search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
bump product version to 6.3.0.0.beta1
[LibreOffice.git] / oox / source / crypto / AgileEngine.cxx
blob65482ee4624c5193d5a0e7a982b6f5a69e542814
1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /*
3 * This file is part of the LibreOffice project.
4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
8 *
9 */
10
11 #include <oox/crypto/AgileEngine.hxx>
12
13 #include <oox/helper/binaryinputstream.hxx>
14 #include <oox/helper/binaryoutputstream.hxx>
15
16 #include <sax/tools/converter.hxx>
17
18 #include <comphelper/hash.hxx>
19 #include <comphelper/docpasswordhelper.hxx>
20 #include <comphelper/random.hxx>
21 #include <comphelper/processfactory.hxx>
22 #include <comphelper/base64.hxx>
23 #include <comphelper/sequence.hxx>
24
25 #include <filter/msfilter/mscodec.hxx>
26 #include <tools/stream.hxx>
27 #include <tools/XmlWriter.hxx>
28
29 #include <com/sun/star/io/XSeekable.hpp>
30 #include <com/sun/star/io/XStream.hpp>
31 #include <com/sun/star/uno/XComponentContext.hpp>
32 #include <com/sun/star/xml/sax/XFastParser.hpp>
33 #include <com/sun/star/xml/sax/XFastTokenHandler.hpp>
34 #include <com/sun/star/xml/sax/FastParser.hpp>
35 #include <com/sun/star/xml/sax/FastToken.hpp>
36
37 using namespace css;
38 using namespace css::beans;
39 using namespace css::io;
40 using namespace css::lang;
41 using namespace css::uno;
42 using namespace css::xml::sax;
43 using namespace css::xml;
44
45 namespace oox {
46 namespace core {
47
48 namespace {
49
50 OUString stripNamespacePrefix(OUString const & rsInputName)
51 {
52 return rsInputName.copy(rsInputName.indexOf(":") + 1);
53 }
54
55 class AgileTokenHandler : public cppu::WeakImplHelper<XFastTokenHandler>
56 {
57 public:
58 virtual sal_Int32 SAL_CALL getTokenFromUTF8(const Sequence< sal_Int8 >& /*nIdentifier*/) override
59 {
60 return FastToken::DONTKNOW;
61 }
62
63 virtual Sequence<sal_Int8> SAL_CALL getUTF8Identifier(sal_Int32 /*nToken*/) override
64 {
65 return Sequence<sal_Int8>();
66 }
67 };
68
69 class AgileDocumentHandler : public ::cppu::WeakImplHelper<XFastDocumentHandler>
70 {
71 AgileEncryptionInfo& mInfo;
72
73 public:
74 explicit AgileDocumentHandler(AgileEncryptionInfo& rInfo) :
75 mInfo(rInfo)
76 {}
77
78 void SAL_CALL startDocument() override {}
79 void SAL_CALL endDocument() override {}
80 void SAL_CALL processingInstruction( const OUString& /*rTarget*/, const OUString& /*rData*/ ) override {}
81 void SAL_CALL setDocumentLocator( const Reference< XLocator >& /*xLocator*/ ) override {}
82 void SAL_CALL startFastElement( sal_Int32 /*Element*/, const Reference< XFastAttributeList >& /*Attribs*/ ) override {}
83
84 void SAL_CALL startUnknownElement( const OUString& /*aNamespace*/, const OUString& rName, const Reference< XFastAttributeList >& aAttributeList ) override
85 {
86 const OUString& rLocalName = stripNamespacePrefix(rName);
87
88 for (const Attribute& rAttribute : aAttributeList->getUnknownAttributes())
89 {
90 const OUString& rAttrLocalName = stripNamespacePrefix(rAttribute.Name);
91
92 if (rAttrLocalName == "spinCount")
93 {
94 ::sax::Converter::convertNumber(mInfo.spinCount, rAttribute.Value);
95 }
96 else if (rAttrLocalName == "saltSize")
97 {
98 ::sax::Converter::convertNumber(mInfo.saltSize, rAttribute.Value);
99 }
100 else if (rAttrLocalName == "blockSize")
101 {
102 ::sax::Converter::convertNumber(mInfo.blockSize, rAttribute.Value);
103 }
104 else if (rAttrLocalName == "keyBits")
105 {
106 ::sax::Converter::convertNumber(mInfo.keyBits, rAttribute.Value);
107 }
108 else if (rAttrLocalName == "hashSize")
109 {
110 ::sax::Converter::convertNumber(mInfo.hashSize, rAttribute.Value);
111 }
112 else if (rAttrLocalName == "cipherAlgorithm")
