diff options
Diffstat (limited to 'base/crypto')
-rw-r--r-- | base/crypto/encryptor.h | 48 | ||||
-rw-r--r-- | base/crypto/encryptor_mac.cc | 30 | ||||
-rw-r--r-- | base/crypto/encryptor_nss.cc | 124 | ||||
-rw-r--r-- | base/crypto/encryptor_unittest.cc | 40 | ||||
-rw-r--r-- | base/crypto/encryptor_win.cc | 29 | ||||
-rw-r--r-- | base/crypto/pbkdf2.h | 22 | ||||
-rw-r--r-- | base/crypto/pbkdf2_mac.cc | 17 | ||||
-rw-r--r-- | base/crypto/pbkdf2_nss.cc | 56 | ||||
-rw-r--r-- | base/crypto/pbkdf2_win.cc | 17 | ||||
-rw-r--r-- | base/crypto/scoped_nss_types.h | 12 | ||||
-rw-r--r-- | base/crypto/symmetric_key.h | 20 | ||||
-rw-r--r-- | base/crypto/symmetric_key_mac.cc | 17 | ||||
-rw-r--r-- | base/crypto/symmetric_key_nss.cc | 67 | ||||
-rw-r--r-- | base/crypto/symmetric_key_unittest.cc (renamed from base/crypto/pbkdf2_unittest.cc) | 33 | ||||
-rw-r--r-- | base/crypto/symmetric_key_win.cc | 17 |
15 files changed, 416 insertions, 133 deletions
diff --git a/base/crypto/encryptor.h b/base/crypto/encryptor.h new file mode 100644 index 0000000..55199d5 --- /dev/null +++ b/base/crypto/encryptor.h @@ -0,0 +1,48 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef BASE_CRYPTO_ENCRYPTOR_H_ +#define BASE_CRYPTO_ENCRYPTOR_H_ + +#include <string> + +#include "base/crypto/symmetric_key.h" +#include "base/scoped_ptr.h" + +namespace base { + +class Encryptor { + public: + enum Mode { + CBC + }; + explicit Encryptor(); + ~Encryptor(); + + // Initializes the encryptor using |key| and |iv|. Takes ownership of |key| if + // successful. Returns false if either the key or the initialization vector + // cannot be used. + bool Init(SymmetricKey* key, Mode mode, const std::string& iv); + + // Encrypts |plaintext| into |ciphertext|. + bool Encrypt(const std::string& plaintext, std::string* ciphertext); + + // Decrypts |ciphertext| into |plaintext|. + bool Decrypt(const std::string& ciphertext, std::string* plaintext); + + // TODO(albertb): Support streaming encryption. + + private: + Mode mode_; + scoped_ptr<SymmetricKey> key_; + +#if defined(USE_NSS) + ScopedPK11Slot slot_; + ScopedSECItem param_; +#endif +}; + +} // namespace base + +#endif // BASE_CRYPTO_ENCRYPTOR_H_ diff --git a/base/crypto/encryptor_mac.cc b/base/crypto/encryptor_mac.cc new file mode 100644 index 0000000..2b04537 --- /dev/null +++ b/base/crypto/encryptor_mac.cc @@ -0,0 +1,30 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "base/crypto/encryptor.h" + +namespace base { + +// TODO(albertb): Implement on Mac using the Common Crypto Library: +// http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man3/CCCryptor.3cc.html#//apple_ref/doc/man/10.5/3cc/CCCryptor?useVersion=10.5 + +Encryptor::Encryptor() { +} + +Encryptor::~Encryptor() { +} + +bool Encryptor::Init(SymmetricKey* key, Mode mode, const std::string& iv) { + return false; +} + +bool Encryptor::Encrypt(const std::string& plaintext, std::string* ciphertext) { + return false; +} + +bool Encryptor::Decrypt(const std::string& ciphertext, std::string* plaintext) { + return false; +} + +} // namespace base diff --git a/base/crypto/encryptor_nss.cc b/base/crypto/encryptor_nss.cc