Chromium Code Reviews Chromium Code Reviews
Issue 7273080:
crypto: convert OpenPGP code to NSS (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: crypto/openpgp_symmetric_encryption_nss.cc |
| diff --git a/crypto/openpgp_symmetric_encryption_openssl.cc b/crypto/openpgp_symmetric_encryption_nss.cc |
| similarity index 69% |
| rename from crypto/openpgp_symmetric_encryption_openssl.cc |
| rename to crypto/openpgp_symmetric_encryption_nss.cc |
| index bebf095deda65473deff30dc8102a1419a7bfc36..6533e5095733a4eb232ffab2cb4433a62e96d5be 100644 |
| --- a/crypto/openpgp_symmetric_encryption_openssl.cc |
| +++ b/crypto/openpgp_symmetric_encryption_nss.cc |
| @@ -7,12 +7,12 @@ |
| #include <vector> |
|
wtc
2011/07/01 18:33:32
<vector> is a C++ system header, so it should be l
agl
2011/07/01 20:04:59
Done.
|
| #include <stdlib.h> |
| -#include <openssl/evp.h> |
| -#include <openssl/aes.h> |
| -#include <openssl/sha.h> |
| +#include <sechash.h> |
| +#include <cryptohi.h> |
| -#include "base/rand_util.h" |
| #include "base/logging.h" |
| +#include "base/rand_util.h" |
| +#include "crypto/scoped_nss_types.h" |
| namespace crypto { |
| @@ -47,7 +47,7 @@ class Reader { |
| // Prefix sets |*out| to the first |n| bytes of the StringPiece and advances |
| // the StringPiece by |n|. |
| - bool Prefix(uint32 n, base::StringPiece *out) { |
| + bool Prefix(size_t n, base::StringPiece *out) { |
| if (data_.size() < n) |
| return false; |
| *out = base::StringPiece(data_.data(), n); |
| @@ -73,7 +73,7 @@ class Reader { |
| data_ = p; |
| } |
| - bool Skip(uint32 n) { |
| + bool Skip(size_t n) { |
| if (data_.size() < n) |
| return false; |
| data_.remove_prefix(n); |
| @@ -94,59 +94,85 @@ class Reader { |
| // SaltedIteratedS2K implements the salted and iterated string-to-key |
| // convertion. See RFC 4880, section 3.7.1.3. |
| -void SaltedIteratedS2K(uint32 cipher_key_length, |
| - const EVP_MD *hash_function, |
| +void SaltedIteratedS2K(unsigned cipher_key_length, |
| + HASH_HashType hash_function, |
| base::StringPiece passphrase, |
| base::StringPiece salt, |
| - uint32 count, |
| + unsigned count, |
| uint8 *out_key) { |
| const std::string combined = salt.as_string() + passphrase.as_string(); |
| const size_t combined_len = combined.size(); |
| - uint32 done = 0; |
| + unsigned done = 0; |
| uint8 zero[1] = {0}; |
| - EVP_MD_CTX ctx; |
| - EVP_MD_CTX_init(&context); |
| + const struct SECHashObjectStr* hash = HASH_GetHashObject(hash_function); |
|
wtc
2011/07/01 18:33:32
struct SECHashObjectStr => SECHashObject
Please s
agl
2011/07/01 20:04:59
Done.
