xmlsecurity/source/xmlsec/nss/ciphercontext.cxx

   1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
   2 /*
   3  * This file is part of the LibreOffice project.
   4  *
   5  * This Source Code Form is subject to the terms of the Mozilla Public
   6  * License, v. 2.0. If a copy of the MPL was not distributed with this
   7  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
   8  *
   9  * This file incorporates work covered by the following license notice:
  10  *
  11  *   Licensed to the Apache Software Foundation (ASF) under one or more
  12  *   contributor license agreements. See the NOTICE file distributed
  13  *   with this work for additional information regarding copyright
  14  *   ownership. The ASF licenses this file to you under the Apache
  15  *   License, Version 2.0 (the "License"); you may not use this file
  16  *   except in compliance with the License. You may obtain a copy of
  17  *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
  18  */
  19
  20 #include <sal/config.h>
  21
  22 #include <com/sun/star/lang/DisposedException.hpp>
  23 #include <osl/diagnose.h>
  24 #include <rtl/random.h>
  25 #include <rtl/ref.hxx>
  26
  27 #include "ciphercontext.hxx"
  28 #include <pk11pub.h>
  29
  30 using namespace ::com::sun::star;
  31
  32 uno::Reference< xml::crypto::XCipherContext > OCipherContext::Create( CK_MECHANISM_TYPE nNSSCipherID, const uno::Sequence< ::sal_Int8 >& aKey, const uno::Sequence< ::sal_Int8 >& aInitializationVector, bool bEncryption, bool bW3CPadding )
  33 {
  34     ::rtl::Reference< OCipherContext > xResult = new OCipherContext;
  35
  36     xResult->m_pSlot = PK11_GetBestSlot( nNSSCipherID, nullptr );
  37     if ( xResult->m_pSlot )
  38     {
  39         SECItem aKeyItem = { siBuffer, const_cast< unsigned char* >( reinterpret_cast< const unsigned char* >( aKey.getConstArray() ) ), sal::static_int_cast<unsigned>( aKey.getLength() ) };
  40         xResult->m_pSymKey = PK11_ImportSymKey( xResult->m_pSlot, nNSSCipherID, PK11_OriginDerive, bEncryption ? CKA_ENCRYPT : CKA_DECRYPT, &aKeyItem, nullptr );
  41         if ( xResult->m_pSymKey )
  42         {
  43             SECItem aIVItem = { siBuffer, const_cast< unsigned char* >( reinterpret_cast< const unsigned char* >( aInitializationVector.getConstArray() ) ), sal::static_int_cast<unsigned>( aInitializationVector.getLength() ) };
  44             xResult->m_pSecParam = PK11_ParamFromIV( nNSSCipherID, &aIVItem );
  45             if ( xResult->m_pSecParam )
  46             {
  47                 xResult->m_pContext = PK11_CreateContextBySymKey( nNSSCipherID, bEncryption ? CKA_ENCRYPT : CKA_DECRYPT, xResult->m_pSymKey, xResult->m_pSecParam);
  48                 if ( xResult->m_pContext )
  49                 {
  50                     xResult->m_bEncryption = bEncryption;
  51                     xResult->m_bW3CPadding = bW3CPadding;
  52                     xResult->m_bPadding = bW3CPadding || ( PK11_GetPadMechanism( nNSSCipherID ) == nNSSCipherID );
  53                     xResult->m_nBlockSize = PK11_GetBlockSize( nNSSCipherID, xResult->m_pSecParam );
  54                     if ( xResult->m_nBlockSize <= SAL_MAX_INT8 )
  55                         return xResult;
  56                 }
  57             }
  58         }
  59     }
  60
  61     return uno::Reference< xml::crypto::XCipherContext >();
  62 }
  63
  64 void OCipherContext::Dispose()
  65 {
  66     if ( m_pContext )
  67     {
  68         PK11_DestroyContext( m_pContext, PR_TRUE );
  69         m_pContext = nullptr;
  70     }
  71
  72     if ( m_pSecParam )
  73     {
  74         SECITEM_FreeItem( m_pSecParam, PR_TRUE );
  75         m_pSecParam = nullptr;
  76     }
  77
  78     if ( m_pSymKey )
  79     {
  80         PK11_FreeSymKey( m_pSymKey );
  81         m_pSymKey = nullptr;
  82     }
  83
  84     if ( m_pSlot )
  85     {
  86         PK11_FreeSlot( m_pSlot );
  87         m_pSlot = nullptr;
  88     }
  89
  90     m_bDisposed = true;
