search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Gtk-WARNING gtktreestore.c:1047: Invalid column number 1 added to iter
[LibreOffice.git] / xmlsecurity / source / xmlsec / nss / ciphercontext.cxx
blob19e4e3ab991f96c1b55de71a413ec9f2151e5088
1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /*
3 * This file is part of the LibreOffice project.
4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
8 *
9 * This file incorporates work covered by the following license notice:
10 *
11 * Licensed to the Apache Software Foundation (ASF) under one or more
12 * contributor license agreements. See the NOTICE file distributed
13 * with this work for additional information regarding copyright
14 * ownership. The ASF licenses this file to you under the Apache
15 * License, Version 2.0 (the "License"); you may not use this file
16 * except in compliance with the License. You may obtain a copy of
17 * the License at http://www.apache.org/licenses/LICENSE-2.0 .
18 */
19
20 #include <sal/config.h>
21
22 #include <com/sun/star/lang/DisposedException.hpp>
23 #include <rtl/random.h>
24 #include <rtl/ref.hxx>
25 #include <sal/log.hxx>
26
27 #include "ciphercontext.hxx"
28 #include <nss.h> // for NSS_VMINOR
29 #include <pk11pub.h>
30
31 constexpr size_t nAESGCMIVSize = 12;
32 constexpr size_t nAESGCMTagSize = 16;
33
34 using namespace ::com::sun::star;
35
36 uno::Reference< xml::crypto::XCipherContext > OCipherContext::Create( CK_MECHANISM_TYPE nNSSCipherID, const uno::Sequence< ::sal_Int8 >& aKey, const uno::Sequence< ::sal_Int8 >& aInitializationVector, bool bEncryption, bool bW3CPadding )
37 {
38 ::rtl::Reference< OCipherContext > xResult = new OCipherContext;
39
40 xResult->m_pSlot = PK11_GetBestSlot( nNSSCipherID, nullptr );
41 if (!xResult->m_pSlot)
42 {
43 SAL_WARN("xmlsecurity.nss", "PK11_GetBestSlot failed");
44 throw uno::RuntimeException(u"PK11_GetBestSlot failed"_ustr);
45 }
46
47 SECItem aKeyItem = { siBuffer,
48 const_cast<unsigned char*>(reinterpret_cast<const unsigned char*>(aKey.getConstArray())),
49 sal::static_int_cast<unsigned>(aKey.getLength()) };
50 xResult->m_pSymKey = PK11_ImportSymKey(xResult->m_pSlot, nNSSCipherID,
51 PK11_OriginDerive, bEncryption ? CKA_ENCRYPT : CKA_DECRYPT, &aKeyItem, nullptr);
52 if (!xResult->m_pSymKey)
53 {
54 SAL_WARN("xmlsecurity.nss", "PK11_ImportSymKey failed");
55 throw uno::RuntimeException(u"PK11_ImportSymKey failed"_ustr);
56 }
57
58 if (nNSSCipherID == CKM_AES_GCM)
59 {
60 // TODO: when runtime requirements are raised to NSS 3.52,
61 // cleanup according to
62 // https://fedoraproject.org/wiki/Changes/NssGCMParams
63 #if NSS_VMINOR >= 52
64 xResult->m_pSecParam = SECITEM_AllocItem(nullptr, nullptr, sizeof(CK_NSS_GCM_PARAMS));
65 #else
66 xResult->m_pSecParam = SECITEM_AllocItem(nullptr, nullptr, sizeof(CK_GCM_PARAMS));
67 #endif
68 if (!xResult->m_pSecParam)
69 {
70 SAL_WARN("xmlsecurity.nss", "SECITEM_AllocItem failed");
