This source file includes following definitions.
- U8
- U32
- Prefix
- Remainder
- tell
- Seek
- Skip
- empty
- SaltedIteratedS2K
- CreateAESContext
- Decrypt
- ParsePacket
- ParseStreamContents
- ParseLength
- ParseSymmetricKeyEncrypted
- CFBDecrypt
- OpenPGPCipherIdToKeyLength
- ParseSymmetricallyEncrypted
- ParseLiteralData
- Encrypt
- MakePacket
- SerializeLiteralData
- SerializeSymmetricKeyEncrypted
- SerializeSymmetricallyEncrypted
- Decrypt
- Encrypt
#include "crypto/openpgp_symmetric_encryption.h"
#include <stdlib.h>
#include <sechash.h>
#include <cryptohi.h>
#include <vector>
#include "base/logging.h"
#include "crypto/random.h"
#include "crypto/scoped_nss_types.h"
#include "crypto/nss_util.h"
namespace crypto {
namespace {
class Reader {
public:
Reader(base::StringPiece input)
: data_(input) {
}
bool U8(uint8* out) {
if (data_.size() < 1)
return false;
*out = static_cast<uint8>(data_[0]);
data_.remove_prefix(1);
return true;
}
bool U32(uint32* out) {
if (data_.size() < 4)
return false;
*out = static_cast<uint32>(data_[0]) << 24 |
static_cast<uint32>(data_[1]) << 16 |
static_cast<uint32>(data_[2]) << 8 |
static_cast<uint32>(data_[3]);
data_.remove_prefix(4);
return true;
}
bool Prefix(size_t n, base::StringPiece *out) {
if (data_.size() < n)
return false;
*out = base::StringPiece(data_.data(), n);
data_.remove_prefix(n);
return true;
}
base::StringPiece Remainder() {
base::StringPiece ret = data_;
data_ = base::StringPiece();
return ret;
}
typedef base::StringPiece Position;
Position tell() const {
return data_;
}
void Seek(Position p) {
data_ = p;
}
bool Skip(size_t n) {
if (data_.size() < n)
return false;
data_.remove_prefix(n);
return true;
}
bool empty() const {
return data_.empty();
}
size_t size() const {
return data_.size();
}
private:
base::StringPiece data_;
};
void SaltedIteratedS2K(unsigned cipher_key_length,
HASH_HashType hash_function,
base::StringPiece passphrase,
base::StringPiece salt,
unsigned count,
uint8 *out_key) {
const std::string combined = salt.as_string() + passphrase.as_string();
const size_t combined_len = combined.size();
unsigned done = 0;
uint8 zero[1] = {0};
HASHContext* hash_context = HASH_Create(hash_function);
for (unsigned i = 0; done < cipher_key_length; i++) {
HASH_Begin(hash_context);
for (unsigned j = 0; j < i; j++)
HASH_Update(hash_context, zero, sizeof(zero));
unsigned written = 0;
while (written < count) {
if (written + combined_len > count) {
unsigned todo = count - written;
HASH_Update(hash_context,
reinterpret_cast<const uint8*>(combined.data()),
todo);
written = count;
} else {
HASH_Update(hash_context,
reinterpret_cast<const uint8*>(combined.data()),
combined_len);
written += combined_len;
}
}
unsigned num_hash_bytes;
uint8 digest[HASH_LENGTH_MAX];
HASH_End(hash_context, digest, &num_hash_bytes, sizeof(digest));
unsigned todo = cipher_key_length - done;
if (todo > num_hash_bytes)
todo = num_hash_bytes;
memcpy(out_key + done, digest, todo);
done += todo;
}
HASH_Destroy(hash_context);
}
