1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/mozglue/android/NSSBridge.cpp Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,295 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this file,
1.6 + * You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +
1.8 +#include <stdlib.h>
1.9 +#include "dlfcn.h"
1.10 +#include "NSSBridge.h"
1.11 +#include "APKOpen.h"
1.12 +#ifdef ANDROID
1.13 +#include <jni.h>
1.14 +#include <android/log.h>
1.15 +#endif
1.16 +
1.17 +#include "ElfLoader.h"
1.18 +
1.19 +#ifdef DEBUG
1.20 +#define LOG(x...) __android_log_print(ANDROID_LOG_INFO, "GeckoJNI", x)
1.21 +#else
1.22 +#define LOG(x...)
1.23 +#endif
1.24 +
1.25 +static bool initialized = false;
1.26 +
1.27 +#define NSS_WRAPPER_INT(name) name ## _t f_ ## name;
1.28 +NSS_WRAPPER_INT(NSS_Initialize)
1.29 +NSS_WRAPPER_INT(NSS_Shutdown)
1.30 +NSS_WRAPPER_INT(SECITEM_ZfreeItem)
1.31 +NSS_WRAPPER_INT(PK11SDR_Encrypt)
1.32 +NSS_WRAPPER_INT(PK11SDR_Decrypt)
1.33 +NSS_WRAPPER_INT(PK11_GetInternalKeySlot)
1.34 +NSS_WRAPPER_INT(PK11_NeedUserInit)
1.35 +NSS_WRAPPER_INT(PK11_InitPin)
1.36 +NSS_WRAPPER_INT(PR_ErrorToString)
1.37 +NSS_WRAPPER_INT(PR_GetError)
1.38 +NSS_WRAPPER_INT(PR_Free)
1.39 +NSS_WRAPPER_INT(PL_Base64Encode)
1.40 +NSS_WRAPPER_INT(PL_Base64Decode)
1.41 +NSS_WRAPPER_INT(PL_strfree)
1.42 +
1.43 +int
1.44 +setup_nss_functions(void *nss_handle,
1.45 + void *nspr_handle,
1.46 + void *plc_handle)
1.47 +{
1.48 + if (nss_handle == nullptr || nspr_handle == nullptr || plc_handle == nullptr) {
1.49 + LOG("Missing handle\n");
1.50 + return FAILURE;
1.51 + }
1.52 +#define GETFUNC(name) f_ ## name = (name ## _t) (uintptr_t) __wrap_dlsym(nss_handle, #name); \
1.53 + if (!f_ ##name) { __android_log_print(ANDROID_LOG_ERROR, "GeckoJNI", "missing %s", #name); return FAILURE; }
1.54 + GETFUNC(NSS_Initialize);
1.55 + GETFUNC(NSS_Shutdown);
1.56 + GETFUNC(PK11SDR_Encrypt);
1.57 + GETFUNC(PK11SDR_Decrypt);
1.58 + GETFUNC(PK11_GetInternalKeySlot);
1.59 + GETFUNC(PK11_NeedUserInit);
1.60 + GETFUNC(PK11_InitPin);
1.61 + GETFUNC(SECITEM_ZfreeItem);
1.62 +#undef GETFUNC
1.63 +#define NSPRFUNC(name) f_ ## name = (name ## _t) (uintptr_t) __wrap_dlsym(nspr_handle, #name); \
1.64 + if (!f_ ##name) { __android_log_print(ANDROID_LOG_ERROR, "GeckoJNI", "missing %s", #name); return FAILURE; }
1.65 + NSPRFUNC(PR_ErrorToString);
1.66 + NSPRFUNC(PR_GetError);
1.67 + NSPRFUNC(PR_Free);
1.68 +#undef NSPRFUNC
1.69 +#define PLCFUNC(name) f_ ## name = (name ## _t) (uintptr_t) __wrap_dlsym(plc_handle, #name); \
1.70 + if (!f_ ##name) { __android_log_print(ANDROID_LOG_ERROR, "GeckoJNI", "missing %s", #name); return FAILURE; }
1.71 + PLCFUNC(PL_Base64Encode);
1.72 + PLCFUNC(PL_Base64Decode);
1.73 + PLCFUNC(PL_strfree);
1.74 +#undef PLCFUNC
1.75 +
1.76 + return SUCCESS;
1.77 +}
1.78 +
1.79 +/* Throws the current NSS error. */
1.80 +static void
1.81 +throwError(JNIEnv* jenv, const char * funcString) {
1.82 + char *msg;
1.83 +
1.84 + PRErrorCode perr = f_PR_GetError();
1.85 + char * errString = f_PR_ErrorToString(perr, 0);