113 {
114 mInfo.cipherAlgorithm = rAttribute.Value;
115 }
116 else if (rAttrLocalName == "cipherChaining")
117 {
118 mInfo.cipherChaining = rAttribute.Value;
119 }
120 else if (rAttrLocalName == "hashAlgorithm")
121 {
122 mInfo.hashAlgorithm = rAttribute.Value;
123 }
124 else if (rAttrLocalName == "saltValue")
125 {
126 Sequence<sal_Int8> saltValue;
127 comphelper::Base64::decode(saltValue, rAttribute.Value);
128 if (rLocalName == "encryptedKey")
129 mInfo.saltValue = comphelper::sequenceToContainer<std::vector<sal_uInt8>>(saltValue);
130 else if (rLocalName == "keyData")
131 mInfo.keyDataSalt = comphelper::sequenceToContainer<std::vector<sal_uInt8>>(saltValue);
132 }
133 else if (rAttrLocalName == "encryptedVerifierHashInput")
134 {
135 Sequence<sal_Int8> encryptedVerifierHashInput;
136 comphelper::Base64::decode(encryptedVerifierHashInput, rAttribute.Value);
137 mInfo.encryptedVerifierHashInput = comphelper::sequenceToContainer<std::vector<sal_uInt8>>(encryptedVerifierHashInput);
138 }
139 else if (rAttrLocalName == "encryptedVerifierHashValue")
140 {
141 Sequence<sal_Int8> encryptedVerifierHashValue;
142 comphelper::Base64::decode(encryptedVerifierHashValue, rAttribute.Value);
143 mInfo.encryptedVerifierHashValue = comphelper::sequenceToContainer<std::vector<sal_uInt8>>(encryptedVerifierHashValue);
144 }
145 else if (rAttrLocalName == "encryptedKeyValue")
146 {
147 Sequence<sal_Int8> encryptedKeyValue;
148 comphelper::Base64::decode(encryptedKeyValue, rAttribute.Value);
149 mInfo.encryptedKeyValue = comphelper::sequenceToContainer<std::vector<sal_uInt8>>(encryptedKeyValue);
150 }
151 if (rAttrLocalName == "encryptedHmacKey")
152 {
153 Sequence<sal_Int8> aValue;
154 comphelper::Base64::decode(aValue, rAttribute.Value);
155 mInfo.hmacEncryptedKey = comphelper::sequenceToContainer<std::vector<sal_uInt8>>(aValue);
156 }
157 if (rAttrLocalName == "encryptedHmacValue")
158 {
159 Sequence<sal_Int8> aValue;
160 comphelper::Base64::decode(aValue, rAttribute.Value);
161 mInfo.hmacEncryptedValue = comphelper::sequenceToContainer<std::vector<sal_uInt8>>(aValue);
162 }
163 }
164 }
165
166 void SAL_CALL endFastElement( sal_Int32 /*aElement*/ ) override
167 {}
168 void SAL_CALL endUnknownElement( const OUString& /*aNamespace*/, const OUString& /*aName*/ ) override
169 {}
170
171 Reference< XFastContextHandler > SAL_CALL createFastChildContext( sal_Int32 /*aElement*/, const Reference< XFastAttributeList >& /*aAttribs*/ ) override
172 {
173 return nullptr;
174 }
175
176 Reference< XFastContextHandler > SAL_CALL createUnknownChildContext( const OUString& /*aNamespace*/, const OUString& /*aName*/, const Reference< XFastAttributeList >& /*aAttribs*/ ) override
177 {
178 return this;
179 }
180
181 void SAL_CALL characters( const OUString& /*aChars*/ ) override
182 {}
183 };
184
185 constexpr const sal_uInt32 constSegmentLength = 4096;
186
187 static const std::vector<sal_uInt8> constBlock1 { 0xfe, 0xa7, 0xd2, 0x76, 0x3b, 0x4b, 0x9e, 0x79 };
188 static const std::vector<sal_uInt8> constBlock2 { 0xd7, 0xaa, 0x0f, 0x6d, 0x30, 0x61, 0x34, 0x4e };
189 static const std::vector<sal_uInt8> constBlock3 { 0x14, 0x6e, 0x0b, 0xe7, 0xab, 0xac, 0xd0, 0xd6 };
190 static const std::vector<sal_uInt8> constBlockHmac1 { 0x5f, 0xb2, 0xad, 0x01, 0x0c, 0xb9, 0xe1, 0xf6 };
191 static const std::vector<sal_uInt8> constBlockHmac2 { 0xa0, 0x67, 0x7f, 0x02, 0xb2, 0x2c, 0x84, 0x33 };
192
193 bool hashCalc(std::vector<sal_uInt8>& output,
194 std::vector<sal_uInt8>& input,
195 const OUString& sAlgorithm )
196 {
197 if (sAlgorithm == "SHA1")
198 {
199 std::vector<unsigned char> out = comphelper::Hash::calculateHash(input.data(), input.size(), comphelper::HashType::SHA1);