bool CreateAESContext(const uint8* key, unsigned key_len,
ScopedPK11Context* out_decryption_context) {
ScopedPK11Slot slot(PK11_GetInternalSlot());
if (!slot.get())
return false;
SECItem key_item;
key_item.type = siBuffer;
key_item.data = const_cast<uint8*>(key);
key_item.len = key_len;
ScopedPK11SymKey pk11_key(PK11_ImportSymKey(
slot.get(), CKM_AES_ECB, PK11_OriginUnwrap, CKA_ENCRYPT, &key_item,
NULL));
if (!pk11_key.get())
return false;
ScopedSECItem iv_param(PK11_ParamFromIV(CKM_AES_ECB, NULL));
out_decryption_context->reset(
PK11_CreateContextBySymKey(CKM_AES_ECB, CKA_ENCRYPT, pk11_key.get(),
iv_param.get()));
return out_decryption_context->get() != NULL;
}
static const unsigned kSymmetricKeyEncryptedTag = 3;
static const unsigned kSymmetricallyEncryptedTag = 18;
static const unsigned kCompressedTag = 8;
static const unsigned kLiteralDataTag = 11;
class Decrypter {
public:
~Decrypter() {
for (std::vector<void*>::iterator
i = arena_.begin(); i != arena_.end(); i++) {
free(*i);
}
arena_.clear();
}
OpenPGPSymmetricEncrytion::Result Decrypt(base::StringPiece in,
base::StringPiece passphrase,
base::StringPiece *out_contents) {
Reader reader(in);
unsigned tag;
base::StringPiece contents;
ScopedPK11Context decryption_context;
if (!ParsePacket(&reader, &tag, &contents))
return OpenPGPSymmetricEncrytion::PARSE_ERROR;
if (tag != kSymmetricKeyEncryptedTag)
return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED;
Reader inner(contents);
OpenPGPSymmetricEncrytion::Result result =
ParseSymmetricKeyEncrypted(&inner, passphrase, &decryption_context);
if (result != OpenPGPSymmetricEncrytion::OK)
return result;
if (!ParsePacket(&reader, &tag, &contents))
return OpenPGPSymmetricEncrytion::PARSE_ERROR;
if (tag != kSymmetricallyEncryptedTag)
return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED;
if (!reader.empty())
return OpenPGPSymmetricEncrytion::PARSE_ERROR;
inner = Reader(contents);
if (!ParseSymmetricallyEncrypted(&inner, &decryption_context, &contents))
return OpenPGPSymmetricEncrytion::PARSE_ERROR;
reader = Reader(contents);
if (!ParsePacket(&reader, &tag, &contents))
return OpenPGPSymmetricEncrytion::PARSE_ERROR;
if (tag == kCompressedTag)
return OpenPGPSymmetricEncrytion::COMPRESSED;
if (tag != kLiteralDataTag)
return OpenPGPSymmetricEncrytion::NOT_SYMMETRICALLY_ENCRYPTED;
inner = Reader(contents);
if (!ParseLiteralData(&inner, out_contents))
return OpenPGPSymmetricEncrytion::PARSE_ERROR;
return OpenPGPSymmetricEncrytion::OK;
}
private:
bool ParsePacket(Reader *reader,
unsigned *out_tag,
base::StringPiece *out_contents) {
uint8 header;
if (!reader->U8(&header))
return false;
if ((header & 0x80) == 0) {
return false;
}
if ((header & 0x40) == 0) {
*out_tag = (header & 0x3f) >> 2;
uint8 length_type = header & 3;
if (length_type == 3) {
*out_contents = reader->Remainder();
return true;
}
const unsigned length_bytes = 1 << length_type;
size_t length = 0;
for (unsigned i = 0; i < length_bytes; i++) {
uint8 length_byte;
if (!reader->U8(&length_byte))
return false;
