Roll src/third_party/WebKit 3c1b001:57aef96 (svn 201977:201978)
[chromium-blink-merge.git] / crypto / aes_128_gcm_helpers_nss.cc
blob621f28b586f181c9bcc37ea9e4b162639fc6849c
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "crypto/aes_128_gcm_helpers_nss.h"
7 #include <pkcs11t.h>
8 #include <seccomon.h>
10 #include "base/lazy_instance.h"
11 #include "base/macros.h"
12 #include "crypto/ghash.h"
13 #include "crypto/scoped_nss_types.h"
15 #if defined(USE_NSS_CERTS)
16 #include <dlfcn.h>
17 #endif
19 namespace crypto {
20 namespace {
22 // Declaration of the prototype both PK11_Decrypt and PK11_Encrypt follow.
23 using PK11_TransformFunction = SECStatus(PK11SymKey* symKey,
24 CK_MECHANISM_TYPE mechanism,
25 SECItem* param,
26 unsigned char* out,
27 unsigned int* outLen,
28 unsigned int maxLen,
29 const unsigned char* data,
30 unsigned int dataLen);
32 // On Linux, dynamically link against the system version of libnss3.so. In
33 // order to continue working on systems without up-to-date versions of NSS,
34 // lookup PK11_Decrypt and PK11_Encrypt with dlsym.
36 // GcmSupportChecker is a singleton which caches the results of runtime symbol
37 // resolution of these symbols.
38 class GcmSupportChecker {
39 public:
40 PK11_TransformFunction* pk11_decrypt_func() { return pk11_decrypt_func_; }
42 PK11_TransformFunction* pk11_encrypt_func() { return pk11_encrypt_func_; }
44 private:
45 friend struct base::DefaultLazyInstanceTraits<GcmSupportChecker>;
47 GcmSupportChecker() {
48 #if !defined(USE_NSS_CERTS)
49 // Using a bundled version of NSS that is guaranteed to have these symbols.
50 pk11_decrypt_func_ = PK11_Decrypt;
51 pk11_encrypt_func_ = PK11_Encrypt;
52 #else
53 // Using system NSS libraries and PCKS #11 modules, which may not have the
54 // necessary functions (PK11_Decrypt and PK11_Encrypt) or mechanism support
55 // (CKM_AES_GCM).
57 // If PK11_Decrypt() and PK11_Encrypt() were successfully resolved, then NSS
58 // will support AES-GCM directly. This was introduced in NSS 3.15.
59 pk11_decrypt_func_ = reinterpret_cast<PK11_TransformFunction*>(
60 dlsym(RTLD_DEFAULT, "PK11_Decrypt"));
61 pk11_encrypt_func_ = reinterpret_cast<PK11_TransformFunction*>(
62 dlsym(RTLD_DEFAULT, "PK11_Encrypt"));
63 #endif
66 ~GcmSupportChecker() {}
68 // |pk11_decrypt_func_| stores the runtime symbol resolution of PK11_Decrypt.
69 PK11_TransformFunction* pk11_decrypt_func_;
71 // |pk11_encrypt_func_| stores the runtime symbol resolution of PK11_Encrypt.
72 PK11_TransformFunction* pk11_encrypt_func_;
74 DISALLOW_COPY_AND_ASSIGN(GcmSupportChecker);
77 base::LazyInstance<GcmSupportChecker>::Leaky g_gcm_support_checker =
78 LAZY_INSTANCE_INITIALIZER;
80 } // namespace
82 // Calls PK11_Decrypt if it's available. Otherwise, emulates CKM_AES_GCM using
83 // CKM_AES_CTR and the GaloisHash class.
84 SECStatus PK11DecryptHelper(PK11SymKey* key,
85 CK_MECHANISM_TYPE mechanism,
86 SECItem* param,
87 unsigned char* out,
88 unsigned int* out_len,
89 unsigned int max_len,
90 const unsigned char* data,
91 unsigned int data_len) {
92 // If PK11_Decrypt() was successfully resolved or if bundled version of NSS is
93 // being used, then NSS will support AES-GCM directly.
