1// Copyright (c) 2011 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "chrome/browser/importer/nss_decryptor_system_nss.h"
6
7#include <pk11pub.h>
8#include <pk11sdr.h>
9
10#include "base/basictypes.h"
11#include "base/file_path.h"
12#include "base/string_util.h"
13#include "base/sys_string_conversions.h"
14#include "crypto/nss_util.h"
15
// Starts with NSS marked as uninitialized and no database slot held; both
// members are set by Init().
NSSDecryptor::NSSDecryptor()
    : is_nss_initialized_(false),
      db_slot_(NULL) {
}
// Releases the slot obtained in Init(), if there is one.
NSSDecryptor::~NSSDecryptor() {
  if (!db_slot_)
    return;

  // The user db itself is deliberately left open, in case more than one has
  // to be opened: there is an NSS bug with reopening user dbs.
  // https://bugzilla.mozilla.org/show_bug.cgi?id=506140
  // SECMOD_CloseUserDB(db_slot_);
  PK11_FreeSlot(db_slot_);
}
26
// Makes sure NSS is initialized, then opens the NSS database located in
// |db_path| read-only as a user database and keeps its slot in |db_slot_|.
// |dll_path| is not used by this implementation.
// Returns true when a slot for the database was obtained.
//
// NOTE(review): |db_path| is placed between single quotes in the module spec
// without any escaping. A path containing a quote (or, presumably, a
// backslash) would be misparsed by NSS and could append parameters of its own
// to the spec. Confirm that callers only pass trusted profile directories, or
// escape the value before formatting it.
bool NSSDecryptor::Init(const FilePath& dll_path, const FilePath& db_path) {
  crypto::EnsureNSSInit();
  is_nss_initialized_ = true;

  const std::string& config_dir = db_path.value();
  const std::string module_spec = StringPrintf(
      "configDir='%s' tokenDescription='Firefox NSS database' "
      "flags=readOnly",
      config_dir.c_str());

  db_slot_ = SECMOD_OpenUserDB(module_spec.c_str());
  if (!db_slot_)
    return false;
  return true;
}
36
37// This method is based on some NSS code in
38//   security/nss/lib/pk11wrap/pk11sdr.c, CVS revision 1.22
39// This code is copied because the implementation assumes the use of the
40// internal key slot for decryption, but we need to use another slot.
41// The license block is:
42/* ***** BEGIN LICENSE BLOCK *****
43 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
44 *
45 * The contents of this file are subject to the Mozilla Public License Version
46 * 1.1 (the "License"); you may not use this file except in compliance with
47 * the License. You may obtain a copy of the License at
48 * http://www.mozilla.org/MPL/
49 *
50 * Software distributed under the License is distributed on an "AS IS" basis,
51 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
52 * for the specific language governing rights and limitations under the
53 * License.
54 *
55 * The Original Code is the Netscape security libraries.
56 *
57 * The Initial Developer of the Original Code is
58 * Netscape Communications Corporation.
59 * Portions created by the Initial Developer are Copyright (C) 1994-2000
60 * the Initial Developer. All Rights Reserved.
61 *
62 * Contributor(s):
63 *   thayes@netscape.com
64 *
65 * Alternatively, the contents of this file may be used under the terms of
66 * either the GNU General Public License Version 2 or later (the "GPL"), or
67 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
68 * in which case the provisions of the GPL or the LGPL are applicable instead
69 * of those above. If you wish to allow use of your version of this file only
70 * under the terms of either the GPL or the LGPL, and not to allow others to
71 * use your version of this file under the terms of the MPL, indicate your
72 * decision by deleting the provisions above and replace them with the notice
73 * and other provisions required by the GPL or the LGPL. If you do not delete
74 * the provisions above, a recipient may use your version of this file under
75 * the terms of any one of the MPL, the GPL or the LGPL.
76 *
77 * ***** END LICENSE BLOCK ***** */
78
/*
 * Data structure (the matching ASN.1 template is g_template) for the encoded
 * result of an SDR operation.
 *  This is temporary.  It should include the algorithm ID of the encryption
 *  mechanism
 */
struct SDRResult {
  SECItem keyid;       /* id used to look up the fixed key for the blob */
  SECAlgorithmID alg;  /* algorithm id; the cipher parameters come from it */
  SECItem data;        /* payload handed to the decryption routine */
};
91
/*
 * ASN.1 template that maps a DER-encoded SDR blob onto SDRResult: a SEQUENCE
 * holding, in this order, the key id, the algorithm identifier and the data.
 */
static SEC_ASN1Template g_template[] = {
  /* outer SEQUENCE; the destination structure has the size of SDRResult */
  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (SDRResult) },
  /* OCTET STRING stored in SDRResult::keyid */
  { SEC_ASN1_OCTET_STRING, offsetof(SDRResult, keyid) },
  /* algorithm identifier, decoded in place into SDRResult::alg through the
   * SECOID_AlgorithmIDTemplate sub-template */
  { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(SDRResult, alg),
    SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
  /* OCTET STRING stored in SDRResult::data */
  { SEC_ASN1_OCTET_STRING, offsetof(SDRResult, data) },
  /* end-of-template marker */
  { 0 }
};
100
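/*
 * Verifies and strips the block padding of a decrypted buffer.
 *
 * data      - decrypted bytes with the padding still attached; not modified.
 * blockSize - block size of the cipher, in bytes.
 * result    - receives a PORT_Alloc'ed copy of the unpadded bytes, owned by
 *             the caller; left empty (data 0, len 0) on failure.
 *
 * Returns SECSuccess when the padding is consistent, SECWouldBlock when it is
 * consistent but the pad length is below 2 (the caller treats this as a
 * low-confidence match; result is filled in all the same), and SECFailure
 * otherwise.
 */
static SECStatus
unpadBlock(SECItem *data, int blockSize, SECItem *result)
{
  unsigned int block;
  unsigned int padLength;
  unsigned int unpaddedLen;
  unsigned int i;
  unsigned char *copy;

  result->data = 0;
  result->len = 0;

  /* A block size of zero (or a negative one) would make the modulo below
   * undefined, so it is rejected before any arithmetic is done with it. */
  if (blockSize <= 0)
    return SECFailure;
  block = static_cast<unsigned int>(blockSize);

  /* Remove the padding from the end of the input data */
  if (data->len == 0 || data->len % block != 0)
    return SECFailure;

  /* The last byte holds the pad length. It is at most |block|, and |data|
   * holds at least one whole block, so the subtractions below cannot wrap. */
  padLength = data->data[data->len - 1];
  if (padLength > block)
    return SECFailure;

  /* verify padding: every pad byte has to repeat the pad length */
  for (i = data->len - padLength; i < data->len; i++) {
    if (data->data[i] != padLength)
      return SECFailure;
  }

  /* |result| is only written once the copy exists, so a failed allocation
   * does not leave a non-zero length next to a null pointer. */
  unpaddedLen = data->len - padLength;
  copy = static_cast<unsigned char *>(PORT_Alloc(unpaddedLen));
  if (!copy)
    return SECFailure;

  PORT_Memcpy(copy, data->data, unpaddedLen);
  result->data = copy;
  result->len = unpaddedLen;

  /* NOTE(review): a pad length of 0 is not valid block padding, yet it
   * reaches this point and is reported as a low-confidence match with
   * nothing stripped. Kept as is; confirm whether it should be rejected. */
  if (padLength < 2)
    return SECWouldBlock;

  return SECSuccess;
}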
141
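/*
 * Decrypts |in| with |key| and strips the block padding from the output.
 *
 * slot   - not used by this function.
 * arena  - arena that receives the intermediate, still padded plaintext.
 * type   - mechanism used for the decryption context and the block size.
 * key    - symmetric key to decrypt with.
 * params - mechanism parameters for the decryption context.
 * in     - ciphertext.
 * result - receives the unpadded plaintext as allocated by unpadBlock();
 *          not touched when the failure happens before unpadding.
 *
 * Returns the status of unpadBlock() (SECSuccess, SECWouldBlock or
 * SECFailure) once the cipher operation has succeeded, and the failing
 * status otherwise.
 */
static SECStatus
pk11Decrypt(PK11SlotInfo *slot, PLArenaPool *arena,
            CK_MECHANISM_TYPE type, PK11SymKey *key,
            SECItem *params, SECItem *in, SECItem *result)
{
  /* All locals are declared before the first goto, since C++ does not allow
   * a jump to bypass an initialization. */
  PK11Context *ctx = 0;
  SECItem paddedResult;
  SECStatus rv = SECFailure;
  int outLen = 0;

  paddedResult.len = 0;
  paddedResult.data = 0;

  ctx = PK11_CreateContextBySymKey(type, CKA_DECRYPT, key, params);
  if (!ctx) { rv = SECFailure; goto loser; }

  paddedResult.data = static_cast<unsigned char*>(
      PORT_ArenaAlloc(arena, in->len));
  /* Without this check a failed allocation would be handed to
   * PK11_CipherOp() as its output buffer. */
  if (!paddedResult.data) { rv = SECFailure; goto loser; }

  /* The output length goes through a real int instead of a cast of the
   * unsigned SECItem length field. */
  rv = PK11_CipherOp(ctx, paddedResult.data,
                     &outLen, in->len,
                     in->data, in->len);
  if (rv != SECSuccess) goto loser;
  if (outLen < 0) { rv = SECFailure; goto loser; }
  paddedResult.len = static_cast<unsigned int>(outLen);

  /* NOTE(review): the status of PK11_Finalize() is not checked. */
  PK11_Finalize(ctx);

  /* Remove the padding */
  rv = unpadBlock(&paddedResult, PK11_GetBlockSize(type, 0), result);

loser:
  if (ctx) PK11_DestroyContext(ctx, PR_TRUE);
  return rv;
}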
177
// Decrypts an SDR blob with keys taken from |slot|.
//
// |data| is the DER-encoded blob (key id, algorithm identifier, encrypted
// data; see g_template). The key named by the blob's key id is tried first;
// if that does not give a clean result, every fixed key listed in |slot| is
// tried in turn. |cx| is passed through unchanged to the NSS key lookup
// calls.
//
// On success |result| holds the plaintext in a buffer that unpadBlock()
// allocated with PORT_Alloc; presumably the caller has to release it (for
// instance with SECITEM_ZfreeItem) -- confirm against the callers.
//
// Returns SECSuccess when a plaintext was produced, including the case where
// only a low-confidence candidate (pad length below 2) was found; any other
// value means failure.
SECStatus NSSDecryptor::PK11SDR_DecryptWithSlot(
    PK11SlotInfo* slot, SECItem* data, SECItem* result, void* cx) const {
  SECStatus rv = SECSuccess;
  PK11SymKey *key = 0;
  CK_MECHANISM_TYPE type;
  SDRResult sdrResult;
  SECItem *params = 0;
  /* Low-confidence plaintext remembered while other keys are tried. */
  SECItem possibleResult = { siBuffer, NULL, 0 };
  PLArenaPool *arena = 0;

  arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
  if (!arena) { rv = SECFailure; goto loser; }

  /* Decode the incoming data */
  memset(&sdrResult, 0, sizeof sdrResult);
  rv = SEC_QuickDERDecodeItem(arena, &sdrResult, g_template, data);
  if (rv != SECSuccess) goto loser;  /* Invalid format */

  /* Get the parameter values from the data */
  params = PK11_ParamFromAlgid(&sdrResult.alg);
  if (!params) { rv = SECFailure; goto loser; }

  /* Use triple-DES (Should look up the algorithm).
   * The mechanism is fixed here: the algorithm identifier from the blob is
   * only used above to derive |params|, not to select the mechanism. */
  type = CKM_DES3_CBC;
  key = PK11_FindFixedKey(slot, type, &sdrResult.keyid, cx);
  if (!key) {
    rv = SECFailure;
  } else {
    rv = pk11Decrypt(slot, arena, type, key, params,
                     &sdrResult.data, result);
  }

  /*
   * if the pad value was too small (unpadBlock() reports SECWouldBlock for a
   * pad length below 2), then it's statistically 'likely' (1 in 256) that we
   * may not have the correct key. Check the other keys for a better match.
   * If we find none, use this result.
   */
  if (rv == SECWouldBlock)
    possibleResult = *result;

  /*
   * handle the case where your key indices may have been broken: try every
   * fixed key in the slot
   */
  if (rv != SECSuccess) {
    PK11SymKey *keyList = PK11_ListFixedKeysInSlot(slot, NULL, cx);
    PK11SymKey *testKey = NULL;
    PK11SymKey *nextKey = NULL;

    for (testKey = keyList; testKey;
         testKey = PK11_GetNextSymKey(testKey)) {
      rv = pk11Decrypt(slot, arena, type, testKey, params,
                       &sdrResult.data, result);
      if (rv == SECSuccess)
        break;

      /* found a close match. If it's our first remember it */
      if (rv == SECWouldBlock) {
        if (possibleResult.data) {
          /* this is unlikely but possible. If we hit this condition,
           * we have no way of knowing which possibility to prefer.
           * in this case we just match the key the application
           * thought was the right one.
           * The newer candidate is zeroed and freed; the first one stays. */
          SECITEM_ZfreeItem(result, PR_FALSE);
        } else {
          possibleResult = *result;
        }
      }
    }

    /* free the list; the next key is fetched before the current one is
     * freed */
    for (testKey = keyList; testKey; testKey = nextKey) {
         nextKey = PK11_GetNextSymKey(testKey);
      PK11_FreeSymKey(testKey);
    }
  }

  /* we didn't find a better key, use the one with a small pad value.
   * Ownership of the buffer moves to |result|, so possibleResult.data is
   * cleared to keep the cleanup below from freeing it. */
  if ((rv != SECSuccess) && (possibleResult.data)) {
    *result = possibleResult;
    possibleResult.data = NULL;
    rv = SECSuccess;
  }

 loser:
  /* The arena is freed with its zero flag set (PR_TRUE); it holds the padded
   * plaintext that pk11Decrypt() allocated from it. */
  if (arena) PORT_FreeArena(arena, PR_TRUE);
  if (key) PK11_FreeSymKey(key);
  if (params) SECITEM_ZfreeItem(params, PR_TRUE);
  /* A candidate that was not handed to |result| is zeroed and freed. */
  if (possibleResult.data) SECITEM_ZfreeItem(&possibleResult, PR_FALSE);

  return rv;
}
270