search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Memory suppressions
[chromium-blink-merge.git] / crypto / openpgp_symmetric_encryption.cc
blob702952b018719e8e6f8c04f128899d0c07cbfbca
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "crypto/openpgp_symmetric_encryption.h"
6
7 #include <stdlib.h>
8
9 #include <sechash.h>
10 #include <cryptohi.h>
11
12 #include <vector>
13
14 #include "base/logging.h"
15 #include "crypto/random.h"
16 #include "crypto/scoped_nss_types.h"
17 #include "crypto/nss_util.h"
18
19 namespace crypto {
20
21 namespace {
22
23 // Reader wraps a StringPiece and provides methods to read several datatypes
24 // while advancing the StringPiece.
25 class Reader {
26 public:
27 Reader(base::StringPiece input)
28 : data_(input) {
29 }
30
31 bool U8(uint8* out) {
32 if (data_.size() < 1)
33 return false;
34 *out = static_cast<uint8>(data_[0]);
35 data_.remove_prefix(1);
36 return true;
37 }
38
39 bool U32(uint32* out) {
40 if (data_.size() < 4)
41 return false;
42 *out = static_cast<uint32>(data_[0]) << 24 |
43 static_cast<uint32>(data_[1]) << 16 |
44 static_cast<uint32>(data_[2]) << 8 |
45 static_cast<uint32>(data_[3]);
46 data_.remove_prefix(4);
47 return true;
48 }
49
50 // Prefix sets |*out| to the first |n| bytes of the StringPiece and advances
51 // the StringPiece by |n|.
52 bool Prefix(size_t n, base::StringPiece *out) {
53 if (data_.size() < n)
54 return false;
55 *out = base::StringPiece(data_.data(), n);
56 data_.remove_prefix(n);
57 return true;
58 }
59
60 // Remainder returns the remainer of the StringPiece and advances it to the
61 // end.
62 base::StringPiece Remainder() {
63 base::StringPiece ret = data_;
64 data_ = base::StringPiece();
65 return ret;
66 }
67
68 typedef base::StringPiece Position;
69
70 Position tell() const {
71 return data_;
72 }
73
74 void Seek(Position p) {
75 data_ = p;
76 }
77
78 bool Skip(size_t n) {
79 if (data_.size() < n)
80 return false;
81 data_.remove_prefix(n);
82 return true;
83 }
84
85 bool empty() const {
86 return data_.empty();
87 }
88
89 size_t size() const {
90 return data_.size();
91 }
92
93 private:
94 base::StringPiece data_;
95 };
96
97 // SaltedIteratedS2K implements the salted and iterated string-to-key
98 // convertion. See RFC 4880, section 3.7.1.3.
99 void SaltedIteratedS2K(unsigned cipher_key_length,
100 HASH_HashType hash_function,
101 base::StringPiece passphrase,
102 base::StringPiece salt,
103 unsigned count,
104 uint8 *out_key) {
105 const std::string combined = salt.as_string() + passphrase.as_string();
106 const size_t combined_len = combined.size();
107
108 unsigned done = 0;
109 uint8 zero[1] = {0};
110
111 HASHContext* hash_context = HASH_Create(hash_function);
112
113 for (unsigned i = 0; done < cipher_key_length; i++) {
114 HASH_Begin(hash_context);
115
116 for (unsigned j = 0; j < i; j++)
117 HASH_Update(hash_context, zero, sizeof(zero));
118
119 unsigned written = 0;
120 while (written < count) {
121 if (written + combined_len > count) {
122 unsigned todo = count - written;
123 HASH_Update(hash_context,
124 reinterpret_cast<const uint8*>(combined.data()),
125 todo);
126 written = count;
127 } else {
128 HASH_Update(hash_context,
129 reinterpret_cast<const uint8*>(combined.data()),
130 combined_len);
131 written += combined_len;
132 }
133 }
134
135 unsigned num_hash_bytes;
136 uint8 digest[HASH_LENGTH_MAX];
137 HASH_End(hash_context, digest, &num_hash_bytes, sizeof(digest));
138
139 unsigned todo = cipher_key_length - done;
140 if (todo > num_hash_bytes)
141 todo = num_hash_bytes;
142 memcpy(out_key + done, digest, todo);
143 done += todo;
144 }
145
146 HASH_Destroy(hash_context);
147 }
148
149 // CreateAESContext sets up |out_key| to be an AES context, with the given key,
150 // in ECB mode and with no IV.
