1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/numerics/safe_math.h"
6 #include "base/stl_util.h"
7 #include "content/child/webcrypto/crypto_data.h"
8 #include "content/child/webcrypto/nss/aes_key_nss.h"
9 #include "content/child/webcrypto/nss/key_nss.h"
10 #include "content/child/webcrypto/nss/util_nss.h"
11 #include "content/child/webcrypto/status.h"
12 #include "content/child/webcrypto/webcrypto_util.h"
13 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
15 // At the time of this writing:
16 // * Windows and Mac builds ship with their own copy of NSS (3.15+)
17 // * Linux builds use the system's libnss, which is 3.14 on Debian (but 3.15+
20 // Since NSS provides AES-GCM support starting in version 3.15, it may be
21 // unavailable for Linux Chrome users.
23 // * !defined(CKM_AES_GCM)
25 // This means that at build time, the NSS header pkcs11t.h is older than
26 // 3.15. However at runtime support may be present.
28 // TODO(eroman): Simplify this once 3.15+ is required by Linux builds.
29 #if !defined(CKM_AES_GCM)
30 #define CKM_AES_GCM 0x00001087
32 struct CK_GCM_PARAMS {
39 #endif // !defined(CKM_AES_GCM)
47 Status NssSupportsAesGcm() {
48 if (NssRuntimeSupport::Get()->IsAesGcmSupported())
49 return Status::Success();
50 return Status::ErrorUnsupported(
51 "NSS version doesn't support AES-GCM. Try using version 3.15 or later");
54 // Helper to either encrypt or decrypt for AES-GCM. The result of encryption is
55 // the concatenation of the ciphertext and the authentication tag. Similarly,
56 // this is the expectation for the input to decryption.
57 Status AesGcmEncryptDecrypt(EncryptOrDecrypt mode,
58 const blink::WebCryptoAlgorithm& algorithm,
59 const blink::WebCryptoKey& key,
60 const CryptoData& data,
61 std::vector<uint8_t>* buffer) {
62 Status status = NssSupportsAesGcm();
66 PK11SymKey* sym_key = SymKeyNss::Cast(key)->key();
67 const blink::WebCryptoAesGcmParams* params = algorithm.aesGcmParams();
69 return Status::ErrorUnexpected();
71 unsigned int tag_length_bits;
72 status = GetAesGcmTagLengthInBits(params, &tag_length_bits);
75 unsigned int tag_length_bytes = tag_length_bits / 8;
77 CryptoData iv(params->iv());
78 CryptoData additional_data(params->optionalAdditionalData());
80 CK_GCM_PARAMS gcm_params = {0};
81 gcm_params.pIv = const_cast<unsigned char*>(iv.bytes());
82 gcm_params.ulIvLen = iv.byte_length();
84 gcm_params.pAAD = const_cast<unsigned char*>(additional_data.bytes());
85 gcm_params.ulAADLen = additional_data.byte_length();
87 gcm_params.ulTagBits = tag_length_bits;
90 param.type = siBuffer;
91 param.data = reinterpret_cast<unsigned char*>(&gcm_params);
92 param.len = sizeof(gcm_params);
94 base::CheckedNumeric<unsigned int> buffer_size(data.byte_length());
96 // Calculate the output buffer size.
97 if (mode == ENCRYPT) {
98 buffer_size += tag_length_bytes;
99 if (!buffer_size.IsValid())
100 return Status::ErrorDataTooLarge();
103 // TODO(eroman): In theory the buffer allocated for the plain text should be
104 // sized as |data.byte_length() - tag_length_bytes|.
106 // However NSS has a bug whereby it will fail if the output buffer size is
107 // not at least as large as the ciphertext:
109 // https://bugzilla.mozilla.org/show_bug.cgi?id=%20853674
111 // From the analysis of that bug it looks like it might be safe to pass a
112 // correctly sized buffer but lie about its size. Since resizing the
113 // WebCryptoArrayBuffer is expensive that hack may be worth looking into.
115 buffer->resize(buffer_size.ValueOrDie());
116 unsigned char* buffer_data = vector_as_array(buffer);
118 PK11_EncryptDecryptFunction encrypt_or_decrypt_func =
119 (mode == ENCRYPT) ? NssRuntimeSupport::Get()->pk11_encrypt_func()
120 : NssRuntimeSupport::Get()->pk11_decrypt_func();
122 unsigned int output_len = 0;
123 SECStatus result = encrypt_or_decrypt_func(sym_key,
132 if (result != SECSuccess)
133 return Status::OperationError();
135 // Unfortunately the buffer needs to be shrunk for decryption (see the NSS bug
137 buffer->resize(output_len);
139 return Status::Success();
142 class AesGcmImplementation : public AesAlgorithm {
144 AesGcmImplementation() : AesAlgorithm(CKM_AES_GCM, "GCM") {}
146 Status VerifyKeyUsagesBeforeImportKey(
147 blink::WebCryptoKeyFormat format,
148 blink::WebCryptoKeyUsageMask usages) const override {
149 // Prevent importing AES-GCM keys if it is unavailable.
150 Status status = NssSupportsAesGcm();
151 if (status.IsError())
153 return AesAlgorithm::VerifyKeyUsagesBeforeImportKey(format, usages);
156 Status GenerateKey(const blink::WebCryptoAlgorithm& algorithm,
158 blink::WebCryptoKeyUsageMask usages,
159 GenerateKeyResult* result) const override {
160 // Prevent generating AES-GCM keys if it is unavailable.
161 Status status = NssSupportsAesGcm();
162 if (status.IsError())
165 return AesAlgorithm::GenerateKey(algorithm, extractable, usages, result);
168 Status Encrypt(const blink::WebCryptoAlgorithm& algorithm,
169 const blink::WebCryptoKey& key,
170 const CryptoData& data,
171 std::vector<uint8_t>* buffer) const override {
172 return AesGcmEncryptDecrypt(ENCRYPT, algorithm, key, data, buffer);
175 Status Decrypt(const blink::WebCryptoAlgorithm& algorithm,
176 const blink::WebCryptoKey& key,
177 const CryptoData& data,
178 std::vector<uint8_t>* buffer) const override {
179 return AesGcmEncryptDecrypt(DECRYPT, algorithm, key, data, buffer);
185 AlgorithmImplementation* CreatePlatformAesGcmImplementation() {
186 return new AesGcmImplementation;
189 } // namespace webcrypto
191 } // namespace content