| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "content/child/webcrypto/crypto_data.h" |
| 6 #include "content/child/webcrypto/nss/aes_key_nss.h" |
| 7 #include "content/child/webcrypto/nss/key_nss.h" |
| 8 #include "content/child/webcrypto/nss/util_nss.h" |
| 9 #include "content/child/webcrypto/status.h" |
| 10 #include "content/child/webcrypto/webcrypto_util.h" |
| 11 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h" |
| 12 |
| 13 // At the time of this writing: |
| 14 // * Windows and Mac builds ship with their own copy of NSS (3.15+) |
| 15 // * Linux builds use the system's libnss, which is 3.14 on Debian (but 3.15+ |
| 16 // on other distros). |
| 17 // |
| 18 // Since NSS provides AES-GCM support starting in version 3.15, it may be |
| 19 // unavailable for Linux Chrome users. |
| 20 // |
| 21 // * !defined(CKM_AES_GCM) |
| 22 // |
| 23 // This means that at build time, the NSS header pkcs11t.h is older than |
| 24 // 3.15. However at runtime support may be present. |
| 25 // |
| 26 // * !defined(USE_NSS) |
| 27 // |
| 28 // This means that Chrome is being built with an embedded copy of NSS, |
| 29 // which can be assumed to be >= 3.15. On the other hand if USE_NSS is |
| 30 // defined, it also implies running on Linux. |
| 31 // |
| 32 // TODO(eroman): Simplify this once 3.15+ is required by Linux builds. |
| 33 #if !defined(CKM_AES_GCM) |
| 34 #define CKM_AES_GCM 0x00001087 |
| 35 |
| 36 struct CK_GCM_PARAMS { |
| 37 CK_BYTE_PTR pIv; |
| 38 CK_ULONG ulIvLen; |
| 39 CK_BYTE_PTR pAAD; |
| 40 CK_ULONG ulAADLen; |
| 41 CK_ULONG ulTagBits; |
| 42 }; |
| 43 #endif // !defined(CKM_AES_GCM) |
| 44 |
| 45 namespace content { |
| 46 |
| 47 namespace webcrypto { |
| 48 |
| 49 namespace { |
| 50 |
| 51 Status NssSupportsAesGcm() { |
| 52 if (NssRuntimeSupport::Get()->IsAesGcmSupported()) |
| 53 return Status::Success(); |
| 54 return Status::ErrorUnsupported( |
| 55 "NSS version doesn't support AES-GCM. Try using version 3.15 or later"); |
| 56 } |
| 57 |
| 58 // Helper to either encrypt or decrypt for AES-GCM. The result of encryption is |
| 59 // the concatenation of the ciphertext and the authentication tag. Similarly, |
| 60 // this is the expectation for the input to decryption. |
| 61 Status AesGcmEncryptDecrypt(EncryptOrDecrypt mode, |
| 62 const blink::WebCryptoAlgorithm& algorithm, |
| 63 const blink::WebCryptoKey& key, |
| 64 const CryptoData& data, |
| 65 std::vector<uint8>* buffer) { |
| 66 Status status = NssSupportsAesGcm(); |
| 67 if (status.IsError()) |
| 68 return status; |
| 69 |
| 70 PK11SymKey* sym_key = SymKeyNss::Cast(key)->key(); |
| 71 const blink::WebCryptoAesGcmParams* params = algorithm.aesGcmParams(); |
| 72 if (!params) |
| 73 return Status::ErrorUnexpected(); |
| 74 |
| 75 unsigned int tag_length_bits = 128; |
| 76 if (params->hasTagLengthBits()) |
| 77 tag_length_bits = params->optionalTagLengthBits(); |
| 78 |
| 79 if (tag_length_bits != 32 && tag_length_bits != 64 && tag_length_bits != 96 && |
| 80 tag_length_bits != 104 && tag_length_bits != 112 && |
| 81 tag_length_bits != 120 && tag_length_bits != 128) |
| 82 return Status::ErrorInvalidAesGcmTagLength(); |
| 83 |
| 84 unsigned int tag_length_bytes = tag_length_bits / 8; |
| 85 |
| 86 CryptoData iv(params->iv()); |
| 87 CryptoData additional_data(params->optionalAdditionalData()); |
| 88 |
| 89 CK_GCM_PARAMS gcm_params = {0}; |
| 90 gcm_params.pIv = const_cast<unsigned char*>(iv.bytes()); |
| 91 gcm_params.ulIvLen = iv.byte_length(); |
| 92 |
| 93 gcm_params.pAAD = const_cast<unsigned char*>(additional_data.bytes()); |
| 94 gcm_params.ulAADLen = additional_data.byte_length(); |
| 95 |
| 96 gcm_params.ulTagBits = tag_length_bits; |
| 97 |
| 98 SECItem param; |
| 99 param.type = siBuffer; |
