Chromium Code Reviews Chromium Code Reviews
Issue 7247005:
crypto: add OpenPGP symmetric encryption for ChromeOS (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: crypto/openpgp_symmetric_encryption_openssl.cc |
| diff --git a/crypto/openpgp_symmetric_encryption_openssl.cc b/crypto/openpgp_symmetric_encryption_openssl.cc |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..05b2edea3f3ada85a2644262fdf3788f8c6a6dcf |
| --- /dev/null |
| +++ b/crypto/openpgp_symmetric_encryption_openssl.cc |
| @@ -0,0 +1,701 @@ |
| +// Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| +// Use of this source code is governed by a BSD-style license that can be |
| +// found in the LICENSE file. |
| + |
| +#include "crypto/openpgp_symmetric_encryption.h" |
| + |
| +#include <vector> |
| +#include <stdlib.h> |
| + |
| +#include <openssl/evp.h> |
| +#include <openssl/aes.h> |
| +#include <openssl/sha.h> |
| + |
| +#include "base/rand_util.h" |
| +#include "base/logging.h" |
| + |
| +namespace crypto { |
| + |
| +namespace { |
| + |
| +// Reader wraps a StringPiece and provides methods to read several datatypes |
| +// while advancing the StringPiece. |
| +class Reader { |
| + public: |
| + Reader(base::StringPiece input) |
| + : s_(input) { |
| + } |
| + |
| + bool U8(uint8* out) { |
| + if (s_.size() < 1) |
| + return false; |
| + *out = static_cast<uint8>(s_[0]); |
| + s_.remove_prefix(1); |
| + return true; |
| + } |
| + |
| + bool U32(unsigned* out) { |
| + if (s_.size() < 4) |
| + return false; |
| + *out = static_cast<unsigned>(s_[0]) << 24 | |
| + static_cast<unsigned>(s_[1]) << 16 | |
| + static_cast<unsigned>(s_[2]) << 8 | |
| + static_cast<unsigned>(s_[3]); |
| + s_.remove_prefix(4); |
| + return true; |
| + } |
| + |
| + // Prefix sets |*out| to the first |n| bytes of the StringPiece and advances |
| + // the StringPiece by |n|. |
| + bool Prefix(unsigned n, base::StringPiece *out) { |
| + if (s_.size() < n) |
| + return false; |
| + *out = base::StringPiece(s_.data(), n); |
| + s_.remove_prefix(n); |
| + return true; |
| + } |
| + |
| + // Remainder returns the remainer of the StringPiece and advances it to the |
| + // end. |
| + base::StringPiece Remainder() { |
| + base::StringPiece ret = s_; |
| + s_ = base::StringPiece(); |
| + return ret; |
| + } |
| + |
| + typedef base::StringPiece Position; |
| + |
| + Position tell() const { |
| + return s_; |
| + } |
| + |
| + void Seek(Position p) { |
| + s_ = p; |
| + } |
| + |
| + bool Skip(unsigned n) { |
| + if (s_.size() < n) |
| + return false; |
| + s_.remove_prefix(n); |
| + return true; |
| + } |
| + |
| + bool empty() const { |
| + return s_.empty(); |
| + } |
| + |
| + size_t size() const { |
| + return s_.size(); |
| + } |
| + |
| + private: |
| + base::StringPiece s_; |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
Please name this something better: "string_" or "d
agl
2011/06/27 20:42:53
Done.
|
| +}; |
| + |
| +// SaltedIteratedS2K implements the salted and iterated string-to-key |
| +// convertion. See RFC 4880, section 3.7.1.3. |
| +void SaltedIteratedS2K(unsigned cipher_key_length, |
| + const EVP_MD *md, |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
Please change "md" to "digest" or "message_digest"
agl
2011/06/27 20:42:53
Done.
|
| + base::StringPiece passphrase, |
| + base::StringPiece salt, |
| + unsigned count, |
| + uint8 *out_key) { |
| + const std::string combined = salt.as_string() + passphrase.as_string(); |
| + const size_t combined_len = combined.size(); |
| + |
| + unsigned done = 0; |
| + uint8 zero[1] = {0}; |
| + |
| + EVP_MD_CTX ctx; |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
It'd be nice to call this "context" as well. I kn
agl
2011/06/27 20:42:53
Done.