|
| + void* hash_context = hash->create(); |
| - for (uint32 i = 0; done < cipher_key_length; i++) { |
| - CHECK_EQ(EVP_DigestInit_ex(&ctx, hash_function, NULL), 1); |
| + for (unsigned i = 0; done < cipher_key_length; i++) { |
| + hash->begin(hash_context); |
| - for (uint32 j = 0; j < i; j++) |
| - EVP_DigestUpdate(&ctx, zero, sizeof(zero)); |
| + for (unsigned j = 0; j < i; j++) |
| + hash->update(hash_context, zero, sizeof(zero)); |
| - uint32 written = 0; |
| + unsigned written = 0; |
| while (written < count) { |
| if (written + combined_len > count) { |
| - uint32 todo = count - written; |
| - EVP_DigestUpdate(&ctx, combined.data(), todo); |
| + unsigned todo = count - written; |
| + hash->update(hash_context, |
| + reinterpret_cast<const uint8*>(combined.data()), |
| + todo); |
| written = count; |
| } else { |
| - EVP_DigestUpdate(&ctx, combined.data(), combined_len); |
| + hash->update(hash_context, |
| + reinterpret_cast<const uint8*>(combined.data()), |
| + combined_len); |
| written += combined_len; |
| } |
| } |
| - uint32 num_hash_bytes; |
| - uint8 hash[EVP_MAX_MD_SIZE]; |
| - CHECK_EQ(EVP_DigestFinal_ex(&ctx, hash, &num_hash_bytes), 1); |
| + unsigned num_hash_bytes; |
| + uint8 digest[HASH_LENGTH_MAX]; |
| + hash->end(hash_context, digest, &num_hash_bytes, sizeof(digest)); |
| - uint32 todo = cipher_key_length - done; |
| + unsigned todo = cipher_key_length - done; |
| if (todo > num_hash_bytes) |
| todo = num_hash_bytes; |
| - memcpy(out_key + done, hash, todo); |
| + memcpy(out_key + done, digest, todo); |
| done += todo; |
| } |
| - EVP_MD_CTX_cleanup(&context); |
| + hash->destroy(hash_context, PR_TRUE); |
| } |
| +// SetKey sets up |out_key| to be an AES context, with the given key, in ECB |
| +// mode and with no IV. |
| +bool SetKey(const uint8* key, unsigned key_len, ScopedPK11Context* out_key) { |
|
wtc
2011/07/01 18:33:32
This function should be named CreateAESContext.
agl
2011/07/01 20:04:59
Done.
|
| + ScopedPK11Slot slot(PK11_GetBestSlot(CKM_AES_ECB, NULL)); |
| + if (!slot.get()) |
| + return false; |
| + SECItem key_item; |
| + key_item.type = siBuffer; |
| + key_item.data = const_cast<uint8*>(key); |
| + key_item.len = key_len; |
| + ScopedPK11SymKey pk11_key(PK11_ImportSymKey( |
| + slot.get(), CKM_AES_ECB, PK11_OriginUnwrap, CKA_ENCRYPT, &key_item, |
| + NULL)); |
| + if (!pk11_key.get()) |
| + return false; |
| + ScopedSECItem iv_param(PK11_ParamFromIV(CKM_AES_ECB, NULL)); |
| + out_key->reset(PK11_CreateContextBySymKey(CKM_AES_ECB, CKA_ENCRYPT, |
| + pk11_key.get(), iv_param.get())); |
| + return out_key->get() != NULL; |
| +} |
| + |
| + |
| // These constants are the tag numbers for the various packet types that we |
| // use. |
| -static const uint32 kSymmetricKeyEncryptedTag = 3; |
| -static const uint32 kSymmetricallyEncryptedTag = 18; |
| -static const uint32 kCompressedTag = 8; |
| -static const uint32 kLiteralDataTag = 11; |
| +static const unsigned kSymmetricKeyEncryptedTag = 3; |
| +static const unsigned kSymmetricallyEncryptedTag = 18; |
| +static const unsigned kCompressedTag = 8; |
| +static const unsigned kLiteralDataTag = 11; |
| class Decrypter { |
| public: |
| @@ -162,9 +188,9 @@ class Decrypter { |
| base::StringPiece passphrase, |
| base::StringPiece *out_contents) { |
| Reader reader(in); |
| - uint32 tag; |
| + unsigned tag; |
| base::StringPiece contents; |
| - AES_KEY key; |
| + ScopedPK11Context key; |
|
wtc
2011/07/01 18:33:32
"key" is a strange name for a PK11Context. I thin
agl
2011/07/01 20:04:59
Done.