151 bool CreateAESContext(const uint8* key, unsigned key_len,
152 ScopedPK11Context* out_decryption_context) {
153 ScopedPK11Slot slot(PK11_GetInternalSlot());
154 if (!slot.get())
155 return false;
156 SECItem key_item;
157 key_item.type = siBuffer;
158 key_item.data = const_cast<uint8*>(key);
159 key_item.len = key_len;
160 ScopedPK11SymKey pk11_key(PK11_ImportSymKey(
161 slot.get(), CKM_AES_ECB, PK11_OriginUnwrap, CKA_ENCRYPT, &key_item,
162 NULL));
163 if (!pk11_key.get())
164 return false;
165 ScopedSECItem iv_param(PK11_ParamFromIV(CKM_AES_ECB, NULL));
166 out_decryption_context->reset(
167 PK11_CreateContextBySymKey(CKM_AES_ECB, CKA_ENCRYPT, pk11_key.get(),
168 iv_param.get()));
169 return out_decryption_context->get() != NULL;
170 }
171
172
173 // These constants are the tag numbers for the various packet types that we
174 // use.
175 static const unsigned kSymmetricKeyEncryptedTag = 3;
176 static const unsigned kSymmetricallyEncryptedTag = 18;
177 static const unsigned kCompressedTag = 8;
178 static const unsigned kLiteralDataTag = 11;
179
180 class Decrypter {
181 public:
182 ~Decrypter() {
183 for (std::vector<void*>::iterator
184 i = arena_.begin(); i != arena_.end(); i++) {
185 free(*i);
186 }
187 arena_.clear();
188 }
189
190 OpenPGPSymmetricEncrytion::Result Decrypt(base::StringPiece in,
191 base::StringPiece passphrase,
192 base::StringPiece *out_contents) {
193 Reader reader(in);
194 unsigned tag;
195 base::StringPiece contents;
196 ScopedPK11Context decryption_context;
197
198 if (!ParsePacket(&reader, &tag, &contents))
199 return OpenPGPSymmetricEncrytion::PARSE_ERROR;
200 if (tag != kSymmetricKeyEncryptedTag)
201 return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED;
202 Reader inner(contents);
203 OpenPGPSymmetricEncrytion::Result result =
204 ParseSymmetricKeyEncrypted(&inner, passphrase, &decryption_context);
205 if (result != OpenPGPSymmetricEncrytion::OK)
206 return result;
207
208 if (!ParsePacket(&reader, &tag, &contents))
209 return OpenPGPSymmetricEncrytion::PARSE_ERROR;
210 if (tag != kSymmetricallyEncryptedTag)
211 return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED;
212 if (!reader.empty())
213 return OpenPGPSymmetricEncrytion::PARSE_ERROR;
214 inner = Reader(contents);
215 if (!ParseSymmetricallyEncrypted(&inner, &decryption_context, &contents))
216 return OpenPGPSymmetricEncrytion::PARSE_ERROR;
217
218 reader = Reader(contents);
219 if (!ParsePacket(&reader, &tag, &contents))
220 return OpenPGPSymmetricEncrytion::PARSE_ERROR;
221 if (tag == kCompressedTag)
222 return OpenPGPSymmetricEncrytion::COMPRESSED;
223 if (tag != kLiteralDataTag)
224 return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED;
225 inner = Reader(contents);
226 if (!ParseLiteralData(&inner, out_contents))
227 return OpenPGPSymmetricEncrytion::PARSE_ERROR;
228
229 return OpenPGPSymmetricEncrytion::OK;
230 }
231
232 private:
233 // ParsePacket parses an OpenPGP packet from reader. See RFC 4880, section
234 // 4.2.2.
235 bool ParsePacket(Reader *reader,
236 unsigned *out_tag,
237 base::StringPiece *out_contents) {
238 uint8 header;
239 if (!reader->U8(&header))
240 return false;
241 if ((header & 0x80) == 0) {
242 // Tag byte must have MSB set.
243 return false;
244 }
245
246 if ((header & 0x40) == 0) {
247 // Old format packet.