|
| + EVP_MD_CTX_init(&ctx); |
| + |
| + for (unsigned i = 0; done < cipher_key_length; i++) { |
| + CHECK_EQ(EVP_DigestInit_ex(&ctx, md, NULL), 1); |
| + |
| + for (unsigned j = 0; j < i; j++) |
| + EVP_DigestUpdate(&ctx, zero, sizeof(zero)); |
| + |
| + unsigned written = 0; |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
Please use uint32_t here (or uint32) and elsewhere
agl
2011/06/27 20:42:53
Although I don't mind changing unsigned for uint32
Greg Spencer (Chromium)
2011/06/27 21:00:07
Well, while I'm not entirely in this camp myself,
|
| + while (written < count) { |
| + if (written + combined_len > count) { |
| + unsigned todo = count - written; |
| + EVP_DigestUpdate(&ctx, combined.data(), todo); |
| + written = count; |
| + } else { |
| + EVP_DigestUpdate(&ctx, combined.data(), combined_len); |
| + written += combined_len; |
| + } |
| + } |
| + |
| + unsigned num_hash_bytes; |
| + uint8 hash[EVP_MAX_MD_SIZE]; |
| + CHECK_EQ(EVP_DigestFinal_ex(&ctx, hash, &num_hash_bytes), 1); |
| + |
| + unsigned todo = cipher_key_length - done; |
| + if (todo > num_hash_bytes) |
| + todo = num_hash_bytes; |
| + memcpy(out_key + done, hash, todo); |
| + done += todo; |
| + } |
| + |
| + EVP_MD_CTX_cleanup(&ctx); |
| +} |
| + |
| +// These constants are the tag numbers for the various packet types that we |
| +// use. |
| +static const unsigned kSymmetricKeyEncryptedTag = 3; |
| +static const unsigned kSymmetricallyEncryptedTag = 18; |
| +static const unsigned kCompressedTag = 8; |
| +static const unsigned kLiteralDataTag = 11; |
| + |
| +class Decrypter { |
| + public: |
| + ~Decrypter() { |
| + for (std::vector<void*>::iterator |
| + i = arena_.begin(); i != arena_.end(); i++) { |
| + free(*i); |
| + } |
| + arena_.clear(); |
| + } |
| + |
| + OpenPGPSymmetricEncrytion::Result Decrypt(base::StringPiece in, |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
This should be a const reference: const base::Stri
agl
2011/06/27 20:42:53
That's a misguided optimization in non-performance
Greg Spencer (Chromium)
2011/06/27 21:00:07
It's not meant to just be an optimization. It is
|
| + base::StringPiece passphrase, |
| + base::StringPiece *out_contents) { |
| + Reader r(in); |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
Please call this "reader" or something more descri
agl
2011/06/27 20:42:53
Done.
|
| + unsigned tag; |
| + base::StringPiece contents; |
| + AES_KEY key; |
| + |
| + if (!ParsePacket(&r, &tag, &contents)) |
| + return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| + if (tag != kSymmetricKeyEncryptedTag) |
| + return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED; |
| + Reader inner(contents); |
| + OpenPGPSymmetricEncrytion::Result result = |
| + ParseSymmetricKeyEncrypted(&inner, passphrase, &key); |
| + if (result != OpenPGPSymmetricEncrytion::OK) |
| + return result; |
| + |
| + if (!ParsePacket(&r, &tag, &contents)) |
| + return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| + if (tag != kSymmetricallyEncryptedTag) |
| + return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED; |
| + if (!r.empty()) |
| + return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| + inner = Reader(contents); |
| + if (!ParseSymmetricallyEncrypted(&inner, &key, &contents)) |
| + return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| + |
| + r = Reader(contents); |
| + if (!ParsePacket(&r, &tag, &contents)) |
| + return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| + if (tag == kCompressedTag) |
| + return OpenPGPSymmetricEncrytion::COMPRESSED; |
| + if (tag != kLiteralDataTag) |
| + return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED; |
| + inner = Reader(contents); |
| + if (!ParseLiteralData(&inner, out_contents)) |
| + return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| + |
| + return OpenPGPSymmetricEncrytion::OK; |
| + } |
| + |
| + private: |
| + // ParsePacket parses an OpenPGP packet from r. See RFC 4880, section 4.2.2. |
| + bool ParsePacket(Reader *r, |
| + unsigned *out_tag, |
| + base::StringPiece *out_contents) { |
| + uint8 b; |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
Please use a better name here.