|
| if (!ParsePacket(&reader, &tag, &contents)) |
| return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| @@ -204,7 +230,7 @@ class Decrypter { |
| // ParsePacket parses an OpenPGP packet from reader. See RFC 4880, section |
| // 4.2.2. |
| bool ParsePacket(Reader *reader, |
| - uint32 *out_tag, |
| + unsigned *out_tag, |
| base::StringPiece *out_contents) { |
| uint8 header; |
| if (!reader->U8(&header)) |
| @@ -224,9 +250,9 @@ class Decrypter { |
| return true; |
| } |
| - const uint32 length_bytes = 1 << length_type; |
| - uint32 length = 0; |
| - for (uint32 i = 0; i < length_bytes; i++) { |
| + const unsigned length_bytes = 1 << length_type; |
| + size_t length = 0; |
| + for (unsigned i = 0; i < length_bytes; i++) { |
| uint8 length_byte; |
| if (!reader->U8(&length_byte)) |
| return false; |
| @@ -239,7 +265,7 @@ class Decrypter { |
| // New format packet. |
| *out_tag = header & 0x3f; |
| - uint32 length; |
| + size_t length; |
| bool is_partial; |
| if (!ParseLength(reader, &length, &is_partial)) |
| return false; |
| @@ -251,17 +277,17 @@ class Decrypter { |
| // ParseStreamContents parses all the chunks of a partial length stream from |
| // reader. See http://tools.ietf.org/html/rfc4880#section-4.2.2.4 |
| bool ParseStreamContents(Reader *reader, |
| - uint32 length, |
| + size_t length, |
| base::StringPiece *out_contents) { |
| const Reader::Position beginning_of_stream = reader->tell(); |
| - const uint32 first_chunk_length = length; |
| + const size_t first_chunk_length = length; |
| // First we parse the stream to find its length. |
| if (!reader->Skip(length)) |
| return false; |
| for (;;) { |
| - uint32 chunk_length; |
| + size_t chunk_length; |
| bool is_partial; |
| if (!ParseLength(reader, &chunk_length, &is_partial)) |
| @@ -278,7 +304,7 @@ class Decrypter { |
| // Now we have the length of the whole stream in |length|. |
| char* buf = reinterpret_cast<char*>(malloc(length)); |
| arena_.push_back(buf); |
| - uint32 j = 0; |
| + size_t j = 0; |
| reader->Seek(beginning_of_stream); |
| base::StringPiece first_chunk; |
| @@ -289,7 +315,7 @@ class Decrypter { |
| // Now we parse the stream again, this time copying into |buf| |
| for (;;) { |
| - uint32 chunk_length; |
| + size_t chunk_length; |
| bool is_partial; |
| if (!ParseLength(reader, &chunk_length, &is_partial)) |
| @@ -309,7 +335,7 @@ class Decrypter { |
| // ParseLength parses an OpenPGP length from reader. See RFC 4880, section |
| // 4.2.2. |
| - bool ParseLength(Reader *reader, uint32 *out_length, bool *out_is_prefix) { |
| + bool ParseLength(Reader *reader, size_t *out_length, bool *out_is_prefix) { |
| uint8 length_spec; |
| if (!reader->U8(&length_spec)) |
| return false; |
| @@ -331,7 +357,9 @@ class Decrypter { |
| *out_is_prefix = true; |
| return true; |
| } else { |
| - return reader->U32(out_length); |
| + uint32 length32; |
| + return reader->U32(&length32); |
| + *out_length = length32; |
|
wtc
2011/07/01 18:33:32
BUG: this is after the return statement. I think
agl
2011/07/01 20:04:59
Thanks!