248 *out_tag = (header & 0x3f) >> 2;
249
250 uint8 length_type = header & 3;
251 if (length_type == 3) {
252 *out_contents = reader->Remainder();
253 return true;
254 }
255
256 const unsigned length_bytes = 1 << length_type;
257 size_t length = 0;
258 for (unsigned i = 0; i < length_bytes; i++) {
259 uint8 length_byte;
260 if (!reader->U8(&length_byte))
261 return false;
262 length <<= 8;
263 length |= length_byte;
264 }
265
266 return reader->Prefix(length, out_contents);
267 }
268
269 // New format packet.
270 *out_tag = header & 0x3f;
271 size_t length;
272 bool is_partial;
273 if (!ParseLength(reader, &length, &is_partial))
274 return false;
275 if (is_partial)
276 return ParseStreamContents(reader, length, out_contents);
277 return reader->Prefix(length, out_contents);
278 }
279
280 // ParseStreamContents parses all the chunks of a partial length stream from
281 // reader. See http://tools.ietf.org/html/rfc4880#section-4.2.2.4
282 bool ParseStreamContents(Reader *reader,
283 size_t length,
284 base::StringPiece *out_contents) {
285 const Reader::Position beginning_of_stream = reader->tell();
286 const size_t first_chunk_length = length;
287
288 // First we parse the stream to find its length.
289 if (!reader->Skip(length))
290 return false;
291
292 for (;;) {
293 size_t chunk_length;
294 bool is_partial;
295
296 if (!ParseLength(reader, &chunk_length, &is_partial))
297 return false;
298 if (length + chunk_length < length)
299 return false;
300 length += chunk_length;
301 if (!reader->Skip(chunk_length))
302 return false;
303 if (!is_partial)
304 break;
305 }
306
307 // Now we have the length of the whole stream in |length|.
308 char* buf = reinterpret_cast<char*>(malloc(length));
309 arena_.push_back(buf);
310 size_t j = 0;
311 reader->Seek(beginning_of_stream);
312
313 base::StringPiece first_chunk;
314 if (!reader->Prefix(first_chunk_length, &first_chunk))
315 return false;
316 memcpy(buf + j, first_chunk.data(), first_chunk_length);
317 j += first_chunk_length;
318
319 // Now we parse the stream again, this time copying into |buf|
320 for (;;) {
321 size_t chunk_length;
322 bool is_partial;
323
324 if (!ParseLength(reader, &chunk_length, &is_partial))
325 return false;
326 base::StringPiece chunk;
327 if (!reader->Prefix(chunk_length, &chunk))
328 return false;
329 memcpy(buf + j, chunk.data(), chunk_length);
330 j += chunk_length;
331 if (!is_partial)
332 break;
333 }
334
335 *out_contents = base::StringPiece(buf, length);
336 return true;
337 }
338
339 // ParseLength parses an OpenPGP length from reader. See RFC 4880, section
340 // 4.2.2.
341 bool ParseLength(Reader *reader, size_t *out_length, bool *out_is_prefix) {
342 uint8 length_spec;
343 if (!reader->U8(&length_spec))
344 return false;
345
346 *out_is_prefix = false;
347 if (length_spec < 192) {
348 *out_length = length_spec;
349 return true;
350 } else if (length_spec < 224) {
351 uint8 next_byte;
352 if (!reader->U8(&next_byte))
353 return false;
354
355 *out_length = (length_spec - 192) << 8;
356 *out_length += next_byte;
357 return true;
358 } else if (length_spec < 255) {
359 *out_length = 1u << (length_spec & 0x1f);
360 *out_is_prefix = true;
361 return true;
362 } else {
363 uint32 length32;
364 if (!reader->U32(&length32))
365 return false;
366 *out_length = length32;
367 return true;
368 }
369 }
370
371 // ParseSymmetricKeyEncrypted parses a passphrase protected session key. See
372 // RFC 4880, section 5.3.
