oox: Agile encryption and data integrity verification

This adds agile encryption for OOXML documents. Previously we always used the standard encryption used in MSO 2007 for max. compatibility, but new MSO versions (2010+) use the agile encryption, which allows more strong encryption methods (AES256 with SHA512). With this change we can now use do AES128 with SHA1 or AES256 with SHA512 encryption. In addition the agile encryption has data verification with HMAC hashing. With this change we also now write the data verification hash into the encrypted document and in addition also do data verification when opening / decrypting a document, so to make sure the document is not corrupted. Change-Id: Ib45d397df228c355941eefb76d51e5d6f8925470 Reviewed-on: https://gerrit.libreoffice.org/56974 Tested-by: Jenkins Reviewed-by: Tomaž Vajngerl <quikee@gmail.com>

oox: Agile encryption and data integrity verification
This adds agile encryption for OOXML documents. Previously we always used the standard encryption used in MSO 2007 for max. compatibility, but new MSO versions (2010+) use the agile encryption, which allows more strong encryption methods (AES256 with SHA512). With this change we can now use do AES128 with SHA1 or AES256 with SHA512 encryption. In addition the agile encryption has data verification with HMAC hashing. With this change we also now write the data verification hash into the encrypted document and in addition also do data verification when opening / decrypting a document, so to make sure the document is not corrupted. Change-Id: Ib45d397df228c355941eefb76d51e5d6f8925470 Reviewed-on: https://gerrit.libreoffice.org/56974 Tested-by: Jenkins Reviewed-by: Tomaž Vajngerl <quikee@gmail.com>
ce560ee9 · Tomaž Vajngerl · Tomaž Vajngerl · ce7fb747 · ce560ee9 · ce560ee9
Kaydet (Commit) ce560ee9 authored Tem 04, 2018 tarafından Tomaž Vajngerl Kaydeden (comit) Tomaž Vajngerl Tem 06, 2018
9 changed files
--- a/include/oox/crypto/AgileEngine.hxx
+++ b/include/oox/crypto/AgileEngine.hxx
@@ -13,6 +13,7 @@
 #include <vector>
+#include <oox/dllapi.h>
 #include <oox/crypto/CryptTools.hxx>
 #include <oox/crypto/CryptoEngine.hxx>
 #include <rtl/ustring.hxx>
@@ -26,7 +27,7 @@ namespace oox {
 namespace oox {
 namespace core {
-struct AgileEncryptionInfo
+struct OOX_DLLPUBLIC AgileEncryptionInfo
 {
    sal_Int32 spinCount;
    sal_Int32 saltSize;
@@ -39,15 +40,45 @@ struct AgileEncryptionInfo
    OUString hashAlgorithm;
    std::vector<sal_uInt8> keyDataSalt;
+    // Key Encryptor
    std::vector<sal_uInt8> saltValue;
    std::vector<sal_uInt8> encryptedVerifierHashInput;
    std::vector<sal_uInt8> encryptedVerifierHashValue;
    std::vector<sal_uInt8> encryptedKeyValue;
+    // HMAC
+    std::vector<sal_uInt8> hmacKey;
+    std::vector<sal_uInt8> hmacHash;
+    std::vector<sal_uInt8> hmacCalculatedHash;
+    std::vector<sal_uInt8> hmacEncryptedKey; // encrypted Key
+    std::vector<sal_uInt8> hmacEncryptedValue; // encrypted Hash
+};
+struct OOX_DLLPUBLIC AgileEncryptionParameters
+{
+    sal_Int32 spinCount;
+    sal_Int32 saltSize;
+    sal_Int32 keyBits;
+    sal_Int32 hashSize;
+    sal_Int32 blockSize;
+    OUString cipherAlgorithm;
+    OUString cipherChaining;
+    OUString hashAlgorithm;
 };
-class AgileEngine : public CryptoEngine
+enum class AgileEncryptionPreset
 {
+    AES_128_SHA1,
+    AES_256_SHA512,
+};
+class OOX_DLLPUBLIC AgileEngine : public CryptoEngine
+{
+private:
    AgileEncryptionInfo mInfo;
+    AgileEncryptionPreset meEncryptionPreset;
    void calculateHashFinal(const OUString& rPassword, std::vector<sal_uInt8>& aHashFinal);
@@ -57,28 +88,59 @@ class AgileEngine : public CryptoEngine
            std::vector<sal_uInt8>& rInput,
            std::vector<sal_uInt8>& rOutput);
+    void encryptBlock(
+            std::vector<sal_uInt8> const & rBlock,
+            std::vector<sal_uInt8>& rHashFinal,
+            std::vector<sal_uInt8>& rInput,
+            std::vector<sal_uInt8>& rOutput);
    static Crypto::CryptoType cryptoType(const AgileEncryptionInfo& rInfo);
+    bool calculateDecryptionKey(const OUString& rPassword);
 public:
-    AgileEngine() = default;
+    AgileEngine();
    AgileEncryptionInfo& getInfo() { return mInfo;}
-    virtual void writeEncryptionInfo(
+    void setPreset(AgileEncryptionPreset ePreset)
-                    const OUString& rPassword,
+    {
-                    BinaryXOutputStream& rStream) override;
+        meEncryptionPreset = ePreset;
+    }
-    virtual bool generateEncryptionKey(const OUString& rPassword) override;
+    // Decryption
-    virtual bool decrypt(
+    bool decryptEncryptionKey(OUString const & rPassword);
-                    BinaryXInputStream& aInputStream,
+    bool decryptAndCheckVerifierHash(OUString const & rPassword);
-                    BinaryXOutputStream& aOutputStream) override;
+    bool generateEncryptionKey(OUString const & rPassword) override;
    bool readEncryptionInfo(css::uno::Reference<css::io::XInputStream> & rxInputStream) override;
+    bool decrypt(BinaryXInputStream& aInputStream,
+                 BinaryXOutputStream& aOutputStream) override;
+    bool checkDataIntegrity() override;
+    bool decryptHmacKey();
+    bool decryptHmacValue();
+    // Encryption
+    void writeEncryptionInfo(BinaryXOutputStream& rStream) override;
+    void encrypt(css::uno::Reference<css::io::XInputStream>&  rxInputStream,
+                 css::uno::Reference<css::io::XOutputStream>& rxOutputStream,
+                 sal_uInt32 nSize) override;
+    bool setupEncryption(OUString const & rPassword) override;
+    bool generateAndEncryptVerifierHash(OUString const & rPassword);
+    bool encryptHmacKey();
+    bool encryptHmacValue();
-    virtual void encrypt(
+    bool encryptEncryptionKey(OUString const & rPassword);
-                    BinaryXInputStream& aInputStream,
+    void setupEncryptionParameters(AgileEncryptionParameters const & rAgileEncryptionParameters);
-                    BinaryXOutputStream& aOutputStream) override;
+    bool setupEncryptionKey(OUString const & rPassword);
 };
 } // namespace core

