crypto: add OpenPGP symmetric encryption for ChromeOS

crypto/openpgp_symmetric_encryption_openssl.cc

+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "crypto/openpgp_symmetric_encryption.h"
+
+#include <vector>
+#include <stdlib.h>
+
+#include <openssl/evp.h>
+#include <openssl/aes.h>
+#include <openssl/sha.h>
+
+#include "base/rand_util.h"
+#include "base/logging.h"
+
+namespace crypto {
+
+namespace {
+
+// Reader wraps a StringPiece and provides methods to read several datatypes
+// while advancing the StringPiece.
+class Reader {
+ public:
+  Reader(base::StringPiece input)
+      : s_(input) {
+  }
+
+  bool U8(uint8* out) {
+    if (s_.size() < 1)
+      return false;
+    *out = static_cast<uint8>(s_[0]);
+    s_.remove_prefix(1);
+    return true;
+  }
+
+  bool U32(unsigned* out) {
+    if (s_.size() < 4)
+      return false;
+    *out = static_cast<unsigned>(s_[0]) << 24 |
+           static_cast<unsigned>(s_[1]) << 16 |
+           static_cast<unsigned>(s_[2]) << 8 |
+           static_cast<unsigned>(s_[3]);
+    s_.remove_prefix(4);
+    return true;
+  }
+
+  // Prefix sets |*out| to the first |n| bytes of the StringPiece and advances
+  // the StringPiece by |n|.
+  bool Prefix(unsigned n, base::StringPiece *out) {
+    if (s_.size() < n)
+      return false;
+    *out = base::StringPiece(s_.data(), n);
+    s_.remove_prefix(n);
+    return true;
+  }
+
+  // Remainder returns the remainer of the StringPiece and advances it to the
+  // end.
+  base::StringPiece Remainder() {
+    base::StringPiece ret = s_;
+    s_ = base::StringPiece();
+    return ret;
+  }
+
+  typedef base::StringPiece Position;
+
+  Position tell() const {
+    return s_;
+  }
+
+  void Seek(Position p) {
+    s_ = p;
+  }
+
+  bool Skip(unsigned n) {
+    if (s_.size() < n)
+      return false;
+    s_.remove_prefix(n);
+    return true;
+  }
+
+  bool empty() const {
+    return s_.empty();
+  }
+
+  size_t size() const {
+    return s_.size();
+  }
+
+ private:
+  base::StringPiece s_;

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

Please name this something better: "string_" or "data_" or something more
descriptive.

[agl, 2011/06/27 20:42:53]

Done.

+};
+
+// SaltedIteratedS2K implements the salted and iterated string-to-key
+// convertion. See RFC 4880, section 3.7.1.3.
+void SaltedIteratedS2K(unsigned cipher_key_length,
+                       const EVP_MD *md,

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

Please change "md" to "digest" or "message_digest" or something more
descriptive.

[agl, 2011/06/27 20:42:53]

Done.

+                       base::StringPiece passphrase,
+                       base::StringPiece salt,
+                       unsigned count,
+                       uint8 *out_key) {
+  const std::string combined = salt.as_string() + passphrase.as_string();
+  const size_t combined_len = combined.size();
+
+  unsigned done = 0;
+  uint8 zero[1] = {0};
+
+  EVP_MD_CTX ctx;

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

It'd be nice to call this "context" as well.  I know these are probably fairly
well known abbreviations, but it makes it a lot easier to read the code.

[agl, 2011/06/27 20:42:53]

Done.

+  EVP_MD_CTX_init(&ctx);
+
+  for (unsigned i = 0; done < cipher_key_length; i++) {
+    CHECK_EQ(EVP_DigestInit_ex(&ctx, md, NULL), 1);
+
+    for (unsigned j = 0; j < i; j++)
+      EVP_DigestUpdate(&ctx, zero, sizeof(zero));
+
+    unsigned written = 0;

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

Please use uint32_t here (or uint32) and elsewhere, to be more explicit about
the size of the int.  In fact, use of unsigned types is discouraged generally,
except for specific uses.

http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Intege...

