// Copyright 2024 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "components/enterprise/obfuscation/core/utils.h" #include "base/files/file_util.h" #include "base/files/scoped_temp_file.h" #include "base/no_destructor.h" #include "base/numerics/byte_conversions.h" #include "crypto/aead.h" #include "crypto/hkdf.h" #include "crypto/random.h" #include "crypto/symmetric_key.h" namespace enterprise_obfuscation { namespace { // Default key and derived key size, nonce length and max tag length in // BoringSSL's implementation of AES-256 GCM used by the crypto library. // TODO(b/356473947): Consider switching to 128-bit key for performance. static constexpr size_t kKeySize = …; static constexpr size_t kNonceSize = …; static constexpr size_t kAuthTagSize = …; // Nonce prefix and header size based on Tink streaming AEAD implementation // (https://developers.google.com/tink/streaming-aead/aes_gcm_hkdf_streaming). static constexpr size_t kNoncePrefixSize = …; static constexpr size_t kSaltSize = …; static constexpr size_t kHeaderSize = …; // Maximum size of a data chunk for obfuscation/deobfuscation. // // This size is chosen to be the default buffer size in bytes used for downloads // (kDefaultDownloadFileBufferSize = 524288) plus the auth tag length. static constexpr size_t kMaxChunkSize = …; // Size of the chunk size prefix for variable size. static constexpr size_t kChunkSizePrefixSize = …; // Generates a random 256 bit AES key. const std::vector<uint8_t>& GetSymmetricKey() { … } // Computes nonce. The structure is: noncePrefix | counter (4 bytes) | b (1 // byte). The last byte is to ensure that the ciphertext is different for the // last chunk of a file. const std::vector<uint8_t> ComputeNonce( const std::vector<uint8_t>& nonce_prefix, uint32_t counter, bool is_last_chunk) { … } } // namespace BASE_FEATURE(…); bool IsFileObfuscationEnabled() { … } base::expected<std::vector<uint8_t>, Error> CreateHeader( std::vector<uint8_t>* derived_key, std::vector<uint8_t>* nonce_prefix) { … } base::expected<std::vector<uint8_t>, Error> ObfuscateDataChunk( base::span<const uint8_t> data, const std::vector<uint8_t>& derived_key, const std::vector<uint8_t>& nonce_prefix, uint32_t counter, bool is_last_chunk) { … } base::expected<size_t, Error> GetObfuscatedChunkSize( base::span<const uint8_t> data) { … } base::expected<std::pair</*derived key*/ std::vector<uint8_t>, /*nonce prefix*/ std::vector<uint8_t>>, Error> GetHeaderData(const std::vector<uint8_t>& header) { … } base::expected<std::vector<uint8_t>, Error> DeobfuscateDataChunk( base::span<const uint8_t> data, const std::vector<uint8_t>& derived_key, const std::vector<uint8_t>& nonce_prefix, uint32_t counter, bool is_last_chunk) { … } base::expected<void, Error> DeobfuscateFileInPlace( const base::FilePath& file_path) { … } } // namespace enterprise_obfuscation
Codebase Browser
chromium