200 output = out;
201 return true;
202 }
203 else if (sAlgorithm == "SHA512")
204 {
205 std::vector<unsigned char> out = comphelper::Hash::calculateHash(input.data(), input.size(), comphelper::HashType::SHA512);
206 output = out;
207 return true;
208 }
209 return false;
210 }
211
212 CryptoHashType cryptoHashTypeFromString(OUString const & sAlgorithm)
213 {
214 if (sAlgorithm == "SHA512")
215 return CryptoHashType::SHA512;
216 return CryptoHashType::SHA1;
217 }
218
219 } // namespace
220
221 AgileEngine::AgileEngine()
222 : meEncryptionPreset(AgileEncryptionPreset::AES_256_SHA512)
223 {}
224
225 Crypto::CryptoType AgileEngine::cryptoType(const AgileEncryptionInfo& rInfo)
226 {
227 if (rInfo.keyBits == 128 && rInfo.cipherAlgorithm == "AES" && rInfo.cipherChaining == "ChainingModeCBC")
228 return Crypto::AES_128_CBC;
229 else if (rInfo.keyBits == 256 && rInfo.cipherAlgorithm == "AES" && rInfo.cipherChaining == "ChainingModeCBC")
230 return Crypto::AES_256_CBC;
231 return Crypto::UNKNOWN;
232 }
233
234 static std::vector<sal_uInt8> calculateIV(comphelper::HashType eType,
235 std::vector<sal_uInt8> const & rSalt,
236 std::vector<sal_uInt8> const & rBlock,
237 sal_Int32 nCipherBlockSize)
238 {
239 comphelper::Hash aHasher(eType);
240 aHasher.update(rSalt.data(), rSalt.size());
241 aHasher.update(rBlock.data(), rBlock.size());
242 std::vector<sal_uInt8> aIV = aHasher.finalize();
243 aIV.resize(roundUp(sal_Int32(aIV.size()), nCipherBlockSize), 0x36);
244 return aIV;
245 }
246
247 void AgileEngine::calculateBlock(
248 std::vector<sal_uInt8> const & rBlock,
249 std::vector<sal_uInt8>& rHashFinal,
250 std::vector<sal_uInt8>& rInput,
251 std::vector<sal_uInt8>& rOutput)
252 {
253 std::vector<sal_uInt8> hash(mInfo.hashSize, 0);
254 std::vector<sal_uInt8> dataFinal(mInfo.hashSize + rBlock.size(), 0);
255 std::copy(rHashFinal.begin(), rHashFinal.end(), dataFinal.begin());
256 std::copy(rBlock.begin(), rBlock.end(), dataFinal.begin() + mInfo.hashSize);
257
258 hashCalc(hash, dataFinal, mInfo.hashAlgorithm);
259
260 sal_Int32 keySize = mInfo.keyBits / 8;
261 std::vector<sal_uInt8> key(keySize, 0);
262
263 std::copy(hash.begin(), hash.begin() + keySize, key.begin());
264
265 Decrypt aDecryptor(key, mInfo.saltValue, cryptoType(mInfo));
266 aDecryptor.update(rOutput, rInput);
267 }
268
269 void AgileEngine::encryptBlock(
270 std::vector<sal_uInt8> const & rBlock,
271 std::vector<sal_uInt8> & rHashFinal,
272 std::vector<sal_uInt8> & rInput,
273 std::vector<sal_uInt8> & rOutput)
274 {
275 std::vector<sal_uInt8> hash(mInfo.hashSize, 0);
276 std::vector<sal_uInt8> dataFinal(mInfo.hashSize + rBlock.size(), 0);
277 std::copy(rHashFinal.begin(), rHashFinal.end(), dataFinal.begin());
278 std::copy(rBlock.begin(), rBlock.end(), dataFinal.begin() + mInfo.hashSize);
279
280 hashCalc(hash, dataFinal, mInfo.hashAlgorithm);
281
282 sal_Int32 keySize = mInfo.keyBits / 8;
283 std::vector<sal_uInt8> key(keySize, 0);
284
285 std::copy(hash.begin(), hash.begin() + keySize, key.begin());
286
287 Encrypt aEncryptor(key, mInfo.saltValue, cryptoType(mInfo));
288
289 aEncryptor.update(rOutput, rInput);
290 }
291
292 void AgileEngine::calculateHashFinal(const OUString& rPassword, std::vector<sal_uInt8>& aHashFinal)
293 {
294 aHashFinal = comphelper::DocPasswordHelper::GetOoxHashAsVector(
295 rPassword, mInfo.saltValue, mInfo.spinCount,
296 comphelper::Hash::IterCount::PREPEND, mInfo.hashAlgorithm);
297 }
298
299 namespace
300 {
301
302 bool generateBytes(std::vector<sal_uInt8> & rBytes, sal_Int32 nSize)
303 {
304 size_t nMax = std::min(rBytes.size(), size_t(nSize));
305
306 for (size_t i = 0; i < nMax; ++i)
307 {
308 rBytes[i] = sal_uInt8(comphelper::rng::uniform_uint_distribution(0, 0xFF));
