1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
|
// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "components/os_crypt/sync/os_crypt.h"
#include <windows.h>
#include "base/base64.h"
#include "base/check.h"
#include "base/check_op.h"
#include "base/containers/span.h"
#include "base/feature_list.h"
#include "base/logging.h"
#include "base/memory/singleton.h"
#include "base/metrics/histogram_functions.h"
#include "base/metrics/histogram_macros.h"
#include "base/strings/strcat.h"
#include "base/strings/string_util.h"
#include "base/strings/sys_string_conversions.h"
#include "base/strings/utf_string_conversions.h"
#include "base/win/wincrypt_shim.h"
#include "components/prefs/pref_registry_simple.h"
#include "components/prefs/pref_service.h"
#include "components/version_info/version_info.h"
#include "crypto/aead.h"
#include "crypto/hkdf.h"
#include "crypto/random.h"
namespace {
// Contains base64 random key encrypted with DPAPI.
constexpr char kOsCryptEncryptedKeyPrefName[] = "os_crypt.encrypted_key";
// Whether or not an attempt has been made to enable audit for the DPAPI
// encryption backing the random key.
constexpr char kOsCryptAuditEnabledPrefName[] = "os_crypt.audit_enabled";
// AEAD key length in bytes.
constexpr size_t kKeyLength = 256 / 8;
// AEAD nonce length in bytes.
constexpr size_t kNonceLength = 96 / 8;
// Version prefix for data encrypted with profile bound key.
constexpr char kEncryptionVersionPrefix[] = "v10";
// Key prefix for a key encrypted with DPAPI.
constexpr char kDPAPIKeyPrefix[] = "DPAPI";
bool EncryptStringWithDPAPI(const std::string& plaintext,
std::string* ciphertext) {
DATA_BLOB input;
input.pbData =
const_cast<BYTE*>(reinterpret_cast<const BYTE*>(plaintext.data()));
input.cbData = static_cast<DWORD>(plaintext.length());
BOOL result = FALSE;
DATA_BLOB output;
{
SCOPED_UMA_HISTOGRAM_TIMER("OSCrypt.Win.Encrypt.Time");
result = ::CryptProtectData(
/*pDataIn=*/&input,
/*szDataDescr=*/
base::SysUTF8ToWide(
base::StrCat(
{version_info::GetProductName(),
version_info::IsOfficialBuild() ? "" : " (Developer Build)"}))
.c_str(),
/*pOptionalEntropy=*/nullptr,
/*pvReserved=*/nullptr,
/*pPromptStruct=*/nullptr, /*dwFlags=*/CRYPTPROTECT_AUDIT,
/*pDataOut=*/&output);
}
base::UmaHistogramBoolean("OSCrypt.Win.Encrypt.Result", result);
if (!result) {
PLOG(ERROR) << "Failed to encrypt";
return false;
}
// this does a copy
ciphertext->assign(reinterpret_cast<std::string::value_type*>(output.pbData),
output.cbData);
LocalFree(output.pbData);
return true;
}
bool DecryptStringWithDPAPI(const std::string& ciphertext,
std::string* plaintext) {
DATA_BLOB input;
input.pbData =
const_cast<BYTE*>(reinterpret_cast<const BYTE*>(ciphertext.data()));
input.cbData = static_cast<DWORD>(ciphertext.length());
BOOL result = FALSE;
DATA_BLOB output;
{
SCOPED_UMA_HISTOGRAM_TIMER("OSCrypt.Win.Decrypt.Time");
result = CryptUnprotectData(&input, nullptr, nullptr, nullptr, nullptr, 0,
&output);
}
base::UmaHistogramBoolean("OSCrypt.Win.Decrypt.Result", result);
if (!result) {
PLOG(ERROR) << "Failed to decrypt";
return false;
}
plaintext->assign(reinterpret_cast<char*>(output.pbData), output.cbData);
LocalFree(output.pbData);
return true;
}
// Takes `key` and encrypts it with DPAPI, then stores it in the `local_state`.
