| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "crypto/openpgp_symmetric_encryption.h" | |
| 6 | |
| 7 #include <stdlib.h> | |
| 8 | |
| 9 #include <sechash.h> | |
| 10 #include <cryptohi.h> | |
| 11 | |
| 12 #include <vector> | |
| 13 | |
| 14 #include "base/logging.h" | |
| 15 #include "crypto/random.h" | |
| 16 #include "crypto/scoped_nss_types.h" | |
| 17 #include "crypto/nss_util.h" | |
| 18 | |
| 19 namespace crypto { | |
| 20 | |
| 21 namespace { | |
| 22 | |
| 23 // Reader wraps a StringPiece and provides methods to read several datatypes | |
| 24 // while advancing the StringPiece. | |
| 25 class Reader { | |
| 26 public: | |
| 27 Reader(base::StringPiece input) | |
| 28 : data_(input) { | |
| 29 } | |
| 30 | |
| 31 bool U8(uint8* out) { | |
| 32 if (data_.size() < 1) | |
| 33 return false; | |
| 34 *out = static_cast<uint8>(data_[0]); | |
| 35 data_.remove_prefix(1); | |
| 36 return true; | |
| 37 } | |
| 38 | |
| 39 bool U32(uint32* out) { | |
| 40 if (data_.size() < 4) | |
| 41 return false; | |
| 42 *out = static_cast<uint32>(data_[0]) << 24 | | |
| 43 static_cast<uint32>(data_[1]) << 16 | | |
| 44 static_cast<uint32>(data_[2]) << 8 | | |
| 45 static_cast<uint32>(data_[3]); | |
| 46 data_.remove_prefix(4); | |
| 47 return true; | |
| 48 } | |
| 49 | |
| 50 // Prefix sets |*out| to the first |n| bytes of the StringPiece and advances | |
| 51 // the StringPiece by |n|. | |
| 52 bool Prefix(size_t n, base::StringPiece *out) { | |
| 53 if (data_.size() < n) | |
| 54 return false; | |
| 55 *out = base::StringPiece(data_.data(), n); | |
| 56 data_.remove_prefix(n); | |
| 57 return true; | |
| 58 } | |
| 59 | |
| 60 // Remainder returns the remainer of the StringPiece and advances it to the | |
| 61 // end. | |
| 62 base::StringPiece Remainder() { | |
| 63 base::StringPiece ret = data_; | |
| 64 data_ = base::StringPiece(); | |
| 65 return ret; | |
| 66 } | |
| 67 | |
| 68 typedef base::StringPiece Position; | |
| 69 | |
| 70 Position tell() const { | |
| 71 return data_; | |
| 72 } | |
| 73 | |
| 74 void Seek(Position p) { | |
| 75 data_ = p; | |
| 76 } | |
| 77 | |
| 78 bool Skip(size_t n) { | |
| 79 if (data_.size() < n) | |
| 80 return false; | |
| 81 data_.remove_prefix(n); | |
| 82 return true; | |
| 83 } | |
| 84 | |
| 85 bool empty() const { | |
| 86 return data_.empty(); | |
| 87 } | |
| 88 | |
| 89 size_t size() const { | |
| 90 return data_.size(); | |
| 91 } | |
| 92 | |
| 93 private: | |
| 94 base::StringPiece data_; | |
| 95 }; | |
| 96 | |
| 97 // SaltedIteratedS2K implements the salted and iterated string-to-key | |
| 98 // convertion. See RFC 4880, section 3.7.1.3. | |
| 99 void SaltedIteratedS2K(unsigned cipher_key_length, | |
| 100 HASH_HashType hash_function, | |
| 101 base::StringPiece passphrase, | |
| 102 base::StringPiece salt, | |
| 103 unsigned count, | |
| 104 uint8 *out_key) { | |
| 105 const std::string combined = salt.as_string() + passphrase.as_string(); | |
| 106 const size_t combined_len = combined.size(); | |
| 107 | |
| 108 unsigned done = 0; | |
| 109 uint8 zero[1] = {0}; | |
| 110 | |
| 111 HASHContext* hash_context = HASH_Create(hash_function); | |
| 112 | |
| 113 for (unsigned i = 0; done < cipher_key_length; i++) { | |
| 114 HASH_Begin(hash_context); | |
| 115 | |
| 116 for (unsigned j = 0; j < i; j++) | |
| 117 HASH_Update(hash_context, zero, sizeof(zero)); | |
| 118 | |
| 119 unsigned written = 0; | |
| 120 while (written < count) { | |
| 121 if (written + combined_len > count) { | |
| 122 unsigned todo = count - written; | |
| 123 HASH_Update(hash_context, | |
| 124 reinterpret_cast<const uint8*>(combined.data()), | |
| 125 todo); | |
| 126 written = count; | |
