diff options
| author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-03-15 07:49:38 +0000 |
|---|---|---|
| committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-03-15 07:49:38 +0000 |
| commit | 9287659e1b4fc6323d6b97a8c365c4b35fca660f (patch) | |
| tree | 9ffef620fd36a73a73134c4d262ef0d0ebd1e65c | |
| parent | ffd1ccb156511d3ffa761e9301208595f8a5e6f6 (diff) | |
| download | chromium_src-9287659e1b4fc6323d6b97a8c365c4b35fca660f.zip chromium_src-9287659e1b4fc6323d6b97a8c365c4b35fca660f.tar.gz chromium_src-9287659e1b4fc6323d6b97a8c365c4b35fca660f.tar.bz2 | |
Add Aes128GcmEncrypter and Aes128GcmDecrypter for the
AEAD_AES_128_GCM authenticated encryption algorithm.
An OpenSSL-based implementation is included. The NSS-based
implementation will be added later.
Merge internal change: 42641062
Add the GetKey() and GetNoncePrefix() methods to Aes128GcmEncrypter
and Aes128GcmDecrypter.
Merge internal change: 43570937
R=rch@chromium.org,rtenneti@chromium.org
BUG=none
TEST=none
Review URL: https://chromiumcodereview.appspot.com/12623017
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@188292 0039d316-1c4b-4281-b951-d872f2087c98
| -rw-r--r-- | net/net.gyp | 16 | ||||
| -rw-r--r-- | net/quic/crypto/aes_128_gcm_decrypter.h | 64 | ||||
| -rw-r--r-- | net/quic/crypto/aes_128_gcm_decrypter_nss.cc | 77 | ||||
| -rw-r--r-- | net/quic/crypto/aes_128_gcm_decrypter_openssl.cc | 129 | ||||
| -rw-r--r-- | net/quic/crypto/aes_128_gcm_decrypter_test.cc | 374 | ||||
| -rw-r--r-- | net/quic/crypto/aes_128_gcm_encrypter.h | 68 | ||||
| -rw-r--r-- | net/quic/crypto/aes_128_gcm_encrypter_nss.cc | 94 | ||||
| -rw-r--r-- | net/quic/crypto/aes_128_gcm_encrypter_openssl.cc | 143 | ||||
| -rw-r--r-- | net/quic/crypto/aes_128_gcm_encrypter_test.cc | 334 | ||||
| -rw-r--r-- | net/quic/crypto/quic_decrypter.cc | 6 | ||||
| -rw-r--r-- | net/quic/crypto/quic_encrypter.cc | 6 | ||||
| -rw-r--r-- | net/quic/crypto/scoped_evp_cipher_ctx.h | 38 |
12 files changed, 1342 insertions, 7 deletions
diff --git a/net/net.gyp b/net/net.gyp index 3c88a24..3bf68cc 100644 --- a/net/net.gyp +++ b/net/net.gyp @@ -672,6 +672,12 @@ 'quic/congestion_control/tcp_cubic_sender.h', 'quic/congestion_control/tcp_receiver.cc', 'quic/congestion_control/tcp_receiver.h', + 'quic/crypto/aes_128_gcm_decrypter.h', + 'quic/crypto/aes_128_gcm_decrypter_nss.cc', + 'quic/crypto/aes_128_gcm_decrypter_openssl.cc', + 'quic/crypto/aes_128_gcm_encrypter.h', + 'quic/crypto/aes_128_gcm_encrypter_nss.cc', + 'quic/crypto/aes_128_gcm_encrypter_openssl.cc', 'quic/crypto/crypto_framer.cc', 'quic/crypto/crypto_framer.h', 'quic/crypto/crypto_handshake.cc', @@ -695,6 +701,7 @@ 'quic/crypto/quic_encrypter.h', 'quic/crypto/quic_random.cc', 'quic/crypto/quic_random.h', + 'quic/crypto/scoped_evp_cipher_ctx.h', 'quic/quic_bandwidth.cc', 'quic/quic_bandwidth.h', 'quic/quic_blocked_writer_interface.h', @@ -1092,6 +1099,9 @@ 'base/x509_util_nss.h', 'ocsp/nss_ocsp.cc', 'ocsp/nss_ocsp.h', + 'quic/crypto/aes_128_gcm_decrypter_nss.cc', + 'quic/crypto/aes_128_gcm_encrypter_nss.cc', + 'quic/crypto/p256_key_exchange_nss.cc', 'socket/nss_ssl_util.cc', 'socket/nss_ssl_util.h', 'socket/ssl_client_socket_nss.cc', @@ -1099,7 +1109,6 @@ 'socket/ssl_server_socket_nss.cc', 'socket/ssl_server_socket_nss.h', 'ssl/client_cert_store_impl_nss.cc', - 'quic/crypto/p256_key_exchange_nss.cc', 'third_party/mozilla_security_manager/nsKeygenHandler.cpp', 'third_party/mozilla_security_manager/nsKeygenHandler.h', 'third_party/mozilla_security_manager/nsNSSCertificateDB.cpp', @@ -1124,7 +1133,10 @@ 'base/x509_certificate_openssl.cc', 'base/x509_util_openssl.cc', 'base/x509_util_openssl.h', + 'quic/crypto/aes_128_gcm_decrypter_openssl.cc', + 'quic/crypto/aes_128_gcm_encrypter_openssl.cc', 'quic/crypto/p256_key_exchange_openssl.cc', + 'quic/crypto/scoped_evp_cipher_ctx.h', 'socket/ssl_client_socket_openssl.cc', 'socket/ssl_client_socket_openssl.h', 'socket/ssl_server_socket_openssl.cc', @@ -1532,6 +1544,8 @@ 'quic/congestion_control/paced_sender_test.cc', 'quic/congestion_control/tcp_cubic_sender_test.cc', 'quic/congestion_control/tcp_receiver_test.cc', + 'quic/crypto/aes_128_gcm_decrypter_test.cc', + 'quic/crypto/aes_128_gcm_encrypter_test.cc', 'quic/crypto/crypto_framer_test.cc', 'quic/crypto/crypto_handshake_test.cc', 'quic/crypto/curve25519_key_exchange_test.cc', diff --git a/net/quic/crypto/aes_128_gcm_decrypter.h b/net/quic/crypto/aes_128_gcm_decrypter.h new file mode 100644 index 0000000..87db99e --- /dev/null +++ b/net/quic/crypto/aes_128_gcm_decrypter.h @@ -0,0 +1,64 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef NET_QUIC_CRYPTO_AES_128_GCM_DECRYPTER_H_ +#define NET_QUIC_CRYPTO_AES_128_GCM_DECRYPTER_H_ + +#include <string> + +#include "base/compiler_specific.h" +#include "net/quic/crypto/quic_decrypter.h" + +namespace net { + +namespace test { +class Aes128GcmDecrypterPeer; +} // namespace test + +// An Aes128GcmDecrypter is a QuicDecrypter that implements the +// AEAD_AES_128_GCM algorithm specified in RFC 5116. Create an instance by +// calling QuicDecrypter::Create(kAESG). +// +// It uses an authentication tag of 16 bytes (128 bits). The fixed prefix +// of the nonce is four bytes. +class NET_EXPORT_PRIVATE Aes128GcmDecrypter : public QuicDecrypter { + public: + virtual ~Aes128GcmDecrypter() {} + + // Returns true if the underlying crypto library supports AES GCM. +#if defined(USE_OPENSSL) + static bool IsSupported() { return true; } +#else + static bool IsSupported(); +#endif + + // QuicDecrypter implementation + virtual bool SetKey(base::StringPiece key) OVERRIDE; + virtual bool