commit 06b4bed3bcd20664c9892f317fbdc9a1f9d2bea8
author Leonid Baraz <lbaraz@chromium.org> Wed Mar 24 06:19:44 2021
committer Chromium LUCI CQ <chromium-scoped@luci-project-accounts.iam.gserviceaccount.com> Wed Mar 24 06:19:44 2021
tree 30e50d4f4aa60a7d0149c8919cf99fbb1558088a
parent 3b8eb3bbb3a272c0bbc92311edff4caa7194e258

Refactor Encryption to match ChromeOS version

Factor BoringSSL+Crypto out to be replaced by OpenSSL in ChromeOS.

Bug: 1174889
Change-Id: I597c2dea8809bbeac45c456970052058c8ebcd88
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2777052
Reviewed-by: Zach Trudo <zatrudo@google.com>
Commit-Queue: Leonid Baraz <lbaraz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#865999}

components/reporting/encryption/primitives.cc

diff --git a/components/reporting/encryption/primitives.cc b/components/reporting/encryption/primitives.cc
new file mode 100644
index 0000000..137516d
--- /dev/null
+++ b/components/reporting/encryption/primitives.cc
@@ -0,0 +1,112 @@
+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/reporting/encryption/primitives.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <memory>
+#include <string>
+
+#include "crypto/aead.h"
+#include "crypto/openssl_util.h"
+#include "third_party/boringssl/src/include/openssl/curve25519.h"
+#include "third_party/boringssl/src/include/openssl/digest.h"
+#include "third_party/boringssl/src/include/openssl/hkdf.h"
+
+#include "base/strings/string_piece.h"
+
+namespace reporting {
+
+static_assert(X25519_PRIVATE_KEY_LEN == kKeySize, "X25519 mismatch");
+static_assert(X25519_PUBLIC_VALUE_LEN == kKeySize, "X25519 mismatch");
+static_assert(X25519_SHARED_KEY_LEN == kKeySize, "X25519 mismatch");
+static_assert(ED25519_PRIVATE_KEY_LEN == kSignKeySize, "ED25519 mismatch");
+static_assert(ED25519_PUBLIC_KEY_LEN == kKeySize, "ED25519 mismatch");
+static_assert(ED25519_SIGNATURE_LEN == kSignatureSize, "ED25519 mismatch");
+
+bool ComputeSharedSecret(const uint8_t peer_public_value[kKeySize],
+                         uint8_t shared_secret[kKeySize],
+                         uint8_t generated_public_value[kKeySize]) {
+  // Make sure OpenSSL is initialized, in order to avoid data races later.
+  crypto::EnsureOpenSSLInit();
+
+  // Generate new pair of private key and public value.
+  uint8_t out_private_key[kKeySize];
+  X25519_keypair(generated_public_value, out_private_key);
+
+  // Compute shared secret.
+  if (1 != X25519(shared_secret, out_private_key, peer_public_value)) {
+    return false;
+  }
+
+  // Success.
+  return true;
+}
+
+bool ProduceSymmetricKey(const uint8_t shared_secret[kKeySize],
+                         uint8_t symmetric_key[kKeySize]) {
+  // Make sure OpenSSL is initialized, in order to avoid data races later.
+  crypto::EnsureOpenSSLInit();
+
+  // Produce symmetric key from shared secret using HKDF.
+  // Since the original keys were only used once, no salt and context is needed.
+  // Since the keys above are only used once, no salt and context is provided.
+  if (1 != HKDF(symmetric_key, kKeySize, /*digest=*/EVP_sha256(), shared_secret,
+                kKeySize,
+                /*salt=*/nullptr, /*salt_len=*/0,
+                /*info=*/nullptr, /*info_len=*/0)) {
+    return false;
+  }
+
+  // Success.
+  return true;
+}
+
+bool PerformSymmetricEncryption(const uint8_t symmetric_key[kKeySize],
+                                base::StringPiece input_data,
+                                std::string* output_data) {
+  // Make sure OpenSSL is initialized, in order to avoid data races later.
+  crypto::EnsureOpenSSLInit();
+
+  // Encrypt the data with symmetric key using AEAD interface.
+  crypto::Aead aead(crypto::Aead::CHACHA20_POLY1305);
+  DCHECK_EQ(aead.KeyLength(), kKeySize);
+
+  // Use the symmetric key for data encryption.
+  aead.Init(base::make_span(symmetric_key, kKeySize));
+
+  // Set nonce to 0s, since a symmetric key is only used once.
+  // Note: if we ever start reusing the same symmetric key, we will need
+  // to generate new nonce for every record and transfer it to the peer.
+  DCHECK_EQ(aead.NonceLength(), kNonceSize);
+  std::string nonce(kNonceSize, 0);
+
+  // Encrypt the whole record.
+  if (1 != aead.Seal(input_data, nonce, std::string(), output_data)) {
+    return false;
+  }
+
+  // Success. Attach nonce at the head, for compatibility with Tink.
+  output_data->insert(0, nonce);
+  return true;
+}
+
+bool VerifySignature(const uint8_t verification_key[kKeySize],
+                     base::StringPiece message,
+                     const uint8_t signature[kSignatureSize]) {
+  // Make sure OpenSSL is initialized, in order to avoid data races later.
+  crypto::EnsureOpenSSLInit();
+
+  // Verify message
+  if (1 != ED25519_verify(reinterpret_cast<const uint8_t*>(message.data()),
+                          message.size(), signature, verification_key)) {
+    return false;
+  }
+
+  // Success.
+  return true;
+}
+
+}  // namespace reporting