309 }
310
311 return true;
312 }
313
314 } // end anonymous namespace
315
316 bool AgileEngine::decryptAndCheckVerifierHash(OUString const & rPassword)
317 {
318 std::vector<sal_uInt8> hashFinal(mInfo.hashSize, 0);
319 calculateHashFinal(rPassword, hashFinal);
320
321 std::vector<sal_uInt8>& encryptedHashInput = mInfo.encryptedVerifierHashInput;
322 std::vector<sal_uInt8> hashInput(mInfo.saltSize, 0);
323 calculateBlock(constBlock1, hashFinal, encryptedHashInput, hashInput);
324
325 std::vector<sal_uInt8>& encryptedHashValue = mInfo.encryptedVerifierHashValue;
326 std::vector<sal_uInt8> hashValue(encryptedHashValue.size(), 0);
327 calculateBlock(constBlock2, hashFinal, encryptedHashValue, hashValue);
328
329 std::vector<sal_uInt8> hash(mInfo.hashSize, 0);
330 hashCalc(hash, hashInput, mInfo.hashAlgorithm);
331
332 return (hash.size() <= hashValue.size() && std::equal(hash.begin(), hash.end(), hashValue.begin()));
333 }
334
335 void AgileEngine::decryptEncryptionKey(OUString const & rPassword)
336 {
337 sal_Int32 nKeySize = mInfo.keyBits / 8;
338
339 mKey.clear();
340 mKey.resize(nKeySize, 0);
341
342 std::vector<sal_uInt8> aPasswordHash(mInfo.hashSize, 0);
343 calculateHashFinal(rPassword, aPasswordHash);
344
345 calculateBlock(constBlock3, aPasswordHash, mInfo.encryptedKeyValue, mKey);
346 }
347
348 // TODO: Rename
349 bool AgileEngine::generateEncryptionKey(OUString const & rPassword)
350 {
351 bool bResult = decryptAndCheckVerifierHash(rPassword);
352
353 if (bResult)
354 {
355 decryptEncryptionKey(rPassword);
356 decryptHmacKey();
357 decryptHmacValue();
358 }
359 return bResult;
360 }
361
362 bool AgileEngine::decryptHmacKey()
363 {
364 // Initialize hmacKey
365 mInfo.hmacKey.clear();
366 mInfo.hmacKey.resize(mInfo.hmacEncryptedKey.size(), 0);
367
368 // Calculate IV
369 comphelper::HashType eType;
370 if (mInfo.hashAlgorithm == "SHA1")
371 eType = comphelper::HashType::SHA1;
372 else if (mInfo.hashAlgorithm == "SHA512")
373 eType = comphelper::HashType::SHA512;
374 else
375 return false;
376
377 std::vector<sal_uInt8> iv = calculateIV(eType, mInfo.keyDataSalt, constBlockHmac1, mInfo.blockSize);
378
379 // Decrypt with out key, calculated iv
380 Decrypt aDecrypt(mKey, iv, cryptoType(mInfo));
381 aDecrypt.update(mInfo.hmacKey, mInfo.hmacEncryptedKey);
382
383 mInfo.hmacKey.resize(mInfo.hashSize, 0);
384
385 return true;
386 }
387
388 bool AgileEngine::decryptHmacValue()
389 {
390 // Initialize hmacHash
391 mInfo.hmacHash.clear();
392 mInfo.hmacHash.resize(mInfo.hmacEncryptedValue.size(), 0);
393
394 // Calculate IV
395 comphelper::HashType eType;
396 if (mInfo.hashAlgorithm == "SHA1")
397 eType = comphelper::HashType::SHA1;
398 else if (mInfo.hashAlgorithm == "SHA512")
399 eType = comphelper::HashType::SHA512;
400 else
401 return false;
402 std::vector<sal_uInt8> iv = calculateIV(eType, mInfo.keyDataSalt, constBlockHmac2, mInfo.blockSize);
403
404 // Decrypt with out key, calculated iv
405 Decrypt aDecrypt(mKey, iv, cryptoType(mInfo));
406 aDecrypt.update(mInfo.hmacHash, mInfo.hmacEncryptedValue);
407
408 mInfo.hmacHash.resize(mInfo.hashSize, 0);
409
410 return true;
411 }
412
413 bool AgileEngine::checkDataIntegrity()
414 {
415 bool bResult = (mInfo.hmacHash.size() == mInfo.hmacCalculatedHash.size() &&
416 std::equal(mInfo.hmacHash.begin(), mInfo.hmacHash.end(), mInfo.hmacCalculatedHash.begin()));
417
418 return bResult;
419 }
420
421 bool AgileEngine::decrypt(BinaryXInputStream& aInputStream,
422 BinaryXOutputStream& aOutputStream)
423 {
424 CryptoHash aCryptoHash(mInfo.hmacKey, cryptoHashTypeFromString(mInfo.hashAlgorithm));
425
426 sal_uInt32 totalSize = aInputStream.readuInt32(); // Document unencrypted size - 4 bytes
427 // account for size in HMAC