| 127 } else { | |
| 128 HASH_Update(hash_context, | |
| 129 reinterpret_cast<const uint8*>(combined.data()), | |
| 130 combined_len); | |
| 131 written += combined_len; | |
| 132 } | |
| 133 } | |
| 134 | |
| 135 unsigned num_hash_bytes; | |
| 136 uint8 digest[HASH_LENGTH_MAX]; | |
| 137 HASH_End(hash_context, digest, &num_hash_bytes, sizeof(digest)); | |
| 138 | |
| 139 unsigned todo = cipher_key_length - done; | |
| 140 if (todo > num_hash_bytes) | |
| 141 todo = num_hash_bytes; | |
| 142 memcpy(out_key + done, digest, todo); | |
| 143 done += todo; | |
| 144 } | |
| 145 | |
| 146 HASH_Destroy(hash_context); | |
| 147 } | |
| 148 | |
| 149 // CreateAESContext sets up |out_key| to be an AES context, with the given key, | |
| 150 // in ECB mode and with no IV. | |
| 151 bool CreateAESContext(const uint8* key, unsigned key_len, | |
| 152 ScopedPK11Context* out_decryption_context) { | |
| 153 ScopedPK11Slot slot(PK11_GetInternalSlot()); | |
| 154 if (!slot.get()) | |
| 155 return false; | |
| 156 SECItem key_item; | |
| 157 key_item.type = siBuffer; | |
| 158 key_item.data = const_cast<uint8*>(key); | |
| 159 key_item.len = key_len; | |
| 160 ScopedPK11SymKey pk11_key(PK11_ImportSymKey( | |
| 161 slot.get(), CKM_AES_ECB, PK11_OriginUnwrap, CKA_ENCRYPT, &key_item, | |
| 162 NULL)); | |
| 163 if (!pk11_key.get()) | |
| 164 return false; | |
| 165 ScopedSECItem iv_param(PK11_ParamFromIV(CKM_AES_ECB, NULL)); | |
| 166 out_decryption_context->reset( | |
| 167 PK11_CreateContextBySymKey(CKM_AES_ECB, CKA_ENCRYPT, pk11_key.get(), | |
| 168 iv_param.get())); | |
| 169 return out_decryption_context->get() != NULL; | |
| 170 } | |
| 171 | |
| 172 | |
| 173 // These constants are the tag numbers for the various packet types that we | |
| 174 // use. | |
| 175 static const unsigned kSymmetricKeyEncryptedTag = 3; | |
| 176 static const unsigned kSymmetricallyEncryptedTag = 18; | |
| 177 static const unsigned kCompressedTag = 8; | |
| 178 static const unsigned kLiteralDataTag = 11; | |
| 179 | |
| 180 class Decrypter { | |
| 181 public: | |
| 182 ~Decrypter() { | |
| 183 for (std::vector<void*>::iterator | |
| 184 i = arena_.begin(); i != arena_.end(); i++) { | |
| 185 free(*i); | |
| 186 } | |
| 187 arena_.clear(); | |
| 188 } | |
| 189 | |
| 190 OpenPGPSymmetricEncrytion::Result Decrypt(base::StringPiece in, | |
| 191 base::StringPiece passphrase, | |
| 192 base::StringPiece *out_contents) { | |
| 193 Reader reader(in); | |
| 194 unsigned tag; | |
| 195 base::StringPiece contents; | |
| 196 ScopedPK11Context decryption_context; | |
| 197 | |
| 198 if (!ParsePacket(&reader, &tag, &contents)) | |
| 199 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | |
| 200 if (tag != kSymmetricKeyEncryptedTag) | |
| 201 return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED; | |
| 202 Reader inner(contents); | |
| 203 OpenPGPSymmetricEncrytion::Result result = | |
| 204 ParseSymmetricKeyEncrypted(&inner, passphrase, &decryption_context); | |
| 205 if (result != OpenPGPSymmetricEncrytion::OK) | |
| 206 return result; | |
| 207 | |
| 208 if (!ParsePacket(&reader, &tag, &contents)) | |
| 209 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | |
| 210 if (tag != kSymmetricallyEncryptedTag) | |
| 211 return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED; | |
| 212 if (!reader.empty()) | |
| 213 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | |
| 214 inner = Reader(contents); | |
| 215 if (!ParseSymmetricallyEncrypted(&inner, &decryption_context, &contents)) | |
| 216 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | |
| 217 | |
| 218 reader = Reader(contents); | |
| 219 if (!ParsePacket(&reader, &tag, &contents)) | |
