Streaming decrpytion for CDoc1

Signed-off-by: Raul Metsma <raul@metsma.ee>

Author: metsma

cdoc/CDoc1Reader.cpp

@@ -384,6 +384,7 @@ result_t CDoc1Reader::decryptData(const std::vector<uint8_t>& fmk, std::string&
         return result;
     }
 
+    std::vector<unsigned char> b64;
     XMLReader reader(d->dsrc, false);
     int skipKeyInfo = 0;
     while (reader.read()) {
@@ -397,26 +398,30 @@ result_t CDoc1Reader::decryptData(const std::vector<uint8_t>& fmk, std::string&
         // EncryptedData/CipherData/CipherValue
         else if(reader.isElement("CipherValue"))
         {
-            data = libcdoc::Crypto::decrypt(d->method, fmk, reader.readBase64());
+            b64 = reader.readBase64();
             break;
         }
     }
 
-    if(data.empty()) {
+    if(b64.empty()) {
+        setLastError("Failed to decode base64 data");
+        return libcdoc::IO_ERROR;
+    }
+    VectorSource src(b64);
+    libcdoc::DecryptionSource dec(src, d->method, fmk);
+    if(dec.isError()) {
         setLastError("Failed to decrypt data, verify if FMK is correct");
-        return libcdoc::CRYPTO_ERROR;
+        return CRYPTO_ERROR;
     }
+    libcdoc::VectorConsumer out(data);
     setLastError({});
     if (d->mime == MIME_ZLIB) {
-        libcdoc::VectorSource vsrc(data);
-        libcdoc::ZSource zsrc(&vsrc);
-        std::vector<uint8_t> tmp;
-        libcdoc::VectorConsumer vcons(tmp);
-        vcons.writeAll(zsrc);
-        data = std::move(tmp);
+        libcdoc::ZSource zsrc(&dec);
+        out.writeAll(zsrc);
         mime = d->properties["OriginalMimeType"];
     }
     else
         mime = d->mime;
-    return libcdoc::OK;
+    out.writeAll(dec);
+    return dec.close();
 }

cdoc/Crypto.cpp

@@ -141,61 +141,43 @@ const EVP_CIPHER *Crypto::cipher(const std::string &algo)
 std::vector<uint8_t> Crypto::concatKDF(const std::string &hashAlg, uint32_t keyDataLen,
 	const std::vector<uint8_t> &z, const std::vector<uint8_t> &otherInfo)
 {
-	std::vector<uint8_t> key;
-	uint32_t hashLen = SHA384_DIGEST_LENGTH;
-	if(hashAlg == SHA256_MTH) hashLen = SHA256_DIGEST_LENGTH;
-	else if(hashAlg == SHA384_MTH) hashLen = SHA384_DIGEST_LENGTH;
-	else if(hashAlg == SHA512_MTH) hashLen = SHA512_DIGEST_LENGTH;
-	else return key;
-
-	SHA256_CTX sha256;
-	SHA512_CTX sha512;
-    std::vector<uint8_t> hash(hashLen, 0);
-    uint8_t intToFourBytes[4];
+    std::vector<uint8_t> key;
+    const EVP_MD *md {};
+    if(hashAlg == SHA256_MTH) md = EVP_sha256();
+    else if(hashAlg == SHA384_MTH) md = EVP_sha384();
+    else if(hashAlg == SHA512_MTH) md = EVP_sha512();
+    else {
+        LOG_WARN("Usnupported hash algo {}", hashAlg);
+        return key;
+    }
 
+    uint32_t hashLen = EVP_MD_get_size(md);
     uint32_t reps = keyDataLen / hashLen;
     if (keyDataLen % hashLen > 0)
         reps++;
 