|
| } |
| } |
| @@ -340,7 +368,7 @@ class Decrypter { |
| OpenPGPSymmetricEncrytion::Result ParseSymmetricKeyEncrypted( |
| Reader *reader, |
| base::StringPiece passphrase, |
| - AES_KEY *out_key) { |
| + ScopedPK11Context *out_key) { |
| uint8 version, cipher, s2k_type, hash_func_id; |
| if (!reader->U8(&version) || version != 4) |
| return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| @@ -355,18 +383,19 @@ class Decrypter { |
| if (cipher_key_length == 0) |
| return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER; |
| - const EVP_MD *hash_function; |
| + HASH_HashType hash_function; |
| switch (hash_func_id) { |
| case 2: // SHA-1 |
| - hash_function = EVP_sha1(); |
| + hash_function = HASH_AlgSHA1; |
| break; |
| case 8: // SHA-256 |
| - hash_function = EVP_sha256(); |
| + hash_function = HASH_AlgSHA256; |
| break; |
| default: |
| return OpenPGPSymmetricEncrytion::UNKNOWN_HASH; |
| } |
| + // This chunk of code parses the S2K specifier. See RFC 4880, section 3.7.1. |
| base::StringPiece salt; |
| uint8 key[32]; |
| uint8 count_spec; |
| @@ -374,6 +403,7 @@ class Decrypter { |
| case 1: |
| if (!reader->Prefix(8, &salt)) |
| return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| + // fallthrough |
|
wtc
2011/07/01 18:33:32
Nit: fallthrough => Fall through.
agl
2011/07/01 20:04:59
Done.
|
| case 0: |
| SaltedIteratedS2K(cipher_key_length, hash_function, passphrase, salt, |
| passphrase.size() + salt.size(), key); |
| @@ -385,14 +415,14 @@ class Decrypter { |
| } |
| SaltedIteratedS2K( |
| cipher_key_length, hash_function, passphrase, salt, |
| - static_cast<uint32>( |
| + static_cast<unsigned>( |
| 16 + (count_spec&15)) << ((count_spec >> 4) + 6), key); |
| break; |
| default: |
| return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| } |
| - if (AES_set_encrypt_key(key, 8 * cipher_key_length, out_key)) |
| + if (!SetKey(key, cipher_key_length, out_key)) |
| return OpenPGPSymmetricEncrytion::INTERNAL_ERROR; |
| if (reader->empty()) { |
| @@ -409,30 +439,47 @@ class Decrypter { |
| malloc(encrypted_key.size())); |
| arena_.push_back(plaintext_key); |
| - int num = 0; |
| - uint8 iv[16] = {0}; |
| - |
| - AES_cfb128_encrypt(reinterpret_cast<const uint8*>(encrypted_key.data()), |
| - plaintext_key, |
| - encrypted_key.size(), |
| - out_key, |
| - iv, |
| - &num, |
| - AES_DECRYPT); |
| + CFBDecrypt(encrypted_key, out_key, plaintext_key); |
| cipher_key_length = OpenPGPCipherIdToKeyLength(plaintext_key[0]); |
| if (cipher_key_length == 0) |
| return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER; |
| if (encrypted_key.size() != 1u + cipher_key_length) |
| return OpenPGPSymmetricEncrytion::PARSE_ERROR; |
| - if (AES_set_encrypt_key(plaintext_key + 1, 8 * cipher_key_length, |
| - out_key)) { |
| + if (!SetKey(plaintext_key + 1, cipher_key_length, out_key)) |
| return OpenPGPSymmetricEncrytion::INTERNAL_ERROR; |
| - } |
| return OpenPGPSymmetricEncrytion::OK; |
| } |
| - uint32 OpenPGPCipherIdToKeyLength(uint8 cipher) { |
| + // CFBDecrypt decrypts the cipher-feedback encrypted data in |in| to |out| |
| + // using |key| and assumes an IV of all zeros. |