new file mode 100644 index 0000000..78ddb64 --- /dev/null +++ b/base/crypto/encryptor_nss.cc @@ -0,0 +1,124 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "base/crypto/encryptor.h" + +#include <cryptohi.h> +#include <vector> + +#include "base/logging.h" +#include "base/nss_util.h" + +namespace base { + +Encryptor::Encryptor() { + EnsureNSSInit(); +} + +Encryptor::~Encryptor() { +} + +bool Encryptor::Init(SymmetricKey* key, Mode mode, const std::string& iv) { + DCHECK(key); + DCHECK_EQ(CBC, mode); + + mode_ = mode; + if (iv.size() != AES_BLOCK_SIZE) + return false; + + slot_.reset(PK11_GetBestSlot(CKM_AES_CBC_PAD, NULL)); + if (!slot_.get()) + return false; + + SECItem iv_item; + iv_item.type = siBuffer; + iv_item.data = reinterpret_cast<unsigned char*>( + const_cast<char *>(iv.data())); + iv_item.len = iv.size(); + + param_.reset(PK11_ParamFromIV(CKM_AES_CBC_PAD, &iv_item)); + if (!param_.get()) + return false; + + key_.reset(key); + return true; +} + +bool Encryptor::Encrypt(const std::string& plaintext, std::string* ciphertext) { + if (plaintext.size() == 0) + return false; + + ScopedPK11Context context(PK11_CreateContextBySymKey(CKM_AES_CBC_PAD, + CKA_ENCRYPT, + key_->key(), + param_.get())); + if (!context.get()) + return false; + + size_t ciphertext_len = plaintext.size() + AES_BLOCK_SIZE; + std::vector<unsigned char> buffer(ciphertext_len); + + int op_len; + SECStatus rv = PK11_CipherOp(context.get(), + &buffer[0], + &op_len, + ciphertext_len, + reinterpret_cast<unsigned char*>( + const_cast<char*>(plaintext.data())), + plaintext.size()); + if (SECSuccess != rv) + return false; + + unsigned int digest_len; + rv = PK11_DigestFinal(context.get(), + &buffer[op_len], + &digest_len, + ciphertext_len - op_len); + if (SECSuccess != rv) + return false; + + ciphertext->assign(reinterpret_cast<char *>(&buffer[0]), + op_len + digest_len); + return true; +} + +bool Encryptor::Decrypt(const std::string& ciphertext, std::string* plaintext) { + if (ciphertext.size() == 0) + return false; + + ScopedPK11Context context(PK11_CreateContextBySymKey(CKM_AES_CBC_PAD, + CKA_DECRYPT, + key_->key(), + param_.get())); + if (!context.get()) + return false; + + size_t plaintext_len = ciphertext.size(); + std::vector<unsigned char> buffer(plaintext_len); + + int op_len; + SECStatus rv = PK11_CipherOp(context.get(), + &buffer[0], + &op_len, + plaintext_len, + reinterpret_cast<unsigned char*>( + const_cast<char*>(ciphertext.data())), + ciphertext.size()); + if (SECSuccess != rv) + return false; + + unsigned int digest_len; + rv = PK11_DigestFinal(context.get(), + &buffer[op_len], + &digest_len, + plaintext_len - op_len); + if (SECSuccess != rv) + return false; + + plaintext->assign(reinterpret_cast<char *>(&buffer[0]), + op_len + digest_len); + return true; +} + +} // namespace base diff --git a/base/crypto/encryptor_unittest.cc b/base/crypto/encryptor_unittest.cc new file mode 100644 index 0000000..c183d90 --- /dev/null +++ b/base/crypto/encryptor_unittest.cc @@ -0,0 +1,40 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "base/crypto/encryptor.h" + +#include <string> + +#include "base/crypto/symmetric_key.h" +#include "base/scoped_ptr.h" +#include "base/string_util.h" +#include "testing/gtest/include/gtest/gtest.h" + +#if defined(USE_NSS) +#define MAYBE(name) name +#else +#define MAYBE(name) DISABLED_ ## name +#endif + +TEST(EncryptorTest, MAYBE(EncryptDecrypt)) { + scoped_ptr<base::SymmetricKey> key(base::SymmetricKey::DeriveKeyFromPassword( + base::SymmetricKey::AES, "password", "salt", 1000, 32)); + EXPECT_TRUE(NULL != key.get()); + + base::Encryptor encryptor; + // The IV must be exactly as long a the cipher block size. + std::string iv("the iv: 16 bytes"); + EXPECT_TRUE(encryptor.Init(key.release(), base::Encryptor::CBC, iv)); + + std::string plaintext("this is the plaintext"); + std::string ciphertext; + EXPECT_TRUE(encryptor.Encrypt(plaintext, &ciphertext)); + + EXPECT_LT(0U, ciphertext.size()); + + std::string decypted; + EXPECT_TRUE(encryptor.Decrypt(ciphertext, &decypted)); + + EXPECT_EQ(plaintext, decypted); +} diff --git a/base/crypto/encryptor_win.cc b/base/crypto/encryptor_win.cc new file mode 100644 index 0000000..6411408 --- /dev/null +++ b/base/crypto/encryptor_win.cc @@ -0,0 +1,29 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "base/crypto/encryptor.h" + +namespace base { + +// TODO(albertb): Implement on Windows. + +Encryptor::Encryptor() { +} + +Encryptor::~Encryptor() { +} + +bool Encryptor::Init(SymmetricKey* key, Mode mode, const std::string& iv) { + return false; +} + +bool Encryptor::Encrypt(const std::string& plaintext, std::string* ciphertext) { + return false; +} + +bool Encryptor::Decrypt(const std::string& ciphertext, std::string* plaintext) { + return false; +} + +} // namespace base diff --git a/base/crypto/pbkdf2.h b/base/crypto/pbkdf2.h deleted file mode 100644 index e5c0821..0000000 --- a/base/crypto/pbkdf2.h +++ /dev/null @@ -1,22 +0,0 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef BASE_CRYPTO_PBKDF2_H_ -#define BASE_CRYPTO_PBKDF2_H_ - -#include <string> - -#include "base/crypto/symmetric_key.h" - -namespace base { - -// Derives a key from the supplied password and salt using PBKDF2. -SymmetricKey* DeriveKeyFromPassword(const std::string& password, - const std::string& salt, - unsigned int iterations, - unsigned int key_size); - -} // namespace base - -#endif // BASE_CRYPTO_PBKDF2_H_ diff --git a/base/crypto/pbkdf2_mac.cc b/base/crypto/pbkdf2_mac.cc deleted file mode 100644 index 64e661e..0000000 --- a/base/crypto/pbkdf2_mac.cc +++ /dev/null @@ -1,17 +0,0 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "base/crypto/pbkdf2.h" - -namespace base { - -SymmetricKey* DeriveKeyFromPassword(const std::string& password, - const std::string& salt, - unsigned int iterations, - unsigned int key_size) { - // TODO(albertb): Implement this on Mac. - return NULL; -} - -} // namespace base diff --git a/base/crypto/pbkdf2_nss.cc b/base/crypto/pbkdf2_nss.cc deleted file mode 100644 index df1d898..0000000 --- a/base/crypto/pbkdf2_nss.cc +++ /dev/null @@ -1,56 +0,0 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "base/crypto/pbkdf2.h" - -#include <nss.h> -#include <pk11pub.h> - -#include "base/crypto/scoped_nss_types.h" -#include "base/nss_util.h" - -namespace base { - -SymmetricKey* DeriveKeyFromPassword(const std::string& password, - const std::string& salt, - unsigned int iterations, - unsigned int key_size) { - EnsureNSSInit(); - if (salt.empty() || iterations == 0 || key_size == 0) - return NULL; - - SECItem password_item; - password_item.type = siBuffer; - password_item.data = reinterpret_cast<unsigned char*>( - const_cast<char *>(password.data())); - password_item.len = password.size(); - - SECItem salt_item; - salt_item.type = siBuffer; - salt_item.data = reinterpret_cast<unsigned char*>( - const_cast<char *>(salt.data())); - salt_item.len = salt.size(); - - ScopedSECAlgorithmID alg_id(PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, - SEC_OID_PKCS5_PBKDF2, - SEC_OID_HMAC_SHA1, - key_size, - iterations, - &salt_item)); - if (!alg_id.get()) - return NULL; - - ScopedPK11Slot slot(PK11_GetBestSlot(SEC_OID_PKCS5_PBKDF2, NULL)); - if (!slot.get()) - return NULL; - - PK11SymKey* sym_key = PK11_PBEKeyGen(slot.get(), alg_id.get(), &password_item, - PR_FALSE, NULL); - if (!sym_key) - return NULL; - - return new SymmetricKey(sym_key); -} - -} // namespace base diff --git a/base/crypto/pbkdf2_win.cc b/base/crypto/pbkdf2_win.cc deleted file mode 100644 index 172199b..0000000 --- a/base/crypto/pbkdf2_win.cc +++ /dev/null @@ -1,17 +0,0 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "base/crypto/pbkdf2.h" - -namespace base { - -SymmetricKey* DeriveKeyFromPassword(const std::string& password, - const std::string& salt, - unsigned int iterations, - unsigned int key_size) { - // TODO(albertb): Implement this on Windows. - return NULL; -} - -} // namespace base diff --git a/base/crypto/scoped_nss_types.h b/base/crypto/scoped_nss_types.h index 5d67ba1..c1c84c1 100644 --- a/base/crypto/scoped_nss_types.h +++ b/base/crypto/scoped_nss_types.h @@ -30,10 +30,6 @@ struct NSSDestroyer1 { // Define some convenient scopers around NSS pointers. typedef scoped_ptr_malloc< - SECAlgorithmID, NSSDestroyer1<SECAlgorithmID, - SECOID_DestroyAlgorithmID, - PR_TRUE> > ScopedSECAlgorithmID; -typedef scoped_ptr_malloc< PK11Context, NSSDestroyer1<PK11Context, PK11_DestroyContext, PR_TRUE> > ScopedPK11Context; @@ -41,6 +37,14 @@ typedef scoped_ptr_malloc< PK11SlotInfo, NSSDestroyer<PK11SlotInfo, PK11_FreeSlot> > ScopedPK11Slot; typedef scoped_ptr_malloc< PK11SymKey, NSSDestroyer<PK11SymKey, PK11_FreeSymKey> > ScopedPK11SymKey; +typedef scoped_ptr_malloc< + SECAlgorithmID, NSSDestroyer1<SECAlgorithmID, + SECOID_DestroyAlgorithmID, + PR_TRUE> > ScopedSECAlgorithmID; +typedef scoped_ptr_malloc< + SECItem, NSSDestroyer1<SECItem, + SECITEM_FreeItem, + PR_TRUE> > ScopedSECItem; } // namespace base diff --git a/base/crypto/symmetric_key.h b/base/crypto/symmetric_key.h index c298048..1e1aed5 100644 --- a/base/crypto/symmetric_key.h +++ b/base/crypto/symmetric_key.h @@ -19,12 +19,25 @@ namespace base { // scoped_ptr. class SymmetricKey { public: -#if defined(USE_NSS) - explicit SymmetricKey(PK11SymKey* key) : key_(key) {} -#endif // USE_NSS + enum Algorithm { + AES, + HMAC_SHA1, + }; virtual ~SymmetricKey() {} + // Generates