[agl, 2011/06/27 20:42:53]

Although I don't mind changing unsigned for uint32 everywhere, I'm certainly not
going to use signed numbers here. Inappropriate use of signed numbers causes
horrible bugs, even in the most careful hands. (See the bcrypt bug in OpenBSD
from last week for example.) 

[Greg Spencer (Chromium), 2011/06/27 21:00:07]

Well, while I'm not entirely in this camp myself, the style guide is pretty
clear on this point, so you probably will have to use signed types here:

"Decision: You should not use the unsigned integer types such as uint32_t,
unless the quantity you are representing is really a bit pattern rather than a
number, or unless you need defined twos-complement overflow. In particular, do
not use unsigned types to say a number will never be negative. Instead, use
assertions for this."

It's also true that inappropriate use of unsigned types can cause horrible bugs
as well, so given that they are both potentially dangerous, I'm inclined to
follow the style guide.

+    while (written < count) {
+      if (written + combined_len > count) {
+        unsigned todo = count - written;
+        EVP_DigestUpdate(&ctx, combined.data(), todo);
+        written = count;
+      } else {
+        EVP_DigestUpdate(&ctx, combined.data(), combined_len);
+        written += combined_len;
+      }
+    }
+
+    unsigned num_hash_bytes;
+    uint8 hash[EVP_MAX_MD_SIZE];
+    CHECK_EQ(EVP_DigestFinal_ex(&ctx, hash, &num_hash_bytes), 1);
+
+    unsigned todo = cipher_key_length - done;
+    if (todo > num_hash_bytes)
+      todo = num_hash_bytes;
+    memcpy(out_key + done, hash, todo);
+    done += todo;
+  }
+
+  EVP_MD_CTX_cleanup(&ctx);
+}
+
+// These constants are the tag numbers for the various packet types that we
+// use.
+static const unsigned kSymmetricKeyEncryptedTag = 3;
+static const unsigned kSymmetricallyEncryptedTag = 18;
+static const unsigned kCompressedTag = 8;
+static const unsigned kLiteralDataTag = 11;
+
+class Decrypter {
+ public:
+  ~Decrypter() {
+    for (std::vector<void*>::iterator
+         i = arena_.begin(); i != arena_.end(); i++) {
+      free(*i);
+    }
+    arena_.clear();
+  }
+
+  OpenPGPSymmetricEncrytion::Result Decrypt(base::StringPiece in,

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

This should be a const reference: const base::StringPiece& in, as should the
passphrase argument.

[agl, 2011/06/27 20:42:53]

That's a misguided optimization in non-performance critical code. Using a const
reference is even slower on 64-bit platforms.

[Greg Spencer (Chromium), 2011/06/27 21:00:07]

It's not meant to just be an optimization.  It is also widely used convention in
most Google code to pass read-only parameters this way, and indicates to the
reader which parts are inputs and not modified.

+                                            base::StringPiece passphrase,
+                                            base::StringPiece *out_contents) {
+    Reader r(in);

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

Please call this "reader" or something more descriptive.  In general, names
which are readable and not abbreviated are preferred: optimize for the reader,
not the typist.

http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Genera...

[agl, 2011/06/27 20:42:53]

Done.

+    unsigned tag;
+    base::StringPiece contents;
+    AES_KEY key;
+
+    if (!ParsePacket(&r, &tag, &contents))
+      return OpenPGPSymmetricEncrytion::PARSE_ERROR;
+    if (tag != kSymmetricKeyEncryptedTag)
+      return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED;
+    Reader inner(contents);
+    OpenPGPSymmetricEncrytion::Result result =
+      ParseSymmetricKeyEncrypted(&inner, passphrase, &key);
+    if (result != OpenPGPSymmetricEncrytion::OK)
+      return result;
+
+    if (!ParsePacket(&r, &tag, &contents))
+      return OpenPGPSymmetricEncrytion::PARSE_ERROR;
+    if (tag != kSymmetricallyEncryptedTag)
+      return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED;
+    if (!r.empty())
+      return OpenPGPSymmetricEncrytion::PARSE_ERROR;
+    inner = Reader(contents);
+    if (!ParseSymmetricallyEncrypted(&inner, &key, &contents))
+      return OpenPGPSymmetricEncrytion::PARSE_ERROR;
+
+    r = Reader(contents);
+    if (!ParsePacket(&r, &tag, &contents))
+      return OpenPGPSymmetricEncrytion::PARSE_ERROR;
+    if (tag == kCompressedTag)
+      return OpenPGPSymmetricEncrytion::COMPRESSED;
+    if (tag != kLiteralDataTag)
+      return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED;
+    inner = Reader(contents);
+    if (!ParseLiteralData(&inner, out_contents))
+      return OpenPGPSymmetricEncrytion::PARSE_ERROR;
+
+    return OpenPGPSymmetricEncrytion::OK;
+  }
+
+ private:
+  // ParsePacket parses an OpenPGP packet from r. See RFC 4880, section 4.2.2.
+  bool ParsePacket(Reader *r,
+                   unsigned *out_tag,
+                   base::StringPiece *out_contents) {
+    uint8 b;