| + void CFBDecrypt(base::StringPiece in, ScopedPK11Context* key, uint8* out) { |
| + // We need this for PK11_CipherOp to write to, but we never check it as we |
| + // work in ECB mode, one block at a time. |
| + int out_len; |
| + |
| + uint8 mask[AES_BLOCK_SIZE]; |
| + memset(mask, 0, sizeof(mask)); |
| + |
| + unsigned used = AES_BLOCK_SIZE; |
| + |
| + for (size_t i = 0; i < in.size(); i++) { |
| + if (used == AES_BLOCK_SIZE) { |
| + PK11_CipherOp(key->get(), mask, &out_len, sizeof(mask), mask, |
| + AES_BLOCK_SIZE); |
| + used = 0; |
| + } |
| + |
| + uint8 t = in[i]; |
| + out[i] = t ^ mask[used]; |
| + mask[used] = t; |
| + used++; |
| + } |
| + } |
| + |
| + // OpenPGPCipherIdToKeyLength converts an OpenPGP cipher id (see RFC 4880, |
| + // section 9.2) to the key length of that cipher. It returns 0 on error. |
| + unsigned OpenPGPCipherIdToKeyLength(uint8 cipher) { |
| switch (cipher) { |
| case 7: // AES-128 |
| return 16; |
| @@ -448,8 +495,12 @@ class Decrypter { |
| // ParseSymmetricallyEncrypted parses a Symmetrically Encrypted packet. See |
| // RFC 4880, sections 5.7 and 5.13. |
| bool ParseSymmetricallyEncrypted(Reader *reader, |
| - AES_KEY *key, |
| + ScopedPK11Context *key, |
| base::StringPiece *out_plaintext) { |
| + // We need this for PK11_CipherOp to write to, but we never check it as we |
| + // work in ECB mode, one block at a time. |
| + int out_len; |
| + |
| uint8 version; |
| if (!reader->U8(&version) || version != 1) |
| return false; |
| @@ -464,10 +515,12 @@ class Decrypter { |
| uint8 fre[AES_BLOCK_SIZE]; |
| memset(prefix_copy, 0, AES_BLOCK_SIZE); |
| - AES_ecb_encrypt(prefix_copy, fre, key, AES_ENCRYPT); |
| - for (uint32 i = 0; i < AES_BLOCK_SIZE; i++) |
| + PK11_CipherOp(key->get(), fre, &out_len, sizeof(fre), prefix_copy, |
| + AES_BLOCK_SIZE); |
| + for (unsigned i = 0; i < AES_BLOCK_SIZE; i++) |
| prefix_copy[i] = fre[i] ^ prefix[i]; |
| - AES_ecb_encrypt(prefix, fre, key, AES_ENCRYPT); |
| + PK11_CipherOp(key->get(), fre, &out_len, sizeof(fre), prefix, |
| + AES_BLOCK_SIZE); |
| prefix_copy[AES_BLOCK_SIZE] = prefix[AES_BLOCK_SIZE] ^ fre[0]; |
| prefix_copy[AES_BLOCK_SIZE + 1] = prefix[AES_BLOCK_SIZE + 1] ^ fre[1]; |
| @@ -479,10 +532,10 @@ class Decrypter { |
| fre[0] = prefix[AES_BLOCK_SIZE]; |
| fre[1] = prefix[AES_BLOCK_SIZE + 1]; |
| - uint32 out_used = 2; |
| + unsigned out_used = 2; |
| - const uint32 plaintext_size = reader->size(); |
| - if (plaintext_size < SHA_DIGEST_LENGTH + 2) { |
| + const size_t plaintext_size = reader->size(); |
| + if (plaintext_size < SHA1_LENGTH + 2) { |
| // Too small to contain an MDC trailer. |
| return false; |
| } |
| @@ -490,12 +543,13 @@ class Decrypter { |
| uint8* plaintext = reinterpret_cast<uint8*>(malloc(plaintext_size)); |
| arena_.push_back(plaintext); |
| - for (uint32 i = 0; i < plaintext_size; i++) { |
| + for (size_t i = 0; i < plaintext_size; i++) { |
| uint8 b; |
| if (!reader->U8(&b)) |
| return false; |
| if (out_used == AES_BLOCK_SIZE) { |
| - AES_ecb_encrypt(fre, fre, key, AES_ENCRYPT); |
| + PK11_CipherOp(key->get(), fre, &out_len, sizeof(fre), fre, |
