| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "crypto/openpgp_symmetric_encryption.h" | 5 #include "crypto/openpgp_symmetric_encryption.h" |
| 6 | 6 |
| 7 #include <vector> | |
| 8 #include <stdlib.h> | 7 #include <stdlib.h> |
| 9 | 8 |
| 10 #include <openssl/evp.h> | 9 #include <sechash.h> |
| 11 #include <openssl/aes.h> | 10 #include <cryptohi.h> |
| 12 #include <openssl/sha.h> | |
| 13 | 11 |
| 12 #include <vector> |
| 13 |
| 14 #include "base/logging.h" |
| 14 #include "base/rand_util.h" | 15 #include "base/rand_util.h" |
| 15 #include "base/logging.h" | 16 #include "crypto/scoped_nss_types.h" |
| 16 | 17 |
| 17 namespace crypto { | 18 namespace crypto { |
| 18 | 19 |
| 19 namespace { | 20 namespace { |
| 20 | 21 |
| 21 // Reader wraps a StringPiece and provides methods to read several datatypes | 22 // Reader wraps a StringPiece and provides methods to read several datatypes |
| 22 // while advancing the StringPiece. | 23 // while advancing the StringPiece. |
| 23 class Reader { | 24 class Reader { |
| 24 public: | 25 public: |
| 25 Reader(base::StringPiece input) | 26 Reader(base::StringPiece input) |
| (...skipping 14 matching lines...) Expand all Loading... |
| 40 *out = static_cast<uint32>(data_[0]) << 24 | | 41 *out = static_cast<uint32>(data_[0]) << 24 | |
| 41 static_cast<uint32>(data_[1]) << 16 | | 42 static_cast<uint32>(data_[1]) << 16 | |
| 42 static_cast<uint32>(data_[2]) << 8 | | 43 static_cast<uint32>(data_[2]) << 8 | |
| 43 static_cast<uint32>(data_[3]); | 44 static_cast<uint32>(data_[3]); |
| 44 data_.remove_prefix(4); | 45 data_.remove_prefix(4); |
| 45 return true; | 46 return true; |
| 46 } | 47 } |
| 47 | 48 |
| 48 // Prefix sets |*out| to the first |n| bytes of the StringPiece and advances | 49 // Prefix sets |*out| to the first |n| bytes of the StringPiece and advances |
| 49 // the StringPiece by |n|. | 50 // the StringPiece by |n|. |
| 50 bool Prefix(uint32 n, base::StringPiece *out) { | 51 bool Prefix(size_t n, base::StringPiece *out) { |
| 51 if (data_.size() < n) | 52 if (data_.size() < n) |
| 52 return false; | 53 return false; |
| 53 *out = base::StringPiece(data_.data(), n); | 54 *out = base::StringPiece(data_.data(), n); |
| 54 data_.remove_prefix(n); | 55 data_.remove_prefix(n); |
| 55 return true; | 56 return true; |
| 56 } | 57 } |
| 57 | 58 |
| 58 // Remainder returns the remainer of the StringPiece and advances it to the | 59 // Remainder returns the remainer of the StringPiece and advances it to the |
| 59 // end. | 60 // end. |
| 60 base::StringPiece Remainder() { | 61 base::StringPiece Remainder() { |
| 61 base::StringPiece ret = data_; | 62 base::StringPiece ret = data_; |
| 62 data_ = base::StringPiece(); | 63 data_ = base::StringPiece(); |
| 63 return ret; | 64 return ret; |
| 64 } | 65 } |
| 65 | 66 |
| 66 typedef base::StringPiece Position; | 67 typedef base::StringPiece Position; |
| 67 | 68 |
| 68 Position tell() const { | 69 Position tell() const { |
| 69 return data_; | 70 return data_; |
| 70 } | 71 } |
| 71 | 72 |
| 72 void Seek(Position p) { | 73 void Seek(Position p) { |
| 73 data_ = p; | 74 data_ = p; |
| 74 } | 75 } |
| 75 | 76 |
| 76 bool Skip(uint32 n) { | 77 bool Skip(size_t n) { |
| 77 if (data_.size() < n) | 78 if (data_.size() < n) |
| 78 return false; | 79 return false; |
| 79 data_.remove_prefix(n); | 80 data_.remove_prefix(n); |
| 80 return true; | 81 return true; |
| 81 } | 82 } |
| 82 | 83 |
| 83 bool empty() const { | 84 bool empty() const { |
| 84 return data_.empty(); | 85 return data_.empty(); |
| 85 } | 86 } |
| 86 | 87 |
| 87 size_t size() const { | 88 size_t size() const { |
| 88 return data_.size(); | 89 return data_.size(); |
| 89 } | 90 } |
| 90 | 91 |
| 91 private: | 92 private: |
| 92 base::StringPiece data_; | 93 base::StringPiece data_; |
| 93 }; | 94 }; |
| 94 | 95 |
| 95 // SaltedIteratedS2K implements the salted and iterated string-to-key | 96 // SaltedIteratedS2K implements the salted and iterated string-to-key |
| 96 // convertion. See RFC 4880, section 3.7.1.3. | 97 // convertion. See RFC 4880, section 3.7.1.3. |
| 97 void SaltedIteratedS2K(uint32 cipher_key_length, | 98 void SaltedIteratedS2K(unsigned cipher_key_length, |
| 98 const EVP_MD *hash_function, | 99 HASH_HashType hash_function, |
| 99 base::StringPiece passphrase, | 100 base::StringPiece passphrase, |
| 100 base::StringPiece salt, | 101 base::StringPiece salt, |
| 101 uint32 count, | 102 unsigned count, |
| 102 uint8 *out_key) { | 103 uint8 *out_key) { |
| 103 const std::string combined = salt.as_string() + passphrase.as_string(); | 104 const std::string combined = salt.as_string() + passphrase.as_string(); |
| 104 const size_t combined_len = combined.size(); | 105 const size_t combined_len = combined.size(); |
| 105 | 106 |
| 106 uint32 done = 0; | 107 unsigned done = 0; |
| 107 uint8 zero[1] = {0}; | 108 uint8 zero[1] = {0}; |
| 108 | 109 |
| 109 EVP_MD_CTX ctx; | 110 HASHContext* hash_context = HASH_Create(hash_function); |
| 110 EVP_MD_CTX_init(&context); | |
| 111 | 111 |
| 112 for (uint32 i = 0; done < cipher_key_length; i++) { | 112 for (unsigned i = 0; done < cipher_key_length; i++) { |
| 113 CHECK_EQ(EVP_DigestInit_ex(&ctx, hash_function, NULL), 1); | 113 HASH_Begin(hash_context); |
| 114 | 114 |
| 115 for (uint32 j = 0; j < i; j++) | 115 for (unsigned j = 0; j < i; j++) |
| 116 EVP_DigestUpdate(&ctx, zero, sizeof(zero)); | 116 HASH_Update(hash_context, zero, sizeof(zero)); |
| 117 | 117 |
| 118 uint32 written = 0; | 118 unsigned written = 0; |
| 119 while (written < count) { | 119 while (written < count) { |
| 120 if (written + combined_len > count) { | 120 if (written + combined_len > count) { |
| 121 uint32 todo = count - written; | 121 unsigned todo = count - written; |
| 122 EVP_DigestUpdate(&ctx, combined.data(), todo); | 122 HASH_Update(hash_context, |
| 123 reinterpret_cast<const uint8*>(combined.data()), |
| 124 todo); |