428 std::vector<sal_uInt8> aSizeBytes(sizeof(sal_uInt32));
429 ByteOrderConverter::writeLittleEndian(aSizeBytes.data(), totalSize);
430 aCryptoHash.update(aSizeBytes);
431
432 aInputStream.skip(4); // Reserved 4 Bytes
433 // account for reserved 4 bytes (must be 0)
434 std::vector<sal_uInt8> aReserved{0,0,0,0};
435 aCryptoHash.update(aReserved);
436
437 // setup decryption
438 std::vector<sal_uInt8>& keyDataSalt = mInfo.keyDataSalt;
439
440 sal_uInt32 saltSize = mInfo.saltSize;
441 sal_uInt32 keySize = mInfo.keyBits / 8;
442
443 sal_uInt32 segment = 0;
444
445 std::vector<sal_uInt8> saltWithBlockKey(saltSize + sizeof(segment), 0);
446 std::copy(keyDataSalt.begin(), keyDataSalt.end(), saltWithBlockKey.begin());
447
448 std::vector<sal_uInt8> hash(mInfo.hashSize, 0);
449 std::vector<sal_uInt8> iv(keySize, 0);
450
451 std::vector<sal_uInt8> inputBuffer(constSegmentLength);
452 std::vector<sal_uInt8> outputBuffer(constSegmentLength);
453 sal_uInt32 inputLength;
454 sal_uInt32 outputLength;
455 sal_uInt32 remaining = totalSize;
456
457 while ((inputLength = aInputStream.readMemory(inputBuffer.data(), inputBuffer.size())) > 0)
458 {
459 sal_uInt8* segmentBegin = reinterpret_cast<sal_uInt8*>(&segment);
460 sal_uInt8* segmentEnd = segmentBegin + sizeof(segment);
461 std::copy(segmentBegin, segmentEnd, saltWithBlockKey.begin() + saltSize);
462
463 hashCalc(hash, saltWithBlockKey, mInfo.hashAlgorithm);
464
465 // Only if hash > keySize
466 std::copy(hash.begin(), hash.begin() + keySize, iv.begin());
467
468 Decrypt aDecryptor(mKey, iv, AgileEngine::cryptoType(mInfo));
469 outputLength = aDecryptor.update(outputBuffer, inputBuffer, inputLength);
470
471 sal_uInt32 writeLength = std::min(outputLength, remaining);
472
473 aCryptoHash.update(inputBuffer, inputLength);
474
475 aOutputStream.writeMemory(outputBuffer.data(), writeLength);
476
477 remaining -= outputLength;
478 segment++;
479 }
480
481 mInfo.hmacCalculatedHash = aCryptoHash.finalize();
482
483 return true;
484 }
485
486 bool AgileEngine::readEncryptionInfo(uno::Reference<io::XInputStream> & rxInputStream)
487 {
488 // Check reserved value
489 std::vector<sal_uInt8> aExpectedReservedBytes(sizeof(sal_uInt32));
490 ByteOrderConverter::writeLittleEndian(aExpectedReservedBytes.data(), msfilter::AGILE_ENCRYPTION_RESERVED);
491
492 uno::Sequence<sal_Int8> aReadReservedBytes(sizeof(sal_uInt32));
493 rxInputStream->readBytes(aReadReservedBytes, aReadReservedBytes.getLength());
494
495 if (!std::equal(aReadReservedBytes.begin(), aReadReservedBytes.end(), aExpectedReservedBytes.begin()))
496 return false;
497
498 mInfo.spinCount = 0;
499 mInfo.saltSize = 0;
500 mInfo.keyBits = 0;
501 mInfo.hashSize = 0;
502 mInfo.blockSize = 0;
503
504 Reference<XFastDocumentHandler> xFastDocumentHandler(new AgileDocumentHandler(mInfo));
505 Reference<XFastTokenHandler> xFastTokenHandler(new AgileTokenHandler);
506
507 Reference<XFastParser> xParser(css::xml::sax::FastParser::create(comphelper::getProcessComponentContext()));
508
509 xParser->setFastDocumentHandler(xFastDocumentHandler);
510 xParser->setTokenHandler(xFastTokenHandler);
511
512 InputSource aInputSource;
513 aInputSource.aInputStream = rxInputStream;
514 xParser->parseStream(aInputSource);
515
516 // CHECK info data
517 if (2 > mInfo.blockSize || mInfo.blockSize > 4096)
518 return false;
519
520 if (0 > mInfo.spinCount || mInfo.spinCount > 10000000)
521 return false;
522
523 if (1 > mInfo.saltSize|| mInfo.saltSize > 65536) // Check
524 return false;
525
526 // AES 128 CBC with SHA1
527 if (mInfo.keyBits == 128 &&
528 mInfo.cipherAlgorithm == "AES" &&
529 mInfo.cipherChaining == "ChainingModeCBC" &&
530 mInfo.hashAlgorithm == "SHA1" &&