94 PK11_TransformFunction* pk11_decrypt_func =
95 g_gcm_support_checker.Get().pk11_decrypt_func();
97 if (pk11_decrypt_func != nullptr) {
98 return pk11_decrypt_func(key, mechanism, param, out, out_len, max_len, data,
99 data_len);
102 // Otherwise, the user has an older version of NSS. Regrettably, NSS 3.14.x
103 // has a bug in the AES GCM code
104 // (https://bugzilla.mozilla.org/show_bug.cgi?id=853285), as well as missing
105 // the PK11_Decrypt function
106 // (https://bugzilla.mozilla.org/show_bug.cgi?id=854063), both of which are
107 // resolved in NSS 3.15.
109 CHECK_EQ(mechanism, static_cast<CK_MECHANISM_TYPE>(CKM_AES_GCM));
110 CHECK_EQ(param->len, sizeof(CK_GCM_PARAMS));
112 const CK_GCM_PARAMS* gcm_params =
113 reinterpret_cast<CK_GCM_PARAMS*>(param->data);
115 const CK_ULONG auth_tag_size = gcm_params->ulTagBits / 8;
117 if (gcm_params->ulIvLen != 12u) {
118 DVLOG(1) << "ulIvLen is not equal to 12";
119 PORT_SetError(SEC_ERROR_INPUT_LEN);
120 return SECFailure;
123 SECItem my_param = {siBuffer, nullptr, 0};
125 // Step 2. Let H = CIPH_K(128 '0' bits).
126 unsigned char ghash_key[16] = {0};
127 crypto::ScopedPK11Context ctx(
128 PK11_CreateContextBySymKey(CKM_AES_ECB, CKA_ENCRYPT, key, &my_param));
129 if (!ctx) {
130 DVLOG(1) << "PK11_CreateContextBySymKey failed";
131 return SECFailure;
133 int output_len;
134 if (PK11_CipherOp(ctx.get(), ghash_key, &output_len, sizeof(ghash_key),
135 ghash_key, sizeof(ghash_key)) != SECSuccess) {
136 DVLOG(1) << "PK11_CipherOp failed";
137 return SECFailure;
140 if (PK11_Finalize(ctx.get()) != SECSuccess) {
141 DVLOG(1) << "PK11_Finalize failed";
142 return SECFailure;
145 if (output_len != sizeof(ghash_key)) {
146 DVLOG(1) << "Wrong output length";
147 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
148 return SECFailure;
151 // Step 3. If len(IV)=96, then let J0 = IV || 31 '0' bits || 1.
152 CK_AES_CTR_PARAMS ctr_params = {0};
153 ctr_params.ulCounterBits = 32;
154 memcpy(ctr_params.cb, gcm_params->pIv, gcm_params->ulIvLen);
155 ctr_params.cb[12] = 0;
156 ctr_params.cb[13] = 0;
157 ctr_params.cb[14] = 0;
158 ctr_params.cb[15] = 1;
160 my_param.type = siBuffer;
161 my_param.data = reinterpret_cast<unsigned char*>(&ctr_params);
162 my_param.len = sizeof(ctr_params);
164 ctx.reset(
165 PK11_CreateContextBySymKey(CKM_AES_CTR, CKA_ENCRYPT, key, &my_param));
166 if (!ctx) {
167 DVLOG(1) << "PK11_CreateContextBySymKey failed";
168 return SECFailure;
171 // Step 6. Calculate the encryption mask of GCTR_K(J0, ...).