SetNoncePrefix(base::StringPiece nonce_prefix) OVERRIDE; + virtual QuicData* Decrypt(QuicPacketSequenceNumber sequence_number, + base::StringPiece associated_data, + base::StringPiece ciphertext) OVERRIDE; + virtual base::StringPiece GetKey() const OVERRIDE; + virtual base::StringPiece GetNoncePrefix() const OVERRIDE; + + private: + friend class test::Aes128GcmDecrypterPeer; + + // The same as Decrypt(), except that the supplied |nonce| argument rather + // than the |nonce_| member is used as the nonce. This method is useful + // for testing the underlying AES GCM implementation. + QuicData* DecryptWithNonce(base::StringPiece nonce, + base::StringPiece associated_data, + base::StringPiece ciphertext); + + // The 128-bit AES key. + unsigned char key_[16]; + // The nonce, a concatenation of a four-byte fixed prefix and a 8-byte + // packet sequence number. + unsigned char nonce_[12]; +}; + +} // namespace net + +#endif // NET_QUIC_CRYPTO_AES_128_GCM_DECRYPTER_H_ diff --git a/net/quic/crypto/aes_128_gcm_decrypter_nss.cc b/net/quic/crypto/aes_128_gcm_decrypter_nss.cc new file mode 100644 index 0000000..9706839 --- /dev/null +++ b/net/quic/crypto/aes_128_gcm_decrypter_nss.cc @@ -0,0 +1,77 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/quic/crypto/aes_128_gcm_decrypter.h" + +#include "base/memory/scoped_ptr.h" + +using base::StringPiece; + +namespace net { + +namespace { + +const size_t kKeySize = 16; +const size_t kNoncePrefixSize = 4; +const size_t kAuthTagSize = 16; + +} // namespace + +// static +bool Aes128GcmDecrypter::IsSupported() { + return false; +} + +bool Aes128GcmDecrypter::SetKey(StringPiece key) { + DCHECK_EQ(key.size(), sizeof(key_)); + if (key.size() != sizeof(key_)) { + return false; + } + memcpy(key_, key.data(), key.size()); + return true; +} + +bool Aes128GcmDecrypter::SetNoncePrefix(StringPiece nonce_prefix) { + DCHECK_EQ(nonce_prefix.size(), kNoncePrefixSize); + if (nonce_prefix.size() != kNoncePrefixSize) { + return false; + } + memcpy(nonce_, nonce_prefix.data(), nonce_prefix.size()); + return true; +} + +QuicData* Aes128GcmDecrypter::Decrypt(QuicPacketSequenceNumber sequence_number, + StringPiece associated_data, + StringPiece ciphertext) { + COMPILE_ASSERT(sizeof(nonce_) == kNoncePrefixSize + sizeof(sequence_number), + incorrect_nonce_size); + memcpy(nonce_ + kNoncePrefixSize, &sequence_number, sizeof(sequence_number)); + return DecryptWithNonce(StringPiece(reinterpret_cast<char*>(nonce_), + sizeof(nonce_)), + associated_data, ciphertext); +} + +StringPiece Aes128GcmDecrypter::GetKey() const { + return StringPiece(reinterpret_cast<const char*>(key_), sizeof(key_)); +} + +StringPiece Aes128GcmDecrypter::GetNoncePrefix() const { + return StringPiece(reinterpret_cast<const char*>(nonce_), kNoncePrefixSize); +} + +QuicData* Aes128GcmDecrypter::DecryptWithNonce(StringPiece nonce, + StringPiece associated_data, + StringPiece ciphertext) { + if (ciphertext.length() < kAuthTagSize) { + return NULL; + } + size_t plaintext_size = ciphertext.length() - kAuthTagSize; + scoped_ptr<char[]> plaintext(new char[plaintext_size]); + + // TODO(wtc): implement this function using NSS. + + return new QuicData(plaintext.release(), plaintext_size, true); +} + +} // namespace net diff --git a/net/quic/crypto/aes_128_gcm_decrypter_openssl.cc b/net/quic/crypto/aes_128_gcm_decrypter_openssl.cc new file mode 100644 index 0000000..17c8cca --- /dev/null +++ b/net/quic/crypto/aes_128_gcm_decrypter_openssl.cc @@ -0,0 +1,129 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/quic/crypto/aes_128_gcm_decrypter.h" + +#include <openssl/evp.h> + +#include "base/memory/scoped_ptr.h" +#include "net/quic/crypto/scoped_evp_cipher_ctx.h" + +using base::StringPiece; + +namespace net { + +namespace { + +const size_t kKeySize = 16; +const size_t kNoncePrefixSize = 4; +const size_t kAuthTagSize = 16; + +} // namespace + +bool Aes128GcmDecrypter::SetKey(StringPiece key) { + DCHECK_EQ(key.size(), sizeof(key_)); + if (key.size() != sizeof(key_)) { + return false; + } + memcpy(key_, key.data(), key.size()); + return true; +} + +bool Aes128GcmDecrypter::SetNoncePrefix(StringPiece nonce_prefix) { + DCHECK_EQ(nonce_prefix.size(), kNoncePrefixSize); + if (nonce_prefix.size() != kNoncePrefixSize) { + return false; + } + memcpy(nonce_, nonce_prefix.data(), nonce_prefix.size()); + return true; +} + +QuicData* Aes128GcmDecrypter::Decrypt(QuicPacketSequenceNumber sequence_number, + StringPiece associated_data, + StringPiece ciphertext) { + COMPILE_ASSERT(sizeof(nonce_) == kNoncePrefixSize + sizeof(sequence_number), + incorrect_nonce_size); + memcpy(nonce_ + kNoncePrefixSize, &sequence_number, sizeof(sequence_number)); + return DecryptWithNonce(StringPiece(reinterpret_cast<char*>(nonce_), + sizeof(nonce_)), + associated_data, ciphertext); +} + +StringPiece Aes128GcmDecrypter::GetKey() const { + return StringPiece(reinterpret_cast<const char*>(key_), sizeof(key_)); +} + +StringPiece Aes128GcmDecrypter::GetNoncePrefix() const { + return StringPiece(reinterpret_cast<const char*>(nonce_), kNoncePrefixSize); +} + +QuicData* Aes128GcmDecrypter::DecryptWithNonce(StringPiece nonce, + StringPiece associated_data, + StringPiece ciphertext) { + if (ciphertext.length() < kAuthTagSize) { + return NULL; + } + size_t plaintext_size = ciphertext.length() - kAuthTagSize; + scoped_ptr<char[]> plaintext(new char[plaintext_size]); + + // |output| points to the position in the |plaintext| buffer to receive + // the next output. + unsigned char* output = reinterpret_cast<unsigned char*>(plaintext.get()); + // |output_len| is passed to an OpenSSL function to receive the output + // length. + int output_len; + + ScopedEVPCipherCtx ctx; + + // Set the cipher type and the key. The IV (nonce) is set below. + if (EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_gcm(), NULL, key_, + NULL) == 0) { + return NULL; + } + + // Set the IV (nonce) length. + if (EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_IVLEN, nonce.size(), + NULL) == 0) { + return NULL; + } + // Set the IV (nonce). + if (EVP_DecryptInit_ex(ctx.get(), NULL, NULL, NULL, + reinterpret_cast<const unsigned char*>( + nonce.data())) == 0) { + return NULL; + } + + // Set the authentication tag. + if (EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, kAuthTagSize, + const_cast<char*>(ciphertext.data()) + + plaintext_size) == 0) { + return NULL; + } + + // Set the associated data. The second argument (output buffer) must be + // NULL. + if (EVP_DecryptUpdate(ctx.get(), NULL, &output_len, + reinterpret_cast<const unsigned char*>( + associated_data.data()), + associated_data.size()) == 0) { + return NULL; + } + + if (EVP_DecryptUpdate(ctx.get(), output, &output_len, + reinterpret_cast<const unsigned char*>( + ciphertext.data()), + plaintext_size) == 0) { + return NULL; + } + output += output_len; + + if (EVP_DecryptFinal_ex(ctx.get(), output, &output_len) == 0) { + return NULL; + } + output += output_len; + + return new QuicData(plaintext.release(), plaintext_size, true); +} + +} // namespace net diff --git a/net/quic/crypto/aes_128_gcm_decrypter_test.cc b/net/quic/crypto/aes_128_gcm_decrypter_test.cc new file mode 100644 index 0000000..ac09581 --- /dev/null +++ b/net/quic/crypto/aes_128_gcm_decrypter_test.cc @@ -0,0 +1,374 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/quic/crypto/aes_128_gcm_decrypter.h" + +#include "net/quic/test_tools/quic_test_utils.h" + +using base::StringPiece; + +namespace { + +// The AES GCM test vectors come from the file gcmDecrypt128.rsp +// downloaded from http://csrc.nist.gov/groups/STM/cavp/index.html on +// 2013-02-01. The test vectors in that file look like this: +// +// [Keylen = 128] +// [IVlen = 96] +// [PTlen = 0] +// [AADlen = 0] +// [Taglen = 128] +// +// Count = 0 +// Key = cf063a34d4a9a76c2c86787d3f96db71 +// IV = 113b9785971864c83b01c787 +// CT = +// AAD = +// Tag = 72ac8493e3a5228b5d130a69d2510e42 +// PT = +// +// Count = 1 +// Key = a49a5e26a2f8cb63d05546c2a62f5343 +// IV = 907763b19b9b4ab6bd4f0281 +// CT = +// AAD = +// Tag = a2be08210d8c470a8df6e8fbd79ec5cf +// FAIL +// +// ... +// +// The gcmDecrypt128.rsp file is huge (2.6 MB), so I selected just a +// few test vectors for this unit test. + +// Describes a group of test vectors that all have a given key length, IV +// length, plaintext length, AAD length, and tag length. +struct TestGroupInfo { + size_t key_len; + size_t iv_len; + size_t pt_len; + size_t aad_len; + size_t tag_len; +}; + +// Each test vector consists of six strings of lowercase hexadecimal digits. +// The strings may be empty (zero length). A test vector with a NULL |key| +// marks the end of an array of test vectors. +struct TestVector { + // Input: + const char* key; + const char* iv; + const char* ct; + const char* aad; + const char* tag; + + // Expected output: + const char* pt; // An empty string "" means decryption succeeded and + // the plaintext is zero-length. NULL means decryption + // failed. +}; + +const TestGroupInfo test_group_info[] = { + { 128, 96, 0, 0, 128 }, + { 128, 96, 0, 128, 128 }, + { 128, 96, 128, 0, 128 }, + { 128, 96, 408, 160, 128 }, + { 128, 96, 408, 720, 128 }, + { 128, 96, 104, 0, 128 }, +}; + +const TestVector test_group_0[] = { + { "cf063a34d4a9a76c2c86787d3f96db71", + "113b9785971864c83b01c787", + "", + "", + "72ac8493e3a5228b5d130a69d2510e42", + "" + }, + { "a49a5e26a2f8cb63d05546c2a62f5343", + "907763b19b9b4ab6bd4f0281", + "", + "", + "a2be08210d8c470a8df6e8fbd79ec5cf", + NULL // FAIL + }, + { NULL } +}; + +const TestVector test_group_1[] = { + { "d1f6af919cde85661208bdce0c27cb22", + "898c6929b435017bf031c3c5", + "", + "7c5faa40e636bbc91107e68010c92b9f", + "ae45f11777540a2caeb128be8092468a", + NULL // FAIL + }, + { "2370e320d4344208e0ff5683f243b213", + "04dbb82f044d30831c441228", + "", + "d43a8e5089eea0d026c03a85178b27da", + "2a049c049d25aa95969b451d93c31c6e", + "" + }, + { NULL } +}; + +const TestVector test_group_2[] = { + { "e98b72a9881a84ca6b76e0f43e68647a", + "8b23299fde174053f3d652ba", + "5a3c1cf1985dbb8bed818036fdd5ab42", + "", + "23c7ab0f952b7091cd324835043b5eb5", + "28286a321293253c3e0aa2704a278032" + }, + { "33240636cd3236165f1a553b773e728e", + "17c4d61493ecdc8f31700b12", + "47bb7e23f7bdfe05a8091ac90e4f8b2e", + "", + "b723c70e931d9785f40fd4ab1d612dc9", + "95695a5b12f2870b9cc5fdc8f218a97d" + }, + { "5164df856f1e9cac04a79b808dc5be39", + "e76925d5355e0584ce871b2b", + "0216c899c88d6e32c958c7e553daa5bc", + "", + "a145319896329c96df291f64efbe0e3a", + NULL // FAIL + }, + { NULL } +}; + +const TestVector test_group_3[] = { + { "af57f42c60c0fc5a09adb81ab86ca1c3", + "a2dc01871f37025dc0fc9a79", + "b9a535864f48ea7b6b1367914978f9bfa087d854bb0e269bed8d279d2eea1210e48947" + "338b22f9bad09093276a331e9c79c7f4", + "41dc38988945fcb44faf2ef72d0061289ef8efd8", + "4f71e72bde0018f555c5adcce062e005", + "3803a0727eeb0ade441e0ec107161ded2d425ec0d102f21f51bf2cf9947c7ec4aa7279" + "5b2f69b041596e8817d0a3c16f8fadeb" + }, + { "ebc753e5422b377d3cb64b58ffa41b61", + "2e1821efaced9acf1f241c9b", + "069567190554e9ab2b50a4e1fbf9c147340a5025fdbd201929834eaf6532325899ccb9" + "f401823e04b05817243d2142a3589878", + "b9673412fd4f88ba0e920f46dd6438ff791d8eef", + "534d9234d2351cf30e565de47baece0b", + "39077edb35e9c5a4b1e4c2a6b9bb1fce77f00f5023af40333d6d699014c2bcf4209c18" + "353a18017f5b36bfc00b1f6dcb7ed485" + }, + { "52bdbbf9cf477f187ec010589cb39d58", + "d3be36d3393134951d324b31", + "700188da144fa692cf46e4a8499510a53d90903c967f7f13e8a1bd8151a74adc4fe63e" + "32b992760b3a5f99e9a47838867000a9", + "93c4fc6a4135f54d640b0c976bf755a06a292c33", + "8ca4e38aa3dfa6b1d0297021ccf3ea5f", + NULL // FAIL + }, + { NULL } +}; + +const TestVector test_group_4[] = { + { "da2bb7d581493d692380c77105590201", + "44aa3e7856ca279d2eb020c6", + "9290d430c9e89c37f0446dbd620c9a6b34b1274aeb6f911f75867efcf95b6feda69f1a" + "f4ee16c761b3c9aeac3da03aa9889c88", + "4cd171b23bddb3a53cdf959d5c1710b481eb3785a90eb20a2345ee00d0bb7868c367ab" + "12e6f4dd1dee72af4eee1d197777d1d6499cc541f34edbf45cda6ef90b3c024f9272d7" + "2ec1909fb8fba7db88a4d6f7d3d925980f9f9f72", + "9e3ac938d3eb0cadd6f5c9e35d22ba38", + "9bbf4c1a2742f6ac80cb4e8a052e4a8f4f07c43602361355b717381edf9fabd4cb7e3a" + "d65dbd1378b196ac270588dd0621f642" + }, + { "d74e4958717a9d5c0e235b76a926cae8", + "0b7471141e0c70b1995fd7b1", + "e701c57d2330bf066f9ff8cf3ca4343cafe4894651cd199bdaaa681ba486b4a65c5a22" + "b0f1420be29ea547d42c713bc6af66aa", + "4a42b7aae8c245c6f1598a395316e4b8484dbd6e64648d5e302021b1d3fa0a38f46e22" + "bd9c8080b863dc0016482538a8562a4bd0ba84edbe2697c76fd039527ac179ec5506cf" + "34a6039312774cedebf4961f3978b14a26509f96", + "e192c23cb036f0b31592989119eed55d", + "840d9fb95e32559fb3602e48590280a172ca36d9b49ab69510f5bd552bfab7a306f85f" + "f0a34bc305b88b804c60b90add594a17" + }, + { "1986310c725ac94ecfe6422e75fc3ee7", + "93ec4214fa8e6dc4e3afc775", + "b178ec72f85a311ac4168f42a4b2c23113fbea4b85f4b9dabb74e143eb1b8b0a361e02" + "43edfd365b90d5b325950df0ada058f9", + "e80b88e62c49c958b5e0b8b54f532d9ff6aa84c8a40132e93e55b59fc24e8decf28463" + "139f155d1e8ce4ee76aaeefcd245baa0fc519f83a5fb9ad9aa40c4b21126013f576c42" + "72c2cb136c8fd091cc4539877a5d1e72d607f960", + "8b347853f11d75e81e8a95010be81f17", + NULL // FAIL + }, + { NULL } +}; + +const TestVector test_group_5[] = { + { "387218b246c1a8257748b56980e50c94", + "dd7e014198672be39f95b69d", + "cdba9e73eaf3d38eceb2b04a8d", + "", + "ecf90f4a47c9c626d6fb2c765d201556", + "48f5b426baca03064554cc2b30" + }, + { "294de463721e359863887c820524b3d4", + "3338b35c9d57a5d28190e8c9", + "2f46634e74b8e4c89812ac83b9", + "", + "dabd506764e68b82a7e720aa18da0abe", + "46a2e55c8e264df211bd112685" + }, + { "28ead7fd2179e0d12aa6d5d88c58c2dc", + "5055347f18b4d5add0ae5c41", + "142d8210c3fb84774cdbd0447a", + "", + "5fd321d9cdb01952dc85f034736c2a7d", + "3b95b981086ee73cc4d0cc1422" + }, + { "7d7b6c988137b8d470c57bf674a09c87", + "9edf2aa970d016ac962e1fd8", + "a85b66c3cb5eab91d5bdc8bc0e", + "", + "dc054efc01f3afd21d9c2484819f569a", + NULL // FAIL + }, + { NULL } +}; + +const TestVector* const test_group_array[] = { + test_group_0, + test_group_1, + test_group_2, + test_group_3, + test_group_4, + test_group_5, +}; + +// Returns true if |ch| is a lowercase hexadecimal digit. +bool IsHexDigit(char ch) { + return ('0' <= ch && ch <= '9') || ('a' <= ch && ch <= 'f'); +} + +// Converts a lowercase hexadecimal digit to its integer value. +int HexDigitToInt(char ch) { + if ('0' <= ch && ch <= '9') { + return ch - '0'; + } + return ch - 'a' + 10; +} + +// |in| is a string consisting of lowercase hexadecimal digits, where +// every two digits represent one byte. |out| is a buffer of size |max_len|. +// Converts |in| to bytes and stores the bytes in the |out| buffer. The +// number of bytes converted is returned in |*out_len|. Returns true on +// success, false on failure. +bool DecodeHexString(const char* in, + char* out, + size_t* out_len, + size_t max_len) { + if (!in) { + *out_len = (size_t)-1; + return true; + } + *out_len = 0; + while (*in != '\0') { + if (!IsHexDigit(*in) || !IsHexDigit(*(in + 1))) { + return false; + } + if (*out_len >= max_len) { + return false; + } + out[*out_len] = HexDigitToInt(*in) * 16 + HexDigitToInt(*(in + 1)); + (*out_len)++; + in += 2; + } + return true; +} + +} // namespace + +namespace net { +namespace test { + +class Aes128GcmDecrypterPeer { + public: + static QuicData* Decrypt(Aes128GcmDecrypter* decrypter, + StringPiece nonce, + StringPiece associated_data, + StringPiece ciphertext) { + return decrypter->DecryptWithNonce(nonce, associated_data, ciphertext); + } +}; + +TEST(Aes128GcmDecrypterTest, Decrypt) { + if (!Aes128GcmDecrypter::IsSupported()) { + LOG(INFO) << "AES GCM not supported. Test skipped."; + return; + } + + char key[1024]; + size_t key_len; + char iv[1024]; + size_t iv_len; + char ct[1024]; + size_t ct_len; + char aad[1024]; + size_t aad_len; + char tag[1024]; + size_t tag_len; + char pt[1024]; + size_t pt_len; + + for (size_t i = 0; i < arraysize(test_group_array); i++) { + const TestVector* test_vector = test_group_array[i]; + const TestGroupInfo& test_info = test_group_info[i]; + for (size_t j = 0; test_vector[j].key != NULL; j++) { + // Decode the test vector. + ASSERT_TRUE(DecodeHexString(test_vector[j].key, key, &key_len, + sizeof(key))); + ASSERT_TRUE(DecodeHexString(test_vector[j].iv, iv, &iv_len, + sizeof(iv))); + ASSERT_TRUE(DecodeHexString(test_vector[j].ct, ct, &ct_len, + sizeof(ct))); + ASSERT_TRUE(DecodeHexString(test_vector[j].aad, aad, &aad_len, + sizeof(aad))); + ASSERT_TRUE(DecodeHexString(test_vector[j].tag, tag, &tag_len, + sizeof(tag))); + ASSERT_TRUE(DecodeHexString(test_vector[j].pt, pt, &pt_len, + sizeof(pt))); + + // The test vector's lengths should look sane. Note that the lengths + // in |test_info| are in bits. + EXPECT_EQ(test_info.key_len, key_len * 8); + EXPECT_EQ(test_info.iv_len, iv_len * 8); + EXPECT_EQ(test_info.pt_len, ct_len * 8); + EXPECT_EQ(test_info.aad_len, aad_len * 8); + EXPECT_EQ(test_info.tag_len, tag_len * 8); + if (pt_len != static_cast<size_t>(-1)) { + EXPECT_EQ(test_info.pt_len, pt_len * 8); + } + + Aes128GcmDecrypter decrypter; + ASSERT_TRUE(decrypter.SetKey(StringPiece(key, key_len))); + string ciphertext(ct, ct_len); + ciphertext.append(tag, tag_len); + scoped_ptr<QuicData> decrypted(Aes128GcmDecrypterPeer::Decrypt( + &decrypter, StringPiece(iv, iv_len), StringPiece(aad, aad_len), + ciphertext)); + if (!decrypted.get()) { + EXPECT_EQ((size_t)-1, pt_len); + continue; + } + ASSERT_NE((size_t)-1, pt_len); + + ASSERT_EQ(pt_len, decrypted->length()); + test::CompareCharArraysWithHexError( + "plaintext", decrypted->data(), pt_len, + pt, pt_len); + } + } +} + +} // namespace test +} // namespace net diff --git a/net/quic/crypto/aes_128_gcm_encrypter.h b/net/quic/crypto/aes_128_gcm_encrypter.h new file mode 100644 index 0000000..d0c182c --- /dev/null +++ b/net/quic/crypto/aes_128_gcm_encrypter.h @@ -0,0 +1,68 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef NET_QUIC_CRYPTO_AES_128_GCM_ENCRYPTER_H_ +#define NET_QUIC_CRYPTO_AES_128_GCM_ENCRYPTER_H_ + +#include <string> + +#include "base/compiler_specific.h" +#include "net/quic/crypto/quic_encrypter.h" + +namespace net { + +namespace test { +class Aes128GcmEncrypterPeer; +} // namespace test + +// An Aes128GcmEncrypter is a QuicEncrypter that implements the +// AEAD_AES_128_GCM algorithm specified in RFC 5116. Create an instance by +// calling QuicEncrypter::Create(kAESG). +// +// It uses an authentication tag of 16 bytes (128 bits). The fixed prefix +// of the nonce is four bytes. +class NET_EXPORT_PRIVATE Aes128GcmEncrypter : public QuicEncrypter { + public: + virtual ~Aes128GcmEncrypter() {} + + // Returns true if the underlying crypto library supports AES GCM. +#if defined(USE_OPENSSL) + static bool IsSupported() { return true; } +#else + static bool IsSupported(); +#endif + + // QuicEncrypter implementation + virtual bool SetKey(base::StringPiece key) OVERRIDE; + virtual bool SetNoncePrefix(base::StringPiece nonce_prefix) OVERRIDE; + virtual QuicData* Encrypt(QuicPacketSequenceNumber sequence_number, + base::StringPiece associated_data, + base::StringPiece plaintext) OVERRIDE; + virtual size_t GetKeySize() const OVERRIDE; + virtual size_t GetNoncePrefixSize() const OVERRIDE; + virtual size_t GetMaxPlaintextSize(size_t ciphertext_size) const OVERRIDE; + virtual size_t GetCiphertextSize(size_t plaintext_size) const OVERRIDE; + virtual base::StringPiece GetKey() const OVERRIDE; + virtual base::StringPiece GetNoncePrefix() const OVERRIDE; + + private: + friend class test::Aes128GcmEncrypterPeer; + + // The same as Encrypt(), except that the supplied |nonce| argument rather + // than the |nonce_| member is used as the nonce. This method is useful + // for testing the underlying AES GCM implementation. + QuicData* EncryptWithNonce(base::StringPiece nonce, + base::StringPiece associated_data, + base::StringPiece plaintext); + + // The 128-bit AES key. + unsigned char key_[16]; + // The nonce, a concatenation of a four-byte fixed prefix and a 8-byte + // packet sequence number. + unsigned char nonce_[12]; +}; + +} // namespace net + +#endif // NET_QUIC_CRYPTO_AES_128_GCM_ENCRYPTER_H_ diff --git a/net/quic/crypto/aes_128_gcm_encrypter_nss.cc b/net/quic/crypto/aes_128_gcm_encrypter_nss.cc new file mode 100644 index 0000000..7a38e89 --- /dev/null +++ b/net/quic/crypto/aes_128_gcm_encrypter_nss.cc @@ -0,0 +1,94 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/quic/crypto/aes_128_gcm_encrypter.h" + +#include <string.h> + +#include "base/memory/scoped_ptr.h" + +using base::StringPiece; + +namespace net { + +namespace { + +const size_t kKeySize = 16; +const size_t kNoncePrefixSize = 4; +const size_t kAuthTagSize = 16; + +} // namespace + +// static +bool Aes128GcmEncrypter::IsSupported() { + return false; +} + +bool Aes128GcmEncrypter::SetKey(StringPiece key) { + DCHECK_EQ(key.size(), sizeof(key_)); + if (key.size() != sizeof(key_)) { + return false; + } + memcpy(key_, key.data(), key.size()); + return true; +} + +bool Aes128GcmEncrypter::SetNoncePrefix(StringPiece nonce_prefix) { + DCHECK_EQ(nonce_prefix.size(), kNoncePrefixSize); + if (nonce_prefix.size() != kNoncePrefixSize) { + return false; + } + memcpy(nonce_, nonce_prefix.data(), nonce_prefix.size()); + return true; +} + +QuicData* Aes128GcmEncrypter::Encrypt(QuicPacketSequenceNumber sequence_number, + StringPiece associated_data, + StringPiece plaintext) { + COMPILE_ASSERT(sizeof(nonce_) == kNoncePrefixSize + sizeof(sequence_number), + incorrect_nonce_size); + memcpy(nonce_ + kNoncePrefixSize, &sequence_number, sizeof(sequence_number)); + return EncryptWithNonce(StringPiece(reinterpret_cast<char*>(nonce_), + sizeof(nonce_)), + associated_data, plaintext); +} + +size_t Aes128GcmEncrypter::GetKeySize() const { + return kKeySize; +} + +size_t Aes128GcmEncrypter::GetNoncePrefixSize() const { + return kNoncePrefixSize; +} + +size_t Aes128GcmEncrypter::GetMaxPlaintextSize(size_t ciphertext_size) const { + return ciphertext_size - kAuthTagSize; +} + +// An AEAD_AES_128_GCM ciphertext is exactly 16 bytes longer than its +// corresponding plaintext. +size_t Aes128GcmEncrypter::GetCiphertextSize(size_t plaintext_size) const { + return plaintext_size + kAuthTagSize; +} + +QuicData* Aes128GcmEncrypter::EncryptWithNonce(StringPiece nonce, + StringPiece associated_data, + StringPiece plaintext) { + size_t ciphertext_size = GetCiphertextSize(plaintext.length()); + scoped_ptr<char[]> ciphertext(new char[ciphertext_size]); + + // TODO(wtc): implement this function using NSS. + + return new QuicData(ciphertext.release(), ciphertext_size, true); +} + +StringPiece Aes128GcmEncrypter::GetKey() const { + return StringPiece(reinterpret_cast<const char*>(key_), sizeof(key_)); +} + +StringPiece Aes128GcmEncrypter::GetNoncePrefix() const { + return StringPiece(reinterpret_cast<const char*>(nonce_), kNoncePrefixSize); +} + +} // namespace net diff --git a/net/quic/crypto/aes_128_gcm_encrypter_openssl.cc b/net/quic/crypto/aes_128_gcm_encrypter_openssl.cc new file mode 100644 index 0000000..84a3827 --- /dev/null +++ b/net/quic/crypto/aes_128_gcm_encrypter_openssl.cc @@ -0,0 +1,143 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/quic/crypto/aes_128_gcm_encrypter.h" + +#include <openssl/evp.h> +#include <string.h> + +#include "base/memory/scoped_ptr.h" +#include "net/quic/crypto/scoped_evp_cipher_ctx.h" + +using base::StringPiece; + +namespace net { + +namespace { + +const size_t kKeySize = 16; +const size_t kNoncePrefixSize = 4; +const size_t kAuthTagSize = 16; + +} // namespace + +bool Aes128GcmEncrypter::SetKey(StringPiece key) { + DCHECK_EQ(key.size(), sizeof(key_)); + if (key.size() != sizeof(key_)) { + return false; + } + memcpy(key_, key.data(), key.size()); + return true; +} + +bool Aes128GcmEncrypter::SetNoncePrefix(StringPiece nonce_prefix) { + DCHECK_EQ(nonce_prefix.size(), kNoncePrefixSize); + if (nonce_prefix.size() != kNoncePrefixSize) { + return false; + } + memcpy(nonce_, nonce_prefix.data(), nonce_prefix.size()); + return true; +} + +QuicData* Aes128GcmEncrypter::Encrypt(QuicPacketSequenceNumber sequence_number, + StringPiece associated_data, + StringPiece plaintext) { + COMPILE_ASSERT(sizeof(nonce_) == kNoncePrefixSize + sizeof(sequence_number), + incorrect_nonce_size); + memcpy(nonce_ + kNoncePrefixSize, &sequence_number, sizeof(sequence_number)); + return EncryptWithNonce(StringPiece(reinterpret_cast<char*>(nonce_), + sizeof(nonce_)), + associated_data, plaintext); +} + +size_t Aes128GcmEncrypter::GetKeySize() const { + return kKeySize; +} + +size_t Aes128GcmEncrypter::GetNoncePrefixSize() const { + return kNoncePrefixSize; +} + +size_t Aes128GcmEncrypter::GetMaxPlaintextSize(size_t ciphertext_size) const { + return ciphertext_size - kAuthTagSize; +} + +// An AEAD_AES_128_GCM ciphertext is exactly 16 bytes longer than its +// corresponding plaintext. +size_t Aes128GcmEncrypter::GetCiphertextSize(size_t plaintext_size) const { + return plaintext_size + kAuthTagSize; +} + +QuicData* Aes128GcmEncrypter::EncryptWithNonce(StringPiece nonce, + StringPiece associated_data, + StringPiece plaintext) { + size_t ciphertext_size = GetCiphertextSize(plaintext.length()); + scoped_ptr<char[]> ciphertext(new char[ciphertext_size]); + + // |output| points to the position in the |ciphertext| buffer to receive + // the next output. + unsigned char* output = reinterpret_cast<unsigned char*>(ciphertext.get()); + // |output_len| is passed to an OpenSSL function to receive the output + // length. + int output_len; + + ScopedEVPCipherCtx ctx; + + // Set the cipher type and the key. The IV (nonce) is set below. + if (EVP_EncryptInit_ex(ctx.get(), EVP_aes_128_gcm(), NULL, key_, + NULL) == 0) { + return NULL; + } + + // Set the IV (nonce) length. + if (EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_IVLEN, nonce.size(), + NULL) == 0) { + return NULL; + } + // Set the IV (nonce). + if (EVP_EncryptInit_ex(ctx.get(), NULL, NULL, NULL, + reinterpret_cast<const unsigned char*>( + nonce.data())) == 0) { + return NULL; + } + + // Set the associated data. The second argument (output buffer) must be + // NULL. + if (EVP_EncryptUpdate(ctx.get(), NULL, &output_len, + reinterpret_cast<const unsigned char*>( + associated_data.data()), + associated_data.size()) == 0) { + return NULL; + } + + if (EVP_EncryptUpdate(ctx.get(), output, &output_len, + reinterpret_cast<const unsigned char*>( + plaintext.data()), + plaintext.size()) == 0) { + return NULL; + } + output += output_len; + + if (EVP_EncryptFinal_ex(ctx.get(), output, &output_len) == 0) { + return NULL; + } + output += output_len; + + if (EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, kAuthTagSize, + output) == 0) { + return NULL; + } + + return new QuicData(ciphertext.release(), ciphertext_size, true); +} + +StringPiece Aes128GcmEncrypter::GetKey() const { + return StringPiece(reinterpret_cast<const char*>(key_), sizeof(key_)); +} + +StringPiece Aes128GcmEncrypter::GetNoncePrefix() const { + return StringPiece(reinterpret_cast<const char*>(nonce_), kNoncePrefixSize); +} + +} // namespace net diff --git a/net/quic/crypto/aes_128_gcm_encrypter_test.cc b/net/quic/crypto/aes_128_gcm_encrypter_test.cc new file mode 100644 index 0000000..4dd38b4 --- /dev/null +++ b/net/quic/crypto/aes_128_gcm_encrypter_test.cc @@ -0,0 +1,334 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/quic/crypto/aes_128_gcm_encrypter.h" + +#include "net/quic/test_tools/quic_test_utils.h" + +using base::StringPiece; + +namespace { + +// The AES GCM test vectors come from the file gcmEncryptExtIV128.rsp +// downloaded from http://csrc.nist.gov/groups/STM/cavp/index.html on +// 2013-02-01. The test vectors in that file look like this: +// +// [Keylen = 128] +// [IVlen = 96] +// [PTlen = 0] +// [AADlen = 0] +// [Taglen = 128] +// +// Count = 0 +// Key = 11754cd72aec309bf52f7687212e8957 +// IV = 3c819d9a9bed087615030b65 +// PT = +// AAD = +// CT = +// Tag = 250327c674aaf477aef2675748cf6971 +// +// Count = 1 +// Key = ca47248ac0b6f8372a97ac43508308ed +// IV = ffd2b598feabc9019262d2be +// PT = +// AAD = +// CT = +// Tag = 60d20404af527d248d893ae495707d1a +// +// ... +// +// The gcmEncryptExtIV128.rsp file is huge (2.8 MB), so I selected just a +// few test vectors for this unit test. + +// Describes a group of test vectors that all have a given key length, IV +// length, plaintext length, AAD length, and tag length. +struct TestGroupInfo { + size_t key_len; + size_t iv_len; + size_t pt_len; + size_t aad_len; + size_t tag_len; +}; + +// Each test vector consists of six strings of lowercase hexadecimal digits. +// The strings may be empty (zero length). A test vector with a NULL |key| +// marks the end of an array of test vectors. +struct TestVector { + const char* key; + const char* iv; + const char* pt; + const char* aad; + const char* ct; + const char* tag; +}; + +const TestGroupInfo test_group_info[] = { + { 128, 96, 0, 0, 128 }, + { 128, 96, 0, 128, 128 }, + { 128, 96, 128, 0, 128 }, + { 128, 96, 408, 160, 128 }, + { 128, 96, 408, 720, 128 }, + { 128, 96, 104, 0, 128 }, +}; + +const TestVector test_group_0[] = { + { "11754cd72aec309bf52f7687212e8957", + "3c819d9a9bed087615030b65", + "", + "", + "", + "250327c674aaf477aef2675748cf6971" + }, + { "ca47248ac0b6f8372a97ac43508308ed", + "ffd2b598feabc9019262d2be", + "", + "", + "", + "60d20404af527d248d893ae495707d1a" + }, + { NULL } +}; + +const TestVector test_group_1[] = { + { "77be63708971c4e240d1cb79e8d77feb", + "e0e00f19fed7ba0136a797f3", + "", + "7a43ec1d9c0a5a78a0b16533a6213cab", + "", + "209fcc8d3675ed938e9c7166709dd946" + }, + { "7680c5d3ca6154758e510f4d25b98820", + "f8f105f9c3df4965780321f8", + "", + "c94c410194c765e3dcc7964379758ed3", + "", + "94dca8edfcf90bb74b153c8d48a17930" + }, + { NULL } +}; + +const TestVector test_group_2[] = { + { "7fddb57453c241d03efbed3ac44e371c", + "ee283a3fc75575e33efd4887", + "d5de42b461646c255c87bd2962d3b9a2", + "", + "2ccda4a5415cb91e135c2a0f78c9b2fd", + "b36d1df9b9d5e596f83e8b7f52971cb3" + }, + { "ab72c77b97cb5fe9a382d9fe81ffdbed", + "54cc7dc2c37ec006bcc6d1da", + "007c5e5b3e59df24a7c355584fc1518d", + "", + "0e1bde206a07a9c2c1b65300f8c64997", + "2b4401346697138c7a4891ee59867d0c" + }, + { NULL } +}; + +const TestVector test_group_3[] = { + { "fe47fcce5fc32665d2ae399e4eec72ba", + "5adb9609dbaeb58cbd6e7275", + "7c0e88c88899a779228465074797cd4c2e1498d259b54390b85e3eef1c02df60e743f1" + "b840382c4bccaf3bafb4ca8429bea063", + "88319d6e1d3ffa5f987199166c8a9b56c2aeba5a", + "98f4826f05a265e6dd2be82db241c0fbbbf9ffb1c173aa83964b7cf539304373636525" + "3ddbc5db8778371495da76d269e5db3e", + "291ef1982e4defedaa2249f898556b47" + }, + { "ec0c2ba17aa95cd6afffe949da9cc3a8", + "296bce5b50b7d66096d627ef", + "b85b3753535b825cbe5f632c0b843c741351f18aa484281aebec2f45bb9eea2d79d987" + "b764b9611f6c0f8641843d5d58f3a242", + "f8d00f05d22bf68599bcdeb131292ad6e2df5d14", + "a7443d31c26bdf2a1c945e29ee4bd344a99cfaf3aa71f8b3f191f83c2adfc7a0716299" + "5506fde6309ffc19e716eddf1a828c5a", + "890147971946b627c40016da1ecf3e77" + }, + { NULL } +}; + +const TestVector test_group_4[] = { + { "2c1f21cf0f6fb3661943155c3e3d8492", + "23cb5ff362e22426984d1907", + "42f758836986954db44bf37c6ef5e4ac0adaf38f27252a1b82d02ea949c8a1a2dbc0d6" + "8b5615ba7c1220ff6510e259f06655d8", + "5d3624879d35e46849953e45a32a624d6a6c536ed9857c613b572b0333e701557a713e" + "3f010ecdf9a6bd6c9e3e44b065208645aff4aabee611b391528514170084ccf587177f" + "4488f33cfb5e979e42b6e1cfc0a60238982a7aec", + "81824f0e0d523db30d3da369fdc0d60894c7a0a20646dd015073ad2732bd989b14a222" + "b6ad57af43e1895df9dca2a5344a62cc", + "57a3ee28136e94c74838997ae9823f3a" + }, + { "d9f7d2411091f947b4d6f1e2d1f0fb2e", + "e1934f5db57cc983e6b180e7", + "73ed042327f70fe9c572a61545eda8b2a0c6e1d6c291ef19248e973aee6c312012f490" + "c2c6f6166f4a59431e182663fcaea05a", + "0a8a18a7150e940c3d87b38e73baee9a5c049ee21795663e264b694a949822b639092d" + "0e67015e86363583fcf0ca645af9f43375f05fdb4ce84f411dcbca73c2220dea03a201" + "15d2e51398344b16bee1ed7c499b353d6c597af8", + "aaadbd5c92e9151ce3db7210b8714126b73e43436d242677afa50384f2149b831f1d57" + "3c7891c2a91fbc48db29967ec9542b23", + "21b51ca862cb637cdd03b99a0f93b134" + }, + { NULL } +}; + +const TestVector test_group_5[] = { + { "fe9bb47deb3a61e423c2231841cfd1fb", + "4d328eb776f500a2f7fb47aa", + "f1cc3818e421876bb6b8bbd6c9", + "", + "b88c5c1977b35b517b0aeae967", + "43fd4727fe5cdb4b5b42818dea7ef8c9" + }, + { "6703df3701a7f54911ca72e24dca046a", + "12823ab601c350ea4bc2488c", + "793cd125b0b84a043e3ac67717", + "", + "b2051c80014f42f08735a7b0cd", + "38e6bcd29962e5f2c13626b85a877101" + }, + { NULL } +}; + +const TestVector* const test_group_array[] = { + test_group_0, + test_group_1, + test_group_2, + test_group_3, + test_group_4, + test_group_5, +}; + +// Returns true if |ch| is a lowercase hexadecimal digit. +bool IsHexDigit(char ch) { + return ('0' <= ch && ch <= '9') || ('a' <= ch && ch <= 'f'); +} + +// Converts a lowercase hexadecimal digit to its integer value. +int HexDigitToInt(char ch) { + if ('0' <= ch && ch <= '9') { + return ch - '0'; + } + return ch - 'a' + 10; +} + +// |in| is a string consisting of lowercase hexadecimal digits, where +// every two digits represent one byte. |out| is a buffer of size |max_len|. +// Converts |in| to bytes and stores the bytes in the |out| buffer. The +// number of bytes converted is returned in |*out_len|. Returns true on +// success, false on failure. +bool DecodeHexString(const char* in, + char* out, + size_t* out_len, + size_t max_len) { + *out_len = 0; + while (*in != '\0') { + if (!IsHexDigit(*in) || !IsHexDigit(*(in + 1))) { + return false; + } + if (*out_len >= max_len) { + return false; + } + out[*out_len] = HexDigitToInt(*in) * 16 + HexDigitToInt(*(in + 1)); + (*out_len)++; + in += 2; + } + return true; +} + +} // namespace + +namespace net { +namespace test { + +class Aes128GcmEncrypterPeer { + public: + static QuicData* Encrypt(Aes128GcmEncrypter* encrypter, + StringPiece nonce, + StringPiece associated_data, + StringPiece plaintext) { + return encrypter->EncryptWithNonce(nonce, associated_data, plaintext); + } +}; + +TEST(Aes128GcmEncrypterTest, Encrypt) { + if (!Aes128GcmEncrypter::IsSupported()) { + LOG(INFO) << "AES GCM not supported. Test skipped."; + return; + } + + char key[1024]; + size_t key_len; + char iv[1024]; + size_t iv_len; + char pt[1024]; + size_t pt_len; + char aad[1024]; + size_t aad_len; + char ct[1024]; + size_t ct_len; + char tag[1024]; + size_t tag_len; + + for (size_t i = 0; i < arraysize(test_group_array); i++) { + const TestVector* test_vector = test_group_array[i]; + const TestGroupInfo& test_info = test_group_info[i]; + for (size_t j = 0; test_vector[j].key != NULL; j++) { + // Decode the test vector. + ASSERT_TRUE(DecodeHexString(test_vector[j].key, key, &key_len, + sizeof(key))); + ASSERT_TRUE(DecodeHexString(test_vector[j].iv, iv, &iv_len, + sizeof(iv))); + ASSERT_TRUE(DecodeHexString(test_vector[j].pt, pt, &pt_len, + sizeof(pt))); + ASSERT_TRUE(DecodeHexString(test_vector[j].aad, aad, &aad_len, + sizeof(aad))); + ASSERT_TRUE(DecodeHexString(test_vector[j].ct, ct, &ct_len, + sizeof(ct))); + ASSERT_TRUE(DecodeHexString(test_vector[j].tag, tag, &tag_len, + sizeof(tag))); + + // The test vector's lengths should look sane. Note that the lengths + // in |test_info| are in bits. + EXPECT_EQ(test_info.key_len, key_len * 8); + EXPECT_EQ(test_info.iv_len, iv_len * 8); + EXPECT_EQ(test_info.pt_len, pt_len * 8); + EXPECT_EQ(test_info.aad_len, aad_len * 8); + EXPECT_EQ(test_info.pt_len, ct_len * 8); + EXPECT_EQ(test_info.tag_len, tag_len * 8); + + Aes128GcmEncrypter encrypter; + ASSERT_TRUE(encrypter.SetKey(StringPiece(key, key_len))); + scoped_ptr<QuicData> encrypted(Aes128GcmEncrypterPeer::Encrypt( + &encrypter, StringPiece(iv, iv_len), StringPiece(aad, aad_len), + StringPiece(pt, pt_len))); + ASSERT_TRUE(encrypted.get()); + ASSERT_EQ(ct_len + tag_len, encrypted->length()); + test::CompareCharArraysWithHexError( + "ciphertext", encrypted->data(), ct_len, + ct, ct_len); + test::CompareCharArraysWithHexError( + "authentication tag", encrypted->data() + ct_len, tag_len, + tag, tag_len); + } + } +} + +TEST(Aes128GcmEncrypterTest, GetMaxPlaintextSize) { + Aes128GcmEncrypter encrypter; + EXPECT_EQ(1000u, encrypter.GetMaxPlaintextSize(1016)); + EXPECT_EQ(100u, encrypter.GetMaxPlaintextSize(116)); + EXPECT_EQ(10u, encrypter.GetMaxPlaintextSize(26)); +} + +TEST(Aes128GcmEncrypterTest, GetCiphertextSize) { + Aes128GcmEncrypter encrypter; + EXPECT_EQ(1016u, encrypter.GetCiphertextSize(1000)); + EXPECT_EQ(116u, encrypter.GetCiphertextSize(100)); + EXPECT_EQ(26u, encrypter.GetCiphertextSize(10)); +} + +} // namespace test +} // namespace net diff --git a/net/quic/crypto/quic_decrypter.cc b/net/quic/crypto/quic_decrypter.cc index aa036df..3c0e660 100644 --- a/net/quic/crypto/quic_decrypter.cc +++ b/net/quic/crypto/quic_decrypter.cc @@ -3,6 +3,8 @@ // found in the LICENSE file. #include "net/quic/crypto/quic_decrypter.h" + +#include "net/quic/crypto/aes_128_gcm_decrypter.h" #include "net/quic/crypto/null_decrypter.h" namespace net { @@ -11,9 +13,7 @@ namespace net { QuicDecrypter* QuicDecrypter::Create(CryptoTag algorithm) { switch (algorithm) { case kAESG: - // TODO(wtc): add support for Aes128GcmDecrypter. - // return new Aes128GcmDecrypter(); - return new NullDecrypter(); + return new Aes128GcmDecrypter(); case kNULL: return new NullDecrypter(); default: diff --git a/net/quic/crypto/quic_encrypter.cc b/net/quic/crypto/quic_encrypter.cc index ec521ec..a84530f 100644 --- a/net/quic/crypto/quic_encrypter.cc +++ b/net/quic/crypto/quic_encrypter.cc @@ -3,6 +3,8 @@ // found in the LICENSE file. #include "net/quic/crypto/quic_encrypter.h" + +#include "net/quic/crypto/aes_128_gcm_encrypter.h" #include "net/quic/crypto/null_encrypter.h" namespace net { @@ -11,9 +13,7 @@ namespace net { QuicEncrypter* QuicEncrypter::Create(CryptoTag algorithm) { switch (algorithm) { case kAESG: - // TODO(wtc): add support for Aes128GcmEncrypter. - // return new Aes128GcmEncrypter(); - return new NullEncrypter(); + return new Aes128GcmEncrypter(); case kNULL: return new NullEncrypter(); default: diff --git a/net/quic/crypto/scoped_evp_cipher_ctx.h b/net/quic/crypto/scoped_evp_cipher_ctx.h new file mode 100644 index 0000000..a241eea --- /dev/null +++ b/net/quic/crypto/scoped_evp_cipher_ctx.h @@ -0,0 +1,38 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef NET_QUIC_CRYPTO_SCOPED_EVP_CIPHER_CTX_H_ +#define NET_QUIC_CRYPTO_SCOPED_EVP_CIPHER_CTX_H_ + +#include <openssl/evp.h> + +#include "base/logging.h" + +namespace net { + +// TODO(wtc): this is the same as the ScopedCipherCTX class defined in +// crypto/encryptor_openssl.cc. Eliminate the duplicate code. +// crypto::ScopedOpenSSL is not suitable for EVP_CIPHER_CTX because +// there are no EVP_CIPHER_CTX_create and EVP_CIPHER_CTX_destroy +// functions. +class ScopedEVPCipherCtx { + public: + ScopedEVPCipherCtx() { + EVP_CIPHER_CTX_init(&ctx_); + } + + ~ScopedEVPCipherCtx() { + int rv = EVP_CIPHER_CTX_cleanup(&ctx_); + DCHECK_EQ(rv, 1); + } + + EVP_CIPHER_CTX* get() { return &ctx_; } + + private: + EVP_CIPHER_CTX ctx_; +}; + +} // namespace net + +#endif // NET_QUIC_CRYPTO_SCOPED_EVP_CIPHER_CTX_H_ |