| + AES_BLOCK_SIZE); |
| out_used = 0; |
| } |
| @@ -506,25 +560,28 @@ class Decrypter { |
| // The plaintext should be followed by a Modification Detection Code |
| // packet. This packet is specified such that the header is always |
| // serialized as exactly these two bytes: |
| - if (plaintext[plaintext_size - SHA_DIGEST_LENGTH - 2] != 0xd3 || |
| - plaintext[plaintext_size - SHA_DIGEST_LENGTH - 1] != 0x14) { |
| + if (plaintext[plaintext_size - SHA1_LENGTH - 2] != 0xd3 || |
| + plaintext[plaintext_size - SHA1_LENGTH - 1] != 0x14) { |
| return false; |
| } |
| - SHA_CTX sha1; |
| - SHA1_Init(&sha1); |
| - SHA1_Update(&sha1, prefix_copy, sizeof(prefix_copy)); |
| - SHA1_Update(&sha1, plaintext, plaintext_size - SHA_DIGEST_LENGTH); |
| - uint8 digest[SHA_DIGEST_LENGTH]; |
| - SHA1_Final(digest, &sha1); |
| - |
| - if (memcmp(digest, &plaintext[plaintext_size - SHA_DIGEST_LENGTH], |
| - SHA_DIGEST_LENGTH) != 0) { |
| + const struct SECHashObjectStr* hash = HASH_GetHashObject(HASH_AlgSHA1); |
| + void* hash_context = hash->create(); |
| + hash->begin(hash_context); |
| + hash->update(hash_context, prefix_copy, sizeof(prefix_copy)); |
| + hash->update(hash_context, plaintext, plaintext_size - SHA1_LENGTH); |
| + uint8 digest[SHA1_LENGTH]; |
| + unsigned num_hash_bytes; |
| + hash->end(hash_context, digest, &num_hash_bytes, sizeof(digest)); |
| + hash->destroy(hash_context, PR_TRUE); |
| + |
| + if (memcmp(digest, &plaintext[plaintext_size - SHA1_LENGTH], |
| + SHA1_LENGTH) != 0) { |
| return false; |
| } |
| *out_plaintext = base::StringPiece(reinterpret_cast<char*>(plaintext), |
| - plaintext_size - SHA_DIGEST_LENGTH); |
| + plaintext_size - SHA1_LENGTH); |
| return true; |
| } |
| @@ -564,7 +621,9 @@ class Encrypter { |
| } |
| private: |
| - static ByteString MakePacket(uint32 tag, const ByteString& contents) { |
| + // MakePacket returns an OpenPGP packet tagged as type |tag|. It always uses |
| + // new-format headers. See RFC 4880, section 4.2. |
| + static ByteString MakePacket(unsigned tag, const ByteString& contents) { |
| ByteString header; |
| header.push_back(0x80 | 0x40 | tag); |
| @@ -587,6 +646,9 @@ class Encrypter { |
| return header + contents; |
| } |
| + // SerializeLiteralData returns a Literal Data packet containing |contents| |
| + // as binary data with no filename nor mtime specified. See RFC 4880, section |
| + // 5.9. |
| static ByteString SerializeLiteralData(base::StringPiece contents) { |
| ByteString literal_data; |
| literal_data.push_back(0x74); // text mode |
| @@ -600,6 +662,9 @@ class Encrypter { |
| return MakePacket(kLiteralDataTag, literal_data); |
| } |
| + // SerializeSymmetricKeyEncrypted generates a random AES-128 key from |
| + // |passphrase|, sets |out_key| to it and returns a Symmetric Key Encrypted |
| + // packet. See RFC 4880, section 5.3. |
| static ByteString SerializeSymmetricKeyEncrypted(base::StringPiece passphrase, |
| ByteString *out_key) { |
| ByteString ske; |
| @@ -617,30 +682,39 @@ class Encrypter { |
| uint8 key[16]; |
| SaltedIteratedS2K( |
| - sizeof(key), EVP_sha1(), passphrase, |