71 throw uno::RuntimeException(u"SECITEM_AllocItem failed"_ustr);
72 }
73 assert(aInitializationVector.getLength() == nAESGCMIVSize);
74 xResult->m_AESGCMIV = aInitializationVector;
75 #if NSS_VMINOR >= 52
76 auto *const pParams = reinterpret_cast<CK_NSS_GCM_PARAMS*>(xResult->m_pSecParam->data);
77 #else
78 auto *const pParams = reinterpret_cast<CK_GCM_PARAMS*>(xResult->m_pSecParam->data);
79 #endif
80 pParams->pIv = const_cast<unsigned char*>(reinterpret_cast<const unsigned char*>(xResult->m_AESGCMIV.getConstArray()));
81 pParams->ulIvLen = sal::static_int_cast<unsigned>(xResult->m_AESGCMIV.getLength());
82 pParams->pAAD = nullptr;
83 pParams->ulAADLen = 0;
84 pParams->ulTagBits = nAESGCMTagSize * 8;
85 }
86 else
87 {
88 SECItem aIVItem = { siBuffer,
89 const_cast<unsigned char*>(reinterpret_cast<const unsigned char*>(aInitializationVector.getConstArray())),
90 sal::static_int_cast<unsigned>(aInitializationVector.getLength()) };
91 xResult->m_pSecParam = PK11_ParamFromIV(nNSSCipherID, &aIVItem);
92 if (!xResult->m_pSecParam)
93 {
94 SAL_WARN("xmlsecurity.nss", "PK11_ParamFromIV failed");
95 throw uno::RuntimeException(u"PK11_ParamFromIV failed"_ustr);
96 }
97
98 xResult->m_pContext = PK11_CreateContextBySymKey( nNSSCipherID, bEncryption ? CKA_ENCRYPT : CKA_DECRYPT, xResult->m_pSymKey, xResult->m_pSecParam);
99 if (!xResult->m_pContext)
100 {
101 SAL_WARN("xmlsecurity.nss", "PK11_CreateContextBySymKey failed");
102 throw uno::RuntimeException(u"PK11_CreateContextBySymKey failed"_ustr);
103 }
104 }
105
106 xResult->m_bEncryption = bEncryption;
107 xResult->m_bW3CPadding = bW3CPadding;
108 xResult->m_bPadding = bW3CPadding || ( PK11_GetPadMechanism( nNSSCipherID ) == nNSSCipherID );
109 // in NSS 3.94, a global default value of 8 is returned for CKM_AES_GCM
110 xResult->m_nBlockSize = nNSSCipherID == CKM_AES_GCM ? 16 : PK11_GetBlockSize(nNSSCipherID, xResult->m_pSecParam);
111 if (SAL_MAX_INT8 < xResult->m_nBlockSize)
112 {
113 SAL_WARN("xmlsecurity.nss", "PK11_GetBlockSize unexpected result");
114 throw uno::RuntimeException(u"PK11_GetBlockSize unexpected result"_ustr);
115 }
116 return xResult;
117 }
118
119 void OCipherContext::Dispose()
120 {
121 if ( m_pContext )
122 {
123 PK11_DestroyContext( m_pContext, PR_TRUE );
124 m_pContext = nullptr;
125 }
126
127 if ( m_pSecParam )
128 {
129 SECITEM_FreeItem( m_pSecParam, PR_TRUE );
130 m_pSecParam = nullptr;
131 }
132
133 if ( m_pSymKey )
134 {
135 PK11_FreeSymKey( m_pSymKey );
136 m_pSymKey = nullptr;
137 }
138
139 if ( m_pSlot )
140 {
141 PK11_FreeSlot( m_pSlot );
142 m_pSlot = nullptr;
143 }
144
145 m_bDisposed = true;
146 }
147
148 uno::Sequence< ::sal_Int8 > SAL_CALL OCipherContext::convertWithCipherContext( const uno::Sequence< ::sal_Int8 >& aData )
149 {
150 std::unique_lock aGuard( m_aMutex );
151
152 if ( m_bBroken )
153 throw uno::RuntimeException();
154
155 if ( m_bDisposed )
156 throw lang::DisposedException();
157
158 if (m_AESGCMIV.getLength())
159 {