373 OpenPGPSymmetricEncrytion::Result ParseSymmetricKeyEncrypted(
374 Reader *reader,
375 base::StringPiece passphrase,
376 ScopedPK11Context *decryption_context) {
377 uint8 version, cipher, s2k_type, hash_func_id;
378 if (!reader->U8(&version) || version != 4)
379 return OpenPGPSymmetricEncrytion::PARSE_ERROR;
380
381 if (!reader->U8(&cipher) ||
382 !reader->U8(&s2k_type) ||
383 !reader->U8(&hash_func_id)) {
384 return OpenPGPSymmetricEncrytion::PARSE_ERROR;
385 }
386
387 uint8 cipher_key_length = OpenPGPCipherIdToKeyLength(cipher);
388 if (cipher_key_length == 0)
389 return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER;
390
391 HASH_HashType hash_function;
392 switch (hash_func_id) {
393 case 2: // SHA-1
394 hash_function = HASH_AlgSHA1;
395 break;
396 case 8: // SHA-256
397 hash_function = HASH_AlgSHA256;
398 break;
399 default:
400 return OpenPGPSymmetricEncrytion::UNKNOWN_HASH;
401 }
402
403 // This chunk of code parses the S2K specifier. See RFC 4880, section 3.7.1.
404 base::StringPiece salt;
405 uint8 key[32];
406 uint8 count_spec;
407 switch (s2k_type) {
408 case 1:
409 if (!reader->Prefix(8, &salt))
410 return OpenPGPSymmetricEncrytion::PARSE_ERROR;
411 // Fall through.
412 case 0:
413 SaltedIteratedS2K(cipher_key_length, hash_function, passphrase, salt,
414 passphrase.size() + salt.size(), key);
415 break;
416 case 3:
417 if (!reader->Prefix(8, &salt) ||
418 !reader->U8(&count_spec)) {
419 return OpenPGPSymmetricEncrytion::PARSE_ERROR;
420 }
421 SaltedIteratedS2K(
422 cipher_key_length, hash_function, passphrase, salt,
423 static_cast<unsigned>(
424 16 + (count_spec&15)) << ((count_spec >> 4) + 6), key);
425 break;
426 default:
427 return OpenPGPSymmetricEncrytion::PARSE_ERROR;
428 }
429
430 if (!CreateAESContext(key, cipher_key_length, decryption_context))
431 return OpenPGPSymmetricEncrytion::INTERNAL_ERROR;
432
433 if (reader->empty()) {
434 // The resulting key is used directly.
435 return OpenPGPSymmetricEncrytion::OK;
436 }
437
438 // The S2K derived key encrypts another key that follows:
439 base::StringPiece encrypted_key = reader->Remainder();
440 if (encrypted_key.size() < 1)
441 return OpenPGPSymmetricEncrytion::PARSE_ERROR;
442
443 uint8* plaintext_key = reinterpret_cast<uint8*>(
444 malloc(encrypted_key.size()));
445 arena_.push_back(plaintext_key);
446
447 CFBDecrypt(encrypted_key, decryption_context, plaintext_key);
448
449 cipher_key_length = OpenPGPCipherIdToKeyLength(plaintext_key[0]);
450 if (cipher_key_length == 0)
451 return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER;
452 if (encrypted_key.size() != 1u + cipher_key_length)
453 return OpenPGPSymmetricEncrytion::PARSE_ERROR;
454 if (!CreateAESContext(plaintext_key + 1, cipher_key_length,
455 decryption_context)) {
456 return OpenPGPSymmetricEncrytion::INTERNAL_ERROR;
457 }
458 return OpenPGPSymmetricEncrytion::OK;
459 }
460
461 // CFBDecrypt decrypts the cipher-feedback encrypted data in |in| to |out|
462 // using |decryption_context| and assumes an IV of all zeros.
463 void CFBDecrypt(base::StringPiece in, ScopedPK11Context* decryption_context,
464 uint8* out) {
465 // We need this for PK11_CipherOp to write to, but we never check it as we
466 // work in ECB mode, one block at a time.
467 int out_len;
468
469 uint8 mask[AES_BLOCK_SIZE];
470 memset(mask, 0, sizeof(mask));
471
472 unsigned used = AES_BLOCK_SIZE;
473
474 for (size_t i = 0; i < in.size(); i++) {
475 if (used == AES_BLOCK_SIZE) {
476 PK11_CipherOp(decryption_context->get(), mask, &out_len, sizeof(mask),
477 mask, AES_BLOCK_SIZE);
478 used = 0;
479 }
480
481 uint8 t = in[i];
482 out[i] = t ^ mask[used];
483 mask[used] = t;
484 used++;
485 }
486 }
487
488 // OpenPGPCipherIdToKeyLength converts an OpenPGP cipher id (see RFC 4880,
489 // section 9.2) to the key length of that cipher. It returns 0 on error.