| 220 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | |
| 221 if (tag == kCompressedTag) | |
| 222 return OpenPGPSymmetricEncrytion::COMPRESSED; | |
| 223 if (tag != kLiteralDataTag) | |
| 224 return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED; | |
| 225 inner = Reader(contents); | |
| 226 if (!ParseLiteralData(&inner, out_contents)) | |
| 227 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | |
| 228 | |
| 229 return OpenPGPSymmetricEncrytion::OK; | |
| 230 } | |
| 231 | |
| 232 private: | |
| 233 // ParsePacket parses an OpenPGP packet from reader. See RFC 4880, section | |
| 234 // 4.2.2. | |
| 235 bool ParsePacket(Reader *reader, | |
| 236 unsigned *out_tag, | |
| 237 base::StringPiece *out_contents) { | |
| 238 uint8 header; | |
| 239 if (!reader->U8(&header)) | |
| 240 return false; | |
| 241 if ((header & 0x80) == 0) { | |
| 242 // Tag byte must have MSB set. | |
| 243 return false; | |
| 244 } | |
| 245 | |
| 246 if ((header & 0x40) == 0) { | |
| 247 // Old format packet. | |
| 248 *out_tag = (header & 0x3f) >> 2; | |
| 249 | |
| 250 uint8 length_type = header & 3; | |
| 251 if (length_type == 3) { | |
| 252 *out_contents = reader->Remainder(); | |
| 253 return true; | |
| 254 } | |
| 255 | |
| 256 const unsigned length_bytes = 1 << length_type; | |
| 257 size_t length = 0; | |
| 258 for (unsigned i = 0; i < length_bytes; i++) { | |
| 259 uint8 length_byte; | |
| 260 if (!reader->U8(&length_byte)) | |
| 261 return false; | |
| 262 length <<= 8; | |
| 263 length |= length_byte; | |
| 264 } | |
| 265 | |
| 266 return reader->Prefix(length, out_contents); | |
| 267 } | |
| 268 | |
| 269 // New format packet. | |
| 270 *out_tag = header & 0x3f; | |
| 271 size_t length; | |
| 272 bool is_partial; | |
| 273 if (!ParseLength(reader, &length, &is_partial)) | |
| 274 return false; | |
| 275 if (is_partial) | |
| 276 return ParseStreamContents(reader, length, out_contents); | |
| 277 return reader->Prefix(length, out_contents); | |
| 278 } | |
| 279 | |
| 280 // ParseStreamContents parses all the chunks of a partial length stream from | |
| 281 // reader. See http://tools.ietf.org/html/rfc4880#section-4.2.2.4 | |
| 282 bool ParseStreamContents(Reader *reader, | |
| 283 size_t length, | |
| 284 base::StringPiece *out_contents) { | |
| 285 const Reader::Position beginning_of_stream = reader->tell(); | |
| 286 const size_t first_chunk_length = length; | |
| 287 | |
| 288 // First we parse the stream to find its length. | |
| 289 if (!reader->Skip(length)) | |
| 290 return false; | |
| 291 | |
| 292 for (;;) { | |
| 293 size_t chunk_length; | |
| 294 bool is_partial; | |
| 295 | |
| 296 if (!ParseLength(reader, &chunk_length, &is_partial)) | |
| 297 return false; | |
| 298 if (length + chunk_length < length) | |
| 299 return false; | |
| 300 length += chunk_length; | |
| 301 if (!reader->Skip(chunk_length)) | |
| 302 return false; | |
| 303 if (!is_partial) | |
| 304 break; | |
| 305 } | |
| 306 | |
| 307 // Now we have the length of the whole stream in |length|. | |
| 308 char* buf = reinterpret_cast<char*>(malloc(length)); | |
| 309 arena_.push_back(buf); | |
| 310 size_t j = 0; | |
| 311 reader->Seek(beginning_of_stream); | |
| 312 | |
| 313 base::StringPiece first_chunk; | |
| 314 if (!reader->Prefix(first_chunk_length, &first_chunk)) | |
| 315 return false; | |
| 316 memcpy(buf + j, first_chunk.data(), first_chunk_length); | |
| 317 j += first_chunk_length; | |
| 318 | |
| 319 // Now we parse the stream again, this time copying into |buf| | |
| 320 for (;;) { | |
| 321 size_t chunk_length; | |
| 322 bool is_partial; | |
| 323 | |
| 324 if (!ParseLength(reader, &chunk_length, &is_partial)) | |
