chadliu23 / mozc

Automatically exported from code.google.com/p/mozc

Remove dependencies on external libraries and platform native APIs from mozc::Encryptor #215

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Currently Mozc depends on OpenSSL because Mozc has been using AES256 to encrypt 
user data. However, depending on OpenSSL might not be a good option because:
1. OpenSSL is a gigantic library and supposed to be updated more frequently 
than Mozc itself.
2. The license of OpenSSL is not compatible with at least GPL. This is not a 
problem for Mozc itself, but could be an unpleasant obstacle if a developer 
wants to develop a derivative work of Mozc by combining it with other projects 
that are licensed under GPL.
3. Mozc has been using AES256 for a *casual* encryption of user data, rather 
than a cryptographically critical functionality. To be honest, completely 
stopping doing encryption is an option because a user is still able to use 
system-level encryption, which is better designed and tested.

In r192, I removed dependency on OpenSSL by default. You can still use OpenSSL 
by explicitly specifying GYP_DEFINES="use_legacy_encryptor=1" as of r192 but it 
is supposed to be removed in future releases.

Original issue reported on code.google.com by yukawa@google.com on 17 May 2014 at 2:19

GoogleCodeExporter commented 9 years ago

Original comment by yukawa@google.com on 17 May 2014 at 2:19

GoogleCodeExporter commented 9 years ago
r208 removed the previous implementation. GYP_DEFINES="use_legacy_encryptor=1" 
is no longer supported.

Original comment by yukawa@google.com on 29 May 2014 at 5:31

GoogleCodeExporter commented 9 years ago
tl;dr No behavioral change expected with this effort. User conversion history 
is still obfuscated before and after r192 with the same algorithm (AES-256 in 
CBC mode).

Long version:
What I did in r192 is basically a self-contained reimplementation of 
AES-256-CBC and SHA1, which allows us not to depend on external libraries and 
platform-dependent APIs such as OpenSSL (on OS X, Linux, and NaCl) and 
javax.crypto.Cipher (on Android). Of course, reimplementing a cryptographic 
module is discouraged in general. However, given that mozc::Encryptor is 
originally designed to be a part of *casual* obfuscation functionality rather 
than a cryptographically critical feature, this is sort of acceptable to reduce 
the maintenance cost.

Summary:
Until r192, mozc::Encryptor had depended on the following modules.
  - Windows: Crypt APIs.
  - Mac: OpenSSL
  - Linux: OpenSSL
  - NaCl: OpenSSL
  - Android: javax.crypto.Cipher

Since r192, mozc::Encryptor has depended on the following modules.
  - Windows: Crypt APIs (not for AES-256-CBC and SHA1 but for further OS-level data protection)
  - Mac, Linux, NaCl, Android: None.

Reference:
https://code.google.com/p/mozc/wiki/DataEncryptionAndPasswordManagement

Original comment by yukawa@google.com on 29 May 2014 at 5:34