Head

GCC Code Coverage Report

Directory:	./		Exec	Total	Coverage
File:	crypto/crypto_aes.cc	Lines:	215	310	69.4 %
Date:	2022-05-23 04:15:47	Branches:	132	238	55.5 %


#include "crypto/crypto_aes.h"
#include "async_wrap-inl.h"
#include "base_object-inl.h"
#include "crypto/crypto_cipher.h"
#include "crypto/crypto_keys.h"
#include "crypto/crypto_util.h"
#include "env-inl.h"
#include "memory_tracker-inl.h"
#include "threadpoolwork-inl.h"
#include "v8.h"

#include <openssl/bn.h>
#include <openssl/aes.h>

#include <vector>

namespace node {

using v8::FunctionCallbackInfo;
using v8::Just;
using v8::Local;
using v8::Maybe;
using v8::Nothing;
using v8::Object;
using v8::Uint32;
using v8::Value;

namespace crypto {
namespace {
// Implements general AES encryption and decryption for CBC
// The key_data must be a secret key.
// On success, this function sets out to a new ByteSource
// instance containing the results and returns WebCryptoCipherStatus::OK.
WebCryptoCipherStatus AES_Cipher(
    Environment* env,
    KeyObjectData* key_data,
    WebCryptoCipherMode cipher_mode,
    const AESCipherConfig& params,
    const ByteSource& in,
    ByteSource* out) {
  CHECK_NOT_NULL(key_data);
  CHECK_EQ(key_data->GetKeyType(), kKeyTypeSecret);

  const int mode = EVP_CIPHER_mode(params.cipher);

  CipherCtxPointer ctx(EVP_CIPHER_CTX_new());
  EVP_CIPHER_CTX_init(ctx.get());
  if (mode == EVP_CIPH_WRAP_MODE)
    EVP_CIPHER_CTX_set_flags(ctx.get(), EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);

  const bool encrypt = cipher_mode == kWebCryptoCipherEncrypt;

  if (!EVP_CipherInit_ex(
          ctx.get(),
          params.cipher,
          nullptr,
          nullptr,
          nullptr,
          encrypt)) {
    // Cipher init failed
    return WebCryptoCipherStatus::FAILED;
  }

  if (mode == EVP_CIPH_GCM_MODE && !EVP_CIPHER_CTX_ctrl(
        ctx.get(),
        EVP_CTRL_AEAD_SET_IVLEN,
        params.iv.size(),
        nullptr)) {
    return WebCryptoCipherStatus::FAILED;
  }

  if (!EVP_CIPHER_CTX_set_key_length(
          ctx.get(),
          key_data->GetSymmetricKeySize()) ||
      !EVP_CipherInit_ex(
          ctx.get(),
          nullptr,
          nullptr,
          reinterpret_cast<const unsigned char*>(key_data->GetSymmetricKey()),
          params.iv.data<unsigned char>(),
          encrypt)) {
    return WebCryptoCipherStatus::FAILED;
  }

  size_t tag_len = 0;

  if (mode == EVP_CIPH_GCM_MODE) {
    switch (cipher_mode) {
      case kWebCryptoCipherDecrypt:
        // If in decrypt mode, the auth tag must be set in the params.tag.
        CHECK(params.tag);
        if (!EVP_CIPHER_CTX_ctrl(
                ctx.get(),
                EVP_CTRL_AEAD_SET_TAG,
                params.tag.size(),
                const_cast<char*>(params.tag.get()))) {
          return WebCryptoCipherStatus::FAILED;
        }
        break;
      case kWebCryptoCipherEncrypt:
        // In decrypt mode, we grab the tag length here. We'll use it to
        // ensure that that allocated buffer has enough room for both the
        // final block and the auth tag. Unlike our other AES-GCM implementation
        // in CipherBase, in WebCrypto, the auth tag is concatenated to the end
        // of the generated ciphertext and returned in the same ArrayBuffer.
        tag_len = params.length;
        break;
      default:
        UNREACHABLE();
    }
  }

  size_t total = 0;
  int buf_len = in.size() + EVP_CIPHER_CTX_block_size(ctx.get()) + tag_len;
  int out_len;

  if (mode == EVP_CIPH_GCM_MODE &&
      params.additional_data.size() &&
      !EVP_CipherUpdate(
            ctx.get(),
            nullptr,
            &out_len,
            params.additional_data.data<unsigned char>(),
            params.additional_data.size())) {
    return WebCryptoCipherStatus::FAILED;
  }

  char* data = MallocOpenSSL<char>(buf_len);
  ByteSource buf = ByteSource::Allocated(data, buf_len);
  unsigned char* ptr = reinterpret_cast<unsigned char*>(data);

  // In some outdated version of OpenSSL (e.g.
  // ubi81_sharedlibs_openssl111fips_x64) may be used in sharedlib mode, the
  // logic will be failed when input size is zero. The newly OpenSSL has fixed
  // it up. But we still have to regard zero as special in Node.js code to
  // prevent old OpenSSL failure.
  //
  // Refs: https://github.com/openssl/openssl/commit/420cb707b880e4fb649094241371701013eeb15f
  // Refs: https://github.com/nodejs/node/pull/38913#issuecomment-866505244
  if (in.size() == 0) {
    out_len = 0;
  } else if (!EVP_CipherUpdate(
          ctx.get(),
          ptr,
          &out_len,
          in.data<unsigned char>(),
          in.size())) {
    return WebCryptoCipherStatus::FAILED;
  }

  total += out_len;
  CHECK_LE(out_len, buf_len);
  ptr += out_len;
  out_len = EVP_CIPHER_CTX_block_size(ctx.get());
  if (!EVP_CipherFinal_ex(ctx.get(), ptr, &out_len)) {
    return WebCryptoCipherStatus::FAILED;
  }
  total += out_len;

