src/content/child/webcrypto/nss/aes_gcm_nss.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "base/numerics/safe_math.h"
   6 #include "base/stl_util.h"
   7 #include "content/child/webcrypto/crypto_data.h"
   8 #include "content/child/webcrypto/nss/aes_key_nss.h"
   9 #include "content/child/webcrypto/nss/key_nss.h"
  10 #include "content/child/webcrypto/nss/util_nss.h"
  11 #include "content/child/webcrypto/status.h"
  12 #include "content/child/webcrypto/webcrypto_util.h"
  13 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
  14
  15 // At the time of this writing:
  16 //   * Windows and Mac builds ship with their own copy of NSS (3.15+)
  17 //   * Linux builds use the system's libnss, which is 3.14 on Debian (but 3.15+
  18 //     on other distros).
  19 //
  20 // Since NSS provides AES-GCM support starting in version 3.15, it may be
  21 // unavailable for Linux Chrome users.
  22 //
  23 //  * !defined(CKM_AES_GCM)
  24 //
  25 //      This means that at build time, the NSS header pkcs11t.h is older than
  26 //      3.15. However at runtime support may be present.
  27 //
  28 // TODO(eroman): Simplify this once 3.15+ is required by Linux builds.
  29 #if !defined(CKM_AES_GCM)
  30 #define CKM_AES_GCM 0x00001087
  31
  32 struct CK_GCM_PARAMS {
  33   CK_BYTE_PTR pIv;
  34   CK_ULONG ulIvLen;
  35   CK_BYTE_PTR pAAD;
  36   CK_ULONG ulAADLen;
  37   CK_ULONG ulTagBits;
  38 };
  39 #endif  // !defined(CKM_AES_GCM)
  40
  41 namespace content {
  42
  43 namespace webcrypto {
  44
  45 namespace {
  46
  47 Status NssSupportsAesGcm() {
  48   if (NssRuntimeSupport::Get()->IsAesGcmSupported())
  49     return Status::Success();
  50   return Status::ErrorUnsupported(
  51       "NSS version doesn't support AES-GCM. Try using version 3.15 or later");
  52 }
  53
  54 // Helper to either encrypt or decrypt for AES-GCM. The result of encryption is
  55 // the concatenation of the ciphertext and the authentication tag. Similarly,
  56 // this is the expectation for the input to decryption.
  57 Status AesGcmEncryptDecrypt(EncryptOrDecrypt mode,
  58                             const blink::WebCryptoAlgorithm& algorithm,
  59                             const blink::WebCryptoKey& key,
  60                             const CryptoData& data,
  61                             std::vector<uint8_t>* buffer) {
  62   Status status = NssSupportsAesGcm();
  63   if (status.IsError())
  64     return status;
  65
  66   PK11SymKey* sym_key = SymKeyNss::Cast(key)->key();
  67   const blink::WebCryptoAesGcmParams* params = algorithm.aesGcmParams();
  68   if (!params)
  69     return Status::ErrorUnexpected();
  70
  71   unsigned int tag_length_bits;
  72   status = GetAesGcmTagLengthInBits(params, &tag_length_bits);
  73   if (status.IsError())
  74     return status;
  75   unsigned int tag_length_bytes = tag_length_bits / 8;
  76
  77   CryptoData iv(params->iv());
  78   CryptoData additional_data(params->optionalAdditionalData());
  79
  80   CK_GCM_PARAMS gcm_params = {0};
  81   gcm_params.pIv = const_cast<unsigned char*>(iv.bytes());
  82   gcm_params.ulIvLen = iv.byte_length();
  83
  84   gcm_params.pAAD = const_cast<unsigned char*>(additional_data.bytes());
  85   gcm_params.ulAADLen = additional_data.byte_length();
  86
  87   gcm_params.ulTagBits = tag_length_bits;
  88
  89   SECItem param;
  90   param.type = siBuffer;
  91   param.data = reinterpret_cast<unsigned char*>(&gcm_params);
  92   param.len = sizeof(gcm_params);
  93
  94   base::CheckedNumeric<unsigned int> buffer_size(data.byte_length());
  95
  96   // Calculate the output buffer size.
