Vectorize website settings icons in omnibox
[chromium-blink-merge.git] / components / webcrypto / openssl / aes_ctr_openssl.cc
blob26363f72b55c2fc87648e2430ec31adb07d1e3c6
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include <openssl/aes.h>
6 #include <openssl/evp.h>
8 #include "base/logging.h"
9 #include "base/macros.h"
10 #include "base/numerics/safe_math.h"
11 #include "base/stl_util.h"
12 #include "components/webcrypto/crypto_data.h"
13 #include "components/webcrypto/openssl/aes_algorithm_openssl.h"
14 #include "components/webcrypto/openssl/key_openssl.h"
15 #include "components/webcrypto/openssl/util_openssl.h"
16 #include "components/webcrypto/status.h"
17 #include "components/webcrypto/webcrypto_util.h"
18 #include "crypto/openssl_util.h"
19 #include "crypto/scoped_openssl_types.h"
20 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
22 namespace webcrypto {
24 namespace {
26 const EVP_CIPHER* GetAESCipherByKeyLength(size_t key_length_bytes) {
27 // BoringSSL does not support 192-bit AES keys.
28 switch (key_length_bytes) {
29 case 16:
30 return EVP_aes_128_ctr();
31 case 32:
32 return EVP_aes_256_ctr();
33 default:
34 return NULL;
38 // Encrypts/decrypts given a 128-bit counter.
40 // |output| must be a pointer to a buffer which has a length of at least
41 // |input.byte_length()|.
42 Status AesCtrEncrypt128BitCounter(const EVP_CIPHER* cipher,
43 const CryptoData& raw_key,
44 const CryptoData& input,
45 const CryptoData& counter,
46 uint8_t* output) {
47 DCHECK(cipher);
48 DCHECK_EQ(16u, counter.byte_length());
50 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
51 crypto::ScopedOpenSSL<EVP_CIPHER_CTX, EVP_CIPHER_CTX_free> context(
52 EVP_CIPHER_CTX_new());
54 if (!context.get())
55 return Status::OperationError();
57 if (!EVP_CipherInit_ex(context.get(), cipher, NULL, raw_key.bytes(),
58 counter.bytes(), ENCRYPT)) {
59 return Status::OperationError();
62 int output_len = 0;
63 if (!EVP_CipherUpdate(context.get(), output, &output_len, input.bytes(),
64 input.byte_length())) {
65 return Status::OperationError();
67 int final_output_chunk_len = 0;
68 if (!EVP_CipherFinal_ex(context.get(), output + output_len,
69 &final_output_chunk_len)) {
70 return Status::OperationError();
73 output_len += final_output_chunk_len;
74 if (static_cast<unsigned int>(output_len) != input.byte_length())
75 return Status::ErrorUnexpected();
77 return Status::Success();
80 // Returns ceil(a/b), where a and b are integers.
81 template <typename T>
82 T CeilDiv(T a, T b) {
83 return a == 0 ? 0 : 1 + (a - 1) / b;
86 // Extracts the counter as a BIGNUM. The counter is the rightmost
87 // "counter_length_bits" of the block, interpreted as a big-endian number.
88 crypto::ScopedBIGNUM GetCounter(const CryptoData& counter_block,
89 unsigned int counter_length_bits) {
90 unsigned int counter_length_remainder_bits = (counter_length_bits % 8);
92 // If the counter is a multiple of 8 bits then can call BN_bin2bn() directly.
93 if (counter_length_remainder_bits == 0) {
94 unsigned int byte_length = counter_length_bits / 8;
95 return crypto::ScopedBIGNUM(BN_bin2bn(
96 counter_block.bytes() + counter_block.byte_length() - byte_length,
97 byte_length, NULL));
100 // Otherwise make a copy of the counter and zero out the topmost bits so
101 // BN_bin2bn() can be called with a byte stream.
102 unsigned int byte_length = CeilDiv(counter_length_bits, 8u);
103 std::vector<uint8_t> counter(
104 counter_block.bytes() + counter_block.byte_length() - byte_length,
105 counter_block.bytes() + counter_block.byte_length());
106 counter[0] &= ~(0xFF << counter_length_remainder_bits);
108 return crypto::ScopedBIGNUM(
109 BN_bin2bn(vector_as_array(&counter), counter.size(), NULL));
112 // Returns a counter block with the counter bits all set all zero.
113 std::vector<uint8_t> BlockWithZeroedCounter(const CryptoData& counter_block,
114 unsigned int counter_length_bits) {
115 unsigned int counter_length_bytes = counter_length_bits / 8;
116 unsigned int counter_length_bits_remainder = counter_length_bits % 8;
118 std::vector<uint8_t> new_counter_block(
119 counter_block.bytes(),
120 counter_block.bytes() + counter_block.byte_length());
122 size_t index = new_counter_block.size() - counter_length_bytes;
123 memset(&new_counter_block.front() + index, 0, counter_length_bytes);
125 if (counter_length_bits_remainder) {
126 new_counter_block[index - 1] &= 0xFF << counter_length_bits_remainder;
129 return new_counter_block;
132 // This function does encryption/decryption for AES-CTR (encryption and
133 // decryption are the same).
135 // BoringSSL's interface for AES-CTR differs from that of WebCrypto. In
136 // WebCrypto the caller specifies a 16-byte counter block and designates how
137 // many of the right-most X bits to use as a big-endian counter. Whereas in
138 // BoringSSL the entire counter block is interpreted as a 128-bit counter.
140 // In AES-CTR, the counter block MUST be unique across all messages that are
141 // encrypted/decrypted. WebCrypto expects that the counter can start at any
142 // value, and is therefore permitted to wrap around to zero on overflow.
