1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/numerics/safe_math.h"
6 #include "base/stl_util.h"
7 #include "content/child/webcrypto/crypto_data.h"
8 #include "content/child/webcrypto/nss/aes_algorithm_nss.h"
9 #include "content/child/webcrypto/nss/key_nss.h"
10 #include "content/child/webcrypto/nss/util_nss.h"
11 #include "content/child/webcrypto/status.h"
12 #include "content/child/webcrypto/webcrypto_util.h"
13 #include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
15 // At the time of this writing:
16 // * Windows and Mac builds ship with their own copy of NSS (3.15+)
17 // * Linux builds use the system's libnss, which is 3.14 on Debian (but 3.15+
20 // Since NSS provides AES-GCM support starting in version 3.15, it may be
21 // unavailable for Linux Chrome users.
23 // * !defined(CKM_AES_GCM)
25 // This means that at build time, the NSS header pkcs11t.h is older than
26 // 3.15. However at runtime support may be present.
28 // TODO(eroman): Simplify this once 3.15+ is required by Linux builds.
29 #if !defined(CKM_AES_GCM)
30 #define CKM_AES_GCM 0x00001087
32 struct CK_GCM_PARAMS
{
39 #endif // !defined(CKM_AES_GCM)
47 Status
NssSupportsAesGcm() {
48 if (NssRuntimeSupport::Get()->IsAesGcmSupported())
49 return Status::Success();
50 return Status::ErrorUnsupported(
51 "NSS version doesn't support AES-GCM. Try using version 3.15 or later");
54 // Helper to either encrypt or decrypt for AES-GCM. The result of encryption is
55 // the concatenation of the ciphertext and the authentication tag. Similarly,
56 // this is the expectation for the input to decryption.
57 Status
AesGcmEncryptDecrypt(EncryptOrDecrypt mode
,
58 const blink::WebCryptoAlgorithm
& algorithm
,
59 const blink::WebCryptoKey
& key
,
60 const CryptoData
& data
,
61 std::vector
<uint8_t>* buffer
) {
62 Status status
= NssSupportsAesGcm();
66 PK11SymKey
* sym_key
= SymKeyNss::Cast(key
)->key();
67 const blink::WebCryptoAesGcmParams
* params
= algorithm
.aesGcmParams();
69 return Status::ErrorUnexpected();
71 unsigned int tag_length_bits
;
72 status
= GetAesGcmTagLengthInBits(params
, &tag_length_bits
);
75 unsigned int tag_length_bytes
= tag_length_bits
/ 8;
77 CryptoData
iv(params
->iv());
78 CryptoData
additional_data(params
->optionalAdditionalData());
80 CK_GCM_PARAMS gcm_params
= {0};
81 gcm_params
.pIv
= const_cast<unsigned char*>(iv
.bytes());
82 gcm_params
.ulIvLen
= iv
.byte_length();
84 gcm_params
.pAAD
= const_cast<unsigned char*>(additional_data
.bytes());
85 gcm_params
.ulAADLen
= additional_data
.byte_length();
87 gcm_params
.ulTagBits
= tag_length_bits
;
90 param
.type
= siBuffer
;
91 param
.data
= reinterpret_cast<unsigned char*>(&gcm_params
);
92 param
.len
= sizeof(gcm_params
);
94 base::CheckedNumeric
<unsigned int> buffer_size(data
.byte_length());
96 // Calculate the output buffer size.
97 if (mode
== ENCRYPT
) {
98 buffer_size
+= tag_length_bytes
;
99 if (!buffer_size
.IsValid())
100 return Status::ErrorDataTooLarge();
103 // TODO(eroman): In theory the buffer allocated for the plain text should be
104 // sized as |data.byte_length() - tag_length_bytes|.
106 // However NSS has a bug whereby it will fail if the output buffer size is
107 // not at least as large as the ciphertext:
109 // https://bugzilla.mozilla.org/show_bug.cgi?id=%20853674
111 // From the analysis of that bug it looks like it might be safe to pass a
112 // correctly sized buffer but lie about its size. Since resizing the
113 // WebCryptoArrayBuffer is expensive that hack may be worth looking into.
115 buffer
->resize(buffer_size
.ValueOrDie());
116 unsigned char* buffer_data
= vector_as_array(buffer
);
118 PK11_EncryptDecryptFunction encrypt_or_decrypt_func
=
119 (mode
== ENCRYPT
) ? NssRuntimeSupport::Get()->pk11_encrypt_func()
120 : NssRuntimeSupport::Get()->pk11_decrypt_func();
122 unsigned int output_len
= 0;
123 SECStatus result
= encrypt_or_decrypt_func(
124 sym_key
, CKM_AES_GCM
, ¶m
, buffer_data
, &output_len
, buffer
->size(),
125 data
.bytes(), data
.byte_length());
127 if (result
!= SECSuccess
)
128 return Status::OperationError();
130 // Unfortunately the buffer needs to be shrunk for decryption (see the NSS bug
132 buffer
->resize(output_len
);
134 return Status::Success();
137 class AesGcmImplementation
: public AesAlgorithm
{
139 AesGcmImplementation() : AesAlgorithm(CKM_AES_GCM
, "GCM") {}
141 Status
VerifyKeyUsagesBeforeImportKey(
142 blink::WebCryptoKeyFormat format
,
143 blink::WebCryptoKeyUsageMask usages
) const override
{
144 // Prevent importing AES-GCM keys if it is unavailable.
145 Status status
= NssSupportsAesGcm();
146 if (status
.IsError())
148 return AesAlgorithm::VerifyKeyUsagesBeforeImportKey(format
, usages
);
151 Status
GenerateKey(const blink::WebCryptoAlgorithm
& algorithm
,
153 blink::WebCryptoKeyUsageMask usages
,
154 GenerateKeyResult
* result
) const override
{
155 // Prevent generating AES-GCM keys if it is unavailable.
156 Status status
= NssSupportsAesGcm();
157 if (status
.IsError())
160 return AesAlgorithm::GenerateKey(algorithm
, extractable
, usages
, result
);
163 Status
Encrypt(const blink::WebCryptoAlgorithm
& algorithm
,
164 const blink::WebCryptoKey
& key
,
165 const CryptoData
& data
,
166 std::vector
<uint8_t>* buffer
) const override
{
167 return AesGcmEncryptDecrypt(ENCRYPT
, algorithm
, key
, data
, buffer
);
170 Status
Decrypt(const blink::WebCryptoAlgorithm
& algorithm
,
171 const blink::WebCryptoKey
& key
,
172 const CryptoData
& data
,
173 std::vector
<uint8_t>* buffer
) const override
{
174 return AesGcmEncryptDecrypt(DECRYPT
, algorithm
, key
, data
, buffer
);
180 AlgorithmImplementation
* CreatePlatformAesGcmImplementation() {
181 return new AesGcmImplementation
;
184 } // namespace webcrypto
186 } // namespace content
