Date: prev next · Thread: first prev next last
2013 Archives by date, by thread · List index


Hi,

I have submitted a patch for review:

    https://gerrit.libreoffice.org/3173

To pull it, you can do:

    git pull ssh://gerrit.libreoffice.org:29418/core refs/changes/73/3173/1

Allow selecting the tls backend to use in oox from configure

Change-Id: Ie82afb1f22caa0b02ddac256e2a0c2a49f19bb15
---
M config_host.mk.in
M configure.ac
M oox/Library_oox.mk
M oox/source/core/filterdetect.cxx
4 files changed, 140 insertions(+), 0 deletions(-)



diff --git a/config_host.mk.in b/config_host.mk.in
index 08fc52c9..bb71553 100644
--- a/config_host.mk.in
+++ b/config_host.mk.in
@@ -567,6 +567,7 @@
 export TELEPATHY_CFLAGS=$(gb_SPACE)@TELEPATHY_CFLAGS@
 export TELEPATHY_LIBS=$(gb_SPACE)@TELEPATHY_LIBS@
 export THES_SYSTEM_DIR=@THES_SYSTEM_DIR@
+export TLS=@TLS@
 @x_Cygwin@ export TMP=@TMP_DIRECTORY@
 export TMPDIR=@TEMP_DIRECTORY@
 export TYPO_EXTENSION_PACK=@TYPO_EXTENSION_PACK@
diff --git a/configure.ac b/configure.ac
index 66a5966..5181ca4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1271,6 +1271,17 @@
           installed, msi. Example: --with-package-format="deb dmg"]),
 ,)
 
+AC_ARG_WITH(tls,
+    AS_HELP_STRING([--with-tls],
+        [Decides which TLS/SSL and cryptographic implementations to use for
+         LibreOffice's code. Notice that this doesn't apply for depending
+         libraries like "neon", for example. Default is to use OpenSSL
+         although NSS is also possible. Notice that selecting NSS restricts
+         the usage of OpenSSL in LO's code but selecting OpenSSL doesn't
+         restrict by now the usage of NSS in LO's code. Possible values:
+         openssl, nss. Example: --with-tls="nss"]),
+,)
+
 AC_ARG_WITH(system-libs,
     AS_HELP_STRING([--with-system-libs],
         [Use libraries already on system -- enables all --with-system-* flags.]),
@@ -8151,6 +8162,31 @@
 AC_SUBST(MSVC80_DLL_PATH)
 
 dnl ===================================================================
+dnl Check for TLS/SSL and cryptographic implementation to use
+dnl ===================================================================
+AC_MSG_CHECKING([which TLS/SSL and cryptographic implementation to use])
+if test -n "$with_tls"; then
+    case $with_tls in
+    openssl)
+        TLS=OPENSSL
+        ;;
+    nss)
+        TLS=NSS
+        ;;
+    *)
+        AC_MSG_ERROR([unsupported implementation $with_tls. Supported are:
+openssl - OpenSSL
+nss - Mozilla's Network Security Services (NSS)
+    ])
+        ;;
+    esac
+else
+    TLS=OPENSSL
+fi
+AC_MSG_RESULT([$TLS])
+AC_SUBST(TLS)
+
+dnl ===================================================================
 dnl Check for system NSS
 dnl ===================================================================
 libo_CHECK_SYSTEM_MODULE([nss],[NSS],[nss >= 3.9.3 nspr >= 4.8])
diff --git a/oox/Library_oox.mk b/oox/Library_oox.mk
index 2bcbdf5..ed6f68c 100644
--- a/oox/Library_oox.mk
+++ b/oox/Library_oox.mk
@@ -81,11 +81,27 @@
        $(gb_UWINAPI) \
 ))
 
+ifeq ($(TLS),OPENSSL)
 $(eval $(call gb_Library_use_externals,oox,\
        boost_headers \
        openssl \
        openssl_headers \
 ))
+$(eval $(call gb_Library_add_defs,oox,\
+    -DTLS_OPENSSL \
+))
+else
+ifeq ($(TLS),NSS)
+$(eval $(call gb_Library_use_externals,oox,\
+       boost_headers \
+       plc4 \
+       nss3 \
+))
+$(eval $(call gb_Library_add_defs,oox,\
+    -DTLS_NSS \
+))
+endif
+endif
 
