| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "content/child/webcrypto/crypto_data.h" |
| 6 #include "content/child/webcrypto/nss/aes_key_nss.h" |
| 7 #include "content/child/webcrypto/nss/key_nss.h" |
| 8 #include "content/child/webcrypto/nss/util_nss.h" |
| 9 #include "content/child/webcrypto/status.h" |
| 10 #include "content/child/webcrypto/webcrypto_util.h" |
| 11 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h" |
| 12 |
| 13 // At the time of this writing: |
| 14 // * Windows and Mac builds ship with their own copy of NSS (3.15+) |
| 15 // * Linux builds use the system's libnss, which is 3.14 on Debian (but 3.15+ |
| 16 // on other distros). |
| 17 // |
| 18 // Since NSS provides AES-GCM support starting in version 3.15, it may be |
| 19 // unavailable for Linux Chrome users. |
| 20 // |
| 21 // * !defined(CKM_AES_GCM) |
| 22 // |
| 23 // This means that at build time, the NSS header pkcs11t.h is older than |
| 24 // 3.15. However at runtime support may be present. |
| 25 // |
| 26 // * !defined(USE_NSS) |
| 27 // |
| 28 // This means that Chrome is being built with an embedded copy of NSS, |
| 29 // which can be assumed to be >= 3.15. On the other hand if USE_NSS is |
| 30 // defined, it also implies running on Linux. |
| 31 // |
| 32 // TODO(eroman): Simplify this once 3.15+ is required by Linux builds. |
| 33 #if !defined(CKM_AES_GCM) |
| 34 #define CKM_AES_GCM 0x00001087 |
| 35 |
| 36 struct CK_GCM_PARAMS { |
| 37 CK_BYTE_PTR pIv; |
| 38 CK_ULONG ulIvLen; |
| 39 CK_BYTE_PTR pAAD; |
| 40 CK_ULONG ulAADLen; |
| 41 CK_ULONG ulTagBits; |
| 42 }; |
| 43 #endif // !defined(CKM_AES_GCM) |
| 44 |
| 45 namespace content { |
| 46 |
| 47 namespace webcrypto { |
| 48 |
| 49 namespace { |
| 50 |
| 51 Status NssSupportsAesGcm() { |
| 52 if (NssRuntimeSupport::Get()->IsAesGcmSupported()) |
| 53 return Status::Success(); |
| 54 return Status::ErrorUnsupported( |
| 55 "NSS version doesn't support AES-GCM. Try using version 3.15 or later"); |
| 56 } |
| 57 |
| 58 // Helper to either encrypt or decrypt for AES-GCM. The result of encryption is |
| 59 // the concatenation of the ciphertext and the authentication tag. Similarly, |
| 60 // this is the expectation for the input to decryption. |
| 61 Status AesGcmEncryptDecrypt(EncryptOrDecrypt mode, |
| 62 const blink::WebCryptoAlgorithm& algorithm, |
| 63 const blink::WebCryptoKey& key, |
| 64 const CryptoData& data, |
| 65 std::vector<uint8>* buffer) { |
| 66 Status status = NssSupportsAesGcm(); |
| 67 if (status.IsError()) |
| 68 return status; |
| 69 |
| 70 PK11SymKey* sym_key = SymKeyNss::Cast(key)->key(); |
| 71 const blink::WebCryptoAesGcmParams* params = algorithm.aesGcmParams(); |
| 72 if (!params) |
| 73 return Status::ErrorUnexpected(); |
| 74 |
| 75 unsigned int tag_length_bits; |
| 76 status = GetAesGcmTagLength(params, &tag_length_bits); |
| 77 if (status.IsError()) |
| 78 return status; |
| 79 unsigned int tag_length_bytes = tag_length_bits / 8; |
| 80 |
| 81 CryptoData iv(params->iv()); |
| 82 CryptoData additional_data(params->optionalAdditionalData()); |
| 83 |
| 84 CK_GCM_PARAMS gcm_params = {0}; |
| 85 gcm_params.pIv = const_cast<unsigned char*>(iv.bytes()); |
| 86 gcm_params.ulIvLen = iv.byte_length(); |
| 87 |
| 88 gcm_params.pAAD = const_cast<unsigned char*>(additional_data.bytes()); |
| 89 gcm_params.ulAADLen = additional_data.byte_length(); |
| 90 |
| 91 gcm_params.ulTagBits = tag_length_bits; |
| 92 |
| 93 SECItem param; |
| 94 param.type = siBuffer; |
| 95 param.data = reinterpret_cast<unsigned char*>(&gcm_params); |
| 96 param.len = sizeof(gcm_params); |
| 97 |
| 98 unsigned int buffer_size = 0; |
| 99 |