531 mInfo.hashSize == msfilter::SHA1_HASH_LENGTH)
532 {
533 return true;
534 }
535
536 // AES 256 CBC with SHA512
537 if (mInfo.keyBits == 256 &&
538 mInfo.cipherAlgorithm == "AES" &&
539 mInfo.cipherChaining == "ChainingModeCBC" &&
540 mInfo.hashAlgorithm == "SHA512" &&
541 mInfo.hashSize == msfilter::SHA512_HASH_LENGTH)
542 {
543 return true;
544 }
545
546 return false;
547 }
548
549 bool AgileEngine::generateAndEncryptVerifierHash(OUString const & rPassword)
550 {
551 if (!generateBytes(mInfo.saltValue, mInfo.saltSize))
552 return false;
553
554 std::vector<sal_uInt8> unencryptedVerifierHashInput(mInfo.saltSize);
555 if (!generateBytes(unencryptedVerifierHashInput, mInfo.saltSize))
556 return false;
557
558 // HASH - needs to be modified to be multiple of block size
559 sal_Int32 nVerifierHash = roundUp(mInfo.hashSize, mInfo.blockSize);
560 std::vector<sal_uInt8> unencryptedVerifierHashValue;
561 if (!hashCalc(unencryptedVerifierHashValue, unencryptedVerifierHashInput, mInfo.hashAlgorithm))
562 return false;
563 unencryptedVerifierHashValue.resize(nVerifierHash, 0);
564
565 std::vector<sal_uInt8> hashFinal(mInfo.hashSize, 0);
566 calculateHashFinal(rPassword, hashFinal);
567
568 encryptBlock(constBlock1, hashFinal, unencryptedVerifierHashInput, mInfo.encryptedVerifierHashInput);
569
570 encryptBlock(constBlock2, hashFinal, unencryptedVerifierHashValue, mInfo.encryptedVerifierHashValue);
571
572 return true;
573 }
574
575 bool AgileEngine::encryptHmacKey()
576 {
577 // Initialize hmacKey
578 mInfo.hmacKey.clear();
579 mInfo.hmacKey.resize(mInfo.hashSize, 0);
580
581 if (!generateBytes(mInfo.hmacKey, mInfo.hashSize))
582 return false;
583
584 // Encrypted salt must be multiple of block size
585 sal_Int32 nEncryptedSaltSize = oox::core::roundUp(mInfo.hashSize, mInfo.blockSize);
586
587 // We need to extend hmacSalt to multiple of block size, padding with 0x36
588 std::vector<sal_uInt8> extendedSalt(mInfo.hmacKey);
589 extendedSalt.resize(nEncryptedSaltSize, 0x36);
590
591 // Initialize hmacEncryptedKey
592 mInfo.hmacEncryptedKey.clear();
593 mInfo.hmacEncryptedKey.resize(nEncryptedSaltSize, 0);
594
595 // Calculate IV
596 comphelper::HashType eType;
597 if (mInfo.hashAlgorithm == "SHA1")
598 eType = comphelper::HashType::SHA1;
599 else if (mInfo.hashAlgorithm == "SHA512")
600 eType = comphelper::HashType::SHA512;
601 else
602 return false;
603
604 std::vector<sal_uInt8> iv = calculateIV(eType, mInfo.keyDataSalt, constBlockHmac1, mInfo.blockSize);
605
606 // Encrypt with out key, calculated iv
607 Encrypt aEncryptor(mKey, iv, cryptoType(mInfo));
608 aEncryptor.update(mInfo.hmacEncryptedKey, extendedSalt);
609
610 return true;
611 }
612
613 bool AgileEngine::encryptHmacValue()
614 {
615 sal_Int32 nEncryptedValueSize = roundUp(mInfo.hashSize, mInfo.blockSize);
616 mInfo.hmacEncryptedValue.clear();
617 mInfo.hmacEncryptedValue.resize(nEncryptedValueSize, 0);
618
619 std::vector<sal_uInt8> extendedHash(mInfo.hmacHash);
620 extendedHash.resize(nEncryptedValueSize, 0x36);
621
622 // Calculate IV
623 comphelper::HashType eType;
624 if (mInfo.hashAlgorithm == "SHA1")
625 eType = comphelper::HashType::SHA1;
626 else if (mInfo.hashAlgorithm == "SHA512")
627 eType = comphelper::HashType::SHA512;
628 else
629 return false;
630
631 std::vector<sal_uInt8> iv = calculateIV(eType, mInfo.keyDataSalt, constBlockHmac2, mInfo.blockSize);
632
633 // Encrypt with out key, calculated iv
634 Encrypt aEncryptor(mKey, iv, cryptoType(mInfo));
635 aEncryptor.update(mInfo.hmacEncryptedValue, extendedHash);
636
637 return true;
638 }
639
640 bool AgileEngine::encryptEncryptionKey(OUString const & rPassword)
641 {
642 sal_Int32 nKeySize = mInfo.keyBits / 8;
643
644 mKey.clear();