  // If using AES_GCM, grab the generated auth tag and append
  // it to the end of the ciphertext.
  if (cipher_mode == kWebCryptoCipherEncrypt && mode == EVP_CIPH_GCM_MODE) {
    data += out_len;
    if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_GET_TAG, tag_len, ptr))
      return WebCryptoCipherStatus::FAILED;
    total += tag_len;
  }

  // It's possible that we haven't used the full allocated space. Size down.
  buf.Resize(total);
  *out = std::move(buf);

  return WebCryptoCipherStatus::OK;
}

// The AES_CTR implementation here takes it's inspiration from the chromium
// implementation here:
// https://github.com/chromium/chromium/blob/7af6cfd/components/webcrypto/algorithms/aes_ctr.cc

template <typename T>
T CeilDiv(T a, T b) {
  return a == 0 ? 0 : 1 + (a - 1) / b;
}

BignumPointer GetCounter(const AESCipherConfig& params) {
  unsigned int remainder = (params.length % CHAR_BIT);
  const unsigned char* data = params.iv.data<unsigned char>();

  if (remainder == 0) {
    unsigned int byte_length = params.length / CHAR_BIT;
    return BignumPointer(BN_bin2bn(
        data + params.iv.size() - byte_length,
        byte_length,
        nullptr));
  }

  unsigned int byte_length =
      CeilDiv(params.length, static_cast<size_t>(CHAR_BIT));

  std::vector<unsigned char> counter(
      data + params.iv.size() - byte_length,
      data + params.iv.size());
  counter[0] &= ~(0xFF << remainder);

  return BignumPointer(BN_bin2bn(counter.data(), counter.size(), nullptr));
}

std::vector<unsigned char> BlockWithZeroedCounter(
    const AESCipherConfig& params) {
  unsigned int length_bytes = params.length / CHAR_BIT;
  unsigned int remainder = params.length % CHAR_BIT;

  const unsigned char* data = params.iv.data<unsigned char>();

  std::vector<unsigned char> new_counter_block(data, data + params.iv.size());

  size_t index = new_counter_block.size() - length_bytes;
  memset(&new_counter_block.front() + index, 0, length_bytes);

  if (remainder)
    new_counter_block[index - 1] &= 0xFF << remainder;

  return new_counter_block;
}

WebCryptoCipherStatus AES_CTR_Cipher2(
    KeyObjectData* key_data,
    WebCryptoCipherMode cipher_mode,
    const AESCipherConfig& params,
    const ByteSource& in,
    unsigned const char* counter,
    unsigned char* out) {
  CipherCtxPointer ctx(EVP_CIPHER_CTX_new());
  const bool encrypt = cipher_mode == kWebCryptoCipherEncrypt;

  if (!EVP_CipherInit_ex(
          ctx.get(),
          params.cipher,
          nullptr,
          reinterpret_cast<const unsigned char*>(key_data->GetSymmetricKey()),
          counter,
          encrypt)) {
    // Cipher init failed
    return WebCryptoCipherStatus::FAILED;
  }

  int out_len = 0;
  int final_len = 0;
  if (!EVP_CipherUpdate(
          ctx.get(),
          out,
          &out_len,
          in.data<unsigned char>(),
          in.size())) {
    return WebCryptoCipherStatus::FAILED;
  }

  if (!EVP_CipherFinal_ex(ctx.get(), out + out_len, &final_len))
    return WebCryptoCipherStatus::FAILED;

  out_len += final_len;
  if (static_cast<unsigned>(out_len) != in.size())
    return WebCryptoCipherStatus::FAILED;

  return WebCryptoCipherStatus::OK;
}

WebCryptoCipherStatus AES_CTR_Cipher(
    Environment* env,
    KeyObjectData* key_data,
    WebCryptoCipherMode cipher_mode,
    const AESCipherConfig& params,
    const ByteSource& in,
    ByteSource* out) {
  BignumPointer num_counters(BN_new());
  if (!BN_lshift(num_counters.get(), BN_value_one(), params.length))
    return WebCryptoCipherStatus::FAILED;

  BignumPointer current_counter = GetCounter(params);

  BignumPointer num_output(BN_new());

  if (!BN_set_word(num_output.get(), CeilDiv(in.size(), kAesBlockSize)))
    return WebCryptoCipherStatus::FAILED;

  // Just like in chromium's implementation, if the counter will
  // be incremented more than there are counter values, we fail.
  if (BN_cmp(num_output.get(), num_counters.get()) > 0)
    return WebCryptoCipherStatus::FAILED;

  BignumPointer remaining_until_reset(BN_new());
  if (!BN_sub(remaining_until_reset.get(),
              num_counters.get(),
              current_counter.get())) {
    return WebCryptoCipherStatus::FAILED;
  }

  // Output size is identical to the input size
  char* data = MallocOpenSSL<char>(in.size());
  ByteSource buf = ByteSource::Allocated(data, in.size());
  unsigned char* ptr = reinterpret_cast<unsigned char*>(data);

  // Also just like in chromium's implementation, if we can process
  // the input without wrapping the counter, we'll do it as a single
  // call here. If we can't, we'll fallback to the a two-step approach
  if (BN_cmp(remaining_until_reset.get(), num_output.get()) >= 0) {
    auto status = AES_CTR_Cipher2(
        key_data,
        cipher_mode,
        params,
        in,
        params.iv.data<unsigned char>(),
        ptr);
    if (status == WebCryptoCipherStatus::OK)
      *out = std::move(buf);
    return status;
  }

  BN_ULONG blocks_part1 = BN_get_word(remaining_until_reset.get());
  BN_ULONG input_size_part1 = blocks_part1 * kAesBlockSize;

  // Encrypt the first part...
  auto status = AES_CTR_Cipher2(
      key_data,
      cipher_mode,
      params,
      ByteSource::Foreign(in.get(), input_size_part1),
      params.iv.data<unsigned char>(),
      ptr);

  if (status != WebCryptoCipherStatus::OK)
    return status;

