Rename crypto/ *_openssl files

With the removal of most of the NSS code, we no longer need to split up code between NSS and OpenSSL implementations. BUG=604728 Review URL: https://codereview.chromium.org/1909513003 Cr-Commit-Position: refs/heads/master@{#388856}
marcosholgado · Apr 21, 2016 · 22de42f · 22de42f
1 parent 40a09e7
commit 22de42f
Show file tree

Hide file tree

Showing 16 changed files with 194 additions and 211 deletions.
diff --git a/components/certificate_reporting/error_reporter.cc b/components/certificate_reporting/error_reporter.cc
@@ -10,7 +10,7 @@
 
 #include "base/logging.h"
 #include "components/certificate_reporting/encrypted_cert_logger.pb.h"
-#include "crypto/aead_openssl.h"
+#include "crypto/aead.h"
 #include "crypto/curve25519.h"
 #include "crypto/hkdf.h"
 #include "crypto/random.h"

diff --git a/crypto/BUILD.gn b/crypto/BUILD.gn
@@ -8,8 +8,8 @@ import("//testing/test.gni")
 component("crypto") {
   output_name = "crcrypto"  # Avoid colliding with OpenSSL's libcrypto.
   sources = [
-    "aead_openssl.cc",
-    "aead_openssl.h",
+    "aead.cc",
+    "aead.h",
     "apple_keychain.h",
     "apple_keychain_ios.mm",
     "apple_keychain_mac.mm",
@@ -19,17 +19,16 @@ component("crypto") {
     "crypto_export.h",
     "cssm_init.cc",
     "cssm_init.h",
+    "curve25519.cc",
     "curve25519.h",
-    "curve25519_openssl.cc",
+    "ec_private_key.cc",
     "ec_private_key.h",
-    "ec_private_key_openssl.cc",
     "ec_signature_creator.cc",
     "ec_signature_creator.h",
     "ec_signature_creator_impl.h",
     "ec_signature_creator_openssl.cc",
     "encryptor.cc",
     "encryptor.h",
-    "encryptor_openssl.cc",
     "hkdf.cc",
     "hkdf.h",
     "hmac.cc",
@@ -59,20 +58,20 @@ component("crypto") {
     "p224_spake.h",
     "random.cc",
     "random.h",
+    "rsa_private_key.cc",
     "rsa_private_key.h",
-    "rsa_private_key_openssl.cc",
     "scoped_capi_types.h",
     "scoped_nss_types.h",
+    "secure_hash.cc",
     "secure_hash.h",
-    "secure_hash_openssl.cc",
     "secure_util.cc",
     "secure_util.h",
     "sha2.cc",
     "sha2.h",
+    "signature_creator.cc",
     "signature_creator.h",
-    "signature_creator_openssl.cc",
+    "signature_verifier.cc",
     "signature_verifier.h",
-    "signature_verifier_openssl.cc",
     "symmetric_key.h",
     "symmetric_key_openssl.cc",
     "third_party/nss/chromium-sha256.h",
@@ -165,7 +164,7 @@ if (false && is_win) {
 
 test("crypto_unittests") {
   sources = [
-    "aead_openssl_unittest.cc",
+    "aead_unittest.cc",
     "curve25519_unittest.cc",
     "ec_private_key_unittest.cc",
     "ec_signature_creator_unittest.cc",

diff --git a/crypto/aead_openssl.cc → crypto/aead.cc b/crypto/aead_openssl.cc → crypto/aead.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "crypto/aead_openssl.h"
+#include "crypto/aead.h"
 
 #include <openssl/aes.h>
 #include <openssl/evp.h>

diff --git a/crypto/aead_openssl.h → crypto/aead.h b/crypto/aead_openssl.h → crypto/aead.h
@@ -14,8 +14,7 @@ struct evp_aead_st;
 
 namespace crypto {
 
-// This class exposes the AES-128-CTR-HMAC-SHA256 AEAD, currently only
-// for OpenSSL builds.
+// This class exposes the AES-128-CTR-HMAC-SHA256 AEAD.
 class CRYPTO_EXPORT Aead {
  public:
   enum AeadAlgorithm { AES_128_CTR_HMAC_SHA256 };

diff --git a/crypto/aead_openssl_unittest.cc → crypto/aead_unittest.cc b/crypto/aead_openssl_unittest.cc → crypto/aead_unittest.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "crypto/aead_openssl.h"
+#include "crypto/aead.h"
 