| 325 return false; | |
| 326 base::StringPiece chunk; | |
| 327 if (!reader->Prefix(chunk_length, &chunk)) | |
| 328 return false; | |
| 329 memcpy(buf + j, chunk.data(), chunk_length); | |
| 330 j += chunk_length; | |
| 331 if (!is_partial) | |
| 332 break; | |
| 333 } | |
| 334 | |
| 335 *out_contents = base::StringPiece(buf, length); | |
| 336 return true; | |
| 337 } | |
| 338 | |
| 339 // ParseLength parses an OpenPGP length from reader. See RFC 4880, section | |
| 340 // 4.2.2. | |
| 341 bool ParseLength(Reader *reader, size_t *out_length, bool *out_is_prefix) { | |
| 342 uint8 length_spec; | |
| 343 if (!reader->U8(&length_spec)) | |
| 344 return false; | |
| 345 | |
| 346 *out_is_prefix = false; | |
| 347 if (length_spec < 192) { | |
| 348 *out_length = length_spec; | |
| 349 return true; | |
| 350 } else if (length_spec < 224) { | |
| 351 uint8 next_byte; | |
| 352 if (!reader->U8(&next_byte)) | |
| 353 return false; | |
| 354 | |
| 355 *out_length = (length_spec - 192) << 8; | |
| 356 *out_length += next_byte; | |
| 357 return true; | |
| 358 } else if (length_spec < 255) { | |
| 359 *out_length = 1u << (length_spec & 0x1f); | |
| 360 *out_is_prefix = true; | |
| 361 return true; | |
| 362 } else { | |
| 363 uint32 length32; | |
| 364 if (!reader->U32(&length32)) | |
| 365 return false; | |
| 366 *out_length = length32; | |
| 367 return true; | |
| 368 } | |
| 369 } | |
| 370 | |
| 371 // ParseSymmetricKeyEncrypted parses a passphrase protected session key. See | |
| 372 // RFC 4880, section 5.3. | |
| 373 OpenPGPSymmetricEncrytion::Result ParseSymmetricKeyEncrypted( | |
| 374 Reader *reader, | |
| 375 base::StringPiece passphrase, | |
| 376 ScopedPK11Context *decryption_context) { | |
| 377 uint8 version, cipher, s2k_type, hash_func_id; | |
| 378 if (!reader->U8(&version) || version != 4) | |
| 379 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | |
| 380 | |
| 381 if (!reader->U8(&cipher) || | |
| 382 !reader->U8(&s2k_type) || | |
| 383 !reader->U8(&hash_func_id)) { | |
| 384 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | |
| 385 } | |
| 386 | |
| 387 uint8 cipher_key_length = OpenPGPCipherIdToKeyLength(cipher); | |
| 388 if (cipher_key_length == 0) | |
| 389 return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER; | |
| 390 | |
| 391 HASH_HashType hash_function; | |
| 392 switch (hash_func_id) { | |
| 393 case 2: // SHA-1 | |
| 394 hash_function = HASH_AlgSHA1; | |
| 395 break; | |
| 396 case 8: // SHA-256 | |
| 397 hash_function = HASH_AlgSHA256; | |
| 398 break; | |
| 399 default: | |
| 400 return OpenPGPSymmetricEncrytion::UNKNOWN_HASH; | |
| 401 } | |
| 402 | |
| 403 // This chunk of code parses the S2K specifier. See RFC 4880, section 3.7.1. | |
| 404 base::StringPiece salt; | |
| 405 uint8 key[32]; | |
| 406 uint8 count_spec; | |
| 407 switch (s2k_type) { | |
| 408 case 1: | |
| 409 if (!reader->Prefix(8, &salt)) | |
| 410 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | |
| 411 // Fall through. | |
| 412 case 0: | |
| 413 SaltedIteratedS2K(cipher_key_length, hash_function, passphrase, salt, | |
| 414 passphrase.size() + salt.size(), key); | |
| 415 break; | |
| 416 case 3: | |
| 417 if (!reader->Prefix(8, &salt) || | |
| 418 !reader->U8(&count_spec)) { | |
| 419 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | |
| 420 } | |
| 421 SaltedIteratedS2K( | |
| 422 cipher_key_length, hash_function, passphrase, salt, | |
| 423 static_cast<unsigned>( | |
| 424 16 + (count_spec&15)) << ((count_spec >> 4) + 6), key); | |
| 425 break; | |
| 426 default: | |
| 427 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | |
| 428 } | |
| 429 | |
