diff options
author | Thorsten Behrens <Thorsten.Behrens@CIB.de> | 2018-01-11 23:47:24 +0100 |
---|---|---|
committer | Thorsten Behrens <Thorsten.Behrens@CIB.de> | 2018-01-13 14:36:27 +0100 |
commit | 39805f65189cd0085fe8f1071ae75cdec450c65e (patch) | |
tree | a3561e72a034aa6a92949de9a790617a1c972af0 | |
parent | 6df0c7bc230a424f5aefe583b591df70c6273b6f (diff) |
tdf#114550 don't use PBKDF2 in package for gpg encryption
No need to derive password-based key, simply skip rtl_digest_PBKDF2
for the gpg4libre case.
Also pass down PBKDF2 iteration count from ZipPackage, which knows
about GPG encryption, instead of just always setting it in package
stream.
We otherwise needlessly iterate session key also for gpg encrypted
storages.
Change-Id: Ic96b2193f8541bbd109795fb9c0212a0a10c7344
Reviewed-on: https://gerrit.libreoffice.org/47783
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
-rw-r--r-- | package/inc/ZipPackageEntry.hxx | 1 | ||||
-rw-r--r-- | package/inc/ZipPackageFolder.hxx | 2 | ||||
-rw-r--r-- | package/inc/ZipPackageStream.hxx | 1 | ||||
-rw-r--r-- | package/source/zipapi/ZipFile.cxx | 9 | ||||
-rw-r--r-- | package/source/zippackage/ZipPackage.cxx | 7 | ||||
-rw-r--r-- | package/source/zippackage/ZipPackageFolder.cxx | 10 | ||||
-rw-r--r-- | package/source/zippackage/ZipPackageStream.cxx | 3 |
7 files changed, 24 insertions, 9 deletions
diff --git a/package/inc/ZipPackageEntry.hxx b/package/inc/ZipPackageEntry.hxx index 300b5f25ea67..5e0064f9bf7e 100644 --- a/package/inc/ZipPackageEntry.hxx +++ b/package/inc/ZipPackageEntry.hxx @@ -69,6 +69,7 @@ public: std::vector < css::uno::Sequence < css::beans::PropertyValue > > &rManList, ZipOutputStream & rZipOut, const css::uno::Sequence < sal_Int8 >& rEncryptionKey, + sal_Int32 nPBKDF2IterationCount, const rtlRandomPool &rRandomPool ) = 0; void clearParent() diff --git a/package/inc/ZipPackageFolder.hxx b/package/inc/ZipPackageFolder.hxx index 0fad51f72ba2..1f65b2ca297e 100644 --- a/package/inc/ZipPackageFolder.hxx +++ b/package/inc/ZipPackageFolder.hxx @@ -73,6 +73,7 @@ public: std::vector < css::uno::Sequence < css::beans::PropertyValue > > &rManList, ZipOutputStream & rZipOut, const css::uno::Sequence < sal_Int8 >& rEncryptionKey, + sal_Int32 nPBKDF2IterationCount, const rtlRandomPool &rRandomPool ) override; // Recursive functions @@ -82,6 +83,7 @@ public: std::vector < css::uno::Sequence < css::beans::PropertyValue > > &rManList, ZipOutputStream & rZipOut, const css::uno::Sequence< sal_Int8 > &rEncryptionKey, + sal_Int32 nPBKDF2IterationCount, const rtlRandomPool & rRandomPool) const; // XNameContainer diff --git a/package/inc/ZipPackageStream.hxx b/package/inc/ZipPackageStream.hxx index b691370bf7e0..014898115517 100644 --- a/package/inc/ZipPackageStream.hxx +++ b/package/inc/ZipPackageStream.hxx @@ -133,6 +133,7 @@ public: std::vector < css::uno::Sequence < css::beans::PropertyValue > > &rManList, ZipOutputStream & rZipOut, const css::uno::Sequence < sal_Int8 >& rEncryptionKey, + sal_Int32 nPBKDF2IterationCount, const rtlRandomPool &rRandomPool ) override; void setZipEntryOnLoading( const ZipEntry &rInEntry); diff --git a/package/source/zipapi/ZipFile.cxx b/package/source/zipapi/ZipFile.cxx index 3d4abb65a8f9..1d10a56aaf9c 100644 --- a/package/source/zipapi/ZipFile.cxx +++ b/package/source/zipapi/ZipFile.cxx @@ -170,7 +170,14 @@ uno::Reference< xml::crypto::XCipherContext > ZipFile::StaticGetCipher( const un } uno::Sequence< sal_Int8 > aDerivedKey( xEncryptionData->m_nDerivedKeySize ); - if ( rtl_Digest_E_None != rtl_digest_PBKDF2( reinterpret_cast< sal_uInt8* >( aDerivedKey.getArray() ), + if ( !xEncryptionData->m_nIterationCount && + xEncryptionData->m_nDerivedKeySize == xEncryptionData->m_aKey.getLength() ) + { + // gpg4libre: no need to derive key, m_aKey is already + // usable as symmetric session key + aDerivedKey = xEncryptionData->m_aKey; + } + else if ( rtl_Digest_E_None != rtl_digest_PBKDF2( reinterpret_cast< sal_uInt8* >( aDerivedKey.getArray() ), aDerivedKey.getLength(), reinterpret_cast< const sal_uInt8 * > (xEncryptionData->m_aKey.getConstArray() ), xEncryptionData->m_aKey.getLength(), diff --git a/package/source/zippackage/ZipPackage.cxx b/package/source/zippackage/ZipPackage.cxx index 967e0eded056..2a918c8df630 100644 --- a/package/source/zippackage/ZipPackage.cxx +++ b/package/source/zippackage/ZipPackage.cxx @@ -287,6 +287,7 @@ void ZipPackage::parseManifest() pStream->SetToBeCompressed ( true ); pStream->SetToBeEncrypted ( true ); pStream->SetIsEncrypted ( true ); + pStream->setIterationCount(0); // clamp to default SHA256 start key magic value, // c.f. ZipPackageStream::GetEncryptionKey() @@ -1249,10 +1250,10 @@ uno::Reference< io::XInputStream > ZipPackage::writeTempFile() const OUString sMediaType ("MediaType"); const OUString sVersion ("Version"); const OUString sFullPath ("FullPath"); + const bool bIsGpgEncrypt = m_aGpgProps.hasElements(); if ( m_nFormat == embed::StorageFormats::PACKAGE ) { - bool bIsGpgEncrypt = m_aGpgProps.hasElements(); uno::Sequence < PropertyValue > aPropSeq( bIsGpgEncrypt ? PKG_SIZE_NOENCR_MNFST+1 : PKG_SIZE_NOENCR_MNFST ); aPropSeq [PKG_MNFST_MEDIATYPE].Name = sMediaType; @@ -1275,8 +1276,10 @@ uno::Reference< io::XInputStream > ZipPackage::writeTempFile() // for encrypted streams RandomPool aRandomPool; + sal_Int32 const nPBKDF2IterationCount = 100000; + // call saveContents ( it will recursively save sub-directories - m_xRootFolder->saveContents("", aManList, aZipOut, GetEncryptionKey(), aRandomPool.get()); + m_xRootFolder->saveContents("", aManList, aZipOut, GetEncryptionKey(), bIsGpgEncrypt ? 0 : nPBKDF2IterationCount, aRandomPool.get()); } if( m_nFormat == embed::StorageFormats::PACKAGE ) diff --git a/package/source/zippackage/ZipPackageFolder.cxx b/package/source/zippackage/ZipPackageFolder.cxx index e76381826fe3..8d9556069d95 100644 --- a/package/source/zippackage/ZipPackageFolder.cxx +++ b/package/source/zippackage/ZipPackageFolder.cxx @@ -257,6 +257,7 @@ bool ZipPackageFolder::saveChild( std::vector < uno::Sequence < PropertyValue > > &rManList, ZipOutputStream & rZipOut, const uno::Sequence < sal_Int8 >& rEncryptionKey, + sal_Int32 nPBKDF2IterationCount, const rtlRandomPool &rRandomPool) { const OUString sMediaTypeProperty ("MediaType"); @@ -278,7 +279,7 @@ bool ZipPackageFolder::saveChild( else aPropSet.realloc( 0 ); - saveContents( sTempName, rManList, rZipOut, rEncryptionKey, rRandomPool); + saveContents( sTempName, rManList, rZipOut, rEncryptionKey, nPBKDF2IterationCount, rRandomPool); // folder can have a mediatype only in package format if ( aPropSet.getLength() && ( m_nFormat == embed::StorageFormats::PACKAGE ) ) @@ -292,6 +293,7 @@ void ZipPackageFolder::saveContents( std::vector < uno::Sequence < PropertyValue > > &rManList, ZipOutputStream & rZipOut, const uno::Sequence < sal_Int8 >& rEncryptionKey, + sal_Int32 nPBKDF2IterationCount, const rtlRandomPool &rRandomPool ) const { bool bWritingFailed = false; @@ -330,7 +332,7 @@ void ZipPackageFolder::saveContents( { bMimeTypeStreamStored = true; bWritingFailed = !aIter->second->pStream->saveChild( - rPath + aIter->first, rManList, rZipOut, rEncryptionKey, rRandomPool ); + rPath + aIter->first, rManList, rZipOut, rEncryptionKey, nPBKDF2IterationCount, rRandomPool ); } } @@ -346,12 +348,12 @@ void ZipPackageFolder::saveContents( if (rInfo.bFolder) { bWritingFailed = !rInfo.pFolder->saveChild( - rPath + rShortName, rManList, rZipOut, rEncryptionKey, rRandomPool ); + rPath + rShortName, rManList, rZipOut, rEncryptionKey, nPBKDF2IterationCount, rRandomPool ); } else { bWritingFailed = !rInfo.pStream->saveChild( - rPath + rShortName, rManList, rZipOut, rEncryptionKey, rRandomPool ); + rPath + rShortName, rManList, rZipOut, rEncryptionKey, nPBKDF2IterationCount, rRandomPool ); } } } diff --git a/package/source/zippackage/ZipPackageStream.cxx b/package/source/zippackage/ZipPackageStream.cxx index 55ebae82ee48..ec9c4e6a8c5d 100644 --- a/package/source/zippackage/ZipPackageStream.cxx +++ b/package/source/zippackage/ZipPackageStream.cxx @@ -507,6 +507,7 @@ bool ZipPackageStream::saveChild( std::vector < uno::Sequence < beans::PropertyValue > > &rManList, ZipOutputStream & rZipOut, const uno::Sequence < sal_Int8 >& rEncryptionKey, + sal_Int32 nPBKDF2IterationCount, const rtlRandomPool &rRandomPool) { bool bSuccess = true; @@ -652,8 +653,6 @@ bool ZipPackageStream::saveChild( uno::Sequence < sal_Int8 > aSalt( 16 ), aVector( GetBlockSize() ); rtl_random_getBytes ( rRandomPool, aSalt.getArray(), 16 ); rtl_random_getBytes ( rRandomPool, aVector.getArray(), aVector.getLength() ); - sal_Int32 const nPBKDF2IterationCount = 100000; - if ( !m_bHaveOwnKey ) { m_aEncryptionKey = rEncryptionKey; |