490 unsigned OpenPGPCipherIdToKeyLength(uint8 cipher) {
491 switch (cipher) {
492 case 7: // AES-128
493 return 16;
494 case 8: // AES-192
495 return 24;
496 case 9: // AES-256
497 return 32;
498 default:
499 return 0;
500 }
501 }
502
503 // ParseSymmetricallyEncrypted parses a Symmetrically Encrypted packet. See
504 // RFC 4880, sections 5.7 and 5.13.
505 bool ParseSymmetricallyEncrypted(Reader *reader,
506 ScopedPK11Context *decryption_context,
507 base::StringPiece *out_plaintext) {
508 // We need this for PK11_CipherOp to write to, but we never check it as we
509 // work in ECB mode, one block at a time.
510 int out_len;
511
512 uint8 version;
513 if (!reader->U8(&version) || version != 1)
514 return false;
515
516 base::StringPiece prefix_sp;
517 if (!reader->Prefix(AES_BLOCK_SIZE + 2, &prefix_sp))
518 return false;
519 uint8 prefix[AES_BLOCK_SIZE + 2];
520 memcpy(prefix, prefix_sp.data(), sizeof(prefix));
521
522 uint8 prefix_copy[AES_BLOCK_SIZE + 2];
523 uint8 fre[AES_BLOCK_SIZE];
524
525 memset(prefix_copy, 0, AES_BLOCK_SIZE);
526 PK11_CipherOp(decryption_context->get(), fre, &out_len, sizeof(fre),
527 prefix_copy, AES_BLOCK_SIZE);
528 for (unsigned i = 0; i < AES_BLOCK_SIZE; i++)
529 prefix_copy[i] = fre[i] ^ prefix[i];
530 PK11_CipherOp(decryption_context->get(), fre, &out_len, sizeof(fre), prefix,
531 AES_BLOCK_SIZE);
532 prefix_copy[AES_BLOCK_SIZE] = prefix[AES_BLOCK_SIZE] ^ fre[0];
533 prefix_copy[AES_BLOCK_SIZE + 1] = prefix[AES_BLOCK_SIZE + 1] ^ fre[1];
534
535 if (prefix_copy[AES_BLOCK_SIZE - 2] != prefix_copy[AES_BLOCK_SIZE] ||
536 prefix_copy[AES_BLOCK_SIZE - 1] != prefix_copy[AES_BLOCK_SIZE + 1]) {
537 return false;
538 }
539
540 fre[0] = prefix[AES_BLOCK_SIZE];
541 fre[1] = prefix[AES_BLOCK_SIZE + 1];
542
543 unsigned out_used = 2;
544
545 const size_t plaintext_size = reader->size();
546 if (plaintext_size < SHA1_LENGTH + 2) {
547 // Too small to contain an MDC trailer.
548 return false;
549 }
550
551 uint8* plaintext = reinterpret_cast<uint8*>(malloc(plaintext_size));
552 arena_.push_back(plaintext);
553
554 for (size_t i = 0; i < plaintext_size; i++) {
555 uint8 b;
556 if (!reader->U8(&b))
557 return false;
558 if (out_used == AES_BLOCK_SIZE) {
559 PK11_CipherOp(decryption_context->get(), fre, &out_len, sizeof(fre),
560 fre, AES_BLOCK_SIZE);
561 out_used = 0;
562 }
563
564 plaintext[i] = b ^ fre[out_used];
565 fre[out_used++] = b;
566 }
567
568 // The plaintext should be followed by a Modification Detection Code
569 // packet. This packet is specified such that the header is always
570 // serialized as exactly these two bytes:
571 if (plaintext[plaintext_size - SHA1_LENGTH - 2] != 0xd3 ||
572 plaintext[plaintext_size - SHA1_LENGTH - 1] != 0x14) {
573 return false;
574 }
575
576 HASHContext* hash_context = HASH_Create(HASH_AlgSHA1);
577 HASH_Begin(hash_context);
578 HASH_Update(hash_context, prefix_copy, sizeof(prefix_copy));
579 HASH_Update(hash_context, plaintext, plaintext_size - SHA1_LENGTH);
580 uint8 digest[SHA1_LENGTH];
581 unsigned num_hash_bytes;
582 HASH_End(hash_context, digest, &num_hash_bytes, sizeof(digest));
583 HASH_Destroy(hash_context);
584
585 if (memcmp(digest, &plaintext[plaintext_size - SHA1_LENGTH],
586 SHA1_LENGTH) != 0) {
587 return false;
588 }
589
590 *out_plaintext = base::StringPiece(reinterpret_cast<char*>(plaintext),
591 plaintext_size - SHA1_LENGTH);
592 return true;
593 }
594
595 // ParseLiteralData parses a Literal Data packet. See RFC 4880, section 5.9.