| 123 written = count; | 125 written = count; |
| 124 } else { | 126 } else { |
| 125 EVP_DigestUpdate(&ctx, combined.data(), combined_len); | 127 HASH_Update(hash_context, |
| 128 reinterpret_cast<const uint8*>(combined.data()), |
| 129 combined_len); |
| 126 written += combined_len; | 130 written += combined_len; |
| 127 } | 131 } |
| 128 } | 132 } |
| 129 | 133 |
| 130 uint32 num_hash_bytes; | 134 unsigned num_hash_bytes; |
| 131 uint8 hash[EVP_MAX_MD_SIZE]; | 135 uint8 digest[HASH_LENGTH_MAX]; |
| 132 CHECK_EQ(EVP_DigestFinal_ex(&ctx, hash, &num_hash_bytes), 1); | 136 HASH_End(hash_context, digest, &num_hash_bytes, sizeof(digest)); |
| 133 | 137 |
| 134 uint32 todo = cipher_key_length - done; | 138 unsigned todo = cipher_key_length - done; |
| 135 if (todo > num_hash_bytes) | 139 if (todo > num_hash_bytes) |
| 136 todo = num_hash_bytes; | 140 todo = num_hash_bytes; |
| 137 memcpy(out_key + done, hash, todo); | 141 memcpy(out_key + done, digest, todo); |
| 138 done += todo; | 142 done += todo; |
| 139 } | 143 } |
| 140 | 144 |
| 141 EVP_MD_CTX_cleanup(&context); | 145 HASH_Destroy(hash_context); |
| 142 } | 146 } |
| 143 | 147 |
| 148 // CreateAESContext sets up |out_key| to be an AES context, with the given key, |
| 149 // in ECB mode and with no IV. |
| 150 bool CreateAESContext(const uint8* key, unsigned key_len, |
| 151 ScopedPK11Context* out_decryption_context) { |
| 152 ScopedPK11Slot slot(PK11_GetBestSlot(CKM_AES_ECB, NULL)); |
| 153 if (!slot.get()) |
| 154 return false; |
| 155 SECItem key_item; |
| 156 key_item.type = siBuffer; |
| 157 key_item.data = const_cast<uint8*>(key); |
| 158 key_item.len = key_len; |
| 159 ScopedPK11SymKey pk11_key(PK11_ImportSymKey( |
| 160 slot.get(), CKM_AES_ECB, PK11_OriginUnwrap, CKA_ENCRYPT, &key_item, |
| 161 NULL)); |
| 162 if (!pk11_key.get()) |
| 163 return false; |
| 164 ScopedSECItem iv_param(PK11_ParamFromIV(CKM_AES_ECB, NULL)); |
| 165 out_decryption_context->reset( |
| 166 PK11_CreateContextBySymKey(CKM_AES_ECB, CKA_ENCRYPT, pk11_key.get(), |
| 167 iv_param.get())); |
| 168 return out_decryption_context->get() != NULL; |
| 169 } |
| 170 |
| 171 |
| 144 // These constants are the tag numbers for the various packet types that we | 172 // These constants are the tag numbers for the various packet types that we |
| 145 // use. | 173 // use. |
| 146 static const uint32 kSymmetricKeyEncryptedTag = 3; | 174 static const unsigned kSymmetricKeyEncryptedTag = 3; |
| 147 static const uint32 kSymmetricallyEncryptedTag = 18; | 175 static const unsigned kSymmetricallyEncryptedTag = 18; |
| 148 static const uint32 kCompressedTag = 8; | 176 static const unsigned kCompressedTag = 8; |
| 149 static const uint32 kLiteralDataTag = 11; | 177 static const unsigned kLiteralDataTag = 11; |
| 150 | 178 |
| 151 class Decrypter { | 179 class Decrypter { |
| 152 public: | 180 public: |
| 153 ~Decrypter() { | 181 ~Decrypter() { |
| 154 for (std::vector<void*>::iterator | 182 for (std::vector<void*>::iterator |
| 155 i = arena_.begin(); i != arena_.end(); i++) { | 183 i = arena_.begin(); i != arena_.end(); i++) { |
| 156 free(*i); | 184 free(*i); |
| 157 } | 185 } |
| 158 arena_.clear(); | 186 arena_.clear(); |
| 159 } | 187 } |
| 160 | 188 |
| 161 OpenPGPSymmetricEncrytion::Result Decrypt(base::StringPiece in, | 189 OpenPGPSymmetricEncrytion::Result Decrypt(base::StringPiece in, |
| 162 base::StringPiece passphrase, | 190 base::StringPiece passphrase, |
| 163 base::StringPiece *out_contents) { | 191 base::StringPiece *out_contents) { |
| 164 Reader reader(in); | 192 Reader reader(in); |
| 165 uint32 tag; | 193 unsigned tag; |
| 166 base::StringPiece contents; | 194 base::StringPiece contents; |
| 167 AES_KEY key; | 195 ScopedPK11Context decryption_context; |
| 168 | 196 |
| 169 if (!ParsePacket(&reader, &tag, &contents)) | 197 if (!ParsePacket(&reader, &tag, &contents)) |
| 170 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | 198 return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| 171 if (tag != kSymmetricKeyEncryptedTag) | 199 if (tag != kSymmetricKeyEncryptedTag) |
| 172 return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED; | 200 return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED; |
| 173 Reader inner(contents); | 201 Reader inner(contents); |
| 174 OpenPGPSymmetricEncrytion::Result result = | 202 OpenPGPSymmetricEncrytion::Result result = |
| 175 ParseSymmetricKeyEncrypted(&inner, passphrase, &key); | 203 ParseSymmetricKeyEncrypted(&inner, passphrase, &decryption_context); |
| 176 if (result != OpenPGPSymmetricEncrytion::OK) | 204 if (result != OpenPGPSymmetricEncrytion::OK) |
| 177 return result; | 205 return result; |
| 178 | 206 |
| 179 if (!ParsePacket(&reader, &tag, &contents)) | 207 if (!ParsePacket(&reader, &tag, &contents)) |
| 180 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | 208 return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| 181 if (tag != kSymmetricallyEncryptedTag) | 209 if (tag != kSymmetricallyEncryptedTag) |
| 182 return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED; | 210 return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED; |
| 183 if (!reader.empty()) | 211 if (!reader.empty()) |
| 184 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | 212 return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| 185 inner = Reader(contents); | 213 inner = Reader(contents); |
| 186 if (!ParseSymmetricallyEncrypted(&inner, &key, &contents)) | 214 if (!ParseSymmetricallyEncrypted(&inner, &decryption_context, &contents)) |
| 187 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | 215 return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| 188 | 216 |
| 189 reader = Reader(contents); | 217 reader = Reader(contents); |
| 190 if (!ParsePacket(&reader, &tag, &contents)) | 218 if (!ParsePacket(&reader, &tag, &contents)) |
| 191 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | 219 return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| 192 if (tag == kCompressedTag) | 220 if (tag == kCompressedTag) |