| 100 // Calculate the output buffer size. |
| 101 if (mode == ENCRYPT) { |
| 102 // TODO(eroman): This is ugly, abstract away the safe integer arithmetic. |
| 103 if (data.byte_length() > (UINT_MAX - tag_length_bytes)) |
| 104 return Status::ErrorDataTooLarge(); |
| 105 buffer_size = data.byte_length() + tag_length_bytes; |
| 106 } else { |
| 107 // TODO(eroman): In theory the buffer allocated for the plain text should be |
| 108 // sized as |data.byte_length() - tag_length_bytes|. |
| 109 // |
| 110 // However NSS has a bug whereby it will fail if the output buffer size is |
| 111 // not at least as large as the ciphertext: |
| 112 // |
| 113 // https://bugzilla.mozilla.org/show_bug.cgi?id=%20853674 |
| 114 // |
| 115 // From the analysis of that bug it looks like it might be safe to pass a |
| 116 // correctly sized buffer but lie about its size. Since resizing the |
| 117 // WebCryptoArrayBuffer is expensive that hack may be worth looking into. |
| 118 buffer_size = data.byte_length(); |
| 119 } |
| 120 |
| 121 buffer->resize(buffer_size); |
| 122 unsigned char* buffer_data = Uint8VectorStart(buffer); |
| 123 |
| 124 PK11_EncryptDecryptFunction func = |
| 125 (mode == ENCRYPT) ? NssRuntimeSupport::Get()->pk11_encrypt_func() |
| 126 : NssRuntimeSupport::Get()->pk11_decrypt_func(); |
| 127 |
| 128 unsigned int output_len = 0; |
| 129 SECStatus result = func(sym_key, |
| 130 CKM_AES_GCM, |
| 131 ¶m, |
| 132 buffer_data, |
| 133 &output_len, |
| 134 buffer->size(), |
| 135 data.bytes(), |
| 136 data.byte_length()); |
| 137 |
| 138 if (result != SECSuccess) |
| 139 return Status::OperationError(); |
| 140 |
| 141 // Unfortunately the buffer needs to be shrunk for decryption (see the NSS bug |
| 142 // above). |
| 143 buffer->resize(output_len); |
| 144 |
| 145 return Status::Success(); |
| 146 } |
| 147 |
| 148 class AesGcmImplementation : public AesAlgorithm { |
| 149 public: |
| 150 AesGcmImplementation() : AesAlgorithm(CKM_AES_GCM, "GCM") {} |
| 151 |
| 152 virtual Status VerifyKeyUsagesBeforeImportKey( |
| 153 blink::WebCryptoKeyFormat format, |
| 154 blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE { |
| 155 // Prevent importing AES-GCM keys if it is unavailable. |
| 156 Status status = NssSupportsAesGcm(); |
| 157 if (status.IsError()) |
| 158 return status; |
| 159 return AesAlgorithm::VerifyKeyUsagesBeforeImportKey(format, usage_mask); |
| 160 } |
| 161 |
| 162 virtual Status VerifyKeyUsagesBeforeGenerateKey( |
| 163 blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE { |
| 164 // Prevent generating AES-GCM keys if it is unavailable. |
| 165 Status status = NssSupportsAesGcm(); |
| 166 if (status.IsError()) |
| 167 return status; |
| 168 return AesAlgorithm::VerifyKeyUsagesBeforeGenerateKey(usage_mask); |
| 169 } |
| 170 |
| 171 virtual Status Encrypt(const blink::WebCryptoAlgorithm& algorithm, |
| 172 const blink::WebCryptoKey& key, |
| 173 const CryptoData& data, |
| 174 std::vector<uint8>* buffer) const OVERRIDE { |
| 175 return AesGcmEncryptDecrypt(ENCRYPT, algorithm, key, data, buffer); |
| 176 } |
| 177 |
| 178 virtual Status Decrypt(const blink::WebCryptoAlgorithm& algorithm, |
| 179 const blink::WebCryptoKey& key, |
| 180 const CryptoData& data, |
| 181 std::vector<uint8>* buffer) const OVERRIDE { |
| 182 return AesGcmEncryptDecrypt(DECRYPT, algorithm, key, data, buffer); |
| 183 } |
| 184 }; |
| 185 |
| 186 } // namespace |
| 187 |
| 188 AlgorithmImplementation* CreatePlatformAesGcmImplementation() { |
| 189 return new AesGcmImplementation; |
| 190 } |
| 191 |
| 192 } // namespace webcrypto |
| 193 |
| 194 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