  // Wrap the counter around to zero
  std::vector<unsigned char> new_counter_block = BlockWithZeroedCounter(params);

  // Encrypt the second part...
  status = AES_CTR_Cipher2(
      key_data,
      cipher_mode,
      params,
      ByteSource::Foreign(
          in.get() + input_size_part1,
          in.size() - input_size_part1),
      new_counter_block.data(),
      ptr + input_size_part1);

  if (status == WebCryptoCipherStatus::OK)
    *out = std::move(buf);

  return status;
}

bool ValidateIV(
    Environment* env,
    CryptoJobMode mode,
    Local<Value> value,
    AESCipherConfig* params) {
  ArrayBufferOrViewContents<char> iv(value);
  if (UNLIKELY(!iv.CheckSizeInt32())) {
    THROW_ERR_OUT_OF_RANGE(env, "iv is too big");
    return false;
  }
  params->iv = (mode == kCryptoJobAsync)
      ? iv.ToCopy()
      : iv.ToByteSource();
  return true;
}

bool ValidateCounter(
  Environment* env,
  Local<Value> value,
  AESCipherConfig* params) {
  CHECK(value->IsUint32());  // Length
  params->length = value.As<Uint32>()->Value();
  if (params->iv.size() != 16 ||
      params->length == 0 ||
      params->length > 128) {
    THROW_ERR_CRYPTO_INVALID_COUNTER(env);
    return false;
  }
  return true;
}

bool ValidateAuthTag(
    Environment* env,
    CryptoJobMode mode,
    WebCryptoCipherMode cipher_mode,
    Local<Value> value,
    AESCipherConfig* params) {
  switch (cipher_mode) {
    case kWebCryptoCipherDecrypt: {
      if (!IsAnyByteSource(value)) {
        THROW_ERR_CRYPTO_INVALID_TAG_LENGTH(env);
        return false;
      }
      ArrayBufferOrViewContents<char> tag_contents(value);
      if (UNLIKELY(!tag_contents.CheckSizeInt32())) {
        THROW_ERR_OUT_OF_RANGE(env, "tagLength is too big");
        return false;
      }
      params->tag = mode == kCryptoJobAsync
          ? tag_contents.ToCopy()
          : tag_contents.ToByteSource();
      break;
    }
    case kWebCryptoCipherEncrypt: {
      if (!value->IsUint32()) {
        THROW_ERR_CRYPTO_INVALID_TAG_LENGTH(env);
        return false;
      }
      params->length = value.As<Uint32>()->Value();
      if (params->length > 128) {
        THROW_ERR_CRYPTO_INVALID_TAG_LENGTH(env);
        return false;
      }
      break;
    }
    default:
      UNREACHABLE();
  }
  return true;
}

bool ValidateAdditionalData(
    Environment* env,
    CryptoJobMode mode,
    Local<Value> value,
    AESCipherConfig* params) {
  // Additional Data
  if (IsAnyByteSource(value)) {
    ArrayBufferOrViewContents<char> additional(value);
    if (UNLIKELY(!additional.CheckSizeInt32())) {
      THROW_ERR_OUT_OF_RANGE(env, "additionalData is too big");
      return false;
    }
    params->additional_data = mode == kCryptoJobAsync
        ? additional.ToCopy()
        : additional.ToByteSource();
  }
  return true;
}

void UseDefaultIV(AESCipherConfig* params) {
  params->iv = ByteSource::Foreign(kDefaultWrapIV, strlen(kDefaultWrapIV));
}
}  // namespace

AESCipherConfig::AESCipherConfig(AESCipherConfig&& other) noexcept
    : mode(other.mode),
      variant(other.variant),
      cipher(other.cipher),
      length(other.length),
      iv(std::move(other.iv)),
      additional_data(std::move(other.additional_data)),
      tag(std::move(other.tag)) {}

AESCipherConfig& AESCipherConfig::operator=(AESCipherConfig&& other) noexcept {
  if (&other == this) return *this;
  this->~AESCipherConfig();
  return *new (this) AESCipherConfig(std::move(other));
}

void AESCipherConfig::MemoryInfo(MemoryTracker* tracker) const {
  // If mode is sync, then the data in each of these properties
  // is not owned by the AESCipherConfig, so we ignore it.
  if (mode == kCryptoJobAsync) {
    tracker->TrackFieldWithSize("iv", iv.size());
    tracker->TrackFieldWithSize("additional_data", additional_data.size());
    tracker->TrackFieldWithSize("tag", tag.size());
  }
}

Maybe<bool> AESCipherTraits::AdditionalConfig(
    CryptoJobMode mode,
    const FunctionCallbackInfo<Value>& args,
    unsigned int offset,
    WebCryptoCipherMode cipher_mode,
    AESCipherConfig* params) {
  Environment* env = Environment::GetCurrent(args);

  params->mode = mode;

  CHECK(args[offset]->IsUint32());  // Key Variant
  params->variant =
      static_cast<AESKeyVariant>(args[offset].As<Uint32>()->Value());

  int cipher_nid;