agl
2011/06/27 20:42:53
Done.
|
| + if (!r->U8(&b)) |
| + return false; |
| + if ((b & 0x80) == 0) { |
| + // Tag byte must have MSB set. |
| + return false; |
| + } |
| + |
| + if ((b & 0x40) == 0) { |
| + // Old format packet. |
| + *out_tag = (b & 0x3f) >> 2; |
| + |
| + uint8 length_type = b & 3; |
| + if (length_type == 3) { |
| + *out_contents = r->Remainder(); |
| + return true; |
| + } |
| + |
| + const unsigned length_bytes = 1 << length_type; |
| + unsigned length = 0; |
| + for (unsigned i = 0; i < length_bytes; i++) { |
| + uint8 length_byte; |
| + if (!r->U8(&length_byte)) |
| + return false; |
| + length <<= 8; |
| + length |= length_byte; |
| + } |
| + |
| + return r->Prefix(length, out_contents); |
| + } |
| + |
| + // New format packet. |
| + *out_tag = b & 0x3f; |
| + unsigned length; |
| + bool is_partial; |
| + if (!ParseLength(r, &length, &is_partial)) |
| + return false; |
| + if (is_partial) |
| + return ParseStreamContents(r, length, out_contents); |
| + return r->Prefix(length, out_contents); |
| + } |
| + |
| + // ParseStreamContents parses all the chunks of a partial length stream from |
| + // r. See RFC 4880, section 4.2.2.4. |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
Is there a url you could provide here to this spec
agl
2011/06/27 20:42:53
Done.
|
| + bool ParseStreamContents(Reader *r, |
| + unsigned length, |
| + base::StringPiece *out_contents) { |
| + const Reader::Position beginning_of_stream = r->tell(); |
| + const unsigned first_chunk_length = length; |
| + |
| + // First we parse the stream to find its length. |
| + if (!r->Skip(length)) |
| + return false; |
| + |
| + for (;;) { |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
nit: I think "while (true)" is more readable, but
|
| + unsigned chunk_length; |
| + bool is_partial; |
| + |
| + if (!ParseLength(r, &chunk_length, &is_partial)) |
| + return false; |
| + if (length + chunk_length < length) |
| + return false; |
| + length += chunk_length; |
| + if (!r->Skip(chunk_length)) |
| + return false; |
| + if (!is_partial) |
| + break; |
| + } |
| + |
| + // Now we have the length of the whole stream in |length|. |
| + char* buf = reinterpret_cast<char*>(malloc(length)); |
| + arena_.push_back(buf); |
| + unsigned j = 0; |
| + r->Seek(beginning_of_stream); |
| + |
| + base::StringPiece first_chunk; |
| + if (!r->Prefix(first_chunk_length, &first_chunk)) |
| + return false; |
| + memcpy(buf + j, first_chunk.data(), first_chunk_length); |
| + j += first_chunk_length; |
| + |
| + // Now we parse the stream again, this time copying into |buf| |
| + for (;;) { |
| + unsigned chunk_length; |
| + bool is_partial; |
| + |
| + if (!ParseLength(r, &chunk_length, &is_partial)) |
| + return false; |
| + base::StringPiece chunk; |
| + if (!r->Prefix(chunk_length, &chunk)) |
| + return false; |
| + memcpy(buf + j, chunk.data(), chunk_length); |
| + j += chunk_length; |
| + if (!is_partial) |
| + break; |
| + } |
| + |
| + *out_contents = base::StringPiece(buf, length); |
| + return true; |
| + } |
| + |
| + // ParseLength parses an OpenPGP length from r. See RFC 4880, section 4.2.2. |
| + bool ParseLength(Reader *r, unsigned *out_length, bool *out_is_prefix) { |
| + uint8 length_spec; |
| + if (!r->U8(&length_spec)) |
| + return false; |
| + |