172 unsigned char tag_mask[16] = {0};
173 if (PK11_CipherOp(ctx.get(), tag_mask, &output_len, sizeof(tag_mask),
174 tag_mask, sizeof(tag_mask)) != SECSuccess) {
175 DVLOG(1) << "PK11_CipherOp failed";
176 return SECFailure;
178 if (output_len != sizeof(tag_mask)) {
179 DVLOG(1) << "Wrong output length";
180 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
181 return SECFailure;
184 if (data_len < auth_tag_size) {
185 PORT_SetError(SEC_ERROR_INPUT_LEN);
186 return SECFailure;
189 // The const_cast for |data| can be removed if system NSS libraries are
190 // NSS 3.14.1 or later (NSS bug
191 // https://bugzilla.mozilla.org/show_bug.cgi?id=808218).
192 if (PK11_CipherOp(ctx.get(), out, &output_len, max_len,
193 const_cast<unsigned char*>(data),
194 data_len - auth_tag_size) != SECSuccess) {
195 DVLOG(1) << "PK11_CipherOp failed";
196 return SECFailure;
199 if (PK11_Finalize(ctx.get()) != SECSuccess) {
200 DVLOG(1) << "PK11_Finalize failed";
201 return SECFailure;
204 if (static_cast<unsigned int>(output_len) != data_len - auth_tag_size) {
205 DVLOG(1) << "Wrong output length";
206 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
207 return SECFailure;
210 crypto::GaloisHash ghash(ghash_key);
211 ghash.UpdateAdditional(gcm_params->pAAD, gcm_params->ulAADLen);
212 ghash.UpdateCiphertext(data, output_len);
213 unsigned char auth_tag[auth_tag_size];
214 ghash.Finish(auth_tag, auth_tag_size);
215 for (unsigned int i = 0; i < auth_tag_size; i++) {
216 auth_tag[i] ^= tag_mask[i];
219 if (NSS_SecureMemcmp(auth_tag, data + output_len, auth_tag_size) != 0) {
220 PORT_SetError(SEC_ERROR_BAD_DATA);
221 return SECFailure;
224 *out_len = output_len;
225 return SECSuccess;
228 // Calls PK11_Encrypt if it's available. Otherwise, emulates CKM_AES_GCM using
229 // CKM_AES_CTR and the GaloisHash class.
230 SECStatus PK11EncryptHelper(PK11SymKey* key,
231 CK_MECHANISM_TYPE mechanism,
232 SECItem* param,
233 unsigned char* out,
234 unsigned int* out_len,
235 unsigned int max_len,
236 const unsigned char* data,
237 unsigned int data_len) {
238 // If PK11_Encrypt() was successfully resolved or if bundled version of NSS is
239 // being used, then NSS will support AES-GCM directly.
240 PK11_TransformFunction* pk11_encrypt_func =
241 g_gcm_support_checker.Get().pk11_encrypt_func();
243 if (pk11_encrypt_func != nullptr) {
244 return pk11_encrypt_func(key, mechanism, param, out, out_len, max_len, data,
245 data_len);
248 // Otherwise, the user has an older version of NSS. Regrettably, NSS 3.14.x
249 // has a bug in the AES GCM code
250 // (https://bugzilla.mozilla.org/show_bug.cgi?id=853285), as well as missing
251 // the PK11_Encrypt function
252 // (https://bugzilla.mozilla.org/show_bug.cgi?id=854063), both of which are
253 // resolved in NSS 3.15.
255 CHECK_EQ(mechanism, static_cast<CK_MECHANISM_TYPE>(CKM_AES_GCM));
256 CHECK_EQ(param->len, sizeof(CK_GCM_PARAMS));
258 const CK_GCM_PARAMS* gcm_params =
259 reinterpret_cast<CK_GCM_PARAMS*>(param->data);
261 const CK_ULONG auth_tag_size = gcm_params->ulTagBits / 8;
263 if (max_len < auth_tag_size) {
264 DVLOG(1) << "max_len is less than kAuthTagSize";
265 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
266 return SECFailure;
269 if (gcm_params->ulIvLen != 12u) {
270 DVLOG(1) << "ulIvLen is not equal to 12";
271 PORT_SetError(SEC_ERROR_INPUT_LEN);
272 return SECFailure;
275 SECItem my_param = {siBuffer, nullptr, 0};
277 // Step 1. Let H = CIPH_K(128 '0' bits).