  switch (params->variant) {
    case kKeyVariantAES_CTR_128:
      if (!ValidateIV(env, mode, args[offset + 1], params) ||
          !ValidateCounter(env, args[offset + 2], params)) {
        return Nothing<bool>();
      }
      cipher_nid = NID_aes_128_ctr;
      break;
    case kKeyVariantAES_CTR_192:
      if (!ValidateIV(env, mode, args[offset + 1], params) ||
          !ValidateCounter(env, args[offset + 2], params)) {
        return Nothing<bool>();
      }
      cipher_nid = NID_aes_192_ctr;
      break;
    case kKeyVariantAES_CTR_256:
      if (!ValidateIV(env, mode, args[offset + 1], params) ||
          !ValidateCounter(env, args[offset + 2], params)) {
        return Nothing<bool>();
      }
      cipher_nid = NID_aes_256_ctr;
      break;
    case kKeyVariantAES_CBC_128:
      if (!ValidateIV(env, mode, args[offset + 1], params))
        return Nothing<bool>();
      cipher_nid = NID_aes_128_cbc;
      break;
    case kKeyVariantAES_CBC_192:
      if (!ValidateIV(env, mode, args[offset + 1], params))
        return Nothing<bool>();
      cipher_nid = NID_aes_192_cbc;
      break;
    case kKeyVariantAES_CBC_256:
      if (!ValidateIV(env, mode, args[offset + 1], params))
        return Nothing<bool>();
      cipher_nid = NID_aes_256_cbc;
      break;
    case kKeyVariantAES_KW_128:
      UseDefaultIV(params);
      cipher_nid = NID_id_aes128_wrap;
      break;
    case kKeyVariantAES_KW_192:
      UseDefaultIV(params);
      cipher_nid = NID_id_aes192_wrap;
      break;
    case kKeyVariantAES_KW_256:
      UseDefaultIV(params);
      cipher_nid = NID_id_aes256_wrap;
      break;
    case kKeyVariantAES_GCM_128:
      if (!ValidateIV(env, mode, args[offset + 1], params) ||
          !ValidateAuthTag(env, mode, cipher_mode, args[offset + 2], params) ||
          !ValidateAdditionalData(env, mode, args[offset + 3], params)) {
        return Nothing<bool>();
      }
      cipher_nid = NID_aes_128_gcm;
      break;
    case kKeyVariantAES_GCM_192:
      if (!ValidateIV(env, mode, args[offset + 1], params) ||
          !ValidateAuthTag(env, mode, cipher_mode, args[offset + 2], params) ||
          !ValidateAdditionalData(env, mode, args[offset + 3], params)) {
        return Nothing<bool>();
      }
      cipher_nid = NID_aes_192_gcm;
      break;
    case kKeyVariantAES_GCM_256:
      if (!ValidateIV(env, mode, args[offset + 1], params) ||
          !ValidateAuthTag(env, mode, cipher_mode, args[offset + 2], params) ||
          !ValidateAdditionalData(env, mode, args[offset + 3], params)) {
        return Nothing<bool>();
      }
      cipher_nid = NID_aes_256_gcm;
      break;
    default:
      UNREACHABLE();
  }

  params->cipher = EVP_get_cipherbynid(cipher_nid);
  CHECK_NOT_NULL(params->cipher);

  if (params->iv.size() <
      static_cast<size_t>(EVP_CIPHER_iv_length(params->cipher))) {
    THROW_ERR_CRYPTO_INVALID_IV(env);
    return Nothing<bool>();
  }

  return Just(true);
}

WebCryptoCipherStatus AESCipherTraits::DoCipher(
    Environment* env,
    std::shared_ptr<KeyObjectData> key_data,
    WebCryptoCipherMode cipher_mode,
    const AESCipherConfig& params,
    const ByteSource& in,
    ByteSource* out) {
#define V(name, fn)                                                           \
  case kKeyVariantAES_ ## name:                                               \
    return fn(env, key_data.get(), cipher_mode, params, in, out);
  switch (params.variant) {
    VARIANTS(V)
    default:
      UNREACHABLE();
  }
#undef V
}

void AES::Initialize(Environment* env, Local<Object> target) {
  AESCryptoJob::Initialize(env, target);

#define V(name, _) NODE_DEFINE_CONSTANT(target, kKeyVariantAES_ ## name);
  VARIANTS(V)
#undef V
}

void AES::RegisterExternalReferences(ExternalReferenceRegistry* registry) {
  AESCryptoJob::RegisterExternalReferences(registry);
}

}  // namespace crypto
}  // namespace node


Generated by: GCOVR (Version 4.2)