596 bool ParseLiteralData(Reader *reader, base::StringPiece *out_data) {
597 uint8 is_binary, filename_len;
598 if (!reader->U8(&is_binary) ||
599 !reader->U8(&filename_len) ||
600 !reader->Skip(filename_len) ||
601 !reader->Skip(sizeof(uint32) /* mtime */)) {
602 return false;
603 }
604
605 *out_data = reader->Remainder();
606 return true;
607 }
608
609 // arena_ contains malloced pointers that are used as temporary space during
610 // the decryption.
611 std::vector<void*> arena_;
612 };
613
614 class Encrypter {
615 public:
616 // ByteString is used throughout in order to avoid signedness issues with a
617 // std::string.
618 typedef std::basic_string<uint8> ByteString;
619
620 static ByteString Encrypt(base::StringPiece plaintext,
621 base::StringPiece passphrase) {
622 ByteString key;
623 ByteString ske = SerializeSymmetricKeyEncrypted(passphrase, &key);
624
625 ByteString literal_data = SerializeLiteralData(plaintext);
626 ByteString se = SerializeSymmetricallyEncrypted(literal_data, key);
627 return ske + se;
628 }
629
630 private:
631 // MakePacket returns an OpenPGP packet tagged as type |tag|. It always uses
632 // new-format headers. See RFC 4880, section 4.2.
633 static ByteString MakePacket(unsigned tag, const ByteString& contents) {
634 ByteString header;
635 header.push_back(0x80 | 0x40 | tag);
636
637 if (contents.size() < 192) {
638 header.push_back(contents.size());
639 } else if (contents.size() < 8384) {
640 size_t length = contents.size();
641 length -= 192;
642 header.push_back(192 + (length >> 8));
643 header.push_back(length & 0xff);
644 } else {
645 size_t length = contents.size();
646 header.push_back(255);
647 header.push_back(length >> 24);
648 header.push_back(length >> 16);
649 header.push_back(length >> 8);
650 header.push_back(length);
651 }
652
653 return header + contents;
654 }
655
656 // SerializeLiteralData returns a Literal Data packet containing |contents|
657 // as binary data with no filename nor mtime specified. See RFC 4880, section
658 // 5.9.
659 static ByteString SerializeLiteralData(base::StringPiece contents) {
660 ByteString literal_data;
661 literal_data.push_back(0x74); // text mode
662 literal_data.push_back(0x00); // no filename
663 literal_data.push_back(0x00); // zero mtime
664 literal_data.push_back(0x00);
665 literal_data.push_back(0x00);
666 literal_data.push_back(0x00);
667 literal_data += ByteString(reinterpret_cast<const uint8*>(contents.data()),
668 contents.size());
669 return MakePacket(kLiteralDataTag, literal_data);
670 }
671
672 // SerializeSymmetricKeyEncrypted generates a random AES-128 key from
673 // |passphrase|, sets |out_key| to it and returns a Symmetric Key Encrypted
674 // packet. See RFC 4880, section 5.3.
675 static ByteString SerializeSymmetricKeyEncrypted(base::StringPiece passphrase,
676 ByteString *out_key) {
677 ByteString ske;
678 ske.push_back(4); // version 4
679 ske.push_back(7); // AES-128
680 ske.push_back(3); // iterated and salted S2K
681 ske.push_back(2); // SHA-1
682
683 uint64 salt64;
684 crypto::RandBytes(&salt64, sizeof(salt64));
685 ByteString salt(sizeof(salt64), 0);
686
687 // It's a random value, so endianness doesn't matter.