160 if (SAL_MAX_INT32 - nAESGCMIVSize - nAESGCMTagSize <= static_cast<size_t>(m_aLastBlock.getLength()) + static_cast<size_t>(aData.getLength()))
161 {
162 m_bBroken = true;
163 throw uno::RuntimeException(u"overflow"_ustr);
164 }
165 m_aLastBlock.realloc(m_aLastBlock.getLength() + aData.getLength());
166 memcpy(m_aLastBlock.getArray() + m_aLastBlock.getLength() - aData.getLength(), aData.getConstArray(), aData.getLength());
167 return {};
168 }
169
170 uno::Sequence< sal_Int8 > aToConvert;
171 if ( aData.hasElements() )
172 {
173 sal_Int32 nOldLastBlockLen = m_aLastBlock.getLength();
174
175 sal_Int32 nAvailableData = nOldLastBlockLen + aData.getLength();
176 sal_Int32 nToConvertLen;
177 if ( m_bEncryption || !m_bW3CPadding )
178 {
179 assert(nOldLastBlockLen < m_nBlockSize);
180 if ( nAvailableData % m_nBlockSize == 0 )
181 nToConvertLen = nAvailableData;
182 else if ( nAvailableData < m_nBlockSize )
183 nToConvertLen = 0;
184 else
185 nToConvertLen = nAvailableData - nAvailableData % m_nBlockSize;
186 }
187 else
188 {
189 assert(nOldLastBlockLen < m_nBlockSize * 2);
190 // decryption with W3C padding needs at least one block for finalizing
191 if ( nAvailableData < m_nBlockSize * 2 )
192 nToConvertLen = 0;
193 else
194 nToConvertLen = nAvailableData - nAvailableData % m_nBlockSize - m_nBlockSize;
195 }
196
197 aToConvert.realloc( nToConvertLen );
198 if ( nToConvertLen == 0 )
199 {
200 m_aLastBlock.realloc( nOldLastBlockLen + aData.getLength() );
201 memcpy( m_aLastBlock.getArray() + nOldLastBlockLen, aData.getConstArray(), aData.getLength() );
202 // aToConvert stays empty
203 }
204 else if ( nToConvertLen < nOldLastBlockLen )
205 {
206 memcpy( aToConvert.getArray(), m_aLastBlock.getConstArray(), nToConvertLen );
207 memcpy( m_aLastBlock.getArray(), m_aLastBlock.getConstArray() + nToConvertLen, nOldLastBlockLen - nToConvertLen );
208 m_aLastBlock.realloc( nOldLastBlockLen - nToConvertLen + aData.getLength() );
209 memcpy( m_aLastBlock.getArray() + nOldLastBlockLen - nToConvertLen, aData.getConstArray(), aData.getLength() );
210 }
211 else
212 {
213 memcpy( aToConvert.getArray(), m_aLastBlock.getConstArray(), nOldLastBlockLen );
214 if ( nToConvertLen > nOldLastBlockLen )
215 memcpy( aToConvert.getArray() + nOldLastBlockLen, aData.getConstArray(), nToConvertLen - nOldLastBlockLen );
216 m_aLastBlock.realloc( nAvailableData - nToConvertLen );
217 memcpy( m_aLastBlock.getArray(), aData.getConstArray() + nToConvertLen - nOldLastBlockLen, nAvailableData - nToConvertLen );
218 }
219 }
220
221 uno::Sequence< sal_Int8 > aResult;
222 assert(aToConvert.getLength() % m_nBlockSize == 0);
223 if ( aToConvert.hasElements() )
224 {
225 int nResultLen = 0;
226 aResult.realloc( aToConvert.getLength() + m_nBlockSize );
227 if ( PK11_CipherOp( m_pContext, reinterpret_cast< unsigned char* >( aResult.getArray() ), &nResultLen, aResult.getLength(), reinterpret_cast< const unsigned char* >( aToConvert.getConstArray() ), aToConvert.getLength() ) != SECSuccess )
