diff options
author | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2015-10-13 13:24:50 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2015-10-14 10:57:25 +0000 |
commit | af3d4809763ef308f08ced947a73b624729ac7ea (patch) | |
tree | 4402b911e30383f6c6dace1e8cf3b8e85355db3a /chromium/crypto | |
parent | 0e8ff63a407fe323e215bb1a2c423c09a4747c8a (diff) | |
download | qtwebengine-chromium-af3d4809763ef308f08ced947a73b624729ac7ea.tar.gz |
BASELINE: Update Chromium to 47.0.2526.14
Also adding in sources needed for spellchecking.
Change-Id: Idd44170fa1616f26315188970a8d5ba7d472b18a
Reviewed-by: Michael BrĂ¼ning <michael.bruning@theqtcompany.com>
Diffstat (limited to 'chromium/crypto')
-rw-r--r-- | chromium/crypto/BUILD.gn | 353 | ||||
-rw-r--r-- | chromium/crypto/OWNERS | 1 | ||||
-rw-r--r-- | chromium/crypto/aes_128_gcm_helpers_nss.cc | 374 | ||||
-rw-r--r-- | chromium/crypto/aes_128_gcm_helpers_nss.h | 48 | ||||
-rw-r--r-- | chromium/crypto/aes_128_gcm_helpers_nss_unittest.cc | 580 | ||||
-rw-r--r-- | chromium/crypto/capi_util.cc | 6 | ||||
-rw-r--r-- | chromium/crypto/crypto.gyp | 10 | ||||
-rw-r--r-- | chromium/crypto/crypto.gypi | 2 | ||||
-rw-r--r-- | chromium/crypto/crypto_unittests.isolate | 2 | ||||
-rw-r--r-- | chromium/crypto/cssm_init.cc | 6 | ||||
-rw-r--r-- | chromium/crypto/ec_private_key_openssl.cc | 3 | ||||
-rw-r--r-- | chromium/crypto/encryptor.h | 5 | ||||
-rw-r--r-- | chromium/crypto/mac_security_services_lock.cc | 7 | ||||
-rw-r--r-- | chromium/crypto/nss_util.cc | 88 | ||||
-rw-r--r-- | chromium/crypto/nss_util.h | 48 | ||||
-rw-r--r-- | chromium/crypto/openssl_util.cc | 7 | ||||
-rw-r--r-- | chromium/crypto/rsa_private_key.h | 29 | ||||
-rw-r--r-- | chromium/crypto/symmetric_key_unittest.cc | 2 | ||||
-rw-r--r-- | chromium/crypto/symmetric_key_win.cc | 2 |
19 files changed, 203 insertions, 1370 deletions
diff --git a/chromium/crypto/BUILD.gn b/chromium/crypto/BUILD.gn index c39a8db934e..bf03af74885 100644 --- a/chromium/crypto/BUILD.gn +++ b/chromium/crypto/BUILD.gn @@ -5,203 +5,190 @@ import("//build/config/crypto.gni") import("//testing/test.gni") -if (is_nacl) { - component("crypto") { - output_name = "crcrypto" # Avoid colliding with OpenSSL's libcrypto. - sources = [ - "random.cc", - "random.h", +component("crypto") { + output_name = "crcrypto" # Avoid colliding with OpenSSL's libcrypto. + sources = [ + "aead_openssl.cc", + "aead_openssl.h", + "apple_keychain.h", + "apple_keychain_ios.mm", + "apple_keychain_mac.mm", + "capi_util.cc", + "capi_util.h", + "crypto_export.h", + "cssm_init.cc", + "cssm_init.h", + "curve25519-donna.c", + "curve25519.cc", + "curve25519.h", + "ec_private_key.h", + "ec_private_key_nss.cc", + "ec_private_key_openssl.cc", + "ec_signature_creator.cc", + "ec_signature_creator.h", + "ec_signature_creator_impl.h", + "ec_signature_creator_nss.cc", + "ec_signature_creator_openssl.cc", + "encryptor.cc", + "encryptor.h", + "encryptor_nss.cc", + "encryptor_openssl.cc", + "ghash.cc", + "ghash.h", + "hkdf.cc", + "hkdf.h", + "hmac.cc", + "hmac.h", + "hmac_nss.cc", + "hmac_openssl.cc", + "mac_security_services_lock.cc", + "mac_security_services_lock.h", + + # TODO(brettw) these mocks should be moved to a test_support_crypto target + # if possible. + "mock_apple_keychain.cc", + "mock_apple_keychain.h", + "mock_apple_keychain_ios.cc", + "mock_apple_keychain_mac.cc", + "nss_key_util.cc", + "nss_key_util.h", + "nss_util.cc", + "nss_util.h", + "nss_util_internal.h", + "openssl_bio_string.cc", + "openssl_bio_string.h", + "openssl_util.cc", + "openssl_util.h", + "p224.cc", + "p224.h", + "p224_spake.cc", + "p224_spake.h", + "random.cc", + "random.h", + "rsa_private_key.cc", + "rsa_private_key.h", + "rsa_private_key_nss.cc", + "rsa_private_key_openssl.cc", + "scoped_capi_types.h", + "scoped_nss_types.h", + "secure_hash.h", + "secure_hash_default.cc", + "secure_hash_openssl.cc", + "secure_util.cc", + "secure_util.h", + "sha2.cc", + "sha2.h", + "signature_creator.h", + "signature_creator_nss.cc", + "signature_creator_openssl.cc", + "signature_verifier.h", + "signature_verifier_nss.cc", + "signature_verifier_openssl.cc", + "symmetric_key.h", + "symmetric_key_nss.cc", + "symmetric_key_openssl.cc", + "third_party/nss/chromium-blapi.h", + "third_party/nss/chromium-blapit.h", + "third_party/nss/chromium-nss.h", + "third_party/nss/chromium-sha256.h", + "third_party/nss/pk11akey.cc", + "third_party/nss/rsawrapr.c", + "third_party/nss/secsign.cc", + "third_party/nss/sha512.cc", + ] + + # TODO(jschuh): crbug.com/167187 fix size_t to int truncations. + configs += [ "//build/config/compiler:no_size_t_to_int_warning" ] + + deps = [ + ":platform", + "//base", + "//base/third_party/dynamic_annotations", + ] + + if (!is_mac && !is_ios) { + sources -= [ + "apple_keychain.h", + "mock_apple_keychain.cc", + "mock_apple_keychain.h", ] - deps = [ - "//base", + } + + if (!is_mac) { + sources -= [ + "cssm_init.cc", + "cssm_init.h", + "mac_security_services_lock.cc", + "mac_security_services_lock.h", ] } -} else { - component("crypto") { - output_name = "crcrypto" # Avoid colliding with OpenSSL's libcrypto. - sources = [ - "aead_openssl.cc", - "aead_openssl.h", - "aes_128_gcm_helpers_nss.cc", - "aes_128_gcm_helpers_nss.h", - "apple_keychain.h", - "apple_keychain_ios.mm", - "apple_keychain_mac.mm", + if (!is_win) { + sources -= [ "capi_util.cc", "capi_util.h", - "crypto_export.h", - "cssm_init.cc", - "cssm_init.h", - "curve25519-donna.c", - "curve25519.cc", - "curve25519.h", - "ec_private_key.h", + ] + } + + if (is_android) { + deps += [ "//third_party/android_tools:cpu_features" ] + } + + if (use_openssl) { + # Remove NSS files when using OpenSSL + sources -= [ "ec_private_key_nss.cc", - "ec_private_key_openssl.cc", - "ec_signature_creator.cc", - "ec_signature_creator.h", - "ec_signature_creator_impl.h", "ec_signature_creator_nss.cc", - "ec_signature_creator_openssl.cc", - "encryptor.cc", - "encryptor.h", "encryptor_nss.cc", - "encryptor_openssl.cc", - "ghash.cc", - "ghash.h", - "hkdf.cc", - "hkdf.h", - "hmac.cc", - "hmac.h", "hmac_nss.cc", - "hmac_openssl.cc", - "mac_security_services_lock.cc", - "mac_security_services_lock.h", - - # TODO(brettw) these mocks should be moved to a test_support_crypto target - # if possible. - "mock_apple_keychain.cc", - "mock_apple_keychain.h", - "mock_apple_keychain_ios.cc", - "mock_apple_keychain_mac.cc", - "nss_key_util.cc", - "nss_key_util.h", - "nss_util.cc", - "nss_util.h", - "nss_util_internal.h", - "openssl_bio_string.cc", - "openssl_bio_string.h", - "openssl_util.cc", - "openssl_util.h", - "p224.cc", - "p224.h", - "p224_spake.cc", - "p224_spake.h", - "random.cc", - "random.h", - "rsa_private_key.cc", - "rsa_private_key.h", "rsa_private_key_nss.cc", - "rsa_private_key_openssl.cc", - "scoped_capi_types.h", - "scoped_nss_types.h", - "secure_hash.h", "secure_hash_default.cc", - "secure_hash_openssl.cc", - "secure_util.cc", - "secure_util.h", - "sha2.cc", - "sha2.h", - "signature_creator.h", "signature_creator_nss.cc", - "signature_creator_openssl.cc", - "signature_verifier.h", "signature_verifier_nss.cc", - "signature_verifier_openssl.cc", - "symmetric_key.h", "symmetric_key_nss.cc", - "symmetric_key_openssl.cc", "third_party/nss/chromium-blapi.h", "third_party/nss/chromium-blapit.h", "third_party/nss/chromium-nss.h", - "third_party/nss/chromium-sha256.h", "third_party/nss/pk11akey.cc", "third_party/nss/rsawrapr.c", "third_party/nss/secsign.cc", - "third_party/nss/sha512.cc", ] - - # TODO(jschuh): crbug.com/167187 fix size_t to int truncations. - configs += [ "//build/config/compiler:no_size_t_to_int_warning" ] - - deps = [ - ":platform", - "//base", - "//base/third_party/dynamic_annotations", + } else { + # Remove OpenSSL when using NSS. + sources -= [ + "aead_openssl.cc", + "aead_openssl.h", + "ec_private_key_openssl.cc", + "ec_signature_creator_openssl.cc", + "encryptor_openssl.cc", + "hmac_openssl.cc", + "openssl_bio_string.cc", + "openssl_bio_string.h", + "openssl_util.cc", + "openssl_util.h", + "rsa_private_key_openssl.cc", + "secure_hash_openssl.cc", + "signature_creator_openssl.cc", + "signature_verifier_openssl.cc", + "symmetric_key_openssl.cc", ] + } - if (!is_mac && !is_ios) { - sources -= [ - "apple_keychain.h", - "mock_apple_keychain.cc", - "mock_apple_keychain.h", - ] - } - - if (!is_mac) { - sources -= [ - "cssm_init.cc", - "cssm_init.h", - "mac_security_services_lock.cc", - "mac_security_services_lock.h", - ] - } - if (!is_win) { - sources -= [ - "capi_util.cc", - "capi_util.h", - ] - } - - if (is_android) { - deps += [ "//third_party/android_tools:cpu_features" ] - } - - if (use_openssl) { - # Remove NSS files when using OpenSSL - sources -= [ - "aes_128_gcm_helpers_nss.cc", - "aes_128_gcm_helpers_nss.h", - "ec_private_key_nss.cc", - "ec_signature_creator_nss.cc", - "encryptor_nss.cc", - "hmac_nss.cc", - "rsa_private_key_nss.cc", - "secure_hash_default.cc", - "signature_creator_nss.cc", - "signature_verifier_nss.cc", - "symmetric_key_nss.cc", - "third_party/nss/chromium-blapi.h", - "third_party/nss/chromium-blapit.h", - "third_party/nss/chromium-nss.h", - "third_party/nss/pk11akey.cc", - "third_party/nss/rsawrapr.c", - "third_party/nss/secsign.cc", - ] - } else { - # Remove OpenSSL when using NSS. - sources -= [ - "aead_openssl.cc", - "aead_openssl.h", - "ec_private_key_openssl.cc", - "ec_signature_creator_openssl.cc", - "encryptor_openssl.cc", - "hmac_openssl.cc", - "openssl_bio_string.cc", - "openssl_bio_string.h", - "openssl_util.cc", - "openssl_util.h", - "rsa_private_key_openssl.cc", - "secure_hash_openssl.cc", - "signature_creator_openssl.cc", - "signature_verifier_openssl.cc", - "symmetric_key_openssl.cc", - ] - } + # Some files are built when NSS is used at all, either for the internal crypto + # library or the platform certificate library. + if (use_openssl && !use_nss_certs) { + sources -= [ + "nss_key_util.cc", + "nss_key_util.h", + "nss_util.cc", + "nss_util.h", + "nss_util_internal.h", + ] + } - # Some files are built when NSS is used at all, either for the internal crypto - # library or the platform certificate library. - if (use_openssl && !use_nss_certs) { - sources -= [ - "nss_key_util.cc", - "nss_key_util.h", - "nss_util.cc", - "nss_util.h", - "nss_util_internal.h", - ] - } + defines = [ "CRYPTO_IMPLEMENTATION" ] - defines = [ "CRYPTO_IMPLEMENTATION" ] + if (is_nacl) { + deps += [ "//native_client_sdk/src/libraries/nacl_io" ] } } @@ -237,10 +224,18 @@ if (false && is_win) { } } +# TODO(GYP): Delete this after we've converted everything to GN. +# The _run targets exist only for compatibility w/ GYP. +group("crypto_unittests_run") { + testonly = true + deps = [ + ":crypto_unittests", + ] +} + test("crypto_unittests") { sources = [ - # Tests. - "aes_128_gcm_helpers_nss_unittest.cc", + "aead_openssl_unittest.cc", "curve25519_unittest.cc", "ec_private_key_unittest.cc", "ec_signature_creator_unittest.cc", @@ -271,9 +266,7 @@ test("crypto_unittests") { ] } - if (use_openssl) { - sources -= [ "aes_128_gcm_helpers_nss_unittest.cc" ] - } else { + if (!use_openssl) { sources -= [ "openssl_bio_string_unittest.cc" ] } @@ -336,11 +329,11 @@ config("platform_config") { # on the current SSL library should just depend on this. group("platform") { if (use_openssl) { - deps = [ + public_deps = [ "//third_party/boringssl", ] } else { - deps = [ + public_deps = [ "//net/third_party/nss/ssl:libssl", ] } @@ -365,7 +358,7 @@ group("platform") { public_configs += [ "//third_party/nss:system_nss_no_ssl_config" ] } else { # Non-Linux platforms use the hermetic NSS from the tree. - deps += [ + public_deps += [ "//third_party/nss:nspr", "//third_party/nss:nss", ] diff --git a/chromium/crypto/OWNERS b/chromium/crypto/OWNERS index 3ba4dd39e25..42d0d3b58b3 100644 --- a/chromium/crypto/OWNERS +++ b/chromium/crypto/OWNERS @@ -1,4 +1,3 @@ agl@chromium.org davidben@chromium.org rsleevi@chromium.org -rvargas@chromium.org diff --git a/chromium/crypto/aes_128_gcm_helpers_nss.cc b/chromium/crypto/aes_128_gcm_helpers_nss.cc deleted file mode 100644 index 621f28b586f..00000000000 --- a/chromium/crypto/aes_128_gcm_helpers_nss.cc +++ /dev/null @@ -1,374 +0,0 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "crypto/aes_128_gcm_helpers_nss.h" - -#include <pkcs11t.h> -#include <seccomon.h> - -#include "base/lazy_instance.h" -#include "base/macros.h" -#include "crypto/ghash.h" -#include "crypto/scoped_nss_types.h" - -#if defined(USE_NSS_CERTS) -#include <dlfcn.h> -#endif - -namespace crypto { -namespace { - -// Declaration of the prototype both PK11_Decrypt and PK11_Encrypt follow. -using PK11_TransformFunction = SECStatus(PK11SymKey* symKey, - CK_MECHANISM_TYPE mechanism, - SECItem* param, - unsigned char* out, - unsigned int* outLen, - unsigned int maxLen, - const unsigned char* data, - unsigned int dataLen); - -// On Linux, dynamically link against the system version of libnss3.so. In -// order to continue working on systems without up-to-date versions of NSS, -// lookup PK11_Decrypt and PK11_Encrypt with dlsym. -// -// GcmSupportChecker is a singleton which caches the results of runtime symbol -// resolution of these symbols. -class GcmSupportChecker { - public: - PK11_TransformFunction* pk11_decrypt_func() { return pk11_decrypt_func_; } - - PK11_TransformFunction* pk11_encrypt_func() { return pk11_encrypt_func_; } - - private: - friend struct base::DefaultLazyInstanceTraits<GcmSupportChecker>; - - GcmSupportChecker() { -#if !defined(USE_NSS_CERTS) - // Using a bundled version of NSS that is guaranteed to have these symbols. - pk11_decrypt_func_ = PK11_Decrypt; - pk11_encrypt_func_ = PK11_Encrypt; -#else - // Using system NSS libraries and PCKS #11 modules, which may not have the - // necessary functions (PK11_Decrypt and PK11_Encrypt) or mechanism support - // (CKM_AES_GCM). - - // If PK11_Decrypt() and PK11_Encrypt() were successfully resolved, then NSS - // will support AES-GCM directly. This was introduced in NSS 3.15. - pk11_decrypt_func_ = reinterpret_cast<PK11_TransformFunction*>( - dlsym(RTLD_DEFAULT, "PK11_Decrypt")); - pk11_encrypt_func_ = reinterpret_cast<PK11_TransformFunction*>( - dlsym(RTLD_DEFAULT, "PK11_Encrypt")); -#endif - } - - ~GcmSupportChecker() {} - - // |pk11_decrypt_func_| stores the runtime symbol resolution of PK11_Decrypt. - PK11_TransformFunction* pk11_decrypt_func_; - - // |pk11_encrypt_func_| stores the runtime symbol resolution of PK11_Encrypt. - PK11_TransformFunction* pk11_encrypt_func_; - - DISALLOW_COPY_AND_ASSIGN(GcmSupportChecker); -}; - -base::LazyInstance<GcmSupportChecker>::Leaky g_gcm_support_checker = - LAZY_INSTANCE_INITIALIZER; - -} // namespace - -// Calls PK11_Decrypt if it's available. Otherwise, emulates CKM_AES_GCM using -// CKM_AES_CTR and the GaloisHash class. -SECStatus PK11DecryptHelper(PK11SymKey* key, - CK_MECHANISM_TYPE mechanism, - SECItem* param, - unsigned char* out, - unsigned int* out_len, - unsigned int max_len, - const unsigned char* data, - unsigned int data_len) { - // If PK11_Decrypt() was successfully resolved or if bundled version of NSS is - // being used, then NSS will support AES-GCM directly. - PK11_TransformFunction* pk11_decrypt_func = - g_gcm_support_checker.Get().pk11_decrypt_func(); - - if (pk11_decrypt_func != nullptr) { - return pk11_decrypt_func(key, mechanism, param, out, out_len, max_len, data, - data_len); - } - - // Otherwise, the user has an older version of NSS. Regrettably, NSS 3.14.x - // has a bug in the AES GCM code - // (https://bugzilla.mozilla.org/show_bug.cgi?id=853285), as well as missing - // the PK11_Decrypt function - // (https://bugzilla.mozilla.org/show_bug.cgi?id=854063), both of which are - // resolved in NSS 3.15. - - CHECK_EQ(mechanism, static_cast<CK_MECHANISM_TYPE>(CKM_AES_GCM)); - CHECK_EQ(param->len, sizeof(CK_GCM_PARAMS)); - - const CK_GCM_PARAMS* gcm_params = - reinterpret_cast<CK_GCM_PARAMS*>(param->data); - - const CK_ULONG auth_tag_size = gcm_params->ulTagBits / 8; - - if (gcm_params->ulIvLen != 12u) { - DVLOG(1) << "ulIvLen is not equal to 12"; - PORT_SetError(SEC_ERROR_INPUT_LEN); - return SECFailure; - } - - SECItem my_param = {siBuffer, nullptr, 0}; - - // Step 2. Let H = CIPH_K(128 '0' bits). - unsigned char ghash_key[16] = {0}; - crypto::ScopedPK11Context ctx( - PK11_CreateContextBySymKey(CKM_AES_ECB, CKA_ENCRYPT, key, &my_param)); - if (!ctx) { - DVLOG(1) << "PK11_CreateContextBySymKey failed"; - return SECFailure; - } - int output_len; - if (PK11_CipherOp(ctx.get(), ghash_key, &output_len, sizeof(ghash_key), - ghash_key, sizeof(ghash_key)) != SECSuccess) { - DVLOG(1) << "PK11_CipherOp failed"; - return SECFailure; - } - - if (PK11_Finalize(ctx.get()) != SECSuccess) { - DVLOG(1) << "PK11_Finalize failed"; - return SECFailure; - } - - if (output_len != sizeof(ghash_key)) { - DVLOG(1) << "Wrong output length"; - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; - } - - // Step 3. If len(IV)=96, then let J0 = IV || 31 '0' bits || 1. - CK_AES_CTR_PARAMS ctr_params = {0}; - ctr_params.ulCounterBits = 32; - memcpy(ctr_params.cb, gcm_params->pIv, gcm_params->ulIvLen); - ctr_params.cb[12] = 0; - ctr_params.cb[13] = 0; - ctr_params.cb[14] = 0; - ctr_params.cb[15] = 1; - - my_param.type = siBuffer; - my_param.data = reinterpret_cast<unsigned char*>(&ctr_params); - my_param.len = sizeof(ctr_params); - - ctx.reset( - PK11_CreateContextBySymKey(CKM_AES_CTR, CKA_ENCRYPT, key, &my_param)); - if (!ctx) { - DVLOG(1) << "PK11_CreateContextBySymKey failed"; - return SECFailure; - } - - // Step 6. Calculate the encryption mask of GCTR_K(J0, ...). - unsigned char tag_mask[16] = {0}; - if (PK11_CipherOp(ctx.get(), tag_mask, &output_len, sizeof(tag_mask), - tag_mask, sizeof(tag_mask)) != SECSuccess) { - DVLOG(1) << "PK11_CipherOp failed"; - return SECFailure; - } - if (output_len != sizeof(tag_mask)) { - DVLOG(1) << "Wrong output length"; - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; - } - - if (data_len < auth_tag_size) { - PORT_SetError(SEC_ERROR_INPUT_LEN); - return SECFailure; - } - - // The const_cast for |data| can be removed if system NSS libraries are - // NSS 3.14.1 or later (NSS bug - // https://bugzilla.mozilla.org/show_bug.cgi?id=808218). - if (PK11_CipherOp(ctx.get(), out, &output_len, max_len, - const_cast<unsigned char*>(data), - data_len - auth_tag_size) != SECSuccess) { - DVLOG(1) << "PK11_CipherOp failed"; - return SECFailure; - } - - if (PK11_Finalize(ctx.get()) != SECSuccess) { - DVLOG(1) << "PK11_Finalize failed"; - return SECFailure; - } - - if (static_cast<unsigned int>(output_len) != data_len - auth_tag_size) { - DVLOG(1) << "Wrong output length"; - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; - } - - crypto::GaloisHash ghash(ghash_key); - ghash.UpdateAdditional(gcm_params->pAAD, gcm_params->ulAADLen); - ghash.UpdateCiphertext(data, output_len); - unsigned char auth_tag[auth_tag_size]; - ghash.Finish(auth_tag, auth_tag_size); - for (unsigned int i = 0; i < auth_tag_size; i++) { - auth_tag[i] ^= tag_mask[i]; - } - - if (NSS_SecureMemcmp(auth_tag, data + output_len, auth_tag_size) != 0) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return SECFailure; - } - - *out_len = output_len; - return SECSuccess; -} - -// Calls PK11_Encrypt if it's available. Otherwise, emulates CKM_AES_GCM using -// CKM_AES_CTR and the GaloisHash class. -SECStatus PK11EncryptHelper(PK11SymKey* key, - CK_MECHANISM_TYPE mechanism, - SECItem* param, - unsigned char* out, - unsigned int* out_len, - unsigned int max_len, - const unsigned char* data, - unsigned int data_len) { - // If PK11_Encrypt() was successfully resolved or if bundled version of NSS is - // being used, then NSS will support AES-GCM directly. - PK11_TransformFunction* pk11_encrypt_func = - g_gcm_support_checker.Get().pk11_encrypt_func(); - - if (pk11_encrypt_func != nullptr) { - return pk11_encrypt_func(key, mechanism, param, out, out_len, max_len, data, - data_len); - } - - // Otherwise, the user has an older version of NSS. Regrettably, NSS 3.14.x - // has a bug in the AES GCM code - // (https://bugzilla.mozilla.org/show_bug.cgi?id=853285), as well as missing - // the PK11_Encrypt function - // (https://bugzilla.mozilla.org/show_bug.cgi?id=854063), both of which are - // resolved in NSS 3.15. - - CHECK_EQ(mechanism, static_cast<CK_MECHANISM_TYPE>(CKM_AES_GCM)); - CHECK_EQ(param->len, sizeof(CK_GCM_PARAMS)); - - const CK_GCM_PARAMS* gcm_params = - reinterpret_cast<CK_GCM_PARAMS*>(param->data); - - const CK_ULONG auth_tag_size = gcm_params->ulTagBits / 8; - - if (max_len < auth_tag_size) { - DVLOG(1) << "max_len is less than kAuthTagSize"; - PORT_SetError(SEC_ERROR_OUTPUT_LEN); - return SECFailure; - } - - if (gcm_params->ulIvLen != 12u) { - DVLOG(1) << "ulIvLen is not equal to 12"; - PORT_SetError(SEC_ERROR_INPUT_LEN); - return SECFailure; - } - - SECItem my_param = {siBuffer, nullptr, 0}; - - // Step 1. Let H = CIPH_K(128 '0' bits). - unsigned char ghash_key[16] = {0}; - crypto::ScopedPK11Context ctx( - PK11_CreateContextBySymKey(CKM_AES_ECB, CKA_ENCRYPT, key, &my_param)); - if (!ctx) { - DVLOG(1) << "PK11_CreateContextBySymKey failed"; - return SECFailure; - } - int output_len; - if (PK11_CipherOp(ctx.get(), ghash_key, &output_len, sizeof(ghash_key), - ghash_key, sizeof(ghash_key)) != SECSuccess) { - DVLOG(1) << "PK11_CipherOp failed"; - return SECFailure; - } - - if (PK11_Finalize(ctx.get()) != SECSuccess) { - DVLOG(1) << "PK11_Finalize failed"; - return SECFailure; - } - - if (output_len != sizeof(ghash_key)) { - DVLOG(1) << "Wrong output length"; - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; - } - - // Step 2. If len(IV)=96, then let J0 = IV || 31 '0' bits || 1. - CK_AES_CTR_PARAMS ctr_params = {0}; - ctr_params.ulCounterBits = 32; - memcpy(ctr_params.cb, gcm_params->pIv, gcm_params->ulIvLen); - ctr_params.cb[12] = 0; - ctr_params.cb[13] = 0; - ctr_params.cb[14] = 0; - ctr_params.cb[15] = 1; - - my_param.type = siBuffer; - my_param.data = reinterpret_cast<unsigned char*>(&ctr_params); - my_param.len = sizeof(ctr_params); - - ctx.reset( - PK11_CreateContextBySymKey(CKM_AES_CTR, CKA_ENCRYPT, key, &my_param)); - if (!ctx) { - DVLOG(1) << "PK11_CreateContextBySymKey failed"; - return SECFailure; - } - - // Step 6. Calculate the encryption mask of GCTR_K(J0, ...). - unsigned char tag_mask[16] = {0}; - if (PK11_CipherOp(ctx.get(), tag_mask, &output_len, sizeof(tag_mask), - tag_mask, sizeof(tag_mask)) != SECSuccess) { - DVLOG(1) << "PK11_CipherOp failed"; - return SECFailure; - } - if (output_len != sizeof(tag_mask)) { - DVLOG(1) << "Wrong output length"; - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; - } - - // The const_cast for |data| can be removed if system NSS libraries are - // NSS 3.14.1 or later (NSS bug - // https://bugzilla.mozilla.org/show_bug.cgi?id=808218). - if (PK11_CipherOp(ctx.get(), out, &output_len, max_len, - const_cast<unsigned char*>(data), data_len) != SECSuccess) { - DVLOG(1) << "PK11_CipherOp failed"; - return SECFailure; - } - - if (PK11_Finalize(ctx.get()) != SECSuccess) { - DVLOG(1) << "PK11_Finalize failed"; - return SECFailure; - } - - if (static_cast<unsigned int>(output_len) != data_len) { - DVLOG(1) << "Wrong output length"; - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; - } - - if ((max_len - auth_tag_size) < static_cast<unsigned int>(output_len)) { - DVLOG(1) << "(max_len - kAuthTagSize) is less than output_len"; - PORT_SetError(SEC_ERROR_OUTPUT_LEN); - return SECFailure; - } - - crypto::GaloisHash ghash(ghash_key); - ghash.UpdateAdditional(gcm_params->pAAD, gcm_params->ulAADLen); - ghash.UpdateCiphertext(out, output_len); - ghash.Finish(out + output_len, auth_tag_size); - for (unsigned int i = 0; i < auth_tag_size; i++) { - out[output_len + i] ^= tag_mask[i]; - } - - *out_len = output_len + auth_tag_size; - return SECSuccess; -} - -} // namespace crypto diff --git a/chromium/crypto/aes_128_gcm_helpers_nss.h b/chromium/crypto/aes_128_gcm_helpers_nss.h deleted file mode 100644 index dadc56e0f0d..00000000000 --- a/chromium/crypto/aes_128_gcm_helpers_nss.h +++ /dev/null @@ -1,48 +0,0 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef CRYPTO_AES_128_GCM_HELPERS_NSS_H_ -#define CRYPTO_AES_128_GCM_HELPERS_NSS_H_ - -#include <pk11pub.h> -#include <secerr.h> - -#include "crypto/crypto_export.h" - -namespace crypto { - -// When using the CKM_AES_GCM mechanism, one must consider that the mechanism -// had a bug in NSS 3.14.x (https://bugzilla.mozilla.org/show_bug.cgi?id=853285) -// which also lacks the PK11_Decrypt and PK11_Encrypt functions. -// (https://bugzilla.mozilla.org/show_bug.cgi?id=854063) -// -// While both these bugs were resolved in NSS 3.15, certain builds of Chromium -// may still be loading older versions of NSS as the system libraries. These -// helper methods emulate support by using CKM_AES_CTR and the GaloisHash. - -// Helper function for using PK11_Decrypt. |mechanism| must be set to -// CKM_AES_GCM for this method. -CRYPTO_EXPORT SECStatus PK11DecryptHelper(PK11SymKey* key, - CK_MECHANISM_TYPE mechanism, - SECItem* param, - unsigned char* out, - unsigned int* out_len, - unsigned int max_len, - const unsigned char* data, - unsigned int data_len); - -// Helper function for using PK11_Encrypt. |mechanism| must be set to -// CKM_AES_GCM for this method. -CRYPTO_EXPORT SECStatus PK11EncryptHelper(PK11SymKey* key, - CK_MECHANISM_TYPE mechanism, - SECItem* param, - unsigned char* out, - unsigned int* out_len, - unsigned int max_len, - const unsigned char* data, - unsigned int data_len); - -} // namespace crypto - -#endif // CRYPTO_AES_128_GCM_HELPERS_NSS_H_ diff --git a/chromium/crypto/aes_128_gcm_helpers_nss_unittest.cc b/chromium/crypto/aes_128_gcm_helpers_nss_unittest.cc deleted file mode 100644 index d741b2fe54d..00000000000 --- a/chromium/crypto/aes_128_gcm_helpers_nss_unittest.cc +++ /dev/null @@ -1,580 +0,0 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "crypto/aes_128_gcm_helpers_nss.h" - -#include <pk11pub.h> -#include <secerr.h> -#include <string> - -#include "base/logging.h" -#include "base/rand_util.h" -#include "base/strings/string_number_conversions.h" -#include "base/strings/string_util.h" -#include "crypto/nss_util.h" -#include "crypto/random.h" -#include "crypto/scoped_nss_types.h" -#include "testing/gtest/include/gtest/gtest.h" - -namespace crypto { - -namespace { - -// The AES GCM test vectors come from the gcmDecrypt128.rsp and -// gcmEncryptExtIV128.rsp files downloaded from -// http://csrc.nist.gov/groups/STM/cavp/index.html on 2013-02-01. The test -// vectors in that file look like this: -// -// [Keylen = 128] -// [IVlen = 96] -// [PTlen = 0] -// [AADlen = 0] -// [Taglen = 128] -// -// Count = 0 -// Key = cf063a34d4a9a76c2c86787d3f96db71 -// IV = 113b9785971864c83b01c787 -// CT = -// AAD = -// Tag = 72ac8493e3a5228b5d130a69d2510e42 -// PT = -// -// Count = 1 -// Key = a49a5e26a2f8cb63d05546c2a62f5343 -// IV = 907763b19b9b4ab6bd4f0281 -// CT = -// AAD = -// Tag = a2be08210d8c470a8df6e8fbd79ec5cf -// FAIL -// -// ... -// -// These files are huge (2.6 MB and 2.8 MB), so this file contains just a -// selection of test vectors. - -// Describes a group of test vectors that all have a given key length, IV -// length, plaintext length, AAD length, and tag length. -struct TestGroupInfo { - size_t key_len; - size_t iv_len; - size_t input_len; - size_t aad_len; - size_t tag_len; -}; - -// Each test vector consists of six strings of lowercase hexadecimal digits. -// The strings may be empty (zero length). A test vector with a NULL |key| -// marks the end of an array of test vectors. -struct TestVector { - // Input: - const char* key; - const char* iv; - const char* input; - const char* aad; - const char* tag; - - // Expected output: - const char* output; // An empty string "" means decryption or encryption - // succeeded and the plaintext is zero-length. NULL means - // that the decryption or encryption failed. -}; - -const TestGroupInfo test_group_info[] = { - {128, 96, 0, 0, 128}, - {128, 96, 0, 128, 128}, - {128, 96, 128, 0, 128}, - {128, 96, 408, 160, 128}, - {128, 96, 408, 720, 128}, - {128, 96, 104, 0, 128}, -}; - -const TestVector decryption_test_group_0[] = { - {"cf063a34d4a9a76c2c86787d3f96db71", - "113b9785971864c83b01c787", - "", - "", - "72ac8493e3a5228b5d130a69d2510e42", - ""}, - { - "a49a5e26a2f8cb63d05546c2a62f5343", - "907763b19b9b4ab6bd4f0281", - "", - "", - "a2be08210d8c470a8df6e8fbd79ec5cf", - NULL // FAIL - }, - {NULL}}; - -const TestVector decryption_test_group_1[] = { - { - "d1f6af919cde85661208bdce0c27cb22", - "898c6929b435017bf031c3c5", - "", - "7c5faa40e636bbc91107e68010c92b9f", - "ae45f11777540a2caeb128be8092468a", - NULL // FAIL - }, - {"2370e320d4344208e0ff5683f243b213", - "04dbb82f044d30831c441228", - "", - "d43a8e5089eea0d026c03a85178b27da", - "2a049c049d25aa95969b451d93c31c6e", - ""}, - {NULL}}; - -const TestVector decryption_test_group_2[] = { - {"e98b72a9881a84ca6b76e0f43e68647a", - "8b23299fde174053f3d652ba", - "5a3c1cf1985dbb8bed818036fdd5ab42", - "", - "23c7ab0f952b7091cd324835043b5eb5", - "28286a321293253c3e0aa2704a278032"}, - {"33240636cd3236165f1a553b773e728e", - "17c4d61493ecdc8f31700b12", - "47bb7e23f7bdfe05a8091ac90e4f8b2e", - "", - "b723c70e931d9785f40fd4ab1d612dc9", - "95695a5b12f2870b9cc5fdc8f218a97d"}, - { - "5164df856f1e9cac04a79b808dc5be39", - "e76925d5355e0584ce871b2b", - "0216c899c88d6e32c958c7e553daa5bc", - "", - "a145319896329c96df291f64efbe0e3a", - NULL // FAIL - }, - {NULL}}; - -const TestVector decryption_test_group_3[] = { - {"af57f42c60c0fc5a09adb81ab86ca1c3", - "a2dc01871f37025dc0fc9a79", - "b9a535864f48ea7b6b1367914978f9bfa087d854bb0e269bed8d279d2eea1210e48947" - "338b22f9bad09093276a331e9c79c7f4", - "41dc38988945fcb44faf2ef72d0061289ef8efd8", - "4f71e72bde0018f555c5adcce062e005", - "3803a0727eeb0ade441e0ec107161ded2d425ec0d102f21f51bf2cf9947c7ec4aa7279" - "5b2f69b041596e8817d0a3c16f8fadeb"}, - {"ebc753e5422b377d3cb64b58ffa41b61", - "2e1821efaced9acf1f241c9b", - "069567190554e9ab2b50a4e1fbf9c147340a5025fdbd201929834eaf6532325899ccb9" - "f401823e04b05817243d2142a3589878", - "b9673412fd4f88ba0e920f46dd6438ff791d8eef", - "534d9234d2351cf30e565de47baece0b", - "39077edb35e9c5a4b1e4c2a6b9bb1fce77f00f5023af40333d6d699014c2bcf4209c18" - "353a18017f5b36bfc00b1f6dcb7ed485"}, - { - "52bdbbf9cf477f187ec010589cb39d58", - "d3be36d3393134951d324b31", - "700188da144fa692cf46e4a8499510a53d90903c967f7f13e8a1bd8151a74adc4fe63e" - "32b992760b3a5f99e9a47838867000a9", - "93c4fc6a4135f54d640b0c976bf755a06a292c33", - "8ca4e38aa3dfa6b1d0297021ccf3ea5f", - NULL // FAIL - }, - {NULL}}; - -const TestVector decryption_test_group_4[] = { - {"da2bb7d581493d692380c77105590201", - "44aa3e7856ca279d2eb020c6", - "9290d430c9e89c37f0446dbd620c9a6b34b1274aeb6f911f75867efcf95b6feda69f1a" - "f4ee16c761b3c9aeac3da03aa9889c88", - "4cd171b23bddb3a53cdf959d5c1710b481eb3785a90eb20a2345ee00d0bb7868c367ab" - "12e6f4dd1dee72af4eee1d197777d1d6499cc541f34edbf45cda6ef90b3c024f9272d7" - "2ec1909fb8fba7db88a4d6f7d3d925980f9f9f72", - "9e3ac938d3eb0cadd6f5c9e35d22ba38", - "9bbf4c1a2742f6ac80cb4e8a052e4a8f4f07c43602361355b717381edf9fabd4cb7e3a" - "d65dbd1378b196ac270588dd0621f642"}, - {"d74e4958717a9d5c0e235b76a926cae8", - "0b7471141e0c70b1995fd7b1", - "e701c57d2330bf066f9ff8cf3ca4343cafe4894651cd199bdaaa681ba486b4a65c5a22" - "b0f1420be29ea547d42c713bc6af66aa", - "4a42b7aae8c245c6f1598a395316e4b8484dbd6e64648d5e302021b1d3fa0a38f46e22" - "bd9c8080b863dc0016482538a8562a4bd0ba84edbe2697c76fd039527ac179ec5506cf" - "34a6039312774cedebf4961f3978b14a26509f96", - "e192c23cb036f0b31592989119eed55d", - "840d9fb95e32559fb3602e48590280a172ca36d9b49ab69510f5bd552bfab7a306f85f" - "f0a34bc305b88b804c60b90add594a17"}, - { - "1986310c725ac94ecfe6422e75fc3ee7", - "93ec4214fa8e6dc4e3afc775", - "b178ec72f85a311ac4168f42a4b2c23113fbea4b85f4b9dabb74e143eb1b8b0a361e02" - "43edfd365b90d5b325950df0ada058f9", - "e80b88e62c49c958b5e0b8b54f532d9ff6aa84c8a40132e93e55b59fc24e8decf28463" - "139f155d1e8ce4ee76aaeefcd245baa0fc519f83a5fb9ad9aa40c4b21126013f576c42" - "72c2cb136c8fd091cc4539877a5d1e72d607f960", - "8b347853f11d75e81e8a95010be81f17", - NULL // FAIL - }, - {NULL}}; - -const TestVector decryption_test_group_5[] = { - {"387218b246c1a8257748b56980e50c94", - "dd7e014198672be39f95b69d", - "cdba9e73eaf3d38eceb2b04a8d", - "", - "ecf90f4a47c9c626d6fb2c765d201556", - "48f5b426baca03064554cc2b30"}, - {"294de463721e359863887c820524b3d4", - "3338b35c9d57a5d28190e8c9", - "2f46634e74b8e4c89812ac83b9", - "", - "dabd506764e68b82a7e720aa18da0abe", - "46a2e55c8e264df211bd112685"}, - {"28ead7fd2179e0d12aa6d5d88c58c2dc", - "5055347f18b4d5add0ae5c41", - "142d8210c3fb84774cdbd0447a", - "", - "5fd321d9cdb01952dc85f034736c2a7d", - "3b95b981086ee73cc4d0cc1422"}, - { - "7d7b6c988137b8d470c57bf674a09c87", - "9edf2aa970d016ac962e1fd8", - "a85b66c3cb5eab91d5bdc8bc0e", - "", - "dc054efc01f3afd21d9c2484819f569a", - NULL // FAIL - }, - {NULL}}; - -const TestVector encryption_test_group_0[] = { - {"11754cd72aec309bf52f7687212e8957", - "3c819d9a9bed087615030b65", - "", - "", - "250327c674aaf477aef2675748cf6971", - ""}, - {"ca47248ac0b6f8372a97ac43508308ed", - "ffd2b598feabc9019262d2be", - "", - "", - "60d20404af527d248d893ae495707d1a", - ""}, - {NULL}}; - -const TestVector encryption_test_group_1[] = { - {"77be63708971c4e240d1cb79e8d77feb", - "e0e00f19fed7ba0136a797f3", - "", - "7a43ec1d9c0a5a78a0b16533a6213cab", - "209fcc8d3675ed938e9c7166709dd946", - ""}, - {"7680c5d3ca6154758e510f4d25b98820", - "f8f105f9c3df4965780321f8", - "", - "c94c410194c765e3dcc7964379758ed3", - "94dca8edfcf90bb74b153c8d48a17930", - ""}, - {NULL}}; - -const TestVector encryption_test_group_2[] = { - {"7fddb57453c241d03efbed3ac44e371c", - "ee283a3fc75575e33efd4887", - "d5de42b461646c255c87bd2962d3b9a2", - "", - "b36d1df9b9d5e596f83e8b7f52971cb3", - "2ccda4a5415cb91e135c2a0f78c9b2fd"}, - {"ab72c77b97cb5fe9a382d9fe81ffdbed", - "54cc7dc2c37ec006bcc6d1da", - "007c5e5b3e59df24a7c355584fc1518d", - "", - "2b4401346697138c7a4891ee59867d0c", - "0e1bde206a07a9c2c1b65300f8c64997"}, - {NULL}}; - -const TestVector encryption_test_group_3[] = { - {"fe47fcce5fc32665d2ae399e4eec72ba", - "5adb9609dbaeb58cbd6e7275", - "7c0e88c88899a779228465074797cd4c2e1498d259b54390b85e3eef1c02df60e743f1" - "b840382c4bccaf3bafb4ca8429bea063", - "88319d6e1d3ffa5f987199166c8a9b56c2aeba5a", - "291ef1982e4defedaa2249f898556b47", - "98f4826f05a265e6dd2be82db241c0fbbbf9ffb1c173aa83964b7cf539304373636525" - "3ddbc5db8778371495da76d269e5db3e"}, - {"ec0c2ba17aa95cd6afffe949da9cc3a8", - "296bce5b50b7d66096d627ef", - "b85b3753535b825cbe5f632c0b843c741351f18aa484281aebec2f45bb9eea2d79d987" - "b764b9611f6c0f8641843d5d58f3a242", - "f8d00f05d22bf68599bcdeb131292ad6e2df5d14", - "890147971946b627c40016da1ecf3e77", - "a7443d31c26bdf2a1c945e29ee4bd344a99cfaf3aa71f8b3f191f83c2adfc7a0716299" - "5506fde6309ffc19e716eddf1a828c5a"}, - {NULL}}; - -const TestVector encryption_test_group_4[] = { - {"2c1f21cf0f6fb3661943155c3e3d8492", - "23cb5ff362e22426984d1907", - "42f758836986954db44bf37c6ef5e4ac0adaf38f27252a1b82d02ea949c8a1a2dbc0d6" - "8b5615ba7c1220ff6510e259f06655d8", - "5d3624879d35e46849953e45a32a624d6a6c536ed9857c613b572b0333e701557a713e" - "3f010ecdf9a6bd6c9e3e44b065208645aff4aabee611b391528514170084ccf587177f" - "4488f33cfb5e979e42b6e1cfc0a60238982a7aec", - "57a3ee28136e94c74838997ae9823f3a", - "81824f0e0d523db30d3da369fdc0d60894c7a0a20646dd015073ad2732bd989b14a222" - "b6ad57af43e1895df9dca2a5344a62cc"}, - {"d9f7d2411091f947b4d6f1e2d1f0fb2e", - "e1934f5db57cc983e6b180e7", - "73ed042327f70fe9c572a61545eda8b2a0c6e1d6c291ef19248e973aee6c312012f490" - "c2c6f6166f4a59431e182663fcaea05a", - "0a8a18a7150e940c3d87b38e73baee9a5c049ee21795663e264b694a949822b639092d" - "0e67015e86363583fcf0ca645af9f43375f05fdb4ce84f411dcbca73c2220dea03a201" - "15d2e51398344b16bee1ed7c499b353d6c597af8", - "21b51ca862cb637cdd03b99a0f93b134", - "aaadbd5c92e9151ce3db7210b8714126b73e43436d242677afa50384f2149b831f1d57" - "3c7891c2a91fbc48db29967ec9542b23"}, - {NULL}}; - -const TestVector encryption_test_group_5[] = { - {"fe9bb47deb3a61e423c2231841cfd1fb", - "4d328eb776f500a2f7fb47aa", - "f1cc3818e421876bb6b8bbd6c9", - "", - "43fd4727fe5cdb4b5b42818dea7ef8c9", - "b88c5c1977b35b517b0aeae967"}, - {"6703df3701a7f54911ca72e24dca046a", - "12823ab601c350ea4bc2488c", - "793cd125b0b84a043e3ac67717", - "", - "38e6bcd29962e5f2c13626b85a877101", - "b2051c80014f42f08735a7b0cd"}, - {NULL}}; - -const TestVector* const decryption_test_group_array[] = { - decryption_test_group_0, - decryption_test_group_1, - decryption_test_group_2, - decryption_test_group_3, - decryption_test_group_4, - decryption_test_group_5, -}; - -const TestVector* const encryption_test_group_array[] = { - encryption_test_group_0, - encryption_test_group_1, - encryption_test_group_2, - encryption_test_group_3, - encryption_test_group_4, - encryption_test_group_5, -}; - -bool DecodeHexString(const base::StringPiece& hex, std::string* bytes) { - bytes->clear(); - if (hex.empty()) - return true; - std::vector<uint8> v; - if (!base::HexStringToBytes(hex.as_string(), &v)) - return false; - if (!v.empty()) - bytes->assign(reinterpret_cast<const char*>(&v[0]), v.size()); - return true; -} - -class Aes128GcmHelpersTest : public ::testing::Test { - public: - enum Mode { DECRYPT, ENCRYPT }; - - void SetUp() override { EnsureNSSInit(); } - - bool DecryptOrEncrypt(Mode mode, - const base::StringPiece& input, - const base::StringPiece& key, - const base::StringPiece& nonce, - const base::StringPiece& aad, - size_t auth_tag_size, - std::string* output) { - DCHECK(output); - - const CK_ATTRIBUTE_TYPE cka_mode = - mode == DECRYPT ? CKA_DECRYPT : CKA_ENCRYPT; - - SECItem key_item; - key_item.type = siBuffer; - key_item.data = const_cast<unsigned char*>( - reinterpret_cast<const unsigned char*>(key.data())); - key_item.len = key.size(); - - crypto::ScopedPK11Slot slot(PK11_GetInternalSlot()); - DCHECK(slot); - - crypto::ScopedPK11SymKey aead_key( - PK11_ImportSymKey(slot.get(), CKM_AES_GCM, PK11_OriginUnwrap, cka_mode, - &key_item, nullptr)); - - CK_GCM_PARAMS