| 193 return OpenPGPSymmetricEncrytion::COMPRESSED; | 221 return OpenPGPSymmetricEncrytion::COMPRESSED; |
| 194 if (tag != kLiteralDataTag) | 222 if (tag != kLiteralDataTag) |
| 195 return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED; | 223 return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED; |
| 196 inner = Reader(contents); | 224 inner = Reader(contents); |
| 197 if (!ParseLiteralData(&inner, out_contents)) | 225 if (!ParseLiteralData(&inner, out_contents)) |
| 198 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | 226 return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| 199 | 227 |
| 200 return OpenPGPSymmetricEncrytion::OK; | 228 return OpenPGPSymmetricEncrytion::OK; |
| 201 } | 229 } |
| 202 | 230 |
| 203 private: | 231 private: |
| 204 // ParsePacket parses an OpenPGP packet from reader. See RFC 4880, section | 232 // ParsePacket parses an OpenPGP packet from reader. See RFC 4880, section |
| 205 // 4.2.2. | 233 // 4.2.2. |
| 206 bool ParsePacket(Reader *reader, | 234 bool ParsePacket(Reader *reader, |
| 207 uint32 *out_tag, | 235 unsigned *out_tag, |
| 208 base::StringPiece *out_contents) { | 236 base::StringPiece *out_contents) { |
| 209 uint8 header; | 237 uint8 header; |
| 210 if (!reader->U8(&header)) | 238 if (!reader->U8(&header)) |
| 211 return false; | 239 return false; |
| 212 if ((header & 0x80) == 0) { | 240 if ((header & 0x80) == 0) { |
| 213 // Tag byte must have MSB set. | 241 // Tag byte must have MSB set. |
| 214 return false; | 242 return false; |
| 215 } | 243 } |
| 216 | 244 |
| 217 if ((header & 0x40) == 0) { | 245 if ((header & 0x40) == 0) { |
| 218 // Old format packet. | 246 // Old format packet. |
| 219 *out_tag = (header & 0x3f) >> 2; | 247 *out_tag = (header & 0x3f) >> 2; |
| 220 | 248 |
| 221 uint8 length_type = header & 3; | 249 uint8 length_type = header & 3; |
| 222 if (length_type == 3) { | 250 if (length_type == 3) { |
| 223 *out_contents = reader->Remainder(); | 251 *out_contents = reader->Remainder(); |
| 224 return true; | 252 return true; |
| 225 } | 253 } |
| 226 | 254 |
| 227 const uint32 length_bytes = 1 << length_type; | 255 const unsigned length_bytes = 1 << length_type; |
| 228 uint32 length = 0; | 256 size_t length = 0; |
| 229 for (uint32 i = 0; i < length_bytes; i++) { | 257 for (unsigned i = 0; i < length_bytes; i++) { |
| 230 uint8 length_byte; | 258 uint8 length_byte; |
| 231 if (!reader->U8(&length_byte)) | 259 if (!reader->U8(&length_byte)) |
| 232 return false; | 260 return false; |
| 233 length <<= 8; | 261 length <<= 8; |
| 234 length |= length_byte; | 262 length |= length_byte; |
| 235 } | 263 } |
| 236 | 264 |
| 237 return reader->Prefix(length, out_contents); | 265 return reader->Prefix(length, out_contents); |
| 238 } | 266 } |
| 239 | 267 |
| 240 // New format packet. | 268 // New format packet. |
| 241 *out_tag = header & 0x3f; | 269 *out_tag = header & 0x3f; |
| 242 uint32 length; | 270 size_t length; |
| 243 bool is_partial; | 271 bool is_partial; |
| 244 if (!ParseLength(reader, &length, &is_partial)) | 272 if (!ParseLength(reader, &length, &is_partial)) |
| 245 return false; | 273 return false; |
| 246 if (is_partial) | 274 if (is_partial) |
| 247 return ParseStreamContents(reader, length, out_contents); | 275 return ParseStreamContents(reader, length, out_contents); |
| 248 return reader->Prefix(length, out_contents); | 276 return reader->Prefix(length, out_contents); |
| 249 } | 277 } |
| 250 | 278 |
| 251 // ParseStreamContents parses all the chunks of a partial length stream from | 279 // ParseStreamContents parses all the chunks of a partial length stream from |
| 252 // reader. See http://tools.ietf.org/html/rfc4880#section-4.2.2.4 | 280 // reader. See http://tools.ietf.org/html/rfc4880#section-4.2.2.4 |
| 253 bool ParseStreamContents(Reader *reader, | 281 bool ParseStreamContents(Reader *reader, |
| 254 uint32 length, | 282 size_t length, |
| 255 base::StringPiece *out_contents) { | 283 base::StringPiece *out_contents) { |
| 256 const Reader::Position beginning_of_stream = reader->tell(); | 284 const Reader::Position beginning_of_stream = reader->tell(); |
| 257 const uint32 first_chunk_length = length; | 285 const size_t first_chunk_length = length; |
| 258 | 286 |
| 259 // First we parse the stream to find its length. | 287 // First we parse the stream to find its length. |
| 260 if (!reader->Skip(length)) | 288 if (!reader->Skip(length)) |
| 261 return false; | 289 return false; |
| 262 | 290 |
| 263 for (;;) { | 291 for (;;) { |
| 264 uint32 chunk_length; | 292 size_t chunk_length; |
| 265 bool is_partial; | 293 bool is_partial; |
| 266 | 294 |
| 267 if (!ParseLength(reader, &chunk_length, &is_partial)) | 295 if (!ParseLength(reader, &chunk_length, &is_partial)) |
| 268 return false; | 296 return false; |
| 269 if (length + chunk_length < length) | 297 if (length + chunk_length < length) |
| 270 return false; | 298 return false; |
| 271 length += chunk_length; | 299 length += chunk_length; |
| 272 if (!reader->Skip(chunk_length)) | 300 if (!reader->Skip(chunk_length)) |
| 273 return false; | 301 return false; |
| 274 if (!is_partial) | 302 if (!is_partial) |
| 275 break; | 303 break; |
| 276 } | 304 } |
| 277 | 305 |
| 278 // Now we have the length of the whole stream in |length|. | 306 // Now we have the length of the whole stream in |length|. |
| 279 char* buf = reinterpret_cast<char*>(malloc(length)); | 307 char* buf = reinterpret_cast<char*>(malloc(length)); |
| 280 arena_.push_back(buf); | 308 arena_.push_back(buf); |
| 281 uint32 j = 0; | 309 size_t j = 0; |
| 282 reader->Seek(beginning_of_stream); | 310 reader->Seek(beginning_of_stream); |
| 283 | 311 |
| 284 base::StringPiece first_chunk; | 312 base::StringPiece first_chunk; |
| 285 if (!reader->Prefix(first_chunk_length, &first_chunk)) | 313 if (!reader->Prefix(first_chunk_length, &first_chunk)) |