--- a/include/oox/crypto/CryptoEngine.hxx
+++ b/include/oox/crypto/CryptoEngine.hxx
@@ -17,6 +17,7 @@
 #include <sal/types.h>
 #include <com/sun/star/io/XInputStream.hpp>
+#include <com/sun/star/io/XOutputStream.hpp>
 namespace oox {
    class BinaryXInputStream;
@@ -38,9 +39,8 @@ public:
    virtual ~CryptoEngine()
    {}
-    virtual void writeEncryptionInfo(
+    // Decryption
-                    const OUString& rPassword,
+    virtual bool readEncryptionInfo(css::uno::Reference<css::io::XInputStream> & rxInputStream) = 0;
-                    BinaryXOutputStream& rStream) = 0;
    virtual bool generateEncryptionKey(const OUString& rPassword) = 0;
@@ -48,11 +48,16 @@ public:
                    BinaryXInputStream& aInputStream,
                    BinaryXOutputStream& aOutputStream) = 0;
-    virtual bool readEncryptionInfo(css::uno::Reference<css::io::XInputStream> & rxInputStream) = 0;
+    // Encryption
+    virtual void writeEncryptionInfo(BinaryXOutputStream & rStream) = 0;
-    virtual void encrypt(
+    virtual bool setupEncryption(const OUString& rPassword) = 0;
-                    BinaryXInputStream& aInputStream,
-                    BinaryXOutputStream& aOutputStream) = 0;
+    virtual void encrypt(css::uno::Reference<css::io::XInputStream> & rxInputStream,
+                         css::uno::Reference<css::io::XOutputStream> & rxOutputStream,
+                         sal_uInt32 nSize) = 0;
+    virtual bool checkDataIntegrity() = 0;
 };
 } // namespace core