  91 }
  92
  93 uno::Sequence< ::sal_Int8 > SAL_CALL OCipherContext::convertWithCipherContext( const uno::Sequence< ::sal_Int8 >& aData )
  94 {
  95     std::unique_lock aGuard( m_aMutex );
  96
  97     if ( m_bBroken )
  98         throw uno::RuntimeException();
  99
 100     if ( m_bDisposed )
 101         throw lang::DisposedException();
 102
 103     uno::Sequence< sal_Int8 > aToConvert;
 104     if ( aData.hasElements() )
 105     {
 106         sal_Int32 nOldLastBlockLen = m_aLastBlock.getLength();
 107         OSL_ENSURE( nOldLastBlockLen <= m_nBlockSize, "Unexpected last block size!" );
 108
 109         sal_Int32 nAvailableData = nOldLastBlockLen + aData.getLength();
 110         sal_Int32 nToConvertLen;
 111         if ( m_bEncryption || !m_bW3CPadding )
 112         {
 113             if ( nAvailableData % m_nBlockSize == 0 )
 114                 nToConvertLen = nAvailableData;
 115             else if ( nAvailableData < m_nBlockSize )
 116                 nToConvertLen = 0;
 117             else
 118                 nToConvertLen = nAvailableData - nAvailableData % m_nBlockSize;
 119         }
 120         else
 121         {
 122             // decryption with W3C padding needs at least one block for finalizing
 123             if ( nAvailableData < m_nBlockSize * 2 )
 124                 nToConvertLen = 0;
 125             else
 126                 nToConvertLen = nAvailableData - nAvailableData % m_nBlockSize - m_nBlockSize;
 127         }
 128
 129         aToConvert.realloc( nToConvertLen );
 130         if ( nToConvertLen == 0 )
 131         {
 132             m_aLastBlock.realloc( nOldLastBlockLen + aData.getLength() );
 133             memcpy( m_aLastBlock.getArray() + nOldLastBlockLen, aData.getConstArray(), aData.getLength() );
 134             // aToConvert stays empty
 135         }
 136         else if ( nToConvertLen < nOldLastBlockLen )
 137         {
 138             memcpy( aToConvert.getArray(), m_aLastBlock.getConstArray(), nToConvertLen );
 139             memcpy( m_aLastBlock.getArray(), m_aLastBlock.getConstArray() + nToConvertLen, nOldLastBlockLen - nToConvertLen );
 140             m_aLastBlock.realloc( nOldLastBlockLen - nToConvertLen + aData.getLength() );
 141             memcpy( m_aLastBlock.getArray() + nOldLastBlockLen - nToConvertLen, aData.getConstArray(), aData.getLength() );
 142         }
 143         else
 144         {
 145             memcpy( aToConvert.getArray(), m_aLastBlock.getConstArray(), nOldLastBlockLen );
 146             if ( nToConvertLen > nOldLastBlockLen )
 147                 memcpy( aToConvert.getArray() + nOldLastBlockLen, aData.getConstArray(), nToConvertLen - nOldLastBlockLen );
 148             m_aLastBlock.realloc( nAvailableData - nToConvertLen );
 149             memcpy( m_aLastBlock.getArray(), aData.getConstArray() + nToConvertLen - nOldLastBlockLen, nAvailableData - nToConvertLen );
 150         }
 151     }
 152
 153     uno::Sequence< sal_Int8 > aResult;
 154     OSL_ENSURE( aToConvert.getLength() % m_nBlockSize == 0, "Unexpected size of the data to encrypt!" );
 155     if ( aToConvert.hasElements() )
 156     {
 157         int nResultLen = 0;
 158         aResult.realloc( aToConvert.getLength() + m_nBlockSize );
 159         if ( PK11_CipherOp( m_pContext, reinterpret_cast< unsigned char* >( aResult.getArray() ), &nResultLen, aResult.getLength(), reinterpret_cast< const unsigned char* >( aToConvert.getConstArray() ), aToConvert.getLength() ) != SECSuccess )
 160         {
 161             m_bBroken = true;
 162             Dispose();
 163             throw uno::RuntimeException();
 164         }
 165
 166         m_nConverted += aToConvert.getLength();
 167         aResult.realloc( nResultLen );
 168     }
 169
 170     return aResult;
 171 }
 172
 173 uno::Sequence< ::sal_Int8 > SAL_CALL OCipherContext::finalizeCipherContextAndDispose()
 174 {
 175     std::unique_lock aGuard( m_aMutex );
 176
 177     if ( m_bBroken )
