author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-07-12 14:07:37 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-07-17 10:29:26 +0000 |
commit | ec02ee4181c49b61fce1c8fb99292dbb8139cc90 (patch) | |
tree | 25cde714b2b71eb639d1cd53f5a22e9ba76e14ef /chromium/crypto | |
parent | bb09965444b5bb20b096a291445170876225268d (diff) | |
download | qtwebengine-chromium-ec02ee4181c49b61fce1c8fb99292dbb8139cc90.tar.gz |
BASELINE: Update Chromium to 59.0.3071.134
Change-Id: Id02ef6fb2204c5fd21668a1c3e6911c83b17585a
Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
Diffstat (limited to 'chromium/crypto')
-rw-r--r-- | chromium/crypto/BUILD.gn | 2 | ||||
-rw-r--r-- | chromium/crypto/OWNERS | 2 | ||||
-rw-r--r-- | chromium/crypto/ec_private_key.cc | 107 | ||||
-rw-r--r-- | chromium/crypto/nss_util.cc | 4 | ||||
-rw-r--r-- | chromium/crypto/openssl_util.cc | 2 | ||||
-rw-r--r-- | chromium/crypto/signature_verifier.cc | 24 | ||||
-rw-r--r-- | chromium/crypto/signature_verifier.h | 16 |
7 files changed, 60 insertions, 97 deletions
diff --git a/chromium/crypto/BUILD.gn b/chromium/crypto/BUILD.gn
index 6b45c9d6332..6299b594399 100644
--- a/chromium/crypto/BUILD.gn
+++ b/chromium/crypto/BUILD.gn
@@ -39,6 +39,7 @@ component("crypto") {
 "mock_apple_keychain.h",
 "mock_apple_keychain_ios.cc",
 "mock_apple_keychain_mac.cc",
+ "nss_crypto_module_delegate.h",
 "nss_key_util.cc",
 "nss_key_util.h",
 "nss_util.cc",
@@ -68,6 +69,7 @@ component("crypto") {
 "signature_verifier.h",
 "symmetric_key.cc",
 "symmetric_key.h",
+ "wincrypt_shim.h",
 ]
 # TODO(jschuh): crbug.com/167187 fix size_t to int truncations.
diff --git a/chromium/crypto/OWNERS b/chromium/crypto/OWNERS
index 42d0d3b58b3..019db92cacc 100644
--- a/chromium/crypto/OWNERS
+++ b/chromium/crypto/OWNERS
@@ -1,3 +1,5 @@
 agl@chromium.org
 davidben@chromium.org
 rsleevi@chromium.org
+
+# COMPONENT: Internals>Network>SSL
diff --git a/chromium/crypto/ec_private_key.cc b/chromium/crypto/ec_private_key.cc
index 08fd75dec3c..75b86c0c057 100644
--- a/chromium/crypto/ec_private_key.cc
+++ b/chromium/crypto/ec_private_key.cc
@@ -11,52 +11,16 @@
 #include "base/logging.h"
 #include "crypto/openssl_util.h"
-#include "third_party/boringssl/src/include/openssl/bio.h"
 #include "third_party/boringssl/src/include/openssl/bn.h"
 #include "third_party/boringssl/src/include/openssl/bytestring.h"
 #include "third_party/boringssl/src/include/openssl/ec.h"
 #include "third_party/boringssl/src/include/openssl/ec_key.h"
 #include "third_party/boringssl/src/include/openssl/evp.h"
 #include "third_party/boringssl/src/include/openssl/mem.h"
-#include "third_party/boringssl/src/include/openssl/pkcs12.h"
-#include "third_party/boringssl/src/include/openssl/x509.h"
+#include "third_party/boringssl/src/include/openssl/pkcs8.h"
 namespace crypto {
-namespace {
-
-// Function pointer definition, for injecting the required key export function
-// into ExportKeyWithBio, below. |bio| is a temporary memory BIO object, and
-// |key| is a handle to the input key object. Return 1 on success, 0 otherwise.
-// NOTE: Used with OpenSSL functions, which do not comply with the Chromium
-// style guide, hence the unusual parameter placement / types.
-typedef int (*ExportBioFunction)(BIO* bio, const void* key);
-
-// Helper to export |key| into |output| via the specified ExportBioFunction.
-bool ExportKeyWithBio(const void* key,
- ExportBioFunction export_fn,
- std::vector<uint8_t>* output) {
- if (!key)
- return false;
-
- bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
- if (!bio)
- return false;
-
- if (!export_fn(bio.get(), key))
- return false;
-
- const uint8_t* data;
- size_t len;
- if (!BIO_mem_contents(bio.get(), &data, &len))
- return false;
-
- output->assign(data, data + len);
- return true;
-}
-
-} // namespace
-
 ECPrivateKey::~ECPrivateKey() {}
 // static
@@ -97,40 +61,32 @@ std::unique_ptr<ECPrivateKey> ECPrivateKey::CreateFromPrivateKeyInfo(
 std::unique_ptr<ECPrivateKey> ECPrivateKey::CreateFromEncryptedPrivateKeyInfo(
 const std::vector<uint8_t>& encrypted_private_key_info,
 const std::vector<uint8_t>& subject_public_key_info) {
- // NOTE: The |subject_public_key_info| can be ignored here, it is only
- // useful for the NSS implementation (which uses the public key's SHA1
- // as a lookup key when storing the private one in its store).
- if (encrypted_private_key_info.empty())
- return nullptr;
-
+ // TODO(davidben): The |subject_public_key_info| parameter is a remnant of
+ // the NSS implementation. Remove it.
 OpenSSLErrStackTracer err_tracer(FROM_HERE);
- const uint8_t* data = &encrypted_private_key_info[0];
- const uint8_t* ptr = data;
- bssl::UniquePtr<X509_SIG> p8_encrypted(
- d2i_X509_SIG(nullptr, &ptr, encrypted_private_key_info.size()));
- if (!p8_encrypted || ptr != data + encrypted_private_key_info.size())
- return nullptr;
+ CBS cbs;
+ CBS_init(&cbs, encrypted_private_key_info.data(),
+ encrypted_private_key_info.size());
+ bssl::UniquePtr<EVP_PKEY> pkey(
+ PKCS8_parse_encrypted_private_key(&cbs, "", 0));
 // Hack for reading keys generated by an older version of the OpenSSL code.
 // Some implementations encode the empty password as "\0\0" (passwords are
 // normally encoded in big-endian UCS-2 with a NUL terminator) and some
- // encode as the empty string. PKCS8_decrypt distinguishes the two by whether
- // the password is nullptr.
- bssl::UniquePtr<PKCS8_PRIV_KEY_INFO> p8_decrypted(
- PKCS8_decrypt(p8_encrypted.get(), "", 0));
- if (!p8_decrypted)
- p8_decrypted.reset(PKCS8_decrypt(p8_encrypted.get(), nullptr, 0));
-
- if (!p8_decrypted)
- return nullptr;
+ // encode as the empty string. PKCS8_parse_encrypted_private_key
+ // distinguishes the two by whether the password is nullptr.
+ if (!pkey) {
+ CBS_init(&cbs, encrypted_private_key_info.data(),
+ encrypted_private_key_info.size());
+ pkey.reset(PKCS8_parse_encrypted_private_key(&cbs, nullptr, 0));
+ }
- // Create a new EVP_PKEY for it.
- std::unique_ptr<ECPrivateKey> result(new ECPrivateKey());
- result->key_.reset(EVP_PKCS82PKEY(p8_decrypted.get()));
- if (!result->key_ || EVP_PKEY_id(result->key_.get()) != EVP_PKEY_EC)
+ if (!pkey || CBS_len(&cbs) != 0 || EVP_PKEY_id(pkey.get()) != EVP_PKEY_EC)
 return nullptr;
+ std::unique_ptr<ECPrivateKey> result(new ECPrivateKey());
+ result->key_ = std::move(pkey);
 return result;
 }
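Review bot: Both parse attempts in CreateFromEncryptedPrivateKeyInfo use a fixed empty password (`""`, then `nullptr`), so anyone holding the blob can decrypt it, and the new comments explain the retry but not that consequence. The same holds for ExportEncryptedPrivateKey in the @@ -161,25 hunk, which marshals with no password and `1 /* iterations */`. I would add a comment above the first parse along the lines of `// The password is always empty; this encoding gives the key no confidentiality and must not be treated as protection at rest.` The explicit `empty()` early return is also gone, so empty input now relies on the parser rejecting a zero-length CBS; a unit test with an empty vector would pin that behaviour.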
@@ -161,25 +117,26 @@ bool ECPrivateKey::ExportPrivateKey(std::vector<uint8_t>* output) const {
 bool ECPrivateKey::ExportEncryptedPrivateKey(
 std::vector<uint8_t>* output) const {
 OpenSSLErrStackTracer err_tracer(FROM_HERE);
- // Convert into a PKCS#8 object.
- bssl::UniquePtr<PKCS8_PRIV_KEY_INFO> pkcs8(EVP_PKEY2PKCS8(key_.get()));
- if (!pkcs8)
- return false;
 // Encrypt the object.
 // NOTE: NSS uses SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC
 // so use NID_pbe_WithSHA1And3_Key_TripleDES_CBC which should be the OpenSSL
 // equivalent.
- bssl::UniquePtr<X509_SIG> encrypted(
- PKCS8_encrypt(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, nullptr, 0,
- nullptr, 0, 1, pkcs8.get()));
- if (!encrypted)
+ uint8_t* der;
+ size_t der_len;
+ bssl::ScopedCBB cbb;
+ if (!CBB_init(cbb.get(), 0) ||
+ !PKCS8_marshal_encrypted_private_key(
+ cbb.get(), NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
+ nullptr /* cipher */, nullptr /* no password */, 0 /* pass_len */,
+ nullptr /* salt */, 0 /* salt_len */, 1 /* iterations */,
+ key_.get()) ||
+ !CBB_finish(cbb.get(), &der, &der_len)) {
 return false;
-
- // Write it into |*output|
- return ExportKeyWithBio(encrypted.get(),
- reinterpret_cast<ExportBioFunction>(i2d_PKCS8_bio),
- output);
+ }
+ output->assign(der, der + der_len);
+ OPENSSL_free(der);
+ return true;
 }
 bool ECPrivateKey::ExportPublicKey(std::vector<uint8_t>* output) const {
diff --git a/chromium/crypto/nss_util.cc b/chromium/crypto/nss_util.cc
index 35865679007..5ed2fa06740 100644
--- a/chromium/crypto/nss_util.cc
+++ b/chromium/crypto/nss_util.cc
@@ -172,7 +172,7 @@ void UseLocalCacheOfNSSDatabaseIfNFS(const base::FilePath& database_dir) {
 // singleton.
 class NSPRInitSingleton {
 private:
- friend struct base::DefaultLazyInstanceTraits<NSPRInitSingleton>;
+ friend struct base::LazyInstanceTraitsBase<NSPRInitSingleton>;
 NSPRInitSingleton() {
 PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
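Review bot: In ExportEncryptedPrivateKey, `der` is a raw owning pointer from `CBB_finish` until the manual `OPENSSL_free(der)`, and both `der` and `der_len` are declared uninitialised. Handing the buffer to a scoped owner right after the `if` block, e.g. `bssl::UniquePtr<uint8_t> scoped_der(der);` (assuming BoringSSL's uint8_t deleter is available in this tree), removes the manual free and keeps the buffer from leaking if a later edit adds an early return. Initialising the declarations as `uint8_t* der = nullptr;` and `size_t der_len = 0;` would also make the failure path unambiguous.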
@@ -657,7 +657,7 @@ class NSSInitSingleton {
 }
 private:
- friend struct base::DefaultLazyInstanceTraits<NSSInitSingleton>;
+ friend struct base::LazyInstanceTraitsBase<NSSInitSingleton>;
 NSSInitSingleton()
 : tpm_token_enabled_for_nss_(false),
diff --git a/chromium/crypto/openssl_util.cc b/chromium/crypto/openssl_util.cc
index 0d044c76d4f..65be615a505 100644
--- a/chromium/crypto/openssl_util.cc
+++ b/chromium/crypto/openssl_util.cc
@@ -40,7 +40,7 @@ void EnsureOpenSSLInit() {
 }
 void ClearOpenSSLERRStack(const tracked_objects::Location& location) {
- if (logging::DEBUG_MODE && VLOG_IS_ON(1)) {
+ if (DCHECK_IS_ON() && VLOG_IS_ON(1)) {
 uint32_t error_num = ERR_peek_error();
 if (error_num == 0)
 return;
diff --git a/chromium/crypto/signature_verifier.cc b/chromium/crypto/signature_verifier.cc
index 852f822fcc6..2a9f0879729 100644
--- a/chromium/crypto/signature_verifier.cc
+++ b/chromium/crypto/signature_verifier.cc
@@ -10,6 +10,7 @@
 #include <vector>
 #include "base/logging.h"
+#include "base/numerics/safe_conversions.h"
 #include "crypto/openssl_util.h"
 #include "third_party/boringssl/src/include/openssl/bytestring.h"
 #include "third_party/boringssl/src/include/openssl/digest.h"
@@ -42,9 +43,9 @@ SignatureVerifier::~SignatureVerifier() {}
 bool SignatureVerifier::VerifyInit(SignatureAlgorithm signature_algorithm,
 const uint8_t* signature,
- int signature_len,
+ size_t signature_len,
 const uint8_t* public_key_info,
- int public_key_info_len) {
+ size_t public_key_info_len) {
 int pkey_type = EVP_PKEY_NONE;
 const EVP_MD* digest = nullptr;
 switch (signature_algorithm) {
@@ -70,11 +71,11 @@ bool SignatureVerifier::VerifyInit(SignatureAlgorithm signature_algorithm,
 bool SignatureVerifier::VerifyInitRSAPSS(HashAlgorithm hash_alg,
 HashAlgorithm mask_hash_alg,
- int salt_len,
+ size_t salt_len,
 const uint8_t* signature,
- int signature_len,
+ size_t signature_len,
 const uint8_t* public_key_info,
- int public_key_info_len) {
+ size_t public_key_info_len) {
 OpenSSLErrStackTracer err_tracer(FROM_HERE);
 const EVP_MD* const digest = ToOpenSSLDigest(hash_alg);
 DCHECK(digest);
@@ -97,15 +98,16 @@ bool SignatureVerifier::VerifyInitRSAPSS(HashAlgorithm hash_alg,
 return false;
 }
 return EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf_digest) &&
- EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, salt_len);
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx,
+ base::checked_cast<int>(salt_len));
 }
 void SignatureVerifier::VerifyUpdate(const uint8_t* data_part,
- int data_part_len) {
+ size_t data_part_len) {
 DCHECK(verify_context_);
 OpenSSLErrStackTracer err_tracer(FROM_HERE);
- int rv = EVP_DigestVerifyUpdate(verify_context_->ctx.get(),
- data_part, data_part_len);
+ int rv = EVP_DigestVerifyUpdate(verify_context_->ctx.get(), data_part,
+ data_part_len);
 DCHECK_EQ(rv, 1);
 }
@@ -122,9 +124,9 @@ bool SignatureVerifier::VerifyFinal() {
 bool SignatureVerifier::CommonInit(int pkey_type,
 const EVP_MD* digest,
 const uint8_t* signature,
- int signature_len,
+ size_t signature_len,
 const uint8_t* public_key_info,
- int public_key_info_len,
+ size_t public_key_info_len,
 EVP_PKEY_CTX** pkey_ctx) {
 if (verify_context_)
 return false;
diff --git a/chromium/crypto/signature_verifier.h b/chromium/crypto/signature_verifier.h
index f1ea58062cf..e9d5fe7b2ba 100644
--- a/chromium/crypto/signature_verifier.h
+++ b/chromium/crypto/signature_verifier.h
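Review bot: `base::checked_cast<int>(salt_len)` at the end of VerifyInitRSAPSS aborts the process when `salt_len` does not fit in an int, whereas the failure path visible just above it returns false. If the salt length can originate from parsed, untrusted parameters (not visible in this hunk), an oversized value becomes a crash instead of a rejected signature. I would guard it with `if (!base::IsValueInRangeForNumericType<int>(salt_len)) return false;` before the final `return` and pass `static_cast<int>(salt_len)` afterwards. The declaration in signature_verifier.h (@@ -76,14 hunk) should document the upper bound on `salt_len` as well. The function body starts outside this hunk.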
@@ -54,9 +54,9 @@ class CRYPTO_EXPORT SignatureVerifier {
 // subjectPublicKey BIT STRING }
 bool VerifyInit(SignatureAlgorithm signature_algorithm,
 const uint8_t* signature,
- int signature_len,
+ size_t signature_len,
 const uint8_t* public_key_info,
- int public_key_info_len);
+ size_t public_key_info_len);
 // Initiates a RSA-PSS signature verification operation. This should be
 // followed by one or more VerifyUpdate calls and a VerifyFinal call.
@@ -76,14 +76,14 @@ class CRYPTO_EXPORT SignatureVerifier {
 // subjectPublicKey BIT STRING }
 bool VerifyInitRSAPSS(HashAlgorithm hash_alg,
 HashAlgorithm mask_hash_alg,
- int salt_len,
+ size_t salt_len,
 const uint8_t* signature,
- int signature_len,
+ size_t signature_len,
 const uint8_t* public_key_info,
- int public_key_info_len);
+ size_t public_key_info_len);
 // Feeds a piece of the data to the signature verifier.
- void VerifyUpdate(const uint8_t* data_part, int data_part_len);
+ void VerifyUpdate(const uint8_t* data_part, size_t data_part_len);
 // Concludes a signature verification operation. Returns true if the
 // signature is valid. Returns false if the signature is invalid or an
@@ -94,9 +94,9 @@ class CRYPTO_EXPORT SignatureVerifier {
 bool CommonInit(int pkey_type,
 const EVP_MD* digest,
 const uint8_t* signature,
- int signature_len,
+ size_t signature_len,
 const uint8_t* public_key_info,
- int public_key_info_len,
+ size_t public_key_info_len,
 EVP_PKEY_CTX** pkey_ctx);
 void Reset(); |