| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/quic/crypto/aead_base_decrypter.h" | |
| 6 | |
| 7 #include <pk11pub.h> | |
| 8 | |
| 9 #include "base/memory/scoped_ptr.h" | |
| 10 #include "crypto/scoped_nss_types.h" | |
| 11 | |
| 12 using base::StringPiece; | |
| 13 | |
| 14 namespace net { | |
| 15 | |
| 16 AeadBaseDecrypter::AeadBaseDecrypter(CK_MECHANISM_TYPE aead_mechanism, | |
| 17 PK11_DecryptFunction pk11_decrypt, | |
| 18 size_t key_size, | |
| 19 size_t auth_tag_size, | |
| 20 size_t nonce_prefix_size) | |
| 21 : aead_mechanism_(aead_mechanism), | |
| 22 pk11_decrypt_(pk11_decrypt), | |
| 23 key_size_(key_size), | |
| 24 auth_tag_size_(auth_tag_size), | |
| 25 nonce_prefix_size_(nonce_prefix_size) { | |
| 26 DCHECK_LE(key_size_, sizeof(key_)); | |
| 27 DCHECK_LE(nonce_prefix_size_, sizeof(nonce_prefix_)); | |
| 28 } | |
| 29 | |
| 30 AeadBaseDecrypter::~AeadBaseDecrypter() {} | |
| 31 | |
| 32 bool AeadBaseDecrypter::SetKey(StringPiece key) { | |
| 33 DCHECK_EQ(key.size(), key_size_); | |
| 34 if (key.size() != key_size_) { | |
| 35 return false; | |
| 36 } | |
| 37 memcpy(key_, key.data(), key.size()); | |
| 38 return true; | |
| 39 } | |
| 40 | |
| 41 bool AeadBaseDecrypter::SetNoncePrefix(StringPiece nonce_prefix) { | |
| 42 DCHECK_EQ(nonce_prefix.size(), nonce_prefix_size_); | |
| 43 if (nonce_prefix.size() != nonce_prefix_size_) { | |
| 44 return false; | |
| 45 } | |
| 46 memcpy(nonce_prefix_, nonce_prefix.data(), nonce_prefix.size()); | |
| 47 return true; | |
| 48 } | |
| 49 | |
| 50 bool AeadBaseDecrypter::Decrypt(StringPiece nonce, | |
| 51 const StringPiece& associated_data, | |
| 52 const StringPiece& ciphertext, | |
| 53 uint8* output, | |
| 54 size_t* output_length, | |
| 55 size_t max_output_length) { | |
| 56 if (ciphertext.length() < auth_tag_size_ || | |
| 57 nonce.size() != nonce_prefix_size_ + sizeof(QuicPacketSequenceNumber)) { | |
| 58 return false; | |
| 59 } | |
| 60 // NSS 3.14.x incorrectly requires an output buffer at least as long as | |
| 61 // the ciphertext (NSS bug | |
| 62 // https://bugzilla.mozilla.org/show_bug.cgi?id= 853674). Fortunately | |
| 63 // QuicDecrypter::Decrypt() specifies that |output| must be as long as | |
| 64 // |ciphertext| on entry. | |
| 65 size_t plaintext_size = ciphertext.length() - auth_tag_size_; | |
| 66 | |
| 67 // Import key_ into NSS. | |
| 68 SECItem key_item; | |
| 69 key_item.type = siBuffer; | |
| 70 key_item.data = key_; | |
| 71 key_item.len = key_size_; | |
| 72 PK11SlotInfo* slot = PK11_GetInternalSlot(); | |
| 73 | |
| 74 // TODO(wtc): For an AES-GCM key, the correct value for |key_mechanism| is | |
| 75 // CKM_AES_GCM, but because of NSS bug | |
| 76 // https://bugzilla.mozilla.org/show_bug.cgi?id=853285, use CKM_AES_ECB as a | |
| 77 // workaround. Remove this when we require NSS 3.15. | |
| 78 CK_MECHANISM_TYPE key_mechanism = aead_mechanism_; | |
| 79 if (key_mechanism == CKM_AES_GCM) { | |
| 80 key_mechanism = CKM_AES_ECB; | |