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

Please use a better name here.

[agl, 2011/06/27 20:42:53]

Done.

+    if (!r->U8(&b))
+      return false;
+    if ((b & 0x80) == 0) {
+      // Tag byte must have MSB set.
+      return false;
+    }
+
+    if ((b & 0x40) == 0) {
+      // Old format packet.
+      *out_tag = (b & 0x3f) >> 2;
+
+      uint8 length_type = b & 3;
+      if (length_type == 3) {
+        *out_contents = r->Remainder();
+        return true;
+      }
+
+      const unsigned length_bytes = 1 << length_type;
+      unsigned length = 0;
+      for (unsigned i = 0; i < length_bytes; i++) {
+        uint8 length_byte;
+        if (!r->U8(&length_byte))
+          return false;
+        length <<= 8;
+        length |= length_byte;
+      }
+
+      return r->Prefix(length, out_contents);
+    }
+
+    // New format packet.
+    *out_tag = b & 0x3f;
+    unsigned length;
+    bool is_partial;
+    if (!ParseLength(r, &length, &is_partial))
+      return false;
+    if (is_partial)
+      return ParseStreamContents(r, length, out_contents);
+    return r->Prefix(length, out_contents);
+  }
+
+  // ParseStreamContents parses all the chunks of a partial length stream from
+  // r. See RFC 4880, section 4.2.2.4.

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

Is there a url you could provide here to this spec (preferably to the right
section)?

[agl, 2011/06/27 20:42:53]

Done.

+  bool ParseStreamContents(Reader *r,
+                           unsigned length,
+                           base::StringPiece *out_contents) {
+    const Reader::Position beginning_of_stream = r->tell();
+    const unsigned first_chunk_length = length;
+
+    // First we parse the stream to find its length.
+    if (!r->Skip(length))
+      return false;
+
+    for (;;) {

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

nit: I think "while (true)" is more readable, but it's up to you.

+      unsigned chunk_length;
+      bool is_partial;
+
+      if (!ParseLength(r, &chunk_length, &is_partial))
+        return false;
+      if (length + chunk_length < length)
+        return false;
+      length += chunk_length;
+      if (!r->Skip(chunk_length))
+        return false;
+      if (!is_partial)
+        break;
+    }
+
+    // Now we have the length of the whole stream in |length|.
+    char* buf = reinterpret_cast<char*>(malloc(length));
+    arena_.push_back(buf);
+    unsigned j = 0;
+    r->Seek(beginning_of_stream);
+
+    base::StringPiece first_chunk;
+    if (!r->Prefix(first_chunk_length, &first_chunk))
+      return false;
+    memcpy(buf + j, first_chunk.data(), first_chunk_length);
+    j += first_chunk_length;
+
+    // Now we parse the stream again, this time copying into |buf|
+    for (;;) {
+      unsigned chunk_length;
+      bool is_partial;
+
+      if (!ParseLength(r, &chunk_length, &is_partial))
+        return false;
+      base::StringPiece chunk;
+      if (!r->Prefix(chunk_length, &chunk))
+        return false;
+      memcpy(buf + j, chunk.data(), chunk_length);
+      j += chunk_length;
+      if (!is_partial)
+        break;
+    }
+
+    *out_contents = base::StringPiece(buf, length);
+    return true;
+  }
+
+  // ParseLength parses an OpenPGP length from r. See RFC 4880, section 4.2.2.
+  bool ParseLength(Reader *r, unsigned *out_length, bool *out_is_prefix) {
+    uint8 length_spec;
+    if (!r->U8(&length_spec))
+      return false;
+
+    *out_is_prefix = false;
+    if (length_spec < 192) {

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

It might be good to document these seemingly-arbitrary numbers either with
comments, or by turning them into self documenting constants.  There are a bunch
of these in this code, and it starts to look like magic after a while.