228 {
229 m_bBroken = true;
230 Dispose();
231 throw uno::RuntimeException(u"PK11_CipherOp failed"_ustr);
232 }
233
234 m_nConverted += aToConvert.getLength();
235 aResult.realloc( nResultLen );
236 }
237
238 return aResult;
239 }
240
241 uno::Sequence< ::sal_Int8 > SAL_CALL OCipherContext::finalizeCipherContextAndDispose()
242 {
243 std::unique_lock aGuard( m_aMutex );
244
245 if ( m_bBroken )
246 throw uno::RuntimeException();
247
248 if ( m_bDisposed )
249 throw lang::DisposedException();
250
251 if (m_AESGCMIV.getLength())
252 {
253 uno::Sequence<sal_Int8> aResult;
254 unsigned outLen;
255 if (m_bEncryption)
256 {
257 assert(sal::static_int_cast<size_t>(m_aLastBlock.getLength()) <= SAL_MAX_INT32 - nAESGCMIVSize - nAESGCMTagSize);
258 // add space for IV and tag
259 aResult.realloc(m_aLastBlock.getLength() + nAESGCMIVSize + nAESGCMTagSize);
260 // W3C xmlenc-core1 requires the IV preceding the ciphertext,
261 // but NSS doesn't do it, so copy it manually
262 memcpy(aResult.getArray(), m_AESGCMIV.getConstArray(), nAESGCMIVSize);
263 if (PK11_Encrypt(m_pSymKey, CKM_AES_GCM, m_pSecParam,
264 reinterpret_cast<unsigned char*>(aResult.getArray() + nAESGCMIVSize),
265 &outLen, aResult.getLength() - nAESGCMIVSize,
266 reinterpret_cast<unsigned char const*>(m_aLastBlock.getConstArray()),
267 m_aLastBlock.getLength()) != SECSuccess)
268 {
269 m_bBroken = true;
270 Dispose();
271 throw uno::RuntimeException(u"PK11_Encrypt failed"_ustr);
272 }
273 assert(outLen == sal::static_int_cast<unsigned>(aResult.getLength() - nAESGCMIVSize));
274 }
275 else if (nAESGCMIVSize + nAESGCMTagSize < sal::static_int_cast<size_t>(m_aLastBlock.getLength()))
276 {
277 if (0 != memcmp(m_AESGCMIV.getConstArray(), m_aLastBlock.getConstArray(), nAESGCMIVSize))
278 {
279 m_bBroken = true;
280 Dispose();
281 throw uno::RuntimeException(u"inconsistent IV"_ustr);
282 }
283 aResult.realloc(m_aLastBlock.getLength() - nAESGCMIVSize - nAESGCMTagSize);
284 if (PK11_Decrypt(m_pSymKey, CKM_AES_GCM, m_pSecParam,
285 reinterpret_cast<unsigned char*>(aResult.getArray()),
286 &outLen, aResult.getLength(),
287 reinterpret_cast<unsigned char const*>(m_aLastBlock.getConstArray() + nAESGCMIVSize),
288 m_aLastBlock.getLength() - nAESGCMIVSize) != SECSuccess)
289 {
290 m_bBroken = true;
291 Dispose();
292 throw uno::RuntimeException(u"PK11_Decrypt failed"_ustr);
293 }
294 assert(outLen == sal::static_int_cast<unsigned>(aResult.getLength()));
295 }
296 else
297 {
298 m_bBroken = true;
299 Dispose();
300 throw uno::RuntimeException(u"incorrect size of input"_ustr);
301 }
302 Dispose();
303 return aResult;
304 }
305
306 assert(m_nBlockSize <= SAL_MAX_INT8);
307 assert(m_nConverted % m_nBlockSize == 0); // whole blocks are converted
308 sal_Int32 nSizeForPadding = ( m_nConverted + m_aLastBlock.getLength() ) % m_nBlockSize;
309
310 // if it is decryption, the amount of data should be rounded to the block size even in case of padding