| 81 } | |
| 82 | |
| 83 // The exact value of the |origin| argument doesn't matter to NSS as long as | |
| 84 // it's not PK11_OriginFortezzaHack, so pass PK11_OriginUnwrap as a | |
| 85 // placeholder. | |
| 86 crypto::ScopedPK11SymKey aead_key(PK11_ImportSymKey( | |
| 87 slot, key_mechanism, PK11_OriginUnwrap, CKA_DECRYPT, &key_item, nullptr)); | |
| 88 PK11_FreeSlot(slot); | |
| 89 slot = nullptr; | |
| 90 if (!aead_key) { | |
| 91 DVLOG(1) << "PK11_ImportSymKey failed"; | |
| 92 return false; | |
| 93 } | |
| 94 | |
| 95 AeadParams aead_params = {0}; | |
| 96 FillAeadParams(nonce, associated_data, auth_tag_size_, &aead_params); | |
| 97 | |
| 98 SECItem param; | |
| 99 param.type = siBuffer; | |
| 100 param.data = reinterpret_cast<unsigned char*>(&aead_params.data); | |
| 101 param.len = aead_params.len; | |
| 102 | |
| 103 unsigned int output_len; | |
| 104 if (pk11_decrypt_(aead_key.get(), aead_mechanism_, ¶m, output, | |
| 105 &output_len, max_output_length, | |
| 106 reinterpret_cast<const unsigned char*>(ciphertext.data()), | |
| 107 ciphertext.length()) != SECSuccess) { | |
| 108 return false; | |
| 109 } | |
| 110 | |
| 111 if (output_len != plaintext_size) { | |
| 112 DVLOG(1) << "Wrong output length"; | |
| 113 return false; | |
| 114 } | |
| 115 *output_length = output_len; | |
| 116 return true; | |
| 117 } | |
| 118 | |
| 119 bool AeadBaseDecrypter::DecryptPacket(QuicPacketSequenceNumber sequence_number, | |
| 120 const StringPiece& associated_data, | |
| 121 const StringPiece& ciphertext, | |
| 122 char* output, | |
| 123 size_t* output_length, | |
| 124 size_t max_output_length) { | |
| 125 if (ciphertext.length() < auth_tag_size_) { | |
| 126 return false; | |
| 127 } | |
| 128 | |
| 129 uint8 nonce[sizeof(nonce_prefix_) + sizeof(sequence_number)]; | |
| 130 const size_t nonce_size = nonce_prefix_size_ + sizeof(sequence_number); | |
| 131 DCHECK_LE(nonce_size, sizeof(nonce)); | |
| 132 memcpy(nonce, nonce_prefix_, nonce_prefix_size_); | |
| 133 memcpy(nonce + nonce_prefix_size_, &sequence_number, sizeof(sequence_number)); | |
| 134 return Decrypt(StringPiece(reinterpret_cast<char*>(nonce), nonce_size), | |
| 135 associated_data, ciphertext, reinterpret_cast<uint8*>(output), | |
| 136 output_length, max_output_length); | |
| 137 } | |
| 138 | |
| 139 StringPiece AeadBaseDecrypter::GetKey() const { | |
| 140 return StringPiece(reinterpret_cast<const char*>(key_), key_size_); | |
| 141 } | |
| 142 | |
| 143 StringPiece AeadBaseDecrypter::GetNoncePrefix() const { | |
| 144 if (nonce_prefix_size_ == 0) { | |
| 145 return StringPiece(); | |
| 146 } | |
| 147 return StringPiece(reinterpret_cast<const char*>(nonce_prefix_), | |
| 148 nonce_prefix_size_); | |
| 149 } | |
| 150 | |
| 151 } // namespace net | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 992733002:
Remove //net (except for Android test stuff) and sdch (Closed)
Base URL: git@github.com:domokit/mojo.git@master