| 286 return false; | 314 return false; |
| 287 memcpy(buf + j, first_chunk.data(), first_chunk_length); | 315 memcpy(buf + j, first_chunk.data(), first_chunk_length); |
| 288 j += first_chunk_length; | 316 j += first_chunk_length; |
| 289 | 317 |
| 290 // Now we parse the stream again, this time copying into |buf| | 318 // Now we parse the stream again, this time copying into |buf| |
| 291 for (;;) { | 319 for (;;) { |
| 292 uint32 chunk_length; | 320 size_t chunk_length; |
| 293 bool is_partial; | 321 bool is_partial; |
| 294 | 322 |
| 295 if (!ParseLength(reader, &chunk_length, &is_partial)) | 323 if (!ParseLength(reader, &chunk_length, &is_partial)) |
| 296 return false; | 324 return false; |
| 297 base::StringPiece chunk; | 325 base::StringPiece chunk; |
| 298 if (!reader->Prefix(chunk_length, &chunk)) | 326 if (!reader->Prefix(chunk_length, &chunk)) |
| 299 return false; | 327 return false; |
| 300 memcpy(buf + j, chunk.data(), chunk_length); | 328 memcpy(buf + j, chunk.data(), chunk_length); |
| 301 j += chunk_length; | 329 j += chunk_length; |
| 302 if (!is_partial) | 330 if (!is_partial) |
| 303 break; | 331 break; |
| 304 } | 332 } |
| 305 | 333 |
| 306 *out_contents = base::StringPiece(buf, length); | 334 *out_contents = base::StringPiece(buf, length); |
| 307 return true; | 335 return true; |
| 308 } | 336 } |
| 309 | 337 |
| 310 // ParseLength parses an OpenPGP length from reader. See RFC 4880, section | 338 // ParseLength parses an OpenPGP length from reader. See RFC 4880, section |
| 311 // 4.2.2. | 339 // 4.2.2. |
| 312 bool ParseLength(Reader *reader, uint32 *out_length, bool *out_is_prefix) { | 340 bool ParseLength(Reader *reader, size_t *out_length, bool *out_is_prefix) { |
| 313 uint8 length_spec; | 341 uint8 length_spec; |
| 314 if (!reader->U8(&length_spec)) | 342 if (!reader->U8(&length_spec)) |
| 315 return false; | 343 return false; |
| 316 | 344 |
| 317 *out_is_prefix = false; | 345 *out_is_prefix = false; |
| 318 if (length_spec < 192) { | 346 if (length_spec < 192) { |
| 319 *out_length = length_spec; | 347 *out_length = length_spec; |
| 320 return true; | 348 return true; |
| 321 } else if (length_spec < 224) { | 349 } else if (length_spec < 224) { |
| 322 uint8 next_byte; | 350 uint8 next_byte; |
| 323 if (!reader->U8(&next_byte)) | 351 if (!reader->U8(&next_byte)) |
| 324 return false; | 352 return false; |
| 325 | 353 |
| 326 *out_length = (length_spec - 192) << 8; | 354 *out_length = (length_spec - 192) << 8; |
| 327 *out_length += next_byte; | 355 *out_length += next_byte; |
| 328 return true; | 356 return true; |
| 329 } else if (length_spec < 255) { | 357 } else if (length_spec < 255) { |
| 330 *out_length = 1u << (length_spec & 0x1f); | 358 *out_length = 1u << (length_spec & 0x1f); |
| 331 *out_is_prefix = true; | 359 *out_is_prefix = true; |
| 332 return true; | 360 return true; |
| 333 } else { | 361 } else { |
| 334 return reader->U32(out_length); | 362 uint32 length32; |
| 363 if (!reader->U32(&length32)) |
| 364 return false; |
| 365 *out_length = length32; |
| 366 return true; |
| 335 } | 367 } |
| 336 } | 368 } |
| 337 | 369 |
| 338 // ParseSymmetricKeyEncrypted parses a passphrase protected session key. See | 370 // ParseSymmetricKeyEncrypted parses a passphrase protected session key. See |
| 339 // RFC 4880, section 5.3. | 371 // RFC 4880, section 5.3. |
| 340 OpenPGPSymmetricEncrytion::Result ParseSymmetricKeyEncrypted( | 372 OpenPGPSymmetricEncrytion::Result ParseSymmetricKeyEncrypted( |
| 341 Reader *reader, | 373 Reader *reader, |
| 342 base::StringPiece passphrase, | 374 base::StringPiece passphrase, |
| 343 AES_KEY *out_key) { | 375 ScopedPK11Context *decryption_context) { |
| 344 uint8 version, cipher, s2k_type, hash_func_id; | 376 uint8 version, cipher, s2k_type, hash_func_id; |
| 345 if (!reader->U8(&version) || version != 4) | 377 if (!reader->U8(&version) || version != 4) |
| 346 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | 378 return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| 347 | 379 |
| 348 if (!reader->U8(&cipher) || | 380 if (!reader->U8(&cipher) || |
| 349 !reader->U8(&s2k_type) || | 381 !reader->U8(&s2k_type) || |
| 350 !reader->U8(&hash_func_id)) { | 382 !reader->U8(&hash_func_id)) { |
| 351 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | 383 return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| 352 } | 384 } |
| 353 | 385 |
| 354 uint8 cipher_key_length = OpenPGPCipherIdToKeyLength(cipher); | 386 uint8 cipher_key_length = OpenPGPCipherIdToKeyLength(cipher); |
| 355 if (cipher_key_length == 0) | 387 if (cipher_key_length == 0) |
| 356 return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER; | 388 return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER; |
| 357 | 389 |
| 358 const EVP_MD *hash_function; | 390 HASH_HashType hash_function; |
| 359 switch (hash_func_id) { | 391 switch (hash_func_id) { |
| 360 case 2: // SHA-1 | 392 case 2: // SHA-1 |
| 361 hash_function = EVP_sha1(); | 393 hash_function = HASH_AlgSHA1; |
| 362 break; | 394 break; |
| 363 case 8: // SHA-256 | 395 case 8: // SHA-256 |
| 364 hash_function = EVP_sha256(); | 396 hash_function = HASH_AlgSHA256; |
| 365 break; | 397 break; |
| 366 default: | 398 default: |
| 367 return OpenPGPSymmetricEncrytion::UNKNOWN_HASH; | 399 return OpenPGPSymmetricEncrytion::UNKNOWN_HASH; |
| 368 } | 400 } |
| 369 | 401 |
| 402 // This chunk of code parses the S2K specifier. See RFC 4880, section 3.7.1. |
| 370 base::StringPiece salt; | 403 base::StringPiece salt; |
| 371 uint8 key[32]; | 404 uint8 key[32]; |
| 372 uint8 count_spec; | 405 uint8 count_spec; |
| 373 switch (s2k_type) { | 406 switch (s2k_type) { |
| 374 case 1: | 407 case 1: |
| 375 if (!reader->Prefix(8, &salt)) | 408 if (!reader->Prefix(8, &salt)) |
| 376 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | 409 return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| 410 // Fall through. |
