1 // Copyright 2014 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "base/numerics/safe_math.h" 6 #include "base/stl_util.h" 7 #include "content/child/webcrypto/crypto_data.h" 8 #include "content/child/webcrypto/nss/aes_key_nss.h" 9 #include "content/child/webcrypto/nss/key_nss.h" 10 #include "content/child/webcrypto/nss/util_nss.h" 11 #include "content/child/webcrypto/status.h" 12 #include "content/child/webcrypto/webcrypto_util.h" 13 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h" 14 15 // At the time of this writing: 16 // * Windows and Mac builds ship with their own copy of NSS (3.15+) 17 // * Linux builds use the system's libnss, which is 3.14 on Debian (but 3.15+ 18 // on other distros). 19 // 20 // Since NSS provides AES-GCM support starting in version 3.15, it may be 21 // unavailable for Linux Chrome users. 22 // 23 // * !defined(CKM_AES_GCM) 24 // 25 // This means that at build time, the NSS header pkcs11t.h is older than 26 // 3.15. However at runtime support may be present. 27 // 28 // TODO(eroman): Simplify this once 3.15+ is required by Linux builds. 29 #if !defined(CKM_AES_GCM) 30 #define CKM_AES_GCM 0x00001087 31 32 struct CK_GCM_PARAMS { 33 CK_BYTE_PTR pIv; 34 CK_ULONG ulIvLen; 35 CK_BYTE_PTR pAAD; 36 CK_ULONG ulAADLen; 37 CK_ULONG ulTagBits; 38 }; 39 #endif // !defined(CKM_AES_GCM) 40 41 namespace content { 42 43 namespace webcrypto { 44 45 namespace { 46 47 Status NssSupportsAesGcm() { 48 if (NssRuntimeSupport::Get()->IsAesGcmSupported()) 49 return Status::Success(); 50 return Status::ErrorUnsupported( 51 "NSS version doesn't support AES-GCM. Try using version 3.15 or later"); 52 } 53 54 // Helper to either encrypt or decrypt for AES-GCM. The result of encryption is 55 // the concatenation of the ciphertext and the authentication tag. Similarly, 56 // this is the expectation for the input to decryption. 57 Status AesGcmEncryptDecrypt(EncryptOrDecrypt mode, 58 const blink::WebCryptoAlgorithm& algorithm, 59 const blink::WebCryptoKey& key, 60 const CryptoData& data, 61 std::vector<uint8_t>* buffer) { 62 Status status = NssSupportsAesGcm(); 63 if (status.IsError()) 64 return status; 65 66 PK11SymKey* sym_key = SymKeyNss::Cast(key)->key(); 67 const blink::WebCryptoAesGcmParams* params = algorithm.aesGcmParams(); 68 if (!params) 69 return Status::ErrorUnexpected(); 70 71 unsigned int tag_length_bits; 72 status = GetAesGcmTagLengthInBits(params, &tag_length_bits); 73 if (status.IsError()) 74 return status; 75 unsigned int tag_length_bytes = tag_length_bits / 8; 76 77 CryptoData iv(params->iv()); 78 CryptoData additional_data(params->optionalAdditionalData()); 79 80 CK_GCM_PARAMS gcm_params = {0}; 81 gcm_params.pIv = const_cast<unsigned char*>(iv.bytes()); 82 gcm_params.ulIvLen = iv.byte_length(); 83 84 gcm_params.pAAD = const_cast<unsigned char*>(additional_data.bytes()); 85 gcm_params.ulAADLen = additional_data.byte_length(); 86 87 gcm_params.ulTagBits = tag_length_bits; 88 89 SECItem param; 90 param.type = siBuffer; 91 param.data = reinterpret_cast<unsigned char*>(&gcm_params); 92 param.len = sizeof(gcm_params); 93 94 base::CheckedNumeric<unsigned int> buffer_size(data.byte_length()); 95 96 // Calculate the output buffer size. 97 if (mode == ENCRYPT) { 98 buffer_size += tag_length_bytes; 99 if (!buffer_size.IsValid()) 100 return Status::ErrorDataTooLarge(); 101 } 102 103 // TODO(eroman): In theory the buffer allocated for the plain text should be 104 // sized as |data.byte_length() - tag_length_bytes|. 105 // 106 // However NSS has a bug whereby it will fail if the output buffer size is 107 // not at least as large as the ciphertext: 108 // 109 // https://bugzilla.mozilla.org/show_bug.cgi?id=%20853674 110 // 111 // From the analysis of that bug it looks like it might be safe to pass a 112 // correctly sized buffer but lie about its size. Since resizing the 113 // WebCryptoArrayBuffer is expensive that hack may be worth looking into. 114 115 buffer->resize(buffer_size.ValueOrDie()); 116 unsigned char* buffer_data = vector_as_array(buffer); 117 118 PK11_EncryptDecryptFunction encrypt_or_decrypt_func = 119 (mode == ENCRYPT) ? NssRuntimeSupport::Get()->pk11_encrypt_func() 120 : NssRuntimeSupport::Get()->pk11_decrypt_func(); 121 122 unsigned int output_len = 0; 123 SECStatus result = encrypt_or_decrypt_func(sym_key, 124 CKM_AES_GCM, 125 ¶m, 126 buffer_data, 127 &output_len, 128 buffer->size(), 129 data.bytes(), 130 data.byte_length()); 131 132 if (result != SECSuccess) 133 return Status::OperationError(); 134 135 // Unfortunately the buffer needs to be shrunk for decryption (see the NSS bug 136 // above). 137 buffer->resize(output_len); 138 139 return Status::Success(); 140 } 141 142 class AesGcmImplementation : public AesAlgorithm { 143 public: 144 AesGcmImplementation() : AesAlgorithm(CKM_AES_GCM, "GCM") {} 145 146 virtual Status VerifyKeyUsagesBeforeImportKey( 147 blink::WebCryptoKeyFormat format, 148 blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE { 149 // Prevent importing AES-GCM keys if it is unavailable. 150 Status status = NssSupportsAesGcm(); 151 if (status.IsError()) 152 return status; 153 return AesAlgorithm::VerifyKeyUsagesBeforeImportKey(format, usage_mask); 154 } 155 156 virtual Status VerifyKeyUsagesBeforeGenerateKey( 157 blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE { 158 // Prevent generating AES-GCM keys if it is unavailable. 159 Status status = NssSupportsAesGcm(); 160 if (status.IsError()) 161 return status; 162 return AesAlgorithm::VerifyKeyUsagesBeforeGenerateKey(usage_mask); 163 } 164 165 virtual Status Encrypt(const blink::WebCryptoAlgorithm& algorithm, 166 const blink::WebCryptoKey& key, 167 const CryptoData& data, 168 std::vector<uint8_t>* buffer) const OVERRIDE { 169 return AesGcmEncryptDecrypt(ENCRYPT, algorithm, key, data, buffer); 170 } 171 172 virtual Status Decrypt(const blink::WebCryptoAlgorithm& algorithm, 173 const blink::WebCryptoKey& key, 174 const CryptoData& data, 175 std::vector<uint8_t>* buffer) const OVERRIDE { 176 return AesGcmEncryptDecrypt(DECRYPT, algorithm, key, data, buffer); 177 } 178 }; 179 180 } // namespace 181 182 AlgorithmImplementation* CreatePlatformAesGcmImplementation() { 183 return new AesGcmImplementation; 184 } 185 186 } // namespace webcrypto 187 188 } // namespace content 189