 $(eval $(call gb_Library_set_componentfile,oox,oox/util/oox))
 
diff --git a/oox/source/core/filterdetect.cxx b/oox/source/core/filterdetect.cxx
index a581d10..a8c72ee 100644
--- a/oox/source/core/filterdetect.cxx
+++ b/oox/source/core/filterdetect.cxx
@@ -23,7 +23,13 @@
 #include <com/sun/star/io/XStream.hpp>
 #include <comphelper/docpasswordhelper.hxx>
 #include <comphelper/mediadescriptor.hxx>
+#ifdef TLS_OPENSSL
 #include <openssl/evp.h>
+#endif // TLS_OPENSSL
+#ifdef TLS_NSS
+#include <nss.h>
+#include <pk11pub.h>
+#endif // TLS_NSS
 #include <rtl/digest.h>
 #include "oox/core/fastparser.hxx"
 #include "oox/helper/attributelist.hxx"
@@ -374,6 +380,7 @@
     if ( nKeySize == 16 && nVerifierSize == 16 && nVerifierHashSize == 32 )
     {
         // check password
+#ifdef TLS_OPENSSL
         EVP_CIPHER_CTX aes_ctx;
         EVP_CIPHER_CTX_init( &aes_ctx );
         EVP_DecryptInit_ex( &aes_ctx, EVP_aes_128_ecb(), 0, pnKey, 0 );
@@ -393,6 +400,37 @@
 
         /*int*/ EVP_DecryptUpdate( &aes_ctx, pnTmpVerifierHash, &nOutLen, pnVerifierHash, 
nVerifierHashSize );
         EVP_CIPHER_CTX_cleanup( &aes_ctx );
+#endif //TLS_OPENSSL
+
+#ifdef TLS_NSS
+        PK11SlotInfo *aSlot( PK11_GetBestSlot( CKM_AES_ECB, NULL ) );
+        sal_uInt8 *key( new sal_uInt8[ nKeySize ] );
+        (void) memcpy( key, pnKey, nKeySize * sizeof(sal_uInt8) );
+
+        SECItem keyItem;
+        keyItem.type = siBuffer;
+        keyItem.data = key;
+        keyItem.len  = nKeySize;
+
+        PK11SymKey *symKey( PK11_ImportSymKey( aSlot, CKM_AES_ECB, PK11_OriginUnwrap, CKA_ENCRYPT, 
&keyItem, NULL ) );
+        SECItem *secParam( PK11_ParamFromIV( CKM_AES_ECB, NULL ) );
+        PK11Context *encContext( PK11_CreateContextBySymKey( CKM_AES_ECB, CKA_DECRYPT, symKey, 
secParam ) );
+
+        int nOutLen(0);
+        sal_uInt8 pnTmpVerifier[ 16 ];
+        (void) memset( pnTmpVerifier, 0, sizeof(pnTmpVerifier) );
+
+        PK11_CipherOp( encContext, pnTmpVerifier, &nOutLen, sizeof(pnTmpVerifier), 
const_cast<sal_uInt8*>(pnVerifier), nVerifierSize );
+
+        sal_uInt8 pnTmpVerifierHash[ 32 ];
+        (void) memset( pnTmpVerifierHash, 0, sizeof(pnTmpVerifierHash) );
+        PK11_CipherOp( encContext, pnTmpVerifierHash, &nOutLen, sizeof(pnTmpVerifierHash), 
const_cast<sal_uInt8*>(pnVerifierHash), nVerifierHashSize );
+
+        PK11_DestroyContext( encContext, PR_TRUE );
+        PK11_FreeSymKey( symKey );
+        SECITEM_FreeItem( secParam, PR_TRUE );
+        delete[] key;
+#endif // TLS_NSS
 
         rtlDigest aDigest = rtl_digest_create( rtl_Digest_AlgorithmSHA1 );
         rtl_digest_update( aDigest, pnTmpVerifier, sizeof( pnTmpVerifier ) );
@@ -553,6 +591,11 @@
 
         if( bImplemented )
         {
+#ifdef TLS_NSS
+            // Initialize NSS, database functions are not needed
+            NSS_NoDB_Init( NULL );
+#endif // TLS_NSS
+
             /*  "VelvetSweatshop" is the built-in default encryption
                 password used by MS Excel for the "workbook protection"
                 feature with password. Try this first before prompting the
@@ -580,10 +623,31 @@
                 BinaryXOutputStream aDecryptedPackage( xDecryptedPackage, true );
                 BinaryXInputStream aEncryptedPackage( xEncryptedPackage, true );
 