| + *out_is_prefix = false; |
| + if (length_spec < 192) { |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
It might be good to document these seemingly-arbit
|
| + *out_length = length_spec; |
| + return true; |
| + } else if (length_spec < 224) { |
| + uint8 next_byte; |
| + if (!r->U8(&next_byte)) |
| + return false; |
| + |
| + *out_length = (length_spec - 192) << 8; |
| + *out_length += next_byte; |
| + return true; |
| + } else if (length_spec < 255) { |
| + *out_length = 1u << (length_spec & 0x1f); |
| + *out_is_prefix = true; |
| + return true; |
| + } else { |
| + return r->U32(out_length); |
| + } |
| + } |
| + |
| + // ParseSymmetricKeyEncrypted parses a passphrase protected session key. See |
| + // RFC 4880, section 5.3. |
| + OpenPGPSymmetricEncrytion::Result ParseSymmetricKeyEncrypted( |
| + Reader *r, |
| + base::StringPiece passphrase, |
| + AES_KEY *out_key) { |
| + uint8 version, cipher, s2k_type, hash_func; |
| + if (!r->U8(&version) || version != 4) |
| + return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| + |
| + if (!r->U8(&cipher) || |
| + !r->U8(&s2k_type) || |
| + !r->U8(&hash_func)) { |
| + return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| + } |
| + |
| + uint8 cipher_key_length = OpenPGPCipherIdToKeyLength(cipher); |
| + if (cipher_key_length == 0) |
| + return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER; |
| + |
| + const EVP_MD *md; |
| + switch (hash_func) { |
| + case 2: // SHA-1 |
| + md = EVP_sha1(); |
| + break; |
| + case 8: // SHA-256 |
| + md = EVP_sha256(); |
| + break; |
| + default: |
| + return OpenPGPSymmetricEncrytion::UNKNOWN_HASH; |
| + } |
| + |
| + base::StringPiece salt; |
| + uint8 key[32], c; |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
Don't declare multiple variables on one line. Sep
agl
2011/06/27 20:42:53
Done.
|
| + switch (s2k_type) { |
| + case 1: |
| + if (!r->Prefix(8, &salt)) |
| + return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| + case 0: |
| + SaltedIteratedS2K(cipher_key_length, md, passphrase, salt, |
| + passphrase.size() + salt.size(), key); |
| + break; |
| + case 3: |
| + if (!r->Prefix(8, &salt) || |
| + !r->U8(&c)) { |
| + return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| + } |
| + SaltedIteratedS2K( |
| + cipher_key_length, md, passphrase, salt, |
| + static_cast<unsigned>(16 + (c&15)) << ((c >> 4) + 6), key); |
| + break; |
| + default: |
| + return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| + } |
| + |
| + if (AES_set_encrypt_key(key, 8 * cipher_key_length, out_key)) |
| + return OpenPGPSymmetricEncrytion::INTERNAL_ERROR; |
| + |
| + if (r->empty()) { |
| + // The resulting key is used directly. |
| + return OpenPGPSymmetricEncrytion::OK; |
| + } |
| + |
| + // The S2K derived key encrypts another key that follows: |
| + base::StringPiece encrypted_key = r->Remainder(); |
| + if (encrypted_key.size() < 1) |
| + return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| + |
| + uint8* plaintext_key = reinterpret_cast<uint8*>( |
| + malloc(encrypted_key.size())); |
| + arena_.push_back(plaintext_key); |
| + |
| + int num = 0; |
| + uint8 iv[16] = {0}; |
| + |
| + AES_cfb128_encrypt(reinterpret_cast<const uint8*>(encrypted_key.data()), |
| + plaintext_key, |
| + encrypted_key.size(), |