// Returns true if the key was successfully encrypted and stored.
bool EncryptAndStoreKey(const std::string& key, PrefService* local_state) {
std::string encrypted_key;
if (!EncryptStringWithDPAPI(key, &encrypted_key)) {
return false;
}
// Add header indicating this key is encrypted with DPAPI.
encrypted_key.insert(0, kDPAPIKeyPrefix);
std::string base64_key = base::Base64Encode(encrypted_key);
local_state->SetString(kOsCryptEncryptedKeyPrefName, base64_key);
return true;
}
} // namespace
namespace OSCrypt {
bool EncryptString16(const std::u16string& plaintext, std::string* ciphertext) {
return OSCryptImpl::GetInstance()->EncryptString16(plaintext, ciphertext);
}
bool DecryptString16(const std::string& ciphertext, std::u16string* plaintext) {
return OSCryptImpl::GetInstance()->DecryptString16(ciphertext, plaintext);
}
bool EncryptString(const std::string& plaintext, std::string* ciphertext) {
return OSCryptImpl::GetInstance()->EncryptString(plaintext, ciphertext);
}
bool DecryptString(const std::string& ciphertext, std::string* plaintext) {
return OSCryptImpl::GetInstance()->DecryptString(ciphertext, plaintext);
}
void RegisterLocalPrefs(PrefRegistrySimple* registry) {
OSCryptImpl::RegisterLocalPrefs(registry);
}
InitResult InitWithExistingKey(PrefService* local_state) {
return OSCryptImpl::GetInstance()->InitWithExistingKey(local_state);
}
bool Init(PrefService* local_state) {
return OSCryptImpl::GetInstance()->Init(local_state);
}
std::string GetRawEncryptionKey() {
return OSCryptImpl::GetInstance()->GetRawEncryptionKey();
}
void SetRawEncryptionKey(const std::string& key) {
OSCryptImpl::GetInstance()->SetRawEncryptionKey(key);
}
bool IsEncryptionAvailable() {
return OSCryptImpl::GetInstance()->IsEncryptionAvailable();
}
void UseMockKeyForTesting(bool use_mock) {
OSCryptImpl::GetInstance()->UseMockKeyForTesting(use_mock);
}
void SetLegacyEncryptionForTesting(bool legacy) {
OSCryptImpl::GetInstance()->SetLegacyEncryptionForTesting(legacy);
}
void ResetStateForTesting() {
OSCryptImpl::GetInstance()->ResetStateForTesting();
}
} // namespace OSCrypt
OSCryptImpl::OSCryptImpl() = default;
OSCryptImpl::~OSCryptImpl() = default;
OSCryptImpl* OSCryptImpl::GetInstance() {
return base::Singleton<OSCryptImpl,
base::LeakySingletonTraits<OSCryptImpl>>::get();
}
bool OSCryptImpl::EncryptString16(const std::u16string& plaintext,
std::string* ciphertext) {
return EncryptString(base::UTF16ToUTF8(plaintext), ciphertext);
}
bool OSCryptImpl::DecryptString16(const std::string& ciphertext,
std::u16string* plaintext) {
std::string utf8;
if (!DecryptString(ciphertext, &utf8))
return false;
*plaintext = base::UTF8ToUTF16(utf8);
return true;
}
bool OSCryptImpl::EncryptString(const std::string& plaintext,
std::string* ciphertext) {
if (use_legacy_)
return EncryptStringWithDPAPI(plaintext, ciphertext);
crypto::Aead aead(crypto::Aead::AES_256_GCM);
const auto key = GetRawEncryptionKey();
aead.Init(&key);
// Note: can only check these once AEAD is initialized.
DCHECK_EQ(kKeyLength, aead.KeyLength());
DCHECK_EQ(kNonceLength, aead.NonceLength());
std::string nonce(kNonceLength, '\0');
crypto::RandBytes(base::as_writable_byte_span(nonce));
if (!aead.Seal(plaintext, nonce, std::string(), ciphertext))
return false;
ciphertext->insert(0, nonce);
ciphertext->insert(0, kEncryptionVersionPrefix);
return true;
}
bool OSCryptImpl::DecryptString(const std::string& ciphertext,
std::string* plaintext) {
if (!base::StartsWith(ciphertext, kEncryptionVersionPrefix,
base::CompareCase::SENSITIVE))
return DecryptStringWithDPAPI(ciphertext, plaintext);
crypto::Aead aead(crypto::Aead::AES_256_GCM);
const auto key = GetRawEncryptionKey();
aead.Init(&key);
// Obtain the nonce.
const std::string nonce =
ciphertext.substr(sizeof(kEncryptionVersionPrefix) - 1, kNonceLength);
// Strip off the versioning prefix before decrypting.
