1/*
2 * Copyright (C) 2014 Igalia S.L. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
14 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
15 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
17 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
18 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
19 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
20 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
21 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
22 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
23 * THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#include "config.h"
27#include "CryptoAlgorithmAES_CBC.h"
28
29#if ENABLE(WEB_CRYPTO)
30
31#include "CryptoAlgorithmAesCbcCfbParams.h"
32#include "CryptoKeyAES.h"
33#include "NotImplemented.h"
34#include <pal/crypto/gcrypt/Handle.h>
35#include <pal/crypto/gcrypt/Utilities.h>
36
37namespace WebCore {
38
39static Optional<Vector<uint8_t>> gcryptEncrypt(const Vector<uint8_t>& key, const Vector<uint8_t>& iv, Vector<uint8_t>&& plainText)
40{
41 // Determine the AES algorithm for the given key size.
42 auto algorithm = PAL::GCrypt::aesAlgorithmForKeySize(key.size() * 8);
43 if (!algorithm)
44 return WTF::nullopt;
45
46 // Create a new GCrypt cipher object for the AES algorithm and the CBC cipher mode.
47 PAL::GCrypt::Handle<gcry_cipher_hd_t> handle;
48 gcry_error_t error = gcry_cipher_open(&handle, *algorithm, GCRY_CIPHER_MODE_CBC, 0);
49 if (error != GPG_ERR_NO_ERROR) {
50 PAL::GCrypt::logError(error);
51 return WTF::nullopt;
52 }
53
54 // Use the given key for this cipher object.
55 error = gcry_cipher_setkey(handle, key.data(), key.size());
56 if (error != GPG_ERR_NO_ERROR) {
57 PAL::GCrypt::logError(error);
58 return WTF::nullopt;
59 }
60
61 // Use the given IV for this cipher object.
62 error = gcry_cipher_setiv(handle, iv.data(), iv.size());
63 if (error != GPG_ERR_NO_ERROR) {
64 PAL::GCrypt::logError(error);
65 return WTF::nullopt;
66 }
67
68 // Use the PKCS#7 padding.
69 {
70 // Round up the size value to the next multiple of the cipher's block length to get the padded size.
71 size_t size = plainText.size();
72 size_t paddedSize = roundUpToMultipleOf(gcry_cipher_get_algo_blklen(*algorithm), size + 1);
73
74 // Padded size should be bigger than size, but bail if the value doesn't fit into a byte.
75 ASSERT(paddedSize > size);
76 if (paddedSize - size > 255)
77 return WTF::nullopt;
78 uint8_t paddingValue = paddedSize - size;
79
80 plainText.grow(paddedSize);
81 std::memset(plainText.data() + size, paddingValue, paddingValue);
82 }
83
84 // Finalize the cipher object before performing the encryption.
85 error = gcry_cipher_final(handle);
86 if (error != GPG_ERR_NO_ERROR) {
87 PAL::GCrypt::logError(error);
88 return WTF::nullopt;
89 }
90
91 // Perform the encryption and retrieve the encrypted output.
92 Vector<uint8_t> output(plainText.size());
93 error = gcry_cipher_encrypt(handle, output.data(), output.size(), plainText.data(), plainText.size());
94 if (error != GPG_ERR_NO_ERROR) {
95 PAL::GCrypt::logError(error);
96 return WTF::nullopt;
97 }
98
99 return output;
100}
101
102static Optional<Vector<uint8_t>> gcryptDecrypt(const Vector<uint8_t>& key, const Vector<uint8_t>& iv, const Vector<uint8_t>& cipherText)
103{
104 // Determine the AES algorithm for the given key size.
105 auto algorithm = PAL::GCrypt::aesAlgorithmForKeySize(key.size() * 8);
106 if (!algorithm)
107 return WTF::nullopt;
108
109 // Create a new GCrypt cipher object for the AES algorithm and the CBC cipher mode.
110 PAL::GCrypt::Handle<gcry_cipher_hd_t> handle;
111 gcry_error_t error = gcry_cipher_open(&handle, *algorithm, GCRY_CIPHER_MODE_CBC, 0);
112 if (error != GPG_ERR_NO_ERROR) {
113 PAL::GCrypt::logError(error);
114 return WTF::nullopt;
115 }
116
117 // Use the given key for this cipher object.
118 error = gcry_cipher_setkey(handle, key.data(), key.size());
119 if (error != GPG_ERR_NO_ERROR) {
120 PAL::GCrypt::logError(error);
121 return WTF::nullopt;
122 }
123
124 // Use the given IV for this cipher object.
125 error = gcry_cipher_setiv(handle, iv.data(), iv.size());
126 if (error != GPG_ERR_NO_ERROR) {
127 PAL::GCrypt::logError(error);
128 return WTF::nullopt;
129 }
130
131 // Finalize the cipher object before performing the decryption.
132 error = gcry_cipher_final(handle);
133 if (error != GPG_ERR_NO_ERROR) {
134 PAL::GCrypt::logError(error);
135 return WTF::nullopt;
136 }
137
138 // Perform the decryption and retrieve the decrypted output.
139 Vector<uint8_t> output(cipherText.size());
140 error = gcry_cipher_decrypt(handle, output.data(), output.size(), cipherText.data(), cipherText.size());
141 if (error != GPG_ERR_NO_ERROR) {
142 PAL::GCrypt::logError(error);
143 return WTF::nullopt;
144 }
145
146 // Remove the PKCS#7 padding from the decrypted output.
147 {
148 // The padding value can be retrieved from the last byte.
149 uint8_t paddingValue = output.last();
150 if (paddingValue > gcry_cipher_get_algo_blklen(*algorithm))
151 return WTF::nullopt;
152
153 // Padding value mustn't be greater than the size of the padded output.
154 size_t size = output.size();
155 if (paddingValue > size)
156 return WTF::nullopt;
157
158 // Bail if the last `paddingValue` bytes don't have the value of `paddingValue`.
159 if (std::count(output.end() - paddingValue, output.end(), paddingValue) != paddingValue)
160 return WTF::nullopt;
161
162 // Shrink the output Vector object to drop the PKCS#7 padding.
163 output.shrink(size - paddingValue);
164 }
165
166 return output;
167}
168
169ExceptionOr<Vector<uint8_t>> CryptoAlgorithmAES_CBC::platformEncrypt(const CryptoAlgorithmAesCbcCfbParams& parameters, const CryptoKeyAES& key, const Vector<uint8_t>& plainText)
170{
171 auto output = gcryptEncrypt(key.key(), parameters.ivVector(), Vector<uint8_t>(plainText));
172 if (!output)
173 return Exception { OperationError };
174 return WTFMove(*output);
175}
176
177ExceptionOr<Vector<uint8_t>> CryptoAlgorithmAES_CBC::platformDecrypt(const CryptoAlgorithmAesCbcCfbParams& parameters, const CryptoKeyAES& key, const Vector<uint8_t>& cipherText)
178{
179 auto output = gcryptDecrypt(key.key(), parameters.ivVector(), cipherText);
180 if (!output)
181 return Exception { OperationError };
182 return WTFMove(*output);
183}
184
185} // namespace WebCore
186
187#endif // ENABLE(WEB_CRYPTO)
188