| 100 param.data = reinterpret_cast<unsigned char*>(&gcm_params); |
| 101 param.len = sizeof(gcm_params); |
| 102 |
| 103 unsigned int buffer_size = 0; |
| 104 |
| 105 // Calculate the output buffer size. |
| 106 if (mode == ENCRYPT) { |
| 107 // TODO(eroman): This is ugly, abstract away the safe integer arithmetic. |
| 108 if (data.byte_length() > (UINT_MAX - tag_length_bytes)) |
| 109 return Status::ErrorDataTooLarge(); |
| 110 buffer_size = data.byte_length() + tag_length_bytes; |
| 111 } else { |
| 112 // TODO(eroman): In theory the buffer allocated for the plain text should be |
| 113 // sized as |data.byte_length() - tag_length_bytes|. |
| 114 // |
| 115 // However NSS has a bug whereby it will fail if the output buffer size is |
| 116 // not at least as large as the ciphertext: |
| 117 // |
| 118 // https://bugzilla.mozilla.org/show_bug.cgi?id=%20853674 |
| 119 // |
| 120 // From the analysis of that bug it looks like it might be safe to pass a |
| 121 // correctly sized buffer but lie about its size. Since resizing the |
| 122 // WebCryptoArrayBuffer is expensive that hack may be worth looking into. |
| 123 buffer_size = data.byte_length(); |
| 124 } |
| 125 |
| 126 buffer->resize(buffer_size); |
| 127 unsigned char* buffer_data = Uint8VectorStart(buffer); |
| 128 |
| 129 PK11_EncryptDecryptFunction func = |
| 130 (mode == ENCRYPT) ? NssRuntimeSupport::Get()->pk11_encrypt_func() |
| 131 : NssRuntimeSupport::Get()->pk11_decrypt_func(); |
| 132 |
| 133 unsigned int output_len = 0; |
| 134 SECStatus result = func(sym_key, |
| 135 CKM_AES_GCM, |
| 136 ¶m, |
| 137 buffer_data, |
| 138 &output_len, |
| 139 buffer->size(), |
| 140 data.bytes(), |
| 141 data.byte_length()); |
| 142 |
| 143 if (result != SECSuccess) |
| 144 return Status::OperationError(); |
| 145 |
| 146 // Unfortunately the buffer needs to be shrunk for decryption (see the NSS bug |
| 147 // above). |
| 148 buffer->resize(output_len); |
| 149 |
| 150 return Status::Success(); |
| 151 } |
| 152 |
| 153 class AesGcmImplementation : public AesAlgorithm { |
| 154 public: |
| 155 AesGcmImplementation() : AesAlgorithm(CKM_AES_GCM, "GCM") {} |
| 156 |
| 157 virtual Status VerifyKeyUsagesBeforeImportKey( |
| 158 blink::WebCryptoKeyFormat format, |
| 159 blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE { |
| 160 // Prevent importing AES-GCM keys if it is unavailable. |
| 161 Status status = NssSupportsAesGcm(); |
| 162 if (status.IsError()) |
| 163 return status; |
| 164 return AesAlgorithm::VerifyKeyUsagesBeforeImportKey(format, usage_mask); |
| 165 } |
| 166 |
| 167 virtual Status VerifyKeyUsagesBeforeGenerateKey( |
| 168 blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE { |
| 169 // Prevent generating AES-GCM keys if it is unavailable. |
| 170 Status status = NssSupportsAesGcm(); |
| 171 if (status.IsError()) |
| 172 return status; |
| 173 return AesAlgorithm::VerifyKeyUsagesBeforeGenerateKey(usage_mask); |
| 174 } |
| 175 |
| 176 virtual Status Encrypt(const blink::WebCryptoAlgorithm& algorithm, |
| 177 const blink::WebCryptoKey& key, |
| 178 const CryptoData& data, |
| 179 std::vector<uint8>* buffer) const OVERRIDE { |
| 180 return AesGcmEncryptDecrypt(ENCRYPT, algorithm, key, data, buffer); |
| 181 } |
| 182 |
| 183 virtual Status Decrypt(const blink::WebCryptoAlgorithm& algorithm, |
| 184 const blink::WebCryptoKey& key, |
| 185 const CryptoData& data, |
| 186 std::vector<uint8>* buffer) const OVERRIDE { |
| 187 return AesGcmEncryptDecrypt(DECRYPT, algorithm, key, data, buffer); |
| 188 } |
| 189 }; |
| 190 |
| 191 } // namespace |
| 192 |
| 193 AlgorithmImplementation* CreatePlatformAesGcmImplementation() { |
| 194 return new AesGcmImplementation; |
| 195 } |
| 196 |
| 197 } // namespace webcrypto |
| 198 |
| 199 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