Line	Branch	Exec	Source
1			#include "crypto/crypto_aes.h"
2			#include "async_wrap-inl.h"
3			#include "base_object-inl.h"
4			#include "crypto/crypto_cipher.h"
5			#include "crypto/crypto_keys.h"
6			#include "crypto/crypto_util.h"
7			#include "env-inl.h"
8			#include "memory_tracker-inl.h"
9			#include "threadpoolwork-inl.h"
10			#include "v8.h"
11
12			#include <openssl/bn.h>
13			#include <openssl/aes.h>
14
15			#include <vector>
16
17			namespace node {
18
19			using v8::FunctionCallbackInfo;
20			using v8::Just;
21			using v8::Local;
22			using v8::Maybe;
23			using v8::Nothing;
24			using v8::Object;
25			using v8::Uint32;
26			using v8::Value;
27
28			namespace crypto {
29			namespace {
30			// Implements general AES encryption and decryption for CBC
31			// The key_data must be a secret key.
32			// On success, this function sets out to a new ByteSource
33			// instance containing the results and returns WebCryptoCipherStatus::OK.
34		801	WebCryptoCipherStatus AES_Cipher(
35			Environment* env,
36			KeyObjectData* key_data,
37			WebCryptoCipherMode cipher_mode,
38			const AESCipherConfig& params,
39			const ByteSource& in,
40			ByteSource* out) {
41	✗✓	801	CHECK_NOT_NULL(key_data);
42	✗✓	801	CHECK_EQ(key_data->GetKeyType(), kKeyTypeSecret);
43
44		801	const int mode = EVP_CIPHER_mode(params.cipher);
45
46		1602	CipherCtxPointer ctx(EVP_CIPHER_CTX_new());
47		801	EVP_CIPHER_CTX_init(ctx.get());
48	✓✓	801	if (mode == EVP_CIPH_WRAP_MODE)
49		76	EVP_CIPHER_CTX_set_flags(ctx.get(), EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
50
51		801	const bool encrypt = cipher_mode == kWebCryptoCipherEncrypt;
52
53	✗✓	801	if (!EVP_CipherInit_ex(
54			ctx.get(),
55		801	params.cipher,
56			nullptr,
57			nullptr,
58			nullptr,
59			encrypt)) {
60			// Cipher init failed
61			return WebCryptoCipherStatus::FAILED;
62			}
63
64	✓✓✗✓ ✗✓	1275	if (mode == EVP_CIPH_GCM_MODE && !EVP_CIPHER_CTX_ctrl(
65			ctx.get(),
66			EVP_CTRL_AEAD_SET_IVLEN,
67		474	params.iv.size(),
68			nullptr)) {
69			return WebCryptoCipherStatus::FAILED;
70			}
71
72		801	if (!EVP_CIPHER_CTX_set_key_length(
73			ctx.get(),
74	✓✗✗✓ ✗✓	2403	key_data->GetSymmetricKeySize()) \|\|
75		1602	!EVP_CipherInit_ex(
76			ctx.get(),
77			nullptr,
78			nullptr,
79		801	reinterpret_cast<const unsigned char*>(key_data->GetSymmetricKey()),
80			params.iv.data<unsigned char>(),
81			encrypt)) {
82			return WebCryptoCipherStatus::FAILED;
83			}
84
85		801	size_t tag_len = 0;
86
87	✓✓	801	if (mode == EVP_CIPH_GCM_MODE) {
88	✓✓✗	474	switch (cipher_mode) {
89		228	case kWebCryptoCipherDecrypt:
90			// If in decrypt mode, the auth tag must be set in the params.tag.
91	✗✓	228	CHECK(params.tag);
92	✗✓	228	if (!EVP_CIPHER_CTX_ctrl(
93			ctx.get(),
94			EVP_CTRL_AEAD_SET_TAG,
95		228	params.tag.size(),
96		228	const_cast<char*>(params.tag.get()))) {
97			return WebCryptoCipherStatus::FAILED;
98			}
99		228	break;
100		246	case kWebCryptoCipherEncrypt:
101			// In decrypt mode, we grab the tag length here. We'll use it to
102			// ensure that that allocated buffer has enough room for both the
103			// final block and the auth tag. Unlike our other AES-GCM implementation
104			// in CipherBase, in WebCrypto, the auth tag is concatenated to the end
105			// of the generated ciphertext and returned in the same ArrayBuffer.
106		246	tag_len = params.length;
107		246	break;
108			default:
109			UNREACHABLE();
110			}
111			}
112
113		801	size_t total = 0;
114		801	int buf_len = in.size() + EVP_CIPHER_CTX_block_size(ctx.get()) + tag_len;
115			int out_len;
116
117	✓✓	474	if (mode == EVP_CIPH_GCM_MODE &&
118	✓✓✗✓ ✗✓	1275	params.additional_data.size() &&
119		318	!EVP_CipherUpdate(
120			ctx.get(),
121			nullptr,
122			&out_len,
123			params.additional_data.data<unsigned char>(),
124		318	params.additional_data.size())) {
125			return WebCryptoCipherStatus::FAILED;
126			}
127
128		801	char* data = MallocOpenSSL<char>(buf_len);
129		1602	ByteSource buf = ByteSource::Allocated(data, buf_len);
130		801	unsigned char* ptr = reinterpret_cast<unsigned char*>(data);
131
132			// In some outdated version of OpenSSL (e.g.
133			// ubi81_sharedlibs_openssl111fips_x64) may be used in sharedlib mode, the
134			// logic will be failed when input size is zero. The newly OpenSSL has fixed
135			// it up. But we still have to regard zero as special in Node.js code to
136			// prevent old OpenSSL failure.
137			//
138			// Refs: https://github.com/openssl/openssl/commit/420cb707b880e4fb649094241371701013eeb15f
139			// Refs: https://github.com/nodejs/node/pull/38913#issuecomment-866505244
140	✓✓	801	if (in.size() == 0) {
141		2	out_len = 0;
142	✗✓	799	} else if (!EVP_CipherUpdate(
143			ctx.get(),
144			ptr,
145			&out_len,
146			in.data<unsigned char>(),
147		799	in.size())) {
148			return WebCryptoCipherStatus::FAILED;
149			}
150
151		801	total += out_len;
152	✗✓	801	CHECK_LE(out_len, buf_len);
153		801	ptr += out_len;
154		801	out_len = EVP_CIPHER_CTX_block_size(ctx.get());
155	✓✓	801	if (!EVP_CipherFinal_ex(ctx.get(), ptr, &out_len)) {