| + out_key, |
| + iv, |
| + &num, |
| + AES_DECRYPT); |
| + |
| + cipher_key_length = OpenPGPCipherIdToKeyLength(plaintext_key[0]); |
| + if (cipher_key_length == 0) |
| + return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER; |
| + if (encrypted_key.size() != 1u + cipher_key_length) |
| + return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| + if (AES_set_encrypt_key(plaintext_key + 1, 8 * cipher_key_length, |
| + out_key)) { |
| + return OpenPGPSymmetricEncrytion::INTERNAL_ERROR; |
| + } |
| + return OpenPGPSymmetricEncrytion::OK; |
| + } |
| + |
| + unsigned OpenPGPCipherIdToKeyLength(uint8 cipher) { |
| + switch (cipher) { |
| + case 7: // AES-128 |
| + return 16; |
| + case 8: // AES-192 |
| + return 24; |
| + case 9: // AES-256 |
| + return 32; |
| + default: |
| + return 0; |
| + } |
| + } |
| + |
| + // ParseSymmetricallyEncrypted parses a Symmetrically Encrypted packet. See |
| + // RFC 4880, sections 5.7 and 5.13. |
| + bool ParseSymmetricallyEncrypted(Reader *r, |
| + AES_KEY *key, |
| + base::StringPiece *out_plaintext) { |
| + uint8 version; |
| + if (!r->U8(&version) || version != 1) |
| + return false; |
| + |
| + base::StringPiece prefix_sp; |
| + if (!r->Prefix(AES_BLOCK_SIZE + 2, &prefix_sp)) |
| + return false; |
| + uint8 prefix[AES_BLOCK_SIZE + 2]; |
| + memcpy(prefix, prefix_sp.data(), sizeof(prefix)); |
| + |
| + uint8 prefix_copy[AES_BLOCK_SIZE + 2]; |
| + uint8 fre[AES_BLOCK_SIZE]; |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
Please rename fre to something more descriptive.
agl
2011/06/27 20:42:53
No. It matches the spec.
|
| + |
| + memset(prefix_copy, 0, AES_BLOCK_SIZE); |
| + AES_ecb_encrypt(prefix_copy, fre, key, AES_ENCRYPT); |
| + for (unsigned i = 0; i < AES_BLOCK_SIZE; i++) |
| + prefix_copy[i] = fre[i] ^ prefix[i]; |
| + AES_ecb_encrypt(prefix, fre, key, AES_ENCRYPT); |
| + prefix_copy[AES_BLOCK_SIZE] = prefix[AES_BLOCK_SIZE] ^ fre[0]; |
| + prefix_copy[AES_BLOCK_SIZE + 1] = prefix[AES_BLOCK_SIZE + 1] ^ fre[1]; |
| + |
| + if (prefix_copy[AES_BLOCK_SIZE - 2] != prefix_copy[AES_BLOCK_SIZE] || |
| + prefix_copy[AES_BLOCK_SIZE - 1] != prefix_copy[AES_BLOCK_SIZE + 1]) { |
| + return false; |
| + } |
| + |
| + fre[0] = prefix[AES_BLOCK_SIZE]; |
| + fre[1] = prefix[AES_BLOCK_SIZE + 1]; |
| + |
| + unsigned out_used = 2; |
| + |
| + const unsigned plaintext_size = r->size(); |
| + if (plaintext_size < 22) { |
| + // Too small to contain an MDC trailer. |
| + return false; |
| + } |
| + |
| + uint8* plaintext = reinterpret_cast<uint8*>(malloc(plaintext_size)); |
| + arena_.push_back(plaintext); |
| + |
| + for (unsigned i = 0; i < plaintext_size; i++) { |
| + uint8 b; |
| + if (!r->U8(&b)) |
| + return false; |
| + if (out_used == AES_BLOCK_SIZE) { |
| + AES_ecb_encrypt(fre, fre, key, AES_ENCRYPT); |
| + out_used = 0; |
| + } |
| + |
| + plaintext[i] = b ^ fre[out_used]; |
| + fre[out_used++] = b; |
| + } |
| + |
| + if (plaintext[plaintext_size - SHA_DIGEST_LENGTH - 2] != 0xd3 || |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
You might add a comment about why you're looking f
agl
2011/06/27 20:42:53
Done.
|
| + plaintext[plaintext_size - SHA_DIGEST_LENGTH - 1] != 0x14) { |
| + // Not an MDC packet. |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
What does MDC stand for?