| 430 if (!CreateAESContext(key, cipher_key_length, decryption_context)) | |
| 431 return OpenPGPSymmetricEncrytion::INTERNAL_ERROR; | |
| 432 | |
| 433 if (reader->empty()) { | |
| 434 // The resulting key is used directly. | |
| 435 return OpenPGPSymmetricEncrytion::OK; | |
| 436 } | |
| 437 | |
| 438 // The S2K derived key encrypts another key that follows: | |
| 439 base::StringPiece encrypted_key = reader->Remainder(); | |
| 440 if (encrypted_key.size() < 1) | |
| 441 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | |
| 442 | |
| 443 uint8* plaintext_key = reinterpret_cast<uint8*>( | |
| 444 malloc(encrypted_key.size())); | |
| 445 arena_.push_back(plaintext_key); | |
| 446 | |
| 447 CFBDecrypt(encrypted_key, decryption_context, plaintext_key); | |
| 448 | |
| 449 cipher_key_length = OpenPGPCipherIdToKeyLength(plaintext_key[0]); | |
| 450 if (cipher_key_length == 0) | |
| 451 return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER; | |
| 452 if (encrypted_key.size() != 1u + cipher_key_length) | |
| 453 return OpenPGPSymmetricEncrytion::PARSE_ERROR; | |
| 454 if (!CreateAESContext(plaintext_key + 1, cipher_key_length, | |
| 455 decryption_context)) { | |
| 456 return OpenPGPSymmetricEncrytion::INTERNAL_ERROR; | |
| 457 } | |
| 458 return OpenPGPSymmetricEncrytion::OK; | |
| 459 } | |
| 460 | |
| 461 // CFBDecrypt decrypts the cipher-feedback encrypted data in |in| to |out| | |
| 462 // using |decryption_context| and assumes an IV of all zeros. | |
| 463 void CFBDecrypt(base::StringPiece in, ScopedPK11Context* decryption_context, | |
| 464 uint8* out) { | |
| 465 // We need this for PK11_CipherOp to write to, but we never check it as we | |
| 466 // work in ECB mode, one block at a time. | |
| 467 int out_len; | |
| 468 | |
| 469 uint8 mask[AES_BLOCK_SIZE]; | |
| 470 memset(mask, 0, sizeof(mask)); | |
| 471 | |
| 472 unsigned used = AES_BLOCK_SIZE; | |
| 473 | |
| 474 for (size_t i = 0; i < in.size(); i++) { | |
| 475 if (used == AES_BLOCK_SIZE) { | |
| 476 PK11_CipherOp(decryption_context->get(), mask, &out_len, sizeof(mask), | |
| 477 mask, AES_BLOCK_SIZE); | |
| 478 used = 0; | |
| 479 } | |
| 480 | |
| 481 uint8 t = in[i]; | |
| 482 out[i] = t ^ mask[used]; | |
| 483 mask[used] = t; | |
| 484 used++; | |
| 485 } | |
| 486 } | |
| 487 | |
| 488 // OpenPGPCipherIdToKeyLength converts an OpenPGP cipher id (see RFC 4880, | |
| 489 // section 9.2) to the key length of that cipher. It returns 0 on error. | |
| 490 unsigned OpenPGPCipherIdToKeyLength(uint8 cipher) { | |
| 491 switch (cipher) { | |
| 492 case 7: // AES-128 | |
| 493 return 16; | |
| 494 case 8: // AES-192 | |
| 495 return 24; | |
| 496 case 9: // AES-256 | |
| 497 return 32; | |
| 498 default: | |
| 499 return 0; | |
| 500 } | |
| 501 } | |
| 502 | |
| 503 // ParseSymmetricallyEncrypted parses a Symmetrically Encrypted packet. See | |
| 504 // RFC 4880, sections 5.7 and 5.13. | |
| 505 bool ParseSymmetricallyEncrypted(Reader *reader, | |
| 506 ScopedPK11Context *decryption_context, | |
| 507 base::StringPiece *out_plaintext) { | |
| 508 // We need this for PK11_CipherOp to write to, but we never check it as we | |
| 509 // work in ECB mode, one block at a time. | |
| 510 int out_len; | |
| 511 | |
| 512 uint8 version; | |
| 513 if (!reader->U8(&version) || version != 1) | |
| 514 return false; | |
| 515 | |
| 516 base::StringPiece prefix_sp; | |
| 517 if (!reader->Prefix(AES_BLOCK_SIZE + 2, &prefix_sp)) | |
| 518 return false; | |
| 519 uint8 prefix[AES_BLOCK_SIZE + 2]; | |
| 520 memcpy(prefix, prefix_sp.data(), sizeof(prefix)); | |
| 521 | |
| 522 uint8 prefix_copy[AES_BLOCK_SIZE + 2]; | |
| 523 uint8 fre[AES_BLOCK_SIZE]; | |
| 524 | |