311 if ( ( !m_bPadding || !m_bEncryption ) && nSizeForPadding )
312 throw uno::RuntimeException(u"The data should contain complete blocks only."_ustr );
313
314 if ( m_bW3CPadding && m_bEncryption )
315 {
316 // in this case the last block should be smaller than standard block
317 // it will be increased with the padding
318 assert(m_aLastBlock.getLength() < m_nBlockSize);
319
320 // W3CPadding handling for encryption
321 sal_Int32 nPaddingSize = m_nBlockSize - nSizeForPadding;
322 sal_Int32 nOldLastBlockLen = m_aLastBlock.getLength();
323 m_aLastBlock.realloc( nOldLastBlockLen + nPaddingSize );
324 auto pLastBlock = m_aLastBlock.getArray();
325
326 if ( nPaddingSize > 1 )
327 {
328 if (rtl_random_getBytes(nullptr, pLastBlock + nOldLastBlockLen, nPaddingSize - 1) != rtl_Random_E_None)
329 {
330 throw uno::RuntimeException(u"rtl_random_getBytes failed"_ustr);
331 }
332 }
333 pLastBlock[m_aLastBlock.getLength() - 1] = static_cast< sal_Int8 >( nPaddingSize );
334 }
335
336 // finally should the last block be smaller than two standard blocks
337 assert(m_aLastBlock.getLength() < m_nBlockSize * 2);
338
339 uno::Sequence< sal_Int8 > aResult;
340 if ( m_aLastBlock.hasElements() )
341 {
342 int nPrefResLen = 0;
343 aResult.realloc( m_aLastBlock.getLength() + m_nBlockSize );
344 if ( PK11_CipherOp( m_pContext, reinterpret_cast< unsigned char* >( aResult.getArray() ), &nPrefResLen, aResult.getLength(), reinterpret_cast< const unsigned char* >( m_aLastBlock.getConstArray() ), m_aLastBlock.getLength() ) != SECSuccess )
345 {
346 m_bBroken = true;
347 Dispose();
348 throw uno::RuntimeException(u"PK11_CipherOp failed"_ustr);
349 }
350
351 aResult.realloc( nPrefResLen );
352 m_aLastBlock.realloc( 0 );
353 }
354
355 sal_Int32 nPrefixLen = aResult.getLength();
356 aResult.realloc( nPrefixLen + m_nBlockSize * 2 );
357 unsigned nFinalLen = 0;
358 if ( PK11_DigestFinal( m_pContext, reinterpret_cast< unsigned char* >( aResult.getArray() + nPrefixLen ), &nFinalLen, aResult.getLength() - nPrefixLen ) != SECSuccess )
359 {
360 m_bBroken = true;
361 Dispose();
362 throw uno::RuntimeException(u"PK11_DigestFinal failed"_ustr);
363 }
364
365 aResult.realloc( nPrefixLen + nFinalLen );
366
367 if ( m_bW3CPadding && !m_bEncryption )
368 {
369 // W3CPadding handling for decryption
370 // aResult should have enough data, except if the input was completely empty
371
372 // see https://www.w3.org/TR/xmlenc-core1/#sec-Alg-Block
373 if (aResult.getLength() < m_nBlockSize
374 || aResult[aResult.getLength()-1] <= 0
375 || m_nBlockSize < aResult[aResult.getLength()-1])
376 {
377 m_bBroken = true;
378 Dispose();
379 throw uno::RuntimeException(u"incorrect size of padding"_ustr);
380 }
381
382 aResult.realloc(aResult.getLength() - aResult[aResult.getLength()-1]);
383 }
384
385 Dispose();
386
387 return aResult;
388 }
389
390 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
FREE OFFICE SUITE