+#ifdef TLS_OPENSSL
                 EVP_CIPHER_CTX aes_ctx;
                 EVP_CIPHER_CTX_init( &aes_ctx );
                 EVP_DecryptInit_ex( &aes_ctx, EVP_aes_128_ecb(), 0, aVerifier.getKey(), 0 );
                 EVP_CIPHER_CTX_set_padding( &aes_ctx, 0 );
+#endif // TLS_OPENSSL
+
+#ifdef TLS_NSS
+                // Retrieve the valid key so we can get its size later
+                SequenceAsHashMap aHashData( aEncryptionData );
+                Sequence<sal_Int8> validKey( aHashData.getUnpackedValueOrDefault( 
OUString("AES128EncryptionKey"), Sequence<sal_Int8>() ) );
+
+                PK11SlotInfo *aSlot( PK11_GetBestSlot( CKM_AES_ECB, NULL ) );
+                sal_uInt8 *key = new sal_uInt8[ validKey.getLength() ];
+                (void) memcpy( key, aVerifier.getKey(), validKey.getLength() );
+
+                SECItem keyItem;
+                keyItem.type = siBuffer;
+                keyItem.data = key;
+                keyItem.len  = validKey.getLength();
+
+                PK11SymKey *symKey( PK11_ImportSymKey( aSlot, CKM_AES_ECB, PK11_OriginUnwrap, 
CKA_ENCRYPT, &keyItem, NULL ) );
+                SECItem *secParam( PK11_ParamFromIV( CKM_AES_ECB, NULL ) );
+                PK11Context *encContext( PK11_CreateContextBySymKey( CKM_AES_ECB, CKA_DECRYPT, 
symKey, secParam ) );
+#endif // TLS_NSS
 
                 sal_uInt8 pnInBuffer[ 1024 ];
                 sal_uInt8 pnOutBuffer[ 1024 ];
@@ -592,13 +656,36 @@
                 aEncryptedPackage.skip( 8 ); // decrypted size
                 while( (nInLen = aEncryptedPackage.readMemory( pnInBuffer, sizeof( pnInBuffer ) )) 
0 )
                 {
+#ifdef TLS_OPENSSL
                     EVP_DecryptUpdate( &aes_ctx, pnOutBuffer, &nOutLen, pnInBuffer, nInLen );
+#endif // TLS_OPENSSL
+
+#ifdef TLS_NSS
+                    PK11_CipherOp( encContext, pnOutBuffer, &nOutLen, sizeof(pnOutBuffer), 
pnInBuffer, nInLen );
+#endif // TLS_NSS
                     aDecryptedPackage.writeMemory( pnOutBuffer, nOutLen );
                 }
+#ifdef TLS_OPENSSL
                 EVP_DecryptFinal_ex( &aes_ctx, pnOutBuffer, &nOutLen );
+#endif // TLS_OPENSSL
+
+#ifdef TLS_NSS
+                uint final;
+                PK11_DigestFinal( encContext, pnOutBuffer, &final, nInLen - nOutLen );
+                nOutLen = final;
+#endif // TLS_NSS
                 aDecryptedPackage.writeMemory( pnOutBuffer, nOutLen );
 
+#ifdef TLS_OPENSSL
                 EVP_CIPHER_CTX_cleanup( &aes_ctx );
+#endif // TLS_OPENSSL
+
+#ifdef TLS_NSS
+                PK11_DestroyContext( encContext, PR_TRUE );
+                PK11_FreeSymKey( symKey );
+                SECITEM_FreeItem( secParam, PR_TRUE );
+                delete[] key;
+#endif // TLS_NSS
                 xDecryptedPackage->flush();
                 aDecryptedPackage.seekToStart();
 

-- 
To view, visit https://gerrit.libreoffice.org/3173
To unsubscribe, visit https://gerrit.libreoffice.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie82afb1f22caa0b02ddac256e2a0c2a49f19bb15
Gerrit-PatchSet: 1
Gerrit-Project: core
Gerrit-Branch: master
Gerrit-Owner: Miguel Gomez <magomez@igalia.com>


Context


Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.