+      *out_length = length_spec;
+      return true;
+    } else if (length_spec < 224) {
+      uint8 next_byte;
+      if (!r->U8(&next_byte))
+        return false;
+
+      *out_length = (length_spec - 192) << 8;
+      *out_length += next_byte;
+      return true;
+    } else if (length_spec < 255) {
+      *out_length = 1u << (length_spec & 0x1f);
+      *out_is_prefix = true;
+      return true;
+    } else {
+      return r->U32(out_length);
+    }
+  }
+
+  // ParseSymmetricKeyEncrypted parses a passphrase protected session key. See
+  // RFC 4880, section 5.3.
+  OpenPGPSymmetricEncrytion::Result ParseSymmetricKeyEncrypted(
+      Reader *r,
+      base::StringPiece passphrase,
+      AES_KEY *out_key) {
+    uint8 version, cipher, s2k_type, hash_func;
+    if (!r->U8(&version) || version != 4)
+      return OpenPGPSymmetricEncrytion::PARSE_ERROR;
+
+    if (!r->U8(&cipher) ||
+        !r->U8(&s2k_type) ||
+        !r->U8(&hash_func)) {
+      return OpenPGPSymmetricEncrytion::PARSE_ERROR;
+    }
+
+    uint8 cipher_key_length = OpenPGPCipherIdToKeyLength(cipher);
+    if (cipher_key_length == 0)
+      return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER;
+
+    const EVP_MD *md;
+    switch (hash_func) {
+    case 2:  // SHA-1
+      md = EVP_sha1();
+      break;
+    case 8:  // SHA-256
+      md = EVP_sha256();
+      break;
+    default:
+      return OpenPGPSymmetricEncrytion::UNKNOWN_HASH;
+    }
+
+    base::StringPiece salt;
+    uint8 key[32], c;

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

Don't declare multiple variables on one line.  Separate "c" out into its own
declaration, and changing its name to something more descriptive.

You also might consider initializing the key array with {0}.

[agl, 2011/06/27 20:42:53]

Done.