156		15	return WebCryptoCipherStatus::FAILED;
157			}
158		786	total += out_len;
159
160			// If using AES_GCM, grab the generated auth tag and append
161			// it to the end of the ciphertext.
162	✓✓✓✓	786	if (cipher_mode == kWebCryptoCipherEncrypt && mode == EVP_CIPH_GCM_MODE) {
163		246	data += out_len;
164	✗✓	246	if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_GET_TAG, tag_len, ptr))
165			return WebCryptoCipherStatus::FAILED;
166		246	total += tag_len;
167			}
168
169			// It's possible that we haven't used the full allocated space. Size down.
170		786	buf.Resize(total);
171		786	*out = std::move(buf);
172
173		786	return WebCryptoCipherStatus::OK;
174			}
175
176			// The AES_CTR implementation here takes it's inspiration from the chromium
177			// implementation here:
178			// https://github.com/chromium/chromium/blob/7af6cfd/components/webcrypto/algorithms/aes_ctr.cc
179
180			template <typename T>
181		236	T CeilDiv(T a, T b) {
182	✓✗	236	return a == 0 ? 0 : 1 + (a - 1) / b;
183			}
184
185		236	BignumPointer GetCounter(const AESCipherConfig& params) {
186		236	unsigned int remainder = (params.length % CHAR_BIT);
187		236	const unsigned char* data = params.iv.data<unsigned char>();
188
189	✓✗	236	if (remainder == 0) {
190		236	unsigned int byte_length = params.length / CHAR_BIT;
191			return BignumPointer(BN_bin2bn(
192		472	data + params.iv.size() - byte_length,
193			byte_length,
194		236	nullptr));
195			}
196
197			unsigned int byte_length =
198			CeilDiv(params.length, static_cast<size_t>(CHAR_BIT));
199
200			std::vector<unsigned char> counter(
201			data + params.iv.size() - byte_length,
202			data + params.iv.size());
203			counter[0] &= ~(0xFF << remainder);
204
205			return BignumPointer(BN_bin2bn(counter.data(), counter.size(), nullptr));
206			}
207
208			std::vector<unsigned char> BlockWithZeroedCounter(
209			const AESCipherConfig& params) {
210			unsigned int length_bytes = params.length / CHAR_BIT;
211			unsigned int remainder = params.length % CHAR_BIT;
212
213			const unsigned char* data = params.iv.data<unsigned char>();
214
215			std::vector<unsigned char> new_counter_block(data, data + params.iv.size());
216
217			size_t index = new_counter_block.size() - length_bytes;
218			memset(&new_counter_block.front() + index, 0, length_bytes);
219
220			if (remainder)
221			new_counter_block[index - 1] &= 0xFF << remainder;
222
223			return new_counter_block;
224			}
225
226		236	WebCryptoCipherStatus AES_CTR_Cipher2(
227			KeyObjectData* key_data,
228			WebCryptoCipherMode cipher_mode,
229			const AESCipherConfig& params,
230			const ByteSource& in,
231			unsigned const char* counter,
232			unsigned char* out) {
233		472	CipherCtxPointer ctx(EVP_CIPHER_CTX_new());
234		236	const bool encrypt = cipher_mode == kWebCryptoCipherEncrypt;
235
236	✗✓	236	if (!EVP_CipherInit_ex(
237			ctx.get(),
238		236	params.cipher,
239			nullptr,
240		236	reinterpret_cast<const unsigned char*>(key_data->GetSymmetricKey()),
241			counter,
242			encrypt)) {
243			// Cipher init failed
244			return WebCryptoCipherStatus::FAILED;
245			}
246
247		236	int out_len = 0;
248		236	int final_len = 0;
249	✗✓	236	if (!EVP_CipherUpdate(
250			ctx.get(),
251			out,
252			&out_len,
253			in.data<unsigned char>(),
254		236	in.size())) {
255			return WebCryptoCipherStatus::FAILED;
256			}
257
258	✗✓	236	if (!EVP_CipherFinal_ex(ctx.get(), out + out_len, &final_len))
259			return WebCryptoCipherStatus::FAILED;
260
261		236	out_len += final_len;
262	✗✓	236	if (static_cast<unsigned>(out_len) != in.size())
263			return WebCryptoCipherStatus::FAILED;
264
265		236	return WebCryptoCipherStatus::OK;
266			}
267
268		236	WebCryptoCipherStatus AES_CTR_Cipher(
269			Environment* env,
270			KeyObjectData* key_data,
271			WebCryptoCipherMode cipher_mode,
272			const AESCipherConfig& params,
273			const ByteSource& in,
274			ByteSource* out) {
275		472	BignumPointer num_counters(BN_new());
276	✗✓	236	if (!BN_lshift(num_counters.get(), BN_value_one(), params.length))
277			return WebCryptoCipherStatus::FAILED;
278
279		472	BignumPointer current_counter = GetCounter(params);
280
281		472	BignumPointer num_output(BN_new());
282
283	✗✓	236	if (!BN_set_word(num_output.get(), CeilDiv(in.size(), kAesBlockSize)))
284			return WebCryptoCipherStatus::FAILED;
285
286			// Just like in chromium's implementation, if the counter will
287			// be incremented more than there are counter values, we fail.
288	✗✓	236	if (BN_cmp(num_output.get(), num_counters.get()) > 0)
289			return WebCryptoCipherStatus::FAILED;
290
291		472	BignumPointer remaining_until_reset(BN_new());
292	✗✓	236	if (!BN_sub(remaining_until_reset.get(),
293		236	num_counters.get(),
294		236	current_counter.get())) {
295			return WebCryptoCipherStatus::FAILED;
296			}
297
298			// Output size is identical to the input size
299		236	char* data = MallocOpenSSL<char>(in.size());
300		472	ByteSource buf = ByteSource::Allocated(data, in.size());
301		236	unsigned char* ptr = reinterpret_cast<unsigned char*>(data);
302