| + sizeof(key), HASH_AlgSHA1, passphrase, |
| base::StringPiece(reinterpret_cast<char*>(&salt64), sizeof(salt64)), |
| 65536, key); |
| *out_key = ByteString(key, sizeof(key)); |
| return MakePacket(kSymmetricKeyEncryptedTag, ske); |
| } |
| + // SerializeSymmetricallyEncrypted encrypts |plaintext| with |key| and |
| + // returns a Symmetrically Encrypted packet containing the ciphertext. See |
| + // RFC 4880, section 5.7. |
| static ByteString SerializeSymmetricallyEncrypted(ByteString plaintext, |
| const ByteString& key) { |
| + // We need this for PK11_CipherOp to write to, but we never check it as we |
| + // work in ECB mode, one block at a time. |
| + int out_len; |
| + |
| ByteString packet; |
| packet.push_back(1); // version 1 |
| - static const uint32 kBlockSize = 16; // AES block size |
| + static const unsigned kBlockSize = 16; // AES block size |
| uint8 prefix[kBlockSize + 2], fre[kBlockSize], iv[kBlockSize]; |
| base::RandBytes(iv, kBlockSize); |
| memset(fre, 0, sizeof(fre)); |
| - AES_KEY aes_key; |
| - AES_set_encrypt_key(key.data(), 8 * key.size(), &aes_key); |
| + ScopedPK11Context aes_key; |
| + CHECK(SetKey(key.data(), key.size(), &aes_key)); |
| - AES_ecb_encrypt(fre, fre, &aes_key, AES_ENCRYPT); |
| - for (uint32 i = 0; i < 16; i++) |
| + PK11_CipherOp(aes_key.get(), fre, &out_len, sizeof(fre), fre, |
| + AES_BLOCK_SIZE); |
| + for (unsigned i = 0; i < 16; i++) |
| prefix[i] = iv[i] ^ fre[i]; |
| - AES_ecb_encrypt(prefix, fre, &aes_key, AES_ENCRYPT); |
| + PK11_CipherOp(aes_key.get(), fre, &out_len, sizeof(fre), prefix, |
| + AES_BLOCK_SIZE); |
| prefix[kBlockSize] = iv[kBlockSize - 2] ^ fre[0]; |
| prefix[kBlockSize + 1] = iv[kBlockSize - 1] ^ fre[1]; |
| @@ -650,23 +724,27 @@ class Encrypter { |
| plaintext_copy.push_back(0xd3); // MDC packet |
| plaintext_copy.push_back(20); // packet length (20 bytes) |
| - SHA_CTX sha1; |
| - SHA1_Init(&sha1); |
| - SHA1_Update(&sha1, iv, sizeof(iv)); |
| - SHA1_Update(&sha1, iv + kBlockSize - 2, 2); |
| - SHA1_Update(&sha1, plaintext_copy.data(), plaintext_copy.size()); |
| - uint8 digest[SHA_DIGEST_LENGTH]; |
| - SHA1_Final(digest, &sha1); |
| + const struct SECHashObjectStr* hash = HASH_GetHashObject(HASH_AlgSHA1); |
| + void* hash_context = hash->create(); |
| + hash->begin(hash_context); |
| + hash->update(hash_context, iv, sizeof(iv)); |
| + hash->update(hash_context, iv + kBlockSize - 2, 2); |
| + hash->update(hash_context, plaintext_copy.data(), plaintext_copy.size()); |
| + uint8 digest[SHA1_LENGTH]; |
| + unsigned num_hash_bytes; |
| + hash->end(hash_context, digest, &num_hash_bytes, sizeof(digest)); |
| + hash->destroy(hash_context, PR_TRUE); |
| plaintext_copy += ByteString(digest, sizeof(digest)); |
| fre[0] = prefix[kBlockSize]; |
| fre[1] = prefix[kBlockSize+1]; |
| - uint32 out_used = 2; |
| + unsigned out_used = 2; |
| for (size_t i = 0; i < plaintext_copy.size(); i++) { |
| if (out_used == kBlockSize) { |
| - AES_ecb_encrypt(fre, fre, &aes_key, AES_ENCRYPT); |
| + PK11_CipherOp(aes_key.get(), fre, &out_len, sizeof(fre), fre, |
| + AES_BLOCK_SIZE); |
| out_used = 0; |
| } |