-	for(uint32_t i = 1; i <= reps; i++)
-	{
-		intToFourBytes[0] = uint8_t(i >> 24);
-		intToFourBytes[1] = uint8_t(i >> 16);
-		intToFourBytes[2] = uint8_t(i >> 8);
-		intToFourBytes[3] = uint8_t(i >> 0);
-		switch(hashLen)
-		{
-		case SHA256_DIGEST_LENGTH:
-            if (SSL_FAILED(SHA256_Init(&sha256), "SHA256_Init") ||
-                SSL_FAILED(SHA256_Update(&sha256, intToFourBytes, 4), "SHA256_Update") ||
-                SSL_FAILED(SHA256_Update(&sha256, z.data(), z.size()), "SHA256_Update") ||
-                SSL_FAILED(SHA256_Update(&sha256, otherInfo.data(), otherInfo.size()), "SHA256_Update") ||
-                SSL_FAILED(SHA256_Final(hash.data(), &sha256), "SHA256_Final"))
-                return {};
-			break;
-		case SHA384_DIGEST_LENGTH:
-            if (SSL_FAILED(SHA384_Init(&sha512), "SHA384_Init") ||
-                SSL_FAILED(SHA384_Update(&sha512, intToFourBytes, 4), "SHA384_Update") ||
-                SSL_FAILED(SHA384_Update(&sha512, z.data(), z.size()), "SHA384_Update") ||
-                SSL_FAILED(SHA384_Update(&sha512, otherInfo.data(), otherInfo.size()), "SHA384_Update") ||
-                SSL_FAILED(SHA384_Final(hash.data(), &sha512), "SHA384_Final"))
-                return {};
-			break;
-		case SHA512_DIGEST_LENGTH:
-            if (SSL_FAILED(SHA512_Init(&sha512), "SHA512_Init") ||
-                SSL_FAILED(SHA512_Update(&sha512, intToFourBytes, 4), "SHA512_Update") ||
-                SSL_FAILED(SHA512_Update(&sha512, otherInfo.data(), otherInfo.size()), "SHA512_Update") ||
-                SSL_FAILED(SHA512_Final(hash.data(), &sha512), "SHA512_Update"))
-                return {};
-			break;
-        default:
-            LOG_WARN("Usnupported hash length {}", hashLen);
-            return key;
-		}
-		key.insert(key.cend(), hash.cbegin(), hash.cend());
-	}
-	key.resize(size_t(keyDataLen));
-	return key;
+    auto ctx = make_unique_ptr<EVP_MD_CTX_free>(EVP_MD_CTX_new());
+    if(!ctx)
+    {
+        LOG_SSL_ERROR("EVP_MD_CTX_new");
+        return key;
+    }
+
+    std::vector<uint8_t> hash(hashLen, 0);
+    for(uint32_t i = 1; i <= reps; i++)
+    {
+        uint8_t intToFourBytes[4] { uint8_t(i >> 24), uint8_t(i >> 16), uint8_t(i >> 8), uint8_t(i >> 0) };
+        unsigned int size = hashLen;
+        if (SSL_FAILED(EVP_DigestInit(ctx.get(), md), "EVP_DigestInit") ||
+            SSL_FAILED(EVP_DigestUpdate(ctx.get(), intToFourBytes, 4), "EVP_DigestUpdate") ||
+            SSL_FAILED(EVP_DigestUpdate(ctx.get(), z.data(), z.size()), "EVP_DigestUpdate") ||
+            SSL_FAILED(EVP_DigestUpdate(ctx.get(), otherInfo.data(), otherInfo.size()), "EVP_DigestUpdate") ||
+            SSL_FAILED(EVP_DigestFinal(ctx.get(), hash.data(), &size), "EVP_DigestFinal"))
+            return {};
+        key.insert(key.cend(), hash.cbegin(), hash.cend());
+    }
+    key.resize(size_t(keyDataLen));
+    return key;
 }
 
