[PATCH] Allow selecting the tls backend to use in oox from configure

Miguel Gomez (via Code Review) gerrit at gerrit.libreoffice.org
Tue Apr 2 06:36:43 PDT 2013 

Hi,

I have submitted a patch for review:

    https://gerrit.libreoffice.org/3173

To pull it, you can do:

    git pull ssh://gerrit.libreoffice.org:29418/core refs/changes/73/3173/1

Allow selecting the tls backend to use in oox from configure

Change-Id: Ie82afb1f22caa0b02ddac256e2a0c2a49f19bb15
---
M config_host.mk.in
M configure.ac
M oox/Library_oox.mk
M oox/source/core/filterdetect.cxx
4 files changed, 140 insertions(+), 0 deletions(-)



diff --git a/config_host.mk.in b/config_host.mk.in
index 08fc52c9..bb71553 100644
--- a/config_host.mk.in
+++ b/config_host.mk.in
@@ -567,6 +567,7 @@
 export TELEPATHY_CFLAGS=$(gb_SPACE)@TELEPATHY_CFLAGS@
 export TELEPATHY_LIBS=$(gb_SPACE)@TELEPATHY_LIBS@
 export THES_SYSTEM_DIR=@THES_SYSTEM_DIR@
+export TLS=@TLS@
 @x_Cygwin@ export TMP=@TMP_DIRECTORY@
 export TMPDIR=@TEMP_DIRECTORY@
 export TYPO_EXTENSION_PACK=@TYPO_EXTENSION_PACK@
diff --git a/configure.ac b/configure.ac
index 66a5966..5181ca4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1271,6 +1271,17 @@
           installed, msi. Example: --with-package-format="deb dmg"]),
 ,)
 
+AC_ARG_WITH(tls,
+    AS_HELP_STRING([--with-tls],
+        [Decides which TLS/SSL and cryptographic implementations to use for
+         LibreOffice's code. Notice that this doesn't apply for depending
+         libraries like "neon", for example. Default is to use OpenSSL
+         although NSS is also possible. Notice that selecting NSS restricts
+         the usage of OpenSSL in LO's code but selecting OpenSSL doesn't
+         restrict by now the usage of NSS in LO's code. Possible values:
+         openssl, nss. Example: --with-tls="nss"]),
+,)
+
 AC_ARG_WITH(system-libs,
     AS_HELP_STRING([--with-system-libs],
         [Use libraries already on system -- enables all --with-system-* flags.]),
@@ -8151,6 +8162,31 @@
 AC_SUBST(MSVC80_DLL_PATH)
 
 dnl ===================================================================
+dnl Check for TLS/SSL and cryptographic implementation to use
+dnl ===================================================================
+AC_MSG_CHECKING([which TLS/SSL and cryptographic implementation to use])
+if test -n "$with_tls"; then
+    case $with_tls in
+    openssl)
+        TLS=OPENSSL
+        ;;
+    nss)
+        TLS=NSS
+        ;;
+    *)
+        AC_MSG_ERROR([unsupported implementation $with_tls. Supported are:
+openssl - OpenSSL
+nss - Mozilla's Network Security Services (NSS)
+    ])
+        ;;
+    esac
+else
+    TLS=OPENSSL
+fi
+AC_MSG_RESULT([$TLS])
+AC_SUBST(TLS)
+
+dnl ===================================================================
 dnl Check for system NSS
 dnl ===================================================================
 libo_CHECK_SYSTEM_MODULE([nss],[NSS],[nss >= 3.9.3 nspr >= 4.8])
diff --git a/oox/Library_oox.mk b/oox/Library_oox.mk
index 2bcbdf5..ed6f68c 100644
--- a/oox/Library_oox.mk
+++ b/oox/Library_oox.mk
@@ -81,11 +81,27 @@
 	$(gb_UWINAPI) \
 ))
 
+ifeq ($(TLS),OPENSSL)
 $(eval $(call gb_Library_use_externals,oox,\
 	boost_headers \
 	openssl \
 	openssl_headers \
 ))
+$(eval $(call gb_Library_add_defs,oox,\
+    -DTLS_OPENSSL \
+))
+else
+ifeq ($(TLS),NSS)
+$(eval $(call gb_Library_use_externals,oox,\
+       boost_headers \
+       plc4 \
+       nss3 \
+))
+$(eval $(call gb_Library_add_defs,oox,\
+    -DTLS_NSS \
+))
+endif
+endif
 