gcm_params; - gcm_params.pIv = const_cast<unsigned char*>( - reinterpret_cast<const unsigned char*>(nonce.data())); - gcm_params.ulIvLen = nonce.size(); - - gcm_params.pAAD = const_cast<unsigned char*>( - reinterpret_cast<const unsigned char*>(aad.data())); - - gcm_params.ulAADLen = aad.size(); - - gcm_params.ulTagBits = auth_tag_size * 8; - - SECItem param; - param.type = siBuffer; - param.data = reinterpret_cast<unsigned char*>(&gcm_params); - param.len = sizeof(CK_GCM_PARAMS); - - size_t maximum_output_length = input.size(); - if (mode == ENCRYPT) - maximum_output_length += auth_tag_size; - - unsigned int output_length = 0; - unsigned char* raw_input = const_cast<unsigned char*>( - reinterpret_cast<const unsigned char*>(input.data())); - unsigned char* raw_output = reinterpret_cast<unsigned char*>( - base::WriteInto(output, maximum_output_length + 1 /* null */)); - - PK11Helper_TransformFunction* transform_function = - mode == DECRYPT ? PK11DecryptHelper : PK11EncryptHelper; - - const SECStatus result = transform_function( - aead_key.get(), CKM_AES_GCM, ¶m, raw_output, &output_length, - maximum_output_length, raw_input, input.size()); - - if (result != SECSuccess) - return false; - - const size_t expected_output_length = mode == DECRYPT - ? input.size() - auth_tag_size - : input.size() + auth_tag_size; - - EXPECT_EQ(expected_output_length, output_length); - - output->resize(expected_output_length); - return true; - } - - private: - // The prototype of PK11_Decrypt and PK11_Encrypt. - using PK11Helper_TransformFunction = SECStatus(PK11SymKey* symKey, - CK_MECHANISM_TYPE mechanism, - SECItem* param, - unsigned char* out, - unsigned int* outLen, - unsigned int maxLen, - const unsigned char* data, - unsigned int dataLen); -}; - -} // namespace - -TEST_F(Aes128GcmHelpersTest, RoundTrip) { - const std::string message = "Hello, world!"; - - const size_t kKeySize = 16; - const size_t kNonceSize = 16; - - std::string key, nonce; - RandBytes(base::WriteInto(&key, kKeySize + 1), kKeySize); - RandBytes(base::WriteInto(&nonce, kNonceSize + 1), kNonceSize); - - // AEAD_AES_128_GCM is defined with a default authentication tag size of 16, - // but RFC 5282 extends this to authentication tag sizes of 8 and 12 as well. - size_t auth_tag_size = base::RandInt(2, 4) * 4; - - std::string encrypted; - ASSERT_TRUE(DecryptOrEncrypt(ENCRYPT, message, key, nonce, - base::StringPiece(), auth_tag_size, &encrypted)); - - std::string decrypted; - ASSERT_TRUE(DecryptOrEncrypt(DECRYPT, encrypted, key, nonce, - base::StringPiece(), auth_tag_size, &decrypted)); - - EXPECT_EQ(message, decrypted); -} - -TEST_F(Aes128GcmHelpersTest, DecryptionVectors) { - for (size_t i = 0; i < arraysize(decryption_test_group_array); i++) { - SCOPED_TRACE(i); - const TestVector* test_vectors = decryption_test_group_array[i]; - const TestGroupInfo& test_info = test_group_info[i]; - - for (size_t j = 0; test_vectors[j].key != nullptr; j++) { - // If not present then decryption is expected to fail. - bool has_output = test_vectors[j].output; - - // Decode the test vector. - std::string key, iv, input, aad, tag, expected_output; - ASSERT_TRUE(DecodeHexString(test_vectors[j].key, &key)); - ASSERT_TRUE(DecodeHexString(test_vectors[j].iv, &iv)); - ASSERT_TRUE(DecodeHexString(test_vectors[j].input, &input)); - ASSERT_TRUE(DecodeHexString(test_vectors[j].aad, &aad)); - ASSERT_TRUE(DecodeHexString(test_vectors[j].tag, &tag)); - if (has_output) - ASSERT_TRUE(DecodeHexString(test_vectors[j].output, &expected_output)); - - // The test vector's lengths should look sane. Note that the lengths - // in |test_info| are in bits. - EXPECT_EQ(test_info.key_len, key.length() * 8); - EXPECT_EQ(test_info.iv_len, iv.length() * 8); - EXPECT_EQ(test_info.input_len, input.length() * 8); - EXPECT_EQ(test_info.aad_len, aad.length() * 8); - EXPECT_EQ(test_info.tag_len, tag.length() * 8); - if (has_output) - EXPECT_EQ(test_info.input_len, expected_output.length() * 8); - - const std::string ciphertext = input + tag; - std::string output; - - if (!DecryptOrEncrypt(DECRYPT, ciphertext, key, iv, aad, tag.length(), - &output)) { - EXPECT_FALSE(has_output); - continue; - } - - EXPECT_TRUE(has_output); - EXPECT_EQ(expected_output, output); - } - } -} - -TEST_F(Aes128GcmHelpersTest, EncryptionVectors) { - for (size_t i = 0; i < arraysize(encryption_test_group_array); i++) { - SCOPED_TRACE(i); - const TestVector* test_vectors = encryption_test_group_array[i]; - const TestGroupInfo& test_info = test_group_info[i]; - - for (size_t j = 0; test_vectors[j].key != nullptr; j++) { - // If not present then decryption is expected to fail. - bool has_output = test_vectors[j].output; - - // Decode the test vector. - std::string key, iv, input, aad, tag, expected_output; - ASSERT_TRUE(DecodeHexString(test_vectors[j].key, &key)); - ASSERT_TRUE(DecodeHexString(test_vectors[j].iv, &iv)); - ASSERT_TRUE(DecodeHexString(test_vectors[j].input, &input)); - ASSERT_TRUE(DecodeHexString(test_vectors[j].aad, &aad)); - ASSERT_TRUE(DecodeHexString(test_vectors[j].tag, &tag)); - if (has_output) - ASSERT_TRUE(DecodeHexString(test_vectors[j].output, &expected_output)); - - // The test vector's lengths should look sane. Note that the lengths - // in |test_info| are in bits. - EXPECT_EQ(test_info.key_len, key.length() * 8); - EXPECT_EQ(test_info.iv_len, iv.length() * 8); - EXPECT_EQ(test_info.input_len, input.length() * 8); - EXPECT_EQ(test_info.aad_len, aad.length() * 8); - EXPECT_EQ(test_info.tag_len, tag.length() * 8); - if (has_output) - EXPECT_EQ(test_info.input_len, expected_output.length() * 8); - - std::string output; - - if (!DecryptOrEncrypt(ENCRYPT, input, key, iv, aad, tag.length(), - &output)) { - EXPECT_FALSE(has_output); - continue; - } - - const std::string expected_output_with_tag = expected_output + tag; - - EXPECT_TRUE(has_output); - EXPECT_EQ(expected_output_with_tag, output); - } - } -} - -} // namespace crypto diff --git a/chromium/crypto/capi_util.cc b/chromium/crypto/capi_util.cc index 2cf10625ec3..1a3e139b50e 100644 --- a/chromium/crypto/capi_util.cc +++ b/chromium/crypto/capi_util.cc @@ -13,7 +13,7 @@ namespace { class CAPIUtilSingleton { public: static CAPIUtilSingleton* GetInstance() { - return Singleton<CAPIUtilSingleton>::get(); + return base::Singleton<CAPIUtilSingleton>::get(); } // Returns a lock to guard calls to CryptAcquireContext with @@ -23,8 +23,8 @@ class CAPIUtilSingleton { } private: - friend class Singleton<CAPIUtilSingleton>; - friend struct DefaultSingletonTraits<CAPIUtilSingleton>; + friend class base::Singleton<CAPIUtilSingleton>; + friend struct base::DefaultSingletonTraits<CAPIUtilSingleton>; CAPIUtilSingleton() {} diff --git a/chromium/crypto/crypto.gyp b/chromium/crypto/crypto.gyp index 6327ce76dd2..c1c1047c41d 100644 --- a/chromium/crypto/crypto.gyp +++ b/chromium/crypto/crypto.gyp @@ -94,7 +94,6 @@ [ 'OS == "win"', { 'msvs_disabled_warnings': [ 4267, # TODO(jschuh): crbug.com/167187 fix size_t to int truncations. - 4018, ], }], [ 'use_openssl==1', { @@ -104,8 +103,6 @@ # TODO(joth): Use a glob to match exclude patterns once the # OpenSSL file set is complete. 