a random key suitable to be used with |cipher| and of |key_size| + // bytes. The caller is responsible for deleting the returned SymmetricKey. + static SymmetricKey* GenerateRandomKey(Algorithm algorithm, size_t key_size); + + // Derives a key from the supplied password and salt using PBKDF2. The caller + // is respnosible for deleting the returned SymmetricKey. + static SymmetricKey* DeriveKeyFromPassword(Algorithm algorithm, + const std::string& password, + const std::string& salt, + size_t iterations, + size_t key_size); + #if defined(USE_NSS) PK11SymKey* key() const { return key_.get(); } #endif // USE_NSS @@ -35,6 +48,7 @@ class SymmetricKey { private: #if defined(USE_NSS) + explicit SymmetricKey(PK11SymKey* key) : key_(key) {} ScopedPK11SymKey key_; #endif // USE_NSS diff --git a/base/crypto/symmetric_key_mac.cc b/base/crypto/symmetric_key_mac.cc index b24b434..8290e71 100644 --- a/base/crypto/symmetric_key_mac.cc +++ b/base/crypto/symmetric_key_mac.cc @@ -6,8 +6,23 @@ namespace base { +// TODO(albertb): Implement on Mac. + +// static +SymmetricKey* SymmetricKey::GenerateRandomKey(Algorithm algorithm, size_t key_size) { + return NULL; +} + +// static +SymmetricKey* SymmetricKey::DeriveKeyFromPassword(Algorithm algorithm, + const std::string& password, + const std::string& salt, + size_t iterations, + size_t key_size) { + return NULL; +} + bool SymmetricKey::GetRawKey(std::string* raw_key) { - // TODO(albertb): Implement on Mac. return false; } diff --git a/base/crypto/symmetric_key_nss.cc b/base/crypto/symmetric_key_nss.cc index 2c6c1ac..7196ae4 100644 --- a/base/crypto/symmetric_key_nss.cc +++ b/base/crypto/symmetric_key_nss.cc @@ -7,10 +7,77 @@ #include <nss.h> #include <pk11pub.h> +#include "base/nss_util.h" #include "base/logging.h" namespace base { +// static +SymmetricKey* SymmetricKey::GenerateRandomKey(Algorithm algorithm, size_t key_size) { + DCHECK_EQ(AES, algorithm); + + EnsureNSSInit(); + if (key_size == 0) + return NULL; + + ScopedPK11Slot slot(PK11_GetBestSlot(CKM_AES_KEY_GEN, NULL)); + if (!slot.get()) + return NULL; + + PK11SymKey* sym_key = PK11_KeyGen(slot.get(), CKM_AES_KEY_GEN, NULL, key_size, + NULL); + if (!sym_key) + return NULL; + + return new SymmetricKey(sym_key); +} + +// static +SymmetricKey* SymmetricKey::DeriveKeyFromPassword(Algorithm algorithm, + const std::string& password, + const std::string& salt, + size_t iterations, + size_t key_size) { + EnsureNSSInit(); + if (salt.empty() || iterations == 0 || key_size == 0) + return NULL; + + SECItem password_item; + password_item.type = siBuffer; + password_item.data = reinterpret_cast<unsigned char*>( + const_cast<char *>(password.data())); + password_item.len = password.size(); + + SECItem salt_item; + salt_item.type = siBuffer; + salt_item.data = reinterpret_cast<unsigned char*>( + const_cast<char *>(salt.data())); + salt_item.len = salt.size(); + + + SECOidTag cipher_algorithm = + algorithm == AES ? SEC_OID_AES_256_CBC : SEC_OID_HMAC_SHA1; + ScopedSECAlgorithmID alg_id(PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, + cipher_algorithm, + SEC_OID_HMAC_SHA1, + key_size, + iterations, + &salt_item)); + if (!alg_id.get()) + return NULL; + + ScopedPK11Slot slot(PK11_GetBestSlot(SEC_OID_PKCS5_PBKDF2, NULL)); + if (!slot.get()) + return NULL; + + PK11SymKey* sym_key = PK11_PBEKeyGen(slot.get(), alg_id.get(), &password_item, + PR_FALSE, NULL); + if (!sym_key) + return NULL; + + return new SymmetricKey(sym_key); +} + bool SymmetricKey::GetRawKey(std::string* raw_key) { SECStatus rv = PK11_ExtractKeyValue(key_.get()); if (SECSuccess != rv) diff --git a/base/crypto/pbkdf2_unittest.cc b/base/crypto/symmetric_key_unittest.cc index 377bd61..fe94b61 100644 --- a/base/crypto/pbkdf2_unittest.cc +++ b/base/crypto/symmetric_key_unittest.cc @@ -2,7 +2,7 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -#include "base/crypto/pbkdf2.h" +#include "base/crypto/symmetric_key.h" #include <string> @@ -10,7 +10,19 @@ #include "base/string_util.h" #include "testing/gtest/include/gtest/gtest.h" -struct TestVector { +#if defined(USE_NSS) +#define MAYBE(name) name +#else +#define MAYBE(name) DISABLED_ ## name +#endif + +TEST(SymmetricKeyTest, MAYBE(GenerateRandomKey)) { + scoped_ptr<base::SymmetricKey> key( + base::SymmetricKey::GenerateRandomKey(base::SymmetricKey::AES, 32)); + EXPECT_TRUE(NULL != key.get()); +} + +struct PBKDF2TestVector { const char* password; const char* salt; unsigned int rounds; @@ -20,7 +32,7 @@ struct TestVector { // These are the test vectors suggested in: // http://www.ietf.org/id/draft-josefsson-pbkdf2-test-vectors-00.txt -static const TestVector test_vectors[] = { +static const PBKDF2TestVector test_vectors[] = { { "password", "salt", @@ -58,17 +70,14 @@ static const TestVector test_vectors[] = { #endif }; -#if defined(USE_NSS) -#define MAYBE_TestVectors TestVectors -#else -#define MAYBE_TestVectors DISABLED_TestVectors -#endif -TEST(PBKDF2Test, MAYBE_TestVectors) { +TEST(SymmetricKeyTest, MAYBE(DeriveKeyFromPassword)) { for (unsigned int i = 0; i < ARRAYSIZE_UNSAFE(test_vectors); ++i) { SCOPED_TRACE(StringPrintf("Test[%u]", i)); - scoped_ptr<base::SymmetricKey> key(base::DeriveKeyFromPassword( - test_vectors[i].password, test_vectors[i].salt, test_vectors[i].rounds, - test_vectors[i].key_size)); + scoped_ptr<base::SymmetricKey> key( + base::SymmetricKey::DeriveKeyFromPassword( + base::SymmetricKey::HMAC_SHA1, + test_vectors[i].password, test_vectors[i].salt, + test_vectors[i].rounds, test_vectors[i].key_size)); EXPECT_TRUE(NULL != key.get()); std::string raw_key; diff --git a/base/crypto/symmetric_key_win.cc b/base/crypto/symmetric_key_win.cc index 5a302aa..014e1ba 100644 --- a/base/crypto/symmetric_key_win.cc +++ b/base/crypto/symmetric_key_win.cc @@ -6,8 +6,23 @@ namespace base { +// TODO(albertb): Implement on Windows. + +// static +SymmetricKey* SymmetricKey::GenerateRandomKey(Algorithm algorithm, unsigned int key_size) { + return NULL; +} + +// static +SymmetricKey* SymmetricKey::DeriveKeyFromPassword(Algorithm algorithm, + const std::string& password, + const std::string& salt, + size_t iterations, + size_t key_size) { + return NULL; +} + bool SymmetricKey::GetRawKey(std::string* raw_key) { - // TODO(albertb): Implement on Windows. return false; } |