645 mKey.resize(nKeySize, 0);
646
647 mInfo.encryptedKeyValue.clear();
648 mInfo.encryptedKeyValue.resize(nKeySize, 0);
649
650 if (!generateBytes(mKey, nKeySize))
651 return false;
652
653 std::vector<sal_uInt8> aPasswordHash(mInfo.hashSize, 0);
654 calculateHashFinal(rPassword, aPasswordHash);
655
656 encryptBlock(constBlock3, aPasswordHash, mKey, mInfo.encryptedKeyValue);
657
658 return true;
659 }
660
661 bool AgileEngine::setupEncryption(OUString const & rPassword)
662 {
663 if (meEncryptionPreset == AgileEncryptionPreset::AES_128_SHA1)
664 setupEncryptionParameters({ 100000, 16, 128, 20, 16, OUString("AES"), OUString("ChainingModeCBC"), OUString("SHA1") });
665 else
666 setupEncryptionParameters({ 100000, 16, 256, 64, 16, OUString("AES"), OUString("ChainingModeCBC"), OUString("SHA512") });
667
668 return setupEncryptionKey(rPassword);
669 }
670
671 void AgileEngine::setupEncryptionParameters(AgileEncryptionParameters const & rAgileEncryptionParameters)
672 {
673 mInfo.spinCount = rAgileEncryptionParameters.spinCount;
674 mInfo.saltSize = rAgileEncryptionParameters.saltSize;
675 mInfo.keyBits = rAgileEncryptionParameters.keyBits;
676 mInfo.hashSize = rAgileEncryptionParameters.hashSize;
677 mInfo.blockSize = rAgileEncryptionParameters.blockSize;
678
679 mInfo.cipherAlgorithm = rAgileEncryptionParameters.cipherAlgorithm;
680 mInfo.cipherChaining = rAgileEncryptionParameters.cipherChaining;
681 mInfo.hashAlgorithm = rAgileEncryptionParameters.hashAlgorithm;
682
683 mInfo.keyDataSalt.resize(mInfo.saltSize);
684 mInfo.saltValue.resize(mInfo.saltSize);
685 mInfo.encryptedVerifierHashInput.resize(mInfo.saltSize);
686 mInfo.encryptedVerifierHashValue.resize(roundUp(mInfo.hashSize, mInfo.blockSize), 0);
687 }
688
689 bool AgileEngine::setupEncryptionKey(OUString const & rPassword)
690 {
691 if (!generateAndEncryptVerifierHash(rPassword))
692 return false;
693 if (!encryptEncryptionKey(rPassword))
694 return false;
695 if (!generateBytes(mInfo.keyDataSalt, mInfo.saltSize))
696 return false;
697 if (!encryptHmacKey())
698 return false;
699 return true;
700 }
701
702 void AgileEngine::writeEncryptionInfo(BinaryXOutputStream & rStream)
703 {
704 rStream.WriteUInt32(msfilter::VERSION_INFO_AGILE);
705 rStream.WriteUInt32(msfilter::AGILE_ENCRYPTION_RESERVED);
706
707 SvMemoryStream aMemStream;
708 tools::XmlWriter aXmlWriter(&aMemStream);
709
710 if (aXmlWriter.startDocument(0/*nIndent*/))
711 {
712 aXmlWriter.startElement("", "encryption", "http://schemas.microsoft.com/office/2006/encryption");
713 aXmlWriter.attribute("xmlns:p", OString("http://schemas.microsoft.com/office/2006/keyEncryptor/password"));
714
715 aXmlWriter.startElement("keyData");
716 aXmlWriter.attribute("saltSize", mInfo.saltSize);
717 aXmlWriter.attribute("blockSize", mInfo.blockSize);
718 aXmlWriter.attribute("keyBits", mInfo.keyBits);
719 aXmlWriter.attribute("hashSize", mInfo.hashSize);
720 aXmlWriter.attribute("cipherAlgorithm", mInfo.cipherAlgorithm);
721 aXmlWriter.attribute("cipherChaining", mInfo.cipherChaining);
722 aXmlWriter.attribute("hashAlgorithm", mInfo.hashAlgorithm);
723 aXmlWriter.attributeBase64("saltValue", mInfo.keyDataSalt);
724 aXmlWriter.endElement();
725
726 aXmlWriter.startElement("dataIntegrity");
727 aXmlWriter.attributeBase64("encryptedHmacKey", mInfo.hmacEncryptedKey);
728 aXmlWriter.attributeBase64("encryptedHmacValue", mInfo.hmacEncryptedValue);
729 aXmlWriter.endElement();
730
731 aXmlWriter.startElement("keyEncryptors");
732 aXmlWriter.startElement("keyEncryptor");
733 aXmlWriter.attribute("uri", OString("http://schemas.microsoft.com/office/2006/keyEncryptor/password"));
734
735 aXmlWriter.startElement("p", "encryptedKey", "");
736 aXmlWriter.attribute("spinCount", mInfo.spinCount);