| 525 memset(prefix_copy, 0, AES_BLOCK_SIZE); | |
| 526 PK11_CipherOp(decryption_context->get(), fre, &out_len, sizeof(fre), | |
| 527 prefix_copy, AES_BLOCK_SIZE); | |
| 528 for (unsigned i = 0; i < AES_BLOCK_SIZE; i++) | |
| 529 prefix_copy[i] = fre[i] ^ prefix[i]; | |
| 530 PK11_CipherOp(decryption_context->get(), fre, &out_len, sizeof(fre), prefix, | |
| 531 AES_BLOCK_SIZE); | |
| 532 prefix_copy[AES_BLOCK_SIZE] = prefix[AES_BLOCK_SIZE] ^ fre[0]; | |
| 533 prefix_copy[AES_BLOCK_SIZE + 1] = prefix[AES_BLOCK_SIZE + 1] ^ fre[1]; | |
| 534 | |
| 535 if (prefix_copy[AES_BLOCK_SIZE - 2] != prefix_copy[AES_BLOCK_SIZE] || | |
| 536 prefix_copy[AES_BLOCK_SIZE - 1] != prefix_copy[AES_BLOCK_SIZE + 1]) { | |
| 537 return false; | |
| 538 } | |
| 539 | |
| 540 fre[0] = prefix[AES_BLOCK_SIZE]; | |
| 541 fre[1] = prefix[AES_BLOCK_SIZE + 1]; | |
| 542 | |
| 543 unsigned out_used = 2; | |
| 544 | |
| 545 const size_t plaintext_size = reader->size(); | |
| 546 if (plaintext_size < SHA1_LENGTH + 2) { | |
| 547 // Too small to contain an MDC trailer. | |
| 548 return false; | |
| 549 } | |
| 550 | |
| 551 uint8* plaintext = reinterpret_cast<uint8*>(malloc(plaintext_size)); | |
| 552 arena_.push_back(plaintext); | |
| 553 | |
| 554 for (size_t i = 0; i < plaintext_size; i++) { | |
| 555 uint8 b; | |
| 556 if (!reader->U8(&b)) | |
| 557 return false; | |
| 558 if (out_used == AES_BLOCK_SIZE) { | |
| 559 PK11_CipherOp(decryption_context->get(), fre, &out_len, sizeof(fre), | |
| 560 fre, AES_BLOCK_SIZE); | |
| 561 out_used = 0; | |
| 562 } | |
| 563 | |
| 564 plaintext[i] = b ^ fre[out_used]; | |
| 565 fre[out_used++] = b; | |
| 566 } | |
| 567 | |
| 568 // The plaintext should be followed by a Modification Detection Code | |
| 569 // packet. This packet is specified such that the header is always | |
| 570 // serialized as exactly these two bytes: | |
| 571 if (plaintext[plaintext_size - SHA1_LENGTH - 2] != 0xd3 || | |
| 572 plaintext[plaintext_size - SHA1_LENGTH - 1] != 0x14) { | |
| 573 return false; | |
| 574 } | |
| 575 | |
| 576 HASHContext* hash_context = HASH_Create(HASH_AlgSHA1); | |
| 577 HASH_Begin(hash_context); | |
| 578 HASH_Update(hash_context, prefix_copy, sizeof(prefix_copy)); | |
| 579 HASH_Update(hash_context, plaintext, plaintext_size - SHA1_LENGTH); | |
| 580 uint8 digest[SHA1_LENGTH]; | |
| 581 unsigned num_hash_bytes; | |
| 582 HASH_End(hash_context, digest, &num_hash_bytes, sizeof(digest)); | |
| 583 HASH_Destroy(hash_context); | |
| 584 | |
| 585 if (memcmp(digest, &plaintext[plaintext_size - SHA1_LENGTH], | |
| 586 SHA1_LENGTH) != 0) { | |
| 587 return false; | |
| 588 } | |
| 589 | |
| 590 *out_plaintext = base::StringPiece(reinterpret_cast<char*>(plaintext), | |
| 591 plaintext_size - SHA1_LENGTH); | |
| 592 return true; | |
| 593 } | |
| 594 | |
| 595 // ParseLiteralData parses a Literal Data packet. See RFC 4880, section 5.9. | |
| 596 bool ParseLiteralData(Reader *reader, base::StringPiece *out_data) { | |
| 597 uint8 is_binary, filename_len; | |
| 598 if (!reader->U8(&is_binary) || | |
| 599 !reader->U8(&filename_len) || | |
| 600 !reader->Skip(filename_len) || | |
| 601 !reader->Skip(sizeof(uint32) /* mtime */)) { | |
| 602 return false; | |
| 603 } | |
| 604 | |
| 605 *out_data = reader->Remainder(); | |
| 606 return true; | |
| 607 } | |
| 608 | |
| 609 // arena_ contains malloced pointers that are used as temporary space during | |
| 610 // the decryption. | |
| 611 std::vector<void*> arena_; | |
| 612 }; | |
| 613 | |
| 614 class Encrypter { | |
| 615 public: | |
| 616 // ByteString is used throughout in order to avoid signedness issues with a | |
| 617 // std::string. | |
