1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/numerics/safe_math.h"
6 #include "base/stl_util.h"
7 #include "components/webcrypto/crypto_data.h"
8 #include "components/webcrypto/nss/aes_algorithm_nss.h"
9 #include "components/webcrypto/nss/key_nss.h"
10 #include "components/webcrypto/nss/util_nss.h"
11 #include "components/webcrypto/status.h"
12 #include "components/webcrypto/webcrypto_util.h"
13 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
15 // At the time of this writing:
16 // * Windows and Mac builds ship with their own copy of NSS (3.15+)
17 // * Linux builds use the system's libnss, which is 3.14 on Debian (but 3.15+
20 // Since NSS provides AES-GCM support starting in version 3.15, it may be
21 // unavailable for Linux Chrome users.
23 // * !defined(CKM_AES_GCM)
25 // This means that at build time, the NSS header pkcs11t.h is older than
26 // 3.15. However at runtime support may be present.
28 // TODO(eroman): Simplify this once 3.15+ is required by Linux builds.
29 #if !defined(CKM_AES_GCM)
30 #define CKM_AES_GCM 0x00001087
32 struct CK_GCM_PARAMS
{
39 #endif // !defined(CKM_AES_GCM)
45 Status
NssSupportsAesGcm() {
46 if (NssRuntimeSupport::Get()->IsAesGcmSupported())
47 return Status::Success();
48 return Status::ErrorUnsupported(
49 "NSS version doesn't support AES-GCM. Try using version 3.15 or later");
52 // Helper to either encrypt or decrypt for AES-GCM. The result of encryption is
53 // the concatenation of the ciphertext and the authentication tag. Similarly,
54 // this is the expectation for the input to decryption.
55 Status
AesGcmEncryptDecrypt(EncryptOrDecrypt mode
,
56 const blink::WebCryptoAlgorithm
& algorithm
,
57 const blink::WebCryptoKey
& key
,
58 const CryptoData
& data
,
59 std::vector
<uint8_t>* buffer
) {
60 Status status
= NssSupportsAesGcm();
64 PK11SymKey
* sym_key
= SymKeyNss::Cast(key
)->key();
65 const blink::WebCryptoAesGcmParams
* params
= algorithm
.aesGcmParams();
67 return Status::ErrorUnexpected();
69 unsigned int tag_length_bits
;
70 status
= GetAesGcmTagLengthInBits(params
, &tag_length_bits
);
73 unsigned int tag_length_bytes
= tag_length_bits
/ 8;
75 CryptoData
iv(params
->iv());
76 CryptoData
additional_data(params
->optionalAdditionalData());
78 CK_GCM_PARAMS gcm_params
= {0};
79 gcm_params
.pIv
= const_cast<unsigned char*>(iv
.bytes());
80 gcm_params
.ulIvLen
= iv
.byte_length();
82 gcm_params
.pAAD
= const_cast<unsigned char*>(additional_data
.bytes());
83 gcm_params
.ulAADLen
= additional_data
.byte_length();
85 gcm_params
.ulTagBits
= tag_length_bits
;
88 param
.type
= siBuffer
;
89 param
.data
= reinterpret_cast<unsigned char*>(&gcm_params
);
90 param
.len
= sizeof(gcm_params
);
92 base::CheckedNumeric
<unsigned int> buffer_size(data
.byte_length());
94 // Calculate the output buffer size.
95 if (mode
== ENCRYPT
) {
96 buffer_size
+= tag_length_bytes
;
97 if (!buffer_size
.IsValid())
98 return Status::ErrorDataTooLarge();
101 // TODO(eroman): In theory the buffer allocated for the plain text should be
102 // sized as |data.byte_length() - tag_length_bytes|.
104 // However NSS has a bug whereby it will fail if the output buffer size is
105 // not at least as large as the ciphertext:
107 // https://bugzilla.mozilla.org/show_bug.cgi?id=%20853674
109 // From the analysis of that bug it looks like it might be safe to pass a
110 // correctly sized buffer but lie about its size. Since resizing the
111 // WebCryptoArrayBuffer is expensive that hack may be worth looking into.
113 buffer
->resize(buffer_size
.ValueOrDie());
114 unsigned char* buffer_data
= vector_as_array(buffer
);
116 PK11_EncryptDecryptFunction encrypt_or_decrypt_func
=
117 (mode
== ENCRYPT
) ? NssRuntimeSupport::Get()->pk11_encrypt_func()
118 : NssRuntimeSupport::Get()->pk11_decrypt_func();
120 unsigned int output_len
= 0;
121 SECStatus result
= encrypt_or_decrypt_func(
122 sym_key
, CKM_AES_GCM
, ¶m
, buffer_data
, &output_len
, buffer
->size(),
123 data
.bytes(), data
.byte_length());
125 if (result
!= SECSuccess
)
126 return Status::OperationError();
128 // Unfortunately the buffer needs to be shrunk for decryption (see the NSS bug
130 buffer
->resize(output_len
);
132 return Status::Success();
135 class AesGcmImplementation
: public AesAlgorithm
{
137 AesGcmImplementation() : AesAlgorithm(CKM_AES_GCM
, "GCM") {}
139 Status
VerifyKeyUsagesBeforeImportKey(
140 blink::WebCryptoKeyFormat format
,
141 blink::WebCryptoKeyUsageMask usages
) const override
{
142 // Prevent importing AES-GCM keys if it is unavailable.
143 Status status
= NssSupportsAesGcm();
144 if (status
.IsError())
146 return AesAlgorithm::VerifyKeyUsagesBeforeImportKey(format
, usages
);
149 Status
GenerateKey(const blink::WebCryptoAlgorithm
& algorithm
,
151 blink::WebCryptoKeyUsageMask usages
,
152 GenerateKeyResult
* result
) const override
{
153 // Prevent generating AES-GCM keys if it is unavailable.
154 Status status
= NssSupportsAesGcm();
155 if (status
.IsError())
158 return AesAlgorithm::GenerateKey(algorithm
, extractable
, usages
, result
);
161 Status
Encrypt(const blink::WebCryptoAlgorithm
& algorithm
,
162 const blink::WebCryptoKey
& key
,
163 const CryptoData
& data
,
164 std::vector
<uint8_t>* buffer
) const override
{
165 return AesGcmEncryptDecrypt(ENCRYPT
, algorithm
, key
, data
, buffer
);
168 Status
Decrypt(const blink::WebCryptoAlgorithm
& algorithm
,
169 const blink::WebCryptoKey
& key
,
170 const CryptoData
& data
,
171 std::vector
<uint8_t>* buffer
) const override
{
172 return AesGcmEncryptDecrypt(DECRYPT
, algorithm
, key
, data
, buffer
);
178 AlgorithmImplementation
* CreatePlatformAesGcmImplementation() {
179 return new AesGcmImplementation
;
182 } // namespace webcrypto