737 aXmlWriter.attribute("saltSize", mInfo.saltSize);
738 aXmlWriter.attribute("blockSize", mInfo.blockSize);
739 aXmlWriter.attribute("keyBits", mInfo.keyBits);
740 aXmlWriter.attribute("hashSize", mInfo.hashSize);
741 aXmlWriter.attribute("cipherAlgorithm", mInfo.cipherAlgorithm);
742 aXmlWriter.attribute("cipherChaining", mInfo.cipherChaining);
743 aXmlWriter.attribute("hashAlgorithm", mInfo.hashAlgorithm);
744 aXmlWriter.attributeBase64("saltValue", mInfo.saltValue);
745 aXmlWriter.attributeBase64("encryptedVerifierHashInput", mInfo.encryptedVerifierHashInput);
746 aXmlWriter.attributeBase64("encryptedVerifierHashValue", mInfo.encryptedVerifierHashValue);
747 aXmlWriter.attributeBase64("encryptedKeyValue", mInfo.encryptedKeyValue);
748 aXmlWriter.endElement();
749
750 aXmlWriter.endElement();
751 aXmlWriter.endElement();
752
753 aXmlWriter.endElement();
754 aXmlWriter.endDocument();
755 }
756 rStream.writeMemory(aMemStream.GetData(), aMemStream.GetSize());
757 }
758
759 void AgileEngine::encrypt(css::uno::Reference<css::io::XInputStream> & rxInputStream,
760 css::uno::Reference<css::io::XOutputStream> & rxOutputStream,
761 sal_uInt32 nSize)
762 {
763 CryptoHash aCryptoHash(mInfo.hmacKey, cryptoHashTypeFromString(mInfo.hashAlgorithm));
764
765 BinaryXOutputStream aBinaryOutputStream(rxOutputStream, false);
766 BinaryXInputStream aBinaryInputStream(rxInputStream, false);
767
768 std::vector<sal_uInt8> aSizeBytes(sizeof(sal_uInt32));
769 ByteOrderConverter::writeLittleEndian(aSizeBytes.data(), nSize);
770 aBinaryOutputStream.writeMemory(aSizeBytes.data(), aSizeBytes.size()); // size
771 aCryptoHash.update(aSizeBytes, aSizeBytes.size());
772
773 std::vector<sal_uInt8> aNull{0,0,0,0};
774 aBinaryOutputStream.writeMemory(aNull.data(), aNull.size()); // reserved
775 aCryptoHash.update(aNull, aNull.size());
776
777 std::vector<sal_uInt8>& keyDataSalt = mInfo.keyDataSalt;
778
779 sal_uInt32 saltSize = mInfo.saltSize;
780 sal_uInt32 keySize = mInfo.keyBits / 8;
781
782 sal_uInt32 nSegment = 0;
783 sal_uInt32 nSegmentByteSize = sizeof(nSegment);
784
785 std::vector<sal_uInt8> saltWithBlockKey(saltSize + nSegmentByteSize, 0);
786 std::copy(keyDataSalt.begin(), keyDataSalt.end(), saltWithBlockKey.begin());
787
788 std::vector<sal_uInt8> hash(mInfo.hashSize, 0);
789 std::vector<sal_uInt8> iv(keySize, 0);
790
791 std::vector<sal_uInt8> inputBuffer(constSegmentLength);
792 std::vector<sal_uInt8> outputBuffer(constSegmentLength);
793 sal_uInt32 inputLength;
794 sal_uInt32 outputLength;
795
796 while ((inputLength = aBinaryInputStream.readMemory(inputBuffer.data(), inputBuffer.size())) > 0)
797 {
798 sal_uInt32 correctedInputLength = inputLength % mInfo.blockSize == 0 ?
799 inputLength : oox::core::roundUp(inputLength, sal_uInt32(mInfo.blockSize));
800
801 // Update Key
802 sal_uInt8* segmentBegin = reinterpret_cast<sal_uInt8*>(&nSegment);
803 sal_uInt8* segmentEnd = segmentBegin + nSegmentByteSize;
804 std::copy(segmentBegin, segmentEnd, saltWithBlockKey.begin() + saltSize);
805
806 hashCalc(hash, saltWithBlockKey, mInfo.hashAlgorithm);
807
808 // Only if hash > keySize
809 std::copy(hash.begin(), hash.begin() + keySize, iv.begin());
810
811 Encrypt aEncryptor(mKey, iv, AgileEngine::cryptoType(mInfo));
812 outputLength = aEncryptor.update(outputBuffer, inputBuffer, correctedInputLength);
813 aBinaryOutputStream.writeMemory(outputBuffer.data(), outputLength);
814 aCryptoHash.update(outputBuffer, outputLength);
815
816 nSegment++;
817 }
818 mInfo.hmacHash = aCryptoHash.finalize();
819 encryptHmacValue();
820 }
821
822 } // namespace core
823 } // namespace oox
824
825 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
FREE OFFICE SUITE