| 377 case 0: | 411 case 0: |
| 378 SaltedIteratedS2K(cipher_key_length, hash_function, passphrase, salt, | 412 SaltedIteratedS2K(cipher_key_length, hash_function, passphrase, salt, |
| 379 passphrase.size() + salt.size(), key); | 413 passphrase.size() + salt.size(), key); |
| 380 break; | 414 break; |
| 381 case 3: | 415 case 3: |
| 382 if (!reader->Prefix(8, &salt) || | 416 if (!reader->Prefix(8, &salt) || |
| 383 !reader->U8(&count_spec)) { | 417 !reader->U8(&count_spec)) { |
| 384 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | 418 return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| 385 } | 419 } |
| 386 SaltedIteratedS2K( | 420 SaltedIteratedS2K( |
| 387 cipher_key_length, hash_function, passphrase, salt, | 421 cipher_key_length, hash_function, passphrase, salt, |
| 388 static_cast<uint32>( | 422 static_cast<unsigned>( |
| 389 16 + (count_spec&15)) << ((count_spec >> 4) + 6), key); | 423 16 + (count_spec&15)) << ((count_spec >> 4) + 6), key); |
| 390 break; | 424 break; |
| 391 default: | 425 default: |
| 392 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | 426 return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| 393 } | 427 } |
| 394 | 428 |
| 395 if (AES_set_encrypt_key(key, 8 * cipher_key_length, out_key)) | 429 if (!CreateAESContext(key, cipher_key_length, decryption_context)) |
| 396 return OpenPGPSymmetricEncrytion::INTERNAL_ERROR; | 430 return OpenPGPSymmetricEncrytion::INTERNAL_ERROR; |
| 397 | 431 |
| 398 if (reader->empty()) { | 432 if (reader->empty()) { |
| 399 // The resulting key is used directly. | 433 // The resulting key is used directly. |
| 400 return OpenPGPSymmetricEncrytion::OK; | 434 return OpenPGPSymmetricEncrytion::OK; |
| 401 } | 435 } |
| 402 | 436 |
| 403 // The S2K derived key encrypts another key that follows: | 437 // The S2K derived key encrypts another key that follows: |
| 404 base::StringPiece encrypted_key = reader->Remainder(); | 438 base::StringPiece encrypted_key = reader->Remainder(); |
| 405 if (encrypted_key.size() < 1) | 439 if (encrypted_key.size() < 1) |
| 406 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | 440 return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| 407 | 441 |
| 408 uint8* plaintext_key = reinterpret_cast<uint8*>( | 442 uint8* plaintext_key = reinterpret_cast<uint8*>( |
| 409 malloc(encrypted_key.size())); | 443 malloc(encrypted_key.size())); |
| 410 arena_.push_back(plaintext_key); | 444 arena_.push_back(plaintext_key); |
| 411 | 445 |
| 412 int num = 0; | 446 CFBDecrypt(encrypted_key, decryption_context, plaintext_key); |
| 413 uint8 iv[16] = {0}; | |
| 414 | |
| 415 AES_cfb128_encrypt(reinterpret_cast<const uint8*>(encrypted_key.data()), | |
| 416 plaintext_key, | |
| 417 encrypted_key.size(), | |
| 418 out_key, | |
| 419 iv, | |
| 420 &num, | |
| 421 AES_DECRYPT); | |
| 422 | 447 |
| 423 cipher_key_length = OpenPGPCipherIdToKeyLength(plaintext_key[0]); | 448 cipher_key_length = OpenPGPCipherIdToKeyLength(plaintext_key[0]); |
| 424 if (cipher_key_length == 0) | 449 if (cipher_key_length == 0) |
| 425 return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER; | 450 return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER; |
| 426 if (encrypted_key.size() != 1u + cipher_key_length) | 451 if (encrypted_key.size() != 1u + cipher_key_length) |
| 427 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | 452 return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| 428 if (AES_set_encrypt_key(plaintext_key + 1, 8 * cipher_key_length, | 453 if (!CreateAESContext(plaintext_key + 1, cipher_key_length, |
| 429 out_key)) { | 454 decryption_context)) { |
| 430 return OpenPGPSymmetricEncrytion::INTERNAL_ERROR; | 455 return OpenPGPSymmetricEncrytion::INTERNAL_ERROR; |
| 431 } | 456 } |
| 432 return OpenPGPSymmetricEncrytion::OK; | 457 return OpenPGPSymmetricEncrytion::OK; |
| 433 } | 458 } |
| 434 | 459 |
| 435 uint32 OpenPGPCipherIdToKeyLength(uint8 cipher) { | 460 // CFBDecrypt decrypts the cipher-feedback encrypted data in |in| to |out| |
| 461 // using |decryption_context| and assumes an IV of all zeros. |
| 462 void CFBDecrypt(base::StringPiece in, ScopedPK11Context* decryption_context, |
| 463 uint8* out) { |
| 464 // We need this for PK11_CipherOp to write to, but we never check it as we |
| 465 // work in ECB mode, one block at a time. |
| 466 int out_len; |
| 467 |
| 468 uint8 mask[AES_BLOCK_SIZE]; |
| 469 memset(mask, 0, sizeof(mask)); |
| 470 |
| 471 unsigned used = AES_BLOCK_SIZE; |
| 472 |
| 473 for (size_t i = 0; i < in.size(); i++) { |
| 474 if (used == AES_BLOCK_SIZE) { |
| 475 PK11_CipherOp(decryption_context->get(), mask, &out_len, sizeof(mask), |
| 476 mask, AES_BLOCK_SIZE); |
| 477 used = 0; |
| 478 } |
| 479 |
| 480 uint8 t = in[i]; |
| 481 out[i] = t ^ mask[used]; |
| 482 mask[used] = t; |
| 483 used++; |
| 484 } |
| 485 } |
| 486 |
| 487 // OpenPGPCipherIdToKeyLength converts an OpenPGP cipher id (see RFC 4880, |
| 488 // section 9.2) to the key length of that cipher. It returns 0 on error. |
| 489 unsigned OpenPGPCipherIdToKeyLength(uint8 cipher) { |
| 436 switch (cipher) { | 490 switch (cipher) { |
| 437 case 7: // AES-128 | 491 case 7: // AES-128 |
| 438 return 16; | 492 return 16; |
| 439 case 8: // AES-192 | 493 case 8: // AES-192 |
| 440 return 24; | 494 return 24; |
| 441 case 9: // AES-256 | 495 case 9: // AES-256 |
| 442 return 32; | 496 return 32; |
| 443 default: | 497 default: |
| 444 return 0; | 498 return 0; |
| 445 } | 499 } |
| 446 } | 500 } |
| 447 | 501 |
| 448 // ParseSymmetricallyEncrypted parses a Symmetrically Encrypted packet. See | 502 // ParseSymmetricallyEncrypted parses a Symmetrically Encrypted packet. See |
| 449 // RFC 4880, sections 5.7 and 5.13. | 503 // RFC 4880, sections 5.7 and 5.13. |
| 450 bool ParseSymmetricallyEncrypted(Reader *reader, | 504 bool ParseSymmetricallyEncrypted(Reader *reader, |