 $(eval $(call gb_Library_set_componentfile,oox,oox/util/oox))
 
diff --git a/oox/source/core/filterdetect.cxx b/oox/source/core/filterdetect.cxx
index a581d10..a8c72ee 100644
--- a/oox/source/core/filterdetect.cxx
+++ b/oox/source/core/filterdetect.cxx
@@ -23,7 +23,13 @@
 #include <com/sun/star/io/XStream.hpp>
 #include <comphelper/docpasswordhelper.hxx>
 #include <comphelper/mediadescriptor.hxx>
+#ifdef TLS_OPENSSL
 #include <openssl/evp.h>
+#endif // TLS_OPENSSL
+#ifdef TLS_NSS
+#include <nss.h>
+#include <pk11pub.h>
+#endif // TLS_NSS
 #include <rtl/digest.h>
 #include "oox/core/fastparser.hxx"
 #include "oox/helper/attributelist.hxx"
@@ -374,6 +380,7 @@
     if ( nKeySize == 16 && nVerifierSize == 16 && nVerifierHashSize == 32 )
     {
         // check password
+#ifdef TLS_OPENSSL
         EVP_CIPHER_CTX aes_ctx;
         EVP_CIPHER_CTX_init( &aes_ctx );
         EVP_DecryptInit_ex( &aes_ctx, EVP_aes_128_ecb(), 0, pnKey, 0 );
@@ -393,6 +400,37 @@
 
         /*int*/ EVP_DecryptUpdate( &aes_ctx, pnTmpVerifierHash, &nOutLen, pnVerifierHash, nVerifierHashSize );
         EVP_CIPHER_CTX_cleanup( &aes_ctx );
+#endif //TLS_OPENSSL
+
+#ifdef TLS_NSS
+        PK11SlotInfo *aSlot( PK11_GetBestSlot( CKM_AES_ECB, NULL ) );
+        sal_uInt8 *key( new sal_uInt8[ nKeySize ] );
+        (void) memcpy( key, pnKey, nKeySize * sizeof(sal_uInt8) );
+
+        SECItem keyItem;
+        keyItem.type = siBuffer;
+        keyItem.data = key;
+        keyItem.len  = nKeySize;
+
+        PK11SymKey *symKey( PK11_ImportSymKey( aSlot, CKM_AES_ECB, PK11_OriginUnwrap, CKA_ENCRYPT, &keyItem, NULL ) );
+        SECItem *secParam( PK11_ParamFromIV( CKM_AES_ECB, NULL ) );
+        PK11Context *encContext( PK11_CreateContextBySymKey( CKM_AES_ECB, CKA_DECRYPT, symKey, secParam ) );
+
+        int nOutLen(0);
+        sal_uInt8 pnTmpVerifier[ 16 ];
+        (void) memset( pnTmpVerifier, 0, sizeof(pnTmpVerifier) );
+
+        PK11_CipherOp( encContext, pnTmpVerifier, &nOutLen, sizeof(pnTmpVerifier), const_cast<sal_uInt8*>(pnVerifier), nVerifierSize );
+
+        sal_uInt8 pnTmpVerifierHash[ 32 ];
+        (void) memset( pnTmpVerifierHash, 0, sizeof(pnTmpVerifierHash) );
+        PK11_CipherOp( encContext, pnTmpVerifierHash, &nOutLen, sizeof(pnTmpVerifierHash), const_cast<sal_uInt8*>(pnVerifierHash), nVerifierHashSize );
+
+        PK11_DestroyContext( encContext, PR_TRUE );
+        PK11_FreeSymKey( symKey );
+        SECITEM_FreeItem( secParam, PR_TRUE );
+        delete[] key;
+#endif // TLS_NSS
 
         rtlDigest aDigest = rtl_digest_create( rtl_Digest_AlgorithmSHA1 );
         rtl_digest_update( aDigest, pnTmpVerifier, sizeof( pnTmpVerifier ) );
@@ -553,6 +591,11 @@
 
         if( bImplemented )
         {
+#ifdef TLS_NSS
+            // Initialize NSS, database functions are not needed
+            NSS_NoDB_Init( NULL );
+#endif // TLS_NSS
+
             /*  "VelvetSweatshop" is the built-in default encryption
                 password used by MS Excel for the "workbook protection"
                 feature with password. Try this first before prompting the
@@ -580,10 +623,31 @@
                 BinaryXOutputStream aDecryptedPackage( xDecryptedPackage, true );
                 BinaryXInputStream aEncryptedPackage( xEncryptedPackage, true );
 