 std::vector<uint8_t> Crypto::concatKDF(const std::string &hashAlg, uint32_t keyDataLen, const std::vector<uint8_t> &z,
@@ -608,14 +590,109 @@ EncryptionConsumer::close()
         if(SSL_FAILED(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, int(tag.size()), tag.data()), "EVP_CIPHER_CTX_ctrl"))
             return CRYPTO_ERROR;
         LOG_DBG("tag: {}", toHex(tag));
-        return dst.write(tag.data(), tag.size());
+        if (dst.write(tag.data(), tag.size()) != tag.size())
+            return IO_ERROR;
     }
-    if(EVP_CIPHER_CTX_flags(ctx.get()) & EVP_CIPH_FLAG_AEAD_CIPHER)
+    else if(EVP_CIPHER_CTX_flags(ctx.get()) & EVP_CIPH_FLAG_AEAD_CIPHER)
     {
         if(SSL_FAILED(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_GET_TAG, int(tag.size()), tag.data()), "EVP_CIPHER_CTX_ctrl"))
             return CRYPTO_ERROR;
         LOG_DBG("tag: {}", toHex(tag));
-        return dst.write(tag.data(), tag.size());
+        if (dst.write(tag.data(), tag.size()) != tag.size())
+            return IO_ERROR;
+    }
+    return OK;
+}
+
+DecryptionSource::DecryptionSource(DataSource &src, const std::string &method, const std::vector<unsigned char> &key)
+    : DecryptionSource(src, Crypto::cipher(method), key)
+{}
+
+DecryptionSource::DecryptionSource(DataSource &src, const EVP_CIPHER *cipher, const std::vector<unsigned char> &key)
+    : ctx{EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free}
+    , src(src)
+{
+    EVP_CIPHER_CTX_set_flags(ctx.get(), EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
+    int ivLen = EVP_CIPHER_iv_length(cipher);
+    std::vector<unsigned char> iv(ivLen, 0);
+    if(auto rv = src.read(iv.data(), ivLen); size_t(rv) != iv.size())
+        error = rv < 0 ? rv : IO_ERROR;
+    else if(SSL_FAILED(EVP_CipherInit_ex(ctx.get(), cipher, nullptr, key.data(), iv.data(), 0), "EVP_CipherInit_ex"))
+        error = CRYPTO_ERROR;
+    else if(auto rv = src.read(tag.data(), tag.size()); size_t(rv) != tag.size())
+        error = rv < 0 ? rv : IO_ERROR;
+}
+
+result_t DecryptionSource::readAAD(const std::vector<uint8_t> &data)
+{
+    if (error != OK)
+        return error;
+    int len = 0;
+    if(SSL_FAILED(EVP_CipherUpdate(ctx.get(), nullptr, &len, data.data(), int(data.size())), "EVP_CipherUpdate"))
+        return CRYPTO_ERROR;
+    return OK;
+}
+
+result_t DecryptionSource::read(unsigned char *dst, size_t size)
+{
+    if (error != OK)
+        return error;
+    if (!dst || size == 0)
+        return OK;
+    if(size < tag.size())
+        return INPUT_STREAM_ERROR;
+
+    auto r = src.read(dst + tag.size(), size - tag.size());
+    if (r <= 0) {
+        return r;
+    }
+    auto nread = static_cast<size_t>(r);
+
+    std::copy(tag.begin(), tag.end(), dst);
+
+    if (nread < size - tag.size()) {
+        std::copy_n(std::next(dst, nread), tag.size(), tag.begin());
+        size = nread;
+    } else if (auto r = src.read(tag.data(), tag.size()); r < 0) {
+        return r;
+    } else if (auto tagSize = static_cast<size_t>(r); tagSize < tag.size()) {
+        std::move_backward(tag.begin(), std::next(tag.begin(), tagSize), tag.end());
+        size_t more = tag.size() - tagSize;
+        std::copy_n(std::next(dst, size - more), more, tag.data());
+        size -= more;
+    }
+
+    if (int out = 0;
+        SSL_FAILED(EVP_CipherUpdate(ctx.get(), dst, &out, dst, size), "EVP_CipherUpdate") ||
+        size != out) {
+        return error = CRYPTO_ERROR;
+    }
+    return size;
+}
+
+result_t DecryptionSource::close()
+{
+    if (error != OK)
+        return error;
+
+    if (EVP_CIPHER_CTX_mode(ctx.get()) == EVP_CIPH_GCM_MODE) {
+        LOG_DBG("tag: {}", toHex(tag));
+        if (SSL_FAILED(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, int(tag.size()), (void*)tag.data()), "EVP_CIPHER_CTX_ctrl")) {
+            return error = CRYPTO_ERROR;
+        }
+    }
+    else if(EVP_CIPHER_CTX_flags(ctx.get()) & EVP_CIPH_FLAG_AEAD_CIPHER)
+    {
+        LOG_DBG("tag: {}", toHex(tag));
+        if (SSL_FAILED(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_TAG, int(tag.size()), (void*)tag.data()), "EVP_CIPHER_CTX_ctrl")) {
+            return error = CRYPTO_ERROR;
+        }
+    }
+
+    int len = 0;
+    std::vector<uint8_t> buffer(EVP_CIPHER_CTX_block_size(ctx.get()), 0);
+    if (SSL_FAILED(EVP_CipherFinal_ex(ctx.get(), buffer.data(), &len), "EVP_CipherFinal_ex")) {
+        return error = CRYPTO_ERROR;
     }
     return OK;
 }

cdoc/Crypto.h

@@ -129,7 +129,7 @@ struct EncryptionConsumer final : public DataConsumer {
     result_t write(const uint8_t *src, size_t size) final;
     result_t writeAAD(const std::vector<uint8_t> &data);
     result_t close() final;
-    bool isError() final { return error != OK; }
+    bool isError() final { return error != OK || dst.isError(); }
 
 private:
     unique_free_t<EVP_CIPHER_CTX> ctx;
@@ -138,4 +138,22 @@ struct EncryptionConsumer final : public DataConsumer {
     std::vector<uint8_t> buf;
 };
 