length <<= 8;
length |= length_byte;
}
return reader->Prefix(length, out_contents);
}
*out_tag = header & 0x3f;
size_t length;
bool is_partial;
if (!ParseLength(reader, &length, &is_partial))
return false;
if (is_partial)
return ParseStreamContents(reader, length, out_contents);
return reader->Prefix(length, out_contents);
}
bool ParseStreamContents(Reader *reader,
size_t length,
base::StringPiece *out_contents) {
const Reader::Position beginning_of_stream = reader->tell();
const size_t first_chunk_length = length;
if (!reader->Skip(length))
return false;
for (;;) {
size_t chunk_length;
bool is_partial;
if (!ParseLength(reader, &chunk_length, &is_partial))
return false;
if (length + chunk_length < length)
return false;
length += chunk_length;
if (!reader->Skip(chunk_length))
return false;
if (!is_partial)
break;
}
char* buf = reinterpret_cast<char*>(malloc(length));
arena_.push_back(buf);
size_t j = 0;
reader->Seek(beginning_of_stream);
base::StringPiece first_chunk;
if (!reader->Prefix(first_chunk_length, &first_chunk))
return false;
memcpy(buf + j, first_chunk.data(), first_chunk_length);
j += first_chunk_length;
for (;;) {
size_t chunk_length;
bool is_partial;
if (!ParseLength(reader, &chunk_length, &is_partial))
return false;
base::StringPiece chunk;
if (!reader->Prefix(chunk_length, &chunk))
return false;
memcpy(buf + j, chunk.data(), chunk_length);
j += chunk_length;
if (!is_partial)
break;
}
*out_contents = base::StringPiece(buf, length);
return true;
}
bool ParseLength(Reader *reader, size_t *out_length, bool *out_is_prefix) {
uint8 length_spec;
if (!reader->U8(&length_spec))
return false;
*out_is_prefix = false;
if (length_spec < 192) {
*out_length = length_spec;
return true;
} else if (length_spec < 224) {
uint8 next_byte;
if (!reader->U8(&next_byte))
return false;
*out_length = (length_spec - 192) << 8;
*out_length += next_byte;
return true;
} else if (length_spec < 255) {
*out_length = 1u << (length_spec & 0x1f);
*out_is_prefix = true;
return true;
} else {
uint32 length32;
if (!reader->U32(&length32))
return false;
*out_length = length32;
return true;
}
}
OpenPGPSymmetricEncrytion::Result ParseSymmetricKeyEncrypted(
Reader *reader,
base::StringPiece passphrase,
ScopedPK11Context *decryption_context) {
uint8 version, cipher, s2k_type, hash_func_id;
if (!reader->U8(&version) || version != 4)
return OpenPGPSymmetricEncrytion::PARSE_ERROR;
if (!reader->U8(&cipher) ||
!reader->U8(&s2k_type) ||
!reader->U8(&hash_func_id)) {
return OpenPGPSymmetricEncrytion::PARSE_ERROR;
}
uint8 cipher_key_length = OpenPGPCipherIdToKeyLength(cipher);
if (cipher_key_length == 0)
return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER;
HASH_HashType hash_function;
switch (hash_func_id) {
case 2:
hash_function = HASH_AlgSHA1;
break;
case 8:
hash_function = HASH_AlgSHA256;
break;
default:
return OpenPGPSymmetricEncrytion::UNKNOWN_HASH;
}
base::StringPiece salt;
uint8 key[32];
uint8 count_spec;
switch (s2k_type) {
case 1:
if (!reader->Prefix(8, &salt))