+#ifdef TLS_OPENSSL
                 EVP_CIPHER_CTX aes_ctx;
                 EVP_CIPHER_CTX_init( &aes_ctx );
                 EVP_DecryptInit_ex( &aes_ctx, EVP_aes_128_ecb(), 0, aVerifier.getKey(), 0 );
                 EVP_CIPHER_CTX_set_padding( &aes_ctx, 0 );
+#endif // TLS_OPENSSL
+
+#ifdef TLS_NSS
+                // Retrieve the valid key so we can get its size later
+                SequenceAsHashMap aHashData( aEncryptionData );
+                Sequence<sal_Int8> validKey( aHashData.getUnpackedValueOrDefault( OUString("AES128EncryptionKey"), Sequence<sal_Int8>() ) );
+
+                PK11SlotInfo *aSlot( PK11_GetBestSlot( CKM_AES_ECB, NULL ) );
+                sal_uInt8 *key = new sal_uInt8[ validKey.getLength() ];
+                (void) memcpy( key, aVerifier.getKey(), validKey.getLength() );
+
+                SECItem keyItem;
+                keyItem.type = siBuffer;
+                keyItem.data = key;
+                keyItem.len  = validKey.getLength();
+
+                PK11SymKey *symKey( PK11_ImportSymKey( aSlot, CKM_AES_ECB, PK11_OriginUnwrap, CKA_ENCRYPT, &keyItem, NULL ) );
+                SECItem *secParam( PK11_ParamFromIV( CKM_AES_ECB, NULL ) );
+                PK11Context *encContext( PK11_CreateContextBySymKey( CKM_AES_ECB, CKA_DECRYPT, symKey, secParam ) );
+#endif // TLS_NSS
 
                 sal_uInt8 pnInBuffer[ 1024 ];
                 sal_uInt8 pnOutBuffer[ 1024 ];
@@ -592,13 +656,36 @@
                 aEncryptedPackage.skip( 8 ); // decrypted size
                 while( (nInLen = aEncryptedPackage.readMemory( pnInBuffer, sizeof( pnInBuffer ) )) > 0 )
                 {
+#ifdef TLS_OPENSSL
                     EVP_DecryptUpdate( &aes_ctx, pnOutBuffer, &nOutLen, pnInBuffer, nInLen );
+#endif // TLS_OPENSSL
+
+#ifdef TLS_NSS
+                    PK11_CipherOp( encContext, pnOutBuffer, &nOutLen, sizeof(pnOutBuffer), pnInBuffer, nInLen );
+#endif // TLS_NSS
                     aDecryptedPackage.writeMemory( pnOutBuffer, nOutLen );
                 }
+#ifdef TLS_OPENSSL
                 EVP_DecryptFinal_ex( &aes_ctx, pnOutBuffer, &nOutLen );
+#endif // TLS_OPENSSL
+
+#ifdef TLS_NSS
+                uint final;
+                PK11_DigestFinal( encContext, pnOutBuffer, &final, nInLen - nOutLen );
+                nOutLen = final;
+#endif // TLS_NSS
                 aDecryptedPackage.writeMemory( pnOutBuffer, nOutLen );
 
+#ifdef TLS_OPENSSL
                 EVP_CIPHER_CTX_cleanup( &aes_ctx );
+#endif // TLS_OPENSSL
+
+#ifdef TLS_NSS
+                PK11_DestroyContext( encContext, PR_TRUE );
+                PK11_FreeSymKey( symKey );
+                SECITEM_FreeItem( secParam, PR_TRUE );
+                delete[] key;
+#endif // TLS_NSS
                 xDecryptedPackage->flush();
                 aDecryptedPackage.seekToStart();
 

-- 
To view, visit https://gerrit.libreoffice.org/3173
To unsubscribe, visit https://gerrit.libreoffice.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie82afb1f22caa0b02ddac256e2a0c2a49f19bb15
Gerrit-PatchSet: 1
Gerrit-Project: core
Gerrit-Branch: master
Gerrit-Owner: Miguel Gomez <magomez at igalia.com>

More information about the LibreOffice mailing list