| 618 typedef std::basic_string<uint8> ByteString; | |
| 619 | |
| 620 static ByteString Encrypt(base::StringPiece plaintext, | |
| 621 base::StringPiece passphrase) { | |
| 622 ByteString key; | |
| 623 ByteString ske = SerializeSymmetricKeyEncrypted(passphrase, &key); | |
| 624 | |
| 625 ByteString literal_data = SerializeLiteralData(plaintext); | |
| 626 ByteString se = SerializeSymmetricallyEncrypted(literal_data, key); | |
| 627 return ske + se; | |
| 628 } | |
| 629 | |
| 630 private: | |
| 631 // MakePacket returns an OpenPGP packet tagged as type |tag|. It always uses | |
| 632 // new-format headers. See RFC 4880, section 4.2. | |
| 633 static ByteString MakePacket(unsigned tag, const ByteString& contents) { | |
| 634 ByteString header; | |
| 635 header.push_back(0x80 | 0x40 | tag); | |
| 636 | |
| 637 if (contents.size() < 192) { | |
| 638 header.push_back(contents.size()); | |
| 639 } else if (contents.size() < 8384) { | |
| 640 size_t length = contents.size(); | |
| 641 length -= 192; | |
| 642 header.push_back(192 + (length >> 8)); | |
| 643 header.push_back(length & 0xff); | |
| 644 } else { | |
| 645 size_t length = contents.size(); | |
| 646 header.push_back(255); | |
| 647 header.push_back(length >> 24); | |
| 648 header.push_back(length >> 16); | |
| 649 header.push_back(length >> 8); | |
| 650 header.push_back(length); | |
| 651 } | |
| 652 | |
| 653 return header + contents; | |
| 654 } | |
| 655 | |
| 656 // SerializeLiteralData returns a Literal Data packet containing |contents| | |
| 657 // as binary data with no filename nor mtime specified. See RFC 4880, section | |
| 658 // 5.9. | |
| 659 static ByteString SerializeLiteralData(base::StringPiece contents) { | |
| 660 ByteString literal_data; | |
| 661 literal_data.push_back(0x74); // text mode | |
| 662 literal_data.push_back(0x00); // no filename | |
| 663 literal_data.push_back(0x00); // zero mtime | |
| 664 literal_data.push_back(0x00); | |
| 665 literal_data.push_back(0x00); | |
| 666 literal_data.push_back(0x00); | |
| 667 literal_data += ByteString(reinterpret_cast<const uint8*>(contents.data()), | |
| 668 contents.size()); | |
| 669 return MakePacket(kLiteralDataTag, literal_data); | |
| 670 } | |
| 671 | |
| 672 // SerializeSymmetricKeyEncrypted generates a random AES-128 key from | |
| 673 // |passphrase|, sets |out_key| to it and returns a Symmetric Key Encrypted | |
| 674 // packet. See RFC 4880, section 5.3. | |
| 675 static ByteString SerializeSymmetricKeyEncrypted(base::StringPiece passphrase, | |
| 676 ByteString *out_key) { | |
| 677 ByteString ske; | |
| 678 ske.push_back(4); // version 4 | |
| 679 ske.push_back(7); // AES-128 | |
| 680 ske.push_back(3); // iterated and salted S2K | |
| 681 ske.push_back(2); // SHA-1 | |
| 682 | |
| 683 uint64 salt64; | |
| 684 crypto::RandBytes(&salt64, sizeof(salt64)); | |
| 685 ByteString salt(sizeof(salt64), 0); | |
| 686 | |
| 687 // It's a random value, so endianness doesn't matter. | |
| 688 ske += ByteString(reinterpret_cast<uint8*>(&salt64), sizeof(salt64)); | |
| 689 ske.push_back(96); // iteration count of 65536 | |
| 690 | |
| 691 uint8 key[16]; | |
| 692 SaltedIteratedS2K( | |
| 693 sizeof(key), HASH_AlgSHA1, passphrase, | |
| 694 base::StringPiece(reinterpret_cast<char*>(&salt64), sizeof(salt64)), | |
| 695 65536, key); | |
| 696 *out_key = ByteString(key, sizeof(key)); | |
| 697 return MakePacket(kSymmetricKeyEncryptedTag, ske); | |
| 698 } | |
| 699 | |
| 700 // SerializeSymmetricallyEncrypted encrypts |plaintext| with |key| and | |
| 701 // returns a Symmetrically Encrypted packet containing the ciphertext. See | |
| 702 // RFC 4880, section 5.7. | |
| 703 static ByteString SerializeSymmetricallyEncrypted(ByteString plaintext, | |
