blob: 3c905940ad5ac9e81cd84b436ef2251b286b6df7 [file] [log] [blame]
/*
* Copyright (C) 2017 Apple Inc. All rights reserved.
* Copyright (C) 2017 Metrological Group B.V.
* Copyright (C) 2017 Igalia S.L.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "CryptoAlgorithmAES_CTR.h"
#if ENABLE(WEB_CRYPTO)
#include "CryptoAlgorithmAesCtrParams.h"
#include "CryptoKeyAES.h"
#include <pal/crypto/gcrypt/Handle.h>
#include <pal/crypto/gcrypt/Utilities.h>
namespace WebCore {
// This is a helper function that resets the cipher object, sets the provided counter data,
// and executes the encrypt or decrypt operation, retrieving and returning the output data.
static Optional<Vector<uint8_t>> callOperation(PAL::GCrypt::CipherOperation operation, gcry_cipher_hd_t handle, const Vector<uint8_t>& counter, const uint8_t* data, const size_t size)
{
gcry_error_t error = gcry_cipher_reset(handle);
if (error != GPG_ERR_NO_ERROR) {
PAL::GCrypt::logError(error);
return WTF::nullopt;
}
error = gcry_cipher_setctr(handle, counter.data(), counter.size());
if (error != GPG_ERR_NO_ERROR) {
PAL::GCrypt::logError(error);
return WTF::nullopt;
}
error = gcry_cipher_final(handle);
if (error != GPG_ERR_NO_ERROR) {
PAL::GCrypt::logError(error);
return WTF::nullopt;
}
Vector<uint8_t> output(size);
error = operation(handle, output.data(), output.size(), data, size);
if (error != GPG_ERR_NO_ERROR) {
PAL::GCrypt::logError(error);
return WTF::nullopt;
}
return output;
}
static Optional<Vector<uint8_t>> gcryptAES_CTR(PAL::GCrypt::CipherOperation operation, const Vector<uint8_t>& key, const Vector<uint8_t>& counter, size_t counterLength, const Vector<uint8_t>& inputText)
{
constexpr size_t blockSize = 16;
auto algorithm = PAL::GCrypt::aesAlgorithmForKeySize(key.size() * 8);
if (!algorithm)
return WTF::nullopt;
// Construct the libgcrypt cipher object and attach the key to it. Key information on this
// cipher object will live through any gcry_cipher_reset() calls.
PAL::GCrypt::Handle<gcry_cipher_hd_t> handle;
gcry_error_t error = gcry_cipher_open(&handle, *algorithm, GCRY_CIPHER_MODE_CTR, 0);
if (error != GPG_ERR_NO_ERROR) {
PAL::GCrypt::logError(error);
return WTF::nullopt;
}
error = gcry_cipher_setkey(handle, key.data(), key.size());
if (error != GPG_ERR_NO_ERROR) {
PAL::GCrypt::logError(error);
return WTF::nullopt;
}
// Calculate the block count: ((inputText.size() + blockSize - 1) / blockSize), remainder discarded.
PAL::GCrypt::Handle<gcry_mpi_t> blockCountMPI(gcry_mpi_new(0));
{
PAL::GCrypt::Handle<gcry_mpi_t> blockSizeMPI(gcry_mpi_set_ui(nullptr, blockSize));
PAL::GCrypt::Handle<gcry_mpi_t> roundedUpSize(gcry_mpi_set_ui(nullptr, inputText.size()));
gcry_mpi_add_ui(roundedUpSize, roundedUpSize, blockSize - 1);
gcry_mpi_div(blockCountMPI, nullptr, roundedUpSize, blockSizeMPI, 0);
}
// Calculate the counter limit for the specified counter length: (2 << counterLength).
// (counterLimitMPI - 1) is the maximum value the counter can hold -- essentially it's
// a bit-mask for valid counter values.
PAL::GCrypt::Handle<gcry_mpi_t> counterLimitMPI(gcry_mpi_set_ui(nullptr, 1));
gcry_mpi_mul_2exp(counterLimitMPI, counterLimitMPI, counterLength);
// Counter values must not repeat for a given cipher text. If the counter limit (i.e.
// the number of unique counter values we could produce for the specified counter
// length) is lower than the deduced block count, we bail.
if (gcry_mpi_cmp(counterLimitMPI, blockCountMPI) < 0)
return WTF::nullopt;
// If the counter length, in bits, matches the size of the counter data, we don't have to
// use any part of the counter Vector<> as nonce. This allows us to directly encrypt or
// decrypt all the provided data in a single step.
if (counterLength == counter.size() * 8)
return callOperation(operation, handle, counter, inputText.data(), inputText.size());
// Scan the counter data into the MPI format. We'll do all the counter computations with
// the MPI API.