688 ske += ByteString(reinterpret_cast<uint8*>(&salt64), sizeof(salt64));
689 ske.push_back(96); // iteration count of 65536
690
691 uint8 key[16];
692 SaltedIteratedS2K(
693 sizeof(key), HASH_AlgSHA1, passphrase,
694 base::StringPiece(reinterpret_cast<char*>(&salt64), sizeof(salt64)),
695 65536, key);
696 *out_key = ByteString(key, sizeof(key));
697 return MakePacket(kSymmetricKeyEncryptedTag, ske);
698 }
699
700 // SerializeSymmetricallyEncrypted encrypts |plaintext| with |key| and
701 // returns a Symmetrically Encrypted packet containing the ciphertext. See
702 // RFC 4880, section 5.7.
703 static ByteString SerializeSymmetricallyEncrypted(ByteString plaintext,
704 const ByteString& key) {
705 // We need this for PK11_CipherOp to write to, but we never check it as we
706 // work in ECB mode, one block at a time.
707 int out_len;
708
709 ByteString packet;
710 packet.push_back(1); // version 1
711 static const unsigned kBlockSize = 16; // AES block size
712
713 uint8 prefix[kBlockSize + 2], fre[kBlockSize], iv[kBlockSize];
714 crypto::RandBytes(iv, kBlockSize);
715 memset(fre, 0, sizeof(fre));
716
717 ScopedPK11Context aes_context;
718 CHECK(CreateAESContext(key.data(), key.size(), &aes_context));
719
720 PK11_CipherOp(aes_context.get(), fre, &out_len, sizeof(fre), fre,
721 AES_BLOCK_SIZE);
722 for (unsigned i = 0; i < 16; i++)
723 prefix[i] = iv[i] ^ fre[i];
724 PK11_CipherOp(aes_context.get(), fre, &out_len, sizeof(fre), prefix,
725 AES_BLOCK_SIZE);
726 prefix[kBlockSize] = iv[kBlockSize - 2] ^ fre[0];
727 prefix[kBlockSize + 1] = iv[kBlockSize - 1] ^ fre[1];
728
729 packet += ByteString(prefix, sizeof(prefix));
730
731 ByteString plaintext_copy = plaintext;
732 plaintext_copy.push_back(0xd3); // MDC packet
733 plaintext_copy.push_back(20); // packet length (20 bytes)
734
735 HASHContext* hash_context = HASH_Create(HASH_AlgSHA1);
736 HASH_Begin(hash_context);
737 HASH_Update(hash_context, iv, sizeof(iv));
738 HASH_Update(hash_context, iv + kBlockSize - 2, 2);
739 HASH_Update(hash_context, plaintext_copy.data(), plaintext_copy.size());
740 uint8 digest[SHA1_LENGTH];
741 unsigned num_hash_bytes;
742 HASH_End(hash_context, digest, &num_hash_bytes, sizeof(digest));
743 HASH_Destroy(hash_context);
744
745 plaintext_copy += ByteString(digest, sizeof(digest));
746
747 fre[0] = prefix[kBlockSize];
748 fre[1] = prefix[kBlockSize+1];
749 unsigned out_used = 2;
750
751 for (size_t i = 0; i < plaintext_copy.size(); i++) {
752 if (out_used == kBlockSize) {
753 PK11_CipherOp(aes_context.get(), fre, &out_len, sizeof(fre), fre,
754 AES_BLOCK_SIZE);
755 out_used = 0;
756 }
757
758 uint8 c = plaintext_copy[i] ^ fre[out_used];
759 fre[out_used++] = c;
760 packet.push_back(c);
761 }
762
763 return MakePacket(kSymmetricallyEncryptedTag, packet);
764 }
765 };
766
767 } // anonymous namespace
768
769 // static
770 OpenPGPSymmetricEncrytion::Result OpenPGPSymmetricEncrytion::Decrypt(
771 base::StringPiece encrypted,
772 base::StringPiece passphrase,
773 std::string *out) {
774 EnsureNSSInit();
775
776 Decrypter decrypter;
777 base::StringPiece result;
778 Result reader = decrypter.Decrypt(encrypted, passphrase, &result);
779 if (reader == OK)
780 *out = result.as_string();
781 return reader;
782 }
783
784 // static
785 std::string OpenPGPSymmetricEncrytion::Encrypt(
786 base::StringPiece plaintext,
787 base::StringPiece passphrase) {
788 EnsureNSSInit();
789
790 Encrypter::ByteString b =
791 Encrypter::Encrypt(plaintext, passphrase);
792 return std::string(reinterpret_cast<const char*>(b.data()), b.size());
793 }
794
795 } // namespace crypto