| 704 const ByteString& key) { | |
| 705 // We need this for PK11_CipherOp to write to, but we never check it as we | |
| 706 // work in ECB mode, one block at a time. | |
| 707 int out_len; | |
| 708 | |
| 709 ByteString packet; | |
| 710 packet.push_back(1); // version 1 | |
| 711 static const unsigned kBlockSize = 16; // AES block size | |
| 712 | |
| 713 uint8 prefix[kBlockSize + 2], fre[kBlockSize], iv[kBlockSize]; | |
| 714 crypto::RandBytes(iv, kBlockSize); | |
| 715 memset(fre, 0, sizeof(fre)); | |
| 716 | |
| 717 ScopedPK11Context aes_context; | |
| 718 CHECK(CreateAESContext(key.data(), key.size(), &aes_context)); | |
| 719 | |
| 720 PK11_CipherOp(aes_context.get(), fre, &out_len, sizeof(fre), fre, | |
| 721 AES_BLOCK_SIZE); | |
| 722 for (unsigned i = 0; i < 16; i++) | |
| 723 prefix[i] = iv[i] ^ fre[i]; | |
| 724 PK11_CipherOp(aes_context.get(), fre, &out_len, sizeof(fre), prefix, | |
| 725 AES_BLOCK_SIZE); | |
| 726 prefix[kBlockSize] = iv[kBlockSize - 2] ^ fre[0]; | |
| 727 prefix[kBlockSize + 1] = iv[kBlockSize - 1] ^ fre[1]; | |
| 728 | |
| 729 packet += ByteString(prefix, sizeof(prefix)); | |
| 730 | |
| 731 ByteString plaintext_copy = plaintext; | |
| 732 plaintext_copy.push_back(0xd3); // MDC packet | |
| 733 plaintext_copy.push_back(20); // packet length (20 bytes) | |
| 734 | |
| 735 HASHContext* hash_context = HASH_Create(HASH_AlgSHA1); | |
| 736 HASH_Begin(hash_context); | |
| 737 HASH_Update(hash_context, iv, sizeof(iv)); | |
| 738 HASH_Update(hash_context, iv + kBlockSize - 2, 2); | |
| 739 HASH_Update(hash_context, plaintext_copy.data(), plaintext_copy.size()); | |
| 740 uint8 digest[SHA1_LENGTH]; | |
| 741 unsigned num_hash_bytes; | |
| 742 HASH_End(hash_context, digest, &num_hash_bytes, sizeof(digest)); | |
| 743 HASH_Destroy(hash_context); | |
| 744 | |
| 745 plaintext_copy += ByteString(digest, sizeof(digest)); | |
| 746 | |
| 747 fre[0] = prefix[kBlockSize]; | |
| 748 fre[1] = prefix[kBlockSize+1]; | |
| 749 unsigned out_used = 2; | |
| 750 | |
| 751 for (size_t i = 0; i < plaintext_copy.size(); i++) { | |
| 752 if (out_used == kBlockSize) { | |
| 753 PK11_CipherOp(aes_context.get(), fre, &out_len, sizeof(fre), fre, | |
| 754 AES_BLOCK_SIZE); | |
| 755 out_used = 0; | |
| 756 } | |
| 757 | |
| 758 uint8 c = plaintext_copy[i] ^ fre[out_used]; | |
| 759 fre[out_used++] = c; | |
| 760 packet.push_back(c); | |
| 761 } | |
| 762 | |
| 763 return MakePacket(kSymmetricallyEncryptedTag, packet); | |
| 764 } | |
| 765 }; | |
| 766 | |
| 767 } // anonymous namespace | |
| 768 | |
| 769 // static | |
| 770 OpenPGPSymmetricEncrytion::Result OpenPGPSymmetricEncrytion::Decrypt( | |
| 771 base::StringPiece encrypted, | |
| 772 base::StringPiece passphrase, | |
| 773 std::string *out) { | |
| 774 EnsureNSSInit(); | |
| 775 | |
| 776 Decrypter decrypter; | |
| 777 base::StringPiece result; | |
| 778 Result reader = decrypter.Decrypt(encrypted, passphrase, &result); | |
| 779 if (reader == OK) | |
| 780 *out = result.as_string(); | |
| 781 return reader; | |
| 782 } | |
| 783 | |
| 784 // static | |
| 785 std::string OpenPGPSymmetricEncrytion::Encrypt( | |
| 786 base::StringPiece plaintext, | |
| 787 base::StringPiece passphrase) { | |
| 788 EnsureNSSInit(); | |
| 789 | |
| 790 Encrypter::ByteString b = | |
| 791 Encrypter::Encrypt(plaintext, passphrase); | |
| 792 return std::string(reinterpret_cast<const char*>(b.data()), b.size()); | |
| 793 } | |
| 794 | |
| 795 } // namespace crypto | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 253643002:
Remove unused bits implementing parts of RFC 4880 (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src