303			// Also just like in chromium's implementation, if we can process
304			// the input without wrapping the counter, we'll do it as a single
305			// call here. If we can't, we'll fallback to the a two-step approach
306	✓✗	236	if (BN_cmp(remaining_until_reset.get(), num_output.get()) >= 0) {
307		236	auto status = AES_CTR_Cipher2(
308			key_data,
309			cipher_mode,
310			params,
311			in,
312			params.iv.data<unsigned char>(),
313			ptr);
314	✓✗	236	if (status == WebCryptoCipherStatus::OK)
315		236	*out = std::move(buf);
316		236	return status;
317			}
318
319			BN_ULONG blocks_part1 = BN_get_word(remaining_until_reset.get());
320			BN_ULONG input_size_part1 = blocks_part1 * kAesBlockSize;
321
322			// Encrypt the first part...
323			auto status = AES_CTR_Cipher2(
324			key_data,
325			cipher_mode,
326			params,
327			ByteSource::Foreign(in.get(), input_size_part1),
328			params.iv.data<unsigned char>(),
329			ptr);
330
331			if (status != WebCryptoCipherStatus::OK)
332			return status;
333
334			// Wrap the counter around to zero
335			std::vector<unsigned char> new_counter_block = BlockWithZeroedCounter(params);
336
337			// Encrypt the second part...
338			status = AES_CTR_Cipher2(
339			key_data,
340			cipher_mode,
341			params,
342			ByteSource::Foreign(
343			in.get() + input_size_part1,
344			in.size() - input_size_part1),
345			new_counter_block.data(),
346			ptr + input_size_part1);
347
348			if (status == WebCryptoCipherStatus::OK)
349			*out = std::move(buf);
350
351			return status;
352			}
353
354		961	bool ValidateIV(
355			Environment* env,
356			CryptoJobMode mode,
357			Local<Value> value,
358			AESCipherConfig* params) {
359		1922	ArrayBufferOrViewContents<char> iv(value);
360	✗✓	961	if (UNLIKELY(!iv.CheckSizeInt32())) {
361			THROW_ERR_OUT_OF_RANGE(env, "iv is too big");
362			return false;
363			}
364			params->iv = (mode == kCryptoJobAsync)
365	✓✗	1922	? iv.ToCopy()
366		961	: iv.ToByteSource();
367		961	return true;
368			}
369
370		236	bool ValidateCounter(
371			Environment* env,
372			Local<Value> value,
373			AESCipherConfig* params) {
374	✗✓	236	CHECK(value->IsUint32()); // Length
375		236	params->length = value.As<Uint32>()->Value();
376		236	if (params->iv.size() != 16 \|\|
377	✓✗✓✗ ✗✓	472	params->length == 0 \|\|
378	✗✓	236	params->length > 128) {
379			THROW_ERR_CRYPTO_INVALID_COUNTER(env);
380			return false;
381			}
382		236	return true;
383			}
384
385		474	bool ValidateAuthTag(
386			Environment* env,
387			CryptoJobMode mode,
388			WebCryptoCipherMode cipher_mode,
389			Local<Value> value,
390			AESCipherConfig* params) {
391	✓✓✗	474	switch (cipher_mode) {
392		228	case kWebCryptoCipherDecrypt: {
393	✗✓	228	if (!IsAnyByteSource(value)) {
394			THROW_ERR_CRYPTO_INVALID_TAG_LENGTH(env);
395			return false;
396			}
397		228	ArrayBufferOrViewContents<char> tag_contents(value);
398	✗✓	228	if (UNLIKELY(!tag_contents.CheckSizeInt32())) {
399			THROW_ERR_OUT_OF_RANGE(env, "tagLength is too big");
400			return false;
401			}
402			params->tag = mode == kCryptoJobAsync
403	✓✗	456	? tag_contents.ToCopy()
404		228	: tag_contents.ToByteSource();
405		228	break;
406			}
407		246	case kWebCryptoCipherEncrypt: {
408	✗✓	246	if (!value->IsUint32()) {
409			THROW_ERR_CRYPTO_INVALID_TAG_LENGTH(env);
410			return false;
411			}
412		246	params->length = value.As<Uint32>()->Value();
413	✗✓	246	if (params->length > 128) {
414			THROW_ERR_CRYPTO_INVALID_TAG_LENGTH(env);
415			return false;
416			}
417		246	break;
418			}
419			default:
420			UNREACHABLE();
421			}
422		474	return true;
423			}
424
425		474	bool ValidateAdditionalData(
426			Environment* env,
427			CryptoJobMode mode,
428			Local<Value> value,
429			AESCipherConfig* params) {
430			// Additional Data
431	✓✓	474	if (IsAnyByteSource(value)) {
432		318	ArrayBufferOrViewContents<char> additional(value);
433	✗✓	318	if (UNLIKELY(!additional.CheckSizeInt32())) {
434			THROW_ERR_OUT_OF_RANGE(env, "additionalData is too big");
435			return false;
436			}
437			params->additional_data = mode == kCryptoJobAsync
438	✓✗	636	? additional.ToCopy()
439		318	: additional.ToByteSource();
440			}
441		474	return true;
442			}
443
444		76	void UseDefaultIV(AESCipherConfig* params) {
445		76	params->iv = ByteSource::Foreign(kDefaultWrapIV, strlen(kDefaultWrapIV));
446		76	}
447			} // namespace
448
449		1037	AESCipherConfig::AESCipherConfig(AESCipherConfig&& other) noexcept
450		1037	: mode(other.mode),
451		1037	variant(other.variant),
452		1037	cipher(other.cipher),
453		1037	length(other.length),
454		1037	iv(std::move(other.iv)),
455		1037	additional_data(std::move(other.additional_data)),
456		1037	tag(std::move(other.tag)) {}
457
458			AESCipherConfig& AESCipherConfig::operator=(AESCipherConfig&& other) noexcept {
459			if (&other == this) return *this;
460			this->~AESCipherConfig();
461			return *new (this) AESCipherConfig(std::move(other));
462			}
463
464			void AESCipherConfig::MemoryInfo(MemoryTracker* tracker) const {
465			// If mode is sync, then the data in each of these properties