| 451 AES_KEY *key, | 505 ScopedPK11Context *decryption_context, |
| 452 base::StringPiece *out_plaintext) { | 506 base::StringPiece *out_plaintext) { |
| 507 // We need this for PK11_CipherOp to write to, but we never check it as we |
| 508 // work in ECB mode, one block at a time. |
| 509 int out_len; |
| 510 |
| 453 uint8 version; | 511 uint8 version; |
| 454 if (!reader->U8(&version) || version != 1) | 512 if (!reader->U8(&version) || version != 1) |
| 455 return false; | 513 return false; |
| 456 | 514 |
| 457 base::StringPiece prefix_sp; | 515 base::StringPiece prefix_sp; |
| 458 if (!reader->Prefix(AES_BLOCK_SIZE + 2, &prefix_sp)) | 516 if (!reader->Prefix(AES_BLOCK_SIZE + 2, &prefix_sp)) |
| 459 return false; | 517 return false; |
| 460 uint8 prefix[AES_BLOCK_SIZE + 2]; | 518 uint8 prefix[AES_BLOCK_SIZE + 2]; |
| 461 memcpy(prefix, prefix_sp.data(), sizeof(prefix)); | 519 memcpy(prefix, prefix_sp.data(), sizeof(prefix)); |
| 462 | 520 |
| 463 uint8 prefix_copy[AES_BLOCK_SIZE + 2]; | 521 uint8 prefix_copy[AES_BLOCK_SIZE + 2]; |
| 464 uint8 fre[AES_BLOCK_SIZE]; | 522 uint8 fre[AES_BLOCK_SIZE]; |
| 465 | 523 |
| 466 memset(prefix_copy, 0, AES_BLOCK_SIZE); | 524 memset(prefix_copy, 0, AES_BLOCK_SIZE); |
| 467 AES_ecb_encrypt(prefix_copy, fre, key, AES_ENCRYPT); | 525 PK11_CipherOp(decryption_context->get(), fre, &out_len, sizeof(fre), |
| 468 for (uint32 i = 0; i < AES_BLOCK_SIZE; i++) | 526 prefix_copy, AES_BLOCK_SIZE); |
| 527 for (unsigned i = 0; i < AES_BLOCK_SIZE; i++) |
| 469 prefix_copy[i] = fre[i] ^ prefix[i]; | 528 prefix_copy[i] = fre[i] ^ prefix[i]; |
| 470 AES_ecb_encrypt(prefix, fre, key, AES_ENCRYPT); | 529 PK11_CipherOp(decryption_context->get(), fre, &out_len, sizeof(fre), prefix, |
| 530 AES_BLOCK_SIZE); |
| 471 prefix_copy[AES_BLOCK_SIZE] = prefix[AES_BLOCK_SIZE] ^ fre[0]; | 531 prefix_copy[AES_BLOCK_SIZE] = prefix[AES_BLOCK_SIZE] ^ fre[0]; |
| 472 prefix_copy[AES_BLOCK_SIZE + 1] = prefix[AES_BLOCK_SIZE + 1] ^ fre[1]; | 532 prefix_copy[AES_BLOCK_SIZE + 1] = prefix[AES_BLOCK_SIZE + 1] ^ fre[1]; |
| 473 | 533 |
| 474 if (prefix_copy[AES_BLOCK_SIZE - 2] != prefix_copy[AES_BLOCK_SIZE] || | 534 if (prefix_copy[AES_BLOCK_SIZE - 2] != prefix_copy[AES_BLOCK_SIZE] || |
| 475 prefix_copy[AES_BLOCK_SIZE - 1] != prefix_copy[AES_BLOCK_SIZE + 1]) { | 535 prefix_copy[AES_BLOCK_SIZE - 1] != prefix_copy[AES_BLOCK_SIZE + 1]) { |
| 476 return false; | 536 return false; |
| 477 } | 537 } |
| 478 | 538 |
| 479 fre[0] = prefix[AES_BLOCK_SIZE]; | 539 fre[0] = prefix[AES_BLOCK_SIZE]; |
| 480 fre[1] = prefix[AES_BLOCK_SIZE + 1]; | 540 fre[1] = prefix[AES_BLOCK_SIZE + 1]; |
| 481 | 541 |
| 482 uint32 out_used = 2; | 542 unsigned out_used = 2; |
| 483 | 543 |
| 484 const uint32 plaintext_size = reader->size(); | 544 const size_t plaintext_size = reader->size(); |
| 485 if (plaintext_size < SHA_DIGEST_LENGTH + 2) { | 545 if (plaintext_size < SHA1_LENGTH + 2) { |
| 486 // Too small to contain an MDC trailer. | 546 // Too small to contain an MDC trailer. |
| 487 return false; | 547 return false; |
| 488 } | 548 } |
| 489 | 549 |
| 490 uint8* plaintext = reinterpret_cast<uint8*>(malloc(plaintext_size)); | 550 uint8* plaintext = reinterpret_cast<uint8*>(malloc(plaintext_size)); |
| 491 arena_.push_back(plaintext); | 551 arena_.push_back(plaintext); |
| 492 | 552 |
| 493 for (uint32 i = 0; i < plaintext_size; i++) { | 553 for (size_t i = 0; i < plaintext_size; i++) { |
| 494 uint8 b; | 554 uint8 b; |
| 495 if (!reader->U8(&b)) | 555 if (!reader->U8(&b)) |
| 496 return false; | 556 return false; |
| 497 if (out_used == AES_BLOCK_SIZE) { | 557 if (out_used == AES_BLOCK_SIZE) { |
| 498 AES_ecb_encrypt(fre, fre, key, AES_ENCRYPT); | 558 PK11_CipherOp(decryption_context->get(), fre, &out_len, sizeof(fre), |
| 559 fre, AES_BLOCK_SIZE); |
| 499 out_used = 0; | 560 out_used = 0; |
| 500 } | 561 } |
| 501 | 562 |
| 502 plaintext[i] = b ^ fre[out_used]; | 563 plaintext[i] = b ^ fre[out_used]; |
| 503 fre[out_used++] = b; | 564 fre[out_used++] = b; |
| 504 } | 565 } |
| 505 | 566 |
| 506 // The plaintext should be followed by a Modification Detection Code | 567 // The plaintext should be followed by a Modification Detection Code |
| 507 // packet. This packet is specified such that the header is always | 568 // packet. This packet is specified such that the header is always |
| 508 // serialized as exactly these two bytes: | 569 // serialized as exactly these two bytes: |
| 509 if (plaintext[plaintext_size - SHA_DIGEST_LENGTH - 2] != 0xd3 || | 570 if (plaintext[plaintext_size - SHA1_LENGTH - 2] != 0xd3 || |
| 510 plaintext[plaintext_size - SHA_DIGEST_LENGTH - 1] != 0x14) { | 571 plaintext[plaintext_size - SHA1_LENGTH - 1] != 0x14) { |
| 511 return false; | 572 return false; |
| 512 } | 573 } |
| 513 | 574 |
| 514 SHA_CTX sha1; | 575 HASHContext* hash_context = HASH_Create(HASH_AlgSHA1); |
| 515 SHA1_Init(&sha1); | 576 HASH_Begin(hash_context); |
| 516 SHA1_Update(&sha1, prefix_copy, sizeof(prefix_copy)); | 577 HASH_Update(hash_context, prefix_copy, sizeof(prefix_copy)); |
| 517 SHA1_Update(&sha1, plaintext, plaintext_size - SHA_DIGEST_LENGTH); | 578 HASH_Update(hash_context, plaintext, plaintext_size - SHA1_LENGTH); |
| 518 uint8 digest[SHA_DIGEST_LENGTH]; | 579 uint8 digest[SHA1_LENGTH]; |
| 519 SHA1_Final(digest, &sha1); | 580 unsigned num_hash_bytes; |
| 581 HASH_End(hash_context, digest, &num_hash_bytes, sizeof(digest)); |
| 582 HASH_Destroy(hash_context); |
| 520 | 583 |
| 521 if (memcmp(digest, &plaintext[plaintext_size - SHA_DIGEST_LENGTH], | 584 if (memcmp(digest, &plaintext[plaintext_size - SHA1_LENGTH], |
| 522 SHA_DIGEST_LENGTH) != 0) { | 585 SHA1_LENGTH) != 0) { |
| 523 return false; | 586 return false; |
| 524 } | 587 } |
| 525 | 588 |
| 526 *out_plaintext = base::StringPiece(reinterpret_cast<char*>(plaintext), | 589 *out_plaintext = base::StringPiece(reinterpret_cast<char*>(plaintext), |
| 527 plaintext_size - SHA_DIGEST_LENGTH); | 590 plaintext_size - SHA1_LENGTH); |