278 unsigned char ghash_key[16] = {0};
279 crypto::ScopedPK11Context ctx(
280 PK11_CreateContextBySymKey(CKM_AES_ECB, CKA_ENCRYPT, key, &my_param));
281 if (!ctx) {
282 DVLOG(1) << "PK11_CreateContextBySymKey failed";
283 return SECFailure;
285 int output_len;
286 if (PK11_CipherOp(ctx.get(), ghash_key, &output_len, sizeof(ghash_key),
287 ghash_key, sizeof(ghash_key)) != SECSuccess) {
288 DVLOG(1) << "PK11_CipherOp failed";
289 return SECFailure;
292 if (PK11_Finalize(ctx.get()) != SECSuccess) {
293 DVLOG(1) << "PK11_Finalize failed";
294 return SECFailure;
297 if (output_len != sizeof(ghash_key)) {
298 DVLOG(1) << "Wrong output length";
299 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
300 return SECFailure;
303 // Step 2. If len(IV)=96, then let J0 = IV || 31 '0' bits || 1.
304 CK_AES_CTR_PARAMS ctr_params = {0};
305 ctr_params.ulCounterBits = 32;
306 memcpy(ctr_params.cb, gcm_params->pIv, gcm_params->ulIvLen);
307 ctr_params.cb[12] = 0;
308 ctr_params.cb[13] = 0;
309 ctr_params.cb[14] = 0;
310 ctr_params.cb[15] = 1;
312 my_param.type = siBuffer;
313 my_param.data = reinterpret_cast<unsigned char*>(&ctr_params);
314 my_param.len = sizeof(ctr_params);
316 ctx.reset(
317 PK11_CreateContextBySymKey(CKM_AES_CTR, CKA_ENCRYPT, key, &my_param));
318 if (!ctx) {
319 DVLOG(1) << "PK11_CreateContextBySymKey failed";
320 return SECFailure;
323 // Step 6. Calculate the encryption mask of GCTR_K(J0, ...).
324 unsigned char tag_mask[16] = {0};
325 if (PK11_CipherOp(ctx.get(), tag_mask, &output_len, sizeof(tag_mask),
326 tag_mask, sizeof(tag_mask)) != SECSuccess) {
327 DVLOG(1) << "PK11_CipherOp failed";
328 return SECFailure;
330 if (output_len != sizeof(tag_mask)) {
331 DVLOG(1) << "Wrong output length";
332 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
333 return SECFailure;
336 // The const_cast for |data| can be removed if system NSS libraries are
337 // NSS 3.14.1 or later (NSS bug
338 // https://bugzilla.mozilla.org/show_bug.cgi?id=808218).
339 if (PK11_CipherOp(ctx.get(), out, &output_len, max_len,
340 const_cast<unsigned char*>(data), data_len) != SECSuccess) {
341 DVLOG(1) << "PK11_CipherOp failed";
342 return SECFailure;
345 if (PK11_Finalize(ctx.get()) != SECSuccess) {
346 DVLOG(1) << "PK11_Finalize failed";
347 return SECFailure;
350 if (static_cast<unsigned int>(output_len) != data_len) {
351 DVLOG(1) << "Wrong output length";
352 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
353 return SECFailure;
356 if ((max_len - auth_tag_size) < static_cast<unsigned int>(output_len)) {
357 DVLOG(1) << "(max_len - kAuthTagSize) is less than output_len";
358 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
359 return SECFailure;
362 crypto::GaloisHash ghash(ghash_key);
363 ghash.UpdateAdditional(gcm_params->pAAD, gcm_params->ulAADLen);
364 ghash.UpdateCiphertext(out, output_len);
365 ghash.Finish(out + output_len, auth_tag_size);
366 for (unsigned int i = 0; i < auth_tag_size; i++) {
367 out[output_len + i] ^= tag_mask[i];
370 *out_len = output_len + auth_tag_size;
371 return SECSuccess;
374 } // namespace crypto