+    switch (s2k_type) {
+    case 1:
+      if (!r->Prefix(8, &salt))
+        return OpenPGPSymmetricEncrytion::PARSE_ERROR;
+    case 0:
+      SaltedIteratedS2K(cipher_key_length, md, passphrase, salt,
+                        passphrase.size() + salt.size(), key);
+      break;
+    case 3:
+      if (!r->Prefix(8, &salt) ||
+          !r->U8(&c)) {
+        return OpenPGPSymmetricEncrytion::PARSE_ERROR;
+      }
+      SaltedIteratedS2K(
+          cipher_key_length, md, passphrase, salt,
+          static_cast<unsigned>(16 + (c&15)) << ((c >> 4) + 6), key);
+      break;
+    default:
+      return OpenPGPSymmetricEncrytion::PARSE_ERROR;
+    }
+
+    if (AES_set_encrypt_key(key, 8 * cipher_key_length, out_key))
+      return OpenPGPSymmetricEncrytion::INTERNAL_ERROR;
+
+    if (r->empty()) {
+      // The resulting key is used directly.
+      return OpenPGPSymmetricEncrytion::OK;
+    }
+
+    // The S2K derived key encrypts another key that follows:
+    base::StringPiece encrypted_key = r->Remainder();
+    if (encrypted_key.size() < 1)
+      return OpenPGPSymmetricEncrytion::PARSE_ERROR;
+
+    uint8* plaintext_key = reinterpret_cast<uint8*>(
+        malloc(encrypted_key.size()));
+    arena_.push_back(plaintext_key);
+
+    int num = 0;
+    uint8 iv[16] = {0};
+
+    AES_cfb128_encrypt(reinterpret_cast<const uint8*>(encrypted_key.data()),
+                       plaintext_key,
+                       encrypted_key.size(),
+                       out_key,
+                       iv,
+                       &num,
+                       AES_DECRYPT);
+
+    cipher_key_length = OpenPGPCipherIdToKeyLength(plaintext_key[0]);
+    if (cipher_key_length == 0)
+      return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER;
+    if (encrypted_key.size() != 1u + cipher_key_length)
+      return OpenPGPSymmetricEncrytion::PARSE_ERROR;
+    if (AES_set_encrypt_key(plaintext_key + 1, 8 * cipher_key_length,
+                            out_key)) {
+      return OpenPGPSymmetricEncrytion::INTERNAL_ERROR;
+    }
+    return OpenPGPSymmetricEncrytion::OK;
+  }
+
+  unsigned OpenPGPCipherIdToKeyLength(uint8 cipher) {
+    switch (cipher) {
+    case 7:  // AES-128
+      return 16;
+    case 8:  // AES-192
+      return 24;
+    case 9:  // AES-256
+      return 32;
+    default:
+      return 0;
+    }
+  }
+
+  // ParseSymmetricallyEncrypted parses a Symmetrically Encrypted packet. See
+  // RFC 4880, sections 5.7 and 5.13.
+  bool ParseSymmetricallyEncrypted(Reader *r,
+                                   AES_KEY *key,
+                                   base::StringPiece *out_plaintext) {
+    uint8 version;
+    if (!r->U8(&version) || version != 1)
+      return false;
+
+    base::StringPiece prefix_sp;
+    if (!r->Prefix(AES_BLOCK_SIZE + 2, &prefix_sp))
+      return false;
+    uint8 prefix[AES_BLOCK_SIZE + 2];
+    memcpy(prefix, prefix_sp.data(), sizeof(prefix));
+
+    uint8 prefix_copy[AES_BLOCK_SIZE + 2];
+    uint8 fre[AES_BLOCK_SIZE];

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

Please rename fre to something more descriptive.

[agl, 2011/06/27 20:42:53]

No. It matches the spec.

+
+    memset(prefix_copy, 0, AES_BLOCK_SIZE);
+    AES_ecb_encrypt(prefix_copy, fre, key, AES_ENCRYPT);
+    for (unsigned i = 0; i < AES_BLOCK_SIZE; i++)
+      prefix_copy[i] = fre[i] ^ prefix[i];
+    AES_ecb_encrypt(prefix, fre, key, AES_ENCRYPT);
+    prefix_copy[AES_BLOCK_SIZE] = prefix[AES_BLOCK_SIZE] ^ fre[0];
+    prefix_copy[AES_BLOCK_SIZE + 1] = prefix[AES_BLOCK_SIZE + 1] ^ fre[1];
+
+    if (prefix_copy[AES_BLOCK_SIZE - 2] != prefix_copy[AES_BLOCK_SIZE] ||
+        prefix_copy[AES_BLOCK_SIZE - 1] != prefix_copy[AES_BLOCK_SIZE + 1]) {
+      return false;
+    }
+
+    fre[0] = prefix[AES_BLOCK_SIZE];
+    fre[1] = prefix[AES_BLOCK_SIZE + 1];
+
+    unsigned out_used = 2;
+
+    const unsigned plaintext_size = r->size();
+    if (plaintext_size < 22) {
+      // Too small to contain an MDC trailer.
+      return false;
+    }
+
+    uint8* plaintext = reinterpret_cast<uint8*>(malloc(plaintext_size));
+    arena_.push_back(plaintext);
+
+    for (unsigned i = 0; i < plaintext_size; i++) {
+      uint8 b;
+      if (!r->U8(&b))
+        return false;
+      if (out_used == AES_BLOCK_SIZE) {
+        AES_ecb_encrypt(fre, fre, key, AES_ENCRYPT);
+        out_used = 0;
+      }
+
+      plaintext[i] = b ^ fre[out_used];
+      fre[out_used++] = b;
+    }
+
+    if (plaintext[plaintext_size - SHA_DIGEST_LENGTH - 2] != 0xd3 ||

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

You might add a comment about why you're looking for arbitrary values at the end
of the text.