| 528 return true; | 591 return true; |
| 529 } | 592 } |
| 530 | 593 |
| 531 // ParseLiteralData parses a Literal Data packet. See RFC 4880, section 5.9. | 594 // ParseLiteralData parses a Literal Data packet. See RFC 4880, section 5.9. |
| 532 bool ParseLiteralData(Reader *reader, base::StringPiece *out_data) { | 595 bool ParseLiteralData(Reader *reader, base::StringPiece *out_data) { |
| 533 uint8 is_binary, filename_len; | 596 uint8 is_binary, filename_len; |
| 534 if (!reader->U8(&is_binary) || | 597 if (!reader->U8(&is_binary) || |
| 535 !reader->U8(&filename_len) || | 598 !reader->U8(&filename_len) || |
| 536 !reader->Skip(filename_len) || | 599 !reader->Skip(filename_len) || |
| 537 !reader->Skip(sizeof(uint32) /* mtime */)) { | 600 !reader->Skip(sizeof(uint32) /* mtime */)) { |
| (...skipping 19 matching lines...) Expand all Loading... |
| 557 base::StringPiece passphrase) { | 620 base::StringPiece passphrase) { |
| 558 ByteString key; | 621 ByteString key; |
| 559 ByteString ske = SerializeSymmetricKeyEncrypted(passphrase, &key); | 622 ByteString ske = SerializeSymmetricKeyEncrypted(passphrase, &key); |
| 560 | 623 |
| 561 ByteString literal_data = SerializeLiteralData(plaintext); | 624 ByteString literal_data = SerializeLiteralData(plaintext); |
| 562 ByteString se = SerializeSymmetricallyEncrypted(literal_data, key); | 625 ByteString se = SerializeSymmetricallyEncrypted(literal_data, key); |
| 563 return ske + se; | 626 return ske + se; |
| 564 } | 627 } |
| 565 | 628 |
| 566 private: | 629 private: |
| 567 static ByteString MakePacket(uint32 tag, const ByteString& contents) { | 630 // MakePacket returns an OpenPGP packet tagged as type |tag|. It always uses |
| 631 // new-format headers. See RFC 4880, section 4.2. |
| 632 static ByteString MakePacket(unsigned tag, const ByteString& contents) { |
| 568 ByteString header; | 633 ByteString header; |
| 569 header.push_back(0x80 | 0x40 | tag); | 634 header.push_back(0x80 | 0x40 | tag); |
| 570 | 635 |
| 571 if (contents.size() < 192) { | 636 if (contents.size() < 192) { |
| 572 header.push_back(contents.size()); | 637 header.push_back(contents.size()); |
| 573 } else if (contents.size() < 8384) { | 638 } else if (contents.size() < 8384) { |
| 574 size_t length = contents.size(); | 639 size_t length = contents.size(); |
| 575 length -= 192; | 640 length -= 192; |
| 576 header.push_back(192 + (length >> 8)); | 641 header.push_back(192 + (length >> 8)); |
| 577 header.push_back(length & 0xff); | 642 header.push_back(length & 0xff); |
| 578 } else { | 643 } else { |
| 579 size_t length = contents.size(); | 644 size_t length = contents.size(); |
| 580 header.push_back(255); | 645 header.push_back(255); |
| 581 header.push_back(length >> 24); | 646 header.push_back(length >> 24); |
| 582 header.push_back(length >> 16); | 647 header.push_back(length >> 16); |
| 583 header.push_back(length >> 8); | 648 header.push_back(length >> 8); |
| 584 header.push_back(length); | 649 header.push_back(length); |
| 585 } | 650 } |
| 586 | 651 |
| 587 return header + contents; | 652 return header + contents; |
| 588 } | 653 } |
| 589 | 654 |
| 655 // SerializeLiteralData returns a Literal Data packet containing |contents| |
| 656 // as binary data with no filename nor mtime specified. See RFC 4880, section |
| 657 // 5.9. |
| 590 static ByteString SerializeLiteralData(base::StringPiece contents) { | 658 static ByteString SerializeLiteralData(base::StringPiece contents) { |
| 591 ByteString literal_data; | 659 ByteString literal_data; |
| 592 literal_data.push_back(0x74); // text mode | 660 literal_data.push_back(0x74); // text mode |
| 593 literal_data.push_back(0x00); // no filename | 661 literal_data.push_back(0x00); // no filename |
| 594 literal_data.push_back(0x00); // zero mtime | 662 literal_data.push_back(0x00); // zero mtime |
| 595 literal_data.push_back(0x00); | 663 literal_data.push_back(0x00); |
| 596 literal_data.push_back(0x00); | 664 literal_data.push_back(0x00); |
| 597 literal_data.push_back(0x00); | 665 literal_data.push_back(0x00); |
| 598 literal_data += ByteString(reinterpret_cast<const uint8*>(contents.data()), | 666 literal_data += ByteString(reinterpret_cast<const uint8*>(contents.data()), |
| 599 contents.size()); | 667 contents.size()); |
| 600 return MakePacket(kLiteralDataTag, literal_data); | 668 return MakePacket(kLiteralDataTag, literal_data); |
| 601 } | 669 } |
| 602 | 670 |
| 671 // SerializeSymmetricKeyEncrypted generates a random AES-128 key from |
| 672 // |passphrase|, sets |out_key| to it and returns a Symmetric Key Encrypted |
| 673 // packet. See RFC 4880, section 5.3. |
| 603 static ByteString SerializeSymmetricKeyEncrypted(base::StringPiece passphrase, | 674 static ByteString SerializeSymmetricKeyEncrypted(base::StringPiece passphrase, |
| 604 ByteString *out_key) { | 675 ByteString *out_key) { |
| 605 ByteString ske; | 676 ByteString ske; |
| 606 ske.push_back(4); // version 4 | 677 ske.push_back(4); // version 4 |
| 607 ske.push_back(7); // AES-128 | 678 ske.push_back(7); // AES-128 |
| 608 ske.push_back(3); // iterated and salted S2K | 679 ske.push_back(3); // iterated and salted S2K |
| 609 ske.push_back(2); // SHA-1 | 680 ske.push_back(2); // SHA-1 |
| 610 | 681 |
| 611 uint64 salt64 = base::RandUint64(); | 682 uint64 salt64 = base::RandUint64(); |
| 612 ByteString salt(sizeof(salt64), 0); | 683 ByteString salt(sizeof(salt64), 0); |
| 613 | 684 |
| 614 // It's a random value, so endianness doesn't matter. | 685 // It's a random value, so endianness doesn't matter. |
| 615 ske += ByteString(reinterpret_cast<uint8*>(&salt64), sizeof(salt64)); | 686 ske += ByteString(reinterpret_cast<uint8*>(&salt64), sizeof(salt64)); |
| 616 ske.push_back(96); // iteration count of 65536 | 687 ske.push_back(96); // iteration count of 65536 |
| 617 | 688 |
| 618 uint8 key[16]; | 689 uint8 key[16]; |
| 619 SaltedIteratedS2K( | 690 SaltedIteratedS2K( |