466			// is not owned by the AESCipherConfig, so we ignore it.
467			if (mode == kCryptoJobAsync) {
468			tracker->TrackFieldWithSize("iv", iv.size());
469			tracker->TrackFieldWithSize("additional_data", additional_data.size());
470			tracker->TrackFieldWithSize("tag", tag.size());
471			}
472			}
473
474		1037	Maybe<bool> AESCipherTraits::AdditionalConfig(
475			CryptoJobMode mode,
476			const FunctionCallbackInfo<Value>& args,
477			unsigned int offset,
478			WebCryptoCipherMode cipher_mode,
479			AESCipherConfig* params) {
480		1037	Environment* env = Environment::GetCurrent(args);
481
482		1037	params->mode = mode;
483
484	✓✗✗✓	2074	CHECK(args[offset]->IsUint32()); // Key Variant
485		1037	params->variant =
486	✓✗	3111	static_cast<AESKeyVariant>(args[offset].As<Uint32>()->Value());
487
488			int cipher_nid;
489
490	✓✓✓✓ ✓✓✓✗ ✗✓✓✓ ✗	1037	switch (params->variant) {
491		223	case kKeyVariantAES_CTR_128:
492	✓✗✓✗ ✗✓	669	if (!ValidateIV(env, mode, args[offset + 1], params) \|\|
493	✓✗✗✓	446	!ValidateCounter(env, args[offset + 2], params)) {
494			return Nothing<bool>();
495			}
496		223	cipher_nid = NID_aes_128_ctr;
497		223	break;
498		4	case kKeyVariantAES_CTR_192:
499	✓✗✓✗ ✗✓	12	if (!ValidateIV(env, mode, args[offset + 1], params) \|\|
500	✓✗✗✓	8	!ValidateCounter(env, args[offset + 2], params)) {
501			return Nothing<bool>();
502			}
503		4	cipher_nid = NID_aes_192_ctr;
504		4	break;
505		9	case kKeyVariantAES_CTR_256:
506	✓✗✓✗ ✗✓	27	if (!ValidateIV(env, mode, args[offset + 1], params) \|\|
507	✓✗✗✓	18	!ValidateCounter(env, args[offset + 2], params)) {
508			return Nothing<bool>();
509			}
510		9	cipher_nid = NID_aes_256_ctr;
511		9	break;
512		229	case kKeyVariantAES_CBC_128:
513	✓✗✗✓	458	if (!ValidateIV(env, mode, args[offset + 1], params))
514			return Nothing<bool>();
515		229	cipher_nid = NID_aes_128_cbc;
516		229	break;
517		7	case kKeyVariantAES_CBC_192:
518	✓✗✗✓	14	if (!ValidateIV(env, mode, args[offset + 1], params))
519			return Nothing<bool>();
520		7	cipher_nid = NID_aes_192_cbc;
521		7	break;
522		15	case kKeyVariantAES_CBC_256:
523	✓✗✗✓	30	if (!ValidateIV(env, mode, args[offset + 1], params))
524			return Nothing<bool>();
525		15	cipher_nid = NID_aes_256_cbc;
526		15	break;
527		76	case kKeyVariantAES_KW_128:
528		76	UseDefaultIV(params);
529		76	cipher_nid = NID_id_aes128_wrap;
530		76	break;
531			case kKeyVariantAES_KW_192:
532			UseDefaultIV(params);
533			cipher_nid = NID_id_aes192_wrap;
534			break;
535			case kKeyVariantAES_KW_256:
536			UseDefaultIV(params);
537			cipher_nid = NID_id_aes256_wrap;
538			break;
539		314	case kKeyVariantAES_GCM_128:
540	✓✗	628	if (!ValidateIV(env, mode, args[offset + 1], params) \|\|
541	✓✗✓✗ ✓✗✗✓	942	!ValidateAuthTag(env, mode, cipher_mode, args[offset + 2], params) \|\|
542	✓✗✗✓	628	!ValidateAdditionalData(env, mode, args[offset + 3], params)) {
543			return Nothing<bool>();
544			}
545		314	cipher_nid = NID_aes_128_gcm;
546		314	break;
547		56	case kKeyVariantAES_GCM_192:
548	✓✗	112	if (!ValidateIV(env, mode, args[offset + 1], params) \|\|
549	✓✗✓✗ ✓✗✗✓	168	!ValidateAuthTag(env, mode, cipher_mode, args[offset + 2], params) \|\|
550	✓✗✗✓	112	!ValidateAdditionalData(env, mode, args[offset + 3], params)) {
551			return Nothing<bool>();
552			}
553		56	cipher_nid = NID_aes_192_gcm;
554		56	break;
555		104	case kKeyVariantAES_GCM_256:
556	✓✗	208	if (!ValidateIV(env, mode, args[offset + 1], params) \|\|
557	✓✗✓✗ ✓✗✗✓	312	!ValidateAuthTag(env, mode, cipher_mode, args[offset + 2], params) \|\|
558	✓✗✗✓	208	!ValidateAdditionalData(env, mode, args[offset + 3], params)) {
559			return Nothing<bool>();
560			}
561		104	cipher_nid = NID_aes_256_gcm;
562		104	break;
563			default:
564			UNREACHABLE();
565			}
566
567		1037	params->cipher = EVP_get_cipherbynid(cipher_nid);
568	✗✓	1037	CHECK_NOT_NULL(params->cipher);
569
570		1037	if (params->iv.size() <
571	✗✓	1037	static_cast<size_t>(EVP_CIPHER_iv_length(params->cipher))) {
572			THROW_ERR_CRYPTO_INVALID_IV(env);
573			return Nothing<bool>();
574			}
575
576		1037	return Just(true);
577			}
578
579		1037	WebCryptoCipherStatus AESCipherTraits::DoCipher(
580			Environment* env,
581			std::shared_ptr<KeyObjectData> key_data,
582			WebCryptoCipherMode cipher_mode,
583			const AESCipherConfig& params,
584			const ByteSource& in,
585			ByteSource* out) {
586			#define V(name, fn) \
587			case kKeyVariantAES_ ## name: \
588			return fn(env, key_data.get(), cipher_mode, params, in, out);
589	✓✓✓✓ ✓✓✓✓ ✓✓✗✗ ✗	1037	switch (params.variant) {
590		1037	VARIANTS(V)
591			default:
592			UNREACHABLE();
593			}
594			#undef V
595			}
596
597		847	void AES::Initialize(Environment* env, Local<Object> target) {
598		847	AESCryptoJob::Initialize(env, target);
599
600			#define V(name, _) NODE_DEFINE_CONSTANT(target, kKeyVariantAES_ ## name);
601		20328	VARIANTS(V)
602			#undef V
603		847	}
604
605		5187	void AES::RegisterExternalReferences(ExternalReferenceRegistry* registry) {
606		5187	AESCryptoJob::RegisterExternalReferences(registry);
607		5187	}
608
609			} // namespace crypto
610			} // namespace node