 #include <string>
 

diff --git a/crypto/crypto.gyp b/crypto/crypto.gyp
@@ -107,7 +107,7 @@
       'target_name': 'crypto_unittests',
       'type': 'executable',
       'sources': [
-        'aead_openssl_unittest.cc',
+        'aead_unittest.cc',
         'curve25519_unittest.cc',
         'ec_private_key_unittest.cc',
         'ec_signature_creator_unittest.cc',

diff --git a/crypto/crypto.gypi b/crypto/crypto.gypi
@@ -25,8 +25,8 @@
       # NOTE: all transitive dependencies of HMAC on windows need
       #     to be placed in the source list above.
       '<@(hmac_win64_related_sources)',
-      'aead_openssl.cc',
-      'aead_openssl.h',
+      'aead.cc',
+      'aead.h',
       'apple_keychain.h',
       'apple_keychain_ios.mm',
       'apple_keychain_mac.mm',
@@ -36,17 +36,16 @@
       'crypto_export.h',
       'cssm_init.cc',
       'cssm_init.h',
+      'curve25519.cc',
       'curve25519.h',
-      'curve25519_openssl.cc',
+      'ec_private_key.cc',
       'ec_private_key.h',
-      'ec_private_key_openssl.cc',
       'ec_signature_creator.cc',
       'ec_signature_creator.h',
       'ec_signature_creator_impl.h',
       'ec_signature_creator_openssl.cc',
       'encryptor.cc',
       'encryptor.h',
-      'encryptor_openssl.cc',
       'hkdf.cc',
       'hkdf.h',
       'hmac_openssl.cc',
@@ -72,18 +71,18 @@
       'p224.h',
       'random.h',
       'random.cc',
+      'rsa_private_key.cc',
       'rsa_private_key.h',
-      'rsa_private_key_openssl.cc',
       'scoped_capi_types.h',
       'scoped_nss_types.h',
+      'secure_hash.cc',
       'secure_hash.h',
-      'secure_hash_openssl.cc',
       'sha2.cc',
       'sha2.h',
+      'signature_creator.cc',
       'signature_creator.h',
-      'signature_creator_openssl.cc',
+      'signature_verifier.cc',
       'signature_verifier.h',
-      'signature_verifier_openssl.cc',
       'symmetric_key_openssl.cc',
     ],
     'nacl_win64_sources': [

diff --git a/crypto/curve25519_openssl.cc → crypto/curve25519.cc b/crypto/curve25519_openssl.cc → crypto/curve25519.cc
diff --git a/crypto/ec_private_key_openssl.cc → crypto/ec_private_key.cc b/crypto/ec_private_key_openssl.cc → crypto/ec_private_key.cc
diff --git a/crypto/encryptor.cc b/crypto/encryptor.cc
@@ -4,14 +4,48 @@
 
 #include "crypto/encryptor.h"
 
+#include <openssl/aes.h>
+#include <openssl/evp.h>
 #include <stddef.h>
 #include <stdint.h>
 
 #include "base/logging.h"
+#include "base/strings/string_util.h"
 #include "base/sys_byteorder.h"
+#include "crypto/openssl_util.h"
+#include "crypto/symmetric_key.h"
 
 namespace crypto {
 
+namespace {
+
+const EVP_CIPHER* GetCipherForKey(SymmetricKey* key) {
+  switch (key->key().length()) {
+    case 16: return EVP_aes_128_cbc();
+    case 32: return EVP_aes_256_cbc();
+    default: return NULL;
+  }
+}
+
+// On destruction this class will cleanup the ctx, and also clear the OpenSSL
+// ERR stack as a convenience.
+class ScopedCipherCTX {
+ public:
+  explicit ScopedCipherCTX() {
+    EVP_CIPHER_CTX_init(&ctx_);
+  }
+  ~ScopedCipherCTX() {
+    EVP_CIPHER_CTX_cleanup(&ctx_);
+    ClearOpenSSLERRStack(FROM_HERE);
+  }
+  EVP_CIPHER_CTX* get() { return &ctx_; }
+
+ private:
+  EVP_CIPHER_CTX ctx_;
+};
+
+}  // namespace
+
 /////////////////////////////////////////////////////////////////////////////
 // Encyptor::Counter Implementation.
 Encryptor::Counter::Counter(const base::StringPiece& counter) {
@@ -48,7 +82,50 @@ size_t Encryptor::Counter::GetLengthInBytes() const {
 }
 
 /////////////////////////////////////////////////////////////////////////////
-// Partial Encryptor Implementation.
+// Encryptor Implementation.
+
+Encryptor::Encryptor()
+    : key_(NULL),
+      mode_(CBC) {
+}
+
+Encryptor::~Encryptor() {
+}
+
+bool Encryptor::Init(SymmetricKey* key,
+                     Mode mode,
+                     const base::StringPiece& iv) {
+  DCHECK(key);
+  DCHECK(mode == CBC || mode == CTR);
+
+  EnsureOpenSSLInit();
+  if (mode == CBC && iv.size() != AES_BLOCK_SIZE)
+    return false;
+
+  if (GetCipherForKey(key) == NULL)
+    return false;
+
+  key_ = key;
+  mode_ = mode;
+  iv.CopyToString(&iv_);
+  return true;
+}
+
+bool Encryptor::Encrypt(const base::StringPiece& plaintext,
+                        std::string* ciphertext) {
+  CHECK(!plaintext.empty() || (mode_ == CBC));
+  return (mode_ == CTR) ?
+      CryptCTR(true, plaintext, ciphertext) :
+      Crypt(true, plaintext, ciphertext);
+}
+
+bool Encryptor::Decrypt(const base::StringPiece& ciphertext,
+                        std::string* plaintext) {
+  CHECK(!ciphertext.empty());
+  return (mode_ == CTR) ?
+      CryptCTR(false, ciphertext, plaintext) :
+      Crypt(false, ciphertext, plaintext);
+}
 