1.86 + asprintf(&msg, "%s returned error %d: %s\n", funcString, perr, errString);
1.87 + LOG("Throwing error: %s\n", msg);
1.88 +
1.89 + JNI_Throw(jenv, "java/lang/Exception", msg);
1.90 + free(msg);
1.91 + LOG("Error thrown\n");
1.92 +}
1.93 +
1.94 +extern "C" NS_EXPORT jstring JNICALL
1.95 +Java_org_mozilla_gecko_NSSBridge_nativeEncrypt(JNIEnv* jenv, jclass,
1.96 + jstring jPath,
1.97 + jstring jValue)
1.98 +{
1.99 + jstring ret = jenv->NewStringUTF("");
1.100 +
1.101 + const char* path;
1.102 + path = jenv->GetStringUTFChars(jPath, nullptr);
1.103 +
1.104 + const char* value;
1.105 + value = jenv->GetStringUTFChars(jValue, nullptr);
1.106 +
1.107 + char* result;
1.108 + SECStatus rv = doCrypto(jenv, path, value, &result, true);
1.109 + if (rv == SECSuccess) {
1.110 + ret = jenv->NewStringUTF(result);
1.111 + free(result);
1.112 + }
1.113 +
1.114 + jenv->ReleaseStringUTFChars(jValue, value);
1.115 + jenv->ReleaseStringUTFChars(jPath, path);
1.116 +
1.117 + return ret;
1.118 +}
1.119 +
1.120 +extern "C" NS_EXPORT jstring JNICALL
1.121 +Java_org_mozilla_gecko_NSSBridge_nativeDecrypt(JNIEnv* jenv, jclass,
1.122 + jstring jPath,
1.123 + jstring jValue)
1.124 +{
1.125 + jstring ret = jenv->NewStringUTF("");
1.126 +
1.127 + const char* path;
1.128 + path = jenv->GetStringUTFChars(jPath, nullptr);
1.129 +
1.130 + const char* value;
1.131 + value = jenv->GetStringUTFChars(jValue, nullptr);
1.132 +
1.133 + char* result;
1.134 + SECStatus rv = doCrypto(jenv, path, value, &result, false);
1.135 + if (rv == SECSuccess) {
1.136 + ret = jenv->NewStringUTF(result);
1.137 + free(result);
1.138 + }
1.139 +
1.140 + jenv->ReleaseStringUTFChars(jValue, value);
1.141 + jenv->ReleaseStringUTFChars(jPath, path);
1.142 +
1.143 + return ret;
1.144 +}
1.145 +
1.146 +
1.147 +/* Encrypts or decrypts a string. result should be freed with free() when done */
1.148 +SECStatus
1.149 +doCrypto(JNIEnv* jenv, const char *path, const char *value, char** result, bool encrypt)
1.150 +{
1.151 + SECStatus rv;
1.152 + PK11SlotInfo *slot;
1.153 + if (!initialized) {
1.154 + LOG("Initialize crypto in %s\n", path);
1.155 + rv = f_NSS_Initialize(path, "", "", "secmod.db", NSS_INIT_NOROOTINIT);
1.156 + if (rv != SECSuccess) {
1.157 + throwError(jenv, "NSS_Initialize");
1.158 + return rv;
1.159 + }
1.160 + initialized = true;
1.161 + }
1.162 +
1.163 + slot = f_PK11_GetInternalKeySlot();
1.164 + if (!slot) {
1.165 + throwError(jenv, "PK11_GetInternalKeySlot");
1.166 + return SECFailure;
1.167 + }
1.168 +
1.169 + if (f_PK11_NeedUserInit(slot)) {
1.170 + LOG("Initializing key3.db with default blank password.\n");
1.171 + rv = f_PK11_InitPin(slot, nullptr, nullptr);
1.172 + if (rv != SECSuccess) {
1.173 + throwError(jenv, "PK11_InitPin");
1.174 + return rv;
1.175 + }
1.176 + }
1.177 +
1.178 + SECItem request;
1.179 + SECItem reply;
1.180 +
1.181 + reply.data = 0;
1.182 + reply.len = 0;
1.183 +
1.184 + if (encrypt) {
1.185 + // This can print sensitive data. Uncomment if you need it.