[agl, 2011/06/27 20:42:53]

Done.

+        plaintext[plaintext_size - SHA_DIGEST_LENGTH - 1] != 0x14) {
+      // Not an MDC packet.

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

What does MDC stand for?

+      return false;
+    }
+
+    SHA_CTX sha1;
+    SHA1_Init(&sha1);
+    SHA1_Update(&sha1, prefix_copy, sizeof(prefix_copy));
+    SHA1_Update(&sha1, plaintext, plaintext_size - SHA_DIGEST_LENGTH);
+    uint8 digest[SHA_DIGEST_LENGTH];
+    SHA1_Final(digest, &sha1);
+
+    if (memcmp(digest, &plaintext[plaintext_size - SHA_DIGEST_LENGTH],
+               SHA_DIGEST_LENGTH) != 0) {
+      return false;
+    }
+
+    *out_plaintext = base::StringPiece(reinterpret_cast<char*>(plaintext),
+                                       plaintext_size - SHA_DIGEST_LENGTH);
+    return true;
+  }
+
+  // ParseLiteralData parses a Literal Data packet. See RFC 4880, section 5.9.
+  bool ParseLiteralData(Reader *r, base::StringPiece *out_data) {
+    uint8 is_binary, filename_len;
+    if (!r->U8(&is_binary) ||
+        !r->U8(&filename_len) ||
+        !r->Skip(filename_len) ||
+        !r->Skip(sizeof(uint32) /* mtime */)) {
+      return false;
+    }
+
+    *out_data = r->Remainder();
+    return true;
+  }
+
+  // arena_ contains malloced pointers that are used as temporary space during
+  // the decryption.
+  std::vector<void*> arena_;
+};
+
+class Encrypter {
+ public:
+  // ByteString is used throughout in order to avoid signedness issues with a
+  // std::string.
+  typedef std::basic_string<uint8> ByteString;
+
+  static ByteString Encrypt(base::StringPiece plaintext,
+                            base::StringPiece passphrase) {
+    ByteString key;
+    ByteString ske = SerializeSymmetricKeyEncrypted(passphrase, &key);

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

Better name needed for "ske".

+
+    ByteString literal_data = SerializeLiteralData(plaintext);
+    ByteString se = SerializeSymmetricallyEncrypted(literal_data, key);

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

Better name needed for "se"

+    return ske + se;
+  }
+
+ private:
+  static ByteString MakePacket(unsigned tag, const ByteString& contents) {
+    ByteString header;
+    header.push_back(0x80 | 0x40 | tag);
+
+    if (contents.size() < 192) {
+      header.push_back(contents.size());
+    } else if (contents.size() < 8384) {
+      size_t length = contents.size();
+      length -= 192;
+      header.push_back(192 + (length >> 8));
+      header.push_back(length & 0xff);
+    } else {
+      size_t length = contents.size();
+      header.push_back(255);
+      header.push_back(length >> 24);
+      header.push_back(length >> 16);
+      header.push_back(length >> 8);
+      header.push_back(length);
+    }
+
+    return header + contents;
+  }
+
+  static ByteString SerializeLiteralData(base::StringPiece contents) {
+    ByteString literal_data;
+    literal_data.push_back(0x74);  // text mode
+    literal_data.push_back(0x00);  // no filename
+    literal_data.push_back(0x00);  // zero mtime
+    literal_data.push_back(0x00);
+    literal_data.push_back(0x00);
+    literal_data.push_back(0x00);
+    literal_data += ByteString(reinterpret_cast<const uint8*>(contents.data()),
+                               contents.size());
+    return MakePacket(kLiteralDataTag, literal_data);
+  }
+
+  static ByteString SerializeSymmetricKeyEncrypted(base::StringPiece passphrase,
+                                                   ByteString *out_key) {
+    ByteString ske;
+    ske.push_back(4);  // version 4
+    ske.push_back(7);  // AES-128
+    ske.push_back(3);  // iterated and salted S2K
+    ske.push_back(2);  // SHA-1
+
+    uint64 salt64 = base::RandUint64();
+    ByteString salt(sizeof(salt64), 0);
+
+    // It's a random value, so endianness doesn't matter.

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

What?  You're not going to byte-flip a completely random number? Haha! :-)

+    ske += ByteString(reinterpret_cast<uint8*>(&salt64), sizeof(salt64));
+    ske.push_back(96);  // iteration count of 65536
+
+    uint8 key[16];
+    SaltedIteratedS2K(
+        sizeof(key), EVP_sha1(), passphrase,
+        base::StringPiece(reinterpret_cast<char*>(&salt64), sizeof(salt64)),
+        65536, key);
+    *out_key = ByteString(key, sizeof(key));
+    return MakePacket(kSymmetricKeyEncryptedTag, ske);
+  }
+
+  static ByteString SerializeSymmetricallyEncrypted(ByteString plaintext,
+                                                    const ByteString& key) {
+    ByteString se;

[Greg Spencer (Chromium), 2011/06/23 20:55:00]

Better name needed for "se".

[agl, 2011/06/27 20:42:53]

Done.

+    se.push_back(1);  // version 1
+    static const unsigned kBlockSize = 16;  // AES block size
+
+    uint8 prefix[kBlockSize + 2], fre[kBlockSize], iv[kBlockSize];
+    base::RandBytes(iv, kBlockSize);
+    memset(fre, 0, sizeof(fre));
+
+    AES_KEY aes_key;
+    AES_set_encrypt_key(key.data(), 8 * key.size(), &aes_key);
+
+    AES_ecb_encrypt(fre, fre, &aes_key, AES_ENCRYPT);
+    for (unsigned i = 0; i < 16; i++)
+      prefix[i] = iv[i] ^ fre[i];
+    AES_ecb_encrypt(prefix, fre, &aes_key, AES_ENCRYPT);
+    prefix[kBlockSize] = iv[kBlockSize - 2] ^ fre[0];
+    prefix[kBlockSize + 1] = iv[kBlockSize - 1] ^ fre[1];
+
+    se += ByteString(prefix, sizeof(prefix));
+
+    ByteString plaintext_copy = plaintext;
+    plaintext_copy.push_back(0xd3);  // MDC packet
+    plaintext_copy.push_back(20);  // packet length (20 bytes)
+
+    SHA_CTX sha1;
+    SHA1_Init(&sha1);
+    SHA1_Update(&sha1, iv, sizeof(iv));
+    SHA1_Update(&sha1, iv + kBlockSize - 2, 2);
+    SHA1_Update(&sha1, plaintext_copy.data(), plaintext_copy.size());
+    uint8 digest[SHA_DIGEST_LENGTH];
+    SHA1_Final(digest, &sha1);
+
+    plaintext_copy += ByteString(digest, sizeof(digest));
+
+    fre[0] = prefix[kBlockSize];
+    fre[1] = prefix[kBlockSize+1];
+    unsigned out_used = 2;
+
+    for (size_t i = 0; i < plaintext_copy.size(); i++) {
+      if (out_used == kBlockSize) {
+        AES_ecb_encrypt(fre, fre, &aes_key, AES_ENCRYPT);
+        out_used = 0;
+      }
+
+      uint8 c = plaintext_copy[i] ^ fre[out_used];
+      fre[out_used++] = c;
+      se.push_back(c);
+    }
+
+    return MakePacket(kSymmetricallyEncryptedTag, se);
+  }
+};
+
+}  // anonymous namespace
+
+// static
+OpenPGPSymmetricEncrytion::Result OpenPGPSymmetricEncrytion::Decrypt(
+    base::StringPiece encrypted,
+    base::StringPiece passphrase,
+    std::string *out) {
+  Decrypter decrypter;
+
+  base::StringPiece result;
+  Result r = decrypter.Decrypt(encrypted, passphrase, &result);
+  if (r == OK)
+    *out = result.as_string();
+  return r;
+}
+
+// static
+std::string OpenPGPSymmetricEncrytion::Encrypt(
+    base::StringPiece plaintext,
+    base::StringPiece passphrase) {
+  Encrypter::ByteString b =
+      Encrypter::Encrypt(plaintext, passphrase);
+  return std::string(reinterpret_cast<const char*>(b.data()), b.size());
+}
+
+}  // namespace crypto