1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "media/cdm/aes_cbc_crypto.h"
#include "base/logging.h"
#include "base/numerics/safe_conversions.h"
#include "crypto/openssl_util.h"
#include "crypto/symmetric_key.h"
#include "third_party/boringssl/src/include/openssl/aes.h"
#include "third_party/boringssl/src/include/openssl/crypto.h"
#include "third_party/boringssl/src/include/openssl/err.h"
#include "third_party/boringssl/src/include/openssl/evp.h"
// Notes on using OpenSSL:
// https://www.openssl.org/docs/man1.1.0/crypto/EVP_DecryptUpdate.html
// The documentation for EVP_DecryptUpdate() only states
// "EVP_DecryptInit_ex(), EVP_DecryptUpdate() and EVP_DecryptFinal_ex()
// are the corresponding decryption operations. EVP_DecryptFinal() will
// return an error code if padding is enabled and the final block is not
// correctly formatted. The parameters and restrictions are identical
// to the encryption operations except that if padding is enabled ..."
// As this implementation does not use padding, the last part should not be
// an issue. However, there is no mention whether data can be decrypted
// block-by-block or if all the data must be unencrypted at once.
//
// The documentation for EVP_EncryptUpdate() (same page as above) states
// "EVP_EncryptUpdate() encrypts inl bytes from the buffer in and writes
// the encrypted version to out. This function can be called multiple times
// to encrypt successive blocks of data."
// Given that the EVP_Decrypt* methods have the same restrictions, the code
// below assumes that EVP_DecryptUpdate() can be called on a block-by-block
// basis. A test in aes_cbc_crypto_unittest.cc verifies this.
namespace media {
AesCbcCrypto::AesCbcCrypto() {
// Ensure the crypto library is initialized. CRYPTO_library_init may be
// safely called concurrently.
CRYPTO_library_init();
EVP_CIPHER_CTX_init(&ctx_);
}
AesCbcCrypto::~AesCbcCrypto() {
EVP_CIPHER_CTX_cleanup(&ctx_);
}
bool AesCbcCrypto::Initialize(const crypto::SymmetricKey& key,
base::span<const uint8_t> iv) {
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
// This uses AES-CBC-128, so the key must be 128 bits.
const EVP_CIPHER* cipher = EVP_aes_128_cbc();
const uint8_t* key_data = reinterpret_cast<const uint8_t*>(key.key().data());
if (key.key().length() != EVP_CIPHER_key_length(cipher)) {
DVLOG(1) << "Key length is incorrect.";
return false;
}
// |iv| must also be 128 bits.
if (iv.size_bytes() != EVP_CIPHER_iv_length(cipher)) {
DVLOG(1) << "IV length is incorrect.";
return false;
}
if (!EVP_DecryptInit_ex(&ctx_, cipher, nullptr, key_data, iv.data())) {
DVLOG(1) << "EVP_DecryptInit_ex() failed.";
return false;
}
if (!EVP_CIPHER_CTX_set_padding(&ctx_, 0)) {
DVLOG(1) << "EVP_CIPHER_CTX_set_padding() failed.";
return false;
}
return true;
}
bool AesCbcCrypto::Decrypt(base::span<const uint8_t> encrypted_data,
uint8_t* decrypted_data) {
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
if (encrypted_data.size_bytes() % EVP_CIPHER_CTX_block_size(&ctx_) != 0) {
DVLOG(1) << "Encrypted bytes not a multiple of block size.";
return false;
}
int out_length;
if (!EVP_DecryptUpdate(&ctx_, decrypted_data, &out_length,
encrypted_data.data(), encrypted_data.size_bytes())) {
DVLOG(1) << "EVP_DecryptUpdate() failed.";
return false;
}
return encrypted_data.size_bytes() == base::checked_cast<size_t>(out_length);
}
} // namespace media
|