  97   if (mode == ENCRYPT) {
  98     buffer_size += tag_length_bytes;
  99     if (!buffer_size.IsValid())
 100       return Status::ErrorDataTooLarge();
 101   }
 102
 103   // TODO(eroman): In theory the buffer allocated for the plain text should be
 104   // sized as |data.byte_length() - tag_length_bytes|.
 105   //
 106   // However NSS has a bug whereby it will fail if the output buffer size is
 107   // not at least as large as the ciphertext:
 108   //
 109   // https://bugzilla.mozilla.org/show_bug.cgi?id=%20853674
 110   //
 111   // From the analysis of that bug it looks like it might be safe to pass a
 112   // correctly sized buffer but lie about its size. Since resizing the
 113   // WebCryptoArrayBuffer is expensive that hack may be worth looking into.
 114
 115   buffer->resize(buffer_size.ValueOrDie());
 116   unsigned char* buffer_data = vector_as_array(buffer);
 117
 118   PK11_EncryptDecryptFunction encrypt_or_decrypt_func =
 119       (mode == ENCRYPT) ? NssRuntimeSupport::Get()->pk11_encrypt_func()
 120                         : NssRuntimeSupport::Get()->pk11_decrypt_func();
 121
 122   unsigned int output_len = 0;
 123   SECStatus result = encrypt_or_decrypt_func(sym_key,
 124                                              CKM_AES_GCM,
 125                                              &param,
 126                                              buffer_data,
 127                                              &output_len,
 128                                              buffer->size(),
 129                                              data.bytes(),
 130                                              data.byte_length());
 131
 132   if (result != SECSuccess)
 133     return Status::OperationError();
 134
 135   // Unfortunately the buffer needs to be shrunk for decryption (see the NSS bug
 136   // above).
 137   buffer->resize(output_len);
 138
 139   return Status::Success();
 140 }
 141
 142 class AesGcmImplementation : public AesAlgorithm {
 143  public:
 144   AesGcmImplementation() : AesAlgorithm(CKM_AES_GCM, "GCM") {}
 145
 146   virtual Status VerifyKeyUsagesBeforeImportKey(
 147       blink::WebCryptoKeyFormat format,
 148       blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE {
 149     // Prevent importing AES-GCM keys if it is unavailable.
 150     Status status = NssSupportsAesGcm();
 151     if (status.IsError())
 152       return status;
 153     return AesAlgorithm::VerifyKeyUsagesBeforeImportKey(format, usage_mask);
 154   }
 155
 156   virtual Status VerifyKeyUsagesBeforeGenerateKey(
 157       blink::WebCryptoKeyUsageMask usage_mask) const OVERRIDE {
 158     // Prevent generating AES-GCM keys if it is unavailable.
 159     Status status = NssSupportsAesGcm();
 160     if (status.IsError())
 161       return status;
 162     return AesAlgorithm::VerifyKeyUsagesBeforeGenerateKey(usage_mask);
 163   }
 164
 165   virtual Status Encrypt(const blink::WebCryptoAlgorithm& algorithm,
 166                          const blink::WebCryptoKey& key,
 167                          const CryptoData& data,
 168                          std::vector<uint8_t>* buffer) const OVERRIDE {
 169     return AesGcmEncryptDecrypt(ENCRYPT, algorithm, key, data, buffer);
 170   }
 171
 172   virtual Status Decrypt(const blink::WebCryptoAlgorithm& algorithm,
 173                          const blink::WebCryptoKey& key,
 174                          const CryptoData& data,
 175                          std::vector<uint8_t>* buffer) const OVERRIDE {
 176     return AesGcmEncryptDecrypt(DECRYPT, algorithm, key, data, buffer);
 177   }
 178 };
 179
 180 }  // namespace
 181
 182 AlgorithmImplementation* CreatePlatformAesGcmImplementation() {
 183   return new AesGcmImplementation;
 184 }
 185
 186 }  // namespace webcrypto
 187
 188 }  // namespace content