return OpenPGPSymmetricEncrytion::PARSE_ERROR;
case 0:
SaltedIteratedS2K(cipher_key_length, hash_function, passphrase, salt,
passphrase.size() + salt.size(), key);
break;
case 3:
if (!reader->Prefix(8, &salt) ||
!reader->U8(&count_spec)) {
return OpenPGPSymmetricEncrytion::PARSE_ERROR;
}
SaltedIteratedS2K(
cipher_key_length, hash_function, passphrase, salt,
static_cast<unsigned>(
16 + (count_spec&15)) << ((count_spec >> 4) + 6), key);
break;
default:
return OpenPGPSymmetricEncrytion::PARSE_ERROR;
}
if (!CreateAESContext(key, cipher_key_length, decryption_context))
return OpenPGPSymmetricEncrytion::INTERNAL_ERROR;
if (reader->empty()) {
return OpenPGPSymmetricEncrytion::OK;
}
base::StringPiece encrypted_key = reader->Remainder();
if (encrypted_key.size() < 1)
return OpenPGPSymmetricEncrytion::PARSE_ERROR;
uint8* plaintext_key = reinterpret_cast<uint8*>(
malloc(encrypted_key.size()));
arena_.push_back(plaintext_key);
CFBDecrypt(encrypted_key, decryption_context, plaintext_key);
cipher_key_length = OpenPGPCipherIdToKeyLength(plaintext_key[0]);
if (cipher_key_length == 0)
return OpenPGPSymmetricEncrytion::UNKNOWN_CIPHER;
if (encrypted_key.size() != 1u + cipher_key_length)
return OpenPGPSymmetricEncrytion::PARSE_ERROR;
if (!CreateAESContext(plaintext_key + 1, cipher_key_length,
decryption_context)) {
return OpenPGPSymmetricEncrytion::INTERNAL_ERROR;
}
return OpenPGPSymmetricEncrytion::OK;
}
void CFBDecrypt(base::StringPiece in, ScopedPK11Context* decryption_context,
uint8* out) {
int out_len;
uint8 mask[AES_BLOCK_SIZE];
memset(mask, 0, sizeof(mask));
unsigned used = AES_BLOCK_SIZE;
for (size_t i = 0; i < in.size(); i++) {
if (used == AES_BLOCK_SIZE) {
PK11_CipherOp(decryption_context->get(), mask, &out_len, sizeof(mask),
mask, AES_BLOCK_SIZE);
used = 0;
}
uint8 t = in[i];
out[i] = t ^ mask[used];
mask[used] = t;
used++;
}
}
unsigned OpenPGPCipherIdToKeyLength(uint8 cipher) {
switch (cipher) {
case 7:
return 16;
case 8:
return 24;
case 9:
return 32;
default:
return 0;
}
}
bool ParseSymmetricallyEncrypted(Reader *reader,
ScopedPK11Context *decryption_context,
base::StringPiece *out_plaintext) {
int out_len;
uint8 version;
if (!reader->U8(&version) || version != 1)
return false;
base::StringPiece prefix_sp;
if (!reader->Prefix(AES_BLOCK_SIZE + 2, &prefix_sp))
return false;
uint8 prefix[AES_BLOCK_SIZE + 2];
memcpy(prefix, prefix_sp.data(), sizeof(prefix));
uint8 prefix_copy[AES_BLOCK_SIZE + 2];
uint8 fre[AES_BLOCK_SIZE];
memset(prefix_copy, 0, AES_BLOCK_SIZE);
PK11_CipherOp(decryption_context->get(), fre, &out_len, sizeof(fre),
prefix_copy, AES_BLOCK_SIZE);
for (unsigned i = 0; i < AES_BLOCK_SIZE; i++)
prefix_copy[i] = fre[i] ^ prefix[i];
PK11_CipherOp(decryption_context->get(), fre, &out_len, sizeof(fre), prefix,
AES_BLOCK_SIZE);
prefix_copy[AES_BLOCK_SIZE] = prefix[AES_BLOCK_SIZE] ^ fre[0];
prefix_copy[AES_BLOCK_SIZE + 1] = prefix[AES_BLOCK_SIZE + 1] ^ fre[1];
if (prefix_copy[AES_BLOCK_SIZE - 2] != prefix_copy[AES_BLOCK_SIZE] ||
prefix_copy[AES_BLOCK_SIZE - 1] != prefix_copy[AES_BLOCK_SIZE + 1]) {