--- a/include/oox/crypto/Standard2007Engine.hxx
+++ b/include/oox/crypto/Standard2007Engine.hxx
@@ -38,21 +38,23 @@ public:
    msfilter::StandardEncryptionInfo& getInfo() { return mInfo;}
-    virtual bool generateEncryptionKey(const OUString& rPassword) override;
+    bool readEncryptionInfo(css::uno::Reference<css::io::XInputStream> & rxInputStream) override;
-    virtual void writeEncryptionInfo(
+    virtual bool generateEncryptionKey(OUString const & rPassword) override;
-                    const OUString& rPassword,
-                    BinaryXOutputStream& rStream) override;
    virtual bool decrypt(
                    BinaryXInputStream& aInputStream,
                    BinaryXOutputStream& aOutputStream) override;
-    bool readEncryptionInfo(css::uno::Reference<css::io::XInputStream> & rxInputStream) override;
+    bool checkDataIntegrity() override;
-    virtual void encrypt(
+    void encrypt(css::uno::Reference<css::io::XInputStream>&  rxInputStream,
-                    BinaryXInputStream& aInputStream,
+                 css::uno::Reference<css::io::XOutputStream>& rxOutputStream,
-                    BinaryXOutputStream& aOutputStream) override;
+                 sal_uInt32 nSize) override;
+    virtual void writeEncryptionInfo(BinaryXOutputStream& rStream) override;
+    virtual bool setupEncryption(OUString const & rPassword) override;
 };

--- a/oox/qa/unit/CryptoTest.cxx
+++ b/oox/qa/unit/CryptoTest.cxx
--- a/oox/source/core/filterdetect.cxx
+++ b/oox/source/core/filterdetect.cxx
@@ -348,14 +348,21 @@ Reference< XInputStream > FilterDetect::extractUnencryptedPackage( MediaDescript
                {
                    // create temporary file for unencrypted package
                    Reference<XStream> xTempFile( TempFile::create(mxContext), UNO_QUERY_THROW );
-                    aDecryptor.decrypt( xTempFile );
-                    // store temp file in media descriptor to keep it alive
+                    // if decryption was unsuccessful (corrupted file or any other reason)
-                    rMediaDescriptor.setComponentDataEntry( "DecryptedPackage", Any( xTempFile ) );
+                    if (!aDecryptor.decrypt(xTempFile))
+                    {
-                    Reference<XInputStream> xDecryptedInputStream = xTempFile->getInputStream();
+                        rMediaDescriptor[ MediaDescriptor::PROP_ABORTED() ] <<= true;
-                    if( lclIsZipPackage( mxContext, xDecryptedInputStream ) )
+                    }
-                        return xDecryptedInputStream;
+                    else
+                    {
+                        // store temp file in media descriptor to keep it alive
+                        rMediaDescriptor.setComponentDataEntry( "DecryptedPackage", Any( xTempFile ) );
+                        Reference<XInputStream> xDecryptedInputStream = xTempFile->getInputStream();
+                        if( lclIsZipPackage( mxContext, xDecryptedInputStream ) )
+                            return xDecryptedInputStream;
+                    }
                }
            }
        }

--- a/oox/source/crypto/AgileEngine.cxx
+++ b/oox/source/crypto/AgileEngine.cxx
--- a/oox/source/crypto/DocumentDecryption.cxx
+++ b/oox/source/crypto/DocumentDecryption.cxx
@@ -106,6 +106,9 @@ bool DocumentDecryption::decrypt(const uno::Reference<io::XStream>& xDocumentStr
    xDecryptedPackage->flush();
    aDecryptedPackage.seekToStart();
+    if (bResult)
+        return mEngine->checkDataIntegrity();
    return bResult;
 }

--- a/oox/source/crypto/DocumentEncryption.cxx
+++ b/oox/source/crypto/DocumentEncryption.cxx
@@ -41,37 +41,30 @@ bool DocumentEncryption::encrypt()
    if (!xSeekable.is())
        return false;
-    sal_uInt32 aLength = xSeekable->getLength();
+    sal_uInt32 aLength = xSeekable->getLength(); // check length of the stream
+    xSeekable->seek(0); // seek to begin of the document stream
    if (!mrOleStorage.isStorage())
        return false;
+    mEngine.setupEncryption(maPassword);
+    Reference<XOutputStream> xOutputStream(mrOleStorage.openOutputStream("EncryptedPackage"), UNO_SET_THROW);
+    mEngine.encrypt(xInputStream, xOutputStream, aLength);
+    xOutputStream->flush();
+    xOutputStream->closeOutput();
    Reference<XOutputStream> xEncryptionInfo(mrOleStorage.openOutputStream("EncryptionInfo"), UNO_SET_THROW);
    BinaryXOutputStream aEncryptionInfoBinaryOutputStream(xEncryptionInfo, false);
-    mEngine.writeEncryptionInfo(maPassword, aEncryptionInfoBinaryOutputStream);
+    mEngine.writeEncryptionInfo(aEncryptionInfoBinaryOutputStream);
    aEncryptionInfoBinaryOutputStream.close();
    xEncryptionInfo->flush();
    xEncryptionInfo->closeOutput();
-    Reference<XOutputStream> xEncryptedPackage(mrOleStorage.openOutputStream("EncryptedPackage"), UNO_SET_THROW);
-    BinaryXOutputStream aEncryptedPackageStream(xEncryptedPackage, false);
-    BinaryXInputStream aDocumentInputStream(xInputStream, false);
-    aDocumentInputStream.seekToStart();
-    aEncryptedPackageStream.WriteUInt32(aLength); // size
-    aEncryptedPackageStream.WriteUInt32(0U);      // reserved
-    mEngine.encrypt(aDocumentInputStream, aEncryptedPackageStream);
-    aEncryptedPackageStream.close();
-    aDocumentInputStream.close();
-    xEncryptedPackage->flush();
-    xEncryptedPackage->closeOutput();
    return true;
 }