 178         throw uno::RuntimeException();
 179
 180     if ( m_bDisposed )
 181         throw lang::DisposedException();
 182
 183     OSL_ENSURE( m_nBlockSize <= SAL_MAX_INT8, "Unexpected block size!" );
 184     OSL_ENSURE( m_nConverted % m_nBlockSize == 0, "Unexpected amount of bytes is already converted!" );
 185     sal_Int32 nSizeForPadding = ( m_nConverted + m_aLastBlock.getLength() ) % m_nBlockSize;
 186
 187     // if it is decryption, the amount of data should be rounded to the block size even in case of padding
 188     if ( ( !m_bPadding || !m_bEncryption ) && nSizeForPadding )
 189         throw uno::RuntimeException("The data should contain complete blocks only." );
 190
 191     if ( m_bW3CPadding && m_bEncryption )
 192     {
 193         // in this case the last block should be smaller than standard block
 194         // it will be increased with the padding
 195         OSL_ENSURE( m_aLastBlock.getLength() < m_nBlockSize, "Unexpected size of cashed incomplete last block!" );
 196
 197         // W3CPadding handling for encryption
 198         sal_Int32 nPaddingSize = m_nBlockSize - nSizeForPadding;
 199         sal_Int32 nOldLastBlockLen = m_aLastBlock.getLength();
 200         m_aLastBlock.realloc( nOldLastBlockLen + nPaddingSize );
 201         auto pLastBlock = m_aLastBlock.getArray();
 202
 203         if ( nPaddingSize > 1 )
 204         {
 205             rtlRandomPool aRandomPool = rtl_random_createPool();
 206             rtl_random_getBytes( aRandomPool, pLastBlock + nOldLastBlockLen, nPaddingSize - 1 );
 207             rtl_random_destroyPool ( aRandomPool );
 208         }
 209         pLastBlock[m_aLastBlock.getLength() - 1] = static_cast< sal_Int8 >( nPaddingSize );
 210     }
 211
 212     // finally should the last block be smaller than two standard blocks
 213     OSL_ENSURE( m_aLastBlock.getLength() < m_nBlockSize * 2 , "Unexpected size of cashed incomplete last block!" );
 214
 215     uno::Sequence< sal_Int8 > aResult;
 216     if ( m_aLastBlock.hasElements() )
 217     {
 218         int nPrefResLen = 0;
 219         aResult.realloc( m_aLastBlock.getLength() + m_nBlockSize );
 220         if ( PK11_CipherOp( m_pContext, reinterpret_cast< unsigned char* >( aResult.getArray() ), &nPrefResLen, aResult.getLength(), reinterpret_cast< const unsigned char* >( m_aLastBlock.getConstArray() ), m_aLastBlock.getLength() ) != SECSuccess )
 221         {
 222             m_bBroken = true;
 223             Dispose();
 224             throw uno::RuntimeException();
 225         }
 226
 227         aResult.realloc( nPrefResLen );
 228         m_aLastBlock.realloc( 0 );
 229     }
 230
 231     sal_Int32 nPrefixLen = aResult.getLength();
 232     aResult.realloc( nPrefixLen + m_nBlockSize * 2 );
 233     unsigned nFinalLen = 0;
 234     if ( PK11_DigestFinal( m_pContext, reinterpret_cast< unsigned char* >( aResult.getArray() + nPrefixLen ), &nFinalLen, aResult.getLength() - nPrefixLen ) != SECSuccess )
 235     {
 236         m_bBroken = true;
 237         Dispose();
 238         throw uno::RuntimeException();
 239     }
 240
 241     aResult.realloc( nPrefixLen + nFinalLen );
 242
 243     if ( m_bW3CPadding && !m_bEncryption )
 244     {
 245         // W3CPadding handling for decryption
 246         // aResult should have enough data, since we let m_aLastBlock be big enough in case of decryption
 247         OSL_ENSURE( aResult.getLength() >= m_nBlockSize, "Not enough data to handle the padding!" );
 248
 249         sal_Int8 nBytesToRemove = aResult[aResult.getLength() - 1];
 250         if ( nBytesToRemove <= 0 || nBytesToRemove > aResult.getLength() )
 251         {
 252             m_bBroken = true;
 253             Dispose();
 254             throw uno::RuntimeException();
 255         }
 256
 257         aResult.realloc( aResult.getLength() - nBytesToRemove );
 258     }
 259
 260     Dispose();
 261
 262     return aResult;
 263 }
 264
 265 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */