[webcrypto] Workaround for NSS AES-KW unwrap bug 981170

See https://bugzilla.mozilla.org/show_bug.cgi?id=981170 BUG=349939 TEST=content_unittests --gtest_filter="SharedCryptoTest*" Review URL: https://codereview.chromium.org/190633008 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@256181 0039d316-1c4b-4281-b951-d872f2087c98
author: padolph@netflix.com <padolph@netflix.com@0039d316-1c4b-4281-b951-d872f2087c98> 2014-03-11 10:18:27 +0000
committer: padolph@netflix.com <padolph@netflix.com@0039d316-1c4b-4281-b951-d872f2087c98> 2014-03-11 10:18:27 +0000
commit: 421fae27a8db394255b8bb8c2962c9e7f2a49f9d (patch)
tree: 11f41464d4b12e6e3263725b06cc8a5732f9706b /content/child/webcrypto
parent: 871ec2eacbe2e8ad18e0e893a92d7e017055eb7b (diff)
download: chromium_src-421fae27a8db394255b8bb8c2962c9e7f2a49f9d.zip
chromium_src-421fae27a8db394255b8bb8c2962c9e7f2a49f9d.tar.gz
chromium_src-421fae27a8db394255b8bb8c2962c9e7f2a49f9d.tar.bz2
2 files changed, 34 insertions, 11 deletions
diff --git a/content/child/webcrypto/platform_crypto_nss.cc b/content/child/webcrypto/platform_crypto_nss.cc
index 4cc6cb1..be6d0b0 100644
--- a/content/child/webcrypto/platform_crypto_nss.cc
+++ b/content/child/webcrypto/platform_crypto_nss.cc
@@ -1191,6 +1191,35 @@ Status UnwrapSymKeyAesKw(const CryptoData& wrapped_key_data,
   if (!unwrapped_key)
     return Status::Error();
 
+// TODO(padolph): Change to "defined(USE_NSS)" once the NSS fix for
+// https://bugzilla.mozilla.org/show_bug.cgi?id=981170 rolls into chromium.
+#if 1
+  // ------- Start NSS bug workaround
+  // Workaround for https://code.google.com/p/chromium/issues/detail?id=349939
+  // If unwrap fails, NSS nevertheless returns a valid-looking PK11SymKey, with
+  // a reasonable length but with key data pointing to uninitialized memory.
+  // This workaround re-wraps the key and compares the result with the incoming
+  // data, and fails if there is a difference. This prevents returning a bad key
+  // to the caller.
+  const unsigned int output_length = wrapped_key_data.byte_length();
+  std::vector<unsigned char> buffer(output_length, 0);
+  SECItem wrapped_key_item = MakeSECItemForBuffer(CryptoData(buffer));
+  if (SECSuccess != PK11_WrapSymKey(CKM_NSS_AES_KEY_WRAP,
+                                    param_item.get(),
+                                    wrapping_key->key(),
+                                    unwrapped_key.get(),
+                                    &wrapped_key_item)) {
+    return Status::Error();
+  }
+  if (wrapped_key_item.len != wrapped_key_data.byte_length() ||
+      memcmp(wrapped_key_item.data,
+             wrapped_key_data.bytes(),
+             wrapped_key_item.len) != 0) {
+    return Status::Error();
+  }
+  // ------- End NSS bug workaround
+#endif
+
   blink::WebCryptoKeyAlgorithm key_algorithm;
   if (!CreateSecretKeyAlgorithm(algorithm, plaintext_length, &key_algorithm))
     return Status::ErrorUnexpected();
diff --git a/content/child/webcrypto/shared_crypto_unittest.cc b/content/child/webcrypto/shared_crypto_unittest.cc
index 8ded2c4..d5c7df8 100644
--- a/content/child/webcrypto/shared_crypto_unittest.cc
+++ b/content/child/webcrypto/shared_crypto_unittest.cc
@@ -158,7 +158,7 @@ void ExpectCryptoDataMatchesHex(const std::string& expected_hex,
 
 void ExpectArrayBufferMatchesHex(const std::string& expected_hex,
                                  const blink::WebArrayBuffer& array_buffer) {
-  return ExpectCryptoDataMatchesHex(expected_hex, CryptoData(array_buffer));
+  ExpectCryptoDataMatchesHex(expected_hex, CryptoData(array_buffer));
 }
 
 void ExpectVectorMatches(const std::vector<uint8>& expected,
@@ -2171,10 +2171,11 @@ TEST_F(SharedCryptoTest, MAYBE(AesKwRawSymkeyUnwrapCorruptData)) {
       wrapping_algorithm,
       blink::WebCryptoKeyUsageWrapKey | blink::WebCryptoKeyUsageUnwrapKey);
 
-  // Unwrap a corrupted version of the known ciphertext. Unwrap should pass but
-  // will produce a key that is different than the known original.
+  // Unwrap of a corrupted version of the known ciphertext should fail, due to
+  // AES-KW's built-in integrity check.
   blink::WebCryptoKey unwrapped_key = blink::WebCryptoKey::createNull();
-  ASSERT_STATUS_SUCCESS(
+  EXPECT_STATUS(
+      Status::Error(),
       UnwrapKey(blink::WebCryptoKeyFormatRaw,
                 CryptoData(Corrupted(test_ciphertext)),
                 wrapping_key,
@@ -2183,13 +2184,6 @@ TEST_F(SharedCryptoTest, MAYBE(AesKwRawSymkeyUnwrapCorruptData)) {
                 true,
                 blink::WebCryptoKeyUsageEncrypt,
                 &unwrapped_key));
-
-  // Export the new key and compare its raw bytes with the original known key.
-  // The comparison should fail.
-  blink::WebArrayBuffer raw_key;
-  EXPECT_STATUS_SUCCESS(
-      ExportKey(blink::WebCryptoKeyFormatRaw, unwrapped_key, &raw_key));
-  EXPECT_FALSE(ArrayBufferMatches(test_key, raw_key));
 }
 
 // TODO(eroman):
author	padolph@netflix.com <padolph@netflix.com@0039d316-1c4b-4281-b951-d872f2087c98>	2014-03-11 10:18:27 +0000
committer	padolph@netflix.com <padolph@netflix.com@0039d316-1c4b-4281-b951-d872f2087c98>	2014-03-11 10:18:27 +0000
commit	421fae27a8db394255b8bb8c2962c9e7f2a49f9d (patch)
tree	11f41464d4b12e6e3263725b06cc8a5732f9706b /content/child/webcrypto
parent	871ec2eacbe2e8ad18e0e893a92d7e017055eb7b (diff)
download	chromium_src-421fae27a8db394255b8bb8c2962c9e7f2a49f9d.zip chromium_src-421fae27a8db394255b8bb8c2962c9e7f2a49f9d.tar.gz chromium_src-421fae27a8db394255b8bb8c2962c9e7f2a49f9d.tar.bz2