--- a/oox/source/crypto/Standard2007Engine.cxx
+++ b/oox/source/crypto/Standard2007Engine.cxx
@@ -35,6 +35,7 @@ void lclRandomGenerateValues(sal_uInt8* aArray, sal_uInt32 aSize)
 }
 static const OUString lclCspName = "Microsoft Enhanced RSA and AES Cryptographic Provider";
+constexpr const sal_uInt32 AES128Size = 16;
 } // end anonymous namespace
@@ -172,7 +173,12 @@ bool Standard2007Engine::decrypt(BinaryXInputStream& aInputStream,
    return true;
 }
-void Standard2007Engine::writeEncryptionInfo(const OUString& password, BinaryXOutputStream& rStream)
+bool Standard2007Engine::checkDataIntegrity()
+{
+    return true;
+}
+bool Standard2007Engine::setupEncryption(OUString const & password)
 {
    mInfo.header.flags        = msfilter::ENCRYPTINFO_AES | msfilter::ENCRYPTINFO_CRYPTOAPI;
    mInfo.header.algId        = msfilter::ENCRYPT_ALGO_AES128;
@@ -187,11 +193,16 @@ void Standard2007Engine::writeEncryptionInfo(const OUString& password, BinaryXOu
    mKey.resize(keyLength, 0);
    if (!calculateEncryptionKey(password))
-        return;
+        return false;
    if (!generateVerifier())
-        return;
+        return false;
+    return true;
+}
+void Standard2007Engine::writeEncryptionInfo(BinaryXOutputStream& rStream)
+{
    rStream.WriteUInt32(msfilter::VERSION_INFO_2007_FORMAT);
    sal_uInt32 cspNameSize = (lclCspName.getLength() * 2) + 2;
@@ -209,9 +220,19 @@ void Standard2007Engine::writeEncryptionInfo(const OUString& password, BinaryXOu
    rStream.writeMemory(&mInfo.verifier, sizeof(msfilter::EncryptionVerifierAES));
 }
-void Standard2007Engine::encrypt(BinaryXInputStream& aInputStream,
+void Standard2007Engine::encrypt(css::uno::Reference<css::io::XInputStream> &  rxInputStream,
-                                 BinaryXOutputStream& aOutputStream)
+                                 css::uno::Reference<css::io::XOutputStream> & rxOutputStream,
+                                 sal_uInt32 nSize)
 {
+    if (mKey.empty())
+        return;
+    BinaryXOutputStream aBinaryOutputStream(rxOutputStream, false);
+    BinaryXInputStream aBinaryInputStream(rxInputStream, false);
+    aBinaryOutputStream.WriteUInt32(nSize); // size
+    aBinaryOutputStream.WriteUInt32(0U);    // reserved
    std::vector<sal_uInt8> inputBuffer(1024);
    std::vector<sal_uInt8> outputBuffer(1024);
@@ -221,11 +242,13 @@ void Standard2007Engine::encrypt(BinaryXInputStream& aInputStream,
    std::vector<sal_uInt8> iv;
    Encrypt aEncryptor(mKey, iv, Crypto::AES_128_ECB);
-    while ((inputLength = aInputStream.readMemory(inputBuffer.data(), inputBuffer.size())) > 0)
+    while ((inputLength = aBinaryInputStream.readMemory(inputBuffer.data(), inputBuffer.size())) > 0)
    {
-        inputLength = inputLength % 16 == 0 ? inputLength : ((inputLength / 16) * 16) + 16;
+        // increase size to multiple of 16 (size of mKey) if necessary
+        inputLength = inputLength % AES128Size == 0 ?
+                            inputLength : roundUp(inputLength, AES128Size);
        outputLength = aEncryptor.update(outputBuffer, inputBuffer, inputLength);
-        aOutputStream.writeMemory(outputBuffer.data(), outputLength);
+        aBinaryOutputStream.writeMemory(outputBuffer.data(), outputLength);
    }
 }