+struct DecryptionSource final : public DataSource {
+    DecryptionSource(DataSource &src, const std::string &method, const std::vector<unsigned char> &key);
+    DecryptionSource(DataSource &src, const EVP_CIPHER *cipher, const std::vector<unsigned char> &key);
+    CDOC_DISABLE_MOVE_COPY(DecryptionSource)
+
+    result_t read(unsigned char* dst, size_t size) final;
+    result_t readAAD(const std::vector<uint8_t>& data);
+    result_t close();
+    bool isError() final { return error != OK || src.isError(); }
+    bool isEof() final { return src.isEof(); }
+
+private:
+    unique_free_t<EVP_CIPHER_CTX> ctx;
+    DataSource &src;
+    result_t error = OK;
+    std::array<uint8_t, 16> tag {};
+};
+
 }; // namespace libcdoc

cdoc/Io.h

@@ -311,7 +311,7 @@ struct CDOC_EXPORT VectorSource : public DataSource {
 
     result_t read(uint8_t *dst, size_t size) override {
 		size = std::min<size_t>(size, _data.size() - _ptr);
-		std::copy(_data.cbegin() + _ptr, _data.cbegin() + _ptr + size, dst);
+		std::copy_n(_data.cbegin() + _ptr, size, dst);
 		_ptr += size;
 		return size;
 	}

test/CMakeLists.txt

@@ -1,4 +1,4 @@
-add_executable(unittests libcdoc_boost.cpp ../cdoc/CDocCipher.cpp)
+add_executable(unittests libcdoc_boost.cpp ../cdoc/CDocCipher.cpp ../cdoc/Crypto.cpp)
 target_compile_definitions(unittests PRIVATE DATA_DIR="${CMAKE_CURRENT_SOURCE_DIR}/data")
 target_link_libraries(unittests OpenSSL::SSL cdoc Boost::unit_test_framework)
 

test/libcdoc_boost.cpp

@@ -25,6 +25,8 @@
 #include <CDocCipher.h>
 #include <Recipient.h>
 #include <Utils.h>
+#include <cdoc/Crypto.h>
+#include <cdoc/Io.h>
 
 #ifndef DATA_DIR
 #define DATA_DIR "."
@@ -515,3 +517,41 @@ BOOST_AUTO_TEST_CASE(Base64LabelParsingWithMediaType)
 }
 
 BOOST_AUTO_TEST_SUITE_END()
+
+BOOST_AUTO_TEST_SUITE(StreamingDecryption)
+
+BOOST_AUTO_TEST_CASE(DecryptWithStream)
+{
+    const std::vector<uint8_t> plaintext = {'s', 'o', 'm', 'e', ' ', 'p', 'l', 'a', 'i', 'n', 't', 'e', 'x', 't'};
+    //std::vector<uint8_t> aad = {'A', 'A', 'D'};
+    std::array<uint8_t, 20> buffer{};
+    const auto key = libcdoc::Crypto::generateKey(std::string(libcdoc::Crypto::AES256GCM_MTH));
+    const auto method = std::string(libcdoc::Crypto::AES256GCM_MTH);
+
+    // Encrypt
+    std::vector<uint8_t> encrypted_data;
+    libcdoc::VectorConsumer encrypted_dst(encrypted_data);
+    libcdoc::EncryptionConsumer encrypt(encrypted_dst, method, key);
+    BOOST_CHECK_EQUAL_COLLECTIONS(encrypted_data.begin(), encrypted_data.end(), key.iv.begin(), key.iv.end());
+    //BOOST_CHECK_EQUAL(encrypt.writeAAD(aad), libcdoc::OK);
+    libcdoc::VectorSource plain_src(plaintext);
+    for(ssize_t read_len = 0; (read_len = plain_src.read(buffer.data(), buffer.size())) > 0; ) {
+        BOOST_CHECK_EQUAL(encrypt.write(buffer.data(), read_len), read_len);
+    }
+    BOOST_CHECK_EQUAL(encrypt.close(), libcdoc::OK);
+
+    // Decrypt
+    libcdoc::VectorSource encrypted_src(encrypted_data);
+    libcdoc::DecryptionSource decrypt(encrypted_src, method, key.key);
+    //BOOST_CHECK_EQUAL(decrypt.readAAD(aad), libcdoc::OK);
+    std::vector<uint8_t> decrypted_text;
+    for(ssize_t read_len = 0; (read_len = decrypt.read(buffer.data(), buffer.size())) > 0; ) {
+        decrypted_text.insert(decrypted_text.end(), buffer.data(), buffer.data() + read_len);
+    }
+    BOOST_CHECK_EQUAL(decrypt.isError(), false);
+    BOOST_CHECK_EQUAL(decrypt.close(), libcdoc::OK);
+
+    BOOST_CHECK_EQUAL_COLLECTIONS(plaintext.begin(), plaintext.end(), decrypted_text.begin(), decrypted_text.end());
+}
+
+BOOST_AUTO_TEST_SUITE_END()