const std::string raw_ciphertext =
ciphertext.substr(kNonceLength + (sizeof(kEncryptionVersionPrefix) - 1));
return aead.Open(raw_ciphertext, nonce, std::string(), plaintext);
}
// static
void OSCryptImpl::RegisterLocalPrefs(PrefRegistrySimple* registry) {
registry->RegisterStringPref(kOsCryptEncryptedKeyPrefName, "");
registry->RegisterBooleanPref(kOsCryptAuditEnabledPrefName, false);
}
bool OSCryptImpl::Init(PrefService* local_state) {
// Try to pull the key from the local state.
switch (InitWithExistingKey(local_state)) {
case OSCrypt::kSuccess:
return true;
case OSCrypt::kKeyDoesNotExist:
break;
case OSCrypt::kInvalidKeyFormat:
return false;
case OSCrypt::kDecryptionFailed:
break;
}
// If there is no key in the local state, or if DPAPI decryption fails,
// generate a new key.
std::string key(kKeyLength, '\0');
crypto::RandBytes(base::as_writable_byte_span(key));
if (!EncryptAndStoreKey(key, local_state)) {
return false;
}
// This new key is already encrypted with audit flag enabled.
local_state->SetBoolean(kOsCryptAuditEnabledPrefName, true);
encryption_key_.assign(key);
return true;
}
OSCrypt::InitResult OSCryptImpl::InitWithExistingKey(PrefService* local_state) {
DCHECK(encryption_key_.empty()) << "Key already exists.";
// Try and pull the key from the local state.
if (!local_state->HasPrefPath(kOsCryptEncryptedKeyPrefName))
return OSCrypt::kKeyDoesNotExist;
const std::string base64_encrypted_key =
local_state->GetString(kOsCryptEncryptedKeyPrefName);
std::string encrypted_key_with_header;
base::Base64Decode(base64_encrypted_key, &encrypted_key_with_header);
if (!base::StartsWith(encrypted_key_with_header, kDPAPIKeyPrefix,
base::CompareCase::SENSITIVE)) {
return OSCrypt::kInvalidKeyFormat;
}
const std::string encrypted_key =
encrypted_key_with_header.substr(sizeof(kDPAPIKeyPrefix) - 1);
std::string key;
// This DPAPI decryption can fail if the user's password has been reset
// by an Administrator.
if (!DecryptStringWithDPAPI(encrypted_key, &key)) {
base::UmaHistogramSparse("OSCrypt.Win.KeyDecryptionError",
::GetLastError());
return OSCrypt::kDecryptionFailed;
}
if (!local_state->GetBoolean(kOsCryptAuditEnabledPrefName)) {
// In theory, EncryptAndStoreKey could fail if DPAPI fails to encrypt, but
// DPAPI decrypted the old data fine. In this case it's better to leave the
// previously encrypted key, since the code has been able to decrypt it.
// Trying over and over makes no sense so the code explicitly does not
// attempt again, and audit will simply not be enabled in this case.
std::ignore = EncryptAndStoreKey(key, local_state);
// Indicate that an attempt has been made to turn audit flag on, so retry is
// not attempted.
local_state->SetBoolean(kOsCryptAuditEnabledPrefName, true);
}
encryption_key_.assign(key);
return OSCrypt::kSuccess;
}
void OSCryptImpl::SetRawEncryptionKey(const std::string& raw_key) {
DCHECK(!use_mock_key_) << "Mock key in use.";
DCHECK(!raw_key.empty()) << "Bad key.";
DCHECK(encryption_key_.empty()) << "Key already set.";
encryption_key_.assign(raw_key);
}
std::string OSCryptImpl::GetRawEncryptionKey() {
if (use_mock_key_) {
if (mock_encryption_key_.empty())
mock_encryption_key_.assign(
crypto::HkdfSha256("peanuts", "salt", "info", kKeyLength));
DCHECK(!mock_encryption_key_.empty()) << "Failed to initialize mock key.";
return mock_encryption_key_;
}
DCHECK(!encryption_key_.empty()) << "No key.";
return encryption_key_;
}
bool OSCryptImpl::IsEncryptionAvailable() {
if (use_mock_key_) {
return !GetRawEncryptionKey().empty();
}
return !encryption_key_.empty();
}
void OSCryptImpl::UseMockKeyForTesting(bool use_mock) {
use_mock_key_ = use_mock;
}
void OSCryptImpl::SetLegacyEncryptionForTesting(bool legacy) {
use_legacy_ = legacy;
}
void OSCryptImpl::ResetStateForTesting() {
use_legacy_ = false;
use_mock_key_ = false;
encryption_key_.clear();
mock_encryption_key_.clear();
}
|
