Hi,
I have submitted a patch for review:
https://gerrit.libreoffice.org/3173
To pull it, you can do:
git pull ssh://gerrit.libreoffice.org:29418/core refs/changes/73/3173/1
Allow selecting the tls backend to use in oox from configure
Change-Id: Ie82afb1f22caa0b02ddac256e2a0c2a49f19bb15
---
M config_host.mk.in
M configure.ac
M oox/Library_oox.mk
M oox/source/core/filterdetect.cxx
4 files changed, 140 insertions(+), 0 deletions(-)
diff --git a/config_host.mk.in b/config_host.mk.in
index 08fc52c9..bb71553 100644
--- a/config_host.mk.in
+++ b/config_host.mk.in
@@ -567,6 +567,7 @@
export TELEPATHY_CFLAGS=$(gb_SPACE)@TELEPATHY_CFLAGS@
export TELEPATHY_LIBS=$(gb_SPACE)@TELEPATHY_LIBS@
export THES_SYSTEM_DIR=@THES_SYSTEM_DIR@
+export TLS=@TLS@
@x_Cygwin@ export TMP=@TMP_DIRECTORY@
export TMPDIR=@TEMP_DIRECTORY@
export TYPO_EXTENSION_PACK=@TYPO_EXTENSION_PACK@
diff --git a/configure.ac b/configure.ac
index 66a5966..5181ca4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1271,6 +1271,17 @@
installed, msi. Example: --with-package-format="deb dmg"]),
,)
+AC_ARG_WITH(tls,
+ AS_HELP_STRING([--with-tls],
+ [Decides which TLS/SSL and cryptographic implementations to use for
+ LibreOffice's code. Notice that this doesn't apply for depending
+ libraries like "neon", for example. Default is to use OpenSSL
+ although NSS is also possible. Notice that selecting NSS restricts
+ the usage of OpenSSL in LO's code but selecting OpenSSL doesn't
+ restrict by now the usage of NSS in LO's code. Possible values:
+ openssl, nss. Example: --with-tls="nss"]),
+,)
+
AC_ARG_WITH(system-libs,
AS_HELP_STRING([--with-system-libs],
[Use libraries already on system -- enables all --with-system-* flags.]),
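Review bot: The help text sells `--with-tls` as choosing the "TLS/SSL and cryptographic implementation", but the only consumer this change wires up is AES-ECB password/package decryption in oox, which does no TLS at all, so a packager reading `configure --help` will expect more than the switch delivers. I would say so explicitly, e.g. append `Currently this only selects the AES implementation used by oox for encrypted OOXML documents.` to the description, and keep the wording honest as further modules are converted. Whether anything else in the tree already keys off a `TLS` variable is not visible from this hunk.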
@@ -8151,6 +8162,31 @@
AC_SUBST(MSVC80_DLL_PATH)
dnl ===================================================================
+dnl Check for TLS/SSL and cryptographic implementation to use
+dnl ===================================================================
+AC_MSG_CHECKING([which TLS/SSL and cryptographic implementation to use])
+if test -n "$with_tls"; then
+ case $with_tls in
+ openssl)
+ TLS=OPENSSL
+ ;;
+ nss)
+ TLS=NSS
+ ;;
+ *)
+ AC_MSG_ERROR([unsupported implementation $with_tls. Supported are:
+openssl - OpenSSL
+nss - Mozilla's Network Security Services (NSS)
+ ])
+ ;;
+ esac
+else
+ TLS=OPENSSL
+fi
+AC_MSG_RESULT([$TLS])
+AC_SUBST(TLS)
+
+dnl ===================================================================
dnl Check for system NSS
dnl ===================================================================
libo_CHECK_SYSTEM_MODULE([nss],[NSS],[nss >= 3.9.3 nspr >= 4.8])
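Review bot: Selecting `--with-tls=nss` is accepted without confirming that NSS will actually be built or found, so a configuration that disables NSS elsewhere only fails later inside oox; the `libo_CHECK_SYSTEM_MODULE([nss]...)` that follows checks a *system* NSS and, as far as this hunk shows, does not make NSS mandatory when the backend was requested. Also `--without-tls` sets `with_tls=no` and trips the generic "unsupported implementation no" error, which is confusing for an option that cannot be switched off. I would add a `no) AC_MSG_ERROR([--without-tls is not supported; oox needs a crypto backend]) ;;` case and, after the NSS check, an `AC_MSG_ERROR` if `TLS=NSS` but NSS is disabled (exact variable to test depends on the NSS block below, which is outside this hunk).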
diff --git a/oox/Library_oox.mk b/oox/Library_oox.mk
index 2bcbdf5..ed6f68c 100644
--- a/oox/Library_oox.mk
+++ b/oox/Library_oox.mk
@@ -81,11 +81,27 @@
$(gb_UWINAPI) \
))
+ifeq ($(TLS),OPENSSL)
$(eval $(call gb_Library_use_externals,oox,\
boost_headers \
openssl \
openssl_headers \
))
+$(eval $(call gb_Library_add_defs,oox,\
+ -DTLS_OPENSSL \
+))
+else
+ifeq ($(TLS),NSS)
+$(eval $(call gb_Library_use_externals,oox,\
+ boost_headers \
+ plc4 \
+ nss3 \
+))
+$(eval $(call gb_Library_add_defs,oox,\
+ -DTLS_NSS \
+))
+endif
+endif
$(eval $(call gb_Library_set_componentfile,oox,oox/util/oox))
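Review bot: An unrecognised `$(TLS)` value falls out of the nested `ifeq` with no externals and neither `-DTLS_OPENSSL` nor `-DTLS_NSS`, so the failure only surfaces as undeclared `pnTmpVerifier`/`aes_ctx` deep in filterdetect.cxx instead of at the point where the backend is chosen. An explicit guard keeps the error close to its cause: before the inner `endif` add `else` and `$(error Unknown TLS backend "$(TLS)"; expected OPENSSL or NSS)`. This also protects builds that reuse a stale config_host.mk where `TLS` is empty.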
diff --git a/oox/source/core/filterdetect.cxx b/oox/source/core/filterdetect.cxx
index a581d10..a8c72ee 100644
--- a/oox/source/core/filterdetect.cxx
+++ b/oox/source/core/filterdetect.cxx
@@ -23,7 +23,13 @@
#include <com/sun/star/io/XStream.hpp>
#include <comphelper/docpasswordhelper.hxx>
#include <comphelper/mediadescriptor.hxx>
+#ifdef TLS_OPENSSL
#include <openssl/evp.h>
+#endif // TLS_OPENSSL
+#ifdef TLS_NSS
+#include <nss.h>
+#include <pk11pub.h>
+#endif // TLS_NSS
#include <rtl/digest.h>
#include "oox/core/fastparser.hxx"
#include "oox/helper/attributelist.hxx"
@@ -374,6 +380,7 @@
if ( nKeySize == 16 && nVerifierSize == 16 && nVerifierHashSize == 32 )
{
// check password
+#ifdef TLS_OPENSSL
EVP_CIPHER_CTX aes_ctx;
EVP_CIPHER_CTX_init( &aes_ctx );
EVP_DecryptInit_ex( &aes_ctx, EVP_aes_128_ecb(), 0, pnKey, 0 );
@@ -393,6 +400,37 @@
/*int*/ EVP_DecryptUpdate( &aes_ctx, pnTmpVerifierHash, &nOutLen, pnVerifierHash,
nVerifierHashSize );
EVP_CIPHER_CTX_cleanup( &aes_ctx );
+#endif //TLS_OPENSSL
+
+#ifdef TLS_NSS
+ PK11SlotInfo *aSlot( PK11_GetBestSlot( CKM_AES_ECB, NULL ) );
+ sal_uInt8 *key( new sal_uInt8[ nKeySize ] );
+ (void) memcpy( key, pnKey, nKeySize * sizeof(sal_uInt8) );
+
+ SECItem keyItem;
+ keyItem.type = siBuffer;
+ keyItem.data = key;
+ keyItem.len = nKeySize;
+
+ PK11SymKey *symKey( PK11_ImportSymKey( aSlot, CKM_AES_ECB, PK11_OriginUnwrap, CKA_ENCRYPT,
&keyItem, NULL ) );
+ SECItem *secParam( PK11_ParamFromIV( CKM_AES_ECB, NULL ) );
+ PK11Context *encContext( PK11_CreateContextBySymKey( CKM_AES_ECB, CKA_DECRYPT, symKey,
secParam ) );
+
+ int nOutLen(0);
+ sal_uInt8 pnTmpVerifier[ 16 ];
+ (void) memset( pnTmpVerifier, 0, sizeof(pnTmpVerifier) );
+
+ PK11_CipherOp( encContext, pnTmpVerifier, &nOutLen, sizeof(pnTmpVerifier),
const_cast<sal_uInt8*>(pnVerifier), nVerifierSize );
+
+ sal_uInt8 pnTmpVerifierHash[ 32 ];
+ (void) memset( pnTmpVerifierHash, 0, sizeof(pnTmpVerifierHash) );
+ PK11_CipherOp( encContext, pnTmpVerifierHash, &nOutLen, sizeof(pnTmpVerifierHash),
const_cast<sal_uInt8*>(pnVerifierHash), nVerifierHashSize );
+
+ PK11_DestroyContext( encContext, PR_TRUE );
+ PK11_FreeSymKey( symKey );
+ SECITEM_FreeItem( secParam, PR_TRUE );
+ delete[] key;
+#endif // TLS_NSS
rtlDigest aDigest = rtl_digest_create( rtl_Digest_AlgorithmSHA1 );
rtl_digest_update( aDigest, pnTmpVerifier, sizeof( pnTmpVerifier ) );
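Review bot: The NSS branch dereferences `aSlot`, `symKey`, `secParam` and `encContext` without checking any of them for NULL, and `PK11_GetBestSlot` does return NULL when NSS has not been initialised — the `NSS_NoDB_Init` in this patch lives in a different function, and whether it is guaranteed to run before this verifier is not visible here. The two `PK11_CipherOp` statuses are also ignored, so on failure the zero-filled `pnTmpVerifier` is hashed and the password is silently reported wrong rather than the error being surfaced. The slot from `PK11_GetBestSlot` is never released with `PK11_FreeSlot`, and the heap copy of the key is unnecessary because `PK11_ImportSymKey` copies the `SECItem` bytes; the copy also leaves key material behind on the heap when it is freed. Note too that the key is imported with `CKA_ENCRYPT` but the context is created for `CKA_DECRYPT`; softoken may tolerate this, but the attribute should match the use. The enclosing function starts before this hunk, so the bail-out below should use whatever it already returns on a failed verification.
```cpp
#ifdef TLS_NSS
    sal_uInt8 pnTmpVerifier[ 16 ];
    sal_uInt8 pnTmpVerifierHash[ 32 ];
    (void) memset( pnTmpVerifier, 0, sizeof(pnTmpVerifier) );
    (void) memset( pnTmpVerifierHash, 0, sizeof(pnTmpVerifierHash) );

    bool bDecrypted = false;
    PK11SlotInfo *pSlot = PK11_GetBestSlot( CKM_AES_ECB, NULL );
    if( pSlot )
    {
        // PK11_ImportSymKey copies the key bytes; no heap copy needed
        SECItem aKeyItem;
        aKeyItem.type = siBuffer;
        aKeyItem.data = const_cast<sal_uInt8*>( pnKey );
        aKeyItem.len = nKeySize;

        PK11SymKey *pSymKey = PK11_ImportSymKey( pSlot, CKM_AES_ECB, PK11_OriginUnwrap,
                                                 CKA_DECRYPT, &aKeyItem, NULL );
        SECItem *pParam = PK11_ParamFromIV( CKM_AES_ECB, NULL );
        PK11Context *pCtx = ( pSymKey && pParam )
            ? PK11_CreateContextBySymKey( CKM_AES_ECB, CKA_DECRYPT, pSymKey, pParam )
            : NULL;
        if( pCtx )
        {
            int nOutLen = 0;
            bDecrypted =
                PK11_CipherOp( pCtx, pnTmpVerifier, &nOutLen, sizeof(pnTmpVerifier),
                               const_cast<sal_uInt8*>( pnVerifier ), nVerifierSize ) == SECSuccess &&
                PK11_CipherOp( pCtx, pnTmpVerifierHash, &nOutLen, sizeof(pnTmpVerifierHash),
                               const_cast<sal_uInt8*>( pnVerifierHash ), nVerifierHashSize ) == SECSuccess;
            PK11_DestroyContext( pCtx, PR_TRUE );
        }
        if( pParam )
            SECITEM_FreeItem( pParam, PR_TRUE );
        if( pSymKey )
            PK11_FreeSymKey( pSymKey );
        PK11_FreeSlot( pSlot );
    }
    if( !bDecrypted )
        return false; // TODO(review): use the function's existing failed-verification return
#endif // TLS_NSS
    // … unchanged: SHA1 digest of pnTmpVerifier and comparison …
```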
@@ -553,6 +591,11 @@
if( bImplemented )
{
+#ifdef TLS_NSS
+ // Initialize NSS, database functions are not needed
+ NSS_NoDB_Init( NULL );
+#endif // TLS_NSS
+
/* "VelvetSweatshop" is the built-in default encryption
password used by MS Excel for the "workbook protection"
feature with password. Try this first before prompting the
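Review bot: The return value of `NSS_NoDB_Init( NULL )` is discarded; if initialisation fails, `PK11_GetBestSlot` further down returns NULL and the decryption code dereferences it. Check it and stop before touching the package: `if( NSS_NoDB_Init( NULL ) != SECSuccess ) return false;` (adjust to whatever this function — which starts before the hunk — returns when detection cannot proceed). Calling `NSS_NoDB_Init` on every detection with no matching `NSS_Shutdown` is probably harmless since NSS ignores repeated inits, but other parts of LibreOffice may initialise NSS with a certificate database, and which init runs first can change what that module gets; a one-line comment saying the order has been considered, or a shared one-time init helper, would be worth adding.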
@@ -580,10 +623,31 @@
BinaryXOutputStream aDecryptedPackage( xDecryptedPackage, true );
BinaryXInputStream aEncryptedPackage( xEncryptedPackage, true );
+#ifdef TLS_OPENSSL
EVP_CIPHER_CTX aes_ctx;
EVP_CIPHER_CTX_init( &aes_ctx );
EVP_DecryptInit_ex( &aes_ctx, EVP_aes_128_ecb(), 0, aVerifier.getKey(), 0 );
EVP_CIPHER_CTX_set_padding( &aes_ctx, 0 );
+#endif // TLS_OPENSSL
+
+#ifdef TLS_NSS
+ // Retrieve the valid key so we can get its size later
+ SequenceAsHashMap aHashData( aEncryptionData );
+ Sequence<sal_Int8> validKey( aHashData.getUnpackedValueOrDefault(
OUString("AES128EncryptionKey"), Sequence<sal_Int8>() ) );
+
+ PK11SlotInfo *aSlot( PK11_GetBestSlot( CKM_AES_ECB, NULL ) );
+ sal_uInt8 *key = new sal_uInt8[ validKey.getLength() ];
+ (void) memcpy( key, aVerifier.getKey(), validKey.getLength() );
+
+ SECItem keyItem;
+ keyItem.type = siBuffer;
+ keyItem.data = key;
+ keyItem.len = validKey.getLength();
+
+ PK11SymKey *symKey( PK11_ImportSymKey( aSlot, CKM_AES_ECB, PK11_OriginUnwrap,
CKA_ENCRYPT, &keyItem, NULL ) );
+ SECItem *secParam( PK11_ParamFromIV( CKM_AES_ECB, NULL ) );
+ PK11Context *encContext( PK11_CreateContextBySymKey( CKM_AES_ECB, CKA_DECRYPT,
symKey, secParam ) );
+#endif // TLS_NSS
sal_uInt8 pnInBuffer[ 1024 ];
sal_uInt8 pnOutBuffer[ 1024 ];
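Review bot: The key length is taken from `aHashData["AES128EncryptionKey"]` while the key bytes come from `aVerifier.getKey()`; if that entry is missing from `aEncryptionData` the length is 0, `PK11_ImportSymKey` returns NULL, and `PK11_CreateContextBySymKey` dereferences it. The verifier check earlier in this file only accepts `nKeySize == 16` and the OpenSSL branch hard-wires `EVP_aes_128_ecb()`, so a fixed 16-byte key is already the contract; using it removes the hash-map round trip, the heap copy (which `PK11_ImportSymKey` does not need, since it copies the `SECItem`) and the `SequenceAsHashMap` use, whose header is not added in the include hunk and may or may not already be pulled in. The pointers returned by the PK11 calls still need NULL checks, and `aSlot` needs a matching `PK11_FreeSlot`.
```cpp
#ifdef TLS_NSS
    PK11SlotInfo *pSlot = PK11_GetBestSlot( CKM_AES_ECB, NULL );
    // AES-128 is the only key size accepted by the verifier check above
    SECItem aKeyItem;
    aKeyItem.type = siBuffer;
    aKeyItem.data = const_cast<sal_uInt8*>( aVerifier.getKey() );
    aKeyItem.len = 16;
    PK11SymKey *pSymKey = pSlot ? PK11_ImportSymKey( pSlot, CKM_AES_ECB, PK11_OriginUnwrap,
                                                     CKA_DECRYPT, &aKeyItem, NULL ) : NULL;
    SECItem *pParam = PK11_ParamFromIV( CKM_AES_ECB, NULL );
    PK11Context *pCtx = ( pSymKey && pParam )
        ? PK11_CreateContextBySymKey( CKM_AES_ECB, CKA_DECRYPT, pSymKey, pParam )
        : NULL;
    if( !pCtx )
    {
        // … release pParam/pSymKey/pSlot and fail the decryption …
    }
#endif // TLS_NSS
```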
@@ -592,13 +656,36 @@
aEncryptedPackage.skip( 8 ); // decrypted size
while( (nInLen = aEncryptedPackage.readMemory( pnInBuffer, sizeof( pnInBuffer ) ))
0 )
{
+#ifdef TLS_OPENSSL
EVP_DecryptUpdate( &aes_ctx, pnOutBuffer, &nOutLen, pnInBuffer, nInLen );
+#endif // TLS_OPENSSL
+
+#ifdef TLS_NSS
+ PK11_CipherOp( encContext, pnOutBuffer, &nOutLen, sizeof(pnOutBuffer),
pnInBuffer, nInLen );
+#endif // TLS_NSS
aDecryptedPackage.writeMemory( pnOutBuffer, nOutLen );
}
+#ifdef TLS_OPENSSL
EVP_DecryptFinal_ex( &aes_ctx, pnOutBuffer, &nOutLen );
+#endif // TLS_OPENSSL
+
+#ifdef TLS_NSS
+ uint final;
+ PK11_DigestFinal( encContext, pnOutBuffer, &final, nInLen - nOutLen );
+ nOutLen = final;
+#endif // TLS_NSS
aDecryptedPackage.writeMemory( pnOutBuffer, nOutLen );
+#ifdef TLS_OPENSSL
EVP_CIPHER_CTX_cleanup( &aes_ctx );
+#endif // TLS_OPENSSL
+
+#ifdef TLS_NSS
+ PK11_DestroyContext( encContext, PR_TRUE );
+ PK11_FreeSymKey( symKey );
+ SECITEM_FreeItem( secParam, PR_TRUE );
+ delete[] key;
+#endif // TLS_NSS
xDecryptedPackage->flush();
aDecryptedPackage.seekToStart();
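Review bot: `PK11_DigestFinal( encContext, pnOutBuffer, &final, nInLen - nOutLen )` passes the wrong value as the output capacity: after a full-block final `PK11_CipherOp` the difference is 0, and if the loop never ran `nInLen` is 0 while `nOutLen` keeps an earlier value, so the expression goes negative and is converted to a huge `unsigned int`, which lets NSS write past the 1024-byte `pnOutBuffer`. Pass `sizeof(pnOutBuffer)` and replace the non-standard `uint` with `unsigned int`, e.g. `unsigned int nFinalLen = 0;` / `if( PK11_DigestFinal( encContext, pnOutBuffer, &nFinalLen, sizeof(pnOutBuffer) ) != SECSuccess ) nFinalLen = 0;` / `nOutLen = nFinalLen;`. The `PK11_CipherOp` status in the loop is also ignored, so on failure `nOutLen` is stale and whatever was in `pnOutBuffer` from the previous iteration is written to the package as if decrypted; check it and break out, and add the missing `PK11_FreeSlot( aSlot )` next to the other cleanup.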
--
To view, visit https://gerrit.libreoffice.org/3173
To unsubscribe, visit https://gerrit.libreoffice.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie82afb1f22caa0b02ddac256e2a0c2a49f19bb15
Gerrit-PatchSet: 1
Gerrit-Project: core
Gerrit-Branch: master
Gerrit-Owner: Miguel Gomez <magomez@igalia.com>