blob: 8a7f33e7696310ed98a3600138ce3f80c1639ee2 [file] [log] [blame]
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "components/os_crypt/os_crypt.h"
#include <windows.h>
#include "base/base64.h"
#include "base/no_destructor.h"
#include "base/strings/string_util.h"
#include "base/strings/utf_string_conversions.h"
#include "base/win/wincrypt_shim.h"
#include "components/prefs/pref_registry_simple.h"
#include "components/prefs/pref_service.h"
#include "crypto/aead.h"
#include "crypto/hkdf.h"
#include "crypto/random.h"
namespace {
// Contains base64 random key encrypted with DPAPI.
const char kOsCryptEncryptedKeyPrefName[] = "os_crypt.encrypted_key";
// AEAD key length in bytes.
const size_t kKeyLength = 256 / 8;
// AEAD nonce length in bytes.
const size_t kNonceLength = 96 / 8;
// Version prefix for data encrypted with profile bound key.
const char kEncryptionVersionPrefix[] = "v10";
// Key prefix for a key encrypted with DPAPI.
const char kDPAPIKeyPrefix[] = "DPAPI";
// Use mock key instead of a real encryption key. Used for testing.
bool g_use_mock_key = false;
// Store data using the legacy (DPAPI) method rather than session key.
bool g_use_legacy = false;
// These two keys must have no destructors to allow OSCrypt calls to function
// correctly during shutdown.
// Encryption Key. Set either by calling Init() or SetRawEncryptionKey().
std::string& GetEncryptionKeyFactory() {
static base::NoDestructor<std::string> encryption_key;
return *encryption_key;
}
// Mock Encryption Key. Only set and used if g_use_mock_key is true.
std::string& GetMockEncryptionKeyFactory() {
static base::NoDestructor<std::string> mock_encryption_key;
return *mock_encryption_key;
}
bool EncryptStringWithDPAPI(const std::string& plaintext,
std::string* ciphertext) {
DATA_BLOB input;
input.pbData = const_cast<BYTE*>(
reinterpret_cast<const BYTE*>(plaintext.data()));
input.cbData = static_cast<DWORD>(plaintext.length());
DATA_BLOB output;
BOOL result =
CryptProtectData(&input, L"", nullptr, nullptr, nullptr, 0, &output);
if (!result) {
PLOG(ERROR) << "Failed to encrypt";
return false;
}
// this does a copy
ciphertext->assign(reinterpret_cast<std::string::value_type*>(output.pbData),
output.cbData);
LocalFree(output.pbData);
return true;
}
bool DecryptStringWithDPAPI(const std::string& ciphertext,
std::string* plaintext) {
DATA_BLOB input;
input.pbData = const_cast<BYTE*>(
reinterpret_cast<const BYTE*>(ciphertext.data()));
input.cbData = static_cast<DWORD>(ciphertext.length());
DATA_BLOB output;
BOOL result = CryptUnprotectData(&input, nullptr, nullptr, nullptr, nullptr,
0, &output);
if (!result) {
PLOG(ERROR) << "Failed to decrypt";
return false;
}
plaintext->assign(reinterpret_cast<char*>(output.pbData), output.cbData);
LocalFree(output.pbData);
return true;
}
const std::string& GetEncryptionKeyInternal() {
if (g_use_mock_key) {
if (GetMockEncryptionKeyFactory().empty())
GetMockEncryptionKeyFactory().assign(
crypto::HkdfSha256("peanuts", "salt", "info", kKeyLength));
DCHECK(!GetMockEncryptionKeyFactory().empty())
<< "Failed to initialize mock key.";
return GetMockEncryptionKeyFactory();
}
DCHECK(!GetEncryptionKeyFactory().empty()) << "No key.";
return GetEncryptionKeyFactory();
}
} // namespace
// static
bool OSCrypt::EncryptString16(const base::string16& plaintext,
std::string* ciphertext) {
return EncryptString(base::UTF16ToUTF8(plaintext), ciphertext);
}
// static
bool OSCrypt::DecryptString16(const std::string& ciphertext,
base::string16* plaintext) {
std::string utf8;
if (!DecryptString(ciphertext, &utf8))
return false;
*plaintext = base::UTF8ToUTF16(utf8);
return true;
}
// static
bool OSCrypt::EncryptString(const std::string& plaintext,
std::string* ciphertext) {
if (g_use_legacy)
return EncryptStringWithDPAPI(plaintext, ciphertext);
crypto::Aead aead(crypto::Aead::AES_256_GCM);
auto key = GetEncryptionKeyInternal();
aead.Init(&key);
// Note: can only check these once AEAD is initialized.