|
| + return false; |
| + } |
| + |
| + SHA_CTX sha1; |
| + SHA1_Init(&sha1); |
| + SHA1_Update(&sha1, prefix_copy, sizeof(prefix_copy)); |
| + SHA1_Update(&sha1, plaintext, plaintext_size - SHA_DIGEST_LENGTH); |
| + uint8 digest[SHA_DIGEST_LENGTH]; |
| + SHA1_Final(digest, &sha1); |
| + |
| + if (memcmp(digest, &plaintext[plaintext_size - SHA_DIGEST_LENGTH], |
| + SHA_DIGEST_LENGTH) != 0) { |
| + return false; |
| + } |
| + |
| + *out_plaintext = base::StringPiece(reinterpret_cast<char*>(plaintext), |
| + plaintext_size - SHA_DIGEST_LENGTH); |
| + return true; |
| + } |
| + |
| + // ParseLiteralData parses a Literal Data packet. See RFC 4880, section 5.9. |
| + bool ParseLiteralData(Reader *r, base::StringPiece *out_data) { |
| + uint8 is_binary, filename_len; |
| + if (!r->U8(&is_binary) || |
| + !r->U8(&filename_len) || |
| + !r->Skip(filename_len) || |
| + !r->Skip(sizeof(uint32) /* mtime */)) { |
| + return false; |
| + } |
| + |
| + *out_data = r->Remainder(); |
| + return true; |
| + } |
| + |
| + // arena_ contains malloced pointers that are used as temporary space during |
| + // the decryption. |
| + std::vector<void*> arena_; |
| +}; |
| + |
| +class Encrypter { |
| + public: |
| + // ByteString is used throughout in order to avoid signedness issues with a |
| + // std::string. |
| + typedef std::basic_string<uint8> ByteString; |
| + |
| + static ByteString Encrypt(base::StringPiece plaintext, |
| + base::StringPiece passphrase) { |
| + ByteString key; |
| + ByteString ske = SerializeSymmetricKeyEncrypted(passphrase, &key); |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
Better name needed for "ske".
|
| + |
| + ByteString literal_data = SerializeLiteralData(plaintext); |
| + ByteString se = SerializeSymmetricallyEncrypted(literal_data, key); |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
Better name needed for "se"
|
| + return ske + se; |
| + } |
| + |
| + private: |
| + static ByteString MakePacket(unsigned tag, const ByteString& contents) { |
| + ByteString header; |
| + header.push_back(0x80 | 0x40 | tag); |
| + |
| + if (contents.size() < 192) { |
| + header.push_back(contents.size()); |
| + } else if (contents.size() < 8384) { |
| + size_t length = contents.size(); |
| + length -= 192; |
| + header.push_back(192 + (length >> 8)); |
| + header.push_back(length & 0xff); |
| + } else { |
| + size_t length = contents.size(); |
| + header.push_back(255); |
| + header.push_back(length >> 24); |
| + header.push_back(length >> 16); |
| + header.push_back(length >> 8); |
| + header.push_back(length); |
| + } |
| + |
| + return header + contents; |
| + } |
| + |
| + static ByteString SerializeLiteralData(base::StringPiece contents) { |
| + ByteString literal_data; |
| + literal_data.push_back(0x74); // text mode |
| + literal_data.push_back(0x00); // no filename |
| + literal_data.push_back(0x00); // zero mtime |
| + literal_data.push_back(0x00); |
| + literal_data.push_back(0x00); |
| + literal_data.push_back(0x00); |
| + literal_data += ByteString(reinterpret_cast<const uint8*>(contents.data()), |
| + contents.size()); |
| + return MakePacket(kLiteralDataTag, literal_data); |
| + } |
| + |
| + static ByteString SerializeSymmetricKeyEncrypted(base::StringPiece passphrase, |
| + ByteString *out_key) { |
| + ByteString ske; |
| + ske.push_back(4); // version 4 |
| + ske.push_back(7); // AES-128 |
| + ske.push_back(3); // iterated and salted S2K |
| + ske.push_back(2); // SHA-1 |
| + |
| + uint64 salt64 = base::RandUint64(); |
| + ByteString salt(sizeof(salt64), 0); |
| + |
| + // It's a random value, so endianness doesn't matter. |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
What? You're not going to byte-flip a completely
|
| + ske += ByteString(reinterpret_cast<uint8*>(&salt64), sizeof(salt64)); |
| + ske.push_back(96); // iteration count of 65536 |
| + |
| + uint8 key[16]; |
| + SaltedIteratedS2K( |
| + sizeof(key), EVP_sha1(), passphrase, |
| + base::StringPiece(reinterpret_cast<char*>(&salt64), sizeof(salt64)), |
| + 65536, key); |
| + *out_key = ByteString(key, sizeof(key)); |
| + return MakePacket(kSymmetricKeyEncryptedTag, ske); |
| + } |
| + |
| + static ByteString SerializeSymmetricallyEncrypted(ByteString plaintext, |
| + const ByteString& key) { |
| + ByteString se; |
|
Greg Spencer (Chromium)
2011/06/23 20:55:00
Better name needed for "se".