PAL::GCrypt::Handle<gcry_mpi_t> counterDataMPI;
error = gcry_mpi_scan(&counterDataMPI, GCRYMPI_FMT_USG, counter.data(), counter.size(), nullptr);
if (error != GPG_ERR_NO_ERROR) {
PAL::GCrypt::logError(error);
return WTF::nullopt;
}
// Extract the counter MPI from the counterDataMPI: (counterDataMPI % counterLimitMPI).
// This MPI represents solely the counter value, as initially provided.
PAL::GCrypt::Handle<gcry_mpi_t> counterMPI(gcry_mpi_new(0));
gcry_mpi_mod(counterMPI, counterDataMPI, counterLimitMPI);
{
// Calculate the leeway of the initially-provided counter: counterLimitMPI - counterMPI.
// This is essentially the number of blocks we can encrypt/decrypt with that counter
// (incrementing it after each operation) before the counter wraps around to 0.
PAL::GCrypt::Handle<gcry_mpi_t> counterLeewayMPI(gcry_mpi_new(0));
gcry_mpi_sub(counterLeewayMPI, counterLimitMPI, counterMPI);
// If counterLeewayMPI is larger or equal to the deduced block count, we can directly
// encrypt or decrypt the provided data in a single step since it's ensured that the
// counter won't overflow.
if (gcry_mpi_cmp(counterLeewayMPI, blockCountMPI) >= 0)
return callOperation(operation, handle, counter, inputText.data(), inputText.size());
}
// From here onwards we're dealing with a counter of which the length doesn't match the
// provided data, meaning we'll also have to manage the nonce data. The counter will also
// wrap around, so we'll have to address that too.
// Determine the nonce MPI that we'll use to reconstruct the counter data for each block:
// (counterDataMPI - counterMPI). This is equivalent to counterDataMPI with the lowest
// counterLength bits cleared.
PAL::GCrypt::Handle<gcry_mpi_t> nonceMPI(gcry_mpi_new(0));
gcry_mpi_sub(nonceMPI, counterDataMPI, counterMPI);
// FIXME: This should be optimized further by first encrypting the amount of blocks for
// which the counter won't yet wrap around, and then encrypting the rest of the blocks
// starting from the counter set to 0.
Vector<uint8_t> output;
Vector<uint8_t> blockCounterData(16);
size_t inputTextSize = inputText.size();
for (size_t i = 0; i < inputTextSize; i += 16) {
size_t blockInputSize = std::min<size_t>(16, inputTextSize - i);
// Construct the block-specific counter: (nonceMPI + counterMPI).
PAL::GCrypt::Handle<gcry_mpi_t> blockCounterMPI(gcry_mpi_new(0));
gcry_mpi_add(blockCounterMPI, nonceMPI, counterMPI);
error = gcry_mpi_print(GCRYMPI_FMT_USG, blockCounterData.data(), blockCounterData.size(), nullptr, blockCounterMPI);
if (error != GPG_ERR_NO_ERROR) {
PAL::GCrypt::logError(error);
return WTF::nullopt;
}
// Encrypt/decrypt this single block with the block-specific counter. Output for this
// single block is appended to the general output vector.
auto blockOutput = callOperation(operation, handle, blockCounterData, inputText.data() + i, blockInputSize);
if (!blockOutput)
return WTF::nullopt;
output.appendVector(*blockOutput);
// Increment the counter. The modulus operation takes care of any wrap-around.
PAL::GCrypt::Handle<gcry_mpi_t> counterIncrementMPI(gcry_mpi_new(0));
gcry_mpi_add_ui(counterIncrementMPI, counterMPI, 1);
gcry_mpi_mod(counterMPI, counterIncrementMPI, counterLimitMPI);
}
return output;
}
ExceptionOr<Vector<uint8_t>> CryptoAlgorithmAES_CTR::platformEncrypt(const CryptoAlgorithmAesCtrParams& parameters, const CryptoKeyAES& key, const Vector<uint8_t>& plainText)
{
auto output = gcryptAES_CTR(gcry_cipher_encrypt, key.key(), parameters.counterVector(), parameters.length, plainText);
if (!output)
return Exception { OperationError };
return WTFMove(*output);
}
ExceptionOr<Vector<uint8_t>> CryptoAlgorithmAES_CTR::platformDecrypt(const CryptoAlgorithmAesCtrParams& parameters, const CryptoKeyAES& key, const Vector<uint8_t>& cipherText)
{
auto output = gcryptAES_CTR(gcry_cipher_decrypt, key.key(), parameters.counterVector(), parameters.length, cipherText);
if (!output)
return Exception { OperationError };
return WTFMove(*output);
}
} // namespace WebCore
#endif // ENABLE(WEB_CRYPTO)