DCHECK_EQ(kKeyLength, aead.KeyLength());
DCHECK_EQ(kNonceLength, aead.NonceLength());
std::string nonce;
crypto::RandBytes(base::WriteInto(&nonce, kNonceLength + 1), kNonceLength);
if (!aead.Seal(plaintext, nonce, std::string(), ciphertext))
return false;
ciphertext->insert(0, nonce);
ciphertext->insert(0, kEncryptionVersionPrefix);
return true;
}
// static
bool OSCrypt::DecryptString(const std::string& ciphertext,
std::string* plaintext) {
if (!base::StartsWith(ciphertext, kEncryptionVersionPrefix,
base::CompareCase::SENSITIVE))
return DecryptStringWithDPAPI(ciphertext, plaintext);
crypto::Aead aead(crypto::Aead::AES_256_GCM);
auto key = GetEncryptionKeyInternal();
aead.Init(&key);
// Obtain the nonce.
std::string nonce =
ciphertext.substr(sizeof(kEncryptionVersionPrefix) - 1, kNonceLength);
// Strip off the versioning prefix before decrypting.
std::string raw_ciphertext =
ciphertext.substr(kNonceLength + (sizeof(kEncryptionVersionPrefix) - 1));
return aead.Open(raw_ciphertext, nonce, std::string(), plaintext);
}
// static
void OSCrypt::RegisterLocalPrefs(PrefRegistrySimple* registry) {
registry->RegisterStringPref(kOsCryptEncryptedKeyPrefName, "");
}
// static
bool OSCrypt::Init(PrefService* local_state) {
DCHECK(GetEncryptionKeyFactory().empty()) << "Key already exists.";
// Try and pull the key from local state.
if (local_state->HasPrefPath(kOsCryptEncryptedKeyPrefName)) {
std::string base64_encrypted_key =
local_state->GetString(kOsCryptEncryptedKeyPrefName);
std::string encrypted_key_with_header;
base::Base64Decode(base64_encrypted_key, &encrypted_key_with_header);
if (!base::StartsWith(encrypted_key_with_header, kDPAPIKeyPrefix,
base::CompareCase::SENSITIVE)) {
NOTREACHED() << "Invalid key format.";
return false;
}
std::string encrypted_key =
encrypted_key_with_header.substr(sizeof(kDPAPIKeyPrefix) - 1);
std::string key;
if (!DecryptStringWithDPAPI(encrypted_key, &key))
return false;
GetEncryptionKeyFactory().assign(key);
return true;
}
// Otherwise, generate a key.
std::string key;
crypto::RandBytes(base::WriteInto(&key, kKeyLength + 1), kKeyLength);
std::string encrypted_key;
if (!EncryptStringWithDPAPI(key, &encrypted_key))
return false;
// Add header indicating this key is encrypted with DPAPI.
encrypted_key.insert(0, kDPAPIKeyPrefix);
std::string base64_key;
base::Base64Encode(encrypted_key, &base64_key);
local_state->SetString(kOsCryptEncryptedKeyPrefName, base64_key);
GetEncryptionKeyFactory().assign(key);
return true;
}
// static
void OSCrypt::SetRawEncryptionKey(const std::string& raw_key) {
DCHECK(!g_use_mock_key) << "Mock key in use.";
DCHECK(!raw_key.empty()) << "Bad key.";
DCHECK(GetEncryptionKeyFactory().empty()) << "Key already set.";
GetEncryptionKeyFactory().assign(raw_key);
}
// static
std::string OSCrypt::GetRawEncryptionKey() {
return GetEncryptionKeyInternal();
}
// static
void OSCrypt::UseMockKeyForTesting(bool use_mock) {
g_use_mock_key = use_mock;
}
// static
void OSCrypt::SetLegacyEncryptionForTesting(bool legacy) {
g_use_legacy = legacy;
}
// static
void OSCrypt::ResetStateForTesting() {
g_use_legacy = false;
g_use_mock_key = false;
GetEncryptionKeyFactory().clear();
GetMockEncryptionKeyFactory().clear();
}