 bool Encryptor::SetCounter(const base::StringPiece& counter) {
   if (mode_ != CTR)
@@ -97,4 +174,91 @@ void Encryptor::MaskMessage(const void* plaintext,
     ciphertext_ptr[i] = plaintext_ptr[i] ^ mask_ptr[i];
 }
 
+bool Encryptor::Crypt(bool do_encrypt,
+                      const base::StringPiece& input,
+                      std::string* output) {
+  DCHECK(key_);  // Must call Init() before En/De-crypt.
+  // Work on the result in a local variable, and then only transfer it to
+  // |output| on success to ensure no partial data is returned.
+  std::string result;
+  output->clear();
+
+  const EVP_CIPHER* cipher = GetCipherForKey(key_);
+  DCHECK(cipher);  // Already handled in Init();
+
+  const std::string& key = key_->key();
+  DCHECK_EQ(EVP_CIPHER_iv_length(cipher), iv_.length());
+  DCHECK_EQ(EVP_CIPHER_key_length(cipher), key.length());
+
+  ScopedCipherCTX ctx;
+  if (!EVP_CipherInit_ex(
+          ctx.get(), cipher, NULL, reinterpret_cast<const uint8_t*>(key.data()),
+          reinterpret_cast<const uint8_t*>(iv_.data()), do_encrypt))
+    return false;
+
+  // When encrypting, add another block size of space to allow for any padding.
+  const size_t output_size = input.size() + (do_encrypt ? iv_.size() : 0);
+  CHECK_GT(output_size, 0u);
+  CHECK_GT(output_size + 1, input.size());
+  uint8_t* out_ptr =
+      reinterpret_cast<uint8_t*>(base::WriteInto(&result, output_size + 1));
+  int out_len;
+  if (!EVP_CipherUpdate(ctx.get(), out_ptr, &out_len,
+                        reinterpret_cast<const uint8_t*>(input.data()),
+                        input.length()))
+    return false;
+
+  // Write out the final block plus padding (if any) to the end of the data
+  // just written.
+  int tail_len;
+  if (!EVP_CipherFinal_ex(ctx.get(), out_ptr + out_len, &tail_len))
+    return false;
+
+  out_len += tail_len;
+  DCHECK_LE(out_len, static_cast<int>(output_size));
+  result.resize(out_len);
+
+  output->swap(result);
+  return true;
+}
+
+bool Encryptor::CryptCTR(bool do_encrypt,
+                         const base::StringPiece& input,
+                         std::string* output) {
+  if (!counter_.get()) {
+    LOG(ERROR) << "Counter value not set in CTR mode.";
+    return false;
+  }
+
+  AES_KEY aes_key;
+  if (AES_set_encrypt_key(reinterpret_cast<const uint8_t*>(key_->key().data()),
+                          key_->key().size() * 8, &aes_key) != 0) {
+    return false;
+  }
+
+  const size_t out_size = input.size();
+  CHECK_GT(out_size, 0u);
+  CHECK_GT(out_size + 1, input.size());
+
+  std::string result;
+  uint8_t* out_ptr =
+      reinterpret_cast<uint8_t*>(base::WriteInto(&result, out_size + 1));
+
+  uint8_t ivec[AES_BLOCK_SIZE] = { 0 };
+  uint8_t ecount_buf[AES_BLOCK_SIZE] = { 0 };
+  unsigned int block_offset = 0;
+
+  counter_->Write(ivec);
+
+  AES_ctr128_encrypt(reinterpret_cast<const uint8_t*>(input.data()), out_ptr,
+                     input.size(), &aes_key, ivec, ecount_buf, &block_offset);
+
+  // AES_ctr128_encrypt() updates |ivec|. Update the |counter_| here.
+  SetCounter(base::StringPiece(reinterpret_cast<const char*>(ivec),
+                               AES_BLOCK_SIZE));
+
+  output->swap(result);
+  return true;
+}
+
 }  // namespace crypto
diff --git a/crypto/encryptor.h b/crypto/encryptor.h
@@ -51,7 +51,7 @@ class CRYPTO_EXPORT Encryptor {
   };
 
   Encryptor();
-  virtual ~Encryptor();
+  ~Encryptor();
 
   // Initializes the encryptor using |key| and |iv|. Returns false if either the
   // key or the initialization vector cannot be used.