agl
2011/06/27 20:42:53
Done.
|
| + se.push_back(1); // version 1 |
| + static const unsigned kBlockSize = 16; // AES block size |
| + |
| + uint8 prefix[kBlockSize + 2], fre[kBlockSize], iv[kBlockSize]; |
| + base::RandBytes(iv, kBlockSize); |
| + memset(fre, 0, sizeof(fre)); |
| + |
| + AES_KEY aes_key; |
| + AES_set_encrypt_key(key.data(), 8 * key.size(), &aes_key); |
| + |
| + AES_ecb_encrypt(fre, fre, &aes_key, AES_ENCRYPT); |
| + for (unsigned i = 0; i < 16; i++) |
| + prefix[i] = iv[i] ^ fre[i]; |
| + AES_ecb_encrypt(prefix, fre, &aes_key, AES_ENCRYPT); |
| + prefix[kBlockSize] = iv[kBlockSize - 2] ^ fre[0]; |
| + prefix[kBlockSize + 1] = iv[kBlockSize - 1] ^ fre[1]; |
| + |
| + se += ByteString(prefix, sizeof(prefix)); |
| + |
| + ByteString plaintext_copy = plaintext; |
| + plaintext_copy.push_back(0xd3); // MDC packet |
| + plaintext_copy.push_back(20); // packet length (20 bytes) |
| + |
| + SHA_CTX sha1; |
| + SHA1_Init(&sha1); |
| + SHA1_Update(&sha1, iv, sizeof(iv)); |
| + SHA1_Update(&sha1, iv + kBlockSize - 2, 2); |
| + SHA1_Update(&sha1, plaintext_copy.data(), plaintext_copy.size()); |
| + uint8 digest[SHA_DIGEST_LENGTH]; |
| + SHA1_Final(digest, &sha1); |
| + |
| + plaintext_copy += ByteString(digest, sizeof(digest)); |
| + |
| + fre[0] = prefix[kBlockSize]; |
| + fre[1] = prefix[kBlockSize+1]; |
| + unsigned out_used = 2; |
| + |
| + for (size_t i = 0; i < plaintext_copy.size(); i++) { |
| + if (out_used == kBlockSize) { |
| + AES_ecb_encrypt(fre, fre, &aes_key, AES_ENCRYPT); |
| + out_used = 0; |
| + } |
| + |
| + uint8 c = plaintext_copy[i] ^ fre[out_used]; |
| + fre[out_used++] = c; |
| + se.push_back(c); |
| + } |
| + |
| + return MakePacket(kSymmetricallyEncryptedTag, se); |
| + } |
| +}; |
| + |
| +} // anonymous namespace |
| + |
| +// static |
| +OpenPGPSymmetricEncrytion::Result OpenPGPSymmetricEncrytion::Decrypt( |
| + base::StringPiece encrypted, |
| + base::StringPiece passphrase, |
| + std::string *out) { |
| + Decrypter decrypter; |
| + |
| + base::StringPiece result; |
| + Result r = decrypter.Decrypt(encrypted, passphrase, &result); |
| + if (r == OK) |
| + *out = result.as_string(); |
| + return r; |
| +} |
| + |
| +// static |
| +std::string OpenPGPSymmetricEncrytion::Encrypt( |
| + base::StringPiece plaintext, |
| + base::StringPiece passphrase) { |
| + Encrypter::ByteString b = |
| + Encrypter::Encrypt(plaintext, passphrase); |
| + return std::string(reinterpret_cast<const char*>(b.data()), b.size()); |
| +} |
| + |
| +} // namespace crypto |