| 620 sizeof(key), EVP_sha1(), passphrase, | 691 sizeof(key), HASH_AlgSHA1, passphrase, |
| 621 base::StringPiece(reinterpret_cast<char*>(&salt64), sizeof(salt64)), | 692 base::StringPiece(reinterpret_cast<char*>(&salt64), sizeof(salt64)), |
| 622 65536, key); | 693 65536, key); |
| 623 *out_key = ByteString(key, sizeof(key)); | 694 *out_key = ByteString(key, sizeof(key)); |
| 624 return MakePacket(kSymmetricKeyEncryptedTag, ske); | 695 return MakePacket(kSymmetricKeyEncryptedTag, ske); |
| 625 } | 696 } |
| 626 | 697 |
| 698 // SerializeSymmetricallyEncrypted encrypts |plaintext| with |key| and |
| 699 // returns a Symmetrically Encrypted packet containing the ciphertext. See |
| 700 // RFC 4880, section 5.7. |
| 627 static ByteString SerializeSymmetricallyEncrypted(ByteString plaintext, | 701 static ByteString SerializeSymmetricallyEncrypted(ByteString plaintext, |
| 628 const ByteString& key) { | 702 const ByteString& key) { |
| 703 // We need this for PK11_CipherOp to write to, but we never check it as we |
| 704 // work in ECB mode, one block at a time. |
| 705 int out_len; |
| 706 |
| 629 ByteString packet; | 707 ByteString packet; |
| 630 packet.push_back(1); // version 1 | 708 packet.push_back(1); // version 1 |
| 631 static const uint32 kBlockSize = 16; // AES block size | 709 static const unsigned kBlockSize = 16; // AES block size |
| 632 | 710 |
| 633 uint8 prefix[kBlockSize + 2], fre[kBlockSize], iv[kBlockSize]; | 711 uint8 prefix[kBlockSize + 2], fre[kBlockSize], iv[kBlockSize]; |
| 634 base::RandBytes(iv, kBlockSize); | 712 base::RandBytes(iv, kBlockSize); |
| 635 memset(fre, 0, sizeof(fre)); | 713 memset(fre, 0, sizeof(fre)); |
| 636 | 714 |
| 637 AES_KEY aes_key; | 715 ScopedPK11Context aes_context; |
| 638 AES_set_encrypt_key(key.data(), 8 * key.size(), &aes_key); | 716 CHECK(CreateAESContext(key.data(), key.size(), &aes_context)); |
| 639 | 717 |
| 640 AES_ecb_encrypt(fre, fre, &aes_key, AES_ENCRYPT); | 718 PK11_CipherOp(aes_context.get(), fre, &out_len, sizeof(fre), fre, |
| 641 for (uint32 i = 0; i < 16; i++) | 719 AES_BLOCK_SIZE); |
| 720 for (unsigned i = 0; i < 16; i++) |
| 642 prefix[i] = iv[i] ^ fre[i]; | 721 prefix[i] = iv[i] ^ fre[i]; |
| 643 AES_ecb_encrypt(prefix, fre, &aes_key, AES_ENCRYPT); | 722 PK11_CipherOp(aes_context.get(), fre, &out_len, sizeof(fre), prefix, |
| 723 AES_BLOCK_SIZE); |
| 644 prefix[kBlockSize] = iv[kBlockSize - 2] ^ fre[0]; | 724 prefix[kBlockSize] = iv[kBlockSize - 2] ^ fre[0]; |
| 645 prefix[kBlockSize + 1] = iv[kBlockSize - 1] ^ fre[1]; | 725 prefix[kBlockSize + 1] = iv[kBlockSize - 1] ^ fre[1]; |
| 646 | 726 |
| 647 packet += ByteString(prefix, sizeof(prefix)); | 727 packet += ByteString(prefix, sizeof(prefix)); |
| 648 | 728 |
| 649 ByteString plaintext_copy = plaintext; | 729 ByteString plaintext_copy = plaintext; |
| 650 plaintext_copy.push_back(0xd3); // MDC packet | 730 plaintext_copy.push_back(0xd3); // MDC packet |
| 651 plaintext_copy.push_back(20); // packet length (20 bytes) | 731 plaintext_copy.push_back(20); // packet length (20 bytes) |
| 652 | 732 |
| 653 SHA_CTX sha1; | 733 HASHContext* hash_context = HASH_Create(HASH_AlgSHA1); |
| 654 SHA1_Init(&sha1); | 734 HASH_Begin(hash_context); |
| 655 SHA1_Update(&sha1, iv, sizeof(iv)); | 735 HASH_Update(hash_context, iv, sizeof(iv)); |
| 656 SHA1_Update(&sha1, iv + kBlockSize - 2, 2); | 736 HASH_Update(hash_context, iv + kBlockSize - 2, 2); |
| 657 SHA1_Update(&sha1, plaintext_copy.data(), plaintext_copy.size()); | 737 HASH_Update(hash_context, plaintext_copy.data(), plaintext_copy.size()); |
| 658 uint8 digest[SHA_DIGEST_LENGTH]; | 738 uint8 digest[SHA1_LENGTH]; |
| 659 SHA1_Final(digest, &sha1); | 739 unsigned num_hash_bytes; |
| 740 HASH_End(hash_context, digest, &num_hash_bytes, sizeof(digest)); |
| 741 HASH_Destroy(hash_context); |
| 660 | 742 |
| 661 plaintext_copy += ByteString(digest, sizeof(digest)); | 743 plaintext_copy += ByteString(digest, sizeof(digest)); |
| 662 | 744 |
| 663 fre[0] = prefix[kBlockSize]; | 745 fre[0] = prefix[kBlockSize]; |
| 664 fre[1] = prefix[kBlockSize+1]; | 746 fre[1] = prefix[kBlockSize+1]; |
| 665 uint32 out_used = 2; | 747 unsigned out_used = 2; |
| 666 | 748 |
| 667 for (size_t i = 0; i < plaintext_copy.size(); i++) { | 749 for (size_t i = 0; i < plaintext_copy.size(); i++) { |
| 668 if (out_used == kBlockSize) { | 750 if (out_used == kBlockSize) { |
| 669 AES_ecb_encrypt(fre, fre, &aes_key, AES_ENCRYPT); | 751 PK11_CipherOp(aes_context.get(), fre, &out_len, sizeof(fre), fre, |
| 752 AES_BLOCK_SIZE); |
| 670 out_used = 0; | 753 out_used = 0; |
| 671 } | 754 } |
| 672 | 755 |
| 673 uint8 c = plaintext_copy[i] ^ fre[out_used]; | 756 uint8 c = plaintext_copy[i] ^ fre[out_used]; |
| 674 fre[out_used++] = c; | 757 fre[out_used++] = c; |
| 675 packet.push_back(c); | 758 packet.push_back(c); |
| 676 } | 759 } |
| 677 | 760 |
| 678 return MakePacket(kSymmetricallyEncryptedTag, packet); | 761 return MakePacket(kSymmetricallyEncryptedTag, packet); |
| 679 } | 762 } |
| (...skipping 18 matching lines...) Expand all Loading... |
| 698 // static | 781 // static |
| 699 std::string OpenPGPSymmetricEncrytion::Encrypt( | 782 std::string OpenPGPSymmetricEncrytion::Encrypt( |
| 700 base::StringPiece plaintext, | 783 base::StringPiece plaintext, |
| 701 base::StringPiece passphrase) { | 784 base::StringPiece passphrase) { |
| 702 Encrypter::ByteString b = | 785 Encrypter::ByteString b = |
| 703 Encrypter::Encrypt(plaintext, passphrase); | 786 Encrypter::Encrypt(plaintext, passphrase); |
| 704 return std::string(reinterpret_cast<const char*>(b.data()), b.size()); | 787 return std::string(reinterpret_cast<const char*>(b.data()), b.size()); |
| 705 } | 788 } |
| 706 | 789 |
| 707 } // namespace crypto | 790 } // namespace crypto |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 7273080:
crypto: convert OpenPGP code to NSS (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src