144 // Some care is taken to fail if the counter wraps back to an earlier value.
145 // However this protection is only enforced during a *single* call to
146 // encrypt/decrypt.
147 Status AesCtrEncryptDecrypt(const blink::WebCryptoAlgorithm& algorithm,
148 const blink::WebCryptoKey& key,
149 const CryptoData& data,
150 std::vector<uint8_t>* buffer) {
151 const blink::WebCryptoAesCtrParams* params = algorithm.aesCtrParams();
152 const std::vector<uint8_t>& raw_key =
153 SymKeyOpenSsl::Cast(key)->raw_key_data();
155 if (params->counter().size() != 16)
156 return Status::ErrorIncorrectSizeAesCtrCounter();
158 unsigned int counter_length_bits = params->lengthBits();
159 if (counter_length_bits < 1 || counter_length_bits > 128)
160 return Status::ErrorInvalidAesCtrCounterLength();
162 // The output of AES-CTR is the same size as the input. However BoringSSL
163 // expects buffer sizes as an "int".
164 base::CheckedNumeric<int> output_max_len = data.byte_length();
165 if (!output_max_len.IsValid())
166 return Status::ErrorDataTooLarge();
168 const EVP_CIPHER* const cipher = GetAESCipherByKeyLength(raw_key.size());
169 if (!cipher)
170 return Status::ErrorUnexpected();
172 const CryptoData counter_block(params->counter());
173 buffer->resize(output_max_len.ValueOrDie());
175 // The total number of possible counter values is pow(2, counter_length_bits)
176 crypto::ScopedBIGNUM num_counter_values(BN_new());
177 if (!BN_lshift(num_counter_values.get(), BN_value_one(), counter_length_bits))
178 return Status::ErrorUnexpected();
180 crypto::ScopedBIGNUM current_counter =
181 GetCounter(counter_block, counter_length_bits);
183 // The number of AES blocks needed for encryption/decryption. The counter is
184 // incremented this many times.
185 crypto::ScopedBIGNUM num_output_blocks(BN_new());
186 if (!BN_set_word(
187 num_output_blocks.get(),
188 CeilDiv(buffer->size(), static_cast<size_t>(AES_BLOCK_SIZE)))) {
189 return Status::ErrorUnexpected();
192 // If the counter is going to be incremented more times than there are counter
193 // values, fail. (Repeating values of the counter block is bad).
194 if (BN_cmp(num_output_blocks.get(), num_counter_values.get()) > 0)
195 return Status::ErrorAesCtrInputTooLongCounterRepeated();
197 // This is the number of blocks that can be successfully encrypted without
198 // overflowing the counter. Encrypting the subsequent block will need to
199 // reset the counter to zero.
200 crypto::ScopedBIGNUM num_blocks_until_reset(BN_new());
202 if (!BN_sub(num_blocks_until_reset.get(), num_counter_values.get(),
203 current_counter.get())) {
204 return Status::ErrorUnexpected();
207 // If the counter can be incremented for the entire input without
208 // wrapping-around, do it as a single call into BoringSSL.
209 if (BN_cmp(num_blocks_until_reset.get(), num_output_blocks.get()) >= 0) {
210 return AesCtrEncrypt128BitCounter(cipher, CryptoData(raw_key), data,
211 counter_block, vector_as_array(buffer));
214 // Otherwise the encryption needs to be done in 2 parts. The first part using
215 // the current counter_block, and the next part resetting the counter portion
216 // of the block to zero.
218 // This is guaranteed to fit in an "unsigned int" because input size in bytes
219 // fits in an "unsigned int".
220 BN_ULONG num_blocks_part1 = BN_get_word(num_blocks_until_reset.get());
221 BN_ULONG input_size_part1 = num_blocks_part1 * AES_BLOCK_SIZE;
222 DCHECK_LT(input_size_part1, data.byte_length());
224 // Encrypt the first part (before wrap-around).
225 Status status = AesCtrEncrypt128BitCounter(
226 cipher, CryptoData(raw_key), CryptoData(data.bytes(), input_size_part1),
227 counter_block, vector_as_array(buffer));
228 if (status.IsError())
229 return status;
231 // Encrypt the second part (after wrap-around).
232 std::vector<uint8_t> counter_block_part2 =
233 BlockWithZeroedCounter(counter_block, counter_length_bits);
235 return AesCtrEncrypt128BitCounter(
236 cipher, CryptoData(raw_key),
237 CryptoData(data.bytes() + input_size_part1,
238 data.byte_length() - input_size_part1),
239 CryptoData(counter_block_part2),
240 vector_as_array(buffer) + input_size_part1);
243 class AesCtrImplementation : public AesAlgorithm {
244 public:
245 AesCtrImplementation() : AesAlgorithm("CTR") {}
247 Status Encrypt(const blink::WebCryptoAlgorithm& algorithm,
248 const blink::WebCryptoKey& key,
249 const CryptoData& data,
250 std::vector<uint8_t>* buffer) const override {
251 return AesCtrEncryptDecrypt(algorithm, key, data, buffer);
254 Status Decrypt(const blink::WebCryptoAlgorithm& algorithm,
255 const blink::WebCryptoKey& key,
256 const CryptoData& data,
257 std::vector<uint8_t>* buffer) const override {
258 return AesCtrEncryptDecrypt(algorithm, key, data, buffer);
262 } // namespace
264 AlgorithmImplementation* CreatePlatformAesCtrImplementation() {
265 return new AesCtrImplementation;
268 } // namespace webcrypto