'sources!': [ - 'aes_128_gcm_helpers_nss.cc', - 'aes_128_gcm_helpers_nss.h', 'ec_private_key_nss.cc', 'ec_signature_creator_nss.cc', 'encryptor_nss.cc', @@ -165,7 +162,6 @@ 'type': 'executable', 'sources': [ 'aead_openssl_unittest.cc', - 'aes_128_gcm_helpers_nss_unittest.cc', 'curve25519_unittest.cc', 'ec_private_key_unittest.cc', 'ec_signature_creator_unittest.cc', @@ -230,9 +226,6 @@ 'dependencies': [ '../third_party/boringssl/boringssl.gyp:boringssl', ], - 'sources!': [ - 'aes_128_gcm_helpers_nss_unittest.cc', - ], }, { 'sources!': [ 'openssl_bio_string_unittest.cc', @@ -261,9 +254,6 @@ 'CRYPTO_IMPLEMENTATION', '<@(nacl_win64_defines)', ], - 'msvs_disabled_warnings': [ - 4018, - ], 'configurations': { 'Common_Base': { 'msvs_target_platform': 'x64', diff --git a/chromium/crypto/crypto.gypi b/chromium/crypto/crypto.gypi index 71ffbecad11..73b33322605 100644 --- a/chromium/crypto/crypto.gypi +++ b/chromium/crypto/crypto.gypi @@ -29,8 +29,6 @@ '<@(hmac_win64_related_sources)', 'aead_openssl.cc', 'aead_openssl.h', - 'aes_128_gcm_helpers_nss.cc', - 'aes_128_gcm_helpers_nss.h', 'apple_keychain.h', 'apple_keychain_ios.mm', 'apple_keychain_mac.mm', diff --git a/chromium/crypto/crypto_unittests.isolate b/chromium/crypto/crypto_unittests.isolate index e09095c142b..de13aa23a72 100644 --- a/chromium/crypto/crypto_unittests.isolate +++ b/chromium/crypto/crypto_unittests.isolate @@ -18,9 +18,7 @@ 'variables': { 'files': [ '../testing/test_env.py', - '<(PRODUCT_DIR)/crypto_unittests<(EXECUTABLE_SUFFIX)', ], - 'read_only': 1, }, }], ['OS=="mac" and asan==1 and fastbuild==0', { diff --git a/chromium/crypto/cssm_init.cc b/chromium/crypto/cssm_init.cc index 208309c351e..495e71b68ab 100644 --- a/chromium/crypto/cssm_init.cc +++ b/chromium/crypto/cssm_init.cc @@ -39,8 +39,8 @@ void* CSSMCalloc(uint32 num, CSSM_SIZE size, void* alloc_ref) { class CSSMInitSingleton { public: static CSSMInitSingleton* GetInstance() { - return Singleton<CSSMInitSingleton, - LeakySingletonTraits<CSSMInitSingleton> >::get(); + return base::Singleton<CSSMInitSingleton, base::LeakySingletonTraits< + CSSMInitSingleton>>::get(); } CSSM_CSP_HANDLE csp_handle() const { return csp_handle_; } @@ -150,7 +150,7 @@ class CSSMInitSingleton { CSSM_CL_HANDLE cl_handle_; CSSM_TP_HANDLE tp_handle_; - friend struct DefaultSingletonTraits<CSSMInitSingleton>; + friend struct base::DefaultSingletonTraits<CSSMInitSingleton>; }; } // namespace diff --git a/chromium/crypto/ec_private_key_openssl.cc b/chromium/crypto/ec_private_key_openssl.cc index 35403f39ce8..1a060283892 100644 --- a/chromium/crypto/ec_private_key_openssl.cc +++ b/chromium/crypto/ec_private_key_openssl.cc @@ -176,9 +176,10 @@ bool ECPrivateKey::ExportEncryptedPrivateKey( // equivalent. ScopedX509_SIG encrypted(PKCS8_encrypt_pbe( NID_pbe_WithSHA1And3_Key_TripleDES_CBC, + nullptr, reinterpret_cast<const uint8_t*>(password.data()), password.size(), - NULL, + nullptr, 0, iterations, pkcs8.get())); diff --git a/chromium/crypto/encryptor.h b/chromium/crypto/encryptor.h index 8052a9fd574..85ebaeb1499 100644 --- a/chromium/crypto/encryptor.h +++ b/chromium/crypto/encryptor.h @@ -13,8 +13,7 @@ #include "build/build_config.h" #include "crypto/crypto_export.h" -#if defined(USE_NSS_CERTS) || \ - (!defined(USE_OPENSSL) && (defined(OS_WIN) || defined(OS_MACOSX))) +#if !defined(USE_OPENSSL) #include "crypto/scoped_nss_types.h" #endif @@ -122,7 +121,7 @@ class CRYPTO_EXPORT Encryptor { const base::StringPiece& input, std::string* output); std::string iv_; -#elif defined(USE_NSS_CERTS) || defined(OS_WIN) || defined(OS_MACOSX) +#else bool Crypt(PK11Context* context, const base::StringPiece& input, std::string* output); diff --git a/chromium/crypto/mac_security_services_lock.cc b/chromium/crypto/mac_security_services_lock.cc index c0b8712089e..af66918f3ca 100644 --- a/chromium/crypto/mac_security_services_lock.cc +++ b/chromium/crypto/mac_security_services_lock.cc @@ -14,14 +14,15 @@ namespace { class SecurityServicesSingleton { public: static SecurityServicesSingleton* GetInstance() { - return Singleton<SecurityServicesSingleton, - LeakySingletonTraits<SecurityServicesSingleton> >::get(); + return base::Singleton< + SecurityServicesSingleton, + base::LeakySingletonTraits<SecurityServicesSingleton>>::get(); } base::Lock& lock() { return lock_; } private: - friend struct DefaultSingletonTraits<SecurityServicesSingleton>; + friend struct base::DefaultSingletonTraits<SecurityServicesSingleton>; SecurityServicesSingleton() {} ~SecurityServicesSingleton() {} diff --git a/chromium/crypto/nss_util.cc b/chromium/crypto/nss_util.cc index 125591c73f6..d13170c0562 100644 --- a/chromium/crypto/nss_util.cc +++ b/chromium/crypto/nss_util.cc @@ -670,12 +670,6 @@ class NSSInitSingleton { } #endif // defined(USE_NSS_CERTS) - // This method is used to force NSS to be initialized without a DB. - // Call this method before NSSInitSingleton() is constructed. - static void ForceNoDBInit() { - force_nodb_init_ = true; - } - private: friend struct base::DefaultLazyInstanceTraits<NSSInitSingleton>; @@ -708,7 +702,7 @@ class NSSInitSingleton { } SECStatus status = SECFailure; - bool nodb_init = force_nodb_init_; + bool nodb_init = false; #if !defined(USE_NSS_CERTS) // Use the system certificate store, so initialize NSS without database. @@ -867,9 +861,6 @@ class NSSInitSingleton { } } - // If this is set to true NSS is forced to be initialized without a DB. - static bool force_nodb_init_; - bool tpm_token_enabled_for_nss_; bool initializing_tpm_token_; typedef std::vector<base::Closure> TPMReadyCallbackList; @@ -891,9 +882,6 @@ class NSSInitSingleton { base::ThreadChecker thread_checker_; }; -// static -bool NSSInitSingleton::force_nodb_init_ = false; - base::LazyInstance<NSSInitSingleton>::Leaky g_nss_singleton = LAZY_INSTANCE_INITIALIZER; } // namespace @@ -927,17 +915,6 @@ void EnsureNSPRInit() { g_nspr_singleton.Get(); } -void InitNSSSafely() { - // We might fork, but we haven't loaded any security modules. - DisableNSSForkCheck(); - // If we're sandboxed, we shouldn't be able to open user security modules, - // but it's more correct to tell NSS to not even try. - // Loading user security modules would have security implications. - ForceNSSNoDBInit(); - // Initialize NSS. - EnsureNSSInit(); -} - void EnsureNSSInit() { // Initializing SSL causes us to do blocking IO. // Temporarily allow it until we fix @@ -946,69 +923,6 @@ void EnsureNSSInit() { g_nss_singleton.Get(); } -void ForceNSSNoDBInit() { - NSSInitSingleton::ForceNoDBInit(); -} - -void DisableNSSForkCheck() { - scoped_ptr<base::Environment> env(base::Environment::Create()); - env->SetVar("NSS_STRICT_NOFORK", "DISABLED"); -} - -void LoadNSSLibraries() { - // Some NSS libraries are linked dynamically so load them here. -#if defined(USE_NSS_CERTS) - // Try to search for multiple directories to load the libraries. - std::vector<base::FilePath> paths; - - // Use relative path to Search PATH for the library files. - paths.push_back(base::FilePath()); - - // For Debian derivatives NSS libraries are located here. - paths.push_back(base::FilePath("/usr/lib/nss")); - - // Ubuntu 11.10 (Oneiric) and Debian Wheezy place the libraries here. -#if defined(ARCH_CPU_X86_64) - paths.push_back(base::FilePath("/usr/lib/x86_64-linux-gnu/nss")); -#elif defined(ARCH_CPU_X86) - paths.push_back(base::FilePath("/usr/lib/i386-linux-gnu/nss")); -#elif defined(ARCH_CPU_ARMEL) -#if defined(__ARM_PCS_VFP) - paths.push_back(base::FilePath("/usr/lib/arm-linux-gnueabihf/nss")); -#else - paths.push_back(base::FilePath("/usr/lib/arm-linux-gnueabi/nss")); -#endif // defined(__ARM_PCS_VFP) -#elif defined(ARCH_CPU_MIPSEL) - paths.push_back(base::FilePath("/usr/lib/mipsel-linux-gnu/nss")); -#endif // defined(ARCH_CPU_X86_64) - - // A list of library files to load. - std::vector<std::string> libs; - libs.push_back("libsoftokn3.so"); - libs.push_back("libfreebl3.so"); - - // For each combination of library file and path, check for existence and - // then load. - size_t loaded = 0; - for (size_t i = 0; i < libs.size(); ++i) { - for (size_t j = 0; j < paths.size(); ++j) { - base::FilePath path = paths[j].Append(libs[i]); - base::NativeLibrary lib = base::LoadNativeLibrary(path, NULL); - if (lib) { - ++loaded; - break; - } - } - } - - if (loaded == libs.size()) { - VLOG(3) << "NSS libraries loaded."; - } else { - LOG(ERROR) << "Failed to load NSS libraries."; - } -#endif // defined(USE_NSS_CERTS) -} - bool CheckNSSVersion(const char* version) { return !!NSS_VersionCheck(version); } diff --git a/chromium/crypto/nss_util.h b/chromium/crypto/nss_util.h index 1ca0de3e777..06c1e5d9d52 100644 --- a/chromium/crypto/nss_util.h +++ b/chromium/crypto/nss_util.h @@ -33,59 +33,11 @@ CRYPTO_EXPORT void EarlySetupForNSSInit(); // thread-safe, and NSPR will only ever be initialized once. CRYPTO_EXPORT void EnsureNSPRInit(); -// Initialize NSS safely for strict sandboxing. This function tells NSS to not -// load user security modules, and makes sure NSS will have proper entropy in a -// restricted, sandboxed environment. -// -// As a defense in depth measure, this function should be called in a sandboxed -// environment. That way, in the event of a bug, NSS will still not be able to -// load security modules that could expose private data and keys. -// -// Make sure to get an LGTM from the Chrome Security Team if you use this. -CRYPTO_EXPORT void InitNSSSafely(); - // Initialize NSS if it isn't already initialized. This must be called before // any other NSS functions. This function is thread-safe, and NSS will only // ever be initialized once. CRYPTO_EXPORT void EnsureNSSInit(); -// Call this before calling EnsureNSSInit() will force NSS to initialize -// without a persistent DB. This is used for the special case where access of -// persistent DB is prohibited. -// -// TODO(hclam): Isolate loading default root certs. -// -// NSS will be initialized without loading any user security modules, including -// the built-in root certificates module. User security modules need to be -// loaded manually after NSS initialization. -// -// If EnsureNSSInit() is called before then this function has no effect. -// -// Calling this method only has effect on Linux. -// -// WARNING: Use this with caution. -CRYPTO_EXPORT void ForceNSSNoDBInit(); - -// This method is used to disable checks in NSS when used in a forked process. -// NSS checks whether it is running a forked process to avoid problems when -// using user security modules in a forked process. However if we are sure -// there are no modules loaded before the process is forked then there is no -// harm disabling the check. -// -// This method must be called before EnsureNSSInit() to take effect. -// -// WARNING: Use this with caution. -CRYPTO_EXPORT void DisableNSSForkCheck(); - -// Load NSS library files. This function has no effect on Mac and Windows. -// This loads the necessary NSS library files so that NSS can be initialized -// after loading additional library files is disallowed, for example when the -// sandbox is active. -// -// Note that this does not load libnssckbi.so which contains the root -// certificates. -CRYPTO_EXPORT void LoadNSSLibraries(); - // Check if the current NSS version is greater than or equals to |version|. // A sample version string is "3.12.3". bool CheckNSSVersion(const char* version); diff --git a/chromium/crypto/openssl_util.cc b/chromium/crypto/openssl_util.cc index d89857f3851..f5b20c9e0c2 100644 --- a/chromium/crypto/openssl_util.cc +++ b/chromium/crypto/openssl_util.cc @@ -35,11 +35,12 @@ class OpenSSLInitSingleton { // we can't control the order the AtExit handlers will run in so // allowing the global environment to leak at least ensures it is // available for those other singletons to reliably cleanup. - return Singleton<OpenSSLInitSingleton, - LeakySingletonTraits<OpenSSLInitSingleton> >::get(); + return base::Singleton< + OpenSSLInitSingleton, + base::LeakySingletonTraits<OpenSSLInitSingleton>>::get(); } private: - friend struct DefaultSingletonTraits<OpenSSLInitSingleton>; + friend struct base::DefaultSingletonTraits<OpenSSLInitSingleton>; OpenSSLInitSingleton() { #if defined(OS_ANDROID) && defined(ARCH_CPU_ARMEL) const bool has_neon = diff --git a/chromium/crypto/rsa_private_key.h b/chromium/crypto/rsa_private_key.h index 637be38836f..fdcb392f40d 100644 --- a/chromium/crypto/rsa_private_key.h +++ b/chromium/crypto/rsa_private_key.h @@ -5,18 +5,13 @@ #ifndef CRYPTO_RSA_PRIVATE_KEY_H_ #define CRYPTO_RSA_PRIVATE_KEY_H_ -#include "build/build_config.h" - #include <list> #include <vector> #include "base/basictypes.h" +#include "build/build_config.h" #include "crypto/crypto_export.h" -#if defined(USE_NSS_CERTS) -#include "base/gtest_prod_util.h" -#endif - #if defined(USE_OPENSSL) // Forward declaration for openssl/*.h typedef struct evp_pkey_st EVP_PKEY; @@ -34,7 +29,6 @@ namespace crypto { // PKCS #8 PrivateKeyInfo and PublicKeyInfo. class PrivateKeyInfoCodec { public: - // ASN.1 encoding of the AlgorithmIdentifier from PKCS #8. static const uint8 kRsaAlgorithmIdentifier[]; @@ -73,14 +67,14 @@ class PrivateKeyInfoCodec { // Accessors to the contents of the integer components of the PrivateKeyInfo // structure. - std::vector<uint8>* modulus() { return &modulus_; }; - std::vector<uint8>* public_exponent() { return &public_exponent_; }; - std::vector<uint8>* private_exponent() { return &private_exponent_; }; - std::vector<uint8>* prime1() { return &prime1_; }; - std::vector<uint8>* prime2() { return &prime2_; }; - std::vector<uint8>* exponent1() { return &exponent1_; }; - std::vector<uint8>* exponent2() { return &exponent2_; }; - std::vector<uint8>* coefficient() { return &coefficient_; }; + std::vector<uint8>* modulus() { return &modulus_; } + std::vector<uint8>* public_exponent() { return &public_exponent_; } + std::vector<uint8>* private_exponent() { return &private_exponent_; } + std::vector<uint8>* prime1() { return &prime1_; } + std::vector<uint8>* prime2() { return &prime2_; } + std::vector<uint8>* exponent1() { return &exponent1_; } + std::vector<uint8>* exponent2() { return &exponent2_; } + std::vector<uint8>* coefficient() { return &coefficient_; } private: // Utility wrappers for PrependIntegerImpl that use the class's |big_endian_| @@ -208,11 +202,6 @@ class CRYPTO_EXPORT RSAPrivateKey { bool ExportPublicKey(std::vector<uint8>* output) const; private: -#if defined(USE_NSS_CERTS) - FRIEND_TEST_ALL_PREFIXES(RSAPrivateKeyNSSTest, FindFromPublicKey); - FRIEND_TEST_ALL_PREFIXES(RSAPrivateKeyNSSTest, FailedFindFromPublicKey); -#endif - // Constructor is private. Use one of the Create*() methods above instead. RSAPrivateKey(); diff --git a/chromium/crypto/symmetric_key_unittest.cc b/chromium/crypto/symmetric_key_unittest.cc index 28e44d27da7..ef8e7e1852a 100644 --- a/chromium/crypto/symmetric_key_unittest.cc +++ b/chromium/crypto/symmetric_key_unittest.cc @@ -100,7 +100,7 @@ TEST_P(SymmetricKeyDeriveKeyFromPasswordTest, DeriveKeyFromPassword) { key->GetRawKey(&raw_key); EXPECT_EQ(test_data.key_size_in_bits / 8, raw_key.size()); EXPECT_EQ(test_data.expected, - base::StringToLowerASCII(base::HexEncode(raw_key.data(), + base::ToLowerASCII(base::HexEncode(raw_key.data(), raw_key.size()))); } diff --git a/chromium/crypto/symmetric_key_win.cc b/chromium/crypto/symmetric_key_win.cc index b3d65f66137..ec9cfa04d75 100644 --- a/chromium/crypto/symmetric_key_win.cc +++ b/chromium/crypto/symmetric_key_win.cc @@ -295,7 +295,7 @@ bool ComputePBKDF2Block(HCRYPTHASH hash, if (!ok || size != hash_size) return false; - for (int i = 0; i < hash_size; ++i) + for (DWORD i = 0; i < hash_size; ++i) output_buf[i] ^= hash_value[i]; } |