionKey(
       recipient_public_key, sender_public_key, prk, salt);
 
   std::string nonce =
       DeriveNonce(recipient_public_key, sender_public_key, prk, salt);
 
   // The |ciphertext| must be at least of size kAuthenticationTagBytes, which
   // is the case when an empty message with a zero padding length has been
   // received. The |record_size| must be large enough to use only one record.
@@ skipping 103 matching lines @@
                     0 /* subkey_secret_bytes_to_generate */);
 
   // draft-ietf-httpbis-encryption-encoding defines that the result should
   // be XOR'ed with the record's sequence number, however, Web Push encryption
   // is limited to a single record per draft-ietf-webpush-encryption.
 
   return hkdf.client_write_key().as_string();
 }
 
 }  // namespace gcm