1.186 + // LOG("Encrypting: %s\n", value);
1.187 + request.data = (unsigned char*)value;
1.188 + request.len = strlen(value);
1.189 +
1.190 + SECItem keyid;
1.191 + keyid.data = 0;
1.192 + keyid.len = 0;
1.193 + rv = f_PK11SDR_Encrypt(&keyid, &request, &reply, nullptr);
1.194 +
1.195 + if (rv != SECSuccess) {
1.196 + throwError(jenv, "PK11SDR_Encrypt");
1.197 + goto done;
1.198 + }
1.199 +
1.200 + rv = encode(reply.data, reply.len, result);
1.201 + if (rv != SECSuccess) {
1.202 + throwError(jenv, "encode");
1.203 + goto done;
1.204 + }
1.205 + LOG("Encrypted: %s\n", *result);
1.206 + } else {
1.207 + LOG("Decoding: %s\n", value);
1.208 + rv = decode(value, &request.data, (int32_t*)&request.len);
1.209 + if (rv != SECSuccess) {
1.210 + throwError(jenv, "decode");
1.211 + return rv;
1.212 + }
1.213 +
1.214 + rv = f_PK11SDR_Decrypt(&request, &reply, nullptr);
1.215 + if (rv != SECSuccess) {
1.216 + throwError(jenv, "PK11SDR_Decrypt");
1.217 + goto done;
1.218 + }
1.219 +
1.220 + *result = (char *)malloc(reply.len+1);
1.221 + strncpy(*result, (char *)reply.data, reply.len);
1.222 + (*result)[reply.len] = '\0';
1.223 +
1.224 + // This can print sensitive data. Uncomment if you need it.
1.225 + // LOG("Decoded %i letters: %s\n", reply.len, *result);
1.226 + free(request.data);
1.227 + }
1.228 +
1.229 +done:
1.230 + f_SECITEM_ZfreeItem(&reply, false);
1.231 + return rv;
1.232 +}
1.233 +
1.234 +/*
1.235 + * Base64 encodes the data passed in. The caller must deallocate _retval using free();
1.236 + */
1.237 +SECStatus
1.238 +encode(const unsigned char *data, int32_t dataLen, char **_retval)
1.239 +{
1.240 + SECStatus rv = SECSuccess;
1.241 + char *encoded = f_PL_Base64Encode((const char *)data, dataLen, nullptr);
1.242 + if (!encoded)
1.243 + rv = SECFailure;
1.244 + if (!*encoded)
1.245 + rv = SECFailure;
1.246 +
1.247 + if (rv == SECSuccess) {
1.248 + *_retval = (char *)malloc(strlen(encoded)+1);
1.249 + strcpy(*_retval, encoded);
1.250 + }
1.251 +
1.252 + if (encoded) {
1.253 + f_PR_Free(encoded);
1.254 + }
1.255 +
1.256 + return rv;
1.257 +}
1.258 +
1.259 +/*
1.260 + * Base64 decodes the data passed in. The caller must deallocate result using free();
1.261 + */
1.262 +SECStatus
1.263 +decode(const char *data, unsigned char **result, int32_t *length)
1.264 +{
1.265 + SECStatus rv = SECSuccess;
1.266 + uint32_t len = strlen(data);
1.267 + int adjust = 0;
1.268 +
1.269 + /* Compute length adjustment */
1.270 + if (len > 0 && data[len-1] == '=') {
1.271 + adjust++;
1.272 + if (data[len-2] == '=') adjust++;
1.273 + }
1.274 +
1.275 + char *decoded;
1.276 + decoded = f_PL_Base64Decode(data, len, nullptr);
1.277 + if (!decoded) {
1.278 + return SECFailure;
1.279 + }
1.280 + if (!*decoded) {
1.281 + return SECFailure;
1.282 + }
1.283 +
1.284 + *length = (len*3)/4 - adjust;
1.285 + LOG("Decoded %i chars into %i chars\n", len, *length);
1.286 +
1.287 + *result = (unsigned char*)malloc((size_t)len);
1.288 +
1.289 + if (!*result) {
1.290 + rv = SECFailure;
1.291 + } else {
1.292 + memcpy((char*)*result, decoded, len);
1.293 + }
1.294 + f_PR_Free(decoded);
1.295 + return rv;
1.296 +}
1.297 +
1.298 +