return false;
}
fre[0] = prefix[AES_BLOCK_SIZE];
fre[1] = prefix[AES_BLOCK_SIZE + 1];
unsigned out_used = 2;
const size_t plaintext_size = reader->size();
if (plaintext_size < SHA1_LENGTH + 2) {
return false;
}
uint8* plaintext = reinterpret_cast<uint8*>(malloc(plaintext_size));
arena_.push_back(plaintext);
for (size_t i = 0; i < plaintext_size; i++) {
uint8 b;
if (!reader->U8(&b))
return false;
if (out_used == AES_BLOCK_SIZE) {
PK11_CipherOp(decryption_context->get(), fre, &out_len, sizeof(fre),
fre, AES_BLOCK_SIZE);
out_used = 0;
}
plaintext[i] = b ^ fre[out_used];
fre[out_used++] = b;
}
if (plaintext[plaintext_size - SHA1_LENGTH - 2] != 0xd3 ||
plaintext[plaintext_size - SHA1_LENGTH - 1] != 0x14) {
return false;
}
HASHContext* hash_context = HASH_Create(HASH_AlgSHA1);
HASH_Begin(hash_context);
HASH_Update(hash_context, prefix_copy, sizeof(prefix_copy));
HASH_Update(hash_context, plaintext, plaintext_size - SHA1_LENGTH);
uint8 digest[SHA1_LENGTH];
unsigned num_hash_bytes;
HASH_End(hash_context, digest, &num_hash_bytes, sizeof(digest));
HASH_Destroy(hash_context);
if (memcmp(digest, &plaintext[plaintext_size - SHA1_LENGTH],
SHA1_LENGTH) != 0) {
return false;
}
*out_plaintext = base::StringPiece(reinterpret_cast<char*>(plaintext),
plaintext_size - SHA1_LENGTH);
return true;
}
bool ParseLiteralData(Reader *reader, base::StringPiece *out_data) {
uint8 is_binary, filename_len;
if (!reader->U8(&is_binary) ||
!reader->U8(&filename_len) ||
!reader->Skip(filename_len) ||
!reader->Skip(sizeof(uint32) )) {
return false;
}
*out_data = reader->Remainder();
return true;
}
std::vector<void*> arena_;
};
class Encrypter {
public:
typedef std::basic_string<uint8> ByteString;
static ByteString Encrypt(base::StringPiece plaintext,
base::StringPiece passphrase) {
ByteString key;
ByteString ske = SerializeSymmetricKeyEncrypted(passphrase, &key);
ByteString literal_data = SerializeLiteralData(plaintext);
ByteString se = SerializeSymmetricallyEncrypted(literal_data, key);
return ske + se;
}
private:
static ByteString MakePacket(unsigned tag, const ByteString& contents) {
ByteString header;
header.push_back(0x80 | 0x40 | tag);
if (contents.size() < 192) {
header.push_back(contents.size());
} else if (contents.size() < 8384) {
size_t length = contents.size();
length -= 192;
header.push_back(192 + (length >> 8));
header.push_back(length & 0xff);
} else {
size_t length = contents.size();
header.push_back(255);
header.push_back(length >> 24);
header.push_back(length >> 16);
header.push_back(length >> 8);
header.push_back(length);
}
return header + contents;
}
static ByteString SerializeLiteralData(base::StringPiece contents) {
ByteString literal_data;
literal_data.push_back(0x74);
literal_data.push_back(0x00);
literal_data.push_back(0x00);
literal_data.push_back(0x00);
literal_data.push_back(0x00);
literal_data.push_back(0x00);
literal_data += ByteString(reinterpret_cast<const uint8*>(contents.data()),
contents.size());
return MakePacket(kLiteralDataTag, literal_data);
