// Copyright 2021 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "components/reporting/encryption/primitives.h" #include #include #include #include #include "base/check_op.h" #include "crypto/aead.h" #include "crypto/openssl_util.h" #include "third_party/boringssl/src/include/openssl/curve25519.h" #include "third_party/boringssl/src/include/openssl/digest.h" #include "third_party/boringssl/src/include/openssl/hkdf.h" #include "base/strings/string_piece.h" namespace reporting { static_assert(X25519_PRIVATE_KEY_LEN == kKeySize, "X25519 mismatch"); static_assert(X25519_PUBLIC_VALUE_LEN == kKeySize, "X25519 mismatch"); static_assert(X25519_SHARED_KEY_LEN == kKeySize, "X25519 mismatch"); static_assert(ED25519_PRIVATE_KEY_LEN == kSignKeySize, "ED25519 mismatch"); static_assert(ED25519_PUBLIC_KEY_LEN == kKeySize, "ED25519 mismatch"); static_assert(ED25519_SIGNATURE_LEN == kSignatureSize, "ED25519 mismatch"); bool ComputeSharedSecret(const uint8_t peer_public_value[kKeySize], uint8_t shared_secret[kKeySize], uint8_t generated_public_value[kKeySize]) { // Make sure OpenSSL is initialized, in order to avoid data races later. crypto::EnsureOpenSSLInit(); // Generate new pair of private key and public value. uint8_t out_private_key[kKeySize]; X25519_keypair(generated_public_value, out_private_key); // Compute shared secret. if (1 != X25519(shared_secret, out_private_key, peer_public_value)) { return false; } // Success. return true; } bool ProduceSymmetricKey(const uint8_t shared_secret[kKeySize], uint8_t symmetric_key[kKeySize]) { // Make sure OpenSSL is initialized, in order to avoid data races later. crypto::EnsureOpenSSLInit(); // Produce symmetric key from shared secret using HKDF. // Since the original keys were only used once, no salt and context is needed. // Since the keys above are only used once, no salt and context is provided. if (1 != HKDF(symmetric_key, kKeySize, /*digest=*/EVP_sha256(), shared_secret, kKeySize, /*salt=*/nullptr, /*salt_len=*/0, /*info=*/nullptr, /*info_len=*/0)) { return false; } // Success. return true; } bool PerformSymmetricEncryption(const uint8_t symmetric_key[kKeySize], base::StringPiece input_data, std::string* output_data) { // Make sure OpenSSL is initialized, in order to avoid data races later. crypto::EnsureOpenSSLInit(); // Encrypt the data with symmetric key using AEAD interface. crypto::Aead aead(crypto::Aead::CHACHA20_POLY1305); DCHECK_EQ(aead.KeyLength(), kKeySize); // Use the symmetric key for data encryption. aead.Init(base::make_span(symmetric_key, kKeySize)); // Set nonce to 0s, since a symmetric key is only used once. // Note: if we ever start reusing the same symmetric key, we will need // to generate new nonce for every record and transfer it to the peer. DCHECK_EQ(aead.NonceLength(), kNonceSize); std::string nonce(kNonceSize, 0); // Encrypt the whole record. if (1 != aead.Seal(input_data, nonce, std::string(), output_data)) { return false; } // Success. Attach nonce at the head, for compatibility with Tink. output_data->insert(0, nonce); return true; } bool VerifySignature(const uint8_t verification_key[kKeySize], base::StringPiece message, const uint8_t signature[kSignatureSize]) { // Make sure OpenSSL is initialized, in order to avoid data races later. crypto::EnsureOpenSSLInit(); // Verify message if (1 != ED25519_verify(reinterpret_cast(message.data()), message.size(), signature, verification_key)) { return false; } // Success. return true; } } // namespace reporting