We started redesigning GpuMemoryBuffer interface to handle multiple buffers [0].
[chromium-blink-merge.git] / net / quic / crypto / aead_base_decrypter_nss.cc
blob1ed4f3ab6e2b77739a813106076b77f9292d58dd
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/quic/crypto/aead_base_decrypter.h"
7 #include <pk11pub.h>
9 #include "base/memory/scoped_ptr.h"
10 #include "crypto/scoped_nss_types.h"
12 using base::StringPiece;
14 namespace net {
16 AeadBaseDecrypter::AeadBaseDecrypter(CK_MECHANISM_TYPE aead_mechanism,
17 PK11_DecryptFunction pk11_decrypt,
18 size_t key_size,
19 size_t auth_tag_size,
20 size_t nonce_prefix_size)
21 : aead_mechanism_(aead_mechanism),
22 pk11_decrypt_(pk11_decrypt),
23 key_size_(key_size),
24 auth_tag_size_(auth_tag_size),
25 nonce_prefix_size_(nonce_prefix_size) {
26 DCHECK_LE(key_size_, sizeof(key_));
27 DCHECK_LE(nonce_prefix_size_, sizeof(nonce_prefix_));
30 AeadBaseDecrypter::~AeadBaseDecrypter() {}
32 bool AeadBaseDecrypter::SetKey(StringPiece key) {
33 DCHECK_EQ(key.size(), key_size_);
34 if (key.size() != key_size_) {
35 return false;
37 memcpy(key_, key.data(), key.size());
38 return true;
41 bool AeadBaseDecrypter::SetNoncePrefix(StringPiece nonce_prefix) {
42 DCHECK_EQ(nonce_prefix.size(), nonce_prefix_size_);
43 if (nonce_prefix.size() != nonce_prefix_size_) {
44 return false;
46 memcpy(nonce_prefix_, nonce_prefix.data(), nonce_prefix.size());
47 return true;
50 bool AeadBaseDecrypter::Decrypt(StringPiece nonce,
51 const StringPiece& associated_data,
52 const StringPiece& ciphertext,
53 uint8* output,
54 size_t* output_length,
55 size_t max_output_length) {
56 if (ciphertext.length() < auth_tag_size_ ||
57 nonce.size() != nonce_prefix_size_ + sizeof(QuicPacketSequenceNumber)) {
58 return false;
60 // NSS 3.14.x incorrectly requires an output buffer at least as long as
61 // the ciphertext (NSS bug
62 // https://bugzilla.mozilla.org/show_bug.cgi?id= 853674). Fortunately
63 // QuicDecrypter::Decrypt() specifies that |output| must be as long as
64 // |ciphertext| on entry.
65 size_t plaintext_size = ciphertext.length() - auth_tag_size_;
67 // Import key_ into NSS.
68 SECItem key_item;
69 key_item.type = siBuffer;
70 key_item.data = key_;
71 key_item.len = key_size_;
72 PK11SlotInfo* slot = PK11_GetInternalSlot();
74 // TODO(wtc): For an AES-GCM key, the correct value for |key_mechanism| is
75 // CKM_AES_GCM, but because of NSS bug
76 // https://bugzilla.mozilla.org/show_bug.cgi?id=853285, use CKM_AES_ECB as a
77 // workaround. Remove this when we require NSS 3.15.
78 CK_MECHANISM_TYPE key_mechanism = aead_mechanism_;
79 if (key_mechanism == CKM_AES_GCM) {
80 key_mechanism = CKM_AES_ECB;
83 // The exact value of the |origin| argument doesn't matter to NSS as long as
84 // it's not PK11_OriginFortezzaHack, so pass PK11_OriginUnwrap as a
85 // placeholder.
86 crypto::ScopedPK11SymKey aead_key(PK11_ImportSymKey(
87 slot, key_mechanism, PK11_OriginUnwrap, CKA_DECRYPT, &key_item, nullptr));
88 PK11_FreeSlot(slot);
89 slot = nullptr;
90 if (!aead_key) {
91 DVLOG(1) << "PK11_ImportSymKey failed";
92 return false;
95 AeadParams aead_params = {0};
96 FillAeadParams(nonce, associated_data, auth_tag_size_, &aead_params);
98 SECItem param;
99 param.type = siBuffer;
100 param.data = reinterpret_cast<unsigned char*>(&aead_params.data);
101 param.len = aead_params.len;
103 unsigned int output_len;
104 if (pk11_decrypt_(aead_key.get(), aead_mechanism_, &param, output,
105 &output_len, max_output_length,
106 reinterpret_cast<const unsigned char*>(ciphertext.data()),
107 ciphertext.length()) != SECSuccess) {
108 return false;
111 if (output_len != plaintext_size) {
112 DVLOG(1) << "Wrong output length";
113 return false;
115 *output_length = output_len;
116 return true;
119 bool AeadBaseDecrypter::DecryptPacket(QuicPacketSequenceNumber sequence_number,
120 const StringPiece& associated_data,
121 const StringPiece& ciphertext,
122 char* output,
123 size_t* output_length,
124 size_t max_output_length) {
125 if (ciphertext.length() < auth_tag_size_) {
126 return false;
129 uint8 nonce[sizeof(nonce_prefix_) + sizeof(sequence_number)];
130 const size_t nonce_size = nonce_prefix_size_ + sizeof(sequence_number);
131 DCHECK_LE(nonce_size, sizeof(nonce));
132 memcpy(nonce, nonce_prefix_, nonce_prefix_size_);
133 memcpy(nonce + nonce_prefix_size_, &sequence_number, sizeof(sequence_number));
134 return Decrypt(StringPiece(reinterpret_cast<char*>(nonce), nonce_size),
135 associated_data, ciphertext, reinterpret_cast<uint8*>(output),
136 output_length, max_output_length);
139 StringPiece AeadBaseDecrypter::GetKey() const {
140 return StringPiece(reinterpret_cast<const char*>(key_), key_size_);
143 StringPiece AeadBaseDecrypter::GetNoncePrefix() const {
144 if (nonce_prefix_size_ == 0) {
145 return StringPiece();
147 return StringPiece(reinterpret_cast<const char*>(nonce_prefix_),
148 nonce_prefix_size_);
151 } // namespace net