}
static ByteString SerializeSymmetricKeyEncrypted(base::StringPiece passphrase,
ByteString *out_key) {
ByteString ske;
ske.push_back(4);
ske.push_back(7);
ske.push_back(3);
ske.push_back(2);
uint64 salt64;
crypto::RandBytes(&salt64, sizeof(salt64));
ByteString salt(sizeof(salt64), 0);
ske += ByteString(reinterpret_cast<uint8*>(&salt64), sizeof(salt64));
ske.push_back(96);
uint8 key[16];
SaltedIteratedS2K(
sizeof(key), HASH_AlgSHA1, passphrase,
base::StringPiece(reinterpret_cast<char*>(&salt64), sizeof(salt64)),
65536, key);
*out_key = ByteString(key, sizeof(key));
return MakePacket(kSymmetricKeyEncryptedTag, ske);
}
static ByteString SerializeSymmetricallyEncrypted(ByteString plaintext,
const ByteString& key) {
int out_len;
ByteString packet;
packet.push_back(1);
static const unsigned kBlockSize = 16;
uint8 prefix[kBlockSize + 2], fre[kBlockSize], iv[kBlockSize];
crypto::RandBytes(iv, kBlockSize);
memset(fre, 0, sizeof(fre));
ScopedPK11Context aes_context;
CHECK(CreateAESContext(key.data(), key.size(), &aes_context));
PK11_CipherOp(aes_context.get(), fre, &out_len, sizeof(fre), fre,
AES_BLOCK_SIZE);
for (unsigned i = 0; i < 16; i++)
prefix[i] = iv[i] ^ fre[i];
PK11_CipherOp(aes_context.get(), fre, &out_len, sizeof(fre), prefix,
AES_BLOCK_SIZE);
prefix[kBlockSize] = iv[kBlockSize - 2] ^ fre[0];
prefix[kBlockSize + 1] = iv[kBlockSize - 1] ^ fre[1];
packet += ByteString(prefix, sizeof(prefix));
ByteString plaintext_copy = plaintext;
plaintext_copy.push_back(0xd3);
plaintext_copy.push_back(20);
HASHContext* hash_context = HASH_Create(HASH_AlgSHA1);
HASH_Begin(hash_context);
HASH_Update(hash_context, iv, sizeof(iv));
HASH_Update(hash_context, iv + kBlockSize - 2, 2);
HASH_Update(hash_context, plaintext_copy.data(), plaintext_copy.size());
uint8 digest[SHA1_LENGTH];
unsigned num_hash_bytes;
HASH_End(hash_context, digest, &num_hash_bytes, sizeof(digest));
HASH_Destroy(hash_context);
plaintext_copy += ByteString(digest, sizeof(digest));
fre[0] = prefix[kBlockSize];
fre[1] = prefix[kBlockSize+1];
unsigned out_used = 2;
for (size_t i = 0; i < plaintext_copy.size(); i++) {
if (out_used == kBlockSize) {
PK11_CipherOp(aes_context.get(), fre, &out_len, sizeof(fre), fre,
AES_BLOCK_SIZE);
out_used = 0;
}
uint8 c = plaintext_copy[i] ^ fre[out_used];
fre[out_used++] = c;
packet.push_back(c);
}
return MakePacket(kSymmetricallyEncryptedTag, packet);
}
};
}
OpenPGPSymmetricEncrytion::Result OpenPGPSymmetricEncrytion::Decrypt(
base::StringPiece encrypted,
base::StringPiece passphrase,
std::string *out) {
EnsureNSSInit();
Decrypter decrypter;
base::StringPiece result;
Result reader = decrypter.Decrypt(encrypted, passphrase, &result);
if (reader == OK)
*out = result.as_string();
return reader;
}
std::string OpenPGPSymmetricEncrytion::Encrypt(
base::StringPiece plaintext,
base::StringPiece passphrase) {
EnsureNSSInit();
Encrypter::ByteString b =
Encrypter::Encrypt(plaintext, passphrase);
return std::string(reinterpret_cast<const char*>(b.data()), b.size());
}
}